[Qemu-devel] PC traces from QEMU

[Qemu-devel] PC traces from QEMU

[Shashidhar Mysore]

[-- Attachment #1: Type: text/plain, Size: 355 bytes --]

Hi

I intend to extract program counter streams from QEMU as a program executes.
Can you please point me to the hooks that I may have to insert into the QEMU
source code in order to extract the PC values?

Also, since I'm new to QEMU, I'd appreciate if somebody can point me to some
documents which explain the internals of QEMU source.

Thanks,
-Shashi.

[-- Attachment #2: Type: text/html, Size: 396 bytes --]

[Qemu-devel] Re: PC traces from QEMU

[Antti P Miettinen]

"Shashidhar Mysore" <shashimc@gmail.com> writes:
> I intend to extract program counter streams from QEMU as a program executes.
> Can you please point me to the hooks that I may have to insert into the QEMU
> source code in order to extract the PC values?

I used to do that with qemu 0.7. I did not dig into this deep enough
to find the minimal changes but at least the following was enough:
- define DEBUG_EXEC in cpu-exec.c
- disable USE_DIRECT_JUMP in exec-all.h
- disable USE_CODE_COPY in target-i386/cpu.h
- force dc->jmp_opt to zero in target-i386/translate.c
Would be nice if enabling PC traces were possible with e.g. command
line (maybe requiring config time enable would be good too :-)

-- 
http://www.iki.fi/~ananaza/

Re: [Qemu-devel] Re: PC traces from QEMU

[Stuart Brady]

On Thu, Mar 29, 2007 at 08:29:03PM +0300, Antti P Miettinen wrote:
> "Shashidhar Mysore" <shashimc@gmail.com> writes:
> > I intend to extract program counter streams from QEMU as a program executes.
> > Can you please point me to the hooks that I may have to insert into the QEMU
> > source code in order to extract the PC values?
> 
> I used to do that with qemu 0.7. I did not dig into this deep enough
> to find the minimal changes but at least the following was enough:
[...]
> - force dc->jmp_opt to zero in target-i386/translate.c

I don't quite see where you would do this.

BTW, the approach I took was to add something like gen_op_dump_pc(s->pc)
near the top of disas_insn (in translate.c), and have op_dump_pc (in
op.c) pass the program counter (held in PARAM1) to a helper (in
helper.c) that then prints it out.  I expect that's not the best
approach, but it worked quite well for my purposes.

Cheers,
-- 
Stuart Brady

Re: [Qemu-devel] Re: PC traces from QEMU

[andrzej zaborowski]

On 29/03/07, Stuart Brady <sdbrady@ntlworld.com> wrote:
> On Thu, Mar 29, 2007 at 08:29:03PM +0300, Antti P Miettinen wrote:
> > "Shashidhar Mysore" <shashimc@gmail.com> writes:
> > > I intend to extract program counter streams from QEMU as a program executes.
> > > Can you please point me to the hooks that I may have to insert into the QEMU
> > > source code in order to extract the PC values?
> >
> > I used to do that with qemu 0.7. I did not dig into this deep enough
> > to find the minimal changes but at least the following was enough:
> [...]
> > - force dc->jmp_opt to zero in target-i386/translate.c
>
> I don't quite see where you would do this.
>
> BTW, the approach I took was to add something like gen_op_dump_pc(s->pc)
> near the top of disas_insn (in translate.c), and have op_dump_pc (in
> op.c) pass the program counter (held in PARAM1) to a helper (in
> helper.c) that then prints it out.  I expect that's not the best
> approach, but it worked quite well for my purposes.

The approach I took was call "cpu_single_step(env, 1); vm_start();
return;" in gdb_vm_stopped in gdbstub.c. Then after I connect to qemu
with gdb the first time it single steps in a loop - probably very
inefficient but works.

Just my two cents.
Andrzej

Re: [Qemu-devel] Re: PC traces from QEMU

[Shashidhar Mysore]

[-- Attachment #1: Type: text/plain, Size: 1219 bytes --]

Hi Stuart,

Thanks for the reply, but since I'm a little new to qemu, can you please
elaborate on how to insert the op_dump_pc function to extract the PC values?


Thanks,
-Shashi.

On 3/29/07, Stuart Brady <sdbrady@ntlworld.com> wrote:
>
> On Thu, Mar 29, 2007 at 08:29:03PM +0300, Antti P Miettinen wrote:
> > "Shashidhar Mysore" <shashimc@gmail.com> writes:
> > > I intend to extract program counter streams from QEMU as a program
> executes.
> > > Can you please point me to the hooks that I may have to insert into
> the QEMU
> > > source code in order to extract the PC values?
> >
> > I used to do that with qemu 0.7. I did not dig into this deep enough
> > to find the minimal changes but at least the following was enough:
> [...]
> > - force dc->jmp_opt to zero in target-i386/translate.c
>
> I don't quite see where you would do this.
>
> BTW, the approach I took was to add something like gen_op_dump_pc(s->pc)
> near the top of disas_insn (in translate.c), and have op_dump_pc (in
> op.c) pass the program counter (held in PARAM1) to a helper (in
> helper.c) that then prints it out.  I expect that's not the best
> approach, but it worked quite well for my purposes.
>
> Cheers,
> --
> Stuart Brady
>
>
>

[-- Attachment #2: Type: text/html, Size: 1654 bytes --]

Re: [Qemu-devel] Re: PC traces from QEMU

[Stuart Brady]

On Thu, Mar 29, 2007 at 06:28:14PM -0700, Shashidhar Mysore wrote:
> Hi Stuart,
> 
> Thanks for the reply, but since I'm a little new to qemu, can you please
> elaborate on how to insert the op_dump_pc function to extract the PC values?

Well, here's a patch that does it:

Index: target-i386/exec.h
===================================================================
RCS file: /sources/qemu/qemu/target-i386/exec.h,v
retrieving revision 1.31
diff -u -r1.31 exec.h
--- target-i386/exec.h	24 Sep 2006 18:40:46 -0000	1.31
+++ target-i386/exec.h	30 Mar 2007 11:02:08 -0000
@@ -146,6 +146,8 @@
 
 extern CCTable cc_table[];
 
+void helper_dump_pc(target_ulong PC);
+
 void load_seg(int seg_reg, int selector);
 void helper_ljmp_protected_T0_T1(int next_eip);
 void helper_lcall_real_T0_T1(int shift, int next_eip);
Index: target-i386/helper.c
===================================================================
RCS file: /sources/qemu/qemu/target-i386/helper.c,v
retrieving revision 1.74
diff -u -r1.74 helper.c
--- target-i386/helper.c	1 Feb 2007 22:12:19 -0000	1.74
+++ target-i386/helper.c	30 Mar 2007 11:02:09 -0000
@@ -30,6 +30,16 @@
 } while (0)
 #endif
 
+void helper_dump_pc(target_ulong pc)
+{
+    if (logfile)
+#ifdef TARGET_X86_64
+        fprintf(logfile, "PC = %016" PRIx64 "\n", pc);
+#else
+        fprintf(logfile, "PC = %08x\n", pc);
+#endif
+}
+
 const uint8_t parity_table[256] = {
     CC_P, 0, 0, CC_P, 0, CC_P, CC_P, 0,
     0, CC_P, CC_P, 0, CC_P, 0, 0, CC_P,
Index: target-i386/op.c
===================================================================
RCS file: /sources/qemu/qemu/target-i386/op.c,v
retrieving revision 1.47
diff -u -r1.47 op.c
--- target-i386/op.c	1 Feb 2007 22:11:07 -0000	1.47
+++ target-i386/op.c	30 Mar 2007 11:02:09 -0000
@@ -132,6 +132,11 @@
 
 #endif
 
+void OPPROTO op_dump_pc(void)
+{
+    helper_dump_pc(PARAM1);
+}
+
 /* operations with flags */
 
 /* update flags with T0 and T1 (add/sub case) */
Index: target-i386/translate.c
===================================================================
RCS file: /sources/qemu/qemu/target-i386/translate.c,v
retrieving revision 1.62
diff -u -r1.62 translate.c
--- target-i386/translate.c	16 Jan 2007 19:28:58 -0000	1.62
+++ target-i386/translate.c	30 Mar 2007 11:02:10 -0000
@@ -3155,6 +3155,7 @@
     int rex_w, rex_r;
 
     s->pc = pc_start;
+    gen_op_dump_pc(s->pc);
     prefixes = 0;
     aflag = s->code32;
     dflag = s->code32;

It's probably not the best way to do this, but it worked well enough for
my purposes.  (target-z80 -- where there is only one address space! :-)
-- 
Stuart Brady

Re: [Qemu-devel] Re: PC traces from QEMU

[Shashidhar Mysore]

[-- Attachment #1: Type: text/plain, Size: 3252 bytes --]

Hi Stuart,

Thanks for the patch. It works well for me, except that the log file grows
so huge and qemu slows down quite a lot. Did you have problems with this? I
was wondering if there was a way to actually begin the PC trace collection
after completely booting QEMU and also restrict it to a particular process
ID?

Just a clarification, does the log now have all retired PCs?

Thanks,
-Shashi.

On 3/30/07, Stuart Brady <sdbrady@ntlworld.com> wrote:
>
> On Thu, Mar 29, 2007 at 06:28:14PM -0700, Shashidhar Mysore wrote:
> > Hi Stuart,
> >
> > Thanks for the reply, but since I'm a little new to qemu, can you please
> > elaborate on how to insert the op_dump_pc function to extract the PC
> values?
>
> Well, here's a patch that does it:
>
> Index: target-i386/exec.h
> ===================================================================
> RCS file: /sources/qemu/qemu/target-i386/exec.h,v
> retrieving revision 1.31
> diff -u -r1.31 exec.h
> --- target-i386/exec.h  24 Sep 2006 18:40:46 -0000      1.31
> +++ target-i386/exec.h  30 Mar 2007 11:02:08 -0000
> @@ -146,6 +146,8 @@
>
> extern CCTable cc_table[];
>
> +void helper_dump_pc(target_ulong PC);
> +
> void load_seg(int seg_reg, int selector);
> void helper_ljmp_protected_T0_T1(int next_eip);
> void helper_lcall_real_T0_T1(int shift, int next_eip);
> Index: target-i386/helper.c
> ===================================================================
> RCS file: /sources/qemu/qemu/target-i386/helper.c,v
> retrieving revision 1.74
> diff -u -r1.74 helper.c
> --- target-i386/helper.c        1 Feb 2007 22:12:19 -0000       1.74
> +++ target-i386/helper.c        30 Mar 2007 11:02:09 -0000
> @@ -30,6 +30,16 @@
> } while (0)
> #endif
>
> +void helper_dump_pc(target_ulong pc)
> +{
> +    if (logfile)
> +#ifdef TARGET_X86_64
> +        fprintf(logfile, "PC = %016" PRIx64 "\n", pc);
> +#else
> +        fprintf(logfile, "PC = %08x\n", pc);
> +#endif
> +}
> +
> const uint8_t parity_table[256] = {
>      CC_P, 0, 0, CC_P, 0, CC_P, CC_P, 0,
>      0, CC_P, CC_P, 0, CC_P, 0, 0, CC_P,
> Index: target-i386/op.c
> ===================================================================
> RCS file: /sources/qemu/qemu/target-i386/op.c,v
> retrieving revision 1.47
> diff -u -r1.47 op.c
> --- target-i386/op.c    1 Feb 2007 22:11:07 -0000       1.47
> +++ target-i386/op.c    30 Mar 2007 11:02:09 -0000
> @@ -132,6 +132,11 @@
>
> #endif
>
> +void OPPROTO op_dump_pc(void)
> +{
> +    helper_dump_pc(PARAM1);
> +}
> +
> /* operations with flags */
>
> /* update flags with T0 and T1 (add/sub case) */
> Index: target-i386/translate.c
> ===================================================================
> RCS file: /sources/qemu/qemu/target-i386/translate.c,v
> retrieving revision 1.62
> diff -u -r1.62 translate.c
> --- target-i386/translate.c     16 Jan 2007 19:28:58 -0000      1.62
> +++ target-i386/translate.c     30 Mar 2007 11:02:10 -0000
> @@ -3155,6 +3155,7 @@
>      int rex_w, rex_r;
>
>      s->pc = pc_start;
> +    gen_op_dump_pc(s->pc);
>      prefixes = 0;
>      aflag = s->code32;
>      dflag = s->code32;
>
> It's probably not the best way to do this, but it worked well enough for
> my purposes.  (target-z80 -- where there is only one address space! :-)
> --
> Stuart Brady
>

[-- Attachment #2: Type: text/html, Size: 4322 bytes --]

Re: [Qemu-devel] Re: PC traces from QEMU

[Thiemo Seufer]

Shashidhar Mysore wrote:
> Hi Stuart,
> 
> Thanks for the patch. It works well for me, except that the log file grows
> so huge and qemu slows down quite a lot. Did you have problems with this? I
> was wondering if there was a way to actually begin the PC trace collection
> after completely booting QEMU and also restrict it to a particular process
> ID?

FWIW, I would appreciate a patch which makes this a command line /
monitor log option called "pc". :-)

[snip]
> >--- target-i386/helper.c        1 Feb 2007 22:12:19 -0000       1.74
> >+++ target-i386/helper.c        30 Mar 2007 11:02:09 -0000
> >@@ -30,6 +30,16 @@
> >} while (0)
> >#endif
> >
> >+void helper_dump_pc(target_ulong pc)
> >+{
> >+    if (logfile)
> >+#ifdef TARGET_X86_64
> >+        fprintf(logfile, "PC = %016" PRIx64 "\n", pc);
> >+#else
> >+        fprintf(logfile, "PC = %08x\n", pc);
> >+#endif

We have TARGET_FMT_lx for that.


Thiemo

Re: [Qemu-devel] Re: PC traces from QEMU

[Shashidhar Mysore]

[-- Attachment #1: Type: text/plain, Size: 2154 bytes --]

Hi Antti,

Thanks for the reply. Honestly, I am new to QEMU, hence I just tried
following the steps you had mentioned to extract PCs without actually
knowing what each of those mean.

As you had said,
- I defined DEBUG_EXEC in cpu-exec.c
- I disabled USE_DIRECT_JUMP in exec-all.h
- I disabled USE_CODE_COPY in target-i386/cpu.h
- I hardcoded force_dc->jmp_opt to equal zero in target-i386/translate.c
(force_dc->jmp_opt = 0;)

However, when I try to make the qemu-0.9.0 that I have, I get the following
error -

##########################################################
$ make
....
/qemu-0.9.0-trial/target-i386/translate.c
/qemu-0.9.0-trial/target-i386/translate.c: In function `gen_goto _tb':
/qemu-0.9.0-trial/target-i386/translate.c:1766: error: too many arguments to
function `gen_op_goto_tb0'
/qemu-0.9.0-trial/target-i386/translate.c:1768: error: too many arguments to
function `gen_op_goto_tb1'
make[1]: *** [translate.o] Error 1
make[1]: Leaving directory `/qemu-0.9.0-trial/i386-linux-user'
make: *** [subdir-i386-linux-user] Error 2

######################################################

Do you know if I'm doing something wrong here? Also, since qemu-0.7 doesn't
seem to be available for download from the qemu webpage, I couldn't try the
same with qemu-0.7. I appreciate your help on this.

Thanks,
-Shashi.

On 3/29/07, Antti P Miettinen <ananaza@iki.fi> wrote:
>
> "Shashidhar Mysore" <shashimc@gmail.com> writes:
> > I intend to extract program counter streams from QEMU as a program
> executes.
> > Can you please point me to the hooks that I may have to insert into the
> QEMU
> > source code in order to extract the PC values?
>
> I used to do that with qemu 0.7. I did not dig into this deep enough
> to find the minimal changes but at least the following was enough:
> - define DEBUG_EXEC in cpu-exec.c
> - disable USE_DIRECT_JUMP in exec-all.h
> - disable USE_CODE_COPY in target-i386/cpu.h
> - force dc->jmp_opt to zero in target-i386/translate.c
> Would be nice if enabling PC traces were possible with e.g. command
> line (maybe requiring config time enable would be good too :-)
>
> --
> http://www.iki.fi/~ananaza/
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 2680 bytes --]