In this project, we have implemented two indirect branch handling mechanisms, a shadow stack and an indirect branch target cache (IBTC), in the QEMU full-system emulator to improve indirect branch performance.
The indirect branch target cache works similarly to a hardware cache, but each entry maps a guest branch target to the address of the corresponding translated code fragment in the code cache.
Each time a cache lookup succeeds, the indirect branch can jump directly to that target address instead of returning to the emulation engine to look it up.
The following picture shows how IBTC works.
A shadow stack is used to accelerate the search for the branch target when the current instruction is a return instruction.
The address of the translation block corresponding to the instruction following the function call is pushed onto the shadow stack when the call is executed.
When the callee returns, the top of the shadow stack is popped, and the popped address is the translation block of the return address.
The following picture shows how shadow stack works.
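The following is an added example written for this README, not code from the a110605/qemu project: a small model of the two mechanisms described above. Guest program counters and code cache addresses are plain integers, and `lookup_tb_slow()` is a hypothetical stand-in for the emulation engine's translation-block lookup. It also shows the two checks a practitioner would want that the description leaves implicit: an IBTC entry must be flushed when translated code is invalidated, and a shadow stack pop must be compared against the return address actually read from the guest stack, falling back to the engine when they disagree.

```c
/* Added example, not part of the original project: a toy indirect branch
 * target cache (IBTC) and shadow stack for a binary translator. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define IBTC_SIZE 256            /* power of two: direct-mapped cache */
#define SHADOW_STACK_DEPTH 64

/* One IBTC entry: guest branch target -> host address of its translated block. */
typedef struct { uint32_t guest_pc; uintptr_t host_addr; bool valid; } ibtc_entry_t;
/* One shadow stack entry: guest return address and host code for that block. */
typedef struct { uint32_t ret_pc; uintptr_t host_addr; } shadow_entry_t;

static ibtc_entry_t ibtc[IBTC_SIZE];
static shadow_entry_t shadow_stack[SHADOW_STACK_DEPTH];
static size_t shadow_sp;
static unsigned long slow_hits;      /* how often we fell back to the engine */

/* Hypothetical stand-in for the engine's TB lookup/translation (assumption):
 * derives a fake host address deterministically from the guest pc. */
static uintptr_t lookup_tb_slow(uint32_t guest_pc) {
    slow_hits++;
    return 0x10000000UL + (uintptr_t)guest_pc * 16;
}

/* i386 code is byte aligned, so fold higher bits in instead of shifting. */
static inline size_t ibtc_index(uint32_t guest_pc) {
    return (guest_pc ^ (guest_pc >> 8)) & (IBTC_SIZE - 1);
}

/* Indirect branch: consult the IBTC first; on a miss ask the engine and fill. */
uintptr_t ibtc_resolve(uint32_t target_pc) {
    ibtc_entry_t *e = &ibtc[ibtc_index(target_pc)];
    if (e->valid && e->guest_pc == target_pc)
        return e->host_addr;                  /* hit: go straight to the code cache */
    uintptr_t host = lookup_tb_slow(target_pc);
    e->guest_pc = target_pc; e->host_addr = host; e->valid = true;
    return host;
}

/* Must run whenever translated code is invalidated (code cache flush,
 * self-modifying code): a stale host address would transfer control into
 * freed or rewritten code. */
void ibtc_flush(void) { memset(ibtc, 0, sizeof ibtc); }

/* call: push the block that follows the call instruction. On overflow the
 * oldest frame is dropped so the most recent calls stay accelerated. */
void shadow_push(uint32_t ret_pc, uintptr_t host_addr) {
    if (shadow_sp == SHADOW_STACK_DEPTH) {
        memmove(&shadow_stack[0], &shadow_stack[1],
                (SHADOW_STACK_DEPTH - 1) * sizeof shadow_stack[0]);
        shadow_sp--;
    }
    shadow_stack[shadow_sp].ret_pc = ret_pc;
    shadow_stack[shadow_sp].host_addr = host_addr;
    shadow_sp++;
}

/* ret: pop and verify against the return address read from the guest stack.
 * A longjmp, a mismatched call/ret pair or a hand-edited guest stack makes
 * them differ; then the prediction is discarded and the engine is consulted. */
uintptr_t shadow_pop(uint32_t actual_ret_pc) {
    if (shadow_sp == 0)                       /* underflow: nothing to predict */
        return lookup_tb_slow(actual_ret_pc);
    shadow_entry_t *top = &shadow_stack[--shadow_sp];
    if (top->ret_pc == actual_ret_pc)
        return top->host_addr;
    shadow_sp = 0;                            /* desynchronised: resync from empty */
    return lookup_tb_slow(actual_ret_pc);
}

unsigned long slow_path_count(void) { return slow_hits; }
size_t shadow_depth(void) { return shadow_sp; }
void reset_all(void) { ibtc_flush(); shadow_sp = 0; slow_hits = 0; }

int main(void) {
    reset_all();
    ibtc_resolve(0x1000);                     /* miss */
    ibtc_resolve(0x1000);                     /* hit */
    shadow_push(0x2004, ibtc_resolve(0x2004));
    shadow_pop(0x2004);                       /* verified prediction */
    shadow_push(0x3000, ibtc_resolve(0x3000));
    shadow_pop(0x4000);                       /* mismatch -> slow path */
    printf("slow path taken %lu times, shadow depth %zu\n",
           slow_path_count(), shadow_depth());
    return 0;
}
```

The verification step in `shadow_pop` is the part that matters for correctness: the shadow stack only predicts the host address, and the guest's own stack remains the source of truth, so a prediction that does not match the real return address must never be followed.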
# git clone https://github.com/a110605/qemu.git
# cd qemu
# ./configure --target-list=i386-linux-user
# make
The qemu executable is located at i386-linux-user/qemu-i386 after make.
The optimization functions are implemented in [qemu_dir]/optimization.c.
For more detailed information, please refer to the following documents: