docs/devel/tcg.rst

7 QEMU is a dynamic translator. When it first encounters a piece of code,
13 QEMU's dynamic translation backend is called TCG, for "Tiny Code
25 CPU cannot change in it. The state is recorded in the Translation
36 After each translated basic block is executed, QEMU uses the simulated
40 In its simplest, less optimized form, this is done by exiting from the
49 It is mandatory to exit this way after any CPU state changes that may
53 simulated PC is already available, QEMU has mechanisms that allow
62 matches the current CPU state. If the destination TB is available its
63 code address is returned, otherwise the address of the JIT epilogue is
64 returned. The call to the helper is always followed by the tcg ``goto_ptr``
78    that has been assumed constant and is required by the main loop to
79    correctly locate and execute the next TB. For most guests, this is
89 associated with the specified jump slot. Initially, this is the address
95 The first time this whole sequence is executed, step 1 simply jumps
97 the current TB. As a result, the behavior is very similar to the less
107 The next time this previous TB is executed and we get to that same
109 is still in memory) and will jump directly to the first instruction of
122 jump slot index, the address of the TB just executed is also returned.
130 Self-modifying code is a special challenge in x86 emulation because no
131 instruction cache invalidation is signaled by the application when code
132 is modified.
134 User-mode emulation marks a host page as write-protected (if it is
135 not already read-only) every time translated code is generated for a
136 basic block.  Then, if a write access is done to the page, Linux raises
139 protection is achieved through the software MMU.
141 Correct translated code invalidation is done efficiently by maintaining
154 longjmp() is used when an exception such as division by zero is
163 memory until the end of the translation block.  This is done for internal
164 emulation state that is rarely accessed directly by the program and/or changes
167 Arm, and so on.  This state is stored for each target instruction, and
174 virtual to physical address translation is done at every memory
180 means that each basic block is indexed with its physical address.
183 change, chaining is only performed when the destination of the jump
184 shares a page with the basic block that is performing the jump.
187 areas.  Access is faster for RAM and ROM because the translation cache also
200 map files. ``-perfmap`` is lightweight and produces only guest-host mappings.