qemu

Qemu bananaapple

Qemu • QEMU is a generic and open source machine
emulator and virtualizer • Two modes • System (target-softmmu) • User (target-linux-user) • Targets • i386 • x86_64 • arm Kvm support could be used accelerate the system emulation

TCG (Tiny Code Generator) • After version 0.9.1, Qemu use
TCG as replacement of DynGen and GCC • TCG (Tiny Code Generator) is a code generator which translates code fragments ("basic blocks") from target code (any of the targets supported by QEMU) to a code representation which can be run on a host. • Translation Block -> TCG Operations -> Host Code

Main loop • cpu_exec() at /cpu-exec.c called each time around
main loop • Using sigsetjmp and siglongjmp

Translation Block • Defined in include/exec/exec-all.h • pc, cs_base, flags
• tc_ptr: a pointer to the translated code of this TB • jmp_list_next[2]: jump to next TB in a list • jmp_list_first: pointer to the first TB jumping to this one

Translation Block • Since each TB can have two jumps,
it can participate in two lists. jmp_list_first and jmp_list_next are 4-byte aligned pointers to a TranslationBlock structure, but the two least significant bits of them are used to encode which data field of the pointed TB should be used to traverse the list further from that TB: • 0 => jmp_list_next[0], 1 => jmp_list_next[1], 2 => jmp_list_first

Translation Block • Block exit point: • encounter branch(modify PC)
• reach page boundary 000081ac<abort>: 81ac: add $sp, $sp #-24 81b0: str $fp, [$sp+#20] … 81c2: beq $lr 81c6: mov $sp, $fp … 81d0: ret $lr Branch occur Block 1 Block 2 YODO Lab -8-

Block Chaining • Jump directly between basic blocks YODO Lab
-9-

Chaining Steps • tb_add_jump() in “cpu-exec.c” YODO Lab -10-

TCG (Tiny Code Generator)

Codebase

Codebase • /vl.c: Setup virtual machine specification such as size
of ram…… • /hw/: Emulated Hardware • /target-xxx/: Guest (Target) Specific • /target-xxx/translate.c: Guest Specific ISA is converted into TCG ops • /tcg/: Host (TCG) Specific • /tcg/*/tcg-target.c: TCG ops to Host Code • /cpu-exec.c: cpu-exec() finds the next translation block to translate and execute • /tci.c: tcg_qemu_tb_exec() real function execute code

Reference • https://lists.gnu.org/archive/html/qemu-devel/2011- 04/pdfhC5rVdz7U8.pdf • https://dl.dropboxusercontent.com/u/8976842/TCG.pdf • http://www.slideshare.net/RampantJeff/qemu-binary-translation • http://lugatgt.org/content/qemu_internals/downloads/slides.pdf

qemu

qemu

bananaappletw

More Decks by bananaappletw

Other Decks in Programming

Featured

Transcript

Qemu bananaapple

Qemu • QEMU is a generic and open source machine

Qemu

TCG (Tiny Code Generator) • After version 0.9.1, Qemu use

Main loop • cpu_exec() at /cpu-exec.c called each time around

Translation Block • Defined in include/exec/exec-all.h • pc, cs_base, flags

Translation Block • Since each TB can have two jumps,

Translation Block • Block exit point: • encounter branch(modify PC)

Block Chaining • Jump directly between basic blocks YODO Lab

Chaining Steps • tb_add_jump() in “cpu-exec.c” YODO Lab -10-

TCG (Tiny Code Generator)

TCG (Tiny Code Generator)

TCG (Tiny Code Generator)

Codebase

Codebase • /vl.c: Setup virtual machine specification such as size

Reference • https://lists.gnu.org/archive/html/qemu-devel/2011- 04/pdfhC5rVdz7U8.pdf • https://dl.dropboxusercontent.com/u/8976842/TCG.pdf • http://www.slideshare.net/RampantJeff/qemu-binary-translation • http://lugatgt.org/content/qemu_internals/downloads/slides.pdf