From: Max Filippov
To: 陳韋任 (Wei-Ren Chen)
Cc: Laurent Desnogues, Steven, qemu-devel@nongnu.org
Date: Fri, 17 Aug 2012 15:57:55 +0400
Subject: Re: [Qemu-devel] qemu log function to print out the registers of the guest
In-Reply-To: <20120817111436.GB67669@cs.nctu.edu.tw>
References: <20120816080243.GA33123@cs.nctu.edu.tw> <20120817111436.GB67669@cs.nctu.edu.tw>

On Fri, Aug 17, 2012 at 3:14 PM, 陳韋任 (Wei-Ren Chen) wrote:
>> > On Thu, Aug 16, 2012 at 7:49 PM, Steven wrote:
>> > [...]
>> >> I want to get the guest memory address in the instruction mov
>> >> 0x4(%ebx) %eax, which is 0x4(%ebx).
>> >> Since %ebx is not resolved until the execution time, the code in
>> >> softmmu_header.h does not generate any hit or miss information.
>> >> Do you know any place that I could resolve the memory access address? Thanks.
>> >
>> > You'll have to generate code. Look at how helpers work.
>> Hi, Laurent,
>> do you mean the target-i386/op_helper.c/helper.c or the tcg helper? Thanks.
>
> What do you mean by "resolve the memory access address"? Do you want
> to get the guest virtual address for each guest memory access, right? As Max
> mentioned before (you can also read [1]), there are fast and slow paths
> in QEMU softmmu, tlb hit and tlb miss respectively. Max provided a patch
> for the slow path. As for the fast path, take a look at tcg_out_tlb_load (tcg
> /i386/tcg-target.c). tcg_out_tlb_load will generate native code in the
> code cache to do the tlb lookup. I think you cannot use the trick Max used
> since tcg_out_tlb_load will not be called when the fast path is executed,

That's why I've posted the following hunk that should have made all accesses go via the slow path:

diff --git a/tcg/i386/tcg-target.c b/tcg/i386/tcg-target.c
index da17bba..ec68c19 100644
--- a/tcg/i386/tcg-target.c
+++ b/tcg/i386/tcg-target.c
@@ -1062,7 +1062,7 @@ static inline void tcg_out_tlb_load(TCGContext *s, int addrlo_idx,
     tcg_out_mov(s, type, r0, addrlo);

     /* jne label1 */
-    tcg_out8(s, OPC_JCC_short + JCC_JNE);
+    tcg_out8(s, OPC_JMP_short);
     label_ptr[0] = s->code_ptr;
     s->code_ptr++;

> it "generates" code instead. Therefore, you might have to insert your
> instrumentation code in the code cache, perhaps modifying tcg_out_tlb_load
> to log the value of "addrlo" (see the comments above tcg_out_tlb_load).

-- 
Thanks.
-- Max
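Review bot: the `/* jne label1 */` comment directly above the changed line now contradicts the opcode emitted below it, since `tcg_out8(s, OPC_JMP_short)` writes an unconditional short jump; either update the comment to `/* jmp label1 */` or add a note that the fast path is deliberately disabled, so nobody reading tcg_out_tlb_load later mistakes this for the real TLB-hit branch. The fixup mechanism still works because both the short jcc and the short jmp take a single rel8 byte, which is what `label_ptr[0] = s->code_ptr; s->code_ptr++;` reserves, so the hunk is a valid debugging switch, but the TLB lookup code emitted just before it (starting with `tcg_out_mov(s, type, r0, addrlo)`) becomes dead work and every qemu_ld/qemu_st reaches the helper; it belongs behind a debug-only #ifdef rather than in a tree meant for normal use.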
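The whole thread turns on the difference between the inline TLB-hit fast path that tcg_out_tlb_load emits and the C helper on the TLB-miss slow path, and on why logging in the helper alone misses most accesses until the branch is made unconditional. The following is an added toy model written for this page, not QEMU code: a direct-mapped TLB with page tags, a slow-path helper that records the guest virtual address, and a hypothetical `force_slow` knob standing in for the jne-to-jmp hunk. The page size, TLB size, identity host mapping and the access trace are constructed assumptions.

```c
/* Added example: toy softmmu TLB with a fast (inline-style) path and a
 * logging slow path. Not QEMU code; layout and constants are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_MASK (~(uint32_t)((1u << TARGET_PAGE_BITS) - 1))
#define CPU_TLB_BITS 8
#define CPU_TLB_SIZE (1u << CPU_TLB_BITS)
#define GUEST_RAM_SIZE (1u << 16)
#define MAX_LOG 64

typedef struct {
    uint32_t addr_read;   /* page tag of the cached translation; 0xffffffff = empty */
    uintptr_t addend;     /* host address = guest address + addend */
} TlbEntry;

typedef struct {
    TlbEntry tlb[CPU_TLB_SIZE];
    uint8_t ram[GUEST_RAM_SIZE];  /* toy guest RAM, guest address == offset */
    int force_slow;               /* assumption: models the jne -> jmp hunk */
    unsigned logged;              /* accesses that reached the slow path */
    uint32_t log[MAX_LOG];
} ToyCPU;

static ToyCPU cpu;                /* static: too large for a stack frame */

static void toy_cpu_init(int force_slow)
{
    memset(&cpu, 0, sizeof cpu);
    for (unsigned i = 0; i < CPU_TLB_SIZE; i++)
        cpu.tlb[i].addr_read = 0xffffffffu;   /* never matches a page-aligned tag */
    cpu.force_slow = force_slow;
    /* constructed contents: the 32-bit word at address a holds the value a */
    for (uint32_t a = 0; a + 4 <= GUEST_RAM_SIZE; a += 4)
        memcpy(cpu.ram + a, &a, 4);
}

static unsigned tlb_index(uint32_t addr)
{
    return (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
}

/* Slow path: the C helper reached on a TLB miss. It refills the entry and is
 * the only place that sees the guest virtual address, so instrumentation put
 * here alone misses every fast-path hit. */
static uint32_t helper_ldl_slow(uint32_t addr)
{
    TlbEntry *e = &cpu.tlb[tlb_index(addr)];
    uint32_t v;
    e->addr_read = addr & TARGET_PAGE_MASK;
    e->addend = (uintptr_t)cpu.ram;           /* identity mapping in this toy */
    if (cpu.logged < MAX_LOG)
        cpu.log[cpu.logged] = addr;
    cpu.logged++;
    memcpy(&v, cpu.ram + addr, 4);
    return v;
}

/* Models the inline code tcg_out_tlb_load emits: index the TLB, compare the
 * page tag, "jne label1" to the slow path on mismatch. With force_slow the
 * branch is unconditional, as in the quoted hunk. */
static uint32_t guest_ldl(uint32_t addr)
{
    TlbEntry *e = &cpu.tlb[tlb_index(addr)];
    int hit = (e->addr_read == (addr & TARGET_PAGE_MASK));
    if (hit && !cpu.force_slow) {
        uint32_t v;
        memcpy(&v, (const uint8_t *)(e->addend + addr), 4);
        return v;
    }
    return helper_ldl_slow(addr);             /* label1 */
}

/* Constructed access trace: two pages, several hits after the first miss. */
static const uint32_t trace[] = { 0x1000, 0x1004, 0x2000, 0x1008, 0x2ff0 };
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Replays the trace; returns how many accesses the slow-path logger saw. */
static unsigned replay_logged(int force_slow)
{
    toy_cpu_init(force_slow);
    for (size_t i = 0; i < TRACE_LEN; i++)
        guest_ldl(trace[i]);
    return cpu.logged;
}

/* Replays the trace; returns the sum of loaded values (same in both modes). */
static uint32_t replay_sum(int force_slow)
{
    uint32_t sum = 0;
    toy_cpu_init(force_slow);
    for (size_t i = 0; i < TRACE_LEN; i++)
        sum += guest_ldl(trace[i]);
    return sum;
}

int main(void)
{
    printf("fast path enabled: %u of %zu accesses logged, sum=0x%x\n",
           replay_logged(0), TRACE_LEN, replay_sum(0));
    printf("all via slow path: %u of %zu accesses logged, sum=0x%x\n",
           replay_logged(1), TRACE_LEN, replay_sum(1));
    return 0;
}
```

With the branch conditional only the two first touches of each page reach the helper; with it forced, all five accesses do, while the loaded values are identical, which is the behaviour the hunk above relies on: correctness is unchanged, only the hit path is bypassed.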