qemu-discuss

[Qemu-discuss] How do -icount flags work in QEMU TCG


From: Arnabjyoti Kalita
Subject: [Qemu-discuss] How do -icount flags work in QEMU TCG
Date: Wed, 21 Mar 2018 16:22:55 -0400

Hi all,

I have been trying to understand how the -icount shift=N | auto flags work
in QEMU. There are small descriptions as to how it works already, but I
just wanted a clearer perspective.

I obtained a trace of the target instructions using the "-d in_asm" switch
while having the icount flags in the command.

I specifically ran the command below:

./qemu-system-x86_64 -m 10G -machine pc-i440fx-2.5 -icount auto -drive file=~/hexlab_data/ubuntu16.04.server.qcow2,format=qcow2 -loadvm twelve -d in_asm

I see that in the trace file, some of the TCG blocks seem to be translated
more than once:

(NOTE: I am not using the TB Cache/Hash Table and have managed to disable
it in the QEMU code.)

IN:
0xffffffff81061fd0:             nopl     (%rax, %rax)
0xffffffff81061fd5:             pushq    %rbp
0xffffffff81061fd6:             movq     0x10a00fb(%rip), %rax
0xffffffff81061fdd:             movq     %rsp, %rbp
0xffffffff81061fe0:             movl     0xf0(%rax), %eax
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq

----------------
IN:
0xffffffff81061fe0:             movl     0xf0(%rax), %eax
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq

----------------
IN:
0xffffffff81061fe0:             movl     0xf0(%rax), %eax


----------------
IN:
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq

The above example shows one TCG block that has been translated 4 times.
Does this mean the execution gets interrupted in between? At least the
translation looked to be complete.

If the execution does get terminated in between, what conditions need to be
true for this to happen?

Also, how does this use of -icount ensure that the QEMU execution will be
deterministic?
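The excerpt above is short enough to read by eye, but a full "-d in_asm" log from a booted guest runs to millions of lines, and the question of which blocks were translated more than once is easier to answer mechanically. The script below is an added example, not part of the original message or of QEMU: it parses the block layout shown above (an "IN:" header per translation block, one "0x<address>:  <disassembly>" line per instruction, blank lines and dashes as separators), counts how often each guest address was translated, and flags blocks made entirely of addresses that an earlier block already covered, which is exactly the tail-re-translation pattern quoted in the post. The embedded trace is a constructed copy of the posted excerpt; the function names and the report format are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "-d in_asm" excerpt quoted in the post
# (one "IN:" header per translation block, blank lines and dashes between blocks).
SAMPLE_TRACE = """\
IN:
0xffffffff81061fd0:             nopl     (%rax, %rax)
0xffffffff81061fd5:             pushq    %rbp
0xffffffff81061fd6:             movq     0x10a00fb(%rip), %rax
0xffffffff81061fdd:             movq     %rsp, %rbp
0xffffffff81061fe0:             movl     0xf0(%rax), %eax
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq

----------------
IN:
0xffffffff81061fe0:             movl     0xf0(%rax), %eax
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq

----------------
IN:
0xffffffff81061fe0:             movl     0xf0(%rax), %eax


----------------
IN:
0xffffffff81061fe6:             movl     %eax, %eax
0xffffffff81061fe8:             popq     %rbp
0xffffffff81061fe9:             retq
"""

# One instruction line: hex address, colon, whitespace, disassembly text.
INSN_RE = re.compile(r"^0x([0-9a-fA-F]+):\s+(\S.*?)\s*$")


def parse_in_asm(text):
    """Split a '-d in_asm' log into translation blocks.

    Each block is a list of (address, disassembly) tuples in translation order.
    "IN:" headers start a new block; separators and blank lines carry no instructions.
    """
    blocks = []
    current = None
    for line in text.splitlines():
        if line.startswith("IN:"):
            current = []
            blocks.append(current)
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            addr = int(m.group(1), 16)
            disasm = " ".join(m.group(2).split())  # collapse column padding
            current.append((addr, disasm))
    return [b for b in blocks if b]


def translation_counts(blocks):
    """How many times each guest address appears in a translated block."""
    return Counter(addr for block in blocks for addr, _ in block)


def retranslated_blocks(blocks):
    """Indices of blocks consisting only of addresses an earlier block already covered.

    Such a block is a re-translation of (a tail of) an earlier block, the pattern
    the posted trace shows for 0xffffffff81061fe0 onward.
    """
    seen = set()
    hits = []
    for idx, block in enumerate(blocks):
        addrs = {addr for addr, _ in block}
        if addrs <= seen:
            hits.append(idx)
        seen |= addrs
    return hits


def report(text):
    """Readable summary: one line per block, then the re-translation findings."""
    blocks = parse_in_asm(text)
    counts = translation_counts(blocks)
    lines = []
    for idx, block in enumerate(blocks):
        start, end = block[0][0], block[-1][0]
        lines.append(f"block {idx}: 0x{start:x}-0x{end:x}, {len(block)} insns")
    lines.append(f"re-translated blocks: {retranslated_blocks(blocks)}")
    hot = [f"0x{a:x} x{n}" for a, n in counts.most_common() if n > 1]
    lines.append("addresses translated more than once: " + ", ".join(hot))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run against a real log with `report(open("qemu.log").read())`; on the constructed sample it reports four blocks, with blocks 1, 2 and 3 flagged as re-translations and every address from 0xffffffff81061fe0 onward translated three times, matching what the post observes by hand.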

