From: Scott Dattalo
Subject: [Qemu-discuss] Singlestepping & Target assembly instructions
Date: Tue, 15 Sep 2015 11:38:26 -0700
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
Back in 2012, Manu asked:
I'm using QEmu to debug an ARM target (OS-less code). I searched/googled for help on how to trace all instructions executed on the target CPU. Using the -singlestep and -d in_asm option switches generates the data I'm looking for; however, as the translation blocks are cached, the instructions are only printed once (the first time the instruction is translated from target code to host code). Is there any way to force QEmu to disable the TB cache so that the translation occurs each time a target instruction is loaded, or a clever way to print out the address of each executed instruction? I do not care about performance (disabling the TB is likely to cause a massive performance drawback).
The answer provided doesn't work (at least with the latest QEmu in git). Specifically, it appears that once a TB has been cached there is no way to trace instruction execution. Similar to Manu, I invoke QEmu with '-D trace.log -d in_asm,cpu,exec -singlestep'. In my case, there are loops that execute dozens of times and the 'trace.log' only traces one pass through the loop.
There is one painfully slow workaround: attach gdb to QEmu (e.g. by passing -s -S along with the other QEmu invocation options) and to single step the simulated program.
For example, I have a loop that executes 100 iterations. Here's the trace log line count for an instruction in that loop with and without gdb:

No gdb:

    grep 0x000101d4: trace.log | wc
    1 6 45

Single stepping with gdb:

    grep 0x000101d4: trace.log | wc
    100 600 4500

Question: how can you tell QEmu to create an instruction trace?

Thanks,
Scott
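The two `grep ... | wc` lines above measure one address at a time. The script below, an added example that is neither from this post nor from the QEMU project, does the same tally for every address in a `-d in_asm` log, so the difference between a translation trace (every address printed once, even inside a loop) and an execution trace (loop bodies repeated) is visible at a glance. It assumes the ARM `in_asm` line layout of that era, `0x<addr>:  <opcode hex>  <disassembly>`, with `IN:` headers and dashed separators between blocks; the two sample logs are constructed, not real captures.

```python
"""Tally instruction addresses from a QEMU '-d in_asm' log.

Added example, not QEMU code. Assumes the in_asm line layout
'0x<addr>:  <opcode hex>  <disassembly>'; other lines are skipped.
"""
import re
from collections import Counter

# Constructed sample 1: what the log looks like when the loop's TB is
# translated once and then served from the cache (no gdb attached).
SAMPLE_CACHED = """----------------
IN:
0x000101cc:  e2433001      sub    r3, r3, #1
0x000101d0:  e3530000      cmp    r3, #0
0x000101d4:  1afffffc      bne    0x101cc

----------------
IN:
0x000101d8:  e1a00003      mov    r0, r3
"""

# Constructed sample 2: the same loop logged while single-stepping under
# gdb, so the three-instruction body appears once per iteration.
LOOP_BODY = """----------------
IN:
0x000101cc:  e2433001      sub    r3, r3, #1
0x000101d0:  e3530000      cmp    r3, #0
0x000101d4:  1afffffc      bne    0x101cc

"""
SAMPLE_STEPPED = LOOP_BODY * 3 + "----------------\nIN:\n0x000101d8:  e1a00003      mov    r0, r3\n"

LINE_RE = re.compile(r'^(0x[0-9a-fA-F]+):\s+([0-9a-fA-F]+)\s+(.*)$')


def parse_in_asm(text):
    """Yield (address, opcode_hex, disassembly) for each instruction line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield int(m.group(1), 16), m.group(2), m.group(3).strip()


def count_addresses(text):
    """Return (Counter of address -> times printed, dict address -> disassembly)."""
    counts = Counter()
    disas = {}
    for addr, _opcode, text_disas in parse_in_asm(text):
        counts[addr] += 1
        disas.setdefault(addr, text_disas)
    return counts, disas


def looks_like_translation_trace(counts):
    """True when no address repeats: the log records translation, not execution.

    A log of a program known to loop that still returns True is the cached-TB
    effect described in the post, and its counts must not be read as coverage.
    """
    return bool(counts) and max(counts.values()) == 1


def report(text):
    """Return a list of (address, count, disassembly) sorted by address."""
    counts, disas = count_addresses(text)
    return [(a, counts[a], disas[a]) for a in sorted(counts)]


if __name__ == "__main__":
    for label, log in (("cached", SAMPLE_CACHED), ("stepped", SAMPLE_STEPPED)):
        print(f"{label}: translation trace? {looks_like_translation_trace(count_addresses(log)[0])}")
        for addr, n, d in report(log):
            print(f"  0x{addr:08x}  x{n:<4d} {d}")
```

Run it against a real `trace.log` by replacing the sample strings with the file contents; the `looks_like_translation_trace` check is the one to apply before treating any `-d in_asm` count as an execution count.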