QEMU 设备模拟
设备模拟目的
我们好像不会干一件事而毫无目的,就算不停刷微信朋友圈也是为了打发你无聊的时间。
其实最装B的回答是:设备模拟的目的就是模拟设备。这话是屁话,不过也能说明些什么,确实是模拟设备,用软件的方式提供硬件设备具备的功能。
对于和PC机交互的硬件设备,主要要干两件事,一是提供IRQ中断,二是响应IO输入输出。IO包括PIO/MMIO/DMA等(DMA算不算IO?)
以i8254.c实现的pit为例,主要提供了IRQ注入和PIO响应,见初始化函数pit_initfn:
static const MemoryRegionOps pit_ioport_ops = { .read = pit_ioport_read, .write = pit_ioport_write, .impl = { .min_access_size = 1, .max_access_size = 1, }, .endianness = DEVICE_LITTLE_ENDIAN, }; static int pit_initfn(PITCommonState *pit) { PITChannelState *s; s = &pit->channels[0]; /* the timer 0 is connected to an IRQ */ //这里有个irq_timer,用于qemu_set_irq提供中断注入 s->irq_timer = qemu_new_timer_ns(vm_clock, pit_irq_timer, s); qdev_init_gpio_out(&pit->dev.qdev, &s->irq, 1); memory_region_init_io(&pit->ioports, &pit_ioport_ops, pit, "pit", 4); qdev_init_gpio_in(&pit->dev.qdev, pit_irq_control, 1); return 0; }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
staticconstMemoryRegionOpspit_ioport_ops={
.read=pit_ioport_read,
.write=pit_ioport_write,
.impl={
.min_access_size=1,
.max_access_size=1,
},
.endianness=DEVICE_LITTLE_ENDIAN,
};
staticintpit_initfn(PITCommonState*pit)
{
PITChannelState*s;
s=&pit->channels[0];
/* the timer 0 is connected to an IRQ */
//这里有个irq_timer,用于qemu_set_irq提供中断注入
s->irq_timer=qemu_new_timer_ns(vm_clock,pit_irq_timer,s);
qdev_init_gpio_out(&pit->dev.qdev,&s->irq,1);
memory_region_init_io(&pit->ioports,&pit_ioport_ops,pit,"pit",4);
qdev_init_gpio_in(&pit->dev.qdev,pit_irq_control,1);
return0;
}
|
这里的pit_ioport_ops,主要注册GUEST操作系统读写PIO时候的回调函数。
模块注册
QEMU要模拟模块那么多,以程序员的喜好,至少得来一套管理这些模拟设备模块的接口,以示设计良好。
QEMU将被模拟的模块分为了四类:
typedef enum { MODULE_INIT_BLOCK, MODULE_INIT_MACHINE, MODULE_INIT_QAPI, MODULE_INIT_QOM, MODULE_INIT_MAX } module_init_type;
|
1
2
3
4
5
6
7
|
typedefenum{
MODULE_INIT_BLOCK,
MODULE_INIT_MACHINE,
MODULE_INIT_QAPI,
MODULE_INIT_QOM,
MODULE_INIT_MAX
}module_init_type;
|
- BLOCK
比如磁盘IO就属于BLOCK类型,e.g: block_init(bdrv_qcow2_init); block_init(iscsi_block_init); - MACHINE
PC虚拟machine_init(pc_machine_init); XEN半虚拟化machine_init(xenpv_machine_init); MIPS虚拟machine_init(mips_machine_init); - QAPI
QEMU GUEST AGENT模块里面会执行QAPI注册的回调 - QOM
QOM树大枝多,儿孙满堂,应该是这里面最复杂的一个,我们重点介绍。
e.g:ObjectClass -> PCIDeviceClass //显卡type_init(cirrus_vga_register_types),网卡 type_init(rtl8139_register_types) IDEDeviceClass //IDE硬盘或CD-ROM type_init(ide_register_types) ISADeviceClass //鼠标键盘type_init(i8042_register_types),RTC时钟type_init(pit_register) SysBusDeviceClass //MMIO IDE(IDE设备直接连接CPU bus而不是连接IDE controller)type_init(mmio_ide_register_types) CPUClass -> X86CPUClass //X86 CPU架构 -> CRISCPUClass12345ObjectClass-> PCIDeviceClass //显卡type_init(cirrus_vga_register_types),网卡type_init(rtl8139_register_types)IDEDeviceClass //IDE硬盘或CD-ROM type_init(ide_register_types)ISADeviceClass //鼠标键盘type_init(i8042_register_types),RTC时钟type_init(pit_register)SysBusDeviceClass//MMIO IDE(IDE设备直接连接CPU bus而不是连接IDE controller)type_init(mmio_ide_register_types) CPUClass -> X86CPUClass //X86 CPU架构-> CRISCPUClass
注册QOM设备的时候,使用QEMU提供的宏,type_init宏进行注册:
#define type_init(function) module_init(function, MODULE_INIT_QOM) #define module_init(function, type) \ static void __attribute__((constructor)) do_qemu_init_ ## function(void) { \ register_module_init(function, type); \ }
|
1
2
3
4
5
|
#define type_init(function) module_init(function, MODULE_INIT_QOM)
#define module_init(function, type) \
staticvoid__attribute__((constructor))do_qemu_init_## function(void) { \
register_module_init(function,type);\
}
|
这和写LINUX驱动类似,一般写在一个模块实现文件的最底部,以pit为例,写的是type_init(pit_register_types)展开后为:
static void __attribute__((constructor)) do_qemu_init_pit_register_types(void) { register_module_init(pit_register_types, MODULE_INIT_QOM); }
|
1
2
3
4
|
staticvoid__attribute__((constructor))do_qemu_init_pit_register_types(void)
{
register_module_init(pit_register_types,MODULE_INIT_QOM);
}
|
那么,这个do_qemu_init_pit_register_types何时调用?
在gcc里面,给函数加上__attribute__((destructor)),表示此函数需要在main开始前自动调用,测试调用顺序是: 全局对象构造函数 -> __attribute__((constructor)) -> main -> 全局对象析构函数 -> __attribute__((destructor))。
调用register_module_init就是将pit_register_types回调函数插入util\module.c里定义的init_type_list[MODULE_INIT_QOM]链表内。
void register_module_init(void (*fn)(void), module_init_type type) { ModuleEntry *e; ModuleTypeList *l; e = g_malloc0(sizeof(*e)); e->init = fn; //init指针被设置为fn l = find_type(type); QTAILQ_INSERT_TAIL(l, e, node); }
|
1
2
3
4
5
6
7
8
9
|
voidregister_module_init(void(*fn)(void),module_init_typetype)
{
ModuleEntry*e;
ModuleTypeList*l;
e=g_malloc0(sizeof(*e));
e->init=fn;//init指针被设置为fn
l=find_type(type);
QTAILQ_INSERT_TAIL(l,e,node);
}
|
通过下面main函数的部分代码可以看出,模块初始化顺序是QOM->MACHINE->BLOCK,至于QAPI,在这个流程里没看到。
void main() { module_call_init(MODULE_INIT_QOM); //初始化设备 qemu_add_opts //初始化默认选项 module_call_init(MODULE_INIT_MACHINE); //初始化机器类型 machine = find_default_machine(); //这里对machine赋值,下面还会通过参数更改machine vtp_script_execute(g_qemu_start_hook_path, g_fairsched_string, TYPE_START); //开机启动脚本的调用 深度分析启动参数 bdrv_init_with_whitelist -> bdrv_init -> module_call_init(MODULE_INIT_BLOCK); //初始化BLOCK设备 machine->init(&args); //初始化machine qemu_run_machine_init_done_notifiers(); //初始化成功回调通知 qemu_system_reset(VMRESET_SILENT);//system reset 启动运行 if (loadvm) { load_vmstate(loadvm); } else if (loadstate) { load_state_from_blockdev(loadstate); } resume_all_vcpus(); main_loop(); //进入主循环 }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
voidmain()
{
module_call_init(MODULE_INIT_QOM);//初始化设备
qemu_add_opts//初始化默认选项
module_call_init(MODULE_INIT_MACHINE);//初始化机器类型
machine=find_default_machine();//这里对machine赋值,下面还会通过参数更改machine
vtp_script_execute(g_qemu_start_hook_path,g_fairsched_string,TYPE_START);//开机启动脚本的调用
深度分析启动参数
bdrv_init_with_whitelist->bdrv_init->module_call_init(MODULE_INIT_BLOCK);//初始化BLOCK设备
machine->init(&args);//初始化machine
qemu_run_machine_init_done_notifiers();//初始化成功回调通知
qemu_system_reset(VMRESET_SILENT);//system reset 启动运行
if(loadvm){
load_vmstate(loadvm);
}elseif(loadstate){
load_state_from_blockdev(loadstate);
}
resume_all_vcpus();
main_loop();//进入主循环
}
|
在main函数进来的时候,首先调用module_call_init(MODULE_INIT_QOM);
void module_call_init(module_init_type type) { ModuleTypeList *l; ModuleEntry *e; l = find_type(type); QTAILQ_FOREACH(e, l, node) { e->init(); //这里,就是调用刚才注册的回调,例如,对于kvm-pit来说,调用的是pit_register } }
|
1
2
3
4
5
6
7
8
9
|
voidmodule_call_init(module_init_typetype)
{
ModuleTypeList*l;
ModuleEntry*e;
l=find_type(type);
QTAILQ_FOREACH(e,l,node){
e->init();//这里,就是调用刚才注册的回调,例如,对于kvm-pit来说,调用的是pit_register
}
}
|
此module_call_init将依次调用注册的回调,如PIT的pit_register_types:
static const TypeInfo pit_info = { .name = "isa-pit", //做为type_table的key .parent = "pit-common", //父类型,这个比较重要,如果本TypeInfo没有设置class_size,会根据parent获取parent TypeImpl的class_size .instance_size = sizeof(PITCommonState),//分配实例的大小 .class_init = pit_class_init, //初始化函数 }; static void pit_register_types(void) { type_register_static(&pit_info); }
|
1
2
3
4
5
6
7
8
9
10
11
|
staticconstTypeInfopit_info={
.name ="isa-pit", //做为type_table的key
.parent ="pit-common", //父类型,这个比较重要,如果本TypeInfo没有设置class_size,会根据parent获取parent TypeImpl的class_size
.instance_size=sizeof(PITCommonState),//分配实例的大小
.class_init=pit_class_init, //初始化函数
};
staticvoidpit_register_types(void)
{
type_register_static(&pit_info);
}
|
pit_register_types又进一步调用type_register_static -> type_register -> type_register_internal,这个函数完成的功能其实只是在qom\object.c的type_table里插入了一个HASH键值 对,以TypeInfo的name为KEY,malloc了一个TypeInfo结构的超集TypeImpl为VALUE,在以name为KEY回溯 parent时需要TypeImpl,其实这个hash也可以做成一个tree。
QOM的Object模型
以pit为例,通过回溯parent你可以看到,其定义TypeInfo最终形成一个继承关系:
"isa-pit" -> "pit-common" -> "isa-device" -> "device" -> "object"
qom\object.c
static TypeInfo object_info = { .name = "object", .instance_size = sizeof(Object), .instance_init = object_instance_init, .abstract = true, };
|
1
2
3
4
5
6
|
staticTypeInfoobject_info={
.name="object",
.instance_size=sizeof(Object),
.instance_init=object_instance_init,
.abstract=true,
};
|
hw\qdev.c
static const TypeInfo device_type_info = { .name = "device", .parent = "object" , .instance_size = sizeof(DeviceState), .instance_init = device_initfn, .instance_finalize = device_finalize, .class_base_init = device_class_base_init, .class_init = device_class_init, .abstract = true, .class_size = sizeof(DeviceClass), };
|
1
2
3
4
5
6
7
8
9
10
11
|
staticconstTypeInfodevice_type_info={
.name="device",
.parent="object",
.instance_size=sizeof(DeviceState),
.instance_init=device_initfn,
.instance_finalize=device_finalize,
.class_base_init=device_class_base_init,
.class_init=device_class_init,
.abstract=true,
.class_size=sizeof(DeviceClass),
};
|
hw\isa-bus.c
static const TypeInfo isa_device_type_info = { .name = "isa-device", .parent = "device", .instance_size = sizeof(ISADevice), .abstract = true, .class_size = sizeof(ISADeviceClass), .class_init = isa_device_class_init, };
|
1
2
3
4
5
6
7
8
|
staticconstTypeInfoisa_device_type_info={
.name="isa-device",
.parent="device",
.instance_size=sizeof(ISADevice),
.abstract=true,
.class_size=sizeof(ISADeviceClass),
.class_init=isa_device_class_init,
};
|
hw\i8254_common.c
static const TypeInfo pit_common_type = { .name = "pit-common", .parent = "isa-device", .instance_size = sizeof(PITCommonState), .class_size = sizeof(PITCommonClass), .class_init = pit_common_class_init, .abstract = true, };
|
1
2
3
4
5
6
7
8
|
staticconstTypeInfopit_common_type={
.name ="pit-common",
.parent ="isa-device",
.instance_size=sizeof(PITCommonState),
.class_size =sizeof(PITCommonClass),
.class_init =pit_common_class_init,
.abstract =true,
};
|
hw\i8254.c
static const TypeInfo pit_info = { .name = "isa-pit", .parent = "pit-common", .instance_size = sizeof(PITCommonState), .class_init = pit_class_initfn, };
|
1
2
3
4
5
6
|
staticconstTypeInfopit_info={
.name ="isa-pit",
.parent ="pit-common",
.instance_size=sizeof(PITCommonState),
.class_init =pit_class_initfn,
};
|
由于TypeInfo只是注册时临时使用,而TypeImpl是TypeInfo的超集,所以,这层关系也反应了TypeImpl的继承关系。
struct TypeImpl { const char *name; size_t class_size; size_t instance_size; void (*class_init)(ObjectClass *klass, void *data); void (*class_base_init)(ObjectClass *klass, void *data); void (*class_finalize)(ObjectClass *klass, void *data); void *class_data; void (*instance_init)(Object *obj); void (*instance_finalize)(Object *obj); bool abstract; const char *parent; TypeImpl *parent_type; ObjectClass *class; int num_interfaces; InterfaceImpl interfaces[MAX_INTERFACES]; };
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
structTypeImpl
{
constchar*name;
size_tclass_size;
size_tinstance_size;
void(*class_init)(ObjectClass*klass,void*data);
void(*class_base_init)(ObjectClass*klass,void*data);
void(*class_finalize)(ObjectClass*klass,void*data);
void*class_data;
void(*instance_init)(Object*obj);
void(*instance_finalize)(Object*obj);
boolabstract;
constchar*parent;
TypeImpl*parent_type;
ObjectClass*class;
intnum_interfaces;
InterfaceImplinterfaces[MAX_INTERFACES];
};
|
Figure 1 TypeImpl图解
打印查看TypeImpl属性:
(gdb) p *obj->class->type //struct TypeImpl * type
$13 = {name = 0x5555566e5e30 "mc146818rtc", class_size = 128, instance_size = 664, class_init = 0x55555579b790 , class_base_init = 0,
class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = false, parent = 0x5555566e5e50 "isa-device",
parent_type = 0x5555566d8bd0, class = 0x555556a50e50, num_interfaces = 0, interfaces = {{typename = 0x0} }}
$13 = {name = 0x5555566e5e30 "mc146818rtc", class_size = 128, instance_size = 664, class_init = 0x55555579b790 , class_base_init = 0,
class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = false, parent = 0x5555566e5e50 "isa-device",
parent_type = 0x5555566d8bd0, class = 0x555556a50e50, num_interfaces = 0, interfaces = {{typename = 0x0} }}
其主要包含如下部分:
- name/parent/parent_type 表示自己的,父亲的KEY和TypeImpl指针。
- class/class_size/class_init/class_base_init/class_finalize/class_data 和ObjectClass联系,组成继承关系。
- instance_init/instance_finalize和ObjectClass有裙带关系的Object,共同完成继承体系。
- num_interfaces/interfaces 用于管理接口。
Object和ObjectClass的关系
还是通过这条继承链来看:
"isa-pit" -> "pit-common" -> "isa-device" -> "device" -> "object"
其中ObjectClass链的定义为:
struct ObjectClass { /*< private >*/ Type type; GSList *interfaces; ObjectUnparent *unparent; }; typedef struct DeviceClass { /*< private >*/ ObjectClass parent_class; /*< public >*/ const char *fw_name; const char *desc; Property *props; int no_user; /* callbacks */ void (*reset)(DeviceState *dev); DeviceRealize realize; DeviceUnrealize unrealize; /* device state */ const struct VMStateDescription *vmsd; /* Private to qdev / bus. */ qdev_initfn init; /* TODO remove, once users are converted to realize */ qdev_event unplug; qdev_event exit; const char *bus_type; } DeviceClass; typedef struct ISADeviceClass { DeviceClass parent_class; int (*init)(ISADevice *dev); } ISADeviceClass; typedef struct PITCommonClass { ISADeviceClass parent_class; int (*init)(PITCommonState *s); void (*set_channel_gate)(PITCommonState *s, PITChannelState *sc, int val); void (*get_channel_info)(PITCommonState *s, PITChannelState *sc, PITChannelInfo *info); void (*pre_save)(PITCommonState *s); void (*post_load)(PITCommonState *s); } PITCommonClass;
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
structObjectClass
{
/*< private >*/
Typetype;
GSList*interfaces;
ObjectUnparent*unparent;
};
typedefstructDeviceClass{
/*< private >*/
ObjectClassparent_class;
/*< public >*/
constchar*fw_name;
constchar*desc;
Property*props;
intno_user;
/* callbacks */
void(*reset)(DeviceState*dev);
DeviceRealizerealize;
DeviceUnrealizeunrealize;
/* device state */
conststructVMStateDescription*vmsd;
/* Private to qdev / bus. */
qdev_initfninit;/* TODO remove, once users are converted to realize */
qdev_eventunplug;
qdev_eventexit;
constchar*bus_type;
}DeviceClass;
typedefstructISADeviceClass{
DeviceClassparent_class;
int(*init)(ISADevice*dev);
}ISADeviceClass;
typedefstructPITCommonClass{
ISADeviceClassparent_class;
int(*init)(PITCommonState*s);
void(*set_channel_gate)(PITCommonState*s,PITChannelState*sc,intval);
void(*get_channel_info)(PITCommonState*s,PITChannelState*sc,
PITChannelInfo*info);
void(*pre_save)(PITCommonState*s);
void(*post_load)(PITCommonState*s);
}PITCommonClass;
|
下层定义包含上层,很明显的继承模型,ObjectClass更像C++的CLASS,而Object链的定义为:
struct Object { /*< private >*/ ObjectClass *class; ObjectFree *free; QTAILQ_HEAD(, ObjectProperty) properties; uint32_t ref; Object *parent; }; struct DeviceState { /*< private >*/ Object parent_obj; /*< public >*/ const char *id; bool realized; QemuOpts *opts; int hotplugged; BusState *parent_bus; int num_gpio_out; qemu_irq *gpio_out; int num_gpio_in; qemu_irq *gpio_in; QLIST_HEAD(, BusState) child_bus; int num_child_bus; int instance_id_alias; int alias_required_for_version; }; struct ISADevice { DeviceState qdev; uint32_t isairq[2]; int nirqs; int ioport_id; }; typedef struct PITCommonState { ISADevice dev; MemoryRegion ioports; uint32_t iobase; PITChannelState channels[3]; } PITCommonState;
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
structObject
{
/*< private >*/
ObjectClass*class;
ObjectFree*free;
QTAILQ_HEAD(,ObjectProperty)properties;
uint32_tref;
Object*parent;
};
structDeviceState{
/*< private >*/
Objectparent_obj;
/*< public >*/
constchar*id;
boolrealized;
QemuOpts*opts;
inthotplugged;
BusState*parent_bus;
intnum_gpio_out;
qemu_irq*gpio_out;
intnum_gpio_in;
qemu_irq*gpio_in;
QLIST_HEAD(,BusState)child_bus;
intnum_child_bus;
intinstance_id_alias;
intalias_required_for_version;
};
structISADevice{
DeviceStateqdev;
uint32_tisairq[2];
intnirqs;
intioport_id;
};
typedefstructPITCommonState{
ISADevicedev;
MemoryRegionioports;
uint32_tiobase;
PITChannelStatechannels[3];
}PITCommonState;
|
有了ObjectClass为什么还要有个Object?从代码看,ObjectClass只有一份实例,而Object是可以多个实例 的,Object引用ObjectClass获得ObjectClass的特征,但是同时又节约了初始化和存放ObjectClass的CPU和空间,相 同的ObjectClass可以被多个Object引用,例如scsi-disk.c里面有"scsi-hd","scsi-cd","scsi- block","scsi-disk"四种Object共同引用了"scsi-device"。这里可以想象成C++的虚继承,ObjectClass是 virtual class而Object是class。其实两者是可以柔和在一起的,Object也有对应的继承关系,用来保存特定属性。
Figure 2 ObjectClass和Object 关系
Object和ObjectClass的初始化
上面讲的Object和ObjectClass主要是完成一个对象继承模型,从代码看QEMU的这个模型实现并不非常很优雅,封装不够彻底,就像你妈给你做了条裤子,却没有做裤腰带,还得提着上路。
Object和ObjectClass的初始化方式并不一致,需要分别初始化,ObjectClass通常使用object_class_by_name 获取,此函数会根据提供的KEY去查找TypeImpl并初始化ObjectClass指针;而Object的初始化是使用的object_new,通过 参数KEY查找TypeImpl然后malloc 实例。以qdev_try_create获取"isa-pit"的Object DeviceState实例来说,其获取DeviceState的函数如此定义:
DeviceState *qdev_try_create(BusState *bus, const char *type) { DeviceState *dev; //这个type为TypeInfo.name,例如"isa-pit" if (object_class_by_name(type) == NULL) { return NULL; } //type_initialize完成后,object_new用来实例化一个instance dev = DEVICE(object_new(type));// = DEVICE(object_new_with_type(type_get_by_name(typename))) if (!dev) { return NULL; } if (!bus) { bus = sysbus_get_default(); } qdev_set_parent_bus(dev, bus); object_unref(OBJECT(dev)); return dev; } ObjectClass *object_class_by_name(const char *typename) { //之前在type_register_static的时候,注册了TypeInfo.name,例如"isa-pit"为key的TypeImpl TypeImpl *type = type_get_by_name(typename); if (!type) { return NULL; } type_initialize(type); //这里面,初始化class, return type->class; } //其实这个函数更应该叫做new_TypeInfo_class() static void type_initialize(TypeImpl *ti) { TypeImpl *parent; if (ti->class) { return; } /* type_class_get_size 首先获取自己的class_size变量,如果没有,再找parent类型所指的TypeImpl的class_size,直到找到为止 比如"isa-pit"没有设置class_size,那么获取的是"pit-common"的class_size, 而type_object_get_size也是类似 static const TypeInfo pit_common_type = { .name = "pit-common", .parent = "isa-device", .instance_size = sizeof(PITCommonState), .class_size = sizeof(PITCommonClass), .class_init = pit_common_class_init, .abstract = true, }; */ ti->class_size = type_class_get_size(ti); ti->instance_size = type_object_get_size(ti); ti->class = g_malloc0(ti->class_size); parent = type_get_parent(ti); if (parent) { //1,保证parent初始化了 type_initialize(parent); GSList *e; int i; //2,将parent的class内容memcpy一份给自己的对应的parent区域 g_assert(parent->class_size <= ti->class_size); memcpy(ti->class, parent->class, parent->class_size); //3,将parent里面的class的interfaces做一次深度复制,复制给自己 for (e = parent->class->interfaces; e; e = e->next) { ObjectClass *iface = e->data; type_initialize_interface(ti, object_class_get_name(iface)); } //4.如果本类型有自己的interfaces,初始化 for (i = 0; i < ti->num_interfaces; i++) { TypeImpl *t = type_get_by_name(ti->interfaces[i].typename); for (e = ti->class->interfaces; e; e = e->next) { TypeImpl *target_type = OBJECT_CLASS(e->data)->type; if (type_is_ancestor(target_type, t)) { break; } } if (e) { continue; } type_initialize_interface(ti, ti->interfaces[i].typename); } } ti->class->type = ti; while (parent) { if (parent->class_base_init) { //回溯回调parent的class_base_init函数 parent->class_base_init(ti->class, ti->class_data); } parent = type_get_parent(parent); } if (ti->class_init) { /* 如果本类设置了class_init,回调它,ti->class_data是一个void*的参数 比如"isa-pit"我们设置了pit_class_initfn 这个函数主要干啥?主要填充class里的其他该填充的地方。 malloc之后你总得调用构造函数吧,调用构造函数的第一句都是super(xxx) 这工作前面,2,3步骤已经做了,然后干你自己的活。见pit_class_initfn定义 */ ti->class_init(ti->class, ti->class_data); } }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
DeviceState*qdev_try_create(BusState*bus,constchar*type)
{
DeviceState*dev;
//这个type为TypeInfo.name,例如"isa-pit"
if(object_class_by_name(type)==NULL){
returnNULL;
}
//type_initialize完成后,object_new用来实例化一个instance
dev=DEVICE(object_new(type));// = DEVICE(object_new_with_type(type_get_by_name(typename)))
if(!dev){
returnNULL;
}
if(!bus){
bus=sysbus_get_default();
}
qdev_set_parent_bus(dev,bus);
object_unref(OBJECT(dev));
returndev;
}
ObjectClass*object_class_by_name(constchar*typename)
{
//之前在type_register_static的时候,注册了TypeInfo.name,例如"isa-pit"为key的TypeImpl
TypeImpl*type=type_get_by_name(typename);
if(!type){
returnNULL;
}
type_initialize(type);//这里面,初始化class,
returntype->class;
}
//其实这个函数更应该叫做new_TypeInfo_class()
staticvoidtype_initialize(TypeImpl*ti)
{
TypeImpl*parent;
if(ti->class){
return;
}
/*
type_class_get_size 首先获取自己的class_size变量,如果没有,再找parent类型所指的TypeImpl的class_size,直到找到为止
比如"isa-pit"没有设置class_size,那么获取的是"pit-common"的class_size, 而type_object_get_size也是类似
static const TypeInfo pit_common_type = {
.name = "pit-common",
.parent = "isa-device",
.instance_size = sizeof(PITCommonState),
.class_size = sizeof(PITCommonClass),
.class_init = pit_common_class_init,
.abstract = true,
};
*/
ti->class_size=type_class_get_size(ti);
ti->instance_size=type_object_get_size(ti);
ti->class=g_malloc0(ti->class_size);
parent=type_get_parent(ti);
if(parent){
//1,保证parent初始化了
type_initialize(parent);
GSList*e;
inti;
//2,将parent的class内容memcpy一份给自己的对应的parent区域
g_assert(parent->class_size<=ti->class_size);
memcpy(ti->class,parent->class,parent->class_size);
//3,将parent里面的class的interfaces做一次深度复制,复制给自己
for(e=parent->class->interfaces;e;e=e->next){
ObjectClass*iface=e->data;
type_initialize_interface(ti,object_class_get_name(iface));
}
//4.如果本类型有自己的interfaces,初始化
for(i=0;inum_interfaces;i++){
TypeImpl*t=type_get_by_name(ti->interfaces[i].typename);
for(e=ti->class->interfaces;e;e=e->next){
TypeImpl*target_type=OBJECT_CLASS(e->data)->type;
if(type_is_ancestor(target_type,t)){
break;
}
}
if(e){
continue;
}
type_initialize_interface(ti,ti->interfaces[i].typename);
}
}
ti->class->type=ti;
while(parent){
if(parent->class_base_init){
//回溯回调parent的class_base_init函数
parent->class_base_init(ti->class,ti->class_data);
}
parent=type_get_parent(parent);
}
if(ti->class_init){
/*
如果本类设置了class_init,回调它,ti->class_data是一个void*的参数
比如"isa-pit"我们设置了pit_class_initfn
这个函数主要干啥?主要填充class里的其他该填充的地方。
malloc之后你总得调用构造函数吧,调用构造函数的第一句都是super(xxx)
这工作前面,2,3步骤已经做了,然后干你自己的活。见pit_class_initfn定义
*/
ti->class_init(ti->class,ti->class_data);
}
}
|
上述代码把object_class_by_name的流程说完了,再看看object_new(type) = object_new_with_type(type_get_by_name(typename))的流程:
Object *object_new_with_type(Type type) { Object *obj; g_assert(type != NULL); type_initialize(type); obj = g_malloc(type->instance_size); //这个instance_size是初始化TypeInfo的时候设置的sizeof(PITCommonState) object_initialize_with_type(obj, type); obj->free = g_free; return obj; } void object_initialize_with_type(void *data, TypeImpl *type) { Object *obj = data; g_assert(type != NULL); type_initialize(type); g_assert(type->instance_size >= sizeof(Object)); g_assert(type->abstract == false); memset(obj, 0, type->instance_size); obj->class = type->class; //instace的类型通过class指针指定 object_ref(obj); QTAILQ_INIT(&obj->properties); object_init_with_type(obj, type); //深度递归调用TypeImpl及其parent的instance_init函数指针,相当于new instance的构造函数 }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Object*object_new_with_type(Typetype)
{
Object*obj;
g_assert(type!=NULL);
type_initialize(type);
obj=g_malloc(type->instance_size);//这个instance_size是初始化TypeInfo的时候设置的sizeof(PITCommonState)
object_initialize_with_type(obj,type);
obj->free=g_free;
returnobj;
}
voidobject_initialize_with_type(void*data,TypeImpl*type)
{
Object*obj=data;
g_assert(type!=NULL);
type_initialize(type);
g_assert(type->instance_size>=sizeof(Object));
g_assert(type->abstract==false);
memset(obj,0,type->instance_size);
obj->class=type->class;//instace的类型通过class指针指定
object_ref(obj);
QTAILQ_INIT(&obj->properties);
object_init_with_type(obj,type);//深度递归调用TypeImpl及其parent的instance_init函数指针,相当于new instance的构造函数
}
|
qdev_try_create->object_class_by_name->type_initialize的调用流程,如果父 ObjectClass没初始化,会初始化父ObjectClass,此时调用到父ObjectClass对应name的TypeImpl的 class_init函数,例如"pit-common"的class_init回调pit_common_class_init,此回调会设置 ISADeviceClass的init回调为pit_init_common。
Object类型转换
再解释下Object里常用的一个宏:OBJECT_CHECK,以ISA_DEVICE这段代码为例:
static const TypeInfo mc146818rtc_info = { .name = "mc146818rtc", .parent = "isa-device", .instance_size = sizeof(RTCState), .class_init = rtc_class_initfn, }; ISADevice *isa_create(ISABus *bus, const char *name) { DeviceState *dev; if (!bus) { hw_error("Tried to create isa device %s with no isa bus present.", name); } dev = qdev_create(&bus->qbus, name); return ISA_DEVICE(dev);//毫无疑问,"mc146818rtc"肯定可以转换为"isa-device",why?见mc146818rtc_info定义 } ISADevice *dev = isa_create(bus, "mc146818rtc");
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
staticconstTypeInfomc146818rtc_info={
.name ="mc146818rtc",
.parent ="isa-device",
.instance_size=sizeof(RTCState),
.class_init =rtc_class_initfn,
};
ISADevice*isa_create(ISABus*bus,constchar*name)
{
DeviceState*dev;
if(!bus){
hw_error("Tried to create isa device %s with no isa bus present.",name);
}
dev=qdev_create(&bus->qbus,name);
returnISA_DEVICE(dev);//毫无疑问,"mc146818rtc"肯定可以转换为"isa-device",why?见mc146818rtc_info定义
}
ISADevice*dev=isa_create(bus,"mc146818rtc");
|
这里的ISA_DEVICE体现了OBJECT的类型转换功能,宏定义为:
#define OBJECT(obj) \ ((Object *)(obj)) #define OBJECT_CHECK(type, obj, name) \ ((type *)object_dynamic_cast_assert(OBJECT(obj), (name))) #define ISA_DEVICE(obj) \ OBJECT_CHECK(ISADevice, (obj), TYPE_ISA_DEVICE)
|
1
2
3
4
5
6
|
#define OBJECT(obj) \
((Object*)(obj))
#define OBJECT_CHECK(type, obj, name) \
((type*)object_dynamic_cast_assert(OBJECT(obj),(name)))
#define ISA_DEVICE(obj) \
OBJECT_CHECK(ISADevice,(obj),TYPE_ISA_DEVICE)
|
展开后为:
#define ISA_DEVICE(dev) (ISADevice*)object_class_dynamic_cast(((Object *)dev)->class, "isa-device")
|
1
|
#define ISA_DEVICE(dev) (ISADevice*)object_class_dynamic_cast(((Object *)dev)->class, "isa-device")
|
object.c里面定义了object_class_dynamic_cast函数,其实此函数功能比较简单,就是通过遍历parent看当前class是否有一个祖先是typename,其定义如下:
ObjectClass *object_class_dynamic_cast(ObjectClass *class, const char *typename) { TypeImpl *target_type = type_get_by_name(typename); //找到"isa-device"对应的TypeImpl* TypeImpl *type = class->type; //本ObjectClass真实的TypeImpl*,其实这里是"mc146818rtc" ObjectClass *ret = NULL; /* (gdb) p *target_type $31 = {name = 0x5555566d0b20 "isa-device", class_size = 128, instance_size = 160, class_init = 0x55555568ddd0 , class_base_init = 0, class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = true, parent = 0x5555566d0a40 "device", parent_type = 0x5555566da730, class = 0x555556a14750, num_interfaces = 0, interfaces = {{typename = 0x0} }} (gdb) p *type_interface $33 = {name = 0x5555566e40b0 "interface", class_size = 32, instance_size = 0, class_init = 0, class_base_init = 0, class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = true, parent = 0x0, parent_type = 0x0, class = 0x0, num_interfaces = 0, interfaces = {{ typename = 0x0} }} type_is_ancestor用于判断,"interface"是否是"isa-device"的祖先(判断方法是递归遍历"isa-device" 的parent,比较是否有"interface"),如果是,那么要考虑interface的情况,这里不是,且 type->num_interfaces为0 */ if (type->num_interfaces && type_is_ancestor(target_type, type_interface)) { int found = 0; GSList *i; for (i = class->interfaces; i; i = i->next) { ObjectClass *target_class = i->data; if (type_is_ancestor(target_class->type, target_type)) { ret = target_class; found++; } } /* The match was ambiguous, don't allow a cast */ if (found > 1) { ret = NULL; } } else if (type_is_ancestor(type, target_type)) { /* 判断type="mc146818rtc"的祖先是否是target_type="isa-device", 如果是,这里表示子类class="mc146818rtc"能成功转换为父类typename="isa-device"所指的ObjectClass */ ret = class; } return ret; }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
ObjectClass*object_class_dynamic_cast(ObjectClass*class,
constchar*typename)
{
TypeImpl*target_type=type_get_by_name(typename);//找到"isa-device"对应的TypeImpl*
TypeImpl*type=class->type;//本ObjectClass真实的TypeImpl*,其实这里是"mc146818rtc"
ObjectClass*ret=NULL;
/*
(gdb) p *target_type
$31 = {name = 0x5555566d0b20 "isa-device", class_size = 128, instance_size = 160, class_init = 0x55555568ddd0 , class_base_init = 0,
class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = true, parent = 0x5555566d0a40 "device", parent_type = 0x5555566da730,
class = 0x555556a14750, num_interfaces = 0, interfaces = {{typename = 0x0} }}
(gdb) p *type_interface
$33 = {name = 0x5555566e40b0 "interface", class_size = 32, instance_size = 0, class_init = 0, class_base_init = 0, class_finalize = 0, class_data = 0x0,
instance_init = 0, instance_finalize = 0, abstract = true, parent = 0x0, parent_type = 0x0, class = 0x0, num_interfaces = 0, interfaces = {{
typename = 0x0} }}
type_is_ancestor 用于判断,"interface"是否是"isa-device"的祖先(判断方法是递归遍历"isa-device"的parent,比较是否 有"interface"),如果是,那么要考虑interface的情况,这里不是,且type->num_interfaces为0
*/
if(type->num_interfaces&&type_is_ancestor(target_type,type_interface)){
intfound=0;
GSList*i;
for(i=class->interfaces;i;i=i->next){
ObjectClass*target_class=i->data;
if(type_is_ancestor(target_class->type,target_type)){
ret=target_class;
found++;
}
}
/* The match was ambiguous, don't allow a cast */
if(found>1){
ret=NULL;
}
}elseif(type_is_ancestor(type,target_type)){
/*
判断type="mc146818rtc"的祖先是否是target_type="isa-device",
如果是,这里表示子类class="mc146818rtc"能成功转换为父类typename="isa-device"所指的ObjectClass
*/
ret=class;
}
returnret;
}
|
GDB显示其内部数据为:
(gdb) p *obj //Object *obj
$11 = {class = 0x555556a50e50, free = 0x7ffff7424020 , properties = {tqh_first = 0x555556a17da0, tqh_last = 0x555556a50fd0}, ref = 1, parent = 0x0}
(gdb) p *obj->class //ObjectClass * class
$12 = {type = 0x5555566e5cb0, interfaces = 0x0, unparent = 0x5555556b1ac0 }
(gdb) p *obj->class->type //struct TypeImpl * type
$13 = {name = 0x5555566e5e30 "mc146818rtc", class_size = 128, instance_size = 664, class_init = 0x55555579b790 , class_base_init = 0,
class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = false, parent = 0x5555566e5e50 "isa-device",
parent_type = 0x5555566d8bd0, class = 0x555556a50e50, num_interfaces = 0, interfaces = {{typename = 0x0} }}
$11 = {class = 0x555556a50e50, free = 0x7ffff7424020 , properties = {tqh_first = 0x555556a17da0, tqh_last = 0x555556a50fd0}, ref = 1, parent = 0x0}
(gdb) p *obj->class //ObjectClass * class
$12 = {type = 0x5555566e5cb0, interfaces = 0x0, unparent = 0x5555556b1ac0 }
(gdb) p *obj->class->type //struct TypeImpl * type
$13 = {name = 0x5555566e5e30 "mc146818rtc", class_size = 128, instance_size = 664, class_init = 0x55555579b790 , class_base_init = 0,
class_finalize = 0, class_data = 0x0, instance_init = 0, instance_finalize = 0, abstract = false, parent = 0x5555566e5e50 "isa-device",
parent_type = 0x5555566d8bd0, class = 0x555556a50e50, num_interfaces = 0, interfaces = {{typename = 0x0} }}
QOM设备初始化
基于Object和ObjectClass实现的QOM设备,何时触发他的初始化,以PIT为例,将之前的Object和ObjectClass想象成C++,那么PIT对应的PitCommonState定义应该类似如下所示:
class PITCommonClass : public ISADeviceClass { public: virtual int init(PITCommonState *s) = 0; }; class ISADevice : public DeviceState { public: int nirqs; int ioport_id; }; class PITCommonState : public ISADevice, public PITCommonClass { int init(PITCommonState *s); };
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
classPITCommonClass:publicISADeviceClass{
public:
virtualintinit(PITCommonState*s)=0;
};
classISADevice:publicDeviceState{
public:
intnirqs;
intioport_id;
};
classPITCommonState:publicISADevice,publicPITCommonClass{
intinit(PITCommonState*s);
};
|
看吧,QEMU绕了这么大一个圈子,就想实现这样一个结构,所以有的时候用C++还是有好处的(虽然本人生理周期现正处于不太喜欢C++时间)。
那么,何处调用了new PITCommonState()?
这得从main函数开始看,main函数里面,有machine->init(&args);函数调用,这是对注册的machine的初始 化,而默认的machine是在pc_piix.c里面pc_machine_init函数注册的第一个machine,即:
static QEMUMachine pc_i440fx_machine_v1_4 = { .name = "pc-i440fx-1.4", .alias = "pc", .desc = "Standard PC (i440FX + PIIX, 1996)", .init = pc_init_pci, .max_cpus = 255, .is_default = 1, .default_machine_opts = KVM_MACHINE_OPTIONS, DEFAULT_MACHINE_OPTIONS, }; qemu_register_machine(&pc_i440fx_machine_v1_4);
|
1
2
3
4
5
6
7
8
9
10
11
|
staticQEMUMachinepc_i440fx_machine_v1_4={
.name="pc-i440fx-1.4",
.alias="pc",
.desc="Standard PC (i440FX + PIIX, 1996)",
.init=pc_init_pci,
.max_cpus=255,
.is_default=1,
.default_machine_opts=KVM_MACHINE_OPTIONS,
DEFAULT_MACHINE_OPTIONS,
};
qemu_register_machine(&pc_i440fx_machine_v1_4);
|
当main函数调用machine->init时,我的实验环境默认情况其实就是调用的pc_i440fx_machine_v1_4的初始化回调pc_init_pci -> pc_init1,这个函数主要初始化相关PC硬件:
static void pc_init1(MemoryRegion *system_memory, MemoryRegion *system_io, ram_addr_t ram_size, const char *boot_device, const char *kernel_filename, const char *kernel_cmdline, const char *initrd_filename, const char *cpu_model, int pci_enabled, int kvmclock_enabled) { //CPU类型初始化-> cpu_x86_init -> mce_init/qemu_init_vcpu,初始化VCPU pc_cpus_init(cpu_model); //初始化acpi_tables pc_acpi_init("acpi-dsdt.aml"); if (!xen_enabled()) { //ROM, BIOS, RAM相关初始化 fw_cfg = pc_memory_init(system_memory, kernel_filename, kernel_cmdline, initrd_filename, below_4g_mem_size, above_4g_mem_size, rom_memory, &ram_memory); } //IRQ,初始化 //VGA初始化 pc_vga_init(isa_bus, pci_enabled ? pci_bus : NULL); /* init basic PC hardware */ pc_basic_device_init(isa_bus, gsi, &rtc_state, &floppy, xen_enabled()); //这里调用pit_init //初始化网卡 pc_nic_init(isa_bus, pci_bus); //初始化硬盘,音频设备 //初始化cmos数据,比如设置cmos rtc时钟,是否提供PS/2设备 pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device, floppy, idebus[0], idebus[1], rtc_state); //初始化USB if (pci_enabled && usb_enabled(false)) { pci_create_simple(pci_bus, piix3_devfn + 2, "piix3-usb-uhci"); } } void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi, ISADevice **rtc_state, ISADevice **floppy, bool no_vmport) { //初始化HPET //初始化mc146818 rtc //初始化i8042 PIT pit = pit_init(isa_bus, 0x40, pit_isa_irq, pit_alt_irq); //初始化串口,并口 //初始化vmmouse ps2_mouse }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
staticvoidpc_init1(MemoryRegion*system_memory,
MemoryRegion*system_io,
ram_addr_tram_size,
constchar*boot_device,
constchar*kernel_filename,
constchar*kernel_cmdline,
constchar*initrd_filename,
constchar*cpu_model,
intpci_enabled,
intkvmclock_enabled)
{
//CPU类型初始化-> cpu_x86_init -> mce_init/qemu_init_vcpu,初始化VCPU
pc_cpus_init(cpu_model);
//初始化acpi_tables
pc_acpi_init("acpi-dsdt.aml");
if(!xen_enabled()){
//ROM, BIOS, RAM相关初始化
fw_cfg=pc_memory_init(system_memory,
kernel_filename,kernel_cmdline,initrd_filename,
below_4g_mem_size,above_4g_mem_size,
rom_memory,&ram_memory);
}
//IRQ,初始化
//VGA初始化
pc_vga_init(isa_bus,pci_enabled?pci_bus:NULL);
/* init basic PC hardware */
pc_basic_device_init(isa_bus,gsi,&rtc_state,&floppy,xen_enabled());//这里调用pit_init
//初始化网卡
pc_nic_init(isa_bus,pci_bus);
//初始化硬盘,音频设备
//初始化cmos数据,比如设置cmos rtc时钟,是否提供PS/2设备
pc_cmos_init(below_4g_mem_size,above_4g_mem_size,boot_device,
floppy,idebus[0],idebus[1],rtc_state);
//初始化USB
if(pci_enabled&&usb_enabled(false)){
pci_create_simple(pci_bus,piix3_devfn+2,"piix3-usb-uhci");
}
}
voidpc_basic_device_init(ISABus*isa_bus,qemu_irq*gsi,
ISADevice**rtc_state,
ISADevice**floppy,
boolno_vmport)
{
//初始化HPET
//初始化mc146818 rtc
//初始化i8042 PIT
pit=pit_init(isa_bus,0x40,pit_isa_irq,pit_alt_irq);
//初始化串口,并口
//初始化vmmouse ps2_mouse
}
|
接下来的流程是pit_init -> isa_create(bus, "isa-pit") -> qdev_create -> qdev_try_create,qdev_try_create的实现在前面已经讲了,如上节所述,它分别使用 object_class_by_name和object_new来初始化ObjectClass和Object。
属性设置
Object同ObjectClass的显著区别就是Object提供了属性的概念,以MC146818为例,其定义时设置了"base_year"和"lost_tick_policy":
static Property mc146818rtc_properties[] = { DEFINE_PROP_INT32("base_year", RTCState, base_year, 1980), DEFINE_PROP_LOSTTICKPOLICY("lost_tick_policy", RTCState, lost_tick_policy, LOST_TICK_DISCARD), DEFINE_PROP_END_OF_LIST(), };
|
1
2
3
4
5
6
|
staticPropertymc146818rtc_properties[]={
DEFINE_PROP_INT32("base_year",RTCState,base_year,1980),
DEFINE_PROP_LOSTTICKPOLICY("lost_tick_policy",RTCState,
lost_tick_policy,LOST_TICK_DISCARD),
DEFINE_PROP_END_OF_LIST(),
};
|
但是用GDB一看:
(gdb) p *obj->properties.tqh_first
$15 = {name = 0x555556a17df0 "type", type = 0x555556a17e10 "string", get = 0x555555727ae0 , set = 0,
release = 0x555555727980 , opaque = 0x555556a17d80, node = {tqe_next = 0x555556a17e50, tqe_prev = 0x555556a17af0}}
(gdb) p *obj->properties.tqh_first.node.tqe_next
$21 = {name = 0x555556a17ea0 "realized", type = 0x555556a17ec0 "bool", get = 0x5555557279c0 , set = 0x555555727a40 ,
release = 0x555555727940 , opaque = 0x555556a17e30, node = {tqe_next = 0x555556a17ee0, tqe_prev = 0x555556a17dd0}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next
$22 = {name = 0x555556a17f30 "base_year", type = 0x555556a1be10 "int32", get = 0x5555556af370 , set = 0x5555556afc60 , release = 0,
opaque = 0x555555d4e1a0, node = {tqe_next = 0x555556a50ee0, tqe_prev = 0x555556a17e80}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next
$23 = {name = 0x555556a1be30 "lost_tick_policy", type = 0x555556a1be50 "LostTickPolicy", get = 0x5555556af400 , set = 0x5555556af990 ,
release = 0, opaque = 0x555555d4e1c0, node = {tqe_next = 0x555556a50fa0, tqe_prev = 0x555556a17f10}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next
$24 = {name = 0x555556a50f80 "parent_bus", type = 0x55555680b1d0 "link", get = 0x555555729e50 ,
set = 0x55555572a320 , release = 0, opaque = 0x555556a17b30, node = {tqe_next = 0x0, tqe_prev = 0x555556a50f10}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next
Cannot access memory at address 0x0
$15 = {name = 0x555556a17df0 "type", type = 0x555556a17e10 "string", get = 0x555555727ae0 , set = 0,
release = 0x555555727980 , opaque = 0x555556a17d80, node = {tqe_next = 0x555556a17e50, tqe_prev = 0x555556a17af0}}
(gdb) p *obj->properties.tqh_first.node.tqe_next
$21 = {name = 0x555556a17ea0 "realized", type = 0x555556a17ec0 "bool", get = 0x5555557279c0 , set = 0x555555727a40 ,
release = 0x555555727940 , opaque = 0x555556a17e30, node = {tqe_next = 0x555556a17ee0, tqe_prev = 0x555556a17dd0}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next
$22 = {name = 0x555556a17f30 "base_year", type = 0x555556a1be10 "int32", get = 0x5555556af370 , set = 0x5555556afc60 , release = 0,
opaque = 0x555555d4e1a0, node = {tqe_next = 0x555556a50ee0, tqe_prev = 0x555556a17e80}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next
$23 = {name = 0x555556a1be30 "lost_tick_policy", type = 0x555556a1be50 "LostTickPolicy", get = 0x5555556af400 , set = 0x5555556af990 ,
release = 0, opaque = 0x555555d4e1c0, node = {tqe_next = 0x555556a50fa0, tqe_prev = 0x555556a17f10}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next
$24 = {name = 0x555556a50f80 "parent_bus", type = 0x55555680b1d0 "link", get = 0x555555729e50 ,
set = 0x55555572a320 , release = 0, opaque = 0x555556a17b30, node = {tqe_next = 0x0, tqe_prev = 0x555556a50f10}}
(gdb) p *obj->properties.tqh_first.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next.node.tqe_next
Cannot access memory at address 0x0
事实上却多了"type" "realized" "parent_bus",这些属性都是动态添加的。
在"object"类型的,instance_init = object_instance_init回调处,添加了
object_property_add_str(obj, "type", qdev_get_type, NULL, NULL);
|
1
|
object_property_add_str(obj,"type",qdev_get_type,NULL,NULL);
|
在"device"类型的instance_init = device_initfn回调处,添加了
object_property_add_bool(obj, "realized", device_get_realized, device_set_realized, NULL); bject_property_add_link(OBJECT(dev), "parent_bus", TYPE_BUS, (Object **)&dev->parent_bus, NULL);
|
1
2
3
4
|
object_property_add_bool(obj,"realized",
device_get_realized,device_set_realized,NULL);
bject_property_add_link(OBJECT(dev),"parent_bus",TYPE_BUS,
(Object**)&dev->parent_bus,NULL);
|
设置属性的时候,调用类似qdev_prop_set_int32(&dev->qdev, "base_year", base_year);进行设置,这里,注意第一个参数为什么是DeviceState* dev->qdev而不是ISADevice *dev?
因为rtc_class_initfn里初始化props是给 DeviceClass *dc初始化的,所以对应的应该是DeviceState而不是子类ISADevice。
设置属性是如何实现的?
以"realized"的bool属性设置为例,调用顺序为object_property_set_bool -> object_property_set_qobject -> object_property_set,此函数定义:
void object_property_set(Object *obj, Visitor *v, const char *name, Error **errp) { //obj还是"mc146818rtc"的实例,name为"realized",object_property_find其实就是查找obj的properties链表里是否存在名字为name的属性 ObjectProperty *prop = object_property_find(obj, name, errp); if (prop == NULL) { return; } if (!prop->set) {//如果存在,且没有设置过set handler,错误 error_set(errp, QERR_PERMISSION_DENIED); } else {//"realized"的set函数为property_set_bool prop->set(obj, v, prop->opaque, name, errp); } } static void property_set_bool(Object *obj, Visitor *v, void *opaque, const char *name, Error **errp) { BoolProperty *prop = opaque; bool value; Error *local_err = NULL; visit_type_bool(v, &value, name, &local_err); if (local_err) { error_propagate(errp, local_err); return; } prop->set(obj, value, errp); //对于realized来说,其实就是调用device_set_realized }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
voidobject_property_set(Object*obj,Visitor*v,constchar*name,
Error**errp)
{
//obj还是"mc146818rtc"的实例,name为"realized",object_property_find其实就是查找obj的properties链表里是否存在名字为name的属性
ObjectProperty*prop=object_property_find(obj,name,errp);
if(prop==NULL){
return;
}
if(!prop->set){//如果存在,且没有设置过set handler,错误
error_set(errp,QERR_PERMISSION_DENIED);
}else{//"realized"的set函数为property_set_bool
prop->set(obj,v,prop->opaque,name,errp);
}
}
staticvoidproperty_set_bool(Object*obj,Visitor*v,void*opaque,
constchar*name,Error**errp)
{
BoolProperty*prop=opaque;
boolvalue;
Error*local_err=NULL;
visit_type_bool(v,&value,name,&local_err);
if(local_err){
error_propagate(errp,local_err);
return;
}
prop->set(obj,value,errp);//对于realized来说,其实就是调用device_set_realized
}
|
而CALLBACK=device_set_realized 又会调用CALLBACK=device_realize。
模块PIO回调流程
注册回调
以mc146818 rtc为例,在rtc_initfn的时候,注册回调的代码如下:
static const MemoryRegionOps cmos_ops = { .read = cmos_ioport_read, .write = cmos_ioport_write, .impl = { .min_access_size = 1, .max_access_size = 1, }, .endianness = DEVICE_LITTLE_ENDIAN, }; void isa_register_ioport(ISADevice *dev, MemoryRegion *io, uint16_t start) { memory_region_add_subregion(isabus->address_space_io, start, io); isa_init_ioport(dev, start); } memory_region_init_io(&s->io, &cmos_ops, s, "rtc", 2); isa_register_ioport(dev, &s->io, base);
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
staticconstMemoryRegionOpscmos_ops={
.read=cmos_ioport_read,
.write=cmos_ioport_write,
.impl={
.min_access_size=1,
.max_access_size=1,
},
.endianness=DEVICE_LITTLE_ENDIAN,
};
voidisa_register_ioport(ISADevice*dev,MemoryRegion*io,uint16_tstart)
{
memory_region_add_subregion(isabus->address_space_io,start,io);
isa_init_ioport(dev,start);
}
memory_region_init_io(&s->io,&cmos_ops,s,"rtc",2);
isa_register_ioport(dev,&s->io,base);
|
其中s->io是MemoryRegion类型,MemoryRegion是可以像树一样,多级挂载,比如,现在将rtc的 MemoryRegion挂载在isabus的address_space_io这个MemoryRegion下,其start参数为offset在整个 isabus->address_space_io MemoryRegion中的偏移,即0x70,那么END呢?END在memory_region_init_io的时候已经存储到 MemoryRegion的size里面了。
再看看isabus内容,有个更深入的性感的认识:
(gdb) p *isabus
$8 = {qbus = {obj = {class = 0x555556a14e70, free = 0x7ffff7424020 , properties = {tqh_first = 0x555556a14f60, tqh_last = 0x555556a1eab0}, ref = 4,
parent = 0x55555698d740}, parent = 0x55555698d740, name = 0x555556a14ff0 "isa.0", allow_hotplug = 0, max_index = 3, children = {tqh_first = 0x555556a50f30,
tqh_last = 0x555556a16450}, sibling = {le_next = 0x0, le_prev = 0x55555698d7b8}}, address_space_io = 0x555556708930, irqs = 0x55555699c4f0}
(gdb) p *isabus->address_space_io
$9 = {ops = 0x0, opaque = 0x0, parent = 0x0, size = {lo = 65536, hi = 0}, addr = 0, destructor = 0x5555557cb8e0 , ram_addr = 0,
subpage = false, terminates = false, readable = true, ram = false, readonly = false, enabled = true, rom_device = false, warning_printed = false,
flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0, may_overlap = false, subregions = {tqh_first = 0x55555698de48,
tqh_last = 0x55555698bf60}, subregions_link = {tqe_next = 0x0, tqe_prev = 0x0}, coalesced = {tqh_first = 0x0, tqh_last = 0x5555567089b8},
name = 0x5555566f7220 "io", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0, updateaddr = 0, updateopaque = 0x0}
$8 = {qbus = {obj = {class = 0x555556a14e70, free = 0x7ffff7424020 , properties = {tqh_first = 0x555556a14f60, tqh_last = 0x555556a1eab0}, ref = 4,
parent = 0x55555698d740}, parent = 0x55555698d740, name = 0x555556a14ff0 "isa.0", allow_hotplug = 0, max_index = 3, children = {tqh_first = 0x555556a50f30,
tqh_last = 0x555556a16450}, sibling = {le_next = 0x0, le_prev = 0x55555698d7b8}}, address_space_io = 0x555556708930, irqs = 0x55555699c4f0}
(gdb) p *isabus->address_space_io
$9 = {ops = 0x0, opaque = 0x0, parent = 0x0, size = {lo = 65536, hi = 0}, addr = 0, destructor = 0x5555557cb8e0 , ram_addr = 0,
subpage = false, terminates = false, readable = true, ram = false, readonly = false, enabled = true, rom_device = false, warning_printed = false,
flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0, may_overlap = false, subregions = {tqh_first = 0x55555698de48,
tqh_last = 0x55555698bf60}, subregions_link = {tqe_next = 0x0, tqe_prev = 0x0}, coalesced = {tqh_first = 0x0, tqh_last = 0x5555567089b8},
name = 0x5555566f7220 "io", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0, updateaddr = 0, updateopaque = 0x0}
回调流程
QEMU通过kvm_cpu_exec -> kvm_vcpu_ioctl(cpu, KVM_RUN, 0) 执行GUEST机CODE,当GUEST遇到IO等操作需要退出,会先在KVM里处理,KVM不能处理,kvm_vcpu_ioctl就返回,给QEMU 处理,QEMU根据返回的run->exit_reason进行分派,比如PROT READ 0x71操作,退出时其exit_reason为KVM_EXIT_IO,kvm_handle_io里,根据direction判断是read还是 write,根据read的长度,判断该回调哪个函数。比如0x71 read 1字节的时候,调用的是:
stb_p(ptr, cpu_inb(port));
stb_p是将第二个参数cpu_inb(port)的结果转换为一个字节大小赋值给第一个参数ptr所指内存。
cpu_inb (addr=addr@entry=113)
cpu_inb和cpu_inw和cpu_inl是一家人的三兄弟,长得极其神似,我们看cpu_inb,在他调用的ioport_read的时候,第一 个参数叫index=0,这是和他的兄弟cpu_inw, cpu_inl区别开来的关键特征。本来这里应该没有index啥事的,但总有人偷懒不设置对应addr的handler,index就是对专门为这种懒 人擦屁股,没有handler的时候,给选择一个默认handler,你大概也看明白了,就index的话,三兄弟的差别在于inb=0, inw=1, inl=2。
uint8_t cpu_inb(pio_addr_t addr) { uint8_t val; val = ioport_read(0, addr); return val; }
|
1
2
3
4
5
6
|
uint8_tcpu_inb(pio_addr_taddr)
{
uint8_tval;
val=ioport_read(0,addr);
returnval;
}
|
read 的address比较重要,例如rtc的0x71,index其实是用来选择默认handler的,当在对应的ioport_read_table里面没有注册函数的时候就根据index的值,分别选择readb, readw, readl来做默认操作。
static uint32_t ioport_read(int index, uint32_t address) { static IOPortReadFunc * const default_func[3] = { default_ioport_readb, default_ioport_readw, default_ioport_readl }; IOPortReadFunc *func = ioport_read_table[index][address]; if (!func) func = default_func[index]; /* func一般都是ioport_readb_thunk 关键在于ioport_opaque[address]这里面存放的是不同端口的IORange* 这个ioport_opaque的每个值,都存储的该端口对应的IORange* 当读写此端口的时候,就会找到之前注册的IORange回调,比如mc146818的IORange为 (gdb) p *(IORange *)ioport_opaque[0x71] $22 = {ops = 0x7fca4a51c380, base = 112, len = 2} (gdb) p *(IORangeOps*)0x7fca4a51c380 $25 = {read = 0x7fca49fe1190 , write = 0x7fca49fe1050 , destructor = 0x7fca49fdfcb0 } 由于x70,0x71都是readb,所以在mc146818设备的时候,这个func其实为ioport_readb_thunk (gdb) p ioport_read_table[0][0x70] $67 = (IOPortReadFunc *) 0x5555557c6980 (gdb) p ioport_read_table[0][0x71] $68 = (IOPortReadFunc *) 0x5555557c6980 */ return func(ioport_opaque[address], address); }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
staticuint32_tioport_read(intindex,uint32_taddress)
{
staticIOPortReadFunc*constdefault_func[3]={
default_ioport_readb,
default_ioport_readw,
default_ioport_readl
};
IOPortReadFunc*func=ioport_read_table[index][address];
if(!func)
func=default_func[index];
/*
func一般都是ioport_readb_thunk 关键在于ioport_opaque[address]这里面存放的是不同端口的IORange*
这个ioport_opaque的每个值,都存储的该端口对应的IORange*
当读写此端口的时候,就会找到之前注册的IORange回调,比如mc146818的IORange为
(gdb) p *(IORange *)ioport_opaque[0x71]
$22 = {ops = 0x7fca4a51c380, base = 112, len = 2}
(gdb) p *(IORangeOps*)0x7fca4a51c380
$25 = {read = 0x7fca49fe1190 , write = 0x7fca49fe1050 ,
destructor = 0x7fca49fdfcb0 }
由于x70,0x71都是readb,所以在mc146818设备的时候,这个func其实为ioport_readb_thunk
(gdb) p ioport_read_table[0][0x70]
$67 = (IOPortReadFunc *) 0x5555557c6980
(gdb) p ioport_read_table[0][0x71]
$68 = (IOPortReadFunc *) 0x5555557c6980
*/
returnfunc(ioport_opaque[address],address);
}
|
ioport_readb_thunk (opaque=, addr=)
ioport_register里面,注册了对一个字节的ioport read handler为ioport_readb_thunk,其实这个函数非常简单
就是调用了ops->read的时候,将width设置为1,和ioport_readw_thunk,ioport_readl_thunk之类的就差一个width的区别
为什么要搞这么复杂?这是为了64K的read空间设计的回调,因为不同的offset位置,我们需要知道是应该调用readb还是readw还是readl。
static IOPortReadFunc *ioport_read_table[3][64 * 1024] static uint32_t ioport_readb_thunk(void *opaque, uint32_t addr) { IORange *ioport = opaque; uint64_t data; //read is memory_region_iorange_read when input char to ps/2 keyboard //比如,mc146818的时候,addr为x71,ioport->base为x71, ioport->len=2 ioport->ops->read(ioport, addr - ioport->base, 1, &data); return data; }
|
1
2
3
4
5
6
7
8
9
10
|
staticIOPortReadFunc*ioport_read_table[3][64*1024]
staticuint32_tioport_readb_thunk(void*opaque,uint32_taddr)
{
IORange*ioport=opaque;
uint64_tdata;
//read is memory_region_iorange_read when input char to ps/2 keyboard
//比如,mc146818的时候,addr为x71,ioport->base为x71, ioport->len=2
ioport->ops->read(ioport,addr-ioport->base,1,&data);
returndata;
}
|
上面的回调为memory_region_iorange_read (iorange=0x55555680b1a0, offset=1, width=1, data=0x7fffec1fdc00)
static const MemoryRegionOps cmos_ops = { .read = cmos_ioport_read, .write = cmos_ioport_write, .impl = { .min_access_size = 1, .max_access_size = 1, }, .endianness = DEVICE_LITTLE_ENDIAN, }; static void memory_region_iorange_read(IORange *iorange, uint64_t offset, unsigned width, uint64_t *data) { MemoryRegionIORange *mrio = container_of(iorange, MemoryRegionIORange, iorange); /* 一段MemoryRegionIORange里包含了IORange iorange和MemoryRegion* mr (gdb) p *mrio $58 = {iorange = {ops = 0x555555d16200, base = 0x70, len = 2}, mr = 0x555556a17b80, offset = 0} (gdb) p *mrio->iorange.ops $59 = {read = 0x5555557ccf50 , write = 0x5555557cce10 , destructor = 0x5555557cba70 } (gdb) p *mrio->mr $60 = {ops = 0x555555d14ba0, opaque = 0x555556a17ae0, parent = 0x555556708930, size = {lo = 2, hi = 0}, addr = 112, destructor = 0x5555557cb910 , ram_addr = 18446744073709551615, subpage = false, terminates = true, readable = true, ram = false, readonly = false, enabled = true, rom_device = false, warning_printed = false, flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0, may_overlap = false, subregions = {tqh_first = 0x0, tqh_last = 0x555556a17be8}, subregions_link = {tqe_next = 0x555556a50d80, tqe_prev = 0x555556a1c1f8}, coalesced = {tqh_first = 0x0, tqh_last = 0x555556a17c08}, name = 0x55555680b300 "rtc", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0, updateaddr = 0, updateopaque = 0x0} (gdb) p *mrio->mr->ops $61 = {read = 0x55555579ea20 , write = 0x55555579e040 , endianness = DEVICE_LITTLE_ENDIAN, valid = {min_access_size = 0, max_access_size = 0, unaligned = false, accepts = 0}, impl = {min_access_size = 1, max_access_size = 1, unaligned = false}, old_portio = 0x0, old_mmio = { read = {0, 0, 0}, write = {0, 0, 0}}} */ MemoryRegion *mr = mrio->mr; //如果mrio还有offset,要加上这个偏移,这个offset其实是当成地址来用的,比如,我认为read 0x71应该在已有offset=1的基础上加上x70,但是他没加 offset += mrio->offset; if (mr->ops->old_portio) {//对"mc146818rtc"已经没有old_portio的CALLBACK了,跳过 const MemoryRegionPortio *mrp = find_portio(mr, offset - mrio->offset, width, false); *data = ((uint64_t)1 << (width * 8)) - 1; if (mrp) { *data = mrp->read(mr->opaque, offset); } else if (width == 2) { mrp = find_portio(mr, offset - mrio->offset, 1, false); assert(mrp); *data = mrp->read(mr->opaque, offset) | (mrp->read(mr->opaque, offset + 1) << 8); } return; } *data = 0;//这是read后的返回值存储区域,提前清零 access_with_adjusted_size(offset, data, width, mr->ops->impl.min_access_size, //这个min_access_size和max_access_size是在设置ops的时候定义的,见cmos_ops mr->ops->impl.max_access_size, memory_region_read_accessor, mr); }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
staticconstMemoryRegionOpscmos_ops={
.read=cmos_ioport_read,
.write=cmos_ioport_write,
.impl={
.min_access_size=1,
.max_access_size=1,
},
.endianness=DEVICE_LITTLE_ENDIAN,
};
staticvoidmemory_region_iorange_read(IORange*iorange,
uint64_toffset,
unsignedwidth,
uint64_t*data)
{
MemoryRegionIORange*mrio
=container_of(iorange,MemoryRegionIORange,iorange);
/*
一段MemoryRegionIORange里包含了IORange iorange和MemoryRegion* mr
(gdb) p *mrio
$58 = {iorange = {ops = 0x555555d16200, base = 0x70, len = 2}, mr = 0x555556a17b80, offset = 0}
(gdb) p *mrio->iorange.ops
$59 = {read = 0x5555557ccf50 , write = 0x5555557cce10 ,
destructor = 0x5555557cba70 }
(gdb) p *mrio->mr
$60 = {ops = 0x555555d14ba0, opaque = 0x555556a17ae0, parent = 0x555556708930, size = {lo = 2, hi = 0}, addr = 112,
destructor = 0x5555557cb910 , ram_addr = 18446744073709551615, subpage = false, terminates = true, readable = true, ram = false,
readonly = false, enabled = true, rom_device = false, warning_printed = false, flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0,
may_overlap = false, subregions = {tqh_first = 0x0, tqh_last = 0x555556a17be8}, subregions_link = {tqe_next = 0x555556a50d80, tqe_prev = 0x555556a1c1f8},
coalesced = {tqh_first = 0x0, tqh_last = 0x555556a17c08}, name = 0x55555680b300 "rtc", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0,
updateaddr = 0, updateopaque = 0x0}
(gdb) p *mrio->mr->ops
$61 = {read = 0x55555579ea20 , write = 0x55555579e040 , endianness = DEVICE_LITTLE_ENDIAN, valid = {min_access_size = 0,
max_access_size = 0, unaligned = false, accepts = 0}, impl = {min_access_size = 1, max_access_size = 1, unaligned = false}, old_portio = 0x0, old_mmio = {
read = {0, 0, 0}, write = {0, 0, 0}}}
*/
MemoryRegion*mr=mrio->mr;
//如果mrio还有offset,要加上这个偏移,这个offset其实是当成地址来用的,比如,我认为read 0x71应该在已有offset=1的基础上加上x70,但是他没加
offset+=mrio->offset;
if(mr->ops->old_portio){//对"mc146818rtc"已经没有old_portio的CALLBACK了,跳过
constMemoryRegionPortio*mrp=find_portio(mr,offset-mrio->offset,
width,false);
*data=((uint64_t)1<<(width*8))-1;
if(mrp){
*data=mrp->read(mr->opaque,offset);
}elseif(width==2){
mrp=find_portio(mr,offset-mrio->offset,1,false);
assert(mrp);
*data=mrp->read(mr->opaque,offset)|
(mrp->read(mr->opaque,offset+1)<<8);
}
return;
}
*data=0;//这是read后的返回值存储区域,提前清零
access_with_adjusted_size(offset,data,width,
mr->ops->impl.min_access_size,//这个min_access_size和max_access_size是在设置ops的时候定义的,见cmos_ops
mr->ops->impl.max_access_size,
memory_region_read_accessor,mr);
}
|
从参数看,这里的access参数为memory_region_read_accessor,而这个value参数,用来存放read的返回值。接下来进入
access_with_adjusted_size (addr=addr@entry=1, value=value@entry=0x7fffec1fdc00, size=1, access_size_min=, access_size_max=, access=access@entry=0x5555557cbf70 , opaque=opaque@entry=0x555556a17b80),其access参数非常重要,继续回调的就是access。
static void access_with_adjusted_size(hwaddr addr, uint64_t *value, unsigned size, unsigned access_size_min, unsigned access_size_max, void (*access)(void *opaque, hwaddr addr, uint64_t *value, unsigned size, unsigned shift, uint64_t mask), void *opaque) { uint64_t access_mask; unsigned access_size; unsigned i; if (!access_size_min) { access_size_min = 1; } if (!access_size_max) { access_size_max = 4; } access_size = MAX(MIN(size, access_size_max), access_size_min);//size其实在参数里面已经指定了,但是为了安全,要确保access_size区间为[1,4]字节 access_mask = -1ULL >> (64 - access_size * 8);//作为mask,对Read的几个mask,确保结果大小为预期大小 for (i = 0; i < size; i += access_size) { /* 最大返回结果其实只有sizeof(value) = 64bit,这里的设计是,每次取一个字节的返回结果 但是access_size可以不为bit,比如read 0x100,假设read范围为bit,就是x100-0x104,access_size可以为, 这样就分两步走,第一步Read 0x100-0x102返回个字节的结果,存储到value的低字节 第二步Read 0x103-0x104返回个字节的结果,存储到value的高字节 最后返回的value就存储了两次的Read值,只占用了bit,不会超过bit */ access(opaque, addr + i, value, access_size, i * 8, access_mask); } }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
staticvoidaccess_with_adjusted_size(hwaddraddr,
uint64_t*value,
unsignedsize,
unsignedaccess_size_min,
unsignedaccess_size_max,
void(*access)(void*opaque,
hwaddraddr,
uint64_t*value,
unsignedsize,
unsignedshift,
uint64_tmask),
void*opaque)
{
uint64_taccess_mask;
unsignedaccess_size;
unsignedi;
if(!access_size_min){
access_size_min=1;
}
if(!access_size_max){
access_size_max=4;
}
access_size=MAX(MIN(size,access_size_max),access_size_min);//size其实在参数里面已经指定了,但是为了安全,要确保access_size区间为[1,4]字节
access_mask=-1ULL>>(64-access_size*8);//作为mask,对Read的几个mask,确保结果大小为预期大小
for(i=0;i<size;i+=access_size){ <="" div="" style="word-wrap: break-word;">
/*
最大返回结果其实只有sizeof(value) = 64bit,这里的设计是,每次取一个字节的返回结果
但是access_size可以不为bit,比如read 0x100,假设read范围为bit,就是x100-0x104,access_size可以为,
这样就分两步走,第一步Read 0x100-0x102返回个字节的结果,存储到value的低字节
第二步Read 0x103-0x104返回个字节的结果,存储到value的高字节
最后返回的value就存储了两次的Read值,只占用了bit,不会超过bit
*/
access(opaque,addr+i,value,access_size,i*8,access_mask);
}
}
|
上面的access_with_adjusted_size的access参数其实就是memory_region_read_accessor,可以通过GDB打印出来:
memory_region_read_accessor (opaque=0x555556a17b80, addr=, value=0x7fffec1fdc00, size=1, shift=0, mask=255)
(gdb) p *mr
$52 = {ops = 0x555555d14ba0, opaque = 0x555556a17ae0, parent = 0x555556708930, size = {lo = 2, hi = 0}, addr = 112,
destructor = 0x5555557cb910 , ram_addr = 18446744073709551615, subpage = false, terminates = true, readable = true, ram = false,
readonly = false, enabled = true, rom_device = false, warning_printed = false, flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0,
may_overlap = false, subregions = {tqh_first = 0x0, tqh_last = 0x555556a17be8}, subregions_link = {tqe_next = 0x555556a50d80, tqe_prev = 0x555556a1c1f8},
coalesced = {tqh_first = 0x0, tqh_last = 0x555556a17c08}, name = 0x55555680b300 "rtc", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0,
updateaddr = 0, updateopaque = 0x0}
(gdb) p *mr->ops
$53 = {read = 0x55555579ea20 , write = 0x55555579e040 , endianness = DEVICE_LITTLE_ENDIAN, valid = {min_access_size = 0,
max_access_size = 0, unaligned = false, accepts = 0}, impl = {min_access_size = 1, max_access_size = 1, unaligned = false}, old_portio = 0x0, old_mmio = {
read = {0, 0, 0}, write = {0, 0, 0}}}
(gdb) p *mr
$52 = {ops = 0x555555d14ba0, opaque = 0x555556a17ae0, parent = 0x555556708930, size = {lo = 2, hi = 0}, addr = 112,
destructor = 0x5555557cb910 , ram_addr = 18446744073709551615, subpage = false, terminates = true, readable = true, ram = false,
readonly = false, enabled = true, rom_device = false, warning_printed = false, flush_coalesced_mmio = false, alias = 0x0, alias_offset = 0, priority = 0,
may_overlap = false, subregions = {tqh_first = 0x0, tqh_last = 0x555556a17be8}, subregions_link = {tqe_next = 0x555556a50d80, tqe_prev = 0x555556a1c1f8},
coalesced = {tqh_first = 0x0, tqh_last = 0x555556a17c08}, name = 0x55555680b300 "rtc", dirty_log_mask = 0 '\000', ioeventfd_nb = 0, ioeventfds = 0x0,
updateaddr = 0, updateopaque = 0x0}
(gdb) p *mr->ops
$53 = {read = 0x55555579ea20 , write = 0x55555579e040 , endianness = DEVICE_LITTLE_ENDIAN, valid = {min_access_size = 0,
max_access_size = 0, unaligned = false, accepts = 0}, impl = {min_access_size = 1, max_access_size = 1, unaligned = false}, old_portio = 0x0, old_mmio = {
read = {0, 0, 0}, write = {0, 0, 0}}}
绕了这么多,memory_region_read_accessor里的mr->ops->read终于到了我们注册的函数,如 mc146818的cmos_ioport_read (opaque=0x555556a17ae0, addr=1, size=1)
static void memory_region_read_accessor(void *opaque, hwaddr addr, uint64_t *value, unsigned size, unsigned shift, uint64_t mask) { MemoryRegion *mr = opaque; uint64_t tmp; if (mr->flush_coalesced_mmio) { qemu_flush_coalesced_mmio_buffer(); } tmp = mr->ops->read(mr->opaque, addr, size); *value |= (tmp & mask) << shift; }
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
staticvoidmemory_region_read_accessor(void*opaque,
hwaddraddr,
uint64_t*value,
unsignedsize,
unsignedshift,
uint64_tmask)
{
MemoryRegion*mr=opaque;
uint64_ttmp;
if(mr->flush_coalesced_mmio){
qemu_flush_coalesced_mmio_buffer();
}
tmp=mr->ops->read(mr->opaque,addr,size);
*value|=(tmp&mask)<<shift; <="" div="" style="word-wrap: break-word;">
}
|