LEAVE emulation infinite loop

All of lore.kernel.org
 help / color / mirror / Atom feed

* LEAVE emulation infinite loop
@ 2011-04-24  7:08 Matteo Signorini
  2011-04-24  7:14 ` Avi Kivity
  0 siblings, 1 reply; 4+ messages in thread
From: Matteo Signorini @ 2011-04-24  7:08 UTC (permalink / raw)
  To: kvm

Hello everybody,
I have a problem with an opcode emulation not yet emulated in kvm-kmod
2.6.38-rc7.
The opcode is the "LEAVE" that as Intel Manual says:

"Set RSP to RBP, then pop RBP"

The problem is that despite to the fact that the opcode of the leave
(C9) is correctly fetched and decoded, it falls in an infinite loop
(found by some printk debug prints)

Now I'm wondering...the eip needed in order to continue the vm
execution is moved-on by the insns_fetch operation so after the first
byte decode of the LEAVE opcode I shouldn't execute it again...so what
I'm doing wrong?

I posted here the diff output so you can see which changes I made on
kvm original source code


*** emulate.c   2011-04-21 13:19:11.535663092 +0200

--- myemulate.c 2011-04-21 13:34:21.490313650 +0200
*************** static struct opcode opcode_table[256] =
*** 2504,2510 ****
        D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr
| ModRM | No64),
        G(ByteOp, group11), G(0, group11),
        /* 0xC8 - 0xCF */
!       N, N, N, D(ImplicitOps | Stack),
        D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64),
D(ImplicitOps),
        /* 0xD0 - 0xD7 */
        D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
--- 2504,2510 ----
        D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr
| ModRM | No64),
        G(ByteOp, group11), G(0, group11),
        /* 0xC8 - 0xCF */
!       N, D(ImplicitOps | SrcNone), N, D(ImplicitOps | Stack),
        D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64),
D(ImplicitOps),
        /* 0xD0 - 0xD7 */
        D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
*************** special_insn:
*** 3259,3264 ****
--- 3259,3268 ----
        case 0xc5:              /* lds */
                rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
                break;
+       case 0xc9:              /* leave */
+               c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RBP];
+               rc = emulate_pop_sreg(ctxt, ops, VCPU_REGS_RBP);
+               goto done;
        case 0xcb:              /* ret far */
                rc = emulate_ret_far(ctxt, ops);
                break;


Thank you in advance,
Matteo

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LEAVE emulation infinite loop
  2011-04-24  7:08 LEAVE emulation infinite loop Matteo Signorini
@ 2011-04-24  7:14 ` Avi Kivity
  2011-04-25  9:05   ` Matteo Signorini
  0 siblings, 1 reply; 4+ messages in thread
From: Avi Kivity @ 2011-04-24  7:14 UTC (permalink / raw)
  To: Matteo Signorini; +Cc: kvm

On 04/24/2011 10:08 AM, Matteo Signorini wrote:
> Hello everybody,
> I have a problem with an opcode emulation not yet emulated in kvm-kmod
> 2.6.38-rc7.
> The opcode is the "LEAVE" that as Intel Manual says:
>
> "Set RSP to RBP, then pop RBP"
>
> The problem is that despite to the fact that the opcode of the leave
> (C9) is correctly fetched and decoded, it falls in an infinite loop
> (found by some printk debug prints)
>
> Now I'm wondering...the eip needed in order to continue the vm
> execution is moved-on by the insns_fetch operation so after the first
> byte decode of the LEAVE opcode I shouldn't execute it again...so what
> I'm doing wrong?
>
> I posted here the diff output so you can see which changes I made on
> kvm original source code
>
>
>          case 0xc5:              /* lds */
>                  rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
>                  break;
> +       case 0xc9:              /* leave */
> +               c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RBP];
> +               rc = emulate_pop_sreg(ctxt, ops, VCPU_REGS_RBP);
> +               goto done;
>          case 0xcb:              /* ret far */
>                  rc = emulate_ret_far(ctxt, ops);
>                  break;
>
>

Why are you calling emulate_pop_sreg()? RBP is not a segment register.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LEAVE emulation infinite loop
  2011-04-24  7:14 ` Avi Kivity
@ 2011-04-25  9:05   ` Matteo Signorini
  2011-04-26  8:50     ` Avi Kivity
  0 siblings, 1 reply; 4+ messages in thread
From: Matteo Signorini @ 2011-04-25  9:05 UTC (permalink / raw)
  To: Avi Kivity; +Cc: Matteo Signorini, kvm

Hi to All,

I fixed the previously highlighted error, calling the right pop
emulation function
but still get the same error, an infinite "leave" emulation loop.
IMHO this is not an emulation error since x86_decode_insn and
x86_emulate_insn return a correct value ( r=0 )
so I don't understand what I'm doing wrong...
could you please give me an hint to fix it?

Thank you in advance,
Matteo

*** emulate.c   2011-04-21 13:19:11.535663092 +0200

--- myemulate.c 2011-04-21 13:34:21.490313650 +0200
*************** static struct opcode opcode_table[256] =
*** 2504,2510 ****
       D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr
| ModRM | No64),
       G(ByteOp, group11), G(0, group11),
       /* 0xC8 - 0xCF */
!       N, N, N, D(ImplicitOps | Stack),
       D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64),
D(ImplicitOps),
       /* 0xD0 - 0xD7 */
       D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
--- 2504,2510 ----
       D(DstReg | SrcMemFAddr | ModRM | No64), D(DstReg | SrcMemFAddr
| ModRM | No64),
       G(ByteOp, group11), G(0, group11),
       /* 0xC8 - 0xCF */
!       N, D(ImplicitOps | SrcNone), N, D(ImplicitOps | Stack),
       D(ImplicitOps), D(SrcImmByte), D(ImplicitOps | No64),
D(ImplicitOps),
       /* 0xD0 - 0xD7 */
       D2bv(DstMem | SrcOne | ModRM), D2bv(DstMem | ModRM),
*************** special_insn:
*** 3259,3264 ****
--- 3259,3268 ----
       case 0xc5:              /* lds */
               rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
               break;
+       case 0xc9:              /* leave */
+               c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RBP];
+               rc = emulate_pop(ctxt, ops, &c->regs[VCPU_REGS_RBP],
c->op_bytes);
+               goto done;
       case 0xcb:              /* ret far */
               rc = emulate_ret_far(ctxt, ops);
               break;



2011/4/24 Avi Kivity <avi@redhat.com>
>
> On 04/24/2011 10:08 AM, Matteo Signorini wrote:
>>
>> Hello everybody,
>> I have a problem with an opcode emulation not yet emulated in kvm-kmod
>> 2.6.38-rc7.
>> The opcode is the "LEAVE" that as Intel Manual says:
>>
>> "Set RSP to RBP, then pop RBP"
>>
>> The problem is that despite to the fact that the opcode of the leave
>> (C9) is correctly fetched and decoded, it falls in an infinite loop
>> (found by some printk debug prints)
>>
>> Now I'm wondering...the eip needed in order to continue the vm
>> execution is moved-on by the insns_fetch operation so after the first
>> byte decode of the LEAVE opcode I shouldn't execute it again...so what
>> I'm doing wrong?
>>
>> I posted here the diff output so you can see which changes I made on
>> kvm original source code
>>
>>
>>         case 0xc5:              /* lds */
>>                 rc = emulate_load_segment(ctxt, ops, VCPU_SREG_DS);
>>                 break;
>> +       case 0xc9:              /* leave */
>> +               c->regs[VCPU_REGS_RSP] = c->regs[VCPU_REGS_RBP];
>> +               rc = emulate_pop_sreg(ctxt, ops, VCPU_REGS_RBP);
>> +               goto done;
>>         case 0xcb:              /* ret far */
>>                 rc = emulate_ret_far(ctxt, ops);
>>                 break;
>>
>>
>
> Why are you calling emulate_pop_sreg()? RBP is not a segment register.
>
> --
> I have a truly marvellous patch that fixes the bug which this
> signature is too narrow to contain.
>
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LEAVE emulation infinite loop
  2011-04-25  9:05   ` Matteo Signorini
@ 2011-04-26  8:50     ` Avi Kivity
  0 siblings, 0 replies; 4+ messages in thread
From: Avi Kivity @ 2011-04-26  8:50 UTC (permalink / raw)
  To: Matteo Signorini; +Cc: Matteo Signorini, kvm

On 04/25/2011 12:05 PM, Matteo Signorini wrote:
> Hi to All,
>
> I fixed the previously highlighted error, calling the right pop
> emulation function
> but still get the same error, an infinite "leave" emulation loop.
> IMHO this is not an emulation error since x86_decode_insn and
> x86_emulate_insn return a correct value ( r=0 )
> so I don't understand what I'm doing wrong...
> could you please give me an hint to fix it?

No idea, sorry, you'll have to debug it.

-- 
error compiling committee.c: too many arguments to function


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2011-04-26  8:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-04-24  7:08 LEAVE emulation infinite loop Matteo Signorini
2011-04-24  7:14 ` Avi Kivity
2011-04-25  9:05   ` Matteo Signorini
2011-04-26  8:50     ` Avi Kivity

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.