From: "Emilio G. Cota" <cota@braap.org>
To: Peter Maydell <peter.maydell@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Stefan Hajnoczi <stefanha@redhat.com>,
Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v6 01/22] instrument: Add documentation
Date: Fri, 6 Oct 2017 13:59:29 -0400 [thread overview]
Message-ID: <20171006175929.GA28281@flamenco> (raw)
In-Reply-To: <87vajsl3h7.fsf@frigg.lan>
On Fri, Oct 06, 2017 at 18:07:16 +0300, Lluís Vilanova wrote:
> Emilio G Cota writes:
> > On Thu, Oct 05, 2017 at 02:28:12 +0300, Lluís Vilanova wrote:
> >> The API takes care of telling you if the access could be performed
> >> successfully. If you access the instruction's memory representation at
> >> translation time, it should be able to perform the access, since QEMU's
> >> translation loop just had to do so in order to access that instruction (I should
> >> check what happens in the corner case where another guest CPU changes the page
> >> table, since I'm not sure if the address translation functions I'm using in QEMU
> >> will use the per-vCPU TLB cache or always traverse the page table).
>
> > That was my concern, I'd rather just perform the read once, that is, the read(s)
> > done by ops->insn_translate.
>
> If your concern is on performance, that should not be an issue, since you'd be
> using the memory peek functions at translation-time. Furthermore, since others
> suggested having memory peek anyway, that's a nicer way (to me) to compose APIs
> (and is less complex to implement).
My concern was the same as yours, correctness -- what happens if something
changes between the two reads? Because the two reads should always return
the same thing.
> > I see. I implemented what I suggested above, i.e. tb_trans_cb
> > (i.e. post_trans) passes an opaque descriptor of the TB (which can
> > be iterated over insn by insn) and the return value (void *) of this
> > cb will be passed by tb_exec_cb (i.e. pre_exec). Perf-wise this
> > is pretty OK, turns out even if we don't end up caring about the
> > TB, the additional per-TB helper (which might not end up calling
> > a callback) does not introduce significant overhead at execution time.
>
> So you build this structure after translating the whole TB, and the user can
> iterate it to check the translated instructions. This is closer to other
> existing tools: you iterate the structure and then decide which/how to
> instrument instructions, memory accesses, etc within it.
Correct. I suspect they went with this design because it makes sense to
do this preprocessing once, instead of having each plugin do it
themselves. I'm not sure how much we should care about supporting multiple
plugins, but the impression I get from DynamoRIO is that it seems important
to users.
> My only concern is that this is much more complex than the simpler API I propose
> (you must build the informational structures, generate calls to every possible
> instrumentation call, which will be optimized-out by TCG if the user decides not
> to use them, and overall pay in performance for any unused functionality),
> whereas your approach can be implemented on top of it.
It's pretty simple; tr_ops->translate_insn has to copy each insn.
For instance, on aarch64 (disas_a64 is called from tr_translate_insn):
-static void disas_a64_insn(CPUARMState *env, DisasContext *s)
+static void disas_a64_insn(CPUARMState *env, DisasContext *s, struct qemu_plugin_insn *q_insn)
{
uint32_t insn;
insn = arm_ldl_code(env, s->pc, s->sctlr_b);
+ if (q_insn) {
+ qemu_plugin_insn_append(q_insn, &insn, sizeof(insn));
+ }
It takes some memory though (we duplicate the guest code), but perf-wise this
isn't a big deal (an empty callback on every TB execution incurs only a 10-15%
perf slowdown).
I don't understand the part where you say that the instrumentation call can
be optimized out. Is there a special value of a "TCG promise" (at tb_trans_post
time) that removes the previously generated callback (at tb_trans_pre time)?
Otherwise I don't see how selective TB instrumentation can work at tb_trans_pre
time.
Thanks,
E.
next prev parent reply other threads:[~2017-10-06 17:59 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-13 9:53 [Qemu-devel] [PATCH v6 00/22] instrument: Add basic event instrumentation Lluís Vilanova
2017-09-13 9:57 ` [Qemu-devel] [PATCH v6 01/22] instrument: Add documentation Lluís Vilanova
2017-09-14 14:41 ` Peter Maydell
2017-09-15 13:39 ` Lluís Vilanova
2017-09-18 14:41 ` Peter Maydell
2017-09-18 17:09 ` Lluís Vilanova
2017-09-18 17:42 ` Peter Maydell
2017-09-19 13:50 ` Emilio G. Cota
2017-09-25 18:03 ` Lluís Vilanova
2017-09-25 19:42 ` Emilio G. Cota
2017-09-26 16:49 ` Lluís Vilanova
2017-09-29 13:16 ` Lluís Vilanova
2017-09-29 17:59 ` Emilio G. Cota
2017-09-29 21:46 ` Lluís Vilanova
2017-09-30 18:09 ` Emilio G. Cota
2017-10-04 23:28 ` Lluís Vilanova
2017-10-05 0:50 ` Emilio G. Cota
2017-10-06 15:07 ` Lluís Vilanova
2017-10-06 17:59 ` Emilio G. Cota [this message]
2017-10-15 16:30 ` Lluís Vilanova
2017-10-15 16:47 ` Peter Maydell
2017-10-21 14:05 ` Lluís Vilanova
2017-10-21 16:56 ` Peter Maydell
2017-10-21 17:12 ` Alex Bennée
2017-09-19 13:09 ` Peter Maydell
2017-09-18 14:33 ` Stefan Hajnoczi
2017-09-18 14:40 ` Stefan Hajnoczi
2017-09-13 10:01 ` [Qemu-devel] [PATCH v6 02/22] instrument: Add configure-time flag Lluís Vilanova
2017-09-13 10:05 ` [Qemu-devel] [PATCH v6 03/22] instrument: Add generic library loader Lluís Vilanova
2017-09-18 14:34 ` Stefan Hajnoczi
2017-09-13 10:09 ` [Qemu-devel] [PATCH v6 04/22] instrument: [linux-user] Add command line " Lluís Vilanova
2017-09-13 10:13 ` [Qemu-devel] [PATCH v6 05/22] instrument: [bsd-user] " Lluís Vilanova
2017-09-13 10:17 ` [Qemu-devel] [PATCH v6 06/22] instrument: [softmmu] " Lluís Vilanova
2017-09-13 10:21 ` [Qemu-devel] [PATCH v6 07/22] instrument: [qapi] Add " Lluís Vilanova
2017-09-13 10:25 ` [Qemu-devel] [PATCH v6 08/22] instrument: [hmp] " Lluís Vilanova
2017-09-13 10:30 ` [Qemu-devel] [PATCH v6 09/22] instrument: Add basic control interface Lluís Vilanova
2017-09-13 10:34 ` [Qemu-devel] [PATCH v6 10/22] instrument: Add support for tracing events Lluís Vilanova
2017-09-13 10:38 ` [Qemu-devel] [PATCH v6 11/22] instrument: Track vCPUs Lluís Vilanova
2017-09-13 10:42 ` [Qemu-devel] [PATCH v6 12/22] instrument: Add event 'guest_cpu_enter' Lluís Vilanova
2017-09-13 10:46 ` [Qemu-devel] [PATCH v6 13/22] instrument: Support synchronous modification of vCPU state Lluís Vilanova
2017-09-13 10:50 ` [Qemu-devel] [PATCH v6 14/22] exec: Add function to synchronously flush TB on a stopped vCPU Lluís Vilanova
2017-09-13 10:54 ` [Qemu-devel] [PATCH v6 15/22] instrument: Add event 'guest_cpu_exit' Lluís Vilanova
2017-09-13 10:58 ` [Qemu-devel] [PATCH v6 16/22] instrument: Add event 'guest_cpu_reset' Lluís Vilanova
2017-09-13 11:02 ` [Qemu-devel] [PATCH v6 17/22] trace: Introduce a proper structure to describe memory accesses Lluís Vilanova
2017-09-13 11:06 ` [Qemu-devel] [PATCH v6 18/22] instrument: Add event 'guest_mem_before_trans' Lluís Vilanova
2017-09-13 11:10 ` [Qemu-devel] [PATCH v6 19/22] instrument: Add event 'guest_mem_before_exec' Lluís Vilanova
2017-09-13 11:14 ` [Qemu-devel] [PATCH v6 20/22] instrument: Add event 'guest_user_syscall' Lluís Vilanova
2017-09-13 11:18 ` [Qemu-devel] [PATCH v6 21/22] instrument: Add event 'guest_user_syscall_ret' Lluís Vilanova
2017-09-13 11:22 ` [Qemu-devel] [PATCH v6 22/22] instrument: Add API to manipulate guest memory Lluís Vilanova
2017-09-13 11:42 ` [Qemu-devel] [PATCH v6 00/22] instrument: Add basic event instrumentation no-reply
2017-09-22 22:48 ` Emilio G. Cota
2017-09-25 18:07 ` Lluís Vilanova
2017-09-25 18:55 ` Emilio G. Cota
2017-09-26 8:17 ` Lluís Vilanova
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171006175929.GA28281@flamenco \
--to=cota@braap.org \
--cc=armbru@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.