QSP-CPU Release Notes
This document identifies important information for the QSP-CPU
package for Simics 6. All users of this specific package
should review this document carefully.
The following is a list of changes since the initial
6.0.0 release.
6.0.21 (build 6274)
- Intel® 64 public cores
- The architectural features LASS,
WRMSRNS and UMIP have been added to
the x86-experimental-fred CPU class.
- New features and bug fixes
- Fixed a missed #PF raise in the case of a reserved PML4E.PS or PML5E.PS
bit violation in page table entries (bug #HSD-22019212777).
- Fixed many EVEX-encoded instructions
to correctly report unmasked SIMD exceptions as #XM on
CR4.OSXMMEXCPT.
6.0.20 (build 6271)
- APIC
- Setting the x2apic_mode_only
attribute to true now also automatically enables x2APIC mode
(bug #HSD-15014662327).
- New features and bug fixes
- Fix disassembly of "suppress all exceptions" for instructions that do not
apply rounding: VMIN|MAX PD|PS, VMIN|MAX SS|SD (bug #SIMICSTS-1174).
- Fix disassembly of "suppress all
exceptions" for instructions that do not apply rounding: VCMP PS|PD
(bug #SIMICSTS-1174).
- Fix the dirty bit not being set in the page table entry after writes to
memory. After any write within a page, the dirty bit in the page table entry
for that page should be set; this did not happen. This caused problems such as
TLB thrashing (no write could be served from the TLB, since the dirty bit was
never set in the TLB entry either) and possibly further bugs in filesystems
and other software using copy-on-write techniques (bug #HSD-22018547150).
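To make the fixed behaviour concrete, here is a constructed toy model (added here, not Simics code) of a one-level page table with a single-entry TLB: a write may only be served from the TLB when the cached entry already records D=1, so a walk that forgets to set the dirty bit, as in the defect above, forces a fresh walk on every subsequent write to the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed toy model of the dirty-bit behaviour described in the 6.0.20
 * note: a one-level page table plus a single-entry TLB. Not Simics code. */
#define PTE_P  (1ULL << 0)   /* present */
#define PTE_RW (1ULL << 1)   /* writable */
#define PTE_A  (1ULL << 5)   /* accessed */
#define PTE_D  (1ULL << 6)   /* dirty */
#define PAGE_SHIFT 12
#define NPAGES 4

struct tlb_entry { uint64_t vpn; uint64_t pte; bool valid; };
struct mmu {
    uint64_t pt[NPAGES];   /* page table indexed directly by VPN */
    struct tlb_entry tlb;  /* caches the last walked PTE */
    unsigned walks;        /* page walks performed so far */
};
struct result { unsigned walks; bool dirty; };

static void mmu_init(struct mmu *m) {
    memset(m, 0, sizeof *m);
    for (uint64_t i = 0; i < NPAGES; i++)   /* identity map, all pages clean */
        m->pt[i] = PTE_P | PTE_RW | (i << PAGE_SHIFT);
}

/* A write may be served from the TLB only if the cached entry has D=1;
 * otherwise the walk runs and must set A and D in the PTE. With buggy=true
 * the walk never sets D, so every later write to the page walks again. */
static bool mmu_write(struct mmu *m, uint64_t va, bool buggy) {
    uint64_t vpn = va >> PAGE_SHIFT;
    if (vpn >= NPAGES) return false;
    if (m->tlb.valid && m->tlb.vpn == vpn && (m->tlb.pte & PTE_D))
        return true;                        /* TLB hit, no walk */
    m->walks++;
    uint64_t pte = m->pt[vpn];
    if (!(pte & PTE_P) || !(pte & PTE_RW)) return false;   /* would be #PF */
    pte |= PTE_A;
    if (!buggy) pte |= PTE_D;               /* the fix: a write sets D */
    m->pt[vpn] = pte;
    m->tlb = (struct tlb_entry){ vpn, pte, true };
    return true;
}

/* Write n times within page 2 and report walks needed and final PTE.D. */
static struct result run_writes(bool buggy, unsigned n) {
    struct mmu m;
    mmu_init(&m);
    for (unsigned i = 0; i < n; i++) mmu_write(&m, 0x2000 + i * 8, buggy);
    return (struct result){ m.walks, (m.pt[2] & PTE_D) != 0 };
}
```

With the fix, ten writes to one page need a single walk and leave PTE.D set; with the defect reproduced, every write walks again and the PTE stays clean, which is the TLB thrashing the note describes.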
6.0.19 (build 6253)
- Flexible Return and Event Delivery (FRED)
- The guest IA32_PL0_SSP VMCS field has been removed.
6.0.18 (build 6248)
- APIC
- Flexible Return and Event Delivery (FRED)
- Bit 25 of the return state CS word is no longer set for the INT1, INT3
and INTO instructions.
- VM entry now fails if the guest is in CPL 0 compatibility mode, i.e.,
SS.DPL is 0 and CS.L is 0, and guest FRED transitions are enabled.
- The x86-experimental-fred CPU class has been updated to
FRED 5.0. Other classes implementing FRED still implement FRED 3.0.
- ERETU now raises #GP if it is run at non-0 stack level.
- The IA32_PL0_SSP/IA32_FRED_SSP0 MSR can now be accessed by CPUs
implementing FRED even if they do not implement CET.
- Fixed a bug in ERETU where the RPL bits of the CS and SS selectors were
cleared before comparing them to IA32_STAR[63:48].
6.0.13 (build 6196)
- Flexible Return and Event Delivery (FRED)
- Fixed a bug in ERETS that could leave interrupts permanently disabled if
the STI interrupt blocking bit was set in the return context.
6.0.11 (build 6188)
- Flexible Return and Event Delivery (FRED)
- FRED support has been removed from the x86QSP2 CPU
class. Use the x86-experimental-fred CPU class for FRED
support.
- Fixed ERETS to raise #GP if CS or SS in the return context do not match
the current CS or SS.
6.0.10 (build 6176)
- Flexible Return and Event Delivery (FRED)
- Fixed a bug in ERETU that caused incorrect RIP after returning to a code
segment with non-zero base (bug #HSD-14017032910).
6.0.9 (build 6173)
- Flexible Return and Event Delivery (FRED)
- Updated the ERETS and ERETU instructions to expect RSP to point to RIP of
the return context, not the error code pushed by event delivery.
- Updated the ERETU instruction to check that the return CS.RPL and SS.RPL
fields are 3 even if the selectors match IA32_STAR.
- Updated the ERETS and ERETU instructions to ignore bits 63:32 of the word
containing the SS selector.
- Updated the ERETS and ERETU instructions to not raise #GP if bit 28 of
the word containing the CS selector is set.
- Updated the ERETS and ERETU instructions to report the original RSP in
the exception context if they raise an exception, not the RSP after
popping parts or all of the return context (bug #HSD-14017032184).
6.0.8 (build 6166)
- APIC
- Event queue overflows that could occur in
some situations have been fixed (bug #HSD-16015793807).
- Flexible Return and Event Delivery (FRED)
- Implemented the changes from version 2.0 to version 3.0 of the FRED
specification.
6.0.7 (build 6158)
- Flexible Return and Event Delivery (FRED)
- Fixed clearing of RF flag at the start of the next instruction after
ERETU/ERETS.
6.0.6 (build 6155)
- Flexible Return and Event Delivery (FRED)
- Implemented enumeration of VMX nested-exception support in MSR
IA32_VMX_BASIC (index 480H) of x86-experimental-fred
processor class.
6.0.4 (build 6137)
- Flexible Return and Event Delivery (FRED)
- Fixed restoring of segment registers in case FRED delivery incurs a
nested exception.
6.0.3 (build 6134)
- Flexible Return and Event Delivery (FRED)
- Fixed VMX guest state check and VMX CR4 capability reporting.
- Fixed VMX capability reporting.
6.0.2 (build 6127)
- APIC
- One-shot and periodic timer modes now use the core crystal clock (also
known as ART) frequency to measure time intervals if the attached processor
enumerates this frequency in CPUID.0x15. This behavior matches the
description given in the current SDM.
- Common
- Simics no longer comes with documentation
in PDF format.
- Flexible Return and Event Delivery (FRED)
- Changed the treatment of RPL fields for CS and SS: event delivery ensures
that SS.RPL in the new context is 0, ERETS generates general-protection
exception if either CS.RPL or SS.RPL of the return context is not 0.
- WRMSR to IA32_FRED_CONFIG MSR generates general-protection exception if
its source operand sets reserved bits. WRMSR to IA32_FRED_RSPx MSRs
generates general-protection exception if its source operand is not
64-byte aligned.
- An execution of far CALL or far JMP instructions that encounters a call
gate generates general-protection exception. An execution of IRET or far
RET instructions that would change CPL generates general-protection
exception.
- State of STI blocking is now saved on event delivery and restored on ERETS
execution.
- The ERETU instruction now loads the CS and SS descriptors from the GDT
or LDT as an execution of IRET would (case 3 of the CS and SS register
configuration).
- ERETU instruction generates general-protection exception if it would load
I/O privilege level (IOPL) with a non-zero value.
- Delivery of device-not-available exception (#NM) pushes the identity of
the feature triggering #NM, i.e., the value loaded into the IA32_XFD_ERR MSR.
- Changes to the RSM instruction are implemented.
- VMX interactions with FRED transitions are implemented.
- The following changes in draft specification 2.0, June 2021, have been
implemented:
- The entry point offset for events occurring in ring 0 has changed
from 64 bytes to 256 bytes.
- CS.L is saved in the event information.
- The instruction length is saved in the event information when an
event is caused by an INTn, INT1, INT3, INTO, SYSCALL or SYSENTER
instruction.
- New format used for reporting the cause of #DB.
- Event delivery always clears EFLAGS.TF.
- ERETU clears any pending UMONITOR.
- Interrupt blocking after POP or MOV to SS is disabled when FRED
is enabled.
- Added a new x86-experimental-fred processor class.
6.0.1 (build 6096)
- Flexible Return and Event Delivery (FRED)
- The Flexible Return and Event Delivery (FRED) feature is supported in
the x86QSP2 CPU model as a technology preview and is subject to change
based on customer feedback and internal analysis. The FRED implementation
has several limitations described in the Limitations section. To use the
model, set the cpu_comp_class parameter to x86QSP2 before running a
Simics script.
This section briefly describes the known limitations of the
QSP-CPU package. Please refer to section
5 for a more technical
description.
For model oriented packages, additional limitations may be found in
the model target guides.
This section describes in detail the known limitations of the
QSP-CPU package. Please refer to
section 4 for a more general description.
A register or field marked as "Not implemented" is present with read-write
semantics but has no side effects on simulation. A register marked as "Not
implemented (design limitation)" has the same semantics as a "Not
implemented" register, and there is no plan to extend the model with this
functionality. A register marked "Lack of documentation" has not been
implemented because there is no available documentation describing its
semantics.