Verified Commit b1663bd3 authored by SIMONIN Matthieu

doc/qemu mmio management

parent 478ccefe
Pipeline #153117 passed with stages
in 4 minutes and 34 seconds
* MMIO management
- Question: what happens when the guest wants to send a network packet?
- Configuration under consideration:
+ full emulation (software QEMU, TCG accelerated) with an emulated e1000 network card (network frontend) and a TAP network backend
+ example of the corresponding command:
~qemu-system-x86_64 --accel tcg -m 1g -drive file=tantap.qcow2 -netdev tap,id=mynet0,ifname=tap0,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01~
- Initialisation
When the device is initialised it registers an MMIO region: a special MemoryRegion whose ~MemoryRegionOps~ carry the callbacks invoked on ~read~ and ~write~ accesses to that region.
+ For the emulated e1000 card this is found here:
+ The MMIO region is built with these options:
+ ~e1000_mmio_write~ is responsible for sending the network packet to the card's peer (here the TAP backend)
- After a few more calls, e1000 ends up calling ~qemu_send_packet~, the generic function that transfers data between peers (here frontend -> backend):
- Runtime: how and when are the ~read/write~ callbacks actually called?
+ that's easy to answer by tracing the callers: the ~read/write~ callbacks are invoked by ~memory_region_dispatch_read/write~ (memory.c), which are called from ~io_readx/io_writex~ in ~cputlb.c~,
which in turn are called by ~load_helper/store_helper~ in the same file.
- Now the fun part: who calls the helper functions?
+ enter the TCG magic ...
+ for instance, an ARM guest can be emulated on an i386 machine.
QEMU has to support various guest/host combinations (arm, i386, 32 bit, 64 bit).
While the guest can be almost anything, the host is fixed by the machine QEMU is running on.
+ QEMU translates guest instructions into instructions the host understands in 2 phases:
- first it translates the guest instructions into instructions of an intermediate instruction set, the TCG (Tiny Code Generator) ops
- second it translates the TCG ops into instructions executable by the host
- translation happens in the emulated CPU's execution loop:
an emulated CPU will (almost) continuously
+ fetch the next set of guest instructions to translate and translate it to TCG ops
+ then translate those into the host instruction set
+ and execute the result
+ First phase: guest to TCG (this part depends on the guest architecture)
- instructions are translated in blocks, the ~Translation Block (tb)~; each tb is
translated one after the other.
- a ~Tb~ in QEMU stores some metadata
about the translated instructions (e.g. the program counter of the
current block, the address of the next instruction of the next Tb, used e.g. to
jump directly to the next Tb's code)
- there is a cache mechanism that caches Tbs
- within a block, guest instructions are translated one after another.
+ this depends on the guest arch: e.g. for i386
- e.g. for the ~inc~ instruction
- One interesting aspect is that for memory accesses TCG emits dedicated load/store ops
+ e.g. for ~inc~, if the operand is a memory address this is detected and a special load op is generated (instead of a move)
+ the op loading the operand (the address in this case) is generated here:
+ the op storing the operand (the address in this case) is generated here:
+ Second phase: TCG to host
- ~tcg_gen_code~ goes through all the TCG ops
- but now we have the special ld/st ops wherever memory is accessed.
This code is specific to the host arch. For i386:
for the ld/st ops
the opcodes are macro generated by:
- For load/store ops, QEMU relies on a TLB to do the guest to host address translation and then performs the access
+ e.g. for the ld op:
+ the host address is derived from the TLB entry:
+ if a TLB miss occurs (at execution time, not at translation time) the generated code takes a conditional jump:
- Once all the TCG ops have been translated, QEMU generates all the slow path blocks (needed in case of a TLB miss)
+ here
+ for the i386/ld op:
+ and here ... is the magic ... it generates a call to a C helper function:
- the load/store helpers call ~io_readx~/~io_writex~ if the ~tlb_addr~ is flagged as an MMIO region: e.g.
- TODO who's flagging the ~tlb_addr~ as MMIO?
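To see the whole path end to end, here is a stand-alone C model of it, added to these notes (example code, not QEMU's): a device registers a ~MemoryRegionOps~-style read/write pair, the TLB entry for its page carries an MMIO flag, and the load/store helpers dispatch to ~io_readx~/~io_writex~ (and from there to the device callbacks) when the flag is set, or to host RAM otherwise. The names mirror the QEMU ones quoted above; the struct layouts, the position of the ~TLB_MMIO~ bit, the toy NIC's register map (register 0 as a TX doorbell standing in for the e1000 transmit path), ~MMIO_BASE~ and the identity guest-to-host mapping are all assumptions made for the example. It also shows, for this toy, where the flag of the TODO above gets set: in ~tlb_fill~, when the page resolves to a device region instead of RAM (QEMU does the equivalent in ~tlb_set_page_with_attrs~ in ~cputlb.c~ for sections that are not RAM).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model of QEMU's MMIO dispatch path (example code, not QEMU's). Names mirror QEMU's; struct
 * layouts, the flag bit, the NIC register map and MMIO_BASE are assumptions; addresses are physical. */
#define PAGE_BITS 12
#define PAGE_SIZE (1u << PAGE_BITS)
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define TLB_MMIO  (1u << 5)        /* assumed flag bit in the low bits of addr_read/addr_write */
#define TLB_SIZE  8
#define RAM_SIZE  (2 * PAGE_SIZE)
#define MMIO_BASE 0xF0000000u      /* assumed base of the toy NIC's register window */
typedef uint32_t target_ulong;
typedef struct MemoryRegionOps {   /* the callbacks a device registers for its region */
    uint64_t (*read)(void *opaque, uint64_t off, unsigned size);
    void (*write)(void *opaque, uint64_t off, uint64_t val, unsigned size);
} MemoryRegionOps;
typedef struct MemoryRegion { const MemoryRegionOps *ops; void *opaque; target_ulong base, size; } MemoryRegion;
/* TLB entry: page address plus flag bits, and either a host RAM pointer or the region to dispatch to.
 * CPU: a TLB, some RAM, one device region, and counters that make the path taken observable. */
typedef struct CPUTLBEntry { target_ulong addr_read, addr_write; uint8_t *host; MemoryRegion *mr; } CPUTLBEntry;
typedef struct CPUState { CPUTLBEntry tlb[TLB_SIZE]; uint8_t ram[RAM_SIZE]; MemoryRegion *mmio;
                          int tlb_misses, io_reads, io_writes; } CPUState;
/* Toy NIC: register 0 is a TX doorbell; a write there "sends" a packet (the point where a
 * real e1000_mmio_write ends up calling qemu_send_packet). */
typedef struct NicState { uint32_t regs[4]; int packets_sent; } NicState;
static uint64_t nic_mmio_read(void *opaque, uint64_t off, unsigned size) {
    NicState *s = opaque; (void)size; return off / 4 < 4 ? s->regs[off / 4] : 0;
}
static void nic_mmio_write(void *opaque, uint64_t off, uint64_t val, unsigned size) {
    NicState *s = opaque; (void)size;
    if (off / 4 < 4) s->regs[off / 4] = (uint32_t)val;
    if (off == 0) s->packets_sent++;
}
static const MemoryRegionOps nic_mmio_ops = { nic_mmio_read, nic_mmio_write };
static NicState g_nic; static CPUState g_cpu;
static MemoryRegion g_nic_mr = { &nic_mmio_ops, &g_nic, MMIO_BASE, PAGE_SIZE };
static unsigned tlb_index(target_ulong addr) { return (addr >> PAGE_BITS) % TLB_SIZE; }
/* Slow path: resolve the page and fill the entry. This is where TLB_MMIO gets set
 * (QEMU does the equivalent in tlb_set_page_with_attrs for sections that are not RAM). */
static int tlb_fill(CPUState *cpu, target_ulong addr) {
    CPUTLBEntry *e = &cpu->tlb[tlb_index(addr)];
    target_ulong page = addr & PAGE_MASK; MemoryRegion *mr = cpu->mmio;
    cpu->tlb_misses++;
    if (page < RAM_SIZE) {                                  /* RAM: host pointer, no flags */
        e->addr_read = e->addr_write = page; e->host = cpu->ram + page; e->mr = NULL;
    } else if (mr && page >= mr->base && page < mr->base + mr->size) {  /* device: flag as MMIO */
        e->addr_read = e->addr_write = page | TLB_MMIO; e->host = NULL; e->mr = mr;
    } else {                                                /* unmapped: a real CPU would fault */
        e->addr_read = e->addr_write = (target_ulong)-1; return 0;
    }
    return 1;
}
static CPUTLBEntry *tlb_lookup(CPUState *cpu, target_ulong addr) {  /* fast path: page bits match? else tlb_fill */
    CPUTLBEntry *e = &cpu->tlb[tlb_index(addr)];
    return ((e->addr_read & PAGE_MASK) == (addr & PAGE_MASK) || tlb_fill(cpu, addr)) ? e : NULL;
}
/* io_readx/io_writex hand the access to the region's callbacks */
static uint64_t io_readx(CPUState *cpu, CPUTLBEntry *e, target_ulong addr, unsigned size)
{ cpu->io_reads++; return e->mr->ops->read(e->mr->opaque, addr - e->mr->base, size); }
static void io_writex(CPUState *cpu, CPUTLBEntry *e, target_ulong addr, uint64_t val, unsigned size)
{ cpu->io_writes++; e->mr->ops->write(e->mr->opaque, addr - e->mr->base, val, size); }
/* load_helper/store_helper: what the generated slow-path code calls (32-bit access here) */
static uint32_t load_helper(CPUState *cpu, target_ulong addr) {
    CPUTLBEntry *e = tlb_lookup(cpu, addr);
    uint32_t v = 0xFFFFFFFFu;                               /* returned for unmapped addresses */
    if (e && (e->addr_read & TLB_MMIO)) return (uint32_t)io_readx(cpu, e, addr, 4);
    if (e) memcpy(&v, e->host + (addr & ~PAGE_MASK), 4);
    return v;
}
static void store_helper(CPUState *cpu, target_ulong addr, uint32_t val) {
    CPUTLBEntry *e = tlb_lookup(cpu, addr);
    if (e && (e->addr_write & TLB_MMIO)) io_writex(cpu, e, addr, val, 4);
    else if (e) memcpy(e->host + (addr & ~PAGE_MASK), &val, 4);
}
static void cpu_reset(void) {
    memset(&g_cpu, 0, sizeof g_cpu); memset(&g_nic, 0, sizeof g_nic); g_cpu.mmio = &g_nic_mr;
    for (int i = 0; i < TLB_SIZE; i++) g_cpu.tlb[i].addr_read = g_cpu.tlb[i].addr_write = (target_ulong)-1;
}
/* "inc [addr]" as load, add, store through the helpers: in RAM the entry is plain, in the
 * NIC window the same three accesses are routed to nic_mmio_read/nic_mmio_write. Returns 42. */
uint32_t demo_inc(target_ulong addr) {
    store_helper(&g_cpu, addr, 41);
    store_helper(&g_cpu, addr, load_helper(&g_cpu, addr) + 1);
    return load_helper(&g_cpu, addr);
}
/* two writes to the doorbell "send" two packets; the ordinary register write sends none */
int demo_doorbell(void) {
    store_helper(&g_cpu, MMIO_BASE + 4, 0x1234);
    store_helper(&g_cpu, MMIO_BASE, 1); store_helper(&g_cpu, MMIO_BASE, 1);
    return g_nic.packets_sent;
}
int main(void) {
    cpu_reset();
    printf("ram inc -> %u\n", demo_inc(0x1004));
    printf("  tlb misses %d, io reads %d\n", g_cpu.tlb_misses, g_cpu.io_reads);
    printf("mmio inc -> %u\n", demo_inc(MMIO_BASE + 8));
    printf("  tlb misses %d, io reads %d\n", g_cpu.tlb_misses, g_cpu.io_reads);
    printf("doorbell -> %d packets sent\n", demo_doorbell());
    return 0;
}
```

The page-bits comparison in ~tlb_lookup~ stands for the inline check the host code emits for every ld/st op, and ~tlb_fill~ for the slow-path block it jumps to on a miss; the counters show that the RAM increment never touches the callbacks while the same three accesses in the NIC window each go through them, and that a second access to an already-filled page costs no further miss.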