Hi, I would like to create an accurate trace of basic blocks that get
executed. I'm interested in a trace of what a CPU would execute, and not
for the purposes of studying qemu itself.
I'm currently emitting trace data from cpu_tb_exec
by printing out the env->eip (x86_64 only). This seems to be roughly
the right place -- there's already cpu tracing in this function.
I do notice that some basic blocks get printed twice here though, and
I tracked it down to basic blocks being rescheduled if execution returns
with TB_EXIT_* flags set.
So I capture the PC before execution and only emit them if this is
not the case, after execution. This gets rid of the duplicate edges in
the trace, but there is still one problem left that I don't understand!
Sometimes, when running the same program twice in a situation that
should give the exact same trace, I see differences:
+ basic block ffffff812f2930 returned with flag 3, setting pc to ffffffff812f285d
In this case the basic block wasn't merely restarted. The PC was updated
to a different value after the next_tb had the TB_EXIT_REQUESTED flag set.
The particular basic block in question at ffffffff812f2930 ends with a callq
to 0xffffffff812f2850 and then falls through to 0xffffffff812f293d. So I would
expect to see the "..2930" and "..293d" in the trace, but not the "..285d" in
the trace, unless it was just continuing mid-basic block after the exit?
What exactly is going on here? What is the purpose of the TB_EXIT_REQUESTED
here? What is causing execution to resume at "...285d" afterwards? Is there
a simple way to filter out any extraneous basic blocks that get started midpoint (if
that is the case) and keep the true basic block starts?
Thank you in advance for any insights.
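Added example, not code from the post above and not QEMU's own code: a stand-alone C model of the return protocol of tcg_qemu_tb_exec() together with the "capture the PC before, emit only on a normal exit" filter the post describes. The TB_EXIT_* values are the ones in QEMU's include/exec/exec-all.h; everything else (the TB struct, lookup_tb, model_tb_exec, trace_bbs, the exit "budget", and the chain 2930 -> 2850 -> 285d built from the addresses quoted in the post) is constructed for illustration. The model assumes, as QEMU's cpu-exec.c does, that a TB reached through goto_tb chaining never comes back through cpu_tb_exec(), and that on TB_EXIT_REQUESTED the TB returned in the low bits (last_tb) did not start executing, so the guest PC is reset to last_tb->pc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of QEMU's TB exit protocol (not QEMU code).
 * tcg_qemu_tb_exec() returns the address of the last TB it was about to run,
 * with the exit reason in the low two bits.  TB_EXIT_REQUESTED means that TB
 * was NOT executed (the exit_request check at its entry fired), so
 * cpu_tb_exec() resets the guest PC to last_tb->pc, which, after goto_tb
 * chaining, can be a TB other than the one the execution loop started.
 */
#define TB_EXIT_MASK      3
#define TB_EXIT_IDX0      0
#define TB_EXIT_IDX1      1
#define TB_EXIT_REQUESTED 3

typedef struct TB {
    uint64_t pc;       /* guest address of the block start */
    uint64_t next_pc;  /* where control goes when the block finishes */
    struct TB *chain;  /* direct-jump (goto_tb) successor, NULL = return to loop */
} TB;

/* Constructed from the addresses in the post: 2930 calls 2850, which runs into 285d,
 * which returns to the fall-through block 293d.  (0 next_pc = end of the model.) */
static TB tb_285d = { 0xffffffff812f285dULL, 0xffffffff812f293dULL, NULL };
static TB tb_2850 = { 0xffffffff812f2850ULL, 0xffffffff812f285dULL, &tb_285d };
static TB tb_2930 = { 0xffffffff812f2930ULL, 0xffffffff812f2850ULL, &tb_2850 };
static TB tb_293d = { 0xffffffff812f293dULL, 0, NULL };
static TB *all_tbs[] = { &tb_2930, &tb_2850, &tb_285d, &tb_293d };

static TB *lookup_tb(uint64_t pc) {
    for (size_t i = 0; i < sizeof all_tbs / sizeof *all_tbs; i++)
        if (all_tbs[i]->pc == pc) return all_tbs[i];
    return NULL;
}

/*
 * Model of tcg_qemu_tb_exec(): run tb, then follow its chain without returning
 * to the loop.  Every TB starts by testing exit_request; here *budget is how
 * many TBs may start before that test fires (an interrupt or icount expiring).
 */
static uintptr_t model_tb_exec(TB *tb, int *budget, uint64_t *env_pc) {
    for (TB *cur = tb;; cur = cur->chain) {
        if (*budget == 0)              /* exit_request seen at the entry of cur */
            return (uintptr_t)cur | TB_EXIT_REQUESTED;
        (*budget)--;
        *env_pc = cur->next_pc;        /* cur executed to its end */
        if (cur->chain == NULL)        /* exit not patched: back to the loop */
            return (uintptr_t)cur | TB_EXIT_IDX0;
    }
}

/*
 * The filter from the post: remember the PC before exec and emit it only when
 * the exit reason is a normal index.  Returns the number of PCs written to out;
 * *resumed_at receives the PC QEMU resets to on the first TB_EXIT_REQUESTED.
 */
static size_t trace_bbs(uint64_t start_pc, int budget, uint64_t *out, size_t max,
                        uint64_t *resumed_at) {
    size_t n = 0;
    uint64_t pc = start_pc;
    *resumed_at = 0;
    for (TB *tb = lookup_tb(pc); tb && n < max; tb = lookup_tb(pc)) {
        uint64_t pc_before = tb->pc;
        uintptr_t ret = model_tb_exec(tb, &budget, &pc);
        TB *last_tb = (TB *)(ret & ~(uintptr_t)TB_EXIT_MASK);
        int tb_exit = (int)(ret & TB_EXIT_MASK);
        if (tb_exit > TB_EXIT_IDX1) {
            /* last_tb never ran: the PC becomes its start, not pc_before */
            pc = last_tb->pc;
            if (!*resumed_at) *resumed_at = pc;
            budget = 100;   /* request serviced; run freely from here on */
            continue;       /* nothing emitted, as in the post's filter */
        }
        out[n++] = pc_before;
    }
    return n;
}

int main(void) {
    uint64_t out[8], resumed;
    int budgets[] = { 100, 2 };   /* no exit request; request at the entry of 285d */
    for (int b = 0; b < 2; b++) {
        size_t n = trace_bbs(tb_2930.pc, budgets[b], out, 8, &resumed);
        printf("budget %d: resumed at %llx, trace:", budgets[b], (unsigned long long)resumed);
        for (size_t i = 0; i < n; i++) printf(" %llx", (unsigned long long)out[i]);
        printf("\n");
    }
    return 0;
}
```

With no exit request the filter records 2930 and then 293d; 2850 and 285d ran, but through chaining, so cpu_tb_exec() never sees them. With an exit request arriving at the entry of 285d the filter drops 2930 (its exit code is 3 even though it executed) and 285d then shows up as a fresh block start. In the model, "...285d" is therefore a genuine TB start at the end of the interrupted chain rather than a mid-block resume, and the block that goes missing from the trace is the one before it.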