Bug #14483

closed

bhyve should emulate testb imm8,r/m8

Added by Andy Fiddaman 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: bhyve
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

While testing a guest in a way which involved a few hard VM poweroffs, the VM eventually stopped booting and reported:

Failed to emulate instruction sequence [41, f6, 47, 04, 08, 74, 06, 4c, 01, 6d, b8, eb, 14, 4c, 89] @ rip = 3fbae67d

# mdb -b bob
mdb: target stopped at:
0x7bae67d:      testb  $0x8,0x4(%r15)
[0]> 7bae67d/I
0x7bae67d:      7bae67d 447f641: testb  $0x8,0x4(%r15)

This is reproducible by booting any VM with the attached UEFI variables file in use, that is, started with something like:

-l bootrom,usr/share/bhyve/firmware/BHYVE_RELEASE.fd,uefivar.test

Files

uefivar.test (128 KB) uefivar.test UEFI variables file that triggers emulation Andy Fiddaman, 2022-02-08 09:55 PM

Related issues

Related to illumos gate - Bug #14489: bhyve should emulate imul (In Progress, Andy Fiddaman)

Actions #1

Updated by Andy Fiddaman 6 months ago

Actions #2

Updated by Electric Monk 6 months ago

  • Gerrit CR set to 2021
Actions #3

Updated by Andy Fiddaman 6 months ago

With the fix, the bootrom no longer triggers the emulation failure and using dtrace I was able to check that the emulation code is setting rflags correctly based on this assembly sequence. This is just an 8-bit variant of the existing emulation for 16/32/64, and is executing a real AND instruction to determine the flags.

Actions #4

Updated by Andy Fiddaman 6 months ago

The code that triggers this emulation is in the bootrom - MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c in the Reclaim() function. This explains why I only saw this after enabling persistent EFI variable storage, and on a VM which has some churn in the variables area:

The exact code involved is most likely this:

Variable->State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)

Variable is a local variable, State is an 8-bit field, it is being compared against 0x8.

I used the following small bhyve config, together with the attached uefivar.test file:

memory.size=128M
x86.strictmsr=true
x86.vmexit_on_hlt=true
acpi_tables=false
cpus=4
lpc.bootrom=/usr/share/bhyve/firmware/BHYVE.fd,uefivar.bad
lpc.com1.path=socket,/tmp/test.cons
pci.0.0.0.device=hostbridge
pci.0.0.0.model=i440fx
pci.0.1.0.device=lpc
name=bob

and this dtrace script:

#!/bin/ksh

bhyvectl --vm=bob --destroy

cp ../uefivar.bad .
dtrace \
-n 'vie_emulate_test:entry/args[0]->op.op_byte==0xf6 && !self->t/{self->t++; printf("IMMEDIATE: %x", args[0]->immediate)}' \
-n 'vie_emulate_test:return/self->t/{self->t--; printf("%d", arg1)}' \
-n 'vie_mmio_read:entry/self->t/ { self->p = (uint64_t *)arg4 }' \
-n 'vie_mmio_read:return/self->t/ { printf("MMIO = %x", *(self->p)) }' \
-n 'getandflags:return/self->t/ { printf("RFLAGS2 = %x", arg1) }' \
-n 'vie_update_register:entry/self->t/ { printf("RFLAGS = %x", arg3) }' \
-c 'bhyve -k x.cfg'

Which produced output like:

  6  89928           vie_emulate_test:entry IMMEDIATE: 8
  6  89903             vie_mmio_read:return MMIO = 7
  6  89897               getandflags:return RFLAGS2 = 246
  6  89856        vie_update_register:entry RFLAGS = 10246
  6  89929          vie_emulate_test:return 0

Of note, the zero bit (0x40) is set in rflags.

Booting a system with a clean UEFI variables file did not trigger this emulation at all.
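The comments above describe how the new emulation handles the 8-bit TEST: it performs a real AND on the host and copies the resulting status flags into the guest's rflags, which the dtrace trace confirms (MMIO value 7, immediate 8, RFLAGS2 = 0x246, merged guest RFLAGS = 0x10246). The following C program is an added illustration, not bhyve's code: it computes the same status flags in software instead of with a native AND, then merges them into a guest rflags value the way an emulator must (only the arithmetic status bits are touched). The guest's pre-existing rflags value of 0x10202 is inferred from the traced result 0x10246 with the status bits cleared; everything else is built from the values in the trace above.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 RFLAGS bit positions (numerically the same as illumos's PSL_* constants). */
#define FL_CF 0x0001u
#define FL_PF 0x0004u
#define FL_AF 0x0010u
#define FL_ZF 0x0040u
#define FL_SF 0x0080u
#define FL_OF 0x0800u
#define FL_STATUS (FL_CF | FL_PF | FL_AF | FL_ZF | FL_SF | FL_OF)

/* PF is set when the low byte of the result has an even number of 1 bits. */
static int even_parity8(uint8_t v)
{
    int bits = 0;
    for (; v; v &= (uint8_t)(v - 1))
        bits++;
    return (bits & 1) == 0;
}

/*
 * Status flags produced by TESTB imm8, r/m8: the two bytes are ANDed and the
 * result discarded; only the flags survive. CF and OF are always cleared,
 * ZF/SF/PF follow the result, and AF is architecturally undefined (a real AND
 * clears it, which is what an emulator that runs the native instruction sees).
 */
uint64_t testb_flags(uint8_t rm8, uint8_t imm8)
{
    uint8_t result = rm8 & imm8;
    uint64_t fl = 0;

    if (result == 0)
        fl |= FL_ZF;
    if (result & 0x80)
        fl |= FL_SF;
    if (even_parity8(result))
        fl |= FL_PF;
    return fl;
}

/*
 * Merge freshly computed status flags into the guest's rflags. Everything
 * outside the status mask (IF, RF, reserved bit 1, ...) belongs to the guest
 * and must be preserved untouched.
 */
uint64_t rflags_apply(uint64_t guest_rflags, uint64_t status)
{
    return (guest_rflags & ~(uint64_t)FL_STATUS) | (status & FL_STATUS);
}

/* Replay the traced case: MMIO byte 7, immediate 8, guest rflags 0x10202 (inferred). */
uint64_t replay_traced_case(void)
{
    const uint8_t mmio_byte = 0x07;          /* "MMIO = 7" in the trace */
    const uint8_t immediate = 0x08;          /* "IMMEDIATE: 8" in the trace */
    const uint64_t guest_rflags = 0x10202;   /* inferred: 0x10246 with status bits cleared */

    return rflags_apply(guest_rflags, testb_flags(mmio_byte, immediate));
}

int main(void)
{
    printf("testb $0x8, (7): status flags = %#llx\n",
        (unsigned long long)testb_flags(0x07, 0x08));
    printf("merged guest rflags = %#llx (trace showed 0x10246)\n",
        (unsigned long long)replay_traced_case());
    return 0;
}
```

The zero flag (0x40) and parity flag (0x4) both come out set for 7 & 8 == 0, matching the 0x246 the native AND produced on the host; the host-side IF (0x200) and reserved bit 1 in that value are exactly the bits the merge step must not copy into the guest.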

Actions #5

Updated by Electric Monk 6 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit e1ded6bd708926c1adf348bccd10d6df6a12eedb

commit  e1ded6bd708926c1adf348bccd10d6df6a12eedb
Author: Andy Fiddaman <omnios@citrus-it.co.uk>
Date:   2022-02-26T17:37:29.000Z

    14483 bhyve should emulate testb imm8,r/m8
    Reviewed by: Igor Kozhukhov <igor@dilos.org>
    Reviewed by: Jason King <jason.brian.king+illumos@gmail.com>
    Reviewed by: Patrick Mooney <pmooney@pfmooney.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

Actions #6

Updated by Andy Fiddaman 6 months ago

  • Related to Bug #14489: bhyve should emulate imul added