2 * x86 segmentation related helpers:
3 * TSS, interrupts, system calls, jumps and call/task gates, descriptors
5 * Copyright (c) 2003 Fabrice Bellard
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
27 #if !defined(CONFIG_USER_ONLY)
28 #include "exec/softmmu_exec.h"
29 #endif /* !defined(CONFIG_USER_ONLY) */
32 # define LOG_PCALL(...) qemu_log_mask(CPU_LOG_PCALL, ## __VA_ARGS__)
33 # define LOG_PCALL_STATE(env) \
34 log_cpu_state_mask(CPU_LOG_PCALL, (env), CPU_DUMP_CCOP)
36 # define LOG_PCALL(...) do { } while (0)
37 # define LOG_PCALL_STATE(env) do { } while (0)
40 /* return non zero if error */
41 static inline int load_segment(CPUX86State *env, uint32_t *e1_ptr,
42 uint32_t *e2_ptr, int selector)
53 index = selector & ~7;
54 if ((index + 7) > dt->limit) {
57 ptr = dt->base + index;
58 *e1_ptr = cpu_ldl_kernel(env, ptr);
59 *e2_ptr = cpu_ldl_kernel(env, ptr + 4);
63 static inline unsigned int get_seg_limit(uint32_t e1, uint32_t e2)
67 limit = (e1 & 0xffff) | (e2 & 0x000f0000);
68 if (e2 & DESC_G_MASK) {
69 limit = (limit << 12) | 0xfff;
74 static inline uint32_t get_seg_base(uint32_t e1, uint32_t e2)
76 return (e1 >> 16) | ((e2 & 0xff) << 16) | (e2 & 0xff000000);
79 static inline void load_seg_cache_raw_dt(SegmentCache *sc, uint32_t e1,
82 sc->base = get_seg_base(e1, e2);
83 sc->limit = get_seg_limit(e1, e2);
87 /* init the segment cache in vm86 mode. */
88 static inline void load_seg_vm(CPUX86State *env, int seg, int selector)
91 cpu_x86_load_seg_cache(env, seg, selector,
92 (selector << 4), 0xffff, 0);
95 static inline void get_ss_esp_from_tss(CPUX86State *env, uint32_t *ss_ptr,
96 uint32_t *esp_ptr, int dpl)
98 int type, index, shift;
103 printf("TR: base=%p limit=%x\n", env->tr.base, env->tr.limit);
104 for (i = 0; i < env->tr.limit; i++) {
105 printf("%02x ", env->tr.base[i]);
114 if (!(env->tr.flags & DESC_P_MASK)) {
115 cpu_abort(env, "invalid tss");
117 type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
118 if ((type & 7) != 1) {
119 cpu_abort(env, "invalid tss type");
122 index = (dpl * 4 + 2) << shift;
123 if (index + (4 << shift) - 1 > env->tr.limit) {
124 raise_exception_err(env, EXCP0A_TSS, env->tr.selector & 0xfffc);
127 *esp_ptr = cpu_lduw_kernel(env, env->tr.base + index);
128 *ss_ptr = cpu_lduw_kernel(env, env->tr.base + index + 2);
130 *esp_ptr = cpu_ldl_kernel(env, env->tr.base + index);
131 *ss_ptr = cpu_lduw_kernel(env, env->tr.base + index + 4);
135 /* XXX: merge with load_seg() */
136 static void tss_load_seg(CPUX86State *env, int seg_reg, int selector)
141 if ((selector & 0xfffc) != 0) {
142 if (load_segment(env, &e1, &e2, selector) != 0) {
143 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
145 if (!(e2 & DESC_S_MASK)) {
146 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
149 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
150 cpl = env->hflags & HF_CPL_MASK;
151 if (seg_reg == R_CS) {
152 if (!(e2 & DESC_CS_MASK)) {
153 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
155 /* XXX: is it correct? */
157 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
159 if ((e2 & DESC_C_MASK) && dpl > rpl) {
160 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
162 } else if (seg_reg == R_SS) {
163 /* SS must be writable data */
164 if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
165 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
167 if (dpl != cpl || dpl != rpl) {
168 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
171 /* not readable code */
172 if ((e2 & DESC_CS_MASK) && !(e2 & DESC_R_MASK)) {
173 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
175 /* if data or non conforming code, checks the rights */
176 if (((e2 >> DESC_TYPE_SHIFT) & 0xf) < 12) {
177 if (dpl < cpl || dpl < rpl) {
178 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
182 if (!(e2 & DESC_P_MASK)) {
183 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
185 cpu_x86_load_seg_cache(env, seg_reg, selector,
186 get_seg_base(e1, e2),
187 get_seg_limit(e1, e2),
190 if (seg_reg == R_SS || seg_reg == R_CS) {
191 raise_exception_err(env, EXCP0A_TSS, selector & 0xfffc);
196 #define SWITCH_TSS_JMP 0
197 #define SWITCH_TSS_IRET 1
198 #define SWITCH_TSS_CALL 2
200 /* XXX: restore CPU state in registers (PowerPC case) */
201 static void switch_tss(CPUX86State *env, int tss_selector,
202 uint32_t e1, uint32_t e2, int source,
205 int tss_limit, tss_limit_max, type, old_tss_limit_max, old_type, v1, v2, i;
206 target_ulong tss_base;
207 uint32_t new_regs[8], new_segs[6];
208 uint32_t new_eflags, new_eip, new_cr3, new_ldt, new_trap;
209 uint32_t old_eflags, eflags_mask;
214 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
215 LOG_PCALL("switch_tss: sel=0x%04x type=%d src=%d\n", tss_selector, type,
218 /* if task gate, we read the TSS segment and we load it */
220 if (!(e2 & DESC_P_MASK)) {
221 raise_exception_err(env, EXCP0B_NOSEG, tss_selector & 0xfffc);
223 tss_selector = e1 >> 16;
224 if (tss_selector & 4) {
225 raise_exception_err(env, EXCP0A_TSS, tss_selector & 0xfffc);
227 if (load_segment(env, &e1, &e2, tss_selector) != 0) {
228 raise_exception_err(env, EXCP0D_GPF, tss_selector & 0xfffc);
230 if (e2 & DESC_S_MASK) {
231 raise_exception_err(env, EXCP0D_GPF, tss_selector & 0xfffc);
233 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
234 if ((type & 7) != 1) {
235 raise_exception_err(env, EXCP0D_GPF, tss_selector & 0xfffc);
239 if (!(e2 & DESC_P_MASK)) {
240 raise_exception_err(env, EXCP0B_NOSEG, tss_selector & 0xfffc);
248 tss_limit = get_seg_limit(e1, e2);
249 tss_base = get_seg_base(e1, e2);
250 if ((tss_selector & 4) != 0 ||
251 tss_limit < tss_limit_max) {
252 raise_exception_err(env, EXCP0A_TSS, tss_selector & 0xfffc);
254 old_type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
256 old_tss_limit_max = 103;
258 old_tss_limit_max = 43;
261 /* read all the registers from the new TSS */
264 new_cr3 = cpu_ldl_kernel(env, tss_base + 0x1c);
265 new_eip = cpu_ldl_kernel(env, tss_base + 0x20);
266 new_eflags = cpu_ldl_kernel(env, tss_base + 0x24);
267 for (i = 0; i < 8; i++) {
268 new_regs[i] = cpu_ldl_kernel(env, tss_base + (0x28 + i * 4));
270 for (i = 0; i < 6; i++) {
271 new_segs[i] = cpu_lduw_kernel(env, tss_base + (0x48 + i * 4));
273 new_ldt = cpu_lduw_kernel(env, tss_base + 0x60);
274 new_trap = cpu_ldl_kernel(env, tss_base + 0x64);
278 new_eip = cpu_lduw_kernel(env, tss_base + 0x0e);
279 new_eflags = cpu_lduw_kernel(env, tss_base + 0x10);
280 for (i = 0; i < 8; i++) {
281 new_regs[i] = cpu_lduw_kernel(env, tss_base + (0x12 + i * 2)) |
284 for (i = 0; i < 4; i++) {
285 new_segs[i] = cpu_lduw_kernel(env, tss_base + (0x22 + i * 4));
287 new_ldt = cpu_lduw_kernel(env, tss_base + 0x2a);
292 /* XXX: avoid a compiler warning, see
293 http://support.amd.com/us/Processor_TechDocs/24593.pdf
294 chapters 12.2.5 and 13.2.4 on how to implement TSS Trap bit */
297 /* NOTE: we must avoid memory exceptions during the task switch,
298 so we make dummy accesses before */
299 /* XXX: it can still fail in some cases, so a bigger hack is
300 necessary to valid the TLB after having done the accesses */
302 v1 = cpu_ldub_kernel(env, env->tr.base);
303 v2 = cpu_ldub_kernel(env, env->tr.base + old_tss_limit_max);
304 cpu_stb_kernel(env, env->tr.base, v1);
305 cpu_stb_kernel(env, env->tr.base + old_tss_limit_max, v2);
307 /* clear busy bit (it is restartable) */
308 if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_IRET) {
312 ptr = env->gdt.base + (env->tr.selector & ~7);
313 e2 = cpu_ldl_kernel(env, ptr + 4);
314 e2 &= ~DESC_TSS_BUSY_MASK;
315 cpu_stl_kernel(env, ptr + 4, e2);
317 old_eflags = cpu_compute_eflags(env);
318 if (source == SWITCH_TSS_IRET) {
319 old_eflags &= ~NT_MASK;
322 /* save the current state in the old TSS */
325 cpu_stl_kernel(env, env->tr.base + 0x20, next_eip);
326 cpu_stl_kernel(env, env->tr.base + 0x24, old_eflags);
327 cpu_stl_kernel(env, env->tr.base + (0x28 + 0 * 4), env->regs[R_EAX]);
328 cpu_stl_kernel(env, env->tr.base + (0x28 + 1 * 4), env->regs[R_ECX]);
329 cpu_stl_kernel(env, env->tr.base + (0x28 + 2 * 4), env->regs[R_EDX]);
330 cpu_stl_kernel(env, env->tr.base + (0x28 + 3 * 4), env->regs[R_EBX]);
331 cpu_stl_kernel(env, env->tr.base + (0x28 + 4 * 4), ESP);
332 cpu_stl_kernel(env, env->tr.base + (0x28 + 5 * 4), EBP);
333 cpu_stl_kernel(env, env->tr.base + (0x28 + 6 * 4), ESI);
334 cpu_stl_kernel(env, env->tr.base + (0x28 + 7 * 4), EDI);
335 for (i = 0; i < 6; i++) {
336 cpu_stw_kernel(env, env->tr.base + (0x48 + i * 4),
337 env->segs[i].selector);
341 cpu_stw_kernel(env, env->tr.base + 0x0e, next_eip);
342 cpu_stw_kernel(env, env->tr.base + 0x10, old_eflags);
343 cpu_stw_kernel(env, env->tr.base + (0x12 + 0 * 2), env->regs[R_EAX]);
344 cpu_stw_kernel(env, env->tr.base + (0x12 + 1 * 2), env->regs[R_ECX]);
345 cpu_stw_kernel(env, env->tr.base + (0x12 + 2 * 2), env->regs[R_EDX]);
346 cpu_stw_kernel(env, env->tr.base + (0x12 + 3 * 2), env->regs[R_EBX]);
347 cpu_stw_kernel(env, env->tr.base + (0x12 + 4 * 2), ESP);
348 cpu_stw_kernel(env, env->tr.base + (0x12 + 5 * 2), EBP);
349 cpu_stw_kernel(env, env->tr.base + (0x12 + 6 * 2), ESI);
350 cpu_stw_kernel(env, env->tr.base + (0x12 + 7 * 2), EDI);
351 for (i = 0; i < 4; i++) {
352 cpu_stw_kernel(env, env->tr.base + (0x22 + i * 4),
353 env->segs[i].selector);
357 /* now if an exception occurs, it will occurs in the next task
360 if (source == SWITCH_TSS_CALL) {
361 cpu_stw_kernel(env, tss_base, env->tr.selector);
362 new_eflags |= NT_MASK;
366 if (source == SWITCH_TSS_JMP || source == SWITCH_TSS_CALL) {
370 ptr = env->gdt.base + (tss_selector & ~7);
371 e2 = cpu_ldl_kernel(env, ptr + 4);
372 e2 |= DESC_TSS_BUSY_MASK;
373 cpu_stl_kernel(env, ptr + 4, e2);
376 /* set the new CPU state */
377 /* from this point, any exception which occurs can give problems */
378 env->cr[0] |= CR0_TS_MASK;
379 env->hflags |= HF_TS_MASK;
380 env->tr.selector = tss_selector;
381 env->tr.base = tss_base;
382 env->tr.limit = tss_limit;
383 env->tr.flags = e2 & ~DESC_TSS_BUSY_MASK;
385 if ((type & 8) && (env->cr[0] & CR0_PG_MASK)) {
386 cpu_x86_update_cr3(env, new_cr3);
389 /* load all registers without an exception, then reload them with
390 possible exception */
392 eflags_mask = TF_MASK | AC_MASK | ID_MASK |
393 IF_MASK | IOPL_MASK | VM_MASK | RF_MASK | NT_MASK;
395 eflags_mask &= 0xffff;
397 cpu_load_eflags(env, new_eflags, eflags_mask);
398 /* XXX: what to do in 16 bit case? */
399 env->regs[R_EAX] = new_regs[0];
400 env->regs[R_ECX] = new_regs[1];
401 env->regs[R_EDX] = new_regs[2];
402 env->regs[R_EBX] = new_regs[3];
407 if (new_eflags & VM_MASK) {
408 for (i = 0; i < 6; i++) {
409 load_seg_vm(env, i, new_segs[i]);
411 /* in vm86, CPL is always 3 */
412 cpu_x86_set_cpl(env, 3);
414 /* CPL is set the RPL of CS */
415 cpu_x86_set_cpl(env, new_segs[R_CS] & 3);
416 /* first just selectors as the rest may trigger exceptions */
417 for (i = 0; i < 6; i++) {
418 cpu_x86_load_seg_cache(env, i, new_segs[i], 0, 0, 0);
422 env->ldt.selector = new_ldt & ~4;
429 raise_exception_err(env, EXCP0A_TSS, new_ldt & 0xfffc);
432 if ((new_ldt & 0xfffc) != 0) {
434 index = new_ldt & ~7;
435 if ((index + 7) > dt->limit) {
436 raise_exception_err(env, EXCP0A_TSS, new_ldt & 0xfffc);
438 ptr = dt->base + index;
439 e1 = cpu_ldl_kernel(env, ptr);
440 e2 = cpu_ldl_kernel(env, ptr + 4);
441 if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
442 raise_exception_err(env, EXCP0A_TSS, new_ldt & 0xfffc);
444 if (!(e2 & DESC_P_MASK)) {
445 raise_exception_err(env, EXCP0A_TSS, new_ldt & 0xfffc);
447 load_seg_cache_raw_dt(&env->ldt, e1, e2);
450 /* load the segments */
451 if (!(new_eflags & VM_MASK)) {
452 tss_load_seg(env, R_CS, new_segs[R_CS]);
453 tss_load_seg(env, R_SS, new_segs[R_SS]);
454 tss_load_seg(env, R_ES, new_segs[R_ES]);
455 tss_load_seg(env, R_DS, new_segs[R_DS]);
456 tss_load_seg(env, R_FS, new_segs[R_FS]);
457 tss_load_seg(env, R_GS, new_segs[R_GS]);
460 /* check that EIP is in the CS segment limits */
461 if (new_eip > env->segs[R_CS].limit) {
462 /* XXX: different exception if CALL? */
463 raise_exception_err(env, EXCP0D_GPF, 0);
466 #ifndef CONFIG_USER_ONLY
467 /* reset local breakpoints */
468 if (env->dr[7] & DR7_LOCAL_BP_MASK) {
469 for (i = 0; i < DR7_MAX_BP; i++) {
470 if (hw_local_breakpoint_enabled(env->dr[7], i) &&
471 !hw_global_breakpoint_enabled(env->dr[7], i)) {
472 hw_breakpoint_remove(env, i);
475 env->dr[7] &= ~DR7_LOCAL_BP_MASK;
480 static inline unsigned int get_sp_mask(unsigned int e2)
482 if (e2 & DESC_B_MASK) {
489 static int exception_has_error_code(int intno)
505 #define SET_ESP(val, sp_mask) \
507 if ((sp_mask) == 0xffff) { \
508 ESP = (ESP & ~0xffff) | ((val) & 0xffff); \
509 } else if ((sp_mask) == 0xffffffffLL) { \
510 ESP = (uint32_t)(val); \
516 #define SET_ESP(val, sp_mask) \
518 ESP = (ESP & ~(sp_mask)) | ((val) & (sp_mask)); \
522 /* in 64-bit machines, this can overflow. So this segment addition macro
523 * can be used to trim the value to 32-bit whenever needed */
524 #define SEG_ADDL(ssp, sp, sp_mask) ((uint32_t)((ssp) + (sp & (sp_mask))))
526 /* XXX: add a is_user flag to have proper security support */
527 #define PUSHW(ssp, sp, sp_mask, val) \
530 cpu_stw_kernel(env, (ssp) + (sp & (sp_mask)), (val)); \
533 #define PUSHL(ssp, sp, sp_mask, val) \
536 cpu_stl_kernel(env, SEG_ADDL(ssp, sp, sp_mask), (uint32_t)(val)); \
539 #define POPW(ssp, sp, sp_mask, val) \
541 val = cpu_lduw_kernel(env, (ssp) + (sp & (sp_mask))); \
545 #define POPL(ssp, sp, sp_mask, val) \
547 val = (uint32_t)cpu_ldl_kernel(env, SEG_ADDL(ssp, sp, sp_mask)); \
551 /* protected mode interrupt */
552 static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
553 int error_code, unsigned int next_eip,
557 target_ulong ptr, ssp;
558 int type, dpl, selector, ss_dpl, cpl;
559 int has_error_code, new_stack, shift;
560 uint32_t e1, e2, offset, ss = 0, esp, ss_e1 = 0, ss_e2 = 0;
561 uint32_t old_eip, sp_mask;
564 if (!is_int && !is_hw) {
565 has_error_code = exception_has_error_code(intno);
574 if (intno * 8 + 7 > dt->limit) {
575 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
577 ptr = dt->base + intno * 8;
578 e1 = cpu_ldl_kernel(env, ptr);
579 e2 = cpu_ldl_kernel(env, ptr + 4);
580 /* check gate type */
581 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
583 case 5: /* task gate */
584 /* must do that check here to return the correct error code */
585 if (!(e2 & DESC_P_MASK)) {
586 raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
588 switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
589 if (has_error_code) {
593 /* push the error code */
594 type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
596 if (env->segs[R_SS].flags & DESC_B_MASK) {
601 esp = (ESP - (2 << shift)) & mask;
602 ssp = env->segs[R_SS].base + esp;
604 cpu_stl_kernel(env, ssp, error_code);
606 cpu_stw_kernel(env, ssp, error_code);
611 case 6: /* 286 interrupt gate */
612 case 7: /* 286 trap gate */
613 case 14: /* 386 interrupt gate */
614 case 15: /* 386 trap gate */
617 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
620 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
621 cpl = env->hflags & HF_CPL_MASK;
622 /* check privilege if software int */
623 if (is_int && dpl < cpl) {
624 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
626 /* check valid bit */
627 if (!(e2 & DESC_P_MASK)) {
628 raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
631 offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
632 if ((selector & 0xfffc) == 0) {
633 raise_exception_err(env, EXCP0D_GPF, 0);
635 if (load_segment(env, &e1, &e2, selector) != 0) {
636 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
638 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
639 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
641 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
643 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
645 if (!(e2 & DESC_P_MASK)) {
646 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
648 if (!(e2 & DESC_C_MASK) && dpl < cpl) {
649 /* to inner privilege */
650 get_ss_esp_from_tss(env, &ss, &esp, dpl);
651 if ((ss & 0xfffc) == 0) {
652 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
654 if ((ss & 3) != dpl) {
655 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
657 if (load_segment(env, &ss_e1, &ss_e2, ss) != 0) {
658 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
660 ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
662 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
664 if (!(ss_e2 & DESC_S_MASK) ||
665 (ss_e2 & DESC_CS_MASK) ||
666 !(ss_e2 & DESC_W_MASK)) {
667 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
669 if (!(ss_e2 & DESC_P_MASK)) {
670 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
673 sp_mask = get_sp_mask(ss_e2);
674 ssp = get_seg_base(ss_e1, ss_e2);
675 } else if ((e2 & DESC_C_MASK) || dpl == cpl) {
676 /* to same privilege */
677 if (env->eflags & VM_MASK) {
678 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
681 sp_mask = get_sp_mask(env->segs[R_SS].flags);
682 ssp = env->segs[R_SS].base;
686 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
687 new_stack = 0; /* avoid warning */
688 sp_mask = 0; /* avoid warning */
689 ssp = 0; /* avoid warning */
690 esp = 0; /* avoid warning */
696 /* XXX: check that enough room is available */
697 push_size = 6 + (new_stack << 2) + (has_error_code << 1);
698 if (env->eflags & VM_MASK) {
705 if (env->eflags & VM_MASK) {
706 PUSHL(ssp, esp, sp_mask, env->segs[R_GS].selector);
707 PUSHL(ssp, esp, sp_mask, env->segs[R_FS].selector);
708 PUSHL(ssp, esp, sp_mask, env->segs[R_DS].selector);
709 PUSHL(ssp, esp, sp_mask, env->segs[R_ES].selector);
711 PUSHL(ssp, esp, sp_mask, env->segs[R_SS].selector);
712 PUSHL(ssp, esp, sp_mask, ESP);
714 PUSHL(ssp, esp, sp_mask, cpu_compute_eflags(env));
715 PUSHL(ssp, esp, sp_mask, env->segs[R_CS].selector);
716 PUSHL(ssp, esp, sp_mask, old_eip);
717 if (has_error_code) {
718 PUSHL(ssp, esp, sp_mask, error_code);
722 if (env->eflags & VM_MASK) {
723 PUSHW(ssp, esp, sp_mask, env->segs[R_GS].selector);
724 PUSHW(ssp, esp, sp_mask, env->segs[R_FS].selector);
725 PUSHW(ssp, esp, sp_mask, env->segs[R_DS].selector);
726 PUSHW(ssp, esp, sp_mask, env->segs[R_ES].selector);
728 PUSHW(ssp, esp, sp_mask, env->segs[R_SS].selector);
729 PUSHW(ssp, esp, sp_mask, ESP);
731 PUSHW(ssp, esp, sp_mask, cpu_compute_eflags(env));
732 PUSHW(ssp, esp, sp_mask, env->segs[R_CS].selector);
733 PUSHW(ssp, esp, sp_mask, old_eip);
734 if (has_error_code) {
735 PUSHW(ssp, esp, sp_mask, error_code);
740 if (env->eflags & VM_MASK) {
741 cpu_x86_load_seg_cache(env, R_ES, 0, 0, 0, 0);
742 cpu_x86_load_seg_cache(env, R_DS, 0, 0, 0, 0);
743 cpu_x86_load_seg_cache(env, R_FS, 0, 0, 0, 0);
744 cpu_x86_load_seg_cache(env, R_GS, 0, 0, 0, 0);
746 ss = (ss & ~3) | dpl;
747 cpu_x86_load_seg_cache(env, R_SS, ss,
748 ssp, get_seg_limit(ss_e1, ss_e2), ss_e2);
750 SET_ESP(esp, sp_mask);
752 selector = (selector & ~3) | dpl;
753 cpu_x86_load_seg_cache(env, R_CS, selector,
754 get_seg_base(e1, e2),
755 get_seg_limit(e1, e2),
757 cpu_x86_set_cpl(env, dpl);
760 /* interrupt gate clear IF mask */
761 if ((type & 1) == 0) {
762 env->eflags &= ~IF_MASK;
764 env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
769 #define PUSHQ(sp, val) \
772 cpu_stq_kernel(env, sp, (val)); \
775 #define POPQ(sp, val) \
777 val = cpu_ldq_kernel(env, sp); \
781 static inline target_ulong get_rsp_from_tss(CPUX86State *env, int level)
786 printf("TR: base=" TARGET_FMT_lx " limit=%x\n",
787 env->tr.base, env->tr.limit);
790 if (!(env->tr.flags & DESC_P_MASK)) {
791 cpu_abort(env, "invalid tss");
793 index = 8 * level + 4;
794 if ((index + 7) > env->tr.limit) {
795 raise_exception_err(env, EXCP0A_TSS, env->tr.selector & 0xfffc);
797 return cpu_ldq_kernel(env, env->tr.base + index);
800 /* 64 bit interrupt */
801 static void do_interrupt64(CPUX86State *env, int intno, int is_int,
802 int error_code, target_ulong next_eip, int is_hw)
806 int type, dpl, selector, cpl, ist;
807 int has_error_code, new_stack;
808 uint32_t e1, e2, e3, ss;
809 target_ulong old_eip, esp, offset;
812 if (!is_int && !is_hw) {
813 has_error_code = exception_has_error_code(intno);
822 if (intno * 16 + 15 > dt->limit) {
823 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
825 ptr = dt->base + intno * 16;
826 e1 = cpu_ldl_kernel(env, ptr);
827 e2 = cpu_ldl_kernel(env, ptr + 4);
828 e3 = cpu_ldl_kernel(env, ptr + 8);
829 /* check gate type */
830 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
832 case 14: /* 386 interrupt gate */
833 case 15: /* 386 trap gate */
836 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
839 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
840 cpl = env->hflags & HF_CPL_MASK;
841 /* check privilege if software int */
842 if (is_int && dpl < cpl) {
843 raise_exception_err(env, EXCP0D_GPF, intno * 16 + 2);
845 /* check valid bit */
846 if (!(e2 & DESC_P_MASK)) {
847 raise_exception_err(env, EXCP0B_NOSEG, intno * 16 + 2);
850 offset = ((target_ulong)e3 << 32) | (e2 & 0xffff0000) | (e1 & 0x0000ffff);
852 if ((selector & 0xfffc) == 0) {
853 raise_exception_err(env, EXCP0D_GPF, 0);
856 if (load_segment(env, &e1, &e2, selector) != 0) {
857 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
859 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
860 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
862 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
864 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
866 if (!(e2 & DESC_P_MASK)) {
867 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
869 if (!(e2 & DESC_L_MASK) || (e2 & DESC_B_MASK)) {
870 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
872 if ((!(e2 & DESC_C_MASK) && dpl < cpl) || ist != 0) {
873 /* to inner privilege */
875 esp = get_rsp_from_tss(env, ist + 3);
877 esp = get_rsp_from_tss(env, dpl);
879 esp &= ~0xfLL; /* align stack */
882 } else if ((e2 & DESC_C_MASK) || dpl == cpl) {
883 /* to same privilege */
884 if (env->eflags & VM_MASK) {
885 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
889 esp = get_rsp_from_tss(env, ist + 3);
893 esp &= ~0xfLL; /* align stack */
896 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
897 new_stack = 0; /* avoid warning */
898 esp = 0; /* avoid warning */
901 PUSHQ(esp, env->segs[R_SS].selector);
903 PUSHQ(esp, cpu_compute_eflags(env));
904 PUSHQ(esp, env->segs[R_CS].selector);
906 if (has_error_code) {
907 PUSHQ(esp, error_code);
912 cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0);
916 selector = (selector & ~3) | dpl;
917 cpu_x86_load_seg_cache(env, R_CS, selector,
918 get_seg_base(e1, e2),
919 get_seg_limit(e1, e2),
921 cpu_x86_set_cpl(env, dpl);
924 /* interrupt gate clear IF mask */
925 if ((type & 1) == 0) {
926 env->eflags &= ~IF_MASK;
928 env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
933 #if defined(CONFIG_USER_ONLY)
934 void helper_syscall(CPUX86State *env, int next_eip_addend)
936 env->exception_index = EXCP_SYSCALL;
937 env->exception_next_eip = env->eip + next_eip_addend;
941 void helper_syscall(CPUX86State *env, int next_eip_addend)
945 if (!(env->efer & MSR_EFER_SCE)) {
946 raise_exception_err(env, EXCP06_ILLOP, 0);
948 selector = (env->star >> 32) & 0xffff;
949 if (env->hflags & HF_LMA_MASK) {
952 env->regs[R_ECX] = env->eip + next_eip_addend;
953 env->regs[11] = cpu_compute_eflags(env);
955 code64 = env->hflags & HF_CS64_MASK;
957 cpu_x86_set_cpl(env, 0);
958 cpu_x86_load_seg_cache(env, R_CS, selector & 0xfffc,
960 DESC_G_MASK | DESC_P_MASK |
962 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
964 cpu_x86_load_seg_cache(env, R_SS, (selector + 8) & 0xfffc,
966 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
968 DESC_W_MASK | DESC_A_MASK);
969 env->eflags &= ~env->fmask;
970 cpu_load_eflags(env, env->eflags, 0);
972 env->eip = env->lstar;
974 env->eip = env->cstar;
977 env->regs[R_ECX] = (uint32_t)(env->eip + next_eip_addend);
979 cpu_x86_set_cpl(env, 0);
980 cpu_x86_load_seg_cache(env, R_CS, selector & 0xfffc,
982 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
984 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
985 cpu_x86_load_seg_cache(env, R_SS, (selector + 8) & 0xfffc,
987 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
989 DESC_W_MASK | DESC_A_MASK);
990 env->eflags &= ~(IF_MASK | RF_MASK | VM_MASK);
991 env->eip = (uint32_t)env->star;
998 void helper_sysret(CPUX86State *env, int dflag)
1002 if (!(env->efer & MSR_EFER_SCE)) {
1003 raise_exception_err(env, EXCP06_ILLOP, 0);
1005 cpl = env->hflags & HF_CPL_MASK;
1006 if (!(env->cr[0] & CR0_PE_MASK) || cpl != 0) {
1007 raise_exception_err(env, EXCP0D_GPF, 0);
1009 selector = (env->star >> 48) & 0xffff;
1010 if (env->hflags & HF_LMA_MASK) {
1012 cpu_x86_load_seg_cache(env, R_CS, (selector + 16) | 3,
1014 DESC_G_MASK | DESC_P_MASK |
1015 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
1016 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
1018 env->eip = env->regs[R_ECX];
1020 cpu_x86_load_seg_cache(env, R_CS, selector | 3,
1022 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
1023 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
1024 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
1025 env->eip = (uint32_t)env->regs[R_ECX];
1027 cpu_x86_load_seg_cache(env, R_SS, selector + 8,
1029 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
1030 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
1031 DESC_W_MASK | DESC_A_MASK);
1032 cpu_load_eflags(env, (uint32_t)(env->regs[11]), TF_MASK | AC_MASK
1033 | ID_MASK | IF_MASK | IOPL_MASK | VM_MASK | RF_MASK |
1035 cpu_x86_set_cpl(env, 3);
1037 cpu_x86_load_seg_cache(env, R_CS, selector | 3,
1039 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
1040 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
1041 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
1042 env->eip = (uint32_t)env->regs[R_ECX];
1043 cpu_x86_load_seg_cache(env, R_SS, selector + 8,
1045 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
1046 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
1047 DESC_W_MASK | DESC_A_MASK);
1048 env->eflags |= IF_MASK;
1049 cpu_x86_set_cpl(env, 3);
1054 /* real mode interrupt */
1055 static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
1056 int error_code, unsigned int next_eip)
1059 target_ulong ptr, ssp;
1061 uint32_t offset, esp;
1062 uint32_t old_cs, old_eip;
1064 /* real mode (simpler!) */
1066 if (intno * 4 + 3 > dt->limit) {
1067 raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
1069 ptr = dt->base + intno * 4;
1070 offset = cpu_lduw_kernel(env, ptr);
1071 selector = cpu_lduw_kernel(env, ptr + 2);
1073 ssp = env->segs[R_SS].base;
1079 old_cs = env->segs[R_CS].selector;
1080 /* XXX: use SS segment size? */
1081 PUSHW(ssp, esp, 0xffff, cpu_compute_eflags(env));
1082 PUSHW(ssp, esp, 0xffff, old_cs);
1083 PUSHW(ssp, esp, 0xffff, old_eip);
1085 /* update processor state */
1086 ESP = (ESP & ~0xffff) | (esp & 0xffff);
1088 env->segs[R_CS].selector = selector;
1089 env->segs[R_CS].base = (selector << 4);
1090 env->eflags &= ~(IF_MASK | TF_MASK | AC_MASK | RF_MASK);
1093 #if defined(CONFIG_USER_ONLY)
1094 /* fake user mode interrupt */
1095 static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
1096 int error_code, target_ulong next_eip)
1100 int dpl, cpl, shift;
1104 if (env->hflags & HF_LMA_MASK) {
1109 ptr = dt->base + (intno << shift);
1110 e2 = cpu_ldl_kernel(env, ptr + 4);
1112 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1113 cpl = env->hflags & HF_CPL_MASK;
1114 /* check privilege if software int */
1115 if (is_int && dpl < cpl) {
1116 raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
1119 /* Since we emulate only user space, we cannot do more than
1120 exiting the emulation with the suitable exception and error
1129 static void handle_even_inj(CPUX86State *env, int intno, int is_int,
1130 int error_code, int is_hw, int rm)
1132 uint32_t event_inj = ldl_phys(env->vm_vmcb + offsetof(struct vmcb,
1133 control.event_inj));
1135 if (!(event_inj & SVM_EVTINJ_VALID)) {
1139 type = SVM_EVTINJ_TYPE_SOFT;
1141 type = SVM_EVTINJ_TYPE_EXEPT;
1143 event_inj = intno | type | SVM_EVTINJ_VALID;
1144 if (!rm && exception_has_error_code(intno)) {
1145 event_inj |= SVM_EVTINJ_VALID_ERR;
1146 stl_phys(env->vm_vmcb + offsetof(struct vmcb,
1147 control.event_inj_err),
1150 stl_phys(env->vm_vmcb + offsetof(struct vmcb, control.event_inj),
1157 * Begin execution of an interruption. is_int is TRUE if coming from
1158 * the int instruction. next_eip is the EIP value AFTER the interrupt
1159 * instruction. It is only relevant if is_int is TRUE.
1161 static void do_interrupt_all(CPUX86State *env, int intno, int is_int,
1162 int error_code, target_ulong next_eip, int is_hw)
1164 if (qemu_loglevel_mask(CPU_LOG_INT)) {
1165 if ((env->cr[0] & CR0_PE_MASK)) {
1168 qemu_log("%6d: v=%02x e=%04x i=%d cpl=%d IP=%04x:" TARGET_FMT_lx
1169 " pc=" TARGET_FMT_lx " SP=%04x:" TARGET_FMT_lx,
1170 count, intno, error_code, is_int,
1171 env->hflags & HF_CPL_MASK,
1172 env->segs[R_CS].selector, EIP,
1173 (int)env->segs[R_CS].base + EIP,
1174 env->segs[R_SS].selector, ESP);
1175 if (intno == 0x0e) {
1176 qemu_log(" CR2=" TARGET_FMT_lx, env->cr[2]);
1178 qemu_log(" env->regs[R_EAX]=" TARGET_FMT_lx, env->regs[R_EAX]);
1181 log_cpu_state(env, CPU_DUMP_CCOP);
1188 ptr = env->segs[R_CS].base + env->eip;
1189 for (i = 0; i < 16; i++) {
1190 qemu_log(" %02x", ldub(ptr + i));
1198 if (env->cr[0] & CR0_PE_MASK) {
1199 #if !defined(CONFIG_USER_ONLY)
1200 if (env->hflags & HF_SVMI_MASK) {
1201 handle_even_inj(env, intno, is_int, error_code, is_hw, 0);
1204 #ifdef TARGET_X86_64
1205 if (env->hflags & HF_LMA_MASK) {
1206 do_interrupt64(env, intno, is_int, error_code, next_eip, is_hw);
1210 do_interrupt_protected(env, intno, is_int, error_code, next_eip,
1214 #if !defined(CONFIG_USER_ONLY)
1215 if (env->hflags & HF_SVMI_MASK) {
1216 handle_even_inj(env, intno, is_int, error_code, is_hw, 1);
1219 do_interrupt_real(env, intno, is_int, error_code, next_eip);
1222 #if !defined(CONFIG_USER_ONLY)
1223 if (env->hflags & HF_SVMI_MASK) {
1224 uint32_t event_inj = ldl_phys(env->vm_vmcb +
1225 offsetof(struct vmcb,
1226 control.event_inj));
1228 stl_phys(env->vm_vmcb + offsetof(struct vmcb, control.event_inj),
1229 event_inj & ~SVM_EVTINJ_VALID);
1234 void x86_cpu_do_interrupt(CPUState *cs)
1236 X86CPU *cpu = X86_CPU(cs);
1237 CPUX86State *env = &cpu->env;
1239 #if defined(CONFIG_USER_ONLY)
1240 /* if user mode only, we simulate a fake exception
1241 which will be handled outside the cpu execution
1243 do_interrupt_user(env, env->exception_index,
1244 env->exception_is_int,
1246 env->exception_next_eip);
1247 /* successfully delivered */
1248 env->old_exception = -1;
1250 /* simulate a real cpu exception. On i386, it can
1251 trigger new exceptions, but we do not handle
1252 double or triple faults yet. */
1253 do_interrupt_all(env, env->exception_index,
1254 env->exception_is_int,
1256 env->exception_next_eip, 0);
1257 /* successfully delivered */
1258 env->old_exception = -1;
1262 void do_interrupt_x86_hardirq(CPUX86State *env, int intno, int is_hw)
1264 do_interrupt_all(env, intno, 0, 0, 0, is_hw);
1267 void helper_enter_level(CPUX86State *env, int level, int data32,
1271 uint32_t esp_mask, esp, ebp;
1273 esp_mask = get_sp_mask(env->segs[R_SS].flags);
1274 ssp = env->segs[R_SS].base;
1283 cpu_stl_data(env, ssp + (esp & esp_mask),
1284 cpu_ldl_data(env, ssp + (ebp & esp_mask)));
1287 cpu_stl_data(env, ssp + (esp & esp_mask), t1);
1294 cpu_stw_data(env, ssp + (esp & esp_mask),
1295 cpu_lduw_data(env, ssp + (ebp & esp_mask)));
1298 cpu_stw_data(env, ssp + (esp & esp_mask), t1);
1302 #ifdef TARGET_X86_64
1303 void helper_enter64_level(CPUX86State *env, int level, int data64,
1306 target_ulong esp, ebp;
1317 cpu_stq_data(env, esp, cpu_ldq_data(env, ebp));
1320 cpu_stq_data(env, esp, t1);
1327 cpu_stw_data(env, esp, cpu_lduw_data(env, ebp));
1330 cpu_stw_data(env, esp, t1);
1335 void helper_lldt(CPUX86State *env, int selector)
1339 int index, entry_limit;
1343 if ((selector & 0xfffc) == 0) {
1344 /* XXX: NULL selector case: invalid LDT */
1348 if (selector & 0x4) {
1349 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1352 index = selector & ~7;
1353 #ifdef TARGET_X86_64
1354 if (env->hflags & HF_LMA_MASK) {
1361 if ((index + entry_limit) > dt->limit) {
1362 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1364 ptr = dt->base + index;
1365 e1 = cpu_ldl_kernel(env, ptr);
1366 e2 = cpu_ldl_kernel(env, ptr + 4);
1367 if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2) {
1368 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1370 if (!(e2 & DESC_P_MASK)) {
1371 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
1373 #ifdef TARGET_X86_64
1374 if (env->hflags & HF_LMA_MASK) {
1377 e3 = cpu_ldl_kernel(env, ptr + 8);
1378 load_seg_cache_raw_dt(&env->ldt, e1, e2);
1379 env->ldt.base |= (target_ulong)e3 << 32;
1383 load_seg_cache_raw_dt(&env->ldt, e1, e2);
1386 env->ldt.selector = selector;
1389 void helper_ltr(CPUX86State *env, int selector)
1393 int index, type, entry_limit;
1397 if ((selector & 0xfffc) == 0) {
1398 /* NULL selector case: invalid TR */
1403 if (selector & 0x4) {
1404 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1407 index = selector & ~7;
1408 #ifdef TARGET_X86_64
1409 if (env->hflags & HF_LMA_MASK) {
1416 if ((index + entry_limit) > dt->limit) {
1417 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1419 ptr = dt->base + index;
1420 e1 = cpu_ldl_kernel(env, ptr);
1421 e2 = cpu_ldl_kernel(env, ptr + 4);
1422 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1423 if ((e2 & DESC_S_MASK) ||
1424 (type != 1 && type != 9)) {
1425 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1427 if (!(e2 & DESC_P_MASK)) {
1428 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
1430 #ifdef TARGET_X86_64
1431 if (env->hflags & HF_LMA_MASK) {
1434 e3 = cpu_ldl_kernel(env, ptr + 8);
1435 e4 = cpu_ldl_kernel(env, ptr + 12);
1436 if ((e4 >> DESC_TYPE_SHIFT) & 0xf) {
1437 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1439 load_seg_cache_raw_dt(&env->tr, e1, e2);
1440 env->tr.base |= (target_ulong)e3 << 32;
1444 load_seg_cache_raw_dt(&env->tr, e1, e2);
1446 e2 |= DESC_TSS_BUSY_MASK;
1447 cpu_stl_kernel(env, ptr + 4, e2);
1449 env->tr.selector = selector;
1452 /* only works if protected mode and not VM86. seg_reg must be != R_CS */
1453 void helper_load_seg(CPUX86State *env, int seg_reg, int selector)
1462 cpl = env->hflags & HF_CPL_MASK;
1463 if ((selector & 0xfffc) == 0) {
1464 /* null selector case */
1466 #ifdef TARGET_X86_64
1467 && (!(env->hflags & HF_CS64_MASK) || cpl == 3)
1470 raise_exception_err(env, EXCP0D_GPF, 0);
1472 cpu_x86_load_seg_cache(env, seg_reg, selector, 0, 0, 0);
1475 if (selector & 0x4) {
1480 index = selector & ~7;
1481 if ((index + 7) > dt->limit) {
1482 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1484 ptr = dt->base + index;
1485 e1 = cpu_ldl_kernel(env, ptr);
1486 e2 = cpu_ldl_kernel(env, ptr + 4);
1488 if (!(e2 & DESC_S_MASK)) {
1489 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1492 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1493 if (seg_reg == R_SS) {
1494 /* must be writable segment */
1495 if ((e2 & DESC_CS_MASK) || !(e2 & DESC_W_MASK)) {
1496 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1498 if (rpl != cpl || dpl != cpl) {
1499 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1502 /* must be readable segment */
1503 if ((e2 & (DESC_CS_MASK | DESC_R_MASK)) == DESC_CS_MASK) {
1504 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1507 if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1508 /* if not conforming code, test rights */
1509 if (dpl < cpl || dpl < rpl) {
1510 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1515 if (!(e2 & DESC_P_MASK)) {
1516 if (seg_reg == R_SS) {
1517 raise_exception_err(env, EXCP0C_STACK, selector & 0xfffc);
1519 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
1523 /* set the access bit if not already set */
1524 if (!(e2 & DESC_A_MASK)) {
1526 cpu_stl_kernel(env, ptr + 4, e2);
1529 cpu_x86_load_seg_cache(env, seg_reg, selector,
1530 get_seg_base(e1, e2),
1531 get_seg_limit(e1, e2),
1534 qemu_log("load_seg: sel=0x%04x base=0x%08lx limit=0x%08lx flags=%08x\n",
1535 selector, (unsigned long)sc->base, sc->limit, sc->flags);
1540 /* protected mode jump */
1541 void helper_ljmp_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1542 int next_eip_addend)
1545 uint32_t e1, e2, cpl, dpl, rpl, limit;
1546 target_ulong next_eip;
1548 if ((new_cs & 0xfffc) == 0) {
1549 raise_exception_err(env, EXCP0D_GPF, 0);
1551 if (load_segment(env, &e1, &e2, new_cs) != 0) {
1552 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1554 cpl = env->hflags & HF_CPL_MASK;
1555 if (e2 & DESC_S_MASK) {
1556 if (!(e2 & DESC_CS_MASK)) {
1557 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1559 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1560 if (e2 & DESC_C_MASK) {
1561 /* conforming code segment */
1563 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1566 /* non conforming code segment */
1569 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1572 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1575 if (!(e2 & DESC_P_MASK)) {
1576 raise_exception_err(env, EXCP0B_NOSEG, new_cs & 0xfffc);
1578 limit = get_seg_limit(e1, e2);
1579 if (new_eip > limit &&
1580 !(env->hflags & HF_LMA_MASK) && !(e2 & DESC_L_MASK)) {
1581 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1583 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1584 get_seg_base(e1, e2), limit, e2);
1587 /* jump to call or task gate */
1588 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1590 cpl = env->hflags & HF_CPL_MASK;
1591 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
1593 case 1: /* 286 TSS */
1594 case 9: /* 386 TSS */
1595 case 5: /* task gate */
1596 if (dpl < cpl || dpl < rpl) {
1597 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1599 next_eip = env->eip + next_eip_addend;
1600 switch_tss(env, new_cs, e1, e2, SWITCH_TSS_JMP, next_eip);
1601 CC_OP = CC_OP_EFLAGS;
1603 case 4: /* 286 call gate */
1604 case 12: /* 386 call gate */
1605 if ((dpl < cpl) || (dpl < rpl)) {
1606 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1608 if (!(e2 & DESC_P_MASK)) {
1609 raise_exception_err(env, EXCP0B_NOSEG, new_cs & 0xfffc);
1612 new_eip = (e1 & 0xffff);
1614 new_eip |= (e2 & 0xffff0000);
1616 if (load_segment(env, &e1, &e2, gate_cs) != 0) {
1617 raise_exception_err(env, EXCP0D_GPF, gate_cs & 0xfffc);
1619 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1620 /* must be code segment */
1621 if (((e2 & (DESC_S_MASK | DESC_CS_MASK)) !=
1622 (DESC_S_MASK | DESC_CS_MASK))) {
1623 raise_exception_err(env, EXCP0D_GPF, gate_cs & 0xfffc);
1625 if (((e2 & DESC_C_MASK) && (dpl > cpl)) ||
1626 (!(e2 & DESC_C_MASK) && (dpl != cpl))) {
1627 raise_exception_err(env, EXCP0D_GPF, gate_cs & 0xfffc);
1629 if (!(e2 & DESC_P_MASK)) {
1630 raise_exception_err(env, EXCP0D_GPF, gate_cs & 0xfffc);
1632 limit = get_seg_limit(e1, e2);
1633 if (new_eip > limit) {
1634 raise_exception_err(env, EXCP0D_GPF, 0);
1636 cpu_x86_load_seg_cache(env, R_CS, (gate_cs & 0xfffc) | cpl,
1637 get_seg_base(e1, e2), limit, e2);
1641 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1647 /* real mode call */
1648 void helper_lcall_real(CPUX86State *env, int new_cs, target_ulong new_eip1,
1649 int shift, int next_eip)
1652 uint32_t esp, esp_mask;
1657 esp_mask = get_sp_mask(env->segs[R_SS].flags);
1658 ssp = env->segs[R_SS].base;
1660 PUSHL(ssp, esp, esp_mask, env->segs[R_CS].selector);
1661 PUSHL(ssp, esp, esp_mask, next_eip);
1663 PUSHW(ssp, esp, esp_mask, env->segs[R_CS].selector);
1664 PUSHW(ssp, esp, esp_mask, next_eip);
1667 SET_ESP(esp, esp_mask);
1669 env->segs[R_CS].selector = new_cs;
1670 env->segs[R_CS].base = (new_cs << 4);
1673 /* protected mode call */
1674 void helper_lcall_protected(CPUX86State *env, int new_cs, target_ulong new_eip,
1675 int shift, int next_eip_addend)
1678 uint32_t e1, e2, cpl, dpl, rpl, selector, offset, param_count;
1679 uint32_t ss = 0, ss_e1 = 0, ss_e2 = 0, sp, type, ss_dpl, sp_mask;
1680 uint32_t val, limit, old_sp_mask;
1681 target_ulong ssp, old_ssp, next_eip;
1683 next_eip = env->eip + next_eip_addend;
1684 LOG_PCALL("lcall %04x:%08x s=%d\n", new_cs, (uint32_t)new_eip, shift);
1685 LOG_PCALL_STATE(env);
1686 if ((new_cs & 0xfffc) == 0) {
1687 raise_exception_err(env, EXCP0D_GPF, 0);
1689 if (load_segment(env, &e1, &e2, new_cs) != 0) {
1690 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1692 cpl = env->hflags & HF_CPL_MASK;
1693 LOG_PCALL("desc=%08x:%08x\n", e1, e2);
1694 if (e2 & DESC_S_MASK) {
1695 if (!(e2 & DESC_CS_MASK)) {
1696 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1698 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1699 if (e2 & DESC_C_MASK) {
1700 /* conforming code segment */
1702 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1705 /* non conforming code segment */
1708 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1711 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1714 if (!(e2 & DESC_P_MASK)) {
1715 raise_exception_err(env, EXCP0B_NOSEG, new_cs & 0xfffc);
1718 #ifdef TARGET_X86_64
1719 /* XXX: check 16/32 bit cases in long mode */
1725 PUSHQ(rsp, env->segs[R_CS].selector);
1726 PUSHQ(rsp, next_eip);
1727 /* from this point, not restartable */
1729 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1730 get_seg_base(e1, e2),
1731 get_seg_limit(e1, e2), e2);
1737 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1738 ssp = env->segs[R_SS].base;
1740 PUSHL(ssp, sp, sp_mask, env->segs[R_CS].selector);
1741 PUSHL(ssp, sp, sp_mask, next_eip);
1743 PUSHW(ssp, sp, sp_mask, env->segs[R_CS].selector);
1744 PUSHW(ssp, sp, sp_mask, next_eip);
1747 limit = get_seg_limit(e1, e2);
1748 if (new_eip > limit) {
1749 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1751 /* from this point, not restartable */
1752 SET_ESP(sp, sp_mask);
1753 cpu_x86_load_seg_cache(env, R_CS, (new_cs & 0xfffc) | cpl,
1754 get_seg_base(e1, e2), limit, e2);
1758 /* check gate type */
1759 type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
1760 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1763 case 1: /* available 286 TSS */
1764 case 9: /* available 386 TSS */
1765 case 5: /* task gate */
1766 if (dpl < cpl || dpl < rpl) {
1767 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1769 switch_tss(env, new_cs, e1, e2, SWITCH_TSS_CALL, next_eip);
1770 CC_OP = CC_OP_EFLAGS;
1772 case 4: /* 286 call gate */
1773 case 12: /* 386 call gate */
1776 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1781 if (dpl < cpl || dpl < rpl) {
1782 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
1784 /* check valid bit */
1785 if (!(e2 & DESC_P_MASK)) {
1786 raise_exception_err(env, EXCP0B_NOSEG, new_cs & 0xfffc);
1788 selector = e1 >> 16;
1789 offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
1790 param_count = e2 & 0x1f;
1791 if ((selector & 0xfffc) == 0) {
1792 raise_exception_err(env, EXCP0D_GPF, 0);
1795 if (load_segment(env, &e1, &e2, selector) != 0) {
1796 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1798 if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK))) {
1799 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1801 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1803 raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
1805 if (!(e2 & DESC_P_MASK)) {
1806 raise_exception_err(env, EXCP0B_NOSEG, selector & 0xfffc);
1809 if (!(e2 & DESC_C_MASK) && dpl < cpl) {
1810 /* to inner privilege */
1811 get_ss_esp_from_tss(env, &ss, &sp, dpl);
1812 LOG_PCALL("new ss:esp=%04x:%08x param_count=%d ESP=" TARGET_FMT_lx
1814 ss, sp, param_count, ESP);
1815 if ((ss & 0xfffc) == 0) {
1816 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1818 if ((ss & 3) != dpl) {
1819 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1821 if (load_segment(env, &ss_e1, &ss_e2, ss) != 0) {
1822 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1824 ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
1825 if (ss_dpl != dpl) {
1826 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1828 if (!(ss_e2 & DESC_S_MASK) ||
1829 (ss_e2 & DESC_CS_MASK) ||
1830 !(ss_e2 & DESC_W_MASK)) {
1831 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1833 if (!(ss_e2 & DESC_P_MASK)) {
1834 raise_exception_err(env, EXCP0A_TSS, ss & 0xfffc);
1837 /* push_size = ((param_count * 2) + 8) << shift; */
1839 old_sp_mask = get_sp_mask(env->segs[R_SS].flags);
1840 old_ssp = env->segs[R_SS].base;
1842 sp_mask = get_sp_mask(ss_e2);
1843 ssp = get_seg_base(ss_e1, ss_e2);
1845 PUSHL(ssp, sp, sp_mask, env->segs[R_SS].selector);
1846 PUSHL(ssp, sp, sp_mask, ESP);
1847 for (i = param_count - 1; i >= 0; i--) {
1848 val = cpu_ldl_kernel(env, old_ssp + ((ESP + i * 4) &
1850 PUSHL(ssp, sp, sp_mask, val);
1853 PUSHW(ssp, sp, sp_mask, env->segs[R_SS].selector);
1854 PUSHW(ssp, sp, sp_mask, ESP);
1855 for (i = param_count - 1; i >= 0; i--) {
1856 val = cpu_lduw_kernel(env, old_ssp + ((ESP + i * 2) &
1858 PUSHW(ssp, sp, sp_mask, val);
1863 /* to same privilege */
1865 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1866 ssp = env->segs[R_SS].base;
1867 /* push_size = (4 << shift); */
1872 PUSHL(ssp, sp, sp_mask, env->segs[R_CS].selector);
1873 PUSHL(ssp, sp, sp_mask, next_eip);
1875 PUSHW(ssp, sp, sp_mask, env->segs[R_CS].selector);
1876 PUSHW(ssp, sp, sp_mask, next_eip);
1879 /* from this point, not restartable */
1882 ss = (ss & ~3) | dpl;
1883 cpu_x86_load_seg_cache(env, R_SS, ss,
1885 get_seg_limit(ss_e1, ss_e2),
1889 selector = (selector & ~3) | dpl;
1890 cpu_x86_load_seg_cache(env, R_CS, selector,
1891 get_seg_base(e1, e2),
1892 get_seg_limit(e1, e2),
1894 cpu_x86_set_cpl(env, dpl);
1895 SET_ESP(sp, sp_mask);
1900 /* real and vm86 mode iret */
1901 void helper_iret_real(CPUX86State *env, int shift)
1903 uint32_t sp, new_cs, new_eip, new_eflags, sp_mask;
1907 sp_mask = 0xffff; /* XXXX: use SS segment size? */
1909 ssp = env->segs[R_SS].base;
1912 POPL(ssp, sp, sp_mask, new_eip);
1913 POPL(ssp, sp, sp_mask, new_cs);
1915 POPL(ssp, sp, sp_mask, new_eflags);
1918 POPW(ssp, sp, sp_mask, new_eip);
1919 POPW(ssp, sp, sp_mask, new_cs);
1920 POPW(ssp, sp, sp_mask, new_eflags);
1922 ESP = (ESP & ~sp_mask) | (sp & sp_mask);
1923 env->segs[R_CS].selector = new_cs;
1924 env->segs[R_CS].base = (new_cs << 4);
1926 if (env->eflags & VM_MASK) {
1927 eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | RF_MASK |
1930 eflags_mask = TF_MASK | AC_MASK | ID_MASK | IF_MASK | IOPL_MASK |
1934 eflags_mask &= 0xffff;
1936 cpu_load_eflags(env, new_eflags, eflags_mask);
1937 env->hflags2 &= ~HF2_NMI_MASK;
1940 static inline void validate_seg(CPUX86State *env, int seg_reg, int cpl)
1945 /* XXX: on x86_64, we do not want to nullify FS and GS because
1946 they may still contain a valid base. I would be interested to
1947 know how a real x86_64 CPU behaves */
1948 if ((seg_reg == R_FS || seg_reg == R_GS) &&
1949 (env->segs[seg_reg].selector & 0xfffc) == 0) {
1953 e2 = env->segs[seg_reg].flags;
1954 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
1955 if (!(e2 & DESC_CS_MASK) || !(e2 & DESC_C_MASK)) {
1956 /* data or non conforming code segment */
1958 cpu_x86_load_seg_cache(env, seg_reg, 0, 0, 0, 0);
1963 /* protected mode iret */
1964 static inline void helper_ret_protected(CPUX86State *env, int shift,
1965 int is_iret, int addend)
1967 uint32_t new_cs, new_eflags, new_ss;
1968 uint32_t new_es, new_ds, new_fs, new_gs;
1969 uint32_t e1, e2, ss_e1, ss_e2;
1970 int cpl, dpl, rpl, eflags_mask, iopl;
1971 target_ulong ssp, sp, new_eip, new_esp, sp_mask;
1973 #ifdef TARGET_X86_64
1979 sp_mask = get_sp_mask(env->segs[R_SS].flags);
1982 ssp = env->segs[R_SS].base;
1983 new_eflags = 0; /* avoid warning */
1984 #ifdef TARGET_X86_64
1990 POPQ(sp, new_eflags);
1997 POPL(ssp, sp, sp_mask, new_eip);
1998 POPL(ssp, sp, sp_mask, new_cs);
2001 POPL(ssp, sp, sp_mask, new_eflags);
2002 if (new_eflags & VM_MASK) {
2003 goto return_to_vm86;
2008 POPW(ssp, sp, sp_mask, new_eip);
2009 POPW(ssp, sp, sp_mask, new_cs);
2011 POPW(ssp, sp, sp_mask, new_eflags);
2015 LOG_PCALL("lret new %04x:" TARGET_FMT_lx " s=%d addend=0x%x\n",
2016 new_cs, new_eip, shift, addend);
2017 LOG_PCALL_STATE(env);
2018 if ((new_cs & 0xfffc) == 0) {
2019 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2021 if (load_segment(env, &e1, &e2, new_cs) != 0) {
2022 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2024 if (!(e2 & DESC_S_MASK) ||
2025 !(e2 & DESC_CS_MASK)) {
2026 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2028 cpl = env->hflags & HF_CPL_MASK;
2031 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2033 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2034 if (e2 & DESC_C_MASK) {
2036 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2040 raise_exception_err(env, EXCP0D_GPF, new_cs & 0xfffc);
2043 if (!(e2 & DESC_P_MASK)) {
2044 raise_exception_err(env, EXCP0B_NOSEG, new_cs & 0xfffc);
2048 if (rpl == cpl && (!(env->hflags & HF_CS64_MASK) ||
2049 ((env->hflags & HF_CS64_MASK) && !is_iret))) {
2050 /* return to same privilege level */
2051 cpu_x86_load_seg_cache(env, R_CS, new_cs,
2052 get_seg_base(e1, e2),
2053 get_seg_limit(e1, e2),
2056 /* return to different privilege level */
2057 #ifdef TARGET_X86_64
2067 POPL(ssp, sp, sp_mask, new_esp);
2068 POPL(ssp, sp, sp_mask, new_ss);
2072 POPW(ssp, sp, sp_mask, new_esp);
2073 POPW(ssp, sp, sp_mask, new_ss);
2076 LOG_PCALL("new ss:esp=%04x:" TARGET_FMT_lx "\n",
2078 if ((new_ss & 0xfffc) == 0) {
2079 #ifdef TARGET_X86_64
2080 /* NULL ss is allowed in long mode if cpl != 3 */
2081 /* XXX: test CS64? */
2082 if ((env->hflags & HF_LMA_MASK) && rpl != 3) {
2083 cpu_x86_load_seg_cache(env, R_SS, new_ss,
2085 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2086 DESC_S_MASK | (rpl << DESC_DPL_SHIFT) |
2087 DESC_W_MASK | DESC_A_MASK);
2088 ss_e2 = DESC_B_MASK; /* XXX: should not be needed? */
2092 raise_exception_err(env, EXCP0D_GPF, 0);
2095 if ((new_ss & 3) != rpl) {
2096 raise_exception_err(env, EXCP0D_GPF, new_ss & 0xfffc);
2098 if (load_segment(env, &ss_e1, &ss_e2, new_ss) != 0) {
2099 raise_exception_err(env, EXCP0D_GPF, new_ss & 0xfffc);
2101 if (!(ss_e2 & DESC_S_MASK) ||
2102 (ss_e2 & DESC_CS_MASK) ||
2103 !(ss_e2 & DESC_W_MASK)) {
2104 raise_exception_err(env, EXCP0D_GPF, new_ss & 0xfffc);
2106 dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
2108 raise_exception_err(env, EXCP0D_GPF, new_ss & 0xfffc);
2110 if (!(ss_e2 & DESC_P_MASK)) {
2111 raise_exception_err(env, EXCP0B_NOSEG, new_ss & 0xfffc);
2113 cpu_x86_load_seg_cache(env, R_SS, new_ss,
2114 get_seg_base(ss_e1, ss_e2),
2115 get_seg_limit(ss_e1, ss_e2),
2119 cpu_x86_load_seg_cache(env, R_CS, new_cs,
2120 get_seg_base(e1, e2),
2121 get_seg_limit(e1, e2),
2123 cpu_x86_set_cpl(env, rpl);
2125 #ifdef TARGET_X86_64
2126 if (env->hflags & HF_CS64_MASK) {
2131 sp_mask = get_sp_mask(ss_e2);
2134 /* validate data segments */
2135 validate_seg(env, R_ES, rpl);
2136 validate_seg(env, R_DS, rpl);
2137 validate_seg(env, R_FS, rpl);
2138 validate_seg(env, R_GS, rpl);
2142 SET_ESP(sp, sp_mask);
2145 /* NOTE: 'cpl' is the _old_ CPL */
2146 eflags_mask = TF_MASK | AC_MASK | ID_MASK | RF_MASK | NT_MASK;
2148 eflags_mask |= IOPL_MASK;
2150 iopl = (env->eflags >> IOPL_SHIFT) & 3;
2152 eflags_mask |= IF_MASK;
2155 eflags_mask &= 0xffff;
2157 cpu_load_eflags(env, new_eflags, eflags_mask);
2162 POPL(ssp, sp, sp_mask, new_esp);
2163 POPL(ssp, sp, sp_mask, new_ss);
2164 POPL(ssp, sp, sp_mask, new_es);
2165 POPL(ssp, sp, sp_mask, new_ds);
2166 POPL(ssp, sp, sp_mask, new_fs);
2167 POPL(ssp, sp, sp_mask, new_gs);
2169 /* modify processor state */
2170 cpu_load_eflags(env, new_eflags, TF_MASK | AC_MASK | ID_MASK |
2171 IF_MASK | IOPL_MASK | VM_MASK | NT_MASK | VIF_MASK |
2173 load_seg_vm(env, R_CS, new_cs & 0xffff);
2174 cpu_x86_set_cpl(env, 3);
2175 load_seg_vm(env, R_SS, new_ss & 0xffff);
2176 load_seg_vm(env, R_ES, new_es & 0xffff);
2177 load_seg_vm(env, R_DS, new_ds & 0xffff);
2178 load_seg_vm(env, R_FS, new_fs & 0xffff);
2179 load_seg_vm(env, R_GS, new_gs & 0xffff);
2181 env->eip = new_eip & 0xffff;
2185 void helper_iret_protected(CPUX86State *env, int shift, int next_eip)
2187 int tss_selector, type;
2190 /* specific case for TSS */
2191 if (env->eflags & NT_MASK) {
2192 #ifdef TARGET_X86_64
2193 if (env->hflags & HF_LMA_MASK) {
2194 raise_exception_err(env, EXCP0D_GPF, 0);
2197 tss_selector = cpu_lduw_kernel(env, env->tr.base + 0);
2198 if (tss_selector & 4) {
2199 raise_exception_err(env, EXCP0A_TSS, tss_selector & 0xfffc);
2201 if (load_segment(env, &e1, &e2, tss_selector) != 0) {
2202 raise_exception_err(env, EXCP0A_TSS, tss_selector & 0xfffc);
2204 type = (e2 >> DESC_TYPE_SHIFT) & 0x17;
2205 /* NOTE: we check both segment and busy TSS */
2207 raise_exception_err(env, EXCP0A_TSS, tss_selector & 0xfffc);
2209 switch_tss(env, tss_selector, e1, e2, SWITCH_TSS_IRET, next_eip);
2211 helper_ret_protected(env, shift, 1, 0);
2213 env->hflags2 &= ~HF2_NMI_MASK;
2216 void helper_lret_protected(CPUX86State *env, int shift, int addend)
2218 helper_ret_protected(env, shift, 0, addend);
2221 void helper_sysenter(CPUX86State *env)
2223 if (env->sysenter_cs == 0) {
2224 raise_exception_err(env, EXCP0D_GPF, 0);
2226 env->eflags &= ~(VM_MASK | IF_MASK | RF_MASK);
2227 cpu_x86_set_cpl(env, 0);
2229 #ifdef TARGET_X86_64
2230 if (env->hflags & HF_LMA_MASK) {
2231 cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2233 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2235 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2240 cpu_x86_load_seg_cache(env, R_CS, env->sysenter_cs & 0xfffc,
2242 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2244 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2246 cpu_x86_load_seg_cache(env, R_SS, (env->sysenter_cs + 8) & 0xfffc,
2248 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2250 DESC_W_MASK | DESC_A_MASK);
2251 ESP = env->sysenter_esp;
2252 EIP = env->sysenter_eip;
2255 void helper_sysexit(CPUX86State *env, int dflag)
2259 cpl = env->hflags & HF_CPL_MASK;
2260 if (env->sysenter_cs == 0 || cpl != 0) {
2261 raise_exception_err(env, EXCP0D_GPF, 0);
2263 cpu_x86_set_cpl(env, 3);
2264 #ifdef TARGET_X86_64
2266 cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 32) & 0xfffc) |
2268 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2269 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2270 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK |
2272 cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 40) & 0xfffc) |
2274 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2275 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2276 DESC_W_MASK | DESC_A_MASK);
2280 cpu_x86_load_seg_cache(env, R_CS, ((env->sysenter_cs + 16) & 0xfffc) |
2282 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2283 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2284 DESC_CS_MASK | DESC_R_MASK | DESC_A_MASK);
2285 cpu_x86_load_seg_cache(env, R_SS, ((env->sysenter_cs + 24) & 0xfffc) |
2287 DESC_G_MASK | DESC_B_MASK | DESC_P_MASK |
2288 DESC_S_MASK | (3 << DESC_DPL_SHIFT) |
2289 DESC_W_MASK | DESC_A_MASK);
2291 ESP = env->regs[R_ECX];
2292 EIP = env->regs[R_EDX];
2295 target_ulong helper_lsl(CPUX86State *env, target_ulong selector1)
2298 uint32_t e1, e2, eflags, selector;
2299 int rpl, dpl, cpl, type;
2301 selector = selector1 & 0xffff;
2302 eflags = cpu_cc_compute_all(env, CC_OP);
2303 if ((selector & 0xfffc) == 0) {
2306 if (load_segment(env, &e1, &e2, selector) != 0) {
2310 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2311 cpl = env->hflags & HF_CPL_MASK;
2312 if (e2 & DESC_S_MASK) {
2313 if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2316 if (dpl < cpl || dpl < rpl) {
2321 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2332 if (dpl < cpl || dpl < rpl) {
2334 CC_SRC = eflags & ~CC_Z;
2338 limit = get_seg_limit(e1, e2);
2339 CC_SRC = eflags | CC_Z;
2343 target_ulong helper_lar(CPUX86State *env, target_ulong selector1)
2345 uint32_t e1, e2, eflags, selector;
2346 int rpl, dpl, cpl, type;
2348 selector = selector1 & 0xffff;
2349 eflags = cpu_cc_compute_all(env, CC_OP);
2350 if ((selector & 0xfffc) == 0) {
2353 if (load_segment(env, &e1, &e2, selector) != 0) {
2357 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2358 cpl = env->hflags & HF_CPL_MASK;
2359 if (e2 & DESC_S_MASK) {
2360 if ((e2 & DESC_CS_MASK) && (e2 & DESC_C_MASK)) {
2363 if (dpl < cpl || dpl < rpl) {
2368 type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
2382 if (dpl < cpl || dpl < rpl) {
2384 CC_SRC = eflags & ~CC_Z;
2388 CC_SRC = eflags | CC_Z;
2389 return e2 & 0x00f0ff00;
2392 void helper_verr(CPUX86State *env, target_ulong selector1)
2394 uint32_t e1, e2, eflags, selector;
2397 selector = selector1 & 0xffff;
2398 eflags = cpu_cc_compute_all(env, CC_OP);
2399 if ((selector & 0xfffc) == 0) {
2402 if (load_segment(env, &e1, &e2, selector) != 0) {
2405 if (!(e2 & DESC_S_MASK)) {
2409 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2410 cpl = env->hflags & HF_CPL_MASK;
2411 if (e2 & DESC_CS_MASK) {
2412 if (!(e2 & DESC_R_MASK)) {
2415 if (!(e2 & DESC_C_MASK)) {
2416 if (dpl < cpl || dpl < rpl) {
2421 if (dpl < cpl || dpl < rpl) {
2423 CC_SRC = eflags & ~CC_Z;
2427 CC_SRC = eflags | CC_Z;
2430 void helper_verw(CPUX86State *env, target_ulong selector1)
2432 uint32_t e1, e2, eflags, selector;
2435 selector = selector1 & 0xffff;
2436 eflags = cpu_cc_compute_all(env, CC_OP);
2437 if ((selector & 0xfffc) == 0) {
2440 if (load_segment(env, &e1, &e2, selector) != 0) {
2443 if (!(e2 & DESC_S_MASK)) {
2447 dpl = (e2 >> DESC_DPL_SHIFT) & 3;
2448 cpl = env->hflags & HF_CPL_MASK;
2449 if (e2 & DESC_CS_MASK) {
2452 if (dpl < cpl || dpl < rpl) {
2455 if (!(e2 & DESC_W_MASK)) {
2457 CC_SRC = eflags & ~CC_Z;
2461 CC_SRC = eflags | CC_Z;
2464 #if defined(CONFIG_USER_ONLY)
2465 void cpu_x86_load_seg(CPUX86State *env, int seg_reg, int selector)
2467 if (!(env->cr[0] & CR0_PE_MASK) || (env->eflags & VM_MASK)) {
2469 cpu_x86_load_seg_cache(env, seg_reg, selector,
2470 (selector << 4), 0xffff, 0);
2472 helper_load_seg(env, seg_reg, selector);
projects / qemu.git / blob