[Qemu-devel] softMMU / MOV translation

[Qemu-devel] softMMU / MOV translation

[Clemens Kolbitsch]

hi!
i tried asking this in the irc  but got no answer, hope someone can help me 
here :-)

i'm working on memory-protection for my mather's thesis and have to dig into 
qemu memory management... could someone help me here please? i have the 
following problem:

i'm trying to understand the dynamic translation for the following mov-opcode 
(it's taken from the qemu log with "log asm_in,asm_out"):

IN:
0xc011c9f2:  mov    0x60(%esi),%edx
the hex-code would be "0x8b 0x56 0x60"
...

OUT:
OUT: [size=455]
0x08d30fa0:  mov    0x18(%ebp),%edi
0x08d30fa3:  add    $0x60,%edi
0x08d30fa9:  mov    %edi,%edx
0x08d30fab:  mov    %edi,%eax
0x08d30fad:  shr    $0x8,%edx
0x08d30fb0:  and    $0xfffff003,%eax
0x08d30fb5:  and    $0xff0,%edx
0x08d30fbb:  lea    0x350(%edx,%ebp,1),%edx
0x08d30fc2:  cmp    (%edx),%eax
0x08d30fc4:  mov    %edi,%eax
0x08d30fc6:  je     0x8d30fd4
0x08d30fc8:  push   $0x0
0x08d30fca:  call   0x80ee06a		// __ldl_mmu
0x08d30fcf:  pop    %edx
0x08d30fd0:  mov    %eax,%ebx
0x08d30fd2:  jmp    0x8d30fd9
0x08d30fd4:  add    0xc(%edx),%eax
0x08d30fd7:  mov    (%eax),%ebx		// possibly the output of gen_op_ld_T0_A0
[ot]+ s->mem_index]();
0x08d30fd9:  mov    %ebx,0x8(%ebp)	// this is the output of gen_op_mov_reg_T0
[ot][reg](); (translate.c:4005)
...


therefore, i think the following code in translate.c should be executed:

case 0x8b: /* mov Ev, Gv */
        if ((b & 1) == 0)
            ot = OT_BYTE;
        else
            ot = OT_WORD + dflag;
        modrm = ldub_code(s->pc++);
        reg = ((modrm >> 3) & 7) | rex_r;
        
        gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
        gen_op_mov_reg_T0[ot][reg]();
        break;


i debugged some time and found out that the last gen_op

        gen_op_mov_reg_T0[ot][reg]();

only produces 

        mov    %ebx,0x8(%ebp).

thus, the rest of the OUT-codes is produced by

       gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);

however, i tried reading through the code but i could not find the function 
where

      0x08d30fca:  call   0x80ee06a           // __ldl_mmu

is inserted into the translation-buffer... i (think to) know why it must be 
inserted, but i just cannot figure out where it is put into the buffer.

if someone could point that out, it would help me a LOT!
thanks,
  Clemens

[Qemu-devel] Re: softMMU / MOV translation

[Clemens Kolbitsch]

i think to have found it in translate.c:

/* sign does not matter, except for lidt/lgdt call (TODO: fix it) */
static GenOpFunc *gen_op_ld_T0_A0[3 * 4] = {
    gen_op_ldub_raw_T0_A0,
    gen_op_lduw_raw_T0_A0,
    gen_op_ldl_raw_T0_A0,
    X86_64_ONLY(gen_op_ldq_raw_T0_A0),

#ifndef CONFIG_USER_ONLY
    gen_op_ldub_kernel_T0_A0,
    gen_op_lduw_kernel_T0_A0,
    gen_op_ldl_kernel_T0_A0,
    X86_64_ONLY(gen_op_ldq_kernel_T0_A0),

    gen_op_ldub_user_T0_A0,
    gen_op_lduw_user_T0_A0,
    gen_op_ldl_user_T0_A0,
    X86_64_ONLY(gen_op_ldq_user_T0_A0),
#endif
};


    gen_op_ldl_kernel_T0_A0

looks quite promising. however, i still have not found the code (e.g. in op.c) 
that actually includes the "call" opcode (i find it in the disassembled code 
of the qemu-binary, though).

is it generated somehow by gcc? the only thing that looks similar are the 
ld-functions in softmmu_header:

static inline RES_TYPE glue(glue(ld, USUFFIX), MEMSUFFIX)(target_ulong ptr)

however, if i understand the macro-defs right, these functions are not 
built...

maybe someone could point that out?


On Wednesday 25 July 2007 02:04:47 pm you wrote:
> hi!
> i tried asking this in the irc  but got no answer, hope someone can help me
> here :-)
>
> i'm working on memory-protection for my mather's thesis and have to dig
> into qemu memory management... could someone help me here please? i have
> the following problem:
>
> i'm trying to understand the dynamic translation for the following
> mov-opcode (it's taken from the qemu log with "log asm_in,asm_out"):
>
> IN:
> 0xc011c9f2:  mov    0x60(%esi),%edx
> the hex-code would be "0x8b 0x56 0x60"
> ...
>
> OUT:
> OUT: [size=455]
> 0x08d30fa0:  mov    0x18(%ebp),%edi
> 0x08d30fa3:  add    $0x60,%edi
> 0x08d30fa9:  mov    %edi,%edx
> 0x08d30fab:  mov    %edi,%eax
> 0x08d30fad:  shr    $0x8,%edx
> 0x08d30fb0:  and    $0xfffff003,%eax
> 0x08d30fb5:  and    $0xff0,%edx
> 0x08d30fbb:  lea    0x350(%edx,%ebp,1),%edx
> 0x08d30fc2:  cmp    (%edx),%eax
> 0x08d30fc4:  mov    %edi,%eax
> 0x08d30fc6:  je     0x8d30fd4
> 0x08d30fc8:  push   $0x0
> 0x08d30fca:  call   0x80ee06a		// __ldl_mmu
> 0x08d30fcf:  pop    %edx
> 0x08d30fd0:  mov    %eax,%ebx
> 0x08d30fd2:  jmp    0x8d30fd9
> 0x08d30fd4:  add    0xc(%edx),%eax
> 0x08d30fd7:  mov    (%eax),%ebx		// possibly the output of gen_op_ld_T0_A0
> [ot]+ s->mem_index]();
> 0x08d30fd9:  mov    %ebx,0x8(%ebp)	// this is the output of
> gen_op_mov_reg_T0 [ot][reg](); (translate.c:4005)
> ...
>
>
> therefore, i think the following code in translate.c should be executed:
>
> case 0x8b: /* mov Ev, Gv */
>         if ((b & 1) == 0)
>             ot = OT_BYTE;
>         else
>             ot = OT_WORD + dflag;
>         modrm = ldub_code(s->pc++);
>         reg = ((modrm >> 3) & 7) | rex_r;
>
>         gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>         gen_op_mov_reg_T0[ot][reg]();
>         break;
>
>
> i debugged some time and found out that the last gen_op
>
>         gen_op_mov_reg_T0[ot][reg]();
>
> only produces
>
>         mov    %ebx,0x8(%ebp).
>
> thus, the rest of the OUT-codes is produced by
>
>        gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>
> however, i tried reading through the code but i could not find the function
> where
>
>       0x08d30fca:  call   0x80ee06a           // __ldl_mmu
>
> is inserted into the translation-buffer... i (think to) know why it must be
> inserted, but i just cannot figure out where it is put into the buffer.
>
> if someone could point that out, it would help me a LOT!
> thanks,
>   Clemens

Re: [Qemu-devel] softMMU / MOV translation

[Eddie C. Dost]

Hi  Clemens,

if you enable "log asm_in,op,op_opt,asm_out" you will see the
intermediate code used during translation.

The opcodes are generated from the macros you already found in
softmmu_header.h by target-i386/ops_mem.h included from target-i386/op.c

Hope this helps,
Eddie

On Wed, Jul 25, 2007 at 02:04:47PM +0200, Clemens Kolbitsch wrote:
> hi!
> i tried asking this in the irc  but got no answer, hope someone can help me 
> here :-)
> 
> i'm working on memory-protection for my mather's thesis and have to dig into 
> qemu memory management... could someone help me here please? i have the 
> following problem:
> 
> i'm trying to understand the dynamic translation for the following mov-opcode 
> (it's taken from the qemu log with "log asm_in,asm_out"):
> 
> IN:
> 0xc011c9f2:  mov    0x60(%esi),%edx
> the hex-code would be "0x8b 0x56 0x60"
> ...
> 
> OUT:
> OUT: [size=455]
> 0x08d30fa0:  mov    0x18(%ebp),%edi
> 0x08d30fa3:  add    $0x60,%edi
> 0x08d30fa9:  mov    %edi,%edx
> 0x08d30fab:  mov    %edi,%eax
> 0x08d30fad:  shr    $0x8,%edx
> 0x08d30fb0:  and    $0xfffff003,%eax
> 0x08d30fb5:  and    $0xff0,%edx
> 0x08d30fbb:  lea    0x350(%edx,%ebp,1),%edx
> 0x08d30fc2:  cmp    (%edx),%eax
> 0x08d30fc4:  mov    %edi,%eax
> 0x08d30fc6:  je     0x8d30fd4
> 0x08d30fc8:  push   $0x0
> 0x08d30fca:  call   0x80ee06a		// __ldl_mmu
> 0x08d30fcf:  pop    %edx
> 0x08d30fd0:  mov    %eax,%ebx
> 0x08d30fd2:  jmp    0x8d30fd9
> 0x08d30fd4:  add    0xc(%edx),%eax
> 0x08d30fd7:  mov    (%eax),%ebx		// possibly the output of gen_op_ld_T0_A0
> [ot]+ s->mem_index]();
> 0x08d30fd9:  mov    %ebx,0x8(%ebp)	// this is the output of gen_op_mov_reg_T0
> [ot][reg](); (translate.c:4005)
> ...
> 
> 
> therefore, i think the following code in translate.c should be executed:
> 
> case 0x8b: /* mov Ev, Gv */
>         if ((b & 1) == 0)
>             ot = OT_BYTE;
>         else
>             ot = OT_WORD + dflag;
>         modrm = ldub_code(s->pc++);
>         reg = ((modrm >> 3) & 7) | rex_r;
>         
>         gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>         gen_op_mov_reg_T0[ot][reg]();
>         break;
> 
> 
> i debugged some time and found out that the last gen_op
> 
>         gen_op_mov_reg_T0[ot][reg]();
> 
> only produces 
> 
>         mov    %ebx,0x8(%ebp).
> 
> thus, the rest of the OUT-codes is produced by
> 
>        gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
> 
> however, i tried reading through the code but i could not find the function 
> where
> 
>       0x08d30fca:  call   0x80ee06a           // __ldl_mmu
> 
> is inserted into the translation-buffer... i (think to) know why it must be 
> inserted, but i just cannot figure out where it is put into the buffer.
> 
> if someone could point that out, it would help me a LOT!
> thanks,
>   Clemens
> 
> 

-- 
___________________________________________________brainaid_____________
Eddie C. Dost           Rue de la Chapelle 51      phone +32 87 788817
                        B-4850 Moresnet            fax   +32 87 788818
ecd@brainaid.de         Belgium                    cell  +49 172 9312808

[Qemu-devel] Re: Re: softMMU / MOV translation

[Clemens Kolbitsch]

found the functions in target-xxx/ops_mem.h

the macros confused my grepping, but how much more self-speaking can a 
filename be *gg* ??

oh well... i found it :-)