[Qemu-devel] [Bug 1201446] [NEW] Instructions not supported by targeted

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 1201446] [NEW] Instructions not supported by targeted

From:	Jonathan Morton
Subject:	[Qemu-devel] [Bug 1201446] [NEW] Instructions not supported by targeted CPU do not throw SIGILL
Date:	Mon, 15 Jul 2013 14:17:48 -0000

Public bug reported:

We encountered a bug in another package that caused it to include CMOV
instructions when targetting i486, resulting in an inability to run the
package on real i486 and i586 hardware.  We then attempted to use QEMU
to reproduce the bug for easier debugging, since most developers have
long since got rid of such old hardware.

QEMU appears to continue to support *all* instructions when -cpu=486 is
selected, regardless of what is advertised in CPUID to the guest.  CPUID
describes the host environment as a reasonably close approximation to a
late-model i486, with very few instruction extensions - specifically
excluding CMOV, which on real hardware is an optional extension to the
i686 architecture.

The result was that we could not reproduce the bug using QEMU, and must
therefore attempt to debug it using a very limited stock of real
hardware, which also has very limited performance for rebuilding the
package.  This completely defeats one of the main uses of QEMU, in our
opinion.

If this bug extends to other CPU architectures, it would affect all
developers wishing to check whether their code conforms to restrictions
imposed by any older or more restrictive ISA specification than the
latest that QEMU supports, including the distinctions between
ARMv7-A-NEON, ARMv7-A-VFPv3, ARMv7-A-VFPv3-d16, ARMv7-R, ARMv7-M,
ARMv6-VFPv2, ARMv5-TE, ARMv4-T...  all of which are currently shipping
in new devices.

Attached is a small C program which can easily be compiled to include
CMOV instructions.  It can be used to reproduce the bug:

$ gcc -march=i486 -O2 -c minmax.c -o minmax
$ ./minmax
No arguments!
$ ./minmax 5 6 7
max: 7  min: 5
$ gcc -march=pentium2 -O2 -c minmax.c -o minmax-p2
$ ./minmax-p2
No arguments!
$ ./minmax-p2 5 6 7
[Expected, occurs on real i4/586 hardware:] Illegal instruction
[Actual, within QEMU v1.2.0 with -cpu=486:] max: 7  min: 5
$

The bug is likely not limited to CMOV, but would also apply to more
recent ISA extensions - so 3DNow! instructions would appear to run on
Intel guest CPUs, AVX on a Pentium-2, and other such weirdness.

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: cmov cpuid i486 i586 sigill tcg

** Attachment added: "Small program to generate CMOV instructions."
   https://bugs.launchpad.net/bugs/1201446/+attachment/3737561/+files/minmax.c

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1201446

Title:
  Instructions not supported by targeted CPU do not throw SIGILL

Status in QEMU:
  New

Bug description:
  We encountered a bug in another package that caused it to include CMOV
  instructions when targetting i486, resulting in an inability to run
  the package on real i486 and i586 hardware.  We then attempted to use
  QEMU to reproduce the bug for easier debugging, since most developers
  have long since got rid of such old hardware.

  QEMU appears to continue to support *all* instructions when -cpu=486
  is selected, regardless of what is advertised in CPUID to the guest.
  CPUID describes the host environment as a reasonably close
  approximation to a late-model i486, with very few instruction
  extensions - specifically excluding CMOV, which on real hardware is an
  optional extension to the i686 architecture.

  The result was that we could not reproduce the bug using QEMU, and
  must therefore attempt to debug it using a very limited stock of real
  hardware, which also has very limited performance for rebuilding the
  package.  This completely defeats one of the main uses of QEMU, in our
  opinion.

  If this bug extends to other CPU architectures, it would affect all
  developers wishing to check whether their code conforms to
  restrictions imposed by any older or more restrictive ISA
  specification than the latest that QEMU supports, including the
  distinctions between ARMv7-A-NEON, ARMv7-A-VFPv3, ARMv7-A-VFPv3-d16,
  ARMv7-R, ARMv7-M, ARMv6-VFPv2, ARMv5-TE, ARMv4-T...  all of which are
  currently shipping in new devices.

  Attached is a small C program which can easily be compiled to include
  CMOV instructions.  It can be used to reproduce the bug:

  $ gcc -march=i486 -O2 -c minmax.c -o minmax
  $ ./minmax
  No arguments!
  $ ./minmax 5 6 7
  max: 7  min: 5
  $ gcc -march=pentium2 -O2 -c minmax.c -o minmax-p2
  $ ./minmax-p2
  No arguments!
  $ ./minmax-p2 5 6 7
  [Expected, occurs on real i4/586 hardware:] Illegal instruction
  [Actual, within QEMU v1.2.0 with -cpu=486:] max: 7  min: 5
  $

  The bug is likely not limited to CMOV, but would also apply to more
  recent ISA extensions - so 3DNow! instructions would appear to run on
  Intel guest CPUs, AVX on a Pentium-2, and other such weirdness.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1201446/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH V3 0/2] Implement sync modes for drive-backup., Ian Main, 2013/07/15
- [Qemu-devel] [PATCH V3 2/2] Add tests for sync modes 'TOP' and 'NONE', Ian Main, 2013/07/15
- [Qemu-devel] [PATCH V3 1/2] Implement sync modes for drive-backup., Ian Main, 2013/07/15

Prev by Date: [Qemu-devel] support using KVM_MEM_READONLY flag for regions commit and OVMF UEFI incompatibility
Next by Date: [Qemu-devel] [Bug 1201447] [NEW] Blue screen when disk uses cache='writeback'
Previous by thread: [Qemu-devel] seccomp: remove unused syscalls - for 1.6
Next by thread: [Qemu-devel] [PATCH V3 2/2] Add tests for sync modes 'TOP' and 'NONE'
Index(es):
- Date
- Thread