Subject: port-pmax/2731: Patch for uninitialized var in MachEmulateBranch that caused panic
To: None <gnats-bugs@NetBSD.ORG>
From: None <benco@pendor.mckusick.com>
List: netbsd-bugs
Date: 09/03/1996 17:34:08
>Number:         2731
>Category:       port-pmax
>Synopsis:       Patch for uninitialized var in MachEmulateBranch that caused panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Sep  3 21:05:05 1996
>Last-Modified:
>Originator:     Ben Cottrell
>Organization:
Marshall Kirk McKusick Consultancy
>Release:        1.2_BETA
>Environment:
System: NetBSD pendor.mckusick.com 1.2_BETA NetBSD 1.2_BETA (PENDOR) #1: Tue Sep 3 14:06:24 PDT 1996 benco@pendor.mckusick.com:/usr/src/netbsd/sys/arch/pmax/compile/PENDOR pmax


>Description:
In /sys/arch/pmax/pmax/trap.c, the MachEmulateBranch() function panics if the
instruction that caused the exception turns out not to be a branch. The load of
that instruction into inst.word, however, sits inside an #ifdef notyet block, so
unless the "notyet" macro is defined (it is not on my system) the opcode is
checked before it has ever been loaded.
>How-To-Repeat:
I was able to consistently reproduce the bug using POVray, although I had
occasionally seen it when running one of my own programs as well. The
POVray input file I used for testing is under copyright, though, so if it's
necessary I'll ask the author for permission to send it.
>Fix:
The fix is to eliminate the dependency on the "notyet" macro by moving the
#endif two lines up, so that inst.word is assigned a value before it is
checked in the immediately following switch.

Note that inst is a union, so that assigning a value to inst.word actually does
make the access to inst.JType valid.
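To make the ordering concrete, here is an added illustration of the decode path that MachEmulateBranch() performs; it is not NetBSD's trap.c and the union, function and register names are my own. It assumes the GCC/Clang bitfield layout on a little-endian host (first bitfield in the low-order bits), which matches the pmax InstFmt union and is what makes inst.JType.op alias the top six bits of inst.word once inst.word has been assigned. A non-branch word yields a sentinel rather than a panic.

```c
/*
 * Added illustration (not NetBSD's trap.c): the decode path that
 * MachEmulateBranch() performs, written so that inst.word is assigned
 * before any opcode field is read, and with an error sentinel in place
 * of panic() for a non-branch instruction.
 *
 * Assumption: GCC/Clang bitfield layout on a little-endian host, where
 * the first bitfield lands in the low-order bits. That matches the
 * pmax (little-endian MIPS) InstFmt layout that makes inst.JType.op
 * alias the top six bits of inst.word.
 */
#include <stdint.h>
#include <stdio.h>

/* MIPS primary opcodes (architectural values). */
enum {
    OP_BCOND = 0x01,   /* REGIMM group: BLTZ/BGEZ/BLTZAL/BGEZAL selected by rt */
    OP_J     = 0x02,
    OP_JAL   = 0x03,
    OP_BEQ   = 0x04,
    OP_BNE   = 0x05,
    OP_BLEZ  = 0x06,
    OP_BGTZ  = 0x07
};

/* Same shape as the kernel's InstFmt union: one 32-bit word viewed
 * through the I-type and J-type field layouts. */
typedef union {
    uint32_t word;
    struct { uint32_t imm:16, rt:5, rs:5, op:6; } IType;
    struct { uint32_t target:26, op:6; } JType;
} InstFmt;

/* Returned instead of panicking when the word is not a branch or jump. */
#define NOT_A_BRANCH 0xFFFFFFFFu

/* PC-relative target: pc + 4 + sign-extended(imm) * 4.
 * The casts sign-extend the 16-bit field before the shift. */
static uint32_t pc_relative(uint32_t pc, InstFmt inst)
{
    uint32_t off = (uint32_t)(int32_t)(int16_t)inst.IType.imm << 2;
    return pc + 4 + off;
}

/*
 * Compute where control goes after the branch/jump at `pc` whose
 * encoding is `word`, given the current values of registers rs and rt.
 * A not-taken branch continues after the delay slot, at pc + 8.
 */
uint32_t branch_dest(uint32_t pc, uint32_t word, int32_t rs, int32_t rt)
{
    InstFmt inst;
    uint32_t not_taken = pc + 8;

    inst.word = word;          /* load first; every field below aliases this */

    switch (inst.JType.op) {
    case OP_BCOND:
        switch (inst.IType.rt) {
        case 0:  case 16:      /* BLTZ, BLTZAL */
            return rs < 0 ? pc_relative(pc, inst) : not_taken;
        case 1:  case 17:      /* BGEZ, BGEZAL */
            return rs >= 0 ? pc_relative(pc, inst) : not_taken;
        default:
            return NOT_A_BRANCH;
        }
    case OP_J:
    case OP_JAL:               /* region-absolute: top 4 bits of pc+4, target<<2 */
        return ((pc + 4) & 0xF0000000u) | (inst.JType.target << 2);
    case OP_BEQ:
        return rs == rt ? pc_relative(pc, inst) : not_taken;
    case OP_BNE:
        return rs != rt ? pc_relative(pc, inst) : not_taken;
    case OP_BLEZ:
        return rs <= 0 ? pc_relative(pc, inst) : not_taken;
    case OP_BGTZ:
        return rs > 0 ? pc_relative(pc, inst) : not_taken;
    default:
        return NOT_A_BRANCH;   /* the kernel panics here if inst was never loaded */
    }
}

int main(void)
{
    /* Constructed encodings: beq $2,$3,+5 ; bne $2,$3,-1 ; addiu $2,$2,1 */
    uint32_t samples[] = { 0x10430005u, 0x1443FFFFu, 0x24420001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t d = branch_dest(0x1000u, samples[i], 7, 7);
        if (d == NOT_A_BRANCH)
            printf("%08x: not a branch\n", samples[i]);
        else
            printf("%08x: next pc %08x\n", samples[i], d);
    }
    return 0;
}
```

The point of the union is visible in branch_dest(): nothing is read through IType or JType until the single assignment to inst.word has happened, which is exactly what moving the #endif above the fetch guarantees in the kernel.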

The following patch may be used on /sys/arch/pmax/pmax/trap.c to effect this
change:

*** trap.c.dist	Tue Sep  3 17:10:36 1996
--- trap.c	Tue Sep  3 17:11:11 1996
***************
*** 1146,1156 ****
  #ifdef notyet	/*  Compute desination of r4000 squashed branches */
  #define GetBranchDest(InstPtr, inst) \
  	((unsigned)InstPtr + 4 + ((short)inst.IType.imm << 2))
  
  	inst.word = (instPC < MACH_CACHED_MEMORY_ADDR) ?
  		fuiword((caddr_t)instPC) : *(unsigned*)instPC;
- #endif
  #if 0
  	printf("regsPtr=%x PC=%x Inst=%x fpcCsr=%x\n", regsPtr, instPC,
  		inst.word, fpcCSR); /* XXX */
  #endif
--- 1146,1156 ----
  #ifdef notyet	/*  Compute desination of r4000 squashed branches */
  #define GetBranchDest(InstPtr, inst) \
  	((unsigned)InstPtr + 4 + ((short)inst.IType.imm << 2))
  
+ #endif
  	inst.word = (instPC < MACH_CACHED_MEMORY_ADDR) ?
  		fuiword((caddr_t)instPC) : *(unsigned*)instPC;
  #if 0
  	printf("regsPtr=%x PC=%x Inst=%x fpcCsr=%x\n", regsPtr, instPC,
  		inst.word, fpcCSR); /* XXX */
  #endif
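Review bot: the reordering does what the Fix section says (the fetch into inst.word now runs regardless of notyet, while the GetBranchDest macro stays inside the #ifdef), but the relocated line `inst.word = (instPC < MACH_CACHED_MEMORY_ADDR) ? fuiword((caddr_t)instPC) : *(unsigned*)instPC;` still assigns fuiword()'s return value without checking it, so a failed user-space fetch flows into the switch as an arbitrary opcode instead of an explicit error; that is pre-existing rather than introduced here, but worth a sentence in the commit message. While touching this block, the unchanged context comment on the `#ifdef notyet` line spells "destination" as "desination".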
>Audit-Trail:
>Unformatted:
>synopsis:	MachEmulateBranch tries to check opcode it never loads