docs/devel/tcg.rst

7 QEMU is a dynamic translator. When it first encounters a piece of code,
9 are very complicated and highly CPU dependent. QEMU uses some tricks
13 QEMU's dynamic translation backend is called TCG, for "Tiny Code
14 Generator". For more information, please take a look at :ref:`tcg-ops-ref`.
17 details of QEMU's dynamic translator.
20 -----------------------
29 to other aspects of the CPU state.  For example, on x86, if the SS,
34 ---------------------
36 After each translated basic block is executed, QEMU uses the simulated
42 main loop. That’s where QEMU looks for the next TB to execute,
44 in memory. Then QEMU proceeds to execute this next TB, starting at the
48 callback to be re-evaluated before executing additional instructions.
53 simulated PC is already available, QEMU has mechanisms that allow
127 Self-modifying code and translated code invalidation
128 ----------------------------------------------------
130 Self-modifying code is a special challenge in x86 emulation because no
134 User-mode emulation marks a host page as write-protected (if it is
135 not already read-only) every time translated code is generated for a
137 a SEGV signal. QEMU then invalidates all the translated code in the page
147 necessary. However, QEMU still requires that the generated code always
152 -----------------
158 memory accesses.  QEMU keeps a map from host program counter to
165 very often throughout the execution of a translation block---this includes
166 condition codes on x86, delay slots on SPARC, conditional execution on
171 -------------
173 For system emulation QEMU uses a software MMU. In that mode, the MMU
177 QEMU uses an address translation cache (TLB) to speed up the translation.
179 mappings change, all caches in QEMU are physically indexed.  This
194 ---------------------
199 limitation you can use the ``-perfmap`` or the ``-jitdump`` option to generate
200 map files. ``-perfmap`` is lightweight and produces only guest-host mappings.
201 ``-jitdump`` additionally saves JITed code and guest debug information (if
207   perf record $QEMU -perfmap $REMAINING_ARGS
210   perf record -k 1 $QEMU -jitdump $REMAINING_ARGS
211   DEBUGINFOD_URLS= perf inject -j -i perf.data -o perf.data.jitted
212   perf report -i perf.data.jitted
214 Note that qemu-system generates mappings only for ``-kernel`` files in ELF