QEMU

ARM: QEMU crashes with segmentation fault on supervisor call

Bug #912216 reported by Arie on 2012-01-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Invalid	Undecided	Unassigned

Bug Description

I am working on some mixed C/ASM code for the ARM Cortex-M3 but when I try to simulate it, QEMU crashes with a segmentation fault. The exact instruction it crashes on is a supervisor call from the assembly file.
I am using the default Sourcery CodeBench Lite 2011.09-69 for ARM\EABI (Not GNU\Linux). The build environment is mingw32 on a win7 x64 machine.

The following code is what I used to trigger the segmentation fault.

main.c:
extern void testFunc( void );

int main()
{
testFunc();

while(1);
}

test.s:
    .syntax unified
    .global testFunc
    .global __cs3_isr_svcall

    .text
    .balign 4
__cs3_isr_svcall:
    bx lr

.balign 4
testFunc:
svc #1

BX LR

.end

This is build in an MSYS shell with the command:
arm-none-eabi-gcc -o test1.elf main.c test.s -g -mcpu=cortex-m3 -march=armv7-m -mthumb -lc -lgcc -T generic-m-hosted.ld

The output elf file is also attached to this bug report.

To get information on the segmentation fault I start Qemu from GDB in a debian-6 Virtual Machine (VMWare Player). This Qemu is configured with --enable-debug and the output of this configure is:
Install prefix /usr/local
BIOS directory /usr/local/share/qemu
binary directory /usr/local/bin
library directory /usr/local/lib
include directory /usr/local/include
config directory /usr/local/etc
Manual directory /usr/local/share/man
ELF interp prefix /usr/gnemul/qemu-%M
Source path /home/testbox/Downloads/qemu-1.0
C compiler gcc
Host C compiler gcc
CFLAGS -g
QEMU_CFLAGS -fPIE -DPIE -m64 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wall -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fstack-protector-all -Wendif-labels -Wmissing-include-dirs -Wempty-body -Wnested-externs -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wold-style-declaration -Wold-style-definition -Wtype-limits -I/usr/include/libpng12
LDFLAGS -Wl,--warn-common -Wl,-z,relro -Wl,-z,now -pie -m64 -g
make make
install install
python python
smbd /usr/sbin/smbd
host CPU x86_64
host big endian no
target list i386-softmmu x86_64-softmmu alpha-softmmu arm-softmmu cris-softmmu lm32-softmmu m68k-softmmu microblaze-softmmu microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu mips64el-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu s390x-softmmu xtensa-softmmu xtensaeb-softmmu i386-linux-user x86_64-linux-user alpha-linux-user arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user microblaze-linux-user microblazeel-linux-user mips-linux-user mipsel-linux-user ppc-linux-user ppc64-linux-user ppc64abi32-linux-user sh4-linux-user sh4eb-linux-user sparc-linux-user sparc64-linux-user sparc32plus-linux-user unicore32-linux-user s390x-linux-user
tcg debug enabled yes
Mon debug enabled yes
gprof enabled no
sparse enabled no
strip binaries no
profiler no
static build no
-Werror enabled no
SDL support no
curses support yes
curl support no
check support no
mingw32 support no
Audio drivers oss
Extra audio cards ac97 es1370 sb16 hda
Block whitelist
Mixer emulation no
VNC support yes
VNC TLS support yes
VNC SASL support no
VNC JPEG support yes
VNC PNG support yes
VNC thread no
xen support no
brlapi support no
bluez support no
Documentation yes
NPTL support yes
GUEST_BASE yes
PIE yes
vde support no
Linux AIO support no
ATTR/XATTR support yes
Install blobs yes
KVM support yes
TCG interpreter no
fdt support no
preadv support yes
fdatasync yes
madvise yes
posix_madvise yes
uuid support no
vhost-net support yes
Trace backend nop
Trace output file trace-<pid>
spice support no
rbd support no
xfsctl support no
nss used no
usb net redir no
OpenGL support yes
libiscsi support no
build guest agent yes

The result of the debug session of GDB (note the parameters to Qemu on the command line):

testbox@debian-6-testbox:/mnt/build_test1$ gdb -args /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb tcp::2200
GNU gdb (GDB) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm...done.
(gdb) run
Starting program: /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb tcp::2200
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff36a2700 (LWP 4139)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff36a2700 (LWP 4139)]
0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11)
at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
154 if (GIC_TEST_PENDING(irq, cm))
(gdb) thread apply all bt full

Thread 2 (Thread 0x7ffff36a2700 (LWP 4139)):
#0 0x00007ffff7dc0697 in gic_set_pending_private (s=0x0, cpu=0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/arm_gic.c:154
        cm = 1
#1 0x00007ffff7dc228f in armv7m_nvic_set_pending (opaque=0x0, irq=11)
    at /home/testbox/Downloads/qemu-1.0/hw/armv7m_nvic.c:95
        s = 0x0
#2 0x00007ffff7df39c7 in do_interrupt_v7m (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:788
        xpsr = 1627389952
        lr = 4294967289
        addr = 1243751108
#3 0x00007ffff7df3c3d in do_interrupt (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/target-arm/helper.c:850
        addr = 32767
        mask = 4128067360
        new_mode = 0
        offset = 0
#4 0x00007ffff7dc8cbc in cpu_arm_exec (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpu-exec.c:257
        ret = 0
        interrupt_request = 0
---Type <return> to continue, or q <return> to quit---
        tb = 0x7ffff36a4120
        tc_ptr = 0x400020f0 "\277\002"
        next_tb = 140737277214896
#5 0x00007ffff7dcb824 in tcg_cpu_exec (env=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpus.c:1007
        ret = 16809983
#6 0x00007ffff7dcb93d in tcg_exec_all ()
    at /home/testbox/Downloads/qemu-1.0/cpus.c:1039
        env = 0x7ffff8abb810
        r = 0
#7 0x00007ffff7dcaf2d in qemu_tcg_cpu_thread_fn (arg=0x7ffff8abb810)
    at /home/testbox/Downloads/qemu-1.0/cpus.c:774
        env = 0x0
#8 0x00007ffff60ca8ba in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#9 0x00007ffff5e3202d in clone () from /lib/libc.so.6
No symbol table info available.
#10 0x0000000000000000 in ?? ()
No symbol table info available.

Thread 1 (Thread 0x7ffff7b8e700 (LWP 4136)):
#0 0x00007ffff5e2b8d3 in select () from /lib/libc.so.6
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#1 0x00007ffff7d1cb93 in main_loop_wait (nonblocking=0) at main-loop.c:456
        rfds = {fds_bits = {3456, 0 <repeats 15 times>}}
        wfds = {fds_bits = {0 <repeats 16 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = 32767
        nfds = 11
        tv = {tv_sec = 0, tv_usec = 996976}
        timeout = 1000
#2 0x00007ffff7d14628 in main_loop ()
    at /home/testbox/Downloads/qemu-1.0/vl.c:1481
        nonblocking = false
        last_io = 0
#3 0x00007ffff7d19484 in main (argc=13, argv=0x7fffffffe268,
    envp=0x7fffffffe2d8) at /home/testbox/Downloads/qemu-1.0/vl.c:3485
        gdbstub_dev = 0x7fffffffe5ee "tcp::2200"
        i = 64
        snapshot = 0
        linux_boot = 1
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x7fffffffe5df "test1.elf"
        kernel_cmdline = 0x7ffff7f594af ""
        boot_devices = "cad", '\000' <repeats 29 times>
---Type <return> to continue, or q <return> to quit---
        ds = 0x7ffff8ccbdb0
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0x7fffffffe020
        olist = 0x7ffff7b92358
        optind = 13
        optarg = 0x7fffffffe5ee "tcp::2200"
        loadvm = 0x0
        machine = 0x7ffff82796c0
        cpu_model = 0x7fffffffe59a "cortex-m3"
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0x7ffff7d15ed0 <malloc_and_trace>,
          realloc = 0x7ffff7d15f28 <realloc_and_trace>,
          free = 0x7ffff7d15f8f <free_and_trace>, calloc = 0, try_malloc = 0,
---Type <return> to continue, or q <return> to quit---
          try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0
(gdb)

Also tested with GIT commit c47f322 (Wed, 4 Jan 2012 16:06:25).
This produces the same crash, but the line in the source file arm_gic.c it crashes on has moved to 161.

I hope I have supplied all the necessary information.

Revision history for this message

Arie (arie-7) wrote on 2012-01-05:

Elf file to be loaded by QEMU Edit (40.7 KiB, application/octet-stream)

Revision history for this message

Peter Maydell (pmaydell) wrote on 2012-01-05:

This is user error (although we don't handle it very cleanly):

Starting program: /home/testbox/Downloads/qemu-1.0/arm-softmmu/qemu-system-arm -cpu cortex-m3 -nographic -monitor null -serial null -semihosting -kernel test1.elf -gdb tcp::2200

You're starting a model of the (default) "integratorcp" board. This board doesn't support M profile cores, so trying to use -cpu cortex-m3 with it is doomed to failure.

You need to use one of the M3 based boards (ie pass "-M lm3s811evb" or "-M lm3s6965evb" to QEMU).

Revision history for this message

Arie (arie-7) wrote on 2012-01-05:

Thanks for pointing this out. This indeed solves my issue.

Revision history for this message

Peter Maydell (pmaydell) wrote on 2012-01-05:

Cool. (There is some internal restructuring of QEMU's device/object model in progress which may let us diagnose this error better by effectively making it impossible to instantiate a "bare" M3 CPU without its obligatory internal peripherals. But for now I'm going to close this bug report.)

Changed in qemu:
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Elf file to be loaded by QEMU Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.