To be precise, as I was doing my own investigation, this only happens when *both* the following hold:

- a breakpoint instruction is executed in EL2 (as you mentioned).
- ELD is EL1.

This does **not** happen **if ELD is EL2**, after setting e.g. MDCR_EL2.TDE to 1.

As mentioned above, it's a regression in implementing "AArch64 Self-hosted Debug, D2.3 Routing debug exceptions".

** Summary changed:

- qemu-system-aarch64: regression: TCG sometimes using wrong values for VBAR_EL2 despite it being correctly reported to GDB
+ qemu-system-aarch64: regression in 3.1: breakpoint instructions routed to EL1 from EL2 when ELD is EL1

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1838277

Title:
  qemu-system-aarch64: regression in 3.1: breakpoint instructions routed to EL1 from EL2 when ELD is EL1

Status in QEMU:
  New

Bug description:
  Affects 3.1.0 (latest stable release) and latest commit (893dc8300c80e3dc32f31e968cf7aa0904da50c3) but did *not* affect 2.11 (qemu from bionic ubuntu LTS).

  With the following code and shell commands:

  test.s:

      .text
      mov x0, #0x60000000
      msr vbar_el2, x0
      dsb sy
      isb sy

  $ aarch64-none-elf-as test.s -o test.o
  $ aarch64-none-elf-objcopy -S -O binary test.o test.bin
  $ qemu-system-aarch64 -nographic -machine virt,virtualization=on -cpu cortex-a57 -kernel test.bin -s -S

  vbar_el2 is still 0 after the code, instead of being the expected 0x60000000 (see screenshot).

  This regression doesn't seem to happen for vbar_el1 & virtualization=off.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1838277/+subscriptions
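The routing rule the report refers to, as an added model (not QEMU code, and not the reporter's test program): the architectural target EL for a debug exception, next to the behaviour described in the bug, where a breakpoint at EL2 is taken to ELD even when ELD is EL1 and so lands in the EL1 vector table instead of the one at VBAR_EL2. The struct and function names are this example's own; the model covers EL0 to EL2 and assumes EL3 is unaffected.

```c
#include <stdbool.h>
#include <stdio.h>

/* Debug-routing inputs, as a constructed struct (not a QEMU type). */
struct debug_route_ctx {
    int  current_el;    /* EL at which the breakpoint instruction executed */
    bool el2_enabled;   /* EL2 implemented and enabled in this security state */
    bool hcr_el2_tge;   /* HCR_EL2.TGE */
    bool mdcr_el2_tde;  /* MDCR_EL2.TDE: trap debug exceptions to EL2 */
};

/* ELD (debug exception level): EL2 when EL2 is enabled and either
 * HCR_EL2.TGE or MDCR_EL2.TDE is set, otherwise EL1. */
static int eld(const struct debug_route_ctx *c)
{
    if (c->el2_enabled && (c->hcr_el2_tge || c->mdcr_el2_tde)) {
        return 2;
    }
    return 1;
}

/* Architectural routing (Arm ARM D2.3): a debug exception taken from EL2
 * or EL3 stays at that EL; one taken from EL0/EL1 is routed to ELD. */
static int debug_target_el(const struct debug_route_ctx *c)
{
    if (c->current_el >= 2) {
        return c->current_el;
    }
    return eld(c);
}

/* Behaviour described in the report: the target is ELD regardless of the
 * current EL, so a breakpoint at EL2 with ELD == EL1 is routed to EL1. */
static int debug_target_el_regressed(const struct debug_route_ctx *c)
{
    if (c->current_el == 3) {
        return 3;  /* assumption: EL3 is outside the reported regression */
    }
    return eld(c);
}

int main(void)
{
    struct debug_route_ctx brk_el2 = { .current_el = 2, .el2_enabled = true };
    printf("BRK at EL2, ELD=EL%d: correct -> EL%d, regressed -> EL%d\n",
           eld(&brk_el2), debug_target_el(&brk_el2), debug_target_el_regressed(&brk_el2));
    brk_el2.mdcr_el2_tde = true;  /* the MDCR_EL2.TDE=1 case from the comment */
    printf("BRK at EL2, ELD=EL%d: correct -> EL%d, regressed -> EL%d\n",
           eld(&brk_el2), debug_target_el(&brk_el2), debug_target_el_regressed(&brk_el2));
    return 0;
}
```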