Tracewrap 8.1

.github/workflows/build.yaml

@@ -0,0 +1,41 @@
+name: Build target user
+
+on: [pull_request, workflow_dispatch]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python 3.x
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+    - name: Copy source.list file to include deb-src
+      run: |
+        sudo cp /etc/apt/sources.list /etc/apt/sources.list.d/tmp.list
+        sudo sed -i "s/# deb-src/deb-src/g" /etc/apt/sources.list.d/tmp.list
+    - name: Install deps
+      run: |
+        sudo apt-get  update
+        sudo apt-get --no-install-recommends -y build-dep qemu
+        sudo apt-get install -y autoconf libtool protobuf-c-compiler
+        pip3 install --user ninja
+    - name: Install OCaml
+      uses: ocaml/setup-ocaml@v2
+      with:
+        ocaml-compiler: 4.14.x
+        dune-cache: true
+        opam-disable-sandboxing: true
+    - name: Install piqi
+      run: |
+        opam install piqi
+    - name: Clone qemu and bap-frames
+      run: |
+        git clone --depth 1 http://github.com/BinaryAnalysisPlatform/bap-frames.git
+        git clone --depth 1 http://github.com/BinaryAnalysisPlatform/qemu.git
+    - name: Build without tracewrap
+      run: |
+        cd qemu
+        ./configure --prefix=$HOME --target-list=arm-linux-user
+        ninja -C build

README.md

@@ -0,0 +1,98 @@
+# Overview
+
+Qemu tracer - a tracer based on [qemu](https://github.com/qemu/qemu)
+project. It executes a binary executable and saves trace data using
+[Protocol Buffer](https://developers.google.com/protocol-buffers/)
+format. The contents of the trace data is defined in
+[bap-traces](https://github.com/BinaryAnalysisPlatform/bap-traces)
+project.
+
+# Installing released binaries
+
+If you don't want to mess with the source and building, then you can just
+dowload a tarball with prebuilt binaries. Look at the latest release and
+it might happen, that we have built binaries for your linux distribution,
+if it is not the case, then create an issue, and we will build it for you.
+
+Let's pretend, that you're using Ubuntu Trusty, and install it. First
+download it with your favorite downloader:
+
+```
+wget https://github.com/BinaryAnalysisPlatform/qemu/releases/download/v2.0.0-tracewrap-2.0.0-rc1/qemu-tracewrap-ubuntu-14.04.4-LTS.tgz
+```
+
+Install it in the specified prefix with a command like `tar -C <prefix> -xf qemu-tracewrap-ubuntu-14.04.4-LTS.tgz`, e.g.,
+to install in your home directory:
+```
+tar -C $HOME -xf qemu-tracewrap-ubuntu-14.04.4-LTS.tgz
+```
+
+
+
+# Build
+
+## Preparation
+
+Note: the instructions assume that you're using Ubuntu, but it
+may work on other systems, that uses apt-get.
+
+Before building the qemu-tracewrap, you need to install the following packages:
+   * qemu build dependencies
+   * autoconf, libtool, protobuf-c-compiler
+   * [piqi library](http://piqi.org/doc/ocaml)
+
+To install qemu build dependencies, use the following command
+
+```bash
+$ sudo apt-get --no-install-recommends -y build-dep qemu
+```
+
+To install autoconf, libtool, protobuf-c-compiler, use the
+following command
+
+```bash
+$ sudo apt-get install autoconf libtool protobuf-c-compiler
+```
+
+To install [piqi library](http://piqi.org/doc/ocaml) with
+[opam](https://opam.ocaml.org/doc/Install.html), use the following command
+```bash
+$ opam install piqi
+```
+
+## Building
+
+Download [bap-frames](https://github.com/BinaryAnalysisPlatform/bap-frames) with
+following command
+
+```bash
+$ git clone https://github.com/BinaryAnalysisPlatform/bap-frames.git
+```
+
+Download qemu tracer with following command
+
+```bash
+$ git clone git@github.com:BinaryAnalysisPlatform/qemu.git
+```
+
+Change folder to qemu and build tracer:
+```bash
+$ cd qemu
+$ ./configure --prefix=$HOME --with-tracewrap=<absolute-path-to>/bap-frames --target-list=<ARCH>-linux-user
+$ ninja -C build
+$ ninja -C build install
+```
+
+# Usage
+
+To run executable `exec` compiled for `arch`, use `qemu-arch exec` command, e.g.,
+`qemu-x86_64 /bin/ls`. It will dump the trace into `ls.frames` file. You can configure
+the filename with `-tracefile` option, e.g., `qemu-arm -tracefile arm.ls.frames ls`
+
+
+Hints: use option -L to set the elf interpreter prefix to 'path'. Use
+[fetchlibs.sh](https://raw.githubusercontent.com/BinaryAnalysisPlatform/bap-frames/master/test/fetchlibs.sh)
+to download arm and x86 libraries.
+
+# Notes
+  Only ARM, X86, X86-64, MIPS targets are supported in this branch.

VERSION

@@ -1 +1 @@
-8.1.0
+8.1.2

accel/kvm/kvm-all.c

@@ -2458,7 +2458,7 @@ static int kvm_init(MachineState *ms)
     KVMState *s;
     const KVMCapabilityInfo *missing_cap;
     int ret;
-    int type = 0;
+    int type;
     uint64_t dirty_log_manual_caps;
 
     qemu_mutex_init(&kml_slots_lock);
@@ -2523,6 +2523,8 @@ static int kvm_init(MachineState *ms)
         type = mc->kvm_type(ms, kvm_type);
     } else if (mc->kvm_type) {
         type = mc->kvm_type(ms, NULL);
+    } else {
+        type = kvm_arch_get_default_type(ms);
     }
 
     do {

accel/tcg/cpu-exec-common.c

@@ -33,36 +33,6 @@ void cpu_loop_exit_noexc(CPUState *cpu)
     cpu_loop_exit(cpu);
 }
 
-#if defined(CONFIG_SOFTMMU)
-void cpu_reloading_memory_map(void)
-{
-    if (qemu_in_vcpu_thread() && current_cpu->running) {
-        /* The guest can in theory prolong the RCU critical section as long
-         * as it feels like. The major problem with this is that because it
-         * can do multiple reconfigurations of the memory map within the
-         * critical section, we could potentially accumulate an unbounded
-         * collection of memory data structures awaiting reclamation.
-         *
-         * Because the only thing we're currently protecting with RCU is the
-         * memory data structures, it's sufficient to break the critical section
-         * in this callback, which we know will get called every time the
-         * memory map is rearranged.
-         *
-         * (If we add anything else in the system that uses RCU to protect
-         * its data structures, we will need to implement some other mechanism
-         * to force TCG CPUs to exit the critical section, at which point this
-         * part of this callback might become unnecessary.)
-         *
-         * This pair matches cpu_exec's rcu_read_lock()/rcu_read_unlock(), which
-         * only protects cpu->as->dispatch. Since we know our caller is about
-         * to reload it, it's safe to split the critical section.
-         */
-        rcu_read_unlock();
-        rcu_read_lock();
-    }
-}
-#endif
-
 void cpu_loop_exit(CPUState *cpu)
 {
     /* Undo the setting in cpu_tb_exec.  */

accel/tcg/cpu-exec.c

@@ -720,7 +720,7 @@ static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
             && cpu_neg(cpu)->icount_decr.u16.low + cpu->icount_extra == 0) {
             /* Execute just one insn to trigger exception pending in the log */
             cpu->cflags_next_tb = (curr_cflags(cpu) & ~CF_USE_ICOUNT)
-                | CF_NOIRQ | 1;
+                | CF_LAST_IO | CF_NOIRQ | 1;
         }
 #endif
         return false;
@@ -1032,10 +1032,12 @@ cpu_exec_loop(CPUState *cpu, SyncClocks *sc)
                 last_tb = NULL;
             }
 #endif
+#ifndef HAS_TRACEWRAP
             /* See if we can patch the calling TB. */
             if (last_tb) {
                 tb_add_jump(last_tb, tb_exit, tb);
             }
+#endif
 
             cpu_loop_exec_tb(cpu, tb, pc, &last_tb, &tb_exit);
 

accel/tcg/tb-maint.c

@@ -1083,7 +1083,8 @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
     if (current_tb_modified) {
         /* Force execution of one insn next time.  */
         CPUState *cpu = current_cpu;
-        cpu->cflags_next_tb = 1 | CF_NOIRQ | curr_cflags(current_cpu);
+        cpu->cflags_next_tb =
+            1 | CF_LAST_IO | CF_NOIRQ | curr_cflags(current_cpu);
         return true;
     }
     return false;
@@ -1153,7 +1154,8 @@ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
     if (current_tb_modified) {
         page_collection_unlock(pages);
         /* Force execution of one insn next time.  */
-        current_cpu->cflags_next_tb = 1 | CF_NOIRQ | curr_cflags(current_cpu);
+        current_cpu->cflags_next_tb =
+            1 | CF_LAST_IO | CF_NOIRQ | curr_cflags(current_cpu);
         mmap_unlock();
         cpu_loop_exit_noexc(current_cpu);
     }

accel/tcg/tcg-accel-ops-mttcg.c

@@ -100,14 +100,9 @@ static void *mttcg_cpu_thread_fn(void *arg)
                 break;
             case EXCP_HALTED:
                 /*
-                 * during start-up the vCPU is reset and the thread is
-                 * kicked several times. If we don't ensure we go back
-                 * to sleep in the halted state we won't cleanly
-                 * start-up when the vCPU is enabled.
-                 *
-                 * cpu->halted should ensure we sleep in wait_io_event
+                 * Usually cpu->halted is set, but may have already been
+                 * reset by another thread by the time we arrive here.
                  */
-                g_assert(cpu->halted);
                 break;
             case EXCP_ATOMIC:
                 qemu_mutex_unlock_iothread();

accel/tcg/translator.c

@@ -16,26 +16,19 @@
 #include "tcg/tcg-op-common.h"
 #include "internal.h"
 
-static void gen_io_start(void)
+static void set_can_do_io(DisasContextBase *db, bool val)
 {
-    tcg_gen_st_i32(tcg_constant_i32(1), cpu_env,
-                   offsetof(ArchCPU, parent_obj.can_do_io) -
-                   offsetof(ArchCPU, env));
+    if (db->saved_can_do_io != val) {
+        db->saved_can_do_io = val;
+        tcg_gen_st_i32(tcg_constant_i32(val), cpu_env,
+                       offsetof(ArchCPU, parent_obj.can_do_io) -
+                       offsetof(ArchCPU, env));
+    }
 }
 
 bool translator_io_start(DisasContextBase *db)
 {
-    uint32_t cflags = tb_cflags(db->tb);
-
-    if (!(cflags & CF_USE_ICOUNT)) {
-        return false;
-    }
-    if (db->num_insns == db->max_insns && (cflags & CF_LAST_IO)) {
-        /* Already started in translator_loop. */
-        return true;
-    }
-
-    gen_io_start();
+    set_can_do_io(db, true);
 
     /*
      * Ensure that this instruction will be the last in the TB.
@@ -47,14 +40,17 @@ bool translator_io_start(DisasContextBase *db)
     return true;
 }
 
-static TCGOp *gen_tb_start(uint32_t cflags)
+static TCGOp *gen_tb_start(DisasContextBase *db, uint32_t cflags)
 {
-    TCGv_i32 count = tcg_temp_new_i32();
+    TCGv_i32 count = NULL;
     TCGOp *icount_start_insn = NULL;
 
-    tcg_gen_ld_i32(count, cpu_env,
-                   offsetof(ArchCPU, neg.icount_decr.u32) -
-                   offsetof(ArchCPU, env));
+    if ((cflags & CF_USE_ICOUNT) || !(cflags & CF_NOIRQ)) {
+        count = tcg_temp_new_i32();
+        tcg_gen_ld_i32(count, cpu_env,
+                       offsetof(ArchCPU, neg.icount_decr.u32) -
+                       offsetof(ArchCPU, env));
+    }
 
     if (cflags & CF_USE_ICOUNT) {
         /*
@@ -84,18 +80,15 @@ static TCGOp *gen_tb_start(uint32_t cflags)
         tcg_gen_st16_i32(count, cpu_env,
                          offsetof(ArchCPU, neg.icount_decr.u16.low) -
                          offsetof(ArchCPU, env));
-        /*
-         * cpu->can_do_io is cleared automatically here at the beginning of
-         * each translation block.  The cost is minimal and only paid for
-         * -icount, plus it would be very easy to forget doing it in the
-         * translator. Doing it here means we don't need a gen_io_end() to
-         * go with gen_io_start().
-         */
-        tcg_gen_st_i32(tcg_constant_i32(0), cpu_env,
-                       offsetof(ArchCPU, parent_obj.can_do_io) -
-                       offsetof(ArchCPU, env));
     }
 
+    /*
+     * cpu->can_do_io is set automatically here at the beginning of
+     * each translation block.  The cost is minimal, plus it would be
+     * very easy to forget doing it in the translator.
+     */
+    set_can_do_io(db, db->max_insns == 1 && (cflags & CF_LAST_IO));
+
     return icount_start_insn;
 }
 
@@ -144,18 +137,25 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
     db->num_insns = 0;
     db->max_insns = *max_insns;
     db->singlestep_enabled = cflags & CF_SINGLE_STEP;
+    db->saved_can_do_io = -1;
     db->host_addr[0] = host_pc;
     db->host_addr[1] = NULL;
 
     ops->init_disas_context(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
 
     /* Start translating.  */
-    icount_start_insn = gen_tb_start(cflags);
+    icount_start_insn = gen_tb_start(db, cflags);
     ops->tb_start(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
 
-    plugin_enabled = plugin_gen_tb_start(cpu, db, cflags & CF_MEMI_ONLY);
+    if (cflags & CF_MEMI_ONLY) {
+        /* We should only see CF_MEMI_ONLY for io_recompile. */
+        assert(cflags & CF_LAST_IO);
+        plugin_enabled = plugin_gen_tb_start(cpu, db, true);
+    } else {
+        plugin_enabled = plugin_gen_tb_start(cpu, db, false);
+    }
 
     while (true) {
         *max_insns = ++db->num_insns;
@@ -172,13 +172,9 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
            the next instruction.  */
         if (db->num_insns == db->max_insns && (cflags & CF_LAST_IO)) {
             /* Accept I/O on the last instruction.  */
-            gen_io_start();
-            ops->translate_insn(db, cpu);
-        } else {
-            /* we should only see CF_MEMI_ONLY for io_recompile */
-            tcg_debug_assert(!(cflags & CF_MEMI_ONLY));
-            ops->translate_insn(db, cpu);
+            set_can_do_io(db, true);
         }
+        ops->translate_insn(db, cpu);
 
         /*
          * We can't instrument after instructions that change control