QEMU simulates with style
Open-source QEMU straddles virtualization-emulation line with aplomb
Imagine walking up to a friend running Windows on a laptop and asking to borrow the machine for a moment. You plug a pendrive into its USB port, open a window that boots into Linux, log on to a Web site, and download a file, then close the window, remove the pendrive, thank your friend, and walk away -- leaving your friend’s Windows session unaffected.
While that scenario has a high coolness factor, its utility is a bit limited. But what if you want to install a new application on your Windows system and you’re unsure of that application’s trustworthiness? You quickly launch Windows in a virtual environment and start the app in that environment; sure enough, it crashes horribly. You shrug, close the virtual environment, throw it away, and resume your normal Windows activities. No harm done.
Users of VMware’s powerful virtualization system have enjoyed this capability for some time. Now, the open source world has a tool that offers similar powers: QEMU, the brainchild of France’s Fabrice Bellard. While not as robust as commercial virtualizers, QEMU’s features set the stage for not only running x86 Linux on x86 Windows (and vice versa), but running just about any OS, regardless of processor, on Windows and Linux.
Behind the Magic
Strictly speaking, QEMU is an emulator, not a virtualizer. That is, the code of the “guest OS” is translated and executed by the processor of the “host OS,” so a QEMU-enabled host system running x86, 64-bit x86, or PowerPC (testing is underway to add Alpha, Sparc, ARM, and IBM S/390) can run a guest OS executing x86, ARM, Sparc, PowerPC, or MIPS instructions. A version for Mac OS X is still in its infancy, but on the way. The full matrix of guest OSes that have been verified for each host OS is large and in a constant state of flux; check claunia.com/qemu/ for the most up-to-date combinations.
QEMU performs its emulation magic using a technique called “dynamic binary translation.” As guest code executes, QEMU identifies “translation blocks” (TBs) -- sequences of instructions terminated by a jump or branch instruction. Because there are no branches within a block, a TB executes linearly, which considerably reduces the work QEMU must perform to emulate that code.
QEMU then walks through the TB, translating each instruction into equivalent “micro operations” that will be executed on the host. Some optimization is performed during the translation (such as removing redundant operations whose results are known not to have any effect outside of the TB), after which the resulting micro operation code is executed on the host.
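To make the translation-block scheme concrete, here is a toy dynamic binary translator written as an added example for this article; it is not QEMU's code, and its guest instruction set, micro-op names and sample program are invented. It cuts guest code into TBs at the first branch, expands each instruction into micro operations, drops zero-flag updates that a later instruction in the same block overwrites before any branch reads them, and caches each translated block by its start address.

```python
# Toy dynamic binary translator on the model described above (constructed example;
# the guest ISA, micro-op names and program are not QEMU's own formats).
def translate_tb(code, pc):
    """Cut the TB starting at pc (it ends at the first branch) and expand it to micro-ops."""
    ops, end = [], pc
    while True:
        ins, end = code[end], end + 1
        if ins[0] == "mov":
            ops.append(("set", ins[1], ins[2]))
        elif ins[0] in ("add", "sub"):   # arithmetic also sets the zero flag (ZF)
            ops += [(ins[0], ins[1], ins[2]), ("zf", ins[1])]   # ZF := dst == 0
        else:                            # jmp / jnz / halt: block ends here
            ops.append(ins)
            return ops, end              # end is the fall-through address

def optimise(ops):
    """Drop 'zf' micro-ops overwritten inside the TB before any 'jnz' reads them."""
    live, kept = True, []                # ZF is live at TB exit: later code may use it
    for op in reversed(ops):
        if op[0] == "jnz":
            live = True
        elif op[0] == "zf":
            if not live:
                continue                 # redundant: a later 'zf' in this TB wins
            live = False
        kept.append(op)
    return kept[::-1]

def run(code, max_steps=10000):
    """Execute guest code; returns (registers, number of TBs translated)."""
    regs, zf, pc, cache = {"r0": 0, "r1": 0, "r2": 0}, False, 0, {}
    for _ in range(max_steps):
        if pc not in cache:              # translate on first entry, reuse afterwards
            ops, fallthrough = translate_tb(code, pc)
            cache[pc] = (optimise(ops), fallthrough)
        ops, fallthrough = cache[pc]
        for op in ops:
            if op[0] == "set":    regs[op[1]] = op[2]
            elif op[0] == "add":  regs[op[1]] += regs[op[2]]
            elif op[0] == "sub":  regs[op[1]] -= regs[op[2]]
            elif op[0] == "zf":   zf = regs[op[1]] == 0
            elif op[0] == "jmp":  pc = op[1]
            elif op[0] == "jnz":  pc = fallthrough if zf else op[1]
            elif op[0] == "halt": return regs, len(cache)
    raise RuntimeError("guest did not halt")

# Constructed guest program: r1 = 5+4+3+2+1, looping while r0 counts down to 0.
PROGRAM = [("mov", "r0", 5), ("mov", "r1", 0), ("mov", "r2", 1),
           ("add", "r1", "r0"), ("sub", "r0", "r2"), ("jnz", 3), ("halt",)]
```

Running `run(PROGRAM)` translates three blocks (the loop entry, the loop body re-entered at address 3, and the final halt); the `zf` after the `add` is dropped in both loop blocks because the following `sub` overwrites it before `jnz` reads it.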
In the case of x86-on-x86 execution, QEMU does become a virtualizer. Much of the emulation is bypassed, and the new KQEMU Accelerator module allows QEMU to run both user and kernel-mode code at near full speed. (User code executes at full speed; according to an estimate by Bellard, 90 percent of kernel-mode code will execute at full speed with the accelerator enabled.)
When the accelerator is activated, the QEMU emulator simply examines the code to verify that it can be executed natively, and dispatches it to the accelerator. The code runs at full speed until the next exception, interrupt, or virtual device access; QEMU then steps in and provides the service needed to maintain the virtual environment. One note: The Accelerator module is closed-source. It’s still free and can be used in a commercial application, but you need permission to redistribute it.