From: Anup Patel <757702@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [Bug 757702] Re: Undefined instruction exception starts at offset 0x8 instead of 0x4
Date: Tue, 12 Apr 2011 11:03:37 -0000 [thread overview]
Message-ID: <BANLkTi=5YP11QszpVTfqzYdr91D9nMFWMA@mail.gmail.com> (raw)
In-Reply-To: 20110412104919.23935.45193.malone@wampee.canonical.com
Actually, the undefined instruction that I have used is documented as
undefined at two places in "ARM Instruction Set Encoding" section of ARMv7a
reference manual:
1. Refer "Table A5-22 Supervisor Call, and coprocessor instructions"
2. Refer "A8.6.188 STC, STC2"
So you see one can easily get confused that this instruction belongs to STC
space. Actually speaking this UNDEF instruction spans not only in STC space
but also in LDC space.
--Anup
On Tue, Apr 12, 2011 at 4:19 PM, Peter Maydell
<peter.maydell@linaro.org>wrote:
> > Also, the instruction "0xec019800" does not belong to STC instruction
> space.
>
> Yes it does. STC encoding A1 is: cond:4 110 p u d w 0 rn:4 crd:4 coproc:4
> imm:8
> For STC the combination of P=0 U=0 D=0 W=0 is UNDEFINED, but it's still in
> STC space. This is not "permanently UNDEF", it might be allocated to do
> something in future.
>
> > PFA, my test elf file.
>
> Thanks. Your test case appears to be broken in that it doesn't actually set
> up the vector table at address 0:
> cam-vm-266:karmic:qemu-misc-tests$ objdump --disassemble
> ~/Desktop/arm_test.elf |less
>
> [...]
> Disassembly of section .text:
>
> 00100000 <_start_vect>:
> 100000: e59ff018 ldr pc, [pc, #24] ; 100020 <__reset>
> 100004: e59ff018 ldr pc, [pc, #24] ; 100024
> <__undefined_instruction>
> 100008: e59ff018 ldr pc, [pc, #24] ; 100028
> <__software_interrupt>
> 10000c: e59ff018 ldr pc, [pc, #24] ; 10002c
> <__prefetch_abort>
> 100010: e59ff018 ldr pc, [pc, #24] ; 100030
> <__data_abort>
> 100014: e59ff018 ldr pc, [pc, #24] ; 100034
> <__not_used>
> 100018: e59ff018 ldr pc, [pc, #24] ; 100038 <__irq>
> 10001c: e59ff018 ldr pc, [pc, #24] ; 10003c <__fiq>
>
> So what happens is:
> 0x00100000: e59ff018 ldr pc, [pc, #24] # qemu starts us at the ELF
> entry point
> 0x00100054: e3a08000 mov r8, #0 ; 0x0
> 0x00100054: e3a08000 mov r8, #0 ; 0x0
> 0x00100058: ec019800 stc 8, cr9, [r1], {0} # here's our UNDEF
> 0x00000004: 00000000 andeq r0, r0, r0 # jump to UNDEF vector
> at 0x4 as expected
> ...but since nothing was loaded at address 0 the code is all NOPs and we
> just execute through it...
> 0x00000008: 00000000 andeq r0, r0, r0
> 0x0000000c: 00000000 andeq r0, r0, r0
> 0x00000010: 00000000 andeq r0, r0, r0
> ...etc...
>
> and eventually we fall into the actual image start at 0x100000, and we
> go round in a big loop.
>
> You can tell we're going to the correct vector if you ask gdb to put a
> breakpoint there with "break *0x4" -- we hit it after executing the
> undef.
>
> --
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/757702
>
> Title:
> Undefined instruction exception starts at offset 0x8 instead of 0x4
>
> Status in QEMU:
> New
>
> Bug description:
> ARMv7a has lot of undefined instruction from its instruction opcode
> space. This undefined instructions are very useful for replacing
> sensitive non-priviledged instructions of guest operating systems
> (virtualization). The undefined instruction exception executes at
> <exception_base> + 0x4, where <exception_base> can be 0x0 or
> 0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at
> 0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0,
> seems like this is a new bug. As as example, if we try to execute
> value "0xec019800" in qemu 0.14.0 then it should cause undefined
> exception at <exception_base>+0x4 since "0xec019800" is an undefined
> instruction.
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/qemu/+bug/757702/+subscribe
>
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/757702
Title:
Undefined instruction exception starts at offset 0x8 instead of 0x4
Status in QEMU:
New
Bug description:
ARMv7a has lot of undefined instruction from its instruction opcode
space. This undefined instructions are very useful for replacing
sensitive non-priviledged instructions of guest operating systems
(virtualization). The undefined instruction exception executes at
<exception_base> + 0x4, where <exception_base> can be 0x0 or
0xfff00000. Currently, in qemu 0.14.0 undefined instruction fault at
0x8 offset instead of 0x4. This was not a problem with qemu 0.13.0,
seems like this is a new bug. As as example, if we try to execute
value "0xec019800" in qemu 0.14.0 then it should cause undefined
exception at <exception_base>+0x4 since "0xec019800" is an undefined
instruction.
next prev parent reply other threads:[~2011-04-12 11:11 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-11 16:12 [Qemu-devel] [Bug 757702] [NEW] Undefined instruction exception starts at offset 0x8 instead of 0x4 Anup Patel
2011-04-12 9:29 ` [Qemu-devel] [Bug 757702] " Peter Maydell
2011-04-12 9:29 ` Peter Maydell
2011-04-12 9:30 ` Peter Maydell
2011-04-12 9:43 ` Peter Maydell
2011-04-12 10:18 ` Anup Patel
2011-04-12 10:38 ` Anup Patel
2011-04-12 10:49 ` Peter Maydell
2011-04-12 11:03 ` Anup Patel [this message]
2011-04-12 11:10 ` Anup Patel
2011-04-12 11:16 ` Peter Maydell
2011-04-12 11:42 ` Peter Maydell
2011-04-12 12:10 ` Anup Patel
2011-04-12 12:27 ` Anup Patel
2011-04-13 4:34 ` Anup Patel
2011-04-13 11:54 ` Peter Maydell
2011-04-13 15:57 ` Anup Patel
2011-04-13 16:19 ` [Qemu-devel] [Bug 757702] Re: ARM: singlestepping insn which UNDEFs should stop at UNDEF vector insn, not after it Peter Maydell
2017-05-19 19:42 ` Thomas Huth
2017-07-19 4:17 ` Launchpad Bug Tracker
2018-11-27 16:32 ` Peter Maydell
2020-08-20 14:59 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTi=5YP11QszpVTfqzYdr91D9nMFWMA@mail.gmail.com' \
--to=757702@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).