[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] MOV instructions spanning page boundaries cause access viol

From: pacifist
Subject: [Qemu-devel] MOV instructions spanning page boundaries cause access violations
Date: Sat, 07 Jul 2007 22:23:41 +0000


I'm running qemu 0.9.0 under Fedora Core 6 on a Pentium 4M machine.
I have Windows Server 2003 Standard Edition running in the qemu
emulator. Basically, what I intended to do was build up a machine
according to the directions here:
and then install a windows application on it to see how
it ran.

Unfortunately, under qemu my app gets a lot of access violations.
It runs normally on a real x86 machine. The problem occurs
when certain MOV instructions fall on addresses that span
page boundaries. Consider this sequence of instructions:

0x016C8FCD <hhi+0x5C4>:    SUB      ESP,04
0x016C8FD0 <hhi+0x5C7>:    LEA      EAX,DWORD PTR [EBP-04]
0x016C8FD3 <hhi+0x5CA>:    PUSH     EAX
0x016C8FD4 <hhi+0x5CB>:    PUSH     DWORD PTR [EBP-18]
0x016C8FD7 <hhi+0x5CE>:    PUSH     DWORD PTR [EBP-14]
0x016C8FDA <hhi+0x5D1>:    MOV      EAX,[0183BE90]
0x016C8FDF <hhi+0x5D6>:    CALL     setval 50 (prolog)
0x016C8FE4 <hhi+0x5DB>:    ADD      ESP,10
0x016C8FE7 <hhi+0x5DE>:    MOV      ECX,DWORD PTR [EBP-0C]
0x016C8FEA <hhi+0x5E1>:    MOV      ESI,DWORD PTR [ECX+000000C4]
0x016C8FF0 <hhi+0x5E7>:    SUB      ESP,04
0x016C8FF3 <hhi+0x5EA>:    LEA      EDX,DWORD PTR [EBP-04]
0x016C8FF6 <hhi+0x5ED>:    PUSH     EDX
0x016C8FF7 <hhi+0x5EE>:    PUSH     DWORD PTR [EBP-18]
0x016C8FFA <hhi+0x5F1>:    PUSH     DWORD PTR [ESI]
0x016C8FFC <hhi+0x5F3>:    MOV      EAX,[01EEBE90]
0x016C9001 <hhi+0x5F8>:    CALL     setval 50 (prolog)
0x016C9006 <hhi+0x5FD>:    ADD      ESP,10
0x016C9009 <hhi+0x600>:    MOV      EAX,[0183BE90]
0x016C900E <hhi+0x605>:    CALL     val_export 52 (prolog)
0x016C9013 <hhi+0x60A>:    MOV      EAX,DWORD PTR [EBP-0C]
0x016C9016 <hhi+0x60D>:    OR       DWORD PTR [EAX+000000B8],00000040
0x016C9020 <hhi+0x617>:    MOV      EAX,[0183BE90]
0x016C9025 <hhi+0x61C>:    CALL     hcheck 143 (prolog)
0x016C902A <hhi+0x621>:    POP      EBX
0x016C902B <hhi+0x622>:    POP      ESI
0x016C902C <hhi+0x623>:    POP      EDI
0x016C902D <hhi+0x624>:    MOV      ESP,EBP
0x016C902F <hhi+0x626>:    POP      EBP
0x016C9030 <hhi+0x627>:    RET

Note that there are 4 CALL instructions.
Before each CALL, a MOV instruction loads EAX. This is due to some
instrumentation we have in our compiler which validates certain
calling conventions. Anyway, all these MOV instructions should be
the same:

  MOV      EAX,[0183BE90]

and indeed, when running on a real machine they always are. You'll
note, however, that one of these instructions spans a page boundary:

0x016C8FFC <hhi+0x5F3>:    MOV      EAX,[01EEBE90]

and in this case the address operand is off by 0x6B0000.
That causes an access violation.

To reiterate, this instruction will fall across a page boundary
on a real machine as well, but the operand has the correct value.

Finding the actual emulation problem closer to the root cause here
would probably involve stepping through the Windows loader as it
fixes up addresses when loading DLLs. I don't have the time
to do that, but maybe this clue can give you an idea where to look.
Good luck.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]