PPC breakpoints
How are breakpoints implemented on PPC (specifically on OS X)?
For example, on x86 this is usually done with the INT 3 (0xCC) instruction. Is there a comparable instruction for PPC, or are breakpoints installed / implemented some other way?
I was told by a reliable (but currently intoxicated, so take it with a grain of salt) source that it is instruction zero, which is illegal and causes some kind of system trap.
EDIT: Made this community wiki in case my friend is so drunk that he is talking complete rubbish :-)
In addition to software breakpoints, PPC also supports hardware breakpoints implemented through the IABR register (and possibly IABR2, depending on the core version). These are instruction breakpoints, but there are also data breakpoints (implemented with DABR and possibly DABR2). If your core supports two sets of hardware breakpoint registers (for example, IABR2 and DABR2), you can do more than just trigger at a specific address: you can specify an entire contiguous range of addresses as a breakpoint. For data breakpoints, you can also specify whether you want them to fire on write, read, or any access.
Looking at a function under gdb and dumping it in hex, I get 0x7fe00008. This seems to be the tw instruction:
0b01111111111000000000000000001000
011111 31
11111 condition flags: lt, gt, ge, logical lt, logical gt
00000 rA
00000 rB
0000000100 constant 4
0 reserved
i.e. compare r0 with r0 and trap on any result.
gdb disassembles it as trap, which is just an extended mnemonic.
EDIT: I am using "GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:20:28 GMT 2007)"
EDIT 2: It's also possible that conditional breakpoints will use other forms of tw or twi if the required values are already in a register and the debugger doesn't need to keep track of the hit count.
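To check the bit breakdown above, here is an added Python decoder (not code from the answer, from gdb or from Apple) that splits a 32-bit PowerPC word into the tw/twi fields listed above and scans a constructed code buffer for trap instructions; it also handles the twi immediate form and the TO=0 encoding, which never traps.

```python
"""Decode PowerPC tw / twi trap instructions from big-endian 32-bit words."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TO-field bits, MSB first, as defined by the PowerPC ISA
TO_FLAGS = ("lt", "gt", "eq", "llt", "lgt")


def bits(word: int, start: int, width: int) -> int:
    """Extract `width` bits at IBM-numbered bit `start` (bit 0 = MSB)."""
    return (word >> (32 - start - width)) & ((1 << width) - 1)


@dataclass
class Trap:
    mnemonic: str
    to: int
    ra: int
    rb: Optional[int]          # set for tw
    simm: Optional[int]        # set for twi (sign-extended)
    conditions: Tuple[str, ...]


def decode_trap(word: int) -> Optional[Trap]:
    """Return the decoded trap, or None if `word` is not tw/twi."""
    opcd, to, ra = bits(word, 0, 6), bits(word, 6, 5), bits(word, 11, 5)
    if opcd == 31 and bits(word, 21, 10) == 4:          # tw: XO = 4
        rb, simm, base = bits(word, 16, 5), None, "tw"
    elif opcd == 3:                                      # twi
        simm = bits(word, 16, 16)
        rb, simm, base = None, simm - 0x10000 if simm & 0x8000 else simm, "twi"
    else:
        return None
    conds = tuple(n for i, n in enumerate(TO_FLAGS) if to & (1 << (4 - i)))
    # TO = 31 traps on every comparison outcome; gdb prints the tw form as "trap"
    mnemonic = "trap" if (to == 31 and base == "tw") else base
    return Trap(mnemonic, to, ra, rb, simm, conds)


def find_traps(text: bytes, base_addr: int = 0) -> List[Tuple[int, int, Trap]]:
    """Scan a big-endian code buffer and report every tw/twi that can fire."""
    hits = []
    for off in range(0, len(text) - 3, 4):
        word = int.from_bytes(text[off:off + 4], "big")
        t = decode_trap(word)
        if t is not None and t.to != 0:   # TO = 0 never traps (no-op encoding)
            hits.append((base_addr + off, word, t))
    return hits


# Constructed sample: trap, twi 31,r0,0, tw 0,r0,r0 (never fires), nop, blr
SAMPLE_TEXT = bytes.fromhex("7fe00008" "0fe00000" "7c000008" "60000000" "4e800020")
```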
The best guess is the "tw" or "twi" instruction.
You can dig into the PPC gdb source code; OS X probably uses the same mechanism as its FreeBSD roots.
The PowerPC architecture uses traps.
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.aixassem/doc/alangref/twi.htm
Execution breakpoints are usually implemented with a TRAP instruction or with the IABR.
Examples of implementations: ArchLinux, Apple's, the Wii and the Wii U.