xref: /openbmc/qemu/docs/about/emulation.rst (revision 682a0528)
1Emulation
2=========
3
4QEMU's Tiny Code Generator (TCG) provides the ability to emulate a
5number of CPU architectures on any supported host platform. Both
6:ref:`System Emulation` and :ref:`User Mode Emulation` are supported
7depending on the guest architecture.
8
9.. list-table:: Supported Guest Architectures for Emulation
10  :widths: 30 10 10 50
11  :header-rows: 1
12
13  * - Architecture (qemu name)
14    - System
15    - User
16    - Notes
17  * - Alpha
18    - Yes
19    - Yes
20    - Legacy 64 bit RISC ISA developed by DEC
21  * - Arm (arm, aarch64)
22    - :ref:`Yes<ARM-System-emulator>`
23    - Yes
24    - Wide range of features, see :ref:`Arm Emulation` for details
25  * - AVR
26    - :ref:`Yes<AVR-System-emulator>`
27    - No
28    - 8 bit micro controller, often used in maker projects
29  * - Cris
30    - Yes
31    - Yes
32    - Embedded RISC chip developed by AXIS
33  * - Hexagon
34    - No
35    - Yes
36    - Family of DSPs by Qualcomm
37  * - PA-RISC (hppa)
38    - Yes
39    - Yes
40    - A legacy RISC system used in HP's old minicomputers
41  * - x86 (i386, x86_64)
42    - :ref:`Yes<QEMU-PC-System-emulator>`
43    - Yes
44    - The ubiquitous desktop PC CPU architecture, 32 and 64 bit.
45  * - LoongArch
46    - Yes
47    - Yes
48    - A MIPS-like 64bit RISC architecture developed in China
49  * - m68k
50    - :ref:`Yes<ColdFire-System-emulator>`
51    - Yes
52    - Motorola 68000 variants and ColdFire
53  * - Microblaze
54    - Yes
55    - Yes
56    - RISC based soft-core by Xilinx
57  * - MIPS (mips*)
58    - :ref:`Yes<MIPS-System-emulator>`
59    - Yes
60    - Venerable RISC architecture originally out of Stanford University
61  * - OpenRISC
62    - :ref:`Yes<OpenRISC-System-emulator>`
63    - Yes
64    - Open source RISC architecture developed by the OpenRISC community
65  * - Power (ppc, ppc64)
66    - :ref:`Yes<PowerPC-System-emulator>`
67    - Yes
68    - A general purpose RISC architecture now managed by IBM
69  * - RISC-V
70    - :ref:`Yes<RISC-V-System-emulator>`
71    - Yes
72    - An open standard RISC ISA maintained by RISC-V International
73  * - RX
74    - :ref:`Yes<RX-System-emulator>`
75    - No
76    - A 32 bit micro controller developed by Renesas
77  * - s390x
78    - :ref:`Yes<s390x-System-emulator>`
79    - Yes
80    - A 64 bit CPU found in IBM's System Z mainframes
81  * - sh4
82    - Yes
83    - Yes
84    - A 32 bit RISC embedded CPU developed by Hitachi
85  * - SPARC (sparc, sparc64)
86    - :ref:`Yes<Sparc32-System-emulator>`
87    - Yes
88    - A RISC ISA originally developed by Sun Microsystems
89  * - Tricore
90    - Yes
91    - No
92    - A 32 bit RISC/uController/DSP developed by Infineon
93  * - Xtensa
94    - :ref:`Yes<Xtensa-System-emulator>`
95    - Yes
96    - A configurable 32 bit soft core now owned by Cadence
97
98.. _Semihosting:
99
100Semihosting
101-----------
102
103Semihosting is a feature defined by the owner of the architecture to
104allow programs to interact with a debugging host system. On real
105hardware this is usually provided by an In-circuit emulator (ICE)
106hooked directly to the board. QEMU's implementation allows for
107semihosting calls to be passed to the host system or via the
108``gdbstub``.
109
110Generally semihosting makes it easier to bring up low level code before a
111more fully functional operating system has been enabled. On QEMU it
112also allows for embedded micro-controller code which typically doesn't
113have a full libc to be run as "bare-metal" code under QEMU's user-mode
114emulation. It is also useful for writing test cases and indeed a
115number of compiler suites as well as QEMU itself use semihosting calls
116to exit test code while reporting the success state.
117
118Semihosting is only available using TCG emulation. This is because the
119instructions to trigger a semihosting call are typically reserved
120causing most hypervisors to trap and fault on them.
121
122.. warning::
123   Semihosting inherently bypasses any isolation there may be between
124   the guest and the host. As a result a program using semihosting can
125   happily trash your host system. Some semihosting calls (e.g.
126   ``SYS_READC``) can block execution indefinitely. You should only
127   ever run trusted code with semihosting enabled.
128
129Redirection
130~~~~~~~~~~~
131
132Semihosting calls can be re-directed to a (potentially remote) gdb
133during debugging via the :ref:`gdbstub<GDB usage>`. Output to the
134semihosting console is configured as a ``chardev`` so can be
135redirected to a file, pipe or socket like any other ``chardev``
136device.
137
138Supported Targets
139~~~~~~~~~~~~~~~~~
140
141Most targets offer similar semihosting implementations with some
142minor changes to define the appropriate instruction to encode the
143semihosting call and which registers hold the parameters. They tend to
144presents a simple POSIX-like API which allows your program to read and
145write files, access the console and some other basic interactions.
146
147For full details of the ABI for a particular target, and the set of
148calls it provides, you should consult the semihosting specification
149for that architecture.
150
151.. note::
152   QEMU makes an implementation decision to implement all file
153   access in ``O_BINARY`` mode. The user-visible effect of this is
154   regardless of the text/binary mode the program sets QEMU will
155   always select a binary mode ensuring no line-terminator conversion
156   is performed on input or output. This is because gdb semihosting
157   support doesn't make the distinction between the modes and
158   magically processing line endings can be confusing.
159
160.. list-table:: Guest Architectures supporting Semihosting
161  :widths: 10 10 80
162  :header-rows: 1
163
164  * - Architecture
165    - Modes
166    - Specification
167  * - Arm
168    - System and User-mode
169    - https://github.com/ARM-software/abi-aa/blob/main/semihosting/semihosting.rst
170  * - m68k
171    - System
172    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=libgloss/m68k/m68k-semi.txt;hb=HEAD
173  * - MIPS
174    - System
175    - Unified Hosting Interface (MD01069)
176  * - RISC-V
177    - System and User-mode
178    - https://github.com/riscv/riscv-semihosting-spec/blob/main/riscv-semihosting-spec.adoc
179  * - Xtensa
180    - System
181    - Tensilica ISS SIMCALL
182
183TCG Plugins
184-----------
185
186QEMU TCG plugins provide a way for users to run experiments taking
187advantage of the total system control emulation can have over a guest.
188It provides a mechanism for plugins to subscribe to events during
189translation and execution and optionally callback into the plugin
190during these events. TCG plugins are unable to change the system state
191only monitor it passively. However they can do this down to an
192individual instruction granularity including potentially subscribing
193to all load and store operations.
194
195See the developer section of the manual for details about
196:ref:`writing plugins<TCG Plugins>`.
197
198Usage
199~~~~~
200
201Any QEMU binary with TCG support has plugins enabled by default.
202Earlier releases needed to be explicitly enabled with::
203
204  configure --enable-plugins
205
206Once built a program can be run with multiple plugins loaded each with
207their own arguments::
208
209  $QEMU $OTHER_QEMU_ARGS \
210      -plugin contrib/plugin/libhowvec.so,inline=on,count=hint \
211      -plugin contrib/plugin/libhotblocks.so
212
213Arguments are plugin specific and can be used to modify their
214behaviour. In this case the howvec plugin is being asked to use inline
215ops to count and break down the hint instructions by type.
216
217Linux user-mode emulation also evaluates the environment variable
218``QEMU_PLUGIN``::
219
220  QEMU_PLUGIN="file=contrib/plugins/libhowvec.so,inline=on,count=hint" $QEMU
221
222Example Plugins
223~~~~~~~~~~~~~~~
224
225There are a number of plugins included with QEMU and you are
226encouraged to contribute your own plugins plugins upstream. There is a
227``contrib/plugins`` directory where they can go. There are also some
228basic plugins that are used to test and exercise the API during the
229``make check-tcg`` target in ``tests/tcg/plugins`` that are never the
230less useful for basic analysis.
231
232Empty
233.....
234
235``tests/tcg/plugins/empty.c``
236
237Purely a test plugin for measuring the overhead of the plugins system
238itself. Does no instrumentation.
239
240Basic Blocks
241............
242
243``tests/tcg/plugins/bb.c``
244
245A very basic plugin which will measure execution in coarse terms as
246each basic block is executed. By default the results are shown once
247execution finishes::
248
249  $ qemu-aarch64 -plugin tests/plugin/libbb.so \
250      -d plugin ./tests/tcg/aarch64-linux-user/sha1
251  SHA1=15dd99a1991e0b3826fede3deffc1feba42278e6
252  bb's: 2277338, insns: 158483046
253
254Behaviour can be tweaked with the following arguments:
255
256.. list-table:: Basic Block plugin arguments
257  :widths: 20 80
258  :header-rows: 1
259
260  * - Option
261    - Description
262  * - inline=true|false
263    - Use faster inline addition of a single counter. Not per-cpu and not
264      thread safe.
265  * - idle=true|false
266    - Dump the current execution stats whenever the guest vCPU idles
267
268Instruction
269...........
270
271``tests/tcg/plugins/insn.c``
272
273This is a basic instruction level instrumentation which can count the
274number of instructions executed on each core/thread::
275
276  $ qemu-aarch64 -plugin tests/plugin/libinsn.so \
277      -d plugin ./tests/tcg/aarch64-linux-user/threadcount
278  Created 10 threads
279  Done
280  cpu 0 insns: 46765
281  cpu 1 insns: 3694
282  cpu 2 insns: 3694
283  cpu 3 insns: 2994
284  cpu 4 insns: 1497
285  cpu 5 insns: 1497
286  cpu 6 insns: 1497
287  cpu 7 insns: 1497
288  total insns: 63135
289
290Behaviour can be tweaked with the following arguments:
291
292.. list-table:: Instruction plugin arguments
293  :widths: 20 80
294  :header-rows: 1
295
296  * - Option
297    - Description
298  * - inline=true|false
299    - Use faster inline addition of a single counter.
300  * - sizes=true|false
301    - Give a summary of the instruction sizes for the execution
302  * - match=<string>
303    - Only instrument instructions matching the string prefix
304
305The ``match`` option will show some basic stats including how many
306instructions have executed since the last execution. For
307example::
308
309   $ qemu-aarch64 -plugin tests/plugin/libinsn.so,match=bl \
310       -d plugin ./tests/tcg/aarch64-linux-user/sha512-vector
311   ...
312   0x40069c, 'bl #0x4002b0', 10 hits, 1093 match hits, Δ+1257 since last match, 98 avg insns/match
313   0x4006ac, 'bl #0x403690', 10 hits, 1094 match hits, Δ+47 since last match, 98 avg insns/match
314   0x4037fc, 'bl #0x4002b0', 18 hits, 1095 match hits, Δ+22 since last match, 98 avg insns/match
315   0x400720, 'bl #0x403690', 10 hits, 1096 match hits, Δ+58 since last match, 98 avg insns/match
316   0x4037fc, 'bl #0x4002b0', 19 hits, 1097 match hits, Δ+22 since last match, 98 avg insns/match
317   0x400730, 'bl #0x403690', 10 hits, 1098 match hits, Δ+33 since last match, 98 avg insns/match
318   0x4037ac, 'bl #0x4002b0', 12 hits, 1099 match hits, Δ+20 since last match, 98 avg insns/match
319   ...
320
321For more detailed execution tracing see the ``execlog`` plugin for
322other options.
323
324Memory
325......
326
327``tests/tcg/plugins/mem.c``
328
329Basic instruction level memory instrumentation::
330
331  $ qemu-aarch64 -plugin tests/plugin/libmem.so,inline=true \
332      -d plugin ./tests/tcg/aarch64-linux-user/sha1
333  SHA1=15dd99a1991e0b3826fede3deffc1feba42278e6
334  inline mem accesses: 79525013
335
336Behaviour can be tweaked with the following arguments:
337
338.. list-table:: Memory plugin arguments
339  :widths: 20 80
340  :header-rows: 1
341
342  * - Option
343    - Description
344  * - inline=true|false
345    - Use faster inline addition of a single counter
346  * - callback=true|false
347    - Use callbacks on each memory instrumentation.
348  * - hwaddr=true|false
349    - Count IO accesses (only for system emulation)
350
351System Calls
352............
353
354``tests/tcg/plugins/syscall.c``
355
356A basic syscall tracing plugin. This only works for user-mode. By
357default it will give a summary of syscall stats at the end of the
358run::
359
360  $ qemu-aarch64 -plugin tests/plugin/libsyscall \
361      -d plugin ./tests/tcg/aarch64-linux-user/threadcount
362  Created 10 threads
363  Done
364  syscall no.  calls  errors
365  226          12     0
366  99           11     11
367  115          11     0
368  222          11     0
369  93           10     0
370  220          10     0
371  233          10     0
372  215          8      0
373  214          4      0
374  134          2      0
375  64           2      0
376  96           1      0
377  94           1      0
378  80           1      0
379  261          1      0
380  78           1      0
381  160          1      0
382  135          1      0
383
384Hot Blocks
385..........
386
387``contrib/plugins/hotblocks.c``
388
389The hotblocks plugin allows you to examine the where hot paths of
390execution are in your program. Once the program has finished you will
391get a sorted list of blocks reporting the starting PC, translation
392count, number of instructions and execution count. This will work best
393with linux-user execution as system emulation tends to generate
394re-translations as blocks from different programs get swapped in and
395out of system memory.
396
397If your program is single-threaded you can use the ``inline`` option for
398slightly faster (but not thread safe) counters.
399
400Example::
401
402  $ qemu-aarch64 \
403    -plugin contrib/plugins/libhotblocks.so -d plugin \
404    ./tests/tcg/aarch64-linux-user/sha1
405  SHA1=15dd99a1991e0b3826fede3deffc1feba42278e6
406  collected 903 entries in the hash table
407  pc, tcount, icount, ecount
408  0x0000000041ed10, 1, 5, 66087
409  0x000000004002b0, 1, 4, 66087
410  ...
411
412
413Hot Pages
414.........
415
416``contrib/plugins/hotpages.c``
417
418Similar to hotblocks but this time tracks memory accesses::
419
420  $ qemu-aarch64 \
421    -plugin contrib/plugins/libhotpages.so -d plugin \
422    ./tests/tcg/aarch64-linux-user/sha1
423  SHA1=15dd99a1991e0b3826fede3deffc1feba42278e6
424  Addr, RCPUs, Reads, WCPUs, Writes
425  0x000055007fe000, 0x0001, 31747952, 0x0001, 8835161
426  0x000055007ff000, 0x0001, 29001054, 0x0001, 8780625
427  0x00005500800000, 0x0001, 687465, 0x0001, 335857
428  0x0000000048b000, 0x0001, 130594, 0x0001, 355
429  0x0000000048a000, 0x0001, 1826, 0x0001, 11
430
431The hotpages plugin can be configured using the following arguments:
432
433.. list-table:: Hot pages arguments
434  :widths: 20 80
435  :header-rows: 1
436
437  * - Option
438    - Description
439  * - sortby=reads|writes|address
440    - Log the data sorted by either the number of reads, the number of writes, or
441      memory address. (Default: entries are sorted by the sum of reads and writes)
442  * - io=on
443    - Track IO addresses. Only relevant to full system emulation. (Default: off)
444  * - pagesize=N
445    - The page size used. (Default: N = 4096)
446
447Instruction Distribution
448........................
449
450``contrib/plugins/howvec.c``
451
452This is an instruction classifier so can be used to count different
453types of instructions. It has a number of options to refine which get
454counted. You can give a value to the ``count`` argument for a class of
455instructions to break it down fully, so for example to see all the system
456registers accesses::
457
458  $ qemu-system-aarch64 $(QEMU_ARGS) \
459    -append "root=/dev/sda2 systemd.unit=benchmark.service" \
460    -smp 4 -plugin ./contrib/plugins/libhowvec.so,count=sreg -d plugin
461
462which will lead to a sorted list after the class breakdown::
463
464  Instruction Classes:
465  Class:   UDEF                   not counted
466  Class:   SVE                    (68 hits)
467  Class:   PCrel addr             (47789483 hits)
468  Class:   Add/Sub (imm)          (192817388 hits)
469  Class:   Logical (imm)          (93852565 hits)
470  Class:   Move Wide (imm)        (76398116 hits)
471  Class:   Bitfield               (44706084 hits)
472  Class:   Extract                (5499257 hits)
473  Class:   Cond Branch (imm)      (147202932 hits)
474  Class:   Exception Gen          (193581 hits)
475  Class:     NOP                  not counted
476  Class:   Hints                  (6652291 hits)
477  Class:   Barriers               (8001661 hits)
478  Class:   PSTATE                 (1801695 hits)
479  Class:   System Insn            (6385349 hits)
480  Class:   System Reg             counted individually
481  Class:   Branch (reg)           (69497127 hits)
482  Class:   Branch (imm)           (84393665 hits)
483  Class:   Cmp & Branch           (110929659 hits)
484  Class:   Tst & Branch           (44681442 hits)
485  Class:   AdvSimd ldstmult       (736 hits)
486  Class:   ldst excl              (9098783 hits)
487  Class:   Load Reg (lit)         (87189424 hits)
488  Class:   ldst noalloc pair      (3264433 hits)
489  Class:   ldst pair              (412526434 hits)
490  Class:   ldst reg (imm)         (314734576 hits)
491  Class: Loads & Stores           (2117774 hits)
492  Class: Data Proc Reg            (223519077 hits)
493  Class: Scalar FP                (31657954 hits)
494  Individual Instructions:
495  Instr: mrs x0, sp_el0           (2682661 hits)  (op=0xd5384100/  System Reg)
496  Instr: mrs x1, tpidr_el2        (1789339 hits)  (op=0xd53cd041/  System Reg)
497  Instr: mrs x2, tpidr_el2        (1513494 hits)  (op=0xd53cd042/  System Reg)
498  Instr: mrs x0, tpidr_el2        (1490823 hits)  (op=0xd53cd040/  System Reg)
499  Instr: mrs x1, sp_el0           (933793 hits)   (op=0xd5384101/  System Reg)
500  Instr: mrs x2, sp_el0           (699516 hits)   (op=0xd5384102/  System Reg)
501  Instr: mrs x4, tpidr_el2        (528437 hits)   (op=0xd53cd044/  System Reg)
502  Instr: mrs x30, ttbr1_el1       (480776 hits)   (op=0xd538203e/  System Reg)
503  Instr: msr ttbr1_el1, x30       (480713 hits)   (op=0xd518203e/  System Reg)
504  Instr: msr vbar_el1, x30        (480671 hits)   (op=0xd518c01e/  System Reg)
505  ...
506
507To find the argument shorthand for the class you need to examine the
508source code of the plugin at the moment, specifically the ``*opt``
509argument in the InsnClassExecCount tables.
510
511Lockstep Execution
512..................
513
514``contrib/plugins/lockstep.c``
515
516This is a debugging tool for developers who want to find out when and
517where execution diverges after a subtle change to TCG code generation.
518It is not an exact science and results are likely to be mixed once
519asynchronous events are introduced. While the use of -icount can
520introduce determinism to the execution flow it doesn't always follow
521the translation sequence will be exactly the same. Typically this is
522caused by a timer firing to service the GUI causing a block to end
523early. However in some cases it has proved to be useful in pointing
524people at roughly where execution diverges. The only argument you need
525for the plugin is a path for the socket the two instances will
526communicate over::
527
528
529  $ qemu-system-sparc -monitor none -parallel none \
530    -net none -M SS-20 -m 256 -kernel day11/zImage.elf \
531    -plugin ./contrib/plugins/liblockstep.so,sockpath=lockstep-sparc.sock \
532    -d plugin,nochain
533
534which will eventually report::
535
536  qemu-system-sparc: warning: nic lance.0 has no peer
537  @ 0x000000ffd06678 vs 0x000000ffd001e0 (2/1 since last)
538  @ 0x000000ffd07d9c vs 0x000000ffd06678 (3/1 since last)
539  Δ insn_count @ 0x000000ffd07d9c (809900609) vs 0x000000ffd06678 (809900612)
540    previously @ 0x000000ffd06678/10 (809900609 insns)
541    previously @ 0x000000ffd001e0/4 (809900599 insns)
542    previously @ 0x000000ffd080ac/2 (809900595 insns)
543    previously @ 0x000000ffd08098/5 (809900593 insns)
544    previously @ 0x000000ffd080c0/1 (809900588 insns)
545
546
547Hardware Profile
548................
549
550``contrib/plugins/hwprofile.c``
551
552The hwprofile tool can only be used with system emulation and allows
553the user to see what hardware is accessed how often. It has a number of options:
554
555.. list-table:: Hardware Profile arguments
556  :widths: 20 80
557  :header-rows: 1
558
559  * - Option
560    - Description
561  * - track=[read|write]
562    - By default the plugin tracks both reads and writes. You can use
563      this option to limit the tracking to just one class of accesses.
564  * - source
565    - Will include a detailed break down of what the guest PC that made the
566      access was. Not compatible with the pattern option. Example output::
567
568        cirrus-low-memory @ 0xfffffd00000a0000
569         pc:fffffc0000005cdc, 1, 256
570         pc:fffffc0000005ce8, 1, 256
571         pc:fffffc0000005cec, 1, 256
572
573  * - pattern
574    - Instead break down the accesses based on the offset into the HW
575      region. This can be useful for seeing the most used registers of
576      a device. Example output::
577
578        pci0-conf @ 0xfffffd01fe000000
579          off:00000004, 1, 1
580          off:00000010, 1, 3
581          off:00000014, 1, 3
582          off:00000018, 1, 2
583          off:0000001c, 1, 2
584          off:00000020, 1, 2
585          ...
586
587
588Execution Log
589.............
590
591``contrib/plugins/execlog.c``
592
593The execlog tool traces executed instructions with memory access. It can be used
594for debugging and security analysis purposes.
595Please be aware that this will generate a lot of output.
596
597The plugin needs default argument::
598
599  $ qemu-system-arm $(QEMU_ARGS) \
600    -plugin ./contrib/plugins/libexeclog.so -d plugin
601
602which will output an execution trace following this structure::
603
604  # vCPU, vAddr, opcode, disassembly[, load/store, memory addr, device]...
605  0, 0xa12, 0xf8012400, "movs r4, #0"
606  0, 0xa14, 0xf87f42b4, "cmp r4, r6"
607  0, 0xa16, 0xd206, "bhs #0xa26"
608  0, 0xa18, 0xfff94803, "ldr r0, [pc, #0xc]", load, 0x00010a28, RAM
609  0, 0xa1a, 0xf989f000, "bl #0xd30"
610  0, 0xd30, 0xfff9b510, "push {r4, lr}", store, 0x20003ee0, RAM, store, 0x20003ee4, RAM
611  0, 0xd32, 0xf9893014, "adds r0, #0x14"
612  0, 0xd34, 0xf9c8f000, "bl #0x10c8"
613  0, 0x10c8, 0xfff96c43, "ldr r3, [r0, #0x44]", load, 0x200000e4, RAM
614
615Please note that you need to configure QEMU with Capstone support to get disassembly.
616
617The output can be filtered to only track certain instructions or
618addresses using the ``ifilter`` or ``afilter`` options. You can stack the
619arguments if required::
620
621  $ qemu-system-arm $(QEMU_ARGS) \
622    -plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
623
624This plugin can also dump registers when they change value. Specify the name of the
625registers with multiple ``reg`` options. You can also use glob style matching if you wish::
626
627  $ qemu-system-arm $(QEMU_ARGS) \
628    -plugin ./contrib/plugins/libexeclog.so,reg=\*_el2,reg=sp -d plugin
629
630Be aware that each additional register to check will slow down
631execution quite considerably. You can optimise the number of register
632checks done by using the rdisas option. This will only instrument
633instructions that mention the registers in question in disassembly.
634This is not foolproof as some instructions implicitly change
635instructions. You can use the ifilter to catch these cases::
636
637  $ qemu-system-arm $(QEMU_ARGS) \
638    -plugin ./contrib/plugins/libexeclog.so,ifilter=msr,ifilter=blr,reg=x30,reg=\*_el1,rdisas=on
639
640Cache Modelling
641...............
642
643``contrib/plugins/cache.c``
644
645Cache modelling plugin that measures the performance of a given L1 cache
646configuration, and optionally a unified L2 per-core cache when a given working
647set is run::
648
649  $ qemu-x86_64 -plugin ./contrib/plugins/libcache.so \
650      -d plugin -D cache.log ./tests/tcg/x86_64-linux-user/float_convs
651
652will report the following::
653
654    core #, data accesses, data misses, dmiss rate, insn accesses, insn misses, imiss rate
655    0       996695         508             0.0510%  2642799        18617           0.7044%
656
657    address, data misses, instruction
658    0x424f1e (_int_malloc), 109, movq %rax, 8(%rcx)
659    0x41f395 (_IO_default_xsputn), 49, movb %dl, (%rdi, %rax)
660    0x42584d (ptmalloc_init.part.0), 33, movaps %xmm0, (%rax)
661    0x454d48 (__tunables_init), 20, cmpb $0, (%r8)
662    ...
663
664    address, fetch misses, instruction
665    0x4160a0 (__vfprintf_internal), 744, movl $1, %ebx
666    0x41f0a0 (_IO_setb), 744, endbr64
667    0x415882 (__vfprintf_internal), 744, movq %r12, %rdi
668    0x4268a0 (__malloc), 696, andq $0xfffffffffffffff0, %rax
669    ...
670
671The plugin has a number of arguments, all of them are optional:
672
673.. list-table:: Cache modelling arguments
674  :widths: 20 80
675  :header-rows: 1
676
677  * - Option
678    - Description
679  * - limit=N
680    - Print top N icache and dcache thrashing instructions along with
681      their address, number of misses, and its disassembly. (default: 32)
682  * - icachesize=N
683      iblksize=B
684      iassoc=A
685    - Instruction cache configuration arguments. They specify the
686      cache size, block size, and associativity of the instruction
687      cache, respectively. (default: N = 16384, B = 64, A = 8)
688  * - dcachesize=N
689    - Data cache size (default: 16834)
690  * - dblksize=B
691    - Data cache block size (default: 64)
692  * - dassoc=A
693    - Data cache associativity (default: 8)
694  * - evict=POLICY
695    - Sets the eviction policy to POLICY. Available policies are:
696      ``lru``, ``fifo``, and ``rand``. The plugin will use
697      the specified policy for both instruction and data caches.
698      (default: POLICY = ``lru``)
699  * - cores=N
700    - Sets the number of cores for which we maintain separate icache
701      and dcache. (default: for linux-user, N = 1, for full system
702      emulation: N = cores available to guest)
703  * - l2=on
704    - Simulates a unified L2 cache (stores blocks for both
705      instructions and data) using the default L2 configuration (cache
706      size = 2MB, associativity = 16-way, block size = 64B).
707  * - l2cachesize=N
708    - L2 cache size (default: 2097152 (2MB)), implies ``l2=on``
709  * - l2blksize=B
710    - L2 cache block size (default: 64), implies ``l2=on``
711  * - l2assoc=A
712    - L2 cache associativity (default: 16), implies ``l2=on``
713
714Stop on Trigger
715...............
716
717``contrib/plugins/stoptrigger.c``
718
719The stoptrigger plugin allows to setup triggers to stop emulation.
720It can be used for research purposes to launch some code and precisely stop it
721and understand where its execution flow went.
722
723Two types of triggers can be configured: a count of instructions to stop at,
724or an address to stop at. Multiple triggers can be set at once.
725
726By default, QEMU will exit with return code 0. A custom return code can be
727configured for each trigger using ``:CODE`` syntax.
728
729For example, to stop at the 20-th instruction with return code 41, at address
7300xd4 with return code 0 or at address 0xd8 with return code 42::
731
732  $ qemu-system-aarch64 $(QEMU_ARGS) \
733    -plugin ./contrib/plugins/libstoptrigger.so,icount=20:41,addr=0xd4,addr=0xd8:42 -d plugin
734
735The plugin will log the reason of exit, for example::
736
737  0xd4 reached, exiting
738
739Other emulation features
740------------------------
741
742When running system emulation you can also enable deterministic
743execution which allows for repeatable record/replay debugging. See
744:ref:`Record/Replay<replay>` for more details.
745
746