Since the fnsave mnemonic came up in a recent thread, I thought I'd post some
discrepancies in WinDbg's disassembly.
WinDbg does not disassemble the 0F 3F opcode; it shows ??? instead of a
disassembly:
0:000> e eip 0f 3f 05 26 cc cc cc cc
0:000> ? eip;db eip l5; u eip l2;t;? eip;
Evaluate expression: 2089872112 = 7c90eaf0
7c90eaf0 0f 3f 05 26 cc .?.&.
ntdll!KiUserExceptionDispatcher+0x4:
7c90eaf0 0f ???
7c90eaf1 3f aas
(9dc.9e0): Illegal instruction - code c000001d (first chance)
This creates an exception in user mode, but in kernel mode it seems to execute perfectly well:
Evaluate expression: 2089872112 = 7c90eaf0
0:000>
kd> u vpc_8042+0xd210 l4
vpc_8042+0xd210:
fa9b2210 0f ???
fa9b2211 3f aas
fa9b2212 05268b2d54 add eax,542D8B26h
fa9b2217 90 nop
kd> bp vpc_8042+0xd210
kd> g
Breakpoint 0 hit
vpc_8042+0xd210:
fa9b2210 0f ???
kd> kb 4
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
fafaf900 805c8dde 80000578 00000000 fafaf900 vpc_8042+0xd210
fafaf944 80591ce3 e15a1630 00000001 80000578
nt!PipCallDriverAddDeviceQueryRoutine+0x235
fafaf990 80592434 fafafa1c e15a161c fafaf9f0
nt!RtlpCallQueryRegistryRoutine+0x3b1
fafaf9f4 805addac 00000000 00000084 00000001 nt!RtlQueryRegistryValues+0x2a6
kd> t
vpc_8042+0xd214:
fa9b2214 8b2d54909afa mov ebp,dword ptr [vpc_8042+0x4054 (fa9a9054)]
What did those 4 bytes do?
These both break too:
kd> s -b fa9a5000 l? (fa9b6000-fa9a5000) 0f 3f
fa9a6e17 0f 3f 07 0b 83 4d fc ff-83 4d fc ff b0 01 eb 0d .?..M…M…
fa9a7cdd 0f 3f 05 22 85 d2 78 15-8b 45 08 89 58 10 89 48 .?."…x…E…X…H
fa9b2210 0f 3f 05 26 8b 2d 54 90-9a fa bb 38 30 34 32 53 .?.&.-T…8042S
kd> u fa9a6e17 l4
vpc_8042+0x1e17:
fa9a6e17 0f ???
fa9a6e18 3f aas
fa9a6e19 07 pop es
fa9a6e1a 0b834dfcff83 or eax,dword ptr [ebx-7C0003B3h]
kd> u fa9a7cdd l4
vpc_8042+0x2cdd:
fa9a7cdd 0f ???
fa9a7cde 3f aas
fa9a7cdf 052285d278 add eax,78D28522h
fa9a7ce4 158b450889 adc eax,8908458Bh
Breakpoint 2 hit
vpc_8042+0x2cdd:
fa9a7cdd 0f ???
kd> u eip l3
vpc_8042+0x2cdd:
fa9a7cdd 0f ???
fa9a7cde 3f aas
fa9a7cdf 052285d278 add eax,78D28522h
kd> kb 4
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
fafaf744 fa9b0b4c 811957a4 8122ca48 0000000c vpc_8042+0x2cdd
fafaf770 804dad9f 8122ca48 811954f0 0001001a vpc_8042+0xbb4c
fafaf770 fa9a7098 8122ca48 811954f0 0001001a nt!KiInterruptDispatch+0x3d
fafaf820 fa9a7eab 00000000 00000000 00000002 vpc_8042+0x2098
kd> t   <--- can step perfectly well, though there is no disassembly
vpc_8042+0x2ce1:
fa9a7ce1 85d2 test edx,edx
and 4 bytes again.
Likewise, I have seen WinDbg not differentiate between fsave / fnsave.
A sample:
0:000> a eip
7c93edc0 fsave [eax]
7c93edc3 fnsave [eax]
7c93edc5 fsave [ecx]
7c93edc8 fnsave [ecx]
7c93edca
0:000> u eip l5
ntdll!LdrpInitializeProcess+0xffa:
7c93edc0 9b wait
7c93edc1 dd30 fnsave [eax]
7c93edc3 dd30 fnsave [eax]
7c93edc5 9b wait
7c93edc6 dd31 fnsave [ecx]
0:000>
9B DD /6 FSAVE m94/108byte
Store FPU state to m94byte or m108byte after checking for pending unmasked
floating-point exceptions. Then re-initialize the FPU.
DD /6 FNSAVE* m94/108byte
Store FPU environment to m94byte or m108byte without checking for pending
unmasked floating-point exceptions. Then re-initialize the FPU
I remember reading somewhere on Google that the assembler issues FWAIT
and FNSAVE for FSAVE and the processor executes them separately,
but I didn't find specifics in the Intel manual when I looked.
regards
raj_r
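As an added example (not WinDbg's, Intel's or the poster's own code), a small Python decoder for the two byte patterns discussed above: it merges 9B DD /6 into fsave, reports DD /6 alone as fnsave, and treats 0F 3F as an opaque 4-byte instruction. The 4-byte length is an assumption taken from the eip steps in the kd> t output; 32-bit addressing, no prefixes and no SIB byte are also assumptions.

```python
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def mem_operand(code, i):
    """Decode the ModRM memory operand at code[i] -> (text, reg field, length).
    Assumption: 32-bit addressing, no prefixes, no SIB byte (rm == 4)."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4:
        raise ValueError("register or SIB form not handled here")
    if mod == 0 and rm == 5:  # [disp32]
        return f"[{int.from_bytes(code[i+1:i+5], 'little'):08X}h]", reg, 5
    text, n = REGS32[rm], 1
    if mod == 1:              # [reg+disp8]
        text += f"{int.from_bytes(code[i+1:i+2], 'little', signed=True):+X}h"; n = 2
    elif mod == 2:            # [reg+disp32]
        text += f"{int.from_bytes(code[i+1:i+5], 'little', signed=True):+X}h"; n = 5
    return f"[{text}]", reg, n

def decode(code, base=0):
    """Return [(address, hex bytes, text)] in the spirit of WinDbg's 'u' output."""
    out, i = [], 0
    while i < len(code):
        b, nxt = code[i], code[i+1] if i + 1 < len(code) else None
        if b == 0x0F and nxt == 0x3F:
            # Opaque 4-byte instruction: the kd> t steps in the post advance eip by 4
            n, text = 4, "(undocumented 0f 3f)"
        elif b == 0x9B and nxt == 0xDD and i + 2 < len(code) \
                and ((code[i+2] >> 3) & 7) == 6:
            # 9B DD /6: the FWAIT + FNSAVE pair that the FSAVE mnemonic stands for
            op, _, m = mem_operand(code, i + 2)
            n, text = 2 + m, f"fsave {op}"
        elif b == 0x9B:
            n, text = 1, "wait"
        elif b == 0xDD and nxt is not None:
            op, reg, m = mem_operand(code, i + 1)
            n, text = 1 + m, (f"fnsave {op}" if reg == 6 else f"(esc dd /{reg}) {op}")
        elif b == 0x90:
            n, text = 1, "nop"
        else:
            n, text = 1, f"db {b:02x}"
        out.append((base + i, code[i:i+n].hex(), text))
        i += n
    return out

# Constructed sample inputs: the bytes WinDbg assembled for the fsave/fnsave lines
# above, and the 0f 3f 05 26 sequence followed by the nop from the kernel listing.
SAMPLE_FSAVE = bytes.fromhex("9bdd30dd309bdd31")
SAMPLE_0F3F = bytes.fromhex("0f3f052690")
```

Running decode(SAMPLE_FSAVE, 0x7C93EDC0) yields one fsave line per 9B DD pair at the same addresses the poster's a/u session shows, instead of WinDbg's separate wait and fnsave lines.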