5
votes
  1. I've written and compiled a RISC-V Linux application.

  2. I want to dump all the instructions that get executed at run-time (which cannot be achieved by static analysis).

Is it possible to get a dynamic assembly instruction execution histogram from QEMU (or other tools)?

4
Did the QEMU manual contain anything useful on the subject? - fuz
So you want counts by mnemonic (ignoring operands), not necessarily an actual trace of every instruction in execution order? Given a trace you can process it into a histogram if necessary. (I updated your question title to be more specific.) - Peter Cordes
@PeterCordes Yes, that's what I want. But how to obtain the trace (of executed guest assembly instructions) from QEMU? - noureddine-as
I don't know, that's why I upvoted your question. But that might be a useful search term since it's standard terminology and something that other people have probably wanted at some point. - Peter Cordes

4 Answers

5
votes

For instruction tracing, I go with -singlestep -d nochain,cpu, combined with some awk. This can become painfully slow and large depending on the code you run.

Regarding the statistics you'd like to obtain, delegate it to R/numpy/pandas/whatever after extracting the program counter.

The presentation or video of user "yvr18" on that topic might cover some aspects of QEMU tracing at various levels (as well as some interesting heatmap visualization).
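As an added illustration of the "-d cpu plus post-processing" approach (example code, not part of this answer): a Python script that pulls the program counter out of each CPU-state dump and joins it against an objdump disassembly to produce a per-mnemonic execution histogram. The QEMU log excerpt and the objdump excerpt below are constructed samples, and the exact layout of the " pc" line in the RISC-V register dump is an assumption, so the regex accepts both with and without a 0x prefix.

```python
import re
from collections import Counter

# Constructed sample of QEMU '-singlestep -d nochain,cpu' output (RISC-V guest).
# With nochain+singlestep every CPU-state dump corresponds to exactly one
# executed instruction, so counting pc values counts dynamic executions.
# The field layout is assumed; only the 'pc' line is parsed.
QEMU_LOG = """\
 pc       0000000000010078
 mhartid  0000000000000000
 pc       000000000001007c
 mhartid  0000000000000000
 pc       0000000000010078
 pc       000000000001007c
 pc       0000000000010080
 pc       0000000000020000
"""

# Constructed 'riscv64-unknown-elf-objdump -d' excerpt of the same binary.
OBJDUMP = """\
0000000000010078 <loop>:
   10078:   00150513            addi    a0,a0,1
   1007c:   feb54ee3            blt     a0,a1,10078 <loop>
   10080:   00008067            ret
   10084:   00000013            nop
"""

PC_RE = re.compile(r"^\s*pc\s+(?:0x)?([0-9a-fA-F]+)\s*$", re.M)
DIS_RE = re.compile(r"^\s*([0-9a-fA-F]+):\s+[0-9a-fA-F]+\s+(\S+)", re.M)

def executed_pcs(log_text):
    """Program counters in execution order, one per CPU-state dump."""
    return [int(h, 16) for h in PC_RE.findall(log_text)]

def pc_to_mnemonic(objdump_text):
    """Map each instruction address to its mnemonic from objdump -d output."""
    return {int(a, 16): m for a, m in DIS_RE.findall(objdump_text)}

def mnemonic_histogram(log_text, objdump_text):
    """Dynamic count of executed instructions keyed by mnemonic.
    PCs outside the disassembly (e.g. libc or kernel code) are bucketed
    as '<unknown>' so they are visible rather than silently dropped."""
    disasm = pc_to_mnemonic(objdump_text)
    return Counter(disasm.get(pc, "<unknown>") for pc in executed_pcs(log_text))

if __name__ == "__main__":
    for mnem, n in mnemonic_histogram(QEMU_LOG, OBJDUMP).most_common():
        print(f"{n:8d}  {mnem}")
```

Note that the statically present nop never appears in the histogram, which is exactly the static-vs-dynamic distinction the question is about.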

3
votes

QEMU doesn't currently support that sort of trace of all instructions executed.

  1. The closest we have today is that there are various bits of debug logging under the -d switch, and you can combine the tracing of "instructions translated from guest to native" with the "blocks of translated code executed" translation to work out what was executed, but this is pretty awkward.

  2. Alternatively you could try scripting the gdbstub interface to do something like "disassemble instruction at PC; singlestep" which will (slowly!) give you all the instructions executed.

Note: There is ongoing work to improve QEMU's ability to introspect guest execution so that you can write a simple 'plugin' with functions that are called back on events like guest instruction execution; with that it would be fairly easy to write a dump of guest instructions executed (or do more interesting processing), but this is still work-in-progress, so not available yet.

2
votes

It seems you can do something similar with rv8 (https://github.com/rv8-io/rv8), using the command:

rv-jit -l

2
votes

The "spike" RISC-V emulator allows tracing instructions executed, new values stored into registers, or just simply a histogram of PC values (from which you can extract what instruction was at each PC location).

It's not as fast as qemu, but runs at 100 to 200 MIPS on current x86 hardware (at least without tracing enabled).