Changeset 105072 in vbox for trunk/src/VBox/VMM/VMMAll

Timestamp:

Jun 28, 2024 12:03:20 PM (7 months ago)

Author:

vboxsync

Message:

VMM/IEM,DBGF,bs3-cpu-weird-1: Early data breakpoint support, mostly untested except for the ring transition tests in bs3-cpu-weird-1. bugref:10715

Location:

trunk/src/VBox/VMM/VMMAll

Files:

• DBGFAll.cpp (modified) (4 diffs)
• IEMAll.cpp (modified) (14 diffs)
• IEMAllCImpl.cpp (modified) (1 diff)
• IEMAllInstOneByte.cpp.h (modified) (1 diff)
• IEMAllThrdFuncsBltIn.cpp (modified) (1 diff)

trunk/src/VBox/VMM/VMMAll/DBGFAll.cpp

@@ -52 +52 @@
 AssertCompileMembersSameSizeAndOffset(VM, dbgf.s.cSelectedEvents,       VM, dbgf.ro.cSelectedEvents);
 
-
 #if !defined(VBOX_VMM_TARGET_ARMV8)
+
+
 /**
  * Gets the hardware breakpoint configuration as DR7.
@@ -184 +185 @@
  * @param   pVCpu       The cross context virtual CPU structure of the calling EMT.
  * @param   GCPtrPC     The unsegmented PC address.
- */
-VMM_INT_DECL(VBOXSTRICTRC)  DBGFBpCheckInstruction(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrPC)
+ * @param   fCheckGuest Whether to include guest breakpoints or not.
+ */
+VMM_INT_DECL(VBOXSTRICTRC)  DBGFBpCheckInstruction(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrPC, bool fCheckGuest)
 {
     CPUM_ASSERT_NOT_EXTRN(pVCpu, CPUMCTX_EXTRN_DR7);
@@ -218 +220 @@
      * Check the guest.
      */
+    if (fCheckGuest)
+    {
+        uint32_t const fDr7 = (uint32_t)pVCpu->cpum.GstCtx.dr[7];
+        if (X86_DR7_ANY_EO_ENABLED(fDr7) && !pVCpu->cpum.GstCtx.eflags.Bits.u1RF)
+        {
+            /*
+             * The CPU (10980XE & 6700K at least) will set the DR6.BPx bits for any
+             * DRx that matches the current PC and is configured as an execution
+             * breakpoint (RWx=EO, LENx=1byte).  They don't have to be enabled,
+             * however one that is enabled must match for the #DB to be raised and
+             * DR6 to be modified, of course.
+             */
+            CPUM_IMPORT_EXTRN_RET(pVCpu, CPUMCTX_EXTRN_DR0_DR3);
+            uint32_t fMatched = 0;
+            uint32_t fEnabled = 0;
+            for (unsigned iBp = 0, uBpMask = 1; iBp < 4; iBp++, uBpMask <<= 1)
+                if (X86_DR7_IS_EO_CFG(fDr7, iBp))
+                {
+                    if (fDr7 & X86_DR7_L_G(iBp))
+                        fEnabled |= uBpMask;
+                    if (pVCpu->cpum.GstCtx.dr[iBp] == GCPtrPC)
+                        fMatched |= uBpMask;
+                }
+            if (!(fEnabled & fMatched))
+            { /*likely*/ }
+            else
+            {
+                /*
+                 * Update DR6 and DR7.
+                 *
+                 * See "AMD64 Architecture Programmer's Manual Volume 2", chapter
+                 * 13.1.1.3 for details on DR6 bits.  The basics is that the B0..B3
+                 * bits are always cleared while the others must be cleared by software.
+                 *
+                 * The following sub chapters says the GD bit is always cleared when
+                 * generating a #DB so the handler can safely access the debug registers.
+                 */
+                CPUM_IMPORT_EXTRN_RET(pVCpu, CPUMCTX_EXTRN_DR6);
+                pVCpu->cpum.GstCtx.dr[6] &= ~X86_DR6_B_MASK;
+                if (pVM->cpum.ro.GuestFeatures.enmCpuVendor != CPUMCPUVENDOR_INTEL)
+                    pVCpu->cpum.GstCtx.dr[6] |= fMatched & fEnabled;
+                else
+                    pVCpu->cpum.GstCtx.dr[6] |= fMatched;    /* Intel: All matched, regardless of whether they're enabled or not  */
+                pVCpu->cpum.GstCtx.dr[7] &= ~X86_DR7_GD;
+                LogFlow(("DBGFBpCheckInstruction: hit hw breakpoints %#x at %04x:%RGv (%RGv)\n",
+                         fMatched, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip, GCPtrPC));
+                return VINF_EM_RAW_GUEST_TRAP;
+            }
+        }
+    }
+    return VINF_SUCCESS;
+}
+
+
+/**
+ * Common worker for DBGFBpCheckDataRead and DBGFBpCheckDataWrite.
+ */
+template<bool const a_fRead>
+DECL_FORCE_INLINE(uint32_t) dbgfBpCheckData(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrAccess, uint32_t cbAccess, bool fSysAccess)
+{
+    AssertCompile((X86_DR7_RW_RW & 1) && (X86_DR7_RW_WO & 1));
+    CPUM_ASSERT_NOT_EXTRN(pVCpu, CPUMCTX_EXTRN_DR7);
+
+    uint32_t      fRet           = 0;
+    RTGCPTR const GCPtrAccessPfn = GCPtrAccess >> GUEST_PAGE_SHIFT;
+    Assert(((GCPtrAccess + cbAccess - 1) >> GUEST_PAGE_SHIFT) == GCPtrAccessPfn); /* No page crossing expected here! */
+
+    /*
+     * Check hyper breakpoints first as the VMM debugger has priority over
+     * the guest.
+     */
+    if (pVM->dbgf.s.cEnabledHwBreakpoints > 0)
+        for (unsigned iBp = 0; iBp < RT_ELEMENTS(pVM->dbgf.s.aHwBreakpoints); iBp++)
+        {
+            if (   (pVM->dbgf.s.aHwBreakpoints[iBp].GCPtr >> GUEST_PAGE_SHIFT) != GCPtrAccessPfn
+                || (  a_fRead
+                    ? pVM->dbgf.s.aHwBreakpoints[iBp].fType != X86_DR7_RW_RW
+                    : !(pVM->dbgf.s.aHwBreakpoints[iBp].fType & 1))
+                || pVM->dbgf.s.aHwBreakpoints[iBp].cb    != 0
+                || !pVM->dbgf.s.aHwBreakpoints[iBp].fEnabled
+                || pVM->dbgf.s.aHwBreakpoints[iBp].hBp   == NIL_DBGFBP)
+            { /*likely*/ }
+            else
+            {
+                /* The page is of interest. */
+                AssertCompile(!((CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_DBG_DBGF_MASK) & UINT32_C(1)));
+                fRet |= UINT32_C(1);
+
+                /* If the access overlapping the breakpoint area, we have a hit. */
+                if (   GCPtrAccess            < pVM->dbgf.s.aHwBreakpoints[iBp].GCPtr + pVM->dbgf.s.aHwBreakpoints[iBp].cb
+                    && GCPtrAccess + cbAccess > pVM->dbgf.s.aHwBreakpoints[iBp].GCPtr)
+                {
+                    pVCpu->dbgf.s.hBpActive          = pVM->dbgf.s.aHwBreakpoints[iBp].hBp; /* ? */
+                    pVCpu->dbgf.s.fSingleSteppingRaw = false;
+                    LogFlow(("DBGFBpCheckData%s: hit hw breakpoint %u when accessing %RGv LB %#x\n",
+                             a_fRead ? "Read" : "Write", iBp, GCPtrAccess, cbAccess));
+                    fRet |= CPUMCTX_DBG_DBGF_BP;
+                }
+            }
+        }
+
+    /*
+     * Check the guest.
+     */
     uint32_t const fDr7 = (uint32_t)pVCpu->cpum.GstCtx.dr[7];
-    if (X86_DR7_ANY_EO_ENABLED(fDr7) && !pVCpu->cpum.GstCtx.eflags.Bits.u1RF)
+    if (    (a_fRead ? X86_DR7_ANY_RW_ENABLED(fDr7) : X86_DR7_ANY_W_ENABLED(fDr7))
+        && !pVCpu->cpum.GstCtx.eflags.Bits.u1RF)
     {
-        /*
-         * The CPU (10980XE & 6700K at least) will set the DR6.BPx bits for any
-         * DRx that matches the current PC and is configured as an execution
-         * breakpoint (RWx=EO, LENx=1byte).  They don't have to be enabled,
-         * however one that is enabled must match for the #DB to be raised and
-         * DR6 to be modified, of course.
-         */
-        CPUM_IMPORT_EXTRN_RET(pVCpu, CPUMCTX_EXTRN_DR0_DR3);
+        /* This is a bit suboptimal... Need a NORET variant. */
+        int rcIgn = VINF_SUCCESS;
+        CPUM_IMPORT_EXTRN_RCSTRICT(pVCpu, CPUMCTX_EXTRN_DR0_DR3, rcIgn);
+        RT_NOREF(rcIgn);
+
+        /** @todo Not sure what exactly intel and amd CPUs does here wrt disabled
+         *        breakpoint configurations.  We need a testcase for this.  Following
+         *        the guidelines of the execution breakpoints for now and making
+         *        intel CPUs set status flags regardless of enabled or not. */
         uint32_t fMatched = 0;
         uint32_t fEnabled = 0;
-        for (unsigned iBp = 0, uBpMask = 1; iBp < 4; iBp++, uBpMask <<= 1)
-            if (X86_DR7_IS_EO_CFG(fDr7, iBp))
-            {
-                if (fDr7 & X86_DR7_L_G(iBp))
-                    fEnabled |= uBpMask;
-                if (pVCpu->cpum.GstCtx.dr[iBp] == GCPtrPC)
-                    fMatched |= uBpMask;
+        for (uint32_t iBp = 0, fBpMask = CPUMCTX_DBG_HIT_DR0, fDr7Cfg = fDr7 >> 16, fDr7En = fDr7;
+             iBp < 4;
+             iBp++, fBpMask <<= 1, fDr7Cfg >>= 4, fDr7En >>= 2)
+            if (   (a_fRead ? (fDr7Cfg & 3) == X86_DR7_RW_RW : (fDr7Cfg & 1) != 0)
+                && (pVCpu->cpum.GstCtx.dr[iBp] >> GUEST_PAGE_SHIFT) == GCPtrAccessPfn)
+            {
+                if (fDr7En & 3)
+                {
+                    fEnabled |= fBpMask;
+                    fRet     |= UINT32_C(1);
+                }
+                static uint8_t const s_acbBp[] = { 1, 2, 8, 4 };
+                uint8_t const        cbBp      = s_acbBp[(fDr7Cfg >> 2) & 3];
+                if (   GCPtrAccess            < pVCpu->cpum.GstCtx.dr[iBp] + cbBp
+                    && GCPtrAccess + cbAccess > pVCpu->cpum.GstCtx.dr[iBp])
+                    fMatched |= fBpMask;
             }
         if (!(fEnabled & fMatched))
         { /*likely*/ }
-        else if (fEnabled & fMatched)
-        {
-            /*
-             * Update DR6 and DR7.
-             *
-             * See "AMD64 Architecture Programmer's Manual Volume 2", chapter
-             * 13.1.1.3 for details on DR6 bits.  The basics is that the B0..B3
-             * bits are always cleared while the others must be cleared by software.
-             *
-             * The following sub chapters says the GD bit is always cleared when
-             * generating a #DB so the handler can safely access the debug registers.
-             */
-            CPUM_IMPORT_EXTRN_RET(pVCpu, CPUMCTX_EXTRN_DR6);
-            pVCpu->cpum.GstCtx.dr[6] &= ~X86_DR6_B_MASK;
+        else
+        {
             if (pVM->cpum.ro.GuestFeatures.enmCpuVendor != CPUMCPUVENDOR_INTEL)
-                pVCpu->cpum.GstCtx.dr[6] |= fMatched & fEnabled;
+                fRet |= fMatched & fEnabled;
+            else if (!fSysAccess)
+                fRet |= fMatched;
             else
-                pVCpu->cpum.GstCtx.dr[6] |= fMatched;    /* Intel: All matched, regardless of whether they're enabled or not  */
-            pVCpu->cpum.GstCtx.dr[7] &= ~X86_DR7_GD;
-            LogFlow(("DBGFBpCheckInstruction: hit hw breakpoints %#x at %04x:%RGv (%RGv)\n",
-                     fMatched, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip, GCPtrPC));
-            return VINF_EM_RAW_GUEST_TRAP;
+                fRet |= CPUMCTX_DBG_HIT_DRX_SILENT; /* see bs3-cpu-weird-1 for special intel behviour  */
+            LogFlow(("DBGFBpCheckData%s: hit hw breakpoints %#x (fRet=%#x) when accessing %RGv LB %#x\n",
+                     a_fRead ? "Read" : "Write", fMatched, fRet, GCPtrAccess, cbAccess));
         }
     }
-    return VINF_SUCCESS;
+
+    return fRet;
+}
+
+
+/**
+ * Checks read data access for guest or hypervisor hardware breakpoints.
+ *
+ * @returns Anything in CPUMCTX_DBG_HIT_DRX_MASK and CPUMCTX_DBG_DBGF_MASK if
+ *          there is a hit, zero or one if no hit.  Bit 0 is set if the page
+ *          being accessed has a data breakpoint associated with it and needs
+ *          special handling.
+ *
+ * @param   pVM         The cross context VM structure.
+ * @param   pVCpu       The cross context virtual CPU structure of the calling EMT.
+ * @param   GCPtrAccess The address being accessed.
+ * @param   cbAccess    The size of the access.  Must not cross a page
+ *                      boundrary.
+ * @param   fSysAccess  Set if a system access, like GDT, LDT or IDT.
+ */
+VMM_INT_DECL(uint32_t) DBGFBpCheckDataRead(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrAccess, uint32_t cbAccess, bool fSysAccess)
+{
+    return dbgfBpCheckData<true /*a_fRead*/>(pVM, pVCpu, GCPtrAccess, cbAccess, fSysAccess);
+}
+
+
+/**
+ * Checks read data access for guest or hypervisor hardware breakpoints.
+ *
+ * @returns Anything in CPUMCTX_DBG_DBGF_MASK if there is a hit, zero or one if
+ *          no hit.  Bit 0 is set if the page being accessed has a data
+ *          breakpoint associated with it and needs special handling.
+ *
+ * @param   pVM         The cross context VM structure.
+ * @param   pVCpu       The cross context virtual CPU structure of the calling EMT.
+ * @param   GCPtrAccess The address being accessed.
+ * @param   cbAccess    The size of the access.  Must not cross a page
+ *                      boundrary.
+ * @param   fSysAccess  Set if a system access, like GDT, LDT or IDT.
+ */
+VMM_INT_DECL(uint32_t) DBGFBpCheckDataWrite(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrAccess, uint32_t cbAccess, bool fSysAccess)
+{
+    return dbgfBpCheckData<false /*a_fRead*/>(pVM, pVCpu, GCPtrAccess, cbAccess, fSysAccess);
 }
 
@@ -445 +592 @@
     return 0;
 }
-#endif /* VBOX_VMM_TARGET_ARMV8 */
-
+
+#endif /* !VBOX_VMM_TARGET_ARMV8 */
 
 /**

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -199 +199 @@
  * path.
  *
+ * This will also invalidate TLB entries for any pages with active data
+ * breakpoints on them.
+ *
  * @returns IEM_F_BRK_PENDING_XXX or zero.
  * @param   pVCpu               The cross context virtual CPU structure of the
@@ -210 +213 @@
 
     /*
+     * Helper for invalidate the data TLB for breakpoint addresses.
+     *
+     * This is to make sure any access to the page will always trigger a TLB
+     * load for as long as the breakpoint is enabled.
+     */
+#ifdef IEM_WITH_DATA_TLB
+# define INVALID_TLB_ENTRY_FOR_BP(a_uValue) do { \
+        RTGCPTR uTagNoRev = (a_uValue); \
+        uTagNoRev = IEMTLB_CALC_TAG_NO_REV(uTagNoRev); \
+        uintptr_t const idxEven = IEMTLB_TAG_TO_EVEN_INDEX(uTagNoRev); \
+        if (pVCpu->iem.s.DataTlb.aEntries[idxEven].uTag == (uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevision)) \
+            pVCpu->iem.s.DataTlb.aEntries[idxEven].uTag = 0; \
+        if (pVCpu->iem.s.DataTlb.aEntries[idxEven + 1].uTag == (uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevisionGlobal)) \
+            pVCpu->iem.s.DataTlb.aEntries[idxEven + 1].uTag = 0; \
+    } while (0)
+#else
+# define INVALID_TLB_ENTRY_FOR_BP(a_uValue) do { } while (0)
+#endif
+
+    /*
      * Process guest breakpoints.
      */
-#define PROCESS_ONE_BP(a_fDr7, a_iBp) do { \
+#define PROCESS_ONE_BP(a_fDr7, a_iBp, a_uValue) do { \
         if (a_fDr7 & X86_DR7_L_G(a_iBp)) \
         { \
@@ -223 +246 @@
                 case X86_DR7_RW_RW: \
                     fExec |= IEM_F_PENDING_BRK_DATA; \
+                    INVALID_TLB_ENTRY_FOR_BP(a_uValue); \
                     break; \
                 case X86_DR7_RW_IO: \
@@ -234 +258 @@
     if (fGstDr7 & X86_DR7_ENABLED_MASK)
     {
-        PROCESS_ONE_BP(fGstDr7, 0);
-        PROCESS_ONE_BP(fGstDr7, 1);
-        PROCESS_ONE_BP(fGstDr7, 2);
-        PROCESS_ONE_BP(fGstDr7, 3);
+/** @todo extract more details here to simplify matching later. */
+#ifdef IEM_WITH_DATA_TLB
+        IEM_CTX_IMPORT_NORET(pVCpu, CPUMCTX_EXTRN_DR0_DR3);
+#endif
+        PROCESS_ONE_BP(fGstDr7, 0, pVCpu->cpum.GstCtx.dr[0]);
+        PROCESS_ONE_BP(fGstDr7, 1, pVCpu->cpum.GstCtx.dr[1]);
+        PROCESS_ONE_BP(fGstDr7, 2, pVCpu->cpum.GstCtx.dr[2]);
+        PROCESS_ONE_BP(fGstDr7, 3, pVCpu->cpum.GstCtx.dr[3]);
     }
 
@@ -243 +271 @@
      * Process hypervisor breakpoints.
      */
-    uint32_t const fHyperDr7 = DBGFBpGetDR7(pVCpu->CTX_SUFF(pVM));
+    PVMCC const    pVM       = pVCpu->CTX_SUFF(pVM);
+    uint32_t const fHyperDr7 = DBGFBpGetDR7(pVM);
     if (fHyperDr7 & X86_DR7_ENABLED_MASK)
     {
-        PROCESS_ONE_BP(fHyperDr7, 0);
-        PROCESS_ONE_BP(fHyperDr7, 1);
-        PROCESS_ONE_BP(fHyperDr7, 2);
-        PROCESS_ONE_BP(fHyperDr7, 3);
+/** @todo extract more details here to simplify matching later. */
+        PROCESS_ONE_BP(fHyperDr7, 0, DBGFBpGetDR0(pVM));
+        PROCESS_ONE_BP(fHyperDr7, 1, DBGFBpGetDR1(pVM));
+        PROCESS_ONE_BP(fHyperDr7, 2, DBGFBpGetDR2(pVM));
+        PROCESS_ONE_BP(fHyperDr7, 3, DBGFBpGetDR3(pVM));
     }
 
@@ -2241 +2271 @@
         iemRaiseXcptAdjustState(pVCpu, u8Vector);
 
+    /*
+     * Deal with debug events that follows the exception and clear inhibit flags.
+     */
+    if (   !(fFlags & IEM_XCPT_FLAGS_T_SOFT_INT)
+        || !(pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK))
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+    else
+    {
+        Log(("iemRaiseXcptOrIntInRealMode: Raising #DB after %#x; pending=%#x\n",
+             u8Vector, pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK));
+        IEM_CTX_IMPORT_RET(pVCpu, CPUMCTX_EXTRN_DR6);
+        pVCpu->cpum.GstCtx.dr[6] |= (pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK_NONSILENT)
+                                  >> CPUMCTX_DBG_HIT_DRX_SHIFT;
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+        return iemRaiseDebugException(pVCpu);
+    }
+
     /* The IEM_F_MODE_XXX and IEM_F_X86_CPL_MASK doesn't really change here,
        so best leave them alone in case we're in a weird kind of real mode... */
@@ -3207 +3254 @@
 
     /*
+     * Hack alert! Convert incoming debug events to slient on Intel.
+     * See bs3-cpu-weird-1.
+     */
+    if (   !(fFlags & IEM_XCPT_FLAGS_T_SOFT_INT)
+        || !(pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK_NONSILENT)
+        || !IEM_IS_GUEST_CPU_INTEL(pVCpu))
+    { /* ignore */ }
+    else
+    {
+        Log(("iemRaiseXcptOrIntInProtMode: Converting pending %#x debug events to a silent one (intel hack)\n",
+             u8Vector, pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK));
+        pVCpu->cpum.GstCtx.eflags.uBoth = (pVCpu->cpum.GstCtx.eflags.uBoth & ~CPUMCTX_DBG_HIT_DRX_MASK)
+                                        | CPUMCTX_DBG_HIT_DRX_SILENT;
+    }
+
+    /*
      * Read the IDT entry.
      */
@@ -3664 +3727 @@
     Assert(IEM_GET_CPL(pVCpu) == uNewCpl);
 
+    /*
+     * Deal with debug events that follows the exception and clear inhibit flags.
+     */
+    if (   !(fFlags & IEM_XCPT_FLAGS_T_SOFT_INT)
+        || !(pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK))
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+    else
+    {
+        Log(("iemRaiseXcptOrIntInProtMode: Raising #DB after %#x; pending=%#x\n",
+             u8Vector, pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK));
+        IEM_CTX_IMPORT_RET(pVCpu, CPUMCTX_EXTRN_DR6);
+        pVCpu->cpum.GstCtx.dr[6] |= (pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK_NONSILENT)
+                                  >> CPUMCTX_DBG_HIT_DRX_SHIFT;
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+        return iemRaiseDebugException(pVCpu);
+    }
+
     return fFlags & IEM_XCPT_FLAGS_T_CPU_XCPT ? VINF_IEM_RAISED_XCPT : VINF_SUCCESS;
 }
@@ -3689 +3769 @@
 {
     IEM_CTX_ASSERT(pVCpu, IEM_CPUMCTX_EXTRN_XCPT_MASK);
+
+    /*
+     * Hack alert! Convert incoming debug events to slient on Intel.
+     * See bs3-cpu-weird-1.
+     */
+    if (   !(fFlags & IEM_XCPT_FLAGS_T_SOFT_INT)
+        || !(pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK_NONSILENT)
+        || !IEM_IS_GUEST_CPU_INTEL(pVCpu))
+    { /* ignore */ }
+    else
+    {
+        Log(("iemRaiseXcptOrIntInLongMode: Converting pending %#x debug events to a silent one (intel hack)\n",
+             u8Vector, pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK));
+        pVCpu->cpum.GstCtx.eflags.uBoth = (pVCpu->cpum.GstCtx.eflags.uBoth & ~CPUMCTX_DBG_HIT_DRX_MASK)
+                                        | CPUMCTX_DBG_HIT_DRX_SILENT;
+    }
 
     /*
@@ -3920 +4016 @@
 
     iemRecalcExecModeAndCplAndAcFlags(pVCpu);
+
+    /*
+     * Deal with debug events that follows the exception and clear inhibit flags.
+     */
+    if (   !(fFlags & IEM_XCPT_FLAGS_T_SOFT_INT)
+        || !(pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK))
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+    else
+    {
+        Log(("iemRaiseXcptOrIntInLongMode: Raising #DB after %#x; pending=%#x\n",
+             u8Vector, pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK));
+        IEM_CTX_IMPORT_RET(pVCpu, CPUMCTX_EXTRN_DR6);
+        pVCpu->cpum.GstCtx.dr[6] |= (pVCpu->cpum.GstCtx.eflags.uBoth & CPUMCTX_DBG_HIT_DRX_MASK_NONSILENT)
+                                  >> CPUMCTX_DBG_HIT_DRX_SHIFT;
+        pVCpu->cpum.GstCtx.eflags.uBoth &= ~(CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_INHIBIT_SHADOW);
+        return iemRaiseDebugException(pVCpu);
+    }
 
     return fFlags & IEM_XCPT_FLAGS_T_CPU_XCPT ? VINF_IEM_RAISED_XCPT : VINF_SUCCESS;
@@ -6045 +6158 @@
 
 /**
+ * Helper for iemMemMap, iemMemMapJmp and iemMemBounceBufferMapCrossPage.
+ */
+DECL_FORCE_INLINE(uint32_t)
+iemMemCheckDataBreakpoint(PVMCC pVM, PVMCPUCC pVCpu, RTGCPTR GCPtrMem, size_t cbMem, uint32_t fAccess)
+{
+    bool const  fSysAccess = (fAccess & IEM_ACCESS_WHAT_MASK) == IEM_ACCESS_WHAT_SYS;
+    if (fAccess & IEM_ACCESS_TYPE_WRITE)
+        return DBGFBpCheckDataWrite(pVM, pVCpu, GCPtrMem, (uint32_t)cbMem, fSysAccess);
+    return DBGFBpCheckDataRead(pVM, pVCpu, GCPtrMem, (uint32_t)cbMem, fSysAccess);
+}
+
+
+/**
  * iemMemMap worker that deals with a request crossing pages.
  */
@@ -6074 +6200 @@
 
     PVMCC pVM = pVCpu->CTX_SUFF(pVM);
+
+    /*
+     * Check for data breakpoints.
+     */
+    if (RT_LIKELY(!(pVCpu->iem.s.fExec & IEM_F_PENDING_BRK_DATA)))
+    { /* likely */ }
+    else
+    {
+        uint32_t fDataBps = iemMemCheckDataBreakpoint(pVM, pVCpu, GCPtrFirst, cbFirstPage, fAccess);
+        fDataBps         |= iemMemCheckDataBreakpoint(pVM, pVCpu, (GCPtrFirst + (cbMem - 1)) & ~(RTGCPTR)GUEST_PAGE_OFFSET_MASK,
+                                                      cbSecondPage, fAccess);
+        pVCpu->cpum.GstCtx.eflags.uBoth |= fDataBps & (CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_DBG_DBGF_MASK);
+        if (fDataBps > 1)
+            LogEx(LOG_GROUP_IEM, ("iemMemBounceBufferMapCrossPage: Data breakpoint: fDataBps=%#x for %RGv LB %zx; fAccess=%#x cs:rip=%04x:%08RX64\n",
+                                  fDataBps, GCPtrFirst, cbMem, fAccess, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
+    }
 
     /*
@@ -6504 +6646 @@
         }
 
-        if (   !(WalkFast.fEffective & PGM_PTATTRS_G_MASK)
-            || IEM_GET_CPL(pVCpu) != 0) /* optimization: Only use the PTE.G=1 entries in ring-0. */
-        {
-            pTlbe--;
-            pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevision;
+        uint32_t fDataBps;
+        if (   RT_LIKELY(!(pVCpu->iem.s.fExec & IEM_F_PENDING_BRK_DATA))
+            || RT_LIKELY(!(fDataBps = iemMemCheckDataBreakpoint(pVCpu->CTX_SUFF(pVM), pVCpu, GCPtrMem, cbMem, fAccess))))
+        {
+            if (   !(WalkFast.fEffective & PGM_PTATTRS_G_MASK)
+                || IEM_GET_CPL(pVCpu) != 0) /* optimization: Only use the PTE.G=1 entries in ring-0. */
+            {
+                pTlbe--;
+                pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevision;
+            }
+            else
+            {
+                pVCpu->iem.s.DataTlb.cTlbCoreGlobalLoads++;
+                pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevisionGlobal;
+            }
         }
         else
         {
-            pVCpu->iem.s.DataTlb.cTlbCoreGlobalLoads++;
-            pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevisionGlobal;
+            /* If we hit a data breakpoint, we use a dummy TLBE to force all accesses
+               to the page with the data access breakpoint armed on it to pass thru here. */
+            if (fDataBps > 1)
+                LogEx(LOG_GROUP_IEM, ("iemMemMap: Data breakpoint: fDataBps=%#x for %RGv LB %zx; fAccess=%#x cs:rip=%04x:%08RX64\n",
+                                      fDataBps, GCPtrMem, cbMem, fAccess, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
+            pVCpu->cpum.GstCtx.eflags.uBoth |= fDataBps & (CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_DBG_DBGF_MASK);
+            pTlbe = &pVCpu->iem.s.DataBreakpointTlbe;
+            pTlbe->uTag = uTagNoRev;
         }
         pTlbe->fFlagsAndPhysRev = ~WalkFast.fEffective & (X86_PTE_US | X86_PTE_RW | X86_PTE_D | X86_PTE_A); /* skipping NX */
@@ -6879 +7037 @@
         }
 
-        if (   !(WalkFast.fEffective & PGM_PTATTRS_G_MASK)
-            || IEM_GET_CPL(pVCpu) != 0) /* optimization: Only use the PTE.G=1 entries in ring-0. */
-        {
-            pTlbe--;
-            pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevision;
+        uint32_t fDataBps;
+        if (   RT_LIKELY(!(pVCpu->iem.s.fExec & IEM_F_PENDING_BRK_DATA))
+            || RT_LIKELY(!(fDataBps = iemMemCheckDataBreakpoint(pVCpu->CTX_SUFF(pVM), pVCpu, GCPtrMem, cbMem, fAccess))))
+        {
+            if (   !(WalkFast.fEffective & PGM_PTATTRS_G_MASK)
+                || IEM_GET_CPL(pVCpu) != 0) /* optimization: Only use the PTE.G=1 entries in ring-0. */
+            {
+                pTlbe--;
+                pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevision;
+            }
+            else
+            {
+                if (a_fSafeCall)
+                    pVCpu->iem.s.DataTlb.cTlbSafeGlobalLoads++;
+                else
+                    pVCpu->iem.s.DataTlb.cTlbCoreGlobalLoads++;
+                pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevisionGlobal;
+            }
         }
         else
         {
-            if (a_fSafeCall)
-                pVCpu->iem.s.DataTlb.cTlbSafeGlobalLoads++;
-            else
-                pVCpu->iem.s.DataTlb.cTlbCoreGlobalLoads++;
-            pTlbe->uTag         = uTagNoRev | pVCpu->iem.s.DataTlb.uTlbRevisionGlobal;
+            /* If we hit a data breakpoint, we use a dummy TLBE to force all accesses
+               to the page with the data access breakpoint armed on it to pass thru here. */
+            if (fDataBps > 1)
+                LogEx(LOG_GROUP_IEM, ("iemMemMapJmp<%d>: Data breakpoint: fDataBps=%#x for %RGv LB %zx; fAccess=%#x cs:rip=%04x:%08RX64\n",
+                                      a_fSafeCall, fDataBps, GCPtrMem, cbMem, fAccess, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
+            pVCpu->cpum.GstCtx.eflags.uBoth |= fDataBps & (CPUMCTX_DBG_HIT_DRX_MASK | CPUMCTX_DBG_DBGF_MASK);
+            pTlbe = &pVCpu->iem.s.DataBreakpointTlbe;
+            pTlbe->uTag = uTagNoRev;
         }
         pTlbe->fFlagsAndPhysRev = ~WalkFast.fEffective & (X86_PTE_US | X86_PTE_RW | X86_PTE_D | X86_PTE_A); /* skipping NX */

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp

@@ -6643 +6643 @@
     /*
      * Re-init hardware breakpoint summary if it was DR7 that got changed.
-     */
-    if (iDrReg == 7)
+     *
+     * We also do this when an active data breakpoint is updated so that the
+     * TLB entry can be correctly invalidated.
+     */
+    if (   iDrReg == 7
+#ifdef IEM_WITH_DATA_TLB
+        || (   iDrReg <= 3
+            && (X86_DR7_L_G(iDrReg) & pVCpu->cpum.GstCtx.dr[7])
+            && X86_DR7_IS_W_CFG(pVCpu->cpum.GstCtx.dr[7], iDrReg) )
+#endif
+       )
         iemRecalcExecDbgFlags(pVCpu);
 

trunk/src/VBox/VMM/VMMAll/IEMAllInstOneByte.cpp.h

@@ -9617 +9617 @@
     IEMOP_MNEMONIC(into, "into");
     IEMOP_HLP_NO_64BIT();
+/** @todo INTO instruction is completely wrong.   */
     IEM_MC_DEFER_TO_CIMPL_2_RET(IEM_CIMPL_F_BRANCH_INDIRECT | IEM_CIMPL_F_BRANCH_FAR | IEM_CIMPL_F_BRANCH_STACK_FAR
                                 | IEM_CIMPL_F_BRANCH_CONDITIONAL | IEM_CIMPL_F_MODE | IEM_CIMPL_F_VMEXIT | IEM_CIMPL_F_RFLAGS,

trunk/src/VBox/VMM/VMMAll/IEMAllThrdFuncsBltIn.cpp

@@ -206 +206 @@
 {
     VBOXSTRICTRC rcStrict = DBGFBpCheckInstruction(pVCpu->CTX_SUFF(pVM), pVCpu,
-                                                   pVCpu->cpum.GstCtx.rip + pVCpu->cpum.GstCtx.cs.u64Base);
+                                                   pVCpu->cpum.GstCtx.rip + pVCpu->cpum.GstCtx.cs.u64Base,
+                                                      !(pVCpu->cpum.GstCtx.rflags.uBoth & CPUMCTX_INHIBIT_SHADOW_SS)
+                                                   || IEM_IS_GUEST_CPU_AMD(pVCpu));
     if (RT_LIKELY(rcStrict == VINF_SUCCESS))
         return VINF_SUCCESS;