diff options
| author | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 19:39:53 +0200 |
|---|---|---|
| committer | Christian Krinitsin <mail@krinitsin.com> | 2025-07-03 19:39:53 +0200 |
| commit | dee4dcba78baf712cab403d47d9db319ab7f95d6 (patch) | |
| tree | 418478faf06786701a56268672f73d6b0b4eb239 /results/classifier/deepseek-r1:14b/output/hypervisor/2226 | |
| parent | 4d9e26c0333abd39bdbd039dcdb30ed429c475ba (diff) | |
| download | qemu-analysis-dee4dcba78baf712cab403d47d9db319ab7f95d6.tar.gz qemu-analysis-dee4dcba78baf712cab403d47d9db319ab7f95d6.zip | |
restructure results
Diffstat (limited to 'results/classifier/deepseek-r1:14b/output/hypervisor/2226')
| -rw-r--r-- | results/classifier/deepseek-r1:14b/output/hypervisor/2226 | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/results/classifier/deepseek-r1:14b/output/hypervisor/2226 b/results/classifier/deepseek-r1:14b/output/hypervisor/2226 new file mode 100644 index 000000000..e9ccac292 --- /dev/null +++ b/results/classifier/deepseek-r1:14b/output/hypervisor/2226 @@ -0,0 +1,57 @@ + +arm HSTR trap settings routed to EL1 instead of EL2 +Description of problem: +ARM's HSTR register is used to trap CP15 access from EL1/0. qemu's implementation seems to be inconsistent with ARM's documentation. + +Take the system register VBAR for example, the following pseudo code is grabbed from ARM DDI 0487J.a ID042523 G8-10651, which is the logics behind when reading VBAR. +``` +if PSTATE.EL == EL0 then + UNDEFINED; +elsif PSTATE.EL == EL1 then + if EL2Enabled() && !ELUsingAArch32(EL2) && HSTR_EL2.T12 == '1' then + AArch64.AArch32SystemAccessTrap(EL2, 0x03); + elsif EL2Enabled() && ELUsingAArch32(EL2) && HSTR.T12 == '1' then + AArch32.TakeHypTrapException(0x03); + elsif HaveEL(EL3) && ELUsingAArch32(EL3) then + R[t] = VBAR_NS; + else + R[t] = VBAR; +elsif PSTATE.EL == EL2 then + if HaveEL(EL3) && ELUsingAArch32(EL3) then + R[t] = VBAR_NS; + else + R[t] = VBAR; +elsif PSTATE.EL == EL3 then + if SCR.NS == '0' then + R[t] = VBAR_S; + else + R[t] = VBAR_NS; +``` + +The main logics in my attached test program are: +1. Setting EL2 and EL1's exception table +2. Set HSTR.T12 +3. ERET to EL1, and read VBAR from EL1 + +As the document mentions, when CPU running on EL1 && HSTR.T12 is set, HypTrapException 0x3 should be taken, which is EL2. But the test program shows, on such circumstances, CPU is being routed to EL1's undefined exception. +Steps to reproduce: +1. Clone this repo https://github.com/roolrz/reproduce-qemu-arm-hstr-issue +2. Use make to build the test program +3. Use following command to launch it +``` +qemu-system-arm \ + -nographic \ + -cpu cortex-a7 \ + -M virt,virtualization=on \ + -m 1G \ + -kernel el2.elf +``` +4. The following message is printed by the program, problem reproduced +``` +EL2 Booted +Jumping to el1 +el1 reached, triggering trap +EL1 undefined sync triggered +``` +Additional information: + |