12
32
@chapter Introduction
35
* intro_features:: Features
36
* intro_x86_emulation:: x86 emulation
37
* intro_arm_emulation:: ARM emulation
38
* intro_mips_emulation:: MIPS emulation
39
* intro_ppc_emulation:: PowerPC emulation
40
* intro_sparc_emulation:: SPARC emulation
16
46
QEMU is a FAST! processor emulator using a portable dynamic
24
54
Full system emulation. In this mode, QEMU emulates a full system
25
(usually a PC), including a processor and various peripherials. It can
55
(usually a PC), including a processor and various peripherals. It can
26
56
be used to launch an different Operating System without rebooting the
27
57
PC or to debug system code.
30
60
User mode emulation (Linux host only). In this mode, QEMU can launch
31
61
Linux processes compiled for one CPU on another CPU. It can be used to
32
62
launch the Wine Windows API emulator (@url{http://www.winehq.org}) or
52
82
@item Precise exceptions support.
54
@item The virtual CPU is a library (@code{libqemu}) which can be used
84
@item The virtual CPU is a library (@code{libqemu}) which can be used
55
85
in other projects (look at @file{qemu/tests/qruncom.c} to have an
56
86
example of user mode @code{libqemu} usage).
60
90
QEMU user mode emulation features:
62
92
@item Generic Linux system call converter, including most ioctls.
64
94
@item clone() emulation using native CPU clone() to use Linux scheduler for threads.
66
@item Accurate signal handling by remapping host signals to target signals.
96
@item Accurate signal handling by remapping host signals to target signals.
70
99
QEMU full system emulation features:
72
101
@item QEMU can either use a full software MMU for maximum portability or use the host system call mmap() to simulate the target MMU.
104
@node intro_x86_emulation
75
105
@section x86 emulation
77
107
QEMU x86 target features:
81
@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation.
111
@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation.
82
112
LDT/GDT and IDT are emulated. VM86 mode is also supported to run DOSEMU.
84
114
@item Support of host page sizes bigger than 4KB in user mode emulation.
86
116
@item QEMU can emulate itself on x86.
88
@item An extensive Linux x86 CPU test program is included @file{tests/test-i386}.
118
@item An extensive Linux x86 CPU test program is included @file{tests/test-i386}.
89
119
It can be used to test other x86 virtual CPUs.
93
123
Current QEMU limitations:
97
127
@item No SSE/MMX support (yet).
101
131
@item IPC syscalls are missing.
103
@item The x86 segment limits and access rights are not tested at every
133
@item The x86 segment limits and access rights are not tested at every
104
134
memory access (yet). Hopefully, very few OSes seem to rely on that for
107
@item On non x86 host CPUs, @code{double}s are used instead of the non standard
137
@item On non x86 host CPUs, @code{double}s are used instead of the non standard
108
138
10 byte @code{long double}s of x86 for floating point emulation to get
109
139
maximum performances.
143
@node intro_arm_emulation
113
144
@section ARM emulation
156
@node intro_mips_emulation
157
@section MIPS emulation
161
@item The system emulation allows full MIPS32/MIPS64 Release 2 emulation,
162
including privileged instructions, FPU and MMU, in both little and big
165
@item The Linux userland emulation can run many 32 bit MIPS Linux binaries.
169
Current QEMU limitations:
173
@item Self-modifying code is not always handled correctly.
175
@item 64 bit userland emulation is not implemented.
177
@item The system emulation is not complete enough to run real firmware.
179
@item The watchpoint debug facility is not implemented.
183
@node intro_ppc_emulation
125
184
@section PowerPC emulation
129
@item Full PowerPC 32 bit emulation, including priviledged instructions,
188
@item Full PowerPC 32 bit emulation, including privileged instructions,
132
191
@item Can run most PowerPC Linux binaries.
195
@node intro_sparc_emulation
136
196
@section SPARC emulation
140
@item SPARC V8 user support, except FPU instructions.
142
@item Can run some SPARC Linux binaries.
200
@item Full SPARC V8 emulation, including privileged
201
instructions, FPU and MMU. SPARC V9 emulation includes most privileged
202
and VIS instructions, FPU and I/D MMU. Alignment is fully enforced.
204
@item Can run most 32-bit SPARC Linux binaries, SPARC32PLUS Linux binaries and
205
some 64-bit SPARC Linux binaries.
209
Current QEMU limitations:
213
@item IPC syscalls are missing.
215
@item Floating point exception support is buggy.
217
@item Atomic instructions are not correctly implemented.
219
@item Sparc64 emulators are not usable for anything yet.
146
224
@chapter QEMU Internals
227
* QEMU compared to other emulators::
228
* Portable dynamic translation::
229
* Register allocation::
230
* Condition code optimisations::
231
* CPU state optimisations::
232
* Translation cache::
233
* Direct block chaining::
234
* Self-modifying code and translated code invalidation::
235
* Exception support::
237
* Hardware interrupts::
238
* User emulation specific details::
242
@node QEMU compared to other emulators
148
243
@section QEMU compared to other emulators
150
245
Like bochs [3], QEMU emulates an x86 CPU. But QEMU is much faster than
168
263
TWIN [6] is a Windows API emulator like Wine. It is less accurate than
169
264
Wine but includes a protected mode x86 interpreter to launch x86 Windows
170
executables. Such an approach as greater potential because most of the
265
executables. Such an approach has greater potential because most of the
171
266
Windows API is executed natively but it is far more difficult to develop
172
267
because all the data structures and function parameters exchanged
173
268
between the API and the x86 code must be converted.
191
286
and potentially unsafe host drivers. Moreover, they are unable to
192
287
provide cycle exact simulation as an emulator can.
289
@node Portable dynamic translation
194
290
@section Portable dynamic translation
196
292
QEMU is a dynamic translator. When it first encounters a piece of code,
207
303
instructions to build a function (see @file{op.h:dyngen_code()}).
209
305
In essence, the process is similar to [1], but more work is done at
212
308
A key idea to get optimal performances is that constant parameters can
213
309
be passed to the simple operations. For that purpose, dummy ELF
220
316
To go even faster, GCC static register variables are used to keep the
221
317
state of the virtual CPU.
319
@node Register allocation
223
320
@section Register allocation
225
322
Since QEMU uses fixed simple instructions, no efficient register
227
324
register, most of the virtual CPU state can be put in registers without
228
325
doing complicated register allocation.
327
@node Condition code optimisations
230
328
@section Condition code optimisations
232
330
Good CPU condition codes emulation (@code{EFLAGS} register on x86) is a
245
343
the condition codes are not needed by the next instructions, no
246
344
condition codes are computed at all.
346
@node CPU state optimisations
248
347
@section CPU state optimisations
250
349
The x86 CPU has many internal states which change the way it evaluates
257
356
[The FPU stack pointer register is not handled that way yet].
358
@node Translation cache
259
359
@section Translation cache
261
A 2MByte cache holds the most recently used translations. For
361
A 16 MByte cache holds the most recently used translations. For
262
362
simplicity, it is completely flushed when it is full. A translation unit
263
363
contains just a single basic block (a block of x86 instructions
264
364
terminated by a jump or by a virtual CPU state change which the
265
365
translator cannot deduce statically).
367
@node Direct block chaining
267
368
@section Direct block chaining
269
370
After each translated basic block is executed, QEMU uses the simulated
279
380
architectures (such as x86 or PowerPC), the @code{JUMP} opcode is
280
381
directly patched so that the block chaining has no overhead.
383
@node Self-modifying code and translated code invalidation
282
384
@section Self-modifying code and translated code invalidation
284
386
Self-modifying code is a special challenge in x86 emulation because no
294
396
Correct translated code invalidation is done efficiently by maintaining
295
397
a linked list of every translated block contained in a given page. Other
296
linked lists are also maintained to undo direct block chaining.
398
linked lists are also maintained to undo direct block chaining.
298
400
Although the overhead of doing @code{mprotect()} calls is important,
299
401
most MSDOS programs can be emulated at reasonnable speed with QEMU and
309
411
really needs to be invalidated. It avoids invalidating the code when
310
412
only data is modified in the page.
414
@node Exception support
312
415
@section Exception support
314
417
longjmp() is used when an exception such as division by zero is
317
420
The host SIGSEGV and SIGBUS signal handlers are used to get invalid
318
421
memory accesses. The exact CPU state can be retrieved because all the
340
444
In order to avoid flushing the translated code each time the MMU
341
445
mappings change, QEMU uses a physically indexed translation cache. It
342
means that each basic block is indexed with its physical address.
446
means that each basic block is indexed with its physical address.
344
448
When MMU mappings change, only the chaining of the basic blocks is
345
449
reset (i.e. a basic block can no longer jump directly to another one).
451
@node Hardware interrupts
347
452
@section Hardware interrupts
349
454
In order to be faster, QEMU does not check at every basic block if an
433
540
x86 emulator on Alpha-Linux.
436
@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/chernoff/chernoff.pdf},
543
@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/@/full_papers/chernoff/chernoff.pdf},
437
544
DIGITAL FX!32: Running 32-Bit x86 Applications on Alpha NT, by Anton
438
545
Chernoff and Ray Hookway.
442
549
Willows Software.
445
@url{http://user-mode-linux.sourceforge.net/},
552
@url{http://user-mode-linux.sourceforge.net/},
446
553
The User-mode Linux Kernel.
449
@url{http://www.plex86.org/},
556
@url{http://www.plex86.org/},
450
557
The new Plex86 project.
453
@url{http://www.vmware.com/},
560
@url{http://www.vmware.com/},
454
561
The VMWare PC virtualizer.
457
@url{http://www.microsoft.com/windowsxp/virtualpc/},
564
@url{http://www.microsoft.com/windowsxp/virtualpc/},
458
565
The VirtualPC PC virtualizer.
461
@url{http://www.twoostwo.org/},
568
@url{http://www.twoostwo.org/},
462
569
The TwoOStwo PC virtualizer.
573
@node Regression Tests
466
574
@chapter Regression Tests
468
576
In the directory @file{tests/}, various interesting testing programs
469
are available. There are used for regression testing.
577
are available. They are used for regression testing.
471
586
@section @file{test-i386}
473
588
This program executes most of the 16 bit and 32 bit x86 instructions and
483
598
Various exceptions are raised to test most of the x86 user space
484
599
exception reporting.
486
602
@section @file{linux-test}
488
604
This program tests various Linux system calls. It is used to verify
489
605
that the system call parameters are correctly converted between target
492
@section @file{hello-i386}
494
Very simple statically linked x86 program, just to test QEMU during a
495
port to a new host CPU.
497
@section @file{hello-arm}
499
Very simple statically linked ARM program, just to test QEMU during a
500
port to a new host CPU.
504
It is a simple benchmark. Care must be taken to interpret the results
505
because it mostly tests the ability of the virtual CPU to optimize the
506
@code{rol} x86 instruction and the condition code computations.
609
@section @file{qruncom.c}
611
Example of usage of @code{libqemu} to emulate a user mode i386 CPU.
added
removed
qemu-tech.texi
