From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1NKeq8-0003eO-E0 for qemu-devel@nongnu.org; Tue, 15 Dec 2009 16:21:52 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1NKeq3-0003c1-Am for qemu-devel@nongnu.org; Tue, 15 Dec 2009 16:21:52 -0500
Received: from [199.232.76.173] (port=50562 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1NKeq3-0003bs-2D for qemu-devel@nongnu.org; Tue, 15 Dec 2009 16:21:47 -0500
Received: from mail2.shareable.org ([80.68.89.115]:43740) by monty-python.gnu.org with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.60) id 1NKeq2-0002a9-PE for qemu-devel@nongnu.org; Tue, 15 Dec 2009 16:21:47 -0500
Date: Tue, 15 Dec 2009 21:21:27 +0000
From: Jamie Lokier
To: Avi Kivity
Cc: Clemens Kolbitsch, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Message-ID: <20091215212127.GB26319@shareable.org>
References: <200912151948.53307.ck@iseclab.org> <4B27E95C.8040903@redhat.com>
In-Reply-To: <4B27E95C.8040903@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
List-Id: qemu-devel.nongnu.org

Avi Kivity wrote:
> On 12/15/2009 08:48 PM, Clemens Kolbitsch wrote:
> > Hi list,
> >
> > I'm experiencing a strange emulation bug with the op-code below. The
> > instruction raises a segfault in the application (running on the guest),
> > however, if I enable KVM to run the exact same application, no segfault is
> > raised.
> >
> > 0x0080023b: 8b 04 65 11 22 33 44    mov regEAX, [0x44332211]
> >
> > where "11 22 33 44" is just some address. According to gdb (on a 32-bit
> > little-endian machine), this instruction can be disassembled as a "mov
> > address to reg-eax".
> >
>
> This is an odd encoding for this instruction, since there is a shorter
> one possible (8b 05 11 22 33 44). So it is possible there is a bug in
> qemu that has never been triggered because compilers/assemblers don't
> generate this encoding.
>
> btw, binutils disassembles this as
>
>   8b 04 65 11 22 33 44    mov 0x44332211(,%eiz,2),%eax
>
> I guess %eiz is some mnemonic for a "zero register" so the assembly can
> be reassembled into a 7-byte instruction later.

That's right. Gas accepts it if given the undocumented -mindex-reg flag,
apparently.

%eiz / eiz appears to be a Gas-specific invention, not standard AT&T or
Intel syntax.

-- Jamie
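The thread turns on one detail of 32-bit x86 addressing: in a SIB byte, index field 100 means "no index register" (binutils spells it %eiz), and base field 101 with mod 00 means "no base, just a disp32". The example below is added here and is not code from the thread, from QEMU or from binutils. It decodes the two encodings quoted above (8b 04 65 11 22 33 44 and 8b 05 11 22 33 44) with a small ModRM/SIB decoder, shows that both resolve to the same effective address 0x44332211, and includes a hypothetical `honor_no_index=False` switch that models a decoder which mistakes index=100 for ESP, so the load lands at the wrong address. That switch is an illustration of the failure mode, not a claim about what QEMU's actual bug was; the register names, sample register values and the simplified AT&T renderer are assumptions of this example.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample inputs: the two encodings discussed in the thread.
THREAD_BYTES = bytes.fromhex("8b046511223344")  # 7-byte form with SIB
SHORT_BYTES = bytes.fromhex("8b0511223344")     # 6-byte disp32-only form
# Constructed register file used to evaluate effective addresses.
SAMPLE_REGS = {r: 0 for r in REGS}
SAMPLE_REGS["esp"] = 0x1000


def decode_mov_r32_rm32(code, honor_no_index=True):
    """Decode `8B /r` (mov r32, r/m32) in 32-bit mode at the start of `code`.

    Returns (length, dst_reg, operand). operand is {"reg": name} for a
    register source, otherwise {"base", "index", "scale", "disp", "sib"}.

    honor_no_index=False is a hypothetical "buggy decoder" mode: it forgets
    that SIB.index == 100 means "no index" and reads ESP instead.
    """
    if code[0] != 0x8B:
        raise ValueError("expected opcode 8B (mov r32, r/m32)")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos = 2
    dst = REGS[reg]
    if mod == 3:
        return pos, dst, {"reg": REGS[rm]}

    mem = {"base": None, "index": None, "scale": 1, "disp": 0, "sib": False}
    if rm == 4:                        # rm=100: a SIB byte follows
        sib = code[pos]
        pos += 1
        ss, idx, bas = sib >> 6, (sib >> 3) & 7, sib & 7
        mem["sib"] = True
        mem["scale"] = 1 << ss
        if idx != 4 or not honor_no_index:
            mem["index"] = REGS[idx]   # idx=100 is "no index" (%eiz in binutils)
        no_base = (bas == 5 and mod == 0)   # base=101 with mod=00: disp32 only
        mem["base"] = None if no_base else REGS[bas]
    else:
        no_base = (rm == 5 and mod == 0)    # rm=101 with mod=00: disp32 only
        mem["base"] = None if no_base else REGS[rm]

    if mod == 1:
        mem["disp"] = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    elif mod == 2 or no_base:
        mem["disp"] = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    return pos, dst, mem


def effective_address(mem, regs):
    """Compute the 32-bit offset referenced by a decoded memory operand."""
    ea = mem["disp"]
    if mem["base"]:
        ea += regs[mem["base"]]
    if mem["index"]:
        ea += regs[mem["index"]] * mem["scale"]
    return ea & 0xFFFFFFFF


def att_syntax(dst, mem):
    """Render in the AT&T style of the objdump line quoted in the thread.
    Simplified: %eiz is printed whenever a SIB byte carries no index."""
    if "reg" in mem:
        return f"mov %{mem['reg']},%{dst}"
    show_disp = mem["disp"] != 0 or mem["base"] is None
    disp = f"0x{mem['disp'] & 0xFFFFFFFF:x}" if show_disp else ""
    base = f"%{mem['base']}" if mem["base"] else ""
    if mem["sib"]:
        addr = f"{disp}({base},%{mem['index'] or 'eiz'},{mem['scale']})"
    elif base:
        addr = f"{disp}({base})"
    else:
        addr = disp
    return f"mov {addr},%{dst}"


if __name__ == "__main__":
    for name, code in (("7-byte", THREAD_BYTES), ("6-byte", SHORT_BYTES)):
        n, dst, mem = decode_mov_r32_rm32(code)
        ea = effective_address(mem, SAMPLE_REGS)
        print(f"{name}: len={n} {att_syntax(dst, mem)} -> EA=0x{ea:08x}")
    n, dst, mem = decode_mov_r32_rm32(THREAD_BYTES, honor_no_index=False)
    ea = effective_address(mem, SAMPLE_REGS)
    print(f"buggy decode of 7-byte form: {att_syntax(dst, mem)} -> EA=0x{ea:08x}")
```

Running it shows the 7-byte and 6-byte forms decoding to the same `0x44332211`, while the modelled decoder error adds `2 * ESP` and produces a different address; a guest that only ever sees compiler-generated (6-byte) encodings would never exercise that path, which is why a test corpus for an emulator should include the redundant SIB forms an assembler can emit, not just the canonical ones.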