Profiling and Coverage

Profile and coverage collection support is currently experimental.

TEMU supports the collection of execution profiles. These profiles can also be used for coverage analysis.

At present the following metrics are collected:

  • Taken branch counters

  • Not-taken branches counters

As profiling has a negative performance impact, it needs to be enabled.

Enabling Profiling Mode

To enable profiling in the command line invoke the enableProfiling command method.

The memSpace property should be set to the CPUs memory space object. The memSpace property was introduced as an optional property in TEMU 2.2.6 in order to support forwards compatibility.

To enable profiling in the API call the enableProfiling() method in the CpuIface


Exporting Profiles

Profiles can be exported in YAML format with the cov-write command. Before cov-write, the profile state should be flushed.

cov-write file='-'
cov-write can use the - name in order to specify stdout.

The exported format currently looks like the following:

  - {src: 0x4, tgt: 0x204, count: 1}

Marks out the physical address of the branch instruction.


Marks the physical address of the target of the branch.


Marks how many time that branch arc has been executed.

From the branch arcs (in combination with the binary), it is possible to derive information such as instruction coverage and branch coverage.