I'm running into an issue with SeaBIOS compiled with older versions of gcc. I'm seeing:

$ qemu-system-x86_64 -d in_asm,int,exec,cpu,pcall
IN:
0x00000000000f1096:  mov    %ebx,%eax
0x00000000000f1098:  call   0xffff0f80

qemu: fatal: Trying to execute code outside RAM or ROM at 0xffffffffffff0f80

The emulator dies at this point. This code sequence is used to jump into the copy of SeaBIOS at the permanent rom location (at 0xfffe0000-0xffffffff) so it can safely enable ram in the 0xe0000-0x100000 memory area.

The call insn looks okay to me:

   f1098:       e8 e3 fe ef ff          calll  ffff0f80

So, I'm not sure why qemu dies. This is what I see on the i386 version of qemu:

$ qemu -d in_asm,int,exec,cpu,pcall
IN:
0x000f1096:  mov    %ebx,%eax
0x000f1098:  call   0xffff0f80

IN:
0xffff0f80:  push   %ebp
0xffff0f81:  push   %edi
[...]

Newer versions of gcc emit code a little different and thus don't run into the issue - I see:

$ qemu-system-x86_64 -d in_asm,int,exec,cpu,pcall
IN:
0x00000000000f365e:  mov    %ecx,%eax
0x00000000000f3660:  mov    $0xfffeddea,%edx
0x00000000000f3665:  call   *%edx

IN:
0x00000000fffeddea:  push   %ebp
0x00000000fffeddeb:  push   %edi
[...]

and:

$ qemu -d in_asm,int,exec,cpu,pcall
IN:
0x000f365e:  mov    %ecx,%eax
0x000f3660:  mov    $0xfffeddea,%edx
0x000f3665:  call   *%edx

IN:
0xfffeddea:  push   %ebp
0xfffeddeb:  push   %edi
[...]

As a guess, qemu is not truncating the instruction pointer to 32 bits in the 64-bit emulator. In all of the above cases, the machine was in 32-bit mode and running 32-bit only code.

It should be possible to reproduce this problem by downloading SeaBIOS and compiling with gcc34:

git clone git://git.linuxtogo.org/home/kevin/seabios.git
cd seabios
CC=gcc34 make
cp out/bios.bin /path/to/qemu/bios/

-Kevin
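The arithmetic behind the report above, as an added example that is not part of Kevin's message or of the qemu or SeaBIOS code: it decodes the E8 rel32 call from the objdump line (`e8 e3 fe ef ff` at 0xf1098), then computes the branch target once with the instruction pointer wrapped to 32 bits, as a 32-bit code segment requires, and once with the 64-bit-wide add the report suspects the x86_64 emulator is doing. The function names and the `addr_bits` parameter are this example's own.

```python
import struct

# Bytes taken from the objdump line in the message:
#   f1098:  e8 e3 fe ef ff   calll ffff0f80
SEABIOS_CALL_IP = 0x000F1098
SEABIOS_CALL_INSN = bytes.fromhex("e8e3feefff")


def decode_call_rel32(insn):
    """Return (length, displacement) for an E8 rel32 near call.

    The displacement is a little-endian, sign-extended 32-bit immediate,
    relative to the address of the *next* instruction."""
    if len(insn) < 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 near call")
    (disp,) = struct.unpack("<i", insn[1:5])
    return 5, disp


def call_target(ip, insn, addr_bits):
    """Compute the call target as next-ip + displacement, wrapped to addr_bits.

    addr_bits=32 models a 32-bit code segment, where EIP wraps modulo 2**32.
    addr_bits=64 models the suspected bug: the add is done in a 64-bit
    register and the result is never truncated back to 32 bits."""
    length, disp = decode_call_rel32(insn)
    mask = (1 << addr_bits) - 1
    return (ip + length + disp) & mask


def seabios_targets():
    """The two targets for the call in the report: (correct, unmasked)."""
    correct = call_target(SEABIOS_CALL_IP, SEABIOS_CALL_INSN, 32)
    unmasked = call_target(SEABIOS_CALL_IP, SEABIOS_CALL_INSN, 64)
    return correct, unmasked


if __name__ == "__main__":
    length, disp = decode_call_rel32(SEABIOS_CALL_INSN)
    ok, bad = seabios_targets()
    print(f"displacement = {disp:#x} (next ip {SEABIOS_CALL_IP + length:#x})")
    print(f"32-bit wrap : {ok:#010x}")   # 0xffff0f80, the address objdump shows
    print(f"no wrap     : {bad:#018x}")  # 0xffffffffffff0f80, qemu's fatal address
```

The indirect form newer gcc emits (`mov $0xfffeddea,%edx; call *%edx`) never adds a negative displacement, which is why it does not trip the same path.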
$ qemu-system-x86_64 -d in_asm,int,exec,cpu,pcall IN: 0x00000000000f1096: mov %ebx,%eax 0x00000000000f1098: call 0xffff0f80 qemu: fatal: Trying to execute code outside RAM or ROM at 0xffffffffffff0f80 The emulator dies at this point. This code sequence is used to jump into the copy of SeaBIOS at the permanent rom location (at 0xfffe0000-0xffffffff) so it can safely enable ram in the 0xe0000-0x100000 memory area. The call insn looks okay to me: f1098: e8 e3 fe ef ff calll ffff0f80 So, I'm not sure why qemu dies. This is what I see on the i386 version of qemu: $ qemu -d in_asm,int,exec,cpu,pcall IN: 0x000f1096: mov %ebx,%eax 0x000f1098: call 0xffff0f80 IN: 0xffff0f80: push %ebp 0xffff0f81: push %edi [...] Newer versions of gcc emit code a little different and thus don't run into the issue - I see: $ qemu-system-x86_64 -d in_asm,int,exec,cpu,pcall IN: 0x00000000000f365e: mov %ecx,%eax 0x00000000000f3660: mov $0xfffeddea,%edx 0x00000000000f3665: call *%edx IN: 0x00000000fffeddea: push %ebp 0x00000000fffeddeb: push %edi [...] and: $ qemu -d in_asm,int,exec,cpu,pcall IN: 0x000f365e: mov %ecx,%eax 0x000f3660: mov $0xfffeddea,%edx 0x000f3665: call *%edx IN: 0xfffeddea: push %ebp 0xfffeddeb: push %edi [...] As a guess, qemu is not truncating the instruction pointer to 32bits in the 64bit emulator. In all of the above cases, the machine was in 32bit mode and running 32bit only code. It should be possible to reproduce this problem by downloading SeaBIOS and compiling with gcc34: git clone git://git.linuxtogo.org/home/kevin/seabios.git cd seabios CC=gcc34 make cp out/bios.bin /path/to/qemu/bios/ -Kevin