Public bug reported:

I am working on some mixed C/ASM code for the ARM Cortex-M3, but when I try to simulate it, QEMU crashes with a segmentation fault. The exact instruction it crashes on is a supervisor call from the assembly file. I am using the default Sourcery CodeBench Lite 2011.09-69 for ARM\EABI (not GNU\Linux). The build environment is mingw32 on a Win7 x64 machine.

The following code is what I used to trigger the segmentation fault.

main.c:

    /* Calls into the assembly routine, which raises an SVC exception. */
    extern void testFunc( void );

    int main(void)
    {
        testFunc();
        while(1);
    }

test.s:

    .syntax unified
    .global testFunc
    .global __cs3_isr_svcall
    .text

    /* SVC handler: overrides the default CS3 vector entry and simply
       returns to the instruction after the SVC. */
    .balign 4
    .thumb_func          /* mark as Thumb so the vector/call get bit 0 set */
    __cs3_isr_svcall:
        bx lr

    /* Raises supervisor call number 1; this is the instruction QEMU
       crashes on. */
    .balign 4
    .thumb_func
    testFunc:
        svc #1
        bx lr
    .end

This is built in an MSYS shell with the command:

    arm-none-eabi-gcc -o test1.elf main.c test.s -g -mcpu=cortex-m3 -march=armv7-m -mthumb -lc -lgcc -T generic-m-hosted.ld

The output ELF file is also attached to this bug report.

To get information on the segmentation fault I start QEMU from GDB in a debian-6 virtual machine (VMWare Player). This QEMU is configured with --enable-debug, and the output of this configure is:

    Install prefix    /usr/local
    BIOS directory    /usr/local/share/qemu
    binary directory  /usr/local/bin
    library directory /usr/local/lib
    include directory /usr/local/include
    config directory  /usr/local/etc
    Manual directory  /usr/local/share/man
    ELF interp prefix /usr/gnemul/qemu-%M
    Source path       /home/testbox/Downloads/qemu-1.0
    C compiler        gcc
    Host C compiler   gcc
    CFLAGS            -g
    QEMU_CFLAGS       -fPIE -DPIE -m64 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fstack-protector-all -Wendif-labels -Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration -Wold-style-definition -Wtype-limits -I/usr/include/libpng12
    LDFLAGS           -Wl,--warn-common -Wl,-z,relro -Wl,-z,now -pie -m64 -g
    make              make
    install           install
    python            python
    smbd              /usr/sbin/smbd
    host CPU          x86_64
    host big endian   no
    target list       i386-softmmu x86_64-softmmu alpha-softmmu arm-softmmu cris-softmmu lm32-softmmu m68k-softmmu microblaze-softmmu microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu s390x-softmmu xtensa-softmmu xtensaeb-softmmu i386-linux-user x86_64-linux-user alpha-linux-user arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user microblaze-linux-user microblazeel-linux-user mips-linux-user mipsel-linux-user ppc-linux-user ppc64-linux-user ppc64abi32-linux-user sh4-linux-user sh4eb-linux-user sparc-linux-user sparc64-linux-user sparc32plus-linux-user unicore32-linux-user s390x-linux-user
    tcg debug enabled yes
    Mon debug enabled yes
    gprof enabled     no
    sparse enabled    no
    strip binaries    no
    profiler          no
    static build      no
    -Werror enabled   no
    SDL support       no
    curses support    yes
    curl support      no
    check support     no
    mingw32 support   no
    Audio drivers     oss
    Extra audio cards ac97 es1370 sb16 hda
    Block whitelist
    Mixer emulation   no
    VNC support       yes
    VNC TLS support   yes
    VNC SASL support  no
    VNC JPEG support  yes
    VNC PNG support   yes
    VNC thread        no
    xen support       no
    brlapi support    no
    bluez support     no
    Documentation     yes
    NPTL support      yes
    GUEST_BASE        yes
    PIE               yes
    vde support       no
    Linux AIO support no
    ATTR/XATTR support yes
    Install blobs     yes
    KVM support       yes
    TCG interpreter   no
    fdt support       no
    preadv support    yes
    fdatasync         yes
    madvise           yes
    posix_madvise     yes
    uuid support      no
    vhost-net support yes
    Trace backend     nop
    Trace output file trace-<pid>
    spice support     no
    rbd support       no
    xfsctl support    no
    nss used          no
    usb net redir     no
    OpenGL support    yes
    libiscsi support  no
    build guest agent yes

The result of the debug session in GDB (note the parameters to QEMU on the command line):

    testbox@debian-6-testbox:/mnt/build_test1$ gdb -args /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb tcp::2200
    GNU gdb (GDB) 7.3.1
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-unknown-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm...done.
    (gdb) run
    Starting program: /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb tcp::2200
    [Thread debugging using libthread_db enabled]
    [New Thread 0x7ffff36a2700 (LWP 4139)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff36a2700 (LWP 4139)]
    0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11) at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
    154         if (GIC_TEST_PENDING(irq, cm))
    (gdb) thread apply all bt full

    Thread 2 (Thread 0x7ffff36a2700 (LWP 4139)):
    #0  0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11) at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
            cm = 1
    #1  0x00007ffff7dc228f in armv7m_nvic_set_pending (opaque=0x0, irq=11) at /home/testbox/Downloads/qemu-1.0/hw/armv7m_nvic.c:95
            s = 0x0
    #2  0x00007ffff7df39c7 in do_interrupt_v7m (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:788
            xpsr = 1627389952
            lr = 4294967289
            addr = 1243751108
    #3  0x00007ffff7df3c3d in do_interrupt (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:850
            addr = 32767
            mask = 4128067360
            new_mode = 0
            offset = 0
    #4  0x00007ffff7dc8cbc in cpu_arm_exec (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpu-exec.c:257
            ret = 0
            interrupt_request = 0
            tb = 0x7ffff36a4120
            tc_ptr = 0x400020f0 "\277\002"
            next_tb = 140737277214896
    #5  0x00007ffff7dcb824 in tcg_cpu_exec (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpus.c:1007
            ret = 16809983
    #6  0x00007ffff7dcb93d in tcg_exec_all () at /home/testbox/Downloads/qemu-1.0/cpus.c:1039
            env = 0x7ffff8abb810
            r = 0
    #7  0x00007ffff7dcaf2d in qemu_tcg_cpu_thread_fn (arg=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpus.c:774
            env = 0x0
    #8  0x00007ffff60ca8ba in start_thread () from /lib/libpthread.so.0
    No symbol table info available.
    #9  0x00007ffff5e3202d in clone () from /lib/libc.so.6
    No symbol table info available.
    #10 0x0000000000000000 in ?? ()
    No symbol table info available.

    Thread 1 (Thread 0x7ffff7b8e700 (LWP 4136)):
    #0  0x00007ffff5e2b8d3 in select () from /lib/libc.so.6
    No symbol table info available.
    #1  0x00007ffff7d1cb93 in main_loop_wait (nonblocking=0) at main-loop.c:456
            rfds = {fds_bits = {3456, 0 <repeats 15 times>}}
            wfds = {fds_bits = {0 <repeats 16 times>}}
            xfds = {fds_bits = {0 <repeats 16 times>}}
            ret = 32767
            nfds = 11
            tv = {tv_sec = 0, tv_usec = 996976}
            timeout = 1000
    #2  0x00007ffff7d14628 in main_loop () at /home/testbox/Downloads/qemu-1.0/vl.c:1481
            nonblocking = false
            last_io = 0
    #3  0x00007ffff7d19484 in main (argc=13, argv=0x7fffffffe268, envp=0x7fffffffe2d8) at /home/testbox/Downloads/qemu-1.0/vl.c:3485
            gdbstub_dev = 0x7fffffffe5ee "tcp::2200"
            i = 64
            snapshot = 0
            linux_boot = 1
            icount_option = 0x0
            initrd_filename = 0x0
            kernel_filename = 0x7fffffffe5df "test1.elf"
            kernel_cmdline = 0x7ffff7f594af ""
            boot_devices = "cad", '\000' <repeats 29 times>
            ds = 0x7ffff8ccbdb0
            dcl = 0x0
            cyls = 0
            heads = 0
            secs = 0
            translation = 0
            hda_opts = 0x0
            opts = 0x7fffffffe020
            olist = 0x7ffff7b92358
            optind = 13
            optarg = 0x7fffffffe5ee "tcp::2200"
            loadvm = 0x0
            machine = 0x7ffff82796c0
            cpu_model = 0x7fffffffe59a "cortex-m3"
            pid_file = 0x0
            incoming = 0x0
            show_vnc_port = 0
            defconfig = 1
            log_mask = 0x0
            log_file = 0x0
            mem_trace = {malloc = 0x7ffff7d15ed0 <malloc_and_trace>, realloc = 0x7ffff7d15f28 <realloc_and_trace>, free = 0x7ffff7d15f8f <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
            trace_events = 0x0
            trace_file = 0x0
    (gdb)

Also tested with GIT commit c47f322 (Wed, 4 Jan 2012 16:06:25). This produces the same crash, but the line in the source file arm_gic.c it crashes on has moved to 161.

I hope I have supplied all the necessary information.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/912216

Title:
  ARM: QEMU crashes with segmentation fault on supervisor call

Status in QEMU:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/912216/+subscriptions
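The backtrace above is typical of a NULL-pointer crash: the faulting frame (#0, s=0x0) is not where the bad pointer came from, and the useful triage question is which frame first received the NULL and who called it. The following is an added example, not code from the bug report or from QEMU: a small parser for GDB "bt" / "bt full" output that extracts the frames and walks outward to the deepest frame that received a NULL pointer argument, reporting its caller as the site to inspect. The sample input is the thread-2 backtrace from the report, re-flowed one frame per line with the locals dropped; the "0x0 means NULL pointer" rule relies on GDB printing pointer arguments in hex and plain integers in decimal.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the thread-2 frames from the GDB session in the bug
# report above, one frame per line, locals omitted.
SAMPLE_BACKTRACE = """\
#0  0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11) at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
#1  0x00007ffff7dc228f in armv7m_nvic_set_pending (opaque=0x0, irq=11) at /home/testbox/Downloads/qemu-1.0/hw/armv7m_nvic.c:95
#2  0x00007ffff7df39c7 in do_interrupt_v7m (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:788
#3  0x00007ffff7df3c3d in do_interrupt (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:850
#4  0x00007ffff7dc8cbc in cpu_arm_exec (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpu-exec.c:257
#5  0x00007ffff7dcb824 in tcg_cpu_exec (env=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpus.c:1007
#6  0x00007ffff7dcb93d in tcg_exec_all () at /home/testbox/Downloads/qemu-1.0/cpus.c:1039
#7  0x00007ffff7dcaf2d in qemu_tcg_cpu_thread_fn (arg=0x7ffff8abb810) at /home/testbox/Downloads/qemu-1.0/cpus.c:774
#8  0x00007ffff60ca8ba in start_thread () from /lib/libpthread.so.0
#9  0x00007ffff5e3202d in clone () from /lib/libc.so.6
#10 0x0000000000000000 in ?? ()
"""

# One GDB frame line: "#N  [0xADDR in ]func (args) [at file:line | from lib]".
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<func>[^\s(]+)\s*\((?P<args>[^)]*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?"
)


@dataclass
class Frame:
    num: int
    func: str
    args: Dict[str, str] = field(default_factory=dict)
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None

    def location(self) -> str:
        return f"{self.file}:{self.line}" if self.file else (self.lib or "?")


def parse_args(raw: str) -> Dict[str, str]:
    """Turn 's=0x0, cpu=0, irq=11' into an ordered name -> printed-value map."""
    args: Dict[str, str] = {}
    for part in raw.split(","):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            args[name.strip()] = value.strip()
    return args


def parse_backtrace(text: str) -> List[Frame]:
    """Keep only frame lines; 'bt full' locals and pager prompts are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        frames.append(Frame(
            num=int(m.group("num")),
            func=m.group("func"),
            args=parse_args(m.group("args")),
            file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
            lib=m.group("lib"),
        ))
    frames.sort(key=lambda f: f.num)
    return frames


def null_pointer_args(frames: List[Frame]) -> List[Tuple[int, str]]:
    """(frame number, argument name) for every argument GDB printed as 0x0.
    GDB prints pointers in hex and integers in decimal, so 'cpu=0' is not a
    pointer but 's=0x0' is a NULL one."""
    return [(f.num, name) for f in frames
            for name, value in f.args.items() if value == "0x0"]


def find_null_origin(frames: List[Frame]) -> Optional[dict]:
    """Deepest (highest-numbered) frame that still holds a NULL pointer
    argument, plus its caller: the caller is where the NULL was passed in."""
    nulls = null_pointer_args(frames)
    if not nulls:
        return None
    deepest_num, arg = max(nulls, key=lambda t: t[0])
    by_num = {f.num: f for f in frames}
    callee = by_num[deepest_num]
    caller = by_num.get(deepest_num + 1)
    return {
        "callee": callee.func,
        "arg": arg,
        "callee_location": callee.location(),
        "caller": caller.func if caller else None,
        "caller_location": caller.location() if caller else None,
        "caller_line": caller.line if caller else None,
    }


if __name__ == "__main__":
    frames = parse_backtrace(SAMPLE_BACKTRACE)
    for f in frames:
        print(f"#{f.num:<3}{f.func}({', '.join(f'{k}={v}' for k, v in f.args.items())}) at {f.location()}")
    print(find_null_origin(frames))
```

On the report's backtrace this points past the faulting gic_set_pending_private frame to armv7m_nvic_set_pending(opaque=0x0) at armv7m_nvic.c:95, and names do_interrupt_v7m at helper.c:788 as the caller that handed the NVIC code a NULL opaque; that caller, not the GIC line the SIGSEGV lands on, is where the investigation should start.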