From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.33) id 1Bp6ON-0007yb-Kq for qemu-devel@nongnu.org; Mon, 26 Jul 2004 10:23:51 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.33) id 1Bp6OM-0007yH-R7 for qemu-devel@nongnu.org; Mon, 26 Jul 2004 10:23:51 -0400 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.33) id 1Bp6OM-0007yE-OZ for qemu-devel@nongnu.org; Mon, 26 Jul 2004 10:23:50 -0400 Received: from [80.91.224.249] (helo=main.gmane.org) by monty-python.gnu.org with esmtp (Exim 4.34) id 1Bp6L5-0006ke-0n for qemu-devel@nongnu.org; Mon, 26 Jul 2004 10:20:27 -0400 Received: from root by main.gmane.org with local (Exim 3.35 #1 (Debian)) id 1Bp6Kz-0004cm-00 for ; Mon, 26 Jul 2004 16:20:21 +0200 Received: from vserver.cs.uit.no ([129.242.16.151]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 26 Jul 2004 16:20:21 +0200 Received: from frodef by vserver.cs.uit.no with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 26 Jul 2004 16:20:21 +0200 From: Frode Vatvedt Fjeld Date: Mon, 26 Jul 2004 15:41:53 +0200 Message-ID: <2h4qnuevha.fsf@vserver.cs.uit.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: news Subject: [Qemu-devel] Bug in emulation of 'bound' x86 instruction? Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org I suspect that there is a bug in Qemu's emulation of the x86 'bound' instruction. The effect of this bug seems to be that 1 is added to the ESP register, which of course wreaks havoc on everything. I'm not confident I understand the information in /tmp/qemu.log, but as I said I suspect that the following instruction from the in_asm output is the culprit: 0x0015d716: bound %esp,%fs:0xffffffe7(%edi) This instruction, in 32-bit protected mode, is intended to verify that ESP lies within the pair of bounds stored at the memory operand.
These bounds are located at the physical address 0x100054, which is the effective address the instruction computes: EDI=0x6d, the displacement 0xffffffe7 is -0x19, and the FS selector points to a segment whose base is 0x100000. I have verified that exactly the same thing happens when the FS-override instruction prefix is removed from the bound instruction above, so that the DS segment, which happens to be identical to the FS segment, is used instead. The following is a piece of /tmp/qemu.log that I hope provides the relevant context. As you can see, the value of ESP changes to an odd value for no good reason (note that the new ESP value, 0x000cdeb9, happens to equal the old EAX value). EAX=000cdeb9 EBX=0005d713 ECX=00000001 EDX=00000001 ESI=0003750e EDI=0000006d EBP=000cded8 ESP=000cdeb8 EIP=0005d713 EFL=00040002 [-------] CPL=0 II=0 A20=1 ES =0020 00100000 fff00fff 00cf9310 CS =0018 00100000 fff00fff 00cf9a10 SS =0020 00100000 fff00fff 00cf9310 DS =0020 00100000 fff00fff 00cf9310 FS =0028 00100000 fff00fff 00cf9310 GS =0010 00000000 ffffffff 00cf9300 LDT=0000 00000000 0000ffff 00008000 TR =0000 00000000 0000ffff 00008000 GDT= 00100330 0000003f IDT= 001018a8 000003f7 CR0=60000011 CR2=00000000 CR3=00000000 CR4=00000000 CCS=00000001 CCD=00000000 CCO=SUBL ---------------- IN: 0x0015d713: mov %eax,0xfffffff8(%ebp) 0x0015d716: bound %esp,%fs:0xffffffe7(%edi) 0x0015d71a: mov 0x5e(%esi),%ebx 0x0015d71d: mov 0x21(%edi,%esi,1),%eax 0x0015d721: mov 0x62(%esi),%edx 0x0015d724: mov 0xfffffffd(%edx),%esi 0x0015d727: call *0x6(%esi) OUT: [size=734] 0x087d8b40: mov 0x14(%ebp),%edi 0x087d8b43: add $0xfffffff8,%edi 0x087d8b49: add 0xe8(%ebp),%edi 0x087d8b4f: mov 0x0(%ebp),%ebx 0x087d8b52: push %eax 0x087d8b53: mov %edi,%eax 0x087d8b55: shr $0xc,%eax 0x087d8b58: movzbl %al,%edx 0x087d8b5b: mov %edi,%eax 0x087d8b5d: and $0xfffff003,%eax 0x087d8b62: cmp %eax,0x11fc(%ebp,%edx,8) 0x087d8b69: mov %edi,%ecx 0x087d8b6b: mov %ebx,(%esp,1) 0x087d8b6e: je 0x87d8b82 0x087d8b70: push $0x0 0x087d8b72: mov 0x4(%esp,1),%edx 0x087d8b76: mov %edi,%eax 0x087d8b78: call 0x80a37c0 0x087d8b7d: pop %ecx 0x087d8b7e:
jmp 0x87d8b8e 0x087d8b80: mov %esi,%esi 0x087d8b82: add 0x1200(%ebp,%edx,8),%ecx 0x087d8b89: mov (%esp,1),%eax 0x087d8b8c: mov %eax,(%ecx) 0x087d8b8e: pop %edx 0x087d8b8f: mov %ebx,0x10(%ebp) 0x087d8b92: mov 0x1c(%ebp),%edi 0x087d8b95: add $0xffffffe7,%edi 0x087d8b9b: add 0x108(%ebp),%edi 0x087d8ba1: sub $0x10,%esp 0x087d8ba4: mov 0x38(%ebp),%eax 0x087d8ba7: mov %edi,%edx 0x087d8ba9: shr $0xc,%edx 0x087d8bac: mov %eax,(%esp,1) 0x087d8baf: and $0x3,%eax 0x087d8bb2: and $0xff,%edx 0x087d8bb8: cmp $0x3,%eax 0x087d8bbb: sete %al 0x087d8bbe: movzbl %al,%eax 0x087d8bc1: mov %eax,0x8(%esp,1) 0x087d8bc5: shl $0x8,%eax 0x087d8bc8: lea (%edx,%eax,1),%edx 0x087d8bcb: mov %edi,%eax 0x087d8bcd: and $0xfffff003,%eax 0x087d8bd2: cmp %eax,0x1fc(%ebp,%edx,8) 0x087d8bd9: mov %edi,%ecx 0x087d8bdb: je 0x87d8bf5 0x087d8bdd: pushl 0x8(%esp,1) 0x087d8be1: mov %edi,%eax 0x087d8be3: call 0x80a35c0 0x087d8be8: pop %ecx 0x087d8be9: mov %eax,0xc(%esp,1) 0x087d8bed: mov 0x38(%ebp),%eax 0x087d8bf0: mov %eax,(%esp,1) 0x087d8bf3: jmp 0x87d8c02 0x087d8bf5: add 0x200(%ebp,%edx,8),%ecx 0x087d8bfc: mov (%ecx),%ecx 0x087d8bfe: mov %ecx,0xc(%esp,1) 0x087d8c02: lea 0x4(%edi),%ecx 0x087d8c05: mov %ecx,%edx 0x087d8c07: shr $0xc,%edx 0x087d8c0a: andl $0x3,(%esp,1) 0x087d8c0e: and $0xff,%edx 0x087d8c14: xor %eax,%eax 0x087d8c16: cmpl $0x3,(%esp,1) 0x087d8c1a: sete %al 0x087d8c1d: mov %eax,0x4(%esp,1) 0x087d8c21: shl $0x8,%eax 0x087d8c24: lea (%edx,%eax,1),%edx 0x087d8c27: mov %ecx,%eax 0x087d8c29: and $0xfffff003,%eax 0x087d8c2e: cmp %eax,0x1fc(%ebp,%edx,8) 0x087d8c35: je 0x87d8c45 0x087d8c37: pushl 0x4(%esp,1) 0x087d8c3b: mov %ecx,%eax 0x087d8c3d: call 0x80a35c0 0x087d8c42: pop %edx 0x087d8c43: jmp 0x87d8c4e 0x087d8c45: add 0x200(%ebp,%edx,8),%ecx 0x087d8c4c: mov (%ecx),%eax 0x087d8c4e: cmp 0xc(%esp,1),%ebx 0x087d8c52: jl 0x87d8c58 0x087d8c54: cmp %eax,%ebx 0x087d8c56: jle 0x87d8c67 0x087d8c58: push $0x5 0x087d8c5a: movl $0x5d716,0x20(%ebp) 0x087d8c61: call 0x809db68 0x087d8c66: pop %eax 0x087d8c67: add 
$0x10,%esp 0x087d8c6a: mov 0x18(%ebp),%edi 0x087d8c6d: add $0x5e,%edi 0x087d8c73: add 0xf8(%ebp),%edi 0x087d8c79: mov %edi,%eax 0x087d8c7b: shr $0xc,%eax 0x087d8c7e: movzbl %al,%ecx 0x087d8c81: mov %edi,%eax 0x087d8c83: and $0xfffff003,%eax 0x087d8c88: cmp %eax,0x1fc(%ebp,%ecx,8) 0x087d8c8f: mov %edi,%edx 0x087d8c91: je 0x87d8ca1 0x087d8c93: push $0x0 0x087d8c95: mov %edi,%eax 0x087d8c97: call 0x80a35c0 0x087d8c9c: pop %edx 0x087d8c9d: jmp 0x87d8caa 0x087d8c9f: mov %esi,%esi 0x087d8ca1: add 0x200(%ebp,%ecx,8),%edx 0x087d8ca8: mov (%edx),%eax 0x087d8caa: mov %eax,%ebx 0x087d8cac: mov %ebx,0xc(%ebp) 0x087d8caf: mov 0x1c(%ebp),%edi 0x087d8cb2: add $0x21,%edi 0x087d8cb8: add 0x18(%ebp),%edi 0x087d8cbb: add 0xf8(%ebp),%edi 0x087d8cc1: mov %edi,%eax 0x087d8cc3: shr $0xc,%eax 0x087d8cc6: movzbl %al,%ecx 0x087d8cc9: mov %edi,%eax 0x087d8ccb: and $0xfffff003,%eax 0x087d8cd0: cmp %eax,0x1fc(%ebp,%ecx,8) 0x087d8cd7: mov %edi,%edx 0x087d8cd9: je 0x87d8ce9 0x087d8cdb: push $0x0 0x087d8cdd: mov %edi,%eax 0x087d8cdf: call 0x80a35c0 0x087d8ce4: pop %edx 0x087d8ce5: jmp 0x87d8cf2 0x087d8ce7: mov %esi,%esi 0x087d8ce9: add 0x200(%ebp,%ecx,8),%edx 0x087d8cf0: mov (%edx),%eax 0x087d8cf2: mov %eax,%ebx 0x087d8cf4: mov %ebx,0x0(%ebp) 0x087d8cf7: mov 0x18(%ebp),%edi 0x087d8cfa: add $0x62,%edi 0x087d8d00: add 0xf8(%ebp),%edi 0x087d8d06: mov %edi,%eax 0x087d8d08: shr $0xc,%eax 0x087d8d0b: movzbl %al,%ecx 0x087d8d0e: mov %edi,%eax 0x087d8d10: and $0xfffff003,%eax 0x087d8d15: cmp %eax,0x1fc(%ebp,%ecx,8) 0x087d8d1c: mov %edi,%edx 0x087d8d1e: je 0x87d8d2e 0x087d8d20: push $0x0 0x087d8d22: mov %edi,%eax 0x087d8d24: call 0x80a35c0 0x087d8d29: pop %edx 0x087d8d2a: jmp 0x87d8d37 0x087d8d2c: mov %esi,%esi 0x087d8d2e: add 0x200(%ebp,%ecx,8),%edx 0x087d8d35: mov (%edx),%eax 0x087d8d37: mov %eax,%ebx 0x087d8d39: mov %ebx,0x8(%ebp) 0x087d8d3c: mov 0x8(%ebp),%edi 0x087d8d3f: add $0xfffffffd,%edi 0x087d8d45: add 0xf8(%ebp),%edi 0x087d8d4b: mov %edi,%eax 0x087d8d4d: shr $0xc,%eax 0x087d8d50: movzbl 
%al,%ecx 0x087d8d53: mov %edi,%eax 0x087d8d55: and $0xfffff003,%eax 0x087d8d5a: cmp %eax,0x1fc(%ebp,%ecx,8) 0x087d8d61: mov %edi,%edx 0x087d8d63: je 0x87d8d73 0x087d8d65: push $0x0 0x087d8d67: mov %edi,%eax 0x087d8d69: call 0x80a35c0 0x087d8d6e: pop %edx 0x087d8d6f: jmp 0x87d8d7c 0x087d8d71: mov %esi,%esi 0x087d8d73: add 0x200(%ebp,%ecx,8),%edx 0x087d8d7a: mov (%edx),%eax 0x087d8d7c: mov %eax,%ebx 0x087d8d7e: mov %ebx,0x18(%ebp) 0x087d8d81: mov 0x18(%ebp),%edi 0x087d8d84: add $0x6,%edi 0x087d8d8a: add 0xf8(%ebp),%edi 0x087d8d90: mov %edi,%eax 0x087d8d92: shr $0xc,%eax 0x087d8d95: movzbl %al,%ecx 0x087d8d98: mov %edi,%eax 0x087d8d9a: and $0xfffff003,%eax 0x087d8d9f: cmp %eax,0x1fc(%ebp,%ecx,8) 0x087d8da6: mov %edi,%edx 0x087d8da8: je 0x87d8db8 0x087d8daa: push $0x0 0x087d8dac: mov %edi,%eax 0x087d8dae: call 0x80a35c0 0x087d8db3: pop %edx 0x087d8db4: jmp 0x87d8dc1 0x087d8db6: mov %esi,%esi 0x087d8db8: add 0x200(%ebp,%ecx,8),%edx 0x087d8dbf: mov (%edx),%eax 0x087d8dc1: mov %eax,%ebx 0x087d8dc3: mov $0x5d72a,%esi 0x087d8dc8: mov 0x10(%ebp),%edi 0x087d8dcb: sub $0x4,%edi 0x087d8dce: add 0xe8(%ebp),%edi 0x087d8dd4: mov %edi,%eax 0x087d8dd6: shr $0xc,%eax 0x087d8dd9: push %edx 0x087d8dda: movzbl %al,%edx 0x087d8ddd: mov %edi,%eax 0x087d8ddf: and $0xfffff003,%eax 0x087d8de4: cmp %eax,0x11fc(%ebp,%edx,8) 0x087d8deb: mov %edi,%ecx 0x087d8ded: mov %esi,(%esp,1) 0x087d8df0: je 0x87d8e04 0x087d8df2: push $0x0 0x087d8df4: mov 0x4(%esp,1),%edx 0x087d8df8: mov %edi,%eax 0x087d8dfa: call 0x80a37c0 0x087d8dff: pop %eax 0x087d8e00: jmp 0x87d8e10 0x087d8e02: mov %esi,%esi 0x087d8e04: add 0x1200(%ebp,%edx,8),%ecx 0x087d8e0b: mov (%esp,1),%eax 0x087d8e0e: mov %eax,(%ecx) 0x087d8e10: pop %eax 0x087d8e11: addl $0xfffffffc,0x10(%ebp) 0x087d8e18: mov %ebx,0x20(%ebp) 0x087d8e1b: xor %ebx,%ebx 0x087d8e1d: ret EAX=0002ba2f EBX=0001c9af ECX=000cebf0 EDX=00013417 ESI=0003750e EDI=0000006d EBP=000cded8 ESP=000cdeb9 EIP=0005d72a EFL=00040002 [-------] CPL=0 II=0 A20=1 ES =0020 00100000 fff00fff 
00cf9310 CS =0018 00100000 fff00fff 00cf9a10 SS =0020 00100000 fff00fff 00cf9310 DS =0020 00100000 fff00fff 00cf9310 FS =0028 00100000 fff00fff 00cf9310 GS =0010 00000000 ffffffff 00cf9300 LDT=0000 00000000 0000ffff 00008000 TR =0000 00000000 0000ffff 00008000 GDT= 00100330 0000003f IDT= 001018a8 000003f7 CR0=60000011 CR2=00000000 CR3=00000000 CR4=00000000 CCS=00000044 CCD=00000000 CCO=EFLAGS ---------------- Regards, -- Frode Vatvedt Fjeld