QEMU's Semihosting & TCG Plugins: Deep Insights for Emulation and Analysis
QEMU’s Tiny Code Generator (TCG) enables cross-architecture emulation, but its true power emerges through advanced features like semihosting and the TCG plugin framework. These tools provide unprecedented visibility into guest systems—critical for firmware developers, security researchers, and performance engineers.
Semihosting: Bridging Host and Guest
Semihosting allows guest code (especially bare-metal firmware) to use host resources through a defined ABI: the guest places an operation number and an argument pointer in registers and executes a trap instruction that QEMU intercepts and services on the host. In pseudocode:
SYS_WRITE0("Hello from guest!"); // Output to host console
Key characteristics:
- Supported Architectures: Arm, RISC-V, MIPS, m68k, Xtensa (system/user-mode support varies)
- Use Cases:
  - Early bootloader debugging
  - Test case execution without OS dependencies
  - Embedded development with limited I/O
- Security Warning: Semihosting bypasses guest-host isolation. Untrusted code can corrupt host files or hang the emulator via blocking calls like SYS_READC. Only enable it for trusted workloads.
- Redirection: Output can be piped to files/sockets via QEMU's chardev system or GDB.
TCG Plugins: Deep System Observability
Plugins passively monitor guest execution at instruction granularity without modifying state. Enabled by default in modern QEMU builds, they are loaded with the -plugin option; plugin output goes to QEMU's log, so enable the plugin log category and direct it to a file:
qemu-x86_64 -plugin ./contrib/plugins/hotpages.so,io=on -d plugin -D log.txt ./guest_binary
Essential Plugins & Use Cases:
- hotblocks:
  - Identifies frequently executed basic blocks
  - Critical for JIT optimization analysis
- hwprofile:
  - Tracks hardware MMIO access (-plugin hwprofile.so,source)
  - Reveals device driver interaction patterns
- execlog:
  - Logs every instruction + memory access (massive output)
  - Pair with Capstone for disassembly
  - Filter: -plugin execlog.so,ifilter=call*,afilter=0x4000-0x8000
- cache:
  - Simulates L1/L2 caches
  - Configurable size/associativity/eviction policies
  - Measures thrashing, e.g. icache misses: 19.31% (13,485,492 misses)
- uftrace:
  - Generates Perfetto-compatible traces
  - Supports user/system mode across x86/Arm
  - Requires -fno-omit-frame-pointer in guest code
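As an added example (not code from the page or from QEMU itself), here is a small host-side auditor over execlog output: it parses each logged instruction with its memory accesses, narrows the trace the way ifilter/afilter do, and flags stores landing in a region that should only ever hold code. The line layout follows the execlog format shown in QEMU's plugin documentation; the sample lines, addresses and the 0x8000-0x9000 "code only" region are constructed for the demo.

```python
import re
from collections import namedtuple

# Constructed sample in the line format used by QEMU's execlog plugin:
#   <cpu>, <insn vaddr>, <opcode>, "<disassembly>"[, load|store, <addr>, value <v>]...
# Addresses, opcodes and the 0x8000-0x9000 "code only" region are made up for this demo.
SAMPLE_LOG = """\
0, 0x00008000, 0xe59f1010, "ldr r1, [pc, #16]", load, 0x00008018, value 0x20001000
0, 0x00008004, 0xe3a00042, "mov r0, #66"
0, 0x00008008, 0xe5810000, "str r0, [r1]", store, 0x20001000, value 0x00000042
0, 0x0000800c, 0xe3a02001, "mov r2, #1"
0, 0x00008010, 0xe5812004, "str r2, [r1, #4]", store, 0x00008100, value 0x00000001
0, 0x00008014, 0xeafffffe, "b #0x8014"
"""

INSN_RE = re.compile(r'^(\d+), (0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+), "([^"]*)"(.*)$')
MEM_RE = re.compile(r', (load|store), (0x[0-9a-fA-F]+)(?:, value (0x[0-9a-fA-F]+))?')
Insn = namedtuple("Insn", "cpu vaddr opcode disas mem")  # mem: [(kind, addr, value|None)]

def parse_execlog(text):
    """Parse execlog lines; non-matching lines (banners, blank lines) are skipped."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        mem = [(kind, int(addr, 16), int(val, 16) if val else None)
               for kind, addr, val in MEM_RE.findall(m.group(5))]
        insns.append(Insn(int(m.group(1)), int(m.group(2), 16),
                          int(m.group(3), 16), m.group(4), mem))
    return insns

def select(insns, prefix=None, lo=None, hi=None):
    """Host-side narrowing in the spirit of ifilter (mnemonic prefix) / afilter (vaddr range)."""
    return [i for i in insns
            if (prefix is None or i.disas.startswith(prefix))
            and (lo is None or lo <= i.vaddr) and (hi is None or i.vaddr < hi)]

def stores_into(insns, lo, hi):
    """Flag every store whose target lies in [lo, hi), e.g. a region meant to hold only code."""
    return [(i.vaddr, i.disas, addr) for i in insns
            for kind, addr, _ in i.mem if kind == "store" and lo <= addr < hi]

if __name__ == "__main__":
    trace = parse_execlog(SAMPLE_LOG)
    for vaddr, disas, target in stores_into(trace, 0x8000, 0x9000):
        print(f"store into code region at 0x{vaddr:x}: {disas} -> 0x{target:x}")
```

On a real run, feed the log file written by -d plugin -D into parse_execlog and set the region bounds from the guest's memory map.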
Why This Matters
- Semihosting accelerates bring-up of low-level code but demands strict trust boundaries.
- Plugins transform QEMU into a runtime analysis powerhouse—enabling cache simulation, security audits, and hardware profiling without physical hardware.
For developers working on hypervisors, embedded systems, or vulnerability research, these features provide surgical precision for introspection tasks that traditional debuggers can’t match.
Source: QEMU Emulation Documentation