From: Stefano Bonifazi <stefboombastic@gmail.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] classic emulator Vs QEMU-TCG
Date: Thu, 16 Dec 2010 16:20:44 +0100
Message-ID: <4D0A2E4C.6070307@gmail.com>
Hi all!
I am a student, trying to understand QEMU, specifically TCG
translation/execution.
After spending much time on the code I still have big doubts. I think my
doubts are due to the classic idea I have of an emulator.
Actually as a student, I've never developed even a simple classic
emulator myself, but in my idea it should follow this flow:
1) Fetch target instruction
   i.e. PC(0x532652) : 0x104265 (I am just inventing)
2) Decode
   Opcode 0x10 : ADD, R1: 0x42, R2: 0x65
3) Look up instruction function table:
   switch (opcode) {
   case ADD:
       add(R1, R2);
       break;
   }
4) Execution
   void add(int R1, int R2)
   { env->reg[R1] = env->reg[R1] + env->reg[R2]; }
Now all of that would be compiled offline for the host machine and at
runtime the host machine would just execute the binary host code for the
instruction "env->reg[R1] = env->reg[R1] + env->reg[R2];" (its host binary
translation).
In QEMU/TCG, thanks to the help of Mr. Blue Swirl, I understood there is
a runtime creation of host binary, starting from the loaded target binary..
My big doubt is, how can I execute that new binary? .. Shall TCG put it
in some memory location, and then make the process branch to that
address (and then back) ?
I really can't see how that happens in the code :(
In cpu-exec.c : cpu_exec_nocache I find:
> /* execute the generated code */
> next_tb = tcg_qemu_tb_exec(tb->tc_ptr);
and in cpu-exec.c : cpu_exec
> /* execute the generated code */
> next_tb = tcg_qemu_tb_exec(tc_ptr);
so I thought the tcg_qemu_tb_exec "function" should do the work of executing
the translated binary on the host.
But then I found out it is just a define in tcg.h:
> #define tcg_qemu_tb_exec(tb_ptr) ((long REGPARM (*)(void *))code_gen_prologue)(tb_ptr)
and again in exec.c
> uint8_t code_gen_prologue[1024] code_gen_section;
Maybe I have some problems with that C syntax, but I really don't
understand what happens there.. how the execution happens!
I think for all of you, who have worked for so long on QEMU and have long,
successful experience in this field, this should be very easy.. but atm I
really can't figure it out alone.. I can't find good documents
explaining it, and I can't understand it myself from the code!
Thank you very very much for any help! :)
Stefano B.