From: Ziqiao Kong <ziqiaokong@gmail.com>
To: qemu-devel@nongnu.org
Cc: Ziqiao Kong <ziqiaokong@gmail.com>,
qemu-trivial@nongnu.org,
Richard Henderson <richard.henderson@linaro.org>
Subject: [PATCH 0/1] Fix tcg assert when decoding "lock cmp"
Date: Thu, 15 Feb 2024 17:50:15 +0800
Message-ID: <20240215095015.570748-1-ziqiaokong@gmail.com>
(Resending again because I found I had accidentally unsubscribed from the list. And
sorry for the disturbance to Richard.)
Hello QEMU Developers! I'm from the downstream project Unicorn
Engine (https://github.com/unicorn-engine/unicorn). I identified a simple
bug that triggers a tcg assertion in QEMU. Although I used a usermode
use case to illustrate the bug, it shall also affect system emulation.
Assume a binary looks like:
```
08049845 <main>:
8049845: 55 push %ebp
8049846: 89 e5 mov %esp,%ebp
8049848: e8 0e 00 00 00 call 804985b <__x86.get_pc_thunk.ax>
804984d: 90 nop
804984e: 90 nop
804984f: 90 nop
8049850: 90 nop
8049851: 90 nop
8049852: f0 38 b8 00 00 00 00 lock cmp %bh,0x0(%eax)
8049859: 5d pop %ebp
804985a: c3 ret
```
Executing this with
```
./i386-linux-user/qemu-i386 -d op,op_opt ./tt 2>&1 | tail -100
```
gives:
```
OP:
...
...
---- 0000000008049852 0000000000000000
mov_i32 loc2,eax
extract_i32 loc1,ebx,$0x8,$0x8
mov_i32 cc_src,loc1
mov_i32 loc8,loc0 // loc0 undefined!
...
...
OP after optimization and liveness analysis:
...
...
---- 0000000008049852 0000000000000000
extract_i32 tmp1,ebx,$0x8,$0x8 dead: 1 pref=0xffff
mov_i32 cc_src,tmp1 sync: 0 dead: 1 pref=0xffff
sub_i32 cc_dst,tmp0,cc_src sync: 0 dead: 0 1 2 pref=0xffff // so does tmp0!
...
...
ERROR:../tcg/tcg.c:4446:temp_load: code should not be reached
Bail out! ERROR:../tcg/tcg.c:4446:temp_load: code should not be reached
```
This results in an assertion error because when decoding "lock cmp %bh,0x0(%eax)",
s->T0 is not properly initialized in gen_op. However, the root cause is that
this instruction is illegal referring to the Intel manual. Therefore, I add
an extra check to generate the corresponding illegal opcode exception.
Signed-off-by: Ziqiao Kong <ziqiaokong@gmail.com>
Ziqiao Kong (1):
Generate an illegal opcode exception on cmp instructions with lock
prefix
target/i386/tcg/translate.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--
2.40.1
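As an added illustration that is not part of the patch, QEMU, or Unicorn, here is the check the cover letter describes written stand-alone: given raw x86 bytes, decide whether a LOCK prefix is legal for the instruction it precedes, using the Intel SDM's list of lockable instructions and the memory-destination requirement. The bytes `f0 38 b8 00 00 00 00` from the listing above are the `lock cmp %bh,0x0(%eax)` case; 32-bit code without REX prefixes is assumed, and the other byte sequences in the test are constructed.

```python
# Added example, not QEMU or Unicorn code: decide whether a LOCK prefix is
# legal for the x86 instruction it precedes. Per the Intel SDM, LOCK is only
# allowed on a fixed set of read-modify-write instructions with a memory
# destination; any other use raises #UD. Assumes 32-bit code (no REX).

LOCK = 0xF0
OTHER_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF2, 0xF3}

# One-byte opcodes whose r/m,r memory forms are lockable.
LOCKABLE_1BYTE = {
    0x00, 0x01, 0x08, 0x09, 0x10, 0x11, 0x18, 0x19,  # ADD, OR, ADC, SBB
    0x20, 0x21, 0x28, 0x29, 0x30, 0x31,              # AND, SUB, XOR
    0x86, 0x87,                                      # XCHG
}
# Two-byte (0F xx) opcodes: BTS, BTR, BTC, CMPXCHG, XADD.
LOCKABLE_2BYTE = {0xAB, 0xB3, 0xBB, 0xB0, 0xB1, 0xC0, 0xC1}


def lock_is_legal(code: bytes) -> bool:
    """True if the instruction at code[0] either has no LOCK prefix or is
    one of the lockable instructions with a memory destination."""
    i, has_lock = 0, False
    while i < len(code) and (code[i] == LOCK or code[i] in OTHER_PREFIXES):
        has_lock |= code[i] == LOCK
        i += 1
    if not has_lock:
        return True
    two_byte = i < len(code) and code[i] == 0x0F
    if two_byte:
        i += 1
    if i + 1 >= len(code):
        return False  # no ModRM byte, so no memory destination to lock
    opcode, modrm = code[i], code[i + 1]
    mod, reg = modrm >> 6, (modrm >> 3) & 7
    if mod == 3:
        return False  # register destination is never lockable
    if two_byte:
        # 0F BA /5,/6,/7 are BTS/BTR/BTC imm8; 0F C7 /1 is CMPXCHG8B.
        return (opcode in LOCKABLE_2BYTE
                or (opcode == 0xBA and reg in (5, 6, 7))
                or (opcode == 0xC7 and reg == 1))
    if opcode in LOCKABLE_1BYTE:
        return True
    if opcode in (0x80, 0x81, 0x83):  # group 1: ALU r/m, imm
        return reg != 7               # /7 is CMP, which is not lockable
    if opcode in (0xF6, 0xF7):        # group 3: /2 NOT, /3 NEG
        return reg in (2, 3)
    if opcode in (0xFE, 0xFF):        # group 4/5: /0 INC, /1 DEC
        return reg in (0, 1)
    return False                      # e.g. 0x38 CMP r/m8, r8 from the listing
```

A translator that applies this check before emitting code would raise the illegal-opcode exception for the listed instruction instead of reaching gen_op with an uninitialized temporary.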