Home Explore Help
Register Sign In
FangSoftSoft
/
qemu
mirror of https://github.com/utmapp/qemu.git
2
0
Fork 0
Files Issues 0 Wiki
Branch: ios-support-jit-v1
Branches Tags
qemu
/
docs
/
devel
/
ios.rst

ios.rst 6.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 
  1. ===========
    2. 

  2. iOS Support
    3. 

  3. ===========
    4. 

  4. 

  5. To run qemu on the iOS platform, some modifications were required. Most of the 
    6. 

  6. modifications are conditioned on the ``CONFIG_IOS`` and ``CONFIG_NO_RWX`` 
    7. 

  7. configuration variables.
    8. 

  8. 

  9. Build support
    10. 

  10. -------------
    11. 

  11. 

  12. For the code to compile, certain changes in the block driver and the slirp 
    13. 

  13. driver had to be made. There is no ``system()`` call, so code requiring it had 
    14. 

  14. to be disabled.
    15. 

  15. 

  16. ``ucontext`` support is broken on iOS. The implementation from ``libucontext`` 
    17. 

  17. is used instead.
    18. 

  18. 

  19. Because ``fork()`` is not allowed on iOS apps, the option to build qemu and the 
    20. 

  20. utilities as shared libraries is added. Note that because qemu does not perform 
    21. 

  21. resource cleanup in most cases (open files, allocated memory, etc), it is 
    22. 

  22. advisable that the user implements a proxy layer for syscalls so resources can 
    23. 

  23. be kept track by the app that uses qemu as a shared library.
    24. 

  24. 

  25. Executable memory locking
    26. 

  26. -------------------------
    27. 

  27. 

  28. The iOS kernel does not permit ``mmap()`` pages with 
    29. 

  29. ``PROT_READ | PROT_WRITE | PROT_EXEC``. However, it does allow allocating pages 
    30. 

  30. with only ``PROT_READ | PROT_WRITE`` and then later calling ``mprotect()`` with 
    31. 

  31. ``PROT_READ | PROT_EXEC``. A page can never be both writable and executable.
    32. 

  32. 

  33. In this document, we will refer to a page that is read-writable as "unlocked" 
    34. 

  34. and a page that is read-executable as "locked." Because ``mprotect()`` is an 
    35. 

  35. expensive call, we try to defer calling it until we need to and also try to 
    36. 

  36. avoid calling it unless it is absolutely needed.
    37. 

  37. 

  38. One approach would be to unlock the entire TCG region when a TB translation is 
    39. 

  39. being done and then lock the entire region when a TB is about to be executed. 
    40. 

  40. This would require thousands of pages to be locked and unlocked all the time. 
    41. 

  41. Additionally, it means that different vCPU threads cannot share the same TLB 
    42. 

  42. cache.
    43. 

  43. 

  44. TB allocation changes
    45. 

  45. ---------------------
    46. 

  46. 

  47. To improve the performance, we first notice that ``tcg_tb_alloc()`` returns a 
    48. 

  48. chunk of memory that must be unlocked. A recent change in qemu places the TB 
    49. 

  49. structure close to the code buffer in order to improve both cache locality and 
    50. 

  50. reduce code size and memory usage. Unfortunately, we have to regress this 
    51. 

  51. improvement as any benefit from it is negated with the need to unlock the memory
    52. 

  52. whenever we need to mutate the TB structure.
    53. 

  53. 

  54. We go back to the old method of statically allocating a large buffer for all 
    55. 

  55. TBs in a region. However a few improvements are made. First, we try to respect 
    56. 

  56. the locality by making this buffer close to the code. Second, whenever we flush 
    57. 

  57. the TB cache, we will use the average size of code blocks to divide up the TCG 
    58. 

  58. region into space for TB structures and space for code blocks.
    59. 

  59. 

  60. Locked memory water level
    61. 

  61. -------------------------
    62. 

  62. 

  63. By moving the TB allocation, we made it such that the memory only needs to be 
    64. 

  64. unlocked in the context of ``tb_gen_code()``. Because the code buffer pointer 
    65. 

  65. only grows downwards (we do not ever "free" code blocks and have holes), we 
    66. 

  66. only ever need to unlock at most one page.
    67. 

  67. 

  68. We can think of the entire TCG region divided into two sections: the locked 
    69. 

  69. section and the unlocked section. At the start, the entire region is unlocked. 
    70. 

  70. As more and more code blocks are generated, the allocation pointer moves 
    71. 

  71. upwards. We can then lock the memory of any memory below the allocation pointer 
    72. 

  72. as the code generated is immutable. Therefore we can keep a second pointer to 
    73. 

  73. the highest page boundary the allocation pointer passes and keep all the memory 
    74. 

  74. below that pointer (all the way to the start of the region) locked and all the 
    75. 

  75. memory above it unlocked. This pointer is our locked water level.
    76. 

  76. 

  77. That way, assuming all pages are unlocked at the start, we will progressively 
    78. 

  78. lock more pages as more code is generated. The only page we ever need to unlock 
    79. 

  79. would be the page pointed to by our locked water level pointer.
    80. 

  80. 

  81. In ``tb_gen_code()`` we will call ``mprotect()`` on at most one page in order to
    82. 

  82. unlock the top of the water level (if it is currently locked). In 
    83. 

  83. ``cpu_tb_exec()`` we will call ``mprotect()`` on all pages below the water 
    84. 

  84. level that are currently unlocked. This will, in most cases, be one or zero 
    85. 

  85. pages with the exception being if multiple pages of code were generated without 
    86. 

  86. being executed.
    87. 

  87. 

  88. Multiple threads
    89. 

  89. ----------------
    90. 

  90. 

  91. Additional consideration is needed to handle multiple threads. We do not permit 
    92. 

  92. one vCPU from executing code on another vCPU if the end of the code is located 
    93. 

  93. at it's TCG region's locked water level. The reason is that without having 
    94. 

  94. synchronization between threads, we cannot guarantee if the page at the water 
    95. 

  95. level is locked or unlocked.
    96. 

  96. 

  97. There are multiple places this may happen: when a TB is being looked up in the 
    98. 

  98. main loop, when a TB is being looked up as part of ``goto_tb``, and the TB chain 
    99. 

  99. caches (where after lookup, we encode a jump so a future call to the first TB 
    100. 

  100. will immediately jump into the second TB without lookup).
    101. 

  101. 

  102. Since adding synchronization is expensive (holding on thread idle while another 
    103. 

  103. one is generating code defeats the purpose of parallel TCG contexts), we 
    104. 

  104. implement a lock-less solution. In each TB, we store a pointer to the water 
    105. 

  105. level pointer. Whenever a TB is looked up, we check that either 1) the TB 
    106. 

  106. belongs to the current thread and therefore we can ensure the memory is locked 
    107. 

  107. during execution or 2) the water level of the TCG context that the TB belongs to
    108. 

  108. is beyond the end of the TB's code block. This does mean that there might be 
    109. 

  109. redundant code generation done by multiple TCG contexts if multiple vCPUs all 
    110. 

  110. decide to execute the same block of code at the same time. This should not 
    111. 

  111. happen too often.
    112. 

  112. 

  113. Similarly, for the TB chain cache, we will only chain a TB if either 1) both 
    114. 

  114. TBs' code buffer end pointer resides in the same page and therefore if the 
    115. 

  115. memory is locked to execute the first TB, we can jump to the second TB without 
    116. 

  116. issue, or 2) the second TB's code block fully resides below the locked water 
    117. 

  117. level of its TCG context. This means in some cases (such as two newly minted 
    118. 

  118. TBs from two threads happen to be chained), we will not chain the TB when we 
    119. 

  119. see it initially but will only chain it after a few subsequent executions and 
    120. 

  120. the locked water level has risen.
    121.