From: Xin Tong
Date: Thu, 24 Nov 2011 20:54:36 -0500
To: 陳韋任
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] TB chaining
In-Reply-To: <20110924111600.GA35317@cs.nctu.edu.tw>

I came back to the block chaining code. This code is still not very clear to me. Here we are linking tb_next -> tb. jmp_next of the tb contains the next TBs it will jump to. Why are we checking !tb->jmp_next[n], but not !tb_next->jmp_next[n]?
    static inline void tb_add_jump(TranslationBlock *tb, int n,
                                   TranslationBlock *tb_next)
    {
        /* chain exit n of tb only if it has not been linked yet */
        if (!tb->jmp_next[n]) {
            /* patch the native jump address */
            tb_set_jmp_target(tb, n, (unsigned long)tb_next->tc_ptr);
            /* add in TB jmp circular list */
            tb->jmp_next[n] = tb_next->jmp_first;
            tb_next->jmp_first = (TranslationBlock *)((long)(tb) | (n));
        }
    }

Thanks a lot
Xin

On Sat, Sep 24, 2011 at 7:16 AM, 陳韋任 wrote:
>> Say you are trying to emulate an indirect jump (i.e. jmp eax). Because eax
>> is unknown at compile time, you will have to return to the main loop to look
>> it up. However, if you know some likely values, you can do a few cached
>> compares and hope it hits one of them.
>>
>> compare eax = 0x33e3e23
>> jmp tb 30
>> compare eax = 0332d2ed
>> jmp tb 30
>> tb exit
>
> I believe we are talking about the same thing. :-) The terminology
> "IBTC" is coined by "Evaluating Indirect Branch Handling Mechanisms
> in Software Dynamic Translation Systems". QEMU does not implement
> IBTC or inline caching.
>
>> If the branch target is fixed, you will still need 2 jmps, one for the taken
>> branch, another for the not-taken branch. Can you show me where the code
>> that does that is?
>
> Take x86 for example, see gen_goto_tb (target-i386/translate.c).
> gen_goto_tb generates TCG IR for block chaining. Here is the code
> snippet of gen_goto_tb.
>
> tcg_gen_goto_tb(tb_num); // tb_num could be taken or not-taken branch
>
> gen_jmp_im(eip);
>
> tcg_gen_exit_tb((tcg_target_long)tb + tb_num);
>
> How block chaining is done is a little complicated. You can refer to the
> white paper "Porting QEMU to Plan 9: QEMU Internals and Port Strategy"
> to get a general idea.
>
> HTH.
>
> Regards,
> chenwj
>
> --
> Wei-Ren Chen (陳韋任)
> Computer Systems Lab, Institute of Information Science,
> Academia Sinica, Taiwan (R.O.C.)
> Tel:886-2-2788-3799 #1667
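As an added illustration (not code from the thread or from QEMU), here is a small model of the jmp_first/jmp_next circular list that tb_add_jump maintains, showing why a non-NULL jmp_next[n] means exit n is already chained and how the list is walked to find every TB that jumps into a given TB. The struct, tb_init, tb_count_incoming and the sample TBs are assumed simplifications; the (tb | 2) terminator is the value old QEMU stored in jmp_first when a TB was linked in.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for the TranslationBlock fields the thread is about
   (assumed simplification; the real struct carries many more fields). */
typedef struct TB {
    int id;                 /* stands in for tc_ptr */
    struct TB *jmp_next[2]; /* link for the jump leaving this TB via exit n */
    struct TB *jmp_first;   /* head of the list of TBs that jump into this TB */
} TB;

/* Fresh TB: empty incoming list. The terminator is the tagged pointer
   (tb | 2), the value old QEMU stores in jmp_first when a TB is linked in. */
static void tb_init(TB *tb, int id) {
    tb->id = id;
    tb->jmp_next[0] = tb->jmp_next[1] = NULL;
    tb->jmp_first = (TB *)((uintptr_t)tb | 2);
}

/* Same bookkeeping as the tb_add_jump in the mail, minus native jump patching.
   Returns 1 if a link was added, 0 if exit n was already chained: jmp_next[n]
   turns non-NULL on the first link because jmp_first is never NULL. */
static int tb_add_jump(TB *tb, int n, TB *tb_next) {
    if (tb->jmp_next[n]) return 0;
    tb->jmp_next[n] = tb_next->jmp_first;
    tb_next->jmp_first = (TB *)((uintptr_t)tb | (uintptr_t)n);
    return 1;
}

/* Walk the circular list rooted at tb->jmp_first. Each entry is a tagged
   pointer (source TB | exit number); tag 2 means the walk is back at tb.
   This is the traversal needed to find every predecessor of tb. */
static int tb_count_incoming(TB *tb) {
    int count = 0;
    for (TB *p = tb->jmp_first;;) {
        int n = (int)((uintptr_t)p & 3);
        TB *src = (TB *)((uintptr_t)p & ~(uintptr_t)3);
        if (n == 2) return count;
        count++;
        p = src->jmp_next[n];
    }
}

static TB tb_a, tb_b, tb_c, tb_d; /* constructed sample TBs */
/* Scenario: A's exit 0 and B's exit 1 both chain to C; returns C's incoming count. */
static int demo_chain(void) {
    tb_init(&tb_a, 1); tb_init(&tb_b, 2); tb_init(&tb_c, 3); tb_init(&tb_d, 4);
    tb_add_jump(&tb_a, 0, &tb_c);
    tb_add_jump(&tb_b, 1, &tb_c);
    return tb_count_incoming(&tb_c);
}
```

After demo_chain() runs, a second tb_add_jump(&tb_a, 0, &tb_d) returns 0 because tb_a's exit 0 already holds a list link, while exit 1 can still be chained.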