Here is a collection of disk images which can be used to test system emulation.
|linux-0.2.img.bz2 (8 MB)||Small Linux disk image containing a 2.6.20 Linux kernel, X11 and various utilities to test QEMU|
|odin1440.img||FreeDOS floppy disk image from ODIN (Steve Nickolas)|
|small.ffs.bz2||Small NetBSD Image (thanx to Nicolas Ollinger)|
|minix204.tar.bz2||Minix 2.0.4 (thanx to Túlio Almeida Pexoto)|
|efi-bios.tar.bz2||EFI BIOS for QEMU (thanx to Tristan Gingold)|
|sparc-test-0.2.tar.gz||SPARC Linux 2.6 test kernel and initrd disk image|
|arm-test-0.2.tar.gz||ARM Linux 2.6 test kernel and initrd disk image (thanx to Paul Brook)|
|mips-test-0.2.tar.gz||MIPS Linux 2.6 test kernel and initrd disk image (thanx to Thiemo Seufer)|
|mipsel-test-0.2.tar.gz||MIPS little endian Linux 2.6 test kernel and initrd disk image (thanx to Thiemo Seufer)|
|coldfire-test-0.1.tar.bz2||Coldfire Linux 2.6 test kernel and initrd disk image (thanx to Paul Brook)|
|sh-test-0.2.tar.bz2||SH4 Linux 2.6 test kernel and initrd disk image (thanx to Shin-ichiro KAWASAKI)|
|cris-axisdev88-img-linux2_6_33.tgz||CRIS AXIS Devboard88 Linux 2.6 test image with selftesting testsuite (Edgar E. Iglesias)|
|mb-s3adsp1800-linux-2_6_34.tgz||Microblaze S3ADSP1800 Linux 2.6 test image with selftesting testsuite (Edgar E. Iglesias)|
|ppc-virtexml507-linux-2_6_34.tgz||PPC-440 Virtex-ML507 Linux 2.6 test image (Edgar E. Iglesias)|
|xtensa-dc232b_kernel_rootfs.tgz||Xtensa Linux 2.6.29 test image (Max Filippov)|
These executables can be used to test Linux user mode emulation.
|linux-user-test-0.3.tar.gz||Distribution of shared libraries and various shell executables for almost all Linux target architectures that QEMU simulates. It is used to make regression tests on the Linux user mode emulation.|
|linux-user-busyboxes-0.1.tar.xz||Collection of static busybox binaries for almost all Linux target architectures that QEMU simulates. For quick smoke testing of Linux user mode emulation.|
It is also possible to run the Linux Test Project's syscall test suite under the Linux user mode emulation.
This includes any test to detect memory leaks, reads of uninitialised memory, buffer overflows or other forms of illegal memory access.
Typically these kind of tests are done using Valgrind on a Linux host. Any of the disk images and executables listed above can be used in such tests.
# Simple i386 boot test (BIOS only) with Valgrind. valgrind --leak-check=full --track-origins=yes --verbose qemu-system-i386
There are a number of tools which analyse C code and try to detect typical errors. None of these tools is perfect, so using different tools with QEMU will detect more bugs. Be prepared to also get lots of false warnings!
This is an example used on Debian. It needs package clang.
# Start from the root directory with QEMU code. mkdir -f bin/debug/ccc-analyzer cd bin/debug/ccc-analyzer ../../../configure --enable-debug --enable-trace-backend=stderr \ --cc=/usr/share/clang/scan-build/ccc-analyzer --disable-docs make
At least on my Linux host (1 GiB RAM, 2 GiB swap), make hangs when ccc-analyzer analyzes target-mips/translate.c: function decode_opc is too complex for the analyzer and takes all memory. Killing the clang process helps in this situation. It's needed 6 times because there are 4 MIPS system emulations and 2 Linux MIPS user emulations.
I guess this is because target-mips/translate.c contains switches with cases covering a very large range; assuming ccc-analyzer expands these case ranges somehow, it probably blows up memory completely.
Here is a typical example using smatch (from git://repo.or.cz/smatch.git):
# Start from the root directory with QEMU code. mkdir -f bin/debug/smatch cd bin/debug/smatch CHECK="smatch" ../../../configure --enable-debug --cc=cgcc --host-cc=cgcc make
This example expects that smatch and cgcc are installed in your PATH (if not, you must add absolute paths to the example).
Periodic scans of QEMU are done on the public Coverity Scan service (scan.coverity.com). You can request access on their website, and the administrator will grant it if you are an active participant in QEMU development.
Coverity is confused slightly by multiple definitions of functions with the same name. For this reason, Coverity scans are done as follows:
mkdir cov-int ./configure make libqemustub.a cov-build --dir cov-int make tar cvf - cov-int | xz > cov-int.tar.xz
Notice that libqemustub.a is ignored by Coverity. This is because some stubs call abort() and this causes dead-code false positives. The file cov-int.tar.xz can then be uploaded to Coverity Scan's "Submit build" page. Customarily, the "project version" is set to the output of git describe HEAD and the "description/tag" is set to "commit XYZ" where XYZ is the full SHA1 hash of the commit.