[PATCH 1/2] KVM: x86 emulator: Disable writeback for CMP emulation

[PATCH 1/2] KVM: x86 emulator: Disable writeback for CMP emulation

[Takuya Yoshikawa]

From: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>

This stops "CMP r/m, reg" to write back the data into memory.
Pointed out by Avi.

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
---
 arch/x86/kvm/emulate.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 14c5ad5..8a73805 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3084,6 +3084,7 @@ special_insn:
 		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
 		break;
 	case 0x38 ... 0x3d:
+		c->dst.type = OP_NONE; /* Disable writeback. */
 	      cmp:		/* cmp */
 		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
 		break;
@@ -3138,6 +3139,7 @@ special_insn:
 		case 6:
 			goto xor;
 		case 7:
+			c->dst.type = OP_NONE; /* Disable writeback. */
 			goto cmp;
 		}
 		break;
-- 
1.7.1

[RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Takuya Yoshikawa]

From: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>

Recently, emulate_push family functions started to call writeback()
during their emulation.  This clearly shows that the usual writeback()
which is done at the end of x86_emulate_insn() cannot cover all cases.
Furthermore, suppressing writeback by changing dst operand's type is
not simple when conditional writeback must be taken care of.

This patch improves this situation a bit by making emulate_push()
itself do writeback and removes scattered writebacks from callers.

This is done by splitting the writeback for OP_MEM case out from
writeback() as a new helper function, writeback_to_mem(), and call it
directly from emulate_push().

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
---
 arch/x86/kvm/emulate.c |  111 ++++++++++++++++++++---------------------------
 1 files changed, 47 insertions(+), 64 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 8a73805..fe3419a 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1069,6 +1069,20 @@ static void write_register_operand(struct operand *op)
 	}
 }
 
+static int writeback_to_mem(struct x86_emulate_ctxt *ctxt,
+			    struct x86_emulate_ops *ops,
+			    struct decode_cache *c)
+{
+	if (c->lock_prefix)
+		return ops->cmpxchg_emulated(linear(ctxt, c->dst.addr.mem),
+				&c->dst.orig_val, &c->dst.val, c->dst.bytes,
+				&ctxt->exception, ctxt->vcpu);
+	else
+		return ops->write_emulated(linear(ctxt, c->dst.addr.mem),
+					&c->dst.val, c->dst.bytes,
+					&ctxt->exception, ctxt->vcpu);
+}
+
 static inline int writeback(struct x86_emulate_ctxt *ctxt,
 			    struct x86_emulate_ops *ops)
 {
@@ -1080,21 +1094,7 @@ static inline int writeback(struct x86_emulate_ctxt *ctxt,
 		write_register_operand(&c->dst);
 		break;
 	case OP_MEM:
-		if (c->lock_prefix)
-			rc = ops->cmpxchg_emulated(
-					linear(ctxt, c->dst.addr.mem),
-					&c->dst.orig_val,
-					&c->dst.val,
-					c->dst.bytes,
-					&ctxt->exception,
-					ctxt->vcpu);
-		else
-			rc = ops->write_emulated(
-					linear(ctxt, c->dst.addr.mem),
-					&c->dst.val,
-					c->dst.bytes,
-					&ctxt->exception,
-					ctxt->vcpu);
+		rc = writeback_to_mem(ctxt, ops, c);
 		if (rc != X86EMUL_CONTINUE)
 			return rc;
 		break;
@@ -1107,17 +1107,21 @@ static inline int writeback(struct x86_emulate_ctxt *ctxt,
 	return X86EMUL_CONTINUE;
 }
 
-static inline void emulate_push(struct x86_emulate_ctxt *ctxt,
-				struct x86_emulate_ops *ops)
+static inline int emulate_push(struct x86_emulate_ctxt *ctxt,
+			       struct x86_emulate_ops *ops)
 {
 	struct decode_cache *c = &ctxt->decode;
+	int rc;
 
-	c->dst.type  = OP_MEM;
 	c->dst.bytes = c->op_bytes;
 	c->dst.val = c->src.val;
 	register_address_increment(c, &c->regs[VCPU_REGS_RSP], -c->op_bytes);
 	c->dst.addr.mem.ea = register_address(c, c->regs[VCPU_REGS_RSP]);
 	c->dst.addr.mem.seg = VCPU_SREG_SS;
+
+	rc = writeback_to_mem(ctxt, ops, c);
+	c->dst.type = OP_NONE;
+	return rc;
 }
 
 static int emulate_pop(struct x86_emulate_ctxt *ctxt,
@@ -1179,14 +1183,13 @@ static int emulate_popf(struct x86_emulate_ctxt *ctxt,
 	return rc;
 }
 
-static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
-			      struct x86_emulate_ops *ops, int seg)
+static int emulate_push_sreg(struct x86_emulate_ctxt *ctxt,
+			     struct x86_emulate_ops *ops, int seg)
 {
 	struct decode_cache *c = &ctxt->decode;
 
 	c->src.val = ops->get_segment_selector(seg, ctxt->vcpu);
-
-	emulate_push(ctxt, ops);
+	return emulate_push(ctxt, ops);
 }
 
 static int emulate_pop_sreg(struct x86_emulate_ctxt *ctxt,
@@ -1216,18 +1219,13 @@ static int emulate_pusha(struct x86_emulate_ctxt *ctxt,
 		(reg == VCPU_REGS_RSP) ?
 		(c->src.val = old_esp) : (c->src.val = c->regs[reg]);
 
-		emulate_push(ctxt, ops);
-
-		rc = writeback(ctxt, ops);
+		rc = emulate_push(ctxt, ops);
 		if (rc != X86EMUL_CONTINUE)
 			return rc;
 
 		++reg;
 	}
 
-	/* Disable writeback. */
-	c->dst.type = OP_NONE;
-
 	return rc;
 }
 
@@ -1265,22 +1263,19 @@ int emulate_int_real(struct x86_emulate_ctxt *ctxt,
 
 	/* TODO: Add limit checks */
 	c->src.val = ctxt->eflags;
-	emulate_push(ctxt, ops);
-	rc = writeback(ctxt, ops);
+	rc = emulate_push(ctxt, ops);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
 	ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
 
 	c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
-	emulate_push(ctxt, ops);
-	rc = writeback(ctxt, ops);
+	rc = emulate_push(ctxt, ops);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
 	c->src.val = c->eip;
-	emulate_push(ctxt, ops);
-	rc = writeback(ctxt, ops);
+	rc = emulate_push(ctxt, ops);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
@@ -1475,6 +1470,7 @@ static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
 			       struct x86_emulate_ops *ops)
 {
 	struct decode_cache *c = &ctxt->decode;
+	int rc = X86EMUL_CONTINUE;
 
 	switch (c->modrm_reg) {
 	case 0:	/* inc */
@@ -1488,17 +1484,17 @@ static inline int emulate_grp45(struct x86_emulate_ctxt *ctxt,
 		old_eip = c->eip;
 		c->eip = c->src.val;
 		c->src.val = old_eip;
-		emulate_push(ctxt, ops);
+		rc = emulate_push(ctxt, ops);
 		break;
 	}
 	case 4: /* jmp abs */
 		c->eip = c->src.val;
 		break;
 	case 6:	/* push */
-		emulate_push(ctxt, ops);
+		rc = emulate_push(ctxt, ops);
 		break;
 	}
-	return X86EMUL_CONTINUE;
+	return rc;
 }
 
 static inline int emulate_grp9(struct x86_emulate_ctxt *ctxt,
@@ -2142,7 +2138,7 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
 		c->op_bytes = c->ad_bytes = (next_tss_desc.type & 8) ? 4 : 2;
 		c->lock_prefix = 0;
 		c->src.val = (unsigned long) error_code;
-		emulate_push(ctxt, ops);
+		ret = emulate_push(ctxt, ops);
 	}
 
 	return ret;
@@ -2157,16 +2153,12 @@ int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
 	int rc;
 
 	c->eip = ctxt->eip;
-	c->dst.type = OP_NONE;
 
 	rc = emulator_do_task_switch(ctxt, ops, tss_selector, reason,
 				     has_error_code, error_code);
 
-	if (rc == X86EMUL_CONTINUE) {
-		rc = writeback(ctxt, ops);
-		if (rc == X86EMUL_CONTINUE)
-			ctxt->eip = c->eip;
-	}
+	if (rc == X86EMUL_CONTINUE)
+		ctxt->eip = c->eip;
 
 	return (rc == X86EMUL_UNHANDLEABLE) ? -1 : 0;
 }
@@ -2184,8 +2176,7 @@ static void string_addr_inc(struct x86_emulate_ctxt *ctxt, unsigned seg,
 
 static int em_push(struct x86_emulate_ctxt *ctxt)
 {
-	emulate_push(ctxt, ctxt->ops);
-	return X86EMUL_CONTINUE;
+	return emulate_push(ctxt, ctxt->ops);
 }
 
 static int em_das(struct x86_emulate_ctxt *ctxt)
@@ -2245,20 +2236,12 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
 	memcpy(&c->eip, c->src.valptr, c->op_bytes);
 
 	c->src.val = old_cs;
-	emulate_push(ctxt, ctxt->ops);
-	rc = writeback(ctxt, ctxt->ops);
+	rc = emulate_push(ctxt, ctxt->ops);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
 	c->src.val = old_eip;
-	emulate_push(ctxt, ctxt->ops);
-	rc = writeback(ctxt, ctxt->ops);
-	if (rc != X86EMUL_CONTINUE)
-		return rc;
-
-	c->dst.type = OP_NONE;
-
-	return X86EMUL_CONTINUE;
+	return emulate_push(ctxt, ctxt->ops);
 }
 
 static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
@@ -3039,7 +3022,7 @@ special_insn:
 		emulate_2op_SrcV("add", c->src, c->dst, ctxt->eflags);
 		break;
 	case 0x06:		/* push es */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_ES);
 		break;
 	case 0x07:		/* pop es */
 		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_ES);
@@ -3049,14 +3032,14 @@ special_insn:
 		emulate_2op_SrcV("or", c->src, c->dst, ctxt->eflags);
 		break;
 	case 0x0e:		/* push cs */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_CS);
 		break;
 	case 0x10 ... 0x15:
 	      adc:		/* adc */
 		emulate_2op_SrcV("adc", c->src, c->dst, ctxt->eflags);
 		break;
 	case 0x16:		/* push ss */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_SS);
 		break;
 	case 0x17:		/* pop ss */
 		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_SS);
@@ -3066,7 +3049,7 @@ special_insn:
 		emulate_2op_SrcV("sbb", c->src, c->dst, ctxt->eflags);
 		break;
 	case 0x1e:		/* push ds */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_DS);
 		break;
 	case 0x1f:		/* pop ds */
 		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_DS);
@@ -3204,7 +3187,7 @@ special_insn:
 		break;
 	case 0x9c: /* pushf */
 		c->src.val =  (unsigned long) ctxt->eflags;
-		emulate_push(ctxt, ops);
+		rc = emulate_push(ctxt, ops);
 		break;
 	case 0x9d: /* popf */
 		c->dst.type = OP_REG;
@@ -3280,7 +3263,7 @@ special_insn:
 		long int rel = c->src.val;
 		c->src.val = (unsigned long) c->eip;
 		jmp_rel(c, rel);
-		emulate_push(ctxt, ops);
+		rc = emulate_push(ctxt, ops);
 		break;
 	}
 	case 0xe9: /* jmp rel */
@@ -3605,7 +3588,7 @@ twobyte_insn:
 		c->dst.val = test_cc(c->b, ctxt->eflags);
 		break;
 	case 0xa0:	  /* push fs */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_FS);
 		break;
 	case 0xa1:	 /* pop fs */
 		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_FS);
@@ -3622,7 +3605,7 @@ twobyte_insn:
 		emulate_2op_cl("shld", c->src2, c->src, c->dst, ctxt->eflags);
 		break;
 	case 0xa8:	/* push gs */
-		emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
+		rc = emulate_push_sreg(ctxt, ops, VCPU_SREG_GS);
 		break;
 	case 0xa9:	/* pop gs */
 		rc = emulate_pop_sreg(ctxt, ops, VCPU_SREG_GS);
-- 
1.7.1

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Takuya Yoshikawa]

Takuya Yoshikawa <takuya.yoshikawa@gmail.com> wrote:
> @@ -1265,22 +1263,19 @@ int emulate_int_real(struct x86_emulate_ctxt *ctxt,
>  
>  	/* TODO: Add limit checks */
>  	c->src.val = ctxt->eflags;
> -	emulate_push(ctxt, ops);
> -	rc = writeback(ctxt, ops);
> +	rc = emulate_push(ctxt, ops);
>  	if (rc != X86EMUL_CONTINUE)
>  		return rc;
>  
>  	ctxt->eflags &= ~(EFLG_IF | EFLG_TF | EFLG_AC);
>  
>  	c->src.val = ops->get_segment_selector(VCPU_SREG_CS, ctxt->vcpu);
> -	emulate_push(ctxt, ops);
> -	rc = writeback(ctxt, ops);
> +	rc = emulate_push(ctxt, ops);
>  	if (rc != X86EMUL_CONTINUE)
>  		return rc;
>  
>  	c->src.val = c->eip;
> -	emulate_push(ctxt, ops);
> -	rc = writeback(ctxt, ops);
> +	rc = emulate_push(ctxt, ops);
>  	if (rc != X86EMUL_CONTINUE)
>  		return rc;

I could also delete "c->dst.type = OP_NONE;" line here.

...

>  
>  static int em_push(struct x86_emulate_ctxt *ctxt)
>  {
> -	emulate_push(ctxt, ctxt->ops);
> -	return X86EMUL_CONTINUE;
> +	return emulate_push(ctxt, ctxt->ops);
>  }

em_push() can be used instead of emulate_push() if we rearrange
the place to put em_push().


There seems to be some conflicting patches around.  So If I get
some other comments, I'll rebase and resend later!

Takuya

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Avi Kivity]

On 03/28/2011 06:34 PM, Takuya Yoshikawa wrote:
> From: Takuya Yoshikawa<yoshikawa.takuya@oss.ntt.co.jp>
>
> Recently, emulate_push family functions started to call writeback()
> during their emulation.  This clearly shows that the usual writeback()
> which is done at the end of x86_emulate_insn() cannot cover all cases.
> Furthermore, suppressing writeback by changing dst operand's type is
> not simple when conditional writeback must be taken care of.
>
> This patch improves this situation a bit by making emulate_push()
> itself do writeback and removes scattered writebacks from callers.
>
> This is done by splitting the writeback for OP_MEM case out from
> writeback() as a new helper function, writeback_to_mem(), and call it
> directly from emulate_push().

I think it's easier to just write directly instead of going through 
'struct operand'.

Probably emulate_push() should do the write (look at segmented_write() 
in my 'Emulator segment checks' patchset), and everything else can call 
that.  'struct operand' is for multiplexing register/memory accesses, 
which is not the case with the stack.

-- 
error compiling committee.c: too many arguments to function

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Takuya Yoshikawa]

> I think it's easier to just write directly instead of going through 
> 'struct operand'.
> 
> Probably emulate_push() should do the write (look at segmented_write() 
> in my 'Emulator segment checks' patchset), and everything else can call 
> that.  'struct operand' is for multiplexing register/memory accesses, 
> which is not the case with the stack.

I agree with you.  I will update!


IMHO, we are using dst operand for too many things.

In the case of CMP, I first tried to use src2 to clearly follow the
SDM's "second source operand" terminology.  But it seemed not worth
it now.


Takuya


-- 
Takuya Yoshikawa <takuya.yoshikawa@gmail.com>

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Avi Kivity]

On 04/03/2011 06:59 PM, Takuya Yoshikawa wrote:
> >  I think it's easier to just write directly instead of going through
> >  'struct operand'.
> >
> >  Probably emulate_push() should do the write (look at segmented_write()
> >  in my 'Emulator segment checks' patchset), and everything else can call
> >  that.  'struct operand' is for multiplexing register/memory accesses,
> >  which is not the case with the stack.
>
> I agree with you.  I will update!
>
>
> IMHO, we are using dst operand for too many things.
>
> In the case of CMP, I first tried to use src2 to clearly follow the
> SDM's "second source operand" terminology.  But it seemed not worth
> it now.
>

Ah, CMP is encoded as dst/src, so it's best to just disable writeback 
there.  We could have a bit in the decode tables to auto-disable 
writeback, but not sure it is worth it.

-- 
error compiling committee.c: too many arguments to function

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Takuya Yoshikawa]

> > IMHO, we are using dst operand for too many things.
> >
> > In the case of CMP, I first tried to use src2 to clearly follow the
> > SDM's "second source operand" terminology.  But it seemed not worth
> > it now.
> >
> 
> Ah, CMP is encoded as dst/src, so it's best to just disable writeback 
> there.  We could have a bit in the decode tables to auto-disable 
> writeback, but not sure it is worth it.

One more question:

Why some functions in this file are defined using
"static inline" not just "static" ?

I should keep these "inline" ?

Takuya


-- 
Takuya Yoshikawa <takuya.yoshikawa@gmail.com>

Re: [RFC PATCH 2/2] KVM: x86 emulator: Cleanup emulate_push() writebacks

[Avi Kivity]

On 04/03/2011 07:09 PM, Takuya Yoshikawa wrote:
> >  >  IMHO, we are using dst operand for too many things.
> >  >
> >  >  In the case of CMP, I first tried to use src2 to clearly follow the
> >  >  SDM's "second source operand" terminology.  But it seemed not worth
> >  >  it now.
> >  >
> >
> >  Ah, CMP is encoded as dst/src, so it's best to just disable writeback
> >  there.  We could have a bit in the decode tables to auto-disable
> >  writeback, but not sure it is worth it.
>
> One more question:
>
> Why some functions in this file are defined using
> "static inline" not just "static" ?
>
> I should keep these "inline" ?
>

Just 'static' is enough, the compiler can usually make the best decision 
wrt. inline.

-- 
error compiling committee.c: too many arguments to function

Re: [PATCH 1/2] KVM: x86 emulator: Disable writeback for CMP emulation

[Avi Kivity]

On 03/28/2011 06:32 PM, Takuya Yoshikawa wrote:
> From: Takuya Yoshikawa<yoshikawa.takuya@oss.ntt.co.jp>
>
> This stops "CMP r/m, reg" to write back the data into memory.
> Pointed out by Avi.
>
> Signed-off-by: Takuya Yoshikawa<yoshikawa.takuya@oss.ntt.co.jp>
> ---
>   arch/x86/kvm/emulate.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 14c5ad5..8a73805 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -3084,6 +3084,7 @@ special_insn:
>   		emulate_2op_SrcV("xor", c->src, c->dst, ctxt->eflags);
>   		break;
>   	case 0x38 ... 0x3d:
> +		c->dst.type = OP_NONE; /* Disable writeback. */
>   	      cmp:		/* cmp */

Why not disable writeback here?  As a prelude to having em_cmp() which 
does everything?

I see SCAS also does a 'goto cmp', but it also benefits from disabling 
writeback.

>   		emulate_2op_SrcV("cmp", c->src, c->dst, ctxt->eflags);
>   		break;
> @@ -3138,6 +3139,7 @@ special_insn:
>   		case 6:
>   			goto xor;
>   		case 7:
> +			c->dst.type = OP_NONE; /* Disable writeback. */
>   			goto cmp;
>   		}
>   		break;


-- 
error compiling committee.c: too many arguments to function