[Qemu-devel] Tracing guest virtual addresses

[Qemu-devel] Tracing guest virtual addresses

[Jayanto Minocha]

Hi,

I think there have been a few threads on the mailing list regarding tracing
guest virtual addresses for load and store instructions, but I have been
unable to get it to work. I am trying this for an AArch64 machine, and am
using the softmmu.

The tracing infrastructure provides the following event:

vcpu tcg guest_mem_before(...).

But that is only used to instrument the cpu_ld/cpu_st macros, which is only
called in the case of a tlb miss.

I've been going over the archives, and it looks like I need to instrument
tcg_out_tlb_load. Am I on the right path ?

Regards,
-Jayanto

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Jayanto Minocha writes:

> Hi,
> I think there have been a few threads on the mailing list regarding tracing
> guest virtual addresses for load and store instructions, but I have been
> unable to get it to work. I am trying this for an AArch64 machine, and am
> using the softmmu.

> The tracing infrastructure provides the following event:

> vcpu tcg guest_mem_before(...).

> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
> called in the case of a tlb miss.

> I've been going over the archives, and it looks like I need to instrument
> tcg_out_tlb_load. Am I on the right path ?

That event should trace all guest memory accesses performed by the CPU. If you
found any case where this does not hold, it is likely a bug and I'd appreciate
it if you can point me to the smallest possible failing example.


Thanks,
  Lluis

Re: [Qemu-devel] Tracing guest virtual addresses

[Peter Maydell]

On 20 June 2017 at 12:02, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
> Jayanto Minocha writes:
>> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
>> called in the case of a tlb miss.
>
>> I've been going over the archives, and it looks like I need to instrument
>> tcg_out_tlb_load. Am I on the right path ?
>
> That event should trace all guest memory accesses performed by the CPU. If you
> found any case where this does not hold, it is likely a bug and I'd appreciate
> it if you can point me to the smallest possible failing example.

Does it catch memory accesses that are performed via helper functions,
or only ones done by inline TCG code?

thanks
-- PMM

Re: [Qemu-devel] Tracing guest virtual addresses

[Emilio G. Cota]

On Tue, Jun 20, 2017 at 14:02:02 +0300, Lluís Vilanova wrote:
> Jayanto Minocha writes:
> 
> > Hi,
> > I think there have been a few threads on the mailing list regarding tracing
> > guest virtual addresses for load and store instructions, but I have been
> > unable to get it to work. I am trying this for an AArch64 machine, and am
> > using the softmmu.
> 
> > The tracing infrastructure provides the following event:
> 
> > vcpu tcg guest_mem_before(...).
> 
> > But that is only used to instrument the cpu_ld/cpu_st macros, which is only
> > called in the case of a tlb miss.
> 
> > I've been going over the archives, and it looks like I need to instrument
> > tcg_out_tlb_load. Am I on the right path ?
> 
> That event should trace all guest memory accesses performed by the CPU. If you
> found any case where this does not hold, it is likely a bug and I'd appreciate
> it if you can point me to the smallest possible failing example.

I'm having trouble with this as well, although I'm pretty sure I must be doing
something wrong (never used the tracing infrastructure before). Here's what
I'm doing:

$ git show --pretty=short
commit e85c0d14014514a2f0faeae5b4c23fab5b234de4
Merge: 65a0e3e 7f3cf2d
Author: Peter Maydell <peter.maydell@linaro.org>

    Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging


$ git diff
diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
index 2de8359..385a462 100644
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -2,7 +2,7 @@

 # TCG related tracing (mostly disabled by default)
 # cpu-exec.c
-disable exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
+exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
 disable exec_tb_nocache(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
 disable exec_tb_exit(void *last_tb, unsigned int flags) "tb:%p flags=%x"

diff --git a/trace-events b/trace-events
index bae63fd..7df49a3 100644
--- a/trace-events
+++ b/trace-events
@@ -106,7 +106,7 @@ vcpu guest_cpu_reset(void)
 #
 # Mode: user, softmmu
 # Targets: TCG(all)
-disable vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d", "vaddr=0x%016"PRIx64" info=%d"
+vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d", "vaddr=0x%016"PRIx64" info=%d"

 # @num: System call number.
 # @arg*: System call argument value.

$ mkdir build
$ cd build
$ ../configure --target-list=arm-softmmu,x86_64-linux-user --enable-trace-backends=simple && make -j 12
[...]

$ cat ../ev
guest_mem_before_exec
guest_mem_before_trans
exec_tb

$ x86_64-linux-user/qemu-x86_64 -trace events=../ev /bin/date
Tue Jun 20 13:11:49 EDT 2017

$ ls -lt | head | grep trace
-rw-rw-r--  1 cota cota   169721 Jun 20 13:11 trace-2150

$ scripts/simpletrace.py trace-events-all trace-2150
exec_tb 0.000 pid=2150 tb=0x7f5896667010 pc=0x4000801cc0
exec_tb 21.648 pid=2150 tb=0x7f5896667088 pc=0x4000805c00
[...]

100% of the file is exec_tb lines, i.e. no memory references whatsoever.

Similar results with arm-softmmu.

Thanks,

		Emilio

Re: [Qemu-devel] Tracing guest virtual addresses

[Jayanto Minocha]

Lluis,

My modifications were almost the same as those done by Emilio. There were
no memory trace events in the trace file.

-J

On Tue, Jun 20, 2017 at 10:20 AM, Emilio G. Cota <cota@braap.org> wrote:

> On Tue, Jun 20, 2017 at 14:02:02 +0300, Lluís Vilanova wrote:
> > Jayanto Minocha writes:
> >
> > > Hi,
> > > I think there have been a few threads on the mailing list regarding
> tracing
> > > guest virtual addresses for load and store instructions, but I have
> been
> > > unable to get it to work. I am trying this for an AArch64 machine, and
> am
> > > using the softmmu.
> >
> > > The tracing infrastructure provides the following event:
> >
> > > vcpu tcg guest_mem_before(...).
> >
> > > But that is only used to instrument the cpu_ld/cpu_st macros, which is
> only
> > > called in the case of a tlb miss.
> >
> > > I've been going over the archives, and it looks like I need to
> instrument
> > > tcg_out_tlb_load. Am I on the right path ?
> >
> > That event should trace all guest memory accesses performed by the CPU.
> If you
> > found any case where this does not hold, it is likely a bug and I'd
> appreciate
> > it if you can point me to the smallest possible failing example.
>
> I'm having trouble with this as well, although I'm pretty sure I must be
> doing
> something wrong (never used the tracing infrastructure before). Here's what
> I'm doing:
>
> $ git show --pretty=short
> commit e85c0d14014514a2f0faeae5b4c23fab5b234de4
> Merge: 65a0e3e 7f3cf2d
> Author: Peter Maydell <peter.maydell@linaro.org>
>
>     Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into
> staging
>
>
> $ git diff
> diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
> index 2de8359..385a462 100644
> --- a/accel/tcg/trace-events
> +++ b/accel/tcg/trace-events
> @@ -2,7 +2,7 @@
>
>  # TCG related tracing (mostly disabled by default)
>  # cpu-exec.c
> -disable exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
> +exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>  disable exec_tb_nocache(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>  disable exec_tb_exit(void *last_tb, unsigned int flags) "tb:%p flags=%x"
>
> diff --git a/trace-events b/trace-events
> index bae63fd..7df49a3 100644
> --- a/trace-events
> +++ b/trace-events
> @@ -106,7 +106,7 @@ vcpu guest_cpu_reset(void)
>  #
>  # Mode: user, softmmu
>  # Targets: TCG(all)
> -disable vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
> "vaddr=0x%016"PRIx64" info=%d"
> +vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
> "vaddr=0x%016"PRIx64" info=%d"
>
>  # @num: System call number.
>  # @arg*: System call argument value.
>
> $ mkdir build
> $ cd build
> $ ../configure --target-list=arm-softmmu,x86_64-linux-user
> --enable-trace-backends=simple && make -j 12
> [...]
>
> $ cat ../ev
> guest_mem_before_exec
> guest_mem_before_trans
> exec_tb
>
> $ x86_64-linux-user/qemu-x86_64 -trace events=../ev /bin/date
> Tue Jun 20 13:11:49 EDT 2017
>
> $ ls -lt | head | grep trace
> -rw-rw-r--  1 cota cota   169721 Jun 20 13:11 trace-2150
>
> $ scripts/simpletrace.py trace-events-all trace-2150
> exec_tb 0.000 pid=2150 tb=0x7f5896667010 pc=0x4000801cc0
> exec_tb 21.648 pid=2150 tb=0x7f5896667088 pc=0x4000805c00
> [...]
>
> 100% of the file is exec_tb lines, i.e. no memory references whatsoever.
>
> Similar results with arm-softmmu.
>
> Thanks,
>
>                 Emilio
>
>

Re: [Qemu-devel] Tracing guest virtual addresses

[Alex Bennée]

Peter Maydell <peter.maydell@linaro.org> writes:

> On 20 June 2017 at 12:02, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>> Jayanto Minocha writes:
>>> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
>>> called in the case of a tlb miss.
>>
>>> I've been going over the archives, and it looks like I need to instrument
>>> tcg_out_tlb_load. Am I on the right path ?
>>
>> That event should trace all guest memory accesses performed by the CPU. If you
>> found any case where this does not hold, it is likely a bug and I'd appreciate
>> it if you can point me to the smallest possible failing example.
>
> Does it catch memory accesses that are performed via helper functions,
> or only ones done by inline TCG code?

AFAICT it inserts a helper call on the TCG ld/st ops. I wonder why not
just ensure we always take the slow path and put the helpers in the
access functions there? You could even apply an address mask if you only
want to look at certain address ranges.

>
> thanks
> -- PMM


--
Alex Bennée

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Jayanto Minocha writes:

> Lluis,
> My modifications were almost the same as those done by Emilio. There were
> no memory trace events in the trace file.

I'll take a look at it after I finish revamping the generic translation loop
series (hopefully today).

Thanks,
  Lluis


> -J

> On Tue, Jun 20, 2017 at 10:20 AM, Emilio G. Cota <cota@braap.org> wrote:

>> On Tue, Jun 20, 2017 at 14:02:02 +0300, Lluís Vilanova wrote:
>> > Jayanto Minocha writes:
>> >
>> > > Hi,
>> > > I think there have been a few threads on the mailing list regarding
>> tracing
>> > > guest virtual addresses for load and store instructions, but I have
>> been
>> > > unable to get it to work. I am trying this for an AArch64 machine, and
>> am
>> > > using the softmmu.
>> >
>> > > The tracing infrastructure provides the following event:
>> >
>> > > vcpu tcg guest_mem_before(...).
>> >
>> > > But that is only used to instrument the cpu_ld/cpu_st macros, which is
>> only
>> > > called in the case of a tlb miss.
>> >
>> > > I've been going over the archives, and it looks like I need to
>> instrument
>> > > tcg_out_tlb_load. Am I on the right path ?
>> >
>> > That event should trace all guest memory accesses performed by the CPU.
>> If you
>> > found any case where this does not hold, it is likely a bug and I'd
>> appreciate
>> > it if you can point me to the smallest possible failing example.
>> 
>> I'm having trouble with this as well, although I'm pretty sure I must be
>> doing
>> something wrong (never used the tracing infrastructure before). Here's what
>> I'm doing:
>> 
>> $ git show --pretty=short
>> commit e85c0d14014514a2f0faeae5b4c23fab5b234de4
>> Merge: 65a0e3e 7f3cf2d
>> Author: Peter Maydell <peter.maydell@linaro.org>
>> 
>> Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into
>> staging
>> 
>> 
>> $ git diff
>> diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
>> index 2de8359..385a462 100644
>> --- a/accel/tcg/trace-events
>> +++ b/accel/tcg/trace-events
>> @@ -2,7 +2,7 @@
>> 
>> # TCG related tracing (mostly disabled by default)
>> # cpu-exec.c
>> -disable exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>> +exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>> disable exec_tb_nocache(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>> disable exec_tb_exit(void *last_tb, unsigned int flags) "tb:%p flags=%x"
>> 
>> diff --git a/trace-events b/trace-events
>> index bae63fd..7df49a3 100644
>> --- a/trace-events
>> +++ b/trace-events
>> @@ -106,7 +106,7 @@ vcpu guest_cpu_reset(void)
>> #
>> # Mode: user, softmmu
>> # Targets: TCG(all)
>> -disable vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
>> "vaddr=0x%016"PRIx64" info=%d"
>> +vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
>> "vaddr=0x%016"PRIx64" info=%d"
>> 
>> # @num: System call number.
>> # @arg*: System call argument value.
>> 
>> $ mkdir build
>> $ cd build
>> $ ../configure --target-list=arm-softmmu,x86_64-linux-user
>> --enable-trace-backends=simple && make -j 12
>> [...]
>> 
>> $ cat ../ev
>> guest_mem_before_exec
>> guest_mem_before_trans
>> exec_tb
>> 
>> $ x86_64-linux-user/qemu-x86_64 -trace events=../ev /bin/date
>> Tue Jun 20 13:11:49 EDT 2017
>> 
>> $ ls -lt | head | grep trace
>> -rw-rw-r--  1 cota cota   169721 Jun 20 13:11 trace-2150
>> 
>> $ scripts/simpletrace.py trace-events-all trace-2150
>> exec_tb 0.000 pid=2150 tb=0x7f5896667010 pc=0x4000801cc0
>> exec_tb 21.648 pid=2150 tb=0x7f5896667088 pc=0x4000805c00
>> [...]
>> 
>> 100% of the file is exec_tb lines, i.e. no memory references whatsoever.
>> 
>> Similar results with arm-softmmu.
>> 
>> Thanks,
>> 
>> Emilio
>> 
>> 

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Lluís Vilanova writes:

> Jayanto Minocha writes:
>> Lluis,
>> My modifications were almost the same as those done by Emilio. There were
>> no memory trace events in the trace file.

> I'll take a look at it after I finish revamping the generic translation loop
> series (hopefully today).

I just sent a patch that should fix it:

  https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg05491.html


Cheers,
  Lluis



>> -J

>> On Tue, Jun 20, 2017 at 10:20 AM, Emilio G. Cota <cota@braap.org> wrote:

>>> On Tue, Jun 20, 2017 at 14:02:02 +0300, Lluís Vilanova wrote:
>>> > Jayanto Minocha writes:
>>> >
>>> > > Hi,
>>> > > I think there have been a few threads on the mailing list regarding
>>> tracing
>>> > > guest virtual addresses for load and store instructions, but I have
>>> been
>>> > > unable to get it to work. I am trying this for an AArch64 machine, and
>>> am
>>> > > using the softmmu.
>>> >
>>> > > The tracing infrastructure provides the following event:
>>> >
>>> > > vcpu tcg guest_mem_before(...).
>>> >
>>> > > But that is only used to instrument the cpu_ld/cpu_st macros, which is
>>> only
>>> > > called in the case of a tlb miss.
>>> >
>>> > > I've been going over the archives, and it looks like I need to
>>> instrument
>>> > > tcg_out_tlb_load. Am I on the right path ?
>>> >
>>> > That event should trace all guest memory accesses performed by the CPU.
>>> If you
>>> > found any case where this does not hold, it is likely a bug and I'd
>>> appreciate
>>> > it if you can point me to the smallest possible failing example.
>>> 
>>> I'm having trouble with this as well, although I'm pretty sure I must be
>>> doing
>>> something wrong (never used the tracing infrastructure before). Here's what
>>> I'm doing:
>>> 
>>> $ git show --pretty=short
>>> commit e85c0d14014514a2f0faeae5b4c23fab5b234de4
>>> Merge: 65a0e3e 7f3cf2d
>>> Author: Peter Maydell <peter.maydell@linaro.org>
>>> 
>>> Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into
>>> staging
>>> 
>>> 
>>> $ git diff
>>> diff --git a/accel/tcg/trace-events b/accel/tcg/trace-events
>>> index 2de8359..385a462 100644
>>> --- a/accel/tcg/trace-events
>>> +++ b/accel/tcg/trace-events
>>> @@ -2,7 +2,7 @@
>>> 
>>> # TCG related tracing (mostly disabled by default)
>>> # cpu-exec.c
>>> -disable exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>>> +exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>>> disable exec_tb_nocache(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
>>> disable exec_tb_exit(void *last_tb, unsigned int flags) "tb:%p flags=%x"
>>> 
>>> diff --git a/trace-events b/trace-events
>>> index bae63fd..7df49a3 100644
>>> --- a/trace-events
>>> +++ b/trace-events
>>> @@ -106,7 +106,7 @@ vcpu guest_cpu_reset(void)
>>> #
>>> # Mode: user, softmmu
>>> # Targets: TCG(all)
>>> -disable vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
>>> "vaddr=0x%016"PRIx64" info=%d"
>>> +vcpu tcg guest_mem_before(TCGv vaddr, uint8_t info) "info=%d",
>>> "vaddr=0x%016"PRIx64" info=%d"
>>> 
>>> # @num: System call number.
>>> # @arg*: System call argument value.
>>> 
>>> $ mkdir build
>>> $ cd build
>>> $ ../configure --target-list=arm-softmmu,x86_64-linux-user
>>> --enable-trace-backends=simple && make -j 12
>>> [...]
>>> 
>>> $ cat ../ev
>>> guest_mem_before_exec
>>> guest_mem_before_trans
>>> exec_tb
>>> 
>>> $ x86_64-linux-user/qemu-x86_64 -trace events=../ev /bin/date
>>> Tue Jun 20 13:11:49 EDT 2017
>>> 
>>> $ ls -lt | head | grep trace
>>> -rw-rw-r--  1 cota cota   169721 Jun 20 13:11 trace-2150
>>> 
>>> $ scripts/simpletrace.py trace-events-all trace-2150
>>> exec_tb 0.000 pid=2150 tb=0x7f5896667010 pc=0x4000801cc0
>>> exec_tb 21.648 pid=2150 tb=0x7f5896667088 pc=0x4000805c00
>>> [...]
>>> 
>>> 100% of the file is exec_tb lines, i.e. no memory references whatsoever.
>>> 
>>> Similar results with arm-softmmu.
>>> 
>>> Thanks,
>>> 
>>> Emilio
>>> 
>>> 

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Alex Bennée writes:

> Peter Maydell <peter.maydell@linaro.org> writes:

>> On 20 June 2017 at 12:02, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>>> Jayanto Minocha writes:
>>>> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
>>>> called in the case of a tlb miss.
>>> 
>>>> I've been going over the archives, and it looks like I need to instrument
>>>> tcg_out_tlb_load. Am I on the right path ?
>>> 
>>> That event should trace all guest memory accesses performed by the CPU. If you
>>> found any case where this does not hold, it is likely a bug and I'd appreciate
>>> it if you can point me to the smallest possible failing example.
>> 
>> Does it catch memory accesses that are performed via helper functions,
>> or only ones done by inline TCG code?

> AFAICT it inserts a helper call on the TCG ld/st ops. I wonder why not
> just ensure we always take the slow path and put the helpers in the
> access functions there? You could even apply an address mask if you only
> want to look at certain address ranges.

It also catches accesses performed by helpers.


Cheers,
  Lluis

Re: [Qemu-devel] Tracing guest virtual addresses

[Alex Bennée]

Lluís Vilanova <vilanova@ac.upc.edu> writes:

> Alex Bennée writes:
>
>> Peter Maydell <peter.maydell@linaro.org> writes:
>
>>> On 20 June 2017 at 12:02, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>>>> Jayanto Minocha writes:
>>>>> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
>>>>> called in the case of a tlb miss.
>>>>
>>>>> I've been going over the archives, and it looks like I need to instrument
>>>>> tcg_out_tlb_load. Am I on the right path ?
>>>>
>>>> That event should trace all guest memory accesses performed by the CPU. If you
>>>> found any case where this does not hold, it is likely a bug and I'd appreciate
>>>> it if you can point me to the smallest possible failing example.
>>>
>>> Does it catch memory accesses that are performed via helper functions,
>>> or only ones done by inline TCG code?
>
>> AFAICT it inserts a helper call on the TCG ld/st ops. I wonder why not
>> just ensure we always take the slow path and put the helpers in the
>> access functions there? You could even apply an address mask if you only
>> want to look at certain address ranges.
>
> It also catches accesses performed by helpers.

Don't helper accesses also pass through the SoftMMU? Or are we talking
about user-space access as well here?

>
>
> Cheers,
>   Lluis


--
Alex Bennée

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Alex Bennée writes:

> Lluís Vilanova <vilanova@ac.upc.edu> writes:

>> Alex Bennée writes:
>> 
>>> Peter Maydell <peter.maydell@linaro.org> writes:
>> 
>>>> On 20 June 2017 at 12:02, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>>>>> Jayanto Minocha writes:
>>>>>> But that is only used to instrument the cpu_ld/cpu_st macros, which is only
>>>>>> called in the case of a tlb miss.
>>>>> 
>>>>>> I've been going over the archives, and it looks like I need to instrument
>>>>>> tcg_out_tlb_load. Am I on the right path ?
>>>>> 
>>>>> That event should trace all guest memory accesses performed by the CPU. If you
>>>>> found any case where this does not hold, it is likely a bug and I'd appreciate
>>>>> it if you can point me to the smallest possible failing example.
>>>> 
>>>> Does it catch memory accesses that are performed via helper functions,
>>>> or only ones done by inline TCG code?
>> 
>>> AFAICT it inserts a helper call on the TCG ld/st ops. I wonder why not
>>> just ensure we always take the slow path and put the helpers in the
>>> access functions there? You could even apply an address mask if you only
>>> want to look at certain address ranges.
>> 
>> It also catches accesses performed by helpers.

> Don't helper accesses also pass through the SoftMMU? Or are we talking
> about user-space access as well here?

There's two places where memory access tracing is triggered:

* tcg_gen_qemu_ld/st_...
* ld/st templates (both softmmu and user)

AFAIK, helpers use the ld/st templates to access guest memory.

You can check for calls to trace_guest_mem_before_exec and
trace_guest_mem_before_tcg.


Thanks,
  Lluis

Re: [Qemu-devel] Tracing guest virtual addresses

[Peter Maydell]

On 26 June 2017 at 10:26, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
> There's two places where memory access tracing is triggered:
>
> * tcg_gen_qemu_ld/st_...
> * ld/st templates (both softmmu and user)
>
> AFAIK, helpers use the ld/st templates to access guest memory.

Mostly, but there are one or two special cases, for instance
the ARM HELPER(dc_zva) in target/arm/helper.c, which has a
fastpath that uses tlb_vaddr_to_host to look up the host memory
address and then memset to do the clear-to-zeroes operation.

thanks
-- PMM

Re: [Qemu-devel] Tracing guest virtual addresses

[Lluís Vilanova]

Peter Maydell writes:

> On 26 June 2017 at 10:26, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>> There's two places where memory access tracing is triggered:
>> 
>> * tcg_gen_qemu_ld/st_...
>> * ld/st templates (both softmmu and user)
>> 
>> AFAIK, helpers use the ld/st templates to access guest memory.

> Mostly, but there are one or two special cases, for instance
> the ARM HELPER(dc_zva) in target/arm/helper.c, which has a
> fastpath that uses tlb_vaddr_to_host to look up the host memory
> address and then memset to do the clear-to-zeroes operation.

Should that be replaced with a cpu_memset or similar?

Cheers,
  Lluis

Re: [Qemu-devel] Tracing guest virtual addresses

[Peter Maydell]

On 26 June 2017 at 13:04, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
> Peter Maydell writes:
>
>> On 26 June 2017 at 10:26, Lluís Vilanova <vilanova@ac.upc.edu> wrote:
>>> There's two places where memory access tracing is triggered:
>>>
>>> * tcg_gen_qemu_ld/st_...
>>> * ld/st templates (both softmmu and user)
>>>
>>> AFAIK, helpers use the ld/st templates to access guest memory.
>
>> Mostly, but there are one or two special cases, for instance
>> the ARM HELPER(dc_zva) in target/arm/helper.c, which has a
>> fastpath that uses tlb_vaddr_to_host to look up the host memory
>> address and then memset to do the clear-to-zeroes operation.
>
> Should that be replaced with a cpu_memset or similar?

Possibly -- PPC and S390 also have a fast-memset like this
(and S390 also has a fast-memmove). However I would be wary
of there being architecture-specific corner cases (eg
needing to get the right vaddr for a fault if the accesses
fault).

thanks
-- PMM

Re: [Qemu-devel] Tracing guest virtual addresses

[Emilio G. Cota]

On Sun, Jun 25, 2017 at 15:16:46 +0300, Lluís Vilanova wrote:
> Lluís Vilanova writes:
> 
> > Jayanto Minocha writes:
> >> Lluis,
> >> My modifications were almost the same as those done by Emilio. There were
> >> no memory trace events in the trace file.
> 
> > I'll take a look at it after I finish revamping the generic translation loop
> > series (hopefully today).
> 
> I just sent a patch that should fix it:
> 
>   https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg05491.html

Yay! That fixes the problem for me:

$ ../scripts/simpletrace.py trace-events-all trace-17579 | head -5
guest_mem_before_exec 0.000 pid=17579 __cpu=0x563780e726a0 vaddr=0x4000a2a030 info=0x4
guest_mem_before_exec 0.368 pid=17579 __cpu=0x563780e726a0 vaddr=0x4000a2a034 info=0x4
guest_mem_before_exec 0.162 pid=17579 __cpu=0x563780e726a0 vaddr=0x4000a2a034 info=0x14
guest_mem_before_exec 0.163 pid=17579 __cpu=0x563780e726a0 vaddr=0x4000a2a028 info=0x4
guest_mem_before_exec 0.109 pid=17579 __cpu=0x563780e726a0 vaddr=0x4000a2a02c info=0x4

Thanks,

		Emilio