From edaea7020b9bc3c6d6930be1fa04a57a49f1b8c9 Mon Sep 17 00:00:00 2001
From: Nguyen Anh Quynh
Date: Mon, 16 Nov 2015 21:55:42 +0800
Subject: [PATCH] x86: on self-modifying code, generate JIT code until end of block. this fixes issue #266
---
 qemu/target-i386/translate.c | 7 +++----
 qemu/translate-all.c | 1 +
 tests/regress/invalid_read_in_cpu_tb_exec.c | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/qemu/target-i386/translate.c b/qemu/target-i386/translate.c
index 3eab1e32..2e7a822e 100644
--- a/qemu/target-i386/translate.c
+++ b/qemu/target-i386/translate.c
@@ -8360,6 +8360,8 @@ static inline void gen_intermediate_code_internal(uint8_t *gen_opc_cc_op,
 // done with initializing TCG variables
 env->uc->init_tcg = true;
 
+ pc_ptr = pc_start;
+
 // early check to see if the address of this block is the until address
 if (tb->pc == env->uc->addr_end) {
 // imitate the HLT instruction
@@ -8367,17 +8369,15 @@ static inline void gen_intermediate_code_internal(uint8_t *gen_opc_cc_op,
 gen_jmp_im(dc, tb->pc - tb->cs_base);
 gen_helper_hlt(tcg_ctx, tcg_ctx->cpu_env, tcg_const_i32(tcg_ctx, 0));
 dc->is_jmp = DISAS_TB_JUMP;
- pc_ptr = pc_start;
 goto done_generating;
 }
 
 gen_opc_end = tcg_ctx->gen_opc_buf + OPC_MAX_SIZE;
 
 dc->is_jmp = DISAS_NEXT;
- pc_ptr = pc_start;
 lj = -1;
 max_insns = tb->cflags & CF_COUNT_MASK;
- if (max_insns == 0)
+ if (max_insns <= 1)
 max_insns = CF_COUNT_MASK;
 
 // Unicorn: trace this block on request
@@ -8460,7 +8460,6 @@ done_generating:
 
 if (!search_pc) {
 tb->size = pc_ptr - pc_start;
- // tb->icount = num_insns;
 }
 
 env->uc->block_full = block_full;
diff --git a/qemu/translate-all.c b/qemu/translate-all.c
index 8f1c43eb..17a1ae6f 100644
--- a/qemu/translate-all.c
+++ b/qemu/translate-all.c
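Review bot: `if (max_insns <= 1)` near the end of the second translate.c hunk makes an instruction count of 1 in `tb->cflags` indistinguishable from "no limit", and nothing in the hunk records why that is safe; if tb_invalidate_phys_page_range still regenerates the faulting block with a count of 1 as upstream QEMU does, that count is exactly the single-instruction re-translation requested after self-modifying code. The block being regenerated starts at the store that triggered the invalidation, so translating it to its end decodes the bytes after that store before the store is re-executed; whether a write that modifies the instructions immediately following it is still handled correctly is not visible here and deserves its own regression test. At minimum the intent should be recorded next to the comparison: `// Unicorn: a count of 1 (single-insn re-translation after SMC) is treated as unlimited so the block is generated to its end, see issue #266`. The hoist of `pc_ptr = pc_start;` in the first hunk is fine. gen_intermediate_code_internal starts and ends outside these hunks.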
@@ -1202,6 +1202,7 @@ void tb_invalidate_phys_page_range(struct uc_struct *uc, tb_page_addr_t start, t
 restore the CPU state */
 
 current_tb_modified = 1;
+ // self-modifying code will restore state from TB
 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
 ¤t_flags);
diff --git a/tests/regress/invalid_read_in_cpu_tb_exec.c b/tests/regress/invalid_read_in_cpu_tb_exec.c
index 7e4f2656..f9fe162c 100644
--- a/tests/regress/invalid_read_in_cpu_tb_exec.c
+++ b/tests/regress/invalid_read_in_cpu_tb_exec.c
@@ -27,7 +27,7 @@ int main(int argc, char **argv, char **envp) {
 uc_hook hook;
 uc_hook_add(uc, &hook, UC_HOOK_BLOCK, hook_block, NULL, (uint64_t)1, (uint64_t)0);
 printf("uc_emu_start(…)\n");
- uc_emu_start(uc, STARTING_ADDRESS, STARTING_ADDRESS + sizeof(BINARY) - 1, 0, 0);
+ uc_emu_start(uc, STARTING_ADDRESS, STARTING_ADDRESS + sizeof(BINARY) - 1, 0, 20);
 printf("done\n");
 return 0;
 }
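Review bot: The added comment `// self-modifying code will restore state from TB` restates what the call on the next line already says and does not explain why the state is rewound to `cpu->mem_io_pc` or what that prepares for; the regeneration that follows lies outside the hunk. A comment naming the reason serves the next reader better, e.g. `// Unicorn: the write that invalidated this page was issued from inside current_tb; rewind the CPU to that store (mem_io_pc) so the block can be regenerated from there` — assuming that is the intent, which the hunk itself does not show. tb_invalidate_phys_page_range starts and ends outside the hunk.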
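Review bot: The return value of `uc_emu_start` is still discarded on the changed line, so this regression test prints "done" and exits 0 whether or not emulation succeeded, and cannot fail on the error it was written to catch. Suggest `uc_err err = uc_emu_start(uc, STARTING_ADDRESS, STARTING_ADDRESS + sizeof(BINARY) - 1, 0, 20);` followed by `if (err != UC_ERR_OK) { printf("uc_emu_start failed: %s\n", uc_strerror(err)); return 1; }`. The new count of 20 is also a bare number; a short comment stating why 20 instructions are needed here (presumably enough to run past the self-modified bytes) would keep the test readable. main starts outside the hunk.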