From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <411F7885.6060302@bellard.org>
Date: Sun, 15 Aug 2004 16:51:49 +0200
From: Fabrice Bellard
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Bug in emulation of 'bound' x86 instruction?
References: <2h4qnuevha.fsf@vserver.cs.uit.no>
In-Reply-To: <2h4qnuevha.fsf@vserver.cs.uit.no>

Hi,

I just fixed the bug you mentioned regarding the 'bound' instruction.
Any code using the bound instruction was likely to fail, so this fix may allow new OSes or programs to run... Thank you for the bug report!

Fabrice.

Frode Vatvedt Fjeld wrote:
> I'm suspecting that there's a bug in Qemu's emulation of the x86
> 'bound' instruction. The effect of this bug seems to be to add 1 to
> the ESP register, which of course havocs everything.
>
> I'm not confident I understand the information in /tmp/qemu.log, but
> as I said I suspect that the following in_asm is the culprit:
>
> 0x0015d716: bound %esp,%fs:0xffffffe7(%edi)
>
> This instruction, in 32-bit protected mode, is intended to verify that
> ESP is within some bounds. These bounds are located at the physical
> address 0x100054, which is the result of the instruction's address
> because EDI=0x6d and the FS selector points to a segment that starts
> at 0x100000.
>
> I have verified that the exact same thing happens when the FS-override
> instruction prefix is removed from the bound instruction above, so
> that the DS segment, which happens to be identical to the FS segment,
> is used.
>
> The following is a piece of /tmp/qemu.log that I hope provides the
> relevant context. As you can see, the value of ESP appears to change
> to an odd value for no good reason.
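The semantics the report relies on, as an added example written for this page (it is not QEMU's code and not from either poster): a software model of BOUND r32, m32&32 as the Intel SDM defines it, plus the segment-base + index + displacement arithmetic that puts the bounds pair at 0x100054. The instruction is modelled rather than executed because opcode 0x62 is invalid in 64-bit mode, so it cannot be run natively on a 64-bit host. EDI=0x6d, the FS base 0x100000 and the displacement 0xffffffe7 come from the report; the `struct cpu` layout, the 256-byte memory window, the chosen ESP values and the planted bounds are assumptions for illustration. The property worth checking is the one the report says was violated: BOUND only reads its register operand, so ESP must be identical before and after the check, whether or not #BR is raised.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Guest memory is modelled as one 256-byte window starting at WINDOW_BASE,
 * enough to hold the bounds pair at 0x100054 from the report. Constructed
 * fixture for this example, not QEMU's memory model. */
#define WINDOW_BASE 0x100000u
#define WINDOW_SIZE 256u

struct cpu {
    uint32_t esp, edi;
    uint32_t fs_base;          /* linear base of the segment FS selects (assumed flat) */
    uint8_t  mem[WINDOW_SIZE]; /* bytes at WINDOW_BASE .. WINDOW_BASE+255 */
    int      br_fault;         /* set when #BR (vector 5) would be raised */
    int      mem_fault;        /* set when an operand lies outside the window */
};

/* Effective address of "disp(index)" under a segment override. The add
 * wraps modulo 2^32, so disp 0xffffffe7 behaves as -0x19. */
static uint32_t ea_disp_index(uint32_t seg_base, uint32_t index, uint32_t disp)
{
    return seg_base + index + disp;
}

/* Signed 32-bit load from the window; stores and loads both use host byte
 * order, which keeps the model self-consistent on any host. */
static int load32(struct cpu *c, uint32_t addr, int32_t *out)
{
    uint32_t off = addr - WINDOW_BASE;
    if (addr < WINDOW_BASE || off + 4u > WINDOW_SIZE) {
        c->mem_fault = 1;
        return -1;
    }
    memcpy(out, c->mem + off, 4);
    return 0;
}

/* BOUND r32, m32&32: the memory operand holds two signed dwords, lower
 * then upper. If r32 < lower or r32 > upper the CPU raises #BR. The
 * register operand is read and never written. */
static void x86_bound32(struct cpu *c, uint32_t reg, uint32_t m_addr)
{
    int32_t lower, upper;
    if (load32(c, m_addr, &lower) || load32(c, m_addr + 4, &upper))
        return;                         /* memory fault takes precedence */
    if ((int32_t)reg < lower || (int32_t)reg > upper)
        c->br_fault = 1;
}

/* Emulate exactly the instruction quoted in the report:
 *     bound %esp,%fs:0xffffffe7(%edi)
 * and return the effective address that was checked. */
static uint32_t emulate_reported_bound(struct cpu *c)
{
    uint32_t ea = ea_disp_index(c->fs_base, c->edi, 0xffffffe7u);
    x86_bound32(c, c->esp, ea);
    return ea;
}

/* State from the report (EDI=0x6d, FS base 0x100000) with a chosen ESP and
 * a bounds pair planted at 0x100054 / 0x100058. */
static void make_cpu(struct cpu *c, uint32_t esp, int32_t lower, int32_t upper)
{
    memset(c, 0, sizeof *c);
    c->esp = esp;
    c->edi = 0x6d;
    c->fs_base = 0x100000u;
    memcpy(c->mem + (0x100054u - WINDOW_BASE), &lower, 4);
    memcpy(c->mem + (0x100058u - WINDOW_BASE), &upper, 4);
}

int main(void)
{
    struct cpu c;
    uint32_t before, ea;

    make_cpu(&c, 0x00200000u, 0x00100000, 0x00300000);   /* ESP inside bounds */
    before = c.esp;
    ea = emulate_reported_bound(&c);
    printf("ea=0x%x br=%d esp_unchanged=%d\n", ea, c.br_fault, c.esp == before);

    make_cpu(&c, 0x00400000u, 0x00100000, 0x00300000);   /* ESP above upper */
    before = c.esp;
    emulate_reported_bound(&c);
    printf("out of range: br=%d esp_unchanged=%d\n", c.br_fault, c.esp == before);
    return 0;
}
```

The address check reproduces the report's arithmetic: 0x100000 + 0x6d + 0xffffffe7 wraps to 0x100054, which is why dropping the FS override changes nothing when DS has the same base. An emulator test for this instruction should assert on both outcomes (in range, out of range) that the register operand is untouched; a stray write to ESP here is exactly what the reporter observed.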