\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@setfilename qemu-doc.info
+@settitle QEMU CPU Emulator User Documentation
+@exampleindent 0
+@paragraphindent 0
+@c %**end of header
-@settitle QEMU CPU Emulator User Documentation
-@center @titlefont{QEMU CPU Emulator User Documentation}
+@center @titlefont{QEMU CPU Emulator}
+@sp 1
+@center @titlefont{User Documentation}
@sp 3
@end titlepage
@end iftex
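Review bot: the header block is only picked up if `@c %**start of header` follows the `\input texinfo` line directly, so keep nothing between them; moving `@settitle` into that block is right, since that is where makeinfo and Emacs expect it. The split `@titlefont` lines affect only the printed title page; Info and HTML output keep taking their title from `@settitle`.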
+@ifnottex
+@node Top
+@top
+
+@menu
+* Introduction::
+* Installation::
+* QEMU PC System emulator::
+* QEMU System emulator for non PC targets::
+* QEMU Linux User space emulator::
+* compilation:: Compilation from the sources
+* Index::
+@end menu
+@end ifnottex
+
+@contents
+
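Review bot: every entry of this Top menu has to match a `@node` name exactly, including case and spacing (`QEMU PC System emulator`, `QEMU System emulator for non PC targets`, `QEMU Linux User space emulator`, `compilation`, `Index`), or makeinfo rejects the menu; `@contents` only affects the TeX output (and HTML when makeinfo is asked for it), so placing it after `@end ifnottex` is fine.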
+@node Introduction
+@menu
+* intro_features:: Features
+@end menu
+
+@node intro_features
@section Features
QEMU is a FAST! processor emulator using dynamic translation to
For user emulation, x86, PowerPC, ARM, MIPS, and Sparc32/64 CPUs are supported.
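Review bot: `@node Introduction` is followed directly by `@menu` in the visible lines, but the `@chapter Introduction` sectioning command has to sit between the node line and its menu and is not shown in this hunk; confirm it is there (or add it) before the `@menu`, otherwise makeinfo complains about a node without a sectioning command.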
@chapter Installation
If you want to compile QEMU yourself, see @ref{compilation}.
+@menu
+* install_linux:: Linux
+* install_windows:: Windows
+* install_mac:: Macintosh
+@end menu
+
+@node install_linux
@section Linux
If a precompiled package is available for your distribution - you just
have to install it. Otherwise, see @ref{compilation}.
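Review bot: this menu lists `install_windows` and `install_mac`, but only `@node install_linux` is added in front of `@section Linux`; `@section Windows` and `@section Mac OS X` appear later in this diff with no added `@node` line. Unless those nodes are added in lines not shown here, the two menu entries point at undefined nodes and makeinfo will fail on this file.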
@section Windows
Download the experimental binary installer at
-@url{http://www.free.oszoo.org/download.html}.
+@url{http://www.free.oszoo.org/@/download.html}.
@section Mac OS X
Download the experimental binary installer at
-@url{http://www.free.oszoo.org/download.html}.
+@url{http://www.free.oszoo.org/@/download.html}.
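Review bot: `@/` inside `@url{}` (and, later in this patch, inside `@file{}` and in `@example` lines) is a discretionary break that only matters for the TeX/PDF output; makeinfo drops it for Info and HTML, so the visible link text and the hrefs stay intact. It does require a texinfo.tex and makeinfo recent enough to know the command, so check the oldest toolchain the build still supports before relying on it.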
+@node QEMU PC System emulator
@chapter QEMU PC System emulator
+@menu
+* pcsys_introduction:: Introduction
+* pcsys_quickstart:: Quick Start
+* sec_invocation:: Invocation
+* pcsys_keys:: Keys
+* pcsys_monitor:: QEMU Monitor
+* disk_images:: Disk Images
+* pcsys_network:: Network emulation
+* direct_linux_boot:: Direct Linux Boot
+* pcsys_usb:: USB emulation
+* gdb_usage:: GDB usage
+* pcsys_os_specific:: Target OS specific information
+@end menu
+
+@node pcsys_introduction
@section Introduction
@c man begin DESCRIPTION
@section Quick Start
Download and uncompress the linux image (@file{linux.img}) and type:
@item -fda file
@item -fdb file
-Use @var{file} as floppy disk 0/1 image (@xref{disk_images}). You can
+Use @var{file} as floppy disk 0/1 image (@pxref{disk_images}). You can
use the host floppy by using @file{/dev/fd0} as filename.
@item -hda file
@item -hdb file
@item -hdc file
@item -hdd file
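Review bot: switching from `@xref` to `@pxref` inside the parentheses is the right fix: `@xref` expands to a capitalised `See ...`, must begin a sentence and must be followed by a period or comma, none of which holds inside `(...)`, whereas `@pxref` produces a lowercase `see` meant for exactly this parenthetical use. The same reasoning covers the other `(@xref{...})` occurrences this patch converts for `-hda`, `-snapshot` and `-s`.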
-Use @var{file} as hard disk 0, 1, 2 or 3 image (@xref{disk_images}).
+Use @var{file} as hard disk 0, 1, 2 or 3 image (@pxref{disk_images}).
@item -cdrom file
Use @var{file} as CD-ROM image (you cannot use @option{-hdc} and and
@item -snapshot
Write to temporary files instead of disk image files. In this case,
the raw disk image you use is not written back. You can however force
-the write back by pressing @key{C-a s} (@xref{disk_images}).
+the write back by pressing @key{C-a s} (@pxref{disk_images}).
@item -m megs
Set virtual RAM size to @var{megs} megabytes. Default is 128 MB.
Example:
@example
# launch a first QEMU instance
-qemu linux.img -net nic,macaddr=52:54:00:12:34:56 -net socket,listen=:1234
-# connect the VLAN 0 of this instance to the VLAN 0 of the first instance
-qemu linux.img -net nic,macaddr=52:54:00:12:34:57 -net socket,connect=127.0.0.1:1234
+qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
+ -net socket,listen=:1234
+# connect the VLAN 0 of this instance to the VLAN 0
+# of the first instance
+qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \
+ -net socket,connect=127.0.0.1:1234
@end example
@item -net socket[,vlan=n][,fd=h][,mcast=maddr:port]
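Review bot: `-net socket,listen=:1234` with an empty host part binds the listening socket on every host interface, so any peer that can reach the host can attach to this instance's VLAN with no authentication at all; since the second command connects to `127.0.0.1:1234` anyway, the example would be safer showing `listen=127.0.0.1:1234`, and the text could state that a bare `:port` listens on all interfaces.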
Example:
@example
# launch one QEMU instance
-qemu linux.img -net nic,macaddr=52:54:00:12:34:56 -net socket,mcast=230.0.0.1:1234
+qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
+ -net socket,mcast=230.0.0.1:1234
# launch another QEMU instance on same "bus"
-qemu linux.img -net nic,macaddr=52:54:00:12:34:57 -net socket,mcast=230.0.0.1:1234
+qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \
+ -net socket,mcast=230.0.0.1:1234
# launch yet another QEMU instance on same "bus"
-qemu linux.img -net nic,macaddr=52:54:00:12:34:58 -net socket,mcast=230.0.0.1:1234
+qemu linux.img -net nic,macaddr=52:54:00:12:34:58 \
+ -net socket,mcast=230.0.0.1:1234
@end example
Example (User Mode Linux compat.):
@example
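Review bot: wrapping the three commands with `\` keeps them pasteable, but the text around this example should spell out what `same "bus"` means in practice: every machine that joins multicast group `230.0.0.1` port `1234` receives these VLAN frames and can inject its own, with no authentication, so the group should be confined to a trusted network segment.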
-# launch QEMU instance (note mcast address selected is UML's default)
-qemu linux.img -net nic,macaddr=52:54:00:12:34:56 -net socket,mcast=239.192.168.1:1102
+# launch QEMU instance (note mcast address selected
+# is UML's default)
+qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
+ -net socket,mcast=239.192.168.1:1102
# launch UML
/path/to/linux ubd0=/path/to/root_fs eth0=mcast
@end example
non graphical mode.
@item -s
-Wait gdb connection to port 1234 (@xref{gdb_usage}).
+Wait gdb connection to port 1234 (@pxref{gdb_usage}).
@item -p port
Change gdb connection port.
@item -S
@section Keys
@c man begin OPTIONS
-@setfilename qemu
-@settitle QEMU System Emulator
-
@c man begin SEEALSO
The HTML documentation of QEMU for more precise information and Linux
user mode emulator invocation.
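Review bot: dropping `@setfilename qemu` and `@settitle QEMU System Emulator` from the man-page region removes the duplicate `@setfilename`/`@settitle` that makeinfo does not accept, but the qemu.1 page generated from the `@c man begin ... @c man end` regions may have taken its NAME line from exactly these two commands; check that the texi2pod/pod2man step in the Makefile still gets the name `qemu` and the title `QEMU System Emulator` from somewhere (for instance pod2man options), or the manual page will inherit the document-wide `qemu-doc.info` values instead.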
@section QEMU Monitor
The QEMU monitor is used to give complex commands to the QEMU
@item
Dump 80 16 bit values at the start of the video memory.
(qemu) xp/80hx 0xb8000
0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
@end itemize
@item p or print/fmt expr
growable disk images (their size increase as non empty sectors are
written), compressed and encrypted disk images.
+@menu
+* disk_images_quickstart:: Quick start for disk image creation
+* disk_images_snapshot_mode:: Snapshot mode
+* qemu_img_invocation:: qemu-img Invocation
+* disk_images_fat_images:: Virtual FAT disk images
+@end menu
+
+@node disk_images_quickstart
@subsection Quick start for disk image creation
You can create a disk image with the command:
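Review bot: this menu also lists `qemu_img_invocation`, yet no `@node qemu_img_invocation` is added anywhere in this diff while the other three entries get one; the pre-existing `@xref{qemu_img_invocation}` further down suggests the node already exists, so just confirm its spelling matches the menu entry exactly.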
size in kilobytes. You can add an @code{M} suffix to give the size in
megabytes and a @code{G} suffix for gigabytes.
-@xref{qemu_img_invocation} for more information.
+See @ref{qemu_img_invocation} for more information.
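Review bot: good catch; the old `@xref{qemu_img_invocation} for more information.` was invalid Info markup because `@xref` has to be followed immediately by a period or comma, and `See @ref{...}` reads correctly in every output format.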
+@node disk_images_snapshot_mode
@subsection Snapshot mode
If you use the option @option{-snapshot}, all disk images are
+@node disk_images_fat_images
@subsection Virtual FAT disk images
QEMU can automatically create a virtual FAT disk image from a
@item write to the FAT directory on the host system while accessing it with the guest system.
@end itemize
@section Network emulation
QEMU can simulate several networks cards (NE2000 boards on the PC
@item Launch @code{qemu.sh}. You should have the following output:
> ./qemu.sh
Connected to host network interface: tun0
-Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003
+Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 @/(Red Hat @/Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003
BIOS-provided physical RAM map:
BIOS-e801: 0000000000000000 - 000000000009f000 (usable)
BIOS-e801: 0000000000100000 - 0000000002000000 (usable)
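Review bot: inserting `@/` into quoted kernel boot output (here and in the `Kernel command line:` and `Memory:` lines below) only adds TeX break points and is invisible in Info and HTML, but the transcript then no longer matches what the guest prints byte for byte, which makes it harder to refresh by pasting a new boot log; using `@smallexample` for this block may get the long lines to fit without editing their content.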
zone(0): 4096 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
-Kernel command line: root=/dev/hda sb=0x220,5,1,5 ide2=noprobe ide3=noprobe ide4=noprobe ide5=noprobe console=ttyS0
+Kernel command line: root=/dev/hda sb=0x220,5,1,5 ide2=noprobe ide3=noprobe ide4=noprobe @/ide5=noprobe console=ttyS0
ide_setup: ide2=noprobe
ide_setup: ide3=noprobe
ide_setup: ide4=noprobe
Detected 2399.621 MHz processor.
Console: colour EGA 80x25
Calibrating delay loop... 4744.80 BogoMIPS
-Memory: 28872k/32768k available (1210k kernel code, 3508k reserved, 266k data, 64k init, 0k highmem)
+Memory: 28872k/32768k available (1210k kernel code, 3508k reserved, 266k data, 64k init, @/0k highmem)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
VFS: Mounted root (ext2 filesystem).
Freeing unused kernel memory: 64k freed
-Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003
+Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 @/(Red Hat @/Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003
QEMU Linux test distribution (based on Redhat 9)
Type 'exit' to halt the system
sh-2.05b#
@item
Then you can play with the kernel inside the virtual serial console. You
@section USB emulation
QEMU emulates a PCI UHCI USB controller and a 8 port USB hub connected
In order to use gdb, launch qemu with the '-s' option. It will wait for a
gdb connection:
@example
-> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"
+> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
+ -append "root=/dev/hda"
Connected to host network interface: tun0
Waiting gdb connection on port 1234
@end example
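Review bot: the wrapped command is fine; since this section documents `-s` and `-p`, it would help to add that the gdb remote protocol carries no authentication, so whatever can reach port 1234 gets full read and write control over the guest's memory and registers, and the port should only be reachable from the debugging host.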
@code{x/10i $cs*16+*eip} to dump the code at the PC position.
@end enumerate
@section Target OS specific information
@subsection Linux
from @url{http://www.vmware.com/software/dosidle210.zip} to solve this
problem.
+@node QEMU System emulator for non PC targets
@chapter QEMU System emulator for non PC targets
QEMU is a generic emulator and it emulates many non PC
machines. Most of the options are similar to the PC emulator. The
differences are mentionned in the following sections.
+@menu
+* QEMU PowerPC System emulator::
+* Sparc32 System emulator invocation::
+* Sparc64 System emulator invocation::
+* MIPS System emulator invocation::
+* ARM System emulator invocation::
+@end menu
+
+@node QEMU PowerPC System emulator
@section QEMU PowerPC System emulator
Use the executable @file{qemu-system-ppc} to simulate a complete PREP
More information is available at
@url{http://perso.magic.fr/l_indien/qemu-ppc/}.
+@node Sparc32 System emulator invocation
@section Sparc32 System emulator invocation
Use the executable @file{qemu-system-sparc} to simulate a JavaStation
The number of peripherals is fixed in the architecture.
QEMU uses the Proll, a PROM replacement available at
-@url{http://people.redhat.com/zaitcev/linux/}. The required
+@url{http://people.redhat.com/@/zaitcev/linux/}. The required
QEMU-specific patches are included with the sources.
A sample Linux 2.6 series kernel and ram disk image are available on
+@node Sparc64 System emulator invocation
@section Sparc64 System emulator invocation
Use the executable @file{qemu-system-sparc64} to simulate a Sun4u machine.
PC-compatible serial ports
@end itemize
+@node MIPS System emulator invocation
@section MIPS System emulator invocation
Use the executable @file{qemu-system-mips} to simulate a MIPS machine.
More information is available in the QEMU mailing-list archive.
+@node ARM System emulator invocation
@section ARM System emulator invocation
Use the executable @file{qemu-system-arm} to simulate a ARM
A Linux 2.6 test image is available on the QEMU web site. More
information is available in the QEMU mailing-list archive.
+@node QEMU Linux User space emulator
@chapter QEMU Linux User space emulator
+@menu
+* Quick Start::
+* Wine launch::
+* Command line options::
+@end menu
+
+@node Quick Start
@section Quick Start
In order to launch a Linux process, QEMU needs the process executable
@item The x86 version of QEMU is also included. You can try weird things such as:
@example
-qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 /usr/local/qemu-i386/bin/ls-i386
+qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
+ /usr/local/qemu-i386/bin/ls-i386
@end example
@end itemize
@section Wine launch
@itemize
(@file{qemu-XXX-i386-wine.tar.gz} on the QEMU web page).
@item Configure Wine on your account. Look at the provided script
-@file{/usr/local/qemu-i386/bin/wine-conf.sh}. Your previous
+@file{/usr/local/qemu-i386/@/bin/wine-conf.sh}. Your previous
@code{$@{HOME@}/.wine} directory is saved to @code{$@{HOME@}/.wine.org}.
@item Then you can try the example @file{putty.exe}:
@example
-qemu-i386 /usr/local/qemu-i386/wine/bin/wine /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
+qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
+ /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
@end example
@end itemize
+@node Command line options
@section Command line options
@example
@node compilation
@chapter Compilation from the sources
+@menu
+* Linux/Unix::
+* Windows::
+* Cross compilation for Windows with Linux::
+* Mac OS X::
+@end menu
+
+@node Linux/Unix
@section Linux/Unix
@subsection Compilation
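Review bot: this menu names `Windows` and `Mac OS X` as nodes, yet `@section Windows` and `@section Mac OS X` later in this chapter show no added `@node` line (only `Linux/Unix` and `Cross compilation for Windows with Linux` get one); confirm the nodes exist, and keep in mind that node names are global to the document, so they must stay distinct from the Installation chapter's Windows and Mac OS X sections, which this patch names `install_windows` and `install_mac`.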
variables. You must use gcc 3.x on PowerPC.
@end example
@section Windows
@itemize
@item Download
the MinGW development library of SDL 1.2.x
-(@file{SDL-devel-1.2.x-mingw32.tar.gz}) from
+(@file{SDL-devel-1.2.x-@/mingw32.tar.gz}) from
@url{http://www.libsdl.org}. Unpack it in a temporary place, and
unpack the archive @file{i386-mingw32msvc.tar.gz} in the MinGW tool
directory. Edit the @file{sdl-config} script so that it gives the
+@node Cross compilation for Windows with Linux
@section Cross compilation for Windows with Linux
@itemize
Note: Currently, Wine does not seem able to launch
QEMU for Win32.
@section Mac OS X
The Mac OS X patches are not fully merged in QEMU, so you should look
at the QEMU mailing list archive to have all the necessary
information.
+@node Index
+@chapter Index
+@printindex cp
+
+@bye
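Review bot: `@printindex cp` needs `@cindex` entries somewhere in the document and this patch adds none, so unless they already exist the new Index chapter comes out empty; either add `@cindex` entries (the command line options are the obvious candidates) or leave the chapter out. The same applies to the identical Index hunk at the end of qemu-tech.texi.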
\input texinfo @c -*- texinfo -*-
+@c %**start of header
+@setfilename qemu-tech.info
+@settitle QEMU Internals
+@exampleindent 0
+@paragraphindent 0
+@c %**end of header
-@settitle QEMU Internals
@titlepage
@sp 7
@center @titlefont{QEMU Internals}
@end titlepage
@end iftex
+@ifnottex
+@node Top
+@top
+
+@menu
+* Introduction::
+* QEMU Internals::
+* Regression Tests::
+* Index::
+@end menu
+@end ifnottex
+
+@contents
+
+@node Introduction
+@menu
+* intro_features:: Features
+* intro_x86_emulation:: x86 emulation
+* intro_arm_emulation:: ARM emulation
+* intro_ppc_emulation:: PowerPC emulation
+* intro_sparc_emulation:: SPARC emulation
+@end menu
+
+@node intro_features
@section Features
QEMU is a FAST! processor emulator using a portable dynamic
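Review bot: as in qemu-doc.texi, `@node Introduction` is followed straight by `@menu` here and the `@chapter Introduction` line that must sit between them is not visible; likewise the Top menu lists `QEMU Internals`, but no `@node QEMU Internals` is added before that chapter's menu later in this diff, so check both before relying on makeinfo to build this file.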
@item User space only or full system emulation.
-@item Using dynamic translation to native code for reasonnable speed.
+@item Using dynamic translation to native code for reasonable speed.
@item Working on x86 and PowerPC hosts. Being tested on ARM, Sparc32, Alpha and S390.
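Review bot: while fixing `reasonnable` here, the same spelling slip `mentionned` in the intro of the non PC targets chapter of qemu-doc.texi (`The differences are mentionned in the following sections.`, visible in this diff) is left as it was; worth fixing in the same patch.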
@item Accurate signal handling by remapping host signals to target signals.
@end itemize
QEMU full system emulation features:
@itemize
@item QEMU can either use a full software MMU for maximum portability or use the host system call mmap() to simulate the target MMU.
@end itemize
+@node intro_x86_emulation
@section x86 emulation
QEMU x86 target features:
+@node intro_arm_emulation
@section ARM emulation
@itemize
+@node intro_ppc_emulation
@section PowerPC emulation
@itemize
+@node intro_sparc_emulation
@section SPARC emulation
@itemize
+@menu
+* QEMU compared to other emulators::
+* Portable dynamic translation::
+* Register allocation::
+* Condition code optimisations::
+* CPU state optimisations::
+* Translation cache::
+* Direct block chaining::
+* Self-modifying code and translated code invalidation::
+* Exception support::
+* MMU emulation::
+* Hardware interrupts::
+* User emulation specific details::
+* Bibliography::
+@end menu
+
+@node QEMU compared to other emulators
@section QEMU compared to other emulators
Like bochs [3], QEMU emulates an x86 CPU. But QEMU is much faster than
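Review bot: this menu lists `Translation cache`, `Exception support`, `MMU emulation` and `Bibliography`, but those four `@section`s appear later in this diff without an added `@node` line, whereas every other entry gets one; unless those nodes exist in unchanged lines, makeinfo will reject the menu.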
and potentially unsafe host drivers. Moreover, they are unable to
provide cycle exact simulation as an emulator can.
+@node Portable dynamic translation
@section Portable dynamic translation
QEMU is a dynamic translator. When it first encounters a piece of code,
To go even faster, GCC static register variables are used to keep the
state of the virtual CPU.
+@node Register allocation
@section Register allocation
Since QEMU uses fixed simple instructions, no efficient register
register, most of the virtual CPU state can be put in registers without
doing complicated register allocation.
+@node Condition code optimisations
@section Condition code optimisations
Good CPU condition codes emulation (@code{EFLAGS} register on x86) is a
the condition codes are not needed by the next instructions, no
condition codes are computed at all.
+@node CPU state optimisations
@section CPU state optimisations
The x86 CPU has many internal states which change the way it evaluates
[The FPU stack pointer register is not handled that way yet].
@section Translation cache
A 16 MByte cache holds the most recently used translations. For
terminated by a jump or by a virtual CPU state change which the
translator cannot deduce statically).
+@node Direct block chaining
@section Direct block chaining
After each translated basic block is executed, QEMU uses the simulated
architectures (such as x86 or PowerPC), the @code{JUMP} opcode is
directly patched so that the block chaining has no overhead.
+@node Self-modifying code and translated code invalidation
@section Self-modifying code and translated code invalidation
Self-modifying code is a special challenge in x86 emulation because no
really needs to be invalidated. It avoids invalidating the code when
only data is modified in the page.
@section Exception support
longjmp() is used when an exception such as division by zero is
optimisations. It is not a big concern because the emulated code can
still be restarted in any cases.
@section MMU emulation
For system emulation, QEMU uses the mmap() system call to emulate the
When MMU mappings change, only the chaining of the basic blocks is
reset (i.e. a basic block can no longer jump directly to another one).
+@node Hardware interrupts
@section Hardware interrupts
In order to be faster, QEMU does not check at every basic block if an
of the CPU emulator. Then the main loop can test if the interrupt is
pending and handle it.
+@node User emulation specific details
@section User emulation specific details
@subsection Linux system call translation
shared object as the ld-linux.so ELF interpreter. That way, it can be
relocated at load time.
@section Bibliography
@table @asis
x86 emulator on Alpha-Linux.
@item [5]
-@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/chernoff/chernoff.pdf},
+@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/@/full_papers/chernoff/chernoff.pdf},
DIGITAL FX!32: Running 32-Bit x86 Applications on Alpha NT, by Anton
Chernoff and Ray Hookway.
@chapter Regression Tests
In the directory @file{tests/}, various interesting testing programs
are available. There are used for regression testing.
+@menu
+* test-i386::
+* linux-test::
+* qruncom.c::
+@end menu
+
+@node test-i386
@section @file{test-i386}
This program executes most of the 16 bit and 32 bit x86 instructions and
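Review bot: only `@node test-i386` is added for this menu; `@section @file{linux-test}` and `@section @file{qruncom.c}` below show no `@node` line, so check that those nodes exist. While here, the sentence `There are used for regression testing.` in the context above should read `They are used for regression testing.`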
Various exceptions are raised to test most of the x86 user space
exception reporting.
@section @file{linux-test}
This program tests various Linux system calls. It is used to verify
that the system call parameters are correctly converted between target
and host CPUs.
@section @file{qruncom.c}
Example of usage of @code{libqemu} to emulate a user mode i386 CPU.
+
+@node Index
+@chapter Index
+@printindex cp
+
+@bye