[Question] How To Log QEMU Memory Access
peter.maydell at linaro.org
Thu Mar 15 12:41:09 UTC 2012
2012/3/15 周春华 <uulinux at gmail.com>:
> Do you means that the QEMU TLB maps the guest virtual address to host
> virtual address,
> and the begging and end virtual addresses of the memory
> allocated for RAM device emulating are the RAM physical begging and end
> address from guest view?
I don't know what you mean by this. RAM in qemu need not be
contiguous in guest physical address space, and it need not
be contiguous in host physical address space either.
> If so, it seems hard to monitor the guest physical memory.
Yes, that's what I said.
> However, [exec.c:qemu_get_ram_ptr] seems to get a host virtual address from
> a guest physical address. It confuses me.
Obviously QEMU knows how to map between guest physical addresses
and host virtual addresses, or it wouldn't work. This function
is one very small part of a complicated subsystem which caches
the "guest virtual -> guest physical -> host virtual" lookups so
we don't need to do them again and again when we execute load or
If you want to follow the code in more detail, when QEMU gets
a "TLB miss" (ie it doesn't know where the RAM for a guest virtual
address is) it calls target-arm/helper.c:cpu_arm_handle_mmu_fault().
This calls get_phys_addr() to do a page table walk and convert the
guest virtual address to a guest physical address. Assuming that
succeeded, it calls exec.c:tlb_set_page(), passing the guest
virtual and guest physical addresses, to add a TLB entry. This
function calls memory_region_get_ram_ptr() which in turn calls
qemu_get_ram_ptr(), getting the host virtual address. We can then
cache the host virtual address for this guest virtual address in the
TLB entry. Later on when we actually execute a guest load or store
instruction we will pull the TLB entry out of the data structure and
use the host virtual address cached in it. tcg_out_qemu_ld/st
are the functions which generate the native code which gets the
TLB entry and loads via the cached host virtual address.
Note that there are other slow paths for memory access which don't
use the TLB and instead do go via physical addresses at the time
they need to do the load/store.
More information about the linaro-dev