[Qemu-devel] An architectural question

From: Balazs Attila-Mihaly \(Cd-MaN\)
Subject: [Qemu-devel] An architectural question
Date: Tue, 11 Dec 2007 02:36:33 -0800 (PST)

Hello all,

First of all I want to apologize for this mail and hope that I won't waste too 
much of your valuable time hacking on Qemu ;-). My goal is to implement a 
tracing system in Qemu, which would suspend the emulation at certain points 
(determined by linear addresses), dump some information from the memory and 
resume the execution.

My first attempt was to "hijack" the breakpoint system, by doing the following: 
I've placed a breakpoint at the address of the instruction I wanted to trace 
and inside of the main_loop function when the EXCP_DEBUG exception occurred I 
performed the logging after which I called vm_start to resume the operation. 
However the performance was abysmal...

My next idea would be to replace the opcode generated for the debug point with 
a procedure call (which would, instead of stopping the emulation, perform the 
logging and let the emulation go on its way). I've implemented a prototype for 
this by placing the address of the callback procedure inside of the CPUState 
structure (given that this structure is accessible to the code fragments), 
however it segfaults.

My questions would be:
- What would be the most optimal way to implement this? (Something that would 
allow the OS to run at a usable speed inside of the emulated machine...)
- What does the kernel level acceleration layer (kqemu) exactly do? Does it 
create a separate address space (page directory) for the emulated process? Is 
it possible to perform a callback from the code running under kqemu into a 
procedure defined in Qemu the way I'm trying to do it (I see multiple possible 
obstacles here: is the code run in a separate address space? is it run with a 
separate privilege level - ring 0/1 vs ring 3)? 
- Do I understand correctly that when using full acceleration (i.e. 
-kernel-kqemu), the dynamic translation (i.e. guest code -> translation block) 
is limited to code segments which cause exceptions? If so, do I infer correctly 
that, unless the code I wish to trace is of such type, it will never have the 
chance to call the logging procedure (because it would be included in the 
translation block)?

Best regards and thank you for your time and patience.
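The two designs described in the mail (stop the emulator on a debug exception, log from the outer loop and resume, versus calling a logging procedure inline from the dispatch loop and carrying on) can be modelled in a few dozen lines. The C below is an added example written for this page; it is not code from the original mail and not QEMU code. `ToyCPU` is a hypothetical stand-in for QEMU's `CPUState`, the one-byte ISA, the tracepoint table and the `run()` loop are all constructed for the example, and the constants `RUN_DEBUG`/`RUN_HALT` merely play the role of `EXCP_DEBUG` and a normal halt. The point it shows is where the log call sits relative to the dispatch loop, and why the stop-and-resume variant needs a "skip the hook once" flag so that resuming at the traced address does not trigger the same hit again.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical toy CPU; stands in for QEMU's CPUState only for illustration. */
typedef struct {
    uint32_t pc;
    uint32_t acc;
    int      skip_hook_once;   /* set when resuming after a stop-style hit */
    uint8_t  mem[64];
} ToyCPU;

/* Toy one-byte ISA (constructed): one opcode per byte at mem[pc]. */
enum { OP_NOP = 0, OP_ADD1 = 1, OP_STORE = 2, OP_HALT = 3 };
#define STORE_ADDR 0x30

/* Snapshot the trace callback records (constructed for this example). */
typedef struct {
    int      hits;
    uint32_t last_pc;
    uint32_t last_acc;
    uint8_t  mem_window[4];
} TraceLog;

typedef void (*trace_fn)(ToyCPU *cpu, void *opaque);
typedef struct { uint32_t addr; trace_fn fn; void *opaque; } TracePoint;

#define MAX_TP 8
static TracePoint tps[MAX_TP];
static int ntps;

int add_tracepoint(uint32_t addr, trace_fn fn, void *opaque)
{
    if (ntps >= MAX_TP) return -1;
    tps[ntps].addr = addr; tps[ntps].fn = fn; tps[ntps].opaque = opaque;
    return ntps++;
}
void clear_tracepoints(void) { ntps = 0; }

/* Logging procedure: dump registers and a memory window, then return so the
   caller (inline hook or outer loop) can let emulation go on. */
void log_state(ToyCPU *cpu, void *opaque)
{
    TraceLog *tl = opaque;
    tl->hits++;
    tl->last_pc  = cpu->pc;
    tl->last_acc = cpu->acc;
    memcpy(tl->mem_window, &cpu->mem[STORE_ADDR], sizeof tl->mem_window);
}

enum { RUN_HALT = 0, RUN_DEBUG = 1, RUN_LIMIT = 2 };

/* Dispatch loop. stop_on_hit == 0: the hook runs inline and execution
   continues (the "procedure call instead of a debug point" idea).
   stop_on_hit != 0: the loop returns RUN_DEBUG with pc at the traced
   instruction (the breakpoint / EXCP_DEBUG style); the caller logs and
   must call run() again to resume. */
int run(ToyCPU *cpu, int max_steps, int stop_on_hit, int *steps_out)
{
    int steps = 0;
    while (steps < max_steps) {
        if (cpu->skip_hook_once) {
            cpu->skip_hook_once = 0;        /* resuming: don't re-trigger */
        } else {
            for (int i = 0; i < ntps; i++) {
                if (tps[i].addr != cpu->pc) continue;
                if (stop_on_hit) {
                    cpu->skip_hook_once = 1;
                    *steps_out = steps;
                    return RUN_DEBUG;
                }
                tps[i].fn(cpu, tps[i].opaque);   /* inline logging, no stop */
            }
        }
        uint8_t op = cpu->mem[cpu->pc++];
        steps++;
        switch (op) {
        case OP_NOP:   break;
        case OP_ADD1:  cpu->acc++; break;
        case OP_STORE: cpu->mem[STORE_ADDR] = (uint8_t)cpu->acc; break;
        default:       *steps_out = steps; return RUN_HALT;   /* HALT/unknown */
        }
    }
    *steps_out = steps;
    return RUN_LIMIT;
}

/* Constructed guest program: ADD1, ADD1, ADD1, STORE, HALT. */
void load_demo(ToyCPU *cpu)
{
    const uint8_t prog[] = { OP_ADD1, OP_ADD1, OP_ADD1, OP_STORE, OP_HALT };
    memset(cpu, 0, sizeof *cpu);
    memcpy(cpu->mem, prog, sizeof prog);
}

/* Inline-callback mode: trace pc == 2, return how many times the hook fired. */
int demo_inline(TraceLog *tl)
{
    ToyCPU cpu; int steps;
    load_demo(&cpu); memset(tl, 0, sizeof *tl);
    clear_tracepoints(); add_tracepoint(2, log_state, tl);
    run(&cpu, 100, 0, &steps);
    return tl->hits;
}

/* Stop-and-resume mode: return how many times run() had to be re-entered. */
int demo_stop(TraceLog *tl)
{
    ToyCPU cpu; int steps, reentries = 0;
    load_demo(&cpu); memset(tl, 0, sizeof *tl);
    clear_tracepoints(); add_tracepoint(2, log_state, tl);
    while (run(&cpu, 100, 1, &steps) == RUN_DEBUG) {
        log_state(&cpu, tl);    /* logging happens in the outer loop here */
        reentries++;
    }
    return reentries;
}
```

In both modes the snapshot taken at pc 2 sees `acc == 2` and an untouched store slot, and the program still halts after five instructions with `mem[0x30] == 3`; the difference is only that the stop variant leaves and re-enters the dispatch loop for every hit, which is the per-hit cost the mail complains about. A real emulator that caches translated blocks has the extra problem the third question raises: the hook has to be placed where the translated code for that address is actually generated, or it is never reached.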

