Abhinav Srivastava
2008-Jun-24  03:14 UTC
[Xen-devel] Question related to Single-step execution and Emulation
Hi all,
I am trying to perform both single-stepping and instruction emulation in
Xen-3.2.1. I am using the following approach:

First, I mark a guest page "not present" inside the shadow page table
so that I can intercept any operation that involves this page. When the guest
tries to access that page, it faults and control goes to Xen (the sh_page_fault
function). There, I emulate that operation and return control to the guest to
execute the next instruction. I could get this first part working.

In the second part, after emulating the instruction inside Xen, I want to perform
single-step execution from the next instruction onwards so that I can monitor
further execution of the guest from that point.

To achieve that I did the following: after emulating an instruction inside Xen and
before sending control back to the guest OS, I set the EFLAGS trap
bit with the following operation:

regs->eflag |= X86_EFLAGS_TF

and return from the sh_page_fault function with "return
EFAULT_FIXED".

My understanding is that with this flag set, when the guest completes the execution
of the next instruction, it traps to Xen with exit reason TRAP_debug and the
do_debug handler should be invoked inside x86/traps.c. From there, I again set the
X86_EFLAGS_TF flag to get the guest trapped for the next instruction, and so on. When I
want it to end I will set the X86_EFLAGS_RF flag.

However, when I perform the above-mentioned procedure I see the message
"Trace/breakpoint trap" in my guest OS only once, and my do_debug (or the
debugger_trap_entry method with vector = TRAP_debug) does not get invoked at
all inside Xen. Since the trap is not coming into Xen, I am not able to get
control after the execution of instructions.

It seems that with my above-described method, I am injecting the TRAP_debug
exception for the instruction that I emulate inside Xen, and eflag is not
set in the context of the next instruction that will be executed inside the guest,
which should trap with a debug exception.

It would be great if someone could explain to me what I am doing wrong here and
what would be the right approach to perform single-step execution in Xen.
Thanks in advance.
Regards,
Abhinav
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Grzegorz Miłoś
2008-Jun-24  09:21 UTC
Re: [Xen-devel] Question related to Single-step execution and Emulation
Are you working with an HVM or PV domain?

Gr(z)egor(z)
Abhinav Srivastava
2008-Jun-24  17:42 UTC
Re: [Xen-devel] Question related to Single-step execution and Emulation
Hi Grzegorz,

I am working with an HVM domain. Also, I forgot to mention in my previous email that I am setting debug register DR0 using set_debugreg with the value of the next instruction so that I could trap on that. The way I am setting the debug register with the next instruction value is

next-eip = regs->eip + __get_instruction_length()

Still, I am not seeing it working.

Thanks,
Abhinav
Grzegorz Miłoś
2008-Jun-24  19:11 UTC
Re: [Xen-devel] Question related to Single-step execution and Emulation
Assuming that you have an AMD CPU (I'm sure you can figure out how to achieve the same thing with an Intel CPU), make sure that you have the TRAP_no_device bit set in v->arch.hvm_svm.vmcb->exception_intercepts (as per svm_do_resume with a debugger attached). After that, you should get VMEXIT_EXCEPTION_DB in svm_vmexit_handler.

Cheers
Gr(z)egor(z)
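The mechanism the thread is circling around can be shown with a small model. The C program below is an added example, not code from the thread or from Xen: it simulates a vCPU in which setting TF arms a single-step #DB (vector 1) after the next instruction completes, and where that #DB is only seen by the hypervisor if vector 1 is present in an exception-intercept bitmap (the role of vmcb->exception_intercepts). Without the intercept the guest kernel's own #DB handler runs, reports the trap, and drops TF from the saved EFLAGS, which is the one "Trace/breakpoint trap" message and no further exits. The struct, field names, the `run_guest` entry point and the two-byte instruction length are all hypothetical; stopping is modelled by clearing TF.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real x86 values: TF is EFLAGS bit 8, #DB is exception vector 1. */
#define X86_EFLAGS_TF (1u << 8)
#define TRAP_debug    1

enum handled_by { BY_GUEST, BY_HYPERVISOR };

/* Hypothetical, simplified vCPU state (stand-in for a guest regs->eflags
 * plus the VMCB exception-intercept bitmap). */
struct sim_vcpu {
    uint32_t eflags;               /* guest EFLAGS image */
    uint32_t exception_intercepts; /* bit N set => vector N causes a VMEXIT */
    unsigned long eip;
    unsigned steps_wanted;         /* how many instructions to single-step */
    unsigned hv_db_exits;          /* #DB exits that reached the hypervisor */
    unsigned guest_db_traps;       /* #DB deliveries handled by the guest */
};

/* A guest-raised exception only leaves the guest if its vector is
 * intercepted; otherwise hardware delivers it through the guest IDT. */
static enum handled_by route_exception(const struct sim_vcpu *v, int vector)
{
    return (v->exception_intercepts & (1u << vector)) ? BY_HYPERVISOR : BY_GUEST;
}

/* Hypervisor #DB exit handler: count the step and re-arm TF until done.
 * Stopping is modelled by clearing TF. */
static void hv_handle_debug_exit(struct sim_vcpu *v)
{
    v->hv_db_exits++;
    if (v->hv_db_exits >= v->steps_wanted)
        v->eflags &= ~X86_EFLAGS_TF;
    else
        v->eflags |= X86_EFLAGS_TF;
}

/* Guest #DB handler, modelled on a kernel with no debugger attached:
 * report the trap and drop TF from the saved EFLAGS, so it fires once. */
static void guest_handle_debug(struct sim_vcpu *v)
{
    v->guest_db_traps++;
    v->eflags &= ~X86_EFLAGS_TF;
}

/* Execute one guest instruction (modelled as eip += len). A single-step
 * #DB is a trap: it fires after the instruction completes, and only if TF
 * was set when the instruction started. */
static void run_one_insn(struct sim_vcpu *v, unsigned len)
{
    bool tf_armed = (v->eflags & X86_EFLAGS_TF) != 0;
    v->eip += len;
    if (!tf_armed)
        return;
    if (route_exception(v, TRAP_debug) == BY_HYPERVISOR)
        hv_handle_debug_exit(v);
    else
        guest_handle_debug(v);
}

/* What the hypervisor does when returning from emulation: arm TF and,
 * optionally, add vector 1 to the intercept bitmap. */
static struct sim_vcpu start_single_step(bool intercept_db, unsigned steps)
{
    struct sim_vcpu v = { .eflags = 0x202, .eip = 0x1000, .steps_wanted = steps };
    v.eflags |= X86_EFLAGS_TF;          /* the thread's regs->eflags |= X86_EFLAGS_TF */
    if (intercept_db)
        v.exception_intercepts |= 1u << TRAP_debug;
    return v;
}

/* Run a stream of n two-byte guest instructions and return the final state. */
struct sim_vcpu run_guest(bool intercept_db, unsigned steps, unsigned n)
{
    struct sim_vcpu v = start_single_step(intercept_db, steps);
    for (unsigned i = 0; i < n; i++)
        run_one_insn(&v, 2);
    return v;
}

int main(void)
{
    struct sim_vcpu a = run_guest(false, 3, 5);
    struct sim_vcpu b = run_guest(true, 3, 5);
    printf("TF only:            hypervisor #DB exits=%u, guest traps=%u\n",
           a.hv_db_exits, a.guest_db_traps);
    printf("TF + #DB intercept: hypervisor #DB exits=%u, guest traps=%u\n",
           b.hv_db_exits, b.guest_db_traps);
    return 0;
}
```

With TF armed but no intercept, the guest handles the single #DB and the hypervisor sees nothing, matching the symptom in the first message; with vector 1 intercepted, the hypervisor gets one exit per instruction until it stops re-arming TF.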