I am running an ARM program in single-process mode with '-d exec', and
either the resulting traces are incomplete, I don't understand them, or
something else is going on. Tried with QEMU 2.2.0; more detailed info
about how things are built & run is below.
The suspicious part of the trace is:
----------------
IN: _IO_cleanup
0x0000cc94: e585606c str r6, [r5, #108]
0x0000cc98: e5955034 ldr r5, [r5, #52]
0x0000cc9c: e3550000 cmp r5, #0 ; 0x0
0x0000cca0: 1affffca bne 0xcbd0
Trace 0x7f448997aba0 [0000cc94] _IO_cleanup
...
Trace 0x7f8fb3b543c0 [0000cbec] _IO_cleanup
Trace 0x7f8fb3b54200 [0000cc94] _IO_cleanup <---
Trace 0x7f8fb3b54200 [0000cc94] _IO_cleanup <---** here **
In other words, it seems like the block starting at the guest's address
0xCC94 has two possible successors, 0xCCA4 (bne not taken) and 0xCBD0
(bne taken). But at least if I am inferring the log format correctly,
the lines marked with "<--" should be indicating that the 0xCC94 block
is executed twice in a row, but 0xCC94 isn't a successor of 0xCCA0.
Any idea what is happening?
(Or you can flip the question around a bit. The reason I'm doing this is
because I want a trace of the address of each instruction that is
executed. Is there a better tool to do this? Right now when I see an
"IN" block of instructions I record the addresses in that block and key
it off of the block's leader. Later when I see "Trace ... [address]" I
treat the address as the block leader and go look up the instructions in
that block from when it was seen before. Is there a better way to do
this? Maybe with the trace-events infrastructure? But there are a ton of
events and I don't know what to select.)
Detailed information:
QEMU is built with 'configure --target-list=arm-linux-user --cxx=g++
--prefix=...'. It is running on x64 Ubuntu.
The program in question is built with CodeSourcery's cross-compiling
build of GCC. Perhaps somewhat importantly (?), -static is passed to the
linker; for this program, the problem does not arise without -static.
(However, I have another program in which we think we are seeing
incomplete traces that is probably built without -static.) I'm not sure
what differs between the version of _IO_cleanup (or a caller of it) when
it is statically linked or loaded from a library.
I am running QEMU with 'qemu-arm -cpu cortex-a8 -d in_asm,exec
test.exe.arm'.
I can distribute source and/or binary of the test program if that would
be helpful. (Though the source won't be very enlightening; it's probably
less complicated than hello world.)
Thanks,
Evan Driscoll
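The reconstruction the post describes (key each "IN:" block off its leader address, then expand every "Trace ... [address]" line back into the instruction addresses of that block) as an added worked example; this is not code from the original message or from QEMU. The log sample is constructed in the format shown in the post: the first block is copied from the post, the second block and the final "Trace" line are invented to exercise a taken branch and an unknown leader. The code assumes ARM mode (4-byte instructions), that a "Trace" line marks entry to a translated block and that the block then runs to completion, and it uses a crude textual heuristic to find branch targets; it also flags the pattern the post asks about, a block entered twice in a row although its own leader is not one of its static successors.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `qemu-arm -d in_asm,exec` (QEMU 2.x).
# Block at 0xcc94 is taken from the post; the 0xcbd0 block and the final
# Trace line (leader 0xd000, never translated) are invented for the example.
SAMPLE_LOG = """\
----------------
IN: _IO_cleanup
0x0000cc94:  e585606c      str r6, [r5, #108]
0x0000cc98:  e5955034      ldr r5, [r5, #52]
0x0000cc9c:  e3550000      cmp r5, #0 ; 0x0
0x0000cca0:  1affffca      bne 0xcbd0

Trace 0x7f448997aba0 [0000cc94] _IO_cleanup
----------------
IN: _IO_cleanup
0x0000cbd0:  e1a00005      mov r0, r5
0x0000cbd4:  ebfffffe      bl 0xcbd4

Trace 0x7f448997ac00 [0000cbd0] _IO_cleanup
Trace 0x7f448997aba0 [0000cc94] _IO_cleanup
Trace 0x7f448997aba0 [0000cc94] _IO_cleanup
Trace 0x7f448997ad00 [0000d000] unknown_block
"""

# One disassembled instruction: "0x<addr>: <encoding> <mnemonic operands>"
INSN_RE = re.compile(r"^0x([0-9a-fA-F]+):\s+([0-9a-fA-F]{8})\s+(.*)$")
# One execution event: "Trace <host ptr> [<guest pc>] <symbol>"
TRACE_RE = re.compile(r"^Trace\s+0x[0-9a-fA-F]+\s+\[([0-9a-fA-F]+)\]\s*(\S*)")
# Heuristic: a final b/bl/bcc with an immediate target (ARM mode only)
BRANCH_RE = re.compile(r"^b\S*\s+0x([0-9a-fA-F]+)")


@dataclass
class Block:
    symbol: str
    leader: int = None
    insns: list = field(default_factory=list)  # (addr, encoding, text)


def parse_log(text):
    """Return (blocks, events): blocks maps leader address -> Block built
    from the 'IN:' sections; events lists leader addresses in the order the
    'Trace' lines report block entry."""
    blocks, events, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("IN:"):
            current = Block(symbol=line[3:].strip())
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            addr = int(m.group(1), 16)
            if current.leader is None:
                current.leader = addr
                blocks[addr] = current  # retranslation overwrites, same content
            current.insns.append((addr, m.group(2), m.group(3).strip()))
            continue
        m = TRACE_RE.match(line)
        if m:
            events.append(int(m.group(1), 16))
        current = None  # any other line (blank, dashes, Trace) ends a block
    return blocks, events


def expand(blocks, events):
    """Expand block entries into per-instruction addresses, assuming each
    traced block ran to completion. Leaders with no 'IN:' block are
    returned separately as gaps instead of being silently dropped."""
    addrs, gaps = [], []
    for leader in events:
        blk = blocks.get(leader)
        if blk is None:
            gaps.append(leader)
            continue
        addrs.extend(addr for addr, _, _ in blk.insns)
    return addrs, gaps


def static_successors(blk):
    """Fall-through address plus the immediate target of a final branch.
    ARM mode only (4-byte instructions); indirect branches are not seen."""
    last_addr, _, text = blk.insns[-1]
    succ = {last_addr + 4}
    m = BRANCH_RE.match(text)
    if m:
        succ.add(int(m.group(1), 16))
    return succ


def suspicious_repeats(blocks, events):
    """Indices of events where a known block follows itself although its own
    leader is not among its static successors (the '<--' pattern)."""
    hits = []
    for i in range(1, len(events)):
        lead = events[i]
        if lead == events[i - 1] and lead in blocks:
            if lead not in static_successors(blocks[lead]):
                hits.append(i)
    return hits


if __name__ == "__main__":
    blocks, events = parse_log(SAMPLE_LOG)
    addrs, gaps = expand(blocks, events)
    for a in addrs:
        print(f"0x{a:08x}")
    print("leaders never translated:", [hex(g) for g in gaps])
    print("suspicious repeats at event indices:", suspicious_repeats(blocks, events))
```

The gap list matters in practice: because the log records block entry rather than per-instruction retirement, any leader missing from the "IN:" sections, or any block that did not run to its end, makes the expanded address list an approximation, and this shows where.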