
Facilities for x86 debugging
Introduction to Pentium features that can assist programmers in their debugging of software

Any project ‘bugs’?
• As you work on designing your solution for the programming assignment in Project #1 it is possible (likely?) that you may run into some program failures
• What can you do if your program doesn’t behave as you had expected it would?
• How can you diagnose the causes?
• Where does your problem first appear?

Single-stepping
• An ability to trace through your program’s code, one instruction at a time, often can be extremely helpful in identifying where a program flaw is occurring – and also why
• The Pentium processor provides hardware assistance in implementing a ‘debugging’ capability such as ‘single-stepping’.

The EFLAGS register
    bit 16 = RF    bit 8 = TF
RF = RESUME flag (bit 16): By setting this flag-bit in the EFLAGS register-image that got saved on the stack, the ‘iret’ instruction will be inhibited from generating yet another CPU exception
TF = TRAP flag (bit 8): By setting this flag-bit in the EFLAGS register-image that gets saved on the stack when ‘pushfl’ was executed, and then executing ‘popfl’, the CPU will begin executing a ‘single-step’ exception after each instruction executes

TF-bit in EFLAGS
• Our ‘trydebug.s’ demo shows how to use the TF-bit to perform ‘single-stepping’ of a Linux application program (e.g., ‘hello’)
• The ‘popfl’ instruction is used to set TF
• The exception-handler for INT-1 displays information about the state of the task
• But single-stepping starts only AFTER the immediately following instruction executes

How to do it
• Here’s a code-fragment that we could use to initiate single-stepping from the start of our ‘ring3’ application-program:

    # 'lret' in 32-bit code pops 4-byte EIP and CS (and, on a privilege
    # change, 4-byte ESP and SS), so each value is pushed with 'pushl'
    pushl   $userSS         # selector for ring3 stack-segment
    pushl   $userTOS        # offset for ring3 ‘top-of-stack’
    pushl   $userCS         # selector for ring3 code-segment
    pushl   $0              # offset for the ring3 entry-point
    pushfl                  # push current EFLAGS
    btsl    $8, (%esp)      # set image of the TF-bit
    popfl                   # modify EFLAGS to set TF
    lret                    # transfer to ring3 application

Using ‘objdump’ output
• You can generate an assembler ‘listing’ of the instructions in our ‘hello’ application
• You can then use the listing to follow along with the ‘single-stepping’ through that code
• Here’s how to do it:

    $ objdump -d hello > hello.u

• (The ‘-d’ option stands for ‘disassembly’)

A slight ‘flaw’
• We cannot single-step the execution of an ‘int-0x80’ instruction (Linux’s system-calls)
• Our exception-handler’s ‘iret’ instruction will restore the TF-bit to EFLAGS, but the single-step ‘trap’ doesn’t take effect until after the immediately following instruction
• This means we ‘skip’ seeing a display of the registers immediately after ‘int-0x80’

Fixing that ‘flaw’
• The Pentium offers a way to overcome the problem of a delayed effect when TF is set
• We can use the Debug Registers to set an instruction ‘breakpoint’ which will interrupt the CPU at a specific instruction-address
• There are six Debug Registers:
    DR0, DR1, DR2, DR3 (breakpoints)
    DR6 (the Debug Status register)
    DR7 (the Debug Control register)

Breakpoint Address Registers
    DR0
    DR1
    DR2
    DR3

Special ‘MOV’ instructions
• Use ‘mov %reg, %DRn’ to write into DRn
• Use ‘mov %DRn, %reg’ to read from DRn
• Here ‘reg’ stands for any one of the CPU’s general-purpose registers (e.g., EAX, etc.)
• These instructions are ‘privileged’ (i.e., can only be executed by code running in ring0)

Debug Control Register (DR7)
    Most significant word (bits 31..16):
      31-30 LEN3   29-28 R/W3   27-26 LEN2   25-24 R/W2
      23-22 LEN1   21-20 R/W1   19-18 LEN0   17-16 R/W0
    Least significant word (bits 15..0):
      15 0   14 0   13 GD   12 0   11 0   10 1   9 GE   8 LE
      7 G3   6 L3   5 G2   4 L2   3 G1   2 L1   1 G0   0 L0

What kinds of breakpoints?
    LEN  00 = one byte
         01 = two bytes
         10 = undefined
         11 = four bytes
    R/W  00 = break on instruction fetch only
         01 = break on data writes only
         10 = undefined (unless DE set in CR4)
         11 = break on data reads or writes (but not on instruction fetches)

Control Register 4
• The Pentium uses Control Register 4 to activate certain extended features of the processor, while still allowing for backward compatibility of software written for earlier Intel x86 processors
• An example: Debug Extensions (DE-bit)
    CR4: bit 3 = DE; the remaining bits (31..0) are other feature bits

Debug Status Register (DR6)
    Most significant word (bits 31..16): unused (all bits here are set to 1)
    Least significant word (bits 15..0):
      15 BT   14 BS   13 BD   12 0   11-4 all 1
      3 B3   2 B2   1 B1   0 B0

Where to set a breakpoint
• Suppose you want to trigger a ‘debug’ trap at the instruction immediately following the Linux software ‘int $0x80’ system-call
• Your debug exception-handler can use the saved CS:EIP values on its stack to check that ‘int $0x80’ has caused an exception
• Machine-code is: 0xCD, 0x80 (2 bytes)
• So set a ‘breakpoint’ at address EIP+2

How to set this breakpoint

    isrDBG:
            push    %ebp
            mov     %esp, %ebp
            pushal
            # put breakpoint-address in DR0
            mov     4(%ebp), %eax   # saved EIP (above the pushed EBP)
            add     $2, %eax        # skip past the 2-byte ‘int $0x80’
            mov     %eax, %dr0

Setting a breakpoint (continued)

            # enable local breakpoint for DR0
            mov     %dr7, %eax
            bts     $0, %eax        # set L0 (local enable for DR0)
            mov     %eax, %dr7
            …
            popal
            pop     %ebp
            iret

Detecting a ‘breakpoint’
• Your debug exception-handler can read DR6 to check for any occurrences of breakpoints

            mov     %dr6, %eax      # get debug status
            bt      $0, %eax        # breakpoint #0?
            jnc     notBP0          # no, another cause
            btsl    $16, 12(%ebp)   # set the RF-bit in the saved EFLAGS image
            # or disable breakpoint0 in register DR7
    notBP0:

In-class exercise #1
• Our ‘trydebug.s’ demo illustrates the idea of single-stepping through a program, but after several steps it encounters a General Protection Exception (i.e., interrupt $0x0D)
• You will recognize a display of information from registers that gets saved on the stack
• Can you determine why this fault occurs, and then modify our code to eliminate it?

The unlabeled stack layout
• Our ‘isrGPF’ handler doesn’t label its info:

    ----- ES
    ----- DS
    EDI ESI EBP ESP EBX
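The DR7 and DR6 bit layouts and the EIP+2 decision from the slides above, modelled in C as an added example (not code from the course or its ‘trydebug.s’ demo). Bit positions and field encodings are the ones the slides show; the function names are my own, and the code bytes used to exercise breakpoint_after_int80 are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* R/Wn and LENn encodings from the "What kinds of breakpoints?" slide (Pentium DR7). */
enum { RW_EXEC = 0, RW_WRITE = 1, RW_IO_IF_CR4_DE = 2, RW_RDWR = 3 };
enum { LEN_1 = 0, LEN_2 = 1, LEN_UNDEFINED = 2, LEN_4 = 3 };
#define DR7_BIT10_ALWAYS_ONE (1u << 10)   /* shown as a fixed 1 in the DR7 layout */
#define DR6_RESET_VALUE      0xFFFF0FF0u  /* B0-B3, BD, BS, BT clear; reserved 1-bits set */

/* Program breakpoint slot n (0..3) of DR7 following the slide's bit layout:
 * Ln = bit 2n, Gn = bit 2n+1, R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n. */
uint32_t dr7_set_breakpoint(uint32_t dr7, int slot, bool global, unsigned rw, unsigned len)
{
    if (rw == RW_EXEC) len = LEN_1;           /* an instruction breakpoint must use LEN = 00 */
    dr7 &= ~(0x3u << (2 * slot));             /* clear old Ln/Gn */
    dr7 &= ~(0xFu << (16 + 4 * slot));        /* clear old R/Wn and LENn */
    dr7 |= 1u << (2 * slot + (global ? 1 : 0));
    dr7 |= (rw & 3u) << (16 + 4 * slot);
    dr7 |= (len & 3u) << (18 + 4 * slot);
    return dr7 | DR7_BIT10_ALWAYS_ONE;
}

/* Disable slot n: clear Ln and Gn (the R/W and LEN fields are then ignored). */
uint32_t dr7_clear_breakpoint(uint32_t dr7, int slot)
{
    return dr7 & ~(0x3u << (2 * slot));
}

/* Lowest Bn bit set in DR6 (which address breakpoint fired), or -1 if none did. */
int dr6_breakpoint_slot(uint32_t dr6)
{
    for (int n = 0; n < 4; n++)
        if (dr6 & (1u << n)) return n;
    return -1;
}

/* BS (bit 14) tells the handler the trap came from TF single-stepping. */
bool dr6_single_step(uint32_t dr6) { return (dr6 & (1u << 14)) != 0; }

/* The decision from the "Where to set a breakpoint" slide: when the instruction
 * about to execute at the saved EIP is 'int $0x80' (bytes 0xCD 0x80), place the
 * breakpoint at EIP+2 so the debug trap fires right after the system call returns.
 * 'code' holds the bytes at linear address 'base'; returns 0 when no breakpoint is needed. */
uint32_t breakpoint_after_int80(const uint8_t *code, size_t code_len, uint32_t base, uint32_t eip)
{
    if (eip < base || (eip - base) + 2 > code_len) return 0;
    const uint8_t *p = code + (eip - base);
    return (p[0] == 0xCD && p[1] == 0x80) ? eip + 2 : 0;
}
```

The slide's ‘bts $0, %eax’ on a reset-state DR7 corresponds to dr7_set_breakpoint(0x400, 0, false, RW_EXEC, LEN_1), which leaves R/W0 and LEN0 at 00 and yields 0x401.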


USF CS 630 - Facilities for x86 debugging