TCG IR extraction

TCG IR extraction

[Tom Clark]

[-- Attachment #1: Type: text/plain, Size: 982 bytes --]

Hello,

Thanks so much for reading this and I appreciate any and all time you put
into this.

I'm a dev working on a project that's using QEMU as its basis. I'm
interested in extracting the IR representation of translation blocks,
preferably at the instruction level, to do some analysis on it. In various
documentation around the web I see lots of references to textual examples
of the IR so I assumed it would be possible to extract it in byte format
and convert to textual myself.

I've done a lot of digging in the source and found the code_gen_buffer and
determined that's where the IR generation is being written to, but I'm
having trouble cross referencing DisasContext, etc, with that global to
actually identify individual lines of code. I'm also assuming there's some
kind of framing going on, so I don't think that I can even expect it to be
a simple buffer of bytes.

So my  - is this reasonable to even attempt, and if so, how would you go
about doing it?

Regards,
-T

[-- Attachment #2: Type: text/html, Size: 1199 bytes --]

Re: TCG IR extraction

[Richard Henderson]

On 8/31/22 19:11, Tom Clark wrote:
> I've done a lot of digging in the source and found the code_gen_buffer and determined 
> that's where the IR generation is being written to

That's not IR generation, but the JIT compiler output.

There's no sequential "byte" format.  There's struct TCGOp, which is the double-linked 
list of operations and its parameters, which are (encoded) TCGTemp and constants, and you 
need tcg_op_defs[] to interpret them.

See e.g. tcg_optimize() for how to iterate through the list and interpret each opcode.


r~

Re: TCG IR extraction

[Alex Bennée]

Tom Clark <tsc288@gmail.com> writes:

> Hello,
>
> Thanks so much for reading this and I appreciate any and all time you put into this.
>
> I'm a dev working on a project that's using QEMU as its basis. I'm interested in extracting the IR representation of
> translation blocks, preferably at the instruction level, to do some
> analysis on it.

If you are purely interested in the instruction level you could look at
TCG plugins although they deliberately don't expose any of the details of the
underlying TCGOps.

> In various documentation around the web
> I see lots of references to textual examples of the IR so I assumed it would be possible to extract it in byte format and
> convert to textual myself. 
>
> I've done a lot of digging in the source and found the code_gen_buffer and determined that's where the IR generation is
> being written to, but I'm having trouble cross referencing DisasContext, etc, with that global to actually identify individual
> lines of code. I'm also assuming there's some kind of framing going on, so I don't think that I can even expect it to be a
> simple buffer of bytes.
>
> So my  - is this reasonable to even attempt, and if so, how would you go about doing it?
>
> Regards,
> -T


-- 
Alex Bennée