I did a bit of digging, and the reason that QEMU is not taking the branch is that when control returns from the exception handler the CPSR ITSTATE fields are non-zero. This means that the branch instruction is UNPREDICTABLE (and therefore falling through is architecturally valid behaviour for QEMU to do). This seems likely to be a guest code bug (corrupted or wrong CPSR restored on return from exception?) -- at any rate I think you should probably start by doing further debugging at the guest code level rather than internally to QEMU.
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1182344

Title:
  ARM: invalid code execution after subs instruction

Status in QEMU:
  New

Bug description:
  I use Qemu (Git 1239b472bb0dba8060f1af29d40dafbc1b2860d4) to test an SMP application on ARM. I use the following command line:

    qemu-system-arm -S -s -net none -nographic -M realview-pbx-a9 -kernel app.exe -m 256M -no-reboot -smp 2 -icount 8

  The application crashes because Qemu executes the B.N instruction wrong after a SUBS (return from interrupt):

    0x00010428 <thread_dispatch_done+12>: vldmia r1!, {d16-d31}
    0x0001042c <thread_dispatch_done+16>: ldr r0, [r1]
    0x00010430 <thread_dispatch_done+20>: add sp, sp, #200 ; 0xc8
    0x00010434 <thread_dispatch_done+24>: vmsr fpscr, r0
    0x00010438 <thread_dispatch_done+28>: ldmfd sp!, {lr}
    0x0001043c <thread_dispatch_done+32>: mov r0, sp
    0x00010440 <thread_dispatch_done+36>: add sp, sp, #28
    0x00010444 <thread_dispatch_done+40>: mrs r1, CPSR
    0x00010448 <thread_dispatch_done+44>: bic r1, r1, #1
    0x0001044c <thread_dispatch_done+48>: msr CPSR_fc, r1
    0x00010450 <thread_dispatch_done+52>: push {r4, r5}
    0x00010454 <thread_dispatch_done+56>: ldm r0, {r0, r1, r2, r3, r4, r5, r12}
    0x00010458 <thread_dispatch_done+60>: mov lr, r4
    0x0001045c <thread_dispatch_done+64>: msr SPSR_fc, r5
    0x00010460 <thread_dispatch_done+68>: pop {r4, r5}
    0x00010464 <thread_dispatch_done+72>: subs pc, lr, #4
    0x00000690 <_Thread_Idle_body+8>: b.n 0x690 <_Thread_Idle_body+8>
    0x00000692: nop
    0x00000694 <__getreent+0>: push {r7, lr}
    0x00000696 <__getreent+2>: add r7, sp, #0
    0x00000698 <__getreent+4>: bl 0x1cf0 <bsp_smp_processor_id>
    0x00001cf0 <bsp_smp_processor_id+0>: push {r7, lr}

  This instruction trace was generated with the attached patch. The

    0x00000690 <_Thread_Idle_body+8>: b.n 0x690 <_Thread_Idle_body+8>

  should jump to itself. Instead the next instruction is executed:

    0x00000692: nop
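Added here as an example, not part of the bug report or of QEMU: a small Python model of the ARMv7 CPSR/SPSR bit fields behind the comment above, so that saved-PSR values pulled from the guest during guest-level debugging can be checked for a non-zero ITSTATE before `subs pc, lr, #4` restores them, and so that the field mask of the `msr SPSR_fc, r5` in the trace can be reproduced. Bit layouts follow the ARMv7-A architecture; every PSR value used is constructed for illustration.

```python
# ARMv7 PSR layout used here: mode bits [4:0], T (Thumb) bit 5, I (IRQ mask) bit 7,
# ITSTATE split as IT[7:2] = bits 15:10 and IT[1:0] = bits 26:25.
MODE_NAMES = {0x10: "usr", 0x11: "fiq", 0x12: "irq", 0x13: "svc",
              0x17: "abt", 0x1b: "und", 0x1f: "sys"}


def itstate(psr: int) -> int:
    """Return the 8-bit ITSTATE assembled from its two CPSR fields."""
    hi = (psr >> 10) & 0x3f   # IT[7:2]
    lo = (psr >> 25) & 0x3    # IT[1:0]
    return (hi << 2) | lo


def decode_psr(psr: int) -> dict:
    """Decode the fields that matter for the exception-return path in the trace."""
    it = itstate(psr)
    return {
        "mode": MODE_NAMES.get(psr & 0x1f, "?"),
        "thumb": bool(psr & (1 << 5)),
        "irq_masked": bool(psr & (1 << 7)),
        "itstate": it,
        # The comment above: with ITSTATE != 0 the b.n after the return is
        # UNPREDICTABLE, so falling through is architecturally permitted.
        "branch_unpredictable": it != 0,
    }


# MSR <psr>_<fields> writes only the fields named in its mask:
# c = bits 7:0, x = bits 15:8, s = bits 23:16, f = bits 31:24.
FIELD_MASKS = {"c": 0x000000ff, "x": 0x0000ff00, "s": 0x00ff0000, "f": 0xff000000}


def msr_fields(old_psr: int, value: int, fields: str) -> int:
    """Model 'MSR xPSR_<fields>, value': only the named byte fields are updated."""
    mask = 0
    for f in fields:
        mask |= FIELD_MASKS[f]
    return (old_psr & ~mask & 0xffffffff) | (value & mask)


def exception_return_ok(spsr: int) -> bool:
    """SUBS pc, lr, #4 copies SPSR into CPSR; the restored ITSTATE must be zero
    for the Thumb branch at the return address to be well-defined."""
    return not decode_psr(spsr)["branch_unpredictable"]


if __name__ == "__main__":
    # Constructed values: Thumb svc mode, once clean and once with a stale IT[7:2].
    clean, stale = 0x00000033, 0x00000433
    print(decode_psr(clean), exception_return_ok(clean))
    print(decode_psr(stale), exception_return_ok(stale))
    # msr SPSR_fc only touches the f and c fields, so the x-field IT bits survive.
    print(hex(msr_fields(stale, clean, "fc")), hex(msr_fields(stale, clean, "fsxc")))
```

The `msr_fields` model shows which bytes of a PSR the `_fc` mask can and cannot change; whether that is relevant to this guest is exactly what the guest-level debugging the comment recommends would establish.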