Comments (4)
Okay, we talked about the above and the suggestion didn't work. I did some digging today and I think I understand why; basically there might be a bug in bochscpu/mod.rs:
pub unsafe fn set_state(&self, s: &State) {
// ...
self.set_mxcsr(s.mxcsr);
self.set_mxcsr_mask(s.mxcsr);
}
So editing the regs.json['mxcsr_mask'] would be a no-op. What it also means is that your initial mxcsr_mask is 0x1fa1, which means both bits 1<<13 / 1<<15 are set in the new value you are loading but aren't in your mask, so you get a #GP.
I'll talk to yrp604 about the above to verify that it is a bug, but to unblock you, try to update regs.json['mxcsr'] to 0xBFA1 and re-launch your testcase to see if you get past the ldmxcsr issue.
Cheers
from wtf.
Okay, according to the manual, ldmxcsr #GPs when it's trying to set reserved bits. If we check Bochs' code, we see the below:
void BX_CPP_AttrRegparmN(1) BX_CPU_C::LDMXCSR(bxInstruction_c *i)
{
#if BX_CPU_LEVEL >= 6
bx_address eaddr = BX_CPU_RESOLVE_ADDR(i);
Bit32u new_mxcsr = read_virtual_dword(i->seg(), eaddr);
if(new_mxcsr & ~MXCSR_MASK)
exception(BX_GP_EXCEPTION, 0);
BX_MXCSR_REGISTER = new_mxcsr;
#endif
BX_NEXT_INSTR(i);
}
This is MXCSR_MASK:
#define MXCSR_MASK (BX_CPU_THIS_PTR mxcsr_mask)
And this is how it looks like it gets initialized (init.cc):
void BX_CPU_C::reset(unsigned source)
{
// ...
BX_CPU_THIS_PTR mxcsr_mask = 0x0000ffbf;
if (BX_CPUID_SUPPORT_ISA_EXTENSION(BX_ISA_SSE2))
BX_CPU_THIS_PTR mxcsr_mask |= MXCSR_DAZ;
if (BX_CPUID_SUPPORT_ISA_EXTENSION(BX_ISA_MISALIGNED_SSE))
BX_CPU_THIS_PTR mxcsr_mask |= MXCSR_MISALIGNED_EXCEPTION_MASK;
Could you dump the value that's getting loaded?
Cheers
from wtf.
state of mxcsr (mem.dmp) :
kd> r mxcsr
mxcsr=00001fa1
here: ldmxcsr dword ptr [rsp+8]
I dumped rsp+8 and its
[rsp+8] == 0x000000000000BFA1
from wtf.
Okay, I made a mistake; the mxcsr_mask is actually set by bxcpu when we initialize the register via cpu_set_mxcsr_mask:
BOCHSAPI void cpu_set_mxcsr_mask(unsigned id, Bit32u v) {
BX_CPU(id)->mxcsr_mask = v;
}
So in your case, mxcsr_mask is 0b0001111110100001 and you are trying to load 0b1011111110100001 into it; but 0b1011111110100001 has two bits set (1<<13 & 1<<15) that aren't set in the mask, so you take a #GP:
mask =0b0001111110100001
value=0b1011111110100001
        ^ ^
        | |
Here's the description of those two bits:
/* 31|30|29|28|27|26|25|24|23|22|21|20|19|18|17|16
* ==|==|=====|==|==|==|==|==|==|==|==|==|==|==|== (reserved)
* 0| 0| 0| 0| 0| 0| 0| 0| 0| 0| 0| 0| 0| 0|MM| 0
*
* 15|14|13|12|11|10| 9| 8| 7| 6| 5| 4| 3| 2| 1| 0
* ==|==|=====|==|==|==|==|==|==|==|==|==|==|==|==
* FZ| R C |PM|UM|OM|ZM|DM|IM|DZ|PE|UE|OE|ZE|DE|IE
*/
/* MXCSR REGISTER FIELDS DESCRIPTION */
/*
* RC 13-14 Floating-Point Rounding Control 00
* FZ 15 Flush-to-Zero for Masked Underflow 0
*/
To verify all of the above, can you change your regs.json so that mxcsr_mask is 0xbfa1 and not 0x1fa1, and re-run your testcase?
Cheers
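The LDMXCSR check quoted from Bochs above (new_mxcsr & ~MXCSR_MASK raises #GP(0)) and the bit-by-bit comparison in the last comment can be reproduced outside the emulator. The following C program is an added example written for this page, not code from wtf, bochscpu or Bochs: it re-implements the same check, the default mask computed in Bochs' reset(), and a decoder that names the bits that fall outside the mask, using the MXCSR layout from the Bochs comment quoted above. The helper names (ldmxcsr_offending_bits, bochs_default_mxcsr_mask, explain_ldmxcsr_gp, mxcsr_bit_name) are this example's own; the inputs 0x1fa1 and 0xbfa1 are the values reported in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MXCSR bit layout as in the Bochs comment quoted above: bits 0-15 are the
 * architectural flags and masks, bit 17 is MM (misaligned-exception mask),
 * and every other bit is reserved. The comment labels bit 6 "DZ"; that is
 * the DAZ (denormals-are-zero) bit, which reset() ORs into the mask when
 * SSE2 is advertised. */
static const char *const mxcsr_bit_names[32] = {
    [0] = "IE",  [1] = "DE",  [2] = "ZE",   [3] = "OE",   [4] = "UE",  [5] = "PE",
    [6] = "DAZ", [7] = "IM",  [8] = "DM",   [9] = "ZM",   [10] = "OM", [11] = "UM",
    [12] = "PM", [13] = "RC0", [14] = "RC1", [15] = "FZ", [17] = "MM",
};

#define MXCSR_DAZ (1u << 6)
#define MXCSR_MM  (1u << 17)

const char *mxcsr_bit_name(unsigned bit)
{
    if (bit >= 32 || mxcsr_bit_names[bit] == NULL)
        return "reserved";
    return mxcsr_bit_names[bit];
}

/* The check Bochs performs in LDMXCSR: any bit that is set in the new value
 * but clear in mxcsr_mask raises #GP(0). Returns the offending bits; 0 means
 * the load succeeds. */
uint32_t ldmxcsr_offending_bits(uint32_t new_mxcsr, uint32_t mxcsr_mask)
{
    return new_mxcsr & ~mxcsr_mask;
}

/* The default mask from Bochs' reset(): 0x0000ffbf, plus DAZ when SSE2 is
 * advertised and MM when misaligned SSE is advertised. bochscpu overrides
 * this through cpu_set_mxcsr_mask(), which is why regs.json matters. */
uint32_t bochs_default_mxcsr_mask(int has_sse2, int has_misaligned_sse)
{
    uint32_t mask = 0x0000ffbf;
    if (has_sse2)
        mask |= MXCSR_DAZ;
    if (has_misaligned_sse)
        mask |= MXCSR_MM;
    return mask;
}

/* Explain a failing load: writes a "bit N (NAME)" entry for every bit that
 * falls outside the mask into out (out_len bytes) and returns their count. */
int explain_ldmxcsr_gp(uint32_t new_mxcsr, uint32_t mxcsr_mask,
                       char *out, size_t out_len)
{
    uint32_t bad = ldmxcsr_offending_bits(new_mxcsr, mxcsr_mask);
    int count = 0;
    size_t used = 0;

    out[0] = '\0';
    for (unsigned bit = 0; bit < 32; bit++) {
        if (!(bad & (1u << bit)))
            continue;
        int n = snprintf(out + used, out_len - used, "%sbit %u (%s)",
                         count ? ", " : "", bit, mxcsr_bit_name(bit));
        if (n < 0 || (size_t)n >= out_len - used)
            break;  /* output truncated; stop rather than overrun */
        used += (size_t)n;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed from the thread: mxcsr_mask in regs.json and the dword the
     * guest's ldmxcsr reads from [rsp+8]. */
    const uint32_t mask_from_regs_json = 0x1fa1;
    const uint32_t value_at_rsp8 = 0xbfa1;
    char why[256];

    int n = explain_ldmxcsr_gp(value_at_rsp8, mask_from_regs_json, why, sizeof why);
    if (n)
        printf("ldmxcsr 0x%04x with mask 0x%04x -> #GP(0): %s\n",
               value_at_rsp8, mask_from_regs_json, why);

    /* The same load against the mask suggested in the thread and against
     * Bochs' own SSE2 default: both succeed. */
    printf("mask 0xbfa1 -> offending bits 0x%04x\n",
           ldmxcsr_offending_bits(value_at_rsp8, 0xbfa1));
    printf("mask 0x%04x (Bochs SSE2 default) -> offending bits 0x%04x\n",
           bochs_default_mxcsr_mask(1, 0),
           ldmxcsr_offending_bits(value_at_rsp8, bochs_default_mxcsr_mask(1, 0)));
    return 0;
}
```

With the thread's values the program reports bit 13 (RC0) and bit 15 (FZ) as the cause of the fault, and shows that either the mask proposed in the thread (0xbfa1) or the Bochs default for an SSE2 CPU (0xffff) lets the load through. When a snapshot comes from real hardware, the mask that matters is the MXCSR_MASK the CPU stores in its FXSAVE image; a regs.json whose mxcsr_mask is narrower than that will fault on guest code that ran fine on the hardware.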