diff --git a/qemu/cputlb.c b/qemu/cputlb.c
index 87f14f75..fd0bb806 100644
--- a/qemu/cputlb.c
+++ b/qemu/cputlb.c
@@ -295,6 +295,11 @@ tb_page_addr_t get_page_addr_code(CPUArchState *env1, target_ulong addr)
 
     page_index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
     mmu_idx = cpu_mmu_index(env1);
+
+    if ((mmu_idx < 0) || (mmu_idx >= NB_MMU_MODES)) {
+        return -1;
+    }
+
     if (unlikely(env1->tlb_table[mmu_idx][page_index].addr_code !=
                  (addr & TARGET_PAGE_MASK))) {
         cpu_ldub_code(env1, addr);
diff --git a/qemu/target-i386/ops_sse.h b/qemu/target-i386/ops_sse.h
index e5fa7c7f..f142f335 100644
--- a/qemu/target-i386/ops_sse.h
+++ b/qemu/target-i386/ops_sse.h
@@ -1941,7 +1941,7 @@ SSE_HELPER_Q(helper_pcmpgtq, FCMPGTQ)
 
 static inline int pcmp_elen(CPUX86State *env, int reg, uint32_t ctrl)
 {
-    int val;
+    unsigned int val;
 
     /* Presence of REX.W is indicated by a bit higher than 7 set */
     if (ctrl >> 8) {
@@ -1959,6 +1959,9 @@ static inline int pcmp_elen(CPUX86State *env, int reg, uint32_t ctrl)
             return 16;
         }
     }
+    if (val == 0x80000000) {
+        val = 0;
+    }
     return val;
 }
 
diff --git a/qemu/tcg/optimize.c b/qemu/tcg/optimize.c
index d525f15b..fcf7a90a 100644
--- a/qemu/tcg/optimize.c
+++ b/qemu/tcg/optimize.c
@@ -1370,6 +1370,9 @@ static TCGArg *tcg_constant_folding(TCGContext *s, uint16_t *tcg_opc_ptr,
     } else {
     do_reset_output:
         for (i = 0; i < nb_oargs; i++) {
+            if (args[i] < 0 || args[i] >= TCG_MAX_TEMPS) {
+                continue;
+            }
             reset_temp(s, args[i]);
             /* Save the corresponding known-zero bits mask for the first
                output argument (only one supported so far). */
diff --git a/qemu/tcg/tcg.c b/qemu/tcg/tcg.c
index 93a327e8..b438b7e2 100644
--- a/qemu/tcg/tcg.c
+++ b/qemu/tcg/tcg.c
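Review bot: The new guard returns `-1` from a function whose declared return type is `tb_page_addr_t` (see the `@@` header line), so if that type is unsigned — as it normally is in this code base, confirm in the typedef — callers receive an all-ones page address rather than a value they will recognise as an error, and nothing in the hunk shows any call site checking for it. The bounds check itself is a sound defensive measure for the `tlb_table[mmu_idx]` index used on the next line, but the sentinel deserves a comment, e.g. `/* Out-of-range MMU index: return an all-ones sentinel; callers must check it before using the result as a page address. */`, and the callers of get_page_addr_code should be audited to make sure the sentinel cannot be used to index page-table structures. The declaration of `mmu_idx` and the rest of get_page_addr_code lie outside this hunk.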
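Review bot: The special case added in the second hunk of this file, `if (val == 0x80000000) { val = 0; }`, uses an unexplained magic constant and, now that `val` is `unsigned int`, looks unreachable: 0x80000000 exceeds both 8 and 16, so the saturating checks that precede it (mostly between the two hunks, ending in the visible `return 16;`) should already have returned before that comparison runs — worth confirming against the lines not shown here. If the intent is to cope with the absolute value of the most-negative register value, whose negation overflows, the robust fix is to compute the absolute value in a wider or unsigned type before storing it in `val`, rather than patching one bit pattern after the fact; either way a comment such as `/* 0x80000000 is the wrapped result of negating the most-negative 32-bit value; decide what length that should map to. */` should record which case is meant and why 0 (rather than the saturated 8/16) is the chosen result. pcmp_elen's middle — the abs1 assignments and the 8/16 saturation — is not visible in either hunk.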
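Review bot: In the added range check `args[i] < 0 || args[i] >= TCG_MAX_TEMPS`, the `< 0` half is dead if `TCGArg` is an unsigned type (it is typically a `uintptr_t` typedef in this code base; confirm in tcg.h), so only the upper bound is effective and `-Wtype-limits` will warn about it. More importantly, silently `continue`-ing past a corrupt temp index leaves that output's temp state un-reset and hides an IR-corruption bug; a `tcg_abort()` or at least an assertion, plus a comment such as `/* Defensive: an output index outside the temp array means corrupted IR; never index reset_temp() out of bounds. */`, would make the intent explicit and the failure observable. The same guard appears in the tcg.c hunk (tcg_liveness_analysis), where skipping the index additionally alters the liveness decision. tcg_constant_folding begins and ends outside this hunk.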
@@ -1719,6 +1719,9 @@ static void tcg_liveness_analysis(TCGContext *s)
                    implies side effects */
                 if (!(def->flags & TCG_OPF_SIDE_EFFECTS) && nb_oargs != 0) {
                     for(i = 0; i < nb_oargs; i++) {
+                        if (args[i] < 0 || args[i] >= TCG_MAX_TEMPS) {
+                            continue;
+                        }
                         arg = args[i];
                         if (!dead_temps[arg] || mem_temps[arg]) {
                             goto do_not_remove;
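Review bot: In the liveness loop, `continue` on an out-of-range output index skips the `dead_temps`/`mem_temps` test for that output, so an op whose only output index is out of range never reaches `goto do_not_remove` and presumably falls through to the removal path after the loop, being dropped silently — whereas the equivalent guard in the optimize.c hunk merely skips a reset, so the two guards have different effects and that asymmetry should be either intended and documented or made uniform, e.g. `goto do_not_remove;` in place of `continue;` so a suspicious op is kept rather than deleted. The `< 0` half of the comparison is dead if `TCGArg` is unsigned, as noted for the optimize.c hunk. tcg_liveness_analysis begins and ends outside this hunk, and the removal path after the loop is not visible here.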