[Qemu-devel] Physical address debugging

[Qemu-devel] Physical address debugging

[Zeus Gómez Marmolejo]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

Hi all,

I just want to do a very simple task. I'm using QEMU for debugging a new OS
and I see that there is a memory region that is being updated by an unknown
task. I don't know if it's another process or the kernel itself.

So I would like to put a physical memory watchpoint. I don't know how to do
that. As the GDB stub is operating using virtual addressing, I cannot place
a watchpoint on an address as it's not stopping.

To make it short, I want the equivalent of the Bochs command "watch write
addr", which inserts a write watch point at physical address 'addr'. I
haven't seen this is possible on the QEMU monitor...


Thank you very much!!


-- 
Zeus Gómez Marmolejo
Zet - The x86 (IA-32) open implementation
http://zet.aluzina.org

[-- Attachment #2: Type: text/html, Size: 1025 bytes --]

Re: [Qemu-devel] Physical address debugging

[Jan Kiszka]

On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
> Hi all,
> 
> I just want to do a very simple task. I'm using QEMU for debugging a new OS
> and I see that there is a memory region that is being updated by an unknown
> task. I don't know if it's another process or the kernel itself.
> 
> So I would like to put a physical memory watchpoint. I don't know how to do
> that. As the GDB stub is operating using virtual addressing, I cannot place
> a watchpoint on an address as it's not stopping.
> 
> To make it short, I want the equivalent of the Bochs command "watch write
> addr", which inserts a write watch point at physical address 'addr'. I
> haven't seen this is possible on the QEMU monitor...

Indeed, it isn't. It's impossible with KVM (due to lacking hardware
support) but would be feasible with TCG if you extend (or ad-hoc hack)
QEMU code accordingly.

The alternative is to trace the guest OS's page mapping and set watches
on all virtual addresses that refer to the physical one in question. But
I guess that is already part of what you want to debug...

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] Physical address debugging

[Blue Swirl]

2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
> On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
>> Hi all,
>>
>> I just want to do a very simple task. I'm using QEMU for debugging a new OS
>> and I see that there is a memory region that is being updated by an unknown
>> task. I don't know if it's another process or the kernel itself.
>>
>> So I would like to put a physical memory watchpoint. I don't know how to do
>> that. As the GDB stub is operating using virtual addressing, I cannot place
>> a watchpoint on an address as it's not stopping.
>>
>> To make it short, I want the equivalent of the Bochs command "watch write
>> addr", which inserts a write watch point at physical address 'addr'. I
>> haven't seen this is possible on the QEMU monitor...
>
> Indeed, it isn't. It's impossible with KVM (due to lacking hardware
> support) but would be feasible with TCG if you extend (or ad-hoc hack)
> QEMU code accordingly.

Why impossible? The existing watchpoints replace original physical
memory with io_mem_watch MMIO, virtual addresses are translated to
physical in exec.c:tlb_set_page(). The only missing piece is to allow
setting watchpoints with physical addresses directly.

Since KVM can handle MMIO, I think it should also be able to handle
watchpoints.

> The alternative is to trace the guest OS's page mapping and set watches
> on all virtual addresses that refer to the physical one in question. But
> I guess that is already part of what you want to debug...
>
> Jan
>
> --
> Siemens AG, Corporate Technology, CT T DE IT 1
> Corporate Competence Center Embedded Linux
>
>

Re: [Qemu-devel] Physical address debugging

[Jan Kiszka]

On 2011-08-26 19:34, Blue Swirl wrote:
> 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
>> On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
>>> Hi all,
>>>
>>> I just want to do a very simple task. I'm using QEMU for debugging a new OS
>>> and I see that there is a memory region that is being updated by an unknown
>>> task. I don't know if it's another process or the kernel itself.
>>>
>>> So I would like to put a physical memory watchpoint. I don't know how to do
>>> that. As the GDB stub is operating using virtual addressing, I cannot place
>>> a watchpoint on an address as it's not stopping.
>>>
>>> To make it short, I want the equivalent of the Bochs command "watch write
>>> addr", which inserts a write watch point at physical address 'addr'. I
>>> haven't seen this is possible on the QEMU monitor...
>>
>> Indeed, it isn't. It's impossible with KVM (due to lacking hardware
>> support) but would be feasible with TCG if you extend (or ad-hoc hack)
>> QEMU code accordingly.
> 
> Why impossible? The existing watchpoints replace original physical
> memory with io_mem_watch MMIO, virtual addresses are translated to
> physical in exec.c:tlb_set_page(). The only missing piece is to allow
> setting watchpoints with physical addresses directly.
> 
> Since KVM can handle MMIO, I think it should also be able to handle
> watchpoints.

KVM uses x86 debug registers for watchpoints. And the SDM states:

16.2.1 Debug Address Registers (DR0-DR3)

Each of the debug-address registers (DR0 through DR3) holds the 32-bit
linear address of a breakpoint (see Figure 16-1). Breakpoint comparisons
are made before physical address translation occurs. [...]

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] Physical address debugging

[Blue Swirl]

2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
> On 2011-08-26 19:34, Blue Swirl wrote:
>> 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
>>> On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
>>>> Hi all,
>>>>
>>>> I just want to do a very simple task. I'm using QEMU for debugging a new OS
>>>> and I see that there is a memory region that is being updated by an unknown
>>>> task. I don't know if it's another process or the kernel itself.
>>>>
>>>> So I would like to put a physical memory watchpoint. I don't know how to do
>>>> that. As the GDB stub is operating using virtual addressing, I cannot place
>>>> a watchpoint on an address as it's not stopping.
>>>>
>>>> To make it short, I want the equivalent of the Bochs command "watch write
>>>> addr", which inserts a write watch point at physical address 'addr'. I
>>>> haven't seen this is possible on the QEMU monitor...
>>>
>>> Indeed, it isn't. It's impossible with KVM (due to lacking hardware
>>> support) but would be feasible with TCG if you extend (or ad-hoc hack)
>>> QEMU code accordingly.
>>
>> Why impossible? The existing watchpoints replace original physical
>> memory with io_mem_watch MMIO, virtual addresses are translated to
>> physical in exec.c:tlb_set_page(). The only missing piece is to allow
>> setting watchpoints with physical addresses directly.
>>
>> Since KVM can handle MMIO, I think it should also be able to handle
>> watchpoints.
>
> KVM uses x86 debug registers for watchpoints. And the SDM states:
>
> 16.2.1 Debug Address Registers (DR0-DR3)
>
> Each of the debug-address registers (DR0 through DR3) holds the 32-bit
> linear address of a breakpoint (see Figure 16-1). Breakpoint comparisons
> are made before physical address translation occurs. [...]

KVM could be changed to use the TCG version. What's the benefit of
using debug registers, speed? Is that important for debugging?

Re: [Qemu-devel] Physical address debugging

[Jan Kiszka]

On 2011-08-26 20:02, Blue Swirl wrote:
> 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
>> On 2011-08-26 19:34, Blue Swirl wrote:
>>> 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
>>>> On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
>>>>> Hi all,
>>>>>
>>>>> I just want to do a very simple task. I'm using QEMU for debugging a new OS
>>>>> and I see that there is a memory region that is being updated by an unknown
>>>>> task. I don't know if it's another process or the kernel itself.
>>>>>
>>>>> So I would like to put a physical memory watchpoint. I don't know how to do
>>>>> that. As the GDB stub is operating using virtual addressing, I cannot place
>>>>> a watchpoint on an address as it's not stopping.
>>>>>
>>>>> To make it short, I want the equivalent of the Bochs command "watch write
>>>>> addr", which inserts a write watch point at physical address 'addr'. I
>>>>> haven't seen this is possible on the QEMU monitor...
>>>>
>>>> Indeed, it isn't. It's impossible with KVM (due to lacking hardware
>>>> support) but would be feasible with TCG if you extend (or ad-hoc hack)
>>>> QEMU code accordingly.
>>>
>>> Why impossible? The existing watchpoints replace original physical
>>> memory with io_mem_watch MMIO, virtual addresses are translated to
>>> physical in exec.c:tlb_set_page(). The only missing piece is to allow
>>> setting watchpoints with physical addresses directly.
>>>
>>> Since KVM can handle MMIO, I think it should also be able to handle
>>> watchpoints.
>>
>> KVM uses x86 debug registers for watchpoints. And the SDM states:
>>
>> 16.2.1 Debug Address Registers (DR0-DR3)
>>
>> Each of the debug-address registers (DR0 through DR3) holds the 32-bit
>> linear address of a breakpoint (see Figure 16-1). Breakpoint comparisons
>> are made before physical address translation occurs. [...]
> 
> KVM could be changed to use the TCG version. What's the benefit of
> using debug registers, speed? Is that important for debugging?

When debugging tiny SMP races, yes as it may change the timing.

But MMIO based watchpoints may indeed work as well and also would
overcome the "Who needs more than 4 hw breakpoints?". But configuring
watchpoints on physical address or manually switching between soft and
hard ones need some configuration interface, ideally one that gdb can
drive. We also need some interface to finally add monitor trap support
(single stepping without injecting TF into guest flags, an Intel VT-x
feature). Just takes someone to do all this... :)

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] Physical address debugging

[Zeus Gómez Marmolejo]

[-- Attachment #1: Type: text/plain, Size: 3509 bytes --]

I don't think GDB can help us very much on that, as it's only working with
virtual addresses. You can't set a physical address breakpoint because the
protocol doesn't allow it. So I guess it can be only done in the monitor.

So, for you that you know very well the QEMU code, and suppose that I want
to do a quick modification to stop on an address write and print the
backtrace. How I could do it?? I want a one line modification to the code
(with the address hardcoded) to stop the monitor. That should be easy,
right?

Many thanks!

El 26 de agosto de 2011 20:12, Jan Kiszka <jan.kiszka@siemens.com> escribió:

> On 2011-08-26 20:02, Blue Swirl wrote:
> > 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
> >> On 2011-08-26 19:34, Blue Swirl wrote:
> >>> 2011/8/26 Jan Kiszka <jan.kiszka@siemens.com>:
> >>>> On 2011-08-26 16:21, Zeus Gómez Marmolejo wrote:
> >>>>> Hi all,
> >>>>>
> >>>>> I just want to do a very simple task. I'm using QEMU for debugging a
> new OS
> >>>>> and I see that there is a memory region that is being updated by an
> unknown
> >>>>> task. I don't know if it's another process or the kernel itself.
> >>>>>
> >>>>> So I would like to put a physical memory watchpoint. I don't know how
> to do
> >>>>> that. As the GDB stub is operating using virtual addressing, I cannot
> place
> >>>>> a watchpoint on an address as it's not stopping.
> >>>>>
> >>>>> To make it short, I want the equivalent of the Bochs command "watch
> write
> >>>>> addr", which inserts a write watch point at physical address 'addr'.
> I
> >>>>> haven't seen this is possible on the QEMU monitor...
> >>>>
> >>>> Indeed, it isn't. It's impossible with KVM (due to lacking hardware
> >>>> support) but would be feasible with TCG if you extend (or ad-hoc hack)
> >>>> QEMU code accordingly.
> >>>
> >>> Why impossible? The existing watchpoints replace original physical
> >>> memory with io_mem_watch MMIO, virtual addresses are translated to
> >>> physical in exec.c:tlb_set_page(). The only missing piece is to allow
> >>> setting watchpoints with physical addresses directly.
> >>>
> >>> Since KVM can handle MMIO, I think it should also be able to handle
> >>> watchpoints.
> >>
> >> KVM uses x86 debug registers for watchpoints. And the SDM states:
> >>
> >> 16.2.1 Debug Address Registers (DR0-DR3)
> >>
> >> Each of the debug-address registers (DR0 through DR3) holds the 32-bit
> >> linear address of a breakpoint (see Figure 16-1). Breakpoint comparisons
> >> are made before physical address translation occurs. [...]
> >
> > KVM could be changed to use the TCG version. What's the benefit of
> > using debug registers, speed? Is that important for debugging?
>
> When debugging tiny SMP races, yes as it may change the timing.
>
> But MMIO based watchpoints may indeed work as well and also would
> overcome the "Who needs more than 4 hw breakpoints?". But configuring
> watchpoints on physical address or manually switching between soft and
> hard ones need some configuration interface, ideally one that gdb can
> drive. We also need some interface to finally add monitor trap support
> (single stepping without injecting TF into guest flags, an Intel VT-x
> feature). Just takes someone to do all this... :)
>
> Jan
>
> --
> Siemens AG, Corporate Technology, CT T DE IT 1
> Corporate Competence Center Embedded Linux
>



-- 
Zeus Gómez Marmolejo
Zet - The x86 (IA-32) open implementation
http://zet.aluzina.org

[-- Attachment #2: Type: text/html, Size: 4689 bytes --]

Re: [Qemu-devel] Physical address debugging

[Lluís]

Zeus Gómez Marmolejo writes:

> So, for you that you know very well the QEMU code, and suppose that I
> want to do a quick modification to stop on an address write and print
> the backtrace.  How I could do it?? I want a one line modification to
> the code (with the address hardcoded) to stop the monitor. That should
> be easy, right?

I'm not sure if this will work, but here's a possibility.

You can edit the 'tlb_set_page' routine in exec.c. Just before the
"QTAILQ_FOREACH(wp, &env->watchpoints, entry) {" line, check if the
'paddr' argument matches your hard-coded conditions and, if true, inject
a new watchpoint with the virtual address of the translation. This
should insert a memory write watchpoint on all virtual addresses mapping
to your physical address of interest.

  if (my__is_interesting(paddr)) {
     cpu_watchpoint_insert(env, vaddr, my__access_size, 
                           BP_MEM_WRITE, NULL);
  }

BTW, if you plan to "activate" the watchpoint after some time running
(i.e., not from the beggining, because you may not know yet the physical
address), remember to call 'tlb_flush(env, 1)' on all CPUState
structures in order to flush any previous "non-watchpointed"
translations.

This is obviously not tested, but at least should take you near to what
you want.


Lluis

-- 
 "And it's much the same thing with knowledge, for whenever you learn
 something new, the whole world becomes that much richer."
 -- The Princess of Pure Reason, as told by Norton Juster in The Phantom
 Tollbooth

Re: [Qemu-devel] Physical address debugging

[Avi Kivity]

On 08/26/2011 08:34 PM, Blue Swirl wrote:
> >  Indeed, it isn't. It's impossible with KVM (due to lacking hardware
> >  support) but would be feasible with TCG if you extend (or ad-hoc hack)
> >  QEMU code accordingly.
>
> Why impossible? The existing watchpoints replace original physical
> memory with io_mem_watch MMIO, virtual addresses are translated to
> physical in exec.c:tlb_set_page(). The only missing piece is to allow
> setting watchpoints with physical addresses directly.
>
> Since KVM can handle MMIO, I think it should also be able to handle
> watchpoints.
>

Not on RAM areas.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] Physical address debugging

[Blue Swirl]

2011/8/29 Avi Kivity <avi@redhat.com>:
> On 08/26/2011 08:34 PM, Blue Swirl wrote:
>>
>> >  Indeed, it isn't. It's impossible with KVM (due to lacking hardware
>> >  support) but would be feasible with TCG if you extend (or ad-hoc hack)
>> >  QEMU code accordingly.
>>
>> Why impossible? The existing watchpoints replace original physical
>> memory with io_mem_watch MMIO, virtual addresses are translated to
>> physical in exec.c:tlb_set_page(). The only missing piece is to allow
>> setting watchpoints with physical addresses directly.
>>
>> Since KVM can handle MMIO, I think it should also be able to handle
>> watchpoints.
>>
>
> Not on RAM areas.

But isn't it possible to unmap one page of RAM and replace that by
MMIO page on KVM, is this because of the memory slots? Does your
memory work help?

Re: [Qemu-devel] Physical address debugging

[Avi Kivity]

On 08/30/2011 09:31 PM, Blue Swirl wrote:
> >>
> >>  Since KVM can handle MMIO, I think it should also be able to handle
> >>  watchpoints.
> >>
> >
> >  Not on RAM areas.
>
> But isn't it possible to unmap one page of RAM and replace that by
> MMIO page on KVM, is this because of the memory slots?

It is possible.  Currently kvm won't execute code from mmio, but that's 
easy to fix.  Of course, the kvm instruction emulator isn't 100% 
complete (or even close, when considering vector extensions).

> Does your
> memory work help?

It does, you an add an overlay page and then remove it when done.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.