Facilities for x86 debugging Introduction to x86 CPU features that can assist programmers in the debugging of their software

Any project ‘bugs’? As you work on designing your solution for the programming assignment in Project #2 it is possible (likely?) that you may run into some program failures What can you do if your program doesn’t behave as you had expected it would? How can you diagnose the causes? Where does your problem first appear?

Single-stepping An ability to trace through your program’s code, one instruction at a time, often can be extremely helpful in identifying where a program flaw is occurring – and also why Intel’s x86 processor provides hardware assistance in implementing a ‘debugging’ capability such as ‘single-stepping’.

RFRF The EFLAGS register TFTF 816 RF = RESUME flag (bit 16) By setting this flag-bit in the EFLAGS register-image that gets saved on the stack, the ‘iret’ instruction will be inhibited from generating yet another CPU exception TF = TRAP flag (bit 8) By setting this flag-bit in the EFLAGS register-image that gets saved on the stack when a ‘pushfl’ is executed, and then executing ‘popfl’, the CPU will begin triggering a ‘single-step’ exception after each instruction-executes

TF-bit in EFLAGS Our ‘usedebug.s’ demo shows how to use the TF-bit to perform ‘single-stepping’ of a Linux application (e.g., our ‘linuxapp.o’) The ‘popfw’ instruction is used to set TF The exception-handler for INT-1 displays information about the state of the program But single-stepping starts only AFTER the immediately following instruction executes

How to do it Here’s a code-fragment that we could use to initiate single-stepping from the start of our ‘ring3’ application-progam: pushw$userSS# selector for ring3 stack-segment pushw$userTOS# offset for ring3 ‘top-of-stack’ pushw$userCS# selector for ring3 code-segment pushw$0# offset for the ring3 entry-point pushfw# push current FLAGS btsw$8, (%esp)# set image of the TF-bit popfw# modify FLAGS to set TF lret# transfer to ring3 application

Using assembler listings You can generate an assembler ‘listing’ of the instructions in our ‘linuxapp.o’ file, then use that listing to follow along while you’re ‘single-stepping’ through that file’s code Here’s how to do it: $ as –al linuxapp.s > linuxapp.lst (The ‘-al’ option is for ‘assembly listing’)

A slight ‘flaw’ We cannot single-step the execution of an ‘int-0x80’ instruction (Linux’s system-calls) Our exception-handler’s ‘iret’ instruction will restore the TF-bit to EFLAGS, but the single-step ‘trap’ doesn’t take effect until after the immediately following instruction This means we ‘skip’ seeing a display of the registers immediately after ‘int-0x80’

Fixing that ‘flaw’ The x86 offers us a way to overcome the delayed effect of TF when ‘iret’ executes We can use the Debug Registers to set an instruction ‘breakpoint’ which will interrupt the CPU at a specific instruction-address There are six Debug Registers: DR0, DR1, DR2, DR3(breakpoints) DR6 (the Debug Status register) DR7(the Debug Control register)

Breakpoint Address Registers DR0 DR1 DR2 DR3

Special ‘MOV’ instructions Use ‘mov %reg, %DRn’ to write into DRn Use ‘mov %DRn, %reg’ to read from DRn Here ‘reg’ stands for any one of the CPU’s general-purpose registers (e.g., EAX, etc.) These special instructions are ‘privileged’ (i.e., they can only be executed by code that is running in ring0)

Debug Control Register (DR7) 00 GDGD 001 GEGE LELE G3G3 L3L3 G2G2 L2L2 G1G1 L1L1 G0G0 L0L0 LEN 3 R/W 3 LEN 2 R/W 2 LEN 1 R/W 1 LEN 0 R/W Least significant word Most significant word

What kinds of breakpoints? LENR/W LEN 00 = one byte 01 = two bytes 10 = undefined 11 = four bytes R/W 00 = break on instruction fetch only 01 = break on data writes only 10 = undefined (unless DE set in CR4) 11 = break on data reads or writes (but not on instruction fetches)

Control Register CR4 The x86 CPU uses Control Register CR4 to activate certain extended features of the processor, while still allowing for backward compatibility of software written for earlier Intel x86 processors An example: Debug Extensions (DE-bit) other feature bits CR4 DEDE

Debug Status Register (DR6) BDBD B3B3 B2B2 B1B1 unused ( all bits here are set to 1 ) Least significant word Most significant word BSBS B T 1 B0B0 LEGEND:B0 (Breakpoint by DR0) BT (Break on Task-switch trap)B1 (Breakpoint by DR1) BS (Break on Single-step trap) B2 (Breakpoint by DR2) BD (Break on Debug-register access)B3 (Breakpoint by DR3)

Where to set a breakpoint Suppose you want to trigger a ‘debug’ trap at the instruction immediately following the Linux software ‘int $0x80’ system-call Your debug exception-handler can use the saved CS:EIP values on its stack to check that ‘int $0x80’ has caused an exception Machine-code is: 0xCD, 0x80 (2 bytes) So set a ‘breakpoint’ at address EIP+2

Computing a code-breakpoint isrDBG:pushal# preserve general registers pushl$ds# preserve DS register pushl$es# preserve ES register lds40(%esp), %esi# point DS:ESI to faulting instruction cmpb$0xCD, (%esi)# a software interrupt instruction? jnenotINT# if not, don’t set a breakpoint add$2, %esi# else point past 2-byte instruction # now we want to compute the ‘linear address’ represented by # the logical-address (i.e., segment:offset values) in DS:ESI #NOTE # It’s easy for operating systems like Linux, where segments # for code and data have a base-address that’s equal to zero # but our current program-examples use memory-segments # that don’t begin at address 0x

Segment-selector format array-index for descriptor-table entry RPLRPL TITI TI (Table Indicator) 0 = GDT 1 = LDT

Segment-Descriptor Format Base[31..24]GD RSVRSV AVLAVL Limit [19..16] P DPLDPL SX C/DC/D R/WR/W ABase[23..16] Base[15..0]Limit[15..0] Several instances of this basic ‘segment-descriptor’ data-structure will occur in the Global Descriptor Table (and maybe also in some Local Descriptor Tables)

Getting the base-address # The base-address for the memory-segment whose segment-selector is # in register DS will need to be extracted from its segment-descriptor mov%ds, %ecx# segment-selector to ECX leatheGDT, %ebx# setup GDT’s offset in EBX bt$2, %ecx# is the selector’s TI-bit set? jncuseEBX# no, do table-lookup in GDT leatheLDT, %ebx# else do the lookup in LDT useEBX: and$0xFFF8, %ecx# isolate selector’s index-field mov%cs:0(%ebx, %ecx), %eax# descriptor [31..0] mov%cs:4(%ebx, %ecx), %al# descriptor [39..32] mov%cs:7(%ebx, %ecx), %ah# descriptor [63..56] rol$16, %eax# rotate these bits into position

Enabling the breakpoint # instruction linear-address is base-address plus segment-offset add%eax, %esi# add base-address to offset # setup this breakpoint-address in Debug Register DR0 mov%esi, %dr0# breakpoint-address in DR0 # now activate a ‘local’ code-breakpoint for the address in DR0 mov %dr7, %eax bts $0, %eax# set LE0 (Local Enable 0) mov %eax, %dr7 … popl%es popl%ds popal iret

Detecting a ‘breakpoint’ Your debug exception-handler can read DR6 to check for an occurrence of breakpoint0 mov %dr6, %eax; get debug status bt $0, %eax; breakpoint #0? jnc notBP0; no, another cause btsl $16, 12(%ebp) ; set the RF-bit # or disable breakpoint0 in register DR7 notBP0:

Detecting a ‘breakpoint’ Your debug exception-handler reads DR6 to learn why a debug-exception occurred #EXAMPLE # was this exception triggered by a breakpoint defined in DR0…DR3? mov%dr6, %eax# read debug status-register test$0xF, %eax# any breakpoint matches? jznotBP# no, leave RF-bit unchanged # OK, we need to set the RF-bit (Resume Flag) before we execute ‘iret’ # (so as not to immediately encounter the very same breakpoint again) btsl$16, 48(%esp)# set RF-bit in EFLAGS image notBP:

In-class exercise #1 Our ‘usedebug.s’ demo illustrates the idea of single-stepping through a program, but after several steps it encounter a General Protection Exception (i.e., interrupt $0x0D) You will recognize a display of information from registers that gets saved on the stack Can you determine why this fault occurs, and then modify our code to eliminate it?

The GP Fault’s stack-layout EFLAGS CS EIP error-code EAX ECX EDX EBX ESP EBP ESI EDI DS ES FS GS

Intel x86 instruction-format Intel’s instructions vary in length from 1 to 15 bytes, and are comprised of five fields: instruction prefixes 0,1,2 or 3 bytes opcode field 1 or 2 bytes addressing mode field 0, 1 or 2 bytes address displacement 0, 1, 2 or 4 bytes immediate data 0, 1, 2 or 4 bytes Maximum number of bytes = 15 NOTE: When the processor’s IA32e mode is activated, some of these field-sizes may be larger, to accommodate additional addressing-modes and operand-sizes

A few examples 1-byte instruction: in %dx, %al 2-byte instruction: int $0x16 A prefixed instruction:rep movsb And here’s a 12-byte instruction: cmpl $0, %fs:0x400(%ebx, %edi, 2) –1 prefix byte –1 opcode byte –2 address-mode bytes –4 address-displacement bytes –4 immediate-data bytes

In-class exercise #2 Modify the debug exception-handler in our ‘usedebug.s’ demo-program so it will use a different Debug Register (i.e.,, DR1, DR2, or DR3) to set an instruction-breakpoint at the entry-point to your ‘int $0x80’ system- service interrupt-routine (i.e., at ‘isrDBG’) This can allow you to do single-stepping of your system-call handlers (e.g., ‘do_write’)