On 10 April 2017 at 11:39, Peter Maydell <peter.mayd...@linaro.org> wrote:
> On M profile, return from exceptions happens when privileged code
> executes one of the following function call return instructions:
>  * POP or LDM which loads the PC
>  * LDR to PC
>  * BX register
> and the new PC value is 0xFFxxxxxx.

So this isn't quite right -- the special behaviour happens only when
in Handler mode. (Handler is always privileged, but not all privileged
code is in Handler mode)...

> +static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
> +{
> + /* Generate the same code here as for a simple bx, but flag via
> + * s->is_jmp that we need to do the rest of the work later.
> + */
> + gen_bx(s, var);
> + if (!IS_USER(s) && arm_dc_feature(s, ARM_FEATURE_M)) {

...so we need to track "are we in Handler mode" (ie env->v7m.exception != 0)
in the TB flags and test that here rather than testing IS_USER.
(Otherwise if you have code which executes the same 'bx' instruction
both as a legitimate exception return and as a fake exception return
while in privileged thread mode then we assert() in
do_v7m_exception_exit. I have a test case that does this but no real
code would ever do it.)

thanks
-- PMM
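Review bot: the `!IS_USER(s)` guard in gen_bx_excret tests the wrong property: it is true for any privileged code on M profile, but the 0xFFxxxxxx exception-return behaviour applies only in Handler mode, and privileged Thread-mode code is not in Handler mode. Carry a Handler-mode bit (derived from env->v7m.exception != 0) in the TB flags and test that bit here instead of IS_USER, so a BX to an 0xFFxxxxxx value in privileged Thread mode takes the plain gen_bx path and cannot reach the assert() in do_v7m_exception_exit.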
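To make the Handler-mode versus privileged distinction concrete, here is an added, stand-alone C model of the two guards discussed in the message. It is not QEMU code: the `struct mstate`, the `TBF_USER`/`TBF_HANDLER` flag bits, and the function names are invented for this example, `0xFFFFFFF9` is a constructed example exception-return value, and exception number 11 is used as an arbitrary active exception. The model derives the TB flags from the CPU state the same way the reply suggests (Handler mode is exactly `exception != 0`) and then replays the described test case: the same `bx` executed from Handler mode and from privileged Thread mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of "privileged" versus "in Handler mode" on M profile.
 * Added illustration only; every name and flag bit here is made up.
 */

/* Constructed M-profile CPU state. Handler mode is exactly "some
 * exception is active" (exception != 0). Thread mode (exception == 0)
 * can be either privileged or unprivileged. */
struct mstate {
    uint32_t exception;  /* stand-in for env->v7m.exception */
    bool privileged;
};

/* Assumed TB flag bits (names invented for this example). */
#define TBF_USER    (1u << 0)  /* unprivileged: what IS_USER() reports */
#define TBF_HANDLER (1u << 1)  /* Handler mode: the flag the reply asks for */

/* Flags a translation block would be tagged with for this state. */
static uint32_t tb_flags_for(const struct mstate *st)
{
    uint32_t f = 0;
    if (!st->privileged) {
        f |= TBF_USER;
    }
    if (st->exception != 0) {
        f |= TBF_HANDLER;
    }
    return f;
}

/* An M-profile exception-return magic value has the form 0xFFxxxxxx. */
static bool is_excret_value(uint32_t pc)
{
    return (pc & 0xff000000u) == 0xff000000u;
}

/* Guard as written in the posted hunk: "privileged" (not IS_USER). */
static bool bx_excret_priv_guard(uint32_t flags, uint32_t target)
{
    return !(flags & TBF_USER) && is_excret_value(target);
}

/* Guard the reply proposes: "in Handler mode". */
static bool bx_excret_handler_guard(uint32_t flags, uint32_t target)
{
    return (flags & TBF_HANDLER) != 0 && is_excret_value(target);
}

/*
 * Replays the reply's test case: the same BX target seen from Handler
 * mode, from privileged Thread mode and from unprivileged Thread mode.
 * Returns how many of those states the two guards disagree on.
 */
static int count_guard_disagreements(uint32_t target)
{
    const struct mstate states[] = {
        { .exception = 11, .privileged = true  },  /* Handler mode */
        { .exception = 0,  .privileged = true  },  /* privileged Thread mode */
        { .exception = 0,  .privileged = false },  /* unprivileged Thread mode */
    };
    int disagree = 0;
    for (size_t i = 0; i < sizeof states / sizeof states[0]; i++) {
        uint32_t f = tb_flags_for(&states[i]);
        bool by_priv = bx_excret_priv_guard(f, target);
        bool by_handler = bx_excret_handler_guard(f, target);
        printf("exception=%2u priv=%d: priv-guard=%d handler-guard=%d\n",
               states[i].exception, states[i].privileged, by_priv, by_handler);
        disagree += (by_priv != by_handler);
    }
    return disagree;
}

int main(void)
{
    /* Constructed example EXC_RETURN-style value. */
    int d = count_guard_disagreements(0xfffffff9u);
    printf("guards disagree in %d state(s)\n", d);
    return 0;
}
```

The only state on which the two guards differ is privileged Thread mode: the privilege-based guard treats the `bx` there as an exception return, the Handler-mode guard does not, which is exactly the case that would otherwise reach the assert() described in the reply.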