ARM conditional branch after if-then instruction not working
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Unassigned | |
Bug Description
Hello
There seems to be an issue with QEMU when debugging if-then condition blocks from the Thumb-2 instruction set. The following snippet runs fine during normal execution, but keeps hanging at the conditional branch when debugging. The jump at the branch should only be executed as long as $r0 is lower than $r1. The problem is that once both are equal, execution does not continue past the branch and the program counter never gets popped.
```asm
2000407a: push {lr}
2000407c: movs r0, r6
2000407e: ldmia r7!, {r1, r6}
20004080: push {r0, r1}
20004082: str.w r6, [r7, #-4]!
20004086: ldr r6, [sp, #0]
20004088: pop {r0, r1}
2000408a: adds r0, #1
2000408c: cmp r0, r1
2000408e: itt lt
20004090: pushlt {r0, r1}
20004092: blt.w 0x20004082 ; unpredictable <IT:lt> // <-- GDB hangs here
20004096: pop {pc}
```
I have tried to reproduce the problem with inline assembly but for some reason the following example just worked:
```cpp
#include <stdint.h>

void f() {
    static uint8_t stack[256]{};
    stack[255] = 4;
    // Each instruction string needs its own "\n\t" so the assembler sees
    // one instruction per line instead of one run-together statement.
    asm volatile("\n\t"
                 // pre-conditions
                 "1:\n\t"
                 "ldr r6, [sp, #0]\n\t"
                 "pop {r0, r1}\n\t"
                 "cmp r0, r1\n\t"
                 "itt lt\n\t"
                 // Original instruction
                 // Trying to fake it
                 "pop {pc}\n\t"
                 :
                 : [stack] "r"(&stack[255]));
}
```
The only real major difference I see to the other code snippet is that the inline assembly is running from flash memory whereas the original code runs in RAM? Maybe that's a clue somehow?
Quickly reading through already reported ARM bugs I think this might be related:
https:/
At least the symptoms sound identical.
The versions I'm running are:
QEMU 3.0.0
arm-none-eabi-gdb 8.2
I've also captured some trace output for single-stepping from the pushlt to the blt.w instruction with the trace arguments unimp, guest_errors, op, int, exec.
Changed in qemu: status: New → Incomplete
The disassembler is giving you a hint here:
```asm
2000408e: itt lt
20004090: pushlt {r0, r1}
20004092: blt.w 0x20004082 ; unpredictable <IT:lt> // <-- GDB hangs here
```
Your code has a "blt" instruction inside an IT block in a way that is architecturally UNPREDICTABLE, and the CPU is allowed to not behave in the way you might expect it to.
Your attempt to reproduce the problem is likely generating different instructions (specifically probably a different encoding of the branch instruction).
On the other hand having QEMU behave differently in singlestep mode and just hang (rather than, say, making the insn UNDEF or treating it as a condition-failed or a condition-passed) is not ideal.
Do you have a sample binary and QEMU command line that reproduces this?
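The rule the maintainer's reply points at is easy to check mechanically: the Thumb-2 B instruction has two conditional encodings (T1, 16-bit; T3, 32-bit) that are UNPREDICTABLE anywhere inside an IT block, and two unconditional encodings (T2, T4) that are permitted in an IT block only as its last instruction, with IT supplying the condition. The following is an added example, not QEMU, GDB or binutils code: a small static checker that decodes the IT mask, classifies branch encodings and flags the reported pattern. The byte strings are constructed to mirror the tail of the reported disassembly (itt lt / pushlt {r0, r1} / blt.w 0x20004082 / pop {pc}) at the report's addresses; they are not bytes taken from the reporter's binary, and the second string is the same block with the branch re-encoded as an unconditional B.W, which is the form the IT rules allow.

```python
"""Added example (not QEMU or GDB code): a small static checker for Thumb-2
IT blocks that flags a conditional-encoded branch (B encoding T1/T3) inside
an IT block, which the ARM ARM marks UNPREDICTABLE. Encodings follow the
Thumb-2 B and IT instruction descriptions; sample bytes are constructed."""
import struct
from typing import List, Optional, Tuple

COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def sext(value: int, bits: int) -> int:
    """Sign-extend a bits-wide two's-complement value to a Python int."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_it(hw: int) -> Optional[Tuple[int, List[str]]]:
    """For an IT instruction (1011 1111 firstcond mask, mask != 0) return
    (firstcond, suffixes), e.g. 0xBFBC -> (0xB, ['t']) for 'itt lt'."""
    if (hw & 0xFF00) != 0xBF00 or (hw & 0xF) == 0:
        return None                 # mask 0000 is a hint (NOP/YIELD/...), not IT
    firstcond, mask = (hw >> 4) & 0xF, hw & 0xF
    length = 4 - ((mask & -mask).bit_length() - 1)   # lowest set bit ends the mask
    suffixes = ["t" if ((mask >> (4 - k)) & 1) == (firstcond & 1) else "e"
                for k in range(1, length)]
    return firstcond, suffixes


def classify_branch(hw1: int, hw2: int) -> Optional[str]:
    """Name the B encoding (T1..T4) of the instruction starting with hw1."""
    if (hw1 & 0xF000) == 0xD000 and ((hw1 >> 8) & 0xF) < 0xE:
        return "B.T1"               # 16-bit B<cond>; 0xDE/0xDF are UDF/SVC
    if (hw1 & 0xF800) == 0xE000:
        return "B.T2"               # 16-bit unconditional B
    if (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0x8000 \
            and ((hw1 >> 6) & 0xF) < 0xE:
        return "B.T3"               # 32-bit B<cond>.W (cond 111x are other insns)
    if (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0x9000:
        return "B.T4"               # 32-bit unconditional B.W
    return None


def branch_target(addr: int, hw1: int, hw2: int, kind: str) -> int:
    """Branch target; the Thumb PC reads as the instruction address + 4."""
    s, j1, j2 = (hw1 >> 10) & 1, (hw2 >> 13) & 1, (hw2 >> 11) & 1
    if kind == "B.T1":
        off = sext((hw1 & 0xFF) << 1, 9)
    elif kind == "B.T2":
        off = sext((hw1 & 0x7FF) << 1, 12)
    elif kind == "B.T3":
        off = sext(s << 20 | j2 << 19 | j1 << 18 | (hw1 & 0x3F) << 12
                   | (hw2 & 0x7FF) << 1, 21)
    else:                           # B.T4: I1/I2 are derived from J1/J2 and S
        i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
        off = sext(s << 24 | i1 << 23 | i2 << 22 | (hw1 & 0x3FF) << 12
                   | (hw2 & 0x7FF) << 1, 25)
    return addr + 4 + off


def check_it_blocks(code: bytes, base: int) -> List[str]:
    """Walk little-endian Thumb code and report IT-block rule violations."""
    hws = [struct.unpack_from("<H", code, i)[0] for i in range(0, len(code) - 1, 2)]
    findings: List[str] = []
    slots: List[Tuple[int, bool]] = []      # (cond, is_last) for the open IT block
    i = 0
    while i < len(hws):
        addr, hw1 = base + 2 * i, hws[i]
        wide = (hw1 >> 11) in (0b11101, 0b11110, 0b11111)   # 32-bit Thumb-2 insn
        hw2 = hws[i + 1] if wide and i + 1 < len(hws) else 0
        it = decode_it(hw1)
        if slots:
            cond, last = slots.pop(0)
            kind = classify_branch(hw1, hw2)
            if it is not None:
                findings.append(f"{addr:#x}: IT inside an IT block is UNPREDICTABLE")
            elif kind in ("B.T1", "B.T3"):
                findings.append(
                    f"{addr:#x}: {kind} (conditional encoding) inside IT block "
                    f"<IT:{COND[cond]}> is UNPREDICTABLE; encode the branch as "
                    f"B/B.W (T2/T4) and let IT supply the condition")
            elif kind in ("B.T2", "B.T4") and not last:
                findings.append(f"{addr:#x}: {kind} must be the last insn of the IT block")
        elif it is not None:
            firstcond, suffixes = it
            conds = [firstcond] + [firstcond ^ 1 if s == "e" else firstcond for s in suffixes]
            slots = [(c, k == len(conds) - 1) for k, c in enumerate(conds)]
        i += 2 if wide else 1
    return findings


# Constructed to mirror the report's tail at its addresses (not the reporter's bytes):
#   itt lt ; pushlt {r0,r1} ; blt.w 0x20004082 (B.T3, conditional encoding) ; pop {pc}
REPORTED = bytes.fromhex("bcbf" "03b4" "fff6" "f6af" "00bd")
#   same block with the branch encoded as b.w (B.T4), permitted as the last IT insn
FIXED = bytes.fromhex("bcbf" "03b4" "fff7" "f6bf" "00bd")

if __name__ == "__main__":
    for name, blob in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, check_it_blocks(blob, 0x2000408E) or ["ok"])
```

The checker follows the IT mask the same way a disassembler does (the lowest set mask bit fixes the block length, the bits above it give the T/E suffixes), so it reports the branch at 0x20004092 with the same `<IT:lt>` hint the reporter's disassembly shows, and accepts the T4 variant. It says nothing about how QEMU single-stepping handles the UNPREDICTABLE case; that is the question the maintainer's reply leaves open.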