From: Sebastian Huber
Subject: [Qemu-devel] [Bug 1182344] Re: ARM: invalid code execution after subs instruction
Date: Wed, 22 May 2013 08:22:18 -0000

If I replace the idle thread with this code

#include <stdbool.h>
#include <stdint.h>

void bsp_reset(void); /* RTEMS BSP reset routine; declared here so the fragment compiles on its own */

/* Idle thread body: wait for an interrupt, then loop forever; never returns. */
void *_CPU_Thread_Idle_body( uintptr_t ignored )
{
  (void) ignored;
  while ( true ) {
    __asm__ volatile ("wfi");
  }
}

/* Follows the idle loop in the text section; the trace below shows execution falling into it. */
void foobarblub(void)
{
  __asm__ volatile ("nop; nop; nop; nop; nop");
  bsp_reset();
}

then I also get an invalid execution sequence:

   0x00010214 <thread_dispatch_done+56>:        ldm     r0, {r0, r1, r2, r3, r4, r5, r12}
   0x00010218 <thread_dispatch_done+60>:        mov     lr, r4
   0x0001021c <thread_dispatch_done+64>:        msr     SPSR_fc, r5
   0x00010220 <thread_dispatch_done+68>:        pop     {r4, r5}
   0x00010224 <thread_dispatch_done+72>:        subs    pc, lr, #4
   0x00010306 <_CPU_Thread_Idle_body+10>:       b.n     0x10304 <_CPU_Thread_Idle_body+8>
   0x00010308 <foobarblub+0>:   push    {r7, lr}
   0x0001030a <foobarblub+2>:   add     r7, sp, #0
   0x0001030c <foobarblub+4>:   nop
   0x0001030e <foobarblub+6>:   nop
   0x00010310 <foobarblub+8>:   nop
   0x00010312 <foobarblub+10>:  nop
   0x00010314 <foobarblub+12>:  nop
   0x00010316 <foobarblub+14>:  bl      0xe40 <bsp_reset>

Normally the execution sequence around the idle thread looks like this:

   0x00010210 <thread_dispatch_done+52>:        push    {r4, r5}
   0x00010214 <thread_dispatch_done+56>:        ldm     r0, {r0, r1, r2, r3, r4, r5, r12}
   0x00010218 <thread_dispatch_done+60>:        mov     lr, r4
   0x0001021c <thread_dispatch_done+64>:        msr     SPSR_fc, r5
   0x00010220 <thread_dispatch_done+68>:        pop     {r4, r5}
   0x00010224 <thread_dispatch_done+72>:        subs    pc, lr, #4
   0x00010306 <_CPU_Thread_Idle_body+10>:       b.n     0x10304 <_CPU_Thread_Idle_body+8>
   0x00010304 <_CPU_Thread_Idle_body+8>:        wfi
   0x00000018 <bsp_vector_table_begin+24>:      ldr     pc, [pc, #24]   ; 0x38 <handler_addr_irq>
   0x00010168 <_ARMV4_Exception_interrupt+0>:   stmdb   sp, {r4, r5, r6, r7}
   0x0001016c <_ARMV4_Exception_interrupt+4>:   mov     r4, lr
   0x00010170 <_ARMV4_Exception_interrupt+8>:   mrs     r5, SPSR
   0x00010174 <_ARMV4_Exception_interrupt+12>:  mrs     r6, CPSR

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1182344

Title:
  ARM: invalid code execution after subs instruction

Status in QEMU:
  New

Bug description:
  I use Qemu (Git 1239b472bb0dba8060f1af29d40dafbc1b2860d4) to test a
  SMP application on ARM.  I use the following command line:

  qemu-system-arm -S -s -net none -nographic -M realview-pbx-a9 -kernel
  app.exe -m 256M -no-reboot -smp 2 -icount 8

  The application crashes because Qemu executes the B.N instruction
  incorrectly after a SUBS (return from interrupt):

     0x00010428 <thread_dispatch_done+12>:      vldmia  r1!, {d16-d31}
     0x0001042c <thread_dispatch_done+16>:      ldr     r0, [r1]
     0x00010430 <thread_dispatch_done+20>:      add     sp, sp, #200    ; 0xc8
     0x00010434 <thread_dispatch_done+24>:      vmsr    fpscr, r0
     0x00010438 <thread_dispatch_done+28>:      ldmfd   sp!, {lr}
     0x0001043c <thread_dispatch_done+32>:      mov     r0, sp
     0x00010440 <thread_dispatch_done+36>:      add     sp, sp, #28
     0x00010444 <thread_dispatch_done+40>:      mrs     r1, CPSR
     0x00010448 <thread_dispatch_done+44>:      bic     r1, r1, #1
     0x0001044c <thread_dispatch_done+48>:      msr     CPSR_fc, r1
     0x00010450 <thread_dispatch_done+52>:      push    {r4, r5}
     0x00010454 <thread_dispatch_done+56>:      ldm     r0, {r0, r1, r2, r3, r4, r5, r12}
     0x00010458 <thread_dispatch_done+60>:      mov     lr, r4
     0x0001045c <thread_dispatch_done+64>:      msr     SPSR_fc, r5
     0x00010460 <thread_dispatch_done+68>:      pop     {r4, r5}
     0x00010464 <thread_dispatch_done+72>:      subs    pc, lr, #4
     0x00000690 <_Thread_Idle_body+8>:  b.n     0x690 <_Thread_Idle_body+8>
     0x00000692:        nop
     0x00000694 <__getreent+0>: push    {r7, lr}
     0x00000696 <__getreent+2>: add     r7, sp, #0
     0x00000698 <__getreent+4>: bl      0x1cf0 <bsp_smp_processor_id>
     0x00001cf0 <bsp_smp_processor_id+0>:       push    {r7, lr}

  This instruction trace was generated with the attached patch.

  The

     0x00000690 <_Thread_Idle_body+8>:    b.n     0x690 <_Thread_Idle_body+8>

  should jump to itself.  Instead the next instruction is executed:

     0x00000692:  nop

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1182344/+subscriptions
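As an added illustration of the expected behaviour (not code from this report, from RTEMS or from QEMU): a small C model of the two architectural pieces in play, the CPSR/T-bit restore performed by `subs pc, lr, #4` and the Thumb `b.n` encoding, showing that the `b.n 0x690` at 0x690 must loop on itself rather than fall through to the `nop` at 0x692. The memory image and the register values (`lr`, `spsr`) are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

#define CPSR_T 0x20u   /* T bit of CPSR/SPSR: 1 = Thumb state, 0 = ARM state */

typedef struct { uint32_t pc, lr, cpsr, spsr; } cpu_t;

/* Architectural effect of "subs pc, lr, #imm" executed in an exception
 * mode: PC = LR - imm and CPSR = SPSR, so the interrupted context's mode,
 * flags and T bit all come back in one step. */
static void exception_return(cpu_t *cpu, uint32_t imm)
{
    cpu->pc = cpu->lr - imm;
    cpu->cpsr = cpu->spsr;
}

/* Constructed memory image, not the report's binary: the halfword at 0x690
 * is b.n 0x690 (0xe7fe), everything else reads as a Thumb nop (0xbf00). */
static uint16_t fetch16(uint32_t addr) { return addr == 0x690 ? 0xe7fe : 0xbf00; }

/* Thumb T1 unconditional branch: 11100 imm11, target = PC + 4 + imm11 * 2,
 * where imm11 is signed and the Thumb PC reads as insn address + 4. */
static bool is_thumb_b(uint16_t insn) { return (insn & 0xf800) == 0xe000; }

static uint32_t thumb_b_target(uint32_t pc, uint16_t insn)
{
    int32_t imm11 = insn & 0x7ff;
    if (imm11 & 0x400) imm11 -= 0x800;   /* sign-extend the 11-bit field */
    return pc + 4 + (uint32_t)(imm11 * 2);
}

/* One Thumb instruction: a branch moves PC to its target, a nop falls
 * through to the next halfword. */
static uint32_t thumb_step(uint32_t pc)
{
    uint16_t insn = fetch16(pc);
    return is_thumb_b(insn) ? thumb_b_target(pc, insn) : pc + 2;
}

/* Exception return followed by n Thumb steps; returns the final PC. For
 * lr = 0x694 and T set in SPSR the result is 0x690 for every n, because the
 * b.n at 0x690 targets itself; 0x692 is reached only by falling through. */
static uint32_t run_after_return(uint32_t lr, uint32_t spsr, int n)
{
    cpu_t cpu = { 0, lr, 0x12, spsr };   /* 0x12: IRQ mode, ARM state */
    exception_return(&cpu, 4);
    while (n-- > 0 && (cpu.cpsr & CPSR_T)) cpu.pc = thumb_step(cpu.pc);
    return cpu.pc;
}
```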
