+ case CG3_REG_FBC_CURSTART ... CG3_REG_SIZE:
+ val = s->regs[addr - 0x10];
+ break;
+ default:
Something weird here, you can access regs[16] if addr == CG3_REG_SIZE.
The same happens in the write path.
Ping. I cannot fix it without access to the datasheet, though I suspect
you want CG3_REG_SIZE - 1.
Hi Paolo,
Sorry I didn't think you could access regs[16] since the MemoryRegion
size is set to CG3_REG_SIZE too (and so I hope should only handle
accesses from 0 to CG3_REG_SIZE - 1).
Anyway, I've quickly tried a Solaris 8 boot test replacing CG3_REG_SIZE
with CG3_REG_SIZE - 1 for the case statements in both the read and write
paths and everything still works, so happy for you to go ahead and fix it.