From: Clemens Kolbitsch
Date: Fri, 5 Feb 2010 16:01:21 +0100
Message-Id: <201002051601.21927.ck@iseclab.org>
Subject: [Qemu-devel] TB monitoring
To: qemu-devel@nongnu.org

Guys,

I need a Qemu-internals expert to help me out here:

I'm trying to monitor execution of certain (user-land) TBs in an i386-softmmu system. For this, the cpu-main loop has been patched: before jumping into a TB's generated code, I first check its guest-virtual start address to see whether it matches any of my monitored EIPs. Obviously, this only works for monitoring function starts (or other locations where a new TB is guaranteed to start) and with TB-chaining turned off. So far, this has been working great (for years even).

Now I tried to improve the performance of my monitoring system by doing the following: each TB is associated with an additional 2 bits (in the "cflags"): "seen-before" and "monitored". Whenever I check a TB, I also set its seen-before flag and update the monitored bit (if the TB contains a monitored start EIP). Since a TB might be shared between two guest processes (the system is monitoring a Windows XP guest), I also save a guest-process unique ID with the TB (using some bits from its CR3). With this, I can skip checking a TB if its seen-before bit is set but the monitored bit is clear. If the TB's guest-process ID is different from the currently executing process ID, I just reset the seen-before bit (which forces the EIP analysis).

I have tried this on various programs running inside my guest and it seems to be fast and working (almost ;-)). However, sometimes (*very* rarely), the above approach misses a monitored TB (skips analysis).

Could someone comment on my approach, maybe including some of the following thoughts:

1) is it possible that a TB grows ... i.e., it merges with a second TB where the second is monitored but the first one isn't?

2) are there any situations where a TB can be created without going through tb_alloc (which internally resets the cflags and thus my bits)?

Note that my code is based on Qemu 0.9.1 (if you wonder why I refer to certain old-style Qemu-internals).

Any help would be greatly appreciated!! If you need some more information or don't fully understand the problem, please don't hesitate to ask.

Thanks!!
Clemens
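A small C model of the fast-path check described in the post, added here as an illustration; it is neither QEMU code nor the poster's patch. The `ModelTB` struct, the two cflags bit positions and the monitored EIPs are assumed or constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed bit positions for the two extra flags (placeholders, not QEMU's). */
#define CF_SEEN_BEFORE  (1u << 16)
#define CF_MONITORED    (1u << 17)

/* Minimal stand-in for a translation block: only the fields the check uses. */
typedef struct {
    uint32_t pc;        /* guest-virtual start EIP of the TB */
    uint32_t cflags;    /* seen-before / monitored bits live here */
    uint32_t proc_id;   /* process-unique ID derived from the guest CR3 */
} ModelTB;

/* Constructed sample of monitored function-start EIPs. */
static const uint32_t monitored_eips[] = { 0x00401000u, 0x00401230u };

static bool eip_is_monitored(uint32_t pc) {
    for (size_t i = 0; i < sizeof monitored_eips / sizeof *monitored_eips; i++)
        if (monitored_eips[i] == pc) return true;
    return false;
}

/* Slow path: run the EIP analysis and cache its verdict in the TB. */
static bool analyse_tb(ModelTB *tb, uint32_t cur_proc) {
    bool hit = eip_is_monitored(tb->pc);
    tb->cflags = (tb->cflags & ~CF_MONITORED) | CF_SEEN_BEFORE
               | (hit ? CF_MONITORED : 0u);
    tb->proc_id = cur_proc;
    return hit;
}

/* Fast path run before jumping into a TB's generated code. Returns true when
 * the TB is a monitored one; *analysed reports whether the slow path ran, so a
 * caller can count cache hits and spot TBs that were skipped. */
bool should_report(ModelTB *tb, uint32_t cur_proc, bool *analysed) {
    if (tb->proc_id != cur_proc)          /* TB shared with another process: */
        tb->cflags &= ~CF_SEEN_BEFORE;    /* force the EIP analysis again    */
    if ((tb->cflags & CF_SEEN_BEFORE) && !(tb->cflags & CF_MONITORED)) {
        *analysed = false;                /* cached negative verdict, skip   */
        return false;
    }
    *analysed = true;
    return analyse_tb(tb, cur_proc);
}
```

A freshly allocated TB (cflags and proc_id zero) always takes the slow path, which is the invariant the post's question 2 depends on.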