QEMU abort on Cortex-M breakpoint exception

Host environment

  • Operating system: Arch Linux
  • OS/kernel version: 6.3.9-zen1-1-zen
  • Architecture: x86_64
  • QEMU flavor: qemu-system-arm
  • QEMU version: 8.0.90 (v8.1.0-rc0-21-gd1181d29), (commit d1181d29)
  • QEMU command line:
    ./qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-bkpt.hex -d in_asm,exec,int 

Emulated/Virtualized environment

  • Operating system: -
  • OS/kernel version: -
  • Architecture: ARM

Description of problem

When a breakpoint exception is raised on an ARM Cortex-M board, QEMU aborts.

$ qemu-system-arm --version
QEMU emulator version 8.0.90 (v8.1.0-rc0-21-gd1181d2937)

$ ./qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-bkpt.hex -d in_asm,exec,int 
[...]
Trace 0: 0x7fac6c000100 [00800400/0000000000000100/00000110/ff200000]
----------------
IN:
0x00000110:  be01       bkpt     #1

Linking TBs 0x7fac6c000100 index 0 -> 0x7fac6c0002c0
Trace 0: 0x7fac6c0002c0 [00800400/0000000000000110/00000110/ff200000]
qemu-system-arm: ../target/arm/helper.c:12224: arm_security_space_below_el3: Assertion `!arm_feature(env, ARM_FEATURE_M)' failed.

Expected behavior:

$ qemu-system-arm --version
QEMU emulator version 7.1.0

$ ./qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-bkpt.hex -d in_asm,exec,int 
[...]
Trace 0: 0x7f5408000100 [00800400/00000100/00000110/ff000000]
----------------
IN:
0x00000110:  be01       bkpt     #1

Linking TBs 0x7f5408000100 [00000100] index 0 -> 0x7f54080002c0 [00000110]
Trace 0: 0x7f54080002c0 [00800400/00000110/00000110/ff000000]
Taking exception 7 [Breakpoint] on CPU 0
...BusFault with BFSR.STKERR
...taking pending nonsecure exception 3
...loading from element 3 of non-secure vector table at 0xc
...loaded new PC 0x0
----------------

Steps to reproduce

  1. Run any Cortex-M firmware that raises a breakpoint exception (minimal example attached).

Additional information

#2  0x00007ffff5a68538 in abort () at /usr/lib/libc.so.6
#3  0x00007ffff5a6845c in  () at /usr/lib/libc.so.6
#4  0x00007ffff5a783d6 in  () at /usr/lib/libc.so.6
#5  0x0000555555c55921 in arm_security_space_below_el3 (env=0x555556dc1b40) at ../target/arm/helper.c:12224
#6  arm_security_space_below_el3 (env=env@entry=0x555556dc1b40) at ../target/arm/helper.c:12222
#7  0x0000555555c48b08 in arm_is_secure_below_el3 (env=0x555556dc1b40) at ../target/arm/cpu.h:2465
#8  arm_is_el2_enabled (env=0x555556dc1b40) at ../target/arm/cpu.h:2517
#9  arm_debug_target_el (env=env@entry=0x555556dc1b40) at ../target/arm/debug_helper.c:24
#10 0x0000555555c49cb5 in helper_exception_bkpt_insn (env=0x555556dc1b40, syndrome=0xe2000001) at ../target/arm/debug_helper.c:510
#11 0x00007fffac0002d9 in code_gen_buffer ()
[...]