* Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-07 5:48 UTC
To: Z24, AL.LINUX, tygrawy; +Cc: xen-devel

cc to xen-devel,

Hi all,
Has anyone seen this kind of error before?
It's a Trap 6 error when starting Windows. Does it mean that some
opcodes in real mode are not simulated? How can I get the
instruction which is not simulated?

I tried fetch8(regs) in function trap of
xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
traps, and the HVM is reset immediately.

Thank you in advance

On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> Hi Z24, AL,
> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>
> I tried on a ThinkPad T60,
> /dev/sda1 -- windows
> /dev/sda2 -- Linux + Xen 3.1.0
>
> In the xen guest, the whole sda is mapped to virtual hda.
> disk = [ 'phy:/dev/sda, hda, w' ]
>
> I could see the grub menu in the xen guest, and could boot into Linux
> (you know, it re-enters the Linux), but when I select windows
> from the grub menu, it hangs after printing "chainloader +1".
> The xen dmesg shows:
> (XEN) HVM1: Trap (0x6) while in real mode
> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> (XEN) HVM1: trapno 6 errno 0
> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> (XEN) HVM1: uesp D7474 uss 2
> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM1:
> (XEN) HVM1: Halt called from %eip 0xD037
>
> tygrawy:
> I found you had the same issue months ago; have you found out the
> reason? Thank you very much.
>
> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>
> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> > On 8/2/07, Z24 <z24@gmx.net> wrote:
> > > On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> > >
> > > > thank you all,
> > > > looks like it's possible. it's great!
> > > >
> > > > Z24,
> > > > do you get the hardware issue Archie said? That's my concern too.
> > > > you know, windows may bluescreen if the hardware changes.
> > >
> > > Before booting the Windows domU I copied the current Windows HW
> > > Profile to a new HW Profile, then when I boot the domU I choose the
> > > new HW profile.
> > > The first time I booted the domU, Windows took some minutes more than
> > > usual to load, I suppose it was setting automatically the hardware
> > > drivers; the next time it booted only a little slower than when I boot
> > > it natively (due to virtualization).
> > >
> > thanks, I will have a try.
> >
> > > > and for your case, i think you could install another grub in the windows disk
> > >
> > > What do you mean?
> > > Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> > > Windows disk) and grub-install on /dev/hda without mapping?
> > yup, install grub on /dev/hda; it will not be used when you are not using
> > xen (i mean when you reboot your PC and choose windows from the grub
> > menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> > could be used to load the windows. Don't know if it really works,
> > haven't had a try yet.
> > >
> > > --
> > > Z24
> > > http://www.mycomputingart.com/
> > >
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-07 5:59 UTC
To: Brady Chen, Z24, AL.LINUX, tygrawy; +Cc: xen-devel

Could be something to do with virtual hard disk geometry. Are you running
latest xen-unstable? Was your OS installed with latest xen-unstable, or an
older version?

 -- Keir

On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:

> cc to xen-devel,
>
> Hi all,
> Has anyone seen this kind of error before?
> It's a Trap 6 error when starting Windows. Does it mean that some
> opcodes in real mode are not simulated? How can I get the
> instruction which is not simulated?
>
> I tried fetch8(regs) in function trap of
> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
> traps, and the HVM is reset immediately.
>
> Thank you in advance
>
> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>> Hi Z24, AL,
>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>>
>> I tried on a ThinkPad T60,
>> /dev/sda1 -- windows
>> /dev/sda2 -- Linux + Xen 3.1.0
>>
>> In the xen guest, the whole sda is mapped to virtual hda.
>> disk = [ 'phy:/dev/sda, hda, w' ]
>>
>> I could see the grub menu in the xen guest, and could boot into Linux
>> (you know, it re-enters the Linux), but when I select windows
>> from the grub menu, it hangs after printing "chainloader +1".
>> The xen dmesg shows:
>> (XEN) HVM1: Trap (0x6) while in real mode
>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
>> (XEN) HVM1: trapno 6 errno 0
>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
>> (XEN) HVM1: uesp D7474 uss 2
>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
>> (XEN) HVM1:
>> (XEN) HVM1: Halt called from %eip 0xD037
>>
>> tygrawy:
>> I found you had the same issue months ago; have you found out the
>> reason? Thank you very much.
>>
>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>>
>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
>>>>
>>>>> thank you all,
>>>>> looks like it's possible. it's great!
>>>>>
>>>>> Z24,
>>>>> do you get the hardware issue Archie said? That's my concern too.
>>>>> you know, windows may bluescreen if the hardware changes.
>>>>
>>>> Before booting the Windows domU I copied the current Windows HW
>>>> Profile to a new HW Profile, then when I boot the domU I choose the
>>>> new HW profile.
>>>> The first time I booted the domU, Windows took some minutes more than
>>>> usual to load, I suppose it was setting automatically the hardware
>>>> drivers; the next time it booted only a little slower than when I boot
>>>> it natively (due to virtualization).
>>>>
>>> thanks, I will have a try.
>>>
>>>>> and for your case, i think you could install another grub in the windows disk
>>>>
>>>> What do you mean?
>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
>>>> Windows disk) and grub-install on /dev/hda without mapping?
>>> yup, install grub on /dev/hda; it will not be used when you are not using
>>> xen (i mean when you reboot your PC and choose windows from the grub
>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
>>> could be used to load the windows. Don't know if it really works,
>>> haven't had a try yet.
>>>>
>>>> --
>>>> Z24
>>>> http://www.mycomputingart.com/
>>>>
>>>
>>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-07 6:06 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi Keir,

Thank you for your reply.
I'm using the official released version 3.1.0.
Actually I could boot Linux (/dev/sda2) in a Xen HVM guest,
but failed to boot Windows (/dev/sda1).

The Windows on sda1 was not installed in a Xen HVM guest; it was installed
in the native environment. I'm trying to boot that Windows as a Xen
guest. You know, it's a waste of time to reboot and change to Windows.


On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> Could be something to do with virtual hard disk geometry. Are you running
> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
> older version?
>
>  -- Keir
>
>
> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > cc to xen-devel,
> >
> > Hi all,
> > Has anyone seen this kind of error before?
> > It's a Trap 6 error when starting Windows. Does it mean that some
> > opcodes in real mode are not simulated? How can I get the
> > instruction which is not simulated?
> >
> > I tried fetch8(regs) in function trap of
> > xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
> > traps, and the HVM is reset immediately.
> >
> > Thank you in advance
> >
> > On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >> Hi Z24, AL,
> >> ccing tygrawy@gazeta,pl, for I found he got the same issue.
> >>
> >> I tried on a ThinkPad T60,
> >> /dev/sda1 -- windows
> >> /dev/sda2 -- Linux + Xen 3.1.0
> >>
> >> In the xen guest, the whole sda is mapped to virtual hda.
> >> disk = [ 'phy:/dev/sda, hda, w' ]
> >>
> >> I could see the grub menu in the xen guest, and could boot into Linux
> >> (you know, it re-enters the Linux), but when I select windows
> >> from the grub menu, it hangs after printing "chainloader +1".
> >> The xen dmesg shows:
> >> (XEN) HVM1: Trap (0x6) while in real mode
> >> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> >> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> >> (XEN) HVM1: trapno 6 errno 0
> >> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> >> (XEN) HVM1: uesp D7474 uss 2
> >> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> >> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> >> (XEN) HVM1:
> >> (XEN) HVM1: Halt called from %eip 0xD037
> >>
> >> tygrawy:
> >> I found you had the same issue months ago; have you found out the
> >> reason? Thank you very much.
> >>
> >> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
> >>
> >> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> >>> On 8/2/07, Z24 <z24@gmx.net> wrote:
> >>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> >>>>
> >>>>> thank you all,
> >>>>> looks like it's possible. it's great!
> >>>>>
> >>>>> Z24,
> >>>>> do you get the hardware issue Archie said? That's my concern too.
> >>>>> you know, windows may bluescreen if the hardware changes.
> >>>>
> >>>> Before booting the Windows domU I copied the current Windows HW
> >>>> Profile to a new HW Profile, then when I boot the domU I choose the
> >>>> new HW profile.
> >>>> The first time I booted the domU, Windows took some minutes more than
> >>>> usual to load, I suppose it was setting automatically the hardware
> >>>> drivers; the next time it booted only a little slower than when I boot
> >>>> it natively (due to virtualization).
> >>>>
> >>> thanks, I will have a try.
> >>>
> >>>>> and for your case, i think you could install another grub in the windows disk
> >>>>
> >>>> What do you mean?
> >>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> >>>> Windows disk) and grub-install on /dev/hda without mapping?
> >>> yup, install grub on /dev/hda; it will not be used when you are not using
> >>> xen (i mean when you reboot your PC and choose windows from the grub
> >>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> >>> could be used to load the windows. Don't know if it really works,
> >>> haven't had a try yet.
> >>>>
> >>>> --
> >>>> Z24
> >>>> http://www.mycomputingart.com/
> >>>>
> >>>
> >>
> >
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-07 6:32 UTC
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Try downloading http://xenbits.xensource.com/staging/xen-unstable.hg, and
build inside tools/firmware. Then use tools/firmware/hvmloader/hvmloader as
your HVM 'kernel' (what you specify as the 'kernel' in your HVM config
file).

If that doesn't help, then track down the crashing %cs:%eip inside vmxassist
(objdump -d tools/firmware/vmxassist/vmxassist) and we'll see if that shows
up anything interesting.

 -- Keir

On 7/8/07 07:06, "Brady Chen" <chenchp@gmail.com> wrote:

> Hi Keir,
>
> Thank you for your reply.
> I'm using the official released version 3.1.0.
> Actually I could boot Linux (/dev/sda2) in a Xen HVM guest,
> but failed to boot Windows (/dev/sda1).
>
> The Windows on sda1 was not installed in a Xen HVM guest; it was installed
> in the native environment. I'm trying to boot that Windows as a Xen
> guest. You know, it's a waste of time to reboot and change to Windows.
>
>
> On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
>> Could be something to do with virtual hard disk geometry. Are you running
>> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
>> older version?
>>
>>  -- Keir
>>
>>
>> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> cc to xen-devel,
>>>
>>> Hi all,
>>> Has anyone seen this kind of error before?
>>> It's a Trap 6 error when starting Windows. Does it mean that some
>>> opcodes in real mode are not simulated? How can I get the
>>> instruction which is not simulated?
>>>
>>> I tried fetch8(regs) in function trap of
>>> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
>>> traps, and the HVM is reset immediately.
>>>
>>> Thank you in advance
>>>
>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>> Hi Z24, AL,
>>>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>>>>
>>>> I tried on a ThinkPad T60,
>>>> /dev/sda1 -- windows
>>>> /dev/sda2 -- Linux + Xen 3.1.0
>>>>
>>>> In the xen guest, the whole sda is mapped to virtual hda.
>>>> disk = [ 'phy:/dev/sda, hda, w' ]
>>>>
>>>> I could see the grub menu in the xen guest, and could boot into Linux
>>>> (you know, it re-enters the Linux), but when I select windows
>>>> from the grub menu, it hangs after printing "chainloader +1".
>>>> The xen dmesg shows:
>>>> (XEN) HVM1: Trap (0x6) while in real mode
>>>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
>>>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
>>>> (XEN) HVM1: trapno 6 errno 0
>>>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
>>>> (XEN) HVM1: uesp D7474 uss 2
>>>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
>>>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM1:
>>>> (XEN) HVM1: Halt called from %eip 0xD037
>>>>
>>>> tygrawy:
>>>> I found you had the same issue months ago; have you found out the
>>>> reason? Thank you very much.
>>>>
>>>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>>>>
>>>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
>>>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
>>>>>>
>>>>>>> thank you all,
>>>>>>> looks like it's possible. it's great!
>>>>>>>
>>>>>>> Z24,
>>>>>>> do you get the hardware issue Archie said? That's my concern too.
>>>>>>> you know, windows may bluescreen if the hardware changes.
>>>>>>
>>>>>> Before booting the Windows domU I copied the current Windows HW
>>>>>> Profile to a new HW Profile, then when I boot the domU I choose the
>>>>>> new HW profile.
>>>>>> The first time I booted the domU, Windows took some minutes more than
>>>>>> usual to load, I suppose it was setting automatically the hardware
>>>>>> drivers; the next time it booted only a little slower than when I boot
>>>>>> it natively (due to virtualization).
>>>>>>
>>>>> thanks, I will have a try.
>>>>>
>>>>>>> and for your case, i think you could install another grub in the windows disk
>>>>>>
>>>>>> What do you mean?
>>>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
>>>>>> Windows disk) and grub-install on /dev/hda without mapping?
>>>>> yup, install grub on /dev/hda; it will not be used when you are not using
>>>>> xen (i mean when you reboot your PC and choose windows from the grub
>>>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
>>>>> could be used to load the windows. Don't know if it really works,
>>>>> haven't had a try yet.
>>>>>>
>>>>>> --
>>>>>> Z24
>>>>>> http://www.mycomputingart.com/
>>>>>>
>>>>>
>>>>
>>>
>>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-07 7:58 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Keir, thank you very much.

Now I'm using the unstable version to build hvmloader (only hvmloader
is rebuilt; xen and the domain0 kernel are not touched), and I get the
same problem.

(XEN) HVM1: Trap (0x6) while in real mode
(XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
(XEN) HVM1: trapno 6 errno 0
(XEN) HVM1: eip D0800 cs 10 eflags 13046
(XEN) HVM1: uesp D75B4 uss 2
(XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
(XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM1:
(XEN) HVM1: Halt called from %eip 0xD037C

Here is a snip from objdump, and I attach the whole objdump as the attachment.

000d0360 <common_trap>:
   d0360:       60                      pusha
   d0361:       b8 18 00 00 00          mov    $0x18,%eax
   d0366:       8e d8                   mov    %eax,%ds
   d0368:       8e c0                   mov    %eax,%es
   d036a:       8e e0                   mov    %eax,%fs
   d036c:       8e e8                   mov    %eax,%gs
   d036e:       89 e5                   mov    %esp,%ebp
   d0370:       55                      push   %ebp
   d0371:       ff 75 24                pushl  0x24(%ebp)
   d0374:       ff 75 20                pushl  0x20(%ebp)
   d0377:       e8 d4 2a 00 00          call   d2e50 <trap>
   d037c:       83 c4 0c                add    $0xc,%esp

000d037f <trap_return>:
   d037f:       61                      popa
   d0380:       83 c4 08                add    $0x8,%esp
   d0383:       cf                      iret
   d0384:       8d b6 00 00 00 00       lea    0x0(%esi),%esi
   d038a:       8d bf 00 00 00 00       lea    0x0(%edi),%edi

On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> Try downloading http://xenbits.xensource.com/staging/xen-unstable.hg, and
> build inside tools/firmware. Then use tools/firmware/hvmloader/hvmloader as
> your HVM 'kernel' (what you specify as the 'kernel' in your HVM config
> file).
>
> If that doesn't help, then track down the crashing %cs:%eip inside vmxassist
> (objdump -d tools/firmware/vmxassist/vmxassist) and we'll see if that shows
> up anything interesting.
>
>  -- Keir
>
> On 7/8/07 07:06, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> >
> > Thank you for your reply.
> > I'm using the official released version 3.1.0.
> > Actually I could boot Linux (/dev/sda2) in a Xen HVM guest,
> > but failed to boot Windows (/dev/sda1).
> >
> > The Windows on sda1 was not installed in a Xen HVM guest; it was installed
> > in the native environment. I'm trying to boot that Windows as a Xen
> > guest. You know, it's a waste of time to reboot and change to Windows.
> >
> >
> > On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> >> Could be something to do with virtual hard disk geometry. Are you running
> >> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
> >> older version?
> >>
> >>  -- Keir
> >>
> >>
> >> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> cc to xen-devel,
> >>>
> >>> Hi all,
> >>> Has anyone seen this kind of error before?
> >>> It's a Trap 6 error when starting Windows. Does it mean that some
> >>> opcodes in real mode are not simulated? How can I get the
> >>> instruction which is not simulated?
> >>>
> >>> I tried fetch8(regs) in function trap of
> >>> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
> >>> traps, and the HVM is reset immediately.
> >>>
> >>> Thank you in advance
> >>>
> >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>> Hi Z24, AL,
> >>>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
> >>>>
> >>>> I tried on a ThinkPad T60,
> >>>> /dev/sda1 -- windows
> >>>> /dev/sda2 -- Linux + Xen 3.1.0
> >>>>
> >>>> In the xen guest, the whole sda is mapped to virtual hda.
> >>>> disk = [ 'phy:/dev/sda, hda, w' ]
> >>>>
> >>>> I could see the grub menu in the xen guest, and could boot into Linux
> >>>> (you know, it re-enters the Linux), but when I select windows
> >>>> from the grub menu, it hangs after printing "chainloader +1".
> >>>> The xen dmesg shows:
> >>>> (XEN) HVM1: Trap (0x6) while in real mode
> >>>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> >>>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> >>>> (XEN) HVM1: trapno 6 errno 0
> >>>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> >>>> (XEN) HVM1: uesp D7474 uss 2
> >>>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> >>>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM1:
> >>>> (XEN) HVM1: Halt called from %eip 0xD037
> >>>>
> >>>> tygrawy:
> >>>> I found you had the same issue months ago; have you found out the
> >>>> reason? Thank you very much.
> >>>>
> >>>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
> >>>>
> >>>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
> >>>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> >>>>>>
> >>>>>>> thank you all,
> >>>>>>> looks like it's possible. it's great!
> >>>>>>>
> >>>>>>> Z24,
> >>>>>>> do you get the hardware issue Archie said? That's my concern too.
> >>>>>>> you know, windows may bluescreen if the hardware changes.
> >>>>>>
> >>>>>> Before booting the Windows domU I copied the current Windows HW
> >>>>>> Profile to a new HW Profile, then when I boot the domU I choose the
> >>>>>> new HW profile.
> >>>>>> The first time I booted the domU, Windows took some minutes more than
> >>>>>> usual to load, I suppose it was setting automatically the hardware
> >>>>>> drivers; the next time it booted only a little slower than when I boot
> >>>>>> it natively (due to virtualization).
> >>>>>>
> >>>>> thanks, I will have a try.
> >>>>>
> >>>>>>> and for your case, i think you could install another grub in the windows disk
> >>>>>>
> >>>>>> What do you mean?
> >>>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> >>>>>> Windows disk) and grub-install on /dev/hda without mapping?
> >>>>> yup, install grub on /dev/hda; it will not be used when you are not using
> >>>>> xen (i mean when you reboot your PC and choose windows from the grub
> >>>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> >>>>> could be used to load the windows. Don't know if it really works,
> >>>>> haven't had a try yet.
> >>>>>>
> >>>>>> --
> >>>>>> Z24
> >>>>>> http://www.mycomputingart.com/
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
>

[-- Attachment #2: vmxassist.objdump --]
[-- Type: application/octet-stream, Size: 289767 bytes --]
d0520: a8 01 test $0x1,%al d0522: 0f 85 c7 00 00 00 jne d05ef <guest_linear_to_phys+0x1ef> d0528: 89 f0 mov %esi,%eax d052a: 31 d2 xor %edx,%edx d052c: 25 00 f0 ff ff and $0xfffff000,%eax d0531: 89 45 e8 mov %eax,0xffffffe8(%ebp) d0534: 8b 45 dc mov 0xffffffdc(%ebp),%eax d0537: 31 ff xor %edi,%edi d0539: 89 55 ec mov %edx,0xffffffec(%ebp) d053c: 8b 55 e8 mov 0xffffffe8(%ebp),%edx d053f: c1 e8 0c shr $0xc,%eax d0542: 25 ff 03 00 00 and $0x3ff,%eax d0547: 8b 34 82 mov (%edx,%eax,4),%esi d054a: 89 7d e4 mov %edi,0xffffffe4(%ebp) d054d: 89 f0 mov %esi,%eax d054f: 83 f0 01 xor $0x1,%eax d0552: 89 75 e0 mov %esi,0xffffffe0(%ebp) d0555: a8 01 test $0x1,%al d0557: 0f 85 71 01 00 00 jne d06ce <guest_linear_to_phys+0x2ce> d055d: 8b 4d dc mov 0xffffffdc(%ebp),%ecx d0560: 89 f0 mov %esi,%eax d0562: 31 d2 xor %edx,%edx d0564: 89 55 e4 mov %edx,0xffffffe4(%ebp) d0567: 25 00 f0 ff ff and $0xfffff000,%eax d056c: 89 d7 mov %edx,%edi d056e: 89 45 e0 mov %eax,0xffffffe0(%ebp) d0571: 89 c6 mov %eax,%esi d0573: 89 c8 mov %ecx,%eax d0575: 25 ff 0f 00 00 and $0xfff,%eax d057a: e9 5f ff ff ff jmp d04de <guest_linear_to_phys+0xde> d057f: 89 fb mov %edi,%ebx d0581: 89 f1 mov %esi,%ecx d0583: 83 e3 0f and $0xf,%ebx d0586: 89 5d ec mov %ebx,0xffffffec(%ebp) d0589: 89 da mov %ebx,%edx d058b: 81 e1 00 f0 ff ff and $0xfffff000,%ecx d0591: 89 4d e8 mov %ecx,0xffffffe8(%ebp) d0594: 83 e2 0f and $0xf,%edx d0597: 31 c0 xor %eax,%eax d0599: 89 d1 mov %edx,%ecx d059b: 09 c1 or %eax,%ecx d059d: 75 72 jne d0611 <guest_linear_to_phys+0x211> d059f: 8b 45 dc mov 0xffffffdc(%ebp),%eax d05a2: 8b 55 e8 mov 0xffffffe8(%ebp),%edx d05a5: c1 e8 0c shr $0xc,%eax d05a8: 25 ff 01 00 00 and $0x1ff,%eax d05ad: 8b 34 c2 mov (%edx,%eax,8),%esi d05b0: 8b 7c c2 04 mov 0x4(%edx,%eax,8),%edi d05b4: 89 75 e0 mov %esi,0xffffffe0(%ebp) d05b7: 89 7d e4 mov %edi,0xffffffe4(%ebp) d05ba: 89 f0 mov %esi,%eax d05bc: 83 f0 01 xor $0x1,%eax d05bf: a8 01 test $0x1,%al d05c1: 0f 85 1b 01 00 00 jne d06e2 <guest_linear_to_phys+0x2e2> 
d05c7: 89 f0 mov %esi,%eax d05c9: 8b 75 dc mov 0xffffffdc(%ebp),%esi d05cc: 89 fa mov %edi,%edx d05ce: 25 00 f0 ff ff and $0xfffff000,%eax d05d3: 83 e2 0f and $0xf,%edx d05d6: 31 db xor %ebx,%ebx d05d8: 89 45 e0 mov %eax,0xffffffe0(%ebp) d05db: 89 f1 mov %esi,%ecx d05dd: 81 e1 ff 0f 00 00 and $0xfff,%ecx d05e3: 89 55 e4 mov %edx,0xffffffe4(%ebp) d05e6: 01 c1 add %eax,%ecx d05e8: 11 d3 adc %edx,%ebx d05ea: e9 37 fe ff ff jmp d0426 <guest_linear_to_phys+0x26> d05ef: 8b 4d dc mov 0xffffffdc(%ebp),%ecx d05f2: 89 f0 mov %esi,%eax d05f4: 31 d2 xor %edx,%edx d05f6: 89 55 e4 mov %edx,0xffffffe4(%ebp) d05f9: 25 00 00 c0 ff and $0xffc00000,%eax d05fe: 89 d7 mov %edx,%edi d0600: 89 45 e0 mov %eax,0xffffffe0(%ebp) d0603: 89 c6 mov %eax,%esi d0605: 89 c8 mov %ecx,%eax d0607: 25 ff ff 3f 00 and $0x3fffff,%eax d060c: e9 cd fe ff ff jmp d04de <guest_linear_to_phys+0xde> d0611: c7 04 24 ad 4a 0d 00 movl $0xd4aad,(%esp) d0618: e8 b3 33 00 00 call d39d0 <printf> d061d: 8d 45 e0 lea 0xffffffe0(%ebp),%eax d0620: 31 d2 xor %edx,%edx d0622: 89 44 24 08 mov %eax,0x8(%esp) d0626: 8b 45 dc mov 0xffffffdc(%ebp),%eax d0629: c1 e8 09 shr $0x9,%eax d062c: 25 f8 0f 00 00 and $0xff8,%eax d0631: 03 45 e8 add 0xffffffe8(%ebp),%eax d0634: 13 55 ec adc 0xffffffec(%ebp),%edx d0637: 89 04 24 mov %eax,(%esp) d063a: 89 54 24 04 mov %edx,0x4(%esp) d063e: e8 ed 2f 00 00 call d3630 <cpuid_addr_value> d0643: 8b 75 e0 mov 0xffffffe0(%ebp),%esi d0646: 8b 7d e4 mov 0xffffffe4(%ebp),%edi d0649: e9 6c ff ff ff jmp d05ba <guest_linear_to_phys+0x1ba> d064e: c7 04 24 bf 4a 0d 00 movl $0xd4abf,(%esp) d0655: e8 26 33 00 00 call d3980 <panic> d065a: 8b 0d d4 97 0d 00 mov 0xd97d4,%ecx d0660: 8b 75 e8 mov 0xffffffe8(%ebp),%esi d0663: 8b 7d ec mov 0xffffffec(%ebp),%edi d0666: e9 aa fe ff ff jmp d0515 <guest_linear_to_phys+0x115> d066b: c7 04 24 bf 4a 0d 00 movl $0xd4abf,(%esp) d0672: e8 09 33 00 00 call d3980 <panic> d0677: 8b 75 e8 mov 0xffffffe8(%ebp),%esi d067a: 8b 7d ec mov 0xffffffec(%ebp),%edi d067d: e9 2c fe ff ff 
jmp d04ae <guest_linear_to_phys+0xae> d0682: c7 04 24 d5 4a 0d 00 movl $0xd4ad5,(%esp) d0689: e8 42 33 00 00 call d39d0 <printf> d068e: 8d 45 e8 lea 0xffffffe8(%ebp),%eax d0691: 31 d2 xor %edx,%edx d0693: 89 44 24 08 mov %eax,0x8(%esp) d0697: 8b 45 dc mov 0xffffffdc(%ebp),%eax d069a: c1 e8 12 shr $0x12,%eax d069d: 25 f8 0f 00 00 and $0xff8,%eax d06a2: 01 f0 add %esi,%eax d06a4: 11 fa adc %edi,%edx d06a6: 89 04 24 mov %eax,(%esp) d06a9: 89 54 24 04 mov %edx,0x4(%esp) d06ad: e8 7e 2f 00 00 call d3630 <cpuid_addr_value> d06b2: 8b 75 e8 mov 0xffffffe8(%ebp),%esi d06b5: 8b 7d ec mov 0xffffffec(%ebp),%edi d06b8: e9 e4 fd ff ff jmp d04a1 <guest_linear_to_phys+0xa1> d06bd: c7 04 24 e7 4a 0d 00 movl $0xd4ae7,(%esp) d06c4: e8 b7 32 00 00 call d3980 <panic> d06c9: e9 99 fd ff ff jmp d0467 <guest_linear_to_phys+0x67> d06ce: c7 04 24 fd 4a 0d 00 movl $0xd4afd,(%esp) d06d5: e8 a6 32 00 00 call d3980 <panic> d06da: 8b 75 e0 mov 0xffffffe0(%ebp),%esi d06dd: e9 7b fe ff ff jmp d055d <guest_linear_to_phys+0x15d> d06e2: c7 04 24 fd 4a 0d 00 movl $0xd4afd,(%esp) d06e9: e8 92 32 00 00 call d3980 <panic> d06ee: 8b 75 e0 mov 0xffffffe0(%ebp),%esi d06f1: 8b 7d e4 mov 0xffffffe4(%ebp),%edi d06f4: e9 ce fe ff ff jmp d05c7 <guest_linear_to_phys+0x1c7> d06f9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi 000d0700 <address>: d0700: 55 push %ebp d0701: 89 e5 mov %esp,%ebp d0703: 83 ec 38 sub $0x38,%esp d0706: 89 5d f4 mov %ebx,0xfffffff4(%ebp) d0709: 85 d2 test %edx,%edx d070b: 89 c3 mov %eax,%ebx d070d: 89 7d fc mov %edi,0xfffffffc(%ebp) d0710: 89 d7 mov %edx,%edi d0712: 89 75 f8 mov %esi,0xfffffff8(%ebp) d0715: 75 29 jne d0740 <address+0x40> d0717: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604 d071e: 8b 45 08 mov 0x8(%ebp),%eax d0721: 77 0d ja d0730 <address+0x30> d0723: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0726: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0729: 8b 7d fc mov 0xfffffffc(%ebp),%edi d072c: 89 ec mov %ebp,%esp d072e: 5d pop %ebp d072f: c3 ret d0730: c7 04 24 5c 4e 0d 00 movl $0xd4e5c,(%esp) d0737: e8 
44 32 00 00 call d3980 <panic> d073c: 8d 74 26 00 lea 0x0(%esi),%esi d0740: a1 04 76 0d 00 mov 0xd7604,%eax d0745: 85 c0 test %eax,%eax d0747: 0f 84 a7 00 00 00 je d07f4 <address+0xf4> d074d: 39 3d e0 97 0d 00 cmp %edi,0xd97e0 d0753: 0f 82 9b 00 00 00 jb d07f4 <address+0xf4> d0759: 48 dec %eax d075a: 75 0a jne d0766 <address+0x66> d075c: 39 7b 2c cmp %edi,0x2c(%ebx) d075f: 90 nop d0760: 0f 84 8e 00 00 00 je d07f4 <address+0xf4> d0766: a1 e4 97 0d 00 mov 0xd97e4,%eax d076b: e8 90 fc ff ff call d0400 <guest_linear_to_phys> d0770: 89 45 e0 mov %eax,0xffffffe0(%ebp) d0773: 89 c3 mov %eax,%ebx d0775: 89 d6 mov %edx,%esi d0777: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d077a: 31 d2 xor %edx,%edx d077c: 89 d1 mov %edx,%ecx d077e: 31 f1 xor %esi,%ecx d0780: 31 d8 xor %ebx,%eax d0782: 09 c1 or %eax,%ecx d0784: 0f 85 c4 00 00 00 jne d084e <address+0x14e> d078a: 8b 55 e0 mov 0xffffffe0(%ebp),%edx d078d: 89 f8 mov %edi,%eax d078f: 83 e0 f8 and $0xfffffff8,%eax d0792: 8b 0c 10 mov (%eax,%edx,1),%ecx d0795: 8b 5c 10 04 mov 0x4(%eax,%edx,1),%ebx d0799: 89 4d e8 mov %ecx,0xffffffe8(%ebp) d079c: 89 5d ec mov %ebx,0xffffffec(%ebp) d079f: 0f ac d9 10 shrd $0x10,%ebx,%ecx d07a3: 8b 45 e8 mov 0xffffffe8(%ebp),%eax d07a6: 89 de mov %ebx,%esi d07a8: 81 e6 00 00 00 ff and $0xff000000,%esi d07ae: 89 da mov %ebx,%edx d07b0: 89 45 e4 mov %eax,0xffffffe4(%ebp) d07b3: 89 c8 mov %ecx,%eax d07b5: 25 ff ff ff 00 and $0xffffff,%eax d07ba: 09 c6 or %eax,%esi d07bc: 0f b7 45 e4 movzwl 0xffffffe4(%ebp),%eax d07c0: 89 d9 mov %ebx,%ecx d07c2: 81 e1 00 00 0f 00 and $0xf0000,%ecx d07c8: 09 c1 or %eax,%ecx d07ca: f7 c3 00 80 00 00 test $0x8000,%ebx d07d0: 74 4a je d081c <address+0x11c> d07d2: c1 eb 17 shr $0x17,%ebx d07d5: f6 c3 01 test $0x1,%bl d07d8: 75 36 jne d0810 <address+0x110> d07da: 83 f3 01 xor $0x1,%ebx d07dd: 31 c0 xor %eax,%eax d07df: 39 4d 08 cmp %ecx,0x8(%ebp) d07e2: 0f 96 c0 setbe %al d07e5: 85 d8 test %ebx,%eax d07e7: 74 33 je d081c <address+0x11c> d07e9: 8b 55 08 mov 0x8(%ebp),%edx d07ec: 8d 04 
16 lea (%esi,%edx,1),%eax d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> d07f4: 8b 55 08 mov 0x8(%ebp),%edx d07f7: 89 f8 mov %edi,%eax d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d07ff: 25 ff ff 00 00 and $0xffff,%eax d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0807: 89 ec mov %ebp,%esp d0809: c1 e0 04 shl $0x4,%eax d080c: 01 d0 add %edx,%eax d080e: 5d pop %ebp d080f: c3 ret d0810: 8b 45 08 mov 0x8(%ebp),%eax d0813: c1 e8 0c shr $0xc,%eax d0816: 39 c8 cmp %ecx,%eax d0818: 76 cf jbe d07e9 <address+0xe9> d081a: eb be jmp d07da <address+0xda> d081c: 8b 45 08 mov 0x8(%ebp),%eax d081f: 89 7c 24 10 mov %edi,0x10(%esp) d0823: 89 44 24 14 mov %eax,0x14(%esp) d0827: a1 04 76 0d 00 mov 0xd7604,%eax d082c: 89 44 24 0c mov %eax,0xc(%esp) d0830: 8b 45 e4 mov 0xffffffe4(%ebp),%eax d0833: 89 54 24 04 mov %edx,0x4(%esp) d0837: c7 04 24 84 4e 0d 00 movl $0xd4e84,(%esp) d083e: 89 44 24 08 mov %eax,0x8(%esp) d0842: e8 39 31 00 00 call d3980 <panic> d0847: 31 c0 xor %eax,%eax d0849: e9 d5 fe ff ff jmp d0723 <address+0x23> d084e: c7 04 24 13 4b 0d 00 movl $0xd4b13,(%esp) d0855: e8 76 31 00 00 call d39d0 <printf> d085a: 8d 45 e8 lea 0xffffffe8(%ebp),%eax d085d: 31 d2 xor %edx,%edx d085f: 89 44 24 08 mov %eax,0x8(%esp) d0863: 89 f8 mov %edi,%eax d0865: 83 e0 f8 and $0xfffffff8,%eax d0868: 01 d8 add %ebx,%eax d086a: 11 f2 adc %esi,%edx d086c: 89 04 24 mov %eax,(%esp) d086f: 89 54 24 04 mov %edx,0x4(%esp) d0873: e8 b8 2d 00 00 call d3630 <cpuid_addr_value> d0878: 8b 4d e8 mov 0xffffffe8(%ebp),%ecx d087b: 8b 5d ec mov 0xffffffec(%ebp),%ebx d087e: e9 1c ff ff ff jmp d079f <address+0x9f> d0883: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d0889: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d0890 <trace>: d0890: 55 push %ebp d0891: 89 e5 mov %esp,%ebp d0893: 83 ec 28 sub $0x28,%esp d0896: 89 75 f8 mov %esi,0xfffffff8(%ebp) d0899: 8b 75 08 mov 0x8(%ebp),%esi d089c: 8b 4d 0c mov 0xc(%ebp),%ecx d089f: 89 7d fc mov %edi,0xfffffffc(%ebp) d08a2: 8b 7d 10 mov 
0x10(%ebp),%edi d08a5: 89 5d f4 mov %ebx,0xfffffff4(%ebp) d08a8: 8b 5e 28 mov 0x28(%esi),%ebx d08ab: 8b 15 00 76 0d 00 mov 0xd7600,%edx d08b1: 29 cb sub %ecx,%ebx d08b3: 8b 0d 04 76 0d 00 mov 0xd7604,%ecx d08b9: 89 d0 mov %edx,%eax d08bb: d3 f8 sar %cl,%eax d08bd: a8 01 test $0x1,%al d08bf: 74 09 je d08ca <trace+0x3a> d08c1: 83 f9 01 cmp $0x1,%ecx d08c4: 0f 86 86 00 00 00 jbe d0950 <trace+0xc0> d08ca: d3 fa sar %cl,%edx d08cc: f6 c2 01 test $0x1,%dl d08cf: 74 08 je d08d9 <trace+0x49> d08d1: 8d 41 fe lea 0xfffffffe(%ecx),%eax d08d4: 83 f8 01 cmp $0x1,%eax d08d7: 76 0d jbe d08e6 <trace+0x56> d08d9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d08dc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d08df: 8b 7d fc mov 0xfffffffc(%ebp),%edi d08e2: 89 ec mov %ebp,%esp d08e4: 5d pop %ebp d08e5: c3 ret d08e6: 8b 56 2c mov 0x2c(%esi),%edx d08e9: 89 f0 mov %esi,%eax d08eb: 89 1c 24 mov %ebx,(%esp) d08ee: e8 0d fe ff ff call d0700 <address> d08f3: 89 5c 24 0c mov %ebx,0xc(%esp) d08f7: 8b 56 2c mov 0x2c(%esi),%edx d08fa: 89 44 24 04 mov %eax,0x4(%esp) d08fe: c7 04 24 2e 4b 0d 00 movl $0xd4b2e,(%esp) d0905: 89 54 24 08 mov %edx,0x8(%esp) d0909: e8 c2 30 00 00 call d39d0 <printf> d090e: a1 04 76 0d 00 mov 0xd7604,%eax d0913: c7 04 24 43 4b 0d 00 movl $0xd4b43,(%esp) d091a: 89 44 24 04 mov %eax,0x4(%esp) d091e: e8 ad 30 00 00 call d39d0 <printf> d0923: 89 3c 24 mov %edi,(%esp) d0926: 8d 45 14 lea 0x14(%ebp),%eax d0929: 89 44 24 04 mov %eax,0x4(%esp) d092d: e8 7e 30 00 00 call d39b0 <vprintf> d0932: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp) d0939: e8 92 30 00 00 call d39d0 <printf> d093e: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0941: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0944: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0947: 89 ec mov %ebp,%esp d0949: 5d pop %ebp d094a: c3 ret d094b: 90 nop d094c: 8d 74 26 00 lea 0x0(%esi),%esi d0950: 8b 56 2c mov 0x2c(%esi),%edx d0953: 89 f0 mov %esi,%eax d0955: 89 1c 24 mov %ebx,(%esp) d0958: e8 a3 fd ff ff call d0700 <address> d095d: 89 5c 24 0c mov %ebx,0xc(%esp) d0961: 8b 56 2c 
mov 0x2c(%esi),%edx d0964: 89 44 24 04 mov %eax,0x4(%esp) d0968: c7 04 24 49 4b 0d 00 movl $0xd4b49,(%esp) d096f: 89 54 24 08 mov %edx,0x8(%esp) d0973: e8 58 30 00 00 call d39d0 <printf> d0978: a1 04 76 0d 00 mov 0xd7604,%eax d097d: c7 04 24 43 4b 0d 00 movl $0xd4b43,(%esp) d0984: 89 44 24 04 mov %eax,0x4(%esp) d0988: e8 43 30 00 00 call d39d0 <printf> d098d: 89 3c 24 mov %edi,(%esp) d0990: 8d 45 14 lea 0x14(%ebp),%eax d0993: 89 44 24 04 mov %eax,0x4(%esp) d0997: e8 14 30 00 00 call d39b0 <vprintf> d099c: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp) d09a3: e8 28 30 00 00 call d39d0 <printf> d09a8: 8b 15 00 76 0d 00 mov 0xd7600,%edx d09ae: 8b 0d 04 76 0d 00 mov 0xd7604,%ecx d09b4: e9 11 ff ff ff jmp d08ca <trace+0x3a> d09b9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi 000d09c0 <getreg32>: d09c0: 55 push %ebp d09c1: 83 e2 07 and $0x7,%edx d09c4: 83 fa 07 cmp $0x7,%edx d09c7: 89 e5 mov %esp,%ebp d09c9: b9 ff ff ff ff mov $0xffffffff,%ecx d09ce: 77 09 ja d09d9 <getreg32+0x19> d09d0: ff 24 95 58 44 0d 00 jmp *0xd4458(,%edx,4) d09d7: 8b 08 mov (%eax),%ecx d09d9: 5d pop %ebp d09da: 89 c8 mov %ecx,%eax d09dc: c3 ret d09dd: 8d 76 00 lea 0x0(%esi),%esi d09e0: 5d pop %ebp d09e1: 8b 48 1c mov 0x1c(%eax),%ecx d09e4: 89 c8 mov %ecx,%eax d09e6: c3 ret d09e7: 5d pop %ebp d09e8: 8b 48 18 mov 0x18(%eax),%ecx d09eb: 89 c8 mov %ecx,%eax d09ed: c3 ret d09ee: 89 f6 mov %esi,%esi d09f0: 5d pop %ebp d09f1: 8b 48 14 mov 0x14(%eax),%ecx d09f4: 89 c8 mov %ecx,%eax d09f6: c3 ret d09f7: 5d pop %ebp d09f8: 8b 48 10 mov 0x10(%eax),%ecx d09fb: 89 c8 mov %ecx,%eax d09fd: c3 ret d09fe: 89 f6 mov %esi,%esi d0a00: 5d pop %ebp d0a01: 8b 48 34 mov 0x34(%eax),%ecx d0a04: 89 c8 mov %ecx,%eax d0a06: c3 ret d0a07: 5d pop %ebp d0a08: 8b 48 08 mov 0x8(%eax),%ecx d0a0b: 89 c8 mov %ecx,%eax d0a0d: c3 ret d0a0e: 89 f6 mov %esi,%esi d0a10: 5d pop %ebp d0a11: 8b 48 04 mov 0x4(%eax),%ecx d0a14: 89 c8 mov %ecx,%eax d0a16: c3 ret d0a17: 89 f6 mov %esi,%esi d0a19: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d0a20 <getreg16>: 
d0a20: 55 push %ebp d0a21: 89 e5 mov %esp,%ebp d0a23: e8 98 ff ff ff call d09c0 <getreg32> d0a28: 5d pop %ebp d0a29: 25 ff ff 00 00 and $0xffff,%eax d0a2e: c3 ret d0a2f: 90 nop 000d0a30 <setreg32>: d0a30: 55 push %ebp d0a31: 83 e2 07 and $0x7,%edx d0a34: 89 e5 mov %esp,%ebp d0a36: 83 fa 07 cmp $0x7,%edx d0a39: 8b 4d 08 mov 0x8(%ebp),%ecx d0a3c: 77 12 ja d0a50 <setreg32+0x20> d0a3e: ff 24 95 78 44 0d 00 jmp *0xd4478(,%edx,4) d0a45: 89 08 mov %ecx,(%eax) d0a47: 89 f6 mov %esi,%esi d0a49: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi d0a50: 5d pop %ebp d0a51: c3 ret d0a52: 5d pop %ebp d0a53: 89 48 1c mov %ecx,0x1c(%eax) d0a56: c3 ret d0a57: 5d pop %ebp d0a58: 89 48 18 mov %ecx,0x18(%eax) d0a5b: c3 ret d0a5c: 5d pop %ebp d0a5d: 89 48 14 mov %ecx,0x14(%eax) d0a60: c3 ret d0a61: 5d pop %ebp d0a62: 89 48 10 mov %ecx,0x10(%eax) d0a65: c3 ret d0a66: 5d pop %ebp d0a67: 89 48 34 mov %ecx,0x34(%eax) d0a6a: c3 ret d0a6b: 5d pop %ebp d0a6c: 89 48 08 mov %ecx,0x8(%eax) d0a6f: 90 nop d0a70: c3 ret d0a71: 5d pop %ebp d0a72: 89 48 04 mov %ecx,0x4(%eax) d0a75: c3 ret d0a76: 8d 76 00 lea 0x0(%esi),%esi d0a79: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d0a80 <setreg16>: d0a80: 55 push %ebp d0a81: 89 e5 mov %esp,%ebp d0a83: 83 ec 0c sub $0xc,%esp d0a86: 89 5d f8 mov %ebx,0xfffffff8(%ebp) d0a89: 89 d3 mov %edx,%ebx d0a8b: 89 75 fc mov %esi,0xfffffffc(%ebp) d0a8e: 89 c6 mov %eax,%esi d0a90: e8 2b ff ff ff call d09c0 <getreg32> d0a95: 0f b7 55 08 movzwl 0x8(%ebp),%edx d0a99: 25 00 00 ff ff and $0xffff0000,%eax d0a9e: 09 c2 or %eax,%edx d0aa0: 89 55 08 mov %edx,0x8(%ebp) d0aa3: 89 f0 mov %esi,%eax d0aa5: 89 da mov %ebx,%edx d0aa7: 8b 75 fc mov 0xfffffffc(%ebp),%esi d0aaa: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx d0aad: 89 ec mov %ebp,%esp d0aaf: 5d pop %ebp d0ab0: e9 7b ff ff ff jmp d0a30 <setreg32> d0ab5: 8d 74 26 00 lea 0x0(%esi),%esi d0ab9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d0ac0 <segment>: d0ac0: 55 push %ebp d0ac1: 89 c1 mov %eax,%ecx d0ac3: 89 e5 mov %esp,%ebp d0ac5: f6 c1 10 test 
$0x10,%cl d0ac8: 8b 45 08 mov 0x8(%ebp),%eax d0acb: 74 03 je d0ad0 <segment+0x10> d0acd: 8b 42 3c mov 0x3c(%edx),%eax d0ad0: f6 c1 08 test $0x8,%cl d0ad3: 74 03 je d0ad8 <segment+0x18> d0ad5: 8b 42 40 mov 0x40(%edx),%eax d0ad8: f6 c1 04 test $0x4,%cl d0adb: 74 03 je d0ae0 <segment+0x20> d0add: 8b 42 2c mov 0x2c(%edx),%eax d0ae0: f6 c1 20 test $0x20,%cl d0ae3: 74 03 je d0ae8 <segment+0x28> d0ae5: 8b 42 38 mov 0x38(%edx),%eax d0ae8: f6 c1 40 test $0x40,%cl d0aeb: 74 03 je d0af0 <segment+0x30> d0aed: 8b 42 44 mov 0x44(%edx),%eax d0af0: 81 e1 80 00 00 00 and $0x80,%ecx d0af6: 74 03 je d0afb <segment+0x3b> d0af8: 8b 42 48 mov 0x48(%edx),%eax d0afb: 5d pop %ebp d0afc: c3 ret d0afd: 8d 76 00 lea 0x0(%esi),%esi 000d0b00 <sib>: d0b00: 55 push %ebp d0b01: 89 e5 mov %esp,%ebp d0b03: 83 ec 18 sub $0x18,%esp d0b06: 89 75 f8 mov %esi,0xfffffff8(%ebp) d0b09: 89 c6 mov %eax,%esi d0b0b: 8b 45 08 mov 0x8(%ebp),%eax d0b0e: 89 7d fc mov %edi,0xfffffffc(%ebp) d0b11: 89 5d f4 mov %ebx,0xfffffff4(%ebp) d0b14: 89 c1 mov %eax,%ecx d0b16: 89 c7 mov %eax,%edi d0b18: c1 e9 06 shr $0x6,%ecx d0b1b: 83 e0 07 and $0x7,%eax d0b1e: c1 ef 03 shr $0x3,%edi d0b21: 83 e1 03 and $0x3,%ecx d0b24: 83 e7 07 and $0x7,%edi d0b27: 31 db xor %ebx,%ebx d0b29: 89 4d f0 mov %ecx,0xfffffff0(%ebp) d0b2c: 83 fa 01 cmp $0x1,%edx d0b2f: 74 47 je d0b78 <sib+0x78> d0b31: 7e 2f jle d0b62 <sib+0x62> d0b33: 83 fa 02 cmp $0x2,%edx d0b36: 74 68 je d0ba0 <sib+0xa0> d0b38: 83 ff 04 cmp $0x4,%edi d0b3b: 90 nop d0b3c: 8d 74 26 00 lea 0x0(%esi),%esi d0b40: 74 11 je d0b53 <sib+0x53> d0b42: 89 fa mov %edi,%edx d0b44: 89 f0 mov %esi,%eax d0b46: e8 75 fe ff ff call d09c0 <getreg32> d0b4b: 0f b6 4d f0 movzbl 0xfffffff0(%ebp),%ecx d0b4f: d3 e0 shl %cl,%eax d0b51: 01 c3 add %eax,%ebx d0b53: 89 d8 mov %ebx,%eax d0b55: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0b58: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0b5b: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0b5e: 89 ec mov %ebp,%esp d0b60: 5d pop %ebp d0b61: c3 ret d0b62: 85 d2 test %edx,%edx d0b64: 75 d2 jne 
d0b38 <sib+0x38> d0b66: 83 f8 05 cmp $0x5,%eax d0b69: 74 5e je d0bc9 <sib+0xc9> d0b6b: 89 c2 mov %eax,%edx d0b6d: 89 f0 mov %esi,%eax d0b6f: e8 4c fe ff ff call d09c0 <getreg32> d0b74: 89 c3 mov %eax,%ebx d0b76: eb c0 jmp d0b38 <sib+0x38> d0b78: 89 c2 mov %eax,%edx d0b7a: 89 f0 mov %esi,%eax d0b7c: e8 3f fe ff ff call d09c0 <getreg32> d0b81: 89 c3 mov %eax,%ebx d0b83: 0f b7 46 28 movzwl 0x28(%esi),%eax d0b87: 8b 56 2c mov 0x2c(%esi),%edx d0b8a: 89 04 24 mov %eax,(%esp) d0b8d: 89 f0 mov %esi,%eax d0b8f: e8 6c fb ff ff call d0700 <address> d0b94: ff 46 28 incl 0x28(%esi) d0b97: 0f be 00 movsbl (%eax),%eax d0b9a: 01 c3 add %eax,%ebx d0b9c: eb 9a jmp d0b38 <sib+0x38> d0b9e: 89 f6 mov %esi,%esi d0ba0: 89 c2 mov %eax,%edx d0ba2: 89 f0 mov %esi,%eax d0ba4: e8 17 fe ff ff call d09c0 <getreg32> d0ba9: 89 c3 mov %eax,%ebx d0bab: 0f b7 46 28 movzwl 0x28(%esi),%eax d0baf: 8b 56 2c mov 0x2c(%esi),%edx d0bb2: 89 04 24 mov %eax,(%esp) d0bb5: 89 f0 mov %esi,%eax d0bb7: e8 44 fb ff ff call d0700 <address> d0bbc: 83 46 28 04 addl $0x4,0x28(%esi) d0bc0: 8b 10 mov (%eax),%edx d0bc2: 01 d3 add %edx,%ebx d0bc4: e9 6f ff ff ff jmp d0b38 <sib+0x38> d0bc9: 0f b7 46 28 movzwl 0x28(%esi),%eax d0bcd: 8b 56 2c mov 0x2c(%esi),%edx d0bd0: 89 04 24 mov %eax,(%esp) d0bd3: 89 f0 mov %esi,%eax d0bd5: e8 26 fb ff ff call d0700 <address> d0bda: 83 46 28 04 addl $0x4,0x28(%esi) d0bde: 8b 18 mov (%eax),%ebx d0be0: e9 53 ff ff ff jmp d0b38 <sib+0x38> d0be5: 8d 74 26 00 lea 0x0(%esi),%esi d0be9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d0bf0 <operand>: d0bf0: 55 push %ebp d0bf1: 89 e5 mov %esp,%ebp d0bf3: 83 ec 18 sub $0x18,%esp d0bf6: 89 5d f4 mov %ebx,0xfffffff4(%ebp) d0bf9: 89 c3 mov %eax,%ebx d0bfb: 89 75 f8 mov %esi,0xfffffff8(%ebp) d0bfe: 89 d6 mov %edx,%esi d0c00: 89 7d fc mov %edi,0xfffffffc(%ebp) d0c03: 8b 7d 08 mov 0x8(%ebp),%edi d0c06: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp) d0c0d: 8b 42 40 mov 0x40(%edx),%eax d0c10: 89 04 24 mov %eax,(%esp) d0c13: 89 d8 mov %ebx,%eax d0c15: e8 a6 fe 
ff ff call d0ac0 <segment> d0c1a: 89 45 ec mov %eax,0xffffffec(%ebp) d0c1d: f6 c3 02 test $0x2,%bl d0c20: 74 5e je d0c80 <operand+0x90> d0c22: 89 fb mov %edi,%ebx d0c24: c1 eb 06 shr $0x6,%ebx d0c27: 83 e3 03 and $0x3,%ebx d0c2a: 83 fb 02 cmp $0x2,%ebx d0c2d: 0f 8f ad 00 00 00 jg d0ce0 <operand+0xf0> d0c33: 83 fb 01 cmp $0x1,%ebx d0c36: 0f 8c ee 00 00 00 jl d0d2a <operand+0x13a> d0c3c: 89 f8 mov %edi,%eax d0c3e: 83 e0 07 and $0x7,%eax d0c41: 83 f8 04 cmp $0x4,%eax d0c44: 74 23 je d0c69 <operand+0x79> d0c46: 83 fb 01 cmp $0x1,%ebx d0c49: 0f 84 a6 02 00 00 je d0ef5 <operand+0x305> d0c4f: 0f b7 46 28 movzwl 0x28(%esi),%eax d0c53: 8b 56 2c mov 0x2c(%esi),%edx d0c56: 89 04 24 mov %eax,(%esp) d0c59: 89 f0 mov %esi,%eax d0c5b: e8 a0 fa ff ff call d0700 <address> d0c60: 83 46 28 04 addl $0x4,0x28(%esi) d0c64: 8b 00 mov (%eax),%eax d0c66: 89 45 f0 mov %eax,0xfffffff0(%ebp) d0c69: 89 f8 mov %edi,%eax d0c6b: 83 e0 07 and $0x7,%eax d0c6e: 83 f8 07 cmp $0x7,%eax d0c71: 77 5d ja d0cd0 <operand+0xe0> d0c73: ff 24 85 98 44 0d 00 jmp *0xd4498(,%eax,4) d0c7a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d0c80: 89 fb mov %edi,%ebx d0c82: c1 eb 06 shr $0x6,%ebx d0c85: 83 e3 03 and $0x3,%ebx d0c88: 83 fb 02 cmp $0x2,%ebx d0c8b: 7f 3b jg d0cc8 <operand+0xd8> d0c8d: 83 fb 01 cmp $0x1,%ebx d0c90: 0f 8c 7f 00 00 00 jl d0d15 <operand+0x125> d0c96: 0f 84 a3 00 00 00 je d0d3f <operand+0x14f> d0c9c: 0f b7 46 28 movzwl 0x28(%esi),%eax d0ca0: 8b 56 2c mov 0x2c(%esi),%edx d0ca3: 89 04 24 mov %eax,(%esp) d0ca6: 89 f0 mov %esi,%eax d0ca8: e8 53 fa ff ff call d0700 <address> d0cad: 83 46 28 02 addl $0x2,0x28(%esi) d0cb1: 0f b7 00 movzwl (%eax),%eax d0cb4: 89 45 f0 mov %eax,0xfffffff0(%ebp) d0cb7: 89 f8 mov %edi,%eax d0cb9: 83 e0 07 and $0x7,%eax d0cbc: 83 f8 07 cmp $0x7,%eax d0cbf: 77 0f ja d0cd0 <operand+0xe0> d0cc1: ff 24 85 b8 44 0d 00 jmp *0xd44b8(,%eax,4) d0cc8: 83 fb 03 cmp $0x3,%ebx d0ccb: 74 33 je d0d00 <operand+0x110> d0ccd: 8d 76 00 lea 0x0(%esi),%esi d0cd0: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx 
d0cd3: 31 c0 xor %eax,%eax d0cd5: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0cd8: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0cdb: 89 ec mov %ebp,%esp d0cdd: 5d pop %ebp d0cde: c3 ret d0cdf: 90 nop d0ce0: 83 fb 03 cmp $0x3,%ebx d0ce3: 75 eb jne d0cd0 <operand+0xe0> d0ce5: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0ce8: 89 fa mov %edi,%edx d0cea: 89 f0 mov %esi,%eax d0cec: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0cef: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0cf2: 89 ec mov %ebp,%esp d0cf4: 5d pop %ebp d0cf5: e9 c6 fc ff ff jmp d09c0 <getreg32> d0cfa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d0d00: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0d03: 89 fa mov %edi,%edx d0d05: 89 f0 mov %esi,%eax d0d07: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0d0a: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0d0d: 89 ec mov %ebp,%esp d0d0f: 5d pop %ebp d0d10: e9 0b fd ff ff jmp d0a20 <getreg16> d0d15: 85 db test %ebx,%ebx d0d17: 75 b7 jne d0cd0 <operand+0xe0> d0d19: 89 f8 mov %edi,%eax d0d1b: 83 e0 07 and $0x7,%eax d0d1e: 83 f8 07 cmp $0x7,%eax d0d21: 77 ad ja d0cd0 <operand+0xe0> d0d23: ff 24 85 d8 44 0d 00 jmp *0xd44d8(,%eax,4) d0d2a: 85 db test %ebx,%ebx d0d2c: 75 a2 jne d0cd0 <operand+0xe0> d0d2e: 89 f8 mov %edi,%eax d0d30: 83 e0 07 and $0x7,%eax d0d33: 83 f8 07 cmp $0x7,%eax d0d36: 77 98 ja d0cd0 <operand+0xe0> d0d38: ff 24 85 f8 44 0d 00 jmp *0xd44f8(,%eax,4) d0d3f: 0f b7 46 28 movzwl 0x28(%esi),%eax d0d43: 8b 56 2c mov 0x2c(%esi),%edx d0d46: 89 04 24 mov %eax,(%esp) d0d49: 89 f0 mov %esi,%eax d0d4b: e8 b0 f9 ff ff call d0700 <address> d0d50: ff 46 28 incl 0x28(%esi) d0d53: 0f be 00 movsbl (%eax),%eax d0d56: e9 59 ff ff ff jmp d0cb4 <operand+0xc4> d0d5b: 8b 06 mov (%esi),%eax d0d5d: 01 45 f0 add %eax,0xfffffff0(%ebp) d0d60: 8b 45 f0 mov 0xfffffff0(%ebp),%eax d0d63: 89 45 08 mov %eax,0x8(%ebp) d0d66: 8b 55 ec mov 0xffffffec(%ebp),%edx d0d69: 89 f0 mov %esi,%eax d0d6b: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d0d6e: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d0d71: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0d74: 89 ec mov %ebp,%esp d0d76: 5d pop %ebp 
d0d77: e9 84 f9 ff ff jmp d0700 <address> d0d7c: 8b 46 04 mov 0x4(%esi),%eax d0d7f: eb dc jmp d0d5d <operand+0x16d> d0d81: 8b 46 08 mov 0x8(%esi),%eax d0d84: eb d7 jmp d0d5d <operand+0x16d> d0d86: 0f b7 46 28 movzwl 0x28(%esi),%eax d0d8a: 8b 56 2c mov 0x2c(%esi),%edx d0d8d: 89 04 24 mov %eax,(%esp) d0d90: 89 f0 mov %esi,%eax d0d92: e8 69 f9 ff ff call d0700 <address> d0d97: ff 46 28 incl 0x28(%esi) d0d9a: 89 da mov %ebx,%edx d0d9c: 0f b6 00 movzbl (%eax),%eax d0d9f: 89 04 24 mov %eax,(%esp) d0da2: 89 f0 mov %esi,%eax d0da4: e8 57 fd ff ff call d0b00 <sib> d0da9: eb b8 jmp d0d63 <operand+0x173> d0dab: 8b 46 10 mov 0x10(%esi),%eax d0dae: eb ad jmp d0d5d <operand+0x16d> d0db0: 8b 46 14 mov 0x14(%esi),%eax d0db3: eb a8 jmp d0d5d <operand+0x16d> d0db5: 8b 46 18 mov 0x18(%esi),%eax d0db8: eb a3 jmp d0d5d <operand+0x16d> d0dba: 8b 46 1c mov 0x1c(%esi),%eax d0dbd: 8d 76 00 lea 0x0(%esi),%esi d0dc0: eb 9b jmp d0d5d <operand+0x16d> d0dc2: 0f b7 46 10 movzwl 0x10(%esi),%eax d0dc6: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx d0dc9: 01 c8 add %ecx,%eax d0dcb: eb 96 jmp d0d63 <operand+0x173> d0dcd: 0f b7 46 08 movzwl 0x8(%esi),%eax d0dd1: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx d0dd4: 01 c8 add %ecx,%eax d0dd6: eb 8b jmp d0d63 <operand+0x173> d0dd8: 0f b7 06 movzwl (%esi),%eax d0ddb: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx d0dde: 01 c8 add %ecx,%eax d0de0: eb 81 jmp d0d63 <operand+0x173> d0de2: 0f b7 46 04 movzwl 0x4(%esi),%eax d0de6: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx d0de9: 01 c8 add %ecx,%eax d0deb: e9 73 ff ff ff jmp d0d63 <operand+0x173> d0df0: 0f b7 46 08 movzwl 0x8(%esi),%eax d0df4: 0f b7 16 movzwl (%esi),%edx d0df7: 01 d0 add %edx,%eax d0df9: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx d0dfc: 01 c8 add %ecx,%eax d0dfe: e9 60 ff ff ff jmp d0d63 <operand+0x173> d0e03: 0f b7 46 08 movzwl 0x8(%esi),%eax d0e07: 0f b7 56 04 movzwl 0x4(%esi),%edx d0e0b: 01 d0 add %edx,%eax d0e0d: eb ea jmp d0df9 <operand+0x209> d0e0f: 0f b7 46 10 movzwl 0x10(%esi),%eax d0e13: 0f b7 16 movzwl (%esi),%edx d0e16: eb df jmp 
d0df7 <operand+0x207> d0e18: 0f b7 46 10 movzwl 0x10(%esi),%eax d0e1c: 0f b7 56 04 movzwl 0x4(%esi),%edx d0e20: eb e9 jmp d0e0b <operand+0x21b> d0e22: 0f b7 46 10 movzwl 0x10(%esi),%eax d0e26: e9 38 ff ff ff jmp d0d63 <operand+0x173> d0e2b: 0f b7 46 28 movzwl 0x28(%esi),%eax d0e2f: 8b 56 2c mov 0x2c(%esi),%edx d0e32: 89 04 24 mov %eax,(%esp) d0e35: 89 f0 mov %esi,%eax d0e37: e8 c4 f8 ff ff call d0700 <address> d0e3c: 83 46 28 02 addl $0x2,0x28(%esi) d0e40: 0f b7 00 movzwl (%eax),%eax d0e43: e9 1b ff ff ff jmp d0d63 <operand+0x173> d0e48: 0f b7 06 movzwl (%esi),%eax d0e4b: e9 13 ff ff ff jmp d0d63 <operand+0x173> d0e50: 0f b7 46 04 movzwl 0x4(%esi),%eax d0e54: e9 0a ff ff ff jmp d0d63 <operand+0x173> d0e59: 0f b7 46 08 movzwl 0x8(%esi),%eax d0e5d: 0f b7 16 movzwl (%esi),%edx d0e60: 01 d0 add %edx,%eax d0e62: e9 fc fe ff ff jmp d0d63 <operand+0x173> d0e67: 0f b7 46 08 movzwl 0x8(%esi),%eax d0e6b: 0f b7 56 04 movzwl 0x4(%esi),%edx d0e6f: 01 d0 add %edx,%eax d0e71: e9 ed fe ff ff jmp d0d63 <operand+0x173> d0e76: 0f b7 46 10 movzwl 0x10(%esi),%eax d0e7a: 0f b7 16 movzwl (%esi),%edx d0e7d: eb e1 jmp d0e60 <operand+0x270> d0e7f: 0f b7 46 10 movzwl 0x10(%esi),%eax d0e83: 0f b7 56 04 movzwl 0x4(%esi),%edx d0e87: eb e6 jmp d0e6f <operand+0x27f> d0e89: 8b 06 mov (%esi),%eax d0e8b: e9 d3 fe ff ff jmp d0d63 <operand+0x173> d0e90: 8b 46 04 mov 0x4(%esi),%eax d0e93: e9 cb fe ff ff jmp d0d63 <operand+0x173> d0e98: 0f b7 46 28 movzwl 0x28(%esi),%eax d0e9c: 8b 56 2c mov 0x2c(%esi),%edx d0e9f: 89 04 24 mov %eax,(%esp) d0ea2: 89 f0 mov %esi,%eax d0ea4: e8 57 f8 ff ff call d0700 <address> d0ea9: 83 46 28 04 addl $0x4,0x28(%esi) d0ead: 8b 00 mov (%eax),%eax d0eaf: e9 af fe ff ff jmp d0d63 <operand+0x173> d0eb4: 0f b7 46 28 movzwl 0x28(%esi),%eax d0eb8: 8b 56 2c mov 0x2c(%esi),%edx d0ebb: 89 04 24 mov %eax,(%esp) d0ebe: 89 f0 mov %esi,%eax d0ec0: e8 3b f8 ff ff call d0700 <address> d0ec5: ff 46 28 incl 0x28(%esi) d0ec8: 31 d2 xor %edx,%edx d0eca: 0f b6 00 movzbl (%eax),%eax d0ecd: 89 04 
24 mov %eax,(%esp)
d0ed0: e9 cd fe ff ff  jmp d0da2 <operand+0x1b2>
d0ed5: 8b 46 10  mov 0x10(%esi),%eax
d0ed8: e9 86 fe ff ff  jmp d0d63 <operand+0x173>
d0edd: 8b 46 14  mov 0x14(%esi),%eax
d0ee0: e9 7e fe ff ff  jmp d0d63 <operand+0x173>
d0ee5: 8b 46 18  mov 0x18(%esi),%eax
d0ee8: e9 76 fe ff ff  jmp d0d63 <operand+0x173>
d0eed: 8b 46 1c  mov 0x1c(%esi),%eax
d0ef0: e9 6e fe ff ff  jmp d0d63 <operand+0x173>
d0ef5: 0f b7 46 28  movzwl 0x28(%esi),%eax
d0ef9: 8b 56 2c  mov 0x2c(%esi),%edx
d0efc: 89 04 24  mov %eax,(%esp)
d0eff: 89 f0  mov %esi,%eax
d0f01: e8 fa f7 ff ff  call d0700 <address>
d0f06: ff 46 28  incl 0x28(%esi)
d0f09: 0f be 00  movsbl (%eax),%eax
d0f0c: e9 55 fd ff ff  jmp d0c66 <operand+0x76>
d0f11: eb 0d  jmp d0f20 <movr>
d0f13: 90  nop
d0f14: 90  nop
d0f15: 90  nop
d0f16: 90  nop
d0f17: 90  nop
d0f18: 90  nop
d0f19: 90  nop
d0f1a: 90  nop
d0f1b: 90  nop
d0f1c: 90  nop
d0f1d: 90  nop
d0f1e: 90  nop
d0f1f: 90  nop

000d0f20 <movr>:
d0f20: 55  push %ebp
d0f21: 89 e5  mov %esp,%ebp
d0f23: 83 ec 38  sub $0x38,%esp
d0f26: 89 5d f4  mov %ebx,0xfffffff4(%ebp)
d0f29: 89 75 f8  mov %esi,0xfffffff8(%ebp)
d0f2c: 89 c6  mov %eax,%esi
d0f2e: 89 7d fc  mov %edi,0xfffffffc(%ebp)
d0f31: 89 55 f0  mov %edx,0xfffffff0(%ebp)
d0f34: 8b 40 28  mov 0x28(%eax),%eax
d0f37: 8d 50 ff  lea 0xffffffff(%eax),%edx
d0f3a: 89 55 ec  mov %edx,0xffffffec(%ebp)
d0f3d: 25 ff ff 00 00  and $0xffff,%eax
d0f42: 8b 56 2c  mov 0x2c(%esi),%edx
d0f45: 89 04 24  mov %eax,(%esp)
d0f48: 89 f0  mov %esi,%eax
d0f4a: e8 b1 f7 ff ff  call d0700 <address>
d0f4f: ff 46 28  incl 0x28(%esi)
d0f52: 89 f2  mov %esi,%edx
d0f54: 0f b6 18  movzbl (%eax),%ebx
d0f57: 89 df  mov %ebx,%edi
d0f59: c1 ef 03  shr $0x3,%edi
d0f5c: 89 1c 24  mov %ebx,(%esp)
d0f5f: 83 e7 07  and $0x7,%edi
d0f62: 8b 45 f0  mov 0xfffffff0(%ebp),%eax
d0f65: e8 86 fc ff ff  call d0bf0 <operand>
d0f6a: 89 45 e8  mov %eax,0xffffffe8(%ebp)
d0f6d: 89 d8  mov %ebx,%eax
d0f6f: 25 c0 00 00 00  and $0xc0,%eax
d0f74: 3d c0 00 00 00  cmp $0xc0,%eax
d0f79: 0f 84 b1 00 00 00  je d1030 <movr+0x110>
d0f7f: 81 7d 08 8a 00 00 00  cmpl $0x8a,0x8(%ebp)
d0f86: 0f 84 29 01 00 00  je d10b5 <movr+0x195>
d0f8c: 77 29  ja d0fb7 <movr+0x97>
d0f8e: 81 7d 08 88 00 00 00  cmpl $0x88,0x8(%ebp)
d0f95: 0f 84 64 01 00 00  je d10ff <movr+0x1df>
d0f9b: 81 7d 08 89 00 00 00  cmpl $0x89,0x8(%ebp)
d0fa2: 0f 84 a4 00 00 00  je d104c <movr+0x12c>
d0fa8: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d0fab: 31 c0  xor %eax,%eax
d0fad: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d0fb0: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d0fb3: 89 ec  mov %ebp,%esp
d0fb5: 5d  pop %ebp
d0fb6: c3  ret
d0fb7: 81 7d 08 8b 00 00 00  cmpl $0x8b,0x8(%ebp)
d0fbe: 0f 84 53 01 00 00  je d1117 <movr+0x1f7>
d0fc4: 81 7d 08 c6 00 00 00  cmpl $0xc6,0x8(%ebp)
d0fcb: 75 db  jne d0fa8 <movr+0x88>
d0fcd: 31 c0  xor %eax,%eax
d0fcf: f6 c3 38  test $0x38,%bl
d0fd2: 75 6b  jne d103f <movr+0x11f>
d0fd4: 0f b7 46 28  movzwl 0x28(%esi),%eax
d0fd8: bf 5e 4b 0d 00  mov $0xd4b5e,%edi
d0fdd: 8b 56 2c  mov 0x2c(%esi),%edx
d0fe0: 89 04 24  mov %eax,(%esp)
d0fe3: 89 f0  mov %esi,%eax
d0fe5: e8 16 f7 ff ff  call d0700 <address>
d0fea: ff 46 28  incl 0x28(%esi)
d0fed: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d0ff0: 0f b6 00  movzbl (%eax),%eax
d0ff3: 88 02  mov %al,(%edx)
d0ff5: 89 54 24 10  mov %edx,0x10(%esp)
d0ff9: 89 44 24 0c  mov %eax,0xc(%esp)
d0ffd: 89 7c 24 08  mov %edi,0x8(%esp)
d1001: 8b 46 28  mov 0x28(%esi),%eax
d1004: 8b 5d ec  mov 0xffffffec(%ebp),%ebx
d1007: 89 34 24  mov %esi,(%esp)
d100a: 29 d8  sub %ebx,%eax
d100c: 89 44 24 04  mov %eax,0x4(%esp)
d1010: e8 7b f8 ff ff  call d0890 <trace>
d1015: b8 01 00 00 00  mov $0x1,%eax
d101a: 8d b6 00 00 00 00  lea 0x0(%esi),%esi
d1020: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d1023: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d1026: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d1029: 89 ec  mov %ebp,%esp
d102b: 5d  pop %ebp
d102c: c3  ret
d102d: 8d 76 00  lea 0x0(%esi),%esi
d1030: 31 c0  xor %eax,%eax
d1032: 83 3d 04 76 0d 00 02  cmpl $0x2,0xd7604
d1039: 0f 84 40 ff ff ff  je d0f7f <movr+0x5f>
d103f: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d1042: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d1045: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d1048: 89 ec  mov %ebp,%esp
d104a: 5d  pop %ebp
d104b: c3  ret
d104c: 89 fa  mov %edi,%edx
d104e: 89 f0  mov %esi,%eax
d1050: e8 6b f9 ff ff  call d09c0 <getreg32>
d1055: 89 45 e4  mov %eax,0xffffffe4(%ebp)
d1058: 89 d8  mov %ebx,%eax
d105a: 25 c0 00 00 00  and $0xc0,%eax
d105f: 3d c0 00 00 00  cmp $0xc0,%eax
d1064: 0f 84 aa 01 00 00  je d1214 <movr+0x2f4>
d106a: f6 45 f0 01  testb $0x1,0xfffffff0(%ebp)
d106e: 0f 84 a8 02 00 00  je d131c <movr+0x3fc>
d1074: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d1077: 89 44 24 10  mov %eax,0x10(%esp)
d107b: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d1082: bf 70 4b 0d 00  mov $0xd4b70,%edi
d1087: 89 7c 24 08  mov %edi,0x8(%esp)
d108b: 89 44 24 0c  mov %eax,0xc(%esp)
d108f: 8b 46 28  mov 0x28(%esi),%eax
d1092: 8b 5d ec  mov 0xffffffec(%ebp),%ebx
d1095: 89 34 24  mov %esi,(%esp)
d1098: 29 d8  sub %ebx,%eax
d109a: 89 44 24 04  mov %eax,0x4(%esp)
d109e: e8 ed f7 ff ff  call d0890 <trace>
d10a3: 8b 45 e4  mov 0xffffffe4(%ebp),%eax
d10a6: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d10a9: 89 02  mov %eax,(%edx)
d10ab: b8 01 00 00 00  mov $0x1,%eax
d10b0: e9 6b ff ff ff  jmp d1020 <movr+0x100>
d10b5: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d10bc: b9 82 4b 0d 00  mov $0xd4b82,%ecx
d10c1: 89 44 24 10  mov %eax,0x10(%esp)
d10c5: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d10c8: 89 4c 24 08  mov %ecx,0x8(%esp)
d10cc: 89 54 24 0c  mov %edx,0xc(%esp)
d10d0: 8b 55 ec  mov 0xffffffec(%ebp),%edx
d10d3: 8b 46 28  mov 0x28(%esi),%eax
d10d6: 89 34 24  mov %esi,(%esp)
d10d9: 29 d0  sub %edx,%eax
d10db: 89 44 24 04  mov %eax,0x4(%esp)
d10df: e8 ac f7 ff ff  call d0890 <trace>
d10e4: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d10e7: 0f b6 10  movzbl (%eax),%edx
d10ea: 89 f8  mov %edi,%eax
d10ec: 83 e0 07  and $0x7,%eax
d10ef: 83 f8 07  cmp $0x7,%eax
d10f2: 0f 87 1d ff ff ff  ja d1015 <movr+0xf5>
d10f8: ff 24 85 18 45 0d 00  jmp *0xd4518(,%eax,4)
d10ff: 89 fa  mov %edi,%edx
d1101: b8 ff ff ff ff  mov $0xffffffff,%eax
d1106: 83 e2 07  and $0x7,%edx
d1109: 83 fa 07  cmp $0x7,%edx
d110c: 77 76  ja d1184 <movr+0x264>
d110e: 89 f6  mov %esi,%esi
d1110: ff 24 95 38 45 0d 00  jmp *0xd4538(,%edx,4)
d1117: 81 e3 c0 00 00 00  and $0xc0,%ebx
d111d: 81 fb c0 00 00 00  cmp $0xc0,%ebx
d1123: 0f 84 e5 01 00 00  je d130e <movr+0x3ee>
d1129: f6 45 f0 01  testb $0x1,0xfffffff0(%ebp)
d112d: 8d 76 00  lea 0x0(%esi),%esi
d1130: 0f 84 93 00 00 00  je d11c9 <movr+0x2a9>
d1136: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d113d: 89 44 24 10  mov %eax,0x10(%esp)
d1141: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d1144: b8 93 4b 0d 00  mov $0xd4b93,%eax
d1149: 89 44 24 08  mov %eax,0x8(%esp)
d114d: 89 54 24 0c  mov %edx,0xc(%esp)
d1151: 8b 46 28  mov 0x28(%esi),%eax
d1154: 8b 5d ec  mov 0xffffffec(%ebp),%ebx
d1157: 89 34 24  mov %esi,(%esp)
d115a: 29 d8  sub %ebx,%eax
d115c: 89 44 24 04  mov %eax,0x4(%esp)
d1160: e8 2b f7 ff ff  call d0890 <trace>
d1165: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d1168: 8b 02  mov (%edx),%eax
d116a: 89 04 24  mov %eax,(%esp)
d116d: 89 fa  mov %edi,%edx
d116f: 89 f0  mov %esi,%eax
d1171: e8 ba f8 ff ff  call d0a30 <setreg32>
d1176: b8 01 00 00 00  mov $0x1,%eax
d117b: e9 a0 fe ff ff  jmp d1020 <movr+0x100>
d1180: 0f b6 46 11  movzbl 0x11(%esi),%eax
d1184: 89 45 e4  mov %eax,0xffffffe4(%ebp)
d1187: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d118a: 89 44 24 10  mov %eax,0x10(%esp)
d118e: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d1195: bf a5 4b 0d 00  mov $0xd4ba5,%edi
d119a: 89 7c 24 08  mov %edi,0x8(%esp)
d119e: 89 44 24 0c  mov %eax,0xc(%esp)
d11a2: 8b 46 28  mov 0x28(%esi),%eax
d11a5: 8b 5d ec  mov 0xffffffec(%ebp),%ebx
d11a8: 89 34 24  mov %esi,(%esp)
d11ab: 29 d8  sub %ebx,%eax
d11ad: 89 44 24 04  mov %eax,0x4(%esp)
d11b1: e8 da f6 ff ff  call d0890 <trace>
d11b6: 0f b6 55 e4  movzbl 0xffffffe4(%ebp),%edx
d11ba: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d11bd: 88 10  mov %dl,(%eax)
d11bf: b8 01 00 00 00  mov $0x1,%eax
d11c4: e9 57 fe ff ff  jmp d1020 <movr+0x100>
d11c9: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d11d0: b9 b7 4b 0d 00  mov $0xd4bb7,%ecx
d11d5: 89 44 24 10  mov %eax,0x10(%esp)
d11d9: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d11dc: 89 4c 24 08  mov %ecx,0x8(%esp)
d11e0: 89 44 24 0c  mov %eax,0xc(%esp)
d11e4: 8b 55 ec  mov 0xffffffec(%ebp),%edx
d11e7: 8b 46 28  mov 0x28(%esi),%eax
d11ea: 89 34 24  mov %esi,(%esp)
d11ed: 29 d0  sub %edx,%eax
d11ef: 89 44 24 04  mov %eax,0x4(%esp)
d11f3: e8 98 f6 ff ff  call d0890 <trace>
d11f8: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d11fb: 0f b7 02  movzwl (%edx),%eax
d11fe: 89 04 24  mov %eax,(%esp)
d1201: 89 fa  mov %edi,%edx
d1203: 89 f0  mov %esi,%eax
d1205: e8 76 f8 ff ff  call d0a80 <setreg16>
d120a: b8 01 00 00 00  mov $0x1,%eax
d120f: e9 0c fe ff ff  jmp d1020 <movr+0x100>
d1214: f6 45 f0 01  testb $0x1,0xfffffff0(%ebp)
d1218: 0f 84 49 01 00 00  je d1367 <movr+0x447>
d121e: 8b 55 e4  mov 0xffffffe4(%ebp),%edx
d1221: 83 e3 07  and $0x7,%ebx
d1224: 89 14 24  mov %edx,(%esp)
d1227: 89 da  mov %ebx,%edx
d1229: e9 41 ff ff ff  jmp d116f <movr+0x24f>
d122e: 88 56 18  mov %dl,0x18(%esi)
d1231: b8 01 00 00 00  mov $0x1,%eax
d1236: e9 e5 fd ff ff  jmp d1020 <movr+0x100>
d123b: 88 56 1c  mov %dl,0x1c(%esi)
d123e: b8 01 00 00 00  mov $0x1,%eax
d1243: e9 d8 fd ff ff  jmp d1020 <movr+0x100>
d1248: 8b 46 10  mov 0x10(%esi),%eax
d124b: c1 e2 08  shl $0x8,%edx
d124e: 25 ff 00 ff ff  and $0xffff00ff,%eax
d1253: 09 d0  or %edx,%eax
d1255: 89 46 10  mov %eax,0x10(%esi)
d1258: b8 01 00 00 00  mov $0x1,%eax
d125d: e9 be fd ff ff  jmp d1020 <movr+0x100>
d1262: 8b 46 14  mov 0x14(%esi),%eax
d1265: c1 e2 08  shl $0x8,%edx
d1268: 25 ff 00 ff ff  and $0xffff00ff,%eax
d126d: 09 d0  or %edx,%eax
d126f: 89 46 14  mov %eax,0x14(%esi)
d1272: b8 01 00 00 00  mov $0x1,%eax
d1277: e9 a4 fd ff ff  jmp d1020 <movr+0x100>
d127c: 8b 46 18  mov 0x18(%esi),%eax
d127f: c1 e2 08  shl $0x8,%edx
d1282: 25 ff 00 ff ff  and $0xffff00ff,%eax
d1287: 09 d0  or %edx,%eax
d1289: 89 46 18  mov %eax,0x18(%esi)
d128c: b8 01 00 00 00  mov $0x1,%eax
d1291: e9 8a fd ff ff  jmp d1020 <movr+0x100>
d1296: 8b 46 1c  mov 0x1c(%esi),%eax
d1299: c1 e2 08  shl $0x8,%edx
d129c: 25 ff 00 ff ff  and $0xffff00ff,%eax
d12a1: 09 d0  or %edx,%eax
d12a3: 89 46 1c  mov %eax,0x1c(%esi)
d12a6: b8 01 00 00 00  mov $0x1,%eax
d12ab: e9 70 fd ff ff  jmp d1020 <movr+0x100>
d12b0: 88 56 10  mov %dl,0x10(%esi)
d12b3: b8 01 00 00 00  mov $0x1,%eax
d12b8: e9 63 fd ff ff  jmp d1020 <movr+0x100>
d12bd: 88 56 14  mov %dl,0x14(%esi)
d12c0: b8 01 00 00 00  mov $0x1,%eax
d12c5: e9 56 fd ff ff  jmp d1020 <movr+0x100>
d12ca: 0f b6 46 15  movzbl 0x15(%esi),%eax
d12ce: e9 b1 fe ff ff  jmp d1184 <movr+0x264>
d12d3: 0f b6 46 19  movzbl 0x19(%esi),%eax
d12d7: e9 a8 fe ff ff  jmp d1184 <movr+0x264>
d12dc: 0f b6 46 1d  movzbl 0x1d(%esi),%eax
d12e0: e9 9f fe ff ff  jmp d1184 <movr+0x264>
d12e5: 0f b6 46 10  movzbl 0x10(%esi),%eax
d12e9: e9 96 fe ff ff  jmp d1184 <movr+0x264>
d12ee: 0f b6 46 14  movzbl 0x14(%esi),%eax
d12f2: e9 8d fe ff ff  jmp d1184 <movr+0x264>
d12f7: 0f b6 46 18  movzbl 0x18(%esi),%eax
d12fb: 90  nop
d12fc: 8d 74 26 00  lea 0x0(%esi),%esi
d1300: e9 7f fe ff ff  jmp d1184 <movr+0x264>
d1305: 0f b6 46 1c  movzbl 0x1c(%esi),%eax
d1309: e9 76 fe ff ff  jmp d1184 <movr+0x264>
d130e: f6 45 f0 01  testb $0x1,0xfffffff0(%ebp)
d1312: 74 4a  je d135e <movr+0x43e>
d1314: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d1317: e9 4e fe ff ff  jmp d116a <movr+0x24a>
d131c: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d131f: b9 c8 4b 0d 00  mov $0xd4bc8,%ecx
d1324: 89 54 24 10  mov %edx,0x10(%esp)
d1328: 8b 04 bd a0 55 0d 00  mov 0xd55a0(,%edi,4),%eax
d132f: 89 4c 24 08  mov %ecx,0x8(%esp)
d1333: 89 44 24 0c  mov %eax,0xc(%esp)
d1337: 8b 55 ec  mov 0xffffffec(%ebp),%edx
d133a: 8b 46 28  mov 0x28(%esi),%eax
d133d: 89 34 24  mov %esi,(%esp)
d1340: 29 d0  sub %edx,%eax
d1342: 89 44 24 04  mov %eax,0x4(%esp)
d1346: e8 45 f5 ff ff  call d0890 <trace>
d134b: 8b 45 e8  mov 0xffffffe8(%ebp),%eax
d134e: 8b 55 e4  mov 0xffffffe4(%ebp),%edx
d1351: 66 89 10  mov %dx,(%eax)
d1354: b8 01 00 00 00  mov $0x1,%eax
d1359: e9 c2 fc ff ff  jmp d1020 <movr+0x100>
d135e: 0f b7 45 e8  movzwl 0xffffffe8(%ebp),%eax
d1362: e9 97 fe ff ff  jmp d11fe <movr+0x2de>
d1367: 0f b7 45 e4  movzwl 0xffffffe4(%ebp),%eax
d136b: 83 e3 07  and $0x7,%ebx
d136e: 89 da  mov %ebx,%edx
d1370: 89 04 24  mov %eax,(%esp)
d1373: e9 8b fe ff ff  jmp d1203 <movr+0x2e3>
d1378: 90  nop
d1379: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi

000d1380 <load_seg>:
d1380: 55  push %ebp
d1381: 89 e5  mov %esp,%ebp
d1383: 83 ec 48  sub $0x48,%esp
d1386: 89 5d f4  mov %ebx,0xfffffff4(%ebp)
d1389: 31 db  xor %ebx,%ebx
d138b: 39 05 e0 97 0d 00  cmp %eax,0xd97e0
d1391: 89 7d fc  mov %edi,0xfffffffc(%ebp)
d1394: 89 c7  mov %eax,%edi
d1396: 89 75 f8  mov %esi,0xfffffff8(%ebp)
d1399: 89 55 e4  mov %edx,0xffffffe4(%ebp)
d139c: 72 10  jb d13ae <load_seg+0x2e>
d139e: 85 c0  test %eax,%eax
d13a0: 75 1e  jne d13c0 <load_seg+0x40>
d13a2: 8b 45 0c  mov 0xc(%ebp),%eax
d13a5: 80 48 02 01  orb $0x1,0x2(%eax)
d13a9: bb 01 00 00 00  mov $0x1,%ebx
d13ae: 89 d8  mov %ebx,%eax
d13b0: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d13b3: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d13b6: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d13b9: 89 ec  mov %ebp,%esp
d13bb: 5d  pop %ebp
d13bc: c3  ret
d13bd: 8d 76 00  lea 0x0(%esi),%esi
d13c0: a1 e4 97 0d 00  mov 0xd97e4,%eax
d13c5: e8 36 f0 ff ff  call d0400 <guest_linear_to_phys>
d13ca: 89 45 e0  mov %eax,0xffffffe0(%ebp)
d13cd: 89 c3  mov %eax,%ebx
d13cf: 89 d6  mov %edx,%esi
d13d1: 8b 45 e0  mov 0xffffffe0(%ebp),%eax
d13d4: 31 d2  xor %edx,%edx
d13d6: 89 d1  mov %edx,%ecx
d13d8: 31 f1  xor %esi,%ecx
d13da: 31 d8  xor %ebx,%eax
d13dc: 09 c1  or %eax,%ecx
d13de: 0f 85 65 01 00 00  jne d1549 <load_seg+0x1c9>
d13e4: 8b 5d e0  mov 0xffffffe0(%ebp),%ebx
d13e7: 89 f8  mov %edi,%eax
d13e9: 83 e0 f8  and $0xfffffff8,%eax
d13ec: 8b 0c 18  mov (%eax,%ebx,1),%ecx
d13ef: 8b 5c 18 04  mov 0x4(%eax,%ebx,1),%ebx
d13f3: 89 4d d0  mov %ecx,0xffffffd0(%ebp)
d13f6: 89 5d d4  mov %ebx,0xffffffd4(%ebp)
d13f9: 89 4d e8  mov %ecx,0xffffffe8(%ebp)
d13fc: 89 5d ec  mov %ebx,0xffffffec(%ebp)
d13ff: 8b 55 d4  mov 0xffffffd4(%ebp),%edx
d1402: 31 c9  xor %ecx,%ecx
d1404: 89 d0  mov %edx,%eax
d1406: c1 e8 0f  shr $0xf,%eax
d1409: 31 d2  xor %edx,%edx
d140b: 89 45 d8  mov %eax,0xffffffd8(%ebp)
d140e: 8b 45 d8  mov 0xffffffd8(%ebp),%eax
d1411: 89 55 dc  mov %edx,0xffffffdc(%ebp)
d1414: 83 f0 01  xor $0x1,%eax
d1417: 85 ff  test %edi,%edi
d1419: 0f 95 c1  setne %cl
d141c: 31 db  xor %ebx,%ebx
d141e: 85 c8  test %ecx,%eax
d1420: 75 8c  jne d13ae <load_seg+0x2e>
d1422: 8b 4d d4  mov 0xffffffd4(%ebp),%ecx
d1425: 8b 55 d0  mov 0xffffffd0(%ebp),%edx
d1428: 8b 7d d4  mov 0xffffffd4(%ebp),%edi
d142b: 0f ac ca 10  shrd $0x10,%ecx,%edx
d142f: 89 d3  mov %edx,%ebx
d1431: 89 f8  mov %edi,%eax
d1433: 81 e3 00 00 ff 00  and $0xff0000,%ebx
d1439: 25 00 00 00 ff  and $0xff000000,%eax
d143e: 09 d8  or %ebx,%eax
d1440: 81 e2 ff ff 00 00  and $0xffff,%edx
d1446: 09 d0  or %edx,%eax
d1448: 8b 55 e4  mov 0xffffffe4(%ebp),%edx
d144b: 89 02  mov %eax,(%edx)
d144d: 8b 4d 08  mov 0x8(%ebp),%ecx
d1450: 89 f8  mov %edi,%eax
d1452: 0f b7 55 e8  movzwl 0xffffffe8(%ebp),%edx
d1456: 25 00 00 0f 00  and $0xf0000,%eax
d145b: 09 d0  or %edx,%eax
d145d: 89 01  mov %eax,(%ecx)
d145f: 8b 55 d4  mov 0xffffffd4(%ebp),%edx
d1462: 8b 5d 0c  mov 0xc(%ebp),%ebx
d1465: 89 d0  mov %edx,%eax
d1467: 8b 55 d4  mov 0xffffffd4(%ebp),%edx
d146a: c1 e8 08  shr $0x8,%eax
d146d: 89 c1  mov %eax,%ecx
d146f: 83 e1 0f  and $0xf,%ecx
d1472: 89 d0  mov %edx,%eax
d1474: c1 e8 0c  shr $0xc,%eax
d1477: 83 e0 01  and $0x1,%eax
d147a: c1 e0 04  shl $0x4,%eax
d147d: 09 c1  or %eax,%ecx
d147f: 89 0b  mov %ecx,(%ebx)
d1481: 0f b6 03  movzbl (%ebx),%eax
d1484: a8 10  test $0x10,%al
d1486: 0f 85 a7 00 00 00  jne d1533 <load_seg+0x1b3>
d148c: 8b 55 d4  mov 0xffffffd4(%ebp),%edx
d148f: 8b 5d 0c  mov 0xc(%ebp),%ebx
d1492: 89 d0  mov %edx,%eax
d1494: c1 e8 0d  shr $0xd,%eax
d1497: 31 d2  xor %edx,%edx
d1499: 89 45 d0  mov %eax,0xffffffd0(%ebp)
d149c: 8b 4d d0  mov 0xffffffd0(%ebp),%ecx
d149f: 89 55 d4  mov %edx,0xffffffd4(%ebp)
d14a2: 8b 13  mov (%ebx),%edx
d14a4: 8b 5d d4  mov 0xffffffd4(%ebp),%ebx
d14a7: 83 e1 03  and $0x3,%ecx
d14aa: 8b 45 d8  mov 0xffffffd8(%ebp),%eax
d14ad: c1 e1 05  shl $0x5,%ecx
d14b0: 81 e2 1f ff ff ff  and $0xffffff1f,%edx
d14b6: 09 ca  or %ecx,%edx
d14b8: 8b 4d d0  mov 0xffffffd0(%ebp),%ecx
d14bb: 83 e0 01  and $0x1,%eax
d14be: c1 e0 07  shl $0x7,%eax
d14c1: 09 c2  or %eax,%edx
d14c3: 0f ac d9 07  shrd $0x7,%ebx,%ecx
d14c7: 81 e2 ff af ff ff  and $0xffffafff,%edx
d14cd: c1 eb 07  shr $0x7,%ebx
d14d0: 89 4d d0  mov %ecx,0xffffffd0(%ebp)
d14d3: 8b 4d d0  mov 0xffffffd0(%ebp),%ecx
d14d6: 89 5d d4  mov %ebx,0xffffffd4(%ebp)
d14d9: 8b 75 d4  mov 0xffffffd4(%ebp),%esi
d14dc: 8b 5d d0  mov 0xffffffd0(%ebp),%ebx
d14df: 83 e1 01  and $0x1,%ecx
d14e2: c1 e1 0c  shl $0xc,%ecx
d14e5: 09 ca  or %ecx,%edx
d14e7: 0f ac f3 02  shrd $0x2,%esi,%ebx
d14eb: c1 ee 02  shr $0x2,%esi
d14ee: 89 5d d0  mov %ebx,0xffffffd0(%ebp)
d14f1: 8b 45 d0  mov 0xffffffd0(%ebp),%eax
d14f4: 89 75 d4  mov %esi,0xffffffd4(%ebp)
d14f7: 8b 75 0c  mov 0xc(%ebp),%esi
d14fa: 83 e0 01  and $0x1,%eax
d14fd: c1 e0 0e  shl $0xe,%eax
d1500: 09 c2  or %eax,%edx
d1502: 89 16  mov %edx,(%esi)
d1504: 8b 45 d0  mov 0xffffffd0(%ebp),%eax
d1507: 8b 55 d4  mov 0xffffffd4(%ebp),%edx
d150a: 0f ac d0 01  shrd $0x1,%edx,%eax
d150e: a8 01  test $0x1,%al
d1510: 0f 84 93 fe ff ff  je d13a9 <load_seg+0x29>
d1516: 80 4e 01 80  orb $0x80,0x1(%esi)
d151a: bb 01 00 00 00  mov $0x1,%ebx
d151f: 8b 55 08  mov 0x8(%ebp),%edx
d1522: 8b 02  mov (%edx),%eax
d1524: c1 e0 0c  shl $0xc,%eax
d1527: 0d ff 0f 00 00  or $0xfff,%eax
d152c: 89 02  mov %eax,(%edx)
d152e: e9 7b fe ff ff  jmp d13ae <load_seg+0x2e>
d1533: 89 c2  mov %eax,%edx
d1535: 83 e2 0f  and $0xf,%edx
d1538: 89 c8  mov %ecx,%eax
d153a: 83 ca 01  or $0x1,%edx
d153d: 83 e0 f0  and $0xfffffff0,%eax
d1540: 09 d0  or %edx,%eax
d1542: 89 03  mov %eax,(%ebx)
d1544: e9 43 ff ff ff  jmp d148c <load_seg+0x10c>
d1549: c7 04 24 13 4b 0d 00  movl $0xd4b13,(%esp)
d1550: e8 7b 24 00 00  call d39d0 <printf>
d1555: 8d 45 e8  lea 0xffffffe8(%ebp),%eax
d1558: 31 d2  xor %edx,%edx
d155a: 89 44 24 08  mov %eax,0x8(%esp)
d155e: 89 f8  mov %edi,%eax
d1560: 83 e0 f8  and $0xfffffff8,%eax
d1563: 01 d8  add %ebx,%eax
d1565: 11 f2  adc %esi,%edx
d1567: 89 54 24 04  mov %edx,0x4(%esp)
d156b: 89 04 24  mov %eax,(%esp)
d156e: e8 bd 20 00 00  call d3630 <cpuid_addr_value>
d1573: 8b 55 e8  mov 0xffffffe8(%ebp),%edx
d1576: 8b 4d ec  mov 0xffffffec(%ebp),%ecx
d1579: 89 55 d0  mov %edx,0xffffffd0(%ebp)
d157c: 89 4d d4  mov %ecx,0xffffffd4(%ebp)
d157f: e9 7b fe ff ff  jmp d13ff <load_seg+0x7f>
d1584: 8d b6 00 00 00 00  lea 0x0(%esi),%esi
d158a: 8d bf 00 00 00 00  lea 0x0(%edi),%edi

000d1590 <load_or_clear_seg>:
d1590: 55  push %ebp
d1591: 89 e5  mov %esp,%ebp
d1593: 83 ec 18  sub $0x18,%esp
d1596: 89 5d f4  mov %ebx,0xfffffff4(%ebp)
d1599: 8b 5d 0c  mov 0xc(%ebp),%ebx
d159c: 89 75 f8  mov %esi,0xfffffff8(%ebp)
d159f: 8b 75 08  mov 0x8(%ebp),%esi
d15a2: 89 7d fc  mov %edi,0xfffffffc(%ebp)
d15a5: 89 d7  mov %edx,%edi
d15a7: 89 5c 24 04  mov %ebx,0x4(%esp)
d15ab: 89 34 24  mov %esi,(%esp)
d15ae: e8 cd fd ff ff  call d1380 <load_seg>
d15b3: 85 c0  test %eax,%eax
d15b5: 74 0d  je d15c4 <load_or_clear_seg+0x34>
d15b7: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d15ba: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d15bd: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d15c0: 89 ec  mov %ebp,%esp
d15c2: 5d  pop %ebp
d15c3: c3  ret
d15c4: 89 5d 0c  mov %ebx,0xc(%ebp)
d15c7: 89 fa  mov %edi,%edx
d15c9: 8b 5d f4  mov 0xfffffff4(%ebp),%ebx
d15cc: 89 75 08  mov %esi,0x8(%ebp)
d15cf: 8b 7d fc  mov 0xfffffffc(%ebp),%edi
d15d2: 8b 75 f8  mov 0xfffffff8(%ebp),%esi
d15d5: 89 ec  mov %ebp,%esp
d15d7: 5d  pop %ebp
d15d8: e9 a3 fd ff ff  jmp d1380 <load_seg>
d15dd: 8d 76 00  lea 0x0(%esi),%esi

000d15e0 <set_mode>:
d15e0: 55  push %ebp
d15e1: 89 e5  mov %esp,%ebp
d15e3: 56  push %esi
d15e4: 53  push %ebx
d15e5: 83 ec 10  sub $0x10,%esp
d15e8: 8b 75 0c  mov 0xc(%ebp),%esi
d15eb: 8b 5d 08  mov 0x8(%ebp),%ebx
d15ee: 83 fe 01  cmp $0x1,%esi
d15f1: 0f 84 f1 00 00 00  je d16e8 <set_mode+0x108>
d15f7: 72 47  jb d1640 <set_mode+0x60>
d15f9: 83 fe 02  cmp $0x2,%esi
d15fc: 0f 84 be 02 00 00  je d18c0 <set_mode+0x2e0>
d1602: 83 fe 03  cmp $0x3,%esi
d1605: 0f 84 7d 01 00 00  je d1788 <set_mode+0x1a8>
d160b: 90  nop
d160c: 8d 74 26 00  lea 0x0(%esi),%esi
d1610: 89 35 04 76 0d 00  mov %esi,0xd7604
d1616: 83 fe 03  cmp $0x3,%esi
d1619: 74 19  je d1634 <set_mode+0x54>
d161b: 89 1c 24  mov %ebx,(%esp)
d161e: 8b 04 b5 80 55 0d 00  mov 0xd5580(,%esi,4),%eax
d1625: 89 44 24 08  mov %eax,0x8(%esp)
d1629: 31 c0  xor %eax,%eax
d162b: 89 44 24 04  mov %eax,0x4(%esp)
d162f: e8 5c f2 ff ff  call d0890 <trace>
d1634: 83 c4 10  add $0x10,%esp
d1637: 5b  pop %ebx
d1638: 5e  pop %esi
d1639: 5d  pop %ebp
d163a: c3  ret
d163b: 90  nop
d163c: 8d 74 26 00  lea 0x0(%esi),%esi
d1640: 8b 15 04 76 0d 00  mov 0xd7604,%edx
d1646: 8d 42 ff  lea 0xffffffff(%edx),%eax
d1649: 83 f8 01  cmp $0x1,%eax
d164c: 0f 87 be 00 00 00  ja d1710 <set_mode+0x130>
d1652: 8b 43 30  mov 0x30(%ebx),%eax
d1655: 8b 53 38  mov 0x38(%ebx),%edx
d1658: 25 ff fe ff ff  and $0xfffffeff,%eax
d165d: 0d 02 30 02 00  or $0x23002,%eax
d1662: 85 d2  test %edx,%edx
d1664: 89 43 30  mov %eax,0x30(%ebx)
d1667: 0f 84 88 02 00 00  je d18f5 <set_mode+0x315>
d166d: 81 fa ff ff 0f 00  cmp $0xfffff,%edx
d1673: 0f 87 86 02 00 00  ja d18ff <set_mode+0x31f>
d1679: c7 04 24 00 00 00 00  movl $0x0,(%esp)
d1680: 89 d8  mov %ebx,%eax
d1682: e8 79 f0 ff ff  call d0700 <address>
d1687: c1 e8 04  shr $0x4,%eax
d168a: 89 43 38  mov %eax,0x38(%ebx)
d168d: 8b 53 40  mov 0x40(%ebx),%edx
d1690: 85 d2  test %edx,%edx
d1692: 0f 84 53 02 00 00  je d18eb <set_mode+0x30b>
d1698: 81 fa ff ff 0f 00  cmp $0xfffff,%edx
d169e: 0f 87 8b 02 00 00  ja d192f <set_mode+0x34f>
d16a4: c7 04 24 00 00 00 00  movl $0x0,(%esp)
d16ab: 89 d8  mov %ebx,%eax
d16ad: e8 4e f0 ff ff  call d0700 <address>
d16b2: c1 e8 04  shr $0x4,%eax
d16b5: 89 43 40  mov %eax,0x40(%ebx)
d16b8: 8b 53 3c  mov 0x3c(%ebx),%edx
d16bb: 85 d2  test %edx,%edx
d16bd: 0f 84 1b 02 00 00  je d18de <set_mode+0x2fe>
d16c3: 81 fa ff ff 0f 00  cmp $0xfffff,%edx
d16c9: 0f 87 48 02 00 00  ja d1917 <set_mode+0x337>
d16cf: c7 04 24 00 00 00 00  movl $0x0,(%esp)
d16d6: 89 d8  mov %ebx,%eax
d16d8: e8 23 f0 ff ff  call d0700 <address>
d16dd: c1 e8 04  shr $0x4,%eax
d16e0: 89 43 3c  mov %eax,0x3c(%ebx)
d16e3: e9 28 ff ff ff  jmp d1610 <set_mode+0x30>
d16e8: a1 04 76 0d 00  mov 0xd7604,%eax
d16ed: 85 c0  test %eax,%eax
d16ef: 74 3f  je d1730 <set_mode+0x150>
d16f1: 48  dec %eax
d16f2: 0f 84 18 ff ff ff  je d1610 <set_mode+0x30>
d16f8: c7 04 24 ec 4e 0d 00  movl $0xd4eec,(%esp)
d16ff: e8 7c 22 00 00  call d3980 <panic>
d1704: e9 07 ff ff ff  jmp d1610 <set_mode+0x30>
d1709: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi
d1710: 85 d2  test %edx,%edx
d1712: 0f 84 f8 fe ff ff  je d1610 <set_mode+0x30>
d1718: c7 04 24 1c 4f 0d 00  movl $0xd4f1c,(%esp)
d171f: e8 5c 22 00 00  call d3980 <panic>
d1724: e9 e7 fe ff ff  jmp d1610 <set_mode+0x30>
d1729: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi
d1730: 81 4b 30 00 01 00 00  orl $0x100,0x30(%ebx)
d1737: 31 c9  xor %ecx,%ecx
d1739: 8b 43 40  mov 0x40(%ebx),%eax
d173c: a3 60 76 0d 00  mov %eax,0xd7660
d1741: 8b 43 3c  mov 0x3c(%ebx),%eax
d1744: a3 5c 76 0d 00  mov %eax,0xd765c
d1749: 8b 43 44  mov 0x44(%ebx),%eax
d174c: a3 64 76 0d 00  mov %eax,0xd7664
d1751: 8b 43 48  mov 0x48(%ebx),%eax
d1754: a3 68 76 0d 00  mov %eax,0xd7668
d1759: 8b 43 38  mov 0x38(%ebx),%eax
d175c: 89 0d 18 98 0d 00  mov %ecx,0xd9818
d1762: a3 58 76 0d 00  mov %eax,0xd7658
d1767: 31 c0  xor %eax,%eax
d1769: a3 f8 97 0d 00  mov %eax,0xd97f8
d176e: 31 c0  xor %eax,%eax
d1770: a3 08 98 0d 00  mov %eax,0xd9808
d1775: 31 c0  xor %eax,%eax
d1777: a3 28 98 0d 00  mov %eax,0xd9828
d177c: 31 c0  xor %eax,%eax
d177e: a3 38 98 0d 00  mov %eax,0xd9838
d1783: e9 88 fe ff ff  jmp d1610 <set_mode+0x30>
d1788: 83 3d 04 76 0d 00 01  cmpl $0x1,0xd7604
d178f: 74 0c  je d179d <set_mode+0x1bd>
d1791: c7 04 24 3c 4f 0d 00  movl $0xd4f3c,(%esp)
d1798: e8 e3 21 00 00  call d3980 <panic>
d179d: 0f b6 05 6c 76 0d 00  movzbl 0xd766c,%eax
d17a4: ba f4 97 0d 00  mov $0xd97f4,%edx
d17a9: a2 68 98 0d 00  mov %al,0xd9868
d17ae: 0f b6 05 6d 76 0d 00  movzbl 0xd766d,%eax
d17b5: a2 69 98 0d 00  mov %al,0xd9869
d17ba: 8b 43 28  mov 0x28(%ebx),%eax
d17bd: 81 63 30 ff ce fd ff  andl $0xfffdceff,0x30(%ebx)
d17c4: a3 c0 97 0d 00  mov %eax,0xd97c0
d17c9: 8b 43 34  mov 0x34(%ebx),%eax
d17cc: a3 c4 97 0d 00  mov %eax,0xd97c4
d17d1: 8b 43 30  mov 0x30(%ebx),%eax
d17d4: a3 c8 97 0d 00  mov %eax,0xd97c8
d17d9: 8b 43 2c  mov 0x2c(%ebx),%eax
d17dc: 89 54 24 04  mov %edx,0x4(%esp)
d17e0: ba f0 97 0d 00  mov $0xd97f0,%edx
d17e5: c7 04 24 ec 97 0d 00  movl $0xd97ec,(%esp)
d17ec: e8 8f fb ff ff  call d1380 <load_seg>
d17f1: 85 c0  test %eax,%eax
d17f3: 0f 84 4e 01 00 00  je d1947 <set_mode+0x367>
d17f9: 8b 43 2c  mov 0x2c(%ebx),%eax
d17fc: ba 10 98 0d 00  mov $0xd9810,%edx
d1801: c7 04 24 0c 98 0d 00  movl $0xd980c,(%esp)
d1808: a3 e8 97 0d 00  mov %eax,0xd97e8
d180d: b8 14 98 0d 00  mov $0xd9814,%eax
d1812: 89 44 24 04  mov %eax,0x4(%esp)
d1816: a1 08 98 0d 00  mov 0xd9808,%eax
d181b: e8 70 fd ff ff  call d1590 <load_or_clear_seg>
d1820: c7 04 24 1c 98 0d 00  movl $0xd981c,(%esp)
d1827: b8 24 98 0d 00  mov $0xd9824,%eax
d182c: ba 20 98 0d 00  mov $0xd9820,%edx
d1831: 89 44 24 04  mov %eax,0x4(%esp)
d1835: a1 18 98 0d 00  mov 0xd9818,%eax
d183a: e8 51 fd ff ff  call d1590 <load_or_clear_seg>
d183f: c7 04 24 fc 97 0d 00  movl $0xd97fc,(%esp)
d1846: b8 04 98 0d 00  mov $0xd9804,%eax
d184b: ba 00 98 0d 00  mov $0xd9800,%edx
d1850: 89 44 24 04  mov %eax,0x4(%esp)
d1854: a1 f8 97 0d 00  mov 0xd97f8,%eax
d1859: e8 32 fd ff ff  call d1590 <load_or_clear_seg>
d185e: c7 04 24 2c 98 0d 00  movl $0xd982c,(%esp)
d1865: b8 34 98 0d 00  mov $0xd9834,%eax
d186a: ba 30 98 0d 00  mov $0xd9830,%edx
d186f: 89 44 24 04  mov %eax,0x4(%esp)
d1873: a1 28 98 0d 00  mov 0xd9828,%eax
d1878: e8 13 fd ff ff  call d1590 <load_or_clear_seg>
d187d: c7 04 24 3c 98 0d 00  movl $0xd983c,(%esp)
d1884: b8 44 98 0d 00  mov $0xd9844,%eax
d1889: ba 40 98 0d 00  mov $0xd9840,%edx
d188e: 89 44 24 04  mov %eax,0x4(%esp)
d1892: a1 38 98 0d 00  mov 0xd9838,%eax
d1897: e8 f4 fc ff ff  call d1590 <load_or_clear_seg>
d189c: c7 43 38 18 00 00 00  movl $0x18,0x38(%ebx)
d18a3: c7 43 34 00 76 0d 00  movl $0xd7600,0x34(%ebx)
d18aa: c7 43 2c 10 00 00 00  movl $0x10,0x2c(%ebx)
d18b1: c7 43 28 e0 03 0d 00  movl $0xd03e0,0x28(%ebx)
d18b8: e9 53 fd ff ff  jmp d1610 <set_mode+0x30>
d18bd: 8d 76 00  lea 0x0(%esi),%esi
d18c0: 83 3d 04 76 0d 00 03  cmpl $0x3,0xd7604
d18c7: 0f 84 43 fd ff ff  je d1610 <set_mode+0x30>
d18cd: c7 04 24 64 4f 0d 00  movl $0xd4f64,(%esp)
d18d4: e8 a7 20 00 00  call d3980 <panic>
d18d9: e9 32 fd ff ff  jmp d1610 <set_mode+0x30>
d18de: a1 5c 76 0d 00  mov 0xd765c,%eax
d18e3: 89 43 3c  mov %eax,0x3c(%ebx)
d18e6: e9 25 fd ff ff  jmp d1610 <set_mode+0x30>
d18eb: a1 60 76 0d 00  mov 0xd7660,%eax
d18f0: e9 c0 fd ff ff  jmp d16b5 <set_mode+0xd5>
d18f5: a1 58 76 0d 00  mov 0xd7658,%eax
d18fa: e9 8b fd ff ff  jmp d168a <set_mode+0xaa>
d18ff: 89 54 24 04  mov %edx,0x4(%esp)
d1903: c7 04 24 d9 4b 0d 00  movl $0xd4bd9,(%esp)
d190a: e8 71 20 00 00  call d3980 <panic>
d190f: 8b 53 38  mov 0x38(%ebx),%edx
d1912: e9 62 fd ff ff  jmp d1679 <set_mode+0x99>
d1917: 89 54 24 04  mov %edx,0x4(%esp)
d191b: c7 04 24 f4 4b 0d 00  movl $0xd4bf4,(%esp)
d1922: e8 59 20 00 00  call d3980 <panic>
d1927: 8b 53 3c  mov 0x3c(%ebx),%edx
d192a: e9 a0 fd ff ff  jmp d16cf <set_mode+0xef>
d192f: 89 54 24 04  mov %edx,0x4(%esp)
d1933: c7 04 24 0f 4c 0d 00  movl $0xd4c0f,(%esp)
d193a: e8 41 20 00 00  call d3980 <panic>
d193f: 8b 53 40  mov 0x40(%ebx),%edx
d1942: e9 5d fd ff ff  jmp d16a4 <set_mode+0xc4>
d1947: 8b 43 2c  mov 0x2c(%ebx),%eax
d194a: c7 04 24 94 4f 0d 00  movl $0xd4f94,(%esp)
d1951: 89 44 24 04  mov %eax,0x4(%esp)
d1955: e8 26 20 00 00  call d3980 <panic>
d195a: e9 9a fe ff ff  jmp d17f9 <set_mode+0x219>
d195f: 90  nop

000d1960 <interrupt>:
d1960: 55  push %ebp
d1961: 89 e5  mov %esp,%ebp
d1963: 57  push %edi
d1964: 89 d7  mov %edx,%edi
d1966: 56  push %esi
d1967: 53  push %ebx
d1968: 83 ec 1c  sub $0x1c,%esp
d196b: 89 c3  mov %eax,%ebx
d196d: 89 54 24 0c  mov %edx,0xc(%esp)
d1971: b8 2a 4c 0d 00  mov $0xd4c2a,%eax
d1976: 89 44 24 08  mov %eax,0x8(%esp)
d197a: 31 c0  xor %eax,%eax
d197c: 89 44 24 04  mov %eax,0x4(%esp)
d1980: 89 1c 24  mov %ebx,(%esp)
d1983: e8 08 ef ff ff  call d0890 <trace>
d1988: 8b 43 34  mov 0x34(%ebx),%eax
d198b: 8b 53 38  mov 0x38(%ebx),%edx
d198e: 8b 73 30  mov 0x30(%ebx),%esi
d1991: 83 e8 02  sub $0x2,%eax
d1994: 89 43 34  mov %eax,0x34(%ebx)
d1997: 25 ff ff 00 00  and $0xffff,%eax
d199c: 89 04 24  mov %eax,(%esp)
d199f: 89 d8  mov %ebx,%eax
d19a1: e8 5a ed ff ff  call d0700 <address>
d19a6: 66 89 30  mov %si,(%eax)
d19a9: 8b 43 34  mov 0x34(%ebx),%eax
d19ac: 8b 53 38  mov 0x38(%ebx),%edx
d19af: 8b 73 2c  mov 0x2c(%ebx),%esi
d19b2: 83 e8 02  sub $0x2,%eax
d19b5: 89 43 34  mov %eax,0x34(%ebx)
d19b8: 25 ff ff 00 00  and $0xffff,%eax
d19bd: 89 04 24  mov %eax,(%esp)
d19c0: 89 d8  mov %ebx,%eax
d19c2: e8 39 ed ff ff  call d0700 <address>
d19c7: 66 89 30  mov %si,(%eax)
d19ca: 8b 43 34  mov 0x34(%ebx),%eax
d19cd: 8b 53 38  mov 0x38(%ebx),%edx
d19d0: 8b 73 28  mov 0x28(%ebx),%esi
d19d3: 83 e8 02  sub $0x2,%eax
d19d6: 89 43 34  mov %eax,0x34(%ebx)
d19d9: 25 ff ff 00 00  and $0xffff,%eax
d19de: 89 04 24  mov %eax,(%esp)
d19e1: 89 d8  mov %ebx,%eax
d19e3: e8 18 ed ff ff  call d0700 <address>
d19e8: 66 89 30  mov %si,(%eax)
d19eb: 31 d2  xor %edx,%edx
d19ed: 8d 34 bd 00 00 00 00  lea 0x0(,%edi,4),%esi
d19f4: 81 63 30 ff fd ff ff  andl $0xfffffdff,0x30(%ebx)
d19fb: 89 d8  mov %ebx,%eax
d19fd: 89 34 24  mov %esi,(%esp)
d1a00: e8 fb ec ff ff  call d0700 <address>
d1a05: 0f b7 00  movzwl (%eax),%eax
d1a08: 31 d2  xor %edx,%edx
d1a0a: 89 43 28  mov %eax,0x28(%ebx)
d1a0d: 8d 46 02  lea 0x2(%esi),%eax
d1a10: 89 04 24  mov %eax,(%esp)
d1a13: 89 d8  mov %ebx,%eax
d1a15: e8 e6 ec ff ff  call d0700 <address>
d1a1a: 0f b7 00  movzwl (%eax),%eax
d1a1d: 89 43 2c  mov %eax,0x2c(%ebx)
d1a20: 83 c4 1c  add $0x1c,%esp
d1a23: 5b  pop %ebx
d1a24: 5e  pop %esi
d1a25: 5f  pop %edi
d1a26: 5d  pop %ebp
d1a27: c3  ret
d1a28: 90  nop
d1a29: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi

000d1a30 <outbyte>:
d1a30: 55  push %ebp
d1a31: 89 e5  mov %esp,%ebp
d1a33: 83 ec 18  sub $0x18,%esp
d1a36: 89 5d f8  mov %ebx,0xfffffff8(%ebp)
d1a39: 89 c3  mov %eax,%ebx
d1a3b: 8b 45 08  mov 0x8(%ebp),%eax
d1a3e: 89 75 fc  mov %esi,0xfffffffc(%ebp)
d1a41: 3d e6 00 00 00  cmp $0xe6,%eax
d1a46: 74 6f  je d1ab7 <outbyte+0x87>
d1a48: 3d ee 00 00 00  cmp $0xee,%eax
d1a4d: 74 11  je d1a60 <outbyte+0x30>
d1a4f: 8b 5d f8  mov 0xfffffff8(%ebp),%ebx
d1a52: 31 c0  xor %eax,%eax
d1a54: 8b 75 fc  mov 0xfffffffc(%ebp),%esi
d1a57: 89 ec  mov %ebp,%esp
d1a59: 5d  pop %ebp
d1a5a: c3  ret
d1a5b: 90  nop
d1a5c: 8d 74 26 00  lea 0x0(%esi),%esi
d1a60: 0f b7 73 14  movzwl 0x14(%ebx),%esi
d1a64: 0f b6 5b 1c  movzbl 0x1c(%ebx),%ebx
d1a68: 83 fe 21  cmp $0x21,%esi
d1a6b: 74 6a  je d1ad7 <outbyte+0xa7>
d1a6d: 7e 35  jle d1aa4 <outbyte+0x74>
d1a6f: 81 fe a0 00 00 00  cmp $0xa0,%esi
d1a75: 0f 84 92 00 00 00  je d1b0d <outbyte+0xdd>
d1a7b: 81 fe a1 00 00 00  cmp $0xa1,%esi
d1a81: 0f 84 9b 00 00 00  je d1b22 <outbyte+0xf2>
d1a87: 89 f6  mov %esi,%esi
d1a89: 8d bc 27 00 00 00 00  lea 0x0(%edi),%edi
d1a90: 89 f2  mov %esi,%edx
d1a92: 88 d8  mov %bl,%al
d1a94: ee  out %al,(%dx)
d1a95: 8b 5d f8  mov 0xfffffff8(%ebp),%ebx
d1a98: b8 01 00 00 00  mov $0x1,%eax
d1a9d: 8b 75 fc  mov 0xfffffffc(%ebp),%esi
d1aa0: 89 ec  mov %ebp,%esp
d1aa2: 5d  pop %ebp
d1aa3: c3  ret
d1aa4: 83 fe 20  cmp $0x20,%esi
d1aa7: 75 e7  jne d1a90 <outbyte+0x60>
d1aa9: f6 c3 10  test $0x10,%bl
d1aac: 74 e2  je d1a90 <outbyte+0x60>
d1aae: c6 05 0c 76 0d 00 01  movb $0x1,0xd760c
d1ab5: eb d9  jmp d1a90 <outbyte+0x60>
d1ab7: 0f b7 43 28  movzwl 0x28(%ebx),%eax
d1abb: 8b 53 2c  mov 0x2c(%ebx),%edx
d1abe: 89 04 24  mov %eax,(%esp)
d1ac1: 89 d8  mov %ebx,%eax
d1ac3: e8 38 ec ff ff  call d0700 <address>
d1ac8: ff 43 28  incl 0x28(%ebx)
d1acb: 0f b6 5b 1c  movzbl 0x1c(%ebx),%ebx
d1acf: 0f b6 30  movzbl (%eax),%esi
d1ad2: 83 fe 21  cmp $0x21,%esi
d1ad5: 75 96  jne d1a6d <outbyte+0x3d>
d1ad7: 80 3d 0c 76 0d 00 00  cmpb $0x0,0xd760c
d1ade: 74 b0  je d1a90 <outbyte+0x60>
d1ae0: c6 05 0c 76 0d 00 00  movb $0x0,0xd760c
d1ae7: b9 20 00 00 00  mov $0x20,%ecx
d1aec: 89 5c 24 04  mov %ebx,0x4(%esp)
d1af0: 89 4c 24 08  mov %ecx,0x8(%esp)
d1af4: c7 04 24 bc 4f 0d 00  movl $0xd4fbc,(%esp)
d1afb: e8 d0 1e 00 00  call d39d0 <printf>
d1b00: 88 1d 6c 76 0d 00  mov %bl,0xd766c
d1b06: bb 20 00 00 00  mov $0x20,%ebx
d1b0b: eb 83  jmp d1a90 <outbyte+0x60>
d1b0d: f6 c3 10  test $0x10,%bl
d1b10: 0f 84 7a ff ff ff  je d1a90 <outbyte+0x60>
d1b16: c6 05 0d 76 0d 00 01  movb $0x1,0xd760d
d1b1d: e9 6e ff ff ff  jmp d1a90 <outbyte+0x60>
d1b22: 80 3d 0d 76 0d 00 00  cmpb $0x0,0xd760d
d1b29: 0f 84 61 ff ff ff  je d1a90 <outbyte+0x60>
d1b2f: c6 05 0d 76 0d 00 00  movb $0x0,0xd760d
d1b36: ba 28 00 00 00  mov $0x28,%edx
d1b3b: 89 5c 24 04  mov %ebx,0x4(%esp)
d1b3f: 89 54 24 08  mov %edx,0x8(%esp)
d1b43: c7 04 24 e4 4f 0d 00  movl $0xd4fe4,(%esp)
d1b4a: e8 81 1e 00 00  call d39d0 <printf>
d1b4f: 88 1d 6d 76 0d 00  mov %bl,0xd766d
d1b55: bb 28 00 00 00  mov $0x28,%ebx
d1b5a: e9 31 ff ff ff  jmp d1a90 <outbyte+0x60>
d1b5f: 90  nop

000d1b60 <inbyte>:
d1b60: 55  push %ebp
d1b61: 89 e5  mov %esp,%ebp
d1b63: 53  push %ebx
d1b64: 83 ec 04  sub $0x4,%esp
d1b67: 89 c3  mov %eax,%ebx
d1b69: 8b 45 08  mov 0x8(%ebp),%eax
d1b6c: 3d e4 00 00 00  cmp $0xe4,%eax
d1b71: 74 2d  je d1ba0 <inbyte+0x40>
d1b73: 3d ec 00 00 00  cmp $0xec,%eax
d1b78: 74 06  je d1b80 <inbyte+0x20>
d1b7a: 5b  pop %ebx
d1b7b: 31 c0  xor %eax,%eax
d1b7d: 5b  pop %ebx
d1b7e: 5d  pop %ebp
d1b7f: c3  ret
d1b80: 0f b7 53 14  movzwl 0x14(%ebx),%edx
d1b84: 8b 4b 1c  mov 0x1c(%ebx),%ecx
d1b87: 81 e1 00 ff ff ff  and $0xffffff00,%ecx
d1b8d: ec  in (%dx),%al
d1b8e: 0f b6 d0  movzbl %al,%edx
d1b91: 09 d1  or %edx,%ecx
d1b93: b8 01 00 00 00  mov $0x1,%eax
d1b98: 89 4b 1c  mov %ecx,0x1c(%ebx)
d1b9b: 5b  pop %ebx
d1b9c: 5b  pop %ebx
d1b9d: 5d  pop %ebp
d1b9e: c3  ret
d1b9f: 90  nop
d1ba0: 0f b7 43 28  movzwl 0x28(%ebx),%eax
d1ba4: 8b 53 2c  mov 0x2c(%ebx),%edx
d1ba7: 89 04 24  mov %eax,(%esp)
d1baa: 89 d8  mov %ebx,%eax
d1bac: e8 4f eb ff ff  call d0700 <address>
d1bb1: ff 43 28  incl 0x28(%ebx)
d1bb4: 0f b6 10  movzbl (%eax),%edx
d1bb7: eb cb  jmp d1b84 <inbyte+0x24>
d1bb9: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi

000d1bc0 <emulate>:
d1bc0: 55  push %ebp
d1bc1: 89 e5  mov %esp,%ebp
d1bc3: 57  push %edi
d1bc4: 56  push %esi
d1bc5: 53  push %ebx
d1bc6: 83 ec 6c  sub $0x6c,%esp
d1bc9: 8b 7d 08  mov 0x8(%ebp),%edi
d1bcc: c7 45 f0 00 00 00 00  movl $0x0,0xfffffff0(%ebp)
d1bd3: 8b 77 28  mov 0x28(%edi),%esi
d1bd6: 89 75 ec  mov %esi,0xffffffec(%ebp)
d1bd9: 83 3d 04 76 0d 00 02  cmpl $0x2,0xd7604
d1be0: c7 45 e0 00 00 00 00  movl $0x0,0xffffffe0(%ebp)
d1be7: 74 74  je d1c5d <emulate+0x9d>
d1be9: 8d b4 26 00 00 00 00  lea 0x0(%esi),%esi
d1bf0: 8b 57 2c  mov 0x2c(%edi),%edx
d1bf3: 89 f0  mov %esi,%eax
d1bf5: 25 ff ff 00 00  and $0xffff,%eax
d1bfa: 89 04 24  mov %eax,(%esp)
d1bfd: 89 f8  mov %edi,%eax
d1bff: e8 fc ea ff ff  call d0700 <address>
d1c04: 8b 5f 28  mov 0x28(%edi),%ebx
d1c07: 43  inc %ebx
d1c08: 89 5f 28  mov %ebx,0x28(%edi)
d1c0b: 0f b6 30  movzbl (%eax),%esi
d1c0e: 89 f0  mov %esi,%eax
d1c10: 83 e8 07  sub $0x7,%eax
d1c13: 89 75 e8  mov %esi,0xffffffe8(%ebp)
d1c16: 3d f8 00 00 00  cmp $0xf8,%eax
d1c1b: 0f 87 a1 00 00 00  ja d1cc2 <emulate+0x102>
d1c21: ff 24 85 64 45 0d 00  jmp *0xd4564(,%eax,4)
d1c28: 89 34 24  mov %esi,(%esp)
d1c2b: 8b 55 e0  mov 0xffffffe0(%ebp),%edx
d1c2e: 89 f8  mov %edi,%eax
d1c30: e8 fb fd ff ff  call d1a30 <outbyte>
d1c35: 8d 74 26 00  lea 0x0(%esi),%esi
d1c39: 8d bc 27 00 00 00 00  lea 0x0(%edi),%edi
d1c40: 85 c0  test %eax,%eax
d1c42: 74 7e  je d1cc2 <emulate+0x102>
d1c44: 8b 77 28  mov 0x28(%edi),%esi
d1c47: ff 45 f0  incl 0xfffffff0(%ebp)
d1c4a: 83 3d 04 76 0d 00 02  cmpl $0x2,0xd7604
d1c51: 89 75 ec  mov %esi,0xffffffec(%ebp)
d1c54: c7 45 e0 00 00 00 00  movl $0x0,0xffffffe0(%ebp)
d1c5b: 75 93  jne d1bf0 <emulate+0x30>
d1c5d: f6 05 f5 97 0d 00 40  testb $0x40,0xd97f5
d1c64: 74 8a  je d1bf0 <emulate+0x30>
d1c66: c7 45 e0 03 00 00 00  movl $0x3,0xffffffe0(%ebp)
d1c6d: eb 81  jmp d1bf0 <emulate+0x30>
d1c6f: 89 34 24  mov %esi,(%esp)
d1c72: 8b 55 e0  mov 0xffffffe0(%ebp),%edx
d1c75: 89 f8  mov %edi,%eax
d1c77: e8 e4 fe ff ff  call d1b60 <inbyte>
d1c7c: eb c2  jmp d1c40 <emulate+0x80>
d1c7e: 83 3d 04 76 0d 00 02  cmpl $0x2,0xd7604
d1c85: 74 3b  je d1cc2 <emulate+0x102>
d1c87: f6 45 e0 02  testb $0x2,0xffffffe0(%ebp)
d1c8b: 74 35  je d1cc2 <emulate+0x102>
d1c8d: 89 34 24  mov %esi,(%esp)
d1c90: 8b 55 e0  mov 0xffffffe0(%ebp),%edx
d1c93: 89 f8  mov %edi,%eax
d1c95: e8 86 f2 ff ff  call d0f20 <movr>
d1c9a: eb a4  jmp d1c40 <emulate+0x80>
d1c9c: 89 74 24 0c  mov %esi,0xc(%esp)
d1ca0: bb 58 45 0d 00  mov $0xd4558,%ebx
d1ca5: be 76 03 00 00  mov $0x376,%esi
d1caa: 89 54 24 10  mov %edx,0x10(%esp)
d1cae: 89 74 24 08  mov %esi,0x8(%esp)
d1cb2: 89 5c 24 04  mov %ebx,0x4(%esp)
d1cb6: c7 04 24 08 50 0d 00  movl $0xd5008,(%esp)
d1cbd: e8 0e 1d 00 00  call d39d0 <printf>
d1cc2: 8b 55 ec  mov 0xffffffec(%ebp),%edx
d1cc5: b8 40 4c 0d 00  mov $0xd4c40,%eax
d1cca: 89 57 28  mov %edx,0x28(%edi)
d1ccd: 8b 4d e8  mov 0xffffffe8(%ebp),%ecx
d1cd0: 89 44 24 08  mov %eax,0x8(%esp)
d1cd4: 31 c0  xor %eax,%eax
d1cd6: 89 4c 24 0c  mov %ecx,0xc(%esp)
d1cda: 89 44 24 04  mov %eax,0x4(%esp)
d1cde: 89 3c 24  mov %edi,(%esp)
d1ce1: e8 aa eb ff ff  call d0890 <trace>
d1ce6: 8b 45 f0  mov 0xfffffff0(%ebp),%eax
d1ce9: 8b 77 28  mov 0x28(%edi),%esi
d1cec: 85 c0  test %eax,%eax
d1cee: 75 0c  jne d1cfc <emulate+0x13c>
d1cf0: 3b 35 08 76 0d 00  cmp 0xd7608,%esi
d1cf6: 0f 84 5c 0c 00 00  je d2958 <emulate+0xd98>
d1cfc: 89 35 08 76 0d 00  mov %esi,0xd7608
d1d02: 83 c4 6c  add $0x6c,%esp
d1d05: 5b  pop %ebx
d1d06: 5e  pop %esi
d1d07: 5f  pop %edi
d1d08: 5d  pop %ebp
d1d09: c3  ret
d1d0a: a1 04 76 0d 00  mov 0xd7604,%eax
d1d0f: 48  dec %eax
d1d10: 83 f8 01  cmp $0x1,%eax
d1d13: 77 ad  ja d1cc2 <emulate+0x102>
d1d15: f6 45 e0 01  testb $0x1,0xffffffe0(%ebp)
d1d19: 0f 84 d9 0b 00 00  je d28f8 <emulate+0xd38>
d1d1f: 0f b7 47 34  movzwl 0x34(%edi),%eax
d1d23: 8b 57 38  mov 0x38(%edi),%edx
d1d26: 89 04 24  mov %eax,(%esp)
d1d29: 89 f8  mov %edi,%eax
d1d2b: e8 d0 e9 ff ff  call d0700 <address>
d1d30: 8b 10  mov (%eax),%edx
d1d32: 8b 47 34  mov 0x34(%edi),%eax
d1d35: 89 d6  mov %edx,%esi
d1d37: 83 c0 04  add $0x4,%eax
d1d3a: 8b 57 38  mov 0x38(%edi),%edx
d1d3d: 89 47 34  mov %eax,0x34(%edi)
d1d40: 25 ff ff 00 00  and $0xffff,%eax
d1d45: 89 04 24  mov %eax,(%esp)
d1d48: 89 f8  mov %edi,%eax
d1d4a: e8 b1 e9 ff ff  call d0700 <address>
d1d4f: 8b 00  mov (%eax),%eax
d1d51: 83
47 34 04 addl $0x4,0x34(%edi) d1d55: 0f b7 d8 movzwl %ax,%ebx d1d58: 89 74 24 10 mov %esi,0x10(%esp) d1d5c: b8 49 4c 0d 00 mov $0xd4c49,%eax d1d61: b9 01 00 00 00 mov $0x1,%ecx d1d66: 89 44 24 08 mov %eax,0x8(%esp) d1d6a: 89 5c 24 0c mov %ebx,0xc(%esp) d1d6e: 89 4c 24 04 mov %ecx,0x4(%esp) d1d72: 89 3c 24 mov %edi,(%esp) d1d75: e8 16 eb ff ff call d0890 <trace> d1d7a: 89 5f 2c mov %ebx,0x2c(%edi) d1d7d: 89 77 28 mov %esi,0x28(%edi) d1d80: a1 04 76 0d 00 mov 0xd7604,%eax d1d85: 83 f8 01 cmp $0x1,%eax d1d88: 0f 84 5a 0f 00 00 je d2ce8 <emulate+0x1128> d1d8e: 83 f8 02 cmp $0x2,%eax d1d91: 0f 84 3e 0f 00 00 je d2cd5 <emulate+0x1115> d1d97: c7 04 24 5d 4c 0d 00 movl $0xd4c5d,(%esp) d1d9e: e8 dd 1b 00 00 call d3980 <panic> d1da3: e9 3e ff ff ff jmp d1ce6 <emulate+0x126> d1da8: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d1dac: 0f 84 5e 09 00 00 je d2710 <emulate+0xb50> d1db2: 0f b7 47 34 movzwl 0x34(%edi),%eax d1db6: 8b 57 38 mov 0x38(%edi),%edx d1db9: 89 04 24 mov %eax,(%esp) d1dbc: 89 f8 mov %edi,%eax d1dbe: e8 3d e9 ff ff call d0700 <address> d1dc3: 8b 00 mov (%eax),%eax d1dc5: 83 47 34 04 addl $0x4,0x34(%edi) d1dc9: 89 47 3c mov %eax,0x3c(%edi) d1dcc: b9 62 4c 0d 00 mov $0xd4c62,%ecx d1dd1: 8b 55 ec mov 0xffffffec(%ebp),%edx d1dd4: 89 4c 24 08 mov %ecx,0x8(%esp) d1dd8: 8b 47 28 mov 0x28(%edi),%eax d1ddb: 89 3c 24 mov %edi,(%esp) d1dde: 29 d0 sub %edx,%eax d1de0: 89 44 24 04 mov %eax,0x4(%esp) d1de4: e8 a7 ea ff ff call d0890 <trace> d1de9: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604 d1df0: 0f 85 4e fe ff ff jne d1c44 <emulate+0x84> d1df6: 31 c0 xor %eax,%eax d1df8: a3 5c 76 0d 00 mov %eax,0xd765c d1dfd: 8b 47 3c mov 0x3c(%edi),%eax d1e00: a3 08 98 0d 00 mov %eax,0xd9808 d1e05: 8b 77 28 mov 0x28(%edi),%esi d1e08: e9 3a fe ff ff jmp d1c47 <emulate+0x87> d1e0d: 8b 57 2c mov 0x2c(%edi),%edx d1e10: 0f b7 c3 movzwl %bx,%eax d1e13: 89 04 24 mov %eax,(%esp) d1e16: 89 f8 mov %edi,%eax d1e18: e8 e3 e8 ff ff call d0700 <address> d1e1d: 8b 57 28 mov 0x28(%edi),%edx d1e20: 42 inc %edx 
d1e21: 89 55 ac mov %edx,0xffffffac(%ebp) d1e24: 89 57 28 mov %edx,0x28(%edi) d1e27: 0f b6 10 movzbl (%eax),%edx d1e2a: 89 d0 mov %edx,%eax d1e2c: c1 e8 03 shr $0x3,%eax d1e2f: 83 e0 07 and $0x7,%eax d1e32: 83 f8 05 cmp $0x5,%eax d1e35: 0f 84 94 0f 00 00 je d2dcf <emulate+0x120f> d1e3b: 83 f8 06 cmp $0x6,%eax d1e3e: 0f 85 7e fe ff ff jne d1cc2 <emulate+0x102> d1e44: 89 14 24 mov %edx,(%esp) d1e47: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d1e4a: 89 fa mov %edi,%edx d1e4c: e8 9f ed ff ff call d0bf0 <operand> d1e51: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d1e55: 89 c3 mov %eax,%ebx d1e57: 0f 85 11 0a 00 00 jne d286e <emulate+0xcae> d1e5d: 0f b7 30 movzwl (%eax),%esi d1e60: 8b 47 34 mov 0x34(%edi),%eax d1e63: 8b 57 38 mov 0x38(%edi),%edx d1e66: 83 e8 02 sub $0x2,%eax d1e69: 89 47 34 mov %eax,0x34(%edi) d1e6c: 25 ff ff 00 00 and $0xffff,%eax d1e71: 89 04 24 mov %eax,(%esp) d1e74: 89 f8 mov %edi,%eax d1e76: e8 85 e8 ff ff call d0700 <address> d1e7b: 66 89 30 mov %si,(%eax) d1e7e: 89 5c 24 0c mov %ebx,0xc(%esp) d1e82: b9 6b 4c 0d 00 mov $0xd4c6b,%ecx d1e87: 8b 55 ac mov 0xffffffac(%ebp),%edx d1e8a: 89 4c 24 08 mov %ecx,0x8(%esp) d1e8e: 8b 47 28 mov 0x28(%edi),%eax d1e91: 29 d0 sub %edx,%eax d1e93: 40 inc %eax d1e94: e9 7a 05 00 00 jmp d2413 <emulate+0x853> d1e99: 89 3c 24 mov %edi,(%esp) d1e9c: b8 76 4c 0d 00 mov $0xd4c76,%eax d1ea1: 89 44 24 08 mov %eax,0x8(%esp) d1ea5: 8b 45 ec mov 0xffffffec(%ebp),%eax d1ea8: 29 c3 sub %eax,%ebx d1eaa: 89 5c 24 04 mov %ebx,0x4(%esp) d1eae: e8 dd e9 ff ff call d0890 <trace> d1eb3: 81 4f 30 00 02 00 00 orl $0x200,0x30(%edi) d1eba: 8b 77 28 mov 0x28(%edi),%esi d1ebd: e9 85 fd ff ff jmp d1c47 <emulate+0x87> d1ec2: 89 3c 24 mov %edi,(%esp) d1ec5: 8b 45 ec mov 0xffffffec(%ebp),%eax d1ec8: ba 7a 4c 0d 00 mov $0xd4c7a,%edx d1ecd: 89 54 24 08 mov %edx,0x8(%esp) d1ed1: 29 c3 sub %eax,%ebx d1ed3: 89 5c 24 04 mov %ebx,0x4(%esp) d1ed7: e8 b4 e9 ff ff call d0890 <trace> d1edc: 81 67 30 ff fd ff ff andl $0xfffffdff,0x30(%edi) d1ee3: 8b 77 28 mov 
0x28(%edi),%esi d1ee6: e9 5c fd ff ff jmp d1c47 <emulate+0x87> d1eeb: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp) d1eef: 0f 84 cd fd ff ff je d1cc2 <emulate+0x102> d1ef5: 8d 43 ff lea 0xffffffff(%ebx),%eax d1ef8: 89 45 a4 mov %eax,0xffffffa4(%ebp) d1efb: 8b 57 2c mov 0x2c(%edi),%edx d1efe: 0f b7 c3 movzwl %bx,%eax d1f01: 89 04 24 mov %eax,(%esp) d1f04: 89 f8 mov %edi,%eax d1f06: e8 f5 e7 ff ff call d0700 <address> d1f0b: ff 47 28 incl 0x28(%edi) d1f0e: 89 fa mov %edi,%edx d1f10: 0f b6 18 movzbl (%eax),%ebx d1f13: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d1f16: 89 1c 24 mov %ebx,(%esp) d1f19: e8 d2 ec ff ff call d0bf0 <operand> d1f1e: 89 45 a0 mov %eax,0xffffffa0(%ebp) d1f21: 89 d8 mov %ebx,%eax d1f23: 25 c0 00 00 00 and $0xc0,%eax d1f28: 3d c0 00 00 00 cmp $0xc0,%eax d1f2d: 0f 84 8f fd ff ff je d1cc2 <emulate+0x102> d1f33: 81 fe f6 00 00 00 cmp $0xf6,%esi d1f39: 0f 85 05 fd ff ff jne d1c44 <emulate+0x84> d1f3f: f6 c3 38 test $0x38,%bl d1f42: 0f 85 7a fd ff ff jne d1cc2 <emulate+0x102> d1f48: 0f b7 47 28 movzwl 0x28(%edi),%eax d1f4c: 8b 57 2c mov 0x2c(%edi),%edx d1f4f: 89 04 24 mov %eax,(%esp) d1f52: 89 f8 mov %edi,%eax d1f54: e8 a7 e7 ff ff call d0700 <address> d1f59: 8b 4f 28 mov 0x28(%edi),%ecx d1f5c: 41 inc %ecx d1f5d: 89 4f 28 mov %ecx,0x28(%edi) d1f60: 8b 5d a0 mov 0xffffffa0(%ebp),%ebx d1f63: 0f b6 10 movzbl (%eax),%edx d1f66: 0f b6 03 movzbl (%ebx),%eax d1f69: 21 d0 and %edx,%eax d1f6b: 0f 84 03 0c 00 00 je d2b74 <emulate+0xfb4> d1f71: 83 67 30 bf andl $0xffffffbf,0x30(%edi) d1f75: 89 44 24 14 mov %eax,0x14(%esp) d1f79: 8b 5d a4 mov 0xffffffa4(%ebp),%ebx d1f7c: be 7e 4c 0d 00 mov $0xd4c7e,%esi d1f81: 89 54 24 0c mov %edx,0xc(%esp) d1f85: 8b 45 a0 mov 0xffffffa0(%ebp),%eax d1f88: 89 74 24 08 mov %esi,0x8(%esp) d1f8c: 29 d9 sub %ebx,%ecx d1f8e: 89 44 24 10 mov %eax,0x10(%esp) d1f92: 89 4c 24 04 mov %ecx,0x4(%esp) d1f96: 89 3c 24 mov %edi,(%esp) d1f99: e8 f2 e8 ff ff call d0890 <trace> d1f9e: 8b 77 28 mov 0x28(%edi),%esi d1fa1: e9 a1 fc ff ff jmp d1c47 <emulate+0x87> 
d1fa6: 89 3c 24 mov %edi,(%esp) d1fa9: b8 98 4c 0d 00 mov $0xd4c98,%eax d1fae: 89 44 24 08 mov %eax,0x8(%esp) d1fb2: 8b 45 ec mov 0xffffffec(%ebp),%eax d1fb5: 29 c3 sub %eax,%ebx d1fb7: 89 5c 24 04 mov %ebx,0x4(%esp) d1fbb: e8 d0 e8 ff ff call d0890 <trace> d1fc0: 8b 77 28 mov 0x28(%edi),%esi d1fc3: e9 28 fc ff ff jmp d1bf0 <emulate+0x30> d1fc8: 89 3c 24 mov %edi,(%esp) d1fcb: 8b 55 ec mov 0xffffffec(%ebp),%edx d1fce: b9 9d 4c 0d 00 mov $0xd4c9d,%ecx d1fd3: 89 4c 24 08 mov %ecx,0x8(%esp) d1fd7: 29 d3 sub %edx,%ebx d1fd9: 89 5c 24 04 mov %ebx,0x4(%esp) d1fdd: e8 ae e8 ff ff call d0890 <trace> d1fe2: 83 4d e0 40 orl $0x40,0xffffffe0(%ebp) d1fe6: 8b 77 28 mov 0x28(%edi),%esi d1fe9: e9 02 fc ff ff jmp d1bf0 <emulate+0x30> d1fee: 89 3c 24 mov %edi,(%esp) d1ff1: 8b 75 ec mov 0xffffffec(%ebp),%esi d1ff4: b8 a3 4c 0d 00 mov $0xd4ca3,%eax d1ff9: 89 44 24 08 mov %eax,0x8(%esp) d1ffd: 29 f3 sub %esi,%ebx d1fff: 89 5c 24 04 mov %ebx,0x4(%esp) d2003: e8 88 e8 ff ff call d0890 <trace> d2008: 83 4d e0 08 orl $0x8,0xffffffe0(%ebp) d200c: 8b 77 28 mov 0x28(%edi),%esi d200f: e9 dc fb ff ff jmp d1bf0 <emulate+0x30> d2014: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604 d201b: 0f 84 a1 fc ff ff je d1cc2 <emulate+0x102> d2021: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp) d2025: 0f 84 97 fc ff ff je d1cc2 <emulate+0x102> d202b: 8d 43 ff lea 0xffffffff(%ebx),%eax d202e: 89 45 cc mov %eax,0xffffffcc(%ebp) d2031: 8b 57 2c mov 0x2c(%edi),%edx d2034: 0f b7 c3 movzwl %bx,%eax d2037: 89 04 24 mov %eax,(%esp) d203a: 89 f8 mov %edi,%eax d203c: e8 bf e6 ff ff call d0700 <address> d2041: ff 47 28 incl 0x28(%edi) d2044: 89 fa mov %edi,%edx d2046: 0f b6 00 movzbl (%eax),%eax d2049: 89 45 c8 mov %eax,0xffffffc8(%ebp) d204c: 89 04 24 mov %eax,(%esp) d204f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d2052: e8 99 eb ff ff call d0bf0 <operand> d2057: 89 45 c4 mov %eax,0xffffffc4(%ebp) d205a: 8b 55 c8 mov 0xffffffc8(%ebp),%edx d205d: 81 65 c8 c0 00 00 00 andl $0xc0,0xffffffc8(%ebp) d2064: c1 ea 03 shr $0x3,%edx d2067: 83 e2 07 
and $0x7,%edx d206a: 81 7d c8 c0 00 00 00 cmpl $0xc0,0xffffffc8(%ebp) d2071: 89 55 c0 mov %edx,0xffffffc0(%ebp) d2074: 0f 84 48 fc ff ff je d1cc2 <emulate+0x102> d207a: 83 fe 39 cmp $0x39,%esi d207d: 0f 85 c1 fb ff ff jne d1c44 <emulate+0x84> d2083: 89 f8 mov %edi,%eax d2085: e8 36 e9 ff ff call d09c0 <getreg32> d208a: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d208e: 89 c2 mov %eax,%edx d2090: 0f 85 e7 0a 00 00 jne d2b7d <emulate+0xfbd> d2096: 8b 4d c4 mov 0xffffffc4(%ebp),%ecx d2099: 0f b7 01 movzwl (%ecx),%eax d209c: 29 d0 sub %edx,%eax d209e: 66 85 c0 test %ax,%ax d20a1: 0f 85 4c 0c 00 00 jne d2cf3 <emulate+0x1133> d20a7: 83 4f 30 40 orl $0x40,0x30(%edi) d20ab: 89 44 24 14 mov %eax,0x14(%esp) d20af: 8b 55 c0 mov 0xffffffc0(%ebp),%edx d20b2: b9 a9 4c 0d 00 mov $0xd4ca9,%ecx d20b7: 89 4c 24 08 mov %ecx,0x8(%esp) d20bb: 8b 5d c4 mov 0xffffffc4(%ebp),%ebx d20be: 8b 04 95 a0 55 0d 00 mov 0xd55a0(,%edx,4),%eax d20c5: 89 5c 24 10 mov %ebx,0x10(%esp) d20c9: 89 44 24 0c mov %eax,0xc(%esp) d20cd: 8b 47 28 mov 0x28(%edi),%eax d20d0: 8b 55 cc mov 0xffffffcc(%ebp),%edx d20d3: 29 d0 sub %edx,%eax d20d5: 89 44 24 04 mov %eax,0x4(%esp) d20d9: e9 b8 fe ff ff jmp d1f96 <emulate+0x3d6> d20de: 89 3c 24 mov %edi,(%esp) d20e1: 8b 75 ec mov 0xffffffec(%ebp),%esi d20e4: b8 c0 4c 0d 00 mov $0xd4cc0,%eax d20e9: 89 44 24 08 mov %eax,0x8(%esp) d20ed: 29 f3 sub %esi,%ebx d20ef: 89 5c 24 04 mov %ebx,0x4(%esp) d20f3: e8 98 e7 ff ff call d0890 <trace> d20f8: 83 4d e0 20 orl $0x20,0xffffffe0(%ebp) d20fc: 8b 77 28 mov 0x28(%edi),%esi d20ff: e9 ec fa ff ff jmp d1bf0 <emulate+0x30> d2104: 89 3c 24 mov %edi,(%esp) d2107: b8 c6 4c 0d 00 mov $0xd4cc6,%eax d210c: 89 44 24 08 mov %eax,0x8(%esp) d2110: 8b 45 ec mov 0xffffffec(%ebp),%eax d2113: 29 c3 sub %eax,%ebx d2115: 89 5c 24 04 mov %ebx,0x4(%esp) d2119: e8 72 e7 ff ff call d0890 <trace> d211e: 83 4d e0 04 orl $0x4,0xffffffe0(%ebp) d2122: 8b 77 28 mov 0x28(%edi),%esi d2125: e9 c6 fa ff ff jmp d1bf0 <emulate+0x30> d212a: 89 3c 24 mov %edi,(%esp) d212d: 
b8 cc 4c 0d 00 mov $0xd4ccc,%eax d2132: 89 44 24 08 mov %eax,0x8(%esp) d2136: 8b 45 ec mov 0xffffffec(%ebp),%eax d2139: 29 c3 sub %eax,%ebx d213b: 89 5c 24 04 mov %ebx,0x4(%esp) d213f: e8 4c e7 ff ff call d0890 <trace> d2144: 83 4d e0 10 orl $0x10,0xffffffe0(%ebp) d2148: 8b 77 28 mov 0x28(%edi),%esi d214b: e9 a0 fa ff ff jmp d1bf0 <emulate+0x30> d2150: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d2154: 0f 85 9a 05 00 00 jne d26f4 <emulate+0xb34> d215a: 0f b7 47 34 movzwl 0x34(%edi),%eax d215e: 8b 57 38 mov 0x38(%edi),%edx d2161: 89 04 24 mov %eax,(%esp) d2164: 89 f8 mov %edi,%eax d2166: e8 95 e5 ff ff call d0700 <address> d216b: 0f b7 00 movzwl (%eax),%eax d216e: 83 47 34 02 addl $0x2,0x34(%edi) d2172: 89 47 40 mov %eax,0x40(%edi) d2175: b9 d2 4c 0d 00 mov $0xd4cd2,%ecx d217a: 8b 55 ec mov 0xffffffec(%ebp),%edx d217d: 89 4c 24 08 mov %ecx,0x8(%esp) d2181: 8b 47 28 mov 0x28(%edi),%eax d2184: 89 3c 24 mov %edi,(%esp) d2187: 29 d0 sub %edx,%eax d2189: 89 44 24 04 mov %eax,0x4(%esp) d218d: e8 fe e6 ff ff call d0890 <trace> d2192: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604 d2199: 0f 85 a5 fa ff ff jne d1c44 <emulate+0x84> d219f: 31 c0 xor %eax,%eax d21a1: a3 60 76 0d 00 mov %eax,0xd7660 d21a6: 8b 47 40 mov 0x40(%edi),%eax d21a9: a3 f8 97 0d 00 mov %eax,0xd97f8 d21ae: 8b 77 28 mov 0x28(%edi),%esi d21b1: e9 91 fa ff ff jmp d1c47 <emulate+0x87> d21b6: 83 3d 04 76 0d 00 03 cmpl $0x3,0xd7604 d21bd: 0f 84 ff fa ff ff je d1cc2 <emulate+0x102> d21c3: 8b 57 2c mov 0x2c(%edi),%edx d21c6: 0f b7 c3 movzwl %bx,%eax d21c9: 89 04 24 mov %eax,(%esp) d21cc: 89 f8 mov %edi,%eax d21ce: e8 2d e5 ff ff call d0700 <address> d21d3: 8b 4f 28 mov 0x28(%edi),%ecx d21d6: 41 inc %ecx d21d7: 89 ce mov %ecx,%esi d21d9: 89 4f 28 mov %ecx,0x28(%edi) d21dc: 0f b6 18 movzbl (%eax),%ebx d21df: 83 fb 32 cmp $0x32,%ebx d21e2: 89 5d e8 mov %ebx,0xffffffe8(%ebp) d21e5: 0f 87 d7 fa ff ff ja d1cc2 <emulate+0x102> d21eb: ff 24 9d 48 49 0d 00 jmp *0xd4948(,%ebx,4) d21f2: a1 04 76 0d 00 mov 0xd7604,%eax d21f7: 48 dec 
%eax d21f8: 83 f8 01 cmp $0x1,%eax d21fb: 0f 87 c1 fa ff ff ja d1cc2 <emulate+0x102> d2201: 8b 57 2c mov 0x2c(%edi),%edx d2204: 0f b7 c3 movzwl %bx,%eax d2207: 89 04 24 mov %eax,(%esp) d220a: 89 f8 mov %edi,%eax d220c: e8 ef e4 ff ff call d0700 <address> d2211: 8b 77 28 mov 0x28(%edi),%esi d2214: 46 inc %esi d2215: 89 77 28 mov %esi,0x28(%edi) d2218: 0f be 00 movsbl (%eax),%eax d221b: 89 3c 24 mov %edi,(%esp) d221e: 89 45 e4 mov %eax,0xffffffe4(%ebp) d2221: 8d 04 06 lea (%esi,%eax,1),%eax d2224: 89 44 24 0c mov %eax,0xc(%esp) d2228: b8 db 4c 0d 00 mov $0xd4cdb,%eax d222d: 89 44 24 08 mov %eax,0x8(%esp) d2231: b8 02 00 00 00 mov $0x2,%eax d2236: 89 44 24 04 mov %eax,0x4(%esp) d223a: e8 51 e6 ff ff call d0890 <trace> d223f: 8b 47 28 mov 0x28(%edi),%eax d2242: 8b 75 e4 mov 0xffffffe4(%ebp),%esi d2245: 01 c6 add %eax,%esi d2247: 89 77 28 mov %esi,0x28(%edi) d224a: ff 45 f0 incl 0xfffffff0(%ebp) d224d: e9 f8 f9 ff ff jmp d1c4a <emulate+0x8a> d2252: a1 04 76 0d 00 mov 0xd7604,%eax d2257: 48 dec %eax d2258: 83 f8 01 cmp $0x1,%eax d225b: 0f 87 61 fa ff ff ja d1cc2 <emulate+0x102> d2261: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d2265: 0f 84 cc 06 00 00 je d2937 <emulate+0xd77> d226b: 8b 57 2c mov 0x2c(%edi),%edx d226e: 0f b7 c3 movzwl %bx,%eax d2271: 89 04 24 mov %eax,(%esp) d2274: 89 f8 mov %edi,%eax d2276: e8 85 e4 ff ff call d0700 <address> d227b: 8b 77 28 mov 0x28(%edi),%esi d227e: 83 c6 04 add $0x4,%esi d2281: 89 77 28 mov %esi,0x28(%edi) d2284: 8b 00 mov (%eax),%eax d2286: 89 45 b4 mov %eax,0xffffffb4(%ebp) d2289: 8b 57 2c mov 0x2c(%edi),%edx d228c: 89 f0 mov %esi,%eax d228e: 25 ff ff 00 00 and $0xffff,%eax d2293: 89 04 24 mov %eax,(%esp) d2296: 89 f8 mov %edi,%eax d2298: e8 63 e4 ff ff call d0700 <address> d229d: 8b 77 28 mov 0x28(%edi),%esi d22a0: 83 c6 02 add $0x2,%esi d22a3: 89 77 28 mov %esi,0x28(%edi) d22a6: 29 de sub %ebx,%esi d22a8: 0f b7 00 movzwl (%eax),%eax d22ab: 89 3c 24 mov %edi,(%esp) d22ae: 89 45 b0 mov %eax,0xffffffb0(%ebp) d22b1: 8b 45 b4 mov 
0xffffffb4(%ebp),%eax d22b4: 8b 55 b0 mov 0xffffffb0(%ebp),%edx d22b7: 89 44 24 10 mov %eax,0x10(%esp) d22bb: b8 e4 4c 0d 00 mov $0xd4ce4,%eax d22c0: 89 44 24 08 mov %eax,0x8(%esp) d22c4: 8d 46 01 lea 0x1(%esi),%eax d22c7: 89 54 24 0c mov %edx,0xc(%esp) d22cb: 89 44 24 04 mov %eax,0x4(%esp) d22cf: e8 bc e5 ff ff call d0890 <trace> d22d4: 8b 4d b0 mov 0xffffffb0(%ebp),%ecx d22d7: 89 4f 2c mov %ecx,0x2c(%edi) d22da: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx d22dd: 89 5f 28 mov %ebx,0x28(%edi) d22e0: a1 04 76 0d 00 mov 0xd7604,%eax d22e5: 83 f8 01 cmp $0x1,%eax d22e8: 0f 84 fa 09 00 00 je d2ce8 <emulate+0x1128> d22ee: 83 f8 02 cmp $0x2,%eax d22f1: 0f 84 de 09 00 00 je d2cd5 <emulate+0x1115> d22f7: c7 04 24 f3 4c 0d 00 movl $0xd4cf3,(%esp) d22fe: e8 7d 16 00 00 call d3980 <panic> d2303: e9 de f9 ff ff jmp d1ce6 <emulate+0x126> d2308: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d230c: 0f 84 d2 04 00 00 je d27e4 <emulate+0xc24> d2312: 89 3c 24 mov %edi,(%esp) d2315: b8 f8 4c 0d 00 mov $0xd4cf8,%eax d231a: 89 44 24 08 mov %eax,0x8(%esp) d231e: 8b 45 ec mov 0xffffffec(%ebp),%eax d2321: 29 c3 sub %eax,%ebx d2323: 89 5c 24 04 mov %ebx,0x4(%esp) d2327: e8 64 e5 ff ff call d0890 <trace> d232c: 0f b7 47 34 movzwl 0x34(%edi),%eax d2330: 8b 57 38 mov 0x38(%edi),%edx d2333: 89 04 24 mov %eax,(%esp) d2336: 89 f8 mov %edi,%eax d2338: e8 c3 e3 ff ff call d0700 <address> d233d: 8b 10 mov (%eax),%edx d233f: 8b 47 34 mov 0x34(%edi),%eax d2342: 89 57 28 mov %edx,0x28(%edi) d2345: 83 c0 04 add $0x4,%eax d2348: 8b 57 38 mov 0x38(%edi),%edx d234b: 89 47 34 mov %eax,0x34(%edi) d234e: 25 ff ff 00 00 and $0xffff,%eax d2353: 89 04 24 mov %eax,(%esp) d2356: 89 f8 mov %edi,%eax d2358: e8 a3 e3 ff ff call d0700 <address> d235d: 8b 10 mov (%eax),%edx d235f: 8b 47 34 mov 0x34(%edi),%eax d2362: 89 57 2c mov %edx,0x2c(%edi) d2365: 83 c0 04 add $0x4,%eax d2368: 8b 57 38 mov 0x38(%edi),%edx d236b: 89 47 34 mov %eax,0x34(%edi) d236e: 25 ff ff 00 00 and $0xffff,%eax d2373: 89 04 24 mov %eax,(%esp) d2376: 89 f8 mov 
%edi,%eax d2378: e8 83 e3 ff ff call d0700 <address> d237d: 8b 00 mov (%eax),%eax d237f: 83 47 34 04 addl $0x4,0x34(%edi) d2383: 89 47 30 mov %eax,0x30(%edi) d2386: 8b 77 28 mov 0x28(%edi),%esi d2389: e9 b9 f8 ff ff jmp d1c47 <emulate+0x87> d238e: 89 3c 24 mov %edi,(%esp) d2391: 8b 45 ec mov 0xffffffec(%ebp),%eax d2394: ba 05 4d 0d 00 mov $0xd4d05,%edx d2399: 89 54 24 08 mov %edx,0x8(%esp) d239d: 29 c3 sub %eax,%ebx d239f: 89 5c 24 04 mov %ebx,0x4(%esp) d23a3: e8 e8 e4 ff ff call d0890 <trace> d23a8: 0f b7 47 28 movzwl 0x28(%edi),%eax d23ac: 8b 57 2c mov 0x2c(%edi),%edx d23af: 89 04 24 mov %eax,(%esp) d23b2: 89 f8 mov %edi,%eax d23b4: e8 47 e3 ff ff call d0700 <address> d23b9: ff 47 28 incl 0x28(%edi) d23bc: 0f b6 10 movzbl (%eax),%edx d23bf: 89 f8 mov %edi,%eax d23c1: e8 9a f5 ff ff call d1960 <interrupt> d23c6: 8b 77 28 mov 0x28(%edi),%esi d23c9: e9 79 f8 ff ff jmp d1c47 <emulate+0x87> d23ce: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d23d2: 0f 85 e2 03 00 00 jne d27ba <emulate+0xbfa> d23d8: 8b 57 2c mov 0x2c(%edi),%edx d23db: 0f b7 c3 movzwl %bx,%eax d23de: 89 04 24 mov %eax,(%esp) d23e1: 89 f8 mov %edi,%eax d23e3: e8 18 e3 ff ff call d0700 <address> d23e8: 83 47 28 02 addl $0x2,0x28(%edi) d23ec: ba 03 00 00 00 mov $0x3,%edx d23f1: 0f b7 18 movzwl (%eax),%ebx d23f4: 89 f8 mov %edi,%eax d23f6: 89 1c 24 mov %ebx,(%esp) d23f9: e8 82 e6 ff ff call d0a80 <setreg16> d23fe: 89 5c 24 0c mov %ebx,0xc(%esp) d2402: b9 09 4d 0d 00 mov $0xd4d09,%ecx d2407: 8b 55 ec mov 0xffffffec(%ebp),%edx d240a: 89 4c 24 08 mov %ecx,0x8(%esp) d240e: 8b 47 28 mov 0x28(%edi),%eax d2411: 29 d0 sub %edx,%eax d2413: 89 44 24 04 mov %eax,0x4(%esp) d2417: 89 3c 24 mov %edi,(%esp) d241a: e8 71 e4 ff ff call d0890 <trace> d241f: 8b 77 28 mov 0x28(%edi),%esi d2422: e9 20 f8 ff ff jmp d1c47 <emulate+0x87> d2427: 8b 47 40 mov 0x40(%edi),%eax d242a: 89 fa mov %edi,%edx d242c: 89 04 24 mov %eax,(%esp) d242f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d2432: e8 89 e6 ff ff call d0ac0 <segment> d2437: f6 45 e0 02 
testb $0x2,0xffffffe0(%ebp) d243b: 89 c6 mov %eax,%esi d243d: 0f 85 35 03 00 00 jne d2778 <emulate+0xbb8> d2443: 8b 57 2c mov 0x2c(%edi),%edx d2446: 0f b7 c3 movzwl %bx,%eax d2449: 89 04 24 mov %eax,(%esp) d244c: 89 f8 mov %edi,%eax d244e: e8 ad e2 ff ff call d0700 <address> d2453: 83 47 28 02 addl $0x2,0x28(%edi) d2457: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d245b: 0f b7 00 movzwl (%eax),%eax d245e: 0f 84 34 03 00 00 je d2798 <emulate+0xbd8> d2464: 89 04 24 mov %eax,(%esp) d2467: 89 f2 mov %esi,%edx d2469: 89 f8 mov %edi,%eax d246b: e8 90 e2 ff ff call d0700 <address> d2470: 89 c3 mov %eax,%ebx d2472: 8b 00 mov (%eax),%eax d2474: 31 d2 xor %edx,%edx d2476: 89 04 24 mov %eax,(%esp) d2479: 89 f8 mov %edi,%eax d247b: e8 b0 e5 ff ff call d0a30 <setreg32> d2480: 89 5c 24 0c mov %ebx,0xc(%esp) d2484: bb 19 4d 0d 00 mov $0xd4d19,%ebx d2489: 8b 55 ec mov 0xffffffec(%ebp),%edx d248c: 89 5c 24 08 mov %ebx,0x8(%esp) d2490: 8b 47 28 mov 0x28(%edi),%eax d2493: e9 79 ff ff ff jmp d2411 <emulate+0x851> d2498: 89 3c 24 mov %edi,(%esp) d249b: 8b 75 ec mov 0xffffffec(%ebp),%esi d249e: b8 29 4d 0d 00 mov $0xd4d29,%eax d24a3: 89 44 24 08 mov %eax,0x8(%esp) d24a7: 29 f3 sub %esi,%ebx d24a9: 89 5c 24 04 mov %ebx,0x4(%esp) d24ad: e8 de e3 ff ff call d0890 <trace> d24b2: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d24b6: 0f 85 a0 02 00 00 jne d275c <emulate+0xb9c> d24bc: 0f b7 47 34 movzwl 0x34(%edi),%eax d24c0: 8b 57 38 mov 0x38(%edi),%edx d24c3: 8b 77 30 mov 0x30(%edi),%esi d24c6: 89 04 24 mov %eax,(%esp) d24c9: 89 f8 mov %edi,%eax d24cb: 81 e6 00 00 ff ff and $0xffff0000,%esi d24d1: e8 2a e2 ff ff call d0700 <address> d24d6: 0f b7 00 movzwl (%eax),%eax d24d9: 83 47 34 02 addl $0x2,0x34(%edi) d24dd: 09 f0 or %esi,%eax d24df: 0d 00 30 02 00 or $0x23000,%eax d24e4: 89 47 30 mov %eax,0x30(%edi) d24e7: e9 9a fe ff ff jmp d2386 <emulate+0x7c6> d24ec: 89 3c 24 mov %edi,(%esp) d24ef: b8 2e 4d 0d 00 mov $0xd4d2e,%eax d24f4: 89 44 24 08 mov %eax,0x8(%esp) d24f8: 8b 45 ec mov 0xffffffec(%ebp),%eax 
d24fb: 29 c3 sub %eax,%ebx d24fd: 89 5c 24 04 mov %ebx,0x4(%esp) d2501: e8 8a e3 ff ff call d0890 <trace> d2506: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d250a: 0f 84 1d 02 00 00 je d272d <emulate+0xb6d> d2510: 8b 47 34 mov 0x34(%edi),%eax d2513: 8b 77 30 mov 0x30(%edi),%esi d2516: 8b 57 38 mov 0x38(%edi),%edx d2519: 83 e8 04 sub $0x4,%eax d251c: 81 e6 ff cf fd ff and $0xfffdcfff,%esi d2522: 89 47 34 mov %eax,0x34(%edi) d2525: 25 ff ff 00 00 and $0xffff,%eax d252a: 89 04 24 mov %eax,(%esp) d252d: 89 f8 mov %edi,%eax d252f: e8 cc e1 ff ff call d0700 <address> d2534: 89 30 mov %esi,(%eax) d2536: 8b 77 28 mov 0x28(%edi),%esi d2539: e9 09 f7 ff ff jmp d1c47 <emulate+0x87> d253e: 89 3c 24 mov %edi,(%esp) d2541: b8 34 4d 0d 00 mov $0xd4d34,%eax d2546: 89 44 24 08 mov %eax,0x8(%esp) d254a: 8b 45 ec mov 0xffffffec(%ebp),%eax d254d: 29 c3 sub %eax,%ebx d254f: 89 5c 24 04 mov %ebx,0x4(%esp) d2553: e8 38 e3 ff ff call d0890 <trace> d2558: 8b 77 28 mov 0x28(%edi),%esi d255b: e9 e7 f6 ff ff jmp d1c47 <emulate+0x87> d2560: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp) d2564: 0f 84 58 f7 ff ff je d1cc2 <emulate+0x102> d256a: 8d 4b ff lea 0xffffffff(%ebx),%ecx d256d: 0f b7 c3 movzwl %bx,%eax d2570: 89 4d bc mov %ecx,0xffffffbc(%ebp) d2573: 8b 57 2c mov 0x2c(%edi),%edx d2576: 89 04 24 mov %eax,(%esp) d2579: 89 f8 mov %edi,%eax d257b: e8 80 e1 ff ff call d0700 <address> d2580: ff 47 28 incl 0x28(%edi) d2583: 89 fa mov %edi,%edx d2585: 0f b6 18 movzbl (%eax),%ebx d2588: 8b 45 e0 mov 0xffffffe0(%ebp),%eax d258b: 89 1c 24 mov %ebx,(%esp) d258e: e8 5d e6 ff ff call d0bf0 <operand> d2593: 89 45 b8 mov %eax,0xffffffb8(%ebp) d2596: 89 d8 mov %ebx,%eax d2598: 25 c0 00 00 00 and $0xc0,%eax d259d: 3d c0 00 00 00 cmp $0xc0,%eax d25a2: 0f 84 1a f7 ff ff je d1cc2 <emulate+0x102> d25a8: 81 fe 8f 00 00 00 cmp $0x8f,%esi d25ae: 0f 85 90 f6 ff ff jne d1c44 <emulate+0x84> d25b4: f6 c3 38 test $0x38,%bl d25b7: 0f 85 05 f7 ff ff jne d1cc2 <emulate+0x102> d25bd: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d25c1: 
0f 85 ee 05 00 00 jne d2bb5 <emulate+0xff5> d25c7: 0f b7 47 34 movzwl 0x34(%edi),%eax d25cb: 8b 57 38 mov 0x38(%edi),%edx d25ce: 89 04 24 mov %eax,(%esp) d25d1: 89 f8 mov %edi,%eax d25d3: e8 28 e1 ff ff call d0700 <address> d25d8: 0f b7 00 movzwl (%eax),%eax d25db: 83 47 34 02 addl $0x2,0x34(%edi) d25df: 8b 55 b8 mov 0xffffffb8(%ebp),%edx d25e2: 66 89 02 mov %ax,(%edx) d25e5: 8b 4d b8 mov 0xffffffb8(%ebp),%ecx d25e8: 8b 55 bc mov 0xffffffbc(%ebp),%edx d25eb: 89 4c 24 0c mov %ecx,0xc(%esp) d25ef: b9 38 4d 0d 00 mov $0xd4d38,%ecx d25f4: 89 4c 24 08 mov %ecx,0x8(%esp) d25f8: 8b 47 28 mov 0x28(%edi),%eax d25fb: e9 11 fe ff ff jmp d2411 <emulate+0x851> d2600: 8b 57 2c mov 0x2c(%edi),%edx d2603: 0f b7 c3 movzwl %bx,%eax d2606: 89 04 24 mov %eax,(%esp) d2609: 89 f8 mov %edi,%eax d260b: e8 f0 e0 ff ff call d0700 <address> d2610: ff 47 28 incl 0x28(%edi) d2613: 0f b6 10 movzbl (%eax),%edx d2616: a1 04 76 0d 00 mov 0xd7604,%eax d261b: 48 dec %eax d261c: 83 f8 01 cmp $0x1,%eax d261f: 0f 87 9d f6 ff ff ja d1cc2 <emulate+0x102> d2625: 89 d0 mov %edx,%eax d2627: 25 c0 00 00 00 and $0xc0,%eax d262c: 3d c0 00 00 00 cmp $0xc0,%eax d2631: 0f 85 65 f6 ff ff jne d1c9c <emulate+0xdc> d2637: 89 d0 mov %edx,%eax d2639: 83 e0 38 and $0x38,%eax d263c: c1 e8 03 shr $0x3,%eax d263f: 83 f8 05 cmp $0x5,%eax d2642: 0f 87 54 f6 ff ff ja d1c9c <emulate+0xdc> d2648: ff 24 85 14 4a 0d 00 jmp *0xd4a14(,%eax,4) d264f: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604 d2656: 0f 85 2b f6 ff ff jne d1c87 <emulate+0xc7> d265c: 8d 74 26 00 lea 0x0(%esi),%esi d2660: e9 28 f6 ff ff jmp d1c8d <emulate+0xcd> d2665: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604 d266c: 0f 84 20 02 00 00 je d2892 <emulate+0xcd2> d2672: 89 3c 24 mov %edi,(%esp) d2675: 8b 45 ec mov 0xffffffec(%ebp),%eax d2678: ba 42 4d 0d 00 mov $0xd4d42,%edx d267d: 89 54 24 08 mov %edx,0x8(%esp) d2681: 29 c3 sub %eax,%ebx d2683: 89 5c 24 04 mov %ebx,0x4(%esp) d2687: e8 04 e2 ff ff call d0890 <trace> d268c: 83 4d e0 02 orl $0x2,0xffffffe0(%ebp) d2690: 8b 77 28 mov 
0x28(%edi),%esi d2693: e9 58 f5 ff ff jmp d1bf0 <emulate+0x30> d2698: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604 d269f: 0f 84 20 02 00 00 je d28c5 <emulate+0xd05> d26a5: 89 3c 24 mov %edi,(%esp) d26a8: b8 49 4d 0d 00 mov $0xd4d49,%eax d26ad: 89 44 24 08 mov %eax,0x8(%esp) d26b1: 8b 45 ec mov 0xffffffec(%ebp),%eax d26b4: 29 c3 sub %eax,%ebx d26b6: 89 5c 24 04 mov %ebx,0x4(%esp) d26ba: e8 d1 e1 ff ff call d0890 <trace> d26bf: 83 4d e0 01 orl $0x1,0xffffffe0(%ebp) d26c3: 8b 77 28 mov 0x28(%edi),%esi d26c6: e9 25 f5 ff ff jmp d1bf0 <emulate+0x30> d26cb: 89 3c 24 mov %edi,(%esp) d26ce: b8 50 4d 0d 00 mov $0xd4d50,%eax d26d3: 89 44 24 08 mov %eax,0x8(%esp) d26d7: 8b 45 ec mov 0xffffffec(%ebp),%eax d26da: 29 c3 sub %eax,%ebx d26dc: 89 5c 24 04 mov %ebx,0x4(%esp) d26e0: e8 ab e1 ff ff call d0890 <trace> d26e5: 81 4d e0 80 00 00 00 orl $0x80,0xffffffe0(%ebp) d26ec: 8b 77 28 mov 0x28(%edi),%esi d26ef: e9 fc f4 ff ff jmp d1bf0 <emulate+0x30> d26f4: 0f b7 47 34 movzwl 0x34(%edi),%eax d26f8: 8b 57 38 mov 0x38(%edi),%edx d26fb: 89 04 24 mov %eax,(%esp) d26fe: 89 f8 mov %edi,%eax d2700: e8 fb df ff ff call d0700 <address> d2705: 8b 00 mov (%eax),%eax d2707: 83 47 34 04 addl $0x4,0x34(%edi) d270b: e9 62 fa ff ff jmp d2172 <emulate+0x5b2> d2710: 0f b7 47 34 movzwl 0x34(%edi),%eax d2714: 8b 57 38 mov 0x38(%edi),%edx d2717: 89 04 24 mov %eax,(%esp) d271a: 89 f8 mov %edi,%eax d271c: e8 df df ff ff call d0700 <address> d2721: 0f b7 00 movzwl (%eax),%eax d2724: 83 47 34 02 addl $0x2,0x34(%edi) d2728: e9 9c f6 ff ff jmp d1dc9 <emulate+0x209> d272d: 8b 47 34 mov 0x34(%edi),%eax d2730: 8b 77 30 mov 0x30(%edi),%esi d2733: 8b 57 38 mov 0x38(%edi),%edx d2736: 83 e8 02 sub $0x2,%eax d2739: 81 e6 ff cf fd ff and $0xfffdcfff,%esi d273f: 89 47 34 mov %eax,0x34(%edi) d2742: 25 ff ff 00 00 and $0xffff,%eax d2747: 89 04 24 mov %eax,(%esp) d274a: 89 f8 mov %edi,%eax d274c: e8 af df ff ff call d0700 <address> d2751: 66 89 30 mov %si,(%eax) d2754: 8b 77 28 mov 0x28(%edi),%esi d2757: e9 eb f4 ff ff jmp 
d1c47 <emulate+0x87> d275c: 0f b7 47 34 movzwl 0x34(%edi),%eax d2760: 8b 57 38 mov 0x38(%edi),%edx d2763: 89 04 24 mov %eax,(%esp) d2766: 89 f8 mov %edi,%eax d2768: e8 93 df ff ff call d0700 <address> d276d: 8b 00 mov (%eax),%eax d276f: 83 47 34 04 addl $0x4,0x34(%edi) d2773: e9 67 fd ff ff jmp d24df <emulate+0x91f> d2778: 8b 57 2c mov 0x2c(%edi),%edx d277b: 0f b7 c3 movzwl %bx,%eax d277e: 89 04 24 mov %eax,(%esp) d2781: 89 f8 mov %edi,%eax d2783: e8 78 df ff ff call d0700 <address> d2788: 83 47 28 04 addl $0x4,0x28(%edi) d278c: 8b 00 mov (%eax),%eax d278e: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp) d2792: 0f 85 cc fc ff ff jne d2464 <emulate+0x8a4> d2798: 89 04 24 mov %eax,(%esp) d279b: 89 f2 mov %esi,%edx d279d: 89 f8 mov %edi,%eax d279f: e8 5c df ff ff call d0700 <address> d27a4: 89 c3 mov %eax,%ebx d27a6: 0f b7 00 movzwl (%eax),%eax d27a9: 31 d2 xor %edx,%edx d27ab: 89 04 24 mov %eax,(%esp) d27ae: 89 f8 mov %edi,%eax d27b0: e8 cb e2 ff ff call d0a80 <setreg16> d27b5: e9 c6 fc ff ff jmp d2480 <emulate+0x8c0> d27ba: 8b 57 2c mov 0x2c(%edi),%edx d27bd: 0f b7 c3 movzwl %bx,%eax d27c0: 89 04 24 mov %eax,(%esp) d27c3: 89 f8 mov %edi,%eax d27c5: e8 36 df ff ff call d0700 <address> d27ca: 83 47 28 04 addl $0x4,0x28(%edi) d27ce: ba 03 00 00 00 mov $0x3,%edx d27d3: 8b 18 mov (%eax),%ebx d27d5: 89 f8 mov %edi,%eax d27d7: 89 1c 24 mov %ebx,(%esp) d27da: e8 51 e2 ff ff call d0a30 <setreg32> d27df: e9 1a fc ff ff jmp d23fe <emulate+0x83e> d27e4: 89 3c 24 mov %edi,(%esp) d27e7: b8 56 4d 0d 00 mov $0xd4d56,%eax d27ec: 89 44 24 08 mov %eax,0x8(%esp) d27f0: 8b 45 ec mov 0xffffffec(%ebp),%eax d27f3: 29 c3 sub %eax,%ebx d27f5: 89 5c 24 04 mov %ebx,0x4(%esp) d27f9: e8 92 e0 ff ff call d0890 <trace> d27fe: 0f b7 47 34 movzwl 0x34(%edi),%eax d2802: 8b 57 38 mov 0x38(%edi),%edx d2805: 89 04 24 mov %eax,(%esp) d2808: 89 f8 mov %edi,%eax d280a: e8 f1 de ff ff call d0700 <address> d280f: 0f b7 10 movzwl (%eax),%edx d2812: 8b 47 34 mov 0x34(%edi),%eax d2815: 83 c0 02 add $0x2,%eax d2818: 89 
57 28 mov %edx,0x28(%edi) d281b: 8b 57 38 mov 0x38(%edi),%edx d281e: 89 47 34 mov %eax,0x34(%edi) d2821: 25 ff ff 00 00 and $0xffff,%eax d2826: 89 04 24 mov %eax,(%esp) d2829: 89 f8 mov %edi,%eax d282b: e8 d0 de ff ff call d0700 <address> d2830: 0f b7 10 movzwl (%eax),%edx d2833: 8b 47 34 mov 0x34(%edi),%eax d2836: 8b 77 30 mov 0x30(%edi),%esi d2839: 89 57 2c mov %edx,0x2c(%edi) d283c: 83 c0 02 add $0x2,%eax d283f: 8b 57 38 mov 0x38(%edi),%edx d2842: 89 47 34 mov %eax,0x34(%edi) d2845: 25 ff ff 00 00 and $0xffff,%eax d284a: 81 e6 00 00 ff ff and $0xffff0000,%esi d2850: 89 04 24 mov %eax,(%esp) d2853: 89 f8 mov %edi,%eax d2855: e8 a6 de ff ff call d0700 <address> d285a: 0f b7 00 movzwl (%eax),%eax d285d: 83 47 34 02 addl $0x2,0x34(%edi) d2861: 09 c6 or %eax,%esi d2863: 89 77 30 mov %esi,0x30(%edi) d2866: 8b 77 28 mov 0x28(%edi),%esi d2869: e9 d9 f3 ff ff jmp d1c47 <emulate+0x87> d286e: 8b 30 mov (%eax),%esi d2870: 8b 47 34 mov 0x34(%edi),%eax d2873: 8b 57 38 mov 0x38(%edi),%edx d2876: 83 e8 04 sub $0x4,%eax d2879: 89 47 34 mov %eax,0x34(%edi) d287c: 25 ff ff 00 00 and $0xffff,%eax d2881: 89 04 24 mov %eax,(%esp) d2884: 89 f8 mov %edi,%eax d2886: e8 75 de ff ff call d0700 <address> d288b: 89 30 mov %esi,(%eax) d288d: e9 ec f5 ff ff jmp d1e7e <emulate+0x2be> d2892: f6 05 f5 97 0d 00 40 testb $0x40,0xd97f5 d2899: 0f 84 d3 fd ff ff je d2672 <emulate+0xab2> d289f: 89 3c 24 mov %edi,(%esp) d28a2: 8b 4d ec mov 0xffffffec(%ebp),%ecx d28a5: be 5b 4d 0d 00 mov $0xd4d5b,%esi d28aa: 89 74 24 08 mov %esi,0x8(%esp) d28ae: 29 cb sub %ecx,%ebx d28b0: 89 5c 24 04 mov %ebx,0x4(%esp) d28b4: e8 d7 df ff ff call d0890 <trace> d28b9: 83 65 e0 fd andl $0xfffffffd,0xffffffe0(%ebp) d28bd: 8b 77 28 mov 0x28(%edi),%esi d28c0: e9 2b f3 ff ff jmp d1bf0 <emulate+0x30> d28c5: f6 05 f5 97 0d 00 40 testb $0x40,0xd97f5 d28cc: 0f 84 d3 fd ff ff je d26a5 <emulate+0xae5> d28d2: 89 3c 24 mov %edi,(%esp) d28d5: b8 62 4d 0d 00 mov $0xd4d62,%eax d28da: 89 44 24 08 mov %eax,0x8(%esp) d28de: 8b 45 ec mov 
0xffffffb4(%ebp),%ebx d381f: 29 c3 sub %eax,%ebx d3821: eb 12 jmp d3835 <_doprint+0x115> d3823: 83 7d c0 01 cmpl $0x1,0xffffffc0(%ebp) d3827: 19 c0 sbb %eax,%eax d3829: 83 e0 f0 and $0xfffffff0,%eax d382c: 83 c0 30 add $0x30,%eax d382f: 4b dec %ebx d3830: 89 04 24 mov %eax,(%esp) d3833: ff d7 call *%edi d3835: 85 db test %ebx,%ebx d3837: 7f ea jg d3823 <_doprint+0x103> d3839: 8b 55 c4 mov 0xffffffc4(%ebp),%edx d383c: 0f b6 02 movzbl (%edx),%eax d383f: 84 c0 test %al,%al d3841: 74 22 je d3865 <_doprint+0x145> d3843: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d3849: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi d3850: ff 45 c4 incl 0xffffffc4(%ebp) d3853: 0f be c0 movsbl %al,%eax d3856: 89 04 24 mov %eax,(%esp) d3859: ff d7 call *%edi d385b: 8b 55 c4 mov 0xffffffc4(%ebp),%edx d385e: 0f b6 02 movzbl (%edx),%eax d3861: 84 c0 test %al,%al d3863: 75 eb jne d3850 <_doprint+0x130> d3865: 46 inc %esi d3866: 0f b6 0e movzbl (%esi),%ecx d3869: 84 c9 test %cl,%cl d386b: 0f 85 cf fe ff ff jne d3740 <_doprint+0x20> d3871: 83 c4 5c add $0x5c,%esp d3874: 5b pop %ebx d3875: 5e pop %esi d3876: 5f pop %edi d3877: 5d pop %ebp d3878: c3 ret d3879: 80 f9 4f cmp $0x4f,%cl d387c: 0f 94 c0 sete %al d387f: 80 f9 44 cmp $0x44,%cl d3882: 0f 94 c2 sete %dl d3885: 09 d0 or %edx,%eax d3887: a8 01 test $0x1,%al d3889: 75 20 jne d38ab <_doprint+0x18b> d388b: 80 f9 58 cmp $0x58,%cl d388e: 74 1b je d38ab <_doprint+0x18b> d3890: 80 f9 73 cmp $0x73,%cl d3893: 74 69 je d38fe <_doprint+0x1de> d3895: 80 f9 63 cmp $0x63,%cl d3898: 74 54 je d38ee <_doprint+0x1ce> d389a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d38a0: 0f be c1 movsbl %cl,%eax d38a3: 89 04 24 mov %eax,(%esp) d38a6: ff d7 call *%edi d38a8: 46 inc %esi d38a9: eb bb jmp d3866 <_doprint+0x146> d38ab: 8b 45 08 mov 0x8(%ebp),%eax d38ae: bb 08 00 00 00 mov $0x8,%ebx d38b3: 83 45 08 04 addl $0x4,0x8(%ebp) d38b7: 80 f9 4f cmp $0x4f,%cl d38ba: 8b 10 mov (%eax),%edx d38bc: 8d 45 c8 lea 0xffffffc8(%ebp),%eax d38bf: 89 45 c4 mov %eax,0xffffffc4(%ebp) d38c2: 0f 84 3e ff 
ff ff je d3806 <_doprint+0xe6> d38c8: bb 10 00 00 00 mov $0x10,%ebx d38cd: 80 f9 58 cmp $0x58,%cl d38d0: e9 29 ff ff ff jmp d37fe <_doprint+0xde> d38d5: 46 inc %esi d38d6: 0f b6 0e movzbl (%esi),%ecx d38d9: e9 d7 fe ff ff jmp d37b5 <_doprint+0x95> d38de: c7 45 bc 01 00 00 00 movl $0x1,0xffffffbc(%ebp) d38e5: 46 inc %esi d38e6: 0f b6 0e movzbl (%esi),%ecx d38e9: e9 94 fe ff ff jmp d3782 <_doprint+0x62> d38ee: 8b 45 08 mov 0x8(%ebp),%eax d38f1: 83 45 08 04 addl $0x4,0x8(%ebp) d38f5: 8b 00 mov (%eax),%eax d38f7: 89 04 24 mov %eax,(%esp) d38fa: ff d7 call *%edi d38fc: eb aa jmp d38a8 <_doprint+0x188> d38fe: 8b 45 08 mov 0x8(%ebp),%eax d3901: 83 45 08 04 addl $0x4,0x8(%ebp) d3905: 8b 00 mov (%eax),%eax d3907: 89 45 c4 mov %eax,0xffffffc4(%ebp) d390a: 89 04 24 mov %eax,(%esp) d390d: e8 8e fd ff ff call d36a0 <strlen> d3912: 89 45 b8 mov %eax,0xffffffb8(%ebp) d3915: 8b 4d bc mov 0xffffffbc(%ebp),%ecx d3918: 85 c9 test %ecx,%ecx d391a: 75 16 jne d3932 <_doprint+0x212> d391c: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx d391f: 29 c3 sub %eax,%ebx d3921: eb 0a jmp d392d <_doprint+0x20d> d3923: c7 04 24 20 00 00 00 movl $0x20,(%esp) d392a: ff d7 call *%edi d392c: 4b dec %ebx d392d: 85 db test %ebx,%ebx d392f: 90 nop d3930: 7f f1 jg d3923 <_doprint+0x203> d3932: 8b 55 c4 mov 0xffffffc4(%ebp),%edx d3935: 0f b6 02 movzbl (%edx),%eax d3938: 84 c0 test %al,%al d393a: 74 15 je d3951 <_doprint+0x231> d393c: ff 45 c4 incl 0xffffffc4(%ebp) d393f: 0f be c0 movsbl %al,%eax d3942: 89 04 24 mov %eax,(%esp) d3945: ff d7 call *%edi d3947: 8b 55 c4 mov 0xffffffc4(%ebp),%edx d394a: 0f b6 02 movzbl (%edx),%eax d394d: 84 c0 test %al,%al d394f: 75 eb jne d393c <_doprint+0x21c> d3951: 8b 55 bc mov 0xffffffbc(%ebp),%edx d3954: 85 d2 test %edx,%edx d3956: 0f 84 09 ff ff ff je d3865 <_doprint+0x145> d395c: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx d395f: 8b 45 b8 mov 0xffffffb8(%ebp),%eax d3962: 29 c3 sub %eax,%ebx d3964: eb 0a jmp d3970 <_doprint+0x250> d3966: c7 04 24 20 00 00 00 movl $0x20,(%esp) d396d: ff d7 
call *%edi d396f: 4b dec %ebx d3970: 85 db test %ebx,%ebx d3972: 7f f2 jg d3966 <_doprint+0x246> d3974: 46 inc %esi d3975: e9 ec fe ff ff jmp d3866 <_doprint+0x146> d397a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 000d3980 <panic>: d3980: 55 push %ebp d3981: 89 e5 mov %esp,%ebp d3983: 83 ec 08 sub $0x8,%esp d3986: 8b 55 08 mov 0x8(%ebp),%edx d3989: 8d 45 0c lea 0xc(%ebp),%eax d398c: 89 04 24 mov %eax,(%esp) d398f: b8 90 36 0d 00 mov $0xd3690,%eax d3994: e8 87 fd ff ff call d3720 <_doprint> d3999: c7 04 24 0a 00 00 00 movl $0xa,(%esp) d39a0: e8 eb fc ff ff call d3690 <putchar> d39a5: e8 9e c6 ff ff call d0048 <halt> d39aa: c9 leave d39ab: c3 ret d39ac: 8d 74 26 00 lea 0x0(%esi),%esi 000d39b0 <vprintf>: d39b0: 55 push %ebp d39b1: 89 e5 mov %esp,%ebp d39b3: 83 ec 08 sub $0x8,%esp d39b6: 8b 45 0c mov 0xc(%ebp),%eax d39b9: 8b 55 08 mov 0x8(%ebp),%edx d39bc: 89 04 24 mov %eax,(%esp) d39bf: b8 90 36 0d 00 mov $0xd3690,%eax d39c4: e8 57 fd ff ff call d3720 <_doprint> d39c9: c9 leave d39ca: 31 c0 xor %eax,%eax d39cc: c3 ret d39cd: 8d 76 00 lea 0x0(%esi),%esi 000d39d0 <printf>: d39d0: 55 push %ebp d39d1: 89 e5 mov %esp,%ebp d39d3: 83 ec 08 sub $0x8,%esp d39d6: 8b 55 08 mov 0x8(%ebp),%edx d39d9: 8d 45 0c lea 0xc(%ebp),%eax d39dc: 89 04 24 mov %eax,(%esp) d39df: b8 90 36 0d 00 mov $0xd3690,%eax d39e4: e8 37 fd ff ff call d3720 <_doprint> d39e9: c9 leave d39ea: 31 c0 xor %eax,%eax d39ec: c3 ret d39ed: 8d 76 00 lea 0x0(%esi),%esi 000d39f0 <dump_dtr>: d39f0: 55 push %ebp d39f1: 89 e5 mov %esp,%ebp d39f3: 57 push %edi d39f4: 56 push %esi d39f5: 53 push %ebx d39f6: 83 ec 2c sub $0x2c,%esp d39f9: 8b 45 0c mov 0xc(%ebp),%eax d39fc: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp) d3a03: 39 45 ec cmp %eax,0xffffffec(%ebp) d3a06: e9 8d 00 00 00 jmp d3a98 <dump_dtr+0xa8> d3a0b: 90 nop d3a0c: 8d 74 26 00 lea 0x0(%esi),%esi d3a10: 8b 45 ec mov 0xffffffec(%ebp),%eax d3a13: 8b 55 08 mov 0x8(%ebp),%edx d3a16: c1 f8 03 sar $0x3,%eax d3a19: 8b 74 c2 04 mov 0x4(%edx,%eax,8),%esi d3a1d: 8b 1c c2 mov 
(%edx,%eax,8),%ebx d3a20: 31 d2 xor %edx,%edx d3a22: 89 75 e0 mov %esi,0xffffffe0(%ebp) d3a25: 8b 7d e0 mov 0xffffffe0(%ebp),%edi d3a28: 89 d8 mov %ebx,%eax d3a2a: 0f ac f0 10 shrd $0x10,%esi,%eax d3a2e: 89 c1 mov %eax,%ecx d3a30: 81 e1 00 00 ff 00 and $0xff0000,%ecx d3a36: 89 55 e4 mov %edx,0xffffffe4(%ebp) d3a39: 81 e7 00 00 00 ff and $0xff000000,%edi d3a3f: 25 ff ff 00 00 and $0xffff,%eax d3a44: 09 cf or %ecx,%edi d3a46: 8b 4d e0 mov 0xffffffe0(%ebp),%ecx d3a49: 09 c7 or %eax,%edi d3a4b: 0f b7 c3 movzwl %bx,%eax d3a4e: 81 e1 00 00 0f 00 and $0xf0000,%ecx d3a54: 09 c1 or %eax,%ecx d3a56: 89 f0 mov %esi,%eax d3a58: c1 e8 17 shr $0x17,%eax d3a5b: a8 01 test $0x1,%al d3a5d: 74 09 je d3a68 <dump_dtr+0x78> d3a5f: c1 e1 0c shl $0xc,%ecx d3a62: 81 c9 ff 0f 00 00 or $0xfff,%ecx d3a68: 89 4c 24 14 mov %ecx,0x14(%esp) d3a6c: 8b 55 e0 mov 0xffffffe0(%ebp),%edx d3a6f: 8b 45 ec mov 0xffffffec(%ebp),%eax d3a72: 89 7c 24 10 mov %edi,0x10(%esp) d3a76: 89 54 24 08 mov %edx,0x8(%esp) d3a7a: 89 5c 24 0c mov %ebx,0xc(%esp) d3a7e: 89 44 24 04 mov %eax,0x4(%esp) d3a82: c7 04 24 e8 51 0d 00 movl $0xd51e8,(%esp) d3a89: e8 42 ff ff ff call d39d0 <printf> d3a8e: 83 45 ec 08 addl $0x8,0xffffffec(%ebp) d3a92: 8b 55 0c mov 0xc(%ebp),%edx d3a95: 39 55 ec cmp %edx,0xffffffec(%ebp) d3a98: 0f 82 72 ff ff ff jb d3a10 <dump_dtr+0x20> d3a9e: 83 c4 2c add $0x2c,%esp d3aa1: 5b pop %ebx d3aa2: 5e pop %esi d3aa3: 5f pop %edi d3aa4: 5d pop %ebp d3aa5: c3 ret d3aa6: 8d 76 00 lea 0x0(%esi),%esi d3aa9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d3ab0 <dump_vmx_context>: d3ab0: 55 push %ebp d3ab1: 89 e5 mov %esp,%ebp d3ab3: 53 push %ebx d3ab4: 83 ec 24 sub $0x24,%esp d3ab7: 8b 5d 08 mov 0x8(%ebp),%ebx d3aba: 8b 43 08 mov 0x8(%ebx),%eax d3abd: 89 44 24 0c mov %eax,0xc(%esp) d3ac1: 8b 43 04 mov 0x4(%ebx),%eax d3ac4: 89 44 24 08 mov %eax,0x8(%esp) d3ac8: 8b 03 mov (%ebx),%eax d3aca: c7 04 24 18 52 0d 00 movl $0xd5218,(%esp) d3ad1: 89 44 24 04 mov %eax,0x4(%esp) d3ad5: e8 f6 fe ff ff call d39d0 <printf> d3ada: 
8b 43 14 mov 0x14(%ebx),%eax d3add: 89 44 24 0c mov %eax,0xc(%esp) d3ae1: 8b 43 10 mov 0x10(%ebx),%eax d3ae4: 89 44 24 08 mov %eax,0x8(%esp) d3ae8: 8b 43 0c mov 0xc(%ebx),%eax d3aeb: c7 04 24 3c 52 0d 00 movl $0xd523c,(%esp) d3af2: 89 44 24 04 mov %eax,0x4(%esp) d3af6: e8 d5 fe ff ff call d39d0 <printf> d3afb: 8b 43 1c mov 0x1c(%ebx),%eax d3afe: 89 44 24 08 mov %eax,0x8(%esp) d3b02: 8b 43 18 mov 0x18(%ebx),%eax d3b05: c7 04 24 60 52 0d 00 movl $0xd5260,(%esp) d3b0c: 89 44 24 04 mov %eax,0x4(%esp) d3b10: e8 bb fe ff ff call d39d0 <printf> d3b15: 8b 43 24 mov 0x24(%ebx),%eax d3b18: 89 44 24 08 mov %eax,0x8(%esp) d3b1c: 8b 43 20 mov 0x20(%ebx),%eax d3b1f: c7 04 24 80 52 0d 00 movl $0xd5280,(%esp) d3b26: 89 44 24 04 mov %eax,0x4(%esp) d3b2a: e8 a1 fe ff ff call d39d0 <printf> d3b2f: 8b 43 30 mov 0x30(%ebx),%eax d3b32: 89 44 24 0c mov %eax,0xc(%esp) d3b36: 8b 43 2c mov 0x2c(%ebx),%eax d3b39: 89 44 24 08 mov %eax,0x8(%esp) d3b3d: 8b 43 28 mov 0x28(%ebx),%eax d3b40: c7 04 24 a0 52 0d 00 movl $0xd52a0,(%esp) d3b47: 89 44 24 04 mov %eax,0x4(%esp) d3b4b: e8 80 fe ff ff call d39d0 <printf> d3b50: 0f b6 43 36 movzbl 0x36(%ebx),%eax d3b54: 83 e0 01 and $0x1,%eax d3b57: 89 44 24 20 mov %eax,0x20(%esp) d3b5b: 0f b6 53 35 movzbl 0x35(%ebx),%edx d3b5f: 88 d0 mov %dl,%al d3b61: c0 e8 07 shr $0x7,%al d3b64: 0f b6 c0 movzbl %al,%eax d3b67: 89 44 24 1c mov %eax,0x1c(%esp) d3b6b: 88 d0 mov %dl,%al d3b6d: c0 e8 06 shr $0x6,%al d3b70: 83 e0 01 and $0x1,%eax d3b73: c0 ea 04 shr $0x4,%dl d3b76: 89 44 24 18 mov %eax,0x18(%esp) d3b7a: 89 d0 mov %edx,%eax d3b7c: 83 e0 01 and $0x1,%eax d3b7f: 89 44 24 14 mov %eax,0x14(%esp) d3b83: 0f b6 53 34 movzbl 0x34(%ebx),%edx d3b87: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3b8e: 88 d0 mov %dl,%al d3b90: c0 e8 07 shr $0x7,%al d3b93: 0f b6 c0 movzbl %al,%eax d3b96: 89 44 24 10 mov %eax,0x10(%esp) d3b9a: 88 d0 mov %dl,%al d3b9c: c0 e8 05 shr $0x5,%al d3b9f: 83 e0 03 and $0x3,%eax d3ba2: 89 44 24 0c mov %eax,0xc(%esp) d3ba6: 88 d0 mov %dl,%al d3ba8: c0 e8 
04 shr $0x4,%al d3bab: 83 e0 01 and $0x1,%eax d3bae: 89 44 24 08 mov %eax,0x8(%esp) d3bb2: 89 d0 mov %edx,%eax d3bb4: 83 e0 0f and $0xf,%eax d3bb7: 89 44 24 04 mov %eax,0x4(%esp) d3bbb: e8 10 fe ff ff call d39d0 <printf> d3bc0: 8b 43 40 mov 0x40(%ebx),%eax d3bc3: 89 44 24 0c mov %eax,0xc(%esp) d3bc7: 8b 43 3c mov 0x3c(%ebx),%eax d3bca: 89 44 24 08 mov %eax,0x8(%esp) d3bce: 8b 43 38 mov 0x38(%ebx),%eax d3bd1: c7 04 24 04 53 0d 00 movl $0xd5304,(%esp) d3bd8: 89 44 24 04 mov %eax,0x4(%esp) d3bdc: e8 ef fd ff ff call d39d0 <printf> d3be1: 0f b6 43 46 movzbl 0x46(%ebx),%eax d3be5: 83 e0 01 and $0x1,%eax d3be8: 89 44 24 20 mov %eax,0x20(%esp) d3bec: 0f b6 53 45 movzbl 0x45(%ebx),%edx d3bf0: 88 d0 mov %dl,%al d3bf2: c0 e8 07 shr $0x7,%al d3bf5: 0f b6 c0 movzbl %al,%eax d3bf8: 89 44 24 1c mov %eax,0x1c(%esp) d3bfc: 88 d0 mov %dl,%al d3bfe: c0 e8 06 shr $0x6,%al d3c01: 83 e0 01 and $0x1,%eax d3c04: c0 ea 04 shr $0x4,%dl d3c07: 89 44 24 18 mov %eax,0x18(%esp) d3c0b: 89 d0 mov %edx,%eax d3c0d: 83 e0 01 and $0x1,%eax d3c10: 89 44 24 14 mov %eax,0x14(%esp) d3c14: 0f b6 53 44 movzbl 0x44(%ebx),%edx d3c18: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3c1f: 88 d0 mov %dl,%al d3c21: c0 e8 07 shr $0x7,%al d3c24: 0f b6 c0 movzbl %al,%eax d3c27: 89 44 24 10 mov %eax,0x10(%esp) d3c2b: 88 d0 mov %dl,%al d3c2d: c0 e8 05 shr $0x5,%al d3c30: 83 e0 03 and $0x3,%eax d3c33: 89 44 24 0c mov %eax,0xc(%esp) d3c37: 88 d0 mov %dl,%al d3c39: c0 e8 04 shr $0x4,%al d3c3c: 83 e0 01 and $0x1,%eax d3c3f: 89 44 24 08 mov %eax,0x8(%esp) d3c43: 89 d0 mov %edx,%eax d3c45: 83 e0 0f and $0xf,%eax d3c48: 89 44 24 04 mov %eax,0x4(%esp) d3c4c: e8 7f fd ff ff call d39d0 <printf> d3c51: 8b 43 50 mov 0x50(%ebx),%eax d3c54: 89 44 24 0c mov %eax,0xc(%esp) d3c58: 8b 43 4c mov 0x4c(%ebx),%eax d3c5b: 89 44 24 08 mov %eax,0x8(%esp) d3c5f: 8b 43 48 mov 0x48(%ebx),%eax d3c62: c7 04 24 2c 53 0d 00 movl $0xd532c,(%esp) d3c69: 89 44 24 04 mov %eax,0x4(%esp) d3c6d: e8 5e fd ff ff call d39d0 <printf> d3c72: 0f b6 43 56 movzbl 
0x56(%ebx),%eax d3c76: 83 e0 01 and $0x1,%eax d3c79: 89 44 24 20 mov %eax,0x20(%esp) d3c7d: 0f b6 53 55 movzbl 0x55(%ebx),%edx d3c81: 88 d0 mov %dl,%al d3c83: c0 e8 07 shr $0x7,%al d3c86: 0f b6 c0 movzbl %al,%eax d3c89: 89 44 24 1c mov %eax,0x1c(%esp) d3c8d: 88 d0 mov %dl,%al d3c8f: c0 e8 06 shr $0x6,%al d3c92: 83 e0 01 and $0x1,%eax d3c95: c0 ea 04 shr $0x4,%dl d3c98: 89 44 24 18 mov %eax,0x18(%esp) d3c9c: 89 d0 mov %edx,%eax d3c9e: 83 e0 01 and $0x1,%eax d3ca1: 89 44 24 14 mov %eax,0x14(%esp) d3ca5: 0f b6 53 54 movzbl 0x54(%ebx),%edx d3ca9: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3cb0: 88 d0 mov %dl,%al d3cb2: c0 e8 07 shr $0x7,%al d3cb5: 0f b6 c0 movzbl %al,%eax d3cb8: 89 44 24 10 mov %eax,0x10(%esp) d3cbc: 88 d0 mov %dl,%al d3cbe: c0 e8 05 shr $0x5,%al d3cc1: 83 e0 03 and $0x3,%eax d3cc4: 89 44 24 0c mov %eax,0xc(%esp) d3cc8: 88 d0 mov %dl,%al d3cca: c0 e8 04 shr $0x4,%al d3ccd: 83 e0 01 and $0x1,%eax d3cd0: 89 44 24 08 mov %eax,0x8(%esp) d3cd4: 89 d0 mov %edx,%eax d3cd6: 83 e0 0f and $0xf,%eax d3cd9: 89 44 24 04 mov %eax,0x4(%esp) d3cdd: e8 ee fc ff ff call d39d0 <printf> d3ce2: 8b 43 60 mov 0x60(%ebx),%eax d3ce5: 89 44 24 0c mov %eax,0xc(%esp) d3ce9: 8b 43 5c mov 0x5c(%ebx),%eax d3cec: 89 44 24 08 mov %eax,0x8(%esp) d3cf0: 8b 43 58 mov 0x58(%ebx),%eax d3cf3: c7 04 24 54 53 0d 00 movl $0xd5354,(%esp) d3cfa: 89 44 24 04 mov %eax,0x4(%esp) d3cfe: e8 cd fc ff ff call d39d0 <printf> d3d03: 0f b6 43 66 movzbl 0x66(%ebx),%eax d3d07: 83 e0 01 and $0x1,%eax d3d0a: 89 44 24 20 mov %eax,0x20(%esp) d3d0e: 0f b6 53 65 movzbl 0x65(%ebx),%edx d3d12: 88 d0 mov %dl,%al d3d14: c0 e8 07 shr $0x7,%al d3d17: 0f b6 c0 movzbl %al,%eax d3d1a: 89 44 24 1c mov %eax,0x1c(%esp) d3d1e: 88 d0 mov %dl,%al d3d20: c0 e8 06 shr $0x6,%al d3d23: 83 e0 01 and $0x1,%eax d3d26: c0 ea 04 shr $0x4,%dl d3d29: 89 44 24 18 mov %eax,0x18(%esp) d3d2d: 89 d0 mov %edx,%eax d3d2f: 83 e0 01 and $0x1,%eax d3d32: 89 44 24 14 mov %eax,0x14(%esp) d3d36: 0f b6 53 64 movzbl 0x64(%ebx),%edx d3d3a: c7 04 24 c8 52 
0d 00 movl $0xd52c8,(%esp) d3d41: 88 d0 mov %dl,%al d3d43: c0 e8 07 shr $0x7,%al d3d46: 0f b6 c0 movzbl %al,%eax d3d49: 89 44 24 10 mov %eax,0x10(%esp) d3d4d: 88 d0 mov %dl,%al d3d4f: c0 e8 05 shr $0x5,%al d3d52: 83 e0 03 and $0x3,%eax d3d55: 89 44 24 0c mov %eax,0xc(%esp) d3d59: 88 d0 mov %dl,%al d3d5b: c0 e8 04 shr $0x4,%al d3d5e: 83 e0 01 and $0x1,%eax d3d61: 89 44 24 08 mov %eax,0x8(%esp) d3d65: 89 d0 mov %edx,%eax d3d67: 83 e0 0f and $0xf,%eax d3d6a: 89 44 24 04 mov %eax,0x4(%esp) d3d6e: e8 5d fc ff ff call d39d0 <printf> d3d73: 8b 43 70 mov 0x70(%ebx),%eax d3d76: 89 44 24 0c mov %eax,0xc(%esp) d3d7a: 8b 43 6c mov 0x6c(%ebx),%eax d3d7d: 89 44 24 08 mov %eax,0x8(%esp) d3d81: 8b 43 68 mov 0x68(%ebx),%eax d3d84: c7 04 24 7c 53 0d 00 movl $0xd537c,(%esp) d3d8b: 89 44 24 04 mov %eax,0x4(%esp) d3d8f: e8 3c fc ff ff call d39d0 <printf> d3d94: 0f b6 43 76 movzbl 0x76(%ebx),%eax d3d98: 83 e0 01 and $0x1,%eax d3d9b: 89 44 24 20 mov %eax,0x20(%esp) d3d9f: 0f b6 53 75 movzbl 0x75(%ebx),%edx d3da3: 88 d0 mov %dl,%al d3da5: c0 e8 07 shr $0x7,%al d3da8: 0f b6 c0 movzbl %al,%eax d3dab: 89 44 24 1c mov %eax,0x1c(%esp) d3daf: 88 d0 mov %dl,%al d3db1: c0 e8 06 shr $0x6,%al d3db4: 83 e0 01 and $0x1,%eax d3db7: c0 ea 04 shr $0x4,%dl d3dba: 89 44 24 18 mov %eax,0x18(%esp) d3dbe: 89 d0 mov %edx,%eax d3dc0: 83 e0 01 and $0x1,%eax d3dc3: 89 44 24 14 mov %eax,0x14(%esp) d3dc7: 0f b6 53 74 movzbl 0x74(%ebx),%edx d3dcb: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3dd2: 88 d0 mov %dl,%al d3dd4: c0 e8 07 shr $0x7,%al d3dd7: 0f b6 c0 movzbl %al,%eax d3dda: 89 44 24 10 mov %eax,0x10(%esp) d3dde: 88 d0 mov %dl,%al d3de0: c0 e8 05 shr $0x5,%al d3de3: 83 e0 03 and $0x3,%eax d3de6: 89 44 24 0c mov %eax,0xc(%esp) d3dea: 88 d0 mov %dl,%al d3dec: c0 e8 04 shr $0x4,%al d3def: 83 e0 01 and $0x1,%eax d3df2: 89 44 24 08 mov %eax,0x8(%esp) d3df6: 89 d0 mov %edx,%eax d3df8: 83 e0 0f and $0xf,%eax d3dfb: 89 44 24 04 mov %eax,0x4(%esp) d3dff: e8 cc fb ff ff call d39d0 <printf> d3e04: 8b 83 80 00 00 00 mov 
0x80(%ebx),%eax d3e0a: 89 44 24 0c mov %eax,0xc(%esp) d3e0e: 8b 43 7c mov 0x7c(%ebx),%eax d3e11: 89 44 24 08 mov %eax,0x8(%esp) d3e15: 8b 43 78 mov 0x78(%ebx),%eax d3e18: c7 04 24 a4 53 0d 00 movl $0xd53a4,(%esp) d3e1f: 89 44 24 04 mov %eax,0x4(%esp) d3e23: e8 a8 fb ff ff call d39d0 <printf> d3e28: 0f b6 83 86 00 00 00 movzbl 0x86(%ebx),%eax d3e2f: 83 e0 01 and $0x1,%eax d3e32: 89 44 24 20 mov %eax,0x20(%esp) d3e36: 0f b6 93 85 00 00 00 movzbl 0x85(%ebx),%edx d3e3d: 88 d0 mov %dl,%al d3e3f: c0 e8 07 shr $0x7,%al d3e42: 0f b6 c0 movzbl %al,%eax d3e45: 89 44 24 1c mov %eax,0x1c(%esp) d3e49: 88 d0 mov %dl,%al d3e4b: c0 e8 06 shr $0x6,%al d3e4e: 83 e0 01 and $0x1,%eax d3e51: c0 ea 04 shr $0x4,%dl d3e54: 89 44 24 18 mov %eax,0x18(%esp) d3e58: 89 d0 mov %edx,%eax d3e5a: 83 e0 01 and $0x1,%eax d3e5d: 89 44 24 14 mov %eax,0x14(%esp) d3e61: 0f b6 93 84 00 00 00 movzbl 0x84(%ebx),%edx d3e68: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3e6f: 88 d0 mov %dl,%al d3e71: c0 e8 07 shr $0x7,%al d3e74: 0f b6 c0 movzbl %al,%eax d3e77: 89 44 24 10 mov %eax,0x10(%esp) d3e7b: 88 d0 mov %dl,%al d3e7d: c0 e8 05 shr $0x5,%al d3e80: 83 e0 03 and $0x3,%eax d3e83: 89 44 24 0c mov %eax,0xc(%esp) d3e87: 88 d0 mov %dl,%al d3e89: c0 e8 04 shr $0x4,%al d3e8c: 83 e0 01 and $0x1,%eax d3e8f: 89 44 24 08 mov %eax,0x8(%esp) d3e93: 89 d0 mov %edx,%eax d3e95: 83 e0 0f and $0xf,%eax d3e98: 89 44 24 04 mov %eax,0x4(%esp) d3e9c: e8 2f fb ff ff call d39d0 <printf> d3ea1: 8b 83 90 00 00 00 mov 0x90(%ebx),%eax d3ea7: 89 44 24 0c mov %eax,0xc(%esp) d3eab: 8b 83 8c 00 00 00 mov 0x8c(%ebx),%eax d3eb1: 89 44 24 08 mov %eax,0x8(%esp) d3eb5: 8b 83 88 00 00 00 mov 0x88(%ebx),%eax d3ebb: c7 04 24 cc 53 0d 00 movl $0xd53cc,(%esp) d3ec2: 89 44 24 04 mov %eax,0x4(%esp) d3ec6: e8 05 fb ff ff call d39d0 <printf> d3ecb: 0f b6 83 96 00 00 00 movzbl 0x96(%ebx),%eax d3ed2: 83 e0 01 and $0x1,%eax d3ed5: 89 44 24 20 mov %eax,0x20(%esp) d3ed9: 0f b6 93 95 00 00 00 movzbl 0x95(%ebx),%edx d3ee0: 88 d0 mov %dl,%al d3ee2: c0 e8 07 shr 
$0x7,%al d3ee5: 0f b6 c0 movzbl %al,%eax d3ee8: 89 44 24 1c mov %eax,0x1c(%esp) d3eec: 88 d0 mov %dl,%al d3eee: c0 e8 06 shr $0x6,%al d3ef1: 83 e0 01 and $0x1,%eax d3ef4: c0 ea 04 shr $0x4,%dl d3ef7: 89 44 24 18 mov %eax,0x18(%esp) d3efb: 89 d0 mov %edx,%eax d3efd: 83 e0 01 and $0x1,%eax d3f00: 89 44 24 14 mov %eax,0x14(%esp) d3f04: 0f b6 93 94 00 00 00 movzbl 0x94(%ebx),%edx d3f0b: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3f12: 88 d0 mov %dl,%al d3f14: c0 e8 07 shr $0x7,%al d3f17: 0f b6 c0 movzbl %al,%eax d3f1a: 89 44 24 10 mov %eax,0x10(%esp) d3f1e: 88 d0 mov %dl,%al d3f20: c0 e8 05 shr $0x5,%al d3f23: 83 e0 03 and $0x3,%eax d3f26: 89 44 24 0c mov %eax,0xc(%esp) d3f2a: 88 d0 mov %dl,%al d3f2c: c0 e8 04 shr $0x4,%al d3f2f: 83 e0 01 and $0x1,%eax d3f32: 89 44 24 08 mov %eax,0x8(%esp) d3f36: 89 d0 mov %edx,%eax d3f38: 83 e0 0f and $0xf,%eax d3f3b: 89 44 24 04 mov %eax,0x4(%esp) d3f3f: e8 8c fa ff ff call d39d0 <printf> d3f44: 8b 83 a0 00 00 00 mov 0xa0(%ebx),%eax d3f4a: 89 44 24 0c mov %eax,0xc(%esp) d3f4e: 8b 83 9c 00 00 00 mov 0x9c(%ebx),%eax d3f54: 89 44 24 08 mov %eax,0x8(%esp) d3f58: 8b 83 98 00 00 00 mov 0x98(%ebx),%eax d3f5e: c7 04 24 f4 53 0d 00 movl $0xd53f4,(%esp) d3f65: 89 44 24 04 mov %eax,0x4(%esp) d3f69: e8 62 fa ff ff call d39d0 <printf> d3f6e: 0f b6 83 a6 00 00 00 movzbl 0xa6(%ebx),%eax d3f75: 83 e0 01 and $0x1,%eax d3f78: 89 44 24 20 mov %eax,0x20(%esp) d3f7c: 0f b6 93 a5 00 00 00 movzbl 0xa5(%ebx),%edx d3f83: 88 d0 mov %dl,%al d3f85: c0 e8 07 shr $0x7,%al d3f88: 0f b6 c0 movzbl %al,%eax d3f8b: 89 44 24 1c mov %eax,0x1c(%esp) d3f8f: 88 d0 mov %dl,%al d3f91: c0 e8 06 shr $0x6,%al d3f94: 83 e0 01 and $0x1,%eax d3f97: c0 ea 04 shr $0x4,%dl d3f9a: 89 44 24 18 mov %eax,0x18(%esp) d3f9e: 89 d0 mov %edx,%eax d3fa0: 83 e0 01 and $0x1,%eax d3fa3: 89 44 24 14 mov %eax,0x14(%esp) d3fa7: 0f b6 93 a4 00 00 00 movzbl 0xa4(%ebx),%edx d3fae: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp) d3fb5: 88 d0 mov %dl,%al d3fb7: c0 e8 07 shr $0x7,%al d3fba: 0f b6 c0 movzbl 
%al,%eax d3fbd: 89 44 24 10 mov %eax,0x10(%esp) d3fc1: 88 d0 mov %dl,%al d3fc3: c0 e8 05 shr $0x5,%al d3fc6: 83 e0 03 and $0x3,%eax d3fc9: 89 44 24 0c mov %eax,0xc(%esp) d3fcd: 88 d0 mov %dl,%al d3fcf: c0 e8 04 shr $0x4,%al d3fd2: 83 e0 01 and $0x1,%eax d3fd5: 89 44 24 08 mov %eax,0x8(%esp) d3fd9: 89 d0 mov %edx,%eax d3fdb: 83 e0 0f and $0xf,%eax d3fde: 89 44 24 04 mov %eax,0x4(%esp) d3fe2: e8 e9 f9 ff ff call d39d0 <printf> d3fe7: 8b 43 20 mov 0x20(%ebx),%eax d3fea: 89 44 24 08 mov %eax,0x8(%esp) d3fee: 8b 43 24 mov 0x24(%ebx),%eax d3ff1: c7 04 24 3c 51 0d 00 movl $0xd513c,(%esp) d3ff8: 89 44 24 04 mov %eax,0x4(%esp) d3ffc: e8 cf f9 ff ff call d39d0 <printf> d4001: 8b 43 20 mov 0x20(%ebx),%eax d4004: 89 44 24 04 mov %eax,0x4(%esp) d4008: 8b 43 24 mov 0x24(%ebx),%eax d400b: 89 04 24 mov %eax,(%esp) d400e: e8 dd f9 ff ff call d39f0 <dump_dtr> d4013: 83 c4 24 add $0x24,%esp d4016: 5b pop %ebx d4017: 5d pop %ebp d4018: c3 ret d4019: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi 000d4020 <print_e820_map>: d4020: 55 push %ebp d4021: ba 20 00 00 00 mov $0x20,%edx d4026: 89 e5 mov %esp,%ebp d4028: 57 push %edi d4029: 56 push %esi d402a: 53 push %ebx d402b: 83 ec 1c sub $0x1c,%esp d402e: 8b 45 0c mov 0xc(%ebp),%eax d4031: 8b 7d 08 mov 0x8(%ebp),%edi d4034: 83 f8 21 cmp $0x21,%eax d4037: 0f 4d c2 cmovge %edx,%eax d403a: 8d 04 80 lea (%eax,%eax,4),%eax d403d: 8d 04 87 lea (%edi,%eax,4),%eax d4040: 39 f8 cmp %edi,%eax d4042: 0f 86 98 00 00 00 jbe d40e0 <print_e820_map+0xc0> d4048: 89 45 f0 mov %eax,0xfffffff0(%ebp) d404b: eb 24 jmp d4071 <print_e820_map+0x51> d404d: 8d 76 00 lea 0x0(%esi),%esi d4050: 83 f8 01 cmp $0x1,%eax d4053: 0f 84 ab 00 00 00 je d4104 <print_e820_map+0xe4> d4059: 89 44 24 04 mov %eax,0x4(%esp) d405d: 83 c7 14 add $0x14,%edi d4060: c7 04 24 51 51 0d 00 movl $0xd5151,(%esp) d4067: e8 64 f9 ff ff call d39d0 <printf> d406c: 39 7d f0 cmp %edi,0xfffffff0(%ebp) d406f: 76 6f jbe d40e0 <print_e820_map+0xc0> d4071: 8b 37 mov (%edi),%esi d4073: 8b 5f 08 mov 
0x8(%edi),%ebx d4076: 89 f0 mov %esi,%eax d4078: 01 d8 add %ebx,%eax d407a: 89 44 24 10 mov %eax,0x10(%esp) d407e: 8b 0f mov (%edi),%ecx d4080: 8b 5f 04 mov 0x4(%edi),%ebx d4083: 89 c8 mov %ecx,%eax d4085: 89 da mov %ebx,%edx d4087: 03 47 08 add 0x8(%edi),%eax d408a: 13 57 0c adc 0xc(%edi),%edx d408d: 89 74 24 08 mov %esi,0x8(%esp) d4091: 89 5c 24 04 mov %ebx,0x4(%esp) d4095: c7 04 24 5d 51 0d 00 movl $0xd515d,(%esp) d409c: 89 54 24 0c mov %edx,0xc(%esp) d40a0: e8 2b f9 ff ff call d39d0 <printf> d40a5: 8b 47 10 mov 0x10(%edi),%eax d40a8: 83 f8 02 cmp $0x2,%eax d40ab: 74 3b je d40e8 <print_e820_map+0xc8> d40ad: 76 a1 jbe d4050 <print_e820_map+0x30> d40af: 83 f8 03 cmp $0x3,%eax d40b2: 74 42 je d40f6 <print_e820_map+0xd6> d40b4: 83 f8 04 cmp $0x4,%eax d40b7: 75 a0 jne d4059 <print_e820_map+0x39> d40b9: c7 04 24 76 51 0d 00 movl $0xd5176,(%esp) d40c0: e8 0b f9 ff ff call d39d0 <printf> d40c5: 8d 74 26 00 lea 0x0(%esi),%esi d40c9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi d40d0: 83 c7 14 add $0x14,%edi d40d3: 39 7d f0 cmp %edi,0xfffffff0(%ebp) d40d6: 77 99 ja d4071 <print_e820_map+0x51> d40d8: 90 nop d40d9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi d40e0: 83 c4 1c add $0x1c,%esp d40e3: 5b pop %ebx d40e4: 5e pop %esi d40e5: 5f pop %edi d40e6: 5d pop %ebp d40e7: c3 ret d40e8: c7 04 24 82 51 0d 00 movl $0xd5182,(%esp) d40ef: e8 dc f8 ff ff call d39d0 <printf> d40f4: eb da jmp d40d0 <print_e820_map+0xb0> d40f6: c7 04 24 8e 51 0d 00 movl $0xd518e,(%esp) d40fd: e8 ce f8 ff ff call d39d0 <printf> d4102: eb cc jmp d40d0 <print_e820_map+0xb0> d4104: c7 04 24 9b 51 0d 00 movl $0xd519b,(%esp) d410b: e8 c0 f8 ff ff call d39d0 <printf> d4110: eb be jmp d40d0 <print_e820_map+0xb0> d4112: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi d4119: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi 000d4120 <hexdump>: d4120: 55 push %ebp d4121: 89 e5 mov %esp,%ebp d4123: 57 push %edi d4124: 56 push %esi d4125: 53 push %ebx d4126: 83 ec 0c sub $0xc,%esp d4129: 8b 7d 0c mov 0xc(%ebp),%edi d412c: 8b 75 08 mov 
0x8(%ebp),%esi d412f: 85 ff test %edi,%edi d4131: 0f 8e e9 00 00 00 jle d4220 <hexdump+0x100> d4137: 83 7d 0c 11 cmpl $0x11,0xc(%ebp) d413b: bf 10 00 00 00 mov $0x10,%edi d4140: 89 74 24 04 mov %esi,0x4(%esp) d4144: c7 04 24 a2 51 0d 00 movl $0xd51a2,(%esp) d414b: 0f 4c 7d 0c cmovl 0xc(%ebp),%edi d414f: 31 db xor %ebx,%ebx d4151: e8 7a f8 ff ff call d39d0 <printf> d4156: 39 fb cmp %edi,%ebx d4158: 7d 46 jge d41a0 <hexdump+0x80> d415a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi d4160: 83 fb 07 cmp $0x7,%ebx d4163: ba 20 00 00 00 mov $0x20,%edx d4168: b8 2d 00 00 00 mov $0x2d,%eax d416d: 0f 45 c2 cmovne %edx,%eax d4170: 89 44 24 08 mov %eax,0x8(%esp) d4174: 0f b6 04 1e movzbl (%esi,%ebx,1),%eax d4178: 43 inc %ebx d4179: c7 04 24 a9 51 0d 00 movl $0xd51a9,(%esp) d4180: 89 44 24 04 mov %eax,0x4(%esp) d4184: e8 47 f8 ff ff call d39d0 <printf> d4189: 39 fb cmp %edi,%ebx d418b: 7c d3 jl d4160 <hexdump+0x40> d418d: 83 fb 0f cmp $0xf,%ebx d4190: 7f 34 jg d41c6 <hexdump+0xa6> d4192: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi d4199: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi d41a0: c7 04 24 b0 51 0d 00 movl $0xd51b0,(%esp) d41a7: 83 fb 07 cmp $0x7,%ebx d41aa: ba 20 00 00 00 mov $0x20,%edx d41af: b8 2d 00 00 00 mov $0x2d,%eax d41b4: 0f 45 c2 cmovne %edx,%eax d41b7: 43 inc %ebx d41b8: 89 44 24 04 mov %eax,0x4(%esp) d41bc: e8 0f f8 ff ff call d39d0 <printf> d41c1: 83 fb 0f cmp $0xf,%ebx d41c4: 7e da jle d41a0 <hexdump+0x80> d41c6: c7 04 24 b5 51 0d 00 movl $0xd51b5,(%esp) d41cd: 31 db xor %ebx,%ebx d41cf: e8 fc f7 ff ff call d39d0 <printf> d41d4: eb 28 jmp d41fe <hexdump+0xde> d41d6: 0f b6 04 1e movzbl (%esi,%ebx,1),%eax d41da: c7 04 24 b2 51 0d 00 movl $0xd51b2,(%esp) d41e1: 88 c2 mov %al,%dl d41e3: 0f b6 c8 movzbl %al,%ecx d41e6: 80 ea 20 sub $0x20,%dl d41e9: b8 2e 00 00 00 mov $0x2e,%eax d41ee: 80 fa 5e cmp $0x5e,%dl d41f1: 0f 46 c1 cmovbe %ecx,%eax d41f4: 43 inc %ebx d41f5: 89 44 24 04 mov %eax,0x4(%esp) d41f9: e8 d2 f7 ff ff call d39d0 <printf> d41fe: 39 fb cmp %edi,%ebx d4200: 7c d4 
jl d41d6 <hexdump+0xb6> d4202: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp) d4209: e8 c2 f7 ff ff call d39d0 <printf> d420e: 83 6d 0c 10 subl $0x10,0xc(%ebp) d4212: 83 c6 10 add $0x10,%esi d4215: 8b 7d 0c mov 0xc(%ebp),%edi d4218: 85 ff test %edi,%edi d421a: 0f 8f 17 ff ff ff jg d4137 <hexdump+0x17> d4220: 83 c4 0c add $0xc,%esp d4223: 5b pop %ebx d4224: 5e pop %esi d4225: 5f pop %edi d4226: 5d pop %ebp d4227: c3 ret d4228: 90 nop d4229: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi 000d4230 <dump_regs>: d4230: 55 push %ebp d4231: 89 e5 mov %esp,%ebp d4233: 53 push %ebx d4234: 83 ec 14 sub $0x14,%esp d4237: 8b 5d 08 mov 0x8(%ebp),%ebx d423a: 8b 43 10 mov 0x10(%ebx),%eax d423d: 89 44 24 10 mov %eax,0x10(%esp) d4241: 8b 43 14 mov 0x14(%ebx),%eax d4244: 89 44 24 0c mov %eax,0xc(%esp) d4248: 8b 43 18 mov 0x18(%ebx),%eax d424b: 89 44 24 08 mov %eax,0x8(%esp) d424f: 8b 43 1c mov 0x1c(%ebx),%eax d4252: c7 04 24 20 54 0d 00 movl $0xd5420,(%esp) d4259: 89 44 24 04 mov %eax,0x4(%esp) d425d: e8 6e f7 ff ff call d39d0 <printf> d4262: 8b 03 mov (%ebx),%eax d4264: 89 44 24 10 mov %eax,0x10(%esp) d4268: 8b 43 04 mov 0x4(%ebx),%eax d426b: 89 44 24 0c mov %eax,0xc(%esp) d426f: 8b 43 08 mov 0x8(%ebx),%eax d4272: 89 44 24 08 mov %eax,0x8(%esp) d4276: 8b 43 0c mov 0xc(%ebx),%eax d4279: c7 04 24 50 54 0d 00 movl $0xd5450,(%esp) d4280: 89 44 24 04 mov %eax,0x4(%esp) d4284: e8 47 f7 ff ff call d39d0 <printf> d4289: 8b 43 24 mov 0x24(%ebx),%eax d428c: 89 44 24 08 mov %eax,0x8(%esp) d4290: 8b 43 20 mov 0x20(%ebx),%eax d4293: c7 04 24 b9 51 0d 00 movl $0xd51b9,(%esp) d429a: 89 44 24 04 mov %eax,0x4(%esp) d429e: e8 2d f7 ff ff call d39d0 <printf> d42a3: 8b 43 30 mov 0x30(%ebx),%eax d42a6: 89 44 24 0c mov %eax,0xc(%esp) d42aa: 8b 43 2c mov 0x2c(%ebx),%eax d42ad: 89 44 24 08 mov %eax,0x8(%esp) d42b1: 8b 43 28 mov 0x28(%ebx),%eax d42b4: c7 04 24 80 54 0d 00 movl $0xd5480,(%esp) d42bb: 89 44 24 04 mov %eax,0x4(%esp) d42bf: e8 0c f7 ff ff call d39d0 <printf> d42c4: 8b 43 38 mov 0x38(%ebx),%eax d42c7: 89 
44 24 08 mov %eax,0x8(%esp) d42cb: 8b 43 34 mov 0x34(%ebx),%eax d42ce: c7 04 24 d0 51 0d 00 movl $0xd51d0,(%esp) d42d5: 89 44 24 04 mov %eax,0x4(%esp) d42d9: e8 f2 f6 ff ff call d39d0 <printf> d42de: 8b 43 48 mov 0x48(%ebx),%eax d42e1: 89 44 24 10 mov %eax,0x10(%esp) d42e5: 8b 43 44 mov 0x44(%ebx),%eax d42e8: 89 44 24 0c mov %eax,0xc(%esp) d42ec: 8b 43 40 mov 0x40(%ebx),%eax d42ef: 89 44 24 08 mov %eax,0x8(%esp) d42f3: 8b 43 3c mov 0x3c(%ebx),%eax d42f6: c7 04 24 a4 54 0d 00 movl $0xd54a4,(%esp) d42fd: 89 44 24 04 mov %eax,0x4(%esp) d4301: e8 ca f6 ff ff call d39d0 <printf> d4306: 0f 20 d2 mov %cr2,%edx d4309: 89 54 24 08 mov %edx,0x8(%esp) d430d: a1 d4 97 0d 00 mov 0xd97d4,%eax d4312: c7 04 24 d4 54 0d 00 movl $0xd54d4,(%esp) d4319: 89 44 24 10 mov %eax,0x10(%esp) d431d: a1 d0 97 0d 00 mov 0xd97d0,%eax d4322: 89 44 24 0c mov %eax,0xc(%esp) d4326: a1 cc 97 0d 00 mov 0xd97cc,%eax d432b: 89 44 24 04 mov %eax,0x4(%esp) d432f: e8 9c f6 ff ff call d39d0 <printf> d4334: 83 c4 14 add $0x14,%esp d4337: 5b pop %ebx d4338: 5d pop %ebp d4339: c3 ret d433a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 000d4340 <memset>: d4340: 55 push %ebp d4341: 89 e5 mov %esp,%ebp d4343: 57 push %edi d4344: 83 ec 04 sub $0x4,%esp d4347: 8b 55 08 mov 0x8(%ebp),%edx d434a: 8b 45 0c mov 0xc(%ebp),%eax d434d: 8b 4d 10 mov 0x10(%ebp),%ecx d4350: 89 d7 mov %edx,%edi d4352: fc cld d4353: f3 aa repz stos %al,%es:(%edi) d4355: 89 d0 mov %edx,%eax d4357: 5a pop %edx d4358: 5f pop %edi d4359: 5d pop %ebp d435a: c3 ret d435b: 90 nop d435c: 8d 74 26 00 lea 0x0(%esi),%esi 000d4360 <memcpy>: d4360: 55 push %ebp d4361: 89 e5 mov %esp,%ebp d4363: 83 ec 0c sub $0xc,%esp d4366: 89 75 f8 mov %esi,0xfffffff8(%ebp) d4369: 8b 45 10 mov 0x10(%ebp),%eax d436c: 8b 55 08 mov 0x8(%ebp),%edx d436f: 89 7d fc mov %edi,0xfffffffc(%ebp) d4372: 8b 75 0c mov 0xc(%ebp),%esi d4375: 89 c1 mov %eax,%ecx d4377: c1 e9 02 shr $0x2,%ecx d437a: 89 d7 mov %edx,%edi d437c: fc cld d437d: f3 a5 repz movsl %ds:(%esi),%es:(%edi) d437f: a8 02 test 
$0x2,%al d4381: 74 02 je d4385 <memcpy+0x25> d4383: 66 a5 movsw %ds:(%esi),%es:(%edi) d4385: a8 01 test $0x1,%al d4387: 74 01 je d438a <memcpy+0x2a> d4389: a4 movsb %ds:(%esi),%es:(%edi) d438a: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d438d: 89 d0 mov %edx,%eax d438f: 8b 7d fc mov 0xfffffffc(%ebp),%edi d4392: 89 ec mov %ebp,%esp d4394: 5d pop %ebp d4395: c3 ret ... 000d4398 <trap_handlers>: d4398: 60 pusha d4399: 00 0d 00 70 00 0d add %cl,0xd007000 d439f: 00 80 00 0d 00 90 add %al,0x90000d00(%eax) d43a5: 00 0d 00 a0 00 0d add %cl,0xd00a000 d43ab: 00 b0 00 0d 00 c0 add %dh,0xc0000d00(%eax) d43b1: 00 0d 00 d0 00 0d add %cl,0xd00d000 d43b7: 00 e0 add %ah,%al d43b9: 00 0d 00 f0 00 0d add %cl,0xd00f000 d43bf: 00 00 add %al,(%eax) d43c1: 01 0d 00 10 01 0d add %ecx,0xd011000 d43c7: 00 20 add %ah,(%eax) d43c9: 01 0d 00 30 01 0d add %ecx,0xd013000 d43cf: 00 40 01 add %al,0x1(%eax) d43d2: 0d 00 50 01 0d or $0xd015000,%eax d43d7: 00 60 01 add %ah,0x1(%eax) d43da: 0d 00 70 01 0d or $0xd017000,%eax d43df: 00 80 01 0d 00 90 add %al,0x90000d01(%eax) d43e5: 01 0d 00 a0 01 0d add %ecx,0xd01a000 d43eb: 00 b0 01 0d 00 c0 add %dh,0xc0000d01(%eax) d43f1: 01 0d 00 d0 01 0d add %ecx,0xd01d000 d43f7: 00 e0 add %ah,%al d43f9: 01 0d 00 f0 01 0d add %ecx,0xd01f000 d43ff: 00 00 add %al,(%eax) d4401: 02 0d 00 10 02 0d add 0xd021000,%cl d4407: 00 20 add %ah,(%eax) d4409: 02 0d 00 30 02 0d add 0xd023000,%cl d440f: 00 40 02 add %al,0x2(%eax) d4412: 0d 00 50 02 0d or $0xd025000,%eax d4417: 00 60 02 add %ah,0x2(%eax) d441a: 0d 00 70 02 0d or $0xd027000,%eax d441f: 00 80 02 0d 00 90 add %al,0x90000d02(%eax) d4425: 02 0d 00 a0 02 0d add 0xd02a000,%cl d442b: 00 b0 02 0d 00 c0 add %dh,0xc0000d02(%eax) d4431: 02 0d 00 d0 02 0d add 0xd02d000,%cl d4437: 00 e0 add %ah,%al d4439: 02 0d 00 f0 02 0d add 0xd02f000,%cl d443f: 00 00 add %al,(%eax) d4441: 03 0d 00 10 03 0d add 0xd031000,%ecx d4447: 00 20 add %ah,(%eax) d4449: 03 0d 00 30 03 0d add 0xd033000,%ecx d444f: 00 40 03 add %al,0x3(%eax) d4452: 0d 00 50 03 0d 
or $0xd035000,%eax d4457: 00 e0 add %ah,%al d4459: 09 0d 00 e7 09 0d or %ecx,0xd09e700 d445f: 00 f0 add %dh,%al d4461: 09 0d 00 f7 09 0d or %ecx,0xd09f700 d4467: 00 00 add %al,(%eax) d4469: 0a 0d 00 07 0a 0d or 0xd0a0700,%cl d446f: 00 10 add %dl,(%eax) d4471: 0a 0d 00 d7 09 0d or 0xd09d700,%cl d4477: 00 52 0a add %dl,0xa(%edx) d447a: 0d 00 57 0a 0d or $0xd0a5700,%eax d447f: 00 5c 0a 0d add %bl,0xd(%edx,%ecx,1) d4483: 00 61 0a add %ah,0xa(%ecx) d4486: 0d 00 66 0a 0d or $0xd0a6600,%eax d448b: 00 6b 0a add %ch,0xa(%ebx) d448e: 0d 00 71 0a 0d or $0xd0a7100,%eax d4493: 00 45 0a add %al,0xa(%ebp) d4496: 0d 00 ba 0d 0d or $0xd0dba00,%eax d449b: 00 b5 0d 0d 00 b0 add %dh,0xb0000d0d(%ebp) d44a1: 0d 0d 00 ab 0d or $0xdab000d,%eax d44a6: 0d 00 86 0d 0d or $0xd0d8600,%eax d44ab: 00 81 0d 0d 00 7c add %al,0x7c000d0d(%ecx) d44b1: 0d 0d 00 5b 0d or $0xd5b000d,%eax d44b6: 0d 00 18 0e 0d or $0xd0e1800,%eax d44bb: 00 0f add %cl,(%edi) d44bd: 0e push %cs d44be: 0d 00 03 0e 0d or $0xd0e0300,%eax d44c3: 00 f0 add %dh,%al d44c5: 0d 0d 00 e2 0d or $0xde2000d,%eax d44ca: 0d 00 d8 0d 0d or $0xd0dd800,%eax d44cf: 00 cd add %cl,%ch d44d1: 0d 0d 00 c2 0d or $0xdc2000d,%eax d44d6: 0d 00 7f 0e 0d or $0xd0e7f00,%eax d44db: 00 76 0e add %dh,0xe(%esi) d44de: 0d 00 67 0e 0d or $0xd0e6700,%eax d44e3: 00 59 0e add %bl,0xe(%ecx) d44e6: 0d 00 50 0e 0d or $0xd0e5000,%eax d44eb: 00 48 0e add %cl,0xe(%eax) d44ee: 0d 00 2b 0e 0d or $0xd0e2b00,%eax d44f3: 00 22 add %ah,(%edx) d44f5: 0e push %cs d44f6: 0d 00 ed 0e 0d or $0xd0eed00,%eax d44fb: 00 e5 add %ah,%ch d44fd: 0e push %cs d44fe: 0d 00 dd 0e 0d or $0xd0edd00,%eax d4503: 00 d5 add %dl,%ch d4505: 0e push %cs d4506: 0d 00 b4 0e 0d or $0xd0eb400,%eax d450b: 00 98 0e 0d 00 90 add %bl,0x90000d0e(%eax) d4511: 0e push %cs d4512: 0d 00 89 0e 0d or $0xd0e8900,%eax d4517: 00 3b add %bh,(%ebx) d4519: 12 0d 00 2e 12 0d adc 0xd122e00,%cl d451f: 00 bd 12 0d 00 b0 add %bh,0xb0000d12(%ebp) d4525: 12 0d 00 96 12 0d adc 0xd129600,%cl d452b: 00 7c 12 0d add 
%bh,0xd(%edx,%edx,1) d452f: 00 62 12 add %ah,0x12(%edx) d4532: 0d 00 48 12 0d or $0xd124800,%eax d4537: 00 05 13 0d 00 f7 add %al,0xf7000d13 d453d: 12 0d 00 ee 12 0d adc 0xd12ee00,%cl d4543: 00 e5 add %ah,%ch d4545: 12 0d 00 dc 12 0d adc 0xd12dc00,%cl d454b: 00 d3 add %dl,%bl d454d: 12 0d 00 ca 12 0d adc 0xd12ca00,%cl d4553: 00 80 11 0d 00 6d add %al,0x6d000d11(%eax) 000d4558 <__FUNCTION__.0>: d4558: 6d 6f 76 5f 74 6f 5f 73 65 67 00 00 a8 1d 0d 00 mov_to_seg...... d4568: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4578: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 b6 21 0d 00 .............!.. d4588: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4598: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d45a8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d45b8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 50 21 0d 00 ............P!.. d45c8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d45d8: c2 1c 0d 00 c2 1c 0d 00 2a 21 0d 00 c2 1c 0d 00 ........*!...... d45e8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d45f8: c2 1c 0d 00 c2 1c 0d 00 04 21 0d 00 c2 1c 0d 00 .........!...... d4608: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4618: c2 1c 0d 00 c2 1c 0d 00 de 20 0d 00 c2 1c 0d 00 ......... ...... d4628: c2 1c 0d 00 14 20 0d 00 c2 1c 0d 00 14 20 0d 00 ..... ....... .. d4638: c2 1c 0d 00 c2 1c 0d 00 ee 1f 0d 00 c2 1c 0d 00 ................ d4648: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4658: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4668: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4678: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4688: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4698: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d46a8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ 
d46b8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d46c8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d46d8: c8 1f 0d 00 cb 26 0d 00 98 26 0d 00 65 26 0d 00 .....&...&..e&.. d46e8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d46f8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4708: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4718: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4728: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4738: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4748: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4758: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4768: 7e 1c 0d 00 4f 26 0d 00 7e 1c 0d 00 4f 26 0d 00 ~...O&..~...O&.. d4778: c2 1c 0d 00 c2 1c 0d 00 00 26 0d 00 60 25 0d 00 .........&..`%.. d4788: 3e 25 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 >%.............. d4798: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d47a8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d47b8: ec 24 0d 00 98 24 0d 00 c2 1c 0d 00 c2 1c 0d 00 .$...$.......... d47c8: c2 1c 0d 00 27 24 0d 00 c2 1c 0d 00 c2 1c 0d 00 ....'$.......... d47d8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d47e8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d47f8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4808: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4818: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4828: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ce 23 0d 00 .............#.. d4838: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4848: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4858: c2 1c 0d 00 c2 1c 0d 00 87 1c 0d 00 c2 1c 0d 00 ................ 
d4868: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 0a 1d 0d 00 ................ d4878: c2 1c 0d 00 8e 23 0d 00 c2 1c 0d 00 08 23 0d 00 .....#.......#.. d4888: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4898: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d48a8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d48b8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d48c8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d48d8: 6f 1c 0d 00 c2 1c 0d 00 28 1c 0d 00 c2 1c 0d 00 o.......(....... d48e8: c2 1c 0d 00 c2 1c 0d 00 52 22 0d 00 f2 21 0d 00 ........R"...!.. d48f8: 6f 1c 0d 00 c2 1c 0d 00 28 1c 0d 00 c2 1c 0d 00 o.......(....... d4908: a6 1f 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4918: c2 1c 0d 00 c2 1c 0d 00 eb 1e 0d 00 c2 1c 0d 00 ................ d4928: c2 1c 0d 00 c2 1c 0d 00 c2 1e 0d 00 99 1e 0d 00 ................ d4938: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 0d 1e 0d 00 ................ d4948: c2 1c 0d 00 8a 29 0d 00 c2 1c 0d 00 c2 1c 0d 00 .....).......... d4958: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4968: c2 1c 0d 00 47 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ....G........... d4978: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4988: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4998: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d49a8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d49b8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d49c8: bc 29 0d 00 c2 1c 0d 00 bc 29 0d 00 c2 1c 0d 00 .).......)...... d49d8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d49e8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d49f8: c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 c2 1c 0d 00 ................ d4a08: 86 2a 0d 00 c2 1c 0d 00 99 2a 0d 00 55 2b 0d 00 .*.......*..U+.. 
d4a18: 9c 1c 0d 00 ac 2a 0d 00 da 2a 0d 00 f9 2a 0d 00 .....*...*...*.. d4a28: 27 2b 0d 00 c2 1c 0d 00 c2 1c 0d 00 87 2c 0d 00 '+...........,.. d4a38: 32 2c 0d 00 c2 1c 0d 00 c2 1c 0d 00 d6 2b 0d 00 2,...........+.. d4a48: c2 1c 0d 00 3c 56 4d 38 36 5f 52 45 41 4c 3e 00 ....<VM86_REAL>. d4a58: 3c 56 4d 38 36 5f 52 45 41 4c 5f 54 4f 5f 50 52 <VM86_REAL_TO_PR d4a68: 4f 54 45 43 54 45 44 3e 00 3c 56 4d 38 36 5f 50 OTECTED>.<VM86_P d4a78: 52 4f 54 45 43 54 45 44 5f 54 4f 5f 52 45 41 4c ROTECTED_TO_REAL d4a88: 3e 00 3c 56 4d 38 36 5f 50 52 4f 54 45 43 54 45 >.<VM86_PROTECTE d4a98: 44 3e 00 63 78 00 64 78 00 73 70 00 62 70 00 73 D>.cx.dx.sp.bp.s d4aa8: 69 00 64 69 00 6c 31 20 70 61 67 65 20 61 62 6f i.di.l1 page abo d4ab8: 76 65 20 34 47 0a 00 6c 32 20 65 6e 74 72 79 20 ve 4G..l2 entry d4ac8: 6e 6f 74 20 70 72 65 73 65 6e 74 0a 00 6c 32 20 not present..l2 d4ad8: 70 61 67 65 20 61 62 6f 76 65 20 34 47 0a 00 6c page above 4G..l d4ae8: 33 20 65 6e 74 72 79 20 6e 6f 74 20 70 72 65 73 3 entry not pres d4af8: 65 6e 74 0a 00 6c 31 20 65 6e 74 72 79 20 6e 6f ent..l1 entry no d4b08: 74 20 70 72 65 73 65 6e 74 0a 00 67 64 74 20 62 t present..gdt b d4b18: 61 73 65 20 61 64 64 72 65 73 73 20 61 62 6f 76 ase address abov d4b28: 65 20 34 47 0a 00 30 78 25 30 38 78 3a 20 30 78 e 4G..0x%08x: 0x d4b38: 25 78 3a 30 78 25 30 38 78 20 00 28 25 64 29 20 %x:0x%08x .(%d) d4b48: 00 30 78 25 30 38 78 3a 20 30 78 25 78 3a 30 78 .0x%08x: 0x%x:0x d4b58: 25 30 34 78 20 00 6d 6f 76 62 20 24 30 78 25 78 %04x .movb $0x%x d4b68: 2c 20 2a 30 78 25 78 00 6d 6f 76 6c 20 25 25 65 , *0x%x.movl %%e d4b78: 25 73 2c 20 2a 30 78 25 78 00 6d 6f 76 62 20 2a %s, *0x%x.movb * d4b88: 30 78 25 78 2c 20 25 25 25 73 00 6d 6f 76 6c 20 0x%x, %%%s.movl d4b98: 2a 30 78 25 78 2c 20 25 25 65 25 73 00 6d 6f 76 *0x%x, %%e%s.mov d4ba8: 62 20 25 25 65 25 73 2c 20 2a 30 78 25 78 00 6d b %%e%s, *0x%x.m d4bb8: 6f 76 77 20 2a 30 78 25 78 2c 20 25 25 25 73 00 ovw *0x%x, %%%s. 
d4bc8: 6d 6f 76 77 20 25 25 25 73 2c 20 2a 30 78 25 78 movw %%%s, *0x%x d4bd8: 00 25 25 73 73 20 30 78 25 6c 78 20 68 69 67 68 .%%ss 0x%lx high d4be8: 65 72 20 74 68 61 6e 20 31 4d 42 00 25 25 65 73 er than 1MB.%%es d4bf8: 20 30 78 25 6c 78 20 68 69 67 68 65 72 20 74 68 0x%lx higher th d4c08: 61 6e 20 31 4d 42 00 25 25 64 73 20 30 78 25 6c an 1MB.%%ds 0x%l d4c18: 78 20 68 69 67 68 65 72 20 74 68 61 6e 20 31 4d x higher than 1M d4c28: 42 00 65 78 74 65 72 6e 61 6c 20 69 6e 74 65 72 B.external inter d4c38: 72 75 70 74 20 25 64 00 6f 70 63 20 30 78 25 78 rupt %d.opc 0x%x d4c48: 00 72 65 74 6c 20 28 74 6f 20 30 78 25 78 3a 30 .retl (to 0x%x:0 d4c58: 78 25 78 29 00 72 65 74 6c 00 70 6f 70 20 25 25 x%x).retl.pop %% d4c68: 65 73 00 70 75 73 68 20 2a 30 78 25 78 00 73 74 es.push *0x%x.st d4c78: 69 00 63 6c 69 00 74 65 73 74 62 20 24 30 78 25 i.cli.testb $0x% d4c88: 78 2c 20 2a 30 78 25 78 20 28 30 78 25 78 29 00 x, *0x%x (0x%x). d4c98: 6c 6f 63 6b 00 25 25 66 73 3a 00 25 25 64 73 3a lock.%%fs:.%%ds: d4ca8: 00 63 6d 70 20 25 25 25 73 2c 20 2a 30 78 25 78 .cmp %%%s, *0x%x d4cb8: 20 28 30 78 25 78 29 00 25 25 73 73 3a 00 25 25 (0x%x).%%ss:.%% d4cc8: 63 73 3a 00 25 25 65 73 3a 00 70 6f 70 20 25 25 cs:.%%es:.pop %% d4cd8: 64 73 00 6a 6d 70 20 30 78 25 78 00 6a 6d 70 6c ds.jmp 0x%x.jmpl d4ce8: 20 30 78 25 78 3a 30 78 25 78 00 6a 6d 70 6c 00 0x%x:0x%x.jmpl. d4cf8: 64 61 74 61 33 32 20 69 72 65 74 64 00 69 6e 74 data32 iretd.int d4d08: 00 6d 6f 76 20 24 30 78 25 78 2c 20 25 25 62 78 .mov $0x%x, %%bx d4d18: 00 6d 6f 76 20 2a 30 78 25 78 2c 20 25 25 61 78 .mov *0x%x, %%ax d4d28: 00 70 6f 70 66 00 70 75 73 68 66 00 6e 6f 70 00 .popf.pushf.nop. 
d4d38: 70 6f 70 20 2a 30 78 25 78 00 61 64 64 72 33 32 pop *0x%x.addr32 d4d48: 00 64 61 74 61 33 32 00 25 25 67 73 3a 00 69 72 .data32.%%gs:.ir d4d58: 65 74 00 61 64 64 72 31 36 00 64 61 74 61 31 36 et.addr16.data16 d4d68: 00 6d 6f 76 6c 20 25 25 65 61 78 2c 20 25 25 63 .movl %%eax, %%c d4d78: 72 25 64 00 63 6d 70 20 25 25 65 25 73 2c 20 2a r%d.cmp %%e%s, * d4d88: 30 78 25 78 20 28 30 78 25 78 29 00 6c 6d 73 77 0x%x (0x%x).lmsw d4d98: 20 30 78 25 78 00 6c 69 64 74 20 30 78 25 78 20 0x%x.lidt 0x%x d4da8: 3c 25 64 2c 20 30 78 25 78 3e 00 6c 67 64 74 20 <%d, 0x%x>.lgdt d4db8: 30 78 25 78 20 3c 25 64 2c 20 30 78 25 78 3e 00 0x%x <%d, 0x%x>. d4dc8: 6d 6f 76 6c 20 25 25 63 72 25 64 2c 20 25 25 65 movl %%cr%d, %%e d4dd8: 61 78 00 72 65 61 6c 00 54 72 61 70 20 28 30 78 ax.real.Trap (0x d4de8: 25 78 29 20 77 68 69 6c 65 20 69 6e 20 25 73 20 %x) while in %s d4df8: 6d 6f 64 65 0a 00 70 72 6f 74 65 63 74 65 64 00 mode..protected. d4e08: 6e 6f 74 20 69 6e 20 72 65 61 6c 2d 74 6f 2d 70 not in real-to-p d4e18: 72 6f 74 65 63 74 65 64 20 6d 6f 64 65 00 50 61 rotected mode.Pa d4e28: 67 65 20 66 61 75 6c 74 20 61 64 64 72 65 73 73 ge fault address d4e38: 20 30 78 25 78 0a 00 75 6e 65 78 70 65 63 74 65 0x%x..unexpecte d4e48: 64 20 70 72 6f 74 65 63 74 65 64 20 6d 6f 64 65 d protected mode d4e58: 00 00 00 00 73 65 67 6d 65 6e 74 20 69 73 20 7a ....segment is z d4e68: 65 72 6f 2c 20 62 75 74 20 6e 6f 74 20 69 6e 20 ero, but not in d4e78: 72 65 61 6c 20 6d 6f 64 65 21 0a 00 73 68 6f 75 real mode!..shou d4e88: 6c 64 20 6e 65 76 65 72 20 72 65 61 63 68 20 68 ld never reach h d4e98: 65 72 65 20 69 6e 20 66 75 6e 63 74 69 6f 6e 20 ere in function d4ea8: 61 64 64 72 65 73 73 28 29 3a 0a 09 65 6e 74 72 address():..entr d4eb8: 79 3d 30 78 25 30 38 78 25 30 38 78 2c 20 6d 6f y=0x%08x%08x, mo d4ec8: 64 65 3d 25 64 2c 20 73 65 67 3d 30 78 25 30 38 de=%d, seg=0x%08 d4ed8: 78 2c 20 6f 66 66 73 65 74 3d 30 78 25 30 38 78 x, offset=0x%08x d4ee8: 0a 00 00 00 75 6e 65 78 70 65 63 74 65 64 20 72 
....unexpected r d4ef8: 65 61 6c 2d 74 6f 2d 70 72 6f 74 65 63 74 65 64 eal-to-protected d4f08: 20 6d 6f 64 65 20 74 72 61 6e 73 69 74 69 6f 6e mode transition d4f18: 00 00 00 00 75 6e 65 78 70 65 63 74 65 64 20 72 ....unexpected r d4f28: 65 61 6c 20 6d 6f 64 65 20 74 72 61 6e 73 69 74 eal mode transit d4f38: 69 6f 6e 00 75 6e 65 78 70 65 63 74 65 64 20 70 ion.unexpected p d4f48: 72 6f 74 65 63 74 65 64 20 6d 6f 64 65 20 74 72 rotected mode tr d4f58: 61 6e 73 69 74 69 6f 6e 00 00 00 00 75 6e 65 78 ansition....unex d4f68: 70 65 63 74 65 64 20 70 72 6f 74 65 63 74 65 64 pected protected d4f78: 2d 74 6f 2d 72 65 61 6c 20 6d 6f 64 65 20 74 72 -to-real mode tr d4f88: 61 6e 73 69 74 69 6f 6e 00 00 00 00 49 6e 76 61 ansition....Inva d4f98: 6c 69 64 20 25 25 63 73 3d 30 78 25 78 20 66 6f lid %%cs=0x%x fo d4fa8: 72 20 70 72 6f 74 65 63 74 65 64 20 6d 6f 64 65 r protected mode d4fb8: 0a 00 00 00 52 65 6d 61 70 70 69 6e 67 20 6d 61 ....Remapping ma d4fc8: 73 74 65 72 3a 20 49 43 57 32 20 30 78 25 78 20 ster: ICW2 0x%x d4fd8: 2d 3e 20 30 78 25 78 0a 00 00 00 00 52 65 6d 61 -> 0x%x.....Rema d4fe8: 70 70 69 6e 67 20 73 6c 61 76 65 3a 20 49 43 57 pping slave: ICW d4ff8: 32 20 30 78 25 78 20 2d 3e 20 30 78 25 78 0a 00 2 0x%x -> 0x%x.. d5008: 25 73 3a 25 64 3a 20 6d 69 73 73 65 64 20 6f 70 %s:%d: missed op d5018: 63 6f 64 65 20 25 30 32 78 20 25 30 32 78 0a 00 code %02x %02x.. d5028: 55 6e 6b 6e 6f 77 6e 20 6f 70 63 6f 64 65 20 61 Unknown opcode a d5038: 74 20 25 30 34 78 3a 25 30 34 78 3d 30 78 25 78 t %04x:%04x=0x%x d5048: 00 41 75 67 20 20 37 20 32 30 30 37 00 56 4d 58 .Aug 7 2007.VMX d5058: 41 73 73 69 73 74 20 28 25 73 29 0a 00 4d 65 6d Assist (%s)..Mem d5068: 6f 72 79 20 73 69 7a 65 20 25 6c 64 20 4d 42 0a ory size %ld MB. 
d5078: 00 45 38 32 30 20 6d 61 70 3a 0a 00 53 74 61 72 .E820 map:..Star d5088: 74 20 42 49 4f 53 20 2e 2e 2e 0a 00 76 6d 78 61 t BIOS .....vmxa d5098: 73 73 69 73 74 20 72 65 74 75 72 6e 65 64 00 53 ssist returned.S d50a8: 74 61 72 74 20 41 50 20 25 64 20 66 72 6f 6d 20 tart AP %d from d50b8: 25 30 38 78 20 2e 2e 2e 0a 00 00 00 53 74 61 72 %08x .......Star d50c8: 74 69 6e 67 20 65 6d 75 6c 61 74 65 64 20 31 36 ting emulated 16 d50d8: 2d 62 69 74 20 72 65 61 6c 2d 6d 6f 64 65 3a 20 -bit real-mode: d50e8: 69 70 3d 25 30 34 78 3a 25 30 34 78 0a 00 00 00 ip=%04x:%04x.... d50f8: 66 61 69 6c 65 64 20 74 6f 20 65 6d 75 6c 61 74 failed to emulat d5108: 65 20 62 65 74 77 65 65 6e 20 63 6c 65 61 72 20 e between clear d5118: 50 45 20 61 6e 64 20 6c 6f 6e 67 20 6a 75 6d 70 PE and long jump d5128: 2e 0a 00 30 31 32 33 34 35 36 37 38 39 41 42 43 ...0123456789ABC d5138: 44 45 46 00 47 44 54 52 20 3c 30 78 25 6c 78 2c DEF.GDTR <0x%lx, d5148: 30 78 25 6c 78 3e 3a 0a 00 28 54 79 70 65 20 25 0x%lx>:..(Type % d5158: 6c 64 29 0a 00 25 30 38 6c 78 25 30 38 6c 78 20 ld)..%08lx%08lx d5168: 2d 20 25 30 38 6c 78 25 30 38 6c 78 20 00 28 41 - %08lx%08lx .(A d5178: 43 50 49 20 4e 56 53 29 0a 00 28 52 65 73 65 72 CPI NVS)..(Reser d5188: 76 65 64 29 0a 00 28 41 43 50 49 20 44 61 74 61 ved)..(ACPI Data d5198: 29 0a 00 28 52 41 4d 29 0a 00 25 30 38 78 3a 20 )..(RAM)..%08x: d51a8: 00 25 30 32 78 25 63 00 20 20 25 63 00 20 20 20 .%02x%c. %c. d51b8: 00 74 72 61 70 6e 6f 20 25 38 78 20 65 72 72 6e .trapno %8x errn d51c8: 6f 20 20 25 38 78 0a 00 75 65 73 70 20 20 20 25 o %8x..uesp % d51d8: 38 78 20 75 73 73 20 20 20 20 25 38 78 0a 00 00 8x uss %8x... d51e8: 5b 30 78 25 78 5d 20 3d 20 30 78 25 30 38 78 25 [0x%x] = 0x%08x% d51f8: 30 38 78 2c 20 62 61 73 65 20 30 78 25 6c 78 2c 08x, base 0x%lx, d5208: 20 6c 69 6d 69 74 20 30 78 25 6c 78 0a 00 00 00 limit 0x%lx.... 
d5218: 65 69 70 20 30 78 25 6c 78 2c 20 65 73 70 20 30 eip 0x%lx, esp 0 d5228: 78 25 6c 78 2c 20 65 66 6c 61 67 73 20 30 78 25 x%lx, eflags 0x% d5238: 6c 78 0a 00 63 72 30 20 30 78 25 6c 78 2c 20 63 lx..cr0 0x%lx, c d5248: 72 33 20 30 78 25 6c 78 2c 20 63 72 34 20 30 78 r3 0x%lx, cr4 0x d5258: 25 6c 78 0a 00 00 00 00 69 64 74 72 3a 20 6c 69 %lx.....idtr: li d5268: 6d 69 74 20 30 78 25 6c 78 2c 20 62 61 73 65 20 mit 0x%lx, base d5278: 30 78 25 6c 78 0a 00 00 67 64 74 72 3a 20 6c 69 0x%lx...gdtr: li d5288: 6d 69 74 20 30 78 25 6c 78 2c 20 62 61 73 65 20 mit 0x%lx, base d5298: 30 78 25 6c 78 0a 00 00 63 73 3a 20 73 65 6c 20 0x%lx...cs: sel d52a8: 30 78 25 6c 78 2c 20 6c 69 6d 69 74 20 30 78 25 0x%lx, limit 0x% d52b8: 6c 78 2c 20 62 61 73 65 20 30 78 25 6c 78 0a 00 lx, base 0x%lx.. d52c8: 09 74 79 70 65 20 25 64 2c 20 73 20 25 64 2c 20 .type %d, s %d, d52d8: 64 70 6c 20 25 64 2c 20 70 20 25 64 2c 20 61 76 dpl %d, p %d, av d52e8: 6c 20 25 64 2c 20 6f 70 73 20 25 64 2c 20 67 20 l %d, ops %d, g d52f8: 25 64 2c 20 6e 75 6c 20 25 64 0a 00 64 73 3a 20 %d, nul %d..ds: d5308: 73 65 6c 20 30 78 25 6c 78 2c 20 6c 69 6d 69 74 sel 0x%lx, limit d5318: 20 30 78 25 6c 78 2c 20 62 61 73 65 20 30 78 25 0x%lx, base 0x% d5328: 6c 78 0a 00 65 73 3a 20 73 65 6c 20 30 78 25 6c lx..es: sel 0x%l d5338: 78 2c 20 6c 69 6d 69 74 20 30 78 25 6c 78 2c 20 x, limit 0x%lx, d5348: 62 61 73 65 20 30 78 25 6c 78 0a 00 73 73 3a 20 base 0x%lx..ss: d5358: 73 65 6c 20 30 78 25 6c 78 2c 20 6c 69 6d 69 74 sel 0x%lx, limit d5368: 20 30 78 25 6c 78 2c 20 62 61 73 65 20 30 78 25 0x%lx, base 0x% d5378: 6c 78 0a 00 66 73 3a 20 73 65 6c 20 30 78 25 6c lx..fs: sel 0x%l d5388: 78 2c 20 6c 69 6d 69 74 20 30 78 25 6c 78 2c 20 x, limit 0x%lx, d5398: 62 61 73 65 20 30 78 25 6c 78 0a 00 67 73 3a 20 base 0x%lx..gs: d53a8: 73 65 6c 20 30 78 25 6c 78 2c 20 6c 69 6d 69 74 sel 0x%lx, limit d53b8: 20 30 78 25 6c 78 2c 20 62 61 73 65 20 30 78 25 0x%lx, base 0x% d53c8: 6c 78 0a 00 74 72 3a 20 73 65 6c 20 30 78 25 6c lx..tr: sel 
0x%l d53d8: 78 2c 20 6c 69 6d 69 74 20 30 78 25 6c 78 2c 20 x, limit 0x%lx, d53e8: 62 61 73 65 20 30 78 25 6c 78 0a 00 6c 64 74 72 base 0x%lx..ldtr d53f8: 3a 20 73 65 6c 20 30 78 25 6c 78 2c 20 6c 69 6d : sel 0x%lx, lim d5408: 69 74 20 30 78 25 6c 78 2c 20 62 61 73 65 20 30 it 0x%lx, base 0 d5418: 78 25 6c 78 0a 00 00 00 65 61 78 20 20 20 20 25 x%lx....eax % d5428: 38 78 20 65 63 78 20 20 20 20 25 38 78 20 65 64 8x ecx %8x ed d5438: 78 20 20 20 20 25 38 78 20 65 62 78 20 20 20 20 x %8x ebx d5448: 25 38 78 0a 00 00 00 00 65 73 70 20 20 20 20 25 %8x.....esp % d5458: 38 78 20 65 62 70 20 20 20 20 25 38 78 20 65 73 8x ebp %8x es d5468: 69 20 20 20 20 25 38 78 20 65 64 69 20 20 20 20 i %8x edi d5478: 25 38 78 0a 00 00 00 00 65 69 70 20 20 20 20 25 %8x.....eip % d5488: 38 78 20 63 73 20 20 20 20 20 25 38 78 20 65 66 8x cs %8x ef d5498: 6c 61 67 73 20 25 38 78 0a 00 00 00 76 65 73 20 lags %8x....ves d54a8: 20 20 20 25 38 78 20 76 64 73 20 20 20 20 25 38 %8x vds %8 d54b8: 78 20 76 66 73 20 20 20 20 25 38 78 20 76 67 73 x vfs %8x vgs d54c8: 20 20 20 20 25 38 78 0a 00 00 00 00 63 72 30 20 %8x.....cr0 d54d8: 20 20 20 25 38 6c 78 20 63 72 32 20 20 20 20 25 %8lx cr2 % d54e8: 38 78 20 63 72 33 20 20 20 20 25 38 6c 78 20 63 8x cr3 %8lx c d54f8: 72 34 20 20 20 20 25 38 6c 78 0a 0a 00 r4 %8lx... [-- Attachment #3: Type: text/plain, Size: 138 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel ^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  7:58 ` Brady Chen
@ 2007-08-07  8:02 ` Keir Fraser
  2007-08-07  8:22 ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 8:02 UTC
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

D037C is not particularly interesting. It is just showing that the trap
handler called halt() after dumping the register state. More interesting is
cs:eip=10:d0800. This looks like the original trap-6 occurred at linear
address (0x10<<4)+0xd0800 == 0xd0900. Is there anything interesting in the
objdump at 0xd0900? (or 0xd0800, as I'm not 100% sure about the cs value).

 -- Keir

On 7/8/07 08:58, "Brady Chen" <chenchp@gmail.com> wrote:

> now I'm using the un-stable version to build hvmloader (only hvmloader
> rebuild, xen and domain0 kernel is not touched), the same problem.
>
> (XEN) HVM1: Trap (0x6) while in real mode
> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> (XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
> (XEN) HVM1: trapno 6 errno 0
> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> (XEN) HVM1: uesp D75B4 uss 2
> (XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM1:
> (XEN) HVM1: Halt called from %eip 0xD037C
>
> here are some snippets from objdump, and I attach the whole objdump as the
> attachment.
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  8:02 ` Keir Fraser
@ 2007-08-07  8:22 ` Brady Chen
  2007-08-07  8:47 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 8:22 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi, here is the output; you could get the whole dump from the attachment
of my last mail.
So, there should be an unsupported instruction at 0xd0900 or 0xd0800?

thanks

   d07ec: 8d 04 16             lea    (%esi,%edx,1),%eax
   d07ef: e9 2f ff ff ff       jmp    d0723 <address+0x23>
   d07f4: 8b 55 08             mov    0x8(%ebp),%edx
   d07f7: 89 f8                mov    %edi,%eax
   d07f9: 8b 5d f4             mov    0xfffffff4(%ebp),%ebx
   d07fc: 8b 75 f8             mov    0xfffffff8(%ebp),%esi
   d07ff: 25 ff ff 00 00       and    $0xffff,%eax
   d0804: 8b 7d fc             mov    0xfffffffc(%ebp),%edi
   d0807: 89 ec                mov    %ebp,%esp
   d0809: c1 e0 04             shl    $0x4,%eax
   d080c: 01 d0                add    %edx,%eax
   d08e6: 8b 56 2c             mov    0x2c(%esi),%edx
   d08e9: 89 f0                mov    %esi,%eax
   d08eb: 89 1c 24             mov    %ebx,(%esp)
   d08ee: e8 0d fe ff ff       call   d0700 <address>
   d08f3: 89 5c 24 0c          mov    %ebx,0xc(%esp)
   d08f7: 8b 56 2c             mov    0x2c(%esi),%edx
   d08fa: 89 44 24 04          mov    %eax,0x4(%esp)
   d08fe: c7 04 24 2e 4b 0d 00 movl   $0xd4b2e,(%esp)
   d0905: 89 54 24 08          mov    %edx,0x8(%esp)
   d0909: e8 c2 30 00 00       call   d39d0 <printf>
   d090e: a1 04 76 0d 00       mov    0xd7604,%eax
   d0913: c7 04 24 43 4b 0d 00 movl   $0xd4b43,(%esp)
   d091a: 89 44 24 04          mov    %eax,0x4(%esp)
   d091e: e8 ad 30 00 00       call   d39d0 <printf>
   d0923: 89 3c 24             mov    %edi,(%esp)
   d0926: 8d 45 14             lea    0x14(%ebp),%eax
   d0929: 89 44 24 04          mov    %eax,0x4(%esp)
   d092d: e8 7e 30 00 00       call   d39b0 <vprintf

On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> D037C is not particularly interesting. It is just showing that the trap
> handler called halt() after dumping the register state. More interesting is
> cs:eip=10:d0800. This looks like the original trap-6 occurred at linear
> address (0x10<<4)+0xd0800 == 0xd0900. Is there anything interesting in the
> objdump at 0xd0900? (or 0xd0800, as I'm not 100% sure about the cs value).
>
> -- Keir
>
> On 7/8/07 08:58, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > now I'm using the un-stable version to build hvmloader (only hvmloader
> > rebuild, xen and domain0 kernel is not touched), the same problem.
> >
> > (XEN) HVM1: Trap (0x6) while in real mode
> > (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> > (XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
> > (XEN) HVM1: trapno 6 errno 0
> > (XEN) HVM1: eip D0800 cs 10 eflags 13046
> > (XEN) HVM1: uesp D75B4 uss 2
> > (XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
> > (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> > (XEN) HVM1:
> > (XEN) HVM1: Halt called from %eip 0xD037C
> >
> > here are some snippets from objdump, and I attach the whole objdump as the
> > attachment.
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  8:22 ` Brady Chen
@ 2007-08-07  8:47 ` Keir Fraser
  2007-08-07  9:06 ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 8:47 UTC
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

On 7/8/07 09:22, "Brady Chen" <chenchp@gmail.com> wrote:

> Hi, here is the output; you could get the whole dump from the attachment
> of my last mail.

Oh, I missed that!

> so, there should be an unsupported instruction at 0xd0900 or 0xd0800?

Well, there is no instruction boundary at either of those addresses. Either
the register dump is bogus or somehow we ended up jumping into the middle of
an instruction inside vmxassist. Bogus. :-(

You could try initialising the traceset variable in vmxassist/vm86.c to ~0
instead of 0. That should get you a whole load of extra tracing about
exactly what vmxassist is emulating and where. We might be able to work out
a bit more from that.

 -- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  8:47 ` Keir Fraser
@ 2007-08-07  9:06 ` Brady Chen
  2007-08-07  9:29 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 9:06 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

[-- Attachment #1: Type: text/plain, Size: 2767 bytes --]

Hi Keir,
the whole dmesg and a new objdump are attached.

# tar zcvf xendmesg_vmxdump.tar.gz xen_dmesg vmxassist.objdump2
xen_dmesg
vmxassist.objdump2

here are some snippets for your convenience:

(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM2: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM2: Trap (0x6) while in real mode
(XEN) HVM2: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM2: esp D74D4 ebp D7520 esi D74B0 edi D00
(XEN) HVM2: trapno 6 errno 0
(XEN) HVM2: eip D0800 cs 10 eflags 13046
(XEN) HVM2: uesp D75B4 uss 2
(XEN) HVM2: ves D4BC8 vds D4D26 vfs D07FE vgs D7534
(XEN) HVM2: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM2:
(XEN) HVM2: Halt called from %eip 0xD037C

   d07f7: 89 f8                mov    %edi,%eax
   d07f9: 8b 5d f4             mov    0xfffffff4(%ebp),%ebx
   d07fc: 8b 75 f8             mov    0xfffffff8(%ebp),%esi
   d07ff: 25 ff ff 00 00       and    $0xffff,%eax
   d0804: 8b 7d fc             mov    0xfffffffc(%ebp),%edi
   d0807: 89 ec                mov    %ebp,%esp
   d0809: c1 e0 04             shl    $0x4,%eax
   d080c: 01 d0                add    %edx,%eax
   d08f7: 8b 56 2c             mov    0x2c(%esi),%edx
   d08fa: 89 44 24 04          mov    %eax,0x4(%esp)
   d08fe: c7 04 24 2e 4b 0d 00 movl   $0xd4b2e,(%esp)
   d0905: 89 54 24 08          mov    %edx,0x8(%esp)
   d0909: e8 c2 30 00 00       call   d39d0 <printf>
   d090e: a1 00 76 0d 00       mov    0xd7600,%eax

the dmesg shows some instructions have been simulated,
so they should be the code just before d0900 or d0800, am I right?

On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> On 7/8/07 09:22, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi, here is the output; you could get the whole dump from the attachment
> > of my last mail.
>
> Oh, I missed that!
>
> > so, there should be an unsupported instruction at 0xd0900 or 0xd0800?
>
> Well, there is no instruction boundary at either of those addresses. Either
> the register dump is bogus or somehow we ended up jumping into the middle of
> an instruction inside vmxassist. Bogus. :-(
>
> You could try initialising the traceset variable in vmxassist/vm86.c to ~0
> instead of 0. That should get you a whole load of extra tracing about
> exactly what vmxassist is emulating and where. We might be able to work out
> a bit more from that.
>
> -- Keir
>

[-- Attachment #2: xendmesg_vmxdump.tar.gz --]
[-- Type: application/x-gzip, Size: 48963 bytes --]
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  9:06 ` Brady Chen
@ 2007-08-07  9:29 ` Keir Fraser
  2007-08-07  9:35 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 9:29 UTC
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

On 7/8/07 10:06, "Brady Chen" <chenchp@gmail.com> wrote:

> the dmesg shows some instructions have been simulated,
> so they should be the code just before d0900 or d0800, am I right?

No. What is happening is that vmxassist is trying to emulate as far as it
can into real-mode execution at around linear address d71b-d71f, until it
sees an instruction that it cannot decode. When it sees an instruction it
does not understand it prints out "opc <opcode number>". Since there is no
such output immediately before the trap, this means that vmxassist was still
in its emulation loop and vmxassist itself crashed. This makes sense because
the faulting eip is somewhere in vmxassist's code (albeit not on an
instruction boundary!). The faulting linear address is definitely d0800, so
that is the interesting area of the vmxassist objdump.

What would be useful is to try to add tracing to see how far vmxassist gets
after its last line of tracing before the trap occurs. That last line is
currently from vm86.c, line 620. You might try adding extra printf()
statements immediately after the write16() on line 622, and also at the top
of the opcode() function. We need to find out at what point vmxassist is
jumping to this bogus address d0800.

 -- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07  9:29   ` Keir Fraser
@ 2007-08-07  9:35     ` Keir Fraser
  2007-08-07 10:30       ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07  9:35 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:

> What would be useful is to try to add tracing to see how far vmxassist gets
> after its last line of tracing before the trap occurs. That last line is
> currently from vm86.c, line 620. You might try adding extra printf()
> statements immediately after the write16() on line 622, and also at the top
> of the opcode() function. We need to find out at what point vmxassist is
> jumping to this bogus address d0800.

Oh, another possibility is that vmxassist has been corrupted in memory. This
is particularly likely because, according to the objdump, the 'instruction'
that starts at d0800 is actually valid (it'd be an ADD of some sort).

So, within trap() you might want to read say 16 bytes starting at 0xd0800
and printf() them. So we can see if they match what objdump says should be
there.

-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-07 9:35 ` Keir Fraser @ 2007-08-07 10:30 ` Brady Chen 2007-08-07 10:37 ` Keir Fraser 0 siblings, 1 reply; 37+ messages in thread From: Brady Chen @ 2007-08-07 10:30 UTC (permalink / raw) To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX Hi, Keir, I made the change as you said: change diff is: [root@localhost firmware]# hg diff vmxassist/vm86.c diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800 @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; static struct regs saved_rm_regs; #ifdef DEBUG -int traceset = 0; +int traceset = ~0; char *states[] = { "<VM86_REAL>", @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, TRACE((regs, regs->eip - eip, "movw %%%s, *0x%x", rnames[r], addr)); write16(addr, MASK16(val)); + printf("after write16 of movw\n"); } return 1; @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) unsigned eip = regs->eip; unsigned opc, modrm, disp; unsigned prefix = 0; + printf("top of opcode\n"); if (mode == VM86_PROTECTED_TO_REAL && oldctx.cs_arbytes.fields.default_ops_size) { 
@@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs if (trapno == 14) printf("Page fault address 0x%x\n", get_cr2()); dump_regs(regs); + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800)); + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804)); halt(); } } here is the output: (XEN) HVM6: top of opcode (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 (XEN) HVM6: top of opcode (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE (XEN) HVM6: after write16 of movw (XEN) HVM6: top of opcode (XEN) HVM6: Trap (0x6) while in real mode (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00 (XEN) HVM6: trapno 6 errno 0 (XEN) HVM6: eip D0800 cs 10 eflags 13046 (XEN) HVM6: uesp D4C29 uss 2 (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4 (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651 (XEN) HVM6: (XEN) HVM6: 0xd0800 is 0xFFFF (XEN) HVM6: 0xd0804 is 0x7D8B (XEN) HVM6: Halt called from %eip 0xD037C objdump: d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> d07f4: 8b 55 08 mov 0x8(%ebp),%edx d07f7: 89 f8 mov %edi,%eax d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi d07ff: 25 ff ff 00 00 and $0xffff,%eax d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi d0807: 89 ec mov %ebp,%esp d0809: c1 e0 04 shl $0x4,%eax d080c: 01 d0 add %edx,%eax d080e: 5d pop %ebp seems the memory is correct, it's crashed in opcode() and i think it's fetch8(regs) which crash the system. I tried fetch8(regs) in trap(), but it cause more traps, and let the hvm guest be reset. On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > > > What would be useful is to try to add tracing to see how far vmxassist gets > > after its last line of tracing before the trap occurs. That last line is > > currently from vm86.c, line 620. 
> > You might try adding extra printf()
> > statements immediately after the write16() on line 622, and also at the top
> > of the opcode() function. We need to find out at what point vmxassist is
> > jumping to this bogus address d0800.
>
> Oh, another possibility is that vmxassist has been corrupted in memory. This
> is particularly likely because, according to the objdump, the 'instruction'
> that starts at d0800 is actually valid (it'd be an ADD of some sort).
>
> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> and printf() them. So we can see if they match what objdump says should be
> there.
>
> -- Keir
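Review bot: the trap() hunk reads only two isolated words, at 0xd0800 and 0xd0804, so it says nothing about the bytes just before the faulting eip, 0xd07fc-0xd07ff, which the objdump shows as the `mov 0xfffffff8(%ebp),%esi` and the start of `and $0xffff,%eax`; that range is worth reading back because the last traced guest instruction, `movw %ax, *0xD07FE`, performed a 16-bit write16() to 0xd07fe-0xd07ff. Dump a contiguous window as suggested, e.g. 16 bytes from 0xd07f8, and compare it byte for byte with the objdump rather than spot-reading two words. Minor: `"0x%0x"` uses the zero-pad flag with no width, so it prints exactly like `0x%x`; `0x%04x` would show a 16-bit word at fixed width.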
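Keir's suggestion to read memory back and compare it with what objdump says, done as an added example of my own rather than code from vmxassist or from either poster. It parses the objdump lines quoted in this message into an expected-bytes map, takes the same 16-bit little-endian view as the `*(unsigned short *)` spot reads above, and reports every byte of a snapshot that differs from objdump. The window base and size, and the corrupted snapshot used to show a detection, are constructed for the example.

```c
/* Added example, not vmxassist code. REGION_BASE/REGION_SIZE and the
 * corrupted snapshot in demo() are constructed; the objdump lines are the
 * ones quoted in the thread. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_BASE 0xd07e0u   /* constructed: start of the window we model */
#define REGION_SIZE 0x40u

static const char *objdump_lines[] = {
    "d07ef: e9 2f ff ff ff    jmp d0723 <address+0x23>",
    "d07f4: 8b 55 08          mov 0x8(%ebp),%edx",
    "d07f7: 89 f8             mov %edi,%eax",
    "d07f9: 8b 5d f4          mov 0xfffffff4(%ebp),%ebx",
    "d07fc: 8b 75 f8          mov 0xfffffff8(%ebp),%esi",
    "d07ff: 25 ff ff 00 00    and $0xffff,%eax",
    "d0804: 8b 7d fc          mov 0xfffffffc(%ebp),%edi",
    "d0807: 89 ec             mov %ebp,%esp",
    "d0809: c1 e0 04          shl $0x4,%eax",
    "d080c: 01 d0             add %edx,%eax",
    "d080e: 5d                pop %ebp",
};

static uint8_t expected[REGION_SIZE];  /* bytes objdump lists */
static uint8_t known[REGION_SIZE];     /* 1 where objdump told us the byte */
static int loaded_bytes = -1;

/* Parse "addr: b0 b1 .. mnemonic": each leading two-hex-digit token is a byte;
 * the first token that is not exactly two hex digits starts the mnemonic. */
static int parse_objdump_line(const char *line)
{
    unsigned addr;
    int pos = 0, n = 0;
    if (sscanf(line, "%x:%n", &addr, &pos) != 1)
        return -1;
    for (const char *p = line + pos; ; p += 2, n++) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) ||
            !(p[2] == ' ' || p[2] == '\t' || p[2] == '\0'))
            break;
        unsigned b, off = addr + (unsigned)n - REGION_BASE;
        if (off >= REGION_SIZE || sscanf(p, "%2x", &b) != 1)
            return -1;
        expected[off] = (uint8_t)b;
        known[off] = 1;
    }
    return n;
}

/* Build the expected map once; returns the number of bytes objdump covers. */
int load_objdump(void)
{
    if (loaded_bytes >= 0)
        return loaded_bytes;
    int total = 0;
    for (size_t i = 0; i < sizeof objdump_lines / sizeof objdump_lines[0]; i++) {
        int n = parse_objdump_line(objdump_lines[i]);
        if (n < 0)
            return -1;
        total += n;
    }
    return loaded_bytes = total;
}

/* 16-bit little-endian read, the view *(unsigned short *)addr gives in the patch. */
static unsigned read16le(const uint8_t *mem, uint32_t addr)
{
    uint32_t off = addr - REGION_BASE;
    return mem[off] | (mem[off + 1] << 8);
}

/* What the two spot reads in the patch should print if memory is intact. */
unsigned expected_word(uint32_t addr)
{
    load_objdump();
    return read16le(expected, addr);
}

/* Compare a snapshot of the window with objdump; print and count differences. */
int check_region(const uint8_t *snapshot)
{
    int bad = 0;
    load_objdump();
    for (uint32_t i = 0; i < REGION_SIZE; i++)
        if (known[i] && snapshot[i] != expected[i]) {
            printf("0x%05x: have 0x%02x, objdump says 0x%02x\n",
                   REGION_BASE + i, snapshot[i], expected[i]);
            bad++;
        }
    return bad;
}

/* demo(0): a snapshot equal to objdump passes. demo(1): the same snapshot
 * with a constructed two-byte overwrite at 0xd07fe-0xd07ff is caught. */
int demo(int corrupt)
{
    uint8_t snap[REGION_SIZE];
    load_objdump();
    memcpy(snap, expected, REGION_SIZE);
    if (corrupt) {
        snap[0xd07fe - REGION_BASE] = 0x00;
        snap[0xd07ff - REGION_BASE] = 0x0d;
    }
    return check_region(snap);
}

int main(void)
{
    printf("0xd0800 is 0x%04X, 0xd0804 is 0x%04X\n",
           expected_word(0xd0800), expected_word(0xd0804));
    printf("intact: %d mismatches, corrupted: %d mismatches\n", demo(0), demo(1));
    return 0;
}
```

The two expected words come out as 0xFFFF and 0x7D8B, the same values the patched trap() printed, which is why two spot reads could not distinguish an intact image from one damaged a couple of bytes earlier; the whole-window comparison can.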
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07 10:30   ` Brady Chen
@ 2007-08-07 10:37     ` Keir Fraser
  2007-08-07 11:03       ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 10:37 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

How about trying:
    printf("Before fetch8\n");
    dump_regs(regs);
    opc = fetch8(regs);
    printf("After fetch8\n");
    switch (opc) { ...

This will let you see what eip is being fetched from, and also confirm that
the crash happens within fetch8().

You could also try adding more printf()s inside fetch8() and address() to
find out which specific bit of fetch8() is crashing (if that is indeed the
function that is crashing).

-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07 10:37   ` Keir Fraser
@ 2007-08-07 11:03     ` Brady Chen
  2007-08-07 11:35       ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 11:03 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi, yes, it's crashed in fetch8. It's very slow after I add this print info.
The main function of fetch8 seems to be address(). Seems crashed in address().

(XEN) HVM7: after write16 of movw
(XEN) HVM7: top of opcode
(XEN) HVM7: Before fetch8
(XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
(XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
(XEN) HVM7: trapno D errno 0
(XEN) HVM7: eip 71F cs D00 eflags 33206
(XEN) HVM7: uesp CFB4 uss 0
(XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM7:
(XEN) HVM7: Trap (0x6) while in real mode
(XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
(XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
(XEN) HVM7: trapno 6 errno 0
(XEN) HVM7: eip D0800 cs 10 eflags 13046
(XEN) HVM7: uesp 71F uss D76D4
(XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
(XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM7:
(XEN) HVM7: 0xd0800 is 0xFFFF
(XEN) HVM7: 0xd0804 is 0x7D8B
(XEN) HVM7: Halt called from %eip 0xD037C

On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> How about trying:
>     printf("Before fetch8\n");
>     dump_regs(regs);
>     opc = fetch8(regs);
>     printf("After fetch8\n");
>     switch (opc) { ...
>
> This will let you see what eip is being fetched from, and also confirm that
> the crash happens within fetch8().
>
> You could also try adding more printf()s inside fetch8() and address() to
> find out which specific bit of fetch8() is crashing (if that is indeed the
> function that is crashing).
>
> -- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-07 11:03 ` Brady Chen @ 2007-08-07 11:35 ` Brady Chen 2007-08-07 11:50 ` Keir Fraser 0 siblings, 1 reply; 37+ messages in thread From: Brady Chen @ 2007-08-07 11:35 UTC (permalink / raw) To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX it's strange: if i add these prints, i get " Unknown opcode", not "trap". ===added printf [root@localhost firmware]# hg diff -p vmxassist/vm86.c diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; static struct regs saved_rm_regs; #ifdef DEBUG -int traceset = 0; +int traceset = ~0; char *states[] = { "<VM86_REAL>", @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, unsigned seg_base, seg_limit; unsigned entry_low, entry_high; + printf("f 1\n"); if (seg == 0) { if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) return off; @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, panic("segment is zero, but not in real mode!\n"); } + printf("f 2\n"); if (mode == VM86_REAL || seg > oldctx.gdtr_limit || (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) return ((seg & 0xFFFF) << 4) + off; + printf("f 3\n"); gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); + printf("f 4\n"); if (gdt_phys_base != (uint32_t)gdt_phys_base) { + printf("f 5\n"); printf("gdt base address above 4G\n"); cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); } else 
@@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF); seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); + printf("f 6\n"); if (entry_high & 0x8000 && ((entry_high & 0x800000 && off >> 12 <= seg_limit) || (!(entry_high & 0x800000) && off <= seg_limit))) return seg_base + off; + printf("f 7\n"); panic("should never reach here in function address():\n\t" "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n", entry_high, entry_low, mode, seg, off); + printf("f 8\n"); return 0; } 
@@ -286,6 +294,7 @@ fetch8(struct regs *regs) unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); regs->eip++; + printf("f 9\n"); return read8(addr); } ===output when add many printf (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 (XEN) HVM12: f 2 (XEN) HVM12: f 9 (XEN) HVM12: f 1 (XEN) HVM12: f 2 (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 (XEN) HVM12: f 2 (XEN) HVM12: f 9 (XEN) HVM12: f 1 (XEN) HVM12: f 2 (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 (XEN) HVM12: f 2 (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 (XEN) HVM12: Halt called from %eip 0xD3B4A On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > Hi, yes, it's crashed in fetch8. it's very slow after I add this print info. > the main function of fetch8 seems to be address(). seems crashed in address(). > > (XEN) HVM7: after write16 of movw > (XEN) HVM7: top of opcode > (XEN) HVM7: Before fetch8 > (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E > (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE > (XEN) HVM7: trapno D errno 0 > (XEN) HVM7: eip 71F cs D00 eflags 33206 > (XEN) HVM7: uesp CFB4 uss 0 > (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0 > (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > (XEN) HVM7: > (XEN) HVM7: Trap (0x6) while in real mode > (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89 > (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00 > (XEN) HVM7: trapno 6 errno 0 > (XEN) HVM7: eip D0800 cs 10 eflags 13046 > (XEN) HVM7: uesp 71F uss D76D4 > (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644 > (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > (XEN) HVM7: > (XEN) HVM7: 0xd0800 is 0xFFFF > (XEN) HVM7: 0xd0804 is 0x7D8B > (XEN) HVM7: Halt called from %eip 0xD037C > > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > > How about trying: > > printf("Before fetch8\n"); > > dump_regs(regs); > > opc = fetch8(regs); > > printf("After fetch8\n"); > > switch (opc) { ... 
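Review bot: in the address() hunk the markers `printf("f 7\n")` and `printf("f 8\n")` bracket a panic() call, so "f 8" can never print and "f 7" only repeats what panic() already reports; and in the fetch8() hunk "f 9" is printed before `return read8(addr)` runs, so a crash inside read8() would still leave "f 9" as the last line. If the aim is to bracket the read, capture it first (`unsigned char v = read8(addr); printf("f 9\n"); return v;`). The captured output also shows "f 3" to "f 6" never appearing, so every address() call in that run took the real-mode `((seg & 0xFFFF) << 4) + off` return and the descriptor-lookup branch is not the path to instrument; and the markers are appended to the TRACE() text on the same console line ("addr32addr32f 1"), so the trace output was not newline-terminated. Since address() runs for every fetched byte, a printf() on that path slows the whole boot, consistent with the slowdown reported in the previous message, and changes the timing against which the "external interrupt" traces later in the thread arrive.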
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-07 11:35   ` Brady Chen
@ 2007-08-07 11:50     ` Keir Fraser
  2007-08-07 16:06       ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 11:50 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Very weird. The emulations now aren't at the same address as before either
(0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
printf()s -- is it at all possible that the guest is executing down a
different path here for other reasons?

If it's really down to the printf()s then I guess you'll have to
shuffle/remove printf()s to get the old behaviour back.

-- Keir

On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:

> it's strange:
> if I add these prints, I get "Unknown opcode", not "trap".
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-07 11:50 ` Keir Fraser @ 2007-08-07 16:06 ` Brady Chen 2007-08-07 16:26 ` Keir Fraser 0 siblings, 1 reply; 37+ messages in thread 
From: Brady Chen @ 2007-08-07 16:06 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Yes, the printfs are the only changes. Once I remove these prints, the trap comes back, with the same EIP (D0800).

I tried to keep the first two printfs; the trap comes with a different EIP (D19FD):

static unsigned
address(struct regs *regs, unsigned seg, unsigned off)
{
    uint64_t gdt_phys_base;
    unsigned long long entry;
    unsigned seg_base, seg_limit;
    unsigned entry_low, entry_high;

    printf("f 1\n");
    if (seg == 0) {
        if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
            return off;
        else
            panic("segment is zero, but not in real mode!\n");
    }

    printf("f 2\n");

xen dmesg output:
(XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM3: f 1
(XEN) HVM3: f 2
(XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
(XEN) HVM3: f 1
(XEN) HVM3: f 1
(XEN) HVM3: f 1
(XEN) HVM3: Trap (0x6) while in real mode
(XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
(XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
(XEN) HVM3: trapno 6 errno 0
(XEN) HVM3: eip D19FD cs 10 eflags 13046
(XEN) HVM3: uesp CFAE uss 0
(XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
(XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM3:
(XEN) HVM3: Halt called from %eip 0xD037C

and the objdump shows that:
000d1970 <interrupt>:
d1970: 55 push %ebp
d1971: 89 e5 mov %esp,%ebp
d1973: 57 push %edi
d1974: 89 d7 mov %edx,%edi
d1976: 56 push %esi
....
d19f8: 66 89 30 mov %si,(%eax)
d19fb: 31 d2 xor %edx,%edx
d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
d1a0b: 89 d8 mov %ebx,%eax
d1a0d: 89 34 24 mov %esi,(%esp)

On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> Very weird. The emulations now aren't at the same address as before either
> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> printf()s -- is it at all possible that the guest is executing down a
> different path here for other reasons?
If it's really down to the printf()s > then I guess you'll have to shuffle/remove printf()s to get the old > behaviour back. > > -- Keir > > On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: > > > it's strange: > > if i add these prints, i get " Unknown opcode", not "trap". > > ===added printf > > [root@localhost firmware]# hg diff -p vmxassist/vm86.c > > diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > > --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > > +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 > > @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > > static struct regs saved_rm_regs; > > > > #ifdef DEBUG > > -int traceset = 0; > > +int traceset = ~0; > > > > char *states[] = { > > "<VM86_REAL>", > > @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > > unsigned seg_base, seg_limit; > > unsigned entry_low, entry_high; > > > > + printf("f 1\n"); > > if (seg == 0) { > > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > > return off; > > @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > > panic("segment is zero, but not in real mode!\n"); > > } > > > > + printf("f 2\n"); > > if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > > (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > > return ((seg & 0xFFFF) << 4) + off; > > > > + printf("f 3\n"); > > gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > > + printf("f 4\n"); > > if (gdt_phys_base != (uint32_t)gdt_phys_base) { > > + printf("f 5\n"); > > printf("gdt base address above 4G\n"); > > cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); > > } else 
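Review bot: in the `@@ -135` hunk, `printf("f 5\n")` sits directly before another printf on the same path and adds nothing, and every one of these `f N` prints runs on each address() call, i.e. once per fetched byte; the output shows that this alone is enough to perturb the run (trace lines now come from 0xd4c3 instead of 0xd71b, and `f 1` is glued onto the TRACE line as `addr32addr32f 1` because TRACE() does not end with a newline). Suggest keeping prints only on the unusual branches (`f 3` onwards), or gating them on `regs->eip` being near the suspect address, and starting each with "\n" so the log stays readable.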
> > @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > > seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF); > > seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > > > > + printf("f 6\n"); > > if (entry_high & 0x8000 && > > ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > > (!(entry_high & 0x800000) && off <= seg_limit))) > > return seg_base + off; > > + printf("f 7\n"); > > > > panic("should never reach here in function address():\n\t" > > "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n", > > entry_high, entry_low, mode, seg, off); > > + printf("f 8\n"); > > > > return 0; > > } 
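Review bot: in the `@@ -152` hunk, `printf("f 8\n")` after panic() is unreachable, since panic() does not return (the message it prints says as much: "should never reach here"), and `f 7` directly before the panic already marks that path; drop `f 8`. Unrelated to the change but on the same lines, `off >> 12 <= seg_limit` relies on `>>` binding tighter than `<=`; parenthesising `(off >> 12)` would make the limit check readable at a glance.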
> > @@ -286,6 +294,7 @@ fetch8(struct regs *regs) > > unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); > > > > regs->eip++; > > + printf("f 9\n"); > > return read8(addr); > > } > > > > ===output when add many printf > > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 > > (XEN) HVM12: f 2 > > (XEN) HVM12: f 9 > > (XEN) HVM12: f 1 > > (XEN) HVM12: f 2 > > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 > > (XEN) HVM12: f 2 > > (XEN) HVM12: f 9 > > (XEN) HVM12: f 1 > > (XEN) HVM12: f 2 > > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 > > (XEN) HVM12: f 2 > > (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 > > (XEN) HVM12: Halt called from %eip 0xD3B4A > > > > On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > >> Hi, yes, it's crashed in fetch8. it's very slow after I add this print info. > >> the main function of fetch8 seems to be address(). seems crashed in > >> address(). > >> > >> (XEN) HVM7: after write16 of movw > >> (XEN) HVM7: top of opcode > >> (XEN) HVM7: Before fetch8 > >> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E > >> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE > >> (XEN) HVM7: trapno D errno 0 > >> (XEN) HVM7: eip 71F cs D00 eflags 33206 > >> (XEN) HVM7: uesp CFB4 uss 0 > >> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0 > >> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > >> (XEN) HVM7: > >> (XEN) HVM7: Trap (0x6) while in real mode > >> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89 > >> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00 > >> (XEN) HVM7: trapno 6 errno 0 > >> (XEN) HVM7: eip D0800 cs 10 eflags 13046 > >> (XEN) HVM7: uesp 71F uss D76D4 > >> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644 > >> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > >> (XEN) HVM7: > >> (XEN) HVM7: 0xd0800 is 0xFFFF > >> (XEN) HVM7: 0xd0804 is 0x7D8B > >> (XEN) HVM7: Halt called from %eip 0xD037C > >> > >> > >> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>> How about trying: > >>> printf("Before fetch8\n"); > >>> 
dump_regs(regs); > >>> opc = fetch8(regs); > >>> printf("After fetch8\n"); > >>> switch (opc) { ... > >>> > >>> This will let you see what eip is being fetched from, and also confirm that > >>> the crash happens within fetch8(). > >>> > >>> You could also try adding more printf()s inside fetch8() and address() to > >>> find out which specific bit of fetch8() is crashing (if that indeed the > >>> function that is crashing). > >>> > >>> -- Keir > >>> > >>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: > >>> > >>>> Hi, Keir, > >>>> I made the change as you said: > >>>> change diff is: > >>>> [root@localhost firmware]# hg diff vmxassist/vm86.c > >>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800 > >>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>> static struct regs saved_rm_regs; > >>>> > >>>> #ifdef DEBUG > >>>> -int traceset = 0; > >>>> +int traceset = ~0; > >>>> > >>>> char *states[] = { > >>>> "<VM86_REAL>", > >>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, > >>>> TRACE((regs, regs->eip - eip, > >>>> "movw %%%s, *0x%x", rnames[r], addr)); > >>>> write16(addr, MASK16(val)); > >>>> + printf("after write16 of movw\n"); > >>>> } > >>>> return 1; > >>>> > >>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) > >>>> unsigned eip = regs->eip; > >>>> unsigned opc, modrm, disp; > >>>> unsigned prefix = 0; > >>>> + printf("top of opcode\n"); > >>>> > >>>> if (mode == VM86_PROTECTED_TO_REAL && > >>>> oldctx.cs_arbytes.fields.default_ops_size) { 
> >>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs > >>>> if (trapno == 14) > >>>> printf("Page fault address 0x%x\n", get_cr2()); > >>>> dump_regs(regs); > >>>> + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800)); > >>>> + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804)); > >>>> halt(); > >>>> } > >>>> } > >>>> > >>>> > >>>> here is the output: > >>>> (XEN) HVM6: top of opcode > >>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 > >>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>> (XEN) HVM6: top of opcode > >>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: > >>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 > >>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE > >>>> (XEN) HVM6: after write16 of movw > >>>> (XEN) HVM6: top of opcode > >>>> (XEN) HVM6: Trap (0x6) while in real mode > >>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E > >>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00 > >>>> (XEN) HVM6: trapno 6 errno 0 > >>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 > >>>> (XEN) HVM6: uesp D4C29 uss 2 > >>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4 > >>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651 > >>>> (XEN) HVM6: > >>>> (XEN) HVM6: 0xd0800 is 0xFFFF > >>>> (XEN) HVM6: 0xd0804 is 0x7D8B > >>>> (XEN) HVM6: Halt called from %eip 0xD037C > >>>> > >>>> objdump: > >>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> > >>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx > >>>> d07f7: 89 f8 mov %edi,%eax > >>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx > >>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi > >>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax > >>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi > >>>> d0807: 89 ec mov %ebp,%esp > >>>> d0809: c1 e0 04 shl $0x4,%eax > >>>> d080c: 01 d0 add %edx,%eax > >>>> d080e: 5d pop %ebp > >>>> > >>>> seems the memory is correct, it's crashed in opcode() > >>>> and i think it's fetch8(regs) which crash the system. 
I tried > >>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm guest > >>>> be reset. > >>>> > >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > >>>>> > >>>>>> What would be useful is to try to add tracing to see how far vmxassist > >>>>>> gets > >>>>>> after its last line of tracing before the trap occurs. That last line is > >>>>>> currently from vm86.c, line 620. You might try adding extra printf() > >>>>>> statements imemdiately after the write16() on line 622, and also at the > >>>>>> top > >>>>>> of the opcode() function. We need to find out at what point vmxassist is > >>>>>> jumping to this bogus address d0800. > >>>>> > >>>>> Oh, another possibility is that vmxassist has been corrupted in memory. > >>>>> This > >>>>> is particularly likely because, according to the objdump, the > >>>>> 'instruction' > >>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort). > >>>>> > >>>>> So, within trap() you might want to read say 16 bytes starting at 0xd0800 > >>>>> and printf() them. So we can see if they match what objdump says should be > >>>>> there. > >>>>> > >>>>> -- Keir > >>>>> > >>>>> > >>>> > >>>> _______________________________________________ > >>>> Xen-devel mailing list > >>>> Xen-devel@lists.xensource.com > >>>> http://lists.xensource.com/xen-devel > >>> > >>> > >> > > > > _______________________________________________ > > Xen-devel mailing list > > Xen-devel@lists.xensource.com > > http://lists.xensource.com/xen-devel > > ^ permalink raw reply [flat|nested] 37+ messages in thread
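Review bot: in the fetch8() hunk (`@@ -286`), `f 9` is printed after `regs->eip++` but before read8(), so it marks "address() returned" rather than "the byte was read". More importantly, address() has callers other than fetch8(): the final output lines show `f 1`, `f 2` and then "Unknown opcode at 0D00:04C3=0xD4C3" with no `f 9`, which suggests that last address() call came from the error path and not from fetch8(). Tag each print with its caller (pass `__func__`, or print the `seg:off` pair) so the path that dies can be told apart, and move `f 9` after read8() if the aim is to prove the read itself completed.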
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-07 16:06 ` Brady Chen @ 2007-08-07 16:26 ` Keir Fraser 2007-08-08 7:37 ` Brady Chen 0 siblings, 1 reply; 37+ messages in thread 
From: Keir Fraser @ 2007-08-07 16:26 UTC (permalink / raw) To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX Stack corruption/overflow, possibly? K. On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote: > Yes, the printfs are the only changes. once I remove these prints, the > trap comes back, with the same EIP (D0800) > > I tried to keep the first two printfs, the trap comes with different > EIP(D19FD) > static unsigned > address(struct regs *regs, unsigned seg, unsigned off) > { > uint64_t gdt_phys_base; > unsigned long long entry; > unsigned seg_base, seg_limit; > unsigned entry_low, entry_high; > > printf("f 1\n"); > if (seg == 0) { > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > return off; > else > panic("segment is zero, but not in real mode!\n"); > } > > printf("f 2\n"); > > xen dmesg output: > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > (XEN) HVM3: f 1 > (XEN) HVM3: f 2 > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 > (XEN) HVM3: f 1 > (XEN) HVM3: f 1 > (XEN) HVM3: f 1 > (XEN) HVM3: Trap (0x6) while in real mode > (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4 > (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8 > (XEN) HVM3: trapno 6 errno 0 > (XEN) HVM3: eip D19FD cs 10 eflags 13046 > (XEN) HVM3: uesp CFAE uss 0 > (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F > (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651 > (XEN) HVM3: > (XEN) HVM3: Halt called from %eip 0xD037C > > > and the objdump shows that: > 000d1970 <interrupt>: > d1970: 55 push %ebp > d1971: 89 e5 mov %esp,%ebp > d1973: 57 push %edi > d1974: 89 d7 mov %edx,%edi > d1976: 56 push %esi > .... > d19f8: 66 89 30 mov %si,(%eax) > d19fb: 31 d2 xor %edx,%edx > d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi > d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) > d1a0b: 89 d8 mov %ebx,%eax > d1a0d: 89 34 24 mov %esi,(%esp) > > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >> Very weird. 
The emulations now aren't at the same address as before either >> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these >> printf()s -- is it at all possible that the guest is executing down a >> different path here for other reasons? If it's really down to the printf()s >> then I guess you'll have to shuffle/remove printf()s to get the old >> behaviour back. >> >> -- Keir >> >> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: >> >>> it's strange: >>> if i add these prints, i get " Unknown opcode", not "trap". >>> ===added printf >>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c >>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c >>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 >>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 >>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; >>> static struct regs saved_rm_regs; >>> >>> #ifdef DEBUG >>> -int traceset = 0; >>> +int traceset = ~0; >>> >>> char *states[] = { >>> "<VM86_REAL>", >>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, >>> unsigned seg_base, seg_limit; >>> unsigned entry_low, entry_high; >>> >>> + printf("f 1\n"); >>> if (seg == 0) { >>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) >>> return off; >>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, >>> panic("segment is zero, but not in real mode!\n"); >>> } >>> >>> + printf("f 2\n"); >>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || >>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) >>> return ((seg & 0xFFFF) << 4) + off; >>> >>> + printf("f 3\n"); >>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); >>> + printf("f 4\n"); >>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { >>> + printf("f 5\n"); >>> printf("gdt base address above 4G\n"); >>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); >>> } else 
>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, >>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF); >>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); >>> >>> + printf("f 6\n"); >>> if (entry_high & 0x8000 && >>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || >>> (!(entry_high & 0x800000) && off <= seg_limit))) >>> return seg_base + off; >>> + printf("f 7\n"); >>> >>> panic("should never reach here in function address():\n\t" >>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n", >>> entry_high, entry_low, mode, seg, off); >>> + printf("f 8\n"); >>> >>> return 0; >>> } 
>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) >>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); >>> >>> regs->eip++; >>> + printf("f 9\n"); >>> return read8(addr); >>> } >>> >>> ===output when add many printf >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 >>> (XEN) HVM12: f 2 >>> (XEN) HVM12: f 9 >>> (XEN) HVM12: f 1 >>> (XEN) HVM12: f 2 >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 >>> (XEN) HVM12: f 2 >>> (XEN) HVM12: f 9 >>> (XEN) HVM12: f 1 >>> (XEN) HVM12: f 2 >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 >>> (XEN) HVM12: f 2 >>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 >>> (XEN) HVM12: Halt called from %eip 0xD3B4A >>> >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: >>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print >>>> info. >>>> the main function of fetch8 seems to be address(). seems crashed in >>>> address(). >>>> >>>> (XEN) HVM7: after write16 of movw >>>> (XEN) HVM7: top of opcode >>>> (XEN) HVM7: Before fetch8 >>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E >>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE >>>> (XEN) HVM7: trapno D errno 0 >>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 >>>> (XEN) HVM7: uesp CFB4 uss 0 >>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0 >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 >>>> (XEN) HVM7: >>>> (XEN) HVM7: Trap (0x6) while in real mode >>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89 >>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00 >>>> (XEN) HVM7: trapno 6 errno 0 >>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 >>>> (XEN) HVM7: uesp 71F uss D76D4 >>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644 >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 >>>> (XEN) HVM7: >>>> (XEN) HVM7: 0xd0800 is 0xFFFF >>>> (XEN) HVM7: 0xd0804 is 0x7D8B >>>> (XEN) HVM7: Halt called from %eip 0xD037C >>>> >>>> >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >>>>> How about trying: >>>>> printf("Before fetch8\n"); 
>>>>> dump_regs(regs); >>>>> opc = fetch8(regs); >>>>> printf("After fetch8\n"); >>>>> switch (opc) { ... >>>>> >>>>> This will let you see what eip is being fetched from, and also confirm >>>>> that >>>>> the crash happens within fetch8(). >>>>> >>>>> You could also try adding more printf()s inside fetch8() and address() to >>>>> find out which specific bit of fetch8() is crashing (if that indeed the >>>>> function that is crashing). >>>>> >>>>> -- Keir >>>>> >>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: >>>>> >>>>>> Hi, Keir, >>>>>> I made the change as you said: >>>>>> change diff is: >>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800 >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; >>>>>> static struct regs saved_rm_regs; >>>>>> >>>>>> #ifdef DEBUG >>>>>> -int traceset = 0; >>>>>> +int traceset = ~0; >>>>>> >>>>>> char *states[] = { >>>>>> "<VM86_REAL>", >>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, >>>>>> TRACE((regs, regs->eip - eip, >>>>>> "movw %%%s, *0x%x", rnames[r], addr)); >>>>>> write16(addr, MASK16(val)); >>>>>> + printf("after write16 of movw\n"); >>>>>> } >>>>>> return 1; >>>>>> >>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) >>>>>> unsigned eip = regs->eip; >>>>>> unsigned opc, modrm, disp; >>>>>> unsigned prefix = 0; >>>>>> + printf("top of opcode\n"); >>>>>> >>>>>> if (mode == VM86_PROTECTED_TO_REAL && >>>>>> oldctx.cs_arbytes.fields.default_ops_size) { 
>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs >>>>>> if (trapno == 14) >>>>>> printf("Page fault address 0x%x\n", get_cr2()); >>>>>> dump_regs(regs); >>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned >>>>>> short*)0xd0800)); >>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned >>>>>> short*)0xd0804)); >>>>>> halt(); >>>>>> } >>>>>> } >>>>>> >>>>>> >>>>>> here is the output: >>>>>> (XEN) HVM6: top of opcode >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 >>>>>> (XEN) HVM6: top of opcode >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 >>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE >>>>>> (XEN) HVM6: after write16 of movw >>>>>> (XEN) HVM6: top of opcode >>>>>> (XEN) HVM6: Trap (0x6) while in real mode >>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx >>>>>> 71E >>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi >>>>>> D00 >>>>>> (XEN) HVM6: trapno 6 errno 0 >>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 >>>>>> (XEN) HVM6: uesp D4C29 uss 2 >>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs >>>>>> D75B4 >>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 >>>>>> 651 >>>>>> (XEN) HVM6: >>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF >>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B >>>>>> (XEN) HVM6: Halt called from %eip 0xD037C >>>>>> >>>>>> objdump: >>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> >>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx >>>>>> d07f7: 89 f8 mov %edi,%eax >>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx >>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi >>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax >>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi >>>>>> d0807: 89 ec mov %ebp,%esp >>>>>> d0809: c1 e0 04 shl $0x4,%eax >>>>>> d080c: 01 d0 add %edx,%eax >>>>>> d080e: 5d pop %ebp >>>>>> >>>>>> seems the memory is correct, it's crashed in opcode() >>>>>> and i think it's fetch8(regs) which crash the system. 
I tried >>>>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm guest >>>>>> be reset. >>>>>> >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: >>>>>>> >>>>>>>> What would be useful is to try to add tracing to see how far vmxassist >>>>>>>> gets >>>>>>>> after its last line of tracing before the trap occurs. That last line >>>>>>>> is >>>>>>>> currently from vm86.c, line 620. You might try adding extra printf() >>>>>>>> statements imemdiately after the write16() on line 622, and also at the >>>>>>>> top >>>>>>>> of the opcode() function. We need to find out at what point vmxassist >>>>>>>> is >>>>>>>> jumping to this bogus address d0800. >>>>>>> >>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory. >>>>>>> This >>>>>>> is particularly likely because, according to the objdump, the >>>>>>> 'instruction' >>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort). >>>>>>> >>>>>>> So, within trap() you might want to read say 16 bytes starting at >>>>>>> 0xd0800 >>>>>>> and printf() them. So we can see if they match what objdump says should >>>>>>> be >>>>>>> there. >>>>>>> >>>>>>> -- Keir >>>>>>> >>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Xen-devel mailing list >>>>>> Xen-devel@lists.xensource.com >>>>>> http://lists.xensource.com/xen-devel >>>>> >>>>> >>>> >>> >>> _______________________________________________ >>> Xen-devel mailing list >>> Xen-devel@lists.xensource.com >>> http://lists.xensource.com/xen-devel >> >> > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xensource.com > http://lists.xensource.com/xen-devel ^ permalink raw reply [flat|nested] 37+ messages in thread
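The two 16-bit samples in the trap() hunk above and Keir's request to compare 16 raw bytes at 0xd0800 with the objdump come down to one defensive check: does the emulator's own image still match what was linked, and can an emulated guest store be stopped before it lands there? The C program below is an added example, not vmxassist code or anything posted in this thread. It uses a byte array as a stand-in for guest physical memory, the known-good bytes for 0xd07ff..0xd080e copied from the quoted objdump, an image range (0xd0000..0xd4000) that is an assumption for the example rather than the real vmxassist link layout, and a constructed store value of 0x1234 for the `movw %ax, *0xD07FE` seen in the trace. check_image() compares byte-wise, so a clobber at 0xd07ff is caught even though the two sampled words at 0xd0800 and 0xd0804 still read 0xFFFF and 0x7D8B afterwards, and guarded_write16() refuses and counts stores that overlap the image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x100000u          /* 1 MiB byte array standing in for guest RAM */

/* Known-good bytes for 0xd07ff..0xd080e, copied from the objdump quoted in the thread. */
#define EXPECTED_BASE 0xd07ffu
static const uint8_t expected_bytes[] = {
    0x25, 0xff, 0xff, 0x00, 0x00,   /* d07ff: and  $0xffff,%eax          */
    0x8b, 0x7d, 0xfc,               /* d0804: mov  0xfffffffc(%ebp),%edi */
    0x89, 0xec,                     /* d0807: mov  %ebp,%esp             */
    0xc1, 0xe0, 0x04,               /* d0809: shl  $0x4,%eax             */
    0x01, 0xd0,                     /* d080c: add  %edx,%eax             */
    0x5d                            /* d080e: pop  %ebp                  */
};

/* Range treated as the emulator's own image. ASSUMED for this example; a real
 * build would take the bounds from linker symbols instead of constants. */
#define IMAGE_LO 0xd0000u
#define IMAGE_HI 0xd4000u

static uint8_t mem[MEM_SIZE];
static unsigned violations;         /* stores refused by guarded_write16() */

/* Reset memory to a clean load of the known-good bytes. */
void load_expected(void)
{
    memset(mem, 0, sizeof mem);
    memcpy(&mem[EXPECTED_BASE], expected_bytes, sizeof expected_bytes);
    violations = 0;
}

/* Little-endian 16-bit read: the same view that '*(unsigned short *)0xd0800' gives. */
unsigned read16_le(unsigned addr)
{
    return mem[addr] | ((unsigned)mem[addr + 1] << 8);
}

/* Byte-wise compare of a region with its expected contents.
 * Returns -1 if everything matches, otherwise the first differing address. */
long check_image(unsigned base, const uint8_t *want, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (mem[base + i] != want[i])
            return (long)(base + i);
    return -1;
}

/* Print raw bytes so they can be compared with objdump without byte-swapping. */
void dump_bytes(unsigned base, size_t n)
{
    printf("%05x:", base);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", mem[base + i]);
    printf("\n");
}

/* Unguarded 16-bit store: what an emulated 'movw %ax, *addr' does. */
void write16(unsigned addr, unsigned val)
{
    mem[addr]     = (uint8_t)(val & 0xff);
    mem[addr + 1] = (uint8_t)((val >> 8) & 0xff);
}

/* Guarded store: refuse any write whose two bytes overlap the image range.
 * Returns 1 if written, 0 if refused. */
int guarded_write16(unsigned addr, unsigned val)
{
    if (addr + 1 >= IMAGE_LO && addr < IMAGE_HI) {
        violations++;
        printf("refused guest store of 0x%04x to 0x%x: inside emulator image\n", val, addr);
        return 0;
    }
    write16(addr, val);
    return 1;
}

unsigned guard_violations(void) { return violations; }

/* Scenario: the traced 'movw %ax, *0xD07FE' with a constructed value, unguarded.
 * Returns the first corrupted address (0xd07ff), which neither sampled word covers. */
long run_unguarded(void)
{
    load_expected();
    write16(0xd07fe, 0x1234);       /* 0x1234 is a constructed value */
    return check_image(EXPECTED_BASE, expected_bytes, sizeof expected_bytes);
}

/* Same store through the guard: refused, image stays intact (returns -1). */
long run_guarded(void)
{
    load_expected();
    guarded_write16(0xd07fe, 0x1234);
    return check_image(EXPECTED_BASE, expected_bytes, sizeof expected_bytes);
}

int main(void)
{
    load_expected();
    dump_bytes(EXPECTED_BASE, sizeof expected_bytes);
    printf("as shorts: 0xd0800=0x%04X 0xd0804=0x%04X\n", read16_le(0xd0800), read16_le(0xd0804));
    printf("unguarded store: first mismatch at 0x%lx\n", (unsigned long)run_unguarded());
    printf("guarded store: mismatch %ld, refused %u\n", run_guarded(), guard_violations());
    return 0;
}
```

Build with `cc -std=c99 -Wall image_guard.c` and run: the clean image passes, the unguarded store moves the first mismatch to 0xd07ff while both sampled words still read 0xFFFF and 0x7D8B, and the guarded store is refused with the image intact. In a real emulator the bounds would come from linker symbols and the refusal would route to the existing trap/panic path rather than printf.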
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-07 16:26 ` Keir Fraser @ 2007-08-08 7:37 ` Brady Chen 2007-08-08 8:25 ` Brady Chen 0 siblings, 1 reply; 37+ messages in thread 
From: Brady Chen @ 2007-08-08 7:37 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

It's possible. Any ideas to trace the function stack of the xen guest, like the "bt" command in gdb?

I did some analysis:
1. the call flow is opcode()->fetch8()->address()
2. only the printf in address() will change the behaviour of the crash.
3. and the crash EIP (0xD0800) is in address(), from the objdump.
4. address() will be invoked more than 40,000 times in one simulation, before the crash.
5. there seems to be no recursive invoking in opcode(), fetch8(), address()
6. from the output of "xen dmesg", before the crash, an instruction sequence is simulated several times (you could check the previous mails I sent for the "xen dmesg" output)
7. before the trap, the simulated instruction is "movw %ax, *0xD07FE", and "*0xD07FE" is just the address of address() (you could get the objdump output from previous mails too), so I think it's the simulation which crashes the memory of address().

On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Stack corruption/overflow, possibly?
>
> K.
>
> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Yes, the printfs are the only changes.
once I remove these prints, the > > trap comes back, with the same EIP (D0800) > > > > I tried to keep the first two printfs, the trap comes with different > > EIP(D19FD) > > static unsigned > > address(struct regs *regs, unsigned seg, unsigned off) > > { > > uint64_t gdt_phys_base; > > unsigned long long entry; > > unsigned seg_base, seg_limit; > > unsigned entry_low, entry_high; > > > > printf("f 1\n"); > > if (seg == 0) { > > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > > return off; > > else > > panic("segment is zero, but not in real mode!\n"); > > } > > > > printf("f 2\n"); > > > > xen dmesg output: > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > > (XEN) HVM3: f 1 > > (XEN) HVM3: f 2 > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 > > (XEN) HVM3: f 1 > > (XEN) HVM3: f 1 > > (XEN) HVM3: f 1 > > (XEN) HVM3: Trap (0x6) while in real mode > > (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4 > > (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8 > > (XEN) HVM3: trapno 6 errno 0 > > (XEN) HVM3: eip D19FD cs 10 eflags 13046 > > (XEN) HVM3: uesp CFAE uss 0 > > (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F > > (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651 > > (XEN) HVM3: > > (XEN) HVM3: Halt called from %eip 0xD037C > > > > > > and the objdump shows that: > > 000d1970 <interrupt>: > > d1970: 55 push %ebp > > d1971: 89 e5 mov %esp,%ebp > > d1973: 57 push %edi > > d1974: 89 d7 mov %edx,%edi > > d1976: 56 push %esi > > .... > > d19f8: 66 89 30 mov %si,(%eax) > > d19fb: 31 d2 xor %edx,%edx > > d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi > > d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) > > d1a0b: 89 d8 mov %ebx,%eax > > d1a0d: 89 34 24 mov %esi,(%esp) > > > > > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >> Very weird. The emulations now aren't at the same address as before either > >> (0xd4c3 rather than 0xd71b). 
Is the *only* difference that you added these > >> printf()s -- is it at all possible that the guest is executing down a > >> different path here for other reasons? If it's really down to the printf()s > >> then I guess you'll have to shuffle/remove printf()s to get the old > >> behaviour back. > >> > >> -- Keir > >> > >> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: > >> > >>> it's strange: > >>> if i add these prints, i get " Unknown opcode", not "trap". > >>> ===added printf > >>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c > >>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 > >>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>> static struct regs saved_rm_regs; > >>> > >>> #ifdef DEBUG > >>> -int traceset = 0; > >>> +int traceset = ~0; > >>> > >>> char *states[] = { > >>> "<VM86_REAL>", > >>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > >>> unsigned seg_base, seg_limit; > >>> unsigned entry_low, entry_high; > >>> > >>> + printf("f 1\n"); > >>> if (seg == 0) { > >>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > >>> return off; > >>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > >>> panic("segment is zero, but not in real mode!\n"); > >>> } > >>> > >>> + printf("f 2\n"); > >>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > >>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > >>> return ((seg & 0xFFFF) << 4) + off; > >>> > >>> + printf("f 3\n"); > >>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > >>> + printf("f 4\n"); > >>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { > >>> + printf("f 5\n"); > >>> printf("gdt base address above 4G\n"); > >>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); > >>> } else 
> >>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > >>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF); > >>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > >>> > >>> + printf("f 6\n"); > >>> if (entry_high & 0x8000 && > >>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > >>> (!(entry_high & 0x800000) && off <= seg_limit))) > >>> return seg_base + off; > >>> + printf("f 7\n"); > >>> > >>> panic("should never reach here in function address():\n\t" > >>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n", > >>> entry_high, entry_low, mode, seg, off); > >>> + printf("f 8\n"); > >>> > >>> return 0; > >>> } 
> >>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) > >>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); > >>> > >>> regs->eip++; > >>> + printf("f 9\n"); > >>> return read8(addr); > >>> } > >>> > >>> ===output when add many printf > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 > >>> (XEN) HVM12: f 2 > >>> (XEN) HVM12: f 9 > >>> (XEN) HVM12: f 1 > >>> (XEN) HVM12: f 2 > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 > >>> (XEN) HVM12: f 2 > >>> (XEN) HVM12: f 9 > >>> (XEN) HVM12: f 1 > >>> (XEN) HVM12: f 2 > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 > >>> (XEN) HVM12: f 2 > >>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 > >>> (XEN) HVM12: Halt called from %eip 0xD3B4A > >>> > >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > >>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print > >>>> info. > >>>> the main function of fetch8 seems to be address(). seems crashed in > >>>> address(). > >>>> > >>>> (XEN) HVM7: after write16 of movw > >>>> (XEN) HVM7: top of opcode > >>>> (XEN) HVM7: Before fetch8 > >>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E > >>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE > >>>> (XEN) HVM7: trapno D errno 0 > >>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 > >>>> (XEN) HVM7: uesp CFB4 uss 0 > >>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0 > >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > >>>> (XEN) HVM7: > >>>> (XEN) HVM7: Trap (0x6) while in real mode > >>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89 > >>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00 > >>>> (XEN) HVM7: trapno 6 errno 0 > >>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 > >>>> (XEN) HVM7: uesp 71F uss D76D4 > >>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644 > >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651 > >>>> (XEN) HVM7: > >>>> (XEN) HVM7: 0xd0800 is 0xFFFF > >>>> (XEN) HVM7: 0xd0804 is 0x7D8B > >>>> (XEN) HVM7: Halt called from %eip 0xD037C > >>>> > >>>> > 
>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>> How about trying: > >>>>> printf("Before fetch8\n"); > >>>>> dump_regs(regs); > >>>>> opc = fetch8(regs); > >>>>> printf("After fetch8\n"); > >>>>> switch (opc) { ... > >>>>> > >>>>> This will let you see what eip is being fetched from, and also confirm > >>>>> that > >>>>> the crash happens within fetch8(). > >>>>> > >>>>> You could also try adding more printf()s inside fetch8() and address() to > >>>>> find out which specific bit of fetch8() is crashing (if that indeed the > >>>>> function that is crashing). > >>>>> > >>>>> -- Keir > >>>>> > >>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>> > >>>>>> Hi, Keir, > >>>>>> I made the change as you said: > >>>>>> change diff is: > >>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c > >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800 > >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>> static struct regs saved_rm_regs; > >>>>>> > >>>>>> #ifdef DEBUG > >>>>>> -int traceset = 0; > >>>>>> +int traceset = ~0; > >>>>>> > >>>>>> char *states[] = { > >>>>>> "<VM86_REAL>", > >>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, > >>>>>> TRACE((regs, regs->eip - eip, > >>>>>> "movw %%%s, *0x%x", rnames[r], addr)); > >>>>>> write16(addr, MASK16(val)); > >>>>>> + printf("after write16 of movw\n"); > >>>>>> } > >>>>>> return 1; > >>>>>> > >>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) > >>>>>> unsigned eip = regs->eip; > >>>>>> unsigned opc, modrm, disp; > >>>>>> unsigned prefix = 0; > >>>>>> + printf("top of opcode\n"); > >>>>>> > >>>>>> if (mode == VM86_PROTECTED_TO_REAL && > >>>>>> oldctx.cs_arbytes.fields.default_ops_size) { 
> >>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs > >>>>>> if (trapno == 14) > >>>>>> printf("Page fault address 0x%x\n", get_cr2()); > >>>>>> dump_regs(regs); > >>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned > >>>>>> short*)0xd0800)); > >>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned > >>>>>> short*)0xd0804)); > >>>>>> halt(); > >>>>>> } > >>>>>> } > >>>>>> > >>>>>> > >>>>>> here is the output: > >>>>>> (XEN) HVM6: top of opcode > >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 > >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>>>> (XEN) HVM6: top of opcode > >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: > >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 > >>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE > >>>>>> (XEN) HVM6: after write16 of movw > >>>>>> (XEN) HVM6: top of opcode > >>>>>> (XEN) HVM6: Trap (0x6) while in real mode > >>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx > >>>>>> 71E > >>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi > >>>>>> D00 > >>>>>> (XEN) HVM6: trapno 6 errno 0 > >>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 > >>>>>> (XEN) HVM6: uesp D4C29 uss 2 > >>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs > >>>>>> D75B4 > >>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>> 651 > >>>>>> (XEN) HVM6: > >>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF > >>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B > >>>>>> (XEN) HVM6: Halt called from %eip 0xD037C > >>>>>> > >>>>>> objdump: > >>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> > >>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx > >>>>>> d07f7: 89 f8 mov %edi,%eax > >>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx > >>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi > >>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax > >>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi > >>>>>> d0807: 89 ec mov %ebp,%esp > >>>>>> d0809: c1 e0 04 shl $0x4,%eax > >>>>>> d080c: 01 d0 add %edx,%eax > >>>>>> d080e: 5d pop %ebp > >>>>>> > >>>>>> seems the memory is 
correct, it's crashed in opcode() > >>>>>> and i think it's fetch8(regs) which crash the system. I tried > >>>>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm guest > >>>>>> be reset. > >>>>>> > >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > >>>>>>> > >>>>>>>> What would be useful is to try to add tracing to see how far vmxassist > >>>>>>>> gets > >>>>>>>> after its last line of tracing before the trap occurs. That last line > >>>>>>>> is > >>>>>>>> currently from vm86.c, line 620. You might try adding extra printf() > >>>>>>>> statements imemdiately after the write16() on line 622, and also at the > >>>>>>>> top > >>>>>>>> of the opcode() function. We need to find out at what point vmxassist > >>>>>>>> is > >>>>>>>> jumping to this bogus address d0800. > >>>>>>> > >>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory. > >>>>>>> This > >>>>>>> is particularly likely because, according to the objdump, the > >>>>>>> 'instruction' > >>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort). > >>>>>>> > >>>>>>> So, within trap() you might want to read say 16 bytes starting at > >>>>>>> 0xd0800 > >>>>>>> and printf() them. So we can see if they match what objdump says should > >>>>>>> be > >>>>>>> there. 
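Review bot: in the @@ -1712,6 +1714,8 @@ trap() hunk, `%0x` is a zero-width conversion that prints exactly like `%x`, so a leading zero byte is silently dropped; use `%04x` for an unsigned short. The two reads also cover only 0xd0800-0xd0801 and 0xd0804-0xd0805 and skip 0xd0802-0xd0803, which is why the output cannot fully confirm the objdump; a loop printing 16 bytes from 0xd0800 with `%02x` would. For what it does show: 0xFFFF at 0xd0800 is the `ff ff` tail of `and $0xffff,%eax` at d07ff, and 0x7D8B is the little-endian `8b 7d` of `mov 0xfffffffc(%ebp),%edi` at d0804, so those four bytes match. The traced `movw %ax, *0xD07FE` lands on d07fe-d07ff, just before the window this hunk reads, so the bytes the guest actually overwrote are never dumped.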
> >>>>>>> > >>>>>>> -- Keir > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> Xen-devel mailing list > >>>>>> Xen-devel@lists.xensource.com > >>>>>> http://lists.xensource.com/xen-devel > >>>>> > >>>>> > >>>> > >>> > >>> _______________________________________________ > >>> Xen-devel mailing list > >>> Xen-devel@lists.xensource.com > >>> http://lists.xensource.com/xen-devel > >> > >> > > > > _______________________________________________ > > Xen-devel mailing list > > Xen-devel@lists.xensource.com > > http://lists.xensource.com/xen-devel > > ^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08  7:37 ` Brady Chen
@ 2007-08-08  8:25 ` Brady Chen
  2007-08-08  8:41 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread

From: Brady Chen @ 2007-08-08  8:25 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi Keir,
I think the 7th issue I mentioned is the root cause, so I have a question.
For real mode simulation, is the simulator running in the same space
as the code to be simulated? Then how is the simulator protected from
being modified by the code to be simulated?

Can I change the address of vmxassist to a higher address? Just to try to
give more space to the to-be-simulated Windows.

On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> it's possible.
> any ideas to trace the function stack of the xen guest? like the "bt" command in gdb.
>
> I did some analysis:
> 1. the call flow is opcode()->fetch8()->address()
> 2. only the printf in address() will change the behavior of the crash.
> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
> 4. address() will be invoked more than 40,000 times in one
> simulation before the crash.
> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
> 6. from the output of "xen dmesg", before the crash, an instruction
> sequence is simulated several times (you could check the previous
> mails I sent for the "xen dmesg" output)
> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> and "*0xD07FE" is just the address of address() (you could get
> the objdump output from previous mails too), so I think it's the
> simulation which crashes the memory of address().
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> > Stack corruption/overflow, possibly?
> >
> > K.
> >
> > On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >
> > > Yes, the printfs are the only changes. Once I remove these prints, the
> > > trap comes back, with the same EIP (D0800)
> > >
> > > I tried to keep the first two printfs; the trap comes with a different
> > > EIP (D19FD)
> > > static unsigned
> > > address(struct regs *regs, unsigned seg, unsigned off)
> > > {
> > >     uint64_t gdt_phys_base;
> > >     unsigned long long entry;
> > >     unsigned seg_base, seg_limit;
> > >     unsigned entry_low, entry_high;
> > >
> > >     printf("f 1\n");
> > >     if (seg == 0) {
> > >         if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> > >             return off;
> > >         else
> > >             panic("segment is zero, but not in real mode!\n");
> > >     }
> > >
> > >     printf("f 2\n");
> > >
> > > xen dmesg output:
> > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 2
> > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: Trap (0x6) while in real mode
> > > (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> > > (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> > > (XEN) HVM3: trapno 6 errno 0
> > > (XEN) HVM3: eip D19FD cs 10 eflags 13046
> > > (XEN) HVM3: uesp CFAE uss 0
> > > (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> > > (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> > > (XEN) HVM3:
> > > (XEN) HVM3: Halt called from %eip 0xD037C
> > >
> > >
> > > and the objdump shows that:
> > > 000d1970 <interrupt>:
> > >    d1970: 55                      push %ebp
> > >    d1971: 89 e5                   mov %esp,%ebp
> > >    d1973: 57                      push %edi
> > >    d1974: 89 d7                   mov %edx,%edi
> > >    d1976: 56                      push %esi
> > > ....
> > >    d19f8: 66 89 30                mov %si,(%eax)
> > >    d19fb: 31 d2                   xor %edx,%edx
> > >    d19fd: 8d 34 bd 00 00 00 00    lea 0x0(,%edi,4),%esi
> > >    d1a04: 81 63 30 ff fd ff ff    andl $0xfffffdff,0x30(%ebx)
> > >    d1a0b: 89 d8                   mov %ebx,%eax
> > >    d1a0d: 89 34 24                mov %esi,(%esp)
> > >
> > >
> > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > >> Very weird.
The emulations now aren't at the same address as before either > > >> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these > > >> printf()s -- is it at all possible that the guest is executing down a > > >> different path here for other reasons? If it's really down to the printf()s > > >> then I guess you'll have to shuffle/remove printf()s to get the old > > >> behaviour back. > > >> > > >> -- Keir > > >> > > >> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: > > >> > > >>> it's strange: > > >>> if i add these prints, i get " Unknown opcode", not "trap". > > >>> ===added printf > > >>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c > > >>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > > >>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > > >>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 > > >>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > > >>> static struct regs saved_rm_regs; > > >>> > > >>> #ifdef DEBUG > > >>> -int traceset = 0; > > >>> +int traceset = ~0; > > >>> > > >>> char *states[] = { > > >>> "<VM86_REAL>", > > >>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > > >>> unsigned seg_base, seg_limit; > > >>> unsigned entry_low, entry_high; > > >>> > > >>> + printf("f 1\n"); > > >>> if (seg == 0) { > > >>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > > >>> return off; 
> > >>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > > >>> panic("segment is zero, but not in real mode!\n"); > > >>> } > > >>> > > >>> + printf("f 2\n"); > > >>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > > >>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > > >>> return ((seg & 0xFFFF) << 4) + off; > > >>> > > >>> + printf("f 3\n"); > > >>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > > >>> + printf("f 4\n"); > > >>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { > > >>> + printf("f 5\n"); > > >>> printf("gdt base address above 4G\n"); > > >>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); > > >>> } else > > >>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > > >>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF); > > >>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > > >>> > > >>> + printf("f 6\n"); > > >>> if (entry_high & 0x8000 && > > >>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > > >>> (!(entry_high & 0x800000) && off <= seg_limit))) > > >>> return seg_base + off; > > >>> + printf("f 7\n"); > > >>> > > >>> panic("should never reach here in function address():\n\t" > > >>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n", > > >>> entry_high, entry_low, mode, seg, off); > > >>> + printf("f 8\n"); > > >>> > > >>> return 0; > > >>> } 
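Review bot: in the @@ -135,12 +136,16 @@ address() hunk, `printf("f 5\n")` is placed immediately before the existing `printf("gdt base address above 4G\n")` inside the same `if`, so the two lines always appear together and `f 5` adds nothing; drop it. `f 3` and `f 4` bracket only the `guest_linear_to_phys(oldctx.gdtr_base)` call, which is useful if that call is suspected, but none of the outputs quoted in this thread ever reach `f 3`.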
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08  8:25 ` Brady Chen
@ 2007-08-08  8:41 ` Keir Fraser
  2007-08-08  9:38 ` Brady Chen
  0 siblings, 1 reply; 37+ messages in thread

From: Keir Fraser @ 2007-08-08  8:41 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

You could give that a try, but really it shouldn't be going at 0xc0000-0x100000
at all. There are usually ROM images residing there. This is more likely to be
a mis-emulation. Can you get a dump of the bytes around 0xd680-0xd780? Then we
could try and work out what the guest is trying to execute, and see whether
emulation is going wrong. A register dump from the guest (dump_regs()) at the
start of every call to opcode() might also be useful.

 -- Keir

On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:

> Hi Keir,
> I think the 7th issue I mentioned is the root cause,
> so I have a question.
> For real mode simulation, is the simulator running in the same space
> as the code to be simulated? Then how is the simulator protected from
> being modified by the code to be simulated?
>
> Can I change the address of vmxassist to a higher address? Just to try to
> give more space to the to-be-simulated Windows.
>
> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>> it's possible.
>> any ideas to trace the function stack of the xen guest? like the "bt" command in gdb.
>>
>> I did some analysis:
>> 1. the call flow is opcode()->fetch8()->address()
>> 2. only the printf in address() will change the behavior of the crash.
>> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
>> 4. address() will be invoked more than 40,000 times in one
>> simulation before the crash.
>> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
>> 6. from the output of "xen dmesg", before the crash, an instruction
>> sequence is simulated several times (you could check the previous
>> mails I sent for the "xen dmesg" output)
>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
>> and "*0xD07FE" is just the address of address() (you could get
>> the objdump output from previous mails too), so I think it's the
>> simulation which crashes the memory of address().
>>
>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>> Stack corruption/overflow, possibly?
>>>
>>> K.
>>>
>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>>>
>>>> Yes, the printfs are the only changes. Once I remove these prints, the
>>>> trap comes back, with the same EIP (D0800)
>>>>
>>>> I tried to keep the first two printfs; the trap comes with a different
>>>> EIP (D19FD)
>>>> static unsigned
>>>> address(struct regs *regs, unsigned seg, unsigned off)
>>>> {
>>>>     uint64_t gdt_phys_base;
>>>>     unsigned long long entry;
>>>>     unsigned seg_base, seg_limit;
>>>>     unsigned entry_low, entry_high;
>>>>
>>>>     printf("f 1\n");
>>>>     if (seg == 0) {
>>>>         if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>>>             return off;
>>>>         else
>>>>             panic("segment is zero, but not in real mode!\n");
>>>>     }
>>>>
>>>>     printf("f 2\n");
>>>>
>>>> xen dmesg output:
>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 2
>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: Trap (0x6) while in real mode
>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
>>>> (XEN) HVM3: trapno 6 errno 0
>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
>>>> (XEN) HVM3: uesp CFAE uss 0
>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM3:
>>>> (XEN) HVM3: Halt called from %eip 0xD037C
>>>>
>>>>
>>>> and the objdump shows that:
>>>> 000d1970 <interrupt>:
>>>>    d1970: 55                      push %ebp
>>>>    d1971: 89 e5                   mov %esp,%ebp
>>>>    d1973: 57                      push %edi
>>>>    d1974: 89 d7                   mov %edx,%edi
>>>>    d1976: 56                      push %esi
>>>> ....
>>>>>>>>>>
>>>>>>>>>> -- Keir
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Xen-devel mailing list
>>>>>>>>> Xen-devel@lists.xensource.com
>>>>>>>>> http://lists.xensource.com/xen-devel
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-08 8:41 ` Keir Fraser @ 2007-08-08 9:38 ` Brady Chen 2007-08-08 10:26 ` Keir Fraser 0 siblings, 1 reply; 37+ messages in thread 
From: Brady Chen @ 2007-08-08 9:38 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Thanks,
can you show me a way to dump bytes around 0xd680 ~ 0xd780?
just printf in trap() of vmxassist?

On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> You could give that a try, but really it shouldn't be going at
> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>
> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> around 0xd680-0xd780? Then we could try and work out what the guest is
> trying to execute, and see whether emulation is going wrong. A register dump
> from the guest (dump_regs()) at the start of every call to opcode() might
> also be useful.
>
> -- Keir
>
> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > I think the 7th issue I mentioned is the root cause,
> > so I have a question.
> > For real mode simulation, the simulator is running in the same space
> > with the codes to-be-simulated? then how to protect simulator from
> > being modified by to-be-simulated code?
> >
> > can I change the address of vmxassist to a higher address? just try to
> > give more space to the to-be-simulated windows.
> >
> > On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >> it's possible.
> >> any ideas to trace the function stack of xen guest? like "bt" command in gdb.
> >>
> >> I did some analysis:
> >> 1. the call flow is opcode()->fetch8()->address()
> >> 2. only the printf in address() will change the behaviour of crash.
> >> 3. and the crash EIP (0xD0800) is in the address() from the objdump.
> >> 4. the address() will be invoked more than 40,000 times in one
> >> simulation, before the crash.
> >> 5. seems there are no recursive invoking in opcode(), fetch8(), address()
> >> 6. from the output of "xen dmesg", before the crash, an instruction
> >> sequence is simulated several times (you could check the previous
> >> mails I sent for "xen dmesg" output)
> >> 7.
before the trap, the simulated instruction is "movw %ax, *0xD07FE", > >> and the "*0xD07FE" is just the address of address(), (you could get > >> the objdump output from previous mails too), so i think it's the > >> simulation which crash the memory of address(). > >> > >> On 8/8/07, Keir Fraser <keir@xensource.com> wrote: > >>> Stack corruption/overflow, possibly? > >>> > >>> K. > >>> > >>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote: > >>> > >>>> Yes, the printfs are the only changes. once I remove these prints, the > >>>> trap comes back, with the same EIP (D0800) > >>>> > >>>> I tried to keep the first two printfs, the trap comes with different > >>>> EIP(D19FD) > >>>> static unsigned > >>>> address(struct regs *regs, unsigned seg, unsigned off) > >>>> { > >>>> uint64_t gdt_phys_base; > >>>> unsigned long long entry; > >>>> unsigned seg_base, seg_limit; > >>>> unsigned entry_low, entry_high; > >>>> > >>>> printf("f 1\n"); > >>>> if (seg == 0) { > >>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > >>>> return off; > >>>> else > >>>> panic("segment is zero, but not in real mode!\n"); > >>>> } > >>>> > >>>> printf("f 2\n"); > >>>> > >>>> xen dmesg output: > >>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>> (XEN) HVM3: f 1 > >>>> (XEN) HVM3: f 2 > >>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 > >>>> (XEN) HVM3: f 1 > >>>> (XEN) HVM3: f 1 > >>>> (XEN) HVM3: f 1 > >>>> (XEN) HVM3: Trap (0x6) while in real mode > >>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4 > >>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8 > >>>> (XEN) HVM3: trapno 6 errno 0 > >>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046 > >>>> (XEN) HVM3: uesp CFAE uss 0 > >>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F > >>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651 > >>>> (XEN) HVM3: > >>>> (XEN) HVM3: Halt called from %eip 0xD037C > >>>> > >>>> > >>>> and the objdump shows that: > >>>> 000d1970 <interrupt>: > >>>> d1970: 55 push %ebp > >>>> d1971: 
89 e5 mov %esp,%ebp > >>>> d1973: 57 push %edi > >>>> d1974: 89 d7 mov %edx,%edi > >>>> d1976: 56 push %esi > >>>> .... > >>>> d19f8: 66 89 30 mov %si,(%eax) > >>>> d19fb: 31 d2 xor %edx,%edx > >>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi > >>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) > >>>> d1a0b: 89 d8 mov %ebx,%eax > >>>> d1a0d: 89 34 24 mov %esi,(%esp) > >>>> > >>>> > >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>> Very weird. The emulations now aren't at the same address as before either > >>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these > >>>>> printf()s -- is it at all possible that the guest is executing down a > >>>>> different path here for other reasons? If it's really down to the > >>>>> printf()s > >>>>> then I guess you'll have to shuffle/remove printf()s to get the old > >>>>> behaviour back. > >>>>> > >>>>> -- Keir > >>>>> > >>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>> > >>>>>> it's strange: > >>>>>> if i add these prints, i get " Unknown opcode", not "trap". > >>>>>> ===added printf > >>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c > >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 > >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>> static struct regs saved_rm_regs; > >>>>>> > >>>>>> #ifdef DEBUG > >>>>>> -int traceset = 0; > >>>>>> +int traceset = ~0; > >>>>>> > >>>>>> char *states[] = { > >>>>>> "<VM86_REAL>", > >>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > >>>>>> unsigned seg_base, seg_limit; > >>>>>> unsigned entry_low, entry_high; > >>>>>> > >>>>>> + printf("f 1\n"); > >>>>>> if (seg == 0) { > >>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > >>>>>> return off; 
> >>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > >>>>>> panic("segment is zero, but not in real > >>>>>> mode!\n"); > >>>>>> } > >>>>>> > >>>>>> + printf("f 2\n"); > >>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > >>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > >>>>>> return ((seg & 0xFFFF) << 4) + off; > >>>>>> > >>>>>> + printf("f 3\n"); > >>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > >>>>>> + printf("f 4\n"); > >>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { > >>>>>> + printf("f 5\n"); > >>>>>> printf("gdt base address above 4G\n"); > >>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry); > >>>>>> } else > >>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > >>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & > >>>>>> 0xFFFFFF); > >>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > >>>>>> > >>>>>> + printf("f 6\n"); > >>>>>> if (entry_high & 0x8000 && > >>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > >>>>>> (!(entry_high & 0x800000) && off <= seg_limit))) > >>>>>> return seg_base + off; > >>>>>> + printf("f 7\n"); > >>>>>> > >>>>>> panic("should never reach here in function address():\n\t" > >>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, > >>>>>> offset=0x%08x\n", > >>>>>> entry_high, entry_low, mode, seg, off); > >>>>>> + printf("f 8\n"); > >>>>>> > >>>>>> return 0; > >>>>>> } 
> >>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) > >>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); > >>>>>> > >>>>>> regs->eip++; > >>>>>> + printf("f 9\n"); > >>>>>> return read8(addr); > >>>>>> } > >>>>>> > >>>>>> ===output when add many printf > >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 > >>>>>> (XEN) HVM12: f 2 > >>>>>> (XEN) HVM12: f 9 > >>>>>> (XEN) HVM12: f 1 > >>>>>> (XEN) HVM12: f 2 > >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 > >>>>>> (XEN) HVM12: f 2 > >>>>>> (XEN) HVM12: f 9 > >>>>>> (XEN) HVM12: f 1 > >>>>>> (XEN) HVM12: f 2 > >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 > >>>>>> (XEN) HVM12: f 2 > >>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 > >>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A > >>>>>> > >>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > >>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print > >>>>>>> info. > >>>>>>> the main function of fetch8 seems to be address(). seems crashed in > >>>>>>> address(). 
> >>>>>>> > >>>>>>> (XEN) HVM7: after write16 of movw > >>>>>>> (XEN) HVM7: top of opcode > >>>>>>> (XEN) HVM7: Before fetch8 > >>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx > >>>>>>> 404E > >>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi > >>>>>>> C37FE > >>>>>>> (XEN) HVM7: trapno D errno 0 > >>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 > >>>>>>> (XEN) HVM7: uesp CFB4 uss 0 > >>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs > >>>>>>> 0 > >>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>> 651 > >>>>>>> (XEN) HVM7: > >>>>>>> (XEN) HVM7: Trap (0x6) while in real mode > >>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx > >>>>>>> 89 > >>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi > >>>>>>> D00 > >>>>>>> (XEN) HVM7: trapno 6 errno 0 > >>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 > >>>>>>> (XEN) HVM7: uesp 71F uss D76D4 > >>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs > >>>>>>> D7644 > >>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>> 651 > >>>>>>> (XEN) HVM7: > >>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF > >>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B > >>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C > >>>>>>> > >>>>>>> > >>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>> How about trying: > >>>>>>>> printf("Before fetch8\n"); > >>>>>>>> dump_regs(regs); > >>>>>>>> opc = fetch8(regs); > >>>>>>>> printf("After fetch8\n"); > >>>>>>>> switch (opc) { ... > >>>>>>>> > >>>>>>>> This will let you see what eip is being fetched from, and also confirm > >>>>>>>> that > >>>>>>>> the crash happens within fetch8(). > >>>>>>>> > >>>>>>>> You could also try adding more printf()s inside fetch8() and address() > >>>>>>>> to > >>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed the > >>>>>>>> function that is crashing). 
> >>>>>>>> > >>>>>>>> -- Keir > >>>>>>>> > >>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>>>>> > >>>>>>>>> Hi, Keir, > >>>>>>>>> I made the change as you said: > >>>>>>>>> change diff is: > >>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c > >>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800 > >>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>>>>> static struct regs saved_rm_regs; > >>>>>>>>> > >>>>>>>>> #ifdef DEBUG > >>>>>>>>> -int traceset = 0; > >>>>>>>>> +int traceset = ~0; > >>>>>>>>> > >>>>>>>>> char *states[] = { > >>>>>>>>> "<VM86_REAL>", > >>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, > >>>>>>>>> TRACE((regs, regs->eip - eip, > >>>>>>>>> "movw %%%s, *0x%x", rnames[r], addr)); > >>>>>>>>> write16(addr, MASK16(val)); > >>>>>>>>> + printf("after write16 of movw\n"); > >>>>>>>>> } > >>>>>>>>> return 1; > >>>>>>>>> > >>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) > >>>>>>>>> unsigned eip = regs->eip; > >>>>>>>>> unsigned opc, modrm, disp; > >>>>>>>>> unsigned prefix = 0; > >>>>>>>>> + printf("top of opcode\n"); > >>>>>>>>> > >>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL && > >>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) { 
> >>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs > >>>>>>>>> if (trapno == 14) > >>>>>>>>> printf("Page fault address 0x%x\n", > >>>>>>>>> get_cr2()); > >>>>>>>>> dump_regs(regs); > >>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned > >>>>>>>>> short*)0xd0800)); > >>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned > >>>>>>>>> short*)0xd0804)); > >>>>>>>>> halt(); > >>>>>>>>> } > >>>>>>>>> } > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> here is the output: > >>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 > >>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: > >>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 > >>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE > >>>>>>>>> (XEN) HVM6: after write16 of movw > >>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode > >>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx > >>>>>>>>> 71E > >>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi > >>>>>>>>> D00 > >>>>>>>>> (XEN) HVM6: trapno 6 errno 0 > >>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 > >>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2 > >>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs > >>>>>>>>> D75B4 > >>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>> 651 > >>>>>>>>> (XEN) HVM6: > >>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF > >>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B > >>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C > >>>>>>>>> > >>>>>>>>> objdump: > >>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> > >>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx > >>>>>>>>> d07f7: 89 f8 mov %edi,%eax > >>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx > >>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi > >>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax > >>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi > >>>>>>>>> d0807: 89 ec 
mov %ebp,%esp > >>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax > >>>>>>>>> d080c: 01 d0 add %edx,%eax > >>>>>>>>> d080e: 5d pop %ebp > >>>>>>>>> > >>>>>>>>> seems the memory is correct, it's crashed in opcode() > >>>>>>>>> and i think it's fetch8(regs) which crash the system. I tried > >>>>>>>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm guest > >>>>>>>>> be reset. > >>>>>>>>> > >>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > >>>>>>>>>> > >>>>>>>>>>> What would be useful is to try to add tracing to see how far > >>>>>>>>>>> vmxassist > >>>>>>>>>>> gets > >>>>>>>>>>> after its last line of tracing before the trap occurs. That last > >>>>>>>>>>> line > >>>>>>>>>>> is > >>>>>>>>>>> currently from vm86.c, line 620. You might try adding extra printf() > >>>>>>>>>>> statements imemdiately after the write16() on line 622, and also at > >>>>>>>>>>> the > >>>>>>>>>>> top > >>>>>>>>>>> of the opcode() function. We need to find out at what point > >>>>>>>>>>> vmxassist > >>>>>>>>>>> is > >>>>>>>>>>> jumping to this bogus address d0800. > >>>>>>>>>> > >>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in > >>>>>>>>>> memory. > >>>>>>>>>> This > >>>>>>>>>> is particularly likely because, according to the objdump, the > >>>>>>>>>> 'instruction' > >>>>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort). > >>>>>>>>>> > >>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at > >>>>>>>>>> 0xd0800 > >>>>>>>>>> and printf() them. So we can see if they match what objdump says > >>>>>>>>>> should > >>>>>>>>>> be > >>>>>>>>>> there. 
> >>>>>>>>>>
> >>>>>>>>>> -- Keir
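Brady's question in the message above (whether an emulator that shares its address space with the real-mode code it emulates can be protected from being modified by that code) has a defensive answer at the emulator's store path: every guest store passes through the emulator's own write helpers, so the helper can check whether the target overlaps the emulator image before performing the write, and record the guest cs:eip when it does. The following is an added example, not vmxassist code: `EMU_BASE`, `EMU_SIZE`, `guest_mem[]`, `guarded_write16()` and the other names are constructed for illustration, and the refused sample store reuses the `movw %ax, *0xD07FE` with `%ax = 0xD00` that the trace in this thread shows.

```c
/*
 * Added example (not vmxassist code): a 16-bit guest store that is refused
 * and recorded when it would land inside the emulator's own image.
 * EMU_BASE/EMU_SIZE and guest_mem[] are constructed for illustration.
 */
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE  0x100000u   /* 1 MiB real-mode address space */
#define EMU_BASE  0xD0000u    /* constructed: start of the emulator image */
#define EMU_SIZE  0x08000u    /* constructed: length of the emulator image */

static uint8_t guest_mem[MEM_SIZE];

/* Details of the most recent refused store, for trap()/dump output. */
struct store_violation {
    unsigned addr, value;   /* target linear address and 16-bit value */
    unsigned cs, eip;       /* guest cs:eip of the emulated instruction */
    unsigned count;         /* how many stores have been refused so far */
};
static struct store_violation last_violation;

/* Real-mode linear address: (seg << 4) + off, wrapped to 20 bits. */
unsigned rm_linear(unsigned seg, unsigned off)
{
    return (((seg & 0xFFFFu) << 4) + (off & 0xFFFFu)) & 0xFFFFFu;
}

/* True when [addr, addr + len) intersects the emulator image. */
int overlaps_emulator(unsigned addr, unsigned len)
{
    return addr < EMU_BASE + EMU_SIZE && addr + len > EMU_BASE;
}

/*
 * Perform a little-endian 16-bit store on behalf of the guest.
 * Returns 1 when written, 0 when refused (out of range or self-overwrite).
 * The range check comes first so the overlap arithmetic cannot wrap.
 */
int guarded_write16(unsigned addr, unsigned val, unsigned cs, unsigned eip)
{
    if (addr > MEM_SIZE - 2 || overlaps_emulator(addr, 2)) {
        last_violation.addr  = addr;
        last_violation.value = val & 0xFFFFu;
        last_violation.cs    = cs;
        last_violation.eip   = eip;
        last_violation.count++;
        printf("refused store 0x%04x -> 0x%05x from %04x:%04x\n",
               val & 0xFFFFu, addr, cs, eip);
        return 0;
    }
    guest_mem[addr]     = val & 0xFFu;
    guest_mem[addr + 1] = (val >> 8) & 0xFFu;
    return 1;
}

/* Read back a little-endian 16-bit value (0xFFFF when out of range). */
unsigned read16(unsigned addr)
{
    if (addr > MEM_SIZE - 2)
        return 0xFFFFu;
    return guest_mem[addr] | (guest_mem[addr + 1] << 8);
}

unsigned refused_store_count(void) { return last_violation.count; }
unsigned last_refused_addr(void)   { return last_violation.addr; }

int main(void)
{
    /* A store into ordinary guest memory goes through. */
    guarded_write16(rm_linear(0x0000, 0x7E80), 0x1234, 0x0000, 0x0100);
    /* The store the trace shows: movw %ax, *0xD07FE with %ax = 0xD00. */
    guarded_write16(0xD07FEu, 0x0D00, 0x0D00, 0x071D);
    printf("refused stores: %u\n", refused_store_count());
    return 0;
}
```

Refusing the store is only one policy; an emulator could also complete it and halt with the recorded cs:eip, which is what makes the corrupting instruction visible in the log rather than leaving a later, unrelated trap as the only symptom.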
* Re: Re: [Xen-users] boot a existing windows in hvm domain 2007-08-08 9:38 ` Brady Chen @ 2007-08-08 10:26 ` Keir Fraser 2007-08-08 12:12 ` Brady Chen 0 siblings, 1 reply; 37+ messages in thread 
From: Keir Fraser @ 2007-08-08 10:26 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Well, some bytes are already screwed at that point, so I'd try to do it
earlier (e.g., when you are emulating one of the earlier MOVs, for example).
But yes, dumping by printf() is fine. Put address at start of line, and then
dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.

-- Keir

On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:

> Thanks,
> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> just printf in trap() of vmxassist?
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>> You could give that a try, but really it shouldn't be going at
>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>>
>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
>> around 0xd680-0xd780? Then we could try and work out what the guest is
>> trying to execute, and see whether emulation is going wrong. A register dump
>> from the guest (dump_regs()) at the start of every call to opcode() might
>> also be useful.
>>
>> -- Keir
>>
>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> Hi Keir,
>>> I think the 7th issue I mentioned is the root cause,
>>> so I have a question.
>>> For real mode simulation, the simulator is running in the same space
>>> with the codes to-be-simulated? then how to protect simulator from
>>> being modified by to-be-simulated code?
>>>
>>> can I change the address of vmxassist to a higher address? just try to
>>> give more space to the to-be-simulated windows.
>>>
>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>>>> it's possible.
>>>> any ideas to trace the function stack of xen guest? like "bt" command in
>>>> gdb.
>>>>
>>>> I did some analysis:
>>>> 1. the call flow is opcode()->fetch8()->address()
>>>> 2. only the printf in address() will change the behaviour of crash.
>>>> 3.
and the crash EIP (0xD0800) is in the address() from the objdump. >>>> 4. the address() will be invoked more then 40, 000 times in one >>>> simulation, before the crash. >>>> 5. seems there are no recursive invoking in opcode(), fetch8(), address() >>>> 6. from the output of "xen dmesg", before the crash, a instructions >>>> sequence is simulated several times (you could check the previous >>>> mails i send for "xen dmesg" output) >>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE", >>>> and the "*0xD07FE" is just the address of address(), (you could get >>>> the objdump output from previous mails too), so i think it's the >>>> simulation which crash the memory of address(). >>>> >>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote: >>>>> Stack corruption/overflow, possibly? >>>>> >>>>> K. >>>>> >>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote: >>>>> >>>>>> Yes, the printfs are the only changes. once I remove these prints, the >>>>>> trap comes back, with the same EIP (D0800) >>>>>> >>>>>> I tried to keep the first two printfs, the trap comes with different >>>>>> EIP(D19FD) >>>>>> static unsigned >>>>>> address(struct regs *regs, unsigned seg, unsigned off) >>>>>> { >>>>>> uint64_t gdt_phys_base; >>>>>> unsigned long long entry; >>>>>> unsigned seg_base, seg_limit; >>>>>> unsigned entry_low, entry_high; >>>>>> >>>>>> printf("f 1\n"); >>>>>> if (seg == 0) { >>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) >>>>>> return off; >>>>>> else >>>>>> panic("segment is zero, but not in real >>>>>> mode!\n"); >>>>>> } >>>>>> >>>>>> printf("f 2\n"); >>>>>> >>>>>> xen dmesg output: >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 >>>>>> (XEN) HVM3: f 1 >>>>>> (XEN) HVM3: f 2 >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 >>>>>> (XEN) HVM3: f 1 >>>>>> (XEN) HVM3: f 1 >>>>>> (XEN) HVM3: f 1 >>>>>> (XEN) HVM3: Trap (0x6) while in real mode >>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx >>>>>> D75B4 
>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi >>>>>> 8 >>>>>> (XEN) HVM3: trapno 6 errno 0 >>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046 >>>>>> (XEN) HVM3: uesp CFAE uss 0 >>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs >>>>>> 71F >>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 >>>>>> 651 >>>>>> (XEN) HVM3: >>>>>> (XEN) HVM3: Halt called from %eip 0xD037C >>>>>> >>>>>> >>>>>> and the objdump shows that: >>>>>> 000d1970 <interrupt>: >>>>>> d1970: 55 push %ebp >>>>>> d1971: 89 e5 mov %esp,%ebp >>>>>> d1973: 57 push %edi >>>>>> d1974: 89 d7 mov %edx,%edi >>>>>> d1976: 56 push %esi >>>>>> .... >>>>>> d19f8: 66 89 30 mov %si,(%eax) >>>>>> d19fb: 31 d2 xor %edx,%edx >>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi >>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) >>>>>> d1a0b: 89 d8 mov %ebx,%eax >>>>>> d1a0d: 89 34 24 mov %esi,(%esp) >>>>>> >>>>>> >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >>>>>>> Very weird. The emulations now aren't at the same address as before >>>>>>> either >>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added >>>>>>> these >>>>>>> printf()s -- is it at all possible that the guest is executing down a >>>>>>> different path here for other reasons? If it's really down to the >>>>>>> printf()s >>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old >>>>>>> behaviour back. >>>>>>> >>>>>>> -- Keir >>>>>>> >>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: >>>>>>> >>>>>>>> it's strange: >>>>>>>> if i add these prints, i get " Unknown opcode", not "trap". >>>>>>>> ===added printf >>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c >>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c >>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 >>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 
>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; >>>>>>>> static struct regs saved_rm_regs; >>>>>>>> >>>>>>>> #ifdef DEBUG >>>>>>>> -int traceset = 0; >>>>>>>> +int traceset = ~0; >>>>>>>> >>>>>>>> char *states[] = { >>>>>>>> "<VM86_REAL>", >>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, >>>>>>>> unsigned seg_base, seg_limit; >>>>>>>> unsigned entry_low, entry_high; >>>>>>>> >>>>>>>> + printf("f 1\n"); >>>>>>>> if (seg == 0) { >>>>>>>> if (mode == VM86_REAL || mode == >>>>>>>> VM86_REAL_TO_PROTECTED) >>>>>>>> return off; >>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, >>>>>>>> panic("segment is zero, but not in real >>>>>>>> mode!\n"); >>>>>>>> } >>>>>>>> >>>>>>>> + printf("f 2\n"); >>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || >>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) >>>>>>>> return ((seg & 0xFFFF) << 4) + off; >>>>>>>> >>>>>>>> + printf("f 3\n"); >>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); >>>>>>>> + printf("f 4\n"); >>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { >>>>>>>> + printf("f 5\n"); >>>>>>>> printf("gdt base address above 4G\n"); >>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), >>>>>>>> &entry); >>>>>>>> } else 
>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, >>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & >>>>>>>> 0xFFFFFF); >>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); >>>>>>>> >>>>>>>> + printf("f 6\n"); >>>>>>>> if (entry_high & 0x8000 && >>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || >>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit))) >>>>>>>> return seg_base + off; >>>>>>>> + printf("f 7\n"); >>>>>>>> >>>>>>>> panic("should never reach here in function address():\n\t" >>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, >>>>>>>> offset=0x%08x\n", >>>>>>>> entry_high, entry_low, mode, seg, off); >>>>>>>> + printf("f 8\n"); >>>>>>>> >>>>>>>> return 0; >>>>>>>> } 
>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) >>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); >>>>>>>> >>>>>>>> regs->eip++; >>>>>>>> + printf("f 9\n"); >>>>>>>> return read8(addr); >>>>>>>> } >>>>>>>> >>>>>>>> ===output when add many printf >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 >>>>>>>> (XEN) HVM12: f 2 >>>>>>>> (XEN) HVM12: f 9 >>>>>>>> (XEN) HVM12: f 1 >>>>>>>> (XEN) HVM12: f 2 >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 >>>>>>>> (XEN) HVM12: f 2 >>>>>>>> (XEN) HVM12: f 9 >>>>>>>> (XEN) HVM12: f 1 >>>>>>>> (XEN) HVM12: f 2 >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 >>>>>>>> (XEN) HVM12: f 2 >>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 >>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A >>>>>>>> >>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: >>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print >>>>>>>>> info. >>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in >>>>>>>>> address(). 
>>>>>>>>> >>>>>>>>> (XEN) HVM7: after write16 of movw >>>>>>>>> (XEN) HVM7: top of opcode >>>>>>>>> (XEN) HVM7: Before fetch8 >>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx >>>>>>>>> 404E >>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi >>>>>>>>> C37FE >>>>>>>>> (XEN) HVM7: trapno D errno 0 >>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 >>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0 >>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs >>>>>>>>> 0 >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 >>>>>>>>> 651 >>>>>>>>> (XEN) HVM7: >>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode >>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx >>>>>>>>> 89 >>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi >>>>>>>>> D00 >>>>>>>>> (XEN) HVM7: trapno 6 errno 0 >>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 >>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4 >>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs >>>>>>>>> D7644 >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 >>>>>>>>> 651 >>>>>>>>> (XEN) HVM7: >>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF >>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B >>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C >>>>>>>>> >>>>>>>>> >>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >>>>>>>>>> How about trying: >>>>>>>>>> printf("Before fetch8\n"); >>>>>>>>>> dump_regs(regs); >>>>>>>>>> opc = fetch8(regs); >>>>>>>>>> printf("After fetch8\n"); >>>>>>>>>> switch (opc) { ... >>>>>>>>>> >>>>>>>>>> This will let you see what eip is being fetched from, and also >>>>>>>>>> confirm >>>>>>>>>> that >>>>>>>>>> the crash happens within fetch8(). >>>>>>>>>> >>>>>>>>>> You could also try adding more printf()s inside fetch8() and >>>>>>>>>> address() >>>>>>>>>> to >>>>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed >>>>>>>>>> the >>>>>>>>>> function that is crashing). 
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08 10:26 ` Keir Fraser
@ 2007-08-08 12:12 ` Brady Chen
  2007-08-08 13:32 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 12:12 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi Keir,
here is the memory dump from D680 ~ D780. How do I analyze it? Any tools? Thanks.

(XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
(XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
(XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
(XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
(XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
(XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
(XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
(XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
(XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
(XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
(XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
(XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
(XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
(XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
(XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
(XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
(XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9

On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Well, some bytes are already screwed at that point, so I'd try to do it
> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> But yes, dumping by printf() is fine. Put address at start of line, and then
> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
>
> -- Keir
>
> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Thanks,
> > can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> > Just printf in trap() of vmxassist?
> > > > On 8/8/07, Keir Fraser <keir@xensource.com> wrote: > >> You could give that a try, but really it shouldn't be going at > >> 0xc0000-0x100000 at all. There are usually ROM images residing there. > >> > >> This is more likely to be a mis-emulation. Can you get a dump of the bytes > >> around 0xd680-0xd780? Then we could try and work out what the guest is > >> trying to execute, and see whether emulation is going wrong. A register dump > >> from the guest (dump_regs()) at the start of every call to opcode() might > >> also be useful. > >> > >> -- Keir > >> > >> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote: > >> > >>> Hi Keir, > >>> I think the 7th issue I mentioned is the root cause, > >>> so I have a question. > >>> For real mode simulation, the simulator is running in the same space > >>> with the codes to-be-simulated? then how to protect simulator from > >>> being modified by to-be-simulated code? > >>> > >>> can I change the address of vmxassist to a higher address? just try to > >>> give more space to the to-be-simulated windows. > >>> > >>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote: > >>>> it's possible. > >>>> any ideas to trace the function stack of xen guest? like "bt" command in > >>>> gdb. > >>>> > >>>> I did some analysis: > >>>> 1. the call flow is opcode()->fetch8()->address() > >>>> 2. only the printf in address() will change the behaver of crash. > >>>> 3. and the crash EIP (0xD0800) is in the address() from the objdump. > >>>> 4. the address() will be invoked more then 40, 000 times in one > >>>> simulation, before the crash. > >>>> 5. seems there are no recursive invoking in opcode(), fetch8(), address() > >>>> 6. from the output of "xen dmesg", before the crash, a instructions > >>>> sequence is simulated several times (you could check the previous > >>>> mails i send for "xen dmesg" output) > >>>> 7. 
before the trap, the simulated instruction is "movw %ax, *0xD07FE", > >>>> and the "*0xD07FE" is just the address of address(), (you could get > >>>> the objdump output from previous mails too), so i think it's the > >>>> simulation which crash the memory of address(). > >>>> > >>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote: > >>>>> Stack corruption/overflow, possibly? > >>>>> > >>>>> K. > >>>>> > >>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>> > >>>>>> Yes, the printfs are the only changes. once I remove these prints, the > >>>>>> trap comes back, with the same EIP (D0800) > >>>>>> > >>>>>> I tried to keep the first two printfs, the trap comes with different > >>>>>> EIP(D19FD) > >>>>>> static unsigned > >>>>>> address(struct regs *regs, unsigned seg, unsigned off) > >>>>>> { > >>>>>> uint64_t gdt_phys_base; > >>>>>> unsigned long long entry; > >>>>>> unsigned seg_base, seg_limit; > >>>>>> unsigned entry_low, entry_high; > >>>>>> > >>>>>> printf("f 1\n"); > >>>>>> if (seg == 0) { > >>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED) > >>>>>> return off; > >>>>>> else > >>>>>> panic("segment is zero, but not in real > >>>>>> mode!\n"); > >>>>>> } > >>>>>> > >>>>>> printf("f 2\n"); > >>>>>> > >>>>>> xen dmesg output: > >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>>>> (XEN) HVM3: f 1 > >>>>>> (XEN) HVM3: f 2 > >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 > >>>>>> (XEN) HVM3: f 1 > >>>>>> (XEN) HVM3: f 1 > >>>>>> (XEN) HVM3: f 1 > >>>>>> (XEN) HVM3: Trap (0x6) while in real mode > >>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx > >>>>>> D75B4 > >>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi > >>>>>> 8 > >>>>>> (XEN) HVM3: trapno 6 errno 0 > >>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046 > >>>>>> (XEN) HVM3: uesp CFAE uss 0 > >>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs > >>>>>> 71F > >>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>> 651 > >>>>>> (XEN) HVM3: > >>>>>> (XEN) HVM3: 
Halt called from %eip 0xD037C > >>>>>> > >>>>>> > >>>>>> and the objdump shows that: > >>>>>> 000d1970 <interrupt>: > >>>>>> d1970: 55 push %ebp > >>>>>> d1971: 89 e5 mov %esp,%ebp > >>>>>> d1973: 57 push %edi > >>>>>> d1974: 89 d7 mov %edx,%edi > >>>>>> d1976: 56 push %esi > >>>>>> .... > >>>>>> d19f8: 66 89 30 mov %si,(%eax) > >>>>>> d19fb: 31 d2 xor %edx,%edx > >>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi > >>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) > >>>>>> d1a0b: 89 d8 mov %ebx,%eax > >>>>>> d1a0d: 89 34 24 mov %esi,(%esp) > >>>>>> > >>>>>> > >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>> Very weird. The emulations now aren't at the same address as before > >>>>>>> either > >>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added > >>>>>>> these > >>>>>>> printf()s -- is it at all possible that the guest is executing down a > >>>>>>> different path here for other reasons? If it's really down to the > >>>>>>> printf()s > >>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old > >>>>>>> behaviour back. > >>>>>>> > >>>>>>> -- Keir > >>>>>>> > >>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>>>> > >>>>>>>> it's strange: > >>>>>>>> if i add these prints, i get " Unknown opcode", not "trap". > >>>>>>>> ===added printf > >>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c > >>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100 > >>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800 > >>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>>>> static struct regs saved_rm_regs; > >>>>>>>> > >>>>>>>> #ifdef DEBUG > >>>>>>>> -int traceset = 0; > >>>>>>>> +int traceset = ~0; > >>>>>>>> > >>>>>>>> char *states[] = { > >>>>>>>> "<VM86_REAL>", 
> >>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > >>>>>>>> unsigned seg_base, seg_limit; > >>>>>>>> unsigned entry_low, entry_high; > >>>>>>>> > >>>>>>>> + printf("f 1\n"); > >>>>>>>> if (seg == 0) { > >>>>>>>> if (mode == VM86_REAL || mode == > >>>>>>>> VM86_REAL_TO_PROTECTED) > >>>>>>>> return off; > >>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > >>>>>>>> panic("segment is zero, but not in real > >>>>>>>> mode!\n"); > >>>>>>>> } > >>>>>>>> > >>>>>>>> + printf("f 2\n"); > >>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > >>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > >>>>>>>> return ((seg & 0xFFFF) << 4) + off; > >>>>>>>> > >>>>>>>> + printf("f 3\n"); > >>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > >>>>>>>> + printf("f 4\n"); > >>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { > >>>>>>>> + printf("f 5\n"); > >>>>>>>> printf("gdt base address above 4G\n"); > >>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), > >>>>>>>> &entry); > >>>>>>>> } else > >>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > >>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & > >>>>>>>> 0xFFFFFF); > >>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > >>>>>>>> > >>>>>>>> + printf("f 6\n"); > >>>>>>>> if (entry_high & 0x8000 && > >>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > >>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit))) > >>>>>>>> return seg_base + off; > >>>>>>>> + printf("f 7\n"); > >>>>>>>> > >>>>>>>> panic("should never reach here in function address():\n\t" > >>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, > >>>>>>>> offset=0x%08x\n", > >>>>>>>> entry_high, entry_low, mode, seg, off); > >>>>>>>> + printf("f 8\n"); > >>>>>>>> > >>>>>>>> return 0; > >>>>>>>> } 
> >>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) > >>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); > >>>>>>>> > >>>>>>>> regs->eip++; > >>>>>>>> + printf("f 9\n"); > >>>>>>>> return read8(addr); > >>>>>>>> } > >>>>>>>> > >>>>>>>> ===output when add many printf > >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 > >>>>>>>> (XEN) HVM12: f 2 > >>>>>>>> (XEN) HVM12: f 9 > >>>>>>>> (XEN) HVM12: f 1 > >>>>>>>> (XEN) HVM12: f 2 > >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 > >>>>>>>> (XEN) HVM12: f 2 > >>>>>>>> (XEN) HVM12: f 9 > >>>>>>>> (XEN) HVM12: f 1 > >>>>>>>> (XEN) HVM12: f 2 > >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 > >>>>>>>> (XEN) HVM12: f 2 > >>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 > >>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A > >>>>>>>> > >>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > >>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print > >>>>>>>>> info. > >>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in > >>>>>>>>> address(). 
> >>>>>>>>> > >>>>>>>>> (XEN) HVM7: after write16 of movw > >>>>>>>>> (XEN) HVM7: top of opcode > >>>>>>>>> (XEN) HVM7: Before fetch8 > >>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx > >>>>>>>>> 404E > >>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi > >>>>>>>>> C37FE > >>>>>>>>> (XEN) HVM7: trapno D errno 0 > >>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 > >>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0 > >>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs > >>>>>>>>> 0 > >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>> 651 > >>>>>>>>> (XEN) HVM7: > >>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode > >>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx > >>>>>>>>> 89 > >>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi > >>>>>>>>> D00 > >>>>>>>>> (XEN) HVM7: trapno 6 errno 0 > >>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 > >>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4 > >>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs > >>>>>>>>> D7644 > >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>> 651 > >>>>>>>>> (XEN) HVM7: > >>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF > >>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B > >>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>>>> How about trying: > >>>>>>>>>> printf("Before fetch8\n"); > >>>>>>>>>> dump_regs(regs); > >>>>>>>>>> opc = fetch8(regs); > >>>>>>>>>> printf("After fetch8\n"); > >>>>>>>>>> switch (opc) { ... > >>>>>>>>>> > >>>>>>>>>> This will let you see what eip is being fetched from, and also > >>>>>>>>>> confirm > >>>>>>>>>> that > >>>>>>>>>> the crash happens within fetch8(). > >>>>>>>>>> > >>>>>>>>>> You could also try adding more printf()s inside fetch8() and > >>>>>>>>>> address() > >>>>>>>>>> to > >>>>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed > >>>>>>>>>> the > >>>>>>>>>> function that is crashing). 
> >>>>>>>>>> > >>>>>>>>>> -- Keir > >>>>>>>>>> > >>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>>>>>>> > >>>>>>>>>>> Hi, Keir, > >>>>>>>>>>> I made the change as you said: > >>>>>>>>>>> change diff is: > >>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c > >>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 > >>>>>>>>>>> +0100 > >>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 > >>>>>>>>>>> +0800 > >>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>>>>>>> static struct regs saved_rm_regs; > >>>>>>>>>>> > >>>>>>>>>>> #ifdef DEBUG > >>>>>>>>>>> -int traceset = 0; > >>>>>>>>>>> +int traceset = ~0; > >>>>>>>>>>> > >>>>>>>>>>> char *states[] = { > >>>>>>>>>>> "<VM86_REAL>", > >>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, > >>>>>>>>>>> TRACE((regs, regs->eip - eip, > >>>>>>>>>>> "movw %%%s, *0x%x", rnames[r], > >>>>>>>>>>> addr)); > >>>>>>>>>>> write16(addr, MASK16(val)); > >>>>>>>>>>> + printf("after write16 of movw\n"); > >>>>>>>>>>> } > >>>>>>>>>>> return 1; > >>>>>>>>>>> > >>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) > >>>>>>>>>>> unsigned eip = regs->eip; > >>>>>>>>>>> unsigned opc, modrm, disp; > >>>>>>>>>>> unsigned prefix = 0; > >>>>>>>>>>> + printf("top of opcode\n"); > >>>>>>>>>>> > >>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL && > >>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) { > >>>>>>>>>>> 
@@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs > >>>>>>>>>>> if (trapno == 14) > >>>>>>>>>>> printf("Page fault address 0x%x\n", > >>>>>>>>>>> get_cr2()); > >>>>>>>>>>> dump_regs(regs); > >>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned > >>>>>>>>>>> short*)0xd0800)); > >>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned > >>>>>>>>>>> short*)0xd0804)); > >>>>>>>>>>> halt(); > >>>>>>>>>>> } > >>>>>>>>>>> } > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> here is the output: > >>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 > >>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: > >>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 > >>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE > >>>>>>>>>>> (XEN) HVM6: after write16 of movw > >>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode > >>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx > >>>>>>>>>>> 71E > >>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi > >>>>>>>>>>> D00 > >>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0 > >>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 > >>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2 > >>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs > >>>>>>>>>>> D75B4 > >>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>>>> 651 > >>>>>>>>>>> (XEN) HVM6: > >>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF > >>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B > >>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C > >>>>>>>>>>> > >>>>>>>>>>> objdump: > >>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> > >>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx > >>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax > >>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx > >>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi > >>>>>>>>>>> d07ff: 25 ff ff 00 00 and 
$0xffff,%eax > >>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi > >>>>>>>>>>> d0807: 89 ec mov %ebp,%esp > >>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax > >>>>>>>>>>> d080c: 01 d0 add %edx,%eax > >>>>>>>>>>> d080e: 5d pop %ebp > >>>>>>>>>>> > >>>>>>>>>>> seems the memory is correct, it's crashed in opcode() > >>>>>>>>>>> and i think it's fetch8(regs) which crash the system. I tried > >>>>>>>>>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm > >>>>>>>>>>> guest > >>>>>>>>>>> be reset. > >>>>>>>>>>> > >>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> What would be useful is to try to add tracing to see how far > >>>>>>>>>>>> vmxassist > >>>>>>>>>>>> gets > >>>>>>>>>>>> after its last line of tracing before the trap occurs. That last > >>>>>>>>>>>> line > >>>>>>>>>>>> is > >>>>>>>>>>>> currently from vm86.c, line 620. You might try adding extra > >>>>>>>>>>>> printf() > >>>>>>>>>>>> statements imemdiately after the write16() on line 622, and also at > >>>>>>>>>>>> the > >>>>>>>>>>>> top > >>>>>>>>>>>> of the opcode() function. We need to find out at what point > >>>>>>>>>>>> vmxassist > >>>>>>>>>>>> is > >>>>>>>>>>>> jumping to this bogus address d0800. > >>>>>>>>>>>> > >>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in > >>>>>>>>>>>> memory. > >>>>>>>>>>>> This > >>>>>>>>>>>> is particularly likely because, according to the objdump, the > >>>>>>>>>>>> 'instruction' > >>>>>>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some > >>>>>>>>>>>> sort). > >>>>>>>>>>>> > >>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at > >>>>>>>>>>>> 0xd0800 > >>>>>>>>>>>> and printf() them. So we can see if they match what objdump says > >>>>>>>>>>>> should > >>>>>>>>>>>> be > >>>>>>>>>>>> there. 
> >>>>>>>>>>>> > >>>>>>>>>>>> -- Keir > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> _______________________________________________ > >>>>>>>>>>> Xen-devel mailing list > >>>>>>>>>>> Xen-devel@lists.xensource.com > >>>>>>>>>>> http://lists.xensource.com/xen-devel > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> > >>>>>>>> > >>>>>>>> _______________________________________________ > >>>>>>>> Xen-devel mailing list > >>>>>>>> Xen-devel@lists.xensource.com > >>>>>>>> http://lists.xensource.com/xen-devel > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> Xen-devel mailing list > >>>>>> Xen-devel@lists.xensource.com > >>>>>> http://lists.xensource.com/xen-devel > >>>>> > >>>>> > >>>> > >>> > >>> _______________________________________________ > >>> Xen-devel mailing list > >>> Xen-devel@lists.xensource.com > >>> http://lists.xensource.com/xen-devel > >> > >> > > > > _______________________________________________ > > Xen-devel mailing list > > Xen-devel@lists.xensource.com > > http://lists.xensource.com/xen-devel > > ^ permalink raw reply [flat|nested] 37+ messages in thread
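An added example in Python (not code from the thread or from Xen): it parses the `(XEN) HVMn: 0xADDR: ...` dump lines Brady posted above, checks the bytes at 0xD700 against the copy loop Keir decodes by hand in his reply, and interprets that loop to list where its 16-bit stores land. The 0xD0000-0xD8000 vmxassist window is an assumption; the register state it resumes from is the HVM7 `Before fetch8` dump quoted earlier in this thread.

```python
"""Added example (not from the thread or from Xen): parse the '(XEN) HVMn: 0xADDR:
bytes' dump lines, check them against Keir's hand disassembly, and interpret the loop."""
import re

# Four dump lines copied from Brady Chen's message above (0xD700-0xD73F).
DUMP = """\
(XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
(XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
(XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
(XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
"""
LINE_RE = re.compile(r"\(XEN\) HVM\d+: 0x([0-9A-Fa-f]+): ((?:[0-9A-Fa-f]{2}\s*)+)")
M32 = 0xFFFFFFFF
# Keir's listing (address, bytes, mnemonic) plus an effect tuple for run_loop.
LISTING = [
    (0xD700, "66 03 DF", "add %edi,%ebx", ("add", "ebx", "edi")),
    (0xD703, "66 83 C3 02", "add $2,%ebx", ("add", "ebx", 2)),
    (0xD707, "66 81 C7 FE 01 00 00", "add $0x1fe,%edi", ("add", "edi", 0x1FE)),
    (0xD70E, "66 49", "dec %ecx", ("add", "ecx", -1)),
    (0xD710, "66 0B C9", "or %ecx,%ecx", ("nop",)),        # only sets ZF for the jz
    (0xD713, "0F 84 17 00", "jz 0xd72e", ("jz", 0xD72E)),
    (0xD717, "26 67 8B 03", "mov %es:(%ebx),%ax", ("load",)),
    (0xD71B, "26 67 89 07", "mov %ax,%es:(%edi)", ("store",)),
    (0xD71F, "66 83 C3 02", "add $2,%ebx", ("add", "ebx", 2)),
    (0xD723, "66 81 C7 00 02 00 00", "add $0x200,%edi", ("add", "edi", 0x200)),
    (0xD72A, "66 49", "dec %ecx", ("add", "ecx", -1)),
    (0xD72C, "EB E2", "jmp 0xd710", ("jmp", 0xD710)),
    (0xD72E, "66 61", "popal", ("nop",)),                   # stack effects not modelled
    (0xD730, "90", "nop", ("nop",)),
    (0xD731, "1F", "pop %ds", ("nop",)),
    (0xD732, "07", "pop %es", ("nop",)),
    (0xD733, "C3", "ret", ("ret",)),
]

def parse_dump(text):
    """Map linear address -> byte value for every byte in the dump lines."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                mem[base + i] = int(tok, 16)
    return mem

def check_listing(mem, listing=LISTING):
    """True if the listing is contiguous and each entry's bytes match the dump."""
    nxt = listing[0][0]
    for addr, hexbytes, _, _ in listing:
        want = [int(b, 16) for b in hexbytes.split()]
        if addr != nxt or [mem.get(addr + i) for i in range(len(want))] != want:
            return False
        nxt = addr + len(want)
    return True

def run_loop(mem, regs, eip=0xD700, max_stores=1 << 16):
    """Interpret LISTING from eip until the ret: ES base is ES << 4 (real mode),
    EBX/EDI are full 32-bit (67 prefix), stores are 16-bit. Returns store addresses."""
    table = {a: (eff, a + len(hb.split())) for a, hb, _, eff in LISTING}
    base = (regs["es"] & 0xFFFF) << 4
    stores = []
    while True:
        effect, nxt = table[eip]          # effect and fall-through address
        op = effect[0]
        if op == "add":
            src = effect[2] if isinstance(effect[2], int) else regs[effect[2]]
            regs[effect[1]] = (regs[effect[1]] + src) & M32
        elif op == "jz" and regs["ecx"] == 0:
            nxt = effect[1]
        elif op == "jmp":
            nxt = effect[1]
        elif op == "load":
            src = base + regs["ebx"]
            regs["eax"] = (regs["eax"] & 0xFFFF0000) | mem.get(src, 0) | (mem.get(src + 1, 0) << 8)
        elif op == "store":
            dst = base + regs["edi"]
            mem[dst], mem[dst + 1] = regs["eax"] & 0xFF, (regs["eax"] >> 8) & 0xFF
            stores.append(dst)
            if len(stores) >= max_stores:  # ecx == 0 on entry wraps to 2**32 - 1 iterations
                raise RuntimeError("store limit hit at %#x (ecx=%#x)" % (dst, regs["ecx"]))
        elif op == "ret":
            return stores
        eip = nxt

# Assumed window for vmxassist's own code, data and stack; its objdump addresses
# and stack pointer in this thread's register dumps all fall inside it.
VMXASSIST_LO, VMXASSIST_HI = 0xD0000, 0xD8000

def stores_into(stores, lo=VMXASSIST_LO, hi=VMXASSIST_HI):
    """Stores landing inside [lo, hi), i.e. on top of the emulator itself."""
    return [s for s in stores if lo <= s < hi]

# Guest registers from the HVM7 "Before fetch8" dump quoted in this thread
# (eip 71F, es D00): ES<<4 + EDI = 0xD07FE, the "movw %ax, *0xD07FE" just traced.
HVM7_REGS = {"es": 0xD00, "eax": 0x7E80, "ebx": 0x404E, "ecx": 0x2D1B, "edi": 0xC37FE}

def trace_from_hvm7():
    """Resume the loop at 0xD71F with the HVM7 state; return its remaining stores."""
    return run_loop(parse_dump(DUMP), dict(HVM7_REGS), eip=0xD71F)
```

Resumed from that state, the loop's next stores march through the assumed vmxassist window at 0x200-byte strides, which is the kind of self-overwrite Brady's point 7 suspects. To disassemble a dump with binutils rather than by hand, write the parsed bytes to a file and run `objdump -D -b binary -m i386 -M addr16,data16 --adjust-vma=0xd680` on it.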
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08 12:12 ` Brady Chen
@ 2007-08-08 13:32 ` Keir Fraser
  2007-08-08 14:52 ` Mats Petersson
  2007-08-08 15:42 ` Brady Chen
  0 siblings, 2 replies; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 13:32 UTC
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Disassembled the interesting bit by hand:

D700: 66 03 DF             add %edi,%ebx
D703: 66 83 C3 02          add $2,%ebx
D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
D70E: 66 49                dec %ecx
D710: 66 0B C9             or %ecx,%ecx
D713: 0F 84 17 00          jz 0xd72e
D717: 26 67 8B 03          mov %es:(%ebx),%ax
D71B: 26 67 89 07          mov %ax,%es:(%edi)
D71F: 66 83 C3 02          add $2,%ebx
D723: 66 81 C7 00 02 00 00 add $0x200,%edi
D72A: 66 49                dec %ecx
D72C: EB E2                jmp 0xd710
D72E: 66 61                popal
D730: 90                   nop
D731: 1F                   pop %ds
D732: 07                   pop %es
D733: C3                   ret

It's a fairly odd copy loop! It'd be nice to get a register dump when
emulating this so that we can see e.g., what memory range is supposed to be
affected.

-- Keir

On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:

> Hi Keir,
> here is the memory dump from D680 ~ D780. How do I analyze it? Any tools? Thanks.
>
> (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
>
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>> Well, some bytes are already screwed at that point, so I'd try to do it
>> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
>> But yes, dumping by printf() is fine. Put address at start of line, and then
>> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
>>
>> -- Keir
>>
>> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> Thanks,
>>> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
>>> Just printf in trap() of vmxassist?
>>>
>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>>> You could give that a try, but really it shouldn't be going at
>>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>>>>
>>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
>>>> around 0xd680-0xd780? Then we could try and work out what the guest is
>>>> trying to execute, and see whether emulation is going wrong. A register dump
>>>> from the guest (dump_regs()) at the start of every call to opcode() might
>>>> also be useful.
>>>>
>>>> -- Keir
>>>>
>>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>
>>>>> Hi Keir,
>>>>> I think the 7th issue I mentioned is the root cause,
>>>>> so I have a question.
>>>>> For real mode simulation, is the simulator running in the same space
>>>>> as the code to be simulated? Then how do you protect the simulator from
>>>>> being modified by the to-be-simulated code?
>>>>>
>>>>> Can I change the address of vmxassist to a higher address? Just to
>>>>> give more space to the to-be-simulated Windows.
>>>>>
>>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>> It's possible.
>>>>>> Any ideas to trace the function stack of the xen guest?
like "bt" command in >>>>>> gdb. >>>>>> >>>>>> I did some analysis: >>>>>> 1. the call flow is opcode()->fetch8()->address() >>>>>> 2. only the printf in address() will change the behaver of crash. >>>>>> 3. and the crash EIP (0xD0800) is in the address() from the objdump. >>>>>> 4. the address() will be invoked more then 40, 000 times in one >>>>>> simulation, before the crash. >>>>>> 5. seems there are no recursive invoking in opcode(), fetch8(), address() >>>>>> 6. from the output of "xen dmesg", before the crash, a instructions >>>>>> sequence is simulated several times (you could check the previous >>>>>> mails i send for "xen dmesg" output) >>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE", >>>>>> and the "*0xD07FE" is just the address of address(), (you could get >>>>>> the objdump output from previous mails too), so i think it's the >>>>>> simulation which crash the memory of address(). >>>>>> >>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote: >>>>>>> Stack corruption/overflow, possibly? >>>>>>> >>>>>>> K. >>>>>>> >>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote: >>>>>>> >>>>>>>> Yes, the printfs are the only changes. 
once I remove these prints, the >>>>>>>> trap comes back, with the same EIP (D0800) >>>>>>>> >>>>>>>> I tried to keep the first two printfs, the trap comes with different >>>>>>>> EIP(D19FD) >>>>>>>> static unsigned >>>>>>>> address(struct regs *regs, unsigned seg, unsigned off) >>>>>>>> { >>>>>>>> uint64_t gdt_phys_base; >>>>>>>> unsigned long long entry; >>>>>>>> unsigned seg_base, seg_limit; >>>>>>>> unsigned entry_low, entry_high; >>>>>>>> >>>>>>>> printf("f 1\n"); >>>>>>>> if (seg == 0) { >>>>>>>> if (mode == VM86_REAL || mode == >>>>>>>> VM86_REAL_TO_PROTECTED) >>>>>>>> return off; >>>>>>>> else >>>>>>>> panic("segment is zero, but not in real >>>>>>>> mode!\n"); >>>>>>>> } >>>>>>>> >>>>>>>> printf("f 2\n"); >>>>>>>> >>>>>>>> xen dmesg output: >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 >>>>>>>> (XEN) HVM3: f 1 >>>>>>>> (XEN) HVM3: f 2 >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8 >>>>>>>> (XEN) HVM3: f 1 >>>>>>>> (XEN) HVM3: f 1 >>>>>>>> (XEN) HVM3: f 1 >>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode >>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx >>>>>>>> D75B4 >>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi >>>>>>>> 8 >>>>>>>> (XEN) HVM3: trapno 6 errno 0 >>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046 >>>>>>>> (XEN) HVM3: uesp CFAE uss 0 >>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs >>>>>>>> 71F >>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 >>>>>>>> 651 >>>>>>>> (XEN) HVM3: >>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C >>>>>>>> >>>>>>>> >>>>>>>> and the objdump shows that: >>>>>>>> 000d1970 <interrupt>: >>>>>>>> d1970: 55 push %ebp >>>>>>>> d1971: 89 e5 mov %esp,%ebp >>>>>>>> d1973: 57 push %edi >>>>>>>> d1974: 89 d7 mov %edx,%edi >>>>>>>> d1976: 56 push %esi >>>>>>>> .... 
>>>>>>>> d19f8: 66 89 30 mov %si,(%eax) >>>>>>>> d19fb: 31 d2 xor %edx,%edx >>>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi >>>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx) >>>>>>>> d1a0b: 89 d8 mov %ebx,%eax >>>>>>>> d1a0d: 89 34 24 mov %esi,(%esp) >>>>>>>> >>>>>>>> >>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: >>>>>>>>> Very weird. The emulations now aren't at the same address as before >>>>>>>>> either >>>>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added >>>>>>>>> these >>>>>>>>> printf()s -- is it at all possible that the guest is executing down a >>>>>>>>> different path here for other reasons? If it's really down to the >>>>>>>>> printf()s >>>>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old >>>>>>>>> behaviour back. >>>>>>>>> >>>>>>>>> -- Keir >>>>>>>>> >>>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> it's strange: >>>>>>>>>> if i add these prints, i get " Unknown opcode", not "trap". >>>>>>>>>> ===added printf >>>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c >>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c >>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 >>>>>>>>>> +0100 >>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 >>>>>>>>>> +0800 >>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; >>>>>>>>>> static struct regs saved_rm_regs; >>>>>>>>>> >>>>>>>>>> #ifdef DEBUG >>>>>>>>>> -int traceset = 0; >>>>>>>>>> +int traceset = ~0; >>>>>>>>>> >>>>>>>>>> char *states[] = { >>>>>>>>>> "<VM86_REAL>", >>>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, >>>>>>>>>> unsigned seg_base, seg_limit; >>>>>>>>>> unsigned entry_low, entry_high; >>>>>>>>>> >>>>>>>>>> + printf("f 1\n"); >>>>>>>>>> if (seg == 0) { >>>>>>>>>> if (mode == VM86_REAL || mode == >>>>>>>>>> VM86_REAL_TO_PROTECTED) >>>>>>>>>> return off; 
>>>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, >>>>>>>>>> panic("segment is zero, but not in real >>>>>>>>>> mode!\n"); >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> + printf("f 2\n"); >>>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || >>>>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) >>>>>>>>>> return ((seg & 0xFFFF) << 4) + off; >>>>>>>>>> >>>>>>>>>> + printf("f 3\n"); >>>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); >>>>>>>>>> + printf("f 4\n"); >>>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { >>>>>>>>>> + printf("f 5\n"); >>>>>>>>>> printf("gdt base address above 4G\n"); >>>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), >>>>>>>>>> &entry); >>>>>>>>>> } else >>>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, >>>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & >>>>>>>>>> 0xFFFFFF); >>>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); >>>>>>>>>> >>>>>>>>>> + printf("f 6\n"); >>>>>>>>>> if (entry_high & 0x8000 && >>>>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || >>>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit))) >>>>>>>>>> return seg_base + off; >>>>>>>>>> + printf("f 7\n"); >>>>>>>>>> >>>>>>>>>> panic("should never reach here in function address():\n\t" >>>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, >>>>>>>>>> offset=0x%08x\n", >>>>>>>>>> entry_high, entry_low, mode, seg, off); >>>>>>>>>> + printf("f 8\n"); >>>>>>>>>> >>>>>>>>>> return 0; >>>>>>>>>> } 
>>>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
>>>>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>>>>>>>>>>
>>>>>>>>>> regs->eip++;
>>>>>>>>>> + printf("f 9\n");
>>>>>>>>>> return read8(addr);
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> ===output when add many printf
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: f 9
>>>>>>>>>> (XEN) HVM12: f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: f 9
>>>>>>>>>> (XEN) HVM12: f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
>>>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
>>>>>>>>>>
>>>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this
>>>>>>>>>>> print info.
>>>>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in
>>>>>>>>>>> address().
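Review bot: in the `@@ -152,14 +157,17 @@ address()` hunk, `+ printf("f 8\n");` is placed after the `panic("should never reach here ...")` call; if panic() does not return, as its message implies, that trace is dead code and should be dropped or moved above the panic.

Review bot: in the `@@ -128,6 +128,7 @@` and `@@ -135,12 +136,16 @@` hunks the `f 1` / `f 2` traces fire on every address() call, which the thread reports happens tens of thousands of times before the crash and is already enough to change the failure (Unknown opcode at 0xD4C3 instead of the trap at 0xD0800); gating them on the segment:offset range being debugged, e.g. `if (seg == 0xD00 && off >= 0x700 && off < 0x740)`, would keep the trace while disturbing the run far less.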
>>>>>>>>>>>
>>>>>>>>>>> (XEN) HVM7: after write16 of movw
>>>>>>>>>>> (XEN) HVM7: top of opcode
>>>>>>>>>>> (XEN) HVM7: Before fetch8
>>>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>>>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>>>>>>>>>>> (XEN) HVM7: trapno D errno 0
>>>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>>>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
>>>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>> (XEN) HVM7:
>>>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
>>>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>>>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>>>>>>>>>>> (XEN) HVM7: trapno 6 errno 0
>>>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>>>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
>>>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>> (XEN) HVM7:
>>>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
>>>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
>>>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>>>> How about trying:
>>>>>>>>>>>> printf("Before fetch8\n");
>>>>>>>>>>>> dump_regs(regs);
>>>>>>>>>>>> opc = fetch8(regs);
>>>>>>>>>>>> printf("After fetch8\n");
>>>>>>>>>>>> switch (opc) { ...
>>>>>>>>>>>>
>>>>>>>>>>>> This will let you see what eip is being fetched from, and also
>>>>>>>>>>>> confirm that the crash happens within fetch8().
>>>>>>>>>>>>
>>>>>>>>>>>> You could also try adding more printf()s inside fetch8() and
>>>>>>>>>>>> address() to find out which specific bit of fetch8() is crashing
>>>>>>>>>>>> (if that is indeed the function that is crashing).
>>>>>>>>>>>>
>>>>>>>>>>>> -- Keir
>>>>>>>>>>>>
>>>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi, Keir,
>>>>>>>>>>>> I made the change as you said:
>>>>>>>>>>>> change diff is:
>>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
>>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>>>>>
>>>>>>>>>>>> #ifdef DEBUG
>>>>>>>>>>>> -int traceset = 0;
>>>>>>>>>>>> +int traceset = ~0;
>>>>>>>>>>>>
>>>>>>>>>>>> char *states[] = {
>>>>>>>>>>>> "<VM86_REAL>",
>>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>>>>>>>>>> TRACE((regs, regs->eip - eip,
>>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r], addr));
>>>>>>>>>>>> write16(addr, MASK16(val));
>>>>>>>>>>>> + printf("after write16 of movw\n");
>>>>>>>>>>>> }
>>>>>>>>>>>> return 1;
>>>>>>>>>>>>
>>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>>>>>>>>>> unsigned eip = regs->eip;
>>>>>>>>>>>> unsigned opc, modrm, disp;
>>>>>>>>>>>> unsigned prefix = 0;
>>>>>>>>>>>> + printf("top of opcode\n");
>>>>>>>>>>>>
>>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
>>>>>>>>>>>>
>>>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>>>>>>>>>> if (trapno == 14)
>>>>>>>>>>>> printf("Page fault address 0x%x\n", get_cr2());
>>>>>>>>>>>> dump_regs(regs);
>>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
>>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
>>>>>>>>>>>> halt();
>>>>>>>>>>>> }
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> here is the output:
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>>>>>>>>>> (XEN) HVM6: after write16 of movw
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
>>>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
>>>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
>>>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
>>>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>>> (XEN) HVM6:
>>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>>>>>>>>>
>>>>>>>>>>>> objdump:
>>>>>>>>>>>> d07ef: e9 2f ff ff ff          jmp d0723 <address+0x23>
>>>>>>>>>>>> d07f4: 8b 55 08                mov 0x8(%ebp),%edx
>>>>>>>>>>>> d07f7: 89 f8                   mov %edi,%eax
>>>>>>>>>>>> d07f9: 8b 5d f4                mov 0xfffffff4(%ebp),%ebx
>>>>>>>>>>>> d07fc: 8b 75 f8                mov 0xfffffff8(%ebp),%esi
>>>>>>>>>>>> d07ff: 25 ff ff 00 00          and $0xffff,%eax
>>>>>>>>>>>>
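Review bot: in the `@@ -1712,6 +1714,8 @@ trap()` hunk the two added printf()s dereference fixed addresses on every trap regardless of `trapno`, and they show only the words at `0xd0800` and `0xd0804` (skipping 0xd0802-0xd0803), which is too little to tell whether the image still matches the objdump; a loop over the 16 bytes from 0xd0800 printed as `%02x`, as suggested elsewhere in the thread, and `%04x` instead of `%0x` (which is just `%x`) for any word prints would make the comparison direct.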
>>>>>>>>>>>> d0804: 8b 7d fc                mov 0xfffffffc(%ebp),%edi
>>>>>>>>>>>> d0807: 89 ec                   mov %ebp,%esp
>>>>>>>>>>>> d0809: c1 e0 04                shl $0x4,%eax
>>>>>>>>>>>> d080c: 01 d0                   add %edx,%eax
>>>>>>>>>>>> d080e: 5d                      pop %ebp
>>>>>>>>>>>>
>>>>>>>>>>>> seems the memory is correct, it's crashed in opcode()
>>>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
>>>>>>>>>>>> fetch8(regs) in trap(), but it causes more traps, and lets the hvm
>>>>>>>>>>>> guest be reset.
>>>>>>>>>>>>
>>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> What would be useful is to try to add tracing to see how far
>>>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
>>>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
>>>>>>>>>>>> might try adding extra printf() statements immediately after the
>>>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
>>>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
>>>>>>>>>>>> to this bogus address d0800.
>>>>>>>>>>>>
>>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
>>>>>>>>>>>> memory. This is particularly likely because, according to the
>>>>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
>>>>>>>>>>>> (it'd be an ADD of some sort).
>>>>>>>>>>>>
>>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
>>>>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what
>>>>>>>>>>>> objdump says should be there.
>>>>>>>>>>>>
>>>>>>>>>>>> -- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08 13:32 ` Keir Fraser
@ 2007-08-08 14:52 ` Mats Petersson
  2007-08-08 15:50 ` Brady Chen
  2007-08-08 15:42 ` Brady Chen
  1 sibling, 1 reply; 37+ messages in thread
From: Mats Petersson @ 2007-08-08 14:52 UTC (permalink / raw)
To: Keir Fraser, Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

At 14:32 08/08/2007, Keir Fraser wrote:
>Disassembled the interesting bit by hand:
>
>D700: 66 03 DF                add %edi,%ebx
>D703: 66 83 C3 02             add $2,%ebx
>D707: 66 81 C7 FE 01 00 00    add $0x1fe,%edi
>D70E: 66 49                   dec %ecx
>D710: 66 0B C9                or %ecx,%ecx
>D713: 0F 84 17 00             jz 0xd72e
>D717: 26 67 8B 03             mov %es:(%ebx),%ax
>D71B: 26 67 89 07             mov %ax,%es:(%edi)
>D71F: 66 83 C3 02             add $2,%ebx
>D723: 66 81 C7 00 02 00 00    add $0x200,%edi
>D72A: 66 49                   dec %ecx
>D72C: EB E2                   jmp 0xd710
>D72E: 66 61                   popal
>D730: 90                      nop
>D731: 1F                      pop %ds
>D732: 07                      pop %es
>D733: C3                      ret

Any chance that the segment(s) involved are "big-real-mode"?

--
Mats

>It's a fairly odd copy loop! It'd be nice to get a register dump when
>emulating this so that we can see e.g., what memory range is supposed to be
>affected.
>
> -- Keir
>
>
>On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > here the memory dump from D680 ~ D780, how to analyze it? any tools?
> > thanks
> >
> > (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> > (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> > (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> > (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> > (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> > (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> > (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> > (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> > (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> > (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> > (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> > (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> > (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> > (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> > (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> > (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> > (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
> >
> >
> > On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >> Well, some bytes are already screwed at that point, so I'd try to do it
> >> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> >> But yes, dumping by printf() is fine. Put address at start of line, and then
> >> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
> >>
> >> -- Keir
> >>
> >> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> Thanks,
> >>> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> >>> just printf in trap() of vmxassist?
> >>>
> >>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>> You could give that a try, but really it shouldn't be going at
> >>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
> >>>>
> >>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> >>>> around 0xd680-0xd780? Then we could try and work out what the guest is
> >>>> trying to execute, and see whether emulation is going wrong. A register
> >>>> dump from the guest (dump_regs()) at the start of every call to opcode()
> >>>> might also be useful.
> >>>>
> >>>> -- Keir
> >>>>
> >>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>
> >>>>> Hi Keir,
> >>>>> I think the 7th issue I mentioned is the root cause,
> >>>>> so I have a question.
> >>>>> For real mode simulation, is the simulator running in the same space
> >>>>> as the code to be simulated? Then how to protect the simulator from
> >>>>> being modified by the to-be-simulated code?
> >>>>>
> >>>>> can I change the address of vmxassist to a higher address? just try to
> >>>>> give more space to the to-be-simulated windows.
> >>>>>
> >>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>> it's possible.
> >>>>>> any ideas to trace the function stack of xen guest? like "bt" command in
> >>>>>> gdb.
> >>>>>>
> >>>>>> I did some analysis:
> >>>>>> 1. the call flow is opcode()->fetch8()->address()
> >>>>>> 2. only the printf in address() will change the behaviour of the crash.
> >>>>>> 3. and the crash EIP (0xD0800) is in the address() from the objdump.
> >>>>>> 4. the address() will be invoked more than 40,000 times in one
> >>>>>> simulation, before the crash.
> >>>>>> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
> >>>>>> 6. from the output of "xen dmesg", before the crash, an instruction
> >>>>>> sequence is simulated several times (you could check the previous
> >>>>>> mails I sent for "xen dmesg" output)
> >>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >>>>>> and the "*0xD07FE" is just the address of address(), (you could get
> >>>>>> the objdump output from previous mails too), so I think it's the
> >>>>>> simulation which crashes the memory of address().
> >>>>>>
> >>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> Stack corruption/overflow, possibly?
> >>>>>>>
> >>>>>>> K.
> >>>>>>>
> >>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Yes, the printfs are the only changes. once I remove these prints, the
> >>>>>>>> trap comes back, with the same EIP (D0800)
> >>>>>>>>
> >>>>>>>> I tried to keep the first two printfs, the trap comes with a different
> >>>>>>>> EIP (D19FD)
> >>>>>>>> static unsigned
> >>>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>>>>>> {
> >>>>>>>>         uint64_t gdt_phys_base;
> >>>>>>>>         unsigned long long entry;
> >>>>>>>>         unsigned seg_base, seg_limit;
> >>>>>>>>         unsigned entry_low, entry_high;
> >>>>>>>>
> >>>>>>>>         printf("f 1\n");
> >>>>>>>>         if (seg == 0) {
> >>>>>>>>                 if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>>>>>>                         return off;
> >>>>>>>>                 else
> >>>>>>>>                         panic("segment is zero, but not in real mode!\n");
> >>>>>>>>         }
> >>>>>>>>
> >>>>>>>>         printf("f 2\n");
> >>>>>>>>
> >>>>>>>> xen dmesg output:
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 2
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>>>>>> (XEN) HVM3: trapno 6 errno 0
> >>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>>>>>> (XEN) HVM3: uesp CFAE uss 0
> >>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs
> >>>>>>>> 71F
> >>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>> (XEN) HVM3:
> >>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> and the objdump shows that:
> >>>>>>>> 000d1970 <interrupt>:
> >>>>>>>> d1970: 55                      push %ebp
> >>>>>>>> d1971: 89 e5                   mov %esp,%ebp
> >>>>>>>> d1973: 57                      push %edi
> >>>>>>>> d1974: 89 d7                   mov %edx,%edi
> >>>>>>>> d1976: 56                      push %esi
> >>>>>>>> ....
> >>>>>>>> d19f8: 66 89 30                mov %si,(%eax)
> >>>>>>>> d19fb: 31 d2                   xor %edx,%edx
> >>>>>>>> d19fd: 8d 34 bd 00 00 00 00    lea 0x0(,%edi,4),%esi
> >>>>>>>> d1a04: 81 63 30 ff fd ff ff    andl $0xfffffdff,0x30(%ebx)
> >>>>>>>> d1a0b: 89 d8                   mov %ebx,%eax
> >>>>>>>> d1a0d: 89 34 24                mov %esi,(%esp)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>> Very weird. The emulations now aren't at the same address as before
> >>>>>>>>> either (0xd4c3 rather than 0xd71b). Is the *only* difference that you
> >>>>>>>>> added these printf()s -- is it at all possible that the guest is
> >>>>>>>>> executing down a different path here for other reasons? If it's really
> >>>>>>>>> down to the printf()s then I guess you'll have to shuffle/remove
> >>>>>>>>> printf()s to get the old behaviour back.
> >>>>>>>>>
> >>>>>>>>> -- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
  2007-08-08 14:52 ` Mats Petersson
@ 2007-08-08 15:50 ` Brady Chen
  2007-08-08 16:19 ` Keir Fraser
  0 siblings, 1 reply; 37+ messages in thread

From: Brady Chen @ 2007-08-08 15:50 UTC (permalink / raw)
To: Mats Petersson; +Cc: Z24, tygrawy, xen-devel, Keir Fraser, AL.LINUX

"big-real-mode"? is it something related to PAE? my CPU is Intel
T2400, Centrino Duo
thanks

[root@localhost firmware]# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 14
model name      : Genuine Intel(R) CPU T2400 @ 1.83GHz
stepping        : 8
cpu MHz         : 1828.831
cache size      : 2048 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pni monitor vmx est tm2 xtpr
bogomips        : 3660.35

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 14
model name      : Genuine Intel(R) CPU T2400 @ 1.83GHz
stepping        : 8
cpu MHz         : 1828.831
cache size      : 2048 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc up pni monitor vmx est tm2 xtpr
bogomips        : 3660.35

On 8/8/07, Mats Petersson <mats@planetcatfish.com> wrote:
> At 14:32 08/08/2007, Keir Fraser wrote:
> >Disassembled the interesting bit by hand:
> >
> >D700: 66 03 DF                add %edi,%ebx
> >D703: 66 83 C3 02             add $2,%ebx
> >D707: 66 81 C7 FE 01 00 00    add $0x1fe,%edi
> >D70E: 66 49                   dec %ecx
> >D710: 66 0B C9                or %ecx,%ecx
> >D713: 0F 84 17 00             jz 0xd72e
> >D717: 26 67 8B 03             mov %es:(%ebx),%ax
> >D71B: 26 67 89 07             mov %ax,%es:(%edi)
> >D71F: 66 83 C3 02             add $2,%ebx
> >D723: 66 81 C7 00 02 00 00    add $0x200,%edi
> >D72A: 66 49                   dec %ecx
> >D72C: EB E2                   jmp 0xd710
> >D72E: 66 61                   popal
> >D730: 90                      nop
> >D731: 1F                      pop %ds
> >D732: 07                      pop %es
> >D733: C3                      ret
> >
>
> Any chance that the segment(s) involved are "big-real-mode"?
>
> --
> Mats
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-08 16:19 UTC
To: Brady Chen, Mats Petersson; +Cc: Keir Fraser, tygrawy, xen-devel, Z24, AL.LINUX

No, it's a processor mode halfway between real mode and protected mode which all x86 processors support, but which vmxassist is really rather bad at handling. If this is a big-real-mode copy loop then that might explain why the loop is executing so bizarrely, and may mean you are out of luck until we retire vmxassist.

-- Keir

On 8/8/07 16:50, "Brady Chen" <chenchp@gmail.com> wrote:

> "big-real-mode"? is it something related to PAE? my CPU is Intel
> T2400, Centrino Duo
> thanks
>
> [root@localhost firmware]# cat /proc/cpuinfo
> processor : 0
> vendor_id : GenuineIntel
> cpu family : 6
> model : 14
> model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
> stepping : 8
> cpu MHz : 1828.831
> cache size : 2048 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 10
> wp : yes
> flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pni
> monitor vmx est tm2 xtpr
> bogomips : 3660.35
>
> processor : 1
> vendor_id : GenuineIntel
> cpu family : 6
> model : 14
> model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
> stepping : 8
> cpu MHz : 1828.831
> cache size : 2048 KB
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 10
> wp : yes
> flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc up pni
> monitor vmx est tm2 xtpr
> bogomips : 3660.35
>
>
> On 8/8/07, Mats Petersson <mats@planetcatfish.com> wrote:
>> At 14:32 08/08/2007, Keir Fraser wrote:
>>> Disassembled the interesting bit by hand:
>>>
>>> D700: 66 03 DF add %edi,%ebx
>>> D703: 66 83 C3 02 add $2,%ebx
>>> D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
>>> D70E: 66 49 dec %ecx
>>> D710: 66 0B C9 or %ecx,%ecx
>>> D713: 0F 84 17 00 jz 0xd72e
>>> D717: 26 67 8B 03 mov %es:(%ebx),%ax
>>> D71B: 26 67 89 07 mov %ax,%es:(%edi)
>>> D71F: 66 83 C3 02 add $2,%ebx
>>> D723: 66 81 C7 00 02 00 00 add $0x200,%edi
>>> D72A: 66 49 dec %ecx
>>> D72C: EB E2 jmp 0xd710
>>> D72E: 66 61 popal
>>> D730: 90 nop
>>> D731: 1F pop %ds
>>> D732: 07 pop %es
>>> D733: C3 ret
>>
>>
>> Any chance that the segment(s) involved are "big-real-mode"?
>>
>> --
>> Mats
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Mats Petersson @ 2007-08-08 17:45 UTC
To: Brady Chen; +Cc: Keir Fraser, tygrawy, xen-devel, Z24, AL.LINUX

At 17:19 08/08/2007, Keir Fraser wrote:
>No, it's a processor mode halfway between real mode and protected mode which
>all x86 processors support, but which vmxassist is really rather bad at
>handling. If this is a big-real-mode copy loop then that might explain why
>the loop is executing so bizarrely, and may mean you are out of luck until
>we retire vmxassist.

And the fact that EDI is 0xC33FE when it tries to write to the memory at address of EDI indicates that it's Big-Real-Mode. In real-mode, any register access beyond segment+0xFFFF is a GP-fault on 386 and later processors. To get around this and simplify the process of, for example, loading large chunks of data into memory, someone figured out that segment register limits (and base address) are not being RESET by the processor when resetting the protected-mode bit in CR0, so one can go into protected mode, load a segment register with a bigger limit (e.g. a "no limit" of 4GB), and a base address of (say) zero.

Unfortunately, since VMXassist uses the VM86 mode of the processor, it doesn't support transitions back and forth between protected mode with segment registers preserved (you can't run in Real Mode with VMX enabled).

The other option for possibly getting this working (plug for my former employer) is to use an AMD processor, as that supports "real-mode virtualization", so you can run real-mode with "SVM" enabled, and in this case, the segment registers can be manipulated in protected mode, and then go back to real-mode, without any loss of segment data.

As Keir hints, there is work to "remove" the VMXassist mode (which by all accounts, and I don't think I'm offending anyone by saying this, is a quick hack to get around the fact that real-mode code is needed to boot the OS).

--
Mats

> -- Keir
>
>On 8/8/07 16:50, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > "big-real-mode"? is it something related to PAE? my CPU is Intel
> > T2400, Centrino Duo
> > thanks
> >
> > [root@localhost firmware]# cat /proc/cpuinfo
> > processor : 0
> > vendor_id : GenuineIntel
> > cpu family : 6
> > model : 14
> > model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
> > stepping : 8
> > cpu MHz : 1828.831
> > cache size : 2048 KB
> > fdiv_bug : no
> > hlt_bug : no
> > f00f_bug : no
> > coma_bug : no
> > fpu : yes
> > fpu_exception : yes
> > cpuid level : 10
> > wp : yes
> > flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
> > clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pni
> > monitor vmx est tm2 xtpr
> > bogomips : 3660.35
> >
> > processor : 1
> > vendor_id : GenuineIntel
> > cpu family : 6
> > model : 14
> > model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
> > stepping : 8
> > cpu MHz : 1828.831
> > cache size : 2048 KB
> > fdiv_bug : no
> > hlt_bug : no
> > f00f_bug : no
> > coma_bug : no
> > fpu : yes
> > fpu_exception : yes
> > cpuid level : 10
> > wp : yes
> > flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
> > clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc up pni
> > monitor vmx est tm2 xtpr
> > bogomips : 3660.35
> >
> >
> > On 8/8/07, Mats Petersson <mats@planetcatfish.com> wrote:
> >> At 14:32 08/08/2007, Keir Fraser wrote:
> >>> Disassembled the interesting bit by hand:
> >>>
> >>> D700: 66 03 DF add %edi,%ebx
> >>> D703: 66 83 C3 02 add $2,%ebx
> >>> D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
> >>> D70E: 66 49 dec %ecx
> >>> D710: 66 0B C9 or %ecx,%ecx
> >>> D713: 0F 84 17 00 jz 0xd72e
> >>> D717: 26 67 8B 03 mov %es:(%ebx),%ax
> >>> D71B: 26 67 89 07 mov %ax,%es:(%edi)
> >>> D71F: 66 83 C3 02 add $2,%ebx
> >>> D723: 66 81 C7 00 02 00 00 add $0x200,%edi
> >>> D72A: 66 49 dec %ecx
> >>> D72C: EB E2 jmp 0xd710
> >>> D72E: 66 61 popal
> >>> D730: 90 nop
> >>> D731: 1F pop %ds
> >>> D732: 07 pop %es
> >>> D733: C3 ret
> >>
> >>
> >> Any chance that the segment(s) involved are "big-real-mode"?
> >>
> >> --
> >> Mats
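As an added illustration of Mats' point, and of the earlier observation in this thread (quoted in Brady's 15:42 message below) that the emulated "movw %ax, *0xD07FE" landed on vmxassist's own address() routine, here is a small C model of how a real-mode emulator that shares the guest's address space should resolve %es:(%edi) and decide whether a store may be applied. It is not vmxassist code and not from anyone on the list. The %es selector (0xD00) and %edi (0xC33FE) are taken from the register dump posted in the thread; the emulator image range 0xD0000-0xD8000 is a constructed approximation from the %eip and %esp values in the dumps; and the big-real-mode segment (base 0xD000 with a 4GB limit kept from a protected-mode load) is an assumption about how the guest set ES up.

```c
/*
 * Added example, not vmxassist code: resolving %es:(%edi) with the segment
 * limit the guest expects, and refusing stores that would land inside the
 * emulator's own image.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hidden part of a segment register. Base and limit survive clearing
 * CR0.PE, which is what "big real mode" relies on. */
struct seg_cache {
    uint32_t base;
    uint32_t limit;   /* highest valid offset, inclusive */
};

/* Outcome of an emulated 16-bit store. */
enum store_result {
    STORE_OK,        /* write may be applied to guest memory */
    STORE_GP,        /* offset exceeds the segment limit: guest gets #GP */
    STORE_BLOCKED    /* linear address overlaps the emulator's own image */
};

/* Constructed approximation of where the emulator lives in the guest's
 * address space (from %eip 0xD0800/0xD037C and %esp 0xD7xxx in the dumps).
 * A real emulator would take these from its linker symbols. */
#define EMU_IMAGE_START 0xD0000u
#define EMU_IMAGE_END   0xD8000u

/* Plain real mode: selector loaded in real mode, limit is 0xFFFF. */
static struct seg_cache real_mode_seg(uint16_t sel)
{
    struct seg_cache s = { (uint32_t)sel << 4, 0xFFFFu };
    return s;
}

/* Big real mode (assumption for this example): limit widened to 4GB while
 * in protected mode, then the selector reloaded in real mode, so the base
 * is sel << 4 but the 4GB limit is kept. */
static struct seg_cache big_real_seg(uint16_t sel)
{
    struct seg_cache s = { (uint32_t)sel << 4, 0xFFFFFFFFu };
    return s;
}

/* Processor-style address resolution including the limit check. */
static enum store_result resolve(const struct seg_cache *s, uint32_t off,
                                 uint32_t *lin)
{
    if (off > s->limit)
        return STORE_GP;
    *lin = s->base + off;
    return STORE_OK;
}

/* Emulated "mov %ax,%es:(%edi)" (the instruction at D71B in the thread). */
static enum store_result guest_store16(const struct seg_cache *es,
                                       uint32_t edi, uint32_t *lin)
{
    enum store_result r = resolve(es, edi, lin);
    if (r != STORE_OK)
        return r;
    /* A 2-byte write overlapping the emulator image must not be applied:
     * it would silently corrupt the emulator, which is what the write to
     * 0xD07FE did to address() in the thread. */
    if (*lin + 1 >= EMU_IMAGE_START && *lin < EMU_IMAGE_END)
        return STORE_BLOCKED;
    return STORE_OK;
}

/* Naive emulator arithmetic, (selector << 4) + offset with no limit check,
 * for comparison with the addresses printed by vmxassist's TRACE. */
static uint32_t naive_real_addr(uint16_t sel, uint32_t off)
{
    return ((uint32_t)sel << 4) + off;
}

/* Runs the scenario from the dump (%es = 0xD00, %edi = 0xC33FE) and reports
 * whether every outcome is the expected one. */
static bool self_check(void)
{
    struct seg_cache rm = real_mode_seg(0xD00);
    struct seg_cache brm = big_real_seg(0xD00);
    uint32_t lin = 0;
    bool ok = naive_real_addr(0xD00, 0xC33FE) == 0xD03FE;
    ok = ok && guest_store16(&rm, 0xC33FE, &lin) == STORE_GP;
    ok = ok && guest_store16(&brm, 0xC33FE, &lin) == STORE_BLOCKED && lin == 0xD03FE;
    ok = ok && guest_store16(&brm, 0x1000, &lin) == STORE_OK && lin == 0xE000;
    ok = ok && guest_store16(&rm, 0xFFFF, &lin) == STORE_OK && lin == 0x1CFFF;
    return ok;
}

int main(void)
{
    static const char *names[] = { "ok", "#GP", "blocked" };
    struct seg_cache rm = real_mode_seg(0xD00);
    struct seg_cache brm = big_real_seg(0xD00);
    uint32_t lin = 0;
    enum store_result r;

    printf("naive emulator address: 0x%X\n", naive_real_addr(0xD00, 0xC33FE));
    r = guest_store16(&rm, 0xC33FE, &lin);
    printf("plain real mode: %s\n", names[r]);
    r = guest_store16(&brm, 0xC33FE, &lin);
    printf("big real mode: %s (linear 0x%X)\n", names[r], lin);
    printf("self check: %s\n", self_check() ? "passed" : "failed");
    return 0;
}
```

In plain real mode the offset 0xC33FE fails the 0xFFFF limit check and the guest would take the #GP Mats describes. With the 4GB limit kept, the store resolves to 0xD03FE, which is exactly what vmxassist's TRACE printed for this iteration and sits inside the emulator's own image; the check refuses the write instead of letting the guest overwrite address(). An emulator with neither check computes the same 0xD03FE and applies it.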
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-08 20:26 UTC
To: Mats Petersson, Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

On 8/8/07 18:45, "Mats Petersson" <mats@planetcatfish.com> wrote:

> At 17:19 08/08/2007, Keir Fraser wrote:
>> No, it's a processor mode halfway between real mode and protected mode which
>> all x86 processors support, but which vmxassist is really rather bad at
>> handling. If this is a big-real-mode copy loop then that might explain why
>> the loop is executing so bizarrely, and may mean you are out of luck until
>> we retire vmxassist.
>
> And the fact that EDI is 0xC33FE when it tries to write to the memory
> at address of EDI indicates that it's Big-Real-Mode.

Yes, that's a giveaway.

So I think the 'fix' here is to not try booting your native Windows partition on Xen. It's not likely to work too well anyway, as it'll look like all your hardware has changed, causing activation problems and also big driver changes whenever you switch between running on Xen and running natively.

You're better off having a dedicated Xen Windows installation, perhaps on an LVM partition.

The problems that others have been seeing are quite likely not the same root cause as yours. Most times there's an early boot problem it will end up with a trap and backtrace in vmxassist, when running on Intel CPUs.

-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-09 3:05 UTC
To: Keir Fraser, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24

Keir, Mats, Archie, and all others
Thank you guys all.

I just read this thread: http://lists.xensource.com/archives/html/xen-devel/2006-05/msg01442.html

seems Randy Thelen tried to fix this issue one year ago, unfortunately that patch doesn't work for me.

Finally I think we have the conclusion that I have to give it up on my T60 Laptop now.
But I'd like to try in this way:
install windows in xen hvm guest, and then try to boot it in native environment. Hope it works.

BTW, Keir, Mats, Any plan/schedule to support a full functional real mode simulator? Or do you know anyone who is working on this? thanks

On 8/9/07, Keir Fraser <keir@xensource.com> wrote:
> On 8/8/07 18:45, "Mats Petersson" <mats@planetcatfish.com> wrote:
>
> > At 17:19 08/08/2007, Keir Fraser wrote:
> >> No, it's a processor mode halfway between real mode and protected mode which
> >> all x86 processors support, but which vmxassist is really rather bad at
> >> handling. If this is a big-real-mode copy loop then that might explain why
> >> the loop is executing so bizarrely, and may mean you are out of luck until
> >> we retire vmxassist.
> >
> > And the fact that EDI is 0xC33FE when it tries to write to the memory
> > at address of EDI indicates that it's Big-Real-Mode.
>
> Yes, that's a giveaway.
>
> So I think the 'fix' here is to not try booting your native Windows
> partition on Xen. It's not likely to work too well anyway, as it'll look
> like all your hardware has changed, causing activation problems and also big
> driver changes whenever you switch between running on Xen and running
> natively.
>
> You're better off having a dedicated Xen Windows installation, perhaps on an
> LVM partition.
>
> The problems that others have been seeing are quite likely not the same root
> cause as yours. Most times there's an early boot problem it will end up with
> a trap and backtrace in vmxassist, when running on Intel CPUs.
>
> -- Keir
>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-09 4:01 UTC
To: Keir Fraser, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24

another question:
The same windows installation CD could be used in xen guest. So why does the windows bootloader use Big-Real-Mode for the native installation, but not use the mode for Xen-HVM guest installation?

Thanks,

On 8/9/07, Brady Chen <chenchp@gmail.com> wrote:
> Keir, Mats, Archie, and all others
> Thank you guys all.
>
> I just read this
> thread: http://lists.xensource.com/archives/html/xen-devel/2006-05/msg01442.html
>
> seems Randy Thelen tried to fix this issue one year ago, unfortunately
> that patch doesn't work for me.
>
> Finally I think we have the conclusion that I have to give it up on my
> T60 Laptop now.
> But I'd like to try in this way:
> install windows in xen hvm guest, and then try to boot it in native
> environment. Hope it works.
>
> BTW, Keir, Mats, Any plan/schedule to support a full functional real
> mode simulator? Or do you know anyone who is working on this? thanks
>
>
>
> On 8/9/07, Keir Fraser <keir@xensource.com> wrote:
> > On 8/8/07 18:45, "Mats Petersson" <mats@planetcatfish.com> wrote:
> >
> > > At 17:19 08/08/2007, Keir Fraser wrote:
> > >> No, it's a processor mode halfway between real mode and protected mode which
> > >> all x86 processors support, but which vmxassist is really rather bad at
> > >> handling. If this is a big-real-mode copy loop then that might explain why
> > >> the loop is executing so bizarrely, and may mean you are out of luck until
> > >> we retire vmxassist.
> > >
> > > And the fact that EDI is 0xC33FE when it tries to write to the memory
> > > at address of EDI indicates that it's Big-Real-Mode.
> >
> > Yes, that's a giveaway.
> >
> > So I think the 'fix' here is to not try booting your native Windows
> > partition on Xen. It's not likely to work too well anyway, as it'll look
> > like all your hardware has changed, causing activation problems and also big
> > driver changes whenever you switch between running on Xen and running
> > natively.
> >
> > You're better off having a dedicated Xen Windows installation, perhaps on an
> > LVM partition.
> >
> > The problems that others have been seeing are quite likely not the same root
> > cause as yours. Most times there's an early boot problem it will end up with
> > a trap and backtrace in vmxassist, when running on Intel CPUs.
> >
> > -- Keir
> >
> >
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-09 7:10 UTC
To: Brady Chen, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24

On 9/8/07 05:01, "Brady Chen" <chenchp@gmail.com> wrote:

> another question:
> The same windows installation CD could be used in xen guest. So why
> windows bootloader use Big-Real-Mode for the native installation, but
> not use the mode for Xen-HVM guest installation?

Is this a retail Windows install CD, or an OEM CD supplied with your laptop?

-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-09 10:35 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, Mats Petersson, AL.LINUX

> Is this a retail Windows install CD, or an OEM CD supplied with your laptop?

it's an OEM CD

Thanks
-Brady
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Keir Fraser @ 2007-08-09 7:13 UTC
To: Brady Chen, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24

On 9/8/07 04:05, "Brady Chen" <chenchp@gmail.com> wrote:

> Finally I think we have the conclusion that I have to give it up on my
> T60 Laptop now.
> But I'd like to try in this way:
> install windows in xen hvm guest, and then try to boot it in native
> environment. Hope it works.

Neither way round is going to work very well. The platform hardware will look (to Windows) to be entirely different in the two cases. Thus it will most likely require you to re-activate your license. Also it'll have the wrong drivers installed and hence you'll have a bunch of driver re-installation every time you switch between native and Xen.

> BTW, Keir, Mats, Any plan/schedule to support a full functional real
> mode simulator? Or do you know anyone are working on this? thanks

There's a plan, but not much of a schedule. Some of the cleanup work I've been doing in xen-unstable just now will help. I'd like to think we'll have it done by Xen 3.3; Xen 3.2 is probably too close at this point.

-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-09 10:40 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, Mats Petersson, AL.LINUX

> Neither way round is going to work very well. The platform hardware will
> look (to Windows) to be entirely different in the two cases. Thus it will
> most likely require you to re-activate your license. Also it'll have the
> wrong drivers installed and hence you'll have a bunch of driver
> re-installation every time you switch between native and Xen.

re-activate maybe the issue. For the hardware drivers, z24 said that he got it working by selecting the hardware profile of windows. here is the thread:
http://lists.xensource.com/archives/html/xen-users/2007-02/msg00822.html
I'd like to have a try.

> There's a plan, but not much of a schedule. Some of the cleanup work I've
> been doing in xen-unstable just now will help. I'd like to think we'll have
> it done by Xen 3.3; Xen 3.2 is probably too close at this point.

thank you very much, is there any time table (a document or a link) about the release? I'm new to xen, and don't know the frequency of release.

-Brady
* Re: Re: [Xen-users] boot a existing windows in hvm domain
From: Brady Chen @ 2007-08-08 15:42 UTC
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX

Hi, Keir,
thanks for your patience.
I dumped the registers when eip is D71F, seems it's a large buffer copy.

(XEN) HVM8: eax 7E80 ecx 2D1E edx 0 ebx 4048
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C31FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33206
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD03FE
(XEN) HVM8: eax 64FF ecx 2D1D edx 0 ebx 404A
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C33FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33206
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD05FE
(XEN) HVM8: eax A75 ecx 2D1C edx 0 ebx 404C
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C35FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33202
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
(XEN) HVM8: 0x000F9BF7: 0xF000:0x9BF7 (0) opc 0xC3
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM8: Trap (0x6) while in real mode
(XEN) HVM8: eax D00 ecx D7B54 edx 71F ebx D7B54
(XEN) HVM8: esp D7A94 ebp D7AE0 esi D7A70 edi D00
(XEN) HVM8: trapno 6 errno 0
(XEN) HVM8: eip D0800 cs 10 eflags 13046
(XEN) HVM8: uesp D7B54 uss 2
(XEN) HVM8: ves D5178 vds D5246 vfs D07FE vgs D7AF4
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: Halt called from %eip 0xD037C

On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Disassembled the interesting bit by hand:
>
> D700: 66 03 DF add %edi,%ebx
> D703: 66 83 C3 02 add $2,%ebx
> D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
> D70E: 66 49 dec %ecx
> D710: 66 0B C9 or %ecx,%ecx
> D713: 0F 84 17 00 jz 0xd72e
> D717: 26 67 8B 03 mov %es:(%ebx),%ax
> D71B: 26 67 89 07 mov %ax,%es:(%edi)
> D71F: 66 83 C3 02 add $2,%ebx
> D723: 66 81 C7 00 02 00 00 add $0x200,%edi
> D72A: 66 49 dec %ecx
> D72C: EB E2 jmp 0xd710
> D72E: 66 61 popal
> D730: 90 nop
> D731: 1F pop %ds
> D732: 07 pop %es
> D733: C3 ret
>
> It's a fairly odd copy loop! It'd be nice to get a register dump when
> emulating this so that we can see e.g., what memory range is supposed to be
> affected.
>
> -- Keir
>
>
> On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > here the memory dump from D680 ~ D780, how to analyze it? any tools?
> > thanks
> >
> > (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> > (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> > (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> > (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> > (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> > (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> > (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> > (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> > (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> > (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> > (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> > (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> > (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> > (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> > (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> > (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> > (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
> >
> >
> > On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >> Well, some bytes are already screwed at that point, so I'd try to do it
> >> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> >> But yes, dumping by printf() is fine. Put address at start of line, and then
> >> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
> >>
> >> -- Keir
> >>
> >> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> Thanks,
> >>> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> >>> just printf in trap() of vmxassist?
> >>>
> >>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>> You could give that a try, but really it shouldn't be going at
> >>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
> >>>>
> >>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> >>>> around 0xd680-0xd780? Then we could try and work out what the guest is
> >>>> trying to execute, and see whether emulation is going wrong. A register
> >>>> dump from the guest (dump_regs()) at the start of every call to opcode() might
> >>>> also be useful.
> >>>>
> >>>> -- Keir
> >>>>
> >>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>
> >>>>> Hi Keir,
> >>>>> I think the 7th issue I mentioned is the root cause,
> >>>>> so I have a question.
> >>>>> For real mode simulation, the simulator is running in the same space
> >>>>> with the codes to-be-simulated? then how to protect simulator from
> >>>>> being modified by to-be-simulated code?
> >>>>>
> >>>>> can I change the address of vmxassist to a higher address? just try to
> >>>>> give more space to the to-be-simulated windows.
> >>>>>
> >>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>> it's possible.
> >>>>>> any ideas to trace the function stack of xen guest? like "bt" command in
> >>>>>> gdb.
> >>>>>>
> >>>>>> I did some analysis:
> >>>>>> 1. the call flow is opcode()->fetch8()->address()
> >>>>>> 2. only the printf in address() will change the behaviour of crash.
> >>>>>> 3. and the crash EIP (0xD0800) is in the address() from the objdump.
> >>>>>> 4. the address() will be invoked more than 40,000 times in one
> >>>>>> simulation, before the crash.
> >>>>>> 5. seems there are no recursive invoking in opcode(), fetch8(), address()
> >>>>>> 6. from the output of "xen dmesg", before the crash, an instruction
> >>>>>> sequence is simulated several times (you could check the previous
> >>>>>> mails i send for "xen dmesg" output)
> >>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >>>>>> and the "*0xD07FE" is just the address of address(), (you could get
> >>>>>> the objdump output from previous mails too), so i think it's the
> >>>>>> simulation which crash the memory of address().
> >>>>>>
> >>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> Stack corruption/overflow, possibly?
> >>>>>>>
> >>>>>>> K.
> >>>>>>>
> >>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Yes, the printfs are the only changes. once I remove these prints, the
> >>>>>>>> trap comes back, with the same EIP (D0800)
> >>>>>>>>
> >>>>>>>> I tried to keep the first two printfs, the trap comes with different
> >>>>>>>> EIP(D19FD)
> >>>>>>>> static unsigned
> >>>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>>>>>> {
> >>>>>>>>         uint64_t gdt_phys_base;
> >>>>>>>>         unsigned long long entry;
> >>>>>>>>         unsigned seg_base, seg_limit;
> >>>>>>>>         unsigned entry_low, entry_high;
> >>>>>>>>
> >>>>>>>>         printf("f 1\n");
> >>>>>>>>         if (seg == 0) {
> >>>>>>>>                 if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>>>>>>                         return off;
> >>>>>>>>                 else
> >>>>>>>>                         panic("segment is zero, but not in real mode!\n");
> >>>>>>>>         }
> >>>>>>>>
> >>>>>>>>         printf("f 2\n");
> >>>>>>>>
> >>>>>>>> xen dmesg output:
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 2
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>>>>>> (XEN) HVM3: trapno 6 errno 0
> >>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>>>>>> (XEN) HVM3: uesp CFAE uss 0
> >>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> >>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>> (XEN) HVM3:
> >>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> and the objdump shows that:
> >>>>>>>> 000d1970 <interrupt>:
> >>>>>>>> d1970: 55 push %ebp
> >>>>>>>> d1971: 89 e5 mov %esp,%ebp
> >>>>>>>> d1973: 57 push %edi
> >>>>>>>> d1974: 89 d7 mov %edx,%edi
> >>>>>>>> d1976: 56 push %esi
> >>>>>>>> ....
> >>>>>>>> d19f8: 66 89 30 mov %si,(%eax)
> >>>>>>>> d19fb: 31 d2 xor %edx,%edx
> >>>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> >>>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> >>>>>>>> d1a0b: 89 d8 mov %ebx,%eax
> >>>>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>> Very weird. The emulations now aren't at the same address as before
> >>>>>>>>> either (0xd4c3 rather than 0xd71b). Is the *only* difference that you added
> >>>>>>>>> these printf()s -- is it at all possible that the guest is executing down a
> >>>>>>>>> different path here for other reasons? If it's really down to the
> >>>>>>>>> printf()s then I guess you'll have to shuffle/remove printf()s to get the old
> >>>>>>>>> behaviour back.
> >>>>>>>>>
> >>>>>>>>> -- Keir
> >>>>>>>>>
> >>>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> it's strange:
> >>>>>>>>>> if i add these prints, i get "Unknown opcode", not "trap".
> >>>>>>>>>> ===added printf
> >>>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>>>>>> static struct regs saved_rm_regs; > >>>>>>>>>> > >>>>>>>>>> #ifdef DEBUG > >>>>>>>>>> -int traceset = 0; > >>>>>>>>>> +int traceset = ~0; > >>>>>>>>>> > >>>>>>>>>> char *states[] = { > >>>>>>>>>> "<VM86_REAL>", > >>>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg, > >>>>>>>>>> unsigned seg_base, seg_limit; > >>>>>>>>>> unsigned entry_low, entry_high; > >>>>>>>>>> > >>>>>>>>>> + printf("f 1\n"); > >>>>>>>>>> if (seg == 0) { > >>>>>>>>>> if (mode == VM86_REAL || mode == > >>>>>>>>>> VM86_REAL_TO_PROTECTED) > >>>>>>>>>> return off; > >>>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg, > >>>>>>>>>> panic("segment is zero, but not in real > >>>>>>>>>> mode!\n"); > >>>>>>>>>> } > >>>>>>>>>> > >>>>>>>>>> + printf("f 2\n"); > >>>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit || > >>>>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg)) > >>>>>>>>>> return ((seg & 0xFFFF) << 4) + off; > >>>>>>>>>> > >>>>>>>>>> + printf("f 3\n"); > >>>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base); > >>>>>>>>>> + printf("f 4\n"); > >>>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) { > >>>>>>>>>> + printf("f 5\n"); > >>>>>>>>>> printf("gdt base address above 4G\n"); > >>>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), > >>>>>>>>>> &entry); > >>>>>>>>>> } else > 
>>>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg, > >>>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & > >>>>>>>>>> 0xFFFFFF); > >>>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF); > >>>>>>>>>> > >>>>>>>>>> + printf("f 6\n"); > >>>>>>>>>> if (entry_high & 0x8000 && > >>>>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) || > >>>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit))) > >>>>>>>>>> return seg_base + off; > >>>>>>>>>> + printf("f 7\n"); > >>>>>>>>>> > >>>>>>>>>> panic("should never reach here in function address():\n\t" > >>>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, > >>>>>>>>>> offset=0x%08x\n", > >>>>>>>>>> entry_high, entry_low, mode, seg, off); > >>>>>>>>>> + printf("f 8\n"); > >>>>>>>>>> > >>>>>>>>>> return 0; > >>>>>>>>>> } > 
>>>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs) > >>>>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip)); > >>>>>>>>>> > >>>>>>>>>> regs->eip++; > >>>>>>>>>> + printf("f 9\n"); > >>>>>>>>>> return read8(addr); > >>>>>>>>>> } > >>>>>>>>>> > >>>>>>>>>> ===output when add many printf > >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1 > >>>>>>>>>> (XEN) HVM12: f 2 > >>>>>>>>>> (XEN) HVM12: f 9 > >>>>>>>>>> (XEN) HVM12: f 1 > >>>>>>>>>> (XEN) HVM12: f 2 > >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1 > >>>>>>>>>> (XEN) HVM12: f 2 > >>>>>>>>>> (XEN) HVM12: f 9 > >>>>>>>>>> (XEN) HVM12: f 1 > >>>>>>>>>> (XEN) HVM12: f 2 > >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1 > >>>>>>>>>> (XEN) HVM12: f 2 > >>>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3 > >>>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A > >>>>>>>>>> > >>>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote: > >>>>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this > >>>>>>>>>>> print > >>>>>>>>>>> info. > >>>>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in > >>>>>>>>>>> address(). 
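Review bot: in the address() hunks, the `printf("f 8\n")` placed after the `panic("should never reach here ...")` call is unreachable if panic() does not return, which the message right above it implies, so it adds nothing; more importantly, `printf("f 1\n")` at the top of address() fires on every fetch8() and operand resolution (tens of thousands of calls per run, as the later analysis in this thread notes), which both floods the log and perturbs the emulator's stack and timing enough to move the failure, as the trap EIP changing from D0800 to D19FD and the "Unknown opcode at 0D00:04C3" outcome show. A lighter probe that only prints when the resolved address or regs->eip falls inside vmxassist's own image, or a single dump_regs(regs) before fetch8(), gives the same information without changing the behaviour being debugged.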
> >>>>>>>>>>> > >>>>>>>>>>> (XEN) HVM7: after write16 of movw > >>>>>>>>>>> (XEN) HVM7: top of opcode > >>>>>>>>>>> (XEN) HVM7: Before fetch8 > >>>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx > >>>>>>>>>>> 404E > >>>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi > >>>>>>>>>>> C37FE > >>>>>>>>>>> (XEN) HVM7: trapno D errno 0 > >>>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206 > >>>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0 > >>>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs > >>>>>>>>>>> 0 > >>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>>>> 651 > >>>>>>>>>>> (XEN) HVM7: > >>>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode > >>>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx > >>>>>>>>>>> 89 > >>>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi > >>>>>>>>>>> D00 > >>>>>>>>>>> (XEN) HVM7: trapno 6 errno 0 > >>>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046 > >>>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4 > >>>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs > >>>>>>>>>>> D7644 > >>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>>>> 651 > >>>>>>>>>>> (XEN) HVM7: > >>>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF > >>>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B > >>>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>>>>>> How about trying: > >>>>>>>>>>>> printf("Before fetch8\n"); > >>>>>>>>>>>> dump_regs(regs); > >>>>>>>>>>>> opc = fetch8(regs); > >>>>>>>>>>>> printf("After fetch8\n"); > >>>>>>>>>>>> switch (opc) { ... > >>>>>>>>>>>> > >>>>>>>>>>>> This will let you see what eip is being fetched from, and also > >>>>>>>>>>>> confirm > >>>>>>>>>>>> that > >>>>>>>>>>>> the crash happens within fetch8(). 
> >>>>>>>>>>>> > >>>>>>>>>>>> You could also try adding more printf()s inside fetch8() and > >>>>>>>>>>>> address() > >>>>>>>>>>>> to > >>>>>>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed > >>>>>>>>>>>> the > >>>>>>>>>>>> function that is crashing). > >>>>>>>>>>>> > >>>>>>>>>>>> -- Keir > >>>>>>>>>>>> > >>>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> Hi, Keir, > >>>>>>>>>>>> I made the change as you said: > >>>>>>>>>>>> change diff is: > >>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c > >>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c > >>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 > >>>>>>>>>>>> +0100 > >>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 > >>>>>>>>>>>> +0800 > >>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs; > >>>>>>>>>>>> static struct regs saved_rm_regs; > >>>>>>>>>>>> > >>>>>>>>>>>> #ifdef DEBUG > >>>>>>>>>>>> -int traceset = 0; > >>>>>>>>>>>> +int traceset = ~0; > >>>>>>>>>>>> > >>>>>>>>>>>> char *states[] = { > >>>>>>>>>>>> "<VM86_REAL>", > >>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix, > >>>>>>>>>>>> TRACE((regs, regs->eip - eip, > >>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r], > >>>>>>>>>>>> addr)); > >>>>>>>>>>>> write16(addr, MASK16(val)); > >>>>>>>>>>>> + printf("after write16 of movw\n"); > >>>>>>>>>>>> } > >>>>>>>>>>>> return 1; > >>>>>>>>>>>> > >>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs) > >>>>>>>>>>>> unsigned eip = regs->eip; > >>>>>>>>>>>> unsigned opc, modrm, disp; > >>>>>>>>>>>> unsigned prefix = 0; > >>>>>>>>>>>> + printf("top of opcode\n"); > >>>>>>>>>>>> > >>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL && > >>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) { > >>>>>>>>>>>> 
@@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs > >>>>>>>>>>>> if (trapno == 14) > >>>>>>>>>>>> printf("Page fault address 0x%x\n", > >>>>>>>>>>>> get_cr2()); > >>>>>>>>>>>> dump_regs(regs); > >>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned > >>>>>>>>>>>> short*)0xd0800)); > >>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned > >>>>>>>>>>>> short*)0xd0804)); > >>>>>>>>>>>> halt(); > >>>>>>>>>>>> } > >>>>>>>>>>>> } > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> here is the output: > >>>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32 > >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83 > >>>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es: > >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32 > >>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE > >>>>>>>>>>>> (XEN) HVM6: after write16 of movw > >>>>>>>>>>>> (XEN) HVM6: top of opcode > >>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode > >>>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx > >>>>>>>>>>>> 71E > >>>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi > >>>>>>>>>>>> D00 > >>>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0 > >>>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046 > >>>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2 > >>>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs > >>>>>>>>>>>> D75B4 > >>>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 > >>>>>>>>>>>> 651 > >>>>>>>>>>>> (XEN) HVM6: > >>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF > >>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B > >>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C > >>>>>>>>>>>> > >>>>>>>>>>>> objdump: > >>>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23> > >>>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx > >>>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax > >>>>>>>>>>>> d07f9: 8b 5d f4 mov > >>>>>>>>>>>> 0xfffffff4(%ebp),%ebx > >>>>>>>>>>>> d07fc: 8b 75 f8 mov > 
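Review bot: the trap() hunk reads two 16-bit words at 0xd0800 and 0xd0804 where 16 bytes were asked for, so d0801-d0803 and everything past d0805 go unchecked, and a 16-bit read printed with %x shows the bytes in swapped order relative to the objdump listing. A loop over 16 `unsigned char` printed with %02x gives a dump that can be compared byte for byte. The two words that were printed (0xFFFF, 0x7D8B) do agree with the listing (ff ff at d0800 from the `and $0xffff,%eax` at d07ff; 8b 7d at d0804), and that agreement is the only basis for the "memory is correct" conclusion.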
>>>>>>>>>>>> 0xfffffff8(%ebp),%esi > >>>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax > >>>>>>>>>>>> d0804: 8b 7d fc mov > >>>>>>>>>>>> 0xfffffffc(%ebp),%edi > >>>>>>>>>>>> d0807: 89 ec mov %ebp,%esp > >>>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax > >>>>>>>>>>>> d080c: 01 d0 add %edx,%eax > >>>>>>>>>>>> d080e: 5d pop %ebp > >>>>>>>>>>>> > >>>>>>>>>>>> seems the memory is correct, it's crashed in opcode() > >>>>>>>>>>>> and i think it's fetch8(regs) which crash the system. I tried > >>>>>>>>>>>> fetch8(regs) in trap(), but it cause more traps, and let the hvm > >>>>>>>>>>>> guest > >>>>>>>>>>>> be reset. > >>>>>>>>>>>> > >>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote: > >>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> What would be useful is to try to add tracing to see how far > >>>>>>>>>>>> vmxassist > >>>>>>>>>>>> gets > >>>>>>>>>>>> after its last line of tracing before the trap occurs. That last > >>>>>>>>>>>> line > >>>>>>>>>>>> is > >>>>>>>>>>>> currently from vm86.c, line 620. You might try adding extra > >>>>>>>>>>>> printf() > >>>>>>>>>>>> statements imemdiately after the write16() on line 622, and also at > >>>>>>>>>>>> the > >>>>>>>>>>>> top > >>>>>>>>>>>> of the opcode() function. We need to find out at what point > >>>>>>>>>>>> vmxassist > >>>>>>>>>>>> is > >>>>>>>>>>>> jumping to this bogus address d0800. > >>>>>>>>>>>> > >>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in > >>>>>>>>>>>> memory. > >>>>>>>>>>>> This > >>>>>>>>>>>> is particularly likely because, according to the objdump, the > >>>>>>>>>>>> 'instruction' > >>>>>>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some > >>>>>>>>>>>> sort). > >>>>>>>>>>>> > >>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at > >>>>>>>>>>>> 0xd0800 > >>>>>>>>>>>> and printf() them. 
So we can see if they match what objdump says > >>>>>>>>>>>> should > >>>>>>>>>>>> be > >>>>>>>>>>>> there. > >>>>>>>>>>>> > >>>>>>>>>>>> -- Keir > >>>>>>>>>>>> > >>>>>>>>>>>> _______________________________________________ > >>>>>>>>>>>> Xen-devel mailing list > >>>>>>>>>>>> Xen-devel@lists.xensource.com > >>>>>>>>>>>> http://lists.xensource.com/xen-devel
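Added example, not taken from the thread or from the vmxassist tree: the segment translation that the quoted address() hunk performs, written out as stand-alone C so both paths can be exercised against constructed descriptors. The real-mode path is the (seg & 0xFFFF) << 4 + off sequence visible in the objdump tail; the protected-mode path decodes the descriptor with the same masks the hunk uses (base from entry bits 16..39 and high bits 24..31, limit from the low word and high bits 16..19, P at 0x8000, G at 0x800000). `make_descriptor`, `demo_translate`, `DEMO_REJECT`, the four-entry table and the selector range check against gdtr_limit are this example's own assumptions; the panic() path is modelled as a rejected lookup so the caller sees which check failed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor bits in the high dword (architectural x86 GDT layout). */
#define DESC_PRESENT    0x8000u     /* P: segment present */
#define DESC_PAGE_GRAN  0x800000u   /* G: limit is in 4 KiB units */
#define DESC_CODE_RX    0x1A00u     /* S=1, type=1010b: code, readable */
#define DEMO_REJECT     0xFFFFFFFFu /* example's own "would panic" marker */

/* Real mode: linear = (seg & 0xFFFF) << 4 + off, the sequence the objdump
 * tail shows (and $0xffff,%eax; shl $0x4,%eax; add %edx,%eax). */
uint32_t real_mode_address(uint32_t seg, uint32_t off)
{
    return ((seg & 0xFFFFu) << 4) + off;
}

/* Hypothetical helper: build an 8-byte descriptor for a constructed table. */
uint64_t make_descriptor(uint32_t base, uint32_t limit, bool page_gran, bool present)
{
    uint32_t low  = (limit & 0xFFFFu) | ((base & 0xFFFFu) << 16);
    uint32_t high = ((base >> 16) & 0xFFu)
                  | DESC_CODE_RX
                  | (present ? DESC_PRESENT : 0)
                  | (limit & 0xF0000u)
                  | (page_gran ? DESC_PAGE_GRAN : 0)
                  | (base & 0xFF000000u);
    return ((uint64_t)high << 32) | low;
}

/* Protected mode: decode gdt[seg >> 3] with the hunk's masks and apply the
 * present and limit checks. Returns false where address() would panic. */
bool protected_mode_address(const uint64_t *gdt, uint32_t gdtr_limit,
                            uint32_t seg, uint32_t off, uint32_t *linear)
{
    if ((seg | 7u) > gdtr_limit)            /* whole descriptor must lie in the table */
        return false;

    uint64_t entry      = gdt[seg >> 3];
    uint32_t entry_high = (uint32_t)(entry >> 32);
    uint32_t entry_low  = (uint32_t)entry;

    /* base[23:0] is entry bits 16..39, base[31:24] is high bits 24..31 */
    uint32_t seg_base  = (entry_high & 0xFF000000u) | (uint32_t)((entry >> 16) & 0xFFFFFFu);
    /* limit[19:16] is high bits 16..19, limit[15:0] is the low word */
    uint32_t seg_limit = (entry_high & 0xF0000u) | (entry_low & 0xFFFFu);

    if (!(entry_high & DESC_PRESENT))
        return false;                       /* not-present segment */

    bool in_limit = (entry_high & DESC_PAGE_GRAN)
                  ? (off >> 12) <= seg_limit  /* limit counts 4 KiB pages */
                  : off <= seg_limit;         /* byte granularity */
    if (!in_limit)
        return false;                       /* offset beyond the segment */

    *linear = seg_base + off;
    return true;
}

/* Constructed four-entry GDT (not a guest's table): null, a 4K-granular
 * code segment at 0x08, a byte-granular 64 KiB segment at 0x10, and a
 * not-present segment at 0x18. Returns the linear address or DEMO_REJECT. */
uint32_t demo_translate(uint32_t seg, uint32_t off)
{
    uint64_t gdt[4] = {
        0,
        make_descriptor(0x00400000u, 0xFFFFFu, true,  true),
        make_descriptor(0x00100000u, 0x0FFFFu, false, true),
        make_descriptor(0x00200000u, 0xFFFFFu, true,  false),
    };
    uint32_t lin;
    return protected_mode_address(gdt, sizeof gdt - 1, seg, off, &lin) ? lin : DEMO_REJECT;
}

int main(void)
{
    /* The logged real-mode state cs 0xD00, eip 0x71F: the TRACE line shows 0xD71F. */
    printf("real mode 0xD00:0x071F -> 0x%X\n", real_mode_address(0xD00, 0x71F));
    printf("0x08:0x1234  -> 0x%08X\n", demo_translate(0x08, 0x1234));
    printf("0x10:0x10000 -> 0x%08X (rejected: past byte-granular limit)\n",
           demo_translate(0x10, 0x10000));
    printf("0x18:0x0     -> 0x%08X (rejected: not present)\n", demo_translate(0x18, 0));
    return 0;
}
```

The selector range check is stricter than a plain `seg > gdtr_limit` comparison, since it requires the whole 8-byte descriptor to lie inside the table; that is a design choice of this example rather than a claim about what vmxassist does.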
Thread overview: 37+ messages
[not found] <8fec1fce0707300537g5a1f9e2dgdb4cc27add99d218@mail.gmail.com>
[not found] ` <f8sbfr.2so.1@z24.net.invalid.my>
[not found] ` <8fec1fce0708020247k242c53f9ne3eab45cc85aaad1@mail.gmail.com>
[not found] ` <f8srjg.1no.1@z24.net.invalid.my>
[not found] ` <8fec1fce0708020811q73017eb7g85f8fd353a3a20dc@mail.gmail.com>
[not found] ` <8fec1fce0708061955xb5018b4tf1e51863154e0f1a@mail.gmail.com>
2007-08-07 5:48 ` [Xen-users] boot a existing windows in hvm domain Brady Chen
2007-08-07 5:59 ` Keir Fraser
2007-08-07 6:06 ` Brady Chen
2007-08-07 6:32 ` Keir Fraser
2007-08-07 7:58 ` Brady Chen
2007-08-07 8:02 ` Keir Fraser
2007-08-07 8:22 ` Brady Chen
2007-08-07 8:47 ` Keir Fraser
2007-08-07 9:06 ` Brady Chen
2007-08-07 9:29 ` Keir Fraser
2007-08-07 9:35 ` Keir Fraser
2007-08-07 10:30 ` Brady Chen
2007-08-07 10:37 ` Keir Fraser
2007-08-07 11:03 ` Brady Chen
2007-08-07 11:35 ` Brady Chen
2007-08-07 11:50 ` Keir Fraser
2007-08-07 16:06 ` Brady Chen
2007-08-07 16:26 ` Keir Fraser
2007-08-08 7:37 ` Brady Chen
2007-08-08 8:25 ` Brady Chen
2007-08-08 8:41 ` Keir Fraser
2007-08-08 9:38 ` Brady Chen
2007-08-08 10:26 ` Keir Fraser
2007-08-08 12:12 ` Brady Chen
2007-08-08 13:32 ` Keir Fraser
2007-08-08 14:52 ` Mats Petersson
2007-08-08 15:50 ` Brady Chen
2007-08-08 16:19 ` Keir Fraser
2007-08-08 17:45 ` Mats Petersson
2007-08-08 20:26 ` Keir Fraser
2007-08-09 3:05 ` Brady Chen
2007-08-09 4:01 ` Brady Chen
2007-08-09 7:10 ` Keir Fraser
2007-08-09 10:35 ` Brady Chen
2007-08-09 7:13 ` Keir Fraser
2007-08-09 10:40 ` Brady Chen
2007-08-08 15:42 ` Brady Chen