How do I set a software breakpoint on an ARM processor?

Question

How do I do the equivalent of an x86 software interrupt:

asm( "int $3" )

on an ARM processor (specifically a Cortex A8) to generate an event that will break execution under gdb?

Using the BKPT instruction generates a SIGBUS that seems to mess up the program counter. — engie, Jul 05 '12 at 13:30
use the swi instruction, I believe svc is another name for that instruction depending on which flavor of arm. — old_timer, Jul 05 '12 at 13:49
The SWI instruction is OS/debugger dependent. The Angel debugger defines code 0x18 as ReportException, and subcode 0x20020 as breakpoint. It's not portable. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0058d/BACBEFAA.html — Mark Lakata, Jun 26 '13 at 21:48
See this posted answer which provides a list of alternatives for both ARM and Intel processors, https://stackoverflow.com/a/49079078/1466970 . — Richard Chambers, Apr 07 '23 at 01:43

score 27 · Answer 1 · answered Mar 13 '14 at 23:23

27

Using arm-none-eabi-gdb.exe cross compiler, this works great for me (thanks to Igor's answer):

__asm__("BKPT");

answered Mar 13 '14 at 23:23

benathon

7,455
2
41
70

score 21 · Answer 2 · answered Jul 05 '12 at 13:55

21

ARM does not define a specific breakpoint instruction. It can be different in different OSes. On ARM Linux it's usually an UND opcode (e.g. FE DE FF E7) in ARM mode and BKPT (BE BE) in Thumb.

With GCC compilers, you can usually use __builtin_trap() intrinsic to generate a platform-specific breakpoint. Another option is raise(SIGTRAP).

answered Jul 05 '12 at 13:55

Igor Skochinsky

24,629
2
72
109

4

**GCC/clang assume that code after `__builtin_trap()` is unreachable, even at `-O0`**. On https://godbolt.org/z/RNc7kY, we can see that for ARM, there's nothing after `.inst 0xe7f000f0`, not even a `bx lr` at the end of a function. And on x86, it compiles to `ud2` (illegal instruction), again leaving out code to implement later C statements. Even at `-O0`, ARM gcc8.2 still leaves out function epilogues, although there is code for a later C statement. But that makes it unusable. – Peter Cordes Mar 05 '19 at 10:01
@PeterCordes: I'd suggest putting it under a run-time condition then. – Igor Skochinsky Mar 06 '19 at 15:18
@yfr24493AzzrggAcom you can ask a new question about it – Igor Skochinsky May 08 '20 at 13:51
Hi friend I already did that but didn't get a good answer https://stackoverflow.com/questions/61649711/how-to-put-breakpoint-with-ptrace-by-address – yfr24493AzzrggAcom May 08 '20 at 14:10

score 8 · Answer 3 · answered Jul 07 '15 at 10:28

8

I have a simple library (scottt/debugbreak) just for this:

#include <debugbreak.h>
...
debug_break();

Just copy the single debugbreak.h header into your code and it'll correctly handle ARM, AArch64, i386, x86-64 and even MSVC.

answered Jul 07 '15 at 10:28

scottt

7,008
27
37

score 6 · Answer 4 · answered Jul 29 '15 at 08:27

6

__asm__ __volatile__ ("bkpt #0");

See BKPT man entry.

answered Jul 29 '15 at 08:27

Benny

4,095
1
26
27

1

You don't need `volatile` if your assembly doesn't take args. – L29Ah Feb 07 '19 at 17:36
2

@L29Ah: Without `volatile`, the compiler reordered the location of my breakpoint. That's bad... – Ben Voigt Aug 29 '23 at 20:01

score 3 · Answer 5 · answered Sep 23 '14 at 08:36

3

For Windows on ARM, the instrinsic __debugbreak() still works which utilizes undefined opcode.

nt!DbgBreakPointWithStatus:
defe     __debugbreak

answered Sep 23 '14 at 08:36

Thomson

20,586
28
90
134

Looks like `__debugbreak()` is an intrinsic available for "x86, x64, ARM, ARM64" and whose use requires the `intrin.h` include file., [topic __debugbreak in Microsoft Learn](https://learn.microsoft.com/en-us/cpp/intrinsics/debugbreak?view=msvc-170). – Richard Chambers Apr 07 '23 at 02:33

Philippe De Muyter · Answer 6 · 2017-08-23T16:09:36.907

3

On my armv7hl (i.MX6q with linux 4.1.15) system, to set a breakpoint in another process, I use :

ptrace(PTRACE_POKETEXT, pid, address, 0xe7f001f0)

I choose that value after strace'ing gdb :)

This works perfectly : I can examine the traced process, restore the original instruction, and restart the process with PTRACE_CONT.

edited Aug 23 '17 at 16:09

answered Aug 23 '17 at 12:52

Philippe De Muyter

251
2
5

is that instruction fix only to armv7 or maybe to arm v4 too? – yfr24493AzzrggAcom May 09 '20 at 17:50
Which signal do you get in host process for the ptraced process once the breakpoint is hit? – Mitar Aug 29 '23 at 23:03

score 3 · Answer 7 · answered Mar 04 '19 at 20:24

3

Although the original question asked about Cortex-A7 which is ARMv7-A, on ARMv8 GDB uses

brk #0

answered Mar 04 '19 at 20:24

Olsonist

2,051
1
20
35

score 2 · Answer 8 · answered Mar 30 '19 at 09:40

2

We can use breakpoint inst:

For A32: use BRK #imm instruction
For Arm and Thumb: use BKPT #imme instruction.

Or we can use UND pseudo-instruction to generate undefined instruction which will cause exception if processor attempt to execute it.

answered Mar 30 '19 at 09:40

J1ngB0

41
3

In the first bullet item, did you perhaps mean A64, not A32? And then, I believe the second bullet should be "for A32 and T16" – Cognitive Hazard Jun 05 '20 at 16:15

How do I set a software breakpoint on an ARM processor?

8 Answers8

Linked