Message-ID: <4D0A2E4C.6070307@gmail.com>
Date: Thu, 16 Dec 2010 16:20:44 +0100
From: Stefano Bonifazi
Subject: [Qemu-devel] classic emulator Vs QEMU-TCG
To: qemu-devel@nongnu.org

Hi all!

I am a student, trying to understand QEMU, specifically TCG translation/execution. After spending much time on the code I still have big doubts. I think my doubts are due to the classic idea I have of an emulator. Actually, as a student, I've never developed even a simple classic emulator myself, but in my idea it should follow this flow:

1) Fetch target instruction, i.e. PC(0x532652) : 0x104265 (I am just inventing)
2) Decode: Opcode 0x10 : ADD, R1: 0x42, R2: 0x65
3) Look up the instruction function table:
     switch(opcode) { case add: add(R1, R2); break; }
4) Execution:
     void add(int R1, int R2) { env->reg[R1] = env->reg[R1] + env->reg[R2]; }

Now all of that would be compiled offline for the host machine, and at runtime the host machine would just execute the binary host code for the instruction "env->reg[R1] = env->reg[R1] + env->reg[R2];" (its host binary translation).

In QEMU/TCG, thanks to the help of Mr. Blue Swirl, I understood there is a runtime creation of host binary, starting from the loaded target binary.. My big doubt is: how can I execute that new binary? Shall TCG put it in some memory location, and then make the process branch to that address (and then back)? I really can't see how that happens in the code :(

In cpu-exec.c : cpu_exec_nocache I find:

> /* execute the generated code */
> next_tb = tcg_qemu_tb_exec(tb->tc_ptr);

and in cpu-exec.c : cpu_exec

> /* execute the generated code */
> next_tb = tcg_qemu_tb_exec(tc_ptr);

so I thought the tcg_qemu_tb_exec "function" should do the work of executing the translated binary on the host. But then I found out it is just a define in tcg.h:

> #define tcg_qemu_tb_exec(tb_ptr) ((long REGPARM (*)(void *))code_gen_prologue)(tb_ptr)

and again in exec.c

> uint8_t code_gen_prologue[1024] code_gen_section;

Maybe I have some problems with that C syntax, but I really don't understand what happens there.. how the execution happens! I think for all of you who have been working for so long on QEMU, with long successful experience in this field, it should be very easy.. but atm I really can't figure it out alone.. I can't find good documents explaining it, and I can't understand it myself from the code!

Thank you very very much for any help! :)

Stefano B.
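Added example (not QEMU's code and not part of the mail above) showing the shape of the tcg_qemu_tb_exec cast in portable C: a raw byte pointer standing in for code_gen_prologue is cast to a function-pointer type and called, the prologue enters a translation block, and the value that comes back is next_tb, which the dispatch loop feeds into the next call. To keep it runnable on any host, the "generated host code" is an ordinary C function rather than bytes emitted by a JIT; struct tb, tb_host_code, run_tb_chain and demo_chain are names invented for this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Function-pointer type implied by the macro: entry takes the TB's
 * code pointer and returns next_tb (0 when there is none to chain). */
typedef long (*tb_entry_fn)(void *tb_ptr);

/* Model of a translation block (hypothetical, not QEMU's struct):
 * host_code stands in for the bytes at tc_ptr. */
struct tb {
    const char *name;
    long (*host_code)(struct tb *self);
    struct tb *next;    /* the TB whose address the epilogue returns */
    int exec_count;
};

/* Stand-in for generated code: do the TB's work, then "return to the
 * epilogue" with the address of the next TB as next_tb. */
static long tb_host_code(struct tb *self)
{
    self->exec_count++;
    return (long)(uintptr_t)self->next;
}

/* Stand-in for the code_gen_prologue bytes: save host state, jump into
 * the TB, and pass the TB's result back to the C caller. */
static long prologue_impl(void *tb_ptr)
{
    struct tb *tb = tb_ptr;
    return tb->host_code(tb);
}

/* Same shape as: ((long (*)(void *))code_gen_prologue)(tb_ptr)
 * The cast tells the compiler "treat this address as a function". */
static long tcg_qemu_tb_exec_model(uint8_t *code_gen_prologue, void *tb_ptr)
{
    return ((tb_entry_fn)(uintptr_t)code_gen_prologue)(tb_ptr);
}

/* Dispatch loop in the style of cpu_exec: run until next_tb == 0.
 * Returns how many TBs were entered. */
int run_tb_chain(struct tb *first)
{
    uint8_t *code_gen_prologue = (uint8_t *)(uintptr_t)prologue_impl;
    struct tb *tb = first;
    int executed = 0;
    while (tb != NULL) {
        long next_tb = tcg_qemu_tb_exec_model(code_gen_prologue, tb);
        executed++;
        tb = (struct tb *)(uintptr_t)next_tb;
    }
    return executed;
}

/* Constructed chain a -> b -> c; returns the number of TBs executed. */
int demo_chain(void)
{
    struct tb c = {"tb_c", tb_host_code, NULL, 0};
    struct tb b = {"tb_b", tb_host_code, &c, 0};
    struct tb a = {"tb_a", tb_host_code, &b, 0};
    int n = run_tb_chain(&a);
    printf("executed %d TBs, last was %s (count %d)\n", n, c.name, c.exec_count);
    return n;
}
```

In real QEMU the bytes behind code_gen_prologue are written by the TCG backend at startup and tc_ptr points at JIT-emitted host code in a buffer mapped executable, so the same cast makes the CPU branch into memory that was filled at runtime.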