- Generated on Sat May 3 2025 20:15:08 for OpenVADL by
1.13.2
|
OpenVADL (463b4edb)
open-vadl
|
OpenVADL lets users generate a functional instruction set simulator from a VADL specification. It uses QEMU to achieve high performance simulation and enabling convenient QEMU features such as GDB debugging.
Specifically, OpenVADL generates a QEMU guest frontend integrated into the QEMU system. The currently used QEMU version is 9.2.2.
To generate an ISS, your VADL specification must contain a processor definition, which serves as the entry point of the ISS generator.
If you generate the ISS the first time, you may want to include the --init flag. This will download and extract the correct QEMU version for you. For all subsequent generations calls, you won't need this argument.
The ISS is written to ./gen/iss and contains the whole QEMU project including the generated guest frontend.
Before building it, you must install all the necessary dependencies for QEMU. Please follow this official guide to install everything necessary.
Follow these steps:
The target name used in step 4. matches the ISA defined in the processor section of your VADL specification.
To customize it, use the [ target name : <custom-name> ] annotation.
To see all available targets, including your own, run ../configure --target-list.
If everything worked, the build directory should contain a qemu-system-mytarget executable.
To run a guest binary, invoke it with:
In the following, we explore the RV64IM RISC-V processor specification in VADL, inspect the generated simulator, and learn how to run real programs.
The open-vadl repository contains the sys/risc-v/rv64im.vadl VADL specification.
Although it includes more than just the processor definition, we will concentrate on that part, as it's the one to customize the generated ISS.
As the name implies, this processor is based on the RISC-V Spike simulator. The Spike board is not a real hardware specification, but it's widely used for testing and simulation.
The processor implements the RV64IM RISC-V 64-bit ISA with the base Integer and Multiplication extensions. Any program we want to run must be compiled for rv64im, otherwise the simulator will fail on unsupported instructions.
It also uses the [ htif ] annotation, referencing the Host-Target Interface used in Spike. In full-system simulation, programs can't exit the simulation on their own—HTIF provides a mechanism to send and receive commands between the guest and host. We'll see later how to use this in practice.
The reset block in the processor definition specifies how the CPU state is initialized on reset.
This typically happens when the simulation starts.
Here, the program counter (defined in the ISA) is set to 0x1000, pointing to the reset vector in MROM.
All other registers and CPU state default to zero.
The processor also defines memory regions, each with a type (e.g., RAM), a name (e.g., DRAM), and an associated address space, represented by a memory definition—in this case, MEM from the RV64IM ISA. The [ base: 0x8000000 ] annotation sets the start address of the region in the address space. Optionally, you can specify a [ size : <size> ], though one RAM region can remain unbounded and rely on available host memory. The [ firmware ] annotation indicates that firmware passed via QEMU's -bios flag should be loaded at the start of this region.
In addition to DRAM, the Spike board also defines a MROM region:
This region is of type ROM, meaning it's non-volatile and initialized during board setup. It remains read-only throughout the simulation. It acts as the reset vector, setting up initial CPU state and jumping to the firmware entry point at 0x80000000—the start of the DRAM region. This region doesn't need [ base ] or [ size ] annotations, since OpenVADL infers those from the initialization code. Also note: this reset vector is executed at simulation start, as the program counter is set to 0x1000 in the reset block we discussed earlier.
Now that we've reviewed the RV64IM processor definition, we can move on to generating the QEMU frontend.
Because we added the --init option, the command first downloads and extracts QEMU to ./gen/iss, then generates the frontend based on our specification.
Several files are generated, but the key ones are under target/rv64im and hw/rv64im in the QEMU project.
target/rv64im contains all CPU/ISA-related files, including the CPU state, instruction translation, and exception handling. In cpu.h, we can inspect the generated CPU state:
This contains the register file X and the PC register, as defined in our ISA.
In translate.c, we find all TCG translation functions for each instruction. QEMU uses these functions to translate guest instructions into its intermediate TCG representation. This is then compiled to host code by the QEMU backend for execution.
For example, if QEMU encounters an ADD RISC-V instruction, which is defined in VADL as
it will call this function to produce a sequence of TCG operations that add two registers:
Let's build the QEMU executable to run our first program.
First, configure QEMU to use our generated target in the build directory. The target name is derived from the ISA used in the processor definition (in lowercase). After configuration, build QEMU to get an executable named qemu-system-rv64im.
Next, we need a RISC-V program to run. To build one, install the RISC-V GNU Toolchain.
Once your toolchain is ready, write your first hello.c program:
Here you can see the [ htif ] annotation in action, as defined in the processor specification. We declare two global variables, tohost and fromhost, used to communicate with the host. When the firmware is loaded as an ELF, QEMU locates these symbols and maps them to the HTIF MMIO handler, which is triggered on read/write access.
do_tohost function writes 64-bit values to tohost, but first waits until the handler is ready ( while (tohost)).terminate function sends an exit command with an exit code to the HTIF.cputchar function sends a character to device 1 (stdout) using command 1 (write).For details on the HTIF implementation, see hw/char/riscv_htif.c in the QEMU project.
Since we're writing a bare-metal program, we need to provide a custom linker script (link.ld).
From our MROM and reset definitions, we know execution begins at 0x80000000 after reset. Therefore, our entry point must be at this address. We place the .text.init section at 0x80000000. This section will contain startup assembly code that we define next. Following .text.init, we place the C program, then a gap of at least 0x8000 bytes, and finally define __stack_top at the end. This gap acts as the stack, which must be initialized at the start of execution.
The last step is writing the init.S file, which defines the .text.init section.
This minimal _start assembly sets the stack pointer (X2) to the __stack_top address defined in the linker script, then jumps to the main function from hello.c. If we don’t initialize the stack pointer, it defaults to 0 (as per the reset procedure).
This would lead to a write to address 0x0 when building main’s stack frame—an invalid, non-writable memory region—causing an exception.
Now that everything is in place, we can compile and link the program into an ELF executable.
There are a few important flags to note during compilation:
-mcmodel=medany: Required because the default medlow model only supports symbols to have an absolute address of ±2 GiB. Our code starts at 0x80000000, which exceeds that range.-march=rv64im -mabi=lp64: Ensures the compiler only uses instructions defined in the I and M extensions, matching our ISA spec.-nostartfiles: Prevents the default crt0.S startup from being linked. We use our custom init.S instead.Now that we have our hello ELF file, we can run it and get the following output:
Note: The above example—especially init.S and link.ld—is intentionally minimal and omits many proper handling steps.
However, it’s enough to demonstrate how to run simple C programs.
1.13.2