Message-ID: <4B28A2F5.5060402@redhat.com>
Date: Wed, 16 Dec 2009 11:05:57 +0200
From: Avi Kivity
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
In-Reply-To: <200912160956.10748.ck@iseclab.org>
To: Clemens Kolbitsch
Cc: qemu-devel@nongnu.org

On 12/16/2009 10:56 AM, Clemens Kolbitsch wrote:
> On Tuesday 15 December 2009 08:54:04 pm Avi Kivity wrote:
>
>> On 12/15/2009 08:48 PM, Clemens Kolbitsch wrote:
>>
>>> Hi list,
>>>
>>> I'm experiencing a strange emulation bug with the op-code below. The
>>> instruction raises a segfault in the application (running on the guest),
>>> however, if I enable KVM to run the exact same application, no segfault
>>> is raised.
>>>
>>> 0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
>>>
>>> where "11 22 33 44" is just some address. According to gdb (on a 32bit
>>> little-endian machine), this instruction can be disassembled as a "mov
>>> address to reg-eax".
>>>
>> This is an odd encoding for this instruction, since there is a shorter
>> one possible (8b 05 11 22 33 44). So it is possible there is a bug in
>> qemu that has never been triggered because compilers/assemblers don't
>> generate this encoding.
>>
>> btw, binutils disassembles this as
>>
>> 8b 04 65 11 22 33 44 mov 0x44332211(,%eiz,2),%eax
>>
>> I guess %eiz is some mnemonic for a "zero register" so the assembly can
>> be reassembled into a 7-byte instruction later.
>>
> Hi all,
> thanks for the quick replies. I also saw that the instruction is disassembled
> to the above instruction, but did not want to complicate my problem
> description :)
> Is there anything I can provide to help testing possible patches?
>
A good first step is to write those possible patches. It shouldn't be
difficult, start in target-i386/translate.c:disas_insn().

--
error compiling committee.c: too many arguments to function
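Added example, not from the thread and not QEMU's own decoder: a minimal ModRM/SIB decoder in C for the 32-bit-mode `8b /r` load, showing that the 7-byte `8b 04 65 11 22 33 44` (SIB with index=100b, i.e. no index, the `%eiz` binutils prints) and the 6-byte `8b 05 11 22 33 44` resolve to the same effective address, and that a decoder which forgets the "SIB base=101b with mod=00 means disp32, no base" rule would read the wrong operand. The `struct memop`, `decode_mov_load` and `effective_address` names are my own.

```c
#include <stdint.h>
#include <stddef.h>
/* Decoded memory operand of a 32-bit-mode "mov r32, r/m32" (opcode 8b /r).
 * base/index are register numbers (0 = eax), or -1 when absent; an absent
 * index is what binutils prints as the %eiz placeholder. */
struct memop { int reg, base, index, scale; uint32_t disp; size_t len; };

/* Decode "8b /r" with a memory operand, no prefixes. Returns 0 on success,
 * -1 for another opcode, a register-direct form, or truncated input. */
static int decode_mov_load(const uint8_t *p, size_t n, struct memop *m)
{
    size_t i = 0;
    if (n < 2 || p[i++] != 0x8b) return -1;
    uint8_t modrm = p[i++];
    int mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return -1;                /* register operand, not memory */
    m->reg = (modrm >> 3) & 7; m->index = -1; m->scale = 1; m->disp = 0;
    if (rm == 4) {                          /* rm=100b: a SIB byte follows */
        if (i >= n) return -1;
        uint8_t sib = p[i++];
        int idx = (sib >> 3) & 7, base = sib & 7;
        m->scale = 1 << (sib >> 6);
        m->index = (idx == 4) ? -1 : idx;   /* index=100b means "no index" */
        m->base = base;
        if (base == 5 && mod == 0) { m->base = -1; mod = 2; } /* disp32 only */
    } else if (rm == 5 && mod == 0) {       /* the short form: disp32 only */
        m->base = -1; mod = 2;
    } else {
        m->base = rm;
    }
    if (mod == 1) {                         /* disp8, sign-extended */
        if (i + 1 > n) return -1;
        m->disp = (uint32_t)(int32_t)(int8_t)p[i++];
    } else if (mod == 2) {                  /* disp32, little-endian */
        if (i + 4 > n) return -1;
        m->disp = (uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                  (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24;
        i += 4;
    }
    m->len = i;
    return 0;
}

/* Effective address for a register file r[0..7]; absent base/index add 0. */
static uint32_t effective_address(const struct memop *m, const uint32_t r[8])
{
    uint32_t ea = m->disp + (m->base >= 0 ? r[m->base] : 0);
    return ea + (m->index >= 0 ? r[m->index] * (uint32_t)m->scale : 0);
}
```

Feeding both encodings from the thread through `decode_mov_load` yields `base == -1`, `index == -1` and `disp == 0x44332211` for each, differing only in `scale` (2 versus 1), which is irrelevant once there is no index register.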