0.4.3/man/gxemul.1

.\" $Id: gxemul.1,v 1.76 2006/11/04 06:40:20 debug Exp $
.\"
.\" Copyright (C) 2004-2006  Anders Gavare.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\" 
.\" 
.\" This is a minimal man page for GXemul. Process this file with
.\"     groff -man -Tascii gxemul.1    or    nroff -man gxemul.1
.\"
.Dd NOVEMBER 2006
.Dt GXEMUL 1
.Os
.Sh NAME
.Nm gxemul
.Nd an experimental machine emulator
.Sh SYNOPSIS
.Nm
.Op machine, other, and general options
.Op file Ar ...
.Nm
.Op general options
.Ar @configfile
.\" TODO: Reenable this once userland emulation works:
.\" .Nm
.\" .Op userland, other, and general options
.\" .Ar file Op Ar args ...
.Sh DESCRIPTION
.Nm
is an experimental instruction-level machine emulator. Several
emulation modes are available. In some modes, processors and surrounding
hardware components are emulated well enough to let unmodified operating
systems (e.g. NetBSD) run inside the emulator as if they were running on a 
real machine.
.Pp
Processors (ARM, MIPS, PowerPC, SuperH) are emulated using dynamic translation.
However, unlike some other dynamically translating emulators, GXemul does
not currently generate native code, only a "runnable intermediate
representation", and will thus run on any host architecture, without the
need to implement per-architecture backends.
.Pp
The emulator can be invoked in the following ways:
.Pp
1. When emulating a complete machine, configuration options can be entered
directly on the command line.
.Pp
2. Options can be read from a configuration file.
.\" .Pp
.\" 3. When emulating a userland environment (syscall-only emulation, not
.\" emulating complete machines), then the program name and its argument
.\" should be given on the command line. (This mode doesn't really work yet,
.\" and is disabled for stable release builds.)
.Pp
The easiest way to use the emulator is to supply settings directly on the 
command line. The most important thing you need to supply is the
file argument. This is the name of a binary file (an ELF, a.out, COFF/ECOFF,
SREC, or a raw binary image) which you wish to run in the emulator. This file
might be an operating system kernel, or perhaps a ROM image file.
.Pp
If more than one filename is supplied, all files are loaded into memory, 
and the entry point (if available) is taken from the last file.
.Pp
Apart from the name of a binary file, it is also necessary to select
which specific emulation mode to use. For example, a MIPS-based machine
from DEC (a DECstation) is very different from a MIPS-based machine
from SGI. Use
.Nm
.Fl H
to get a list of available emulation modes.
.Pp
There are two exceptions to the normal invocation usage mentioned above.
The first is for DECstation emulation: if you have a bootable
DECstation harddisk or CDROM image, then just supplying the diskimage via 
the
.Fl d
option is sufficient. (The filename of the kernel can then be 
skipped, as the emulator runs the bootblocks from the diskimage directly and 
doesn't need the kernel as a separate file.)
The second is if you supply an ISO9660 CDROM disk image. You may then use 
the
.Fl j
option to indicate which file on the CDROM filesystem that should be 
loaded into emulated memory.
.Pp
Gzipped kernels are automatically unzipped, by calling the external gunzip 
program, both when specifying a gzipped file directly on the command line 
and when loading such a file using the
.Fl j
option.
.Pp
Machine selection options:
.Bl -tag -width Ds
.It Fl E Ar t
Try to emulate machine type
.Ar "t".
This option is not always needed, if the
.Fl e
option uniquely selects a machine.
(Use
.Fl H
to get a list of types.)
.It Fl e Ar st
Try to emulate machine subtype
.Ar "st".
Use this together with
.Fl E .
(This option is not always needed, if a machine type has no subtypes.)
.El
.Pp
Other options:
.Bl -tag -width Ds
.It Fl C Ar x
Try to emulate a specific CPU type,
.Ar "x".
This overrides the default CPU type for the machine being emulated.
(Use
.Fl H
to get a list of available CPU types.)
.It Fl d Ar [modifiers:]filename
Add
.Ar filename
as a disk image. By adding one or more modifier characters and then a
colon (":") as a prefix to
.Ar filename,
you can modify the way the disk image is treated. Available modifiers are:
.Bl -tag -width Ds
.It b
Specifies that this is a boot device.
.It c
CD-ROM.
.It d
DISK (this is the default).
.It f
FLOPPY.
.It gH;S;
Override the default geometry; use H heads and S sectors-per-track.
(The number of cylinders is calculated automatically.)
.It i
IDE. (This is the default for most machine types.)
.It r
Read-only (don't allow changes to be written to the file).
.It s
SCSI.
.It t
Tape.
.It 0-7
Force a specific ID number.
.El
.Pp
For SCSI devices, the ID number is the SCSI ID. For IDE harddisks, the ID 
number has the following meaning:
.Bl -tag -width Ds
.It 0
Primary master.
.It 1
Primary slave.
.It 2
Secondary master.
.It 3
Secondary slave.
.El
.Pp
Unless otherwise specified, filenames ending with ".iso" or ".cdr" are 
assumed to be CDROM images. Most others are assumed to be disks. Depending
on which machine is being emulated, the default for disks can be either 
SCSI or IDE. Some disk images that are very small are assumed to be floppy 
disks. (If you are not happy with the way a disk image is detected, then 
you need to use explicit prefixes to force a specific type.)
.Pp
For floppies, the gH;S; prefix is ignored. Instead, the number of 
heads and cylinders are assumed to be 2 and 80, respectively, and the 
number of sectors per track is calculated automatically. (This works for 
720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
.It Fl G Ar port
Pause at startup, and listen to TCP port
.Ar port
for incoming remote GDB connections. The emulator starts up in paused 
mode, and it is up to the remote GDB instance to start the session.
.It Fl I Ar hz
Set the main CPUs frequency to
.Ar hz
Hz. This option does not work for all emulated machine modes. It affects 
the way count/compare interrupts are faked to simulate emulated time = 
real world time. If the guest operating system relies on RTC interrupts
instead of count/compare interrupts, then this option has no effect.
.Pp
Setting the frequency to zero disables automatic synchronization of 
emulated time vs real world time, and the count/compare system runs at a 
fixed rate.
.It Fl i
Enable instruction trace, i.e. display disassembly of each instruction as
it is being executed.
.It Fl J
Disable instruction combinations in the dynamic translator.
.It Fl j Ar n
Set the name of the kernel to
.Ar "n".
When booting from an ISO9660 filesystem, the emulator will try to boot 
using this file. (In some emulation modes, eg. DECstation, this name is passed 
along to the boot program. Useful names are "bsd" for OpenBSD/pmax, 
"vmunix" for Ultrix, or "vmsprite" for Sprite.)
.It Fl M Ar m
Emulate
.Ar m
MBs of physical RAM. This overrides the default amount of RAM for the 
selected machine type.
.It Fl N
Display the number of executed instructions per second on average, at
regular intervals.
.It Fl n Ar nr
Set the number of processors in the machine, for SMP experiments.
.Pp
Note 1: The emulator allocates quite a lot of virtual memory for
per-CPU translation tables. On 64-bit hosts, this is normally not a
problem. On 32-bit hosts, this can use up all available virtual userspace
memory. The solution is to either run the emulator on a 64-bit host,
or limit the number of emulated CPUs to a reasonably low number.
.Pp
Note 2: SMP simulation is not working very well yet; multiple processors 
are simulated, but synchronization between the processors does not map
very well to how real-world SMP systems work.
.It Fl O
Force a "netboot" (tftp instead of disk), even when a disk image is
present (for DECstation, SGI, and ARC emulation).
.It Fl o Ar arg
Set the boot argument (mostly useful for DEC, ARC, or SGI emulation).
Default
.Ar arg
for DEC is "-a", for ARC/SGI it is "-aN", and for CATS it is "-A".
.It Fl p Ar pc
Add a breakpoint.
.Ar pc
can be a symbol, or a numeric value. (Remember to use the "0x" prefix for
hexadecimal values.)
.It Fl Q
Disable the built-in (software-only) PROM emulation. This option is useful
for experimenting with running raw ROM images from real machines. The default 
behaviour of the emulator is to "fake" certain PROM calls used by guest 
operating systems (e.g. NetBSD), so that no real PROM image is needed.
.It Fl R
Use a random bootstrap cpu, instead of CPU nr 0. (This option is only 
meaningful together with the
.Fl n
option.)
.It Fl r
Dump register contents for every executed instruction.
.It Fl S
Initialize emulated RAM to random data, instead of zeroes. This option
is useful when trying to trigger bugs in a program that occur because the
program assumed that uninitialized memory contains zeros. (Use with
care.)
.It Fl s Ar flags:filename
Gather statistics based on the current emulated program counter value, 
while the program executes. The statistics is actually just a raw dump of 
all program counter values in sequence, suitable for post-analysis with 
separate tools. Output is appended to
.Ar filename.
.Pp
The
.Ar flags
should include one or more of the following type specifiers:
.Bl -tag -width Ds
.It v
Virtual. This means that the program counter value is used.
.It p
Physical. This means that the physical address of where the program
is actually running is used.
.It i
Instruction call. This type of statistics gathering is practically only 
useful during development of the emulator itself. The output is a list of
addresses of instruction call functions (ic->f), which after some
post-processing can be used as a basis for deciding when to implement
instruction combinations.
.El
.Pp
The
.Ar flags
may also include the following optional modifiers:
.Bl -tag -width Ds
.It d
Disabled at startup.
.It o
Overwrite the file, instead of appending to it.
.El
.Pp
.\" Statistics gathering can be enabled/disabled at runtime by using the
.\" "TODO" debugger command.
.\" .Pp
When gathering instruction statistics using the
.Fl s
option, instruction combinations are always disabled (i.e.
an implicit
.Fl J
is added to the command line).
.Pp
If a value is missing (e.g. the end-of-page slot does not really have a 
known physical address), it is written out as just a dash ("-").
.It Fl t
Show a trace tree of all function calls being made.
.It Fl U
Enable slow_serial_interrupts_hack_for_linux.
.It Fl X
Use X11. This option enables graphical framebuffers.
.It Fl x
Open up new xterms for emulated serial ports. The default behaviour is to 
open up xterms when using configuration files, or if X11 is enabled. When 
starting up a simple emulation session with settings directly on the 
command line, and neither
.Fl X
nor
.Fl x
is used, then all output is confined to the terminal that
.Nm
started in.
.It Fl Y Ar n
Scale down framebuffer windows by
.Ar n
x
.Ar n
times. This option is useful when emulating a very large framebuffer, and 
the actual display is of lower resolution. If
.Ar n
is negative, then there will be no scaledown, but emulation of certain 
graphic controllers will be scaled up
by
.Ar -n
times instead. E.g. Using
.Ar -2
with VGA text mode emulation will result in 80x25 character cells rendered 
in a 1280x800 window, instead of the normal resolution of 640x400.
.It Fl Z Ar n
Set the number of graphics cards, for emulating a dual-head or tripple-head
environment. (Only for DECstation emulation so far.)
.It Fl z Ar disp
Add
.Ar disp
as an X11 display to use for framebuffers.
.El
.Pp
.\" Userland options:
.\" .Bl -tag -width Ds
.\" .It Fl u Ar emul-mode
.\" Userland-only (syscall) emulation. (Use
.\" .Fl H
.\" to get a list of available emulation modes.) Some (but not all) of the
.\" options listed under Other options above can also be used with 
.\" userland emulation.
.\" .El
.\" .Pp
General options:
.Bl -tag -width Ds
.It Fl c Ar cmd
Add
.Ar cmd
as a command to run before starting the simulation. A similar effect can 
be achieved by using the
.Fl V
option, and entering the commands manually.
.It Fl D
Causes the emulator to skip a call to srandom(). This leads to somewhat
more deterministic behaviour than running without this option.
However, if the emulated machine has clocks or timer interrupt sources,
or if user interaction is taking place (e.g. keyboard input at irregular
intervals), then this option is meaningless.
.It Fl H
Display a list of available CPU types, machine types, and userland
emulation modes. (Most of these don't work. Please read the documentation
included in the
.Nm
distribution for details on which modes that actually work. Userland
emulation is not included in stable release builds, since it doesn't work 
yet.)
.It Fl h
Display a list of all available command line options.
.It Fl K
Force the single-step debugger to be entered at the end of a simulation.
.It Fl q
Quiet mode; this suppresses startup messages.
.\".It Fl s
.\"For MIPS emulation: Show opcode usage statistics after the simulation.
.\"For non-MIPS emulation (i.e. using dyntrans): Save statistics to a file 
.\"at regular intervals of which physical addresses that were executed.
.It Fl V
Start up in the single-step debugger, paused.
.It Fl v
Increase verbosity (show more debug messages). This option can be used
multiple times.
.El
.Pp
Configuration file startup:
.Bl -tag -width Ds
.It @ Ar configfile
Start an emulation based on the contents of
.Ar "configfile".
.El
.Pp
For more information, please read the documentation in the doc/
subdirectory of the
.Nm
distribution.
.Sh EXAMPLES
The following command will start NetBSD/pmax on an emulated DECstation 
5000/200 (3MAX):
.Pp
.Dl "gxemul -e 3max -d nbsd_pmax.img"
.Pp
nbsd_pmax.img should be a raw disk image containing a bootable 
NetBSD/pmax filesystem.
.Pp
The following command will start an emulation session based on settings in 
the configuration file "mysession". The -v option tells gxemul to be
verbose.
.Pp
.Dl "gxemul -v @mysession"
.Pp
If you have compiled the small Hello World program mentioned in the
.Nm
documentation, the following command will start up an
emulated test machine in "paused" mode:
.Pp
.Dl "gxemul -E testmips -V hello_mips"
.Pp
Paused mode means that you enter the interactive single-step debugger
directly at startup, instead of launching the Hello World program.
.Pp
The paused mode is also what should be used when running "unknown" files 
for the first time in the emulator. E.g. if you have a binary which you 
think is some kind of MIPS ROM image, then you can try the following:
.Pp
.Dl "gxemul -vv -E baremips -V 0xbfc00000:image.raw"
.Pp
You can then use the single-stepping functionality of the built-in 
debugger to run the code in the ROM image, to see how it behaves. Based on 
that, you can deduce what machine type it was actually from (the 
baremips machine is not a real machine), and perhaps try again with 
another emulation mode.
.Pp
In general, however, real ROM images require much more emulation detail 
than GXemul provides, so they can usually not run.
.Pp
Please read the documentation for more details.
.Sh BUGS
There are many bugs. Some of the known bugs are mentioned in the TODO 
file in the
.Nm
source distribution, some are marked as TODO in the source code itself.
.Pp
Userland (syscall-only) emulation, i.e. running a userland binary directly 
without simulating an entire machine, doesn't really work yet.
.Pp
The documentation sometimes only reflects the way things worked with 
the old MIPS emulation mode (prior to 0.4.0), and it is incorrect when
applied to current releases.
.Pp
.Nm
is in general not cycle-accurate; it does not simulate individual
pipe-line stages or penalties caused by branch-prediction misses or
cache misses, so it cannot be used for accurate simulation of any actual
real-world processor.
.Pp
.Nm
is in general not timing-accurate. Some emulation modes
(DECstation, CATS, NetWinder, MobilePro (hpcmips), Malta (evbmips),
Cobalt, Algor, and Dreamcast) try to make the guest
operating system's clock run at the same speed as the host clock.
However, the number of instructions executed per clock tick can
obviously vary, depending on the current CPU load on the host.
.Sh AUTHOR
GXemul is Copyright (C) 2003-2006 Anders Gavare <anders@gavare.se>
.Pp
See http://gavare.se/gxemul/ for more information. For other Copyright
messages, see the corresponding parts of the source code and/or
documentation.
1	.\" $Id: gxemul.1,v 1.76 2006/11/04 06:40:20 debug Exp $
2	.\"
3	.\" Copyright (C) 2004-2006 Anders Gavare. All rights reserved.
4	.\"
5	.\" Redistribution and use in source and binary forms, with or without
6	.\" modification, are permitted provided that the following conditions are met:
7	.\"
8	.\" 1. Redistributions of source code must retain the above copyright
9	.\" notice, this list of conditions and the following disclaimer.
10	.\" 2. Redistributions in binary form must reproduce the above copyright
11	.\" notice, this list of conditions and the following disclaimer in the
12	.\" documentation and/or other materials provided with the distribution.
13	.\" 3. The name of the author may not be used to endorse or promote products
14	.\" derived from this software without specific prior written permission.
15	.\"
16	.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17	.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19	.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20	.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21	.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22	.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24	.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25	.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26	.\" SUCH DAMAGE.
27	.\"
28	.\"
29	.\" This is a minimal man page for GXemul. Process this file with
30	.\" groff -man -Tascii gxemul.1 or nroff -man gxemul.1
31	.\"
32	.Dd NOVEMBER 2006
33	.Dt GXEMUL 1
34	.Os
35	.Sh NAME
36	.Nm gxemul
37	.Nd an experimental machine emulator
38	.Sh SYNOPSIS
39	.Nm
40	.Op machine, other, and general options
41	.Op file Ar ...
42	.Nm
43	.Op general options
44	.Ar @configfile
45	.\" TODO: Reenable this once userland emulation works:
46	.\" .Nm
47	.\" .Op userland, other, and general options
48	.\" .Ar file Op Ar args ...
49	.Sh DESCRIPTION
50	.Nm
51	is an experimental instruction-level machine emulator. Several
52	emulation modes are available. In some modes, processors and surrounding
53	hardware components are emulated well enough to let unmodified operating
54	systems (e.g. NetBSD) run inside the emulator as if they were running on a
55	real machine.
56	.Pp
57	Processors (ARM, MIPS, PowerPC, SuperH) are emulated using dynamic translation.
58	However, unlike some other dynamically translating emulators, GXemul does
59	not currently generate native code, only a "runnable intermediate
60	representation", and will thus run on any host architecture, without the
61	need to implement per-architecture backends.
62	.Pp
63	The emulator can be invoked in the following ways:
64	.Pp
65	1. When emulating a complete machine, configuration options can be entered
66	directly on the command line.
67	.Pp
68	2. Options can be read from a configuration file.
69	.\" .Pp
70	.\" 3. When emulating a userland environment (syscall-only emulation, not
71	.\" emulating complete machines), then the program name and its argument
72	.\" should be given on the command line. (This mode doesn't really work yet,
73	.\" and is disabled for stable release builds.)
74	.Pp
75	The easiest way to use the emulator is to supply settings directly on the
76	command line. The most important thing you need to supply is the
77	file argument. This is the name of a binary file (an ELF, a.out, COFF/ECOFF,
78	SREC, or a raw binary image) which you wish to run in the emulator. This file
79	might be an operating system kernel, or perhaps a ROM image file.
80	.Pp
81	If more than one filename is supplied, all files are loaded into memory,
82	and the entry point (if available) is taken from the last file.
83	.Pp
84	Apart from the name of a binary file, it is also necessary to select
85	which specific emulation mode to use. For example, a MIPS-based machine
86	from DEC (a DECstation) is very different from a MIPS-based machine
87	from SGI. Use
88	.Nm
89	.Fl H
90	to get a list of available emulation modes.
91	.Pp
92	There are two exceptions to the normal invocation usage mentioned above.
93	The first is for DECstation emulation: if you have a bootable
94	DECstation harddisk or CDROM image, then just supplying the diskimage via
95	the
96	.Fl d
97	option is sufficient. (The filename of the kernel can then be
98	skipped, as the emulator runs the bootblocks from the diskimage directly and
99	doesn't need the kernel as a separate file.)
100	The second is if you supply an ISO9660 CDROM disk image. You may then use
101	the
102	.Fl j
103	option to indicate which file on the CDROM filesystem that should be
104	loaded into emulated memory.
105	.Pp
106	Gzipped kernels are automatically unzipped, by calling the external gunzip
107	program, both when specifying a gzipped file directly on the command line
108	and when loading such a file using the
109	.Fl j
110	option.
111	.Pp
112	Machine selection options:
113	.Bl -tag -width Ds
114	.It Fl E Ar t
115	Try to emulate machine type
116	.Ar "t".
117	This option is not always needed, if the
118	.Fl e
119	option uniquely selects a machine.
120	(Use
121	.Fl H
122	to get a list of types.)
123	.It Fl e Ar st
124	Try to emulate machine subtype
125	.Ar "st".
126	Use this together with
127	.Fl E .
128	(This option is not always needed, if a machine type has no subtypes.)
129	.El
130	.Pp
131	Other options:
132	.Bl -tag -width Ds
133	.It Fl C Ar x
134	Try to emulate a specific CPU type,
135	.Ar "x".
136	This overrides the default CPU type for the machine being emulated.
137	(Use
138	.Fl H
139	to get a list of available CPU types.)
140	.It Fl d Ar [modifiers:]filename
141	Add
142	.Ar filename
143	as a disk image. By adding one or more modifier characters and then a
144	colon (":") as a prefix to
145	.Ar filename,
146	you can modify the way the disk image is treated. Available modifiers are:
147	.Bl -tag -width Ds
148	.It b
149	Specifies that this is a boot device.
150	.It c
151	CD-ROM.
152	.It d
153	DISK (this is the default).
154	.It f
155	FLOPPY.
156	.It gH;S;
157	Override the default geometry; use H heads and S sectors-per-track.
158	(The number of cylinders is calculated automatically.)
159	.It i
160	IDE. (This is the default for most machine types.)
161	.It r
162	Read-only (don't allow changes to be written to the file).
163	.It s
164	SCSI.
165	.It t
166	Tape.
167	.It 0-7
168	Force a specific ID number.
169	.El
170	.Pp
171	For SCSI devices, the ID number is the SCSI ID. For IDE harddisks, the ID
172	number has the following meaning:
173	.Bl -tag -width Ds
174	.It 0
175	Primary master.
176	.It 1
177	Primary slave.
178	.It 2
179	Secondary master.
180	.It 3
181	Secondary slave.
182	.El
183	.Pp
184	Unless otherwise specified, filenames ending with ".iso" or ".cdr" are
185	assumed to be CDROM images. Most others are assumed to be disks. Depending
186	on which machine is being emulated, the default for disks can be either
187	SCSI or IDE. Some disk images that are very small are assumed to be floppy
188	disks. (If you are not happy with the way a disk image is detected, then
189	you need to use explicit prefixes to force a specific type.)
190	.Pp
191	For floppies, the gH;S; prefix is ignored. Instead, the number of
192	heads and cylinders are assumed to be 2 and 80, respectively, and the
193	number of sectors per track is calculated automatically. (This works for
194	720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
195	.It Fl G Ar port
196	Pause at startup, and listen to TCP port
197	.Ar port
198	for incoming remote GDB connections. The emulator starts up in paused
199	mode, and it is up to the remote GDB instance to start the session.
200	.It Fl I Ar hz
201	Set the main CPUs frequency to
202	.Ar hz
203	Hz. This option does not work for all emulated machine modes. It affects
204	the way count/compare interrupts are faked to simulate emulated time =
205	real world time. If the guest operating system relies on RTC interrupts
206	instead of count/compare interrupts, then this option has no effect.
207	.Pp
208	Setting the frequency to zero disables automatic synchronization of
209	emulated time vs real world time, and the count/compare system runs at a
210	fixed rate.
211	.It Fl i
212	Enable instruction trace, i.e. display disassembly of each instruction as
213	it is being executed.
214	.It Fl J
215	Disable instruction combinations in the dynamic translator.
216	.It Fl j Ar n
217	Set the name of the kernel to
218	.Ar "n".
219	When booting from an ISO9660 filesystem, the emulator will try to boot
220	using this file. (In some emulation modes, eg. DECstation, this name is passed
221	along to the boot program. Useful names are "bsd" for OpenBSD/pmax,
222	"vmunix" for Ultrix, or "vmsprite" for Sprite.)
223	.It Fl M Ar m
224	Emulate
225	.Ar m
226	MBs of physical RAM. This overrides the default amount of RAM for the
227	selected machine type.
228	.It Fl N
229	Display the number of executed instructions per second on average, at
230	regular intervals.
231	.It Fl n Ar nr
232	Set the number of processors in the machine, for SMP experiments.
233	.Pp
234	Note 1: The emulator allocates quite a lot of virtual memory for
235	per-CPU translation tables. On 64-bit hosts, this is normally not a
236	problem. On 32-bit hosts, this can use up all available virtual userspace
237	memory. The solution is to either run the emulator on a 64-bit host,
238	or limit the number of emulated CPUs to a reasonably low number.
239	.Pp
240	Note 2: SMP simulation is not working very well yet; multiple processors
241	are simulated, but synchronization between the processors does not map
242	very well to how real-world SMP systems work.
243	.It Fl O
244	Force a "netboot" (tftp instead of disk), even when a disk image is
245	present (for DECstation, SGI, and ARC emulation).
246	.It Fl o Ar arg
247	Set the boot argument (mostly useful for DEC, ARC, or SGI emulation).
248	Default
249	.Ar arg
250	for DEC is "-a", for ARC/SGI it is "-aN", and for CATS it is "-A".
251	.It Fl p Ar pc
252	Add a breakpoint.
253	.Ar pc
254	can be a symbol, or a numeric value. (Remember to use the "0x" prefix for
255	hexadecimal values.)
256	.It Fl Q
257	Disable the built-in (software-only) PROM emulation. This option is useful
258	for experimenting with running raw ROM images from real machines. The default
259	behaviour of the emulator is to "fake" certain PROM calls used by guest
260	operating systems (e.g. NetBSD), so that no real PROM image is needed.
261	.It Fl R
262	Use a random bootstrap cpu, instead of CPU nr 0. (This option is only
263	meaningful together with the
264	.Fl n
265	option.)
266	.It Fl r
267	Dump register contents for every executed instruction.
268	.It Fl S
269	Initialize emulated RAM to random data, instead of zeroes. This option
270	is useful when trying to trigger bugs in a program that occur because the
271	program assumed that uninitialized memory contains zeros. (Use with
272	care.)
273	.It Fl s Ar flags:filename
274	Gather statistics based on the current emulated program counter value,
275	while the program executes. The statistics is actually just a raw dump of
276	all program counter values in sequence, suitable for post-analysis with
277	separate tools. Output is appended to
278	.Ar filename.
279	.Pp
280	The
281	.Ar flags
282	should include one or more of the following type specifiers:
283	.Bl -tag -width Ds
284	.It v
285	Virtual. This means that the program counter value is used.
286	.It p
287	Physical. This means that the physical address of where the program
288	is actually running is used.
289	.It i
290	Instruction call. This type of statistics gathering is practically only
291	useful during development of the emulator itself. The output is a list of
292	addresses of instruction call functions (ic->f), which after some
293	post-processing can be used as a basis for deciding when to implement
294	instruction combinations.
295	.El
296	.Pp
297	The
298	.Ar flags
299	may also include the following optional modifiers:
300	.Bl -tag -width Ds
301	.It d
302	Disabled at startup.
303	.It o
304	Overwrite the file, instead of appending to it.
305	.El
306	.Pp
307	.\" Statistics gathering can be enabled/disabled at runtime by using the
308	.\" "TODO" debugger command.
309	.\" .Pp
310	When gathering instruction statistics using the
311	.Fl s
312	option, instruction combinations are always disabled (i.e.
313	an implicit
314	.Fl J
315	is added to the command line).
316	.Pp
317	If a value is missing (e.g. the end-of-page slot does not really have a
318	known physical address), it is written out as just a dash ("-").
319	.It Fl t
320	Show a trace tree of all function calls being made.
321	.It Fl U
322	Enable slow_serial_interrupts_hack_for_linux.
323	.It Fl X
324	Use X11. This option enables graphical framebuffers.
325	.It Fl x
326	Open up new xterms for emulated serial ports. The default behaviour is to
327	open up xterms when using configuration files, or if X11 is enabled. When
328	starting up a simple emulation session with settings directly on the
329	command line, and neither
330	.Fl X
331	nor
332	.Fl x
333	is used, then all output is confined to the terminal that
334	.Nm
335	started in.
336	.It Fl Y Ar n
337	Scale down framebuffer windows by
338	.Ar n
339	x
340	.Ar n
341	times. This option is useful when emulating a very large framebuffer, and
342	the actual display is of lower resolution. If
343	.Ar n
344	is negative, then there will be no scaledown, but emulation of certain
345	graphic controllers will be scaled up
346	by
347	.Ar -n
348	times instead. E.g. Using
349	.Ar -2
350	with VGA text mode emulation will result in 80x25 character cells rendered
351	in a 1280x800 window, instead of the normal resolution of 640x400.
352	.It Fl Z Ar n
353	Set the number of graphics cards, for emulating a dual-head or tripple-head
354	environment. (Only for DECstation emulation so far.)
355	.It Fl z Ar disp
356	Add
357	.Ar disp
358	as an X11 display to use for framebuffers.
359	.El
360	.Pp
361	.\" Userland options:
362	.\" .Bl -tag -width Ds
363	.\" .It Fl u Ar emul-mode
364	.\" Userland-only (syscall) emulation. (Use
365	.\" .Fl H
366	.\" to get a list of available emulation modes.) Some (but not all) of the
367	.\" options listed under Other options above can also be used with
368	.\" userland emulation.
369	.\" .El
370	.\" .Pp
371	General options:
372	.Bl -tag -width Ds
373	.It Fl c Ar cmd
374	Add
375	.Ar cmd
376	as a command to run before starting the simulation. A similar effect can
377	be achieved by using the
378	.Fl V
379	option, and entering the commands manually.
380	.It Fl D
381	Causes the emulator to skip a call to srandom(). This leads to somewhat
382	more deterministic behaviour than running without this option.
383	However, if the emulated machine has clocks or timer interrupt sources,
384	or if user interaction is taking place (e.g. keyboard input at irregular
385	intervals), then this option is meaningless.
386	.It Fl H
387	Display a list of available CPU types, machine types, and userland
388	emulation modes. (Most of these don't work. Please read the documentation
389	included in the
390	.Nm
391	distribution for details on which modes that actually work. Userland
392	emulation is not included in stable release builds, since it doesn't work
393	yet.)
394	.It Fl h
395	Display a list of all available command line options.
396	.It Fl K
397	Force the single-step debugger to be entered at the end of a simulation.
398	.It Fl q
399	Quiet mode; this suppresses startup messages.
400	.\".It Fl s
401	.\"For MIPS emulation: Show opcode usage statistics after the simulation.
402	.\"For non-MIPS emulation (i.e. using dyntrans): Save statistics to a file
403	.\"at regular intervals of which physical addresses that were executed.
404	.It Fl V
405	Start up in the single-step debugger, paused.
406	.It Fl v
407	Increase verbosity (show more debug messages). This option can be used
408	multiple times.
409	.El
410	.Pp
411	Configuration file startup:
412	.Bl -tag -width Ds
413	.It @ Ar configfile
414	Start an emulation based on the contents of
415	.Ar "configfile".
416	.El
417	.Pp
418	For more information, please read the documentation in the doc/
419	subdirectory of the
420	.Nm
421	distribution.
422	.Sh EXAMPLES
423	The following command will start NetBSD/pmax on an emulated DECstation
424	5000/200 (3MAX):
425	.Pp
426	.Dl "gxemul -e 3max -d nbsd_pmax.img"
427	.Pp
428	nbsd_pmax.img should be a raw disk image containing a bootable
429	NetBSD/pmax filesystem.
430	.Pp
431	The following command will start an emulation session based on settings in
432	the configuration file "mysession". The -v option tells gxemul to be
433	verbose.
434	.Pp
435	.Dl "gxemul -v @mysession"
436	.Pp
437	If you have compiled the small Hello World program mentioned in the
438	.Nm
439	documentation, the following command will start up an
440	emulated test machine in "paused" mode:
441	.Pp
442	.Dl "gxemul -E testmips -V hello_mips"
443	.Pp
444	Paused mode means that you enter the interactive single-step debugger
445	directly at startup, instead of launching the Hello World program.
446	.Pp
447	The paused mode is also what should be used when running "unknown" files
448	for the first time in the emulator. E.g. if you have a binary which you
449	think is some kind of MIPS ROM image, then you can try the following:
450	.Pp
451	.Dl "gxemul -vv -E baremips -V 0xbfc00000:image.raw"
452	.Pp
453	You can then use the single-stepping functionality of the built-in
454	debugger to run the code in the ROM image, to see how it behaves. Based on
455	that, you can deduce what machine type it was actually from (the
456	baremips machine is not a real machine), and perhaps try again with
457	another emulation mode.
458	.Pp
459	In general, however, real ROM images require much more emulation detail
460	than GXemul provides, so they can usually not run.
461	.Pp
462	Please read the documentation for more details.
463	.Sh BUGS
464	There are many bugs. Some of the known bugs are mentioned in the TODO
465	file in the
466	.Nm
467	source distribution, some are marked as TODO in the source code itself.
468	.Pp
469	Userland (syscall-only) emulation, i.e. running a userland binary directly
470	without simulating an entire machine, doesn't really work yet.
471	.Pp
472	The documentation sometimes only reflects the way things worked with
473	the old MIPS emulation mode (prior to 0.4.0), and it is incorrect when
474	applied to current releases.
475	.Pp
476	.Nm
477	is in general not cycle-accurate; it does not simulate individual
478	pipe-line stages or penalties caused by branch-prediction misses or
479	cache misses, so it cannot be used for accurate simulation of any actual
480	real-world processor.
481	.Pp
482	.Nm
483	is in general not timing-accurate. Some emulation modes
484	(DECstation, CATS, NetWinder, MobilePro (hpcmips), Malta (evbmips),
485	Cobalt, Algor, and Dreamcast) try to make the guest
486	operating system's clock run at the same speed as the host clock.
487	However, the number of instructions executed per clock tick can
488	obviously vary, depending on the current CPU load on the host.
489	.Sh AUTHOR
490	GXemul is Copyright (C) 2003-2006 Anders Gavare <anders@gavare.se>
491	.Pp
492	See http://gavare.se/gxemul/ for more information. For other Copyright
493	messages, see the corresponding parts of the source code and/or
494	documentation.