2. 程式人生 > >Understand Qemu TCG

Understand Qemu TCG

阿新 發佈:2019-01-05
  1. The whole executing process of QEMU

    main() //vl.c

    main_loop() //vl.c

    x86_cpu_realizefn() //例項化虛擬機器CPU裝置模型

    qemu_init_vcpu() //KVM沒有enable,並且啟用了TCG的情況下,tcg_enabled()

    qemu_tcg_init_vcpu()//啟動VCPU執行緒,執行緒處理函式為qemu_tcg_cpu_thread_fn

    qemu_tcg_cpu_thread_fn()

    tcg_exec_all()

    tcg_cpu_exec()

    cpu_exec() //cpu-exee.c

    tb = tb_find_fast(); // translate target code to host assemble  language and host machine code.

    next_tb = cpu_tb_exec()

    next_tb = tcg_qemu_tb_exec(tc_ptr); // execute the code contained in translation block.

    cpu_exec() 中執行如下:

    next_tb = 0; /* force lookup of first TB */

    for(;;) {

       process interrupt request;

tb_find_fast();

 tcg_qemu_tb_exec(tc_ptr);   


}

tb_find_fast() {

    get translation block from tb cache;

    if not found

    tb_find_slow();

}



tb_find_slow() {

get translation block from hash table;

    if not found

        tb_gen_code();//translate it now

}



//generate host code

tb_gen_code() // return a translated block

cpu_gen_code()

gen_intermediate_code(env, tb);

gen_intermediate_code_internal()

pc_ptr = disas_insn(dc, pc_ptr);

  gen_code_size = tcg_gen_code(s, gen_code_buf); //generate machine code

        tcg_gen_code_common(s, gen_code_buf, -1);



2. How do QEMU execute host instructions containing in translation block ?

2.1 There is a array defined in exec.c:

//uint8_t code_gen_prologue[1024] code_gen_section;(老版本)

struct TCGContext {

//……

uint8_t *code_ptr;

/* Code generation */

uint8_t *code_gen_prologue;

};


2.2 in function tcg_prologue_init() in tcg.c

/* init global prologue and epilogue */
s->code_buf = s->code_gen_prologue;
s->code_ptr = s->code_buf;
  tcg_target_qemu_prologue(s);

then, {s->code_ptr) points to the address of code_gen_prologue.



2.3 function: tcg_target_qemu_prologue(), call tcg_out_push(), which fills value to *(s->code_ptr).

/* Generate global QEMU prologue and epilogue code */staticvoid tcg_target_qemu_prologue(TCGContext *s){int i, frame_size, push_size, stack_addend;/* TB prologue *//* Save all callee saved registers. */for(i = 0; i < ARRAY_SIZE(tcg_target_callee_save_regs); i++){
        tcg_out_push(s, tcg_target_callee_save_regs[i]);}/* Reserve some stack space. */
    push_size = 1 + ARRAY_SIZE(tcg_target_callee_save_regs);
    push_size *= TCG_TARGET_REG_BITS / 8;

    frame_size = push_size + TCG_STATIC_CALL_ARGS_SIZE;
    frame_size =(frame_size + TCG_TARGET_STACK_ALIGN - 1)&~(TCG_TARGET_STACK_ALIGN - 1);
    stack_addend = frame_size - push_size;
    tcg_out_addi(s, TCG_REG_ESP,-stack_addend);/* jmp *tb. */
    tcg_out_modrm(s, OPC_GRP5, EXT5_JMPN_Ev, tcg_target_call_iarg_regs[0]);/* TB epilogue */
    tb_ret_addr = s->code_ptr;

    tcg_out_addi(s, TCG_REG_ESP, stack_addend);for(i = ARRAY_SIZE(tcg_target_callee_save_regs)- 1; i >= 0; i--){
        tcg_out_pop(s, tcg_target_callee_save_regs[i]);}
    tcg_out_opc(s, OPC_RET, 0, 0, 0);}


2.4 After getting a translation block by calling tb_find_fast(), call tcg_qemu_tb_exec(tc_ptr), which is a macro defined as following:

# define tcg_qemu_tb_exec(env, tb_ptr) \
((uintptr_t (*)(void *, void *))tcg_ctx.code_gen_prologue)(env, tb_ptr)


code_gen_prologue(tb_ptr) is casted to a function with two parameter, in such a way, execute host machine code stored in code_gen_prologue.



3. Distinction between user mode and system mode emulation of QEMU?

QEMU has two operating modes:

  • Full system emulation. In this mode, QEMU emulates a full system (for example a PC), including one or several processors and various peripherals. It can be used to launch different Operating Systems without rebooting the PC or to debug system code.
  • User mode emulation. In this mode, QEMU can launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API emulator (http://www.winehq.org) or to ease cross-compilation and cross-debugging.

4. One macro glue

#define xglue(x, y) x ## y
#define glue(x, y) xglue(x, y)

#define SUFFIX _mmx

void glue(helper_pcmpistrm, SUFFIX)(Reg *d, Reg *s,uint32_t ctrl)


First, this function is expanded to :(glue(x, y) -> xglue(x, y))

xglue(helper_pcmpistrm,_mmx)(Reg *d, Reg *s,uint32_t ctrl)


Second, (  xglue(x, y) -> x ## y )

helper_pcmpistrm_mmx(Reg *d, Reg *s,uint32_t ctrl)


So,

void glue(helper_pcmpistrm, SUFFIX)(Reg *d, Reg *s,uint32_t ctrl)

==

helper_pcmpistrm_mmx(Reg *d, Reg *s,uint32_t ctrl)


5. How do the qemu translate virtual address to physical address when load a instruction ?

phys_pc = get_page_addr_code(env, pc);

/* NOTE: this function can trigger an exception *//* NOTE2: the returned address is not exactly the physical address:    it is the offset relative to phys_ram_base */staticinline tb_page_addr_t get_page_addr_code(CPUState *env1, target_ulong addr){int mmu_idx, page_index, pd;void*p;

    page_index =(addr >> TARGET_PAGE_BITS)&(CPU_TLB_SIZE - 1);
    mmu_idx = cpu_mmu_index(env1);if(unlikely(env1->tlb_table[mmu_idx][page_index].addr_code !=(addr & TARGET_PAGE_MASK))){
        ldub_code(addr);}
    pd = env1->tlb_table[mmu_idx][page_index].addr_code &~TARGET_PAGE_MASK;if(pd > IO_MEM_ROM &&!(pd & IO_MEM_ROMD)){#if defined(TARGET_SPARC)|| defined(TARGET_MIPS)
        do_unassigned_access(addr, 0, 1, 0, 4);#else
        cpu_abort(env1,"Trying to execute code outside RAM or ROM at 0x" TARGET_FMT_lx "\n", addr);#endif}
    p =(void*)(unsignedlong)addr
+ env1->tlb_table[mmu_idx][page_index].addend;return qemu_ram_addr_from_host(p);}


5. TCG .vs. Dyngen

6. Helper function

http://www.greensocs.com/Projects/QEMUSystemC/docs/QEMUSystemC/QEMUSystemCDataflow



7. Memory simulation in QEMU

http://www.slideshare.net/zchen/memory-simulation-in-qemu



8. For system simulation.

b = ldub_code(s->pc);

will call this function(in softmmu_header.h):

glue is a marico, after replacing, it is :

     static inline RES_TYPE ld_{USUFFIX}_{MEMSUFFIX}(target_ulong ptr);

staticinline RES_TYPE glue(glue(ld, USUFFIX), MEMSUFFIX)(target_ulong ptr){int page_index;
    RES_TYPE res;
    target_ulong addr;unsignedlong physaddr;int mmu_idx;

    addr = ptr;
    page_index =(addr >> TARGET_PAGE_BITS)&(CPU_TLB_SIZE - 1);
    mmu_idx = CPU_MMU_INDEX;if(unlikely(env->tlb_table[mmu_idx][page_index].ADDR_READ !=(addr &(TARGET_PAGE_MASK |(DATA_SIZE - 1))))){
        res = glue(glue(__ld, SUFFIX), MMUSUFFIX)(addr, mmu_idx);}else{
        physaddr = addr + env->tlb_table[mmu_idx][page_index].addend;
        res = glue(glue(ld, USUFFIX), _raw)((uint8_t*)physaddr);}return res;}


9. QEMU device model

相關推薦

Understand Qemu TCG

The whole executing process of QEMU main() //vl.c main_loop() //vl.c x86_cpu_realizefn() //例項化虛擬機器CPU裝置模型 qemu_init_vcpu() //KVM沒有enable,並且啟用了TCG的情況下,tcg_

qemu tcg程式碼執行流程

一.qemu簡介          qemu是使用動態二進位制翻譯的cpu模擬器,它支援兩種執行模式:全系統模擬和使用者態模擬。在全系統模擬下,qemu可以模擬處理器和各種外設,可以執行作業系統。使用者態可以執行為另外一種cpu編譯的程序,前提是兩者執行的os要一致。qemu使用了動態二進位制翻譯將tar

qemu-TCG動態翻譯技術

1. TCG簡單介紹    TCG(Tiny Code Generator)最早被用於C編譯器的後端。在TCG相關的程式碼中,target指的是我們通常說的host,這一點需要注意,並不是我們理解的被模擬的平臺。 2. TCG動態翻譯技術的幾個概念 (1)與dyng

qemu原始碼分析之五-- TCG動態翻譯技術

1. TCG簡單介紹 TCG(Tiny Code Generator)最早被用於C編譯器的後端。在TCG相關的程式碼中,target指的是我們通常說的host,這一點需要注意,並不是我們理解的被模擬的平臺。 2. TCG動態翻譯技術的幾個概念 (1)與dyngen一樣,TCG的“function”與qem

QemuTCG運算元的定義及註釋

tcg/tcg.h:Define type and accessor macros for TCG variables. TCG variables are the inputs and outputs of TCG ops, as described in tcg/

qemu學習(四)————tcg操作碼 分析

 首先要說的是,操作碼的定義位置: 在./tcg/tcg.h:104行有如下列舉定義: typedef enum TCGOpcode { #define DEF(name, oargs, iargs, cargs, flags) INDEX_op_ ## nam

隨想錄(qemu仿真linux kernel)

仿真 ram vmlinux 原理 mil ext target init 一段時間 【 聲明:版權全部,歡迎轉載。請勿用於商業用途。 聯系信箱:feixiaoxing @163.com】 算上從研究生開始,自己看kernel的時間不短了。盡管代碼看了不少,原

4.EVE-NG導入Qemu鏡像

模擬器 gns3 仿真平臺 網絡模擬器 eve-ng 文章列表(關註微信公眾號EmulatedLab,及時獲取文章以及下載鏈接)1、EVE-NG介紹(EVE-NG最好用的模擬器,仿真環境時代來臨!)2、EVE-NG安裝過程介紹3、EVE-NG導入Dynamips和IOL4、EVE-NG導入

[HTTP] Understand 2xx HTTP Status Code Responses

post when text 技術 head and total load quest The 2xx family of status codes are used in HTTP responses to indicate success. Beyond the gen

qemu基本使用

控制臺 ... virtual 不同的 安裝 height 圖形 order ons 1、qemu的安裝   請參考家用路由器0day漏洞挖掘技術這本書 2、基本使用   qemu有主要如下兩種運作模式: 用戶模式(User Mode),亦稱使用者模式。qemu能啟動那些

阿裏雲EC2+QEMU虛擬機+ROS完全教程!

detail yun mage 註意 med 遠程命令 rtx network with ---恢復內容開始--- 1、安裝centos6.5 x64 同時記錄,當前centos分配得到的IP,子網掩碼,網關,以及MAC!!! 查看IP、mac命令ip add 查看網關命令

You gentle I will never understand 83

best jordans shoesOnce we ease in to the summer time, basketball tournament months are warming up. Which mean‘s the Jordan Brand-backed Quai 54 tourney is

LCA-tarjan understand 2

pid strong edge lca arc repl root memset html 下面是一個最基礎的LCA題目 http://poj.org/problem?id=1330 赤裸裸的 題意 輸入cas 後 有cas組數據 輸入 n 再輸入n-1 條邊

Qemu-kvm的網絡模式

kvm 多元化 網絡 qemu-kvm之橋接模式橋接原理圖 在qemu-kvm的橋接方式中,將宿主機的物理網卡橋接在br0,虛擬網卡vnet1,vnet0鏈接在eth0上,eth0相當於交換機。客戶機從網卡前驅上將信息發送早網卡後驅上,網卡後驅通過eth0將信息發送給br0,在此將信息發送出去。

KVM+Qemu+Libvirt實戰

等等 eboot blog 輸入 splay 終端 服務 內存 1-1 上一篇的文章是為了給這一篇文件提供理論的基礎,在這篇文章中我將帶大家一起來實現在linux中虛擬出ubuntu的server版來 我們需要用KVM+Qemu+Libvirt來進行kvm全虛擬化,創建虛

understand的安裝

編寫 part lin 文件夾 gedit and .net 定位 cati 1.win7 64位下安裝 1)下載Understand.4.0.908.x64.rar。 2)解壓之,直接運行裏面的Understand-4.0.908-Windows-64bit.exe。 3

利用qemu-guest-agent實現重置密碼的功能(測試中)

com install rpm etc cnblogs tps 1-1 利用 sta Windows虛擬機: 1.在宿主機上操作: wget https://fedorapeople.org/groups/virt/virtio-win/virtio-win.repo

如何解決在QEMU上仿真STM32F429時出現的問題

clas oca core msi simple ports org errors 遇到 基於陳老師提供的Hello_RTOS工程:   qemu 2.8.0   arm-none-eabi-gcc 4.8.2 下載工程並編譯 1 git clone https://gi

Understand:高效代碼靜態分析神器詳解(轉)

none 前段時間 兩個 箭頭 ++ 開發 obj 結構 導入 之前用Windows系統,一直用source insight查看代碼非常方便,但是年前換到mac下面,雖說很多東西都方便了,但是卻沒有了靜態代碼分析工具,很幸運,前段時間找到一款比source insight軟

CentOS 7 利用qemu模擬ARM vexpress A9開發板

ogr install 進入 復制 不同 .html ini 依賴 roo 聽說qemu用於仿真arm很不錯,今日就來試了一把。由於剛剛開始,了解的並不多。本文僅僅記錄Qemu裝載Linux kernel和busybox根文件系統的過程。後續將會深入了解仿真的其他內容。 先