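ARM Learning (22): Understanding Breakpoints and Breakpoint Debugging

In this post I talk about breakpoints and how to debug with them.

1. How breakpoints work

Breakpoints are generally implemented in one of two ways: by inserting a breakpoint instruction, or by using the hardware debug registers.

  • The former: if the program runs from RAM (SRAM, DDR), the debugger can insert a breakpoint instruction directly at the breakpoint address, for example BKPT (ARM) or HLT (x86). The program then halts there, and operations such as single-stepping can follow.
  • The latter: if the program runs from ROM/Flash, the debugger cannot rewrite the ROM or Flash contents, so it has to rely on register features provided by the hardware.

On Cortex-M3/M4, breakpoints are set with the address comparators in the Flash Patch and Breakpoint unit (FPB). Several debug registers also assist debugging, for example for halting the core, reading register data, and transferring data. One debug control register, for example, provides: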

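  • Halting the core
  • Single-stepping the processor
  • Masking interrupts while single-stepping
  • Reading and writing status, and so on
  • ...

The main debug access architecture (CoreSight) is as follows, taking the Cortex-M3 as an example:

  • DP (Debug Port): called SW-DP under SWD and JTAG-DP under JTAG. It converts the debug protocol into the internal debug bus protocol (a 32-bit bus protocol very similar to the Advanced Peripheral Bus, APB, in the AMBA 3.0 specification).
  • AP (Access Port): the AHB-AP module converts the internal debug bus protocol into AHB (Advanced High-performance Bus) accesses, which gives access to all memory, peripherals, and the processor's internal registers.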

Next, let's look at the DP and AP ports found by the scan when connecting over SWD and over JTAG.

DP and AP scan when connecting over SWD:

 - Found SW-DP with ID 0x1BA01477
 - DPIDR: 0x1BA01477
 - Scanning AP map to find all available APs
 - AP[1]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x14770011)
 - Iterating through AP map to find AHB-AP to use
 - AP[0]: Core found
 - AP[0]: AHB-AP ROM base: 0xE00FF000
 - CPUID register: 0x411FC231. Implementer code: 0x41 (ARM)
 - Found Cortex-M3 r1p1, Little endian.

DP and AP scan when connecting over JTAG. JTAG supports daisy chaining, where several debug targets are connected in series.

 - TotalIRLen = 9, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x3BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x06414041, IRLen: 05, STM32 Boundary Scan
 - DPv0 detected
 - Scanning AP map to find all available APs
 - AP[1]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x14770011)
 - Iterating through AP map to find AHB-AP to use
 - AP[0]: Core found
 - AP[0]: AHB-AP ROM base: 0xE00FF000
 - CPUID register: 0x411FC231. Implementer code: 0x41 (ARM)
 - Found Cortex-M3 r1p1, Little endian.
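The ID values in the two scans above can be decoded by hand. The following is an added example, not code from the original post or from the probe vendor: it splits the CPUID, JTAG IDCODE and SW-DP DPIDR values from the logs into their fields. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { unsigned implementer, variant, partno, revision; } cpuid_fields;
typedef struct { unsigned version, part, jep_cont, jep_id; } idcode_fields;
typedef struct { unsigned revision, partno, version, jep_cont, jep_id; } dpidr_fields;

/* CPUID: IMPLEMENTER [31:24], VARIANT [23:20], PARTNO [15:4], REVISION [3:0].
 * A core revision rNpM is reported as VARIANT = N, REVISION = M. */
cpuid_fields decode_cpuid(uint32_t v) {
    cpuid_fields c = { v >> 24, (v >> 20) & 0xFu, (v >> 4) & 0xFFFu, v & 0xFu };
    return c;
}

/* JTAG IDCODE: VERSION [31:28], PART [27:12], MANUFACTURER [11:1], bit 0 = 1.
 * MANUFACTURER is a JEP106 code: continuation count [11:8], identity [7:1]. */
idcode_fields decode_idcode(uint32_t v) {
    idcode_fields d = { v >> 28, (v >> 12) & 0xFFFFu,
                        (v >> 8) & 0xFu, (v >> 1) & 0x7Fu };
    return d;
}

/* ADIv5 DPIDR: REVISION [31:28], PARTNO [27:20], VERSION [15:12],
 * DESIGNER [11:1] in the same JEP106 layout as above. */
dpidr_fields decode_dpidr(uint32_t v) {
    dpidr_fields d = { v >> 28, (v >> 20) & 0xFFu, (v >> 12) & 0xFu,
                       (v >> 8) & 0xFu, (v >> 1) & 0x7Fu };
    return d;
}

int main(void) {
    cpuid_fields c = decode_cpuid(0x411FC231u);   /* CPUID from the logs */
    idcode_fields j = decode_idcode(0x3BA00477u); /* JTAG chain device #0 */
    idcode_fields b = decode_idcode(0x06414041u); /* JTAG chain device #1 */
    dpidr_fields s = decode_dpidr(0x1BA01477u);   /* SW-DP ID */
    printf("core: implementer 0x%02X, part 0x%03X, r%up%u\n",
           c.implementer, c.partno, c.variant, c.revision);
    printf("JTAG #0: part 0x%04X, JEP106 cont %u id 0x%02X\n",
           j.part, j.jep_cont, j.jep_id);
    printf("JTAG #1: part 0x%04X, JEP106 cont %u id 0x%02X\n",
           b.part, b.jep_cont, b.jep_id);
    printf("SW-DP: DP version %u, JEP106 cont %u id 0x%02X\n",
           s.version, s.jep_cont, s.jep_id);
    return 0;
}
```

The CPUID decode gives implementer 0x41, part 0xC23 and r1p1, which matches the "Found Cortex-M3 r1p1" line; both debug ports carry the same designer code, while the boundary-scan device carries a different one.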

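2. Breakpoint types

2.1 Classification by implementation

  • Hardware breakpoints

    • Tied to the chip architecture and core; the debugger has to program the corresponding breakpoint registers
    • Usable in Flash, ROM, and RAM regions
    • Limited in number

      Many Cortex-M3/M4 chips, such as the STM32F1 and F4, execute code from Flash, so only on-chip breakpoints can be set. There are only 6 of them, and setting more produces an error.

  • Software breakpoints

    • The debugger inserts a breakpoint instruction at the breakpoint address
    • Usable in RAM regions (RAM, TCM, and DDR)
    • Unlimited in number
  • ETM breakpoints

    • Specific to some ARM chips; the Cortex-M series does not have them
    • Implemented by programming the ARM CoreSight ETM registers
    • Limited in number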
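The following added example (not code from the original post or from any debugger) models the choice a debugger makes between the two mechanisms: a software breakpoint patches a Thumb BKPT opcode into RAM, while a Flash address consumes one of the FPB instruction comparators and is rejected once all of them are used. It assumes the Cortex-M3/M4 FPB register layout; the type and function names, the FP_CTRL value and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CODE_REGION_END 0x20000000u /* FPB comparators match 0x0..0x1FFFFFFF */
#define THUMB_BKPT      0xBE00u     /* Thumb encoding of BKPT #0 */
#define MAX_SLOTS       8u

typedef enum { BP_HARDWARE, BP_SOFTWARE, BP_REJECTED } bp_result;
typedef struct {
    uint32_t comp[MAX_SLOTS]; /* modelled FP_COMPn registers */
    unsigned num_code;        /* instruction comparators available */
    unsigned used;
} fpb_model;

/* FP_CTRL: NUM_CODE in bits [7:4] (NUM_LIT, unused here, in bits [11:8]). */
void fpb_init(fpb_model *f, uint32_t fp_ctrl) {
    unsigned n = (fp_ctrl >> 4) & 0xFu;
    f->num_code = n > MAX_SLOTS ? MAX_SLOTS : n;
    f->used = 0;
}

/* FP_COMPn: REPLACE [31:30] selects the halfword, COMP [28:2], ENABLE bit 0. */
uint32_t fpb_comp_value(uint32_t addr) {
    uint32_t replace = (addr & 2u) ? 2u : 1u; /* 10b upper, 01b lower */
    return (replace << 30) | (addr & 0x1FFFFFFCu) | 1u;
}

/* ram_insn points at the instruction halfword when addr is in writable RAM
 * and is NULL for Flash/ROM; *saved receives the opcode that was replaced. */
bp_result place_breakpoint(fpb_model *f, uint32_t addr,
                           uint16_t *ram_insn, uint16_t *saved) {
    if (ram_insn != NULL) {          /* software breakpoint: patch the code */
        *saved = *ram_insn;
        *ram_insn = THUMB_BKPT;
        return BP_SOFTWARE;
    }
    if (addr >= CODE_REGION_END || f->used >= f->num_code)
        return BP_REJECTED;          /* outside code region or no free slot */
    f->comp[f->used++] = fpb_comp_value(addr);
    return BP_HARDWARE;
}

int main(void) {
    fpb_model f;
    fpb_init(&f, 0x260u);            /* constructed FP_CTRL: 6 code, 2 literal */
    for (unsigned i = 0; i < 7; i++) /* constructed Flash addresses */
        printf("bp %u -> %d\n", i,
               place_breakpoint(&f, 0x08000100u + 4u * i, NULL, NULL));
    return 0;
}
```

With six comparators, the seventh Flash breakpoint is rejected, while a breakpoint in RAM still succeeds because it needs no comparator.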

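2.2 Classification by usage scenario

  • Program breakpoints

    • The CPU stops when the program reaches the specified location
    • Can be software or hardware breakpoints
  • Read/write breakpoints

    • Hardware breakpoints only
    • The CPU stops when the specified memory location or variable is read or written
  • Data breakpoints

    • Hardware breakpoints only
    • The CPU stops when a specified value is read from or written to the specified memory location or variable
    • Similar to read/write breakpoints, but with a more detailed condition
  • Advanced breakpoints

    • Hardware breakpoints only
    • Add more detailed conditions and stop only once they are met, for example stopping after 10 reads, or stopping when a variable's value is greater than some value.

2.3 Classification by effect on the CPU

  • Intrusive breakpoints

    • Affect CPU execution: the CPU is stopped repeatedly so that the value or condition can be evaluated
  • Non-intrusive breakpoints

    • Do not affect CPU execution

3. Debugging with breakpoints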

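  • Method 1: double-click a line of the program to set a breakpoint on that line

  • Method 2: set a breakpoint using a symbol

  • Method 3: set it through the window:

  • Command line: b.set addr/addr-range/name /options, which takes an address, an address range, or a symbol name, followed by options

    • b.set 0x1000005FC sets a breakpoint at address 0x1000005FC
    • b.set mstatic1 /readwrite stops execution when the variable mstatic1 is read or written
    • b.set mstatic1 /write /DATA.Long 0xC stops execution when 0xC is written to the variable mstatic1
    • b.set mstatic1 /Write /COUNT 10 stops execution after the variable mstatic1 has been written 10 times
    • b.set mstatic1 /Write /VarCONDition mstatic1>0xC stops execution when the variable mstatic1 is greater than 0xC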
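To make the difference between these options concrete, here is an added example (not from the original post and not TRACE32 code): a simplified model that replays a constructed list of memory accesses and reports at which access each kind of breakpoint would stop the CPU. The address of mstatic1, the trace, and all type and function names are assumptions made for illustration, and the variable condition is checked against the value carried by the access.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MSTATIC1 0x20000010u           /* constructed address of mstatic1 */
enum { ACC_READ = 1, ACC_WRITE = 2 };
typedef struct { unsigned type; uint32_t addr, value; } mem_access;

typedef struct {
    uint32_t addr;                     /* watched variable */
    unsigned types;                    /* ACC_READ | ACC_WRITE mask */
    bool has_data; uint32_t data;      /* /DATA.Long: value must equal data */
    unsigned count;                    /* /COUNT n: halt on n-th hit (0 = first) */
    bool has_gt;   uint32_t gt;        /* /VarCONDition: value must exceed gt */
} bp_spec;

/* Constructed access trace: index 1 reads mstatic1, 2..5 write it. */
const mem_access TRACE[] = {
    { ACC_WRITE, 0x20000020u, 0x5 }, { ACC_READ,  MSTATIC1, 0x0 },
    { ACC_WRITE, MSTATIC1, 0x3 },    { ACC_WRITE, MSTATIC1, 0xC },
    { ACC_WRITE, MSTATIC1, 0xD },    { ACC_WRITE, MSTATIC1, 0x1 },
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Index of the access at which the CPU halts, or -1 if it never does. */
int first_halt(const bp_spec *bp, const mem_access *t, size_t n) {
    unsigned hits = 0, need = bp->count ? bp->count : 1;
    for (size_t i = 0; i < n; i++) {
        if (t[i].addr != bp->addr || !(t[i].type & bp->types)) continue;
        if (bp->has_data && t[i].value != bp->data) continue;
        if (bp->has_gt && t[i].value <= bp->gt) continue;
        if (++hits >= need) return (int)i;
    }
    return -1;
}

int main(void) {
    bp_spec rw   = { MSTATIC1, ACC_READ | ACC_WRITE, false, 0, 0, false, 0 };
    bp_spec data = { MSTATIC1, ACC_WRITE, true, 0xC, 0, false, 0 };
    printf("readwrite halts at %d, data halts at %d\n",
           first_halt(&rw, TRACE, TRACE_LEN),
           first_halt(&data, TRACE, TRACE_LEN));
    return 0;
}
```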

4. References and appendix

Trace32 official documentation: 5 断点.pdf (Breakpoints)
Full log printed for the SWD connection:

Connecting ...
 - Connecting via USB to probe/ programmer device 0
 - Probe/ Programmer firmware: J-Link V9 compiled May  7 2021 16:26:12
 - Device "STM32F105RC" selected.
 - Target interface speed: 4000 kHz (Fixed)
 - VTarget = 3.372V
 - InitTarget() start
 - InitTarget() end
 - Found SW-DP with ID 0x1BA01477
 - DPIDR: 0x1BA01477
 - Scanning AP map to find all available APs
 - AP[1]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x14770011)
 - Iterating through AP map to find AHB-AP to use
 - AP[0]: Core found
 - AP[0]: AHB-AP ROM base: 0xE00FF000
 - CPUID register: 0x411FC231. Implementer code: 0x41 (ARM)
 - Found Cortex-M3 r1p1, Little endian.
 - FPUnit: 6 code (BP) slots and 2 literal slots
 - CoreSight components:
 - ROMTbl[0] @ E00FF000
 - ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 001BB000 SCS
 - ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 001BB002 DWT
 - ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 000BB003 FPB
 - ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 001BB001 ITM
 - ROMTbl[0][4]: E0040000, CID: B105900D, PID: 001BB923 TPIU-Lite
 - ROMTbl[0][5]: E0041000, CID: B105900D, PID: 101BB924 ETM-M3
 - Executing init sequence ...
  - Initialized successfully
 - Target interface speed: 4000 kHz (Fixed)
 - Found 1 JTAG device. Core ID: 0x1BA01477 (None)
 - Connected successfully

Full log printed for the JTAG connection:

Connecting ...
 - Connecting via USB to probe/ programmer device 0
 - Probe/ Programmer firmware: J-Link ARM V8 compiled Nov 28 2014 13:44:46
 - Device "STM32F103RC" selected.
 - Target interface speed: 4000 kHz (Fixed)
 - VTarget = 3.338V
 - InitTarget() start
 - TotalIRLen = 9, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x3BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x06414041, IRLen: 05, STM32 Boundary Scan
 - InitTarget() end
 - TotalIRLen = 9, IRPrint = 0x0011
 - JTAG chain detection found 2 devices:
 -  #0 Id: 0x3BA00477, IRLen: 04, CoreSight JTAG-DP
 -  #1 Id: 0x06414041, IRLen: 05, STM32 Boundary Scan
 - DPv0 detected
 - Scanning AP map to find all available APs
 - AP[1]: Stopped AP scan as end of AP map has been reached
 - AP[0]: AHB-AP (IDR: 0x14770011)
 - Iterating through AP map to find AHB-AP to use
 - AP[0]: Core found
 - AP[0]: AHB-AP ROM base: 0xE00FF000
 - CPUID register: 0x411FC231. Implementer code: 0x41 (ARM)
 - Found Cortex-M3 r1p1, Little endian.
 - FPUnit: 6 code (BP) slots and 2 literal slots
 - CoreSight components:
 - ROMTbl[0] @ E00FF000
 - ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 001BB000 SCS
 - ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 001BB002 DWT
 - ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 000BB003 FPB
 - ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 001BB001 ITM
 - ROMTbl[0][4]: E0040000, CID: B105900D, PID: 001BB923 TPIU-Lite
 - ROMTbl[0][5]: E0041000, CID: B105900D, PID: 101BB924 ETM-M3
 - Executing init sequence ...
  - Initialized successfully
 - Target interface speed: 4000 kHz (Fixed)
 - Found 2 JTAG devices. Core ID: 0x3BA00477 (None)
 - Connected successfully

Copyright notice:
Author: ZhangYixi
Link: http://zyixi.xyz/arm%e5%ad%a6%e4%b9%a0%ef%bc%8822%ef%bc%89%e6%96%ad%e7%82%b9%e8%ae%a4%e8%af%86%e4%bb%a5%e5%8f%8a%e8%b0%83%e8%af%95/
Source: 一西站点
Copyright of this article belongs to the author. Do not reproduce without permission.
