From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: Philippe Mathieu-Daudé, Aleksandar Rikalo, Jiaxun Yang, Richard Henderson, Aurelien Jarno, Craig Janeczek
Subject: [PATCH] target/mips/mxu: Rewrite D16MIN / D16MAX opcodes
Date: Mon, 15 Mar 2021 23:37:45 +0100
Message-Id: <20210315223745.2953548-1-f4bug@amsat.org>

Coverity reported (CID 1450831) an array overrun in
gen_mxu_D16MAX_D16MIN():

  1103     } else if (unlikely((XRb == 0) || (XRa == 0))) {
  ....
  1112         if (opc == OPC_MXU_D16MAX) {
  1113             tcg_gen_smax_i32(mxu_gpr[XRa - 1], t0, t1);
  1114         } else {
  1115             tcg_gen_smin_i32(mxu_gpr[XRa - 1], t0, t1);
  1116         }

  >>> Overrunning array "mxu_gpr" of 15 8-byte elements at element
      index 4294967295 (byte offset 34359738367) using index "XRa - 1U"
      (which evaluates to 4294967295).

Because we check if 'XRa == 0' then access 'XRa - 1' in array.

I figured it could be easier to rewrite this function to something
simpler rather than trying to understand it.

Cc: Craig Janeczek
Fixes: bb84cbf3850 ("target/mips: MXU: Add handlers for max/min instructions")
Signed-off-by: Philippe Mathieu-Daudé
---
 target/mips/mxu_translate.c | 116 ++++++++++++------------------------
 1 file changed, 38 insertions(+), 78 deletions(-)

diff --git a/target/mips/mxu_translate.c b/target/mips/mxu_translate.c index afc008eeeef..8673a0139d4 100644 --- a/target/mips/mxu_translate.c +++ b/target/mips/mxu_translate.c 
@@ -1086,89 +1086,49 @@ static void gen_mxu_S32MAX_S32MIN(DisasContext *ctx) static void gen_mxu_D16MAX_D16MIN(DisasContext *ctx) { uint32_t pad, opc, XRc, XRb, XRa; + TCGv_i32 b, c, bs, cs; + TCGCond cond; =20 pad =3D extract32(ctx->opcode, 21, 5); - opc =3D extract32(ctx->opcode, 18, 3); - XRc =3D extract32(ctx->opcode, 14, 4); - XRb =3D extract32(ctx->opcode, 10, 4); - XRa =3D extract32(ctx->opcode, 6, 4); - if (unlikely(pad !=3D 0)) { /* opcode padding incorrect -> do nothing */ - } else if (unlikely(XRc =3D=3D 0)) { - /* destination is zero register -> do nothing */ - } else if (unlikely((XRb =3D=3D 0) && (XRa =3D=3D 0))) { - /* both operands zero registers -> just set destination to zero */ - tcg_gen_movi_i32(mxu_gpr[XRc - 1], 0); - } else if (unlikely((XRb =3D=3D 0) || (XRa =3D=3D 0))) { - /* exactly one operand is zero register - find which one is not...= */ - uint32_t XRx =3D XRb ? XRb : XRc; - /* ...and do half-word-wise max/min with one operand 0 */ - TCGv_i32 t0 =3D tcg_temp_new(); - TCGv_i32 t1 =3D tcg_const_i32(0); - - /* the left half-word first */ - tcg_gen_andi_i32(t0, mxu_gpr[XRx - 1], 0xFFFF0000); - if (opc =3D=3D OPC_MXU_D16MAX) { - tcg_gen_smax_i32(mxu_gpr[XRa - 1], t0, t1); - } else { - tcg_gen_smin_i32(mxu_gpr[XRa - 1], t0, t1); - } - - /* the right half-word */ - tcg_gen_andi_i32(t0, mxu_gpr[XRx - 1], 0x0000FFFF); - /* move half-words to the leftmost position */ - tcg_gen_shli_i32(t0, t0, 16); - /* t0 will be max/min of t0 and t1 */ - if (opc =3D=3D OPC_MXU_D16MAX) { - tcg_gen_smax_i32(t0, t0, t1); - } else { - tcg_gen_smin_i32(t0, t0, t1); - } - /* return resulting half-words to its original position */ - tcg_gen_shri_i32(t0, t0, 16); - /* finally update the destination */ - tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0); - - tcg_temp_free(t1); - tcg_temp_free(t0); - } else if (unlikely(XRb =3D=3D XRc)) { - /* both operands same -> just set destination to one of them */ - tcg_gen_mov_i32(mxu_gpr[XRa - 1], mxu_gpr[XRb - 1]); - } else 
{ - /* the most general case */ - TCGv_i32 t0 =3D tcg_temp_new(); - TCGv_i32 t1 =3D tcg_temp_new(); - - /* the left half-word first */ - tcg_gen_andi_i32(t0, mxu_gpr[XRb - 1], 0xFFFF0000); - tcg_gen_andi_i32(t1, mxu_gpr[XRc - 1], 0xFFFF0000); - if (opc =3D=3D OPC_MXU_D16MAX) { - tcg_gen_smax_i32(mxu_gpr[XRa - 1], t0, t1); - } else { - tcg_gen_smin_i32(mxu_gpr[XRa - 1], t0, t1); - } - - /* the right half-word */ - tcg_gen_andi_i32(t0, mxu_gpr[XRb - 1], 0x0000FFFF); - tcg_gen_andi_i32(t1, mxu_gpr[XRc - 1], 0x0000FFFF); - /* move half-words to the leftmost position */ - tcg_gen_shli_i32(t0, t0, 16); - tcg_gen_shli_i32(t1, t1, 16); - /* t0 will be max/min of t0 and t1 */ - if (opc =3D=3D OPC_MXU_D16MAX) { - tcg_gen_smax_i32(t0, t0, t1); - } else { - tcg_gen_smin_i32(t0, t0, t1); - } - /* return resulting half-words to its original position */ - tcg_gen_shri_i32(t0, t0, 16); - /* finally update the destination */ - tcg_gen_or_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], t0); - - tcg_temp_free(t1); - tcg_temp_free(t0); + return; } + + XRa =3D extract32(ctx->opcode, 6, 4); + if (unlikely(XRa =3D=3D 0)) { + /* destination is zero register -> do nothing */ + return; + } + b =3D tcg_temp_new(); + c =3D tcg_temp_new(); + bs =3D tcg_temp_new(); + cs =3D tcg_temp_new(); + + opc =3D extract32(ctx->opcode, 18, 3); + cond =3D (opc =3D=3D OPC_MXU_D16MAX) ? TCG_COND_GT : TCG_COND_LE; + + XRb =3D extract32(ctx->opcode, 10, 4); + XRc =3D extract32(ctx->opcode, 14, 4); + gen_load_mxu_gpr(b, XRb); + gen_load_mxu_gpr(c, XRc); + + /* short0 */ + tcg_gen_sextract_i32(bs, b, 0, 16); + tcg_gen_sextract_i32(cs, c, 0, 16); + tcg_gen_movcond_i32(cond, mxu_gpr[XRa - 1], bs, cs, bs, cs); + + /* short1 */ + tcg_gen_sextract_i32(bs, b, 16, 16); + tcg_gen_sextract_i32(cs, c, 16, 16); + tcg_gen_movcond_i32(cond, b, bs, cs, bs, cs); + + tcg_gen_deposit_i32(mxu_gpr[XRa - 1], mxu_gpr[XRa - 1], b, 16, 16); + + tcg_temp_free(cs); + tcg_temp_free(bs); + tcg_temp_free(c); + tcg_temp_free(b); } =20 /* --=20 2.26.2
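
Review bot: The temporaries b, c, bs and cs in the rewritten gen_mxu_D16MAX_D16MIN() are declared TCGv_i32 but allocated with tcg_temp_new() and released with tcg_temp_free(), which are the target-long-width helpers, so the types only line up when the target long is 32 bits. Either declare them TCGv or switch to tcg_temp_new_i32() / tcg_temp_free_i32() so they match the _i32 ops applied to them. On the overrun itself: every mxu_gpr[XRa - 1] access now sits behind the early return on 'XRa == 0', which closes the reported index, but the two source reads have moved into gen_load_mxu_gpr(b, XRb) and gen_load_mxu_gpr(c, XRc), whose handling of register 0 is not visible in this hunk; one sentence in the commit message stating that the helper covers the zero register would make the fix checkable from the patch alone. The removed code already used tcg_gen_smax_i32() / tcg_gen_smin_i32(); applying those to the sign-extracted halves would avoid the asymmetric TCG_COND_GT / TCG_COND_LE pair passed to tcg_gen_movcond_i32(). Since the commit message says the old logic was replaced rather than understood, a small test covering XRb or XRc equal to 0 and XRa equal to one of the sources would help confirm the new behaviour.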