Binary Translation - Dynamic Binary Translation

Dynamic Binary Translation

Dynamic binary translation looks at a short sequence of code—typically on the order of a single basic block—then translates it and caches the resulting sequence. Code is only translated as it is discovered and when possible, and branch instructions are made to point to already translated and saved code (memoization).

Dynamic binary translation differs from simple emulation (eliminating the emulator's main read-decode-execute loop—a major performance bottleneck), paying for this by large overhead during translation time. This overhead is hopefully amortized as translated code sequences are executed multiple times.

More advanced dynamic translators employ dynamic recompilation where the translated code is instrumented to find out what portions are executed a large number of times, and these portions are optimized aggressively. This technique is reminiscent of a JIT compiler, and in fact such compilers (e.g. Sun's HotSpot technology) can be viewed as dynamic translators from a virtual instruction set (the bytecode) to a real one.

• Apple Computer implemented a dynamic translating emulator for M68K code in their PowerPC line of Macintoshes, which achieved a very high level of reliability, performance and compatibility (see Mac 68K emulator). This allowed Apple to bring the machines to market with only a partially native operating system, and end users could adopt the new, faster architecture without risking their investment in software. Partly because the emulator was so successful, many parts of the operating system remained emulated. A full transition to a PowerPC native operating system (OS) was not made until the release of Mac OS X (10.0) in 2001. (The OS X "Classic" runtime environment continued to offer this emulation capability on PowerPC Macs until OS X 10.5.)

• Mac OS X 10.4.4 for Intel-based Macs introduced the Rosetta dynamic translation layer to ease Apple's transition from PPC-based hardware to x86. Developed for Apple by Transitive Corporation, the Rosetta software is an implementation of Transitive's QuickTransit solution.

• QuickTransit during its product lifespan also provided SPARC→x86, x86→Power Architecture and MIPS→Itanium 2 translation support.

• DEC achieved similar success with its translation tools to help users migrate from the CISC VAX architecture to the Alpha RISC architecture.

• DEC created the FX!32 binary translator for converting x86 applications to Alpha applications.

• Sun Microsystems' Wabi software included dynamic translation from x86 to SPARC instructions.

• In January 2000, Transmeta Corporation announced a novel processor design named Crusoe. From the FAQ on their web site, The smart microprocessor consists of a hardware VLIW core as its engine and a software layer called Code Morphing software. The Code Morphing software acts as a shell ... morphing or translating x86 instructions to native Crusoe instructions. In addition, the Code Morphing software contains a dynamic compiler and code optimizer ... The result is increased performance at the least amount of power. ... allows Transmeta to evolve the VLIW hardware and Code Morphing software separately without affecting the huge base of software applications. More info at arstechnica, geek.com.

• HP ARIES (Automatic Re-translation and Integrated Environment Simulation) is a dynamic binary translation system that combines fast code interpretation with two phase dynamic translation to transparently and accurately execute HP 9000 HP-UX applications on HP-UX 11i for HP Integrity servers. The ARIES fast interpreter emulates a complete set of non-privileged PA-RISC instructions with no user intervention. During interpretation, it monitors the application's execution pattern and translates only the frequently executed code into native Itanium code at runtime. ARIES implements two phase dynamic translation, a technique in which translated code in first phase collects runtime profile information which is used during second phase translation to further optimize the translated code. ARIES stores the dynamically translated code in memory buffer called code cache. Further references to translated basic blocks execute directly in the code cache and do not require additional interpretation or translation. The targets of translated code blocks are back-patched to ensure execution takes place in code cache most of the time. At the end of the emulation, ARIES discards all the translated code without modifying the original application. The ARIES emulation engine also implements Environment Emulation which emulates an HP 9000 HP-UX application's system calls, signal delivery, exception management, threads management, emulation of HP GDB for debugging, and core file creation for the application.

• Intel Corporation has developed and implemented an IA-32 Execution Layer - a dynamic binary translator designed to support IA-32 applications on Itanium-based systems, which was included in Microsoft Windows server OS for Itanium architecture, as well as in several flavors of Linux, including Red Hat and Suse. It used a two-phase (later three-phase) approach: initially it quickly translated every piece of code at a basic block level, adding certain instrumentation for detecting hot code; then hot code was dynamically optimized at a super-block level, and the optimized translated code replaced cold code on the fly. Later interpretation engine was added that allowed to avoid altogether translation of code executed just a few times - cold non-optimized translation became thus the second phase, and hot optimized translation became the third phase. IA-32 Execution Layer supported self-modified code, and could even optimize it quite well.

• Some test & debugging systems dating back to the 1970s such as "Oliver", utilized dynamic binary translation to provide breakpoint, storage protection, trace, program animation and other features for IBM/360/370/390/ES9000 platforms.