[vbox-dev] Debugging with wrapped 32 bit physical address
Slavik Gnatenko
moveton at gmail.com
Thu Jan 3 00:15:49 GMT 2013
Hi All!
I took VBox 4.2.6 to work with fork of OS/2 kernel. At early init stage this
kernel uses quite unusual addressing:
- CPU is in protected mode but paging is NOT enabled
- segments are mainly 4GiB in size but with not zero base
- offsets are near end of 4GiB. So physical address is wrapped to the
beginning of memory
Such mode seems to be supported by VM but I see several problems.
1) Debugger refuses to decompile the code. I suspect that it calculates
physical address as 64 bit and doesn't wrap it. Here is the debug session
snippet which shows that even simple "db" doesn't read the memory:
VBoxDbg> rg
eax=0000000a ebx=ffed53fb ecx=ffe41f42 edx=000003f8 esi=ffdf0100 edi=ffe41f2a
eip=fffa2da6 esp=0000cf1e ebp=0000cf9a iopl=0 rf nv up di pl nz na pe nc
cs=0178 ds=0170 es=0170 fs=0000 gs=0000 ss=2a48 eflags=00010002
Failed to disassemble instruction, skipping one byte.
u: error: Too many disassembly failures. Giving up: VINF_SUCCESS
VBoxDbg> db cs:eip
error: VERR_PGM_INVALID_GC_PHYSICAL_ADDRESS: Reading memory at 0178:fffa2da6
But this memory can be read and disassembled if physical address is
calculated by hands:
VBoxDbg> dg 178
0178 CodeER Bas=0024d000 Lim=fffff000 DPL=0 P A G BIG AVL=0 L=0
VBoxDbg> db %(24d000 + fffa2da6)
error: VERR_PGM_INVALID_GC_PHYSICAL_ADDRESS: Reading memory at
%00000001001efda6.
VBoxDbg> db %(24d000 + fffa2da6 - 100000000)
%00000000001efda6: 83 3d 88 0a 80 ff ff 75-13 be 01 00 00 00 87 35
.=.....u.......5
%00000000001efdb6: c0 2a ed ff f7 c6 01 00-00 00 75 ed 8b 74 24 08
.*........u..t$.
%00000000001efdc6: 66 9c fc 33 c0 ac 0a c0-74 09 50 e8 c1 ff ff ff
f..3....t.P.....
%00000000001efdd6: 58 eb f0 83 3d 88 0a 80-ff ff 75 08 33 f6 87 35
X...=.....u.3..5
%00000000001efde6: c0 2a ed ff 66 9d 5e c3-56 8b 74 24 08 66 9c fc
.*..f.^.V.t$.f..
%00000000001efdf6: 33 c0 ac 0a c0 74 1a 3c-0a 75 09 66 3d 0a 0d 74
3....t.<.u.f=..t
VBoxDbg> u %(24d000 + fffa2da6 - 100000000)
%00000000001efda6 83 3d 88 0a 80 ff ff cmp dword [0ff800a88h], byte
0ffffffffh
%00000000001efdad 75 13 jne +013h (0001efdc2h)
%00000000001efdaf be 01 00 00 00 mov esi, 000000001h
%00000000001efdb4 87 35 c0 2a ed ff xchg dword [0ffed2ac0h], esi
%00000000001efdba f7 c6 01 00 00 00 test esi, 000000001h
%00000000001efdc0 75 ed jne -013h (0001efdafh)
%00000000001efdc2 8b 74 24 08 mov esi, dword [esp+008h]
%00000000001efdc6 66 9c pushfw
%00000000001efdc8 fc cld
%00000000001efdc9 33 c0 xor eax, eax
Is it known bug? Is it possible to force debugger to use 32 bit arithmetic?
-------------------------------------------------------------------------
2) Now let's look to "cmp dword [0ff800a88h], byte 0ffffffffh" instruction
at which the VM is stopped with fatal error:
VBoxDbg>
dbf event: Fatal error! (hyper)
.eax=00000000 .ebx=00000000 .ecx=00000000 .edx=00000000 .esi=00000000
.edi=00000000
.eip=00000000 .esp=ff560000 .ebp=00000000 .iopl=0 nv up di pl nz na pe nc
.cs=fff8 .ds=fff0 .es=fff0 .fs=0000 .gs=0000 .ss=fff0
.eflags=00000000
Failed to disassemble instruction, skipping one byte.
u: error: Too many disassembly failures. Giving up: VINF_SUCCESS
VBoxDbg> db %(24d000 + ff800a88)
error: VERR_PAGE_NOT_PRESENT: Reading memory at %00000000ffa4da88.
Yeah. We really have no memory at this address. But is it intentional
feature to completely stop a VM in this case? On real hardware such reading
doesn't cause problems. And I suspect that such VM behavior breaks a code
which searches for physical memory or specific ROM extension by scanning of
wide range of possible addresses. Is this feature configurable?
-------------------------------------------------------------------------
3) And the related but may be separate topic. Should bp/br do something more
than just patching the code and add the breakpoint to "bl" output? Even in
simple real mode of CPU I don't get VBox debugger popup when control goes
via these breakpoints. And even worse the injected "int3" is executed
completely in the guest and previous command at this address is lost.
This is all for now. I think that many of these weird things should be filed
as bugs but let's discuss them before this.
Regards, Slavik
More information about the vbox-dev
mailing list