re: [Qemu-devel] Host API escape

re: [Qemu-devel] Host API escape

[EricNorthup]

On Mon, 13 Sep 2004 23:45:07 +0100, Derek Fawcus wrote:

>On Mon, Sep 13, 2004 at 11:16:14PM +0200, Fabrice Bellard wrote:
>> Derek Fawcus wrote:
>> > I was adding a fake instruction
>
>So will you at all interested in this bit,  want to wait for it to
>cook some more first,  or not interested?
>
>It's basically a "new" instruction,  using opcodes that should normally
>generate undefined/illegal opcode traps,  hence it should still be
>usable
>(in some form) if/when doing fast/native x86-on-x86.  The point
> being to provide a a controlled escape to talk with the host -
therefore it's
> called "hostapi"...
[. . .]

Ok, I think the things you can achieve with this mechanism are very
exciting.  But please, *please* do not make another fork in x86!

What if you use the WRMSR instructions instead?  Then you can define
MSRs which have certain behavior when written to / read from.  The whole
point of MSRs is that they are model-specific, and that is the way to do
this compatibly.

Just a suggestion

--Eric

Re: [Qemu-devel] Host API escape

[Derek Fawcus]

On Mon, Sep 13, 2004 at 10:43:00PM -0400, EricNorthup wrote:
> Ok, I think the things you can achieve with this mechanism are very
> exciting.  But please, *please* do not make another fork in x86!

Huh?  What do you mean by "another fork in x86"?  Or are you simply
referring to the fact that I've (re)defined a special instruction?

> What if you use the WRMSR instructions instead?  Then you can define
> MSRs which have certain behavior when written to / read from.  The whole
> point of MSRs is that they are model-specific, and that is the way to do
> this compatibly.

Hmm - a possibility.

I can look at changing to that once I've got the redir stuff working.
My initial concern was actually not to use / change any target visible
register,  so that I can inject this anywhere as a debug hook - where
it's currently quite useful.

DF

[Qemu-devel] Re: Host API escape

[Ben Pfaff]

Derek Fawcus <dfawcus@cisco.com> writes:

> On Mon, Sep 13, 2004 at 10:43:00PM -0400, EricNorthup wrote:
>> What if you use the WRMSR instructions instead?  Then you can define
>> MSRs which have certain behavior when written to / read from.  The whole
>> point of MSRs is that they are model-specific, and that is the way to do
>> this compatibly.
>
> Hmm - a possibility.

For what it's worth, VMware products use a magic I/O port for
guest<->host communication according to
http://chitchat.at.infoseek.co.jp/vmware/backdoor.html
-- 
Ben Pfaff 
email: blp@cs.stanford.edu
web: http://benpfaff.org

[Qemu-devel] Patch: Bugfix in monitor, tidy in translate

[Derek Fawcus]

[-- Attachment #1: Type: text/plain, Size: 483 bytes --]

Attached are a couple of patches,  i386 target only.

The first fixes a bug in monitor.c which prevented one from utilising edi,
and also adds the ability to utilise the ss segment register,

The second simply tidies up the code in target-i386/translate.c so that
all assignments of '3' to is_jmp get replaced with DISAS_TB_JUMP,  since
I guess the latter was a late addition to the code.  (I was adding a
fake instruction,  and this just made it easier for me to read the code)

DF

[-- Attachment #2: dd-monitor --]
[-- Type: text/plain, Size: 813 bytes --]

diff -rup -U 5 ../qemu-snap/monitor.c ./monitor.c
--- ../qemu-snap/monitor.c	2004-08-26 19:53:10.000000000 +0100
+++ ./monitor.c	2004-09-07 02:38:05.000000000 +0100
@@ -780,16 +780,17 @@ static MonitorDef monitor_defs[] = {
     { "edx", offsetof(CPUState, regs[2]) },
     { "ebx", offsetof(CPUState, regs[3]) },
     { "esp|sp", offsetof(CPUState, regs[4]) },
     { "ebp|fp", offsetof(CPUState, regs[5]) },
     { "esi", offsetof(CPUState, regs[6]) },
-    { "esi", offsetof(CPUState, regs[7]) },
+    { "edi", offsetof(CPUState, regs[7]) },
     { "eflags", offsetof(CPUState, eflags) },
     { "eip", offsetof(CPUState, eip) },
     SEG("cs", R_CS)
     SEG("ds", R_DS)
     SEG("es", R_ES)
+    SEG("ss", R_SS)
     SEG("fs", R_FS)
     SEG("gs", R_GS)
     { "pc", 0, monitor_get_pc, },
     { NULL },
 };

[-- Attachment #3: dd-translate --]
[-- Type: text/plain, Size: 3588 bytes --]

diff -rup -U 5 ../qemu-snap/target-i386/translate.c ./target-i386/translate.c
--- ../qemu-snap/target-i386/translate.c	2004-09-05 23:52:37.000000000 +0100
+++ ./target-i386/translate.c	2004-09-07 01:38:38.000000000 +0100
@@ -1431,11 +1431,11 @@ static inline void gen_jcc(DisasContext 
         if (!inv) {
             func((long)tb, val, next_eip);
         } else {
             func((long)tb, next_eip, val);
         }
-        s->is_jmp = 3;
+        s->is_jmp = DISAS_TB_JUMP;
     } else {
         if (s->cc_op != CC_OP_DYNAMIC) {
             gen_op_set_cc_op(s->cc_op);
             s->cc_op = CC_OP_DYNAMIC;
         }
@@ -1519,15 +1519,15 @@ static void gen_movl_seg_T0(DisasContext
         /* abort translation because the addseg value may change or
            because ss32 may change. For R_SS, translation must always
            stop as a special handling must be done to disable hardware
            interrupts for the next instruction */
         if (seg_reg == R_SS || (s->code32 && seg_reg < R_FS))
-            s->is_jmp = 3;
+            s->is_jmp = DISAS_TB_JUMP;
     } else {
         gen_op_movl_seg_T0_vm(offsetof(CPUX86State,segs[seg_reg]));
         if (seg_reg == R_SS)
-            s->is_jmp = 3;
+            s->is_jmp = DISAS_TB_JUMP;
     }
 }
 
 static inline void gen_stack_update(DisasContext *s, int addend)
 {
@@ -1710,11 +1710,11 @@ static void gen_exception(DisasContext *
 {
     if (s->cc_op != CC_OP_DYNAMIC)
         gen_op_set_cc_op(s->cc_op);
     gen_op_jmp_im(cur_eip);
     gen_op_raise_exception(trapno);
-    s->is_jmp = 3;
+    s->is_jmp = DISAS_TB_JUMP;
 }
 
 /* an interrupt is different from an exception because of the
    priviledge checks */
 static void gen_interrupt(DisasContext *s, int intno, 
@@ -1722,20 +1722,20 @@ static void gen_interrupt(DisasContext *
 {
     if (s->cc_op != CC_OP_DYNAMIC)
         gen_op_set_cc_op(s->cc_op);
     gen_op_jmp_im(cur_eip);
     gen_op_raise_interrupt(intno, next_eip);
-    s->is_jmp = 3;
+    s->is_jmp = DISAS_TB_JUMP;
 }
 
 static void gen_debug(DisasContext *s, unsigned int cur_eip)
 {
     if (s->cc_op != CC_OP_DYNAMIC)
         gen_op_set_cc_op(s->cc_op);
     gen_op_jmp_im(cur_eip);
     gen_op_debug();
-    s->is_jmp = 3;
+    s->is_jmp = DISAS_TB_JUMP;
 }
 
 /* generate a generic end of block. Trace exception is also generated
    if needed */
 static void gen_eob(DisasContext *s)
@@ -1751,11 +1751,11 @@ static void gen_eob(DisasContext *s)
         gen_op_raise_exception(EXCP01_SSTP);
     } else {
         gen_op_movl_T0_0();
         gen_op_exit_tb();
     }
-    s->is_jmp = 3;
+    s->is_jmp = DISAS_TB_JUMP;
 }
 
 /* generate a jump to eip. No segment change must happen before as a
    direct call to the next block may occur */
 static void gen_jmp(DisasContext *s, unsigned int eip)
@@ -1764,11 +1764,11 @@ static void gen_jmp(DisasContext *s, uns
 
     if (s->jmp_opt) {
         if (s->cc_op != CC_OP_DYNAMIC)
             gen_op_set_cc_op(s->cc_op);
         gen_op_jmp((long)tb, eip);
-        s->is_jmp = 3;
+        s->is_jmp = DISAS_TB_JUMP;
     } else {
         gen_op_jmp_im(eip);
         gen_eob(s);
     }
 }
@@ -3904,11 +3904,11 @@ static uint8_t *disas_insn(DisasContext 
         } else {
             if (s->cc_op != CC_OP_DYNAMIC)
                 gen_op_set_cc_op(s->cc_op);
             gen_op_jmp_im(s->pc - s->cs_base);
             gen_op_hlt();
-            s->is_jmp = 3;
+            s->is_jmp = DISAS_TB_JUMP;
         }
         break;
     case 0x100:
         modrm = ldub_code(s->pc++);
         mod = (modrm >> 6) & 3;

Re: [Qemu-devel] Patch: Bugfix in monitor, tidy in translate

[Fabrice Bellard]

Derek Fawcus wrote:
> Attached are a couple of patches,  i386 target only.
> 
> The first fixes a bug in monitor.c which prevented one from utilising edi,
> and also adds the ability to utilise the ss segment register,

Applied!

> The second simply tidies up the code in target-i386/translate.c so that
> all assignments of '3' to is_jmp get replaced with DISAS_TB_JUMP,  since
> I guess the latter was a late addition to the code.  (I was adding a
> fake instruction,  and this just made it easier for me to read the code)

I plan to suppress the other values, so this patch is not useful now.

Fabrice.

[Qemu-devel] Host API escape

[Derek Fawcus]

On Mon, Sep 13, 2004 at 11:16:14PM +0200, Fabrice Bellard wrote:
> Derek Fawcus wrote:
> > I was adding a fake instruction

So will you at all interested in this bit,  want to wait for it to
cook some more first,  or not interested?

It's basically a "new" instruction,  using opcodes that should normally
generate undefined/illegal opcode traps,  hence it should still be usable
(in some form) if/when doing fast/native x86-on-x86.  The point being to
provide a a controlled escape to talk with the host - therefore it's
called "hostapi"...

At the moment I've defined a hidden "address register" which can be loaded
with an immediate value 16/32 bit offset from a specified segment register,
the address register getting the equivalent linear address and causing the
emulation to break ala a trap/debug.

>From there I then treat the address as a pointer to an argument block in
memory specifying what the request is;  service the request and return.

No real target registers are altered,  but arbitrary modifications to
target memory can be performed.  What I suspect I'll want at somepoint
is the ability to convert a set of virtual region descriptions into
scatter-gather physical descriptions,  such that they can be passed
to an external process which happens to mmap the target physical memory
file.

I've got it going well enought that I'm now working on the target and host
code which are communicating,  and seeing what if anything needs to alter
in the hostapi stuff.

I said I was working on a more complex form of file access...

My plan at the moment is DOS REDIR access (8.3 filenames) which should be
usable in all DOS derivatives (inc Win 3.1/WFW 3.11/w95/w98/wMe).

Other stuff,  say cut through video/mouse/kbd support,  LFN support,
virtual network (winsocks) can be done later,  but maybe not by me :-)
Once I started on this I realised that the ultimate progression is
effectivly the same as Win4Lin.  Hmm...

DF

Re: [Qemu-devel] Host API escape

[Gwenole Beauchesne]

On Mon, 13 Sep 2004, Derek Fawcus wrote:

> Other stuff,  say cut through video/mouse/kbd support,  LFN support,
> virtual network (winsocks) can be done later,  but maybe not by me :-)

Exactly. In BasiliskII/SheepShaver jargon, that's called an "EmulOp". And
purposes cover native driver hooks (e.g. audio, ethernet), copy/paste,
Native QuickDraw acceleration, host file system access, etc.

However, this kind of optimization is specific to certain systems as you
would need to either run-time patch the OS, or provide necessary drivers
with those hooks compiled in (MoL).

The problem on x86 side is to find out a particular instruction sequence
that is not (and won't be) meaningful.

Re: [Qemu-devel] Host API escape

[Derek Fawcus]

On Tue, Sep 14, 2004 at 09:54:29AM +0200, Gwenole Beauchesne wrote:
> However, this kind of optimization is specific to certain systems as you
> would need to either run-time patch the OS, or provide necessary drivers
> with those hooks compiled in (MoL).

Yeah - well I see the qemu core having a number of potential uses.

One is the simple "virtual PC" type of scenario,  whereby it's useful
for running (together with debug and test of) complete systems;  another
for specific OS optimised hosting (i.e. Win4Lin type stuff);  and a
third being as a soft ICE type of environment,  allowing all sorts of
interesting fun.

DF