Re: [Qemu-devel] softMMU / MOV translation

["Eddie C. Dost" <ecd@brainaid.de>]

Hi  Clemens,

if you enable "log asm_in,op,op_opt,asm_out" you will see the
intermediate code used during translation.

The opcodes are generated from the macros you already found in
softmmu_header.h by target-i386/ops_mem.h included from target-i386/op.c

Hope this helps,
Eddie

On Wed, Jul 25, 2007 at 02:04:47PM +0200, Clemens Kolbitsch wrote:
> hi!
> i tried asking this in the irc  but got no answer, hope someone can help me 
> here :-)
> 
> i'm working on memory-protection for my mather's thesis and have to dig into 
> qemu memory management... could someone help me here please? i have the 
> following problem:
> 
> i'm trying to understand the dynamic translation for the following mov-opcode 
> (it's taken from the qemu log with "log asm_in,asm_out"):
> 
> IN:
> 0xc011c9f2:  mov    0x60(%esi),%edx
> the hex-code would be "0x8b 0x56 0x60"
> ...
> 
> OUT:
> OUT: [size=455]
> 0x08d30fa0:  mov    0x18(%ebp),%edi
> 0x08d30fa3:  add    $0x60,%edi
> 0x08d30fa9:  mov    %edi,%edx
> 0x08d30fab:  mov    %edi,%eax
> 0x08d30fad:  shr    $0x8,%edx
> 0x08d30fb0:  and    $0xfffff003,%eax
> 0x08d30fb5:  and    $0xff0,%edx
> 0x08d30fbb:  lea    0x350(%edx,%ebp,1),%edx
> 0x08d30fc2:  cmp    (%edx),%eax
> 0x08d30fc4:  mov    %edi,%eax
> 0x08d30fc6:  je     0x8d30fd4
> 0x08d30fc8:  push   $0x0
> 0x08d30fca:  call   0x80ee06a		// __ldl_mmu
> 0x08d30fcf:  pop    %edx
> 0x08d30fd0:  mov    %eax,%ebx
> 0x08d30fd2:  jmp    0x8d30fd9
> 0x08d30fd4:  add    0xc(%edx),%eax
> 0x08d30fd7:  mov    (%eax),%ebx		// possibly the output of gen_op_ld_T0_A0
> [ot]+ s->mem_index]();
> 0x08d30fd9:  mov    %ebx,0x8(%ebp)	// this is the output of gen_op_mov_reg_T0
> [ot][reg](); (translate.c:4005)
> ...
> 
> 
> therefore, i think the following code in translate.c should be executed:
> 
> case 0x8b: /* mov Ev, Gv */
>         if ((b & 1) == 0)
>             ot = OT_BYTE;
>         else
>             ot = OT_WORD + dflag;
>         modrm = ldub_code(s->pc++);
>         reg = ((modrm >> 3) & 7) | rex_r;
>         
>         gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>         gen_op_mov_reg_T0[ot][reg]();
>         break;
> 
> 
> i debugged some time and found out that the last gen_op
> 
>         gen_op_mov_reg_T0[ot][reg]();
> 
> only produces 
> 
>         mov    %ebx,0x8(%ebp).
> 
> thus, the rest of the OUT-codes is produced by
> 
>        gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
> 
> however, i tried reading through the code but i could not find the function 
> where
> 
>       0x08d30fca:  call   0x80ee06a           // __ldl_mmu
> 
> is inserted into the translation-buffer... i (think to) know why it must be 
> inserted, but i just cannot figure out where it is put into the buffer.
> 
> if someone could point that out, it would help me a LOT!
> thanks,
>   Clemens
> 
> 

-- 
___________________________________________________brainaid_____________
Eddie C. Dost           Rue de la Chapelle 51      phone +32 87 788817
                        B-4850 Moresnet            fax   +32 87 788818
ecd@brainaid.de         Belgium                    cell  +49 172 9312808