Changeset 56628 in vbox for trunk/src/VBox

Timestamp:

Jun 24, 2015 7:44:56 PM (9 years ago)

Author:

vboxsync

Message:

IEM: Postpone INS memory writes to ring-3 if we hit an access handler. We cannot redo the read, that will only mess things us. This introduces a new per-cpu forced flag, VMCPU_FF_IEM, that must cause immediate return to ring-3 where it will be serviced ASAP. IEM will try return VINF_EM_RAW_TO_R3 as well to help make sure we get back to ring-3.

Location:

trunk/src/VBox/VMM

Files:

• VMMAll/IEMAll.cpp (modified) (4 diffs)
• VMMAll/IEMAllCImplStrInstr.cpp.h (modified) (4 diffs)
• VMMR0/HMVMXR0.cpp (modified) (1 diff)
• VMMR3/EM.cpp (modified) (1 diff)
• VMMR3/IEMR3.cpp (modified) (1 diff)
• VMMR3/VMM.cpp (modified) (1 diff)
• VMMRC/TRPMRCHandlers.cpp (modified) (2 diffs)
• include/IEMInternal.h (modified) (4 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -769 +769 @@
     PVMCPU   pVCpu = IEMCPU_TO_VMCPU(pIemCpu);
 
+    Assert(!VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_IEM));
+    Assert(pIemCpu->PendingCommit.enmFn == IEMCOMMIT_INVALID);
+
 #if defined(VBOX_STRICT) && (defined(IEM_VERIFICATION_MODE_FULL) || !defined(VBOX_WITH_RAW_MODE_NOT_R0))
     Assert(CPUMSELREG_ARE_HIDDEN_PARTS_VALID(pVCpu, &pCtx->cs));
@@ -829 +832 @@
     PCPUMCTX pCtx  = pIemCpu->CTX_SUFF(pCtx);
     PVMCPU   pVCpu = IEMCPU_TO_VMCPU(pIemCpu);
+
+    Assert(!VMCPU_FF_IS_SET(pVCpu, VMCPU_FF_IEM));
+    Assert(pIemCpu->PendingCommit.enmFn == IEMCOMMIT_INVALID);
 
 #if defined(VBOX_STRICT) && (defined(IEM_VERIFICATION_MODE_FULL) || !defined(VBOX_WITH_RAW_MODE_NOT_R0))
@@ -10712 +10718 @@
                       || rcStrict == VINF_CPUM_R3_MSR_WRITE
                       || rcStrict == VINF_EM_RAW_EMULATE_INSTR
+                      || rcStrict == VINF_EM_RAW_TO_R3
                       /* raw-mode / virt handlers only: */
                       || rcStrict == VINF_EM_RAW_EMULATE_INSTR_GDT_FAULT
@@ -11552 +11559 @@
 }
 
+#ifdef IN_RING3
+
+/**
+ * Called by force-flag handling code when VMCPU_FF_IEM is set.
+ *
+ * @returns Merge between @a rcStrict and what the commit operation returned.
+ * @param   pVCpu           Pointer to the cross context CPU structure for the
+ *                          calling EMT.
+ * @param   rcStrict        The status code returned by ring-0 or raw-mode.
+ */
+VMMR3_INT_DECL(VBOXSTRICTRC) IEMR3DoPendingAction(PVMCPU pVCpu, VBOXSTRICTRC rcStrict)
+{
+    PIEMCPU      pIemCpu = &pVCpu->iem.s;
+
+    /*
+     * Retrieve and reset the pending commit.
+     */
+    IEMCOMMIT const enmFn = pIemCpu->PendingCommit.enmFn;
+    pIemCpu->PendingCommit.enmFn = IEMCOMMIT_INVALID;
+    VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_IEM);
+
+    /*
+     * Must reset pass-up status code.
+     */
+    pIemCpu->rcPassUp = VINF_SUCCESS;
+
+    /*
+     * Call the function.  Currently using switch here instead of function
+     * pointer table as a switch won't get skewed.
+     */
+    VBOXSTRICTRC rcStrictCommit;
+    switch (enmFn)
+    {
+        case IEMCOMMIT_INS_OP8_ADDR16:          rcStrictCommit = iemR3CImpl_commit_ins_op8_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP8_ADDR32:          rcStrictCommit = iemR3CImpl_commit_ins_op8_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP8_ADDR64:          rcStrictCommit = iemR3CImpl_commit_ins_op8_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP16_ADDR16:         rcStrictCommit = iemR3CImpl_commit_ins_op16_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP16_ADDR32:         rcStrictCommit = iemR3CImpl_commit_ins_op16_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP16_ADDR64:         rcStrictCommit = iemR3CImpl_commit_ins_op16_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP32_ADDR16:         rcStrictCommit = iemR3CImpl_commit_ins_op32_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP32_ADDR32:         rcStrictCommit = iemR3CImpl_commit_ins_op32_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_INS_OP32_ADDR64:         rcStrictCommit = iemR3CImpl_commit_ins_op32_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP8_ADDR16:      rcStrictCommit = iemR3CImpl_commit_rep_ins_op8_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP8_ADDR32:      rcStrictCommit = iemR3CImpl_commit_rep_ins_op8_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP8_ADDR64:      rcStrictCommit = iemR3CImpl_commit_rep_ins_op8_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP16_ADDR16:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op16_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP16_ADDR32:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op16_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP16_ADDR64:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op16_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP32_ADDR16:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op32_addr16(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP32_ADDR32:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op32_addr32(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        case IEMCOMMIT_REP_INS_OP32_ADDR64:     rcStrictCommit = iemR3CImpl_commit_rep_ins_op32_addr64(pIemCpu, pIemCpu->PendingCommit.cbInstr); break;
+        default:
+            AssertLogRelMsgFailedReturn(("enmFn=%#x (%d)\n", pIemCpu->PendingCommit.enmFn, pIemCpu->PendingCommit.enmFn), VERR_IEM_IPE_2);
+    }
+
+    /*
+     * Merge status code (if any) with the incomming one.
+     */
+    rcStrictCommit = iemExecStatusCodeFiddling(pIemCpu, rcStrictCommit);
+    if (RT_LIKELY(rcStrictCommit == VINF_SUCCESS))
+        return rcStrict;
+    if (RT_LIKELY(rcStrict == VINF_SUCCESS || rcStrict == VINF_EM_RAW_TO_R3))
+        return rcStrictCommit;
+
+    /* Complicated. */
+    if (RT_FAILURE(rcStrict))
+        return rcStrict;
+    if (RT_FAILURE(rcStrictCommit))
+        return rcStrictCommit;
+    if (   rcStrict >= VINF_EM_FIRST
+        && rcStrict <= VINF_EM_LAST)
+    {
+        if (   rcStrictCommit >= VINF_EM_FIRST
+            && rcStrictCommit <= VINF_EM_LAST)
+            return rcStrict < rcStrictCommit ? rcStrict : rcStrictCommit;
+
+        /* This really shouldn't happen. Check PGM + handler code! */
+        AssertLogRelMsgFailedReturn(("rcStrictCommit=%Rrc rcStrict=%Rrc enmFn=%d\n", VBOXSTRICTRC_VAL(rcStrictCommit), VBOXSTRICTRC_VAL(rcStrict), enmFn), VERR_IEM_IPE_1);
+    }
+    /* This shouldn't really happen either, see IOM_SUCCESS. */
+    AssertLogRelMsgFailedReturn(("rcStrictCommit=%Rrc rcStrict=%Rrc enmFn=%d\n", VBOXSTRICTRC_VAL(rcStrictCommit), VBOXSTRICTRC_VAL(rcStrict), enmFn), VERR_IEM_IPE_2);
+}
+
+#endif /* IN_RING */
+

trunk/src/VBox/VMM/VMMAll/IEMAllCImplStrInstr.cpp.h

@@ -1015 +1015 @@
 #if OP_SIZE != 64
 
+# if !defined(IN_RING3) && !defined(IEMCIMPL_INS_INLINES)
+#  define IEMCIMPL_INS_INLINES 1
+
+/**
+ * Check if we should postpone committing an INS instruction to ring-3, or if we
+ * should rather panic.
+ *
+ * @returns true if we should postpone it, false if it's better to panic.
+ * @param   rcStrictMem     The status code returned by the memory write.
+ */
+DECLINLINE(bool) iemCImpl_ins_shouldPostponeCommitToRing3(VBOXSTRICTRC rcStrictMem)
+{
+    /*
+     * The following requires executing the write in ring-3.
+     * See PGMPhysWrite for status code explanations.
+     */
+    if (   rcStrictMem == VINF_IOM_R3_MMIO_WRITE
+        || rcStrictMem == VINF_IOM_R3_MMIO_READ_WRITE
+        || rcStrictMem == VINF_EM_RAW_EMULATE_INSTR
+# ifdef IN_RC
+        || rcStrictMem == VINF_EM_RAW_EMULATE_INSTR_LDT_FAULT
+        || rcStrictMem == VINF_EM_RAW_EMULATE_INSTR_TSS_FAULT
+        || rcStrictMem == VINF_EM_RAW_EMULATE_INSTR_IDT_FAULT
+        || rcStrictMem == VINF_CSAM_PENDING_ACTION
+        || rcStrictMem == VINF_PATM_CHECK_PATCH_PAGE
+# endif
+       )
+        return true;
+
+    /* For the other status code, the pass-up handling should already have
+       caught them. So, anything getting down here is a real problem worth
+       meditating over. */
+    return false;
+}
+
+
+/**
+ * Merges a iemCImpl_ins_shouldPostponeCommitToRing3() status with the I/O port
+ * status.
+ *
+ * @returns status code.
+ * @param   rcStrictPort    The status returned by the I/O port read.
+ * @param   rcStrictMem     The status code returned by the memory write.
+ */
+DECLINLINE(VBOXSTRICTRC) iemCImpl_ins_mergePostponedCommitStatuses(VBOXSTRICTRC rcStrictPort, VBOXSTRICTRC rcStrictMem)
+{
+    /* Turns out we don't need a lot of merging, since we'll be redoing the
+       write anyway.  (CSAM, PATM status codes, perhaps, but that's about it.) */
+    return rcStrictPort == VINF_SUCCESS ? VINF_EM_RAW_TO_R3 : rcStrictPort;
+}
+
+# endif /* !IN_RING3 || !IEMCIMPL_INS_INLINES */
+
+
 /**
  * Implements 'INS' (no rep)
@@ -1067 +1121 @@
             iemRegAddToRipAndClearRF(pIemCpu, cbInstr);
         }
+#ifndef IN_RING3
         /* iemMemMap already checked permissions, so this may only be real errors
-           or access handlers meddling. The access handler case is going to
-           cause misbehavior if the instruction is re-interpreted or smth. So,
-           we fail with an internal error here instead. */
+           or access handlers meddling. In the access handler case, we must postpone
+           the instruction committing to ring-3. */
+        else if (iemCImpl_ins_shouldPostponeCommitToRing3(rcStrict2))
+        {
+            pIemCpu->PendingCommit.cbInstr = cbInstr;
+            pIemCpu->PendingCommit.uValue  = u32Value;
+            pIemCpu->PendingCommit.enmFn   = RT_CONCAT4(IEMCOMMIT_INS_OP,OP_SIZE,_ADDR,ADDR_SIZE);
+            pIemCpu->cPendingCommit++;
+            VMCPU_FF_SET(IEMCPU_TO_VMCPU(pIemCpu), VMCPU_FF_IEM);
+            Log(("%s: Postponing to ring-3; cbInstr=%#x u32Value=%#x rcStrict2=%Rrc rcStrict=%Rrc\n", __FUNCTION__,
+                 cbInstr, u32Value, VBOXSTRICTRC_VAL(rcStrict2),  VBOXSTRICTRC_VAL(rcStrict)));
+            rcStrict = iemCImpl_ins_mergePostponedCommitStatuses(rcStrict, rcStrict2);
+        }
+#endif
         else
-            AssertLogRelMsgFailedReturn(("rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict2)), VERR_IEM_IPE_1);
+            AssertLogRelMsgFailedReturn(("rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict2)), RT_FAILURE_NP(rcStrict2) ? rcStrict2 : VERR_IEM_IPE_1);
     }
     return rcStrict;
 }
+
+
+# ifdef IN_RING3
+/**
+ * Called in ring-3 when raw-mode or ring-0 was forced to return while
+ * committing the instruction (hit access handler).
+ */
+IEM_CIMPL_DEF_0(RT_CONCAT4(iemR3CImpl_commit_ins_op,OP_SIZE,_addr,ADDR_SIZE))
+{
+    PCPUMCTX     pCtx     = pIemCpu->CTX_SUFF(pCtx);
+    VBOXSTRICTRC rcStrict = RT_CONCAT(iemMemStoreDataU,OP_SIZE)(pIemCpu, X86_SREG_ES, pCtx->ADDR_rDI, (OP_TYPE)pIemCpu->PendingCommit.uValue);
+    if (rcStrict == VINF_SUCCESS)
+    {
+        if (!pCtx->eflags.Bits.u1DF)
+            pCtx->ADDR_rDI += OP_SIZE / 8;
+        else
+            pCtx->ADDR_rDI -= OP_SIZE / 8;
+        iemRegAddToRipAndClearRF(pIemCpu, cbInstr);
+    }
+    return rcStrict;
+}
+# endif /* IN_RING3 */
 
 
@@ -1217 +1305 @@
             *puMem = (OP_TYPE)u32Value;
             VBOXSTRICTRC rcStrict2 = iemMemCommitAndUnmap(pIemCpu, puMem, IEM_ACCESS_DATA_W);
-            AssertLogRelMsgReturn(rcStrict2 == VINF_SUCCESS, ("rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict2)),
-                                  VERR_IEM_IPE_1); /* See non-rep version. */
+            if (rcStrict2 == VINF_SUCCESS)
+            { /* likely */ }
+#ifndef IN_RING3
+            /* iemMemMap already checked permissions, so this may only be real errors
+               or access handlers meddling. In the access handler case, we must postpone
+               the instruction committing to ring-3. */
+            else if (iemCImpl_ins_shouldPostponeCommitToRing3(rcStrict2))
+            {
+                pIemCpu->PendingCommit.cbInstr = cbInstr;
+                pIemCpu->PendingCommit.uValue  = u32Value;
+                pIemCpu->PendingCommit.enmFn   = RT_CONCAT4(IEMCOMMIT_REP_INS_OP,OP_SIZE,_ADDR,ADDR_SIZE);
+                pIemCpu->cPendingCommit++;
+                VMCPU_FF_SET(IEMCPU_TO_VMCPU(pIemCpu), VMCPU_FF_IEM);
+                Log(("%s: Postponing to ring-3; cbInstr=%#x u32Value=%#x rcStrict2=%Rrc rcStrict=%Rrc\n", __FUNCTION__,
+                     cbInstr, u32Value, VBOXSTRICTRC_VAL(rcStrict2),  VBOXSTRICTRC_VAL(rcStrict)));
+                return iemCImpl_ins_mergePostponedCommitStatuses(rcStrict, rcStrict2);
+            }
+#endif
+            else
+                AssertLogRelMsgFailedReturn(("rcStrict2=%Rrc\n", VBOXSTRICTRC_VAL(rcStrict2)),
+                                            RT_FAILURE(rcStrict2) ? rcStrict2 : VERR_IEM_IPE_1);
 
             pCtx->ADDR_rDI = uAddrReg += cbIncr;
@@ -1240 +1347 @@
     return VINF_SUCCESS;
 }
+
+# ifdef IN_RING3
+/**
+ * Called in ring-3 when raw-mode or ring-0 was forced to return while
+ * committing the instruction (hit access handler).
+ */
+IEM_CIMPL_DEF_0(RT_CONCAT4(iemR3CImpl_commit_rep_ins_op,OP_SIZE,_addr,ADDR_SIZE))
+{
+    PCPUMCTX     pCtx     = pIemCpu->CTX_SUFF(pCtx);
+    VBOXSTRICTRC rcStrict = RT_CONCAT(iemMemStoreDataU,OP_SIZE)(pIemCpu, X86_SREG_ES, pCtx->ADDR_rDI, (OP_TYPE)pIemCpu->PendingCommit.uValue);
+    if (rcStrict == VINF_SUCCESS)
+    {
+        if (!pCtx->eflags.Bits.u1DF)
+            pCtx->ADDR_rDI += OP_SIZE / 8;
+        else
+            pCtx->ADDR_rDI -= OP_SIZE / 8;
+        pCtx->ADDR_rCX -= 1;
+        if (pCtx->ADDR_rCX == 0)
+            iemRegAddToRipAndClearRF(pIemCpu, cbInstr);
+    }
+    return rcStrict;
+}
+# endif /* IN_RING3 */
 
 

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -11366 +11366 @@
                   || rcStrict == VINF_EM_DBG_BREAKPOINT
                   || rcStrict == VINF_EM_RAW_GUEST_TRAP
+                  || rcStrict == VINF_EM_RAW_TO_R3
                   || rcStrict == VINF_TRPM_XCPT_DISPATCHED, ("%Rrc\n", VBOXSTRICTRC_VAL(rcStrict)));
     }

trunk/src/VBox/VMM/VMMR3/EM.cpp

@@ -1575 +1575 @@
     }
 
+    /* IEM has pending work (typically memory write after INS instruction). */
+    if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_IEM))
+        rc = VBOXSTRICTRC_TODO(IEMR3DoPendingAction(pVCpu, rc));
+
 #ifdef VBOX_WITH_RAW_MODE
     if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_CSAM_PENDING_ACTION))

trunk/src/VBox/VMM/VMMR3/IEMR3.cpp

@@ -65 +65 @@
         STAMR3RegisterF(pVM, &pVCpu->iem.s.cbWritten,                 STAMTYPE_U32,       STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES,
                         "Approx bytes written",              "/IEM/CPU%u/cbWritten", idCpu);
+        STAMR3RegisterF(pVM, &pVCpu->iem.s.cPendingCommit,            STAMTYPE_U32,       STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES,
+                        "Times RC/R0 had to postpone instruction committing to ring-3", "/IEM/CPU%u/cPendingCommit", idCpu);
 
         /*

trunk/src/VBox/VMM/VMMR3/VMM.cpp

@@ -2416 +2416 @@
         PRINT_FLAG(VMCPU_FF_,PDM_CRITSECT);
         PRINT_FLAG(VMCPU_FF_,UNHALT);
+        PRINT_FLAG(VMCPU_FF_,IEM);
         PRINT_FLAG(VMCPU_FF_,REQUEST);
         PRINT_FLAG(VMCPU_FF_,HM_UPDATE_CR3);

trunk/src/VBox/VMM/VMMRC/TRPMRCHandlers.cpp

@@ -213 +213 @@
                                           | VMCPU_FF_REQUEST | VMCPU_FF_PGM_SYNC_CR3 | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
                                           | VMCPU_FF_PDM_CRITSECT
+                                          | VMCPU_FF_IEM
                                           | VMCPU_FF_SELM_SYNC_GDT | VMCPU_FF_SELM_SYNC_LDT
                                           | VMCPU_FF_SELM_SYNC_TSS | VMCPU_FF_TRPM_SYNC_IDT
@@ -223 +224 @@
             rc = VINF_EM_NO_MEMORY;
         /* Pending Ring-3 action. */
-        else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_TO_R3 | VMCPU_FF_PDM_CRITSECT))
+        else if (VMCPU_FF_IS_PENDING(pVCpu, VMCPU_FF_TO_R3 | VMCPU_FF_PDM_CRITSECT | VMCPU_FF_IEM))
         {
             VMCPU_FF_CLEAR(pVCpu, VMCPU_FF_TO_R3);

trunk/src/VBox/VMM/include/IEMInternal.h

@@ -123 +123 @@
 /** Pointer to a const FPU result consisting of two output values and FSW. */
 typedef IEMFPURESULTTWO const *PCIEMFPURESULTTWO;
+
+
+/**
+ * IEM pending commit function index.
+ */
+typedef enum IEMCOMMIT
+{
+    /** Invalid / nothing pending. */
+    IEMCOMMIT_INVALID = 0,
+    /** @name INS
+     * @{  */
+    IEMCOMMIT_INS_OP8_ADDR16,
+    IEMCOMMIT_INS_OP8_ADDR32,
+    IEMCOMMIT_INS_OP8_ADDR64,
+    IEMCOMMIT_INS_OP16_ADDR16,
+    IEMCOMMIT_INS_OP16_ADDR32,
+    IEMCOMMIT_INS_OP16_ADDR64,
+    IEMCOMMIT_INS_OP32_ADDR16,
+    IEMCOMMIT_INS_OP32_ADDR32,
+    IEMCOMMIT_INS_OP32_ADDR64,
+    /** @} */
+    /** @name REP INS
+     * @{  */
+    IEMCOMMIT_REP_INS_OP8_ADDR16,
+    IEMCOMMIT_REP_INS_OP8_ADDR32,
+    IEMCOMMIT_REP_INS_OP8_ADDR64,
+    IEMCOMMIT_REP_INS_OP16_ADDR16,
+    IEMCOMMIT_REP_INS_OP16_ADDR32,
+    IEMCOMMIT_REP_INS_OP16_ADDR64,
+    IEMCOMMIT_REP_INS_OP32_ADDR16,
+    IEMCOMMIT_REP_INS_OP32_ADDR32,
+    IEMCOMMIT_REP_INS_OP32_ADDR64,
+    /** @} */
+    /** End of valid functions. */
+    IEMCOMMIT_END,
+    /** Make sure the type is int in call contexts. */
+    IEMCOMMIT_32BIT_HACK = 0x7fffffff
+} IEMCOMMIT;
+AssertCompile(sizeof(IEMCOMMIT) == 4);
 
 
@@ -253 +292 @@
     /** Number of times rcPassUp has been used. */
     uint32_t                cRetPassUpStatus;
+    /** Number of times RZ left with instruction commit pending for ring-3. */
+    uint32_t                cPendingCommit;
 #ifdef IEM_VERIFICATION_MODE_FULL
     /** The Number of I/O port reads that has been performed. */
@@ -322 +363 @@
     /** @}*/
 
-    /** Alignment padding for aMemMappings. */
-    uint8_t                 abAlignment2[4];
-
     /** The number of active guest memory mappings. */
     uint8_t                 cActiveMappings;
@@ -376 +414 @@
         uint8_t             ab[512];
     } aBounceBuffers[3];
+
+    /** @name Pending Instruction Commit (R0/RC postponed it to Ring-3).
+     * @{ */
+    struct
+    {
+        /** The commit function to call. */
+        IEMCOMMIT           enmFn;
+        /** The instruction size. */
+        uint8_t             cbInstr;
+        /** Generic value to commit. */
+        uint64_t            uValue;
+    } PendingCommit;
+    /** @} */
 
     /** @name Target CPU information.