how to single-step code on-target with no jtag, breakpoints, simulator, emulator


Problem description

Let's say you have a pointer to function whose source you do not have and which is "untrusted" because it might read/write to disallowed memory region.

Before it executes each assembly instruction, you want to verify that it doesn't access disallowed memory regions.

The OS is (almost) bare-metal i.e. a custom RTOS (so no Linux or QNX).

This is for a functionality that needs to be enabled not only during development but during normal runtime.

Ideally, it'd run something like this:

void someFunction(int);   // untrusted, don't have source
// _EN_INT() / _DIS_INT() are the hypothetical hooks this question asks about
void _EN_INT(void);
void _DIS_INT(void);

void run_untrusted(void)
{
    void (*fptr)(int);
    fptr = &someFunction;
    // enable interrupts for each assembly instruction
    _EN_INT();
    // call the function (the pointer type takes an int, so one is passed)
    fptr(0);
    // every time the PC increments, some other code runs which verifies that if any load/stores are executed, it doesn't access some disallowed memory range

    // disable interrupts for each assembly instruction
    _DIS_INT();
}

Question

Is it possible to call that function and pause execution after every assembly instruction?

Recommended answer

The OS is (almost) bare-metal i.e. a custom RTOS (so no Linux or QNX).

My answer assumes that you can modify the "OS" the way you need it...

Cortex MK20DX256VLH7

This seems to be a Cortex M4 CPU.

how to single-step code on-target with no jtag, breakpoints

From the doc, it doesn't say whether you NEED an external debugger to resume execution.

If the CPU is really stopped, you'll definitely need an external signal (e.g. from a debugger).

However most CPUs support software debugging. This means that an interrupt service routine is executed whenever a breakpoint is hit. To continue execution you simply return from the interrupt service routine.

I don't know about the Cortex M4 but for the Cortex M3 you'll have to set some special registers to enable that feature. Whenever a "BKPT" instruction is hit then interrupt #12 (*) is executed.

For code in RAM you simply write a BKPT instruction (0xBExx, e.g. 0xBEBE) to the address where you want to set your breakpoint. (Before writing you read out the value to be able to restore it later on).

For code in Flash the M3 has a "Flash patching unit" which allows you to specify up to three addresses which shall be read out as 0xBExx (0xBEBE ?) even if other data is stored there. This allows you to set up to 3 breakpoints in Flash.

Interesting for you: The register controlling the debug features in the M3 (named "DEMCR") also has a bit named "MON_STEP":

If you set this bit in interrupt handler #12 then exactly one instruction is executed after returning from the interrupt handler and interrupt #12 is triggered again. The use case for this feature is - of course - single-stepping code!

To stop single-stepping you'll have to clear the MON_STEP bit again...

Important 1:

I don't know if the MK20DX256VLH7 really has all these features. However because it is a Cortex M4 chip and the M4 should have nearly all features of the M3 these features should be present...

Important 2:

Implementing single-stepping and debugging is not done quickly. Assembly language knowledge will be very helpful and you'll need a lot of time...

From the doc, ...

You will not only need the documentation for the MK20DX256VLH7 from NXP but you'll also need the Cortex M4 documentation from ARM.

(*) Offset 4*12 in the vector table is meant here (which is named "IRQ(-4)" in some ARM documents); not IRQ12.
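The MON_STEP mechanism the answer describes, worked through as an added example (not code from the question or the answer): the DEMCR bits that start and stop stepping, plus the check a DebugMonitor handler (vector #12) could run on the instruction about to execute. The disallowed address window, the DEMCR model used when not built for ARM, and the assembly wrapper that hands the handler the stacked PC and r0-r7 are assumptions; only the 16-bit Thumb LDR/STR word-immediate encoding is decoded.

```c
#include <stdbool.h>
#include <stdint.h>

/* DEMCR is at 0xE000EDFC on every ARMv7-M core. Off-target (a host build)
 * it is modelled by a plain variable so the logic can be exercised. */
#if defined(__arm__) || defined(__thumb__)
static volatile uint32_t *const DEMCR = (volatile uint32_t *)0xE000EDFCu;
#else
static uint32_t demcr_model;
static volatile uint32_t *const DEMCR = &demcr_model;
#endif
#define DEMCR_MON_EN   (1u << 16)  /* route debug events to the DebugMonitor exception (vector #12) */
#define DEMCR_MON_STEP (1u << 18)  /* run exactly one instruction after exception return, then re-enter */

/* Window the untrusted function must not touch: constructed for this example, [lo, hi). */
static const uint32_t DISALLOWED_LO = 0x40000000u, DISALLOWED_HI = 0x40100000u;
static uint32_t violations;

uint32_t demcr_read(void) { return *DEMCR; }
uint32_t violation_count(void) { return violations; }

/* Plays the role of the question's _EN_INT(): every following instruction traps into vector #12. */
void step_begin(void) { violations = 0; *DEMCR |= DEMCR_MON_EN | DEMCR_MON_STEP; }
/* Plays the role of _DIS_INT(): MON_EN stays set so BKPT still traps, only stepping stops. */
void step_end(void) { *DEMCR &= ~DEMCR_MON_STEP; }

static bool addr_disallowed(uint32_t a) { return a >= DISALLOWED_LO && a < DISALLOWED_HI; }

/* Decodes one 16-bit Thumb instruction and reports whether it is an LDR/STR
 * (word, immediate offset, encoding T1: 0110 L imm5 Rn Rt) whose effective
 * address R[Rn] + imm5*4 falls inside the disallowed window. Register-offset,
 * byte/halfword, LDM/STM and 32-bit encodings are not decoded here. */
bool step_violates(uint16_t insn, const uint32_t lowregs[8]) {
    if ((insn & 0xF000u) != 0x6000u) return false;
    uint32_t imm5 = (insn >> 6) & 0x1Fu;
    uint32_t rn   = (insn >> 3) & 0x7u;
    return addr_disallowed(lowregs[rn] + imm5 * 4u);
}

/* Body of the DebugMonitor handler. An assembly wrapper (assumed, not shown)
 * fetches the halfword at the stacked PC and passes the caller's r0-r7: the
 * hardware frame only stacks r0-r3, r12, lr, pc and xPSR, so r4-r7 must be
 * captured before C code runs. Actually blocking the access means rewriting
 * the stacked PC in that wrapper; here the offender is only counted. */
void debugmon_step(uint16_t next_insn, const uint32_t lowregs[8]) {
    if (step_violates(next_insn, lowregs)) {
        violations++;
        step_end();  /* stop stepping; the RTOS decides what to do with the offender */
    }
    /* Returning with MON_STEP still set runs one instruction and re-enters here. */
}
```

The monitor exception is only taken while no halting debugger owns the core (DHCSR.C_DEBUGEN clear) and only for code running at a lower priority than the DebugMonitor exception, so its priority must sit above the untrusted task's.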
