Binary translation
In computing, binary translation (or (binary) recompilation) is the emulation of one instruction set by another through translation of binary code. Sequences of instructions are translated from the source to the target instruction set. In some cases such as instruction set simulation, the target instruction set may be the same as the source instruction set, providing testing and debugging features such as instruction trace, conditional breakpoints and hot spot detection.
The two main types are static and dynamic binary translation. Translation can be done in hardware (for example, by circuits in a CPU) or in software (e.g. run-time engines, statical recompiler, emulators).
Motivation
Motivation for using the complex process of binary translation is either that a compilation of the source code to the destination platform or instruction set is not available (or technically problematic) or when the source code is plainly not available anymore (Abandonware).
Performance-wise static recompilations have the potential to achieve a better performance than real emulation approaches as in optimal case one overhead introducing interface is removed.
Static binary translation
A translator using static binary translation aims to convert all of the code of an executable file into code that runs on the target architecture without having to run the code first, as is done in dynamic binary translation. This is very difficult to do correctly, since not all the code can be discovered by the translator. For example, some parts of the executable may be reachable only through indirect branches, whose value is known only at run-time.
One such static binary translator uses universal superoptimizer peephole technology (developed by Sorav Bansal, and Alex Aiken from Stanford University) to perform efficient translation between possibly many source and target pairs, with considerably low development costs and high performance of the target binary. In experiments of PowerPC-to-x86 translations, some binaries even outperformed native versions, but on average they ran at two-thirds of native speed.
Examples for static binary translations
In 2014, an ARM architecture version of the 1998 video game StarCraft was generated by static recompilation and additional reverse engineering of the original x86 version.[1][2] The Pandora handheld community was capable of developing the required tools[3] on their own and achieving such translations successfully several times.[4][5]
For instance, a successful x86-to-x64 static recompilation was generated for the procedural terrain generator of the video game Cube World in 2014.[6]
Another example is the NES-to-x86 statically recompiled version of the videogame Super Mario Bros. which was generated under usage of LLVM in 2013.[7]
In 2004 Scott Elliott and Phillip R. Hutchinson at Nintendo developed a tool to generate "C" code from Game Boy binary that could then be compiled for a new platform and linked against a hardware library for use in airline entertainment systems.[8]
In 1995 Norman Ramsey at Bell Communications Research and Mary F. Fernandez at Department of Computer Science, Princeton University developed The New Jersey Machine-Code Toolkit that had the basic tools for static assembly translation.[9]
Dynamic binary translation
Dynamic binary translation looks at a short sequence of code—typically on the order of a single basic block—then translates it and caches the resulting sequence. Code is only translated as it is discovered and when possible, and branch instructions are made to point to already translated and saved code (memoization).
Dynamic binary translation differs from simple emulation (eliminating the emulator's main read-decode-execute loop—a major performance bottleneck), paying for this by large overhead during translation time. This overhead is hopefully amortized as translated code sequences are executed multiple times.
More advanced dynamic translators employ dynamic recompilation where the translated code is instrumented to find out what portions are executed a large number of times, and these portions are optimized aggressively. This technique is reminiscent of a JIT compiler, and in fact such compilers (e.g. Sun's HotSpot technology) can be viewed as dynamic translators from a virtual instruction set (the bytecode) to a real one.
Examples for dynamic binary translations in software
- Apple Computer implemented a dynamic translating emulator for M68K code in their PowerPC line of Macintoshes, which achieved a very high level of reliability, performance and compatibility (see Mac 68K emulator). This allowed Apple to bring the machines to market with only a partially native operating system, and end users could adopt the new, faster architecture without risking their investment in software. Partly because the emulator was so successful, many parts of the operating system remained emulated. A full transition to a PowerPC native operating system (OS) was not made until the release of Mac OS X (10.0) in 2001. (The OS X "Classic" runtime environment continued to offer this emulation capability on PowerPC Macs until OS X 10.5.)
- Mac OS X 10.4.4 for Intel-based Macs introduced the Rosetta dynamic translation layer to ease Apple's transition from PPC-based hardware to x86. Developed for Apple by Transitive Corporation, the Rosetta software is an implementation of Transitive's QuickTransit solution.
- QuickTransit during its product lifespan also provided SPARC→x86, x86→Power Architecture and MIPS→Itanium 2 translation support.
- DEC achieved similar success with its translation tools to help users migrate from the CISC VAX architecture to the Alpha RISC architecture.
- HP ARIES (Automatic Re-translation and Integrated Environment Simulation) is a software[10] dynamic binary translation system that combines fast code interpretation with two phase dynamic translation to transparently and accurately execute HP 9000 HP-UX applications on HP-UX 11i for HP Integrity servers.[11] The ARIES fast interpreter emulates a complete set of non-privileged PA-RISC instructions with no user intervention. During interpretation, it monitors the application's execution pattern and translates only the frequently executed code into native Itanium code at runtime. ARIES implements two phase dynamic translation, a technique in which translated code in first phase collects runtime profile information which is used during second phase translation to further optimize the translated code. ARIES stores the dynamically translated code in memory buffer called code cache. Further references to translated basic blocks execute directly in the code cache and do not require additional interpretation or translation. The targets of translated code blocks are back-patched to ensure execution takes place in code cache most of the time. At the end of the emulation, ARIES discards all the translated code without modifying the original application. The ARIES emulation engine also implements Environment Emulation which emulates an HP 9000 HP-UX application's system calls, signal delivery, exception management, threads management, emulation of HP GDB for debugging, and core file creation for the application.
- Sun Microsystems' Wabi software included dynamic translation from x86 to SPARC instructions.
- In January 2000, Transmeta Corporation announced a novel processor design named Crusoe.[12][13] From the FAQ[14] on their web site,
The smart microprocessor consists of a hardware VLIW core as its engine and a software layer called Code Morphing software. The Code Morphing software acts as a shell ... morphing or translating x86 instructions to native Crusoe instructions. In addition, the Code Morphing software contains a dynamic compiler and code optimizer ... The result is increased performance at the least amount of power. ... [This] allows Transmeta to evolve the VLIW hardware and Code Morphing software separately without affecting the huge base of software applications.
- Intel Corporation developed and implemented an IA-32 Execution Layer - a dynamic binary translator designed to support IA-32 applications on Itanium-based systems, which was included in Microsoft Windows Server for Itanium architecture, as well as in several flavors of Linux, including Red Hat and Suse. It allowed IA-32 applications to run faster than they would using the native IA-32 mode on Itanium processors.
- Some test & debugging systems dating back to the 1970s such as "Oliver", utilized dynamic binary translation to provide breakpoint, storage protection, trace, program animation and other features for IBM/360/370/390/ES9000 platforms.
- .NET Framework's just-in-time compiler translates the CLI of an executable into the native instruction set.
Examples for dynamic binary translations in hardware
- x86 Intel CPUs since the Pentium Pro translate complex CISC x86 instructions to more RISC-like internal Microcode instructions.
- Nvidia Tegra K1 Denver translates ARM instructions over a slow hardware decoder to its native microcode instructions and uses a software binary translator for hot code.
See also
- Binary recompiler
- Dynamic recompilation
- Just-in-time compilation
- Instruction set simulator
- Emulator
- Virtual machine
- Comparison of platform virtualization software
- Shadow memory
References
- ↑ Steinlechner, Peter (March 10, 2014). "Starcraft für ARM-Handheld kompiliert" (in German). golem.de. Retrieved March 25, 2014.
- ↑ notaz (March 4, 2014). "StarCraft". repo.openpandora.org. Retrieved March 26, 2014.
- ↑ notaz (2014-03-01). "ia32rtools/". GitHub. Retrieved 2015-01-09.
- ↑ notaz (March 4, 2014). "Starcraft". openpandora.org. Retrieved March 29, 2014.
The "no source, no port" rule is not completely true, you can get something similar (but not the same) as a port through static recompilation. Similar stuff was done several times by M-HT for some DOS games. The game was also converted for Android with somewhat similar approach.
- ↑ M-HT. "Warcraft: Orcs & Humans". repo.openpandora.org.
- ↑ Kærlev, Mathias (2014-04-14). "Practical and Portable X86 Recompilation". Retrieved 2014-08-08.
but then the idea of somehow using the original x86 machine code presented itself. However, for our open server, we need to support x86-64 as well, and in that case, we absolutely need emulation or recompilation. [...] Static recompilation to assembler seemed like a much better option, but to keep it portable, we would need to write backends for x86, x86-64, and possibly ARM/PowerPC.
- ↑ Kelley, Andrew (2013-07-07). "Statically Recompiling NES Games into Native Executables with LLVM and Go". Retrieved 2013-08-08.
This article presents original research regarding the possibility of statically disassembling and recompiling Nintendo Entertainment System games into native executables.
- ↑ US 7765539, Elliott, Scott & Phillip Hutchinson, "System and method for trans-compiling video games", issued 2010
- ↑ Ramsey, Norman; Fernandez, Mary F (1995). "The New Jersey Machine-Code Toolkit". Proceeding TCON'95 Proceedings of the USENIX 1995 Technical Conference Proceedings (USENIX Association Berkeley, CA, USA): 24–24.
- ↑ Jim Carlson, Jerry Huck (2003). "Itanium Rising: Breaking Through Moore's Second Law of Computing Power". Prentice Hall PTR. Retrieved 2015-01-09.
- ↑ "HP ARIES Dynamic Binary Translator". HP. Retrieved 2015-01-09.
- ↑ Stokes, Jon. "Transmeta Crusoe Explored". Ars Technica. Retrieved 2015-01-09.
- ↑ Hughes, Rob (January 20, 2000). "Transmeta's Crusoe Microprocessor". geek.com. Archived from the original on April 17, 2008.
- ↑ FAQ
Further reading
- Haber, Gadi (2010). "Introduction to Binary Translation" (PDF). Intel.
- Bansal, Sorav; Aiken, Alex (December 2008). "Binary Translation Using Peephole Superoptimizers". Department of Computer Science and Engineering. Indian Institute of Technology Delhi. Retrieved 30 March 2014.
- Baraz, Leonid; Devor, Tevi; Etzion, Orna; Goldenberg, Shalom; Skaletsky, Alex; Wang, Yun; Zemach, Yigal (2003). "IA-32 Execution Layer: a two-phase dynamic translator designed to support IA-32 applications on Itanium-based systems". Proceedings of the 36th Annual IEEE/ACM International Symposium on Microarchitecture. MICRO 36 (Washington, DC, USA: IEEE Computer Society): 191—. ISBN 0-7695-2043-X.
- Toal, Graham. "An Emulator Writer's HOWTO for Static Binary Translation". Self-published.
- Chernoff, Anton; Herdeg, Mark; Hookway, Ray; Reeve, Chris; Rubin, Norman; Tye, Tony; Yadavalli, S. Bharadwaj; Yates, John (1998). "FX!32: A Profile-Directed Binary Translator". IEEE Micro 18 (2): 56–64. ISSN 0272-1732.