update

git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@283 c046a42c-6fe2-441c-8c8c-71466251a162

Changelog

@@ -1,19 +1,27 @@
+version 0.4:
+
+ - initial support for ring 0 x86 processor emulation
+ - fixed signal handling for correct dosemu DPMI emulation
+ - fast x86 MMU emulation with mmap()
+ - fixed popl (%esp) case
+ - Linux kernel can be executed by QEMU with the 'vl' command.
+
 version 0.3:
 
  - initial support for ARM emulation
  - added fnsave, frstor, fnstenv, fldenv FPU instructions
  - added FPU register save in signal emulation
- - ARM port
+ - initial ARM port
  - Sparc and Alpha ports work on the regression test
  - generic ioctl number conversion
  - fixed ioctl type conversion
 
 version 0.2:
 
- - PowerPC disassembly and ELF symbols output (Rusty Russel)
- - flock support (Rusty Russel)
- - ugetrlimit support (Rusty Russel)
- - fstat64 fix (Rusty Russel)
+ - PowerPC disassembly and ELF symbols output (Rusty Russell)
+ - flock support (Rusty Russell)
+ - ugetrlimit support (Rusty Russell)
+ - fstat64 fix (Rusty Russell)
  - initial Alpha port (Falk Hueffner)
  - initial IA64 port (Matt Wilson)
  - initial Sparc and Sparc64 port (David S. Miller)

Makefile

@@ -5,6 +5,7 @@ LDFLAGS=-g
 LIBS=
 DEFINES=-DHAVE_BYTESWAP_H
 HELPER_CFLAGS=$(CFLAGS)
+PROGS=qemu
 
 ifdef CONFIG_STATIC
 LDFLAGS+=-static
@@ -13,7 +14,7 @@ endif
 ifeq ($(ARCH),i386)
 CFLAGS+=-fomit-frame-pointer
 OP_CFLAGS=$(CFLAGS) -mpreferred-stack-boundary=2
-ifeq ($(GCC_MAJOR),3)
+ifeq ($(HAVE_GCC3_OPTIONS),yes)
 OP_CFLAGS+= -falign-functions=0
 else
 OP_CFLAGS+= -malign-functions=0
@@ -26,6 +27,9 @@ else
 # is the simplest way to make it self virtualizable!
 LDFLAGS+=-Wl,-shared
 endif
+ifeq ($(TARGET_ARCH), i386)
+PROGS+=vl
+endif
 endif
 
 ifeq ($(ARCH),ppc)
@@ -70,7 +74,7 @@ OP_CFLAGS=$(CFLAGS) -mno-sched-prolog
 LDFLAGS+=-Wl,-T,arm.ld
 endif
 
-ifeq ($(GCC_MAJOR),3)
+ifeq ($(HAVE_GCC3_OPTIONS),yes)
 # very important to generate a return at the end of every operation
 OP_CFLAGS+=-fno-reorder-blocks -fno-optimize-sibling-calls
 endif
@@ -125,7 +129,7 @@ ifeq ($(ARCH),ia64)
 OBJS += ia64-syscall.o
 endif
 
-all: qemu qemu-doc.html
+all: $(PROGS) qemu-doc.html
 
 qemu: $(OBJS)
 	$(CC) $(LDFLAGS) -o $@ $^  $(LIBS)
@@ -135,6 +139,10 @@ ifeq ($(ARCH),alpha)
 	echo -ne '\001\000\000\000' | dd of=qemu bs=1 seek=48 count=4 conv=notrunc
 endif
 
+# must use static linking to avoid leaving stuff in virtual address space
+vl: vl.o libqemu.a
+	$(CC) -static -Wl,-T,i386-vl.ld -o $@ $^  $(LIBS)
+
 depend: $(SRCS)
 	$(CC) -MM $(CFLAGS) $^ 1>.depend
 
@@ -180,8 +188,8 @@ clean:
 distclean: clean
 	rm -f config.mak config.h
 
-install: qemu
-	install -m 755 -s qemu $(prefix)/bin
+install: $(PROGS)
+	install -m 755 -s $(PROGS) $(prefix)/bin
 
 # various test targets
 test speed: qemu
@@ -200,7 +208,8 @@ configure \
 dyngen.c dyngen.h dyngen-exec.h ioctls.h syscall_types.h \
 Makefile elf.h elfload.c main.c signal.c qemu.h \
 syscall.c syscall_defs.h vm86.c path.c mmap.c \
-ppc.ld alpha.ld s390.ld sparc.ld arm.ld\
+i386.ld ppc.ld alpha.ld s390.ld sparc.ld arm.ld\
+vl.c i386-vl.ld\
 thunk.c cpu-exec.c translate.c cpu-all.h thunk.h exec.h\
 exec.c cpu-exec.c\
 cpu-i386.h op-i386.c helper-i386.c syscall-i386.h translate-i386.c \
@@ -211,7 +220,7 @@ arm-dis.c \
 tests/Makefile \
 tests/test-i386.c tests/test-i386-shift.h tests/test-i386.h \
 tests/test-i386-muldiv.h tests/test-i386-code16.S tests/test-i386-vm86.S \
-tests/hello.c tests/hello \
+tests/hello-i386.c tests/hello-i386 \
 tests/hello-arm.c tests/hello-arm \
 tests/sha1.c \
 tests/testsig.c tests/testclone.c tests/testthread.c \

README

@@ -45,22 +45,25 @@ that QEMU works if you do not use a tested gcc version. Look at
 'configure' and 'Makefile' if you want to make a different gcc
 version work.
 
-host      gcc      binutils      glibc    linux
--------------------------------------------------------
+host      gcc      binutils      glibc    linux       distribution
+----------------------------------------------------------------------
 x86       2.95.2   2.13.2        2.1.3    2.4.18           
+          3.2      2.13.2        2.1.3    2.4.18
+          2.96     2.11.93.0.2   2.2.5    2.4.18      Red Hat 7.3
 
-PowerPC   2.95.4   2.12.90.0.1   2.2.5    2.4.20-pre2
+PowerPC   2.95.4   2.12.90.0.1   2.2.5    2.4.20-pre2 Debian 3.0
 
-Alpha     3.3 [1]  2.14.90.0.4   2.2.5    2.2.20 [2]
+Alpha     3.3 [1]  2.14.90.0.4   2.2.5    2.2.20 [2]  Debian 3.0
 
-Sparc32   2.95.4   2.12.90.0.1   2.2.5    2.4.18
+Sparc32   2.95.4   2.12.90.0.1   2.2.5    2.4.18      Debian 3.0
 
-ARM       2.95.4   2.12.90.0.1   2.2.5    2.4.9-ac10-rmk2-np1-cerf2
+ARM       2.95.4   2.12.90.0.1   2.2.5    2.4.9 [3]   Debian 3.0
 
 [1] On Alpha, QEMU needs the gcc 'visibility' attribute only available
     for gcc version >= 3.3.
 [2] Linux >= 2.4.20 is necessary for precise exception support
     (untested).
+[3] 2.4.9-ac10-rmk2-np1-cerf2
 
 Documentation
 -------------

TODO

@@ -1,4 +1,5 @@
 
+- finish segment ops (call far, ret far, load_seg suppressed)
 - fix arm fpu rounding (at least for float->integer conversions)
 - fix CCOP optimisation
 - optimize FPU operations (evaluate x87 stack pointer statically) 
@@ -7,7 +8,6 @@
   state, find a solution for tb_flush()).
 - add gcc 2.96 test configure (some gcc3 flags are needed)
 - add IPC syscalls
-- submit a patch to fix DOSEMU coopthreads
 
 lower priority:
 --------------

VERSION

@@ -1 +1 @@
-0.3
+0.4

configure

@@ -153,20 +153,15 @@ fi
 
 fi
 
-# check gcc version
+# check gcc options support
 cat > $TMPC <<EOF
 int main(void) {
-#if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 2)
-return 0;
-#else
-#error gcc < 3.2
-#endif
 }
 EOF
 
-gcc_major="2"
-if $cc -o $TMPO $TMPC 2> /dev/null ; then
-   gcc_major="3"
+have_gcc3_options="no"
+if $cc -fno-reorder-blocks -fno-optimize-sibling-calls -o $TMPO $TMPC 2> /dev/null ; then
+   have_gcc3_options="yes"
 fi
 
 if test "$target_bigendian" = "default" ; then
@@ -224,7 +219,9 @@ echo "prefix=$prefix" >> config.mak
 echo "#define CONFIG_QEMU_PREFIX \"$interp_prefix\"" >> $TMPH
 echo "MAKE=$make" >> config.mak
 echo "CC=$cc" >> config.mak
-echo "GCC_MAJOR=$gcc_major" >> config.mak
+if test "$have_gcc3_options" = "yes" ; then
+  echo "HAVE_GCC3_OPTIONS=yes" >> config.mak
+fi
 echo "HOST_CC=$host_cc" >> config.mak
 echo "AR=$ar" >> config.mak
 echo "STRIP=$strip -s -R .comment -R .note" >> config.mak

cpu-all.h

@@ -302,6 +302,9 @@ void page_unprotect_range(uint8_t *data, unsigned long data_size);
 
 #endif
 
-#endif
+#endif /* SINGLE_CPU_DEFINES */
+
+void cpu_abort(CPUState *env, const char *fmt, ...);
+extern CPUState *cpu_single_env;
 
 #endif /* CPU_ALL_H */

cpu-arm.h

@@ -40,6 +40,8 @@ typedef struct CPUARMState {
     jmp_buf jmp_env;
     int exception_index;
     int interrupt_request;
+    struct TranslationBlock *current_tb;
+    int user_mode_only;
 
     /* user data */
     void *opaque;

cpu-exec.c

@@ -140,9 +140,55 @@ int cpu_exec(CPUState *env1)
 #error unsupported target CPU
 #endif
     env->interrupt_request = 0;
+    env->exception_index = -1;
 
     /* prepare setjmp context for exception handling */
+    for(;;) {
         if (setjmp(env->jmp_env) == 0) {
+            /* if an exception is pending, we execute it here */
+            if (env->exception_index >= 0) {
+                if (env->exception_index >= EXCP_INTERRUPT) {
+                    /* exit request from the cpu execution loop */
+                    ret = env->exception_index;
+                    break;
+                } else if (env->user_mode_only) {
+                    /* if user mode only, we simulate a fake exception
+                       which will be hanlded outside the cpu execution
+                       loop */
+#if defined(TARGET_I386)
+                    do_interrupt_user(env->exception_index, 
+                                      env->exception_is_int, 
+                                      env->error_code, 
+                                      env->exception_next_eip);
+#endif
+                    ret = env->exception_index;
+                    break;
+                } else {
+#if defined(TARGET_I386)
+                    /* simulate a real cpu exception. On i386, it can
+                       trigger new exceptions, but we do not handle
+                       double or triple faults yet. */
+                    do_interrupt(env->exception_index, 
+                                 env->exception_is_int, 
+                                 env->error_code, 
+                                 env->exception_next_eip);
+#endif
+                }
+                env->exception_index = -1;
+            }
+#if defined(TARGET_I386)
+            /* if hardware interrupt pending, we execute it */
+            if (env->hard_interrupt_request &&
+                (env->eflags & IF_MASK)) {
+                int intno;
+                intno = cpu_x86_get_pic_interrupt(env);
+                if (loglevel) {
+                    fprintf(logfile, "Servicing hardware INT=0x%02x\n", intno);
+                }
+                do_interrupt(intno, 0, 0, 0);
+                env->hard_interrupt_request = 0;
+            }
+#endif
             T0 = 0; /* force lookup of first TB */
             for(;;) {
 #ifdef __sparc__
@@ -178,21 +224,23 @@ int cpu_exec(CPUState *env1)
                 /* we compute the CPU state. We assume it will not
                    change during the whole generated block. */
 #if defined(TARGET_I386)
-            flags = env->seg_cache[R_CS].seg_32bit << GEN_FLAG_CODE32_SHIFT;
-            flags |= env->seg_cache[R_SS].seg_32bit << GEN_FLAG_SS32_SHIFT;
-            flags |= (((unsigned long)env->seg_cache[R_DS].base | 
-                       (unsigned long)env->seg_cache[R_ES].base |
-                       (unsigned long)env->seg_cache[R_SS].base) != 0) << 
+                flags = (env->segs[R_CS].flags & DESC_B_MASK)
+                    >> (DESC_B_SHIFT - GEN_FLAG_CODE32_SHIFT);
+                flags |= (env->segs[R_SS].flags & DESC_B_MASK)
+                    >> (DESC_B_SHIFT - GEN_FLAG_SS32_SHIFT);
+                flags |= (((unsigned long)env->segs[R_DS].base | 
+                           (unsigned long)env->segs[R_ES].base |
+                           (unsigned long)env->segs[R_SS].base) != 0) << 
                     GEN_FLAG_ADDSEG_SHIFT;
                 if (!(env->eflags & VM_MASK)) {
-                flags |= (env->segs[R_CS] & 3) << GEN_FLAG_CPL_SHIFT;
+                    flags |= (env->segs[R_CS].selector & 3) << GEN_FLAG_CPL_SHIFT;
                 } else {
                     /* NOTE: a dummy CPL is kept */
                     flags |= (1 << GEN_FLAG_VM_SHIFT);
                     flags |= (3 << GEN_FLAG_CPL_SHIFT);
                 }
                 flags |= (env->eflags & (IOPL_MASK | TF_MASK));
-            cs_base = env->seg_cache[R_CS].base;
+                cs_base = env->segs[R_CS].base;
                 pc = cs_base + env->eip;
 #elif defined(TARGET_ARM)
                 flags = 0;
@@ -258,7 +306,7 @@ int cpu_exec(CPUState *env1)
                     spin_unlock(&tb_lock);
                 }
                 tc_ptr = tb->tc_ptr;
-
+                env->current_tb = tb;
                 /* execute the generated code */
                 gen_func = (void *)tc_ptr;
 #if defined(__sparc__)
@@ -277,9 +325,12 @@ int cpu_exec(CPUState *env1)
 #else
                 gen_func();
 #endif
+                env->current_tb = NULL;
             }
+        } else {
         }
-    ret = env->exception_index;
+    } /* for(;;) */
+
 
 #if defined(TARGET_I386)
     /* restore flags in standard format */
@@ -330,12 +381,6 @@ int cpu_exec(CPUState *env1)
     return ret;
 }
 
-void cpu_interrupt(CPUState *s)
-{
-    s->interrupt_request = 1;
-}
-
-
 #if defined(TARGET_I386)
 
 void cpu_x86_load_seg(CPUX86State *s, int seg_reg, int selector)
@@ -347,13 +392,13 @@ void cpu_x86_load_seg(CPUX86State *s, int seg_reg, int selector)
     if (env->eflags & VM_MASK) {
         SegmentCache *sc;
         selector &= 0xffff;
-        sc = &env->seg_cache[seg_reg];
-        /* NOTE: in VM86 mode, limit and seg_32bit are never reloaded,
+        sc = &env->segs[seg_reg];
+        /* NOTE: in VM86 mode, limit and flags are never reloaded,
            so we must load them here */
         sc->base = (void *)(selector << 4);
         sc->limit = 0xffff;
-        sc->seg_32bit = 0;
-        env->segs[seg_reg] = selector;
+        sc->flags = 0;
+        sc->selector = selector;
     } else {
         load_seg(seg_reg, selector, 0);
     }
@@ -398,6 +443,8 @@ void cpu_x86_frstor(CPUX86State *s, uint8_t *ptr, int data32)
 #include <signal.h>
 #include <sys/ucontext.h>
 
+#if defined(TARGET_I386)
+
 /* 'pc' is the host PC at which the exception was raised. 'address' is
    the effective address of the memory exception. 'is_write' is 1 if a
    write caused the exception and otherwise 0'. 'old_set' is the
@@ -407,42 +454,52 @@ static inline int handle_cpu_signal(unsigned long pc, unsigned long address,
 {
     TranslationBlock *tb;
     int ret;
-    uint32_t found_pc;
     
+    if (cpu_single_env)
+        env = cpu_single_env; /* XXX: find a correct solution for multithread */
 #if defined(DEBUG_SIGNAL)
-    printf("qemu: SIGSEGV pc=0x%08lx address=%08lx wr=%d oldset=0x%08lx\n", 
+    printf("qemu: SIGSEGV pc=0x%08lx address=%08lx w=%d oldset=0x%08lx\n", 
            pc, address, is_write, *(unsigned long *)old_set);
 #endif
     /* XXX: locking issue */
     if (is_write && page_unprotect(address)) {
         return 1;
     }
+    /* see if it is an MMU fault */
+    ret = cpu_x86_handle_mmu_fault(env, address, is_write);
+    if (ret < 0)
+        return 0; /* not an MMU fault */
+    if (ret == 0)
+        return 1; /* the MMU fault was handled without causing real CPU fault */
+    /* now we have a real cpu fault */
     tb = tb_find_pc(pc);
     if (tb) {
         /* the PC is inside the translated code. It means that we have
            a virtual CPU fault */
-        ret = cpu_search_pc(tb, &found_pc, pc);
-        if (ret < 0)
-            return 0;
-#if defined(TARGET_I386)
-        env->eip = found_pc - tb->cs_base;
-        env->cr2 = address;
+        cpu_restore_state(tb, env, pc);
+    }
+#if 0
+    printf("PF exception: EIP=0x%08x CR2=0x%08x error=0x%x\n", 
+           env->eip, env->cr[2], env->error_code);
+#endif
     /* we restore the process signal mask as the sigreturn should
        do it (XXX: use sigsetjmp) */
     sigprocmask(SIG_SETMASK, old_set, NULL);
-        raise_exception_err(EXCP0E_PAGE, 4 | (is_write << 1));
+    raise_exception_err(EXCP0E_PAGE, env->error_code);
+    /* never comes here */
+    return 1;
+}
+
 #elif defined(TARGET_ARM)
-        env->regs[15] = found_pc;
+static inline int handle_cpu_signal(unsigned long pc, unsigned long address,
+                                    int is_write, sigset_t *old_set)
+{
     /* XXX: do more */
+    return 0;
+}
 #else
 #error unsupported target CPU
 #endif
-        /* never comes here */
-        return 1;
-    } else {
-        return 0;
-    }
-}
 
 #if defined(__i386__)
 
@@ -570,6 +627,6 @@ int cpu_signal_handler(int host_signum, struct siginfo *info,
 
 #else
 
-#error CPU specific signal handler needed
+#error host CPU specific signal handler needed
 
 #endif

cpu-i386.h

@@ -50,7 +50,8 @@
 
 /* segment descriptor fields */
 #define DESC_G_MASK     (1 << 23)
-#define DESC_B_MASK     (1 << 22)
+#define DESC_B_SHIFT    22
+#define DESC_B_MASK     (1 << DESC_B_SHIFT)
 #define DESC_AVL_MASK   (1 << 20)
 #define DESC_P_MASK     (1 << 15)
 #define DESC_DPL_SHIFT  13
@@ -85,6 +86,45 @@
 #define VIP_MASK                0x00100000
 #define ID_MASK                 0x00200000
 
+#define CR0_PE_MASK  (1 << 0)
+#define CR0_TS_MASK  (1 << 3)
+#define CR0_WP_MASK  (1 << 16)
+#define CR0_AM_MASK  (1 << 18)
+#define CR0_PG_MASK  (1 << 31)
+
+#define CR4_VME_MASK  (1 << 0)
+#define CR4_PVI_MASK  (1 << 1)
+#define CR4_TSD_MASK  (1 << 2)
+#define CR4_DE_MASK   (1 << 3)
+#define CR4_PSE_MASK  (1 << 4)
+
+#define PG_PRESENT_BIT	0
+#define PG_RW_BIT	1
+#define PG_USER_BIT	2
+#define PG_PWT_BIT	3
+#define PG_PCD_BIT	4
+#define PG_ACCESSED_BIT	5
+#define PG_DIRTY_BIT	6
+#define PG_PSE_BIT	7
+#define PG_GLOBAL_BIT	8
+
+#define PG_PRESENT_MASK  (1 << PG_PRESENT_BIT)
+#define PG_RW_MASK	 (1 << PG_RW_BIT)
+#define PG_USER_MASK	 (1 << PG_USER_BIT)
+#define PG_PWT_MASK	 (1 << PG_PWT_BIT)
+#define PG_PCD_MASK	 (1 << PG_PCD_BIT)
+#define PG_ACCESSED_MASK (1 << PG_ACCESSED_BIT)
+#define PG_DIRTY_MASK	 (1 << PG_DIRTY_BIT)
+#define PG_PSE_MASK	 (1 << PG_PSE_BIT)
+#define PG_GLOBAL_MASK	 (1 << PG_GLOBAL_BIT)
+
+#define PG_ERROR_W_BIT     1
+
+#define PG_ERROR_P_MASK    0x01
+#define PG_ERROR_W_MASK    (1 << PG_ERROR_W_BIT)
+#define PG_ERROR_U_MASK    0x04
+#define PG_ERROR_RSVD_MASK 0x08
+
 #define EXCP00_DIVZ	0
 #define EXCP01_SSTP	1
 #define EXCP02_NMI	2
@@ -105,6 +145,7 @@
 #define EXCP12_MCHK	18
 
 #define EXCP_INTERRUPT 	256 /* async interruption */
+#define EXCP_HLT        257 /* hlt instruction reached */
 
 enum {
     CC_OP_DYNAMIC, /* must use dynamic code to get cc_op */
@@ -161,19 +202,12 @@ typedef double CPU86_LDouble;
 #endif
 
 typedef struct SegmentCache {
+    uint32_t selector;
     uint8_t *base;
-    unsigned long limit;
-    uint8_t seg_32bit;
+    uint32_t limit;
+    uint32_t flags;
 } SegmentCache;
 
-typedef struct SegmentDescriptorTable {
-    uint8_t *base;
-    unsigned long limit;
-    /* this is the returned base when reading the register, just to
-    avoid that the emulated program modifies it */
-    unsigned long emu_base;
-} SegmentDescriptorTable;
-
 typedef struct CPUX86State {
     /* standard registers */
     uint32_t regs[8];
@@ -205,18 +239,26 @@ typedef struct CPUX86State {
     } fp_convert;
     
     /* segments */
-    uint32_t segs[6]; /* selector values */
-    SegmentCache seg_cache[6]; /* info taken from LDT/GDT */
-    SegmentDescriptorTable gdt;
-    SegmentDescriptorTable ldt;
-    SegmentDescriptorTable idt;
+    SegmentCache segs[6]; /* selector values */
+    SegmentCache ldt;
+    SegmentCache tr;
+    SegmentCache gdt; /* only base and limit are used */
+    SegmentCache idt; /* only base and limit are used */
     
     /* exception/interrupt handling */
     jmp_buf jmp_env;
     int exception_index;
     int error_code;
-    uint32_t cr2;
-    int interrupt_request;
+    int exception_is_int;
+    int exception_next_eip;
+    struct TranslationBlock *current_tb; /* currently executing TB */
+    uint32_t cr[5]; /* NOTE: cr1 is unused */
+    uint32_t dr[8]; /* debug registers */
+    int interrupt_request; /* if true, will exit from cpu_exec() ASAP */
+    /* if true, will call cpu_x86_get_pic_interrupt() ASAP to get the
+       request interrupt number */
+    int hard_interrupt_request; 
+    int user_mode_only; /* user mode only simulation */
     
     /* user data */
     void *opaque;
@@ -235,6 +277,7 @@ CPUX86State *cpu_x86_init(void);
 int cpu_x86_exec(CPUX86State *s);
 void cpu_x86_interrupt(CPUX86State *s);
 void cpu_x86_close(CPUX86State *s);
+int cpu_x86_get_pic_interrupt(CPUX86State *s);
 
 /* needed to load some predefinied segment registers */
 void cpu_x86_load_seg(CPUX86State *s, int seg_reg, int selector);
@@ -250,6 +293,12 @@ struct siginfo;
 int cpu_x86_signal_handler(int host_signum, struct siginfo *info, 
                            void *puc);
 
+/* MMU defines */
+void cpu_x86_init_mmu(CPUX86State *env);
+extern int phys_ram_size;
+extern int phys_ram_fd;
+extern uint8_t *phys_ram_base;
+
 /* used to debug */
 #define X86_DUMP_FPU  0x0001 /* dump FPU state too */
 #define X86_DUMP_CCOP 0x0002 /* dump qemu flag cache */

dyngen.c

@@ -654,7 +654,6 @@ void gen_code(const char *name, host_ulong offset, host_ulong size,
                 sym_name = strtab + sym->st_name;
                 if (strstart(sym_name, "__op_label", &p)) {
                     uint8_t *ptr;
-                    int addend;
                     unsigned long offset;
                     
                     /* test if the variable refers to a label inside
@@ -663,7 +662,7 @@ void gen_code(const char *name, host_ulong offset, host_ulong size,
                     if (!ptr)
                         error("__op_labelN in invalid section");
                     offset = sym->st_value;
-                    addend = 0;
+                    val = *(target_ulong *)(ptr + offset);
 #ifdef ELF_USES_RELOCA
                     {
                         int reloc_shndx, nb_relocs1, j;
@@ -676,7 +675,7 @@ void gen_code(const char *name, host_ulong offset, host_ulong size,
                             rel = (ELF_RELOC *)sdata[reloc_shndx];
                             for(j = 0; j < nb_relocs1; j++) {
                                 if (rel->r_offset == offset) {
-                                    addend = rel->r_addend;
+				    val = rel->r_addend;
                                     break;
                                 }
 				rel++;
@@ -684,8 +683,6 @@ void gen_code(const char *name, host_ulong offset, host_ulong size,
                         }
                     }
 #endif                    
-                    val = *(target_ulong *)(ptr + offset);
-                    val += addend;
 
                     if (val >= start_offset && val < start_offset + copy_size) {
                         n = strtol(p, NULL, 10);

exec-i386.h

@@ -123,8 +123,23 @@ typedef struct CCTable {
 extern CCTable cc_table[];
 
 void load_seg(int seg_reg, int selector, unsigned cur_eip);
+void jmp_seg(int selector, unsigned int new_eip);
+void helper_iret_protected(int shift);
+void helper_lldt_T0(void);
+void helper_ltr_T0(void);
+void helper_movl_crN_T0(int reg);
+void helper_movl_drN_T0(int reg);
+void helper_invlpg(unsigned int addr);
+void cpu_x86_update_cr0(CPUX86State *env);
+void cpu_x86_update_cr3(CPUX86State *env);
+void cpu_x86_flush_tlb(CPUX86State *env, uint32_t addr);
+int cpu_x86_handle_mmu_fault(CPUX86State *env, uint32_t addr, int is_write);
 void __hidden cpu_lock(void);
 void __hidden cpu_unlock(void);
+void do_interrupt(int intno, int is_int, int error_code, 
+                  unsigned int next_eip);
+void do_interrupt_user(int intno, int is_int, int error_code, 
+                       unsigned int next_eip);
 void raise_interrupt(int intno, int is_int, int error_code, 
                      unsigned int next_eip);
 void raise_exception_err(int exception_index, int error_code);
@@ -324,3 +339,22 @@ void helper_frstor(uint8_t *ptr, int data32);
 const uint8_t parity_table[256];
 const uint8_t rclw_table[32];
 const uint8_t rclb_table[32];
+
+static inline uint32_t compute_eflags(void)
+{
+    return env->eflags | cc_table[CC_OP].compute_all() | (DF & DF_MASK);
+}
+
+#define FL_UPDATE_MASK32 (TF_MASK | AC_MASK | ID_MASK)
+
+#define FL_UPDATE_CPL0_MASK (TF_MASK | IF_MASK | IOPL_MASK | NT_MASK | \
+                             RF_MASK | AC_MASK | ID_MASK)
+
+/* NOTE: CC_OP must be modified manually to CC_OP_EFLAGS */
+static inline void load_eflags(int eflags, int update_mask)
+{
+    CC_SRC = eflags & (CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C);
+    DF = 1 - (2 * ((eflags >> 10) & 1));
+    env->eflags = (env->eflags & ~update_mask) | 
+        (eflags & update_mask);
+}

exec.c

@@ -26,11 +26,17 @@
 #include <inttypes.h>
 #include <sys/mman.h>
 
+#include "config.h"
+#ifdef TARGET_I386
 #include "cpu-i386.h"
+#endif
+#ifdef TARGET_ARM
+#include "cpu-arm.h"
+#endif
 #include "exec.h"
 
 //#define DEBUG_TB_INVALIDATE
-#define DEBUG_FLUSH
+//#define DEBUG_FLUSH
 
 /* make various TB consistency checks */
 //#define DEBUG_TB_CHECK 
@@ -563,3 +569,120 @@ TranslationBlock *tb_find_pc(unsigned long tc_ptr)
     } 
     return &tbs[m_max];
 }
+
+static void tb_reset_jump_recursive(TranslationBlock *tb);
+
+static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
+{
+    TranslationBlock *tb1, *tb_next, **ptb;
+    unsigned int n1;
+
+    tb1 = tb->jmp_next[n];
+    if (tb1 != NULL) {
+        /* find head of list */
+        for(;;) {
+            n1 = (long)tb1 & 3;
+            tb1 = (TranslationBlock *)((long)tb1 & ~3);
+            if (n1 == 2)
+                break;
+            tb1 = tb1->jmp_next[n1];
+        }
+        /* we are now sure now that tb jumps to tb1 */
+        tb_next = tb1;
+
+        /* remove tb from the jmp_first list */
+        ptb = &tb_next->jmp_first;
+        for(;;) {
+            tb1 = *ptb;
+            n1 = (long)tb1 & 3;
+            tb1 = (TranslationBlock *)((long)tb1 & ~3);
+            if (n1 == n && tb1 == tb)
+                break;
+            ptb = &tb1->jmp_next[n1];
+        }
+        *ptb = tb->jmp_next[n];
+        tb->jmp_next[n] = NULL;
+        
+        /* suppress the jump to next tb in generated code */
+        tb_reset_jump(tb, n);
+
+        /* suppress jumps in the tb on which we could have jump */
+        tb_reset_jump_recursive(tb_next);
+    }
+}
+
+static void tb_reset_jump_recursive(TranslationBlock *tb)
+{
+    tb_reset_jump_recursive2(tb, 0);
+    tb_reset_jump_recursive2(tb, 1);
+}
+
+void cpu_interrupt(CPUState *env)
+{
+    TranslationBlock *tb;
+
+    env->interrupt_request = 1;
+    /* if the cpu is currently executing code, we must unlink it and
+       all the potentially executing TB */
+    tb = env->current_tb;
+    if (tb) {
+        tb_reset_jump_recursive(tb);
+    }
+}
+
+
+void cpu_abort(CPUState *env, const char *fmt, ...)
+{
+    va_list ap;
+
+    va_start(ap, fmt);
+    fprintf(stderr, "qemu: fatal: ");
+    vfprintf(stderr, fmt, ap);
+    fprintf(stderr, "\n");
+#ifdef TARGET_I386
+    cpu_x86_dump_state(env, stderr, X86_DUMP_FPU | X86_DUMP_CCOP);
+#endif
+    va_end(ap);
+    abort();
+}
+
+#ifdef TARGET_I386
+/* unmap all maped pages and flush all associated code */
+void page_unmap(void)
+{
+    PageDesc *p, *pmap;
+    unsigned long addr;
+    int i, j, ret, j1;
+
+    for(i = 0; i < L1_SIZE; i++) {
+        pmap = l1_map[i];
+        if (pmap) {
+            p = pmap;
+            for(j = 0;j < L2_SIZE;) {
+                if (p->flags & PAGE_VALID) {
+                    addr = (i << (32 - L1_BITS)) | (j << TARGET_PAGE_BITS);
+                    /* we try to find a range to make less syscalls */
+                    j1 = j;
+                    p++;
+                    j++;
+                    while (j < L2_SIZE && (p->flags & PAGE_VALID)) {
+                        p++;
+                        j++;
+                    }
+                    ret = munmap((void *)addr, (j - j1) << TARGET_PAGE_BITS);
+                    if (ret != 0) {
+                        fprintf(stderr, "Could not unmap page 0x%08lx\n", addr);
+                        exit(1);
+                    }
+                } else {
+                    p++;
+                    j++;
+                }
+            }
+            free(pmap);
+            l1_map[i] = NULL;
+        }
+    }
+    tb_flush();
+}
+#endif

exec.h

@@ -39,6 +39,7 @@ struct TranslationBlock;
 extern uint16_t gen_opc_buf[OPC_BUF_SIZE];
 extern uint32_t gen_opparam_buf[OPPARAM_BUF_SIZE];
 extern uint32_t gen_opc_pc[OPC_BUF_SIZE];
+extern uint8_t gen_opc_cc_op[OPC_BUF_SIZE];
 extern uint8_t gen_opc_instr_start[OPC_BUF_SIZE];
 
 #if defined(TARGET_I386)
@@ -57,14 +58,16 @@ extern uint8_t gen_opc_instr_start[OPC_BUF_SIZE];
 extern FILE *logfile;
 extern int loglevel;
 
-int gen_intermediate_code(struct TranslationBlock *tb, int search_pc);
+int gen_intermediate_code(struct TranslationBlock *tb);
+int gen_intermediate_code_pc(struct TranslationBlock *tb);
 void dump_ops(const uint16_t *opc_buf, const uint32_t *opparam_buf);
 int cpu_gen_code(struct TranslationBlock *tb,
                  int max_code_size, int *gen_code_size_ptr);
-int cpu_search_pc(struct TranslationBlock *tb, 
-                  uint32_t *found_pc, unsigned long searched_pc);
+int cpu_restore_state(struct TranslationBlock *tb, 
+                      CPUState *env, unsigned long searched_pc);
 void cpu_exec_init(void);
 int page_unprotect(unsigned long address);
+void page_unmap(void);
 
 #define CODE_GEN_MAX_SIZE        65536
 #define CODE_GEN_ALIGN           16 /* must be >= of the size of a icache line */

helper-i386.c

@@ -126,16 +126,73 @@ void cpu_loop_exit(void)
     longjmp(env->jmp_env, 1);
 }
 
+static inline void get_ss_esp_from_tss(uint32_t *ss_ptr, 
+                                       uint32_t *esp_ptr, int dpl)
+{
+    int type, index, shift;
+    
 #if 0
-/* full interrupt support (only useful for real CPU emulation, not
-   finished) - I won't do it any time soon, finish it if you want ! */
-void raise_interrupt(int intno, int is_int, int error_code, 
+    {
+        int i;
+        printf("TR: base=%p limit=%x\n", env->tr.base, env->tr.limit);
+        for(i=0;i<env->tr.limit;i++) {
+            printf("%02x ", env->tr.base[i]);
+            if ((i & 7) == 7) printf("\n");
+        }
+        printf("\n");
+    }
+#endif
+
+    if (!(env->tr.flags & DESC_P_MASK))
+        cpu_abort(env, "invalid tss");
+    type = (env->tr.flags >> DESC_TYPE_SHIFT) & 0xf;
+    if ((type & 7) != 1)
+        cpu_abort(env, "invalid tss type");
+    shift = type >> 3;
+    index = (dpl * 4 + 2) << shift;
+    if (index + (4 << shift) - 1 > env->tr.limit)
+        raise_exception_err(EXCP0A_TSS, env->tr.selector & 0xfffc);
+    if (shift == 0) {
+        *esp_ptr = lduw(env->tr.base + index);
+        *ss_ptr = lduw(env->tr.base + index + 2);
+    } else {
+        *esp_ptr = ldl(env->tr.base + index);
+        *ss_ptr = lduw(env->tr.base + index + 4);
+    }
+}
+
+/* return non zero if error */
+static inline int load_segment(uint32_t *e1_ptr, uint32_t *e2_ptr,
+                               int selector)
+{
+    SegmentCache *dt;
+    int index;
+    uint8_t *ptr;
+
+    if (selector & 0x4)
+        dt = &env->ldt;
+    else
+        dt = &env->gdt;
+    index = selector & ~7;
+    if ((index + 7) > dt->limit)
+        return -1;
+    ptr = dt->base + index;
+    *e1_ptr = ldl(ptr);
+    *e2_ptr = ldl(ptr + 4);
+    return 0;
+}
+                                     
+
+/* protected mode interrupt */
+static void do_interrupt_protected(int intno, int is_int, int error_code,
                                       unsigned int next_eip)
 {
-    SegmentDescriptorTable *dt;
-    uint8_t *ptr;
-    int type, dpl, cpl;
-    uint32_t e1, e2;
+    SegmentCache *dt;
+    uint8_t *ptr, *ssp;
+    int type, dpl, cpl, selector, ss_dpl;
+    int has_error_code, new_stack, shift;
+    uint32_t e1, e2, offset, ss, esp, ss_e1, ss_e2, push_size;
+    uint32_t old_cs, old_ss, old_esp, old_eip;
 
     dt = &env->idt;
     if (intno * 8 + 7 > dt->limit)
@@ -147,6 +204,8 @@ void raise_interrupt(int intno, int is_int, int error_code,
     type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
     switch(type) {
     case 5: /* task gate */
+        cpu_abort(env, "task gate not supported");
+        break;
     case 6: /* 286 interrupt gate */
     case 7: /* 286 trap gate */
     case 14: /* 386 interrupt gate */
@@ -157,26 +216,196 @@ void raise_interrupt(int intno, int is_int, int error_code,
         break;
     }
     dpl = (e2 >> DESC_DPL_SHIFT) & 3;
-    cpl = env->segs[R_CS] & 3;
+    if (env->eflags & VM_MASK)
+        cpl = 3;
+    else
+        cpl = env->segs[R_CS].selector & 3;
     /* check privledge if software int */
     if (is_int && dpl < cpl)
         raise_exception_err(EXCP0D_GPF, intno * 8 + 2);
     /* check valid bit */
     if (!(e2 & DESC_P_MASK))
         raise_exception_err(EXCP0B_NOSEG, intno * 8 + 2);
+    selector = e1 >> 16;
+    offset = (e2 & 0xffff0000) | (e1 & 0x0000ffff);
+    if ((selector & 0xfffc) == 0)
+        raise_exception_err(EXCP0D_GPF, 0);
+
+    if (load_segment(&e1, &e2, selector) != 0)
+        raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+    if (!(e2 & DESC_S_MASK) || !(e2 & (DESC_CS_MASK)))
+        raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    if (dpl > cpl)
+        raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+    if (!(e2 & DESC_P_MASK))
+        raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
+    if (!(e2 & DESC_C_MASK) && dpl < cpl) {
+        /* to inner priviledge */
+        get_ss_esp_from_tss(&ss, &esp, dpl);
+        if ((ss & 0xfffc) == 0)
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        if ((ss & 3) != dpl)
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        if (load_segment(&ss_e1, &ss_e2, ss) != 0)
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        ss_dpl = (ss_e2 >> DESC_DPL_SHIFT) & 3;
+        if (ss_dpl != dpl)
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        if (!(ss_e2 & DESC_S_MASK) ||
+            (ss_e2 & DESC_CS_MASK) ||
+            !(ss_e2 & DESC_W_MASK))
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        if (!(ss_e2 & DESC_P_MASK))
+            raise_exception_err(EXCP0A_TSS, ss & 0xfffc);
+        new_stack = 1;
+    } else if ((e2 & DESC_C_MASK) || dpl == cpl) {
+        /* to same priviledge */
+        new_stack = 0;
+    } else {
+        raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        new_stack = 0; /* avoid warning */
     }
 
-#else
+    shift = type >> 3;
+    has_error_code = 0;
+    if (!is_int) {
+        switch(intno) {
+        case 8:
+        case 10:
+        case 11:
+        case 12:
+        case 13:
+        case 14:
+        case 17:
+            has_error_code = 1;
+            break;
+        }
+    }
+    push_size = 6 + (new_stack << 2) + (has_error_code << 1);
+    if (env->eflags & VM_MASK)
+        push_size += 8;
+    push_size <<= shift;
 
-/*
- * is_int is TRUE if coming from the int instruction. next_eip is the
- * EIP value AFTER the interrupt instruction. It is only relevant if
- * is_int is TRUE.  
- */
-void raise_interrupt(int intno, int is_int, int error_code, 
+    /* XXX: check that enough room is available */
+    if (new_stack) {
+        old_esp = env->regs[R_ESP];
+        old_ss = env->segs[R_SS].selector;
+        load_seg(R_SS, ss, env->eip);
+    } else {
+        old_esp = 0;
+        old_ss = 0;
+        esp = env->regs[R_ESP];
+    }
+    if (is_int)
+        old_eip = next_eip;
+    else
+        old_eip = env->eip;
+    old_cs = env->segs[R_CS].selector;
+    load_seg(R_CS, selector, env->eip);
+    env->eip = offset;
+    env->regs[R_ESP] = esp - push_size;
+    ssp = env->segs[R_SS].base + esp;
+    if (shift == 1) {
+        int old_eflags;
+        if (env->eflags & VM_MASK) {
+            ssp -= 4;
+            stl(ssp, env->segs[R_GS].selector);
+            ssp -= 4;
+            stl(ssp, env->segs[R_FS].selector);
+            ssp -= 4;
+            stl(ssp, env->segs[R_DS].selector);
+            ssp -= 4;
+            stl(ssp, env->segs[R_ES].selector);
+        }
+        if (new_stack) {
+            ssp -= 4;
+            stl(ssp, old_ss);
+            ssp -= 4;
+            stl(ssp, old_esp);
+        }
+        ssp -= 4;
+        old_eflags = compute_eflags();
+        stl(ssp, old_eflags);
+        ssp -= 4;
+        stl(ssp, old_cs);
+        ssp -= 4;
+        stl(ssp, old_eip);
+        if (has_error_code) {
+            ssp -= 4;
+            stl(ssp, error_code);
+        }
+    } else {
+        if (new_stack) {
+            ssp -= 2;
+            stw(ssp, old_ss);
+            ssp -= 2;
+            stw(ssp, old_esp);
+        }
+        ssp -= 2;
+        stw(ssp, compute_eflags());
+        ssp -= 2;
+        stw(ssp, old_cs);
+        ssp -= 2;
+        stw(ssp, old_eip);
+        if (has_error_code) {
+            ssp -= 2;
+            stw(ssp, error_code);
+        }
+    }
+    
+    /* interrupt gate clear IF mask */
+    if ((type & 1) == 0) {
+        env->eflags &= ~IF_MASK;
+    }
+    env->eflags &= ~(TF_MASK | VM_MASK | RF_MASK | NT_MASK);
+}
+
+/* real mode interrupt */
+static void do_interrupt_real(int intno, int is_int, int error_code,
                                  unsigned int next_eip)
 {
-    SegmentDescriptorTable *dt;
+    SegmentCache *dt;
+    uint8_t *ptr, *ssp;
+    int selector;
+    uint32_t offset, esp;
+    uint32_t old_cs, old_eip;
+
+    /* real mode (simpler !) */
+    dt = &env->idt;
+    if (intno * 4 + 3 > dt->limit)
+        raise_exception_err(EXCP0D_GPF, intno * 8 + 2);
+    ptr = dt->base + intno * 4;
+    offset = lduw(ptr);
+    selector = lduw(ptr + 2);
+    esp = env->regs[R_ESP] & 0xffff;
+    ssp = env->segs[R_SS].base + esp;
+    if (is_int)
+        old_eip = next_eip;
+    else
+        old_eip = env->eip;
+    old_cs = env->segs[R_CS].selector;
+    ssp -= 2;
+    stw(ssp, compute_eflags());
+    ssp -= 2;
+    stw(ssp, old_cs);
+    ssp -= 2;
+    stw(ssp, old_eip);
+    esp -= 6;
+    
+    /* update processor state */
+    env->regs[R_ESP] = (env->regs[R_ESP] & ~0xffff) | (esp & 0xffff);
+    env->eip = offset;
+    env->segs[R_CS].selector = selector;
+    env->segs[R_CS].base = (uint8_t *)(selector << 4);
+    env->eflags &= ~(IF_MASK | TF_MASK | AC_MASK | RF_MASK);
+}
+
+/* fake user mode interrupt */
+void do_interrupt_user(int intno, int is_int, int error_code, 
+                       unsigned int next_eip)
+{
+    SegmentCache *dt;
     uint8_t *ptr;
     int dpl, cpl;
     uint32_t e2;
@@ -196,13 +425,38 @@ void raise_interrupt(int intno, int is_int, int error_code,
        code */
     if (is_int)
         EIP = next_eip;
-    env->exception_index = intno;
-    env->error_code = error_code;
-
-    cpu_loop_exit();
 }
 
-#endif
+/*
+ * Begin excution of an interruption. is_int is TRUE if coming from
+ * the int instruction. next_eip is the EIP value AFTER the interrupt
+ * instruction. It is only relevant if is_int is TRUE.  
+ */
+void do_interrupt(int intno, int is_int, int error_code, 
+                  unsigned int next_eip)
+{
+    if (env->cr[0] & CR0_PE_MASK) {
+        do_interrupt_protected(intno, is_int, error_code, next_eip);
+    } else {
+        do_interrupt_real(intno, is_int, error_code, next_eip);
+    }
+}
+
+/*
+ * Signal an interruption. It is executed in the main CPU loop.
+ * is_int is TRUE if coming from the int instruction. next_eip is the
+ * EIP value AFTER the interrupt instruction. It is only relevant if
+ * is_int is TRUE.  
+ */
+void raise_interrupt(int intno, int is_int, int error_code, 
+                     unsigned int next_eip)
+{
+    env->exception_index = intno;
+    env->error_code = error_code;
+    env->exception_is_int = is_int;
+    env->exception_next_eip = next_eip;
+    cpu_loop_exit();
+}
 
 /* shortcuts to generate exceptions */
 void raise_exception_err(int exception_index, int error_code)
@@ -321,50 +575,129 @@ void helper_cpuid(void)
         ECX = 0x6c65746e;
         EDX = 0x49656e69;
     } else if (EAX == 1) {
+        int family, model, stepping;
         /* EAX = 1 info */
-        EAX = 0x52b;
+#if 0
+        /* pentium 75-200 */
+        family = 5;
+        model = 2;
+        stepping = 11;
+#else
+        /* pentium pro */
+        family = 6;
+        model = 1;
+        stepping = 3;
+#endif
+        EAX = (family << 8) | (model << 4) | stepping;
         EBX = 0;
         ECX = 0;
         EDX = CPUID_FP87 | CPUID_DE | CPUID_PSE |
             CPUID_TSC | CPUID_MSR | CPUID_MCE |
-            CPUID_CX8;
+            CPUID_CX8 | CPUID_PGE | CPUID_CMOV;
     }
 }
 
+static inline void load_seg_cache(SegmentCache *sc, uint32_t e1, uint32_t e2)
+{
+    sc->base = (void *)((e1 >> 16) | ((e2 & 0xff) << 16) | (e2 & 0xff000000));
+    sc->limit = (e1 & 0xffff) | (e2 & 0x000f0000);
+    if (e2 & DESC_G_MASK)
+        sc->limit = (sc->limit << 12) | 0xfff;
+    sc->flags = e2;
+}
+
+void helper_lldt_T0(void)
+{
+    int selector;
+    SegmentCache *dt;
+    uint32_t e1, e2;
+    int index;
+    uint8_t *ptr;
+    
+    selector = T0 & 0xffff;
+    if ((selector & 0xfffc) == 0) {
+        /* XXX: NULL selector case: invalid LDT */
+        env->ldt.base = NULL;
+        env->ldt.limit = 0;
+    } else {
+        if (selector & 0x4)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        dt = &env->gdt;
+        index = selector & ~7;
+        if ((index + 7) > dt->limit)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        ptr = dt->base + index;
+        e1 = ldl(ptr);
+        e2 = ldl(ptr + 4);
+        if ((e2 & DESC_S_MASK) || ((e2 >> DESC_TYPE_SHIFT) & 0xf) != 2)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        if (!(e2 & DESC_P_MASK))
+            raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
+        load_seg_cache(&env->ldt, e1, e2);
+    }
+    env->ldt.selector = selector;
+}
+
+void helper_ltr_T0(void)
+{
+    int selector;
+    SegmentCache *dt;
+    uint32_t e1, e2;
+    int index, type;
+    uint8_t *ptr;
+    
+    selector = T0 & 0xffff;
+    if ((selector & 0xfffc) == 0) {
+        /* NULL selector case: invalid LDT */
+        env->tr.base = NULL;
+        env->tr.limit = 0;
+        env->tr.flags = 0;
+    } else {
+        if (selector & 0x4)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        dt = &env->gdt;
+        index = selector & ~7;
+        if ((index + 7) > dt->limit)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        ptr = dt->base + index;
+        e1 = ldl(ptr);
+        e2 = ldl(ptr + 4);
+        type = (e2 >> DESC_TYPE_SHIFT) & 0xf;
+        if ((e2 & DESC_S_MASK) || 
+            (type != 2 && type != 9))
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        if (!(e2 & DESC_P_MASK))
+            raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
+        load_seg_cache(&env->tr, e1, e2);
+        e2 |= 0x00000200; /* set the busy bit */
+        stl(ptr + 4, e2);
+    }
+    env->tr.selector = selector;
+}
+
 /* only works if protected mode and not VM86 */
-void load_seg(int seg_reg, int selector, unsigned cur_eip)
+void load_seg(int seg_reg, int selector, unsigned int cur_eip)
 {
     SegmentCache *sc;
-    SegmentDescriptorTable *dt;
-    int index;
     uint32_t e1, e2;
-    uint8_t *ptr;
     
-    sc = &env->seg_cache[seg_reg];
+    sc = &env->segs[seg_reg];
     if ((selector & 0xfffc) == 0) {
         /* null selector case */
         if (seg_reg == R_SS) {
             EIP = cur_eip;
-            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+            raise_exception_err(EXCP0D_GPF, 0);
         } else {
             /* XXX: each access should trigger an exception */
             sc->base = NULL;
             sc->limit = 0;
-            sc->seg_32bit = 1;
+            sc->flags = 0;
         }
     } else {
-        if (selector & 0x4)
-            dt = &env->ldt;
-        else
-            dt = &env->gdt;
-        index = selector & ~7;
-        if ((index + 7) > dt->limit) {
+        if (load_segment(&e1, &e2, selector) != 0) {
             EIP = cur_eip;
             raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
         }
-        ptr = dt->base + index;
-        e1 = ldl(ptr);
-        e2 = ldl(ptr + 4);
         if (!(e2 & DESC_S_MASK) ||
             (e2 & (DESC_CS_MASK | DESC_R_MASK)) == DESC_CS_MASK) {
             EIP = cur_eip;
@@ -390,18 +723,210 @@ void load_seg(int seg_reg, int selector, unsigned cur_eip)
             else
                 raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
         }
-        
-        sc->base = (void *)((e1 >> 16) | ((e2 & 0xff) << 16) | (e2 & 0xff000000));
-        sc->limit = (e1 & 0xffff) | (e2 & 0x000f0000);
-        if (e2 & (1 << 23))
-            sc->limit = (sc->limit << 12) | 0xfff;
-        sc->seg_32bit = (e2 >> 22) & 1;
+        load_seg_cache(sc, e1, e2);
 #if 0
-        fprintf(logfile, "load_seg: sel=0x%04x base=0x%08lx limit=0x%08lx seg_32bit=%d\n", 
-                selector, (unsigned long)sc->base, sc->limit, sc->seg_32bit);
+        fprintf(logfile, "load_seg: sel=0x%04x base=0x%08lx limit=0x%08lx flags=%08x\n", 
+                selector, (unsigned long)sc->base, sc->limit, sc->flags);
 #endif
     }
-    env->segs[seg_reg] = selector;
+    sc->selector = selector;
+}
+
+/* protected mode jump */
+void jmp_seg(int selector, unsigned int new_eip)
+{
+    SegmentCache sc1;
+    uint32_t e1, e2, cpl, dpl, rpl;
+
+    if ((selector & 0xfffc) == 0) {
+        raise_exception_err(EXCP0D_GPF, 0);
+    }
+
+    if (load_segment(&e1, &e2, selector) != 0)
+        raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+    cpl = env->segs[R_CS].selector & 3;
+    if (e2 & DESC_S_MASK) {
+        if (!(e2 & DESC_CS_MASK))
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+        if (e2 & DESC_CS_MASK) {
+            /* conforming code segment */
+            if (dpl > cpl)
+                raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        } else {
+            /* non conforming code segment */
+            rpl = selector & 3;
+            if (rpl > cpl)
+                raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+            if (dpl != cpl)
+                raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        }
+        if (!(e2 & DESC_P_MASK))
+            raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
+        load_seg_cache(&sc1, e1, e2);
+        if (new_eip > sc1.limit)
+            raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
+        env->segs[R_CS].base = sc1.base;
+        env->segs[R_CS].limit = sc1.limit;
+        env->segs[R_CS].flags = sc1.flags;
+        env->segs[R_CS].selector = (selector & 0xfffc) | cpl;
+        EIP = new_eip;
+    } else {
+        cpu_abort(env, "jmp to call/task gate not supported 0x%04x:0x%08x", 
+                  selector, new_eip);
+    }
+}
+
+/* init the segment cache in vm86 mode */
+static inline void load_seg_vm(int seg, int selector)
+{
+    SegmentCache *sc = &env->segs[seg];
+    selector &= 0xffff;
+    sc->base = (uint8_t *)(selector << 4);
+    sc->selector = selector;
+    sc->flags = 0;
+    sc->limit = 0xffff;
+}
+
+/* protected mode iret */
+void helper_iret_protected(int shift)
+{
+    uint32_t sp, new_cs, new_eip, new_eflags, new_esp, new_ss;
+    uint32_t new_es, new_ds, new_fs, new_gs;
+    uint32_t e1, e2;
+    int cpl, dpl, rpl, eflags_mask;
+    uint8_t *ssp;
+    
+    sp = env->regs[R_ESP];
+    if (!(env->segs[R_SS].flags & DESC_B_MASK))
+        sp &= 0xffff;
+    ssp = env->segs[R_SS].base + sp;
+    if (shift == 1) {
+        /* 32 bits */
+        new_eflags = ldl(ssp + 8);
+        new_cs = ldl(ssp + 4) & 0xffff;
+        new_eip = ldl(ssp);
+        if (new_eflags & VM_MASK)
+            goto return_to_vm86;
+    } else {
+        /* 16 bits */
+        new_eflags = lduw(ssp + 4);
+        new_cs = lduw(ssp + 2);
+        new_eip = lduw(ssp);
+    }
+    if ((new_cs & 0xfffc) == 0)
+        raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    if (load_segment(&e1, &e2, new_cs) != 0)
+        raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    if (!(e2 & DESC_S_MASK) ||
+        !(e2 & DESC_CS_MASK))
+        raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    cpl = env->segs[R_CS].selector & 3;
+    rpl = new_cs & 3; 
+    if (rpl < cpl)
+        raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+    if (e2 & DESC_CS_MASK) {
+        if (dpl > rpl)
+            raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    } else {
+        if (dpl != rpl)
+            raise_exception_err(EXCP0D_GPF, new_cs & 0xfffc);
+    }
+    if (!(e2 & DESC_P_MASK))
+        raise_exception_err(EXCP0B_NOSEG, new_cs & 0xfffc);
+    
+    if (rpl == cpl) {
+        /* return to same priledge level */
+        load_seg(R_CS, new_cs, env->eip);
+        new_esp = sp + (6 << shift);
+    } else {
+        /* return to differentr priviledge level */
+        if (shift == 1) {
+            /* 32 bits */
+            new_esp = ldl(ssp + 12);
+            new_ss = ldl(ssp + 16) & 0xffff;
+        } else {
+            /* 16 bits */
+            new_esp = lduw(ssp + 6);
+            new_ss = lduw(ssp + 8);
+        }
+        
+        if ((new_ss & 3) != rpl)
+            raise_exception_err(EXCP0D_GPF, new_ss & 0xfffc);
+        if (load_segment(&e1, &e2, new_ss) != 0)
+            raise_exception_err(EXCP0D_GPF, new_ss & 0xfffc);
+        if (!(e2 & DESC_S_MASK) ||
+            (e2 & DESC_CS_MASK) ||
+            !(e2 & DESC_W_MASK))
+            raise_exception_err(EXCP0D_GPF, new_ss & 0xfffc);
+        dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+        if (dpl != rpl)
+            raise_exception_err(EXCP0D_GPF, new_ss & 0xfffc);
+        if (!(e2 & DESC_P_MASK))
+            raise_exception_err(EXCP0B_NOSEG, new_ss & 0xfffc);
+
+        load_seg(R_CS, new_cs, env->eip);
+        load_seg(R_SS, new_ss, env->eip);
+    }
+    if (env->segs[R_SS].flags & DESC_B_MASK)
+        env->regs[R_ESP] = new_esp;
+    else
+        env->regs[R_ESP] = (env->regs[R_ESP] & 0xffff0000) | 
+            (new_esp & 0xffff);
+    env->eip = new_eip;
+    if (cpl == 0)
+        eflags_mask = FL_UPDATE_CPL0_MASK;
+    else
+        eflags_mask = FL_UPDATE_MASK32;
+    if (shift == 0)
+        eflags_mask &= 0xffff;
+    load_eflags(new_eflags, eflags_mask);
+    return;
+
+ return_to_vm86:
+    new_esp = ldl(ssp + 12);
+    new_ss = ldl(ssp + 16);
+    new_es = ldl(ssp + 20);
+    new_ds = ldl(ssp + 24);
+    new_fs = ldl(ssp + 28);
+    new_gs = ldl(ssp + 32);
+    
+    /* modify processor state */
+    load_eflags(new_eflags, FL_UPDATE_CPL0_MASK | VM_MASK | VIF_MASK | VIP_MASK);
+    load_seg_vm(R_CS, new_cs);
+    load_seg_vm(R_SS, new_ss);
+    load_seg_vm(R_ES, new_es);
+    load_seg_vm(R_DS, new_ds);
+    load_seg_vm(R_FS, new_fs);
+    load_seg_vm(R_GS, new_gs);
+    
+    env->eip = new_eip;
+    env->regs[R_ESP] = new_esp;
+}
+
+void helper_movl_crN_T0(int reg)
+{
+    env->cr[reg] = T0;
+    switch(reg) {
+    case 0:
+        cpu_x86_update_cr0(env);
+        break;
+    case 3:
+        cpu_x86_update_cr3(env);
+        break;
+    }
+}
+
+/* XXX: do more */
+void helper_movl_drN_T0(int reg)
+{
+    env->dr[reg] = T0;
+}
+
+void helper_invlpg(unsigned int addr)
+{
+    cpu_x86_flush_tlb(env, addr);
 }
 
 /* rdtsc */
@@ -425,23 +950,12 @@ void helper_rdtsc(void)
 void helper_lsl(void)
 {
     unsigned int selector, limit;
-    SegmentDescriptorTable *dt;
-    int index;
     uint32_t e1, e2;
-    uint8_t *ptr;
 
     CC_SRC = cc_table[CC_OP].compute_all() & ~CC_Z;
     selector = T0 & 0xffff;
-    if (selector & 0x4)
-        dt = &env->ldt;
-    else
-        dt = &env->gdt;
-    index = selector & ~7;
-    if ((index + 7) > dt->limit)
+    if (load_segment(&e1, &e2, selector) != 0)
         return;
-    ptr = dt->base + index;
-    e1 = ldl(ptr);
-    e2 = ldl(ptr + 4);
     limit = (e1 & 0xffff) | (e2 & 0x000f0000);
     if (e2 & (1 << 23))
         limit = (limit << 12) | 0xfff;
@@ -452,22 +966,12 @@ void helper_lsl(void)
 void helper_lar(void)
 {
     unsigned int selector;
-    SegmentDescriptorTable *dt;
-    int index;
-    uint32_t e2;
-    uint8_t *ptr;
+    uint32_t e1, e2;
 
     CC_SRC = cc_table[CC_OP].compute_all() & ~CC_Z;
     selector = T0 & 0xffff;
-    if (selector & 0x4)
-        dt = &env->ldt;
-    else
-        dt = &env->gdt;
-    index = selector & ~7;
-    if ((index + 7) > dt->limit)
+    if (load_segment(&e1, &e2, selector) != 0)
         return;
-    ptr = dt->base + index;
-    e2 = ldl(ptr + 4);
     T1 = e2 & 0x00f0ff00;
     CC_SRC |= CC_Z;
 }

i386-vl.ld

@@ -0,0 +1,140 @@
+/* ld script to make i386 Linux kernel
+ * Written by Martin Mares <mj@atrey.karlin.mff.cuni.cz>;
+ */
+OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
+OUTPUT_ARCH(i386)
+SEARCH_DIR(/lib); SEARCH_DIR(/usr/lib); SEARCH_DIR(/usr/local/lib); SEARCH_DIR(/usr/alpha-unknown-linux-gnu/lib);
+ENTRY(_start)
+SECTIONS
+{
+  /* Read-only sections, merged into text segment: */
+  . = 0xa0000000 + SIZEOF_HEADERS;
+  .interp     : { *(.interp) 	}
+  .hash          : { *(.hash)		}
+  .dynsym        : { *(.dynsym)		}
+  .dynstr        : { *(.dynstr)		}
+  .gnu.version   : { *(.gnu.version)	}
+  .gnu.version_d   : { *(.gnu.version_d)	}
+  .gnu.version_r   : { *(.gnu.version_r)	}
+  .rel.text      :
+    { *(.rel.text) *(.rel.gnu.linkonce.t*) }
+  .rela.text     :
+    { *(.rela.text) *(.rela.gnu.linkonce.t*) }
+  .rel.data      :
+    { *(.rel.data) *(.rel.gnu.linkonce.d*) }
+  .rela.data     :
+    { *(.rela.data) *(.rela.gnu.linkonce.d*) }
+  .rel.rodata    :
+    { *(.rel.rodata) *(.rel.gnu.linkonce.r*) }
+  .rela.rodata   :
+    { *(.rela.rodata) *(.rela.gnu.linkonce.r*) }
+  .rel.got       : { *(.rel.got)		}
+  .rela.got      : { *(.rela.got)		}
+  .rel.ctors     : { *(.rel.ctors)	}
+  .rela.ctors    : { *(.rela.ctors)	}
+  .rel.dtors     : { *(.rel.dtors)	}
+  .rela.dtors    : { *(.rela.dtors)	}
+  .rel.init      : { *(.rel.init)	}
+  .rela.init     : { *(.rela.init)	}
+  .rel.fini      : { *(.rel.fini)	}
+  .rela.fini     : { *(.rela.fini)	}
+  .rel.bss       : { *(.rel.bss)		}
+  .rela.bss      : { *(.rela.bss)		}
+  .rel.plt       : { *(.rel.plt)		}
+  .rela.plt      : { *(.rela.plt)		}
+  .init          : { *(.init)	} =0x47ff041f
+  .text      :
+  {
+    *(.text)
+    /* .gnu.warning sections are handled specially by elf32.em.  */
+    *(.gnu.warning)
+    *(.gnu.linkonce.t*)
+  } =0x47ff041f
+  _etext = .;
+  PROVIDE (etext = .);
+  .fini      : { *(.fini)    } =0x47ff041f
+  .rodata    : { *(.rodata) *(.gnu.linkonce.r*) }
+  .rodata1   : { *(.rodata1) }
+  .reginfo : { *(.reginfo) }
+  __preinit_array_start = .;
+  .preinit_array : { *(.preinit_array) }
+  __preinit_array_end = .;
+  __init_array_start = .;
+  .init_array : { *(.init_array) }
+  __init_array_end = .;
+  __fini_array_start = .;
+  .fini_array : { *(.fini_array) }
+  __fini_array_end = .;
+
+  /* Adjust the address for the data segment.  We want to adjust up to
+     the same address within the page on the next page up.  */
+  . = ALIGN(0x100000) + (. & (0x100000 - 1));
+  .data    :
+  {
+    *(.data)
+    *(.gnu.linkonce.d*)
+    CONSTRUCTORS
+  }
+  .data1   : { *(.data1) }
+  .ctors         :
+  {
+    *(.ctors)
+  }
+  .dtors         :
+  {
+    *(.dtors)
+  }
+  .plt      : { *(.plt)	}
+  .got           : { *(.got.plt) *(.got) }
+  .dynamic       : { *(.dynamic) }
+  /* We want the small data sections together, so single-instruction offsets
+     can access them all, and initialized data all before uninitialized, so
+     we can shorten the on-disk segment size.  */
+  .sdata     : { *(.sdata) }
+  _edata  =  .;
+  PROVIDE (edata = .);
+  __bss_start = .;
+  .sbss      : { *(.sbss) *(.scommon) }
+  .bss       :
+  {
+   *(.dynbss)
+   *(.bss)
+   *(COMMON)
+  }
+  _end = . ;
+  PROVIDE (end = .);
+  /* Stabs debugging sections.  */
+  .stab 0 : { *(.stab) }
+  .stabstr 0 : { *(.stabstr) }
+  .stab.excl 0 : { *(.stab.excl) }
+  .stab.exclstr 0 : { *(.stab.exclstr) }
+  .stab.index 0 : { *(.stab.index) }
+  .stab.indexstr 0 : { *(.stab.indexstr) }
+  .comment 0 : { *(.comment) }
+  /* DWARF debug sections.
+     Symbols in the DWARF debugging sections are relative to the beginning
+     of the section so we begin them at 0.  */
+  /* DWARF 1 */
+  .debug          0 : { *(.debug) }
+  .line           0 : { *(.line) }
+  /* GNU DWARF 1 extensions */
+  .debug_srcinfo  0 : { *(.debug_srcinfo) }
+  .debug_sfnames  0 : { *(.debug_sfnames) }
+  /* DWARF 1.1 and DWARF 2 */
+  .debug_aranges  0 : { *(.debug_aranges) }
+  .debug_pubnames 0 : { *(.debug_pubnames) }
+  /* DWARF 2 */
+  .debug_info     0 : { *(.debug_info) }
+  .debug_abbrev   0 : { *(.debug_abbrev) }
+  .debug_line     0 : { *(.debug_line) }
+  .debug_frame    0 : { *(.debug_frame) }
+  .debug_str      0 : { *(.debug_str) }
+  .debug_loc      0 : { *(.debug_loc) }
+  .debug_macinfo  0 : { *(.debug_macinfo) }
+  /* SGI/MIPS DWARF 2 extensions */
+  .debug_weaknames 0 : { *(.debug_weaknames) }
+  .debug_funcnames 0 : { *(.debug_funcnames) }
+  .debug_typenames 0 : { *(.debug_typenames) }
+  .debug_varnames  0 : { *(.debug_varnames) }
+  /* These must appear regardless of  .  */
+}

linux-user/main.c

@@ -26,8 +26,6 @@
 
 #include "qemu.h"
 
-#include "cpu-i386.h"
-
 #define DEBUG_LOGFILE "/tmp/qemu.log"
 
 FILE *logfile = NULL;
@@ -100,6 +98,11 @@ int cpu_x86_inl(CPUX86State *env, int addr)
     return 0;
 }
 
+int cpu_x86_get_pic_interrupt(CPUX86State *env)
+{
+    return -1;
+}
+
 static void write_dt(void *ptr, unsigned long addr, unsigned long limit, 
                      int flags)
 {
@@ -176,7 +179,7 @@ void cpu_loop(CPUX86State *env)
                 info.si_code = TARGET_SEGV_MAPERR;
             else
                 info.si_code = TARGET_SEGV_ACCERR;
-            info._sifields._sigfault._addr = env->cr2;
+            info._sifields._sigfault._addr = env->cr[2];
             queue_signal(info.si_signo, &info);
             break;
         case EXCP00_DIVZ:
@@ -231,7 +234,7 @@ void cpu_loop(CPUX86State *env)
             /* just indicate that signals should be handled asap */
             break;
         default:
-            pc = env->seg_cache[R_CS].base + env->eip;
+            pc = env->segs[R_CS].base + env->eip;
             fprintf(stderr, "qemu: 0x%08lx: unhandled CPU exception 0x%x - aborting\n", 
                     (long)pc, trapnr);
             abort();
@@ -317,6 +320,9 @@ void usage(void)
 
 /* XXX: currently only used for async signals (see signal.c) */
 CPUState *global_env;
+/* used only if single thread */
+CPUState *cpu_single_env = NULL;
+
 /* used to free thread contexts */
 TaskState *first_task_state;
 
@@ -423,6 +429,7 @@ int main(int argc, char **argv)
     memset(ts, 0, sizeof(TaskState));
     env->opaque = ts;
     ts->used = 1;
+    env->user_mode_only = 1;
     
 #if defined(TARGET_I386)
     /* linux register setup */
@@ -476,6 +483,7 @@ int main(int argc, char **argv)
     cpu_x86_load_seg(env, R_SS, __USER_DS);
     cpu_x86_load_seg(env, R_FS, __USER_DS);
     cpu_x86_load_seg(env, R_GS, __USER_DS);
+
 #elif defined(TARGET_ARM)
     {
         int i;

linux-user/qemu.h

@@ -6,8 +6,15 @@
 #include <signal.h>
 #include "syscall_defs.h"
 
-#include "cpu-" TARGET_ARCH ".h"
-#include "syscall-" TARGET_ARCH ".h"
+#if defined(TARGET_I386)
+#include "cpu-i386.h"
+#include "syscall-i386.h"
+#elif defined(TARGET_ARM)
+#include "cpu-arm.h"
+#include "syscall-arm.h"
+#else
+#error unsupported target CPU
+#endif
 
 /* This struct is used to hold certain information about the image.
  * Basically, it replicates in user space what would be certain

linux-user/signal.c

@@ -517,10 +517,10 @@ setup_sigcontext(struct target_sigcontext *sc, struct target_fpstate *fpstate,
 {
 	int err = 0;
 
-	err |= __put_user(env->segs[R_GS], (unsigned int *)&sc->gs);
-	err |= __put_user(env->segs[R_FS], (unsigned int *)&sc->fs);
-	err |= __put_user(env->segs[R_ES], (unsigned int *)&sc->es);
-	err |= __put_user(env->segs[R_DS], (unsigned int *)&sc->ds);
+	err |= __put_user(env->segs[R_GS].selector, (unsigned int *)&sc->gs);
+	err |= __put_user(env->segs[R_FS].selector, (unsigned int *)&sc->fs);
+	err |= __put_user(env->segs[R_ES].selector, (unsigned int *)&sc->es);
+	err |= __put_user(env->segs[R_DS].selector, (unsigned int *)&sc->ds);
 	err |= __put_user(env->regs[R_EDI], &sc->edi);
 	err |= __put_user(env->regs[R_ESI], &sc->esi);
 	err |= __put_user(env->regs[R_EBP], &sc->ebp);
@@ -532,10 +532,10 @@ setup_sigcontext(struct target_sigcontext *sc, struct target_fpstate *fpstate,
 	err |= __put_user(env->exception_index, &sc->trapno);
 	err |= __put_user(env->error_code, &sc->err);
 	err |= __put_user(env->eip, &sc->eip);
-	err |= __put_user(env->segs[R_CS], (unsigned int *)&sc->cs);
+	err |= __put_user(env->segs[R_CS].selector, (unsigned int *)&sc->cs);
 	err |= __put_user(env->eflags, &sc->eflags);
 	err |= __put_user(env->regs[R_ESP], &sc->esp_at_signal);
-	err |= __put_user(env->segs[R_SS], (unsigned int *)&sc->ss);
+	err |= __put_user(env->segs[R_SS].selector, (unsigned int *)&sc->ss);
 
         cpu_x86_fsave(env, (void *)fpstate, 1);
         fpstate->status = fpstate->sw;
@@ -544,7 +544,7 @@ setup_sigcontext(struct target_sigcontext *sc, struct target_fpstate *fpstate,
 
 	/* non-iBCS2 extensions.. */
 	err |= __put_user(mask, &sc->oldmask);
-	err |= __put_user(env->cr2, &sc->cr2);
+	err |= __put_user(env->cr[2], &sc->cr2);
 	return err;
 }
 
@@ -567,12 +567,13 @@ get_sigframe(struct emulated_sigaction *ka, CPUX86State *env, size_t frame_size)
 	}
 
 	/* This is the legacy signal stack switching. */
-	else if ((regs->xss & 0xffff) != __USER_DS &&
-		 !(ka->sa.sa_flags & SA_RESTORER) &&
+	else 
+#endif
+        if ((env->segs[R_SS].selector & 0xffff) != __USER_DS &&
+            !(ka->sa.sa_flags & TARGET_SA_RESTORER) &&
             ka->sa.sa_restorer) {
             esp = (unsigned long) ka->sa.sa_restorer;
 	}
-#endif
         return (void *)((esp - frame_size) & -8ul);
 }
 

linux-user/vm86.c

@@ -73,17 +73,17 @@ void save_v86_state(CPUX86State *env)
     ts->target_v86->regs.ebp = tswap32(env->regs[R_EBP]);
     ts->target_v86->regs.esp = tswap32(env->regs[R_ESP]);
     ts->target_v86->regs.eip = tswap32(env->eip);
-    ts->target_v86->regs.cs = tswap16(env->segs[R_CS]);
-    ts->target_v86->regs.ss = tswap16(env->segs[R_SS]);
-    ts->target_v86->regs.ds = tswap16(env->segs[R_DS]);
-    ts->target_v86->regs.es = tswap16(env->segs[R_ES]);
-    ts->target_v86->regs.fs = tswap16(env->segs[R_FS]);
-    ts->target_v86->regs.gs = tswap16(env->segs[R_GS]);
+    ts->target_v86->regs.cs = tswap16(env->segs[R_CS].selector);
+    ts->target_v86->regs.ss = tswap16(env->segs[R_SS].selector);
+    ts->target_v86->regs.ds = tswap16(env->segs[R_DS].selector);
+    ts->target_v86->regs.es = tswap16(env->segs[R_ES].selector);
+    ts->target_v86->regs.fs = tswap16(env->segs[R_FS].selector);
+    ts->target_v86->regs.gs = tswap16(env->segs[R_GS].selector);
     set_flags(env->eflags, ts->v86flags, VIF_MASK | ts->v86mask);
     ts->target_v86->regs.eflags = tswap32(env->eflags);
 #ifdef DEBUG_VM86
     fprintf(logfile, "save_v86_state: eflags=%08x cs:ip=%04x:%04x\n", 
-            env->eflags, env->segs[R_CS], env->eip);
+            env->eflags, env->segs[R_CS].selector, env->eip);
 #endif
 
     /* restore 32 bit registers */
@@ -180,6 +180,7 @@ static inline unsigned int get_vflags(CPUX86State *env)
     flags = env->eflags & RETURN_MASK;
     if (ts->v86flags & VIF_MASK)
         flags |= IF_MASK;
+    flags |= IOPL_MASK;
     return flags | (ts->v86flags & ts->v86mask);
 }
 
@@ -194,7 +195,7 @@ static void do_int(CPUX86State *env, int intno)
     uint8_t *ssp;
     unsigned int sp;
 
-    if (env->segs[R_CS] == TARGET_BIOSSEG)
+    if (env->segs[R_CS].selector == TARGET_BIOSSEG)
         goto cannot_handle;
     if (is_revectored(intno, &ts->vm86plus.int_revectored))
         goto cannot_handle;
@@ -210,10 +211,10 @@ static void do_int(CPUX86State *env, int intno)
             intno, segoffs >> 16, segoffs & 0xffff);
 #endif
     /* save old state */
-    ssp = (uint8_t *)(env->segs[R_SS] << 4);
+    ssp = (uint8_t *)(env->segs[R_SS].selector << 4);
     sp = env->regs[R_ESP] & 0xffff;
     vm_putw(ssp, sp - 2, get_vflags(env));
-    vm_putw(ssp, sp - 4, env->segs[R_CS]);
+    vm_putw(ssp, sp - 4, env->segs[R_CS].selector);
     vm_putw(ssp, sp - 6, env->eip);
     ADD16(env->regs[R_ESP], -6);
     /* goto interrupt handler */
@@ -257,16 +258,16 @@ void handle_vm86_fault(CPUX86State *env)
     unsigned int ip, sp, newflags, newip, newcs, opcode, intno;
     int data32, pref_done;
 
-    csp = (uint8_t *)(env->segs[R_CS] << 4);
+    csp = (uint8_t *)(env->segs[R_CS].selector << 4);
     ip = env->eip & 0xffff;
     pc = csp + ip;
     
-    ssp = (uint8_t *)(env->segs[R_SS] << 4);
+    ssp = (uint8_t *)(env->segs[R_SS].selector << 4);
     sp = env->regs[R_ESP] & 0xffff;
 
 #if defined(DEBUG_VM86)
     fprintf(logfile, "VM86 exception %04x:%08x %02x %02x\n",
-            env->segs[R_CS], env->eip, pc[0], pc[1]);
+            env->segs[R_CS].selector, env->eip, pc[0], pc[1]);
 #endif
 
     data32 = 0;
@@ -413,12 +414,12 @@ int do_vm86(CPUX86State *env, long subfunction,
     ts->vm86_saved_regs.esp = env->regs[R_ESP];
     ts->vm86_saved_regs.eflags = env->eflags;
     ts->vm86_saved_regs.eip  = env->eip;
-    ts->vm86_saved_regs.cs = env->segs[R_CS];
-    ts->vm86_saved_regs.ss = env->segs[R_SS];
-    ts->vm86_saved_regs.ds = env->segs[R_DS];
-    ts->vm86_saved_regs.es = env->segs[R_ES];
-    ts->vm86_saved_regs.fs = env->segs[R_FS];
-    ts->vm86_saved_regs.gs = env->segs[R_GS];
+    ts->vm86_saved_regs.cs = env->segs[R_CS].selector;
+    ts->vm86_saved_regs.ss = env->segs[R_SS].selector;
+    ts->vm86_saved_regs.ds = env->segs[R_DS].selector;
+    ts->vm86_saved_regs.es = env->segs[R_ES].selector;
+    ts->vm86_saved_regs.fs = env->segs[R_FS].selector;
+    ts->vm86_saved_regs.gs = env->segs[R_GS].selector;
 
     /* build vm86 CPU state */
     ts->v86flags = tswap32(target_v86->regs.eflags);
@@ -466,7 +467,8 @@ int do_vm86(CPUX86State *env, long subfunction,
            target_v86->vm86plus.vm86dbg_intxxtab, 32);
     
 #ifdef DEBUG_VM86
-    fprintf(logfile, "do_vm86: cs:ip=%04x:%04x\n", env->segs[R_CS], env->eip);
+    fprintf(logfile, "do_vm86: cs:ip=%04x:%04x\n", 
+            env->segs[R_CS].selector, env->eip);
 #endif
     /* now the virtual CPU is ready for vm86 execution ! */
  out:

op-i386.c

@@ -357,6 +357,11 @@ void OPPROTO op_andl_T0_ffff(void)
     T0 = T0 & 0xffff;
 }
 
+void OPPROTO op_andl_T0_im(void)
+{
+    T0 = T0 & PARAM1;
+}
+
 void OPPROTO op_movl_T0_T1(void)
 {
     T0 = T1;
@@ -488,6 +493,12 @@ void OPPROTO op_jmp_im(void)
     EIP = PARAM1;
 }
 
+void OPPROTO op_hlt(void)
+{
+    env->exception_index = EXCP_HLT;
+    cpu_loop_exit();
+}
+
 void OPPROTO op_raise_interrupt(void)
 {
     int intno;
@@ -665,7 +676,7 @@ void op_pushl_ss32_T0(void)
 {
     uint32_t offset;
     offset = ESP - 4;
-    stl(env->seg_cache[R_SS].base + offset, T0);
+    stl(env->segs[R_SS].base + offset, T0);
     /* modify ESP after to handle exceptions correctly */
     ESP = offset;
 }
@@ -674,7 +685,7 @@ void op_pushw_ss32_T0(void)
 {
     uint32_t offset;
     offset = ESP - 2;
-    stw(env->seg_cache[R_SS].base + offset, T0);
+    stw(env->segs[R_SS].base + offset, T0);
     /* modify ESP after to handle exceptions correctly */
     ESP = offset;
 }
@@ -683,7 +694,7 @@ void op_pushl_ss16_T0(void)
 {
     uint32_t offset;
     offset = (ESP - 4) & 0xffff;
-    stl(env->seg_cache[R_SS].base + offset, T0);
+    stl(env->segs[R_SS].base + offset, T0);
     /* modify ESP after to handle exceptions correctly */
     ESP = (ESP & ~0xffff) | offset;
 }
@@ -692,7 +703,7 @@ void op_pushw_ss16_T0(void)
 {
     uint32_t offset;
     offset = (ESP - 2) & 0xffff;
-    stw(env->seg_cache[R_SS].base + offset, T0);
+    stw(env->segs[R_SS].base + offset, T0);
     /* modify ESP after to handle exceptions correctly */
     ESP = (ESP & ~0xffff) | offset;
 }
@@ -710,22 +721,22 @@ void op_popw_T0(void)
 
 void op_popl_ss32_T0(void)
 {
-    T0 = ldl(env->seg_cache[R_SS].base + ESP);
+    T0 = ldl(env->segs[R_SS].base + ESP);
 }
 
 void op_popw_ss32_T0(void)
 {
-    T0 = lduw(env->seg_cache[R_SS].base + ESP);
+    T0 = lduw(env->segs[R_SS].base + ESP);
 }
 
 void op_popl_ss16_T0(void)
 {
-    T0 = ldl(env->seg_cache[R_SS].base + (ESP & 0xffff));
+    T0 = ldl(env->segs[R_SS].base + (ESP & 0xffff));
 }
 
 void op_popw_ss16_T0(void)
 {
-    T0 = lduw(env->seg_cache[R_SS].base + (ESP & 0xffff));
+    T0 = lduw(env->segs[R_SS].base + (ESP & 0xffff));
 }
 
 void op_addl_ESP_4(void)
@@ -909,17 +920,18 @@ void OPPROTO op_movl_seg_T0(void)
 void OPPROTO op_movl_seg_T0_vm(void)
 {
     int selector;
+    SegmentCache *sc;
     
     selector = T0 & 0xffff;
     /* env->segs[] access */
-    *(uint32_t *)((char *)env + PARAM1) = selector;
-    /* env->seg_cache[] access */
-    ((SegmentCache *)((char *)env + PARAM2))->base = (void *)(selector << 4);
+    sc = (SegmentCache *)((char *)env + PARAM1);
+    sc->selector = selector;
+    sc->base = (void *)(selector << 4);
 }
 
 void OPPROTO op_movl_T0_seg(void)
 {
-    T0 = env->segs[PARAM1];
+    T0 = env->segs[PARAM1].selector;
 }
 
 void OPPROTO op_movl_A0_seg(void)
@@ -942,6 +954,71 @@ void OPPROTO op_lar(void)
     helper_lar();
 }
 
+/* T0: segment, T1:eip */
+void OPPROTO op_ljmp_T0_T1(void)
+{
+    jmp_seg(T0 & 0xffff, T1);
+}
+
+void OPPROTO op_iret_protected(void)
+{
+    helper_iret_protected(PARAM1);
+}
+
+void OPPROTO op_lldt_T0(void)
+{
+    helper_lldt_T0();
+}
+
+void OPPROTO op_ltr_T0(void)
+{
+    helper_ltr_T0();
+}
+
+/* CR registers access */
+void OPPROTO op_movl_crN_T0(void)
+{
+    helper_movl_crN_T0(PARAM1);
+}
+
+/* DR registers access */
+void OPPROTO op_movl_drN_T0(void)
+{
+    helper_movl_drN_T0(PARAM1);
+}
+
+void OPPROTO op_lmsw_T0(void)
+{
+    /* only 4 lower bits of CR0 are modified */
+    T0 = (env->cr[0] & ~0xf) | (T0 & 0xf);
+    helper_movl_crN_T0(0);
+}
+
+void OPPROTO op_invlpg_A0(void)
+{
+    helper_invlpg(A0);
+}
+
+void OPPROTO op_movl_T0_env(void)
+{
+    T0 = *(uint32_t *)((char *)env + PARAM1);
+}
+
+void OPPROTO op_movl_env_T0(void)
+{
+    *(uint32_t *)((char *)env + PARAM1) = T0;
+}
+
+void OPPROTO op_movl_env_T1(void)
+{
+    *(uint32_t *)((char *)env + PARAM1) = T1;
+}
+
+void OPPROTO op_clts(void)
+{
+    env->cr[0] &= ~CR0_TS_MASK;
+}
+
 /* flags handling */
 
 /* slow jumps cases : in order to avoid calling a function with a
@@ -1021,8 +1098,7 @@ void OPPROTO op_set_cc_op(void)
     CC_OP = PARAM1;
 }
 
-#define FL_UPDATE_MASK32 (TF_MASK | AC_MASK | ID_MASK)
-#define FL_UPDATE_MASK16 (TF_MASK)
+#define FL_UPDATE_MASK16 (FL_UPDATE_MASK32 & 0xffff)
 
 void OPPROTO op_movl_eflags_T0(void)
 {
@@ -1031,7 +1107,8 @@ void OPPROTO op_movl_eflags_T0(void)
     CC_SRC = eflags & (CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C);
     DF = 1 - (2 * ((eflags >> 10) & 1));
     /* we also update some system flags as in user mode */
-    env->eflags = (env->eflags & ~FL_UPDATE_MASK32) | (eflags & FL_UPDATE_MASK32);
+    env->eflags = (env->eflags & ~FL_UPDATE_MASK32) | 
+        (eflags & FL_UPDATE_MASK32);
 }
 
 void OPPROTO op_movw_eflags_T0(void)
@@ -1041,7 +1118,18 @@ void OPPROTO op_movw_eflags_T0(void)
     CC_SRC = eflags & (CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C);
     DF = 1 - (2 * ((eflags >> 10) & 1));
     /* we also update some system flags as in user mode */
-    env->eflags = (env->eflags & ~FL_UPDATE_MASK16) | (eflags & FL_UPDATE_MASK16);
+    env->eflags = (env->eflags & ~FL_UPDATE_MASK16) | 
+        (eflags & FL_UPDATE_MASK16);
+}
+
+void OPPROTO op_movl_eflags_T0_cpl0(void)
+{
+    load_eflags(T0, FL_UPDATE_CPL0_MASK);
+}
+
+void OPPROTO op_movw_eflags_T0_cpl0(void)
+{
+    load_eflags(T0, FL_UPDATE_CPL0_MASK & 0xffff);
 }
 
 #if 0

ops_template.h

@@ -828,7 +828,7 @@ void OPPROTO glue(glue(op_bsr, SUFFIX), _T0_cc)(void)
 
 #define STRING_SUFFIX _a32
 #define SI_ADDR (uint8_t *)A0 + ESI
-#define DI_ADDR env->seg_cache[R_ES].base + EDI
+#define DI_ADDR env->segs[R_ES].base + EDI
 #define INC_SI() ESI += inc
 #define INC_DI() EDI += inc
 #define CX ECX
@@ -837,7 +837,7 @@ void OPPROTO glue(glue(op_bsr, SUFFIX), _T0_cc)(void)
 
 #define STRING_SUFFIX _a16
 #define SI_ADDR (uint8_t *)A0 + (ESI & 0xffff)
-#define DI_ADDR env->seg_cache[R_ES].base + (EDI & 0xffff)
+#define DI_ADDR env->segs[R_ES].base + (EDI & 0xffff)
 #define INC_SI() ESI = (ESI & ~0xffff) | ((ESI + inc) & 0xffff)
 #define INC_DI() EDI = (EDI & ~0xffff) | ((EDI + inc) & 0xffff)
 #define CX (ECX & 0xffff)

qemu-doc.texi

@@ -1,51 +1,87 @@
 \input texinfo @c -*- texinfo -*-
 
-@settitle QEMU x86 Emulator Reference Documentation
+@settitle QEMU CPU Emulator Reference Documentation
 @titlepage
 @sp 7
-@center @titlefont{QEMU x86 Emulator Reference Documentation}
+@center @titlefont{QEMU CPU Emulator Reference Documentation}
 @sp 3
 @end titlepage
 
 @chapter Introduction
 
-QEMU is an x86 processor emulator. Its purpose is to run x86 Linux
-processes on non-x86 Linux architectures such as PowerPC. By using
-dynamic translation it achieves a reasonnable speed while being easy to
-port on new host CPUs. Its main goal is to be able to launch the
-@code{Wine} Windows API emulator (@url{http://www.winehq.org}) or
-@code{DOSEMU} (@url{http://www.dosemu.org}) on non-x86 CPUs.
+@section Features
 
-QEMU features:
+QEMU is a FAST! processor emulator. By using dynamic translation it
+achieves a reasonnable speed while being easy to port on new host
+CPUs.
+
+QEMU has two operating modes:
+@itemize
+@item User mode emulation. In this mode, QEMU can launch Linux processes
+compiled for one CPU on another CPU. Linux system calls are converted
+because of endianness and 32/64 bit mismatches. The Wine Windows API
+emulator (@url{http://www.winehq.org}) and the DOSEMU DOS emulator
+(@url{www.dosemu.org}) are the main targets for QEMU.
+
+@item Full system emulation. In this mode, QEMU emulates a full
+system, including a processor and various peripherials. Currently, it
+is only used to launch an x86 Linux kernel on an x86 Linux system. It
+enables easier testing and debugging of system code. It can also be
+used to provide virtual hosting of several virtual PCs on a single
+server.
+
+@end itemize
+
+As QEMU requires no host kernel patches to run, it is very safe and
+easy to use.
+
+QEMU generic features:
 
 @itemize 
 
-@item User space only x86 emulator.
-
-@item Currently ported on i386, PowerPC. Work in progress for S390, Alpha and Sparc.
+@item User space only or full system emulation.
 
 @item Using dynamic translation to native code for reasonnable speed.
 
-@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation. 
-User space LDT and GDT are emulated. VM86 mode is also supported.
+@item Working on x86 and PowerPC hosts. Being tested on ARM, Sparc32, Alpha and S390.
 
+@item Self-modifying code support.
+
+@item Precise exception support.
+
+@item The virtual CPU is a library (@code{libqemu}) which can be used 
+in other projects.
+
+@end itemize
+
+QEMU user mode emulation features:
+@itemize 
 @item Generic Linux system call converter, including most ioctls.
 
 @item clone() emulation using native CPU clone() to use Linux scheduler for threads.
 
-@item Accurate signal handling by remapping host signals to virtual x86 signals. 
+@item Accurate signal handling by remapping host signals to target signals. 
+@end itemize
+@end itemize
 
-@item Precise user space x86 exceptions.
+QEMU full system emulation features:
+@itemize 
+@item Using mmap() system calls to simulate the MMU
+@end itemize
 
-@item Self-modifying code support.
+@section x86 emulation
 
-@item Support of host page sizes bigger than 4KB.
+QEMU x86 target features:
+
+@itemize 
+
+@item The virtual x86 CPU supports 16 bit and 32 bit addressing with segmentation. 
+LDT/GDT and IDT are emulated. VM86 mode is also supported to run DOSEMU.
+
+@item Support of host page sizes bigger than 4KB in user mode emulation.
 
 @item QEMU can emulate itself on x86.
 
-@item The virtual x86 CPU is a library (@code{libqemu}) which can be used 
-in other projects.
-
 @item An extensive Linux x86 CPU test program is included @file{tests/test-i386}. 
 It can be used to test other x86 virtual CPUs.
 
@@ -62,18 +98,43 @@ Current QEMU limitations:
 @item IPC syscalls are missing.
 
 @item The x86 segment limits and access rights are not tested at every 
-memory access (and will never be to have good performances).
+memory access.
 
 @item On non x86 host CPUs, @code{double}s are used instead of the non standard 
 10 byte @code{long double}s of x86 for floating point emulation to get
 maximum performances.
 
+@item Full system emulation only works if no data are mapped above the virtual address 
+0xc0000000 (yet).
+
+@item Some priviledged instructions or behaviors are missing. Only the ones 
+needed for proper Linux kernel operation are emulated.
+
+@item No memory separation between the kernel and the user processes is done. 
+It will be implemented very soon.
+
 @end itemize
 
-@chapter Invocation
+@section ARM emulation
+
+@itemize
+
+@item ARM emulation can currently launch small programs while using the
+generic dynamic code generation architecture of QEMU.
+
+@item No FPU support (yet).
+
+@item No automatic regression testing (yet).
+
+@end itemize
+
+@chapter QEMU User space emulation invocation
 
 @section Quick Start
 
+If you need to compile QEMU, please read the @file{README} which gives
+the related information.
+
 In order to launch a Linux process, QEMU needs the process executable
 itself and all the target (x86) dynamic libraries used by it. 
 
@@ -171,27 +232,188 @@ Activate log (logfile=/tmp/qemu.log)
 Act as if the host page size was 'pagesize' bytes
 @end table
 
+@chapter QEMU System emulator invocation
+
+@section Quick Start
+
+This section explains how to launch a Linux kernel inside QEMU.
+
+@enumerate
+@item
+Download the archive @file{vl-test-xxx.tar.gz} containing a Linux kernel
+and an initrd (initial Ram Disk). The archive also contains a
+precompiled version of @file{vl}, the QEMU System emulator.
+
+@item Optional: If you want network support (for example to launch X11 examples), you
+must copy the script @file{vl-ifup} in @file{/etc} and configure
+properly @code{sudo} so that the command @code{ifconfig} contained in
+@file{vl-ifup} can be executed as root. You must verify that your host
+kernel supports the TUN/TAP network interfaces: the device
+@file{/dev/net/tun} must be present.
+
+When network is enabled, there is a virtual network connection between
+the host kernel and the emulated kernel. The emulated kernel is seen
+from the host kernel at IP address 172.20.0.2 and the host kernel is
+seen from the emulated kernel at IP address 172.20.0.1.
+
+@item Launch @code{vl.sh}. You should have the following output:
+
+@example
+> ./vl.sh 
+connected to host network interface: tun0
+Uncompressing Linux... Ok, booting the kernel.
+Linux version 2.4.20 (bellard@voyager) (gcc version 2.95.2 20000220 (Debian GNU/Linux)) #42 Wed Jun 25 14:16:12 CEST 2003
+BIOS-provided physical RAM map:
+ BIOS-88: 0000000000000000 - 000000000009f000 (usable)
+ BIOS-88: 0000000000100000 - 0000000002000000 (usable)
+32MB LOWMEM available.
+On node 0 totalpages: 8192
+zone(0): 4096 pages.
+zone(1): 4096 pages.
+zone(2): 0 pages.
+Kernel command line: root=/dev/ram ramdisk_size=6144
+Initializing CPU#0
+Detected 501.785 MHz processor.
+Calibrating delay loop... 973.20 BogoMIPS
+Memory: 24776k/32768k available (725k kernel code, 7604k reserved, 151k data, 48k init, 0k highmem)
+Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
+Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
+Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
+Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
+Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
+CPU: Intel Pentium Pro stepping 03
+Checking 'hlt' instruction... OK.
+POSIX conformance testing by UNIFIX
+Linux NET4.0 for Linux 2.4
+Based upon Swansea University Computer Society NET3.039
+Initializing RT netlink socket
+apm: BIOS not found.
+Starting kswapd
+pty: 256 Unix98 ptys configured
+Serial driver version 5.05c (2001-07-08) with no serial options enabled
+ttyS00 at 0x03f8 (irq = 4) is a 16450
+ne.c:v1.10 9/23/94 Donald Becker (becker@scyld.com)
+Last modified Nov 1, 2000 by Paul Gortmaker
+NE*000 ethercard probe at 0x300: 52 54 00 12 34 56
+eth0: NE2000 found at 0x300, using IRQ 9.
+RAMDISK driver initialized: 16 RAM disks of 6144K size 1024 blocksize
+NET4: Linux TCP/IP 1.0 for NET4.0
+IP Protocols: ICMP, UDP, TCP, IGMP
+IP: routing cache hash table of 512 buckets, 4Kbytes
+TCP: Hash tables configured (established 2048 bind 2048)
+NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
+RAMDISK: ext2 filesystem found at block 0
+RAMDISK: Loading 6144 blocks [1 disk] into ram disk... done.
+Freeing initrd memory: 6144k freed
+VFS: Mounted root (ext2 filesystem).
+Freeing unused kernel memory: 48k freed
+sh: can't access tty; job control turned off
+#
+@end example
+
+@item
+Then you can play with the kernel inside the virtual serial console. You
+can launch @code{ls} for example. Type @key{Ctrl-a h} to have an help
+about the keys you can type inside the virtual serial console. In
+particular @key{Ctrl-a b} is the Magic SysRq key.
+
+@item 
+If the network is enabled, launch the script @file{/etc/linuxrc} in the
+emulator (don't forget the leading dot):
+@example
+. /etc/linuxrc
+@end example
+
+Then enable X11 connections on your PC from the emulated Linux: 
+@example
+xhost +172.20.0.2
+@end example
+
+You can now launch @file{xterm} or @file{xlogo} and verify that you have
+a real Virtual Linux system !
+
+@end enumerate
+
+NOTE: the example initrd is a modified version of the one made by Kevin
+Lawton for the plex86 Project (@url{www.plex86.org}).
+
+@section Kernel Compilation
+
+You can use any Linux kernel within QEMU provided it is mapped at
+address 0x90000000 (the default is 0xc0000000). You must modify only two
+lines in the kernel source:
+
+In asm/page.h, replace
+@example
+#define __PAGE_OFFSET           (0xc0000000)
+@end example
+by
+@example
+#define __PAGE_OFFSET           (0x90000000)
+@end example
+
+And in arch/i386/vmlinux.lds, replace
+@example
+  . = 0xc0000000 + 0x100000;
+@end example
+by 
+@example
+  . = 0x90000000 + 0x100000;
+@end example
+
+The file config-2.4.20 gives the configuration of the example kernel.
+
+Just type
+@example
+make bzImage
+@end example
+
+As you would do to make a real kernel. Then you can use with QEMU
+exactly the same kernel as you would boot on your PC (in
+@file{arch/i386/boot/bzImage}).
+
+@section PC Emulation
+
+QEMU emulates the following PC peripherials:
+
+@itemize
+@item
+PIC (interrupt controler)
+@item
+PIT (timers)
+@item 
+CMOS memory
+@item
+Serial port (port=0x3f8, irq=4)
+@item 
+NE2000 network adapter (port=0x300, irq=9)
+@item
+Dumb VGA (to print the @code{uncompressing Linux kernel} message)
+@end itemize
+
 @chapter QEMU Internals
 
 @section QEMU compared to other emulators
 
-Unlike bochs [3], QEMU emulates only a user space x86 CPU. It means that
-you cannot launch an operating system with it. The benefit is that it is
-simpler and faster due to the fact that some of the low level CPU state
-can be ignored (in particular, no virtual memory needs to be emulated).
+Like bochs [3], QEMU emulates an x86 CPU. But QEMU is much faster than
+bochs as it uses dynamic compilation and because it uses the host MMU to
+simulate the x86 MMU. The downside is that currently the emulation is
+not as accurate as bochs (for example, you cannot currently run Windows
+inside QEMU).
 
 Like Valgrind [2], QEMU does user space emulation and dynamic
 translation. Valgrind is mainly a memory debugger while QEMU has no
-support for it (QEMU could be used to detect out of bound memory accesses
-as Valgrind, but it has no support to track uninitialised data as
-Valgrind does). Valgrind dynamic translator generates better code than
-QEMU (in particular it does register allocation) but it is closely tied
-to an x86 host.
+support for it (QEMU could be used to detect out of bound memory
+accesses as Valgrind, but it has no support to track uninitialised data
+as Valgrind does). Valgrind dynamic translator generates better code
+than QEMU (in particular it does register allocation) but it is closely
+tied to an x86 host and target and has no support for precise exception
+and system emulation.
 
-EM86 [4] is the closest project to QEMU (and QEMU still uses some of its
-code, in particular the ELF file loader). EM86 was limited to an alpha
-host and used a proprietary and slow interpreter (the interpreter part
-of the FX!32 Digital Win32 code translator [5]).
+EM86 [4] is the closest project to user space QEMU (and QEMU still uses
+some of its code, in particular the ELF file loader). EM86 was limited
+to an alpha host and used a proprietary and slow interpreter (the
+interpreter part of the FX!32 Digital Win32 code translator [5]).
 
 TWIN [6] is a Windows API emulator like Wine. It is less accurate than
 Wine but includes a protected mode x86 interpreter to launch x86 Windows
@@ -200,11 +422,25 @@ Windows API is executed natively but it is far more difficult to develop
 because all the data structures and function parameters exchanged
 between the API and the x86 code must be converted.
 
+User mode Linux [7] was the only solution before QEMU to launch a Linux
+kernel as a process while not needing any host kernel patches. However,
+user mode Linux requires heavy kernel patches while QEMU accepts
+unpatched Linux kernels. It would be interesting to compare the
+performance of the two approaches.
+
+The new Plex86 [8] PC virtualizer is done in the same spirit as the QEMU
+system emulator. It requires a patched Linux kernel to work (you cannot
+launch the same kernel on your PC), but the patches are really small. As
+it is a PC virtualizer (no emulation is done except for some priveledged
+instructions), it has the potential of being faster than QEMU. The
+downside is that a complicated (and potentially unsafe) kernel patch is
+needed.
+
 @section Portable dynamic translation
 
 QEMU is a dynamic translator. When it first encounters a piece of code,
 it converts it to the host instruction set. Usually dynamic translators
-are very complicated and highly CPU dependant. QEMU uses some tricks
+are very complicated and highly CPU dependent. QEMU uses some tricks
 which make it relatively easily portable and simple while achieving good
 performances.
 
@@ -382,6 +618,16 @@ space conflicts. QEMU solves this problem by being an executable ELF
 shared object as the ld-linux.so ELF interpreter. That way, it can be
 relocated at load time.
 
+@section MMU emulation
+
+For system emulation, QEMU uses the mmap() system call to emulate the
+target CPU MMU. It works as long the emulated OS does not use an area
+reserved by the host OS (such as the area above 0xc0000000 on x86
+Linux).
+
+It is planned to add a slower but more precise MMU emulation
+with a software MMU.
+
 @section Bibliography
 
 @table @asis
@@ -412,18 +658,31 @@ Chernoff and Ray Hookway.
 @url{http://www.willows.com/}, Windows API library emulation from
 Willows Software.
 
+@item [7]
+@url{http://user-mode-linux.sourceforge.net/}, 
+The User-mode Linux Kernel.
+
+@item [8]
+@url{http://www.plex86.org/}, 
+The new Plex86 project.
+
 @end table
 
 @chapter Regression Tests
 
-In the directory @file{tests/}, various interesting x86 testing programs
+In the directory @file{tests/}, various interesting testing programs
 are available. There are used for regression testing.
 
-@section @file{hello}
+@section @file{hello-i386}
 
 Very simple statically linked x86 program, just to test QEMU during a
 port to a new host CPU.
 
+@section @file{hello-arm}
+
+Very simple statically linked ARM program, just to test QEMU during a
+port to a new host CPU.
+
 @section @file{test-i386}
 
 This program executes most of the 16 bit and 32 bit x86 instructions and

tests/.cvsignore

@@ -1,6 +1,6 @@
  gmon.out
  testsig
- hello
+ hello-i386
  hello-arm
  sha1.test.c
  sha1.c

tests/Makefile

@@ -12,9 +12,9 @@ QEMU=../qemu
 
 all: $(TESTS)
 
-hello: hello.c
+hello-i386: hello-i386.c
 	$(CC) -nostdlib $(CFLAGS) -static $(LDFLAGS) -o $@ $<
-	strip hello
+	strip $@
 
 testclone: testclone.c
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<

tests/test-i386-code16.S

@@ -78,3 +78,20 @@ myfunc2:
 
 code16_end:
 
+
+/* other 32 bits tests */
+        .code32
+
+        .globl func_lret32
+func_lret32:
+        movl $0x87654321, %eax
+        lret
+
+        .globl func_iret32
+func_iret32:
+        movl $0xabcd4321, %eax
+        iret
+
+                
+
+        

tests/test-i386.c

@@ -1,6 +1,7 @@
 #define _GNU_SOURCE
 #include <stdlib.h>
 #include <stdio.h>
+#include <string.h>
 #include <inttypes.h>
 #include <math.h>
 #include <signal.h>
@@ -591,7 +592,7 @@ void test_fbcd(double a)
     asm("fld1\n"\
         prefix "fnstenv %1\n"\
         prefix "fldenv %1\n"\
-        : "=t" (res) : "m" (*(env)) : "st");\
+        : "=t" (res) : "m" (*(env)));\
     printf("res=%f\n", res);\
     printf("fpuc=%04x fpus=%04x fptag=%04x\n",\
            (env)->fpuc,\
@@ -601,7 +602,7 @@ void test_fbcd(double a)
     asm("fld1\n"\
         prefix "fnsave %1\n"\
         prefix "frstor %1\n"\
-        : "=t" (res) : "m" (*(env)) : "st");\
+        : "=t" (res) : "m" (*(env)));\
     printf("res=%f\n", res);\
     printf("fpuc=%04x fpus=%04x fptag=%04x\n",\
            (env)->fpuc,\
@@ -937,6 +938,9 @@ void test_code16(void)
     printf("func3() = 0x%08x\n", res);
 }
 
+extern char func_lret32;
+extern char func_iret32;
+
 void test_misc(void)
 {
     char table[256];
@@ -946,6 +950,21 @@ void test_misc(void)
     res = 0x12345678;
     asm ("xlat" : "=a" (res) : "b" (table), "0" (res));
     printf("xlat: EAX=%08x\n", res);
+
+    asm volatile ("pushl %%cs ; call %1" 
+                  : "=a" (res)
+                  : "m" (func_lret32): "memory", "cc");
+    printf("func_lret32=%x\n", res);
+
+    asm volatile ("pushfl ; pushl %%cs ; call %1" 
+                  : "=a" (res)
+                  : "m" (func_iret32): "memory", "cc");
+    printf("func_iret32=%x\n", res);
+
+    /* specific popl test */
+    asm volatile ("pushl $12345432 ; pushl $0x9abcdef ; popl (%%esp) ; popl %0"
+                  : "=g" (res));
+    printf("popl esp=%x\n", res);
 }
 
 uint8_t str_buffer[4096];

translate-arm.c

@@ -655,7 +655,7 @@ static void disas_arm_insn(DisasContext *s)
 /* generate intermediate code in gen_opc_buf and gen_opparam_buf for
    basic block 'tb'. If search_pc is TRUE, also generate PC
    information for each intermediate instruction. */
-int gen_intermediate_code(TranslationBlock *tb, int search_pc)
+static inline int gen_intermediate_code_internal(TranslationBlock *tb, int search_pc)
 {
     DisasContext dc1, *dc = &dc1;
     uint16_t *gen_opc_end;
@@ -717,6 +717,16 @@ int gen_intermediate_code(TranslationBlock *tb, int search_pc)
     return 0;
 }
 
+int gen_intermediate_code(TranslationBlock *tb)
+{
+    return gen_intermediate_code_internal(tb, 0);
+}
+
+int gen_intermediate_code_pc(TranslationBlock *tb)
+{
+    return gen_intermediate_code_internal(tb, 1);
+}
+
 CPUARMState *cpu_arm_init(void)
 {
     CPUARMState *env;

translate-i386.c

@@ -24,11 +24,14 @@
 #include <inttypes.h>
 #include <signal.h>
 #include <assert.h>
+#include <sys/mman.h>
 
 #include "cpu-i386.h"
 #include "exec.h"
 #include "disas.h"
 
+//#define DEBUG_MMU
+
 /* XXX: move that elsewhere */
 static uint16_t *gen_opc_ptr;
 static uint32_t *gen_opparam_ptr;
@@ -59,6 +62,7 @@ typedef struct DisasContext {
     int iopl;
     int tf;     /* TF cpu flag */
     struct TranslationBlock *tb;
+    int popl_esp_hack; /* for correct popl with esp base handling */
 } DisasContext;
 
 /* i386 arith/logic operations */
@@ -575,7 +579,7 @@ static inline void gen_string_ds(DisasContext *s, int ot, GenOpFunc **func)
         if (s->addseg && override < 0)
             override = R_DS;
         if (override >= 0) {
-            gen_op_movl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+            gen_op_movl_A0_seg(offsetof(CPUX86State,segs[override].base));
             index = 3 + ot;
         } else {
             index = ot;
@@ -583,7 +587,7 @@ static inline void gen_string_ds(DisasContext *s, int ot, GenOpFunc **func)
     } else {
         if (override < 0)
             override = R_DS;
-        gen_op_movl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+        gen_op_movl_A0_seg(offsetof(CPUX86State,segs[override].base));
         /* 16 address, always override */
         index = 6 + ot;
     }
@@ -862,12 +866,16 @@ static void gen_lea_modrm(DisasContext *s, int modrm, int *reg_ptr, int *offset_
         }
         
         if (base >= 0) {
+            /* for correct popl handling with esp */
+            if (base == 4 && s->popl_esp_hack)
+                disp += 4;
             gen_op_movl_A0_reg[base]();
             if (disp != 0)
                 gen_op_addl_A0_im(disp);
         } else {
             gen_op_movl_A0_im(disp);
         }
+        /* XXX: index == 4 is always invalid */
         if (havesib && (index != 4 || scale != 0)) {
             gen_op_addl_A0_reg_sN[scale][index]();
         }
@@ -878,7 +886,7 @@ static void gen_lea_modrm(DisasContext *s, int modrm, int *reg_ptr, int *offset_
                 else
                     override = R_DS;
             }
-            gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+            gen_op_addl_A0_seg(offsetof(CPUX86State,segs[override].base));
         }
     } else {
         switch (mod) {
@@ -944,7 +952,7 @@ static void gen_lea_modrm(DisasContext *s, int modrm, int *reg_ptr, int *offset_
                 else
                     override = R_DS;
             }
-            gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+            gen_op_addl_A0_seg(offsetof(CPUX86State,segs[override].base));
         }
     }
 
@@ -1146,8 +1154,7 @@ static void gen_movl_seg_T0(DisasContext *s, int seg_reg, unsigned int cur_eip)
     if (!s->vm86)
         gen_op_movl_seg_T0(seg_reg, cur_eip);
     else
-        gen_op_movl_seg_T0_vm(offsetof(CPUX86State,segs[seg_reg]),
-                              offsetof(CPUX86State,seg_cache[seg_reg].base));
+        gen_op_movl_seg_T0_vm(offsetof(CPUX86State,segs[seg_reg]));
     if (!s->addseg && seg_reg < R_FS)
         s->is_jmp = 2; /* abort translation because the register may
                           have a non zero base */
@@ -1230,7 +1237,7 @@ static void gen_stack_A0(DisasContext *s)
         gen_op_andl_A0_ffff();
     gen_op_movl_T1_A0();
     if (s->addseg)
-        gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[R_SS].base));
+        gen_op_addl_A0_seg(offsetof(CPUX86State,segs[R_SS].base));
 }
 
 /* NOTE: wrap around in 16 bit not fully handled */
@@ -1243,7 +1250,7 @@ static void gen_pusha(DisasContext *s)
         gen_op_andl_A0_ffff();
     gen_op_movl_T1_A0();
     if (s->addseg)
-        gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[R_SS].base));
+        gen_op_addl_A0_seg(offsetof(CPUX86State,segs[R_SS].base));
     for(i = 0;i < 8; i++) {
         gen_op_mov_TN_reg[OT_LONG][0][7 - i]();
         gen_op_st_T0_A0[OT_WORD + s->dflag]();
@@ -1262,7 +1269,7 @@ static void gen_popa(DisasContext *s)
     gen_op_movl_T1_A0();
     gen_op_addl_T1_im(16 <<  s->dflag);
     if (s->addseg)
-        gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[R_SS].base));
+        gen_op_addl_A0_seg(offsetof(CPUX86State,segs[R_SS].base));
     for(i = 0;i < 8; i++) {
         /* ESP is not reloaded */
         if (i != 3) {
@@ -1291,7 +1298,7 @@ static void gen_enter(DisasContext *s, int esp_addend, int level)
         gen_op_andl_A0_ffff();
     gen_op_movl_T1_A0();
     if (s->addseg)
-        gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[R_SS].base));
+        gen_op_addl_A0_seg(offsetof(CPUX86State,segs[R_SS].base));
     /* push bp */
     gen_op_mov_TN_reg[OT_LONG][0][R_EBP]();
     gen_op_st_T0_A0[ot]();
@@ -1714,9 +1721,15 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
             gen_op_ld_T1_A0[ot]();
             gen_op_addl_A0_im(1 << (ot - OT_WORD + 1));
             gen_op_lduw_T0_A0();
-            gen_movl_seg_T0(s, R_CS, pc_start - s->cs_base);
+            if (!s->vm86) {
+                /* we compute EIP to handle the exception case */
+                gen_op_jmp_im(pc_start - s->cs_base);
+                gen_op_ljmp_T0_T1();
+            } else {
+                gen_op_movl_seg_T0_vm(offsetof(CPUX86State,segs[R_CS]));
                 gen_op_movl_T0_T1();
                 gen_op_jmp_T0();
+            }
             s->is_jmp = 1;
             break;
         case 6: /* push Ev */
@@ -1889,7 +1902,9 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
         ot = dflag ? OT_LONG : OT_WORD;
         modrm = ldub(s->pc++);
         gen_pop_T0(s);
+        s->popl_esp_hack = 1;
         gen_ldst_modrm(s, modrm, ot, OR_TMP0, 1);
+        s->popl_esp_hack = 0;
         gen_pop_update(s);
         break;
     case 0xc8: /* enter */
@@ -2085,7 +2100,7 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
                 override = R_DS;
             }
             if (must_add_seg) {
-                gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+                gen_op_addl_A0_seg(offsetof(CPUX86State,segs[override].base));
             }
         }
         if ((b & 2) == 0) {
@@ -2113,7 +2128,7 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
                 override = R_DS;
             }
             if (must_add_seg) {
-                gen_op_addl_A0_seg(offsetof(CPUX86State,seg_cache[override].base));
+                gen_op_addl_A0_seg(offsetof(CPUX86State,segs[override].base));
             }
         }
         gen_op_ldub_T0_A0();
@@ -2619,12 +2634,18 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
                 break;
             case 0x1c:
                 switch(rm) {
+                case 0: /* feni (287 only, just do nop here) */
+                    break;
+                case 1: /* fdisi (287 only, just do nop here) */
+                    break;
                 case 2: /* fclex */
                     gen_op_fclex();
                     break;
                 case 3: /* fninit */
                     gen_op_fninit();
                     break;
+                case 4: /* fsetpm (287 only, just do nop here) */
+                    break;
                 default:
                     goto illegal_op;
                 }
@@ -2929,29 +2950,10 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
         if (s->vm86 && s->iopl != 3) {
             gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
         } else {
-            /* XXX: not restartable */
-            gen_stack_A0(s);
-            /* pop offset */
-            gen_op_ld_T0_A0[1 + s->dflag]();
-            if (s->dflag == 0)
-                gen_op_andl_T0_ffff();
-            /* NOTE: keeping EIP updated is not a problem in case of
-               exception */
-            gen_op_jmp_T0(); 
-            /* pop selector */
-            gen_op_addl_A0_im(2 << s->dflag);
-            gen_op_ld_T0_A0[1 + s->dflag]();
-            /* pop eflags */
-            gen_op_addl_A0_im(2 << s->dflag);
-            gen_op_ld_T1_A0[1 + s->dflag]();
-            gen_movl_seg_T0(s, R_CS, pc_start - s->cs_base);
-            gen_op_movl_T0_T1();
-            if (s->dflag) {
-                gen_op_movl_eflags_T0();
-            } else {
-                gen_op_movw_eflags_T0();
-            }
-            gen_stack_update(s, (6 << s->dflag));
+            if (s->cc_op != CC_OP_DYNAMIC)
+                gen_op_set_cc_op(s->cc_op);
+            gen_op_jmp_im(pc_start - s->cs_base);
+            gen_op_iret_protected(s->dflag);
             s->cc_op = CC_OP_EFLAGS;
         }
         s->is_jmp = 1;
@@ -3011,8 +3013,15 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
             
             /* change cs and pc */
             gen_op_movl_T0_im(selector);
-            gen_movl_seg_T0(s, R_CS, pc_start - s->cs_base);
+            if (!s->vm86) {
+                /* we compute EIP to handle the exception case */
+                gen_op_jmp_im(pc_start - s->cs_base);
+                gen_op_movl_T1_im(offset);
+                gen_op_ljmp_T0_T1();
+            } else {
+                gen_op_movl_seg_T0_vm(offsetof(CPUX86State,segs[R_CS]));
                 gen_op_jmp_im((unsigned long)offset);
+            }
             s->is_jmp = 1;
         }
         break;
@@ -3078,11 +3087,19 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
             gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
         } else {
             gen_pop_T0(s);
+            if (s->cpl == 0) {
+                if (s->dflag) {
+                    gen_op_movl_eflags_T0_cpl0();
+                } else {
+                    gen_op_movw_eflags_T0_cpl0();
+                }
+            } else {
                 if (s->dflag) {
                     gen_op_movl_eflags_T0();
                 } else {
                     gen_op_movw_eflags_T0();
                 }
+            }
             gen_pop_update(s);
             s->cc_op = CC_OP_EFLAGS;
             s->is_jmp = 2; /* abort translation because TF flag may change */
@@ -3340,8 +3357,130 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
         gen_op_cpuid();
         break;
     case 0xf4: /* hlt */
-        /* XXX: if cpl == 0, then should do something else */
+        if (s->cpl != 0) {
             gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+        } else {
+            if (s->cc_op != CC_OP_DYNAMIC)
+                gen_op_set_cc_op(s->cc_op);
+            gen_op_jmp_im(s->pc - s->cs_base);
+            gen_op_hlt();
+            s->is_jmp = 1;
+        }
+        break;
+    case 0x100:
+        modrm = ldub(s->pc++);
+        mod = (modrm >> 6) & 3;
+        op = (modrm >> 3) & 7;
+        switch(op) {
+        case 0: /* sldt */
+            gen_op_movl_T0_env(offsetof(CPUX86State,ldt.selector));
+            ot = OT_WORD;
+            if (mod == 3)
+                ot += s->dflag;
+            gen_ldst_modrm(s, modrm, ot, OR_TMP0, 1);
+            break;
+        case 2: /* lldt */
+            if (s->cpl != 0) {
+                gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+            } else {
+                gen_ldst_modrm(s, modrm, OT_WORD, OR_TMP0, 0);
+                gen_op_jmp_im(pc_start - s->cs_base);
+                gen_op_lldt_T0();
+            }
+            break;
+        case 1: /* str */
+            gen_op_movl_T0_env(offsetof(CPUX86State,tr.selector));
+            ot = OT_WORD;
+            if (mod == 3)
+                ot += s->dflag;
+            gen_ldst_modrm(s, modrm, ot, OR_TMP0, 1);
+            break;
+        case 3: /* ltr */
+            if (s->cpl != 0) {
+                gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+            } else {
+                gen_ldst_modrm(s, modrm, OT_WORD, OR_TMP0, 0);
+                gen_op_jmp_im(pc_start - s->cs_base);
+                gen_op_ltr_T0();
+            }
+            break;
+        case 4: /* verr */
+        case 5: /* verw */
+        default:
+            goto illegal_op;
+        }
+        break;
+    case 0x101:
+        modrm = ldub(s->pc++);
+        mod = (modrm >> 6) & 3;
+        op = (modrm >> 3) & 7;
+        switch(op) {
+        case 0: /* sgdt */
+        case 1: /* sidt */
+            if (mod == 3)
+                goto illegal_op;
+            gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
+            if (op == 0)
+                gen_op_movl_T0_env(offsetof(CPUX86State,gdt.limit));
+            else
+                gen_op_movl_T0_env(offsetof(CPUX86State,idt.limit));
+            gen_op_stw_T0_A0();
+            gen_op_addl_A0_im(2);
+            if (op == 0)
+                gen_op_movl_T0_env(offsetof(CPUX86State,gdt.base));
+            else
+                gen_op_movl_T0_env(offsetof(CPUX86State,idt.base));
+            if (!s->dflag)
+                gen_op_andl_T0_im(0xffffff);
+            gen_op_stl_T0_A0();
+            break;
+        case 2: /* lgdt */
+        case 3: /* lidt */
+            if (mod == 3)
+                goto illegal_op;
+            if (s->cpl != 0) {
+                gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+            } else {
+                gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
+                gen_op_lduw_T1_A0();
+                gen_op_addl_A0_im(2);
+                gen_op_ldl_T0_A0();
+                if (!s->dflag)
+                    gen_op_andl_T0_im(0xffffff);
+                if (op == 2) {
+                    gen_op_movl_env_T0(offsetof(CPUX86State,gdt.base));
+                    gen_op_movl_env_T1(offsetof(CPUX86State,gdt.limit));
+                } else {
+                    gen_op_movl_env_T0(offsetof(CPUX86State,idt.base));
+                    gen_op_movl_env_T1(offsetof(CPUX86State,idt.limit));
+                }
+            }
+            break;
+        case 4: /* smsw */
+            gen_op_movl_T0_env(offsetof(CPUX86State,cr[0]));
+            gen_ldst_modrm(s, modrm, OT_WORD, OR_TMP0, 1);
+            break;
+        case 6: /* lmsw */
+            if (s->cpl != 0) {
+                gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+            } else {
+                gen_ldst_modrm(s, modrm, OT_WORD, OR_TMP0, 0);
+                gen_op_lmsw_T0();
+            }
+            break;
+        case 7: /* invlpg */
+            if (s->cpl != 0) {
+                gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+            } else {
+                if (mod == 3)
+                    goto illegal_op;
+                gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
+                gen_op_invlpg_A0();
+            }
+            break;
+        default:
+            goto illegal_op;
+        }
         break;
     case 0x102: /* lar */
     case 0x103: /* lsl */
@@ -3361,6 +3500,83 @@ long disas_insn(DisasContext *s, uint8_t *pc_start)
         s->cc_op = CC_OP_EFLAGS;
         gen_op_mov_reg_T1[ot][reg]();
         break;
+    case 0x118:
+        modrm = ldub(s->pc++);
+        mod = (modrm >> 6) & 3;
+        op = (modrm >> 3) & 7;
+        switch(op) {
+        case 0: /* prefetchnta */
+        case 1: /* prefetchnt0 */
+        case 2: /* prefetchnt0 */
+        case 3: /* prefetchnt0 */
+            if (mod == 3)
+                goto illegal_op;
+            gen_lea_modrm(s, modrm, &reg_addr, &offset_addr);
+            /* nothing more to do */
+            break;
+        default:
+            goto illegal_op;
+        }
+        break;
+    case 0x120: /* mov reg, crN */
+    case 0x122: /* mov crN, reg */
+        if (s->cpl != 0) {
+            gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+        } else {
+            modrm = ldub(s->pc++);
+            if ((modrm & 0xc0) != 0xc0)
+                goto illegal_op;
+            rm = modrm & 7;
+            reg = (modrm >> 3) & 7;
+            switch(reg) {
+            case 0:
+            case 2:
+            case 3:
+            case 4:
+                if (b & 2) {
+                    gen_op_mov_TN_reg[OT_LONG][0][rm]();
+                    gen_op_movl_crN_T0(reg);
+                    s->is_jmp = 2;
+                } else {
+                    gen_op_movl_T0_env(offsetof(CPUX86State,cr[reg]));
+                    gen_op_mov_reg_T0[OT_LONG][rm]();
+                }
+                break;
+            default:
+                goto illegal_op;
+            }
+        }
+        break;
+    case 0x121: /* mov reg, drN */
+    case 0x123: /* mov drN, reg */
+        if (s->cpl != 0) {
+            gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+        } else {
+            modrm = ldub(s->pc++);
+            if ((modrm & 0xc0) != 0xc0)
+                goto illegal_op;
+            rm = modrm & 7;
+            reg = (modrm >> 3) & 7;
+            /* XXX: do it dynamically with CR4.DE bit */
+            if (reg == 4 || reg == 5)
+                goto illegal_op;
+            if (b & 2) {
+                gen_op_mov_TN_reg[OT_LONG][0][rm]();
+                gen_op_movl_drN_T0(reg);
+                s->is_jmp = 2;
+            } else {
+                gen_op_movl_T0_env(offsetof(CPUX86State,dr[reg]));
+                gen_op_mov_reg_T0[OT_LONG][rm]();
+            }
+        }
+        break;
+    case 0x106: /* clts */
+        if (s->cpl != 0) {
+            gen_exception(s, EXCP0D_GPF, pc_start - s->cs_base);
+        } else {
+            gen_op_clts();
+        }
+        break;
     default:
         goto illegal_op;
     }
@@ -3666,7 +3882,7 @@ static void optimize_flags(uint16_t *opc_buf, int opc_buf_len)
 /* generate intermediate code in gen_opc_buf and gen_opparam_buf for
    basic block 'tb'. If search_pc is TRUE, also generate PC
    information for each intermediate instruction. */
-int gen_intermediate_code(TranslationBlock *tb, int search_pc)
+static inline int gen_intermediate_code_internal(TranslationBlock *tb, int search_pc)
 {
     DisasContext dc1, *dc = &dc1;
     uint8_t *pc_ptr;
@@ -3692,6 +3908,7 @@ int gen_intermediate_code(TranslationBlock *tb, int search_pc)
     dc->cc_op = CC_OP_DYNAMIC;
     dc->cs_base = cs_base;
     dc->tb = tb;
+    dc->popl_esp_hack = 0;
     
     gen_opc_ptr = gen_opc_buf;
     gen_opc_end = gen_opc_buf + OPC_MAX_SIZE;
@@ -3708,6 +3925,7 @@ int gen_intermediate_code(TranslationBlock *tb, int search_pc)
                 while (lj < j)
                     gen_opc_instr_start[lj++] = 0;
                 gen_opc_pc[lj] = (uint32_t)pc_ptr;
+                gen_opc_cc_op[lj] = dc->cc_op;
                 gen_opc_instr_start[lj] = 1;
             }
         }
@@ -3774,6 +3992,16 @@ int gen_intermediate_code(TranslationBlock *tb, int search_pc)
     return 0;
 }
 
+int gen_intermediate_code(TranslationBlock *tb)
+{
+    return gen_intermediate_code_internal(tb, 0);
+}
+
+int gen_intermediate_code_pc(TranslationBlock *tb)
+{
+    return gen_intermediate_code_internal(tb, 1);
+}
+
 CPUX86State *cpu_x86_init(void)
 {
     CPUX86State *env;
@@ -3806,6 +4034,208 @@ void cpu_x86_close(CPUX86State *env)
     free(env);
 }
 
+/***********************************************************/
+/* x86 mmu */
+/* XXX: add PGE support */
+
+/* called when cr3 or PG bit are modified */
+static int last_pg_state = -1;
+int phys_ram_size;
+int phys_ram_fd;
+uint8_t *phys_ram_base;
+
+void cpu_x86_update_cr0(CPUX86State *env)
+{
+    int pg_state;
+    void *map_addr;
+
+#ifdef DEBUG_MMU
+    printf("CR0 update: CR0=0x%08x\n", env->cr[0]);
+#endif
+    pg_state = env->cr[0] & CR0_PG_MASK;
+    if (pg_state != last_pg_state) {
+        if (!pg_state) {
+            /* we map the physical memory at address 0 */
+            
+            map_addr = mmap((void *)0, phys_ram_size, PROT_WRITE | PROT_READ, 
+                            MAP_SHARED | MAP_FIXED, phys_ram_fd, 0);
+            if (map_addr == MAP_FAILED) {
+                fprintf(stderr, 
+                        "Could not map physical memory at host address 0x%08x\n",
+                        0);
+                exit(1);
+            }
+            page_set_flags(0, phys_ram_size, 
+                           PAGE_VALID | PAGE_READ | PAGE_WRITE | PAGE_EXEC);
+        } else {
+            /* we unmap the physical memory */
+            munmap((void *)0, phys_ram_size);
+            page_set_flags(0, phys_ram_size, 0);
+        }
+        last_pg_state = pg_state;
+    }
+}
+
+void cpu_x86_update_cr3(CPUX86State *env)
+{
+    if (env->cr[0] & CR0_PG_MASK) {
+#ifdef DEBUG_MMU
+        printf("CR3 update: CR3=%08x\n", env->cr[3]);
+#endif
+        page_unmap();
+    }
+}
+
+void cpu_x86_init_mmu(CPUX86State *env)
+{
+    last_pg_state = -1;
+    cpu_x86_update_cr0(env);
+}
+
+/* XXX: also flush 4MB pages */
+void cpu_x86_flush_tlb(CPUX86State *env, uint32_t addr)
+{
+    int flags;
+    unsigned long virt_addr;
+
+    flags = page_get_flags(addr);
+    if (flags & PAGE_VALID) {
+        virt_addr = addr & ~0xfff;
+        munmap((void *)virt_addr, 4096);
+        page_set_flags(virt_addr, virt_addr + 4096, 0);
+    }
+}
+
+/* return value:
+   -1 = cannot handle fault 
+   0  = nothing more to do 
+   1  = generate PF fault
+*/
+int cpu_x86_handle_mmu_fault(CPUX86State *env, uint32_t addr, int is_write)
+{
+    uint8_t *pde_ptr, *pte_ptr;
+    uint32_t pde, pte, virt_addr;
+    int cpl, error_code, is_dirty, is_user, prot, page_size;
+    void *map_addr;
+
+    cpl = env->segs[R_CS].selector & 3;
+    is_user = (cpl == 3);
+    
+#ifdef DEBUG_MMU
+    printf("MMU fault: addr=0x%08x w=%d u=%d eip=%08x\n", 
+           addr, is_write, is_user, env->eip);
+#endif
+
+    if (env->user_mode_only) {
+        /* user mode only emulation */
+        error_code = 0;
+        goto do_fault;
+    }
+
+    if (!(env->cr[0] & CR0_PG_MASK))
+        return -1;
+
+    /* page directory entry */
+    pde_ptr = phys_ram_base + ((env->cr[3] & ~0xfff) + ((addr >> 20) & ~3));
+    pde = ldl(pde_ptr);
+    if (!(pde & PG_PRESENT_MASK)) {
+        error_code = 0;
+        goto do_fault;
+    }
+    if (is_user) {
+        if (!(pde & PG_USER_MASK))
+            goto do_fault_protect;
+        if (is_write && !(pde & PG_RW_MASK))
+            goto do_fault_protect;
+    } else {
+        if ((env->cr[0] & CR0_WP_MASK) && (pde & PG_USER_MASK) &&
+            is_write && !(pde & PG_RW_MASK)) 
+            goto do_fault_protect;
+    }
+    /* if PSE bit is set, then we use a 4MB page */
+    if ((pde & PG_PSE_MASK) && (env->cr[4] & CR4_PSE_MASK)) {
+        is_dirty = is_write && !(pde & PG_DIRTY_MASK);
+        if (!(pde & PG_ACCESSED_MASK)) {
+            pde |= PG_ACCESSED_MASK;
+            if (is_dirty)
+                pde |= PG_DIRTY_MASK;
+            stl(pde_ptr, pde);
+        }
+        
+        pte = pde & ~0x003ff000; /* align to 4MB */
+        page_size = 4096 * 1024;
+        virt_addr = addr & ~0x003fffff;
+    } else {
+        if (!(pde & PG_ACCESSED_MASK)) {
+            pde |= PG_ACCESSED_MASK;
+            stl(pde_ptr, pde);
+        }
+
+        /* page directory entry */
+        pte_ptr = phys_ram_base + ((pde & ~0xfff) + ((addr >> 10) & 0xffc));
+        pte = ldl(pte_ptr);
+        if (!(pte & PG_PRESENT_MASK)) {
+            error_code = 0;
+            goto do_fault;
+        }
+        if (is_user) {
+            if (!(pte & PG_USER_MASK))
+                goto do_fault_protect;
+            if (is_write && !(pte & PG_RW_MASK))
+                goto do_fault_protect;
+        } else {
+            if ((env->cr[0] & CR0_WP_MASK) && (pte & PG_USER_MASK) &&
+                is_write && !(pte & PG_RW_MASK)) 
+                goto do_fault_protect;
+        }
+        is_dirty = is_write && !(pte & PG_DIRTY_MASK);
+        if (!(pte & PG_ACCESSED_MASK) || is_dirty) {
+            pte |= PG_ACCESSED_MASK;
+            if (is_dirty)
+                pte |= PG_DIRTY_MASK;
+            stl(pte_ptr, pte);
+        }
+        page_size = 4096;
+        virt_addr = addr & ~0xfff;
+    }
+    /* the page can be put in the TLB */
+    prot = PROT_READ;
+    if (is_user) {
+        if (pte & PG_RW_MASK)
+            prot |= PROT_WRITE;
+    } else {
+        if (!(env->cr[0] & CR0_WP_MASK) || !(pte & PG_USER_MASK) ||
+            (pte & PG_RW_MASK))
+            prot |= PROT_WRITE;
+    }
+    map_addr = mmap((void *)virt_addr, page_size, prot, 
+                    MAP_SHARED | MAP_FIXED, phys_ram_fd, pte & ~0xfff);
+    if (map_addr == MAP_FAILED) {
+        fprintf(stderr, 
+                "mmap failed when mapped physical address 0x%08x to virtual address 0x%08x\n",
+                pte & ~0xfff, virt_addr);
+        exit(1);
+    }
+    page_set_flags(virt_addr, virt_addr + page_size, 
+                   PAGE_VALID | PAGE_EXEC | prot);
+#ifdef DEBUG_MMU
+    printf("mmaping 0x%08x to virt 0x%08x pse=%d\n", 
+           pte & ~0xfff, virt_addr, (page_size != 4096));
+#endif
+    return 0;
+ do_fault_protect:
+    error_code = PG_ERROR_P_MASK;
+ do_fault:
+    env->cr[2] = addr;
+    env->error_code = (is_write << PG_ERROR_W_BIT) | error_code;
+    if (is_user)
+        env->error_code |= PG_ERROR_U_MASK;
+    return 1;
+}
+
+/***********************************************************/
+/* x86 debug */
+
 static const char *cc_op_str[] = {
     "DYNAMIC",
     "EFLAGS",
@@ -3859,12 +4289,12 @@ void cpu_x86_dump_state(CPUX86State *env, FILE *f, int flags)
             eflags & CC_P ? 'P' : '-',
             eflags & CC_C ? 'C' : '-');
     fprintf(f, "CS=%04x SS=%04x DS=%04x ES=%04x FS=%04x GS=%04x\n",
-            env->segs[R_CS],
-            env->segs[R_SS],
-            env->segs[R_DS],
-            env->segs[R_ES],
-            env->segs[R_FS],
-            env->segs[R_GS]);
+            env->segs[R_CS].selector,
+            env->segs[R_SS].selector,
+            env->segs[R_DS].selector,
+            env->segs[R_ES].selector,
+            env->segs[R_FS].selector,
+            env->segs[R_GS].selector);
     if (flags & X86_DUMP_CCOP) {
         if ((unsigned)env->cc_op < CC_OP_NB)
             strcpy(cc_op_name, cc_op_str[env->cc_op]);

translate.c

@@ -24,37 +24,55 @@
 #include <inttypes.h>
 
 #include "config.h"
+
 #define IN_OP_I386
-#include "cpu-" TARGET_ARCH ".h"
+#if defined(TARGET_I386)
+#include "cpu-i386.h"
+#define OPC_CPU_H "opc-i386.h"
+#elif defined(TARGET_ARM)
+#include "cpu-arm.h"
+#define OPC_CPU_H "opc-arm.h"
+#else
+#error unsupported target CPU
+#endif
+
 #include "exec.h"
 #include "disas.h"
 
 enum {
 #define DEF(s, n, copy_size) INDEX_op_ ## s,
-#include "opc-" TARGET_ARCH ".h"
+#include OPC_CPU_H
 #undef DEF
     NB_OPS,
 };
 
 #include "dyngen.h"
-#include "op-" TARGET_ARCH ".h"
+#if defined(TARGET_I386)
+#include "op-i386.h"
+#elif defined(TARGET_ARM)
+#include "op-arm.h"
+#else
+#error unsupported target CPU
+#endif
 
 uint16_t gen_opc_buf[OPC_BUF_SIZE];
 uint32_t gen_opparam_buf[OPPARAM_BUF_SIZE];
 uint32_t gen_opc_pc[OPC_BUF_SIZE];
 uint8_t gen_opc_instr_start[OPC_BUF_SIZE];
-
+#if defined(TARGET_I386)
+uint8_t gen_opc_cc_op[OPC_BUF_SIZE];
+#endif
 
 #ifdef DEBUG_DISAS
 static const char *op_str[] = {
 #define DEF(s, n, copy_size) #s,
-#include "opc-" TARGET_ARCH ".h"
+#include OPC_CPU_H
 #undef DEF
 };
 
 static uint8_t op_nb_args[] = {
 #define DEF(s, n, copy_size) n,
-#include "opc-" TARGET_ARCH ".h"
+#include OPC_CPU_H
 #undef DEF
 };
 
@@ -95,7 +113,7 @@ int cpu_gen_code(TranslationBlock *tb,
     uint8_t *gen_code_buf;
     int gen_code_size;
 
-    if (gen_intermediate_code(tb, 0) < 0)
+    if (gen_intermediate_code(tb) < 0)
         return -1;
 
     /* generate machine code */
@@ -123,22 +141,20 @@ int cpu_gen_code(TranslationBlock *tb,
 
 static const unsigned short opc_copy_size[] = {
 #define DEF(s, n, copy_size) copy_size,
-#include "opc-" TARGET_ARCH ".h"
+#include OPC_CPU_H
 #undef DEF
 };
 
-/* The simulated PC corresponding to
-   'searched_pc' in the generated code is searched. 0 is returned if
-   found. *found_pc contains the found PC. 
+/* The cpu state corresponding to 'searched_pc' is restored. 
  */
-int cpu_search_pc(TranslationBlock *tb, 
-                  uint32_t *found_pc, unsigned long searched_pc)
+int cpu_restore_state(TranslationBlock *tb, 
+                      CPUState *env, unsigned long searched_pc)
 {
     int j, c;
     unsigned long tc_ptr;
     uint16_t *opc_ptr;
 
-    if (gen_intermediate_code(tb, 1) < 0)
+    if (gen_intermediate_code_pc(tb) < 0)
         return -1;
     
     /* find opc index corresponding to search_pc */
@@ -160,7 +176,18 @@ int cpu_search_pc(TranslationBlock *tb,
     /* now find start of instruction before */
     while (gen_opc_instr_start[j] == 0)
         j--;
-    *found_pc = gen_opc_pc[j];
+#if defined(TARGET_I386)
+    {
+        int cc_op;
+        
+        env->eip = gen_opc_pc[j] - tb->cs_base;
+        cc_op = gen_opc_cc_op[j];
+        if (cc_op != CC_OP_DYNAMIC)
+            env->cc_op = cc_op;
+    }
+#elif defined(TARGET_ARM)
+    env->regs[15] = gen_opc_pc[j];
+#endif
     return 0;
 }