Operating Systems (Tsinghua, Xiang Yong), Reference 5: S2E and QEMU

QEMU Overview
  • Created by Fabrice Bellard in 2003.
  • Function-level emulation:
      - Faster than "cycle-accurate" simulators.
      - Good enough to use applications written for another CPU.
  • Just-in-time (JIT) compilation support to achieve high performance (400-500 MIPS).
  • Lots of peripherals support (VGA, serial, Ethernet, etc.).
  • Lots of hosts and targets support (full system emulation): x86, arm, mips, sh4, cris, sparc, powerpc, nds32, ...
  • qemu/hw/* contains all of the supported boards.
  • Good enough to use applications written for another CPU.
  • User mode emulation: can run applications compiled for another CPU.

QEMU Overview: Update status
  • 0.9.1 (Jan 6, 2008): stable; development then stopped for a long time.
  • 0.10 (Mar 5, 2009): TCG support (a new general JIT framework).
  • 0.11 (Sep 24, 2009): KVM support.
  • 0.12: more KVM support; code refactoring; new peripheral framework to support dynamic board configuration.

QEMU JIT
  • TCG (Tiny Code Generator): a generic backend for a C compiler. It was simplified to be used in QEMU.
  • Translation Block (TB): a TCG basic block corresponds to a list of instructions terminated by a branch instruction.
  • 16Mb code cache size.

QEMU JIT: Prologue, Epilogue
  • When the-machine is ARM

QEMU JIT
  • cpu_exec() is called each time around the main loop.
  • The program executes until an unchained block is encountered, then returns to cpu_exec() through the epilogue.
  • Entering the code cache on Linux: set the buffer executable and jump to the buffer and execute.

QEMU JIT: code gen flow
  • Front-end: qemu/tcg/tcg.c, gen_intermediate_code, disas_insn.
  • Interpret the source instruction and translate it to micro-ops.
  • Translation stops when a conditional branch is encountered.

QEMU JIT: code gen flow
  • tcg_liveness_analysis: remove dead code.
  • Ex. and_i32 t0, t0, $0xffffffff
  • Ex. add_i32 t0, t1, t2
        add_i32 t0, t0, $1
        mov_i32 t0, $1

QEMU JIT: code gen flow
  • Register map:
        register struct CPUNDS32State *env asm("r14");
        register target_ulong T0 asm("r15");
        register target_ulong T1 asm("r12");
        register target_ulong T2 asm("r13");

QEMU JIT: Block chaining
  • Avoids context-switch overhead.
  • Every time a block returns, try to chain it.
  • tb_add_jump(): back-patch the native jump address.

QEMU JIT: Summary
  • Look up the TB; if it is not cached, translate one TB.
  • Chain it to existing TBs.
  • Execute the code cache.
  • An exception happens and is handled.

S2E: platform for analyzing software systems

CG-RTL
  • Diagram labels: server; browser; cache mechanism; data preprocessing; source code compilation; intermediate results of source code compilation; generate the relation file; generate the function call graph; generate the function call relation list; generate HTML.

CG-RTL processing flow
  • Function information is obtained from the intermediate results of compilation, giving accurate function call relations.
  • The call graph, the call relation list and function comments are combined.
  • Combined with the source code browsing tool lxr; flexible to use.
  • Step 1: dump the intermediate results of compilation.
  • Step 2: extract function definitions and function call information.
  • Step 3: generate the function call relation file.
  • Step 4: generate the function call graph and the relation list.

DCG-RTL
  • Determine the kernel tools: Systemtap, ftrace, S2E.
  • Data processing algorithm: DCGRTL.
  • Define the scope.
  • A function call graph that combines dynamic and static information.
  • Function call graph generation.
  • DCGRTL algorithm flow.

Refer
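The second liveness example on the code gen flow slide (two add_i32 ops whose result is overwritten by mov_i32) can be reproduced with a backward liveness pass. This is an added example, not QEMU code: the Op struct, liveness_pass and the sample blocks are hypothetical, and it assumes every op is a pure register write with no side effects (a real pass must keep stores, calls and similar ops).

```c
#include <stdio.h>
#include <string.h>

enum { NTEMP = 4 };                    /* temps t0..t3 */

/* Toy micro-op "dst = f(src1, src2)"; a source of -1 is an immediate or unused. */
typedef struct { const char *text; int dst, src1, src2, dead; } Op;

/* Backward liveness pass over one block. live_out[t] is 1 when temp t is
 * read after the block. Marks dead ops and returns how many ops are kept. */
int liveness_pass(Op *ops, int n, const int *live_out)
{
    int live[NTEMP], kept = 0;
    memcpy(live, live_out, sizeof live);
    for (int i = n - 1; i >= 0; i--) {
        Op *o = &ops[i];
        o->dead = !live[o->dst];       /* result never read later: dead */
        if (o->dead)
            continue;
        kept++;
        live[o->dst] = 0;              /* defined here, so not live above */
        if (o->src1 >= 0) live[o->src1] = 1;
        if (o->src2 >= 0) live[o->src2] = 1;
    }
    return kept;
}

/* Constructed from the slide's example: both adds are overwritten by the mov. */
Op slide_block[] = {
    { "add_i32 t0, t1, t2", 0,  1,  2, 0 },
    { "add_i32 t0, t0, $1", 0,  0, -1, 0 },
    { "mov_i32 t0, $1",     0, -1, -1, 0 },
};
/* Constructed contrast case: t0 feeds t3, so nothing can be dropped. */
Op chain_block[] = {
    { "add_i32 t0, t1, t2", 0, 1,  2, 0 },
    { "add_i32 t3, t0, $1", 3, 0, -1, 0 },
};

int main(void)
{
    const int t0_live[NTEMP] = { 1, 0, 0, 0 };   /* only t0 is read afterwards */
    int kept = liveness_pass(slide_block, 3, t0_live);
    for (int i = 0; i < 3; i++)
        printf("%-20s %s\n", slide_block[i].text, slide_block[i].dead ? "dead" : "kept");
    printf("%d of 3 ops kept\n", kept);
    return 0;
}
```

The slide's first example (and_i32 with $0xffffffff) is an identity operation rather than a dead write, so this pass does not cover it.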
