A deep dive into QEMU: The Tiny Code Generator (TCG), part 1

Summary

A deep dive into QEMU: The Tiny Code Generator (TCG), part 1 This blog post details some internals of the QEMU TCG engine, the machinery responsible for executing target instructions on the host. You should have already read Execution loop and Breakpoints handling blog posts to have some pointers. Be kind rewind The vCPU thread executes instructions through tcg_cpu_exec which finds and/or generates translated blocks. As previously explained, tb_gen_code will generate intermediate representation (IR) code thanks to gen_intermediate_code and then host architecture assembly instructions with tcg_gen_code: TranslationBlock *tb_gen_code(CPUState *cpu, target_ulong pc, target_ulong cs_base, uint32_t flags, int cflags) { tb = tb_alloc(pc); ... /* generate IR code */ gen_intermediate_code(cpu, tb, max_insns); ... /* generate machine code */ gen_code_size = tcg_gen_code(tcg_ctx, tb); ... } The QEMU TCG has a notion of frontend and backend operations. The frontend-ops are the generated intermediate code which is what QEMU will execute. The backend-ops are the operations implemented on the host CPU, which is where the code is executed. The QEMU git tree has a README introduction about the TCG which details the IR language. It’s an interesting read for sure. Overview The gen_intermediate_code function is a VM architecture dependent wrapper to the translator_loop generic function. Let’s imagine we were emulating PowerPC code on an Intel x86 host. The gen_intermediate_code would look like: static const TranslatorOps ppc_tr_ops = { .init_disas_context = ppc_tr_init_disas_context, .tb_start = ppc_tr_tb_start, .insn_start = ppc_tr_insn_start, .breakpoint_check = ppc_tr_breakpoint_check, .translate_insn = ppc_tr_translate_insn, .tb_stop = ppc_tr_tb_stop, .disas_log = ppc_tr_disas_log, }; void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns) { DisasContext ctx; translator_loop(&ppc_tr_ops, &ctx.base, cs, tb, max_insns); } While the translator_loop remains the s...