> Say you are trying to emulate an indirect jump (i.e. jmp eax). Because eax
> is unknown at compile time, you will have to return to the mainloop to look
> it up. However, if you know some likely values, you can do a few cached
> compares and hope it hits one of them.
>
> compare eax = 0x33e3e23
> jmp tb 30
> compare eax = 0332d2ed
> jmp tb 30
> tb exit
I believe we are talking about the same thing. :-) The terminology "IBTC" is coined by "Evaluating Indirect Branch Handling Mechanisms in Software Dynamic Translation Systems". QEMU does not implement IBTC or inline caching.

> If the branch target is fixed, you will still need 2 jmps, one for the taken
> branch and another for the not-taken branch. Can you show me where the code
> that does that is?

Take x86 for example, see gen_goto_tb (target-i386/translate.c). gen_goto_tb generates TCG IR for block chaining. Here is the code snippet of gen_goto_tb.

    tcg_gen_goto_tb(tb_num);   // tb_num could be taken or not-taken branch
    gen_jmp_im(eip);
    tcg_gen_exit_tb((tcg_target_long)tb + tb_num);

How block chaining is done is a little complicated. You can refer to the white paper "Porting QEMU to Plan 9: QEMU Internals and Port Strategy" to get a general idea.

HTH.

Regards,
chenwj

--
Wei-Ren Chen (陳韋任)
Computer Systems Lab, Institute of Information Science,
Academia Sinica, Taiwan (R.O.C.)
Tel:886-2-2788-3799 #1667
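As an added illustration of the two mechanisms named in this thread (a per-branch inline cache of "compare eax = X; jmp tb" slots in front of an IBTC-style global table, with "tb exit" to the main loop when both miss), here is a constructed C model. It is not QEMU code; the table size, slot count, hash function and TB numbering are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not QEMU code: an indirect-branch inline cache
 * (the "compare eax = ...; jmp tb" idea) backed by an IBTC-style hash
 * table, with exit to the main loop when both miss. TB 0 means "no TB". */

#define INLINE_SLOTS 2   /* assumed: two cached compares per branch site */
#define IBTC_SIZE    64  /* assumed: global table size (power of two) */

typedef struct { uint32_t guest_pc; int tb; } ibtc_entry;
static ibtc_entry ibtc[IBTC_SIZE];          /* global: guest pc -> TB index */

typedef struct {
    uint32_t guest_pc[INLINE_SLOTS];        /* cached compare values */
    int tb[INLINE_SLOTS];                   /* TB to jump to on a match */
    int victim;                             /* round-robin slot replacement */
} inline_cache;

static unsigned ibtc_hash(uint32_t pc) { return (pc >> 2) & (IBTC_SIZE - 1); }

/* Record that guest pc has been translated into TB number tb. */
void ibtc_insert(uint32_t pc, int tb) { ibtc[ibtc_hash(pc)] = (ibtc_entry){ pc, tb }; }

/* Emulates the lookup behind "jmp eax": returns the TB to jump to, or 0 when
 * execution must return to the main loop. *path reports which mechanism
 * answered: 0 inline cache, 1 IBTC (and the inline cache is refilled), 2 exit. */
int resolve_indirect(inline_cache *ic, uint32_t eax, int *path)
{
    for (int i = 0; i < INLINE_SLOTS; i++)       /* "compare eax = X; jmp tb" */
        if (ic->tb[i] && ic->guest_pc[i] == eax) { *path = 0; return ic->tb[i]; }

    ibtc_entry *e = &ibtc[ibtc_hash(eax)];       /* fall back to the hash table */
    if (e->tb && e->guest_pc == eax) {
        ic->guest_pc[ic->victim] = eax;          /* refill one compare slot */
        ic->tb[ic->victim] = e->tb;
        ic->victim = (ic->victim + 1) % INLINE_SLOTS;
        *path = 1; return e->tb;
    }
    *path = 2; return 0;                          /* "tb exit": back to main loop */
}

int main(void)
{
    inline_cache ic; memset(&ic, 0, sizeof ic);
    int path;
    ibtc_insert(0x33e3e23u, 30);                  /* target from the thread */
    resolve_indirect(&ic, 0x33e3e23u, &path);     /* IBTC hit, fills a slot */
    resolve_indirect(&ic, 0x33e3e23u, &path);     /* now an inline-cache hit */
    return path == 0 ? 0 : 1;
}
```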