Re: Breakpoint Implementation
- Subject: Re: Breakpoint Implementation
- From: Terry Lambert <email@hidden>
- Date: Wed, 6 Oct 2010 12:13:49 -0700
On Oct 4, 2010, at 1:20 AM, Dave Keck wrote:
> Hey list,
>
> I'm implementing breakpoint functionality in a hobby i386 debugger
> using the INT3 instruction. Let's say Thread 1 hits Breakpoint A:
>
> 1. Suspend every thread
> 2. Restore original instruction that was replaced by INT3
> 3. In Thread 1, EIP--, let Thread 1 single-step (using EFL_TF flag)
> 4. Revert instruction back to INT3
> 5. Resume every thread
>
> This technique appears to work as expected, but let's say:
>
> 1. Breakpoint A is at the very 'syscall' instruction within
> pthread_create() that causes Thread B to spawn
> 2. Thread B will hit Breakpoint A
>
> Due to the race between Thread B executing and step #4 completing,
> couldn't Thread B bypass Breakpoint A? Is there a way to fix this?
>
> Thanks very much!
>
> David
INT3 is problematic because it's used by dtrace. Since it's a single byte, rather than replacing an instruction and forcing emulation, which is what FBT does, SDT declares a label with a single byte NOP and replaces the NOP with the INT3.
The issue you are going to see is that it's not going to be possible to wire into the trap handler for the INT3 trap, without compiling your own kernel to implement the trap handler.
Alternately, you could use hardware breakpoints; see the gdb sources for details.
If you pursue instruction replacement, your instruction emulation is going to have to understand that the breakpoint is on a particular thread, which is NOT thread B, and fix up any traps you get on thread B to be as if they had never happened.
The typical way gdb deals with this is by being privileged due to code signing with regard to taskgated, such that taskgated permits it to do a task_for_pid() call on the process, get the task port, and handle the event as a Mach exception, rather than trying to handle it as a signal. This assumes it's either running under the same credential as the target process, or is running as a privileged user (e.g. via sudo).
-- Terry
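As an added illustration (not code from either poster), the following Python model plays out the interleaving Dave describes: Thread B reaching Breakpoint A between steps 3 and 4 of the restore/step/reinsert sequence, where it finds the original byte instead of INT3. It also models one way to close that window, stepping the displaced instruction from a debugger-owned scratch location so INT3 never leaves the breakpoint address; that approach is my assumption rather than something proposed in the thread, it requires the displaced instruction to be position-independent (a syscall qualifies), and the addresses and bytes are constructed.

```python
INT3, NOP = 0xCC, 0x90     # constructed: the byte under the breakpoint is a NOP
BP = 0x1000                # constructed address of Breakpoint A
SCRATCH = 0x2000           # debugger-owned scratch byte for out-of-line stepping

class Target:
    """Debuggee text plus a count of the INT3 traps the debugger has received."""
    def __init__(self):
        self.text = {BP: NOP, SCRATCH: 0x00}
        self.traps = 0

    def execute(self, eip):
        """Model the CPU executing the byte at eip: INT3 traps, anything else just runs."""
        if self.text[eip] == INT3:
            self.traps += 1   # debugger sees SIGTRAP / EXC_BREAKPOINT for this thread
        return eip + 1        # either way EIP ends up just past the one-byte opcode

def thread_b_passes(t):
    """Thread B reaches BP right now; True if it ran through without trapping."""
    before = t.traps
    t.execute(BP)
    return t.traps == before

def step_over_by_restore(t):
    """Steps 2-4 from the post, with thread B scheduled between steps 3 and 4."""
    t.text[BP] = NOP            # step 2: INT3 removed for every thread, not just thread 1
    t.execute(BP)               # step 3: thread 1 single-steps the original (spawns B)
    missed = thread_b_passes(t) # race: B reads the restored byte, no trap is delivered
    t.text[BP] = INT3           # step 4: the window only closes here
    return missed

def step_over_out_of_line(t):
    """INT3 stays in place; the saved byte is single-stepped from a scratch location."""
    t.text[SCRATCH] = NOP       # copy of the displaced instruction (assumed position-independent)
    t.execute(SCRATCH)          # thread 1 steps the copy; debugger then sets EIP = BP + 1
    missed = thread_b_passes(t) # B still finds INT3 at BP and traps as expected
    return missed

def demo():
    """Returns (missed_with_restore, missed_out_of_line) for the same interleaving."""
    a, b = Target(), Target()
    a.text[BP] = b.text[BP] = INT3          # installing Breakpoint A in both targets
    return step_over_by_restore(a), step_over_out_of_line(b)

if __name__ == "__main__":
    print(demo())   # (True, False)
```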