target-i386 cpu_get_phys_page_debug checks bits in wrong order

Bug #1163065 reported by Brendan Dolan-Gavitt
Affects: QEMU | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

In target-i386 cpu_get_phys_page_debug, the CR4_PAE bit is checked before CR0_PG. This means that if paging is disabled but the PAE bit has been set in CR4, cpu_get_phys_page_debug will return the wrong result (it will try to translate the address as virtual rather than using it as a physical address).

Although this might seem like an unusual case, it in fact happens consistently when booting Linux on amd64 (from linux-2.6.32.60/arch/x86/boot/compressed/head_64.S):

    /* Enable PAE mode */
    xorl %eax, %eax
    orl $(X86_CR4_PAE), %eax
    movl %eax, %cr4
[... code to set up page tables omitted ...]
    /* Enter paged protected Mode, activating Long Mode */
    movl $(X86_CR0_PG | X86_CR0_PE), %eax /* Enable Paging and Protected mode */
    movl %eax, %cr0

The most noticeable effect of this bug is that using the disassembler during this time will fetch the wrong data by trying to read from page tables that aren't there. One symptom is that booting Linux amd64 with -d in_asm will result in several "Disassembler disagrees with translator over instruction decoding" messages.

Attached is a patch that moves the CR0_PG check to the beginning. I'm still not 100% certain that the logic of cpu_get_phys_page_debug matches cpu_x86_handle_mmu_fault, but it's a start.
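
The ordering problem described above, as an added example that is not QEMU's code and not the reporter's attached patch. It is a simplified C model of the two check orderings, with a constructed zero-filled guest memory and minimal legacy and PAE page-table walks; the `phys_page_buggy`, `phys_page_fixed`, `walk_*` and `map_legacy` names and the 1 MiB memory size are assumptions made for the model. With CR4.PAE set and CR0.PG clear, which is the window between the two `movl` instructions in head_64.S, the PAE-first ordering walks non-existent page tables and reports the address as unmapped, while the PG-first ordering returns the address unchanged:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural bit positions for the control-register bits involved. */
#define CR0_PE   (1u << 0)
#define CR0_PG   (1u << 31)
#define CR4_PAE  (1u << 5)
#define PTE_P    (1u << 0)
#define NOT_MAPPED ((uint64_t)-1)

/* Constructed guest "physical memory": 1 MiB, zero-filled, so every
 * page-table walk hits a not-present entry unless a mapping is installed. */
#define MEM_SIZE (1u << 20)
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t pa) {
    uint32_t v = 0;
    if (pa < MEM_SIZE && MEM_SIZE - pa >= 4) memcpy(&v, mem + pa, 4);
    return v;
}
static uint64_t rd64(uint32_t pa) {
    uint64_t v = 0;
    if (pa < MEM_SIZE && MEM_SIZE - pa >= 8) memcpy(&v, mem + pa, 8);
    return v;
}
static void wr32(uint32_t pa, uint32_t v) {
    if (pa < MEM_SIZE && MEM_SIZE - pa >= 4) memcpy(mem + pa, &v, 4);
}

/* Legacy 32-bit two-level walk, 4 KiB pages only (no PSE), enough for the model. */
static uint64_t walk_legacy(uint32_t cr3, uint32_t va) {
    uint32_t pde = rd32((cr3 & ~0xfffu) + ((va >> 22) & 0x3ff) * 4);
    if (!(pde & PTE_P)) return NOT_MAPPED;
    uint32_t pte = rd32((pde & ~0xfffu) + ((va >> 12) & 0x3ff) * 4);
    if (!(pte & PTE_P)) return NOT_MAPPED;
    return (uint64_t)(pte & ~0xfffu) | (va & 0xfff);
}

/* PAE three-level walk with 8-byte entries, 4 KiB pages only. */
static uint64_t walk_pae(uint32_t cr3, uint32_t va) {
    uint64_t pdpte = rd64((cr3 & ~0x1fu) + ((va >> 30) & 3) * 8);
    if (!(pdpte & PTE_P)) return NOT_MAPPED;
    uint64_t pde = rd64((uint32_t)(pdpte & ~0xfffull) + ((va >> 21) & 0x1ff) * 8);
    if (!(pde & PTE_P)) return NOT_MAPPED;
    uint64_t pte = rd64((uint32_t)(pde & ~0xfffull) + ((va >> 12) & 0x1ff) * 8);
    if (!(pte & PTE_P)) return NOT_MAPPED;
    return (pte & 0x000ffffffffff000ull) | (va & 0xfff);
}

/* Ordering the report describes: CR4.PAE is consulted before CR0.PG, so a
 * PAE bit set with paging still off sends the lookup into a page-table walk. */
uint64_t phys_page_buggy(uint32_t cr0, uint32_t cr4, uint32_t cr3, uint32_t va) {
    if (cr4 & CR4_PAE) return walk_pae(cr3, va);
    if (!(cr0 & CR0_PG)) return va;        /* paging off: identity mapping */
    return walk_legacy(cr3, va);
}

/* Ordering the report's patch proposes: decide on CR0.PG first. */
uint64_t phys_page_fixed(uint32_t cr0, uint32_t cr4, uint32_t cr3, uint32_t va) {
    if (!(cr0 & CR0_PG)) return va;        /* paging off: identity mapping */
    if (cr4 & CR4_PAE) return walk_pae(cr3, va);
    return walk_legacy(cr3, va);
}

/* Install a single legacy 4 KiB mapping va -> pa, using pt_pa for the page table. */
static void map_legacy(uint32_t cr3, uint32_t va, uint32_t pa, uint32_t pt_pa) {
    wr32((cr3 & ~0xfffu) + ((va >> 22) & 0x3ff) * 4, (pt_pa & ~0xfffu) | PTE_P);
    wr32((pt_pa & ~0xfffu) + ((va >> 12) & 0x3ff) * 4, (pa & ~0xfffu) | PTE_P);
}

int main(void) {
    /* The head_64.S window: PAE already set, paging not yet enabled. */
    uint32_t cr0 = CR0_PE, cr4 = CR4_PAE, cr3 = 0x1000, va = 0x100000;
    printf("buggy order: 0x%llx\n", (unsigned long long)phys_page_buggy(cr0, cr4, cr3, va));
    printf("fixed order: 0x%llx\n", (unsigned long long)phys_page_fixed(cr0, cr4, cr3, va));

    /* Once paging is on and a table exists, both orderings walk it the same way. */
    map_legacy(cr3, 0x1234, 0x5000, 0x2000);
    printf("paging on:   0x%llx\n",
           (unsigned long long)phys_page_fixed(CR0_PE | CR0_PG, 0, cr3, 0x1234));
    return 0;
}
```

In the PAE-off-but-PG-off case the buggy ordering returns `NOT_MAPPED` (all ones), which in the real function shows up as the debug read failing or fetching from whatever happens to sit where the walk lands; the fixed ordering returns the address itself.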

Tags: target-i386
Brendan Dolan-Gavitt (brendandg) wrote:
Thomas Huth (th-huth) wrote:

Can you still reproduce this problem with the latest version of QEMU? If so, could you please send a refreshed patch to the qemu-devel mailing list? We do not pick up patches from the bug tracker. Thanks!

Changed in qemu:
status: New → Incomplete
Launchpad Janitor (janitor) wrote:

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status: Incomplete → Expired