From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:42251)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <serge.fdrv@gmail.com>) id 1ZTvfT-0008Nb-7U
	for qemu-devel@nongnu.org; Mon, 24 Aug 2015 13:36:24 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <serge.fdrv@gmail.com>) id 1ZTvfN-0004aB-Tb
	for qemu-devel@nongnu.org; Mon, 24 Aug 2015 13:36:23 -0400
Received: from mail-la0-x22e.google.com ([2a00:1450:4010:c03::22e]:35181)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <serge.fdrv@gmail.com>) id 1ZTvfN-0004Wa-GC
	for qemu-devel@nongnu.org; Mon, 24 Aug 2015 13:36:17 -0400
Received: by labgv11 with SMTP id gv11so14619576lab.2
	for <qemu-devel@nongnu.org>; Mon, 24 Aug 2015 10:36:15 -0700 (PDT)
Message-ID: <55DB560D.5060108@gmail.com>
Date: Mon, 24 Aug 2015 20:36:13 +0300
From: Sergey Fedorov <serge.fdrv@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] ARM softmmu breakpoint misbehavior
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: QEMU Developers <qemu-devel@nongnu.org>
Cc: Peter Maydell <peter.maydell@linaro.org>

Hi all,

Seems there is a bug in ARM breakpoint emulation. I am not sure how to
fix it and I would appreciate any suggestion. It is best illustrated by
a simple test which sets up and enables an unlinked address match
breakpoint but does not enable debug exceptions globally by
MDSCR_EL1.MDE bit.

cat >test.s <<EOF               
    .text
    .global _start
_start:
    adr     x0, bp
    msr     dbgbvr0_el1, x0
    mov     x0, #1
    orr     x0, x0, #(0xf << 5)
    msr     dbgbcr0_el1, x0
bp:
    nop
    wfi
    b       .
EOF

aarch64-linux-gnu-as -o test.o test.s
aarch64-linux-gnu-ld -Ttext=0x40000000 -o test.elf test.o
qemu-system-aarch64 -nographic -machine virt -cpu cortex-a57 -kernel
test.elf -D qemu.log -d in_asm,exec -singlestep

First, it fails with segmentation fault. What actually happens is a CPU
breakpoint is inserted in hw_breakpoint_update(). After that, when
translating bp() an internal debug exception is generated in
gen_intermediate_code_internal_a64() since there is a CPU breakpoint
which matches the address of the instruction being translated. Then
arm_debug_excp_handler() get called in order to handle this breakpoint.
It calls check_breakpoints() and discovers there is no breakpoints
enabled since MDSCR_EL1.MDE is not set. It simply returns and we
eventually get to cpu_handle_guest_debug(), then gdb_set_stop_cpu()
which does segmentation fault.

I managed to avoid this segmentation fault with this patch:

diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 663c05d..223b939 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -889,6 +889,15 @@ void arm_debug_excp_handler(CPUState *cs)
             }
         }
     } else {
+        CPUBreakpoint *bp;
+        uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
+
+        QTAILQ_FOREACH(bp, &cs->breakpoints, entry) {
+            if (bp->pc == pc && !(bp->flags & BP_CPU)) {
+                return;
+            }
+        }
+
         if (check_breakpoints(cpu)) {
             bool same_el = (arm_debug_target_el(env) ==
arm_current_el(env));
             if (extended_addresses_enabled(env)) {
@@ -900,6 +909,8 @@ void arm_debug_excp_handler(CPUState *cs)
             raise_exception(env, EXCP_PREFETCH_ABORT,
                             syn_breakpoint(same_el),
                             arm_debug_target_el(env));
+        } else {
+            cpu_resume_from_signal(cs, NULL);
         }
     }
 }

The patch adds a check for non-CPU breakpoints first, then calls
cpu_resume_from_signal() if no CPU breakpoint matches.

With this patch Qemu hangs generating internal debug exception over and
over:

head -40 qemu.log
----------------
IN:
0x0000000040000000:  100000a0      adr x0, #+0x14 (addr 0x40000014)

Trace 0x7ff11e237000 [0000000040000000]
----------------
IN:
0x0000000040000004:  d5100080      msr (unknown), x0

Trace 0x7ff11e237040 [0000000040000004]
----------------
IN:
0x0000000040000008:  d2800020      mov x0, #0x1

Trace 0x7ff11e237080 [0000000040000008]
----------------
IN:
0x000000004000000c:  b27b0c00      orr x0, x0, #0x1e0

Trace 0x7ff11e2370c0 [000000004000000c]
----------------
IN:
0x0000000040000010:  d51000a0      msr (unknown), x0

Trace 0x7ff11e237110 [0000000040000010]
----------------
IN:
0x0000000040000014:  d503201f      nop
Disassembler disagrees with translator over instruction decoding
Please report this to qemu-devel@nongnu.org

Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]
Trace 0x7ff11e237150 [0000000040000014]

It looks like a bug, but I actually have no idea how would be best to
overcome this situation. I would be thankful for any suggestion :)

Best regards,
Sergey