[Qemu-devel] [Bug 1031698] [NEW] Missing PPC TRACE exception on a branch

[Qemu-devel] [Bug 1031698] [NEW] Missing PPC TRACE exception on a branch

[Christophe PLE]

Public bug reported:

I am using qemu-1.1.1-1 to emulate a PPC PREP machine on intel host
linux ubuntu 11-10

In the following example, i will show that the POWERPC TRACE exception
at vector 0xD00 is not taken when executing a specific kind of branch.


I have the following stand-alone assembly source code for powerpc in file SE_TEST.s


	.text
	.global	_start


_start:

/* copy vector handler at address 0xD00 */
	addis	3,0,(0xD00)@ha
	addi 	3,3,(0xD00)@l
	addis	4,0,(vector_handler)@ha
	addi 	4,4,(vector_handler)@l
	addi	3,3,-4
	addi	4,4,-4
	lwzu	7,4(4)
	stwu	7,4(3)
	lwzu	7,4(4)
	stwu	7,4(3)
	lwzu	7,4(4)
	stwu	7,4(3)
	lwzu	7,4(4)
	stwu	7,4(3)


/* set branch address in SRR0 register */	
	addis	3,0,(branch)@ha
	addi 	3,3,(branch)@l
	mtspr	26,3

/* Read MSR */
/* Set SE bit and clear IP bit then set value in SSR1 */
	 		
	mfmsr	4
	ori	4,4,0x0400
	andi.	4,4,0xFFBF
	mtspr	27,4
/* Set CR condition to execute not taken branch after rfi */	
	addi	5,0,0
	cmpi	0,5,0
	rfi
	nop
	nop
	nop
	
branch:	
	bne     down       <- branch where the error is.
branch_plus_1:	
	nop
branch_plus_2:	
	nop
down:	nop
	nop
	nop
	nop

vector_handler:	
	mfspr	6,26
	nop
	nop
	nop
	

It compiles with powerpc-eabi-gcc SE_TEST.s -o SE_TEST.elf


Then I run Qemu with the command : "./qemu-system-ppc -M prep -s -S"

Then i run a cross gdb with the command: "powerpc-eabi-gdb --nx"

On gdb prompt i execute the following gdb command :

file SE_TEST.elf
target remote :1234
load SE_TEST.elf
set $pc =_start
b *0xD08
c

echo "srr0 value in trace handler  "
p/x $r6
echo "address of branch_plus_1   "
p/x &branch_plus_1
echo "address of branch_plus_2   "
p/x &branch_plus_2

The gdb command windows display the result:

(gdb) so co
0xfffffffc in ?? ()
Loading section .init, size 0x24 lma 0x1800074
Loading section .text, size 0x26c lma 0x1800098
Loading section .fini, size 0x20 lma 0x1800304
Loading section .eh_frame, size 0x8 lma 0x1810324
Loading section .ctors, size 0x8 lma 0x181032c
Loading section .dtors, size 0x8 lma 0x1810334
Loading section .jcr, size 0x4 lma 0x181033c
Loading section .data, size 0x4 lma 0x1810340
Start address 0x1800200, load size 720
Transfer rate: 5760 bits in <1 sec, 90 bytes/write.
Breakpoint 1 at 0xd08

Breakpoint 1, 0x00000d08 in ?? ()
"srr0 value in trace handler  "$1 = 0x1800274
"address of branch_plus_1   "$2 = 0x1800270
"address of branch_plus_2   "$3 = 0x1800274


In trace exception handler, the SRR0 register value should be the value of address just following the branch id 0x1800270.
But it is not the case, the SRR0 value is the address of the next next instruction after the branch instruction.

It seems that the singlestep exception was not taken after executing the
"bne down" instruction but was taken after executing the first following
nop instruction.

I have make some other test with other kind of branch, the behaviour is
correct and only for a conditionnal branch when it is not taken with
issue appears.

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1031698

Title:
  Missing PPC TRACE exception on a branch

Status in QEMU:
  New

Bug description:
  I am using qemu-1.1.1-1 to emulate a PPC PREP machine on intel host
  linux ubuntu 11-10

  In the following example, i will show that the POWERPC TRACE exception
  at vector 0xD00 is not taken when executing a specific kind of branch.

  
  I have the following stand-alone assembly source code for powerpc in file SE_TEST.s

  
  	.text
  	.global	_start

  
  _start:

  /* copy vector handler at address 0xD00 */
  	addis	3,0,(0xD00)@ha
  	addi 	3,3,(0xD00)@l
  	addis	4,0,(vector_handler)@ha
  	addi 	4,4,(vector_handler)@l
  	addi	3,3,-4
  	addi	4,4,-4
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)

  
  /* set branch address in SRR0 register */	
  	addis	3,0,(branch)@ha
  	addi 	3,3,(branch)@l
  	mtspr	26,3

  /* Read MSR */
  /* Set SE bit and clear IP bit then set value in SSR1 */
  	 		
  	mfmsr	4
  	ori	4,4,0x0400
  	andi.	4,4,0xFFBF
  	mtspr	27,4
  /* Set CR condition to execute not taken branch after rfi */	
  	addi	5,0,0
  	cmpi	0,5,0
  	rfi
  	nop
  	nop
  	nop
  	
  branch:	
  	bne     down       <- branch where the error is.
  branch_plus_1:	
  	nop
  branch_plus_2:	
  	nop
  down:	nop
  	nop
  	nop
  	nop

  vector_handler:	
  	mfspr	6,26
  	nop
  	nop
  	nop
  	

  It compiles with powerpc-eabi-gcc SE_TEST.s -o SE_TEST.elf

  
  Then I run Qemu with the command : "./qemu-system-ppc -M prep -s -S"

  Then i run a cross gdb with the command: "powerpc-eabi-gdb --nx"

  On gdb prompt i execute the following gdb command :

  file SE_TEST.elf
  target remote :1234
  load SE_TEST.elf
  set $pc =_start
  b *0xD08
  c

  echo "srr0 value in trace handler  "
  p/x $r6
  echo "address of branch_plus_1   "
  p/x &branch_plus_1
  echo "address of branch_plus_2   "
  p/x &branch_plus_2

  The gdb command windows display the result:

  (gdb) so co
  0xfffffffc in ?? ()
  Loading section .init, size 0x24 lma 0x1800074
  Loading section .text, size 0x26c lma 0x1800098
  Loading section .fini, size 0x20 lma 0x1800304
  Loading section .eh_frame, size 0x8 lma 0x1810324
  Loading section .ctors, size 0x8 lma 0x181032c
  Loading section .dtors, size 0x8 lma 0x1810334
  Loading section .jcr, size 0x4 lma 0x181033c
  Loading section .data, size 0x4 lma 0x1810340
  Start address 0x1800200, load size 720
  Transfer rate: 5760 bits in <1 sec, 90 bytes/write.
  Breakpoint 1 at 0xd08

  Breakpoint 1, 0x00000d08 in ?? ()
  "srr0 value in trace handler  "$1 = 0x1800274
  "address of branch_plus_1   "$2 = 0x1800270
  "address of branch_plus_2   "$3 = 0x1800274

  
  In trace exception handler, the SRR0 register value should be the value of address just following the branch id 0x1800270.
  But it is not the case, the SRR0 value is the address of the next next instruction after the branch instruction.

  It seems that the singlestep exception was not taken after executing
  the "bne down" instruction but was taken after executing the first
  following nop instruction.

  I have make some other test with other kind of branch, the behaviour
  is correct and only for a conditionnal branch when it is not taken
  with issue appears.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1031698/+subscriptions

[Qemu-devel] [Bug 1031698] Re: Missing PPC TRACE exception on a branch

[Samuel Bronson]

** Tags added: ppc

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1031698

Title:
  Missing PPC TRACE exception on a branch

Status in QEMU:
  New

Bug description:
  I am using qemu-1.1.1-1 to emulate a PPC PREP machine on intel host
  linux ubuntu 11-10

  In the following example, i will show that the POWERPC TRACE exception
  at vector 0xD00 is not taken when executing a specific kind of branch.

  
  I have the following stand-alone assembly source code for powerpc in file SE_TEST.s

  
  	.text
  	.global	_start

  
  _start:

  /* copy vector handler at address 0xD00 */
  	addis	3,0,(0xD00)@ha
  	addi 	3,3,(0xD00)@l
  	addis	4,0,(vector_handler)@ha
  	addi 	4,4,(vector_handler)@l
  	addi	3,3,-4
  	addi	4,4,-4
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)

  
  /* set branch address in SRR0 register */	
  	addis	3,0,(branch)@ha
  	addi 	3,3,(branch)@l
  	mtspr	26,3

  /* Read MSR */
  /* Set SE bit and clear IP bit then set value in SSR1 */
  	 		
  	mfmsr	4
  	ori	4,4,0x0400
  	andi.	4,4,0xFFBF
  	mtspr	27,4
  /* Set CR condition to execute not taken branch after rfi */	
  	addi	5,0,0
  	cmpi	0,5,0
  	rfi
  	nop
  	nop
  	nop
  	
  branch:	
  	bne     down       <- branch where the error is.
  branch_plus_1:	
  	nop
  branch_plus_2:	
  	nop
  down:	nop
  	nop
  	nop
  	nop

  vector_handler:	
  	mfspr	6,26
  	nop
  	nop
  	nop
  	

  It compiles with powerpc-eabi-gcc SE_TEST.s -o SE_TEST.elf

  
  Then I run Qemu with the command : "./qemu-system-ppc -M prep -s -S"

  Then i run a cross gdb with the command: "powerpc-eabi-gdb --nx"

  On gdb prompt i execute the following gdb command :

  file SE_TEST.elf
  target remote :1234
  load SE_TEST.elf
  set $pc =_start
  b *0xD08
  c

  echo "srr0 value in trace handler  "
  p/x $r6
  echo "address of branch_plus_1   "
  p/x &branch_plus_1
  echo "address of branch_plus_2   "
  p/x &branch_plus_2

  The gdb command windows display the result:

  (gdb) so co
  0xfffffffc in ?? ()
  Loading section .init, size 0x24 lma 0x1800074
  Loading section .text, size 0x26c lma 0x1800098
  Loading section .fini, size 0x20 lma 0x1800304
  Loading section .eh_frame, size 0x8 lma 0x1810324
  Loading section .ctors, size 0x8 lma 0x181032c
  Loading section .dtors, size 0x8 lma 0x1810334
  Loading section .jcr, size 0x4 lma 0x181033c
  Loading section .data, size 0x4 lma 0x1810340
  Start address 0x1800200, load size 720
  Transfer rate: 5760 bits in <1 sec, 90 bytes/write.
  Breakpoint 1 at 0xd08

  Breakpoint 1, 0x00000d08 in ?? ()
  "srr0 value in trace handler  "$1 = 0x1800274
  "address of branch_plus_1   "$2 = 0x1800270
  "address of branch_plus_2   "$3 = 0x1800274

  
  In trace exception handler, the SRR0 register value should be the value of address just following the branch id 0x1800270.
  But it is not the case, the SRR0 value is the address of the next next instruction after the branch instruction.

  It seems that the singlestep exception was not taken after executing
  the "bne down" instruction but was taken after executing the first
  following nop instruction.

  I have make some other test with other kind of branch, the behaviour
  is correct and only for a conditionnal branch when it is not taken
  with issue appears.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1031698/+subscriptions

[Qemu-devel] [Bug 1031698] Re: Missing PPC TRACE exception on a branch

[Michael Tokarev]

This is fixed by qemu commit f0cc4aa8450376ca2aee3ebb09db71f9f2ff333b
which went into qemu-1.3 release.

** Changed in: qemu
       Status: New => Fix Committed

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1031698

Title:
  Missing PPC TRACE exception on a branch

Status in QEMU:
  Fix Released

Bug description:
  I am using qemu-1.1.1-1 to emulate a PPC PREP machine on intel host
  linux ubuntu 11-10

  In the following example, i will show that the POWERPC TRACE exception
  at vector 0xD00 is not taken when executing a specific kind of branch.

  
  I have the following stand-alone assembly source code for powerpc in file SE_TEST.s

  
  	.text
  	.global	_start

  
  _start:

  /* copy vector handler at address 0xD00 */
  	addis	3,0,(0xD00)@ha
  	addi 	3,3,(0xD00)@l
  	addis	4,0,(vector_handler)@ha
  	addi 	4,4,(vector_handler)@l
  	addi	3,3,-4
  	addi	4,4,-4
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)
  	lwzu	7,4(4)
  	stwu	7,4(3)

  
  /* set branch address in SRR0 register */	
  	addis	3,0,(branch)@ha
  	addi 	3,3,(branch)@l
  	mtspr	26,3

  /* Read MSR */
  /* Set SE bit and clear IP bit then set value in SSR1 */
  	 		
  	mfmsr	4
  	ori	4,4,0x0400
  	andi.	4,4,0xFFBF
  	mtspr	27,4
  /* Set CR condition to execute not taken branch after rfi */	
  	addi	5,0,0
  	cmpi	0,5,0
  	rfi
  	nop
  	nop
  	nop
  	
  branch:	
  	bne     down       <- branch where the error is.
  branch_plus_1:	
  	nop
  branch_plus_2:	
  	nop
  down:	nop
  	nop
  	nop
  	nop

  vector_handler:	
  	mfspr	6,26
  	nop
  	nop
  	nop
  	

  It compiles with powerpc-eabi-gcc SE_TEST.s -o SE_TEST.elf

  
  Then I run Qemu with the command : "./qemu-system-ppc -M prep -s -S"

  Then i run a cross gdb with the command: "powerpc-eabi-gdb --nx"

  On gdb prompt i execute the following gdb command :

  file SE_TEST.elf
  target remote :1234
  load SE_TEST.elf
  set $pc =_start
  b *0xD08
  c

  echo "srr0 value in trace handler  "
  p/x $r6
  echo "address of branch_plus_1   "
  p/x &branch_plus_1
  echo "address of branch_plus_2   "
  p/x &branch_plus_2

  The gdb command windows display the result:

  (gdb) so co
  0xfffffffc in ?? ()
  Loading section .init, size 0x24 lma 0x1800074
  Loading section .text, size 0x26c lma 0x1800098
  Loading section .fini, size 0x20 lma 0x1800304
  Loading section .eh_frame, size 0x8 lma 0x1810324
  Loading section .ctors, size 0x8 lma 0x181032c
  Loading section .dtors, size 0x8 lma 0x1810334
  Loading section .jcr, size 0x4 lma 0x181033c
  Loading section .data, size 0x4 lma 0x1810340
  Start address 0x1800200, load size 720
  Transfer rate: 5760 bits in <1 sec, 90 bytes/write.
  Breakpoint 1 at 0xd08

  Breakpoint 1, 0x00000d08 in ?? ()
  "srr0 value in trace handler  "$1 = 0x1800274
  "address of branch_plus_1   "$2 = 0x1800270
  "address of branch_plus_2   "$3 = 0x1800274

  
  In trace exception handler, the SRR0 register value should be the value of address just following the branch id 0x1800270.
  But it is not the case, the SRR0 value is the address of the next next instruction after the branch instruction.

  It seems that the singlestep exception was not taken after executing
  the "bne down" instruction but was taken after executing the first
  following nop instruction.

  I have make some other test with other kind of branch, the behaviour
  is correct and only for a conditionnal branch when it is not taken
  with issue appears.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1031698/+subscriptions