QEMU

  1. Bug #1641861
  2. Activity log

Activity log for bug #1641861

Date Who What changed Old value New value Message
2016-11-15 07:51:12 Jie bug added bug
2016-11-15 07:54:16 Jie description Hi all, we systematically tested the QEMU implementation for emulating arm user mode programs. We found that QEMU incorrectly emulate the FPSCR register. The following the proof of code: /*********** Beginning of the bug: arm.c **********/ int printf(const char *format, ...); unsigned char i0[0x10]; unsigned char o[0x10]; int main() { int k = 0; asm("mov r2, %0\n" "ldr r0, [r2]\n"::"r"((char *)(i0)));; asm("vmsr fpscr, r0"); asm("mov r2, %0\n" "vmrs r4, fpscr\n" "str r4, [r2]\n"::"r"((char *)(o)));; for (k = 0; k < 0x10; k++) printf("%02x", o[0x10 - 1 - k]); printf("\n"); } unsigned char i0[0x10] = {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x28, 0x1c, 0xc7, 0x01, 0x00, 0x00, 0x00, 0x00}; /*********** End fo the bug **********/ When the program is compiled into arm binary code and running on a real arm machine, and running in qemu, we have the following result $ arm-linux-gnueabihf-gcc arm.c -o arm -static $ ./arm 000000000000000000000000fff7009f $ qemu-arm arm 000000000000000000000000ffffffff According to the ARM manual, bits[19, 14:13, 6:5] of FPSCR should be reserved as zero. However, arm qemu fails to keep these bits to be zero: these bits can be actually modified in QEMU. Thanks! Hi all, we systematically tested the QEMU implementation for emulating arm user mode programs. We found that QEMU incorrectly emulate the FPSCR register. The following the proof of code: /*********** Beginning of the bug: arm.c **********/ int printf(const char *format, ...); unsigned char i0[0x10]; unsigned char o[0x10]; int main() {     int k = 0;     asm("mov r2, %0\n"         "ldr r0, [r2]\n"::"r"((char *)(i0)));;     asm("vmsr fpscr, r0");     asm("mov r2, %0\n"         "vmrs r4, fpscr\n"         "str r4, [r2]\n"::"r"((char *)(o)));;     for (k = 0; k < 0x10; k++)         printf("%02x", o[0x10 - 1 - k]);     printf("\n"); } unsigned char i0[0x10] = {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x28, 0x1c, 0xc7, 0x01, 0x00, 0x00, 0x00, 0x00}; /*********** End fo the bug **********/ When the program is compiled into arm binary code and running on a real arm machine, and running in qemu, we have the following result $ arm-linux-gnueabihf-gcc arm.c -o arm -static $ ./arm 000000000000000000000000fff7009f $ qemu-arm arm 000000000000000000000000ffffffff According to the ARM manual, bits[19, 14:13, 6:5] of FPSCR should be reserved as zero. However, arm qemu fails to keep these bits to be zero: these bits can be actually modified in QEMU. QEMU version is 2.7.0. The operating system is Linux 3.13.0. x86_64. Thanks!
2017-11-06 14:41:36 Peter Maydell summary fail to correctly emulate FPSCR register on arm ARM QEMU doesn't enforce that RES0 bits in FPSCR are non-writeable
2017-11-06 14:41:39 Peter Maydell qemu: status New Confirmed
2017-11-06 14:41:41 Peter Maydell tags arm
2020-11-10 15:59:43 Peter Maydell qemu: status Confirmed Fix Released