From 01eec9340162a1c8382141cc0fe725b23b31f84a Mon Sep 17 00:00:00 2001
From: Vitaly Chipounov <vitaly@cyberhaven.io>
Date: Wed, 22 May 2019 22:49:44 +0200
Subject: [PATCH] i386: fixed incorrect wrapping in an mmx helper

Signed-off-by: Vitaly Chipounov <vitaly@cyberhaven.io>
---
 src/target-i386/cpu.h     | 14 +++++++-------
 src/target-i386/ops_sse.h |  9 +++++++--
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/target-i386/cpu.h b/src/target-i386/cpu.h
index cfc85e0..5a4e5a9 100644
--- a/src/target-i386/cpu.h
+++ b/src/target-i386/cpu.h
@@ -64,7 +64,7 @@
 #if defined(CONFIG_SYMBEX) && !defined(SYMBEX_LLVM_LIB)
 
 /* uncomment this to compile assertions in */
-/* #define DO_SANITY_CHECK */
+// #define DO_SANITY_CHECK
 
 #ifdef DO_SANITY_CHECK
 #define CHECK_ASSERT(x) assert(x)
@@ -154,9 +154,9 @@ static inline void __WR_env_large(CPUArchState *cpuState, unsigned offset, void
 }
 
 static inline uint64_t __RR_env_dyn(void *p, unsigned size) {
-    int off = (char *) p - (char *) env;
-    CHECK_ASSERT(size <= sizeof(uint64_t) && off >= 0 && (off + size) <= offsetof(CPUArchState, eip) &&
-                 "unexpected calling context");
+    int off = (uintptr_t) p - (uintptr_t) env;
+    CHECK_ASSERT(size <= sizeof(uint64_t) && ((uintptr_t) p >= (uintptr_t) env) && off >= 0 &&
+                 (off + size) <= offsetof(CPUArchState, eip) && "unexpected calling context");
 
     if (size <= sizeof(target_ulong)) {
         return __RR_env_raw(env, off, size);
@@ -167,9 +167,9 @@ static inline uint64_t __RR_env_dyn(void *p, unsigned size) {
 }
 
 static inline uint64_t __WR_env_dyn(void *p, unsigned size, uint64_t v) {
-    int off = (char *) p - (char *) env;
-    CHECK_ASSERT(size <= sizeof(uint64_t) && off >= 0 && (off + size) <= offsetof(CPUArchState, eip) &&
-                 "unexpected calling context");
+    int off = (uintptr_t) p - (uintptr_t) env;
+    CHECK_ASSERT(size <= sizeof(uint64_t) && ((uintptr_t) p >= (uintptr_t) env) && off >= 0 &&
+                 (off + size) <= offsetof(CPUArchState, eip) && "unexpected calling context");
 
     if (size <= sizeof(target_ulong)) {
         __WR_env_raw(env, off, v, size);
diff --git a/src/target-i386/ops_sse.h b/src/target-i386/ops_sse.h
index 5325943..087015b 100644
--- a/src/target-i386/ops_sse.h
+++ b/src/target-i386/ops_sse.h
@@ -390,8 +390,13 @@ void glue(helper_pmaddwd, SUFFIX)(Reg *d, Reg *s) {
     int i;
 
     for (i = 0; i < (2 << SHIFT); i++) {
-        W_D(d, L(i), (int16_t) R_S(s, W(2 * i)) *
-                         (int16_t) R_D(d, W(2 * i) + (int16_t) R_S(s, W(2 * i + 1)) * (int16_t) R_D(d, W(2 * i + 1))));
+        int16_t v1 = (int16_t) R_S(s, W(2 * i));
+        int16_t v2 = (int16_t) R_D(d, W(2 * i));
+
+        int16_t v11 = (int16_t) R_S(s, W(2 * i + 1));
+        int16_t v12 = (int16_t) R_D(d, W(2 * i + 1));
+
+        W_D(d, L(i), v1 * v2 + v11 * v12);
     }
 }