.\" $Id: gxemul.1,v 1.101 2007/06/30 13:55:02 debug Exp $
.\"
.\" Copyright (C) 2004-2007 Anders Gavare. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.\" This is a minimal man page for GXemul. Process this file with
.\" groff -man -Tascii gxemul.1 or nroff -man gxemul.1
.\"
.Dd JULY 2007
.Dt GXEMUL 1
.Os
.Sh NAME
.Nm gxemul
.Nd an experimental framework for full-system machine emulation
.Sh SYNOPSIS
.Nm
.Op machine, other, and general options
.Op file Ar ...
.Nm
.Op general options
.Ar @configfile
.Nm
.Op userland, other, and general options
.Ar file Op Ar args ...
.Sh DESCRIPTION
.Nm
is a framework for full-system computer architecture emulation.
Several processor architectures and machine types have been implemented.
It is working well enough to allow unmodified "guest" operating
systems (e.g. NetBSD) to run inside the emulator, as if they were running
on real hardware.
.Pp
The emulator emulates (networks of) real machines. The machines may
consist of ARM, MIPS, PowerPC, and SuperH processors, and various
surrounding hardware components such as framebuffers, busses, interrupt
controllers, ethernet controllers, disk controllers, and serial port
controllers.
.Pp
The emulator can be invoked in the following ways:
.Pp
1. When emulating a complete machine, configuration options can be
supplied directly on the command line.
.Pp
2. Options can be read from a configuration file.
.Pp
3. When emulating a userland environment (syscall-only emulation, not
emulating complete machines), then the program name and its argument
should be given on the command line. (This mode is not really usable yet.)
.Pp
The easiest way to use the emulator is to supply settings directly on the
command line.
.Pp
The most important thing you need to supply is the
file argument. This is the name of a binary file (an ELF, a.out, COFF/ECOFF,
SREC, or a raw binary image) which you wish to run in the emulator. This file
might be an operating system kernel, or perhaps a ROM image file.
If more than one filename is supplied, all files are loaded into memory,
and the entry point (if available) is taken from the last file.
.Pp
Apart from the name of a binary file, you must also use the
.Fl E
and/or
.Fl e
options to select which emulation mode to use. This is necessary because
the emulator cannot in general deduce this from the file being executed.
For example, a MIPS-based machine from DEC (a DECstation) is very different
from a MIPS-based machine from SGI. Use
.Nm
.Fl H
to get a list of available emulation modes.
.Pp
There are three exceptions to the normal invocation usage mentioned above.
.Pp
1. For DECstation emulation, if you have a bootable DECstation harddisk or
CDROM image, then just supplying the diskimage via the
.Fl d
option is sufficient. The filename of the kernel can then be
skipped, as the emulator runs the bootblocks from the diskimage directly and
doesn't need the kernel as a separate file.
.Pp
2. If you supply an ISO9660 CDROM disk image, then using the
.Fl j
option to indicate a file on the CDROM filesystem to load is sufficient;
no additional kernel filename needs to be supplied on the command line.
.Pp
3. For Dreamcast emulation, when booting e.g. a NetBSD/dreamcast CDROM
image, it is enough to supply the disk image (with the correct ISO
partition start offset). Bootblocks will be read directly from the CDROM
image, and there is no need to supply the name of an external kernel on
the command line.
.Pp
Gzipped kernels are automatically unzipped, by calling the external gunzip
program, both when specifying a gzipped file directly on the command line
and when loading such a file using the
.Fl j
option.
.Pp
Machine selection options:
.Bl -tag -width Ds
.It Fl E Ar t
Try to emulate machine type
.Ar t .
This option is not always needed, if the
.Fl e
option uniquely selects a machine.
(Use
.Fl H
to get a list of types.)
.It Fl e Ar st
Try to emulate machine subtype
.Ar st .
Use this together with
.Fl E .
(This option is not always needed, if a machine type has no subtypes.)
.El
.Pp
Other options:
.Bl -tag -width Ds
.It Fl C Ar x
Try to emulate a specific CPU type,
.Ar x .
This overrides the default CPU type for the machine being emulated.
(Use
.Fl H
to get a list of available CPU types.)
.It Fl d Ar [modifiers:]filename
Add
.Ar filename
as a disk image. By adding one or more modifier characters and then a
colon (":") as a prefix to
.Ar filename ,
you can modify the way the disk image is treated. Available modifiers are:
.Bl -tag -width Ds
.It b
Specifies that this is a boot device.
.It c
CD-ROM.
.It d
DISK (this is the default).
.It f
FLOPPY.
.It gH;S;
Override the default geometry; use H heads and S sectors-per-track.
(The number of cylinders is calculated automatically.)
.It i
IDE. (This is the default for most machine types.)
.It oOFS;
Set the base offset for an ISO9660 filesystem on a disk image. The default
is 0. A suitable offset when booting from Dreamcast ISO9660 filesystem
images, which are offset by 11702 sectors, is 23965696.
.It r
Read-only (don't allow changes to be written to the file).
.It s
SCSI.
.It t
Tape.
.It V
Add an overlay filename to an already defined disk image.
(An ID number must also be specified when this flag is used. See the
documentation for an example of how to use overlays.)
.It 0-7
Force a specific ID number.
.El
.Pp
For SCSI devices, the ID number is the SCSI ID. For IDE harddisks, the ID
number has the following meaning:
.Bl -tag -width Ds
.It 0
Primary master.
.It 1
Primary slave.
.It 2
Secondary master.
.It 3
Secondary slave.
.El
.Pp
Unless otherwise specified, filenames ending with ".iso" or ".cdr" are
assumed to be CDROM images. Most others are assumed to be disks. Depending
on which machine is being emulated, the default for disks can be either
SCSI or IDE. Some disk images that are very small are assumed to be floppy
disks. (If you are not happy with the way a disk image is detected, then
you need to use explicit prefixes to force a specific type.)
.Pp
For floppies, the gH;S; prefix is ignored. Instead, the number of
heads and cylinders are assumed to be 2 and 80, respectively, and the
number of sectors per track is calculated automatically. (This works for
720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
.It Fl I Ar hz
Set the main CPU's frequency to
.Ar hz
Hz. This option does not work for all emulated machine modes. It affects
the way count/compare interrupts are faked to simulate emulated time =
real world time. If the guest operating system relies on RTC interrupts
instead of count/compare interrupts, then this option has no effect.
.Pp
Setting the frequency to zero disables automatic synchronization of
emulated time vs real world time, and the count/compare system runs at a
fixed rate.
.It Fl i
Enable instruction trace, i.e. display disassembly of each instruction as
it is being executed.
.It Fl J
Disable instruction combinations in the dynamic translator.
.It Fl j Ar n
Set the name of the kernel to
.Ar n .
When booting from an ISO9660 filesystem, the emulator will try to boot
using this file. (In some emulation modes, e.g. DECstation, this name is passed
along to the boot program. Useful names are "bsd" for OpenBSD/pmax,
"vmunix" for Ultrix, or "vmsprite" for Sprite.)
.It Fl M Ar m
Emulate
.Ar m
MBs of physical RAM. This overrides the default amount of RAM for the
selected machine type.
.It Fl N
Display the number of executed instructions per second on average, at
regular intervals.
.It Fl n Ar nr
Set the number of processors in the machine, for SMP experiments.
.Pp
Note 1: The emulator allocates quite a lot of virtual memory for
per-CPU translation tables. On 64-bit hosts, this is normally not a
problem. On 32-bit hosts, this can use up all available virtual userspace
memory. The solution is to either run the emulator on a 64-bit host,
or limit the number of emulated CPUs to a reasonably low number.
.Pp
Note 2: SMP simulation is not working very well yet; multiple processors
are simulated, but synchronization between the processors does not map
very well to how real-world SMP systems work.
.It Fl O
Force a "netboot" (tftp instead of disk), even when a disk image is
present (for DECstation, SGI, and ARC emulation).
.It Fl o Ar arg
Set the boot argument (mostly useful for DEC, ARC, or SGI emulation).
Default
.Ar arg
for DEC is "-a", for ARC/SGI it is "-aN", and for CATS it is "-A".
.It Fl p Ar pc
Add a breakpoint.
.Ar pc
can be a symbol, or a numeric value. (Remember to use the "0x" prefix for
hexadecimal values.)
.It Fl Q
Disable the built-in (software-only) PROM emulation. This option is useful
for experimenting with running raw ROM images from real machines. The default
behaviour of the emulator is to "fake" certain PROM calls used by guest
operating systems (e.g. NetBSD), so that no real PROM image is needed.
.It Fl R
Use a random bootstrap cpu, instead of CPU nr 0. (This option is only
meaningful together with the
.Fl n
option.)
.It Fl r
Dump register contents for every executed instruction.
.It Fl S
Initialize emulated RAM to random data, instead of zeroes. This option
is useful when trying to trigger bugs in a program that occur because the
program assumed that uninitialized memory contains zeros. (Use with
care.)
.It Fl s Ar flags:filename
Gather statistics based on the current emulated program counter value,
while the program executes. The statistics are actually just a raw dump of
all program counter values in sequence, suitable for post-analysis with
separate tools. Output is appended to
.Ar filename .
.Pp
The
.Ar flags
should include one or more of the following type specifiers:
.Bl -tag -width Ds
.It v
Virtual. This means that the program counter value is used.
.It p
Physical. This means that the physical address of where the program
is actually running is used.
.It i
Instruction call. This type of statistics gathering is practically only
useful during development of the emulator itself. The output is a list of
addresses of instruction call functions (ic->f), which after some
post-processing can be used as a basis for deciding when to implement
instruction combinations.
.El
.Pp
The
.Ar flags
may also include the following optional modifiers:
.Bl -tag -width Ds
.It d
Disabled at startup.
.It o
Overwrite the file, instead of appending to it.
.El
.Pp
Statistics gathering can be enabled/disabled at runtime by using the
"statistics_enabled = yes" and "statistics_enabled = no" debugger
commands.
.Pp
When gathering instruction statistics using the
.Fl s
option, instruction combinations are always disabled (i.e. an implicit
.Fl J
flag is added to the command line).
.It Fl T
Halt if the emulated program attempts to access non-existing memory.
.It Fl t
Show a trace tree of all function calls being made.
.It Fl U
Enable slow_serial_interrupts_hack_for_linux.
.It Fl X
Use X11. This option enables graphical framebuffers.
.It Fl x
Open up new xterms for emulated serial ports. The default behaviour is to
open up xterms when using configuration files, or if X11 is enabled. When
starting up a simple emulation session with settings directly on the
command line, and neither
.Fl X
nor
.Fl x
is used, then all output is confined to the terminal that
.Nm
started in.
.It Fl Y Ar n
Scale down framebuffer windows by
.Ar n
x
.Ar n
times. This option is useful when emulating a very large framebuffer, and
the actual display is of lower resolution. If
.Ar n
is negative, then there will be no scaledown, but emulation of certain
graphic controllers will be scaled up
by
.Ar -n
times instead. E.g. using
.Ar -2
with VGA text mode emulation will result in 80x25 character cells rendered
in a 1280x800 window, instead of the normal resolution of 640x400.
.It Fl Z Ar n
Set the number of graphics cards, for emulating a dual-head or triple-head
environment. (Only for DECstation emulation so far.)
.It Fl z Ar disp
Add
.Ar disp
as an X11 display to use for framebuffers.
.El
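The [modifiers:]filename syntax of the -d option described above, modelled as a small Python parser that can be used to check a disk argument (for instance that an image is attached with the r modifier) before the emulator is started. This is an added example, not code from GXemul: the names DiskSpec, parse_disk_arg and floppy_sectors_per_track are hypothetical, and treating a prefix that is not made up solely of modifiers as part of the filename, as well as the 512-byte floppy sector size, are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One modifier token as documented: gH;S; | oOFS; | a single letter | an ID digit 0-7.
_TOKEN = re.compile(r"g(\d+);(\d+);|o(\d+);|([bcdfirstV])|([0-7])")
_KIND = {"c": "cdrom", "d": "disk", "f": "floppy", "t": "tape"}
_BUS = {"i": "ide", "s": "scsi"}

@dataclass
class DiskSpec:
    filename: str
    kind: str = "disk"                          # DISK is the documented default
    bus: Optional[str] = None                   # None: machine-dependent default
    boot: bool = False
    read_only: bool = False
    overlay: bool = False
    disk_id: Optional[int] = None
    geometry: Optional[Tuple[int, int]] = None  # (heads, sectors per track)
    iso_offset: int = 0                         # bytes; documented default is 0

def parse_disk_arg(arg: str) -> DiskSpec:
    """Split '[modifiers:]filename' and apply the documented modifiers."""
    prefix, sep, rest = arg.partition(":")
    tokens, pos = [], 0
    while pos < len(prefix):
        m = _TOKEN.match(prefix, pos)
        if m is None:
            break
        tokens.append(m)
        pos = m.end()
    # Assumption: a prefix not made up solely of modifiers belongs to the filename.
    if not sep or not tokens or pos != len(prefix):
        tokens, rest = [], arg
    spec = DiskSpec(filename=rest)
    kind_forced = False
    for m in tokens:
        heads, sectors, offset, letter, digit = m.groups()
        if heads is not None:
            spec.geometry = (int(heads), int(sectors))
        elif offset is not None:
            spec.iso_offset = int(offset)
        elif digit is not None:
            spec.disk_id = int(digit)
        elif letter in _KIND:
            spec.kind, kind_forced = _KIND[letter], True
        elif letter in _BUS:
            spec.bus = _BUS[letter]
        elif letter == "b":
            spec.boot = True
        elif letter == "r":
            spec.read_only = True
        else:                                   # "V": overlay on an existing image
            spec.overlay = True
    if not kind_forced and rest.endswith((".iso", ".cdr")):
        spec.kind = "cdrom"                     # extension-based default
    if spec.kind == "floppy":
        spec.geometry = None                    # gH;S; is ignored for floppies
    if spec.overlay and spec.disk_id is None:
        raise ValueError("V modifier requires an explicit ID number (0-7)")
    return spec

def floppy_sectors_per_track(image_bytes: int, sector_bytes: int = 512) -> int:
    """Floppies: 2 heads and 80 cylinders are assumed; sector size is an assumption."""
    return image_bytes // (2 * 80 * sector_bytes)
```
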
.Pp
Userland options:
.Bl -tag -width Ds
.It Fl u Ar emul-mode
Userland-only (syscall) emulation. (Use
.Fl H
to get a list of available emulation modes.) Some (but not all) of the
options listed under Other options above can also be used with
userland emulation.
.Pp
Note: Userland (syscall) emulation does not really work yet.
.El
.Pp
General options:
.Bl -tag -width Ds
.It Fl c Ar cmd
Add
.Ar cmd
as a command to run before starting the simulation. A similar effect can
be achieved by using the
.Fl V
option, and entering the commands manually.
.It Fl D
Causes the emulator to skip a call to srandom(). This leads to somewhat
more deterministic behaviour than running without this option.
However, if the emulated machine has clocks or timer interrupt sources,
or if user interaction is taking place (e.g. keyboard input at irregular
intervals), then this option is meaningless.
.It Fl H
Display a list of available CPU types, machine types, and userland
emulation modes. (Most of these don't work. Please read the documentation
included in the
.Nm
distribution for details on which modes actually work. Userland
emulation is not included in stable release builds, since it doesn't work
yet.)
.It Fl h
Display a list of all available command line options.
.It Fl k Ar n
Set the size of the dyntrans cache (per emulated CPU) to
.Ar n
MB. The default size is 48 MB.
.It Fl K
Force the single-step debugger to be entered at the end of a simulation.
.It Fl q
Quiet mode; this suppresses startup messages.
.It Fl V
Start up in the single-step debugger, paused.
.It Fl v
Increase verbosity (show more debug messages). This option can be used
multiple times.
.El
.Pp
Configuration file startup:
.Bl -tag -width Ds
.It @ Ar configfile
Start an emulation based on the contents of
.Ar configfile .
.El
.Pp
For more information, please read the documentation in the doc/
subdirectory of the
.Nm
distribution.
.Sh EXAMPLES
The following command will start NetBSD/pmax on an emulated DECstation
5000/200 (3MAX):
.Pp
.Dl "gxemul -e 3max -d nbsd_pmax.img"
.Pp
nbsd_pmax.img should be a raw disk image containing a bootable
NetBSD/pmax filesystem.
.Pp
The following command will start an emulation session based on settings in
the configuration file "mysession". The -v option tells gxemul to be
verbose.
.Pp
.Dl "gxemul -v @mysession"
.Pp
If you have compiled the small Hello World program mentioned in the
.Nm
documentation, the following command will start up an
emulated test machine in "paused" mode:
.Pp
.Dl "gxemul -E testmips -V hello_mips"
.Pp
Paused mode means that you enter the interactive single-step debugger
directly at startup, instead of launching the Hello World program.
.Pp
The paused mode is also what should be used when running "unknown" files
for the first time in the emulator. E.g. if you have a binary which you
think is some kind of MIPS ROM image, then you can try the following:
.Pp
.Dl "gxemul -vv -E baremips -V 0xbfc00000:image.raw"
.Pp
You can then use the single-stepping functionality of the built-in
debugger to run the code in the ROM image, to see how it behaves. Based on
that, you can deduce what machine type it was actually from (the
baremips machine is not a real machine), and perhaps try again with
another emulation mode.
.Pp
In general, however, real ROM images require much more emulation detail
than GXemul provides, so they can usually not run.
.Pp
Please read the documentation for more details.
.Sh BUGS
There are many bugs. Some of the known bugs are mentioned in the TODO
file in the
.Nm
source distribution, some are marked as TODO in the source code itself.
.Pp
Userland (syscall-only) emulation, i.e. running a userland binary directly
without simulating an entire machine, doesn't really work yet.
.Pp
.Nm
is in general not cycle-accurate; it does not simulate individual
pipe-line stages or penalties caused by branch-prediction misses or
cache misses, so it cannot be used for accurate simulation of any actual
real-world processor.
.Pp
.Nm
is in general not timing-accurate. Many emulation modes try to make the
guest operating system's clock run at the same speed as the host clock.
However, the number of instructions executed per clock tick can
obviously vary, depending on the current CPU load on the host.
.Sh AUTHOR
GXemul is Copyright (C) 2003-2007 Anders Gavare <anders@gavare.se>
.Pp
See http://gavare.se/gxemul/ for more information. For other Copyright
messages, see the corresponding parts of the source code and/or
documentation.