qemu memory operations
Asked Answered
G

1

8

I intend to use Qemu to generate a memory trace for the execution of a x86 guest operating system.

According to tcg wiki page, Qemu uses a handful of helpers to generate load/stores to the target(guest) memory. This list of instructions is tcg_gen_qemu_ld8s/u, tcg_gen_qemu_ld16s/u, tcg_gen_qemu_ld32s/u, tcg_gen_qemu_ld64. (We have a similar set for store instructions). I am trapping all calls to the above functions in the target-i386/translate.c file

However, I am still missing load/stores of certain instructions like

cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0

Questions :

  1. Can someone please point to other load/store points (direct or indirect) that I am missing ??
  2. Does qemu provide a single entry point function for accesses to guest memory (like guest_read()) which can be instrumented for tracing all loads from the guest memory ???
  3. Can somebody please point to a good documentation where I can understand how qemu maintains the state of the guest memory ??

Sorry friends for the misleading instructions in the previous mail.

cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0

It seems all the above instructions are getting covered with the tcg_gen_ld/st helpers.

But now I have stumbled upon another problem :
I initially thought that all the interactions with the guest memory happen through the helper instructions in the translate.c file. However, I found that the helper functions for some instructions like cmpxcgh8b and cmpxchg16b are actually accessing guest memory.

So, does it mean there are more than one entry points for reading guest memory. Can some one please explain how are the ldq and stq instructions translated to access the guest memory ??

Gean answered 12/8, 2012 at 16:46 Comment(0)
B
3

The other functions that load data are called cpu_ld*_data and cpu_st*_data, or cpu_ld*_data_ra and cpu_st*_data_ra. The _ra version have an additional argument, which is the address of the caller in the generated code. It is used to compute the address of the faulting instruction in case the load or store generates a page fault.

For example, grepping for cmpxchg8b gives

target/i386/mem_helper.c:void helper_cmpxchg8b(CPUX86State *env, target_ulong a0)

and inside that function:

uintptr_t ra = GETPC();
...
oldv = cpu_ldq_data_ra(env, a0, ra);
newv = (cmpv == oldv ? newv : oldv);
/* always do the store */
cpu_stq_data_ra(env, a0, newv, ra);
Breadroot answered 11/4, 2017 at 18:49 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.