From: Clemens Kolbitsch
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Date: Wed, 16 Dec 2009 09:56:10 +0100
References: <200912151948.53307.ck@iseclab.org> <4B27E95C.8040903@redhat.com>
In-Reply-To: <4B27E95C.8040903@redhat.com>
Message-Id: <200912160956.10748.ck@iseclab.org>
To: qemu-devel@nongnu.org
Cc: Avi Kivity

On Tuesday 15 December 2009 08:54:04 pm Avi Kivity wrote:
> On 12/15/2009 08:48 PM, Clemens Kolbitsch wrote:
> > Hi list,
> >
> > I'm experiencing a strange emulation bug with the op-code below. The
> > instruction raises a segfault in the application (running on the guest),
> > however, if I enable KVM to run the exact same application, no segfault
> > is raised.
> >
> > 0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
> >
> > where "11 22 33 44" is just some address. According to gdb (on a 32bit
> > little-endian machine), this instruction can be disassembled as a "mov
> > address to reg-eax".
>
> This is an odd encoding for this instruction, since there is a shorter
> one possible (8b 05 11 22 33 44). So it is possible there is a bug in
> qemu that has never been triggered because compilers/assemblers don't
> generate this encoding.
>
> btw, binutils disassembles this as
>
> 8b 04 65 11 22 33 44 mov 0x44332211(,%eiz,2),%eax
>
> I guess %eiz is some mnemonic for a "zero register" so the assembly can
> be reassembled into a 7-byte instruction later.

Hi all,

thanks for the quick replies. I also saw that the instruction is disassembled
to the above instruction, but did not want to complicate my problem
description :)

Is there anything I can provide to help testing possible patches?

--Clemens
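The thread turns on two ModRM/SIB special cases: a SIB index field of 100 means "no index register" (what binutils prints as %eiz), and a SIB base field of 101 with mod=00 means "no base register, a disp32 follows". A decoder that takes either field value as a plain register number would compute a wrong effective address for the 7-byte form while still getting the common 6-byte form right, which is exactly the kind of encoding-specific bug being speculated about. The C decoder below is an added example written for this page; it is not QEMU's decoder and not code from anyone in the thread. It decodes only the "8b /r" (mov r32, r/m32) memory forms with 32-bit addressing and no prefixes, and the register file values it uses are constructed so that any stray use of esp or ebp shows up in the result.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* 32-bit register file in ModRM reg/rm numbering: eax, ecx, edx, ebx, esp, ebp, esi, edi. */
enum { REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };
typedef struct { uint32_t r[8]; } regs_t;

typedef struct {
    int      len;     /* bytes consumed, or -1 if the bytes are not a memory-form "8b /r" */
    int      reg;     /* destination register, ModRM.reg */
    int      has_sib; /* 1 when a SIB byte was present */
    uint32_t ea;      /* effective address of the memory operand */
} mov_decode_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode "8b /r" (mov r32, r/m32) with a memory operand: 32-bit address size, no prefixes.
 * The two special cases from the thread are handled explicitly:
 *  - ModRM mod=00 rm=101 -> [disp32], no base register (the 6-byte form)
 *  - ModRM rm=100 -> SIB byte follows; SIB index=100 means "no index" (%eiz in binutils),
 *    and SIB base=101 with mod=00 means "no base, disp32 follows" (the 7-byte form). */
mov_decode_t decode_mov_r32_rm32(const uint8_t *code, size_t n, const regs_t *regs) {
    mov_decode_t d = { -1, 0, 0, 0 };
    size_t pos = 0;
    if (n < 2 || code[pos++] != 0x8b) return d;
    uint8_t modrm = code[pos++];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3) return d;                            /* register-direct form: no memory operand */
    int disp_size = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;
    uint32_t base = 0, index = 0, disp = 0;

    if (rm == 4) {                                     /* SIB byte follows */
        if (pos >= n) return d;
        uint8_t sib = code[pos++];
        int scale = sib >> 6, idx = (sib >> 3) & 7, bse = sib & 7;
        d.has_sib = 1;
        if (idx != 4) index = regs->r[idx] << scale;   /* idx=100: no index register at all */
        if (bse == 5 && mod == 0) disp_size = 4;       /* base=101 with mod=00: disp32, no base */
        else base = regs->r[bse];
    } else if (rm == 5 && mod == 0) {
        disp_size = 4;                                 /* plain [disp32] */
    } else {
        base = regs->r[rm];
    }
    if (pos + disp_size > n) return d;                 /* truncated displacement */
    if (disp_size == 1) disp = (uint32_t)(int32_t)(int8_t)code[pos];
    else if (disp_size == 4) disp = rd32le(code + pos);
    pos += disp_size;
    d.len = (int)pos; d.reg = reg; d.ea = base + index + disp;
    return d;
}

/* Constructed register file: every register non-zero and distinct, so a decoder that
 * wrongly adds esp (number 4) as an index or ebp (number 5) as a base changes the result. */
static regs_t constructed_regs(void) {
    regs_t regs;
    for (int i = 0; i < 8; i++) regs.r[i] = 0x1000u * (uint32_t)(i + 1);
    return regs;
}

/* The two encodings from the thread must give the same destination and address. */
int encodings_agree(void) {
    static const uint8_t sib_form[]   = { 0x8b, 0x04, 0x65, 0x11, 0x22, 0x33, 0x44 }; /* 7-byte form */
    static const uint8_t short_form[] = { 0x8b, 0x05, 0x11, 0x22, 0x33, 0x44 };       /* 6-byte form */
    regs_t regs = constructed_regs();
    mov_decode_t a = decode_mov_r32_rm32(sib_form, sizeof sib_form, &regs);
    mov_decode_t b = decode_mov_r32_rm32(short_form, sizeof short_form, &regs);
    return a.len == 7 && b.len == 6 && a.has_sib && !b.has_sib &&
           a.reg == REG_EAX && b.reg == REG_EAX && a.ea == 0x44332211u && b.ea == a.ea;
}

/* A common SIB form with a real base, mov eax,[esp+8], must still decode normally. */
int esp_relative_ok(void) {
    static const uint8_t code[] = { 0x8b, 0x44, 0x24, 0x08 };
    regs_t regs = constructed_regs();
    mov_decode_t d = decode_mov_r32_rm32(code, sizeof code, &regs);
    return d.len == 4 && d.has_sib && d.ea == regs.r[REG_ESP] + 8;
}

/* The 7-byte form cut off after one displacement byte must be rejected, not misread. */
int truncated_rejected(void) {
    static const uint8_t code[] = { 0x8b, 0x04, 0x65, 0x11 };
    regs_t regs = constructed_regs();
    return decode_mov_r32_rm32(code, sizeof code, &regs).len == -1;
}

int main(void) {
    printf("encodings agree:    %s\n", encodings_agree() ? "yes" : "no");
    printf("esp-relative ok:    %s\n", esp_relative_ok() ? "yes" : "no");
    printf("truncated rejected: %s\n", truncated_rejected() ? "yes" : "no");
    return 0;
}
```

Feeding both encodings through the same decoder and comparing the results is the natural regression check for this report: the compact form is what compilers emit and gets exercised constantly, while the SIB form with neither base nor index only appears in hand-written or deliberately padded code, so a divergence between the two is what a test needs to catch.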