programming technologies, mipt, april 7th, 2012

Programming Technologies, MIPT, April 7th, 2012

Introduction to Binary Translation Technology

Roman Sokolov SMWare

[email protected]

Elbrus Binary Translation Technology for IA-32 CompatibilityIntroduction to Binary Translation Technology, Programming Technologies, MIPT, April 7th, 2012

• Binary translation is a process of conversion of source (guest) architecture executable binary codes into executable codes of target (native) architecture.

• Motivations:• binary compatibility w/o source codes recompilation (new archs

enabling – more efficient, less complicated, etc.)• dynamic optimization• JIT• security• instrumentation and analysis of binaries• virtualization• simulation• …

Guest Applications

Guest BIOS,OS & Libraries

GuestApplications

App level BTNative

Applications

Native BIOS, OS & Libraries

HW

Full System BT

HW

Application-level DBTS Full system DBTS

Elbrus Binary Translation Technology for IA-32 Compatibility

BT systems classes

Static Dynamic

Introduction to Binary Translation Technology, Programming Technologies, MIPT, April 7th, 2012

Elbrus Binary Translation Technology for IA-32 Compatibility

x86nativex86nativex86

x86guestNew native applications

x86x86

Transmeta’s

Approach

x86nativex86

applications

Intel’s Approach

Example: How to use MS Windows on x86-incompatible computer

Elbrus’s Approach

(mode choice at boot time)


Adaptive binary translation (1/2)

Adaptive dynamic binary translation (1/2)

Optimizing region translation

Guest binaries

Interpretation (and profiling of traces)

Non-optimizing trace translation

Translations cache: execution and

profiling of regions

Adaptive retranslation


Adaptive dynamic binary translation (2/2): profile of execution



BTS layout

Guest MemorySpace

BT System(native)Memory SpaceSystem CodeSystem DataCompiler HeapCode CachesAddrMap Table

Code Base

Invisible for guest programs



Guest control transfer (AddrMap+Cache, GRAS, Native linking)


Translations cache

Transl.

AddrMap (S/W)AddrMap Cache (H/W)

Transl.

Translateg. brn

n. brn

found

not found

Transl.

GRAS (H/W)

Transl.Transl. g. rtn (pop)

push on g. call

g.rtn (pop)

g. call


Security

Self-modifying code

Interrupts and precise exceptions

Difference in legacy and host ops semantics

Binary Translation Problems

Memory mapped I/O devices


Robust performance required!


Hardware support

Functionality Performance

Compatible TLB, MMU, guest memory space support

Compatible global registers, FP stack

Guest code modification protection (SMC/DMA)

Instruction equivalents

BTS ROM Guest-to-native address translation cache, Guest return address stack

Recovery support

Asynchronous interrupts support

Memory mapped I/O pages protection

H/W thread/core for dynamic opt.

MLT, DAM, …



Optimized code Compensation code

computes & restorescontext for Current RP

Non-optimized code

Set Recovery Pointinstruction

Exception Handler

GuestException Handler

Program execution

Speculativeinstructionbringing

exceptionreturns

diagnosticvalue

Real exception on

the same guest instr.

Check instr.

causes exception

Back to Current RP

Recovery model


0

1

10

0

Binary Translated

Code

Guest code

Guest code

Translation

Physical Space Bitmap

Native VM SpaceGuest VM Space

Physical memory space is represented via a bitmapBitmap entry represents 4K in physical space Translator tags guest code memory locations in the bitmap

Physical memory protection (1/2): translation



0

1

10

0

Binary Translated

Code

Guest code

Guest code

TLB

Physical Space Bitmap

Chipset

HDD

DMANative VM SpaceGuest VM SpaceException

Exception

Writes to the tagged memory locations result in exceptions TLB protects tagged memory locations from CPU memory writes Chipset protects tagged memory locations from DMA memory writes

Bitmap entries are cached internally in hardware Exact memory address reported for each violation attempted

Physical memory protection (2/2): execution


Dynamic optimization vs. Latency

Execution Execution

New hot region acquired

Interrupt

Interrupt delivery delay (latency)

Interrupt delivery

End of optimizationStart of optimization


Background optimization

Approach• Optimizing translation is separated in a different thread (optimization

thread), that can run simultaneously with the main execution thread.• Hot regions are detected by the execution thread and are then scheduled to

be optimized in background by the optimization thread.

Dual(many)-coreOptimization is moved onto underutilized processor core Benefits• Improves application’s execution

latency• Removes overhead from the

application’s execution• Enables the application of

more aggressive optimizations.

Single-coreOptimization is interleaved with execution

Benefits• Improves application’s execution

latency


Single-core background optimization (1/3)

Execution Execution

New hot region acquired

InterruptInterrupt delivery

End of optimizationStart of optimization

InterruptInterrupt delivery

Execution

Optimization

Time-sliced optimization


Dual-core background optimization (1/2)

Core 2· Optimizing translation of region

Core 1· Execution· Run-time support· Interpreter and non-opt. translation

Acquire new hot region

Allocate region translation in translation cache

Offloaded optimization


Future works

Guest architecture multiprocessor system emulation

Guest Applications


Full System BT

HW

Guest Applications


Full System BT

Core0:Exec

Core1:Opt

Full System BT

Core0:Exec

Core1:Opt



Dynamic Binary Translation: summary

• Key paradigm for resolving compatibility/performancetension is speculation, recovery, and adaptive retranslation

• The devil is in the details: a successful solution must dealwith unpleasant architectural details

• Precise exceptions• Interrupts and DMA• Memory-mapped I/O• Self-modifying code

All techniques developed for real performance problems



Dynamic Binary Translation: summary

Proc• Enables transparent transition to new architectures• Allows to transparently improve underlying hardware• Optimization of legacy codes with no sources available• Provides run-time optimization opportunities (as compared to static

native compilers)• Hardware bugs masking

Cons• Translation overhead degrades runtime performance• BTS consumes RAM to store internal structures and translated

codes• High-performance BT requires hardware support• Full-system BTS are hard to debug


Q&A

Further reading: Virtual Machines: Versatile Platforms for Systems and Processes by: Jim Smith, Ravi Nair; Morgan Kaufmann Publishers


programming technologies, mipt, april 7th, 2012

Documents

adaptive binary translation

guest programsintroduction

native linkingintroduction

gras hwtransl

profiling of tracesnon

rtn pop push

boot timeintroduction

precise exceptionsdifference