From: Jim Bryant
Message-Id: <199711100911.DAA07810@argus.tfs.net>
Subject: Re: Newest Pentium bug (fatal)
In-Reply-To: <199711100737.AAA10415@usr06.primenet.com> from Terry Lambert at "Nov 10, 97 07:37:17 am"
To: tlambert@primenet.com (Terry Lambert)
Date: Mon, 10 Nov 1997 03:11:40 -0600 (CST)
Cc: freebsd-hackers@freebsd.org
Reply-to: jbryant@tfs.net

In reply:
> > LOCK CMPXCHG8B EDX:EAX, ECX:EBX   ; crash... pp 25-72 to
> >                                   ; 25-73 of intel's arch & prog
> >                                   ; manual for the pentium
>
> The same manual states that the CMPXCHG8B asserts a "#LOCK" signal, as
> does the "#LOCK" command. Also some paging situations, and "XCHG".

where do you see this? what page? definitely not in the "Instruction Set" chapter [chapter 25]...

p 25-72:

  "Operation
     if edx:eax = dest
       zf <- 1
       dest <- ecx:ebx
     else
       zf <- 0
       edx:eax <- dest"

p 25-73:

  "Notes
   This instruction can be used with the LOCK prefix. In order to simplify interface to the processor's bus, the destination operand receives a write cycle without regard to the result of the comparison. DEST is written back if the comparison fails, and SRC is written into the destination otherwise. (The processor never produces a locked read without also producing a locked write.)"

> It looks to me like they took the 486 macrocell, and extended it (easiest
> way to get binary compatibility), and "forgot" the new registers when
> implementing the "#LOCK" assert test.

the 0C8h r/m byte specifies the proper extended regs...

> I can verify that using non-extended registers doesn't crash.

if the backwards compatible 32-bit instruction CMPXCHG was buggy we would have found out about this a long time ago... intel was obviously betting that things would remain 486 backwards compatible for the market lifetime of the pentium. they had to have tested this very early in the production cycle or late in the tooling process. if i'm right about a coverup, it must have been a good one, so good that they put it into the MMX.

> As someone else noticed, there may also be a cache fetch interaction
> (page fault was another thing referenced by #LOCK).
>
> Clearly, it's self-deadlocking trying to assert #LOCK.

hmmmmmm.... just so we are talking apples <-> apples, i am referencing intel's "Pentium(R) Processor Family Developer's Manual, Volume 3: Architecture and Programming Manual", ISBN 1-55512-247-7, (c) 1995, order number 241430-004. covering the 1110/133, 1000/120, 815/100, 735/90, and 615/75 cpus.

jim
-- 
All opinions expressed are mine, if you    | "I will not be pushed, stamped,
think otherwise, then go jump into turbid  | briefed, debriefed, indexed, or
radioactive waters and yell WAHOO !!!      | numbered!" - #1, "The Prisoner"
------------------------------------------------------------------------------
Inet: jbryant@tfs.net  AX.25: kc5vdj@wv0t.#neks.ks.usa.noam  grid: EM28pw
voice: KC5VDJ - 6 & 2 Meters AM/FM/SSB, 70cm FM.
http://www.tfs.net/~jbryant
------------------------------------------------------------------------------
HF/6M/2M: IC-706-MkII, 2M: HTX-212, 2M: HTX-202, 70cm: HTX-404, Packet: KPC-3+
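As an added example that is not part of the original message or thread, the C scanner below walks raw x86 code bytes and reports LOCK-prefixed CMPXCHG8B encodings whose ModRM byte selects a register operand, the encoding the message refers to with its 0C8h r/m byte; such a check lets an operator inspect a binary for the sequence before running it on affected hardware. It assumes only the standard opcode map (LOCK = F0, CMPXCHG8B = 0F C7 /1), and the sample byte buffer is constructed here rather than taken from the thread.

```c
#include <stddef.h>

/* Legacy x86 prefixes other than LOCK (F0) that may share the prefix run. */
static int is_other_prefix(unsigned char b)
{
    return b == 0x66 || b == 0x67 || b == 0x2E || b == 0x36 || b == 0x3E ||
           b == 0x26 || b == 0x64 || b == 0x65 || b == 0xF2 || b == 0xF3;
}
/* Hit at buf[i]: a prefix run containing LOCK, then 0F C7 with ModRM reg field
 * 001 (CMPXCHG8B) and mod field 11 (a register operand, for which CMPXCHG8B
 * has no defined form). *len receives the length of the matched encoding. */
static int match_at(const unsigned char *buf, size_t n, size_t i, size_t *len)
{
    int saw_lock = 0;
    size_t j = i;
    while (j < n && (buf[j] == 0xF0 || is_other_prefix(buf[j])))
        saw_lock |= (buf[j++] == 0xF0);
    if (!saw_lock || j + 2 >= n || buf[j] != 0x0F || buf[j + 1] != 0xC7)
        return 0;
    if ((buf[j + 2] >> 6) != 3 || ((buf[j + 2] >> 3) & 7) != 1)
        return 0;
    *len = j + 3 - i;
    return 1;
}
/* Counts hits in buf; *first receives the offset of the first hit (or n). */
size_t scan_lock_cmpxchg8b_reg(const unsigned char *buf, size_t n, size_t *first)
{
    size_t hits = 0, len;
    *first = n;
    for (size_t i = 0; i < n; ) {
        if (!match_at(buf, n, i, &len)) { i++; continue; }
        if (hits++ == 0) *first = i;
        i += len;
    }
    return hits;
}
/* Constructed sample bytes (not from the thread): a legal memory form, the
 * register form without LOCK, and two LOCK-prefixed register forms. */
static const unsigned char sample[] = {
    0x90, 0x90,                    /* nop; nop */
    0xF0, 0x0F, 0xC7, 0x0E,        /* lock cmpxchg8b [esi]: memory form, legal */
    0x0F, 0xC7, 0xC8,              /* register form, no LOCK: plain #UD */
    0xF0, 0x0F, 0xC7, 0xC8,        /* LOCK + register form, offset 9 */
    0x66, 0xF0, 0x0F, 0xC7, 0xCF,  /* same with a 66 prefix first, offset 13 */
    0xC3                           /* ret */
};
size_t scan_sample(size_t *first)   /* returns 2 with *first == 9 */
{
    return scan_lock_cmpxchg8b_reg(sample, sizeof sample, first);
}
```

The memory-operand form (mod field 00, 01 or 10) is the legal, locked read-modify-write the quoted manual page describes and is deliberately not flagged.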