Commit graph

60 commits

Author SHA1 Message Date
Richard Henderson 2af9cf7113
target/i386: Generate #UD when applying LOCK to a register destination
Fixes a TCG crash due to attempting the atomic operation without
having set up the address first. This does not attempt to fix
all of the other missing checks for LOCK.

Fixes: a7cee522f35
Fixes: https://bugs.launchpad.net/qemu/+bug/1803160

Backports commit e84fcd7f662a0d8198703f6f89416d7ac2c32767 from qemu
2018-12-01 20:13:02 -05:00
Catena cyber 43c48b72ea
Initializes i386 prefix value
Backports commit 4a86318cf45b7f0b8e01748ce700de1b7688d1e3 from unicorn
2018-10-06 04:57:06 -04:00
Pavel Dovgalyuk 461fbaa9eb
target/i386: fix translation for icount mode
This patch fixes the checking of boundary crossing instructions.
In icount mode only first instruction of the block may cross
the page boundary to keep the translation deterministic.
These conditions already existed, but compared the wrong variable.

Backports commit 41d54dc09f1f327dedc79d5ba0b1b437ab7b0e94 from qemu
2018-10-04 04:32:26 -04:00
Paolo Bonzini 752aea8379
target/i386: rename HF_SVMI_MASK to HF_GUEST_MASK
This flag will be used for KVM's nested VMX migration; the HF_GUEST_MASK name
is already used in KVM, adopt it in QEMU as well.

Backports commit f8dc4c645ec2956a6cd97e0ca0fdd4753181f735 from qemu
2018-10-04 04:24:39 -04:00
Emilio G. Cota b9bb6cead9
target/i386: move x86_64_hregs to DisasContext
And convert it to a bool to use an existing hole
in the struct.

Backports commit 1dbe15ef57abdf7b6a26c8e638abf6413a4b9d0c from qemu
2018-10-04 04:02:50 -04:00
Emilio G. Cota 90e189ca24
target/i386: move cpu_tmp1_i64 to DisasContext
Backports commit 776678b2961848a80387509c433dc04b0f761592 from qemu
2018-10-04 03:59:13 -04:00
Emilio G. Cota 04530acab2
target/i386: move cpu_tmp3_i32 to DisasContext
Backports commit 4f82446de695f080ed148a0e47fc141e928665af from qemu
2018-10-04 03:56:05 -04:00
Emilio G. Cota 781e6bde41
target/i386: move cpu_tmp2_i32 to DisasContext
Backports commit 6bd48f6f206b6f32a5bbeebc3ae6886d4f587981 from qemu
2018-10-04 03:53:31 -04:00
Emilio G. Cota c13337d1bc
target/i386: move cpu_ptr1 to DisasContext
Backports commit 6387e8303ffb26cfb40b0f93372f1519229b4d2c from qemu
2018-10-04 03:48:09 -04:00
Emilio G. Cota 3e442d4480
target/i386: move cpu_ptr0 to DisasContext
Backports commit 2ee2646491a293a92d1c85e90e12419a8c199ed0 from qemu
2018-10-04 03:46:53 -04:00
Emilio G. Cota cc872aa711
target/i386: move cpu_tmp4 to DisasContext
Backports commit 5022f28f1e4033eb369b744ad61b96d086beca1b from qemu
2018-10-04 03:45:28 -04:00
Emilio G. Cota d2752ebc42
target/i386: move cpu_tmp0 to DisasContext
Backports commit fbd80f02df3fe272ba0f4825df27b8459dafbc14 from qemu
2018-10-04 03:41:13 -04:00
Emilio G. Cota b704b6c205
target/i386: move cpu_T1 to DisasContext
Backports commit b48597b0eda32d4c7ade2ba3f98f06f62289e3e2 from qemu
2018-10-04 03:35:10 -04:00
Emilio G. Cota 70b327dc82
target/i386: move cpu_T0 to DisasContext
Backports commit c66f97273f677d76afaaeb0e688eb08499701b1b from qemu
2018-10-04 03:29:13 -04:00
Emilio G. Cota c1d70758ea
target/i386: move cpu_A0 to DisasContext
Backports commit 6b672b5d6b14422c131969c5725f738751e12847 from qemu
2018-10-04 01:16:35 -04:00
Emilio G. Cota 30c66bcca3
target/i386: move cpu_cc_srcT to DisasContext
Backports commit 93a3e108eb6a9bb781ab7db6e92d91528e482030 from qemu
2018-10-04 00:59:00 -04:00
vardyh 8ca718367f
x86::trans: handle illegal case for opc c6/c7
Reference Intel software developer manual vol2 Appendix A Table A-6 for
detailed decoding information.

Re-applies commit ad767abda8 from qemu
2018-09-07 19:28:01 -04:00
Lioncash fffc31e7e2
target/i386/translate: Synchronize EIP if read/write callbacks are set
This is another feature that was left by the wayside when upgrading
qemu. It's fairly trivial to restore.
2018-09-03 14:40:46 -04:00
Lioncash 0d0d8b6db9
target/i386/translate: Report proper instruction size in code hooks
This was intentionally broken to make updating qemu as quick as possible
when it was woefully out of date, particularly because the interface of
qemu's TCG changed quite a bit, so this code would have needed to be
changed anyways.

Now that qemu is up to date for this variant of Unicorn, we can repair
this functionality and also--and I put massive emphasis on this, since
this wasn't done in the original Unicorn repo--*actually document what
the heck we're doing in this case*, so it's not a pain to change in the
future if we actually need to do that. It makes it much, much, simpler
for people not involved with qemu to understand what is going on in this
case.
2018-09-03 14:09:05 -04:00
Lioncash dce6dde483
target/i386/translate: Remove unnecessary (and incorrect) pointer casts from some gen_op functions
These used to be necessary, as the relevant variables used to be void*,
thus making the casts necessary. Given they were changed to concrete
types over the course of backporting, these are unnecessary.
2018-09-03 10:44:55 -04:00
Jan Kiszka fab6f4cd3a
target-i386: Allow interrupt injection after STGI
We need to terminate the translation block after STGI so that pending
interrupts can be injected.

This fixes pending NMI injection for Jailhouse which uses "stgi; clgi"
to open a brief injection window.

Backports commit df2518aa587a0157bbfbc635fe47295629d9914a from qemu
2018-07-03 01:29:43 -04:00
Richard Henderson 91359e67f9
target/i386: Fix BLSR and BLSI
The implementation of these two instructions was swapped.
At the same time, unify the setup of eflags for the insn group.

Backports commit 13672386a93fef64cfd33bd72fbf3d80f2c00e94 from qemu
2018-07-03 01:22:04 -04:00
Richard Henderson 10e2b13650
tcg: Pass tb and index to tcg_gen_exit_tb separately
Do the cast to uintptr_t within the helper, so that the compiler
can type check the pointer argument. We can also do some more
sanity checking of the index argument.

Backports commit 07ea28b41830f946de3841b0ac61a3413679feb9 from qemu
2018-06-07 11:56:32 -04:00
Emilio G. Cota 7e8902eccc
tcg: fix s/compliment/complement/ typos
Backports commit 1d349821551c2da4dfefe36c6ac17319f33ebbd5 from qemu
2018-05-22 00:29:51 -04:00
Emilio G. Cota d26bf1d446
translator: merge max_insns into DisasContextBase
While at it, use int for both num_insns and max_insns to make
sure we have same-type comparisons.

Backports commit b542683d77b4f56cef0221b267c341616d87bce9 from qemu
2018-05-11 13:59:17 -04:00
Eugene Minibaev 87180dd231
Add missing bit for SSE instr in VEX decoding
The 2-byte VEX prefix imples a leading 0Fh opcode byte.

Backports commit e0014d4b3a955cfd8d517674703bfa87f340290a from qemu
2018-04-10 08:49:15 -04:00
Alexandro Sanchez Bach 4a1de154ef
target/i386: Fix andn instruction
In commit 7073fbada733c8d10992f00772c9b9299d740e9b, the `andn` instruction
was implemented via `tcg_gen_andc` but passes the operands in the wrong
order:
- X86 defines `andn dest,src1,src2` as: dest = ~src1 & src2
- TCG defines `andc dest,src1,src2` as: dest = src1 & ~src2

The following simple test shows the issue:

int main(void) {
uint32_t ret = 0;
__asm (
"mov $0xFF00, %%ecx\n"
"mov $0x0F0F, %%eax\n"
"andn %%ecx, %%eax, %%ecx\n"
"mov %%ecx, %0\n"
: "=r" (ret));
printf("%08X\n", ret);
return 0;
}

This patch fixes the problem by simply swapping the order of the two last
arguments in `tcg_gen_andc_tl`.

Backports commit 5cd10051c2e02b7a86eae49919d6c65a87dbea46 from qemu
2018-04-10 08:48:05 -04:00
Lioncash 0d0dd2ba98
target/i386/translate: Perform comparison pass against qemu
Ensure code and formatting match qemu where applicable
2018-03-12 13:12:01 -04:00
Richard Henderson 5f074f09ab
tcg: Remove TCGV_UNUSED* and TCGV_IS_UNUSED*
These are now trivial sets and tests against NULL. Unwrap.

Backports commit f764718d0cb30af9f1f8e1d6a33622cc05ca4155 from qemu
2018-03-05 15:58:15 -05:00
Stefan Weil 55b19c099e
target/i386: Fix compiler warnings
These gcc warnings are fixed:

target/i386/translate.c:4461:12: warning:
variable 'prefixes' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
target/i386/translate.c:4466:9: warning:
variable 'rex_w' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]
target/i386/translate.c:4466:16: warning:
variable 'rex_r' might be clobbered by 'longjmp' or 'vfork' [-Wclobbered]

Tested with x86_64-w64-mingw32-gcc from Debian stretch.

Backports commit a4926d99129a1d8072fc4681cd4efdb214f65ed4 from qemu
2018-03-05 14:20:36 -05:00
Peter Maydell d89704eb0f
target/i386: Fix handling of VEX prefixes
In commit e3af7c788b73a6495eb9d94992ef11f6ad6f3c56 we
replaced direct calls to to cpu_ld*_code() with calls
to the x86_ld*_code() wrappers which incorporate an
advance of s->pc. Unfortunately we didn't notice that
in one place the old code was deliberately not incrementing
s->pc:

@@ -4501,7 +4528,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
static const int pp_prefix[4] = {
0, PREFIX_DATA, PREFIX_REPZ, PREFIX_REPNZ
};
- int vex3, vex2 = cpu_ldub_code(env, s->pc);
+ int vex3, vex2 = x86_ldub_code(env, s);

if (!CODE64(s) && (vex2 & 0xc0) != 0xc0) {
/* 4.1.4.6: In 32-bit mode, bits [7:6] must be 11b,

This meant we were mishandling this set of instructions.
Remove the manual advance of s->pc for the "is VEX" case
(which is now done by x86_ldub_code()) and instead rewind
PC in the case where we decide that this isn't really VEX.

Backports commit 817a9fcba8043faa467929e7b0193df6bdc92211 from qemu
2018-03-05 13:48:29 -05:00
Richard Henderson 28061c2e59
qom: Introduce CPUClass.tcg_initialize
Move target cpu tcg initialization to common code,
called from cpu_exec_realizefn.

Backports commit 55c3ceef61fcf06fc98ddc752b7cce788ce7680b from qemu
2018-03-05 09:49:26 -05:00
Richard Henderson 4d9c8583fa
tcg: Remove TCGV_EQUAL*
When we used structures for TCGv_*, we needed a macro in order to
perform a comparison. Now that we use pointers, this is just clutter

Backports commit 11f4e8f8bfaa2caaab24bef6bbbb8a0205015119 from qemu
2018-03-05 09:16:07 -05:00
Richard Henderson eb488f5bd6
tcg: Merge opcode arguments into TCGOp
Rather than have a separate buffer of 10*max_ops entries,
give each opcode 10 entries. The result is actually a bit
smaller and should have slightly more cache locality.

Backports commit 75e8b9b7aa0b95a761b9add7e2f09248b101a392 from qemu
2018-03-05 04:45:20 -05:00
Paolo Bonzini 7dd4afd8d9
target/i386: trap on instructions longer than >15 bytes
Besides being more correct, arbitrarily long instruction allow the
generation of a translation block that spans three pages. This
confuses the generator and even allows ring 3 code to poison the
translation block cache and inject code into other processes that are
in guest ring 3.

This is an improved (and more invasive) fix for commit 30663fd ("tcg/i386:
Check the size of instruction being translated", 2017-03-24). In addition
to being more precise (and generating the right exception, which is #GP
rather than #UD), it distinguishes better between page faults and too long
instructions, as shown by this test case:

int main()
{
char *x = mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_ANON, -1, 0);
memset(x, 0x66, 4096);
x[4096] = 0x90;
x[4097] = 0xc3;
char *i = x + 4096 - 15;
mprotect(x + 4096, 4096, PROT_READ|PROT_WRITE);
((void(*)(void)) i) ();
}

... which produces a #GP without the mprotect, and a #PF with it.

Backports commit b066c5375737ad0d630196dab2a2b329515a1d00 from qemu
2018-03-05 04:12:28 -05:00
Paolo Bonzini 44f87a8fbf
target/i386: introduce x86_ld*_code
These take care of advancing s->pc, and will provide a unified point
where to check for the 15-byte instruction length limit.

Backports commit e3af7c788b73a6495eb9d94992ef11f6ad6f3c56 from qemu
2018-03-05 04:11:02 -05:00
Emilio G. Cota 5fae6dd433
tcg: remove addr argument from lookup_tb_ptr
It is unlikely that we will ever want to call this helper passing
an argument other than the current PC. So just remove the argument,
and use the pc we already get from cpu_get_tb_cpu_state.

This change paves the way to having a common "tb_lookup" function.

Backports commit 7f11636dbee89b0e4d03e9e2b96e14649a7db778 from qemu
2018-03-05 02:16:34 -05:00
Todd Eisenberger 75bdfd85a7
x86: Correct translation of some rdgsbase and wrgsbase encodings
It looks like there was a transcription error when writing this code
initially. The code previously only decoded src or dst of rax. This
resolves
https://bugs.launchpad.net/qemu/+bug/1719984.

Backports commit e0dd5fd41a1a38766009f442967fab700d2d0550 from qemu
2018-03-05 02:05:26 -05:00
Joseph Myers 84b3c54b18
target/i386: set rip_offset for further SSE instructions
It turns out that my recent fix to set rip_offset when emulating some
SSE4.1 instructions needs generalizing to cover a wider class of
instructions. Specifically, every instruction in the sse_op_table7
table, coming from various instruction set extensions, has an 8-bit
immediate operand that comes after any memory operand, and so needs
rip_offset set for correctness if there is a memory operand that is
rip-relative, and my patch only set it for a subset of those
instructions. This patch moves the rip_offset setting to cover the
wider class of instructions, so fixing 9 further gcc testsuite
failures in my GCC 6-based testing. (I do not know whether there
might be still further classes of instructions missing this setting.)

Backports commit c6a8242915328cda0df0fbc0803da3448137e614 from qemu
2018-03-04 23:57:12 -05:00
Lioncash 6586c88706
target/i386: Remove unnecessary unicorn hooking code in i386_tr_init_disas_context
This is all centralized in translator_loop now
2018-03-04 20:31:07 -05:00
Lluís Vilanova c40f5eb73e
target/i386: [tcg] Port to generic translation framework
Backports commit d2e6eedf5078d0f2ac17fc1a0d24f6be79c071d7 from qemu
2018-03-04 17:42:42 -05:00
Lluís Vilanova 579a23cfa0
target/i386: [tcg] Port to disas_log
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit e0d110d943891b719de7ca075fc17fa8ea5749b8 from qemu
2018-03-04 17:31:25 -05:00
Lluís Vilanova 75ddf81d2c
target/i386: [tcg] Port to tb_stop
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 47e981b42553f00110024c33897354f9014e83e9 from qemu
2018-03-04 17:27:45 -05:00
Lluís Vilanova bea36e432c
target/i386: [tcg] Port to translate_insn
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 2c2f8cacd8cf4f67d6f1384b19d38f9a0a25878b from qemu
2018-03-04 17:24:32 -05:00
Lluís Vilanova 5f020bdf07
target/i386: [tcg] Port to breakpoint_check
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit e6b41ec37f0a9742374dfdb90e662745969cd7ea from qemu
2018-03-04 17:19:43 -05:00
Lluís Vilanova e3ea2c0393
target/i386: [tcg] Port to breakpoint_check
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit e6b41ec37f0a9742374dfdb90e662745969cd7ea from qemu
2018-03-04 17:16:55 -05:00
Lluís Vilanova 1f0f1fb302
target/i386: [tcg] Port to insn_start
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 9d75f52b34053066b8e8fc37610d5f300d67538b from qemu
2018-03-04 17:15:37 -05:00
Lluís Vilanova 8896a2887e
target/i386: [tcg] Port to init_disas_context
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 9761d39b09c4beb1340bf3074be3d3e0a5d453a4 from qemu
2018-03-04 17:14:16 -05:00
Lluís Vilanova 4babc3ff64
target/i386: [tcg] Port to DisasContextBase
Incrementally paves the way towards using the generic instruction translation
loop.

Backports commit 6cf147aa299e49f7794858609a1e8ef19f81c007 from qemu
2018-03-04 14:48:29 -05:00
Paolo Bonzini 6997a5a090
gen-icount: check cflags instead of use_icount global
Backports commit cd42d5b23691ad73edfd6dbcfc935a960a9c5a65 from qemu
2018-03-04 14:26:26 -05:00