Introduction
QEMU is a fast machine emulator written by Fabrice Bellard (A French computer programmer with considerable achievements in developing open source applications). It supports full system virtualization into another system and Linux user mode simulation in which process compiled for one CPU can be run on another CPU. It emulates several CPU’s (X86, PowerPC, ARM and SPARC) on several hosts (X86, PowerPC, ARM and SPARC). The primary use of QEMU is to run one operating system on another. Another feature is debugging that is state of virtual machine can be stored, inspected and restored. The Linux user mode simulation can be used to test cross-compilers.QEMU consists of a CPU emulator, emulated devices (mouse, keyboard, VGA Display etc), generic devices (network devices, character devices used to connect host machine with virtual machine), a debugger and a command line interface. It can run on Windows, Linux and MAC OS X. QEMU’s core virtual library is released under GNU Lesser General Public License. While running on windows proprietary FMOD library is used, this disqualifies it from having a single open source software license.
Method of Operation
The main method of working of QEMU is to use Dynamic Translation that is runtime conversion of target CPU instruction set into host instruction set. The resulting code is stored into a translation cache so that it can be reused. While considering the working of QEMU following points can be discussed (as mentioned in [5]):-
i.Portable Dynamic Translation
Each target CPU instruction is split into fewer simple instructions called micro-operations. Each micro-operation is then implemented by a C code. This small C code is converted into object code with GNU C compiler. The micro-operations are chosen such that their number is less than the number of operands and instructions of target CPU.
A compile time tool called dyngen uses the object file containing micro-operations to generate a dynamic code generator. Now this generator can be invoked at runtime to generate complete host function which combines several micro-operations.
ii.Translation Blocks and Translation Cache
When QEMU first encounters a piece of target code it translates it to the host code up to next jump instruction or a instruction which modifies static CPU state. These blocks are called Translated Blocks. A 16 MB cache holds the most recently used TB’s. A static CPU state is that information which is known at translation time when entering the translation block, like value of Program Counter.
iii.Register Allocation
QEMU uses fixed register allocation. Each target CPU register is mapped to a fixed host register or memory address. On most of the hosts, all target registers are mapped to memory addresses, only a few are mapped to host registers.
iv.Condition Code Optimization
QEMU uses the lazy condition code evaluation. Instead of storing the condition code after each instruction it just stores one operand (CC_SRC), result (CC_DST) and type of operation (CC_OP). For example for 32 bit addition R=A+B
CC_SRC=A
CC_DST=R
CC_OPP=CC_OP_ADDL
From here we can calculate the value of A, R and B and all the condition codes needed for next instruction like Carry (CF), Overflow (OF), Zero Result (ZF) can be calculated. This process can further be optimized by keeping the values in variables up to the end of translation block only.
v.Direct Block Chaining
After each Translated block is executed QEMU uses simulated program counter or other information from static CPU state to find next TB using hash table. If the next TB has not been translated then it is translated first otherwise QEMU directly jumps to next block. In some cases the instruction of next block is directly attached with current block to save considerable overhead.
vi.Memory Management
For system emulation QEMU uses mmap() system call to emulate target Memory Management Unit. It works as long as emulated OS does not use area reserved by host OS.
QEMU also supports software MMU. In this mode at every memory access virtual address to physical address translation is done. It uses an address translation cache to speed up the translation.
vii.Exception Support
When an exception occurs longjmp() is used to jump to the exception handling code. If software MMU is not used then host signal handlers are used to detect invalid memory access.
QEMU supports precise exceptions as it is able to retrieve the exact CPU state when exception occurred. Most of the target CPU state is translated so there is nothing to be done. For state which is not translated retranslation of Translation Block is done where exception occurred.
Software Performance
Installation of QEMU is straight forward. It can be downloaded from QEMU website. It requires disk images to run. These images are in Copy-On-Write format which enables us to define a multi Gigabyte disk but the space acquired will be equivalent to real data in it. Its performance can be vastly improved with Kqemu package for virtualization of X86 processors. Also command line tools provide good control over virtual machines. At runtime different system components can be emulated. But QEMU has some disadvantages also. First incomplete support for less frequently used architectures is there. Secondly, no special device drivers for guests are provided therefore performance of multimedia applications is not up to the mark. A major disadvantage is that it does not compile with latest version of GNU C compiler.
Go Back:Virtualization and Open Source