[Qemu-devel] Handling of setend instruction for ARM
The TCG translation for the ARM setend instruction for user level binaries is empty. A binary which just prints hello world but inverts the endianness to big endian at the beginning of main gives a segmentation fault on native ARM but prints out hello world on qemu-arm. So does QEMU continue under the little endian setting even after encountering a setend be instruction? And if so, isn't it incorrect?

Rajat.
[Qemu-devel] Switch off use of helper functions
Is there any way in QEMU to switch off the use of helper functions and make it translate target code to TCG code using only TCG micro-ops and not calls to helper functions?

Rajat.
Re: [Qemu-devel] arm-linux-user, i386-linux-user: Make QEMU act as TCG compiler
QEMU as a dynamic translator is already available. This adds extra functionality to QEMU. I needed to do this since I wanted to explore the ARM memory model over TCG micro-operations; so I needed translation of the whole binary and not just the parts which QEMU needs to execute. Don't know if others would find this feature useful.

Rajat.

On Thu, Feb 23, 2012 at 3:57 AM, 陳韋任 che...@iis.sinica.edu.tw wrote:
> Hi Rajat,
>
> Great work! It seems this is kind of like static compilation, right? I think people are more interested in using QEMU as a dynamic translator as a library. Would you mind telling me what scenario your work aims at?
>
> Regards,
> chenwj
>
> --
> Wei-Ren Chen (陳韋任)
> Computer Systems Lab, Institute of Information Science,
> Academia Sinica, Taiwan (R.O.C.)
> Tel: 886-2-2788-3799 #1667
> Homepage: http://people.cs.nctu.edu.tw/~chenwj
Re: [Qemu-devel] arm-linux-user, i386-linux-user: Make QEMU act as TCG compiler
Hi Peter,

Would QEMU developers be interested in integrating this TCG compilation functionality that I have been working on into later releases of QEMU? The patch I have right now breaks the original emulation, but if there is some interest in supporting static compilation into TCG in the future, I can submit a clean patch which does not break emulation but instead adds a run-time option to generate TCG compilation. I would be grateful if you could let me know.

Many thanks in anticipation.

With warm regards,
Rajat.

2012/2/23 Rajat Goyal rajat.go...@cl.cam.ac.uk
> QEMU as a dynamic translator is already available. This adds extra functionality to QEMU. I needed to do this since I wanted to explore the ARM memory model over TCG micro-operations; so I needed translation of the whole binary and not just the parts which QEMU needs to execute. Don't know if others would find this feature useful.
>
> Rajat.
>
> On Thu, Feb 23, 2012 at 3:57 AM, 陳韋任 che...@iis.sinica.edu.tw wrote:
>> Hi Rajat,
>>
>> Great work! It seems this is kind of like static compilation, right? I think people are more interested in using QEMU as a dynamic translator as a library. Would you mind telling me what scenario your work aims at?
>>
>> Regards,
>> chenwj
>>
>> --
>> Wei-Ren Chen (陳韋任)
>> Computer Systems Lab, Institute of Information Science,
>> Academia Sinica, Taiwan (R.O.C.)
>> Tel: 886-2-2788-3799 #1667
>> Homepage: http://people.cs.nctu.edu.tw/~chenwj
[Qemu-devel] Self-emulation not working on ARM
Hi All,

I tried running this command on ARM:

    qemu-arm /usr/local/bin/qemu-arm

and it gives 'uncaught target signal 11: segmentation fault'. However, the QEMU manual says QEMU is built for self-emulation. The manual also says that for the same reason, the binary is a shared object file, but qemu-arm does not have the ET_DYN flag enabled. Am I missing something here?

Thanks,
Rajat.
Re: [Qemu-devel] Get only TCG code without execution
Hi,

I have modified QEMU to act as a TCG compiler and give me the TCG code for the whole binary. However, I cannot find a way to obtain the last address in the binary. The symbol table loaded into syminfos contains only the address of the last symbol, not the address of the last machine instruction. I can obtain this if I can obtain the length of the last section in the ELF. How can I do that in QEMU?

Thanks,
Rajat.

On Sat, Jan 21, 2012 at 12:21 AM, Jamie Lokier ja...@shareable.org wrote:
> 陳韋任 wrote:
>> What's the load/store exclusive implementation?
>
> It's how some architectures do atomic operations, instead of having atomic instructions like x86 does.
>
>> And as a general emulator, QEMU shouldn't implement any architecture-specific memory model, right? What comes into my mind is that QEMU only needs to follow guest memory operations when it translates the guest binary to TCG ops. When translating TCG ops to host binary, it also has to be careful not to mess up the memory ordering.
>
> The error occurs when emulating two or more guest CPUs in parallel using two or more host CPUs for speed. Then not messing up the memory ordering may require barrier instructions in the host binary code, depending on the guest and host architectures. Without barrier instructions, the CPUs reorder memory accesses even if the instruction order is kept the same. This reordering done by the CPU is called the memory model. TCG cannot currently produce these barrier instructions, and it's not clear if it will ever be able to do so efficiently.
>
> -- Jamie

--
Rajat Goyal
5th year undergraduate student
Master of Technology in Mathematics and Computing - Integrated Program
Department of Mathematics
IIT Delhi
Re: [Qemu-devel] Get only TCG code without execution
Thank you so much for your help Peter. I was using version 0.15.1. On 1.0, it works like a dream!

I was not talking about semantics of individual instructions but semantics of the whole multi-threaded program. Multi-threaded programs can lead to several different (most of which are unintended) states of the CPU. What states are possible is described in a mathematically rigorous definition of the ARM memory model. My task is to implement this memory model over TCG ops and then compare the results on several different (multi-threaded) litmus tests with the implementation of the memory model over ARM instructions. For the same task, I need QEMU to give me the TCG translation for code which it never branches into and hence never needs to translate and execute (because ARM multiprocessors can perform speculative execution).

Rajat.

On Tue, Jan 17, 2012 at 8:33 AM, Peter Maydell peter.mayd...@linaro.org wrote:
> On 17 January 2012 01:04, 陳韋任 che...@iis.sinica.edu.tw wrote:
>>>> What is the way out of this? The reason I need TCG code is because my project work is to write a semantics for TCG micro-operations and then compare my semantics with a semantics for ARM instructions being written by someone else. To test my semantics, I need the corresponding TCG code for several different multi-threaded ARM binaries.
>>>
>>> Why does this have to be a multi-threaded binary? In the multithreaded case, the instructions executed by QEMU won't be deterministic (it will depend on how the host OS schedules the multiple threads) so it's going to be hard to compare a long trace output to something else.
>>
>> I guess Rajat's goal is to compare the semantics of TCG ops and the ARM binary, therefore the non-determinism might not be the issue. Or he wants to use semantics to solve the non-determinism problem.
>
> But if you're looking at the semantics at a level where you don't care about the non-determinism of the threading, you might just as well look at them at an individual instruction or TB level, in which case a single threaded program is just as good and less confusing, surely?
>
> -- PMM

--
Rajat Goyal
5th year undergraduate student
Integrated Master of Technology
Mathematics and Computing
Department of Mathematics
IIT Delhi
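The thread talks about litmus tests against the ARM memory model and, in Jamie Lokier's reply above, about CPUs reordering memory accesses when no barrier is emitted. The following store-buffering (SB) litmus test harness is an added example, not code from this thread or from QEMU; it uses C11 atomics and pthreads, and `run_sb`, `sb_thread` and `struct side` are names chosen here. It counts how often the outcome that sequential consistency forbids is actually observed on the host, with and without ordering.

```c
/* Store-buffering (SB) litmus test with C11 atomics and pthreads. Added
 * example, not code from this thread or from QEMU. Thread 0 stores x=1 then
 * loads y; thread 1 stores y=1 then loads x. Sequential consistency forbids
 * r0 == 0 && r1 == 0; with relaxed atomics and no barrier the compiler and
 * the host CPU may let each load overtake the preceding store. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

static atomic_int x, y;   /* shared locations of the litmus test */
static int r0, r1;        /* values each thread observed */
static int use_relaxed;   /* 1: relaxed atomics, 0: seq_cst atomics */

struct side { atomic_int *store_to; atomic_int *load_from; int *result; };

static void *sb_thread(void *arg) {
    struct side *s = arg;
    if (use_relaxed) {
        atomic_store_explicit(s->store_to, 1, memory_order_relaxed);
        *s->result = atomic_load_explicit(s->load_from, memory_order_relaxed);
    } else {
        atomic_store_explicit(s->store_to, 1, memory_order_seq_cst);
        *s->result = atomic_load_explicit(s->load_from, memory_order_seq_cst);
    }
    return NULL;
}

/* Run SB `iters` times; return how often the SC-forbidden outcome
 * r0 == 0 && r1 == 0 was observed. */
long run_sb(long iters, int relaxed) {
    struct side s0 = { &x, &y, &r0 }, s1 = { &y, &x, &r1 };
    long forbidden = 0;
    use_relaxed = relaxed;
    for (long i = 0; i < iters; i++) {
        pthread_t t0, t1;
        atomic_store(&x, 0); atomic_store(&y, 0);   /* reset before each run */
        pthread_create(&t0, NULL, sb_thread, &s0);
        pthread_create(&t1, NULL, sb_thread, &s1);
        pthread_join(t0, NULL); pthread_join(t1, NULL);
        if (r0 == 0 && r1 == 0) forbidden++;
    }
    return forbidden;
}

int main(void) {
    printf("relaxed: %ld forbidden outcomes\n", run_sb(20000, 1));
    printf("seq_cst: %ld forbidden outcomes\n", run_sb(20000, 0));
    return 0;
}
```

The seq_cst count is always zero; the relaxed count is host dependent and is usually non-zero only on a multicore machine, which is exactly the situation Jamie describes.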
Re: [Qemu-devel] Get only TCG code without execution
Thanks for your text, Stefan.

The situation is like this. The most basic multi-threaded program (using pthreads) which just prints something like "I am Thread 1" and "I am Thread 2" does not work over the QEMU user emulator. There are no output messages saying "I am thread 1" etc. when the program binary is run over qemu-arm or qemu-i386. For qemu-i386, the reason is alright - there is no implementation for the futex syscall. But for qemu-arm, the syscall trace shows

    *** longjmp causes uninitialized stack frame ***: qemu-arm terminated

And hence, the entire TCG code for the binary is not obtained in the QEMU log since QEMU does not complete execution of the binary. What is the way out of this?

The reason I need TCG code is because my project work is to write a semantics for TCG micro-operations and then compare my semantics with a semantics for ARM instructions being written by someone else. To test my semantics, I need the corresponding TCG code for several different multi-threaded ARM binaries.

Many thanks in anticipation,
Rajat.

On Mon, Jan 16, 2012 at 8:41 AM, Stefan Hajnoczi stefa...@gmail.com wrote:
> On Sun, Jan 15, 2012 at 11:09:18PM +, Rajat Goyal wrote:
>> I am doing a project to build a daemonic ARM emulator using QEMU. One of the requirements is to get the complete TCG code for any multi-threaded ARM program that I run on QEMU. I do not need QEMU to execute the program and show me the output. Just the entire TCG code. The latest version of qemu-arm seems to break while running pthread parallel ARM binaries, i.e., qemu-arm terminates without completing execution and hence, the entire TCG code cannot be captured in the log. Is there a way by which I can get the complete TCG code for pthread parallel binaries in exchange for not making QEMU execute the binary?
>
> QEMU is a dynamic binary translator. You don't know the next block without executing the current block.
>
> It's not possible to translate a whole program without executing it - remember it can load shared libraries, use self-modifying code, or just employ indirect jumps which you cannot analyze statically. In the general case it's not possible.
>
> Can you explain why you're trying to do this?
>
> Stefan

--
Rajat Goyal
5th year undergraduate student
Integrated Master of Technology
Mathematics and Computing
Department of Mathematics
IIT Delhi
[Qemu-devel] Get only TCG code without execution
I am doing a project to build a daemonic ARM emulator using QEMU. One of the requirements is to get the complete TCG code for any multi-threaded ARM program that I run on QEMU. I do not need QEMU to execute the program and show me the output. Just the entire TCG code.

The latest version of qemu-arm seems to break while running pthread parallel ARM binaries, i.e., qemu-arm terminates without completing execution and hence, the entire TCG code cannot be captured in the log. Is there a way by which I can get the complete TCG code for pthread parallel binaries in exchange for not making QEMU execute the binary?

Any help would be appreciated.

--
Rajat Goyal
5th year undergraduate student
Integrated Master of Technology
Mathematics and Computing
Department of Mathematics
IIT Delhi