@node Implementation notes
@appendix Implementation notes

@menu
* CPU emulation::
* Translator Internals::
* QEMU compared to other emulators::
* Bibliography::
@end menu

@node CPU emulation
@section CPU emulation

@menu
* x86::                x86 and x86-64 emulation
* ARM::                ARM emulation
* MIPS::               MIPS emulation
* PPC::                PowerPC emulation
* SPARC::              Sparc32 and Sparc64 emulation
* Xtensa::             Xtensa emulation
@end menu

@node x86
@subsection x86 and x86-64 emulation

QEMU x86 target features:

@itemize

@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation.
LDT/GDT and IDT are emulated. VM86 mode is also supported to run
DOSEMU. There is some support for MMX/3DNow!, SSE, SSE2, SSE3, SSSE3,
and SSE4 as well as x86-64 SVM.

@item Support for host page sizes bigger than 4KB in user mode emulation.

@item QEMU can emulate itself on x86.

@item An extensive Linux x86 CPU test program is included in @file{tests/test-i386}.
It can be used to test other x86 virtual CPUs.

@end itemize

Current QEMU limitations:

@itemize

@item Limited x86-64 support.

@item IPC syscalls are missing.

@item The x86 segment limits and access rights are not checked at every
memory access (yet). Very few OSes appear to rely on that for
normal use.

@end itemize

@node ARM
@subsection ARM emulation

@itemize

@item Full ARM 7 user emulation.

@item NWFPE FPU support included in user Linux emulation.

@item Can run most ARM Linux binaries.

@end itemize

@node MIPS
@subsection MIPS emulation

@itemize

@item The system emulation allows full MIPS32/MIPS64 Release 2 emulation,
including privileged instructions, FPU and MMU, in both little and big
endian modes.

@item The Linux userland emulation can run many 32 bit MIPS Linux binaries.

@end itemize

Current QEMU limitations:

@itemize

@item Self-modifying code is not always handled correctly.

@item 64 bit userland emulation is not implemented.

@item The system emulation is not complete enough to run real firmware.

@item The watchpoint debug facility is not implemented.

@end itemize

@node PPC
@subsection PowerPC emulation

@itemize

@item Full PowerPC 32 bit emulation, including privileged instructions,
FPU and MMU.

@item Can run most PowerPC Linux binaries.

@end itemize

@node SPARC
@subsection Sparc32 and Sparc64 emulation

@itemize

@item Full SPARC V8 emulation, including privileged
instructions, FPU and MMU. SPARC V9 emulation includes most privileged
and VIS instructions, FPU and I/D MMU. Alignment is fully enforced.

@item Can run most 32-bit SPARC Linux binaries, SPARC32PLUS Linux binaries and
some 64-bit SPARC Linux binaries.

@end itemize

Current QEMU limitations:

@itemize

@item IPC syscalls are missing.

@item Floating point exception support is buggy.

@item Atomic instructions are not correctly implemented.

@item There are still some problems with Sparc64 emulators.

@end itemize

@node Xtensa
@subsection Xtensa emulation

@itemize

@item Core Xtensa ISA emulation, including most options: code density,
loop, extended L32R, 16- and 32-bit multiplication, 32-bit division,
MAC16, miscellaneous operations, boolean, FP coprocessor, coprocessor
context, debug, multiprocessor synchronization,
conditional store, exceptions, relocatable vectors, unaligned exception,
interrupts (including high priority and timer), hardware alignment,
region protection, region translation, MMU, windowed registers, thread
pointer, processor ID.

@item Not implemented options: data/instruction cache (including cache
prefetch and locking), XLMI, processor interface. Options not
covered by the core ISA (e.g. FLIX, wide branches) are also not implemented.

@item Can run most Xtensa Linux binaries.

@item A new core configuration that requires no additional instructions
may be created from an overlay with a minimal amount of hand-written code.

@end itemize

@node Translator Internals
@section Translator Internals

QEMU is a dynamic translator. When it first encounters a piece of code,
it converts it to the host instruction set. Usually dynamic translators
are very complicated and highly CPU dependent. QEMU uses some tricks
which make it relatively easy to port and simple while achieving good
performance.

QEMU's dynamic translation backend is called TCG, for "Tiny Code
Generator". For more information, please take a look at @code{tcg/README}.

Some notable features of QEMU's dynamic translator are:

@table @strong

@item CPU state optimisations:
The target CPUs have many internal states which change the way they
evaluate instructions. In order to achieve a good speed, the
translation phase assumes that some state information of the virtual
CPU cannot change within a translated block. The state is recorded in the
Translation Block (TB). If the state changes (e.g. privilege level), a new TB
will be generated and the previous TB won't be used anymore until the state
matches the state recorded in the previous TB. The same idea can be applied
to other aspects of the CPU state. For example, on x86, if the SS,
DS and ES segments have a zero base, then the translator does not even
generate an addition for the segment base.

@item Direct block chaining:
After each translated basic block is executed, QEMU uses the simulated
Program Counter (PC) and other CPU state information (such as the CS
segment base value) to find the next basic block.

In order to accelerate the most common cases where the new simulated PC
is known, QEMU can patch a basic block so that it jumps directly to the
next one.

The most portable code uses an indirect jump. An indirect jump makes
it easier to make the jump target modification atomic. On some host
architectures (such as x86 or PowerPC), the @code{JUMP} opcode is
directly patched so that the block chaining has no overhead.

@item Self-modifying code and translated code invalidation:
Self-modifying code is a special challenge in x86 emulation because no
instruction cache invalidation is signaled by the application when code
is modified.

User-mode emulation marks a host page as write-protected (if it is
not already read-only) every time translated code is generated for a
basic block. Then, if a write access is done to the page, Linux raises
a SEGV signal. QEMU then invalidates all the translated code in the page
and enables write accesses to the page. For system emulation, write
protection is achieved through the software MMU.

Correct translated code invalidation is done efficiently by maintaining
a linked list of every translated block contained in a given page. Other
linked lists are also maintained to undo direct block chaining.

On RISC targets, correctly written software uses memory barriers and
cache flushes, so some of the protection above would not be
necessary. However, QEMU still requires that the generated code always
matches the target instructions in memory in order to handle
exceptions correctly.

@item Exception support:
longjmp() is used when an exception such as division by zero is
encountered.

The host SIGSEGV and SIGBUS signal handlers are used to catch invalid
memory accesses. QEMU keeps a map from host program counter to
target program counter, and looks up where the exception happened
based on the host program counter at the exception point.

On some targets, some bits of the virtual CPU's state are not flushed to
memory until the end of the translation block. This is done for internal
emulation state that is rarely accessed directly by the program and/or changes
very often throughout the execution of a translation block---this includes
condition codes on x86, delay slots on SPARC, conditional execution on
ARM, and so on. This state is stored for each target instruction, and
looked up on exceptions.

@item MMU emulation:
For system emulation QEMU uses a software MMU. In that mode, the MMU
virtual to physical address translation is done at every memory
access.

QEMU uses an address translation cache (TLB) to speed up the translation.
In order to avoid flushing the translated code each time the MMU
mappings change, all caches in QEMU are physically indexed. This
means that each basic block is indexed with its physical address.

In order to avoid invalidating the basic block chain when MMU mappings
change, chaining is only performed when the destination of the jump
shares a page with the basic block that is performing the jump.

The MMU can also distinguish RAM and ROM memory areas from MMIO memory
areas. Access is faster for RAM and ROM because the translation cache also
holds the offset between guest address and host memory. Accessing MMIO
memory areas instead calls out to C code for device emulation.
Finally, the MMU helps track dirty pages and pages pointed to by
translation blocks.
@end table
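The bookkeeping described in the table above, as an added toy model that is not QEMU's own code: translation blocks keyed by physical address plus a CPU state snapshot, a per-page linked list of blocks used for invalidation when a code page is written, and direct chaining allowed only between blocks in the same page. All names (@code{TB}, @code{PageDesc}, @code{tb_gen}, @code{tb_chain}, @code{page_written}) are invented for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Toy model of QEMU's translation cache written for this appendix (not QEMU's
 * own code): blocks are keyed by physical address plus a CPU state snapshot,
 * each page lists the blocks it holds, and chaining stays within one page. */
#define PAGE_SHIFT    12
#define TOY_PAGE_MASK (~(((uint64_t)1 << PAGE_SHIFT) - 1))
#define MAX_TBS       64
#define MAX_PAGES     16
typedef struct TB {
    uint64_t phys_pc;     /* physical address: the cache is physically indexed */
    uint32_t flags;       /* CPU state assumed constant inside the block */
    int valid;
    struct TB *page_next; /* blocks in the same page, walked on invalidation */
    struct TB *jmp_next;  /* direct block chaining target, or NULL */
} TB;
typedef struct { uint64_t page; TB *tbs; } PageDesc;
static TB tb_pool[MAX_TBS];
static PageDesc pages[MAX_PAGES];
static int tb_count, page_count;

static PageDesc *page_find(uint64_t phys, int alloc)
{
    uint64_t page = phys & TOY_PAGE_MASK;
    for (int i = 0; i < page_count; i++)
        if (pages[i].page == page) return &pages[i];
    if (!alloc || page_count == MAX_PAGES) return NULL;
    pages[page_count].page = page; pages[page_count].tbs = NULL;
    return &pages[page_count++];
}

/* CPU flags are part of the key: a state change (e.g. privilege level) misses. */
TB *tb_find(uint64_t phys_pc, uint32_t flags)
{
    for (int i = 0; i < tb_count; i++)
        if (tb_pool[i].valid && tb_pool[i].phys_pc == phys_pc && tb_pool[i].flags == flags)
            return &tb_pool[i];
    return NULL;
}

/* "Translate" a block (here: just record it) and link it into its page list. */
TB *tb_gen(uint64_t phys_pc, uint32_t flags)
{
    TB *tb = tb_find(phys_pc, flags);
    if (tb) return tb;
    if (tb_count == MAX_TBS) return NULL;
    tb = &tb_pool[tb_count++];
    tb->phys_pc = phys_pc; tb->flags = flags; tb->valid = 1; tb->jmp_next = NULL;
    PageDesc *pd = page_find(phys_pc, 1);
    tb->page_next = pd->tbs; pd->tbs = tb;
    return tb;
}

/* Chain only inside one page, so remapping a page never leaves a stale jump. */
int tb_chain(TB *from, TB *to)
{
    if ((from->phys_pc & TOY_PAGE_MASK) != (to->phys_pc & TOY_PAGE_MASK)) return 0;
    from->jmp_next = to;
    return 1;
}

/* A guest store hit a page holding translated code (seen by the software MMU,
 * or as SEGV on a write-protected host page): drop its blocks, undo chains. */
int page_written(uint64_t phys_addr)
{
    PageDesc *pd = page_find(phys_addr, 0);
    int n = 0;
    if (!pd) return 0;
    for (TB *tb = pd->tbs; tb; tb = tb->page_next) { tb->valid = 0; n++; }
    for (int i = 0; i < tb_count; i++)   /* undo direct block chaining */
        if (tb_pool[i].jmp_next && !tb_pool[i].jmp_next->valid) tb_pool[i].jmp_next = NULL;
    pd->tbs = NULL;
    return n;  /* number of blocks invalidated */
}
```

After a page is invalidated, the next lookup for any address in it misses and the block is translated again, which is how the generated code is kept in step with the guest's instructions in memory.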

@node QEMU compared to other emulators
@section QEMU compared to other emulators

Like bochs [1], QEMU emulates an x86 CPU. But QEMU is much faster than
bochs as it uses dynamic compilation. Bochs is closely tied to x86 PC
emulation while QEMU can emulate several processors.

Like Valgrind [2], QEMU does user space emulation and dynamic
translation. Valgrind is mainly a memory debugger while QEMU has no
support for memory debugging (QEMU could be used to detect out of bound memory
accesses as Valgrind does, but it has no support to track uninitialised data
as Valgrind does). The Valgrind dynamic translator generates better code
than QEMU (in particular it does register allocation) but it is closely
tied to an x86 host and target and has no support for precise exceptions
and system emulation.

EM86 [3] is the closest project to user space QEMU (and QEMU still uses
some of its code, in particular the ELF file loader). EM86 was limited
to an Alpha host and used a proprietary and slow interpreter (the
interpreter part of the FX!32 Digital Win32 code translator [4]).

TWIN from Willows Software was a Windows API emulator like Wine. It is less
accurate than Wine but includes a protected mode x86 interpreter to launch
x86 Windows executables. Such an approach has greater potential because most
of the Windows API is executed natively but it is far more difficult to
develop because all the data structures and function parameters exchanged
between the API and the x86 code must be converted.

User mode Linux [5] was the only solution before QEMU to launch a
Linux kernel as a process while not needing any host kernel
patches. However, user mode Linux requires heavy kernel patches while
QEMU accepts unpatched Linux kernels. The price to pay is that QEMU is
slower.

The Plex86 [6] PC virtualizer is done in the same spirit as the now
obsolete qemu-fast system emulator. It requires a patched Linux kernel
to work (you cannot launch the same kernel on your PC), but the
patches are really small. As it is a PC virtualizer (no emulation is
done except for some privileged instructions), it has the potential of
being faster than QEMU. The downside is that a complicated (and
potentially unsafe) host kernel patch is needed.

The commercial PC Virtualizers (VMWare [7], VirtualPC [8]) are faster
than QEMU (without virtualization), but they all need specific, proprietary
and potentially unsafe host drivers. Moreover, they are unable to
provide cycle exact simulation as an emulator can.

VirtualBox [9], Xen [10] and KVM [11] are based on QEMU. QEMU-SystemC
[12] uses QEMU to simulate a system where some hardware devices are
developed in SystemC.

@node Bibliography
@section Bibliography

@table @asis

@item [1]
@url{http://bochs.sourceforge.net/}, the Bochs IA-32 Emulator Project,
by Kevin Lawton et al.

@item [2]
@url{http://www.valgrind.org/}, Valgrind, an open-source memory debugger
for GNU/Linux.

@item [3]
@url{http://ftp.dreamtime.org/pub/linux/Linux-Alpha/em86/v0.2/docs/em86.html},
the EM86 x86 emulator on Alpha-Linux.

@item [4]
@url{http://www.usenix.org/publications/library/proceedings/usenix-nt97/@/full_papers/chernoff/chernoff.pdf},
DIGITAL FX!32: Running 32-Bit x86 Applications on Alpha NT, by Anton
Chernoff and Ray Hookway.

@item [5]
@url{http://user-mode-linux.sourceforge.net/},
The User-mode Linux Kernel.

@item [6]
@url{http://www.plex86.org/},
The new Plex86 project.

@item [7]
@url{http://www.vmware.com/},
The VMWare PC virtualizer.

@item [8]
@url{https://www.microsoft.com/download/details.aspx?id=3702},
The VirtualPC PC virtualizer.

@item [9]
@url{http://virtualbox.org/},
The VirtualBox PC virtualizer.

@item [10]
@url{http://www.xen.org/},
The Xen hypervisor.

@item [11]
@url{http://www.linux-kvm.org/},
Kernel Based Virtual Machine (KVM).

@item [12]
@url{http://www.greensocs.com/projects/QEMUSystemC},
QEMU-SystemC, a hardware co-simulator.

@end table