QEMU - Binary Translation

Post on 28-Nov-2014


description

Introduction to binary translation in QEMU (TCG) and how it works. In addition, there is a section that demonstrates qemu-monitor, a debug tool for AArch64/QEMU. There are lots of animations in the slides, so download the file and open it with Microsoft PowerPoint for the best experience. Download link (Google Drive): http://goo.gl/XXMC9X

Transcript of QEMU - Binary Translation

QEMU Binary Translation

2014/09/25@NCKU Embedded Course

Jeff Liaw

rampant1018@gmail.com

Outline
  Introduction of QEMU
    Overview
    Translation Block
    Tiny Code Generator
    Porting to a New Architecture
  Linaro
  QEMU Monitor
    A debug tool for AArch64/QEMU

YOD

O L

ab

-2-

Introduction of QEMU

What is QEMU?
  Quick EMUlator
  QEMU is a FAST! processor emulator
    Time for booting a Linux kernel (buildroot): QEMU needs 2 sec, Foundation Model needs 12 sec
  Simulation vs. Emulation
    Simulation – for analysis and study
    Emulation – for usage as a substitute


Usage of QEMU
  Modes:
    System-mode emulation – emulation of a full system
    User-mode emulation – launch processes compiled for another CPU (same OS)
      Ex. execute an arm/linux program on x86/linux
  Popular uses:
    Cross-compilation development environments
    Virtualization, device emulation (for KVM)
    Android Emulator (part of the SDK)


QEMU Generic Features
  Support for self-modifying code
  Precise exceptions
  FPU: software emulation or host FPU instructions
  Dynamic translation to native code => speed


QEMU Full System Emulation Features

Full software MMU => portability

Optionally use an in-kernel accelerator (KVM)

Various hardware devices can be emulated

SMP even on host with a single CPU


QEMU Emulation Example
  Host (Win7/x86) emulates Guest (Linux/arm)
  x86 ISA is different from ARM's ISA, so the guest instructions must be emulated


Dynamic Translation
  Target CPU instruction → Host CPU instruction (at runtime)
  Translated code is kept in a translation cache (32MB in the diagram)


Translation & Execution
  Main loop: IRQ handling → translation → run guest code
  Entering guest code: initialize the processor state and jump to the host code
  Leaving guest code: restore the normal state and return to the main loop
  Overhead!


Translation & Execution
  We need emulation! The host runs the emulation main loop:
  Main loop: IRQ handling → translation → run guest code


Basic Block (Translated Block, TB)
  Block exit points:
    encounter a branch (anything that modifies the PC)
    reach a page boundary

    000081ac <abort>:
        81ac:  add  $sp, $sp, #-24      Block 1
        81b0:  str  $fp, [$sp, #20]
        …
        81c2:  beq  $lr                 <- branch occurs: Block 1 ends here
        81c6:  mov  $sp, $fp            Block 2
        …
        81d0:  ret  $lr


Block Chaining
  Jump directly between translated basic blocks instead of going back to the main loop


Chaining Steps
  tb_add_jump() in "cpu-exec.c" patches the exit of one TB to jump straight to the next


CPU Execution Flow
  1. Look up the TB cache (TBC) by target PC
       cached? N → translate one basic block: tb_gen_code()
                 → chain it to the existing block: tb_add_jump()
       cached? Y → execute the translated code: cpu_tb_exec()
  2. Exceptions leave the translated code and go to exception handling:
       asynchronous interrupts (unchain the TBs)
       process I/O
       no more TB


Example
  arm-none-eabi-gcc -c -mcpu=arm926ej-s -g -O0 foo.c -o foo.o


Example
  r4 = dummy, r5 = i
  dummy++ when i < 5, dummy-- when i >= 5
  i counts from 0 to 9
  (figure: cpu-exec fills the translation cache with TB 1 … TB 5 while the loop is executed for the first time; later iterations reuse the cached TBs)
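The loop above, run through a toy dynamic translator that follows the TB pipeline just described: look up the translation cache by guest PC, translate one block until a branch or a page boundary, execute it, and chain the exit to the next TB so the lookup is skipped on later passes. This is an added example written for this page, not QEMU code and not the author's foo.c: the guest ISA, the micro-op set, the page size of four instructions and the register numbering are all constructed for illustration, and only the structure and the function names (tb_find, tb_gen_code, cpu_tb_exec, tb_add_jump) follow QEMU.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy dynamic binary translator following QEMU's TB pipeline (tb_find -> tb_gen_code ->
 * cpu_tb_exec -> tb_add_jump). The guest ISA, micro-ops and program are constructed for
 * this page and are not QEMU code; only the structure and function names follow QEMU. */
enum { OP_ADDI, OP_BLT, OP_JMP, OP_HALT };     /* toy guest opcodes; BLT/JMP keep the target in rd */
typedef struct { int op, rd, rs, imm; } Insn;
enum { UOP_MOVI, UOP_ADD, UOP_SETCOND_LT, UOP_BRCOND, UOP_GOTO, UOP_EXIT };
typedef struct { int op, a, b, c; } Uop;       /* RISC-like micro-op */
#define PAGE_INSNS 4                            /* toy page size: a TB never crosses it */
#define MAX_TB 16                               /* translation cache capacity */

typedef struct TB {
    int pc, n; Uop uops[2 * PAGE_INSNS];   /* guest start PC (the cache key), micro-ops */
    int exit_pc[2];            /* guest PC after exit 0 (fallthrough/jump) and exit 1 (taken) */
    struct TB *next[2];        /* chained successor per exit, NULL until tb_add_jump() */
} TB;
typedef struct {
    int regs[8], tmp;          /* r4 = dummy, r5 = i, as on the slide */
    TB cache[MAX_TB]; int ntb; /* translation cache */
    int translations, lookups, chained, executed;
} CPU;

/* Guest program from the slide: i runs 0..9, dummy++ while i < 5, dummy-- while i >= 5 */
static const Insn PROG[] = {
    {OP_BLT,  3, 5, 5},   /* 0: if (i < 5) goto 3 */
    {OP_ADDI, 4, 4, -1},  /* 1: dummy-- */
    {OP_JMP,  4, 0, 0},   /* 2: goto 4 */
    {OP_ADDI, 4, 4, 1},   /* 3: dummy++   (page boundary follows) */
    {OP_ADDI, 5, 5, 1},   /* 4: i++ */
    {OP_BLT,  0, 5, 10},  /* 5: if (i < 10) goto 0 */
    {OP_HALT, 0, 0, 0},   /* 6: stop */
};
#define EMIT(tb, ...) ((tb)->uops[(tb)->n++] = (Uop){__VA_ARGS__})

/* Frontend: translate one basic block, stopping at a branch or a page boundary. */
static TB *tb_gen_code(CPU *cpu, int pc) {
    if (cpu->ntb == MAX_TB) { fputs("translation cache full\n", stderr); exit(1); }
    TB *tb = &cpu->cache[cpu->ntb++];
    memset(tb, 0, sizeof *tb); tb->pc = pc; cpu->translations++;
    int cur = pc, ends_block;
    do {
        const Insn *in = &PROG[cur++];
        ends_block = 1;
        switch (in->op) {
        case OP_ADDI:                      /* rd = rs + imm -> movi tmp, imm ; add rd, rs, tmp */
            EMIT(tb, UOP_MOVI, 0, in->imm, 0); EMIT(tb, UOP_ADD, in->rd, in->rs, 0);
            ends_block = 0; break;
        case OP_BLT:                       /* setcond tmp = rs < imm ; brcond tmp -> exit 1 */
            EMIT(tb, UOP_SETCOND_LT, 0, in->rs, in->imm); EMIT(tb, UOP_BRCOND, 0, 0, 0);
            tb->exit_pc[1] = in->rd; break;
        case OP_JMP: EMIT(tb, UOP_GOTO, 0, 0, 0); tb->exit_pc[0] = in->rd; break;
        default:     EMIT(tb, UOP_EXIT, 0, 0, 0); break;
        }
    } while (!ends_block && cur % PAGE_INSNS != 0);
    if (PROG[cur - 1].op != OP_JMP) tb->exit_pc[0] = cur;   /* fall through to the next insn */
    return tb;
}
/* Execute a TB's micro-ops; return the exit taken (0/1) or -1 on HALT. */
static int cpu_tb_exec(CPU *cpu, const TB *tb) {
    cpu->executed++;
    for (int i = 0; i < tb->n; i++) {
        const Uop *u = &tb->uops[i];
        switch (u->op) {
        case UOP_MOVI:       cpu->tmp = u->b; break;
        case UOP_ADD:        cpu->regs[u->a] = cpu->regs[u->b] + cpu->tmp; break;
        case UOP_SETCOND_LT: cpu->tmp = cpu->regs[u->b] < u->c; break;
        case UOP_BRCOND:     return cpu->tmp ? 1 : 0;
        case UOP_GOTO:       return 0;
        case UOP_EXIT:       return -1;
        }
    }
    return 0;                  /* ran into the page boundary: fallthrough exit */
}
static TB *tb_find(CPU *cpu, int pc) {   /* translation cache lookup by guest PC; translate on a miss */
    cpu->lookups++;
    for (int i = 0; i < cpu->ntb; i++) if (cpu->cache[i].pc == pc) return &cpu->cache[i];
    return tb_gen_code(cpu, pc);
}
/* Main loop (cf. cpu_exec): look up, execute, chain the exit to the next TB. */
static int run(CPU *cpu, int entry_pc) {
    TB *tb = tb_find(cpu, entry_pc);
    for (;;) {
        int ex = cpu_tb_exec(cpu, tb);
        if (ex < 0) return cpu->regs[4];
        if (tb->next[ex]) { tb = tb->next[ex]; cpu->chained++; continue; }  /* direct jump */
        TB *nxt = tb_find(cpu, tb->exit_pc[ex]);
        tb->next[ex] = nxt;    /* tb_add_jump(): later passes skip the lookup */
        tb = nxt;
    }
}
static CPU g_cpu;   /* demo state, inspected after run_demo() */
static int run_demo(void) { memset(&g_cpu, 0, sizeof g_cpu); return run(&g_cpu, 0); }

int main(void) {
    int dummy = run_demo();
    printf("dummy=%d i=%d | TBs translated=%d lookups=%d chained=%d executed=%d\n", dummy,
           g_cpu.regs[5], g_cpu.translations, g_cpu.lookups, g_cpu.chained, g_cpu.executed);
    return 0;
}
```

Compile with a C99 compiler. The loop translates into five TBs (starting at guest PCs 0, 1, 3, 4 and 6), like the TB 1 … TB 5 of the slide; the block at PC 3 ends at the toy page boundary rather than at a branch. Of the 31 block executions only 7 go through the cache lookup, the other 24 are chained jumps, which is the main-loop overhead block chaining removes. A real cache is fixed-size: QEMU flushes the whole cache and drops all chains when it fills, where this toy simply aborts.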


CPU dependency (bad idea)
  Target CPU → generate host code → Host CPU
  Translating straight from each target ISA to each host ISA needs one translator per target/host pair. Bomb!!!!!!


CPU independency (good idea)
  Target CPU → intermediate representation → generate host code → Host CPU
  "All problems in CS can be solved by another level of indirection"


Tiny Code Generator (TCG)
  Since QEMU 0.10
  Relaxes the target/host dependency
  Steps:
    1. Target instruction → RISC-like TCG ops   (Frontend)
    2. Optimizations
    3. TCG ops → host instructions              (Backend)


TCG micro-ops
  Simple instruction: ARM add → TCG micro-ops
  (figure: ARM instruction on the left, converted micro-ops on the right)
  P.S. tmp5 and tmp6 are temporary variables


TCG micro-ops
  Complicated instruction: ARM qadd → TCG micro-ops (helper)
  (figure: ARM instruction on the left, converted micro-ops with the helper call on the right)
  P.S. tmp5, tmp6 and tmp7 are temporary variables


TCG micro-ops
  Basic functions
  Temporary variables
  Divide one instruction into multiple small operations
  Helper function: handles complicated instructions


TCG Frontend API
  tcg_gen_<op>[i]_<reg_size>
    <op>       – operation
    [i]        – immediate operand (with i) or register operand (without)
    <reg_size> – size of the register (e.g. i32, i64)


TCG Frontend API
  Temporary variables: allocate (tcg_temp_new_*) and free (tcg_temp_free_*)
  Call a helper function (gen_helper_*)
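The add and qadd slides and the frontend API above, as a compilable added example (not QEMU source and not the author's slides): a miniature TCGContext with tcg_gen_movi_i32 / tcg_gen_mov_i32 / tcg_gen_add_i32, temporaries from tcg_temp_new_i32, and a gen_helper_qadd call that leaves ARM QADD's saturation to a C helper. The op record, the value array, the bump allocator for temporaries and the interpreter that stands in for the backend are assumptions made for illustration; only the naming convention follows QEMU.

```c
#include <stdint.h>
#include <stdio.h>

/* Miniature model of the TCG frontend API (tcg_gen_<op>[i]_<reg_size>) plus a helper
 * call for an instruction that is awkward as plain micro-ops (ARM QADD). Constructed
 * for this page: context, temporaries and the interpreter standing in for the backend
 * are not QEMU code; only the naming convention follows QEMU. */
enum { INDEX_op_movi_i32, INDEX_op_mov_i32, INDEX_op_add_i32, INDEX_op_call_qadd };
typedef struct { int opc, ret, arg1, arg2; } TCGOp;   /* opc + opparam, as on the slide */

#define NUM_GLOBALS 16            /* cpu_R[0..15]: guest registers living in the CPU state */
#define MAX_TEMPS   16            /* tmpN: temporaries local to one translation */
#define MAX_OPS     64
typedef int TCGv_i32;             /* index into the value array: a global or a temp */
#define cpu_R(n) ((TCGv_i32)(n))
typedef struct { TCGOp ops[MAX_OPS]; int nb_ops, nb_temps; } TCGContext;

static TCGv_i32 tcg_temp_new_i32(TCGContext *s) { return NUM_GLOBALS + s->nb_temps++; }
static void tcg_temp_free_i32(TCGContext *s, TCGv_i32 t) { (void)s; (void)t; } /* bump allocator: no-op */

static void tcg_emit(TCGContext *s, int opc, int ret, int a1, int a2) {
    if (s->nb_ops < MAX_OPS) s->ops[s->nb_ops++] = (TCGOp){opc, ret, a1, a2};
}
/* Frontend API: the "i" variant takes an immediate, the others take registers/temps. */
static void tcg_gen_movi_i32(TCGContext *s, TCGv_i32 r, int32_t imm) { tcg_emit(s, INDEX_op_movi_i32, r, imm, 0); }
static void tcg_gen_mov_i32(TCGContext *s, TCGv_i32 r, TCGv_i32 a) { tcg_emit(s, INDEX_op_mov_i32, r, a, 0); }
static void tcg_gen_add_i32(TCGContext *s, TCGv_i32 r, TCGv_i32 a, TCGv_i32 b) { tcg_emit(s, INDEX_op_add_i32, r, a, b); }
static void gen_helper_qadd(TCGContext *s, TCGv_i32 r, TCGv_i32 a, TCGv_i32 b) { tcg_emit(s, INDEX_op_call_qadd, r, a, b); }

/* Helper: ARM QADD is a signed saturating add; it runs as ordinary C when the TB executes. */
static int32_t helper_qadd(int32_t a, int32_t b) {
    int64_t r = (int64_t)a + b;
    return r > INT32_MAX ? INT32_MAX : r < INT32_MIN ? INT32_MIN : (int32_t)r;
}

/* "ADD Rd, Rn, #imm" -> the four micro-ops on the slide, using two temporaries. */
static void disas_add_imm(TCGContext *s, int rd, int rn, int32_t imm) {
    TCGv_i32 t0 = tcg_temp_new_i32(s), t1 = tcg_temp_new_i32(s);
    tcg_gen_movi_i32(s, t0, imm);          /* op_movi_i32  t0, #imm      */
    tcg_gen_mov_i32(s, t1, cpu_R(rn));     /* op_mov_i32   t1, cpu_R[rn] */
    tcg_gen_add_i32(s, t1, t1, t0);        /* op_add_i32   t1, t1, t0    */
    tcg_gen_mov_i32(s, cpu_R(rd), t1);     /* op_mov_i32   cpu_R[rd], t1 */
    tcg_temp_free_i32(s, t0); tcg_temp_free_i32(s, t1);
}

/* "QADD Rd, Rn, Rm" -> copy operands to temporaries, call the helper; three temporaries. */
static void disas_qadd(TCGContext *s, int rd, int rn, int rm) {
    TCGv_i32 t0 = tcg_temp_new_i32(s), t1 = tcg_temp_new_i32(s), t2 = tcg_temp_new_i32(s);
    tcg_gen_mov_i32(s, t0, cpu_R(rn));
    tcg_gen_mov_i32(s, t1, cpu_R(rm));
    gen_helper_qadd(s, t2, t0, t1);        /* op_call  t2 = helper_qadd(t0, t1) */
    tcg_gen_mov_i32(s, cpu_R(rd), t2);
    tcg_temp_free_i32(s, t0); tcg_temp_free_i32(s, t1); tcg_temp_free_i32(s, t2);
}

/* Stand-in for the backend: interpret the op buffer instead of emitting host code. */
static void tcg_exec(const TCGContext *s, int32_t *v) {
    for (int i = 0; i < s->nb_ops; i++) {
        const TCGOp *op = &s->ops[i];
        switch (op->opc) {
        case INDEX_op_movi_i32:  v[op->ret] = op->arg1; break;
        case INDEX_op_mov_i32:   v[op->ret] = v[op->arg1]; break;
        case INDEX_op_add_i32:   v[op->ret] = (int32_t)((uint32_t)v[op->arg1] + (uint32_t)v[op->arg2]); break;
        case INDEX_op_call_qadd: v[op->ret] = helper_qadd(v[op->arg1], v[op->arg2]); break;
        }
    }
}

/* Translate and execute one instruction with r0 = a, r1 = b; the result lands in r2. */
static int32_t run_insn(int is_qadd, int32_t a, int32_t b, int *nb_temps) {
    TCGContext s = {0};
    int32_t v[NUM_GLOBALS + MAX_TEMPS] = {0};
    v[0] = a; v[1] = b;
    if (is_qadd) disas_qadd(&s, 2, 0, 1);
    else         disas_add_imm(&s, 2, 0, b);   /* plain add: b is used as the immediate */
    tcg_exec(&s, v);
    if (nb_temps) *nb_temps = s.nb_temps;
    return v[2];
}
static int temps_for(int is_qadd) { int n; run_insn(is_qadd, 0, 0, &n); return n; }

int main(void) {
    printf("add  r2 = r0 + #15   (wraps):     %d  [%d temps]\n", run_insn(0, INT32_MAX - 1, 15, NULL), temps_for(0));
    printf("qadd r2 = r0 qadd r1 (saturates): %d  [%d temps]\n", run_insn(1, INT32_MAX - 1, 15, NULL), temps_for(1));
    return 0;
}
```

Running both translations on the same operands shows why qadd gets a helper: the plain add wraps INT32_MAX - 1 + 15 to a negative value, while helper_qadd saturates at INT32_MAX. The add sequence uses two temporaries and the qadd sequence three, matching the tmp5/tmp6 and tmp5/tmp6/tmp7 remarks on the slides.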


TCG internal
  Each micro-op is stored in two columns: op code (opc) and op parameters (opparam)

    OPC          OPPARAM
    op_add_i32   ret, arg1, arg2


ARM add → micro-ops (converted)

    OPC          OPPARAM
    op_movi_i32  t0, arg2
    op_mov_i32   t1, cpu_R[arg1]
    op_add_i32   t1, t1, t0
    op_mov_i32   cpu_R[arg1], t1


TCG Backend
  Frontend → Backend
  The backend receives the micro-op list produced by the frontend (op_movi_i32 t0, arg2; op_mov_i32 t1, cpu_R[arg1]; op_add_i32 t1, t1, t0; op_mov_i32 cpu_R[arg1], t1)


TCG Backend
  micro-ops → host code
  QEMU on x86-64: the micro-ops are converted into x86-64 host machine code


TCG Backend
  x86-64 backend example: the same micro-op list (op_movi_i32 t0, arg2; op_mov_i32 t1, cpu_R[arg1]; op_add_i32 t1, t1, t0; op_mov_i32 cpu_R[arg1], t1) is emitted as x86-64 instructions (host code shown in the slide image)


TCG Porting
  Porting source tree
  Frontend: qemu/target-*/
    cpu.h        – regs and CPU status declaration
    translate.c  – target instruction → micro-ops
    op_helper.c  – complicated instructions which can't be modeled with micro-ops
    helper.c     – exception handling (ex. divide by 0)
  Backend: qemu/tcg/*/
    tcg-target.c
    tcg-target.h


Linaro

Overview
  Build the future of Open Source Software on ARM
  Does the core engineering


Members
  Core Members, Club Members, Group Members


Android L Developer Preview
  Android emulator based on QEMU
  Differences to mainline QEMU:
    User Interface: keypad/buttons, accelerated graphics
    Emulated Devices: fast IPC (qemu_pipe), GSM, GPS, sensors
  Ref: http://www.linaro.org/blog/core-dump/running-64bit-android-l-qemu/


QEMU-Monitor

Overview
  QEMU provides a gdb stub:
    debug a running image
    display general purpose registers (pc, spsr)
    single-step execution
  But it cannot display system registers → hard to debug a kernel image


QEMU gdbserver & qemu-monitor
  QEMU gdbserver sends a gdb packet when VM_STATE changes
  qemu-monitor receives a custom packet through an IPC socket
  Flow:
    QEMU:          GDB_VM_STATE_CHANGE → Send GDB Packet → Send Custom Packet
                                                              (Custom Packet over IPC Socket)
    qemu-monitor:  Receive Custom Packet → Print Related Information


QEMU System Registers Mapping
  Some registers are not implemented
  QEMU variables mapping to ARM registers: hard-coded in target-arm/helper.c
  (table in the slide: Hash Key → QEMU variable)


Screenshot


THE END


QEMU & KVM
  QEMU alone: runs independently (pure emulation)
  QEMU + KVM: qemu (userspace tool) + kvm (hypervisor)
