[Qemu-devel] bug: qemu-0.9.0 emulating mipsel (32-bit R3000) on amd64

[John Reiser <jreiser@BitWagon.com>]

Hi,

qemu-0.9.0 compiled and running on Debian 2.6.18-4-amd64,
[compiled by gcc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)],
emulating Debian 2.6.18-4-qemu mipsel (32-bit MIPS R3000 little endian),
errs when gdb 6.4.90-debian (running on the emulated mipsel)
single-steps the user-mode instruction:
	lw      a2,-44(s7)
After single-stepping the 'lw', then register a2 contains garbage
instead of the memory contents at address -44(s7).
This is reproducible every time (and the bad value is the same.)
Also, executing the 'lw' by some means other than single stepping
(such as by setting a breakpoint _beyond_ the 'lw' and continuing)
apparently works correctly.

Here is the gdb console log:
-----
0x001060e4 in ?? ()
0x1060e4:       lw      a2,-44(s7)
(gdb) p $a2
$3 = 0x0
(gdb) x/x $s7-44
0x105458:       0x00120000
(gdb) g   # step one instruction and show next instruction
warning: GDB can't find the start of the function at 0x1060e8.
warning: GDB can't find the start of the function at 0x1060e8.
0x001060e8 in ?? ()
0x1060e8:       addiu   sp,sp,-32
(gdb) p $a2
$4 = 0x5000d
-----
where 'g' is a single-step macro for gdb:
   define g
   stepi
   x/i $pc
   end

I have posted the user-mode executable (28KB) at
    http://bitwagon.com/ftp/date.qemu-0.9.0.bug
The complete gdb session is eight (8) instructions:
-----
(gdb) set output-radix 16
(gdb) run
Program received signal SIGTRAP, Trace/breakpoint trap.
0x00105478 in ?? ()   # the entry point
(gdb) x/i $pc
0x105478:       break
(gdb) set $pc+=4   # skip over the 'break' at entry
(gdb) x/i $pc
0x10547c:       bal     0x10617c    # use 'g' or 'stepi' 5 times
0x105480:         addiu   s7,ra,0   # delay slot; executed but not stopped
0x10617c:       lw      s5,-48(s7)  # this 'lw' executes correctly
0x106180:       bal     0x1060e0
0x106184:         move    s6,ra   # delay slot
0x1060e0:       addiu   s5,s5,-92
0x1060e4:       lw      a2,-44(s7)  # bug: register a2 gets bad value
0x1060e8:       addiu   sp,sp,-32
(gdb) p $a2
$1 = 0x5000d   # (Even after allowing for 1-cycle load delay.)
(gdb) x/x $s7-44
0x105458:       0x00120000   # value that should be in register a2, but is not
-----

The emulated Debian system was installed using the directions at
   http://www.aurel32.net/info/debian_mips_qemu.php
and the actual installed kernel and initrd was:
   http://people.debian.org/~ths/d-i/mipsel/images/20070503-02:00/qemu/netboot/initrd.gz
   http://people.debian.org/~ths/d-i/mipsel/images/20070503-02:00/qemu/netboot/vmlinux-2.6.18-4-qemu
After installation, then the emulation is invoked by:
   qemu-system-mipsel -kernel vmlinux-2.6.18-4-qemu -initrd initrd.gz \
        -hda hda.img -append "root=/dev/hda1 console=ttyS0" -nographic \
        -net nic -net tap
The gdb transcript was copy+paste from an xterm running ssh into the
emulated system.  ["apt-get install ssh" on the emulated system.]

Please suggest how to find and fix this bug?
(It's hard to remember to avoid single-stepping 'lw'.)

-- 
John Reiser, jreiser@BitWagon.com