Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.1142/s0218126624502426

2024-01-01

Journal of Circuits Systems and Computers

Abstract:In the domain of process virtual machine (PVM) binary translation, the difference in address space layout between the guest program and the translated program requires the recalculation of jump instruction targets, resulting in suboptimal execution efficiency. This paper presents a novel method called SPC-Indexed Indirect Branch Hardware Cache Redirecting (SPCIC) technique. SPCIC utilizes specialized branch instruction to represent indirect branches from guest programs while frequently-used target addresses are cached in a customized hardware mapping table. When translating an indirect branch, SPCIC queries the jump target cache first to achieve a fast redirection unless the destination address is not cached. Besides, SPCIC merely falls back to the software-based remapping approach when the query fails, improving the translation efficiency to the greatest extent. SPCIC is implemented on the QEMU platform to accelerate the translation of ARM payloads into RISC-V. Experiments are carried on SPEC2006 to demonstrate the effectiveness of SPCIC for reducing the runtime overhead of indirect branch translation. The experimental results indicate up to 11% average improvement and 35% maximum improvement are obtained on the selected benchmark.

Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.3390/electronics12143014

IF: 2.9

2023-01-01

Electronics

Abstract:Binary translation, as an important bridge for application compatibility between different instruction set architectures (ISAs), has attracted much attention in the industry. However, due to hardware resource limitations of the target ISA, the translation efficiency and the practicability are poor. Recently, Apple has made it possible to run x86 programs on ARM through a translation technology called Rosetta based on software-hardware collaboration. In this paper, we proposed a hardware non-invasive mapping method for condition bits (HNIMCB) in binary translation, which innovatively implements the setting and referencing operations of the condition bits without changing the original instruction encoding and function of the target processor. This method is applicable for binary translation from source architectures with condition bit operations to target architectures without condition bit operations. It eliminates the difference of conditional bit resources between the source and target ISAs, reduces the computational instructions and memory access operations after translation from the source to the target ISA, and dramatically improves the translation efficiency. We conducted this experiment on a functional simulation level using the QEMU binary translator from ARM to RISC-V. A series of benchmark tests revealed that the total number of instructions decreased by 41%, while the number of memory access instructions decreased by 37% after the translation applying with the HNIMCB.

Wei Li,Xiaohui Luo,Yiran Zhang,Qingkai Meng,Fengyuan Ren

DOI: https://doi.org/10.1007/978-3-031-12597-3_1

2022-01-01

Abstract:Emulation of Instruction Set Architecture (ISA) is necessary for a wide variety of use cases, such as providing the compatibility to execute programs compiled for a different ISA. This issue is usually solved using Dynamic Binary Translation (DBT), where guest machine code is translated to host ISA on runtime and Just-in-time (JIT) compilation is performed to achieve high-performance emulation. QEMU, a famous emulator, is developed to solve this issue, where Tiny Code Generator (TCG) is constructed to translate guest binary code to TCG Intermediate Representation (IR), and then generate target ISA machine code from TCG IR. Due to the limitations of TCG, some extensions, such as HQEMU, use LLVM as the backend to optimize programs and generate high-performance machine code. However, HQEMU is limited by its underlying implementation. That is, HQEMU still translates guest binary code to TCG IR at first. In this paper, we develop a novel, LLVM-based emulator, where guest machine code is directly lifted to LLVM IR to reduce the extra overhead and produce high-quality machine code. We evaluate our DBT emulator using BYTEmark benchmark and demonstrating its ability to outperform the de facto standard QEMU DBT system. The evaluation results confirm that our emulator delivers an average speedup of 3.3x over QEMU across BYTEmark benchmark compiled for x86-64 running on an ARMv8 platform, meanwhile, demonstrate that our user-level DBT emulator can significantly reduce the overhead to run a program on a cross-ISA system.

Emilio G. Cota,Luca P. Carloni

DOI: https://doi.org/10.1145/3313808.3313811

2019-01-01

Abstract:The rise in instruction set architecture (ISA) diversity and the growing adoption of virtual machines are driving a need for fast, scalable, full-system, cross-ISA emulation and instrumentation tools. Unfortunately, achieving high performance for these cross-ISA tools is challenging due to dynamic binary translation (DBT) overhead and the complexity of instrumenting full-system emulators. In this paper we improve cross-ISA emulation and instrumentation performance through three novel techniques. First, we increase floating point (FP) emulation performance by observing that most FP operations can be correctly emulated by surrounding the use of the host FP unit with a minimal amount of non-FP code. Second, we introduce the design of a translator with a shared code cache that scales for multi-core guests, even when they generate translated code in parallel at a high rate. Third, we present an ISA-agnostic instrumentation layer that can instrument guest operations that occur outside of the DBT’s intermediate representation (IR), which are common in full-system emulators. We implement our approach in Qelt, a high-performance cross-ISA machine emulator and instrumentation tool based on QEMU. Our results show that Qelt scales to 32 cores when emulating a guest machine used for parallel compilation, which demonstrates scalable code translation. Furthermore, experiments based on SPEC06 show that Qelt (1) outperforms QEMU as a full-system cross-ISA machine emulator by 1.76×/2.18× for integer/FP workloads, (2) outperforms state-of-the-art, cross-ISA, full-system instrumentation tools by 1.5×-3×, and (3) can match the performance of Pin, a state-of-the-art, same-ISA DBI tool, when used for complex instrumentation such as cache simulation.

Chen Qiao,Liehui Jiang,Wei Dong,Lixin Wang

2011-01-01

Abstract:This paper takes Alpha processor as the platform,and migrates the system simulation software of QEMU to Alpha platform,so that the virtual machine on system can perform Linux operating system based on x86 architecture to achieve Alpha processor compatible x86 applications.Performance test is performed on virtual machine.Through the statistics of code inflation rate,a restricted virtual machine performance instruction type,is found to provide reference for virtual machine performance optimization.

Jinhu Jiang,Chaoyi Liang,Rongchao Dong,Zhaohui Yang,Zhongjun Zhou,Wenwen Wang,Pen-Chung Yew,Weihua Zhang

2024-02-15

Abstract:System-level emulators have been used extensively for system design, debugging and evaluation. They work by providing a system-level virtual machine to support a guest operating system (OS) running on a platform with the same or different native OS that uses the same or different instruction-set architecture. For such system-level emulation, dynamic binary translation (DBT) is one of the core technologies. A recently proposed learning-based DBT approach has shown a significantly improved performance with a higher quality of translated code using automatically learned translation rules. However, it has only been applied to user-level emulation, and not yet to system-level emulation. In this paper, we explore the feasibility of applying this approach to improve system-level emulation, and use QEMU to build a prototype. ... To achieve better performance, we leverage several optimizations that include coordination overhead reduction to reduce the overhead of each coordination, and coordination elimination and code scheduling to reduce the coordination frequency. Experimental results show that it can achieve an average of 1.36X speedup over QEMU 6.1 with negligible coordination overhead in the system emulation mode using SPEC CINT2006 as application benchmarks and 1.15X on real-world applications.

Operating Systems,Performance

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Yuan Yao,Zhongyong Lu,Qingsong Shi,Wenzhi Chen

DOI: https://doi.org/10.1109/FPL.2013.6645554

2013-01-01

Abstract:Binary translation is used to allow applications of one instruction set architecture (ISA) to run on another, thereby maintaining the binary level compatibility across ISAs. Conventional software binary translation systems suffer performance loss because of architectural heterogeneity amongst ISAs, control flow translation and context switches. In this paper, we propose an FPGA based hardware-software co-designed dynamic binary translation (DBT) system, which moderates these issues at a low level of hardware cost. In our DBT system, we propose a MIPS condition code flags register and a modest ISA extension to bridge the architectural gap, a hardware address mapping mechanism to accelerate the handling of control flow instructions, and a scratchpad memory to reduce performance loss during context switches. We implement the system on Xilinx XC5VLX110T. Quantitative experiments reveal that the overall performance improvement is 56.1% over the baseline configuration, with only extra 1.4% of slices and 5.4% of BRAMs of Xilinx XC5VLX110T occupied.

Jiunn-Yeu Chen,Wuu Yang,Wei-Chung Hsu,Bor-Yeh Shen,Quan-Huei Ou

DOI: https://doi.org/10.1145/2996458

2017-08-31

ACM Transactions on Embedded Computing Systems

Abstract:Code discovery has been a main challenge for static binary translation, especially when the source instruction set architecture has variable-length instructions, such as the x86 architectures. Due to embedded data such as PC (program counter)-relative data, jump tables, or paddings in the code section, a binary translator may be misled to translate data as instructions. For variable-length instructions, once a piece of data is mis-translated as instructions, decoding subsequent bytes could also go wrong. We are concerned with static binary translation for the very popular Advanced RISC Machine (ARM) architectures. Although ARM is considered a reduced instruction set computer architecture, it does allow the mix of 32-bit (ARM) instructions and 16-bit (Thumb) instructions in the same executables. In addition to different instruction lengths, the ARM and Thumb instructions are located at 4-byte or 2-byte aligned addresses, respectively. Furthermore, because ARM and Thumb instructions share the same encoding space, a 4-byte word could sometimes be decoded as one ARM instruction or two Thumb instructions. The correct decoding of this 4-byte word is actually determined at runtime by the least-significant bit of the program counter. For unstripped binaries, the mapping symbols can be used to identify ARM code regions and Thumb code regions. However, for stripped binaries, such mapping symbols are unavailable. We propose a novel solution to statically translate stripped ARM/Thumb mixed executables. Our solution is implemented in a static binary translator. The binary translator further generates multiple versions of translated code for the code regions whose types cannot be determined with our solution. One of the code versions is selected during runtime. The binary translator also includes a series of analyses that enable the removal of most useless code versions. Based on the experimental results on stripped ARM/Thumb mixed binaries in the SPEC2006 and Embedded Microprocessor Benchmark Consortium (EEMBC) benchmark suites, our static binary translator achieves impressive performance when migrating them to run on x86 machines and the space overhead is no more than 10%.

computer science, software engineering, hardware & architecture

Weiwu Hu,Qi Liu,Jian Wang,Songsong Cai,Menghao Su,Xiaoyu Li

DOI: https://doi.org/10.1109/iccd.2009.5413138

2009-01-01

Abstract:Binary translation is one of the most important approaches for system migration. However, software binary translation systems often suffer from the inefficiency and traditional hardware-software co-designed virtual machines require the unavoidable re-design of the processor architecture. This paper presents a novel hardware-software co-designed method to accelerate the binary translation on an existing architecture. The hardware supports for source-architecture-only functions, partial decodes and binary translation system acceleration are proposed. These hardware supports help the binary translation system to achieve high performance and simplify the design of the binary translation software. In the meantime, the hardware cost is well controlled in a certain low level. These supports are implemented in Godson-3 processors to speedup the x86 binary translation to the native MIPS instruction set. Performance evaluations on RTL simulation and FPGA emulation platforms show that the proposed method can speedup most benchmark programs by nearly 10 times compared to pure software-based binary translation and achieves about 70% performance of the native program execution. The chip is fabricated in ST 65nm CMOS technology, and the physical design results show that the chip area cost is less than 5%.

Sheng-Yu Fu,Ding-Yang Hang,Jan-Joan Wu,Pangfeng Lui,Wei-Chung Hsu,Ding-Yong Hong,Jan-Jan Wu,Pangfeng Liu

DOI: https://doi.org/10.1109/icpads.2015.70

2015-12-01

Abstract:HQEMU is a multi-threaded and re-targetable dynamic binary translator built on top of QEMU and LLVM. It combines the fast and reliable code translation in the TCG (Tiny Code Generator) of QEMU and the rich optimizations in LLVM to achieve high performance for both short running and long running applications. One weakness of HQEMU lies in the lack of efficient SIMD instruction translation. This work investigates on how to remedy that. Two approaches have been designed and tested. One simple approach is to modify the help function to emit LLVM vector IR, and a more complete approach is to add a newly introduced vector IR in the TCG phase. Although both approaches can exploit the SIMD instructions of the host machine, the second and more complete approach has superior runtime as well as compile time advantages,

Wenbing Xie,Qiaoling Luo,Xue Tian,Junyi Huang,Fengbin Qi

DOI: https://doi.org/10.3390/electronics13091608

IF: 2.9

2024-04-24

Electronics

Abstract:The emergence of new instruction set architectures (ISAs) poses challenges in ensuring compatibility with legacy applications. Dynamic binary translation (DBT) serves as a crucial approach for achieving cross-ISA compatibility, enabling legacy applications to run compatibly with cross-ISAs. However, software-based translation encounters significant performance overhead, including substantial memory access and insufficient exploitation of target architecture features. The significant performance overhead challenges hinder the practical implementation of DBT. In this paper, we investigate a novel peephole optimization approach. First, we perform peephole analysis to identify redundant memory access and suboptimal instruction sequences. Next, we leverage live variable analysis to eliminate redundant memory-access instructions. Additionally, we bridge the gaps between cross-ISAs by exploiting ISA-specific features through instruction fusion. Finally, we implement the proposed optimization design using the open-source QEMU and extensively evaluate it on both ARM64 and SW64 platforms. The experimental results reveal that SPEC2006 benchmark effectively gets a maximum performance speedup of 1.52×, alongside a reduction in code size of up to 13.98%. These results affirm the effectiveness of our optimization approach in DBT performance and code sizes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wenwen Wang,Jiacheng Wu,Xiaoli Gong,Tao Li,Pen-Chung Yew

DOI: https://doi.org/10.1145/3186411.3186413

2018-01-01

ACM SIGPLAN Notices

Abstract:The recent transition in the software industry toward dynamically generated code poses a new challenge to existing dynamic binary translation (DBT) systems. A significant re-translation overhead could be introduced due to the maintenance of the consistency between the dynamically-generated guest code and the corresponding translated host code. To address this issue, this paper presents a novel approach to optimize DBT systems for guest applications with dynamically-generated code. The proposed approach can maximize the reuse of previously translated host code to mitigate the re-translation overhead. A prototype based on such an approach has been implemented on an existing DBT system HQEMU. Experimental results on a set of JavaScript applications show that it can achieve a 1.24X performance speedup on average compared to the original HQEMU.

Huang Wang,Chao Wang,Huaping Chen

DOI: https://doi.org/10.1504/ijhpsa.2015.072853

2015-01-01

Abstract:Cross-instruction set architecture ISA full-system emulator plays an important role in reusing binary codes across different architectures. With the rapid development of multi-core technology, it is desirable to build a high-performance multi-core emulator rather than conventional single core emulator. However, current mainstream cross-ISA full-system emulator can only work sequentially, which seriously confines the parallelism. In order to take the advantage of parallelism of host platform to emulate multi processor architecture, this paper presents XE-MU, a cross-ISA full-system emulator on multiple processor architectures. Firstly, efficient methods are targeted to translate atomic instructions. Secondly, we study the approach to emulation of communications for inter-core and core-to-I/O devices. For the implementation, we utilise both GCC built-in-functions and LL/SC instructions-based methods to translate the atomic instructions. We propose a portable and efficient lock-free queue implementation for communications in virtual machine. In order to verify the effectiveness of these methods, we conducted experiments on the Loongson-3A hardware platform. Experimental results demonstrate that both methods are able to enhance the performance of the emulator and reduce the overhead of inter-core communication with interrupts; thereby, the efficiency of the emulator can be greatly improved.

Wei Chen,Zhiying Wang,Dan Chen

DOI: https://doi.org/10.4304/jcp.5.7.1133-1141

2010-01-01

Abstract:Virtual Machine (VM) can not only release the processor designers from the burden of ensuring cross-platform compatibility but also provide new opportunities for innovation. Instruction Set Architecture (ISA) emulation is the key aspect of a VM. This paper describes the design and implementation of TransARM-IU, a use-level ISA emulator that supports IA-32 applications on ARM-based systems. This paper also discusses several dedicated solutions to several crucial issues related to the development of TransARM-IU, such as the Executable and Linking Format resolution and hybrid threaded interpretation. In particular, conventional interpretation is implemented in a centralized style which consumes much more execution time. A hybrid threaded interpretation method is proposed to improve the efficiency of the emulator by appending a portion of the simple decoding and dispatching code to the end of each of the instruction interpreter routines. For performance evaluation, we selected 6 benchmarks from MiBench and carried out the experiments on two real ARM-based systems. Experimental results demonstrate the correctness of TransARM-IU in terms of ISA emulation and indicate that TransARM-IU is competitive to other ISA emulators. © 2010 ACADEMY PUBLISHER.

Chen Gao,Xiangwei Meng,Wei Li,Jinhui Lai,Yiran Zhang,Fengyuan Ren

2024-01-01

Abstract:The increasing prevalence of new Instruction Set Architectures (ISAs) necessitates the migration of closed-source binary programs across ISAs. Dynamic Binary Translation (DBT) stands out as a crucial technology for the cross-ISA emulation of binary programs. However, due to the mismatch in memory consistency between guest ISA and host ISA, DBT systems face substantial challenges in guaranteeing correctness and translation performance for concurrent programs. Despite several attempts to bridge the memory inconsistency between guest and host ISA, prior work is either not universal for cross-ISA DBT systems or inefficient and even error-prone in translation. This work presents CrossMapping, a general primitive mapping framework to enhance existing DBT systems for crossISA translation. By harmonizing memory consistency across diverse ISAs, CrossMapping enables smooth cross-ISA translation and accomplishes correct emulation. CrossMapping introduces specification tables to describe memory models in a unified and precise format, which facilitates the derivation of concurrent primitive mapping schemes based on a convenient comparison and analysis of memory models. The correctness of cross-ISA emulation is guaranteed by harmoniously integrating the derived mapping schemes with existing DBT systems. We evaluate CrossMapping for x86, ARMv8, and RISC-V on top of QEMU using the PARSEC benchmark suite. The results show that the average performance improvement can reach 8.5% when emulating x86 on ARMv8 and 7.3% when emulating x86 on RISC-V.

Chen Wei,Wang Zhiying,Zheng Zhong,Xiao Nong,Shen Li,Lu Hongyi

2011-01-01

Abstract:Instruction set architecture (ISA) emulation is the key to implement a virtual machine across different ISAs. This paper presents the design and implementation of TransARM, an efficient ISA emulator supporting IA-32 applications on ARM-based systems. TransARM adopts interpretation and binary translation as its basis. Interpretation is performed at the initial stage of emulation. Translation is performed only on the hot spots. Lazy flag updating and Pcache-based hybrid threaded interpretation is used to improve the interpretation performance while superblock chaining is used to accelerate binary translation. Several implementation issues which are crucial in the design of an ISA emulator are discussed, such as the executable and linking format resolution, architecture mapping and system call emulation. Benchmarks selected from MiBench are emulated by TransARM on two real ARM-based systems. Experimental results demon-strate the correctness of TransARM in terms of ISA emulation and indicate that TransARM is competitive to other ISA emulators.

Yu-Ping Liu,Ding-Yong Hong,Jan-Jan Wu,Sheng-Yu Fu,Wei-Chung Hsu

DOI: https://doi.org/10.1145/3301488

IF: 1.444

2019-03-08

ACM Transactions on Architecture and Code Optimization

Abstract:Single instruction multiple data (SIMD) has been adopted for decades because of its superior performance and power efficiency. The SIMD capability (i.e., width, number of registers, and advanced instructions) has diverged rapidly on different SIMD instruction-set architectures (ISAs). Therefore, migrating existing applications to another host ISA that has fewer but longer SIMD registers and more advanced instructions raises the issues of asymmetric SIMD capability. To date, this issue has been overlooked and the host SIMD capability is underutilized, resulting in suboptimal performance. In this article, we present a novel binary translation technique called spill-aware superword level parallelism (saSLP), which combines short ARMv8 instructions and registers in the guest binaries to exploit the x86 AVX2 host’s parallelism, register capacity, and gather instructions. Our experiment results show that saSLP improves the performance by 1.6× (2.3×) across a number of benchmarks and reduces spilling by 97% (99%) for ARMv8 to x86 AVX2 (AVX-512) translation. Furthermore, with AVX2 (AVX-512) gather instructions, saSLP speeds up several data-irregular applications that cannot be vectorized on ARMv8 NEON by up to 3.9× (4.2×).

computer science, theory & methods, hardware & architecture

Ding-Yong Hong,Yu-Ping Liu,Sheng-Yu Fu,Jan-Jan Wu,Wei-Chung Hsu

DOI: https://doi.org/10.1145/3173456

2018-06-02

ACM Transactions on Embedded Computing Systems

Abstract:Recent trends in SIMD architecture have tended toward longer vector lengths, and more enhanced SIMD features have been introduced in newer vector instruction sets. However, legacy or proprietary applications compiled with short-SIMD ISA cannot benefit from the long-SIMD architecture that supports improved parallelism and enhanced vector primitives, resulting in only a small fraction of potential peak performance. This article presents a dynamic binary translation technique that enables short-SIMD binaries to exploit benefits of new SIMD architectures by rewriting short-SIMD loop code. We propose a general approach that translates loops consisting of short-SIMD instructions to machine-independent IR, conducts SIMD loop transformation/optimization at this IR level, and finally translates to long-SIMD instructions. Two solutions are presented to enforce SIMD load/store alignment, one for the problem caused by the binary translator’s internal translation condition and one general approach using dynamic loop peeling optimization. Benchmark results show that average speedups of 1.51× and 2.48× are achieved for an ARM NEON to x86 AVX2 and x86 AVX-512 loop transformation, respectively.

computer science, software engineering, hardware & architecture

Ahmed Heakl,Chaimaa Abi,Rania Hossam,Abdulrahman Mahmoud

2024-11-25

Abstract:The transition from x86 to ARM architecture is becoming increasingly common across various domains, primarily driven by ARM's energy efficiency and improved performance across traditional sectors. However, this ISA shift poses significant challenges, mainly due to the extensive legacy ecosystem of x86 software and lack of portability across proprietary ecosystems and software stacks. This paper introduces CRT, a lightweight LLM-based transpiler that automatically converts x86 assembly to ARM assembly. Our approach bridges the fundamental architectural gap between x86's CISC-based and ARM's RISC-based computing paradigms while preserving program semantics and optimizing performance. We evaluate CRT on diverse real-world applications, achieving 79.25% translation accuracy from x86 to ARMv5 on our comprehensive test suite, and an 88.68% accuracy from x86 to RISC-V. In practical deployments on Apple M2 hardware (ARMv8), our transpiled code achieves 1.73$\times$ speedup compared to Apple's Rosetta 2 virtualization engine, while delivering 2.41$\times$ memory efficiency and 1.47$\times$ better energy consumption. Through testing and analysis, we show that CRT successfully navigates the CISC/RISC divide and generates correctly executable RISC code despite machine ``language'' barriers. We release our code, models, training datasets, and benchmarks at: \url{<a class="link-external link-https" href="https://ahmedheakl.github.io/asm2asm/" rel="external noopener nofollow">this https URL</a>}.

Programming Languages,Hardware Architecture