In case anyone is interested, I've pushed an updated version for the static instrumentation:

https://projects.gso.ac.upc.edu/projects/qemu-instrument/
git clone https://code.gso.ac.upc.edu/git/qemu-instrument/

Changes:

* Instruction-based backdoors produce an immediate exit to the 'cpu_exec' loop (so that instrumentation state change can take effect immediately). I couldn't find documentation on how 'cpu_exec' works WRT 'exit_tb', but this document helped me understand it (section 2.2.3): http://gsoc.cat-v.org/people/nwf/paper-strategy-plus.pdf
* Real per-cpu instrumentation state.
* Per-state TB cache; now switching states can reuse already-translated TBs, improving performance: tb_phys_cache is no longer flushed; instead, only tb_jmp_cache is flushed (for the state switching CPU).

This provides a first fully-working version of the lower-level infrastructure.

What's next:

* Start defining the necessary static instrumentation points.
* Invoke defined points on each target architecture. This is the time-consuming part, so if anyone is interested in implementing the invocation of points on any target, contributions are appreciated.

Lluis

--
"And it's much the same thing with knowledge, for whenever you learn something new, the whole world becomes that much richer."
-- The Princess of Pure Reason, as told by Norton Juster in The Phantom Tollbooth