Re: [Qemu-devel] qemu-system-* using mmap?

[Tim Olson]

On Dec 13, 2006, at 10:04 AM, Joseph Miller wrote:

> Can someone elaborate on this a little?  What is the difference 
> between the SOFTMMU and the mmap()?  Should I be using the 
> --enable-system or the --disable-system for win32 guest on i386 debian 
> host?  Can someone give a little more insight on this technicality?

For full system emulation, qemu needs to support the emulated 
processor's ability to perform virtual->physical address translation 
for every memory reference (including data loads/stores and 
non-pc-relative branches).  Using the SOFTMMU method, this is done at 
basic-block translation time by inlining a software TLB lookup routine 
for each memory reference.  This expands a simple target load 
instruction into a sequence of ~20 host processor instructions (for x86 
target, ppc host I see about 25 instructions for TLB lookup).

The other way to handle this would be to use the host's MMU to do the 
translation directly, via an mmap() system call which sets up the 
translation.  Then the translated basic block would contain memory 
references using the target system's virtual address values, and the 
translation would occur in the host's hardware MMU during execution 
(fast), rather than having to execute a software TLB lookup.  However, 
there are a number of restrictions to using mmap() translation (host 
and target address spaces cannot overlap, etc.)  It appears that this 
feature has been removed from current versions of qemu, so the only way 
to do full system emulation is via the SOFTMMU method.

        -- tim