|
|
@@ -12,6 +12,7 @@
|
|
|
#include "cpu.h"
|
|
|
#include "exec/address-spaces.h"
|
|
|
#include "exec/ioport.h"
|
|
|
+#include "exec/gdbstub.h"
|
|
|
#include "qemu/accel.h"
|
|
|
#include "sysemu/whpx.h"
|
|
|
#include "sysemu/cpus.h"
|
|
|
@@ -147,6 +148,87 @@ struct whpx_register_set {
|
|
|
WHV_REGISTER_VALUE values[RTL_NUMBER_OF(whpx_register_names)];
|
|
|
};
|
|
|
|
|
|
+/*
|
|
|
+ * The current implementation of instruction stepping sets the TF flag
|
|
|
+ * in RFLAGS, causing the CPU to raise an INT1 after each instruction.
|
|
|
+ * This corresponds to the WHvX64ExceptionTypeDebugTrapOrFault exception.
|
|
|
+ *
|
|
|
+ * This approach has a few limitations:
|
|
|
+ * 1. Stepping over a PUSHF/SAHF instruction will save the TF flag
|
|
|
+ * along with the other flags, possibly restoring it later. It would
|
|
|
+ * result in another INT1 when the flags are restored, triggering
|
|
|
+ * a stop in gdb that could be cleared by doing another step.
|
|
|
+ *
|
|
|
+ * Stepping over a POPF/LAHF instruction will let it overwrite the
|
|
|
+ * TF flags, ending the stepping mode.
|
|
|
+ *
|
|
|
+ * 2. Stepping over an instruction raising an exception (e.g. INT, DIV,
|
|
|
+ * or anything that could result in a page fault) will save the flags
|
|
|
+ * to the stack, clear the TF flag, and let the guest execute the
|
|
|
+ * handler. Normally, the guest will restore the original flags,
|
|
|
+ * that will continue single-stepping.
|
|
|
+ *
|
|
|
+ * 3. Debuggers running on the guest may wish to set TF to do instruction
|
|
|
+ * stepping. INT1 events generated by it would be intercepted by us,
|
|
|
+ * as long as the gdb is connected to QEMU.
|
|
|
+ *
|
|
|
+ * In practice this means that:
|
|
|
+ * 1. Stepping through flags-modifying instructions may cause gdb to
|
|
|
+ * continue or stop in unexpected places. This will be fully recoverable
|
|
|
+ * and will not crash the target.
|
|
|
+ *
|
|
|
+ * 2. Stepping over an instruction that triggers an exception will step
|
|
|
+ * over the exception handler, not into it.
|
|
|
+ *
|
|
|
+ * 3. Debugging the guest via gdb, while running debugger on the guest
|
|
|
+ * at the same time may lead to unexpected effects. Removing all
|
|
|
+ * breakpoints set via QEMU will prevent any further interference
|
|
|
+ * with the guest-level debuggers.
|
|
|
+ *
|
|
|
+ * The limitations can be addressed as shown below:
|
|
|
+ * 1. PUSHF/SAHF/POPF/LAHF/IRET instructions can be emulated instead of
|
|
|
+ * stepping through them. The exact semantics of the instructions is
|
|
|
+ * defined in the "Combined Volume Set of Intel 64 and IA-32
|
|
|
+ * Architectures Software Developer's Manuals", however it involves a
|
|
|
+ * fair amount of corner cases due to compatibility with real mode,
|
|
|
+ * virtual 8086 mode, and differences between 64-bit and 32-bit modes.
|
|
|
+ *
|
|
|
+ * 2. We could step into the guest's exception handlers using the following
|
|
|
+ * sequence:
|
|
|
+ * a. Temporarily enable catching of all exception types via
|
|
|
+ * whpx_set_exception_exit_bitmap().
|
|
|
+ * b. Once an exception is intercepted, read the IDT/GDT and locate
|
|
|
+ * the original handler.
|
|
|
+ * c. Patch the original handler, injecting an INT3 at the beginning.
|
|
|
+ * d. Update the exception exit bitmap to only catch the
|
|
|
+ * WHvX64ExceptionTypeBreakpointTrap exception.
|
|
|
+ * e. Let the affected CPU run in the exclusive mode.
|
|
|
+ * f. Restore the original handler and the exception exit bitmap.
|
|
|
+ * Note that handling all corner cases related to IDT/GDT is harder
|
|
|
+ * than it may seem. See x86_cpu_get_phys_page_attrs_debug() for a
|
|
|
+ * rough idea.
|
|
|
+ *
|
|
|
+ * 3. In order to properly support guest-level debugging in parallel with
|
|
|
+ * the QEMU-level debugging, we would need to be able to pass some INT1
|
|
|
+ * events to the guest. This could be done via the following methods:
|
|
|
+ * a. Using the WHvRegisterPendingEvent register. As of Windows 21H1,
|
|
|
+ * it seems to only work for interrupts and not software
|
|
|
+ * exceptions.
|
|
|
+ * b. Locating and patching the original handler by parsing IDT/GDT.
|
|
|
+ * This involves relatively complex logic outlined in the previous
|
|
|
+ * paragraph.
|
|
|
+ * c. Emulating the exception invocation (i.e. manually updating RIP,
|
|
|
+ * RFLAGS, and pushing the old values to stack). This is even more
|
|
|
+ * complicated than the previous option, since it involves checking
|
|
|
+ * CPL, gate attributes, and doing various adjustments depending
|
|
|
+ * on the current CPU mode, whether the CPL is changing, etc.
|
|
|
+ */
|
|
|
+typedef enum WhpxStepMode {
|
|
|
+ WHPX_STEP_NONE = 0,
|
|
|
+ /* Halt other VCPUs */
|
|
|
+ WHPX_STEP_EXCLUSIVE,
|
|
|
+} WhpxStepMode;
|
|
|
+
|
|
|
struct whpx_vcpu {
|
|
|
WHV_EMULATOR_HANDLE emulator;
|
|
|
bool window_registered;
|
|
|
@@ -785,6 +867,517 @@ static int whpx_handle_portio(CPUState *cpu,
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+/*
|
|
|
+ * Controls whether we should intercept various exceptions on the guest,
|
|
|
+ * namely breakpoint/single-step events.
|
|
|
+ *
|
|
|
+ * The 'exceptions' argument accepts a bitmask, e.g:
|
|
|
+ * (1 << WHvX64ExceptionTypeDebugTrapOrFault) | (...)
|
|
|
+ */
|
|
|
+static HRESULT whpx_set_exception_exit_bitmap(UINT64 exceptions)
|
|
|
+{
|
|
|
+ struct whpx_state *whpx = &whpx_global;
|
|
|
+ WHV_PARTITION_PROPERTY prop = { 0, };
|
|
|
+ HRESULT hr;
|
|
|
+
|
|
|
+ if (exceptions == whpx->exception_exit_bitmap) {
|
|
|
+ return S_OK;
|
|
|
+ }
|
|
|
+
|
|
|
+ prop.ExceptionExitBitmap = exceptions;
|
|
|
+
|
|
|
+ hr = whp_dispatch.WHvSetPartitionProperty(
|
|
|
+ whpx->partition,
|
|
|
+ WHvPartitionPropertyCodeExceptionExitBitmap,
|
|
|
+ &prop,
|
|
|
+ sizeof(WHV_PARTITION_PROPERTY));
|
|
|
+
|
|
|
+ if (SUCCEEDED(hr)) {
|
|
|
+ whpx->exception_exit_bitmap = exceptions;
|
|
|
+ }
|
|
|
+
|
|
|
+ return hr;
|
|
|
+}
|
|
|
+
|
|
|
+
|
|
|
+/*
|
|
|
+ * This function is called before/after stepping over a single instruction.
|
|
|
+ * It will update the CPU registers to arm/disarm the instruction stepping
|
|
|
+ * accordingly.
|
|
|
+ */
|
|
|
+static HRESULT whpx_vcpu_configure_single_stepping(CPUState *cpu,
|
|
|
+ bool set,
|
|
|
+ uint64_t *exit_context_rflags)
|
|
|
+{
|
|
|
+ WHV_REGISTER_NAME reg_name;
|
|
|
+ WHV_REGISTER_VALUE reg_value;
|
|
|
+ HRESULT hr;
|
|
|
+ struct whpx_state *whpx = &whpx_global;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * If we are trying to step over a single instruction, we need to set the
|
|
|
+ * TF bit in rflags. Otherwise, clear it.
|
|
|
+ */
|
|
|
+ reg_name = WHvX64RegisterRflags;
|
|
|
+ hr = whp_dispatch.WHvGetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to get rflags, hr=%08lx", hr);
|
|
|
+ return hr;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (exit_context_rflags) {
|
|
|
+ assert(*exit_context_rflags == reg_value.Reg64);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (set) {
|
|
|
+ /* Raise WHvX64ExceptionTypeDebugTrapOrFault after each instruction */
|
|
|
+ reg_value.Reg64 |= TF_MASK;
|
|
|
+ } else {
|
|
|
+ reg_value.Reg64 &= ~TF_MASK;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (exit_context_rflags) {
|
|
|
+ *exit_context_rflags = reg_value.Reg64;
|
|
|
+ }
|
|
|
+
|
|
|
+ hr = whp_dispatch.WHvSetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to set rflags,"
|
|
|
+ " hr=%08lx",
|
|
|
+ hr);
|
|
|
+ return hr;
|
|
|
+ }
|
|
|
+
|
|
|
+ reg_name = WHvRegisterInterruptState;
|
|
|
+ reg_value.Reg64 = 0;
|
|
|
+
|
|
|
+ /* Suspend delivery of hardware interrupts during single-stepping. */
|
|
|
+ reg_value.InterruptState.InterruptShadow = set != 0;
|
|
|
+
|
|
|
+ hr = whp_dispatch.WHvSetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to set InterruptState,"
|
|
|
+ " hr=%08lx",
|
|
|
+ hr);
|
|
|
+ return hr;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!set) {
|
|
|
+ /*
|
|
|
+ * We have just finished stepping over a single instruction,
|
|
|
+ * and intercepted the INT1 generated by it.
|
|
|
+ * We need to now hide the INT1 from the guest,
|
|
|
+ * as it would not be expecting it.
|
|
|
+ */
|
|
|
+
|
|
|
+ reg_name = WHvX64RegisterPendingDebugException;
|
|
|
+ hr = whp_dispatch.WHvGetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to get pending debug exceptions,"
|
|
|
+ "hr=%08lx", hr);
|
|
|
+ return hr;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (reg_value.PendingDebugException.SingleStep) {
|
|
|
+ reg_value.PendingDebugException.SingleStep = 0;
|
|
|
+
|
|
|
+ hr = whp_dispatch.WHvSetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to clear pending debug exceptions,"
|
|
|
+ "hr=%08lx", hr);
|
|
|
+ return hr;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ return S_OK;
|
|
|
+}
|
|
|
+
|
|
|
+/* Tries to find a breakpoint at the specified address. */
|
|
|
+static struct whpx_breakpoint *whpx_lookup_breakpoint_by_addr(uint64_t address)
|
|
|
+{
|
|
|
+ struct whpx_state *whpx = &whpx_global;
|
|
|
+ int i;
|
|
|
+
|
|
|
+ if (whpx->breakpoints.breakpoints) {
|
|
|
+ for (i = 0; i < whpx->breakpoints.breakpoints->used; i++) {
|
|
|
+ if (address == whpx->breakpoints.breakpoints->data[i].address) {
|
|
|
+ return &whpx->breakpoints.breakpoints->data[i];
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ return NULL;
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * Linux uses int3 (0xCC) during startup (see int3_selftest()) and for
|
|
|
+ * debugging user-mode applications. Since the WHPX API does not offer
|
|
|
+ * an easy way to pass the intercepted exception back to the guest, we
|
|
|
+ * resort to using INT1 instead, and let the guest always handle INT3.
|
|
|
+ */
|
|
|
+static const uint8_t whpx_breakpoint_instruction = 0xF1;
|
|
|
+
|
|
|
+/*
|
|
|
+ * The WHPX QEMU backend implements breakpoints by writing the INT1
|
|
|
+ * instruction into memory (ignoring the DRx registers). This raises a few
|
|
|
+ * issues that need to be carefully handled:
|
|
|
+ *
|
|
|
+ * 1. Although unlikely, other parts of QEMU may set multiple breakpoints
|
|
|
+ * at the same location, and later remove them in arbitrary order.
|
|
|
+ * This should not cause memory corruption, and should only remove the
|
|
|
+ * physical breakpoint instruction when the last QEMU breakpoint is gone.
|
|
|
+ *
|
|
|
+ * 2. Writing arbitrary virtual memory may fail if it's not mapped to a valid
|
|
|
+ * physical location. Hence, physically adding/removing a breakpoint can
|
|
|
+ * theoretically fail at any time. We need to keep track of it.
|
|
|
+ *
|
|
|
+ * The function below rebuilds a list of low-level breakpoints (one per
|
|
|
+ * address, tracking the original instruction and any errors) from the list of
|
|
|
+ * high-level breakpoints (set via cpu_breakpoint_insert()).
|
|
|
+ *
|
|
|
+ * In order to optimize performance, this function stores the list of
|
|
|
+ * high-level breakpoints (a.k.a. CPU breakpoints) used to compute the
|
|
|
+ * low-level ones, so that it won't be re-invoked until these breakpoints
|
|
|
+ * change.
|
|
|
+ *
|
|
|
+ * Note that this function decides which breakpoints should be inserted into,
|
|
|
+ * memory, but doesn't actually do it. The memory accessing is done in
|
|
|
+ * whpx_apply_breakpoints().
|
|
|
+ */
|
|
|
+static void whpx_translate_cpu_breakpoints(
|
|
|
+ struct whpx_breakpoints *breakpoints,
|
|
|
+ CPUState *cpu,
|
|
|
+ int cpu_breakpoint_count)
|
|
|
+{
|
|
|
+ CPUBreakpoint *bp;
|
|
|
+ int cpu_bp_index = 0;
|
|
|
+
|
|
|
+ breakpoints->original_addresses =
|
|
|
+ g_renew(vaddr, breakpoints->original_addresses, cpu_breakpoint_count);
|
|
|
+
|
|
|
+ breakpoints->original_address_count = cpu_breakpoint_count;
|
|
|
+
|
|
|
+ int max_breakpoints = cpu_breakpoint_count +
|
|
|
+ (breakpoints->breakpoints ? breakpoints->breakpoints->used : 0);
|
|
|
+
|
|
|
+ struct whpx_breakpoint_collection *new_breakpoints =
|
|
|
+ (struct whpx_breakpoint_collection *)g_malloc0(
|
|
|
+ sizeof(struct whpx_breakpoint_collection) +
|
|
|
+ max_breakpoints * sizeof(struct whpx_breakpoint));
|
|
|
+
|
|
|
+ new_breakpoints->allocated = max_breakpoints;
|
|
|
+ new_breakpoints->used = 0;
|
|
|
+
|
|
|
+ /*
|
|
|
+ * 1. Preserve all old breakpoints that could not be automatically
|
|
|
+ * cleared when the CPU got stopped.
|
|
|
+ */
|
|
|
+ if (breakpoints->breakpoints) {
|
|
|
+ int i;
|
|
|
+ for (i = 0; i < breakpoints->breakpoints->used; i++) {
|
|
|
+ if (breakpoints->breakpoints->data[i].state != WHPX_BP_CLEARED) {
|
|
|
+ new_breakpoints->data[new_breakpoints->used++] =
|
|
|
+ breakpoints->breakpoints->data[i];
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /* 2. Map all CPU breakpoints to WHPX breakpoints */
|
|
|
+ QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
|
|
|
+ int i;
|
|
|
+ bool found = false;
|
|
|
+
|
|
|
+ /* This will be used to detect changed CPU breakpoints later. */
|
|
|
+ breakpoints->original_addresses[cpu_bp_index++] = bp->pc;
|
|
|
+
|
|
|
+ for (i = 0; i < new_breakpoints->used; i++) {
|
|
|
+ /*
|
|
|
+ * WARNING: This loop has O(N^2) complexity, where N is the
|
|
|
+ * number of breakpoints. It should not be a bottleneck in
|
|
|
+ * real-world scenarios, since it only needs to run once after
|
|
|
+ * the breakpoints have been modified.
|
|
|
+ * If this ever becomes a concern, it can be optimized by storing
|
|
|
+ * high-level breakpoint objects in a tree or hash map.
|
|
|
+ */
|
|
|
+
|
|
|
+ if (new_breakpoints->data[i].address == bp->pc) {
|
|
|
+ /* There was already a breakpoint at this address. */
|
|
|
+ if (new_breakpoints->data[i].state == WHPX_BP_CLEAR_PENDING) {
|
|
|
+ new_breakpoints->data[i].state = WHPX_BP_SET;
|
|
|
+ } else if (new_breakpoints->data[i].state == WHPX_BP_SET) {
|
|
|
+ new_breakpoints->data[i].state = WHPX_BP_SET_PENDING;
|
|
|
+ }
|
|
|
+
|
|
|
+ found = true;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!found && new_breakpoints->used < new_breakpoints->allocated) {
|
|
|
+ /* No WHPX breakpoint at this address. Create one. */
|
|
|
+ new_breakpoints->data[new_breakpoints->used].address = bp->pc;
|
|
|
+ new_breakpoints->data[new_breakpoints->used].state =
|
|
|
+ WHPX_BP_SET_PENDING;
|
|
|
+ new_breakpoints->used++;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (breakpoints->breakpoints) {
|
|
|
+ /*
|
|
|
+ * Free the previous breakpoint list. This can be optimized by keeping
|
|
|
+ * it as shadow buffer for the next computation instead of freeing
|
|
|
+ * it immediately.
|
|
|
+ */
|
|
|
+ g_free(breakpoints->breakpoints);
|
|
|
+ }
|
|
|
+
|
|
|
+ breakpoints->breakpoints = new_breakpoints;
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * Physically inserts/removes the breakpoints by reading and writing the
|
|
|
+ * physical memory, keeping a track of the failed attempts.
|
|
|
+ *
|
|
|
+ * Passing resuming=true will try to set all previously unset breakpoints.
|
|
|
+ * Passing resuming=false will remove all inserted ones.
|
|
|
+ */
|
|
|
+static void whpx_apply_breakpoints(
|
|
|
+ struct whpx_breakpoint_collection *breakpoints,
|
|
|
+ CPUState *cpu,
|
|
|
+ bool resuming)
|
|
|
+{
|
|
|
+ int i, rc;
|
|
|
+ if (!breakpoints) {
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ for (i = 0; i < breakpoints->used; i++) {
|
|
|
+ /* Decide what to do right now based on the last known state. */
|
|
|
+ WhpxBreakpointState state = breakpoints->data[i].state;
|
|
|
+ switch (state) {
|
|
|
+ case WHPX_BP_CLEARED:
|
|
|
+ if (resuming) {
|
|
|
+ state = WHPX_BP_SET_PENDING;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case WHPX_BP_SET_PENDING:
|
|
|
+ if (!resuming) {
|
|
|
+ state = WHPX_BP_CLEARED;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case WHPX_BP_SET:
|
|
|
+ if (!resuming) {
|
|
|
+ state = WHPX_BP_CLEAR_PENDING;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ case WHPX_BP_CLEAR_PENDING:
|
|
|
+ if (resuming) {
|
|
|
+ state = WHPX_BP_SET;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (state == WHPX_BP_SET_PENDING) {
|
|
|
+ /* Remember the original instruction. */
|
|
|
+ rc = cpu_memory_rw_debug(cpu,
|
|
|
+ breakpoints->data[i].address,
|
|
|
+ &breakpoints->data[i].original_instruction,
|
|
|
+ 1,
|
|
|
+ false);
|
|
|
+
|
|
|
+ if (!rc) {
|
|
|
+ /* Write the breakpoint instruction. */
|
|
|
+ rc = cpu_memory_rw_debug(cpu,
|
|
|
+ breakpoints->data[i].address,
|
|
|
+ (void *)&whpx_breakpoint_instruction,
|
|
|
+ 1,
|
|
|
+ true);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!rc) {
|
|
|
+ state = WHPX_BP_SET;
|
|
|
+ }
|
|
|
+
|
|
|
+ }
|
|
|
+
|
|
|
+ if (state == WHPX_BP_CLEAR_PENDING) {
|
|
|
+ /* Restore the original instruction. */
|
|
|
+ rc = cpu_memory_rw_debug(cpu,
|
|
|
+ breakpoints->data[i].address,
|
|
|
+ &breakpoints->data[i].original_instruction,
|
|
|
+ 1,
|
|
|
+ true);
|
|
|
+
|
|
|
+ if (!rc) {
|
|
|
+ state = WHPX_BP_CLEARED;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ breakpoints->data[i].state = state;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * This function is called when the a VCPU is about to start and no other
|
|
|
+ * VCPUs have been started so far. Since the VCPU start order could be
|
|
|
+ * arbitrary, it doesn't have to be VCPU#0.
|
|
|
+ *
|
|
|
+ * It is used to commit the breakpoints into memory, and configure WHPX
|
|
|
+ * to intercept debug exceptions.
|
|
|
+ *
|
|
|
+ * Note that whpx_set_exception_exit_bitmap() cannot be called if one or
|
|
|
+ * more VCPUs are already running, so this is the best place to do it.
|
|
|
+ */
|
|
|
+static int whpx_first_vcpu_starting(CPUState *cpu)
|
|
|
+{
|
|
|
+ struct whpx_state *whpx = &whpx_global;
|
|
|
+ HRESULT hr;
|
|
|
+
|
|
|
+ g_assert(qemu_mutex_iothread_locked());
|
|
|
+
|
|
|
+ if (!QTAILQ_EMPTY(&cpu->breakpoints) ||
|
|
|
+ (whpx->breakpoints.breakpoints &&
|
|
|
+ whpx->breakpoints.breakpoints->used)) {
|
|
|
+ CPUBreakpoint *bp;
|
|
|
+ int i = 0;
|
|
|
+ bool update_pending = false;
|
|
|
+
|
|
|
+ QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
|
|
|
+ if (i >= whpx->breakpoints.original_address_count ||
|
|
|
+ bp->pc != whpx->breakpoints.original_addresses[i]) {
|
|
|
+ update_pending = true;
|
|
|
+ }
|
|
|
+
|
|
|
+ i++;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (i != whpx->breakpoints.original_address_count) {
|
|
|
+ update_pending = true;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (update_pending) {
|
|
|
+ /*
|
|
|
+ * The CPU breakpoints have changed since the last call to
|
|
|
+ * whpx_translate_cpu_breakpoints(). WHPX breakpoints must
|
|
|
+ * now be recomputed.
|
|
|
+ */
|
|
|
+ whpx_translate_cpu_breakpoints(&whpx->breakpoints, cpu, i);
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Actually insert the breakpoints into the memory. */
|
|
|
+ whpx_apply_breakpoints(whpx->breakpoints.breakpoints, cpu, true);
|
|
|
+ }
|
|
|
+
|
|
|
+ uint64_t exception_mask;
|
|
|
+ if (whpx->step_pending ||
|
|
|
+ (whpx->breakpoints.breakpoints &&
|
|
|
+ whpx->breakpoints.breakpoints->used)) {
|
|
|
+ /*
|
|
|
+ * We are either attempting to single-step one or more CPUs, or
|
|
|
+ * have one or more breakpoints enabled. Both require intercepting
|
|
|
+ * the WHvX64ExceptionTypeBreakpointTrap exception.
|
|
|
+ */
|
|
|
+
|
|
|
+ exception_mask = 1UL << WHvX64ExceptionTypeDebugTrapOrFault;
|
|
|
+ } else {
|
|
|
+ /* Let the guest handle all exceptions. */
|
|
|
+ exception_mask = 0;
|
|
|
+ }
|
|
|
+
|
|
|
+ hr = whpx_set_exception_exit_bitmap(exception_mask);
|
|
|
+ if (!SUCCEEDED(hr)) {
|
|
|
+ error_report("WHPX: Failed to update exception exit mask,"
|
|
|
+ "hr=%08lx.", hr);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+/*
|
|
|
+ * This function is called when the last VCPU has finished running.
|
|
|
+ * It is used to remove any previously set breakpoints from memory.
|
|
|
+ */
|
|
|
+static int whpx_last_vcpu_stopping(CPUState *cpu)
|
|
|
+{
|
|
|
+ whpx_apply_breakpoints(whpx_global.breakpoints.breakpoints, cpu, false);
|
|
|
+ return 0;
|
|
|
+}
|
|
|
+
|
|
|
+/* Returns the address of the next instruction that is about to be executed. */
|
|
|
+static vaddr whpx_vcpu_get_pc(CPUState *cpu, bool exit_context_valid)
|
|
|
+{
|
|
|
+ if (cpu->vcpu_dirty) {
|
|
|
+ /* The CPU registers have been modified by other parts of QEMU. */
|
|
|
+ CPUArchState *env = (CPUArchState *)(cpu->env_ptr);
|
|
|
+ return env->eip;
|
|
|
+ } else if (exit_context_valid) {
|
|
|
+ /*
|
|
|
+ * The CPU registers have not been modified by neither other parts
|
|
|
+ * of QEMU, nor this port by calling WHvSetVirtualProcessorRegisters().
|
|
|
+ * This is the most common case.
|
|
|
+ */
|
|
|
+ struct whpx_vcpu *vcpu = get_whpx_vcpu(cpu);
|
|
|
+ return vcpu->exit_ctx.VpContext.Rip;
|
|
|
+ } else {
|
|
|
+ /*
|
|
|
+ * The CPU registers have been modified by a call to
|
|
|
+ * WHvSetVirtualProcessorRegisters() and must be re-queried from
|
|
|
+ * the target.
|
|
|
+ */
|
|
|
+ WHV_REGISTER_VALUE reg_value;
|
|
|
+ WHV_REGISTER_NAME reg_name = WHvX64RegisterRip;
|
|
|
+ HRESULT hr;
|
|
|
+ struct whpx_state *whpx = &whpx_global;
|
|
|
+
|
|
|
+ hr = whp_dispatch.WHvGetVirtualProcessorRegisters(
|
|
|
+ whpx->partition,
|
|
|
+ cpu->cpu_index,
|
|
|
+ ®_name,
|
|
|
+ 1,
|
|
|
+ ®_value);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to get PC, hr=%08lx", hr);
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
+
|
|
|
+ return reg_value.Reg64;
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
static int whpx_handle_halt(CPUState *cpu)
|
|
|
{
|
|
|
CPUX86State *env = cpu->env_ptr;
|
|
|
@@ -996,17 +1589,75 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
HRESULT hr;
|
|
|
struct whpx_state *whpx = &whpx_global;
|
|
|
struct whpx_vcpu *vcpu = get_whpx_vcpu(cpu);
|
|
|
+ struct whpx_breakpoint *stepped_over_bp = NULL;
|
|
|
+ WhpxStepMode exclusive_step_mode = WHPX_STEP_NONE;
|
|
|
int ret;
|
|
|
|
|
|
- whpx_vcpu_process_async_events(cpu);
|
|
|
- if (cpu->halted && !whpx_apic_in_platform()) {
|
|
|
- cpu->exception_index = EXCP_HLT;
|
|
|
- qatomic_set(&cpu->exit_request, false);
|
|
|
- return 0;
|
|
|
+ g_assert(qemu_mutex_iothread_locked());
|
|
|
+
|
|
|
+ if (whpx->running_cpus++ == 0) {
|
|
|
+ /* Insert breakpoints into memory, update exception exit bitmap. */
|
|
|
+ ret = whpx_first_vcpu_starting(cpu);
|
|
|
+ if (ret != 0) {
|
|
|
+ return ret;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (whpx->breakpoints.breakpoints &&
|
|
|
+ whpx->breakpoints.breakpoints->used > 0)
|
|
|
+ {
|
|
|
+ uint64_t pc = whpx_vcpu_get_pc(cpu, true);
|
|
|
+ stepped_over_bp = whpx_lookup_breakpoint_by_addr(pc);
|
|
|
+ if (stepped_over_bp && stepped_over_bp->state != WHPX_BP_SET) {
|
|
|
+ stepped_over_bp = NULL;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (stepped_over_bp) {
|
|
|
+ /*
|
|
|
+ * We are trying to run the instruction overwritten by an active
|
|
|
+ * breakpoint. We will temporarily disable the breakpoint, suspend
|
|
|
+ * other CPUs, and step over the instruction.
|
|
|
+ */
|
|
|
+ exclusive_step_mode = WHPX_STEP_EXCLUSIVE;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if (exclusive_step_mode == WHPX_STEP_NONE) {
|
|
|
+ whpx_vcpu_process_async_events(cpu);
|
|
|
+ if (cpu->halted && !whpx_apic_in_platform()) {
|
|
|
+ cpu->exception_index = EXCP_HLT;
|
|
|
+ qatomic_set(&cpu->exit_request, false);
|
|
|
+ return 0;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
qemu_mutex_unlock_iothread();
|
|
|
- cpu_exec_start(cpu);
|
|
|
+
|
|
|
+ if (exclusive_step_mode != WHPX_STEP_NONE) {
|
|
|
+ start_exclusive();
|
|
|
+ g_assert(cpu == current_cpu);
|
|
|
+ g_assert(!cpu->running);
|
|
|
+ cpu->running = true;
|
|
|
+
|
|
|
+ hr = whpx_set_exception_exit_bitmap(
|
|
|
+ 1UL << WHvX64ExceptionTypeDebugTrapOrFault);
|
|
|
+ if (!SUCCEEDED(hr)) {
|
|
|
+ error_report("WHPX: Failed to update exception exit mask, "
|
|
|
+ "hr=%08lx.", hr);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (stepped_over_bp) {
|
|
|
+ /* Temporarily disable the triggered breakpoint. */
|
|
|
+ cpu_memory_rw_debug(cpu,
|
|
|
+ stepped_over_bp->address,
|
|
|
+ &stepped_over_bp->original_instruction,
|
|
|
+ 1,
|
|
|
+ true);
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ cpu_exec_start(cpu);
|
|
|
+ }
|
|
|
|
|
|
do {
|
|
|
if (cpu->vcpu_dirty) {
|
|
|
@@ -1014,10 +1665,16 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
cpu->vcpu_dirty = false;
|
|
|
}
|
|
|
|
|
|
- whpx_vcpu_pre_run(cpu);
|
|
|
+ if (exclusive_step_mode == WHPX_STEP_NONE) {
|
|
|
+ whpx_vcpu_pre_run(cpu);
|
|
|
+
|
|
|
+ if (qatomic_read(&cpu->exit_request)) {
|
|
|
+ whpx_vcpu_kick(cpu);
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
- if (qatomic_read(&cpu->exit_request)) {
|
|
|
- whpx_vcpu_kick(cpu);
|
|
|
+ if (exclusive_step_mode != WHPX_STEP_NONE || cpu->singlestep_enabled) {
|
|
|
+ whpx_vcpu_configure_single_stepping(cpu, true, NULL);
|
|
|
}
|
|
|
|
|
|
hr = whp_dispatch.WHvRunVirtualProcessor(
|
|
|
@@ -1031,6 +1688,12 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
break;
|
|
|
}
|
|
|
|
|
|
+ if (exclusive_step_mode != WHPX_STEP_NONE || cpu->singlestep_enabled) {
|
|
|
+ whpx_vcpu_configure_single_stepping(cpu,
|
|
|
+ false,
|
|
|
+ &vcpu->exit_ctx.VpContext.Rflags);
|
|
|
+ }
|
|
|
+
|
|
|
whpx_vcpu_post_run(cpu);
|
|
|
|
|
|
switch (vcpu->exit_ctx.ExitReason) {
|
|
|
@@ -1054,6 +1717,10 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
break;
|
|
|
|
|
|
case WHvRunVpExitReasonX64Halt:
|
|
|
+ /*
|
|
|
+ * WARNING: as of build 19043.1526 (21H1), this exit reason is no
|
|
|
+ * longer used.
|
|
|
+ */
|
|
|
ret = whpx_handle_halt(cpu);
|
|
|
break;
|
|
|
|
|
|
@@ -1152,10 +1819,19 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
}
|
|
|
|
|
|
case WHvRunVpExitReasonCanceled:
|
|
|
- cpu->exception_index = EXCP_INTERRUPT;
|
|
|
- ret = 1;
|
|
|
+ if (exclusive_step_mode != WHPX_STEP_NONE) {
|
|
|
+ /*
|
|
|
+ * We are trying to step over a single instruction, and
|
|
|
+ * likely got a request to stop from another thread.
|
|
|
+ * Delay it until we are done stepping
|
|
|
+ * over.
|
|
|
+ */
|
|
|
+ ret = 0;
|
|
|
+ } else {
|
|
|
+ cpu->exception_index = EXCP_INTERRUPT;
|
|
|
+ ret = 1;
|
|
|
+ }
|
|
|
break;
|
|
|
-
|
|
|
case WHvRunVpExitReasonX64MsrAccess: {
|
|
|
WHV_REGISTER_VALUE reg_values[3] = {0};
|
|
|
WHV_REGISTER_NAME reg_names[3];
|
|
|
@@ -1259,11 +1935,36 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
ret = 0;
|
|
|
break;
|
|
|
}
|
|
|
+ case WHvRunVpExitReasonException:
|
|
|
+ whpx_get_registers(cpu);
|
|
|
+
|
|
|
+ if ((vcpu->exit_ctx.VpException.ExceptionType ==
|
|
|
+ WHvX64ExceptionTypeDebugTrapOrFault) &&
|
|
|
+ (vcpu->exit_ctx.VpException.InstructionByteCount >= 1) &&
|
|
|
+ (vcpu->exit_ctx.VpException.InstructionBytes[0] ==
|
|
|
+ whpx_breakpoint_instruction)) {
|
|
|
+ /* Stopped at a software breakpoint. */
|
|
|
+ cpu->exception_index = EXCP_DEBUG;
|
|
|
+ } else if ((vcpu->exit_ctx.VpException.ExceptionType ==
|
|
|
+ WHvX64ExceptionTypeDebugTrapOrFault) &&
|
|
|
+ !cpu->singlestep_enabled) {
|
|
|
+ /*
|
|
|
+ * Just finished stepping over a breakpoint, but the
|
|
|
+ * gdb does not expect us to do single-stepping.
|
|
|
+ * Don't do anything special.
|
|
|
+ */
|
|
|
+ cpu->exception_index = EXCP_INTERRUPT;
|
|
|
+ } else {
|
|
|
+ /* Another exception or debug event. Report it to GDB. */
|
|
|
+ cpu->exception_index = EXCP_DEBUG;
|
|
|
+ }
|
|
|
+
|
|
|
+ ret = 1;
|
|
|
+ break;
|
|
|
case WHvRunVpExitReasonNone:
|
|
|
case WHvRunVpExitReasonUnrecoverableException:
|
|
|
case WHvRunVpExitReasonInvalidVpRegisterValue:
|
|
|
case WHvRunVpExitReasonUnsupportedFeature:
|
|
|
- case WHvRunVpExitReasonException:
|
|
|
default:
|
|
|
error_report("WHPX: Unexpected VP exit code %d",
|
|
|
vcpu->exit_ctx.ExitReason);
|
|
|
@@ -1276,10 +1977,32 @@ static int whpx_vcpu_run(CPUState *cpu)
|
|
|
|
|
|
} while (!ret);
|
|
|
|
|
|
- cpu_exec_end(cpu);
|
|
|
+ if (stepped_over_bp) {
|
|
|
+ /* Restore the breakpoint we stepped over */
|
|
|
+ cpu_memory_rw_debug(cpu,
|
|
|
+ stepped_over_bp->address,
|
|
|
+ (void *)&whpx_breakpoint_instruction,
|
|
|
+ 1,
|
|
|
+ true);
|
|
|
+ }
|
|
|
+
|
|
|
+ if (exclusive_step_mode != WHPX_STEP_NONE) {
|
|
|
+ g_assert(cpu_in_exclusive_context(cpu));
|
|
|
+ cpu->running = false;
|
|
|
+ end_exclusive();
|
|
|
+
|
|
|
+ exclusive_step_mode = WHPX_STEP_NONE;
|
|
|
+ } else {
|
|
|
+ cpu_exec_end(cpu);
|
|
|
+ }
|
|
|
+
|
|
|
qemu_mutex_lock_iothread();
|
|
|
current_cpu = cpu;
|
|
|
|
|
|
+ if (--whpx->running_cpus == 0) {
|
|
|
+ whpx_last_vcpu_stopping(cpu);
|
|
|
+ }
|
|
|
+
|
|
|
qatomic_set(&cpu->exit_request, false);
|
|
|
|
|
|
return ret < 0;
|
|
|
@@ -1339,6 +2062,11 @@ void whpx_cpu_synchronize_pre_loadvm(CPUState *cpu)
|
|
|
run_on_cpu(cpu, do_whpx_cpu_synchronize_pre_loadvm, RUN_ON_CPU_NULL);
|
|
|
}
|
|
|
|
|
|
+void whpx_cpu_synchronize_pre_resume(bool step_pending)
|
|
|
+{
|
|
|
+ whpx_global.step_pending = step_pending;
|
|
|
+}
|
|
|
+
|
|
|
/*
|
|
|
* Vcpu support.
|
|
|
*/
|
|
|
@@ -1838,6 +2566,7 @@ static int whpx_accel_init(MachineState *ms)
|
|
|
memset(&prop, 0, sizeof(WHV_PARTITION_PROPERTY));
|
|
|
prop.ExtendedVmExits.X64MsrExit = 1;
|
|
|
prop.ExtendedVmExits.X64CpuidExit = 1;
|
|
|
+ prop.ExtendedVmExits.ExceptionExit = 1;
|
|
|
if (whpx_apic_in_platform()) {
|
|
|
prop.ExtendedVmExits.X64ApicInitSipiExitTrap = 1;
|
|
|
}
|
|
|
@@ -1866,6 +2595,19 @@ static int whpx_accel_init(MachineState *ms)
|
|
|
goto error;
|
|
|
}
|
|
|
|
|
|
+ /*
|
|
|
+ * We do not want to intercept any exceptions from the guest,
|
|
|
+ * until we actually start debugging with gdb.
|
|
|
+ */
|
|
|
+ whpx->exception_exit_bitmap = -1;
|
|
|
+ hr = whpx_set_exception_exit_bitmap(0);
|
|
|
+
|
|
|
+ if (FAILED(hr)) {
|
|
|
+ error_report("WHPX: Failed to set exception exit bitmap, hr=%08lx", hr);
|
|
|
+ ret = -EINVAL;
|
|
|
+ goto error;
|
|
|
+ }
|
|
|
+
|
|
|
hr = whp_dispatch.WHvSetupPartition(whpx->partition);
|
|
|
if (FAILED(hr)) {
|
|
|
error_report("WHPX: Failed to setup partition, hr=%08lx", hr);
|
Ivan Shcherbakov