From nobody Mon Feb 9 08:41:33 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=yadro.com Return-Path: Received: from lists.gnu.org (208.118.235.17 [208.118.235.17]) by mx.zohomail.com with SMTPS id 1539870354869175.04167555798915; Thu, 18 Oct 2018 06:45:54 -0700 (PDT) Received: from localhost ([::1]:42488 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gD8cS-0007TG-EM for importer@patchew.org; Thu, 18 Oct 2018 09:45:44 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50903) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gD8bZ-00077X-AT for qemu-devel@nongnu.org; Thu, 18 Oct 2018 09:44:50 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gD8bW-00045R-3A for qemu-devel@nongnu.org; Thu, 18 Oct 2018 09:44:49 -0400 Received: from mta-01.yadro.com ([89.207.88.251]:56124) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gD8bV-00044W-DQ for qemu-devel@nongnu.org; Thu, 18 Oct 2018 09:44:46 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-01.yadro.com (Postfix) with ESMTP id CF1624120B; Thu, 18 Oct 2018 13:44:43 +0000 (UTC) Received: from mta-01.yadro.com ([127.0.0.1]) by localhost (mta-01.yadro.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yY8CPM6kbFD; Thu, 18 Oct 2018 16:44:42 +0300 (MSK) Received: from T-EXCH-02.corp.yadro.com (t-exch-02.corp.yadro.com [172.17.10.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mta-01.yadro.com (Postfix) with ESMTPS id 9FAD34120A; Thu, 18 Oct 2018 16:44:41 +0300 (MSK) Received: from localhost (172.17.128.60) by T-EXCH-02.corp.yadro.com (172.17.10.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Thu, 18 Oct 2018 16:44:41 +0300 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yadro.com; h= content-type:content-type:mime-version:x-mailer:message-id:date :date:subject:subject:from:from:received:received:received; s= mta-01; t=1539870282; x=1541684683; bh=OiaILjf7OERdpQuV2FBc8vs6J uDPZHs9d6z3ntbF8zs=; b=q7cVVgCdn6kuz++mFaDma5IJ3hzocHCWWUmpQ7mED /9/T53PHOnU0xPAQWm6FjCmH6qItdoDFPH1qr1zqorc5NKduz2oy/h6uyS4ynw3A 320sSc3ZYFtInubOc9clZ6UkmhZRsovpA66pWduNJ9j5mJZZMBH+lLlkFF+KIHmO s8= X-Virus-Scanned: amavisd-new at yadro.com From: Roman Bolshakov To: Date: Thu, 18 Oct 2018 16:44:01 +0300 Message-ID: <20181018134401.44471-1-r.bolshakov@yadro.com> X-Mailer: git-send-email 2.17.1 (Apple Git-112) MIME-Version: 1.0 X-Originating-IP: [172.17.128.60] X-ClientProxiedBy: T-EXCH-01.corp.yadro.com (172.17.10.101) To T-EXCH-02.corp.yadro.com (172.17.10.102) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 89.207.88.251 Subject: [Qemu-devel] [PATCH] i386: hvf: Fix register refs if REX is present X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Paolo Bonzini , Roman Bolshakov , Eduardo Habkost , Richard Henderson Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" According to Intel(R)64 and IA-32 Architectures Software Developer's Manual, the following one-byte registers should be fetched when REX prefix is present (sorted by reg encoding index): AL, CL, DL, BL, SPL, BPL, SIL, DIL, R8L - R15L The first 8 are fetched if REX.R is zero, the last 8 if non-zero. The following registers should be fetched for instructions without REX prefix (also sorted by reg encoding index): AL, CL, DL, BL, AH, CH, DH, BH Current emulation code doesn't handle accesses to SPL, BPL, SIL, DIL when REX is present, thefore an instruction 40883e "mov %dil,(%rsi)" is decoded as "mov %bh,(%rsi)". That caused an infinite loop in vp_reset: https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03293.html Signed-off-by: Roman Bolshakov --- target/i386/hvf/x86_decode.c | 67 ++++++++++++++++++++---------------- target/i386/hvf/x86_decode.h | 6 ++-- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/target/i386/hvf/x86_decode.c b/target/i386/hvf/x86_decode.c index 2d7540fe7c..2e33b69541 100644 --- a/target/i386/hvf/x86_decode.c +++ b/target/i386/hvf/x86_decode.c @@ -113,7 +113,8 @@ static void decode_modrm_reg(CPUX86State *env, struct x= 86_decode *decode, { op->type =3D X86_VAR_REG; op->reg =3D decode->modrm.reg; - op->ptr =3D get_reg_ref(env, op->reg, decode->rex.r, decode->operand_s= ize); + op->ptr =3D get_reg_ref(env, op->reg, decode->rex.rex, decode->rex.r, + decode->operand_size); } =20 static void decode_rax(CPUX86State *env, struct x86_decode *decode, @@ -121,7 +122,8 @@ static void decode_rax(CPUX86State *env, struct x86_dec= ode *decode, { op->type =3D X86_VAR_REG; op->reg =3D R_EAX; - op->ptr =3D get_reg_ref(env, op->reg, 0, decode->operand_size); + op->ptr =3D get_reg_ref(env, op->reg, decode->rex.rex, 0, + decode->operand_size); } =20 static inline void decode_immediate(CPUX86State *env, struct x86_decode *d= ecode, @@ -263,16 +265,16 @@ static void decode_incgroup(CPUX86State *env, struct = x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0x40; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_decgroup(CPUX86State *env, struct x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0x48; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_incgroup2(CPUX86State *env, struct x86_decode *decode) @@ -288,16 +290,16 @@ static void decode_pushgroup(CPUX86State *env, struct= x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0x50; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_popgroup(CPUX86State *env, struct x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0x58; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_jxx(CPUX86State *env, struct x86_decode *decode) @@ -378,16 +380,16 @@ static void decode_xchgroup(CPUX86State *env, struct = x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0x90; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_movgroup(CPUX86State *env, struct x86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0xb8; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); decode_immediate(env, decode, &decode->op[1], decode->operand_size); } =20 @@ -402,8 +404,8 @@ static void decode_movgroup8(CPUX86State *env, struct x= 86_decode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[0] - 0xb0; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); decode_immediate(env, decode, &decode->op[1], decode->operand_size); } =20 @@ -412,7 +414,8 @@ static void decode_rcx(CPUX86State *env, struct x86_dec= ode *decode, { op->type =3D X86_VAR_REG; op->reg =3D R_ECX; - op->ptr =3D get_reg_ref(env, op->reg, decode->rex.b, decode->operand_s= ize); + op->ptr =3D get_reg_ref(env, op->reg, decode->rex.rex, decode->rex.b, + decode->operand_size); } =20 struct decode_tbl { @@ -639,8 +642,8 @@ static void decode_bswap(CPUX86State *env, struct x86_d= ecode *decode) { decode->op[0].type =3D X86_VAR_REG; decode->op[0].reg =3D decode->opcode[1] - 0xc8; - decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= b, - decode->operand_size); + decode->op[0].ptr =3D get_reg_ref(env, decode->op[0].reg, decode->rex.= rex, + decode->rex.b, decode->operand_size); } =20 static void decode_d9_4(CPUX86State *env, struct x86_decode *decode) @@ -1686,7 +1689,8 @@ calc_addr: } } =20 -target_ulong get_reg_ref(CPUX86State *env, int reg, int is_extended, int s= ize) +target_ulong get_reg_ref(CPUX86State *env, int reg, int rex, int is_extend= ed, + int size) { target_ulong ptr =3D 0; int which =3D 0; @@ -1698,7 +1702,7 @@ target_ulong get_reg_ref(CPUX86State *env, int reg, i= nt is_extended, int size) =20 switch (size) { case 1: - if (is_extended || reg < 4) { + if (is_extended || reg < 4 || rex) { which =3D 1; ptr =3D (target_ulong)&RL(env, reg); } else { @@ -1714,10 +1718,11 @@ target_ulong get_reg_ref(CPUX86State *env, int reg,= int is_extended, int size) return ptr; } =20 -target_ulong get_reg_val(CPUX86State *env, int reg, int is_extended, int s= ize) +target_ulong get_reg_val(CPUX86State *env, int reg, int rex, int is_extend= ed, + int size) { target_ulong val =3D 0; - memcpy(&val, (void *)get_reg_ref(env, reg, is_extended, size), size); + memcpy(&val, (void *)get_reg_ref(env, reg, rex, is_extended, size), si= ze); return val; } =20 @@ -1739,7 +1744,8 @@ static target_ulong get_sib_val(CPUX86State *env, str= uct x86_decode *decode, if (base_reg =3D=3D R_ESP || base_reg =3D=3D R_EBP) { *sel =3D R_SS; } - base =3D get_reg_val(env, decode->sib.base, decode->rex.b, addr_si= ze); + base =3D get_reg_val(env, decode->sib.base, decode->rex.rex, + decode->rex.b, addr_size); } =20 if (decode->rex.x) { @@ -1747,7 +1753,8 @@ static target_ulong get_sib_val(CPUX86State *env, str= uct x86_decode *decode, } =20 if (index_reg !=3D R_ESP) { - scaled_index =3D get_reg_val(env, index_reg, decode->rex.x, addr_s= ize) << + scaled_index =3D get_reg_val(env, index_reg, decode->rex.rex, + decode->rex.x, addr_size) << decode->sib.scale; } return base + scaled_index; @@ -1776,7 +1783,8 @@ void calc_modrm_operand32(CPUX86State *env, struct x8= 6_decode *decode, if (decode->modrm.rm =3D=3D R_EBP || decode->modrm.rm =3D=3D R_ESP= ) { seg =3D R_SS; } - ptr +=3D get_reg_val(env, decode->modrm.rm, decode->rex.b, addr_si= ze); + ptr +=3D get_reg_val(env, decode->modrm.rm, decode->rex.rex, + decode->rex.b, addr_size); } =20 if (X86_DECODE_CMD_LEA =3D=3D decode->cmd) { @@ -1805,7 +1813,8 @@ void calc_modrm_operand64(CPUX86State *env, struct x8= 6_decode *decode, } else if (0 =3D=3D mod && 5 =3D=3D rm) { ptr =3D RIP(env) + decode->len + (int32_t) offset; } else { - ptr =3D get_reg_val(env, src, decode->rex.b, 8) + (int64_t) offset; + ptr =3D get_reg_val(env, src, decode->rex.rex, decode->rex.b, 8) + + (int64_t) offset; } =20 if (X86_DECODE_CMD_LEA =3D=3D decode->cmd) { @@ -1822,8 +1831,8 @@ void calc_modrm_operand(CPUX86State *env, struct x86_= decode *decode, if (3 =3D=3D decode->modrm.mod) { op->reg =3D decode->modrm.reg; op->type =3D X86_VAR_REG; - op->ptr =3D get_reg_ref(env, decode->modrm.rm, decode->rex.b, - decode->operand_size); + op->ptr =3D get_reg_ref(env, decode->modrm.rm, decode->rex.rex, + decode->rex.b, decode->operand_size); return; } =20 diff --git a/target/i386/hvf/x86_decode.h b/target/i386/hvf/x86_decode.h index 5ab6f31fa5..ef4bcab310 100644 --- a/target/i386/hvf/x86_decode.h +++ b/target/i386/hvf/x86_decode.h @@ -303,8 +303,10 @@ uint64_t sign(uint64_t val, int size); =20 uint32_t decode_instruction(CPUX86State *env, struct x86_decode *decode); =20 -target_ulong get_reg_ref(CPUX86State *env, int reg, int is_extended, int s= ize); -target_ulong get_reg_val(CPUX86State *env, int reg, int is_extended, int s= ize); +target_ulong get_reg_ref(CPUX86State *env, int reg, int rex, int is_extend= ed, + int size); +target_ulong get_reg_val(CPUX86State *env, int reg, int rex, int is_extend= ed, + int size); void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode, struct x86_decode_op *op); target_ulong decode_linear_addr(CPUX86State *env, struct x86_decode *decod= e, --=20 2.17.1 (Apple Git-112)