From: Richard Henderson <richard.henderson@linaro.org>
Date: Tue, 17 Apr 2018 02:53:28 +0000 (-1000)
Subject: fpu: Bound increment for scalbn
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=ce8d4082054519f2eaac39958edde502860a7fc6;p=qemu.git

fpu: Bound increment for scalbn

Without bounding the increment, we can overflow exp either here
in scalbn_decomposed or when adding the bias in round_canonical.
This can result in e.g. underflowing to 0 instead of overflowing
to infinity.

The old softfloat code did bound the increment.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index d90d79d777..70e0c40a1c 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -1878,6 +1878,12 @@ static FloatParts scalbn_decomposed(FloatParts a, int n, float_status *s)
         return return_nan(a, s);
     }
     if (a.cls == float_class_normal) {
+        /* The largest float type (even though not supported by FloatParts)
+         * is float128, which has a 15 bit exponent.  Bounding N to 16 bits
+         * still allows rounding to infinity, without allowing overflow
+         * within the int32_t that backs FloatParts.exp.
+         */
+        n = MIN(MAX(n, -0x10000), 0x10000);
         a.exp += n;
     }
     return a;