I think I have found it in translate.c:

    /* sign does not matter, except for lidt/lgdt call (TODO: fix it) */
    static GenOpFunc *gen_op_ld_T0_A0[3 * 4] = {
        gen_op_ldub_raw_T0_A0,
        gen_op_lduw_raw_T0_A0,
        gen_op_ldl_raw_T0_A0,
        X86_64_ONLY(gen_op_ldq_raw_T0_A0),
    #ifndef CONFIG_USER_ONLY
        gen_op_ldub_kernel_T0_A0,
        gen_op_lduw_kernel_T0_A0,
        gen_op_ldl_kernel_T0_A0,
        X86_64_ONLY(gen_op_ldq_kernel_T0_A0),
        gen_op_ldub_user_T0_A0,
        gen_op_lduw_user_T0_A0,
        gen_op_ldl_user_T0_A0,
        X86_64_ONLY(gen_op_ldq_user_T0_A0),
    #endif
    };

gen_op_ldl_kernel_T0_A0 looks quite promising. However, I still have not found the code (e.g. in op.c) that actually includes the "call" opcode (I find it in the disassembled code of the qemu binary, though). Is it generated somehow by gcc? The only thing that looks similar are the ld functions in softmmu_header:

    static inline RES_TYPE glue(glue(ld, USUFFIX), MEMSUFFIX)(target_ulong ptr)

However, if I understand the macro defs right, these functions are not built... Maybe someone could point that out?

On Wednesday 25 July 2007 02:04:47 pm you wrote:
> hi!
> I tried asking this in the irc but got no answer, hope someone can help me
> here :-)
>
> I'm working on memory protection for my master's thesis and have to dig
> into qemu memory management... could someone help me here please? I have
> the following problem:
>
> I'm trying to understand the dynamic translation for the following
> mov opcode (it's taken from the qemu log with "log asm_in,asm_out"):
>
> IN:
> 0xc011c9f2: mov 0x60(%esi),%edx
> the hex code would be "0x8b 0x56 0x60"
> ...
>
> OUT:
> OUT: [size=455]
> 0x08d30fa0: mov 0x18(%ebp),%edi
> 0x08d30fa3: add $0x60,%edi
> 0x08d30fa9: mov %edi,%edx
> 0x08d30fab: mov %edi,%eax
> 0x08d30fad: shr $0x8,%edx
> 0x08d30fb0: and $0xfffff003,%eax
> 0x08d30fb5: and $0xff0,%edx
> 0x08d30fbb: lea 0x350(%edx,%ebp,1),%edx
> 0x08d30fc2: cmp (%edx),%eax
> 0x08d30fc4: mov %edi,%eax
> 0x08d30fc6: je 0x8d30fd4
> 0x08d30fc8: push $0x0
> 0x08d30fca: call 0x80ee06a // __ldl_mmu
> 0x08d30fcf: pop %edx
> 0x08d30fd0: mov %eax,%ebx
> 0x08d30fd2: jmp 0x8d30fd9
> 0x08d30fd4: add 0xc(%edx),%eax
> 0x08d30fd7: mov (%eax),%ebx // possibly the output of
> gen_op_ld_T0_A0[ot + s->mem_index]();
> 0x08d30fd9: mov %ebx,0x8(%ebp) // this is the output of
> gen_op_mov_reg_T0[ot][reg](); (translate.c:4005)
> ...
>
>
> Therefore, I think the following code in translate.c should be executed:
>
>     case 0x8b: /* mov Ev, Gv */
>         if ((b & 1) == 0)
>             ot = OT_BYTE;
>         else
>             ot = OT_WORD + dflag;
>         modrm = ldub_code(s->pc++);
>         reg = ((modrm >> 3) & 7) | rex_r;
>
>         gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>         gen_op_mov_reg_T0[ot][reg]();
>         break;
>
>
> I debugged some time and found out that the last gen_op
>
>     gen_op_mov_reg_T0[ot][reg]();
>
> only produces
>
>     mov %ebx,0x8(%ebp).
>
> Thus, the rest of the OUT codes is produced by
>
>     gen_ldst_modrm(s, modrm, ot, OR_TMP0, 0);
>
> However, I tried reading through the code but I could not find the function
> where
>
>     0x08d30fca: call 0x80ee06a // __ldl_mmu
>
> is inserted into the translation buffer... I (think to) know why it must be
> inserted, but I just cannot figure out where it is put into the buffer.
>
> If someone could point that out, it would help me a LOT!
> thanks,
> Clemens
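As an added example (not QEMU's code and not part of this thread), the following plain C models what the OUT listing above is executing: the inline ld function from softmmu_header.h that op.c's memory ops call, which gcc compiles into the op and dyngen copies into the translation buffer. The TLB index and tag compare are the fast path, and the "call __ldl_mmu" is just the slow-path branch of that inline function. Page size, TLB size and entry layout follow the listing's constants; guest_ram, setup_guest and slow_path_count are constructed names for this demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of QEMU 0.9's softmmu load path; constants match the x86 target in the listing. */
#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_MASK (~((1u << TARGET_PAGE_BITS) - 1))
#define CPU_TLB_SIZE 256               /* CPU_TLB_BITS = 8: "shr $8; and $0xff0" is this index times 16 */
#define NB_MMU_MODES 2                 /* 0 = kernel, 1 = user: the value pushed before the call */

typedef struct {
    uint32_t addr_read, addr_write, addr_code;   /* page tags; 0xffffffff marks an empty entry */
    uintptr_t addend;                  /* host pointer = guest vaddr + addend ("0xc(%edx)" on a 32-bit host) */
} CPUTLBEntry;

static CPUTLBEntry tlb_table[NB_MMU_MODES][CPU_TLB_SIZE];   /* env->tlb_table */
static uint8_t guest_ram[2u << TARGET_PAGE_BITS];           /* constructed guest RAM: two pages */
static int slow_path_calls;                                 /* how many times __ldl_mmu ran */

/* Slow path (stand-in for __ldl_mmu + tlb_fill): map the page, install the TLB entry, finish the load. */
static uint32_t __ldl_mmu(uint32_t addr, int mem_index)
{
    uint32_t v;
    slow_path_calls++;
    if ((uint64_t)addr + 4 > sizeof guest_ram)       /* no RAM here: real QEMU would raise a guest fault */
        return 0xffffffffu;
    CPUTLBEntry *te = &tlb_table[mem_index][(addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1)];
    te->addr_read = addr & TARGET_PAGE_MASK;
    te->addend = (uintptr_t)guest_ram;               /* identity map: host = guest_ram + vaddr */
    memcpy(&v, guest_ram + addr, 4);
    return v;
}

/* Fast path, i.e. what gcc inlines into gen_op_ldl_kernel_T0_A0: index, compare the tag, call on a miss. */
static uint32_t ldl_softmmu(uint32_t addr, int mem_index)
{
    CPUTLBEntry *te = &tlb_table[mem_index][(addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1)];
    uint32_t v;
    /* "and $0xfffff003": page bits plus DATA_SIZE - 1, so an unaligned load always takes the slow path */
    if (te->addr_read != (addr & (TARGET_PAGE_MASK | 3)))
        return __ldl_mmu(addr, mem_index);           /* "push $0x0; call __ldl_mmu" */
    memcpy(&v, (const void *)(addr + te->addend), 4); /* "add 0xc(%edx),%eax; mov (%eax),%ebx" */
    return v;
}

/* Constructed setup: empty TLB, zeroed RAM, little-endian 0x12345678 at guest address 0x1060. */
static void setup_guest(void)
{
    memset(tlb_table, 0xff, sizeof tlb_table);
    memset(guest_ram, 0, sizeof guest_ram);
    slow_path_calls = 0;
    guest_ram[0x1060] = 0x78; guest_ram[0x1061] = 0x56; guest_ram[0x1062] = 0x34; guest_ram[0x1063] = 0x12;
}
static int slow_path_count(void) { return slow_path_calls; }
```

The first load of a page, a load through the other mmu mode's table, and any unaligned load all go through the slow path; a second aligned load of an already-mapped page never leaves the inlined fast path.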