Keir Fraser
2008-May-23 17:29 UTC
[Xen-devel] Re: [PATCH] [HVM] [x86_emulate] Disallow setting EFLAGS_TF through POPF
Trolle,

This is indeed bogus, since POPF certainly can be used to set TF. I don't believe that real mode is a special case in this respect. What it could be is that the instruction that sets TF should not itself cause a debug exception when it is retired. So, if the end of the #DB handler is POPF ; IRET, and the POPF is setting EFLAGS.TF, then this would explain the endless (actually nested) handler execution.

Could test this by changing the EXC_DB injection in x86_emulate.c to check ctxt->regs->eflags for TF before the line '*ctxt->regs = _regs'. This would correctly correspond to using the value of EFLAGS.TF before the instruction was executed.

 -- Keir

On 23/5/08 18:12, "Trolle Selander" <trolle.selander@eu.citrix.com> wrote:

> This patch fixes the issue with running Freedos with HIMEM.SYS enabled.
>
> The issue turns out to be that it sets the trap flag through a push &
> subsequent popf. This causes x86_emulate to later inject a hw_exception,
> which results in the observed badness with the emulation spinning
> endlessly on the same IRET.
>
> Note that disallowing TF to be set in this way appears not to match the
> described behavior of POPF according to the Intel manuals. It also
> results in POPF ending up always _clearing_ TF, which may not be the
> right thing to do either. However, for what it's worth, it does appear
> to be the way QEMU deals with this code in Freedos/HIMEM.SYS. It might
> be a good idea to take a look at real hardware and see what the behavior
> is there - it wouldn't be the first time that documentation does not
> match reality.
> A different and possibly more correct solution (that matches the
> documentation) would be to not use TF on its own as the trigger for
> inject_hw_exception, if POPF is going to be allowed to set the TF flag
> without a real trap having happened, but for now, this solves the
> Freedos/HIMEM issue in the simplest way possible.
>
> Signed-off-by: Trolle Selander <trolle.selander@eu.citrix.com>
>
> diff -uNr xen-unstable.hg/xen/arch/x86/x86_emulate/x86_emulate.c xen-unstable.hg-patched/xen/arch/x86/x86_emulate/x86_emulate.c
> --- xen-unstable.hg/xen/arch/x86/x86_emulate/x86_emulate.c 2008-05-23 17:33:51.000000000 +0100
> +++ xen-unstable.hg-patched/xen/arch/x86/x86_emulate/x86_emulate.c 2008-05-23 17:41:59.000000000 +0100
> @@ -2465,7 +2465,7 @@
>              goto push;
>
>      case 0x9d: /* popf */ {
> -        uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
> +        uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM | EFLG_TF;
>          if ( !mode_ring0() )
>              mask |= EFLG_IOPL;
>          if ( !mode_iopl() )

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
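Review bot: Adding EFLG_TF to the POPF mask makes the emulator diverge from the documented behaviour of POPF, and the commit message itself concedes this (POPF can set TF; the change is described as leaving POPF always clearing it). The visible hunk stops at `if ( !mode_iopl() )`, before the mask is ever applied to the flags, so the diff alone does not show whether a masked TF bit is preserved or dropped; the "always _clearing_ TF" claim in the message should be reconciled with what the mask actually does, and at minimum the new bit deserves a comment on the `mask` line explaining why TF is masked here instead of fixing the EXC_DB trigger. The alternative the message floats, and Keir spells out in the reply, is better contained: leave this mask alone and gate the EXC_DB injection on the value of TF in ctxt->regs->eflags sampled before `*ctxt->regs = _regs`, so that a POPF which sets TF does not trap on its own retirement.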
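The sampling rule Keir describes (a #DB is due after an instruction only if TF was set before it executed, so the POPF that sets TF never traps itself) is easy to get wrong in an emulator, and the failure mode is exactly the nested handler execution he predicts. The following toy is an added example written for this thread; it is not Xen's x86_emulate.c and models nothing of the real instruction decoder. It assumes a bit-8 TF (the real EFLAGS position; the macro name EFLG_TF is borrowed from the patch), a toy POPF that only writes TF, and that #DB delivery clears TF on handler entry; the functions emulate_one, trace_stream, example_hits and handler_entries are hypothetical names. Both rules are run side by side: TF_BEFORE is the proposed behaviour, TF_AFTER is the one that makes a handler whose epilogue re-arms tracing with POPF re-enter itself until a cap is hit.

```c
/* Toy model of single-step (#DB) delivery in an x86 instruction emulator.
 * Added example for the xen-devel thread above; not Xen code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFLG_TF (1u << 8)          /* EFLAGS.TF, bit 8 (name borrowed from the patch) */

enum opcode { OP_NOP, OP_POPF };

struct insn {
    enum opcode op;
    uint32_t popf_val;             /* value "popped" from the stack for OP_POPF */
};

/* Which copy of EFLAGS decides whether a #DB follows the instruction. */
enum tf_rule {
    TF_BEFORE,                     /* sample TF before execution (Keir's proposal) */
    TF_AFTER                       /* sample TF after commit (traps on the POPF itself) */
};

/* Execute one instruction against *eflags. Returns true if a #DB must be
 * injected after it under the chosen sampling rule. */
static bool emulate_one(const struct insn *i, uint32_t *eflags, enum tf_rule rule)
{
    uint32_t before = *eflags;
    switch (i->op) {
    case OP_NOP:
        break;
    case OP_POPF:
        /* toy POPF: only TF is loaded from the popped value (assumption) */
        *eflags = (before & ~EFLG_TF) | (i->popf_val & EFLG_TF);
        break;
    }
    uint32_t sampled = (rule == TF_BEFORE) ? before : *eflags;
    return (sampled & EFLG_TF) != 0;
}

/* Run a stream; bit k of the result is set if instruction k raised a #DB. */
static uint32_t trace_stream(const struct insn *s, int n, uint32_t eflags, enum tf_rule rule)
{
    uint32_t hits = 0;
    for (int k = 0; k < n; k++)
        if (emulate_one(&s[k], &eflags, rule))
            hits |= 1u << k;
    return hits;
}

/* Constructed stream: NOP, POPF(TF=1), NOP, NOP, POPF(TF=0), NOP, starting with TF clear.
 * TF_BEFORE traps after instructions 2, 3 and 4 (the POPF that clears TF ran with TF set);
 * TF_AFTER traps after 1, 2 and 3, i.e. on the POPF that set TF. */
static uint32_t example_hits(enum tf_rule rule)
{
    const struct insn s[] = {
        { OP_NOP, 0 }, { OP_POPF, EFLG_TF }, { OP_NOP, 0 },
        { OP_NOP, 0 }, { OP_POPF, 0 },       { OP_NOP, 0 },
    };
    return trace_stream(s, (int)(sizeof s / sizeof s[0]), 0, rule);
}

/* Model a #DB handler whose epilogue re-arms tracing with POPF (TF=1).
 * Returns how many times the handler was entered before control would
 * get back to guest code, capped at `limit` to detect runaway nesting. */
static int handler_entries(enum tf_rule rule, int limit)
{
    const struct insn epilogue = { OP_POPF, EFLG_TF };
    uint32_t eflags = EFLG_TF;     /* guest is single-stepping */
    int entries = 0;
    bool pending = true;           /* a guest instruction just trapped */
    while (pending && entries < limit) {
        entries++;
        eflags &= ~EFLG_TF;        /* assumption: #DB delivery clears TF on entry */
        pending = emulate_one(&epilogue, &eflags, rule);
    }
    return entries;
}

int main(void)
{
    printf("stream hits  before-rule: %#x  after-rule: %#x\n",
           example_hits(TF_BEFORE), example_hits(TF_AFTER));
    printf("handler entries  before-rule: %d  after-rule: %d (capped)\n",
           handler_entries(TF_BEFORE, 64), handler_entries(TF_AFTER, 64));
    return 0;
}
```

In the real emulator the equivalent of `before` is ctxt->regs->eflags as it stands before `*ctxt->regs = _regs` commits the instruction's results, which is where Keir suggests moving the TF check; the mask change in the patch instead stops POPF from writing TF at all and so hides the symptom rather than fixing the sampling point.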