[Qemu-devel] ARM load/store multiple bug

[Justin Fletcher <gerph@gerph.org>]

Hiya,

I have found a bug in the implementation of the load/store multiple 
instructions in ARM (LDM and STM). These are defined in the ARM ARM to 
ignore bits 0 and 1 of the address when the load takes place - that is the 
base register for these operations is always treated as a 32bit aligned 
value (although its value is only rounded internally). This differs from 
the LDR/STR operation which uses the full width of instructions.

In other words :

    MOV   r0, #9
    LDMIA r0, {r1,r2}

Is equivalent to loading r1 with the value at 8, and r2 with the value at 
12. Contrast this with the following :

    MOV   r0, #9
    LDR   r1, [r0]
    LDR   r2, [r0,#4]

which would load r1 with the value at 8, rotated right 8 bits, and r2 with 
the value at 12, rotated right 8 bits.

I have not confirmed the behaviour or the LDR operation, but have found 
problems with the multiple register operations. My solution would be to 
add the equivalent of a BIC instruction in to the target-arm/translate.c 
to clear off the bottom two bits, around line 1695 :

---8<---
                         if (n != 1)
                             gen_op_addl_T1_im(-((n - 1) * 4));
                     }
                 }
                 j = 0;
/* Insert something like gen_op_bicl_T1_im(3); here */
                 for(i=0;i<16;i++) {
                     if (insn & (1 << i)) {
                         if (insn & (1 << 20)) {
---8<---

However, there isn't any such function and I'm unsure how to make that 
change. Any suggestions would be greatfully received.

-- 
Gerph <http://gerph.org/>
... Find answers on the street, in cracks beneath my feet.