* Re: [Xen-users] boot a existing windows in hvm domain
[not found] ` <8fec1fce0708061955xb5018b4tf1e51863154e0f1a@mail.gmail.com>
@ 2007-08-07 5:48 ` Brady Chen
2007-08-07 5:59 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 5:48 UTC (permalink / raw)
To: Z24, AL.LINUX, tygrawy; +Cc: xen-devel
cc to xen-devel,
Hi all,
Has anyone seen this kind of error before?
It's a Trap 6 error when starting Windows. Does it mean that some
opcodes in real mode are not simulated? How can I get the
instruction which is not simulated?
I tried fetch8(regs) in function trap of
xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it causes more
traps, and the HVM is reset immediately.
Thank you in advance.
On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> Hi Z24, AL,
> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>
> I tried in ThinkPad T60,
> /dev/sda1 -- windows
> /dev/sda2 -- Linux + Xen 3.1.0
>
> in xen guest, the whole sda is mapped to virtual hda.
> disk = [ 'phy:/dev/sda, hda, w' ]
>
> I could see the grub menu in xen guest, and could boot in to the linux
> (you know, it's re-enter into the linux), but when I select windows
> from grub menu, it will hang after print "chainloader +1"
> the xen dmesg shows:
> (XEN) HVM1: Trap (0x6) while in real mode
> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> (XEN) HVM1: trapno 6 errno 0
> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> (XEN) HVM1: uesp D7474 uss 2
> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM1:
> (XEN) HVM1: Halt called from %eip 0xD037
>
> tygrawy:
> I found you have the same issue months ago, have you find out the
> reason? Thank you very much.
>
> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>
> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> > On 8/2/07, Z24 <z24@gmx.net> wrote:
> > > On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> > >
> > > >thank you all,
> > > >looks like it's possible. it's great!
> > > >
> > > >Z24,
> > > >do you get the hardware issue Archie said, that's my concern too.
> > > >you know, windows may be bluescreen if the hardware changes.
> > >
> > > Before booting the Windows domU I copied the current Windows HW
> > > Profile to a new HW Profile, then when I boot the domU I choose the
> > > new HW profile.
> > > The first time I booted the domU, Windows took some minutes more than
> > > usual to load, I suppose it was setting automatically the hardware
> > > drivers; the next time it booted only a little slower than when I boot
> > > it natively (due to virtualization).
> > >
> > thanks, I will have a try.
> >
> > > >and for your case, i think you could install another grub in the windows disk
> > >
> > > What do you mean?
> > > Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> > > Windows disk) and grub-install on /dev/hda without mapping?
> > yup, install grub on /dev/hda, it will not be used when you not using
> > xen (i mean when you reboot your PC, and choose windows from the grub
> > menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> > could be used to load the windows. Don't know if it really works,
> > don't have a try now.
> > >
> > > --
> > > Z24
> > > http://www.mycomputingart.com/
> > >
> >
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 5:48 ` [Xen-users] boot a existing windows in hvm domain Brady Chen
@ 2007-08-07 5:59 ` Keir Fraser
2007-08-07 6:06 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 5:59 UTC (permalink / raw)
To: Brady Chen, Z24, AL.LINUX, tygrawy; +Cc: xen-devel
Could be something to do with virtual hard disk geometry. Are you running
latest xen-unstable? Was your OS installed with latest xen-unstable, or an
older version?
-- Keir
On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
> cc to xen-devel,
>
> Hi all,
> someone saw this kind of error before?
> it's a Trap 6 error when start the windows. Does it mean that some
> opcodes in real mode are not be simulated? How can I get the
> instruction which is not be simulated?
>
> I tried to fetch8(regs) in function trap of
> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it cause more
> traps, and the hvm is reset immediately.
>
> thank you in advance
>
> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>> Hi Z24, AL,
>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>>
>> I tried in ThinkPad T60,
>> /dev/sda1 -- windows
>> /dev/sda2 -- Linux + Xen 3.1.0
>>
>> in xen guest, the whole sda is mapped to virtual hda.
>> disk = [ 'phy:/dev/sda, hda, w' ]
>>
>> I could see the grub menu in xen guest, and could boot in to the linux
>> (you know, it's re-enter into the linux), but when I select windows
>> from grub menu, it will hang after print "chainloader +1"
>> the xen dmesg shows:
>> (XEN) HVM1: Trap (0x6) while in real mode
>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
>> (XEN) HVM1: trapno 6 errno 0
>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
>> (XEN) HVM1: uesp D7474 uss 2
>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
>> (XEN) HVM1:
>> (XEN) HVM1: Halt called from %eip 0xD037
>>
>> tygrawy:
>> I found you have the same issue months ago, have you find out the
>> reason? Thank you very much.
>>
>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>>
>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
>>>>
>>>>> thank you all,
>>>>> looks like it's possible. it's great!
>>>>>
>>>>> Z24,
>>>>> do you get the hardware issue Archie said, that's my concern too.
>>>>> you know, windows may be bluescreen if the hardware changes.
>>>>
>>>> Before booting the Windows domU I copied the current Windows HW
>>>> Profile to a new HW Profile, then when I boot the domU I choose the
>>>> new HW profile.
>>>> The first time I booted the domU, Windows took some minutes more than
>>>> usual to load, I suppose it was setting automatically the hardware
>>>> drivers; the next time it booted only a little slower than when I boot
>>>> it natively (due to virtualization).
>>>>
>>> thanks, I will have a try.
>>>
>>>>> and for your case, i think you could install another grub in the windows
>>>>> disk
>>>>
>>>> What do you mean?
>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
>>>> Windows disk) and grub-install on /dev/hda without mapping?
>>> yup, install grub on /dev/hda, it will not be used when you not using
>>> xen (i mean when you reboot your PC, and choose windows from the grub
>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
>>> could be used to load the windows. Don't know if it really works,
>>> don't have a try now.
>>>>
>>>> --
>>>> Z24
>>>> http://www.mycomputingart.com/
>>>>
>>>
>>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 5:59 ` Keir Fraser
@ 2007-08-07 6:06 ` Brady Chen
2007-08-07 6:32 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 6:06 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi Keir,
Thank you for your reply.
I'm using the official released version 3.1.0.
Actually, I could boot the Linux (/dev/sda2) in the Xen HVM guest,
but failed to boot Windows (/dev/sda1).
The Windows in sda1 is not installed in a Xen HVM guest; it's installed
in the native environment. I'm trying to boot the Windows as a Xen
guest. You know, it's a waste of time to reboot and change to Windows.
On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> Could be something to do with virtual hard disk geometry. Are you running
> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
> older version?
>
> -- KEir
>
>
> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > cc to xen-devel,
> >
> > Hi all,
> > someone saw this kind of error before?
> > it's a Trap 6 error when start the windows. Does it mean that some
> > opcodes in real mode are not be simulated? How can I get the
> > instruction which is not be simulated?
> >
> > I tried to fetch8(regs) in function trap of
> > xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it cause more
> > traps, and the hvm is reset immediately.
> >
> > thank you in advance
> >
> > On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >> Hi Z24, AL,
> >> ccing tygrawy@gazeta,pl, for I found he got the same issue.
> >>
> >> I tried in ThinkPad T60,
> >> /dev/sda1 -- windows
> >> /dev/sda2 -- Linux + Xen 3.1.0
> >>
> >> in xen guest, the whole sda is mapped to virtual hda.
> >> disk = [ 'phy:/dev/sda, hda, w' ]
> >>
> >> I could see the grub menu in xen guest, and could boot in to the linux
> >> (you know, it's re-enter into the linux), but when I select windows
> >> from grub menu, it will hang after print "chainloader +1"
> >> the xen dmesg shows:
> >> (XEN) HVM1: Trap (0x6) while in real mode
> >> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> >> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> >> (XEN) HVM1: trapno 6 errno 0
> >> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> >> (XEN) HVM1: uesp D7474 uss 2
> >> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> >> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> >> (XEN) HVM1:
> >> (XEN) HVM1: Halt called from %eip 0xD037
> >>
> >> tygrawy:
> >> I found you have the same issue months ago, have you find out the
> >> reason? Thank you very much.
> >>
> >> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
> >>
> >> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> >>> On 8/2/07, Z24 <z24@gmx.net> wrote:
> >>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> >>>>
> >>>>> thank you all,
> >>>>> looks like it's possible. it's great!
> >>>>>
> >>>>> Z24,
> >>>>> do you get the hardware issue Archie said, that's my concern too.
> >>>>> you know, windows may be bluescreen if the hardware changes.
> >>>>
> >>>> Before booting the Windows domU I copied the current Windows HW
> >>>> Profile to a new HW Profile, then when I boot the domU I choose the
> >>>> new HW profile.
> >>>> The first time I booted the domU, Windows took some minutes more than
> >>>> usual to load, I suppose it was setting automatically the hardware
> >>>> drivers; the next time it booted only a little slower than when I boot
> >>>> it natively (due to virtualization).
> >>>>
> >>> thanks, I will have a try.
> >>>
> >>>>> and for your case, i think you could install another grub in the windows
> >>>>> disk
> >>>>
> >>>> What do you mean?
> >>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> >>>> Windows disk) and grub-install on /dev/hda without mapping?
> >>> yup, install grub on /dev/hda, it will not be used when you not using
> >>> xen (i mean when you reboot your PC, and choose windows from the grub
> >>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> >>> could be used to load the windows. Don't know if it really works,
> >>> don't have a try now.
> >>>>
> >>>> --
> >>>> Z24
> >>>> http://www.mycomputingart.com/
> >>>>
> >>>
> >>
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@lists.xensource.com
> > http://lists.xensource.com/xen-devel
>
>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 6:06 ` Brady Chen
@ 2007-08-07 6:32 ` Keir Fraser
2007-08-07 7:58 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 6:32 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Try downloading http://xenbits.xensource.com/staging/xen-unstable.hg, and
build inside tools/firmware. Then use tools/firmware/hvmloader/hvmloader as
your HVM 'kernel' (what you specify as the 'kernel' in your HVM config
file).
If that doesn't help, then track down the crashing %cs:%eip inside vmxassist
(objdump -d tools/firmware/vmxassist/vmxassist) and we'll see if that shows
up anything interesting.
-- Keir
On 7/8/07 07:06, "Brady Chen" <chenchp@gmail.com> wrote:
> Hi Keir,
>
> Thank you for your reply.
> I'm using official released version 3.1.0.
> actually I could boot the linux (/dev/sda2) in xen hvm guest.
> but failed to boot window (/dev/sda1).
>
> the windows in sda1 is not installed in xen hvm guest, it's installed
> in the native environment. I'm trying to boot the windows as xen
> guest. you know, it's wasting of time to reboot and change to windows.
>
>
> On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
>> Could be something to do with virtual hard disk geometry. Are you running
>> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
>> older version?
>>
>> -- KEir
>>
>>
>> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> cc to xen-devel,
>>>
>>> Hi all,
>>> someone saw this kind of error before?
>>> it's a Trap 6 error when start the windows. Does it mean that some
>>> opcodes in real mode are not be simulated? How can I get the
>>> instruction which is not be simulated?
>>>
>>> I tried to fetch8(regs) in function trap of
>>> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it cause more
>>> traps, and the hvm is reset immediately.
>>>
>>> thank you in advance
>>>
>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>> Hi Z24, AL,
>>>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
>>>>
>>>> I tried in ThinkPad T60,
>>>> /dev/sda1 -- windows
>>>> /dev/sda2 -- Linux + Xen 3.1.0
>>>>
>>>> in xen guest, the whole sda is mapped to virtual hda.
>>>> disk = [ 'phy:/dev/sda, hda, w' ]
>>>>
>>>> I could see the grub menu in xen guest, and could boot in to the linux
>>>> (you know, it's re-enter into the linux), but when I select windows
>>>> from grub menu, it will hang after print "chainloader +1"
>>>> the xen dmesg shows:
>>>> (XEN) HVM1: Trap (0x6) while in real mode
>>>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
>>>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
>>>> (XEN) HVM1: trapno 6 errno 0
>>>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
>>>> (XEN) HVM1: uesp D7474 uss 2
>>>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
>>>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM1:
>>>> (XEN) HVM1: Halt called from %eip 0xD037
>>>>
>>>> tygrawy:
>>>> I found you have the same issue months ago, have you find out the
>>>> reason? Thank you very much.
>>>>
>>>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
>>>>
>>>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
>>>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
>>>>>>
>>>>>>> thank you all,
>>>>>>> looks like it's possible. it's great!
>>>>>>>
>>>>>>> Z24,
>>>>>>> do you get the hardware issue Archie said, that's my concern too.
>>>>>>> you know, windows may be bluescreen if the hardware changes.
>>>>>>
>>>>>> Before booting the Windows domU I copied the current Windows HW
>>>>>> Profile to a new HW Profile, then when I boot the domU I choose the
>>>>>> new HW profile.
>>>>>> The first time I booted the domU, Windows took some minutes more than
>>>>>> usual to load, I suppose it was setting automatically the hardware
>>>>>> drivers; the next time it booted only a little slower than when I boot
>>>>>> it natively (due to virtualization).
>>>>>>
>>>>> thanks, I will have a try.
>>>>>
>>>>>>> and for your case, i think you could install another grub in the windows
>>>>>>> disk
>>>>>>
>>>>>> What do you mean?
>>>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
>>>>>> Windows disk) and grub-install on /dev/hda without mapping?
>>>>> yup, install grub on /dev/hda, it will not be used when you not using
>>>>> xen (i mean when you reboot your PC, and choose windows from the grub
>>>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
>>>>> could be used to load the windows. Don't know if it really works,
>>>>> don't have a try now.
>>>>>>
>>>>>> --
>>>>>> Z24
>>>>>> http://www.mycomputingart.com/
>>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@lists.xensource.com
>>> http://lists.xensource.com/xen-devel
>>
>>
>>
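The step Keir asks for above, tracking the reported %cs:%eip down to a function in the objdump listing, is mechanical enough to script. The following is an added example, not code from this thread or from Xen: it parses the `(XEN) HVMn:` register dump that vmxassist prints on a trap, parses the output of `objdump -d tools/firmware/vmxassist/vmxassist` (assuming objdump's standard `-d` layout of address, byte pairs, mnemonic), and resolves the faulting `eip` and the `Halt called from %eip` address to `symbol+offset`. It only resolves an address when some listed instruction actually covers it, so a truncated or mismatched listing yields `None` instead of a misleading nearest-symbol guess; for a return address it also names the preceding `call`. It decodes EFLAGS as well, since the VM bit (bit 17) tells whether the processor was in vm86 mode, i.e. running the emulated real-mode guest, or executing protected-mode code when the trap fired. The sample inputs are constructed from the second dump and the `common_trap` excerpt posted later in this thread.

```python
"""Resolve a vmxassist trap report against an objdump -d listing (added example)."""
import re
from bisect import bisect_right

# Constructed sample: the second '(XEN) HVM1:' dump posted in the thread.
SAMPLE_DUMP = """\
(XEN) HVM1: Trap (0x6) while in real mode
(XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
(XEN) HVM1: trapno 6 errno 0
(XEN) HVM1: eip D0800 cs 10 eflags 13046
(XEN) HVM1: uesp D75B4 uss 2
(XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
(XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM1:
(XEN) HVM1: Halt called from %eip 0xD037C
"""

# Constructed sample: an excerpt of the objdump posted in the thread. Nothing
# near 0xd0800 is included, so that address must come back as unresolved.
SAMPLE_OBJDUMP = """\
000d0048 <halt>:
   d0048:  68 20 55 0d 00        push   $0xd5520
   d004d:  e8 7e 39 00 00        call   d39d0 <printf>
   d0052:  fa                    cli
   d0053:  eb fe                 jmp    d0053 <halt+0xb>
   ...
000d0360 <common_trap>:
   d0360:  60                    pusha
   d0361:  b8 18 00 00 00        mov    $0x18,%eax
   d0370:  55                    push   %ebp
   d0371:  ff 75 24              pushl  0x24(%ebp)
   d0374:  ff 75 20              pushl  0x20(%ebp)
   d0377:  e8 d4 2a 00 00        call   d2e50 <trap>
   d037c:  83 c4 0c              add    $0xc,%esp
000d037f <trap_return>:
   d037f:  61                    popa
   d0380:  83 c4 08              add    $0x8,%esp
   d0383:  cf                    iret
"""

DUMP_LINE = re.compile(r"^\(XEN\) HVM\d+:\s*(.*)$")
SYMBOL_LINE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
# address, one or more hex byte pairs, then a mnemonic (never itself a bare hex pair)
INSN_LINE = re.compile(
    r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(?![0-9a-f]{2}(?:\s|$))(\S.*)$")


def parse_dump(text):
    """Turn the trap report into a dict of integer fields (register names as keys)."""
    regs = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m or not m.group(1):
            continue
        trap = re.match(r"Trap \((0x[0-9a-fA-F]+)\)", m.group(1))
        halt = re.search(r"Halt called from %eip (0x[0-9a-fA-F]+)", m.group(1))
        if trap:
            regs["vector"] = int(trap.group(1), 16)
        elif halt:
            regs["halt_eip"] = int(halt.group(1), 16)
        else:
            tokens = m.group(1).split()  # alternating 'name value' pairs, hex values
            if len(tokens) % 2 == 0:
                regs.update((n, int(v, 16)) for n, v in zip(tokens[0::2], tokens[1::2]))
    return regs


def parse_objdump(text):
    """Collect sorted (start, name) symbols and (addr, nbytes, asm) instructions."""
    symbols, insns = [], []
    for line in text.splitlines():
        s, i = SYMBOL_LINE.match(line.strip()), INSN_LINE.match(line)
        if s:
            symbols.append((int(s.group(1), 16), s.group(2)))
        elif i:  # byte-only continuation lines of very long instructions are skipped
            insns.append((int(i.group(1), 16), len(i.group(2).split()),
                          " ".join(i.group(3).split())))
    return sorted(symbols), sorted(insns)


def symbolize(symbols, insns, addr):
    """'symbol+0xoff' for addr, but only if some listed instruction covers addr."""
    idx = bisect_right([a for a, _, _ in insns], addr) - 1
    if idx < 0 or not insns[idx][0] <= addr < insns[idx][0] + insns[idx][1]:
        return None  # truncated or mismatched listing: refuse to guess
    sidx = bisect_right([s for s, _ in symbols], addr) - 1
    if sidx < 0:
        return None
    start, name = symbols[sidx]
    return f"{name}+0x{addr - start:x}"


def instruction_before(insns, addr):
    """The instruction ending exactly at addr: for a return address, the call."""
    return next((asm for a, n, asm in insns if a + n == addr), None)


EFLAGS_BITS = {"CF": 0, "PF": 2, "ZF": 6, "TF": 8, "IF": 9, "DF": 10,
               "NT": 14, "RF": 16, "VM": 17}


def decode_eflags(value):
    """Name the EFLAGS bits; VM says whether the CPU was in vm86 (emulated real) mode."""
    flags = {name: bool(value >> bit & 1) for name, bit in EFLAGS_BITS.items()}
    flags["IOPL"] = (value >> 12) & 3
    return flags


def analyze(dump_text, objdump_text):
    """Cross-reference a trap report with a listing; None marks what cannot be resolved."""
    regs = parse_dump(dump_text)
    symbols, insns = parse_objdump(objdump_text)
    eip, halt = regs.get("eip"), regs.get("halt_eip")
    return {
        "vector": regs.get("vector"),
        "cs": regs.get("cs"),
        "eip": eip,
        "eip_symbol": None if eip is None else symbolize(symbols, insns, eip),
        "halt_symbol": None if halt is None else symbolize(symbols, insns, halt),
        "halt_caller": None if halt is None else instruction_before(insns, halt),
        "eflags": None if "eflags" not in regs else decode_eflags(regs["eflags"]),
    }
```

Run against the samples, `analyze` resolves the halt address to `common_trap+0x1c`, names `call d2e50 <trap>` as the call that returned there, and leaves `eip_symbol` as `None` because the excerpt does not reach 0xd0800; with a full `objdump -d` pasted into `SAMPLE_OBJDUMP` that field is the function Keir asks about. The EFLAGS value 0x13046 decodes with VM clear, which a reader can check against the `Trap ... while in real mode` wording before drawing conclusions.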
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 6:32 ` Keir Fraser
@ 2007-08-07 7:58 ` Brady Chen
2007-08-07 8:02 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 7:58 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
[-- Attachment #1: Type: text/plain, Size: 6880 bytes --]
Keir,
Thank you very much.
Now I'm using the unstable version to build hvmloader (only hvmloader
was rebuilt; Xen and the domain0 kernel are not touched), and the
problem is the same.
(XEN) HVM1: Trap (0x6) while in real mode
(XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
(XEN) HVM1: trapno 6 errno 0
(XEN) HVM1: eip D0800 cs 10 eflags 13046
(XEN) HVM1: uesp D75B4 uss 2
(XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
(XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM1:
(XEN) HVM1: Halt called from %eip 0xD037C
Here is a snippet from objdump; I attach the whole objdump as an
attachment.
000d0360 <common_trap>:
d0360: 60 pusha
d0361: b8 18 00 00 00 mov $0x18,%eax
d0366: 8e d8 mov %eax,%ds
d0368: 8e c0 mov %eax,%es
d036a: 8e e0 mov %eax,%fs
d036c: 8e e8 mov %eax,%gs
d036e: 89 e5 mov %esp,%ebp
d0370: 55 push %ebp
d0371: ff 75 24 pushl 0x24(%ebp)
d0374: ff 75 20 pushl 0x20(%ebp)
d0377: e8 d4 2a 00 00 call d2e50 <trap>
d037c: 83 c4 0c add $0xc,%esp
000d037f <trap_return>:
d037f: 61 popa
d0380: 83 c4 08 add $0x8,%esp
d0383: cf iret
d0384: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d038a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> Try downloading http://xenbits.xensource.com/staging/xen-unstable.hg, and
> build inside tools/firmware. Then use tools/firmware/hvmloader/hvmloader as
> your HVM 'kernel' (what you specify as the 'kernel' in your HVM config
> file).
>
> If that doesn't help, then track down the crashing %cs:%eip inside vmxassist
> (objdump -d tools/firmware/vmxassist/vmxassist) and we'll see if that shows
> up anything interesting.
>
> -- Keir
>
> On 7/8/07 07:06, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> >
> > Thank you for your reply.
> > I'm using official released version 3.1.0.
> > actually I could boot the linux (/dev/sda2) in xen hvm guest.
> > but failed to boot window (/dev/sda1).
> >
> > the windows in sda1 is not installed in xen hvm guest, it's installed
> > in the native environment. I'm trying to boot the windows as xen
> > guest. you know, it's wasting of time to reboot and change to windows.
> >
> >
> > On 8/7/07, Keir Fraser <Keir.Fraser@cl.cam.ac.uk> wrote:
> >> Could be something to do with virtual hard disk geometry. Are you running
> >> latest xen-unstable? Was your OS installed with latest xen-unstable, or an
> >> older version?
> >>
> >> -- KEir
> >>
> >>
> >> On 7/8/07 06:48, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> cc to xen-devel,
> >>>
> >>> Hi all,
> >>> someone saw this kind of error before?
> >>> it's a Trap 6 error when start the windows. Does it mean that some
> >>> opcodes in real mode are not be simulated? How can I get the
> >>> instruction which is not be simulated?
> >>>
> >>> I tried to fetch8(regs) in function trap of
> >>> xen-3.1.0-src/tools/firmware/vmxassist/vm86.c, but it cause more
> >>> traps, and the hvm is reset immediately.
> >>>
> >>> thank you in advance
> >>>
> >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>> Hi Z24, AL,
> >>>> ccing tygrawy@gazeta,pl, for I found he got the same issue.
> >>>>
> >>>> I tried in ThinkPad T60,
> >>>> /dev/sda1 -- windows
> >>>> /dev/sda2 -- Linux + Xen 3.1.0
> >>>>
> >>>> in xen guest, the whole sda is mapped to virtual hda.
> >>>> disk = [ 'phy:/dev/sda, hda, w' ]
> >>>>
> >>>> I could see the grub menu in xen guest, and could boot in to the linux
> >>>> (you know, it's re-enter into the linux), but when I select windows
> >>>> from grub menu, it will hang after print "chainloader +1"
> >>>> the xen dmesg shows:
> >>>> (XEN) HVM1: Trap (0x6) while in real mode
> >>>> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> >>>> (XEN) HVM1: esp D7384 ebp D73D0 esi D7364 edi D00
> >>>> (XEN) HVM1: trapno 6 errno 0
> >>>> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> >>>> (XEN) HVM1: uesp D7474 uss 2
> >>>> (XEN) HVM1: ves D4AB8 vds D4C1D vfs D07FE vgs D7474
> >>>> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM1:
> >>>> (XEN) HVM1: Halt called from %eip 0xD037
> >>>>
> >>>> tygrawy:
> >>>> I found you have the same issue months ago, have you find out the
> >>>> reason? Thank you very much.
> >>>>
> >>>> http://lists.xensource.com/archives/html/xen-users/2007-07/msg00521.html
> >>>>
> >>>> On 8/2/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>> On 8/2/07, Z24 <z24@gmx.net> wrote:
> >>>>>> On Thu, 2 Aug 2007 17:47:59 +0800, you wrote:
> >>>>>>
> >>>>>>> thank you all,
> >>>>>>> looks like it's possible. it's great!
> >>>>>>>
> >>>>>>> Z24,
> >>>>>>> do you get the hardware issue Archie said, that's my concern too.
> >>>>>>> you know, windows may be bluescreen if the hardware changes.
> >>>>>>
> >>>>>> Before booting the Windows domU I copied the current Windows HW
> >>>>>> Profile to a new HW Profile, then when I boot the domU I choose the
> >>>>>> new HW profile.
> >>>>>> The first time I booted the domU, Windows took some minutes more than
> >>>>>> usual to load, I suppose it was setting automatically the hardware
> >>>>>> drivers; the next time it booted only a little slower than when I boot
> >>>>>> it natively (due to virtualization).
> >>>>>>
> >>>>> thanks, I will have a try.
> >>>>>
> >>>>>>> and for your case, i think you could install another grub in the windows
> >>>>>>> disk
> >>>>>>
> >>>>>> What do you mean?
> >>>>>> Xen VM configuration with 'phy:/dev/hda,ioemu:hda,w' only (hda is
> >>>>>> Windows disk) and grub-install on /dev/hda without mapping?
> >>>>> yup, install grub on /dev/hda, it will not be used when you not using
> >>>>> xen (i mean when you reboot your PC, and choose windows from the grub
> >>>>> menu). but when you use xen to boot /dev/hda, the grub on /dev/hda
> >>>>> could be used to load the windows. Don't know if it really works,
> >>>>> don't have a try now.
> >>>>>>
> >>>>>> --
> >>>>>> Z24
> >>>>>> http://www.mycomputingart.com/
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>> _______________________________________________
> >>> Xen-devel mailing list
> >>> Xen-devel@lists.xensource.com
> >>> http://lists.xensource.com/xen-devel
> >>
> >>
> >>
>
>
>
[-- Attachment #2: vmxassist.objdump --]
[-- Type: application/octet-stream, Size: 289767 bytes --]
tools/firmware/vmxassist/vmxassist: file format elf32-i386
Disassembly of section .text:
000d0000 <_start-0x14>:
d0000: e9 0f 00 00 00 jmp d0014 <_start>
d0005: 8d 76 00 lea 0x0(%esi),%esi
d0008: 66 19 10 sbb %dx,(%eax)
d000b: 17 pop %ss
d000c: 00 97 0d 00 c0 97 add %dl,0x97c0000d(%edi)
d0012: 0d 00 fa fc 30 or $0x30fcfa00,%eax
000d0014 <_start>:
d0014: fa cli
d0015: fc cld
d0016: 30 c0 xor %al,%al
d0018: bf 00 56 0d 00 mov $0xd5600,%edi
d001d: b9 04 9a 0d 00 mov $0xd9a04,%ecx
d0022: 29 f9 sub %edi,%ecx
d0024: f3 aa repz stos %al,%es:(%edi)
d0026: 89 15 80 76 0d 00 mov %edx,0xd7680
d002c: 89 1d 6c 98 0d 00 mov %ebx,0xd986c
d0032: 0f 06 clts
d0034: bc 00 76 0d 00 mov $0xd7600,%esp
d0039: 89 e5 mov %esp,%ebp
d003b: e8 90 35 00 00 call d35d0 <main>
d0040: e9 03 00 00 00 jmp d0048 <halt>
d0045: 8d 76 00 lea 0x0(%esi),%esi
000d0048 <halt>:
d0048: 68 20 55 0d 00 push $0xd5520
d004d: e8 7e 39 00 00 call d39d0 <printf>
d0052: fa cli
d0053: eb fe jmp d0053 <halt+0xb>
...
d005d: 00 00 add %al,(%eax)
d005f: 00 6a 00 add %ch,0x0(%edx)
d0062: 6a 00 push $0x0
d0064: e9 f7 02 00 00 jmp d0360 <common_trap>
d0069: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0070: 6a 00 push $0x0
d0072: 6a 01 push $0x1
d0074: e9 e7 02 00 00 jmp d0360 <common_trap>
d0079: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0080: 6a 00 push $0x0
d0082: 6a 02 push $0x2
d0084: e9 d7 02 00 00 jmp d0360 <common_trap>
d0089: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0090: 6a 00 push $0x0
d0092: 6a 03 push $0x3
d0094: e9 c7 02 00 00 jmp d0360 <common_trap>
d0099: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d00a0: 6a 00 push $0x0
d00a2: 6a 04 push $0x4
d00a4: e9 b7 02 00 00 jmp d0360 <common_trap>
d00a9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d00b0: 6a 00 push $0x0
d00b2: 6a 05 push $0x5
d00b4: e9 a7 02 00 00 jmp d0360 <common_trap>
d00b9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d00c0: 6a 00 push $0x0
d00c2: 6a 06 push $0x6
d00c4: e9 97 02 00 00 jmp d0360 <common_trap>
d00c9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d00d0: 6a 00 push $0x0
d00d2: 6a 07 push $0x7
d00d4: e9 87 02 00 00 jmp d0360 <common_trap>
d00d9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d00e0: 6a 08 push $0x8
d00e2: e9 79 02 00 00 jmp d0360 <common_trap>
d00e7: 89 f6 mov %esi,%esi
d00e9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d00f0: 6a 00 push $0x0
d00f2: 6a 09 push $0x9
d00f4: e9 67 02 00 00 jmp d0360 <common_trap>
d00f9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0100: 6a 0a push $0xa
d0102: e9 59 02 00 00 jmp d0360 <common_trap>
d0107: 89 f6 mov %esi,%esi
d0109: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0110: 6a 0b push $0xb
d0112: e9 49 02 00 00 jmp d0360 <common_trap>
d0117: 89 f6 mov %esi,%esi
d0119: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0120: 6a 0c push $0xc
d0122: e9 39 02 00 00 jmp d0360 <common_trap>
d0127: 89 f6 mov %esi,%esi
d0129: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0130: 6a 0d push $0xd
d0132: e9 29 02 00 00 jmp d0360 <common_trap>
d0137: 89 f6 mov %esi,%esi
d0139: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0140: 6a 0e push $0xe
d0142: e9 19 02 00 00 jmp d0360 <common_trap>
d0147: 89 f6 mov %esi,%esi
d0149: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0150: 6a 00 push $0x0
d0152: 6a 0f push $0xf
d0154: e9 07 02 00 00 jmp d0360 <common_trap>
d0159: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0160: 6a 00 push $0x0
d0162: 6a 10 push $0x10
d0164: e9 f7 01 00 00 jmp d0360 <common_trap>
d0169: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0170: 6a 11 push $0x11
d0172: e9 e9 01 00 00 jmp d0360 <common_trap>
d0177: 89 f6 mov %esi,%esi
d0179: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0180: 6a 00 push $0x0
d0182: 6a 12 push $0x12
d0184: e9 d7 01 00 00 jmp d0360 <common_trap>
d0189: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0190: 6a 00 push $0x0
d0192: 6a 13 push $0x13
d0194: e9 c7 01 00 00 jmp d0360 <common_trap>
d0199: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01a0: 6a 00 push $0x0
d01a2: 6a 14 push $0x14
d01a4: e9 b7 01 00 00 jmp d0360 <common_trap>
d01a9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01b0: 6a 00 push $0x0
d01b2: 6a 15 push $0x15
d01b4: e9 a7 01 00 00 jmp d0360 <common_trap>
d01b9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01c0: 6a 00 push $0x0
d01c2: 6a 16 push $0x16
d01c4: e9 97 01 00 00 jmp d0360 <common_trap>
d01c9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01d0: 6a 00 push $0x0
d01d2: 6a 17 push $0x17
d01d4: e9 87 01 00 00 jmp d0360 <common_trap>
d01d9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01e0: 6a 00 push $0x0
d01e2: 6a 18 push $0x18
d01e4: e9 77 01 00 00 jmp d0360 <common_trap>
d01e9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d01f0: 6a 00 push $0x0
d01f2: 6a 19 push $0x19
d01f4: e9 67 01 00 00 jmp d0360 <common_trap>
d01f9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0200: 6a 00 push $0x0
d0202: 6a 1a push $0x1a
d0204: e9 57 01 00 00 jmp d0360 <common_trap>
d0209: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0210: 6a 00 push $0x0
d0212: 6a 1b push $0x1b
d0214: e9 47 01 00 00 jmp d0360 <common_trap>
d0219: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0220: 6a 00 push $0x0
d0222: 6a 1c push $0x1c
d0224: e9 37 01 00 00 jmp d0360 <common_trap>
d0229: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0230: 6a 00 push $0x0
d0232: 6a 1d push $0x1d
d0234: e9 27 01 00 00 jmp d0360 <common_trap>
d0239: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0240: 6a 00 push $0x0
d0242: 6a 1e push $0x1e
d0244: e9 17 01 00 00 jmp d0360 <common_trap>
d0249: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0250: 6a 00 push $0x0
d0252: 6a 1f push $0x1f
d0254: e9 07 01 00 00 jmp d0360 <common_trap>
d0259: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0260: 6a 00 push $0x0
d0262: 6a 20 push $0x20
d0264: e9 f7 00 00 00 jmp d0360 <common_trap>
d0269: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0270: 6a 00 push $0x0
d0272: 6a 21 push $0x21
d0274: e9 e7 00 00 00 jmp d0360 <common_trap>
d0279: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0280: 6a 00 push $0x0
d0282: 6a 22 push $0x22
d0284: e9 d7 00 00 00 jmp d0360 <common_trap>
d0289: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d0290: 6a 00 push $0x0
d0292: 6a 23 push $0x23
d0294: e9 c7 00 00 00 jmp d0360 <common_trap>
d0299: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d02a0: 6a 00 push $0x0
d02a2: 6a 24 push $0x24
d02a4: e9 b7 00 00 00 jmp d0360 <common_trap>
d02a9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d02b0: 6a 00 push $0x0
d02b2: 6a 25 push $0x25
d02b4: e9 a7 00 00 00 jmp d0360 <common_trap>
d02b9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d02c0: 6a 00 push $0x0
d02c2: 6a 26 push $0x26
d02c4: e9 97 00 00 00 jmp d0360 <common_trap>
d02c9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d02d0: 6a 00 push $0x0
d02d2: 6a 27 push $0x27
d02d4: e9 87 00 00 00 jmp d0360 <common_trap>
d02d9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d02e0: 6a 00 push $0x0
d02e2: 6a 28 push $0x28
d02e4: eb 7a jmp d0360 <common_trap>
d02e6: 8d 76 00 lea 0x0(%esi),%esi
d02e9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d02f0: 6a 00 push $0x0
d02f2: 6a 29 push $0x29
d02f4: eb 6a jmp d0360 <common_trap>
d02f6: 8d 76 00 lea 0x0(%esi),%esi
d02f9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0300: 6a 00 push $0x0
d0302: 6a 2a push $0x2a
d0304: eb 5a jmp d0360 <common_trap>
d0306: 8d 76 00 lea 0x0(%esi),%esi
d0309: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0310: 6a 00 push $0x0
d0312: 6a 2b push $0x2b
d0314: eb 4a jmp d0360 <common_trap>
d0316: 8d 76 00 lea 0x0(%esi),%esi
d0319: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0320: 6a 00 push $0x0
d0322: 6a 2c push $0x2c
d0324: eb 3a jmp d0360 <common_trap>
d0326: 8d 76 00 lea 0x0(%esi),%esi
d0329: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0330: 6a 00 push $0x0
d0332: 6a 2d push $0x2d
d0334: eb 2a jmp d0360 <common_trap>
d0336: 8d 76 00 lea 0x0(%esi),%esi
d0339: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0340: 6a 00 push $0x0
d0342: 6a 2e push $0x2e
d0344: eb 1a jmp d0360 <common_trap>
d0346: 8d 76 00 lea 0x0(%esi),%esi
d0349: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0350: 6a 00 push $0x0
d0352: 6a 2f push $0x2f
d0354: eb 0a jmp d0360 <common_trap>
d0356: 8d 76 00 lea 0x0(%esi),%esi
d0359: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0360 <common_trap>:
d0360: 60 pusha
d0361: b8 18 00 00 00 mov $0x18,%eax
d0366: 8e d8 mov %eax,%ds
d0368: 8e c0 mov %eax,%es
d036a: 8e e0 mov %eax,%fs
d036c: 8e e8 mov %eax,%gs
d036e: 89 e5 mov %esp,%ebp
d0370: 55 push %ebp
d0371: ff 75 24 pushl 0x24(%ebp)
d0374: ff 75 20 pushl 0x20(%ebp)
d0377: e8 d4 2a 00 00 call d2e50 <trap>
d037c: 83 c4 0c add $0xc,%esp
000d037f <trap_return>:
d037f: 61 popa
d0380: 83 c4 08 add $0x8,%esp
d0383: cf iret
d0384: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d038a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
000d0390 <switch_to_real_mode>:
d0390: ff 35 38 98 0d 00 pushl 0xd9838
d0396: ff 35 28 98 0d 00 pushl 0xd9828
d039c: ff 35 f8 97 0d 00 pushl 0xd97f8
d03a2: ff 35 08 98 0d 00 pushl 0xd9808
d03a8: ff 35 18 98 0d 00 pushl 0xd9818
d03ae: ff 35 c4 97 0d 00 pushl 0xd97c4
d03b4: ff 35 c8 97 0d 00 pushl 0xd97c8
d03ba: ff 35 e8 97 0d 00 pushl 0xd97e8
d03c0: ff 35 c0 97 0d 00 pushl 0xd97c0
d03c6: 6a ff push $0xffffffff
d03c8: 6a ff push $0xffffffff
d03ca: 60 pusha
d03cb: 89 e5 mov %esp,%ebp
d03cd: 55 push %ebp
d03ce: e8 3d 2e 00 00 call d3210 <enter_real_mode>
d03d3: 83 c4 04 add $0x4,%esp
d03d6: eb a7 jmp d037f <trap_return>
d03d8: 90 nop
d03d9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d03e0 <switch_to_protected_mode>:
d03e0: 8b 25 cc 97 0d 00 mov 0xd97cc,%esp
d03e6: 0f 22 c4 mov %esp,%cr0
d03e9: 68 40 55 0d 00 push $0xd5540
d03ee: e8 8d 35 00 00 call d3980 <panic>
d03f3: eb fe jmp d03f3 <switch_to_protected_mode+0x13>
...
000d0400 <guest_linear_to_phys>:
d0400: 55 push %ebp
d0401: 89 e5 mov %esp,%ebp
d0403: 83 ec 48 sub $0x48,%esp
d0406: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d0409: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d040c: 89 7d fc mov %edi,0xfffffffc(%ebp)
d040f: 8b 15 d0 97 0d 00 mov 0xd97d0,%edx
d0415: 89 45 dc mov %eax,0xffffffdc(%ebp)
d0418: a1 cc 97 0d 00 mov 0xd97cc,%eax
d041d: 85 c0 test %eax,%eax
d041f: 78 16 js d0437 <guest_linear_to_phys+0x37>
d0421: 8b 4d dc mov 0xffffffdc(%ebp),%ecx
d0424: 31 db xor %ebx,%ebx
d0426: 89 da mov %ebx,%edx
d0428: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d042b: 89 c8 mov %ecx,%eax
d042d: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0430: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0433: 89 ec mov %ebp,%esp
d0435: 5d pop %ebp
d0436: c3 ret
d0437: 8b 0d d4 97 0d 00 mov 0xd97d4,%ecx
d043d: f6 c1 20 test $0x20,%cl
d0440: 0f 84 b1 00 00 00 je d04f7 <guest_linear_to_phys+0xf7>
d0446: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d0449: c1 e8 1e shr $0x1e,%eax
d044c: 8b 0c c2 mov (%edx,%eax,8),%ecx
d044f: 8b 5c c2 04 mov 0x4(%edx,%eax,8),%ebx
d0453: 89 4d d0 mov %ecx,0xffffffd0(%ebp)
d0456: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
d0459: 89 5d d4 mov %ebx,0xffffffd4(%ebp)
d045c: 83 f0 01 xor $0x1,%eax
d045f: a8 01 test $0x1,%al
d0461: 0f 85 56 02 00 00 jne d06bd <guest_linear_to_phys+0x2bd>
d0467: 8b 7d d4 mov 0xffffffd4(%ebp),%edi
d046a: 31 c0 xor %eax,%eax
d046c: 8b 75 d0 mov 0xffffffd0(%ebp),%esi
d046f: 83 e7 0f and $0xf,%edi
d0472: 89 fa mov %edi,%edx
d0474: 81 e6 00 f0 ff ff and $0xfffff000,%esi
d047a: 83 e2 0f and $0xf,%edx
d047d: 89 d3 mov %edx,%ebx
d047f: 09 c3 or %eax,%ebx
d0481: 0f 85 fb 01 00 00 jne d0682 <guest_linear_to_phys+0x282>
d0487: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d048a: 89 f2 mov %esi,%edx
d048c: c1 e8 12 shr $0x12,%eax
d048f: 25 f8 0f 00 00 and $0xff8,%eax
d0494: 8b 34 30 mov (%eax,%esi,1),%esi
d0497: 8b 7c 10 04 mov 0x4(%eax,%edx,1),%edi
d049b: 89 75 e8 mov %esi,0xffffffe8(%ebp)
d049e: 89 7d ec mov %edi,0xffffffec(%ebp)
d04a1: 89 f0 mov %esi,%eax
d04a3: 83 f0 01 xor $0x1,%eax
d04a6: a8 01 test $0x1,%al
d04a8: 0f 85 bd 01 00 00 jne d066b <guest_linear_to_phys+0x26b>
d04ae: 89 f0 mov %esi,%eax
d04b0: 0f ac f8 07 shrd $0x7,%edi,%eax
d04b4: a8 01 test $0x1,%al
d04b6: 0f 84 c3 00 00 00 je d057f <guest_linear_to_phys+0x17f>
d04bc: 8b 4d dc mov 0xffffffdc(%ebp),%ecx
d04bf: 89 f0 mov %esi,%eax
d04c1: 89 fa mov %edi,%edx
d04c3: 25 00 00 e0 ff and $0xffe00000,%eax
d04c8: 83 e2 0f and $0xf,%edx
d04cb: 89 c6 mov %eax,%esi
d04cd: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d04d0: 89 c8 mov %ecx,%eax
d04d2: 89 d7 mov %edx,%edi
d04d4: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d04d7: 25 ff ff 1f 00 and $0x1fffff,%eax
d04dc: 31 d2 xor %edx,%edx
d04de: 89 c1 mov %eax,%ecx
d04e0: 89 d3 mov %edx,%ebx
d04e2: 01 f1 add %esi,%ecx
d04e4: 11 fb adc %edi,%ebx
d04e6: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d04e9: 89 c8 mov %ecx,%eax
d04eb: 89 da mov %ebx,%edx
d04ed: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d04f0: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d04f3: 89 ec mov %ebp,%esp
d04f5: 5d pop %ebp
d04f6: c3 ret
d04f7: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d04fa: 31 ff xor %edi,%edi
d04fc: c1 e8 16 shr $0x16,%eax
d04ff: 8b 34 82 mov (%edx,%eax,4),%esi
d0502: 89 7d ec mov %edi,0xffffffec(%ebp)
d0505: 89 f0 mov %esi,%eax
d0507: 83 f0 01 xor $0x1,%eax
d050a: 89 75 e8 mov %esi,0xffffffe8(%ebp)
d050d: a8 01 test $0x1,%al
d050f: 0f 85 39 01 00 00 jne d064e <guest_linear_to_phys+0x24e>
d0515: f6 c1 10 test $0x10,%cl
d0518: 74 0e je d0528 <guest_linear_to_phys+0x128>
d051a: 89 f0 mov %esi,%eax
d051c: 0f ac f8 07 shrd $0x7,%edi,%eax
d0520: a8 01 test $0x1,%al
d0522: 0f 85 c7 00 00 00 jne d05ef <guest_linear_to_phys+0x1ef>
d0528: 89 f0 mov %esi,%eax
d052a: 31 d2 xor %edx,%edx
d052c: 25 00 f0 ff ff and $0xfffff000,%eax
d0531: 89 45 e8 mov %eax,0xffffffe8(%ebp)
d0534: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d0537: 31 ff xor %edi,%edi
d0539: 89 55 ec mov %edx,0xffffffec(%ebp)
d053c: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d053f: c1 e8 0c shr $0xc,%eax
d0542: 25 ff 03 00 00 and $0x3ff,%eax
d0547: 8b 34 82 mov (%edx,%eax,4),%esi
d054a: 89 7d e4 mov %edi,0xffffffe4(%ebp)
d054d: 89 f0 mov %esi,%eax
d054f: 83 f0 01 xor $0x1,%eax
d0552: 89 75 e0 mov %esi,0xffffffe0(%ebp)
d0555: a8 01 test $0x1,%al
d0557: 0f 85 71 01 00 00 jne d06ce <guest_linear_to_phys+0x2ce>
d055d: 8b 4d dc mov 0xffffffdc(%ebp),%ecx
d0560: 89 f0 mov %esi,%eax
d0562: 31 d2 xor %edx,%edx
d0564: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d0567: 25 00 f0 ff ff and $0xfffff000,%eax
d056c: 89 d7 mov %edx,%edi
d056e: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d0571: 89 c6 mov %eax,%esi
d0573: 89 c8 mov %ecx,%eax
d0575: 25 ff 0f 00 00 and $0xfff,%eax
d057a: e9 5f ff ff ff jmp d04de <guest_linear_to_phys+0xde>
d057f: 89 fb mov %edi,%ebx
d0581: 89 f1 mov %esi,%ecx
d0583: 83 e3 0f and $0xf,%ebx
d0586: 89 5d ec mov %ebx,0xffffffec(%ebp)
d0589: 89 da mov %ebx,%edx
d058b: 81 e1 00 f0 ff ff and $0xfffff000,%ecx
d0591: 89 4d e8 mov %ecx,0xffffffe8(%ebp)
d0594: 83 e2 0f and $0xf,%edx
d0597: 31 c0 xor %eax,%eax
d0599: 89 d1 mov %edx,%ecx
d059b: 09 c1 or %eax,%ecx
d059d: 75 72 jne d0611 <guest_linear_to_phys+0x211>
d059f: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d05a2: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d05a5: c1 e8 0c shr $0xc,%eax
d05a8: 25 ff 01 00 00 and $0x1ff,%eax
d05ad: 8b 34 c2 mov (%edx,%eax,8),%esi
d05b0: 8b 7c c2 04 mov 0x4(%edx,%eax,8),%edi
d05b4: 89 75 e0 mov %esi,0xffffffe0(%ebp)
d05b7: 89 7d e4 mov %edi,0xffffffe4(%ebp)
d05ba: 89 f0 mov %esi,%eax
d05bc: 83 f0 01 xor $0x1,%eax
d05bf: a8 01 test $0x1,%al
d05c1: 0f 85 1b 01 00 00 jne d06e2 <guest_linear_to_phys+0x2e2>
d05c7: 89 f0 mov %esi,%eax
d05c9: 8b 75 dc mov 0xffffffdc(%ebp),%esi
d05cc: 89 fa mov %edi,%edx
d05ce: 25 00 f0 ff ff and $0xfffff000,%eax
d05d3: 83 e2 0f and $0xf,%edx
d05d6: 31 db xor %ebx,%ebx
d05d8: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d05db: 89 f1 mov %esi,%ecx
d05dd: 81 e1 ff 0f 00 00 and $0xfff,%ecx
d05e3: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d05e6: 01 c1 add %eax,%ecx
d05e8: 11 d3 adc %edx,%ebx
d05ea: e9 37 fe ff ff jmp d0426 <guest_linear_to_phys+0x26>
d05ef: 8b 4d dc mov 0xffffffdc(%ebp),%ecx
d05f2: 89 f0 mov %esi,%eax
d05f4: 31 d2 xor %edx,%edx
d05f6: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d05f9: 25 00 00 c0 ff and $0xffc00000,%eax
d05fe: 89 d7 mov %edx,%edi
d0600: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d0603: 89 c6 mov %eax,%esi
d0605: 89 c8 mov %ecx,%eax
d0607: 25 ff ff 3f 00 and $0x3fffff,%eax
d060c: e9 cd fe ff ff jmp d04de <guest_linear_to_phys+0xde>
d0611: c7 04 24 ad 4a 0d 00 movl $0xd4aad,(%esp)
d0618: e8 b3 33 00 00 call d39d0 <printf>
d061d: 8d 45 e0 lea 0xffffffe0(%ebp),%eax
d0620: 31 d2 xor %edx,%edx
d0622: 89 44 24 08 mov %eax,0x8(%esp)
d0626: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d0629: c1 e8 09 shr $0x9,%eax
d062c: 25 f8 0f 00 00 and $0xff8,%eax
d0631: 03 45 e8 add 0xffffffe8(%ebp),%eax
d0634: 13 55 ec adc 0xffffffec(%ebp),%edx
d0637: 89 04 24 mov %eax,(%esp)
d063a: 89 54 24 04 mov %edx,0x4(%esp)
d063e: e8 ed 2f 00 00 call d3630 <cpuid_addr_value>
d0643: 8b 75 e0 mov 0xffffffe0(%ebp),%esi
d0646: 8b 7d e4 mov 0xffffffe4(%ebp),%edi
d0649: e9 6c ff ff ff jmp d05ba <guest_linear_to_phys+0x1ba>
d064e: c7 04 24 bf 4a 0d 00 movl $0xd4abf,(%esp)
d0655: e8 26 33 00 00 call d3980 <panic>
d065a: 8b 0d d4 97 0d 00 mov 0xd97d4,%ecx
d0660: 8b 75 e8 mov 0xffffffe8(%ebp),%esi
d0663: 8b 7d ec mov 0xffffffec(%ebp),%edi
d0666: e9 aa fe ff ff jmp d0515 <guest_linear_to_phys+0x115>
d066b: c7 04 24 bf 4a 0d 00 movl $0xd4abf,(%esp)
d0672: e8 09 33 00 00 call d3980 <panic>
d0677: 8b 75 e8 mov 0xffffffe8(%ebp),%esi
d067a: 8b 7d ec mov 0xffffffec(%ebp),%edi
d067d: e9 2c fe ff ff jmp d04ae <guest_linear_to_phys+0xae>
d0682: c7 04 24 d5 4a 0d 00 movl $0xd4ad5,(%esp)
d0689: e8 42 33 00 00 call d39d0 <printf>
d068e: 8d 45 e8 lea 0xffffffe8(%ebp),%eax
d0691: 31 d2 xor %edx,%edx
d0693: 89 44 24 08 mov %eax,0x8(%esp)
d0697: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d069a: c1 e8 12 shr $0x12,%eax
d069d: 25 f8 0f 00 00 and $0xff8,%eax
d06a2: 01 f0 add %esi,%eax
d06a4: 11 fa adc %edi,%edx
d06a6: 89 04 24 mov %eax,(%esp)
d06a9: 89 54 24 04 mov %edx,0x4(%esp)
d06ad: e8 7e 2f 00 00 call d3630 <cpuid_addr_value>
d06b2: 8b 75 e8 mov 0xffffffe8(%ebp),%esi
d06b5: 8b 7d ec mov 0xffffffec(%ebp),%edi
d06b8: e9 e4 fd ff ff jmp d04a1 <guest_linear_to_phys+0xa1>
d06bd: c7 04 24 e7 4a 0d 00 movl $0xd4ae7,(%esp)
d06c4: e8 b7 32 00 00 call d3980 <panic>
d06c9: e9 99 fd ff ff jmp d0467 <guest_linear_to_phys+0x67>
d06ce: c7 04 24 fd 4a 0d 00 movl $0xd4afd,(%esp)
d06d5: e8 a6 32 00 00 call d3980 <panic>
d06da: 8b 75 e0 mov 0xffffffe0(%ebp),%esi
d06dd: e9 7b fe ff ff jmp d055d <guest_linear_to_phys+0x15d>
d06e2: c7 04 24 fd 4a 0d 00 movl $0xd4afd,(%esp)
d06e9: e8 92 32 00 00 call d3980 <panic>
d06ee: 8b 75 e0 mov 0xffffffe0(%ebp),%esi
d06f1: 8b 7d e4 mov 0xffffffe4(%ebp),%edi
d06f4: e9 ce fe ff ff jmp d05c7 <guest_linear_to_phys+0x1c7>
d06f9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d0700 <address>:
d0700: 55 push %ebp
d0701: 89 e5 mov %esp,%ebp
d0703: 83 ec 38 sub $0x38,%esp
d0706: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d0709: 85 d2 test %edx,%edx
d070b: 89 c3 mov %eax,%ebx
d070d: 89 7d fc mov %edi,0xfffffffc(%ebp)
d0710: 89 d7 mov %edx,%edi
d0712: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d0715: 75 29 jne d0740 <address+0x40>
d0717: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604
d071e: 8b 45 08 mov 0x8(%ebp),%eax
d0721: 77 0d ja d0730 <address+0x30>
d0723: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0726: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0729: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d072c: 89 ec mov %ebp,%esp
d072e: 5d pop %ebp
d072f: c3 ret
d0730: c7 04 24 5c 4e 0d 00 movl $0xd4e5c,(%esp)
d0737: e8 44 32 00 00 call d3980 <panic>
d073c: 8d 74 26 00 lea 0x0(%esi),%esi
d0740: a1 04 76 0d 00 mov 0xd7604,%eax
d0745: 85 c0 test %eax,%eax
d0747: 0f 84 a7 00 00 00 je d07f4 <address+0xf4>
d074d: 39 3d e0 97 0d 00 cmp %edi,0xd97e0
d0753: 0f 82 9b 00 00 00 jb d07f4 <address+0xf4>
d0759: 48 dec %eax
d075a: 75 0a jne d0766 <address+0x66>
d075c: 39 7b 2c cmp %edi,0x2c(%ebx)
d075f: 90 nop
d0760: 0f 84 8e 00 00 00 je d07f4 <address+0xf4>
d0766: a1 e4 97 0d 00 mov 0xd97e4,%eax
d076b: e8 90 fc ff ff call d0400 <guest_linear_to_phys>
d0770: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d0773: 89 c3 mov %eax,%ebx
d0775: 89 d6 mov %edx,%esi
d0777: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d077a: 31 d2 xor %edx,%edx
d077c: 89 d1 mov %edx,%ecx
d077e: 31 f1 xor %esi,%ecx
d0780: 31 d8 xor %ebx,%eax
d0782: 09 c1 or %eax,%ecx
d0784: 0f 85 c4 00 00 00 jne d084e <address+0x14e>
d078a: 8b 55 e0 mov 0xffffffe0(%ebp),%edx
d078d: 89 f8 mov %edi,%eax
d078f: 83 e0 f8 and $0xfffffff8,%eax
d0792: 8b 0c 10 mov (%eax,%edx,1),%ecx
d0795: 8b 5c 10 04 mov 0x4(%eax,%edx,1),%ebx
d0799: 89 4d e8 mov %ecx,0xffffffe8(%ebp)
d079c: 89 5d ec mov %ebx,0xffffffec(%ebp)
d079f: 0f ac d9 10 shrd $0x10,%ebx,%ecx
d07a3: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d07a6: 89 de mov %ebx,%esi
d07a8: 81 e6 00 00 00 ff and $0xff000000,%esi
d07ae: 89 da mov %ebx,%edx
d07b0: 89 45 e4 mov %eax,0xffffffe4(%ebp)
d07b3: 89 c8 mov %ecx,%eax
d07b5: 25 ff ff ff 00 and $0xffffff,%eax
d07ba: 09 c6 or %eax,%esi
d07bc: 0f b7 45 e4 movzwl 0xffffffe4(%ebp),%eax
d07c0: 89 d9 mov %ebx,%ecx
d07c2: 81 e1 00 00 0f 00 and $0xf0000,%ecx
d07c8: 09 c1 or %eax,%ecx
d07ca: f7 c3 00 80 00 00 test $0x8000,%ebx
d07d0: 74 4a je d081c <address+0x11c>
d07d2: c1 eb 17 shr $0x17,%ebx
d07d5: f6 c3 01 test $0x1,%bl
d07d8: 75 36 jne d0810 <address+0x110>
d07da: 83 f3 01 xor $0x1,%ebx
d07dd: 31 c0 xor %eax,%eax
d07df: 39 4d 08 cmp %ecx,0x8(%ebp)
d07e2: 0f 96 c0 setbe %al
d07e5: 85 d8 test %ebx,%eax
d07e7: 74 33 je d081c <address+0x11c>
d07e9: 8b 55 08 mov 0x8(%ebp),%edx
d07ec: 8d 04 16 lea (%esi,%edx,1),%eax
d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
d07f4: 8b 55 08 mov 0x8(%ebp),%edx
d07f7: 89 f8 mov %edi,%eax
d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d07ff: 25 ff ff 00 00 and $0xffff,%eax
d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0807: 89 ec mov %ebp,%esp
d0809: c1 e0 04 shl $0x4,%eax
d080c: 01 d0 add %edx,%eax
d080e: 5d pop %ebp
d080f: c3 ret
d0810: 8b 45 08 mov 0x8(%ebp),%eax
d0813: c1 e8 0c shr $0xc,%eax
d0816: 39 c8 cmp %ecx,%eax
d0818: 76 cf jbe d07e9 <address+0xe9>
d081a: eb be jmp d07da <address+0xda>
d081c: 8b 45 08 mov 0x8(%ebp),%eax
d081f: 89 7c 24 10 mov %edi,0x10(%esp)
d0823: 89 44 24 14 mov %eax,0x14(%esp)
d0827: a1 04 76 0d 00 mov 0xd7604,%eax
d082c: 89 44 24 0c mov %eax,0xc(%esp)
d0830: 8b 45 e4 mov 0xffffffe4(%ebp),%eax
d0833: 89 54 24 04 mov %edx,0x4(%esp)
d0837: c7 04 24 84 4e 0d 00 movl $0xd4e84,(%esp)
d083e: 89 44 24 08 mov %eax,0x8(%esp)
d0842: e8 39 31 00 00 call d3980 <panic>
d0847: 31 c0 xor %eax,%eax
d0849: e9 d5 fe ff ff jmp d0723 <address+0x23>
d084e: c7 04 24 13 4b 0d 00 movl $0xd4b13,(%esp)
d0855: e8 76 31 00 00 call d39d0 <printf>
d085a: 8d 45 e8 lea 0xffffffe8(%ebp),%eax
d085d: 31 d2 xor %edx,%edx
d085f: 89 44 24 08 mov %eax,0x8(%esp)
d0863: 89 f8 mov %edi,%eax
d0865: 83 e0 f8 and $0xfffffff8,%eax
d0868: 01 d8 add %ebx,%eax
d086a: 11 f2 adc %esi,%edx
d086c: 89 04 24 mov %eax,(%esp)
d086f: 89 54 24 04 mov %edx,0x4(%esp)
d0873: e8 b8 2d 00 00 call d3630 <cpuid_addr_value>
d0878: 8b 4d e8 mov 0xffffffe8(%ebp),%ecx
d087b: 8b 5d ec mov 0xffffffec(%ebp),%ebx
d087e: e9 1c ff ff ff jmp d079f <address+0x9f>
d0883: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d0889: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0890 <trace>:
d0890: 55 push %ebp
d0891: 89 e5 mov %esp,%ebp
d0893: 83 ec 28 sub $0x28,%esp
d0896: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d0899: 8b 75 08 mov 0x8(%ebp),%esi
d089c: 8b 4d 0c mov 0xc(%ebp),%ecx
d089f: 89 7d fc mov %edi,0xfffffffc(%ebp)
d08a2: 8b 7d 10 mov 0x10(%ebp),%edi
d08a5: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d08a8: 8b 5e 28 mov 0x28(%esi),%ebx
d08ab: 8b 15 00 76 0d 00 mov 0xd7600,%edx
d08b1: 29 cb sub %ecx,%ebx
d08b3: 8b 0d 04 76 0d 00 mov 0xd7604,%ecx
d08b9: 89 d0 mov %edx,%eax
d08bb: d3 f8 sar %cl,%eax
d08bd: a8 01 test $0x1,%al
d08bf: 74 09 je d08ca <trace+0x3a>
d08c1: 83 f9 01 cmp $0x1,%ecx
d08c4: 0f 86 86 00 00 00 jbe d0950 <trace+0xc0>
d08ca: d3 fa sar %cl,%edx
d08cc: f6 c2 01 test $0x1,%dl
d08cf: 74 08 je d08d9 <trace+0x49>
d08d1: 8d 41 fe lea 0xfffffffe(%ecx),%eax
d08d4: 83 f8 01 cmp $0x1,%eax
d08d7: 76 0d jbe d08e6 <trace+0x56>
d08d9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d08dc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d08df: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d08e2: 89 ec mov %ebp,%esp
d08e4: 5d pop %ebp
d08e5: c3 ret
d08e6: 8b 56 2c mov 0x2c(%esi),%edx
d08e9: 89 f0 mov %esi,%eax
d08eb: 89 1c 24 mov %ebx,(%esp)
d08ee: e8 0d fe ff ff call d0700 <address>
d08f3: 89 5c 24 0c mov %ebx,0xc(%esp)
d08f7: 8b 56 2c mov 0x2c(%esi),%edx
d08fa: 89 44 24 04 mov %eax,0x4(%esp)
d08fe: c7 04 24 2e 4b 0d 00 movl $0xd4b2e,(%esp)
d0905: 89 54 24 08 mov %edx,0x8(%esp)
d0909: e8 c2 30 00 00 call d39d0 <printf>
d090e: a1 04 76 0d 00 mov 0xd7604,%eax
d0913: c7 04 24 43 4b 0d 00 movl $0xd4b43,(%esp)
d091a: 89 44 24 04 mov %eax,0x4(%esp)
d091e: e8 ad 30 00 00 call d39d0 <printf>
d0923: 89 3c 24 mov %edi,(%esp)
d0926: 8d 45 14 lea 0x14(%ebp),%eax
d0929: 89 44 24 04 mov %eax,0x4(%esp)
d092d: e8 7e 30 00 00 call d39b0 <vprintf>
d0932: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp)
d0939: e8 92 30 00 00 call d39d0 <printf>
d093e: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0941: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0944: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0947: 89 ec mov %ebp,%esp
d0949: 5d pop %ebp
d094a: c3 ret
d094b: 90 nop
d094c: 8d 74 26 00 lea 0x0(%esi),%esi
d0950: 8b 56 2c mov 0x2c(%esi),%edx
d0953: 89 f0 mov %esi,%eax
d0955: 89 1c 24 mov %ebx,(%esp)
d0958: e8 a3 fd ff ff call d0700 <address>
d095d: 89 5c 24 0c mov %ebx,0xc(%esp)
d0961: 8b 56 2c mov 0x2c(%esi),%edx
d0964: 89 44 24 04 mov %eax,0x4(%esp)
d0968: c7 04 24 49 4b 0d 00 movl $0xd4b49,(%esp)
d096f: 89 54 24 08 mov %edx,0x8(%esp)
d0973: e8 58 30 00 00 call d39d0 <printf>
d0978: a1 04 76 0d 00 mov 0xd7604,%eax
d097d: c7 04 24 43 4b 0d 00 movl $0xd4b43,(%esp)
d0984: 89 44 24 04 mov %eax,0x4(%esp)
d0988: e8 43 30 00 00 call d39d0 <printf>
d098d: 89 3c 24 mov %edi,(%esp)
d0990: 8d 45 14 lea 0x14(%ebp),%eax
d0993: 89 44 24 04 mov %eax,0x4(%esp)
d0997: e8 14 30 00 00 call d39b0 <vprintf>
d099c: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp)
d09a3: e8 28 30 00 00 call d39d0 <printf>
d09a8: 8b 15 00 76 0d 00 mov 0xd7600,%edx
d09ae: 8b 0d 04 76 0d 00 mov 0xd7604,%ecx
d09b4: e9 11 ff ff ff jmp d08ca <trace+0x3a>
d09b9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d09c0 <getreg32>:
d09c0: 55 push %ebp
d09c1: 83 e2 07 and $0x7,%edx
d09c4: 83 fa 07 cmp $0x7,%edx
d09c7: 89 e5 mov %esp,%ebp
d09c9: b9 ff ff ff ff mov $0xffffffff,%ecx
d09ce: 77 09 ja d09d9 <getreg32+0x19>
d09d0: ff 24 95 58 44 0d 00 jmp *0xd4458(,%edx,4)
d09d7: 8b 08 mov (%eax),%ecx
d09d9: 5d pop %ebp
d09da: 89 c8 mov %ecx,%eax
d09dc: c3 ret
d09dd: 8d 76 00 lea 0x0(%esi),%esi
d09e0: 5d pop %ebp
d09e1: 8b 48 1c mov 0x1c(%eax),%ecx
d09e4: 89 c8 mov %ecx,%eax
d09e6: c3 ret
d09e7: 5d pop %ebp
d09e8: 8b 48 18 mov 0x18(%eax),%ecx
d09eb: 89 c8 mov %ecx,%eax
d09ed: c3 ret
d09ee: 89 f6 mov %esi,%esi
d09f0: 5d pop %ebp
d09f1: 8b 48 14 mov 0x14(%eax),%ecx
d09f4: 89 c8 mov %ecx,%eax
d09f6: c3 ret
d09f7: 5d pop %ebp
d09f8: 8b 48 10 mov 0x10(%eax),%ecx
d09fb: 89 c8 mov %ecx,%eax
d09fd: c3 ret
d09fe: 89 f6 mov %esi,%esi
d0a00: 5d pop %ebp
d0a01: 8b 48 34 mov 0x34(%eax),%ecx
d0a04: 89 c8 mov %ecx,%eax
d0a06: c3 ret
d0a07: 5d pop %ebp
d0a08: 8b 48 08 mov 0x8(%eax),%ecx
d0a0b: 89 c8 mov %ecx,%eax
d0a0d: c3 ret
d0a0e: 89 f6 mov %esi,%esi
d0a10: 5d pop %ebp
d0a11: 8b 48 04 mov 0x4(%eax),%ecx
d0a14: 89 c8 mov %ecx,%eax
d0a16: c3 ret
d0a17: 89 f6 mov %esi,%esi
d0a19: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0a20 <getreg16>:
d0a20: 55 push %ebp
d0a21: 89 e5 mov %esp,%ebp
d0a23: e8 98 ff ff ff call d09c0 <getreg32>
d0a28: 5d pop %ebp
d0a29: 25 ff ff 00 00 and $0xffff,%eax
d0a2e: c3 ret
d0a2f: 90 nop
000d0a30 <setreg32>:
d0a30: 55 push %ebp
d0a31: 83 e2 07 and $0x7,%edx
d0a34: 89 e5 mov %esp,%ebp
d0a36: 83 fa 07 cmp $0x7,%edx
d0a39: 8b 4d 08 mov 0x8(%ebp),%ecx
d0a3c: 77 12 ja d0a50 <setreg32+0x20>
d0a3e: ff 24 95 78 44 0d 00 jmp *0xd4478(,%edx,4)
d0a45: 89 08 mov %ecx,(%eax)
d0a47: 89 f6 mov %esi,%esi
d0a49: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d0a50: 5d pop %ebp
d0a51: c3 ret
d0a52: 5d pop %ebp
d0a53: 89 48 1c mov %ecx,0x1c(%eax)
d0a56: c3 ret
d0a57: 5d pop %ebp
d0a58: 89 48 18 mov %ecx,0x18(%eax)
d0a5b: c3 ret
d0a5c: 5d pop %ebp
d0a5d: 89 48 14 mov %ecx,0x14(%eax)
d0a60: c3 ret
d0a61: 5d pop %ebp
d0a62: 89 48 10 mov %ecx,0x10(%eax)
d0a65: c3 ret
d0a66: 5d pop %ebp
d0a67: 89 48 34 mov %ecx,0x34(%eax)
d0a6a: c3 ret
d0a6b: 5d pop %ebp
d0a6c: 89 48 08 mov %ecx,0x8(%eax)
d0a6f: 90 nop
d0a70: c3 ret
d0a71: 5d pop %ebp
d0a72: 89 48 04 mov %ecx,0x4(%eax)
d0a75: c3 ret
d0a76: 8d 76 00 lea 0x0(%esi),%esi
d0a79: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0a80 <setreg16>:
d0a80: 55 push %ebp
d0a81: 89 e5 mov %esp,%ebp
d0a83: 83 ec 0c sub $0xc,%esp
d0a86: 89 5d f8 mov %ebx,0xfffffff8(%ebp)
d0a89: 89 d3 mov %edx,%ebx
d0a8b: 89 75 fc mov %esi,0xfffffffc(%ebp)
d0a8e: 89 c6 mov %eax,%esi
d0a90: e8 2b ff ff ff call d09c0 <getreg32>
d0a95: 0f b7 55 08 movzwl 0x8(%ebp),%edx
d0a99: 25 00 00 ff ff and $0xffff0000,%eax
d0a9e: 09 c2 or %eax,%edx
d0aa0: 89 55 08 mov %edx,0x8(%ebp)
d0aa3: 89 f0 mov %esi,%eax
d0aa5: 89 da mov %ebx,%edx
d0aa7: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d0aaa: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d0aad: 89 ec mov %ebp,%esp
d0aaf: 5d pop %ebp
d0ab0: e9 7b ff ff ff jmp d0a30 <setreg32>
d0ab5: 8d 74 26 00 lea 0x0(%esi),%esi
d0ab9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0ac0 <segment>:
d0ac0: 55 push %ebp
d0ac1: 89 c1 mov %eax,%ecx
d0ac3: 89 e5 mov %esp,%ebp
d0ac5: f6 c1 10 test $0x10,%cl
d0ac8: 8b 45 08 mov 0x8(%ebp),%eax
d0acb: 74 03 je d0ad0 <segment+0x10>
d0acd: 8b 42 3c mov 0x3c(%edx),%eax
d0ad0: f6 c1 08 test $0x8,%cl
d0ad3: 74 03 je d0ad8 <segment+0x18>
d0ad5: 8b 42 40 mov 0x40(%edx),%eax
d0ad8: f6 c1 04 test $0x4,%cl
d0adb: 74 03 je d0ae0 <segment+0x20>
d0add: 8b 42 2c mov 0x2c(%edx),%eax
d0ae0: f6 c1 20 test $0x20,%cl
d0ae3: 74 03 je d0ae8 <segment+0x28>
d0ae5: 8b 42 38 mov 0x38(%edx),%eax
d0ae8: f6 c1 40 test $0x40,%cl
d0aeb: 74 03 je d0af0 <segment+0x30>
d0aed: 8b 42 44 mov 0x44(%edx),%eax
d0af0: 81 e1 80 00 00 00 and $0x80,%ecx
d0af6: 74 03 je d0afb <segment+0x3b>
d0af8: 8b 42 48 mov 0x48(%edx),%eax
d0afb: 5d pop %ebp
d0afc: c3 ret
d0afd: 8d 76 00 lea 0x0(%esi),%esi
000d0b00 <sib>:
d0b00: 55 push %ebp
d0b01: 89 e5 mov %esp,%ebp
d0b03: 83 ec 18 sub $0x18,%esp
d0b06: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d0b09: 89 c6 mov %eax,%esi
d0b0b: 8b 45 08 mov 0x8(%ebp),%eax
d0b0e: 89 7d fc mov %edi,0xfffffffc(%ebp)
d0b11: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d0b14: 89 c1 mov %eax,%ecx
d0b16: 89 c7 mov %eax,%edi
d0b18: c1 e9 06 shr $0x6,%ecx
d0b1b: 83 e0 07 and $0x7,%eax
d0b1e: c1 ef 03 shr $0x3,%edi
d0b21: 83 e1 03 and $0x3,%ecx
d0b24: 83 e7 07 and $0x7,%edi
d0b27: 31 db xor %ebx,%ebx
d0b29: 89 4d f0 mov %ecx,0xfffffff0(%ebp)
d0b2c: 83 fa 01 cmp $0x1,%edx
d0b2f: 74 47 je d0b78 <sib+0x78>
d0b31: 7e 2f jle d0b62 <sib+0x62>
d0b33: 83 fa 02 cmp $0x2,%edx
d0b36: 74 68 je d0ba0 <sib+0xa0>
d0b38: 83 ff 04 cmp $0x4,%edi
d0b3b: 90 nop
d0b3c: 8d 74 26 00 lea 0x0(%esi),%esi
d0b40: 74 11 je d0b53 <sib+0x53>
d0b42: 89 fa mov %edi,%edx
d0b44: 89 f0 mov %esi,%eax
d0b46: e8 75 fe ff ff call d09c0 <getreg32>
d0b4b: 0f b6 4d f0 movzbl 0xfffffff0(%ebp),%ecx
d0b4f: d3 e0 shl %cl,%eax
d0b51: 01 c3 add %eax,%ebx
d0b53: 89 d8 mov %ebx,%eax
d0b55: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0b58: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0b5b: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0b5e: 89 ec mov %ebp,%esp
d0b60: 5d pop %ebp
d0b61: c3 ret
d0b62: 85 d2 test %edx,%edx
d0b64: 75 d2 jne d0b38 <sib+0x38>
d0b66: 83 f8 05 cmp $0x5,%eax
d0b69: 74 5e je d0bc9 <sib+0xc9>
d0b6b: 89 c2 mov %eax,%edx
d0b6d: 89 f0 mov %esi,%eax
d0b6f: e8 4c fe ff ff call d09c0 <getreg32>
d0b74: 89 c3 mov %eax,%ebx
d0b76: eb c0 jmp d0b38 <sib+0x38>
d0b78: 89 c2 mov %eax,%edx
d0b7a: 89 f0 mov %esi,%eax
d0b7c: e8 3f fe ff ff call d09c0 <getreg32>
d0b81: 89 c3 mov %eax,%ebx
d0b83: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0b87: 8b 56 2c mov 0x2c(%esi),%edx
d0b8a: 89 04 24 mov %eax,(%esp)
d0b8d: 89 f0 mov %esi,%eax
d0b8f: e8 6c fb ff ff call d0700 <address>
d0b94: ff 46 28 incl 0x28(%esi)
d0b97: 0f be 00 movsbl (%eax),%eax
d0b9a: 01 c3 add %eax,%ebx
d0b9c: eb 9a jmp d0b38 <sib+0x38>
d0b9e: 89 f6 mov %esi,%esi
d0ba0: 89 c2 mov %eax,%edx
d0ba2: 89 f0 mov %esi,%eax
d0ba4: e8 17 fe ff ff call d09c0 <getreg32>
d0ba9: 89 c3 mov %eax,%ebx
d0bab: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0baf: 8b 56 2c mov 0x2c(%esi),%edx
d0bb2: 89 04 24 mov %eax,(%esp)
d0bb5: 89 f0 mov %esi,%eax
d0bb7: e8 44 fb ff ff call d0700 <address>
d0bbc: 83 46 28 04 addl $0x4,0x28(%esi)
d0bc0: 8b 10 mov (%eax),%edx
d0bc2: 01 d3 add %edx,%ebx
d0bc4: e9 6f ff ff ff jmp d0b38 <sib+0x38>
d0bc9: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0bcd: 8b 56 2c mov 0x2c(%esi),%edx
d0bd0: 89 04 24 mov %eax,(%esp)
d0bd3: 89 f0 mov %esi,%eax
d0bd5: e8 26 fb ff ff call d0700 <address>
d0bda: 83 46 28 04 addl $0x4,0x28(%esi)
d0bde: 8b 18 mov (%eax),%ebx
d0be0: e9 53 ff ff ff jmp d0b38 <sib+0x38>
d0be5: 8d 74 26 00 lea 0x0(%esi),%esi
d0be9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d0bf0 <operand>:
d0bf0: 55 push %ebp
d0bf1: 89 e5 mov %esp,%ebp
d0bf3: 83 ec 18 sub $0x18,%esp
d0bf6: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d0bf9: 89 c3 mov %eax,%ebx
d0bfb: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d0bfe: 89 d6 mov %edx,%esi
d0c00: 89 7d fc mov %edi,0xfffffffc(%ebp)
d0c03: 8b 7d 08 mov 0x8(%ebp),%edi
d0c06: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
d0c0d: 8b 42 40 mov 0x40(%edx),%eax
d0c10: 89 04 24 mov %eax,(%esp)
d0c13: 89 d8 mov %ebx,%eax
d0c15: e8 a6 fe ff ff call d0ac0 <segment>
d0c1a: 89 45 ec mov %eax,0xffffffec(%ebp)
d0c1d: f6 c3 02 test $0x2,%bl
d0c20: 74 5e je d0c80 <operand+0x90>
d0c22: 89 fb mov %edi,%ebx
d0c24: c1 eb 06 shr $0x6,%ebx
d0c27: 83 e3 03 and $0x3,%ebx
d0c2a: 83 fb 02 cmp $0x2,%ebx
d0c2d: 0f 8f ad 00 00 00 jg d0ce0 <operand+0xf0>
d0c33: 83 fb 01 cmp $0x1,%ebx
d0c36: 0f 8c ee 00 00 00 jl d0d2a <operand+0x13a>
d0c3c: 89 f8 mov %edi,%eax
d0c3e: 83 e0 07 and $0x7,%eax
d0c41: 83 f8 04 cmp $0x4,%eax
d0c44: 74 23 je d0c69 <operand+0x79>
d0c46: 83 fb 01 cmp $0x1,%ebx
d0c49: 0f 84 a6 02 00 00 je d0ef5 <operand+0x305>
d0c4f: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0c53: 8b 56 2c mov 0x2c(%esi),%edx
d0c56: 89 04 24 mov %eax,(%esp)
d0c59: 89 f0 mov %esi,%eax
d0c5b: e8 a0 fa ff ff call d0700 <address>
d0c60: 83 46 28 04 addl $0x4,0x28(%esi)
d0c64: 8b 00 mov (%eax),%eax
d0c66: 89 45 f0 mov %eax,0xfffffff0(%ebp)
d0c69: 89 f8 mov %edi,%eax
d0c6b: 83 e0 07 and $0x7,%eax
d0c6e: 83 f8 07 cmp $0x7,%eax
d0c71: 77 5d ja d0cd0 <operand+0xe0>
d0c73: ff 24 85 98 44 0d 00 jmp *0xd4498(,%eax,4)
d0c7a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d0c80: 89 fb mov %edi,%ebx
d0c82: c1 eb 06 shr $0x6,%ebx
d0c85: 83 e3 03 and $0x3,%ebx
d0c88: 83 fb 02 cmp $0x2,%ebx
d0c8b: 7f 3b jg d0cc8 <operand+0xd8>
d0c8d: 83 fb 01 cmp $0x1,%ebx
d0c90: 0f 8c 7f 00 00 00 jl d0d15 <operand+0x125>
d0c96: 0f 84 a3 00 00 00 je d0d3f <operand+0x14f>
d0c9c: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0ca0: 8b 56 2c mov 0x2c(%esi),%edx
d0ca3: 89 04 24 mov %eax,(%esp)
d0ca6: 89 f0 mov %esi,%eax
d0ca8: e8 53 fa ff ff call d0700 <address>
d0cad: 83 46 28 02 addl $0x2,0x28(%esi)
d0cb1: 0f b7 00 movzwl (%eax),%eax
d0cb4: 89 45 f0 mov %eax,0xfffffff0(%ebp)
d0cb7: 89 f8 mov %edi,%eax
d0cb9: 83 e0 07 and $0x7,%eax
d0cbc: 83 f8 07 cmp $0x7,%eax
d0cbf: 77 0f ja d0cd0 <operand+0xe0>
d0cc1: ff 24 85 b8 44 0d 00 jmp *0xd44b8(,%eax,4)
d0cc8: 83 fb 03 cmp $0x3,%ebx
d0ccb: 74 33 je d0d00 <operand+0x110>
d0ccd: 8d 76 00 lea 0x0(%esi),%esi
d0cd0: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0cd3: 31 c0 xor %eax,%eax
d0cd5: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0cd8: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0cdb: 89 ec mov %ebp,%esp
d0cdd: 5d pop %ebp
d0cde: c3 ret
d0cdf: 90 nop
d0ce0: 83 fb 03 cmp $0x3,%ebx
d0ce3: 75 eb jne d0cd0 <operand+0xe0>
d0ce5: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0ce8: 89 fa mov %edi,%edx
d0cea: 89 f0 mov %esi,%eax
d0cec: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0cef: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0cf2: 89 ec mov %ebp,%esp
d0cf4: 5d pop %ebp
d0cf5: e9 c6 fc ff ff jmp d09c0 <getreg32>
d0cfa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d0d00: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0d03: 89 fa mov %edi,%edx
d0d05: 89 f0 mov %esi,%eax
d0d07: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0d0a: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0d0d: 89 ec mov %ebp,%esp
d0d0f: 5d pop %ebp
d0d10: e9 0b fd ff ff jmp d0a20 <getreg16>
d0d15: 85 db test %ebx,%ebx
d0d17: 75 b7 jne d0cd0 <operand+0xe0>
d0d19: 89 f8 mov %edi,%eax
d0d1b: 83 e0 07 and $0x7,%eax
d0d1e: 83 f8 07 cmp $0x7,%eax
d0d21: 77 ad ja d0cd0 <operand+0xe0>
d0d23: ff 24 85 d8 44 0d 00 jmp *0xd44d8(,%eax,4)
d0d2a: 85 db test %ebx,%ebx
d0d2c: 75 a2 jne d0cd0 <operand+0xe0>
d0d2e: 89 f8 mov %edi,%eax
d0d30: 83 e0 07 and $0x7,%eax
d0d33: 83 f8 07 cmp $0x7,%eax
d0d36: 77 98 ja d0cd0 <operand+0xe0>
d0d38: ff 24 85 f8 44 0d 00 jmp *0xd44f8(,%eax,4)
d0d3f: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0d43: 8b 56 2c mov 0x2c(%esi),%edx
d0d46: 89 04 24 mov %eax,(%esp)
d0d49: 89 f0 mov %esi,%eax
d0d4b: e8 b0 f9 ff ff call d0700 <address>
d0d50: ff 46 28 incl 0x28(%esi)
d0d53: 0f be 00 movsbl (%eax),%eax
d0d56: e9 59 ff ff ff jmp d0cb4 <operand+0xc4>
d0d5b: 8b 06 mov (%esi),%eax
d0d5d: 01 45 f0 add %eax,0xfffffff0(%ebp)
d0d60: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
d0d63: 89 45 08 mov %eax,0x8(%ebp)
d0d66: 8b 55 ec mov 0xffffffec(%ebp),%edx
d0d69: 89 f0 mov %esi,%eax
d0d6b: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0d6e: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0d71: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0d74: 89 ec mov %ebp,%esp
d0d76: 5d pop %ebp
d0d77: e9 84 f9 ff ff jmp d0700 <address>
d0d7c: 8b 46 04 mov 0x4(%esi),%eax
d0d7f: eb dc jmp d0d5d <operand+0x16d>
d0d81: 8b 46 08 mov 0x8(%esi),%eax
d0d84: eb d7 jmp d0d5d <operand+0x16d>
d0d86: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0d8a: 8b 56 2c mov 0x2c(%esi),%edx
d0d8d: 89 04 24 mov %eax,(%esp)
d0d90: 89 f0 mov %esi,%eax
d0d92: e8 69 f9 ff ff call d0700 <address>
d0d97: ff 46 28 incl 0x28(%esi)
d0d9a: 89 da mov %ebx,%edx
d0d9c: 0f b6 00 movzbl (%eax),%eax
d0d9f: 89 04 24 mov %eax,(%esp)
d0da2: 89 f0 mov %esi,%eax
d0da4: e8 57 fd ff ff call d0b00 <sib>
d0da9: eb b8 jmp d0d63 <operand+0x173>
d0dab: 8b 46 10 mov 0x10(%esi),%eax
d0dae: eb ad jmp d0d5d <operand+0x16d>
d0db0: 8b 46 14 mov 0x14(%esi),%eax
d0db3: eb a8 jmp d0d5d <operand+0x16d>
d0db5: 8b 46 18 mov 0x18(%esi),%eax
d0db8: eb a3 jmp d0d5d <operand+0x16d>
d0dba: 8b 46 1c mov 0x1c(%esi),%eax
d0dbd: 8d 76 00 lea 0x0(%esi),%esi
d0dc0: eb 9b jmp d0d5d <operand+0x16d>
d0dc2: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0dc6: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx
d0dc9: 01 c8 add %ecx,%eax
d0dcb: eb 96 jmp d0d63 <operand+0x173>
d0dcd: 0f b7 46 08 movzwl 0x8(%esi),%eax
d0dd1: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx
d0dd4: 01 c8 add %ecx,%eax
d0dd6: eb 8b jmp d0d63 <operand+0x173>
d0dd8: 0f b7 06 movzwl (%esi),%eax
d0ddb: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx
d0dde: 01 c8 add %ecx,%eax
d0de0: eb 81 jmp d0d63 <operand+0x173>
d0de2: 0f b7 46 04 movzwl 0x4(%esi),%eax
d0de6: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx
d0de9: 01 c8 add %ecx,%eax
d0deb: e9 73 ff ff ff jmp d0d63 <operand+0x173>
d0df0: 0f b7 46 08 movzwl 0x8(%esi),%eax
d0df4: 0f b7 16 movzwl (%esi),%edx
d0df7: 01 d0 add %edx,%eax
d0df9: 8b 4d f0 mov 0xfffffff0(%ebp),%ecx
d0dfc: 01 c8 add %ecx,%eax
d0dfe: e9 60 ff ff ff jmp d0d63 <operand+0x173>
d0e03: 0f b7 46 08 movzwl 0x8(%esi),%eax
d0e07: 0f b7 56 04 movzwl 0x4(%esi),%edx
d0e0b: 01 d0 add %edx,%eax
d0e0d: eb ea jmp d0df9 <operand+0x209>
d0e0f: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0e13: 0f b7 16 movzwl (%esi),%edx
d0e16: eb df jmp d0df7 <operand+0x207>
d0e18: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0e1c: 0f b7 56 04 movzwl 0x4(%esi),%edx
d0e20: eb e9 jmp d0e0b <operand+0x21b>
d0e22: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0e26: e9 38 ff ff ff jmp d0d63 <operand+0x173>
d0e2b: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0e2f: 8b 56 2c mov 0x2c(%esi),%edx
d0e32: 89 04 24 mov %eax,(%esp)
d0e35: 89 f0 mov %esi,%eax
d0e37: e8 c4 f8 ff ff call d0700 <address>
d0e3c: 83 46 28 02 addl $0x2,0x28(%esi)
d0e40: 0f b7 00 movzwl (%eax),%eax
d0e43: e9 1b ff ff ff jmp d0d63 <operand+0x173>
d0e48: 0f b7 06 movzwl (%esi),%eax
d0e4b: e9 13 ff ff ff jmp d0d63 <operand+0x173>
d0e50: 0f b7 46 04 movzwl 0x4(%esi),%eax
d0e54: e9 0a ff ff ff jmp d0d63 <operand+0x173>
d0e59: 0f b7 46 08 movzwl 0x8(%esi),%eax
d0e5d: 0f b7 16 movzwl (%esi),%edx
d0e60: 01 d0 add %edx,%eax
d0e62: e9 fc fe ff ff jmp d0d63 <operand+0x173>
d0e67: 0f b7 46 08 movzwl 0x8(%esi),%eax
d0e6b: 0f b7 56 04 movzwl 0x4(%esi),%edx
d0e6f: 01 d0 add %edx,%eax
d0e71: e9 ed fe ff ff jmp d0d63 <operand+0x173>
d0e76: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0e7a: 0f b7 16 movzwl (%esi),%edx
d0e7d: eb e1 jmp d0e60 <operand+0x270>
d0e7f: 0f b7 46 10 movzwl 0x10(%esi),%eax
d0e83: 0f b7 56 04 movzwl 0x4(%esi),%edx
d0e87: eb e6 jmp d0e6f <operand+0x27f>
d0e89: 8b 06 mov (%esi),%eax
d0e8b: e9 d3 fe ff ff jmp d0d63 <operand+0x173>
d0e90: 8b 46 04 mov 0x4(%esi),%eax
d0e93: e9 cb fe ff ff jmp d0d63 <operand+0x173>
d0e98: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0e9c: 8b 56 2c mov 0x2c(%esi),%edx
d0e9f: 89 04 24 mov %eax,(%esp)
d0ea2: 89 f0 mov %esi,%eax
d0ea4: e8 57 f8 ff ff call d0700 <address>
d0ea9: 83 46 28 04 addl $0x4,0x28(%esi)
d0ead: 8b 00 mov (%eax),%eax
d0eaf: e9 af fe ff ff jmp d0d63 <operand+0x173>
d0eb4: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0eb8: 8b 56 2c mov 0x2c(%esi),%edx
d0ebb: 89 04 24 mov %eax,(%esp)
d0ebe: 89 f0 mov %esi,%eax
d0ec0: e8 3b f8 ff ff call d0700 <address>
d0ec5: ff 46 28 incl 0x28(%esi)
d0ec8: 31 d2 xor %edx,%edx
d0eca: 0f b6 00 movzbl (%eax),%eax
d0ecd: 89 04 24 mov %eax,(%esp)
d0ed0: e9 cd fe ff ff jmp d0da2 <operand+0x1b2>
d0ed5: 8b 46 10 mov 0x10(%esi),%eax
d0ed8: e9 86 fe ff ff jmp d0d63 <operand+0x173>
d0edd: 8b 46 14 mov 0x14(%esi),%eax
d0ee0: e9 7e fe ff ff jmp d0d63 <operand+0x173>
d0ee5: 8b 46 18 mov 0x18(%esi),%eax
d0ee8: e9 76 fe ff ff jmp d0d63 <operand+0x173>
d0eed: 8b 46 1c mov 0x1c(%esi),%eax
d0ef0: e9 6e fe ff ff jmp d0d63 <operand+0x173>
d0ef5: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0ef9: 8b 56 2c mov 0x2c(%esi),%edx
d0efc: 89 04 24 mov %eax,(%esp)
d0eff: 89 f0 mov %esi,%eax
d0f01: e8 fa f7 ff ff call d0700 <address>
d0f06: ff 46 28 incl 0x28(%esi)
d0f09: 0f be 00 movsbl (%eax),%eax
d0f0c: e9 55 fd ff ff jmp d0c66 <operand+0x76>
d0f11: eb 0d jmp d0f20 <movr>
d0f13: 90 nop
d0f14: 90 nop
d0f15: 90 nop
d0f16: 90 nop
d0f17: 90 nop
d0f18: 90 nop
d0f19: 90 nop
d0f1a: 90 nop
d0f1b: 90 nop
d0f1c: 90 nop
d0f1d: 90 nop
d0f1e: 90 nop
d0f1f: 90 nop
000d0f20 <movr>:
d0f20: 55 push %ebp
d0f21: 89 e5 mov %esp,%ebp
d0f23: 83 ec 38 sub $0x38,%esp
d0f26: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d0f29: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d0f2c: 89 c6 mov %eax,%esi
d0f2e: 89 7d fc mov %edi,0xfffffffc(%ebp)
d0f31: 89 55 f0 mov %edx,0xfffffff0(%ebp)
d0f34: 8b 40 28 mov 0x28(%eax),%eax
d0f37: 8d 50 ff lea 0xffffffff(%eax),%edx
d0f3a: 89 55 ec mov %edx,0xffffffec(%ebp)
d0f3d: 25 ff ff 00 00 and $0xffff,%eax
d0f42: 8b 56 2c mov 0x2c(%esi),%edx
d0f45: 89 04 24 mov %eax,(%esp)
d0f48: 89 f0 mov %esi,%eax
d0f4a: e8 b1 f7 ff ff call d0700 <address>
d0f4f: ff 46 28 incl 0x28(%esi)
d0f52: 89 f2 mov %esi,%edx
d0f54: 0f b6 18 movzbl (%eax),%ebx
d0f57: 89 df mov %ebx,%edi
d0f59: c1 ef 03 shr $0x3,%edi
d0f5c: 89 1c 24 mov %ebx,(%esp)
d0f5f: 83 e7 07 and $0x7,%edi
d0f62: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
d0f65: e8 86 fc ff ff call d0bf0 <operand>
d0f6a: 89 45 e8 mov %eax,0xffffffe8(%ebp)
d0f6d: 89 d8 mov %ebx,%eax
d0f6f: 25 c0 00 00 00 and $0xc0,%eax
d0f74: 3d c0 00 00 00 cmp $0xc0,%eax
d0f79: 0f 84 b1 00 00 00 je d1030 <movr+0x110>
d0f7f: 81 7d 08 8a 00 00 00 cmpl $0x8a,0x8(%ebp)
d0f86: 0f 84 29 01 00 00 je d10b5 <movr+0x195>
d0f8c: 77 29 ja d0fb7 <movr+0x97>
d0f8e: 81 7d 08 88 00 00 00 cmpl $0x88,0x8(%ebp)
d0f95: 0f 84 64 01 00 00 je d10ff <movr+0x1df>
d0f9b: 81 7d 08 89 00 00 00 cmpl $0x89,0x8(%ebp)
d0fa2: 0f 84 a4 00 00 00 je d104c <movr+0x12c>
d0fa8: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d0fab: 31 c0 xor %eax,%eax
d0fad: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d0fb0: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0fb3: 89 ec mov %ebp,%esp
d0fb5: 5d pop %ebp
d0fb6: c3 ret
d0fb7: 81 7d 08 8b 00 00 00 cmpl $0x8b,0x8(%ebp)
d0fbe: 0f 84 53 01 00 00 je d1117 <movr+0x1f7>
d0fc4: 81 7d 08 c6 00 00 00 cmpl $0xc6,0x8(%ebp)
d0fcb: 75 db jne d0fa8 <movr+0x88>
d0fcd: 31 c0 xor %eax,%eax
d0fcf: f6 c3 38 test $0x38,%bl
d0fd2: 75 6b jne d103f <movr+0x11f>
d0fd4: 0f b7 46 28 movzwl 0x28(%esi),%eax
d0fd8: bf 5e 4b 0d 00 mov $0xd4b5e,%edi
d0fdd: 8b 56 2c mov 0x2c(%esi),%edx
d0fe0: 89 04 24 mov %eax,(%esp)
d0fe3: 89 f0 mov %esi,%eax
d0fe5: e8 16 f7 ff ff call d0700 <address>
d0fea: ff 46 28 incl 0x28(%esi)
d0fed: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d0ff0: 0f b6 00 movzbl (%eax),%eax
d0ff3: 88 02 mov %al,(%edx)
d0ff5: 89 54 24 10 mov %edx,0x10(%esp)
d0ff9: 89 44 24 0c mov %eax,0xc(%esp)
d0ffd: 89 7c 24 08 mov %edi,0x8(%esp)
d1001: 8b 46 28 mov 0x28(%esi),%eax
d1004: 8b 5d ec mov 0xffffffec(%ebp),%ebx
d1007: 89 34 24 mov %esi,(%esp)
d100a: 29 d8 sub %ebx,%eax
d100c: 89 44 24 04 mov %eax,0x4(%esp)
d1010: e8 7b f8 ff ff call d0890 <trace>
d1015: b8 01 00 00 00 mov $0x1,%eax
d101a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d1020: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d1023: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d1026: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d1029: 89 ec mov %ebp,%esp
d102b: 5d pop %ebp
d102c: c3 ret
d102d: 8d 76 00 lea 0x0(%esi),%esi
d1030: 31 c0 xor %eax,%eax
d1032: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d1039: 0f 84 40 ff ff ff je d0f7f <movr+0x5f>
d103f: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d1042: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d1045: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d1048: 89 ec mov %ebp,%esp
d104a: 5d pop %ebp
d104b: c3 ret
d104c: 89 fa mov %edi,%edx
d104e: 89 f0 mov %esi,%eax
d1050: e8 6b f9 ff ff call d09c0 <getreg32>
d1055: 89 45 e4 mov %eax,0xffffffe4(%ebp)
d1058: 89 d8 mov %ebx,%eax
d105a: 25 c0 00 00 00 and $0xc0,%eax
d105f: 3d c0 00 00 00 cmp $0xc0,%eax
d1064: 0f 84 aa 01 00 00 je d1214 <movr+0x2f4>
d106a: f6 45 f0 01 testb $0x1,0xfffffff0(%ebp)
d106e: 0f 84 a8 02 00 00 je d131c <movr+0x3fc>
d1074: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d1077: 89 44 24 10 mov %eax,0x10(%esp)
d107b: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d1082: bf 70 4b 0d 00 mov $0xd4b70,%edi
d1087: 89 7c 24 08 mov %edi,0x8(%esp)
d108b: 89 44 24 0c mov %eax,0xc(%esp)
d108f: 8b 46 28 mov 0x28(%esi),%eax
d1092: 8b 5d ec mov 0xffffffec(%ebp),%ebx
d1095: 89 34 24 mov %esi,(%esp)
d1098: 29 d8 sub %ebx,%eax
d109a: 89 44 24 04 mov %eax,0x4(%esp)
d109e: e8 ed f7 ff ff call d0890 <trace>
d10a3: 8b 45 e4 mov 0xffffffe4(%ebp),%eax
d10a6: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d10a9: 89 02 mov %eax,(%edx)
d10ab: b8 01 00 00 00 mov $0x1,%eax
d10b0: e9 6b ff ff ff jmp d1020 <movr+0x100>
d10b5: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d10bc: b9 82 4b 0d 00 mov $0xd4b82,%ecx
d10c1: 89 44 24 10 mov %eax,0x10(%esp)
d10c5: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d10c8: 89 4c 24 08 mov %ecx,0x8(%esp)
d10cc: 89 54 24 0c mov %edx,0xc(%esp)
d10d0: 8b 55 ec mov 0xffffffec(%ebp),%edx
d10d3: 8b 46 28 mov 0x28(%esi),%eax
d10d6: 89 34 24 mov %esi,(%esp)
d10d9: 29 d0 sub %edx,%eax
d10db: 89 44 24 04 mov %eax,0x4(%esp)
d10df: e8 ac f7 ff ff call d0890 <trace>
d10e4: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d10e7: 0f b6 10 movzbl (%eax),%edx
d10ea: 89 f8 mov %edi,%eax
d10ec: 83 e0 07 and $0x7,%eax
d10ef: 83 f8 07 cmp $0x7,%eax
d10f2: 0f 87 1d ff ff ff ja d1015 <movr+0xf5>
d10f8: ff 24 85 18 45 0d 00 jmp *0xd4518(,%eax,4)
d10ff: 89 fa mov %edi,%edx
d1101: b8 ff ff ff ff mov $0xffffffff,%eax
d1106: 83 e2 07 and $0x7,%edx
d1109: 83 fa 07 cmp $0x7,%edx
d110c: 77 76 ja d1184 <movr+0x264>
d110e: 89 f6 mov %esi,%esi
d1110: ff 24 95 38 45 0d 00 jmp *0xd4538(,%edx,4)
d1117: 81 e3 c0 00 00 00 and $0xc0,%ebx
d111d: 81 fb c0 00 00 00 cmp $0xc0,%ebx
d1123: 0f 84 e5 01 00 00 je d130e <movr+0x3ee>
d1129: f6 45 f0 01 testb $0x1,0xfffffff0(%ebp)
d112d: 8d 76 00 lea 0x0(%esi),%esi
d1130: 0f 84 93 00 00 00 je d11c9 <movr+0x2a9>
d1136: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d113d: 89 44 24 10 mov %eax,0x10(%esp)
d1141: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d1144: b8 93 4b 0d 00 mov $0xd4b93,%eax
d1149: 89 44 24 08 mov %eax,0x8(%esp)
d114d: 89 54 24 0c mov %edx,0xc(%esp)
d1151: 8b 46 28 mov 0x28(%esi),%eax
d1154: 8b 5d ec mov 0xffffffec(%ebp),%ebx
d1157: 89 34 24 mov %esi,(%esp)
d115a: 29 d8 sub %ebx,%eax
d115c: 89 44 24 04 mov %eax,0x4(%esp)
d1160: e8 2b f7 ff ff call d0890 <trace>
d1165: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d1168: 8b 02 mov (%edx),%eax
d116a: 89 04 24 mov %eax,(%esp)
d116d: 89 fa mov %edi,%edx
d116f: 89 f0 mov %esi,%eax
d1171: e8 ba f8 ff ff call d0a30 <setreg32>
d1176: b8 01 00 00 00 mov $0x1,%eax
d117b: e9 a0 fe ff ff jmp d1020 <movr+0x100>
d1180: 0f b6 46 11 movzbl 0x11(%esi),%eax
d1184: 89 45 e4 mov %eax,0xffffffe4(%ebp)
d1187: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d118a: 89 44 24 10 mov %eax,0x10(%esp)
d118e: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d1195: bf a5 4b 0d 00 mov $0xd4ba5,%edi
d119a: 89 7c 24 08 mov %edi,0x8(%esp)
d119e: 89 44 24 0c mov %eax,0xc(%esp)
d11a2: 8b 46 28 mov 0x28(%esi),%eax
d11a5: 8b 5d ec mov 0xffffffec(%ebp),%ebx
d11a8: 89 34 24 mov %esi,(%esp)
d11ab: 29 d8 sub %ebx,%eax
d11ad: 89 44 24 04 mov %eax,0x4(%esp)
d11b1: e8 da f6 ff ff call d0890 <trace>
d11b6: 0f b6 55 e4 movzbl 0xffffffe4(%ebp),%edx
d11ba: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d11bd: 88 10 mov %dl,(%eax)
d11bf: b8 01 00 00 00 mov $0x1,%eax
d11c4: e9 57 fe ff ff jmp d1020 <movr+0x100>
d11c9: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d11d0: b9 b7 4b 0d 00 mov $0xd4bb7,%ecx
d11d5: 89 44 24 10 mov %eax,0x10(%esp)
d11d9: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d11dc: 89 4c 24 08 mov %ecx,0x8(%esp)
d11e0: 89 44 24 0c mov %eax,0xc(%esp)
d11e4: 8b 55 ec mov 0xffffffec(%ebp),%edx
d11e7: 8b 46 28 mov 0x28(%esi),%eax
d11ea: 89 34 24 mov %esi,(%esp)
d11ed: 29 d0 sub %edx,%eax
d11ef: 89 44 24 04 mov %eax,0x4(%esp)
d11f3: e8 98 f6 ff ff call d0890 <trace>
d11f8: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d11fb: 0f b7 02 movzwl (%edx),%eax
d11fe: 89 04 24 mov %eax,(%esp)
d1201: 89 fa mov %edi,%edx
d1203: 89 f0 mov %esi,%eax
d1205: e8 76 f8 ff ff call d0a80 <setreg16>
d120a: b8 01 00 00 00 mov $0x1,%eax
d120f: e9 0c fe ff ff jmp d1020 <movr+0x100>
d1214: f6 45 f0 01 testb $0x1,0xfffffff0(%ebp)
d1218: 0f 84 49 01 00 00 je d1367 <movr+0x447>
d121e: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
d1221: 83 e3 07 and $0x7,%ebx
d1224: 89 14 24 mov %edx,(%esp)
d1227: 89 da mov %ebx,%edx
d1229: e9 41 ff ff ff jmp d116f <movr+0x24f>
d122e: 88 56 18 mov %dl,0x18(%esi)
d1231: b8 01 00 00 00 mov $0x1,%eax
d1236: e9 e5 fd ff ff jmp d1020 <movr+0x100>
d123b: 88 56 1c mov %dl,0x1c(%esi)
d123e: b8 01 00 00 00 mov $0x1,%eax
d1243: e9 d8 fd ff ff jmp d1020 <movr+0x100>
d1248: 8b 46 10 mov 0x10(%esi),%eax
d124b: c1 e2 08 shl $0x8,%edx
d124e: 25 ff 00 ff ff and $0xffff00ff,%eax
d1253: 09 d0 or %edx,%eax
d1255: 89 46 10 mov %eax,0x10(%esi)
d1258: b8 01 00 00 00 mov $0x1,%eax
d125d: e9 be fd ff ff jmp d1020 <movr+0x100>
d1262: 8b 46 14 mov 0x14(%esi),%eax
d1265: c1 e2 08 shl $0x8,%edx
d1268: 25 ff 00 ff ff and $0xffff00ff,%eax
d126d: 09 d0 or %edx,%eax
d126f: 89 46 14 mov %eax,0x14(%esi)
d1272: b8 01 00 00 00 mov $0x1,%eax
d1277: e9 a4 fd ff ff jmp d1020 <movr+0x100>
d127c: 8b 46 18 mov 0x18(%esi),%eax
d127f: c1 e2 08 shl $0x8,%edx
d1282: 25 ff 00 ff ff and $0xffff00ff,%eax
d1287: 09 d0 or %edx,%eax
d1289: 89 46 18 mov %eax,0x18(%esi)
d128c: b8 01 00 00 00 mov $0x1,%eax
d1291: e9 8a fd ff ff jmp d1020 <movr+0x100>
d1296: 8b 46 1c mov 0x1c(%esi),%eax
d1299: c1 e2 08 shl $0x8,%edx
d129c: 25 ff 00 ff ff and $0xffff00ff,%eax
d12a1: 09 d0 or %edx,%eax
d12a3: 89 46 1c mov %eax,0x1c(%esi)
d12a6: b8 01 00 00 00 mov $0x1,%eax
d12ab: e9 70 fd ff ff jmp d1020 <movr+0x100>
d12b0: 88 56 10 mov %dl,0x10(%esi)
d12b3: b8 01 00 00 00 mov $0x1,%eax
d12b8: e9 63 fd ff ff jmp d1020 <movr+0x100>
d12bd: 88 56 14 mov %dl,0x14(%esi)
d12c0: b8 01 00 00 00 mov $0x1,%eax
d12c5: e9 56 fd ff ff jmp d1020 <movr+0x100>
d12ca: 0f b6 46 15 movzbl 0x15(%esi),%eax
d12ce: e9 b1 fe ff ff jmp d1184 <movr+0x264>
d12d3: 0f b6 46 19 movzbl 0x19(%esi),%eax
d12d7: e9 a8 fe ff ff jmp d1184 <movr+0x264>
d12dc: 0f b6 46 1d movzbl 0x1d(%esi),%eax
d12e0: e9 9f fe ff ff jmp d1184 <movr+0x264>
d12e5: 0f b6 46 10 movzbl 0x10(%esi),%eax
d12e9: e9 96 fe ff ff jmp d1184 <movr+0x264>
d12ee: 0f b6 46 14 movzbl 0x14(%esi),%eax
d12f2: e9 8d fe ff ff jmp d1184 <movr+0x264>
d12f7: 0f b6 46 18 movzbl 0x18(%esi),%eax
d12fb: 90 nop
d12fc: 8d 74 26 00 lea 0x0(%esi),%esi
d1300: e9 7f fe ff ff jmp d1184 <movr+0x264>
d1305: 0f b6 46 1c movzbl 0x1c(%esi),%eax
d1309: e9 76 fe ff ff jmp d1184 <movr+0x264>
d130e: f6 45 f0 01 testb $0x1,0xfffffff0(%ebp)
d1312: 74 4a je d135e <movr+0x43e>
d1314: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d1317: e9 4e fe ff ff jmp d116a <movr+0x24a>
d131c: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d131f: b9 c8 4b 0d 00 mov $0xd4bc8,%ecx
d1324: 89 54 24 10 mov %edx,0x10(%esp)
d1328: 8b 04 bd a0 55 0d 00 mov 0xd55a0(,%edi,4),%eax
d132f: 89 4c 24 08 mov %ecx,0x8(%esp)
d1333: 89 44 24 0c mov %eax,0xc(%esp)
d1337: 8b 55 ec mov 0xffffffec(%ebp),%edx
d133a: 8b 46 28 mov 0x28(%esi),%eax
d133d: 89 34 24 mov %esi,(%esp)
d1340: 29 d0 sub %edx,%eax
d1342: 89 44 24 04 mov %eax,0x4(%esp)
d1346: e8 45 f5 ff ff call d0890 <trace>
d134b: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
d134e: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
d1351: 66 89 10 mov %dx,(%eax)
d1354: b8 01 00 00 00 mov $0x1,%eax
d1359: e9 c2 fc ff ff jmp d1020 <movr+0x100>
d135e: 0f b7 45 e8 movzwl 0xffffffe8(%ebp),%eax
d1362: e9 97 fe ff ff jmp d11fe <movr+0x2de>
d1367: 0f b7 45 e4 movzwl 0xffffffe4(%ebp),%eax
d136b: 83 e3 07 and $0x7,%ebx
d136e: 89 da mov %ebx,%edx
d1370: 89 04 24 mov %eax,(%esp)
d1373: e9 8b fe ff ff jmp d1203 <movr+0x2e3>
d1378: 90 nop
d1379: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d1380 <load_seg>:
d1380: 55 push %ebp
d1381: 89 e5 mov %esp,%ebp
d1383: 83 ec 48 sub $0x48,%esp
d1386: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d1389: 31 db xor %ebx,%ebx
d138b: 39 05 e0 97 0d 00 cmp %eax,0xd97e0
d1391: 89 7d fc mov %edi,0xfffffffc(%ebp)
d1394: 89 c7 mov %eax,%edi
d1396: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d1399: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d139c: 72 10 jb d13ae <load_seg+0x2e>
d139e: 85 c0 test %eax,%eax
d13a0: 75 1e jne d13c0 <load_seg+0x40>
d13a2: 8b 45 0c mov 0xc(%ebp),%eax
d13a5: 80 48 02 01 orb $0x1,0x2(%eax)
d13a9: bb 01 00 00 00 mov $0x1,%ebx
d13ae: 89 d8 mov %ebx,%eax
d13b0: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d13b3: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d13b6: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d13b9: 89 ec mov %ebp,%esp
d13bb: 5d pop %ebp
d13bc: c3 ret
d13bd: 8d 76 00 lea 0x0(%esi),%esi
d13c0: a1 e4 97 0d 00 mov 0xd97e4,%eax
d13c5: e8 36 f0 ff ff call d0400 <guest_linear_to_phys>
d13ca: 89 45 e0 mov %eax,0xffffffe0(%ebp)
d13cd: 89 c3 mov %eax,%ebx
d13cf: 89 d6 mov %edx,%esi
d13d1: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d13d4: 31 d2 xor %edx,%edx
d13d6: 89 d1 mov %edx,%ecx
d13d8: 31 f1 xor %esi,%ecx
d13da: 31 d8 xor %ebx,%eax
d13dc: 09 c1 or %eax,%ecx
d13de: 0f 85 65 01 00 00 jne d1549 <load_seg+0x1c9>
d13e4: 8b 5d e0 mov 0xffffffe0(%ebp),%ebx
d13e7: 89 f8 mov %edi,%eax
d13e9: 83 e0 f8 and $0xfffffff8,%eax
d13ec: 8b 0c 18 mov (%eax,%ebx,1),%ecx
d13ef: 8b 5c 18 04 mov 0x4(%eax,%ebx,1),%ebx
d13f3: 89 4d d0 mov %ecx,0xffffffd0(%ebp)
d13f6: 89 5d d4 mov %ebx,0xffffffd4(%ebp)
d13f9: 89 4d e8 mov %ecx,0xffffffe8(%ebp)
d13fc: 89 5d ec mov %ebx,0xffffffec(%ebp)
d13ff: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d1402: 31 c9 xor %ecx,%ecx
d1404: 89 d0 mov %edx,%eax
d1406: c1 e8 0f shr $0xf,%eax
d1409: 31 d2 xor %edx,%edx
d140b: 89 45 d8 mov %eax,0xffffffd8(%ebp)
d140e: 8b 45 d8 mov 0xffffffd8(%ebp),%eax
d1411: 89 55 dc mov %edx,0xffffffdc(%ebp)
d1414: 83 f0 01 xor $0x1,%eax
d1417: 85 ff test %edi,%edi
d1419: 0f 95 c1 setne %cl
d141c: 31 db xor %ebx,%ebx
d141e: 85 c8 test %ecx,%eax
d1420: 75 8c jne d13ae <load_seg+0x2e>
d1422: 8b 4d d4 mov 0xffffffd4(%ebp),%ecx
d1425: 8b 55 d0 mov 0xffffffd0(%ebp),%edx
d1428: 8b 7d d4 mov 0xffffffd4(%ebp),%edi
d142b: 0f ac ca 10 shrd $0x10,%ecx,%edx
d142f: 89 d3 mov %edx,%ebx
d1431: 89 f8 mov %edi,%eax
d1433: 81 e3 00 00 ff 00 and $0xff0000,%ebx
d1439: 25 00 00 00 ff and $0xff000000,%eax
d143e: 09 d8 or %ebx,%eax
d1440: 81 e2 ff ff 00 00 and $0xffff,%edx
d1446: 09 d0 or %edx,%eax
d1448: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
d144b: 89 02 mov %eax,(%edx)
d144d: 8b 4d 08 mov 0x8(%ebp),%ecx
d1450: 89 f8 mov %edi,%eax
d1452: 0f b7 55 e8 movzwl 0xffffffe8(%ebp),%edx
d1456: 25 00 00 0f 00 and $0xf0000,%eax
d145b: 09 d0 or %edx,%eax
d145d: 89 01 mov %eax,(%ecx)
d145f: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d1462: 8b 5d 0c mov 0xc(%ebp),%ebx
d1465: 89 d0 mov %edx,%eax
d1467: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d146a: c1 e8 08 shr $0x8,%eax
d146d: 89 c1 mov %eax,%ecx
d146f: 83 e1 0f and $0xf,%ecx
d1472: 89 d0 mov %edx,%eax
d1474: c1 e8 0c shr $0xc,%eax
d1477: 83 e0 01 and $0x1,%eax
d147a: c1 e0 04 shl $0x4,%eax
d147d: 09 c1 or %eax,%ecx
d147f: 89 0b mov %ecx,(%ebx)
d1481: 0f b6 03 movzbl (%ebx),%eax
d1484: a8 10 test $0x10,%al
d1486: 0f 85 a7 00 00 00 jne d1533 <load_seg+0x1b3>
d148c: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d148f: 8b 5d 0c mov 0xc(%ebp),%ebx
d1492: 89 d0 mov %edx,%eax
d1494: c1 e8 0d shr $0xd,%eax
d1497: 31 d2 xor %edx,%edx
d1499: 89 45 d0 mov %eax,0xffffffd0(%ebp)
d149c: 8b 4d d0 mov 0xffffffd0(%ebp),%ecx
d149f: 89 55 d4 mov %edx,0xffffffd4(%ebp)
d14a2: 8b 13 mov (%ebx),%edx
d14a4: 8b 5d d4 mov 0xffffffd4(%ebp),%ebx
d14a7: 83 e1 03 and $0x3,%ecx
d14aa: 8b 45 d8 mov 0xffffffd8(%ebp),%eax
d14ad: c1 e1 05 shl $0x5,%ecx
d14b0: 81 e2 1f ff ff ff and $0xffffff1f,%edx
d14b6: 09 ca or %ecx,%edx
d14b8: 8b 4d d0 mov 0xffffffd0(%ebp),%ecx
d14bb: 83 e0 01 and $0x1,%eax
d14be: c1 e0 07 shl $0x7,%eax
d14c1: 09 c2 or %eax,%edx
d14c3: 0f ac d9 07 shrd $0x7,%ebx,%ecx
d14c7: 81 e2 ff af ff ff and $0xffffafff,%edx
d14cd: c1 eb 07 shr $0x7,%ebx
d14d0: 89 4d d0 mov %ecx,0xffffffd0(%ebp)
d14d3: 8b 4d d0 mov 0xffffffd0(%ebp),%ecx
d14d6: 89 5d d4 mov %ebx,0xffffffd4(%ebp)
d14d9: 8b 75 d4 mov 0xffffffd4(%ebp),%esi
d14dc: 8b 5d d0 mov 0xffffffd0(%ebp),%ebx
d14df: 83 e1 01 and $0x1,%ecx
d14e2: c1 e1 0c shl $0xc,%ecx
d14e5: 09 ca or %ecx,%edx
d14e7: 0f ac f3 02 shrd $0x2,%esi,%ebx
d14eb: c1 ee 02 shr $0x2,%esi
d14ee: 89 5d d0 mov %ebx,0xffffffd0(%ebp)
d14f1: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
d14f4: 89 75 d4 mov %esi,0xffffffd4(%ebp)
d14f7: 8b 75 0c mov 0xc(%ebp),%esi
d14fa: 83 e0 01 and $0x1,%eax
d14fd: c1 e0 0e shl $0xe,%eax
d1500: 09 c2 or %eax,%edx
d1502: 89 16 mov %edx,(%esi)
d1504: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
d1507: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d150a: 0f ac d0 01 shrd $0x1,%edx,%eax
d150e: a8 01 test $0x1,%al
d1510: 0f 84 93 fe ff ff je d13a9 <load_seg+0x29>
d1516: 80 4e 01 80 orb $0x80,0x1(%esi)
d151a: bb 01 00 00 00 mov $0x1,%ebx
d151f: 8b 55 08 mov 0x8(%ebp),%edx
d1522: 8b 02 mov (%edx),%eax
d1524: c1 e0 0c shl $0xc,%eax
d1527: 0d ff 0f 00 00 or $0xfff,%eax
d152c: 89 02 mov %eax,(%edx)
d152e: e9 7b fe ff ff jmp d13ae <load_seg+0x2e>
d1533: 89 c2 mov %eax,%edx
d1535: 83 e2 0f and $0xf,%edx
d1538: 89 c8 mov %ecx,%eax
d153a: 83 ca 01 or $0x1,%edx
d153d: 83 e0 f0 and $0xfffffff0,%eax
d1540: 09 d0 or %edx,%eax
d1542: 89 03 mov %eax,(%ebx)
d1544: e9 43 ff ff ff jmp d148c <load_seg+0x10c>
d1549: c7 04 24 13 4b 0d 00 movl $0xd4b13,(%esp)
d1550: e8 7b 24 00 00 call d39d0 <printf>
d1555: 8d 45 e8 lea 0xffffffe8(%ebp),%eax
d1558: 31 d2 xor %edx,%edx
d155a: 89 44 24 08 mov %eax,0x8(%esp)
d155e: 89 f8 mov %edi,%eax
d1560: 83 e0 f8 and $0xfffffff8,%eax
d1563: 01 d8 add %ebx,%eax
d1565: 11 f2 adc %esi,%edx
d1567: 89 54 24 04 mov %edx,0x4(%esp)
d156b: 89 04 24 mov %eax,(%esp)
d156e: e8 bd 20 00 00 call d3630 <cpuid_addr_value>
d1573: 8b 55 e8 mov 0xffffffe8(%ebp),%edx
d1576: 8b 4d ec mov 0xffffffec(%ebp),%ecx
d1579: 89 55 d0 mov %edx,0xffffffd0(%ebp)
d157c: 89 4d d4 mov %ecx,0xffffffd4(%ebp)
d157f: e9 7b fe ff ff jmp d13ff <load_seg+0x7f>
d1584: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d158a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
000d1590 <load_or_clear_seg>:
d1590: 55 push %ebp
d1591: 89 e5 mov %esp,%ebp
d1593: 83 ec 18 sub $0x18,%esp
d1596: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
d1599: 8b 5d 0c mov 0xc(%ebp),%ebx
d159c: 89 75 f8 mov %esi,0xfffffff8(%ebp)
d159f: 8b 75 08 mov 0x8(%ebp),%esi
d15a2: 89 7d fc mov %edi,0xfffffffc(%ebp)
d15a5: 89 d7 mov %edx,%edi
d15a7: 89 5c 24 04 mov %ebx,0x4(%esp)
d15ab: 89 34 24 mov %esi,(%esp)
d15ae: e8 cd fd ff ff call d1380 <load_seg>
d15b3: 85 c0 test %eax,%eax
d15b5: 74 0d je d15c4 <load_or_clear_seg+0x34>
d15b7: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d15ba: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d15bd: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d15c0: 89 ec mov %ebp,%esp
d15c2: 5d pop %ebp
d15c3: c3 ret
d15c4: 89 5d 0c mov %ebx,0xc(%ebp)
d15c7: 89 fa mov %edi,%edx
d15c9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d15cc: 89 75 08 mov %esi,0x8(%ebp)
d15cf: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d15d2: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d15d5: 89 ec mov %ebp,%esp
d15d7: 5d pop %ebp
d15d8: e9 a3 fd ff ff jmp d1380 <load_seg>
d15dd: 8d 76 00 lea 0x0(%esi),%esi
000d15e0 <set_mode>:
d15e0: 55 push %ebp
d15e1: 89 e5 mov %esp,%ebp
d15e3: 56 push %esi
d15e4: 53 push %ebx
d15e5: 83 ec 10 sub $0x10,%esp
d15e8: 8b 75 0c mov 0xc(%ebp),%esi
d15eb: 8b 5d 08 mov 0x8(%ebp),%ebx
d15ee: 83 fe 01 cmp $0x1,%esi
d15f1: 0f 84 f1 00 00 00 je d16e8 <set_mode+0x108>
d15f7: 72 47 jb d1640 <set_mode+0x60>
d15f9: 83 fe 02 cmp $0x2,%esi
d15fc: 0f 84 be 02 00 00 je d18c0 <set_mode+0x2e0>
d1602: 83 fe 03 cmp $0x3,%esi
d1605: 0f 84 7d 01 00 00 je d1788 <set_mode+0x1a8>
d160b: 90 nop
d160c: 8d 74 26 00 lea 0x0(%esi),%esi
d1610: 89 35 04 76 0d 00 mov %esi,0xd7604
d1616: 83 fe 03 cmp $0x3,%esi
d1619: 74 19 je d1634 <set_mode+0x54>
d161b: 89 1c 24 mov %ebx,(%esp)
d161e: 8b 04 b5 80 55 0d 00 mov 0xd5580(,%esi,4),%eax
d1625: 89 44 24 08 mov %eax,0x8(%esp)
d1629: 31 c0 xor %eax,%eax
d162b: 89 44 24 04 mov %eax,0x4(%esp)
d162f: e8 5c f2 ff ff call d0890 <trace>
d1634: 83 c4 10 add $0x10,%esp
d1637: 5b pop %ebx
d1638: 5e pop %esi
d1639: 5d pop %ebp
d163a: c3 ret
d163b: 90 nop
d163c: 8d 74 26 00 lea 0x0(%esi),%esi
d1640: 8b 15 04 76 0d 00 mov 0xd7604,%edx
d1646: 8d 42 ff lea 0xffffffff(%edx),%eax
d1649: 83 f8 01 cmp $0x1,%eax
d164c: 0f 87 be 00 00 00 ja d1710 <set_mode+0x130>
d1652: 8b 43 30 mov 0x30(%ebx),%eax
d1655: 8b 53 38 mov 0x38(%ebx),%edx
d1658: 25 ff fe ff ff and $0xfffffeff,%eax
d165d: 0d 02 30 02 00 or $0x23002,%eax
d1662: 85 d2 test %edx,%edx
d1664: 89 43 30 mov %eax,0x30(%ebx)
d1667: 0f 84 88 02 00 00 je d18f5 <set_mode+0x315>
d166d: 81 fa ff ff 0f 00 cmp $0xfffff,%edx
d1673: 0f 87 86 02 00 00 ja d18ff <set_mode+0x31f>
d1679: c7 04 24 00 00 00 00 movl $0x0,(%esp)
d1680: 89 d8 mov %ebx,%eax
d1682: e8 79 f0 ff ff call d0700 <address>
d1687: c1 e8 04 shr $0x4,%eax
d168a: 89 43 38 mov %eax,0x38(%ebx)
d168d: 8b 53 40 mov 0x40(%ebx),%edx
d1690: 85 d2 test %edx,%edx
d1692: 0f 84 53 02 00 00 je d18eb <set_mode+0x30b>
d1698: 81 fa ff ff 0f 00 cmp $0xfffff,%edx
d169e: 0f 87 8b 02 00 00 ja d192f <set_mode+0x34f>
d16a4: c7 04 24 00 00 00 00 movl $0x0,(%esp)
d16ab: 89 d8 mov %ebx,%eax
d16ad: e8 4e f0 ff ff call d0700 <address>
d16b2: c1 e8 04 shr $0x4,%eax
d16b5: 89 43 40 mov %eax,0x40(%ebx)
d16b8: 8b 53 3c mov 0x3c(%ebx),%edx
d16bb: 85 d2 test %edx,%edx
d16bd: 0f 84 1b 02 00 00 je d18de <set_mode+0x2fe>
d16c3: 81 fa ff ff 0f 00 cmp $0xfffff,%edx
d16c9: 0f 87 48 02 00 00 ja d1917 <set_mode+0x337>
d16cf: c7 04 24 00 00 00 00 movl $0x0,(%esp)
d16d6: 89 d8 mov %ebx,%eax
d16d8: e8 23 f0 ff ff call d0700 <address>
d16dd: c1 e8 04 shr $0x4,%eax
d16e0: 89 43 3c mov %eax,0x3c(%ebx)
d16e3: e9 28 ff ff ff jmp d1610 <set_mode+0x30>
d16e8: a1 04 76 0d 00 mov 0xd7604,%eax
d16ed: 85 c0 test %eax,%eax
d16ef: 74 3f je d1730 <set_mode+0x150>
d16f1: 48 dec %eax
d16f2: 0f 84 18 ff ff ff je d1610 <set_mode+0x30>
d16f8: c7 04 24 ec 4e 0d 00 movl $0xd4eec,(%esp)
d16ff: e8 7c 22 00 00 call d3980 <panic>
d1704: e9 07 ff ff ff jmp d1610 <set_mode+0x30>
d1709: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d1710: 85 d2 test %edx,%edx
d1712: 0f 84 f8 fe ff ff je d1610 <set_mode+0x30>
d1718: c7 04 24 1c 4f 0d 00 movl $0xd4f1c,(%esp)
d171f: e8 5c 22 00 00 call d3980 <panic>
d1724: e9 e7 fe ff ff jmp d1610 <set_mode+0x30>
d1729: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d1730: 81 4b 30 00 01 00 00 orl $0x100,0x30(%ebx)
d1737: 31 c9 xor %ecx,%ecx
d1739: 8b 43 40 mov 0x40(%ebx),%eax
d173c: a3 60 76 0d 00 mov %eax,0xd7660
d1741: 8b 43 3c mov 0x3c(%ebx),%eax
d1744: a3 5c 76 0d 00 mov %eax,0xd765c
d1749: 8b 43 44 mov 0x44(%ebx),%eax
d174c: a3 64 76 0d 00 mov %eax,0xd7664
d1751: 8b 43 48 mov 0x48(%ebx),%eax
d1754: a3 68 76 0d 00 mov %eax,0xd7668
d1759: 8b 43 38 mov 0x38(%ebx),%eax
d175c: 89 0d 18 98 0d 00 mov %ecx,0xd9818
d1762: a3 58 76 0d 00 mov %eax,0xd7658
d1767: 31 c0 xor %eax,%eax
d1769: a3 f8 97 0d 00 mov %eax,0xd97f8
d176e: 31 c0 xor %eax,%eax
d1770: a3 08 98 0d 00 mov %eax,0xd9808
d1775: 31 c0 xor %eax,%eax
d1777: a3 28 98 0d 00 mov %eax,0xd9828
d177c: 31 c0 xor %eax,%eax
d177e: a3 38 98 0d 00 mov %eax,0xd9838
d1783: e9 88 fe ff ff jmp d1610 <set_mode+0x30>
d1788: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604
d178f: 74 0c je d179d <set_mode+0x1bd>
d1791: c7 04 24 3c 4f 0d 00 movl $0xd4f3c,(%esp)
d1798: e8 e3 21 00 00 call d3980 <panic>
d179d: 0f b6 05 6c 76 0d 00 movzbl 0xd766c,%eax
d17a4: ba f4 97 0d 00 mov $0xd97f4,%edx
d17a9: a2 68 98 0d 00 mov %al,0xd9868
d17ae: 0f b6 05 6d 76 0d 00 movzbl 0xd766d,%eax
d17b5: a2 69 98 0d 00 mov %al,0xd9869
d17ba: 8b 43 28 mov 0x28(%ebx),%eax
d17bd: 81 63 30 ff ce fd ff andl $0xfffdceff,0x30(%ebx)
d17c4: a3 c0 97 0d 00 mov %eax,0xd97c0
d17c9: 8b 43 34 mov 0x34(%ebx),%eax
d17cc: a3 c4 97 0d 00 mov %eax,0xd97c4
d17d1: 8b 43 30 mov 0x30(%ebx),%eax
d17d4: a3 c8 97 0d 00 mov %eax,0xd97c8
d17d9: 8b 43 2c mov 0x2c(%ebx),%eax
d17dc: 89 54 24 04 mov %edx,0x4(%esp)
d17e0: ba f0 97 0d 00 mov $0xd97f0,%edx
d17e5: c7 04 24 ec 97 0d 00 movl $0xd97ec,(%esp)
d17ec: e8 8f fb ff ff call d1380 <load_seg>
d17f1: 85 c0 test %eax,%eax
d17f3: 0f 84 4e 01 00 00 je d1947 <set_mode+0x367>
d17f9: 8b 43 2c mov 0x2c(%ebx),%eax
d17fc: ba 10 98 0d 00 mov $0xd9810,%edx
d1801: c7 04 24 0c 98 0d 00 movl $0xd980c,(%esp)
d1808: a3 e8 97 0d 00 mov %eax,0xd97e8
d180d: b8 14 98 0d 00 mov $0xd9814,%eax
d1812: 89 44 24 04 mov %eax,0x4(%esp)
d1816: a1 08 98 0d 00 mov 0xd9808,%eax
d181b: e8 70 fd ff ff call d1590 <load_or_clear_seg>
d1820: c7 04 24 1c 98 0d 00 movl $0xd981c,(%esp)
d1827: b8 24 98 0d 00 mov $0xd9824,%eax
d182c: ba 20 98 0d 00 mov $0xd9820,%edx
d1831: 89 44 24 04 mov %eax,0x4(%esp)
d1835: a1 18 98 0d 00 mov 0xd9818,%eax
d183a: e8 51 fd ff ff call d1590 <load_or_clear_seg>
d183f: c7 04 24 fc 97 0d 00 movl $0xd97fc,(%esp)
d1846: b8 04 98 0d 00 mov $0xd9804,%eax
d184b: ba 00 98 0d 00 mov $0xd9800,%edx
d1850: 89 44 24 04 mov %eax,0x4(%esp)
d1854: a1 f8 97 0d 00 mov 0xd97f8,%eax
d1859: e8 32 fd ff ff call d1590 <load_or_clear_seg>
d185e: c7 04 24 2c 98 0d 00 movl $0xd982c,(%esp)
d1865: b8 34 98 0d 00 mov $0xd9834,%eax
d186a: ba 30 98 0d 00 mov $0xd9830,%edx
d186f: 89 44 24 04 mov %eax,0x4(%esp)
d1873: a1 28 98 0d 00 mov 0xd9828,%eax
d1878: e8 13 fd ff ff call d1590 <load_or_clear_seg>
d187d: c7 04 24 3c 98 0d 00 movl $0xd983c,(%esp)
d1884: b8 44 98 0d 00 mov $0xd9844,%eax
d1889: ba 40 98 0d 00 mov $0xd9840,%edx
d188e: 89 44 24 04 mov %eax,0x4(%esp)
d1892: a1 38 98 0d 00 mov 0xd9838,%eax
d1897: e8 f4 fc ff ff call d1590 <load_or_clear_seg>
d189c: c7 43 38 18 00 00 00 movl $0x18,0x38(%ebx)
d18a3: c7 43 34 00 76 0d 00 movl $0xd7600,0x34(%ebx)
d18aa: c7 43 2c 10 00 00 00 movl $0x10,0x2c(%ebx)
d18b1: c7 43 28 e0 03 0d 00 movl $0xd03e0,0x28(%ebx)
d18b8: e9 53 fd ff ff jmp d1610 <set_mode+0x30>
d18bd: 8d 76 00 lea 0x0(%esi),%esi
d18c0: 83 3d 04 76 0d 00 03 cmpl $0x3,0xd7604
d18c7: 0f 84 43 fd ff ff je d1610 <set_mode+0x30>
d18cd: c7 04 24 64 4f 0d 00 movl $0xd4f64,(%esp)
d18d4: e8 a7 20 00 00 call d3980 <panic>
d18d9: e9 32 fd ff ff jmp d1610 <set_mode+0x30>
d18de: a1 5c 76 0d 00 mov 0xd765c,%eax
d18e3: 89 43 3c mov %eax,0x3c(%ebx)
d18e6: e9 25 fd ff ff jmp d1610 <set_mode+0x30>
d18eb: a1 60 76 0d 00 mov 0xd7660,%eax
d18f0: e9 c0 fd ff ff jmp d16b5 <set_mode+0xd5>
d18f5: a1 58 76 0d 00 mov 0xd7658,%eax
d18fa: e9 8b fd ff ff jmp d168a <set_mode+0xaa>
d18ff: 89 54 24 04 mov %edx,0x4(%esp)
d1903: c7 04 24 d9 4b 0d 00 movl $0xd4bd9,(%esp)
d190a: e8 71 20 00 00 call d3980 <panic>
d190f: 8b 53 38 mov 0x38(%ebx),%edx
d1912: e9 62 fd ff ff jmp d1679 <set_mode+0x99>
d1917: 89 54 24 04 mov %edx,0x4(%esp)
d191b: c7 04 24 f4 4b 0d 00 movl $0xd4bf4,(%esp)
d1922: e8 59 20 00 00 call d3980 <panic>
d1927: 8b 53 3c mov 0x3c(%ebx),%edx
d192a: e9 a0 fd ff ff jmp d16cf <set_mode+0xef>
d192f: 89 54 24 04 mov %edx,0x4(%esp)
d1933: c7 04 24 0f 4c 0d 00 movl $0xd4c0f,(%esp)
d193a: e8 41 20 00 00 call d3980 <panic>
d193f: 8b 53 40 mov 0x40(%ebx),%edx
d1942: e9 5d fd ff ff jmp d16a4 <set_mode+0xc4>
d1947: 8b 43 2c mov 0x2c(%ebx),%eax
d194a: c7 04 24 94 4f 0d 00 movl $0xd4f94,(%esp)
d1951: 89 44 24 04 mov %eax,0x4(%esp)
d1955: e8 26 20 00 00 call d3980 <panic>
d195a: e9 9a fe ff ff jmp d17f9 <set_mode+0x219>
d195f: 90 nop
000d1960 <interrupt>:
d1960: 55 push %ebp
d1961: 89 e5 mov %esp,%ebp
d1963: 57 push %edi
d1964: 89 d7 mov %edx,%edi
d1966: 56 push %esi
d1967: 53 push %ebx
d1968: 83 ec 1c sub $0x1c,%esp
d196b: 89 c3 mov %eax,%ebx
d196d: 89 54 24 0c mov %edx,0xc(%esp)
d1971: b8 2a 4c 0d 00 mov $0xd4c2a,%eax
d1976: 89 44 24 08 mov %eax,0x8(%esp)
d197a: 31 c0 xor %eax,%eax
d197c: 89 44 24 04 mov %eax,0x4(%esp)
d1980: 89 1c 24 mov %ebx,(%esp)
d1983: e8 08 ef ff ff call d0890 <trace>
d1988: 8b 43 34 mov 0x34(%ebx),%eax
d198b: 8b 53 38 mov 0x38(%ebx),%edx
d198e: 8b 73 30 mov 0x30(%ebx),%esi
d1991: 83 e8 02 sub $0x2,%eax
d1994: 89 43 34 mov %eax,0x34(%ebx)
d1997: 25 ff ff 00 00 and $0xffff,%eax
d199c: 89 04 24 mov %eax,(%esp)
d199f: 89 d8 mov %ebx,%eax
d19a1: e8 5a ed ff ff call d0700 <address>
d19a6: 66 89 30 mov %si,(%eax)
d19a9: 8b 43 34 mov 0x34(%ebx),%eax
d19ac: 8b 53 38 mov 0x38(%ebx),%edx
d19af: 8b 73 2c mov 0x2c(%ebx),%esi
d19b2: 83 e8 02 sub $0x2,%eax
d19b5: 89 43 34 mov %eax,0x34(%ebx)
d19b8: 25 ff ff 00 00 and $0xffff,%eax
d19bd: 89 04 24 mov %eax,(%esp)
d19c0: 89 d8 mov %ebx,%eax
d19c2: e8 39 ed ff ff call d0700 <address>
d19c7: 66 89 30 mov %si,(%eax)
d19ca: 8b 43 34 mov 0x34(%ebx),%eax
d19cd: 8b 53 38 mov 0x38(%ebx),%edx
d19d0: 8b 73 28 mov 0x28(%ebx),%esi
d19d3: 83 e8 02 sub $0x2,%eax
d19d6: 89 43 34 mov %eax,0x34(%ebx)
d19d9: 25 ff ff 00 00 and $0xffff,%eax
d19de: 89 04 24 mov %eax,(%esp)
d19e1: 89 d8 mov %ebx,%eax
d19e3: e8 18 ed ff ff call d0700 <address>
d19e8: 66 89 30 mov %si,(%eax)
d19eb: 31 d2 xor %edx,%edx
d19ed: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
d19f4: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
d19fb: 89 d8 mov %ebx,%eax
d19fd: 89 34 24 mov %esi,(%esp)
d1a00: e8 fb ec ff ff call d0700 <address>
d1a05: 0f b7 00 movzwl (%eax),%eax
d1a08: 31 d2 xor %edx,%edx
d1a0a: 89 43 28 mov %eax,0x28(%ebx)
d1a0d: 8d 46 02 lea 0x2(%esi),%eax
d1a10: 89 04 24 mov %eax,(%esp)
d1a13: 89 d8 mov %ebx,%eax
d1a15: e8 e6 ec ff ff call d0700 <address>
d1a1a: 0f b7 00 movzwl (%eax),%eax
d1a1d: 89 43 2c mov %eax,0x2c(%ebx)
d1a20: 83 c4 1c add $0x1c,%esp
d1a23: 5b pop %ebx
d1a24: 5e pop %esi
d1a25: 5f pop %edi
d1a26: 5d pop %ebp
d1a27: c3 ret
d1a28: 90 nop
d1a29: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d1a30 <outbyte>:
d1a30: 55 push %ebp
d1a31: 89 e5 mov %esp,%ebp
d1a33: 83 ec 18 sub $0x18,%esp
d1a36: 89 5d f8 mov %ebx,0xfffffff8(%ebp)
d1a39: 89 c3 mov %eax,%ebx
d1a3b: 8b 45 08 mov 0x8(%ebp),%eax
d1a3e: 89 75 fc mov %esi,0xfffffffc(%ebp)
d1a41: 3d e6 00 00 00 cmp $0xe6,%eax
d1a46: 74 6f je d1ab7 <outbyte+0x87>
d1a48: 3d ee 00 00 00 cmp $0xee,%eax
d1a4d: 74 11 je d1a60 <outbyte+0x30>
d1a4f: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d1a52: 31 c0 xor %eax,%eax
d1a54: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d1a57: 89 ec mov %ebp,%esp
d1a59: 5d pop %ebp
d1a5a: c3 ret
d1a5b: 90 nop
d1a5c: 8d 74 26 00 lea 0x0(%esi),%esi
d1a60: 0f b7 73 14 movzwl 0x14(%ebx),%esi
d1a64: 0f b6 5b 1c movzbl 0x1c(%ebx),%ebx
d1a68: 83 fe 21 cmp $0x21,%esi
d1a6b: 74 6a je d1ad7 <outbyte+0xa7>
d1a6d: 7e 35 jle d1aa4 <outbyte+0x74>
d1a6f: 81 fe a0 00 00 00 cmp $0xa0,%esi
d1a75: 0f 84 92 00 00 00 je d1b0d <outbyte+0xdd>
d1a7b: 81 fe a1 00 00 00 cmp $0xa1,%esi
d1a81: 0f 84 9b 00 00 00 je d1b22 <outbyte+0xf2>
d1a87: 89 f6 mov %esi,%esi
d1a89: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d1a90: 89 f2 mov %esi,%edx
d1a92: 88 d8 mov %bl,%al
d1a94: ee out %al,(%dx)
d1a95: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d1a98: b8 01 00 00 00 mov $0x1,%eax
d1a9d: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d1aa0: 89 ec mov %ebp,%esp
d1aa2: 5d pop %ebp
d1aa3: c3 ret
d1aa4: 83 fe 20 cmp $0x20,%esi
d1aa7: 75 e7 jne d1a90 <outbyte+0x60>
d1aa9: f6 c3 10 test $0x10,%bl
d1aac: 74 e2 je d1a90 <outbyte+0x60>
d1aae: c6 05 0c 76 0d 00 01 movb $0x1,0xd760c
d1ab5: eb d9 jmp d1a90 <outbyte+0x60>
d1ab7: 0f b7 43 28 movzwl 0x28(%ebx),%eax
d1abb: 8b 53 2c mov 0x2c(%ebx),%edx
d1abe: 89 04 24 mov %eax,(%esp)
d1ac1: 89 d8 mov %ebx,%eax
d1ac3: e8 38 ec ff ff call d0700 <address>
d1ac8: ff 43 28 incl 0x28(%ebx)
d1acb: 0f b6 5b 1c movzbl 0x1c(%ebx),%ebx
d1acf: 0f b6 30 movzbl (%eax),%esi
d1ad2: 83 fe 21 cmp $0x21,%esi
d1ad5: 75 96 jne d1a6d <outbyte+0x3d>
d1ad7: 80 3d 0c 76 0d 00 00 cmpb $0x0,0xd760c
d1ade: 74 b0 je d1a90 <outbyte+0x60>
d1ae0: c6 05 0c 76 0d 00 00 movb $0x0,0xd760c
d1ae7: b9 20 00 00 00 mov $0x20,%ecx
d1aec: 89 5c 24 04 mov %ebx,0x4(%esp)
d1af0: 89 4c 24 08 mov %ecx,0x8(%esp)
d1af4: c7 04 24 bc 4f 0d 00 movl $0xd4fbc,(%esp)
d1afb: e8 d0 1e 00 00 call d39d0 <printf>
d1b00: 88 1d 6c 76 0d 00 mov %bl,0xd766c
d1b06: bb 20 00 00 00 mov $0x20,%ebx
d1b0b: eb 83 jmp d1a90 <outbyte+0x60>
d1b0d: f6 c3 10 test $0x10,%bl
d1b10: 0f 84 7a ff ff ff je d1a90 <outbyte+0x60>
d1b16: c6 05 0d 76 0d 00 01 movb $0x1,0xd760d
d1b1d: e9 6e ff ff ff jmp d1a90 <outbyte+0x60>
d1b22: 80 3d 0d 76 0d 00 00 cmpb $0x0,0xd760d
d1b29: 0f 84 61 ff ff ff je d1a90 <outbyte+0x60>
d1b2f: c6 05 0d 76 0d 00 00 movb $0x0,0xd760d
d1b36: ba 28 00 00 00 mov $0x28,%edx
d1b3b: 89 5c 24 04 mov %ebx,0x4(%esp)
d1b3f: 89 54 24 08 mov %edx,0x8(%esp)
d1b43: c7 04 24 e4 4f 0d 00 movl $0xd4fe4,(%esp)
d1b4a: e8 81 1e 00 00 call d39d0 <printf>
d1b4f: 88 1d 6d 76 0d 00 mov %bl,0xd766d
d1b55: bb 28 00 00 00 mov $0x28,%ebx
d1b5a: e9 31 ff ff ff jmp d1a90 <outbyte+0x60>
d1b5f: 90 nop
000d1b60 <inbyte>:
d1b60: 55 push %ebp
d1b61: 89 e5 mov %esp,%ebp
d1b63: 53 push %ebx
d1b64: 83 ec 04 sub $0x4,%esp
d1b67: 89 c3 mov %eax,%ebx
d1b69: 8b 45 08 mov 0x8(%ebp),%eax
d1b6c: 3d e4 00 00 00 cmp $0xe4,%eax
d1b71: 74 2d je d1ba0 <inbyte+0x40>
d1b73: 3d ec 00 00 00 cmp $0xec,%eax
d1b78: 74 06 je d1b80 <inbyte+0x20>
d1b7a: 5b pop %ebx
d1b7b: 31 c0 xor %eax,%eax
d1b7d: 5b pop %ebx
d1b7e: 5d pop %ebp
d1b7f: c3 ret
d1b80: 0f b7 53 14 movzwl 0x14(%ebx),%edx
d1b84: 8b 4b 1c mov 0x1c(%ebx),%ecx
d1b87: 81 e1 00 ff ff ff and $0xffffff00,%ecx
d1b8d: ec in (%dx),%al
d1b8e: 0f b6 d0 movzbl %al,%edx
d1b91: 09 d1 or %edx,%ecx
d1b93: b8 01 00 00 00 mov $0x1,%eax
d1b98: 89 4b 1c mov %ecx,0x1c(%ebx)
d1b9b: 5b pop %ebx
d1b9c: 5b pop %ebx
d1b9d: 5d pop %ebp
d1b9e: c3 ret
d1b9f: 90 nop
d1ba0: 0f b7 43 28 movzwl 0x28(%ebx),%eax
d1ba4: 8b 53 2c mov 0x2c(%ebx),%edx
d1ba7: 89 04 24 mov %eax,(%esp)
d1baa: 89 d8 mov %ebx,%eax
d1bac: e8 4f eb ff ff call d0700 <address>
d1bb1: ff 43 28 incl 0x28(%ebx)
d1bb4: 0f b6 10 movzbl (%eax),%edx
d1bb7: eb cb jmp d1b84 <inbyte+0x24>
d1bb9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
000d1bc0 <emulate>:
d1bc0: 55 push %ebp
d1bc1: 89 e5 mov %esp,%ebp
d1bc3: 57 push %edi
d1bc4: 56 push %esi
d1bc5: 53 push %ebx
d1bc6: 83 ec 6c sub $0x6c,%esp
d1bc9: 8b 7d 08 mov 0x8(%ebp),%edi
d1bcc: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
d1bd3: 8b 77 28 mov 0x28(%edi),%esi
d1bd6: 89 75 ec mov %esi,0xffffffec(%ebp)
d1bd9: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d1be0: c7 45 e0 00 00 00 00 movl $0x0,0xffffffe0(%ebp)
d1be7: 74 74 je d1c5d <emulate+0x9d>
d1be9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d1bf0: 8b 57 2c mov 0x2c(%edi),%edx
d1bf3: 89 f0 mov %esi,%eax
d1bf5: 25 ff ff 00 00 and $0xffff,%eax
d1bfa: 89 04 24 mov %eax,(%esp)
d1bfd: 89 f8 mov %edi,%eax
d1bff: e8 fc ea ff ff call d0700 <address>
d1c04: 8b 5f 28 mov 0x28(%edi),%ebx
d1c07: 43 inc %ebx
d1c08: 89 5f 28 mov %ebx,0x28(%edi)
d1c0b: 0f b6 30 movzbl (%eax),%esi
d1c0e: 89 f0 mov %esi,%eax
d1c10: 83 e8 07 sub $0x7,%eax
d1c13: 89 75 e8 mov %esi,0xffffffe8(%ebp)
d1c16: 3d f8 00 00 00 cmp $0xf8,%eax
d1c1b: 0f 87 a1 00 00 00 ja d1cc2 <emulate+0x102>
d1c21: ff 24 85 64 45 0d 00 jmp *0xd4564(,%eax,4)
d1c28: 89 34 24 mov %esi,(%esp)
d1c2b: 8b 55 e0 mov 0xffffffe0(%ebp),%edx
d1c2e: 89 f8 mov %edi,%eax
d1c30: e8 fb fd ff ff call d1a30 <outbyte>
d1c35: 8d 74 26 00 lea 0x0(%esi),%esi
d1c39: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d1c40: 85 c0 test %eax,%eax
d1c42: 74 7e je d1cc2 <emulate+0x102>
d1c44: 8b 77 28 mov 0x28(%edi),%esi
d1c47: ff 45 f0 incl 0xfffffff0(%ebp)
d1c4a: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d1c51: 89 75 ec mov %esi,0xffffffec(%ebp)
d1c54: c7 45 e0 00 00 00 00 movl $0x0,0xffffffe0(%ebp)
d1c5b: 75 93 jne d1bf0 <emulate+0x30>
d1c5d: f6 05 f5 97 0d 00 40 testb $0x40,0xd97f5
d1c64: 74 8a je d1bf0 <emulate+0x30>
d1c66: c7 45 e0 03 00 00 00 movl $0x3,0xffffffe0(%ebp)
d1c6d: eb 81 jmp d1bf0 <emulate+0x30>
d1c6f: 89 34 24 mov %esi,(%esp)
d1c72: 8b 55 e0 mov 0xffffffe0(%ebp),%edx
d1c75: 89 f8 mov %edi,%eax
d1c77: e8 e4 fe ff ff call d1b60 <inbyte>
d1c7c: eb c2 jmp d1c40 <emulate+0x80>
d1c7e: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d1c85: 74 3b je d1cc2 <emulate+0x102>
d1c87: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp)
d1c8b: 74 35 je d1cc2 <emulate+0x102>
d1c8d: 89 34 24 mov %esi,(%esp)
d1c90: 8b 55 e0 mov 0xffffffe0(%ebp),%edx
d1c93: 89 f8 mov %edi,%eax
d1c95: e8 86 f2 ff ff call d0f20 <movr>
d1c9a: eb a4 jmp d1c40 <emulate+0x80>
d1c9c: 89 74 24 0c mov %esi,0xc(%esp)
d1ca0: bb 58 45 0d 00 mov $0xd4558,%ebx
d1ca5: be 76 03 00 00 mov $0x376,%esi
d1caa: 89 54 24 10 mov %edx,0x10(%esp)
d1cae: 89 74 24 08 mov %esi,0x8(%esp)
d1cb2: 89 5c 24 04 mov %ebx,0x4(%esp)
d1cb6: c7 04 24 08 50 0d 00 movl $0xd5008,(%esp)
d1cbd: e8 0e 1d 00 00 call d39d0 <printf>
d1cc2: 8b 55 ec mov 0xffffffec(%ebp),%edx
d1cc5: b8 40 4c 0d 00 mov $0xd4c40,%eax
d1cca: 89 57 28 mov %edx,0x28(%edi)
d1ccd: 8b 4d e8 mov 0xffffffe8(%ebp),%ecx
d1cd0: 89 44 24 08 mov %eax,0x8(%esp)
d1cd4: 31 c0 xor %eax,%eax
d1cd6: 89 4c 24 0c mov %ecx,0xc(%esp)
d1cda: 89 44 24 04 mov %eax,0x4(%esp)
d1cde: 89 3c 24 mov %edi,(%esp)
d1ce1: e8 aa eb ff ff call d0890 <trace>
d1ce6: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
d1ce9: 8b 77 28 mov 0x28(%edi),%esi
d1cec: 85 c0 test %eax,%eax
d1cee: 75 0c jne d1cfc <emulate+0x13c>
d1cf0: 3b 35 08 76 0d 00 cmp 0xd7608,%esi
d1cf6: 0f 84 5c 0c 00 00 je d2958 <emulate+0xd98>
d1cfc: 89 35 08 76 0d 00 mov %esi,0xd7608
d1d02: 83 c4 6c add $0x6c,%esp
d1d05: 5b pop %ebx
d1d06: 5e pop %esi
d1d07: 5f pop %edi
d1d08: 5d pop %ebp
d1d09: c3 ret
d1d0a: a1 04 76 0d 00 mov 0xd7604,%eax
d1d0f: 48 dec %eax
d1d10: 83 f8 01 cmp $0x1,%eax
d1d13: 77 ad ja d1cc2 <emulate+0x102>
d1d15: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d1d19: 0f 84 d9 0b 00 00 je d28f8 <emulate+0xd38>
d1d1f: 0f b7 47 34 movzwl 0x34(%edi),%eax
d1d23: 8b 57 38 mov 0x38(%edi),%edx
d1d26: 89 04 24 mov %eax,(%esp)
d1d29: 89 f8 mov %edi,%eax
d1d2b: e8 d0 e9 ff ff call d0700 <address>
d1d30: 8b 10 mov (%eax),%edx
d1d32: 8b 47 34 mov 0x34(%edi),%eax
d1d35: 89 d6 mov %edx,%esi
d1d37: 83 c0 04 add $0x4,%eax
d1d3a: 8b 57 38 mov 0x38(%edi),%edx
d1d3d: 89 47 34 mov %eax,0x34(%edi)
d1d40: 25 ff ff 00 00 and $0xffff,%eax
d1d45: 89 04 24 mov %eax,(%esp)
d1d48: 89 f8 mov %edi,%eax
d1d4a: e8 b1 e9 ff ff call d0700 <address>
d1d4f: 8b 00 mov (%eax),%eax
d1d51: 83 47 34 04 addl $0x4,0x34(%edi)
d1d55: 0f b7 d8 movzwl %ax,%ebx
d1d58: 89 74 24 10 mov %esi,0x10(%esp)
d1d5c: b8 49 4c 0d 00 mov $0xd4c49,%eax
d1d61: b9 01 00 00 00 mov $0x1,%ecx
d1d66: 89 44 24 08 mov %eax,0x8(%esp)
d1d6a: 89 5c 24 0c mov %ebx,0xc(%esp)
d1d6e: 89 4c 24 04 mov %ecx,0x4(%esp)
d1d72: 89 3c 24 mov %edi,(%esp)
d1d75: e8 16 eb ff ff call d0890 <trace>
d1d7a: 89 5f 2c mov %ebx,0x2c(%edi)
d1d7d: 89 77 28 mov %esi,0x28(%edi)
d1d80: a1 04 76 0d 00 mov 0xd7604,%eax
d1d85: 83 f8 01 cmp $0x1,%eax
d1d88: 0f 84 5a 0f 00 00 je d2ce8 <emulate+0x1128>
d1d8e: 83 f8 02 cmp $0x2,%eax
d1d91: 0f 84 3e 0f 00 00 je d2cd5 <emulate+0x1115>
d1d97: c7 04 24 5d 4c 0d 00 movl $0xd4c5d,(%esp)
d1d9e: e8 dd 1b 00 00 call d3980 <panic>
d1da3: e9 3e ff ff ff jmp d1ce6 <emulate+0x126>
d1da8: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d1dac: 0f 84 5e 09 00 00 je d2710 <emulate+0xb50>
d1db2: 0f b7 47 34 movzwl 0x34(%edi),%eax
d1db6: 8b 57 38 mov 0x38(%edi),%edx
d1db9: 89 04 24 mov %eax,(%esp)
d1dbc: 89 f8 mov %edi,%eax
d1dbe: e8 3d e9 ff ff call d0700 <address>
d1dc3: 8b 00 mov (%eax),%eax
d1dc5: 83 47 34 04 addl $0x4,0x34(%edi)
d1dc9: 89 47 3c mov %eax,0x3c(%edi)
d1dcc: b9 62 4c 0d 00 mov $0xd4c62,%ecx
d1dd1: 8b 55 ec mov 0xffffffec(%ebp),%edx
d1dd4: 89 4c 24 08 mov %ecx,0x8(%esp)
d1dd8: 8b 47 28 mov 0x28(%edi),%eax
d1ddb: 89 3c 24 mov %edi,(%esp)
d1dde: 29 d0 sub %edx,%eax
d1de0: 89 44 24 04 mov %eax,0x4(%esp)
d1de4: e8 a7 ea ff ff call d0890 <trace>
d1de9: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604
d1df0: 0f 85 4e fe ff ff jne d1c44 <emulate+0x84>
d1df6: 31 c0 xor %eax,%eax
d1df8: a3 5c 76 0d 00 mov %eax,0xd765c
d1dfd: 8b 47 3c mov 0x3c(%edi),%eax
d1e00: a3 08 98 0d 00 mov %eax,0xd9808
d1e05: 8b 77 28 mov 0x28(%edi),%esi
d1e08: e9 3a fe ff ff jmp d1c47 <emulate+0x87>
d1e0d: 8b 57 2c mov 0x2c(%edi),%edx
d1e10: 0f b7 c3 movzwl %bx,%eax
d1e13: 89 04 24 mov %eax,(%esp)
d1e16: 89 f8 mov %edi,%eax
d1e18: e8 e3 e8 ff ff call d0700 <address>
d1e1d: 8b 57 28 mov 0x28(%edi),%edx
d1e20: 42 inc %edx
d1e21: 89 55 ac mov %edx,0xffffffac(%ebp)
d1e24: 89 57 28 mov %edx,0x28(%edi)
d1e27: 0f b6 10 movzbl (%eax),%edx
d1e2a: 89 d0 mov %edx,%eax
d1e2c: c1 e8 03 shr $0x3,%eax
d1e2f: 83 e0 07 and $0x7,%eax
d1e32: 83 f8 05 cmp $0x5,%eax
d1e35: 0f 84 94 0f 00 00 je d2dcf <emulate+0x120f>
d1e3b: 83 f8 06 cmp $0x6,%eax
d1e3e: 0f 85 7e fe ff ff jne d1cc2 <emulate+0x102>
d1e44: 89 14 24 mov %edx,(%esp)
d1e47: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d1e4a: 89 fa mov %edi,%edx
d1e4c: e8 9f ed ff ff call d0bf0 <operand>
d1e51: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d1e55: 89 c3 mov %eax,%ebx
d1e57: 0f 85 11 0a 00 00 jne d286e <emulate+0xcae>
d1e5d: 0f b7 30 movzwl (%eax),%esi
d1e60: 8b 47 34 mov 0x34(%edi),%eax
d1e63: 8b 57 38 mov 0x38(%edi),%edx
d1e66: 83 e8 02 sub $0x2,%eax
d1e69: 89 47 34 mov %eax,0x34(%edi)
d1e6c: 25 ff ff 00 00 and $0xffff,%eax
d1e71: 89 04 24 mov %eax,(%esp)
d1e74: 89 f8 mov %edi,%eax
d1e76: e8 85 e8 ff ff call d0700 <address>
d1e7b: 66 89 30 mov %si,(%eax)
d1e7e: 89 5c 24 0c mov %ebx,0xc(%esp)
d1e82: b9 6b 4c 0d 00 mov $0xd4c6b,%ecx
d1e87: 8b 55 ac mov 0xffffffac(%ebp),%edx
d1e8a: 89 4c 24 08 mov %ecx,0x8(%esp)
d1e8e: 8b 47 28 mov 0x28(%edi),%eax
d1e91: 29 d0 sub %edx,%eax
d1e93: 40 inc %eax
d1e94: e9 7a 05 00 00 jmp d2413 <emulate+0x853>
d1e99: 89 3c 24 mov %edi,(%esp)
d1e9c: b8 76 4c 0d 00 mov $0xd4c76,%eax
d1ea1: 89 44 24 08 mov %eax,0x8(%esp)
d1ea5: 8b 45 ec mov 0xffffffec(%ebp),%eax
d1ea8: 29 c3 sub %eax,%ebx
d1eaa: 89 5c 24 04 mov %ebx,0x4(%esp)
d1eae: e8 dd e9 ff ff call d0890 <trace>
d1eb3: 81 4f 30 00 02 00 00 orl $0x200,0x30(%edi)
d1eba: 8b 77 28 mov 0x28(%edi),%esi
d1ebd: e9 85 fd ff ff jmp d1c47 <emulate+0x87>
d1ec2: 89 3c 24 mov %edi,(%esp)
d1ec5: 8b 45 ec mov 0xffffffec(%ebp),%eax
d1ec8: ba 7a 4c 0d 00 mov $0xd4c7a,%edx
d1ecd: 89 54 24 08 mov %edx,0x8(%esp)
d1ed1: 29 c3 sub %eax,%ebx
d1ed3: 89 5c 24 04 mov %ebx,0x4(%esp)
d1ed7: e8 b4 e9 ff ff call d0890 <trace>
d1edc: 81 67 30 ff fd ff ff andl $0xfffffdff,0x30(%edi)
d1ee3: 8b 77 28 mov 0x28(%edi),%esi
d1ee6: e9 5c fd ff ff jmp d1c47 <emulate+0x87>
d1eeb: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp)
d1eef: 0f 84 cd fd ff ff je d1cc2 <emulate+0x102>
d1ef5: 8d 43 ff lea 0xffffffff(%ebx),%eax
d1ef8: 89 45 a4 mov %eax,0xffffffa4(%ebp)
d1efb: 8b 57 2c mov 0x2c(%edi),%edx
d1efe: 0f b7 c3 movzwl %bx,%eax
d1f01: 89 04 24 mov %eax,(%esp)
d1f04: 89 f8 mov %edi,%eax
d1f06: e8 f5 e7 ff ff call d0700 <address>
d1f0b: ff 47 28 incl 0x28(%edi)
d1f0e: 89 fa mov %edi,%edx
d1f10: 0f b6 18 movzbl (%eax),%ebx
d1f13: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d1f16: 89 1c 24 mov %ebx,(%esp)
d1f19: e8 d2 ec ff ff call d0bf0 <operand>
d1f1e: 89 45 a0 mov %eax,0xffffffa0(%ebp)
d1f21: 89 d8 mov %ebx,%eax
d1f23: 25 c0 00 00 00 and $0xc0,%eax
d1f28: 3d c0 00 00 00 cmp $0xc0,%eax
d1f2d: 0f 84 8f fd ff ff je d1cc2 <emulate+0x102>
d1f33: 81 fe f6 00 00 00 cmp $0xf6,%esi
d1f39: 0f 85 05 fd ff ff jne d1c44 <emulate+0x84>
d1f3f: f6 c3 38 test $0x38,%bl
d1f42: 0f 85 7a fd ff ff jne d1cc2 <emulate+0x102>
d1f48: 0f b7 47 28 movzwl 0x28(%edi),%eax
d1f4c: 8b 57 2c mov 0x2c(%edi),%edx
d1f4f: 89 04 24 mov %eax,(%esp)
d1f52: 89 f8 mov %edi,%eax
d1f54: e8 a7 e7 ff ff call d0700 <address>
d1f59: 8b 4f 28 mov 0x28(%edi),%ecx
d1f5c: 41 inc %ecx
d1f5d: 89 4f 28 mov %ecx,0x28(%edi)
d1f60: 8b 5d a0 mov 0xffffffa0(%ebp),%ebx
d1f63: 0f b6 10 movzbl (%eax),%edx
d1f66: 0f b6 03 movzbl (%ebx),%eax
d1f69: 21 d0 and %edx,%eax
d1f6b: 0f 84 03 0c 00 00 je d2b74 <emulate+0xfb4>
d1f71: 83 67 30 bf andl $0xffffffbf,0x30(%edi)
d1f75: 89 44 24 14 mov %eax,0x14(%esp)
d1f79: 8b 5d a4 mov 0xffffffa4(%ebp),%ebx
d1f7c: be 7e 4c 0d 00 mov $0xd4c7e,%esi
d1f81: 89 54 24 0c mov %edx,0xc(%esp)
d1f85: 8b 45 a0 mov 0xffffffa0(%ebp),%eax
d1f88: 89 74 24 08 mov %esi,0x8(%esp)
d1f8c: 29 d9 sub %ebx,%ecx
d1f8e: 89 44 24 10 mov %eax,0x10(%esp)
d1f92: 89 4c 24 04 mov %ecx,0x4(%esp)
d1f96: 89 3c 24 mov %edi,(%esp)
d1f99: e8 f2 e8 ff ff call d0890 <trace>
d1f9e: 8b 77 28 mov 0x28(%edi),%esi
d1fa1: e9 a1 fc ff ff jmp d1c47 <emulate+0x87>
d1fa6: 89 3c 24 mov %edi,(%esp)
d1fa9: b8 98 4c 0d 00 mov $0xd4c98,%eax
d1fae: 89 44 24 08 mov %eax,0x8(%esp)
d1fb2: 8b 45 ec mov 0xffffffec(%ebp),%eax
d1fb5: 29 c3 sub %eax,%ebx
d1fb7: 89 5c 24 04 mov %ebx,0x4(%esp)
d1fbb: e8 d0 e8 ff ff call d0890 <trace>
d1fc0: 8b 77 28 mov 0x28(%edi),%esi
d1fc3: e9 28 fc ff ff jmp d1bf0 <emulate+0x30>
d1fc8: 89 3c 24 mov %edi,(%esp)
d1fcb: 8b 55 ec mov 0xffffffec(%ebp),%edx
d1fce: b9 9d 4c 0d 00 mov $0xd4c9d,%ecx
d1fd3: 89 4c 24 08 mov %ecx,0x8(%esp)
d1fd7: 29 d3 sub %edx,%ebx
d1fd9: 89 5c 24 04 mov %ebx,0x4(%esp)
d1fdd: e8 ae e8 ff ff call d0890 <trace>
d1fe2: 83 4d e0 40 orl $0x40,0xffffffe0(%ebp)
d1fe6: 8b 77 28 mov 0x28(%edi),%esi
d1fe9: e9 02 fc ff ff jmp d1bf0 <emulate+0x30>
d1fee: 89 3c 24 mov %edi,(%esp)
d1ff1: 8b 75 ec mov 0xffffffec(%ebp),%esi
d1ff4: b8 a3 4c 0d 00 mov $0xd4ca3,%eax
d1ff9: 89 44 24 08 mov %eax,0x8(%esp)
d1ffd: 29 f3 sub %esi,%ebx
d1fff: 89 5c 24 04 mov %ebx,0x4(%esp)
d2003: e8 88 e8 ff ff call d0890 <trace>
d2008: 83 4d e0 08 orl $0x8,0xffffffe0(%ebp)
d200c: 8b 77 28 mov 0x28(%edi),%esi
d200f: e9 dc fb ff ff jmp d1bf0 <emulate+0x30>
d2014: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d201b: 0f 84 a1 fc ff ff je d1cc2 <emulate+0x102>
d2021: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp)
d2025: 0f 84 97 fc ff ff je d1cc2 <emulate+0x102>
d202b: 8d 43 ff lea 0xffffffff(%ebx),%eax
d202e: 89 45 cc mov %eax,0xffffffcc(%ebp)
d2031: 8b 57 2c mov 0x2c(%edi),%edx
d2034: 0f b7 c3 movzwl %bx,%eax
d2037: 89 04 24 mov %eax,(%esp)
d203a: 89 f8 mov %edi,%eax
d203c: e8 bf e6 ff ff call d0700 <address>
d2041: ff 47 28 incl 0x28(%edi)
d2044: 89 fa mov %edi,%edx
d2046: 0f b6 00 movzbl (%eax),%eax
d2049: 89 45 c8 mov %eax,0xffffffc8(%ebp)
d204c: 89 04 24 mov %eax,(%esp)
d204f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2052: e8 99 eb ff ff call d0bf0 <operand>
d2057: 89 45 c4 mov %eax,0xffffffc4(%ebp)
d205a: 8b 55 c8 mov 0xffffffc8(%ebp),%edx
d205d: 81 65 c8 c0 00 00 00 andl $0xc0,0xffffffc8(%ebp)
d2064: c1 ea 03 shr $0x3,%edx
d2067: 83 e2 07 and $0x7,%edx
d206a: 81 7d c8 c0 00 00 00 cmpl $0xc0,0xffffffc8(%ebp)
d2071: 89 55 c0 mov %edx,0xffffffc0(%ebp)
d2074: 0f 84 48 fc ff ff je d1cc2 <emulate+0x102>
d207a: 83 fe 39 cmp $0x39,%esi
d207d: 0f 85 c1 fb ff ff jne d1c44 <emulate+0x84>
d2083: 89 f8 mov %edi,%eax
d2085: e8 36 e9 ff ff call d09c0 <getreg32>
d208a: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d208e: 89 c2 mov %eax,%edx
d2090: 0f 85 e7 0a 00 00 jne d2b7d <emulate+0xfbd>
d2096: 8b 4d c4 mov 0xffffffc4(%ebp),%ecx
d2099: 0f b7 01 movzwl (%ecx),%eax
d209c: 29 d0 sub %edx,%eax
d209e: 66 85 c0 test %ax,%ax
d20a1: 0f 85 4c 0c 00 00 jne d2cf3 <emulate+0x1133>
d20a7: 83 4f 30 40 orl $0x40,0x30(%edi)
d20ab: 89 44 24 14 mov %eax,0x14(%esp)
d20af: 8b 55 c0 mov 0xffffffc0(%ebp),%edx
d20b2: b9 a9 4c 0d 00 mov $0xd4ca9,%ecx
d20b7: 89 4c 24 08 mov %ecx,0x8(%esp)
d20bb: 8b 5d c4 mov 0xffffffc4(%ebp),%ebx
d20be: 8b 04 95 a0 55 0d 00 mov 0xd55a0(,%edx,4),%eax
d20c5: 89 5c 24 10 mov %ebx,0x10(%esp)
d20c9: 89 44 24 0c mov %eax,0xc(%esp)
d20cd: 8b 47 28 mov 0x28(%edi),%eax
d20d0: 8b 55 cc mov 0xffffffcc(%ebp),%edx
d20d3: 29 d0 sub %edx,%eax
d20d5: 89 44 24 04 mov %eax,0x4(%esp)
d20d9: e9 b8 fe ff ff jmp d1f96 <emulate+0x3d6>
d20de: 89 3c 24 mov %edi,(%esp)
d20e1: 8b 75 ec mov 0xffffffec(%ebp),%esi
d20e4: b8 c0 4c 0d 00 mov $0xd4cc0,%eax
d20e9: 89 44 24 08 mov %eax,0x8(%esp)
d20ed: 29 f3 sub %esi,%ebx
d20ef: 89 5c 24 04 mov %ebx,0x4(%esp)
d20f3: e8 98 e7 ff ff call d0890 <trace>
d20f8: 83 4d e0 20 orl $0x20,0xffffffe0(%ebp)
d20fc: 8b 77 28 mov 0x28(%edi),%esi
d20ff: e9 ec fa ff ff jmp d1bf0 <emulate+0x30>
d2104: 89 3c 24 mov %edi,(%esp)
d2107: b8 c6 4c 0d 00 mov $0xd4cc6,%eax
d210c: 89 44 24 08 mov %eax,0x8(%esp)
d2110: 8b 45 ec mov 0xffffffec(%ebp),%eax
d2113: 29 c3 sub %eax,%ebx
d2115: 89 5c 24 04 mov %ebx,0x4(%esp)
d2119: e8 72 e7 ff ff call d0890 <trace>
d211e: 83 4d e0 04 orl $0x4,0xffffffe0(%ebp)
d2122: 8b 77 28 mov 0x28(%edi),%esi
d2125: e9 c6 fa ff ff jmp d1bf0 <emulate+0x30>
d212a: 89 3c 24 mov %edi,(%esp)
d212d: b8 cc 4c 0d 00 mov $0xd4ccc,%eax
d2132: 89 44 24 08 mov %eax,0x8(%esp)
d2136: 8b 45 ec mov 0xffffffec(%ebp),%eax
d2139: 29 c3 sub %eax,%ebx
d213b: 89 5c 24 04 mov %ebx,0x4(%esp)
d213f: e8 4c e7 ff ff call d0890 <trace>
d2144: 83 4d e0 10 orl $0x10,0xffffffe0(%ebp)
d2148: 8b 77 28 mov 0x28(%edi),%esi
d214b: e9 a0 fa ff ff jmp d1bf0 <emulate+0x30>
d2150: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2154: 0f 85 9a 05 00 00 jne d26f4 <emulate+0xb34>
d215a: 0f b7 47 34 movzwl 0x34(%edi),%eax
d215e: 8b 57 38 mov 0x38(%edi),%edx
d2161: 89 04 24 mov %eax,(%esp)
d2164: 89 f8 mov %edi,%eax
d2166: e8 95 e5 ff ff call d0700 <address>
d216b: 0f b7 00 movzwl (%eax),%eax
d216e: 83 47 34 02 addl $0x2,0x34(%edi)
d2172: 89 47 40 mov %eax,0x40(%edi)
d2175: b9 d2 4c 0d 00 mov $0xd4cd2,%ecx
d217a: 8b 55 ec mov 0xffffffec(%ebp),%edx
d217d: 89 4c 24 08 mov %ecx,0x8(%esp)
d2181: 8b 47 28 mov 0x28(%edi),%eax
d2184: 89 3c 24 mov %edi,(%esp)
d2187: 29 d0 sub %edx,%eax
d2189: 89 44 24 04 mov %eax,0x4(%esp)
d218d: e8 fe e6 ff ff call d0890 <trace>
d2192: 83 3d 04 76 0d 00 01 cmpl $0x1,0xd7604
d2199: 0f 85 a5 fa ff ff jne d1c44 <emulate+0x84>
d219f: 31 c0 xor %eax,%eax
d21a1: a3 60 76 0d 00 mov %eax,0xd7660
d21a6: 8b 47 40 mov 0x40(%edi),%eax
d21a9: a3 f8 97 0d 00 mov %eax,0xd97f8
d21ae: 8b 77 28 mov 0x28(%edi),%esi
d21b1: e9 91 fa ff ff jmp d1c47 <emulate+0x87>
d21b6: 83 3d 04 76 0d 00 03 cmpl $0x3,0xd7604
d21bd: 0f 84 ff fa ff ff je d1cc2 <emulate+0x102>
d21c3: 8b 57 2c mov 0x2c(%edi),%edx
d21c6: 0f b7 c3 movzwl %bx,%eax
d21c9: 89 04 24 mov %eax,(%esp)
d21cc: 89 f8 mov %edi,%eax
d21ce: e8 2d e5 ff ff call d0700 <address>
d21d3: 8b 4f 28 mov 0x28(%edi),%ecx
d21d6: 41 inc %ecx
d21d7: 89 ce mov %ecx,%esi
d21d9: 89 4f 28 mov %ecx,0x28(%edi)
d21dc: 0f b6 18 movzbl (%eax),%ebx
d21df: 83 fb 32 cmp $0x32,%ebx
d21e2: 89 5d e8 mov %ebx,0xffffffe8(%ebp)
d21e5: 0f 87 d7 fa ff ff ja d1cc2 <emulate+0x102>
d21eb: ff 24 9d 48 49 0d 00 jmp *0xd4948(,%ebx,4)
d21f2: a1 04 76 0d 00 mov 0xd7604,%eax
d21f7: 48 dec %eax
d21f8: 83 f8 01 cmp $0x1,%eax
d21fb: 0f 87 c1 fa ff ff ja d1cc2 <emulate+0x102>
d2201: 8b 57 2c mov 0x2c(%edi),%edx
d2204: 0f b7 c3 movzwl %bx,%eax
d2207: 89 04 24 mov %eax,(%esp)
d220a: 89 f8 mov %edi,%eax
d220c: e8 ef e4 ff ff call d0700 <address>
d2211: 8b 77 28 mov 0x28(%edi),%esi
d2214: 46 inc %esi
d2215: 89 77 28 mov %esi,0x28(%edi)
d2218: 0f be 00 movsbl (%eax),%eax
d221b: 89 3c 24 mov %edi,(%esp)
d221e: 89 45 e4 mov %eax,0xffffffe4(%ebp)
d2221: 8d 04 06 lea (%esi,%eax,1),%eax
d2224: 89 44 24 0c mov %eax,0xc(%esp)
d2228: b8 db 4c 0d 00 mov $0xd4cdb,%eax
d222d: 89 44 24 08 mov %eax,0x8(%esp)
d2231: b8 02 00 00 00 mov $0x2,%eax
d2236: 89 44 24 04 mov %eax,0x4(%esp)
d223a: e8 51 e6 ff ff call d0890 <trace>
d223f: 8b 47 28 mov 0x28(%edi),%eax
d2242: 8b 75 e4 mov 0xffffffe4(%ebp),%esi
d2245: 01 c6 add %eax,%esi
d2247: 89 77 28 mov %esi,0x28(%edi)
d224a: ff 45 f0 incl 0xfffffff0(%ebp)
d224d: e9 f8 f9 ff ff jmp d1c4a <emulate+0x8a>
d2252: a1 04 76 0d 00 mov 0xd7604,%eax
d2257: 48 dec %eax
d2258: 83 f8 01 cmp $0x1,%eax
d225b: 0f 87 61 fa ff ff ja d1cc2 <emulate+0x102>
d2261: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2265: 0f 84 cc 06 00 00 je d2937 <emulate+0xd77>
d226b: 8b 57 2c mov 0x2c(%edi),%edx
d226e: 0f b7 c3 movzwl %bx,%eax
d2271: 89 04 24 mov %eax,(%esp)
d2274: 89 f8 mov %edi,%eax
d2276: e8 85 e4 ff ff call d0700 <address>
d227b: 8b 77 28 mov 0x28(%edi),%esi
d227e: 83 c6 04 add $0x4,%esi
d2281: 89 77 28 mov %esi,0x28(%edi)
d2284: 8b 00 mov (%eax),%eax
d2286: 89 45 b4 mov %eax,0xffffffb4(%ebp)
d2289: 8b 57 2c mov 0x2c(%edi),%edx
d228c: 89 f0 mov %esi,%eax
d228e: 25 ff ff 00 00 and $0xffff,%eax
d2293: 89 04 24 mov %eax,(%esp)
d2296: 89 f8 mov %edi,%eax
d2298: e8 63 e4 ff ff call d0700 <address>
d229d: 8b 77 28 mov 0x28(%edi),%esi
d22a0: 83 c6 02 add $0x2,%esi
d22a3: 89 77 28 mov %esi,0x28(%edi)
d22a6: 29 de sub %ebx,%esi
d22a8: 0f b7 00 movzwl (%eax),%eax
d22ab: 89 3c 24 mov %edi,(%esp)
d22ae: 89 45 b0 mov %eax,0xffffffb0(%ebp)
d22b1: 8b 45 b4 mov 0xffffffb4(%ebp),%eax
d22b4: 8b 55 b0 mov 0xffffffb0(%ebp),%edx
d22b7: 89 44 24 10 mov %eax,0x10(%esp)
d22bb: b8 e4 4c 0d 00 mov $0xd4ce4,%eax
d22c0: 89 44 24 08 mov %eax,0x8(%esp)
d22c4: 8d 46 01 lea 0x1(%esi),%eax
d22c7: 89 54 24 0c mov %edx,0xc(%esp)
d22cb: 89 44 24 04 mov %eax,0x4(%esp)
d22cf: e8 bc e5 ff ff call d0890 <trace>
d22d4: 8b 4d b0 mov 0xffffffb0(%ebp),%ecx
d22d7: 89 4f 2c mov %ecx,0x2c(%edi)
d22da: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx
d22dd: 89 5f 28 mov %ebx,0x28(%edi)
d22e0: a1 04 76 0d 00 mov 0xd7604,%eax
d22e5: 83 f8 01 cmp $0x1,%eax
d22e8: 0f 84 fa 09 00 00 je d2ce8 <emulate+0x1128>
d22ee: 83 f8 02 cmp $0x2,%eax
d22f1: 0f 84 de 09 00 00 je d2cd5 <emulate+0x1115>
d22f7: c7 04 24 f3 4c 0d 00 movl $0xd4cf3,(%esp)
d22fe: e8 7d 16 00 00 call d3980 <panic>
d2303: e9 de f9 ff ff jmp d1ce6 <emulate+0x126>
d2308: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d230c: 0f 84 d2 04 00 00 je d27e4 <emulate+0xc24>
d2312: 89 3c 24 mov %edi,(%esp)
d2315: b8 f8 4c 0d 00 mov $0xd4cf8,%eax
d231a: 89 44 24 08 mov %eax,0x8(%esp)
d231e: 8b 45 ec mov 0xffffffec(%ebp),%eax
d2321: 29 c3 sub %eax,%ebx
d2323: 89 5c 24 04 mov %ebx,0x4(%esp)
d2327: e8 64 e5 ff ff call d0890 <trace>
d232c: 0f b7 47 34 movzwl 0x34(%edi),%eax
d2330: 8b 57 38 mov 0x38(%edi),%edx
d2333: 89 04 24 mov %eax,(%esp)
d2336: 89 f8 mov %edi,%eax
d2338: e8 c3 e3 ff ff call d0700 <address>
d233d: 8b 10 mov (%eax),%edx
d233f: 8b 47 34 mov 0x34(%edi),%eax
d2342: 89 57 28 mov %edx,0x28(%edi)
d2345: 83 c0 04 add $0x4,%eax
d2348: 8b 57 38 mov 0x38(%edi),%edx
d234b: 89 47 34 mov %eax,0x34(%edi)
d234e: 25 ff ff 00 00 and $0xffff,%eax
d2353: 89 04 24 mov %eax,(%esp)
d2356: 89 f8 mov %edi,%eax
d2358: e8 a3 e3 ff ff call d0700 <address>
d235d: 8b 10 mov (%eax),%edx
d235f: 8b 47 34 mov 0x34(%edi),%eax
d2362: 89 57 2c mov %edx,0x2c(%edi)
d2365: 83 c0 04 add $0x4,%eax
d2368: 8b 57 38 mov 0x38(%edi),%edx
d236b: 89 47 34 mov %eax,0x34(%edi)
d236e: 25 ff ff 00 00 and $0xffff,%eax
d2373: 89 04 24 mov %eax,(%esp)
d2376: 89 f8 mov %edi,%eax
d2378: e8 83 e3 ff ff call d0700 <address>
d237d: 8b 00 mov (%eax),%eax
d237f: 83 47 34 04 addl $0x4,0x34(%edi)
d2383: 89 47 30 mov %eax,0x30(%edi)
d2386: 8b 77 28 mov 0x28(%edi),%esi
d2389: e9 b9 f8 ff ff jmp d1c47 <emulate+0x87>
d238e: 89 3c 24 mov %edi,(%esp)
d2391: 8b 45 ec mov 0xffffffec(%ebp),%eax
d2394: ba 05 4d 0d 00 mov $0xd4d05,%edx
d2399: 89 54 24 08 mov %edx,0x8(%esp)
d239d: 29 c3 sub %eax,%ebx
d239f: 89 5c 24 04 mov %ebx,0x4(%esp)
d23a3: e8 e8 e4 ff ff call d0890 <trace>
d23a8: 0f b7 47 28 movzwl 0x28(%edi),%eax
d23ac: 8b 57 2c mov 0x2c(%edi),%edx
d23af: 89 04 24 mov %eax,(%esp)
d23b2: 89 f8 mov %edi,%eax
d23b4: e8 47 e3 ff ff call d0700 <address>
d23b9: ff 47 28 incl 0x28(%edi)
d23bc: 0f b6 10 movzbl (%eax),%edx
d23bf: 89 f8 mov %edi,%eax
d23c1: e8 9a f5 ff ff call d1960 <interrupt>
d23c6: 8b 77 28 mov 0x28(%edi),%esi
d23c9: e9 79 f8 ff ff jmp d1c47 <emulate+0x87>
d23ce: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d23d2: 0f 85 e2 03 00 00 jne d27ba <emulate+0xbfa>
d23d8: 8b 57 2c mov 0x2c(%edi),%edx
d23db: 0f b7 c3 movzwl %bx,%eax
d23de: 89 04 24 mov %eax,(%esp)
d23e1: 89 f8 mov %edi,%eax
d23e3: e8 18 e3 ff ff call d0700 <address>
d23e8: 83 47 28 02 addl $0x2,0x28(%edi)
d23ec: ba 03 00 00 00 mov $0x3,%edx
d23f1: 0f b7 18 movzwl (%eax),%ebx
d23f4: 89 f8 mov %edi,%eax
d23f6: 89 1c 24 mov %ebx,(%esp)
d23f9: e8 82 e6 ff ff call d0a80 <setreg16>
d23fe: 89 5c 24 0c mov %ebx,0xc(%esp)
d2402: b9 09 4d 0d 00 mov $0xd4d09,%ecx
d2407: 8b 55 ec mov 0xffffffec(%ebp),%edx
d240a: 89 4c 24 08 mov %ecx,0x8(%esp)
d240e: 8b 47 28 mov 0x28(%edi),%eax
d2411: 29 d0 sub %edx,%eax
d2413: 89 44 24 04 mov %eax,0x4(%esp)
d2417: 89 3c 24 mov %edi,(%esp)
d241a: e8 71 e4 ff ff call d0890 <trace>
d241f: 8b 77 28 mov 0x28(%edi),%esi
d2422: e9 20 f8 ff ff jmp d1c47 <emulate+0x87>
d2427: 8b 47 40 mov 0x40(%edi),%eax
d242a: 89 fa mov %edi,%edx
d242c: 89 04 24 mov %eax,(%esp)
d242f: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2432: e8 89 e6 ff ff call d0ac0 <segment>
d2437: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp)
d243b: 89 c6 mov %eax,%esi
d243d: 0f 85 35 03 00 00 jne d2778 <emulate+0xbb8>
d2443: 8b 57 2c mov 0x2c(%edi),%edx
d2446: 0f b7 c3 movzwl %bx,%eax
d2449: 89 04 24 mov %eax,(%esp)
d244c: 89 f8 mov %edi,%eax
d244e: e8 ad e2 ff ff call d0700 <address>
d2453: 83 47 28 02 addl $0x2,0x28(%edi)
d2457: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d245b: 0f b7 00 movzwl (%eax),%eax
d245e: 0f 84 34 03 00 00 je d2798 <emulate+0xbd8>
d2464: 89 04 24 mov %eax,(%esp)
d2467: 89 f2 mov %esi,%edx
d2469: 89 f8 mov %edi,%eax
d246b: e8 90 e2 ff ff call d0700 <address>
d2470: 89 c3 mov %eax,%ebx
d2472: 8b 00 mov (%eax),%eax
d2474: 31 d2 xor %edx,%edx
d2476: 89 04 24 mov %eax,(%esp)
d2479: 89 f8 mov %edi,%eax
d247b: e8 b0 e5 ff ff call d0a30 <setreg32>
d2480: 89 5c 24 0c mov %ebx,0xc(%esp)
d2484: bb 19 4d 0d 00 mov $0xd4d19,%ebx
d2489: 8b 55 ec mov 0xffffffec(%ebp),%edx
d248c: 89 5c 24 08 mov %ebx,0x8(%esp)
d2490: 8b 47 28 mov 0x28(%edi),%eax
d2493: e9 79 ff ff ff jmp d2411 <emulate+0x851>
d2498: 89 3c 24 mov %edi,(%esp)
d249b: 8b 75 ec mov 0xffffffec(%ebp),%esi
d249e: b8 29 4d 0d 00 mov $0xd4d29,%eax
d24a3: 89 44 24 08 mov %eax,0x8(%esp)
d24a7: 29 f3 sub %esi,%ebx
d24a9: 89 5c 24 04 mov %ebx,0x4(%esp)
d24ad: e8 de e3 ff ff call d0890 <trace>
d24b2: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d24b6: 0f 85 a0 02 00 00 jne d275c <emulate+0xb9c>
d24bc: 0f b7 47 34 movzwl 0x34(%edi),%eax
d24c0: 8b 57 38 mov 0x38(%edi),%edx
d24c3: 8b 77 30 mov 0x30(%edi),%esi
d24c6: 89 04 24 mov %eax,(%esp)
d24c9: 89 f8 mov %edi,%eax
d24cb: 81 e6 00 00 ff ff and $0xffff0000,%esi
d24d1: e8 2a e2 ff ff call d0700 <address>
d24d6: 0f b7 00 movzwl (%eax),%eax
d24d9: 83 47 34 02 addl $0x2,0x34(%edi)
d24dd: 09 f0 or %esi,%eax
d24df: 0d 00 30 02 00 or $0x23000,%eax
d24e4: 89 47 30 mov %eax,0x30(%edi)
d24e7: e9 9a fe ff ff jmp d2386 <emulate+0x7c6>
d24ec: 89 3c 24 mov %edi,(%esp)
d24ef: b8 2e 4d 0d 00 mov $0xd4d2e,%eax
d24f4: 89 44 24 08 mov %eax,0x8(%esp)
d24f8: 8b 45 ec mov 0xffffffec(%ebp),%eax
d24fb: 29 c3 sub %eax,%ebx
d24fd: 89 5c 24 04 mov %ebx,0x4(%esp)
d2501: e8 8a e3 ff ff call d0890 <trace>
d2506: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d250a: 0f 84 1d 02 00 00 je d272d <emulate+0xb6d>
d2510: 8b 47 34 mov 0x34(%edi),%eax
d2513: 8b 77 30 mov 0x30(%edi),%esi
d2516: 8b 57 38 mov 0x38(%edi),%edx
d2519: 83 e8 04 sub $0x4,%eax
d251c: 81 e6 ff cf fd ff and $0xfffdcfff,%esi
d2522: 89 47 34 mov %eax,0x34(%edi)
d2525: 25 ff ff 00 00 and $0xffff,%eax
d252a: 89 04 24 mov %eax,(%esp)
d252d: 89 f8 mov %edi,%eax
d252f: e8 cc e1 ff ff call d0700 <address>
d2534: 89 30 mov %esi,(%eax)
d2536: 8b 77 28 mov 0x28(%edi),%esi
d2539: e9 09 f7 ff ff jmp d1c47 <emulate+0x87>
d253e: 89 3c 24 mov %edi,(%esp)
d2541: b8 34 4d 0d 00 mov $0xd4d34,%eax
d2546: 89 44 24 08 mov %eax,0x8(%esp)
d254a: 8b 45 ec mov 0xffffffec(%ebp),%eax
d254d: 29 c3 sub %eax,%ebx
d254f: 89 5c 24 04 mov %ebx,0x4(%esp)
d2553: e8 38 e3 ff ff call d0890 <trace>
d2558: 8b 77 28 mov 0x28(%edi),%esi
d255b: e9 e7 f6 ff ff jmp d1c47 <emulate+0x87>
d2560: f6 45 e0 02 testb $0x2,0xffffffe0(%ebp)
d2564: 0f 84 58 f7 ff ff je d1cc2 <emulate+0x102>
d256a: 8d 4b ff lea 0xffffffff(%ebx),%ecx
d256d: 0f b7 c3 movzwl %bx,%eax
d2570: 89 4d bc mov %ecx,0xffffffbc(%ebp)
d2573: 8b 57 2c mov 0x2c(%edi),%edx
d2576: 89 04 24 mov %eax,(%esp)
d2579: 89 f8 mov %edi,%eax
d257b: e8 80 e1 ff ff call d0700 <address>
d2580: ff 47 28 incl 0x28(%edi)
d2583: 89 fa mov %edi,%edx
d2585: 0f b6 18 movzbl (%eax),%ebx
d2588: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d258b: 89 1c 24 mov %ebx,(%esp)
d258e: e8 5d e6 ff ff call d0bf0 <operand>
d2593: 89 45 b8 mov %eax,0xffffffb8(%ebp)
d2596: 89 d8 mov %ebx,%eax
d2598: 25 c0 00 00 00 and $0xc0,%eax
d259d: 3d c0 00 00 00 cmp $0xc0,%eax
d25a2: 0f 84 1a f7 ff ff je d1cc2 <emulate+0x102>
d25a8: 81 fe 8f 00 00 00 cmp $0x8f,%esi
d25ae: 0f 85 90 f6 ff ff jne d1c44 <emulate+0x84>
d25b4: f6 c3 38 test $0x38,%bl
d25b7: 0f 85 05 f7 ff ff jne d1cc2 <emulate+0x102>
d25bd: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d25c1: 0f 85 ee 05 00 00 jne d2bb5 <emulate+0xff5>
d25c7: 0f b7 47 34 movzwl 0x34(%edi),%eax
d25cb: 8b 57 38 mov 0x38(%edi),%edx
d25ce: 89 04 24 mov %eax,(%esp)
d25d1: 89 f8 mov %edi,%eax
d25d3: e8 28 e1 ff ff call d0700 <address>
d25d8: 0f b7 00 movzwl (%eax),%eax
d25db: 83 47 34 02 addl $0x2,0x34(%edi)
d25df: 8b 55 b8 mov 0xffffffb8(%ebp),%edx
d25e2: 66 89 02 mov %ax,(%edx)
d25e5: 8b 4d b8 mov 0xffffffb8(%ebp),%ecx
d25e8: 8b 55 bc mov 0xffffffbc(%ebp),%edx
d25eb: 89 4c 24 0c mov %ecx,0xc(%esp)
d25ef: b9 38 4d 0d 00 mov $0xd4d38,%ecx
d25f4: 89 4c 24 08 mov %ecx,0x8(%esp)
d25f8: 8b 47 28 mov 0x28(%edi),%eax
d25fb: e9 11 fe ff ff jmp d2411 <emulate+0x851>
d2600: 8b 57 2c mov 0x2c(%edi),%edx
d2603: 0f b7 c3 movzwl %bx,%eax
d2606: 89 04 24 mov %eax,(%esp)
d2609: 89 f8 mov %edi,%eax
d260b: e8 f0 e0 ff ff call d0700 <address>
d2610: ff 47 28 incl 0x28(%edi)
d2613: 0f b6 10 movzbl (%eax),%edx
d2616: a1 04 76 0d 00 mov 0xd7604,%eax
d261b: 48 dec %eax
d261c: 83 f8 01 cmp $0x1,%eax
d261f: 0f 87 9d f6 ff ff ja d1cc2 <emulate+0x102>
d2625: 89 d0 mov %edx,%eax
d2627: 25 c0 00 00 00 and $0xc0,%eax
d262c: 3d c0 00 00 00 cmp $0xc0,%eax
d2631: 0f 85 65 f6 ff ff jne d1c9c <emulate+0xdc>
d2637: 89 d0 mov %edx,%eax
d2639: 83 e0 38 and $0x38,%eax
d263c: c1 e8 03 shr $0x3,%eax
d263f: 83 f8 05 cmp $0x5,%eax
d2642: 0f 87 54 f6 ff ff ja d1c9c <emulate+0xdc>
d2648: ff 24 85 14 4a 0d 00 jmp *0xd4a14(,%eax,4)
d264f: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2656: 0f 85 2b f6 ff ff jne d1c87 <emulate+0xc7>
d265c: 8d 74 26 00 lea 0x0(%esi),%esi
d2660: e9 28 f6 ff ff jmp d1c8d <emulate+0xcd>
d2665: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d266c: 0f 84 20 02 00 00 je d2892 <emulate+0xcd2>
d2672: 89 3c 24 mov %edi,(%esp)
d2675: 8b 45 ec mov 0xffffffec(%ebp),%eax
d2678: ba 42 4d 0d 00 mov $0xd4d42,%edx
d267d: 89 54 24 08 mov %edx,0x8(%esp)
d2681: 29 c3 sub %eax,%ebx
d2683: 89 5c 24 04 mov %ebx,0x4(%esp)
d2687: e8 04 e2 ff ff call d0890 <trace>
d268c: 83 4d e0 02 orl $0x2,0xffffffe0(%ebp)
d2690: 8b 77 28 mov 0x28(%edi),%esi
d2693: e9 58 f5 ff ff jmp d1bf0 <emulate+0x30>
d2698: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d269f: 0f 84 20 02 00 00 je d28c5 <emulate+0xd05>
d26a5: 89 3c 24 mov %edi,(%esp)
d26a8: b8 49 4d 0d 00 mov $0xd4d49,%eax
d26ad: 89 44 24 08 mov %eax,0x8(%esp)
d26b1: 8b 45 ec mov 0xffffffec(%ebp),%eax
d26b4: 29 c3 sub %eax,%ebx
d26b6: 89 5c 24 04 mov %ebx,0x4(%esp)
d26ba: e8 d1 e1 ff ff call d0890 <trace>
d26bf: 83 4d e0 01 orl $0x1,0xffffffe0(%ebp)
d26c3: 8b 77 28 mov 0x28(%edi),%esi
d26c6: e9 25 f5 ff ff jmp d1bf0 <emulate+0x30>
d26cb: 89 3c 24 mov %edi,(%esp)
d26ce: b8 50 4d 0d 00 mov $0xd4d50,%eax
d26d3: 89 44 24 08 mov %eax,0x8(%esp)
d26d7: 8b 45 ec mov 0xffffffec(%ebp),%eax
d26da: 29 c3 sub %eax,%ebx
d26dc: 89 5c 24 04 mov %ebx,0x4(%esp)
d26e0: e8 ab e1 ff ff call d0890 <trace>
d26e5: 81 4d e0 80 00 00 00 orl $0x80,0xffffffe0(%ebp)
d26ec: 8b 77 28 mov 0x28(%edi),%esi
d26ef: e9 fc f4 ff ff jmp d1bf0 <emulate+0x30>
d26f4: 0f b7 47 34 movzwl 0x34(%edi),%eax
d26f8: 8b 57 38 mov 0x38(%edi),%edx
d26fb: 89 04 24 mov %eax,(%esp)
d26fe: 89 f8 mov %edi,%eax
d2700: e8 fb df ff ff call d0700 <address>
d2705: 8b 00 mov (%eax),%eax
d2707: 83 47 34 04 addl $0x4,0x34(%edi)
d270b: e9 62 fa ff ff jmp d2172 <emulate+0x5b2>
d2710: 0f b7 47 34 movzwl 0x34(%edi),%eax
d2714: 8b 57 38 mov 0x38(%edi),%edx
d2717: 89 04 24 mov %eax,(%esp)
d271a: 89 f8 mov %edi,%eax
d271c: e8 df df ff ff call d0700 <address>
d2721: 0f b7 00 movzwl (%eax),%eax
d2724: 83 47 34 02 addl $0x2,0x34(%edi)
d2728: e9 9c f6 ff ff jmp d1dc9 <emulate+0x209>
d272d: 8b 47 34 mov 0x34(%edi),%eax
d2730: 8b 77 30 mov 0x30(%edi),%esi
d2733: 8b 57 38 mov 0x38(%edi),%edx
d2736: 83 e8 02 sub $0x2,%eax
d2739: 81 e6 ff cf fd ff and $0xfffdcfff,%esi
d273f: 89 47 34 mov %eax,0x34(%edi)
d2742: 25 ff ff 00 00 and $0xffff,%eax
d2747: 89 04 24 mov %eax,(%esp)
d274a: 89 f8 mov %edi,%eax
d274c: e8 af df ff ff call d0700 <address>
d2751: 66 89 30 mov %si,(%eax)
d2754: 8b 77 28 mov 0x28(%edi),%esi
d2757: e9 eb f4 ff ff jmp d1c47 <emulate+0x87>
d275c: 0f b7 47 34 movzwl 0x34(%edi),%eax
d2760: 8b 57 38 mov 0x38(%edi),%edx
d2763: 89 04 24 mov %eax,(%esp)
d2766: 89 f8 mov %edi,%eax
d2768: e8 93 df ff ff call d0700 <address>
d276d: 8b 00 mov (%eax),%eax
d276f: 83 47 34 04 addl $0x4,0x34(%edi)
d2773: e9 67 fd ff ff jmp d24df <emulate+0x91f>
d2778: 8b 57 2c mov 0x2c(%edi),%edx
d277b: 0f b7 c3 movzwl %bx,%eax
d277e: 89 04 24 mov %eax,(%esp)
d2781: 89 f8 mov %edi,%eax
d2783: e8 78 df ff ff call d0700 <address>
d2788: 83 47 28 04 addl $0x4,0x28(%edi)
d278c: 8b 00 mov (%eax),%eax
d278e: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2792: 0f 85 cc fc ff ff jne d2464 <emulate+0x8a4>
d2798: 89 04 24 mov %eax,(%esp)
d279b: 89 f2 mov %esi,%edx
d279d: 89 f8 mov %edi,%eax
d279f: e8 5c df ff ff call d0700 <address>
d27a4: 89 c3 mov %eax,%ebx
d27a6: 0f b7 00 movzwl (%eax),%eax
d27a9: 31 d2 xor %edx,%edx
d27ab: 89 04 24 mov %eax,(%esp)
d27ae: 89 f8 mov %edi,%eax
d27b0: e8 cb e2 ff ff call d0a80 <setreg16>
d27b5: e9 c6 fc ff ff jmp d2480 <emulate+0x8c0>
d27ba: 8b 57 2c mov 0x2c(%edi),%edx
d27bd: 0f b7 c3 movzwl %bx,%eax
d27c0: 89 04 24 mov %eax,(%esp)
d27c3: 89 f8 mov %edi,%eax
d27c5: e8 36 df ff ff call d0700 <address>
d27ca: 83 47 28 04 addl $0x4,0x28(%edi)
d27ce: ba 03 00 00 00 mov $0x3,%edx
d27d3: 8b 18 mov (%eax),%ebx
d27d5: 89 f8 mov %edi,%eax
d27d7: 89 1c 24 mov %ebx,(%esp)
d27da: e8 51 e2 ff ff call d0a30 <setreg32>
d27df: e9 1a fc ff ff jmp d23fe <emulate+0x83e>
d27e4: 89 3c 24 mov %edi,(%esp)
d27e7: b8 56 4d 0d 00 mov $0xd4d56,%eax
d27ec: 89 44 24 08 mov %eax,0x8(%esp)
d27f0: 8b 45 ec mov 0xffffffec(%ebp),%eax
d27f3: 29 c3 sub %eax,%ebx
d27f5: 89 5c 24 04 mov %ebx,0x4(%esp)
d27f9: e8 92 e0 ff ff call d0890 <trace>
d27fe: 0f b7 47 34 movzwl 0x34(%edi),%eax
d2802: 8b 57 38 mov 0x38(%edi),%edx
d2805: 89 04 24 mov %eax,(%esp)
d2808: 89 f8 mov %edi,%eax
d280a: e8 f1 de ff ff call d0700 <address>
d280f: 0f b7 10 movzwl (%eax),%edx
d2812: 8b 47 34 mov 0x34(%edi),%eax
d2815: 83 c0 02 add $0x2,%eax
d2818: 89 57 28 mov %edx,0x28(%edi)
d281b: 8b 57 38 mov 0x38(%edi),%edx
d281e: 89 47 34 mov %eax,0x34(%edi)
d2821: 25 ff ff 00 00 and $0xffff,%eax
d2826: 89 04 24 mov %eax,(%esp)
d2829: 89 f8 mov %edi,%eax
d282b: e8 d0 de ff ff call d0700 <address>
d2830: 0f b7 10 movzwl (%eax),%edx
d2833: 8b 47 34 mov 0x34(%edi),%eax
d2836: 8b 77 30 mov 0x30(%edi),%esi
d2839: 89 57 2c mov %edx,0x2c(%edi)
d283c: 83 c0 02 add $0x2,%eax
d283f: 8b 57 38 mov 0x38(%edi),%edx
d2842: 89 47 34 mov %eax,0x34(%edi)
d2845: 25 ff ff 00 00 and $0xffff,%eax
d284a: 81 e6 00 00 ff ff and $0xffff0000,%esi
d2850: 89 04 24 mov %eax,(%esp)
d2853: 89 f8 mov %edi,%eax
d2855: e8 a6 de ff ff call d0700 <address>
d285a: 0f b7 00 movzwl (%eax),%eax
d285d: 83 47 34 02 addl $0x2,0x34(%edi)
d2861: 09 c6 or %eax,%esi
d2863: 89 77 30 mov %esi,0x30(%edi)
d2866: 8b 77 28 mov 0x28(%edi),%esi
d2869: e9 d9 f3 ff ff jmp d1c47 <emulate+0x87>
d286e: 8b 30 mov (%eax),%esi
d2870: 8b 47 34 mov 0x34(%edi),%eax
d2873: 8b 57 38 mov 0x38(%edi),%edx
d2876: 83 e8 04 sub $0x4,%eax
d2879: 89 47 34 mov %eax,0x34(%edi)
d287c: 25 ff ff 00 00 and $0xffff,%eax
d2881: 89 04 24 mov %eax,(%esp)
d2884: 89 f8 mov %edi,%eax
d2886: e8 75 de ff ff call d0700 <address>
d288b: 89 30 mov %esi,(%eax)
d288d: e9 ec f5 ff ff jmp d1e7e <emulate+0x2be>
d2892: f6 05 f5 97 0d 00 40 testb $0x40,0xd97f5
d2899: 0f 84 d3 fd ff ff je d2672 <emulate+0xab2>
d289f: 89 3c 24 mov %edi,(%esp)
d28a2: 8b 4d ec mov 0xffffffec(%ebp),%ecx
d28a5: be 5b 4d 0d 00 mov $0xd4d5b,%esi
d28aa: 89 74 24 08 mov %esi,0x8(%esp)
d28ae: 29 cb sub %ecx,%ebx
d28b0: 89 5c 24 04 mov %ebx,0x4(%esp)
d28b4: e8 d7 df ff ff call d0890 <trace>
d28b9: 83 65 e0 fd andl $0xfffffffd,0xffffffe0(%ebp)
d28bd: 8b 77 28 mov 0x28(%edi),%esi
d28c0: e9 2b f3 ff ff jmp d1bf0 <emulate+0x30>
d28c5: f6 05 f5 97 0d 00 40 testb $0x40,0xd97f5
d28cc: 0f 84 d3 fd ff ff je d26a5 <emulate+0xae5>
d28d2: 89 3c 24 mov %edi,(%esp)
d28d5: b8 62 4d 0d 00 mov $0xd4d62,%eax
d28da: 89 44 24 08 mov %eax,0x8(%esp)
d28de: 8b 45 ec mov 0xffffffec(%ebp),%eax
d28e1: 29 c3 sub %eax,%ebx
d28e3: 89 5c 24 04 mov %ebx,0x4(%esp)
d28e7: e8 a4 df ff ff call d0890 <trace>
d28ec: 83 65 e0 fe andl $0xfffffffe,0xffffffe0(%ebp)
d28f0: 8b 77 28 mov 0x28(%edi),%esi
d28f3: e9 f8 f2 ff ff jmp d1bf0 <emulate+0x30>
d28f8: 0f b7 47 34 movzwl 0x34(%edi),%eax
d28fc: 8b 57 38 mov 0x38(%edi),%edx
d28ff: 89 04 24 mov %eax,(%esp)
d2902: 89 f8 mov %edi,%eax
d2904: e8 f7 dd ff ff call d0700 <address>
d2909: 0f b7 10 movzwl (%eax),%edx
d290c: 8b 47 34 mov 0x34(%edi),%eax
d290f: 89 d6 mov %edx,%esi
d2911: 83 c0 02 add $0x2,%eax
d2914: 8b 57 38 mov 0x38(%edi),%edx
d2917: 89 47 34 mov %eax,0x34(%edi)
d291a: 25 ff ff 00 00 and $0xffff,%eax
d291f: 89 04 24 mov %eax,(%esp)
d2922: 89 f8 mov %edi,%eax
d2924: e8 d7 dd ff ff call d0700 <address>
d2929: 0f b7 00 movzwl (%eax),%eax
d292c: 83 47 34 02 addl $0x2,0x34(%edi)
d2930: 89 c3 mov %eax,%ebx
d2932: e9 21 f4 ff ff jmp d1d58 <emulate+0x198>
d2937: 8b 57 2c mov 0x2c(%edi),%edx
d293a: 0f b7 c3 movzwl %bx,%eax
d293d: 89 04 24 mov %eax,(%esp)
d2940: 89 f8 mov %edi,%eax
d2942: e8 b9 dd ff ff call d0700 <address>
d2947: 8b 77 28 mov 0x28(%edi),%esi
d294a: 83 c6 02 add $0x2,%esi
d294d: 89 77 28 mov %esi,0x28(%edi)
d2950: 0f b7 00 movzwl (%eax),%eax
d2953: e9 2e f9 ff ff jmp d2286 <emulate+0x6c6>
d2958: 0f b7 57 2c movzwl 0x2c(%edi),%edx
d295c: 89 f8 mov %edi,%eax
d295e: 89 34 24 mov %esi,(%esp)
d2961: e8 9a dd ff ff call d0700 <address>
d2966: 89 44 24 0c mov %eax,0xc(%esp)
d296a: 8b 47 28 mov 0x28(%edi),%eax
d296d: 89 44 24 08 mov %eax,0x8(%esp)
d2971: 0f b7 47 2c movzwl 0x2c(%edi),%eax
d2975: c7 04 24 28 50 0d 00 movl $0xd5028,(%esp)
d297c: 89 44 24 04 mov %eax,0x4(%esp)
d2980: e8 fb 0f 00 00 call d3980 <panic>
d2985: e9 78 f3 ff ff jmp d1d02 <emulate+0x142>
d298a: 8b 57 2c mov 0x2c(%edi),%edx
d298d: 0f b7 c1 movzwl %cx,%eax
d2990: 89 04 24 mov %eax,(%esp)
d2993: 89 f8 mov %edi,%eax
d2995: e8 66 dd ff ff call d0700 <address>
d299a: 8b 57 28 mov 0x28(%edi),%edx
d299d: 42 inc %edx
d299e: 89 57 28 mov %edx,0x28(%edi)
d29a1: 0f b6 08 movzbl (%eax),%ecx
d29a4: 89 c8 mov %ecx,%eax
d29a6: c1 e8 03 shr $0x3,%eax
d29a9: 83 e0 07 and $0x7,%eax
d29ac: 83 f8 07 cmp $0x7,%eax
d29af: 0f 87 0d f3 ff ff ja d1cc2 <emulate+0x102>
d29b5: ff 24 85 2c 4a 0d 00 jmp *0xd4a2c(,%eax,4)
d29bc: 8d 41 fe lea 0xfffffffe(%ecx),%eax
d29bf: 89 45 d8 mov %eax,0xffffffd8(%ebp)
d29c2: 8b 57 2c mov 0x2c(%edi),%edx
d29c5: 0f b7 c1 movzwl %cx,%eax
d29c8: 89 04 24 mov %eax,(%esp)
d29cb: 89 f8 mov %edi,%eax
d29cd: e8 2e dd ff ff call d0700 <address>
d29d2: 8b 77 28 mov 0x28(%edi),%esi
d29d5: 46 inc %esi
d29d6: 89 77 28 mov %esi,0x28(%edi)
d29d9: 0f b6 00 movzbl (%eax),%eax
d29dc: 89 45 d4 mov %eax,0xffffffd4(%ebp)
d29df: c1 e8 03 shr $0x3,%eax
d29e2: 83 e0 07 and $0x7,%eax
d29e5: 89 45 d0 mov %eax,0xffffffd0(%ebp)
d29e8: 8b 45 d4 mov 0xffffffd4(%ebp),%eax
d29eb: 25 c0 00 00 00 and $0xc0,%eax
d29f0: 3d c0 00 00 00 cmp $0xc0,%eax
d29f5: 0f 85 c7 f2 ff ff jne d1cc2 <emulate+0x102>
d29fb: 83 fb 20 cmp $0x20,%ebx
d29fe: 0f 84 01 03 00 00 je d2d05 <emulate+0x1145>
d2a04: 83 fb 22 cmp $0x22,%ebx
d2a07: 0f 85 37 f2 ff ff jne d1c44 <emulate+0x84>
d2a0d: 89 3c 24 mov %edi,(%esp)
d2a10: b8 69 4d 0d 00 mov $0xd4d69,%eax
d2a15: 8b 4d d0 mov 0xffffffd0(%ebp),%ecx
d2a18: 89 44 24 08 mov %eax,0x8(%esp)
d2a1c: 8b 45 d8 mov 0xffffffd8(%ebp),%eax
d2a1f: 89 4c 24 0c mov %ecx,0xc(%esp)
d2a23: 29 c6 sub %eax,%esi
d2a25: 89 74 24 04 mov %esi,0x4(%esp)
d2a29: e8 62 de ff ff call d0890 <trace>
d2a2e: 83 7d d0 03 cmpl $0x3,0xffffffd0(%ebp)
d2a32: 0f 84 4f 03 00 00 je d2d87 <emulate+0x11c7>
d2a38: 0f 87 60 03 00 00 ja d2d9e <emulate+0x11de>
d2a3e: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
d2a41: 85 c0 test %eax,%eax
d2a43: 0f 85 fb f1 ff ff jne d1c44 <emulate+0x84>
d2a49: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d2a4c: 89 f8 mov %edi,%eax
d2a4e: e8 6d df ff ff call d09c0 <getreg32>
d2a53: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d2a56: 83 c8 21 or $0x21,%eax
d2a59: a3 cc 97 0d 00 mov %eax,0xd97cc
d2a5e: 89 f8 mov %edi,%eax
d2a60: e8 5b df ff ff call d09c0 <getreg32>
d2a65: a8 01 test $0x1,%al
d2a67: 0f 84 57 03 00 00 je d2dc4 <emulate+0x1204>
d2a6d: be 01 00 00 00 mov $0x1,%esi
d2a72: 89 74 24 04 mov %esi,0x4(%esp)
d2a76: 89 3c 24 mov %edi,(%esp)
d2a79: e8 62 eb ff ff call d15e0 <set_mode>
d2a7e: 8b 77 28 mov 0x28(%edi),%esi
d2a81: e9 c1 f1 ff ff jmp d1c47 <emulate+0x87>
d2a86: 8b 4f 18 mov 0x18(%edi),%ecx
d2a89: 8b 47 1c mov 0x1c(%edi),%eax
d2a8c: 8b 57 14 mov 0x14(%edi),%edx
d2a8f: 0f 30 wrmsr
d2a91: ff 45 f0 incl 0xfffffff0(%ebp)
d2a94: e9 b1 f1 ff ff jmp d1c4a <emulate+0x8a>
d2a99: 8b 4f 18 mov 0x18(%edi),%ecx
d2a9c: 0f 32 rdmsr
d2a9e: 89 47 1c mov %eax,0x1c(%edi)
d2aa1: 89 57 14 mov %edx,0x14(%edi)
d2aa4: ff 45 f0 incl 0xfffffff0(%ebp)
d2aa7: e9 9e f1 ff ff jmp d1c4a <emulate+0x8a>
d2aac: 89 f8 mov %edi,%eax
d2aae: e8 6d df ff ff call d0a20 <getreg16>
d2ab3: 89 47 38 mov %eax,0x38(%edi)
d2ab6: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2abd: 0f 84 81 f1 ff ff je d1c44 <emulate+0x84>
d2ac3: 31 c0 xor %eax,%eax
d2ac5: a3 58 76 0d 00 mov %eax,0xd7658
d2aca: 8b 47 38 mov 0x38(%edi),%eax
d2acd: a3 18 98 0d 00 mov %eax,0xd9818
d2ad2: 8b 77 28 mov 0x28(%edi),%esi
d2ad5: e9 6d f1 ff ff jmp d1c47 <emulate+0x87>
d2ada: 89 f8 mov %edi,%eax
d2adc: e8 3f df ff ff call d0a20 <getreg16>
d2ae1: 89 47 40 mov %eax,0x40(%edi)
d2ae4: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2aeb: 0f 85 ae f6 ff ff jne d219f <emulate+0x5df>
d2af1: 8b 77 28 mov 0x28(%edi),%esi
d2af4: e9 4e f1 ff ff jmp d1c47 <emulate+0x87>
d2af9: 89 f8 mov %edi,%eax
d2afb: e8 20 df ff ff call d0a20 <getreg16>
d2b00: 89 47 44 mov %eax,0x44(%edi)
d2b03: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2b0a: 0f 84 34 f1 ff ff je d1c44 <emulate+0x84>
d2b10: 31 c0 xor %eax,%eax
d2b12: a3 64 76 0d 00 mov %eax,0xd7664
d2b17: 8b 47 44 mov 0x44(%edi),%eax
d2b1a: a3 28 98 0d 00 mov %eax,0xd9828
d2b1f: 8b 77 28 mov 0x28(%edi),%esi
d2b22: e9 20 f1 ff ff jmp d1c47 <emulate+0x87>
d2b27: 89 f8 mov %edi,%eax
d2b29: e8 f2 de ff ff call d0a20 <getreg16>
d2b2e: 89 47 48 mov %eax,0x48(%edi)
d2b31: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2b38: 0f 84 06 f1 ff ff je d1c44 <emulate+0x84>
d2b3e: 31 c0 xor %eax,%eax
d2b40: a3 68 76 0d 00 mov %eax,0xd7668
d2b45: 8b 47 48 mov 0x48(%edi),%eax
d2b48: a3 38 98 0d 00 mov %eax,0xd9838
d2b4d: 8b 77 28 mov 0x28(%edi),%esi
d2b50: e9 f2 f0 ff ff jmp d1c47 <emulate+0x87>
d2b55: 89 f8 mov %edi,%eax
d2b57: e8 c4 de ff ff call d0a20 <getreg16>
d2b5c: 89 47 3c mov %eax,0x3c(%edi)
d2b5f: 83 3d 04 76 0d 00 02 cmpl $0x2,0xd7604
d2b66: 0f 85 8a f2 ff ff jne d1df6 <emulate+0x236>
d2b6c: 8b 77 28 mov 0x28(%edi),%esi
d2b6f: e9 d3 f0 ff ff jmp d1c47 <emulate+0x87>
d2b74: 83 4f 30 40 orl $0x40,0x30(%edi)
d2b78: e9 f8 f3 ff ff jmp d1f75 <emulate+0x3b5>
d2b7d: 8b 4d c4 mov 0xffffffc4(%ebp),%ecx
d2b80: 8b 01 mov (%ecx),%eax
d2b82: 29 d0 sub %edx,%eax
d2b84: 0f 85 72 01 00 00 jne d2cfc <emulate+0x113c>
d2b8a: 83 4f 30 40 orl $0x40,0x30(%edi)
d2b8e: 89 44 24 14 mov %eax,0x14(%esp)
d2b92: 8b 55 c0 mov 0xffffffc0(%ebp),%edx
d2b95: 8b 5d c4 mov 0xffffffc4(%ebp),%ebx
d2b98: 8b 04 95 a0 55 0d 00 mov 0xd55a0(,%edx,4),%eax
d2b9f: 89 5c 24 10 mov %ebx,0x10(%esp)
d2ba3: bb 7c 4d 0d 00 mov $0xd4d7c,%ebx
d2ba8: 89 44 24 0c mov %eax,0xc(%esp)
d2bac: 89 5c 24 08 mov %ebx,0x8(%esp)
d2bb0: e9 18 f5 ff ff jmp d20cd <emulate+0x50d>
d2bb5: 0f b7 47 34 movzwl 0x34(%edi),%eax
d2bb9: 8b 57 38 mov 0x38(%edi),%edx
d2bbc: 89 04 24 mov %eax,(%esp)
d2bbf: 89 f8 mov %edi,%eax
d2bc1: e8 3a db ff ff call d0700 <address>
d2bc6: 8b 00 mov (%eax),%eax
d2bc8: 83 47 34 04 addl $0x4,0x34(%edi)
d2bcc: 8b 5d b8 mov 0xffffffb8(%ebp),%ebx
d2bcf: 89 03 mov %eax,(%ebx)
d2bd1: e9 0f fa ff ff jmp d25e5 <emulate+0xa25>
d2bd6: 89 0c 24 mov %ecx,(%esp)
d2bd9: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2bdc: 8d 72 fd lea 0xfffffffd(%edx),%esi
d2bdf: 89 fa mov %edi,%edx
d2be1: e8 0a e0 ff ff call d0bf0 <operand>
d2be6: 8b 15 cc 97 0d 00 mov 0xd97cc,%edx
d2bec: 83 e0 0f and $0xf,%eax
d2bef: 89 44 24 0c mov %eax,0xc(%esp)
d2bf3: 83 e2 f0 and $0xfffffff0,%edx
d2bf6: 09 c2 or %eax,%edx
d2bf8: 89 55 dc mov %edx,0xffffffdc(%ebp)
d2bfb: ba 94 4d 0d 00 mov $0xd4d94,%edx
d2c00: 89 54 24 08 mov %edx,0x8(%esp)
d2c04: 8b 47 28 mov 0x28(%edi),%eax
d2c07: 89 3c 24 mov %edi,(%esp)
d2c0a: 29 f0 sub %esi,%eax
d2c0c: 89 44 24 04 mov %eax,0x4(%esp)
d2c10: e8 7b dc ff ff call d0890 <trace>
d2c15: 8b 45 dc mov 0xffffffdc(%ebp),%eax
d2c18: 83 c8 21 or $0x21,%eax
d2c1b: f6 45 dc 01 testb $0x1,0xffffffdc(%ebp)
d2c1f: a3 cc 97 0d 00 mov %eax,0xd97cc
d2c24: 0f 85 43 fe ff ff jne d2a6d <emulate+0xead>
d2c2a: 8b 77 28 mov 0x28(%edi),%esi
d2c2d: e9 15 f0 ff ff jmp d1c47 <emulate+0x87>
d2c32: 89 0c 24 mov %ecx,(%esp)
d2c35: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2c38: 8d 5a fd lea 0xfffffffd(%edx),%ebx
d2c3b: 89 fa mov %edi,%edx
d2c3d: e8 ae df ff ff call d0bf0 <operand>
d2c42: 0f b7 08 movzwl (%eax),%ecx
d2c45: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2c49: 89 0d d8 97 0d 00 mov %ecx,0xd97d8
d2c4f: 0f 85 05 01 00 00 jne d2d5a <emulate+0x119a>
d2c55: 8b 50 02 mov 0x2(%eax),%edx
d2c58: 81 e2 ff ff ff 00 and $0xffffff,%edx
d2c5e: 89 4c 24 10 mov %ecx,0x10(%esp)
d2c62: b9 9e 4d 0d 00 mov $0xd4d9e,%ecx
d2c67: 89 15 dc 97 0d 00 mov %edx,0xd97dc
d2c6d: 89 54 24 14 mov %edx,0x14(%esp)
d2c71: 89 44 24 0c mov %eax,0xc(%esp)
d2c75: 89 4c 24 08 mov %ecx,0x8(%esp)
d2c79: 8b 47 28 mov 0x28(%edi),%eax
d2c7c: 29 d8 sub %ebx,%eax
d2c7e: 89 44 24 04 mov %eax,0x4(%esp)
d2c82: e9 0f f3 ff ff jmp d1f96 <emulate+0x3d6>
d2c87: 89 0c 24 mov %ecx,(%esp)
d2c8a: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2c8d: 8d 5a fd lea 0xfffffffd(%edx),%ebx
d2c90: 89 fa mov %edi,%edx
d2c92: e8 59 df ff ff call d0bf0 <operand>
d2c97: 0f b7 08 movzwl (%eax),%ecx
d2c9a: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2c9e: 89 0d e0 97 0d 00 mov %ecx,0xd97e0
d2ca4: 0f 85 b8 00 00 00 jne d2d62 <emulate+0x11a2>
d2caa: 8b 50 02 mov 0x2(%eax),%edx
d2cad: 81 e2 ff ff ff 00 and $0xffffff,%edx
d2cb3: 89 15 e4 97 0d 00 mov %edx,0xd97e4
d2cb9: be b3 4d 0d 00 mov $0xd4db3,%esi
d2cbe: 89 54 24 14 mov %edx,0x14(%esp)
d2cc2: 89 4c 24 10 mov %ecx,0x10(%esp)
d2cc6: 89 44 24 0c mov %eax,0xc(%esp)
d2cca: 89 74 24 08 mov %esi,0x8(%esp)
d2cce: 8b 47 28 mov 0x28(%edi),%eax
d2cd1: 29 d8 sub %ebx,%eax
d2cd3: eb a9 jmp d2c7e <emulate+0x10be>
d2cd5: 31 db xor %ebx,%ebx
d2cd7: 89 5c 24 04 mov %ebx,0x4(%esp)
d2cdb: 89 3c 24 mov %edi,(%esp)
d2cde: e8 fd e8 ff ff call d15e0 <set_mode>
d2ce3: e9 fe ef ff ff jmp d1ce6 <emulate+0x126>
d2ce8: be 03 00 00 00 mov $0x3,%esi
d2ced: 89 74 24 04 mov %esi,0x4(%esp)
d2cf1: eb e8 jmp d2cdb <emulate+0x111b>
d2cf3: 83 67 30 bf andl $0xffffffbf,0x30(%edi)
d2cf7: e9 af f3 ff ff jmp d20ab <emulate+0x4eb>
d2cfc: 83 67 30 bf andl $0xffffffbf,0x30(%edi)
d2d00: e9 89 fe ff ff jmp d2b8e <emulate+0xfce>
d2d05: 89 3c 24 mov %edi,(%esp)
d2d08: b8 c8 4d 0d 00 mov $0xd4dc8,%eax
d2d0d: 8b 55 d0 mov 0xffffffd0(%ebp),%edx
d2d10: 89 44 24 08 mov %eax,0x8(%esp)
d2d14: 8b 45 d8 mov 0xffffffd8(%ebp),%eax
d2d17: 89 54 24 0c mov %edx,0xc(%esp)
d2d1b: 29 c6 sub %eax,%esi
d2d1d: 89 74 24 04 mov %esi,0x4(%esp)
d2d21: e8 6a db ff ff call d0890 <trace>
d2d26: 83 7d d0 02 cmpl $0x2,0xffffffd0(%ebp)
d2d2a: 0f 84 8f 00 00 00 je d2dbf <emulate+0x11ff>
d2d30: 77 38 ja d2d6a <emulate+0x11aa>
d2d32: 8b 45 d0 mov 0xffffffd0(%ebp),%eax
d2d35: 85 c0 test %eax,%eax
d2d37: 0f 85 07 ef ff ff jne d1c44 <emulate+0x84>
d2d3d: a1 cc 97 0d 00 mov 0xd97cc,%eax
d2d42: 83 e0 de and $0xffffffde,%eax
d2d45: 89 04 24 mov %eax,(%esp)
d2d48: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d2d4b: 89 f8 mov %edi,%eax
d2d4d: e8 de dc ff ff call d0a30 <setreg32>
d2d52: 8b 77 28 mov 0x28(%edi),%esi
d2d55: e9 ed ee ff ff jmp d1c47 <emulate+0x87>
d2d5a: 8b 50 02 mov 0x2(%eax),%edx
d2d5d: e9 fc fe ff ff jmp d2c5e <emulate+0x109e>
d2d62: 8b 50 02 mov 0x2(%eax),%edx
d2d65: e9 49 ff ff ff jmp d2cb3 <emulate+0x10f3>
d2d6a: 83 7d d0 03 cmpl $0x3,0xffffffd0(%ebp)
d2d6e: 89 f6 mov %esi,%esi
d2d70: 0f 84 c6 00 00 00 je d2e3c <emulate+0x127c>
d2d76: 83 7d d0 04 cmpl $0x4,0xffffffd0(%ebp)
d2d7a: 0f 85 c4 ee ff ff jne d1c44 <emulate+0x84>
d2d80: a1 d4 97 0d 00 mov 0xd97d4,%eax
d2d85: eb be jmp d2d45 <emulate+0x1185>
d2d87: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d2d8a: 89 f8 mov %edi,%eax
d2d8c: e8 2f dc ff ff call d09c0 <getreg32>
d2d91: a3 d0 97 0d 00 mov %eax,0xd97d0
d2d96: 8b 77 28 mov 0x28(%edi),%esi
d2d99: e9 a9 ee ff ff jmp d1c47 <emulate+0x87>
d2d9e: 83 7d d0 04 cmpl $0x4,0xffffffd0(%ebp)
d2da2: 0f 85 9c ee ff ff jne d1c44 <emulate+0x84>
d2da8: 8b 55 d4 mov 0xffffffd4(%ebp),%edx
d2dab: 89 f8 mov %edi,%eax
d2dad: e8 0e dc ff ff call d09c0 <getreg32>
d2db2: a3 d4 97 0d 00 mov %eax,0xd97d4
d2db7: 8b 77 28 mov 0x28(%edi),%esi
d2dba: e9 88 ee ff ff jmp d1c47 <emulate+0x87>
d2dbf: 0f 20 d0 mov %cr2,%eax
d2dc2: eb 81 jmp d2d45 <emulate+0x1185>
d2dc4: 31 db xor %ebx,%ebx
d2dc6: 89 5c 24 04 mov %ebx,0x4(%esp)
d2dca: e9 a7 fc ff ff jmp d2a76 <emulate+0xeb6>
d2dcf: a1 04 76 0d 00 mov 0xd7604,%eax
d2dd4: 48 dec %eax
d2dd5: 83 f8 01 cmp $0x1,%eax
d2dd8: 0f 87 e4 ee ff ff ja d1cc2 <emulate+0x102>
d2dde: 89 14 24 mov %edx,(%esp)
d2de1: 8b 45 e0 mov 0xffffffe0(%ebp),%eax
d2de4: 89 fa mov %edi,%edx
d2de6: e8 05 de ff ff call d0bf0 <operand>
d2deb: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2def: 89 c2 mov %eax,%edx
d2df1: 74 53 je d2e46 <emulate+0x1286>
d2df3: 8b 30 mov (%eax),%esi
d2df5: 8d 42 04 lea 0x4(%edx),%eax
d2df8: 83 c2 02 add $0x2,%edx
d2dfb: b9 e4 4c 0d 00 mov $0xd4ce4,%ecx
d2e00: f6 45 e0 01 testb $0x1,0xffffffe0(%ebp)
d2e04: 0f 44 c2 cmove %edx,%eax
d2e07: 8b 55 ac mov 0xffffffac(%ebp),%edx
d2e0a: 0f b7 00 movzwl (%eax),%eax
d2e0d: 89 4c 24 08 mov %ecx,0x8(%esp)
d2e11: 89 74 24 10 mov %esi,0x10(%esp)
d2e15: 89 45 a8 mov %eax,0xffffffa8(%ebp)
d2e18: 89 44 24 0c mov %eax,0xc(%esp)
d2e1c: 8b 47 28 mov 0x28(%edi),%eax
d2e1f: 89 3c 24 mov %edi,(%esp)
d2e22: 29 d0 sub %edx,%eax
d2e24: 40 inc %eax
d2e25: 89 44 24 04 mov %eax,0x4(%esp)
d2e29: e8 62 da ff ff call d0890 <trace>
d2e2e: 8b 4d a8 mov 0xffffffa8(%ebp),%ecx
d2e31: 89 77 28 mov %esi,0x28(%edi)
d2e34: 89 4f 2c mov %ecx,0x2c(%edi)
d2e37: e9 a4 f4 ff ff jmp d22e0 <emulate+0x720>
d2e3c: a1 d0 97 0d 00 mov 0xd97d0,%eax
d2e41: e9 ff fe ff ff jmp d2d45 <emulate+0x1185>
d2e46: 0f b7 30 movzwl (%eax),%esi
d2e49: eb aa jmp d2df5 <emulate+0x1235>
d2e4b: 90 nop
d2e4c: 8d 74 26 00 lea 0x0(%esi),%esi
000d2e50 <trap>:
d2e50: 55 push %ebp
d2e51: 89 e5 mov %esp,%ebp
d2e53: 83 ec 18 sub $0x18,%esp
d2e56: 89 5d f8 mov %ebx,0xfffffff8(%ebp)
d2e59: 8b 5d 08 mov 0x8(%ebp),%ebx
d2e5c: 89 75 fc mov %esi,0xfffffffc(%ebp)
d2e5f: 8b 75 10 mov 0x10(%ebp),%esi
d2e62: 83 fb 1f cmp $0x1f,%ebx
d2e65: 7e 1e jle d2e85 <trap+0x35>
d2e67: 8d 43 e0 lea 0xffffffe0(%ebx),%eax
d2e6a: 83 f8 07 cmp $0x7,%eax
d2e6d: 8d 53 e8 lea 0xffffffe8(%ebx),%edx
d2e70: 7e 03 jle d2e75 <trap+0x25>
d2e72: 8d 53 48 lea 0x48(%ebx),%edx
d2e75: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d2e78: 89 f0 mov %esi,%eax
d2e7a: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d2e7d: 89 ec mov %ebp,%esp
d2e7f: 5d pop %ebp
d2e80: e9 db ea ff ff jmp d1960 <interrupt>
d2e85: 83 fb 01 cmp $0x1,%ebx
d2e88: 74 4a je d2ed4 <trap+0x84>
d2e8a: 83 fb 0d cmp $0xd,%ebx
d2e8d: 74 71 je d2f00 <trap+0xb0>
d2e8f: 8b 56 30 mov 0x30(%esi),%edx
d2e92: 89 5c 24 04 mov %ebx,0x4(%esp)
d2e96: 81 e2 00 30 02 00 and $0x23000,%edx
d2e9c: b8 db 4d 0d 00 mov $0xd4ddb,%eax
d2ea1: c7 04 24 e0 4d 0d 00 movl $0xd4de0,(%esp)
d2ea8: ba fe 4d 0d 00 mov $0xd4dfe,%edx
d2ead: 0f 44 c2 cmove %edx,%eax
d2eb0: 89 44 24 08 mov %eax,0x8(%esp)
d2eb4: e8 17 0b 00 00 call d39d0 <printf>
d2eb9: 83 fb 0e cmp $0xe,%ebx
d2ebc: 74 71 je d2f2f <trap+0xdf>
d2ebe: 89 34 24 mov %esi,(%esp)
d2ec1: e8 6a 13 00 00 call d4230 <dump_regs>
d2ec6: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d2ec9: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d2ecc: 89 ec mov %ebp,%esp
d2ece: 5d pop %ebp
d2ecf: e9 74 d1 ff ff jmp d0048 <halt>
d2ed4: 8b 56 30 mov 0x30(%esi),%edx
d2ed7: f7 c2 00 30 02 00 test $0x23000,%edx
d2edd: 74 b3 je d2e92 <trap+0x42>
d2edf: a1 04 76 0d 00 mov 0xd7604,%eax
d2ee4: 85 c0 test %eax,%eax
d2ee6: 74 3d je d2f25 <trap+0xd5>
d2ee8: 48 dec %eax
d2ee9: 74 29 je d2f14 <trap+0xc4>
d2eeb: c7 04 24 08 4e 0d 00 movl $0xd4e08,(%esp)
d2ef2: e8 89 0a 00 00 call d3980 <panic>
d2ef7: eb 1b jmp d2f14 <trap+0xc4>
d2ef9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d2f00: 8b 56 30 mov 0x30(%esi),%edx
d2f03: f7 c2 00 30 02 00 test $0x23000,%edx
d2f09: 74 87 je d2e92 <trap+0x42>
d2f0b: 83 3d 04 76 0d 00 03 cmpl $0x3,0xd7604
d2f12: 74 33 je d2f47 <trap+0xf7>
d2f14: 89 75 08 mov %esi,0x8(%ebp)
d2f17: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d2f1a: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d2f1d: 89 ec mov %ebp,%esp
d2f1f: 5d pop %ebp
d2f20: e9 9b ec ff ff jmp d1bc0 <emulate>
d2f25: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d2f28: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d2f2b: 89 ec mov %ebp,%esp
d2f2d: 5d pop %ebp
d2f2e: c3 ret
d2f2f: 0f 20 d0 mov %cr2,%eax
d2f32: 89 44 24 04 mov %eax,0x4(%esp)
d2f36: c7 04 24 26 4e 0d 00 movl $0xd4e26,(%esp)
d2f3d: e8 8e 0a 00 00 call d39d0 <printf>
d2f42: e9 77 ff ff ff jmp d2ebe <trap+0x6e>
d2f47: c7 04 24 3f 4e 0d 00 movl $0xd4e3f,(%esp)
d2f4e: e8 2d 0a 00 00 call d3980 <panic>
d2f53: eb bf jmp d2f14 <trap+0xc4>
...
000d2f60 <banner>:
d2f60: 55 push %ebp
d2f61: b8 49 50 0d 00 mov $0xd5049,%eax
d2f66: 89 e5 mov %esp,%ebp
d2f68: 56 push %esi
d2f69: 53 push %ebx
d2f6a: 83 ec 10 sub $0x10,%esp
d2f6d: 89 44 24 04 mov %eax,0x4(%esp)
d2f71: c7 04 24 55 50 0d 00 movl $0xd5055,(%esp)
d2f78: e8 53 0a 00 00 call d39d0 <printf>
d2f7d: b9 70 00 00 00 mov $0x70,%ecx
d2f82: b0 35 mov $0x35,%al
d2f84: 89 ca mov %ecx,%edx
d2f86: ee out %al,(%dx)
d2f87: e4 71 in $0x71,%al
d2f89: 0f b6 d8 movzbl %al,%ebx
d2f8c: c1 e3 08 shl $0x8,%ebx
d2f8f: b0 34 mov $0x34,%al
d2f91: ee out %al,(%dx)
d2f92: e4 71 in $0x71,%al
d2f94: 0f b6 c0 movzbl %al,%eax
d2f97: 09 c3 or %eax,%ebx
d2f99: c1 e3 06 shl $0x6,%ebx
d2f9c: 81 fb 01 c0 3b 00 cmp $0x3bc001,%ebx
d2fa2: b8 00 c0 3b 00 mov $0x3bc000,%eax
d2fa7: 0f 42 c3 cmovb %ebx,%eax
d2faa: a3 ac 97 0d 00 mov %eax,0xd97ac
d2faf: c1 e0 0a shl $0xa,%eax
d2fb2: 05 00 00 f0 00 add $0xf00000,%eax
d2fb7: 3d 00 00 f0 00 cmp $0xf00000,%eax
d2fbc: 77 23 ja d2fe1 <banner+0x81>
d2fbe: b0 31 mov $0x31,%al
d2fc0: ee out %al,(%dx)
d2fc1: e4 71 in $0x71,%al
d2fc3: be 30 00 00 00 mov $0x30,%esi
d2fc8: 0f b6 d8 movzbl %al,%ebx
d2fcb: c1 e3 08 shl $0x8,%ebx
d2fce: 89 f0 mov %esi,%eax
d2fd0: ee out %al,(%dx)
d2fd1: e4 71 in $0x71,%al
d2fd3: 0f b6 d0 movzbl %al,%edx
d2fd6: 09 d3 or %edx,%ebx
d2fd8: 8d 83 00 04 00 00 lea 0x400(%ebx),%eax
d2fde: c1 e0 0a shl $0xa,%eax
d2fe1: a3 ac 97 0d 00 mov %eax,0xd97ac
d2fe6: a1 ac 97 0d 00 mov 0xd97ac,%eax
d2feb: c7 04 24 65 50 0d 00 movl $0xd5065,(%esp)
d2ff2: 05 00 00 10 00 add $0x100000,%eax
d2ff7: a3 ac 97 0d 00 mov %eax,0xd97ac
d2ffc: c1 e8 14 shr $0x14,%eax
d2fff: 89 44 24 04 mov %eax,0x4(%esp)
d3003: e8 c8 09 00 00 call d39d0 <printf>
d3008: c7 04 24 79 50 0d 00 movl $0xd5079,(%esp)
d300f: e8 bc 09 00 00 call d39d0 <printf>
d3014: 0f b6 05 e8 01 09 00 movzbl 0x901e8,%eax
d301b: c7 04 24 d0 02 09 00 movl $0x902d0,(%esp)
d3022: 89 44 24 04 mov %eax,0x4(%esp)
d3026: e8 f5 0f 00 00 call d4020 <print_e820_map>
d302b: c7 04 24 a0 51 0d 00 movl $0xd51a0,(%esp)
d3032: e8 99 09 00 00 call d39d0 <printf>
d3037: 83 c4 10 add $0x10,%esp
d303a: 5b pop %ebx
d303b: 5e pop %esi
d303c: 5d pop %ebp
d303d: c3 ret
d303e: 89 f6 mov %esi,%esi
000d3040 <setup_gdt>:
d3040: 55 push %ebp
d3041: b8 84 76 0d 00 mov $0xd7684,%eax
d3046: 89 e5 mov %esp,%ebp
d3048: 57 push %edi
d3049: ba 6c 20 00 00 mov $0x206c,%edx
d304e: 31 ff xor %edi,%edi
d3050: 56 push %esi
d3051: 89 c6 mov %eax,%esi
d3053: 53 push %ebx
d3054: 83 ec 0c sub $0xc,%esp
d3057: bb 18 00 00 00 mov $0x18,%ebx
d305c: 89 54 24 08 mov %edx,0x8(%esp)
d3060: 89 7c 24 04 mov %edi,0x4(%esp)
d3064: 89 04 24 mov %eax,(%esp)
d3067: e8 d4 12 00 00 call d4340 <memset>
d306c: 66 89 1d 8c 76 0d 00 mov %bx,0xd768c
d3073: b9 00 76 0d 00 mov $0xd7600,%ecx
d3078: ba 68 00 00 00 mov $0x68,%edx
d307d: 89 0d 88 76 0d 00 mov %ecx,0xd7688
d3083: 89 f0 mov %esi,%eax
d3085: 89 f1 mov %esi,%ecx
d3087: 66 89 15 ea 76 0d 00 mov %dx,0xd76ea
d308e: 81 e1 00 00 00 ff and $0xff000000,%ecx
d3094: 25 00 00 ff 00 and $0xff0000,%eax
d3099: c6 05 ec 96 0d 00 ff movb $0xff,0xd96ec
d30a0: 31 d2 xor %edx,%edx
d30a2: 89 cb mov %ecx,%ebx
d30a4: 0f a4 c2 10 shld $0x10,%eax,%edx
d30a8: 31 c9 xor %ecx,%ecx
d30aa: c1 e0 10 shl $0x10,%eax
d30ad: 09 c1 or %eax,%ecx
d30af: 89 f0 mov %esi,%eax
d30b1: 09 d3 or %edx,%ebx
d30b3: 25 ff ff 00 00 and $0xffff,%eax
d30b8: 31 d2 xor %edx,%edx
d30ba: 0f a4 c2 10 shld $0x10,%eax,%edx
d30be: c1 e0 10 shl $0x10,%eax
d30c1: 09 d3 or %edx,%ebx
d30c3: 09 c1 or %eax,%ecx
d30c5: a1 e8 55 0d 00 mov 0xd55e8,%eax
d30ca: 8b 15 ec 55 0d 00 mov 0xd55ec,%edx
d30d0: 09 c8 or %ecx,%eax
d30d2: 09 da or %ebx,%edx
d30d4: 0d 6b 20 00 00 or $0x206b,%eax
d30d9: a3 e8 55 0d 00 mov %eax,0xd55e8
d30de: 89 15 ec 55 0d 00 mov %edx,0xd55ec
d30e4: 0f 01 15 c6 55 0d 00 lgdtl 0xd55c6
d30eb: b8 18 00 00 00 mov $0x18,%eax
d30f0: 8e d8 mov %eax,%ds
d30f2: 8e c0 mov %eax,%es
d30f4: 8e e0 mov %eax,%fs
d30f6: 8e e8 mov %eax,%gs
d30f8: 8e d0 mov %eax,%ss
d30fa: ea 01 31 0d 00 10 00 ljmp $0x10,$0xd3101
d3101: b8 08 00 00 00 mov $0x8,%eax
d3106: 0f 00 d8 ltr %ax
d3109: 83 c4 0c add $0xc,%esp
d310c: 5b pop %ebx
d310d: 5e pop %esi
d310e: 5f pop %edi
d310f: 5d pop %ebp
d3110: c3 ret
d3111: eb 0d jmp d3120 <set_intr_gate>
d3113: 90 nop
d3114: 90 nop
d3115: 90 nop
d3116: 90 nop
d3117: 90 nop
d3118: 90 nop
d3119: 90 nop
d311a: 90 nop
d311b: 90 nop
d311c: 90 nop
d311d: 90 nop
d311e: 90 nop
d311f: 90 nop
000d3120 <set_intr_gate>:
d3120: 55 push %ebp
d3121: 31 d2 xor %edx,%edx
d3123: 89 e5 mov %esp,%ebp
d3125: 53 push %ebx
d3126: 8b 45 0c mov 0xc(%ebp),%eax
d3129: 89 c1 mov %eax,%ecx
d312b: 81 e1 00 00 ff ff and $0xffff0000,%ecx
d3131: 25 ff ff 00 00 and $0xffff,%eax
d3136: 89 cb mov %ecx,%ebx
d3138: 31 c9 xor %ecx,%ecx
d313a: 09 d3 or %edx,%ebx
d313c: 09 c1 or %eax,%ecx
d313e: 8b 45 08 mov 0x8(%ebp),%eax
d3141: 81 cb 00 8e 00 00 or $0x8e00,%ebx
d3147: 81 c9 00 00 10 00 or $0x100000,%ecx
d314d: 89 1c c5 84 98 0d 00 mov %ebx,0xd9884(,%eax,8)
d3154: 5b pop %ebx
d3155: 89 0c c5 80 98 0d 00 mov %ecx,0xd9880(,%eax,8)
d315c: 5d pop %ebp
d315d: c3 ret
d315e: 89 f6 mov %esi,%esi
000d3160 <setup_idt>:
d3160: 55 push %ebp
d3161: 89 e5 mov %esp,%ebp
d3163: 53 push %ebx
d3164: 83 ec 08 sub $0x8,%esp
d3167: 31 db xor %ebx,%ebx
d3169: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d3170: 89 1c 24 mov %ebx,(%esp)
d3173: 8b 04 9d 98 43 0d 00 mov 0xd4398(,%ebx,4),%eax
d317a: 43 inc %ebx
d317b: 89 44 24 04 mov %eax,0x4(%esp)
d317f: e8 9c ff ff ff call d3120 <set_intr_gate>
d3184: 83 fb 2f cmp $0x2f,%ebx
d3187: 7e e7 jle d3170 <setup_idt+0x10>
d3189: 0f 01 1d c0 55 0d 00 lidtl 0xd55c0
d3190: 83 c4 08 add $0x8,%esp
d3193: 5b pop %ebx
d3194: 5d pop %ebp
d3195: c3 ret
d3196: 8d 76 00 lea 0x0(%esi),%esi
d3199: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d31a0 <setup_pic>:
d31a0: 55 push %ebp
d31a1: ba 21 00 00 00 mov $0x21,%edx
d31a6: 89 e5 mov %esp,%ebp
d31a8: b0 ff mov $0xff,%al
d31aa: ee out %al,(%dx)
d31ab: ba a1 00 00 00 mov $0xa1,%edx
d31b0: ee out %al,(%dx)
d31b1: ba 20 00 00 00 mov $0x20,%edx
d31b6: b0 11 mov $0x11,%al
d31b8: ee out %al,(%dx)
d31b9: ba 21 00 00 00 mov $0x21,%edx
d31be: b0 20 mov $0x20,%al
d31c0: ee out %al,(%dx)
d31c1: b0 04 mov $0x4,%al
d31c3: ee out %al,(%dx)
d31c4: b0 01 mov $0x1,%al
d31c6: ee out %al,(%dx)
d31c7: ba a0 00 00 00 mov $0xa0,%edx
d31cc: b0 11 mov $0x11,%al
d31ce: ee out %al,(%dx)
d31cf: ba a1 00 00 00 mov $0xa1,%edx
d31d4: b0 28 mov $0x28,%al
d31d6: ee out %al,(%dx)
d31d7: b0 02 mov $0x2,%al
d31d9: ee out %al,(%dx)
d31da: b0 01 mov $0x1,%al
d31dc: ee out %al,(%dx)
d31dd: ba 21 00 00 00 mov $0x21,%edx
d31e2: 31 c0 xor %eax,%eax
d31e4: ee out %al,(%dx)
d31e5: ba a1 00 00 00 mov $0xa1,%edx
d31ea: ee out %al,(%dx)
d31eb: 5d pop %ebp
d31ec: c3 ret
d31ed: 8d 76 00 lea 0x0(%esi),%esi
000d31f0 <setiomap>:
d31f0: 55 push %ebp
d31f1: b8 01 00 00 00 mov $0x1,%eax
d31f6: 89 e5 mov %esp,%ebp
d31f8: 8b 4d 08 mov 0x8(%ebp),%ecx
d31fb: 5d pop %ebp
d31fc: 89 ca mov %ecx,%edx
d31fe: 83 e1 07 and $0x7,%ecx
d3201: c1 fa 03 sar $0x3,%edx
d3204: d3 e0 shl %cl,%eax
d3206: 08 82 ec 76 0d 00 or %al,0xd76ec(%edx)
d320c: c3 ret
d320d: 8d 76 00 lea 0x0(%esi),%esi
000d3210 <enter_real_mode>:
d3210: 55 push %ebp
d3211: 89 e5 mov %esp,%ebp
d3213: 53 push %ebx
d3214: 83 ec 14 sub $0x14,%esp
d3217: a1 e8 55 0d 00 mov 0xd55e8,%eax
d321c: 8b 15 ec 55 0d 00 mov 0xd55ec,%edx
d3222: 8b 5d 08 mov 0x8(%ebp),%ebx
d3225: a3 e8 55 0d 00 mov %eax,0xd55e8
d322a: a1 00 9a 0d 00 mov 0xd9a00,%eax
d322f: 81 e2 ff fd ff ff and $0xfffffdff,%edx
d3235: 89 15 ec 55 0d 00 mov %edx,0xd55ec
d323b: 85 c0 test %eax,%eax
d323d: 0f 84 0d 01 00 00 je d3350 <enter_real_mode+0x140>
d3243: 31 c0 xor %eax,%eax
d3245: a3 00 9a 0d 00 mov %eax,0xd9a00
d324a: 81 4b 30 02 30 02 00 orl $0x23002,0x30(%ebx)
d3251: c7 43 48 00 f0 00 00 movl $0xf000,0x48(%ebx)
d3258: c7 43 44 00 f0 00 00 movl $0xf000,0x44(%ebx)
d325f: c7 43 40 00 f0 00 00 movl $0xf000,0x40(%ebx)
d3266: c7 43 3c 00 f0 00 00 movl $0xf000,0x3c(%ebx)
d326d: a1 80 76 0d 00 mov 0xd7680,%eax
d3272: 85 c0 test %eax,%eax
d3274: 0f 84 bc 00 00 00 je d3336 <enter_real_mode+0x126>
d327a: a1 6c 98 0d 00 mov 0xd986c,%eax
d327f: c7 43 28 00 00 00 00 movl $0x0,0x28(%ebx)
d3286: c1 e0 08 shl $0x8,%eax
d3289: 89 43 2c mov %eax,0x2c(%ebx)
d328c: c7 43 38 00 00 00 00 movl $0x0,0x38(%ebx)
d3293: c7 43 34 00 00 00 00 movl $0x0,0x34(%ebx)
d329a: c7 43 10 00 00 00 00 movl $0x0,0x10(%ebx)
d32a1: c7 43 14 00 00 00 00 movl $0x0,0x14(%ebx)
d32a8: c7 43 18 00 00 00 00 movl $0x0,0x18(%ebx)
d32af: c7 43 1c 00 00 00 00 movl $0x0,0x1c(%ebx)
d32b6: c7 03 00 00 00 00 movl $0x0,(%ebx)
d32bc: c7 43 04 00 00 00 00 movl $0x0,0x4(%ebx)
d32c3: c7 43 08 00 00 00 00 movl $0x0,0x8(%ebx)
d32ca: c7 43 0c 00 00 00 00 movl $0x0,0xc(%ebx)
d32d1: c7 04 24 20 00 00 00 movl $0x20,(%esp)
d32d8: e8 13 ff ff ff call d31f0 <setiomap>
d32dd: c7 04 24 21 00 00 00 movl $0x21,(%esp)
d32e4: e8 07 ff ff ff call d31f0 <setiomap>
d32e9: c7 04 24 a0 00 00 00 movl $0xa0,(%esp)
d32f0: e8 fb fe ff ff call d31f0 <setiomap>
d32f5: c7 04 24 a1 00 00 00 movl $0xa1,(%esp)
d32fc: e8 ef fe ff ff call d31f0 <setiomap>
d3301: 8b 43 28 mov 0x28(%ebx),%eax
d3304: 89 44 24 08 mov %eax,0x8(%esp)
d3308: 8b 43 2c mov 0x2c(%ebx),%eax
d330b: c7 04 24 c4 50 0d 00 movl $0xd50c4,(%esp)
d3312: 89 44 24 04 mov %eax,0x4(%esp)
d3316: e8 b5 06 00 00 call d39d0 <printf>
d331b: 89 1c 24 mov %ebx,(%esp)
d331e: 31 c0 xor %eax,%eax
d3320: a3 04 76 0d 00 mov %eax,0xd7604
d3325: 31 c0 xor %eax,%eax
d3327: 89 44 24 04 mov %eax,0x4(%esp)
d332b: e8 b0 e2 ff ff call d15e0 <set_mode>
d3330: 83 c4 14 add $0x14,%esp
d3333: 5b pop %ebx
d3334: 5d pop %ebp
d3335: c3 ret
d3336: c7 43 2c 00 f0 00 00 movl $0xf000,0x2c(%ebx)
d333d: c7 43 28 f0 ff 00 00 movl $0xfff0,0x28(%ebx)
d3344: e9 43 ff ff ff jmp d328c <enter_real_mode+0x7c>
d3349: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d3350: 89 1c 24 mov %ebx,(%esp)
d3353: b8 02 00 00 00 mov $0x2,%eax
d3358: 89 44 24 04 mov %eax,0x4(%esp)
d335c: e8 7f e2 ff ff call d15e0 <set_mode>
d3361: 89 1c 24 mov %ebx,(%esp)
d3364: e8 57 e8 ff ff call d1bc0 <emulate>
d3369: 8b 0d 04 76 0d 00 mov 0xd7604,%ecx
d336f: 85 c9 test %ecx,%ecx
d3371: 74 bd je d3330 <enter_real_mode+0x120>
d3373: c7 45 08 f8 50 0d 00 movl $0xd50f8,0x8(%ebp)
d337a: 83 c4 14 add $0x14,%esp
d337d: 5b pop %ebx
d337e: 5d pop %ebp
d337f: e9 fc 05 00 00 jmp d3980 <panic>
d3384: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d338a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
000d3390 <setup_ctx>:
d3390: 55 push %ebp
d3391: b8 ac 00 00 00 mov $0xac,%eax
d3396: 89 e5 mov %esp,%ebp
d3398: 83 ec 18 sub $0x18,%esp
d339b: 89 44 24 08 mov %eax,0x8(%esp)
d339f: 31 c0 xor %eax,%eax
d33a1: 89 44 24 04 mov %eax,0x4(%esp)
d33a5: c7 04 24 00 97 0d 00 movl $0xd9700,(%esp)
d33ac: e8 8f 0f 00 00 call d4340 <memset>
d33b1: b9 90 03 0d 00 mov $0xd0390,%ecx
d33b6: ba 00 76 0d 00 mov $0xd7600,%edx
d33bb: b8 02 00 00 00 mov $0x2,%eax
d33c0: 89 0d 00 97 0d 00 mov %ecx,0xd9700
d33c6: 89 15 04 97 0d 00 mov %edx,0xd9704
d33cc: a3 08 97 0d 00 mov %eax,0xd9708
d33d1: 0f 20 c0 mov %cr0,%eax
d33d4: 83 c8 20 or $0x20,%eax
d33d7: 83 e0 fe and $0xfffffffe,%eax
d33da: a3 0c 97 0d 00 mov %eax,0xd970c
d33df: 31 c0 xor %eax,%eax
d33e1: a3 10 97 0d 00 mov %eax,0xd9710
d33e6: 0f 20 e0 mov %cr4,%eax
d33e9: a3 14 97 0d 00 mov %eax,0xd9714
d33ee: b8 7f 01 00 00 mov $0x17f,%eax
d33f3: b9 10 00 00 00 mov $0x10,%ecx
d33f8: a3 18 97 0d 00 mov %eax,0xd9718
d33fd: b8 80 98 0d 00 mov $0xd9880,%eax
d3402: ba ff ff ff ff mov $0xffffffff,%edx
d3407: a3 1c 97 0d 00 mov %eax,0xd971c
d340c: b8 1f 00 00 00 mov $0x1f,%eax
d3411: a3 20 97 0d 00 mov %eax,0xd9720
d3416: b8 e0 55 0d 00 mov $0xd55e0,%eax
d341b: a3 24 97 0d 00 mov %eax,0xd9724
d3420: 31 c0 xor %eax,%eax
d3422: a3 30 97 0d 00 mov %eax,0xd9730
d3427: 0f b6 05 35 97 0d 00 movzbl 0xd9735,%eax
d342e: c6 05 34 97 0d 00 9b movb $0x9b,0xd9734
d3435: 89 0d 28 97 0d 00 mov %ecx,0xd9728
d343b: 31 c9 xor %ecx,%ecx
d343d: 24 ef and $0xef,%al
d343f: 89 15 2c 97 0d 00 mov %edx,0xd972c
d3445: 0c c0 or $0xc0,%al
d3447: ba 18 00 00 00 mov $0x18,%edx
d344c: a2 35 97 0d 00 mov %al,0xd9735
d3451: b8 18 00 00 00 mov $0x18,%eax
d3456: a3 38 97 0d 00 mov %eax,0xd9738
d345b: b8 ff ff ff ff mov $0xffffffff,%eax
d3460: a3 3c 97 0d 00 mov %eax,0xd973c
d3465: 31 c0 xor %eax,%eax
d3467: a3 40 97 0d 00 mov %eax,0xd9740
d346c: a1 34 97 0d 00 mov 0xd9734,%eax
d3471: 89 0d 50 97 0d 00 mov %ecx,0xd9750
d3477: b9 ff ff ff ff mov $0xffffffff,%ecx
d347c: a3 44 97 0d 00 mov %eax,0xd9744
d3481: 0f b6 05 44 97 0d 00 movzbl 0xd9744,%eax
d3488: 89 15 58 97 0d 00 mov %edx,0xd9758
d348e: 31 d2 xor %edx,%edx
d3490: 89 0d 5c 97 0d 00 mov %ecx,0xd975c
d3496: 24 f0 and $0xf0,%al
d3498: 89 15 60 97 0d 00 mov %edx,0xd9760
d349e: 0c 03 or $0x3,%al
d34a0: b9 18 00 00 00 mov $0x18,%ecx
d34a5: a2 44 97 0d 00 mov %al,0xd9744
d34aa: b8 18 00 00 00 mov $0x18,%eax
d34af: ba ff ff ff ff mov $0xffffffff,%edx
d34b4: a3 48 97 0d 00 mov %eax,0xd9748
d34b9: b8 ff ff ff ff mov $0xffffffff,%eax
d34be: a3 4c 97 0d 00 mov %eax,0xd974c
d34c3: a1 44 97 0d 00 mov 0xd9744,%eax
d34c8: 89 0d 68 97 0d 00 mov %ecx,0xd9768
d34ce: 31 c9 xor %ecx,%ecx
d34d0: 89 15 6c 97 0d 00 mov %edx,0xd976c
d34d6: ba 18 00 00 00 mov $0x18,%edx
d34db: 89 0d 70 97 0d 00 mov %ecx,0xd9770
d34e1: b9 ff ff ff ff mov $0xffffffff,%ecx
d34e6: 89 15 78 97 0d 00 mov %edx,0xd9778
d34ec: 31 d2 xor %edx,%edx
d34ee: 89 0d 7c 97 0d 00 mov %ecx,0xd977c
d34f4: b9 08 00 00 00 mov $0x8,%ecx
d34f9: a3 54 97 0d 00 mov %eax,0xd9754
d34fe: a3 64 97 0d 00 mov %eax,0xd9764
d3503: a3 74 97 0d 00 mov %eax,0xd9774
d3508: 89 15 80 97 0d 00 mov %edx,0xd9780
d350e: ba 6b 20 00 00 mov $0x206b,%edx
d3513: 89 0d 88 97 0d 00 mov %ecx,0xd9788
d3519: b9 84 76 0d 00 mov $0xd7684,%ecx
d351e: 89 15 8c 97 0d 00 mov %edx,0xd978c
d3524: 31 d2 xor %edx,%edx
d3526: a3 a4 97 0d 00 mov %eax,0xd97a4
d352b: 89 0d 90 97 0d 00 mov %ecx,0xd9790
d3531: 31 c9 xor %ecx,%ecx
d3533: 89 15 98 97 0d 00 mov %edx,0xd9798
d3539: 31 d2 xor %edx,%edx
d353b: a3 84 97 0d 00 mov %eax,0xd9784
d3540: c6 05 94 97 0d 00 8b movb $0x8b,0xd9794
d3547: 80 25 95 97 0d 00 2f andb $0x2f,0xd9795
d354e: 89 0d 9c 97 0d 00 mov %ecx,0xd979c
d3554: 89 15 a0 97 0d 00 mov %edx,0xd97a0
d355a: c6 05 a4 97 0d 00 82 movb $0x82,0xd97a4
d3561: 80 25 a5 97 0d 00 2f andb $0x2f,0xd97a5
d3568: c9 leave
d3569: c3 ret
d356a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
000d3570 <start_bios>:
d3570: 55 push %ebp
d3571: 89 e5 mov %esp,%ebp
d3573: 83 ec 18 sub $0x18,%esp
d3576: 8b 15 80 76 0d 00 mov 0xd7680,%edx
d357c: 85 d2 test %edx,%edx
d357e: 75 30 jne d35b0 <start_bios+0x40>
d3580: c7 04 24 84 50 0d 00 movl $0xd5084,(%esp)
d3587: e8 44 04 00 00 call d39d0 <printf>
d358c: b8 01 00 00 00 mov $0x1,%eax
d3591: a3 00 9a 0d 00 mov %eax,0xd9a00
d3596: 0f 20 c0 mov %cr0,%eax
d3599: 83 e0 fe and $0xfffffffe,%eax
d359c: 0f 22 c0 mov %eax,%cr0
d359f: eb 00 jmp d35a1 <start_bios+0x31>
d35a1: 90 nop
d35a2: c7 04 24 94 50 0d 00 movl $0xd5094,(%esp)
d35a9: e8 d2 03 00 00 call d3980 <panic>
d35ae: c9 leave
d35af: c3 ret
d35b0: 89 54 24 04 mov %edx,0x4(%esp)
d35b4: a1 6c 98 0d 00 mov 0xd986c,%eax
d35b9: c7 04 24 a7 50 0d 00 movl $0xd50a7,(%esp)
d35c0: c1 e0 0c shl $0xc,%eax
d35c3: 89 44 24 08 mov %eax,0x8(%esp)
d35c7: e8 04 04 00 00 call d39d0 <printf>
d35cc: eb be jmp d358c <start_bios+0x1c>
d35ce: 89 f6 mov %esi,%esi
000d35d0 <main>:
d35d0: 55 push %ebp
d35d1: 89 e5 mov %esp,%ebp
d35d3: 83 ec 08 sub $0x8,%esp
d35d6: a1 80 76 0d 00 mov 0xd7680,%eax
d35db: 83 e4 f0 and $0xfffffff0,%esp
d35de: 83 ec 10 sub $0x10,%esp
d35e1: 85 c0 test %eax,%eax
d35e3: 74 2b je d3610 <main+0x40>
d35e5: e8 56 fa ff ff call d3040 <setup_gdt>
d35ea: e8 71 fb ff ff call d3160 <setup_idt>
d35ef: 0f 20 e0 mov %cr4,%eax
d35f2: 83 c8 01 or $0x1,%eax
d35f5: 0f 22 e0 mov %eax,%cr4
d35f8: e8 93 fd ff ff call d3390 <setup_ctx>
d35fd: a1 80 76 0d 00 mov 0xd7680,%eax
d3602: 85 c0 test %eax,%eax
d3604: 74 11 je d3617 <main+0x47>
d3606: e8 65 ff ff ff call d3570 <start_bios>
d360b: c9 leave
d360c: 31 c0 xor %eax,%eax
d360e: c3 ret
d360f: 90 nop
d3610: e8 4b f9 ff ff call d2f60 <banner>
d3615: eb ce jmp d35e5 <main+0x15>
d3617: e8 84 fb ff ff call d31a0 <setup_pic>
d361c: 8d 74 26 00 lea 0x0(%esi),%esi
d3620: e8 4b ff ff ff call d3570 <start_bios>
d3625: c9 leave
d3626: 31 c0 xor %eax,%eax
d3628: c3 ret
d3629: 00 00 add %al,(%eax)
d362b: 00 00 add %al,(%eax)
d362d: 00 00 add %al,(%eax)
...
000d3630 <cpuid_addr_value>:
d3630: 55 push %ebp
d3631: 89 e5 mov %esp,%ebp
d3633: 83 ec 0c sub $0xc,%esp
d3636: 89 7c 24 08 mov %edi,0x8(%esp)
d363a: 8b 45 08 mov 0x8(%ebp),%eax
d363d: 8b 55 0c mov 0xc(%ebp),%edx
d3640: 89 74 24 04 mov %esi,0x4(%esp)
d3644: 89 c7 mov %eax,%edi
d3646: a1 70 76 0d 00 mov 0xd7670,%eax
d364b: 89 1c 24 mov %ebx,(%esp)
d364e: 89 d6 mov %edx,%esi
d3650: 85 c0 test %eax,%eax
d3652: 75 0d jne d3661 <cpuid_addr_value+0x31>
d3654: b8 00 00 00 40 mov $0x40000000,%eax
d3659: 0f a2 cpuid
d365b: 40 inc %eax
d365c: a3 70 76 0d 00 mov %eax,0xd7670
d3661: 89 f9 mov %edi,%ecx
d3663: 89 f2 mov %esi,%edx
d3665: 0f a2 cpuid
d3667: 31 c0 xor %eax,%eax
d3669: 31 db xor %ebx,%ebx
d366b: 09 c8 or %ecx,%eax
d366d: 8b 4d 10 mov 0x10(%ebp),%ecx
d3670: 09 da or %ebx,%edx
d3672: 89 01 mov %eax,(%ecx)
d3674: 89 51 04 mov %edx,0x4(%ecx)
d3677: 8b 1c 24 mov (%esp),%ebx
d367a: 8b 74 24 04 mov 0x4(%esp),%esi
d367e: 8b 7c 24 08 mov 0x8(%esp),%edi
d3682: 89 ec mov %ebp,%esp
d3684: 5d pop %ebp
d3685: c3 ret
d3686: 8d 76 00 lea 0x0(%esi),%esi
d3689: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d3690 <putchar>:
d3690: 55 push %ebp
d3691: ba e9 00 00 00 mov $0xe9,%edx
d3696: 89 e5 mov %esp,%ebp
d3698: 0f b6 45 08 movzbl 0x8(%ebp),%eax
d369c: ee out %al,(%dx)
d369d: 5d pop %ebp
d369e: c3 ret
d369f: 90 nop
000d36a0 <strlen>:
d36a0: 55 push %ebp
d36a1: 89 e5 mov %esp,%ebp
d36a3: 8b 55 08 mov 0x8(%ebp),%edx
d36a6: 89 d1 mov %edx,%ecx
d36a8: 90 nop
d36a9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d36b0: 0f b6 02 movzbl (%edx),%eax
d36b3: 42 inc %edx
d36b4: 84 c0 test %al,%al
d36b6: 75 f8 jne d36b0 <strlen+0x10>
d36b8: 5d pop %ebp
d36b9: 29 ca sub %ecx,%edx
d36bb: 8d 42 ff lea 0xffffffff(%edx),%eax
d36be: c3 ret
d36bf: 90 nop
000d36c0 <printnum>:
d36c0: 55 push %ebp
d36c1: 89 c1 mov %eax,%ecx
d36c3: 89 e5 mov %esp,%ebp
d36c5: 83 ec 0c sub $0xc,%esp
d36c8: 89 75 fc mov %esi,0xfffffffc(%ebp)
d36cb: 8b 75 08 mov 0x8(%ebp),%esi
d36ce: 89 d0 mov %edx,%eax
d36d0: 89 5d f8 mov %ebx,0xfffffff8(%ebp)
d36d3: 31 d2 xor %edx,%edx
d36d5: f7 f6 div %esi
d36d7: 85 c0 test %eax,%eax
d36d9: 89 d3 mov %edx,%ebx
d36db: 75 19 jne d36f6 <printnum+0x36>
d36dd: 0f b6 83 2b 51 0d 00 movzbl 0xd512b(%ebx),%eax
d36e4: 88 01 mov %al,(%ecx)
d36e6: 41 inc %ecx
d36e7: 89 c8 mov %ecx,%eax
d36e9: c6 01 00 movb $0x0,(%ecx)
d36ec: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d36ef: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d36f2: 89 ec mov %ebp,%esp
d36f4: 5d pop %ebp
d36f5: c3 ret
d36f6: 89 34 24 mov %esi,(%esp)
d36f9: 89 c2 mov %eax,%edx
d36fb: 89 c8 mov %ecx,%eax
d36fd: e8 be ff ff ff call d36c0 <printnum>
d3702: 89 c1 mov %eax,%ecx
d3704: 0f b6 83 2b 51 0d 00 movzbl 0xd512b(%ebx),%eax
d370b: 88 01 mov %al,(%ecx)
d370d: 41 inc %ecx
d370e: 89 c8 mov %ecx,%eax
d3710: c6 01 00 movb $0x0,(%ecx)
d3713: 8b 5d f8 mov 0xfffffff8(%ebp),%ebx
d3716: 8b 75 fc mov 0xfffffffc(%ebp),%esi
d3719: 89 ec mov %ebp,%esp
d371b: 5d pop %ebp
d371c: c3 ret
d371d: 8d 76 00 lea 0x0(%esi),%esi
000d3720 <_doprint>:
d3720: 55 push %ebp
d3721: 89 e5 mov %esp,%ebp
d3723: 57 push %edi
d3724: 89 c7 mov %eax,%edi
d3726: 56 push %esi
d3727: 89 d6 mov %edx,%esi
d3729: 53 push %ebx
d372a: 83 ec 5c sub $0x5c,%esp
d372d: 0f b6 0e movzbl (%esi),%ecx
d3730: 84 c9 test %cl,%cl
d3732: 0f 84 39 01 00 00 je d3871 <_doprint+0x151>
d3738: 90 nop
d3739: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
d3740: c7 45 bc 00 00 00 00 movl $0x0,0xffffffbc(%ebp)
d3747: 31 db xor %ebx,%ebx
d3749: 80 f9 25 cmp $0x25,%cl
d374c: c7 45 c0 00 00 00 00 movl $0x0,0xffffffc0(%ebp)
d3753: c7 45 b4 00 00 00 00 movl $0x0,0xffffffb4(%ebp)
d375a: 0f 85 40 01 00 00 jne d38a0 <_doprint+0x180>
d3760: 46 inc %esi
d3761: 0f b6 0e movzbl (%esi),%ecx
d3764: 80 f9 2d cmp $0x2d,%cl
d3767: 88 c8 mov %cl,%al
d3769: 0f 94 c2 sete %dl
d376c: 2c 30 sub $0x30,%al
d376e: 3c 09 cmp $0x9,%al
d3770: 0f 96 c0 setbe %al
d3773: 09 d0 or %edx,%eax
d3775: a8 01 test $0x1,%al
d3777: 74 33 je d37ac <_doprint+0x8c>
d3779: 80 f9 2d cmp $0x2d,%cl
d377c: 0f 84 5c 01 00 00 je d38de <_doprint+0x1be>
d3782: 31 c0 xor %eax,%eax
d3784: 80 f9 30 cmp $0x30,%cl
d3787: 0f 94 c0 sete %al
d378a: 89 45 c0 mov %eax,0xffffffc0(%ebp)
d378d: eb 15 jmp d37a4 <_doprint+0x84>
d378f: 90 nop
d3790: 8b 55 b4 mov 0xffffffb4(%ebp),%edx
d3793: 46 inc %esi
d3794: 8d 04 92 lea (%edx,%edx,4),%eax
d3797: 0f be d1 movsbl %cl,%edx
d379a: 8d 44 42 d0 lea 0xffffffd0(%edx,%eax,2),%eax
d379e: 0f b6 0e movzbl (%esi),%ecx
d37a1: 89 45 b4 mov %eax,0xffffffb4(%ebp)
d37a4: 88 c8 mov %cl,%al
d37a6: 2c 30 sub $0x30,%al
d37a8: 3c 09 cmp $0x9,%al
d37aa: 76 e4 jbe d3790 <_doprint+0x70>
d37ac: 80 f9 6c cmp $0x6c,%cl
d37af: 0f 84 20 01 00 00 je d38d5 <_doprint+0x1b5>
d37b5: 80 f9 64 cmp $0x64,%cl
d37b8: 0f 94 c0 sete %al
d37bb: 80 f9 75 cmp $0x75,%cl
d37be: 0f 94 c2 sete %dl
d37c1: 09 d0 or %edx,%eax
d37c3: a8 01 test $0x1,%al
d37c5: 75 16 jne d37dd <_doprint+0xbd>
d37c7: 80 f9 6f cmp $0x6f,%cl
d37ca: 0f 94 c0 sete %al
d37cd: 80 f9 78 cmp $0x78,%cl
d37d0: 0f 94 c2 sete %dl
d37d3: 09 d0 or %edx,%eax
d37d5: a8 01 test $0x1,%al
d37d7: 0f 84 9c 00 00 00 je d3879 <_doprint+0x159>
d37dd: 8b 45 08 mov 0x8(%ebp),%eax
d37e0: bb 08 00 00 00 mov $0x8,%ebx
d37e5: 83 45 08 04 addl $0x4,0x8(%ebp)
d37e9: 80 f9 6f cmp $0x6f,%cl
d37ec: 8b 10 mov (%eax),%edx
d37ee: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
d37f1: 89 45 c4 mov %eax,0xffffffc4(%ebp)
d37f4: 74 10 je d3806 <_doprint+0xe6>
d37f6: bb 10 00 00 00 mov $0x10,%ebx
d37fb: 80 f9 78 cmp $0x78,%cl
d37fe: b8 0a 00 00 00 mov $0xa,%eax
d3803: 0f 45 d8 cmovne %eax,%ebx
d3806: 89 1c 24 mov %ebx,(%esp)
d3809: 8b 45 c4 mov 0xffffffc4(%ebp),%eax
d380c: e8 af fe ff ff call d36c0 <printnum>
d3811: 8b 55 c4 mov 0xffffffc4(%ebp),%edx
d3814: 89 14 24 mov %edx,(%esp)
d3817: e8 84 fe ff ff call d36a0 <strlen>
d381c: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx
d381f: 29 c3 sub %eax,%ebx
d3821: eb 12 jmp d3835 <_doprint+0x115>
d3823: 83 7d c0 01 cmpl $0x1,0xffffffc0(%ebp)
d3827: 19 c0 sbb %eax,%eax
d3829: 83 e0 f0 and $0xfffffff0,%eax
d382c: 83 c0 30 add $0x30,%eax
d382f: 4b dec %ebx
d3830: 89 04 24 mov %eax,(%esp)
d3833: ff d7 call *%edi
d3835: 85 db test %ebx,%ebx
d3837: 7f ea jg d3823 <_doprint+0x103>
d3839: 8b 55 c4 mov 0xffffffc4(%ebp),%edx
d383c: 0f b6 02 movzbl (%edx),%eax
d383f: 84 c0 test %al,%al
d3841: 74 22 je d3865 <_doprint+0x145>
d3843: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d3849: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
d3850: ff 45 c4 incl 0xffffffc4(%ebp)
d3853: 0f be c0 movsbl %al,%eax
d3856: 89 04 24 mov %eax,(%esp)
d3859: ff d7 call *%edi
d385b: 8b 55 c4 mov 0xffffffc4(%ebp),%edx
d385e: 0f b6 02 movzbl (%edx),%eax
d3861: 84 c0 test %al,%al
d3863: 75 eb jne d3850 <_doprint+0x130>
d3865: 46 inc %esi
d3866: 0f b6 0e movzbl (%esi),%ecx
d3869: 84 c9 test %cl,%cl
d386b: 0f 85 cf fe ff ff jne d3740 <_doprint+0x20>
d3871: 83 c4 5c add $0x5c,%esp
d3874: 5b pop %ebx
d3875: 5e pop %esi
d3876: 5f pop %edi
d3877: 5d pop %ebp
d3878: c3 ret
d3879: 80 f9 4f cmp $0x4f,%cl
d387c: 0f 94 c0 sete %al
d387f: 80 f9 44 cmp $0x44,%cl
d3882: 0f 94 c2 sete %dl
d3885: 09 d0 or %edx,%eax
d3887: a8 01 test $0x1,%al
d3889: 75 20 jne d38ab <_doprint+0x18b>
d388b: 80 f9 58 cmp $0x58,%cl
d388e: 74 1b je d38ab <_doprint+0x18b>
d3890: 80 f9 73 cmp $0x73,%cl
d3893: 74 69 je d38fe <_doprint+0x1de>
d3895: 80 f9 63 cmp $0x63,%cl
d3898: 74 54 je d38ee <_doprint+0x1ce>
d389a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
d38a0: 0f be c1 movsbl %cl,%eax
d38a3: 89 04 24 mov %eax,(%esp)
d38a6: ff d7 call *%edi
d38a8: 46 inc %esi
d38a9: eb bb jmp d3866 <_doprint+0x146>
d38ab: 8b 45 08 mov 0x8(%ebp),%eax
d38ae: bb 08 00 00 00 mov $0x8,%ebx
d38b3: 83 45 08 04 addl $0x4,0x8(%ebp)
d38b7: 80 f9 4f cmp $0x4f,%cl
d38ba: 8b 10 mov (%eax),%edx
d38bc: 8d 45 c8 lea 0xffffffc8(%ebp),%eax
d38bf: 89 45 c4 mov %eax,0xffffffc4(%ebp)
d38c2: 0f 84 3e ff ff ff je d3806 <_doprint+0xe6>
d38c8: bb 10 00 00 00 mov $0x10,%ebx
d38cd: 80 f9 58 cmp $0x58,%cl
d38d0: e9 29 ff ff ff jmp d37fe <_doprint+0xde>
d38d5: 46 inc %esi
d38d6: 0f b6 0e movzbl (%esi),%ecx
d38d9: e9 d7 fe ff ff jmp d37b5 <_doprint+0x95>
d38de: c7 45 bc 01 00 00 00 movl $0x1,0xffffffbc(%ebp)
d38e5: 46 inc %esi
d38e6: 0f b6 0e movzbl (%esi),%ecx
d38e9: e9 94 fe ff ff jmp d3782 <_doprint+0x62>
d38ee: 8b 45 08 mov 0x8(%ebp),%eax
d38f1: 83 45 08 04 addl $0x4,0x8(%ebp)
d38f5: 8b 00 mov (%eax),%eax
d38f7: 89 04 24 mov %eax,(%esp)
d38fa: ff d7 call *%edi
d38fc: eb aa jmp d38a8 <_doprint+0x188>
d38fe: 8b 45 08 mov 0x8(%ebp),%eax
d3901: 83 45 08 04 addl $0x4,0x8(%ebp)
d3905: 8b 00 mov (%eax),%eax
d3907: 89 45 c4 mov %eax,0xffffffc4(%ebp)
d390a: 89 04 24 mov %eax,(%esp)
d390d: e8 8e fd ff ff call d36a0 <strlen>
d3912: 89 45 b8 mov %eax,0xffffffb8(%ebp)
d3915: 8b 4d bc mov 0xffffffbc(%ebp),%ecx
d3918: 85 c9 test %ecx,%ecx
d391a: 75 16 jne d3932 <_doprint+0x212>
d391c: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx
d391f: 29 c3 sub %eax,%ebx
d3921: eb 0a jmp d392d <_doprint+0x20d>
d3923: c7 04 24 20 00 00 00 movl $0x20,(%esp)
d392a: ff d7 call *%edi
d392c: 4b dec %ebx
d392d: 85 db test %ebx,%ebx
d392f: 90 nop
d3930: 7f f1 jg d3923 <_doprint+0x203>
d3932: 8b 55 c4 mov 0xffffffc4(%ebp),%edx
d3935: 0f b6 02 movzbl (%edx),%eax
d3938: 84 c0 test %al,%al
d393a: 74 15 je d3951 <_doprint+0x231>
d393c: ff 45 c4 incl 0xffffffc4(%ebp)
d393f: 0f be c0 movsbl %al,%eax
d3942: 89 04 24 mov %eax,(%esp)
d3945: ff d7 call *%edi
d3947: 8b 55 c4 mov 0xffffffc4(%ebp),%edx
d394a: 0f b6 02 movzbl (%edx),%eax
d394d: 84 c0 test %al,%al
d394f: 75 eb jne d393c <_doprint+0x21c>
d3951: 8b 55 bc mov 0xffffffbc(%ebp),%edx
d3954: 85 d2 test %edx,%edx
d3956: 0f 84 09 ff ff ff je d3865 <_doprint+0x145>
d395c: 8b 5d b4 mov 0xffffffb4(%ebp),%ebx
d395f: 8b 45 b8 mov 0xffffffb8(%ebp),%eax
d3962: 29 c3 sub %eax,%ebx
d3964: eb 0a jmp d3970 <_doprint+0x250>
d3966: c7 04 24 20 00 00 00 movl $0x20,(%esp)
d396d: ff d7 call *%edi
d396f: 4b dec %ebx
d3970: 85 db test %ebx,%ebx
d3972: 7f f2 jg d3966 <_doprint+0x246>
d3974: 46 inc %esi
d3975: e9 ec fe ff ff jmp d3866 <_doprint+0x146>
d397a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
000d3980 <panic>:
d3980: 55 push %ebp
d3981: 89 e5 mov %esp,%ebp
d3983: 83 ec 08 sub $0x8,%esp
d3986: 8b 55 08 mov 0x8(%ebp),%edx
d3989: 8d 45 0c lea 0xc(%ebp),%eax
d398c: 89 04 24 mov %eax,(%esp)
d398f: b8 90 36 0d 00 mov $0xd3690,%eax
d3994: e8 87 fd ff ff call d3720 <_doprint>
d3999: c7 04 24 0a 00 00 00 movl $0xa,(%esp)
d39a0: e8 eb fc ff ff call d3690 <putchar>
d39a5: e8 9e c6 ff ff call d0048 <halt>
d39aa: c9 leave
d39ab: c3 ret
d39ac: 8d 74 26 00 lea 0x0(%esi),%esi
000d39b0 <vprintf>:
d39b0: 55 push %ebp
d39b1: 89 e5 mov %esp,%ebp
d39b3: 83 ec 08 sub $0x8,%esp
d39b6: 8b 45 0c mov 0xc(%ebp),%eax
d39b9: 8b 55 08 mov 0x8(%ebp),%edx
d39bc: 89 04 24 mov %eax,(%esp)
d39bf: b8 90 36 0d 00 mov $0xd3690,%eax
d39c4: e8 57 fd ff ff call d3720 <_doprint>
d39c9: c9 leave
d39ca: 31 c0 xor %eax,%eax
d39cc: c3 ret
d39cd: 8d 76 00 lea 0x0(%esi),%esi
000d39d0 <printf>:
d39d0: 55 push %ebp
d39d1: 89 e5 mov %esp,%ebp
d39d3: 83 ec 08 sub $0x8,%esp
d39d6: 8b 55 08 mov 0x8(%ebp),%edx
d39d9: 8d 45 0c lea 0xc(%ebp),%eax
d39dc: 89 04 24 mov %eax,(%esp)
d39df: b8 90 36 0d 00 mov $0xd3690,%eax
d39e4: e8 37 fd ff ff call d3720 <_doprint>
d39e9: c9 leave
d39ea: 31 c0 xor %eax,%eax
d39ec: c3 ret
d39ed: 8d 76 00 lea 0x0(%esi),%esi
000d39f0 <dump_dtr>:
d39f0: 55 push %ebp
d39f1: 89 e5 mov %esp,%ebp
d39f3: 57 push %edi
d39f4: 56 push %esi
d39f5: 53 push %ebx
d39f6: 83 ec 2c sub $0x2c,%esp
d39f9: 8b 45 0c mov 0xc(%ebp),%eax
d39fc: c7 45 ec 00 00 00 00 movl $0x0,0xffffffec(%ebp)
d3a03: 39 45 ec cmp %eax,0xffffffec(%ebp)
d3a06: e9 8d 00 00 00 jmp d3a98 <dump_dtr+0xa8>
d3a0b: 90 nop
d3a0c: 8d 74 26 00 lea 0x0(%esi),%esi
d3a10: 8b 45 ec mov 0xffffffec(%ebp),%eax
d3a13: 8b 55 08 mov 0x8(%ebp),%edx
d3a16: c1 f8 03 sar $0x3,%eax
d3a19: 8b 74 c2 04 mov 0x4(%edx,%eax,8),%esi
d3a1d: 8b 1c c2 mov (%edx,%eax,8),%ebx
d3a20: 31 d2 xor %edx,%edx
d3a22: 89 75 e0 mov %esi,0xffffffe0(%ebp)
d3a25: 8b 7d e0 mov 0xffffffe0(%ebp),%edi
d3a28: 89 d8 mov %ebx,%eax
d3a2a: 0f ac f0 10 shrd $0x10,%esi,%eax
d3a2e: 89 c1 mov %eax,%ecx
d3a30: 81 e1 00 00 ff 00 and $0xff0000,%ecx
d3a36: 89 55 e4 mov %edx,0xffffffe4(%ebp)
d3a39: 81 e7 00 00 00 ff and $0xff000000,%edi
d3a3f: 25 ff ff 00 00 and $0xffff,%eax
d3a44: 09 cf or %ecx,%edi
d3a46: 8b 4d e0 mov 0xffffffe0(%ebp),%ecx
d3a49: 09 c7 or %eax,%edi
d3a4b: 0f b7 c3 movzwl %bx,%eax
d3a4e: 81 e1 00 00 0f 00 and $0xf0000,%ecx
d3a54: 09 c1 or %eax,%ecx
d3a56: 89 f0 mov %esi,%eax
d3a58: c1 e8 17 shr $0x17,%eax
d3a5b: a8 01 test $0x1,%al
d3a5d: 74 09 je d3a68 <dump_dtr+0x78>
d3a5f: c1 e1 0c shl $0xc,%ecx
d3a62: 81 c9 ff 0f 00 00 or $0xfff,%ecx
d3a68: 89 4c 24 14 mov %ecx,0x14(%esp)
d3a6c: 8b 55 e0 mov 0xffffffe0(%ebp),%edx
d3a6f: 8b 45 ec mov 0xffffffec(%ebp),%eax
d3a72: 89 7c 24 10 mov %edi,0x10(%esp)
d3a76: 89 54 24 08 mov %edx,0x8(%esp)
d3a7a: 89 5c 24 0c mov %ebx,0xc(%esp)
d3a7e: 89 44 24 04 mov %eax,0x4(%esp)
d3a82: c7 04 24 e8 51 0d 00 movl $0xd51e8,(%esp)
d3a89: e8 42 ff ff ff call d39d0 <printf>
d3a8e: 83 45 ec 08 addl $0x8,0xffffffec(%ebp)
d3a92: 8b 55 0c mov 0xc(%ebp),%edx
d3a95: 39 55 ec cmp %edx,0xffffffec(%ebp)
d3a98: 0f 82 72 ff ff ff jb d3a10 <dump_dtr+0x20>
d3a9e: 83 c4 2c add $0x2c,%esp
d3aa1: 5b pop %ebx
d3aa2: 5e pop %esi
d3aa3: 5f pop %edi
d3aa4: 5d pop %ebp
d3aa5: c3 ret
d3aa6: 8d 76 00 lea 0x0(%esi),%esi
d3aa9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
000d3ab0 <dump_vmx_context>:
d3ab0: 55 push %ebp
d3ab1: 89 e5 mov %esp,%ebp
d3ab3: 53 push %ebx
d3ab4: 83 ec 24 sub $0x24,%esp
d3ab7: 8b 5d 08 mov 0x8(%ebp),%ebx
d3aba: 8b 43 08 mov 0x8(%ebx),%eax
d3abd: 89 44 24 0c mov %eax,0xc(%esp)
d3ac1: 8b 43 04 mov 0x4(%ebx),%eax
d3ac4: 89 44 24 08 mov %eax,0x8(%esp)
d3ac8: 8b 03 mov (%ebx),%eax
d3aca: c7 04 24 18 52 0d 00 movl $0xd5218,(%esp)
d3ad1: 89 44 24 04 mov %eax,0x4(%esp)
d3ad5: e8 f6 fe ff ff call d39d0 <printf>
d3ada: 8b 43 14 mov 0x14(%ebx),%eax
d3add: 89 44 24 0c mov %eax,0xc(%esp)
d3ae1: 8b 43 10 mov 0x10(%ebx),%eax
d3ae4: 89 44 24 08 mov %eax,0x8(%esp)
d3ae8: 8b 43 0c mov 0xc(%ebx),%eax
d3aeb: c7 04 24 3c 52 0d 00 movl $0xd523c,(%esp)
d3af2: 89 44 24 04 mov %eax,0x4(%esp)
d3af6: e8 d5 fe ff ff call d39d0 <printf>
d3afb: 8b 43 1c mov 0x1c(%ebx),%eax
d3afe: 89 44 24 08 mov %eax,0x8(%esp)
d3b02: 8b 43 18 mov 0x18(%ebx),%eax
d3b05: c7 04 24 60 52 0d 00 movl $0xd5260,(%esp)
d3b0c: 89 44 24 04 mov %eax,0x4(%esp)
d3b10: e8 bb fe ff ff call d39d0 <printf>
d3b15: 8b 43 24 mov 0x24(%ebx),%eax
d3b18: 89 44 24 08 mov %eax,0x8(%esp)
d3b1c: 8b 43 20 mov 0x20(%ebx),%eax
d3b1f: c7 04 24 80 52 0d 00 movl $0xd5280,(%esp)
d3b26: 89 44 24 04 mov %eax,0x4(%esp)
d3b2a: e8 a1 fe ff ff call d39d0 <printf>
d3b2f: 8b 43 30 mov 0x30(%ebx),%eax
d3b32: 89 44 24 0c mov %eax,0xc(%esp)
d3b36: 8b 43 2c mov 0x2c(%ebx),%eax
d3b39: 89 44 24 08 mov %eax,0x8(%esp)
d3b3d: 8b 43 28 mov 0x28(%ebx),%eax
d3b40: c7 04 24 a0 52 0d 00 movl $0xd52a0,(%esp)
d3b47: 89 44 24 04 mov %eax,0x4(%esp)
d3b4b: e8 80 fe ff ff call d39d0 <printf>
d3b50: 0f b6 43 36 movzbl 0x36(%ebx),%eax
d3b54: 83 e0 01 and $0x1,%eax
d3b57: 89 44 24 20 mov %eax,0x20(%esp)
d3b5b: 0f b6 53 35 movzbl 0x35(%ebx),%edx
d3b5f: 88 d0 mov %dl,%al
d3b61: c0 e8 07 shr $0x7,%al
d3b64: 0f b6 c0 movzbl %al,%eax
d3b67: 89 44 24 1c mov %eax,0x1c(%esp)
d3b6b: 88 d0 mov %dl,%al
d3b6d: c0 e8 06 shr $0x6,%al
d3b70: 83 e0 01 and $0x1,%eax
d3b73: c0 ea 04 shr $0x4,%dl
d3b76: 89 44 24 18 mov %eax,0x18(%esp)
d3b7a: 89 d0 mov %edx,%eax
d3b7c: 83 e0 01 and $0x1,%eax
d3b7f: 89 44 24 14 mov %eax,0x14(%esp)
d3b83: 0f b6 53 34 movzbl 0x34(%ebx),%edx
d3b87: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3b8e: 88 d0 mov %dl,%al
d3b90: c0 e8 07 shr $0x7,%al
d3b93: 0f b6 c0 movzbl %al,%eax
d3b96: 89 44 24 10 mov %eax,0x10(%esp)
d3b9a: 88 d0 mov %dl,%al
d3b9c: c0 e8 05 shr $0x5,%al
d3b9f: 83 e0 03 and $0x3,%eax
d3ba2: 89 44 24 0c mov %eax,0xc(%esp)
d3ba6: 88 d0 mov %dl,%al
d3ba8: c0 e8 04 shr $0x4,%al
d3bab: 83 e0 01 and $0x1,%eax
d3bae: 89 44 24 08 mov %eax,0x8(%esp)
d3bb2: 89 d0 mov %edx,%eax
d3bb4: 83 e0 0f and $0xf,%eax
d3bb7: 89 44 24 04 mov %eax,0x4(%esp)
d3bbb: e8 10 fe ff ff call d39d0 <printf>
d3bc0: 8b 43 40 mov 0x40(%ebx),%eax
d3bc3: 89 44 24 0c mov %eax,0xc(%esp)
d3bc7: 8b 43 3c mov 0x3c(%ebx),%eax
d3bca: 89 44 24 08 mov %eax,0x8(%esp)
d3bce: 8b 43 38 mov 0x38(%ebx),%eax
d3bd1: c7 04 24 04 53 0d 00 movl $0xd5304,(%esp)
d3bd8: 89 44 24 04 mov %eax,0x4(%esp)
d3bdc: e8 ef fd ff ff call d39d0 <printf>
d3be1: 0f b6 43 46 movzbl 0x46(%ebx),%eax
d3be5: 83 e0 01 and $0x1,%eax
d3be8: 89 44 24 20 mov %eax,0x20(%esp)
d3bec: 0f b6 53 45 movzbl 0x45(%ebx),%edx
d3bf0: 88 d0 mov %dl,%al
d3bf2: c0 e8 07 shr $0x7,%al
d3bf5: 0f b6 c0 movzbl %al,%eax
d3bf8: 89 44 24 1c mov %eax,0x1c(%esp)
d3bfc: 88 d0 mov %dl,%al
d3bfe: c0 e8 06 shr $0x6,%al
d3c01: 83 e0 01 and $0x1,%eax
d3c04: c0 ea 04 shr $0x4,%dl
d3c07: 89 44 24 18 mov %eax,0x18(%esp)
d3c0b: 89 d0 mov %edx,%eax
d3c0d: 83 e0 01 and $0x1,%eax
d3c10: 89 44 24 14 mov %eax,0x14(%esp)
d3c14: 0f b6 53 44 movzbl 0x44(%ebx),%edx
d3c18: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3c1f: 88 d0 mov %dl,%al
d3c21: c0 e8 07 shr $0x7,%al
d3c24: 0f b6 c0 movzbl %al,%eax
d3c27: 89 44 24 10 mov %eax,0x10(%esp)
d3c2b: 88 d0 mov %dl,%al
d3c2d: c0 e8 05 shr $0x5,%al
d3c30: 83 e0 03 and $0x3,%eax
d3c33: 89 44 24 0c mov %eax,0xc(%esp)
d3c37: 88 d0 mov %dl,%al
d3c39: c0 e8 04 shr $0x4,%al
d3c3c: 83 e0 01 and $0x1,%eax
d3c3f: 89 44 24 08 mov %eax,0x8(%esp)
d3c43: 89 d0 mov %edx,%eax
d3c45: 83 e0 0f and $0xf,%eax
d3c48: 89 44 24 04 mov %eax,0x4(%esp)
d3c4c: e8 7f fd ff ff call d39d0 <printf>
d3c51: 8b 43 50 mov 0x50(%ebx),%eax
d3c54: 89 44 24 0c mov %eax,0xc(%esp)
d3c58: 8b 43 4c mov 0x4c(%ebx),%eax
d3c5b: 89 44 24 08 mov %eax,0x8(%esp)
d3c5f: 8b 43 48 mov 0x48(%ebx),%eax
d3c62: c7 04 24 2c 53 0d 00 movl $0xd532c,(%esp)
d3c69: 89 44 24 04 mov %eax,0x4(%esp)
d3c6d: e8 5e fd ff ff call d39d0 <printf>
d3c72: 0f b6 43 56 movzbl 0x56(%ebx),%eax
d3c76: 83 e0 01 and $0x1,%eax
d3c79: 89 44 24 20 mov %eax,0x20(%esp)
d3c7d: 0f b6 53 55 movzbl 0x55(%ebx),%edx
d3c81: 88 d0 mov %dl,%al
d3c83: c0 e8 07 shr $0x7,%al
d3c86: 0f b6 c0 movzbl %al,%eax
d3c89: 89 44 24 1c mov %eax,0x1c(%esp)
d3c8d: 88 d0 mov %dl,%al
d3c8f: c0 e8 06 shr $0x6,%al
d3c92: 83 e0 01 and $0x1,%eax
d3c95: c0 ea 04 shr $0x4,%dl
d3c98: 89 44 24 18 mov %eax,0x18(%esp)
d3c9c: 89 d0 mov %edx,%eax
d3c9e: 83 e0 01 and $0x1,%eax
d3ca1: 89 44 24 14 mov %eax,0x14(%esp)
d3ca5: 0f b6 53 54 movzbl 0x54(%ebx),%edx
d3ca9: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3cb0: 88 d0 mov %dl,%al
d3cb2: c0 e8 07 shr $0x7,%al
d3cb5: 0f b6 c0 movzbl %al,%eax
d3cb8: 89 44 24 10 mov %eax,0x10(%esp)
d3cbc: 88 d0 mov %dl,%al
d3cbe: c0 e8 05 shr $0x5,%al
d3cc1: 83 e0 03 and $0x3,%eax
d3cc4: 89 44 24 0c mov %eax,0xc(%esp)
d3cc8: 88 d0 mov %dl,%al
d3cca: c0 e8 04 shr $0x4,%al
d3ccd: 83 e0 01 and $0x1,%eax
d3cd0: 89 44 24 08 mov %eax,0x8(%esp)
d3cd4: 89 d0 mov %edx,%eax
d3cd6: 83 e0 0f and $0xf,%eax
d3cd9: 89 44 24 04 mov %eax,0x4(%esp)
d3cdd: e8 ee fc ff ff call d39d0 <printf>
d3ce2: 8b 43 60 mov 0x60(%ebx),%eax
d3ce5: 89 44 24 0c mov %eax,0xc(%esp)
d3ce9: 8b 43 5c mov 0x5c(%ebx),%eax
d3cec: 89 44 24 08 mov %eax,0x8(%esp)
d3cf0: 8b 43 58 mov 0x58(%ebx),%eax
d3cf3: c7 04 24 54 53 0d 00 movl $0xd5354,(%esp)
d3cfa: 89 44 24 04 mov %eax,0x4(%esp)
d3cfe: e8 cd fc ff ff call d39d0 <printf>
d3d03: 0f b6 43 66 movzbl 0x66(%ebx),%eax
d3d07: 83 e0 01 and $0x1,%eax
d3d0a: 89 44 24 20 mov %eax,0x20(%esp)
d3d0e: 0f b6 53 65 movzbl 0x65(%ebx),%edx
d3d12: 88 d0 mov %dl,%al
d3d14: c0 e8 07 shr $0x7,%al
d3d17: 0f b6 c0 movzbl %al,%eax
d3d1a: 89 44 24 1c mov %eax,0x1c(%esp)
d3d1e: 88 d0 mov %dl,%al
d3d20: c0 e8 06 shr $0x6,%al
d3d23: 83 e0 01 and $0x1,%eax
d3d26: c0 ea 04 shr $0x4,%dl
d3d29: 89 44 24 18 mov %eax,0x18(%esp)
d3d2d: 89 d0 mov %edx,%eax
d3d2f: 83 e0 01 and $0x1,%eax
d3d32: 89 44 24 14 mov %eax,0x14(%esp)
d3d36: 0f b6 53 64 movzbl 0x64(%ebx),%edx
d3d3a: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3d41: 88 d0 mov %dl,%al
d3d43: c0 e8 07 shr $0x7,%al
d3d46: 0f b6 c0 movzbl %al,%eax
d3d49: 89 44 24 10 mov %eax,0x10(%esp)
d3d4d: 88 d0 mov %dl,%al
d3d4f: c0 e8 05 shr $0x5,%al
d3d52: 83 e0 03 and $0x3,%eax
d3d55: 89 44 24 0c mov %eax,0xc(%esp)
d3d59: 88 d0 mov %dl,%al
d3d5b: c0 e8 04 shr $0x4,%al
d3d5e: 83 e0 01 and $0x1,%eax
d3d61: 89 44 24 08 mov %eax,0x8(%esp)
d3d65: 89 d0 mov %edx,%eax
d3d67: 83 e0 0f and $0xf,%eax
d3d6a: 89 44 24 04 mov %eax,0x4(%esp)
d3d6e: e8 5d fc ff ff call d39d0 <printf>
d3d73: 8b 43 70 mov 0x70(%ebx),%eax
d3d76: 89 44 24 0c mov %eax,0xc(%esp)
d3d7a: 8b 43 6c mov 0x6c(%ebx),%eax
d3d7d: 89 44 24 08 mov %eax,0x8(%esp)
d3d81: 8b 43 68 mov 0x68(%ebx),%eax
d3d84: c7 04 24 7c 53 0d 00 movl $0xd537c,(%esp)
d3d8b: 89 44 24 04 mov %eax,0x4(%esp)
d3d8f: e8 3c fc ff ff call d39d0 <printf>
d3d94: 0f b6 43 76 movzbl 0x76(%ebx),%eax
d3d98: 83 e0 01 and $0x1,%eax
d3d9b: 89 44 24 20 mov %eax,0x20(%esp)
d3d9f: 0f b6 53 75 movzbl 0x75(%ebx),%edx
d3da3: 88 d0 mov %dl,%al
d3da5: c0 e8 07 shr $0x7,%al
d3da8: 0f b6 c0 movzbl %al,%eax
d3dab: 89 44 24 1c mov %eax,0x1c(%esp)
d3daf: 88 d0 mov %dl,%al
d3db1: c0 e8 06 shr $0x6,%al
d3db4: 83 e0 01 and $0x1,%eax
d3db7: c0 ea 04 shr $0x4,%dl
d3dba: 89 44 24 18 mov %eax,0x18(%esp)
d3dbe: 89 d0 mov %edx,%eax
d3dc0: 83 e0 01 and $0x1,%eax
d3dc3: 89 44 24 14 mov %eax,0x14(%esp)
d3dc7: 0f b6 53 74 movzbl 0x74(%ebx),%edx
d3dcb: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3dd2: 88 d0 mov %dl,%al
d3dd4: c0 e8 07 shr $0x7,%al
d3dd7: 0f b6 c0 movzbl %al,%eax
d3dda: 89 44 24 10 mov %eax,0x10(%esp)
d3dde: 88 d0 mov %dl,%al
d3de0: c0 e8 05 shr $0x5,%al
d3de3: 83 e0 03 and $0x3,%eax
d3de6: 89 44 24 0c mov %eax,0xc(%esp)
d3dea: 88 d0 mov %dl,%al
d3dec: c0 e8 04 shr $0x4,%al
d3def: 83 e0 01 and $0x1,%eax
d3df2: 89 44 24 08 mov %eax,0x8(%esp)
d3df6: 89 d0 mov %edx,%eax
d3df8: 83 e0 0f and $0xf,%eax
d3dfb: 89 44 24 04 mov %eax,0x4(%esp)
d3dff: e8 cc fb ff ff call d39d0 <printf>
d3e04: 8b 83 80 00 00 00 mov 0x80(%ebx),%eax
d3e0a: 89 44 24 0c mov %eax,0xc(%esp)
d3e0e: 8b 43 7c mov 0x7c(%ebx),%eax
d3e11: 89 44 24 08 mov %eax,0x8(%esp)
d3e15: 8b 43 78 mov 0x78(%ebx),%eax
d3e18: c7 04 24 a4 53 0d 00 movl $0xd53a4,(%esp)
d3e1f: 89 44 24 04 mov %eax,0x4(%esp)
d3e23: e8 a8 fb ff ff call d39d0 <printf>
d3e28: 0f b6 83 86 00 00 00 movzbl 0x86(%ebx),%eax
d3e2f: 83 e0 01 and $0x1,%eax
d3e32: 89 44 24 20 mov %eax,0x20(%esp)
d3e36: 0f b6 93 85 00 00 00 movzbl 0x85(%ebx),%edx
d3e3d: 88 d0 mov %dl,%al
d3e3f: c0 e8 07 shr $0x7,%al
d3e42: 0f b6 c0 movzbl %al,%eax
d3e45: 89 44 24 1c mov %eax,0x1c(%esp)
d3e49: 88 d0 mov %dl,%al
d3e4b: c0 e8 06 shr $0x6,%al
d3e4e: 83 e0 01 and $0x1,%eax
d3e51: c0 ea 04 shr $0x4,%dl
d3e54: 89 44 24 18 mov %eax,0x18(%esp)
d3e58: 89 d0 mov %edx,%eax
d3e5a: 83 e0 01 and $0x1,%eax
d3e5d: 89 44 24 14 mov %eax,0x14(%esp)
d3e61: 0f b6 93 84 00 00 00 movzbl 0x84(%ebx),%edx
d3e68: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3e6f: 88 d0 mov %dl,%al
d3e71: c0 e8 07 shr $0x7,%al
d3e74: 0f b6 c0 movzbl %al,%eax
d3e77: 89 44 24 10 mov %eax,0x10(%esp)
d3e7b: 88 d0 mov %dl,%al
d3e7d: c0 e8 05 shr $0x5,%al
d3e80: 83 e0 03 and $0x3,%eax
d3e83: 89 44 24 0c mov %eax,0xc(%esp)
d3e87: 88 d0 mov %dl,%al
d3e89: c0 e8 04 shr $0x4,%al
d3e8c: 83 e0 01 and $0x1,%eax
d3e8f: 89 44 24 08 mov %eax,0x8(%esp)
d3e93: 89 d0 mov %edx,%eax
d3e95: 83 e0 0f and $0xf,%eax
d3e98: 89 44 24 04 mov %eax,0x4(%esp)
d3e9c: e8 2f fb ff ff call d39d0 <printf>
d3ea1: 8b 83 90 00 00 00 mov 0x90(%ebx),%eax
d3ea7: 89 44 24 0c mov %eax,0xc(%esp)
d3eab: 8b 83 8c 00 00 00 mov 0x8c(%ebx),%eax
d3eb1: 89 44 24 08 mov %eax,0x8(%esp)
d3eb5: 8b 83 88 00 00 00 mov 0x88(%ebx),%eax
d3ebb: c7 04 24 cc 53 0d 00 movl $0xd53cc,(%esp)
d3ec2: 89 44 24 04 mov %eax,0x4(%esp)
d3ec6: e8 05 fb ff ff call d39d0 <printf>
d3ecb: 0f b6 83 96 00 00 00 movzbl 0x96(%ebx),%eax
d3ed2: 83 e0 01 and $0x1,%eax
d3ed5: 89 44 24 20 mov %eax,0x20(%esp)
d3ed9: 0f b6 93 95 00 00 00 movzbl 0x95(%ebx),%edx
d3ee0: 88 d0 mov %dl,%al
d3ee2: c0 e8 07 shr $0x7,%al
d3ee5: 0f b6 c0 movzbl %al,%eax
d3ee8: 89 44 24 1c mov %eax,0x1c(%esp)
d3eec: 88 d0 mov %dl,%al
d3eee: c0 e8 06 shr $0x6,%al
d3ef1: 83 e0 01 and $0x1,%eax
d3ef4: c0 ea 04 shr $0x4,%dl
d3ef7: 89 44 24 18 mov %eax,0x18(%esp)
d3efb: 89 d0 mov %edx,%eax
d3efd: 83 e0 01 and $0x1,%eax
d3f00: 89 44 24 14 mov %eax,0x14(%esp)
d3f04: 0f b6 93 94 00 00 00 movzbl 0x94(%ebx),%edx
d3f0b: c7 04 24 c8 52 0d 00 movl $0xd52c8,(%esp)
d3f12: 88 d0 mov %dl,%al
d3f14: c0 e8 07 shr $0x7,%al
d3f17: 0f b6 c0 movzbl %al,%eax
d3f1a: 89 44 24 10 mov %eax,0x10(%esp)
d3f1e: 88 d0 mov %dl,%al
d3f20: c0 e8 05 shr $0x5,%al
d3f23: 83 e0 03 and $0x3,%eax
d3f26: 89 44 24 0c mov %eax,0xc(%esp)
d3f2a: 88 d0 mov %dl,%al
d3f2c: c0 e8 04 shr $0x4,%al
d3f2f: 83 e0 01 and $0x1,%eax
d3f32: 89 44 24 08 mov %eax,0x8(%esp)
d3f36: 89 d0 mov %edx,%eax
d3f38: 83 e0 0f and $0xf,%eax
d3f3b: 89 44 24 04 mov %eax,0x4(%esp)
d3f3f: e8 8c fa ff ff call d39d0 <printf>
d3f44: 8b 83 a0 00 00 00 mov 0xa0(%ebx),%eax
d3f4a: 89 44 24 0c mov %eax,0xc(%esp)
d3f4e: 8b 83 9c 00 00 00 mov 0x9c(%ebx),%eax
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 7:58 ` Brady Chen
@ 2007-08-07 8:02 ` Keir Fraser
2007-08-07 8:22 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 8:02 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
D037C is not particularly interesting. It is just showing that the trap
handler called halt() after dumping the register state. More interesting is
cs:eip=10:d0800. This looks like the original trap-6 occurred at linear
address (0x10<<4)+0xd0800 == 0xd0900. Is there anything interesting in the
objdump at 0xd0900? (or 0xd0800, as I'm not 100% sure about the cs value).
-- Keir
On 7/8/07 08:58, "Brady Chen" <chenchp@gmail.com> wrote:
> now I'm using the unstable version to build hvmloader (only hvmloader
> rebuilt; xen and domain0 kernel are not touched), the same problem.
>
> (XEN) HVM1: Trap (0x6) while in real mode
> (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> (XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
> (XEN) HVM1: trapno 6 errno 0
> (XEN) HVM1: eip D0800 cs 10 eflags 13046
> (XEN) HVM1: uesp D75B4 uss 2
> (XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
> (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM1:
> (XEN) HVM1: Halt called from %eip 0xD037C
>
> here is a snippet from objdump, and I attach the whole objdump as an
> attachment.
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 8:02 ` Keir Fraser
@ 2007-08-07 8:22 ` Brady Chen
2007-08-07 8:47 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 8:22 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi, here is the output; you could get the whole dump from the attachment
of my last mail.
So, there should be an unsupported instruction at 0xd0900 or 0xd0800?
thanks
d07ec: 8d 04 16 lea (%esi,%edx,1),%eax
d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
d07f4: 8b 55 08 mov 0x8(%ebp),%edx
d07f7: 89 f8 mov %edi,%eax
d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d07ff: 25 ff ff 00 00 and $0xffff,%eax
d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0807: 89 ec mov %ebp,%esp
d0809: c1 e0 04 shl $0x4,%eax
d080c: 01 d0 add %edx,%eax
d08e6: 8b 56 2c mov 0x2c(%esi),%edx
d08e9: 89 f0 mov %esi,%eax
d08eb: 89 1c 24 mov %ebx,(%esp)
d08ee: e8 0d fe ff ff call d0700 <address>
d08f3: 89 5c 24 0c mov %ebx,0xc(%esp)
d08f7: 8b 56 2c mov 0x2c(%esi),%edx
d08fa: 89 44 24 04 mov %eax,0x4(%esp)
d08fe: c7 04 24 2e 4b 0d 00 movl $0xd4b2e,(%esp)
d0905: 89 54 24 08 mov %edx,0x8(%esp)
d0909: e8 c2 30 00 00 call d39d0 <printf>
d090e: a1 04 76 0d 00 mov 0xd7604,%eax
d0913: c7 04 24 43 4b 0d 00 movl $0xd4b43,(%esp)
d091a: 89 44 24 04 mov %eax,0x4(%esp)
d091e: e8 ad 30 00 00 call d39d0 <printf>
d0923: 89 3c 24 mov %edi,(%esp)
d0926: 8d 45 14 lea 0x14(%ebp),%eax
d0929: 89 44 24 04 mov %eax,0x4(%esp)
d092d: e8 7e 30 00 00 call d39b0 <vprintf
On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> D037C is not particularly interesting. It is just showing that the trap
> handler called halt() after dumping the register state. More interesting is
> cs:eip=10:d0800. This looks like the original trap-6 occurred at linear
> address (0x10<<4)+0xd0800 == 0xd0900. Is there anything interesting in the
> objdump at 0xd0900? (or 0xd0800, as I'm not 100% sure about the cs value).
>
> -- Keir
>
> On 7/8/07 08:58, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > now I'm using the unstable version to build hvmloader (only hvmloader
> > rebuilt; xen and domain0 kernel are not touched), the same problem.
> >
> > (XEN) HVM1: Trap (0x6) while in real mode
> > (XEN) HVM1: eax D00 ecx 0 edx 71F ebx 71E
> > (XEN) HVM1: esp D74D4 ebp D7520 esi 0 edi D00
> > (XEN) HVM1: trapno 6 errno 0
> > (XEN) HVM1: eip D0800 cs 10 eflags 13046
> > (XEN) HVM1: uesp D75B4 uss 2
> > (XEN) HVM1: ves D4BC8 vds D4D26 vfs D07FE vgs D75B4
> > (XEN) HVM1: cr0 50032 cr2 0 cr3 0 cr4 651
> > (XEN) HVM1:
> > (XEN) HVM1: Halt called from %eip 0xD037C
> >
> > here is a snippet from objdump, and I attach the whole objdump as an
> > attachment.
>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 8:22 ` Brady Chen
@ 2007-08-07 8:47 ` Keir Fraser
2007-08-07 9:06 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 8:47 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
On 7/8/07 09:22, "Brady Chen" <chenchp@gmail.com> wrote:
> Hi, here is the output; you could get the whole dump from the attachment
> of my last mail.
Oh, I missed that!
> So, there should be an unsupported instruction at 0xd0900 or 0xd0800?
Well, there is no instruction boundary at either of those addresses. Either
the register dump is bogus or somehow we ended up jumping into the middle of
an instruction inside vmxassist. Bogus. :-(
You could try initialising the traceset variable in vmxassist/vm86.c to ~0
instead of 0. That should get you a whole load of extra tracing about
exactly what vmxassist is emulating and where. We might be able to work out
a bit more from that.
-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 8:47 ` Keir Fraser
@ 2007-08-07 9:06 ` Brady Chen
2007-08-07 9:29 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 9:06 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
[-- Attachment #1: Type: text/plain, Size: 2767 bytes --]
Hi Keir,
the whole dmesg and a new objdump is attached.
# tar zcvf xendmesg_vmxdump.tar.gz xen_dmesg vmxassist.objdump2
xen_dmesg
vmxassist.objdump2
here are some snippets for your convenience:
(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM2: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM2: Trap (0x6) while in real mode
(XEN) HVM2: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM2: esp D74D4 ebp D7520 esi D74B0 edi D00
(XEN) HVM2: trapno 6 errno 0
(XEN) HVM2: eip D0800 cs 10 eflags 13046
(XEN) HVM2: uesp D75B4 uss 2
(XEN) HVM2: ves D4BC8 vds D4D26 vfs D07FE vgs D7534
(XEN) HVM2: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM2:
(XEN) HVM2: Halt called from %eip 0xD037C
d07f7: 89 f8 mov %edi,%eax
d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d07ff: 25 ff ff 00 00 and $0xffff,%eax
d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0807: 89 ec mov %ebp,%esp
d0809: c1 e0 04 shl $0x4,%eax
d080c: 01 d0 add %edx,%eax
d08f7: 8b 56 2c mov 0x2c(%esi),%edx
d08fa: 89 44 24 04 mov %eax,0x4(%esp)
d08fe: c7 04 24 2e 4b 0d 00 movl $0xd4b2e,(%esp)
d0905: 89 54 24 08 mov %edx,0x8(%esp)
d0909: e8 c2 30 00 00 call d39d0 <printf>
d090e: a1 00 76 0d 00 mov 0xd7600,%eax
The dmesg shows some instructions have been simulated.
So they should be the code just before d0900 or d0800, am I right?
On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> On 7/8/07 09:22, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi, here is the output; you could get the whole dump from the attachment
> > of my last mail.
>
> Oh, I missed that!
>
> > So, there should be an unsupported instruction at 0xd0900 or 0xd0800?
>
> Well, there is no instruction boundary at either of those addresses. Either
> the register dump is bogus or somehow we ended up jumping into the middle of
> an instruction inside vmxassist. Bogus. :-(
>
> You could try initialising the traceset variable in vmxassist/vm86.c to ~0
> instead of 0. That should get you a whole load of extra tracing about
> exactly what vmxassist is emulating and where. We might be able to work out
> a bit more from that.
>
> -- Keir
>
>
[-- Attachment #2: xendmesg_vmxdump.tar.gz --]
[-- Type: application/x-gzip, Size: 48963 bytes --]
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 9:06 ` Brady Chen
@ 2007-08-07 9:29 ` Keir Fraser
2007-08-07 9:35 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 9:29 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
On 7/8/07 10:06, "Brady Chen" <chenchp@gmail.com> wrote:
> The dmesg shows some instructions have been simulated.
> So they should be the code just before d0900 or d0800, am I right?
No. What is happening is that vmxassist is trying to emulate as far as it
can into real-mode execution at around linear address d71b-d71f, until it
sees an instruction that it cannot decode. When it sees an instruction it
does not understand it prints out "opc <opcode number>". Since there is no
such output immediately before the trap, this means that vmxassist was still
in its emulation loop and vmxassist itself crashed. This makes sense because
the faulting eip is somewhere in vmxassist's code (albeit not on an
instruction boundary!). The faulting linear address is definitely d0800, so
that is the interesting area of the vmxassist objdump.
What would be useful is to try to add tracing to see how far vmxassist gets
after its last line of tracing before the trap occurs. That last line is
currently from vm86.c, line 620. You might try adding extra printf()
statements immediately after the write16() on line 622, and also at the top
of the opcode() function. We need to find out at what point vmxassist is
jumping to this bogus address d0800.
-- Keir
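Keir's reading of the trace (an "opc" line means vmxassist gave up on an opcode it could not decode; a trap with no such line just before it means vmxassist itself crashed inside its emulation loop) can be turned into a mechanical check over the dmesg lines. The script below is an added example, not part of this thread and not code from the Xen tree: it parses the HVMn trace lines, verifies that each traced linear address equals (seg << 4) + off as vmxassist's address() forms it in real mode, and classifies how the run ended. The sample logs are constructed from the dmesg snippets quoted in this thread; treating the eip dumped after the trap as vmxassist's own linear address (cs=0x10 being a protected-mode selector rather than a real-mode segment) is an assumption of this example that follows Keir's remark above.

```python
"""Classify how a vmxassist emulation run ended from its trace lines in xen dmesg."""
import re

# Constructed sample logs: the dmesg lines quoted in this thread, trimmed.
LOG_EMULATOR_CRASH = """\
(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM2: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM2: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM2: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM2: Trap (0x6) while in real mode
(XEN) HVM2: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM2: trapno 6 errno 0
(XEN) HVM2: eip D0800 cs 10 eflags 13046
(XEN) HVM2: Halt called from %eip 0xD037C
"""

LOG_UNKNOWN_OPCODE = """\
(XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
(XEN) HVM12: f 2
(XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
(XEN) HVM12: Halt called from %eip 0xD3B4A
"""

# "(XEN) HVMn: 0x<linear>: 0x<seg>:0x<off> (<n>) <text>" lines written by TRACE()
TRACE_RE = re.compile(
    r"^\(XEN\) HVM\d+: 0x([0-9A-Fa-f]+): 0x([0-9A-Fa-f]+):0x([0-9A-Fa-f]+) \(\d+\) (.*)$")
TRAP_RE = re.compile(r"^\(XEN\) HVM\d+: Trap \(0x([0-9A-Fa-f]+)\) while in real mode")
EIP_RE = re.compile(r"^\(XEN\) HVM\d+: eip ([0-9A-Fa-f]+) cs ([0-9A-Fa-f]+) eflags")
UNKNOWN_RE = re.compile(
    r"^\(XEN\) HVM\d+: Unknown opcode at ([0-9A-Fa-f]+):([0-9A-Fa-f]+)=0x([0-9A-Fa-f]+)")


def real_mode_linear(seg, off):
    """Real-mode address formation, as vmxassist's address() does it."""
    return ((seg & 0xFFFF) << 4) + off


def classify(log):
    """Return a dict saying how the run ended, where the guest was, and where vmxassist faulted."""
    result = {"verdict": "no-fault", "last_trace": None, "fault_eip": None,
              "guest_addr": None, "inconsistent": []}
    trapped = False
    for line in log.splitlines():
        m = TRACE_RE.match(line)
        if m:
            linear, seg, off = (int(m.group(i), 16) for i in (1, 2, 3))
            if real_mode_linear(seg, off) != linear:   # trace disagrees with seg:off arithmetic
                result["inconsistent"].append(line)
            result["last_trace"] = (linear, m.group(4))
            continue
        m = UNKNOWN_RE.match(line)
        if m:   # clean stop: the decoder reported the opcode it could not handle
            result["verdict"] = "unknown-opcode"
            result["guest_addr"] = int(m.group(3), 16)
            break
        if TRAP_RE.match(line):
            trapped = True
            last = result["last_trace"]
            # An "opc" line right before the trap means the decoder had given up;
            # anything else means vmxassist was still emulating when it crashed.
            result["verdict"] = ("undecoded-opcode" if last and "opc 0x" in last[1]
                                 else "emulator-crash")
            result["guest_addr"] = last[0] if last else None
            continue
        m = EIP_RE.match(line)
        if trapped and m and result["fault_eip"] is None:
            # Assumption: vmxassist runs with a flat code segment, so this eip is linear.
            result["fault_eip"] = int(m.group(1), 16)
    return result
```

Run against the two constructed logs, the first is classified as emulator-crash with fault_eip 0xD0800 after the guest instruction at 0xD71D, and the second as unknown-opcode at 0xD4C3; every traced address checks out against (seg << 4) + off.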
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 9:29 ` Keir Fraser
@ 2007-08-07 9:35 ` Keir Fraser
2007-08-07 10:30 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 9:35 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> What would be useful is to try to add tracing to see how far vmxassist gets
> after its last line of tracing before the trap occurs. That last line is
> currently from vm86.c, line 620. You might try adding extra printf()
> statements immediately after the write16() on line 622, and also at the top
> of the opcode() function. We need to find out at what point vmxassist is
> jumping to this bogus address d0800.
Oh, another possibility is that vmxassist has been corrupted in memory. This
is particularly likely because, according to the objdump, the 'instruction'
that starts at d0800 is actually valid (it'd be an ADD of some sort).
So, within trap() you might want to read say 16 bytes starting at 0xd0800
and printf() them. So we can see if they match what objdump says should be
there.
-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 9:35 ` Keir Fraser
@ 2007-08-07 10:30 ` Brady Chen
2007-08-07 10:37 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 10:30 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi Keir,
I made the change as you said;
the diff is:
[root@localhost firmware]# hg diff vmxassist/vm86.c
diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
--- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
+++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
@@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
static struct regs saved_rm_regs;
#ifdef DEBUG
-int traceset = 0;
+int traceset = ~0;
char *states[] = {
"<VM86_REAL>",
@@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
TRACE((regs, regs->eip - eip,
"movw %%%s, *0x%x", rnames[r], addr));
write16(addr, MASK16(val));
+ printf("after write16 of movw\n");
}
return 1;
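Review bot: the new printf() comes after write16(), so a fault inside write16() would leave no message and look like a crash before the write; print addr (and the value) before the call as well, e.g. printf("movw -> 0x%x\n", addr);, so a fault in the write can be told apart from a crash after it.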
@@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
unsigned eip = regs->eip;
unsigned opc, modrm, disp;
unsigned prefix = 0;
+ printf("top of opcode\n");
if (mode == VM86_PROTECTED_TO_REAL &&
oldctx.cs_arbytes.fields.default_ops_size) {
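Review bot: "top of opcode" carries no state, so each of these lines has to be correlated with the TRACE output that follows it; printing regs->cs and regs->eip here, printf("opcode at %x:%x\n", regs->cs, regs->eip);, would show where each decode starts, including the final fetch that never gets to emit a TRACE line before the trap.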
@@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
if (trapno == 14)
printf("Page fault address 0x%x\n", get_cr2());
dump_regs(regs);
+ printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
+ printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
halt();
}
}
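Review bot: these two reads cover only bytes d0800-d0801 and d0804-d0805, skipping d0802-d0803 and everything past d0806, whereas 16 bytes were asked for; a loop over read8() from 0xd0800 to 0xd080f prints the whole window for comparison with objdump. Also %0x is the zero-pad flag with no width and prints like a plain %x, so use %04x for the unsigned short. Note the reads are little-endian 16-bit words, so 0xFFFF corresponds to bytes ff ff (the tail of the and $0xffff,%eax at d07ff) and 0x7D8B to 8b 7d at d0804.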
here is the output:
(XEN) HVM6: top of opcode
(XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM6: top of opcode
(XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM6: after write16 of movw
(XEN) HVM6: top of opcode
(XEN) HVM6: Trap (0x6) while in real mode
(XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
(XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
(XEN) HVM6: trapno 6 errno 0
(XEN) HVM6: eip D0800 cs 10 eflags 13046
(XEN) HVM6: uesp D4C29 uss 2
(XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
(XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM6:
(XEN) HVM6: 0xd0800 is 0xFFFF
(XEN) HVM6: 0xd0804 is 0x7D8B
(XEN) HVM6: Halt called from %eip 0xD037C
objdump:
d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
d07f4: 8b 55 08 mov 0x8(%ebp),%edx
d07f7: 89 f8 mov %edi,%eax
d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
d07ff: 25 ff ff 00 00 and $0xffff,%eax
d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
d0807: 89 ec mov %ebp,%esp
d0809: c1 e0 04 shl $0x4,%eax
d080c: 01 d0 add %edx,%eax
d080e: 5d pop %ebp
Seems the memory is correct; it crashed in opcode(),
and I think it's fetch8(regs) which crashes the system. I tried
fetch8(regs) in trap(), but it causes more traps and lets the hvm guest
be reset.
On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>
> > What would be useful is to try to add tracing to see how far vmxassist gets
> > after its last line of tracing before the trap occurs. That last line is
> > currently from vm86.c, line 620. You might try adding extra printf()
> > statements immediately after the write16() on line 622, and also at the top
> > of the opcode() function. We need to find out at what point vmxassist is
> > jumping to this bogus address d0800.
>
> Oh, another possibility is that vmxassist has been corrupted in memory. This
> is particularly likely because, according to the objdump, the 'instruction'
> that starts at d0800 is actually valid (it'd be an ADD of some sort).
>
> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> and printf() them. So we can see if they match what objdump says should be
> there.
>
> -- Keir
>
>
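Keir's two questions to the objdump, whether cs:eip lands on an instruction boundary and whether the bytes in guest memory still match the listing, can both be answered by one small host-side tool. The script below is an added example, not code from this thread or from vmxassist: it parses objdump -d output, forms the real-mode linear address the way address() does, finds which instruction contains a given address, and compares 16-bit words read from the running guest (the 0xFFFF at 0xd0800 and 0x7D8B at 0xd0804 printed above) against the bytes objdump shows. The listing is constructed from the objdump snippet quoted above; the observed words are taken from the dmesg lines above.

```python
"""Check a trap address against an objdump listing of vmxassist, and diff live bytes against it."""
import re

# Constructed sample: the objdump -d lines quoted in this thread, around the fault.
OBJDUMP_SNIPPET = """\
   d07f4: 8b 55 08                mov    0x8(%ebp),%edx
   d07f7: 89 f8                   mov    %edi,%eax
   d07f9: 8b 5d f4                mov    0xfffffff4(%ebp),%ebx
   d07fc: 8b 75 f8                mov    0xfffffff8(%ebp),%esi
   d07ff: 25 ff ff 00 00          and    $0xffff,%eax
   d0804: 8b 7d fc                mov    0xfffffffc(%ebp),%edi
   d0807: 89 ec                   mov    %ebp,%esp
   d0809: c1 e0 04                shl    $0x4,%eax
   d080c: 01 d0                   add    %edx,%eax
   d080e: 5d                      pop    %ebp
"""

# "<addr>: <hex bytes> <asm>"; a line with bytes but no asm is an objdump continuation line
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(.*)$")


def parse_objdump(text):
    """Return a sorted list of (address, bytes, asm) from objdump -d output."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        raw = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
        asm = m.group(3).strip()
        if not asm and insns:       # continuation: more bytes of the previous instruction
            a, b, s = insns[-1]
            insns[-1] = (a, b + raw, s)
        else:
            insns.append((addr, raw, asm))
    return sorted(insns)


def real_mode_linear(cs, eip):
    """Linear address vmxassist forms for a real-mode cs:eip."""
    return ((cs & 0xFFFF) << 4) + eip


def locate(insns, linear):
    """(instruction, offset into it) for the instruction containing `linear`, or None."""
    for addr, raw, asm in insns:
        if addr <= linear < addr + len(raw):
            return (addr, raw, asm), linear - addr
    return None


def is_boundary(insns, linear):
    """True only if `linear` is the first byte of a listed instruction."""
    hit = locate(insns, linear)
    return hit is not None and hit[1] == 0


def image(insns):
    """Flatten the listing into {address: byte} so live memory can be compared to it."""
    mem = {}
    for addr, raw, _ in insns:
        for i, b in enumerate(raw):
            mem[addr + i] = b
    return mem


def compare_words16(insns, observed):
    """observed maps address -> little-endian 16-bit value read in the guest (as *(unsigned short*)p)."""
    mem = image(insns)
    report = {}
    for addr, seen in observed.items():
        expected = mem[addr] | (mem[addr + 1] << 8)
        report[addr] = (expected, seen, expected == seen)
    return report
```

On this listing 0xd0800 is byte 1 of the and $0xffff,%eax at 0xd07ff, not a boundary, while 0xd0804 is; both observed words match the listing, which is the same conclusion Brady reached by eye.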
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 10:30 ` Brady Chen
@ 2007-08-07 10:37 ` Keir Fraser
2007-08-07 11:03 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 10:37 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
How about trying:
printf("Before fetch8\n");
dump_regs(regs);
opc = fetch8(regs);
printf("After fetch8\n");
switch (opc) { ...
This will let you see what eip is being fetched from, and also confirm that
the crash happens within fetch8().
You could also try adding more printf()s inside fetch8() and address() to
find out which specific bit of fetch8() is crashing (if that is indeed the
function that is crashing).
-- Keir
On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> Hi Keir,
> I made the change as you said;
> the diff is:
> [root@localhost firmware]# hg diff vmxassist/vm86.c
> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> static struct regs saved_rm_regs;
>
> #ifdef DEBUG
> -int traceset = 0;
> +int traceset = ~0;
>
> char *states[] = {
> "<VM86_REAL>",
> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> TRACE((regs, regs->eip - eip,
> "movw %%%s, *0x%x", rnames[r], addr));
> write16(addr, MASK16(val));
> + printf("after write16 of movw\n");
> }
> return 1;
>
> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> unsigned eip = regs->eip;
> unsigned opc, modrm, disp;
> unsigned prefix = 0;
> + printf("top of opcode\n");
>
> if (mode == VM86_PROTECTED_TO_REAL &&
> oldctx.cs_arbytes.fields.default_ops_size) {
> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> if (trapno == 14)
> printf("Page fault address 0x%x\n", get_cr2());
> dump_regs(regs);
> + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
> + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
> halt();
> }
> }
>
>
> here is the output:
> (XEN) HVM6: top of opcode
> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> (XEN) HVM6: top of opcode
> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> (XEN) HVM6: after write16 of movw
> (XEN) HVM6: top of opcode
> (XEN) HVM6: Trap (0x6) while in real mode
> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> (XEN) HVM6: trapno 6 errno 0
> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> (XEN) HVM6: uesp D4C29 uss 2
> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM6:
> (XEN) HVM6: 0xd0800 is 0xFFFF
> (XEN) HVM6: 0xd0804 is 0x7D8B
> (XEN) HVM6: Halt called from %eip 0xD037C
>
> objdump:
> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> d07f7: 89 f8 mov %edi,%eax
> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> d0807: 89 ec mov %ebp,%esp
> d0809: c1 e0 04 shl $0x4,%eax
> d080c: 01 d0 add %edx,%eax
> d080e: 5d pop %ebp
>
> Seems the memory is correct; it crashed in opcode(),
> and I think it's fetch8(regs) which crashes the system. I tried
> fetch8(regs) in trap(), but it causes more traps and lets the hvm guest
> be reset.
>
> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>
>>> What would be useful is to try to add tracing to see how far vmxassist gets
>>> after its last line of tracing before the trap occurs. That last line is
>>> currently from vm86.c, line 620. You might try adding extra printf()
>>> statements immediately after the write16() on line 622, and also at the top
>>> of the opcode() function. We need to find out at what point vmxassist is
>>> jumping to this bogus address d0800.
>>
>> Oh, another possibility is that vmxassist has been corrupted in memory. This
>> is particularly likely because, according to the objdump, the 'instruction'
>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
>>
>> So, within trap() you might want to read say 16 bytes starting at 0xd0800
>> and printf() them. So we can see if they match what objdump says should be
>> there.
>>
>> -- Keir
>>
>>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 10:37 ` Keir Fraser
@ 2007-08-07 11:03 ` Brady Chen
2007-08-07 11:35 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 11:03 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi, yes, it crashed in fetch8. It's very slow after I added this print info.
The main function of fetch8 seems to be address(). It seems to have crashed in address().
(XEN) HVM7: after write16 of movw
(XEN) HVM7: top of opcode
(XEN) HVM7: Before fetch8
(XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
(XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
(XEN) HVM7: trapno D errno 0
(XEN) HVM7: eip 71F cs D00 eflags 33206
(XEN) HVM7: uesp CFB4 uss 0
(XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM7:
(XEN) HVM7: Trap (0x6) while in real mode
(XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
(XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
(XEN) HVM7: trapno 6 errno 0
(XEN) HVM7: eip D0800 cs 10 eflags 13046
(XEN) HVM7: uesp 71F uss D76D4
(XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
(XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM7:
(XEN) HVM7: 0xd0800 is 0xFFFF
(XEN) HVM7: 0xd0804 is 0x7D8B
(XEN) HVM7: Halt called from %eip 0xD037C
On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> How about trying:
> printf("Before fetch8\n");
> dump_regs(regs);
> opc = fetch8(regs);
> printf("After fetch8\n");
> switch (opc) { ...
>
> This will let you see what eip is being fetched from, and also confirm that
> the crash happens within fetch8().
>
> You could also try adding more printf()s inside fetch8() and address() to
> find out which specific bit of fetch8() is crashing (if that is indeed the
> function that is crashing).
>
> -- Keir
>
> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > I made the change as you said;
> > the diff is:
> > [root@localhost firmware]# hg diff vmxassist/vm86.c
> > diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> > --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> > +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> > @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> > static struct regs saved_rm_regs;
> >
> > #ifdef DEBUG
> > -int traceset = 0;
> > +int traceset = ~0;
> >
> > char *states[] = {
> > "<VM86_REAL>",
> > @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> > TRACE((regs, regs->eip - eip,
> > "movw %%%s, *0x%x", rnames[r], addr));
> > write16(addr, MASK16(val));
> > + printf("after write16 of movw\n");
> > }
> > return 1;
> >
> > @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> > unsigned eip = regs->eip;
> > unsigned opc, modrm, disp;
> > unsigned prefix = 0;
> > + printf("top of opcode\n");
> >
> > if (mode == VM86_PROTECTED_TO_REAL &&
> > oldctx.cs_arbytes.fields.default_ops_size) {
> > @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> > if (trapno == 14)
> > printf("Page fault address 0x%x\n", get_cr2());
> > dump_regs(regs);
> > + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
> > + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
> > halt();
> > }
> > }
> >
> >
> > here is the output:
> > (XEN) HVM6: top of opcode
> > (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> > (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > (XEN) HVM6: top of opcode
> > (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> > (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> > (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> > (XEN) HVM6: after write16 of movw
> > (XEN) HVM6: top of opcode
> > (XEN) HVM6: Trap (0x6) while in real mode
> > (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> > (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> > (XEN) HVM6: trapno 6 errno 0
> > (XEN) HVM6: eip D0800 cs 10 eflags 13046
> > (XEN) HVM6: uesp D4C29 uss 2
> > (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> > (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> > (XEN) HVM6:
> > (XEN) HVM6: 0xd0800 is 0xFFFF
> > (XEN) HVM6: 0xd0804 is 0x7D8B
> > (XEN) HVM6: Halt called from %eip 0xD037C
> >
> > objdump:
> > d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> > d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> > d07f7: 89 f8 mov %edi,%eax
> > d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> > d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> > d07ff: 25 ff ff 00 00 and $0xffff,%eax
> > d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> > d0807: 89 ec mov %ebp,%esp
> > d0809: c1 e0 04 shl $0x4,%eax
> > d080c: 01 d0 add %edx,%eax
> > d080e: 5d pop %ebp
> >
> > Seems the memory is correct; it crashed in opcode(),
> > and I think it's fetch8(regs) which crashes the system. I tried
> > fetch8(regs) in trap(), but it causes more traps and lets the hvm guest
> > be reset.
> >
> > On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>
> >>> What would be useful is to try to add tracing to see how far vmxassist gets
> >>> after its last line of tracing before the trap occurs. That last line is
> >>> currently from vm86.c, line 620. You might try adding extra printf()
> >>> statements immediately after the write16() on line 622, and also at the top
> >>> of the opcode() function. We need to find out at what point vmxassist is
> >>> jumping to this bogus address d0800.
> >>
> >> Oh, another possibility is that vmxassist has been corrupted in memory. This
> >> is particularly likely because, according to the objdump, the 'instruction'
> >> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> >>
> >> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> >> and printf() them. So we can see if they match what objdump says should be
> >> there.
> >>
> >> -- Keir
> >>
> >>
> >
>
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 11:03 ` Brady Chen
@ 2007-08-07 11:35 ` Brady Chen
2007-08-07 11:50 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 11:35 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
It's strange:
if I add these prints, I get "Unknown opcode", not "trap".
===added printf
[root@localhost firmware]# hg diff -p vmxassist/vm86.c
diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
--- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
+++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
@@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
static struct regs saved_rm_regs;
#ifdef DEBUG
-int traceset = 0;
+int traceset = ~0;
char *states[] = {
"<VM86_REAL>",
@@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
unsigned seg_base, seg_limit;
unsigned entry_low, entry_high;
+ printf("f 1\n");
if (seg == 0) {
if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
return off;
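Review bot: address() is on the path of every fetch8(), read and write, so printf("f 1\n") fires for every byte the emulator touches, which explains the slowdown reported in the previous mail; more importantly, the added calls change vmxassist's stack usage and code layout, so a crash that depends on stack or memory corruption can move or disappear (the run below ends in "Unknown opcode" instead of the trap). Keep the prints, but treat the changed outcome as a clue about the bug rather than as a fix.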
@@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
panic("segment is zero, but not in real mode!\n");
}
+ printf("f 2\n");
if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
(mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
return ((seg & 0xFFFF) << 4) + off;
+ printf("f 3\n");
gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
+ printf("f 4\n");
if (gdt_phys_base != (uint32_t)gdt_phys_base) {
+ printf("f 5\n");
printf("gdt base address above 4G\n");
cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
} else
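Review bot: "f 2" is printed before the real-mode early return, so the f 1, f 2 pairs with no f 3 in the output below show that every address() call returned through the ((seg & 0xFFFF) << 4) + off arithmetic; including seg and off in the message, printf("f 2 seg=%x off=%x\n", seg, off);, would show the address being formed. "f 5" duplicates the "gdt base address above 4G" message directly after it and can go.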
@@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
+ printf("f 6\n");
if (entry_high & 0x8000 &&
((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
(!(entry_high & 0x800000) && off <= seg_limit)))
return seg_base + off;
+ printf("f 7\n");
panic("should never reach here in function address():\n\t"
"entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
entry_high, entry_low, mode, seg, off);
+ printf("f 8\n");
return 0;
}
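Review bot: printf("f 8\n") after panic() is unreachable if panic() halts, as its name implies, so drop it. "f 6" is printed once the descriptor fields exist, so printing entry_high, entry_low, seg_base and seg_limit there would show whether any protected-mode selector reaches this point in the failing run (in the output below none does).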
@@ -286,6 +294,7 @@ fetch8(struct regs *regs)
unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
regs->eip++;
+ printf("f 9\n");
return read8(addr);
}
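Review bot: "f 9" is printed after address() returns but before read8(addr), so f 2 followed by f 9 only proves that address() returned; a fault inside read8() would still leave "f 9" as the last line. Print addr here, printf("f 9 addr=%x\n", addr);, and add a print after read8() returns, so the fetch address and the crash site can be separated. Also regs->eip++ happens before the read, so on a fault the dumped eip is already one past the byte being fetched.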
===output when adding many printfs
(XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
(XEN) HVM12: f 2
(XEN) HVM12: f 9
(XEN) HVM12: f 1
(XEN) HVM12: f 2
(XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
(XEN) HVM12: f 2
(XEN) HVM12: f 9
(XEN) HVM12: f 1
(XEN) HVM12: f 2
(XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
(XEN) HVM12: f 2
(XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
(XEN) HVM12: Halt called from %eip 0xD3B4A
On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> Hi, yes, it crashed in fetch8. It's very slow after I added this print info.
> The main function of fetch8 seems to be address(). It seems to have crashed in address().
>
> (XEN) HVM7: after write16 of movw
> (XEN) HVM7: top of opcode
> (XEN) HVM7: Before fetch8
> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> (XEN) HVM7: trapno D errno 0
> (XEN) HVM7: eip 71F cs D00 eflags 33206
> (XEN) HVM7: uesp CFB4 uss 0
> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM7:
> (XEN) HVM7: Trap (0x6) while in real mode
> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> (XEN) HVM7: trapno 6 errno 0
> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> (XEN) HVM7: uesp 71F uss D76D4
> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM7:
> (XEN) HVM7: 0xd0800 is 0xFFFF
> (XEN) HVM7: 0xd0804 is 0x7D8B
> (XEN) HVM7: Halt called from %eip 0xD037C
>
>
> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > How about trying:
> > printf("Before fetch8\n");
> > dump_regs(regs);
> > opc = fetch8(regs);
> > printf("After fetch8\n");
> > switch (opc) { ...
> >
> > This will let you see what eip is being fetched from, and also confirm that
> > the crash happens within fetch8().
> >
> > You could also try adding more printf()s inside fetch8() and address() to
> > find out which specific bit of fetch8() is crashing (if that is indeed the
> > function that is crashing).
> >
> > -- Keir
> >
> > On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >
> > > Hi Keir,
> > > I made the change as you said;
> > > the diff is:
> > > [root@localhost firmware]# hg diff vmxassist/vm86.c
> > > diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> > > --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> > > +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> > > @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> > > static struct regs saved_rm_regs;
> > >
> > > #ifdef DEBUG
> > > -int traceset = 0;
> > > +int traceset = ~0;
> > >
> > > char *states[] = {
> > > "<VM86_REAL>",
> > > @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> > > TRACE((regs, regs->eip - eip,
> > > "movw %%%s, *0x%x", rnames[r], addr));
> > > write16(addr, MASK16(val));
> > > + printf("after write16 of movw\n");
> > > }
> > > return 1;
> > >
> > > @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> > > unsigned eip = regs->eip;
> > > unsigned opc, modrm, disp;
> > > unsigned prefix = 0;
> > > + printf("top of opcode\n");
> > >
> > > if (mode == VM86_PROTECTED_TO_REAL &&
> > > oldctx.cs_arbytes.fields.default_ops_size) {
> > > @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> > > if (trapno == 14)
> > > printf("Page fault address 0x%x\n", get_cr2());
> > > dump_regs(regs);
> > > + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
> > > + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
> > > halt();
> > > }
> > > }
> > >
> > >
> > > here is the output:
> > > (XEN) HVM6: top of opcode
> > > (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> > > (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > > (XEN) HVM6: top of opcode
> > > (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> > > (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> > > (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> > > (XEN) HVM6: after write16 of movw
> > > (XEN) HVM6: top of opcode
> > > (XEN) HVM6: Trap (0x6) while in real mode
> > > (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> > > (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> > > (XEN) HVM6: trapno 6 errno 0
> > > (XEN) HVM6: eip D0800 cs 10 eflags 13046
> > > (XEN) HVM6: uesp D4C29 uss 2
> > > (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> > > (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> > > (XEN) HVM6:
> > > (XEN) HVM6: 0xd0800 is 0xFFFF
> > > (XEN) HVM6: 0xd0804 is 0x7D8B
> > > (XEN) HVM6: Halt called from %eip 0xD037C
> > >
> > > objdump:
> > > d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> > > d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> > > d07f7: 89 f8 mov %edi,%eax
> > > d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> > > d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> > > d07ff: 25 ff ff 00 00 and $0xffff,%eax
> > > d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> > > d0807: 89 ec mov %ebp,%esp
> > > d0809: c1 e0 04 shl $0x4,%eax
> > > d080c: 01 d0 add %edx,%eax
> > > d080e: 5d pop %ebp
> > >
> > > It seems the memory is correct; it crashed in opcode(),
> > > and I think it's fetch8(regs) which crashes the system. I tried
> > > fetch8(regs) in trap(), but it causes more traps and makes the hvm guest
> > > reset.
> > >
> > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > >> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> > >>
> > >>> What would be useful is to try to add tracing to see how far vmxassist gets
> > >>> after its last line of tracing before the trap occurs. That last line is
> > >>> currently from vm86.c, line 620. You might try adding extra printf()
> > >> statements immediately after the write16() on line 622, and also at the top
> > >>> of the opcode() function. We need to find out at what point vmxassist is
> > >>> jumping to this bogus address d0800.
> > >>
> > >> Oh, another possibility is that vmxassist has been corrupted in memory. This
> > >> is particularly likely because, according to the objdump, the 'instruction'
> > >> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> > >>
> > >> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> > >> and printf() them. So we can see if they match what objdump says should be
> > >> there.
> > >>
> > >> -- Keir
> > >>
> > >>
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xensource.com
> > > http://lists.xensource.com/xen-devel
> >
> >
>
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 11:35 ` Brady Chen
@ 2007-08-07 11:50 ` Keir Fraser
2007-08-07 16:06 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 11:50 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Very weird. The emulations now aren't at the same address as before either
(0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
printf()s -- is it at all possible that the guest is executing down a
different path here for other reasons? If it's really down to the printf()s
then I guess you'll have to shuffle/remove printf()s to get the old
behaviour back.
-- Keir
On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> It's strange:
> if I add these prints, I get "Unknown opcode", not "trap".
> ===added printf
> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> static struct regs saved_rm_regs;
>
> #ifdef DEBUG
> -int traceset = 0;
> +int traceset = ~0;
>
> char *states[] = {
> "<VM86_REAL>",
> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> unsigned seg_base, seg_limit;
> unsigned entry_low, entry_high;
>
> + printf("f 1\n");
> if (seg == 0) {
> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> return off;
> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> panic("segment is zero, but not in real mode!\n");
> }
>
> + printf("f 2\n");
> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> return ((seg & 0xFFFF) << 4) + off;
>
> + printf("f 3\n");
> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> + printf("f 4\n");
> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> + printf("f 5\n");
> printf("gdt base address above 4G\n");
> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
> } else
> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
>
> + printf("f 6\n");
> if (entry_high & 0x8000 &&
> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> (!(entry_high & 0x800000) && off <= seg_limit)))
> return seg_base + off;
> + printf("f 7\n");
>
> panic("should never reach here in function address():\n\t"
> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
> entry_high, entry_low, mode, seg, off);
> + printf("f 8\n");
>
> return 0;
> }
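Review bot: `printf("f 8\n")` after the panic() call is dead code if panic() does not return, which its "should never reach here" message and the "Halt called from %eip" line closing every dump indicate; drop it. `printf("f 5\n")` in the previous hunk is likewise redundant, since the "gdt base address above 4G" printf() on the very next line already marks that path.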
> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>
> regs->eip++;
> + printf("f 9\n");
> return read8(addr);
> }
>
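Review bot: `printf("f 9\n")` here, together with the ones at the top of address() in the earlier hunks, runs for every byte the emulator consumes (the output shows address() entered twice and fetch8() once per prefix byte), and each call is a trip through the hypervisor, since the text surfaces as `(XEN) HVMn:` lines in the Xen log. That is why the guest became "very slow", and it shifts timing enough that the run with only the first two printf()s shows an `external interrupt 8` delivered in the middle of an emulated instruction and the trap moving from d0800 to d19fd in interrupt(). Instrumentation that moves the fault is itself a finding: it points away from the opcode being decoded and towards memory or stack state that the extra calls disturb. If per-byte tracing is needed, log into a small in-memory ring buffer and dump it from trap() instead of calling printf() on the fetch path.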
> ===output when add many printf
> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> (XEN) HVM12: f 2
> (XEN) HVM12: f 9
> (XEN) HVM12: f 1
> (XEN) HVM12: f 2
> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> (XEN) HVM12: f 2
> (XEN) HVM12: f 9
> (XEN) HVM12: f 1
> (XEN) HVM12: f 2
> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> (XEN) HVM12: f 2
> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> (XEN) HVM12: Halt called from %eip 0xD3B4A
>
> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>> Hi, yes, it's crashed in fetch8. It's very slow after I add this print info.
>> The main function of fetch8 seems to be address(). It seems to have crashed in
>> address().
>>
>> (XEN) HVM7: after write16 of movw
>> (XEN) HVM7: top of opcode
>> (XEN) HVM7: Before fetch8
>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>> (XEN) HVM7: trapno D errno 0
>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>> (XEN) HVM7: uesp CFB4 uss 0
>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>> (XEN) HVM7:
>> (XEN) HVM7: Trap (0x6) while in real mode
>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>> (XEN) HVM7: trapno 6 errno 0
>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>> (XEN) HVM7: uesp 71F uss D76D4
>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>> (XEN) HVM7:
>> (XEN) HVM7: 0xd0800 is 0xFFFF
>> (XEN) HVM7: 0xd0804 is 0x7D8B
>> (XEN) HVM7: Halt called from %eip 0xD037C
>>
>>
>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>> How about trying:
>>> printf("Before fetch8\n");
>>> dump_regs(regs);
>>> opc = fetch8(regs);
>>> printf("After fetch8\n");
>>> switch (opc) { ...
>>>
>>> This will let you see what eip is being fetched from, and also confirm that
>>> the crash happens within fetch8().
>>>
>>> You could also try adding more printf()s inside fetch8() and address() to
>>> find out which specific bit of fetch8() is crashing (if that indeed the
>>> function that is crashing).
>>>
>>> -- Keir
>>>
>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>
>>>> Hi, Keir,
>>>> I made the change as you said:
>>>> change diff is:
>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>> static struct regs saved_rm_regs;
>>>>
>>>> #ifdef DEBUG
>>>> -int traceset = 0;
>>>> +int traceset = ~0;
>>>>
>>>> char *states[] = {
>>>> "<VM86_REAL>",
>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>> TRACE((regs, regs->eip - eip,
>>>> "movw %%%s, *0x%x", rnames[r], addr));
>>>> write16(addr, MASK16(val));
>>>> + printf("after write16 of movw\n");
>>>> }
>>>> return 1;
>>>>
>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>> unsigned eip = regs->eip;
>>>> unsigned opc, modrm, disp;
>>>> unsigned prefix = 0;
>>>> + printf("top of opcode\n");
>>>>
>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>> oldctx.cs_arbytes.fields.default_ops_size) {
>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>> if (trapno == 14)
>>>> printf("Page fault address 0x%x\n", get_cr2());
>>>> dump_regs(regs);
>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
>>>> halt();
>>>> }
>>>> }
>>>>
>>>>
>>>> here is the output:
>>>> (XEN) HVM6: top of opcode
>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>> (XEN) HVM6: top of opcode
>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>> (XEN) HVM6: after write16 of movw
>>>> (XEN) HVM6: top of opcode
>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
>>>> (XEN) HVM6: trapno 6 errno 0
>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM6:
>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>
>>>> objdump:
>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
>>>> d07f7: 89 f8 mov %edi,%eax
>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
>>>> d0807: 89 ec mov %ebp,%esp
>>>> d0809: c1 e0 04 shl $0x4,%eax
>>>> d080c: 01 d0 add %edx,%eax
>>>> d080e: 5d pop %ebp
>>>>
>>>> It seems the memory is correct; it crashed in opcode(),
>>>> and I think it's fetch8(regs) which crashes the system. I tried
>>>> fetch8(regs) in trap(), but it causes more traps and makes the hvm guest
>>>> reset.
>>>>
>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>
>>>>>> What would be useful is to try to add tracing to see how far vmxassist
>>>>>> gets
>>>>>> after its last line of tracing before the trap occurs. That last line is
>>>>>> currently from vm86.c, line 620. You might try adding extra printf()
>>>>>> statements immediately after the write16() on line 622, and also at the
>>>>>> top
>>>>>> of the opcode() function. We need to find out at what point vmxassist is
>>>>>> jumping to this bogus address d0800.
>>>>>
>>>>> Oh, another possibility is that vmxassist has been corrupted in memory.
>>>>> This
>>>>> is particularly likely because, according to the objdump, the
>>>>> 'instruction'
>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
>>>>>
>>>>> So, within trap() you might want to read say 16 bytes starting at 0xd0800
>>>>> and printf() them. So we can see if they match what objdump says should be
>>>>> there.
>>>>>
>>>>> -- Keir
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
^ permalink raw reply [flat|nested] 37+ messages in thread
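The segment:offset to linear translation that the quoted address() hunk performs, as an added stand-alone example. This is not vm86.c's code and not code from anyone in the thread: it reproduces the hunk's logic over a constructed two-entry GDT, with a `ctx` struct standing in for vmxassist's `mode` and `oldctx` globals and a host pointer in place of the guest_linear_to_phys()/cpuid_addr_value() GDT reads. The three mode names are the ones on the page; `VM86_PROTECTED`, the `translate()` wrapper and the GDT contents are assumptions of the example. The descriptor fields are decoded exactly as the hunk does (present bit 0x8000 and 4K-granularity bit 0x800000 of the high dword), and the two panic() paths return -1 instead.

```c
/* Added example, not vm86.c's code: the segment:offset -> linear translation
 * of vmxassist's address(), reproduced stand-alone with a constructed GDT.
 * The ctx struct stands in for the 'mode' and 'oldctx' globals. */
#include <stdint.h>
#include <stdio.h>

/* The first three names appear in the quoted hunk; VM86_PROTECTED is assumed. */
enum { VM86_REAL, VM86_REAL_TO_PROTECTED, VM86_PROTECTED_TO_REAL, VM86_PROTECTED };

struct ctx {
    int mode;
    uint32_t cs;            /* regs->cs at the time of the call */
    uint32_t gdtr_limit;    /* oldctx.gdtr_limit */
    const uint64_t *gdt;    /* GDT already mapped to a host pointer */
};

/* Constructed GDT: null, a 4G flat code segment (G=1, limit 0xFFFFF pages),
 * and a 64K byte-granular data segment based at 0x100000. */
const uint64_t gdt[] = {
    0x0000000000000000ull,
    0x00cf9a000000ffffull,  /* selector 0x08 */
    0x000092100000ffffull,  /* selector 0x10 */
};

/* Linear address for seg:off, or -1 where vm86.c would panic(). */
int64_t address(const struct ctx *c, uint32_t seg, uint32_t off)
{
    if (seg == 0) {
        if (c->mode == VM86_REAL || c->mode == VM86_REAL_TO_PROTECTED)
            return off;
        return -1;          /* "segment is zero, but not in real mode!" */
    }

    /* Real mode, a selector beyond the GDT limit, or the code segment during
     * the real-to-protected switch: plain (seg << 4) + off. */
    if (c->mode == VM86_REAL || seg > c->gdtr_limit ||
        (c->mode == VM86_REAL_TO_PROTECTED && c->cs == seg))
        return ((seg & 0xFFFF) << 4) + off;

    uint64_t entry = c->gdt[seg >> 3];
    uint32_t entry_low = (uint32_t)entry, entry_high = (uint32_t)(entry >> 32);
    uint32_t seg_base  = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
    uint32_t seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
    int present = (entry_high & 0x8000) != 0;
    int page_granular = (entry_high & 0x800000) != 0;

    if (present && ((page_granular && (off >> 12) <= seg_limit) ||
                    (!page_granular && off <= seg_limit)))
        return (int64_t)seg_base + off;
    return -1;              /* "should never reach here in function address()" */
}

/* Convenience wrapper over the constructed GDT above (assumed helper). */
int64_t translate(int mode, uint32_t cs, uint32_t seg, uint32_t off)
{
    struct ctx c = { mode, cs, (uint32_t)(sizeof(gdt) - 1), gdt };
    return address(&c, seg, off);
}

int main(void)
{
    /* The trace line "0x0000D71F: 0xD00:0x071F" is this real-mode computation. */
    printf("real 0xD00:0x071F  -> %llx\n", (long long)translate(VM86_REAL, 0xD00, 0xD00, 0x71F));
    printf("prot 0x08:0xd0800  -> %llx\n", (long long)translate(VM86_PROTECTED, 0x08, 0x08, 0xd0800));
    printf("prot 0x10:0x1234   -> %llx\n", (long long)translate(VM86_PROTECTED, 0x08, 0x10, 0x1234));
    printf("prot 0x10:0x10000  -> %lld (past the 64K limit)\n",
           (long long)translate(VM86_PROTECTED, 0x08, 0x10, 0x10000));
    printf("prot 0x20:0x10     -> %llx (selector beyond gdtr_limit)\n",
           (long long)translate(VM86_PROTECTED, 0x08, 0x20, 0x10));
    return 0;
}
```

The last case is worth noticing: the hunk treats a selector beyond `gdtr_limit` as a real-mode segment and returns `(seg << 4) + off` without complaint, so a bad selector in protected mode does not reach the panic() at the bottom.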
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 11:50 ` Keir Fraser
@ 2007-08-07 16:06 ` Brady Chen
2007-08-07 16:26 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-07 16:06 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Yes, the printfs are the only changes. Once I remove these prints, the
trap comes back, with the same EIP (D0800).
I tried keeping the first two printfs, and the trap comes with a different EIP (D19FD):
static unsigned
address(struct regs *regs, unsigned seg, unsigned off)
{
uint64_t gdt_phys_base;
unsigned long long entry;
unsigned seg_base, seg_limit;
unsigned entry_low, entry_high;
printf("f 1\n");
if (seg == 0) {
if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
return off;
else
panic("segment is zero, but not in real mode!\n");
}
printf("f 2\n");
xen dmesg output:
(XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM3: f 1
(XEN) HVM3: f 2
(XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
(XEN) HVM3: f 1
(XEN) HVM3: f 1
(XEN) HVM3: f 1
(XEN) HVM3: Trap (0x6) while in real mode
(XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
(XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
(XEN) HVM3: trapno 6 errno 0
(XEN) HVM3: eip D19FD cs 10 eflags 13046
(XEN) HVM3: uesp CFAE uss 0
(XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
(XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM3:
(XEN) HVM3: Halt called from %eip 0xD037C
and the objdump shows that:
000d1970 <interrupt>:
d1970: 55 push %ebp
d1971: 89 e5 mov %esp,%ebp
d1973: 57 push %edi
d1974: 89 d7 mov %edx,%edi
d1976: 56 push %esi
....
d19f8: 66 89 30 mov %si,(%eax)
d19fb: 31 d2 xor %edx,%edx
d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
d1a0b: 89 d8 mov %ebx,%eax
d1a0d: 89 34 24 mov %esi,(%esp)
On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> Very weird. The emulations now aren't at the same address as before either
> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> printf()s -- is it at all possible that the guest is executing down a
> different path here for other reasons? If it's really down to the printf()s
> then I guess you'll have to shuffle/remove printf()s to get the old
> behaviour back.
>
> -- Keir
>
> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > It's strange:
> > if I add these prints, I get "Unknown opcode", not "trap".
> > ===added printf
> > [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> > diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> > --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> > +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> > @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> > static struct regs saved_rm_regs;
> >
> > #ifdef DEBUG
> > -int traceset = 0;
> > +int traceset = ~0;
> >
> > char *states[] = {
> > "<VM86_REAL>",
> > @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> > unsigned seg_base, seg_limit;
> > unsigned entry_low, entry_high;
> >
> > + printf("f 1\n");
> > if (seg == 0) {
> > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> > return off;
> > @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> > panic("segment is zero, but not in real mode!\n");
> > }
> >
> > + printf("f 2\n");
> > if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> > (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> > return ((seg & 0xFFFF) << 4) + off;
> >
> > + printf("f 3\n");
> > gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> > + printf("f 4\n");
> > if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> > + printf("f 5\n");
> > printf("gdt base address above 4G\n");
> > cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
> > } else
> > @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> > seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
> > seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >
> > + printf("f 6\n");
> > if (entry_high & 0x8000 &&
> > ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> > (!(entry_high & 0x800000) && off <= seg_limit)))
> > return seg_base + off;
> > + printf("f 7\n");
> >
> > panic("should never reach here in function address():\n\t"
> > "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
> > entry_high, entry_low, mode, seg, off);
> > + printf("f 8\n");
> >
> > return 0;
> > }
> > @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> > unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> >
> > regs->eip++;
> > + printf("f 9\n");
> > return read8(addr);
> > }
> >
> > ===output when add many printf
> > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> > (XEN) HVM12: f 2
> > (XEN) HVM12: f 9
> > (XEN) HVM12: f 1
> > (XEN) HVM12: f 2
> > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> > (XEN) HVM12: f 2
> > (XEN) HVM12: f 9
> > (XEN) HVM12: f 1
> > (XEN) HVM12: f 2
> > (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> > (XEN) HVM12: f 2
> > (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> > (XEN) HVM12: Halt called from %eip 0xD3B4A
> >
> > On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >> Hi, yes, it's crashed in fetch8. It's very slow after I add this print info.
> >> The main function of fetch8 seems to be address(). It seems to have crashed in
> >> address().
> >>
> >> (XEN) HVM7: after write16 of movw
> >> (XEN) HVM7: top of opcode
> >> (XEN) HVM7: Before fetch8
> >> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >> (XEN) HVM7: trapno D errno 0
> >> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >> (XEN) HVM7: uesp CFB4 uss 0
> >> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >> (XEN) HVM7:
> >> (XEN) HVM7: Trap (0x6) while in real mode
> >> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >> (XEN) HVM7: trapno 6 errno 0
> >> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >> (XEN) HVM7: uesp 71F uss D76D4
> >> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >> (XEN) HVM7:
> >> (XEN) HVM7: 0xd0800 is 0xFFFF
> >> (XEN) HVM7: 0xd0804 is 0x7D8B
> >> (XEN) HVM7: Halt called from %eip 0xD037C
> >>
> >>
> >> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>> How about trying:
> >>> printf("Before fetch8\n");
> >>> dump_regs(regs);
> >>> opc = fetch8(regs);
> >>> printf("After fetch8\n");
> >>> switch (opc) { ...
> >>>
> >>> This will let you see what eip is being fetched from, and also confirm that
> >>> the crash happens within fetch8().
> >>>
> >>> You could also try adding more printf()s inside fetch8() and address() to
> >>> find out which specific bit of fetch8() is crashing (if that indeed the
> >>> function that is crashing).
> >>>
> >>> -- Keir
> >>>
> >>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>
> >>>> Hi, Keir,
> >>>> I made the change as you said:
> >>>> change diff is:
> >>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> >>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>> static struct regs saved_rm_regs;
> >>>>
> >>>> #ifdef DEBUG
> >>>> -int traceset = 0;
> >>>> +int traceset = ~0;
> >>>>
> >>>> char *states[] = {
> >>>> "<VM86_REAL>",
> >>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>> TRACE((regs, regs->eip - eip,
> >>>> "movw %%%s, *0x%x", rnames[r], addr));
> >>>> write16(addr, MASK16(val));
> >>>> + printf("after write16 of movw\n");
> >>>> }
> >>>> return 1;
> >>>>
> >>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>> unsigned eip = regs->eip;
> >>>> unsigned opc, modrm, disp;
> >>>> unsigned prefix = 0;
> >>>> + printf("top of opcode\n");
> >>>>
> >>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>> oldctx.cs_arbytes.fields.default_ops_size) {
> >>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>> if (trapno == 14)
> >>>> printf("Page fault address 0x%x\n", get_cr2());
> >>>> dump_regs(regs);
> >>>> + printf("0xd0800 is 0x%0x\n", *((unsigned short*)0xd0800));
> >>>> + printf("0xd0804 is 0x%0x\n", *((unsigned short*)0xd0804));
> >>>> halt();
> >>>> }
> >>>> }
> >>>>
> >>>>
> >>>> here is the output:
> >>>> (XEN) HVM6: top of opcode
> >>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>> (XEN) HVM6: top of opcode
> >>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>> (XEN) HVM6: after write16 of movw
> >>>> (XEN) HVM6: top of opcode
> >>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> >>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> >>>> (XEN) HVM6: trapno 6 errno 0
> >>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> >>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM6:
> >>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>
> >>>> objdump:
> >>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>> d07f7: 89 f8 mov %edi,%eax
> >>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>> d0807: 89 ec mov %ebp,%esp
> >>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>> d080c: 01 d0 add %edx,%eax
> >>>> d080e: 5d pop %ebp
> >>>>
> >>>> It seems the memory is correct; it crashed in opcode(),
> >>>> and I think it's fetch8(regs) which crashes the system. I tried
> >>>> fetch8(regs) in trap(), but it causes more traps and makes the hvm guest
> >>>> reset.
> >>>>
> >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>
> >>>>>> What would be useful is to try to add tracing to see how far vmxassist
> >>>>>> gets
> >>>>>> after its last line of tracing before the trap occurs. That last line is
> >>>>>> currently from vm86.c, line 620. You might try adding extra printf()
> >>>>>> statements immediately after the write16() on line 622, and also at the
> >>>>>> top
> >>>>>> of the opcode() function. We need to find out at what point vmxassist is
> >>>>>> jumping to this bogus address d0800.
> >>>>>
> >>>>> Oh, another possibility is that vmxassist has been corrupted in memory.
> >>>>> This
> >>>>> is particularly likely because, according to the objdump, the
> >>>>> 'instruction'
> >>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> >>>>>
> >>>>> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> >>>>> and printf() them. So we can see if they match what objdump says should be
> >>>>> there.
> >>>>>
> >>>>> -- Keir
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>
> >
>
>
^ permalink raw reply [flat|nested] 37+ messages in thread
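The two faulting EIPs in this thread, checked against the objdump listings quoted above, as an added example (this is not vmxassist code and not code from anyone in the thread). The listing array is transcribed from the quoted objdump lines; bytes the listing does not cover are treated as unmapped, and the function names (`containing_insn`, `on_boundary`, `peek`, `read16le`, `hexdump`, `ud_at`) are the example's own. For 0xD0800 it shows the address is mid-instruction and that the bytes there decode as the undefined `ff /7` encoding, which raises #UD (trap 6) on its own; for 0xD19FD it shows the address is the start of a valid `lea`, so a trap 6 there is not explained by the listed code bytes unless memory no longer matches them. It also reproduces the two 16-bit reads that trap() printed and the 16-byte dump that was asked for.

```c
/* Added example, not vmxassist code: check a faulting EIP against a known-good
 * objdump listing.  The listing is transcribed from the thread; any byte it
 * does not cover is treated as unmapped. */
#include <stdint.h>
#include <stdio.h>

struct insn { uint32_t addr; int len; uint8_t bytes[8]; };
static const struct insn listing[] = {
    { 0xd07ef, 5, {0xe9,0x2f,0xff,0xff,0xff} },          /* tail of address(): jmp d0723 */
    { 0xd07f4, 3, {0x8b,0x55,0x08} },
    { 0xd07f7, 2, {0x89,0xf8} },
    { 0xd07f9, 3, {0x8b,0x5d,0xf4} },
    { 0xd07fc, 3, {0x8b,0x75,0xf8} },
    { 0xd07ff, 5, {0x25,0xff,0xff,0x00,0x00} },          /* and $0xffff,%eax */
    { 0xd0804, 3, {0x8b,0x7d,0xfc} },
    { 0xd0807, 2, {0x89,0xec} },
    { 0xd0809, 3, {0xc1,0xe0,0x04} },
    { 0xd080c, 2, {0x01,0xd0} },
    { 0xd080e, 1, {0x5d} },
    { 0xd19f8, 3, {0x66,0x89,0x30} },                    /* middle of interrupt() */
    { 0xd19fb, 2, {0x31,0xd2} },
    { 0xd19fd, 7, {0x8d,0x34,0xbd,0x00,0x00,0x00,0x00} }, /* lea 0x0(,%edi,4),%esi */
    { 0xd1a04, 7, {0x81,0x63,0x30,0xff,0xfd,0xff,0xff} },
    { 0xd1a0b, 2, {0x89,0xd8} },
    { 0xd1a0d, 3, {0x89,0x34,0x24} },
};
#define NINSN ((int)(sizeof(listing) / sizeof(listing[0])))

/* Listed instruction whose bytes cover addr, or NULL if addr is not listed. */
const struct insn *containing_insn(uint32_t addr)
{
    for (int i = 0; i < NINSN; i++)
        if (addr >= listing[i].addr && addr < listing[i].addr + listing[i].len)
            return &listing[i];
    return NULL;
}

/* 1 if addr is the first byte of a listed instruction. */
int on_boundary(uint32_t addr)
{
    const struct insn *in = containing_insn(addr);
    return in != NULL && in->addr == addr;
}

/* Copy up to n contiguous listed bytes from addr into out; returns the count. */
int peek(uint32_t addr, uint8_t *out, int n)
{
    int got = 0;
    for (const struct insn *in = NULL; got < n && (in = containing_insn(addr + got)) != NULL; got++)
        out[got] = in->bytes[addr + got - in->addr];
    return got;
}

/* Little-endian 16-bit read, as *(unsigned short *)addr in trap() sees it;
 * -1 if the listing does not cover both bytes. */
int read16le(uint32_t addr)
{
    uint8_t b[2];
    return peek(addr, b, 2) == 2 ? (b[0] | (b[1] << 8)) : -1;
}

/* The 16-byte dump that was asked for: prints it and returns the byte count. */
int hexdump(uint32_t addr, int n)
{
    uint8_t b[64];
    int got = peek(addr, b, n > 64 ? 64 : n);
    printf("%05x:", (unsigned)addr);
    for (int i = 0; i < got; i++)
        printf(" %02x", b[i]);
    printf("\n");
    return got;
}

/* Opcode 0xFF is "group 5": the ModRM reg field picks the operation and /7 is
 * the one undefined slot, which raises #UD (trap 6).  1 if the instruction
 * that starts at addr is that encoding. */
int ud_at(uint32_t addr)
{
    uint8_t b[2];
    return peek(addr, b, 2) == 2 && b[0] == 0xff && ((b[1] >> 3) & 7) == 7;
}

int main(void)
{
    const uint32_t eips[] = { 0xd0800, 0xd19fd };   /* the two trap-6 EIPs reported */
    for (int i = 0; i < 2; i++) {
        const struct insn *in = containing_insn(eips[i]);
        printf("eip %05x: %s (insn starts at %05x), %s\n", (unsigned)eips[i],
               on_boundary(eips[i]) ? "on boundary" : "mid-instruction",
               in != NULL ? (unsigned)in->addr : 0u,
               ud_at(eips[i]) ? "decodes as ff /7 -> #UD" : "not ff /7");
        hexdump(eips[i], 16);
    }
    printf("read16 d0800=%04x d0804=%04x\n", read16le(0xd0800), read16le(0xd0804));
    return 0;
}
```

`ud_at()` only knows the one undefined slot of opcode group 5 that matters here; it is not a general decoder. The same boundary check works for any trap whose EIP looks "bogus": if the address falls inside an instruction of a known-good image, the question is the control transfer (a corrupt return address or frame), not the instruction that was emulated last.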
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 16:06 ` Brady Chen
@ 2007-08-07 16:26 ` Keir Fraser
2007-08-08 7:37 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-07 16:26 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Stack corruption/overflow, possibly?
K.
On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> Yes, the printfs are the only changes. Once I remove these prints, the
> trap comes back, with the same EIP (D0800).
>
> I tried keeping the first two printfs, and the trap comes with a different
> EIP (D19FD):
> static unsigned
> address(struct regs *regs, unsigned seg, unsigned off)
> {
> uint64_t gdt_phys_base;
> unsigned long long entry;
> unsigned seg_base, seg_limit;
> unsigned entry_low, entry_high;
>
> printf("f 1\n");
> if (seg == 0) {
> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> return off;
> else
> panic("segment is zero, but not in real mode!\n");
> }
>
> printf("f 2\n");
>
> xen dmesg output:
> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> (XEN) HVM3: f 1
> (XEN) HVM3: f 2
> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> (XEN) HVM3: f 1
> (XEN) HVM3: f 1
> (XEN) HVM3: f 1
> (XEN) HVM3: Trap (0x6) while in real mode
> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> (XEN) HVM3: trapno 6 errno 0
> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> (XEN) HVM3: uesp CFAE uss 0
> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> (XEN) HVM3:
> (XEN) HVM3: Halt called from %eip 0xD037C
>
>
> and the objdump shows that:
> 000d1970 <interrupt>:
> d1970: 55 push %ebp
> d1971: 89 e5 mov %esp,%ebp
> d1973: 57 push %edi
> d1974: 89 d7 mov %edx,%edi
> d1976: 56 push %esi
> ....
> d19f8: 66 89 30 mov %si,(%eax)
> d19fb: 31 d2 xor %edx,%edx
> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> d1a0b: 89 d8 mov %ebx,%eax
> d1a0d: 89 34 24 mov %esi,(%esp)
>
>
> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>> Very weird. The emulations now aren't at the same address as before either
>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
>> printf()s -- is it at all possible that the guest is executing down a
>> different path here for other reasons? If it's really down to the printf()s
>> then I guess you'll have to shuffle/remove printf()s to get the old
>> behaviour back.
>>
>> -- Keir
>>
>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> It's strange:
>>> if I add these prints, I get "Unknown opcode", not "trap".
>>> ===added printf
>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>> static struct regs saved_rm_regs;
>>>
>>> #ifdef DEBUG
>>> -int traceset = 0;
>>> +int traceset = ~0;
>>>
>>> char *states[] = {
>>> "<VM86_REAL>",
>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
>>> unsigned seg_base, seg_limit;
>>> unsigned entry_low, entry_high;
>>>
>>> + printf("f 1\n");
>>> if (seg == 0) {
>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>> return off;
>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
>>> panic("segment is zero, but not in real mode!\n");
>>> }
>>>
>>> + printf("f 2\n");
>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
>>> return ((seg & 0xFFFF) << 4) + off;
>>>
>>> + printf("f 3\n");
>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
>>> + printf("f 4\n");
>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
>>> + printf("f 5\n");
>>> printf("gdt base address above 4G\n");
>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
>>> } else
>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
>>>
>>> + printf("f 6\n");
>>> if (entry_high & 0x8000 &&
>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
>>> (!(entry_high & 0x800000) && off <= seg_limit)))
>>> return seg_base + off;
>>> + printf("f 7\n");
>>>
>>> panic("should never reach here in function address():\n\t"
>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
>>> entry_high, entry_low, mode, seg, off);
>>> + printf("f 8\n");
>>>
>>> return 0;
>>> }
>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>>>
>>> regs->eip++;
>>> + printf("f 9\n");
>>> return read8(addr);
>>> }
>>>
>>> ===output when add many printf
>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
>>> (XEN) HVM12: f 2
>>> (XEN) HVM12: f 9
>>> (XEN) HVM12: f 1
>>> (XEN) HVM12: f 2
>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
>>> (XEN) HVM12: f 2
>>> (XEN) HVM12: f 9
>>> (XEN) HVM12: f 1
>>> (XEN) HVM12: f 2
>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
>>> (XEN) HVM12: f 2
>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
>>>
>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>> Hi, yes, it's crashed in fetch8. It's very slow after I add this print
>>>> info.
>>>> The main function of fetch8 seems to be address(). It seems to have crashed in
>>>> address().
>>>>
>>>> (XEN) HVM7: after write16 of movw
>>>> (XEN) HVM7: top of opcode
>>>> (XEN) HVM7: Before fetch8
>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>>>> (XEN) HVM7: trapno D errno 0
>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>>>> (XEN) HVM7: uesp CFB4 uss 0
>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM7:
>>>> (XEN) HVM7: Trap (0x6) while in real mode
>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>>>> (XEN) HVM7: trapno 6 errno 0
>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>>>> (XEN) HVM7: uesp 71F uss D76D4
>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM7:
>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
>>>> (XEN) HVM7: Halt called from %eip 0xD037C
>>>>
>>>>
>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>> How about trying:
>>>>> printf("Before fetch8\n");
>>>>> dump_regs(regs);
>>>>> opc = fetch8(regs);
>>>>> printf("After fetch8\n");
>>>>> switch (opc) { ...
>>>>>
>>>>> This will let you see what eip is being fetched from, and also confirm
>>>>> that
>>>>> the crash happens within fetch8().
>>>>>
>>>>> You could also try adding more printf()s inside fetch8() and address() to
>>>>> find out which specific bit of fetch8() is crashing (if that indeed the
>>>>> function that is crashing).
>>>>>
>>>>> -- Keir
>>>>>
>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>
>>>>>> Hi, Keir,
>>>>>> I made the change as you said:
>>>>>> change diff is:
>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>> static struct regs saved_rm_regs;
>>>>>>
>>>>>> #ifdef DEBUG
>>>>>> -int traceset = 0;
>>>>>> +int traceset = ~0;
>>>>>>
>>>>>> char *states[] = {
>>>>>> "<VM86_REAL>",
>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>>>> TRACE((regs, regs->eip - eip,
>>>>>> "movw %%%s, *0x%x", rnames[r], addr));
>>>>>> write16(addr, MASK16(val));
>>>>>> + printf("after write16 of movw\n");
>>>>>> }
>>>>>> return 1;
>>>>>>
>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>>>> unsigned eip = regs->eip;
>>>>>> unsigned opc, modrm, disp;
>>>>>> unsigned prefix = 0;
>>>>>> + printf("top of opcode\n");
>>>>>>
>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>>>> if (trapno == 14)
>>>>>> printf("Page fault address 0x%x\n", get_cr2());
>>>>>> dump_regs(regs);
>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
>>>>>> short*)0xd0800));
>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
>>>>>> short*)0xd0804));
>>>>>> halt();
>>>>>> }
>>>>>> }
>>>>>>
>>>>>>
>>>>>> here is the output:
>>>>>> (XEN) HVM6: top of opcode
>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>> (XEN) HVM6: top of opcode
>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>>>> (XEN) HVM6: after write16 of movw
>>>>>> (XEN) HVM6: top of opcode
>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx
>>>>>> 71E
>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi
>>>>>> D00
>>>>>> (XEN) HVM6: trapno 6 errno 0
>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs
>>>>>> D75B4
>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4
>>>>>> 651
>>>>>> (XEN) HVM6:
>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>>>
>>>>>> objdump:
>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
>>>>>> d07f7: 89 f8 mov %edi,%eax
>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
>>>>>> d0807: 89 ec mov %ebp,%esp
>>>>>> d0809: c1 e0 04 shl $0x4,%eax
>>>>>> d080c: 01 d0 add %edx,%eax
>>>>>> d080e: 5d pop %ebp
>>>>>>
>>>>>> Seems the memory is correct; it crashed in opcode(),
>>>>>> and I think it's fetch8(regs) that crashes the system. I tried
>>>>>> fetch8(regs) in trap(), but it causes more traps and makes the HVM guest
>>>>>> reset.
>>>>>>
>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>>>
>>>>>>>> What would be useful is to try to add tracing to see how far vmxassist
>>>>>>>> gets
>>>>>>>> after its last line of tracing before the trap occurs. That last line
>>>>>>>> is
>>>>>>>> currently from vm86.c, line 620. You might try adding extra printf()
>>>>>>>> statements immediately after the write16() on line 622, and also at the
>>>>>>>> top
>>>>>>>> of the opcode() function. We need to find out at what point vmxassist
>>>>>>>> is
>>>>>>>> jumping to this bogus address d0800.
>>>>>>>
>>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory.
>>>>>>> This
>>>>>>> is particularly likely because, according to the objdump, the
>>>>>>> 'instruction'
>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
>>>>>>>
>>>>>>> So, within trap() you might want to read say 16 bytes starting at
>>>>>>> 0xd0800
>>>>>>> and printf() them. So we can see if they match what objdump says should
>>>>>>> be
>>>>>>> there.
>>>>>>>
>>>>>>> -- Keir
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Xen-devel mailing list
>>>>>> Xen-devel@lists.xensource.com
>>>>>> http://lists.xensource.com/xen-devel
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-07 16:26 ` Keir Fraser
@ 2007-08-08 7:37 ` Brady Chen
2007-08-08 8:25 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 7:37 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
It's possible.
Any ideas on how to trace the function stack of a Xen guest, like the "bt" command in gdb?
I did some analysis:
1. The call flow is opcode() -> fetch8() -> address().
2. Only the printf in address() changes the behaviour of the crash.
3. The crash EIP (0xD0800) is inside address(), according to the objdump.
4. address() is invoked more than 40,000 times in one
simulation before the crash.
5. There seems to be no recursive invocation among opcode(), fetch8() and address().
6. From the output of "xen dmesg", an instruction sequence is simulated
several times before the crash (see the "xen dmesg" output in the
previous mails I sent).
7. Before the trap, the simulated instruction is "movw %ax, *0xD07FE",
and 0xD07FE is exactly the address of address() (see the objdump output
in the previous mails too), so I think it's the simulation that
corrupts the memory of address().
On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Stack corruption/overflow, possibly?
>
> K.
>
> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Yes, the printfs are the only changes. Once I remove these prints, the
> > trap comes back with the same EIP (D0800).
> >
> > I tried keeping only the first two printfs; the trap then comes with a different
> > EIP (D19FD):
> > static unsigned
> > address(struct regs *regs, unsigned seg, unsigned off)
> > {
> > uint64_t gdt_phys_base;
> > unsigned long long entry;
> > unsigned seg_base, seg_limit;
> > unsigned entry_low, entry_high;
> >
> > printf("f 1\n");
> > if (seg == 0) {
> > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> > return off;
> > else
> > panic("segment is zero, but not in real mode!\n");
> > }
> >
> > printf("f 2\n");
> >
> > xen dmesg output:
> > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > (XEN) HVM3: f 1
> > (XEN) HVM3: f 2
> > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> > (XEN) HVM3: f 1
> > (XEN) HVM3: f 1
> > (XEN) HVM3: f 1
> > (XEN) HVM3: Trap (0x6) while in real mode
> > (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> > (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> > (XEN) HVM3: trapno 6 errno 0
> > (XEN) HVM3: eip D19FD cs 10 eflags 13046
> > (XEN) HVM3: uesp CFAE uss 0
> > (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> > (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> > (XEN) HVM3:
> > (XEN) HVM3: Halt called from %eip 0xD037C
> >
> >
> > and the objdump shows that:
> > 000d1970 <interrupt>:
> > d1970: 55 push %ebp
> > d1971: 89 e5 mov %esp,%ebp
> > d1973: 57 push %edi
> > d1974: 89 d7 mov %edx,%edi
> > d1976: 56 push %esi
> > ....
> > d19f8: 66 89 30 mov %si,(%eax)
> > d19fb: 31 d2 xor %edx,%edx
> > d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> > d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> > d1a0b: 89 d8 mov %ebx,%eax
> > d1a0d: 89 34 24 mov %esi,(%esp)
> >
> >
> > On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >> Very weird. The emulations now aren't at the same address as before either
> >> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> >> printf()s -- is it at all possible that the guest is executing down a
> >> different path here for other reasons? If it's really down to the printf()s
> >> then I guess you'll have to shuffle/remove printf()s to get the old
> >> behaviour back.
> >>
> >> -- Keir
> >>
> >> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> It's strange:
> >>> if I add these prints, I get "Unknown opcode", not "trap".
> >>> ===added printf
> >>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> >>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>> static struct regs saved_rm_regs;
> >>>
> >>> #ifdef DEBUG
> >>> -int traceset = 0;
> >>> +int traceset = ~0;
> >>>
> >>> char *states[] = {
> >>> "<VM86_REAL>",
> >>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> >>> unsigned seg_base, seg_limit;
> >>> unsigned entry_low, entry_high;
> >>>
> >>> + printf("f 1\n");
> >>> if (seg == 0) {
> >>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>> return off;
> >>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> >>> panic("segment is zero, but not in real mode!\n");
> >>> }
> >>>
> >>> + printf("f 2\n");
> >>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> >>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> >>> return ((seg & 0xFFFF) << 4) + off;
> >>>
> >>> + printf("f 3\n");
> >>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> >>> + printf("f 4\n");
> >>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> >>> + printf("f 5\n");
> >>> printf("gdt base address above 4G\n");
> >>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
> >>> } else
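Review bot: in the @@ -135 hunk, `printf("f 5\n")` is placed directly before the existing `printf("gdt base address above 4G\n")` and so adds nothing; drop it. What would help at this point is printing the operands of the early return, `mode`, `seg` and `oldctx.gdtr_limit`, because the output below shows every call leaving address() between `f 2` and `f 3` and never reaching the GDT lookup.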
> >>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> >>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
> >>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >>>
> >>> + printf("f 6\n");
> >>> if (entry_high & 0x8000 &&
> >>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> >>> (!(entry_high & 0x800000) && off <= seg_limit)))
> >>> return seg_base + off;
> >>> + printf("f 7\n");
> >>>
> >>> panic("should never reach here in function address():\n\t"
> >>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
> >>> entry_high, entry_low, mode, seg, off);
> >>> + printf("f 8\n");
> >>>
> >>> return 0;
> >>> }
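Review bot: `printf("f 8\n")` after panic() in the @@ -152 hunk is unreachable if panic() halts, as the "should never reach here" message implies, so it can never fire. More important, these printfs sit on the hot path of address(), which fetch8() calls for every byte fetched, and the reply shows the failure mode moving from the trap at 0xD0800 to "Unknown opcode" at 0xD4C3 once they are in place; for a function called this often, a counter or a small ring buffer of (seg, off) pairs dumped from trap() perturbs the run far less than a per-call printf.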
> >>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> >>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> >>>
> >>> regs->eip++;
> >>> + printf("f 9\n");
> >>> return read8(addr);
> >>> }
> >>>
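Review bot: the `f 9` printf in the fetch8() hunk fires after address() has returned but discards its value. Printing `regs->eip` and `addr` on that line, e.g. `printf("f 9 eip=0x%x addr=0x%x\n", regs->eip, addr);`, ties each fetch to a linear address and would show at once when fetches move into the 0xd0000 region where vmxassist itself is loaded.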
> >>> ===output when add many printf
> >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> >>> (XEN) HVM12: f 2
> >>> (XEN) HVM12: f 9
> >>> (XEN) HVM12: f 1
> >>> (XEN) HVM12: f 2
> >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> >>> (XEN) HVM12: f 2
> >>> (XEN) HVM12: f 9
> >>> (XEN) HVM12: f 1
> >>> (XEN) HVM12: f 2
> >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> >>> (XEN) HVM12: f 2
> >>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> >>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> >>>
> >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print
> >>>> info.
> >>>> The main function of fetch8 seems to be address(); it seems to have crashed in
> >>>> address().
> >>>>
> >>>> (XEN) HVM7: after write16 of movw
> >>>> (XEN) HVM7: top of opcode
> >>>> (XEN) HVM7: Before fetch8
> >>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >>>> (XEN) HVM7: trapno D errno 0
> >>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >>>> (XEN) HVM7: uesp CFB4 uss 0
> >>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM7:
> >>>> (XEN) HVM7: Trap (0x6) while in real mode
> >>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >>>> (XEN) HVM7: trapno 6 errno 0
> >>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >>>> (XEN) HVM7: uesp 71F uss D76D4
> >>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM7:
> >>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> >>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> >>>> (XEN) HVM7: Halt called from %eip 0xD037C
> >>>>
> >>>>
> >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>> How about trying:
> >>>>> printf("Before fetch8\n");
> >>>>> dump_regs(regs);
> >>>>> opc = fetch8(regs);
> >>>>> printf("After fetch8\n");
> >>>>> switch (opc) { ...
> >>>>>
> >>>>> This will let you see what eip is being fetched from, and also confirm
> >>>>> that
> >>>>> the crash happens within fetch8().
> >>>>>
> >>>>> You could also try adding more printf()s inside fetch8() and address() to
> >>>>> find out which specific bit of fetch8() is crashing (if that is indeed the
> >>>>> function that is crashing).
> >>>>>
> >>>>> -- Keir
> >>>>>
> >>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>
> >>>>>> Hi Keir,
> >>>>>> I made the change as you said; the diff is:
> >>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>> static struct regs saved_rm_regs;
> >>>>>>
> >>>>>> #ifdef DEBUG
> >>>>>> -int traceset = 0;
> >>>>>> +int traceset = ~0;
> >>>>>>
> >>>>>> char *states[] = {
> >>>>>> "<VM86_REAL>",
> >>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>>>> TRACE((regs, regs->eip - eip,
> >>>>>> "movw %%%s, *0x%x", rnames[r], addr));
> >>>>>> write16(addr, MASK16(val));
> >>>>>> + printf("after write16 of movw\n");
> >>>>>> }
> >>>>>> return 1;
> >>>>>>
> >>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>>>> unsigned eip = regs->eip;
> >>>>>> unsigned opc, modrm, disp;
> >>>>>> unsigned prefix = 0;
> >>>>>> + printf("top of opcode\n");
> >>>>>>
> >>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
> >>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>>>> if (trapno == 14)
> >>>>>> printf("Page fault address 0x%x\n", get_cr2());
> >>>>>> dump_regs(regs);
> >>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> >>>>>> short*)0xd0800));
> >>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> >>>>>> short*)0xd0804));
> >>>>>> halt();
> >>>>>> }
> >>>>>> }
> >>>>>>
> >>>>>>
> >>>>>> here is the output:
> >>>>>> (XEN) HVM6: top of opcode
> >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>> (XEN) HVM6: top of opcode
> >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>>>> (XEN) HVM6: after write16 of movw
> >>>>>> (XEN) HVM6: top of opcode
> >>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx
> >>>>>> 71E
> >>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi
> >>>>>> D00
> >>>>>> (XEN) HVM6: trapno 6 errno 0
> >>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs
> >>>>>> D75B4
> >>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4
> >>>>>> 651
> >>>>>> (XEN) HVM6:
> >>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>>>
> >>>>>> objdump:
> >>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>>>> d07f7: 89 f8 mov %edi,%eax
> >>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>>>> d0807: 89 ec mov %ebp,%esp
> >>>>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>>>> d080c: 01 d0 add %edx,%eax
> >>>>>> d080e: 5d pop %ebp
> >>>>>>
> >>>>>> Seems the memory is correct; it crashed in opcode(),
> >>>>>> and I think it's fetch8(regs) that crashes the system. I tried
> >>>>>> fetch8(regs) in trap(), but it causes more traps and makes the HVM guest
> >>>>>> reset.
> >>>>>>
> >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>>>
> >>>>>>>> What would be useful is to try to add tracing to see how far vmxassist
> >>>>>>>> gets
> >>>>>>>> after its last line of tracing before the trap occurs. That last line
> >>>>>>>> is
> >>>>>>>> currently from vm86.c, line 620. You might try adding extra printf()
> >>>>>>>> statements immediately after the write16() on line 622, and also at the
> >>>>>>>> top
> >>>>>>>> of the opcode() function. We need to find out at what point vmxassist
> >>>>>>>> is
> >>>>>>>> jumping to this bogus address d0800.
> >>>>>>>
> >>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory.
> >>>>>>> This
> >>>>>>> is particularly likely because, according to the objdump, the
> >>>>>>> 'instruction'
> >>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> >>>>>>>
> >>>>>>> So, within trap() you might want to read say 16 bytes starting at
> >>>>>>> 0xd0800
> >>>>>>> and printf() them. So we can see if they match what objdump says should
> >>>>>>> be
> >>>>>>> there.
> >>>>>>>
> >>>>>>> -- Keir
> >>>>>>>
> >>>>>>>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 7:37 ` Brady Chen
@ 2007-08-08 8:25 ` Brady Chen
2007-08-08 8:41 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 8:25 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi Keir,
I think the 7th issue I mentioned is the root cause, so I have a question.
For real-mode simulation, is the simulator running in the same address space
as the code to be simulated? If so, how is the simulator protected from
being modified by the code it simulates?
Can I change the address of vmxassist to a higher address, just to give
more space to the Windows code being simulated?
On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> It's possible.
> Any ideas on how to trace the function stack of a Xen guest, like the "bt" command in gdb?
>
> I did some analysis:
> 1. The call flow is opcode() -> fetch8() -> address().
> 2. Only the printf in address() changes the behaviour of the crash.
> 3. The crash EIP (0xD0800) is inside address(), according to the objdump.
> 4. address() is invoked more than 40,000 times in one
> simulation before the crash.
> 5. There seems to be no recursive invocation among opcode(), fetch8() and address().
> 6. From the output of "xen dmesg", an instruction sequence is simulated
> several times before the crash (see the "xen dmesg" output in the
> previous mails I sent).
> 7. Before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> and 0xD07FE is exactly the address of address() (see the objdump output
> in the previous mails too), so I think it's the simulation that
> corrupts the memory of address().
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> > Stack corruption/overflow, possibly?
> >
> > K.
> >
> > On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >
> > > Yes, the printfs are the only changes. Once I remove these prints, the
> > > trap comes back with the same EIP (D0800).
> > >
> > > I tried keeping only the first two printfs; the trap then comes with a different
> > > EIP (D19FD):
> > > static unsigned
> > > address(struct regs *regs, unsigned seg, unsigned off)
> > > {
> > > uint64_t gdt_phys_base;
> > > unsigned long long entry;
> > > unsigned seg_base, seg_limit;
> > > unsigned entry_low, entry_high;
> > >
> > > printf("f 1\n");
> > > if (seg == 0) {
> > > if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> > > return off;
> > > else
> > > panic("segment is zero, but not in real mode!\n");
> > > }
> > >
> > > printf("f 2\n");
> > >
> > > xen dmesg output:
> > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 2
> > > (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: f 1
> > > (XEN) HVM3: Trap (0x6) while in real mode
> > > (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> > > (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> > > (XEN) HVM3: trapno 6 errno 0
> > > (XEN) HVM3: eip D19FD cs 10 eflags 13046
> > > (XEN) HVM3: uesp CFAE uss 0
> > > (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> > > (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> > > (XEN) HVM3:
> > > (XEN) HVM3: Halt called from %eip 0xD037C
> > >
> > >
> > > and the objdump shows that:
> > > 000d1970 <interrupt>:
> > > d1970: 55 push %ebp
> > > d1971: 89 e5 mov %esp,%ebp
> > > d1973: 57 push %edi
> > > d1974: 89 d7 mov %edx,%edi
> > > d1976: 56 push %esi
> > > ....
> > > d19f8: 66 89 30 mov %si,(%eax)
> > > d19fb: 31 d2 xor %edx,%edx
> > > d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> > > d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> > > d1a0b: 89 d8 mov %ebx,%eax
> > > d1a0d: 89 34 24 mov %esi,(%esp)
> > >
> > >
> > > On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > >> Very weird. The emulations now aren't at the same address as before either
> > >> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> > >> printf()s -- is it at all possible that the guest is executing down a
> > >> different path here for other reasons? If it's really down to the printf()s
> > >> then I guess you'll have to shuffle/remove printf()s to get the old
> > >> behaviour back.
> > >>
> > >> -- Keir
> > >>
> > >> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> > >>
> > >>> It's strange:
> > >>> if I add these prints, I get "Unknown opcode", not "trap".
> > >>> ===added printf
> > >>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> > >>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> > >>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> > >>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> > >>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> > >>> static struct regs saved_rm_regs;
> > >>>
> > >>> #ifdef DEBUG
> > >>> -int traceset = 0;
> > >>> +int traceset = ~0;
> > >>>
> > >>> char *states[] = {
> > >>> "<VM86_REAL>",
> > >>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> > >>> unsigned seg_base, seg_limit;
> > >>> unsigned entry_low, entry_high;
> > >>>
> > >>> + printf("f 1\n");
> > >>> if (seg == 0) {
> > >>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> > >>> return off;
> > >>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> > >>> panic("segment is zero, but not in real mode!\n");
> > >>> }
> > >>>
> > >>> + printf("f 2\n");
> > >>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> > >>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> > >>> return ((seg & 0xFFFF) << 4) + off;
> > >>>
> > >>> + printf("f 3\n");
> > >>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> > >>> + printf("f 4\n");
> > >>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> > >>> + printf("f 5\n");
> > >>> printf("gdt base address above 4G\n");
> > >>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
> > >>> } else
> > >>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> > >>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) & 0xFFFFFF);
> > >>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> > >>>
> > >>> + printf("f 6\n");
> > >>> if (entry_high & 0x8000 &&
> > >>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> > >>> (!(entry_high & 0x800000) && off <= seg_limit)))
> > >>> return seg_base + off;
> > >>> + printf("f 7\n");
> > >>>
> > >>> panic("should never reach here in function address():\n\t"
> > >>> "entry=0x%08x%08x, mode=%d, seg=0x%08x, offset=0x%08x\n",
> > >>> entry_high, entry_low, mode, seg, off);
> > >>> + printf("f 8\n");
> > >>>
> > >>> return 0;
> > >>> }
> > >>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> > >>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> > >>>
> > >>> regs->eip++;
> > >>> + printf("f 9\n");
> > >>> return read8(addr);
> > >>> }
> > >>>
> > >>> ===output when add many printf
> > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> > >>> (XEN) HVM12: f 2
> > >>> (XEN) HVM12: f 9
> > >>> (XEN) HVM12: f 1
> > >>> (XEN) HVM12: f 2
> > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> > >>> (XEN) HVM12: f 2
> > >>> (XEN) HVM12: f 9
> > >>> (XEN) HVM12: f 1
> > >>> (XEN) HVM12: f 2
> > >>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> > >>> (XEN) HVM12: f 2
> > >>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> > >>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> > >>>
> > >>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> > >>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print
> > >>>> info.
> > >>>> The main function of fetch8 seems to be address(); it seems to have crashed in
> > >>>> address().
> > >>>>
> > >>>> (XEN) HVM7: after write16 of movw
> > >>>> (XEN) HVM7: top of opcode
> > >>>> (XEN) HVM7: Before fetch8
> > >>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> > >>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> > >>>> (XEN) HVM7: trapno D errno 0
> > >>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> > >>>> (XEN) HVM7: uesp CFB4 uss 0
> > >>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> > >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> > >>>> (XEN) HVM7:
> > >>>> (XEN) HVM7: Trap (0x6) while in real mode
> > >>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> > >>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> > >>>> (XEN) HVM7: trapno 6 errno 0
> > >>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> > >>>> (XEN) HVM7: uesp 71F uss D76D4
> > >>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> > >>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> > >>>> (XEN) HVM7:
> > >>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> > >>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> > >>>> (XEN) HVM7: Halt called from %eip 0xD037C
> > >>>>
> > >>>>
> > >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > >>>>> How about trying:
> > >>>>> printf("Before fetch8\n");
> > >>>>> dump_regs(regs);
> > >>>>> opc = fetch8(regs);
> > >>>>> printf("After fetch8\n");
> > >>>>> switch (opc) { ...
> > >>>>>
> > >>>>> This will let you see what eip is being fetched from, and also confirm
> > >>>>> that
> > >>>>> the crash happens within fetch8().
> > >>>>>
> > >>>>> You could also try adding more printf()s inside fetch8() and address() to
> > >>>>> find out which specific bit of fetch8() is crashing (if that is indeed the
> > >>>>> function that is crashing).
> > >>>>>
> > >>>>> -- Keir
> > >>>>>
> > >>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> > >>>>>
> > >>>>>> Hi Keir,
> > >>>>>> I made the change as you said; the diff is:
> > >>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> > >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> > >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> > >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> > >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> > >>>>>> static struct regs saved_rm_regs;
> > >>>>>>
> > >>>>>> #ifdef DEBUG
> > >>>>>> -int traceset = 0;
> > >>>>>> +int traceset = ~0;
> > >>>>>>
> > >>>>>> char *states[] = {
> > >>>>>> "<VM86_REAL>",
> > >>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> > >>>>>> TRACE((regs, regs->eip - eip,
> > >>>>>> "movw %%%s, *0x%x", rnames[r], addr));
> > >>>>>> write16(addr, MASK16(val));
> > >>>>>> + printf("after write16 of movw\n");
> > >>>>>> }
> > >>>>>> return 1;
> > >>>>>>
> > >>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> > >>>>>> unsigned eip = regs->eip;
> > >>>>>> unsigned opc, modrm, disp;
> > >>>>>> unsigned prefix = 0;
> > >>>>>> + printf("top of opcode\n");
> > >>>>>>
> > >>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> > >>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
> > >>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> > >>>>>> if (trapno == 14)
> > >>>>>> printf("Page fault address 0x%x\n", get_cr2());
> > >>>>>> dump_regs(regs);
> > >>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> > >>>>>> short*)0xd0800));
> > >>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> > >>>>>> short*)0xd0804));
> > >>>>>> halt();
> > >>>>>> }
> > >>>>>> }
> > >>>>>>
> > >>>>>>
> > >>>>>> here is the output:
> > >>>>>> (XEN) HVM6: top of opcode
> > >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> > >>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> > >>>>>> (XEN) HVM6: top of opcode
> > >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> > >>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> > >>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> > >>>>>> (XEN) HVM6: after write16 of movw
> > >>>>>> (XEN) HVM6: top of opcode
> > >>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> > >>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx
> > >>>>>> 71E
> > >>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi
> > >>>>>> D00
> > >>>>>> (XEN) HVM6: trapno 6 errno 0
> > >>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> > >>>>>> (XEN) HVM6: uesp D4C29 uss 2
> > >>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs
> > >>>>>> D75B4
> > >>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4
> > >>>>>> 651
> > >>>>>> (XEN) HVM6:
> > >>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> > >>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> > >>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> > >>>>>>
> > >>>>>> objdump:
> > >>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> > >>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> > >>>>>> d07f7: 89 f8 mov %edi,%eax
> > >>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> > >>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> > >>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> > >>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> > >>>>>> d0807: 89 ec mov %ebp,%esp
> > >>>>>> d0809: c1 e0 04 shl $0x4,%eax
> > >>>>>> d080c: 01 d0 add %edx,%eax
> > >>>>>> d080e: 5d pop %ebp
> > >>>>>>
> > >>>>>> Seems the memory is correct; it crashed in opcode(),
> > >>>>>> and I think it's fetch8(regs) that crashes the system. I tried
> > >>>>>> fetch8(regs) in trap(), but it causes more traps and makes the HVM guest
> > >>>>>> reset.
> > >>>>>>
> > >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> > >>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> > >>>>>>>
> > >>>>>>>> What would be useful is to try to add tracing to see how far vmxassist
> > >>>>>>>> gets
> > >>>>>>>> after its last line of tracing before the trap occurs. That last line
> > >>>>>>>> is
> > >>>>>>>> currently from vm86.c, line 620. You might try adding extra printf()
> > >>>>>>>> statements immediately after the write16() on line 622, and also at the
> > >>>>>>>> top
> > >>>>>>>> of the opcode() function. We need to find out at what point vmxassist
> > >>>>>>>> is
> > >>>>>>>> jumping to this bogus address d0800.
> > >>>>>>>
> > >>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory.
> > >>>>>>> This
> > >>>>>>> is particularly likely because, according to the objdump, the
> > >>>>>>> 'instruction'
> > >>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> > >>>>>>>
> > >>>>>>> So, within trap() you might want to read say 16 bytes starting at
> > >>>>>>> 0xd0800
> > >>>>>>> and printf() them. So we can see if they match what objdump says should
> > >>>>>>> be
> > >>>>>>> there.
> > >>>>>>>
> > >>>>>>> -- Keir
> > >>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>> _______________________________________________
> > >>>>>> Xen-devel mailing list
> > >>>>>> Xen-devel@lists.xensource.com
> > >>>>>> http://lists.xensource.com/xen-devel
> > >>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>> _______________________________________________
> > >>> Xen-devel mailing list
> > >>> Xen-devel@lists.xensource.com
> > >>> http://lists.xensource.com/xen-devel
> > >>
> > >>
> > >
> > > _______________________________________________
> > > Xen-devel mailing list
> > > Xen-devel@lists.xensource.com
> > > http://lists.xensource.com/xen-devel
> >
> >
>
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 8:25 ` Brady Chen
@ 2007-08-08 8:41 ` Keir Fraser
2007-08-08 9:38 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 8:41 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
You could give that a try, but really it shouldn't be going at
0xc0000-0x100000 at all. There are usually ROM images residing there.
This is more likely to be a mis-emulation. Can you get a dump of the bytes
around 0xd680-0xd780? Then we could try and work out what the guest is
trying to execute, and see whether emulation is going wrong. A register dump
from the guest (dump_regs()) at the start of every call to opcode() might
also be useful.
-- Keir
On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> Hi Keir,
> I think the 7th issue I mentioned is the root cause,
> so I have a question.
> For real mode simulation, is the simulator running in the same space
> as the code to be simulated? Then how do you protect the simulator from
> being modified by the to-be-simulated code?
>
> Can I change the address of vmxassist to a higher address? Just to try to
> give more space to the Windows being simulated.
>
> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>> It's possible.
>> Any ideas on how to trace the function stack of a Xen guest, like the "bt" command in gdb?
>>
>> I did some analysis:
>> 1. the call flow is opcode()->fetch8()->address()
>> 2. only the printf in address() will change the behavior of the crash.
>> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
>> 4. address() will be invoked more than 40,000 times in one
>> simulation before the crash.
>> 5. there seems to be no recursive invocation in opcode(), fetch8(), address()
>> 6. from the output of "xen dmesg", before the crash, an instruction
>> sequence is simulated several times (you could check the previous
>> mails I sent for the "xen dmesg" output)
>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
>> and "*0xD07FE" is just the address of address() (you could get
>> the objdump output from previous mails too), so I think it's the
>> simulation which crashes the memory of address().
>>
>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>> Stack corruption/overflow, possibly?
>>>
>>> K.
>>>
>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>>>
>>>> Yes, the printfs are the only changes. Once I remove these prints, the
>>>> trap comes back with the same EIP (D0800).
>>>>
>>>> I tried keeping the first two printfs; the trap comes with a different
>>>> EIP (D19FD):
>>>> static unsigned
>>>> address(struct regs *regs, unsigned seg, unsigned off)
>>>> {
>>>> uint64_t gdt_phys_base;
>>>> unsigned long long entry;
>>>> unsigned seg_base, seg_limit;
>>>> unsigned entry_low, entry_high;
>>>>
>>>> printf("f 1\n");
>>>> if (seg == 0) {
>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>>> return off;
>>>> else
>>>> panic("segment is zero, but not in real mode!\n");
>>>> }
>>>>
>>>> printf("f 2\n");
>>>>
>>>> xen dmesg output:
>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 2
>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: f 1
>>>> (XEN) HVM3: Trap (0x6) while in real mode
>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
>>>> (XEN) HVM3: trapno 6 errno 0
>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
>>>> (XEN) HVM3: uesp CFAE uss 0
>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
>>>> (XEN) HVM3:
>>>> (XEN) HVM3: Halt called from %eip 0xD037C
>>>>
>>>>
>>>> and the objdump shows that:
>>>> 000d1970 <interrupt>:
>>>> d1970: 55 push %ebp
>>>> d1971: 89 e5 mov %esp,%ebp
>>>> d1973: 57 push %edi
>>>> d1974: 89 d7 mov %edx,%edi
>>>> d1976: 56 push %esi
>>>> ....
>>>> d19f8: 66 89 30 mov %si,(%eax)
>>>> d19fb: 31 d2 xor %edx,%edx
>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
>>>> d1a0b: 89 d8 mov %ebx,%eax
>>>> d1a0d: 89 34 24 mov %esi,(%esp)
>>>>
>>>>
>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>> Very weird. The emulations now aren't at the same address as before either
>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
>>>>> printf()s -- is it at all possible that the guest is executing down a
>>>>> different path here for other reasons? If it's really down to the printf()s
>>>>> then I guess you'll have to shuffle/remove printf()s to get the old
>>>>> behaviour back.
>>>>>
>>>>> -- Keir
>>>>>
>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>
>>>>>> It's strange:
>>>>>> if I add these prints, I get "Unknown opcode", not "trap".
>>>>>> ===added printf
>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>> static struct regs saved_rm_regs;
>>>>>>
>>>>>> #ifdef DEBUG
>>>>>> -int traceset = 0;
>>>>>> +int traceset = ~0;
>>>>>>
>>>>>> char *states[] = {
>>>>>> "<VM86_REAL>",
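Review bot: the traceset = ~0 change sits inside #ifdef DEBUG, so it only takes effect in a vmxassist build compiled with DEBUG defined; confirm that is the build being loaded into the guest, otherwise none of the TRACE output will appear. Turning on every trace class also inserts a console write before each emulated instruction, which changes timing relative to the untraced run, so a difference in behaviour between the two builds is not by itself evidence about the emulation.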
>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
>>>>>> unsigned seg_base, seg_limit;
>>>>>> unsigned entry_low, entry_high;
>>>>>>
>>>>>> + printf("f 1\n");
>>>>>> if (seg == 0) {
>>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>>>>> return off;
>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
>>>>>> panic("segment is zero, but not in real
>>>>>> mode!\n");
>>>>>> }
>>>>>>
>>>>>> + printf("f 2\n");
>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
>>>>>> return ((seg & 0xFFFF) << 4) + off;
>>>>>>
>>>>>> + printf("f 3\n");
>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
>>>>>> + printf("f 4\n");
>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
>>>>>> + printf("f 5\n");
>>>>>> printf("gdt base address above 4G\n");
>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
>>>>>> } else
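Review bot: printf("f 5\n") is immediately followed by the existing printf("gdt base address above 4G\n"), so it reports nothing the next line does not already report; drop it. The f 3 / f 4 pair around guest_linear_to_phys() is the one worth keeping, since it isolates that single call.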
>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
>>>>>> 0xFFFFFF);
>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
>>>>>>
>>>>>> + printf("f 6\n");
>>>>>> if (entry_high & 0x8000 &&
>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
>>>>>> return seg_base + off;
>>>>>> + printf("f 7\n");
>>>>>>
>>>>>> panic("should never reach here in function address():\n\t"
>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
>>>>>> offset=0x%08x\n",
>>>>>> entry_high, entry_low, mode, seg, off);
>>>>>> + printf("f 8\n");
>>>>>>
>>>>>> return 0;
>>>>>> }
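Review bot: printf("f 8\n") is placed after the panic() call; the pre-existing return 0; that follows panic() suggests panic() does not return, in which case f 8 can never be printed. Move the marker before panic() or drop it. The f 7 marker just before the panic is the useful one, since reaching it means the descriptor checks on entry_high and seg_limit above fell through.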
>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>>>>>>
>>>>>> regs->eip++;
>>>>>> + printf("f 9\n");
>>>>>> return read8(addr);
>>>>>> }
>>>>>>
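Review bot: printf("f 9\n") fires after address() has returned but prints neither addr nor the eip that was fetched, which is exactly what the thread is trying to recover. Since regs->eip has already been incremented on the line above, something like printf("f 9 eip=0x%x addr=0x%x\n", regs->eip - 1, addr); would show which physical address each instruction fetch touches and whether it is drifting toward vmxassist's own image.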
>>>>>> ===output when add many printf
>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
>>>>>> (XEN) HVM12: f 2
>>>>>> (XEN) HVM12: f 9
>>>>>> (XEN) HVM12: f 1
>>>>>> (XEN) HVM12: f 2
>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
>>>>>> (XEN) HVM12: f 2
>>>>>> (XEN) HVM12: f 9
>>>>>> (XEN) HVM12: f 1
>>>>>> (XEN) HVM12: f 2
>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
>>>>>> (XEN) HVM12: f 2
>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
>>>>>>
>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print
>>>>>>> info.
>>>>>>> The main function of fetch8 seems to be address(); it seems to have crashed in
>>>>>>> address().
>>>>>>>
>>>>>>> (XEN) HVM7: after write16 of movw
>>>>>>> (XEN) HVM7: top of opcode
>>>>>>> (XEN) HVM7: Before fetch8
>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>>>>>>> (XEN) HVM7: trapno D errno 0
>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>> (XEN) HVM7:
>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>>>>>>> (XEN) HVM7: trapno 6 errno 0
>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>> (XEN) HVM7:
>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
>>>>>>>
>>>>>>>
>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>> How about trying:
>>>>>>>> printf("Before fetch8\n");
>>>>>>>> dump_regs(regs);
>>>>>>>> opc = fetch8(regs);
>>>>>>>> printf("After fetch8\n");
>>>>>>>> switch (opc) { ...
>>>>>>>>
>>>>>>>> This will let you see what eip is being fetched from, and also confirm
>>>>>>>> that the crash happens within fetch8().
>>>>>>>>
>>>>>>>> You could also try adding more printf()s inside fetch8() and address()
>>>>>>>> to find out which specific bit of fetch8() is crashing (if that is indeed
>>>>>>>> the function that is crashing).
>>>>>>>>
>>>>>>>> -- Keir
>>>>>>>>
>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi, Keir,
>>>>>>>>> I made the change as you said:
>>>>>>>>> change diff is:
>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>>
>>>>>>>>> #ifdef DEBUG
>>>>>>>>> -int traceset = 0;
>>>>>>>>> +int traceset = ~0;
>>>>>>>>>
>>>>>>>>> char *states[] = {
>>>>>>>>> "<VM86_REAL>",
>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>>>>>>> TRACE((regs, regs->eip - eip,
>>>>>>>>> "movw %%%s, *0x%x", rnames[r], addr));
>>>>>>>>> write16(addr, MASK16(val));
>>>>>>>>> + printf("after write16 of movw\n");
>>>>>>>>> }
>>>>>>>>> return 1;
>>>>>>>>>
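Review bot: the printf after write16() records that a 16-bit store happened but not where it went; the TRACE two lines above already carries addr, but only when tracing is enabled. Printing addr and the value here, e.g. printf("write16 0x%x <- 0x%x\n", addr, MASK16(val));, would make a store landing inside vmxassist's own image visible without full tracing (the trace further down reports movw %ax, *0xD07FE, an address the quoted objdump places inside address()). There is also no check on this path that addr lies outside the emulator's own text before the write is performed.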
>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>>>>>>> unsigned eip = regs->eip;
>>>>>>>>> unsigned opc, modrm, disp;
>>>>>>>>> unsigned prefix = 0;
>>>>>>>>> + printf("top of opcode\n");
>>>>>>>>>
>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
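Review bot: "top of opcode" is printed without the eip being decoded, although eip is initialised from regs->eip on the first line of the hunk; printf("top of opcode eip=0x%x\n", eip); would let each marker be matched to the instruction that follows it in the log, which matters because the 0x0000D71F: trace lines are only emitted later, during decoding.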
>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>>>>>>> if (trapno == 14)
>>>>>>>>> printf("Page fault address 0x%x\n",
>>>>>>>>> get_cr2());
>>>>>>>>> dump_regs(regs);
>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
>>>>>>>>> short*)0xd0800));
>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
>>>>>>>>> short*)0xd0804));
>>>>>>>>> halt();
>>>>>>>>> }
>>>>>>>>> }
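Review bot: the probe reads two 16-bit words at 0xd0800 and 0xd0804 and skips 0xd0802, whereas the request was for 16 bytes from 0xd0800; a loop over ((unsigned char *)0xd0800)[i] printed with "%02x " would give the full picture. Note also that the values it produced, 0xFFFF and 0x7D8B, are exactly the little-endian words of the objdump bytes at those addresses (25 ff ff 00 00 at d07ff and 8b 7d fc at d0804), so the probe shows those four bytes intact rather than corrupted.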
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> here is the output:
>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>>>>>>> (XEN) HVM6: after write16 of movw
>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>> (XEN) HVM6:
>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>>>>>>
>>>>>>>>> objdump:
>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
>>>>>>>>> d0807: 89 ec mov %ebp,%esp
>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
>>>>>>>>> d080c: 01 d0 add %edx,%eax
>>>>>>>>> d080e: 5d pop %ebp
>>>>>>>>>
>>>>>>>>> Seems the memory is correct; it crashed in opcode(),
>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
>>>>>>>>> fetch8(regs) in trap(), but it causes more traps and makes the hvm guest
>>>>>>>>> reset.
>>>>>>>>>
>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> What would be useful is to try to add tracing to see how far
>>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
>>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
>>>>>>>>>>> might try adding extra printf() statements immediately after the
>>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
>>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
>>>>>>>>>>> to this bogus address d0800.
>>>>>>>>>>
>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
>>>>>>>>>> memory. This is particularly likely because, according to the
>>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
>>>>>>>>>> (it'd be an ADD of some sort).
>>>>>>>>>>
>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
>>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what objdump
>>>>>>>>>> says should be there.
>>>>>>>>>>
>>>>>>>>>> -- Keir
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
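Brady's question in the message quoted above, whether the emulator shares an address space with the code it emulates and how it can be kept from being written by that code, is the crux of this thread: the trace shows an emulated movw landing at 0xD07FE, which objdump places inside address(), and Keir notes that nothing should be writing into 0xc0000-0x100000 at all. The following is an added example written for this page, not vmxassist code. It models guest memory as a plain array and gives emulated stores a range check that refuses any write overlapping the emulator's own image, so a mis-emulated or hostile store is reported instead of silently corrupting the emulator. The image range [0xd0000, 0xd8000) and all function names are assumptions (a real build would take the bounds from linker symbols).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the guest's low physical memory (the 1 MiB a
 * real-mode guest can address). vmxassist works on the guest's memory in
 * place; here it is a plain array so the example runs anywhere. */
#define GUEST_MEM_SIZE 0x100000u
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Assumed placement of the emulator image inside guest memory. The thread's
 * objdump shows address() at 0xd07xx, so [0xd0000, 0xd8000) is a plausible
 * but assumed range; a real build would take these from linker symbols. */
#define EMU_IMAGE_BASE 0xd0000u
#define EMU_IMAGE_END  0xd8000u

/* Real-mode segment:offset to linear, the same arithmetic as the
 * "((seg & 0xFFFF) << 4) + off" line of address() quoted in the thread. */
uint32_t real_mode_linear(uint32_t seg, uint32_t off)
{
    return ((seg & 0xffffu) << 4) + off;
}

/* Return 1 if a guest access of len bytes at addr may proceed.
 * Refused: zero-length or out-of-range accesses (including ones that would
 * wrap past the top of memory), and any write overlapping the emulator image.
 * Reads are left unrestricted: the concern here is the emulator's integrity. */
int guest_access_ok(uint32_t addr, uint32_t len, int is_write)
{
    if (len == 0 || len > GUEST_MEM_SIZE || addr > GUEST_MEM_SIZE - len)
        return 0;
    /* Half-open interval overlap test: [addr, addr+len) vs [BASE, END). */
    if (is_write && addr < EMU_IMAGE_END && addr + len > EMU_IMAGE_BASE)
        return 0;
    return 1;
}

/* Emulated 16-bit store (the movw case from the thread).
 * Returns 0 on success, -1 if refused; memory is untouched on refusal. */
int emu_write16(uint32_t addr, uint16_t val)
{
    if (!guest_access_ok(addr, 2, 1))
        return -1;
    guest_mem[addr]     = (uint8_t)(val & 0xff);   /* little-endian: low byte first */
    guest_mem[addr + 1] = (uint8_t)(val >> 8);
    return 0;
}

/* Emulated byte fetch (what fetch8() does through read8()).
 * Returns the byte, or -1 if the address is not readable. */
int emu_read8(uint32_t addr)
{
    if (!guest_access_ok(addr, 1, 0))
        return -1;
    return guest_mem[addr];
}

int main(void)
{
    /* A store into the boot-sector area is fine ... */
    printf("write16 0x7C00:  %d\n", emu_write16(0x7c00, 0xaa55));
    /* ... the store from the thread's trace is not: it would overwrite two
     * bytes of address() itself, so it is refused and can be reported. */
    printf("write16 0xD07FE: %d\n", emu_write16(0xd07fe, 0x0d00));
    printf("byte at 0xD07FE still %d\n", emu_read8(0xd07fe));
    return 0;
}
```

In a real emulator the check belongs in every store path (write8/write16/write32 and the string-instruction helpers), and a refused write should be surfaced as a fault in the trace rather than dropped, so that the instruction that caused it can be identified the way this thread is trying to do by hand.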
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 8:41 ` Keir Fraser
@ 2007-08-08 9:38 ` Brady Chen
2007-08-08 10:26 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 9:38 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Thanks,
can you show me a way to dump the bytes around 0xd680 ~ 0xd780?
Just printf in trap() of vmxassist?
On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> You could give that a try, but really it shouldn't be going at
> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>
> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> around 0xd680-0xd780? Then we could try and work out what the guest is
> trying to execute, and see whether emulation is going wrong. A register dump
> from the guest (dump_regs()) at the start of every call to opcode() might
> also be useful.
>
> -- Keir
>
> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > I think the 7th issue I mentioned is the root cause,
> > so I have a question.
> > For real mode simulation, is the simulator running in the same space
> > as the code to be simulated? Then how do you protect the simulator from
> > being modified by the to-be-simulated code?
> >
> > Can I change the address of vmxassist to a higher address? Just to try to
> > give more space to the Windows being simulated.
> >
> > On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >> It's possible.
> >> Any ideas on how to trace the function stack of a Xen guest, like the "bt" command in gdb?
> >>
> >> I did some analysis:
> >> 1. the call flow is opcode()->fetch8()->address()
> >> 2. only the printf in address() will change the behavior of the crash.
> >> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
> >> 4. address() will be invoked more than 40,000 times in one
> >> simulation before the crash.
> >> 5. there seems to be no recursive invocation in opcode(), fetch8(), address()
> >> 6. from the output of "xen dmesg", before the crash, an instruction
> >> sequence is simulated several times (you could check the previous
> >> mails I sent for the "xen dmesg" output)
> >> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >> and "*0xD07FE" is just the address of address() (you could get
> >> the objdump output from previous mails too), so I think it's the
> >> simulation which crashes the memory of address().
> >>
> >> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>> Stack corruption/overflow, possibly?
> >>>
> >>> K.
> >>>
> >>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>
> >>>> Yes, the printfs are the only changes. Once I remove these prints, the
> >>>> trap comes back with the same EIP (D0800).
> >>>>
> >>>> I tried keeping the first two printfs; the trap comes with a different
> >>>> EIP (D19FD):
> >>>> static unsigned
> >>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>> {
> >>>> uint64_t gdt_phys_base;
> >>>> unsigned long long entry;
> >>>> unsigned seg_base, seg_limit;
> >>>> unsigned entry_low, entry_high;
> >>>>
> >>>> printf("f 1\n");
> >>>> if (seg == 0) {
> >>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>> return off;
> >>>> else
> >>>> panic("segment is zero, but not in real mode!\n");
> >>>> }
> >>>>
> >>>> printf("f 2\n");
> >>>>
> >>>> xen dmesg output:
> >>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>> (XEN) HVM3: f 1
> >>>> (XEN) HVM3: f 2
> >>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>> (XEN) HVM3: f 1
> >>>> (XEN) HVM3: f 1
> >>>> (XEN) HVM3: f 1
> >>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>> (XEN) HVM3: trapno 6 errno 0
> >>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>> (XEN) HVM3: uesp CFAE uss 0
> >>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> >>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>> (XEN) HVM3:
> >>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>
> >>>>
> >>>> and the objdump shows that:
> >>>> 000d1970 <interrupt>:
> >>>> d1970: 55 push %ebp
> >>>> d1971: 89 e5 mov %esp,%ebp
> >>>> d1973: 57 push %edi
> >>>> d1974: 89 d7 mov %edx,%edi
> >>>> d1976: 56 push %esi
> >>>> ....
> >>>> d19f8: 66 89 30 mov %si,(%eax)
> >>>> d19fb: 31 d2 xor %edx,%edx
> >>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> >>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> >>>> d1a0b: 89 d8 mov %ebx,%eax
> >>>> d1a0d: 89 34 24 mov %esi,(%esp)
> >>>>
> >>>>
> >>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>> Very weird. The emulations now aren't at the same address as before either
> >>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> >>>>> printf()s -- is it at all possible that the guest is executing down a
> >>>>> different path here for other reasons? If it's really down to the printf()s
> >>>>> then I guess you'll have to shuffle/remove printf()s to get the old
> >>>>> behaviour back.
> >>>>>
> >>>>> -- Keir
> >>>>>
> >>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>
> >>>>>> It's strange:
> >>>>>> if I add these prints, I get "Unknown opcode", not "trap".
> >>>>>> ===added printf
> >>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> >>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>> static struct regs saved_rm_regs;
> >>>>>>
> >>>>>> #ifdef DEBUG
> >>>>>> -int traceset = 0;
> >>>>>> +int traceset = ~0;
> >>>>>>
> >>>>>> char *states[] = {
> >>>>>> "<VM86_REAL>",
> >>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> >>>>>> unsigned seg_base, seg_limit;
> >>>>>> unsigned entry_low, entry_high;
> >>>>>>
> >>>>>> + printf("f 1\n");
> >>>>>> if (seg == 0) {
> >>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>>>> return off;
> >>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> >>>>>> panic("segment is zero, but not in real
> >>>>>> mode!\n");
> >>>>>> }
> >>>>>>
> >>>>>> + printf("f 2\n");
> >>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> >>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> >>>>>> return ((seg & 0xFFFF) << 4) + off;
> >>>>>>
> >>>>>> + printf("f 3\n");
> >>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> >>>>>> + printf("f 4\n");
> >>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> >>>>>> + printf("f 5\n");
> >>>>>> printf("gdt base address above 4G\n");
> >>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3), &entry);
> >>>>>> } else
> >>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> >>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
> >>>>>> 0xFFFFFF);
> >>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >>>>>>
> >>>>>> + printf("f 6\n");
> >>>>>> if (entry_high & 0x8000 &&
> >>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> >>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
> >>>>>> return seg_base + off;
> >>>>>> + printf("f 7\n");
> >>>>>>
> >>>>>> panic("should never reach here in function address():\n\t"
> >>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
> >>>>>> offset=0x%08x\n",
> >>>>>> entry_high, entry_low, mode, seg, off);
> >>>>>> + printf("f 8\n");
> >>>>>>
> >>>>>> return 0;
> >>>>>> }
> >>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> >>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> >>>>>>
> >>>>>> regs->eip++;
> >>>>>> + printf("f 9\n");
> >>>>>> return read8(addr);
> >>>>>> }
> >>>>>>
> >>>>>> ===output when add many printf
> >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> >>>>>> (XEN) HVM12: f 2
> >>>>>> (XEN) HVM12: f 9
> >>>>>> (XEN) HVM12: f 1
> >>>>>> (XEN) HVM12: f 2
> >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> >>>>>> (XEN) HVM12: f 2
> >>>>>> (XEN) HVM12: f 9
> >>>>>> (XEN) HVM12: f 1
> >>>>>> (XEN) HVM12: f 2
> >>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> >>>>>> (XEN) HVM12: f 2
> >>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> >>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> >>>>>>
> >>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print
> >>>>>>> info.
> >>>>>>> The main function of fetch8 seems to be address(); it seems to have crashed in
> >>>>>>> address().
> >>>>>>>
> >>>>>>> (XEN) HVM7: after write16 of movw
> >>>>>>> (XEN) HVM7: top of opcode
> >>>>>>> (XEN) HVM7: Before fetch8
> >>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >>>>>>> (XEN) HVM7: trapno D errno 0
> >>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >>>>>>> (XEN) HVM7: uesp CFB4 uss 0
> >>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>> (XEN) HVM7:
> >>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
> >>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >>>>>>> (XEN) HVM7: trapno 6 errno 0
> >>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >>>>>>> (XEN) HVM7: uesp 71F uss D76D4
> >>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>> (XEN) HVM7:
> >>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> >>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> >>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
> >>>>>>>
> >>>>>>>
> >>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>> How about trying:
> >>>>>>>> printf("Before fetch8\n");
> >>>>>>>> dump_regs(regs);
> >>>>>>>> opc = fetch8(regs);
> >>>>>>>> printf("After fetch8\n");
> >>>>>>>> switch (opc) { ...
> >>>>>>>>
> >>>>>>>> This will let you see what eip is being fetched from, and also confirm
> >>>>>>>> that the crash happens within fetch8().
> >>>>>>>>
> >>>>>>>> You could also try adding more printf()s inside fetch8() and address()
> >>>>>>>> to find out which specific bit of fetch8() is crashing (if that is indeed
> >>>>>>>> the function that is crashing).
> >>>>>>>>
> >>>>>>>> -- Keir
> >>>>>>>>
> >>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi, Keir,
> >>>>>>>>> I made the change as you said:
> >>>>>>>>> change diff is:
> >>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007 +0800
> >>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>
> >>>>>>>>> #ifdef DEBUG
> >>>>>>>>> -int traceset = 0;
> >>>>>>>>> +int traceset = ~0;
> >>>>>>>>>
> >>>>>>>>> char *states[] = {
> >>>>>>>>> "<VM86_REAL>",
> >>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>>>>>>> TRACE((regs, regs->eip - eip,
> >>>>>>>>> "movw %%%s, *0x%x", rnames[r], addr));
> >>>>>>>>> write16(addr, MASK16(val));
> >>>>>>>>> + printf("after write16 of movw\n");
> >>>>>>>>> }
> >>>>>>>>> return 1;
> >>>>>>>>>
> >>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>>>>>>> unsigned eip = regs->eip;
> >>>>>>>>> unsigned opc, modrm, disp;
> >>>>>>>>> unsigned prefix = 0;
> >>>>>>>>> + printf("top of opcode\n");
> >>>>>>>>>
> >>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
> >>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>>>>>>> if (trapno == 14)
> >>>>>>>>> printf("Page fault address 0x%x\n",
> >>>>>>>>> get_cr2());
> >>>>>>>>> dump_regs(regs);
> >>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> >>>>>>>>> short*)0xd0800));
> >>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> >>>>>>>>> short*)0xd0804));
> >>>>>>>>> halt();
> >>>>>>>>> }
> >>>>>>>>> }
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> here is the output:
> >>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>>>>>>> (XEN) HVM6: after write16 of movw
> >>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> >>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> >>>>>>>>> (XEN) HVM6: trapno 6 errno 0
> >>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> >>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>> (XEN) HVM6:
> >>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>>>>>>
> >>>>>>>>> objdump:
> >>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>>>>>>> d07f7: 89 f8 mov %edi,%eax
> >>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>>>>>>> d0807: 89 ec mov %ebp,%esp
> >>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>>>>>>> d080c: 01 d0 add %edx,%eax
> >>>>>>>>> d080e: 5d pop %ebp
> >>>>>>>>>
> >>>>>>>>> Seems the memory is correct; it crashed in opcode(),
> >>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
> >>>>>>>>> fetch8(regs) in trap(), but it causes more traps and makes the hvm guest
> >>>>>>>>> reset.
> >>>>>>>>>
> >>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> What would be useful is to try to add tracing to see how far
> >>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
> >>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
> >>>>>>>>>>> might try adding extra printf() statements immediately after the
> >>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
> >>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
> >>>>>>>>>>> to this bogus address d0800.
> >>>>>>>>>>
> >>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
> >>>>>>>>>> memory. This is particularly likely because, according to the
> >>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
> >>>>>>>>>> (it'd be an ADD of some sort).
> >>>>>>>>>>
> >>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
> >>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what objdump
> >>>>>>>>>> says should be there.
> >>>>>>>>>>
> >>>>>>>>>> -- Keir
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>
> >
>
>
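Brady's message above asks how to dump the bytes around 0xd680 ~ 0xd780, and Keir's reply below gives the format (address at the start of the line, 16 bytes as "%02x ", 16 lines for that range) and the purpose, which is to compare what is in memory with what objdump says should be there. The following is an added example of both steps, not vmxassist code: a dump routine that formats one line into a buffer, a range dumper built on it, and a comparison of a memory region against reference bytes that reports the first mismatch. The guest memory array and the function names are constructed for the example; the reference bytes are the epilogue of address() at 0xd07f4 as printed by objdump earlier in the thread, loaded into the array so there is something realistic to dump and check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest physical memory (1 MiB). vmxassist would
 * read the guest's memory in place, e.g. through a pointer cast in trap(). */
#define GUEST_MEM_SIZE 0x100000u
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Reference bytes from the objdump lines quoted in the thread: the epilogue
 * of address() from 0xd07f4 (mov 0x8(%ebp),%edx) to 0xd080e (pop %ebp). */
#define OBJDUMP_REF_ADDR 0xd07f4u
static const uint8_t objdump_ref[] = {
    0x8b, 0x55, 0x08,               /* d07f4: mov 0x8(%ebp),%edx        */
    0x89, 0xf8,                     /* d07f7: mov %edi,%eax             */
    0x8b, 0x5d, 0xf4,               /* d07f9: mov 0xfffffff4(%ebp),%ebx */
    0x8b, 0x75, 0xf8,               /* d07fc: mov 0xfffffff8(%ebp),%esi */
    0x25, 0xff, 0xff, 0x00, 0x00,   /* d07ff: and $0xffff,%eax          */
    0x8b, 0x7d, 0xfc,               /* d0804: mov 0xfffffffc(%ebp),%edi */
    0x89, 0xec,                     /* d0807: mov %ebp,%esp             */
    0xc1, 0xe0, 0x04,               /* d0809: shl $0x4,%eax             */
    0x01, 0xd0,                     /* d080c: add %edx,%eax             */
    0x5d                            /* d080e: pop %ebp                  */
};

/* Pointer to len readable bytes at addr, or NULL if the range leaves memory. */
static const uint8_t *guest_ptr(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > GUEST_MEM_SIZE || addr > GUEST_MEM_SIZE - len)
        return NULL;
    return guest_mem + addr;
}

/* Reset memory and place the reference bytes where objdump says they live. */
void load_reference(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + OBJDUMP_REF_ADDR, objdump_ref, sizeof objdump_ref);
}

/* Format one dump line, "aaaaaaaa: xx xx ... xx" (16 bytes), into out.
 * Returns the length of the line, or -1 if addr is not readable. Formatting
 * into a buffer keeps the routine testable; vmxassist would printf() it. */
int hexdump_line(char *out, size_t outlen, uint32_t addr)
{
    const uint8_t *p = guest_ptr(addr, 16);
    int n, i;

    if (p == NULL)
        return -1;
    n = snprintf(out, outlen, "%08x:", (unsigned)addr);
    for (i = 0; i < 16 && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, " %02x", p[i]);
    return n;
}

/* Print [addr, addr + len) 16 bytes per line; 0x100 bytes gives the 16 lines
 * of 16 bytes asked for. Lines outside memory are reported, not skipped. */
void hexdump_range(uint32_t addr, uint32_t len)
{
    char line[80];
    uint32_t off;

    for (off = 0; off < len; off += 16) {
        if (hexdump_line(line, sizeof line, addr + off) < 0)
            printf("%08x: <unreadable>\n", (unsigned)(addr + off));
        else
            printf("%s\n", line);
    }
}

/* Compare memory at addr with ref. Returns -1 if every byte matches, the
 * offset of the first differing byte otherwise, or -2 if addr is unreadable. */
int first_mismatch(uint32_t addr, const uint8_t *ref, size_t len)
{
    const uint8_t *p = guest_ptr(addr, (uint32_t)len);
    size_t i;

    if (p == NULL)
        return -2;
    for (i = 0; i < len; i++)
        if (p[i] != ref[i])
            return (int)i;
    return -1;
}

int main(void)
{
    load_reference();
    hexdump_range(0xd680, 0x100);            /* the range asked for above */
    printf("address() epilogue: mismatch %d\n",
           first_mismatch(OBJDUMP_REF_ADDR, objdump_ref, sizeof objdump_ref));
    /* Replay a stray 16-bit store at 0xD07FE like the one in the trace (the
     * stored value is constructed); the comparison now pinpoints the damage. */
    guest_mem[0xd07fe] = 0x00;
    guest_mem[0xd07ff] = 0x0d;
    printf("after stray movw: mismatch at offset %d\n",
           first_mismatch(OBJDUMP_REF_ADDR, objdump_ref, sizeof objdump_ref));
    return 0;
}
```

Running the comparison from trap() answers Keir's earlier question directly: a mismatch offset tells you which instruction of address() was overwritten, and a clean result rules out image corruption and points back at mis-emulation.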
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 9:38 ` Brady Chen
@ 2007-08-08 10:26 ` Keir Fraser
2007-08-08 12:12 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 10:26 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Well, some bytes are already screwed at that point, so I'd try to do it
earlier (e.g., when you are emulating one of the earlier MOVs, for example).
But yes, dumping by printf() is fine. Put address at start of line, and then
dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
-- Keir
On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
> Thanks,
> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> just printf in trap() of vmxassist?
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>> You could give that a try, but really it shouldn't be going at
>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>>
>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
>> around 0xd680-0xd780? Then we could try and work out what the guest is
>> trying to execute, and see whether emulation is going wrong. A register dump
>> from the guest (dump_regs()) at the start of every call to opcode() might
>> also be useful.
>>
>> -- Keir
>>
>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> Hi Keir,
>>> I think the 7th issue I mentioned is the root cause,
>>> so I have a question.
>>> For real mode simulation, is the simulator running in the same address space
>>> as the code to be simulated? Then how is the simulator protected from
>>> being modified by the code being simulated?
>>>
>>> can I change the address of vmxassist to a higher address? just try to
>>> give more space to the to-be-simulated windows.
>>>
>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>>>> it's possible.
>>>> any ideas to trace the function stack of xen guest? like "bt" command in
>>>> gdb.
>>>>
>>>> I did some analysis:
>>>> 1. the call flow is opcode()->fetch8()->address()
>>>> 2. only the printf in address() will change the behaviour of the crash.
>>>> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
>>>> 4. address() will be invoked more than 40,000 times in one
>>>> simulation, before the crash.
>>>> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
>>>> 6. from the output of "xen dmesg", before the crash, an instruction
>>>> sequence is simulated several times (you could check the previous
>>>> mails I sent for "xen dmesg" output)
>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
>>>> and "*0xD07FE" is just the address of address() (you could get
>>>> the objdump output from previous mails too), so I think it's the
>>>> simulation which crashes the memory of address().
>>>>
>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>>>> Stack corruption/overflow, possibly?
>>>>>
>>>>> K.
>>>>>
>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>
>>>>>> Yes, the printfs are the only changes. once I remove these prints, the
>>>>>> trap comes back, with the same EIP (D0800)
>>>>>>
>>>>>> I tried to keep the first two printfs, the trap comes with different
>>>>>> EIP(D19FD)
>>>>>> static unsigned
>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
>>>>>> {
>>>>>> uint64_t gdt_phys_base;
>>>>>> unsigned long long entry;
>>>>>> unsigned seg_base, seg_limit;
>>>>>> unsigned entry_low, entry_high;
>>>>>>
>>>>>> printf("f 1\n");
>>>>>> if (seg == 0) {
>>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>>>>> return off;
>>>>>> else
>>>>>> panic("segment is zero, but not in real
>>>>>> mode!\n");
>>>>>> }
>>>>>>
>>>>>> printf("f 2\n");
>>>>>>
>>>>>> xen dmesg output:
>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>> (XEN) HVM3: f 1
>>>>>> (XEN) HVM3: f 2
>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
>>>>>> (XEN) HVM3: f 1
>>>>>> (XEN) HVM3: f 1
>>>>>> (XEN) HVM3: f 1
>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
>>>>>> (XEN) HVM3: trapno 6 errno 0
>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
>>>>>> (XEN) HVM3: uesp CFAE uss 0
>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>> (XEN) HVM3:
>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
>>>>>>
>>>>>>
>>>>>> and the objdump shows that:
>>>>>> 000d1970 <interrupt>:
>>>>>> d1970: 55 push %ebp
>>>>>> d1971: 89 e5 mov %esp,%ebp
>>>>>> d1973: 57 push %edi
>>>>>> d1974: 89 d7 mov %edx,%edi
>>>>>> d1976: 56 push %esi
>>>>>> ....
>>>>>> d19f8: 66 89 30 mov %si,(%eax)
>>>>>> d19fb: 31 d2 xor %edx,%edx
>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
>>>>>> d1a0b: 89 d8 mov %ebx,%eax
>>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
>>>>>>
>>>>>>
>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>> Very weird. The emulations now aren't at the same address as before
>>>>>>> either
>>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added
>>>>>>> these
>>>>>>> printf()s -- is it at all possible that the guest is executing down a
>>>>>>> different path here for other reasons? If it's really down to the
>>>>>>> printf()s
>>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old
>>>>>>> behaviour back.
>>>>>>>
>>>>>>> -- Keir
>>>>>>>
>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>
>>>>>>>> it's strange:
>>>>>>>> if i add these prints, i get " Unknown opcode", not "trap".
>>>>>>>> ===added printf
>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>
>>>>>>>> #ifdef DEBUG
>>>>>>>> -int traceset = 0;
>>>>>>>> +int traceset = ~0;
>>>>>>>>
>>>>>>>> char *states[] = {
>>>>>>>> "<VM86_REAL>",
>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
>>>>>>>> unsigned seg_base, seg_limit;
>>>>>>>> unsigned entry_low, entry_high;
>>>>>>>>
>>>>>>>> + printf("f 1\n");
>>>>>>>> if (seg == 0) {
>>>>>>>> if (mode == VM86_REAL || mode ==
>>>>>>>> VM86_REAL_TO_PROTECTED)
>>>>>>>> return off;
>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
>>>>>>>> panic("segment is zero, but not in real
>>>>>>>> mode!\n");
>>>>>>>> }
>>>>>>>>
>>>>>>>> + printf("f 2\n");
>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
>>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
>>>>>>>> return ((seg & 0xFFFF) << 4) + off;
>>>>>>>>
>>>>>>>> + printf("f 3\n");
>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
>>>>>>>> + printf("f 4\n");
>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
>>>>>>>> + printf("f 5\n");
>>>>>>>> printf("gdt base address above 4G\n");
>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3),
>>>>>>>> &entry);
>>>>>>>> } else
>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
>>>>>>>> 0xFFFFFF);
>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
>>>>>>>>
>>>>>>>> + printf("f 6\n");
>>>>>>>> if (entry_high & 0x8000 &&
>>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
>>>>>>>> return seg_base + off;
>>>>>>>> + printf("f 7\n");
>>>>>>>>
>>>>>>>> panic("should never reach here in function address():\n\t"
>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
>>>>>>>> offset=0x%08x\n",
>>>>>>>> entry_high, entry_low, mode, seg, off);
>>>>>>>> + printf("f 8\n");
>>>>>>>>
>>>>>>>> return 0;
>>>>>>>> }
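Review bot: the `printf("f 8\n")` placed after the panic() call in this hunk cannot print if panic() does not return, so its absence from the trace output tells you nothing, and the `return 0;` below it exists only to keep the compiler quiet. Put the marker before the panic() (or drop it) so that a fall-through into the "should never reach here" path actually shows up in the log.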
>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
>>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>>>>>>>>
>>>>>>>> regs->eip++;
>>>>>>>> + printf("f 9\n");
>>>>>>>> return read8(addr);
>>>>>>>> }
>>>>>>>>
>>>>>>>> ===output when add many printf
>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
>>>>>>>> (XEN) HVM12: f 2
>>>>>>>> (XEN) HVM12: f 9
>>>>>>>> (XEN) HVM12: f 1
>>>>>>>> (XEN) HVM12: f 2
>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
>>>>>>>> (XEN) HVM12: f 2
>>>>>>>> (XEN) HVM12: f 9
>>>>>>>> (XEN) HVM12: f 1
>>>>>>>> (XEN) HVM12: f 2
>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
>>>>>>>> (XEN) HVM12: f 2
>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
>>>>>>>>
>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print
>>>>>>>>> info.
>>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in
>>>>>>>>> address().
>>>>>>>>>
>>>>>>>>> (XEN) HVM7: after write16 of movw
>>>>>>>>> (XEN) HVM7: top of opcode
>>>>>>>>> (XEN) HVM7: Before fetch8
>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>>>>>>>>> (XEN) HVM7: trapno D errno 0
>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>> (XEN) HVM7:
>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>>>>>>>>> (XEN) HVM7: trapno 6 errno 0
>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>> (XEN) HVM7:
>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>> How about trying:
>>>>>>>>>> printf("Before fetch8\n");
>>>>>>>>>> dump_regs(regs);
>>>>>>>>>> opc = fetch8(regs);
>>>>>>>>>> printf("After fetch8\n");
>>>>>>>>>> switch (opc) { ...
>>>>>>>>>>
>>>>>>>>>> This will let you see what eip is being fetched from, and also
>>>>>>>>>> confirm
>>>>>>>>>> that
>>>>>>>>>> the crash happens within fetch8().
>>>>>>>>>>
>>>>>>>>>> You could also try adding more printf()s inside fetch8() and
>>>>>>>>>> address()
>>>>>>>>>> to
>>>>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed
>>>>>>>>>> the
>>>>>>>>>> function that is crashing).
>>>>>>>>>>
>>>>>>>>>> -- Keir
>>>>>>>>>>
>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi, Keir,
>>>>>>>>>>> I made the change as you said:
>>>>>>>>>>> change diff is:
>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
>>>>>>>>>>> +0100
>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007
>>>>>>>>>>> +0800
>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>>>>
>>>>>>>>>>> #ifdef DEBUG
>>>>>>>>>>> -int traceset = 0;
>>>>>>>>>>> +int traceset = ~0;
>>>>>>>>>>>
>>>>>>>>>>> char *states[] = {
>>>>>>>>>>> "<VM86_REAL>",
>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>>>>>>>>> TRACE((regs, regs->eip - eip,
>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r],
>>>>>>>>>>> addr));
>>>>>>>>>>> write16(addr, MASK16(val));
>>>>>>>>>>> + printf("after write16 of movw\n");
>>>>>>>>>>> }
>>>>>>>>>>> return 1;
>>>>>>>>>>>
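Review bot: the write16(addr, MASK16(val)) that the new printf follows stores to whatever address the emulated instruction computed, with no check that the target lies outside vmxassist's own image, and the output below traces exactly such a store ("movw %ax, *0xD07FE") into the code of address(). Print addr alongside the marker, and flag or refuse a store whose range overlaps the emulator's text, so that this silent self-corruption becomes a visible diagnostic instead of a later trap 6 at 0xD0800.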
>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>>>>>>>>> unsigned eip = regs->eip;
>>>>>>>>>>> unsigned opc, modrm, disp;
>>>>>>>>>>> unsigned prefix = 0;
>>>>>>>>>>> + printf("top of opcode\n");
>>>>>>>>>>>
>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
>>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>>>>>>>>> if (trapno == 14)
>>>>>>>>>>> printf("Page fault address 0x%x\n",
>>>>>>>>>>> get_cr2());
>>>>>>>>>>> dump_regs(regs);
>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
>>>>>>>>>>> short*)0xd0800));
>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
>>>>>>>>>>> short*)0xd0804));
>>>>>>>>>>> halt();
>>>>>>>>>>> }
>>>>>>>>>>> }
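Review bot: the two reads at 0xd0800 and 0xd0804 cover four bytes only, and both match the objdump below, while the store traced just before the trap went to 0xD07FE, two bytes below the first read; a match here therefore does not show that address() is intact. Dump the whole range around the fault (address first, then 16 bytes per line as "%02x ") and diff it against the objdump listing, and give the values a width ("0x%04x") so that a leading zero byte is not silently dropped.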
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> here is the output:
>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>>>>>>>>> (XEN) HVM6: after write16 of movw
>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
>>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
>>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
>>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
>>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>> (XEN) HVM6:
>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>>>>>>>>
>>>>>>>>>>> objdump:
>>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
>>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
>>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
>>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
>>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
>>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
>>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
>>>>>>>>>>> d0807: 89 ec mov %ebp,%esp
>>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
>>>>>>>>>>> d080c: 01 d0 add %edx,%eax
>>>>>>>>>>> d080e: 5d pop %ebp
>>>>>>>>>>>
>>>>>>>>>>> seems the memory is correct; it's crashed in opcode(),
>>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
>>>>>>>>>>> fetch8(regs) in trap(), but it causes more traps and lets the hvm
>>>>>>>>>>> guest be reset.
>>>>>>>>>>>
>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> What would be useful is to try to add tracing to see how far
>>>>>>>>>>>> vmxassist
>>>>>>>>>>>> gets
>>>>>>>>>>>> after its last line of tracing before the trap occurs. That last
>>>>>>>>>>>> line
>>>>>>>>>>>> is
>>>>>>>>>>>> currently from vm86.c, line 620. You might try adding extra
>>>>>>>>>>>> printf()
>>>>>>>>>>>> statements immediately after the write16() on line 622, and also at
>>>>>>>>>>>> the
>>>>>>>>>>>> top
>>>>>>>>>>>> of the opcode() function. We need to find out at what point
>>>>>>>>>>>> vmxassist
>>>>>>>>>>>> is
>>>>>>>>>>>> jumping to this bogus address d0800.
>>>>>>>>>>>>
>>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
>>>>>>>>>>>> memory.
>>>>>>>>>>>> This
>>>>>>>>>>>> is particularly likely because, according to the objdump, the
>>>>>>>>>>>> 'instruction'
>>>>>>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some
>>>>>>>>>>>> sort).
>>>>>>>>>>>>
>>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
>>>>>>>>>>>> 0xd0800
>>>>>>>>>>>> and printf() them. So we can see if they match what objdump says
>>>>>>>>>>>> should
>>>>>>>>>>>> be
>>>>>>>>>>>> there.
>>>>>>>>>>>>
>>>>>>>>>>>> -- Keir
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
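An added example, not vmxassist code, of the check Keir describes and the spot check Brady made: a hexdump in the requested layout plus a byte-for-byte comparison of address() against the objdump listing quoted in the thread, run against a constructed snapshot that receives the traced store to 0xD07FE. The expected bytes are the d07f4-d080e listing above; the stored value 0x0d00 and the snapshot buffer are assumptions, since the real %ax is not in the logs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes of the tail of address(), 0xd07f4..0xd080e, copied from the objdump
 * listing quoted in the thread. Any part of vmxassist's own image can be
 * checked the same way against its objdump. */
#define TEXT_BASE 0xd07f4u
static const uint8_t expected_text[] = {
    0x8b, 0x55, 0x08,             /* d07f4: mov 0x8(%ebp),%edx        */
    0x89, 0xf8,                   /* d07f7: mov %edi,%eax             */
    0x8b, 0x5d, 0xf4,             /* d07f9: mov 0xfffffff4(%ebp),%ebx */
    0x8b, 0x75, 0xf8,             /* d07fc: mov 0xfffffff8(%ebp),%esi */
    0x25, 0xff, 0xff, 0x00, 0x00, /* d07ff: and $0xffff,%eax          */
    0x8b, 0x7d, 0xfc,             /* d0804: mov 0xfffffffc(%ebp),%edi */
    0x89, 0xec,                   /* d0807: mov %ebp,%esp             */
    0xc1, 0xe0, 0x04,             /* d0809: shl $0x4,%eax             */
    0x01, 0xd0,                   /* d080c: add %edx,%eax             */
    0x5d,                         /* d080e: pop %ebp                  */
};
#define TEXT_LEN ((uint32_t)sizeof(expected_text))

/* Hexdump in the layout Keir asked for: address first, then up to 16 bytes
 * per line as "%02x ". Returns the number of lines written. */
int hexdump16(FILE *out, uint32_t base, const uint8_t *mem, uint32_t len)
{
    int lines = 0;
    for (uint32_t off = 0; off < len; off += 16, lines++) {
        fprintf(out, "0x%08X:", base + off);
        for (uint32_t i = 0; i < 16 && off + i < len; i++)
            fprintf(out, " %02x", mem[off + i]);
        fputc('\n', out);
    }
    return lines;
}

/* Little-endian 16-bit read from a snapshot that starts at guest physical
 * address `base`; mirrors the `*(unsigned short *)0xd0800` spot check from
 * the thread. Returns -1 if the word is not inside the snapshot. */
long read16_le(uint32_t base, const uint8_t *mem, uint32_t len, uint32_t addr)
{
    if (addr < base || addr - base + 2 > len)
        return -1;
    const uint8_t *p = mem + (addr - base);
    return (long)(p[0] | (p[1] << 8));
}

/* Model the emulated "movw %ax, *addr" as a little-endian 16-bit store into
 * the snapshot. Returns 0 on success, -1 if the target is not in the snapshot. */
int write16_le(uint32_t base, uint8_t *mem, uint32_t len, uint32_t addr,
               uint16_t val)
{
    if (addr < base || addr - base + 2 > len)
        return -1;
    mem[addr - base] = (uint8_t)(val & 0xff);
    mem[addr - base + 1] = (uint8_t)(val >> 8);
    return 0;
}

/* 1 if a store of `len` bytes at `addr` touches the half-open range [lo, hi):
 * the guard an emulator needs before it lets guest code store into the region
 * that holds the emulator itself. */
int store_hits_range(uint32_t addr, uint32_t len, uint32_t lo, uint32_t hi)
{
    return addr < hi && addr + len > lo;
}

/* Compare a snapshot against the objdump bytes. Returns -1 if identical, -2 if
 * the snapshot does not cover the whole expected range, otherwise the guest
 * physical address of the first differing byte. */
long first_text_mismatch(uint32_t base, const uint8_t *mem, uint32_t len)
{
    if (base > TEXT_BASE || base + len < TEXT_BASE + TEXT_LEN)
        return -2;
    const uint8_t *p = mem + (TEXT_BASE - base);
    for (uint32_t i = 0; i < TEXT_LEN; i++)
        if (p[i] != expected_text[i])
            return (long)(TEXT_BASE + i);
    return -1;
}

/* Scenario from the thread: a pristine copy of address() receives the traced
 * store to 0xD07FE (stored value 0x0d00 is constructed). Fills *spot with what
 * the 0xd0800 spot check reads afterwards and returns the first mismatch
 * found by the full comparison. */
long corrupted_address_scenario(long *spot)
{
    uint8_t snap[sizeof(expected_text)];
    memcpy(snap, expected_text, sizeof(snap));
    if (write16_le(TEXT_BASE, snap, TEXT_LEN, 0xd07feu, 0x0d00) != 0)
        return -3;
    *spot = read16_le(TEXT_BASE, snap, TEXT_LEN, 0xd0800u);
    hexdump16(stdout, TEXT_BASE, snap, TEXT_LEN);
    return first_text_mismatch(TEXT_BASE, snap, TEXT_LEN);
}

int main(void)
{
    long spot = 0;
    long bad = corrupted_address_scenario(&spot);
    printf("spot check at 0xd0800 reads 0x%04lX, first mismatch at 0x%lX\n",
           spot, bad);
    return 0;
}
```

After the store the spot check at 0xd0800 still reads 0xFFFF, exactly as in the thread's output, which is why only the full-range comparison reveals the two clobbered bytes at 0xd07fe.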
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 10:26 ` Keir Fraser
@ 2007-08-08 12:12 ` Brady Chen
2007-08-08 13:32 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 12:12 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi Keir,
here is the memory dump from D680 ~ D780. How do I analyze it? Any tools? Thanks
(XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
(XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
(XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
(XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
(XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
(XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
(XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
(XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
(XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
(XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
(XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
(XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
(XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
(XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
(XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
(XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
(XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Well, some bytes are already screwed at that point, so I'd try to do it
> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> But yes, dumping by printf() is fine. Put address at start of line, and then
> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
>
> -- Keir
>
> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Thanks,
> > can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> > just printf in trap() of vmxassist?
> >
> > On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >> You could give that a try, but really it shouldn't be going at
> >> 0xc0000-0x100000 at all. There are usually ROM images residing there.
> >>
> >> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> >> around 0xd680-0xd780? Then we could try and work out what the guest is
> >> trying to execute, and see whether emulation is going wrong. A register dump
> >> from the guest (dump_regs()) at the start of every call to opcode() might
> >> also be useful.
> >>
> >> -- Keir
> >>
> >> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> Hi Keir,
> >>> I think the 7th issue I mentioned is the root cause,
> >>> so I have a question.
> >>> For real mode simulation, is the simulator running in the same address space
> >>> as the code to be simulated? Then how is the simulator protected from
> >>> being modified by the code being simulated?
> >>>
> >>> can I change the address of vmxassist to a higher address? just try to
> >>> give more space to the to-be-simulated windows.
> >>>
> >>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>> it's possible.
> >>>> any ideas to trace the function stack of xen guest? like "bt" command in
> >>>> gdb.
> >>>>
> >>>> I did some analysis:
> >>>> 1. the call flow is opcode()->fetch8()->address()
> >>>> 2. only the printf in address() will change the behaviour of the crash.
> >>>> 3. and the crash EIP (0xD0800) is in address() according to the objdump.
> >>>> 4. address() will be invoked more than 40,000 times in one
> >>>> simulation, before the crash.
> >>>> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
> >>>> 6. from the output of "xen dmesg", before the crash, an instruction
> >>>> sequence is simulated several times (you could check the previous
> >>>> mails I sent for "xen dmesg" output)
> >>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >>>> and "*0xD07FE" is just the address of address() (you could get
> >>>> the objdump output from previous mails too), so I think it's the
> >>>> simulation which crashes the memory of address().
> >>>>
> >>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>> Stack corruption/overflow, possibly?
> >>>>>
> >>>>> K.
> >>>>>
> >>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>
> >>>>>> Yes, the printfs are the only changes. once I remove these prints, the
> >>>>>> trap comes back, with the same EIP (D0800)
> >>>>>>
> >>>>>> I tried to keep the first two printfs, the trap comes with different
> >>>>>> EIP(D19FD)
> >>>>>> static unsigned
> >>>>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>>>> {
> >>>>>> uint64_t gdt_phys_base;
> >>>>>> unsigned long long entry;
> >>>>>> unsigned seg_base, seg_limit;
> >>>>>> unsigned entry_low, entry_high;
> >>>>>>
> >>>>>> printf("f 1\n");
> >>>>>> if (seg == 0) {
> >>>>>> if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>>>> return off;
> >>>>>> else
> >>>>>> panic("segment is zero, but not in real
> >>>>>> mode!\n");
> >>>>>> }
> >>>>>>
> >>>>>> printf("f 2\n");
> >>>>>>
> >>>>>> xen dmesg output:
> >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>> (XEN) HVM3: f 1
> >>>>>> (XEN) HVM3: f 2
> >>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>>>> (XEN) HVM3: f 1
> >>>>>> (XEN) HVM3: f 1
> >>>>>> (XEN) HVM3: f 1
> >>>>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>>>> (XEN) HVM3: trapno 6 errno 0
> >>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>>>> (XEN) HVM3: uesp CFAE uss 0
> >>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> >>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>> (XEN) HVM3:
> >>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>>>
> >>>>>>
> >>>>>> and the objdump shows that:
> >>>>>> 000d1970 <interrupt>:
> >>>>>> d1970: 55 push %ebp
> >>>>>> d1971: 89 e5 mov %esp,%ebp
> >>>>>> d1973: 57 push %edi
> >>>>>> d1974: 89 d7 mov %edx,%edi
> >>>>>> d1976: 56 push %esi
> >>>>>> ....
> >>>>>> d19f8: 66 89 30 mov %si,(%eax)
> >>>>>> d19fb: 31 d2 xor %edx,%edx
> >>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> >>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> >>>>>> d1a0b: 89 d8 mov %ebx,%eax
> >>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
> >>>>>>
> >>>>>>
> >>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> Very weird. The emulations now aren't at the same address as before
> >>>>>>> either
> >>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added
> >>>>>>> these
> >>>>>>> printf()s -- is it at all possible that the guest is executing down a
> >>>>>>> different path here for other reasons? If it's really down to the
> >>>>>>> printf()s
> >>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old
> >>>>>>> behaviour back.
> >>>>>>>
> >>>>>>> -- Keir
> >>>>>>>
> >>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> it's strange:
> >>>>>>>> if i add these prints, i get " Unknown opcode", not "trap".
> >>>>>>>> ===added printf
> >>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007 +0100
> >>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007 +0800
> >>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>
> >>>>>>>> #ifdef DEBUG
> >>>>>>>> -int traceset = 0;
> >>>>>>>> +int traceset = ~0;
> >>>>>>>>
> >>>>>>>> char *states[] = {
> >>>>>>>> "<VM86_REAL>",
> >>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>> unsigned seg_base, seg_limit;
> >>>>>>>> unsigned entry_low, entry_high;
> >>>>>>>>
> >>>>>>>> + printf("f 1\n");
> >>>>>>>> if (seg == 0) {
> >>>>>>>> if (mode == VM86_REAL || mode ==
> >>>>>>>> VM86_REAL_TO_PROTECTED)
> >>>>>>>> return off;
> >>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>> panic("segment is zero, but not in real
> >>>>>>>> mode!\n");
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> + printf("f 2\n");
> >>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> >>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> >>>>>>>> return ((seg & 0xFFFF) << 4) + off;
> >>>>>>>>
> >>>>>>>> + printf("f 3\n");
> >>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> >>>>>>>> + printf("f 4\n");
> >>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> >>>>>>>> + printf("f 5\n");
> >>>>>>>> printf("gdt base address above 4G\n");
> >>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3),
> >>>>>>>> &entry);
> >>>>>>>> } else
> >>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
> >>>>>>>> 0xFFFFFF);
> >>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >>>>>>>>
> >>>>>>>> + printf("f 6\n");
> >>>>>>>> if (entry_high & 0x8000 &&
> >>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> >>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
> >>>>>>>> return seg_base + off;
> >>>>>>>> + printf("f 7\n");
> >>>>>>>>
> >>>>>>>> panic("should never reach here in function address():\n\t"
> >>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
> >>>>>>>> offset=0x%08x\n",
> >>>>>>>> entry_high, entry_low, mode, seg, off);
> >>>>>>>> + printf("f 8\n");
> >>>>>>>>
> >>>>>>>> return 0;
> >>>>>>>> }
> >>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> >>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> >>>>>>>>
> >>>>>>>> regs->eip++;
> >>>>>>>> + printf("f 9\n");
> >>>>>>>> return read8(addr);
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> ===output when add many printf
> >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> >>>>>>>> (XEN) HVM12: f 2
> >>>>>>>> (XEN) HVM12: f 9
> >>>>>>>> (XEN) HVM12: f 1
> >>>>>>>> (XEN) HVM12: f 2
> >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> >>>>>>>> (XEN) HVM12: f 2
> >>>>>>>> (XEN) HVM12: f 9
> >>>>>>>> (XEN) HVM12: f 1
> >>>>>>>> (XEN) HVM12: f 2
> >>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> >>>>>>>> (XEN) HVM12: f 2
> >>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> >>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> >>>>>>>>
> >>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>>>>> Hi, yes, it's crashed in fetch8. it's very slow after I add this print
> >>>>>>>>> info.
> >>>>>>>>> the main function of fetch8 seems to be address(). seems crashed in
> >>>>>>>>> address().
> >>>>>>>>>
> >>>>>>>>> (XEN) HVM7: after write16 of movw
> >>>>>>>>> (XEN) HVM7: top of opcode
> >>>>>>>>> (XEN) HVM7: Before fetch8
> >>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >>>>>>>>> (XEN) HVM7: trapno D errno 0
> >>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
> >>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>> (XEN) HVM7:
> >>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
> >>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >>>>>>>>> (XEN) HVM7: trapno 6 errno 0
> >>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
> >>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>> (XEN) HVM7:
> >>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> >>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> >>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>> How about trying:
> >>>>>>>>>> printf("Before fetch8\n");
> >>>>>>>>>> dump_regs(regs);
> >>>>>>>>>> opc = fetch8(regs);
> >>>>>>>>>> printf("After fetch8\n");
> >>>>>>>>>> switch (opc) { ...
> >>>>>>>>>>
> >>>>>>>>>> This will let you see what eip is being fetched from, and also
> >>>>>>>>>> confirm
> >>>>>>>>>> that
> >>>>>>>>>> the crash happens within fetch8().
> >>>>>>>>>>
> >>>>>>>>>> You could also try adding more printf()s inside fetch8() and
> >>>>>>>>>> address()
> >>>>>>>>>> to
> >>>>>>>>>> find out which specific bit of fetch8() is crashing (if that indeed
> >>>>>>>>>> the
> >>>>>>>>>> function that is crashing).
> >>>>>>>>>>
> >>>>>>>>>> -- Keir
> >>>>>>>>>>
> >>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi, Keir,
> >>>>>>>>>>> I made the change as you said:
> >>>>>>>>>>> change diff is:
> >>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
> >>>>>>>>>>> +0100
> >>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007
> >>>>>>>>>>> +0800
> >>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>>>
> >>>>>>>>>>> #ifdef DEBUG
> >>>>>>>>>>> -int traceset = 0;
> >>>>>>>>>>> +int traceset = ~0;
> >>>>>>>>>>>
> >>>>>>>>>>> char *states[] = {
> >>>>>>>>>>> "<VM86_REAL>",
> >>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>>>>>>>>> TRACE((regs, regs->eip - eip,
> >>>>>>>>>>> "movw %%%s, *0x%x", rnames[r],
> >>>>>>>>>>> addr));
> >>>>>>>>>>> write16(addr, MASK16(val));
> >>>>>>>>>>> + printf("after write16 of movw\n");
> >>>>>>>>>>> }
> >>>>>>>>>>> return 1;
> >>>>>>>>>>>
> >>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>>>>>>>>> unsigned eip = regs->eip;
> >>>>>>>>>>> unsigned opc, modrm, disp;
> >>>>>>>>>>> unsigned prefix = 0;
> >>>>>>>>>>> + printf("top of opcode\n");
> >>>>>>>>>>>
> >>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
> >>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>>>>>>>>> if (trapno == 14)
> >>>>>>>>>>> printf("Page fault address 0x%x\n",
> >>>>>>>>>>> get_cr2());
> >>>>>>>>>>> dump_regs(regs);
> >>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> >>>>>>>>>>> short*)0xd0800));
> >>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> >>>>>>>>>>> short*)0xd0804));
> >>>>>>>>>>> halt();
> >>>>>>>>>>> }
> >>>>>>>>>>> }
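Review bot: the two added printfs read only the 16-bit words at 0xd0800 and 0xd0804, skipping 0xd0802, 0xd07fe and everything before the faulting eip, so they cannot show whether the `movw %ax, *0xD07FE` emulated just before the trap changed the instruction bytes that objdump lists at d07fc and d07ff; dump a contiguous range (say 0xd07f0 to 0xd0810) in a loop with `%02x ` per byte instead. Also, `"0x%0x"` is a zero flag with no field width, so the value prints unpadded; use `0x%04x` for an `unsigned short`.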
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> here is the output:
> >>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>>>>>>>>> (XEN) HVM6: after write16 of movw
> >>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> >>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> >>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
> >>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> >>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>> (XEN) HVM6:
> >>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>>>>>>>>
> >>>>>>>>>>> objdump:
> >>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
> >>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>>>>>>>>> d0807: 89 ec mov %ebp,%esp
> >>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>>>>>>>>> d080c: 01 d0 add %edx,%eax
> >>>>>>>>>>> d080e: 5d pop %ebp
> >>>>>>>>>>>
> >>>>>>>>>>> It seems the memory is correct; it crashed in opcode(),
> >>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
> >>>>>>>>>>> fetch8(regs) in trap(), but it causes more traps and lets the hvm
> >>>>>>>>>>> guest be reset.
> >>>>>>>>>>>
> >>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> What would be useful is to try to add tracing to see how far
> >>>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
> >>>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
> >>>>>>>>>>>> might try adding extra printf() statements immediately after the
> >>>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
> >>>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
> >>>>>>>>>>>> to this bogus address d0800.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
> >>>>>>>>>>>> memory. This is particularly likely because, according to the
> >>>>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
> >>>>>>>>>>>> (it'd be an ADD of some sort).
> >>>>>>>>>>>>
> >>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
> >>>>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what
> >>>>>>>>>>>> objdump says should be there.
> >>>>>>>>>>>>
> >>>>>>>>>>>> -- Keir
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>> Xen-devel mailing list
> >>>>>>>>>>> Xen-devel@lists.xensource.com
> >>>>>>>>>>> http://lists.xensource.com/xen-devel
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
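The `write16(addr, MASK16(val))` instrumented in the quoted movr() hunk above is where an emulated real-mode store lands in memory, and the trace shows it landing at 0xD07FE, inside vmxassist itself. Added example, not vmxassist code nor anyone's code from this thread: a guarded 16-bit store that refuses a guest write whose target overlaps the emulator's own image, the check an emulator that shares its address space with the code it emulates needs so that mis-emulated (or hostile) guest code cannot overwrite the emulator. The image bounds EMU_IMAGE_START/EMU_IMAGE_END and the flat guest_mem array are assumptions standing in for linker-provided symbols and real guest memory.

```c
/* Added example (not vmxassist code): refuse emulated guest stores that
 * would land inside the emulator's own image. */
#include <stdint.h>
#include <stdio.h>

#define MASK16(v) ((v) & 0xFFFFu)

/* Assumed bounds of the emulator image in guest physical memory; placeholders
 * standing in for the start/end symbols a linker script would export. */
#define EMU_IMAGE_START 0xD0000u
#define EMU_IMAGE_END   0xD8000u

/* Stand-in for the guest's low memory: 1 MiB, zero-filled. */
static uint8_t guest_mem[1u << 20];

/* Does [addr, addr+len) intersect [EMU_IMAGE_START, EMU_IMAGE_END)?
 * The end is computed in 64 bits so an address near 4 GiB cannot wrap. */
static int hits_emulator(uint32_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)addr + len;
    return addr < EMU_IMAGE_END && end > EMU_IMAGE_START;
}

/* Emulated 16-bit store.  Returns 0 on success, -1 if the store is refused:
 * target inside the emulator image, or beyond the modelled memory. */
int guarded_write16(uint32_t addr, unsigned val)
{
    unsigned v = MASK16(val);
    if (hits_emulator(addr, 2)) {
        printf("refused guest write16 *0x%05x = 0x%04x: inside emulator image\n",
               (unsigned)addr, v);
        return -1;
    }
    if ((uint64_t)addr + 2 > sizeof guest_mem)
        return -1;
    guest_mem[addr]     = (uint8_t)(v & 0xFF);   /* little-endian, as the CPU would */
    guest_mem[addr + 1] = (uint8_t)(v >> 8);
    return 0;
}

/* Companion 16-bit load, for checking what a store left behind. */
unsigned read16(uint32_t addr)
{
    if ((uint64_t)addr + 2 > sizeof guest_mem)
        return 0xFFFFu;
    return guest_mem[addr] | ((unsigned)guest_mem[addr + 1] << 8);
}

int main(void)
{
    guarded_write16(0x7C00, 0xD00);     /* ordinary guest memory: allowed */
    printf("*0x7C00 = 0x%04x\n", read16(0x7C00));
    guarded_write16(0xD07FE, 0xD00);    /* the address the trace shows: refused */
    return 0;
}
```

Refusing rather than logging is the point: the trace above shows the store and then the trap one fetch later, whereas with this check in place the store would have been rejected (or the emulator halted with a clear message naming the address) before the clobbered bytes could be executed.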
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 12:12 ` Brady Chen
@ 2007-08-08 13:32 ` Keir Fraser
2007-08-08 14:52 ` Mats Petersson
2007-08-08 15:42 ` Brady Chen
0 siblings, 2 replies; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 13:32 UTC (permalink / raw)
To: Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Disassembled the interesting bit by hand:
D700: 66 03 DF add %edi,%ebx
D703: 66 83 C3 02 add $2,%ebx
D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
D70E: 66 49 dec %ecx
D710: 66 0B C9 or %ecx,%ecx
D713: 0F 84 17 00 jz 0xd72e
D717: 26 67 8B 03 mov %es:(%ebx),%ax
D71B: 26 67 89 07 mov %ax,%es:(%edi)
D71F: 66 83 C3 02 add $2,%ebx
D723: 66 81 C7 00 02 00 00 add $0x200,%edi
D72A: 66 49 dec %ecx
D72C: EB E2 jmp 0xd710
D72E: 66 61 popal
D730: 90 nop
D731: 1F pop %ds
D732: 07 pop %es
D733: C3 ret
It's a fairly odd copy loop! It'd be nice to get a register dump when
emulating this so that we can see e.g., what memory range is supposed to be
affected.
-- Keir
On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:
> Hi Keir,
> here is the memory dump from D680 ~ D780; how do I analyze it? Any tools? Thanks
>
> (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
>
>
> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>> Well, some bytes are already screwed at that point, so I'd try to do it
>> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
>> But yes, dumping by printf() is fine. Put address at start of line, and then
>> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
>>
>> -- Keir
>>
>> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
>>
>>> Thanks,
>>> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
>>> just printf in trap() of vmxassist?
>>>
>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>>> You could give that a try, but really it shouldn't be going at
>>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
>>>>
>>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
>>>> around 0xd680-0xd780? Then we could try and work out what the guest is
>>>> trying to execute, and see whether emulation is going wrong. A register
>>>> dump from the guest (dump_regs()) at the start of every call to opcode()
>>>> might also be useful.
>>>>
>>>> -- Keir
>>>>
>>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>
>>>>> Hi Keir,
>>>>> I think the 7th issue I mentioned is the root cause,
>>>>> so I have a question.
>>>>> For real mode simulation, is the simulator running in the same space
>>>>> as the code to be simulated? Then how do you protect the simulator from
>>>>> being modified by the to-be-simulated code?
>>>>>
>>>>> Can I change the address of vmxassist to a higher address, just to
>>>>> give more space to the to-be-simulated Windows?
>>>>>
>>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>> It's possible.
>>>>>> Any ideas on how to trace the function stack of a Xen guest, like the
>>>>>> "bt" command in gdb?
>>>>>>
>>>>>> I did some analysis:
>>>>>> 1. the call flow is opcode()->fetch8()->address()
>>>>>> 2. only the printf in address() will change the behaviour of the crash.
>>>>>> 3. and the crash EIP (0xD0800) is in address(), from the objdump.
>>>>>> 4. address() will be invoked more than 40,000 times in one
>>>>>> simulation, before the crash.
>>>>>> 5. it seems there is no recursive invocation in opcode(), fetch8(), address()
>>>>>> 6. from the output of "xen dmesg", before the crash, an instruction
>>>>>> sequence is simulated several times (you could check the previous
>>>>>> mails I sent for the "xen dmesg" output)
>>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
>>>>>> and "*0xD07FE" is just the address of address() (you could get
>>>>>> the objdump output from previous mails too), so I think it's the
>>>>>> simulation which corrupts the memory of address().
>>>>>>
>>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>> Stack corruption/overflow, possibly?
>>>>>>>
>>>>>>> K.
>>>>>>>
>>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>
>>>>>>>> Yes, the printfs are the only changes. Once I remove these prints, the
>>>>>>>> trap comes back, with the same EIP (D0800).
>>>>>>>>
>>>>>>>> I tried keeping the first two printfs; the trap comes with a different
>>>>>>>> EIP (D19FD):
>>>>>>>> static unsigned
>>>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
>>>>>>>> {
>>>>>>>>         uint64_t gdt_phys_base;
>>>>>>>>         unsigned long long entry;
>>>>>>>>         unsigned seg_base, seg_limit;
>>>>>>>>         unsigned entry_low, entry_high;
>>>>>>>>
>>>>>>>>         printf("f 1\n");
>>>>>>>>         if (seg == 0) {
>>>>>>>>                 if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
>>>>>>>>                         return off;
>>>>>>>>                 else
>>>>>>>>                         panic("segment is zero, but not in real mode!\n");
>>>>>>>>         }
>>>>>>>>
>>>>>>>>         printf("f 2\n");
>>>>>>>>
>>>>>>>> xen dmesg output:
>>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>>>> (XEN) HVM3: f 1
>>>>>>>> (XEN) HVM3: f 2
>>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
>>>>>>>> (XEN) HVM3: f 1
>>>>>>>> (XEN) HVM3: f 1
>>>>>>>> (XEN) HVM3: f 1
>>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
>>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
>>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
>>>>>>>> (XEN) HVM3: trapno 6 errno 0
>>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
>>>>>>>> (XEN) HVM3: uesp CFAE uss 0
>>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
>>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>> (XEN) HVM3:
>>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
>>>>>>>>
>>>>>>>>
>>>>>>>> and the objdump shows that:
>>>>>>>> 000d1970 <interrupt>:
>>>>>>>> d1970: 55 push %ebp
>>>>>>>> d1971: 89 e5 mov %esp,%ebp
>>>>>>>> d1973: 57 push %edi
>>>>>>>> d1974: 89 d7 mov %edx,%edi
>>>>>>>> d1976: 56 push %esi
>>>>>>>> ....
>>>>>>>> d19f8: 66 89 30 mov %si,(%eax)
>>>>>>>> d19fb: 31 d2 xor %edx,%edx
>>>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
>>>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
>>>>>>>> d1a0b: 89 d8 mov %ebx,%eax
>>>>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
>>>>>>>>
>>>>>>>>
>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>> Very weird. The emulations now aren't at the same address as before
>>>>>>>>> either (0xd4c3 rather than 0xd71b). Is the *only* difference that you
>>>>>>>>> added these printf()s -- is it at all possible that the guest is
>>>>>>>>> executing down a different path here for other reasons? If it's really
>>>>>>>>> down to the printf()s then I guess you'll have to shuffle/remove
>>>>>>>>> printf()s to get the old behaviour back.
>>>>>>>>>
>>>>>>>>> -- Keir
>>>>>>>>>
>>>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> It's strange:
>>>>>>>>>> if I add these prints, I get "Unknown opcode", not "trap".
>>>>>>>>>> ===added printfs
>>>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
>>>>>>>>>> +0100
>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007
>>>>>>>>>> +0800
>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>>>
>>>>>>>>>> #ifdef DEBUG
>>>>>>>>>> -int traceset = 0;
>>>>>>>>>> +int traceset = ~0;
>>>>>>>>>>
>>>>>>>>>> char *states[] = {
>>>>>>>>>> "<VM86_REAL>",
>>>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
>>>>>>>>>> unsigned seg_base, seg_limit;
>>>>>>>>>> unsigned entry_low, entry_high;
>>>>>>>>>>
>>>>>>>>>> + printf("f 1\n");
>>>>>>>>>> if (seg == 0) {
>>>>>>>>>> if (mode == VM86_REAL || mode ==
>>>>>>>>>> VM86_REAL_TO_PROTECTED)
>>>>>>>>>> return off;
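Review bot: `printf("f 1\n");` at the top of address() runs once per fetched byte, since fetch8() below calls address() for every fetch, which is why the output becomes so slow and noisy; if a marker is wanted here, include `seg`, `off` and `mode` in it so the line says which translation is in progress, otherwise the later `f 2`..`f 9` markers already locate the crash.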
>>>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
>>>>>>>>>> panic("segment is zero, but not in real
>>>>>>>>>> mode!\n");
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> + printf("f 2\n");
>>>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
>>>>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
>>>>>>>>>> return ((seg & 0xFFFF) << 4) + off;
>>>>>>>>>>
>>>>>>>>>> + printf("f 3\n");
>>>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
>>>>>>>>>> + printf("f 4\n");
>>>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
>>>>>>>>>> + printf("f 5\n");
>>>>>>>>>> printf("gdt base address above 4G\n");
>>>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3),
>>>>>>>>>> &entry);
>>>>>>>>>> } else
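Review bot: `printf("f 5\n");` sits immediately before the existing `printf("gdt base address above 4G\n");`, so it says nothing the next line does not already say; drop it. The `f 3`/`f 4` pair is the useful one in this hunk, since it isolates the guest_linear_to_phys() call.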
>>>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
>>>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
>>>>>>>>>> 0xFFFFFF);
>>>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
>>>>>>>>>>
>>>>>>>>>> + printf("f 6\n");
>>>>>>>>>> if (entry_high & 0x8000 &&
>>>>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
>>>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
>>>>>>>>>> return seg_base + off;
>>>>>>>>>> + printf("f 7\n");
>>>>>>>>>>
>>>>>>>>>> panic("should never reach here in function address():\n\t"
>>>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
>>>>>>>>>> offset=0x%08x\n",
>>>>>>>>>> entry_high, entry_low, mode, seg, off);
>>>>>>>>>> + printf("f 8\n");
>>>>>>>>>>
>>>>>>>>>> return 0;
>>>>>>>>>> }
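Review bot: `printf("f 8\n");` comes after `panic(...)`; if panic() halts, as its name and the `Halt called from %eip` lines in the output suggest, that marker can never print, any more than the existing `return 0;` can run. Move it in front of the panic() call if you want to know that the "should never reach here" path was taken.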
>>>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
>>>>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
>>>>>>>>>>
>>>>>>>>>> regs->eip++;
>>>>>>>>>> + printf("f 9\n");
>>>>>>>>>> return read8(addr);
>>>>>>>>>> }
>>>>>>>>>>
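Review bot: `printf("f 9\n");` is placed after `regs->eip++` and before `read8(addr)`, so it proves only that address() returned; print `addr` in it (`printf("f 9 addr=0x%x\n", addr);`), and note that `regs->eip` has already been incremented at that point, so any eip printed there is one past the byte being fetched. A second marker after read8() would separate a fault inside the read from a fault back in the caller.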
>>>>>>>>>> ===output when adding many printfs
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: f 9
>>>>>>>>>> (XEN) HVM12: f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: f 9
>>>>>>>>>> (XEN) HVM12: f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
>>>>>>>>>> (XEN) HVM12: f 2
>>>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
>>>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
>>>>>>>>>>
>>>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
>>>>>>>>>>> Hi, yes, it crashed in fetch8. It's very slow after I add this
>>>>>>>>>>> print info.
>>>>>>>>>>> The main function of fetch8 seems to be address(); it seems to have
>>>>>>>>>>> crashed in address().
>>>>>>>>>>>
>>>>>>>>>>> (XEN) HVM7: after write16 of movw
>>>>>>>>>>> (XEN) HVM7: top of opcode
>>>>>>>>>>> (XEN) HVM7: Before fetch8
>>>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
>>>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
>>>>>>>>>>> (XEN) HVM7: trapno D errno 0
>>>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
>>>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
>>>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
>>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>> (XEN) HVM7:
>>>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
>>>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
>>>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
>>>>>>>>>>> (XEN) HVM7: trapno 6 errno 0
>>>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
>>>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
>>>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
>>>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>> (XEN) HVM7:
>>>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
>>>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
>>>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>>>> How about trying:
>>>>>>>>>>>> printf("Before fetch8\n");
>>>>>>>>>>>> dump_regs(regs);
>>>>>>>>>>>> opc = fetch8(regs);
>>>>>>>>>>>> printf("After fetch8\n");
>>>>>>>>>>>> switch (opc) { ...
>>>>>>>>>>>>
>>>>>>>>>>>> This will let you see what eip is being fetched from, and also
>>>>>>>>>>>> confirm that the crash happens within fetch8().
>>>>>>>>>>>>
>>>>>>>>>>>> You could also try adding more printf()s inside fetch8() and
>>>>>>>>>>>> address() to find out which specific bit of fetch8() is crashing
>>>>>>>>>>>> (if that is indeed the function that is crashing).
>>>>>>>>>>>>
>>>>>>>>>>>> -- Keir
>>>>>>>>>>>>
>>>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi, Keir,
>>>>>>>>>>>> I made the change as you said:
>>>>>>>>>>>> change diff is:
>>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
>>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
>>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
>>>>>>>>>>>> +0100
>>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007
>>>>>>>>>>>> +0800
>>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
>>>>>>>>>>>> static struct regs saved_rm_regs;
>>>>>>>>>>>>
>>>>>>>>>>>> #ifdef DEBUG
>>>>>>>>>>>> -int traceset = 0;
>>>>>>>>>>>> +int traceset = ~0;
>>>>>>>>>>>>
>>>>>>>>>>>> char *states[] = {
>>>>>>>>>>>> "<VM86_REAL>",
>>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
>>>>>>>>>>>> TRACE((regs, regs->eip - eip,
>>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r],
>>>>>>>>>>>> addr));
>>>>>>>>>>>> write16(addr, MASK16(val));
>>>>>>>>>>>> + printf("after write16 of movw\n");
>>>>>>>>>>>> }
>>>>>>>>>>>> return 1;
>>>>>>>>>>>>
>>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
>>>>>>>>>>>> unsigned eip = regs->eip;
>>>>>>>>>>>> unsigned opc, modrm, disp;
>>>>>>>>>>>> unsigned prefix = 0;
>>>>>>>>>>>> + printf("top of opcode\n");
>>>>>>>>>>>>
>>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
>>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
>>>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
>>>>>>>>>>>> if (trapno == 14)
>>>>>>>>>>>> printf("Page fault address 0x%x\n",
>>>>>>>>>>>> get_cr2());
>>>>>>>>>>>> dump_regs(regs);
>>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
>>>>>>>>>>>> short*)0xd0800));
>>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
>>>>>>>>>>>> short*)0xd0804));
>>>>>>>>>>>> halt();
>>>>>>>>>>>> }
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> here is the output:
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
>>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
>>>>>>>>>>>> (XEN) HVM6: after write16 of movw
>>>>>>>>>>>> (XEN) HVM6: top of opcode
>>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
>>>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
>>>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
>>>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
>>>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
>>>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
>>>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
>>>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
>>>>>>>>>>>> (XEN) HVM6:
>>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
>>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
>>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
>>>>>>>>>>>>
>>>>>>>>>>>> objdump:
>>>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
>>>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
>>>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
>>>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
>>>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
>>>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
>>>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
>>>>>>>>>>>> d0807: 89 ec mov %ebp,%esp
>>>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
>>>>>>>>>>>> d080c: 01 d0 add %edx,%eax
>>>>>>>>>>>> d080e: 5d pop %ebp
>>>>>>>>>>>>
>>>>>>>>>>>> It seems the memory is correct; it crashed in opcode(),
>>>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
>>>>>>>>>>>> fetch8(regs) in trap(), but it causes more traps and lets the hvm
>>>>>>>>>>>> guest be reset.
>>>>>>>>>>>>
>>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
>>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> What would be useful is to try to add tracing to see how far
>>>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
>>>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
>>>>>>>>>>>> might try adding extra printf() statements immediately after the
>>>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
>>>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
>>>>>>>>>>>> to this bogus address d0800.
>>>>>>>>>>>>
>>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
>>>>>>>>>>>> memory. This is particularly likely because, according to the
>>>>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
>>>>>>>>>>>> (it'd be an ADD of some sort).
>>>>>>>>>>>>
>>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
>>>>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what
>>>>>>>>>>>> objdump says should be there.
>>>>>>>>>>>>
>>>>>>>>>>>> -- Keir
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
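Brady asks above how the 16-bytes-per-line dump can be analysed, and Keir disassembled the interesting stretch by hand. Added example, not Xen code nor anyone's code from this thread: a parser that turns those `(XEN) HVMn: 0xADDR: ...` lines back into a byte image so the bytes can be queried, written out for a disassembler, or checked against a hand disassembly; as a check it resolves the two branches of the copy loop. The four sample lines are a constructed copy of lines from the dump quoted above, IMAGE_BASE/IMAGE_SIZE come from the D680..D780 range discussed in the thread, and the `dump.bin` file name is an assumption.

```c
/* Added example (not Xen code): rebuild a byte image from the
 * "(XEN) HVMn: 0xADDR: b0 b1 ... b15" lines a printf() loop in vmxassist emits. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_BASE 0xD680u  /* first address covered by the dump in the thread */
#define IMAGE_SIZE 0x110u   /* 0xD680..0xD78F: 17 lines of 16 bytes */

static uint8_t image[IMAGE_SIZE];

/* Constructed sample: four lines copied from the dump quoted above;
 * "(XEN) HVM17:" is the prefix Xen's console logger adds. */
static const char SAMPLE_DUMP[] =
    "(XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49\n"
    "(XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66\n"
    "(XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61\n"
    "(XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3\n";

/* Parse one dump line into img[]; bytes outside [base, base+size) are ignored.
 * Returns the number of byte tokens on the line, or -1 when the line has no
 * "0x....:" address field and so is not a dump line at all. */
int parse_dump_line(const char *line, uint8_t *img, uint32_t base, size_t size)
{
    const char *p = strstr(line, "0x");
    if (p == NULL)
        return -1;
    char *end;
    unsigned long addr = strtoul(p, &end, 16);  /* base 16 accepts the 0x prefix */
    if (end == p || *end != ':')
        return -1;
    p = end + 1;

    int count = 0, used;
    char tok[3];
    /* Exactly two hex digits per token: a trace line such as "0xD00:0x04C3"
     * yields a one-digit token and stops the loop with count == 0. */
    while (sscanf(p, " %2[0-9a-fA-F]%n", tok, &used) == 1 && strlen(tok) == 2) {
        unsigned long off = addr + (unsigned long)count;
        if (off >= base && off - base < size)
            img[off - base] = (uint8_t)strtoul(tok, NULL, 16);
        count++;
        p += used;
    }
    return count;
}

/* Run every line of a captured log through parse_dump_line(). */
size_t load_dump(const char *log, uint8_t *img, uint32_t base, size_t size)
{
    size_t total = 0;
    char line[256];
    while (*log != '\0') {
        size_t len = strcspn(log, "\n");
        if (len >= sizeof line)
            len = sizeof line - 1;   /* real dump lines are far shorter */
        memcpy(line, log, len);
        line[len] = '\0';
        int n = parse_dump_line(line, img, base, size);
        if (n > 0)
            total += (size_t)n;
        log += strcspn(log, "\n");
        if (*log == '\n')
            log++;
    }
    return total;
}

size_t load_sample(void)
{
    return load_dump(SAMPLE_DUMP, image, IMAGE_BASE, IMAGE_SIZE);
}

/* Byte at a guest address, or 0x100 if the address is outside the image. */
unsigned image_byte(uint32_t addr)
{
    if (addr < IMAGE_BASE || addr - IMAGE_BASE >= IMAGE_SIZE)
        return 0x100u;
    return image[addr - IMAGE_BASE];
}

/* Target of a short jmp (EB rel8) or a jz (0F 84 rel16) at addr; 0 if neither
 * is there.  rel16, not rel32, because the copy loop runs in 16-bit real mode
 * and these two branches carry no 0x66 prefix. */
uint32_t branch_target(uint32_t addr)
{
    if (addr < IMAGE_BASE || addr - IMAGE_BASE + 4 > IMAGE_SIZE)
        return 0;
    const uint8_t *p = image + (addr - IMAGE_BASE);
    if (p[0] == 0xEB)
        return addr + 2 + (uint32_t)(int8_t)p[1];
    if (p[0] == 0x0F && p[1] == 0x84)
        return addr + 4 + (uint32_t)(int16_t)(p[2] | (p[3] << 8));
    return 0;
}

int main(void)
{
    printf("%zu bytes recovered\n", load_sample());
    printf("jz at D713 -> 0x%X, jmp at D72C -> 0x%X\n",
           (unsigned)branch_target(0xD713), (unsigned)branch_target(0xD72C));
    FILE *f = fopen("dump.bin", "wb");   /* raw bytes for objdump; name assumed */
    if (f != NULL) {
        fwrite(image, 1, IMAGE_SIZE, f);
        fclose(f);
    }
    return 0;
}
```

The two resolved targets (0xD72E for the `jz` at D713, 0xD710 for the `jmp` at D72C) match Keir's hand disassembly. For the full listing, `objdump -D -b binary -m i386 -M addr16,data16 --adjust-vma=0xd680 dump.bin` disassembles the written image as 16-bit code; the addr16/data16 options matter, because in 32-bit decoding the 0x66 prefixes on this loop would select 16-bit rather than 32-bit operands and the listing would come out wrong.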
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 13:32 ` Keir Fraser
@ 2007-08-08 14:52 ` Mats Petersson
2007-08-08 15:50 ` Brady Chen
2007-08-08 15:42 ` Brady Chen
1 sibling, 1 reply; 37+ messages in thread
From: Mats Petersson @ 2007-08-08 14:52 UTC (permalink / raw)
To: Keir Fraser, Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
At 14:32 08/08/2007, Keir Fraser wrote:
>Disassembled the interesting bit by hand:
>
>D700: 66 03 DF add %edi,%ebx
>D703: 66 83 C3 02 add $2,%ebx
>D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
>D70E: 66 49 dec %ecx
>D710: 66 0B C9 or %ecx,%ecx
>D713: 0F 84 17 00 jz 0xd72e
>D717: 26 67 8B 03 mov %es:(%ebx),%ax
>D71B: 26 67 89 07 mov %ax,%es:(%edi)
>D71F: 66 83 C3 02 add $2,%ebx
>D723: 66 81 C7 00 02 00 00 add $0x200,%edi
>D72A: 66 49 dec %ecx
>D72C: EB E2 jmp 0xd710
>D72E: 66 61 popal
>D730: 90 nop
>D731: 1F pop %ds
>D732: 07 pop %es
>D733: C3 ret
Any chance that the segment(s) involved are "big-real-mode"?
--
Mats
>It's a fairly odd copy loop! It'd be nice to get a register dump when
>emulating this so that we can see e.g., what memory range is supposed to be
>affected.
>
> -- Keir
>
>
>On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > here is the memory dump from D680 ~ D780; how do I analyze it? Any tools? Thanks
> >
> > (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> > (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> > (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> > (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> > (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> > (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> > (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> > (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> > (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> > (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> > (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> > (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> > (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> > (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> > (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> > (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> > (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
> >
> >
> > On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >> Well, some bytes are already screwed at that point, so I'd try to do it
> >> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> >> But yes, dumping by printf() is fine. Put address at start of line, and then
> >> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
> >>
> >> -- Keir
> >>
> >> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> Thanks,
> >>> can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> >>> just printf in trap() of vmxassist?
> >>>
> >>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>> You could give that a try, but really it shouldn't be going at
> >>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
> >>>>
> >>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> >>>> around 0xd680-0xd780? Then we could try and work out what the guest is
> >>>> trying to execute, and see whether emulation is going wrong. A register
> >>>> dump from the guest (dump_regs()) at the start of every call to opcode()
> >>>> might also be useful.
> >>>>
> >>>> -- Keir
> >>>>
> >>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>
> >>>>> Hi Keir,
> >>>>> I think the 7th issue I mentioned is the root cause,
> >>>>> so I have a question.
> >>>>> For real mode simulation, is the simulator running in the same space
> >>>>> as the code to be simulated? Then how do you protect the simulator from
> >>>>> being modified by the to-be-simulated code?
> >>>>>
> >>>>> Can I change the address of vmxassist to a higher address, just to
> >>>>> give more space to the to-be-simulated Windows?
> >>>>>
> >>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>> It's possible.
> >>>>>> Any ideas on how to trace the function stack of a Xen guest, like the
> >>>>>> "bt" command in gdb?
> >>>>>>
> >>>>>> I did some analysis:
> >>>>>> 1. the call flow is opcode()->fetch8()->address()
> >>>>>> 2. only the printf in address() will change the behaviour of the crash.
> >>>>>> 3. and the crash EIP (0xD0800) is in address(), from the objdump.
> >>>>>> 4. address() will be invoked more than 40,000 times in one
> >>>>>> simulation, before the crash.
> >>>>>> 5. it seems there is no recursive invocation in opcode(), fetch8(),
> >>>>>> address()
> >>>>>> 6. from the output of "xen dmesg", before the crash, an instruction
> >>>>>> sequence is simulated several times (you could check the previous
> >>>>>> mails I sent for the "xen dmesg" output)
> >>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >>>>>> and "*0xD07FE" is just the address of address() (you could get
> >>>>>> the objdump output from previous mails too), so I think it's the
> >>>>>> simulation which corrupts the memory of address().
> >>>>>>
> >>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> Stack corruption/overflow, possibly?
> >>>>>>>
> >>>>>>> K.
> >>>>>>>
> >>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Yes, the printfs are the only changes. Once I remove these prints, the
> >>>>>>>> trap comes back, with the same EIP (D0800).
> >>>>>>>>
> >>>>>>>> I tried keeping the first two printfs; the trap comes with a different
> >>>>>>>> EIP (D19FD):
> >>>>>>>> static unsigned
> >>>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>>>>>> {
> >>>>>>>>         uint64_t gdt_phys_base;
> >>>>>>>>         unsigned long long entry;
> >>>>>>>>         unsigned seg_base, seg_limit;
> >>>>>>>>         unsigned entry_low, entry_high;
> >>>>>>>>
> >>>>>>>>         printf("f 1\n");
> >>>>>>>>         if (seg == 0) {
> >>>>>>>>                 if (mode == VM86_REAL || mode == VM86_REAL_TO_PROTECTED)
> >>>>>>>>                         return off;
> >>>>>>>>                 else
> >>>>>>>>                         panic("segment is zero, but not in real mode!\n");
> >>>>>>>>         }
> >>>>>>>>
> >>>>>>>>         printf("f 2\n");
> >>>>>>>>
> >>>>>>>> xen dmesg output:
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 2
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>>>>>> (XEN) HVM3: trapno 6 errno 0
> >>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>>>>>> (XEN) HVM3: uesp CFAE uss 0
> >>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> >>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>> (XEN) HVM3:
> >>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> and the objdump shows that:
> >>>>>>>> 000d1970 <interrupt>:
> >>>>>>>> d1970: 55 push %ebp
> >>>>>>>> d1971: 89 e5 mov %esp,%ebp
> >>>>>>>> d1973: 57 push %edi
> >>>>>>>> d1974: 89 d7 mov %edx,%edi
> >>>>>>>> d1976: 56 push %esi
> >>>>>>>> ....
> >>>>>>>> d19f8: 66 89 30 mov %si,(%eax)
> >>>>>>>> d19fb: 31 d2 xor %edx,%edx
> >>>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> >>>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> >>>>>>>> d1a0b: 89 d8 mov %ebx,%eax
> >>>>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>> Very weird. The emulations now aren't at the same address as before either
> >>>>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> >>>>>>>>> printf()s -- is it at all possible that the guest is executing down a
> >>>>>>>>> different path here for other reasons? If it's really down to the printf()s
> >>>>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old
> >>>>>>>>> behaviour back.
> >>>>>>>>>
> >>>>>>>>> -- Keir
> >>>>>>>>>
> >>>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> It's strange:
> >>>>>>>>>> if I add these prints, I get "Unknown opcode", not "trap".
> >>>>>>>>>> ===added printf
> >>>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
> >>>>>>>>>> +0100
> >>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007
> >>>>>>>>>> +0800
> >>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>>
> >>>>>>>>>> #ifdef DEBUG
> >>>>>>>>>> -int traceset = 0;
> >>>>>>>>>> +int traceset = ~0;
> >>>>>>>>>>
> >>>>>>>>>> char *states[] = {
> >>>>>>>>>> "<VM86_REAL>",
> >>>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> unsigned seg_base, seg_limit;
> >>>>>>>>>> unsigned entry_low, entry_high;
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 1\n");
> >>>>>>>>>> if (seg == 0) {
> >>>>>>>>>> if (mode == VM86_REAL || mode ==
> >>>>>>>>>> VM86_REAL_TO_PROTECTED)
> >>>>>>>>>> return off;
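Review bot: the `printf("f 1\n")` added at the top of address() runs for every byte that fetch8() pulls through address(), so in the copy loop being emulated here it produces tens of thousands of lines (the thread itself counts more than 40,000 address() calls before the crash) and shifts the timing enough to move the trap; gate the print, for example on `off` being within a few bytes of the faulting eip or on a counter that prints only the last few calls, so the trace stays readable and the behaviour stays close to the unpatched run.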
> >>>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> panic("segment is zero, but not in real
> >>>>>>>>>> mode!\n");
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 2\n");
> >>>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> >>>>>>>>>> (mode == VM86_REAL_TO_PROTECTED &&
> regs->cs == seg))
> >>>>>>>>>> return ((seg & 0xFFFF) << 4) + off;
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 3\n");
> >>>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> >>>>>>>>>> + printf("f 4\n");
> >>>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> >>>>>>>>>> + printf("f 5\n");
> >>>>>>>>>> printf("gdt base address above 4G\n");
> >>>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3),
> >>>>>>>>>> &entry);
> >>>>>>>>>> } else
> >>>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
> >>>>>>>>>> 0xFFFFFF);
> >>>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 6\n");
> >>>>>>>>>> if (entry_high & 0x8000 &&
> >>>>>>>>>> ((entry_high & 0x800000 && off >> 12 <=
> seg_limit) ||
> >>>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
> >>>>>>>>>> return seg_base + off;
> >>>>>>>>>> + printf("f 7\n");
> >>>>>>>>>>
> >>>>>>>>>> panic("should never reach here in function address():\n\t"
> >>>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
> >>>>>>>>>> offset=0x%08x\n",
> >>>>>>>>>> entry_high, entry_low, mode, seg, off);
> >>>>>>>>>> + printf("f 8\n");
> >>>>>>>>>>
> >>>>>>>>>> return 0;
> >>>>>>>>>> }
> >>>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> >>>>>>>>>> unsigned addr = address(regs, regs->cs,
> MASK16(regs->eip));
> >>>>>>>>>>
> >>>>>>>>>> regs->eip++;
> >>>>>>>>>> + printf("f 9\n");
> >>>>>>>>>> return read8(addr);
> >>>>>>>>>> }
> >>>>>>>>>>
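Review bot: `printf("f 9\n")` only proves that address() returned; printing the value it returned, e.g. `printf("f 9 addr=0x%x\n", addr);`, would also show whether the fetch is about to read from the suspicious region around 0xd0800 before read8() touches it, which is the question this patch is trying to answer.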
> >>>>>>>>>> ===output when add many printf
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: f 9
> >>>>>>>>>> (XEN) HVM12: f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: f 9
> >>>>>>>>>> (XEN) HVM12: f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> >>>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> >>>>>>>>>>
> >>>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>>>>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print
> >>>>>>>>>> info.
> >>>>>>>>>> The main function of fetch8 seems to be address(); it seems to have crashed in
> >>>>>>>>>> address().
> >>>>>>>>>>>
> >>>>>>>>>>> (XEN) HVM7: after write16 of movw
> >>>>>>>>>>> (XEN) HVM7: top of opcode
> >>>>>>>>>>> (XEN) HVM7: Before fetch8
> >>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >>>>>>>>>> (XEN) HVM7: trapno D errno 0
> >>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
> >>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>> (XEN) HVM7:
> >>>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
> >>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >>>>>>>>>> (XEN) HVM7: trapno 6 errno 0
> >>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
> >>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>> (XEN) HVM7:
> >>>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> >>>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> >>>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>>>> How about trying:
> >>>>>>>>>>>> printf("Before fetch8\n");
> >>>>>>>>>>>> dump_regs(regs);
> >>>>>>>>>>>> opc = fetch8(regs);
> >>>>>>>>>>>> printf("After fetch8\n");
> >>>>>>>>>>>> switch (opc) { ...
> >>>>>>>>>>>>
> >>>>>>>>>>> This will let you see what eip is being fetched from, and also confirm that
> >>>>>>>>>>> the crash happens within fetch8().
> >>>>>>>>>>>
> >>>>>>>>>>> You could also try adding more printf()s inside fetch8() and address() to
> >>>>>>>>>>> find out which specific bit of fetch8() is crashing (if that is indeed the
> >>>>>>>>>>> function that is crashing).
> >>>>>>>>>>>>
> >>>>>>>>>>>> -- Keir
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi, Keir,
> >>>>>>>>>>>> I made the change as you said:
> >>>>>>>>>>>> change diff is:
> >>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
> >>>>>>>>>>>> +0100
> >>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007
> >>>>>>>>>>>> +0800
> >>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>>>>
> >>>>>>>>>>>> #ifdef DEBUG
> >>>>>>>>>>>> -int traceset = 0;
> >>>>>>>>>>>> +int traceset = ~0;
> >>>>>>>>>>>>
> >>>>>>>>>>>> char *states[] = {
> >>>>>>>>>>>> "<VM86_REAL>",
> >>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>>>>>>>>>> TRACE((regs, regs->eip - eip,
> >>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r],
> >>>>>>>>>>>> addr));
> >>>>>>>>>>>> write16(addr, MASK16(val));
> >>>>>>>>>>>> + printf("after write16 of movw\n");
> >>>>>>>>>>>> }
> >>>>>>>>>>>> return 1;
> >>>>>>>>>>>>
> >>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>>>>>>>>>> unsigned eip = regs->eip;
> >>>>>>>>>>>> unsigned opc, modrm, disp;
> >>>>>>>>>>>> unsigned prefix = 0;
> >>>>>>>>>>>> + printf("top of opcode\n");
> >>>>>>>>>>>>
> >>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
> >>>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>>>>>>>>>> if (trapno == 14)
> >>>>>>>>>>>> printf("Page fault address 0x%x\n",
> >>>>>>>>>>>> get_cr2());
> >>>>>>>>>>>> dump_regs(regs);
> >>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> >>>>>>>>>>>> short*)0xd0800));
> >>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> >>>>>>>>>>>> short*)0xd0804));
> >>>>>>>>>>>> halt();
> >>>>>>>>>>>> }
> >>>>>>>>>>>> }
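Review bot: the two reads at 0xd0800 and 0xd0804 skip the word at 0xd0802 and return only two 16-bit values instead of the 16 bytes asked for earlier in the thread, so they cannot be compared byte-for-byte with the objdump listing; loop over the range and print one `%02x` per byte (16 per line, address first). Also `"0x%0x"` carries a zero flag with no field width, so it does not pad; `"0x%04x"` would.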
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> here is the output:
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>>>>>>>>>> (XEN) HVM6: after write16 of movw
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> >>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> >>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
> >>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> >>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>>> (XEN) HVM6:
> >>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>>>>>>>>>
> >>>>>>>>>>>> objdump:
> >>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
> >>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>>>>>>>>> d0807: 89 ec mov %ebp,%esp
> >>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>>>>>>>>> d080c: 01 d0 add %edx,%eax
> >>>>>>>>>>> d080e: 5d pop %ebp
> >>>>>>>>>>>>
> >>>>>>>>>>> Seems the memory is correct; it crashed in opcode(),
> >>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
> >>>>>>>>>>> fetch8(regs) in trap(), but it causes more traps and lets the hvm guest
> >>>>>>>>>>> be reset.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>> What would be useful is to try to add tracing to see how far vmxassist gets
> >>>>>>>>>>> after its last line of tracing before the trap occurs. That last line is
> >>>>>>>>>>> currently from vm86.c, line 620. You might try adding extra printf()
> >>>>>>>>>>> statements immediately after the write16() on line 622, and also at the top
> >>>>>>>>>>> of the opcode() function. We need to find out at what point vmxassist is
> >>>>>>>>>>> jumping to this bogus address d0800.
> >>>>>>>>>>>>
> >>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in memory. This
> >>>>>>>>>>> is particularly likely because, according to the objdump, the 'instruction'
> >>>>>>>>>>> that starts at d0800 is actually valid (it'd be an ADD of some sort).
> >>>>>>>>>>>
> >>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at 0xd0800
> >>>>>>>>>>> and printf() them. So we can see if they match what objdump says should be
> >>>>>>>>>>> there.
> >>>>>>>>>>>>
> >>>>>>>>>>>> -- Keir
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> Xen-devel mailing list
> >>>>>>>>>>>> Xen-devel@lists.xensource.com
> >>>>>>>>>>>> http://lists.xensource.com/xen-devel
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>
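The address computation and the self-corruption question raised in the thread above, as an added example that is not vmxassist code: a C model of the real-mode `(seg << 4) + off` calculation that the quoted address() performs, paired with a guarded 16-bit store that refuses emulated writes landing inside the emulator's own image. The image range 0xD0000-0xDFFFF is an assumption inferred from the objdump addresses quoted in the thread, not a value the project publishes; the register values are replayed from the HVM7 dump above, not captured live.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed (not a project constant): the emulator's code and data occupy this
 * physical range, inferred from the objdump addresses in the thread
 * (address() around 0xd07xx, interrupt() at 0xd1970). End is exclusive. */
#define EMU_IMAGE_START 0xD0000u
#define EMU_IMAGE_END   0xE0000u

/* A 1 MiB model of guest physical memory, the real-mode address space. */
#define GUEST_MEM_SIZE (1u << 20)
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Real-mode linear address, as the quoted address() computes it for a
 * real-mode segment: (seg << 4) + off. With an addr32 prefix the offset is a
 * full 32-bit register, so a large %edi pushes the target far past the 64 KiB
 * window: es=0xD00, edi=0xC37FE gives 0xD07FE, inside the emulator image. */
static uint32_t real_mode_address(uint16_t seg, uint32_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* 1 if a store of len bytes at addr would touch the emulator image. */
static int overlaps_emulator(uint32_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)addr + len;      /* 64-bit: no wrap at 4 GiB */
    return addr < EMU_IMAGE_END && end > EMU_IMAGE_START;
}

/* Guarded write16: the emulated store is performed only when the target is
 * inside guest memory and outside the emulator image. Returns 0 on success
 * and -1 when refused; a real emulator would log the event and inject a
 * fault into the guest rather than silently overwrite its own code. */
static int guarded_write16(uint32_t addr, uint16_t val)
{
    if (addr >= GUEST_MEM_SIZE - 1 || overlaps_emulator(addr, 2)) {
        fprintf(stderr, "refused write16 to 0x%05x: outside guest RAM or inside emulator\n",
                (unsigned)addr);
        return -1;
    }
    guest_mem[addr]     = (uint8_t)(val & 0xFF);
    guest_mem[addr + 1] = (uint8_t)(val >> 8);
    return 0;
}

/* One iteration of the copy loop disassembled in the thread:
 *     mov %es:(%ebx),%ax
 *     mov %ax,%es:(%edi)
 * Returns the linear destination address on success, or 0xFFFFFFFF when the
 * store was refused, so the caller can see exactly where the write went. */
static uint32_t emulate_copy_word(uint16_t es, uint32_t ebx, uint32_t edi)
{
    uint32_t src = real_mode_address(es, ebx);
    uint32_t dst = real_mode_address(es, edi);
    uint16_t val = 0;

    if (src < GUEST_MEM_SIZE - 1)
        val = (uint16_t)(guest_mem[src] | (guest_mem[src + 1] << 8));
    if (guarded_write16(dst, val) != 0)
        return 0xFFFFFFFFu;
    return dst;
}

int main(void)
{
    /* Constructed inputs replaying the HVM7 register dump from the thread:
     * es=0xD00, ebx=0x404E, edi=0xC37FE just before the movw is emulated. */
    uint32_t dst = emulate_copy_word(0x0D00, 0x404E, 0xC37FE);
    printf("write landed at 0x%08x (0xffffffff = refused)\n", (unsigned)dst);

    /* A benign iteration with a small offset goes through. */
    dst = emulate_copy_word(0x0D00, 0x404E, 0x1FE);
    printf("write landed at 0x%08x\n", (unsigned)dst);
    return 0;
}
```

The check answers the question asked later in the thread (how the emulator is protected from the code it emulates): when emulator and guest share one physical address space, the only protection is a range check on every emulated store, and a refused store is the point at which to dump registers rather than after the emulator has already jumped into overwritten code.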
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 13:32 ` Keir Fraser
2007-08-08 14:52 ` Mats Petersson
@ 2007-08-08 15:42 ` Brady Chen
1 sibling, 0 replies; 37+ messages in thread
From: Brady Chen @ 2007-08-08 15:42 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
Hi, Keir, thanks for your patience.
I dumped the registers when eip is D71F; it seems to be a large buffer copy.
(XEN) HVM8: eax 7E80 ecx 2D1E edx 0 ebx 4048
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C31FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33206
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD03FE
(XEN) HVM8: eax 64FF ecx 2D1D edx 0 ebx 404A
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C33FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33206
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD05FE
(XEN) HVM8: eax A75 ecx 2D1C edx 0 ebx 404C
(XEN) HVM8: esp D7B74 ebp 1FF0 esi 7BE edi C35FE
(XEN) HVM8: trapno D errno 0
(XEN) HVM8: eip 71F cs D00 eflags 33202
(XEN) HVM8: uesp CFB4 uss 0
(XEN) HVM8: ves D00 vds D00 vfs 0 vgs 0
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) data32
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
(XEN) HVM8: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
(XEN) HVM8: 0x000F9BF7: 0xF000:0x9BF7 (0) opc 0xC3
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) %es:
(XEN) HVM8: 0x0000D71B: 0xD00:0x071B (0) addr32
(XEN) HVM8: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
(XEN) HVM8: Trap (0x6) while in real mode
(XEN) HVM8: eax D00 ecx D7B54 edx 71F ebx D7B54
(XEN) HVM8: esp D7A94 ebp D7AE0 esi D7A70 edi D00
(XEN) HVM8: trapno 6 errno 0
(XEN) HVM8: eip D0800 cs 10 eflags 13046
(XEN) HVM8: uesp D7B54 uss 2
(XEN) HVM8: ves D5178 vds D5246 vfs D07FE vgs D7AF4
(XEN) HVM8: cr0 50032 cr2 0 cr3 0 cr4 651
(XEN) HVM8:
(XEN) HVM8: Halt called from %eip 0xD037C
On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> Disassembled the interesting bit by hand:
>
> D700: 66 03 DF add %edi,%ebx
> D703: 66 83 C3 02 add $2,%ebx
> D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
> D70E: 66 49 dec %ecx
> D710: 66 0B C9 or %ecx,%ecx
> D713: 0F 84 17 00 jz 0xd72e
> D717: 26 67 8B 03 mov %es:(%ebx),%ax
> D71B: 26 67 89 07 mov %ax,%es:(%edi)
> D71F: 66 83 C3 02 add $2,%ebx
> D723: 66 81 C7 00 02 00 00 add $0x200,%edi
> D72A: 66 49 dec %ecx
> D72C: EB E2 jmp 0xd710
> D72E: 66 61 popal
> D730: 90 nop
> D731: 1F pop %ds
> D732: 07 pop %es
> D733: C3 ret
>
> It's a fairly odd copy loop! It'd be nice to get a register dump when
> emulating this so that we can see e.g., what memory range is supposed to be
> affected.
>
> -- Keir
>
>
> On 8/8/07 13:12, "Brady Chen" <chenchp@gmail.com> wrote:
>
> > Hi Keir,
> > Here is the memory dump from D680 ~ D780. How do I analyze it? Any tools? Thanks
> >
> > (XEN) HVM17: 0x0000D680: D2 0F 84 0B 00 66 8B FE 1E 07 66 8B C2 E8 71 03
> > (XEN) HVM17: 0x0000D690: 66 8B C6 66 5A 66 59 66 42 66 51 66 56 E8 3F 06
> > (XEN) HVM17: 0x0000D6A0: 66 85 C0 0F 84 BA FA 66 5E 66 59 66 8B FE 1E 07
> > (XEN) HVM17: 0x0000D6B0: E8 4E 03 66 8B C6 66 8B D9 66 59 66 5A 66 51 66
> > (XEN) HVM17: 0x0000D6C0: 56 66 D1 E9 E8 F8 FD 66 85 C0 0F 84 93 FA 66 5E
> > (XEN) HVM17: 0x0000D6D0: 66 59 66 03 E1 07 66 5F 66 59 66 8B D0 66 58 66
> > (XEN) HVM17: 0x0000D6E0: 5B 66 8B DA E9 F5 FE 06 1E 66 60 26 67 66 0F B7
> > (XEN) HVM17: 0x0000D6F0: 5F 04 26 67 66 0F B7 4F 06 66 0B C9 0F 84 61 FA
> > (XEN) HVM17: 0x0000D700: 66 03 DF 66 83 C3 02 66 81 C7 FE 01 00 00 66 49
> > (XEN) HVM17: 0x0000D710: 66 0B C9 0F 84 17 00 26 67 8B 03 26 67 89 07 66
> > (XEN) HVM17: 0x0000D720: 83 C3 02 66 81 C7 00 02 00 00 66 49 EB E2 66 61
> > (XEN) HVM17: 0x0000D730: 90 1F 07 C3 06 1E 66 60 66 B8 01 00 00 00 66 A3
> > (XEN) HVM17: 0x0000D740: 1E 02 66 A1 1A 02 66 03 06 52 02 66 A3 5A 02 66
> > (XEN) HVM17: 0x0000D750: 03 06 52 02 66 A3 4A 02 66 A1 30 00 66 0F B6 1E
> > (XEN) HVM17: 0x0000D760: 0D 00 66 F7 E3 66 8B 1E 4A 02 66 89 07 66 A3 10
> > (XEN) HVM17: 0x0000D770: 00 83 C3 04 66 A1 56 02 66 89 07 A3 0E 00 83 C3
> > (XEN) HVM17: 0x0000D780: 04 66 89 1E 4A 02 66 8B 1E 1A 02 1E 07 E8 37 F9
> >
> >
> > On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >> Well, some bytes are already screwed at that point, so I'd try to do it
> >> earlier (e.g., when you are emulating one of the earlier MOVs, for example).
> >> But yes, dumping by printf() is fine. Put address at start of line, and then
> >> dump 16 bytes as "%02x ". Should end up with 16 lines of 16 bytes each.
> >>
> >> -- Keir
> >>
> >> On 8/8/07 10:38, "Brady Chen" <chenchp@gmail.com> wrote:
> >>
> >>> Thanks.
> >>> Can you show me a way to dump bytes around 0xd680 ~ 0xd780?
> >>> Just printf in trap() of vmxassist?
> >>>
> >>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>> You could give that a try, but really it shouldn't be going at
> >>>> 0xc0000-0x100000 at all. There are usually ROM images residing there.
> >>>>
> >>>> This is more likely to be a mis-emulation. Can you get a dump of the bytes
> >>>> around 0xd680-0xd780? Then we could try and work out what the guest is
> >>>> trying to execute, and see whether emulation is going wrong. A register dump
> >>>> from the guest (dump_regs()) at the start of every call to opcode() might
> >>>> also be useful.
> >>>>
> >>>> -- Keir
> >>>>
> >>>> On 8/8/07 09:25, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>
> >>>>> Hi Keir,
> >>>>> I think the 7th issue I mentioned is the root cause,
> >>>>> so I have a question.
> >>>>> For real mode simulation, is the simulator running in the same space
> >>>>> as the code to be simulated? Then how is the simulator protected from
> >>>>> being modified by the to-be-simulated code?
> >>>>>
> >>>>> Can I change the address of vmxassist to a higher address? Just to try to
> >>>>> give more space to the to-be-simulated windows.
> >>>>>
> >>>>> On 8/8/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>> It's possible.
> >>>>>> Any ideas how to trace the function stack of a xen guest, like the "bt" command in
> >>>>>> gdb?
> >>>>>>
> >>>>>> I did some analysis:
> >>>>>> 1. the call flow is opcode()->fetch8()->address()
> >>>>>> 2. only the printf in address() will change the behavior of the crash.
> >>>>>> 3. and the crash EIP (0xD0800) is in the address() from the objdump.
> >>>>>> 4. the address() will be invoked more than 40,000 times in one
> >>>>>> simulation, before the crash.
> >>>>>> 5. seems there is no recursive invoking in opcode(), fetch8(), address()
> >>>>>> 6. from the output of "xen dmesg", before the crash, an instruction
> >>>>>> sequence is simulated several times (you could check the previous
> >>>>>> mails I sent for "xen dmesg" output)
> >>>>>> 7. before the trap, the simulated instruction is "movw %ax, *0xD07FE",
> >>>>>> and "*0xD07FE" is just the address of address() (you could get
> >>>>>> the objdump output from previous mails too), so I think it's the
> >>>>>> simulation which crashes the memory of address().
> >>>>>>
> >>>>>> On 8/8/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>> Stack corruption/overflow, possibly?
> >>>>>>>
> >>>>>>> K.
> >>>>>>>
> >>>>>>> On 7/8/07 17:06, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Yes, the printfs are the only changes. once I remove these prints, the
> >>>>>>>> trap comes back, with the same EIP (D0800)
> >>>>>>>>
> >>>>>>>> I tried to keep the first two printfs, the trap comes with different
> >>>>>>>> EIP(D19FD)
> >>>>>>>> static unsigned
> >>>>>>>> address(struct regs *regs, unsigned seg, unsigned off)
> >>>>>>>> {
> >>>>>>>> uint64_t gdt_phys_base;
> >>>>>>>> unsigned long long entry;
> >>>>>>>> unsigned seg_base, seg_limit;
> >>>>>>>> unsigned entry_low, entry_high;
> >>>>>>>>
> >>>>>>>> printf("f 1\n");
> >>>>>>>> if (seg == 0) {
> >>>>>>>> if (mode == VM86_REAL || mode ==
> >>>>>>>> VM86_REAL_TO_PROTECTED)
> >>>>>>>> return off;
> >>>>>>>> else
> >>>>>>>> panic("segment is zero, but not in real
> >>>>>>>> mode!\n");
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> printf("f 2\n");
> >>>>>>>>
> >>>>>>>> xen dmesg output:
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 2
> >>>>>>>> (XEN) HVM3: 0x0000D71F: 0xD00:0x071F (0) external interrupt 8
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: f 1
> >>>>>>>> (XEN) HVM3: Trap (0x6) while in real mode
> >>>>>>>> (XEN) HVM3: eax CFAE ecx 0 edx 0 ebx D75B4
> >>>>>>>> (XEN) HVM3: esp D7564 ebp D75A0 esi 71F edi 8
> >>>>>>>> (XEN) HVM3: trapno 6 errno 0
> >>>>>>>> (XEN) HVM3: eip D19FD cs 10 eflags 13046
> >>>>>>>> (XEN) HVM3: uesp CFAE uss 0
> >>>>>>>> (XEN) HVM3: ves D4C44 vds 8 vfs 83 vgs 71F
> >>>>>>>> (XEN) HVM3: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>> (XEN) HVM3:
> >>>>>>>> (XEN) HVM3: Halt called from %eip 0xD037C
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> and the objdump shows that:
> >>>>>>>> 000d1970 <interrupt>:
> >>>>>>>> d1970: 55 push %ebp
> >>>>>>>> d1971: 89 e5 mov %esp,%ebp
> >>>>>>>> d1973: 57 push %edi
> >>>>>>>> d1974: 89 d7 mov %edx,%edi
> >>>>>>>> d1976: 56 push %esi
> >>>>>>>> ....
> >>>>>>>> d19f8: 66 89 30 mov %si,(%eax)
> >>>>>>>> d19fb: 31 d2 xor %edx,%edx
> >>>>>>>> d19fd: 8d 34 bd 00 00 00 00 lea 0x0(,%edi,4),%esi
> >>>>>>>> d1a04: 81 63 30 ff fd ff ff andl $0xfffffdff,0x30(%ebx)
> >>>>>>>> d1a0b: 89 d8 mov %ebx,%eax
> >>>>>>>> d1a0d: 89 34 24 mov %esi,(%esp)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>> Very weird. The emulations now aren't at the same address as before either
> >>>>>>>>> (0xd4c3 rather than 0xd71b). Is the *only* difference that you added these
> >>>>>>>>> printf()s -- is it at all possible that the guest is executing down a
> >>>>>>>>> different path here for other reasons? If it's really down to the printf()s
> >>>>>>>>> then I guess you'll have to shuffle/remove printf()s to get the old
> >>>>>>>>> behaviour back.
> >>>>>>>>>
> >>>>>>>>> -- Keir
> >>>>>>>>>
> >>>>>>>>> On 7/8/07 12:35, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> It's strange:
> >>>>>>>>>> if I add these prints, I get "Unknown opcode", not "trap".
> >>>>>>>>>> ===added printf
> >>>>>>>>>> [root@localhost firmware]# hg diff -p vmxassist/vm86.c
> >>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
> >>>>>>>>>> +0100
> >>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 19:33:55 2007
> >>>>>>>>>> +0800
> >>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>>
> >>>>>>>>>> #ifdef DEBUG
> >>>>>>>>>> -int traceset = 0;
> >>>>>>>>>> +int traceset = ~0;
> >>>>>>>>>>
> >>>>>>>>>> char *states[] = {
> >>>>>>>>>> "<VM86_REAL>",
> >>>>>>>>>> @@ -128,6 +128,7 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> unsigned seg_base, seg_limit;
> >>>>>>>>>> unsigned entry_low, entry_high;
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 1\n");
> >>>>>>>>>> if (seg == 0) {
> >>>>>>>>>> if (mode == VM86_REAL || mode ==
> >>>>>>>>>> VM86_REAL_TO_PROTECTED)
> >>>>>>>>>> return off;
> >>>>>>>>>> @@ -135,12 +136,16 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> panic("segment is zero, but not in real
> >>>>>>>>>> mode!\n");
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 2\n");
> >>>>>>>>>> if (mode == VM86_REAL || seg > oldctx.gdtr_limit ||
> >>>>>>>>>> (mode == VM86_REAL_TO_PROTECTED && regs->cs == seg))
> >>>>>>>>>> return ((seg & 0xFFFF) << 4) + off;
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 3\n");
> >>>>>>>>>> gdt_phys_base = guest_linear_to_phys(oldctx.gdtr_base);
> >>>>>>>>>> + printf("f 4\n");
> >>>>>>>>>> if (gdt_phys_base != (uint32_t)gdt_phys_base) {
> >>>>>>>>>> + printf("f 5\n");
> >>>>>>>>>> printf("gdt base address above 4G\n");
> >>>>>>>>>> cpuid_addr_value(gdt_phys_base + 8 * (seg >> 3),
> >>>>>>>>>> &entry);
> >>>>>>>>>> } else
> >>>>>>>>>> @@ -152,14 +157,17 @@ address(struct regs *regs, unsigned seg,
> >>>>>>>>>> seg_base = (entry_high & 0xFF000000) | ((entry >> 16) &
> >>>>>>>>>> 0xFFFFFF);
> >>>>>>>>>> seg_limit = (entry_high & 0xF0000) | (entry_low & 0xFFFF);
> >>>>>>>>>>
> >>>>>>>>>> + printf("f 6\n");
> >>>>>>>>>> if (entry_high & 0x8000 &&
> >>>>>>>>>> ((entry_high & 0x800000 && off >> 12 <= seg_limit) ||
> >>>>>>>>>> (!(entry_high & 0x800000) && off <= seg_limit)))
> >>>>>>>>>> return seg_base + off;
> >>>>>>>>>> + printf("f 7\n");
> >>>>>>>>>>
> >>>>>>>>>> panic("should never reach here in function address():\n\t"
> >>>>>>>>>> "entry=0x%08x%08x, mode=%d, seg=0x%08x,
> >>>>>>>>>> offset=0x%08x\n",
> >>>>>>>>>> entry_high, entry_low, mode, seg, off);
> >>>>>>>>>> + printf("f 8\n");
> >>>>>>>>>>
> >>>>>>>>>> return 0;
> >>>>>>>>>> }
> >>>>>>>>>> @@ -286,6 +294,7 @@ fetch8(struct regs *regs)
> >>>>>>>>>> unsigned addr = address(regs, regs->cs, MASK16(regs->eip));
> >>>>>>>>>>
> >>>>>>>>>> regs->eip++;
> >>>>>>>>>> + printf("f 9\n");
> >>>>>>>>>> return read8(addr);
> >>>>>>>>>> }
> >>>>>>>>>>
> >>>>>>>>>> ===output when add many printf
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) addr32addr32f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: f 9
> >>>>>>>>>> (XEN) HVM12: f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) data32data32f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: f 9
> >>>>>>>>>> (XEN) HVM12: f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: 0x0000D4C3: 0xD00:0x04C3 (0) opc 0x83opc 0xD7704f 1
> >>>>>>>>>> (XEN) HVM12: f 2
> >>>>>>>>>> (XEN) HVM12: Unknown opcode at 0D00:04C3=0xD4C3
> >>>>>>>>>> (XEN) HVM12: Halt called from %eip 0xD3B4A
> >>>>>>>>>>
> >>>>>>>>>> On 8/7/07, Brady Chen <chenchp@gmail.com> wrote:
> >>>>>>>>>> Hi, yes, it crashed in fetch8. It's very slow after I add this print info.
> >>>>>>>>>> The main function of fetch8 seems to be address(); it seems to have crashed in
> >>>>>>>>>> address().
> >>>>>>>>>>>
> >>>>>>>>>>> (XEN) HVM7: after write16 of movw
> >>>>>>>>>>> (XEN) HVM7: top of opcode
> >>>>>>>>>>> (XEN) HVM7: Before fetch8
> >>>>>>>>>> (XEN) HVM7: eax 7E80 ecx 2D1B edx 0 ebx 404E
> >>>>>>>>>> (XEN) HVM7: esp D76F4 ebp 1FF0 esi 7BE edi C37FE
> >>>>>>>>>> (XEN) HVM7: trapno D errno 0
> >>>>>>>>>> (XEN) HVM7: eip 71F cs D00 eflags 33206
> >>>>>>>>>> (XEN) HVM7: uesp CFB4 uss 0
> >>>>>>>>>> (XEN) HVM7: ves D00 vds D00 vfs 0 vgs 0
> >>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>> (XEN) HVM7:
> >>>>>>>>>>> (XEN) HVM7: Trap (0x6) while in real mode
> >>>>>>>>>> (XEN) HVM7: eax D00 ecx 0 edx 71F ebx 89
> >>>>>>>>>> (XEN) HVM7: esp D75E4 ebp D7630 esi D7620 edi D00
> >>>>>>>>>> (XEN) HVM7: trapno 6 errno 0
> >>>>>>>>>> (XEN) HVM7: eip D0800 cs 10 eflags 13046
> >>>>>>>>>> (XEN) HVM7: uesp 71F uss D76D4
> >>>>>>>>>> (XEN) HVM7: ves D7610 vds D3AB9 vfs D762C vgs D7644
> >>>>>>>>>> (XEN) HVM7: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>> (XEN) HVM7:
> >>>>>>>>>>> (XEN) HVM7: 0xd0800 is 0xFFFF
> >>>>>>>>>>> (XEN) HVM7: 0xd0804 is 0x7D8B
> >>>>>>>>>>> (XEN) HVM7: Halt called from %eip 0xD037C
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>>>> How about trying:
> >>>>>>>>>>>> printf("Before fetch8\n");
> >>>>>>>>>>>> dump_regs(regs);
> >>>>>>>>>>>> opc = fetch8(regs);
> >>>>>>>>>>>> printf("After fetch8\n");
> >>>>>>>>>>>> switch (opc) { ...
> >>>>>>>>>>>>
> >>>>>>>>>>> This will let you see what eip is being fetched from, and also confirm that
> >>>>>>>>>>> the crash happens within fetch8().
> >>>>>>>>>>>
> >>>>>>>>>>> You could also try adding more printf()s inside fetch8() and address() to
> >>>>>>>>>>> find out which specific bit of fetch8() is crashing (if that is indeed the
> >>>>>>>>>>> function that is crashing).
> >>>>>>>>>>>>
> >>>>>>>>>>>> -- Keir
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 7/8/07 11:30, "Brady Chen" <chenchp@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi, Keir,
> >>>>>>>>>>>> I made the change as you said:
> >>>>>>>>>>>> change diff is:
> >>>>>>>>>>>> [root@localhost firmware]# hg diff vmxassist/vm86.c
> >>>>>>>>>>>> diff -r 6f18f5bdeea3 tools/firmware/vmxassist/vm86.c
> >>>>>>>>>>>> --- a/tools/firmware/vmxassist/vm86.c Mon Aug 06 15:33:42 2007
> >>>>>>>>>>>> +0100
> >>>>>>>>>>>> +++ b/tools/firmware/vmxassist/vm86.c Tue Aug 07 18:26:12 2007
> >>>>>>>>>>>> +0800
> >>>>>>>>>>>> @@ -40,7 +40,7 @@ static struct regs saved_rm_regs;
> >>>>>>>>>>>> static struct regs saved_rm_regs;
> >>>>>>>>>>>>
> >>>>>>>>>>>> #ifdef DEBUG
> >>>>>>>>>>>> -int traceset = 0;
> >>>>>>>>>>>> +int traceset = ~0;
> >>>>>>>>>>>>
> >>>>>>>>>>>> char *states[] = {
> >>>>>>>>>>>> "<VM86_REAL>",
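Review bot: `int traceset = ~0;` switches on every trace class at once rather than the one of interest, which is acceptable for a throwaway debugging build but should not be committed; note also that it sits under `#ifdef DEBUG`, so the change only takes effect when vmxassist is built with DEBUG defined.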
> >>>>>>>>>>>> @@ -620,6 +620,7 @@ movr(struct regs *regs, unsigned prefix,
> >>>>>>>>>>>> TRACE((regs, regs->eip - eip,
> >>>>>>>>>>>> "movw %%%s, *0x%x", rnames[r],
> >>>>>>>>>>>> addr));
> >>>>>>>>>>>> write16(addr, MASK16(val));
> >>>>>>>>>>>> + printf("after write16 of movw\n");
> >>>>>>>>>>>> }
> >>>>>>>>>>>> return 1;
> >>>>>>>>>>>>
> >>>>>>>>>>>> @@ -1305,6 +1306,7 @@ opcode(struct regs *regs)
> >>>>>>>>>>>> unsigned eip = regs->eip;
> >>>>>>>>>>>> unsigned opc, modrm, disp;
> >>>>>>>>>>>> unsigned prefix = 0;
> >>>>>>>>>>>> + printf("top of opcode\n");
> >>>>>>>>>>>>
> >>>>>>>>>>>> if (mode == VM86_PROTECTED_TO_REAL &&
> >>>>>>>>>>>> oldctx.cs_arbytes.fields.default_ops_size) {
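Review bot: the `printf("top of opcode\n")` added at the top of opcode() records that the function was entered but not where it is about to fetch from; since `unsigned eip = regs->eip;` is assigned just above it, printing `regs->eip` and `regs->cs` in the same line would show the address fetch8() is about to read before the trap fires, which a bare "top of opcode" line cannot tell you.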
> >>>>>>>>>>>> @@ -1712,6 +1714,8 @@ trap(int trapno, int errno, struct regs
> >>>>>>>>>>>> if (trapno == 14)
> >>>>>>>>>>>> printf("Page fault address 0x%x\n",
> >>>>>>>>>>>> get_cr2());
> >>>>>>>>>>>> dump_regs(regs);
> >>>>>>>>>>>> + printf("0xd0800 is 0x%0x\n", *((unsigned
> >>>>>>>>>>>> short*)0xd0800));
> >>>>>>>>>>>> + printf("0xd0804 is 0x%0x\n", *((unsigned
> >>>>>>>>>>>> short*)0xd0804));
> >>>>>>>>>>>> halt();
> >>>>>>>>>>>> }
> >>>>>>>>>>>> }
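Review bot: the two added reads in trap() cover only 0xd0800-0xd0801 and 0xd0804-0xd0805, so bytes 0xd0802-0xd0803 are never shown, and the `%0x` conversion has no effect because the `0` flag needs a field width; a loop over the 16 bytes from 0xd0800 printing each as `%02x`, as suggested earlier in the thread, would give a complete view that lines up directly against the objdump listing.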
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> here is the output:
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) data32
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71F: 0xD00:0x071F (0) opc 0x83
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) %es:
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71B: 0xD00:0x071B (0) addr32
> >>>>>>>>>>>> (XEN) HVM6: 0x0000D71D: 0xD00:0x071D (0) movw %ax, *0xD07FE
> >>>>>>>>>>>> (XEN) HVM6: after write16 of movw
> >>>>>>>>>>>> (XEN) HVM6: top of opcode
> >>>>>>>>>>>> (XEN) HVM6: Trap (0x6) while in real mode
> >>>>>>>>>>>> (XEN) HVM6: eax D00 ecx 0 edx 71F ebx 71E
> >>>>>>>>>>>> (XEN) HVM6: esp D7554 ebp D75A0 esi D7590 edi D00
> >>>>>>>>>>>> (XEN) HVM6: trapno 6 errno 0
> >>>>>>>>>>>> (XEN) HVM6: eip D0800 cs 10 eflags 13046
> >>>>>>>>>>>> (XEN) HVM6: uesp D4C29 uss 2
> >>>>>>>>>>>> (XEN) HVM6: ves D4C18 vds D4D9C vfs D07FE vgs D75B4
> >>>>>>>>>>>> (XEN) HVM6: cr0 50032 cr2 0 cr3 0 cr4 651
> >>>>>>>>>>>> (XEN) HVM6:
> >>>>>>>>>>>> (XEN) HVM6: 0xd0800 is 0xFFFF
> >>>>>>>>>>>> (XEN) HVM6: 0xd0804 is 0x7D8B
> >>>>>>>>>>>> (XEN) HVM6: Halt called from %eip 0xD037C
> >>>>>>>>>>>>
> >>>>>>>>>>>> objdump:
> >>>>>>>>>>>> d07ef: e9 2f ff ff ff jmp d0723 <address+0x23>
> >>>>>>>>>>>> d07f4: 8b 55 08 mov 0x8(%ebp),%edx
> >>>>>>>>>>>> d07f7: 89 f8 mov %edi,%eax
> >>>>>>>>>>>> d07f9: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
> >>>>>>>>>>>> d07fc: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
> >>>>>>>>>>>> d07ff: 25 ff ff 00 00 and $0xffff,%eax
> >>>>>>>>>>>> d0804: 8b 7d fc mov 0xfffffffc(%ebp),%edi
> >>>>>>>>>>>> d0807: 89 ec mov %ebp,%esp
> >>>>>>>>>>>> d0809: c1 e0 04 shl $0x4,%eax
> >>>>>>>>>>>> d080c: 01 d0 add %edx,%eax
> >>>>>>>>>>>> d080e: 5d pop %ebp
> >>>>>>>>>>>>
> >>>>>>>>>>>> Seems the memory is correct; it crashed in opcode(),
> >>>>>>>>>>>> and I think it's fetch8(regs) which crashes the system. I tried
> >>>>>>>>>>>> fetch8(regs) in trap(), but it caused more traps and let the hvm
> >>>>>>>>>>>> guest be reset.
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 8/7/07, Keir Fraser <keir@xensource.com> wrote:
> >>>>>>>>>>>> On 7/8/07 10:29, "Keir Fraser" <keir@xensource.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> What would be useful is to try to add tracing to see how far
> >>>>>>>>>>>> vmxassist gets after its last line of tracing before the trap
> >>>>>>>>>>>> occurs. That last line is currently from vm86.c, line 620. You
> >>>>>>>>>>>> might try adding extra printf() statements immediately after the
> >>>>>>>>>>>> write16() on line 622, and also at the top of the opcode()
> >>>>>>>>>>>> function. We need to find out at what point vmxassist is jumping
> >>>>>>>>>>>> to this bogus address d0800.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Oh, another possibility is that vmxassist has been corrupted in
> >>>>>>>>>>>> memory. This is particularly likely because, according to the
> >>>>>>>>>>>> objdump, the 'instruction' that starts at d0800 is actually valid
> >>>>>>>>>>>> (it'd be an ADD of some sort).
> >>>>>>>>>>>>
> >>>>>>>>>>>> So, within trap() you might want to read say 16 bytes starting at
> >>>>>>>>>>>> 0xd0800 and printf() them. So we can see if they match what
> >>>>>>>>>>>> objdump says should be there.
> >>>>>>>>>>>>
> >>>>>>>>>>>> -- Keir
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> Xen-devel mailing list
> >>>>>>>>>>>> Xen-devel@lists.xensource.com
> >>>>>>>>>>>> http://lists.xensource.com/xen-devel
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 14:52 ` Mats Petersson
@ 2007-08-08 15:50 ` Brady Chen
2007-08-08 16:19 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-08 15:50 UTC (permalink / raw)
To: Mats Petersson; +Cc: Z24, tygrawy, xen-devel, Keir Fraser, AL.LINUX
"big-real-mode"? Is it something related to PAE? My CPU is an Intel
T2400, Centrino Duo.
Thanks
[root@localhost firmware]# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
stepping : 8
cpu MHz : 1828.831
cache size : 2048 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc pni
monitor vmx est tm2 xtpr
bogomips : 3660.35
processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 14
model name : Genuine Intel(R) CPU T2400 @ 1.83GHz
stepping : 8
cpu MHz : 1828.831
cache size : 2048 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu tsc msr pae mce cx8 apic mtrr mca cmov pat
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc up pni
monitor vmx est tm2 xtpr
bogomips : 3660.35
On 8/8/07, Mats Petersson <mats@planetcatfish.com> wrote:
> At 14:32 08/08/2007, Keir Fraser wrote:
> >Disassembled the interesting bit by hand:
> >
> >D700: 66 03 DF add %edi,%ebx
> >D703: 66 83 C3 02 add $2,%ebx
> >D707: 66 81 C7 FE 01 00 00 add $0x1fe,%edi
> >D70E: 66 49 dec %ecx
> >D710: 66 0B C9 or %ecx,%ecx
> >D713: 0F 84 17 00 jz 0xd72e
> >D717: 26 67 8B 03 mov %es:(%ebx),%ax
> >D71B: 26 67 89 07 mov %ax,%es:(%edi)
> >D71F: 66 83 C3 02 add $2,%ebx
> >D723: 66 81 C7 00 02 00 00 add $0x200,%edi
> >D72A: 66 49 dec %ecx
> >D72C: EB E2 jmp 0xd710
> >D72E: 66 61 popal
> >D730: 90 nop
> >D731: 1F pop %ds
> >D732: 07 pop %es
> >D733: C3 ret
>
>
> Any chance that the segment(s) involved are "big-real-mode"?
>
> --
> Mats
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 15:50 ` Brady Chen
@ 2007-08-08 16:19 ` Keir Fraser
2007-08-08 17:45 ` Mats Petersson
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 16:19 UTC (permalink / raw)
To: Brady Chen, Mats Petersson; +Cc: Keir Fraser, tygrawy, xen-devel, Z24, AL.LINUX
No, it's a processor mode halfway between real mode and protected mode which
all x86 processors support, but which vmxassist is really rather bad at
handling. If this is a big-real-mode copy loop then that might explain why
the loop is executing so bizarrely, and may mean you are out of luck until
we retire vmxassist.
-- Keir
On 8/8/07 16:50, "Brady Chen" <chenchp@gmail.com> wrote:
> "big-real-mode"? is it something related to PAE? my CPU is Intel
> T2400, Centrino Duo
> thanks
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 16:19 ` Keir Fraser
@ 2007-08-08 17:45 ` Mats Petersson
2007-08-08 20:26 ` Keir Fraser
0 siblings, 1 reply; 37+ messages in thread
From: Mats Petersson @ 2007-08-08 17:45 UTC (permalink / raw)
To: Brady Chen; +Cc: Keir Fraser, tygrawy, xen-devel, Z24, AL.LINUX
At 17:19 08/08/2007, Keir Fraser wrote:
>No, it's a processor mode halfway between real mode and protected mode which
>all x86 processors support, but which vmxassist is really rather bad at
>handling. If this is a big-real-mode copy loop then that might explain why
>the loop is executing so bizarrely, and may mean you are out of luck until
>we retire vmxassist.
And the fact that EDI is 0xC33FE when it tries to write to the memory
at the address in EDI indicates that it's Big-Real-Mode.
In real mode, any register access beyond segment+0xFFFF is a GP fault
on 386 and later processors. To get around this and simplify the
process of, for example, loading large chunks of data into memory,
someone figured out that segment register limits (and base address)
are not being RESET by the processor when resetting the protected-mode
bit in CR0, so one can go into protected mode, load a segment
register with a bigger limit (e.g. a "no limit" of 4GB) and a
base address of (say) zero.
Unfortunately, since VMXassist uses the VM86 mode of the processor,
it doesn't support transitions back and forth between protected mode
with segment registers preserved (you can't run in Real Mode with VMX
enabled).
The other option for possibly getting this working (plug for my
former employer) is to use an AMD processor, as that supports
"real-mode virtualization", so you can run real mode with "SVM"
enabled, and in this case the segment registers can be manipulated
in protected mode and then you go back to real mode without any loss of
segment data.
As Keir hints, there is work to "remove" the VMXassist mode (which by
all accounts, and I don't think I'm offending anyone by saying this,
is a quick hack to get around the fact that real-mode code is needed
to boot the OS).
--
Mats
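A small C model of the segment-limit behaviour Mats describes above (the cached limit surviving the PE=0 transition on hardware, and being lost when an emulator rebuilds the segment from real-mode defaults), added here as an illustration; it is not Xen or vmxassist code, and apart from the thread's EDI value 0xC33FE the descriptor values, selectors and scenario names are constructed:

```c
/* Model of x86 segment-limit checking across a protected/real-mode switch,
 * added for this thread to illustrate Mats's explanation of "big real mode".
 * Not Xen or vmxassist code: EDI = 0xC33FE is the thread's value, the rest is constructed. */
#include <stdint.h>
#include <stdio.h>

/* Cached ("hidden") part of a segment register kept next to the selector. */
struct segcache {
    uint16_t selector;
    uint32_t base;
    uint32_t limit;   /* highest valid offset within the segment */
};
enum access_result { ADDR_OK = 0, ADDR_GP = 1 };
struct access { enum access_result result; uint32_t linear; };

static void seg_reset(struct segcache *s)   /* reset state: real mode, 64 KiB limit */
{
    *s = (struct segcache){ .selector = 0, .base = 0, .limit = 0xFFFF };
}

/* Real-mode load: hardware rewrites selector and base (sel << 4) but leaves
 * the cached limit alone, and clearing CR0.PE does not reset it either. */
static void load_seg_real(struct segcache *s, uint16_t sel)
{
    s->selector = sel;
    s->base = (uint32_t)sel << 4;
}

/* Protected-mode load from a (modelled) descriptor. */
static void load_seg_protected(struct segcache *s, uint16_t sel,
                               uint32_t base, uint32_t limit)
{
    s->selector = sel;
    s->base = base;
    s->limit = limit;
}

/* Limit check for a 16-bit access such as "mov %ax,%es:(%edi)" with a 32-bit
 * address-size prefix: both bytes must lie at or below the limit. */
static struct access check_access16(const struct segcache *s, uint32_t offset)
{
    struct access a = { ADDR_GP, 0 };
    if (offset > s->limit || s->limit - offset < 1)   /* written to avoid wrap */
        return a;
    a.result = ADDR_OK;
    a.linear = s->base + offset;
    return a;
}

/* Plain real mode: EDI = 0xC33FE is beyond segment+0xFFFF, so #GP. */
struct access plain_real_mode(void)
{
    struct segcache es;
    seg_reset(&es);
    load_seg_real(&es, 0x0000);
    return check_access16(&es, 0xC33FE);
}

/* Big real mode on hardware: load ES from a flat 4 GiB descriptor while
 * PE=1, then clear PE; the cached limit survives and the write succeeds. */
struct access big_real_mode_hw(void)
{
    struct segcache es;
    seg_reset(&es);
    load_seg_protected(&es, 0x10, 0x00000000, 0xFFFFFFFF);
    return check_access16(&es, 0xC33FE);   /* PE cleared: cache untouched */
}

/* An emulator that rebuilds ES from real-mode defaults on the way back to real
 * mode (the transition Mats says vmxassist cannot preserve) loses the 4 GiB limit. */
struct access big_real_mode_lost(void)
{
    struct segcache es;
    seg_reset(&es);
    load_seg_protected(&es, 0x10, 0x00000000, 0xFFFFFFFF);
    seg_reset(&es);
    load_seg_real(&es, 0x0000);
    return check_access16(&es, 0xC33FE);
}

int main(void)
{
    struct access hw = big_real_mode_hw();
    printf("plain real mode: result %d\n", plain_real_mode().result);
    printf("big real mode, hw: result %d, linear 0x%X\n", hw.result, (unsigned)hw.linear);
    printf("big real mode, state lost: result %d\n", big_real_mode_lost().result);
    return 0;
}
```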
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 17:45 ` Mats Petersson
@ 2007-08-08 20:26 ` Keir Fraser
2007-08-09 3:05 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-08 20:26 UTC (permalink / raw)
To: Mats Petersson, Brady Chen; +Cc: tygrawy, xen-devel, Z24, AL.LINUX
On 8/8/07 18:45, "Mats Petersson" <mats@planetcatfish.com> wrote:
> At 17:19 08/08/2007, Keir Fraser wrote:
>> No, it's a processor mode halfway between real mode and protected mode which
>> all x86 processors support, but which vmxassist is really rather bad at
>> handling. If this is a big-real-mode copy loop then that might explain why
>> the loop is executing so bizarrely, and may mean you are out of luck until
>> we retire vmxassist.
>
> And the fact that EDI is 0xC33FE when it tries to write to the memory
> at address of EDI indicates that it's Big-Real-Mode.
Yes, that's a giveaway.
So I think the 'fix' here is to not try booting your native Windows
partition on Xen. It's not likely to work too well anyway, as it'll look
like all your hardware has changed, causing activation problems and also big
driver changes whenever you switch between running on Xen and running
natively.
You're better off having a dedicated Xen Windows installation, perhaps on an
LVM partition.
The problems that others have been seeing are quite likely not the same root
cause as yours. Most times there's an early boot problem it will end up with
a trap and backtrace in vmxassist, when running on Intel CPUs.
-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-08 20:26 ` Keir Fraser
@ 2007-08-09 3:05 ` Brady Chen
2007-08-09 4:01 ` Brady Chen
2007-08-09 7:13 ` Keir Fraser
0 siblings, 2 replies; 37+ messages in thread
From: Brady Chen @ 2007-08-09 3:05 UTC (permalink / raw)
To: Keir Fraser, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24
Keir, Mats, Archie, and all others,
Thank you guys all.
I just read this thread:
http://lists.xensource.com/archives/html/xen-devel/2006-05/msg01442.html
It seems Randy Thelen tried to fix this issue one year ago; unfortunately
that patch doesn't work for me.
Finally I think we have the conclusion that I have to give it up on my
T60 Laptop now.
But I'd like to try it this way:
install Windows in a Xen HVM guest, and then try to boot it in the native
environment. Hope it works.
BTW, Keir, Mats, any plan/schedule to support a fully functional real
mode simulator? Or do you know of anyone working on this? Thanks
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-09 3:05 ` Brady Chen
@ 2007-08-09 4:01 ` Brady Chen
2007-08-09 7:10 ` Keir Fraser
2007-08-09 7:13 ` Keir Fraser
1 sibling, 1 reply; 37+ messages in thread
From: Brady Chen @ 2007-08-09 4:01 UTC (permalink / raw)
To: Keir Fraser, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24
Another question:
The same Windows installation CD could be used in the Xen guest. So why
does the Windows bootloader use Big-Real-Mode for the native installation,
but not use that mode for the Xen-HVM guest installation?
Thanks,
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-09 4:01 ` Brady Chen
@ 2007-08-09 7:10 ` Keir Fraser
2007-08-09 10:35 ` Brady Chen
0 siblings, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-09 7:10 UTC (permalink / raw)
To: Brady Chen, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24
On 9/8/07 05:01, "Brady Chen" <chenchp@gmail.com> wrote:
> another question:
> The same windows installation CD could be used in xen guest. So why
> windows bootloader use Big-Real-Mode for the native installation, but
> not use the mode for Xen-HVM guest installation?
Is this a retail Windows install CD, or an OEM CD supplied with your laptop?
-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-09 3:05 ` Brady Chen
2007-08-09 4:01 ` Brady Chen
@ 2007-08-09 7:13 ` Keir Fraser
2007-08-09 10:40 ` Brady Chen
1 sibling, 1 reply; 37+ messages in thread
From: Keir Fraser @ 2007-08-09 7:13 UTC (permalink / raw)
To: Brady Chen, Mats Petersson, AL.LINUX; +Cc: tygrawy, xen-devel, Z24
On 9/8/07 04:05, "Brady Chen" <chenchp@gmail.com> wrote:
> Finally I think we have the conclusion that I have to give it up on my
> T60 Laptop now.
> But I'd like to try in this way:
> install windows in xen hvm guest, and then try to boot it in native
> environment. Hope it works.
Neither way round is going to work very well. The platform hardware will
look (to Windows) to be entirely different in the two cases. Thus it will
most likely require you to re-activate your license. Also it'll have the
wrong drivers installed and hence you'll have a bunch of driver
re-installation every time you switch between native and Xen.
> BTW, Keir, Mats, Any plan/schedule to support a full functional real
> mode simulator? Or do you know anyone are working on this? thanks
There's a plan, but not much of a schedule. Some of the cleanup work I've
been doing in xen-unstable just now will help. I'd like to think we'll have
it done by Xen 3.3; Xen 3.2 is probably too close at this point.
-- Keir
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-09 7:10 ` Keir Fraser
@ 2007-08-09 10:35 ` Brady Chen
0 siblings, 0 replies; 37+ messages in thread
From: Brady Chen @ 2007-08-09 10:35 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, Mats Petersson, AL.LINUX
> Is this a retail Windows install CD, or an OEM CD supplied with your laptop?
it's an OEM CD
Thanks
-Brady
* Re: Re: [Xen-users] boot a existing windows in hvm domain
2007-08-09 7:13 ` Keir Fraser
@ 2007-08-09 10:40 ` Brady Chen
0 siblings, 0 replies; 37+ messages in thread
From: Brady Chen @ 2007-08-09 10:40 UTC (permalink / raw)
To: Keir Fraser; +Cc: tygrawy, xen-devel, Z24, Mats Petersson, AL.LINUX
> Neither way round is going to work very well. The platform hardware will
> look (to Windows) to be entirely different in the two cases. Thus it will
> most likely require you to re-activate your license. Also it'll have the
> wrong drivers installed and hence you'll have a bunch of driver
> re-installation every time you switch between native and Xen.
Re-activation may be the issue. For the hardware drivers, z24 said that
he got it working by selecting the hardware profile in Windows.
Here is the thread:
http://lists.xensource.com/archives/html/xen-users/2007-02/msg00822.html
I'd like to have a try.
> There's a plan, but not much of a schedule. Some of the cleanup work I've
> been doing in xen-unstable just now will help. I'd like to think we'll have
> it done by Xen 3.3; Xen 3.2 is probably too close at this point.
Thank you very much. Is there any timetable (a document or a link)
for the release? I'm new to Xen and don't know the release
frequency.
-Brady
end of thread
Thread overview: 37+ messages
2007-08-07 5:48 ` [Xen-users] boot a existing windows in hvm domain Brady Chen
2007-08-07 5:59 ` Keir Fraser
2007-08-07 6:06 ` Brady Chen
2007-08-07 6:32 ` Keir Fraser
2007-08-07 7:58 ` Brady Chen
2007-08-07 8:02 ` Keir Fraser
2007-08-07 8:22 ` Brady Chen
2007-08-07 8:47 ` Keir Fraser
2007-08-07 9:06 ` Brady Chen
2007-08-07 9:29 ` Keir Fraser
2007-08-07 9:35 ` Keir Fraser
2007-08-07 10:30 ` Brady Chen
2007-08-07 10:37 ` Keir Fraser
2007-08-07 11:03 ` Brady Chen
2007-08-07 11:35 ` Brady Chen
2007-08-07 11:50 ` Keir Fraser
2007-08-07 16:06 ` Brady Chen
2007-08-07 16:26 ` Keir Fraser
2007-08-08 7:37 ` Brady Chen
2007-08-08 8:25 ` Brady Chen
2007-08-08 8:41 ` Keir Fraser
2007-08-08 9:38 ` Brady Chen
2007-08-08 10:26 ` Keir Fraser
2007-08-08 12:12 ` Brady Chen
2007-08-08 13:32 ` Keir Fraser
2007-08-08 14:52 ` Mats Petersson
2007-08-08 15:50 ` Brady Chen
2007-08-08 16:19 ` Keir Fraser
2007-08-08 17:45 ` Mats Petersson
2007-08-08 20:26 ` Keir Fraser
2007-08-09 3:05 ` Brady Chen
2007-08-09 4:01 ` Brady Chen
2007-08-09 7:10 ` Keir Fraser
2007-08-09 10:35 ` Brady Chen
2007-08-09 7:13 ` Keir Fraser
2007-08-09 10:40 ` Brady Chen
2007-08-08 15:42 ` Brady Chen