Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

qemu memory operations

Tags:

memory

qemu

kvm

virtualization

I intend to use Qemu to generate a memory trace for the execution of a x86 guest operating system.

According to tcg wiki page, Qemu uses a handful of helpers to generate load/stores to the target(guest) memory. This list of instructions is tcg_gen_qemu_ld8s/u, tcg_gen_qemu_ld16s/u, tcg_gen_qemu_ld32s/u, tcg_gen_qemu_ld64. (We have a similar set for store instructions). I am trapping all calls to the above functions in the target-i386/translate.c file

However, I am still missing load/stores of certain instructions like

cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0

Questions :

  1. Can someone please point to other load/store points (direct or indirect) that I am missing ??
  2. Does qemu provide a single entry point function for accesses to guest memory (like guest_read()) which can be instrumented for tracing all loads from the guest memory ???
  3. Can somebody please point to a good documentation where I can understand how qemu maintains the state of the guest memory ??

Sorry friends for the misleading instructions in the previous mail.

cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0

It seems all the above instructions are getting covered with the tcg_gen_ld/st helpers.

But now I have stumbled upon another problem :
I initially thought that all the interactions with the guest memory happen through the helper instructions in the translate.c file. However, I found that the helper functions for some instructions like cmpxcgh8b and cmpxchg16b are actually accessing guest memory.

So, does it mean there are more than one entry points for reading guest memory. Can some one please explain how are the ldq and stq instructions translated to access the guest memory ??

like image 325
prathmesh.kallurkar Avatar asked Aug 12 '12 16:08

prathmesh.kallurkar

1 Answers

The other functions that load data are called cpu_ld*_data and cpu_st*_data, or cpu_ld*_data_ra and cpu_st*_data_ra. The _ra version have an additional argument, which is the address of the caller in the generated code. It is used to compute the address of the faulting instruction in case the load or store generates a page fault.

For example, grepping for cmpxchg8b gives

target/i386/mem_helper.c:void helper_cmpxchg8b(CPUX86State *env, target_ulong a0)

and inside that function:

uintptr_t ra = GETPC();
...
oldv = cpu_ldq_data_ra(env, a0, ra);
newv = (cmpv == oldv ? newv : oldv);
/* always do the store */
cpu_stq_data_ra(env, a0, newv, ra);
like image 99
Paolo Bonzini Avatar answered Sep 30 '22 19:09

Paolo Bonzini
Sign in to Comment

Related questions

node.js process out of memory error
Interactively work with list objects that take up massive memory
What is the need for having "nmem" and "size" parameters in C functions? [duplicate]
How to minimize memory consumption of c++ program using copy-on-write?
Why modifying global variable increases memory usage in Chrome
Java Object Memory Footprint - Visualvm and java.sizeOf measurement
What could cause this memory issue?
Memory allocation optimized away by compilers
Difference between Bytearray and List in Python
UWP - Frame navigation seems to cause unmanaged memory leaks
Confusing Caching Behaviour of a Simple C Program
Emulating a memory barrier in Java to get rid of volatile reads
Growing Resident Size Set in JVM
alignment and granularity of mmap
Monitoring directory for changes - potential high memory
Memory leak in batch for loop?
PHPExcel memory issue
precautions to take to prevent memory leaks due to added event handles
Reserving a portion of SDRAM to pass data between U-Boot and the Linux Kernel
PHP: how are query results stored in mysqli_result

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!