Introduction to QEMU

8/13/2019 Introduction to QEMU

1/73

VM && QEMU

Date:2010/04/09 , rednoah


2/73

Outline

Introduction to Virtual Machine

VM Overview

Interpretation

Binary Translation

Process VM

Introduction to QEMU

QEMU OverviewQEMU JIT

QEMU other topics


3/73

Reference

James Smith and Ravi Nair, Virtual Machines:

Versatile Platforms for Systems and Processors

QEMU internals

http://wiki.qemu.org/Main_Page
http://wiki.qemu.org/Main_Pagehttp://wiki.qemu.org/Main_Page


4/73


5/73

VM Overview

Why do we prefer something virtual than real?

why Virtual memory?

sharing, protection, large address space,

why Java virtual machine? interoperability, application sharing, protection

why Virtual I/O?

flexibility, low cost sharing, better management

why Virtual Private Network (VPN) ?

secure communication over unsecure net


6/73

VM Overview

Common VMs:

IBM VM/CMS

VMware GSX

Xen Virtual PC

JVM, MS CLI (Common Language Infrastructure)

Dalvik virtual machine

IA-32 IL, Apple Rosetta, HP PA-Aries Transmeta Crusoe

QEMU


7/73


8/73

VM Overview

Virtual Machines

Add virtualization software to a host platform and

support guest process or system on a VM.


9/73


10/73

VM Overview

System Virtual Machine

Provide a system environment

Constructed at ISA-level

Example: IBM VM/360, Vmware

Purpose:

Server consolidation

Secure partitioning Fault isolation

Support software development and deployment

Cloud computing bandwagon


11/73

VM Overview

High-Level Language Virtual Machine

Java and MS CIL (Common Language Infrastructure) are currentexamples.

Binary class files are distributed

ISA (IR) is part of binary class format

OS interaction via API (part of VM platform)


12/73

VM Overview

High-Level Language Virtual Machine

Dalvik bytecode format


13/73

VM Overview

QEMU User-mode QEMU System-mode


14/73

Interpretation

Emulation ? Simulation ? Emulation: to be you. (A method for enabling a (sub)system

to present the same interface and characteristics as another)

Simulation: to be like you.

Guest and Host Refer toplatforms

Source and Target Source ISA: Original instruction set or binary

Target ISA: Instruction set being executed by processorperforming emulation.

Refer to ISAs


15/73

Interpretation

Ways of implementing emulation

Interpretation: instruction at-a-time

Binary Translation: block-at-a-time optimized for

repeated instruction executions Why binaries/executables?

Dynamic or Static compilation ?


16/73

Interpretation

Interpretation State Hold complete source architecture state in the interpreters data

memory

target-arm/cpu.h


17/73

Interpretation

Decode-Dispatch Interpretation

while (!halt && !interrupt)

{

inst = code(PC);

opcode = extract(inst,31,6);

switch(opcode) {

case LdWord: LdWord(inst);

case ALU: ALU(inst);case Branch: Branch(inst);

. . .

}


18/73

Interpretation


LdWord(inst){

RT = extract(inst,25,5);

RA = extract(inst,20,5);displacement =extract(inst,15,16);source = regs[RA];address = source + displacement ;

regs[RT] = data[address];PC = PC + 4;

}


19/73

Interpretation



20/73

Interpretation

Decode-Dispatch (Efficiency)


21/73


22/73

Binary Translation

Generate custom code for every source instruction.

For example, a load instruction in source code

could be translated into a respective load

instruction in native code. Get rid of repeatedparsing, decoding, andjumping

overhead.

Register mapping is needed to reduce load/storessignificantly.


23/73


24/73

Binary Translation


25/73

Binary Translation

Register mapping to reduce load/store


26/73

Binary Translation


27/73


28/73

Binary Translation

Source PC v.s. Target PC (program counter)

TPC(Target PC) is different from SPC(Source PC)

For indirect branches, the registers hold source PCs. So

we must provide a way to map SPCs to TPCs.

Incorrect translation !/* jump indirect through ctr, but ctr

contains SPC*/


29/73

Binary Translation

Dynamic Translation

First Interpret And perform code discovery as a

byproduct

Translate Code

Incrementally, as it is discovered Place translated blocks into Code

Cache

Save source to target PC mappingin anAddressLookup Table

Emulation process Execute translated block to end

Lookup next source PC in table If translated, jump to target

PC

else interpret and translate


30/73


31/73

Binary Translation

The translation system needs to track

SPC at all timesControl is shifted as needed between the interpreter,

the EM, and translated blocks in the code cache. Each

component must have a way to track SPC.

Interpreter uses SPC directly

Interpreter passes the next SPC to EMTranslated block passes the next SPC to EM

using JAL (jump and link instruction) or

mapping SPC to a register.


32/73

Binary Translation

Control flows between translated block and

emulation manager

Emulation

Manager

Translation Block

Translation Block

Translation BlockContext switch


33/73

Binary Translation

Control flow optimization - Chaining

a.out

1

2

3

Cache cache

1

2

3

0

4

Interpreter

Emulator

SPC-TPC

Lookup

Table


34/73


35/73

Binary Translation

CC is set more often than referenced.

If a CC is set before its use, the earlier set CC does not need to besaved. However, most CC are saved at the end of each translated

block.

If it can be determined that the following block always set the CCbefore use, the current block does not save the CC it sets. Thepayoff is very high. (ex. all x86 ALU operations update CC)

Some rarely used CC (V,C) or flags (e.g. parity) can be simulatedusing lazy evaluation. Instead of saving/restoring the CC or theflag, save the instructionand its operandsand re-computetheCC/flag when it is needed


36/73

Binary Translation

CC example (IA32 to PowerPC)


37/73

Binary Translation

CC Optimizations

Combine Compare with Branch

ARM may use two instructions for a branch: a compare (or a TST or TEQ)instruction followed by a branch. For some simple cases, MIPS cansimply use a compare-and-branch instruction.

There are cases, although very rare, the translated code (in terms ofnumber of instructions) could be even smaller than the original ARMcode.

Mapping each flag to a dedicated register

Example:

N:R17 Z: R18 C:R19 V:R20

This can reduce instruction overhead to extract/deposit target flags from/to theCPSR (Current Program Status Register).

It the target architecture has sufficient number of registers, this optimizationshould be considered. Otherwise, it may take away three more registers,and cause register spilling.


38/73

Binary Translation

Other issues of translation

Data Formats and Arithmetic

Memory Data Alignment

Byte Order


39/73

Process VM

Perform guest/host mapping atthe ABI(ISA + system calls)level

Encapsulate guest process inprocess-level runtime

Example: QEMU linux user-mode

Issues

Memory architecture

Exception architecture

OS call emulation

Overall VM architecture

High performance

implementation

System environments


40/73

Process VMImplementation


41/73

Process VM

Loader A special loader writes guest code and data into a region holding the guests

memory image, and load the runtime code into memory.

Initialization Allocate memory for the code cache and other tables Initialize runtime data structures and invoke OS to establish signal

handlers. Emulation engine

Emulate guest instructions with interpreter or binary translation

Code Cache Manager What translation to flush?

OS Call Emulator Translate OS calls and OS responses

Exception Emulator Handle signals

If registered by src, pass to src handler, If not, emulate host response

Form precise state


42/73

Process VM

Compatibility A strict definition of compatibility (e.g. bug-to-bug

compatible) would exclude many useful process VM.

Intrinsic compatibility Any software written by the most devious programmer will

work in a compatible way

Example: Intel strives for intrinsic compatibility when itproduces a new x86 microprocessor

Extrinsic compatibilityMany useful VM applications do not achieve intrinsic

compatibility

Limited application set: run Microsoft productivitytools (Office)


43/73

Process VM

Compatibility issuesState Mapping

if the guest process uses all virtual address space, intrinsiccompatibility cannot be achieved

Mapping of control transfers

some potential trapping instructions may be removed

User-level instruction

FP format may be different

OS operation

host OS does not support exactly the same function as theguests native OS


44/73


45/73

Process VM

Guest address space > Host address space +

Runtime


46/73

Process VM

Direct Translation Methods VM software mapping is slow

Use underlying hardware If guest address space + runtime fit within host space


47/73

Process VM - Protecting Runtime Memory


48/73


49/73

QEMU overview

Update status 0.9.1 (Jan 6, 2008)

Stable and stop for a long time

0.10 (Mar 5, 2009)

TCG support (a new general JIT framework) 0.11 (Sep 24, 2009)

KVM support

0.12

More KVM support.

Code refactoringnew peripheral framework to support dynamic boardconfiguration


50/73

QEMU ScreenshotEmulate ARM11MPCore


51/73

QEMU ScreenshotAndroid 2.1


52/73

QEMU JIT

TCG (Tiny Code Generator)

a generic backend for a C compiler. It was simplified

to be used in QEMU.

Translation Block (TB)A TCG "basic block" corresponds to a list of

instructions terminated by a branch instruction.

16Mb code cache size


53/73

QEMU JIT

Prologue, Epilogue When the target-machine is ARM


54/73


55/73

QEMU JITcode gen flow

Front-end: qemu/tcg/tcg.c gen_intermediate_codedisas_XXX_insn

Interprete source instruction and translate to micro-ops.

Translation stops when a conditional branch is encountered.


56/73


tcg_liveness_analysis Remove dead code.

Ex. and_i32 t0, t0, $0xffffffff

Ex. add_i32 t0, t1, t2 add_i32 t0, t0, $1 mov_i32 t0, $1


57/73


Register mapping register struct CPUNDS32State *env asm(r14);

register target_ulong T0 asm(r15);




58/73

QEMU JITBlock chaining

Avoid context-switch overhead

Every time a block returns, try to chain it.

tb_add_jump(): back-patch the native jump address


59/73

QEMU JITMemory load emulation

Base on qemu 0.10.5 , emulate mips (little endian)

decode_opctranslate mips-asm to micro-op

Translation stops when a conditional branch is

encountered. gen_store_gpr will store this value to the emulated

cpusgeneral register.


60/73


61/73


Generate binary code

cpu_gen_code gen_intermediate_code tcg_gen_code

/qemu/Translate-all.c /qemu/Tcg.c

tcg_gen_code_commontcg_reg_alloc_optcg_out_op

/qemu/Tcg/i386/tcg-target.c

opc

tcg outputs 0xe8 which means a call

instruction in x86. It will call the functions in

array qemu_ld_helpers.The args to the

functions is passed by registers EAX,EDXand ECX.


62/73


#define REGPARM__attribute((regparm(3)))

0xe8

pc (s->code_ptr)

__ldb_mmu

pc+4 (s->code_ptr += 4)

qemu_ld_helpers[s_bits]

Offset (4 byte)


63/73

QEMU JIT Memory load emulation


64/73


SoftMMU

Translate the guest physical address to host virtual address.

phys_offset == IO_MEM_RAMguest RAM space

phys_offset[31:12]: the offset of this page in emulated physical

memory.

phys_offset +phys_ram_base = host virtual address

phys_offset > IO_MEM_ROMMMIO space

phys_offset[11:3]: the index in io_mem_write/io_mem_read

array.

register the I/O emulation functions:



65/73


SoftMMU

Original way 1. Translate the guest virtual address to guest physical address

2. Then qemu needs to find the PhysPageDesc entry in table l1_phys_mapand getthephys_offset

3. phys_offset +phys_ram_base = host virtual address

Software TLB table

1. Search TLB first. 2. Hit: guest_virtual_address + addend = host_virtual_address.

3. Miss: Search the l1_phys_maptable and then fill the corresponding entry to theTLB table



66/73


SoftMMU (__ldX_mmu)

()



67/73


SoftMMU (__ldX_mmu)

cpu_exectb_find_fasttb_find_slowget_phys_addr_code(if tlb not

match)ldub_code(softmmu_header.h)__ldl_mmu(softmmu_template.h)tlb

_fillcpu_XXX_handle_mmu_faulttlb_set_pagetlb_set_page_exec


68/73

QEMU JITSummary

Look up TB

Translate oneTB

Chain it to

existed TBs

Execute Code

cache

Exception

happen and

handling

Cached? No

Yes

Q h i


69/73

QEMU other topics

Fixed register allocation

Conditional code (CC)

Lazy CC evaluation

Recovery when needed

register struct CPUARMState *env asm(r14);




R = A + B

CC_SRC=A

CC_DST=R

CC_OP=CC_OP_ADDL


70/73

S d i i


71/73

Source code organization

TranslationBlock structure in translate-all.h

Translation cache is code_gen_bufferin exec.c

cpu-exec() in cpu-exec.c orchestrates translation

andblock chaining.

vl.c: Main loop for system emulation.

S l D


72/73

Sample Demo

Using gdb to debug QEMU

Using QEMU to debug guest OS

QEMU Linux-user mode emulation

QEMU system mode emulation

F i f QEMU


73/73

Funny issues of QEMU

Generate execution traces to drive timing models

Try to integrate timing models

Improve optimization, say, by retaining chaining

across interrupts TCG Optimization.

Code cache management

Optimization passes of micro-op Multi-core emulate multi-core

Date post:	04-Jun-2018
Category:	Documents
Upload:	santyd
View:	264 times
Download:	5 times

Introduction to QEMU

Documents