VirtualBox

Browse Source

Changeset 95410 in vbox

Timestamp:

Jun 28, 2022 6:33:26 PM (3 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

152012

Message:

VMM/IEM: Alignment checks (#AC(0)/#GP(0)). bugref:9898

Location:

trunk/src/VBox/VMM

Files:

: 6 edited

VMMAll/IEMAll.cpp (modified) (81 diffs)
VMMAll/IEMAllCImpl.cpp (modified) (40 diffs)
VMMAll/IEMAllCImplStrInstr.cpp.h (modified) (2 diffs)
include/IEMInline.h (modified) (1 diff)
include/IEMInternal.h (modified) (3 diffs)
include/IEMMc.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

-              r95307
+              r95410
     uint16_t *pu16Frame;
     uint64_t  uNewRsp;
     rcStrict = iemMemStackPushBeginSpecial(pVCpu, 6, (void **)&pu16Frame, &uNewRsp);
+    rcStrict = iemMemStackPushBeginSpecial(pVCpu, 6, 3, (void **)&pu16Frame, &uNewRsp);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
      *        not perform correct translation if this happens. See Intel spec. 7.2.1
      *        "Task-State Segment". */
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvNewTSS, cbNewTSS, UINT8_MAX, GCPtrNewTSS, IEM_ACCESS_SYS_RW);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvNewTSS, cbNewTSS, UINT8_MAX, GCPtrNewTSS, IEM_ACCESS_SYS_RW, 0);
     if (rcStrict != VINF_SUCCESS)
+    {
 …
         PX86DESC pDescCurTSS;
         rcStrict = iemMemMap(pVCpu, (void **)&pDescCurTSS, sizeof(*pDescCurTSS), UINT8_MAX,
                              pVCpu->cpum.GstCtx.gdtr.pGdt + (pVCpu->cpum.GstCtx.tr.Sel & X86_SEL_MASK), IEM_ACCESS_SYS_RW);
+                             pVCpu->cpum.GstCtx.gdtr.pGdt + (pVCpu->cpum.GstCtx.tr.Sel & X86_SEL_MASK), IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
+        {
 …
         uint32_t const cbCurTSS  = RT_UOFFSETOF(X86TSS32, selLdt) - RT_UOFFSETOF(X86TSS32, eip);
         AssertCompile(RTASSERT_OFFSET_OF(X86TSS32, selLdt) - RTASSERT_OFFSET_OF(X86TSS32, eip) == 64);
         rcStrict = iemMemMap(pVCpu, &pvCurTSS32, cbCurTSS, UINT8_MAX, GCPtrCurTSS + offCurTSS, IEM_ACCESS_SYS_RW);
+        rcStrict = iemMemMap(pVCpu, &pvCurTSS32, cbCurTSS, UINT8_MAX, GCPtrCurTSS + offCurTSS, IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
+        {
 …
         uint32_t const cbCurTSS  = RT_UOFFSETOF(X86TSS16, selLdt) - RT_UOFFSETOF(X86TSS16, ip);
         AssertCompile(RTASSERT_OFFSET_OF(X86TSS16, selLdt) - RTASSERT_OFFSET_OF(X86TSS16, ip) == 28);
         rcStrict = iemMemMap(pVCpu, &pvCurTSS16, cbCurTSS, UINT8_MAX, GCPtrCurTSS + offCurTSS, IEM_ACCESS_SYS_RW);
+        rcStrict = iemMemMap(pVCpu, &pvCurTSS16, cbCurTSS, UINT8_MAX, GCPtrCurTSS + offCurTSS, IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
+        {
 …
+    {
         rcStrict = iemMemMap(pVCpu, (void **)&pNewDescTSS, sizeof(*pNewDescTSS), UINT8_MAX,
                              pVCpu->cpum.GstCtx.gdtr.pGdt + (SelTSS & X86_SEL_MASK), IEM_ACCESS_SYS_RW);
+                             pVCpu->cpum.GstCtx.gdtr.pGdt + (SelTSS & X86_SEL_MASK), IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
+        {
 …
         RTPTRUNION uStackFrame;
         rcStrict = iemMemMap(pVCpu, &uStackFrame.pv, cbStackFrame, UINT8_MAX,
+                             uNewEsp - cbStackFrame + X86DESC_BASE(&DescSS.Legacy), IEM_ACCESS_STACK_W | IEM_ACCESS_WHAT_SYS); /* _SYS is a hack ... */
+                             uNewEsp - cbStackFrame + X86DESC_BASE(&DescSS.Legacy),
+                             IEM_ACCESS_STACK_W | IEM_ACCESS_WHAT_SYS, 0); /* _SYS is a hack ... */
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
         RTPTRUNION      uStackFrame;
         uint8_t const   cbStackFrame = (fFlags & IEM_XCPT_FLAGS_ERR ? 8 : 6) << f32BitGate;
         rcStrict = iemMemStackPushBeginSpecial(pVCpu, cbStackFrame, &uStackFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPushBeginSpecial(pVCpu, cbStackFrame, f32BitGate ? 3 : 1, &uStackFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     RTPTRUNION uStackFrame;
     rcStrict = iemMemMap(pVCpu, &uStackFrame.pv, cbStackFrame, UINT8_MAX,
                          uNewRsp - cbStackFrame, IEM_ACCESS_STACK_W | IEM_ACCESS_WHAT_SYS); /* _SYS is a hack ... */
+                         uNewRsp - cbStackFrame, IEM_ACCESS_STACK_W | IEM_ACCESS_WHAT_SYS, 0); /* _SYS is a hack ... */
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
 VBOXSTRICTRC iemRaiseAlignmentCheckException(PVMCPUCC pVCpu)
+{
     return iemRaiseXcptOrInt(pVCpu, 0, X86_XCPT_AC, IEM_XCPT_FLAGS_T_CPU_XCPT, 0, 0);
+    return iemRaiseXcptOrInt(pVCpu, 0, X86_XCPT_AC, IEM_XCPT_FLAGS_T_CPU_XCPT | IEM_XCPT_FLAGS_ERR, 0, 0);
+}
 …
  * @returns VBox strict status code.
+ *
+ * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
+ * @param   ppvMem              Where to return the pointer to the mapped
+ *                              memory.
+ * @param   cbMem               The number of bytes to map.  This is usually 1,
+ *                              2, 4, 6, 8, 12, 16, 32 or 512.  When used by
+ *                              string operations it can be up to a page.
+ * @param   iSegReg             The index of the segment register to use for
+ *                              this access.  The base and limits are checked.
+ *                              Use UINT8_MAX to indicate that no segmentation
+ *                              is required (for IDT, GDT and LDT accesses).
+ * @param   GCPtrMem            The address of the guest memory.
+ * @param   fAccess             How the memory is being accessed.  The
+ *                              IEM_ACCESS_TYPE_XXX bit is used to figure out
+ *                              how to map the memory, while the
+ *                              IEM_ACCESS_WHAT_XXX bit is used when raising
+ *                              exceptions.
+ */
+VBOXSTRICTRC iemMemMap(PVMCPUCC pVCpu, void **ppvMem, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem, uint32_t fAccess) RT_NOEXCEPT
+ * @param   pVCpu       The cross context virtual CPU structure of the calling thread.
+ * @param   ppvMem      Where to return the pointer to the mapped memory.
+ * @param   cbMem       The number of bytes to map.  This is usually 1, 2, 4, 6,
+ *                      8, 12, 16, 32 or 512.  When used by string operations
+ *                      it can be up to a page.
+ * @param   iSegReg     The index of the segment register to use for this
+ *                      access.  The base and limits are checked. Use UINT8_MAX
+ *                      to indicate that no segmentation is required (for IDT,
+ *                      GDT and LDT accesses).
+ * @param   GCPtrMem    The address of the guest memory.
+ * @param   fAccess     How the memory is being accessed.  The
+ *                      IEM_ACCESS_TYPE_XXX bit is used to figure out how to map
+ *                      the memory, while the IEM_ACCESS_WHAT_XXX bit is used
+ *                      when raising exceptions.
+ * @param   uAlignCtl   Alignment control:
+ *                          - Bits 15:0 is the alignment mask.
+ *                          - Bits 31:16 for flags like IEM_MEMMAP_F_ALIGN_GP,
+ *                            IEM_MEMMAP_F_ALIGN_SSE, and
+ *                            IEM_MEMMAP_F_ALIGN_GP_OR_AC.
+ *                      Pass zero to skip alignment.
+ */
+VBOXSTRICTRC iemMemMap(PVMCPUCC pVCpu, void **ppvMem, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem,
+                       uint32_t fAccess, uint32_t uAlignCtl) RT_NOEXCEPT
+{
     /*
 …
     else
         return iemMemBounceBufferMapCrossPage(pVCpu, iMemMap, ppvMem, cbMem, GCPtrMem, fAccess);
+    /*
+     * Alignment check.
+     */
+    if ( (GCPtrMem & (uAlignCtl & UINT16_MAX)) == 0 )
+    { /* likelyish */ }
+    else
+    {
+        /* Misaligned access. */
+        if ((fAccess & IEM_ACCESS_WHAT_MASK) != IEM_ACCESS_WHAT_SYS)
+        {
+            if (   !(uAlignCtl & IEM_MEMMAP_F_ALIGN_GP)
+                || (   (uAlignCtl & IEM_MEMMAP_F_ALIGN_SSE)
+                    && (pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) )
+            {
+                AssertCompile(X86_CR0_AM == X86_EFL_AC);
+                if (iemMemAreAlignmentChecksEnabled(pVCpu))
+                    return iemRaiseAlignmentCheckException(pVCpu);
+            }
+            else if (   (uAlignCtl & IEM_MEMMAP_F_ALIGN_GP_OR_AC)
+                     && iemMemAreAlignmentChecksEnabled(pVCpu)
+/** @todo may only apply to 2, 4 or 8 byte misalignments depending on the CPU
+ *        implementation. See FXSAVE/FRSTOR/XSAVE/XRSTOR/++. */
+                    )
+                return iemRaiseAlignmentCheckException(pVCpu);
+            else
+                return iemRaiseGeneralProtectionFault0(pVCpu);
+        }
+    }
 #ifdef IEM_WITH_DATA_TLB
 …
  * @returns Pointer to the mapped memory.
+ *
+ * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
+ * @param   cbMem               The number of bytes to map.  This is usually 1,
+ *                              2, 4, 6, 8, 12, 16, 32 or 512.  When used by
+ *                              string operations it can be up to a page.
+ * @param   iSegReg             The index of the segment register to use for
+ *                              this access.  The base and limits are checked.
+ *                              Use UINT8_MAX to indicate that no segmentation
+ *                              is required (for IDT, GDT and LDT accesses).
+ * @param   GCPtrMem            The address of the guest memory.
+ * @param   fAccess             How the memory is being accessed.  The
+ *                              IEM_ACCESS_TYPE_XXX bit is used to figure out
+ *                              how to map the memory, while the
+ *                              IEM_ACCESS_WHAT_XXX bit is used when raising
+ *                              exceptions.
+ */
+void *iemMemMapJmp(PVMCPUCC pVCpu, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem, uint32_t fAccess) RT_NOEXCEPT
+ * @param   pVCpu       The cross context virtual CPU structure of the calling thread.
+ * @param   cbMem       The number of bytes to map.  This is usually 1,
+ *                      2, 4, 6, 8, 12, 16, 32 or 512.  When used by
+ *                      string operations it can be up to a page.
+ * @param   iSegReg     The index of the segment register to use for
+ *                      this access.  The base and limits are checked.
+ *                      Use UINT8_MAX to indicate that no segmentation
+ *                      is required (for IDT, GDT and LDT accesses).
+ * @param   GCPtrMem    The address of the guest memory.
+ * @param   fAccess     How the memory is being accessed.  The
+ *                      IEM_ACCESS_TYPE_XXX bit is used to figure out
+ *                      how to map the memory, while the
+ *                      IEM_ACCESS_WHAT_XXX bit is used when raising
+ *                      exceptions.
+ * @param   uAlignCtl   Alignment control:
+ *                          - Bits 15:0 is the alignment mask.
+ *                          - Bits 31:16 for flags like IEM_MEMMAP_F_ALIGN_GP,
+ *                            IEM_MEMMAP_F_ALIGN_SSE, and
+ *                            IEM_MEMMAP_F_ALIGN_GP_OR_AC.
+ *                      Pass zero to skip alignment.
+ */
+void *iemMemMapJmp(PVMCPUCC pVCpu, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem, uint32_t fAccess,
+                   uint32_t uAlignCtl) RT_NOEXCEPT
+{
     /*
 …
     if (rcStrict == VINF_SUCCESS) { /*likely*/ }
     else longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rcStrict));
+    /*
+     * Alignment check.
+     */
+    if ( (GCPtrMem & (uAlignCtl & UINT16_MAX)) == 0 )
+    { /* likelyish */ }
+    else
+    {
+        /* Misaligned access. */
+        if ((fAccess & IEM_ACCESS_WHAT_MASK) != IEM_ACCESS_WHAT_SYS)
+        {
+            if (   !(uAlignCtl & IEM_MEMMAP_F_ALIGN_GP)
+                || (   (uAlignCtl & IEM_MEMMAP_F_ALIGN_SSE)
+                    && (pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) )
+            {
+                AssertCompile(X86_CR0_AM == X86_EFL_AC);
+                if (iemMemAreAlignmentChecksEnabled(pVCpu))
+                    iemRaiseAlignmentCheckExceptionJmp(pVCpu);
+            }
+            else if (   (uAlignCtl & IEM_MEMMAP_F_ALIGN_GP_OR_AC)
+                     && iemMemAreAlignmentChecksEnabled(pVCpu)
+/** @todo may only apply to 2, 4 or 8 byte misalignments depending on the CPU
+ *        implementation. See FXSAVE/FRSTOR/XSAVE/XRSTOR/++. */
+                    )
+                iemRaiseAlignmentCheckExceptionJmp(pVCpu);
+            else
+                iemRaiseGeneralProtectionFault0Jmp(pVCpu);
+        }
+    }
     /*
 …
     /* The lazy approach for now... */
     uint8_t const *pu8Src;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu8Src, sizeof(*pu8Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu8Src, sizeof(*pu8Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
     uint8_t const *pu8Src = (uint8_t const *)iemMemMapJmp(pVCpu, sizeof(*pu8Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    uint8_t const *pu8Src = (uint8_t const *)iemMemMapJmp(pVCpu, sizeof(*pu8Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R, 0);
     uint8_t const  bRet   = *pu8Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pu8Src, IEM_ACCESS_DATA_R);
 …
     /* The lazy approach for now... */
     uint16_t const *pu16Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, sizeof(*pu16Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    uint16_t const *pu16Src = (uint16_t const *)iemMemMapJmp(pVCpu, sizeof(*pu16Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    uint16_t const *pu16Src = (uint16_t const *)iemMemMapJmp(pVCpu, sizeof(*pu16Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R,
+                                                             sizeof(*pu16Src) - 1);
     uint16_t const u16Ret = *pu16Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pu16Src, IEM_ACCESS_DATA_R);
 …
     /* The lazy approach for now... */
     uint32_t const *pu32Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, sizeof(*pu32Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* The lazy approach for now... */
     uint32_t const *pu32Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, sizeof(*pu32Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
 uint32_t iemMemFetchDataU32SafeJmp(PVMCPUCC pVCpu, uint8_t iSegReg, RTGCPTR GCPtrMem) RT_NOEXCEPT
+{
+    uint32_t const *pu32Src = (uint32_t const *)iemMemMapJmp(pVCpu, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    uint32_t const *pu32Src = (uint32_t const *)iemMemMapJmp(pVCpu, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R,
+                                                             sizeof(*pu32Src) - 1);
     uint32_t const  u32Ret  = *pu32Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pu32Src, IEM_ACCESS_DATA_R);
 …
 # else
+    uint32_t const *pu32Src = (uint32_t const *)iemMemMapJmp(pVCpu, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    uint32_t const *pu32Src = (uint32_t const *)iemMemMapJmp(pVCpu, sizeof(*pu32Src), iSegReg, GCPtrMem,
+                                                             IEM_ACCESS_DATA_R, sizeof(*pu32Src) - 1);
     uint32_t const  u32Ret  = *pu32Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pu32Src, IEM_ACCESS_DATA_R);
 …
     /* The lazy approach for now... */
     int32_t const *pi32Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pi32Src, sizeof(*pi32Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pi32Src, sizeof(*pi32Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, sizeof(*pi32Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* The lazy approach for now... */
     uint64_t const *pu64Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, sizeof(*pu64Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    uint64_t const *pu64Src = (uint64_t const *)iemMemMapJmp(pVCpu, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    uint64_t const *pu64Src = (uint64_t const *)iemMemMapJmp(pVCpu, sizeof(*pu64Src), iSegReg, GCPtrMem,
+                                                             IEM_ACCESS_DATA_R, sizeof(*pu64Src) - 1);
     uint64_t const u64Ret = *pu64Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pu64Src, IEM_ACCESS_DATA_R);
 …
+{
     /* The lazy approach for now... */
-    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on SSE stuff. */
-    if (RT_UNLIKELY(GCPtrMem & 15))
-        return iemRaiseGeneralProtectionFault0(pVCpu);
     uint64_t const *pu64Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, 15 | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on SSE stuff. */
+    if (RT_LIKELY(!(GCPtrMem & 15)))
+    {
+        uint64_t const *pu64Src = (uint64_t const *)iemMemMapJmp(pVCpu, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+        uint64_t const u64Ret = *pu64Src;
+        iemMemCommitAndUnmapJmp(pVCpu, (void *)pu64Src, IEM_ACCESS_DATA_R);
+        return u64Ret;
+    }
+    VBOXSTRICTRC rc = iemRaiseGeneralProtectionFault0(pVCpu);
+    longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rc));
+    uint64_t const *pu64Src = (uint64_t const *)iemMemMapJmp(pVCpu, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R,
+| IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
+    uint64_t const u64Ret = *pu64Src;
+    iemMemCommitAndUnmapJmp(pVCpu, (void *)pu64Src, IEM_ACCESS_DATA_R);
+    return u64Ret;
+}
 #endif
 …
     /* The lazy approach for now... */
     PCRTFLOAT80U pr80Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pr80Src, sizeof(*pr80Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pr80Src, sizeof(*pr80Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, 7 /** @todo FLD alignment check */ );
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PCRTFLOAT80U pr80Src = (PCRTFLOAT80U)iemMemMapJmp(pVCpu, sizeof(*pr80Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    PCRTFLOAT80U pr80Src = (PCRTFLOAT80U)iemMemMapJmp(pVCpu, sizeof(*pr80Src), iSegReg, GCPtrMem,
+                                                      IEM_ACCESS_DATA_R, 7 /** @todo FLD alignment check */);
     *pr80Dst = *pr80Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pr80Src, IEM_ACCESS_DATA_R);
 …
     /* The lazy approach for now... */
     PCRTPBCD80U pd80Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pd80Src, sizeof(*pd80Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pd80Src, sizeof(*pd80Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, 7 /** @todo FBLD alignment check */);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PCRTPBCD80U pd80Src = (PCRTPBCD80U)iemMemMapJmp(pVCpu, sizeof(*pd80Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    PCRTPBCD80U pd80Src = (PCRTPBCD80U)iemMemMapJmp(pVCpu, sizeof(*pd80Src), iSegReg, GCPtrMem,
+                                                    IEM_ACCESS_DATA_R, 7 /** @todo FBSTP alignment check */);
     *pd80Dst = *pd80Src;
     iemMemCommitAndUnmapJmp(pVCpu, (void *)pd80Src, IEM_ACCESS_DATA_R);
 …
     /* The lazy approach for now... */
     PCRTUINT128U pu128Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Src, sizeof(*pu128Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Src, sizeof(*pu128Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, 0 /* NO_AC variant */);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PCRTUINT128U pu128Src = (PCRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    PCRTUINT128U pu128Src = (PCRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Src), iSegReg, GCPtrMem,
+                                                       IEM_ACCESS_DATA_R, 0 /* NO_AC variant */);
     pu128Dst->au64[0] = pu128Src->au64[0];
     pu128Dst->au64[1] = pu128Src->au64[1];
 …
+{
     /* The lazy approach for now... */
-    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on SSE stuff. */
-    if (   (GCPtrMem & 15)
-        && !(pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) /** @todo should probably check this *after* applying seg.u64Base... Check real HW. */
-        return iemRaiseGeneralProtectionFault0(pVCpu);
     PCRTUINT128U pu128Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Src, sizeof(*pu128Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Src, sizeof(*pu128Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, (sizeof(*pu128Src) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on SSE stuff. */
+    if (   (GCPtrMem & 15) == 0
+        || (pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) /** @todo should probably check this *after* applying seg.u64Base... Check real HW. */
+    {
+        PCRTUINT128U pu128Src = (PCRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+        pu128Dst->au64[0] = pu128Src->au64[0];
+        pu128Dst->au64[1] = pu128Src->au64[1];
+        iemMemCommitAndUnmapJmp(pVCpu, (void *)pu128Src, IEM_ACCESS_DATA_R);
+        return;
+    }
+    VBOXSTRICTRC rcStrict = iemRaiseGeneralProtectionFault0(pVCpu);
+    longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rcStrict));
+    PCRTUINT128U pu128Src = (PCRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R,
+                                                       (sizeof(*pu128Src) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
+    pu128Dst->au64[0] = pu128Src->au64[0];
+    pu128Dst->au64[1] = pu128Src->au64[1];
+    iemMemCommitAndUnmapJmp(pVCpu, (void *)pu128Src, IEM_ACCESS_DATA_R);
+}
 #endif
 …
     /* The lazy approach for now... */
     PCRTUINT256U pu256Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Src, sizeof(*pu256Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Src, sizeof(*pu256Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, 0 /* NO_AC variant */);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PCRTUINT256U pu256Src = (PCRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    PCRTUINT256U pu256Src = (PCRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Src), iSegReg, GCPtrMem,
+                                                       IEM_ACCESS_DATA_R, 0 /* NO_AC variant */);
     pu256Dst->au64[0] = pu256Src->au64[0];
     pu256Dst->au64[1] = pu256Src->au64[1];
 …
+{
     /* The lazy approach for now... */
-    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on AVX stuff. */
-    if (GCPtrMem & 31)
-        return iemRaiseGeneralProtectionFault0(pVCpu);
     PCRTUINT256U pu256Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Src, sizeof(*pu256Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Src, sizeof(*pu256Src), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_R, (sizeof(*pu256Src) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    /** @todo testcase: Ordering of \#SS(0) vs \#GP() vs \#PF on AVX stuff. */
+    if ((GCPtrMem & 31) == 0)
+    {
+        PCRTUINT256U pu256Src = (PCRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R);
+        pu256Dst->au64[0] = pu256Src->au64[0];
+        pu256Dst->au64[1] = pu256Src->au64[1];
+        pu256Dst->au64[2] = pu256Src->au64[2];
+        pu256Dst->au64[3] = pu256Src->au64[3];
+        iemMemCommitAndUnmapJmp(pVCpu, (void *)pu256Src, IEM_ACCESS_DATA_R);
+        return;
+    }
+    VBOXSTRICTRC rcStrict = iemRaiseGeneralProtectionFault0(pVCpu);
+    longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rcStrict));
+    PCRTUINT256U pu256Src = (PCRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Src), iSegReg, GCPtrMem, IEM_ACCESS_DATA_R,
+                                                       (sizeof(*pu256Src) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
+    pu256Dst->au64[0] = pu256Src->au64[0];
+    pu256Dst->au64[1] = pu256Src->au64[1];
+    pu256Dst->au64[2] = pu256Src->au64[2];
+    pu256Dst->au64[3] = pu256Src->au64[3];
+    iemMemCommitAndUnmapJmp(pVCpu, (void *)pu256Src, IEM_ACCESS_DATA_R);
+}
 #endif
 …
     /* The lazy approach for now... */
     uint8_t *pu8Dst;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu8Dst, sizeof(*pu8Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu8Dst, sizeof(*pu8Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
     uint8_t *pu8Dst = (uint8_t *)iemMemMapJmp(pVCpu, sizeof(*pu8Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    uint8_t *pu8Dst = (uint8_t *)iemMemMapJmp(pVCpu, sizeof(*pu8Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W, 0);
     *pu8Dst = u8Value;
     iemMemCommitAndUnmapJmp(pVCpu, pu8Dst, IEM_ACCESS_DATA_W);
 …
     /* The lazy approach for now... */
     uint16_t *pu16Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, sizeof(*pu16Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    uint16_t *pu16Dst = (uint16_t *)iemMemMapJmp(pVCpu, sizeof(*pu16Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    uint16_t *pu16Dst = (uint16_t *)iemMemMapJmp(pVCpu, sizeof(*pu16Dst), iSegReg, GCPtrMem,
+                                                 IEM_ACCESS_DATA_W, sizeof(*pu16Dst) - 1);
     *pu16Dst = u16Value;
     iemMemCommitAndUnmapJmp(pVCpu, pu16Dst, IEM_ACCESS_DATA_W);
 …
     /* The lazy approach for now... */
     uint32_t *pu32Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, sizeof(*pu32Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    uint32_t *pu32Dst = (uint32_t *)iemMemMapJmp(pVCpu, sizeof(*pu32Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    uint32_t *pu32Dst = (uint32_t *)iemMemMapJmp(pVCpu, sizeof(*pu32Dst), iSegReg, GCPtrMem,
+                                                 IEM_ACCESS_DATA_W, sizeof(*pu32Dst) - 1);
     *pu32Dst = u32Value;
     iemMemCommitAndUnmapJmp(pVCpu, pu32Dst, IEM_ACCESS_DATA_W);
 …
     /* The lazy approach for now... */
     uint64_t *pu64Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, sizeof(*pu64Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    uint64_t *pu64Dst = (uint64_t *)iemMemMapJmp(pVCpu, sizeof(*pu64Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    uint64_t *pu64Dst = (uint64_t *)iemMemMapJmp(pVCpu, sizeof(*pu64Dst), iSegReg, GCPtrMem,
+                                                 IEM_ACCESS_DATA_W, sizeof(*pu64Dst) - 1);
     *pu64Dst = u64Value;
     iemMemCommitAndUnmapJmp(pVCpu, pu64Dst, IEM_ACCESS_DATA_W);
 …
     /* The lazy approach for now... */
     PRTUINT128U pu128Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Dst, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Dst, sizeof(*pu128Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, 0 /* NO_AC variant */);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PRTUINT128U pu128Dst = (PRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    PRTUINT128U pu128Dst = (PRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Dst), iSegReg, GCPtrMem,
+                                                     IEM_ACCESS_DATA_W, 0 /* NO_AC variant */);
     pu128Dst->au64[0] = u128Value.au64[0];
     pu128Dst->au64[1] = u128Value.au64[1];
 …
+{
     /* The lazy approach for now... */
-    if (   (GCPtrMem & 15)
-        && !(pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) /** @todo should probably check this *after* applying seg.u64Base... Check real HW. */
-        return iemRaiseGeneralProtectionFault0(pVCpu);
     PRTUINT128U pu128Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Dst, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu128Dst, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W,
+                                (sizeof(*pu128Dst) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    if (   (GCPtrMem & 15) == 0
+        || (pVCpu->cpum.GstCtx.XState.x87.MXCSR & X86_MXCSR_MM)) /** @todo should probably check this *after* applying seg.u64Base... Check real HW. */
+    {
+        PRTUINT128U pu128Dst = (PRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+        pu128Dst->au64[0] = u128Value.au64[0];
+        pu128Dst->au64[1] = u128Value.au64[1];
+        iemMemCommitAndUnmapJmp(pVCpu, pu128Dst, IEM_ACCESS_DATA_W);
+        return;
+    }
+    VBOXSTRICTRC rcStrict = iemRaiseGeneralProtectionFault0(pVCpu);
+    longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rcStrict));
+    PRTUINT128U pu128Dst = (PRTUINT128U)iemMemMapJmp(pVCpu, sizeof(*pu128Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W,
+                                                     (sizeof(*pu128Dst) - 1) | IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_SSE);
+    pu128Dst->au64[0] = u128Value.au64[0];
+    pu128Dst->au64[1] = u128Value.au64[1];
+    iemMemCommitAndUnmapJmp(pVCpu, pu128Dst, IEM_ACCESS_DATA_W);
+}
 #endif
 …
     /* The lazy approach for now... */
     PRTUINT256U pu256Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Dst, sizeof(*pu256Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Dst, sizeof(*pu256Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, 0 /* NO_AC variant */);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    PRTUINT256U pu256Dst = (PRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    PRTUINT256U pu256Dst = (PRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Dst), iSegReg, GCPtrMem,
+                                                     IEM_ACCESS_DATA_W, 0 /* NO_AC variant */);
     pu256Dst->au64[0] = pu256Value->au64[0];
     pu256Dst->au64[1] = pu256Value->au64[1];
 …
 /**
  * Stores a data dqword, AVX aligned.
+ * Stores a data dqword, AVX \#GP(0) aligned.
+ *
  * @returns Strict VBox status code.
 …
+{
     /* The lazy approach for now... */
-    if (GCPtrMem & 31)
-        return iemRaiseGeneralProtectionFault0(pVCpu);
     PRTUINT256U pu256Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Dst, sizeof(*pu256Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu256Dst, sizeof(*pu256Dst), iSegReg, GCPtrMem,
+                                IEM_ACCESS_DATA_W, (sizeof(*pu256Dst) - 1) | IEM_MEMMAP_F_ALIGN_GP);
     if (rc == VINF_SUCCESS)
+    {
 …
+{
     /* The lazy approach for now... */
+    if ((GCPtrMem & 31) == 0)
+    {
+        PRTUINT256U pu256Dst = (PRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Dst), iSegReg, GCPtrMem, IEM_ACCESS_DATA_W);
+        pu256Dst->au64[0] = pu256Value->au64[0];
+        pu256Dst->au64[1] = pu256Value->au64[1];
+        pu256Dst->au64[2] = pu256Value->au64[2];
+        pu256Dst->au64[3] = pu256Value->au64[3];
+        iemMemCommitAndUnmapJmp(pVCpu, pu256Dst, IEM_ACCESS_DATA_W);
+        return;
+    }
+    VBOXSTRICTRC rcStrict = iemRaiseGeneralProtectionFault0(pVCpu);
+    longjmp(*pVCpu->iem.s.CTX_SUFF(pJmpBuf), VBOXSTRICTRC_VAL(rcStrict));
+    PRTUINT256U pu256Dst = (PRTUINT256U)iemMemMapJmp(pVCpu, sizeof(*pu256Dst), iSegReg, GCPtrMem,
+                                                     IEM_ACCESS_DATA_W, (sizeof(*pu256Dst) - 1) | IEM_MEMMAP_F_ALIGN_GP);
+    pu256Dst->au64[0] = pu256Value->au64[0];
+    pu256Dst->au64[1] = pu256Value->au64[1];
+    pu256Dst->au64[2] = pu256Value->au64[2];
+    pu256Dst->au64[3] = pu256Value->au64[3];
+    iemMemCommitAndUnmapJmp(pVCpu, pu256Dst, IEM_ACCESS_DATA_W);
+}
 #endif
 …
     /*
      * The SIDT and SGDT instructions actually stores the data using two
+     * independent writes.  The instructions does not respond to opsize prefixes.
+     * independent writes (see bs3CpuBasic2_sidt_sgdt_One).  The instructions
+     * does not respond to opsize prefixes.
      */
     VBOXSTRICTRC rcStrict = iemMemStoreDataU16(pVCpu, iSegReg, GCPtrMem, cbLimit);
 …
     /* Write the word the lazy way. */
     uint16_t *pu16Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu16Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the dword the lazy way. */
     uint32_t *pu32Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu32Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
      * ancient hardware when it actually did change. */
     uint16_t *pu16Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(uint32_t), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_RW);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(uint32_t), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_RW, sizeof(*pu16Dst) - 1); /** @todo 2 or 4 alignment check for PUSH SS? */
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint64_t *pu64Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu64Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint16_t const *pu16Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_R, sizeof(*pu16Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint32_t const *pu32Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_R, sizeof(*pu32Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint64_t const *pu64Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_R, sizeof(*pu64Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint16_t *pu16Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Dst, sizeof(*pu16Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu16Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint32_t *pu32Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Dst, sizeof(*pu32Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu32Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint64_t *pu64Dst;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Dst, sizeof(*pu64Dst), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_W, sizeof(*pu64Dst) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint16_t const *pu16Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_R, sizeof(*pu16Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint32_t const *pu32Src;
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), X86_SREG_SS, GCPtrTop,
+                                IEM_ACCESS_STACK_R, sizeof(*pu32Src) - 1);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* Write the word the lazy way. */
     uint64_t const *pu64Src;
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), X86_SREG_SS, GCPtrTop,
+                                      IEM_ACCESS_STACK_R, sizeof(*pu64Src) - 1);
     if (rcStrict == VINF_SUCCESS)
+    {
 …
  * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
  * @param   cbMem               The number of bytes to push onto the stack.
+ * @param   cbAlign             The alignment mask (7, 3, 1).
  * @param   ppvMem              Where to return the pointer to the stack memory.
  *                              As with the other memory functions this could be
 …
  *                              iemMemStackPushCommitSpecial().
  */
+VBOXSTRICTRC iemMemStackPushBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, void **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT
+VBOXSTRICTRC iemMemStackPushBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, uint32_t cbAlign,
+                                         void **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT
+{
     Assert(cbMem < UINT8_MAX);
     RTGCPTR     GCPtrTop = iemRegGetRspForPush(pVCpu, (uint8_t)cbMem, puNewRsp);
+    return iemMemMap(pVCpu, ppvMem, cbMem, X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_W);
+    return iemMemMap(pVCpu, ppvMem, cbMem, X86_SREG_SS, GCPtrTop,
+                     IEM_ACCESS_STACK_W, cbAlign);
+}
 …
 /**
  * Begin a special stack pop (used by iret, retf and such).
+ *
+ * This will raise \#SS or \#PF if appropriate.
+ *
+ * @returns Strict VBox status code.
+ * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
+ * @param   cbMem               The number of bytes to pop from the stack.
+ * @param   cbAlign             The alignment mask (7, 3, 1).
+ * @param   ppvMem              Where to return the pointer to the stack memory.
+ * @param   puNewRsp            Where to return the new RSP value.  This must be
+ *                              assigned to CPUMCTX::rsp manually some time
+ *                              after iemMemStackPopDoneSpecial() has been
+ *                              called.
+ */
+VBOXSTRICTRC iemMemStackPopBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, uint32_t cbAlign,
+                                        void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT
+{
+    Assert(cbMem < UINT8_MAX);
+    RTGCPTR     GCPtrTop = iemRegGetRspForPop(pVCpu, (uint8_t)cbMem, puNewRsp);
+    return iemMemMap(pVCpu, (void **)ppvMem, cbMem, X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R, cbAlign);
+}
+/**
+ * Continue a special stack pop (used by iret and retf).
+ *
  * This will raise \#SS or \#PF if appropriate.
 …
  *                              called.
  */
-VBOXSTRICTRC iemMemStackPopBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT
+{
-    Assert(cbMem < UINT8_MAX);
-    RTGCPTR     GCPtrTop = iemRegGetRspForPop(pVCpu, (uint8_t)cbMem, puNewRsp);
-    return iemMemMap(pVCpu, (void **)ppvMem, cbMem, X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+}
-/**
- * Continue a special stack pop (used by iret and retf).
+ *
- * This will raise \#SS or \#PF if appropriate.
+ *
- * @returns Strict VBox status code.
- * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
- * @param   cbMem               The number of bytes to pop from the stack.
- * @param   ppvMem              Where to return the pointer to the stack memory.
- * @param   puNewRsp            Where to return the new RSP value.  This must be
- *                              assigned to CPUMCTX::rsp manually some time
- *                              after iemMemStackPopDoneSpecial() has been
- *                              called.
- */
 VBOXSTRICTRC iemMemStackPopContinueSpecial(PVMCPUCC pVCpu, size_t cbMem, void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT
+{
 …
     RTGCPTR     GCPtrTop = iemRegGetRspForPopEx(pVCpu, &NewRsp, 8);
     *puNewRsp = NewRsp.u;
+    return iemMemMap(pVCpu, (void **)ppvMem, cbMem, X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R);
+    return iemMemMap(pVCpu, (void **)ppvMem, cbMem, X86_SREG_SS, GCPtrTop, IEM_ACCESS_STACK_R,
+/* checked in iemMemStackPopBeginSpecial */);
+}
 …
     /* The lazy approach for now... */
     uint8_t const *pbSrc;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pbSrc, sizeof(*pbSrc), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pbSrc, sizeof(*pbSrc), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* The lazy approach for now... */
     uint16_t const *pu16Src;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu16Src, sizeof(*pu16Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* The lazy approach for now... */
     uint32_t const *pu32Src;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu32Src, sizeof(*pu32Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
     /* The lazy approach for now... */
     uint64_t const *pu64Src;
     VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R);
+    VBOXSTRICTRC rc = iemMemMap(pVCpu, (void **)&pu64Src, sizeof(*pu64Src), iSegReg, GCPtrMem, IEM_ACCESS_SYS_R, 0);
     if (rc == VINF_SUCCESS)
+    {
 …
         /* The normal case, map the 32-bit bits around the accessed bit (40). */
         GCPtr += 2 + 2;
         rcStrict = iemMemMap(pVCpu, (void **)&pu32, 4, UINT8_MAX, GCPtr, IEM_ACCESS_SYS_RW);
+        rcStrict = iemMemMap(pVCpu, (void **)&pu32, 4, UINT8_MAX, GCPtr, IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
+    {
         /* The misaligned GDT/LDT case, map the whole thing. */
         rcStrict = iemMemMap(pVCpu, (void **)&pu32, 8, UINT8_MAX, GCPtr, IEM_ACCESS_SYS_RW);
+        rcStrict = iemMemMap(pVCpu, (void **)&pu32, 8, UINT8_MAX, GCPtr, IEM_ACCESS_SYS_RW, 0);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp

-              r95403
+              r95410
+    {
         uint16_t const *pa16Mem = NULL;
         rcStrict = iemMemMap(pVCpu, (void **)&pa16Mem, 16, X86_SREG_SS, GCPtrStart, IEM_ACCESS_STACK_R);
+        rcStrict = iemMemMap(pVCpu, (void **)&pa16Mem, 16, X86_SREG_SS, GCPtrStart, IEM_ACCESS_STACK_R, sizeof(*pa16Mem) - 1);
         if (rcStrict == VINF_SUCCESS)
+        {
 …
+    {
         uint32_t const *pa32Mem;
         rcStrict = iemMemMap(pVCpu, (void **)&pa32Mem, 32, X86_SREG_SS, GCPtrStart, IEM_ACCESS_STACK_R);
+        rcStrict = iemMemMap(pVCpu, (void **)&pa32Mem, 32, X86_SREG_SS, GCPtrStart, IEM_ACCESS_STACK_R, sizeof(*pa32Mem) - 1);
         if (rcStrict == VINF_SUCCESS)
+        {
 …
         GCPtrBottom--;
         uint16_t *pa16Mem = NULL;
         rcStrict = iemMemMap(pVCpu, (void **)&pa16Mem, 16, X86_SREG_SS, GCPtrBottom, IEM_ACCESS_STACK_W);
+        rcStrict = iemMemMap(pVCpu, (void **)&pa16Mem, 16, X86_SREG_SS, GCPtrBottom, IEM_ACCESS_STACK_W, sizeof(*pa16Mem) - 1);
         if (rcStrict == VINF_SUCCESS)
+        {
 …
         GCPtrBottom--;
         uint32_t *pa32Mem;
         rcStrict = iemMemMap(pVCpu, (void **)&pa32Mem, 32, X86_SREG_SS, GCPtrBottom, IEM_ACCESS_STACK_W);
+        rcStrict = iemMemMap(pVCpu, (void **)&pa32Mem, 32, X86_SREG_SS, GCPtrBottom, IEM_ACCESS_STACK_W, sizeof(*pa32Mem) - 1);
         if (rcStrict == VINF_SUCCESS)
+        {
 …
             GCPtrTSS = pVCpu->cpum.GstCtx.tr.u64Base + offNewStack;
             rcStrict = iemMemMap(pVCpu, &uPtrTSS.pv, cbNewStack, UINT8_MAX, GCPtrTSS, IEM_ACCESS_SYS_R);
+            rcStrict = iemMemMap(pVCpu, &uPtrTSS.pv, cbNewStack, UINT8_MAX, GCPtrTSS, IEM_ACCESS_SYS_R, 0);
             if (rcStrict != VINF_SUCCESS)
+            {
 …
             void    *pvNewFrame;
             RTGCPTR  GCPtrNewStack = X86DESC_BASE(&DescSS.Legacy) + uNewRsp - cbNewStack;
             rcStrict = iemMemMap(pVCpu, &pvNewFrame, cbNewStack, UINT8_MAX, GCPtrNewStack, IEM_ACCESS_SYS_RW);
+            rcStrict = iemMemMap(pVCpu, &pvNewFrame, cbNewStack, UINT8_MAX, GCPtrNewStack, IEM_ACCESS_SYS_RW, 0);
             if (rcStrict != VINF_SUCCESS)
+            {
 …
             pVCpu->cpum.GstCtx.ss.fFlags   = CPUMSELREG_FLAGS_VALID;
             pVCpu->cpum.GstCtx.rsp         = uNewRsp;
             pVCpu->iem.s.uCpl = uNewCSDpl;
+            pVCpu->iem.s.uCpl = uNewCSDpl; /** @todo is the parameter words accessed using the new CPL or the old CPL? */
             Assert(CPUMSELREG_ARE_HIDDEN_PARTS_VALID(pVCpu, &pVCpu->cpum.GstCtx.ss));
             CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_HIDDEN_SEL_REGS);
 …
             /** @todo this can still fail due to SS.LIMIT not check.   */
             rcStrict = iemMemStackPushBeginSpecial(pVCpu, cbNewStack,
+                                                   IEM_IS_LONG_MODE(pVCpu) ? 7
+                                                   : pDesc->Legacy.Gate.u4Type == X86_SEL_TYPE_SYS_386_CALL_GATE ? 3 : 1,
                                                    &uPtrRet.pv, &uNewRsp);
             AssertMsgReturn(rcStrict == VINF_SUCCESS, ("BranchCallGate: New stack mapping failed (%Rrc)\n", VBOXSTRICTRC_VAL(rcStrict)),
 …
                 if (pDesc->Legacy.Gate.u4Type == X86_SEL_TYPE_SYS_386_CALL_GATE)
+                {
-                    /* Push the old CS:rIP. */
-                    uPtrRet.pu32[0] = pVCpu->cpum.GstCtx.eip + cbInstr;
-                    uPtrRet.pu32[1] = pVCpu->cpum.GstCtx.cs.Sel; /** @todo Testcase: What is written to the high word when pushing CS? */
                     if (cbWords)
+                    {
                         /* Map the relevant chunk of the old stack. */
+                        rcStrict = iemMemMap(pVCpu, &uPtrParmWds.pv, cbWords * 4, UINT8_MAX, GCPtrParmWds, IEM_ACCESS_DATA_R);
+                        rcStrict = iemMemMap(pVCpu, &uPtrParmWds.pv, cbWords * 4, UINT8_MAX, GCPtrParmWds,
+                                             IEM_ACCESS_DATA_R, 0 /** @todo Can uNewCSDpl == 3? Then we need alignment mask here! */);
                         if (rcStrict != VINF_SUCCESS)
+                        {
 …
+                    }
+                    /* Push the old CS:rIP. */
+                    uPtrRet.pu32[0] = pVCpu->cpum.GstCtx.eip + cbInstr;
+                    uPtrRet.pu32[1] = pVCpu->cpum.GstCtx.cs.Sel; /** @todo Testcase: What is written to the high word when pushing CS? */
                     /* Push the old SS:rSP. */
                     uPtrRet.pu32[2 + cbWords + 0] = uOldRsp;
 …
                     Assert(pDesc->Legacy.Gate.u4Type == X86_SEL_TYPE_SYS_286_CALL_GATE);
-                    /* Push the old CS:rIP. */
-                    uPtrRet.pu16[0] = pVCpu->cpum.GstCtx.ip + cbInstr;
-                    uPtrRet.pu16[1] = pVCpu->cpum.GstCtx.cs.Sel;
                     if (cbWords)
+                    {
                         /* Map the relevant chunk of the old stack. */
+                        rcStrict = iemMemMap(pVCpu, &uPtrParmWds.pv, cbWords * 2, UINT8_MAX, GCPtrParmWds, IEM_ACCESS_DATA_R);
+                        rcStrict = iemMemMap(pVCpu, &uPtrParmWds.pv, cbWords * 2, UINT8_MAX, GCPtrParmWds,
+                                             IEM_ACCESS_DATA_R, 0 /** @todo Can uNewCSDpl == 3? Then we need alignment mask here! */);
                         if (rcStrict != VINF_SUCCESS)
+                        {
 …
+                        }
+                    }
+                    /* Push the old CS:rIP. */
+                    uPtrRet.pu16[0] = pVCpu->cpum.GstCtx.ip + cbInstr;
+                    uPtrRet.pu16[1] = pVCpu->cpum.GstCtx.cs.Sel;
                     /* Push the old SS:rSP. */
 …
                                                    IEM_IS_LONG_MODE(pVCpu) ? 8+8
                                                    : pDesc->Legacy.Gate.u4Type == X86_SEL_TYPE_SYS_386_CALL_GATE ? 4+4 : 2+2,
+                                                   IEM_IS_LONG_MODE(pVCpu) ? 7
+                                                   : pDesc->Legacy.Gate.u4Type == X86_SEL_TYPE_SYS_386_CALL_GATE ? 3 : 2,
                                                    &uPtrRet.pv, &uNewRsp);
             if (rcStrict != VINF_SUCCESS)
 …
         /* Check stack first - may #SS(0). */
         rcStrict = iemMemStackPushBeginSpecial(pVCpu, enmEffOpSize == IEMMODE_32BIT ? 4+4 : 2+2,
+                                               enmEffOpSize == IEMMODE_32BIT ? 3 : 1,
                                                &uPtrRet.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
 …
      *        16-bit code cause a two or four byte CS to be pushed? */
     rcStrict = iemMemStackPushBeginSpecial(pVCpu,
                                            enmEffOpSize == IEMMODE_64BIT   ? 8+8
                                            : enmEffOpSize == IEMMODE_32BIT ? 4+4 : 2+2,
+                                           enmEffOpSize == IEMMODE_64BIT ? 8+8 : enmEffOpSize == IEMMODE_32BIT ? 4+4 : 2+2,
+                                           enmEffOpSize == IEMMODE_64BIT ? 7   : enmEffOpSize == IEMMODE_32BIT ? 3   : 1,
                                            &uPtrRet.pv, &uNewRsp);
     if (rcStrict != VINF_SUCCESS)
 …
     uint32_t        cbRetPtr = enmEffOpSize == IEMMODE_16BIT ? 2+2
                              : enmEffOpSize == IEMMODE_32BIT ? 4+4 : 8+8;
+    rcStrict = iemMemStackPopBeginSpecial(pVCpu, cbRetPtr, &uPtrFrame.pv, &uNewRsp);
+    rcStrict = iemMemStackPopBeginSpecial(pVCpu, cbRetPtr,
+                                          enmEffOpSize == IEMMODE_16BIT ? 1 : enmEffOpSize == IEMMODE_32BIT ? 3 : 7,
+                                          &uPtrFrame.pv, &uNewRsp);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     if (enmEffOpSize == IEMMODE_32BIT)
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 12, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 12, 1, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     else
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 6, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 6, 1, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     if (enmEffOpSize == IEMMODE_32BIT)
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 12, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 12, 3, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     else
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 6, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 6, 1, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     if (enmEffOpSize == IEMMODE_64BIT)
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*8, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*8, 7, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     else if (enmEffOpSize == IEMMODE_32BIT)
+    {
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*4, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*4, 3, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
+    {
         Assert(enmEffOpSize == IEMMODE_16BIT);
         rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*2, &uFrame.pv, &uNewRsp);
+        rcStrict = iemMemStackPopBeginSpecial(pVCpu, 5*2, 1, &uFrame.pv, &uNewRsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     uint8_t const *pa8Mem;
     RTGCPHYS GCPtrStart = 0x800;    /* Fixed table location. */
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&pbMem, 0x66, UINT8_MAX, GCPtrStart, IEM_ACCESS_SYS_R);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&pbMem, 0x66, UINT8_MAX, GCPtrStart, IEM_ACCESS_SYS_R, 0);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
      */
     void *pvDesc;
+    rcStrict = iemMemMap(pVCpu, &pvDesc, 8, UINT8_MAX, pVCpu->cpum.GstCtx.gdtr.pGdt + (uNewTr & X86_SEL_MASK_OFF_RPL), IEM_ACCESS_DATA_RW);
+    rcStrict = iemMemMap(pVCpu, &pvDesc, 8, UINT8_MAX, pVCpu->cpum.GstCtx.gdtr.pGdt + (uNewTr & X86_SEL_MASK_OFF_RPL),
+                         IEM_ACCESS_DATA_RW, 0);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     if (pVCpu->cpum.GstCtx.cr0 & (X86_CR0_TS | X86_CR0_EM))
         return iemRaiseDeviceNotAvailable(pVCpu);
-    if (GCPtrEff & 15)
+    {
-        /** @todo CPU/VM detection possible! \#AC might not be signal for
-         * all/any misalignment sizes, intel says its an implementation detail. */
-        if (   (pVCpu->cpum.GstCtx.cr0 & X86_CR0_AM)
-            && pVCpu->cpum.GstCtx.eflags.Bits.u1AC
-            && pVCpu->iem.s.uCpl == 3)
-            return iemRaiseAlignmentCheckException(pVCpu);
-        return iemRaiseGeneralProtectionFault0(pVCpu);
+    }
     /*
 …
      */
     void *pvMem512;
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE,
+| IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_GP_OR_AC);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     if (pVCpu->cpum.GstCtx.cr0 & (X86_CR0_TS | X86_CR0_EM))
         return iemRaiseDeviceNotAvailable(pVCpu);
-    if (GCPtrEff & 15)
+    {
-        /** @todo CPU/VM detection possible! \#AC might not be signal for
-         * all/any misalignment sizes, intel says its an implementation detail. */
-        if (   (pVCpu->cpum.GstCtx.cr0 & X86_CR0_AM)
-            && pVCpu->cpum.GstCtx.eflags.Bits.u1AC
-            && pVCpu->iem.s.uCpl == 3)
-            return iemRaiseAlignmentCheckException(pVCpu);
-        return iemRaiseGeneralProtectionFault0(pVCpu);
+    }
     /*
 …
      */
     void *pvMem512;
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_R,
+| IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_GP_OR_AC);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     if (pVCpu->cpum.GstCtx.cr0 & X86_CR0_TS)
         return iemRaiseDeviceNotAvailable(pVCpu);
-    if (GCPtrEff & 63)
+    {
-        /** @todo CPU/VM detection possible! \#AC might not be signal for
-         * all/any misalignment sizes, intel says its an implementation detail. */
-        if (   (pVCpu->cpum.GstCtx.cr0 & X86_CR0_AM)
-            && pVCpu->cpum.GstCtx.eflags.Bits.u1AC
-            && pVCpu->iem.s.uCpl == 3)
-            return iemRaiseAlignmentCheckException(pVCpu);
-        return iemRaiseGeneralProtectionFault0(pVCpu);
+    }
     /*
 …
     /* The x87+SSE state.  */
     void *pvMem512;
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE,
+| IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_GP_OR_AC);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     /* The header.  */
     PX86XSAVEHDR pHdr;
     rcStrict = iemMemMap(pVCpu, (void **)&pHdr, sizeof(&pHdr), iEffSeg, GCPtrEff + 512, IEM_ACCESS_DATA_RW);
+    rcStrict = iemMemMap(pVCpu, (void **)&pHdr, sizeof(&pHdr), iEffSeg, GCPtrEff + 512, IEM_ACCESS_DATA_RW, 0 /* checked above */);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
         PX86XSAVEYMMHI  pCompDst;
         rcStrict = iemMemMap(pVCpu, (void **)&pCompDst, sizeof(*pCompDst), iEffSeg, GCPtrEff + pVCpu->cpum.GstCtx.aoffXState[XSAVE_C_YMM_BIT],
                              IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE);
+                             IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE, 0 /* checked above */);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
 …
     /* The x87+SSE state.  */
     void *pvMem512;
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_R);
+    VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &pvMem512, 512, iEffSeg, GCPtrEff, IEM_ACCESS_DATA_R,
+| IEM_MEMMAP_F_ALIGN_GP | IEM_MEMMAP_F_ALIGN_GP_OR_AC);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     PX86XSAVEHDR  pHdrDst = &pVCpu->cpum.GstCtx.XState.Hdr;
     PCX86XSAVEHDR pHdrSrc;
+    rcStrict = iemMemMap(pVCpu, (void **)&pHdrSrc, sizeof(&pHdrSrc), iEffSeg, GCPtrEff + 512, IEM_ACCESS_DATA_R);
+    rcStrict = iemMemMap(pVCpu, (void **)&pHdrSrc, sizeof(&pHdrSrc), iEffSeg, GCPtrEff + 512,
+                         IEM_ACCESS_DATA_R, 0 /* checked above */);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
             PCX86XSAVEYMMHI pCompSrc;
             rcStrict = iemMemMap(pVCpu, (void **)&pCompSrc, sizeof(*pCompDst),
+                                 iEffSeg, GCPtrEff + pVCpu->cpum.GstCtx.aoffXState[XSAVE_C_YMM_BIT], IEM_ACCESS_DATA_R);
+                                 iEffSeg, GCPtrEff + pVCpu->cpum.GstCtx.aoffXState[XSAVE_C_YMM_BIT],
+                                 IEM_ACCESS_DATA_R, 0 /* checked above */);
             if (rcStrict != VINF_SUCCESS)
                 return rcStrict;
 …
     RTPTRUNION   uPtr;
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &uPtr.pv, enmEffOpSize == IEMMODE_16BIT ? 14 : 28,
+                                      iEffSeg, GCPtrEffDst, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE);
+                                      iEffSeg, GCPtrEffDst, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE,
+                                      enmEffOpSize == IEMMODE_16BIT ? 1 : 3 /** @todo ? */);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     RTPTRUNION   uPtr;
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, &uPtr.pv, enmEffOpSize == IEMMODE_16BIT ? 94 : 108,
                                       iEffSeg, GCPtrEffDst, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE);
+                                      iEffSeg, GCPtrEffDst, IEM_ACCESS_DATA_W | IEM_ACCESS_PARTIAL_WRITE, 3 /** @todo ? */);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     RTCPTRUNION  uPtr;
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&uPtr.pv, enmEffOpSize == IEMMODE_16BIT ? 14 : 28,
+                                      iEffSeg, GCPtrEffSrc, IEM_ACCESS_DATA_R);
+                                      iEffSeg, GCPtrEffSrc, IEM_ACCESS_DATA_R,
+                                      enmEffOpSize == IEMMODE_16BIT ? 1 : 3 /** @todo ?*/);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
     RTCPTRUNION  uPtr;
     VBOXSTRICTRC rcStrict = iemMemMap(pVCpu, (void **)&uPtr.pv, enmEffOpSize == IEMMODE_16BIT ? 94 : 108,
                                       iEffSeg, GCPtrEffSrc, IEM_ACCESS_DATA_R);
+                                      iEffSeg, GCPtrEffSrc, IEM_ACCESS_DATA_R, 3 /** @todo ?*/ );
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;

trunk/src/VBox/VMM/VMMAll/IEMAllCImplStrInstr.cpp.h

-              r94768
+              r95410
     OP_TYPE        *puMem;
+    rcStrict = iemMemMap(pVCpu, (void **)&puMem, OP_SIZE / 8, X86_SREG_ES, pVCpu->cpum.GstCtx.ADDR_rDI, IEM_ACCESS_DATA_W);
+    rcStrict = iemMemMap(pVCpu, (void **)&puMem, OP_SIZE / 8, X86_SREG_ES, pVCpu->cpum.GstCtx.ADDR_rDI,
+                         IEM_ACCESS_DATA_W, OP_SIZE / 8 - 1);
     if (rcStrict != VINF_SUCCESS)
         return rcStrict;
 …
+        {
             OP_TYPE *puMem;
+            rcStrict = iemMemMap(pVCpu, (void **)&puMem, OP_SIZE / 8, X86_SREG_ES, uAddrReg, IEM_ACCESS_DATA_W);
+            rcStrict = iemMemMap(pVCpu, (void **)&puMem, OP_SIZE / 8, X86_SREG_ES, uAddrReg,
+                                 IEM_ACCESS_DATA_W, OP_SIZE / 8 - 1);
             if (rcStrict != VINF_SUCCESS)
                 return rcStrict;

trunk/src/VBox/VMM/include/IEMInline.h

-              r94838
+              r95410
  */
+/**
+ * Checks whether alignment checks are enabled or not.
+ *
+ * @returns true if enabled, false if not.
+ * @param   pVCpu               The cross context virtual CPU structure of the calling thread.
+ */
+DECLINLINE(bool) iemMemAreAlignmentChecksEnabled(PVMCPUCC pVCpu)
+{
+    AssertCompile(X86_CR0_AM == X86_EFL_AC);
+    return pVCpu->iem.s.uCpl == 3
+        && (((uint32_t)pVCpu->cpum.GstCtx.cr0 & pVCpu->cpum.GstCtx.eflags.u) & X86_CR0_AM);
+}
 /**
  * Checks if the given segment can be written to, raise the appropriate

trunk/src/VBox/VMM/include/IEMInternal.h

-              r95403
+              r95410
 /** @name   Memory access.
  * @{ */
+VBOXSTRICTRC    iemMemMap(PVMCPUCC pVCpu, void **ppvMem, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem, uint32_t fAccess) RT_NOEXCEPT;
+/** Report a \#GP instead of \#AC and do not restrict to ring-3 */
+#define IEM_MEMMAP_F_ALIGN_GP       RT_BIT_32(16)
+/** SSE access that should report a \#GP instead of \#AC, unless MXCSR.MM=1
+ *  when it works like normal \#AC. Always used with IEM_MEMMAP_F_ALIGN_GP. */
+#define IEM_MEMMAP_F_ALIGN_SSE      RT_BIT_32(17)
+/** If \#AC is applicable, raise it. Always used with IEM_MEMMAP_F_ALIGN_GP.
+ * Users include FXSAVE & FXRSTOR. */
+#define IEM_MEMMAP_F_ALIGN_GP_OR_AC RT_BIT_32(18)
+VBOXSTRICTRC    iemMemMap(PVMCPUCC pVCpu, void **ppvMem, size_t cbMem, uint8_t iSegReg, RTGCPTR GCPtrMem,
+                          uint32_t fAccess, uint32_t uAlignCtl) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemCommitAndUnmap(PVMCPUCC pVCpu, void *pvMem, uint32_t fAccess) RT_NOEXCEPT;
 #ifndef IN_RING3
 …
 #endif
+VBOXSTRICTRC    iemMemStackPushBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, void **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT;
+VBOXSTRICTRC    iemMemStackPushBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, uint32_t cbAlign,
+                                            void **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemStackPushCommitSpecial(PVMCPUCC pVCpu, void *pvMem, uint64_t uNewRsp) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemStackPushU16(PVMCPUCC pVCpu, uint16_t u16Value) RT_NOEXCEPT;
 …
 VBOXSTRICTRC    iemMemStackPushU64Ex(PVMCPUCC pVCpu, uint64_t u64Value, PRTUINT64U pTmpRsp) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemStackPushU32SReg(PVMCPUCC pVCpu, uint32_t u32Value) RT_NOEXCEPT;
+VBOXSTRICTRC    iemMemStackPopBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT;
+VBOXSTRICTRC    iemMemStackPopBeginSpecial(PVMCPUCC pVCpu, size_t cbMem, uint32_t cbAlign,
+                                           void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemStackPopContinueSpecial(PVMCPUCC pVCpu, size_t cbMem, void const **ppvMem, uint64_t *puNewRsp) RT_NOEXCEPT;
 VBOXSTRICTRC    iemMemStackPopDoneSpecial(PVMCPUCC pVCpu, void const *pvMem) RT_NOEXCEPT;

trunk/src/VBox/VMM/include/IEMMc.h

-              r95403
+              r95410
  */
 #define IEM_MC_MEM_MAP(a_pMem, a_fAccess, a_iSeg, a_GCPtrMem, a_iArg) \
+    IEM_MC_RETURN_ON_FAILURE(iemMemMap(pVCpu, (void **)&(a_pMem), sizeof(*(a_pMem)), (a_iSeg), (a_GCPtrMem), (a_fAccess)))
+    IEM_MC_RETURN_ON_FAILURE(iemMemMap(pVCpu, (void **)&(a_pMem), sizeof(*(a_pMem)), (a_iSeg), \
+                                       (a_GCPtrMem), (a_fAccess), sizeof(*(a_pMem)) - 1))
 /** Maps guest memory for direct or bounce buffered access.
 …
  */
 #define IEM_MC_MEM_MAP_EX(a_pvMem, a_fAccess, a_cbMem, a_iSeg, a_GCPtrMem, a_iArg) \
+    IEM_MC_RETURN_ON_FAILURE(iemMemMap(pVCpu, (void **)&(a_pvMem), (a_cbMem), (a_iSeg), (a_GCPtrMem), (a_fAccess)))
+    IEM_MC_RETURN_ON_FAILURE(iemMemMap(pVCpu, (void **)&(a_pvMem), (a_cbMem), (a_iSeg), \
+                                       (a_GCPtrMem), (a_fAccess), (a_cbMem) - 1))
 /** Commits the memory and unmaps the guest memory.

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette