Message-ID: <51376719.50602@redhat.com>
Date: Wed, 06 Mar 2013 16:56:09 +0100
From: Laszlo Ersek
Subject: Re: [Qemu-devel] problems with freeBSD
To: Dietmar Maurer
Cc: "qemu-devel@nongnu.org"

On 03/06/13 09:21, Dietmar Maurer wrote:
> Using qemu 1.4.0:
>
> # qemu -hda test.raw -m 512 -cdrom pfSense-LiveCD-2.0.2-RELEASE-amd64-20121207-2239.iso
>
> Results in:
>
> trap 12: page fault while in kernel mode
> …
> stopped at x86bios_emu_rdw+0x2f: movzwl (%rbx),%eax
>
> Any ideas? Can somebody reproduce that?
I found this on the web:

    static uint16_t
    x86bios_emu_rdw(struct x86emu *emu, uint32_t addr)
    {
    	uint16_t *va;

    	va = x86bios_get_pages(addr, sizeof(*va));
    	if (va == NULL)
    		x86bios_set_fault(emu, addr);

    #ifndef __NO_STRICT_ALIGNMENT
    	if ((addr & 1) != 0)
    		return (le16dec(va));
    	else
    #endif
    	return (le16toh(*va));
    }

"movzwl (%rbx),%eax" reads the 16-bit word at %rbx, copies it into the low 16 bits of %eax, and clears the rest of the bits in %eax. This probably corresponds to the *va dereference at the end of the function. (le16toh() is compiled out if the platform is little endian.)

Either x86bios_get_pages() returns garbage, or "addr" is garbage on input. You'll have to trace back the call path from x86bios_emu_rdw(), possibly instrumenting it with printk()s (or whatever it's called in FreeBSD).

Laszlo
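As an added illustration (not code from FreeBSD, QEMU or anyone in this thread), the same word-read path modelled in a toy address space: the page lookup, the fault hook and the checked reader (toy_get_pages(), toy_set_fault(), rdw_checked(), probe()) are all invented stand-ins, and the mapped pages and the sample word are constructed data. It shows the shape a defensive reader takes so that a failed lookup can never reach the *va dereference the message points at, and how an instrumenting caller would observe a bad address instead of a trap.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    4u

/* Constructed sample address space: 4 pages, only pages 0 and 2 mapped,
 * with the little-endian word 0x1234 stored at offset 0x10 of page 0. */
static uint8_t backing[NPAGES][PAGE_SIZE] = { { [0x10] = 0x34, [0x11] = 0x12 } };
static const int mapped[NPAGES] = { 1, 0, 1, 0 };
static int faulted;   /* latched by toy_set_fault(), stand-in for x86bios_set_fault() */

/* Hypothetical stand-in for x86bios_get_pages(): NULL unless every byte of
 * [addr, addr+size) lies inside one mapped page. */
static const uint8_t *toy_get_pages(uint32_t addr, uint32_t size)
{
    uint32_t first = addr / PAGE_SIZE, last = (addr + size - 1) / PAGE_SIZE;
    if (last >= NPAGES || first != last || !mapped[first])
        return NULL;
    return &backing[first][addr % PAGE_SIZE];
}

static void toy_set_fault(uint32_t addr) { (void)addr; faulted = 1; }

/* Checked word read. In the quoted x86bios_emu_rdw(), if x86bios_set_fault()
 * returns, control falls through to *va (the movzwl in the trap); here a failed
 * lookup returns first, and the byte-wise le16dec()-style decode tolerates odd addresses. */
static int rdw_checked(uint32_t addr, uint16_t *out)
{
    const uint8_t *va = toy_get_pages(addr, sizeof(uint16_t));
    if (va == NULL) {
        toy_set_fault(addr);
        return 0;             /* caller must not use *out */
    }
    *out = (uint16_t)(va[0] | ((uint16_t)va[1] << 8));
    return 1;
}

/* The word as a non-negative int, or -1 on fault: what a tracing printf() would log. */
static int probe(uint32_t addr)
{
    uint16_t w;
    return rdw_checked(addr, &w) ? (int)w : -1;
}

int main(void)
{
    printf("0x0010 -> %d, 0x1000 -> %d\n", probe(0x10), probe(0x1000));
    return 0;
}
```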