
Bug in the debugger

It seems like Dan's Report-an-Apple-Bug Friday and Mike's del.icio.us tag idea have really been catching on. However, most of it seems to be bitching and moaning about iTunes and the Finder. Let's try to find the coolest and weirdest bugs instead. That would improve things. (Yes, this isn't Friday. Too bad.)

This is one of my oldest and best. Some may remember Microsoft's cross-compiler for the Mac. It generated weird code, basically mimicking the x86's register-starved architecture on the PPC. The code it generated was sometimes flat-out broken and in general was just awful. When I started working at Baseview, I had to track down a crash in FoxPro. The crash was due to the brokenness of the generated code. But before I could figure that out, I needed to get MacsBug to work with the code. MacsBug was an incredibly stable debugger. But point it at Microsoft's cross-compiled code and sometimes it just couldn't take it.

Radar #2391373: MacsBug 6.5.4a7c1 crashes app while tracing over branch
Created: 27-Sep-1999 04:36 PM
Closed: Finally sometime in 2004
Fixed: No. (I'm not complaining.)

-- Steps to Reproduce:

Run Microsoft FoxPro 2.6. Examine WDEF 128. It is a stub jump to a routine descriptor to a routine in the heap. Place a breakpoint on the first instruction of the routine in the heap (PPC), and run.

When the WDEF is called and you hit the breakpoint, attempt to trace over the bl $+0x001C instruction 16 instructions from the start of the routine. MacsBug will then send the pc off into never-never land.

-- Expected Results:

I am not sure what to expect. The bl branches to code that modifies the LR and then returns. I'd imagine that MacsBug should, when tracing over the bl, return to one of the branch instructions following it (see the MacsBug log below for details). The one thing it shouldn't do is crash the app.

-- Actual Results:

MacsBug log follows:

// [Avi] This is the routine that I'm attempting to trace:

Disassembling PowerPC code from 0338A5C8 No procedure name
0338A5C8 ? extsh      r3,r3                                   | 7C630734
0338A5CC   ori        r3,r4,0x0000                            | 60830000
0338A5D0   extsh      r4,r5                                   | 7CA40734
0338A5D4   ori        r5,r4,0x0000                            | 60850000
0338A5D8   ori        r10,r5,0x0000                           | 60AA0000
0338A5DC   addi       r10,r10,0x0000                          | 394A0000
0338A5E0   cmplwi     cr2,r10,0x0006                          | 290A0006
0338A5E4   mflr       r12                        ; LR = 0x0008 | 7D8802A6
0338A5E8   ori        r9,r6,0x0000                            | 60C90000
0338A5EC   stwu       SP,-0x003C(SP)                          | 9421FFC4
0338A5F0   stw        r12,0x0044(SP)                          | 91810044
0338A5F4   stw        r31,0x0038(SP)                          | 93E10038
0338A5F8   li         r31,0x0000                              | 3BE00000
0338A5FC   bge        cr2,$+0x0098               ; 0x0338A694 | 40880098
0338A600   slwi       r10,r10,0x02                            | 554A103A
0338A604   bl         $+0x001C                   ; 0x0338A620 | 4800001D
0338A608   b          $+0x0028                   ; 0x0338A630 | 48000028
0338A60C   b          $+0x0040                   ; 0x0338A64C | 48000040
0338A610   b          $+0x0058                   ; 0x0338A668 | 48000058
0338A614   b          $+0x005C                   ; 0x0338A670 | 4800005C
0338A618   b          $+0x0060                   ; 0x0338A678 | 48000060
0338A61C   b          $+0x0064                   ; 0x0338A680 | 48000064
0338A620   mflr       r0                         ; LR = 0x0008 | 7C0802A6
0338A624   add        r0,r0,r10                               | 7C005214
0338A628   mtlr       r0                         ; LR = 0x0008 | 7C0803A6
0338A62C   blr                                                | 4E800020
0338A630   lbz        r5,0x006E(r3)                           | 88A3006E
0338A634   cmplwi     cr2,r5,0x0000                           | 29050000
0338A638   beq        cr2,$+0x005C               ; 0x0338A694 | 418A005C
0338A63C   extsh      r5,r9                                   | 7D250734
0338A640   andi.      r5,r5,0xFFFF                            | 70A5FFFF
0338A644   bl         $-0x0F40                   ; 0x03389704 | 4BFFF0C1
0338A648   b          $+0x004C                   ; 0x0338A694 | 4800004C
0338A64C   lbz        r5,0x006E(r3)                           | 88A3006E
0338A650   cmplwi     cr2,r5,0x0000                           | 29050000
0338A654   beq        cr2,$+0x0040               ; 0x0338A694 | 418A0040
0338A658   ori        r5,r9,0x0000                            | 61250000
0338A65C   bl         $-0x064C                   ; 0x0338A010 | 4BFFF9B5
0338A660   ori        r31,r3,0x0000                           | 607F0000
0338A664   b          $+0x0030                   ; 0x0338A694 | 48000030
0338A668   bl         $-0x0820                   ; 0x03389E48 | 4BFFF7E1
PowerPC breakpoint at 0338A5C8

// [Avi] When we hit the breakpoint, our registers look like:

PowerPC 604e Registers
CR0  CR1  CR2  CR3  CR4  CR5  CR6  CR7
PC  = 0338A5C8     CR  0010 1000 0000 0000 0000 1000 0000 0100
LR  = 001A0920         <>=O XEVO
CTR = 0338A5C8
MSR = 00000000         SOC Compare Count
Int = 0            XER 000   00     00                     MQ  = 42800828

R0  = 0338A5C8     R8  = 0400A5BC      R16 = 035BFACC      R24 = 00000000
SP  = 0400A500     R9  = 6806DC64      R17 = 035DE270      R25 = 0400A5BC
TOC = 035C0F58     R10 = 00000006      R18 = 035B4188      R26 = 00003BB0
R3  = 00000000     R11 = 0019FDF4      R19 = 035B40B0      R27 = 00000000
R4  = 035E4F40     R12 = 035C5830      R20 = 035B4650      R28 = 0400A598
R5  = 00000001     R13 = 0400AC4C      R21 = 035DD6D4      R29 = 035E4ABC
R6  = 00730283     R14 = 035BF980      R22 = 00000000      R30 = 035E4AB0
R7  = 04000E10     R15 = 035BF984      R23 = 00000004      R31 = 68FFF740

// [Avi] ...and this is my attempt to trace over the code:

Step (over)
No procedure name
0338A5C8 ? extsh      r3,r3                                   | 7C630734
0338A5CC   ori        r3,r4,0x0000                            | 60830000
0338A5D0   extsh      r4,r5                                   | 7CA40734
0338A5D4   ori        r5,r4,0x0000                            | 60850000
0338A5D8   ori        r10,r5,0x0000                           | 60AA0000
0338A5DC   addi       r10,r10,0x0000                          | 394A0000
0338A5E0   cmplwi     cr2,r10,0x0006                          | 290A0006
0338A5E4   mflr       r12                        ; LR = 0x0008 | 7D8802A6
0338A5E8   ori        r9,r6,0x0000                            | 60C90000
0338A5EC   stwu       SP,-0x003C(SP)                          | 9421FFC4
0338A5F0   stw        r12,0x0044(SP)                          | 91810044
0338A5F4   stw        r31,0x0038(SP)                          | 93E10038
0338A5F8   li         r31,0x0000                              | 3BE00000
0338A5FC   bge        cr2,$+0x0098               ; 0x0338A694 | 40880098
0338A600   slwi       r10,r10,0x02                            | 554A103A

PowerPC illegal instruction at 05EAD33C
Closing log

-- Workaround:

Because the “subroutine” is only there to perform a switch statement, stepping into it rather than over it is an option. However, tracing over code is very useful for getting an overview of it, and having a land mine waiting to be triggered if accidentally stepped on is not good.
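To make the construct concrete, here is a toy model of the dispatch sequence from the log above (the slwi at 0338A600, the bl at 0338A604 into the mflr/add/mtlr/blr helper at 0338A620, and the table of b instructions in between), together with two ways a debugger might implement "trace over" on that bl. This is an added illustration, not code from the post and not MacsBug's actual implementation; the naive pc+4 breakpoint strategy is an assumption about one plausible debugger design, the six case bodies are replaced by a constructed "case" pseudo-instruction, and the initial LR value is taken from the register dump.

```python
# Added illustration (not from the post, not MacsBug's code): a toy model of the
# bl/mflr/add/mtlr/blr "switch" from the log, and two "trace over" strategies.
from dataclasses import dataclass, field

# Constructed program. Addresses and mnemonics follow the MacsBug disassembly
# from 0x0338A600; the case bodies are replaced by a "case" pseudo-instruction
# that halts the simulation, since only the dispatch matters here.
CODE = {
    0x0338A600: ("slwi", "r10", 2),           # r10 = index * 4
    0x0338A604: ("bl", 0x0338A620),           # LR = 0x0338A608, jump to helper
    0x0338A608: ("b", 0x0338A630),            # case 0 trampoline (the bl's pc+4)
    0x0338A60C: ("b", 0x0338A64C),            # case 1
    0x0338A610: ("b", 0x0338A668),            # case 2
    0x0338A614: ("b", 0x0338A670),            # case 3
    0x0338A618: ("b", 0x0338A678),            # case 4
    0x0338A61C: ("b", 0x0338A680),            # case 5
    0x0338A620: ("mflr", "r0"),               # r0 = LR = address of case 0 trampoline
    0x0338A624: ("add", "r0", "r0", "r10"),   # r0 += index * 4
    0x0338A628: ("mtlr", "r0"),               # LR = selected trampoline
    0x0338A62C: ("blr",),                     # "return" into the table
    0x0338A630: ("case", 0),                  # constructed stand-ins for the bodies
    0x0338A64C: ("case", 1),
    0x0338A668: ("case", 2),
    0x0338A670: ("case", 3),
    0x0338A678: ("case", 4),
    0x0338A680: ("case", 5),
}


@dataclass
class CPU:
    pc: int = 0x0338A600
    lr: int = 0x001A0920          # caller's return address, as in the register dump
    regs: dict = field(default_factory=dict)
    halted: bool = False

    def step(self):
        """Execute one instruction of the toy subset."""
        op, *args = CODE[self.pc]
        nxt = self.pc + 4
        if op == "slwi":
            self.regs[args[0]] = (self.regs[args[0]] << args[1]) & 0xFFFFFFFF
        elif op == "bl":
            self.lr, nxt = nxt, args[0]        # save return address, branch
        elif op == "b":
            nxt = args[0]
        elif op == "mflr":
            self.regs[args[0]] = self.lr
        elif op == "add":
            self.regs[args[0]] = (self.regs[args[1]] + self.regs[args[2]]) & 0xFFFFFFFF
        elif op == "mtlr":
            self.lr = self.regs[args[0]]
        elif op == "blr":
            nxt = self.lr
        elif op == "case":
            self.halted = True                 # reached a case body; stop simulating
            return
        self.pc = nxt


def trace_over_naive(cpu, max_steps=64):
    """Assumed strategy: plant a temporary breakpoint at the bl's pc+4 and run
    until it is hit. Returns (hit, pc). If the callee never "returns" to pc+4,
    the debugger runs free and control is lost."""
    assert CODE[cpu.pc][0] == "bl"
    temp_bp = cpu.pc + 4
    cpu.step()
    for _ in range(max_steps):
        if cpu.pc == temp_bp:
            return True, cpu.pc
        if cpu.halted or cpu.pc not in CODE:
            return False, cpu.pc               # breakpoint never reached
        cpu.step()
    return False, cpu.pc


def trace_over_by_depth(cpu, max_steps=64):
    """Alternative strategy: single-step and count bl/blr nesting, stopping at
    whatever address the matching blr actually lands on. Returns (hit, pc)."""
    assert CODE[cpu.pc][0] == "bl"
    depth = 0
    for _ in range(max_steps):
        op = CODE[cpu.pc][0]
        cpu.step()
        if op == "bl":
            depth += 1
        elif op == "blr":
            depth -= 1
            if depth == 0:
                return True, cpu.pc
        if cpu.halted or cpu.pc not in CODE:
            return False, cpu.pc
    return False, cpu.pc


def run(index, strategy):
    """Dispatch on case `index` (0..5, the range the cmplwi/bge guard in the
    log allows) using the given trace-over strategy; returns (hit, pc)."""
    assert 0 <= index < 6
    cpu = CPU(regs={"r0": 0, "r10": index})
    cpu.step()                                 # slwi at 0x0338A600
    return strategy(cpu)


if __name__ == "__main__":
    for idx in (0, 2):
        for strat in (trace_over_naive, trace_over_by_depth):
            hit, pc = run(idx, strat)
            print(f"index={idx} {strat.__name__:<20} hit={hit} pc=0x{pc:08X}")
```

With case index 0 the helper returns to 0338A608, which is the bl's pc+4, so both strategies stop there. With any other index the blr lands on one of the later b instructions and execution never passes through pc+4; the naive strategy runs until the simulation leaves the modelled code, which is the toy-model analogue of the pc going off into never-never land, while the depth-counting strategy stops on the trampoline the author expected (0338A610 for index 2).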

-- Isolation:

Problem exists on MacOS 8.5.1, 8.6a5 (don't ask, it's not _my_ machine), 9.0f2 and 9.0f3 when running MacsBug 6.5.4a7c1. Observed on PowerTower Pro 225, WallStreet PowerBook G3, PowerMac 9500, PowerMac G3 (beige) and PowerMac G3 (B&W).


Comments

6.5.4a7c1 is an old version. Please regress with 6.6.6d1. :-)
