Dear Mr Fabrice:

I am a graduate student at a university in China. I major in computer science. Recently, I found "When QEMU first encounters a piece of target code, it translates it to host code up to the next jump or instruction modifying the static CPU state in a way that cannot be deduced at translation time" in your paper called "QEMU, a Fast and Portable Dynamic Translator". So I think that the size of some translation blocks is big. I want to print a TB which contains two or more PowerPC instructions. I modified the function called cpu_exec as listed (around line 639 in cpu-exec.c):

    tb = tb_find_fast();
    if (tb->size > 4) {
        printf("tb size:%d\n", tb->size);
        exit(0);
    }

I set the PPC emulator reset address to 0x100. And my testbench code is as listed:

    00000100 <_start>:
     100:   3c 60 00 00     lis     r3,0
     104:   60 63 00 00     ori     r3,r3,0
     108:   7c 60 01 24     mtmsr   r3
     10c:   7c 7b 03 a6     mtsrr1  r3
     110:   3c 60 00 00     lis     r3,0
     114:   60 63 00 00     ori     r3,r3,0
     118:   7c 70 8b a6     mtspr   560,r3
     11c:   3c 60 00 00     lis     r3,0
     120:   60 63 08 00     ori     r3,r3,2048
     124:   7c 7e 9b a6     mtspr   638,r3
     128:   3c 20 00 40     lis     r1,64
     12c:   60 21 00 00     ori     r1,r1,0
     130:   7c 00 02 78     xor     r0,r0,r0
     134:   94 01 ff fc     stwu    r0,-4(r1)
     138:   94 01 ff fc     stwu    r0,-4(r1)
     13c:   3c 60 00 00     lis     r3,0
     140:   60 63 00 00     ori     r3,r3,0
     144:   48 00 5c 09     bl      5d4c
     148:   3c 40 00 50     lis     r2,80
     14c:   7c 56 03 a6     mtdec   r2
     150:   3c 60 00 2f     lis     r3,47
     154:   60 63 c0 14     ori     r3,r3,49172
     158:   3c 80 ff ff     lis     r4,-1
     15c:   60 84 ff ff     ori     r4,r4,65535
     160:   90 83 00 00     stw     r4,0(r3)
     164:   3c 60 00 00     lis     r3,0
     168:   60 63 20 8c     ori     r3,r3,8332
     16c:   7c 68 03 a6     mtlr    r3
     170:   4e 80 00 21     blrl
     .......

I expect that QEMU would exit because one TB is larger than 4 (a TB of size 4 contains only one PPC instruction). But I cannot find this taking place in the test. I don't understand why QEMU does not encounter a big TB. I wonder if you would tell me the reason by email.

Thank you for your kind consideration of this request.
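As an added illustration (not code from the e-mail, and not QEMU's own translator), the following C program decodes the words of the testbench listing above and partitions them into the translation blocks one would expect from the rule quoted from the paper: a block ends at a branch or at an instruction that modifies static CPU state. Exactly which instructions QEMU's PowerPC front end stops a block on is an assumption here; the program treats branches, sc, rfi, mtmsr and mtspr (which covers mtsrr1, mtdec and mtlr) as terminators. The listing words are embedded as constructed input; all function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not QEMU code. Splits a PowerPC instruction stream into the
 * translation blocks expected under a simplified rule: a block ends at a
 * branch or at an instruction that changes static CPU state. Which
 * instructions actually end a TB in a given QEMU version is an ASSUMPTION.
 */

/* Constructed input: the 29 words of the testbench listing, 0x100..0x170. */
static const uint32_t kTestbench[] = {
    /* 0x100 */ 0x3c600000, 0x60630000, 0x7c600124, 0x7c7b03a6,
    /* 0x110 */ 0x3c600000, 0x60630000, 0x7c708ba6, 0x3c600000,
    /* 0x120 */ 0x60630800, 0x7c7e9ba6, 0x3c200040, 0x60210000,
    /* 0x130 */ 0x7c000278, 0x9401fffc, 0x9401fffc, 0x3c600000,
    /* 0x140 */ 0x60630000, 0x48005c09, 0x3c400050, 0x7c5603a6,
    /* 0x150 */ 0x3c60002f, 0x6063c014, 0x3c80ffff, 0x6084ffff,
    /* 0x160 */ 0x90830000, 0x3c600000, 0x6063208c, 0x7c6803a6,
    /* 0x170 */ 0x4e800021,
};
static const size_t kTestbenchLen = sizeof(kTestbench) / sizeof(kTestbench[0]);

/* Primary opcode: bits 0-5 in the big-endian bit numbering of the ISA. */
static unsigned ppc_opcode(uint32_t insn) { return insn >> 26; }

/* Extended opcode: bits 21-30, used by the opcode 19 and 31 forms. */
static unsigned ppc_xo(uint32_t insn) { return (insn >> 1) & 0x3ff; }

/* SPR number of an mtspr. The 10-bit field at bits 11-20 carries the two
 * 5-bit halves of the SPR number swapped (spr[5:9] || spr[0:4]).
 * Returns -1 if insn is not mtspr. */
int ppc_spr_number(uint32_t insn)
{
    unsigned field;
    if (ppc_opcode(insn) != 31 || ppc_xo(insn) != 467)
        return -1;
    field = (insn >> 11) & 0x3ff;
    return (int)(((field & 0x1f) << 5) | (field >> 5));
}

/* 1 if insn ends a block under the assumed rule, else 0. */
int ppc_ends_tb(uint32_t insn)
{
    unsigned xo = ppc_xo(insn);
    switch (ppc_opcode(insn)) {
    case 16: case 17: case 18:          /* bc, sc, b/bl */
        return 1;
    case 19:                            /* bclr, bcctr, rfi */
        return xo == 16 || xo == 528 || xo == 50;
    case 31:                            /* mtmsr, mtspr (mtsrr1/mtdec/mtlr) */
        return xo == 146 || xo == 467;
    default:
        return 0;
    }
}

/* Partition code[0..n); sizes[i] receives the byte length of block i.
 * Returns the block count (at most max_blocks). A trailing run with no
 * terminator counts as one block. */
size_t split_tbs(const uint32_t *code, size_t n, unsigned *sizes, size_t max_blocks)
{
    size_t nblocks = 0, i;
    unsigned cur = 0;
    for (i = 0; i < n && nblocks < max_blocks; i++) {
        cur += 4;                       /* every PowerPC instruction is 4 bytes */
        if (ppc_ends_tb(code[i])) {
            sizes[nblocks++] = cur;
            cur = 0;
        }
    }
    if (cur && nblocks < max_blocks)
        sizes[nblocks++] = cur;
    return nblocks;
}

/* Number of blocks in the stream. */
size_t count_tbs(const uint32_t *code, size_t n)
{
    unsigned sizes[64];
    return split_tbs(code, n, sizes, 64);
}

/* Byte length of block idx, or 0 if there is no such block. */
unsigned tb_size(const uint32_t *code, size_t n, size_t idx)
{
    unsigned sizes[64];
    size_t k = split_tbs(code, n, sizes, 64);
    return idx < k ? sizes[idx] : 0;
}

int main(void)
{
    unsigned sizes[64];
    uint32_t pc = 0x100;
    size_t k = split_tbs(kTestbench, kTestbenchLen, sizes, 64), i;
    for (i = 0; i < k; i++) {
        printf("tb at 0x%03x: %u bytes (%u insns)\n", pc, sizes[i], sizes[i] / 4);
        pc += sizes[i];
    }
    return 0;
}
```

Under that rule the block starting at 0x100 already spans three instructions (lis, ori, mtmsr: 12 bytes), which is exactly the expectation the e-mail is testing. Comparing this partition against what tb->size actually reports for each block is a direct way to locate where the real translator stops earlier than the paper's rule would suggest.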