StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POqemu memory operations
primarykey
Id
11923941
data
AcceptedAnswerId
0
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2012-08-12T16:46:27.040
FavoriteCount
5
LastActivityDate
2017-04-11T18:49:02.707
LastEditDate
2015-05-21T03:00:59.407
LastEditorUserId
311567
OwnerUserId
950238
ParentId
0
PostTypeId
1
Score
7
ViewCount
845
LastEditorDisplayName
text
Body
I intend to use Qemu to generate a memory trace for the execution of a x86 guest operating system. According to tcg wiki page, Qemu uses a handful of helpers to generate load/stores to the target(guest) memory. This list of instructions is <code>tcg_gen_qemu_ld8s/u</code>, <code>tcg_gen_qemu_ld16s/u</code>, <code>tcg_gen_qemu_ld32s/u</code>, <code>tcg_gen_qemu_ld64</code>. (We have a similar set for store instructions). I am trapping all calls to the above functions in the target-i386/translate.c file However, I am still missing load/stores of certain instructions like <pre><code>cmp ecx, [r12+0x4] mov r10b, [r13+0x0] mov byte [rax+0xf0000], 0x0 mov byte [rax+rdx], 0x0 </code></pre> Questions : <ol> <li>Can someone please point to other load/store points (direct or indirect) that I am missing ??</li> <li>Does qemu provide a single entry point function for accesses to guest memory (like <code>guest_read()</code>) which can be instrumented for tracing all loads from the guest memory ???</li> <li>Can somebody please point to a good documentation where I can understand how qemu maintains the state of the guest memory ??</li> </ol> Sorry friends for the misleading instructions in the previous mail. <pre><code>cmp ecx, [r12+0x4] mov r10b, [r13+0x0] mov byte [rax+0xf0000], 0x0 mov byte [rax+rdx], 0x0 </code></pre> It seems all the above instructions are getting covered with the <code>tcg_gen_ld/st</code> helpers. But now I have stumbled upon another problem : I initially thought that all the interactions with the guest memory happen through the helper instructions in the translate.c file. However, I found that the helper functions for some instructions like <code>cmpxcgh8b</code> and <code>cmpxchg16b</code> are actually accessing guest memory. So, does it mean there are more than one entry points for reading guest memory. Can some one please explain how are the ldq and stq instructions translated to access the guest memory ?? 
Tags
<memory><virtualization><qemu><kvm>
Title
qemu memory operations
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USdashesy
UserOwnerUserId
1. USprathmesh.kallurkar
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POqemu memory operations
 UserUserId
 USprathmesh.kallurkar
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POqemu memory operations
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POqemu memory operations
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.