
Re: [Qemu-devel] TB chaining


From: 陳韋任
Subject: Re: [Qemu-devel] TB chaining
Date: Sat, 24 Sep 2011 19:16:01 +0800
User-agent: Mutt/1.5.21 (2010-09-15)

> Say you are trying to emulate an indirect jump (i.e. jmp eax). Because eax
> is unknown at compile time, you will have to return to the main loop to look
> it up. However, if you know some likely values, you can do a few cached
> compares and hope it hits one of them.
> 
> compare eax = 0x33e3e23
>   jmp tb 30
> compare eax = 0332d2ed
>   jmp tb 30
> tb exit

  I believe we are talking about the same thing. :-) The term
"IBTC" was coined in "Evaluating Indirect Branch Handling Mechanisms
in Software Dynamic Translation Systems". QEMU does not implement
IBTC or inline caching.

> If the branch target is fixed, you will still need 2 jmps, one for the taken
> branch and another for the not-taken branch. Can you show me where the code
> that does that is?

  Take x86 for example, see gen_goto_tb (target-i386/translate.c).
gen_goto_tb generates TCG IR for block chaining. Here is a code
snippet from gen_goto_tb.

    /* tb_num selects the exit slot: 0 for the not-taken branch, 1 for the
     * taken branch. This emits the patchable direct jump. */
    tcg_gen_goto_tb(tb_num);

    /* Store the target EIP into the CPU state so the main loop knows where
     * to continue if the direct jump has not been patched yet. */
    gen_jmp_im(eip);

    /* Return to the main loop with this TB's address plus tb_num in the low
     * bits, so the main loop can patch the jump for slot tb_num. */
    tcg_gen_exit_tb((tcg_target_long)tb + tb_num);

How block chaining is done is a little complicated. You can refer to the
white paper "Porting QEMU to Plan 9: QEMU Internals and Port Strategy"
to get a general idea.

  HTH.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
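The following is an added toy model of the chaining mechanism described in the reply above; it is not QEMU code and was not part of the original mail. It mimics how a block exits with `tb + tb_num` when its direct jump slot is unpatched, how the main loop looks up the next block and patches the previous block's slot, and why invalidating a block must also unpatch every jump into it. The names `tb_exec`, `cpu_exec_loop`, `tb_invalidate`, `run_demo` and the two-block loop at guest PCs 0x100/0x110 are all constructed stand-ins for QEMU's `tcg_qemu_tb_exec`, `cpu_exec`, `tb_phys_invalidate` and real translated code.

```c
/* Toy model of QEMU-style TB chaining. Added illustration, not QEMU source;
 * all function names and the sample guest PCs are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TBS 16
#define EXIT_SLOT_MASK ((uintptr_t)3)  /* low bits of the exit_tb value hold the slot index */

typedef struct TB TB;
struct TB {
    uintptr_t pc;         /* guest PC this block was translated from (0 = free entry) */
    uintptr_t target[2];  /* guest PC of successor 0 (not taken) and 1 (taken) */
    TB *jmp_next[2];      /* direct-jump slots; NULL until patched by the main loop */
    int outcome;          /* branch outcome this toy block always produces (0 or 1) */
};

typedef struct {
    TB tbs[MAX_TBS];
    int count;
    int lookups;   /* slow-path TB cache lookups done by the main loop */
    int patches;   /* direct jumps patched (QEMU: tb_add_jump) */
    int executed;  /* blocks executed, chained or not */
} Translator;

static TB *tb_add(Translator *tr, uintptr_t pc, uintptr_t not_taken, uintptr_t taken, int outcome)
{
    TB *tb = &tr->tbs[tr->count++];
    memset(tb, 0, sizeof *tb);
    tb->pc = pc;
    tb->target[0] = not_taken;
    tb->target[1] = taken;
    tb->outcome = outcome;
    return tb;
}

/* Linear scan standing in for QEMU's hashed tb_find_fast/tb_find_slow. */
static TB *tb_find(Translator *tr, uintptr_t pc)
{
    for (int i = 0; i < tr->count; i++)
        if (tr->tbs[i].pc == pc)
            return &tr->tbs[i];
    return NULL;
}

/* Stands in for running translated code. Execution stays "in native code" as
 * long as the chosen slot is patched; otherwise the block leaves with the
 * value tcg_gen_exit_tb(tb + tb_num) produces: its own address with the slot
 * index in the low bits. 0 means "no chaining request" (budget exhausted). */
static uintptr_t tb_exec(Translator *tr, TB *tb, int *budget)
{
    for (;;) {
        if (*budget == 0)
            return 0;
        (*budget)--;
        tr->executed++;
        int slot = tb->outcome;
        if (tb->jmp_next[slot]) {  /* patched goto_tb: no round trip to the main loop */
            tb = tb->jmp_next[slot];
            continue;
        }
        return (uintptr_t)tb | (uintptr_t)slot;
    }
}

/* Main loop: find the next block, patch the previous block's exit slot to it, run it. */
static void cpu_exec_loop(Translator *tr, uintptr_t pc, int budget)
{
    uintptr_t next_tb = 0;
    while (budget > 0) {
        TB *tb = tb_find(tr, pc);
        tr->lookups++;
        if (!tb)
            return;  /* the toy has no translator; real QEMU would generate code here */
        if (next_tb) {
            TB *prev = (TB *)(next_tb & ~EXIT_SLOT_MASK);
            prev->jmp_next[next_tb & EXIT_SLOT_MASK] = tb;
            tr->patches++;
        }
        next_tb = tb_exec(tr, tb, &budget);
        if (!next_tb)
            return;
        TB *prev = (TB *)(next_tb & ~EXIT_SLOT_MASK);
        pc = prev->target[next_tb & EXIT_SLOT_MASK];  /* the EIP gen_jmp_im stored before exiting */
    }
}

/* Invalidating a block must unpatch every jump into it, or a chain would run stale code. */
static void tb_invalidate(Translator *tr, TB *victim)
{
    for (int i = 0; i < tr->count; i++)
        for (int s = 0; s < 2; s++)
            if (tr->tbs[i].jmp_next[s] == victim)
                tr->tbs[i].jmp_next[s] = NULL;
    victim->jmp_next[0] = victim->jmp_next[1] = NULL;
    victim->pc = 0;
}

/* Constructed two-block loop: A (0x100) falls through to B (0x110), B branches back to A. */
static Translator demo_tr;

static int run_demo(int budget)
{
    memset(&demo_tr, 0, sizeof demo_tr);
    tb_add(&demo_tr, 0x100, 0x110, 0x200, 0);
    tb_add(&demo_tr, 0x110, 0x120, 0x100, 1);
    cpu_exec_loop(&demo_tr, 0x100, budget);
    return demo_tr.executed;
}

static int demo_lookups(void) { return demo_tr.lookups; }
static int demo_patches(void) { return demo_tr.patches; }

/* After invalidating B, A's not-taken slot must be unpatched again. */
static int demo_invalidate_unchains(void)
{
    TB *a = &demo_tr.tbs[0], *b = &demo_tr.tbs[1];
    tb_invalidate(&demo_tr, b);
    return a->jmp_next[0] == NULL;
}

int main(void)
{
    int executed = run_demo(10);
    printf("executed=%d lookups=%d patches=%d\n", executed, demo_lookups(), demo_patches());
    return 0;
}
```

With a budget of ten blocks the loop body runs ten times but the main loop is entered only three times: once per block on first sight and once more to patch B's taken slot, after which A and B chain to each other without returning. The low bits of the exit value are usable as a slot index only because TB structures are at least 4-byte aligned, which is the same trick the `(tcg_target_long)tb + tb_num` expression in gen_goto_tb relies on.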


