Qemu Userspace Emulator with library + method

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* Qemu Userspace Emulator with library + method
@ 2021-12-13  9:49 Marcus Engene
  2021-12-14 19:59 ` Alex Bennée
  0 siblings, 1 reply; 2+ messages in thread
From: Marcus Engene @ 2021-12-13  9:49 UTC (permalink / raw)
  To: qemu-devel

[-- Attachment #1: Type: text/plain, Size: 1998 bytes --]

Hi,

I'd like to do instruction traces with library+function name included.

 From what I understand *in_asm* only shows instructions when they are 
being JIT:ed.
If I call a function twice I only see the instructions once so it makes 
sense.

As a workaround, I tried to do a plugin. I looked at the examples in 
contrib/plugins and it seems to work nicely. I see all instructions in 
userspace:

0000004000802100 48 89 e7                             movq %rsp, %rdi
0000004000802103 e8 08 0e 00 00                       callq 0x4000802f10
0000004000802f10 f3 0f 1e fa                          endbr64
0000004000802f14 55                                   pushq %rbp
0000004000802f15 48 89 e5                             movq %rsp, %rbp
0000004000802f18 41 57                                pushq %r15

However, for it to be super useful, I'd also like to see what library or 
source file each instruction lives, and what function we're in.

Example output from perf + intel_pt

a.out 602812 [006] 206712.277263361: 7f8d50217084 brk+0x4 
(/usr/lib/x86_64-linux-gnu/ld-2.31.so)     mov $0xc, %eax
a.out 602812 [006] 206712.277263361:      7f8d50217089 brk+0x9 
(/usr/lib/x86_64-linux-gnu/ld-2.31.so)         syscall
a.out 602812 [006] 206712.277264027:      7f8d5021708b brk+0xb 
(/usr/lib/x86_64-linux-gnu/ld-2.31.so)         cmp $0xfffffffffffff000, %rax
a.out 602812 [006] 206712.277264027:      7f8d50217091 brk+0x11 
(/usr/lib/x86_64-linux-gnu/ld-2.31.so)         jnbe 0x7f8d502170a8
a.out 602812 [006] 206712.277264027:      7f8d50217093 brk+0x13 
(/usr/lib/x86_64-linux-gnu/ld-2.31.so)         movq  %rax, 0x1106e(%rip)

Is this doable? Do you have any advice on where to start?

I tried to get the "symbol" in the plugin, but I only get null values.

Kind regards,
Marcus



[-- Attachment #2: Type: text/html, Size: 2659 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Qemu Userspace Emulator with library + method
  2021-12-13  9:49 Qemu Userspace Emulator with library + method Marcus Engene
@ 2021-12-14 19:59 ` Alex Bennée
  0 siblings, 0 replies; 2+ messages in thread
From: Alex Bennée @ 2021-12-14 19:59 UTC (permalink / raw)
  To: Marcus Engene; +Cc: qemu-devel


Marcus Engene <mengpg2@engene.se> writes:

> Hi,
>
> I'd like to do instruction traces with library+function name included.
>
> From what I understand in_asm only shows instructions when they are being JIT:ed. 
> If I call a function twice I only see the instructions once so it makes sense.
>
> As a workaround, I tried to do a plugin. I looked at the examples in contrib/plugins and it seems to work nicely. I see all instructions in
> userspace:
>
> 0000004000802100 48 89 e7                             movq %rsp, %rdi
> 0000004000802103 e8 08 0e 00 00                       callq 0x4000802f10
> 0000004000802f10 f3 0f 1e fa                          endbr64 
> 0000004000802f14 55                                   pushq %rbp
> 0000004000802f15 48 89 e5                             movq %rsp, %rbp
> 0000004000802f18 41 57                                pushq %r15

This looks like you could expand/tweak the existing execlog to get what
you want rather than writing a whole new plugin.

> However, for it to be super useful, I'd also like to see what library or source file each instruction lives, and what function we're in.
>
> Example output from perf + intel_pt
>
> a.out 602812 [006] 206712.277263361:      7f8d50217084 brk+0x4 (/usr/lib/x86_64-linux-gnu/ld-2.31.so)         mov $0xc, %eax
> a.out 602812 [006] 206712.277263361:      7f8d50217089 brk+0x9 (/usr/lib/x86_64-linux-gnu/ld-2.31.so)         syscall 
> a.out 602812 [006] 206712.277264027:      7f8d5021708b brk+0xb (/usr/lib/x86_64-linux-gnu/ld-2.31.so)         cmp $0xfffffffffffff000, %rax
> a.out 602812 [006] 206712.277264027:      7f8d50217091 brk+0x11 (/usr/lib/x86_64-linux-gnu/ld-2.31.so)         jnbe 0x7f8d502170a8
> a.out 602812 [006] 206712.277264027:      7f8d50217093 brk+0x13 (/usr/lib/x86_64-linux-gnu/ld-2.31.so)         movq  %rax, 0x1106e
> (%rip)
>
> Is this doable? Do you have any advice on where to start?

Totally.

>
> I tried to get the "symbol" in the plugin, but I only get null values.

You mean using qemu_plugin_insn_symbol()?

IIRC that only works on the main binary and of course needs a
non-stripped binary. Basically we would need to expand the elf loader to
consider libraries as well. However that will require some sort of hook
to spot them getting mapped in by the guests ld.so. Maybe we could add
some heuristics to the mmap syscalls to spot that?

>
> Kind regards,
> Marcus


-- 
Alex Bennée


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-12-14 20:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-13  9:49 Qemu Userspace Emulator with library + method Marcus Engene
2021-12-14 19:59 ` Alex Bennée

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).