From: 陳韋任
Date: Thu, 22 Sep 2011 10:15:53 +0800
To: Xin Tong
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] TB chaining
Message-ID: <20110922021553.GA11442@cs.nctu.edu.tw>

> I am new to QEMU, can anyone please tell me where the TB chaining code is in
> QEMU ?

struct TranslationBlock has fields used for block chaining. You also need to look into it.

cpu_exec (cpu-exec.c): it's the main execution loop, where interrupts/exceptions are handled and the translated TB is found and then executed.

    /* prepare setjmp context for exception handling */
    for(;;) {
        if (setjmp(env->jmp_env) == 0) {
            /* if an exception is pending, we execute it here */
        }
        next_tb = 0; /* force lookup of first TB */
        for(;;) {
            interrupt_request = env->interrupt_request;
            if (unlikely(interrupt_request)) {
            }
            tb = tb_find_fast(env);
            if (next_tb != 0 && tb->page_addr[1] == -1) {
                tb_add_jump((TranslationBlock *)(next_tb & ~3), next_tb & 3, tb);
            }
            if (likely(!env->exit_request)) {
                tc_ptr = tb->tc_ptr;
                /* execute the generated code */
                next_tb = tcg_qemu_tb_exec(env, tc_ptr);
            }
        }
    }

tb_add_jump does block chaining.
The variable names next_tb and tb could be misleading here. tb_add_jump will link next_tb to tb, i.e., next_tb -> tb. And QEMU uses the last two bits of the pointer to TranslationBlock to encode the direction of the block chaining. For example, next_tb[0] might be the if branch, and next_tb[1] might be the else branch.

Block chaining can be done directly or indirectly. Direct means you patch the translated code in the translation code cache, so that it will jump to the next translated code block, which is then executed. Indirect means you use the TranslationBlock tb_next field to point to the next translated code block in the translation code cache. On hosts like x86 and ARM, direct block chaining is used. Also note that when QEMU generates host binary from TCG IR, it will leave some space for further block chaining to do the patch.

Regards,
chenwj

-- 
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
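The pointer-tag encoding and the page_addr[1] check from the reply, as a small model added by the editor (not QEMU's code and not from the thread): the reduced struct, the jmp_next array standing in for the tb_next field of indirect chaining, the Step trace and the tb_reset_links helper are all constructed for illustration, and the trace data is made up.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
/* Reduced model of the fields the reply discusses (constructed; not QEMU's real struct). */
typedef struct TranslationBlock {
    intptr_t page_addr[2];                 /* page_addr[1] == -1: the TB stays within one page */
    struct TranslationBlock *jmp_next[2];  /* indirect chaining: successor per exit direction */
} TranslationBlock;
/* What generated code hands back to cpu_exec: the TB pointer with the exit direction in bits 0-1. */
static uintptr_t tb_exit(const TranslationBlock *tb, unsigned n)
{
    assert(n < 2 && ((uintptr_t)tb & 3) == 0);   /* the low two bits must be free for the tag */
    return (uintptr_t)tb | n;
}
static TranslationBlock *exit_tb(uintptr_t next_tb) { return (TranslationBlock *)(next_tb & ~(uintptr_t)3); }
static unsigned exit_dir(uintptr_t next_tb) { return (unsigned)(next_tb & 3); }
/* Indirect chaining: route exit n of tb to tb_next; returns 1 if a new link was installed. */
static int tb_add_jump(TranslationBlock *tb, unsigned n, TranslationBlock *tb_next)
{
    if (tb->jmp_next[n] != NULL) return 0;       /* already chained, leave it alone */
    tb->jmp_next[n] = tb_next;
    return 1;
}
/* Drop every link into victim; must happen before its code is invalidated or its memory reused. */
static int tb_reset_links(TranslationBlock *tbs, size_t count, const TranslationBlock *victim)
{
    int dropped = 0;
    for (size_t i = 0; i < count; i++)
        for (unsigned n = 0; n < 2; n++)
            if (tbs[i].jmp_next[n] == victim) { tbs[i].jmp_next[n] = NULL; dropped++; }
    return dropped;
}
typedef struct { size_t tb; unsigned dir; } Step;  /* which TB ran and which exit it took */
/* cpu_exec's inner loop over a constructed trace; returns the number of links installed. */
static int run_trace(TranslationBlock *tbs, const Step *path, size_t steps)
{
    uintptr_t next_tb = 0;                         /* force lookup of first TB */
    int links = 0;
    for (size_t i = 0; i < steps; i++) {
        TranslationBlock *tb = &tbs[path[i].tb];   /* stands in for tb_find_fast() */
        if (next_tb != 0 && tb->page_addr[1] == -1)
            links += tb_add_jump(exit_tb(next_tb), exit_dir(next_tb), tb);
        next_tb = tb_exit(tb, path[i].dir);        /* stands in for tcg_qemu_tb_exec() */
    }
    return links;
}
/* Constructed TBs A, B, C: C straddles a page boundary, so nothing may chain into it. */
TranslationBlock demo_tbs[3] = { {{0x1000, -1}, {0, 0}}, {{0x2000, -1}, {0, 0}}, {{0x3ff0, 0x4000}, {0, 0}} };
const Step demo_path[5] = { {0, 0}, {1, 1}, {0, 0}, {1, 0}, {2, 0} };   /* A->B->A->B->C */
```

Running the trace installs exactly two links (A exit 0 to B, B exit 1 to A); the second visit to B finds A's slot already chained and the entry into C is skipped because of page_addr[1].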