Longer writeups and cross-references.
Some of the tools here have bibliographic entries, home pages or
online papers, noted with ``See: ...''.
Many are also described and referenced in
the 1994 SIGMETRICS Shade paper, noted with
See here for a list of tools.
The listed tools include:
- Gemulator [IBM PC] (Atari ST emulator)
- ST XFormer [Atari ST] (Atari 130XE emulator)
- PC XFormer 2 [IBM PC] (Atari 800 emulator)
- PC XFormer 3 [IBM PC] (Atari 130XE emulator)
The listed tools include Apple II emulators:
- Apple 2000 [Amiga]
- AppleOnAmiga [Amiga]
- STM [Macintosh]
- YAE [Unix/X]
The listed tools include Macintosh emulators:
- AMax [Amiga] (software + hardware)
- Emplant [Amiga] (software + hardware)
- ShapeShifter [Amiga]
- MAE [Unix/X]
ATOM is built on top of
See: bib cite, Shade
As of 1994, Cerberus was being actively used and updated by
He might be willing to provide information and/or code.
The EDSAC Debugger uses a tracing simulator that operates
fetching the simulated instruction;
decoding it to save trace information;
checking to see if the instruction is a branch,
and updating the simulated program counter if it is;
else placing the instruction in the middle of the simulator loop
and executing it directly;
and then returning to the top of the simulator loop.
As an aside, the 1951 paper on the EDSAC debugger
contains a pretty complete description of a modern debugger...
EEL reads object files and executables
and allows tools built on top of EEL to modify the machine code
without needing details of the underlying architecture or operating
system or with the consequences of adding or deleting code.
EEL appears as a C++ class.
EEL is provided with an executable,
which it analyzes, creating abstractions such as
executable (whole program), routines, CFGs, instructions and snippets.
A tool built on EEL then edits the executable by
performing structured rewrites of the EEL constructs;
EEL ensures that details of register allocation, branches, etc.
are updated correctly in the final code.
is a tool for convering Sun SPARC binaries to DEC Alpha AXP binaries.
Express web page
g88 is a portable simulator
that simulates both user and system-mode code.
It uses threaded code to performance on the order
of a few tens of instructions per simulated instruction.
g88 was written by
Built on top of
``The Interpreter'' is a micro-architecture that is intended
for a variety of uses including emulation of existing or hypothetical
machines and program profiling.
An emulator is written in microcode and instructions executed from the
microinstructions that are executed from the microstore give both
parallelism and fast execution.
More detailed review:
- A brief (1,000 word) history of microprogramming.
- (pg. 715) Suggested applications: emulation of existing or hypothetical
machines; direct execution of high-level languages; tuning
the instruction set to the application (by iterative profiling
and instruction-set change).
- (pg. 715) ``Emulation is defined in this paper as the ability
to execute machine language programs intended for one machine
(the mulated machine) on another machine (the host machine).
Within this broad definition, any machine wit certain basic
cpabilities can emulate any other machine; however, a measure
of the efficiency of operation is generally implied when the
term emulation is used.
For example, ... a conventional computer [has poor] emulation
efficiency ... since for each machine language instruction of
the emulated machine there corresponds a sequence of machine
instructions to be executed on the host machine ... (called
simulation ... [Husson 70] and [Tucker 1965]) turns out to be
significanly more efficent on micorprogrammable computers.
In a microprogrammed machine, the controls for performing the
fetching and execution fo the machine instructions of the
mulated machine consist of a sequence of microinstructions
which allows the increased efficiency.''
In short, as Deutsch and Schiffman point
out, you get hardware support for instruction fetch and
decode, which are typically multi-instruction operations in
- (pg. 717) Description of Interpreter features that help it
emulate a variety of machine architectures and instruction
- (pg. 719) ``The basic items necessary to define a machine and
hence emulate it are:
Note that you also need e.g. data formats, an exception model,
a device or other I/O model, ...
- Memory structure (registers, stacks, etc.),,
- Machine language format (0, 1, 2, 3 address)
including effective operand address calculation,
- Operation codes and their functional m eaning
(instructions for arithmetic, branching, etc.).''
- (pg. 719) ``The process of writing an emulation therefore,
involves the following analysis and the microprogramming of
these basic items:
- Mapping the registers (stacks, etc.) from the emulated
machine onto the host machine.
- Analysis of the machine language format and addressing
- Analysis of each operation code defined i the machine
- (pg. 719-720) ``All of the registers of the emulated machine
must be mapped onto the host machine; that is, each register
must have a corresponding register on the host machine. The
most frequently used registers are mapped onto the registers
within the Interpreter Logic Unit (e.g., registers A1, A2,
A3). The remaining registers are stored either in the main
system memory or in special high speed registers depending on
the desired emulatin speed [[Which, I assume, means ``do you
want R5 fast and R6 slow or R6 fast and R5 slow; it doesn't
make sense to me that they'd offer you slower emulation as a
feature --pardo]]. The machine language format may be 0, 1,
2, 3 address or variable length for increased code density,
and may involve indexing, indirection, relative addressing,
stacks and complex address conversions. Figure 14 shows the
general micrporogram requirements (MPM Map) and operating
procesures for the exmulation task.
You're probably already familiar with the concepts in this paper.
The paper describes the overall structure of a classic
this one happens to use microcode, but many of the same
features are the same when using normal machine code.
The opportunity with microcode (which tends to be poorly
stated in all of these papers) is that writable microcode
allows the use of a machine with a very fast and very flexible
but very space-consuming instruction set; microcode makes such
an instruction set useful by providing a fast
mechanism for mapping that instruction set to a denser
representation (the one stored in primary memory).
In the particular case of emulation, much of the interpreter
can be written directly in the low-density machine code and
can take advantage of that code's
flexibility and performance without being hurt by the low
- See also:
Deutsch's ST-80 VM,
written (largely) in Xerox Dorado microcode.
This review/summary by Pardo.
MPtrace statically augments parallel programs written for the i386-based
Sequent Symmetry multiprocessor.
The instrumented programs are then run to generate
multiprocessor address traces.
MPtrace was written by
and Eric J. Koldinger
under the supervision of
Susan J. Eggers
Henry M. Levy
The New Jersey Machine Code Toolkit
lets programmers decode and encode machine instructions symbolically,
guided by machine specifications that mappings between symbolic
and machine (binary) forms.
It thus helps programmers write applications such as
assemblers, diassemblers, linkers, run-time code generators, tracing tools,
and other tools that consume or produce machine code.
Questions and comments can be sent to
Shade combines efficient instruction-set simulation
a flexible, extensible trace generation capability.
Efficiency is achieved by dynamically compiling and caching
code to simulate and trace the application program;
the cost is as low as two instructions per simulated instruction.
The user may control
the extent of
in various ways;
arbitrarily detailed application state information may be collected
during the simulation, but
tracing less translates directly into greater efficiency.
Shade implementations run on SPARC systems and
simulate the SPARC (Versions 8 and 9)
and MIPS I instruction sets.
Shade was written by
with help from
SimICS is a multiprocessor simulator.
SimICS simulates both the user and system modes
of 88000 and SPARC processors and is used for
simulation, debugging, and prototyping.
SimICS should soon be available under license.
SimICS is a rewrite of gsim,
which, in turn, was derived from
SimICS was written by
- Spectrum [Amiga]
- ZXAM [Amiga]
- KGB [Amiga]
- !MZX [Archimedes]
- !Speccy [Archimedes]
- Speculator [Archimedes]
- ZX-SPECTRUM Emulator [Atari]
- JPP [IBM PC]
- Z80 [IBM PC]
- SpecEm [IBM PC]
- SP [IBM PC]
- SPECTRUM [IBM PC]
- VGASpec [IBM PC]
- Elwro 800-3 Jr v1.0 [IBM PC]
- MacSpeccy [Macintosh]
- PowerSpectum [PowerMAC]
- xzx [Unix/X]
- xz80 [Unix/X]
SimOS emulates both user-mode and system-mode code for a MIPS-based
It uses a combination of direct-execution
(some OS rewrites may be required)
and dynamic cross-compilation
(no rewrites needed)
in order to emulate and, to some degree, instrument.
An Atari ST emulator
that runs on (at least) a Sun SPARC IPC under SunOS 4.1;
it emulates an MC68000, RAM, ROM, Atari ST graphics, keyboard, BIOS,
and maybe some other stuff.
On a SPECint=13.8 machine
it runs average half the speed of a real ST.
By: Marinos "nino" Yannikos.
Talisman is a fast timing-accurate simulator
for an 88000-based multiple-processor machine.
Talisman provides both user-mode and system mode simulation
and can boot OS kernels.
Simulation is reasonably fast,
on the order of a hundred instructions per simulated instruction.
Talisman also does low-level timing simulation and typically
produces estimated running times that are within a few percent
of running times on real hardware.
Note that e.g. turning off dynamic RAM refresh simulation
makes the timing accuracy substantially worse!
Built on top of
Wine is a Microsoft Windows(tm)
OS emulator for i*86 systems.
Most of the application's code runs native,
but calls to ``OS'' functions are transformed into calls into Unix/X.
Some programs require enhanced mode device drivers
and will (probably) never run under Wine.
Wine is neither a processor emulator nor a tracing tool.
- 2500 A.D.
- Avocet Systems
on a 33 MHz 486 matches the speed of a 12 MHz 8051
- Cybernetic Micro Systems
- Dunfield Development Systems
Low cost $50.00
500,000+ instructions/second on 486/33
Can interface to target system for physical I/O
Includes PC hosted "on chip" debugger with identical user
- HiTech Equipment Corp.
- Iota Systems, Inc.
- J & M Microtek, Inc.
- Keil Electronics
- Lear Com Company
- Mandeno Granville Electronics, Ltd
- Micro Computer Control Corporation
Simulator/source code debugger ($79.95)
- Microtek Research
- Production Languages Corp.
Emulators ($$$ - high, $$ - medium, $ - low priced)
- Advanced Micro Solutions $$
- Advanced Microcomputer Systems, Inc. $
- American Automation $$$ $$
- Applied Microsystems $$
- ChipTools (front end for Nohau's emulator)
- Cybernetic Micro Systems $
- Dunfield Development Systems $
plans for pseudo-ice using Dallas DS5000/DS2250
used together with their resident monitor and host debugger
- HBI Limited $
- Hewlett-Packard $$$
- HiTech Equipment Corp.
- Huntsville Microsystems $$
- Intel Corporation $$$
- Kontron Electronics $$$
- Mandeno Granville Electronics, Ltd
full line covering everything from the Atmel flash to the
Siemens powerhouse 80c517a
- MetaLink Corporation $$ $
- Nohau Corporation $$
- Orion Instruments $$$
- Philips $
DS-750 pseudo-ICE developed by Philips and CEIBO
real-time emulation and simulator debug mode
source-level debugging for C, PL/M, and assembler
programs 8xC75x parts
low cost - only $100
DOS and Windows versions available
- Signum Systems $$
- Sophia Systems $$$
- Zax Corporation
- Zitek Corporation $$$
(Contacts listed in FAQ below).
From instruction-set simulation and tracing