[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] An architectural question
From: |
Balazs Attila-Mihaly \(Cd-MaN\) |
Subject: |
[Qemu-devel] An architectural question |
Date: |
Tue, 11 Dec 2007 02:36:33 -0800 (PST) |
Hello all,
First of all I want to apologize for this mail and hope that I won't wast to
much of your valuable time hacking on Qemu ;-). My goal is to implement a
tracing system in Qemu, which would suspend the emulation at certain points
(determined by linear addresses), dump some information from the memory and
resume the execution.
My first attempt was to "hijack" the breakpoint system, by doing the following:
I've placed a breakpoint at the address of the instruction I wanted to trace
and inside of the main_loop function when the EXCP_DEBUG exception occurred I
performed the logging after which I called vm_start to resume the operation.
However the performance was abyssal...
My next idea would be to replace the opcode generated for the debug point with
a procedure call (which would, instead of stopping the emulation, perform the
logging and let the emulation go on its way). I've implemented a prototype for
this by placing the address of the callback procedure inside of the CPUState
structure (given that this structure is accessible to the code fragments),
however it segfaults.
My questions would be:
- What would be the most optimal way to implement this? (Something that would
allow the OS to run at a usable speed inside of the emulated machine...)
- What does the kernel level acceleration layer (kqemu) exactly do? Does it
create a separate address space (page directory) for the emulated process? Is
it possible to perform a callback from the code running under kqemu into a
procedure defined in Qemu the way I'm trying to do it (I see multiple possible
obstacles here: is the code run in a separate address space? is it run with a
separate privilege level - ring 0/1 vs ring 3)?
- Do I understand correctly that when using full acceleration (ie.
-kernel-kqemu), the dynamic translation (ie. guest code -> translation block)
is limited to code segments which cause exceptions? If so, do I infer correctly
that, unless the code I wish to trace is of such type, it will never have the
chance to call the logging procedure (because it would be included in the
translation block)?
Best regards and thank you for your time and patience.
___________________________________________________________
Support the World Aids Awareness campaign this month with Yahoo! For Good
http://uk.promotions.yahoo.com/forgood/
- [Qemu-devel] An architectural question,
Balazs Attila-Mihaly \(Cd-MaN\) <=