The current code for translating FXSAVE area into FSAVE-alike struct for PT_GETFPREGS on i386 is oversimplifying the translation of FPU Tag Word (.en_tw). The code maps all non-empty registers into 00 (i.e. normalized value) without distinguishing between normalized values, zeroes and specials like FSAVE does. Simple reproducer (works with -m32 on amd64): #include <assert.h> #include <pthread.h> #include <signal.h> #include <stdio.h> #include <unistd.h> #include <sys/ptrace.h> #include <sys/wait.h> #include <machine/reg.h> int main() { int ret; int pid = fork(); assert(pid != -1); if (pid == 0) { int i; pthread_t t2, t3; ret = ptrace(PT_TRACE_ME, 0, NULL, 0); assert(ret != -1); __asm__ __volatile__ ( "finit\n\t" "fldz\n\t" "fld1\n\t" "fdiv %st(1),%st(0) \n\t" "fld1\n\t" "int3\n\t" ); return 0; } pid_t waited = waitpid(pid, &ret, 0); assert(waited == pid); printf("wait: %d\n", ret); struct fpreg fpr; ret = ptrace(PT_GETFPREGS, pid, &fpr, 0); assert (ret == 0); printf("ftw = 0x%04x\n", fpr.fpr_env[2]); ret = ptrace(PT_CONTINUE, pid, (void*)1, 0); assert(ret == 0); waited = waitpid(pid, &ret, 0); assert(waited == pid); printf("wait: %d\n", ret); return 0; }
Created attachment 218882 [details] Proposed patch Here's a patch based on the similar problem fixed on NetBSD. Without the patch, the test program outputs 0x03ff, i.e.: 0000 0011 1111 1111 With the patch, it outputs 0x63ff: 0110 0011 1111 1111 Please note that I've only been able to test the compat32 version on amd64. FreeBSD/i386 does not seem to boot on qemu for me.
It was deliberate decision when I did r320308. Can you explain why more precise translation from abridged to compat tags is important ? Reasoning for not doing it was that Intel was fine with such limited reporting in HW, so why we should care ? Please put the patch into phab, https://reviews.freebsd.org/differential.
> Can you explain why more precise translation from abridged to compat tags is > important ? Reasoning for not doing it was that Intel was fine with such > limited reporting in HW, so why we should care ? I'm not saying it's important. I'm going to correctness. One place where this bit me are tests. It's better to have them rely on the correct value. > Please put the patch into phab, https://reviews.freebsd.org/differential. I've managed to boot i386. I'll do that once I test the patch there.
A commit references this bug: Author: kib Date: Wed Oct 21 00:15:13 UTC 2020 New revision: 366904 URL: https://svnweb.freebsd.org/changeset/base/366904 Log: Improve FPU Tag Word reconstruction on i386 to indicate register states. Improve the code reconstructing en_tw in struct fpreg32 from FXSAVE results so that all register states are indicated correctly. The previous code unconditionally mapped non-empty register state to 'normalized value' constant. The new code explicitly distinguishes the 'zero value' and 'special value' constants as well. This improves consistency between real FSAVE and translation from FXSAVE, and ensures that tests using PT_GETFPREGS can rely on a single correct value independently of the underlying implementation. PR: 250454 Sponsored by: The FreeBSD Foundation Obtained from: Moritz Systems Submitted by: Micha? G?rny <mgorny@moritz.systems> Discussed with: emaste MFC after: 1 week Differential revision: https://reviews.freebsd.org/D26856 Changes: head/sys/amd64/ia32/ia32_reg.c head/sys/i386/i386/npx.c
A commit references this bug: Author: kib Date: Wed Oct 28 21:01:01 UTC 2020 New revision: 367115 URL: https://svnweb.freebsd.org/changeset/base/367115 Log: MFC r366904: Improve FPU Tag Word reconstruction on i386 to indicate register states. PR: 250454 Changes: _U stable/12/ stable/12/sys/amd64/ia32/ia32_reg.c stable/12/sys/i386/i386/npx.c