Archipelago » qemu

\input texinfo @c -*- texinfo -*-

@settitle QEMU x86 Emulator Reference Documentation

@titlepage

@sp 7

@center @titlefont{QEMU x86 Emulator Reference Documentation}

@sp 3

@end titlepage

@chapter Introduction

QEMU is an x86 processor emulator. Its purpose is to run x86 Linux

processes on non-x86 Linux architectures such as PowerPC or ARM. By

using dynamic translation it achieves a reasonnable speed while being

easy to port on new host CPUs. Its main goal is to be able to launch the

@code{Wine} Windows API emulator (@url{http://www.winehq.org}) on

non-x86 CPUs.

QEMU features:

@itemize 

@item User space only x86 emulator.

@item Currently ported on i386, PowerPC and S390.

@item Using dynamic translation to native code for reasonnable speed.

@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation. 

User space LDT and GDT are emulated. VM86 mode is also supported

(experimental).

@item Generic Linux system call converter, including most ioctls.

@item clone() emulation using native CPU clone() to use Linux scheduler for threads.

@item Accurate signal handling by remapping host signals to virtual x86 signals.

@item QEMU can emulate itself on x86 (experimental).

@item The virtual x86 CPU is a library (@code{libqemu}) which can be used 

in other projects.

@item An extensive Linux x86 CPU test program is included @file{tests/test-i386}. 

It can be used to test other x86 virtual CPUs.

@end itemize

Current QEMU Limitations:

@itemize 

@item Not all x86 exceptions are precise (yet). [Very few programs need that].

@item No support for self-modifying code (yet). [Very few programs need that, a notable exception is QEMU itself !].

@item No SSE/MMX support (yet).

@item No x86-64 support.

@item Some Linux syscalls are missing.

@item The x86 segment limits and access rights are not tested at every 

memory access (and will never be to have good performances).

@item On non x86 host CPUs, @code{double}s are used instead of the non standard 

10 byte @code{long double}s of x86 for floating point emulation to get

maximum performances.

@end itemize

@chapter Invocation

@section Quick Start

In order to launch a Linux process, QEMU needs the process executable

itself and all the target (x86) dynamic libraries used by it. 

@itemize

@item On x86, you can just try to launch any process by using the native

libraries:

@example 

qemu -L / /bin/ls

@end example

@code{-L /} tells that the x86 dynamic linker must be searched with a

@file{/} prefix.

@item Since QEMU is also a linux process, you can launch qemu with qemu:

@example 

qemu -L / qemu -L / /bin/ls

@end example

@item On non x86 CPUs, you need first to download at least an x86 glibc

(@file{qemu-XXX-i386-glibc21.tar.gz} on the QEMU web page). Ensure that

@code{LD_LIBRARY_PATH} is not set:

@example

unset LD_LIBRARY_PATH 

@end example

Then you can launch the precompiled @file{ls} x86 executable:

@example

qemu /usr/local/qemu-i386/bin/ls-i386

@end example

You can look at @file{/usr/local/qemu-i386/bin/qemu-conf.sh} so that

QEMU is automatically launched by the Linux kernel when you try to

launch x86 executables. It requires the @code{binfmt_misc} module in the

Linux kernel.

@item The x86 version of QEMU is also included. You can try weird things such as:

@example

qemu /usr/local/qemu-i386/bin/qemu-i386 /usr/local/qemu-i386/bin/ls-i386

@end example

@end itemize

@section Wine launch (Currently only tested when emulating x86 on x86)

@itemize

@item Ensure that you have a working QEMU with the x86 glibc

distribution (see previous section). In order to verify it, you must be

able to do:

@example

qemu /usr/local/qemu-i386/bin/ls-i386

@end example

@item Download the binary x86 Wine install

(@file{qemu-XXX-i386-wine.tar.gz} on the QEMU web page). 

@item Configure Wine on your account. Look at the provided script

@file{/usr/local/qemu-i386/bin/wine-conf.sh}. Your previous

@code{$@{HOME@}/.wine} directory is saved to @code{$@{HOME@}/.wine.org}.

@item Then you can try the example @file{putty.exe}:

@example

qemu /usr/local/qemu-i386/wine/bin/wine /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe

@end example

@end itemize

@section Command line options

@example

usage: qemu [-h] [-d] [-L path] [-s size] program [arguments...]

@end example

@table @samp

@item -h

Print the help

@item -d

Activate log (logfile=/tmp/qemu.log)

@item -L path   

Set the x86 elf interpreter prefix (default=/usr/local/qemu-i386)

@item -s size

Set the x86 stack size in bytes (default=524288)

@end table

@chapter QEMU Internals

@section QEMU compared to other emulators

Unlike bochs [3], QEMU emulates only a user space x86 CPU. It means that

you cannot launch an operating system with it. The benefit is that it is

simpler and faster due to the fact that some of the low level CPU state

can be ignored (in particular, no virtual memory needs to be emulated).

Like Valgrind [2], QEMU does user space emulation and dynamic

translation. Valgrind is mainly a memory debugger while QEMU has no

support for it (QEMU could be used to detect out of bound memory accesses

as Valgrind, but it has no support to track uninitialised data as

Valgrind does). Valgrind dynamic translator generates better code than

QEMU (in particular it does register allocation) but it is closely tied

to an x86 host.

EM86 [4] is the closest project to QEMU (and QEMU still uses some of its

code, in particular the ELF file loader). EM86 was limited to an alpha

host and used a proprietary and slow interpreter (the interpreter part

of the FX!32 Digital Win32 code translator [5]).

TWIN [6] is a Windows API emulator like Wine. It is less accurate than

Wine but includes a protected mode x86 interpreter to launch x86 Windows

executables. Such an approach as greater potential because most of the

Windows API is executed natively but it is far more difficult to develop

because all the data structures and function parameters exchanged

between the API and the x86 code must be converted.

@section Portable dynamic translation

QEMU is a dynamic translator. When it first encounters a piece of code,

it converts it to the host instruction set. Usually dynamic translators

are very complicated and highly CPU dependant. QEMU uses some tricks

which make it relatively easily portable and simple while achieving good

performances.

The basic idea is to split every x86 instruction into fewer simpler

instructions. Each simple instruction is implemented by a piece of C

code (see @file{op-i386.c}). Then a compile time tool (@file{dyngen})

takes the corresponding object file (@file{op-i386.o}) to generate a

dynamic code generator which concatenates the simple instructions to

build a function (see @file{op-i386.h:dyngen_code()}).

In essence, the process is similar to [1], but more work is done at

compile time. 

A key idea to get optimal performances is that constant parameters can

be passed to the simple operations. For that purpose, dummy ELF

relocations are generated with gcc for each constant parameter. Then,

the tool (@file{dyngen}) can locate the relocations and generate the

appriopriate C code to resolve them when building the dynamic code.

That way, QEMU is no more difficult to port than a dynamic linker.

To go even faster, GCC static register variables are used to keep the

state of the virtual CPU.

@section Register allocation

Since QEMU uses fixed simple instructions, no efficient register

allocation can be done. However, because RISC CPUs have a lot of

register, most of the virtual CPU state can be put in registers without

doing complicated register allocation.

@section Condition code optimisations

Good CPU condition codes emulation (@code{EFLAGS} register on x86) is a

critical point to get good performances. QEMU uses lazy condition code

evaluation: instead of computing the condition codes after each x86

instruction, it just stores one operand (called @code{CC_SRC}), the

result (called @code{CC_DST}) and the type of operation (called

@code{CC_OP}).

@code{CC_OP} is almost never explicitely set in the generated code

because it is known at translation time.

In order to increase performances, a backward pass is performed on the

generated simple instructions (see

@code{translate-i386.c:optimize_flags()}). When it can be proved that

the condition codes are not needed by the next instructions, no

condition codes are computed at all.

@section CPU state optimisations

The x86 CPU has many internal states which change the way it evaluates

instructions. In order to achieve a good speed, the translation phase

considers that some state information of the virtual x86 CPU cannot

change in it. For example, if the SS, DS and ES segments have a zero

base, then the translator does not even generate an addition for the

segment base.

[The FPU stack pointer register is not handled that way yet].

@section Translation cache

A 2MByte cache holds the most recently used translations. For

simplicity, it is completely flushed when it is full. A translation unit

contains just a single basic block (a block of x86 instructions

terminated by a jump or by a virtual CPU state change which the

translator cannot deduce statically).

[Currently, the translated code is not patched if it jumps to another

translated code].

@section Exception support

longjmp() is used when an exception such as division by zero is

encountered. The host SIGSEGV and SIGBUS signal handlers are used to get

invalid memory accesses. 

[Currently, the virtual CPU cannot retrieve the exact CPU state in some

exceptions, although it could except for the @code{EFLAGS} register].

@section Linux system call translation

QEMU includes a generic system call translator for Linux. It means that

the parameters of the system calls can be converted to fix the

endianness and 32/64 bit issues. The IOCTLs are converted with a generic

type description system (see @file{ioctls.h} and @file{thunk.c}).

@section Linux signals

Normal and real-time signals are queued along with their information

(@code{siginfo_t}) as it is done in the Linux kernel. Then an interrupt

request is done to the virtual CPU. When it is interrupted, one queued

signal is handled by generating a stack frame in the virtual CPU as the

Linux kernel does. The @code{sigreturn()} system call is emulated to return

from the virtual signal handler.

Some signals (such as SIGALRM) directly come from the host. Other

signals are synthetized from the virtual CPU exceptions such as SIGFPE

when a division by zero is done (see @code{main.c:cpu_loop()}).

The blocked signal mask is still handled by the host Linux kernel so

that most signal system calls can be redirected directly to the host

Linux kernel. Only the @code{sigaction()} and @code{sigreturn()} system

calls need to be fully emulated (see @file{signal.c}).

@section clone() system call and threads

The Linux clone() system call is usually used to create a thread. QEMU

uses the host clone() system call so that real host threads are created

for each emulated thread. One virtual CPU instance is created for each

thread.

The virtual x86 CPU atomic operations are emulated with a global lock so

that their semantic is preserved.

@section Self-virtualization

QEMU was conceived so that ultimately it can emulate itself. Althought

it is not very useful, it is an important test to show the power of the

emulator.

Achieving self-virtualization is not easy because there may be address

space conflicts. QEMU solves this problem by being an executable ELF

shared object as the ld-linux.so ELF interpreter. That way, it can be

relocated at load time.

Since self-modifying code is not supported yet, QEMU cannot emulate

itself in case of translation cache flush. This limitation will be

suppressed soon.

@section Bibliography

@table @asis

@item [1] 

@url{http://citeseer.nj.nec.com/piumarta98optimizing.html}, Optimizing

direct threaded code by selective inlining (1998) by Ian Piumarta, Fabio

Riccardi.

@item [2]

@url{http://developer.kde.org/~sewardj/}, Valgrind, an open-source

memory debugger for x86-GNU/Linux, by Julian Seward.

@item [3]

@url{http://bochs.sourceforge.net/}, the Bochs IA-32 Emulator Project,

by Kevin Lawton et al.

@item [4]

@url{http://www.cs.rose-hulman.edu/~donaldlf/em86/index.html}, the EM86

x86 emulator on Alpha-Linux.

@item [5]

@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/chernoff/chernoff.pdf},

DIGITAL FX!32: Running 32-Bit x86 Applications on Alpha NT, by Anton

Chernoff and Ray Hookway.

@item [6]

@url{http://www.willows.com/}, Windows API library emulation from

Willows Software.

@end table

@chapter Regression Tests

In the directory @file{tests/}, various interesting x86 testing programs

are available. There are used for regression testing.

@section @file{hello}

Very simple statically linked x86 program, just to test QEMU during a

port to a new host CPU.

@section @file{test-i386}

This program executes most of the 16 bit and 32 bit x86 instructions and

generates a text output. It can be compared with the output obtained with

a real CPU or another emulator. The target @code{make test} runs this

program and a @code{diff} on the generated output.

The Linux system call @code{modify_ldt()} is used to create x86 selectors

to test some 16 bit addressing and 32 bit with segmentation cases.

@section @file{testsig}

This program tests various signal cases, including SIGFPE, SIGSEGV and

SIGILL.

@section @file{testclone}

Tests the @code{clone()} system call (basic test).

@section @file{testthread}

Tests the glibc threads (more complicated than @code{clone()} because signals

are also used).

@section @file{sha1}

It is a simple benchmark. Care must be taken to interpret the results

because it mostly tests the ability of the virtual CPU to optimize the

@code{rol} x86 instruction and the condition code computations.

@section @file{runcom}

A very simple MSDOS emulator to test the Linux vm86() system call

emulation. The excellent 54 byte @file{pi_10.com} PI number calculator

can be launched with it. @file{pi_10.com} was written by Bertram

Felgenhauer (more information at @url{http://www.boo.net/~jasonp/pipage.html}).