Ticket #225 (Fixed)
Mon Nov 30 18:25:02 UTC 2009
FP instruction emulated incorrectly in SVC mode
Reported by: Martin Wuerthner (146)
Severity: Normal
Part: RISC OS: Module
Release:
Milestone:
Status: Fixed
Details by Martin Wuerthner (146):
Starting with RISC OS 4.00, FPEmulator could emulate FP instructions in SVC mode, too, so it became valid to use FP instructions in module code. Unfortunately, FPEmulator gets one particular instruction class wrong leading to random FP value corruptions in module code making use of FP computations. This also affects code in CLib using these instructions (but again, only when being called from an SVC mode client).
The instruction in question is LDFD Fx,[r13],#imm – i.e., post-indexed loading via r13. Such instructions are used in compiled code to move FP parameter values passed in an ARM register pair to an FP register via the sequence stmfd r13!,{r1,r2} : ldfd f4,[r13],#8
Sometimes, this instruction loads a corrupted value into the FP register – maybe due to the increment happening too early and interrupt code using the SVC stack. On RISC OS 5, the corruption happens very frequently. On others it is less frequent, but the bug is present in all tested RISC OS variants (4.02-RedSquirrel, 4.39-VRPC, 4.42-A9home, 6.17-VRPC, 5.14-Iyonix). Pressing Shift makes the corruption more frequent.
This code effectively prevents the PS3 driver from working reliably.
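An added model, written for this page and not taken from the ticket, its attachment or FPEmulator, of the ordering the report suspects: an emulated post-indexed LDFD that writes back r13 before it reads the stacked words leaves those words below the stack pointer, where an interrupt handler that borrows the SVC stack can overwrite them. The stack address, the interrupt handler's pushed values and the word layout of the double are constructed for the model; the interrupt-on-SVC-stack mechanism is the reporter's hypothesis, not an established fact from the ticket.

```python
import struct

STACK_BASE = 0x1000  # constructed initial SVC r13 value for the model


class SvcModeModel:
    """Minimal model of the SVC stack and an emulated post-indexed LDFD."""

    def __init__(self):
        self.mem = {}          # word address -> 32-bit value
        self.r13 = STACK_BASE

    def stmfd(self, words):
        # STMFD r13!,{...}: full-descending push, lowest register at lowest address
        for w in reversed(words):
            self.r13 -= 4
            self.mem[self.r13] = w

    def ldmfd(self, count):
        words = [self.mem[self.r13 + 4 * i] for i in range(count)]
        self.r13 += 4 * count
        return words

    def interrupt(self):
        # Hypothetical handler that uses the SVC stack: pushes two scratch
        # registers (constructed values) and pops them again, net r13 unchanged.
        self.stmfd([0xDEADDEAD, 0xBEEFBEEF])
        self.ldmfd(2)

    def ldfd_post(self, imm, writeback_before_load, interrupt_between):
        """Emulate LDFD Fx,[r13],#imm; returns the double that was loaded."""
        base = self.r13
        if writeback_before_load:
            self.r13 += imm            # suspected bug: increment before the read
        if interrupt_between:
            self.interrupt()           # interrupt lands between writeback and read
        lo, hi = self.mem[base], self.mem[base + 4]
        if not writeback_before_load:
            self.r13 += imm            # correct order: read first, then increment
        # Word order here is the model's choice, not the FPA's memory layout.
        return struct.unpack('<d', struct.pack('<II', lo, hi))[0]


def load_fp_param(value, writeback_before_load, interrupt_between):
    """stmfd r13!,{r1,r2} : ldfd f4,[r13],#8 for one double, as in the report."""
    m = SvcModeModel()
    lo, hi = struct.unpack('<II', struct.pack('<d', value))
    m.stmfd([lo, hi])
    loaded = m.ldfd_post(8, writeback_before_load, interrupt_between)
    assert m.r13 == STACK_BASE     # stack is balanced in every ordering
    return loaded
```

Only the combination of early writeback and an interrupt in the window returns a value other than the one stored; either the correct ordering or an interrupt-free run reads the double back intact.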
Changelog:
Modified by Martin Wuerthner (146) Mon, November 30 2009 - 18:27:55 GMT
- Attachment added: FPE_bug2,ffb
BASIC assembler test program to demonstrate the bug. The code enters SVC mode, stores a value on the stack and reads it back via LDFD. If the value is different from what was stored, it prints an error message. This goes wrong reliably after a few thousand iterations.
Modified by Steve Revill (20) Tue, December 08 2009 - 16:35:01 GMT
- Status changed from Open to Fixed
Fixed in FPEmulator 4.28.