From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50166) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aboe7-0002zZ-Ds for qemu-devel@nongnu.org; Fri, 04 Mar 2016 07:15:52 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aboe4-0001NE-7i for qemu-devel@nongnu.org; Fri, 04 Mar 2016 07:15:51 -0500 Received: from mail-wm0-x244.google.com ([2a00:1450:400c:c09::244]:34257) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aboe3-0001N2-Vx for qemu-devel@nongnu.org; Fri, 04 Mar 2016 07:15:48 -0500 Received: by mail-wm0-x244.google.com with SMTP id p65so3875341wmp.1 for ; Fri, 04 Mar 2016 04:15:47 -0800 (PST) Sender: Paolo Bonzini References: <1456983051-14707-1-git-send-email-rth@twiddle.net> <1456983051-14707-5-git-send-email-rth@twiddle.net> <56D7E054.2040703@reactos.org> <56D80D2C.3060706@redhat.com> <56D88B42.7060208@twiddle.net> From: Paolo Bonzini Message-ID: <56D97C70.4060208@redhat.com> Date: Fri, 4 Mar 2016 13:15:44 +0100 MIME-Version: 1.0 In-Reply-To: <56D88B42.7060208@twiddle.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Subject: Re: [Qemu-devel] [PATCH 4/7] target-i386: Dump illegal opcodes with -d unimp List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Richard Henderson , =?UTF-8?Q?Herv=c3=a9_Poussineau?= , qemu-devel@nongnu.org On 03/03/2016 20:06, Richard Henderson wrote: > On 03/03/2016 02:08 AM, Paolo Bonzini wrote: >>> Do you want LOG_UNIMP or LOG_GUEST_ERROR? >> >> I would actually use LOG_IN_ASM. As you noticed, guests sometimes use >> illegal opcodes; another example is Xen's hypercall interface. >> >> On 03/03/2016 07:57, Hervé Poussineau wrote: >>> This patch is not quiet on some operating systems: >>> OS/2: >>> ILLOPC: 000172e1: 0f a6 >>> >>> Windows XP: >>> ILLOPC: 00020d1a: c4 c4 >>> >>> And very verbose in Windows 3.11, Windows 9x: >>> ILLOPC: 000ffb17: 63 >>> ILLOPC: 000ffb17: 63 >>> >>> Is it normal? >> >> Yes, it is. As usual, Raymond Chen explains what's going on: >> >> https://blogs.msdn.microsoft.com/oldnewthing/20041215-00/?p=37003 > > Wow. That's... interesting. It's actually even more interesting (the explanation is in the book) if you notice that 0xffb17 is in the middle of the BIOS. Indeed Windows 95 first locates a single 0x63 in the BIOS (so that it's ROM and no one can write a different byte). Then the 32-bit code can use a system service that allocates a callback from 16-bit MS-DOS. That service gets a 32-bit address for the 32-bit code and returns a real-mode address to be used in 16-bit code. The kick is that all the real-mode addresses point to that single 0x63 that was found in ROM. For example in the case above the real-mode addresses could be FFB1:07, FFB0:17, FFAF:27, etc. The illegal opcode exception handler looks at the segment to figure out which 32-bit address to jump to. There are also cases where the ARPL is patched into existing code (like a breakpoint) to trap that code to 32-bit. But this one using the ROM is much cooler. Paolo