From 9ecac5dad16722ce2a8c3e88d8eeba5794990031 Mon Sep 17 00:00:00 2001
From: Richard Henderson <rth@twiddle.net>
Date: Tue, 17 Nov 2015 12:41:47 +0100
Subject: [PATCH] target-i386: Fix mulx for identical target regs

The Intel specification clearly indicates that the low part
of the result is written first and the high part of the result
is written second; thus if ModRM:reg and VEX.vvvv are identical,
the final result should be the high part of the result.

At present, TCG may either produce incorrect results or crash
with --enable-checking.

Reported-by: Toni Nedialkov <farmdve@gmail.com>
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
---
 target-i386/translate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target-i386/translate.c b/target-i386/translate.c
index fbe4f80aa6..a3dd167a9b 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -3848,8 +3848,10 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
                     break;
 #ifdef TARGET_X86_64
                 case MO_64:
-                    tcg_gen_mulu2_i64(cpu_regs[s->vex_v], cpu_regs[reg],
+                    tcg_gen_mulu2_i64(cpu_T[0], cpu_T[1],
                                       cpu_T[0], cpu_regs[R_EDX]);
+                    tcg_gen_mov_i64(cpu_regs[s->vex_v], cpu_T[0]);
+                    tcg_gen_mov_i64(cpu_regs[reg], cpu_T[1]);
                     break;
 #endif
                 }
-- 
2.11.0