hi! I tried asking this in the IRC but got no answer, hope someone can help me here :-)

I'm working on memory protection for my master's thesis and have to dig into QEMU memory management... could someone help me here please? I have the following problem: I'm trying to understand the dynamic translation for the following mov opcode (it's taken from the QEMU log with "log asm_in,asm_out"):

  IN:
  0xc011c9f2:  mov    0x60(%esi),%edx

the hex code would be "0x8b 0x56 0x60" ...

  OUT: [size=455]
  0x08d30fa0:  mov    0x18(%ebp),%edi
  0x08d30fa3:  add    $0x60,%edi
  0x08d30fa9:  mov    %edi,%edx
  0x08d30fab:  mov    %edi,%eax
  0x08d30fad:  shr    $0x8,%edx
  0x08d30fb0:  and    $0xfffff003,%eax
  0x08d30fb5:  and    $0xff0,%edx
  0x08d30fbb:  lea    0x350(%edx,%ebp,1),%edx
  0x08d30fc2:  cmp    (%edx),%eax
  0x08d30fc4:  mov    %edi,%eax
  0x08d30fc6:  je     0x8d30fd4
  0x08d30fc8:  push   $0x0
  0x08d30fca:  call   0x80ee06a         // __ldl_mmu
  0x08d30fcf:  pop    %edx
  0x08d30fd0:  mov    %eax,%ebx
  0x08d30fd2:  jmp    0x8d30fd9
  0x08d30fd4:  add    0xc(%edx),%eax
  0x08d30fd7:  mov    (%eax),%ebx        // possibly the output of gen_op_ld_T0_A0[ot + s->mem_index]();
  0x08d30fd9:  mov    %ebx,0x8(%ebp)     // this is the output of gen_op_mov_reg_T0[ot][reg](); (translate.c:4005)

... therefore, I think the following code in translate.c should be executed:

  case 0x8b: /* mov Ev, Gv */
      if ((b & 1) == 0)
          ot = OT_BYTE;
      else
          ot = OT_WORD + dflag;
      modrm = ldub_code(s->pc++);
      reg = ((modrm >> 3) & 7) | rex_r;
      gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
      gen_op_mov_reg_T0[ot][reg]();
      break;

I debugged some time and found out that the last gen_op, gen_op_mov_reg_T0[ot][reg](), only produces "mov %ebx,0x8(%ebp)". Thus, the rest of the OUT code is produced by gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0); however, I tried reading through the code but I could not find the function where

  0x08d30fca:  call   0x80ee06a         // __ldl_mmu

is inserted into the translation buffer... I (think I) know why it must be inserted, but I just cannot figure out where it is put into the buffer. If someone could point that out, it would help me a LOT!

thanks,
Clemens
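Added example, not from the post above and not QEMU's own code: a Python model of what the OUT listing is computing, namely the softmmu TLB fast path for a 4-byte load (ldl), with the slow-path call standing in for __ldl_mmu. In QEMU of this dyngen era the fast path is the inline loader from softmmu_header.h, compiled into the op_ldl*_T0_A0 handlers that op.c pulls in through ops_mem.h; dyngen copies that compiled handler, call included, into the translation buffer, which is why no line of translate.c emits the call itself. The constants in the model (12 page bits, 256 TLB entries of 16 bytes, 4-byte access) are read off the shift and mask values in the posted listing; the guest page map, the RAM contents and the %esi value are constructed, and `SoftMmu`, `ldl_mmu` and `GuestFault` are names chosen here, not QEMU identifiers.

```python
# Added example (not from the original post or from QEMU): a model of the softmmu TLB
# fast path performed by the translated code for "mov 0x60(%esi),%edx", kernel mode
# (mem_index 0). Correspondence with the generated host code:
#   add $0x60,%edi               -> addr = esi + 0x60
#   shr $0x8,%edx ; and $0xff0   -> byte offset of tlb_table[idx], idx = (addr >> 12) & 0xff
#   and $0xfffff003,%eax         -> addr & (TARGET_PAGE_MASK | (DATA_SIZE - 1))
#   cmp (%edx),%eax ; je         -> compare with the entry's addr_read field
#   hit : add 0xc(%edx),%eax ; mov (%eax),%ebx -> host = addr + addend; load 4 bytes
#   miss: push $0 ; call __ldl_mmu             -> slow path: translate, refill entry, load
from dataclasses import dataclass

TARGET_PAGE_BITS = 12
TARGET_PAGE_MASK = (~((1 << TARGET_PAGE_BITS) - 1)) & 0xFFFFFFFF   # 0xfffff000
CPU_TLB_SIZE = 256          # 8-bit index
TLB_ENTRY_BYTES = 16        # addr_read, addr_write, addr_code, addend (4 x 32-bit)
DATA_SIZE = 4               # ldl = 32-bit access


@dataclass
class TlbEntry:
    addr_read: int          # page address the entry is valid for (compared by the fast path)
    addend: int             # host - guest delta, so host = guest + addend (mod 2^32)


class GuestFault(Exception):
    """Raised by the slow path when the guest page has no mapping (constructed model)."""


def tlb_index(addr: int) -> int:
    """Entry index: (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1)."""
    return (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1)


def tlb_byte_offset(addr: int) -> int:
    """Byte offset inside tlb_table exactly as the listing computes it (shr $8; and $0xff0);
    equals tlb_index(addr) * TLB_ENTRY_BYTES."""
    return (addr >> 8) & 0xFF0


class SoftMmu:
    def __init__(self, ram: bytearray, page_map: dict):
        self.ram = ram                        # "host" memory: offsets into this bytearray
        self.page_map = page_map              # guest page address -> host offset (constructed)
        self.tlb = [None] * CPU_TLB_SIZE      # tlb_table[mem_index] for one mem_index
        self.slow_path_calls = 0              # number of times the __ldl_mmu stand-in ran

    def ldl(self, addr: int) -> int:
        """Fast path, mirroring the inline OUT sequence."""
        entry = self.tlb[tlb_index(addr)]
        # The mask keeps the low DATA_SIZE-1 bits, so an unaligned access never matches
        # the page-aligned addr_read and always takes the slow path.
        if entry is not None and (addr & (TARGET_PAGE_MASK | (DATA_SIZE - 1))) == entry.addr_read:
            host = (addr + entry.addend) & 0xFFFFFFFF
            return int.from_bytes(self.ram[host:host + DATA_SIZE], "little")
        return self.ldl_mmu(addr)

    def _host_offset(self, addr: int) -> int:
        page = addr & TARGET_PAGE_MASK
        if page not in self.page_map:
            raise GuestFault(f"no mapping for guest page {page:#010x}")
        return self.page_map[page] + (addr - page)

    def ldl_mmu(self, addr: int) -> int:
        """Slow path standing in for __ldl_mmu: translate, refill the TLB entry, load."""
        self.slow_path_calls += 1
        page = addr & TARGET_PAGE_MASK
        host_page = self._host_offset(page)   # faults if the page is unmapped
        self.tlb[tlb_index(addr)] = TlbEntry(addr_read=page,
                                             addend=(host_page - page) & 0xFFFFFFFF)
        # byte-wise so an unaligned access straddling two pages is translated per byte
        data = bytes(self.ram[self._host_offset(addr + i)] for i in range(DATA_SIZE))
        return int.from_bytes(data, "little")


def demo() -> dict:
    """Constructed scenario: two guest pages at 0xc0000000 backed by 8 KiB of RAM;
    %esi = 0xc0000000, so the posted instruction loads from 0xc0000060."""
    ram = bytearray(2 * (1 << TARGET_PAGE_BITS))
    ram[0x60:0x64] = (0x11223344).to_bytes(4, "little")
    mmu = SoftMmu(ram, {0xC0000000: 0x0000, 0xC0001000: 0x1000})
    esi = 0xC0000000
    result = {}
    result["first"] = mmu.ldl(esi + 0x60)           # cold TLB: slow path fills entry
    result["calls_after_first"] = mmu.slow_path_calls
    result["second"] = mmu.ldl(esi + 0x60)          # warm TLB: fast path only
    result["calls_after_second"] = mmu.slow_path_calls
    result["unaligned"] = mmu.ldl(esi + 0x61)       # low bits defeat the compare
    result["calls_after_unaligned"] = mmu.slow_path_calls
    try:
        mmu.ldl(0xC0002000)                         # no mapping: slow path faults
        result["unmapped_faults"] = False
    except GuestFault:
        result["unmapped_faults"] = True
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

The second call shows why the generated code bothers with the inline compare: once the entry is filled, the load costs a handful of host instructions and never reaches the C helper. The unaligned call shows the purpose of the `0xfffff003` mask rather than a plain page mask: the preserved low bits force any access that is not naturally aligned through the slow path, where it can be split across pages or faulted.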
i'm working on memory-protection for my mather's thesis and have to dig into qemu memory management... could someone help me here please? i have the following problem: i'm trying to understand the dynamic translation for the following mov-opcode (it's taken from the qemu log with "log asm_in,asm_out"): IN: 0xc011c9f2: mov 0x60(%esi),%edx the hex-code would be "0x8b 0x56 0x60" ... OUT: OUT: [size=455] 0x08d30fa0: mov 0x18(%ebp),%edi 0x08d30fa3: add $0x60,%edi 0x08d30fa9: mov %edi,%edx 0x08d30fab: mov %edi,%eax 0x08d30fad: shr $0x8,%edx 0x08d30fb0: and $0xfffff003,%eax 0x08d30fb5: and $0xff0,%edx 0x08d30fbb: lea 0x350(%edx,%ebp,1),%edx 0x08d30fc2: cmp (%edx),%eax 0x08d30fc4: mov %edi,%eax 0x08d30fc6: je 0x8d30fd4 0x08d30fc8: push $0x0 0x08d30fca: call 0x80ee06a // __ldl_mmu 0x08d30fcf: pop %edx 0x08d30fd0: mov %eax,%ebx 0x08d30fd2: jmp 0x8d30fd9 0x08d30fd4: add 0xc(%edx),%eax 0x08d30fd7: mov (%eax),%ebx // possibly the output of gen_op_ld_T0_A0 [ot]+ s->mem_index](); 0x08d30fd9: mov %ebx,0x8(%ebp) // this is the output of gen_op_mov_reg_T0 [ot][reg](); (translate.c:4005) ... therefore, i think the following code in translate.c should be executed: case 0x8b: /* mov Ev, Gv */ if ((b & 1) == 0) ot = OT_BYTE; else ot = OT_WORD + dflag; modrm = ldub_code(s->pc++); reg = ((modrm >> 3) & 7) | rex_r; gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0); gen_op_mov_reg_T0[ot][reg](); break; i debugged some time and found out that the last gen_op gen_op_mov_reg_T0[ot][reg](); only produces mov %ebx,0x8(%ebp). thus, the rest of the OUT-codes is produced by gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0); however, i tried reading through the code but i could not find the function where 0x08d30fca: call 0x80ee06a // __ldl_mmu is inserted into the translation-buffer... i (think to) know why it must be inserted, but i just cannot figure out where it is put into the buffer. if someone could point that out, it would help me a LOT! thanks, Clemens