
I want to modify the implementation of the rdtsc assembly instruction, i.e., I want to modify, at the fundamental level, what happens when the rdtsc assembly instruction is invoked.

I am working on a QEMU Virtual Machine running on an Intel Core2 Duo processor. The Instruction Set Architecture is i686.

To locate the portion of the QEMU source code dealing with the rdtsc call, I did a grep over the entire source code and found the function helper_rdtsc() in the file target-i386/misc_helper.c to be the key suspect. So I made the following modification to this file:

...

/* modification start at header inclusion */
#include <stdio.h>
#include <inttypes.h>
static const uint64_t myconst = 81926483;
/* modification end at header inclusion */

...

void helper_rdtsc(CPUX86State *env)
{
    uint64_t val;

    /* CR4.TSD set and CPL != 0: rdtsc is privileged, raise #GP */
    if ((env->cr[4] & CR4_TSD_MASK) && ((env->hflags & HF_CPL_MASK) != 0)) {
        raise_exception(env, EXCP0D_GPF);
    }
    cpu_svm_check_intercept_param(env, SVM_EXIT_RDTSC, 0);

    val = cpu_get_tsc(env) + env->tsc_offset;

    /* modification start within helper_rdtsc() */
    val = val % myconst;
    printf("rdtsc return = %" PRIu64 " // printed from source code\n", val);
    /* modification end within helper_rdtsc() */

    /* rdtsc returns the 64-bit value in the EDX:EAX pair */
    env->regs[R_EAX] = (uint32_t)(val);
    env->regs[R_EDX] = (uint32_t)(val >> 32);
}

Then I compiled QEMU from this modified source code, mounted Ubuntu 12.04 as the guest OS, and ran a test C program that accessed rdtsc through the following function:

int64_t myrdtsc(void)
{
    int64_t tick;
    /* "=A" names the EDX:EAX register pair on i686 */
    asm volatile("rdtsc" : "=A" (tick));
    return tick;
}

Naturally, on executing this test code, I expected the value returned through tick to be less than myconst. I also expected the statement rdtsc return = <somevalue> // printed from source code to be printed as part of the rdtsc call. However, neither happened.

Am I modifying the right portion of the QEMU source code? If yes, is there an error in the modifications I have made? If no, where should I look in the source code to make the desired modification?

hardcoder
  • You mean the way qemu implements that instruction, or the way it executes on the host hardware? The latter involves applying for a job at Intel and convincing the management that changing meaning of well known commands is a good idea. The former involves digging in the QEMU sources; it's open source. – Seva Alekseyev Mar 06 '14 at 19:01
  • @sevaalekseyev I meant the former. I have tried digging in the QEMU source code and even attempted several changes, but all in vain. Hence, I wish someone could point out where exactly I should look in the source code. Thanks. – hardcoder Mar 06 '14 at 19:06
  • Did you try searching the code for "rdtsc"? A quick grep seems to indicate helper_rdtsc in target-i386/misc_helper.c as a likely candidate – doynax Mar 06 '14 at 19:12
  • Have you tried searching for string "rdtsc" in them? :) – Seva Alekseyev Mar 06 '14 at 19:14
  • @doynax - Yeah, I did a grep and, just like you, I too found helper_rdtsc in target-i386/misc_helper.c as the most probable candidate. However, making the desired modifications and then recompiling QEMU from the source code didn't give the expected results, indicating that helper_rdtsc in target-i386/misc_helper.c is probably not what I am looking for. – hardcoder Mar 06 '14 at 19:22
  • 1
    @hardcoder: That sort of work might have been worth sharing in your post you know. I don't suppose you're using the KVM version or anything? – doynax Mar 06 '14 at 19:33
  • Nope, I didn't use the KVM version. – hardcoder Mar 06 '14 at 19:34
  • I have tested with a simple real-mode bootsector code, and indeed you found the right function and I could make it return whatever I wanted. – Jester Mar 07 '14 at 01:57
  • @Jester - So do you mean there is an error in the modifications I made? Because when I compiled the QEMU from this modified source code, I didn't get the return value I was expecting. – hardcoder Mar 07 '14 at 02:34
  • The modification seems fine; you are probably not running it due to a bad build or a different qemu binary being used (or KVM, as doynax suggested). Attach gdb to qemu and verify. – Jester Mar 07 '14 at 02:53
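The comments above amount to a verification procedure: confirm that the helper actually in use produces values below myconst, and rule out a stale binary or KVM. The program below is an added example, not code from the question or from QEMU. It models the patched helper_rdtsc() on the host (the functions model_helper_rdtsc and combine_edx_eax are assumptions written for this example, not QEMU APIs), so the expected behaviour can be checked anywhere, and it reads the live counter from inside the guest when compiled on x86. It also carries the one caveat the question's reader has: the "=A" constraint names the EDX:EAX pair only on 32-bit x86; on x86-64 it refers to RAX alone and silently drops EDX, so the live read uses separate "=a"/"=d" outputs.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same modulus as the question's patch to helper_rdtsc(). */
#define MYCONST 81926483ULL

/* Host-side model of the patched helper (assumed model, not QEMU code):
 * add the guest's TSC offset, reduce modulo MYCONST, then split the result
 * into EDX:EAX exactly as the helper writes env->regs[R_EAX]/[R_EDX]. */
static uint64_t model_helper_rdtsc(uint64_t host_tsc, uint64_t tsc_offset,
                                   uint32_t *eax, uint32_t *edx)
{
    uint64_t val = host_tsc + tsc_offset;   /* cpu_get_tsc() + env->tsc_offset */
    val = val % MYCONST;                    /* the question's modification */
    *eax = (uint32_t)val;
    *edx = (uint32_t)(val >> 32);
    return val;
}

/* Guest-side recombination of the two 32-bit halves rdtsc leaves in EDX:EAX. */
static uint64_t combine_edx_eax(uint32_t eax, uint32_t edx)
{
    return ((uint64_t)edx << 32) | eax;
}

/* The live read only makes sense on x86; elsewhere report "not available". */
static int rdtsc_available(void)
{
#if defined(__i386__) || defined(__x86_64__)
    return 1;
#else
    return 0;
#endif
}

/* Read the counter with constraints that are correct on both i686 and
 * x86-64.  The question's "=A" is only right on i686. */
static uint64_t read_tsc(void)
{
#if defined(__i386__) || defined(__x86_64__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return combine_edx_eax(lo, hi);
#else
    return 0;
#endif
}

/* Count samples that the patched helper could never have produced
 * (anything >= MYCONST).  A non-zero count means the patch is not running. */
static size_t count_violations(const uint64_t *samples, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (samples[i] >= MYCONST)
            bad++;
    return bad;
}

int main(void)
{
    uint32_t eax, edx;
    uint64_t modelled = model_helper_rdtsc(1ULL << 40, 0, &eax, &edx);
    printf("modelled patched rdtsc: %" PRIu64 " (EDX=%" PRIu32 ", EAX=%" PRIu32 ")\n",
           modelled, edx, eax);

    if (!rdtsc_available()) {
        puts("not on x86: skipping the live rdtsc check");
        return 0;
    }

    enum { N = 16 };
    uint64_t samples[N];
    for (size_t i = 0; i < N; i++)
        samples[i] = read_tsc();

    size_t bad = count_violations(samples, N);
    printf("%zu of %d live rdtsc reads are >= MYCONST: %s\n", bad, N,
           bad ? "the patched helper_rdtsc() is NOT what is running"
               : "consistent with the patched helper");
    return 0;
}
```

Run it inside the guest: if any live read is at or above MYCONST, the binary executing the guest is not the one built from the modified misc_helper.c, or the instruction never reaches the TCG helper because the guest is running under KVM (where rdtsc executes natively on the host CPU).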

1 Answer


Well, in fact, I found another place which is more suspicious: target-i386/translate.c. After I added a printf there and recompiled && installed it, I got nothing I wanted. So I guess you have to do your job down at the VMM level, which means the KVM source code.

ioilala