| blob | 7ade09086aa51f02376da1acc0985cf1c17b449c |
1 /******************************************************************************
2 * x86_emulate.c
3 *
4 * Generic x86 (32-bit and 64-bit) instruction decoder and emulator.
5 *
6 * Copyright (c) 2005 Keir Fraser
7 *
8 * Linux coding style, mod r/m decoder, segment base fixes, real-mode
9 * privieged instructions:
10 *
11 * Copyright (C) 2006 Qumranet
12 *
13 * Avi Kivity <avi@qumranet.com>
14 * Yaniv Kamay <yaniv@qumranet.com>
15 *
16 * This work is licensed under the terms of the GNU GPL, version 2. See
17 * the COPYING file in the top-level directory.
18 *
19 * From: xen-unstable 10676:af9809f51f81a3c43f276f00c81a52ef558afda4
20 */
22 #ifndef __KERNEL__
23 #include <stdio.h>
24 #include <stdint.h>
25 #include <public/xen.h>
26 #define DPRINTF(_f, _a ...) printf( _f , ## _a )
27 #else
29 #define DPRINTF(x...) do {} while (0)
30 #endif
32 #include <linux/module.h>
34 /*
35 * Opcode effective-address decode tables.
36 * Note that we only emulate instructions that have at least one memory
37 * operand (excluding implicit stack references). We assume that stack
38 * references and instruction fetches will never occur in special memory
39 * areas that require emulation. So, for example, 'mov <imm>,<reg>' need
40 * not be handled.
41 */
43 /* Operand sizes: 8-bit operands or specified/overridden size. */
45 /* Destination operand type. */
49 #define DstMask (3<<1)
50 /* Source operand type. */
59 #define SrcMask (7<<3)
60 /* Generic ModRM decode. */
61 #define ModRM (1<<6)
62 /* Destination is only written; never read. */
63 #define Mov (1<<7)
64 #define BitOp (1<<8)
67 /* 0x00 - 0x07 */
71 /* 0x08 - 0x0F */
75 /* 0x10 - 0x17 */
79 /* 0x18 - 0x1F */
83 /* 0x20 - 0x27 */
87 /* 0x28 - 0x2F */
91 /* 0x30 - 0x37 */
95 /* 0x38 - 0x3F */
99 /* 0x40 - 0x4F */
101 /* 0x50 - 0x5F */
103 /* 0x60 - 0x6F */
106 /* 0x70 - 0x7F */
108 /* 0x80 - 0x87 */
113 /* 0x88 - 0x8F */
117 /* 0x90 - 0x9F */
119 /* 0xA0 - 0xA7 */
124 /* 0xA8 - 0xAF */
128 /* 0xB0 - 0xBF */
130 /* 0xC0 - 0xC7 */
134 /* 0xC8 - 0xCF */
136 /* 0xD0 - 0xD7 */
140 /* 0xD8 - 0xDF */
142 /* 0xE0 - 0xEF */
144 /* 0xF0 - 0xF7 */
147 /* 0xF8 - 0xFF */
150 };
153 /* 0x00 - 0x0F */
156 /* 0x10 - 0x1F */
158 /* 0x20 - 0x2F */
161 /* 0x30 - 0x3F */
163 /* 0x40 - 0x47 */
168 /* 0x48 - 0x4F */
173 /* 0x50 - 0x5F */
175 /* 0x60 - 0x6F */
177 /* 0x70 - 0x7F */
179 /* 0x80 - 0x8F */
181 /* 0x90 - 0x9F */
183 /* 0xA0 - 0xA7 */
185 /* 0xA8 - 0xAF */
187 /* 0xB0 - 0xB7 */
192 /* 0xB8 - 0xBF */
196 /* 0xC0 - 0xCF */
198 /* 0xD0 - 0xDF */
200 /* 0xE0 - 0xEF */
202 /* 0xF0 - 0xFF */
204 };
206 /*
207 * Tell the emulator that of the Group 7 instructions (sgdt, lidt, etc.) we
208 * are interested only in invlpg and not in any of the rest.
209 *
210 * invlpg is a special instruction in that the data it references may not
211 * be mapped.
212 */
214 {
216 }
219 /* Type, address-of, and value of an instruction's operand. */
224 };
226 /* EFLAGS bit definitions. */
227 #define EFLG_OF (1<<11)
228 #define EFLG_DF (1<<10)
229 #define EFLG_SF (1<<7)
230 #define EFLG_ZF (1<<6)
231 #define EFLG_AF (1<<4)
232 #define EFLG_PF (1<<2)
233 #define EFLG_CF (1<<0)
235 /*
236 * Instruction emulation:
237 * Most instructions are emulated directly via a fragment of inline assembly
238 * code. This allows us to save/restore EFLAGS and thus very easily pick up
239 * any modified flags.
240 */
242 #if defined(CONFIG_X86_64)
245 #elif defined(__i386__)
248 #endif
250 /*
251 * These EFLAGS bits are restored from saved value during emulation, and
252 * any changes are written back to the saved value after emulation.
253 */
254 #define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
256 /* Before executing instruction: restore necessary bits in EFLAGS. */
257 #define _PRE_EFLAGS(_sav, _msk, _tmp) \
273 /* After executing instruction: write-back necessary bits in EFLAGS. */
274 #define _POST_EFLAGS(_sav, _msk, _tmp) \
281 /* Raw emulation: instruction has two explicit operands. */
282 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
283 do { \
284 unsigned long _tmp; \
285 \
286 switch ((_dst).bytes) { \
287 case 2: \
288 __asm__ __volatile__ ( \
295 break; \
296 case 4: \
297 __asm__ __volatile__ ( \
304 break; \
305 case 8: \
306 __emulate_2op_8byte(_op, _src, _dst, \
307 _eflags, _qx, _qy); \
308 break; \
309 } \
310 } while (0)
312 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
313 do { \
314 unsigned long _tmp; \
315 switch ( (_dst).bytes ) \
316 { \
317 case 1: \
318 __asm__ __volatile__ ( \
325 break; \
326 default: \
327 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
328 _wx, _wy, _lx, _ly, _qx, _qy); \
329 break; \
330 } \
331 } while (0)
333 /* Source operand is byte-sized and may be restricted to just %cl. */
334 #define emulate_2op_SrcB(_op, _src, _dst, _eflags) \
335 __emulate_2op(_op, _src, _dst, _eflags, \
338 /* Source operand is byte, word, long or quad sized. */
339 #define emulate_2op_SrcV(_op, _src, _dst, _eflags) \
340 __emulate_2op(_op, _src, _dst, _eflags, \
343 /* Source operand is word, long or quad sized. */
344 #define emulate_2op_SrcV_nobyte(_op, _src, _dst, _eflags) \
345 __emulate_2op_nobyte(_op, _src, _dst, _eflags, \
348 /* Instruction has only one explicit operand (no source operand). */
349 #define emulate_1op(_op, _dst, _eflags) \
350 do { \
351 unsigned long _tmp; \
352 \
353 switch ( (_dst).bytes ) \
354 { \
355 case 1: \
356 __asm__ __volatile__ ( \
363 break; \
364 case 2: \
365 __asm__ __volatile__ ( \
372 break; \
373 case 4: \
374 __asm__ __volatile__ ( \
381 break; \
382 case 8: \
383 __emulate_1op_8byte(_op, _dst, _eflags); \
384 break; \
385 } \
386 } while (0)
388 /* Emulate an instruction with quadword operands (x86/64 only). */
389 #if defined(CONFIG_X86_64)
390 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy) \
391 do { \
392 __asm__ __volatile__ ( \
398 } while (0)
400 #define __emulate_1op_8byte(_op, _dst, _eflags) \
401 do { \
402 __asm__ __volatile__ ( \
408 } while (0)
410 #elif defined(__i386__)
411 #define __emulate_2op_8byte(_op, _src, _dst, _eflags, _qx, _qy)
412 #define __emulate_1op_8byte(_op, _dst, _eflags)
415 /* Fetch next part of the instruction being emulated. */
416 #define insn_fetch(_type, _size, _eip) \
417 ({ unsigned long _x; \
418 rc = ops->read_std((unsigned long)(_eip) + ctxt->cs_base, &_x, \
419 (_size), ctxt); \
420 if ( rc != 0 ) \
421 goto done; \
422 (_eip) += (_size); \
423 (_type)_x; \
424 })
426 /* Access/update address held in a register, based on addressing mode. */
427 #define register_address(base, reg) \
428 ((base) + ((ad_bytes == sizeof(unsigned long)) ? (reg) : \
429 ((reg) & ((1UL << (ad_bytes << 3)) - 1))))
431 #define register_address_increment(reg, inc) \
432 do { \
434 int _inc = (inc); \
435 if ( ad_bytes == sizeof(unsigned long) ) \
436 (reg) += _inc; \
437 else \
438 (reg) = ((reg) & ~((1UL << (ad_bytes << 3)) - 1)) | \
439 (((reg) + _inc) & ((1UL << (ad_bytes << 3)) - 1)); \
440 } while (0)
444 {
451 }
457 {
468 }
470 int
472 {
485 /* Shadow copy of register state. Committed on successful emulation. */
500 #ifdef CONFIG_X86_64
505 #endif
508 }
510 /* Legacy prefixes. */
519 else
550 }
551 }
553 done_prefixes:
555 /* REX prefix. */
564 }
566 /* Opcode byte(s). */
569 /* Two-byte opcode? */
574 }
576 /* Unrecognised? */
579 }
581 /* ModRM and SIB bytes. */
594 }
602 /* 16-bit ModR/M decode. */
614 }
641 }
648 /* 32/64-bit ModR/M decode. */
661 else
666 }
673 }
684 }
696 }
697 }
717 else
720 else
722 }
723 }
727 modrm_done:
728 ;
729 }
731 /*
732 * Decode and fetch the source operand: register, memory
733 * or immediate.
734 */
757 }
758 }
768 srcmem_common:
782 /* NB. Immediates are sign-extended as necessary. */
793 }
801 }
803 /* Decode and fetch the destination operand: register or memory. */
806 /* Special instructions do their own operand decoding. */
828 }
829 }
839 }
845 }
907 }
914 /* Write back the register source. */
928 }
929 /*
930 * Write back the memory destination with implicit LOCK
931 * prefix.
932 */
950 /* 64-bit mode: POP always pops a 64-bit operand. */
984 }
995 /*
996 * Special case in Grp3: test has an immediate
997 * source operand.
998 */
1014 }
1024 }
1035 /* 64-bit mode: PUSH always pushes a 64-bit operand. */
1042 }
1054 }
1056 }
1058 writeback:
1062 /* The 4-byte case *is* correct: in 64-bit mode we zero-extend. */
1076 }
1083 ctxt);
1084 else
1087 ctxt);
1092 }
1093 }
1095 /* Commit shadow register state. */
1100 done:
1103 special_insn:
1110 }
1113 }
1152 }
1155 twobyte_insn:
1159 u16 size;
1192 }
1207 /*
1208 * First, assume we're decoding an even cmov opcode
1209 * (lsb == 0).
1210 */
1232 /* fall through */
1237 }
1238 /* Odd cmov opcodes (lsb == 1) have inverted sense. */
1242 /*
1243 * Save real source value, then compare EAX against
1244 * destination.
1245 */
1249 /* Always write back. The question is: where to? */
1252 /* Success: write back to memory. */
1255 /* Failure: write the value we saw to EAX. */
1258 }
1294 }
1300 }
1303 twobyte_special_insn:
1304 /* Disable writeback. */
1324 {
1340 }
1342 }
1343 }
1346 cannot_emulate:
1349 }
1351 #ifdef __XEN__
1353 #include <asm/mm.h>
1354 #include <asm/uaccess.h>
1356 int
1360 {
1368 }
1371 }
1373 int
1377 {
1383 }
1386 }
1388 #endif