6.828 lab1 Exercise 2 死循环问题

https://pdos.csail.mit.edu/6.828/2018/labs/lab1/

版本：

• qemu：QEMU emulator version 1.5.3 (qemu-kvm-1.5.-167.el7_7.4), Copyright (c) 2003-2008 Fabrice Bellard
• centos：CentOS-7-x86_64-Minimal-1908
• gdb：GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-115.el7

The ROM BIOS 这个章节，A 窗口 make qemu-gdb，B 窗口 make gdb

A：

/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -gdb tcp::25000 -D qemu.log -S VNC server running on `::1:5900' 

B si 单步调试:

[f000:fff0] 0xffff0: ljmp $0xf000,$0xe05b [f000:e05b] 0xfe05b: cmpl $0x0,%cs:0x69c8 [f000:e062] 0xfe062: jne 0xfd0f7 [f000:e066] 0xfe066: xor %dx,%dx [f000:e068] 0xfe068: mov %dx,%ss [f000:e070] 0xfe070: mov $0xf1399,%edx [f000:e076] 0xfe076: jmp 0xfcf8c [f000:cf8c] 0xfcf8c: cli [f000:cf8d] 0xfcf8d: cld [f000:cf8e] 0xfcf8e: mov %eax,%ecx [f000:cf91] 0xfcf91: mov $0x8f,%eax [f000:cf97] 0xfcf97: out %al,$0x70 [f000:cf9b] 0xfcf9b: in $0x92,%al [f000:cf9d] 0xfcf9d: or $0x2,%al [f000:cf9f] 0xfcf9f: out %al,$0x92 [f000:cfa4] 0xfcfa4: lidtw %cs:0x69b8 [f000:cfaa] 0xfcfaa: lgdtw %cs:0x6974 [f000:cfb0] 0xfcfb0: mov %cr0,%ecx [f000:cfb3] 0xfcfb3: and $0x1fffffff,%ecx [f000:cfba] 0xfcfba: or $0x1,%ecx [f000:cfbe] 0xfcfbe: mov %ecx,%cr0 

切入 PE 之后：

The target architecture is assumed to be i386 => 0xfcfc9: mov $0x10,%ecx => 0xfcfce: mov %ecx,%ds => 0xfcfd0: mov %ecx,%es => 0xfcfd2: mov %ecx,%ss => 0xfcfd6: mov %ecx,%gs => 0xfcfd8: jmp *%edx => 0xf1399: sub $0x8,%esp => 0xf139c: movl $0xf4254,0x4(%esp) => 0xf13a4: movl $0xf390a,(%esp) => 0xf13ab: call 0xee4dd => 0xee4dd: lea 0x8(%esp),%ecx => 0xee4e1: mov 0x4(%esp),%edx => 0xee4e5: mov $0xf4200,%eax => 0xee4ea: call 0xedd5a => 0xedd5a: push %ebp => 0xedd5b: push %edi => 0xedd5c: push %esi => 0xedd5d: push %ebx => 0xedd5e: sub $0xc,%esp => 0xedd61: mov %eax,%ebx => 0xedd63: mov %edx,0x4(%esp) => 0xedd67: mov %ecx,%ebp => 0xedd69: mov 0x4(%esp),%esi => 0xedd6d: movsbl (%esi),%edx => 0xedd70: test %dl,%dl => 0xedd72: je 0xedfb6 => 0xedd78: cmp $0x25,%dl => 0xedd7b: jne 0xede1b => 0xede1b: mov %ebx,%eax => 0xede1d: call 0xec570 => 0xec570: mov %eax,%ecx => 0xec572: movsbl %dl,%edx => 0xec575: call *(%ecx) => 0xec565: mov %edx,%eax => 0xec567: mov 0xf683c,%dx => 0xec56e: out %al,(%dx) => 0xec577: ret => 0xede22: jmp 0xedfaa => 0xedfaa: lea 0x1(%esi),%eax => 0xedfad: mov %eax,0x4(%esp) => 0xedfb1: jmp 0xedd69 => 0xedd69: mov 0x4(%esp),%esi => 0xedd6d: movsbl (%esi),%edx => 0xedd70: test %dl,%dl => 0xedd72: je 0xedfb6 => 0xedd78: cmp $0x25,%dl => 0xedd7b: jne 0xede1b => 0xede1b: mov %ebx,%eax => 0xede1d: call 0xec570 => 0xec570: mov %eax,%ecx => 0xec572: movsbl %dl,%edx => 0xec575: call *(%ecx) => 0xec565: mov %edx,%eax => 0xec567: mov 0xf683c,%dx => 0xec56e: out %al,(%dx) => 0xec577: ret ... 

中间隔开的那一段一直到 ... 就是死循环，但是如果这个时候 c continue 的话 A 又可以进 kernel，而且试了断点，并没有进 0x7c00。

找到一篇：https://stackoverflow.com/questions/11408041/how-to-debug-the-linux-kernel-with-gdb-and-qemu/33203642#33203642，把 A 窗口换成直接执行：

/usr/libexec/qemu-kvm -drive file=obj/kern/kernel.img,index=0,media=disk,format=raw -serial mon:stdio -D qemu.log -S -s 

其实就是换了 gdb TCP 1234 端口，然后按照 stackoverflow 上在 B 连 1234：

target remote localhost:1234 

最终 si 还是进了死循环... 另外试了 -bios 参数，也确实是使用的 seabios.bin。

已经查不动了，求大佬解答~