qemu-ppc

[Qemu-ppc] Missing PPC TRACE exception on a branch


From: PLE Christophe
Subject: [Qemu-ppc] Missing PPC TRACE exception on a branch
Date: Wed, 1 Aug 2012 13:38:25 +0200

Dear all,

I am using qemu-1.1.1-1 to emulate a PPC PReP machine on an Intel host running Linux Ubuntu 11.10.

In the following example, I will show that the PowerPC TRACE exception at vector 0xD00 is not taken when executing a specific kind of branch.

I have the following stand-alone assembly source code for PowerPC in file SE_TEST.s:

                .text
                .global  _start

_start:

/* copy the 4-word vector handler to the trace vector at 0xD00
   (MSR[IP] is cleared below, so exception vectors live at 0x000nnnnn) */
                addis     3,0,(0xD00)@ha
                addi      3,3,(0xD00)@l
                addis     4,0,(vector_handler)@ha
                addi      4,4,(vector_handler)@l
                addi      3,3,-4              /* pre-decrement for the update forms below */
                addi      4,4,-4
                lwzu      7,4(4)
                stwu      7,4(3)
                lwzu      7,4(4)
                stwu      7,4(3)
                lwzu      7,4(4)
                stwu      7,4(3)
                lwzu      7,4(4)
                stwu      7,4(3)

/* set branch address in SRR0 (SPR 26): rfi will resume there */
                addis     3,0,(branch)@ha
                addi      3,3,(branch)@l
                mtspr     26,3

/* Read MSR, set SE (bit 21, mask 0x0400) and clear IP (bit 25, mask 0x0040),
   then write the value to SRR1 (SPR 27) so that rfi loads it into MSR.
   Note: andi. zero-extends its 16-bit immediate, so it also clears MSR
   bits 0-15 (e.g. POW, ILE); harmless for this test, but more than IP goes. */
                mfmsr     4
                ori       4,4,0x0400
                andi.     4,4,0xFFBF
                mtspr     27,4

/* Set CR0 so that the conditional branch after rfi is not taken:
   r5 = 0 compared with 0 gives CR0[EQ] = 1, so bne falls through */
                addi      5,0,0
                cmpi      0,5,0
                rfi                           /* MSR <- SRR1 (SE = 1), PC <- SRR0 = branch */
                nop
                nop
                nop

branch:
                bne       down                /* <- branch where the error is */
branch_plus_1:
                nop
branch_plus_2:
                nop
down:           nop
                nop
                nop
                nop

/* trace handler, copied to 0xD00: r6 receives SRR0 for inspection in gdb */
vector_handler:
                mfspr     6,26
                nop
                nop
                nop

It compiles with: powerpc-eabi-gcc SE_TEST.s -o SE_TEST.elf

Then I run QEMU with the command: "./qemu-system-ppc -M prep -s -S"

Then I run a cross gdb with the command: "powerpc-eabi-gdb --nx"

At the gdb prompt I execute the following gdb commands:

file SE_TEST.elf
target remote :1234
load SE_TEST.elf
set $pc = _start
b *0xD08
c

echo "srr0 value in trace handler  "
p/x $r6
echo "address of branch_plus_1   "
p/x &branch_plus_1
echo "address of branch_plus_2   "
p/x &branch_plus_2

The gdb command window displays the result:

(gdb) so co
0xfffffffc in ?? ()
Loading section .init, size 0x24 lma 0x1800074
Loading section .text, size 0x26c lma 0x1800098
Loading section .fini, size 0x20 lma 0x1800304
Loading section .eh_frame, size 0x8 lma 0x1810324
Loading section .ctors, size 0x8 lma 0x181032c
Loading section .dtors, size 0x8 lma 0x1810334
Loading section .jcr, size 0x4 lma 0x181033c
Loading section .data, size 0x4 lma 0x1810340
Start address 0x1800200, load size 720
Transfer rate: 5760 bits in <1 sec, 90 bytes/write.
Breakpoint 1 at 0xd08

Breakpoint 1, 0x00000d08 in ?? ()
"srr0 value in trace handler  "$1 = 0x1800274
"address of branch_plus_1   "$2 = 0x1800270
"address of branch_plus_2   "$3 = 0x1800274

In the trace exception handler, the SRR0 register value should be the address just following the branch (i.e. 0x1800270).
But this is not the case: the SRR0 value is the address of the second instruction after the branch (i.e. 0x1800274).

It seems that the single-step exception was not taken after executing the "bne down" instruction but was taken after executing the first following nop instruction.

I have made some other tests with other kinds of branch; the behaviour is correct, and the issue appears only for a conditional branch when it is not taken.

Can you help me with this issue?

Regards
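The following C program is an added reference model of the rule the report relies on; it is not QEMU code and not part of the original message. It encodes the PowerPC trace-interrupt semantics (when an instruction completes with MSR[SE] set, SRR0 receives the address of the instruction that would have executed next, so the fall-through address for a not-taken bne and the target for a taken one; SRR1 receives the MSR; SE is cleared; control goes to 0xD00, prefixed with 0xFFF00000 when MSR[IP] is set) over a hypothetical three-opcode toy instruction set. The addresses come from the posted gdb output; the opcode and function names are assumptions made for the example. The "late trace" case only reproduces the outcome the report describes and makes no claim about its cause inside QEMU.

```c
/* Added reference model of the PowerPC trace interrupt (not QEMU code).
 * Rule modelled: when an instruction completes with MSR[SE]=1, a trace
 * interrupt is taken; SRR0 receives the address of the instruction that
 * would have executed next (fall-through address for a not-taken branch,
 * target for a taken one), SRR1 receives the MSR, MSR[SE] is cleared, and
 * execution continues at vector 0xD00, prefixed with 0xFFF00000 when
 * MSR[IP]=1.  The instruction set is a hypothetical toy with just the
 * three opcodes the report's test needs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_SE        0x0400u      /* single-step trace enable (MSR bit 21) */
#define MSR_IP        0x0040u      /* interrupt prefix (MSR bit 25) */
#define TRACE_VECTOR  0x0D00u

enum op { OP_NOP, OP_B, OP_BNE };
struct insn { enum op op; uint32_t target; };

struct cpu {
    uint32_t pc, msr, srr0, srr1;
    int cr0_eq;                 /* CR0[EQ]; 1 after "cmpi 0,5,0" with r5 == 0 */
    uint32_t base;              /* address of mem[0] */
    const struct insn *mem;
    size_t n;
};

/* Execute one instruction, then take the trace interrupt if SE was set.
 * Returns 1 if the interrupt was taken, 0 otherwise, -1 on a bad PC. */
static int step(struct cpu *c)
{
    if (c->pc < c->base || (c->pc - c->base) / 4 >= c->n) return -1;
    const struct insn *i = &c->mem[(c->pc - c->base) / 4];
    uint32_t next = c->pc + 4;
    if (i->op == OP_B || (i->op == OP_BNE && !c->cr0_eq)) next = i->target;
    c->pc = next;
    if (!(c->msr & MSR_SE)) return 0;
    c->srr0 = next;                       /* address of the next instruction, not of the traced one */
    c->srr1 = c->msr;
    c->msr &= ~MSR_SE;                    /* interrupt entry clears SE */
    c->pc = ((c->srr1 & MSR_IP) ? 0xFFF00000u : 0u) | TRACE_VECTOR;
    return 1;
}

/* The report's layout after rfi: "bne down" at 0x180026c followed by the
 * nops labelled branch_plus_1 (0x1800270), branch_plus_2 (0x1800274) and
 * down (0x1800278); addresses taken from the posted gdb output. */
static const struct insn prog[] = {
    { OP_BNE, 0x1800278u },
    { OP_NOP, 0 },
    { OP_NOP, 0 },
    { OP_NOP, 0 },
};

static struct cpu fresh(uint32_t msr, int cr0_eq)
{
    struct cpu c = { 0x180026cu, msr, 0, 0, cr0_eq, 0x180026cu, prog, 4 };
    return c;
}

/* Architected result: SE is already set when the bne executes (as after the report's rfi). */
static struct cpu run_branch_case(int cr0_eq, int ip)
{
    struct cpu c = fresh(MSR_SE | (ip ? MSR_IP : 0u), cr0_eq);
    step(&c);
    return c;
}

/* The outcome the report observed, as it describes it: no trace after the
 * not-taken bne, trace after the first following nop. */
static uint32_t late_trace_srr0(void)
{
    struct cpu c = fresh(0u, 1);
    step(&c);                 /* bne falls through, no interrupt */
    c.msr |= MSR_SE;
    step(&c);                 /* nop at branch_plus_1 is traced instead */
    return c.srr0;
}

int main(void)
{
    struct cpu nt = run_branch_case(1, 0), tk = run_branch_case(0, 0);
    printf("bne not taken: SRR0=0x%08x (what the report expects), vector 0x%08x\n", nt.srr0, nt.pc);
    printf("bne taken:     SRR0=0x%08x (branch target)\n", tk.srr0);
    printf("reported qemu-1.1.1 result: SRR0=0x%08x (one instruction late)\n", late_trace_srr0());
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 trace_model.c). The not-taken case yields SRR0 = 0x1800270, the value the report argues the handler should see; the "late trace" case yields 0x1800274, the value gdb actually printed.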

