From: Justin Fletcher
Date: Sat, 9 Sep 2006 23:19:10 +0100 (BST)
Subject: [Qemu-devel] ARM load/store multiple bug
To: qemu-devel@nongnu.org

Hiya,

I have found a bug in the implementation of the load/store multiple instructions in ARM (LDM and STM). These are defined in the ARM ARM to ignore bits 0 and 1 of the address when the load takes place - that is, the base register for these operations is always treated as a 32-bit aligned value (although its value is only rounded internally). This differs from the LDR/STR operation which uses the full width of instructions.
In other words:

    MOV r0, #9
    LDMIA r0, {r1,r2}

is equivalent to loading r1 with the value at 8, and r2 with the value at 12. Contrast this with the following:

    MOV r0, #9
    LDR r1, [r0]
    LDR r2, [r0,#4]

which would load r1 with the value at 8, rotated right 8 bits, and r2 with the value at 12, rotated right 8 bits. I have not confirmed the behaviour of the LDR operation, but have found problems with the multiple register operations.

My solution would be to add the equivalent of a BIC instruction into the target-arm/translate.c to clear off the bottom two bits, around line 1695:

---8<---
            if (n != 1)
                gen_op_addl_T1_im(-((n - 1) * 4));
        }
    }
    j = 0;
    /* Insert something like gen_op_bicl_T1_im(3); here */
    for(i=0;i<16;i++) {
        if (insn & (1 << i)) {
            if (insn & (1 << 20)) {
---8<---

However, there isn't any such function and I'm unsure how to make that change. Any suggestions would be gratefully received.

-- 
Gerph ... Find answers on the street, in cracks beneath my feet.
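The two address behaviours the mail contrasts, modelled in plain C as an added example (this is not the author's code and not QEMU's translate.c): LDMIA masks bits 0 and 1 of the base before walking the register list, while the classic unaligned LDR loads the aligned word and rotates it. The memory image and the function names are constructed for illustration.

```c
#include <stdint.h>

/* Constructed 16-byte little-endian memory image (test data, not from the mail). */
static const uint8_t example_mem[16] = {
    0x00, 0x11, 0x22, 0x33,  0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xAA, 0xBB,  0xCC, 0xDD, 0xEE, 0xFF
};

/* Little-endian read of the aligned word that contains addr. */
static uint32_t word_at(const uint8_t *mem, uint32_t addr)
{
    uint32_t a = addr & ~3u;
    return (uint32_t)mem[a] | ((uint32_t)mem[a + 1] << 8) |
           ((uint32_t)mem[a + 2] << 16) | ((uint32_t)mem[a + 3] << 24);
}

/* LDMIA as the mail describes it: bits 0 and 1 of the base register are
 * ignored (the BIC the author asks for), so the k-th register in the list
 * gets the aligned word at (base & ~3) + 4*k, with no rotation. reglist is
 * the 16-bit register bitmap from the instruction. Returns the number of
 * registers loaded. */
int ldmia(const uint8_t *mem, uint32_t base, uint16_t reglist, uint32_t regs[16])
{
    uint32_t addr = base & ~3u;
    int n = 0;
    for (int i = 0; i < 16; i++) {
        if (reglist & (1u << i)) {
            regs[i] = word_at(mem, addr);
            addr += 4;
            n++;
        }
    }
    return n;
}

/* The unaligned LDR behaviour the mail contrasts with (classic ARM, no
 * alignment fault): load the aligned word, then rotate it right by
 * 8 * (addr & 3) bits. */
uint32_t ldr_rotated(const uint8_t *mem, uint32_t addr)
{
    uint32_t w = word_at(mem, addr);
    unsigned rot = 8u * (addr & 3u);
    return rot ? (w >> rot) | (w << (32 - rot)) : w;
}
```

With r0 = 9, ldmia returns the words at 8 and 12 unchanged, whereas ldr_rotated at 9 and 13 returns those same words rotated right by one byte.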