[Qemu-devel] [PATCH] fix exception precision for cmpxchg8b

[Qemu-devel] [PATCH] fix exception precision for cmpxchg8b

[Nickolai Zeldovich]

In qemu-0.9.0, an exception in cmpxchg8b (e.g. page fault due to a
missing TLB entry) causes the wrong eip value to be pushed onto the
exception stack -- it seems to be the eip of the last exception or the
start of the translation block, whichever happened last.  This makes
it impossible to resume execution after such an exception.

The simple patch below fixes it, by explicitly saving the current eip
before invoking the cmpxchg8b helper; the same approach appears to be
taken in many other instructions before generating code that could
raise an exception.  Apologies for the non-tab-clean patch, but it's
simple enough to apply by hand.

I can't quite understand what's generating the equivalent piece of
code (to save pc_start into eip) for the cmpxchgl instruction (defined
right above cmpxchg8b in translate.c).  I'd be thankful if someone
could explain to me where it's getting saved.

Nickolai.

--- qemu-0.9.0/target-i386/translate.c	2007-02-05 15:01:54.000000000 -0800
+++ /home/nickolai/build/qemu-0.9.0/target-i386/translate.c	2007-04-24
19:33:47.000000000 -0700
@@ -3800,6 +3800,7 @@
         if (s->cc_op != CC_OP_DYNAMIC)
             gen_op_set_cc_op(s->cc_op);
         gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
+        gen_jmp_im(pc_start - s->cs_base);
         gen_op_cmpxchg8b();
         s->cc_op = CC_OP_EFLAGS;
         break;

Re: [Qemu-devel] [PATCH] fix exception precision for cmpxchg8b

[Ben Taylor]

a patch like this was posted about 6 weeks ago.  the 
only difference I can see between this and the 
previous patch is the location of the inserted 
function.

take a look at http://lists.gnu.org/archive/html/qemu-devel/2007-03/msg00123.html
for hints.  This patch fixed the Solaris/express install in a qemu
guest.

Ben


---- Nickolai Zeldovich <nickolai@cs.stanford.edu> wrote: 
> In qemu-0.9.0, an exception in cmpxchg8b (e.g. page fault due to a
> missing TLB entry) causes the wrong eip value to be pushed onto the
> exception stack -- it seems to be the eip of the last exception or the
> start of the translation block, whichever happened last.  This makes
> it impossible to resume execution after such an exception.
> 
> The simple patch below fixes it, by explicitly saving the current eip
> before invoking the cmpxchg8b helper; the same approach appears to be
> taken in many other instructions before generating code that could
> raise an exception.  Apologies for the non-tab-clean patch, but it's
> simple enough to apply by hand.
> 
> I can't quite understand what's generating the equivalent piece of
> code (to save pc_start into eip) for the cmpxchgl instruction (defined
> right above cmpxchg8b in translate.c).  I'd be thankful if someone
> could explain to me where it's getting saved.
> 
> Nickolai.
> 
> --- qemu-0.9.0/target-i386/translate.c	2007-02-05 15:01:54.000000000 -0800
> +++ /home/nickolai/build/qemu-0.9.0/target-i386/translate.c	2007-04-24
> 19:33:47.000000000 -0700
> @@ -3800,6 +3800,7 @@
>          if (s->cc_op != CC_OP_DYNAMIC)
>              gen_op_set_cc_op(s->cc_op);
>          gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
> +        gen_jmp_im(pc_start - s->cs_base);
>          gen_op_cmpxchg8b();
>          s->cc_op = CC_OP_EFLAGS;
>          break;
> 
> 

Re: [Qemu-devel] [PATCH] fix exception precision for cmpxchg8b

[Nickolai Zeldovich]

Thanks.  Looks like inline-generated instructions use
cpu_restore_state() to invert the translated PC into the simulated PC.

Nickolai.