From: Tim Deegan <tim@xen.org>
To: Razvan Cojocaru <rzvncj@gmail.com>
Cc: Andres Lagar-Cavilla <andreslc@gridcentric.ca>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH V2] mem_event: Allow emulating an instruction that caused a page fault
Date: Tue, 22 Jan 2013 12:31:49 +0000 [thread overview]
Message-ID: <20130122123149.GA86613@ocelot.phlegethon.org> (raw)
In-Reply-To: <50FDCBA8.1060000@gmail.com>
At 01:13 +0200 on 22 Jan (1358817224), Razvan Cojocaru wrote:
> Hello,
>
> > Tim's point is that you won't get all the mem events, because the instruction can easily touch multiple pages. It's a question that addresses the need for this patch in the first place.
>
> what would be an example of such an instruction?
x86 instructions aren't aligned, so any instruction that encodes as more
than one byte can touch two pages just in instruction fetch, if it
overlaps the end of a page. The same goes for explicit memory operands,
so an instruction like MOVSW that has two memory operands can touch six
pages - two for the instruction fetch and two for each operand.
Each of those accesses is to a virtual address; in 64-bit mode a TLB
miss can add four more memory accesses to walk the pagetables, so we're
looking at a worst case of 25 pages of memory that might be
touched by a successful MOVSW (the top-level pagetable only counts once).
But what if the last access caused a page fault? After up to 24
accesses, the CPU now needs to access the IDT to figure out what to do
with #PF (+4 = 28), and the stack to push an exception (+8 = 36), and if
the OS is using a task gate then it needs the old and new TSSes (+8 =
44). And if the stack faults, we nede to do the whole thing again for
#DF (-1, +12 = 55). Now that's a pretty unlikely scenario (and I may
have got some of the details wrong) but the upshot is: a single x86
instruction can access enormous amounts of memory, so turning off
protection and single-stepping, especially if you don't trust the OS, is
exposing a lot more than the single frame you took the first fault on.
Cheers,
Tim.
next prev parent reply other threads:[~2013-01-22 12:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mailman.21624.1358431706.1399.xen-devel@lists.xen.org>
2013-01-17 15:38 ` [PATCH V2] mem_event: Allow emulating an instruction that caused a page fault Andres Lagar-Cavilla
2013-01-17 15:50 ` Razvan Cojocaru
2013-01-21 23:13 ` Razvan Cojocaru
2013-01-22 12:31 ` Tim Deegan [this message]
2013-01-22 12:53 ` Razvan Cojocaru
2013-01-22 13:20 ` Tim Deegan
2013-01-22 13:47 ` Razvan Cojocaru
2013-01-22 14:02 ` Andres Lagar-Cavilla
2013-01-22 14:22 ` Razvan Cojocaru
2013-01-22 14:26 ` Tim Deegan
2013-01-22 14:45 ` Razvan Cojocaru
2013-01-24 11:05 ` Tim Deegan
2013-01-24 11:34 ` Razvan Cojocaru
2013-01-17 14:02 Razvan Cojocaru
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130122123149.GA86613@ocelot.phlegethon.org \
--to=tim@xen.org \
--cc=andreslc@gridcentric.ca \
--cc=rzvncj@gmail.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).