From: "Lluís Vilanova" <vilanova@ac.upc.edu>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: "Emilio G. Cota" <cota@braap.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Stefan Hajnoczi <stefanha@redhat.com>,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v6 01/22] instrument: Add documentation
Date: Mon, 25 Sep 2017 21:03:39 +0300 [thread overview]
Message-ID: <87o9pywt8k.fsf@frigg.lan> (raw)
In-Reply-To: <CAFEAcA9FhXKVKe1E_pVDWX3u0W7WuKQmO54Z1Jgj-iL980yPew@mail.gmail.com> (Peter Maydell's message of "Mon, 18 Sep 2017 18:42:55 +0100")
First, sorry for the late response; I was away for a few days.
Peter Maydell writes:
> On 18 September 2017 at 18:09, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>> Peter Maydell writes:
>>> It's also exposing internal QEMU implementation detail.
>>> What if in future we decide to switch from our current
>>> setup to always interpreting guest instructions as a
>>> first pass with JITting done only in the background for
>>> hot code?
>>
>> TCI still has a separation of translation-time (translate.c) and execution-time
>> (interpreting the TCG opcodes), and I don't think that's gonna go away anytime
>> soon.
> I didn't mean TCI, which is nothing like what you'd use for
> this if you did it (TCI is slower than just JITting.)
My point is that even on the cold path you need to decode a guest instruction
(equivalent to translating) and emulate it on the spot (equivalent to
executing).
>> Even if it did, I think there still will be a translation/execution separation
>> easy enough to hook into (even if it's a "fake" one for the cold-path
>> interpreted instructions).
> But what would it mean? You don't have basic blocks any more.
Every instruction emulated on the spot can be seen as a newly translated block
(of one instruction only), which is executed immediately after.
>>> Sticking to instrumentation events that correspond exactly to guest
>>> execution events means they won't break or expose internals.
>>
>> It also means we won't be able to "conditionally" instrument instructions (e.g.,
>> based on their opcode, address range, etc.).
> You can still do that, it's just less efficient (your
> condition-check happens in the callout to the instrumentation
> plugin). We can add "filter" options later if we need them
> (which I would rather do than have translate-time callbacks).
Before answering, a short summary of when knowing about translate/execute makes
a difference:
* Record some information only once when an instruction is translated, instead
of recording it on every executed instruction (e.g., a study of opcode
distribution, which you can get from a file of per-TB opcodes - generated at
translation time - and a list of executed TBs - generated at execution time
-). The translate/execute separation makes this run faster *and* produces much
smaller files with the recorded info.
Other typical examples that benefit from this are writing a simulator that
feeds off a stream of instruction information (a common reason why people want
to trace memory accesses and information of executed instructions).
* Conditionally instrumenting instructions.
Adding filtering to the instrumentation API would only solve the second point,
but not the first one.
Now, do we need/want to support the first point?
>> Of course we can add the translation/execution differentiation later if we find
>> it necessary for performance, but I would rather avoid leaving "historical"
>> instrumentation points behind on the API.
>>
>> What are the use-cases you're aiming for?
> * I want to be able to point the small stream of people who come
> into qemu-devel asking "how do I trace all my guest's memory
> accesses" at a clean API for it.
> * I want to be able to have less ugly and confusing tracing
> than our current -d output (and perhaps emit tracing in formats
> that other analysis tools want as input)
> * I want to keep this initial tracing API simple enough that
> we can agree on it and get a first working useful version.
Fair enough.
I know it's not exactly the same we're discussing, but the plot in [1] compares
a few different ways to trace memory accesses on SPEC benchmarks:
* First bar is using a Intel's tool called PIN [2].
* Second is calling into an instrumentation function on every executed memory
access in QEMU.
* Third is embedding the hot path of writing the memory access info to an array
into the TCG opcode stream (more or less equivalent to supporting filtering;
when the array is full, a user's callback is called - cold path -)
* Fourth bar can be ignored.
This was working on a much older version of instrumentation for QEMU, but I can
implement something that does the first use-case point above and some filtering
example (second use-case point) to see what's the performance difference.
[1] https://filetea.me/n3wy9WwyCCZR72E9OWXHArHDw
[2] https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
Thanks!
Lluis
next prev parent reply other threads:[~2017-09-25 18:04 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-13 9:53 [Qemu-devel] [PATCH v6 00/22] instrument: Add basic event instrumentation Lluís Vilanova
2017-09-13 9:57 ` [Qemu-devel] [PATCH v6 01/22] instrument: Add documentation Lluís Vilanova
2017-09-14 14:41 ` Peter Maydell
2017-09-15 13:39 ` Lluís Vilanova
2017-09-18 14:41 ` Peter Maydell
2017-09-18 17:09 ` Lluís Vilanova
2017-09-18 17:42 ` Peter Maydell
2017-09-19 13:50 ` Emilio G. Cota
2017-09-25 18:03 ` Lluís Vilanova [this message]
2017-09-25 19:42 ` Emilio G. Cota
2017-09-26 16:49 ` Lluís Vilanova
2017-09-29 13:16 ` Lluís Vilanova
2017-09-29 17:59 ` Emilio G. Cota
2017-09-29 21:46 ` Lluís Vilanova
2017-09-30 18:09 ` Emilio G. Cota
2017-10-04 23:28 ` Lluís Vilanova
2017-10-05 0:50 ` Emilio G. Cota
2017-10-06 15:07 ` Lluís Vilanova
2017-10-06 17:59 ` Emilio G. Cota
2017-10-15 16:30 ` Lluís Vilanova
2017-10-15 16:47 ` Peter Maydell
2017-10-21 14:05 ` Lluís Vilanova
2017-10-21 16:56 ` Peter Maydell
2017-10-21 17:12 ` Alex Bennée
2017-09-19 13:09 ` Peter Maydell
2017-09-18 14:33 ` Stefan Hajnoczi
2017-09-18 14:40 ` Stefan Hajnoczi
2017-09-13 10:01 ` [Qemu-devel] [PATCH v6 02/22] instrument: Add configure-time flag Lluís Vilanova
2017-09-13 10:05 ` [Qemu-devel] [PATCH v6 03/22] instrument: Add generic library loader Lluís Vilanova
2017-09-18 14:34 ` Stefan Hajnoczi
2017-09-13 10:09 ` [Qemu-devel] [PATCH v6 04/22] instrument: [linux-user] Add command line " Lluís Vilanova
2017-09-13 10:13 ` [Qemu-devel] [PATCH v6 05/22] instrument: [bsd-user] " Lluís Vilanova
2017-09-13 10:17 ` [Qemu-devel] [PATCH v6 06/22] instrument: [softmmu] " Lluís Vilanova
2017-09-13 10:21 ` [Qemu-devel] [PATCH v6 07/22] instrument: [qapi] Add " Lluís Vilanova
2017-09-13 10:25 ` [Qemu-devel] [PATCH v6 08/22] instrument: [hmp] " Lluís Vilanova
2017-09-13 10:30 ` [Qemu-devel] [PATCH v6 09/22] instrument: Add basic control interface Lluís Vilanova
2017-09-13 10:34 ` [Qemu-devel] [PATCH v6 10/22] instrument: Add support for tracing events Lluís Vilanova
2017-09-13 10:38 ` [Qemu-devel] [PATCH v6 11/22] instrument: Track vCPUs Lluís Vilanova
2017-09-13 10:42 ` [Qemu-devel] [PATCH v6 12/22] instrument: Add event 'guest_cpu_enter' Lluís Vilanova
2017-09-13 10:46 ` [Qemu-devel] [PATCH v6 13/22] instrument: Support synchronous modification of vCPU state Lluís Vilanova
2017-09-13 10:50 ` [Qemu-devel] [PATCH v6 14/22] exec: Add function to synchronously flush TB on a stopped vCPU Lluís Vilanova
2017-09-13 10:54 ` [Qemu-devel] [PATCH v6 15/22] instrument: Add event 'guest_cpu_exit' Lluís Vilanova
2017-09-13 10:58 ` [Qemu-devel] [PATCH v6 16/22] instrument: Add event 'guest_cpu_reset' Lluís Vilanova
2017-09-13 11:02 ` [Qemu-devel] [PATCH v6 17/22] trace: Introduce a proper structure to describe memory accesses Lluís Vilanova
2017-09-13 11:06 ` [Qemu-devel] [PATCH v6 18/22] instrument: Add event 'guest_mem_before_trans' Lluís Vilanova
2017-09-13 11:10 ` [Qemu-devel] [PATCH v6 19/22] instrument: Add event 'guest_mem_before_exec' Lluís Vilanova
2017-09-13 11:14 ` [Qemu-devel] [PATCH v6 20/22] instrument: Add event 'guest_user_syscall' Lluís Vilanova
2017-09-13 11:18 ` [Qemu-devel] [PATCH v6 21/22] instrument: Add event 'guest_user_syscall_ret' Lluís Vilanova
2017-09-13 11:22 ` [Qemu-devel] [PATCH v6 22/22] instrument: Add API to manipulate guest memory Lluís Vilanova
2017-09-13 11:42 ` [Qemu-devel] [PATCH v6 00/22] instrument: Add basic event instrumentation no-reply
2017-09-22 22:48 ` Emilio G. Cota
2017-09-25 18:07 ` Lluís Vilanova
2017-09-25 18:55 ` Emilio G. Cota
2017-09-26 8:17 ` Lluís Vilanova
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o9pywt8k.fsf@frigg.lan \
--to=vilanova@ac.upc.edu \
--cc=armbru@redhat.com \
--cc=cota@braap.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.