[coreboot] romcc -mcpu=p3?

Andriy Gapon avg at icyb.net.ua
Fri Oct 31 08:31:52 CET 2008 

on 30/10/2008 11:16 Andriy Gapon said the following:
> 
> It seems that romcc with -mcpu=p3 -O produces incorrect code for 
> cpu/x86/16bit/reset16.inc. -mpcu=p2 -O does work fine.
> 
> I will try to provide more hard data later but it looks like the 
> following code is compiled into an (slightly) incorrect jump which 
> breaks things terribly, of course.
>  .section ".reset"
>  .code16
> .globl reset_vector
> reset_vector:
>  .byte 0xe9
>  .int _start - ( . + 2 )
>  . = 0x8;
>  .code32
> 
> Jump seems to be off by -4 bytes.

My original analysis was quite incorrect.
I did thorougher analysis now and here are the main differences.
Indeed there are some changes in offsets but the jumps seem to be correct:
--- fallback-p2/coreboot.map    2008-10-30 23:29:14.000000000 +0200
+++ fallback-p3/coreboot.map    2008-10-30 23:39:44.000000000 +0200
@@ -112,10 +112,10 @@
  00004000 A HEAP_SIZE
  00004000 A _RAMBASE
  00004000 A _iseg
-0000b889 A _binary_coreboot_ram_rom_size
-0000b890 A _start_offset
-0000b8c8 A gdtptr16_offset
-0000f889 A _eiseg
+0000b887 A _binary_coreboot_ram_rom_size
+0000b88c A _start_offset
+0000b8c4 A gdtptr16_offset
+0000f887 A _eiseg
  00010000 A ROM_IMAGE_SIZE
  00010000 A XIP_ROM_SIZE
  0001c200 A TTYS0_BAUD

I wonder where these small 2-4 byte shifts came from. but this is not 
important.

What is much more important is that all mmN registers were replaced with 
xmmN registers.

So here are qemu execution logs for comparison (best done side-by-side).
With cpu=p2:
----------------
IN:
0xfffffff0:  jmp    0xb890

----------------
IN:
0xffffb890:  cli
0xffffb891:  mov    %eax,%ebp
0xffffb894:  xor    %eax,%eax
0xffffb897:  mov    %eax,%cr3

----------------
IN:
0xffffb89a:  mov    %cs,%ax
0xffffb89c:  shl    $0x4,%ax
0xffffb89f:  mov    $0xb8c8,%bx
0xffffb8a2:  sub    %ax,%bx
0xffffb8a4:  lgdtl  %cs:(%bx)
0xffffb8a9:  mov    %cr0,%eax
0xffffb8ac:  and    $0x7ffaffd1,%eax
0xffffb8b2:  or     $0x60000001,%eax
0xffffb8b8:  mov    %eax,%cr0

----------------
IN:
0xffffb8bb:  mov    %ebp,%eax
0xffffb8be:  ljmpl  $0x8,$0xffffb8f7

----------------
IN:
0xffffb8f7:  mov    %eax,%ebp
0xffffb8f9:  mov    $0x10,%al
0xffffb8fb:  out    %al,$0x80
0xffffb8fd:  mov    $0x10,%ax
0xffffb901:  mov    %eax,%ds

outb: 0080 10
dma: extra page register write addr=0x80 data=0x10
ioport80_write 0X10
----------------
IN:
0xffffb903:  mov    %eax,%es

----------------
IN:
0xffffb905:  mov    %eax,%ss

----------------
IN:
0xffffb907:  mov    %eax,%fs

----------------
IN:
0xffffb909:  mov    %eax,%gs
0xffffb90b:  mov    %ebp,%eax
0xffffb90d:  jmp    0xffffb919

----------------
IN:
0xffffb919:  movd   %eax,%mm0
0xffffb91c:  mov    $0xd,%al
.
.
.


With cpu=p3:
----------------
IN:
0xfffffff0:  jmp    0xb88c

----------------
IN:
0xffffb88c:  cli
0xffffb88d:  mov    %eax,%ebp
0xffffb890:  xor    %eax,%eax
0xffffb893:  mov    %eax,%cr3

----------------
IN:
0xffffb896:  mov    %cs,%ax
0xffffb898:  shl    $0x4,%ax
0xffffb89b:  mov    $0xb8c4,%bx
0xffffb89e:  sub    %ax,%bx
0xffffb8a0:  lgdtl  %cs:(%bx)
0xffffb8a5:  mov    %cr0,%eax
0xffffb8a8:  and    $0x7ffaffd1,%eax
0xffffb8ae:  or     $0x60000001,%eax
0xffffb8b4:  mov    %eax,%cr0

----------------
IN:
0xffffb8b7:  mov    %ebp,%eax
0xffffb8ba:  ljmpl  $0x8,$0xffffb8f3

----------------
IN:
0xffffb8f3:  mov    %eax,%ebp
0xffffb8f5:  mov    $0x10,%al
0xffffb8f7:  out    %al,$0x80
0xffffb8f9:  mov    $0x10,%ax
0xffffb8fd:  mov    %eax,%ds

outb: 0080 10
dma: extra page register write addr=0x80 data=0x10
ioport80_write 0X10
----------------
IN:
0xffffb8ff:  mov    %eax,%es

----------------
IN:
0xffffb901:  mov    %eax,%ss

----------------
IN:
0xffffb903:  mov    %eax,%fs

----------------
IN:
0xffffb905:  mov    %eax,%gs
0xffffb907:  mov    %ebp,%eax
0xffffb909:  jmp    0xffffb915

----------------
IN:
0xffffb915:  movd   %eax,%xmm0

qemu: fatal: triple fault
EAX=00000000 EBX=0000b8c4 ECX=00000000 EDX=00000673
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=ffffb915 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0010 00000000 ffffffff 00cf9300
CS =0008 00000000 ffffffff 00cf9b00
SS =0010 00000000 ffffffff 00cf9300
DS =0010 00000000 ffffffff 00cf9300
FS =0010 00000000 ffffffff 00cf9300
GS =0010 00000000 ffffffff 00cf9300
LDT=0000 00000000 0000ffff 00008200
TR =0000 00000000 0000ffff 00008b00
GDT=     ffffb8cc 00000017
IDT=     00000000 0000ffff
CR0=60000011 CR2=00000000 CR3=00000000 CR4=00000000
CCS=00000000 CCD=60000011 CCO=LOGICL
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 FPR1=0000000000000000
FPR2=0000000000000000 FPR3=0000000000000000
FPR4=0000000000000000 FPR5=0000000000000000
FPR6=0000000000000000 FPR7=0000000000000000
XMM00=00000000000000000000000000000000 
XMM01=00000000000000000000000000000000
XMM02=00000000000000000000000000000000 
XMM03=00000000000000000000000000000000
XMM04=00000000000000000000000000000000 
XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 
XMM07=00000000000000000000000000000000

So the logs are practically identical (but for small changes in 
addresses), only in p3 case there is a mov to SSE register (as opposed 
to MMX one) and it results in triple fault.

I wonder if it was my mistake to specify p3 for romcc compilation of 
fallback.c? I searched through the code and it seems that p3 is only 
used for normal images, fallback images typically have no cpu option and 
p2 in one or two cases.

Maybe access to SSE registers requires some prior initialization?
I would be very grateful for my education :)

-- 
Andriy Gapon

More information about the coreboot mailing list