From: Mulyadi Santosa
Date: Thu, 16 Dec 2010 22:57:51 +0700
Subject: Re: [Qemu-devel] classic emulator Vs QEMU-TCG
In-Reply-To: <4D0A2E4C.6070307@gmail.com>
To: Stefano Bonifazi
Cc: qemu-devel@nongnu.org

Hi Stefano....

I'll try to share what I know about TCG......

On Thu, Dec 16, 2010 at 22:20, Stefano Bonifazi wrote:
> Actually as a student, I've never developed even a simple classic emulator
> myself,

you're not alone...trust me...... :)

> but in my idea it should follow this flow:
> 1) Fetch target instruction
>  i.e. PC(0x532652) : 0x104265 (I am just inventing)
> 2) Decode
>  Opcode 0x10 : ADD, R1: 0x42, R2: 0x65
> 3) Look up instruction function table:
>  switch(opcode)
>  case add :
>   add(R1, R2)
>  break;
> 4) Execution
>  void add(int R1, int R2)
>  { env->reg[R1] = env->reg[R1] + env->reg[R2];}

You're right. Basically, we're taught that emulation is like a big giant
"switch..case" with lots of conditions. And that's exactly what Bochs does
AFAIK...
The pros of this approach are that instructions could be simulated as
precisely as possible and we could have more precise control over
timing...however the cons are... as we saw with that big case
branching...cache misses could likely happen (in the host machine I mean) and
pipeline stalls might happen more.

By doing what Qemu does, be it using the old dyngen or new TCG, we try to
maintain "execution fluidity" by interpreting instructions as little as
possible and stringing together the already translated blocks ... And don't
forget that Qemu sometimes does things like lazy flags update, somewhat
simple dead code elimination and so on. More like a tiny compiler...right?

> Now all of that would be compiled offline for the host machine and at
> runtime the host machine would just execute the binary host code for the
> instruction "env->reg[R1] = env->reg[R1] + env->reg[R2];" (its host binary
> translation)
>
> My big doubt is, how can I execute that new binary? .. Shall TCG put it in
> some memory location, and then make the process branch to that address (and
> then back) ?
> I really can't see how that happens in the code :(
>
> in cpu-exec.c : cpu_exec_nocache I find:
>
>> /* execute the generated code */
>>     next_tb = tcg_qemu_tb_exec(tb->tc_ptr);
>
> and in cpu-exec.c : cpu_exec
>
>> /* execute the generated code */
>>
>>                     next_tb = tcg_qemu_tb_exec(tc_ptr);
>
> so I thought tcg_qemu_tb_exec "function" should do the work of executing the
> translated binary in the host.
> But then I found out it is just a define in tcg.h:
>
>> #define tcg_qemu_tb_exec(tb_ptr) ((long REGPARM (*)(void
>> *))code_gen_prologue)(tb_ptr)
>
> and again in exec.c
>
>> uint8_t code_gen_prologue[1024] code_gen_section;
>
> Maybe I have some problems with that C syntax, but I really don't understand
> what happens there.. how the execution happens!

With my limited C knowledge, I saw that as an instruction jump (to tb_ptr).
The "code_gen_prologue" seems to me like a cast..... casting each opcode in
tb_ptr as uint8_t.... with maximum length=1024

I hope that's the right interpretation...I must admit Qemu is full of gcc
and C tricks here and there...

-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
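As an added example, not code from this thread or from QEMU: the C program below runs Stefano's fetch/decode/switch flow and, beside it, a stand-in for the TCG path. A TranslationBlock carries a tc_ptr that is a plain C function here (in QEMU it points at generated host machine code), and it is reached through the same idiom as the tcg_qemu_tb_exec macro: the address held in code_gen_prologue is cast to a function type and called with tb_ptr, and each block returns the next chained block the way cpu_exec's next_tb loop consumes it. The QEMU-like names (CPUState, TranslationBlock, code_gen_prologue, tb_exec) are mimicked for readability, the guest program is constructed, and the register bounds check in interp_run is the one thing a bare env->reg[R1] from the pseudocode would be missing.

```c
/* Added example, not code from this thread or from QEMU: a "classic"
 * switch-case interpreter beside a stand-in for QEMU's translation-block
 * execution. The QEMU-like names below are mimicked, not QEMU's own code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NREGS   8
#define OP_ADD  0x10
#define OP_SUB  0x11
#define OP_HALT 0xFF
typedef struct { long reg[NREGS]; size_t pc; } CPUState;

/* Constructed guest program, 3 bytes per instruction: opcode, r1, r2. */
static const uint8_t guest_code[] = {
    OP_ADD, 1, 2,   /* r1 += r2 */
    OP_ADD, 1, 1,   /* r1 += r1 */
    OP_SUB, 3, 1,   /* r3 -= r1 */
    OP_HALT, 0, 0,
};

/* Fetch, decode, look up, execute. Returns instructions retired, or -1 on a
 * bad opcode, a register number outside env->reg, or running off the end. */
long interp_run(CPUState *env, const uint8_t *code, size_t len)
{
    long retired = 0;
    while (env->pc + 3 <= len) {
        uint8_t op = code[env->pc], r1 = code[env->pc + 1], r2 = code[env->pc + 2];
        if (op == OP_HALT) return retired;
        if (r1 >= NREGS || r2 >= NREGS) return -1;   /* reject before indexing */
        switch (op) {
        case OP_ADD: env->reg[r1] += env->reg[r2]; break;
        case OP_SUB: env->reg[r1] -= env->reg[r2]; break;
        default:     return -1;
        }
        env->pc += 3;
        retired++;
    }
    return -1;   /* ran off the end without OP_HALT */
}

/* In QEMU tc_ptr points at generated host machine code; here a C function
 * stands in. A block returns the next chained block, or 0 to come back. */
typedef struct TranslationBlock TranslationBlock;
typedef uintptr_t (*HostCode)(CPUState *env, TranslationBlock *tb);
struct TranslationBlock { size_t pc; HostCode tc_ptr; TranslationBlock *next; };

/* Stand-in for the machine code in QEMU's code_gen_prologue buffer: it takes
 * tb_ptr and jumps into that block's translated code. */
static uintptr_t prologue(CPUState *env, void *tb_ptr)
{
    TranslationBlock *tb = tb_ptr;
    return tb->tc_ptr(env, tb);
}
/* Kept as an opaque pointer so the call site must use the tcg_qemu_tb_exec
 * idiom: cast the address to the wanted function type, then call it. */
static void (*code_gen_prologue)(void) = (void (*)(void))prologue;
#define tb_exec(env, tb_ptr) \
    ((uintptr_t (*)(CPUState *, void *))code_gen_prologue)((env), (tb_ptr))

static uintptr_t block_a(CPUState *env, TranslationBlock *tb)
{   /* both guest ADDs fused, then chain straight into the next block */
    env->reg[1] += env->reg[2];
    env->reg[1] += env->reg[1];
    env->pc = 6;
    return (uintptr_t)tb->next;
}
static uintptr_t block_b(CPUState *env, TranslationBlock *tb)
{   /* last block: tb->next is NULL, so 0 comes back and the loop ends */
    env->reg[3] -= env->reg[1];
    env->pc = 9;
    return (uintptr_t)tb->next;
}

/* cpu_exec-style loop: run blocks while they chain. Returns blocks run. */
long tb_run(CPUState *env, TranslationBlock *first)
{
    long blocks = 0;
    for (uintptr_t next_tb = (uintptr_t)first; next_tb; blocks++)
        next_tb = tb_exec(env, (void *)next_tb);
    return blocks;
}

/* Run the program through either path from r1=5, r2=7, r3=100 and return the
 * final reg[3] (the paths must agree), or -1 if the step count is wrong. */
long demo(int use_tcg)
{
    CPUState env = { { 0, 5, 7, 100 }, 0 };
    TranslationBlock b = { 6, block_b, NULL }, a = { 0, block_a, &b };
    long steps = use_tcg ? tb_run(&env, &a)
                         : interp_run(&env, guest_code, sizeof guest_code);
    return steps == (use_tcg ? 2 : 3) ? env.reg[3] : -1;
}
/* A register number outside env->reg is rejected, not used as an index. */
long demo_bad_register(void)
{
    const uint8_t bad[] = { OP_ADD, 9, 0, OP_HALT, 0, 0 };
    CPUState env = { { 0 }, 0 };
    return interp_run(&env, bad, sizeof bad);
}
int main(void)
{
    printf("interpreter r3=%ld, tcg-style r3=%ld, bad register -> %ld\n",
           demo(0), demo(1), demo_bad_register());
}
```

Both paths end with r3 = 76; the interpreter retires three guest instructions one at a time through the switch, while the TCG-style path runs two blocks and never returns to the dispatch loop between them, which is the "execution fluidity" the reply above describes. The real prologue additionally saves and restores host registers around the jump, which a C function gets from the compiler for free.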