Xen project Mailing List

Re: [Xen-devel] Is there a bug in the emulation of fucomip instruction?

To: Wangzhenguo <wangzhenguo@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>

From: Keir Fraser <keir@xxxxxxx>

Date: Wed, 15 Jun 2011 20:36:43 +0100

Cc: Xiaowei Yang <xiaowei.yang@xxxxxxxxxx>

Delivery-date: Wed, 15 Jun 2011 12:37:53 -0700

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=OTDeGP1Gi5tJUK2Lp0GtR8FY+bLPUlyvVoA3d/moPCnH4OhPVfF3eML83Vss5iZgiR HymiKPMcv8Sxt+ZtY8SUEzDP7iPPl7dw7akjKTS/YoHMIXDRt+l9vIhGZOI4XH1leBuA 8zNOytJHDz5ImBUzfKdKPNQkqk1auBmtTEp6Y=

List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Thread-index: AcwrUo3Re1fucIOUQ62a0WTsINv68QAQQA22

Thread-topic: [Xen-devel] Is there a bug in the emulation of fucomip instruction?

On 15/06/2011 12:51, "Wangzhenguo" <wangzhenguo@xxxxxxxxxx> wrote: > It's different between the implementation of the fucomip instruction in the > function of x86_emulate and the spec of the fucomip in Intel 64 and IA-32 > architectures Software Developer's Manual Volume 2A. The opcode of the fucomip > is described "DF E8+i", but in the implementation in the function of > 86_emulate it's "df f8+i": Good catch. Fixed as of xen-unstable:23546. I'll backport it to our maintained stable branches too. Thanks, Keir > --------------------------------------------------------- > case 0xdf: /* FPU 0xdf */ > switch ( modrm ) > { > case 0xe0: > /* fnstsw %ax */ > dst.bytes = 2; > dst.type = OP_REG; > dst.reg = (unsigned long *)&_regs.eax; > emulate_fpu_insn_memdst("fnstsw", dst.val); > break; > case 0xf0 ... 0xf7: /* fcomip %stN */ > case 0xf8 ... 0xff: /* fucomip %stN */ <--here--> > emulate_fpu_insn_stub(0xdf, modrm); > break; > default: > fail_if(modrm >= 0xc0); > --------------------------------------------------------- > So, xen will panic and say it's an invalid opcode if the guest executes the > invalid instruction, "fd ff", for example. > Is it right? > > There is the panic message as follow: > (XEN) RIP: e008:[<ffff83203fd1fae8>] ??? > (XEN) RFLAGS: 0000000000010246 CONTEXT: hypervisor > (XEN) rax: ffff83203fd1fae8 rbx: 00000000000000df rcx: ffff83203fd1fda8 > (XEN) rdx: 0000000000000000 rsi: ffff83203fd1fc78 rdi: ffff82c480179bf0 > (XEN) rbp: 0000000000000000 rsp: ffff83203fd1f910 r8: ffff82c48019c9f0 > (XEN) r9: 0000000000000000 r10: 00000000000000c8 r11: 0000000000000000 > (XEN) r12: 0000000000000004 r13: 00000000000000df r14: ffff83203fd1fda8 > (XEN) r15: 0000000000000004 cr0: 0000000080050033 cr4: 00000000000026b0 > (XEN) cr3: 0000001f10da5000 cr2: 00000000fffe0080 > (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: e008 > (XEN) Xen stack trace from rsp=ffff83203fd1f910: > (XEN) ffff82c48018248e 0000000000000022 ffff82c480179daf 0000ffff009322f4 > (XEN) 00000000000000c8 0000000000000000 ffff82c480180234 000000023fd1fde8 > (XEN) ffff83203fd1fca0 0000000000000001 00000000000000df 0000000000000000 > (XEN) ffff83203fd1fa18 0000000400000000 ffff82c48022e800 000000003fd1fa1c > (XEN) 0000000000000022 ffff83203fd1fc78 00c883203fd1fa48 00000004000000ff > (XEN) ffff8200000000004 > (XEN) 0000000000000000 0000000800000000 0000000000040041 0000000000000000 > (XEN) 0000000000000002 0000000000000000 0000000000000000 0000000000000000 > (XEN) 0000000000000000 000000000004006c 0000000000040148 0000000000000000 > (XEN) 0000000000000000 0000000000000000 0000000000000000 000000008055d0c0 > (XEN) 0000000000000000 000000000000001f 0000000000000000 00000000fffe0080 > (XEN) 0000000000000000 000000008055d5a4 0000000000000000 0000000000010246 > (XEN) 000000000004001c 0000000000000000 0000000000000000 0000000000000000 > (XEN) 0000000000000000 0000000000000000 0000000000000001 0000000000c3ffdf > (XEN) ffff82c4801ea708 0000000300000000 ffff83203fd1fb20 ffff83203fd1fb9c > (XEN) 000000093fd1fb2c 0000000000000002 0000000000000bc5 0000000000000000 > (XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000 > (XEN) ffff83203fd1fa8808 0000000300000003 > (XEN) ffff83203fd1fb90 ffff83203fd1fc24 0000000910dca000 0000000000000002 > (XEN) Xen call trace: > (XEN) [<ffff83203fd1fae8>] ??? > (XEN) [<ffff82c48018248e>] x86_emulate+0x7e9e/0x11b10 > (XEN) [<ffff82c480179daf>] get_cpl+0x3f/0x60 > (XEN) [<ffff82c480180234>] x86_emulate+0x5c44/0x11b10 > (XEN) [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230 > (XEN) [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230 > (XEN) [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230 > (XEN) [<ffff82c4801ea708>] ept_get_entry+0xd8/0x230 > (XEN) [<ffff82c4801a352e>] __hvm_copy+0x30e/0x3e0 > (XEN) [<ffff82c48019cec9>] hvm_emulate_one+0xc9/0x1b0 > (XEN) [<ffff82c4801bd895>] vmx_vmexit_handler+0x10b5/0x1d70 > (XEN) [<ffff82c480118a0d>] _csched_cpu_pick+0xfd/0x360 > (XEN) [<ffff82c480118c80>] csched_tick+0x0/0x250pt_update_irq+0x33/0x230 > (XEN) [<ffff82c48011f6b4>] execute_timer+0x34/0x50 > (XEN) [<ffff82c4801a87eb>] hvm_vcpu_has_pending_irq+0x6b/0xb0 > (XEN) [<ffff82c4801b67bc>] vmx_intr_assist+0x5c/0x240 > (XEN) [<ffff82c4801b9bfb>] vmx_vmenter_helper+0x5b/0x140 > (XEN) [<ffff82c4801b6573>] vmx_asm_do_vmentry+0x0/0xdd > (XEN) > (XEN) > (XEN) **************************************** > (XEN) Panic on CPU 8: > (XEN) FATAL TRAP: vector = 6 (invalid opcode) > (XEN) **************************************** > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxxxxxxxx > http://lists.xensource.com/xen-devel _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.