--- np2/i386c/ia32/cpu_mem.c 2012/01/08 19:09:40 1.33
+++ np2/i386c/ia32/cpu_mem.c 2012/06/18 14:30:27 1.35
@@ -31,12 +31,12 @@
 /*
 * memory access check
 */
-static int MEMCALL check_limit_upstairs(descriptor_t *sdp, UINT32 offset, UINT len);
+static int MEMCALL check_limit_upstairs(descriptor_t *sdp, UINT32 offset, UINT len, BOOL is32bit);
 static void MEMCALL cpu_memoryread_check(descriptor_t *sdp, UINT32 offset, UINT len, int e);
 static void MEMCALL cpu_memorywrite_check(descriptor_t *sdp, UINT32 offset, UINT len, int e);
 static int MEMCALL
-check_limit_upstairs(descriptor_t *sdp, UINT32 offset, UINT len)
+check_limit_upstairs(descriptor_t *sdp, UINT32 offset, UINT len, BOOL is32bit)
 {
 UINT32 limit;
 UINT32 end;
@@ -46,10 +46,10 @@ check_limit_upstairs(descriptor_t *sdp,
 len--;
 end = offset + len;
- limit = SEG_IS_32BIT(sdp) ? 0xffffffff : 0x0000ffff;
 if (SEG_IS_DATA(sdp) && SEG_IS_EXPANDDOWN_DATA(sdp)) {
 /* expand-down data segment */
+ limit = SEG_IS_32BIT(sdp) ? 0xffffffff : 0x0000ffff;
 if (sdp->u.seg.limit == 0) {
 /*
 * 32bit 16bit
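Review bot: The new `is32bit` parameter of check_limit_upstairs is not used in the lines shown here: the assignment moved into the expand-down branch still reads `limit = SEG_IS_32BIT(sdp) ? 0xffffffff : 0x0000ffff;`. cpu_stack_pop_check now forwards its own `is32bit` to this function while cpu_stack_push_check computes `limit = is32bit ? 0xffffffff : 0x0000ffff;`, so the upper bound of an expand-down stack can differ between push and pop whenever the caller's value disagrees with the descriptor's size bit. If the descriptor bit is the intended bound, say so next to the assignment, e.g. `/* upper bound follows the descriptor size bit, not is32bit */`, and consider dropping the parameter; otherwise write `limit = is32bit ? 0xffffffff : 0x0000ffff;`. The function body continues past this hunk, so a use of `is32bit` further down cannot be ruled out from here.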
@@ -93,37 +93,30 @@ check_limit_upstairs(descriptor_t *sdp, } } else { /* expand-up data or code segment */ - if (sdp->u.seg.limit == limit) { + if (sdp->u.seg.limit == 0xffffffff) { /* - * 32bit 16bit - * +-------+ +-------+ FFFFFFFFh - * | | | | - * | | + [1] + 0000FFFFh - * | valid | | | - * | | +-------+ 0000FFFFh - len - 1 - * | | | valid | - * +-------+ +-------+ 00000000h + * 16/32bit + * +-------+ FFFFFFFFh + * | | + * | | + * | valid | + * | | + * | | + * +-------+ 00000000h */ - if (!SEG_IS_32BIT(sdp)) { - if ((len > limit) /* len check */ - || (offset + len > limit)) { /* [1] */ - goto exc; - } - } else { - sdp->flag |= CPU_DESC_FLAG_WHOLEADR; - } + sdp->flag |= CPU_DESC_FLAG_WHOLEADR; } else { /* - * 32bit 16bit - * +-------+ +-------+ FFFFFFFFh - * | | | | - * | | +.......+ 0000FFFFh - * | [1] | | [1] | - * +.......+ +.......+ seg.limit - * | | | | - * +-------+ +-------+ seg.limit - len - 1 - * | valid | | valid | - * +-------+ +-------+ 00000000h + * 16/32bit + * +-------+ FFFFFFFFh + * | | + * | | + * | [1] | + * +.......+ seg.limit + * | | + * +-------+ seg.limit - len - 1 + * | valid | + * +-------+ 00000000h */ if ((len > sdp->u.seg.limit) /* len check */ || (end < offset) /* wrap check */ @@ -166,7 +159,7 @@ cpu_memoryread_check(descriptor_t *sdp, case 6: case 7: /* rw (expand down) */ case 10: case 11: /* rx */ case 14: case 15: /* rxc */ - if (!check_limit_upstairs(sdp, offset, len)) + if (!check_limit_upstairs(sdp, offset, len, SEG_IS_32BIT(sdp))) goto exc; break; @@ -205,7 +198,7 @@ cpu_memorywrite_check(descriptor_t *sdp, switch (sdp->type) { case 2: case 3: /* rw */ case 6: case 7: /* rw (expand down) */ - if (!check_limit_upstairs(sdp, offset, len)) + if (!check_limit_upstairs(sdp, offset, len, SEG_IS_32BIT(sdp))) goto exc; break; 
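Review bot: In the expand-up branch, a descriptor whose limit is 0xffffffff now gets `CPU_DESC_FLAG_WHOLEADR` whatever its size bit, and that path applies neither the length check nor the `end < offset` wrap check that the `else` branch performs. cpu_vmemoryread_f and cpu_vmemorywrite_f skip check_limit_upstairs once the flag is set, so the decision is cached on the descriptor for later accesses. Whether the flag is cleared when the descriptor is reloaded or its limit changes is not visible in this diff, so the assignment deserves a comment recording that requirement, e.g. `/* limit spans 4GiB: callers may skip the limit check; reset on descriptor reload */`. The same comment should state whether an access that wraps past FFFFFFFFh is deliberately left unchecked on this path.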
@@ -224,7 +217,8 @@ exc:
 }
 void MEMCALL
-cpu_stack_push_check(UINT16 s, descriptor_t *sdp, UINT32 sp, UINT len)
+cpu_stack_push_check(UINT16 s, descriptor_t *sdp, UINT32 sp, UINT len,
+ BOOL is32bit)
 {
 UINT32 limit;
 UINT32 start;
@@ -243,7 +237,7 @@ cpu_stack_push_check(UINT16 s, descripto
 }
 start = sp - len;
- limit = SEG_IS_32BIT(sdp) ? 0xffffffff : 0x0000ffff;
+ limit = is32bit ? 0xffffffff : 0x0000ffff;
 if (SEG_IS_EXPANDDOWN_DATA(sdp)) {
 /* expand-down stack */
@@ -342,7 +336,8 @@ exc:
 }
 void MEMCALL
-cpu_stack_pop_check(UINT16 s, descriptor_t *sdp, UINT32 sp, UINT len)
+cpu_stack_pop_check(UINT16 s, descriptor_t *sdp, UINT32 sp, UINT len,
+ BOOL is32bit)
 {
 __ASSERT(sdp != NULL);
@@ -356,7 +351,7 @@ cpu_stack_pop_check(UINT16 s, descriptor
 goto exc;
 }
- if (!check_limit_upstairs(sdp, sp, len))
+ if (!check_limit_upstairs(sdp, sp, len, is32bit))
 goto exc;
 return;
@@ -512,7 +507,7 @@ cpu_vmemoryread_f(int idx, UINT32 offset
 if (!(sdp->flag & CPU_DESC_FLAG_READABLE)) {
 cpu_memoryread_check(sdp, offset, 10, CHOOSE_EXCEPTION(idx));
 } else if (!(sdp->flag & CPU_DESC_FLAG_WHOLEADR)) {
- if (!check_limit_upstairs(sdp, offset, 10))
+ if (!check_limit_upstairs(sdp, offset, 10, SEG_IS_32BIT(sdp)))
 goto range_failure;
 }
 return cpu_lmemoryread_f(addr, CPU_PAGE_READ_DATA | CPU_STAT_USER_MODE);
@@ -553,7 +548,7 @@ cpu_vmemorywrite_f(int idx, UINT32 offse
 if (!(sdp->flag & CPU_DESC_FLAG_WRITABLE)) {
 cpu_memorywrite_check(sdp, offset, 10, CHOOSE_EXCEPTION(idx));
 } else if (!(sdp->flag & CPU_DESC_FLAG_WHOLEADR)) {
- if (!check_limit_upstairs(sdp, offset, 10))
+ if (!check_limit_upstairs(sdp, offset, 10, SEG_IS_32BIT(sdp)))
 goto range_failure;
 }
 cpu_lmemorywrite_f(addr, value, CPU_PAGE_WRITE_DATA | CPU_STAT_USER_MODE);
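Review bot: cpu_stack_push_check and cpu_stack_pop_check are not `static`, and each gains a fifth argument here without any comment saying what `is32bit` denotes. In cpu_stack_push_check it replaces the descriptor's size bit in `limit = is32bit ? 0xffffffff : 0x0000ffff;`, so any nonzero value from a caller selects the 4 GiB value for `limit`; a caller passing the wrong width could therefore let a 16-bit stack access pass a check it should fail (the use of `limit` lies outside the hunk). A header comment on both functions, along the lines of `/* is32bit: nonzero if the stack is 32-bit; selects FFFFFFFFh instead of FFFFh as the upper bound */`, would pin that down, with the wording to be confirmed by the author. The prototypes and callers live outside this file and need the matching change, otherwise the calls are made with a mismatched argument list.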