[Qemu-devel] [PATCH 00/10] qemu-tech cleanup

[Qemu-devel] [PATCH 00/10] qemu-tech cleanup

[Paolo Bonzini]

qemu-tech is limited to TCG and large parts of it are obsolete or are
just fine in qemu-doc.  Split it into other sources of documentation,
placing what's left in an appendix of qemu-doc.

Ultimately we should have a new internals manual built from docs/, and
then the "Translator Internals" parts of qemu-tech could move to docs/
as well.  The bits on limitation and features of CPU emulation should
remain in qemu-doc.  They are not entirely up-to-date, but I am not
attempting to improve that yet---also because I could only really do
that for x86.

Paolo Bonzini (10):
  qemu-tech: drop index
  qemu-doc: replace introduction with the one from the internals manual
  qemu-doc: drop installation and compilation notes
  qemu-tech: move text from qemu-tech to tcg/README
  qemu-tech: document lazy condition code evaluation in cpu.h
  qemu-tech: move user mode emulation features from qemu-tech
  qemu-tech: move TCG test documentation to tests/tcg/README
  qemu-tech: reorganize content
  qemu-tech: rewrite some parts
  qemu-doc: merge qemu-tech and qemu-doc

 .gitignore         |   2 -
 Makefile           |  13 +-
 README             |   2 -
 qemu-doc.texi      | 352 +++++++--------------------------
 qemu-tech.texi     | 557 +++++++++++------------------------------------------
 qemu.nsi           |   3 -
 target-cris/cpu.h  |   7 +
 target-i386/cpu.h  |   7 +
 target-m68k/cpu.h  |   8 +
 target-sparc/cpu.h |   5 +
 tcg/README         |   5 +
 tests/tcg/README   |  76 ++++++++
 ui/cocoa.m         |   9 -
 13 files changed, 301 insertions(+), 745 deletions(-)
 create mode 100644 tests/tcg/README

-- 
2.7.4

[Qemu-devel] [PATCH 01/10] qemu-tech: drop index

[Paolo Bonzini]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 1b048cb..be1c210 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -32,7 +32,6 @@
 * Introduction::
 * QEMU Internals::
 * Regression Tests::
-* Index::
 @end menu
 @end ifnottex
 
@@ -691,8 +690,4 @@ This program tests various Linux system calls. It is used to verify
 that the system call parameters are correctly converted between target
 and host CPUs.
 
-@node Index
-@chapter Index
-@printindex cp
-
 @bye
-- 
2.7.4

[Qemu-devel] [PATCH 02/10] qemu-doc: replace introduction with the one from the internals manual

[Paolo Bonzini]

The user manual has an obsolete introduction, while the one in
the internals manual lists QEMU's features quite nicely.
Drop the obsolete content and remove generic user-level
documentation from qemu-tech.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-doc.texi  | 84 +++++++++++++++++++++++++++++--------------------------
 qemu-tech.texi | 88 ----------------------------------------------------------
 2 files changed, 44 insertions(+), 128 deletions(-)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index f37fd31..9f75c9d 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -57,65 +57,69 @@
 QEMU is a FAST! processor emulator using dynamic translation to
 achieve good emulation speed.
 
+@cindex operating modes
 QEMU has two operating modes:
 
 @itemize
-@cindex operating modes
-
-@item
 @cindex system emulation
-Full system emulation. In this mode, QEMU emulates a full system (for
+@item Full system emulation. In this mode, QEMU emulates a full system (for
 example a PC), including one or several processors and various
 peripherals. It can be used to launch different Operating Systems
 without rebooting the PC or to debug system code.
 
-@item
 @cindex user mode emulation
-User mode emulation. In this mode, QEMU can launch
+@item User mode emulation. In this mode, QEMU can launch
 processes compiled for one CPU on another CPU. It can be used to
 launch the Wine Windows API emulator (@url{http://www.winehq.org}) or
 to ease cross-compilation and cross-debugging.
 
 @end itemize
 
-QEMU can run without a host kernel driver and yet gives acceptable
-performance.
+QEMU has the following features:
+
+@itemize
+@item QEMU can run without a host kernel driver and yet gives acceptable
+performance.  It uses dynamic translation to native code for reasonable speed,
+with support for self-modifying code and precise exceptions.
+
+@item It is portable to several operating systems (GNU/Linux, *BSD, Mac OS X,
+Windows) and architectures.
+
+@item It performs accurate software emulation of the FPU.
+@end itemize
 
-For system emulation, the following hardware targets are supported:
+QEMU user mode emulation has the following features:
 @itemize
-@cindex emulated target systems
-@cindex supported target systems
-@item PC (x86 or x86_64 processor)
-@item ISA PC (old style PC without PCI bus)
-@item PREP (PowerPC processor)
-@item G3 Beige PowerMac (PowerPC processor)
-@item Mac99 PowerMac (PowerPC processor, in progress)
-@item Sun4m/Sun4c/Sun4d (32-bit Sparc processor)
-@item Sun4u/Sun4v (64-bit Sparc processor, in progress)
-@item Malta board (32-bit and 64-bit MIPS processors)
-@item MIPS Magnum (64-bit MIPS processor)
-@item ARM Integrator/CP (ARM)
-@item ARM Versatile baseboard (ARM)
-@item ARM RealView Emulation/Platform baseboard (ARM)
-@item Spitz, Akita, Borzoi, Terrier and Tosa PDAs (PXA270 processor)
-@item Luminary Micro LM3S811EVB (ARM Cortex-M3)
-@item Luminary Micro LM3S6965EVB (ARM Cortex-M3)
-@item Freescale MCF5208EVB (ColdFire V2).
-@item Arnewsh MCF5206 evaluation board (ColdFire V2).
-@item Palm Tungsten|E PDA (OMAP310 processor)
-@item N800 and N810 tablets (OMAP2420 processor)
-@item MusicPal (MV88W8618 ARM processor)
-@item Gumstix "Connex" and "Verdex" motherboards (PXA255/270).
-@item Siemens SX1 smartphone (OMAP310 processor)
-@item AXIS-Devboard88 (CRISv32 ETRAX-FS).
-@item Petalogix Spartan 3aDSP1800 MMU ref design (MicroBlaze).
-@item Avnet LX60/LX110/LX200 boards (Xtensa)
+@item Generic Linux system call converter, including most ioctls.
+
+@item clone() emulation using native CPU clone() to use Linux scheduler for threads.
+
+@item Accurate signal handling by remapping host signals to target signals.
+@end itemize
+
+QEMU full system emulation has the following features:
+@itemize
+@item
+QEMU uses a full software MMU for maximum portability.
+
+@item
+QEMU can optionally use an in-kernel accelerator, like kvm. The accelerators 
+execute most of the guest code natively, while
+continuing to emulate the rest of the machine.
+
+@item
+Various hardware devices can be emulated and in some cases, host
+devices (e.g. serial and parallel ports, USB, drives) can be used
+transparently by the guest Operating System. Host device passthrough
+can be used for talking to external physical peripherals (e.g. a
+webcam, modem or tape drive).
+
+@item
+Symmetric multiprocessing (SMP) support.  Currently, an in-kernel
+accelerator is required to use more than one host CPU for emulation.
+
 @end itemize
 
-@cindex supported user mode targets
-For user emulation, x86 (32 and 64 bit), PowerPC (32 and 64 bit),
-ARM, MIPS (32 bit only), Sparc (32 and 64 bit),
-Alpha, ColdFire(m68k), CRISv32 and MicroBlaze CPUs are supported.
 
 @node Installation
 @chapter Installation
diff --git a/qemu-tech.texi b/qemu-tech.texi
index be1c210..2ab7cd4 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -41,7 +41,6 @@
 @chapter Introduction
 
 @menu
-* intro_features::         Features
 * intro_x86_emulation::    x86 and x86-64 emulation
 * intro_arm_emulation::    ARM emulation
 * intro_mips_emulation::   MIPS emulation
@@ -51,93 +50,6 @@
 * intro_other_emulation::  Other CPU emulation
 @end menu
 
-@node intro_features
-@section Features
-
-QEMU is a FAST! processor emulator using a portable dynamic
-translator.
-
-QEMU has two operating modes:
-
-@itemize @minus
-
-@item
-Full system emulation. In this mode (full platform virtualization),
-QEMU emulates a full system (usually a PC), including a processor and
-various peripherals. It can be used to launch several different
-Operating Systems at once without rebooting the host machine or to
-debug system code.
-
-@item
-User mode emulation. In this mode (application level virtualization),
-QEMU can launch processes compiled for one CPU on another CPU, however
-the Operating Systems must match. This can be used for example to ease
-cross-compilation and cross-debugging.
-@end itemize
-
-As QEMU requires no host kernel driver to run, it is very safe and
-easy to use.
-
-QEMU generic features:
-
-@itemize
-
-@item User space only or full system emulation.
-
-@item Using dynamic translation to native code for reasonable speed.
-
-@item
-Working on x86, x86_64 and PowerPC32/64 hosts. Being tested on ARM,
-S390x, Sparc32 and Sparc64.
-
-@item Self-modifying code support.
-
-@item Precise exceptions support.
-
-@item
-Floating point library supporting both full software emulation and
-native host FPU instructions.
-
-@end itemize
-
-QEMU user mode emulation features:
-@itemize
-@item Generic Linux system call converter, including most ioctls.
-
-@item clone() emulation using native CPU clone() to use Linux scheduler for threads.
-
-@item Accurate signal handling by remapping host signals to target signals.
-@end itemize
-
-Linux user emulator (Linux host only) can be used to launch the Wine
-Windows API emulator (@url{http://www.winehq.org}). A BSD user emulator for BSD
-hosts is under development. It would also be possible to develop a
-similar user emulator for Solaris.
-
-QEMU full system emulation features:
-@itemize
-@item
-QEMU uses a full software MMU for maximum portability.
-
-@item
-QEMU can optionally use an in-kernel accelerator, like kvm. The accelerators 
-execute some of the guest code natively, while
-continuing to emulate the rest of the machine.
-
-@item
-Various hardware devices can be emulated and in some cases, host
-devices (e.g. serial and parallel ports, USB, drives) can be used
-transparently by the guest Operating System. Host device passthrough
-can be used for talking to external physical peripherals (e.g. a
-webcam, modem or tape drive).
-
-@item
-Symmetric multiprocessing (SMP) even on a host with a single CPU. On a
-SMP host system, QEMU can use only one CPU fully due to difficulty in
-implementing atomic memory accesses efficiently.
-
-@end itemize
-
 @node intro_x86_emulation
 @section x86 and x86-64 emulation
 
-- 
2.7.4

[Qemu-devel] [PATCH 03/10] qemu-doc: drop installation and compilation notes

[Paolo Bonzini]

These are in README or obsolete, and the detailed version can be on a
website instead.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 README        |   2 -
 qemu-doc.texi | 249 ----------------------------------------------------------
 2 files changed, 251 deletions(-)

diff --git a/README b/README
index f38193f..bd8060a 100644
--- a/README
+++ b/README
@@ -42,8 +42,6 @@ of other UNIX targets. The simple steps to build QEMU are:
   ../configure
   make
 
-Complete details of the process for building and configuring QEMU for
-all supported host platforms can be found in the qemu-tech.html file.
 Additional information can also be found online via the QEMU website:
 
   http://qemu-project.org/Hosts/Linux
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 9f75c9d..e60c46b 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -32,11 +32,9 @@
 
 @menu
 * Introduction::
-* Installation::
 * QEMU PC System emulator::
 * QEMU System emulator for non PC targets::
 * QEMU User space emulator::
-* compilation:: Compilation from the sources
 * License::
 * Index::
 @end menu
@@ -121,39 +119,6 @@ accelerator is required to use more than one host CPU for emulation.
 @end itemize
 
 
-@node Installation
-@chapter Installation
-
-If you want to compile QEMU yourself, see @ref{compilation}.
-
-@menu
-* install_linux::   Linux
-* install_windows:: Windows
-* install_mac::     Macintosh
-@end menu
-
-@node install_linux
-@section Linux
-@cindex installation (Linux)
-
-If a precompiled package is available for your distribution - you just
-have to install it. Otherwise, see @ref{compilation}.
-
-@node install_windows
-@section Windows
-@cindex installation (Windows)
-
-Download the experimental binary installer at
-@url{http://www.free.oszoo.org/@/download.html}.
-TODO (no longer available)
-
-@node install_mac
-@section Mac OS X
-
-Download the experimental binary installer at
-@url{http://www.free.oszoo.org/@/download.html}.
-TODO (no longer available)
-
 @node QEMU PC System emulator
 @chapter QEMU PC System emulator
 @cindex system emulation (PC)
@@ -2949,220 +2914,6 @@ Act as if the host page size was 'pagesize' bytes
 Run the emulation in single step mode.
 @end table
 
-@node compilation
-@chapter Compilation from the sources
-
-@menu
-* Linux/Unix::
-* Windows::
-* Cross compilation for Windows with Linux::
-* Mac OS X::
-* Make targets::
-@end menu
-
-@node Linux/Unix
-@section Linux/Unix
-
-@subsection Compilation
-
-First you must decompress the sources:
-@example
-cd /tmp
-tar zxvf qemu-x.y.z.tar.gz
-cd qemu-x.y.z
-@end example
-
-Then you configure QEMU and build it (usually no options are needed):
-@example
-./configure
-make
-@end example
-
-Then type as root user:
-@example
-make install
-@end example
-to install QEMU in @file{/usr/local}.
-
-@node Windows
-@section Windows
-
-@itemize
-@item Install the current versions of MSYS and MinGW from
-@url{http://www.mingw.org/}. You can find detailed installation
-instructions in the download section and the FAQ.
-
-@item Download
-the MinGW development library of SDL 1.2.x
-(@file{SDL-devel-1.2.x-@/mingw32.tar.gz}) from
-@url{http://www.libsdl.org}. Unpack it in a temporary place and
-edit the @file{sdl-config} script so that it gives the
-correct SDL directory when invoked.
-
-@item Install the MinGW version of zlib and make sure
-@file{zlib.h} and @file{libz.dll.a} are in
-MinGW's default header and linker search paths.
-
-@item Extract the current version of QEMU.
-
-@item Start the MSYS shell (file @file{msys.bat}).
-
-@item Change to the QEMU directory. Launch @file{./configure} and
-@file{make}.  If you have problems using SDL, verify that
-@file{sdl-config} can be launched from the MSYS command line.
-
-@item You can install QEMU in @file{Program Files/QEMU} by typing
-@file{make install}. Don't forget to copy @file{SDL.dll} in
-@file{Program Files/QEMU}.
-
-@end itemize
-
-@node Cross compilation for Windows with Linux
-@section Cross compilation for Windows with Linux
-
-@itemize
-@item
-Install the MinGW cross compilation tools available at
-@url{http://www.mingw.org/}.
-
-@item Download
-the MinGW development library of SDL 1.2.x
-(@file{SDL-devel-1.2.x-@/mingw32.tar.gz}) from
-@url{http://www.libsdl.org}. Unpack it in a temporary place and
-edit the @file{sdl-config} script so that it gives the
-correct SDL directory when invoked.  Set up the @code{PATH} environment
-variable so that @file{sdl-config} can be launched by
-the QEMU configuration script.
-
-@item Install the MinGW version of zlib and make sure
-@file{zlib.h} and @file{libz.dll.a} are in
-MinGW's default header and linker search paths.
-
-@item
-Configure QEMU for Windows cross compilation:
-@example
-PATH=/usr/i686-pc-mingw32/sys-root/mingw/bin:$PATH ./configure --cross-prefix='i686-pc-mingw32-'
-@end example
-The example assumes @file{sdl-config} is installed under @file{/usr/i686-pc-mingw32/sys-root/mingw/bin} and
-MinGW cross compilation tools have names like @file{i686-pc-mingw32-gcc} and @file{i686-pc-mingw32-strip}.
-We set the @code{PATH} environment variable to ensure the MinGW version of @file{sdl-config} is used and
-use --cross-prefix to specify the name of the cross compiler.
-You can also use --prefix to set the Win32 install path which defaults to @file{c:/Program Files/QEMU}.
-
-Under Fedora Linux, you can run:
-@example
-yum -y install mingw32-gcc mingw32-SDL mingw32-zlib
-@end example
-to get a suitable cross compilation environment.
-
-@item You can install QEMU in the installation directory by typing
-@code{make install}. Don't forget to copy @file{SDL.dll} and @file{zlib1.dll} into the
-installation directory.
-
-@end itemize
-
-Wine can be used to launch the resulting qemu-system-i386.exe
-and all other qemu-system-@var{target}.exe compiled for Win32.
-
-@node Mac OS X
-@section Mac OS X
-
-System Requirements:
-@itemize
-@item Mac OS 10.5 or higher
-@item The clang compiler shipped with Xcode 4.2 or higher,
-or GCC 4.3 or higher
-@end itemize
-
-Additional Requirements (install in order):
-@enumerate
-@item libffi: @uref{https://sourceware.org/libffi/}
-@item gettext: @uref{http://www.gnu.org/software/gettext/}
-@item glib: @uref{http://ftp.gnome.org/pub/GNOME/sources/glib/}
-@item pkg-config: @uref{http://www.freedesktop.org/wiki/Software/pkg-config/}
-@item autoconf: @uref{http://www.gnu.org/software/autoconf/autoconf.html}
-@item automake: @uref{http://www.gnu.org/software/automake/}
-@item pixman: @uref{http://www.pixman.org/}
-@end enumerate
-
-* You may find it easiest to get these from a third-party packager
-such as Homebrew, Macports, or Fink.
-
-After downloading the QEMU source code, double-click it to expand it.
-
-Then configure and make QEMU:
-@example
-./configure
-make
-@end example
-
-If you have a recent version of Mac OS X (OSX 10.7 or better
-with Xcode 4.2 or better) we recommend building QEMU with the
-default compiler provided by Apple, for your version of Mac OS X
-(which will be 'clang'). The configure script will
-automatically pick this.
-
-Note: If after the configure step you see a message like this:
-@example
-ERROR: Your compiler does not support the __thread specifier for
-       Thread-Local Storage (TLS). Please upgrade to a version that does.
-@end example
-you may have to build your own version of gcc from source. Expect that to take
-several hours. More information can be found here:
-@uref{https://gcc.gnu.org/install/} @*
-
-These are some of the third party binaries of gcc available for download:
-@itemize
-@item Homebrew: @uref{http://brew.sh/}
-@item @uref{https://www.litebeam.net/gcc/gcc_472.pkg}
-@item @uref{http://www.macports.org/ports.php?by=name&substr=gcc}
-@end itemize
-
-You can have several versions of GCC on your system. To specify a certain version,
-use the --cc and --cxx options.
-@example
-./configure --cxx=<path of your c++ compiler> --cc=<path of your c compiler> <other options>
-@end example
-
-@node Make targets
-@section Make targets
-
-@table @code
-
-@item make
-@item make all
-Make everything which is typically needed.
-
-@item install
-TODO
-
-@item install-doc
-TODO
-
-@item make clean
-Remove most files which were built during make.
-
-@item make distclean
-Remove everything which was built during make.
-
-@item make dvi
-@item make html
-@item make info
-@item make pdf
-Create documentation in dvi, html, info or pdf format.
-
-@item make cscope
-TODO
-
-@item make defconfig
-(Re-)create some build configuration files.
-User made changes will be overwritten.
-
-@item tar
-@item tarbin
-TODO
-
-@end table
 
 @node License
 @appendix License
-- 
2.7.4

[Qemu-devel] [PATCH 04/10] qemu-tech: move text from qemu-tech to tcg/README

[Paolo Bonzini]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi | 12 ++----------
 tcg/README     |  5 +++++
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 2ab7cd4..082b62c 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -287,16 +287,8 @@ are very complicated and highly CPU dependent. QEMU uses some tricks
 which make it relatively easily portable and simple while achieving good
 performances.
 
-After the release of version 0.9.1, QEMU switched to a new method of
-generating code, Tiny Code Generator or TCG. TCG relaxes the
-dependency on the exact version of the compiler used. The basic idea
-is to split every target instruction into a couple of RISC-like TCG
-ops (see @code{target-i386/translate.c}). Some optimizations can be
-performed at this stage, including liveness analysis and trivial
-constant expression evaluation. TCG ops are then implemented in the
-host CPU back end, also known as TCG target (see
-@code{tcg/i386/tcg-target.inc.c}). For more information, please take a
-look at @code{tcg/README}.
+QEMU's dynamic translation backend is called TCG, for "Tiny Code
+Generator". For more information, please take a look at @code{tcg/README}.
 
 @node Condition code optimisations
 @section Condition code optimisations
diff --git a/tcg/README b/tcg/README
index 1d48aa9..ae31388 100644
--- a/tcg/README
+++ b/tcg/README
@@ -8,6 +8,11 @@ in the QOP code generator written by Paul Brook.
 
 2) Definitions
 
+TCG receives RISC-like "TCG ops" and performs some optimizations on them,
+including liveness analysis and trivial constant expression
+evaluation.  TCG ops are then implemented in the host CPU back end,
+also known as the TCG "target".
+
 The TCG "target" is the architecture for which we generate the
 code. It is of course not the same as the "target" of QEMU which is
 the emulated architecture. As TCG started as a generic C backend used
-- 
2.7.4

[Qemu-devel] [PATCH 05/10] qemu-tech: document lazy condition code evaluation in cpu.h

[Paolo Bonzini]

Unlike the other sections, they are pretty specific to a particular CPU.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi     | 25 -------------------------
 target-cris/cpu.h  |  7 +++++++
 target-i386/cpu.h  |  7 +++++++
 target-m68k/cpu.h  |  8 ++++++++
 target-sparc/cpu.h |  5 +++++
 5 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 082b62c..75ceea4 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -214,7 +214,6 @@ SH4
 @menu
 * QEMU compared to other emulators::
 * Portable dynamic translation::
-* Condition code optimisations::
 * CPU state optimisations::
 * Translation cache::
 * Direct block chaining::
@@ -290,30 +289,6 @@ performances.
 QEMU's dynamic translation backend is called TCG, for "Tiny Code
 Generator". For more information, please take a look at @code{tcg/README}.
 
-@node Condition code optimisations
-@section Condition code optimisations
-
-Lazy evaluation of CPU condition codes (@code{EFLAGS} register on x86)
-is important for CPUs where every instruction sets the condition
-codes. It tends to be less important on conventional RISC systems
-where condition codes are only updated when explicitly requested. On
-Sparc64, costly update of both 32 and 64 bit condition codes can be
-avoided with lazy evaluation.
-
-Instead of computing the condition codes after each x86 instruction,
-QEMU just stores one operand (called @code{CC_SRC}), the result
-(called @code{CC_DST}) and the type of operation (called
-@code{CC_OP}). When the condition codes are needed, the condition
-codes can be calculated using this information. In addition, an
-optimized calculation can be performed for some instruction types like
-conditional branches.
-
-@code{CC_OP} is almost never explicitly set in the generated code
-because it is known at translation time.
-
-The lazy condition code evaluation is used on x86, m68k, cris and
-Sparc. ARM uses a simplified variant for the N and Z flags.
-
 @node CPU state optimisations
 @section CPU state optimisations
 
diff --git a/target-cris/cpu.h b/target-cris/cpu.h
index 7d7fe6e..6d3de56 100644
--- a/target-cris/cpu.h
+++ b/target-cris/cpu.h
@@ -223,6 +223,13 @@ int cpu_cris_signal_handler(int host_signum, void *pinfo,
 void cris_initialize_tcg(void);
 void cris_initialize_crisv10_tcg(void);
 
+/* Instead of computing the condition codes after each x86 instruction,
+ * QEMU just stores one operand (called CC_SRC), the result
+ * (called CC_DST) and the type of operation (called CC_OP). When the
+ * condition codes are needed, the condition codes can be calculated
+ * using this information. Condition codes are not generated if they
+ * are only needed for conditional branches.
+ */
 enum {
     CC_OP_DYNAMIC, /* Use env->cc_op  */
     CC_OP_FLAGS,
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 6d028aa..f606f15 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -698,6 +698,13 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
 /* Use a clearer name for this.  */
 #define CPU_INTERRUPT_INIT      CPU_INTERRUPT_RESET
 
+/* Instead of computing the condition codes after each x86 instruction,
+ * QEMU just stores one operand (called CC_SRC), the result
+ * (called CC_DST) and the type of operation (called CC_OP). When the
+ * condition codes are needed, the condition codes can be calculated
+ * using this information. Condition codes are not generated if they
+ * are only needed for conditional branches.
+ */
 typedef enum {
     CC_OP_DYNAMIC, /* must use dynamic code to get cc_op */
     CC_OP_EFLAGS,  /* all cc are explicitly computed, CC_SRC = flags */
diff --git a/target-m68k/cpu.h b/target-m68k/cpu.h
index c2d40cb..ccc7157 100644
--- a/target-m68k/cpu.h
+++ b/target-m68k/cpu.h
@@ -154,6 +154,14 @@ int cpu_m68k_signal_handler(int host_signum, void *pinfo,
                            void *puc);
 void cpu_m68k_flush_flags(CPUM68KState *, int);
 
+
+/* Instead of computing the condition codes after each x86 instruction,
+ * QEMU just stores one operand (called CC_SRC), the result
+ * (called CC_DST) and the type of operation (called CC_OP). When the
+ * condition codes are needed, the condition codes can be calculated
+ * using this information. Condition codes are not generated if they
+ * are only needed for conditional branches.
+ */
 enum {
     CC_OP_DYNAMIC, /* Use env->cc_op  */
     CC_OP_FLAGS, /* CC_DEST = CVZN, CC_SRC = unused */
diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index a3d64a4..646a103 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -102,6 +102,11 @@
 #define CC_DST (env->cc_dst)
 #define CC_OP  (env->cc_op)
 
+/* Even though lazy evaluation of CPU condition codes tends to be less
+ * important on RISC systems where condition codes are only updated
+ * when explicitly requested, SPARC uses it to update 32-bit and 64-bit
+ * condition codes.
+ */
 enum {
     CC_OP_DYNAMIC, /* must use dynamic code to get cc_op */
     CC_OP_FLAGS,   /* all cc are back in status register */
-- 
2.7.4

[Qemu-devel] [PATCH 06/10] qemu-tech: move user mode emulation features from qemu-tech

[Paolo Bonzini]

These are interesting for users too, since nowadays most
qemu-user users are going to be somewhat technical rather than
just people that want to run Wine.  Some detail is lost, on
the other hand some of the information I removed (e.g. basic
block unchaining) was obsolete.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-doc.texi  | 34 ++++++++++++++++++++++++++++
 qemu-tech.texi | 71 ----------------------------------------------------------
 2 files changed, 34 insertions(+), 71 deletions(-)

diff --git a/qemu-doc.texi b/qemu-doc.texi
index e60c46b..5b93acc 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -2629,6 +2629,7 @@ so should only be used with trusted guest OS.
 
 @menu
 * Supported Operating Systems ::
+* Features::
 * Linux User space emulator::
 * BSD User space emulator ::
 @end menu
@@ -2645,6 +2646,39 @@ Linux (referred as qemu-linux-user)
 BSD (referred as qemu-bsd-user)
 @end itemize
 
+@node Features
+@section Features
+
+QEMU user space emulation has the following notable features:
+
+@table @strong
+@item System call translation:
+QEMU includes a generic system call translator.  This means that
+the parameters of the system calls can be converted to fix
+endianness and 32/64-bit mismatches between hosts and targets.
+IOCTLs can be converted too.
+
+@item POSIX signal handling:
+QEMU can redirect to the running program all signals coming from
+the host (such as SIGALRM), as well as synthesize signals from
+virtual CPU extensions (for example SIGFPE when the program
+executes a division by zero).
+
+QEMU relies on the host kernel to emulate most signal system
+calls, for example to emulate the signal mask.  On Linux, QEMU
+supports both normal and real-time signals.
+
+@item Threading:
+On Linux, QEMU can emulate the @code{clone} and create a real host
+thread (with a separate virtual CPU) for each emulated thread.
+Note that not all targets currently emulate atomic operations correctly.
+x86 and ARM use a global lock in order to preserve their semantics.
+@end table
+
+QEMU was conceived so that ultimately it can emulate itself. Although
+it is not very useful, it is an important test to show the power of the
+emulator.
+
 @node Linux User space emulator
 @section Linux User space emulator
 
diff --git a/qemu-tech.texi b/qemu-tech.texi
index 75ceea4..16780a1 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -221,8 +221,6 @@ SH4
 * Exception support::
 * MMU emulation::
 * Device emulation::
-* Hardware interrupts::
-* User emulation specific details::
 * Bibliography::
 @end menu
 
@@ -410,75 +408,6 @@ Usually the devices implement a reset method and register support for
 saving and loading of the device state. The devices can also use
 timers, especially together with the use of bottom halves (BHs).
 
-@node Hardware interrupts
-@section Hardware interrupts
-
-In order to be faster, QEMU does not check at every basic block if a
-hardware interrupt is pending. Instead, the user must asynchronously
-call a specific function to tell that an interrupt is pending. This
-function resets the chaining of the currently executing basic
-block. It ensures that the execution will return soon in the main loop
-of the CPU emulator. Then the main loop can test if the interrupt is
-pending and handle it.
-
-@node User emulation specific details
-@section User emulation specific details
-
-@subsection Linux system call translation
-
-QEMU includes a generic system call translator for Linux. It means that
-the parameters of the system calls can be converted to fix the
-endianness and 32/64 bit issues. The IOCTLs are converted with a generic
-type description system (see @file{ioctls.h} and @file{thunk.c}).
-
-QEMU supports host CPUs which have pages bigger than 4KB. It records all
-the mappings the process does and try to emulated the @code{mmap()}
-system calls in cases where the host @code{mmap()} call would fail
-because of bad page alignment.
-
-@subsection Linux signals
-
-Normal and real-time signals are queued along with their information
-(@code{siginfo_t}) as it is done in the Linux kernel. Then an interrupt
-request is done to the virtual CPU. When it is interrupted, one queued
-signal is handled by generating a stack frame in the virtual CPU as the
-Linux kernel does. The @code{sigreturn()} system call is emulated to return
-from the virtual signal handler.
-
-Some signals (such as SIGALRM) directly come from the host. Other
-signals are synthesized from the virtual CPU exceptions such as SIGFPE
-when a division by zero is done (see @code{main.c:cpu_loop()}).
-
-The blocked signal mask is still handled by the host Linux kernel so
-that most signal system calls can be redirected directly to the host
-Linux kernel. Only the @code{sigaction()} and @code{sigreturn()} system
-calls need to be fully emulated (see @file{signal.c}).
-
-@subsection clone() system call and threads
-
-The Linux clone() system call is usually used to create a thread. QEMU
-uses the host clone() system call so that real host threads are created
-for each emulated thread. One virtual CPU instance is created for each
-thread.
-
-The virtual x86 CPU atomic operations are emulated with a global lock so
-that their semantic is preserved.
-
-Note that currently there are still some locking issues in QEMU. In
-particular, the translated cache flush is not protected yet against
-reentrancy.
-
-@subsection Self-virtualization
-
-QEMU was conceived so that ultimately it can emulate itself. Although
-it is not very useful, it is an important test to show the power of the
-emulator.
-
-Achieving self-virtualization is not easy because there may be address
-space conflicts. QEMU user emulators solve this problem by being an
-executable ELF shared object as the ld-linux.so ELF interpreter. That
-way, it can be relocated at load time.
-
 @node Bibliography
 @section Bibliography
 
-- 
2.7.4

[Qemu-devel] [PATCH 07/10] qemu-tech: move TCG test documentation to tests/tcg/README

[Paolo Bonzini]

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi   | 35 --------------------------
 tests/tcg/README | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 35 deletions(-)
 create mode 100644 tests/tcg/README

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 16780a1..adfb53b 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -31,7 +31,6 @@
 @menu
 * Introduction::
 * QEMU Internals::
-* Regression Tests::
 @end menu
 @end ifnottex
 
@@ -464,38 +463,4 @@ QEMU-SystemC, a hardware co-simulator.
 
 @end table
 
-@node Regression Tests
-@chapter Regression Tests
-
-In the directory @file{tests/}, various interesting testing programs
-are available. They are used for regression testing.
-
-@menu
-* test-i386::
-* linux-test::
-@end menu
-
-@node test-i386
-@section @file{test-i386}
-
-This program executes most of the 16 bit and 32 bit x86 instructions and
-generates a text output. It can be compared with the output obtained with
-a real CPU or another emulator. The target @code{make test} runs this
-program and a @code{diff} on the generated output.
-
-The Linux system call @code{modify_ldt()} is used to create x86 selectors
-to test some 16 bit addressing and 32 bit with segmentation cases.
-
-The Linux system call @code{vm86()} is used to test vm86 emulation.
-
-Various exceptions are raised to test most of the x86 user space
-exception reporting.
-
-@node linux-test
-@section @file{linux-test}
-
-This program tests various Linux system calls. It is used to verify
-that the system call parameters are correctly converted between target
-and host CPUs.
-
 @bye
diff --git a/tests/tcg/README b/tests/tcg/README
new file mode 100644
index 0000000..5dcfb48
--- /dev/null
+++ b/tests/tcg/README
@@ -0,0 +1,80 @@
+This directory contains various interesting programs for
+regression testing.
+
+The target "make test" runs the programs and, if applicable,
+runs "diff" to detect mismatches between output on the host and
+output on QEMU.
+
+i386
+====
+
+test-i386
+---------
+
+This program executes most of the 16 bit and 32 bit x86 instructions and
+generates a text output, for comparison with the output obtained with
+a real CPU or another emulator.
+
+The Linux system call modify_ldt() is used to create x86 selectors
+to test some 16 bit addressing and 32 bit with segmentation cases.
+
+The Linux system call vm86() is used to test vm86 emulation.
+
+Various exceptions are raised to test most of the x86 user space
+exception reporting.
+
+linux-test
+----------
+
+This program tests various Linux system calls. It is used to verify
+that the system call parameters are correctly converted between target
+and host CPUs.
+
+test-i386-fprem
+---------------
+
+runcom
+------
+
+test-mmap
+---------
+
+sha1
+----
+
+hello-i386
+----------
+
+
+ARM
+===
+
+hello-arm
+---------
+
+test-arm-iwmmxt
+---------------
+
+MIPS
+====
+
+hello-mips
+----------
+
+hello-mipsel
+------------
+
+CRIS
+====
+The testsuite for CRIS is in tests/tcg/cris.  You can run it
+with "make test-cris".
+
+LM32
+====
+The testsuite for LM32 is in tests/tcg/lm32.  You can run it
+with "make test-lm32".
+
+Other architectures
+===================
+Other architectures have testsuites in subdirectories of tests/tcg.
+Please consult the makefiles in those directories.
-- 
2.7.4

[Qemu-devel] [PATCH 08/10] qemu-tech: reorganize content

[Paolo Bonzini]

Make the structure more flat, place comparison last, rename "Introduction"
to "CPU emulation".

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi | 171 +++++++++++++++++++++++++--------------------------------
 1 file changed, 74 insertions(+), 97 deletions(-)

diff --git a/qemu-tech.texi b/qemu-tech.texi
index adfb53b..2e499a7 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -29,27 +29,29 @@
 @top
 
 @menu
-* Introduction::
-* QEMU Internals::
+* CPU emulation::
+* Translator Internals::
+* Device emulation::
+* QEMU compared to other emulators::
+* Bibliography::
 @end menu
 @end ifnottex
 
 @contents
 
-@node Introduction
-@chapter Introduction
+@node CPU emulation
+@chapter CPU emulation
 
 @menu
-* intro_x86_emulation::    x86 and x86-64 emulation
-* intro_arm_emulation::    ARM emulation
-* intro_mips_emulation::   MIPS emulation
-* intro_ppc_emulation::    PowerPC emulation
-* intro_sparc_emulation::  Sparc32 and Sparc64 emulation
-* intro_xtensa_emulation:: Xtensa emulation
-* intro_other_emulation::  Other CPU emulation
+* x86::     x86 and x86-64 emulation
+* ARM::     ARM emulation
+* MIPS::    MIPS emulation
+* PPC::     PowerPC emulation
+* SPARC::   Sparc32 and Sparc64 emulation
+* Xtensa::  Xtensa emulation
 @end menu
 
-@node intro_x86_emulation
+@node x86
 @section x86 and x86-64 emulation
 
 QEMU x86 target features:
@@ -84,7 +86,7 @@ normal use.
 
 @end itemize
 
-@node intro_arm_emulation
+@node ARM
 @section ARM emulation
 
 @itemize
@@ -97,7 +99,7 @@ normal use.
 
 @end itemize
 
-@node intro_mips_emulation
+@node MIPS
 @section MIPS emulation
 
 @itemize
@@ -124,7 +126,7 @@ Current QEMU limitations:
 
 @end itemize
 
-@node intro_ppc_emulation
+@node PPC
 @section PowerPC emulation
 
 @itemize
@@ -136,7 +138,7 @@ FPU and MMU.
 
 @end itemize
 
-@node intro_sparc_emulation
+@node SPARC
 @section Sparc32 and Sparc64 emulation
 
 @itemize
@@ -164,7 +166,7 @@ Current QEMU limitations:
 
 @end itemize
 
-@node intro_xtensa_emulation
+@node Xtensa
 @section Xtensa emulation
 
 @itemize
@@ -189,94 +191,18 @@ may be created from overlay with minimal amount of hand-written code.
 
 @end itemize
 
-@node intro_other_emulation
-@section Other CPU emulation
-
-In addition to the above, QEMU supports emulation of other CPUs with
-varying levels of success. These are:
-
-@itemize
-
-@item
-Alpha
-@item
-CRIS
-@item
-M68k
-@item
-SH4
-@end itemize
-
-@node QEMU Internals
-@chapter QEMU Internals
+@node Translator Internals
+@chapter Translator Internals
 
 @menu
-* QEMU compared to other emulators::
-* Portable dynamic translation::
 * CPU state optimisations::
 * Translation cache::
 * Direct block chaining::
 * Self-modifying code and translated code invalidation::
 * Exception support::
 * MMU emulation::
-* Device emulation::
-* Bibliography::
 @end menu
 
-@node QEMU compared to other emulators
-@section QEMU compared to other emulators
-
-Like bochs [1], QEMU emulates an x86 CPU. But QEMU is much faster than
-bochs as it uses dynamic compilation. Bochs is closely tied to x86 PC
-emulation while QEMU can emulate several processors.
-
-Like Valgrind [2], QEMU does user space emulation and dynamic
-translation. Valgrind is mainly a memory debugger while QEMU has no
-support for it (QEMU could be used to detect out of bound memory
-accesses as Valgrind, but it has no support to track uninitialised data
-as Valgrind does). The Valgrind dynamic translator generates better code
-than QEMU (in particular it does register allocation) but it is closely
-tied to an x86 host and target and has no support for precise exceptions
-and system emulation.
-
-EM86 [3] is the closest project to user space QEMU (and QEMU still uses
-some of its code, in particular the ELF file loader). EM86 was limited
-to an alpha host and used a proprietary and slow interpreter (the
-interpreter part of the FX!32 Digital Win32 code translator [4]).
-
-TWIN from Willows Software was a Windows API emulator like Wine. It is less
-accurate than Wine but includes a protected mode x86 interpreter to launch
-x86 Windows executables. Such an approach has greater potential because most
-of the Windows API is executed natively but it is far more difficult to
-develop because all the data structures and function parameters exchanged
-between the API and the x86 code must be converted.
-
-User mode Linux [5] was the only solution before QEMU to launch a
-Linux kernel as a process while not needing any host kernel
-patches. However, user mode Linux requires heavy kernel patches while
-QEMU accepts unpatched Linux kernels. The price to pay is that QEMU is
-slower.
-
-The Plex86 [6] PC virtualizer is done in the same spirit as the now
-obsolete qemu-fast system emulator. It requires a patched Linux kernel
-to work (you cannot launch the same kernel on your PC), but the
-patches are really small. As it is a PC virtualizer (no emulation is
-done except for some privileged instructions), it has the potential of
-being faster than QEMU. The downside is that a complicated (and
-potentially unsafe) host kernel patch is needed.
-
-The commercial PC Virtualizers (VMWare [7], VirtualPC [8]) are faster
-than QEMU (without virtualization), but they all need specific, proprietary
-and potentially unsafe host drivers. Moreover, they are unable to
-provide cycle exact simulation as an emulator can.
-
-VirtualBox [9], Xen [10] and KVM [11] are based on QEMU. QEMU-SystemC
-[12] uses QEMU to simulate a system where some hardware devices are
-developed in SystemC.
-
-@node Portable dynamic translation
-@section Portable dynamic translation
-
 QEMU is a dynamic translator. When it first encounters a piece of code,
 it converts it to the host instruction set. Usually dynamic translators
 are very complicated and highly CPU dependent. QEMU uses some tricks
@@ -381,7 +307,7 @@ When MMU mappings change, only the chaining of the basic blocks is
 reset (i.e. a basic block can no longer jump directly to another one).
 
 @node Device emulation
-@section Device emulation
+@chapter Device emulation
 
 Systems emulated by QEMU are organized by boards. At initialization
 phase, each board instantiates a number of CPUs, devices, RAM and
@@ -407,8 +333,59 @@ Usually the devices implement a reset method and register support for
 saving and loading of the device state. The devices can also use
 timers, especially together with the use of bottom halves (BHs).
 
+@node QEMU compared to other emulators
+@chapter QEMU compared to other emulators
+
+Like bochs [1], QEMU emulates an x86 CPU. But QEMU is much faster than
+bochs as it uses dynamic compilation. Bochs is closely tied to x86 PC
+emulation while QEMU can emulate several processors.
+
+Like Valgrind [2], QEMU does user space emulation and dynamic
+translation. Valgrind is mainly a memory debugger while QEMU has no
+support for it (QEMU could be used to detect out of bound memory
+accesses as Valgrind, but it has no support to track uninitialised data
+as Valgrind does). The Valgrind dynamic translator generates better code
+than QEMU (in particular it does register allocation) but it is closely
+tied to an x86 host and target and has no support for precise exceptions
+and system emulation.
+
+EM86 [3] is the closest project to user space QEMU (and QEMU still uses
+some of its code, in particular the ELF file loader). EM86 was limited
+to an alpha host and used a proprietary and slow interpreter (the
+interpreter part of the FX!32 Digital Win32 code translator [4]).
+
+TWIN from Willows Software was a Windows API emulator like Wine. It is less
+accurate than Wine but includes a protected mode x86 interpreter to launch
+x86 Windows executables. Such an approach has greater potential because most
+of the Windows API is executed natively but it is far more difficult to
+develop because all the data structures and function parameters exchanged
+between the API and the x86 code must be converted.
+
+User mode Linux [5] was the only solution before QEMU to launch a
+Linux kernel as a process while not needing any host kernel
+patches. However, user mode Linux requires heavy kernel patches while
+QEMU accepts unpatched Linux kernels. The price to pay is that QEMU is
+slower.
+
+The Plex86 [6] PC virtualizer is done in the same spirit as the now
+obsolete qemu-fast system emulator. It requires a patched Linux kernel
+to work (you cannot launch the same kernel on your PC), but the
+patches are really small. As it is a PC virtualizer (no emulation is
+done except for some privileged instructions), it has the potential of
+being faster than QEMU. The downside is that a complicated (and
+potentially unsafe) host kernel patch is needed.
+
+The commercial PC Virtualizers (VMWare [7], VirtualPC [8]) are faster
+than QEMU (without virtualization), but they all need specific, proprietary
+and potentially unsafe host drivers. Moreover, they are unable to
+provide cycle exact simulation as an emulator can.
+
+VirtualBox [9], Xen [10] and KVM [11] are based on QEMU. QEMU-SystemC
+[12] uses QEMU to simulate a system where some hardware devices are
+developed in SystemC.
+
 @node Bibliography
-@section Bibliography
+@chapter Bibliography
 
 @table @asis
 
-- 
2.7.4

[Qemu-devel] [PATCH 09/10] qemu-tech: rewrite some parts

[Paolo Bonzini]

Drop most the device emulation part and merge the rest into the description
of the MMU.  Make some bits more up-to-date.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 qemu-tech.texi | 124 +++++++++++++++++++--------------------------------------
 1 file changed, 42 insertions(+), 82 deletions(-)

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 2e499a7..7535f5f 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -31,7 +31,6 @@
 @menu
 * CPU emulation::
 * Translator Internals::
-* Device emulation::
 * QEMU compared to other emulators::
 * Bibliography::
 @end menu
@@ -194,15 +193,6 @@ may be created from overlay with minimal amount of hand-written code.
 @node Translator Internals
 @chapter Translator Internals
 
-@menu
-* CPU state optimisations::
-* Translation cache::
-* Direct block chaining::
-* Self-modifying code and translated code invalidation::
-* Exception support::
-* MMU emulation::
-@end menu
-
 QEMU is a dynamic translator. When it first encounters a piece of code,
 it converts it to the host instruction set. Usually dynamic translators
 are very complicated and highly CPU dependent. QEMU uses some tricks
@@ -212,33 +202,23 @@ performances.
 QEMU's dynamic translation backend is called TCG, for "Tiny Code
 Generator". For more information, please take a look at @code{tcg/README}.
 
-@node CPU state optimisations
-@section CPU state optimisations
+Some notable features of QEMU's dynamic translator are:
 
+@table @strong
+
+@item CPU state optimisations:
 The target CPUs have many internal states which change the way it
 evaluates instructions. In order to achieve a good speed, the
 translation phase considers that some state information of the virtual
 CPU cannot change in it. The state is recorded in the Translation
 Block (TB). If the state changes (e.g. privilege level), a new TB will
 be generated and the previous TB won't be used anymore until the state
-matches the state recorded in the previous TB. For example, if the SS,
+matches the state recorded in the previous TB. The same idea can be applied
+to other aspects of the CPU state.  For example, on x86, if the SS,
 DS and ES segments have a zero base, then the translator does not even
 generate an addition for the segment base.
 
-[The FPU stack pointer register is not handled that way yet].
-
-@node Translation cache
-@section Translation cache
-
-A 32 MByte cache holds the most recently used translations. For
-simplicity, it is completely flushed when it is full. A translation unit
-contains just a single basic block (a block of x86 instructions
-terminated by a jump or by a virtual CPU state change which the
-translator cannot deduce statically).
-
-@node Direct block chaining
-@section Direct block chaining
-
+@item Direct block chaining:
 After each translated basic block is executed, QEMU uses the simulated
 Program Counter (PC) and other cpu state information (such as the CS
 segment base value) to find the next basic block.
@@ -252,18 +232,17 @@ it easier to make the jump target modification atomic. On some host
 architectures (such as x86 or PowerPC), the @code{JUMP} opcode is
 directly patched so that the block chaining has no overhead.
 
-@node Self-modifying code and translated code invalidation
-@section Self-modifying code and translated code invalidation
-
+@item Self-modifying code and translated code invalidation:
 Self-modifying code is a special challenge in x86 emulation because no
 instruction cache invalidation is signaled by the application when code
 is modified.
 
-When translated code is generated for a basic block, the corresponding
-host page is write protected if it is not already read-only. Then, if
-a write access is done to the page, Linux raises a SEGV signal. QEMU
-then invalidates all the translated code in the page and enables write
-accesses to the page.
+User-mode emulation marks a host page as write-protected (if it is
+not already read-only) every time translated code is generated for a
+basic block.  Then, if a write access is done to the page, Linux raises
+a SEGV signal. QEMU then invalidates all the translated code in the page
+and enables write accesses to the page.  For system emulation, write
+protection is achieved through the software MMU.
 
 Correct translated code invalidation is done efficiently by maintaining
 a linked list of every translated block contained in a given page. Other
@@ -275,63 +254,44 @@ necessary. However, QEMU still requires that the generated code always
 matches the target instructions in memory in order to handle
 exceptions correctly.
 
-@node Exception support
-@section Exception support
-
+@item Exception support:
 longjmp() is used when an exception such as division by zero is
 encountered.
 
 The host SIGSEGV and SIGBUS signal handlers are used to get invalid
-memory accesses. The simulated program counter is found by
-retranslating the corresponding basic block and by looking where the
-host program counter was at the exception point.
-
-The virtual CPU cannot retrieve the exact @code{EFLAGS} register because
-in some cases it is not computed because of condition code
-optimisations. It is not a big concern because the emulated code can
-still be restarted in any cases.
-
-@node MMU emulation
-@section MMU emulation
-
-For system emulation QEMU supports a soft MMU. In that mode, the MMU
+memory accesses. QEMU keeps a map that host program counter to
+target program counter, and looks up where the exception happened
+based on the host program counter at the exception point.
+
+On some targets, some bits of the virtual CPU's state are not flushed to the
+memory until the end of the translation block.  This is done for internal
+emulation state that is rarely accessed directly by the program and/or changes
+very often throughout the execution of a translation block---this includes
+condition codes on x86, delay slots on SPARC, conditional execution on
+ARM, and so on.  This state is stored for each target instruction, and
+looked up on exceptions.
+
+@item MMU emulation:
+For system emulation QEMU uses a software MMU. In that mode, the MMU
 virtual to physical address translation is done at every memory
-access. QEMU uses an address translation cache to speed up the
-translation.
+access.
 
+QEMU uses an address translation cache (TLB) to speed up the translation.
 In order to avoid flushing the translated code each time the MMU
-mappings change, QEMU uses a physically indexed translation cache. It
+mappings change, all caches in QEMU are physically indexed.  This
 means that each basic block is indexed with its physical address.
 
-When MMU mappings change, only the chaining of the basic blocks is
-reset (i.e. a basic block can no longer jump directly to another one).
-
-@node Device emulation
-@chapter Device emulation
-
-Systems emulated by QEMU are organized by boards. At initialization
-phase, each board instantiates a number of CPUs, devices, RAM and
-ROM. Each device in turn can assign I/O ports or memory areas (for
-MMIO) to its handlers. When the emulation starts, an access to the
-ports or MMIO memory areas assigned to the device causes the
-corresponding handler to be called.
+In order to avoid invalidating the basic block chain when MMU mappings
+change, chaining is only performed when the destination of the jump
+shares a page with the basic block that is performing the jump.
 
-RAM and ROM are handled more optimally, only the offset to the host
-memory needs to be added to the guest address.
-
-The video RAM of VGA and other display cards is special: it can be
-read or written directly like RAM, but write accesses cause the memory
-to be marked with VGA_DIRTY flag as well.
-
-QEMU supports some device classes like serial and parallel ports, USB,
-drives and network devices, by providing APIs for easier connection to
-the generic, higher level implementations. The API hides the
-implementation details from the devices, like native device use or
-advanced block device formats like QCOW.
-
-Usually the devices implement a reset method and register support for
-saving and loading of the device state. The devices can also use
-timers, especially together with the use of bottom halves (BHs).
+The MMU can also distinguish RAM and ROM memory areas from MMIO memory
+areas.  Access is faster for RAM and ROM because the translation cache also
+hosts the offset between guest address and host memory.  Accessing MMIO
+memory areas instead calls out to C code for device emulation.
+Finally, the MMU helps tracking dirty pages and pages pointed to by
+translation blocks.
+@end table
 
 @node QEMU compared to other emulators
 @chapter QEMU compared to other emulators
-- 
2.7.4

[Qemu-devel] [PATCH 10/10] qemu-doc: merge qemu-tech and qemu-doc

[Paolo Bonzini]

Merge what is left of qemu-tech into the main manual.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 .gitignore     |  2 --
 Makefile       | 13 ++++++-------
 qemu-doc.texi  |  3 +++
 qemu-tech.texi | 56 ++++++++++++--------------------------------------------
 qemu.nsi       |  3 ---
 ui/cocoa.m     |  9 ---------
 6 files changed, 21 insertions(+), 65 deletions(-)

diff --git a/.gitignore b/.gitignore
index c91d018..c88ebf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,9 +39,7 @@
 /qmp-introspect.[ch]
 /qmp-marshal.c
 /qemu-doc.html
-/qemu-tech.html
 /qemu-doc.info
-/qemu-tech.info
 /qemu-img
 /qemu-nbd
 /qemu-options.def
diff --git a/Makefile b/Makefile
index f103616..f148077 100644
--- a/Makefile
+++ b/Makefile
@@ -93,7 +93,7 @@ LIBS+=-lz $(LIBS_TOOLS)
 HELPERS-$(CONFIG_LINUX) = qemu-bridge-helper$(EXESUF)
 
 ifdef BUILD_DOCS
-DOCS=qemu-doc.html qemu-tech.html qemu.1 qemu-img.1 qemu-nbd.8 qemu-ga.8
+DOCS=qemu-doc.html qemu.1 qemu-img.1 qemu-nbd.8 qemu-ga.8
 ifdef CONFIG_VIRTFS
 DOCS+=fsdev/virtfs-proxy-helper.1
 endif
@@ -398,7 +398,6 @@ distclean: clean
 	rm -f qemu-doc.vr
 	rm -f config.log
 	rm -f linux-headers/asm
-	rm -f qemu-tech.info qemu-tech.aux qemu-tech.cp qemu-tech.dvi qemu-tech.fn qemu-tech.info qemu-tech.ky qemu-tech.log qemu-tech.pdf qemu-tech.pg qemu-tech.toc qemu-tech.tp qemu-tech.vr
 	for d in $(TARGET_DIRS); do \
 	rm -rf $$d || exit 1 ; \
         done
@@ -434,7 +433,7 @@ endif
 
 install-doc: $(DOCS)
 	$(INSTALL_DIR) "$(DESTDIR)$(qemu_docdir)"
-	$(INSTALL_DATA) qemu-doc.html  qemu-tech.html "$(DESTDIR)$(qemu_docdir)"
+	$(INSTALL_DATA) qemu-doc.html "$(DESTDIR)$(qemu_docdir)"
 	$(INSTALL_DATA) $(SRC_PATH)/docs/qmp-commands.txt "$(DESTDIR)$(qemu_docdir)"
 ifdef CONFIG_POSIX
 	$(INSTALL_DIR) "$(DESTDIR)$(mandir)/man1"
@@ -592,10 +591,10 @@ qemu-ga.8: qemu-ga.texi
 	  $(POD2MAN) --section=8 --center=" " --release=" " qemu-ga.pod > $@, \
 	  "  GEN   $@")
 
-dvi: qemu-doc.dvi qemu-tech.dvi
-html: qemu-doc.html qemu-tech.html
-info: qemu-doc.info qemu-tech.info
-pdf: qemu-doc.pdf qemu-tech.pdf
+dvi: qemu-doc.dvi
+html: qemu-doc.html
+info: qemu-doc.info
+pdf: qemu-doc.pdf
 
 qemu-doc.dvi qemu-doc.html qemu-doc.info qemu-doc.pdf: \
 	qemu-img.texi qemu-nbd.texi qemu-options.texi qemu-option-trace.texi \
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 5b93acc..05314c6 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -35,6 +35,7 @@
 * QEMU PC System emulator::
 * QEMU System emulator for non PC targets::
 * QEMU User space emulator::
+* Implementation notes::
 * License::
 * Index::
 @end menu
@@ -2949,6 +2950,8 @@ Run the emulation in single step mode.
 @end table
 
 
+@include qemu-tech.texi
+
 @node License
 @appendix License
 
diff --git a/qemu-tech.texi b/qemu-tech.texi
index 7535f5f..5dc0e3b 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -1,32 +1,5 @@
-\input texinfo @c -*- texinfo -*-
-@c %**start of header
-@setfilename qemu-tech.info
-
-@documentlanguage en
-@documentencoding UTF-8
-
-@settitle QEMU Internals
-@exampleindent 0
-@paragraphindent 0
-@c %**end of header
-
-@ifinfo
-@direntry
-* QEMU Internals: (qemu-tech).   The QEMU Emulator Internals.
-@end direntry
-@end ifinfo
-
-@iftex
-@titlepage
-@sp 7
-@center @titlefont{QEMU Internals}
-@sp 3
-@end titlepage
-@end iftex
-
-@ifnottex
-@node Top
-@top
+@node Implementation notes
+@appendix Implementation notes
 
 @menu
 * CPU emulation::
@@ -34,12 +7,9 @@
 * QEMU compared to other emulators::
 * Bibliography::
 @end menu
-@end ifnottex
-
-@contents
 
 @node CPU emulation
-@chapter CPU emulation
+@section CPU emulation
 
 @menu
 * x86::     x86 and x86-64 emulation
@@ -51,7 +21,7 @@
 @end menu
 
 @node x86
-@section x86 and x86-64 emulation
+@subsection x86 and x86-64 emulation
 
 QEMU x86 target features:
 
@@ -86,7 +56,7 @@ normal use.
 @end itemize
 
 @node ARM
-@section ARM emulation
+@subsection ARM emulation
 
 @itemize
 
@@ -99,7 +69,7 @@ normal use.
 @end itemize
 
 @node MIPS
-@section MIPS emulation
+@subsection MIPS emulation
 
 @itemize
 
@@ -126,7 +96,7 @@ Current QEMU limitations:
 @end itemize
 
 @node PPC
-@section PowerPC emulation
+@subsection PowerPC emulation
 
 @itemize
 
@@ -138,7 +108,7 @@ FPU and MMU.
 @end itemize
 
 @node SPARC
-@section Sparc32 and Sparc64 emulation
+@subsection Sparc32 and Sparc64 emulation
 
 @itemize
 
@@ -166,7 +136,7 @@ Current QEMU limitations:
 @end itemize
 
 @node Xtensa
-@section Xtensa emulation
+@subsection Xtensa emulation
 
 @itemize
 
@@ -191,7 +161,7 @@ may be created from overlay with minimal amount of hand-written code.
 @end itemize
 
 @node Translator Internals
-@chapter Translator Internals
+@section Translator Internals
 
 QEMU is a dynamic translator. When it first encounters a piece of code,
 it converts it to the host instruction set. Usually dynamic translators
@@ -294,7 +264,7 @@ translation blocks.
 @end table
 
 @node QEMU compared to other emulators
-@chapter QEMU compared to other emulators
+@section QEMU compared to other emulators
 
 Like bochs [1], QEMU emulates an x86 CPU. But QEMU is much faster than
 bochs as it uses dynamic compilation. Bochs is closely tied to x86 PC
@@ -345,7 +315,7 @@ VirtualBox [9], Xen [10] and KVM [11] are based on QEMU. QEMU-SystemC
 developed in SystemC.
 
 @node Bibliography
-@chapter Bibliography
+@section Bibliography
 
 @table @asis
 
@@ -399,5 +369,3 @@ Kernel Based Virtual Machine (KVM).
 QEMU-SystemC, a hardware co-simulator.
 
 @end table
-
-@bye
diff --git a/qemu.nsi b/qemu.nsi
index a20f6ef..1a2d7d1 100644
--- a/qemu.nsi
+++ b/qemu.nsi
@@ -171,10 +171,8 @@ SectionEnd
 Section "Documentation" SectionDoc
     SetOutPath "$INSTDIR"
     File "${BINDIR}\qemu-doc.html"
-    File "${BINDIR}\qemu-tech.html"
     CreateDirectory "$SMPROGRAMS\${PRODUCT}"
     CreateShortCut "$SMPROGRAMS\${PRODUCT}\User Documentation.lnk" "$INSTDIR\qemu-doc.html" "" "$INSTDIR\qemu-doc.html" 0
-    CreateShortCut "$SMPROGRAMS\${PRODUCT}\Technical Documentation.lnk" "$INSTDIR\qemu-tech.html" "" "$INSTDIR\qemu-tech.html" 0
 SectionEnd
 !endif
 
@@ -219,7 +217,6 @@ Section "Uninstall"
     Delete "$INSTDIR\qemu.exe"
     Delete "$INSTDIR\qemu-system-*.exe"
     Delete "$INSTDIR\qemu-doc.html"
-    Delete "$INSTDIR\qemu-tech.html"
     RMDir /r "$INSTDIR\keymaps"
     RMDir /r "$INSTDIR\share"
     ; Remove generated files
diff --git a/ui/cocoa.m b/ui/cocoa.m
index ba0e98a..26d4a1c 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -814,7 +814,6 @@ QemuCocoaView *cocoaView;
 - (void)doToggleFullScreen:(id)sender;
 - (void)toggleFullScreen:(id)sender;
 - (void)showQEMUDoc:(id)sender;
-- (void)showQEMUTec:(id)sender;
 - (void)zoomToFit:(id) sender;
 - (void)displayConsole:(id)sender;
 - (void)pauseQEMU:(id)sender;
@@ -998,13 +997,6 @@ QemuCocoaView *cocoaView;
     [self openDocumentation: @"qemu-doc.html"];
 }
 
-- (void)showQEMUTec:(id)sender
-{
-    COCOA_DEBUG("QemuCocoaAppController: showQEMUTec\n");
-
-    [self openDocumentation: @"qemu-tech.html"];
-}
-
 /* Stretches video to fit host monitor size */
 - (void)zoomToFit:(id) sender
 {
@@ -1335,7 +1327,6 @@ int main (int argc, const char * argv[]) {
     // Help menu
     menu = [[NSMenu alloc] initWithTitle:@"Help"];
     [menu addItem: [[[NSMenuItem alloc] initWithTitle:@"QEMU Documentation" action:@selector(showQEMUDoc:) keyEquivalent:@"?"] autorelease]]; // QEMU Help
-    [menu addItem: [[[NSMenuItem alloc] initWithTitle:@"QEMU Technology" action:@selector(showQEMUTec:) keyEquivalent:@""] autorelease]]; // QEMU Help
     menuItem = [[[NSMenuItem alloc] initWithTitle:@"Window" action:nil keyEquivalent:@""] autorelease];
     [menuItem setSubmenu:menu];
     [[NSApp mainMenu] addItem:menuItem];
-- 
2.7.4

Re: [Qemu-devel] [PATCH 05/10] qemu-tech: document lazy condition code evaluation in cpu.h

[Emilio G. Cota]

On Thu, Oct 06, 2016 at 17:24:18 +0200, Paolo Bonzini wrote:
> Unlike the other sections, they are pretty specific to a particular CPU.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  qemu-tech.texi     | 25 -------------------------
>  target-cris/cpu.h  |  7 +++++++
>  target-i386/cpu.h  |  7 +++++++
>  target-m68k/cpu.h  |  8 ++++++++
>  target-sparc/cpu.h |  5 +++++
>  5 files changed, 27 insertions(+), 25 deletions(-)
(snip)
> diff --git a/target-cris/cpu.h b/target-cris/cpu.h
> index 7d7fe6e..6d3de56 100644
> --- a/target-cris/cpu.h
> +++ b/target-cris/cpu.h
> @@ -223,6 +223,13 @@ int cpu_cris_signal_handler(int host_signum, void *pinfo,
>  void cris_initialize_tcg(void);
>  void cris_initialize_crisv10_tcg(void);
>  
> +/* Instead of computing the condition codes after each x86 instruction,
> + * QEMU just stores one operand (called CC_SRC), the result
> + * (called CC_DST) and the type of operation (called CC_OP). When the
> + * condition codes are needed, the condition codes can be calculated
> + * using this information. Condition codes are not generated if they
> + * are only needed for conditional branches.
> + */

This text doesn't seem to be cris-specific, e.g.:
- "each x86 instruction"
- CC_SRC (git grep CC_SRC here doesn't return anything)
- CC_DST (ditto)

>  enum {
>      CC_OP_DYNAMIC, /* Use env->cc_op  */
>      CC_OP_FLAGS,
> diff --git a/target-i386/cpu.h b/target-i386/cpu.h
> index 6d028aa..f606f15 100644
> --- a/target-i386/cpu.h
> +++ b/target-i386/cpu.h
> @@ -698,6 +698,13 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
>  /* Use a clearer name for this.  */
>  #define CPU_INTERRUPT_INIT      CPU_INTERRUPT_RESET
>  
> +/* Instead of computing the condition codes after each x86 instruction,
> + * QEMU just stores one operand (called CC_SRC), the result
> + * (called CC_DST) and the type of operation (called CC_OP). When the
> + * condition codes are needed, the condition codes can be calculated
> + * using this information. Condition codes are not generated if they
> + * are only needed for conditional branches.
> + */
>  typedef enum {
>      CC_OP_DYNAMIC, /* must use dynamic code to get cc_op */
>      CC_OP_EFLAGS,  /* all cc are explicitly computed, CC_SRC = flags */
> diff --git a/target-m68k/cpu.h b/target-m68k/cpu.h
> index c2d40cb..ccc7157 100644
> --- a/target-m68k/cpu.h
> +++ b/target-m68k/cpu.h
> @@ -154,6 +154,14 @@ int cpu_m68k_signal_handler(int host_signum, void *pinfo,
>                             void *puc);
>  void cpu_m68k_flush_flags(CPUM68KState *, int);
>  
> +
> +/* Instead of computing the condition codes after each x86 instruction,
> + * QEMU just stores one operand (called CC_SRC), the result
> + * (called CC_DST) and the type of operation (called CC_OP). When the
> + * condition codes are needed, the condition codes can be calculated
> + * using this information. Condition codes are not generated if they
> + * are only needed for conditional branches.
> + */

Same as above:
- "each x86 instruction"
- no CC_DST

		Emilio

Re: [Qemu-devel] [PATCH 05/10] qemu-tech: document lazy condition code evaluation in cpu.h

[Paolo Bonzini]

On 06/10/2016 18:18, Emilio G. Cota wrote:
> On Thu, Oct 06, 2016 at 17:24:18 +0200, Paolo Bonzini wrote:
>> Unlike the other sections, they are pretty specific to a particular CPU.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> ---
>>  qemu-tech.texi     | 25 -------------------------
>>  target-cris/cpu.h  |  7 +++++++
>>  target-i386/cpu.h  |  7 +++++++
>>  target-m68k/cpu.h  |  8 ++++++++
>>  target-sparc/cpu.h |  5 +++++
>>  5 files changed, 27 insertions(+), 25 deletions(-)
> (snip)
>> diff --git a/target-cris/cpu.h b/target-cris/cpu.h
>> index 7d7fe6e..6d3de56 100644
>> --- a/target-cris/cpu.h
>> +++ b/target-cris/cpu.h
>> @@ -223,6 +223,13 @@ int cpu_cris_signal_handler(int host_signum, void *pinfo,
>>  void cris_initialize_tcg(void);
>>  void cris_initialize_crisv10_tcg(void);
>>  
>> +/* Instead of computing the condition codes after each x86 instruction,
>> + * QEMU just stores one operand (called CC_SRC), the result
>> + * (called CC_DST) and the type of operation (called CC_OP). When the
>> + * condition codes are needed, the condition codes can be calculated
>> + * using this information. Condition codes are not generated if they
>> + * are only needed for conditional branches.
>> + */
> 
> This text doesn't seem to be cris-specific, e.g.:
> - "each x86 instruction"
> - CC_SRC (git grep CC_SRC here doesn't return anything)
> - CC_DST (ditto)

Yeah, it's cc_src and cc_dest.  The uppercase is a relic of dyngen
(pre-TCG).  Same for m68k.

Paolo

> 
>>  enum {
>>      CC_OP_DYNAMIC, /* Use env->cc_op  */
>>      CC_OP_FLAGS,
>> diff --git a/target-i386/cpu.h b/target-i386/cpu.h
>> index 6d028aa..f606f15 100644
>> --- a/target-i386/cpu.h
>> +++ b/target-i386/cpu.h
>> @@ -698,6 +698,13 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
>>  /* Use a clearer name for this.  */
>>  #define CPU_INTERRUPT_INIT      CPU_INTERRUPT_RESET
>>  
>> +/* Instead of computing the condition codes after each x86 instruction,
>> + * QEMU just stores one operand (called CC_SRC), the result
>> + * (called CC_DST) and the type of operation (called CC_OP). When the
>> + * condition codes are needed, the condition codes can be calculated
>> + * using this information. Condition codes are not generated if they
>> + * are only needed for conditional branches.
>> + */
>>  typedef enum {
>>      CC_OP_DYNAMIC, /* must use dynamic code to get cc_op */
>>      CC_OP_EFLAGS,  /* all cc are explicitly computed, CC_SRC = flags */
>> diff --git a/target-m68k/cpu.h b/target-m68k/cpu.h
>> index c2d40cb..ccc7157 100644
>> --- a/target-m68k/cpu.h
>> +++ b/target-m68k/cpu.h
>> @@ -154,6 +154,14 @@ int cpu_m68k_signal_handler(int host_signum, void *pinfo,
>>                             void *puc);
>>  void cpu_m68k_flush_flags(CPUM68KState *, int);
>>  
>> +
>> +/* Instead of computing the condition codes after each x86 instruction,
>> + * QEMU just stores one operand (called CC_SRC), the result
>> + * (called CC_DST) and the type of operation (called CC_OP). When the
>> + * condition codes are needed, the condition codes can be calculated
>> + * using this information. Condition codes are not generated if they
>> + * are only needed for conditional branches.
>> + */
> 
> Same as above:
> - "each x86 instruction"
> - no CC_DST
> 
> 		Emilio
> 

Re: [Qemu-devel] [PATCH 09/10] qemu-tech: rewrite some parts

[Emilio G. Cota]

On Thu, Oct 06, 2016 at 17:24:22 +0200, Paolo Bonzini wrote:
> Drop most the device emulation part and merge the rest into the description
> of the MMU.  Make some bits more up-to-date.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(snip)
>  The host SIGSEGV and SIGBUS signal handlers are used to get invalid
> -memory accesses. The simulated program counter is found by
> -retranslating the corresponding basic block and by looking where the
> -host program counter was at the exception point.
> -
> -The virtual CPU cannot retrieve the exact @code{EFLAGS} register because
> -in some cases it is not computed because of condition code
> -optimisations. It is not a big concern because the emulated code can
> -still be restarted in any cases.
> -
> -@node MMU emulation
> -@section MMU emulation
> -
> -For system emulation QEMU supports a soft MMU. In that mode, the MMU
> +memory accesses. QEMU keeps a map that host program counter to
> +target program counter, and looks up where the exception happened
> +based on the host program counter at the exception point.

I had to read "keeps a map that host program to target program counter"
several times; that "that" confused me.
Perhaps "keeps a map of host-to-target program counters" would
be clearer?

> +On some targets, some bits of the virtual CPU's state are not flushed to the
> +memory until the end of the translation block.  This is done for internal

"flushed to memory" sounds better to me than "flushed to the memory".

		Emilio

Re: [Qemu-devel] [PATCH 00/10] qemu-tech cleanup

[Emilio G. Cota]

On Thu, Oct 06, 2016 at 17:24:13 +0200, Paolo Bonzini wrote:
> qemu-tech is limited to TCG and large parts of it are obsolete or are
> just fine in qemu-doc.  Split it into other sources of documentation,
> placing what's left in an appendix of qemu-doc.
> 
> Ultimately we should have a new internals manual built from docs/, and
> then the "Translator Internals" parts of qemu-tech could move to docs/
> as well.  The bits on limitation and features of CPU emulation should
> remain in qemu-doc.  They are not entirely up-to-date, but I am not
> attempting to improve that yet---also because I could only really do
> that for x86.

Very happy with this update!

Reviewed-by: Emilio G. Cota <cota@braap.org>
for the whole patchset.

Thanks,

		Emilio

Re: [Qemu-devel] [PATCH 06/10] qemu-tech: move user mode emulation features from qemu-tech

[Jonathan Neuschäfer]

[-- Attachment #1: Type: text/plain, Size: 637 bytes --]

On Thu, Oct 06, 2016 at 05:24:19PM +0200, Paolo Bonzini wrote:
> These are interesting for users too, since nowadays most
> qemu-user users are going to be somewhat technical rather than
> just people that want to run Wine.  Some detail is lost, on
> the other hand some of the information I removed (e.g. basic
> block unchaining) was obsolete.
> 
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
[...]
> +@item Threading:
> +On Linux, QEMU can emulate the @code{clone} and create a real host

s/@code{clone}/@code{clone} syscall/ ?

Thanks for reworking the documentation!


Regards,
Jonathan Neuschäfer

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [Qemu-devel] [PATCH 05/10] qemu-tech: document lazy condition code evaluation in cpu.h

[Peter Maydell]

On 6 October 2016 at 16:24, Paolo Bonzini <pbonzini@redhat.com> wrote:
> Unlike the other sections, they are pretty specific to a particular CPU.
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  qemu-tech.texi     | 25 -------------------------
>  target-cris/cpu.h  |  7 +++++++
>  target-i386/cpu.h  |  7 +++++++
>  target-m68k/cpu.h  |  8 ++++++++
>  target-sparc/cpu.h |  5 +++++
>  5 files changed, 27 insertions(+), 25 deletions(-)

target-s390x/ also seems to have the CC optimization...

thanks
-- PMM

Re: [Qemu-devel] [PATCH 09/10] qemu-tech: rewrite some parts

[Paolo Bonzini]

On 06/10/2016 18:31, Emilio G. Cota wrote:
>> > -
>> > -For system emulation QEMU supports a soft MMU. In that mode, the MMU
>> > +memory accesses. QEMU keeps a map that host program counter to
>> > +target program counter, and looks up where the exception happened
>> > +based on the host program counter at the exception point.
> I had to read "keeps a map that host program to target program counter"
> several times; that "that" confused me.
> Perhaps "keeps a map of host-to-target program counters" would
> be clearer?
> 

It should have been a "from" (from host program counter to target
program counter).

Paolo

Re: [Qemu-devel] [PATCH 06/10] qemu-tech: move user mode emulation features from qemu-tech

[Paolo Bonzini]

On 06/10/2016 20:32, Jonathan Neuschäfer wrote:
> On Thu, Oct 06, 2016 at 05:24:19PM +0200, Paolo Bonzini wrote:
>> These are interesting for users too, since nowadays most
>> qemu-user users are going to be somewhat technical rather than
>> just people that want to run Wine.  Some detail is lost, on
>> the other hand some of the information I removed (e.g. basic
>> block unchaining) was obsolete.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> ---
> [...]
>> +@item Threading:
>> +On Linux, QEMU can emulate the @code{clone} and create a real host
> 
> s/@code{clone}/@code{clone} syscall/ ?

Indeed, thanks!

Paolo

> Thanks for reworking the documentation!
> 
> 
> Regards,
> Jonathan Neuschäfer
> 

Re: [Qemu-devel] [PATCH 05/10] qemu-tech: document lazy condition code evaluation in cpu.h

[Paolo Bonzini]

On 06/10/2016 20:45, Peter Maydell wrote:
> On 6 October 2016 at 16:24, Paolo Bonzini <pbonzini@redhat.com> wrote:
>> Unlike the other sections, they are pretty specific to a particular CPU.
>>
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> ---
>>  qemu-tech.texi     | 25 -------------------------
>>  target-cris/cpu.h  |  7 +++++++
>>  target-i386/cpu.h  |  7 +++++++
>>  target-m68k/cpu.h  |  8 ++++++++
>>  target-sparc/cpu.h |  5 +++++
>>  5 files changed, 27 insertions(+), 25 deletions(-)
> 
> target-s390x/ also seems to have the CC optimization...

Indeed:

diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 4fb34b5..4e58cde 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -671,6 +671,13 @@ ObjectClass *s390_cpu_class_by_name(const char *name);
 
 /* CC optimization */
 
+/* Instead of computing the condition codes after each x86 instruction,
+ * QEMU just stores the result (called CC_DST), the type of operation
+ * (called CC_OP) and whatever operands are needed (CC_SRC and possibly
+ * CC_VR). When the condition codes are needed, the condition codes can
+ * be calculated using this information. Condition codes are not generated
+ * if they are only needed for conditional branches.
+ */
 enum cc_op {
     CC_OP_CONST0 = 0,           /* CC is 0 */
     CC_OP_CONST1,               /* CC is 1 */

Paolo