From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:36804)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <froydnj@mozilla.org>) id 1VOwIr-0004Sw-K5
	for qemu-devel@nongnu.org; Wed, 25 Sep 2013 17:07:28 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <froydnj@mozilla.org>) id 1VOwIk-0006Fo-9D
	for qemu-devel@nongnu.org; Wed, 25 Sep 2013 17:07:21 -0400
Received: from mx1.corp.phx1.mozilla.com ([63.245.216.69]:47211
	helo=smtp.mozilla.org) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <froydnj@mozilla.org>) id 1VOwIk-0006Fg-4Z
	for qemu-devel@nongnu.org; Wed, 25 Sep 2013 17:07:14 -0400
Received: from localhost (cpe-107-10-245-88.indy.res.rr.com [107.10.245.88])
	(Authenticated sender: nfroyd@mozilla.com)
	by mx1.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id 8F01AF2306
	for <qemu-devel@nongnu.org>; Wed, 25 Sep 2013 13:31:10 -0700 (PDT)
From: Nathan Froyd <froydnj@mozilla.com>
Date: Wed, 25 Sep 2013 16:20:27 -0400
Message-ID: <E1VOwIk-0006Fg-4Z@eggs.gnu.org>
Subject: [Qemu-devel] [PATCH] target-i386: fix translation of sse {,
 u}comis{s, d} instructions
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: froydnj@gmail.com

While the generic SSE translation codepath contains special logic to use
32-bit or 64-bit memory operands for some instructions, this logic doesn't
catch the SSE {,u}comis{s,d} instructions.  This oversight leads to too
many bytes being read when those instructions use memory operands, which
can in turn lead to page faults.

The fix is simple: add a special case for these instructions.  It did not
fit cleanly into the existing case, so some cut-and-paste was necesary.

Signed-off-by: Nathan Froyd <froydnj@mozilla.com>
---
 target-i386/translate.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index be74ebc..687859a 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -4576,6 +4576,16 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
                         /* 64 bit access */
                         gen_ldq_env_A0(s->mem_index, offsetof(CPUX86State,xmm_t0.XMM_D(0)));
                     }
+                } else if (b1 <= 1 && (b == 0x2e || b == 0x2f)) {
+                    /* specific case for SSE *comis{s,d} instructions */
+                    if (b1 == 0) {
+                        /* 32 bit access */
+                        gen_op_ld_T0_A0(OT_LONG + s->mem_index);
+                        tcg_gen_st32_tl(cpu_T[0], cpu_env, offsetof(CPUX86State,xmm_t0.XMM_L(0)));
+                    } else {
+                        /* 64 bit access */
+                        gen_ldq_env_A0(s->mem_index, offsetof(CPUX86State,xmm_t0.XMM_D(0)));
+                    }
                 } else {
                     gen_ldo_env_A0(s->mem_index, op2_offset);
                 }
-- 
1.7.10.4