Wangzhenguo
2011-Jun-15 11:51 UTC
[Xen-devel] Is there a bug in the emulation of fucomip instruction?
It's different between the implementation of the fucomip instruction in the function of x86_emulate and the spec of the fucomip in Intel 64 and IA-32 architectures Software Developer's Manual Volume 2A. The opcode of the fucomip is described "DF E8+i", but in the implementation in the function of x86_emulate it's "df f8+i":

---------------------------------------------------------
    case 0xdf: /* FPU 0xdf */
        switch ( modrm )
        {
        case 0xe0:
            /* fnstsw %ax */
            dst.bytes = 2;
            dst.type = OP_REG;
            dst.reg = (unsigned long *)&_regs.eax;
            emulate_fpu_insn_memdst("fnstsw", dst.val);
            break;
        case 0xf0 ... 0xf7: /* fcomip %stN */
        case 0xf8 ... 0xff: /* fucomip %stN */   <--here-->
            emulate_fpu_insn_stub(0xdf, modrm);
            break;
        default:
            fail_if(modrm >= 0xc0);
---------------------------------------------------------

So, xen will panic and say it's an invalid opcode if the guest executes the invalid instruction, "fd ff", for example.
Is it right?

The panic message is as follows:

(XEN) RIP:    e008:[<ffff83203fd1fae8>] ???
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
(XEN) rax: ffff83203fd1fae8   rbx: 00000000000000df   rcx: ffff83203fd1fda8
(XEN) rdx: 0000000000000000   rsi: ffff83203fd1fc78   rdi: ffff82c480179bf0
(XEN) rbp: 0000000000000000   rsp: ffff83203fd1f910   r8:  ffff82c48019c9f0
(XEN) r9:  0000000000000000   r10: 00000000000000c8   r11: 0000000000000000
(XEN) r12: 0000000000000004   r13: 00000000000000df   r14: ffff83203fd1fda8
(XEN) r15: 0000000000000004   cr0: 0000000080050033   cr4: 00000000000026b0
(XEN) cr3: 0000001f10da5000   cr2: 00000000fffe0080
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen stack trace from rsp=ffff83203fd1f910:
(XEN)    ffff82c48018248e 0000000000000022 ffff82c480179daf 0000ffff009322f4
(XEN)    00000000000000c8 0000000000000000 ffff82c480180234 000000023fd1fde8
(XEN)    ffff83203fd1fca0 0000000000000001 00000000000000df 0000000000000000
(XEN)    ffff83203fd1fa18 0000000400000000 ffff82c48022e800 000000003fd1fa1c
(XEN)    0000000000000022 ffff83203fd1fc78 00c883203fd1fa48 00000004000000ff
(XEN)    ffff8200000000004
(XEN)    0000000000000000 0000000800000000 0000000000040041 0000000000000000
(XEN)    0000000000000002 0000000000000000 0000000000000000 0000000000000000
(XEN)    0000000000000000 000000000004006c 0000000000040148 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 000000008055d0c0
(XEN)    0000000000000000 000000000000001f 0000000000000000 00000000fffe0080
(XEN)    0000000000000000 000000008055d5a4 0000000000000000 0000000000010246
(XEN)    000000000004001c 0000000000000000 0000000000000000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000001 0000000000c3ffdf
(XEN)    ffff82c4801ea708 0000000300000000 ffff83203fd1fb20 ffff83203fd1fb9c
(XEN)    000000093fd1fb2c 0000000000000002 0000000000000bc5 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN)    ffff83203fd1fa8808 0000000300000003
(XEN)    ffff83203fd1fb90 ffff83203fd1fc24 0000000910dca000 0000000000000002
(XEN) Xen call trace:
(XEN)    [<ffff83203fd1fae8>] ???
(XEN)    [<ffff82c48018248e>] x86_emulate+0x7e9e/0x11b10
(XEN)    [<ffff82c480179daf>] get_cpl+0x3f/0x60
(XEN)    [<ffff82c480180234>] x86_emulate+0x5c44/0x11b10
(XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
(XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
(XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
(XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
(XEN)    [<ffff82c4801a352e>] __hvm_copy+0x30e/0x3e0
(XEN)    [<ffff82c48019cec9>] hvm_emulate_one+0xc9/0x1b0
(XEN)    [<ffff82c4801bd895>] vmx_vmexit_handler+0x10b5/0x1d70
(XEN)    [<ffff82c480118a0d>] _csched_cpu_pick+0xfd/0x360
(XEN)    [<ffff82c480118c80>] csched_tick+0x0/0x250pt_update_irq+0x33/0x230
(XEN)    [<ffff82c48011f6b4>] execute_timer+0x34/0x50
(XEN)    [<ffff82c4801a87eb>] hvm_vcpu_has_pending_irq+0x6b/0xb0
(XEN)    [<ffff82c4801b67bc>] vmx_intr_assist+0x5c/0x240
(XEN)    [<ffff82c4801b9bfb>] vmx_vmenter_helper+0x5b/0x140
(XEN)    [<ffff82c4801b6573>] vmx_asm_do_vmentry+0x0/0xdd
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 8:
(XEN) FATAL TRAP: vector = 6 (invalid opcode)
(XEN) ****************************************

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Keir Fraser
2011-Jun-15 19:36 UTC
Re: [Xen-devel] Is there a bug in the emulation of fucomip instruction?
On 15/06/2011 12:51, "Wangzhenguo" <wangzhenguo@huawei.com> wrote:

> It's different between the implementation of the fucomip instruction in the
> function of x86_emulate and the spec of the fucomip in Intel 64 and IA-32
> architectures Software Developer's Manual Volume 2A. The opcode of the fucomip
> is described "DF E8+i", but in the implementation in the function of
> x86_emulate it's "df f8+i":

Good catch. Fixed as of xen-unstable:23546. I'll backport it to our maintained stable branches too.

Thanks,
Keir

> ---------------------------------------------------------
>     case 0xdf: /* FPU 0xdf */
>         switch ( modrm )
>         {
>         case 0xe0:
>             /* fnstsw %ax */
>             dst.bytes = 2;
>             dst.type = OP_REG;
>             dst.reg = (unsigned long *)&_regs.eax;
>             emulate_fpu_insn_memdst("fnstsw", dst.val);
>             break;
>         case 0xf0 ... 0xf7: /* fcomip %stN */
>         case 0xf8 ... 0xff: /* fucomip %stN */   <--here-->
>             emulate_fpu_insn_stub(0xdf, modrm);
>             break;
>         default:
>             fail_if(modrm >= 0xc0);
> ---------------------------------------------------------
>
> So, xen will panic and say it's an invalid opcode if the guest executes the
> invalid instruction, "fd ff", for example.
> Is it right?
>
> The panic message is as follows:
>
> (XEN) RIP:    e008:[<ffff83203fd1fae8>] ???
> (XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
> (XEN) rax: ffff83203fd1fae8   rbx: 00000000000000df   rcx: ffff83203fd1fda8
> (XEN) rdx: 0000000000000000   rsi: ffff83203fd1fc78   rdi: ffff82c480179bf0
> (XEN) rbp: 0000000000000000   rsp: ffff83203fd1f910   r8:  ffff82c48019c9f0
> (XEN) r9:  0000000000000000   r10: 00000000000000c8   r11: 0000000000000000
> (XEN) r12: 0000000000000004   r13: 00000000000000df   r14: ffff83203fd1fda8
> (XEN) r15: 0000000000000004   cr0: 0000000080050033   cr4: 00000000000026b0
> (XEN) cr3: 0000001f10da5000   cr2: 00000000fffe0080
> (XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
> (XEN) Xen stack trace from rsp=ffff83203fd1f910:
> (XEN)    ffff82c48018248e 0000000000000022 ffff82c480179daf 0000ffff009322f4
> (XEN)    00000000000000c8 0000000000000000 ffff82c480180234 000000023fd1fde8
> (XEN)    ffff83203fd1fca0 0000000000000001 00000000000000df 0000000000000000
> (XEN)    ffff83203fd1fa18 0000000400000000 ffff82c48022e800 000000003fd1fa1c
> (XEN)    0000000000000022 ffff83203fd1fc78 00c883203fd1fa48 00000004000000ff
> (XEN)    ffff8200000000004
> (XEN)    0000000000000000 0000000800000000 0000000000040041 0000000000000000
> (XEN)    0000000000000002 0000000000000000 0000000000000000 0000000000000000
> (XEN)    0000000000000000 000000000004006c 0000000000040148 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000000 000000008055d0c0
> (XEN)    0000000000000000 000000000000001f 0000000000000000 00000000fffe0080
> (XEN)    0000000000000000 000000008055d5a4 0000000000000000 0000000000010246
> (XEN)    000000000004001c 0000000000000000 0000000000000000 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000001 0000000000c3ffdf
> (XEN)    ffff82c4801ea708 0000000300000000 ffff83203fd1fb20 ffff83203fd1fb9c
> (XEN)    000000093fd1fb2c 0000000000000002 0000000000000bc5 0000000000000000
> (XEN)    0000000000000000 0000000000000000 0000000000000000 0000000000000000
> (XEN)    ffff83203fd1fa8808 0000000300000003
> (XEN)    ffff83203fd1fb90 ffff83203fd1fc24 0000000910dca000 0000000000000002
> (XEN) Xen call trace:
> (XEN)    [<ffff83203fd1fae8>] ???
> (XEN)    [<ffff82c48018248e>] x86_emulate+0x7e9e/0x11b10
> (XEN)    [<ffff82c480179daf>] get_cpl+0x3f/0x60
> (XEN)    [<ffff82c480180234>] x86_emulate+0x5c44/0x11b10
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230
> (XEN)    [<ffff82c4801a352e>] __hvm_copy+0x30e/0x3e0
> (XEN)    [<ffff82c48019cec9>] hvm_emulate_one+0xc9/0x1b0
> (XEN)    [<ffff82c4801bd895>] vmx_vmexit_handler+0x10b5/0x1d70
> (XEN)    [<ffff82c480118a0d>] _csched_cpu_pick+0xfd/0x360
> (XEN)    [<ffff82c480118c80>] csched_tick+0x0/0x250pt_update_irq+0x33/0x230
> (XEN)    [<ffff82c48011f6b4>] execute_timer+0x34/0x50
> (XEN)    [<ffff82c4801a87eb>] hvm_vcpu_has_pending_irq+0x6b/0xb0
> (XEN)    [<ffff82c4801b67bc>] vmx_intr_assist+0x5c/0x240
> (XEN)    [<ffff82c4801b9bfb>] vmx_vmenter_helper+0x5b/0x140
> (XEN)    [<ffff82c4801b6573>] vmx_asm_do_vmentry+0x0/0xdd
> (XEN)
> (XEN)
> (XEN) ****************************************
> (XEN) Panic on CPU 8:
> (XEN) FATAL TRAP: vector = 6 (invalid opcode)
> (XEN) ****************************************
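The defect discussed in this thread, as an added example that is not Xen's own code: a small C model of the decode of the second byte after the 0xDF escape, with the range the reported x86_emulate code used (fucomip at DF F8+i) beside the one the Intel manual gives (DF E8+i for FUCOMIP, DF F0+i for FCOMIP, DF E0 for FNSTSW AX). The enum, the function names and the sweep helpers are this example's own inventions; register-form bytes outside those cases are treated as invalid, which is what the fail_if(modrm >= 0xc0) default in the quoted code does. The point for a hypervisor emulator is that every encoding the decoder accepts is handed to a stub and re-executed on the host FPU, so an accept range wider than the hardware's turns a guest-supplied invalid opcode into a #UD in hypervisor context (the panic above), whereas an encoding the decoder refuses never reaches the host.

```c
/* Added example, not Xen's code: model of the 0xDF second-byte decode. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical outcome type for this example; the Xen emulator has no such enum. */
enum df_insn { DF_INVALID = 0, DF_FNSTSW_AX, DF_FUCOMIP, DF_FCOMIP };

/* Register-form encodings (modrm >= 0xc0) of the 0xDF escape as documented in
   SDM Vol. 2A: DF E0 = FNSTSW AX, DF E8+i = FUCOMIP ST(0),ST(i),
   DF F0+i = FCOMIP ST(0),ST(i). Anything else is refused here, as the
   fail_if() default does in the quoted code. */
enum df_insn decode_df_fixed(uint8_t modrm)
{
    if (modrm == 0xe0)                  return DF_FNSTSW_AX;
    if (modrm >= 0xe8 && modrm <= 0xef) return DF_FUCOMIP;
    if (modrm >= 0xf0 && modrm <= 0xf7) return DF_FCOMIP;
    return DF_INVALID;
}

/* The ranges the reported x86_emulate code used: fucomip placed at DF F8+i. */
enum df_insn decode_df_buggy(uint8_t modrm)
{
    if (modrm == 0xe0)                  return DF_FNSTSW_AX;
    if (modrm >= 0xf0 && modrm <= 0xf7) return DF_FCOMIP;
    if (modrm >= 0xf8)                  return DF_FUCOMIP;   /* wrong range */
    return DF_INVALID;
}

/* Stack register index i lives in the low three bits of the modrm byte. */
int st_index(uint8_t modrm) { return modrm & 7; }

/* An accepted instruction is re-executed on the host FPU through a stub; a
   refused one never is. True when the buggy decode would run an encoding the
   hardware does not define, i.e. would fault in hypervisor context. */
bool buggy_forwards_undefined(uint8_t modrm)
{
    return decode_df_buggy(modrm) != DF_INVALID &&
           decode_df_fixed(modrm) == DF_INVALID;
}

/* Sweep every register-form second byte and count the dangerous ones. */
int count_undefined_forwarded(void)
{
    int n = 0;
    for (int m = 0xc0; m <= 0xff; m++)
        if (buggy_forwards_undefined((uint8_t)m))
            n++;
    return n;
}

/* Count genuine FUCOMIP encodings the buggy decoder refuses: a correctness
   gap for the guest rather than a host crash. */
int count_valid_rejected(void)
{
    int n = 0;
    for (int m = 0xc0; m <= 0xff; m++)
        if (decode_df_fixed((uint8_t)m) != DF_INVALID &&
            decode_df_buggy((uint8_t)m) == DF_INVALID)
            n++;
    return n;
}

int main(void)
{
    static const char *name[] = { "invalid", "fnstsw %ax", "fucomip", "fcomip" };
    /* Constructed sample second bytes: fnstsw, fucomip st1, fcomip st3, undefined. */
    uint8_t samples[] = { 0xe0, 0xe9, 0xf3, 0xff };
    for (size_t k = 0; k < sizeof samples; k++) {
        uint8_t m = samples[k];
        printf("df %02x: buggy=%-10s fixed=%-10s st(%d)%s\n", m,
               name[decode_df_buggy(m)], name[decode_df_fixed(m)], st_index(m),
               buggy_forwards_undefined(m) ? "  <- host #UD with buggy decode" : "");
    }
    printf("undefined encodings forwarded to host: %d\n", count_undefined_forwarded());
    printf("valid fucomip encodings wrongly refused: %d\n", count_valid_rejected());
    return 0;
}
```

The sweep shows the two halves of the bug: eight undefined bytes (DF F8 to DF FF) that the old range would have executed on the host, and eight real FUCOMIP encodings (DF E8 to DF EF) it would have refused. The general rule the fix restores is that an instruction emulator's accept set must be a subset of what the hardware accepts, since anything it forwards runs with the hypervisor's privilege.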