QEMUBinary Translations

2014/09/25@NCKU Embedded Course

Jeff Liaw

rampant1018@gmail.com

OutlineIntroduction of QEMU

OverviewTranslation BlockTiny Code GeneratorPorting to New Architecture

LinaroQEMU Monitor

A debug tool for AArch64/QEMU

YOD

O L

ab

-2-

Introduction of QEMU

What is QEMU?Quick EMUlatorQEMU is a FAST! processor emulator

Time for booting linux kernel(buildroot) QEMU needs 2 sec Foundation Model needs 12 sec

Simulation V.S EmulationSimulation – For analysis and studyEmulation – For usage as substitute

YOD

O L

ab

-4-

Usage of QEMUModes:

System-mode emulation – emulation of a full system

User-mode emulation – launch processes compiled for another CPU(same OS) Ex. execute arm/linux program on x86/linux

Popular uses:For cross-compilation development

environmentsVirtualization, device emulation, for kvmAndroid Emulator(part of SDK)

YOD

O L

ab

-5-

QEMU Generic FeaturesSupport

Self-modifying codePrecise exceptionFPU

software emulation host FPU instructions

Dynamic translation to native code => speed

YOD

O L

ab

-6-

QEMU Full System Emulation Features

Full software MMU => portability

Optionally use an in-kernel accelerator(kvm)

Various hardware devices can be emulated

SMP even on host with a single CPU

YOD

O L

ab

-7-

QEMU Emulation ExampleHost(Win7/x86) emulate Guest(Linux/arm)

x86 ISA is different from ARM’s ISA

emulate

YOD

O L

ab

-8-

Dynamic TranslationTarget CPU instruction → Host CPU instruction(runtime)

32MB

YOD

O L

ab

-9-

Translation & Execution

Main Loop: IRQ handle translation run guest

initialize the process or andjump to the host code

restore normal state andreturn to the main loop

Overhead!

YOD

O L

ab

-10-

Translation & Execution

We need emulation!Host

Emulation

Main Loop: IRQ handle translation run guest

YOD

O L

ab

-11-

Basic Block(Translated Block, TB)Block exit point:

encounter branch(modify PC)reach page boundary

000081ac<abort>: 81ac: add $sp, $sp #-24 81b0: str $fp, [$sp+#20] … 81c2: beq $lr 81c6: mov $sp, $fp … 81d0: ret $lr

Branchoccur

Block 1

Block 2

YOD

O L

ab

-12-

Block ChainingJump directly between basic blocks

YOD

O L

ab

-13-

Chaining Steps

tb_add_jump() in “cpu-exec.c”

YOD

O L

ab

-14-

CPU Execution Flow

Exceptions:asynchronous interrupts(unchain)process I/Ono more TB

Look up TBCby target PC

Translate onebasic block

Chain it toexisted block

Executetranslated

code

Exception handling

CachedN

Y

tb_gen_code()

tb_add_jump()

cpu_tb_exec()

YOD

O L

ab

-15-

Examplearm-none-eabi-gcc -c -mcpu=arm926ej-s -g foo.c foo.o -O0

YOD

O L

ab

-16-

Example r4 = dummy r5 = i

dummy++ when i < 5dummy-- when i >= 5

i count from 0 to 9

TranslationCache

TB 1

TB 1

cpu-exec

TB 2

TB 2

TB 3

TB 3

TB 4

TB 4TB 5

TB 5

YOD

O L

ab

-17-

CPU dependency(bad idea)

Target CPU Host CPUgenerate host code

Bomb!!!!!!

YOD

O L

ab

-18-

CPU independency(good idea)

-19-

Target CPU Host CPUgenerate host code

All problems in CScan be solved byanother level of

indirection

YOD

O L

ab

-19-

Tiny Code Generator(TCG)Since QEMU 0.10

Relax dependency

Steps:1. Target instruction

→ RISC-like TCG ops2. Optimizations3. TCG ops

→ host instructions

Frontend

Backend

YOD

O L

ab

-20-

TCG micro-ops

Simple instructionEx. add → TCG micro-ops

ARM

micro-ops

Convert

P.S tmp5 and tmp6 are temporary variables

YOD

O L

ab

-21-

TCG micro-ops

Complicated instructionEx. qadd → TCG micro-ops(helper)

ARM

micro-ops

Convert

P.S tmp5, tmp6 and tmp7 are temporary variables

YOD

O L

ab

-22-

TCG micro-opsTCG micro-ops

Basic functions

Temporary variablesDivide one instruction to multiple small

operations

Helper functionhandle complicated instructions

YOD

O L

ab

-23-

TCG Frontend APItcg_gen_<op>[i]_<reg_size>

<op> - operation[i] - immediate or register<reg_size> - size of register

YOD

O L

ab

-24-

TCG Frontend API

Temporary variable allocate & delete

Call helper function

YOD

O L

ab

-25-

TCG internal

Two column:op code(opc)op parameter(opparam)

OPC OPPARAM

op_add_i32 ret

arg1

arg2

OPC

OPPARAM

YOD

O L

ab

-26-

ARM micro-opsConvert

OPC OPPARAM

op_movi_i32

op_mov_i32op_add_i32

op_mov_i32

t0arg2t1

cpu_R[arg1]t1

t1t0

cpu_R[arg1]t1

YOD

O L

ab

-27-

TCG Backend

Frontend

Backend

OPC OPPARAM

op_movi_i32

op_mov_i32op_add_i32

op_mov_i32

t0arg2t1

cpu_R[arg1]t1

t1t0

cpu_R[arg1]t1

YOD

O L

ab

-28-

TCG Backendmicro-ops → host code

QEMU on x86-64

micro-ops

Host machine

Convert

YOD

O L

ab

-29-

TCG Backendx86-64 backend example

OPC OPPARAM

op_movi_i32

op_mov_i32op_add_i32

op_mov_i32

t0arg2t1

cpu_R[arg1]t1

t1t0

cpu_R[arg1]t1

YOD

O L

ab

-30-

TCG PortingPorting source tree

qemu/target-*/

cpu.h

translate.c

op_helper.c

helper.c

qemu/tcg/*/

tcg-target.c

tcg-target.h

Frontend Backend

regs and cpu status declaration

target instruction → micro-op

complicated instruction whichcan’t be modeled with micro-op

exception handling(ex. divide 0)

YOD

O L

ab

-31-

Linaro

OverviewBuild the future of Open Source Software on ARM

Does the core engineering

YOD

O L

ab

-33-

MembersCore Members Club Members

Group Members

YOD

O L

ab

-34-

Android L Developer PreviewAndroid emulator based

on QEMU

Differences to mainlineQEMUUser Interface

keypad/buttons accelerated graphics

Emulated Devices Fast IPC(qemu_pipe) GSM, GPS, sensors

Ref: http://www.linaro.org/blog/core-dump/running-64bit-android-l-qemu/

YOD

O L

ab

-35-

QEMU-Monitor

OverviewQEMU provide gdb stub

debug in running imagedisplay general purpose registers(pc, spsr)single step execution

But can not display system registerhard to debug kernel image

YOD

O L

ab

-37-

QEMU gdbserver & qemu-monitorQEMU gdbserver send gdb packet when VM_STATE change

Custom packet through IPC socket

GDB_VM_STATE_CHANGE

Send GDBPacket

Send CustomPacket

Receive CustomPacket

Print RelatedInformation

IPC Socket

QEMU

qemu-monitor

Custom Packet

YOD

O L

ab

-38-

QEMU System Registers MappingSome registers are not implemented

QEMU Variables mapping to ARM registers

Hard-coded target-arm/helper.c

Hash Key

YOD

O L

ab

-39-

Screenshot

YOD

O L

ab

-40-

THE END

YOD

O L

ab

41

QEMU & KVM

QEMUrun independently

QEMU + KVMqemu(userspace tool)kvm(hypervisor)

YOD

O L

ab

-42-