diff --git a/HP2100/hp2100_bugfixes.txt b/HP2100/hp2100_bugfixes.txt
index 57ef7392..90c3bd0f 100644
--- a/HP2100/hp2100_bugfixes.txt
+++ b/HP2100/hp2100_bugfixes.txt
@@ -1,6 +1,6 @@
                        HP 2100 SIMULATOR BUG FIX WRITEUPS
                        ==================================
-                             Last update: 2012-03-20
+                             Last update: 2012-03-23
 
 
   1. PROBLEM:  Booting from magnetic tape reports "HALT instruction, P: 77756
@@ -6215,3 +6215,45 @@
      service only when a parameter word has been received with an ioIOO signal.
 
      STATUS:  Fixed in version 3.9-0.
+
+
+
+245. PROBLEM:  The EMA diagnostic sometimes aborts with a DM error.
+
+     VERSION:  3.8-1
+
+     OBSERVATION:  Running the RTE-IV EMA diagnostic "#EMA" may abort with a DMS
+     violation:
+
+       DM VIOL = 160377
+       DM INST = 105257
+       ABE 177750      15 1
+       XYO 116123   72137 0
+       DM    #EMA   16521
+       #EMA  ABORTED
+
+     The abort occurs in test 8, which executes the .EMAP instruction and passes
+     a negative number of dimensions.
+
+     CAUSE:  The test supplies a dimension count of -32768.  The offset of the
+     specified array element is calculated by the "cpu_ema_resolve" routine by
+     iterating through the array subscripts.  The 16-bit word containing the
+     dimension count is loaded into a 32-bit signed integer variable as an
+     unsigned value.  Therefore, +32678 dimensions are assumed.  However, only
+     one subscript value is supplied in the call, so subsequent instructions
+     after the call are interpreted as subscript addresses, yielding random
+     values from memory.  Also, the array descriptor only defines one subscript,
+     so subsequent memory values are interpreted as subscript bounds and element
+     counts.
+
+     If one of subscript offsets evaluates to a negative value, the routine
+     returns FALSE, and the instruction fails.  The diagnostic interprets the
+     cause of the failure as the negative dimension count and passes test 8.
+
+     However, if a subscript address points at a protected page of memory, the
+     instruction causes a DM violation when the value is retrieved.
+
+     RESOLUTION:  Modify "cpu_ema_resolve" (hp2100_cpu5.c) to sign-extend the
+     16-bit dimension count.
+
+     STATUS:  Fixed in version 3.9-0.
diff --git a/HP2100/hp2100_cpu5.c b/HP2100/hp2100_cpu5.c
index a680f864..9865f47a 100644
--- a/HP2100/hp2100_cpu5.c
+++ b/HP2100/hp2100_cpu5.c
@@ -26,7 +26,7 @@
 
    CPU5         RTE-6/VM and RTE-IV firmware option instructions
 
-   20-Mar-12    JDB     Added sign extension for dim count in "cpu_ema_resolve"
+   23-Mar-12    JDB     Added sign extension for dim count in "cpu_ema_resolve"
    28-Dec-11    JDB     Eliminated unused variable in "cpu_ema_vset"
    11-Sep-08    JDB     Moved microcode function prototypes to hp2100_cpu1.h
    05-Sep-08    JDB     Removed option-present tests (now in UIG dispatchers)
@@ -798,6 +798,12 @@ return reason;
      1. RTE-IV EMA and RTE-6 VMA instructions share the same address space, so a
         given machine can run one or the other, but not both.
 
+     2. The EMA diagnostic (92067-16013) reports bogus MMAP failures if it is
+        not loaded at the start of its partition (e.g., because of a LOADR "LO"
+        command).  The "ICMPS" map comparison check in the diagnostic assumes
+        that the starting page of the program's partition contains the first
+        instruction of the program and prints "MMAP ERROR" if it does not.
+
    Additional references:
     - RTE-IVB Programmer's Reference Manual (92068-90004, Dec-1983).
     - RTE-IVB Technical Specifications (92068-90013, Jan-1980).
@@ -813,10 +819,11 @@ static const OP_PAT op_ema[16] = {
 /* calculate the 32 bit EMA subscript for an array */
 static t_bool cpu_ema_resolve(uint32 dtbl,uint32 atbl,uint32* sum)
 {
-int32 sub, act, low, sz;
+int32 sub, act, low, sz, ndim;
 uint32 MA, base;
 
-int32 ndim = SEXT(ReadW(dtbl++));                       /* # dimensions */
+ndim = ReadW(dtbl++);                                   /* # dimensions */
+ndim = SEXT(ndim);                                      /* sign extend */
 if (ndim < 0) return FALSE;                             /* invalid? */
 
 *sum = 0;                                               /* accu for index calc */
diff --git a/sim_rev.h b/sim_rev.h
index 78259a30..35abe360 100644
--- a/sim_rev.h
+++ b/sim_rev.h
@@ -88,10 +88,11 @@ patch   date            module(s) and fix(es)
                         - Added OPSIZE casts to fp_accum calls in .FPWR/.TPWR
 
                         hp2100_cpu5.c (Dave Bryan):
-                        - Added OPSIZE casts to fp_accum calls in .FPWR/.TPWR
+                        - Added sign extension for dim count in "cpu_ema_resolve"
+                        - Eliminated unused variable in "cpu_ema_vset"
 
                         hp2100_cpu6.c (Dave Bryan):
-                        - Eliminated unused variable in "cpu_ema_vset"
+                        - DMA channels renamed from 0,1 to 1,2 to match documentation
 
                         hp2100_cpu7.c (Dave Bryan):
                         - Corrected "opsize" parameter type in vis_abs