Workshops
Hands-on With Virtutech Simics
Jakob Engblom
Welcome
What will we do today?
• A hands-on look at Virtutech Simics
• Compile, download, and execute programs
– For cross-targets running (embedded) Linux
– Single virtual development board
– Network of virtual machines
• Inspect and debug functionality
• Running code on a machine with no OS
– Extend the model with a new hardware device
– Test a simple device driver
3
Simics is a Systems Simulator
Phone
Server
Network
IP Phone
PC
Internet
4
Simics is a Systems Simulator
Simics/Phone
Simics/Phone
Simics/Phone
Simics/Server
Simics
Simics
Sim Network
Simics
Simics/PC
Simics
Simics/IP Phone
IP
Simics
Simics
5
Simics is a Systems Simulator
Apps
Applications
RTOS
RTOS
HW Model
Hardware model
Simics/Phone
Simics/Phone
Simics/Phone
Simics/Server
Simics
Simics
Sim Network
Behavioral
simulation of
function
Simics
Simics/PC
Simics
Simics/IP Phone
IP
Simics
Simics
6
Traditional Development Process
•
Use hardware to test and debug software
–
–
–
–
Expensive
Unwieldy environment for debugging
Not available early enough
Often, not every developer can have a test bed
7
Virtutech Simics
• Virtualized Software Development
– Simulates the system under development and its
immediate environment
– Runs entire software image unchanged
– Model peripheral devices
• Benefits of software over
hardware
–
–
–
–
–
8
Customizable
Cheaper
Programmer-friendly
Scriptable & controllable
Available earlier
Virtualized Software Development
Identical build
tools chain
The software can’t
tell the difference
Runs binaries
from real target
User program
Server
Complete
production
software
Simulated
hardware
DB
Middleware
Operating system
Firmware
Drivers
CPU
CPU
Bus
PCI
RAM
I2C
ROM
Disk
Disk Ctrl
FLASH
Hardware
9
Network
LCD
ASIC
net
Complete Virtualization
All
All software:
software: arbitrary
arbitrary &
&
unmodified.
unmodified. Same
Same as
as on
on aa
real
real system.
system.
User program
Arbitrary;
Arbitrary; currently
currently supports
supports
Alpha,
Alpha, ARM,
ARM, IA64,
IA64, 32/64
32/64 bit
bit
x86,
x86, 32/64
32/64 bit
bit Sparc,
Sparc,
32/64
32/64 bit
bit MIPS,
MIPS, 32/64
32/64 bit
bit
PowerPC,
PowerPC, TI
TI C6400,
C6400, msp430
msp430
Target operating system
Simulated target hardware
Simics
Linux,
Linux, Solaris,
Solaris,
Windows
Windows
Host operating system
Host hardware
PC
PC (32(32- &
& 64-bit)
64-bit)
or
or Sparc
Sparc
10
Getting Started
Getting Started: VmWare Player
• Start VmWare player
• Select the ”simics-on-linux.vmx” file
12
Getting Started: Boot
• When the virtual computer starts
• It will boot into grub
• Press ”return” to boot the Linux we need
13
Getting Started: Login
• At login prompt:
– User “user”
– Password “user”
• Or wait to be
automatically
logged-in as “user”
14
Getting Started: Terminal
• When the Linux has
booted, you will be at
the desktop with no
windows open
• Click the “terminal” to
get a text console
15
Getting Started: More Terminals
• I find it convenient with two terminals
– Or even better, two tabs in the terminal
16
Getting Started: Simics Docs
• Simics has HTML, PDF,
and online help
• To access HTML & PDF,
open the ”Simics
documentation” folder
on the desktop
• User guide is linked
directly as well
17
Starting Simics
Starting Simics
• On Linux, Simics is a command-line app
• Simics exposes a sophisticated commandline interface
– And graphical or text windows for the displays
and serial ports of the target systems
• Simics uses a workspace directory:
– /home/user/simics-workspace in this case
19
Starting Simics
• Linux command-line
– Will be prefixed “host$” in the following slides
– What you type is going to be bold
• So we do the following:
host$ cd simics-workspace
host$ ./simics target/ebony/ebony-linux-firststeps.simics
20
Starting SimicsLinux commands
to start Simics
Target console,
output from
target machine
appears here
Simics prompt,
also called the
Simics console
21
Starting Simics: target & host
Target
console
Programs
Complete and unmodified
Linux
PowerPC 440
Simics
console
Simics
Host
Host
operating
OS: Linux
system
Host
Host:
hardware
PC
22
Simics Workspaces
• Based on the eclipse concept
• Provides a base location for:
–
–
–
–
checkpoints
machine configuration files
locally built simics modules
scripts
• Keeps user data
• Simics installation separate from workspace
– (here: /opt/virtutech/simics-3.0.22/)
• Multiple workspaces & Simics installations
can coexist on a system
23
Structure of Workspace
• simics-workspace/
modules/ -- stores user-developed hardware models
simpledma/ -- simple DMA controller
targets/ -- stores target machine setups
arm-sa1110/ -- StrongARM machine
ebony/ -- PPC440gp development board
mpc8641d-simple/ -- mpc8641d board
ppc-simple/ -- very basic PowerPC machine
sunfire/ -- Sun server machine
x86-440bx/ -- standard PC
x86-linux/ -- stores compiled modules
24
Boot the Target
• Simics command-line
– Prefixed “simics>” in the following
• To run 2 billion cycles for the boot:
simics> c 2_000_000_000
• To stop simulation at any point: ctrl-C
• To run simulation until stopped:
simics> c
25
Inspect Target State from Simics
• Some Simics
commands:
simics> ptime
simics> pregs
simics> pregs –all
simics> da count=10
simics> x %r1
simics> help
simics> si
26
Inspect Target State from Simics
• Simics logs all device accesses
– simics> uart0.log
• Devices present their state
– simics> uart0.status
– simics> emac0.status
– simics> emac0.info
27
Test the Target Machine
• Commands on the target machine CLI:
– Prefixed “$” in the following
• Make Simics run, then use target console:
simics> c
$ pwd
$ uname –a
$ cat /proc/cpuinfo
$ ifconfig
28
Compile & Load
a User Program
Create and Load a User Program
• Stop Simics in the meanwhile
• Use the second terminal/tab to compile
30
Look at the Code
• Start the “Text Editor” (on the desktop)
• Look at the file
./simics-workspace/target/ebony/helloworld-440.c
• Make some changes to see that it is your
program and not the standard program
31
32
Compile the Program
• We have a script prepared to compile for
the target, using a PPC cross-compiler
• Use in the second terminal/tab
• The script (does NOT want .c for filename):
host$ compile-for-linux <PROGRAM>
• Use here:
host$ cd simics-workspace/
host$ compile-for-linux targets/ebony/helloworld-440
33
Load the Program on the Target
• Use simicsfs
– A special file system on the target machine
– Mounts the host machine file system
– Requires simicsfs driver in target linux
• Start Simics again
– Otherwise, we cannot type commands in the
target console
– Note that unlike VmWare (Player), Simics can
stop and hold execution of the target machine
34
Load the Program on the Target
• Start Simics simulation again
simics> c
• Mount the host & copy the program
$ mount /host
$ ls /host
– Navigate to /home/user/simicsworkspace/targets/ebony within simicsfs
$ cp helloworld-440 .
35
Run the Program on the Target
• Check that the program has been copied
$ ls
• And then run it
$ ./helloworld-440
36
Scripting the Target
• You can put breakpoints on console output
from the target, and send text to the target
simics> (ctrl-C) to stop simulation
simics> con0.input “helloworld-440\n“
simics> con0.break “# “
simics> c
• When simulation stops, try some other
input
37
Network Simulation
Target System
Regular Linux
networking API for
the applications
Linux talks to the
network device,
like on a real
machine
Simulated
machines send
packets onto the
simulated network
Application
Application
Linux 2.4
Linux 2.6
Ebony PPC 440 GP
Argo Navis MPC8641D
Simics
Ethernet Link
Simulation
Simics
39
Dual-core e600
machine from
Freescale
Starting the Network Target
• Use the provided target script
host$ ./simics targets/network/network.simics
• Use text editor to look at the script
– Note how machine scripts are called with
parameters
– If you want, try changing some parameters
40
Target System Consoles
Console on Ebony
Application
Application
Linux 2.4
Linux 2.6
Ebony PPC 440 GP
Argo Navis MPC8641D
Simics
Ethernet Link
Simulation
Console on
ArgoNavis
Simics
Simics console, for
the entire system
41
Boot the Network Target
• Tell Simics to run 2 billion instructions on
the ebony card
simics> current-processor
simics> c 2_000_000_000
• After the boot, check the time
simics> ptime –all
– Note that processors have different time
– The 8641D processors are higher clocked
42
Take a Checkpoint
• This boot took some time
• Save the outcome as a checkpoint for later
reference and instant “reboot”
simics> write-configuration netbooted.ckpt
• Check the result in second terminal:
– Should be in /home/user/simics-workspace
host$ ls
43
Try the Network
• Both targets have “ping” installed
– Ebony is 10.10.0.50
– ArgoNavis is 10.10.0.40
– Also try:
$ ifconfig
$ cat /proc/cpuinfo
44
Connect to the Outside World
• Tell Simics to create a bridge to the host
simics> connect-real-network 10.10.0.50
simics> c
– Simics network hides behind a simple NAT
router inside Simics
– With port-forwarding for incoming connections
– To connect to telnetd on ebony:
• In the second terminal window on the host
host$ telnet localhost 4023
45
Connect to the Outside World
Application
Application
Linux 2.4
Linux 2.6
Ebony PPC 440 GP
Argo Navis MPC8641D
10.10.0.50
10.10.0.40
Simics
Ethernet Link
Simulation
Simics
NAT
router
Simics
10.10.0.1
Host Linux
Host PC (VmWare)
46
Telnet
Quit Simics
• simics> exit
47
Compiling a Network Program
Network Test Programs
• targets/network/sender.c
– Simple program sending a single string
– Arguments: dest IP, dest port, string
• targets/network/receiverserver.c
– Simple daemon program
– Waits for connections from sender, prints the
received string on the console
– Argument: port to listen on
49
Compile the Network Programs
• Use the compile-for-linux script
host$ compile-for-linux targets/network/sender
host$ compile-for-linux targets/network/receiverserver
50
Load Programs on the Targets
• Start Simics from the checkpoint we took
host$ ./simics –c netbooted.ckpt
simics> ptime -all
• Use simicsfs again
– Simicsfs configured to point to targets/network
simics> ebony_hfs0.root
simics> argo_hfs.root
• Start simulation
simics> c
51
Load Programs on the Targets
• Ebony requires /host to be mounted
ebony$ mount /host
ebony$ cp /host/sender .
ebony$ ./sender
ebony$ umount /host
• Argo already has it mounted
Unmount /host to
maintain determinism in
the simulation. Typical
way things are done with
simicsfs.
argo$ cp /host/receiverserver .
argo$ ./receiverserver
argo$ ls -l
argo$ umount /host
Binary is big since argo (and
ebony) do not have many
shared files installed. Instead,
the programs are statically
linked.
• Save the simulation state
simics> ctrl-C
simics> write-configuration netswloaded.ckpt
52
Try Programs
• Argo navis: start receiver:
argo$ ./receiverserver 4000 &
argo$ ps
• Ebony: send a message:
ebony$ ./sender 10.10.0.40 4000 “hi there”
53
Source-Level Inspect & Debug
Quit and Restart Simics
• Exit Simics
• Start using the netswloaded checkpoint
host$ ./simics –c netswloaded.ckpt
simics> c
• Start the receiver program again, test it
– We took the checkpoint before it had started
55
Stop at Magic Breakpoint
• Sender program has a hook in it
– Magic breakpoint
• NOP on target
• Simics catches it and treats it specially
• Runs with no side effect on physical hardware
– Useful to find interesting points in SW loads
• To stop when magic executes:
simics> magic-break-enable
56
Stop at Magic Breakpoint
• Rerun sender program, wait for stop
ebony$ ./sender 10.10.0.40 4000 “help!”
– ...”magic instruction (or r0,r0,r0)”
• When Simics has stopped, set up for debug
– simics> run-command-file
targets/network/sendersymbols.simics
– Loads the debug symbols for sender and sets up Simics
so that it uses the symbols to display the code
– Note that debug symbols are non-trivial in a system
environment like Simics: multiple machines, multiple
processors, operating systems and programs running
57
Single-Step Program
• Watch the network traffic as we go
simics> link0.log-level 3
• Single-step on Ebony
– Note that argo is also stopped
simics> next
– A few times to see when packets start flying
– And to see the message displayed on argo
• Complete the program execution
58
Let’s Do It in Reverse
• Stop Simics, enable backwards debugging
simics> set-bookmark start
simics> list-bookmarks
simics> c
ebony$ ./sender 10.10.0.40 4000 “test reverse”
– ...
simics> next
– Until message has been delivered, and then
simics> rnext
– To step backwards in the program execution
– Notice that output disappears on argo
59
Free-Run Reverse
• Stop Simics catching magic breakpoint and
reverse execution
simics> magic-break-disable
simics> reverse
• Note activity on serial consoles
• An go back to forwards execution
simics> c
– Note that input is replayed just like you typed it
60
Symbols for Receiver
• Activate symbol information for Argo
simics> run-command-file target/network/receiversymbols.simics
– Also includes the kernel symbol information
• Set breakpoint on “recv” call in receiver
simics> break –x (sym “recv”)
• Send a message from ebony, wait for
breakpoint
simics> current-processor
simics> where
61
Symbols for All
• Also see what is happening on the sender
simics> pselect ebony_cpu0
simics> where
• Try source breakpoints on the receiver
simics> pselect argo_cpu0
simics> break (pos receiversender.c:54)
simics> list-breakpoints
simics> delete (some breakpoint)
– When simulation stops, try next, rnext, etc.
62
Hardware Access Break
• Simics lets you break on hardware access
simics> break-io ebony_emac0
– Then start sender program again, wait for break
simics> where
simics> list main 37
63
Running a Machine with no OS
A Machine with No OS
• Target: targets/ppc-simple
– Only a PPC603e CPU, memory, and serial-port
• Look at the script ppc-simple-uartdriver.simics
– load-binary used to put a program in memory
– set-pc to point PC to program start point
– write-reg r1 to setup stack pointer
• Start it and inspect the system setup
host$ ./simics targets/ppc-simple/ppc-simple-uart-driver.simics
simics> list-objects
simics> phys_mem.map
65
Run the Program
• You can single-step or run free
– Symbols for the program are loaded
– Right from the first instruction
– Very useful for operating system debug
simics> si
simics> ptime
simics> next
– ...
simics> reverse 4000 (when reached for(;;))
66
Device Modeling
Add a DMA Controller
• Simics provides the Device Modeling
Language to write new devices for targets
– New devices are easy to add
– DML is a very efficient device modeling system
• We will add a simple DMA controller to ppcsimple and do a polled device driver for it
68
Building a new Device Model
• Device models located in the workspace:
– /home/user/simics-workspace/modules/
host$ cd /home/user/simics-workspace
host$ ls modules/
• Modules built from workspace top-level
host$ make clean
host$ make
69
The Simics Equation
Simics API
High Speed ISS
Instruction Set
Simulators
Fast
CPU Models
DML
User
Interface
Simulation
Infrastructure
Event Queue
Debug Features
Interface to 3rd Party Tools
70
Device Modeling
Language
Simics Architecture
Programs
Target Operating System
Processors
Standard Devices
Networks
Custom Devices
Simics Core
Multiprocessor
Checkpointing
Advanced
Breakpoints
Proven API
Configuration
Multiple
Machines
Determinism
Virtual Memory
Events
32/64-bit
Handling
Distribution
Visibility
Scalability
Virtual Time
Endianness
Handling
Profiling
Tracing
Timing Models
Real Network
Debugging
Fault Injection
Test Harnesses
Reverse Execution
Simics
71
Simics Architecture
Provided by
Virtutech
Added by Virtutech,
user, or third party
consultant
Programs
Target Operating System
Processors
Standard Devices
Networks
Custom Devices
Simics Core
Multiprocessor
Checkpointing
Advanced
Breakpoints
Proven API
Configuration
Multiple
Machines
Determinism
Virtual Memory
Events
32/64-bit
Handling
Distribution
Visibility
Scalability
Virtual Time
Endianness
Handling
Profiling
Tracing
Timing Models
Real Network
Debugging
Fault Injection
Test Harnesses
Reverse Execution
Simics
72
What is DML?
• A simple declarative language for modeling
devices
–
–
–
–
–
A C-like syntax for model semantics
Declarative structures for interfaces
Encourages compactness and readability
Reduces the risk of errors
Reduces the code length
• Designed for hardware device modeling in
Simics
– Makes using the Simics API much simpler
– Generates bulky repetitive code for you
• Compiled using dmlc – as you have already
73
seen
Simple DMA Device in DML
So What is Modeled?
• To start DMA:
–
–
–
–
–
DMA_source <- address to transfer from
DMA_dest <- address to transfer to
DMA_control.EN <- 1 to enable DMA
DMA_control.SWT <- 1 to start DMA from SW
DMA_control.TS <- # words to transfer
• Status reporting when completed:
– DMA_status.TC
• Set to one when transfer completed, cleared by SW
– DMA_control.SWT <- 0
– DMA_source & DMA_dest updated
75
Look at the Source Code
• Open the text editor
• Look at
modules/simple_dma/simple_dma.dml
76
DML General Syntax
• Comments
– Both C style /* … */ and C++ style //
• Statements
– Terminate with a semi-colon
• Block and Scope
– C style using { and }
• Literals
–
–
–
–
–
C style
Integers: 123 and 0b11110101 and 0x5ab3
Floating-point: 3.1415 and 6.6e-11
Strings: "hello world"
Booleans: true or false
77
DML General Syntax
• Object names prefixed with $
– $DMA_source
– $event
• Sub-objects accessed using dot notation
– $DMA_control.TS
– call $event.post(time,data)
• Many objects take description strings in declaration
– register MSR “Master Status Register”;
• Methods called explicitly, or inlined
– call $method(...)
– inline $method(...)
78
DML General Syntax
• Arrays and Subscripts
– A mix of C and Python style using [ and ]
• Log command built into language
– log “info”, 2 : “device model doing something”;
• Objects can be declared in any order
– No need to declare objects before use
– DMLC compiler resolves all dependencies and names
• Many objects have default methods
automatically generated by the DML
compiler
– post in events
– read, write for registers
79
Driver Software
• The file targets/ppc-simple/dmadriver.c
• Compile using compile-for-no-os script
host$ compile-for-no-os targets/ppc-simple/dmadriver
–
–
–
–
Does not rely on any part of libc
Compiles for a static start address of code
Loaded just like UART driver
Polled driver for simplicity
80
Testing the DMA Device
• Start Simics:
host$ ./simics targets/ppc-simple/ppc-simple-dma.simics
• Investigate the machine setup:
simics> list-objects
simics> help dma0
simics> phys_mem.map
• Increase logging to see all activity in device
simics> dma0.log-level 2
81
Testing the DMA Device
• Look at the evolving device state
– Using Simics attributes
• Attributes export the complete state of a device
• Used for inspection, state change, and checkpoints
• Auto-generated for all registers in DML
– Use OBJECT->ATTRIBUTE to get & set
simics> output-radix 16 2
simics> dma0->b_DMA_control
simics> dma0->b_DMA_status
82
Interfaces of a Device Model
Programs
Target Operating System
Processor
Memory access
Simics
Core
read()
implements
write()
connect
get()
connect
implements
get or set
attributes
CLI or Python
Script
set()
Device
Checkpointing
Register
Device
Simics
83
Testing the DMA Device
• To let us follow the activity, stop on each
access to the DMA device
simics> break-io dma0
• Start simulation with “continue” (c)
– It will stop at each access
– When stopped, look at attributes and the log
simics> dma0.log
84
Testing the DMA Device
• After access to DMA_source and DMA_dest,
look at the source and dest of the DMA
simics> x (dma0->b_DMA_source)
simics> x (dma0->b_DMA_dest)
85
Testing the DMA Device
The DMA driver program
prints what it thinks is
going to be copied
Simics prints the next
instruction (and source
line) to execute
Memory contents of
destination before
copying using DMA
86
Testing the DMA Device
• When simulation stops before the line:
52 *dma_control = DMA_SWT | DMA_EN | count;
• Do ”next” to get to the next line
• Note the log about delay to completion
• Look at the Simics event queue
simics> peq
87
Testing the DMA Device
• Advance simulation until DMA completes
simics> unbreak-io dma0
simics> c 49151
• Check state of things
simics> dma0->b_DMA_status
simics> x 0x22000
• Finish program work
simics> c 100_000
88
That’s It!
Summary
• Simics models runs the real software
– Single & multiple boards and processors
– Models can be extended with new devices
– Used as an alternative to physical hardware
• Simics is powerful debug system
–
–
–
–
Inspect both software and hardware
Reverse debugging for arbitrary systems
Global stop
Breakpoints impossible on real hardware
• Simics can be scripted and automated
90
What Now?
• Feel free to play around with Simics using
the tools we have seen today
• If you want to keep playing with Simics,
copy the VmWare player image you used
– It is about 2GB in size, fits on a large USB stick
– License is valid for about one more week
• If you want to discuss more, grab me during
the conference
– I also have a talk about Simics on Thursday
91
Inside the DML File
DML File Structure
• dml 1.0;
– Declare language version
– Multiple versions can be in use simultaneously
• device simple_dma;
– Declare the name of the class of the device
– Multiple objects of the same class can be used
• parameter documentation = “...”;
– Provide simple description of the device
– Accessible in Simics help system
93
DML File Structure
• import “....dml”;
– Import files containing functionality to use
• constant time_per_byte=...;
– Declare symbolic constants for use in the code
• connect target_mem_space ...
– Connect to other parts of the simulated system
– Here: the memory space (phys_mem)
– Needed so that the device can read & write memory
94
DML File Structure
• bank b { ... }
– Declares a bank of one or more registers
– Registers can contain fields
– Bank is memory-mapped in system configuration
• The device does not know where it is mapped
• A device can have many banks, each mapped separately
– Registers specify offsets in the bank
– Provides settings for all registers in the bank
• Byte order – big-endian here, we attach to a PPC processor
• Size (if uniform)
– The core of the DML device model
95
DML File Structure
• register DMA_control size 4 @ 0x00 “...” {
– Declare a register of 4 bytes at offset zero
• field EN[31]
– A single-bit field inside the register
– We use little-endian bit order here, i.e the usual way with the leastsignificant bit being bit zero
– PowerPC-attached devices often use big-endian bit numbering
since that is IBM standard
– By default, registers and fields store values written
• field TS[15:0]
– 16-bit field
• method after_write() { ... }
– Performs an action after all fields of the register has been written
– Standard way to handle activity in a register split into fields
96
DML File Structure
• register DMA_source size 4 @ 0x08 {
– A full 32-bit register
• method write(value) {
– Called when the register is written to
– Counterpoint is method read()->(value)
• log “info”, 2 : ...
– Print a log message when the register is written
– $qname = name of the register
• $this = value
– Store value written as the value of the register
97
DML File Structure
• method do_dma_transfer()
– The actual work of DMA_control.after_write()
• inline $complete_delay_ev.post(...)
– ”post” function is automatically generated for event
– Post an event to complete the DMA operation later
– Time computed from number of words to transfer
• event complete_delay_ev {
– Declares the event used to delay completion of the
DMA operation
• method event(data) {
– Called when event triggers, i.e. DMA is to complete
98
DML File Structure
• method complete_dma () {
– Performs the actual movement of data
– In one chunk, after the time needed to transfer
• More efficient than modeling piecewise movement
• Typical for Simics transaction-oriented modeling
– Called from the event posted by after_write()
– Reads and modifies values of registers and
fields in the bank
99
Remember!
Enter the evaluation form and be a part of making Øredev even better.
You will automatically be part of the evening lottery
100