Wei Li,Xiaohui Luo,Yiran Zhang,Qingkai Meng,Fengyuan Ren

DOI: https://doi.org/10.1007/978-3-031-12597-3_1

2022-01-01

Abstract:Emulation of Instruction Set Architecture (ISA) is necessary for a wide variety of use cases, such as providing the compatibility to execute programs compiled for a different ISA. This issue is usually solved using Dynamic Binary Translation (DBT), where guest machine code is translated to host ISA on runtime and Just-in-time (JIT) compilation is performed to achieve high-performance emulation. QEMU, a famous emulator, is developed to solve this issue, where Tiny Code Generator (TCG) is constructed to translate guest binary code to TCG Intermediate Representation (IR), and then generate target ISA machine code from TCG IR. Due to the limitations of TCG, some extensions, such as HQEMU, use LLVM as the backend to optimize programs and generate high-performance machine code. However, HQEMU is limited by its underlying implementation. That is, HQEMU still translates guest binary code to TCG IR at first. In this paper, we develop a novel, LLVM-based emulator, where guest machine code is directly lifted to LLVM IR to reduce the extra overhead and produce high-quality machine code. We evaluate our DBT emulator using BYTEmark benchmark and demonstrating its ability to outperform the de facto standard QEMU DBT system. The evaluation results confirm that our emulator delivers an average speedup of 3.3x over QEMU across BYTEmark benchmark compiled for x86-64 running on an ARMv8 platform, meanwhile, demonstrate that our user-level DBT emulator can significantly reduce the overhead to run a program on a cross-ISA system.

Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.1142/s0218126624502426

2024-01-01

Journal of Circuits Systems and Computers

Abstract:In the domain of process virtual machine (PVM) binary translation, the difference in address space layout between the guest program and the translated program requires the recalculation of jump instruction targets, resulting in suboptimal execution efficiency. This paper presents a novel method called SPC-Indexed Indirect Branch Hardware Cache Redirecting (SPCIC) technique. SPCIC utilizes specialized branch instruction to represent indirect branches from guest programs while frequently-used target addresses are cached in a customized hardware mapping table. When translating an indirect branch, SPCIC queries the jump target cache first to achieve a fast redirection unless the destination address is not cached. Besides, SPCIC merely falls back to the software-based remapping approach when the query fails, improving the translation efficiency to the greatest extent. SPCIC is implemented on the QEMU platform to accelerate the translation of ARM payloads into RISC-V. Experiments are carried on SPEC2006 to demonstrate the effectiveness of SPCIC for reducing the runtime overhead of indirect branch translation. The experimental results indicate up to 11% average improvement and 35% maximum improvement are obtained on the selected benchmark.

Huang Wang,Xianglan Chen,Huaping Chen

DOI: https://doi.org/10.1007/s10766-015-0379-0

2015-01-01

International Journal of Parallel Programming

Abstract:Cross instruction-set-architecture (cross-ISA) virtual machine is the core technology to many important applications. However, traditional cross-ISA virtual machines have encountered several bottlenecks: (1) they cannot effectively utilize the host machine's peripheral hardware, (2) the utilization ratio of CPU for traditional virtual machines is low, (3) it is difficult to debug traditional cross-ISA virtual machines and (4) the traditional virtual machine emulates multicore processor sequentially. To solve these problems, a retargetable and high-performance system xKEMU is proposed in this paper. By reusing QEMU (Bellard in QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track, 2005) and Linux kernel (www.kernel.org, 2015) as components, xKEMU could improve QEMU performance by a factor of about 1.24x on integer and memory performance for x86-64 to x86 emulation. The performance of virtual devices is also enhanced due to pass-through in the emulation of peripheral devices.

Chen Gao,Xiangwei Meng,Wei Li,Jinhui Lai,Yiran Zhang,Fengyuan Ren

2024-01-01

Abstract:The increasing prevalence of new Instruction Set Architectures (ISAs) necessitates the migration of closed-source binary programs across ISAs. Dynamic Binary Translation (DBT) stands out as a crucial technology for the cross-ISA emulation of binary programs. However, due to the mismatch in memory consistency between guest ISA and host ISA, DBT systems face substantial challenges in guaranteeing correctness and translation performance for concurrent programs. Despite several attempts to bridge the memory inconsistency between guest and host ISA, prior work is either not universal for cross-ISA DBT systems or inefficient and even error-prone in translation. This work presents CrossMapping, a general primitive mapping framework to enhance existing DBT systems for crossISA translation. By harmonizing memory consistency across diverse ISAs, CrossMapping enables smooth cross-ISA translation and accomplishes correct emulation. CrossMapping introduces specification tables to describe memory models in a unified and precise format, which facilitates the derivation of concurrent primitive mapping schemes based on a convenient comparison and analysis of memory models. The correctness of cross-ISA emulation is guaranteed by harmoniously integrating the derived mapping schemes with existing DBT systems. We evaluate CrossMapping for x86, ARMv8, and RISC-V on top of QEMU using the PARSEC benchmark suite. The results show that the average performance improvement can reach 8.5% when emulating x86 on ARMv8 and 7.3% when emulating x86 on RISC-V.

Chunqiang Li,Zhiwei Liu,Yunhai Shang,Lenian He,Xiaolang Yan

DOI: https://doi.org/10.3390/electronics12143014

IF: 2.9

2023-01-01

Electronics

Abstract:Binary translation, as an important bridge for application compatibility between different instruction set architectures (ISAs), has attracted much attention in the industry. However, due to hardware resource limitations of the target ISA, the translation efficiency and the practicability are poor. Recently, Apple has made it possible to run x86 programs on ARM through a translation technology called Rosetta based on software-hardware collaboration. In this paper, we proposed a hardware non-invasive mapping method for condition bits (HNIMCB) in binary translation, which innovatively implements the setting and referencing operations of the condition bits without changing the original instruction encoding and function of the target processor. This method is applicable for binary translation from source architectures with condition bit operations to target architectures without condition bit operations. It eliminates the difference of conditional bit resources between the source and target ISAs, reduces the computational instructions and memory access operations after translation from the source to the target ISA, and dramatically improves the translation efficiency. We conducted this experiment on a functional simulation level using the QEMU binary translator from ARM to RISC-V. A series of benchmark tests revealed that the total number of instructions decreased by 41%, while the number of memory access instructions decreased by 37% after the translation applying with the HNIMCB.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Huang Wang,Chao Wang,Huaping Chen

DOI: https://doi.org/10.1504/ijhpsa.2015.072853

2015-01-01

Abstract:Cross-instruction set architecture ISA full-system emulator plays an important role in reusing binary codes across different architectures. With the rapid development of multi-core technology, it is desirable to build a high-performance multi-core emulator rather than conventional single core emulator. However, current mainstream cross-ISA full-system emulator can only work sequentially, which seriously confines the parallelism. In order to take the advantage of parallelism of host platform to emulate multi processor architecture, this paper presents XE-MU, a cross-ISA full-system emulator on multiple processor architectures. Firstly, efficient methods are targeted to translate atomic instructions. Secondly, we study the approach to emulation of communications for inter-core and core-to-I/O devices. For the implementation, we utilise both GCC built-in-functions and LL/SC instructions-based methods to translate the atomic instructions. We propose a portable and efficient lock-free queue implementation for communications in virtual machine. In order to verify the effectiveness of these methods, we conducted experiments on the Loongson-3A hardware platform. Experimental results demonstrate that both methods are able to enhance the performance of the emulator and reduce the overhead of inter-core communication with interrupts; thereby, the efficiency of the emulator can be greatly improved.

Wenbing Xie,Qiaoling Luo,Xue Tian,Junyi Huang,Fengbin Qi

DOI: https://doi.org/10.3390/electronics13091608

IF: 2.9

2024-04-24

Electronics

Abstract:The emergence of new instruction set architectures (ISAs) poses challenges in ensuring compatibility with legacy applications. Dynamic binary translation (DBT) serves as a crucial approach for achieving cross-ISA compatibility, enabling legacy applications to run compatibly with cross-ISAs. However, software-based translation encounters significant performance overhead, including substantial memory access and insufficient exploitation of target architecture features. The significant performance overhead challenges hinder the practical implementation of DBT. In this paper, we investigate a novel peephole optimization approach. First, we perform peephole analysis to identify redundant memory access and suboptimal instruction sequences. Next, we leverage live variable analysis to eliminate redundant memory-access instructions. Additionally, we bridge the gaps between cross-ISAs by exploiting ISA-specific features through instruction fusion. Finally, we implement the proposed optimization design using the open-source QEMU and extensively evaluate it on both ARM64 and SW64 platforms. The experimental results reveal that SPEC2006 benchmark effectively gets a maximum performance speedup of 1.52×, alongside a reduction in code size of up to 13.98%. These results affirm the effectiveness of our optimization approach in DBT performance and code sizes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Alexis Engelke,Dominik Okwieka,Martin Schulz

DOI: https://doi.org/10.1145/3453933.3454022

2021-04-07

Abstract:Emulation of other or newer processor architectures is necessary for a wide variety of use cases, from ensuring compatibility to offering a vehicle for computer architecture research. This problem is usually approached using dynamic binary translation, where machine code is translated, on the fly, to the host architecture during program execution. Existing systems, like QEMU, usually focus on translation performance rather than the overall program execution, and extensions, like HQEMU, are limited by their underlying implementation. Conversely, performance-focused systems are typically used for binary instrumentation. E.g., DynamoRIO reuses original instructions where possible, while Instrew utilizes the LLVM compiler infrastructure, but only supports same-architecture code generation. In this short paper, we generalize Instrew to support different guest and host architectures by refactoring the lifter and by implementing target-independent optimizations to re-use host hardware features for emulated code. We demonstrate this flexibility by adding support for RISC-V as guest architecture and AArch64 as host architecture. Our performance results on SPEC CPU2017 show significant improvements compared to QEMU, HQEMU as well as the original Instrew.

Jinhu Jiang,Chaoyi Liang,Rongchao Dong,Zhaohui Yang,Zhongjun Zhou,Wenwen Wang,Pen-Chung Yew,Weihua Zhang

2024-02-15

Abstract:System-level emulators have been used extensively for system design, debugging and evaluation. They work by providing a system-level virtual machine to support a guest operating system (OS) running on a platform with the same or different native OS that uses the same or different instruction-set architecture. For such system-level emulation, dynamic binary translation (DBT) is one of the core technologies. A recently proposed learning-based DBT approach has shown a significantly improved performance with a higher quality of translated code using automatically learned translation rules. However, it has only been applied to user-level emulation, and not yet to system-level emulation. In this paper, we explore the feasibility of applying this approach to improve system-level emulation, and use QEMU to build a prototype. ... To achieve better performance, we leverage several optimizations that include coordination overhead reduction to reduce the overhead of each coordination, and coordination elimination and code scheduling to reduce the coordination frequency. Experimental results show that it can achieve an average of 1.36X speedup over QEMU 6.1 with negligible coordination overhead in the system emulation mode using SPEC CINT2006 as application benchmarks and 1.15X on real-world applications.

Operating Systems,Performance

Chen Qiao,Liehui Jiang,Wei Dong,Lixin Wang

2011-01-01

Abstract:This paper takes Alpha processor as the platform,and migrates the system simulation software of QEMU to Alpha platform,so that the virtual machine on system can perform Linux operating system based on x86 architecture to achieve Alpha processor compatible x86 applications.Performance test is performed on virtual machine.Through the statistics of code inflation rate,a restricted virtual machine performance instruction type,is found to provide reference for virtual machine performance optimization.

Chen Wei,Wang Zhiying,Zheng Zhong,Xiao Nong,Shen Li,Lu Hongyi

2011-01-01

Abstract:Instruction set architecture (ISA) emulation is the key to implement a virtual machine across different ISAs. This paper presents the design and implementation of TransARM, an efficient ISA emulator supporting IA-32 applications on ARM-based systems. TransARM adopts interpretation and binary translation as its basis. Interpretation is performed at the initial stage of emulation. Translation is performed only on the hot spots. Lazy flag updating and Pcache-based hybrid threaded interpretation is used to improve the interpretation performance while superblock chaining is used to accelerate binary translation. Several implementation issues which are crucial in the design of an ISA emulator are discussed, such as the executable and linking format resolution, architecture mapping and system call emulation. Benchmarks selected from MiBench are emulated by TransARM on two real ARM-based systems. Experimental results demon-strate the correctness of TransARM in terms of ISA emulation and indicate that TransARM is competitive to other ISA emulators.

Yuan Yao,Zhongyong Lu,Qingsong Shi,Wenzhi Chen

DOI: https://doi.org/10.1109/FPL.2013.6645554

2013-01-01

Abstract:Binary translation is used to allow applications of one instruction set architecture (ISA) to run on another, thereby maintaining the binary level compatibility across ISAs. Conventional software binary translation systems suffer performance loss because of architectural heterogeneity amongst ISAs, control flow translation and context switches. In this paper, we propose an FPGA based hardware-software co-designed dynamic binary translation (DBT) system, which moderates these issues at a low level of hardware cost. In our DBT system, we propose a MIPS condition code flags register and a modest ISA extension to bridge the architectural gap, a hardware address mapping mechanism to accelerate the handling of control flow instructions, and a scratchpad memory to reduce performance loss during context switches. We implement the system on Xilinx XC5VLX110T. Quantitative experiments reveal that the overall performance improvement is 56.1% over the baseline configuration, with only extra 1.4% of slices and 5.4% of BRAMs of Xilinx XC5VLX110T occupied.

Jin Wu,Jian Dong,Ruili Fang,Ziyi Zhao,Xiaoli Gong,Wenwen Wang,Decheng Zuo

DOI: https://doi.org/10.1145/3453933.3454016

2021-01-01

Abstract:System virtualization is a fundamental technology that enables many important applications. However, existing virtualization techniques suffer from a critical limitation due to their limited exploitation of host SIMD hardware resources, especially when a guest application does not have inherently fine-grained data-level parallelism. To bridge this utilization gap and unleash the full potential of host SIMD resources, this paper proposes an effective and unconventional SIMD exploitation technique. The proposed exploitation takes advantage of ample host SIMD registers and powerful host SIMD instructions to generate more efficient host binary code for guest applications even without any fine-grained data-level parallelism. It also mitigates the shortage of general-purpose registers on the host platform, as well as improves the efficiency of accessing guest registers. We have implemented the exploitation in an extensively-used virtualization platform, QEMU. Experimental results on a comprehensive list of benchmarks from PARSEC, SPEC-CPU2017, and Google Octane JavaScript benchmark suite show that an average of 2.2X performance speedup can be achieved for AArch64 binaries on an x86-64 host machine. We believe the proposed technique will provide a new perspective for our community to rethink the exploitation of SIMD hardware resources.

Tingtao Li,Alei Liang,Bo Liu,Ling Lin,Haibing Guan

2008-01-01

Abstract:In the recent years, dynamic binary translation has become a hot research area. Besides supporting legacy binary code and ISA virtualization, it enables innovative co-designed microarchitectures and allows transparent binary instrumentation. The dynamic nature of the translation usually incurs extra execution overhead and many research works had proposed software and hardware solutions to minimize the overhead [1, 2]. In this paper, we analyze our dynamic binary translator (StarDBT) performance and depict the main sources of overhead in details. We classify the translation operations and associated overhead into five major categories, and quantify their contribution to the overall overhead. Based on the analysis and detailed evaluation, we identify and point out the most promising solutions to address the overhead problem. We believe this study is an important first step toward the grand goal of zero-overhead dynamic binary translation.

Liu Hongwei,Qiu Ji,Gao Xiang,Chen Yunji

DOI: https://doi.org/10.3772/j.issn.1002-0470.2014.01.004

2014-01-01

Abstract:The characteristics of the excution migration in heterogeneous multi-core processors were analyzed, and a binary-instrumentation based execution migration method for homogeneous multi-core processors was put forward to solve the drawbacks of the present methods for execution migration between shared ISA heterogeneous multi-cores in efficiency, cost, compatibility, or programmability. The proposed migration method based on binary-instrumentation can take full advantage of shared-ISA heterogeneous multi-core to enhance the performance of heterogeneous chip multiprocessors with low cost. And it need not to modify the source code or the compile system. The experimental results obtained from the test on the SPEC procedure showed that its run-time efficiency was 2.25 times of kernel simulation.

xiaowu jiang,xianglan chen,huang wang,huaping chen

DOI: https://doi.org/10.1007/978-3-642-41674-3_145

2014-01-01

Abstract:In this paper, we port a parallel full-system emulator to RISC host to achieve higher performance by utilize all the multi-core resources from physical CPU, in contrast the traditional full-system emulator is sequentially in SMP emulation and can only use one core of host machine. We mainly deal with the atomic instruction translation to RISC ll/sc pairs, and apply lightweight lock-free FIFO queue algorithms using both interleaving and non-interleaving ll/sc pairs. The tests show that the performance of parallel full-system emulator have high efficiency.

Benyi Xie,Yue Yan,Chenghao Yan,Sicheng Tao,Zhuangzhuang Zhang,Xinyu Li,Yanzhi Lan,Xiang Wu,Tianyi Liu,Tingting Zhang,Fuxin Zhang

DOI: https://doi.org/10.1145/3640813

IF: 1.444

2024-01-15

ACM Transactions on Architecture and Code Optimization

Abstract:Dynamic binary translators (DBTs) are widely used to migrate applications between different instruction set architectures (ISAs). Despite extensive research to improve DBT performance, noticeable overhead remains, preventing near-native performance, especially when translating from complex instruction set computer (CISC) to reduced instruction set computer (RISC). For computational workloads, the main overhead stems from translated code quality. Experimental data show state-of-the-art DBT products have dynamic code inflation of at least 1.46. This indicates on average over 1.46 host instructions are needed to emulate one guest instruction. Worse, inflation closely correlates with translated code quality. However, the detailed sources of instruction inflation remain unclear. To understand the sources of inflation, we present Deflater, an instruction inflation analysis framework comprising a mathematical model, a collection of black-box unit tests called BenchMIAOes, and a trace-based simulator called InflatSim. The mathematical model calculates overall inflation based on the inflation of individual instructions and translation block (TB) optimizations. BenchMIAOes extract model parameters from DBTs without accessing DBT source code. InflatSim implements the model and uses the extracted parameters from BenchMIAOes to simulate a given DBT’s behavior. Deflater is a valuable tool to guide DBT analysis and improvement. Using Deflater, we simulated inflation for three state-of-the-art CISC-to-RISC DBTs: ExaGear, Rosetta2, and LATX, with inflation errors of 5.63%, 5.15%, and 3.44% respectively for SPEC CPU 2017, gaining insights into these commercial DBTs. Deflater also efficiently models inflation for the open-source DBT QEMU and suggests optimizations that can substantially reduce inflation. Implementing the suggested optimizations confirms Deflater’s effective guidance, with 4.65% inflation error, and gains 5.47x performance improvement.

computer science, theory & methods, hardware & architecture

Wei Chen,Zhiying Wang,Dan Chen

DOI: https://doi.org/10.4304/jcp.5.7.1133-1141

2010-01-01

Abstract:Virtual Machine (VM) can not only release the processor designers from the burden of ensuring cross-platform compatibility but also provide new opportunities for innovation. Instruction Set Architecture (ISA) emulation is the key aspect of a VM. This paper describes the design and implementation of TransARM-IU, a use-level ISA emulator that supports IA-32 applications on ARM-based systems. This paper also discusses several dedicated solutions to several crucial issues related to the development of TransARM-IU, such as the Executable and Linking Format resolution and hybrid threaded interpretation. In particular, conventional interpretation is implemented in a centralized style which consumes much more execution time. A hybrid threaded interpretation method is proposed to improve the efficiency of the emulator by appending a portion of the simple decoding and dispatching code to the end of each of the instruction interpreter routines. For performance evaluation, we selected 6 benchmarks from MiBench and carried out the experiments on two real ARM-based systems. Experimental results demonstrate the correctness of TransARM-IU in terms of ISA emulation and indicate that TransARM-IU is competitive to other ISA emulators. © 2010 ACADEMY PUBLISHER.

Ashwin Poduval,Hayden Coffey,Michael Swift

2024-11-17

Abstract:Memory performance is often the main bottleneck in modern computing systems. In recent years, researchers have attempted to scale the memory wall by leveraging new technology such as CXL, HBM, and in- and near-memory processing. Developers optimizing for such hardware need to understand how target applications perform to fully take advantage of these systems. Existing software and hardware performance introspection techniques are ill-suited for this purpose due to one or more of the following factors: coarse-grained measurement, inability to offer data needed to debug key issues, high runtime overhead, and hardware dependence. The heightened integration between compute and memory in many proposed systems offers an opportunity to extend compiler support for this purpose. We have developed Examem, a memory performance introspection framework based on the LLVM compiler infrastructure. Examem supports developer annotated regions in code, allowing for targeted instrumentation of kernels. Examem supports hardware performance counters when available, in addition to software instrumentation. It statically records information about the instruction mix of the code and adds dynamic instrumentation to produce estimated memory bandwidth for an instrumented region at runtime. This combined approach keeps runtime overhead low while remaining accurate, with a geomean overhead under 10% and a geomean byte accuracy of 93%. Finally, our instrumentation is performed using an LLVM IR pass, which is target agnostic, and we have applied it to four ISAs.

Performance,Hardware Architecture