Index: qemu-tech.texi =================================================================== RCS file: /sources/qemu/qemu/qemu-tech.texi,v retrieving revision 1.8 diff -u -b -B -u -r1.8 qemu-tech.texi --- qemu-tech.texi 23 Jul 2005 14:27:54 -0000 1.8 +++ qemu-tech.texi 30 Apr 2006 20:38:23 -0000 @@ -1,7 +1,12 @@ \input texinfo @c -*- texinfo -*- +@c %**start of header +@setfilename qemu-tech.info +@settitle QEMU Internals +@exampleindent 0 +@paragraphindent 0 +@c %**end of header @iftex -@settitle QEMU Internals @titlepage @sp 7 @center @titlefont{QEMU Internals} @@ -9,8 +14,32 @@ @end titlepage @end iftex +@ifnottex +@node Top +@top + +@menu +* Introduction:: +* QEMU Internals:: +* Regression Tests:: +* Index:: +@end menu +@end ifnottex + +@contents + +@node Introduction @chapter Introduction +@menu +* intro_features:: Features +* intro_x86_emulation:: x86 emulation +* intro_arm_emulation:: ARM emulation +* intro_ppc_emulation:: PowerPC emulation +* intro_sparc_emulation:: SPARC emulation +@end menu + +@node intro_features @section Features QEMU is a FAST! processor emulator using a portable dynamic @@ -43,7 +72,7 @@ @item User space only or full system emulation. -@item Using dynamic translation to native code for reasonnable speed. +@item Using dynamic translation to native code for reasonable speed. @item Working on x86 and PowerPC hosts. Being tested on ARM, Sparc32, Alpha and S390. @@ -65,13 +94,13 @@ @item Accurate signal handling by remapping host signals to target signals. @end itemize -@end itemize QEMU full system emulation features: @itemize @item QEMU can either use a full software MMU for maximum portability or use the host system call mmap() to simulate the target MMU. @end itemize +@node intro_x86_emulation @section x86 emulation QEMU x86 target features: @@ -110,6 +139,7 @@ @end itemize +@node intro_arm_emulation @section ARM emulation @itemize @@ -122,6 +152,7 @@ @end itemize +@node intro_ppc_emulation @section PowerPC emulation @itemize @@ -133,6 +164,7 @@ @end itemize +@node intro_sparc_emulation @section SPARC emulation @itemize @@ -166,8 +198,26 @@ @end itemize +@node QEMU Internals @chapter QEMU Internals +@menu +* QEMU compared to other emulators:: +* Portable dynamic translation:: +* Register allocation:: +* Condition code optimisations:: +* CPU state optimisations:: +* Translation cache:: +* Direct block chaining:: +* Self-modifying code and translated code invalidation:: +* Exception support:: +* MMU emulation:: +* Hardware interrupts:: +* User emulation specific details:: +* Bibliography:: +@end menu + +@node QEMU compared to other emulators @section QEMU compared to other emulators Like bochs [3], QEMU emulates an x86 CPU. But QEMU is much faster than @@ -214,6 +264,7 @@ and potentially unsafe host drivers. Moreover, they are unable to provide cycle exact simulation as an emulator can. +@node Portable dynamic translation @section Portable dynamic translation QEMU is a dynamic translator. When it first encounters a piece of code, @@ -243,6 +294,7 @@ To go even faster, GCC static register variables are used to keep the state of the virtual CPU. +@node Register allocation @section Register allocation Since QEMU uses fixed simple instructions, no efficient register @@ -250,6 +302,7 @@ register, most of the virtual CPU state can be put in registers without doing complicated register allocation. +@node Condition code optimisations @section Condition code optimisations Good CPU condition codes emulation (@code{EFLAGS} register on x86) is a @@ -268,6 +321,7 @@ the condition codes are not needed by the next instructions, no condition codes are computed at all. +@node CPU state optimisations @section CPU state optimisations The x86 CPU has many internal states which change the way it evaluates @@ -279,6 +333,7 @@ [The FPU stack pointer register is not handled that way yet]. +@node Translation cache @section Translation cache A 16 MByte cache holds the most recently used translations. For @@ -287,6 +342,7 @@ terminated by a jump or by a virtual CPU state change which the translator cannot deduce statically). +@node Direct block chaining @section Direct block chaining After each translated basic block is executed, QEMU uses the simulated @@ -302,6 +358,7 @@ architectures (such as x86 or PowerPC), the @code{JUMP} opcode is directly patched so that the block chaining has no overhead. +@node Self-modifying code and translated code invalidation @section Self-modifying code and translated code invalidation Self-modifying code is a special challenge in x86 emulation because no @@ -332,6 +389,7 @@ really needs to be invalidated. It avoids invalidating the code when only data is modified in the page. +@node Exception support @section Exception support longjmp() is used when an exception such as division by zero is @@ -348,6 +406,7 @@ optimisations. It is not a big concern because the emulated code can still be restarted in any cases. +@node MMU emulation @section MMU emulation For system emulation, QEMU uses the mmap() system call to emulate the @@ -367,6 +426,7 @@ When MMU mappings change, only the chaining of the basic blocks is reset (i.e. a basic block can no longer jump directly to another one). +@node Hardware interrupts @section Hardware interrupts In order to be faster, QEMU does not check at every basic block if an @@ -377,6 +437,7 @@ of the CPU emulator. Then the main loop can test if the interrupt is pending and handle it. +@node User emulation specific details @section User emulation specific details @subsection Linux system call translation @@ -434,6 +495,7 @@ shared object as the ld-linux.so ELF interpreter. That way, it can be relocated at load time. +@node Bibliography @section Bibliography @table @asis @@ -456,7 +518,7 @@ x86 emulator on Alpha-Linux. @item [5] -@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/chernoff/chernoff.pdf}, +@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/@/full_papers/chernoff/chernoff.pdf}, DIGITAL FX!32: Running 32-Bit x86 Applications on Alpha NT, by Anton Chernoff and Ray Hookway. @@ -486,11 +548,19 @@ @end table +@node Regression Tests @chapter Regression Tests In the directory @file{tests/}, various interesting testing programs are available. There are used for regression testing. +@menu +* test-i386:: +* linux-test:: +* qruncom.c:: +@end menu + +@node test-i386 @section @file{test-i386} This program executes most of the 16 bit and 32 bit x86 instructions and @@ -506,12 +576,20 @@ Various exceptions are raised to test most of the x86 user space exception reporting. +@node linux-test @section @file{linux-test} This program tests various Linux system calls. It is used to verify that the system call parameters are correctly converted between target and host CPUs. +@node qruncom.c @section @file{qruncom.c} Example of usage of @code{libqemu} to emulate a user mode i386 CPU. + +@node Index +@chapter Index +@printindex cp + +@bye