[Qemu-devel] Monitor Memory Accesses

[Qemu-devel] Monitor Memory Accesses

[Andrea Pellegrini]

Hi all,
I want to track all the memory accesses performed in a program 
execution. Right now I'm working on an amd64 machine with target x86_64 
but eventually I would like to do the same for other architectures (at 
least ARM and PPC). With few changes I was able to print out the address 
of the instructions that the processor executes (well at least the first 
address of the basic block) and now I was looking for a way to record 
all memory loads and stores. I believe I have to change some code in the 
file translate.c and I was wondering if anybody can give me a quick help 
about which part of code I should change. It would be great if I could 
call a function right before every time a load or store is executed.
Thank you very much!
~Andrea

Re: [Qemu-devel] Monitor Memory Accesses

[Laurent Desnogues]

On Wed, Feb 18, 2009 at 1:48 PM, Andrea Pellegrini
<andrea.pellegrini@gmail.com> wrote:
> I want to track all the memory accesses performed in a program execution.
> Right now I'm working on an amd64 machine with target x86_64 but eventually
> I would like to do the same for other architectures (at least ARM and PPC).
> With few changes I was able to print out the address of the instructions
> that the processor executes (well at least the first address of the basic
> block)

I guess you're doing that by calling a helper.  If you don't, that
won't work :-)

> and now I was looking for a way to record all memory loads and
> stores. I believe I have to change some code in the file translate.c and I
> was wondering if anybody can give me a quick help about which part of code I
> should change. It would be great if I could call a function right before
> every time a load or store is executed.

You should look for parts of translate.c that generate target loads
and stores;  basically look for calls to tcg_gen_qemu_ld* and
tcg_gen_qemu_st*.


Laurent

Re: [Qemu-devel] Monitor Memory Accesses

[Andrea Pellegrini]

Thanks for the quick reply!

I obtain the instruction addresses through the function
static TranslationBlock *tb_find_slow(target_ulong pc,
                                      target_ulong cs_base,
                                      uint64_t flags)

......
// Andrea, let's check the pc
    printf("PC: 0x%x\n", pc);
....

in cpu_exec.c. So far it worked but maybe there is a better way to do 
it. Where can I find more informations about the "helper"?
I'm just starting working with Qemu so I'm still not 100% sure about 
what is going on.  :-P

I searched in target-i386/translate.c for
tcg_gen_qemu_ld
or
tcg_gen_qemu_lst
and nothing pops up. Am I looking at the right thing?
Thanks
~Andrea


Laurent Desnogues wrote:
> On Wed, Feb 18, 2009 at 1:48 PM, Andrea Pellegrini
> <andrea.pellegrini@gmail.com> wrote:
>   
>> I want to track all the memory accesses performed in a program execution.
>> Right now I'm working on an amd64 machine with target x86_64 but eventually
>> I would like to do the same for other architectures (at least ARM and PPC).
>> With few changes I was able to print out the address of the instructions
>> that the processor executes (well at least the first address of the basic
>> block)
>>     
>
> I guess you're doing that by calling a helper.  If you don't, that
> won't work :-)
>
>   
>> and now I was looking for a way to record all memory loads and
>> stores. I believe I have to change some code in the file translate.c and I
>> was wondering if anybody can give me a quick help about which part of code I
>> should change. It would be great if I could call a function right before
>> every time a load or store is executed.
>>     
>
> You should look for parts of translate.c that generate target loads
> and stores;  basically look for calls to tcg_gen_qemu_ld* and
> tcg_gen_qemu_st*.
>
>
> Laurent
>
>
>
>   

Re: [Qemu-devel] Monitor Memory Accesses

[Laurent Desnogues]

On Wed, Feb 18, 2009 at 2:17 PM, Andrea Pellegrini
<andrea.pellegrini@gmail.com> wrote:
> Thanks for the quick reply!
>
> I obtain the instruction addresses through the function
> static TranslationBlock *tb_find_slow(target_ulong pc,
>                                     target_ulong cs_base,
>                                     uint64_t flags)
>
> ......
> // Andrea, let's check the pc
>   printf("PC: 0x%x\n", pc);
> ....
>
> in cpu_exec.c. So far it worked but maybe there is a better way to do it.

No, it doesn't work.  Try to track the PC of a loop and you'll see
what I mean.

You should start by learning what is run-time code generation ;)

> Where can I find more informations about the "helper"?
> I'm just starting working with Qemu so I'm still not 100% sure about what is
> going on.  :-P

The documentation is the source.  It's not easy to enter, but once
you've understood the basic inner-workings, doing what you're
after should not be very difficult.

> I searched in target-i386/translate.c for
> tcg_gen_qemu_ld
> or
> tcg_gen_qemu_lst
> and nothing pops up. Am I looking at the right thing?

I talked about tcg_gen_qemu_ld*.

Just to make it clear, I am talking of svn version of qemu.  If you're
using 0.9.1 then it's a completely different story, and I invite you to
take a look at Vince Weaver's work:

http://www.csl.cornell.edu/~vince/projects/qemusim/
http://www.csl.cornell.edu/~vince/projects/qemu-trace/


Laurent

Re: [Qemu-devel] Monitor Memory Accesses

[Andrea Pellegrini]

Thanks Laurent,
I slightly modified the code from Vince and it worked great for my 
purpose (at least to monitor the PC).
Just a quick question:
In the file linux-user/mmap.c, which is the difference between the two 
following lines? Does the first one provide the virtual address while 
the second one is already translated in the real address?

        p = mmap(g2h(mmap_start),
                 host_len, prot, flags | MAP_FIXED, fd, host_offset);

        p = mmap(real_start ? g2h(real_start) : NULL,
                 host_len, prot, flags, fd, host_offset);

I'm just starting to work on tracking the load/store. :-)

~Andrea

Laurent Desnogues wrote:
> On Wed, Feb 18, 2009 at 2:17 PM, Andrea Pellegrini
> <andrea.pellegrini@gmail.com> wrote:
>   
>> Thanks for the quick reply!
>>
>> I obtain the instruction addresses through the function
>> static TranslationBlock *tb_find_slow(target_ulong pc,
>>                                     target_ulong cs_base,
>>                                     uint64_t flags)
>>
>> ......
>> // Andrea, let's check the pc
>>   printf("PC: 0x%x\n", pc);
>> ....
>>
>> in cpu_exec.c. So far it worked but maybe there is a better way to do it.
>>     
>
> No, it doesn't work.  Try to track the PC of a loop and you'll see
> what I mean.
>
> You should start by learning what is run-time code generation ;)
>
>   
>> Where can I find more informations about the "helper"?
>> I'm just starting working with Qemu so I'm still not 100% sure about what is
>> going on.  :-P
>>     
>
> The documentation is the source.  It's not easy to enter, but once
> you've understood the basic inner-workings, doing what you're
> after should not be very difficult.
>
>   
>> I searched in target-i386/translate.c for
>> tcg_gen_qemu_ld
>> or
>> tcg_gen_qemu_lst
>> and nothing pops up. Am I looking at the right thing?
>>     
>
> I talked about tcg_gen_qemu_ld*.
>
> Just to make it clear, I am talking of svn version of qemu.  If you're
> using 0.9.1 then it's a completely different story, and I invite you to
> take a look at Vince Weaver's work:
>
> http://www.csl.cornell.edu/~vince/projects/qemusim/
> http://www.csl.cornell.edu/~vince/projects/qemu-trace/
>
>
> Laurent
>
>
>
>   

Re: [Qemu-devel] Monitor Memory Accesses

[Laurent Desnogues]

On Wed, Feb 18, 2009 at 4:40 PM, Andrea Pellegrini
<andrea.pellegrini@gmail.com> wrote:
> In the file linux-user/mmap.c, which is the difference between the two
> following lines? Does the first one provide the virtual address while the
> second one is already translated in the real address?
>
>       p = mmap(g2h(mmap_start),
>                host_len, prot, flags | MAP_FIXED, fd, host_offset);
>
>       p = mmap(real_start ? g2h(real_start) : NULL,
>                host_len, prot, flags, fd, host_offset);
>
> I'm just starting to work on tracking the load/store. :-)

I don't think you have to care about that.  You want to print the
addresses your guest accesses (which are virtual since you're
running linux user mode, IIUC).

As I don't know anything about 0.9.1, all I can recommend is
again to look at what Vincent did;  in particular this:

http://www.csl.cornell.edu/~vince/projects/qemu-trace/qemu-mips-dinero.patch


Laurent

Re: [Qemu-devel] Monitor Memory Accesses

[Vince Weaver]

Hello

> As I don't know anything about 0.9.1, all I can recommend is
> again to look at what Vincent did;  in particular this:
>
> http://www.csl.cornell.edu/~vince/projects/qemu-trace/qemu-mips-dinero.patch

I actually have updated code that works against the SVN codebase and TCG. 
I just haven't had a chance to clean it up and post it.  I'll see if I can 
find time in the near future.

Vince

Re: [Qemu-devel] Monitor Memory Accesses

[Andrea Pellegrini]

Hi Vince,
nice to talk to you again. I figured that we are trying to do basically 
the same thing. 
Are you able to use the traces from Qemu with Dinero? If so, in case of 
cache miss, can you stall the execution of Qemu for some cycles?
Thanks,
~Andrea

Vince Weaver wrote:
> Hello
>
>> As I don't know anything about 0.9.1, all I can recommend is
>> again to look at what Vincent did;  in particular this:
>>
>> http://www.csl.cornell.edu/~vince/projects/qemu-trace/qemu-mips-dinero.patch 
>>
>
> I actually have updated code that works against the SVN codebase and 
> TCG. I just haven't had a chance to clean it up and post it.  I'll see 
> if I can find time in the near future.
>
> Vince
>
>
>

Re: [Qemu-devel] Monitor Memory Accesses

[Vince Weaver]

On Wed, 18 Feb 2009, Andrea Pellegrini wrote:
> nice to talk to you again. I figured that we are trying to do basically the 
> same thing. Are you able to use the traces from Qemu with Dinero? If so, in 
> case of cache miss, can you stall the execution of Qemu for some cycles?

You can use Qemu to generate traces for Dinero, patches for that were 
previously mentioned in this thread.

Stalling is meaningless though... Qemu is not cycle-accurate.

If you really want cycle accurate values, you're going to have to feed the 
traces from Qemu into a timing simulator.  It might be possible to create 
a simple mips timing simulator that hooks into Qemu (see my wddd 2008 
paper) but that would involve significant hacking that's not really 
related to Qemu development.

Vince

Re: [Qemu-devel] Monitor Memory Accesses

[Andrea Pellegrini]

I agree.
I only need a basic timing simulation, I can start simply with CPI=1,
issue one instruction per clock, assume a perfect branch predictor and
calling good for right now.
Thanks for the link to the code, I'll take a look at your patch in the
afternoon,
~Andrea

Vince Weaver wrote:
> On Wed, 18 Feb 2009, Andrea Pellegrini wrote:
>> nice to talk to you again. I figured that we are trying to do 
>> basically the same thing. Are you able to use the traces from Qemu 
>> with Dinero? If so, in case of cache miss, can you stall the 
>> execution of Qemu for some cycles?
>
> You can use Qemu to generate traces for Dinero, patches for that were 
> previously mentioned in this thread.
>
> Stalling is meaningless though... Qemu is not cycle-accurate.
>
> If you really want cycle accurate values, you're going to have to feed 
> the traces from Qemu into a timing simulator.  It might be possible to 
> create a simple mips timing simulator that hooks into Qemu (see my 
> wddd 2008 paper) but that would involve significant hacking that's not 
> really related to Qemu development.
>
> Vince
>
>
>
>
>
>