How to debug QEMU

STEP 1: add a gloabcontrol variable before main in vl.c. we will stop on main() if the controlvariable is zero
 
int g_stop_here = 1;
int main(int argc, char **argv, char **envp){ ......
             while(g_stop_here){
                            ;//loop, wait debug;
             }
......
}
 
STEP 2: compile and runqemu
qemu-system-x86_64 -machine accel=kvm -smp 8 -drivefile=./test.raw,format=raw -drive file=./disk.qcow2 -cdrom./RHEL6.3-20120613.2-Server-x86_64-DVD1.iso -m 2048 -serial stdio -vnc 10.238.153.111:0-monitor telnet:10.238.153.111:6666,server,nowait
 
STEP 3: gdb attach theqemu process
[root@localhost host]# ps -ef | grep qemu
root      18816  17406 9922:06 pts/1    00:00:05 qemu-system-x86_64

roooot@localhost host]# gdb -p 18816
 
STEP 4: set thebreakpoint
(gdb) bt
#0  0x000055580c4d3fbd in main (argc=19,argv=0x7ffcae0149a8, envp=0x7ffcae014a48) at vl.c:2944
(gdb) b kvm_put_msr_feature_control
Breakpoint 1 at 0x55580c4b1a89: file/home/mce/workspace/git/qemu/qemu/target-i386/kvm.c, line 1311.
(gdb) b x86_cpu_reset
Breakpoint 2 at 0x55580c47f49f: file/home/mce/workspace/git/qemu/qemu/target-i386/cpu.c, line 2608.
 
STEP 5: set the gloabcontrol variable to zero and contiue run qemu process
(gdb) set var g_stop_here=0
(gdb) c
 
STEP 6: QEMU will stopat the breakpoint, and we can debug the process. Also we need see the logic ofqemu, some printf could be very helpful.
Breakpoint 2, x86_cpu_reset (s=0x55580e906f30) at/home/mce/workspace/git/qemu/qemu/target-i386/cpu.c:2608
2608        X86CPU*cpu = X86_CPU(s);
(gdb) bt
#0  x86_cpu_reset (s=0x55580e906f30) at/home/mce/workspace/git/qemu/qemu/target-i386/cpu.c:2608
#1  0x000055580c68a571 in cpu_reset(cpu=0x55580e906f30) at qom/cpu.c:231
#2  0x000055580c4800c7 in x86_cpu_realizefn (dev=0x55580e906f30,errp=0x7ffcae014210) at/home/mce/workspace/git/qemu/qemu/target-i386/cpu.c:2914
#3  0x000055580c55c9bd in device_set_realized(obj=0x55580e906f30, value=true, errp=0x7ffcae0143c8) at hw/core/qdev.c:1055
#4  0x000055580c6cd84d in property_set_bool(obj=0x55580e906f30, v=0x55580e921bf0, opaque=0x55580e8f7720,name=0x55580c7ba530 "realized", errp=0x7ffcae0143c8) atqom/object.c:1708
#5  0x000055580c6cbe84 in object_property_set(obj=0x55580e906f30, v=0x55580e921bf0, name=0x55580c7ba530 "realized",errp=0x7ffcae0143c8) at qom/object.c:965
#6  0x000055580c6ce71b inobject_property_set_qobject (obj=0x55580e906f30, value=0x55580e8f6bc0,name=0x55580c7ba530 "realized", errp=0x7ffcae0143c8) atqom/qom-qobject.c:24
#7  0x000055580c6cc11a in object_property_set_bool(obj=0x55580e906f30, value=true, name=0x55580c7ba530 "realized",errp=0x7ffcae0143c8) at qom/object.c:1034
#8  0x000055580c431fff in pc_new_cpu(cpu_model=0x55580c7ba5e5 "qemu64", apic_id=0, errp=0x7ffcae014420)at /home/mce/workspace/git/qemu/qemu/hw/i386/pc.c:1069
#9  0x000055580c4322bc in pc_cpus_init(cpu_model=0x55580c7ba5e5 "qemu64") at/home/mce/workspace/git/qemu/qemu/hw/i386/pc.c:1145
#10 0x000055580c434d2d in pc_init1(machine=0x55580e8a5bc0, host_type=0x55580c7bb237 "i440FX-pcihost",pci_type=0x55580c7bb230 "i440FX")
    at/home/mce/workspace/git/qemu/qemu/hw/i386/pc_piix.c:142
#11 0x000055580c43597b in pc_init_v2_5(machine=0x55580e8a5bc0) at/home/mce/workspace/git/qemu/qemu/hw/i386/pc_piix.c:474
#12 0x000055580c4d7cbb in main (argc=19,argv=0x7ffcae0149a8, envp=0x7ffcae014a48) at vl.c:4474