Date: Fri, 28 Apr 2006 09:28:18 -0400
From: Daniel Jacobowitz
Subject: Re: [Qemu-devel] [PATCH] Fix overflow conditions for MIPS add / subtract
Message-ID: <20060428132818.GA27384@nevyn.them.org>
In-Reply-To: <443E9D2F.5050807@mail.berlios.de>
To: qemu-devel@nongnu.org

On Thu, Apr 13, 2006 at 08:49:19PM +0200, Stefan Weil wrote:
> - if ((T0 >> 31) ^ (T1 >> 31) ^ (tmp >> 31)) {
> + if (((tmp ^ T1 ^ (-1)) & (T0 ^ T1)) >> 31) {
> + /* operands of same sign, result different sign */
> CALL_FROM_TB1(do_raise_exception_direct, EXCP_OVERFLOW);
> }

I see this went in, but - huh?  The math doesn't make sense.

T0 ^ T1 -> operands of different sign
tmp ^ T1 ^ (-1) -> result has same sign as T1

Which is a "who cares" case.  This is addition, it can't overflow if the
operands have the same sign.
> - if (!((T0 >> 31) ^ (T1 >> 31) ^ (tmp >> 31))) {
> + if (((tmp ^ T1) & (tmp ^ T0)) >> 31) {
> + /* operands of different sign, first operand and result
> different sign */
> CALL_FROM_TB1(do_raise_exception_direct, EXCP_OVERFLOW);
> }

tmp ^ T1 -> result and T1 of different sign
tmp ^ T0 -> result and T0 of different sign

Which implies that the operands have the same sign.  Again, this case
can't overflow.

I haven't tested the patched qemu, but I did test the expressions
themselves in standalone code, and they definitely do not detect
overflow.

-- 
Daniel Jacobowitz
CodeSourcery
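Review bot: the ADD hunk cannot be judged from the quoted context because the lines that assign `tmp` and `T0` are not part of it. Read with `tmp` as the first operand saved before the addition and `T0` as the sum, `tmp ^ T1 ^ (-1)` has bit 31 set when the operands share a sign and `T0 ^ T1` when the sum's sign differs from them, which is exactly what the new comment `/* operands of same sign, result different sign */` claims; read with `tmp` as the sum, the same expression describes a case that cannot overflow. Suggest widening the hunk context to include those assignments, or giving the saved operand a name such as `old_T0`, so the comment and the expression can be checked line by line; `~(tmp ^ T1)` would also read more clearly than `tmp ^ T1 ^ (-1)`.

Review bot: the SUB hunk has the same gap: `((tmp ^ T1) & (tmp ^ T0)) >> 31` matches its comment (`tmp ^ T1` flags operands of different sign, `tmp ^ T0` a result whose sign differs from the first operand) only if `tmp` is the first operand before the subtraction and `T0` the difference; if `tmp` is the difference, both terms describe a non-overflowing case. The same fix applies: show the assignments in the context lines of the patch so the variable roles are visible to a reviewer.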
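As an added standalone check (not part of this mail or the QEMU tree), the C below evaluates both quoted predicates against a 64-bit reference over sign-boundary operands, the kind of test Daniel describes running. It assumes, since the quoted hunks do not show it, that `tmp` holds the first operand before the operation, `T0` the wrapped 32-bit result and `T1` the second operand; under a different binding of `tmp` the predicates read differently.

```c
/* Standalone evaluation of the two quoted overflow predicates. Assumption
 * (not shown in the quoted hunks): tmp is the first operand before the
 * operation, T0 the wrapped 32-bit result, T1 the second operand. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t target_ulong;   /* 32-bit target assumed */

/* Reference: do the arithmetic in 64 bits and test whether it fits int32. */
static int ref_add_overflows(target_ulong a, target_ulong b)
{
    int64_t r = (int64_t)(int32_t)a + (int64_t)(int32_t)b;
    return r < INT32_MIN || r > INT32_MAX;
}
static int ref_sub_overflows(target_ulong a, target_ulong b)
{
    int64_t r = (int64_t)(int32_t)a - (int64_t)(int32_t)b;
    return r < INT32_MIN || r > INT32_MAX;
}

/* ADD predicate from the patch, with tmp = saved first operand, T0 = sum. */
static int patched_add_overflows(target_ulong a, target_ulong b)
{
    target_ulong tmp = a, T1 = b;
    target_ulong T0 = tmp + T1;                 /* wraps modulo 2^32 */
    return (((tmp ^ T1 ^ (target_ulong)-1) & (T0 ^ T1)) >> 31) != 0;
}

/* SUB predicate from the patch, with tmp = saved first operand, T0 = difference. */
static int patched_sub_overflows(target_ulong a, target_ulong b)
{
    target_ulong tmp = a, T1 = b;
    target_ulong T0 = tmp - T1;                 /* wraps modulo 2^32 */
    return (((tmp ^ T1) & (tmp ^ T0)) >> 31) != 0;
}

/* Compare both predicates with the reference over every pair of constructed
 * sign-boundary values; returns how many pairs disagree (0 = they agree). */
static size_t count_mismatches(void)
{
    static const target_ulong v[] = { 0, 1, 2, 0x7FFFFFFE, 0x7FFFFFFF,
                                      0x80000000, 0x80000001, 0xFFFFFFFE, 0xFFFFFFFF };
    size_t n = sizeof v / sizeof v[0], bad = 0, i, j;
    for (i = 0; i < n; i++)
        for (j = 0; j < n; j++) {
            bad += patched_add_overflows(v[i], v[j]) != ref_add_overflows(v[i], v[j]);
            bad += patched_sub_overflows(v[i], v[j]) != ref_sub_overflows(v[i], v[j]);
        }
    return bad;
}
```

Swapping the role of `tmp` (treating it as the result instead of the saved operand) is a one-line change in each predicate and makes the mismatch count non-zero, which is the quickest way to see that the argument hinges on that binding.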