Dynamically Translating x86 to LLVM using QEMU

QEMU [1] is a system emulator that can run unmodified guest operating systems on a host OS, where the guest and host CPU architecture can be different. For example, QEMU can run x86 guest OSes on a MIPS host, or even x86 on x86 (e.g., a Windows guest on a Linux host). QEMU emulates a complete system including processors, devices, and chipsets. More implementation details regarding QEMU are available in [1]. In this paper, we focus on the design and implementation of the LLVM backend for QEMU. LLVM [5] is a compiler framework which can optimize programs across their entire lifetime, including compile-time and run-time. It also performs offline optimizations. The LLVM backend converts the guest instruction set to LLVM bitcode, optimizes this bitcode, and turns it back to x86, using the JIT capabilities of the LLVM run-time. We build upon an existing attempt to write an LLVM backend for QEMU [6]. The LLVM backend can be used for several purposes. We interfaced QEMU with the KLEE symbolic execution engine to test OS kernel, drivers, and applications [3]; we also use the LLVM backend for device driver testing [4] and reverse engineering [2]. The paper is structured as follows. First, we explain how QEMU runs unmodified guest OSes (§2), then we describe the specificities of the LLVM backend (§3), how it is implemented (§4), evaluate its performance (§5), discuss the limitations (§6), and conclude (§7).