The document discusses dynamic binary translation (DBT) and the use of translation caches to improve the efficiency of code execution on different CPUs. It outlines virtualization techniques, QEMU internals, various cache algorithms, and proposes a new cache algorithm design along with its simulation results. The findings suggest that the current QEMU translation cache is inefficient, and the proposed algorithm may reduce unnecessary re-translations and improve performance.

1. Responsible : Prof. Frédéric Pétrot
Supervisor : Luc Michel
TIMA Laboratory - SLS Group
Grenoble, France
Translation cache policies for
dynamic binary translation
Ecole
Nationale
des Sciences
de l'Informatique
Saber Ferjani

2. 2
 DBT: Is a CPU simulation technique, it reads a
short sequence of code (Target), translates it,
and executes it in a different CPU (Host).
Host Machine
CPUSimulated Target
translation
asm code

3. TB TB TB TB TB TB
3
 Translation cache: It is a buffer in host
machine that stores the Translated Blocks (TB)

4. Outline
1. Virtualization and simulation techniques
2. Qemu Internals
3. Typical cache algorithms
4. Cache algorithm proposal
5. Simulation results
6. Conclusion & Perspectives
4

5. 1. Virtualization and simulation techniques
5
1.1. Just In Time Compiler

6. 1. Virtualization and simulation techniques
6
1.2. Hosted & Native Hypervisors

7. 1. Virtualization and simulation techniques
7
1.3. Virtualization tools
Virtual Box
Virtual PC
VMware
Xen
Bochs
Valgrind
Qemu
KVM

8. 1. Virtualization and simulation techniques
8
1.4. Simulation techniques
 Interpretive technique ► Extremely slow!
 Native Simulation ► Need source code!
 Binary Translation:
 Static ► Cannot handle indirect branches
 Dynamic ► Quite fast & flexible

9. 2. Qemu internals
9
2.1. Overview
 Generic & Open source machine emulator
 Created by Fabrice Bellard in 2003
 Supported targets: IA32, ARM, SPARC, MIPS, PPC…

10. 2. Qemu internals
10
2.2. Execution flow example

11. 2. Qemu internals
11
2.3. Main execution loop

12. 2. Qemu internals
12
2.4. Translation cache size

13. 2. Qemu internals
13
2.4. TB allocation

14. 3. Typical cache algorithms
14
Optimal cache algorithm (offline)
Basic cache algorithms:
Flush, Random, FIFO, LRU, LFU
Advanced cache algorithms:
LRFU, 2Q, LIRS, ARC
Qemu constraints:
TB are not movable
TB size is variable,
TB size is unpredictable

15. 4. Cache algorithm proposal
15
4.1. Algorithm design

16. 4. Cache algorithm proposal
16
4.2. Data structure
Constant insertion overhead
Frequently referenced TBs are elected for
re-translation into separated cache area

17. 4. Cache algorithm proposal
17
4.3. HST update
Before CSA flush, add address of all TBs
that were executed more than 𝐹𝑡ℎ
HST is used as circular buffer,
HST size is fixed to half of HSA size
@HS1
@HS2
@HS3@HS4
@HS5

18. Qemu monitor: Back-end configuration
console interface
Log options:
out asm: show generated host code
In asm: show target assembly code
Exec: show trace before each executed TB
…etc
Generated log of (log exec):
Trace (Host Address) [(Target Address)]
5. Simulation results
18
5.1. Qemu log

19. 5. Simulation results
19
5.2. TB-trace: Translation cache simulator

20. 5. Simulation results
20
5.3. Simulated cache algorithms
LRU
LFU
CSA HSA
• A-LRU:
• A-LFU:
• A-2Q:
@
@
@@
@
HST

21. 5. Simulation results
5.3. Qemu used guest machines
LZMA benchmark
Linux Kernel
Windows XP start-up

22. 5. Simulation results
22
5.5. Guest 1: LZMA benchmark over Debian
0,25 0,375 0,5
62
89
72
50 55 5256
68
88
CSA
flushs
Quota=
LRU LFU 2Q
0,25 0,375 0,5
18,5%
39,6%
26,1%
86,9% 91,3% 90,1%
81,8% 81,9% 81,8%
Hotspot
hit

23. 5. Simulation results
23
5.6. Guest 2: Linux kernel 2.6.20
0,25 0,375 0,5
15
18
22
15
17
21
16
19
23
CSA
flushs
Quota=
LRU LFU 2Q
+1
HSA
flush
+1
HSA
flush
0,25 0,375 0,5
24,1%
32,1%
43,6%
24,4%
61,9% 57,4%
30,0%
64,1% 65,2%
Hotspot
hit

24. 5. Simulation results
24
5.7. Guest 3: Windows XP start-up
0,25 0,375 0,5
15
18
21
15
17
21
16
19
24
CSA
flushs
Quota=
LRU LFU 2Q
+1
HSA
flush
+1
HSA
flush
+1
HSA
flush
0,25 0,375 0,5
16,0%
45,2%
52,1%
23,4%
56,5% 51,4%
29,0%
45,3%
64,7%
Hotspot
hit

25. Qemu translation cache is inefficient
Cache algorithms based on page
replacement cannot be used
Our algorithm proposal advantages:
Reduce unneeded re-translations
TB insertion overhead is constant
Drawbacks:
Invalidated TB remain allocated
Address find operation depend on HST size
6. Conclusion & Perspectives
25
6.1. Conclusion

26. Use a hash function for HST to accelerate
TB lookup before each new translation,
Use an op-code buffer to accelerate TB
re-translation of hot spots,
Estimate size of next translation, and try
to overwrite invalidated TB
6. Conclusion & Perspectives
26
6.2. Perspectives

27. 27
Questions?