
Re: [Xen-devel] Is there a bug in the emulation of fucomip instruction?


  • To: Wangzhenguo <wangzhenguo@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Wed, 15 Jun 2011 20:36:43 +0100
  • Cc: Xiaowei Yang <xiaowei.yang@xxxxxxxxxx>
  • Delivery-date: Wed, 15 Jun 2011 12:37:53 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=OTDeGP1Gi5tJUK2Lp0GtR8FY+bLPUlyvVoA3d/moPCnH4OhPVfF3eML83Vss5iZgiR HymiKPMcv8Sxt+ZtY8SUEzDP7iPPl7dw7akjKTS/YoHMIXDRt+l9vIhGZOI4XH1leBuA 8zNOytJHDz5ImBUzfKdKPNQkqk1auBmtTEp6Y=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcwrUo3Re1fucIOUQ62a0WTsINv68QAQQA22
  • Thread-topic: [Xen-devel] Is there a bug in the emulation of fucomip instruction?

On 15/06/2011 12:51, "Wangzhenguo" <wangzhenguo@xxxxxxxxxx> wrote:

> The implementation of the fucomip instruction in the x86_emulate function
> differs from the spec of fucomip in the Intel 64 and IA-32 Architectures
> Software Developer's Manual Volume 2A. The opcode of fucomip is described as
> "DF E8+i", but in the implementation in the x86_emulate function it's
> "df f8+i":

Good catch. Fixed as of xen-unstable:23546. I'll backport it to our
maintained stable branches too.

 Thanks,
 Keir

> ---------------------------------------------------------
>     case 0xdf: /* FPU 0xdf */
>         switch ( modrm )
>         {
>         case 0xe0:
>             /* fnstsw %ax */
>             dst.bytes = 2;
>             dst.type = OP_REG;
>             dst.reg = (unsigned long *)&_regs.eax;
>             emulate_fpu_insn_memdst("fnstsw", dst.val);
>             break;
>         case 0xf0 ... 0xf7: /* fcomip %stN */
>         case 0xf8 ... 0xff: /* fucomip %stN */            <--here-->
>             emulate_fpu_insn_stub(0xdf, modrm);
>             break;
>         default:
>             fail_if(modrm >= 0xc0);
> ---------------------------------------------------------
> So, Xen will panic and say it's an invalid opcode if the guest executes an
> invalid instruction, "fd ff", for example.
> Is that right?
> 
> Here is the panic message:
> (XEN) RIP:    e008:[<ffff83203fd1fae8>] ???
> (XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
> (XEN) rax: ffff83203fd1fae8   rbx: 00000000000000df   rcx: ffff83203fd1fda8
> (XEN) rdx: 0000000000000000   rsi: ffff83203fd1fc78   rdi: ffff82c480179bf0
> (XEN) rbp: 0000000000000000   rsp: ffff83203fd1f910   r8:  ffff82c48019c9f0
> (XEN) r9:  0000000000000000   r10: 00000000000000c8   r11: 0000000000000000
> (XEN) r12: 0000000000000004   r13: 00000000000000df   r14: ffff83203fd1fda8
> (XEN) r15: 0000000000000004   cr0: 0000000080050033   cr4: 00000000000026b0
> (XEN) cr3: 0000001f10da5000   cr2: 00000000fffe0080
> (XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
> (XEN) Xen stack trace from rsp=ffff83203fd1f910:
> (XEN)    ffff82c48018248e 0000000000000022 ffff82c480179daf 0000ffff009322f4
> (XEN)    00000000000000c8 0000000000000000 ffff82c480180234 000000023fd1fde8
> (XEN)    ffff83203fd1fca0 0000000000000001 00000000000000df 0000000000000000
> (XEN)    ffff83203fd1fa18 0000000400000000 ffff82c48022e800 000000003fd1fa1c
> (XEN)    0000000000000022 ffff83203fd1fc78 00c883203fd1fa48 00000004000000ff
> (XEN)    ffff8200000000004
> (XEN)    0000000000000000 0000000800000000 0000000000040041 0000000000000000
> (XEN)    0000000000000002 0000000000000000 0000000000000000 0000000000000000
> (XEN)    0000000000000000 000000000004006c 0000000000040148 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000000 000000008055d0c0
> (XEN)    0000000000000000 000000000000001f 0000000000000000 00000000fffe0080
> (XEN)    0000000000000000 000000008055d5a4 0000000000000000 0000000000010246
> (XEN)    000000000004001c 0000000000000000 0000000000000000 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000001 0000000000c3ffdf
> (XEN)    ffff82c4801ea708 0000000300000000 ffff83203fd1fb20 ffff83203fd1fb9c
> (XEN)    000000093fd1fb2c 0000000000000002 0000000000000bc5 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000000 0000000000000000
> (XEN)    ffff83203fd1fa8808 0000000300000003
> (XEN)    ffff83203fd1fb90 ffff83203fd1fc24 0000000910dca000 0000000000000002
> (XEN) Xen call trace:
> (XEN)    [<ffff83203fd1fae8>] ???
> (XEN)    [<ffff82c48018248e>] x86_emulate+0x7e9e/0x11b10
> (XEN)    [<ffff82c480179daf>] get_cpl+0x3f/0x60
> (XEN)    [<ffff82c480180234>] x86_emulate+0x5c44/0x11b10
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801a352e>] __hvm_copy+0x30e/0x3e0
> (XEN)    [<ffff82c48019cec9>] hvm_emulate_one+0xc9/0x1b0
> (XEN)    [<ffff82c4801bd895>] vmx_vmexit_handler+0x10b5/0x1d70
> (XEN)    [<ffff82c480118a0d>] _csched_cpu_pick+0xfd/0x360
> (XEN)    [<ffff82c480118c80>] csched_tick+0x0/0x250pt_update_irq+0x33/0x230
> (XEN)    [<ffff82c48011f6b4>] execute_timer+0x34/0x50
> (XEN)    [<ffff82c4801a87eb>] hvm_vcpu_has_pending_irq+0x6b/0xb0
> (XEN)    [<ffff82c4801b67bc>] vmx_intr_assist+0x5c/0x240
> (XEN)    [<ffff82c4801b9bfb>] vmx_vmenter_helper+0x5b/0x140
> (XEN)    [<ffff82c4801b6573>] vmx_asm_do_vmentry+0x0/0xdd
> (XEN)    
> (XEN) 
> (XEN) ****************************************
> (XEN) Panic on CPU 8:
> (XEN) FATAL TRAP: vector = 6 (invalid opcode)
> (XEN) ****************************************
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
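The range mix-up in the quoted switch is easy to see as a decode table. The block below is an added example, not Xen's code: it writes the register-form (modrm >= 0xC0) second byte of the x87 0xDF opcode as two small decoders built from the Intel SDM encodings named in the thread (DF E0 = fnstsw %ax, DF E8+i = fucomip, DF F0+i = fcomip) and compares the quoted, buggy ranges against the corrected ones. The function names, the enum and the loop are mine. It shows why the bug matters for a hypervisor: with the buggy ranges the real fucomip encodings (DF E8..EF) are rejected, while the non-existent DF F8..FF encodings are accepted and, in the quoted code, handed to the emulation stub to execute, which is what ends in the #UD panic (vector 6) in the reporter's trace. A decode table that admits invalid encodings turns a guest's bad instruction into a host crash, so the check belongs before the stub, as the fixed decoder does.

```c
/* Added example (not Xen's code): table-driven decode of the register-form
 * modrm byte for the x87 0xDF opcode, per the Intel SDM Vol. 2A encodings:
 *   DF E0     FNSTSW AX
 *   DF E8+i   FUCOMIP ST(0), ST(i)
 *   DF F0+i   FCOMIP  ST(0), ST(i)
 * Every other byte in 0xC0..0xFF is an invalid encoding and raises #UD
 * if executed. Names and structure here are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>

enum x87_df_insn {
    DF_INVALID = 0,   /* no such DF /modrm encoding: executing it raises #UD */
    DF_FNSTSW_AX,
    DF_FUCOMIP,
    DF_FCOMIP,
};

/* Reproduces the quoted x86_emulate ranges: fucomip wrongly at 0xF8..0xFF. */
enum x87_df_insn decode_df_buggy(uint8_t modrm)
{
    if (modrm == 0xe0)
        return DF_FNSTSW_AX;
    if (modrm >= 0xf0 && modrm <= 0xf7)
        return DF_FCOMIP;
    if (modrm >= 0xf8)               /* wrong: DF F8+i does not exist */
        return DF_FUCOMIP;
    return DF_INVALID;               /* real fucomip (0xE8..0xEF) lands here */
}

/* Same decoder with the SDM range for fucomip (0xE8..0xEF). */
enum x87_df_insn decode_df_fixed(uint8_t modrm)
{
    if (modrm == 0xe0)
        return DF_FNSTSW_AX;
    if (modrm >= 0xe8 && modrm <= 0xef)
        return DF_FUCOMIP;
    if (modrm >= 0xf0 && modrm <= 0xf7)
        return DF_FCOMIP;
    return DF_INVALID;               /* 0xF8..0xFF now rejected before any stub */
}

/* Walk every register-form modrm byte and count where the two decoders
 * disagree: 8 real fucomip bytes the buggy table rejects plus 8 invalid
 * bytes it accepts, so 16 in total. */
int count_df_mismatches(void)
{
    int mismatches = 0;
    for (unsigned m = 0xc0; m <= 0xff; m++) {
        if (decode_df_buggy((uint8_t)m) != decode_df_fixed((uint8_t)m))
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    /* Constructed inputs: an invalid DF F8+i byte and the real fucomip encoding. */
    printf("df ff: buggy=%d fixed=%d\n", decode_df_buggy(0xff), decode_df_fixed(0xff));
    printf("df e8: buggy=%d fixed=%d\n", decode_df_buggy(0xe8), decode_df_fixed(0xe8));
    printf("register-form bytes decoded differently: %d\n", count_df_mismatches());
    return 0;
}
```

Compile with any C99 compiler (`cc -Wall fucomip_decode.c`); the loop in `count_df_mismatches` is the kind of exhaustive comparison against the manual that catches an off-by-a-row opcode table before a guest does.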




