From: John Paul Adrian Glaubitz
Date: Wed, 3 Feb 2016 10:36:59 +0100
Message-Id: <1454492221-30625-1-git-send-email-glaubitz@physik.fu-berlin.de>
Subject: [Qemu-devel] m68k: More bug fixes for translation code
To: qemu-devel@nongnu.org
Cc: laurent@vivier.eu

Hi Laurent!

As promised, here are the fixes for the two recently discovered bugs in the m68k translation code.

The first patch fixes the opcode mask for the fbcc instruction, which is currently incorrect as it masks the 6th bit as constant (0xffc0). However, according to the ColdFire reference manual, this bit is used to determine the size of the displacement for the jump, either 16 or 32 bits:

> http://www.nxp.com/files/dsp/doc/ref_manual/CFPRM.pdf (p. 229)

Looking at DISAS_INSN(fbcc), the emulated instruction actually tests for the 6th bit and sets the offset accordingly. However, since the current opcode mask ignores this bit, long jumps can never work. In fact, what we actually see is an illegal instruction: 0xf2e0. Changing the opcode mask to 0xff80 makes the 6th bit variable and allows long jumps to work as expected.

The second patch addresses a problem with the thread safety of register_m68k_insns(). It turns out that the opcode table is rebuilt for every thread that is started, which means that in a multithreaded environment, one thread can destroy the opcode table of a concurrent thread, which makes this thread crash with an illegal instruction. This patch changes register_m68k_insns() such that it returns without doing anything in case the opcode table has already been built and re-registering the instructions is therefore not necessary but rather harmful.

Credits go to Michael Karcher for helping to debug these issues!

Cheers,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
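The opcode-mask point from the first patch, as an added example that is not part of this mail or of QEMU's translator: a minimal (opcode, mask) decode table shows why 0xf2e0 is rejected as illegal with mask 0xffc0 but decodes as fbcc with a 32-bit displacement once the mask is 0xff80. The table and the base opcode 0xf280 are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* (name, opcode, mask) decode table in the style of a table-driven
 * translator; constructed for this example, not QEMU's own table. */
typedef struct {
    const char *name;
    uint16_t opcode;
    uint16_t mask;
} insn_entry;

/* An entry matches when every bit fixed by the mask equals the opcode. */
static int insn_matches(const insn_entry *e, uint16_t insn)
{
    return (insn & e->mask) == e->opcode;
}

/* Look up an instruction word; unmatched words are illegal instructions. */
static const char *decode(const insn_entry *table, size_t n, uint16_t insn)
{
    for (size_t i = 0; i < n; i++) {
        if (insn_matches(&table[i], insn)) {
            return table[i].name;
        }
    }
    return "illegal";
}

/* fbcc selects its displacement size with bit 6 of the opcode word:
 * clear -> 16-bit displacement, set -> 32-bit displacement. */
static int fbcc_disp_bits(uint16_t insn)
{
    return (insn & (1 << 6)) ? 32 : 16;
}

/* Before the fix bit 6 is fixed by mask 0xffc0; after it, 0xff80 leaves
 * bit 6 variable. 0xf280 as the fbcc base opcode is an assumption here. */
static const insn_entry old_table[] = { { "fbcc", 0xf280, 0xffc0 } };
static const insn_entry new_table[] = { { "fbcc", 0xf280, 0xff80 } };

const char *decode_old(uint16_t insn) { return decode(old_table, 1, insn); }
const char *decode_new(uint16_t insn) { return decode(new_table, 1, insn); }

int main(void)
{
    uint16_t insn = 0xf2e0; /* fbcc with a 32-bit (long) displacement */
    printf("0xf2e0: old mask -> %s, new mask -> %s (%d-bit displacement)\n",
           decode_old(insn), decode_new(insn), fbcc_disp_bits(insn));
    return 0;
}
```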