On 26 June 2017 at 13:50, Lluís Vilanova <vilan...@ac.upc.edu> wrote:
> Not that I've seen (at the level of the translation loop). Now I wonder if QEMU
> w/ TCG has a bug that lets it successfully execute instructions that cross page
> boundaries, one of them with invalid permissions (haven't checked).

ARM takes care to get this right -- we stop the TB if the next insn is going to
span the page boundary (or in some corner cases merely if we think it might span
the boundary, because if we guess wrong that way round the worst that happens is
an unnecessarily short TB). Then the next TB will get the prefetch abort in the
right place if the next page is inaccessible (we will longjump out of the
translate.c code when we attempt the arm_lduw_code for the 2nd half of the
insn). This was fixed in commit 541ebcd401ee4.

The key thing is:
 * first insn in TB: read all its bytes (may result in longjump)
 * subsequent insns in same TB: don't even try to read bytes which aren't in
   pages already known to be safe because of having dealt with the first insn
   (longjump will result in a fault with the wrong address)

x86 definitely gets this totally wrong. I would be unsurprised to find that
other variable-length-insn targets do too.

> What I can say is that this check is a very weak one (but common to all
> targets), and that targets like i386 and arm need to refine it further in the
> target-specific code. In fact, now I suspect all targets will need to refine it,
> so it probably makes sense to simply drop this generic check and burden all
> targets with handling it.

For targets which can never have instructions that cross the page boundary, the
only requirement is that we do not attempt to fetch an instruction from a page
other than the one we started on (otherwise we will cause a spurious instruction
fetch abort).

The simple test program I used to test Thumb page-boundary crossing
instructions is here:
http://people.linaro.org/~peter.maydell/thumb-over-page.c

The signal handler it installs prints the r0 and pc values reported to the
handler so you can check the correct insns executed and the reported PC was
right. Works in linux-user mode and also system mode (you'll need to sort out
your own guest kernel and filesystem).

thanks
-- PMM
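The two rules in the mail above (the first insn of a TB may fetch and fault; later insns must never touch a page the TB has not already proven accessible) can be modelled without QEMU. The following is an added example, not QEMU's translate.c and not the thumb-over-page.c test program: a toy translation loop for a Thumb-like ISA with 2- and 4-byte encodings, over a constructed 64-byte guest memory with 16-byte pages, one of which is marked non-executable. `lduw_code` stands in for `arm_lduw_code` but returns false instead of longjumping, and the "fault is reported at the TB's start PC" behaviour models what the guest observes when translation is abandoned mid-TB. The `stop_at_page_boundary` flag switches between the fixed behaviour and the naive loop so the wrong reported PC is visible.

```c
/* Added example (not QEMU source): toy TB translation loop modelling the
 * page-boundary rule. Page size, memory contents and permissions are
 * constructed for the demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE    16u   /* tiny pages so the demo fits in 64 bytes */
#define MEM_SIZE     64u
#define MAX_INSN_LEN 4u    /* longest encoding; drives the conservative check */

/* Constructed guest memory (little-endian halfwords). Bit 15 set in a
 * halfword marks the first half of a 4-byte insn; otherwise it is a complete
 * 2-byte insn. The insn at 0x1e spans the page boundary at 0x20. */
static const uint8_t guest_mem[MEM_SIZE] = {
    [0x10] = 0x01, 0x00,             /* 0x10: 2-byte */
    [0x12] = 0x02, 0x00,             /* 0x12: 2-byte */
    [0x14] = 0x03, 0x80, 0x00, 0x00, /* 0x14: 4-byte */
    [0x18] = 0x04, 0x00,
    [0x1a] = 0x05, 0x00,
    [0x1c] = 0x06, 0x00,
    [0x1e] = 0x07, 0x80,             /* 0x1e: 4-byte, second half at 0x20 */
    [0x20] = 0x00, 0x00,             /* lies in page 2, not executable */
};
/* Constructed page permissions: page 2 (0x20-0x2f) is inaccessible. */
static const bool page_exec[MEM_SIZE / PAGE_SIZE] = { true, true, false, true };

struct tb_result {
    unsigned n_insns;    /* instructions translated into this TB */
    uint32_t next_pc;    /* where the following TB would start */
    bool     faulted;    /* a prefetch abort was raised during translation */
    uint32_t fault_pc;   /* guest PC the abort is reported at */
    uint32_t fault_addr; /* address whose fetch failed */
};

static uint32_t page_of(uint32_t addr) { return addr / PAGE_SIZE; }

/* Model of arm_lduw_code: false (instead of a longjump) when the fetch faults. */
static bool lduw_code(uint32_t addr, uint16_t *out)
{
    if (addr + 1 >= MEM_SIZE || !page_exec[page_of(addr)]) return false;
    *out = (uint16_t)(guest_mem[addr] | (guest_mem[addr + 1] << 8));
    return true;
}

static unsigned insn_len(uint16_t hw) { return (hw & 0x8000) ? 4 : 2; }

/* Translate one TB starting at start_pc. With stop_at_page_boundary the TB
 * ends before any non-first insn that might reach into another page, so a
 * fault can only ever happen on the first insn, whose PC is start_pc. Without
 * it, the fault may hit mid-TB and is still attributed to start_pc, which is
 * the "wrong address" the mail describes. */
static struct tb_result translate_tb(uint32_t start_pc, unsigned max_insns,
                                     bool stop_at_page_boundary)
{
    struct tb_result r = { 0, start_pc, false, 0, 0 };
    uint32_t page_end = (page_of(start_pc) + 1) * PAGE_SIZE; /* exclusive */
    uint32_t pc = start_pc;

    while (r.n_insns < max_insns) {
        uint16_t hw, hw2;
        unsigned len;
        /* Conservative: end the TB if a maximal-length insn here could cross. */
        if (r.n_insns > 0 && stop_at_page_boundary && pc + MAX_INSN_LEN > page_end)
            break;
        if (!lduw_code(pc, &hw)) { r.fault_addr = pc; goto fault; }
        len = insn_len(hw);
        if (len == 4 && !lduw_code(pc + 2, &hw2)) { r.fault_addr = pc + 2; goto fault; }
        pc += len;
        r.n_insns++;
    }
    r.next_pc = pc;
    return r;

fault:
    r.faulted = true;
    r.fault_pc = start_pc; /* guest state still points at the TB start */
    return r;
}

/* Run TBs back to back from start_pc until one faults; return that result. */
static struct tb_result run_until_fault(uint32_t start_pc, bool stop_at_page_boundary)
{
    uint32_t pc = start_pc;
    for (;;) {
        struct tb_result r = translate_tb(pc, 16, stop_at_page_boundary);
        if (r.faulted || r.next_pc == pc) return r;
        pc = r.next_pc;
    }
}

int main(void)
{
    struct tb_result ok  = run_until_fault(0x10, true);
    struct tb_result bad = run_until_fault(0x10, false);
    printf("fixed: abort fetching 0x%02x, reported at pc 0x%02x\n", ok.fault_addr, ok.fault_pc);
    printf("naive: abort fetching 0x%02x, reported at pc 0x%02x\n", bad.fault_addr, bad.fault_pc);
    return 0;
}
```

With the rule enabled the first TB stops after six instructions at 0x1e, and the next TB reports the abort for the fetch at 0x20 at PC 0x1e, the crossing instruction. With it disabled the same abort is reported at 0x10, the start of the TB that happened to be under translation.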