1GXEMUL(1) BSD General Commands Manual GXEMUL(1)
2
4 gxemul — an experimental framework for full-system machine emulation
5
7 gxemul [options] -e name [additional components and files ...]
8 gxemul [options] configfile
9 gxemul -V
10 gxemul -H
11
13 gxemul [machine, other, and general options] [file ...]
14 gxemul [general options] @configfile
15
17 gxemul is a framework for full-system computer architecture emulation.
18 Several processor architectures and machine types have been implemented.
19 It is working well enough to allow unmodified "guest" operating systems
20 (e.g. NetBSD) to run inside the emulator, as if they were running on real
21 hardware.
22 The emulator emulates (networks of) real machines. The machines may con‐
24 sist of ARM, MIPS, Motorola 88K, PowerPC, and SuperH processors, and var‐
25 ious surrounding hardware components such as framebuffers, busses, inter‐
26 rupt controllers, ethernet controllers, disk controllers, and serial port
27 controllers.
28 Note: Only very few emulated machine modes have been rewritten to use the
30 new emulation framework introduced in version 0.6.x, so there are two
31 different ways to use the emulator. (Most emulation modes and machines
32 are only valid in the old framework.)
33 The options available for the new framework are:
35 -B Enables snapshotting (required for reverse execution/stepping).
37 -e name
39 Start with a machine based on template 'name'. The name may be
40 followed by optional arguments in parentheses, e.g.
41 gxemul -V -e 'testmips(cpu=R4400)'
43 Remember to use quotes if your shell gives special meaning to
45 parentheses.
46 -H Display a list of available machine templates.
48 -q Start up in Quiet mode (i.e. suppress debug messages). If an
50 error occurs during emulation which stops execution and drops the
51 user into the debugger, quiet mode is turned off.
52 -V Start up in interactive mode, paused. If this option is used, -q
54 is ignored.
55 When using the -e option, the remainder of the command line consists of
57 zero or more additional files to load, or components to add to the emula‐
58 tion setup. Including these on the command line is equivalent to using
59 the 'add' command (although with a different syntax) in the interactive
60 debugger. A simple example is a file name to load into the emulated
61 machine, but they can be more complex as well. See the Adding Additional
62 Components on the Command Line section below for more details.
63 When not using the -e option, the config file should be one that was pre‐
65 viously saved from within the emulator using the 'save' command.
66 Starting the emulator with the -V switch will bring you to the interac‐
68 tive debugger environment, without starting the emulation.
69
71 The general syntax is:
72 existing_component_path:component(args)
74 If existing_component_path part is omitted, it is assumed to be cpu0.
76 The component(args) part may be written as just args, in which case the
77 name of the component is autodetected, and the args is given as an argu‐
78 ment called "name" to that component.
79 gxemul For example, if the additional component/filename is just
81 netbsd-GENERIC
83 this will be equivalent to
85 cpu0:file(name=netbsd-GENERIC)
87 An attempt will be made to load the file netbsd-GENERIC into cpu0, which
89 is the default component if none is specified. This will most likely be
90 expanded into root.machine0.mainbus0.cpu0. If cpu0 is ambiguous, then
91 this will not work; the specific cpu0 name must be supplied instead, like
92 this:
93 machine3.mainbus0.cpu0:netbsd-GENERIC
95 Another example, using an SDL display component to show the contents of
97 an emulated video framebuffer:
98 fb_videoram0:sdl()
100 Here, the existing component name (the framebuffer) and the component to
102 add (the SDL display component) are included, but no arguments.
103
105 Please read the HTML documentation for more details on how to run com‐
106 plete guest operating systems in the emulator.
107
109 The emulator can be invoked in the following ways:
110 1. When emulating a complete machine, configuration options can be sup‐
112 plied directly on the command line.
113 2. Options can be read from a configuration file.
115 The easiest way to use the emulator is to supply settings directly on the
117 command line.
118 The most important thing you need to supply is the file argument. This is
120 the name of a binary file (an ELF, a.out, COFF/ECOFF, SREC, or a raw
121 binary image) which you wish to run in the emulator. This file might be
122 an operating system kernel, or perhaps a ROM image file. If more than
123 one filename is supplied, all files are loaded into memory, and the entry
124 point (if available) is taken from the last file.
125 Apart from the name of a binary file, you must also use the -E and/or -e
127 options to select which emulation mode to use. This is necessary because
128 the emulator cannot in general deduce this from the file being executed.
129 For example, a MIPS-based machine from DEC (a DECstation) is very differ‐
130 ent from a MIPS-based machine from SGI. Use gxemul -H to get a list of
131 available emulation modes.
132 There are three exceptions to the normal invocation usage mentioned
134 above.
135 1. For DECstation emulation, if you have a bootable DECstation harddisk
137 or CDROM image, then just supplying the diskimage via the -d option is
138 sufficient. The filename of the kernel can then be skipped, as the emula‐
139 tor runs the bootblocks from the diskimage directly and doesn't need the
140 kernel as a separate file.
141 2. If you supply an ISO9660 CDROM disk image, then using the -j option to
143 indicate a file on the CDROM filesystem to load is sufficient; no addi‐
144 tional kernel filename needs to be supplied on the command line.
145 3. For Dreamcast emulation, when booting e.g. a NetBSD/dreamcast CDROM
147 image, it is enough to supply the disk image (with the correct ISO parti‐
148 tion start offset). Bootblocks will be read directly from the CDROM
149 image, and there is no need to supply the name of an external kernel on
150 the command line.
151 Gzipped kernels are automatically unzipped, by calling the external gun‐
153 zip program, both when specifying a gzipped file directly on the command
154 line and when loading such a file using the -j option.
155 Machine selection options:
157 -E t Try to emulate machine type t. This option is not always needed,
159 if the -e option uniquely selects a machine. (Use -H to get a
160 list of types.)
161 -e st Try to emulate machine subtype st. Use this together with -E.
163 (This option is not always needed, if a machine type has no sub‐
164 types.)
165 Other options:
167 -C x Try to emulate a specific CPU type, x. This overrides the
169 default CPU type for the machine being emulated. (Use -H to get
170 a list of available CPU types.)
171 -d [modifiers:]filename
173 Add filename as a disk image. By adding one or more modifier
174 characters and then a colon (":") as a prefix to filename, you
175 can modify the way the disk image is treated. Available modifiers
176 are:
177 b Specifies that this is a boot device.
179 c CD-ROM.
181 d DISK (this is the default).
183 f FLOPPY.
185 gH;S; Override the default geometry; use H heads and S sectors-
187 per-track. (The number of cylinders is calculated auto‐
188 matically.)
189 i IDE. (This is the default for most machine types.)
191 oOFS; Set the base offset for an ISO9660 filesystem on a disk
193 image. The default is 0. A suitable offset when booting
194 from Dreamcast ISO9660 filesystem images, which are off‐
195 set by 11702 sectors, is 23965696.
196 r Read-only (don't allow changes to be written to the
198 file).
199 s SCSI.
201 t Tape.
203 V Add an overlay filename to an already defined disk image.
205 (A ID number must also be specified when this flag is
206 used. See the documentation for an example of how to use
207 overlays.)
208 0-7 Force a specific ID number.
210 For SCSI devices, the ID number is the SCSI ID. For IDE hard‐
212 disks, the ID number has the following meaning:
213 0 Primary master.
215 1 Primary slave.
217 2 Secondary master.
219 3 Secondary slave.
221 Unless otherwise specified, filenames ending with ".iso" or
223 ".cdr" are assumed to be CDROM images. Most others are assumed to
224 be disks. Depending on which machine is being emulated, the
225 default for disks can be either SCSI or IDE. Some disk images
226 that are very small are assumed to be floppy disks. (If you are
227 not happy with the way a disk image is detected, then you need to
228 use explicit prefixes to force a specific type.)
229 For floppies, the gH;S; prefix is ignored. Instead, the number of
231 heads and cylinders are assumed to be 2 and 80, respectively, and
232 the number of sectors per track is calculated automatically.
233 (This works for 720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
234 -I hz Set the main CPU's frequency to hz Hz. This option does not work
236 for all emulated machine modes. It affects the way count/compare
237 interrupts are faked to simulate emulated time = real world time.
238 If the guest operating system relies on RTC interrupts instead of
239 count/compare interrupts, then this option has no effect.
240 Setting the frequency to zero disables automatic synchronization
242 of emulated time vs real world time, and the count/compare system
243 runs at a fixed rate.
244 -i Enable instruction trace, i.e. display disassembly of each
246 instruction as it is being executed.
247 -J Disable instruction combinations in the dynamic translator.
249 -j n Set the name of the kernel to n. When booting from an ISO9660
251 filesystem, the emulator will try to boot using this file. (In
252 some emulation modes, eg. DECstation, this name is passed along
253 to the boot program. Useful names are "bsd" for OpenBSD/pmax,
254 "vmunix" for Ultrix, or "vmsprite" for Sprite.)
255 -M m Emulate m MBs of physical RAM. This overrides the default amount
257 of RAM for the selected machine type.
258 -N Display the number of executed instructions per second on aver‐
260 age, at regular intervals.
261 -n nr Set the number of processors in the machine, for SMP experiments.
263 Note 1: The emulator allocates quite a lot of virtual memory for
265 per-CPU translation tables. On 64-bit hosts, this is normally not
266 a problem. On 32-bit hosts, this can use up all available virtual
267 userspace memory. The solution is to either run the emulator on a
268 64-bit host, or limit the number of emulated CPUs to a reasonably
269 low number.
270 Note 2: SMP simulation is not working very well yet; multiple
272 processors are simulated, but synchronization between the proces‐
273 sors does not map very well to how real-world SMP systems work.
274 -O Force a "netboot" (tftp instead of disk), even when a disk image
276 is present (for DECstation, SGI, and ARC emulation).
277 -o arg Set the boot argument (mostly useful for DEC, ARC, or SGI emula‐
279 tion). Default arg for DEC is "-a", for ARC/SGI it is "-aN", and
280 for CATS it is "-A".
281 -p pc Add a breakpoint. pc can be a symbol, or a numeric value.
283 (Remember to use the "0x" prefix for hexadecimal values.)
284 -Q Disable the built-in (software-only) PROM emulation. This option
286 is useful for experimenting with running raw ROM images from real
287 machines. The default behaviour of the emulator is to "fake" cer‐
288 tain PROM calls used by guest operating systems (e.g. NetBSD), so
289 that no real PROM image is needed.
290 -R Use a random bootstrap cpu, instead of CPU nr 0. (This option is
292 only meaningful together with the -n option.)
293 -r Dump register contents for every executed instruction.
295 -S Initialize emulated RAM to random data, instead of zeroes. This
297 option is useful when trying to trigger bugs in a program that
298 occur because the program assumed that uninitialized memory con‐
299 tains zeros. (Use with care.)
300 -s flags:filename
302 Gather statistics based on the current emulated program counter
303 value, while the program executes. The statistics is actually
304 just a raw dump of all program counter values in sequence, suit‐
305 able for post-analysis with separate tools. Output is appended to
306 filename.
307 The flags should include one or more of the following type speci‐
309 fiers:
310 v Virtual. This means that the program counter value is
312 used.
313 p Physical. This means that the physical address of where
315 the program is actually running is used.
316 i Instruction call. This type of statistics gathering is
318 practically only useful during development of the emula‐
319 tor itself. The output is a list of addresses of instruc‐
320 tion call functions (ic->f), which after some post-pro‐
321 cessing can be used as a basis for deciding when to
322 implement instruction combinations.
323 The flags may also include the following optional modifiers:
325 d Disabled at startup.
327 o Overwrite the file, instead of appending to it.
329 Statistics gathering can be enabled/disabled at runtime by using
331 the "statistics_enabled = yes" and "statistics_enabled = no"
332 debugger commands.
333 When gathering instruction statistics using the -s option,
335 instruction combinations are always disabled (i.e. an implicit -J
336 flag is added to the command line).
337 -T Halt if the emulated program attempts to access non-existing mem‐
339 ory.
340 -t Show a trace tree of all function calls being made.
342 -U Enable slow_serial_interrupts_hack_for_linux.
344 -X Use X11. This option enables graphical framebuffers.
346 -x Open up new xterms for emulated serial ports. The default behav‐
348 iour is to open up xterms when using configuration files, or if
349 X11 is enabled. When starting up a simple emulation session with
350 settings directly on the command line, and neither -X nor -x is
351 used, then all output is confined to the terminal that gxemul
352 started in.
353 -Y n Scale down framebuffer windows by n x n times. This option is
355 useful when emulating a very large framebuffer, and the actual
356 display is of lower resolution. If n is negative, then there will
357 be no scaledown, but emulation of certain graphic controllers
358 will be scaled up by -n times instead. E.g. Using -2 with VGA
359 text mode emulation will result in 80x25 character cells rendered
360 in a 1280x800 window, instead of the normal resolution of
361 640x400.
362 -Z n Set the number of graphics cards, for emulating a dual-head or
364 tripple-head environment. (Only for DECstation emulation so far.)
365 -z disp
367 Add disp as an X11 display to use for framebuffers.
368 General options:
370 -c cmd Add cmd as a command to run before starting the simulation. A
372 similar effect can be achieved by using the -V option, and enter‐
373 ing the commands manually.
374 -D Causes the emulator to skip a call to srandom(). This leads to
376 somewhat more deterministic behaviour than running without this
377 option. However, if the emulated machine has clocks or timer
378 interrupt sources, or if user interaction is taking place (e.g.
379 keyboard input at irregular intervals), then this option is mean‐
380 ingless.
381 -H Display a list of available CPU types and machine types. (Most
383 of these don't work. Please read the HTML documentation included
384 in the gxemul distribution for details on which modes that actu‐
385 ally work.)
386 -h Display a list of all available command line options.
388 -k n Set the size of the dyntrans cache (per emulated CPU) to n MB.
390 The default size is 48 MB.
391 -K Force the single-step debugger to be entered at the end of a sim‐
393 ulation.
394 -q Quiet mode; this suppresses startup messages.
396 -V Start up in the single-step debugger, paused. If this option is
398 used, -q is ignored.
399 -v Increase verbosity (show more debug messages). This option can be
401 used multiple times.
402 Configuration file startup:
404 @ configfile
406 Start an emulation based on the contents of configfile.
407 For more information, please read the HTML documentation in the doc/ sub‐
409 directory of the gxemul distribution.
410
412 The following command will start NetBSD/pmax on an emulated DECstation
413 5000/200 (3MAX):
414 gxemul -e 3max -d nbsd_pmax.img
416 nbsd_pmax.img should be a raw disk image containing a bootable Net‐
418 BSD/pmax filesystem.
419 The following command will start an emulation session based on settings
421 in the configuration file "mysession". The -v option tells gxemul to be
422 verbose.
423 gxemul -v @mysession
425 If you have compiled the small Hello World program mentioned in the
427 gxemul documentation, the following command will start up an emulated
428 test machine in "paused" mode:
429 gxemul -E oldtestmips -V hello_mips
431 Paused mode means that you enter the interactive single-step debugger
433 directly at startup, instead of launching the Hello World program.
434 The paused mode is also what should be used when running "unknown" files
436 for the first time in the emulator. E.g. if you have a binary which you
437 think is some kind of MIPS ROM image, then you can try the following:
438 gxemul -vv -E baremips -V 0xbfc00000:image.raw
440 You can then use the single-stepping functionality of the built-in debug‐
442 ger to run the code in the ROM image, to see how it behaves. Based on
443 that, you can deduce what machine type it was actually from (the baremips
444 machine is not a real machine), and perhaps try again with another emula‐
445 tion mode.
446 In general, however, real ROM images require much more emulation detail
448 than GXemul provides, so they can usually not run.
449 Please read the HTML documentation for more details.
451
453 There are many bugs. Some of the known bugs are mentioned in the TODO
454 file in the gxemul source distribution, some are marked as TODO in the
455 source code itself.
456 Most emulation modes are legacy (Old framework) modes, which have not yet
458 been rewritten to use the new framework. The documentation is most likely
459 buggy, in the sense that it describes things from the old framework when
460 the new one applies, and/or vice versa.
461 gxemul is in general not cycle-accurate; it does not simulate individual
463 pipe-line stages or penalties caused by branch-prediction misses or cache
464 misses, so it cannot be used for accurate simulation of any actual real-
465 world processor.
466 gxemul is in general not timing-accurate. Many emulation modes try to
468 make the guest operating system's clock run at the same speed as the host
469 clock. However, the number of instructions executed per clock tick can
470 obviously vary, depending on the current CPU load on the host.
471
473 GXemul is Copyright (C) 2003-2018 Anders Gavare <gavare@gmail.com>
474 See http://gxemul.sourceforge.net/ for more information. For other Copy‐
476 right messages, see the corresponding parts of the source code and/or
477 documentation.
478BSD June 20, 2019 BSD