On Mon, Jul 2, 2012 at 2:29 PM, Vitaly Chipounov <vitaly.chipou...@epfl.ch> wrote:
> An instruction with address and segment size override triggers the bug.
> inc dword ptr gs:260h[ebx*4] gets incorrectly translated to:
> (uint32_t)(gs.base + ebx * 4 + 0x260)
> instead of
> gs.base + (uint32_t)(ebx * 4 + 0x260)
Do I understand it right that this fixes address calculation for 64-bit mode but breaks it for compatibility mode?

Quote from "Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 3", "3.4.4 Segment Loading Instructions in IA-32e Mode":

When in compatibility mode, FS and GS overrides operate as defined by 32-bit mode behavior regardless of the value loaded into the upper 32 linear-address bits of the hidden descriptor register base field. Compatibility mode ignores the upper 32 bits when calculating an effective address.

>
> Signed-off-by: Vitaly Chipounov <vitaly.chipou...@epfl.ch>
> ---
> target-i386/translate.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/target-i386/translate.c b/target-i386/translate.c
> index a902f4a..9ca7375 100644
> --- a/target-i386/translate.c
> +++ b/target-i386/translate.c
> @@ -459,10 +459,10 @@ static inline void gen_op_movl_A0_seg(int reg)
> static inline void gen_op_addl_A0_seg(int reg)
> {
> tcg_gen_ld_tl(cpu_tmp0, cpu_env, offsetof(CPUX86State, segs[reg].base));
> - tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
> #ifdef TARGET_X86_64
> tcg_gen_andi_tl(cpu_A0, cpu_A0, 0xffffffff);
> #endif
> + tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
> }
>
> #ifdef TARGET_X86_64
> --
> 1.7.4.1
>
>

--
Thanks.
-- Max
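Review bot: moving tcg_gen_add_tl() below the tcg_gen_andi_tl() changes which operand gets truncated, and the new order is only right for 64-bit code: the mask is now applied to the offset alone, so the sum `segs[reg].base + (uint32_t)offset` is never wrapped to 32 bits, whereas the SDM text quoted in the reply says compatibility mode ignores the upper 32 bits of the base and forms a 32-bit effective address, which the old add-then-mask order did give. Because the whole function sits under `#ifdef TARGET_X86_64` rather than under a runtime mode check, this regresses 32-bit guests on a 64-bit-capable CPU whenever base + offset crosses 4 GiB or the hidden base has upper bits set. Suggest keeping the original order for compatibility/legacy mode and using the offset-only truncation only when translating 64-bit code; since gen_op_addl_A0_seg() receives only `reg`, that needs the current code mode passed in (or a separate helper for the 64-bit case). The commit message should also say which mode the reported `inc dword ptr gs:260h[ebx*4]` was executing in, since the correct address depends on it.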
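To make the two orders of truncation concrete, here is an added example in C (not code from the QEMU patch or from either poster) that models the address formed for `inc dword ptr gs:260h[ebx*4]` under a 32-bit address-size override. The `cpu_mode` enum, the helper names and all base/offset values are constructed for illustration; the mode-dependent rule in `linear_addr()` follows the SDM text quoted in the reply (full base in 64-bit mode, 32-bit wrap of the sum in compatibility mode).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: two ways of combining a segment base with a 32-bit
 * effective offset, and the mode-dependent choice between them. */
enum cpu_mode { MODE_LONG64, MODE_COMPAT32 };

/* Effective offset of gs:disp[index*scale]; the 32-bit address-size
 * override means the index/scale/displacement arithmetic wraps at 32 bits. */
static uint32_t effective_offset32(uint32_t index, uint32_t scale, uint32_t disp)
{
    return (uint32_t)(index * scale + disp);
}

/* Order of the original translate.c: add the base, then truncate the sum.
 * Correct for compatibility/legacy mode, wrong for 64-bit mode. */
static uint64_t linear_addr_truncate_sum(uint64_t seg_base, uint32_t off)
{
    return (uint32_t)(seg_base + off);
}

/* Order introduced by the patch: truncate the offset, then add the base.
 * Correct for 64-bit mode, wrong for compatibility/legacy mode. */
static uint64_t linear_addr_truncate_offset(uint64_t seg_base, uint32_t off)
{
    return seg_base + (uint64_t)off;
}

/* Mode-dependent rule (assumed helper, not QEMU's): 64-bit code keeps the
 * full 64-bit base; compatibility mode ignores the upper 32 bits of the base
 * and yields a 32-bit linear address. */
static uint64_t linear_addr(enum cpu_mode mode, uint64_t seg_base, uint32_t off)
{
    if (mode == MODE_LONG64)
        return linear_addr_truncate_offset(seg_base, off);
    return linear_addr_truncate_sum(seg_base, off);
}

int main(void)
{
    /* Constructed inputs: a GS base with upper bits set (typical for a
     * 64-bit kernel per-CPU area) and ebx = 3 for gs:260h[ebx*4]. */
    uint64_t gs_base = 0xffff800000001000ULL;
    uint32_t off = effective_offset32(3, 4, 0x260);

    printf("offset            = 0x%x\n", off);
    printf("64-bit mode       = 0x%llx\n",
           (unsigned long long)linear_addr(MODE_LONG64, gs_base, off));
    printf("compatibility mode= 0x%llx\n",
           (unsigned long long)linear_addr(MODE_COMPAT32, gs_base, off));
    return 0;
}
```

The 64-bit result keeps the high half of the base (0xffff80000000126c), while the compatibility-mode result is the 32-bit wrap 0x126c; a patch that picks a single order for both modes gets one of the two wrong, which is the point of the question above.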