Hello QEMU Developers! I'm from the downstream project Unicorn
Engine (https://github.com/unicorn-engine/unicorn). I identified a simple
bug that triggers a TCG assertion in QEMU. Although I used a user-mode
use case to illustrate the bug, it should also affect system emulation.
Assume a binary looks like:
```
08049845 <main>:
8049845: 55 push %ebp
8049846: 89 e5 mov %esp,%ebp
8049848: e8 0e 00 00 00 call 804985b <__x86.get_pc_thunk.ax>
804984d: 90 nop
804984e: 90 nop
804984f: 90 nop
8049850: 90 nop
8049851: 90 nop
8049852: f0 38 b8 00 00 00 00 lock cmp %bh,0x0(%eax)
8049859: 5d pop %ebp
804985a: c3 ret
```
Executing this with
```
./i386-linux-user/qemu-i386 -d op,op_opt ./tt 2>&1 | tail -100
```
gives:
```
OP:
...
...
---- 0000000008049852 0000000000000000
mov_i32 loc2,eax
extract_i32 loc1,ebx,$0x8,$0x8
mov_i32 cc_src,loc1
mov_i32 loc8,loc0 // loc0 undefined!
...
...
OP after optimization and liveness analysis:
...
...
---- 0000000008049852 0000000000000000
extract_i32 tmp1,ebx,$0x8,$0x8 dead: 1 pref=0xffff
mov_i32 cc_src,tmp1 sync: 0 dead: 1 pref=0xffff
sub_i32 cc_dst,tmp0,cc_src sync: 0 dead: 0 1 2 pref=0xffff // so does tmp0!
...
...
ERROR:../tcg/tcg.c:4446:temp_load: code should not be reached
Bail out! ERROR:../tcg/tcg.c:4446:temp_load: code should not be reached
```
This results in an assertion error because, when decoding "lock cmp %bh,0x0(%eax)",
s->T0 is not properly initialized in gen_op. However, the root cause is that
this instruction is illegal according to the Intel manual. Therefore, I add
an extra check to generate the corresponding illegal opcode exception.
Signed-off-by: Ziqiao Kong <ziqiaokong@gmail.com>
Ziqiao Kong (1):
Generate an illegal opcode exception on cmp instructions with lock
prefix
target/i386/tcg/translate.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--
2.40.1
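The check described in the cover letter rests on the architectural rule for LOCK: the Intel SDM allows the prefix only before ADD, ADC, AND, BTC, BTR, BTS, CMPXCHG, CMPXCHG8B/16B, DEC, INC, NEG, NOT, OR, SBB, SUB, XOR, XADD and XCHG, and only when the destination operand is in memory; CMP is not on that list, so `lock cmp` is #UD whatever its operands. As an added example that is not QEMU's code and not the patch under review, the C checker below applies that rule to the exact bytes from the report (`f0 38 b8 00 00 00 00`) and to a few constructed neighbouring encodings. It decodes only the 0x00-0x3F ALU block and group 1 (0x80-0x83), which is enough to cover the reported instruction; the function names, the verdict enum and the sample byte strings are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict for an instruction that may carry a LOCK (0xF0) prefix. */
enum lock_verdict {
    LOCK_ABSENT,      /* no 0xF0 prefix, nothing to check                */
    LOCK_OK,          /* lockable ALU op with a memory destination       */
    LOCK_UD,          /* LOCK present but not allowed: CPU raises #UD    */
    LOCK_UNMODELLED   /* opcode outside the two ALU groups decoded here  */
};

/* 3-bit ALU sub-opcode shared by opcodes 0x00-0x3F and group 1 (0x80-0x83). */
static const char *const alu_name[8] = {
    "add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"
};

/*
 * Decide whether the LOCK prefix on an ALU instruction is architecturally
 * valid (Intel SDM rule: lockable opcode AND memory destination).
 * 'why' is optional and receives a short reason string.
 */
enum lock_verdict check_lock_prefix(const uint8_t *insn, size_t len, const char **why)
{
    const char *reason;
    enum lock_verdict verdict;
    size_t i = 0;
    int has_lock = 0, alu_op, dest_is_modrm;
    uint8_t opcode, modrm = 0;

    /* Skip legacy prefixes, noting whether 0xF0 is among them. */
    while (i < len) {
        uint8_t b = insn[i];
        if (b == 0xF0) {
            has_lock = 1;
        } else if (b != 0xF2 && b != 0xF3 && b != 0x2E && b != 0x36 && b != 0x3E &&
                   b != 0x26 && b != 0x64 && b != 0x65 && b != 0x66 && b != 0x67) {
            break;
        }
        i++;
    }

    if (!has_lock) {
        reason = "no LOCK prefix";
        verdict = LOCK_ABSENT;
    } else if (i + 1 >= len) {
        reason = "truncated instruction";
        verdict = LOCK_UNMODELLED;
    } else {
        opcode = insn[i];
        modrm = insn[i + 1];               /* ModRM, or imm8 for the AL/eAX forms */

        if (opcode < 0x40 && (opcode & 7) <= 5) {
            /* 0x00-0x3F: low 3 bits pick the form. 0/1 write r/m, 2/3 write
             * the reg field, 4/5 are AL/eAX,imm; bits 5..3 pick the ALU op. */
            alu_op = opcode >> 3;
            dest_is_modrm = (opcode & 7) <= 1;
        } else if (opcode >= 0x80 && opcode <= 0x83) {
            /* Group 1: ALU op lives in ModRM.reg, destination is always r/m. */
            alu_op = (modrm >> 3) & 7;
            dest_is_modrm = 1;
        } else {
            alu_op = -1;
            dest_is_modrm = 0;
        }

        if (alu_op < 0) {
            reason = "opcode not modelled here";
            verdict = LOCK_UNMODELLED;
        } else if (alu_op == 7) {
            reason = "cmp has no lockable form";      /* the case in the report */
            verdict = LOCK_UD;
        } else if (!dest_is_modrm || (modrm >> 6) == 3) {
            reason = "destination is a register";     /* ModRM.mod == 3 */
            verdict = LOCK_UD;
        } else {
            reason = alu_name[alu_op];
            verdict = LOCK_OK;
        }
    }
    if (why) {
        *why = reason;
    }
    return verdict;
}

/* Constructed sample encodings; the first is the exact bytes from the report. */
static const uint8_t lock_cmp_bh_mem[]   = {0xf0, 0x38, 0xb8, 0x00, 0x00, 0x00, 0x00}; /* lock cmp %bh,0x0(%eax) */
static const uint8_t lock_sub_bh_mem[]   = {0xf0, 0x28, 0x38};             /* lock sub %bh,(%eax)      */
static const uint8_t lock_sub_al_bl[]    = {0xf0, 0x28, 0xc3};             /* lock sub %al,%bl         */
static const uint8_t lock_sub_mem_bh[]   = {0xf0, 0x2a, 0x38};             /* lock sub (%eax),%bh      */
static const uint8_t lock_cmpb_imm_mem[] = {0xf0, 0x80, 0x38, 0x01};       /* lock cmpb $0x1,(%eax)    */
static const uint8_t lock_addb_imm_mem[] = {0xf0, 0x80, 0x00, 0x01};       /* lock addb $0x1,(%eax)    */
static const uint8_t plain_cmp_bh_mem[]  = {0x38, 0xb8, 0x00, 0x00, 0x00, 0x00}; /* cmp %bh,0x0(%eax) */
static const uint8_t lock_cmpxchg[]      = {0xf0, 0x0f, 0xb1, 0x08};       /* lock cmpxchg %ecx,(%eax) */

static void report(const char *label, const uint8_t *insn, size_t len)
{
    static const char *const names[] = {"absent", "ok", "#UD", "unmodelled"};
    const char *why;
    enum lock_verdict v = check_lock_prefix(insn, len, &why);
    printf("%-24s -> %-10s (%s)\n", label, names[v], why);
}

int main(void)
{
    report("lock cmp %bh,0x0(%eax)", lock_cmp_bh_mem, sizeof lock_cmp_bh_mem);
    report("lock sub %bh,(%eax)", lock_sub_bh_mem, sizeof lock_sub_bh_mem);
    report("lock sub %al,%bl", lock_sub_al_bl, sizeof lock_sub_al_bl);
    report("lock sub (%eax),%bh", lock_sub_mem_bh, sizeof lock_sub_mem_bh);
    report("lock cmpb $1,(%eax)", lock_cmpb_imm_mem, sizeof lock_cmpb_imm_mem);
    report("lock addb $1,(%eax)", lock_addb_imm_mem, sizeof lock_addb_imm_mem);
    report("cmp %bh,0x0(%eax)", plain_cmp_bh_mem, sizeof plain_cmp_bh_mem);
    report("lock cmpxchg %ecx,(%eax)", lock_cmpxchg, sizeof lock_cmpxchg);
    return 0;
}
```

The two `LOCK_UD` branches mirror the two ways a LOCK prefix can be rejected: CMP is refused before the operand form is even looked at, which is the case the report hits, while a lockable op such as SUB is refused only when ModRM.mod is 3 (register destination). A translator that raises #UD at the point where this function returns `LOCK_UD` never reaches the code path that consumed the uninitialised temporary in the TCG dump above.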