[Qemu-devel] full dynamic instruction trace for MIPS target

[Qemu-devel] full dynamic instruction trace for MIPS target

[Boris Cámara]

[-- Attachment #1: Type: text/plain, Size: 897 bytes --]

   
Hi,

I think the correct way to get the full instruction trace on a MIPS emulated processor is:

-Disabling the tb cache: I  did this by modifying the tb_find_slow() and tb_find_fast() functions to ever go to "not_found" label where the code is translated with no cache searches.


-Loggin the PC and the instruction: I created a qemu_log() function clone and call it just before executing decode_opc() on target-mips/translate.c

Please, can any one  tell me if it is correct or if I am missing something?
I  made some tests using this method but it is very very slow. Is there a more efficient way to obtain the full instruction trace for a MIPS target processor emulated on qemu?

thanks,


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

[-- Attachment #2: Type: text/html, Size: 4277 bytes --]

Re: [Qemu-devel] full dynamic instruction trace for MIPS target

[Richard Henderson]

On 04/05/2010 03:09 PM, Boris Cámara wrote:
> I think the correct way to get the full instruction trace on a MIPS
> emulated processor is:

-singlestep -d exec

That gives you the address of each instruction executed.
I'm not sure what else you want than this, as you havn't said.


r~

Res: [Qemu-devel] full dynamic instruction trace for MIPS target

[Boris Cámara]

[-- Attachment #1: Type: text/plain, Size: 1067 bytes --]

I need the PC and the executated instruction to extract a complete trace of the execution in a file.

I found since the translation block is cached the "-d in_asm" option with not output a complete execution trace. Only when the TB is cached is logged.

What does -singlestep means?

thanks,




________________________________
De: Richard Henderson <rth@twiddle.net>
Para: Boris Cámara <vesmar@rocketmail.com>
Cc: qemu-devel@nongnu.org
Enviadas: Segunda-feira, 5 de Abril de 2010 19:41:52
Assunto: Re: [Qemu-devel] full dynamic instruction trace for MIPS target

On 04/05/2010 03:09 PM, Boris Cámara wrote:
> I think the correct way to get the full instruction trace on a MIPS
> emulated processor is:

-singlestep -d exec

That gives you the address of each instruction executed.
I'm not sure what else you want than this, as you havn't said.


r~


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

[-- Attachment #2: Type: text/html, Size: 2064 bytes --]

Re: [Qemu-devel] full dynamic instruction trace for MIPS target

[Vince Weaver]

> I think the correct way to get the full instruction trace on a MIPS 
> emulated processor is:

the way you describe is slow because you are constantly re-generating the 
TBs.  The best way to do this is to add your instrumentation to the TBs.

I have code that does that for a recent version of Qemu here:
  http://www.csl.cornell.edu/~vince/projects/qemusim/

although it outputs Basic-Block vectors, not a full memory trace like you 
want.  It has been validated to match proper instruction counts using 
hardware performnce counters though.

I also have code creating full instruction/memory traces for Qemu MIPS 
that can be found here:
  http://www.csl.cornell.edu/~vince/projects/qemu-trace/

but it's against Qemu from 2007 pre-dating the TCG changeover so of 
limited use probably.  I hvae some code somewhere that updated this to 
work with TCG but I don't know what happened to it.

Vince

Res: [Qemu-devel] full dynamic instruction trace for MIPS target

[Boris Cámara]

[-- Attachment #1: Type: text/plain, Size: 2376 bytes --]

Hi Vince, 
The aproach you are using on http://www.csl.cornell.edu/~vince/projects/qemu-trace/ to get the PC dump is similar to mine but as you dont disable the TB caches It is not a full execution trace. You only dump the PC when they are compiled and inserted on the  TB cache. When qemu needs to execute the same code again, tb_find_slow() will find it  was cached so your code wont dump the executed PCs again beacuse tb_gen_code()   wont be called this time.

On    http://www.csl.cornell.edu/~vince/projects/qemusim/ I found the same logic because you call the helper function inside of gen_intermediate_code_internal() which is called by tb_find_slow() too.

So, as far as i understand if tb_find_slow() find the  previously cached PC on the TB vector, your dump_pc() helper functions will not be called again for this TB.

Did you get correct values for your counters in bbvs[bb] ?

I didnt run your patch yet so I m not sure  that I said is 100% correct. :)





________________________________
De: Vince Weaver <vince@csl.cornell.edu>
Para: Boris Cámara <vesmar@rocketmail.com>
Cc: qemu-devel@nongnu.org
Enviadas: Segunda-feira, 5 de Abril de 2010 22:41:52
Assunto: Re: [Qemu-devel] full dynamic instruction trace for MIPS target


> I think the correct way to get the full instruction trace on a MIPS 
> emulated processor is:

the way you describe is slow because you are constantly re-generating the 
TBs.  The best way to do this is to add your instrumentation to the TBs.

I have code that does that for a recent version of Qemu here:
  http://www.csl.cornell.edu/~vince/projects/qemusim/

although it outputs Basic-Block vectors, not a full memory trace like you 
want.  It has been validated to match proper instruction counts using 
hardware performnce counters though.

I also have code creating full instruction/memory traces for Qemu MIPS 
that can be found here:
  http://www.csl.cornell.edu/~vince/projects/qemu-trace/

but it's against Qemu from 2007 pre-dating the TCG changeover so of 
limited use probably.  I hvae some code somewhere that updated this to 
work with TCG but I don't know what happened to it.

Vince


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

[-- Attachment #2: Type: text/html, Size: 3801 bytes --]

Re: Res: [Qemu-devel] full dynamic instruction trace for MIPS target

[Vince Weaver]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2467 bytes --]

On Tue, 6 Apr 2010, Boris Cámara wrote:

>The aproach you are using on 
>http://www.csl.cornell.edu/~vince/projects/qemu-trace/ to get the PC dump 
>is similar to mine but as you dont disable the TB caches It is not a full 
>execution trace. 

I can assure you that it does in fact work.

> You only dump the PC when they are compiled and inserted 
> on the TB cache.

no, look closer.  My code at instrumentation time inserts a helper-op 
after each instruction.  This is like a virtual instruction that lives in 
the TB and calls my counting function.  So each time the TB is re-executed 
the calls happen again, as they are part of the TB instruction stream.

> Did you get correct values for your counters in bbvs[bb] ?

yes.  And the resuts match valgrind, pin, and hardware performance 
counters.

Vince



________________________________
De: Vince Weaver <vince@csl.cornell.edu>
Para: Boris Cámara <vesmar@rocketmail.com>
Cc: qemu-devel@nongnu.org
Enviadas: Segunda-feira, 5 de Abril de 2010 22:41:52
Assunto: Re: [Qemu-devel] full dynamic instruction trace for MIPS target


> I think the correct way to get the full instruction trace on a MIPS 
> emulated processor is:

the way you describe is slow because you are constantly re-generating the 
TBs.  The best way to do this is to add your instrumentation to the TBs.

I have code that does that for a recent version of Qemu here:
  http://www.csl.cornell.edu/~vince/projects/qemusim/

although it outputs Basic-Block vectors, not a full memory trace like you 
want.  It has been validated to match proper instruction counts using 
hardware performnce counters though.

I also have code creating full instruction/memory traces for Qemu MIPS 
that can be found here:
  http://www.csl.cornell.edu/~vince/projects/qemu-trace/

but it's against Qemu from 2007 pre-dating the TCG changeover so of 
limited use probably.  I hvae some code somewhere that updated this to 
work with TCG but I don't know what happened to it.

Vince


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

-- 
/*  Vince Weaver  vince@csl.cornell.edu  http://csl.cornell.edu/~vince  */

main(){char O,o[66]="|\n\\/_  ",*I=o+7,l[]="B!FhhBHCWE9C?cJFKET$+h'Iq*chT"
,i=0,_;while(_=l[i++])for(O=0;O++<_>>5;)*I=*(I++-(_&31));*I=0;puts(o+5);}

Res: Res: [Qemu-devel] full dynamic instruction trace for MIPS target

[Boris Cámara]

>This is like a virtual instruction that lives in 
>the TB and calls my counting function.  So each time the TB is re-executed 
>the calls happen again, as they are part of the TB instruction stream.

It sounds good! Today a will apply the patches and run it to get a better understanding.

> Did you get correct values for your counters in bbvs[bb] ?

Yes, concidently last week I have read your HIPEAC paper, great job.

________________________________
De: Vince Weaver <vince@csl.cornell.edu>
Para: Boris Cámara <vesmar@rocketmail.com>
Cc: qemu-devel@nongnu.org
Enviadas: Terça-feira, 6 de Abril de 2010 23:33:57
Assunto: Re: Res: [Qemu-devel] full dynamic instruction trace for MIPS target

On Tue, 6 Apr 2010, Boris Cámara wrote:

>The aproach you are using on 
>http://www.csl.cornell.edu/~vince/projects/qemu-trace/ to get the PC dump 
>is similar to mine but as you dont disable the TB caches It is not a full 
>execution trace. 

I can assure you that it does in fact work.

> You only dump the PC when they are compiled and inserted 
> on the TB cache.

no, look closer.  My code at instrumentation time inserts a helper-op 
after each instruction.  This is like a virtual instruction that lives in 
the TB and calls my counting function.  So each time the TB is re-executed 
the calls happen again, as they are part of the TB instruction stream.

> Did you get correct values for your counters in bbvs[bb] ?

yes.  And the resuts match valgrind, pin, and hardware performance 
counters.

Vince



________________________________
De: Vince Weaver <vince@csl.cornell.edu>
Para: Boris Cámara <vesmar@rocketmail.com>
Cc: qemu-devel@nongnu.org
Enviadas: Segunda-feira, 5 de Abril de 2010 22:41:52
Assunto: Re: [Qemu-devel] full dynamic instruction trace for MIPS target


> I think the correct way to get the full instruction trace on a MIPS 
> emulated processor is:

the way you describe is slow because you are constantly re-generating the 
TBs.  The best way to do this is to add your instrumentation to the TBs.

I have code that does that for a recent version of Qemu here:
  http://www.csl.cornell.edu/~vince/projects/qemusim/

although it outputs Basic-Block vectors, not a full memory trace like you 
want.  It has been validated to match proper instruction counts using 
hardware performnce counters though.

I also have code creating full instruction/memory traces for Qemu MIPS 
that can be found here:
  http://www.csl.cornell.edu/~vince/projects/qemu-trace/

but it's against Qemu from 2007 pre-dating the TCG changeover so of 
limited use probably.  I hvae some code somewhere that updated this to 
work with TCG but I don't know what happened to it.

Vince


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com

-- 
/*  Vince Weaver  vince@csl.cornell.edu  http://csl.cornell.edu/~vince  */

main(){char O,o[66]="|\n\\/_  ",*I=o+7,l[]="B!FhhBHCWE9C?cJFKET$+h'Iq*chT"
,i=0,_;while(_=l[i++])for(O=0;O++<_>>5;)*I=*(I++-(_&31));*I=0;puts(o+5);}


      ____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com