--- np2/i386c/ia32/exception.c	2011/12/17 02:39:06	1.25
+++ np2/i386c/ia32/exception.c	2011/12/21 16:27:10	1.29
@@ -92,6 +92,8 @@ exception(int num, int error_code)
 	case NM_EXCEPTION:	/* (F) デバイス使用不可 (FPU が無い) */
 	case MF_EXCEPTION:	/* (F) 浮動小数点エラー */
 		CPU_EIP = CPU_PREV_EIP;
+		if (CPU_STATSAVE.cpu_stat.backout_sp)
+			CPU_ESP = CPU_PREV_ESP;
 		/*FALLTHROUGH*/
 	case NMI_EXCEPTION:	/* (I) NMI 割り込み */
 	case BP_EXCEPTION:	/* (T) ブレークポイント */
@@ -113,6 +115,8 @@ exception(int num, int error_code)
 	case GP_EXCEPTION:	/* (F) 一般保護例外 (errcode) */
 	case PF_EXCEPTION:	/* (F) ページフォルト (errcode) */
 		CPU_EIP = CPU_PREV_EIP;
+		if (CPU_STATSAVE.cpu_stat.backout_sp)
+			CPU_ESP = CPU_PREV_ESP;
 		errorp = 1;
 		break;
 
@@ -121,12 +125,6 @@ exception(int num, int error_code)
 		break;
 	}
 
-	if (CPU_STATSAVE.cpu_stat.backout_sp) {
-		VERBOSE(("exception: restore stack pointer."));
-		CPU_ESP = CPU_PREV_ESP;
-		CPU_STATSAVE.cpu_stat.backout_sp = 0;
-	}
-
 	if (CPU_STAT_EXCEPTION_COUNTER >= 2) {
 		if (dftable[exctype[CPU_STAT_PREV_EXCEPTION]][exctype[num]]) {
 			num = DF_EXCEPTION;
@@ -138,7 +136,7 @@ exception(int num, int error_code)
 
 	VERBOSE(("exception: ---------------------------------------------------------------- end"));
 
-	interrupt(num, 0, errorp, error_code);
+	interrupt(num, INTR_TYPE_EXTINTR, errorp, error_code);
 #if defined(IA32_SUPPORT_DEBUG_REGISTER)
 	if (num != BP_EXCEPTION) {
 		if (CPU_INST_OP32) {
@@ -220,6 +218,8 @@ interrupt(int num, int intrtype, int err
 
 	VERBOSE(("interrupt: num = 0x%02x, intrtype = %s, errorp = %s, error_code = %08x", num, intrtype ? "on" : "off", errorp ? "on" : "off", error_code));
 
+	CPU_SET_PREV_ESP();
+
 	if (!CPU_STAT_PM) {
 		/* real mode */
 		CPU_WORKCLOCK(20);
@@ -231,6 +231,7 @@ interrupt(int num, int intrtype, int err
 		}
 
 		if ((intrtype == INTR_TYPE_EXTINTR) && CPU_STAT_HLT) {
+			VERBOSE(("interrupt: reset HTL in real mode"));
 			CPU_EIP++;
 			CPU_STAT_HLT = 0;
 		}
@@ -308,6 +309,7 @@ interrupt(int num, int intrtype, int err
 		}
 
 		if ((intrtype == INTR_TYPE_EXTINTR) && CPU_STAT_HLT) {
+			VERBOSE(("interrupt: reset HTL in protected mode"));
 			CPU_EIP++;
 			CPU_STAT_HLT = 0;
 		}
@@ -331,6 +333,8 @@ interrupt(int num, int intrtype, int err
 
 		VERBOSE(("interrupt: ---------------------------------------------------------------- end"));
 	}
+
+	CPU_CLEAR_PREV_ESP();
 }
 
 static void
@@ -371,9 +375,17 @@ interrupt_task_gate(const descriptor_t *
 
 	task_switch(&task_sel, TASK_SWITCH_INTR);
 
+	CPU_SET_PREV_ESP();
+
 	if (errorp) {
 		XPUSH0(error_code);
 	}
+
+	/* out of range */
+	if (CPU_EIP > CPU_STAT_CS_LIMIT) {
+		VERBOSE(("interrupt: new_ip is out of range. new_ip = %08x, limit = %08x", CPU_EIP, CPU_STAT_CS_LIMIT));
+		EXCEPTION(GP_EXCEPTION, 0);
+	}
 }
 
 static void
@@ -418,7 +430,7 @@ interrupt_intr_or_trap(const descriptor_
 		break;
 	}
 
-	exc_errcode = cs_sel.idx;
+	exc_errcode = gsdp->u.gate.selector & ~3;
 	if (intrtype == INTR_TYPE_EXTINTR)
 		exc_errcode++;
 
@@ -572,7 +584,7 @@ interrupt_intr_or_trap(const descriptor_
 			EXCEPTION(GP_EXCEPTION, exc_errcode);
 		}
 		if (!SEG_IS_CONFORMING_CODE(&cs_sel.desc) && (cs_sel.desc.dpl != CPU_STAT_CPL)) {
-			VERBOSE(("interrupt: %sCONFORMING-CODE-SEGMENT(%s) && DPL[CS](%d) != CPL", SEG_IS_CONFORMING_CODE(&cs_sel.desc) ? "" : "NON-", cs_sel.desc.dpl, CPU_STAT_CPL));
+			VERBOSE(("interrupt: %sCONFORMING-CODE-SEGMENT(%d) && DPL[CS](%d) != CPL", SEG_IS_CONFORMING_CODE(&cs_sel.desc) ? "" : "NON-", cs_sel.desc.dpl, CPU_STAT_CPL));
 			EXCEPTION(GP_EXCEPTION, exc_errcode);
 		}