Slide 1

Qemu bananaapple

Slide 2

Qemu
• QEMU is a generic and open source machine emulator and virtualizer
• Two modes
  • System (target-softmmu)
  • User (target-linux-user)
• Targets
  • i386
  • x86_64
  • arm
• KVM support can be used to accelerate system emulation

Slide 3

Qemu

Slide 4

TCG (Tiny Code Generator)
• After version 0.9.1, QEMU uses TCG as a replacement for DynGen and GCC
• TCG (Tiny Code Generator) is a code generator which translates code fragments ("basic blocks") from target code (any of the targets supported by QEMU) to a code representation which can be run on a host.
• Translation Block -> TCG Operations -> Host Code

Slide 5

Main loop
• cpu_exec() in /cpu-exec.c is called on each iteration of the main loop
• Uses sigsetjmp() and siglongjmp()
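The sigsetjmp()/siglongjmp() pattern behind cpu_exec(), as an added illustration that is not part of the slides and not QEMU's code. It is a constructed model: a "translation block" is a function that advances pc by one 4-byte instruction, and an exception is raised by calling siglongjmp() from inside the block, which unwinds back to the sigsetjmp() at the top of the loop. The names CPUState, run_tb, cpu_exec_loop, cpu_exec_demo and demo_cpu are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <stdio.h>

/* Constructed model of the cpu_exec() loop (not QEMU's code). */
enum { EXCP_NONE = -1, EXCP_TRAP = 1 };

typedef struct CPUState {
    unsigned long pc;
    int exception_index;
    sigjmp_buf jmp_env;        /* set by sigsetjmp() at the top of the loop */
    int tbs_executed;
    int exceptions_handled;
} CPUState;

/* State of the last cpu_exec_demo() run, kept global so it can be inspected. */
static CPUState demo_cpu;

/* Stand-in for running one translated block: one 4-byte instruction per TB.
 * When pc hits trap_pc the block cannot complete and unwinds to the loop. */
static void run_tb(CPUState *cpu, unsigned long trap_pc)
{
    cpu->tbs_executed++;
    if (cpu->pc == trap_pc) {
        cpu->exception_index = EXCP_TRAP;
        siglongjmp(cpu->jmp_env, 1);   /* control never returns here */
    }
    cpu->pc += 4;
}

/* Simplified cpu_exec(): sigsetjmp() marks the re-entry point; a later
 * siglongjmp() from deep inside a TB returns here with a non-zero value. */
static int cpu_exec_loop(CPUState *cpu, unsigned long end_pc, unsigned long trap_pc)
{
    /* savemask = 0: the signal mask is not saved/restored. */
    if (sigsetjmp(cpu->jmp_env, 0) != 0) {
        /* Arrived via siglongjmp(): handle the pending exception. The
         * constructed handler simply skips the trapping instruction. */
        cpu->exceptions_handled++;
        cpu->exception_index = EXCP_NONE;
        cpu->pc += 4;
    }
    /* cpu, end_pc and trap_pc are not modified after sigsetjmp(), so their
     * values are well defined after the longjmp. */
    while (cpu->pc < end_pc) {
        run_tb(cpu, trap_pc);
    }
    return cpu->exceptions_handled;
}

/* Runs a fresh CPU from pc 0 to end_pc with a trap at trap_pc and returns
 * how many exceptions were handled; demo_cpu holds the final state. */
static int cpu_exec_demo(unsigned long end_pc, unsigned long trap_pc)
{
    demo_cpu.pc = 0;
    demo_cpu.exception_index = EXCP_NONE;
    demo_cpu.tbs_executed = 0;
    demo_cpu.exceptions_handled = 0;
    return cpu_exec_loop(&demo_cpu, end_pc, trap_pc);
}

int main(void)
{
    int n = cpu_exec_demo(0x20, 0x10);
    printf("exceptions handled: %d, TBs executed: %d, final pc: 0x%lx\n",
           n, demo_cpu.tbs_executed, demo_cpu.pc);
    return 0;
}
```

Running from 0 to 0x20 with a trap at 0x10 executes eight block entries (the fifth one aborts via siglongjmp and is retried after the handler advances pc), so the loop sees exactly one exception. The same jmp_env is reused for every exception because cpu_exec_loop() never returns between them.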

Slide 6

Translation Block
• Defined in include/exec/exec-all.h
• pc, cs_base, flags
• tc_ptr: a pointer to the translated code of this TB
• jmp_list_next[2]: jump to the next TB in a list
• jmp_list_first: pointer to the first TB jumping to this one

Slide 7

Translation Block
• Since each TB can have two jumps, it can participate in two lists. jmp_list_first and jmp_list_next are 4-byte aligned pointers to a TranslationBlock structure, but their two least significant bits are used to encode which data field of the pointed-to TB should be used to traverse the list further from that TB:
  • 0 => jmp_list_next[0]
  • 1 => jmp_list_next[1]
  • 2 => jmp_list_first

Slide 8

Translation Block
• Block exit point:
  • encounter a branch (modifies PC)
  • reach a page boundary

000081ac:
81ac: add $sp, $sp #-24
81b0: str $fp, [$sp+#20]
…
81c2: beq $lr
81c6: mov $sp, $fp
…
81d0: ret $lr

(Figure annotations: "Branch occur" at the beq; "Block 1" covers 81ac..81c2, "Block 2" covers 81c6..81d0.)

YODO Lab -8-
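The two block exit conditions above, worked through on a constructed instruction stream. This is an added example and not code from the slides or from QEMU: instead of decoding real machine code, each instruction is a record with a pc, a size and a "modifies PC" flag, and the stream mirrors the listing above (0x81ac..0x81d0) plus a straight-line run that crosses the page boundary at 0x9000. The 4 KiB page size, the Insn and TB types, tb_gen() and last_tb are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of translation-block boundaries (not QEMU's translator). */
#define PAGE_SIZE 0x1000u          /* assumed 4 KiB guest pages */
#define PAGE_OF(pc) ((pc) & ~(PAGE_SIZE - 1))

typedef struct Insn {
    uint32_t pc;
    uint32_t size;
    int is_branch;                 /* branch, call or return: ends the block */
} Insn;

/* Constructed guest code modelled on the slide's listing. */
static const Insn code[] = {
    {0x81ac, 4, 0}, /* add $sp, $sp, #-24 */
    {0x81b0, 4, 0}, /* str $fp, [$sp+#20]  */
    {0x81b4, 4, 0},
    {0x81b8, 4, 0},
    {0x81bc, 4, 0},
    {0x81c0, 2, 0},
    {0x81c2, 4, 1}, /* beq $lr: block 1 ends here */
    {0x81c6, 4, 0}, /* mov $sp, $fp: block 2 starts */
    {0x81ca, 2, 0},
    {0x81cc, 4, 0},
    {0x81d0, 4, 1}, /* ret $lr: block 2 ends here */
    {0x8ff8, 4, 0},
    {0x8ffc, 4, 0}, /* last instruction on page 0x8000 */
    {0x9000, 4, 0},
    {0x9004, 4, 1},
};
#define N_INSNS (sizeof(code) / sizeof(code[0]))

enum { EXIT_BRANCH = 1, EXIT_PAGE = 2, EXIT_NO_CODE = 3 };

typedef struct TB {
    uint32_t start_pc;
    uint32_t end_pc;               /* address just past the last instruction */
    int n_insns;
    int exit_reason;
} TB;

static TB last_tb;                 /* result of the most recent tb_gen() */

static int find_insn(uint32_t pc)
{
    for (size_t i = 0; i < N_INSNS; i++) {
        if (code[i].pc == pc) return (int)i;
    }
    return -1;
}

/* Collect instructions from start_pc until a block exit condition is hit.
 * Returns the exit reason, or -1 if there is no instruction at start_pc. */
static int tb_gen(uint32_t start_pc)
{
    int i = find_insn(start_pc);
    if (i < 0) return -1;

    last_tb.start_pc = start_pc;
    last_tb.n_insns = 0;
    for (;;) {
        const Insn *in = &code[i];
        last_tb.n_insns++;
        last_tb.end_pc = in->pc + in->size;
        if (in->is_branch) {
            last_tb.exit_reason = EXIT_BRANCH;   /* control leaves the block */
            break;
        }
        if (PAGE_OF(last_tb.end_pc) != PAGE_OF(start_pc)) {
            last_tb.exit_reason = EXIT_PAGE;     /* next insn is on another page */
            break;
        }
        i++;
        if ((size_t)i >= N_INSNS || code[i].pc != last_tb.end_pc) {
            last_tb.exit_reason = EXIT_NO_CODE;  /* constructed stream ran out */
            break;
        }
    }
    return last_tb.exit_reason;
}

int main(void)
{
    static const uint32_t starts[] = {0x81ac, 0x81c6, 0x8ff8, 0x9000};
    for (size_t k = 0; k < sizeof(starts) / sizeof(starts[0]); k++) {
        int r = tb_gen(starts[k]);
        printf("TB %#x..%#x: %d insns, exit reason %d\n",
               (unsigned)last_tb.start_pc, (unsigned)last_tb.end_pc,
               last_tb.n_insns, r);
    }
    return 0;
}
```

Starting at 0x81ac yields the seven instructions up to and including the beq (exit reason branch); starting at 0x8ff8 stops after two instructions because the next one would lie on page 0x9000, even though no branch was seen. The page check compares the page of the address just past the current instruction with the page of the block start, which is what keeps a TB from spanning two guest pages.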

Slide 9

Block Chaining
• Jump directly between basic blocks

Slide 10

Chaining Steps
• tb_add_jump() in "cpu-exec.c"
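A worked model of block chaining that ties together the TranslationBlock fields (slide 6), the tagged jmp_list pointers with their low-two-bit encoding (slide 7), and tb_add_jump() (slides 9 and 10). This is an added example, not the slides' or QEMU's code: "patching the jump" is represented by storing the destination TB in a jmp_target[] field instead of rewriting host machine code, and tb_count_incoming(), tb_jmp_unlink(), chain_demo_build(), chain_demo_unlink() and the three static TBs tbA, tbB, tbC are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of TB chaining with tagged list pointers (not QEMU's code). */
typedef struct TranslationBlock {
    uint32_t pc;
    /* One tagged pointer per outgoing jump (0 and 1). The low two bits select
     * the field of the pointed-to TB that continues the list:
     * 0 => jmp_list_next[0], 1 => jmp_list_next[1], 2 => jmp_list_first. */
    uintptr_t jmp_list_next[2];
    uintptr_t jmp_list_first;       /* head of the list of TBs jumping here */
    /* Current destination of jump n: a chained TB, or NULL meaning
     * "return to the main loop" (the unpatched state). */
    struct TranslationBlock *jmp_target[2];
} TranslationBlock;

#define TB_PTR(p)        ((TranslationBlock *)((p) & ~(uintptr_t)3))
#define TB_TAG(p)        ((int)((p) & 3))
#define TB_TAGGED(tb, n) ((uintptr_t)(tb) | (uintptr_t)(n))

/* A TB with no incoming jumps points jmp_list_first at itself with tag 2;
 * reaching tag 2 while walking a list means "end of list". */
static void tb_init(TranslationBlock *tb, uint32_t pc)
{
    tb->pc = pc;
    tb->jmp_list_first = TB_TAGGED(tb, 2);
    tb->jmp_list_next[0] = tb->jmp_list_next[1] = 0;
    tb->jmp_target[0] = tb->jmp_target[1] = NULL;
}

/* Simplified tb_add_jump(): chain jump n of tb to tb_next and push tb onto
 * tb_next's incoming list so the chain can be undone later. */
static void tb_add_jump(TranslationBlock *tb, int n, TranslationBlock *tb_next)
{
    if (tb->jmp_target[n] != NULL) return;   /* already chained */
    tb->jmp_target[n] = tb_next;             /* "patch" the jump */
    /* The tag records which slot of tb holds the pointer to the next element. */
    tb->jmp_list_next[n] = tb_next->jmp_list_first;
    tb_next->jmp_list_first = TB_TAGGED(tb, n);
}

/* Walk the incoming-jump list of tb, using each tag to pick the next field. */
static int tb_count_incoming(const TranslationBlock *tb)
{
    int count = 0;
    uintptr_t ptr = tb->jmp_list_first;
    while (TB_TAG(ptr) != 2) {
        const TranslationBlock *src = TB_PTR(ptr);
        count++;
        ptr = src->jmp_list_next[TB_TAG(ptr)];
    }
    return count;
}

/* Undo every jump into tb (needed before tb is invalidated): reset each
 * source's jump to "return to the main loop" and empty the list. */
static void tb_jmp_unlink(TranslationBlock *tb)
{
    uintptr_t ptr = tb->jmp_list_first;
    while (TB_TAG(ptr) != 2) {
        TranslationBlock *src = TB_PTR(ptr);
        int n = TB_TAG(ptr);
        uintptr_t next = src->jmp_list_next[n];
        src->jmp_target[n] = NULL;
        src->jmp_list_next[n] = 0;
        ptr = next;
    }
    tb->jmp_list_first = TB_TAGGED(tb, 2);
}

/* Three constructed TBs: A's jump 0 and B's jump 1 both land in C. Static
 * storage is at least 4-byte aligned, so the low two bits are free for tags. */
static TranslationBlock tbA, tbB, tbC;

/* Builds the scenario (adding A->C twice to show the call is idempotent)
 * and returns the number of TBs chained into C. */
static int chain_demo_build(void)
{
    tb_init(&tbA, 0x81ac);
    tb_init(&tbB, 0x81c6);
    tb_init(&tbC, 0x8200);
    tb_add_jump(&tbA, 0, &tbC);
    tb_add_jump(&tbB, 1, &tbC);
    tb_add_jump(&tbA, 0, &tbC);
    return tb_count_incoming(&tbC);
}

/* Unchains C and returns how many TBs still jump into it. */
static int chain_demo_unlink(void)
{
    tb_jmp_unlink(&tbC);
    return tb_count_incoming(&tbC);
}

int main(void)
{
    printf("incoming jumps to C after chaining: %d\n", chain_demo_build());
    printf("incoming jumps to C after unlink:   %d\n", chain_demo_unlink());
    return 0;
}
```

After the two tb_add_jump() calls, C's jmp_list_first is B tagged 1, B's jmp_list_next[1] is A tagged 0, and A's jmp_list_next[0] is C tagged 2 (the terminator), which is exactly the traversal rule on slide 7. Keeping the incoming list is what makes unlinking cheap when a TB is invalidated: every source that was patched to jump straight into C is found by one list walk.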

Slide 11

TCG (Tiny Code Generator)

Slide 12

TCG (Tiny Code Generator)

Slide 13

TCG (Tiny Code Generator)

Slide 14

Codebase

Slide 15

Codebase
• /vl.c: sets up the virtual machine specification, such as the size of RAM
• /hw/: emulated hardware
• /target-xxx/: guest (target) specific
• /target-xxx/translate.c: the guest-specific ISA is converted into TCG ops
• /tcg/: host (TCG) specific
• /tcg/*/tcg-target.c: TCG ops to host code
• /cpu-exec.c: cpu_exec() finds the next translation block to translate and execute
• /tci.c: tcg_qemu_tb_exec(), the function that actually executes the code

Slide 16

Reference
• https://lists.gnu.org/archive/html/qemu-devel/2011-04/pdfhC5rVdz7U8.pdf
• https://dl.dropboxusercontent.com/u/8976842/TCG.pdf
• http://www.slideshare.net/RampantJeff/qemu-binary-translation
• http://lugatgt.org/content/qemu_internals/downloads/slides.pdf