Attempting to emulate some baremetal ARM cortex-M* firmware with gdb causes a segfault every time.
qemu invocation:
qemu-system-arm -machine none -cpu cortex-m3 -nographic -monitor null -serial null -s -S -device loader,file=firmware.elf
qemu seems to startup fine with that command. Segfault happens as soon as I connect from another console with
arm-none-eabi-gdb firmware.elf
> target remote localhost:1234
# qemu segfaults, and kills arm-none-eabi-gdb along with it
Here's a bt from qemu-system-arm :
*********************************
#0 armv7m_nvic_neg_prio_requested (opaque=0x0, secure=false)
at /home/sac/qemu/src/qemu/hw/intc/armv7m_nvic.c:383
s = 0x0
#1 0x006e4806 in arm_v7m_mmu_idx_for_secstate (secstate=<optimized out>, env=0xb620263c)
at /home/sac/qemu/src/qemu/target/arm/cpu.h:2345
el = <optimized out>
mmu_idx = ARMMMUIdx_MPriv
el = <optimized out>
mmu_idx = <optimized out>
#2 cpu_mmu_index (ifetch=false, env=0xb620263c) at /home/sac/qemu/src/qemu/target/arm/cpu.h:2358
mmu_idx = <optimized out>
el = <optimized out>
ifetch = <optimized out>
env = 0xb620263c
el = <optimized out>
mmu_idx = <optimized out>
el = <optimized out>
el = <optimized out>
mmu_idx = <optimized out>
#3 arm_cpu_get_phys_page_attrs_debug (cs=0xb61fe480, addr=0, attrs=0xbfffc668)
at /home/sac/qemu/src/qemu/target/arm/helper.c:9858
cpu = 0xb61fe480
__func__ = "arm_cpu_get_phys_page_attrs_debug"
env = 0xb620263c
phys_addr = 6402535376434480864
page_size = 5
prot = -1239242724
ret = <optimized out>
fsr = 4294967041
fi = {s2addr = 0, stage2 = false, s1ptw = false, ea = false}
mmu_idx = <optimized out>
#4 0x005729d1 in cpu_get_phys_page_attrs_debug (attrs=<optimized out>, addr=<optimized out>,
cpu=<optimized out>) at /home/sac/qemu/src/qemu/include/qom/cpu.h:580
cc = <optimized out>
cc = <optimized out>
#5 cpu_memory_rw_debug (cpu=0xb61fe480, addr=0, buf=0xbfffd6dc "", len=4, is_write=0)
at /home/sac/qemu/src/qemu/exec.c:3524
asidx = <optimized out>
attrs = {unspecified = 0, secure = 0, user = 0, requester_id = 15525}
l = <optimized out>
phys_addr = <optimized out>
page = 0
__PRETTY_FUNCTION__ = "cpu_memory_rw_debug"
#6 0x005b4c5e in target_memory_rw_debug (is_write=false, len=4, buf=<optimized out>, addr=0,
cpu=0xb61fe480) at /home/sac/qemu/src/qemu/gdbstub.c:56
cc = <optimized out>
cc = <optimized out>
#7 gdb_handle_packet (s=s@entry=0xb6229800, line_buf=line_buf@entry=0xb6229810 "m0,4")
at /home/sac/qemu/src/qemu/gdbstub.c:1109
cpu = <optimized out>
cc = <optimized out>
p = 0xb6229813 "4"
thread = <optimized out>
ch = <optimized out>
reg_size = <optimized out>
type = <optimized out>
res = <optimized out>
buf = "m1\000", '\060' <repeats 109 times>, "ffffffff00000000d3010040\000t modification,\n are permitted in any medium without royalt"...
mem_buf = '\000' <repeats 56 times>, "\377\377\377\377\000\000\000\000\323\001\000@", '\000' <repeats 716 times>...
registers = <optimized out>
addr = 0
len = 4
__func__ = "gdb_handle_packet"
#8 0x005b55b3 in gdb_read_byte (ch=100, s=0xb6229800) at /home/sac/qemu/src/qemu/gdbstub.c:1664
reply = 43 '+'
reply = <optimized out>
repeat = <optimized out>
#9 gdb_chr_receive (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
at /home/sac/qemu/src/qemu/gdbstub.c:1868
i = <optimized out>
#10 0x00980319 in tcp_chr_read (chan=0xb6c86200, cond=G_IO_IN, opaque=0xb63fc6e0)
at chardev/char-socket.c:440
chr = <optimized out>
__func__ = "tcp_chr_read"
s = 0xb63fc6e0
buf = "$m0,4#fddInfo#c8read:arm-core.xml:0,ffb#08+;qRelocInsn+;fork-events+;vfork-events+;exec-events+;vContSupported+;QThreadEvents+;no-resumed+#df\363\377\377\000\000\000\000\274\354\377\277", '\000' <repeats 16 times>, "\272\356\377 \274\354\377\277", '\000' <repeats 16 times>, "\373\377\377\377\005\000\000\000"...
len = <optimized out>
size = <optimized out>
#11 0xb7808c44 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#12 0x009e14d2 in glib_pollfds_poll () at util/main-loop.c:214
context = 0xb645f740
pfds = <optimized out>
context = <optimized out>
pfds = <optimized out>
#13 os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:261
context = 0xb645f740
ret = 1
spin_counter = 0
context = <optimized out>
ret = <optimized out>
spin_counter = 0
notified = false
#14 main_loop_wait (nonblocking=0) at util/main-loop.c:515
ret = <optimized out>
timeout = 1000
timeout_ns = <optimized out>
#15 0x00561781 in main_loop () at vl.c:1995
No locals.
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4911
i = <optimized out>
snapshot = <optimized out>
linux_boot = <optimized out>
initrd_filename = <optimized out>
kernel_filename = <optimized out>
kernel_cmdline = <optimized out>
boot_order = <optimized out>
boot_once = <optimized out>
ds = <optimized out>
cyls = <optimized out>
heads = <optimized out>
secs = <optimized out>
translation = <optimized out>
opts = <optimized out>
machine_opts = <optimized out>
hda_opts = <optimized out>
icount_opts = <optimized out>
accel_opts = <optimized out>
olist = <optimized out>
optind = 14
optarg = 0xbffffcf6 "loader,file=firmware.elf"
loadvm = <optimized out>
machine_class = <optimized out>
cpu_model = <optimized out>
vga_model = <optimized out>
qtest_chrdev = <optimized out>
qtest_log = <optimized out>
pid_file = <optimized out>
incoming = <optimized out>
userconfig = <optimized out>
nographic = <optimized out>
display_type = <optimized out>
display_remote = <optimized out>
log_mask = <optimized out>
log_file = <optimized out>
trace_file = <optimized out>
maxram_size = <optimized out>
ram_slots = <optimized out>
vmstate_dump_file = <optimized out>
main_loop_err = 0x0
err = 0x0
list_data_dirs = <optimized out>
dirs = <optimized out>
bdo_queue = {sqh_first = 0x0, sqh_last = 0xbffff918}
__func__ = "main"
follow-up to IRC discussions with stsquad and danpb : the problem is "-machine none" which prevents all the data structures from being initialized properly.