Re: [Qemu-devel] Android Goldfish on QEMU
On Sat, May 26, 2012 at 02:51:29PM +0200, Andreas Färber wrote:
> On 26.05.2012 07:55, 陳韋任 wrote:
>> On Fri, May 25, 2012 at 06:13:25PM -0400, Ira Ray Jenkins wrote:
>>> I found a GSOC11 project that attempted to port the Android Goldfish platform to mainline QEMU. Was this project successful, or is this currently being worked on?
>> The author sent the patchset last year [1], but apparently it did not get merged into trunk. I don't know why. :)
> Presumably because the student didn't react to any of the review comments and never sent a fixed v2.

It would be great if we can bring it back. ;)

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
Homepage: http://people.cs.nctu.edu.tw/~chenwj
Re: [Qemu-devel] [PATCH 6/9] unicore32-softmmu: add generic cpu state save/load functions
Hi Guan,

+void cpu_save(QEMUFile *f, void *opaque) +{ +int i; +CPUUniCore32State *env = (CPUUniCore32State *)opaque; + +for (i = 0; i 32; i++) { +qemu_put_be32(f, env-regs[i]); +} +qemu_put_be32(f, cpu_asr_read(env)); +qemu_put_be32(f, env-bsr); +for (i = 0; i 6; i++) { +qemu_put_be32(f, env-banked_bsr[i]); +qemu_put_be32(f, env-banked_r29[i]); +qemu_put_be32(f, env-banked_r30[i]); +} + +qemu_put_be32(f, env-cp0.c0_cpuid); +qemu_put_be32(f, env-cp0.c0_cachetype); +qemu_put_be32(f, env-cp0.c1_sys); +qemu_put_be32(f, env-cp0.c2_base); +qemu_put_be32(f, env-cp0.c3_faultstatus); +qemu_put_be32(f, env-cp0.c4_faultaddr); +qemu_put_be32(f, env-cp0.c5_cacheop); +qemu_put_be32(f, env-cp0.c6_tlbop); + +qemu_put_be32(f, env-features); + +if (env-features UC32_HWCAP_UCF64) { +for (i = 0; i 16; i++) { +CPU_DoubleU u; +u.d = env-ucf64.regs[i]; +qemu_put_be32(f, u.l.upper); +qemu_put_be32(f, u.l.lower); +} +for (i = 0; i 32; i++) { +qemu_put_be32(f, env-ucf64.xregs[i]); +} +} +}

Do you think using VMState rather than QEMUFile is a good idea? I saw the OpenRISC target get this kind of feedback before [1].

Regards,
chenwj

[1] http://lists.gnu.org/archive/html/qemu-devel/2012-05/msg02457.html
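Review bot: the UCF64 block at the end of cpu_save (the 16 `u.l.upper`/`u.l.lower` pairs and the 32 `ucf64.xregs` words) is written only when `env->features` has UC32_HWCAP_UCF64 set, so the matching cpu_load must read and store the `features` word first and branch on the value it just read, not on the destination CPU's configured features; otherwise a stream saved with the flag set and loaded without it (or the reverse) consumes the wrong number of words and desynchronises silently. The hand-written put sequence also carries no version_id of its own; a VMStateDescription with a subsection for the UCF64 registers expresses both the optional block and the versioning in one place.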
Re: [Qemu-devel] Android Goldfish on QEMU
On Fri, May 25, 2012 at 06:13:25PM -0400, Ira Ray Jenkins wrote:
> I found a GSOC11 project that attempted to port the Android Goldfish platform to mainline QEMU. Was this project successful, or is this currently being worked on?

The author sent the patchset last year [1], but apparently it did not get merged into trunk. I don't know why. :)

Regards,
chenwj

[1] http://lists.gnu.org/archive/html/qemu-devel/2011-08/msg02436.html
Re: [Qemu-devel] How to create new target port?
> I'm investigating adding a new target architecture to QEMU. Are there documents, how-to's, or other guidance on how to approach this? Or any advice? I noticed that there are a number of directories for architectures like target-arm and target-mips. There are also definitions under tcg for arm and mips. I noticed that target-microblaze exists, but there is no microblaze directory under tcg. What does this mean?

It depends on what you'd like to add, guest or host support. If you want to add a new guest, take target-xxx/* as an example. Otherwise, look at tcg/xxx/*. The term "target" could be a little MISLEADING here. :)

Regards,
chenwj
Re: [Qemu-devel] How to measure precise system time in qemu?
> Is there anything else that can help me get more precise execution time?

From the COREMU guys [1], I was told that you can use rdtsc to get pretty accurate timing on an x86 guest/host. And from the chat on IRC, Peter told me you can use SYS_CLOCK/SYS_TIME on an ARM guest to get the host time. I think you can use `time` to measure the timing in user mode, but things seem to get quite complicated in system mode.

Regards,
chenwj

[1] http://blog.gmane.org/gmane.comp.emulators.qemu.coremu.devel/month=20120401
Re: [Qemu-devel] [PATCH 02/15] Openrisc: add MMU support
diff --git a/target-openrisc/mem_helper.c b/target-openrisc/mem_helper.c index a2d93c7..922dd6b 100644 --- a/target-openrisc/mem_helper.c +++ b/target-openrisc/mem_helper.c @@ -42,5 +42,30 @@ 戹oid tlb_fill(CPUOPENRISCState *env1, target_ulong addr, int is_write, ? ? ? ? ? ? ? int mmu_idx, uintptr_t retaddr) ㏵ + ? ?TranslationBlock *tb; + ? 蟖PUOPENRISCState *saved_env; + ? 抦nsigned long pc; + ? 犲nt ret; + + ? 坟aved_env = env; + ? 猬nv = env1;

>> Please avoid compiling with AREG0 and remove this.
> Sorry, I'm not very sure about it, may you give me more hints?

In dyngen-exec.h, the CPUArchState *env is kept in a particular host register (AREG0), so you shouldn't use env here. Maybe Blue can show you some example of how to do that; target-sparc/* might be a place to look?

Regards,
chenwj
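Review bot: `saved_env = env; env = env1;` at the end of the hunk swaps the global `env` (the AREG0 register variable from dyngen-exec.h) in and out around the fault handling; since tlb_fill already receives the CPU state as `env1`, pass that pointer explicitly to the page-table walk and to the exception-raising path and drop `saved_env` and the global altogether, which is what the AREG0-free targets do and what lets the file build without the fixed-register constraint.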
Re: [Qemu-devel] Is it possible to retrieve per-process information in QEMU?
>> I would like to know if I can retrieve per-process information in QEMU system mode. For example, I want to know each process's page fault ratio. Is there a way to do that?
> Logically, it's possible, but you need to locate the task_struct of each process first. Using GDB, that might be a bit easier but still not easy. Why not just monitor it inside the guest, using SystemTap for example?

O.K., what I did is something like below,

---
void tlb_fill(CPUARMState *env1, target_ulong addr, int is_write,
              int mmu_idx, uintptr_t retaddr)
{
    CPUARMState *saved_env;
    int ret;

    saved_env = env;
    env = env1;
    ret = cpu_arm_handle_mmu_fault(env, addr, is_write, mmu_idx);
    if (unlikely(ret)) {
        page_fault++;   /* page fault: one global counter */
    }
    env = saved_env;
}
---

IIUC, cpu_arm_handle_mmu_fault will look up the guest page table and return 1 if there is a page fault; that's why I added a counter there. But this way I'll collect a global statistic, not a per-process one. I'll try SystemTap later, but I'm not sure it does the same thing I want to do. Any thoughts? :)

Regards,
chenwj
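One way to get past the global counter without parsing task_struct, as an added example that is not part of this thread or of QEMU: key the counter on the guest's page-table base register (TTBR0 on ARM, CR3 on x86), which each process address space has to itself. The table, the `space_*` names, the 16 KiB TTBR0 base mask and the replayed (TTBR0, faulted) trace are assumptions made for the example; in QEMU the call to `space_account` would sit where `page_fault++` is above, fed with the current TTBR0 value and the return value of cpu_arm_handle_mmu_fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the guest's page-table base (TTBR0 on ARM, CR3 on x86) is
 * unique per process address space, so it serves as the process key.
 * With N=0 the ARM TTBR0 base is 16 KiB aligned; the low bits carry
 * attribute flags and are masked off. A base of 0 is not tracked. */
#define MAX_SPACES     256
#define TTBR_BASE_MASK (~(uint64_t)0x3fff)

typedef struct {
    uint64_t pt_base;   /* masked page-table base; 0 marks a free slot */
    uint64_t lookups;   /* tlb_fill calls seen for this address space */
    uint64_t faults;    /* of those, how many raised a guest page fault */
} space_stats;

static space_stats spaces[MAX_SPACES];

void space_stats_reset(void) { memset(spaces, 0, sizeof spaces); }

/* Linear table: slots fill in order, so the first free slot means "absent". */
static space_stats *space_lookup(uint64_t pt_base, int create) {
    uint64_t key = pt_base & TTBR_BASE_MASK;
    for (int i = 0; i < MAX_SPACES; i++) {
        if (spaces[i].pt_base == key) return &spaces[i];
        if (spaces[i].pt_base == 0) {
            if (!create) return NULL;
            spaces[i].pt_base = key;
            return &spaces[i];
        }
    }
    return NULL;   /* table full */
}

/* Called from tlb_fill with the current TTBR0 and the handler's result
 * (non-zero return from cpu_arm_handle_mmu_fault means a page fault). */
void space_account(uint64_t ttbr0, int faulted) {
    space_stats *s = space_lookup(ttbr0, 1);
    if (s == NULL) return;   /* table full: drop the sample rather than stall */
    s->lookups++;
    if (faulted) s->faults++;
}

/* Page faults per thousand slow-path lookups; -1 if the space is unknown. */
long space_fault_permille(uint64_t ttbr0) {
    space_stats *s = space_lookup(ttbr0, 0);
    if (s == NULL || s->lookups == 0) return -1;
    return (long)(s->faults * 1000 / s->lookups);
}

/* Constructed trace of (TTBR0, faulted) pairs, in the order tlb_fill would see them. */
int space_selftest(void) {
    static const struct { uint64_t ttbr0; int faulted; } trace[] = {
        {0x80004000u, 0}, {0x80004000u, 1}, {0x80004000u, 0}, {0x80004000u, 0},
        {0x80008000u, 1}, {0x80008000u, 1}, {0x80008003u, 0},  /* same base, attribute bits set */
    };
    space_stats_reset();
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        space_account(trace[i].ttbr0, trace[i].faulted);
    return space_fault_permille(0x80004000u) == 250
        && space_fault_permille(0x80008000u) == 666
        && space_fault_permille(0x8000c000u) == -1;
}
```

Kernel threads run on the kernel's own tables and therefore collapse into one slot, and a page-table base that the guest reuses for a later process inherits the earlier counts unless the slot is cleared when the guest reports the switch; that is the price of not reading task_struct.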
Re: [Qemu-devel] [PATCH 01/15] Openrisc: add target stub
+CPUOPENRISCState *cpu_openrisc_init(const char *cpu_model) +{ +CPUOPENRISCState *env; +static int tcg_inited; + +env = g_malloc0(sizeof(*env)); +memset(env, 0, sizeof(*env));

^^ No need to memset env to zero, since g_malloc0 already did it for you.

diff --git a/target-openrisc/helper.h b/target-openrisc/helper.h new file mode 100644 index 000..103d9b4 --- /dev/null +++ b/target-openrisc/helper.h [snip] +#include def-helper.h + +#include def-helper.h

I suppose you only need to #include def-helper.h once?

Regards,
chenwj
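Review bot: `memset(env, 0, sizeof(*env))` immediately after `env = g_malloc0(sizeof(*env))` in cpu_openrisc_init is redundant, g_malloc0 already returns zeroed memory; drop the memset line.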
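Review bot: the two `#include def-helper.h` lines in the new target-openrisc/helper.h are the pattern the other per-target helper.h files in QEMU follow (the first include defines the DEF_HELPER_* macros that the snipped DEF_HELPER lines between them expand, the second include undefines them again), so this is not a duplicate include to remove; what to check in this hunk is that the DEF_HELPER list sits between the two includes and nothing else does.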
Re: [Qemu-devel] [PATCH 01/15] Openrisc: add target stub
>> Please avoid unnecessary uppercase spelling: OpenRISCCPUClass? That distinguishes it from the all-uppercase cast macros. Or OpenriscCPUClass as you spell it elsewhere?
> I used OPENRISCCPU in the code; if it is not good, I can change it into OpenriscCPU.

I think OpenRISC is better [1].

Regards,
chenwj

[1] http://en.wikipedia.org/wiki/OpenRISC
Re: [Qemu-devel] [PATCH 01/15] Openrisc: add target stub
>> This is a mix of two ways of doing the same thing. You should only use VMState for new code.
> Did you mean I should not use QEMUFile?

I guess what Andreas means is that there are two ways to do cpu_save/cpu_load, and the one you wrote is the old style. For a brand new target, you should use VMState completely. You can take target-lm32/machine.c as an example.

---
void cpu_save(QEMUFile *f, void *opaque)
{
    vmstate_save_state(f, &vmstate_cpu, opaque);
}

int cpu_load(QEMUFile *f, void *opaque, int version_id)
{
    return vmstate_load_state(f, &vmstate_cpu, opaque, version_id);
}
---

Leave it to vmstate_save_state/vmstate_load_state (savevm.c) to do the real work.

Regards,
chenwj
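As an added example (not QEMU code and not from either patch discussed on this page), here is what the VMState idea buys over hand-matched qemu_put/qemu_get pairs like the unicore32 cpu_save quoted earlier on this page: the fields are described once in a table, save and load both walk it, and the load side bounds-checks a stream it cannot trust. The `toy_cpu` layout mirrors a few of the unicore32 fields; `field_desc`, `FEAT_UCF64`, `CPU_STATE_VERSION`, the `needed` gate for the optional UCF64 block and the byte buffer standing in for QEMUFile are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical CPU state, modelled on a few of the unicore32 fields. */
typedef struct {
    uint32_t regs[32];
    uint32_t asr;
    uint32_t features;          /* FEAT_UCF64 decides whether ucf64 is present */
    uint32_t ucf64_xregs[32];
} toy_cpu;

#define FEAT_UCF64        (1u << 0)
#define CPU_STATE_VERSION 1u

/* One row per saved field, in stream order: data instead of matched
 * put/get pairs. `needed` gates optional fields (VMState subsections). */
typedef struct {
    const char *name;
    size_t offset;                       /* offsetof(toy_cpu, field) */
    size_t count;                        /* number of uint32_t words */
    int (*needed)(const toy_cpu *cpu);   /* NULL: always present */
} field_desc;

static int has_ucf64(const toy_cpu *cpu) { return (cpu->features & FEAT_UCF64) != 0; }

static const field_desc cpu_fields[] = {
    { "regs",     offsetof(toy_cpu, regs),        32, NULL },
    { "asr",      offsetof(toy_cpu, asr),          1, NULL },
    { "features", offsetof(toy_cpu, features),     1, NULL },
    { "ucf64",    offsetof(toy_cpu, ucf64_xregs), 32, has_ucf64 },  /* must follow features */
};
#define N_FIELDS (sizeof cpu_fields / sizeof cpu_fields[0])

/* Big-endian words, like qemu_put_be32 / qemu_get_be32. */
static void put_be32(uint8_t **p, uint32_t v) {
    (*p)[0] = (uint8_t)(v >> 24); (*p)[1] = (uint8_t)(v >> 16);
    (*p)[2] = (uint8_t)(v >> 8);  (*p)[3] = (uint8_t)v;
    *p += 4;
}
static uint32_t get_be32(const uint8_t **p) {
    uint32_t v = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16)
               | ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    return v;
}

/* Returns bytes written, or 0 if buf is too small. */
size_t state_save(const toy_cpu *cpu, uint8_t *buf, size_t len) {
    uint8_t *p = buf, *end = buf + len;
    if (end - p < 4) return 0;
    put_be32(&p, CPU_STATE_VERSION);
    for (size_t i = 0; i < N_FIELDS; i++) {
        const field_desc *f = &cpu_fields[i];
        if (f->needed && !f->needed(cpu)) continue;
        if ((size_t)(end - p) < 4 * f->count) return 0;
        const uint32_t *src = (const uint32_t *)((const uint8_t *)cpu + f->offset);
        for (size_t j = 0; j < f->count; j++) put_be32(&p, src[j]);
    }
    return (size_t)(p - buf);
}

/* Returns 0 on success, -1 on wrong version, truncated or over-long stream.
 * The stream is untrusted input (it may arrive over the network), so every
 * read is bounds-checked before it happens. */
int state_load(toy_cpu *cpu, const uint8_t *buf, size_t len) {
    const uint8_t *p = buf, *end = buf + len;
    if (end - p < 4 || get_be32(&p) != CPU_STATE_VERSION) return -1;
    for (size_t i = 0; i < N_FIELDS; i++) {
        const field_desc *f = &cpu_fields[i];
        /* `needed` sees the fields loaded so far: `features` precedes `ucf64`
         * in the table, so the stream's own flag decides whether the block is read. */
        if (f->needed && !f->needed(cpu)) continue;
        if ((size_t)(end - p) < 4 * f->count) return -1;
        uint32_t *dst = (uint32_t *)((uint8_t *)cpu + f->offset);
        for (size_t j = 0; j < f->count; j++) dst[j] = get_be32(&p);
    }
    return p == end ? 0 : -1;
}

/* Round trip with and without the optional block, plus two rejected streams. */
int state_selftest(void) {
    toy_cpu a, b;
    uint8_t buf[4 + 4 * (32 + 1 + 1 + 32)];
    memset(&a, 0, sizeof a);
    for (uint32_t i = 0; i < 32; i++) { a.regs[i] = 0x1000 + i; a.ucf64_xregs[i] = 0xdead0000u | i; }
    a.asr = 0x12345678u;
    a.features = FEAT_UCF64;
    size_t n = state_save(&a, buf, sizeof buf);
    if (n != sizeof buf) return 0;
    memset(&b, 0, sizeof b);
    if (state_load(&b, buf, n) != 0 || memcmp(&a, &b, sizeof a) != 0) return 0;
    if (state_load(&b, buf, n - 1) != -1) return 0;          /* truncated */
    a.features = 0;                                          /* no ucf64 block */
    if (state_save(&a, buf, sizeof buf) != 4 + 4 * 34) return 0;
    buf[3] ^= 0x80;                                          /* wrong version */
    if (state_load(&b, buf, 4 + 4 * 34) != -1) return 0;
    return 1;
}
```

state_selftest() runs a round trip with and without the optional block and rejects a truncated and a wrong-version stream. The `needed` callback is the part a hand-written cpu_load gets wrong most easily: whether the ucf64 words are in the stream must be decided from the `features` word just read, which is why that row sits after `features` in the table.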
Re: [Qemu-devel] [PATCH 03/15] Openrisc: add instructions translation
+ ? 坟witch (op0) { + ? ?case 0x10: ? ?/*lf.add.d*/ + ? ? ? 猂OG_DIS(lf.add.d r%d, r%d, r%d\n, rd, ra, rb); + ? ? ? 慯cg_gen_add_i64(cpu_R[rd], cpu_R[ra], cpu_R[rb]);

>> Through this function you generate integer operations on the registers, although the ISA suggests that there should be either single- or double-precision floating point operations.
> Sorry, I didn't find a TCG IR op that does single- or double-precision floating point operations; may you give me some hints?

I guess you need to write your own floating-point helper functions to do that. Am I right, Max?

Regards,
chenwj
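Review bot: `lf.add.d` is a double-precision floating-point add, but the case body emits `tcg_gen_add_i64` on `cpu_R[rd]`, `cpu_R[ra]`, `cpu_R[rb]`, which adds the 64-bit register bit patterns as integers; TCG has no floating-point ops, so this needs a helper call (one that invokes softfloat's float64_add with the CPU's float_status) and the same applies to the single-precision lf.* forms; the LOG_DIS line can stay as is.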
[Qemu-devel] Is it possible to retrieve per-process information in QEMU?
Hi all,

I would like to know if I can retrieve per-process information in QEMU system mode. For example, I want to know each process's page fault ratio. Is there a way to do that? Thanks.

Regards,
chenwj
Re: [Qemu-devel] x86 AREG0 patches
On Sun, May 13, 2012 at 09:04:39PM +, Blue Swirl wrote:
> Hi,
>
> A preview of x86 AREG0 patches can be found at the usual place:
> URL git://repo.or.cz/qemu/blueswirl.git
> http://repo.or.cz/r/qemu/blueswirl.git
>
> This is obviously 1.2 material.

Will this patch series remove AREG0 so that we can use clang to compile QEMU? How much performance is lost?

Regards,
chenwj
[Qemu-devel] What TARGET_HAS_PRECISE_SMC means?
Hi all,

I see only x86 defines TARGET_HAS_PRECISE_SMC (target-i386/cpu.h), and the comment says,

    /* support for self modifying code even if the modified instruction is
       close to the modifying instruction */
    #define TARGET_HAS_PRECISE_SMC

I would like to know what it means and want to know more about it, but googling doesn't help. Would you mind shedding some light on that? Thanks.

Regards,
chenwj
Re: [Qemu-devel] What TARGET_HAS_PRECISE_SMC means?
> This enables support for handling the case where a guest instruction modifies the memory corresponding to the QEMU TB which it is in. For most CPU architectures this will (on hardware) give unpredictable results because of hardware prefetch / pipelining / caching, and so there's no need for QEMU to go to great lengths to support it (typically the CPU architecture requires some explicit act like a cache flush before starting to execute the modified code, which is where QEMU will flush its translation cache). On x86 actions like "modify the next instruction" have historically worked and so QEMU has to actually handle this.

I am trying to understand tb_invalidate_phys_page_range (exec.c), which has the TARGET_HAS_PRECISE_SMC macro inside.

---
void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
                                   int is_cpu_write_access)
{
#ifdef TARGET_HAS_PRECISE_SMC
    int current_tb_not_found = is_cpu_write_access;
#endif /* TARGET_HAS_PRECISE_SMC */

    ... snip ...

#ifdef TARGET_HAS_PRECISE_SMC
        if (current_tb_not_found) {
            current_tb_not_found = 0;
            current_tb = NULL;
            if (env->mem_io_pc) {
                /* now we have a real cpu fault */
                current_tb = tb_find_pc(env->mem_io_pc);
            }
        }
        if (current_tb == tb &&
            (current_tb->cflags & CF_COUNT_MASK) != 1) {
            current_tb_modified = 1;
            cpu_restore_state(current_tb, env, env->mem_io_pc, NULL);
            cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                 &current_flags);
        }
#endif /* TARGET_HAS_PRECISE_SMC */
}
---

From the backtrace I observed, the argument is_cpu_write_access is one only when the guest is doing MMIO (see below). And the part of tb_invalidate_phys_page_range that involves TARGET_HAS_PRECISE_SMC gets executed only when current_tb_not_found is one (equal to is_cpu_write_access). I mean, only then does it find current_tb, execute cpu_restore_state, etc.; otherwise it skips the whole thing. My question is, does MMIO change guest instructions? Because you said "This enables support for handling the case where a guest instruction modifies the memory corresponding to the QEMU TB which it is in", I did not expect that it's MMIO that modifies the guest memory.

---
#0  tb_invalidate_phys_page_range (start=229376, end=229380, is_cpu_write_access=1) at /tmp/chenwj/qemu-0.13.0/exec.c:985
#1  0x00508bd2 in tb_invalidate_phys_page_fast (start=229376, len=4) at /tmp/chenwj/qemu-0.13.0/exec.c:1112
#2  0x0050c69b in notdirty_mem_writel (opaque=0x0, ram_addr=229376, val=0) at /tmp/chenwj/qemu-0.13.0/exec.c:3120
#3  0x0054e3c1 in io_writel (physaddr=229376, val=0, addr=229376, retaddr=0x40016031) at /tmp/chenwj/qemu-0.13.0/softmmu_template.h:213
#4  0x0054e4ab in __stl_mmu (addr=229376, val=0, mmu_idx=0) at /tmp/chenwj/qemu-0.13.0/softmmu_template.h:245
---

Thanks!

Regards,
chenwj
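A compact model of the path the backtrace above walks, added here as an example and not QEMU's code: a store to a page that holds translated code leaves the fast path (the page is kept "not dirty" so the write is routed through notdirty_mem_writel) and reaches an invalidation routine with the exact byte range; with is_cpu_write_access set and the storing pc known, the routine can also tell whether the TB that executed the store wrote into its own bytes, which is the case TARGET_HAS_PRECISE_SMC exists for. `tb_t`, `tb_add`, `tb_invalidate_range`, `notdirty_mem_write`, `dma_write` and the guest-physical TB ranges in the self-test are assumptions of the example; real QEMU finds the current TB from the host return address, not from a guest pc.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TBS 64

typedef struct {
    uint64_t start;   /* guest-physical address of the TB's first byte */
    uint64_t end;     /* one past its last byte */
    int      valid;
} tb_t;

static tb_t tbs[MAX_TBS];

void tb_reset_all(void) { memset(tbs, 0, sizeof tbs); }

/* Register a translated block covering [pc, pc + size); returns its slot. */
int tb_add(uint64_t pc, uint64_t size) {
    for (int i = 0; i < MAX_TBS; i++) {
        if (!tbs[i].valid) {
            tbs[i].start = pc; tbs[i].end = pc + size; tbs[i].valid = 1;
            return i;
        }
    }
    return -1;
}

/* The model's tb_find_pc: which TB contains the instruction at pc? */
static const tb_t *tb_find_pc(uint64_t pc) {
    for (int i = 0; i < MAX_TBS; i++)
        if (tbs[i].valid && tbs[i].start <= pc && pc < tbs[i].end) return &tbs[i];
    return NULL;
}

/* Invalidate every TB overlapping [start, end). With is_cpu_write_access set,
 * mem_io_pc is the pc of the store; if the store landed inside the TB that
 * issued it, *current_modified is set: the rest of that TB's host code is
 * stale and execution must stop after the store and retranslate. Without
 * TARGET_HAS_PRECISE_SMC this check is skipped and the TB runs to its end. */
int tb_invalidate_range(uint64_t start, uint64_t end, int is_cpu_write_access,
                        uint64_t mem_io_pc, int *current_modified) {
    const tb_t *current_tb = is_cpu_write_access ? tb_find_pc(mem_io_pc) : NULL;
    int n = 0;
    *current_modified = 0;
    for (int i = 0; i < MAX_TBS; i++) {
        tb_t *tb = &tbs[i];
        if (!tb->valid || tb->end <= start || tb->start >= end) continue;
        if (tb == current_tb) *current_modified = 1;
        tb->valid = 0;
        n++;
    }
    return n;
}

/* A guest store to a page that holds translated code takes the notdirty slow
 * path, which hands the exact byte range and the storing pc down. */
int notdirty_mem_write(uint64_t addr, unsigned len, uint64_t store_pc, int *current_modified) {
    return tb_invalidate_range(addr, addr + len, 1, store_pc, current_modified);
}

/* DMA and other non-CPU writers have no current TB to protect. */
int dma_write(uint64_t addr, unsigned len) {
    int unused;
    return tb_invalidate_range(addr, addr + len, 0, 0, &unused);
}

/* Constructed scenario: two TBs, three kinds of store. */
int smc_selftest(void) {
    int modified;
    tb_reset_all();
    if (tb_add(0x1000, 16) != 0 || tb_add(0x2000, 32) != 1) return 0;
    /* store to 0x1004 issued from 0x1008: the running TB rewrote itself */
    if (notdirty_mem_write(0x1004, 4, 0x1008, &modified) != 1 || modified != 1) return 0;
    /* store into the other TB from code outside any TB */
    if (notdirty_mem_write(0x2010, 4, 0x3000, &modified) != 1 || modified != 0) return 0;
    /* nothing translated there */
    if (notdirty_mem_write(0x5000, 4, 0x3000, &modified) != 0) return 0;
    tb_reset_all();
    tb_add(0x1000, 16);
    if (dma_write(0x1000, 4) != 1) return 0;
    return 1;
}
```

smc_selftest() covers the three outcomes: a TB storing into its own bytes (invalidated and flagged as current_modified), a store from elsewhere (invalidated only), and a non-CPU writer, where no TB is current.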
Re: [Qemu-devel] [Bug 996303] Re: does not work with clang
On Wed, May 09, 2012 at 08:05:25AM -, Stevan Vucenovic wrote:
> Can you please show me where to find configure options or specific options to accomplish that?

`../qemu/configure --enable-tcg-interpreter` will use TCI rather than TCG. You can use `configure --help` to see what options it provides.
Re: [Qemu-devel] To run (replay) the intermediate micro-ops directly
> Does anyone know how to run (replay) the intermediate micro-ops directly? For example, I have traced some micro-op instructions, and want to see what happens with these instructions (after being translated into host code and then run). Probably with a Graphic User Interface. Any approach to do this in QEMU? Thanks.

Maybe take a look at http://lists.gnu.org/archive/html/qemu-devel/2008-07/msg00507.html

Regards,
chenwj
Re: [Qemu-devel] KVM call agenda for May, Tuesday 8th
> - QEMU documentation
>
> qemu-doc.texi is in a pretty awful state. I'm wondering if anyone has any ideas about how we can improve it. One thing we could do is move the entire contents of it to the wiki to allow for broader editing.

What's the status of qemu-tech.texi? ;)

> I'd also be really happy to have a documentation submaintainer if anyone is interested in the role. Other ideas?

IMHO, one of the problems is that documents are scattered out there, not in just one place. There are too many links on http://wiki.qemu.org/Manual. :/ If people can focus on one document, then it's easier to get it into good shape.

Regards,
chenwj
Re: [Qemu-devel] [RFC 1.1] Fix qemu in documentation for version 1.1?
> I think man pages and html documentation should be as correct as possible and therefore suggest replacing "qemu" by "qemu-system-i386" (or "qemu-system-x86_64", any other executable, or randomly selected executables?) in *texi.

How about "qemu-system-YOUR_TARGET"? Not everyone uses x86/x86_64, so I think replacing "qemu" with a particular name is inappropriate.

> When "qemu" is not used for the name of the executable, it should be written "QEMU".

Agreed. I have no idea about the remaining stuff. :)

Regards,
chenwj
Re: [Qemu-devel] API for single stepping an emulated CPU
> I am designing a virtual peripheral for Qemu, for which I need to single step through the program on the emulated CPU (my peripheral will be some kind of a debugger). My question is: is there an API to execute exactly one instruction in Qemu? I've already found the *_pause and *_resume functions, but they are - as far as I know - not applicable for my task.

Just a quick reply. QEMU system mode provides the -singlestep option. Maybe you can start from there and see how the single-stepping is done.

Regards,
chenwj
[Qemu-devel] How to build realview-pbx-a9 kernel/rootfs for QEMU by using buildroot?
Hi all,

I am trying to use buildroot to build a kernel/rootfs for realview-pbx-a9, then use QEMU to emulate realview-pbx-a9. However, I have trouble building a working image. buildroot provides some default configs for QEMU but not for realview-pbx-a9, so I borrowed qemu_arm_versatile_defconfig and made some modifications. Here is my flow,

---
# I download the kernel config from http://www.arm.com/community/software-enablement/linux.php
$ wget 'http://linux-arm.org/git?p=ael.git;a=blob_plain;f=kernel/config/config-ael-2011.06.00-vexpress-a9-smp-thumb;hb=2011.06'
$ make qemu_arm_versatile_defconfig
$ make menuconfig
# 1. Change "Target Architecture Variant" to cortex-A9
#
# 2. Change "Kernel version" to 2.6.38.7 (which is listed on the top of the
#    kernel config I just downloaded)
#
# 3. Change "Kernel configuration" to the kernel config I just downloaded
$ make
$ cd output/images/
$ qemu-system-arm -M realview-pbx-a9 -kernel zImage -hda rootfs.ext2 -append \
    "root=/dev/sda1 console=ttyAMA0" -nographic
Uncompressing Linux... done, booting the kernel.
---

The result is that QEMU hangs at the "Uncompressing Linux..." message. Any idea on which part I might have done wrong? I use QEMU git head and QEMU 0.13. Thanks in advance. :)

Regards,
chenwj
Re: [Qemu-devel] Optimization for amd CPUs without amd-v using sse2, 3, 4 instructions
On Sun, Apr 22, 2012 at 12:07:40PM +0800, 陳韋任 wrote:
>> I am using qemu to run VMs on my computer with an amd chip on board. However, my computer doesn't support amd-v, so the performance of the VM is low. I do have experience in optimization of programs using sse techniques. Is it possible to speed up qemu for those x86 chips that do not support hardware virtualization using sse instructions? If so, I would like to contribute to the qemu community.
>
> Without hardware virtualization (amd-v, for example), QEMU uses binary translation to run your VM. That is, each guest instruction executed by the VM is translated into TCG ops (QEMU IR), then translated into host instructions and executed. Perhaps you have to look at tcg/i386/*, which is the TCG ops -> host binary part. Or, you can look at target-i386/*, which is the guest binary -> TCG ops part. Currently, guest SIMD instructions are emulated by helper functions in a scalar manner. Maybe you can try to map guest SIMD into host SIMD.

Or, you can use LLVM to speed up QEMU! Just let LLVM worry about how to generate SSE instructions. ;)

Regards,
chenwj
Re: [Qemu-devel] Optimization for amd CPUs without amd-v using sse2, 3, 4 instructions
> I am using qemu to run VMs on my computer with an amd chip on board. However, my computer doesn't support amd-v, so the performance of the VM is low. I do have experience in optimization of programs using sse techniques. Is it possible to speed up qemu for those x86 chips that do not support hardware virtualization using sse instructions? If so, I would like to contribute to the qemu community.

Without hardware virtualization (amd-v, for example), QEMU uses binary translation to run your VM. That is, each guest instruction executed by the VM is translated into TCG ops (QEMU IR), then translated into host instructions and executed. Perhaps you have to look at tcg/i386/*, which is the TCG ops -> host binary part. Or, you can look at target-i386/*, which is the guest binary -> TCG ops part. Currently, guest SIMD instructions are emulated by helper functions in a scalar manner. Maybe you can try to map guest SIMD into host SIMD.

Good Luck!

Regards,
chenwj
Re: [Qemu-devel] qemu softmmu inlined lookup sequence
> what does the inline sequence look like? what kind of things (other than refill tlb) are performed in the callout but not the inlined sequence?

What do you mean by "the inline sequence", the host binary? If so,

---
0xe86c8
 mov_i32 tmp2,edi
 qemu_ld8u tmp0,tmp2,$0x0
 ext8u_i32 tmp12,tmp0
 movi_i32 tmp13,$0xff00
 and_i32 edx,edx,tmp13
 or_i32 edx,edx,tmp12

OUT: [size=172]
0x4ce0:  mov    0x1c(%r14),%ebp
0x4ce4:  mov    %ebp,%esi                  <--- (a)
0x4ce6:  mov    %ebp,%edi
0x4ce8:  shr    $0x7,%esi
0x4ceb:  and    $0xf000,%edi
0x4cf1:  and    $0x1fe0,%esi
0x4cf7:  lea    0x348(%r14,%rsi,1),%rsi
0x4cff:  cmp    (%rsi),%edi
0x4d01:  mov    %ebp,%edi
0x4d03:  jne    0x4d0e
0x4d05:  add    0x10(%rsi),%rdi
0x4d09:  movzbl (%rdi),%ebp
0x4d0c:  jmp    0x4d18
0x4d0e:  xor    %esi,%esi
0x4d10:  callq  0x54cf8e                   <--- (b)
0x4d15:  movzbl %al,%ebp
0x4d18:  movzbl %bpl,%ebp
0x4d1c:  mov    0x8(%r14),%ebx
---

The code between (a) and (b) is (almost) what a TLB lookup hit/miss looks like. If the TLB misses, it will call something like __ldb_mmu (b). __ldb_mmu will try to walk the guest page table, then fill the TLB entry if the page table walk hits, or raise a guest page fault exception if it misses.

HTH,
chenwj
Re: [Qemu-devel] qemu softmmu inlined lookup sequence
>> If the TLB misses, it will call something like __ldb_mmu (b). __ldb_mmu will try to walk the guest page table, then fill the TLB entry if the page table walk hits, or raise a guest page fault exception if it misses.
>
> Yep. That is what I was taught. The sequence of code above is inlined assembly for walking the TLB. In __ldx_mmu, the TLB is walked again? Why?
>
>     int index, shift;
>     target_phys_addr_t ioaddr;
>     unsigned long addend;
>     target_ulong tlb_addr, addr1, addr2;
>
>     index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
>  redo:
>     tlb_addr = env->tlb_table[mmu_idx][index].ADDR_READ;
>     if ((addr & TARGET_PAGE_MASK) == (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
>         ...
>     }
>     ...
>     ...
>     fill_tlb()
>     ...
> }

Perhaps __ldb_mmu is not only called in the TLB lookup sequence, I guess. But I am not sure of it.

Regards,
chenwj
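The fast path between (a) and (b) in the dump earlier in this thread and the slow path quoted above, as an added example in plain C that is not QEMU's code: a direct-mapped TLB indexed by `(addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1)`, a tag compare, and on a mismatch a refill from a stand-in page-table walk. `toy_cpu_state`, `walk_page_table`, the two constructed guest pages in `guest_map` and the two counters are assumptions of the example; `ldb_mmu` returns -1 where QEMU would raise the guest's page-fault exception.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE (1u << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(uint32_t)(TARGET_PAGE_SIZE - 1))
#define CPU_TLB_BITS     8
#define CPU_TLB_SIZE     (1 << CPU_TLB_BITS)
#define TLB_INVALID_MASK (1 << 3)      /* flag bit kept inside the tag word */

typedef struct {
    uint32_t  addr_read;   /* guest virtual page tag (low bits: flags) */
    uintptr_t addend;      /* host address minus guest virtual address */
} tlb_entry;

typedef struct {
    tlb_entry tlb_table[CPU_TLB_SIZE];
    uint32_t  tlb_fills;   /* slow-path refills */
    uint32_t  page_faults; /* guest page faults raised */
} toy_cpu_state;

/* Constructed guest address space: two mapped 4 KiB pages. */
#define N_GUEST_PAGES 2
static uint8_t guest_ram[N_GUEST_PAGES][TARGET_PAGE_SIZE];
static const uint32_t guest_map[N_GUEST_PAGES] = { 0x00001000u, 0x7ffff000u };

/* Stand-in for the architectural page-table walk: host page, or NULL. */
static uint8_t *walk_page_table(uint32_t vaddr) {
    for (int i = 0; i < N_GUEST_PAGES; i++)
        if ((vaddr & TARGET_PAGE_MASK) == guest_map[i]) return guest_ram[i];
    return NULL;
}

void tlb_flush(toy_cpu_state *env) {
    memset(env, 0, sizeof *env);
    for (int i = 0; i < CPU_TLB_SIZE; i++)
        env->tlb_table[i].addr_read = TLB_INVALID_MASK;  /* never equals a page tag */
}

/* Slow path (__ldb_mmu): re-check the entry, walk and refill on a miss, then
 * do the load. The compare is repeated here because this function must be
 * correct on its own, whatever called it; after a refill the same compare
 * succeeds and the load proceeds. */
int ldb_mmu(toy_cpu_state *env, uint32_t addr) {
    int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
    uint32_t tlb_addr = env->tlb_table[index].addr_read;
    if ((addr & TARGET_PAGE_MASK) !=
        (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
        uint8_t *host_page = walk_page_table(addr);
        if (host_page == NULL) {
            env->page_faults++;
            return -1;                       /* QEMU: raise guest page fault */
        }
        env->tlb_table[index].addr_read = addr & TARGET_PAGE_MASK;
        env->tlb_table[index].addend =
            (uintptr_t)host_page - (uintptr_t)(addr & TARGET_PAGE_MASK);
        env->tlb_fills++;
    }
    return *(uint8_t *)((uintptr_t)addr + env->tlb_table[index].addend);
}

/* Fast path, what the inlined sequence (a)..(b) does: index, tag compare,
 * add the addend and load; only a mismatch calls out to ldb_mmu. */
int qemu_ld8u(toy_cpu_state *env, uint32_t addr) {
    int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);   /* shr; and */
    const tlb_entry *e = &env->tlb_table[index];                    /* lea     */
    if ((addr & TARGET_PAGE_MASK) == e->addr_read)                  /* cmp; jne */
        return *(uint8_t *)((uintptr_t)addr + e->addend);           /* add; movzbl */
    return ldb_mmu(env, addr);                                      /* callq (b) */
}

/* Miss-and-fill, hit, second page, and an unmapped address. */
int tlb_selftest(void) {
    static toy_cpu_state env;
    tlb_flush(&env);
    guest_ram[0][0x010] = 0x42;
    guest_ram[1][0xfff] = 0x99;
    if (qemu_ld8u(&env, 0x00001010u) != 0x42 || env.tlb_fills != 1) return 0;   /* miss, fill */
    if (qemu_ld8u(&env, 0x00001011u) != 0x00 || env.tlb_fills != 1) return 0;   /* hit        */
    if (qemu_ld8u(&env, 0x7fffffffu) != 0x99 || env.tlb_fills != 2) return 0;   /* other page */
    if (qemu_ld8u(&env, 0x00003000u) != -1   || env.page_faults != 1) return 0; /* unmapped   */
    return 1;
}
```

The test reads the same page twice and tlb_fills stays at 1, which is the whole point of the inlined compare: the generated code only carries the hit case, and everything else (refill, fault, and in QEMU also I/O) lives in the one C function behind the callq.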
Re: [Qemu-devel] A error when gdb the newest branch, can you help me? Thank you very much!
> Thank you very much for your feedback, I found the reason: when I git pull to the newest branch and then use gdb 7.2, the error will happen; when I update gdb to 7.3, that is ok. But I don't know the reason. Maybe the newest branch brings something which isn't compatible with gdb.

Does gdb 7.2 support PIE? QEMU's default build is PIE. Try disabling the PIE build, then run gdb 7.2 again?

Regards,
chenwj
Re: [Qemu-devel] qemu softmmu inlined lookup sequence
On Tue, Apr 17, 2012 at 08:17:09PM +, Blue Swirl wrote:
> On Tue, Apr 17, 2012 at 05:40, Xin Tong xerox.time.t...@gmail.com wrote:
>> that is possible. but if that is the case, why not split the tlb walking and the tlb fill? can anyone please confirm?
> I sent a patch earlier that did something like that but it wasn't very successful: http://lists.nongnu.org/archive/html/qemu-devel/2012-04/msg00992.html

So functions like __ldb_mmu actually don't need to walk the TLB again? Why did you say the patch wasn't very successful? I don't see others' comments against the patch.

Regards,
chenwj
Re: [Qemu-devel] Question about the block linking limitation
> I've made a test from the grub multiboot sample, you may find it here: http://jcmvbkbc.spb.ru/git/?p=dumb/qemu-test-kernel.git;a=summary
> With it I see that an attempt to execute a TB that spans two pages causes an exception when the second page is unmapped. It happens because both tlb_flush and tlb_flush_page invalidate relevant tb_jmp_cache entries: the former flushes all of them, the latter flushes them for two adjacent pages around the given address. Later tb_find_fast fails to find a TB in the tb_jmp_cache and has to call tb_find_slow, which retranslates the TB, triggering a pagefault.

Thanks for the example, Max. But..., I want to repeat the experiment you did and cannot figure out how to do that. Would you mind giving me some hints? For example, how did you locate the TB spanning pages whose second page happened to be unmapped?

Also, I found something interesting in function cpu_exec (cpu-exec.c). The code snippet below will do block linking only when the target tb does NOT span guest pages. Is it necessary? According to your observation, it seems QEMU handles a tb spanning pages appropriately, so why does it still need to check if the target tb spans guest pages?

---
    if (next_tb != 0 && tb->page_addr[1] == -1) {
                        ^^^^^^^^^^^^^^^^^^^^^^^
        tb_add_jump((TranslationBlock *)(next_tb & ~3), next_tb & 3, tb);
    }
---

Finally, does the comment on gen_goto_tb (target-i386/translate.c) still hold? Maybe we should change it to something like "we handle the case where the block linking spans two pages here"?

---
    /* NOTE: we handle the case where the TB spans two pages here */
    if ((pc & TARGET_PAGE_MASK) == (tb->pc & TARGET_PAGE_MASK) ||
        (pc & TARGET_PAGE_MASK) == ((s->pc - 1) & TARGET_PAGE_MASK)) {
    }
---

Thanks!

Regards,
chenwj
Re: [Qemu-devel] Question about the block linking limitation
> s->pc is updated each time a byte of code is fetched; when an instruction is fully decoded s->pc points to the first byte of the next instruction. I see that it only makes a difference when a branching instruction ends exactly at a page boundary. In this case (s->pc - 1) prevents linking to the next page, which seems to be its main purpose.

That makes things clear to me. So, one tb is allowed to span guest pages, but not the linking between tbs, right?

From the previous discussion [1][2], you said the reason behind the block linking constraint is: if the guest page which the second tb2 belongs to is changed (swapped out or task switching), then QEMU has no chance to stop tb2 from executing. My question is, what makes tb2's execution invalid? The code of tb2 (in the code cache) is still the same, although the guest page containing tb2 is gone. Is it because tb2 needs something, like data, in the guest page?

Doesn't a tb spanning guest pages have the above problem? I mean, what if guest page 2 is changed? In this case, the execution flow jumps from tb.a to tb.b. It seems to me it may have the same problem as above.

 --------
| tb.a   |  guest page 1
 --------
| tb.b   |  guest page 2 (replaced with another guest code)
 --------

Any idea on that? Thanks!

Regards,
chenwj

[1] http://lists.nongnu.org/archive/html/qemu-devel/2011-08/msg02251.html
[2] https://lists.gnu.org/archive/html/qemu-devel/2011-09/msg03065.html
[Qemu-devel] Question about the block linking limitation
Hi all,

Could someone help me to confirm whether I understand the QEMU cross-page-boundary checking correctly or not? Below is the source code I am looking at,

static inline void gen_goto_tb(DisasContext *s, int tb_num, target_ulong eip)
{
    TranslationBlock *tb;
    target_ulong pc;

    pc = s->cs_base + eip;
    tb = s->tb;
    if ((pc & TARGET_PAGE_MASK) == (tb->pc & TARGET_PAGE_MASK) ||         <--- (1)
        (pc & TARGET_PAGE_MASK) == ((s->pc - 1) & TARGET_PAGE_MASK)) {    <--- (2)
    }
}

          (a)                             (b)

tb->pc --> +--------+          tb->pc --> +--------+
           |        |                     |        |
           |   tb   |                     |   tb   |
           |        |                     +--------+ <-- page boundary
           +--------+                     |        |
           |        |          s->pc  --> +--------+
           |        |                     |        |
pc     --> |        |          pc     --> |        |
           +--------+                     +--------+

My understanding is: if the tb itself doesn't cross a guest page boundary (a), then condition (1) is enough to check if the jump target (pc) is in the same guest page as the tb. Or, if the tb itself spans two guest pages (b), then we have to use condition (2) to check if the jump target (pc) is in the same guest page as the tb. In summary, checks (1) and (2) are used to avoid block linking that crosses a guest page boundary. Am I right?

If so far so good, I am curious about why we need (s->pc - 1) instead of just (s->pc). Could you shed some light on that? Thanks in advance!

Regards,
chenwj
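The two checks, together with the boundary case Max describes in this thread, as an added example that is not QEMU's code: `disas_ctx` stands in for the two DisasContext fields the checks read, `can_link_direct` is the condition from gen_goto_tb, and `can_link_direct_without_minus_one` is the same test with s->pc in place of s->pc - 1 so the difference can be exercised; the addresses in the self-test are constructed.

```c
#include <stdint.h>

#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_MASK (~(uint64_t)((1u << TARGET_PAGE_BITS) - 1))

/* The two DisasContext fields the checks read: tb->pc (first instruction of
 * the block) and s->pc (address just past the instruction being translated). */
typedef struct {
    uint64_t tb_pc;
    uint64_t s_pc;
} disas_ctx;

/* Condition (1): target lies in the page the TB starts in.
 * Condition (2): target lies in the page of the last byte of the branch
 * instruction (s->pc - 1), which may be the TB's second page. */
int can_link_direct(const disas_ctx *s, uint64_t target) {
    return (target & TARGET_PAGE_MASK) == (s->tb_pc & TARGET_PAGE_MASK)
        || (target & TARGET_PAGE_MASK) == ((s->s_pc - 1) & TARGET_PAGE_MASK);
}

/* Same test with s->pc instead of s->pc - 1, only to show what changes. */
int can_link_direct_without_minus_one(const disas_ctx *s, uint64_t target) {
    return (target & TARGET_PAGE_MASK) == (s->tb_pc & TARGET_PAGE_MASK)
        || (target & TARGET_PAGE_MASK) == (s->s_pc & TARGET_PAGE_MASK);
}

/* Branch whose last byte is 0x1fff (s->pc == 0x2000): no byte of page 0x2000
 * has been translated, so a direct link into it must be refused. */
int link_boundary_selftest(void) {
    const disas_ctx at_boundary = { 0x1f00, 0x2000 };   /* TB ends on the boundary */
    const disas_ctx spanning    = { 0x1f00, 0x2010 };   /* TB continues into page 2 */
    const disas_ctx one_page    = { 0x1000, 0x1020 };
    return can_link_direct(&at_boundary, 0x2040) == 0
        && can_link_direct_without_minus_one(&at_boundary, 0x2040) == 1  /* would link */
        && can_link_direct(&spanning, 0x2040) == 1                       /* (2) */
        && can_link_direct(&spanning, 0x1000) == 1                       /* (1) */
        && can_link_direct(&spanning, 0x3000) == 0
        && can_link_direct(&one_page, 0x1ff0) == 1
        && can_link_direct(&one_page, 0x2000) == 0;
}
```

The only input on which the two variants disagree is the branch that ends exactly on a page boundary; for a TB that really does continue into the next page (s->pc - 1 already in page 2) both accept a link into page 2, which is the case comment (2) is written for.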
Re: [Qemu-devel] Switch off use of helper functions
On Wed, Apr 04, 2012 at 02:56:37PM +0100, Rajat Goyal wrote:
> Is there any way in QEMU to switch off the use of helper functions and make it translate target code to TCG code using only TCG micro-ops and not calls to helper functions?

Writing TCG micro-ops to do the complicated tasks done by helper functions might not be so easy; that's why there are helper functions, we only need to do a simple call. Perhaps you need to write TCG micro-ops that achieve what the helper functions do on your own, then you can replace all helper function calls with those TCG micro-ops.

Regards,
chenwj
Re: [Qemu-devel] Monitor Instruction Execution
> How can I monitor the execution of some specific instructions (for example calls) of an application executing in linux-user mode? My first idea was inserting an interrupt (creating its proper handler) before all target instructions but I couldn't get it working. Any ideas on this?

How about inserting your own helper functions instead of an interrupt?

Regards,
chenwj
Re: [Qemu-devel] Debug single program in QEMU
> Could you tell me what kind of programs can be emulated in user-mode of QEMU?

User-mode can emulate programs compiled for a different ISA but with the same OS.

> It seems that only limited programs can be emulated in user-mode, like /bin/ls, and with warning. A lot of other programs cannot be emulated, like GUI programs, browser, etc.

Currently, I only emulate command line programs, i.e., something like `/bin/ls`. I am curious about running /bin/ls with a warning in your case. Can you elaborate on what your environment is? For example, what version of QEMU you're using, how you run the example program, and what kind of warning you get. I don't know whether QEMU can/cannot deal with GUI, but I think it should. You can also give us an example on that.

> Additionally, why so many instructions come out when I use -d in_asm to log? It's hard to find the real instructions of that single program...

You have to know that even a simple helloworld contains more instructions than you thought (dynamic linker, for example). My suggestion is using `objdump` at the same time to locate the function you're interested in, then look into the log.

Regards,
chenwj
[Qemu-devel] Why we need unlink tb when cpu_interrupt/cpu_exit get called?
Hi all,

I am wondering why we need to unlink the tb when cpu_interrupt/cpu_exit is called, and want to know what happens if we don't unlink the tb. In theory, QEMU wants the execution flow to come back from the code cache to QEMU itself so that interrupts can be handled as soon as possible. However, I ran linux-0.2.img with a modified QEMU whose cpu_unlink_tb does nothing. Everything seems to work fine. Is this experiment too trivial to show what bad things happen when we don't unlink the tb? Thanks! :)

Regards,
chenwj
Re: [Qemu-devel] Why we need unlink tb when cpu_interrupt/cpu_exit get called?
> Try following with and without tb unlinking on aforementioned image to feel the difference:
>
>   sh-2.05b# echo 'char main[]={0xeb,-2};' > h.c
>   sh-2.05b# tcc -run h.c

I think the example you gave me is an infinite loop, right? O.K., here is what I got.

Case 1. With tb unlinking - tcc runs infinitely and I can not stop it by using Ctrl + C. But I can use Ctrl + C to kill QEMU itself.

Case 2. Without tb unlinking (I commented out the function body of cpu_unlink_tb) - tcc runs infinitely and without any response.

In case 1, the guest OS can respond to my keyboard. Besides, Ctrl + C can not terminate QEMU, I have to use `kill` to stop it. Is this what you expect?

Regards,
chenwj
Re: [Qemu-devel] Monitor The Ram Access On QEMU
> Now I want to monitor memory access on QEMU (guest virtual or guest physical). I found that QEMU will translate arm instructions into TCG instructions, and the TCG instructions will be translated into X86 instructions. The function tcg_out_op (tcg/i386/tcg_target.c) will translate the TCG instructions into X86 instructions eventually. Does the case statement, just like OP_32_64(ld8u) and INDEX_op_qemu_ld8u etc., include all memory access routines from the X86 view? Is it proper for me to add some code in TCG -> X86 to monitor the ram access on QEMU?

TCG ops like qemu_ld/qemu_st are for address translation (guest virtual to host virtual) in system mode, that's all I can tell.

Regards,
chenwj
Re: [Qemu-devel] Monitor The Ram Access On QEMU
> Now I have some problem with the exception handling. I found the function do_interrupt in target-arm/helper.c and gen_exception in target-arm/translate.c seem to handle the exceptions. But I am confused with those two functions: which function will do the real work of generating an exception? As my understanding, I think "do_interrupt" seems to do some preparations before entering exceptions, just like operating some registers and accumulating the exception handler address. And gen_exception seems to do the real job of generating an exception. But I'm not sure.

An interrupt is an external source which breaks the current execution flow of the CPU. For example, a device might raise an interrupt so that the CPU can know the device has completed its task. On the other hand, an exception is an internal source which breaks the current execution flow of the CPU. Take divide by zero as an example: the CPU will detect this error (occurring in the CPU itself). So depending on what you mean by exception, do_interrupt or gen_exception might do the real work.

Regards,
chenwj
Re: [Qemu-devel] memory ordering emulation in qemu
On Thu, Mar 29, 2012 at 04:49:02PM -0400, Xin Tong wrote:
> I am wondering what the solution in qemu is if the guest architecture has a stronger memory ordering requirement than the host architecture? memory fences?

There was a thread with a similar discussion. See http://lists.gnu.org/archive/html/qemu-devel/2012-01/msg01897.html

Regards,
chenwj
Re: [Qemu-devel] [RFC 1/9] hostdev: introduce the infrastructure for host device model
On 28/03/2012 09:53, Zhi Yong Wu wrote:
> By the way, why have we not added one QOM cookbook to docs? It is very useful for us newbies to learn.

You can write what you learn during this work. This should be a good start! :)

Regards,
chenwj
Re: [Qemu-devel] [RFC 1/9] hostdev: introduce the infrastructure for host device model
On Wed, Mar 28, 2012 at 04:25:54PM +0800, Zhi Yong Wu wrote:
> On Wed, Mar 28, 2012 at 4:05 PM, 陳韋任 <che...@iis.sinica.edu.tw> wrote:
>> On 28/03/2012 09:53, Zhi Yong Wu wrote:
>>> By the way, why have we not added one QOM cookbook to docs? It is very useful for us newbies to learn.
>>
>> You can write what you learn during this work. This should be a good start! :)
>
> You know, i need to get enough skills now. :)

I mean make some notes during the work. Good luck!

Regards,
chenwj
Re: [Qemu-devel] [PATCH V2 0/4] MIPS ASE DSP Support for Qemu
> It would be better to break it up as patches each of which adds support for a coherent bite-sized subset of these instructions (so each individual patch includes the helper function declaration, implementation and translate.c changes for a smaller number of instructions).

I am reading the MIPS ASE DSP manual [1]. I think you can group those instructions as "Chapter 4. MIPS DSP ASE Instruction Summary" does. So you might have the following patches:

  [1/] MIPS ASE DSP Support - Arithmetic Sub-class (~50 ins)
  [2/] MIPS ASE DSP Support - GPR-Based Shift Sub-class (~22 ins)
  [3/] MIPS ASE DSP Support - Multiply Sub-class (~38 ins)
  [4/] MIPS ASE DSP Support - Bit/ Manipulation Sub-class (~6 ins)
  [5/] MIPS ASE DSP Support - Compare-Pick Sub-class (~18 ins)
  [6/] MIPS ASE DSP Support - Accumulator and DSPControl Access Sub-class (~21 ins)
  [7/] MIPS ASE DSP Support - Indexed-Load and Branch Sub-class (4 ins)
  [8/] MIPS ASE DSP Testcase

You can combine smaller subsets into a bigger one to make each patch equally sized. Each patch adding MIPS ASE DSP support should be self-contained, which means you can apply (and compile) them one-by-one with no error occurring. I think the testcase for all ASE DSP instructions can be just one patch.

Regards,
chenwj

[1] MIPS32® Architecture for Programmers Volume IV-e: The MIPS® DSP Application-Specific Extension to the MIPS32® Architecture
    http://www.mips.com/products/product-materials/processor/mips-architecture/
Re: [Qemu-devel] How To Boot Up Linux Kernel/Android on QEMU
> Another question, how can I boot up Android on QEMU?

IIRC, QEMU lacks some hw support needed by the Android platform, so the answer might be no.

Regards,
chenwj
Re: [Qemu-devel] Debug single program in QEMU
On Thu, Mar 15, 2012 at 01:26:44PM +0700, Mulyadi Santosa wrote:
> On Thu, Mar 15, 2012 at 09:12, Yue Chen <ycyc...@gmail.com> wrote:
>> Hi!~ Now I'd like to see what the micro-ops (intermediate operations generated by TCG) of a single Linux or Windows program are, any approach to do this under QEMU? Thanks.
>
> are you referring to Qemu system emulation or Qemu user mode?

Does that matter? I think -d op should be enough, right?

Regards,
chenwj
Re: [Qemu-devel] Debug single program in QEMU
O.K., then. You must specify which mode you're running, user mode or system mode. User mode shouldn't have the issue you described. For system mode, I have no good idea on how to track a specific program running on the guest OS.

On Thu, Mar 15, 2012 at 09:40:48AM -0400, Yue Chen wrote:
> But it is hard to localize a specific program instead of lots of logs.
>
> On Mar 15, 2012 4:14 AM, 陳韋任 <che...@iis.sinica.edu.tw> wrote:
>> On Thu, Mar 15, 2012 at 01:26:44PM +0700, Mulyadi Santosa wrote:
>>> On Thu, Mar 15, 2012 at 09:12, Yue Chen <ycyc...@gmail.com> wrote:
>>>> Hi!~ Now I'd like to see what the micro-ops (intermediate operations generated by TCG) of a single Linux or Windows program are, any approach to do this under QEMU? Thanks.
>>>
>>> are you referring to Qemu system emulation or Qemu user mode?
>>
>> Does that matter? I think -d op should be enough, right?

Regards,
chenwj
Re: [Qemu-devel] Debug single program in QEMU
http://qemu.weilnetz.de/qemu-doc.html#QEMU-User-space-emulator

On Thu, Mar 15, 2012 at 10:42:02PM -0400, Yue Chen wrote:
> So how to run a Windows program or Linux program under user mode? I cannot find useful documentation. Many thanks.
Re: [Qemu-devel] Doubts about qemu tcg/tci
CC'ed to the list.

>>> Am I misunderstanding something? How exactly does this reallocation happen (or where in the source code am I able to track and understand the process)?
>>
>> http://lugatgt.org/content/qemu_internals/downloads/slides.pdf
>> http://m1.archiveorange.com/m/att/1XS1v/ArchiveOrange_YD2LcLkRqU2so0i2Zoj99h2bwUsa.pdf
>>
>> Should be a good start.
>
> This was very insightful. Which is the book that contains the mentioned chapter? I would like to read it completely.

I don't know the book, but I think this chapter is good enough. :)

>>> Second, what exactly do the identifying letters of arguments counted in front of each instruction (i, o, c) mean? Is it too hard to create a patch on the disassembly function to also output its values?
>>
>> Sorry, I don't understand what you're trying to do. Where do you see those identifying letters?
>
> It is on the output generated with the -d out_asm option. One example:
>
>   0x6023d908: call o=0 i=1 c=2

From what you say below, I guess you're using TCI not TCG, right?

> Okay. I'm familiar with objdump, but I couldn't generate a similar output with qemu. All I could get was the IR with code cache addresses, and not a dump with the translated asm or even the IR with original addresses (like you mentioned above, also highlighting the function names). Is it possible for me to do?

Try to use TCG? :)

> Here is an example of what I'm trying to do: I'm trying to trace a process execution inside qemu and map every call instruction executed, being able to identify where this call led the execution flow. So far, I've been able to generate the out_asm output (which is built-in) and I also have modified the interpreter code to output the addresses of the instructions executed. Following the instructions executed I noticed that the calls are not modifying the code flow, as follows:
>
> Example out_asm code block:
>
>   0x6023d908: call o=0 i=1 c=2
>   0x6023d913: ext32u_i64 o=1 i=1 c=0
>   0x6023d917: shr_i64 o=1 i=2 c=0
>   0x6023d924: or_i64 o=1 i=2 c=0
>
> Example output generated by the tracer I inserted in tci:
>
>   CALL executed: 6023d908
>   Instruction executed: 6023d913
>   Instruction executed: 6023d917
>   Instruction executed: 6023d924

I *guess*, for example, the call is to call some helper functions which are normal C functions (target-i386/op_helper.c). What you record is only the execution flow in the code cache.

> As we see, the call didn't redirect the code (and it happens always with other calls in the code). I imagine that it is an optimization that places subsequent code on the code cache, to avoid the need to jump to somewhere else (so the call destination needs to be eagerly decided). So, how wrong am I about it? Is there some explanation I need to get or some source code I should read in order to understand better what is happening here?

See above.

> Finally, as I am trying to trace the functions called, is it possible for me to output the true address of the translated instruction instead of its code cache address? If yes, this would allow me to compare the generated trace with the dump of the IR, making it easy to draw a code flow graph.

I think you need to output the guest pc, which is usually something like `target_ulong pc`.

Regards,
chenwj
Re: [Qemu-devel] questions about pci
CC'ed to the list.

On Wed, Mar 07, 2012 at 07:47:08PM +0800, WanPeng Li wrote:
> On Tue, Mar 06, 2012 at 06:10:16PM +0800, 陳韋任 wrote:
>>> I read pci code in qemu about i440fx, pci.c and so on. I think if guest os whose mainboard is based on x86, it will use IO instructions to access PCI configuration space. If not use passthrough, qemu should emulate these operations. I find a function called kvm_handle_io who will
>>
>> Looks suspicious (kvm_handle_io). Prefix kvm means passthrough, I guess.
>
> If want to use passthrough, you should add additional options, but I'm not. so not use passthrough here.

Are you sure you are running into kvm_handle_io while booting a guest OS by using QEMU? I set a breakpoint at kvm_handle_io but never stopped at it. Or you're using KVM?

> I think you know something about PCI, so I need your help to confirm some details. In a physical machine based on x86 platform, for example, during the process of the kernel traversing pci devices, it needs to write pci configuration space; this influence will reach the configuration space by two registers (0xcf8, 0xcfc). In Qemu 0xcf8 and 0xcfc bind to some methods (read/write) of PHB. So every IO instruction (in/out) in guest os who intends to write pci configuration space should be captured by kvm then passed to qemu to emulate (if not use passthrough). In guest os IO

O.K., from here I am pretty sure you are talking about KVM which uses QEMU to emulate devices. I am not familiar with this part, so ...

> instructions just read/write 0xcf8, 0xcfc, then pci will parse the address and forward to the right device. In qemu it should first go through PHB who binds methods and 0xcf8/0xcfc, then parse the address by the code itself. right? So every pci read/write configuration space should go through PHB read/write methods first.

Regards,
chenwj
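For readers following the 0xcf8/0xcfc discussion above, here is an added C example of what "pci will parse the address" amounts to. It is constructed for this page and is not QEMU's, KVM's or the host bridge's code: it decodes the dword a guest writes to port 0xcf8 using the conventional PCI CONFIG_ADDRESS layout, rejects malformed values a device model should not act on, and maps a data-port access at 0xcfc..0xcff to the byte offset inside the selected function's configuration space. All sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Conventional PCI CONFIG_ADDRESS (port 0xcf8) layout:
 *   bit 31     enable
 *   bits 30:24 reserved, must be zero
 *   bits 23:16 bus
 *   bits 15:11 device
 *   bits 10:8  function
 *   bits 7:2   register (dword index)
 *   bits 1:0   must be zero
 * Constructed example, not QEMU code. */
struct cfg_addr {
    bool enable;
    uint8_t bus, dev, fn;
    uint8_t reg;   /* byte offset of the selected dword, 0..252 */
};

/* Decode a CONFIG_ADDRESS dword. Returns false when the enable bit is clear
 * or a reserved bit is set; a host-bridge model should ignore such accesses
 * rather than forward them to a device. */
bool decode_config_address(uint32_t v, struct cfg_addr *out)
{
    out->enable = (v >> 31) & 1;
    out->bus = (v >> 16) & 0xff;
    out->dev = (v >> 11) & 0x1f;
    out->fn  = (v >> 8) & 0x7;
    out->reg = v & 0xfc;
    return out->enable && (v & 0x7f000003u) == 0;
}

/* A 'size'-byte access to port 0xcfc..0xcff hits config byte offset
 * reg + (port - 0xcfc). The access must stay inside the selected dword. */
bool config_byte_offset(const struct cfg_addr *a, uint16_t port, unsigned size, unsigned *off)
{
    if (port < 0xcfc || port > 0xcff)
        return false;
    unsigned lane = port - 0xcfc;
    if (size == 0 || lane + size > 4)
        return false;
    *off = a->reg + lane;
    return true;
}

/* Convenience wrapper: full path from the 0xcf8 value and a data-port access
 * to the config-space byte offset, or -1 if either step rejects the access. */
int data_port_offset(uint32_t cfg_dword, uint16_t port, unsigned size)
{
    struct cfg_addr a;
    unsigned off;
    if (!decode_config_address(cfg_dword, &a))
        return -1;
    if (!config_byte_offset(&a, port, size, &off))
        return -1;
    return (int)off;
}

/* True when the dword decodes cleanly to exactly these fields. */
bool check_decode(uint32_t v, uint8_t bus, uint8_t dev, uint8_t fn, uint8_t reg)
{
    struct cfg_addr a;
    return decode_config_address(v, &a) &&
           a.bus == bus && a.dev == dev && a.fn == fn && a.reg == reg;
}

int main(void)
{
    /* Constructed: bus 0, device 20, function 1, register 0x10 (BAR0). */
    uint32_t v = 0x8000A110u;
    struct cfg_addr a;
    if (decode_config_address(v, &a))
        printf("0xcf8 <- %08x: bus %u dev %u fn %u reg 0x%02x\n",
               v, a.bus, a.dev, a.fn, a.reg);
    printf("16-bit access at 0xcfe -> config offset %d\n", data_port_offset(v, 0xcfe, 2));
    printf("32-bit access at 0xcfe (crosses dword) -> %d\n", data_port_offset(v, 0xcfe, 4));
    printf("enable bit clear -> %d\n", data_port_offset(0x0000A110u, 0xcfc, 4));
    return 0;
}
```

The two rejection paths are the ones worth keeping in a device model: a write with the enable bit clear or reserved bits set must not select a device, and a data-port access that would straddle the dword boundary has no defined target byte.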
Re: [Qemu-devel] [patch] correct tracing.txt
Simple patches should be cc'ed to qemu-triv...@nongnu.org :).

On Thu, Mar 08, 2012 at 04:24:52PM +0800, Jun Koi wrote:
> this patch corrects the configure's trace option in docs/tracing.txt
>
> Signed-off-by: Jun Koi <junkoi2...@gmail.com>

diff --git a/docs/tracing.txt b/docs/tracing.txt index ea29f2c..7b11d15 100644 --- a/docs/tracing.txt +++ b/docs/tracing.txt @@ -9,7 +9,7 @@ for debugging, profiling, and observing execution. 1. Build with the 'simple' trace backend: -./configure --trace-backend=simple +./configure --enable-trace-backend=simple make 2. Create a file with the events you want to trace:
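Review bot: the commit message says the option is "corrected" but gives no evidence for the new spelling; the hunk replaces `./configure --trace-backend=simple` with `./configure --enable-trace-backend=simple`, so the message should name where that form comes from (the configure script's help text or the commit that renamed the option) so the trivial-patches maintainer can verify it without digging.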
Re: [Qemu-devel] questions about pci
> I read pci code in qemu about i440fx, pci.c and so on. I think if guest os whose mainboard is based on x86, it will use IO instructions to access PCI configuration space. If not use passthrough, qemu should emulate these operations. I find a function called kvm_handle_io who will

Looks suspicious (kvm_handle_io). Prefix kvm means passthrough, I guess.

> emulate ioport write/read. I have traced this function, but I haven't found it has any relationship with pci read/write configuration space functions like i440fx_write_config and piix3_write_config. So how does it emulate pci configuration space access when not use passthrough?

`grep -r i440fx_write_config *` shows you that you should take a look at hw/piix_pci.c. Besides, setting a breakpoint at i440fx_write_config also shows you how it gets called.

HTH,
chenwj
Re: [Qemu-devel] IRQ number, interrupt number, interrupt line GPIO[in/out]
> Can anyone explain their relationship and the difference among them? It is very appreciated if you can make some comments. thanks.

I think IRQ number and interrupt number are quite similar things. You can check PIC [1] first, especially the 8259A [2]. When a device raises an interrupt, the interrupt is delivered to the CPU through the PIC. Each device attaches itself to one of the PIC's pins. Thus, when we say the IRQ number of device X is Y, it means device X attaches itself to PIC pin Y. The PIC will deliver the highest priority interrupt to the CPU.

The term interrupt line might appear in the PCI context [3]. The BIOS usually uses the interrupt line to represent which PIC pin the device attaches to. Note that PIC (Programmable Interrupt Controller) and PCI (Peripheral Component Interconnect) are different things.

GPIO [4] is mostly used on SoCs. It depends on the vendor how to use GPIO. One of GPIO's capabilities is similar to a PIC, I guess. But I leave this to SoC experts.

I strongly recommend the book [5] if you want to learn how things work.

HTH,
chenwj

[1] http://en.wikipedia.org/wiki/Programmable_Interrupt_Controller
[2] http://en.wikipedia.org/wiki/Intel_8259
[3] http://en.wikipedia.org/wiki/Conventional_PCI
[4] http://en.wikipedia.org/wiki/General_Purpose_Input/Output
[5] 系统虚拟化:原理与实现
Re: [Qemu-devel] Support for Nested Paging
> Does QEMU emulate the Nested Page Tables implemented by the AMD-V architecture or Intel VT?

I think the answer is no.

> Also I am trying to understand the QEMU source with an objective of participating in the Google Summer of Code and contributing to QEMU. I have tried tracing through the code but it seems this link http://repo.or.cz/w/qemu/stefanha.git/blob_plain/refs/heads/tracing:/docs/tracing.txt is not updated because many of the options do not work here. I would be very happy if someone could provide me links to a good starting point to understand the QEMU source code.

The tracing you mentioned is not intended to help with reading the code. Depending on which part of QEMU you're trying to play with, you need some background knowledge of it. See "Getting to know the code" on the QEMU wiki [1]. And the slides mentioned in the mail below are a good start.

http://www.mail-archive.com/qemu-devel@nongnu.org/msg99864.html

HTH,
chenwj

[1] http://wiki.qemu.org/Documentation/GettingStartedDevelopers#Getting_to_know_the_code
Re: [Qemu-devel] Doubts about qemu tcg/tci
> I'm trying to read the asm code generated with the -D qemu option, but I am having some difficulties.

Should be the -d option.

> First, I've seen that the generated asm is allocated in different address ranges. The beginning of the dump says:
>
>   end_code   0x080486dc
>   start_code 0x08048000

This is the guest binary range.

> but the first instruction's address is:
>
>   0x6022caf0

This is the address of the host binary in the code cache.

> Am I misunderstanding something? How exactly does this reallocation happen (or where in the source code am I able to track and understand the process)?

http://lugatgt.org/content/qemu_internals/downloads/slides.pdf
http://m1.archiveorange.com/m/att/1XS1v/ArchiveOrange_YD2LcLkRqU2so0i2Zoj99h2bwUsa.pdf

Should be a good start.

> Second, what exactly do the identifying letters of arguments counted in front of each instruction (i, o, c) mean? Is it too hard to create a patch on the disassembly function to also output its values?

Sorry, I don't understand what you're trying to do. Where do you see those identifying letters?

> Third, is there a trivial way for me to track an original function inside the generated asm dump? I mean, if I create a C function called foo(), that is called somewhere inside the main function, what should I do in order to find the translated instructions inside the outputted dump?

`objdump -D` should show you the address of the function you're interested in. For example, function foo() is located at 0x080483b4. You can look up qemu.log for that address. Also, it seems QEMU will log the function name, too. Say,

  IN: foo
  ---
  0x080483b4:  push   %ebp
  0x080483b5:  mov    %esp,%ebp
  0x080483b7:  pop    %ebp
  0x080483b8:  ret

> Finally, I've been trying to find material about how this translation works properly, but I've been unable to find much. Is there something I should be reading before asking around here? If yes, please, point me to it!

See above.

Regards,
chenwj
Re: [Qemu-devel] [PATCH v2] TCG: Convert global variables to be TLS.
> If you're serious about multithreading TCG then I think the first steps are:
>  * fix existing race conditions
>  * think very hard
>  * come up with an overall design for what you're proposing

As COREMU [1] points out, the current QEMU atomic instruction emulation approach is problematic. For example, a guest application might use the x86 xchg instruction to implement spin lock/unlock (addr is a shared memory location).

  spin_lock:
  try:
      r10 = 1;
      xchg addr, r10;
      if (r10 == 0) goto success;
  fail:
      pause;
      if (*addr != 0) goto fail;
      goto try;
  success:

  spin_unlock:
      *addr = 0;

After QEMU translation, the guest xchg instruction becomes

  spin_lock:
      helper_lock;
      T0 = r10;
      T1 = *addr;
      *addr = T0;
      r10 = T1;
      helper_unlock;

  spin_unlock:
      *addr = 0;

You can see the atomicity on which spin lock/unlock rely is broken. *addr = 0 can happen in between helper_lock/helper_unlock. COREMU solves this by using a lightweight software transactional memory to emulate atomic instructions. I think this issue is quite important if we want to make TCG multithreaded, right? Is there a better way to solve this?

Regards,
chenwj

[1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.187.6011&rep=rep1&type=pdf
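The lost atomicity can be shown without threads, by replaying the translated sequence step by step under a chosen interleaving. Here is an added C model (constructed for this page; not COREMU's or QEMU's code) in which one CPU executes the four translated micro-ops of xchg from the message above and another CPU executes spin_unlock's plain store `*addr = 0`, which helper_lock/helper_unlock do not serialize. It then tries every position of the unlock store relative to the micro-ops and compares against a single-step exchange. The micro-op names, the schedule strings and the initial lock state are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not COREMU or QEMU code). The locker CPU runs the
 * translated xchg above as four micro-ops; another CPU runs spin_unlock's
 * plain store *addr = 0, which helper_lock/helper_unlock do not serialize. */
enum { OP_T0_FROM_R10, OP_T1_FROM_MEM, OP_MEM_FROM_T0, OP_R10_FROM_T1, OP_DONE };

struct locker {
    uint32_t r10, t0, t1;
    int next;   /* next micro-op to execute */
};

static void locker_step(struct locker *l, uint32_t *addr)
{
    switch (l->next) {
    case OP_T0_FROM_R10: l->t0 = l->r10; break;   /* T0 = r10   */
    case OP_T1_FROM_MEM: l->t1 = *addr;  break;   /* T1 = *addr */
    case OP_MEM_FROM_T0: *addr = l->t0;  break;   /* *addr = T0 */
    case OP_R10_FROM_T1: l->r10 = l->t1; break;   /* r10 = T1   */
    default: return;
    }
    l->next++;
}

struct outcome {
    bool acquired;       /* r10 == 0 after the exchange: the lock was taken */
    uint32_t lock_word;  /* final value of *addr */
};

/* The bad state: the locker failed, yet the word reads 1 after the owner
 * released it. Nobody holds the lock and every later attempt spins forever. */
bool leaked(struct outcome o) { return !o.acquired && o.lock_word == 1; }

/* sched is a string of 'L' (one locker micro-op) and 'U' (the unlock store).
 * *addr starts at 1: held by the CPU that is about to unlock. */
struct outcome run_split(const char *sched)
{
    uint32_t addr = 1;
    struct locker l = { .r10 = 1, .next = OP_T0_FROM_R10 };
    for (const char *p = sched; *p; p++) {
        if (*p == 'L')
            locker_step(&l, &addr);
        else if (*p == 'U')
            addr = 0;                      /* spin_unlock on the other CPU */
    }
    while (l.next != OP_DONE)              /* finish any remaining micro-ops */
        locker_step(&l, &addr);
    return (struct outcome){ l.r10 == 0, addr };
}

/* Same schedule, but the exchange is one indivisible step, as hardware xchg is. */
struct outcome run_atomic(const char *sched)
{
    uint32_t addr = 1, r10 = 1;
    bool done = false;
    for (const char *p = sched; *p; p++) {
        if (*p == 'L' && !done) { uint32_t old = addr; addr = r10; r10 = old; done = true; }
        else if (*p == 'U') addr = 0;
    }
    if (!done) { uint32_t old = addr; addr = r10; r10 = old; }
    return (struct outcome){ r10 == 0, addr };
}

/* Every position of the unlock store among the four micro-ops. */
bool split_can_leak(void)
{
    const char *scheds[] = { "ULLLL", "LULLL", "LLULL", "LLLUL", "LLLLU" };
    for (size_t i = 0; i < sizeof scheds / sizeof scheds[0]; i++)
        if (leaked(run_split(scheds[i])))
            return true;
    return false;
}

bool atomic_can_leak(void)
{
    return leaked(run_atomic("UL")) || leaked(run_atomic("LU"));
}

int main(void)
{
    struct outcome o = run_split("LLULL");   /* unlock lands between the load and the store */
    printf("split xchg, unlock between T1 = *addr and *addr = T0: acquired=%d lock=%u leaked=%d\n",
           o.acquired, (unsigned)o.lock_word, leaked(o));
    printf("split can leak: %d, atomic can leak: %d\n", split_can_leak(), atomic_can_leak());
    return 0;
}
```

The schedule "LLULL" is the interleaving the message describes: the locker reads 1 into T1, the owner releases, the locker writes its stale 1 back and concludes it failed, so the lock word is 1 with no owner. With a single-step exchange the release can only land before or after the exchange, and neither order produces that state, which is what a software transactional memory or any other mechanism that makes the guest's atomic instruction indivisible has to restore.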
Re: [Qemu-devel] QOM: why klass used instead of class ?
On Wed, Feb 29, 2012 at 10:59:54AM +0400, Michael Tokarev wrote:
> On 29.02.2012 09:52, Evgeny Voevodin wrote:
>> include/qemu/object.h:
>> []
>>  * void my_device_class_init(ObjectClass *klass, void *class_data)
>>  * {
>>  *     DeviceClass *dc = DEVICE_CLASS(klass);
>>  *     dc->reset = my_device_reset;
>>  * }
>>
>> Why to use klass, not class?
>
> Because in C++, class is a reserved word. It is quite typical idiom to replace class with klass in (public) headers.

I thought QEMU is written in C, right? Is there anything related to C++?

Regards,
chenwj
[Qemu-devel] How QEMU handle precise exception?
Hi all,

I would like to know how QEMU handles precise exceptions. Basically, QEMU needs to maintain a well-defined guest architecture state (registers + memory) before returning to the exception handler.

For the guest registers, does QEMU save the guest registers (except the guest pc) before every guest instruction which might raise an exception?

For the guest memory, is it because of how QEMU does the following (see below) that guest memory is in a consistent state when a guest exception occurs?

  - Emulate guest store memory operations in the same order as in the original program order.
  - Emulate all potentially trapping guest instructions in the same order with respect to the guest store instructions.

Thanks!

Regards,
chenwj
Re: [Qemu-devel] [PATCH v2] TCG: Convert global variables to be TLS.
> Certainly would :) Also I've studied COREMU: http://ppi.fudan.edu.cn/_media/publications%3Bcoremu-ppopp11.pdf But they are based on v0.14 as I can remember and it seems that this project is not going to come upstream. Anyway, there are a lot of useful approaches they took while facing different problems on the way of parallelizing the TCG. I'm sure that those approaches should be used in future work.

FWIW, the COREMU maintainer tends to upstream their work but they have another project to do right now, so ... ;)

Regards,
chenwj
Re: [Qemu-devel] [PATCH v2] TCG: Convert global variables to be TLS.
On Tue, Feb 28, 2012 at 08:10:58AM +, Peter Maydell wrote:
> On 28 February 2012 03:13, Evgeny Voevodin <e.voevo...@samsung.com> wrote:
>> I wanted to get some feedback and points to show up a direction to move in this field. And qomification of translation caches is an interesting suggestion I think.
>
> If you're serious about multithreading TCG then I think the first steps are:
>  * fix existing race conditions
>  * think very hard
>  * come up with an overall design for what you're proposing
>
> You won't get there by incremental steps unless you know where you're going...

Would the paper "PQEMU: A Parallel System Emulator Based on QEMU" [1] help on this?

Regards,
chenwj

[1] http://www.cs.nthu.edu.tw/~ychung/conference/ICPADS2011.pdf
Re: [Qemu-devel] Help me about the FDC
> 3: or give me some introduce of FDC.

http://en.wikipedia.org/wiki/Floppy_disk_controller

HTH,
chenwj
Re: [Qemu-devel] Help me about the FDC
> 2: explain the struct of FDCtrl;

In order to know what those fields in FDCtrl mean, you might need to read ftp://download.intel.com/design/archives/periphrl/docs/29047504.pdf first. As the comment in hw/fdc.c says, it's Intel 82078 floppy disk controller emulation.

Regards,
chenwj
Re: [Qemu-devel] [PATCH v2] Fix dependency issue introduced by commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8
Hi Stefan,

Peter already fixed this issue [1]. Please ignore my patch, thanks!

Regards,
chenwj

[1] http://patchwork.ozlabs.org/patch/142306/
Re: [Qemu-devel] [PATCH v2] Fix dependency issue introduced by commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8
> ...which Peter has already done: http://patchwork.ozlabs.org/patch/142306/
> Please coordinate with him.

O.K., I already told Stefan to ignore my patch. :) Thanks!

Regards,
chenwj
Re: [Qemu-devel] arm-linux-user, i386-linux-user: Make QEMU act as TCG compiler
Hi Rajat,

Great work! It seems this is kind of like static compilation, right? I think people are more interested in using QEMU as a dynamic translator as a library. Would you mind telling me what scenario your work aims at?

Regards,
chenwj
[Qemu-devel] [PATCH] Fix dependency issue introduced by commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8
Commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 adds a basic version of the bridge helper, but introduces a dependency issue at the same time. While building target xxx-linux-user, qemu-bridge-helper.c needs config-host.h, which is not generated at the moment. Building the recurse-all target first fixes the problem.

Signed-off-by: Chen Wei-Ren <che...@iis.sinica.edu.tw>
---
 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Makefile b/Makefile index e66e885..618b306 100644 --- a/Makefile +++ b/Makefile @@ -79,7 +79,7 @@ defconfig: -include config-all-devices.mak -build-all: $(DOCS) $(TOOLS) $(HELPERS-y) recurse-all +build-all: $(DOCS) $(TOOLS) recurse-all $(HELPERS-y) config-host.h: config-host.h-timestamp config-host.h-timestamp: config-host.mak -- 1.7.3.4
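Review bot: the build-all hunk only reorders prerequisites (`build-all: $(DOCS) $(TOOLS) recurse-all $(HELPERS-y)`), which relies on make building them left to right; with a parallel build (-j) recurse-all and $(HELPERS-y) are still independent from make's point of view, so qemu-bridge-helper can again be compiled before config-host.h exists. Express the dependency directly instead, e.g. a rule `qemu-bridge-helper$(EXESUF): config-host.h` next to the existing `config-host.h: config-host.h-timestamp` rule shown in the context lines.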
[Qemu-devel] [PATCH v2] Fix dependency issue introduced by commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8
Commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 adds a basic version of the bridge helper, but introduces a dependency issue at the same time. While building target xxx-linux-user, qemu-bridge-helper.c needs config-host.h, which is not generated at the moment. Explicitly declare the dependency for the helper in the Makefile.

Signed-off-by: Chen Wei-Ren <che...@iis.sinica.edu.tw>
---
v2: Explicitly declare the dependency for the helper instead of relying on ordering side-effects.

 Makefile | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Makefile b/Makefile index e66e885..1b2488c 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ $(call set-vpath, $(SRC_PATH):$(SRC_PATH)/hw) LIBS+=-lz $(LIBS_TOOLS) -HELPERS-$(CONFIG_LINUX) = qemu-bridge-helper$(EXESUF) +HELPERS-$(CONFIG_LINUX) : config-host.h qemu-bridge-helper$(EXESUF) ifdef BUILD_DOCS DOCS=qemu-doc.html qemu-tech.html qemu.1 qemu-img.1 qemu-nbd.8 QMP/qmp-commands.txt -- 1.7.3.4
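Review bot: the replacement line `HELPERS-$(CONFIG_LINUX) : config-host.h qemu-bridge-helper$(EXESUF)` is no longer a variable assignment but a rule whose target is the literal name HELPERS-y, so the HELPERS-y variable that build-all consumes becomes empty and the bridge helper is never built, while the intended ordering between config-host.h and the helper is still not expressed. Keep the original `HELPERS-$(CONFIG_LINUX) = qemu-bridge-helper$(EXESUF)` line and add a separate dependency rule such as `qemu-bridge-helper$(EXESUF): config-host.h`.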
Re: [Qemu-devel] [Qemu-trivial] [PATCH] Fix dependency issue introduced by commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8
On Tue, Feb 21, 2012 at 12:27:26PM +0000, Stefan Hajnoczi wrote:
> On Tue, Feb 21, 2012 at 10:12 AM, 陳韋任 che...@iis.sinica.edu.tw wrote:
> > Commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 adds a basic version of the bridge helper, but introduces a dependency issue at the same time. While building target xxx-linux-user, qemu-bridge-helper.c needs config-host.h, which is not generated at the moment. Building the recurse-all target first fixes the problem.
>
> The build system should not rely on ordering side-effects. Instead, please explicitly declare the dependency for the helper or see if the dependency can be eliminated if it is inappropriate.

O.K., since the dependency cannot be eliminated, I'll explicitly declare the dependency for the helper.

Regards,
chenwj
Re: [Qemu-devel] [MASCOT CONTEST] Alex Bradbury #1
+1
Re: [Qemu-devel] [MASCOT CONTEST] Benoit Canet #2
+1
Re: [Qemu-devel] [MASCOT CONTEST] Wei-Ren Chen #2
+1
Re: [Qemu-devel] [MASCOT CONTEST] Andreas Faerber #1
+1
Re: [Qemu-devel] [MASCOT CONTEST] Clare Liguori #1
+1
Re: [Qemu-devel] [MASCOT CONTEST] Wei-Ren Chen #3
+1
Re: [Qemu-devel] [MASCOT CONTEST] Wei-Ren Chen #5
+1
Re: [Qemu-devel] How to follow a child process created in the guest OS?
On Fri, Feb 10, 2012 at 11:48:05PM +0000, Paul Brook wrote:
> > I am running this tiny OS on QEMU then using GDB to connect to it. I want to follow task 1 after the fork, but it seems that GDB sticks with task 0 and cannot follow task 1 even if I do `set follow-fork-mode child`.
>
> You have exactly one CPU. That's what the qemu GDB stub exposes. Multiple processes are an illusion created by your operating system. It is not something qemu knows or cares about.
>
> In most cases if you want to do debugging within that OS created illusion (aka a userspace process) then you probably don't want to be using a hardware debug probe (i.e. the qemu gdb stub) at all. Instead you want to be using the debug facilities provided by your operating system. On linux this would be ptrace, probably via gdbserver.

I see. Thanks.

Regards,
chenwj
Re: [Qemu-devel] how could I analyze the trace log?
> I just guess the format of the input events file of simpletrace.py. For so many available events, how could I specify the format of all those events?

http://repo.or.cz/w/qemu/stefanha.git/blob_plain/refs/heads/tracing:/docs/tracing.txt

Reading "Trace events" might help.

Regards,
chenwj
Re: [Qemu-devel] How to follow a child process created in the guest OS?
On Fri, Feb 10, 2012 at 08:14:41AM +0000, Stefan Hajnoczi wrote:
> On Thu, Feb 09, 2012 at 06:33:16PM +0800, 陳韋任 wrote:
> > The question is not so related to QEMU itself, but I want to give it a try. I am running a tiny OS on QEMU and debugging it with gdbstub. The tiny OS will fork process 1, 2, ... and so on. I want to follow the child process, but the GDB command `set follow-fork-mode child` doesn't work. This seems to be a bug or missing feature in the GDB remote protocol. [1] Is there a way to do what I'm trying to do? Thanks!
>
> I'm confused. If you are running a system emulator with a guest OS inside then GDB's process-level features are not available. The QEMU gdbstub gives you access at the system-level. If you want to debug guest processes, run gdb inside the guest.

Hope the code snippet below can clarify what I am trying to do.

- Tiny OS code -

void main(void)         /* This really IS void, no error here. */
{
    /* initialize environment */
    sti();
    move_to_user_mode();
    if (!fork()) {      /* we count on this going ok */
        init();         // task 1
    }
    for (;;)
        pause();        // task 0
}

I am running this tiny OS on QEMU then using GDB to connect to it. I want to follow task 1 after the fork, but it seems that GDB sticks with task 0 and cannot follow task 1 even if I do `set follow-fork-mode child`. Thanks!

Regards,
chenwj
Re: [Qemu-devel] spawning and killing threads in qemu
On Wed, Feb 08, 2012 at 09:40:08PM -0500, Xin Tong wrote:
> can you show me where these threads get created in the qemu code ?

If you mean the vcpu thread, see cpu_x86_init (target-i386/helper.c). At the end of this function,

CPUX86State *cpu_x86_init(const char *cpu_model)
{
    qemu_init_vcpu(env);    <---
    return env;
}

Just follow qemu_init_vcpu and you'll see how the vcpu thread is spawned.

Regards,
chenwj
[Qemu-devel] How to follow a child process created in the guest OS?
Hi all,

The question is not so related to QEMU itself, but I want to give it a try. I am running a tiny OS on QEMU and debugging it with gdbstub. The tiny OS will fork process 1, 2, ... and so on. I want to follow the child process, but the GDB command `set follow-fork-mode child` doesn't work. This seems to be a bug or missing feature in the GDB remote protocol. [1] Is there a way to do what I'm trying to do? Thanks!

Regards,
chenwj

[1] http://sourceware.org/bugzilla/show_bug.cgi?id=13584
Re: [Qemu-devel] spawning and killing threads in qemu
Hi Stefan,

Thanks for the explanation. :)

> > Qemu 1.0 enables the IO thread by default, I think that's why you can see there are two threads. You can check block/raw-posix-aio.h, posix-aio-compat.c and linux-aio.c.
>
> --enable-io-thread is different from posix-aio-compat.c's thread pool.

The option --enable-io-thread should have been gone since QEMU 1.0, right? Or do you just use the term to mean the IO thread?

> --enable-io-thread means there is a dedicated thread (created at startup) which runs the event loop.

I want to know where the IO thread is launched, but I am lost in vl.c. Would you mind shedding some light on that?

> The temporary threads you are seeing are indeed posix-aio-compat.c worker threads. They execute blocking I/O system calls so that the QEMU event loop can continue to process events while I/O operations are running.

So, the IO thread runs the event loop (I think it's main_loop_wait in main-loop.c, right?), and it leaves blocking I/O system calls to the posix-aio-compat.c worker threads? Is that correct? Thanks!

Regards,
chenwj
Re: [Qemu-devel] Get only TCG code without execution
> As x86 doesn't use or need barrier instructions, when translating x86 to (say) run on ARM host, multi-threaded code that needs barriers isn't easy to detect, so barriers may be required between every memory access in the generated ARM code.

Sounds awful to me. Regardless of current QEMU's support for multi-threaded applications, is it possible to emulate an architecture with a stronger memory model on a weaker one?

Regards,
chenwj
[Qemu-devel] [PATCH v2] cpu-exec.c: Correct comment about this file and indentation cleanup
Each target uses a #define macro (in target-xxx/cpu.h) to rename cpu_exec (cpu-exec.c) to cpu_xxx_exec, then defines its own cpu_loop which calls cpu_xxx_exec. So basically, cpu-exec.c is not the i386 (only) emulator main execution loop. This patch corrects the comment of this file and does indentation cleanup.

Signed-off-by: Chen Wei-Ren (陳韋任) che...@iis.sinica.edu.tw
---
v1 -> v2: Didn't notice the tab in the previous patch, please use this patch instead. Sorry about that.

cpu-exec.c | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cpu-exec.c b/cpu-exec.c index a9fa608..2c2d24e 100644 --- a/cpu-exec.c +++ b/cpu-exec.c @@ -1,5 +1,5 @@ /* - * i386 emulator main execution loop + * emulator main execution loop * * Copyright (c) 2003-2005 Fabrice Bellard * @@ -304,7 +304,7 @@ int cpu_exec(CPUState *env) env-hflags2 |= HF2_NMI_MASK; do_interrupt_x86_hardirq(env, EXCP02_NMI, 1); next_tb = 0; - } else if (interrupt_request CPU_INTERRUPT_MCE) { +} else if (interrupt_request CPU_INTERRUPT_MCE) { env-interrupt_request = ~CPU_INTERRUPT_MCE; do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0); next_tb = 0; @@ -390,7 +390,7 @@ int cpu_exec(CPUState *env) next_tb = 0; } } - } +} #elif defined(TARGET_ARM) if (interrupt_request CPU_INTERRUPT_FIQ !(env-uncached_cpsr CPSR_F)) { @@ -429,7 +429,7 @@ int cpu_exec(CPUState *env) { int idx = -1; /* ??? This hard-codes the OSF/1 interrupt levels. */ - switch (env-pal_mode ? 7 : env-ps PS_INT_MASK) { +switch (env-pal_mode ? 7 : env-ps PS_INT_MASK) { case 0 ... 3: if (interrupt_request CPU_INTERRUPT_HARD) { idx = EXCP_DEV_INTERRUPT; @@ -562,7 +562,7 @@ int cpu_exec(CPUState *env) barrier(); if (likely(!env-exit_request)) { tc_ptr = tb-tc_ptr; -/* execute the generated code */ +/* execute the generated code */ next_tb = tcg_qemu_tb_exec(env, tc_ptr); if ((next_tb 3) == 2) { /* Instruction counter expired. */ -- 1.7.3.5
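Review bot: the first hunk (the file comment) is a different logical change from the other four, which are whitespace-only edits to the CPU_INTERRUPT_MCE else-if, the closing brace before #elif defined(TARGET_ARM), the Alpha switch and the /* execute the generated code */ comment; split the indentation cleanup into its own patch so each change can be reviewed and bisected on its own. In those four hunks the '+' lines as shown here carry no leading indentation at all ('+} else if (interrupt_request ...', '+switch (env-pal_mode ...'), so please confirm the replacement re-indents with spaces to the original column rather than dropping the indentation.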
[Qemu-devel] [PATCH] cpu-exec.c: Correct comment about this file and indentation cleanup
Each target uses a #define macro (in target-xxx/cpu.h) to rename cpu_exec (cpu-exec.c) to cpu_xxx_exec, then defines its own cpu_loop which calls cpu_xxx_exec. So basically, cpu-exec.c is not the i386 (only) emulator main execution loop. This patch corrects the comment of this file and does indentation cleanup.

Signed-off-by: Chen Wei-Ren (陳韋任) che...@iis.sinica.edu.tw
---
cpu-exec.c | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cpu-exec.c b/cpu-exec.c index a9fa608..f7f19f5 100644 --- a/cpu-exec.c +++ b/cpu-exec.c @@ -1,5 +1,5 @@ /* - * i386 emulator main execution loop + * emulator main execution loop * * Copyright (c) 2003-2005 Fabrice Bellard * @@ -304,7 +304,7 @@ int cpu_exec(CPUState *env) env-hflags2 |= HF2_NMI_MASK; do_interrupt_x86_hardirq(env, EXCP02_NMI, 1); next_tb = 0; - } else if (interrupt_request CPU_INTERRUPT_MCE) { + } else if (interrupt_request CPU_INTERRUPT_MCE) { env-interrupt_request = ~CPU_INTERRUPT_MCE; do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0); next_tb = 0; @@ -390,7 +390,7 @@ int cpu_exec(CPUState *env) next_tb = 0; } } - } + } #elif defined(TARGET_ARM) if (interrupt_request CPU_INTERRUPT_FIQ !(env-uncached_cpsr CPSR_F)) { @@ -429,7 +429,7 @@ int cpu_exec(CPUState *env) { int idx = -1; /* ??? This hard-codes the OSF/1 interrupt levels. */ - switch (env-pal_mode ? 7 : env-ps PS_INT_MASK) { + switch (env-pal_mode ? 7 : env-ps PS_INT_MASK) { case 0 ... 3: if (interrupt_request CPU_INTERRUPT_HARD) { idx = EXCP_DEV_INTERRUPT; @@ -562,7 +562,7 @@ int cpu_exec(CPUState *env) barrier(); if (likely(!env-exit_request)) { tc_ptr = tb-tc_ptr; -/* execute the generated code */ +/* execute the generated code */ next_tb = tcg_qemu_tb_exec(env, tc_ptr); if ((next_tb 3) == 2) { /* Instruction counter expired. */ -- 1.7.3.5
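Review bot: in the four indentation hunks the removed and added lines read identically here ('- } else if (interrupt_request ...' / '+ } else if (interrupt_request ...'), so the only difference is invisible whitespace, and the v2 note on this series confirms a tab slipped into the replacement. QEMU's coding style is four-space indentation with no tabs, so re-indent those lines with spaces; keeping the whitespace cleanup in a separate patch from the comment fix would also make the review easier.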
Re: [Qemu-devel] Is there any document about qemu's kernel boot loader?
On Thu, Feb 02, 2012 at 10:48:13AM +0800, 杨亮 wrote:
> Hi, recently I am focusing on KVM (kernel virtualization machine), in which the device simulation employs Qemu's code directly. Still, Qemu can run the Guest OS alone, from kernel boot to device simulation. Device simulation is somehow easy to comprehend. As for kernel boot, is there any detailed document? I need some to make it clearer.

I guess not. You might need to read the source code first, then ask questions here. :)

Regards,
chenwj
Re: [Qemu-devel] libqemu for use in parallel-language based simulator
Hi Sean,

> libqemu appears to be the heart of what we need. Just the core functionality of a processor's instruction-set. We will need a few thousand or so separate processor-states, similar to how COREMU has multiple processor states.

libqemu is gone. Maybe you can try libcpu [1] instead?

Regards,
chenwj

[1] http://www.libcpu.org/wiki/Main_Page
Re: [Qemu-devel] virtual pc hash table vs physical pc hash table
On Fri, Jan 20, 2012 at 08:49:56AM -0500, Xin Tong wrote:
> maybe one of the reasons of having the virtual pc hash table is that the pc does not need to be translated to a physical pc which is used in the physical pc hash table.

Take a context switch as an example. Before the context switch, you can use process A's virtual pc to index the virtual pc hash table. After the context switch, the original virtual pc hash table is no longer valid since process B has the same virtual address space. Therefore, QEMU turns to using the (guest) physical pc to index the physical pc hash table. If the tb of process B already exists, QEMU refills the virtual pc hash table. Otherwise, it does the translation.

Regards,
chenwj
Re: [Qemu-devel] nested page table translation for non-x86 operating system
On Fri, Jan 20, 2012 at 08:54:12AM -0500, Xin Tong wrote:
> On Fri, Jan 20, 2012 at 3:23 AM, 陳韋任 che...@iis.sinica.edu.tw wrote:
> > > 1. The control of gCR3 and hCR3 needs kernel access. While they can be set with a device module as what is done in kvm. Trapping into the kernel every time gCR3 is reset might be too expensive.
> >
> > Why does the control of gCR3 need kernel access? Isn't gCR3 just a field of the CPUX86State? QEMU should have control of it. Or do you mean the trapping thing?
>
> I do not think gCR3 is a field in the CPUx86State. I think in order to change the guest CR3, we need to trap into the kernel as kvm does.

If your scenario is pure QEMU (without kvm), I think gCR3 is a field in the CPUX86State. See below,

typedef struct CPUX86State {
    ...
    target_ulong cr[5]; /* NOTE: cr1 is unused */
    ...
};

Or do I misunderstand what you're trying to do?

Regards,
chenwj
Re: [Qemu-devel] longjmp in qemu
On Sat, Jan 28, 2012 at 05:17:56PM -0500, Xin Tong wrote:
> I am investigating what longjmp is used for in qemu. longjmp is used in a couple of places.
>
> 1.
> void cpu_loop_exit(void)
> {
>     env->current_tb = NULL;
>     longjmp(env->jmp_env, 1);
> }
>
> cpu_loop_exit is called when there is an interrupt_request or exit_request pending

Yes.

> 2.
> void cpu_resume_from_signal(CPUState *env1, void *puc)
> {
>     ...
>     longjmp(env->jmp_env, 1);
> }
>
> cpu_resume_from_signal is called in a couple of places, each of which suggests something faulty has happened. my guess is that it will get called when exceptions have occurred in the code cache. Am I right ?

Not exactly. `grep -r cpu_resume_from_signal` shows the places using cpu_resume_from_signal. Not all of them mean something faulty has happened, I think.

Regards,
chenwj
Re: [Qemu-devel] TCG register allocator
On Wed, Jan 25, 2012 at 01:58:10PM -0500, Xin Tong wrote:
> I am working on extending coremu (parallel version of qemu). Currently, the code cache in coremu is private, I am working towards making it shared by all cores. I think the add_tb_jump may not be atomic.

If you're talking about [1], maybe you can seek help on their mailing list too.

[1] http://sourceforge.net/p/coremu/home/Home/

Regards,
chenwj
Re: [Qemu-devel] Proper way to walk through all vpcus
On Sat, Jan 28, 2012 at 05:06:54PM -0500, Xin Tong wrote:
> What is the proper way to iterate over all vcpus in qemu ? below is what i use in my code. Not sure whether it is the best way, also is there a macro in qemu to do this ?
>
> CPUState *curr_cpu = first_cpu;
> for (; curr_cpu != NULL; curr_cpu = curr_cpu->next_cpu) {
>     ...
> }

Seems this is a proper way to iterate over all virtual cpus.

Regards,
chenwj
Re: [Qemu-devel] setjmp outside cpu loop
On Sun, Jan 22, 2012 at 11:18:43AM -0500, Xin Tong wrote:
> There is a setjmp outside the cpu loop in qemu cpu-exec.c. it is used by longjmp later when a cpu exit request is given. I am wondering whether a cpu_loop_exit() can be called when the tcg is doing the translation ?

Do you mean if another thread calls cpu_loop_exit while TCG is doing the translation?

Regards,
chenwj
Re: [Qemu-devel] spawning and killing threads in qemu
On Thu, Jan 26, 2012 at 1:35 PM, Paolo Bonzini pbonz...@redhat.com wrote:
> On 01/26/2012 07:31 PM, Xin Tong wrote:
> > When i attach gdb to qemu running in system mode, i often get things like
> > [Thread 0x7ffed2013700 (LWP 29499) exited]
> > [New Thread 0x7ffed2013700 (LWP 29500)]
> > what spawns these threads and what do these threads do ?
>
> The block layer's thread pool.

Qemu 1.0 enables the IO thread by default, I think that's why you can see there are two threads. You can check block/raw-posix-aio.h, posix-aio-compat.c and linux-aio.c.

HTH,
chenwj
Re: [Qemu-devel] TB chaining in QEMU
> > The only reason this doesn't have any visible effect is:
> > (1) x86 doesn't have split icache/dcache so no incoherency issues
>
> I think intel new architecture does split instruction cache/data cache.
> http://upload.wikimedia.org/wikipedia/commons/6/64/Intel_Nehalem_arch.svg
> But I do not know what kind of inconsistency you refer to if the icache and dcache are split. can you please give an example.

What Peter said is that the data in the icache/dcache will be synced automatically on x86. What binary translation does is write some data (which will be executed as instructions later on) into memory. In this case, the icache/dcache should be synced.

Regards,
chenwj
Re: [Qemu-devel] Get only TCG code without execution
> I was not talking about semantics of individual instructions but semantics of the whole multi-threaded program. Multi-threaded programs can lead to several different (most of which are unintended) states of the CPU. What states are possible is described in a mathematically rigorous definition of the ARM memory model. My task is to implement this memory model over TCG ops and then compare the results on several different (multi-threaded) litmus tests with the implementation of the memory model over ARM instructions. For the same task, I need QEMU to give me the TCG translation for code which it never branches into and hence, never needs to translate and execute (because ARM multiprocessors can perform speculative execution).

Out of curiosity, what's the ARM memory model? From Wikipedia [1], it seems ARMv7 has the same memory model as IA64.

Regards,
chenwj

[1] http://en.wikipedia.org/wiki/Memory_ordering
Re: [Qemu-devel] nested page table translation for non-x86 operating system
> 1. The control of gCR3 and hCR3 needs kernel access. While they can be set with a device module as what is done in kvm. Trapping into the kernel every time gCR3 is reset might be too expensive.

Why does the control of gCR3 need kernel access? Isn't gCR3 just a field of the CPUX86State? QEMU should have control of it. Or do you mean the trapping thing?

> 2. After setting the gCR3 and hCR3. whatever memory references fall within the guest memory will be done correctly. However, memory references done by the host will be broken. Therefore, when we load from the CPUstates, call helpers for exits from the code cache, we need to change the paging mechanism back to non-nested. can this be done ? how expensive will this be ?

Why will the memory references done by the host be broken?

Regards,
chenwj
Re: [Qemu-devel] Get only TCG code without execution
> > I was not talking about semantics of individual instructions but semantics of the whole multi-threaded program. Multi-threaded programs can lead to several different (most of which are unintended) states of the CPU. What states are possible is described in a mathematically rigorous definition of the ARM memory model. My task is to implement this memory model over TCG ops and then compare the results on several different (multi-threaded) litmus tests with the implementation of the memory model over ARM instructions.
>
> Some points to note:
> * The current QEMU code has some known race conditions which can cause crashes/hangs in heavily threaded programs in linux-user mode; see eg https://bugs.launchpad.net/qemu/+bug/668799
> * We don't really make a serious attempt at implementing the ARM memory model in QEMU; our load/store exclusive implementation is pretty hopeless, for instance
> * In linux-user mode we basically just pass loads/stores/etc through as host-cpu loads/stores, so you get whatever the host's memory model semantics are, not what the guest CPU is supposed to do
> * a combination of the above plus the fact we don't implement caches in system emulation mode means that our implementation of all the barrier insns is a simple no-op; you'll never see barriers at the TCG op level

What's the load/store exclusive implementation? And as a general emulator, QEMU shouldn't implement any architecture-specific memory model, right? What comes into my mind is that QEMU only needs to follow the guest memory operations when it translates the guest binary to TCG ops. When it translates TCG ops to the host binary, it also has to be careful not to mess up the memory ordering.

Regards,
chenwj
Re: [Qemu-devel] Question about do_interrupt (target-i386/op_helper.c)
> In cpu_exec() env is a local variable. In do_interrupt() it is the global variable (held in a specific register via asm(AREG0)). The two aren't necessarily the same value, hence the fiddling about.

Do you mean we sync env with env1 at this point?

Regards,
chenwj
Re: [Qemu-devel] QEMU TB Unlinking due to interrupt.
On Fri, Dec 09, 2011 at 07:08:43PM -0500, Xin Tong wrote:
> can you forward me the patch please. Peter. Also, as far as I understand, tb unlinking can only happen in 2 cases.
> 1. some other tbs being invalidated.
> 2. interrupt pending

http://lists.gnu.org/archive/html/qemu-devel/2011-09/msg03643.html

HTH,
chenwj
Re: [Qemu-devel] Get only TCG code without execution
On Fri, Jan 20, 2012 at 09:09:46AM +0000, Peter Maydell wrote:
> On 20 January 2012 06:12, 陳韋任 che...@iis.sinica.edu.tw wrote:
> > Out of curiosity, what's the ARM memory model? From Wikipedia [1], it seems ARMv7 has the same memory model as IA64.
>
> The ARM memory model is the set of semantics for memory accesses as defined in the ARM Architecture Reference Manual (covering not just reordering but also exclusive accesses, alignment, barriers, etc). The manual devotes 50 pages to it so I'm not about to try to summarise it here :-)

Seems Wikipedia only lists the memory ordering part. ;)

> > And as a general emulator, QEMU shouldn't implement any architecture-specific memory model, right?
>
> Wrong, at least in theory. Ideally QEMU should implement exactly the semantics required by the guest architecture memory model (it's allowed to be stricter than the architecture requires, of course), in the same way it should implement the semantics required by the guest architecture instruction set. A guest binary for ARM can rely on the memory ordering constraints imposed by the memory model just as much as it can rely on the fact that the ADD instruction adds two registers together. In practice, of course (a) this is an enormous amount of work and also slows the emulator down drastically and (b) guest binaries don't actually rely that much on the memory model. And the fairly strict memory model provided by x86 means that for x86 hosts we actually get most of the important bits of the guest memory model right anyway.

AFAIK, LLVM defines its own memory model [1], which is inspired by the C++11 memory model. That's why I think instead of implementing an architecture-specific memory model, QEMU should define a more general (strict) one. You said guest binaries don't actually rely that much on the memory model. I think the reason is that those guest binaries are single-threaded. The memory model is important in the multi-threaded case.

BTW, our binary translator now can translate x86 binary to ARM binary, and ARM has a weaker memory model than x86.

[1] http://llvm.org/docs/LangRef.html#memmodel

Regards,
chenwj

P.S. Happy Chinese New Year. :)
Re: [Qemu-devel] virtual pc hash table vs physical pc hash table
On Mon, Jan 02, 2012 at 07:11:41AM -0500, Xin Tong wrote:
> In qemu, there is a virtual pc hash table and a physical pc hash table. virtual pc hash table is used to find tbs until a context switch. and physical pc hash table keeps all the translated tb. virtual pc hash table is smaller, accessed with 12 bits and physical pc hash table is bigger, accessed with 15 bits. the size in the hash tables are the primary reasons for having 2 hash tables ?

I think not. tb_find_fast uses the virtual pc as the index to search env->tb_jmp_cache, and checks whether the result from tb_jmp_cache is sane or not. If something goes wrong, it turns to call tb_find_slow, which uses the physical pc to do a slow search. The size should not be the reason for having 2 hash tables.

Regards,
chenwj
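As an added illustration of the two-level lookup described in this reply and in the earlier virtual-vs-physical hash table message (example code written for this page, not QEMU's own): a toy model of the fast virtual-pc cache, the physical-pc hash table, the refill after a context switch, and the stale hit you get if the virtual-pc cache is not flushed when cr3 changes. The page tables, table sizes, process layout and the run_scenario bookkeeping are constructed for the example; the function names mirror QEMU's (tb_find_fast, tb_find_slow, tb_gen_code) but the bodies are simplified.

```c
#include <stdint.h>
#include <string.h>
/* Toy model (constructed for this example, not QEMU code) of the two lookup tables the
 * thread discusses: a direct-mapped cache indexed by guest VIRTUAL pc (QEMU's tb_jmp_cache)
 * and a chained hash table indexed by guest PHYSICAL pc (QEMU's tb_phys_hash). Sizes are tiny. */
#define JMP_CACHE_SIZE 16
#define PHYS_HASH_SIZE 32
#define PAGE_SHIFT     12

typedef struct TranslationBlock {
    uint64_t pc, cs_base;                    /* virtual pc / segment base translated for */
    uint32_t flags;
    uint64_t phys_pc;                        /* physical pc: key of the slow table */
    struct TranslationBlock *phys_hash_next;
} TranslationBlock;
typedef struct {
    uint64_t cr3;                                    /* current address space */
    TranslationBlock *tb_jmp_cache[JMP_CACHE_SIZE];  /* per-vCPU virtual-pc cache */
} CPUState;
typedef struct { uint64_t cr3, vpage, ppage; } Mapping;  /* toy page-table entry */
static Mapping mappings[16];
static TranslationBlock tbs[64];
static TranslationBlock *tb_phys_hash[PHYS_HASH_SIZE];
static int nmappings, ntbs, translations;        /* translations: times the "translator" ran */
/* Walk the toy page table of the current address space (UINT64_MAX = unmapped). */
static uint64_t get_phys_addr(const CPUState *env, uint64_t vaddr)
{
    for (int i = 0; i < nmappings; i++)
        if (mappings[i].cr3 == env->cr3 && mappings[i].vpage == (vaddr >> PAGE_SHIFT))
            return (mappings[i].ppage << PAGE_SHIFT) | (vaddr & ((1u << PAGE_SHIFT) - 1));
    return UINT64_MAX;
}
static unsigned tb_jmp_cache_hash(uint64_t pc)  { return (unsigned)(pc >> 2) % JMP_CACHE_SIZE; }
static unsigned tb_phys_hash_func(uint64_t ppc) { return (unsigned)(ppc >> 2) % PHYS_HASH_SIZE; }

/* Stand-in for tb_gen_code(): "translate" and register the block under its physical pc. */
static TranslationBlock *tb_gen_code(uint64_t pc, uint64_t cs_base, uint32_t flags, uint64_t phys_pc)
{
    TranslationBlock *tb = &tbs[ntbs++];
    unsigned h = tb_phys_hash_func(phys_pc);
    *tb = (TranslationBlock){ pc, cs_base, flags, phys_pc, tb_phys_hash[h] };
    tb_phys_hash[h] = tb;
    translations++;
    return tb;
}

/* Slow path: resolve the physical pc, search the physical table, translate only on a miss,
 * and in both cases refill the virtual-pc cache slot. */
static TranslationBlock *tb_find_slow(CPUState *env, uint64_t pc, uint64_t cs_base, uint32_t flags)
{
    uint64_t phys_pc = get_phys_addr(env, pc);
    TranslationBlock *tb = tb_phys_hash[tb_phys_hash_func(phys_pc)];
    while (tb && !(tb->phys_pc == phys_pc && tb->pc == pc && tb->cs_base == cs_base && tb->flags == flags))
        tb = tb->phys_hash_next;
    if (!tb)
        tb = tb_gen_code(pc, cs_base, flags, phys_pc);
    return env->tb_jmp_cache[tb_jmp_cache_hash(pc)] = tb;
}

/* Fast path: one array index, checked against pc/cs_base/flags only (no page walk). */
static TranslationBlock *tb_find_fast(CPUState *env, uint64_t pc, uint64_t cs_base, uint32_t flags)
{
    TranslationBlock *tb = env->tb_jmp_cache[tb_jmp_cache_hash(pc)];
    if (tb && tb->pc == pc && tb->cs_base == cs_base && tb->flags == flags)
        return tb;
    return tb_find_slow(env, pc, cs_base, flags);
}

/* Context switch: the virtual->physical mapping changes, so the virtual-pc cache is dropped
 * (QEMU does this on TLB flush); the physical-pc table stays valid. */
static void cpu_set_cr3(CPUState *env, uint64_t cr3)
{
    env->cr3 = cr3;
    memset(env->tb_jmp_cache, 0, sizeof env->tb_jmp_cache);
}
typedef struct { int translations, shared_reused, stale_without_flush; } Result;
/* Three processes run at the same virtual pc 0x1040: A and B hold different code, C shares A's
 * physical code page. Expect 2 translations, C reusing A's block, and a stale hit without flush. */
static Result run_scenario(void)
{
    CPUState cpu = { 0 };
    Result r = { 0 };
    Mapping m[] = { { 0xA000, 1, 0x10 }, { 0xB000, 1, 0x20 }, { 0xC000, 1, 0x10 } };
    memcpy(mappings, m, sizeof m);
    nmappings = 3; ntbs = translations = 0;
    memset(tb_phys_hash, 0, sizeof tb_phys_hash);
    cpu_set_cr3(&cpu, 0xA000);
    TranslationBlock *a = tb_find_fast(&cpu, 0x1040, 0, 0);   /* miss everywhere: translate */
    cpu_set_cr3(&cpu, 0xB000);
    TranslationBlock *b = tb_find_fast(&cpu, 0x1040, 0, 0);   /* new physical pc: translate */
    cpu_set_cr3(&cpu, 0xC000);
    TranslationBlock *c = tb_find_fast(&cpu, 0x1040, 0, 0);   /* physical hit: reuse A's block */
    cpu_set_cr3(&cpu, 0xA000);
    TranslationBlock *a2 = tb_find_fast(&cpu, 0x1040, 0, 0);  /* refilled from the physical table */
    r.translations = translations;
    r.shared_reused = (a != b) && (c == a) && (a2 == a);
    cpu.cr3 = 0xB000;                                          /* switch WITHOUT flushing */
    r.stale_without_flush = tb_find_fast(&cpu, 0x1040, 0, 0) == a;  /* B is handed A's code */
    return r;
}
```

The last two lines of run_scenario are the failure mode the thread is about: with the virtual-pc cache left intact across the cr3 change, the fast path cannot tell process B from process A and returns A's translated block.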
Re: [Qemu-devel] icount and tb chaining
> What i mean here is that in gen-icount.h, the icount_decr.u32 field is exhausted and jumps out to the cpu-exec loop. This is where you would fall into tb_add_jump with the second argument being 2, and only if icount_extra was greater than zero. This is what I meant, and previously you showed me that the chaining is left intact by the check in tb_add_jump. Hope this is clearer. -Jim

I am not familiar with the icount stuff, so some dumb questions here.

In gen_icount_start (gen-icount.h), it loads icount_decr.u32 into count, then subtracts 0xdeadbeef from count, and finally stores count back to icount_decr.u16.low.

1) Why subtract 0xdeadbeef from count? Does 0xdeadbeef have any meaning?
2) Why store count back to icount_decr.u16.low rather than icount_decr.u32?

In cpu_exec (cpu-exec.c),

    // Does insns_left mean how many guest instructions are left in the tb and need
    // to be executed?
    insns_left = env->icount_decr.u32;
    // What does the if-branch mean, in particular icount_extra? I guess it has
    // something to do with the QEMU timer, but I'm not sure.
    if (env->icount_extra && insns_left >= 0) {
        // I cannot figure out what's going on here. Could you shed light on it?
    } else {
    }

Many thanks! :)

Regards,
chenwj
[Qemu-devel] Question about do_interrupt (target-i386/op_helper.c)
Hi all,

I am looking at do_interrupt (target-i386/op_helper.c) and find something strange. Code snippet below,

void do_interrupt(CPUState *env1)
{
    CPUState *saved_env;

    saved_env = env;
    env = env1;
    ...
}

In i386-linux-user, cpu_exec (cpu-exec.c) calls do_interrupt like this,

    do_interrupt(env);

My questions are:

1) It seems to me the parameter of do_interrupt (env1) should be the same as env inside do_interrupt (which comes from dyngen-exec.h's #define). Why do we need to assign env1 to env here? Is it redundant, or do I miss something?

2) In target-i386/op_helper.c, some functions use the global env, while others use the function parameter env. Is it necessary? Or can we unify how they use env?

Thanks.

Regards,
chenwj