qemu-devel

[Qemu-devel] Modify TLB entry


From: Tommy Huang
Subject: [Qemu-devel] Modify TLB entry
Date: Sun, 5 Jul 2009 22:03:46 -0700

Hi All,

I was trying to redirect the instruction fetch to a different page.
The way I used is to modify the TLB entry. The following is the code I extracted from the SecureQEMU project.
The code is inside a function which is called by "gen_intermediate_code".

/* cte[] maps a guest code page to the host address it should be fetched from;
 * a zero entry means "no redirection for this page". */
if ((pte1 = cte[env->eip >> TARGET_PAGE_BITS])) {

         /* Make sure the soft-MMU entries for the current and next page are valid
          * before touching them (is_write = 0, is_user = 1, is_softmmu = 1). */
         cpu_x86_handle_mmu_fault(env, env->eip, 0, 1, 1);
         cpu_x86_handle_mmu_fault(env, env->eip + TARGET_PAGE_SIZE, 0, 1, 1);

         //Poison TLB Cache (Current Page + next page if needed)
         /* host_ptr = vaddr + addend, so a new addend redirects every fetch from this page. */
         index1 = (env->eip >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
         temp_addend1 = env->tlb_table[1][index1].addend;
         env->tlb_table[1][index1].addend = (pte1 - (env->eip & TARGET_PAGE_MASK));

         /* Next page: the save/poison of index2 was missing from the excerpt and is
          * restored here; pte2 is assumed to be the redirection for eip + TARGET_PAGE_SIZE. */
         index2 = ((env->eip + TARGET_PAGE_SIZE) >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
         temp_addend2 = env->tlb_table[1][index2].addend;
         if (pte2)
            env->tlb_table[1][index2].addend = (pte2 - ((env->eip + TARGET_PAGE_SIZE) & TARGET_PAGE_MASK));

         ret = gen_intermediate_code_internal(env, tb, search_pc);

         //Unpoison the TLB
         env->tlb_table[1][index1].addend = temp_addend1;
         if (pte2)
            env->tlb_table[1][index2].addend = temp_addend2;

         ...
}

In my case, it still fetches code from the original page instead of pte1. I am sure control flow really entered this if block.
Poisoning the TLB does not seem to work for me. What is wrong here? I was wondering if the soft MMU is not turned on here, so it never uses the tlb_table.
BTW, I use qemu 0.9.0, a pretty old version, for compatibility.
Any hint or suggestion is appreciated. Thanks in advance.

Regards,
Tommy
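The following is an added example, not code from the post, from SecureQEMU or from QEMU itself. It is a toy model of the software-TLB fast path that QEMU's code-fetch helpers use (compare the page tag, then compute host pointer = vaddr + addend, refilling the entry on a miss), with the poisoning from the excerpt applied to it. The model assumes an identity guest mapping, a 16-page guest RAM, and that the fetch picks tlb_table[0] or tlb_table[1] from the current privilege level; those are assumptions of the model. It shows two ways an addend rewrite can silently have no effect: the fetch consults a different table than the one poisoned, or a refill overwrites the poisoned addend before the fetch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy soft-MMU model (added example). Page and table sizes are assumptions. */
#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE (1u << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))
#define CPU_TLB_SIZE 256
#define GUEST_RAM_SIZE (16u * TARGET_PAGE_SIZE)

typedef struct {
    uint32_t addr_code;  /* page tag for code fetches; 0xffffffff never matches */
    uintptr_t addend;    /* host pointer = vaddr + addend */
} CPUTLBEntry;

typedef struct {
    uint32_t eip;
    int cpl;             /* 0 = kernel, 3 = user */
    CPUTLBEntry tlb_table[2][CPU_TLB_SIZE];
    uint8_t ram[GUEST_RAM_SIZE];   /* constructed guest RAM, identity mapped (assumption) */
} CPUState;

static CPUState env_storage;   /* file scope: too large for the stack */

static int tlb_index(uint32_t vaddr) {
    return (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
}

/* Assumption of the model: code fetches use table 1 in user mode, table 0 otherwise. */
static int cpu_mmu_index(const CPUState *env) { return env->cpl == 3; }

/* Slow path: "page walk" is identity mapping here; it rewrites tag AND addend. */
static void tlb_fill(CPUState *env, uint32_t vaddr, int mmu_idx) {
    CPUTLBEntry *e = &env->tlb_table[mmu_idx][tlb_index(vaddr)];
    uint32_t vpage = vaddr & TARGET_PAGE_MASK;
    e->addr_code = vpage;
    e->addend = (uintptr_t)(env->ram + vpage) - vpage;
}

/* Fast path modelled on ldub_code: tag compare, refill on miss, then vaddr + addend. */
static uint8_t ldub_code(CPUState *env, uint32_t vaddr) {
    int mmu_idx = cpu_mmu_index(env);
    CPUTLBEntry *e = &env->tlb_table[mmu_idx][tlb_index(vaddr)];
    if (e->addr_code != (vaddr & TARGET_PAGE_MASK))
        tlb_fill(env, vaddr, mmu_idx);     /* a refill discards any poisoned addend */
    return *(uint8_t *)(vaddr + e->addend);
}

/* Poison as in the excerpt: make the entry valid, then point its addend at guest
 * page `target` so fetches from eip's page land there. Returns the old addend. */
static uintptr_t poison_tlb(CPUState *env, int mmu_idx, uint32_t target) {
    CPUTLBEntry *e = &env->tlb_table[mmu_idx][tlb_index(env->eip)];
    if (e->addr_code != (env->eip & TARGET_PAGE_MASK))
        tlb_fill(env, env->eip, mmu_idx);
    uintptr_t old = e->addend;
    e->addend = (uintptr_t)(env->ram + target) - (env->eip & TARGET_PAGE_MASK);
    return old;
}

static void reset_env(CPUState *env, int cpl) {
    memset(env, 0, sizeof *env);
    memset(env->tlb_table, 0xff, sizeof env->tlb_table);   /* all entries invalid */
    env->cpl = cpl;
    env->eip = 0x3000;
    memset(env->ram + 0x3000, 0xAA, TARGET_PAGE_SIZE);     /* original code page */
    memset(env->ram + 0x7000, 0xBB, TARGET_PAGE_SIZE);     /* redirect target page */
}

/* Poison table `poisoned_table` while the guest runs at `cpl`, then fetch at eip.
 * 0xBB means the redirect took effect, 0xAA means the original page was fetched. */
uint8_t fetch_after_poison(int cpl, int poisoned_table) {
    CPUState *env = &env_storage;
    reset_env(env, cpl);
    uintptr_t saved = poison_tlb(env, poisoned_table, 0x7000);
    uint8_t b = ldub_code(env, env->eip);
    env->tlb_table[poisoned_table][tlb_index(env->eip)].addend = saved;  /* unpoison */
    return b;
}

/* Same, but a TLB flush (e.g. a CR3 reload) happens between poison and fetch. */
uint8_t fetch_after_poison_then_flush(int cpl, int poisoned_table) {
    CPUState *env = &env_storage;
    reset_env(env, cpl);
    poison_tlb(env, poisoned_table, 0x7000);
    memset(env->tlb_table, 0xff, sizeof env->tlb_table);   /* tlb_flush */
    return ldub_code(env, env->eip);                        /* refill wins: 0xAA */
}

int main(void) {
    printf("user mode, table 1 poisoned:   %02x\n", fetch_after_poison(3, 1));
    printf("kernel mode, table 1 poisoned: %02x\n", fetch_after_poison(0, 1));
    printf("kernel mode, table 0 poisoned: %02x\n", fetch_after_poison(0, 0));
    printf("poison then flush:             %02x\n", fetch_after_poison_then_flush(3, 1));
    return 0;
}
```

The two checks worth making against a real QEMU tree before blaming the poisoning itself are the ones the model isolates: which table index the code-fetch helper selects at the moment of translation, and whether anything between the addend write and the fetch (a page fault, a TLB flush, a refill of the same slot) rewrites the entry.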


