Performance Counter Addresses

Robert O'Callahan robert at
Mon Oct 5 00:01:54 UTC 2015

On Mon, Oct 5, 2015 at 12:41 PM, Downing, Evan P <edowning3 at>

> Yes, I am running rr inside of QEMU using CPU emulation mode.
> Ah, I did not know QEMU's CPU emulation did not support these counters.
> I know there is an out-of-tree patch to support PMU, but it's only for KVM
> I believe:
> A project I am working on was written on top of QEMU 1.0.1 a few years ago.
> However, this project does not support KVM.
> For various reasons, I need to be able to use Mozilla's rr inside of a
> Linux instance on this old version of QEMU (that is, without using KVM).
> Wouldn't there be a way to leverage QEMU's "icount" parameter in order to
> simulate the retired instruction counter parameter used in rr?

Yes, probably.

However, rr depends on the retired-conditional-branches counter, not the
instruction counter.

> The only engineering effort left would be to figure out how to set a
> counter for recording hardware interrupts, correct?

rr doesn't depend on the interrupt counter.

> Or maybe I could write a linux kernel module that could keep a running
> count of the instructions and hardware interrupts somewhere in memory
> (inside of the Guest Linux instance) and have rr access those memory
> addresses whenever it wants?

It probably wouldn't be very hard to extend QEMU with code to count the
number of retired conditional branches, and an interface to expose that
count to rr (which needs to be able to read the counter value, reset the
counter value to some value, and trigger an interrupt when the counter
value reaches zero). Using the actual x86 PMU interface might be best since
then you wouldn't have to modify the kernel.

However, I still don't know what your ultimate goal is, but you might be
better off forward-porting your code to a newer version of QEMU and using
something like PANDA ( which supports record
and replay built into QEMU.
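As an added illustration (not code from rr, QEMU or this thread), here is a small C model of the counter interface described above: a retired-conditional-branch counter that the emulator ticks on every instruction, which rr-like code can read and program, and which raises an interrupt when the programmed count reaches zero. The instruction stream, struct and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* One retired instruction; only whether it was a conditional branch matters here. */
typedef struct { int is_cond_branch; } insn_t;

typedef struct {
    uint64_t ticks;           /* programmed count; counts down, interrupt at zero */
    bool     armed;           /* true while a countdown is in progress */
    bool     irq_pending;     /* set when the countdown reaches zero */
    uint64_t total_branches;  /* running count of retired conditional branches */
} cbr_counter_t;

/* The three operations rr needs: read, program to a value, interrupt on reaching zero. */
uint64_t cbr_read(const cbr_counter_t *c) { return c->total_branches; }
void cbr_arm(cbr_counter_t *c, uint64_t n) { c->ticks = n; c->armed = n > 0; c->irq_pending = false; }

/* Emulator hook, called once per retired instruction. Returns true when the interrupt fires. */
bool cbr_retire(cbr_counter_t *c, const insn_t *i) {
    if (!i->is_cond_branch) return false;
    c->total_branches++;
    if (c->armed && --c->ticks == 0) { c->armed = false; c->irq_pending = true; return true; }
    return false;
}

/* Execute stream[start..n) until the counter interrupt fires or the stream ends.
 * Returns the index of the next instruction to execute (n if it never fired). */
size_t run_until_irq(cbr_counter_t *c, const insn_t *stream, size_t n, size_t start) {
    for (size_t pc = start; pc < n; pc++)
        if (cbr_retire(c, &stream[pc])) return pc + 1;
    return n;
}

/* Constructed stream: conditional branches at indices 1, 3, 4 and 6. */
static const insn_t demo_stream[] = { {0}, {1}, {0}, {1}, {1}, {0}, {1} };
#define DEMO_LEN (sizeof demo_stream / sizeof demo_stream[0])

/* Arm a fresh counter with n, run from start; return the stop index and, optionally, branches seen. */
size_t demo_run(uint64_t n, size_t start, uint64_t *branches_out) {
    cbr_counter_t c = {0};
    cbr_arm(&c, n);
    size_t stop = run_until_irq(&c, demo_stream, DEMO_LEN, start);
    if (branches_out) *branches_out = cbr_read(&c);
    return stop;
}
```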

