[Qemu-devel] When the tlb_fill will be called from generated code?

[Qemu-devel] When the tlb_fill will be called from generated code?

[陳韋任]

Hi, all

  The comment above tlb_fill says:

    /* try to fill the TLB and return an exception if error. If retaddr is
       NULL, it means that the function was called in C code (i.e. not
       from generated code or from helper.c) */

I see tlb_fill only be called from softmmu_template.h (i.e., C code). I
am wondering when/where the tlb_fill is called from generated code (code
cache) or from helper.c.

  Thanks!

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 689 bytes --]

On 2011-09-27 06:15, 陳韋任 wrote:
> Hi, all
> 
>   The comment above tlb_fill says:
> 
>     /* try to fill the TLB and return an exception if error. If retaddr is
>        NULL, it means that the function was called in C code (i.e. not
>        from generated code or from helper.c) */
> 
> I see tlb_fill only be called from softmmu_template.h (i.e., C code). I
> am wondering when/where the tlb_fill is called from generated code (code
> cache) or from helper.c.
> 

You can find the answer yourself: Load qemu into gdb, set a breakpoint
on that function and let it run. If you want to catch only the retaddr
== NULL case, make the breakpoint conditional.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[陳韋任]

Hi, Jan

> You can find the answer yourself: Load qemu into gdb, set a breakpoint
> on that function and let it run. If you want to catch only the retaddr
> == NULL case, make the breakpoint conditional.

  Thanks for your tip. I see when retaddr != NULL, then the calling
sequence of tlb_fill might be something like (take i386 guest for
example):

  - __stl_mmu/__ldl_mmu -> tlb_fill

  - helper_ljmp_protected -> load_segment -> ldl_kernel -> __ldl_mmu

I am not sure when/where __stl_mmu/__ldl_mmu are used. I do set
breakpoint on __stl_mmu/__ldl_mmu, but the backtrace can only show
something like,

#0  __stl_mmu (addr=196608, val=0, mmu_idx=0) at /tmp/chenwj/temp/qemu-0.13.0/softmmu_template.h:228
#1  0x00000000400028e1 in ?? ()
#2  0x00000000000000b4 in ?? ()
#3  0xecc68ff412fa4137 in ?? ()
#4  0x0000000000000000 in ?? ()

When retaddr == NULL, then the calling sequence of tlb_fill is,

  tb_find_slow -> get_page_addr_code -> ldub_code -> __ldb_cmmu

I can only guest the b in __ldb_cmmu means load byte, but I can't
figure out what's the difference between _cmmu and _mmu. Could you
give me some hint? Thanks!


Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[Max Filippov]

> I am not sure when/where __stl_mmu/__ldl_mmu are used. I do set

They are called from the places in TBs where
tcg_gen_qemu_{ld,st}{8,16,32,64}{u,s} were injected.

> breakpoint on __stl_mmu/__ldl_mmu, but the backtrace can only show
> something like,
>
> #0  __stl_mmu (addr=196608, val=0, mmu_idx=0) at /tmp/chenwj/temp/qemu-0.13.0/softmmu_template.h:228
> #1  0x00000000400028e1 in ?? ()
> #2  0x00000000000000b4 in ?? ()
> #3  0xecc68ff412fa4137 in ?? ()
> #4  0x0000000000000000 in ?? ()
>
> When retaddr == NULL, then the calling sequence of tlb_fill is,
>
>  tb_find_slow -> get_page_addr_code -> ldub_code -> __ldb_cmmu
>
> I can only guest the b in __ldb_cmmu means load byte, but I can't
> figure out what's the difference between _cmmu and _mmu. Could you
> give me some hint? Thanks!

_cmmu is used to access code, _mmu is for data.

-- 
Thanks.
-- Max

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[陳韋任]

> > I am not sure when/where __stl_mmu/__ldl_mmu are used. I do set
> 
> They are called from the places in TBs where
> tcg_gen_qemu_{ld,st}{8,16,32,64}{u,s} were injected.

  So you mean __stl_mmu/__ldl_mmu are called from the code cache.
 
> > breakpoint on __stl_mmu/__ldl_mmu, but the backtrace can only show
> > something like,
> >
> > #0 鍮_stl_mmu (addr=196608, val=0, mmu_idx=0) at /tmp/chenwj/temp/qemu-0.13.0/softmmu_template.h:228
> > #1 ?0x00000000400028e1 in ?? ()
> > #2 ?0x00000000000000b4 in ?? ()
> > #3 ?0xecc68ff412fa4137 in ?? ()
> > #4 ?0x0000000000000000 in ?? ()

  Does those ?? mean since we are in the code cache, so GDB cannot
show their backtarce?

> > When retaddr == NULL, then the calling sequence of tlb_fill is,
> >
> > 慯b_find_slow -> get_page_addr_code -> ldub_code -> __ldb_cmmu
> >
> > I can only guest the b in __ldb_cmmu means load byte, but I can't
> > figure out what's the difference between _cmmu and _mmu. Could you
> > give me some hint? Thanks!
> 
> _cmmu is used to access code, _mmu is for data.

  I see. Thanks, and I find building QEMU with --extra-cflags="-save-temps"
is really help. Those *.i files make things much clear.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[Max Filippov]

> > They are called from the places in TBs where
> > tcg_gen_qemu_{ld,st}{8,16,32,64}{u,s} were injected.
> 
>   So you mean __stl_mmu/__ldl_mmu are called from the code cache.
>  
> > > breakpoint on __stl_mmu/__ldl_mmu, but the backtrace can only show
> > > something like,
> > >
> > > #0 鍮_stl_mmu (addr=196608, val=0, mmu_idx=0) at /tmp/chenwj/temp/qemu-0.13.0/softmmu_template.h:228
> > > #1 ?0x00000000400028e1 in ?? ()
> > > #2 ?0x00000000000000b4 in ?? ()
> > > #3 ?0xecc68ff412fa4137 in ?? ()
> > > #4 ?0x0000000000000000 in ?? ()
> 
>   Does those ?? mean since we are in the code cache, so GDB cannot
> show their backtarce?

Yes, at least for the frame #1. Addresses in frames #2-#4 don't look right, probably because #1 does not have a stack frame.

Thanks.
-- Max

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[Mulyadi Santosa]

Hi :)

2011/9/28 陳韋任 <chenwj@iis.sinica.edu.tw>:
>  I see. Thanks, and I find building QEMU with --extra-cflags="-save-temps"
> is really help. Those *.i files make things much clear.

glad that my -save-temps suggestion helps other ;)


-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[陳韋任]

> glad that my -save-temps suggestion helps other ;)

  Indeed. Thanks again, Mulyadi.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[Blue Swirl]

On Tue, Sep 27, 2011 at 11:02 AM, 陳韋任 <chenwj@iis.sinica.edu.tw> wrote:
> Hi, Jan
>
>> You can find the answer yourself: Load qemu into gdb, set a breakpoint
>> on that function and let it run. If you want to catch only the retaddr
>> == NULL case, make the breakpoint conditional.
>
>  Thanks for your tip. I see when retaddr != NULL, then the calling
> sequence of tlb_fill might be something like (take i386 guest for
> example):
>
>  - __stl_mmu/__ldl_mmu -> tlb_fill
>
>  - helper_ljmp_protected -> load_segment -> ldl_kernel -> __ldl_mmu
>
> I am not sure when/where __stl_mmu/__ldl_mmu are used. I do set
> breakpoint on __stl_mmu/__ldl_mmu, but the backtrace can only show
> something like,
>
> #0  __stl_mmu (addr=196608, val=0, mmu_idx=0) at /tmp/chenwj/temp/qemu-0.13.0/softmmu_template.h:228
> #1  0x00000000400028e1 in ?? ()
> #2  0x00000000000000b4 in ?? ()
> #3  0xecc68ff412fa4137 in ?? ()
> #4  0x0000000000000000 in ?? ()
>
> When retaddr == NULL, then the calling sequence of tlb_fill is,
>
>  tb_find_slow -> get_page_addr_code -> ldub_code -> __ldb_cmmu
>
> I can only guest the b in __ldb_cmmu means load byte, but I can't
> figure out what's the difference between _cmmu and _mmu. Could you
> give me some hint? Thanks!

End of exec.c instantiates the code load functions (ld*_code), there
GETPC is defined as NULL. Otherwise GETPC works as usual, so it will
not return NULL.

The memory access templates are a bit confusing. Op helpers use
softmmu_exec.h to instantiate {ld,st}*_{kernel,user,etc} functions.
TCG needs __{ld,st}* helpers for qemu_{ld,st}* TLB miss case, these
are generated by softmmu_template.h. I'll soon apply a patch which
adds comments to the files.

Re: [Qemu-devel] When the tlb_fill will be called from generated code?

[陳韋任]

> End of exec.c instantiates the code load functions (ld*_code), there
> GETPC is defined as NULL. Otherwise GETPC works as usual, so it will
> not return NULL.
> 
> The memory access templates are a bit confusing. Op helpers use
> softmmu_exec.h to instantiate {ld,st}*_{kernel,user,etc} functions.
> TCG needs __{ld,st}* helpers for qemu_{ld,st}* TLB miss case, these
> are generated by softmmu_template.h. I'll soon apply a patch which
> adds comments to the files.

  Thanks. I am very appreciate it. :-)

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667