Skip to content

arm: TCG debug assertion failure when handling an ISB or SB insn inside an IT block

Host environment

  • Operating system: Arch Linux
  • OS/kernel version: 6.13.8-arch1-1
  • Architecture: x86_64
  • QEMU flavor: qemu-system-arm
  • QEMU version: 10.0.0
  • QEMU command line: 
    qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-it-bug.hex -d in_asm,exec,int

Emulated/Virtualized environment

  • Operating system: -
  • OS/kernel version: -
  • Architecture: ARM

Description of problem

ARM thumb IT instruction triggers TCG debug asserts.

$ ./qemu-system-arm --version
QEMU emulator version 10.0.0 (v10.0.0)

$ ./qemu-system-arm -M stm32vldiscovery -nographic -device loader,file=raw-it-bug.hex -d in_asm,exec
[...]
Trace 0: 0x72a584000800 [00800400/0000000000000164/00000110/ff020000]
----------------
IN:
0x00000108:  f000 f80a  bl       #0x120

Trace 0: 0x72a584000940 [00800400/0000000000000108/00000110/ff020000]
qemu-system-arm: ../tcg/tcg-op.c:3343: void tcg_gen_goto_tb(unsigned int): Assertion `(tcg_ctx->goto_tb_issue_mask & (1 << idx)) == 0' failed.

Expected behavior:

$ qemu-system-arm -M stm32vldiscovery -device loader,file=raw-hardfault.hex -d in_asm,exec,int
[...]
Trace 0: 0x7df6dc000800 [00800400/0000000000000164/00000110/ff020000]
----------------
IN:
0x00000108:  f000 f80a  bl       #0x120

Trace 0: 0x7df6dc000940 [00800400/0000000000000108/00000110/ff020000]
----------------
IN:
0x00000120:  2302       movs     r3, #2
0x00000122:  bf00       nop
0x00000124:  f04f 25e0  mov.w    r5, #-0x1fff2000
0x00000128:  f8d5 1d10  ldr.w    r1, [r5, #0xd10]
0x0000012c:  f041 0014  orr      r0, r1, #0x14
0x00000130:  f8c5 0d10  str.w    r0, [r5, #0xd10]
0x00000134:  f8d5 0200  ldr.w    r0, [r5, #0x200]
0x00000138:  f8d5 6100  ldr.w    r6, [r5, #0x100]
0x0000013c:  4206       tst      r6, r0
0x0000013e:  bf02       ittt     eq
0x00000140:  f3bf 8f4f  dsbeq    sy
0x00000144:  bf20       wfeeq

Linking TBs 0x7df6dc000940 index 0 -> 0x7df6dc000a80
Trace 0: 0x7df6dc000a80 [00800400/0000000000000120/00000110/ff020000]
[...]
Trace 0: 0x7df6dc001fc0 [00800400/0000000000000170/00000110/ff020000]
Taking exception 3 [Prefetch Abort] on CPU 0
...at fault address 0xdeadbeee
...with CFSR.IACCVIOL
...BusFault with BFSR.STKERR
...taking pending nonsecure exception 3
...loading from element 3 of non-secure vector table at 0xc
...loaded new PC 0x111
----------------
IN:
0x00000110:  e7fe       b        #0x110

Steps to reproduce

  1. Build QEMU with CONFIG_DEBUG_TCG enabled, e.g. with ./configure --enable-debug.
  2. Run Cortex-M firmware with IT instruction. (minimal example attached)

Additional information

  • Minimal Reproducer: raw-it-bug.hex
  • Reproduced on main, v10.0.0 and v9.1.0.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information