[Qemu-devel] [PATCH 1/1] AArch64: Fix single stepping of ERET instruction
Previously, single stepping through an ERET instruction via GDB would result in the debugger entering the "next" PC after the ERET instruction. When debugging in kernel mode, this will also cause unintended behavior, because the debugger will try to access memory from the EL0 point of view.
Signed-off-by: Jaroslaw Pelczar <j.pelc...@samsung.com>
--- target/arm/translate-a64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c index 9017e30510..1bc12d93ca 100644 --- a/target/arm/translate-a64.c +++ b/target/arm/translate-a64.c @@ -11348,6 +11348,7 @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu) default: gen_a64_set_pc_im(dc->pc); /* fall through */ +case DISAS_EXIT: case DISAS_JUMP: if (dc->base.singlestep_enabled) { gen_exception_internal(EXCP_DEBUG); -- 2.14.1
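Review bot: the new `case DISAS_EXIT:` label is placed after the `default:` arm's `gen_a64_set_pc_im(dc->pc); /* fall through */`, so a translation block that ends with DISAS_EXIT now raises the single-step debug exception without the translator storing PC first; that is only correct if every instruction ending its TB with DISAS_EXIT has already had its new PC written by a helper, as an exception return does. A one-line comment at the label (e.g. `/* PC already updated by the helper */`) would record that assumption, and the commit message should state explicitly that ERET's translation ends the TB with DISAS_EXIT, since the hunk itself does not show it and a reader cannot otherwise connect the label to the ERET symptom in the title. It is also worth saying that the change affects every DISAS_EXIT instruction, not ERET alone.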
[Qemu-devel] [PATCH 1/1] tcg/tci: Remove unnecessary TODO() for INDEX_op_bswap16_i64
Running Ubuntu with systemd on an AArch64 Cortex-A53, with qemu compiled with ./configure --target-list=aarch64-softmmu --enable-tcg-interpreter, the system gives the following log: Welcome to Ubuntu 16.04.1 LTS! systemd[1]: Set hostname to . TODO (...)/qemu/tcg/tci.c:1049: tcg_qemu_tb_exec() (...)/qemu/tcg/tci.c:1049: tcg fatal error Aborted (core dumped) After investigation it turns out that TCG generates the bswap16_i64 opcode, which looks fine in the implementation.
Signed-off-by: Jaroslaw Pelczar <j.pelc...@samsung.com>
--- tcg/tci.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tcg/tci.c b/tcg/tci.c index 4bdc645..f39bfb9 100644 --- a/tcg/tci.c +++ b/tcg/tci.c @@ -1046,7 +1046,6 @@ uintptr_t tcg_qemu_tb_exec(CPUArchState *env, uint8_t *tb_ptr) break; #if TCG_TARGET_HAS_bswap16_i64 case INDEX_op_bswap16_i64: -TODO(); t0 = *tb_ptr++; t1 = tci_read_r16(_ptr); tci_write_reg64(t0, bswap16(t1)); -- 2.7.4
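Review bot: the justification in the commit message ("which looks fine in the implementation") is an assertion rather than evidence; the lines left behind after the removed `TODO();` (`t0 = *tb_ptr++;`, `t1 = tci_read_r16(...)`, `tci_write_reg64(t0, bswap16(t1));`) do, as their names indicate, read a 16-bit source register, byte-swap it and store the zero-extended result into a 64-bit destination, but the message should say how this was verified, at minimum that the quoted Ubuntu/systemd boot now proceeds past the former "tcg fatal error" abort at tci.c:1049 once the guard is gone. Stating that in the message turns a "looks fine" into a reviewable claim.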
[Qemu-devel] target/arm: Fix abort on exception return from AArch64 to AArch32
The problem manifests itself when we handle the following sequence:
1. 64-bit Secure EL3 returns to 32-bit Secure EL1
2. 32-bit Secure EL1 performs an SMC call to 64-bit Secure EL3
3. 64-bit Secure EL3 performs an ERET return to 32-bit Secure EL1
4. 32-bit Secure EL1 receives a prefetch abort
If the CPU's env->pc is not set to the same value as env->regs[15], during ERET the simulator will try to fetch an instruction from EL3's virtual address inside the 32-bit Secure EL1 virtual address space. This will cause a Prefetch Abort in 32-bit Secure EL1. The problem occurs because of the following code generation scheme:
1. disas_uncond_b_reg will decode ERET
2. gen_helper_exception_return(cpu_env) will generate a thunk to helper_exception_return
3. s->is_jmp is set to DISAS_JUMP
4. gen_intermediate_code_a64 will see dc->is_jmp == DISAS_JUMP
5. tcg_gen_lookup_and_goto_ptr(cpu_pc) will be called, which triggers an access to cpu->pc to fetch the next opcode
At this point cpu->pc will have EL3's PC value.
Signed-off-by: Jaroslaw Pelczar <j.pelc...@samsung.com>
--- target/arm/op_helper.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c index 2a85666..8222c19 100644 --- a/target/arm/op_helper.c +++ b/target/arm/op_helper.c @@ -1027,6 +1027,9 @@ void HELPER(exception_return)(CPUARMState *env) } else { env->regs[15] = env->elr_el[cur_el] & ~0x3; } + +env->pc = env->regs[15]; + qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to " "AArch32 EL%d PC 0x%" PRIx32 "\n", cur_el, new_el, env->regs[15]); -- 2.7.4
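Review bot: the added `env->pc = env->regs[15];` treats the symptom in the helper rather than the cause the commit message itself identifies: the AArch64 translator ends the ERET block with DISAS_JUMP, and tcg_gen_lookup_and_goto_ptr() then consults cpu_pc, which carries no meaning after a return to AArch32, where regs[15] is the architectural PC. The more robust fix belongs in the translator, ending the ERET block with a plain exit from the TB that does not look up cpu_pc, so no helper has to mirror regs[15] into a 64-bit field on the AArch32 path. If the helper-side assignment is kept, it needs a comment explaining why a 32-bit target state writes env->pc, and the message should say whether the AArch32 branch shown here is the only place where such mirroring is needed.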