[Qemu-devel] ARM load/store multiple bug
From: Justin Fletcher
Subject: [Qemu-devel] ARM load/store multiple bug
Date: Sat, 9 Sep 2006 23:19:10 +0100 (BST)
Hiya,
I have found a bug in the implementation of the load/store multiple
instructions in ARM (LDM and STM). These are defined in the ARM ARM to
ignore bits 0 and 1 of the address when the load takes place - that is the
base register for these operations is always treated as a 32bit aligned
value (although its value is only rounded internally). This differs from
the LDR/STR operation which uses the full width of instructions.
In other words:
MOV r0, #9
LDMIA r0, {r1,r2}
is equivalent to loading r1 with the value at 8, and r2 with the value at
12. Contrast this with the following:
MOV r0, #9
LDR r1, [r0]
LDR r2, [r0,#4]
which would load r1 with the value at 8, rotated right 8 bits, and r2 with
the value at 12, rotated right 8 bits.
I have not confirmed the behaviour of the LDR operation, but have found
problems with the multiple register operations. My solution would be to
add the equivalent of a BIC instruction in to the target-arm/translate.c
to clear off the bottom two bits, around line 1695:
---8<---
            if (n != 1)
                gen_op_addl_T1_im(-((n - 1) * 4));
        }
    }
    j = 0;
    /* Insert something like gen_op_bicl_T1_im(3); here */
    for(i=0;i<16;i++) {
        if (insn & (1 << i)) {
            if (insn & (1 << 20)) {
---8<---
However, there isn't any such function and I'm unsure how to make that
change. Any suggestions would be gratefully received.
--
Gerph <http://gerph.org/>
... Find answers on the street, in cracks beneath my feet.
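The following is an added worked example, not code from the message above and not QEMU's translate.c. It is a small C model of the two behaviours the message contrasts under the pre-ARMv6 alignment model (alignment checking off): LDR from an address with bits [1:0] set fetches the aligned word and rotates it right by 8 * addr[1:0], while LDM/STM simply drop bits [1:0] of the base (the BIC #3 the message proposes) and load or store unrotated words at consecutive aligned addresses. The memory image, the register values and the function names arm_ldr, arm_ldmia and arm_stmia are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed little-endian memory image (not from the message): the word
 * at address 8 is 0xAABBCCDD and the word at address 12 is 0x11223344. */
static const uint8_t MEM[32] = {
    [8]  = 0xDD, 0xCC, 0xBB, 0xAA,
    [12] = 0x44, 0x33, 0x22, 0x11,
};

/* Raw little-endian word access at exactly the address given. Callers
 * present a word-aligned address, as the bus would see it. */
static uint32_t read_word_le(const uint8_t *mem, uint32_t a)
{
    return (uint32_t)mem[a] | ((uint32_t)mem[a + 1] << 8) |
           ((uint32_t)mem[a + 2] << 16) | ((uint32_t)mem[a + 3] << 24);
}

static void write_word_le(uint8_t *mem, uint32_t a, uint32_t v)
{
    mem[a] = v & 0xff;              mem[a + 1] = (v >> 8) & 0xff;
    mem[a + 2] = (v >> 16) & 0xff;  mem[a + 3] = (v >> 24) & 0xff;
}

/* Rotate right; the n == 0 case avoids the undefined 32-bit shift. */
static uint32_t ror32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (x >> n) | (x << (32 - n)) : x;
}

/* LDR Rd, [addr] with alignment checking off: the aligned word at
 * addr & ~3 is fetched and rotated right by 8 * addr[1:0], so the byte at
 * the requested address ends up in bits [7:0] of Rd. */
uint32_t arm_ldr(const uint8_t *mem, uint32_t addr)
{
    uint32_t word = read_word_le(mem, addr & ~3u);
    return ror32(word, 8 * (addr & 3));
}

/* LDMIA Rn, {reglist}: bits [1:0] of the base are ignored (the BIC #3 the
 * message asks for) and nothing is rotated; one word per set bit, lowest
 * register first, at consecutive ascending addresses. Returns the count. */
int arm_ldmia(const uint8_t *mem, uint32_t base, uint16_t reglist,
              uint32_t regs[16])
{
    uint32_t addr = base & ~3u;
    int n = 0;
    for (int i = 0; i < 16; i++) {
        if (reglist & (1u << i)) {
            regs[i] = read_word_le(mem, addr);
            addr += 4;
            n++;
        }
    }
    return n;
}

/* STMIA Rn, {reglist}: the same base-alignment rule as LDMIA. */
int arm_stmia(uint8_t *mem, uint32_t base, uint16_t reglist,
              const uint32_t regs[16])
{
    uint32_t addr = base & ~3u;
    int n = 0;
    for (int i = 0; i < 16; i++) {
        if (reglist & (1u << i)) {
            write_word_le(mem, addr, regs[i]);
            addr += 4;
            n++;
        }
    }
    return n;
}

int main(void)
{
    uint32_t regs[16] = {0};
    uint32_t r0 = 9;                            /* MOV r0, #9 */

    arm_ldmia(MEM, r0, (1u << 1) | (1u << 2), regs);   /* LDMIA r0, {r1,r2} */
    printf("LDMIA r0,{r1,r2}: r1=%08x r2=%08x\n", regs[1], regs[2]);

    printf("LDR  r1,[r0]    : %08x\n", arm_ldr(MEM, r0));      /* LDR r1, [r0]    */
    printf("LDR  r2,[r0,#4] : %08x\n", arm_ldr(MEM, r0 + 4));  /* LDR r2, [r0,#4] */

    /* STMIA r0, {r1,r2} on a writable copy: both words land on 8 and 12. */
    uint8_t ram[32];
    memcpy(ram, MEM, sizeof ram);
    uint32_t src[16] = {0};
    src[1] = 0x01020304; src[2] = 0x05060708;
    arm_stmia(ram, r0, (1u << 1) | (1u << 2), src);
    printf("STMIA r0,{r1,r2}: [8]=%08x [12]=%08x\n",
           read_word_le(ram, 8), read_word_le(ram, 12));
    return 0;
}
```

With r0 = 9 the LDMIA path returns the words at 8 and 12 untouched, whereas the two LDRs return the same words rotated right by 8 bits (0xDDAABBCC and 0x44112233), which is exactly the difference the message describes; an emulator that forgets the base masking on LDM/STM would instead start the multiple transfer at 9.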