Re: [Qemu-devel] [PATCHv3 1/2] sun4m: Add Sun CG3 framebuffer and corres

From: Mark Cave-Ayland
Subject: Re: [Qemu-devel] [PATCHv3 1/2] sun4m: Add Sun CG3 framebuffer and corresponding OpenBIOS FCode ROM
Date: Thu, 08 May 2014 15:44:44 +0100
On 07/05/14 20:56, Paolo Bonzini wrote:

On 05/03/2014 11:05, Paolo Bonzini wrote:
On 19/02/2014 10:05, Mark Cave-Ayland wrote:
+#define CG3_REG_SIZE            0x20
+#define CG3_REG_FBC_CTRL        0x10
+#define CG3_REG_FBC_STATUS      0x11
+#define CG3_REG_FBC_CURSTART    0x12
+#define CG3_REG_FBC_CUREND      0x13
+#define CG3_REG_FBC_VCTRL       0x14
+typedef struct CG3State {

+    uint8_t regs[16];


+        val = s->regs[addr - 0x10];
+        break;
+    default:
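Review bot: Off-by-one in the case range that reaches `val = s->regs[addr - 0x10];`: `regs` is declared as `uint8_t regs[16]` (valid indices 0..15), so an inclusive upper bound of CG3_REG_SIZE (0x20) maps addr == CG3_REG_SIZE to regs[16], one past the end, and a write path built the same way overflows in the same spot. Use CG3_REG_SIZE - 1 as the upper bound in both paths, or derive the bound from the register-file size rather than the region size, so the indices the handler can reach always match the array even if the MemoryRegion size is changed later.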

Something weird here, you can access regs[16] if addr == CG3_REG_SIZE.

The same happens in the write path.

Ping.  I cannot fix it without access to the datasheet, though I suspect
you want CG3_REG_SIZE - 1.

Hi Paolo,

Sorry, I didn't think you could access regs[16], since the MemoryRegion size is set to CG3_REG_SIZE too (and so I hope should only handle accesses from 0 to CG3_REG_SIZE - 1).

Anyway, I've quickly tried a Solaris 8 boot test replacing CG3_REG_SIZE with CG3_REG_SIZE - 1 for the case statements in both the read and write paths and everything still works, so happy for you to go ahead and fix it.
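The fix agreed in the thread, as an added C example that is not part of the patch or of QEMU: a reduced model of the CG3 read and write paths with the upper bound corrected to CG3_REG_SIZE - 1, plus a helper showing why an inclusive bound of CG3_REG_SIZE reaches regs[16]. The case-range shape is assumed from Paolo's description; CG3StateModel, CG3_NUM_REGS, cg3_index_in_bounds, cg3_read_fixed, cg3_write_fixed and cg3_sample_state are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#define CG3_REG_SIZE            0x20
#define CG3_REG_FBC_CTRL        0x10
#define CG3_REG_FBC_VCTRL       0x14
#define CG3_NUM_REGS            16

/* Hypothetical stand-in for QEMU's CG3State: just the 16-entry register file. */
typedef struct CG3StateModel {
    uint8_t regs[CG3_NUM_REGS];
} CG3StateModel;

/* True if a case arm covering CG3_REG_FBC_CTRL..range_end (inclusive) keeps
 * regs[addr - CG3_REG_FBC_CTRL] in bounds; with range_end == CG3_REG_SIZE,
 * addr 0x20 maps to index 16 and this returns false (the bug in the thread). */
bool cg3_index_in_bounds(uint64_t addr, uint64_t range_end)
{
    if (addr < CG3_REG_FBC_CTRL || addr > range_end) {
        return true;                    /* falls through to default */
    }
    return (addr - CG3_REG_FBC_CTRL) < CG3_NUM_REGS;
}

/* Read path with the corrected upper bound (GCC case-range syntax, as in QEMU). */
uint8_t cg3_read_fixed(const CG3StateModel *s, uint64_t addr)
{
    switch (addr) {
    case CG3_REG_FBC_CTRL ... CG3_REG_SIZE - 1:
        return s->regs[addr - CG3_REG_FBC_CTRL];   /* index 0..15 only */
    default:
        return 0;                                   /* unhandled: reads as zero */
    }
}

/* Write path with the same bound; returns whether the byte was stored. */
bool cg3_write_fixed(CG3StateModel *s, uint64_t addr, uint8_t val)
{
    switch (addr) {
    case CG3_REG_FBC_CTRL ... CG3_REG_SIZE - 1:
        s->regs[addr - CG3_REG_FBC_CTRL] = val;
        return true;
    default:
        return false;                               /* out of range: ignored */
    }
}

/* Constructed sample state with VCTRL preloaded to 0xAB. */
CG3StateModel *cg3_sample_state(void)
{
    static CG3StateModel s = { .regs = { [CG3_REG_FBC_VCTRL - CG3_REG_FBC_CTRL] = 0xAB } };
    return &s;
}
```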
