SimICS Tutorial: Getting a Grip on Grep

This page gives a fairly thorough tutorial of using SimICS to study the behavior of a simple program. As an example we chose to study the GNU utility grep. We are here using version 2.0 of grep, the full distribution for which can be fetched from MIT at ftp://prep.ai.mit.edu/pub/gnu/grep-2.0.tar.gz.

You can replicate this tutorial if you fetch the SimICS examples. In it we include the grep source code, a ready-configured makefile, and a pre-compiled, dynamically linked binary, as well as this HTML file together with a shell script that should regenerate something similar to this file, if you've installed SimICS correctly. (I'll try to keep this file up-to-date; the last major overhaul of this tutorial was in May, 1997.)

Getting started

Let's pretend we're looking for the usage of the function "copyset". We run grep on its own source code:

shell>./grep copyset *.[ch]
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
shell>

Pretty straightforward. Now lets assume that this is a good benchmark for grep, and we want to study what grep does when it searches for "copyset" in its own source code.

SimICS is an instruction-set simulator that can run ordinary Solaris (Sparc V8) binaries. It does this by emulating the effects of each Sparc instruction, one-by-one. When it encounters a system call, it attempts to emulate the effects of it. By running programs in this rather roundabout manner, SimICS allows you to do various interesting things that are difficult or impossible to do with other types of tools.

Command line mode and log files

We begin with running grep "on top of" SimICS in the simplest manner possible:

shell>simics ./grep copyset *.[ch]
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-001'
Loading file '././grep' to new unix process
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
shell>

Here we've run SimICS in "command line mode". Upon seeing what appears to be a command followed by a list of arguments, SimICS will load the program, and simulate the effects of the program, passing along the various arguments. When the program exits, so does SimICS. In addition to the normal output from grep, SimICS prints a copyright notice and a small comment about a log file. The log file contains all the commands given to SimICS, including command line arguments. This log file can be used as an input script, allowing an interactive session with SimICS to be easily duplicated. SimICS will generate a new log file each time it is executed.

If we don't want the various comments and copyright information, but want to see exactly the same output as grep generates when run by itself, we can use a particular set of command-line arguments to tell SimICS to be as inconspicuous as possible:

shell>simics -no-copyright -quiet -no-log ./grep copyset *.[ch]
Loading file '././grep' to new unix process
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
shell>

In the example, we also suppress the generation of a log file.

Script files and processor statistics

But this is still not terribly interesting, since what goes on under the hood is all hidden away. Let's try something else. As we mentioned above, SimICS can execute from a script. The default script name is ".simics", which is read by SimICS when run running in "command line mode":

shell>cat .simics
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
c
pstats
quit
shell>
shell>simics -no-tty -echo
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-002'
[.simics:1] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics:2] sysbreak _exit
[.simics:3] c
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
Caught breakpoint
[1001] <0x7ffd3ed0> <0x00172ed0>    0 0 0 0 1  ta          8 
[.simics:4] pstats

Statistics for cpu 0

Statistics vectors: (raw data)

User mode:
        812  tlb misses passed on to unix emulation
     254153  memory read operations
      30443  memory write operations
         65  (internal) intermediate text pages allocated
        104  simulated physical pages allocated
     835981  number of instructions

Supervisor mode:

(Note: only non-zero statistic vector values are shown.)

   Number of cycles executed (CPU 0): 835981

Profiler totals:  (this may take a while, you can interrupt with Ctrl-C)
  TLB misses passed on to Unix emulation  -->  812
  Number of (taken) branches *to* the code block  -->  129261
  Number of (taken) branches *from* the code block  -->  129261
  Count of instruction execution (based on branch arcs)  -->  835981
  Number of addresses from which instructions have been fetched  -->  877
[.simics:5] quit
Exiting SimICS. Log file is in '.simics-log-002'.
shell>

In the above example we've introduced several things at once:

SimICS has its own script language, with dozens of commands and the ability to evaluate simple expressions.
If we start SimICS with the "-echo" flag, all commands read from scripts are written to the terminal, labeled with the file name and line.
When run interactively, we use the load-unix command to load a program into simulated memory. load-unix takes two important parameters, the name of the program and the parameter list. Note that, since we are no longer running from the shell, we need to manually expand the wildcard notation "*.[ch]" into a list of files.
The sysbreak command sets breakpoints on system calls. Especially useful is setting a breakpoint on the "_exit" system call. Since SimICS is a system-level simulator, it can run multiple processes at the same time. "_exit" tells SimICS to clean up after the process, which means among other things dumping memory regions allocated for that process, which makes it difficult to inspect the profile of the program (more on this later). Note that a system call breakpoint stops execution immediately before the system call is about to be triggered.
The c command (alias for the run command) "continues" execution.
When SimICS stops execution, it will list the instruction that is pointed to by the program counter. This line has several components, and is worth a closer look. In this example, the first number - "[1001]" - is the process identifier. (The first process is always given the number 1001.) The next two numbers show the virtual address and the physical address of the instruction, respectively. SimICS simulates virtual memory, meaning that if, say, you start two copies of the same program, they will share the text segment (use the same physical pages), but have different physical pages for their data (though the same virtual addresses). Next comes a handful of small numbers separated by spaces - these are profiler values (more on this later). Finally, the instruction ("ta 8") is listed, which is the Sparc V8 "trap" instruction.
The pstats command lists various interesting statistics related to the physical processor. The statistics listed will vary. The listing shows what is typically a minimum set, namely:
- statistics vector counts
- cycle counts
- profiler totals
Statistics vectors are counters of events, some internal to SimICS, some related to the hardware, and some related to the software. In the example above, the count of memory operations and TLB misses are probably of interest.
Profilers are similar to counters, except that they are also related to memory addresses (of instructions or data). The pstats command will show summaries across the whole address space.
Both stat vectors and profilers can be added to dynamically, either by special commands or dynamically loaded extensions.
The quit command exits SimICS.

Data Caches and Extensions

SimICS supports cache simulation using extensions. Extensions are dynamically loadable objects that can add features to SimICS. A principal use is to load a memory hierarchy simulator, either one you've written yourself or one that comes with the SimICS distribution.

In the SimICS distribution, at least two memory hierarchy extensions are included: generic-cache and supersparc. In this example we'll use generic-cache.

When generic-cache is loaded, pstats will show the overall cache performance of the application. Generic-cache can simulate caches with varying line size, number of lines, and associativity. You can set these values interactively. Generic-cache simulates a combined data and instruction cache. Let's try running the same test as above, but add simulation of a large cache:

shell>cat .simics-2
load-object "generic-cache"
$simcacheassoc = 1
$simcachelinecount = 16384
$simcachelinesize = 64
list-vars
init
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
c
pstats
quit
shell>
shell>simics -no-tty -echo -n -x .simics-2
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-003'
[.simics-2:1] load-object "generic-cache"
Successfully loaded generic data cache simulator module.
This adds two profilers (read and write misses), a bunch of stat vector entries,
and a new 'pstat' extension. See the README file for more information.
[.simics-2:2] $simcacheassoc = 1
-> 1
[.simics-2:3] $simcachelinecount = 16384
-> 16384
[.simics-2:4] $simcachelinesize = 64
-> 64
[.simics-2:5] list-vars
  $simcacheassoc     = 1
  $simcachelinecount = 16384
  $simcachelinesize  = 64
  $simnoxterm        = 1
[.simics-2:6] init
[.simics-2:7] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-2:8] sysbreak _exit
[.simics-2:9] c
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
Caught breakpoint
[1001] <0x7ffd3ed0> <0x00172ed0>   0 0 0 0 0 0 0 1  ta          8 
[.simics-2:10] pstats

Statistics for cpu 0

Statistics vectors: (raw data)

User mode:
        812  tlb misses passed on to unix emulation
     254153  memory read operations
      30578  memory write operations
         65  (internal) intermediate text pages allocated
        104  simulated physical pages allocated
     835981  number of instructions
        647  stat_replacements
         44  stat_inhibits
        130  stat_invalidate_ops
          8  stat_proc_invalidates
       1075  instruction fetch misses
       1979  stat_mem_read_misses
        358  stat_mem_write_misses

Supervisor mode:

(Note: only non-zero statistic vector values are shown.)

Analysis of Generic cache simulation for CPU 0:
Cache: 16384 lines of 64 bytes each, associativity 1, total 1024 kbyte.

Memory statistics, user mode:
  Memory reads:      254153 (89.26%)
  Memory writes:     30578 (10.74%)
  I/O:               0 (0.00%)
  Total accesses:    284731

  Replacements:      647
  Inhibits:          44
  Invalidate Ops:    130
  Net Invalidates:   0
  Proc Invalidates:  8

Cache (D+I) performance, user mode: (ignores I/O accesses)
  Read miss rate:    0.779% (1979/254153)
  Write miss rate:   1.171% (358/30578)
  Instr miss rate:   0.129% (1075/835981)
  Total miss rate:   0.304% (3412/1120712)

Memory statistics, supervisor mode:
  Memory reads:      0 (NaN%)
  Memory writes:     0 (NaN%)
  I/O:               0 (NaN%)
  Total accesses:    0

  Replacements:      0
  Inhibits:          0
  Invalidate Ops:    0
  Net Invalidates:   0
  Proc Invalidates:  0

Cache (D+I) performance, supervisor mode: (ignores I/O accesses)
  Read miss rate:    NaN% (0/0)
  Write miss rate:   NaN% (0/0)
  Instr miss rate:   NaN% (0/0)
  Total miss rate:   NaN% (0/0)


   Number of cycles executed (CPU 0): 835981

Profiler totals:  (this may take a while, you can interrupt with Ctrl-C)
  Instruction cache misses  -->  1075
  Cache misses (writes) caused by program line  -->  358
  Cache misses (reads) caused by program line  -->  1979
  TLB misses passed on to Unix emulation  -->  812
  Number of (taken) branches *to* the code block  -->  129216
  Number of (taken) branches *from* the code block  -->  129216
  Count of instruction execution (based on branch arcs)  -->  835981
  Number of addresses from which instructions have been fetched  -->  877
[.simics-2:11] quit
Exiting SimICS. Log file is in '.simics-log-003'.
shell>

Here, we're simulating a 1 megabyte, direct-mapped unified (data and instruction) cache with 64-byte lines.

Again, we've introduced some new things:

We're now starting SimICS with a different script file from ".simics", using the "-x" flag. The "-n" flag tells SimICS to ignore the default ".simics".
We've loaded an extension using load-object.
We use SimICS environment variables. Variables in SimICS begin with a "$" character. By definition, all possible variables exist at all times, and their default value is zero. You can list all non-zero values with the list-vars command.
To configure the data cache, we set the simcacheassoc, simcachelinecount, and simcachelinesize values. For them to have effect, we need to give the command init. init attempts to reset the simulator, dumping old state (except things like environment variables), and re-creating the machine. A complete list of things you can configure is in the SimICS user manual. The most interesting variable, in addition to the data cache, is simprocessors which tells SimICS how many Sparc processors should be simulated (SimICS can simulate shared-memory multiprocessors).

The other cache extension, supersparc, simulates the on-chip caches of the SuperSPARC processor, namely 16 kbyte 4-way set associative data cache and 20 kbyte 5-way set associative instruction cache. The supersparc extension does not simulate coherency. The benefit of a specialized cache simulator is that it is significantly faster.

For the rest of this document, we will use the supersparc cache simulator.

Unix emulation and help

SimICS internalizes emulation for a few dozen common SunOS 5.x system calls. This includes support for nasty things like fork(), exec(), mmap(), etc. This allows SimICS to create, in essence, a virtual Unix machine:

shell>cat .simics-3
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
c
ptime
ps
umem
help umem-sum
umem-sum
umem-pro
umem-reg 1
syscalls
quit
shell>
shell>simics -no-tty -echo -n -x .simics-3
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-004'
[.simics-3:1] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-3:2] sysbreak _exit
[.simics-3:3] c
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
Caught breakpoint
[1001] <0x7ffd3ed0> <0x00172ed0>    0 0 0 0 1  ta          8 
[.simics-3:4] ptime
   Number of cycles executed (CPU 0): 835981
[.simics-3:5] ps
pid   pgrp  sess  prnt  sts  cpu  stck  heap  nc    op count  program
1001  4001  1001     0  RUN    0    4K   17K   0      835981  ././grep

[.simics-3:6] umem
Ambiguous command. The following match:
   umem-all       alias for 'unix-info-memory'
   umem-process   info on a process pregions.
   umem-region    Unix info on specific memory region.
   umem-summary   Summary info on memory regions.
   umem-text      Unix info on text regions of current process.
[.simics-3:7] help umem-sum
Summary info on memory regions.
 Usage: umem-summary
 Lists summary info on all memory regions.
See also umem-all, umem-process, umem-region and umem-text.
[.simics-3:8] umem-sum

All memory regions, with global info.

No.    RegionSize  File offset Sh?  Refs  Type            Inode (if any)
   0   0x00004000  0xffffffff  no      1  r_Private  inode  0  (file "<STDIN>")
   1   0x00012000  0x00000000  yes     1  r_Shared   inode  6  (file "././grep")
   2   0x00015000  0x00000000  yes     1  r_Shared   inode  7  (file "/usr/lib/ld.so.1")
   3   0x00022000  0x0001102c  no      1  r_Private  inode  6  (file "././grep")
   4   0x000a7000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
   5   0x00001000  0xffffffff  yes     1  r_Shared   inode 10  (file "/usr/lib/libdl.so.1")
   6   0x00001000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
   7   0x00018000  0x00014420  no      1  r_Private  inode  7  (file "/usr/lib/ld.so.1")
  13   0x00002000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
  14   0x00085000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
  15   0x00097000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
[.simics-3:9] umem-pro

Memory pregions in process 1001:

Virtual address range  Size(p)  Prot  Type            Reg  Off.(p)   Mapped file (if any)
0x00010000-0x00021fff  0x00012   R X   rt_Text           1  0x00000   inode  6  (file "././grep")
0x00031000-0x00041fff  0x00011   RWX   rt_Data           3  0x00011   inode  6  (file "././grep")
0x7ff60000-0x7ffddfff  0x0007e   R X   rt_map_private   15  0x00000   inode  9  (file "/usr/lib/libc.so.1")
0x7ffed000-0x7fff4fff  0x00008   RWX   rt_map_private   14  0x0007d   inode  9  (file "/usr/lib/libc.so.1")
0x7fff5000-0x7fff6fff  0x00002   RWX   rt_map_private   13  0x00000   inode  8  (file "/dev/zero")
0x7fff7000-0x7fffcfff  0x00006   R X   rt_map_private    4  0x000a1   inode  9  (file "/usr/lib/libc.so.1")
0x7fffd000-0x7fffdfff  0x00001   R X   rt_map_shared     5  0x00000   inode 10  (file "/usr/lib/libdl.so.1")
0x7fffe000-0x7fffefff  0x00001   RWX   rt_map_private    6  0x00000   inode  8  (file "/dev/zero")
0xdf7d0000-0xdf7e4fff  0x00015   R X   rt_Text           2  0x00000   inode  7  (file "/usr/lib/ld.so.1")
0xdf7f4000-0xdf7f7fff  0x00004   RWX   rt_Data           7  0x00014   inode  7  (file "/usr/lib/ld.so.1")
0xdfffc000-0xdfffffff  0x00004   RWX   rt_Stack          0  0x00000 
[.simics-3:10] umem-reg 1
Info on region 1 (note: virtual address is actually the relative offset):
    Inode          6  (file "././grep")
    File offset    0x0
    Type           r_Shared 
    Shared?        yes
    Ref count      1
    ---------------------
    info on page table:
      number of entries: 18
      virtual     physical      flags and profiling data ....
      0x00000000  0x00004000    valid    0 0 0 0 0 
      0x00001000  0x00005000    valid    2 1158 1157 6519 37 
      0x00002000  0x00006000    valid    2  202  203 1016 20 
      0x00003000  0x00007000    valid    2   87   87  470  6 
      0x00004000  0x00008000    valid    0    0    0    0  0 
      0x00005000  0x00009000    valid    1   19   19  123  1 
      0x00006000  0x0000A000    valid    1   30   30  203  9 
      0x00007000  0x0000B000    valid    0    0    0    0  0 
      0x00008000  0x0000C000    valid    0    0    0    0  0 
      0x00009000  0x0000D000    valid    1  150  142  424 13 
      0x0000a000  0x0000E000    valid    1  109  110 1055 10 
      0x0000b000  0x0000F000    valid    1  438  445 2584 37 
      0x0000c000  0x00010000    valid    1  172  172 1219 11 
      0x0000d000  0x00011000    valid    1 1169 1153 5401 25 
      0x0000e000  0x00012000    valid    1  686  702 4450 30 
      0x0000f000  0x00013000    valid    3 18345 18345 281163 33 
      0x00010000  0x00014000    valid    2   154   154   1043 13 
      0x00011000  0x00015000    valid    0     0     0      0  0 
[.simics-3:11] syscalls
System Call    Freq   Statistic   Description
read             35      386006   Read from file descriptor
write             6         269   Write to file descriptor
open             19               Open a file
close            18               Close a file descriptor
brk               6               Change data segment space allocation
lseek             1               Set position in file
fstat             2               Get file status
ioctl             2               Control operation on I/O device or stream
mmap              8               Map pages of memory
munmap            3               Unmap pages of memory
sysconfig         3               Get configuration system variables (undocumented syscall)
systeminfo        1               Get and set system information strings
[.simics-3:12] quit
Exiting SimICS. Log file is in '.simics-log-004'.
shell>

As usual, we run from a script (".simics-3"), and demonstrate some commands:

The first command is ptime, which lists the number of instructions executed by the program. (This includes work done by the dynamic linker.)
The next command is a unix-emulation-specific command, ps. Similar to the Unix program "ps", ps will list summary information on all loaded processes. In this example, we're running only one process, and it lists the process identifier, process group, session group, parent process id, status (grep is currently RUNning), which physical processor that grep is scheduled on, size of stack and heap, "nice" level (priority), number of instructions executed by process, and what program is being executed.
Next we wish to look at memory usage. We give the command umem, but this turns out to be ambiguous. SimICS will prefix-match all commands, and list alternatives if there are ambiguities. Also, the help command will (generally) give more detailed information on the command. The text given by the help command is the same as in the user manual (which is extracted from the source code).
We select the umem-summary command, which lists information on the memory regions currently active. It lists all regions currently in existence. The command umem-process gives the memory region information for a particular process, including where in that process' virtual address space each region is mapped.
In order to get more detailed information on the text region of grep (region 1), we use the umem-region command. This will list all pages in the region, where they are in physical memory, various flags and profiling data.
Another interesting unix-specific command is syscalls, which lists stats on what system calls have been executed so far. There is also a "statistic" category which attempts to estimate the amount of work triggered by the system calls. For example, the statistic for read is the number of bytes read. There is also a brief description on each call. Note that not all system calls are documented by Sun (but when you write Unix emulators there is nowhere to hide).

Controlling the execution - breakpoints and watchpoints

A benefit of running a program on a simulator such as SimICS is that it offers very good control over the execution. SimICS allows you to set breakpoints on several types of events, including:

memory accesses to a particular address (or range of addresses)
execution of an instruction from a particular address
execution of a particular type of instruction
system call (specific or just any system call)

Let's try some of these:

shell>cat .simics-4
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
sb 100000
c
umem-sum
umem-pro
wp 0x00010000 (4096 * 0x12)
umem-reg 1
wpp 0x4000 (4096 * 0x12)
watchpoint-info
c
ptime
unwatch-phys 0x4000 (4096 * 0x12) r
watchpoint-info
c
ptime
trace st
break-trace-on
c
ptime
list-trace-on
sb 1000
c
quit
shell>
shell>simics -no-tty -echo -n -x .simics-4
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-005'
[.simics-4:1] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-4:2] sysbreak _exit
[.simics-4:3] sb 100000
[.simics-4:4] c
Caught time breakpoint
[1001] <0xdf7e33d8> <0x0003c3d8>   0 0 0 313 1  be_a       0xdf7e33b8
[.simics-4:5] umem-sum

All memory regions, with global info.

No.    RegionSize  File offset Sh?  Refs  Type            Inode (if any)
   0   0x00004000  0xffffffff  no      1  r_Private  inode  0  (file "<STDIN>")
   1   0x00012000  0x00000000  yes     1  r_Shared   inode  6  (file "././grep")
   2   0x00015000  0x00000000  yes     1  r_Shared   inode  7  (file "/usr/lib/ld.so.1")
   3   0x00013000  0x0001102c  no      1  r_Private  inode  6  (file "././grep")
   4   0x000a7000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
   5   0x00001000  0xffffffff  yes     1  r_Shared   inode 10  (file "/usr/lib/libdl.so.1")
   6   0x00001000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
   7   0x00018000  0x00014420  no      1  r_Private  inode  7  (file "/usr/lib/ld.so.1")
  13   0x00002000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
  14   0x00085000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
  15   0x00097000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
[.simics-4:6] umem-pro

Memory pregions in process 1001:

Virtual address range  Size(p)  Prot  Type            Reg  Off.(p)   Mapped file (if any)
0x00010000-0x00021fff  0x00012   R X   rt_Text           1  0x00000   inode  6  (file "././grep")
0x00031000-0x00032fff  0x00002   RWX   rt_Data           3  0x00011   inode  6  (file "././grep")
0x7ff60000-0x7ffddfff  0x0007e   R X   rt_map_private   15  0x00000   inode  9  (file "/usr/lib/libc.so.1")
0x7ffed000-0x7fff4fff  0x00008   RWX   rt_map_private   14  0x0007d   inode  9  (file "/usr/lib/libc.so.1")
0x7fff5000-0x7fff6fff  0x00002   RWX   rt_map_private   13  0x00000   inode  8  (file "/dev/zero")
0x7fff7000-0x7fffcfff  0x00006   R X   rt_map_private    4  0x000a1   inode  9  (file "/usr/lib/libc.so.1")
0x7fffd000-0x7fffdfff  0x00001   R X   rt_map_shared     5  0x00000   inode 10  (file "/usr/lib/libdl.so.1")
0x7fffe000-0x7fffefff  0x00001   RWX   rt_map_private    6  0x00000   inode  8  (file "/dev/zero")
0xdf7d0000-0xdf7e4fff  0x00015   R X   rt_Text           2  0x00000   inode  7  (file "/usr/lib/ld.so.1")
0xdf7f4000-0xdf7f7fff  0x00004   RWX   rt_Data           7  0x00014   inode  7  (file "/usr/lib/ld.so.1")
0xdfffc000-0xdfffffff  0x00004   RWX   rt_Stack          0  0x00000 
[.simics-4:7] wp 0x00010000 (4096 * 0x12)
***  Cannot manipulate watchpoint affecting virtual address 0x10000.
Try using physical address(es).
[.simics-4:8] umem-reg 1
Info on region 1 (note: virtual address is actually the relative offset):
    Inode          6  (file "././grep")
    File offset    0x0
    Type           r_Shared 
    Shared?        yes
    Ref count      1
    ---------------------
    info on page table:
      number of entries: 18
      virtual     physical      flags and profiling data ....
      0x00000000  0x00004000    valid    0 0 0   0 0 
      0x00001000  0x00005000    valid    0 0 0   0 0 
      0x00002000  0x00006000    valid    0 0 0   0 0 
      0x00003000  0x00007000    valid    0 0 0   0 0 
      0x00004000  0x00008000    valid    0 0 0   0 0 
      0x00005000  0x00009000    valid    0 0 0   0 0 
      0x00006000  0x0000A000    valid    0 0 0   0 0 
      0x00007000  0x0000B000    valid    0 0 0   0 0 
      0x00008000  0x0000C000    valid    0 0 0   0 0 
      0x00009000  0x0000D000    valid    0 0 0   0 0 
      0x0000a000  0x0000E000    valid    0 0 0   0 0 
      0x0000b000  0x0000F000    valid    0 0 0   0 0 
      0x0000c000  0x00010000    valid    0 0 0   0 0 
      0x0000d000  0x00011000    valid    0 0 0   0 0 
      0x0000e000  0x00012000    valid    0 0 0   0 0 
      0x0000f000  0x00013000    valid    0 0 0   0 0 
      0x00010000  0x00014000    valid    0 0 0   0 0 
      0x00011000  0x00015000    valid    0 0 0   0 0 
[.simics-4:9] wpp 0x4000 (4096 * 0x12)
[.simics-4:10] watchpoint-info

Memory watchpoints (including breakpoints) for node 0:
Reads (physical addresses):
     0x4000 - 0x15fff
Writes (physical addresses):
     0x4000 - 0x15fff
Execute (physical addresses):
     0x4000 - 0x15fff
[.simics-4:11] c
Breakpoint on accessing address 0x100e8.
Caught memory breakpoint
[1001] <0xdf7d5a7c> <0x0002ea7c>   0 2 0   0 1  ld         %o3, %g0, %i5 
[.simics-4:12] ptime
   Number of cycles executed (CPU 0): 136687
[.simics-4:13] unwatch-phys 0x4000 (4096 * 0x12) r
[.simics-4:14] watchpoint-info

Memory watchpoints (including breakpoints) for node 0:
Reads (physical addresses):
Writes (physical addresses):
     0x4000 - 0x15fff
Execute (physical addresses):
     0x4000 - 0x15fff
[.simics-4:15] c
Caught breakpoint
[1001] <0x000113e8> <0x000053e8>   0 1 0   0 0  or         %g0, 0, %fp 
[.simics-4:16] ptime
   Number of cycles executed (CPU 0): 407079
[.simics-4:17] trace st
Enabling tracing for 'stb'
Enabling tracing for 'stb'
Enabling tracing for 'sth'
Enabling tracing for 'sth'
Enabling tracing for 'st'
Enabling tracing for 'st'
Enabling tracing for 'std'
Enabling tracing for 'std'
Enabling tracing for 'stba'
Enabling tracing for 'stha'
Enabling tracing for 'sta'
Enabling tracing for 'stda'
Enabling tracing for 'stbar'
Enabling tracing for 'stf'
Enabling tracing for 'stf'
Enabling tracing for 'stdf'
Enabling tracing for 'stdf'
Enabling tracing for 'st_fsr'
Enabling tracing for 'st_fsr'
Enabling tracing for 'stdfq'
Enabling tracing for 'stdfq'
[.simics-4:18] break-trace-on
[.simics-4:19] c
Tracing breakpoint ...
Caught breakpoint
[1001] <0xdf7d5a40> <0x0002ea40>   0 0 0   0 1  st         %i3 -> [%fp + 80]
[.simics-4:20] ptime
   Number of cycles executed (CPU 0): 407313
[.simics-4:21] list-trace-on
[.simics-4:22] sb 1000
[.simics-4:23] c
[407313] [1001] <0xdf7d5a40> <0x0002ea40>   0 0 0   0 1  st         %i3 -> [%fp + 80]
[407571] [1001] <0xdf7d5a40> <0x0002ea40>   0 0 0   0 1  st         %i3 -> [%fp + 80]
[407806] [1001] <0xdf7d5b44> <0x0002eb44>   0 0 3   0 1  st         %i1 [%i2 + %g0]
[407891] [1001] <0xdf7d4598> <0x0002d598>   0 0 0   0 1  st         %o3 -> [%o0 + 8]
[407897] [1001] <0xdf7d45b0> <0x0002d5b0>   0 0 0   0 1  st         %o3 -> [%o0 + 4]
[408208] [1001] <0xdf7d5a40> <0x0002ea40>   0 0 0   0 1  st         %i3 -> [%fp + 80]
Caught time breakpoint
[1001] <0xdf7e1978> <0x0003a978>   0 0 0   0 1  subcc      %i3, %i5, %i3 
[.simics-4:24] quit
Exiting SimICS. Log file is in '.simics-log-005'.
shell>

Comments:

First we use the sb command. This is an alias for sim-break, and sets a time breakpoint. In our example, we tell SimICS to run exactly 100000 instructions, neither more nor less. As usual, SimICS lists the line we're on.
The virtual address looks a bit strange, so we use the umem-sum and umem-pro commands to find out where we are. Turns out that we're inside "/usr/lib.ld.so.1". This is the dynamic linker. SimICS will load dynamic objects just like any other program, allowing you to debug any such object or constellation of objects.
We're probably not interested in following the linker's work, so we want to stop when we get to the program itself, the text of which is apparently loaded into region 1. We set a breakpoint using the wp command, which is an alias for watchpoint. You're probably familiar with breakpoints, which allow debuggers to stop on some program line. Watchpoints generally refer to a similar mechanism, allowing debuggers to catch memory references to particular addresses. SimICS generalizes watchpoints, and supports breakpoints on any combination of Read, Write, or Instruction fetch operations, to any set of memory addresses. In the example, we try to set a breakpoint on the 18 pages starting at virtual address 0x10000.
Apparently, SimICS didn't like that. For some reason the Unix emulation disliked setting breakpoints on the virtual addresses in memory region 1. The reason for this is a bit esoteric, but worth mentioning since similar things happens often.
SimICS does full simulation of virtual memory, including TLB table lookup, page tables, memory regions, reference counts, etc. This means that consecutive virtual pages are not necessarily consecutive in physical memory. For this and similar reasons, several of SimICS' functions aren't smart enough to handle large virtual address ranges. But other functions are, including umem-reg (in general, the umem functions are pretty smart about memory, since that is their nature). Using the information from umem-reg, we can use the wpp command to set breakpoints on the physical addresses that contain memory region 1 (grep's text segment).
This brings us to another aspect of watchpoints in SimICS: they are always, always related to physical addresses. This is because a breapoint on a virtual address cannot be constant. SimICS allows wild remapping of memory using mmap() and similar functions, and can also support running system level code such as operating systems (that often load TLB entries according to their own algorithms). Thus, physical address breakpoints are a general solution. A side-effect is that you can set breakpoints on an address regardless of the presence of data or instructions on that address, or if the address is subsequently overwritten (something that would fool an ordinary debugger which typically implements breakpoints by inserting a trap instruction).
We can now use the watchpoint-info function to inspect the results. This reports current watchpoints, classifying them into Read, Write, and Execute breakpoints.
We continue execution with c, but we're still inside the dynamic linker. As you can see, the dynamic linker reads from the text segment, presumably as part of its linking work. We therefore selectively remove the breakpoint on reads using the unwatch-phys command. This time we use the third parameter, which is a combination of "r", "w", or "x". For example, "rw" corresponds to read or write. In this case we want to ignore reads. Again, we use watchpoint-info to confirm that we now only have watchpoints for writes and instruction fetches.
After continuing again, we stop on the first address in region 1 (the grep text segment) that is executed. We use ptime to tell us how many instructions have been executed, and it turns out to be quite a few. Dynamically linking small programs is clearly expensive.
Our next breakpoint function is a little unusual. The trace command allows us to trace particular Sparc instructions. To use trace, we need to specify two things: what instruction to trace, and what each trace instance should do. In this case, we ask to trace "st", which means that all Sparc instructions that begin with "st" are traced (which happens to be all store-to-memory instructions). We then select trace function break-trace-on, and continue. A few hundred instructions later we encounter our first store instruction, and SimICS stops immediately before executing it.
Another interesting trace alternative is list-trace-on, which lists the occurrences of instructions. We can switch tracing function at any time, keeping the same tracing set. The resulting listing shows all store instructions executed for the next 1000 instructions, each list item beginning with the "time stamp" of that instruction.

Inspecting state

Most of the execution state of the processor is available for inspection during simulation. This includes memory, processor state, and devices such as the translation look-aside buffer (TLB).

shell>cat .simics-5
$tlb_entries = 16
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sb 100000
c
pregs
pfi
pmap
x (read-reg (6 + 8)) 32
ptlb
quit
shell>
shell>simics -no-tty -echo -n -x .simics-5
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-006'
[.simics-5:1] $tlb_entries = 16
-> 16
[.simics-5:2] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-5:3] sb 100000
[.simics-5:4] c
Caught time breakpoint
[1001] <0xdf7e33d8> <0x0003c3d8>   0 0 0 313 1  be_a       0xdf7e33b8
[.simics-5:5] pregs
Processor 0:
      %i          %l          %o          %g     
0  0x00000000  0x00000016  0x00000004  0x00000000
1  0x7fff2864  0x7ffdcbec  0x00000000  0xdf7db494
2  0xdffffc30  0x00000000  0x00000001  0x00000000
3  0xdf7e3d5c  0xdf7f5b3c  0x00000000  0x00000000
4  0xdf7f5b3c  0x00000004  0xdffffc30  0x00000000
5  0x00000016  0x00000000  0xdffffc30  0x00000000
6  0xdffffb80  0xdf7f52bc  0xdffffb08  0x00000000
7  0xdf7db830  0xdf7f4420  0x7ffdcbec  0x00000000

      %pc         %npc        %tbr        %cwp        %wim     
   0xdf7e33d8  0xdf7e33dc  0x00000000  0x00000000  0x00000008

      %psr
   0x40401000  (~N Z ~V ~C  impl 4 ver 0 EC 0 EF 1 PIL 0 S 0 PS 0 ET 0)

[.simics-5:6] pfi
Processor 0:
       0 - 7     8 - 15    16 - 23    24 - 31
0  0x00000000 0x00000000 0x00000000 0x00000000 
1  0x00000000 0x00000000 0x00000000 0x00000000 
2  0x00000000 0x00000000 0x00000000 0x00000000 
3  0x00000000 0x00000000 0x00000000 0x00000000 
4  0x00000000 0x00000000 0x00000000 0x00000000 
5  0x00000000 0x00000000 0x00000000 0x00000000 
6  0x00000000 0x00000000 0x00000000 0x00000000 
7  0x00000000 0x00000000 0x00000000 0x00000000 

      %pc         %npc        %cwp        %wim     
   0xdf7e33d8  0xdf7e33dc  0x00000000  0x00000008

[.simics-5:7] pmap
Memory map for global physical memory:

0x00000000: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDIIIIIIIIIDDIIIIIDDD
0x00040000: DDDDDDDDDDDDDDDDDDIDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
0x00080000: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
0x000C0000: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
0x00100000: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
0x00140000: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
0x00180000: DDDDDDDDDDDDDDDDDDDDDD..........................................

0x00213000: ..................DDDDDDDD.....................................

Pages of 4K allocated: 414
Current count of translated instructions:   4644
[.simics-5:8] x (read-reg (6 + 8)) 32

0xdffffb08 : 0x00000001 0x00017a84 0x00017a8a 0xdf7f4c90 
0xdffffb18 : 0x00000000 0xdf7f5e78 0x7fffe018 0xdf7f4c90 
[.simics-5:9] ptlb
TLB contents for CPU 0:
    virtual     physical    R/W/X  valid?
  0 0x00011000  0x00005000  R   X  yes
  1 0xdf7db000  0x00034000  R   X  yes
  2 0xdf7e2000  0x0003b000  R   X  yes
  3 0xdf7e3000  0x0003c000  R   X  yes
  4 0x7ff67000  0x00106000  R   X  yes
  5 0x7fff2000  0x00218000  R W X  yes
  6 0x7ff71000  0x00110000  R   X  yes
  7 0xdf7e1000  0x0003a000  R   X  yes
  8 0xdf7d5000  0x0002e000  R   X  yes
  9 0x7fff3000  0x00219000  R W X  yes
 10 0xdf7f4000  0x00052000  R W X  yes
 11 0x7fff1000  0x00217000  R W X  yes
 12 0x7ff70000  0x0010f000  R   X  yes
 13 0xdffff000  0x00003000  R W X  yes
 14 0x7ff63000  0x00102000  R   X  yes
 15 0xdf7f5000  0x00053000  R W X  yes
[.simics-5:10] quit
Exiting SimICS. Log file is in '.simics-log-006'.
shell>

Comments:

Commands such as pregs and pf dump the contents of the registers. In the case of floating point registers, you can also get them interpreted as integers, floats, or doubles (using pfi, pfpf, and pfd).
Some commands give you an overview of what is going on. pmap lists all activities that have affected (physical) memory. An "I" shows that instructions have been executed on the page, a "D" shows that data has been read or written. (If both are true, only "I" is written.) pmap also tells you how many instructions have been executed, which is an estimate of the number of unique instructions that have been executed thus far. This gives a good indication of instruction cache pressure.
You can examine virtual memory using the x command (and examine physical memory using the xp command). In the example, we give x the address of the stack pointer, which is in register %o6 (which corresponds to general register 14). Note that we demonstrate the use of expressions when we use read-reg to fetch %o6. You can nest any expressions with parenthesis as long as the the command also returns a value.
You can inspect system-level state such as TLB contents. ptlb lists all translations that are currently in the TLB, including what access rights each page has. Note that you can interactively change the number of TLB entries (using the environment variable tlb_entries). In the example we set them to 16 (default is 64).

Profiling

Now we're beginning to do some interesting stuff. SimICS supports profiles. A profile keeps track of which instruction causes events to happen. This can include, at a minimum, for each word in memory:

Number of TLB misses
Number of times the instruction has been executed
Number of (taken) branches to the instruction
Number of (taken) branches from the instruction
Whether the instruction has ever been executed or not (0 or 1)

If you're running with a cache simulator extension, you will probably also have:

Number of cache misses on writes
Number of cache misses on reads
Number of cache misses on instruction fetches

For example:

shell>cat .simics-6
load-object "supersparc"
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
c
prof-page-map
prof-info
pfd 0x00013000
umem-sum
umem-pro
dis 0x0001f200 64
quit
shell>
shell>simics -no-tty -echo -n -x .simics-6
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-007'
[.simics-6:1] load-object "supersparc"
Loaded SuperSparc cache model. Three new profilers and the command 'dump-cache'.
[.simics-6:2] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-6:3] sysbreak _exit
[.simics-6:4] c
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
Caught breakpoint
[1001] <0x7ffd3ed0> <0x00172ed0>   0 0 0 0 0 0 0 1  ta          8 
[.simics-6:5] prof-page-map

Profile stats per page (zeroes not listed):
Physical    Virtual    ( source )
0x00005000  0x00011000 (pid 1001)   46 5 7 2 1159 1158 6519 37 
0x00006000  0x00012000 (pid 1001)   26 3 9 2  202  203 1016 20 
0x00007000  0x00013000 (pid 1001)   10 0 6 2   87   87  470  6 
0x00009000  0x00015000 (pid 1001)    2 0 0 1   19   19  123  1 
0x0000a000  0x00016000 (pid 1001)    9 0 0 1   30   30  203  9 
0x0000d000  0x00019000 (pid 1001)   10 1 0 1  150  142  424 13 
0x0000e000  0x0001a000 (pid 1001)   12 0 4 1  109  110 1055 10 
0x0000f000  0x0001b000 (pid 1001)   40 1 1 1  438  445 2584 37 
0x00010000  0x0001c000 (pid 1001)   19 0 0 1  172  172 1219 11 
0x00011000  0x0001d000 (pid 1001)   23 9 1 1 1169 1153 5401 25 
0x00012000  0x0001e000 (pid 1001)   46 12 0 1  686  702 4450 30 
0x00013000  0x0001f000 (pid 1001)   29  8 1029 3 18345 18345 281163 33 
0x00014000  0x00020000 (pid 1001)    9  0    2 2   154   154   1043 13 
0x00027000  0x00031000 (pid 1001)    8  0    0 0   677   677   2645  8 
0x0002d000  0xdf7d4000 (pid 1001)   42 231   21 17  3824  3804  15043 29 
0x0002e000  0xdf7d5000 (pid 1001)   52  31  783 73  8452  8473  49983 31 
0x0002f000  0xdf7d6000 (pid 1001)   51   1   23 19   524   524   2803 26 
0x00030000  0xdf7d7000 (pid 1001)   40  11   20  9  1578  1578   5897 31 
0x00031000  0xdf7d8000 (pid 1001)   36   1    6  4   156   156    682 34 
0x00032000  0xdf7d9000 (pid 1001)   29   8    3  4   181   181    943 23 
0x00033000  0xdf7da000 (pid 1001)   12   0    0  5   428   428   1412 15 
0x00034000  0xdf7db000 (pid 1001)   61  56 1230 35 28718 28718 149979 41 
0x00035000  0xdf7dc000 (pid 1001)   10   0    7  2    36    36    169  7 
0x00038000  0xdf7df000 (pid 1001)    2   0    0  1     2     2      6  2 
0x00039000  0xdf7e0000 (pid 1001)   12   0    2 491    35    35    165 10 
0x0003a000  0xdf7e1000 (pid 1001)   58  28   10  14 19048 19047  97558 39 
0x0003b000  0xdf7e2000 (pid 1001)   39  30   34   3  5185  5186  48572 31 
0x0003c000  0xdf7e3000 (pid 1001)   18   0  237   6 24136 24136  83150 10 
0x00052000  0xdf7f4000 (pid 1001)    7   0    0   0  1173  1173   3519  8 
0x00115000  0x7ff76000 (pid 1001)   14   1    2   3    53    53    219 11 
0x00116000  0x7ff77000 (pid 1001)   10   0    0   1    17    17     84 12 
0x00117000  0x7ff78000 (pid 1001)    3   0    4   1    14    14     90  2 
0x00121000  0x7ff82000 (pid 1001)   34  11    5   2  1424  1424   7409 25 
0x00122000  0x7ff83000 (pid 1001)    3   0    0   1   222   222   1590  4 
0x00134000  0x7ff95000 (pid 1001)    2   0    0   1    30    30     90  1 
0x00135000  0x7ff96000 (pid 1001)    6   0    0   2    36    36    110  8 
0x00136000  0x7ff97000 (pid 1001)    7   0    0  11   121   121    515  6 
0x00137000  0x7ff98000 (pid 1001)    4   0    0   2    18    18     60  7 
0x00138000  0x7ff99000 (pid 1001)    2   0    0   1     7     7     22  1 
0x0013a000  0x7ff9b000 (pid 1001)    4   0    0   1   101   101    342  1 
0x0013f000  0x7ffa0000 (pid 1001)    4   0    1   1     5     5     22  6 
0x00141000  0x7ffa2000 (pid 1001)    3   2    0   2     2     2     33  3 
0x00146000  0x7ffa7000 (pid 1001)    2   0    1   1     8     8     28  4 
0x00148000  0x7ffa9000 (pid 1001)    1   0    0   1   223   223    896  4 
0x00149000  0x7ffaa000 (pid 1001)   50 275    5   9  5048  4924  34464 35 
0x0014a000  0x7ffab000 (pid 1001)   12   2    0   3  1161  1285   7467  7 
0x00153000  0x7ffb4000 (pid 1001)    2   0    0   1    28    28    110  5 
0x00154000  0x7ffb5000 (pid 1001)    5   0    1   1    13    13     84  7 
0x00159000  0x7ffba000 (pid 1001)    2   0    1   1     3     3     19  2 
0x0015b000  0x7ffbc000 (pid 1001)    4   0    0   1     4     4     37  6 
0x0015d000  0x7ffbe000 (pid 1001)   12   5    8   2   116   116    954  9 
0x0015e000  0x7ffbf000 (pid 1001)   12   2    2   1   119   119    642 17 
0x0015f000  0x7ffc0000 (pid 1001)   11   0    1   1   113   113    414 10 
0x0016a000  0x7ffcb000 (pid 1001)   17   1    5   3    95    95    480 11 
0x0016c000  0x7ffcd000 (pid 1001)    1   0    0   1    12    12     36  3 
0x0016d000  0x7ffce000 (pid 1001)   21   1   10   3   305   305   1318 17 
0x0016e000  0x7ffcf000 (pid 1001)   10   2    0   1   788   788   5498  8 
0x00172000  0x7ffd3000 (pid 1001)    9   1    1   4   607   606   1231 10 
0x00214000  0x7ffee000 (pid 1001)    3   0    0   0   633   633   2484  4 
0x00215000  0x7ffef000 (pid 1001)   13   0    0   3    52    52    184 20 
0x00216000  0x7fff0000 (pid 1001)   16   0    0   1   226   226    853 21 
[.simics-6:6] prof-info
Active profilers, from 'left to right':
Column 1:  Instruction cache misses caused by program line ($SIM_SS_INSTR_MISS_WEIGHT = 0.000000)
Column 2:  Cache misses (writes) caused by program line ($SIM_SS_WRITE_MISS_WEIGHT = 0.000000)
Column 3:  Cache misses (reads) caused by program line ($SIM_SS_READ_MISS_WEIGHT = 0.000000)
Column 4:  TLB misses passed on to Unix emulation ($SIM_TLB_MISS_WEIGHT = 0.000000)
Column 5:  Number of (taken) branches *to* the code block ($SIM_TO_WEIGHT = 0.000000)
Column 6:  Number of (taken) branches *from* the code block ($SIM_FROM_WEIGHT = 0.000000)
Column 7:  Count of instruction execution (based on branch arcs) ($SIM_PC_WEIGHT = 0.000000)
Column 8:  Number of addresses from which instructions have been fetched ($SIM_INSTR_WEIGHT = 0.000000)
[.simics-6:7] pfd 0x00013000

Profile stats for page 0x00013000 (zeroes not listed):
  Physical    Virtual    ( source )
0x00013000  0x0001f000 (pid 1001)    1   0    0   0     6     6     32  1 
0x00013100  0x0001f100 (pid 1001)    1   0    0   0     1     1      3  4 
0x00013200  0x0001f200 (pid 1001)    4   8  391   0 12208  5262 106381  1 
0x00013300  0x0001f300 (pid 1001)    4   0  637   0  5839 12778 173380  2 
0x00013400  0x0001f400 (pid 1001)    3   0    0   0   187   194    649  4 
0x00013500  0x0001f500 (pid 1001)    0   0    0   0     0     0      0  0 
0x00013600  0x0001f600 (pid 1001)    0   0    0   0     0     0      0  0 
0x00013700  0x0001f700 (pid 1001)    3   0    0   2    79    78    582  5 
0x00013800  0x0001f800 (pid 1001)    2   0    1   0     1     2     28  1 
0x00013900  0x0001f900 (pid 1001)    0   0    0   0     0     0      0  0 
0x00013a00  0x0001fa00 (pid 1001)    0   0    0   0     0     0      0  0 
0x00013b00  0x0001fb00 (pid 1001)    0   0    0   0     0     0      0  0 
0x00013c00  0x0001fc00 (pid 1001)    3   0    0   0     4     3     15  5 
0x00013d00  0x0001fd00 (pid 1001)    4   0    0   0     7     8     48  3 
0x00013e00  0x0001fe00 (pid 1001)    3   0    0   1    10    10     36  4 
0x00013f00  0x0001ff00 (pid 1001)    1   0    0   0     3     3      9  3 
[.simics-6:8] umem-sum

All memory regions, with global info.

No.    RegionSize  File offset Sh?  Refs  Type            Inode (if any)
   0   0x00004000  0xffffffff  no      1  r_Private  inode  0  (file "<STDIN>")
   1   0x00012000  0x00000000  yes     1  r_Shared   inode  6  (file "././grep")
   2   0x00015000  0x00000000  yes     1  r_Shared   inode  7  (file "/usr/lib/ld.so.1")
   3   0x00022000  0x0001102c  no      1  r_Private  inode  6  (file "././grep")
   4   0x000a7000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
   5   0x00001000  0xffffffff  yes     1  r_Shared   inode 10  (file "/usr/lib/libdl.so.1")
   6   0x00001000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
   7   0x00018000  0x00014420  no      1  r_Private  inode  7  (file "/usr/lib/ld.so.1")
  13   0x00002000  0xffffffff  no      1  r_Private  inode  8  (file "/dev/zero")
  14   0x00085000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
  15   0x00097000  0xffffffff  no      1  r_Private  inode  9  (file "/usr/lib/libc.so.1")
[.simics-6:9] umem-pro

Memory pregions in process 1001:

Virtual address range  Size(p)  Prot  Type            Reg  Off.(p)   Mapped file (if any)
0x00010000-0x00021fff  0x00012   R X   rt_Text           1  0x00000   inode  6  (file "././grep")
0x00031000-0x00041fff  0x00011   RWX   rt_Data           3  0x00011   inode  6  (file "././grep")
0x7ff60000-0x7ffddfff  0x0007e   R X   rt_map_private   15  0x00000   inode  9  (file "/usr/lib/libc.so.1")
0x7ffed000-0x7fff4fff  0x00008   RWX   rt_map_private   14  0x0007d   inode  9  (file "/usr/lib/libc.so.1")
0x7fff5000-0x7fff6fff  0x00002   RWX   rt_map_private   13  0x00000   inode  8  (file "/dev/zero")
0x7fff7000-0x7fffcfff  0x00006   R X   rt_map_private    4  0x000a1   inode  9  (file "/usr/lib/libc.so.1")
0x7fffd000-0x7fffdfff  0x00001   R X   rt_map_shared     5  0x00000   inode 10  (file "/usr/lib/libdl.so.1")
0x7fffe000-0x7fffefff  0x00001   RWX   rt_map_private    6  0x00000   inode  8  (file "/dev/zero")
0xdf7d0000-0xdf7e4fff  0x00015   R X   rt_Text           2  0x00000   inode  7  (file "/usr/lib/ld.so.1")
0xdf7f4000-0xdf7f7fff  0x00004   RWX   rt_Data           7  0x00014   inode  7  (file "/usr/lib/ld.so.1")
0xdfffc000-0xdfffffff  0x00004   RWX   rt_Stack          0  0x00000 
[.simics-6:10] dis 0x0001f200 64
[1001] <0x0001f200> <0x00013200>    1   1    1   0     0     0      0  0  add        %o2, 1, %o2 
[1001] <0x0001f204> <0x00013204>    0   0    0   0     0     0      0  0  subcc      %o2, 255, %g0 
[1001] <0x0001f208> <0x00013208>    0   0    0   0     0     0      0  0  ble        0x0001f1f0
[1001] <0x0001f20c> <0x0001320c>    0   0    0   0     0     0      0  0  stb        %o1 -> [%o0 + 60]
[1001] <0x0001f210> <0x00013210>    0   0    0   0     0     0      0  0  ba_a       0x0001f234
[1001] <0x0001f214> <0x00013214>    0   0    0   0     1     0      1  0  add        %fp, -16, %o3 
[1001] <0x0001f218> <0x00013218>    0   0    0   0   255     0    256  1  add        %i0, %o2, %o0 
[1001] <0x0001f21c> <0x0001321c>    0   0    0   0     0     0    256  1  add        %o3, %o2, %o1 
[1001] <0x0001f220> <0x00013220>    0   0    0   0     0     0    256  1  ldub       %o1, -256, %o1 
[1001] <0x0001f224> <0x00013224>    0   0    0   0     0     0    256  1  add        %o2, 1, %o2 
[1001] <0x0001f228> <0x00013228>    0   0    0   0     0     0    256  1  subcc      %o2, 255, %g0 
[1001] <0x0001f22c> <0x0001322c>    0   0    0   0     0     0    256  1  ble        0x0001f218
[1001] <0x0001f230> <0x00013230>    0   7    0   0     0   255    256  1  stb        %o1 -> [%o0 + 60]
[1001] <0x0001f234> <0x00013234>    0   0    0   0     0     0      1  1  jmpl_l     missing op impl
[1001] <0x0001f238> <0x00013238>    0   0    0   0     0     1      1  1  restore    %g0, 0, %o0 
[1001] <0x0001f23c> <0x0001323c>    0   0    0   0    26     0     26  1  save       %sp, -112, %sp 
[1001] <0x0001f240> <0x00013240>    1   0    0   0     0     0     26  1  ld         %i0, 52, %o5 
[1001] <0x0001f244> <0x00013244>    0   0    0   0     0     0     26  1  subcc      %o5, 0, %g0 
[1001] <0x0001f248> <0x00013248>    0   0    0   0     0     0     26  1  bne        0x0001f258
[1001] <0x0001f24c> <0x0001324c>    0   0    0   0     0    26     26  1  subcc      %o5, %i2, %g0 
[1001] <0x0001f250> <0x00013250>    0   0    0   0     0     0      0  0  ba         0x0001f460
[1001] <0x0001f254> <0x00013254>    0   0    0   0     0     0      0  0  or         %g0, %i1, %i0 
[1001] <0x0001f258> <0x00013258>    0   0    0   0    26     0     26  1  bgu        0x0001f45c
[1001] <0x0001f25c> <0x0001325c>    0   0    0   0     0     0     26  1  subcc      %o5, 1, %g0 
[1001] <0x0001f260> <0x00013260>    0   0    0   0     0     0     26  1  bne        0x0001f28c
[1001] <0x0001f264> <0x00013264>    0   0    0   0     0    26     26  1  add        %i0, 60, %o4 
[1001] <0x0001f268> <0x00013268>    0   0    0   0     0     0      0  0  ld         %i0, 1340, %o1 
[1001] <0x0001f26c> <0x0001326c>    0   0    0   0     0     0      0  0  or         %g0, %i1, %o0 
[1001] <0x0001f270> <0x00013270>    0   0    0   0     0     0      0  0  ldsb       %o1, %g0, %o1 
[1001] <0x0001f274> <0x00013274>    0   0    0   0     0     0      0  0  call       0x0003118c
[1001] <0x0001f278> <0x00013278>    0   0    0   0     0     0      0  0  or         %g0, %i2, %o2 
[1001] <0x0001f27c> <0x0001327c>    0   0    0   0     0     0      0  0  ba         0x0001f460
[1001] <0x0001f280> <0x00013280>    0   0    0   0     0     0      0  0  or         %g0, %o0, %i0 
[1001] <0x0001f284> <0x00013284>    0   0    0   0     0     0      0  0  ba         0x0001f460
[1001] <0x0001f288> <0x00013288>    0   0    0   0     0     0      0  0  sub        %i0, %o5, %i0 
[1001] <0x0001f28c> <0x0001328c>    1   0    0   0    26     0     26  1  ld         %i0, 1340, %o0 
[1001] <0x0001f290> <0x00013290>    0   0    0   0     0     0     26  1  add        %o5, %o0, %g3 
[1001] <0x0001f294> <0x00013294>    0   0    0   0     0     0     26  1  ldub       %g3, -2, %g1 
[1001] <0x0001f298> <0x00013298>    0   0    0   0     0     0     26  1  ld         %i0, 1344, %o7 
[1001] <0x0001f29c> <0x0001329c>    0   0    0   0     0     0     26  1  sll        %o5, 1, %o0 
[1001] <0x0001f2a0> <0x000132a0>    0   0    0   0     0     0     26  1  add        %o0, %o5, %o0 
[1001] <0x0001f2a4> <0x000132a4>    0   0    0   0     0     0     26  1  sll        %o0, 2, %o0 
[1001] <0x0001f2a8> <0x000132a8>    0   0    0   0     0     0     26  1  subcc      %i2, %o0, %g0 
[1001] <0x0001f2ac> <0x000132ac>    0   0    0   0     0     0     26  1  bleu       0x0001f3d0
[1001] <0x0001f2b0> <0x000132b0>    0   0    0   0     0     0     26  1  add        %i1, %o5, %i0 
[1001] <0x0001f2b4> <0x000132b4>    0   0    0   0     0     0     26  1  add        %i1, %i2, %g2 
[1001] <0x0001f2b8> <0x000132b8>    0   0    0   0     0     0     26  1  sub        %o0, %o5, %o0 
[1001] <0x0001f2bc> <0x000132bc>    0   0    0   0     0     0     26  1  sub        %g2, %o0, %g2 
[1001] <0x0001f2c0> <0x000132c0>    1   0    0   0  3478     0   3504  1  subcc      %i0, %g2, %g0 
[1001] <0x0001f2c4> <0x000132c4>    0   0    0   0     0  3497   3504  1  bgu_a      0x0001f3d4
[1001] <0x0001f2c8> <0x000132c8>    0   0    0   0     0     7      7  1  add        %i1, %i2, %g2 
[1001] <0x0001f2cc> <0x000132cc>    0   0   66   0  3497     0   3497  1  ldub       %i0, -1, %o0 
[1001] <0x0001f2d0> <0x000132d0>    0   0    0   0  4899     0   8396  1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2d4> <0x000132d4>    0   0    0   0     0     0   8396  1  add        %i0, %o1, %i0 
[1001] <0x0001f2d8> <0x000132d8>    0   0  105   0     0     0   8396  1  ldub       %i0, -1, %o0 
[1001] <0x0001f2dc> <0x000132dc>    0   0    1   0     0     0   8396  1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2e0> <0x000132e0>    0   0    0   0     0     0   8396  1  subcc      %o1, 0, %g0 
[1001] <0x0001f2e4> <0x000132e4>    0   0    0   0     0     0   8396  1  be         0x0001f370
[1001] <0x0001f2e8> <0x000132e8>    0   0    0   0     0  1450   8396  1  add        %i0, %o1, %i0 
[1001] <0x0001f2ec> <0x000132ec>    0   0  115   0     0     0   6946  1  ldub       %i0, -1, %o0 
[1001] <0x0001f2f0> <0x000132f0>    0   0    0   0     0     0   6946  1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2f4> <0x000132f4>    0   0    0   0     0     0   6946  1  add        %i0, %o1, %i0 
[1001] <0x0001f2f8> <0x000132f8>    0   0  103   0     0     0   6946  1  ldub       %i0, -1, %o0 
[1001] <0x0001f2fc> <0x000132fc>    0   0    0   0     0     0   6946  1  ldub       %o4, %o0, %o1 
[.simics-6:11] quit
Exiting SimICS. Log file is in '.simics-log-007'.
shell>

Comments:

We begin with running the grep program until completion. The command prof-page-map lists statistics for all (physical) memory pages. (The reason that the columns are not aligned is that all profiling output routines adapt to the maximum width seen thus far.) As usual, SimICS tries to guess what each physical page corresponds to, in terms of virtual address and process ID (useful if you're simultaneously profiling multiple programs).
If you forget what the profile columns represent, you can use the command prof-info to refresh your memory.
If you want to dig deeper into the profile, you can expand each physical page (4096 bytes, or 1024 locations) into groups of 64 instructions, i.e. 16 lines, using prof-page-detail (or simply "pfd").
Of course, you can use umem-sum and/or umem-pro at any time to figure out what region you're looking at. As we might suspect, address 0x13000 is in the text segment of the grep program itself.
A further level of detail can be had with the dis command. In the example we list the entire subpage, showing profiling stats for individual sparc instructions.
The count of execution of instructions is the number of times that an instruction has been fetched and executed from that (physical) address. This means that you can profile dynamically generated code, for instance. It also means that if you run a long workload, text segments might overlap with previously terminated programs.

Of course, for large programs this can become rather unwieldly. Therefore, SimICS supports setting linear weights to each of the profiles:

shell>cat .simics-7
load-object "supersparc"
load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
sysbreak _exit
c
prof-info
$SIM_SS_READ_MISS_WEIGHT = 1
$SIM_TLB_MISS_WEIGHT = 1
prof-weight 64 10
dis 0x0001f2c0 (64 / 4)
quit
shell>
shell>simics -no-tty -echo -n -x .simics-7
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-008'
[.simics-7:1] load-object "supersparc"
Loaded SuperSparc cache model. Three new profilers and the command 'dump-cache'.
[.simics-7:2] load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
Loading file '././grep' to new unix process
[.simics-7:3] sysbreak _exit
[.simics-7:4] c
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
Caught breakpoint
[1001] <0x7ffd3ed0> <0x00172ed0>   0 0 0 0 0 0 0 1  ta          8 
[.simics-7:5] prof-info
Active profilers, from 'left to right':
Column 1:  Instruction cache misses caused by program line ($SIM_SS_INSTR_MISS_WEIGHT = 0.000000)
Column 2:  Cache misses (writes) caused by program line ($SIM_SS_WRITE_MISS_WEIGHT = 0.000000)
Column 3:  Cache misses (reads) caused by program line ($SIM_SS_READ_MISS_WEIGHT = 0.000000)
Column 4:  TLB misses passed on to Unix emulation ($SIM_TLB_MISS_WEIGHT = 0.000000)
Column 5:  Number of (taken) branches *to* the code block ($SIM_TO_WEIGHT = 0.000000)
Column 6:  Number of (taken) branches *from* the code block ($SIM_FROM_WEIGHT = 0.000000)
Column 7:  Count of instruction execution (based on branch arcs) ($SIM_PC_WEIGHT = 0.000000)
Column 8:  Number of addresses from which instructions have been fetched ($SIM_INSTR_WEIGHT = 0.000000)
[.simics-7:6] $SIM_SS_READ_MISS_WEIGHT = 1
-> 1
[.simics-7:7] $SIM_TLB_MISS_WEIGHT = 1
-> 1
[.simics-7:8] prof-weight 64 10
Weighted profiling results:
  Physical    Virtual    ( source )
  0x00034380  0xdf7db380 (pid 1001)       539.00
  0x00039080  0xdf7e0080 (pid 1001)       484.00
  0x000132c0  0x0001f2c0 (pid 1001)       390.00
  0x00013300  0x0001f300 (pid 1001)       387.00
  0x0002eac0  0xdf7d5ac0 (pid 1001)       268.00
  0x00034880  0xdf7db880 (pid 1001)       267.00
  0x00013340  0x0001f340 (pid 1001)       249.00
  0x0003c0c0  0xdf7e30c0 (pid 1001)       239.00
  0x0002ea80  0xdf7d5a80 (pid 1001)       193.00
  0x0002e9c0  0xdf7d59c0 (pid 1001)       164.00
Sum:                 3180.00 (74%)
Not shown:           1114.00 (26%)
System total:        4294.00
[.simics-7:9] dis 0x0001f2c0 (64 / 4)
[1001] <0x0001f2c0> <0x000132c0>   1 0 0 0 3478 0 3504 1  subcc      %i0, %g2, %g0 
[1001] <0x0001f2c4> <0x000132c4>   0 0 0 0    0 3497 3504 1  bgu_a      0x0001f3d4
[1001] <0x0001f2c8> <0x000132c8>   0 0 0 0    0    7    7 1  add        %i1, %i2, %g2 
[1001] <0x0001f2cc> <0x000132cc>   0 0 66 0 3497    0 3497 1  ldub       %i0, -1, %o0 
[1001] <0x0001f2d0> <0x000132d0>   0 0  0 0 4899    0 8396 1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2d4> <0x000132d4>   0 0  0 0    0    0 8396 1  add        %i0, %o1, %i0 
[1001] <0x0001f2d8> <0x000132d8>   0 0 105 0    0    0 8396 1  ldub       %i0, -1, %o0 
[1001] <0x0001f2dc> <0x000132dc>   0 0   1 0    0    0 8396 1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2e0> <0x000132e0>   0 0   0 0    0    0 8396 1  subcc      %o1, 0, %g0 
[1001] <0x0001f2e4> <0x000132e4>   0 0   0 0    0    0 8396 1  be         0x0001f370
[1001] <0x0001f2e8> <0x000132e8>   0 0   0 0    0 1450 8396 1  add        %i0, %o1, %i0 
[1001] <0x0001f2ec> <0x000132ec>   0 0 115 0    0    0 6946 1  ldub       %i0, -1, %o0 
[1001] <0x0001f2f0> <0x000132f0>   0 0   0 0    0    0 6946 1  ldub       %o4, %o0, %o1 
[1001] <0x0001f2f4> <0x000132f4>   0 0   0 0    0    0 6946 1  add        %i0, %o1, %i0 
[1001] <0x0001f2f8> <0x000132f8>   0 0 103 0    0    0 6946 1  ldub       %i0, -1, %o0 
[1001] <0x0001f2fc> <0x000132fc>   0 0   0 0    0    0 6946 1  ldub       %o4, %o0, %o1 
[.simics-7:10] quit
Exiting SimICS. Log file is in '.simics-log-008'.
shell>

Comments:

We first use prof-info to remind us of what the profile columns mean, and also to see what the names of the weight variables are. We then set $SIM_SS_READ_MISS_WEIGHT and $SIM_TLB_MISS_WEIGHT to one, to investigate where read misses are (TLB misses on Sparcs generally cause an additional miss during TLB load).
Next, we use the prof-weight command to view the results. This command takes two arguments, block granularity and top count. What it does is to go over all of memory and accumulate the profiling statistics in blocks, in the example blocks of size 64. It then shows the top values, in the example the top 10. It also shows what percentage is covered by the listing. In the example, 85% of read and TLB misses are in the top 10 offendors of instruction blocks.
We now use dis to list the worst block (note that the three top offendors are adjacent in memory). This gives us an exact listing of which sparc instructions caused most data cache misses in this run.

Symbolic front end - using GDB

The SimICS distribution includes a modified version of GDB 4.11 called gdb-simics. gdb-simics can support running SimICS as a back-end. You can run gdb-simics in several ways:

from the command line, directly on the program, i.e. by the command "gdb-simics ./grep"
from within gdb-simics, using the usual "load-unix" command
from within emacs, using the included emacs lisp file (simics.el) for emacs 18.x, or just running gdb-simics when using emacs 19.x.

The later alternatives are better (i.e. running from within emacs is best). In the example below, we've chosen the second alternative. Note that the first alternative does not allow you to pass parameters directly to the program. Please also refer to the gdb-simics README file for hints on usage.

gdb-simics can basically do everything GDB 4.11 can do, in addition to the features in SimICS. Standard GDB functions, such as single stepping, setting and clearing breakpoints, etc, are transparently translated to SimICS commands. gdb-simics and simics-backend share the same command line: any command that GDB doesn't understand, it passes on to SimICS. You can force a command to be passed to SimICS by using the sim command.

shell> gdb-simics
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.11 (sparc-sun-solaris2.3 --target sparc-simics-simics), 
Copyright 1993 Free Software Foundation, Inc.
(gdb-simics) help simics
SimICS specific commands. Activated with 'target simics'.
 
SimICS is an instruction set simulator of the Sparc V8 processor, including
emulation of parts of the Unix (SunOS 5.x) interface. This version of GDB is
extended with support for running SimICS over a pipe. This support is
activated either by starting GDB on a program (e.g. 'gdb-simics my-program')
or with the 'target simics' command.
 
Documentation on SimICS can be found at 'http://www.sics.se/simics/'.
 
There are also some simics-specific GDB commands, see the list below.
 
Please send questions or bug reports to Peter Magnusson at psm@sics.se 

List of commands:

flush -- Try to clean up connection with SimICS
dbgsimics -- Enable (some) debugging output from SimICS interface
sim -- Pass command on to SimICS (alias 's')

Type "help" followed by command name for full documentation.
Command name abbreviations are allowed if unambiguous.
(gdb-simics) target simics
Connected to SimICS (pid 27160).
SimICS - Copyright 1991-1997 by SICS, All Rights Reserved
         Version: Alpha 0.9 (Tue May 13 16:51:06 MET DST 1997)
         Processor: 'Sparc V8 (v1.0)'

Type 'readme' for details on warranty, copying, new versions, etc.

SimICS log file opened as '.simics-log-2'
(gdb-simics) load-unix "./grep" "copyset alloca.c dfa.c dfa.h getopt.c getopt.h getpagesize.h grep.c grep.h kwset.c kwset.h obstack.c obstack.h regex.c regex.h search.c"
(gdb-simics) symbol grep
Reading symbols from grep...done.
(gdb-simics) sysbreak _exit
(gdb-simics) load-object supersparc
Loaded SuperSparc cache model. Three new profilers and the command 'dump-cache'.
(gdb-simics) c
Continuing.
dfa.c:copyset(src, dst)
dfa.c:  copyset(s, dfa->charclasses[i]);
dfa.c:	copyset(d->charclasses[d->tokens[pos.index] - CSET], matches);
dfa.c:	      copyset(leftovers, labels[ngrps]);
dfa.c:	      copyset(intersect, labels[j]);
dfa.c:	  copyset(matches, labels[ngrps]);
Breakpoint: about to request system call '_exit'
0x7ffd3ed0 in match_words ()
(gdb-simics) s $SIM_PC_WEIGHT = 1
-> 1
(gdb-simics) prof-weight 32
Weighted profiling results:
  Physical    Virtual    ( source )
  0x000132e0  0x0001f2e0 (pid 1001)     59918.00
  0x00013300  0x0001f300 (pid 1001)     53350.00
  0x00013320  0x0001f320 (pid 1001)     46696.00
  0x000132c0  0x0001f2c0 (pid 1001)     44096.00
  0x00013340  0x0001f340 (pid 1001)     40221.00
  0x00013360  0x0001f360 (pid 1001)     23298.00
  0x000343a0  0xdf7db3a0 (pid 1001)     17112.00
  0x000343c0  0xdf7db3c0 (pid 1001)     14973.00
  0x0002ea00  0xdf7d5a00 (pid 1001)     12544.00
  0x00034820  0xdf7db820 (pid 1001)     12040.00
Sum:               324248.00 (39%)
Not shown:         511733.00 (61%)
System total:      835981.00
(gdb-simics) x/8i 0x1f2e0
0x1f2e0 :   unimp  0x0
0x1f2e4 :   -> 41943075unimp  0x0
0x1f2e8 :   -> -1341784055unimp  0x0
0x1f2ec :   -> -804372481unimp  0x0
0x1f2f0 :   -> -771031032unimp  0x0
0x1f2f4 :   -> -1341784055unimp  0x0
0x1f2f8 :   -> -804372481unimp  0x0
0x1f2fc :   -> -771031032unimp  0x0
(gdb-simics) flush
(gdb-simics) x/8i 0x1f2e0
0x1f2e0 :	 0 0   0 0 0    0 8396 1 cmp  %o1, 0
0x1f2e4 :	 0 0   0 0 0    0 8396 1 be  0x1f370 
0x1f2e8 :	 0 0   0 0 0 1450 8396 1 add  %i0, %o1, %i0
0x1f2ec :	 0 0 115 0 0    0 6946 1 ldub  [ %i0 + -1 ], %o0
0x1f2f0 :	 0 0   0 0 0    0 6946 1 ldub  [ %o4 + %o0 ], %o1
0x1f2f4 :	 0 0   0 0 0    0 6946 1 add  %i0, %o1, %i0
0x1f2f8 :	 0 0 103 0 0    0 6946 1 ldub  [ %i0 + -1 ], %o0
0x1f2fc :	 0 0   0 0 0    0 6946 1 ldub  [ %o4 + %o0 ], %o1
(gdb-simics) list *0x1f2ec
0x1f2ec is in bmexec (kwset.c:560).
555	                         		  {
556	 0 0  66 0 8396    0 20289 3 		    d = d1[U(tp[-1])], tp += d;
557	 0 0 106 0    0    0 16792 2 		    d = d1[U(tp[-1])], tp += d;
558	 0 0   0 0    0 1450 25188 3 		    if (d == 0)
559	                             		      goto found;
560	 0 0 115 0    0    0 20838 3 		    d = d1[U(tp[-1])], tp += d;
561	 1 0 104 0    0    0 20838 3 		    d = d1[U(tp[-1])], tp += d;
562	 0 0 126 0    0    0 13892 2 		    d = d1[U(tp[-1])], tp += d;
563	 0 0   0 0    0 1109 20838 3 		    if (d == 0)
564	                             		      goto found;
(gdb-simics)

Comments:

We first do the help simics command in GDB, which provides a useful reminder for how to start SimICS from withing GDB.
We initialize access to simics with the command target simics. This tells gdb to start a background SimICS process. Communication between gdb-simics and the SimICS process (simics-backend) is done over a pipe.
We next use load-unix in the usual fashion to fetch a program binary into memory. Note that we cannot use the GDB set args command, instead we need to give the arguments as a parameter to load-unix.
Next we use the GDB symbol command to tell GDB what file to fetch symbol tables from. gdb-simics supports simultaneous debugging of several different programs, but whenever we need to access the symbol information, we need to make sure we're looking at the right symbol tables.
As usual, we use sysbreak _exit and c to start execution.
To find the busiest part of grep, we again set $SIM_PC_WEIGHT to 1, and use prof-weight to get a listing of the top ten offendors (grouping instructions in chunks of 8). Note how we use the "s" prefix to make sure that GDB doesn't try to parse the setting of an environment variable. (gdb-simics variables and simics-backend variables are in different name spaces.)
Once we've found the important code, we use the GDB disassembly command. Note that both GDB and SimICS use the x command to disassemble, but their syntax is different. Again, if we wish to force GDB to pass the command on to SimICS, we can add the "s" prefix.
In this example, gdb-simics printed junk when asked to disassemble. The reason is that gdb-simics and simics-backend communicate over a pipe, and they sometimes get out of synch. We use the flush command to "kick" both of them and hope that this fixes matters. (I hope to get rid of this terrible hack someday, but until then, flush will be a useful friend.)
On our second attempt, "x/8i" lists the assembler code where much of our execution is spent.
Finally, since GDB understands symbol information, we can list C code directly with the list command. In particular, the address format *ADDRESS tells GDB to list the C code around the address ADDRESS. When gdb-simics lists C code (or assembler), it always asks simics-backend to provide a summary string for the code on that line. Thus, our profiler columns are included in the listing.
(Note: if the code is compiled with optimization flags on, different lines of C may overlap, or some lines of C may have "disappeared" and actually ended up somewhere else. For detailed analysis, always disassemble the instructions using "s dis" or "x/i".)

That wraps up our SimICS tutorial. Thanks for reading this far. If you have any suggestions for this page, please let us know.

This web page has been generated automatically from running this script. It was generated on Sun May 25 15:18:18 MET DST 1997 and the SimICS version used was SimICS Alpha 0.9 (Sun May 25 15:12:38 MET DST 1997) .

SimICS Tutorial: Getting a Grip on Grep

Table of Contents

Getting started

Command line mode and log files

Script files and processor statistics

Data Caches and Extensions

Unix emulation and help

Controlling the execution - breakpoints and watchpoints

Inspecting state

Profiling

Symbolic front end - using GDB