Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
From: Jamie Lokier
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Date: Tue, 15 Dec 2009 21:21:27 +0000
User-agent: Mutt/1.5.13 (2006-08-11)
Avi Kivity wrote:
> On 12/15/2009 08:48 PM, Clemens Kolbitsch wrote:
> >Hi list,
> >
> >I'm experiencing a strange emulation bug with the op-code below. The
> >instruction raises a segfault in the application (running on the guest);
> >however, if I enable KVM to run the exact same application, no segfault is
> >raised.
> >
> >0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
> >
> >where "11 22 33 44" is just some address. According to gdb (on a 32-bit
> >little-endian machine), this instruction can be disassembled as a "mov
> >address to reg-eax".
> >
>
> This is an odd encoding for this instruction, since there is a shorter
> one possible (8b 05 11 22 33 44). So it is possible there is a bug in
> qemu that has never been triggered because compilers/assemblers don't
> generate this encoding.
>
> btw, binutils disassembles this as
>
> 8b 04 65 11 22 33 44 mov 0x44332211(,%eiz,2),%eax
>
> I guess %eiz is some mnemonic for a "zero register" so the assembly can
> be reassembled into a 7-byte instruction later.
That's right. Gas accepts it if given the undocumented -mindex-reg
flag, apparently. %eiz / eiz appears to be a Gas-specific invention,
not standard AT&T or Intel syntax.
-- Jamie
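The two encodings discussed in the thread, decoded side by side: the 7-byte form from the bug report (ModRM rm=100b selects a SIB byte; SIB index=100b means "no index register", which binutils prints as %eiz; SIB base=101b with mod=00 means "no base, disp32 follows") and the 6-byte form Avi mentions (ModRM mod=00, rm=101b: plain disp32). Both resolve to the same absolute address 0x44332211 regardless of register contents, so an emulator must treat them identically. This is an added example and is not code from the thread, from QEMU or from binutils: it decodes only opcode 0x8B in 32-bit mode without prefixes, the ECX-indexed variant, the register-direct variant and the register values are constructed for the demonstration, and the AT&T rendering is a simplified imitation of objdump's output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded memory operand of a 32-bit MOV r32, r/m32 (opcode 0x8B, no prefixes). */
typedef struct {
    int ok;        /* 1 if the bytes decode as a MOV with a memory operand */
    int reg;       /* destination register from ModRM.reg (0 = eax ... 7 = edi) */
    int has_sib;   /* 1 if a SIB byte was present */
    int base;      /* base register number, or -1 for none */
    int index;     /* index register number, or -1 for none (binutils: %eiz) */
    int scale;     /* 1, 2, 4 or 8 */
    int32_t disp;  /* sign-extended displacement */
    size_t len;    /* total instruction length in bytes */
} mov_mem_t;

static const char *REG32[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

/* Walk opcode, ModRM, optional SIB and displacement (32-bit mode, no prefixes). */
static mov_mem_t decode_mov_r32_rm32(const uint8_t *p, size_t n) {
    mov_mem_t d = {.base = -1, .index = -1, .scale = 1};
    size_t i = 0;
    if (n < 2 || p[i++] != 0x8B) return d;
    uint8_t modrm = p[i++];
    int mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return d;                        /* register-direct: no memory operand */
    d.reg = (modrm >> 3) & 7;
    int disp_size = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;
    if (rm == 4) {                                 /* rm = 100b: a SIB byte follows */
        if (i >= n) return d;
        uint8_t sib = p[i++];
        int idx = (sib >> 3) & 7, base = sib & 7;
        d.has_sib = 1;
        d.scale = 1 << (sib >> 6);
        d.index = (idx == 4) ? -1 : idx;           /* index = 100b: no index register */
        if (base == 5 && mod == 0) disp_size = 4;  /* base = 101b, mod = 00: disp32, no base */
        else d.base = base;
    } else if (rm == 5 && mod == 0) {
        disp_size = 4;                             /* rm = 101b, mod = 00: plain disp32 */
    } else {
        d.base = rm;
    }
    if (i + disp_size > n) return d;
    if (disp_size == 1) d.disp = (int8_t)p[i];
    else if (disp_size == 4) d.disp = (int32_t)((uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                                                (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24);
    d.len = i + disp_size;
    d.ok = 1;
    return d;
}

/* Effective address given the eight GPRs in encoding order (eax ... edi). */
static uint32_t effective_address(const mov_mem_t *d, const uint32_t regs[8]) {
    uint32_t ea = (uint32_t)d->disp;
    if (d->base >= 0)  ea += regs[d->base];
    if (d->index >= 0) ea += regs[d->index] * (uint32_t)d->scale;
    return ea;
}

/* AT&T rendering in the style of binutils, with %eiz for an absent SIB index. */
static const char *format_att(const mov_mem_t *d, char *buf, size_t n) {
    char disp[16];
    snprintf(disp, sizeof disp, "%s0x%x", d->disp < 0 ? "-" : "",
             d->disp < 0 ? 0u - (uint32_t)d->disp : (uint32_t)d->disp);
    if (d->has_sib)
        snprintf(buf, n, "%s(%s%s,%%%s,%d),%%%s", disp, d->base >= 0 ? "%" : "",
                 d->base >= 0 ? REG32[d->base] : "", d->index >= 0 ? REG32[d->index] : "eiz",
                 d->scale, REG32[d->reg]);
    else if (d->base >= 0)
        snprintf(buf, n, "%s(%%%s),%%%s", disp, REG32[d->base], REG32[d->reg]);
    else
        snprintf(buf, n, "%s,%%%s", disp, REG32[d->reg]);
    return buf;
}

/* Decode and format in one call (static buffer, so one result at a time). */
static const char *disasm_mov(const uint8_t *p, size_t n) {
    static char buf[64];
    mov_mem_t d = decode_mov_r32_rm32(p, n);
    return d.ok ? format_att(&d, buf, sizeof buf) : "(bad)";
}
static uint32_t ea_of(const uint8_t *p, size_t n, const uint32_t regs[8]) {
    mov_mem_t d = decode_mov_r32_rm32(p, n);
    return d.ok ? effective_address(&d, regs) : 0;
}

/* Constructed inputs: the 7-byte encoding from the report, the 6-byte short
 * form, the same SIB layout with a real index (ecx*4), and a register-direct form. */
static const uint8_t LONG_FORM[]  = {0x8b, 0x04, 0x65, 0x11, 0x22, 0x33, 0x44};
static const uint8_t SHORT_FORM[] = {0x8b, 0x05, 0x11, 0x22, 0x33, 0x44};
static const uint8_t ECX_FORM[]   = {0x8b, 0x04, 0x8d, 0x11, 0x22, 0x33, 0x44};
static const uint8_t REG_FORM[]   = {0x8b, 0xc1};
/* Constructed register file (eax ... edi); values are arbitrary. */
static const uint32_t SAMPLE_REGS[8] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80};

int main(void) {
    const uint8_t *forms[] = {LONG_FORM, SHORT_FORM, ECX_FORM, REG_FORM};
    const size_t lens[] = {sizeof LONG_FORM, sizeof SHORT_FORM, sizeof ECX_FORM, sizeof REG_FORM};
    for (size_t k = 0; k < 4; k++)
        printf("%-28s ea=0x%08x\n", disasm_mov(forms[k], lens[k]), ea_of(forms[k], lens[k], SAMPLE_REGS));
    return 0;
}
```

The long and short forms decode to different lengths and different SIB/no-SIB shapes but the same effective address with no register contribution, which is exactly why a translator that special-cases the common "mod=00, rm=101b" disp32 path and mishandles the "SIB with base=101b, index=100b" path would behave differently for the two; the ECX variant shows the same SIB path with a genuine index so the two cases can be compared in the decoder.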