Qemu translation framework and debugging tools

Address: http://blog.csdn.net/ariesjzj/article/details/7972755

The main framework translated in qemu is located in the cpu_exec () function in the cpu-exec.c.

For (;;){
If (setjmp (env-> jmp_env) = 0 ){
// Exception Handling
For (;;){
// Longjmp if there is an exception has been requested
Tb_find_fast () // look up translation block.
...
Tb_add_jump () // chaining
...
Tcg_qemu_tb_exec () // execute the translation Block
}

}
}

The jump context is set at the beginning of the External Loop to prepare for future interrupt processing. check whether there is any interruption in the internal loop. If yes, jump to the jump context set above, in addition, the internal loop mainly performs translation and execution of translation code. Tb_find_fast () is used to find whether the code to be executed has been translated:

Tb_find_fast () // search the fast lookup table (env-> tb_jmp_cache)
If not found
Tb_find_slow () // search the slow lookup table (physical page table-tb_phys_hash)
If not found
Tb_gen_code () // do translation
Else
// Add to fast lookup table
Else
Return

Where tb_gen_code starts Translation:

Tb_gen_code ()
// Alloc translation Block
Cpu_gen_code ()
// Add to slow lookup table

Cpu_gen_code ()
Gen_intermediate_code () // Phase 1
Gen_intermediate_code_internal ()
Disas_insn ()
Tcg_gen_code // Phase 2
Tcg_gen_code_common ()

Translation is divided into two phases:
Phase 1: The guest code is represented in the middle (called micro operation ). The implementation code of this phase is mainly in the target-arch directory, and the results are stored in gen_opc_buf (TCG opcode) and gen_opparam_buf (TCG operand.
Phase 2: indicates the host code in the middle. The implementation code for this phase is mainly in the TCG directory. The result is stored in gen_code_buf.

The code for executing the translation has been translated:

Tcg_qemu_tb_exec ()
Code_gen_prologue // generated by tcg_target_qemu_prologue () When initialization.

Code_gen_prologue
// Prologue: callee saved registers, reserve stack space, etc.
// Jump to translated code
// Epilogue: Restore register and stack, etc.

In the android emulator, qemu provides us with some powerful debugging tools, such

1. Monitor, which allows users to interact with and control qemu during operation. First, add the startup parameter:
$ Emulator.exe-AVD test-qemu-monitor telnet: 1235, server, Nowait

Connect to the instance via telnet:
(Via Telnet) o localhost 1235

Then you can see the qemu shell prompt. Then you can run the commands provided by monitor.

2. log. When the parameter-qemu-D is added at startup, logs can be output as needed:

Log items (comma separated ):
Out_asm show generated host assembly code for each compiled TB
In_asm show target assembly code for each compiled TB
OP show micro ops for each compiled TB
Op_opt show micro Ops before eflags optimization and after liveness Analysis
Int show interrupts/exceptions in short format
Exec show trace before each executed Tb (lots of logs)
CPU show CPU state before block Translation
Pcall show Protected Mode far CILS/returns/exceptions
Cpu_reset show CPU state before CPU resets

For example, when in_asm is added, out_asm can print the guest code and the translated host code:

In:
0xfffffff0: ljmp $0xf000, $ 0xe05b

Out: [size = 32]
0x06614020: mov $0xf000, % eax
0x06614025: movzwl % ax, % eax
0x06614028: mov % eax, 0x50 (% EBP)
0x0661402b: SHL $0x4, % eax
0x0661402e: mov % eax, 0x54 (% EBP)
0x06614031: mov $ 0xe05b, % eax
0x06614036: mov % eax, 0x20 (% EBP)
0x06614039: XOR % eax, % eax
0x0661403b: JMP 0x844548