How to step over interrupt calls when debugging a bootloader/bios with gdb and QEMU?

Question

For educational purposes, I have adapted this bootloader from mikeos.berlios.de/write-your-own-os.html rewriting it to specifically load at address 0x7c00.

The final code is this:

[BITS 16]           ; Tells nasm to build 16 bits code
[ORG 0x7C00]        ; The address the code will start

start: 
    mov ax, 0       ; Reserves 4Kbytes after the bootloader
    add ax, 288 ; (4096 + 512)/ 16 bytes per paragraph 
    mov ss, ax 
    mov sp, 4096 
mov ax, 0   ; Sets the data segment 
    mov ds, ax 
    mov si, texto   ; Sets the text position 
    call imprime    ; Calls the printing routine
jmp $       ; Infinite loop 
    texto db 'It works! :-D', 0 
imprime:            ; Prints the text on screen
    mov ah, 0Eh     ; int 10h - printing function 
.repeat: 
    lodsb           ; Grabs one char 
    cmp al, 0 
    je .done        ; If char is zero, ends 
    int 10h         ; Else prints char 
jmp .repeat 
.done: 
ret 
times 510-($-$$) db 0 ; Fills the remaining boot sector with 0s 
dw 0xAA55             ; Standard boot signature

I can step through the program and see the registers changing, along with the instruction being executed, stepping with gdb (si) and inspecting with QEMU monitor (info registers, x /i $eip, etc).

After I get into int 10h (the BIOS printing routine), things get a little strange. If I step 500 instructions at once, I can see the character "I" (the first of char of my text string) printed on the screen. So I restarted again and stepped 400 steps (si 400) and then I did one step at a time to see in which exact step "I" got printed. It never happened. I actually stepped 200 steps one by one and nothing happened. As soon as I stepped 100 steps at once (si 100) I got "I" printed on the screen again.

So, I wonder if there is a timing issue (some system interrupt gets in the way as I do a step by step debug). What else could this be?

Anyway, is there a way of skipping the whole BIOS interrupt and other functions and just go back and keep stepping the bootloader code? As suggested by Peter Quiring in the comments, I tried using next. This did not work.

(gdb) next 
Cannot find bounds of current function

So I tried nexti and it just behaves as si.

Thanks!

Answer 1

I've automated your procedure with a Python script that:

• calculates the length of the current instruction
• sets a temporary breakpoint on the next instruction
• continues

This will also work for any other instruction, but I don't see many other use cases for it, since nexti already jumps over call.

class NextInstructionAddress(gdb.Command):
    """
Run until Next Instruction address.

Usage: nia

Put a temporary breakpoint at the address of the next instruction, and continue.

Useful to step over int interrupts.

See also: http://stackoverflow.com/questions/24491516/how-to-step-over-interrupt-calls-when-debugging-a-bootloader-bios-with-gdb-and-q
"""
    def __init__(self):
        super().__init__(
            'nia',
            gdb.COMMAND_BREAKPOINTS,
            gdb.COMPLETE_NONE,
            False
        )
    def invoke(self, arg, from_tty):
        frame = gdb.selected_frame()
        arch = frame.architecture()
        pc = gdb.selected_frame().pc()
        length = arch.disassemble(pc)[0]['length']
        gdb.Breakpoint('*' + str(pc + length), temporary = True)
        gdb.execute('continue')
NextInstructionAddress()

Just drop that into ~/.gdbinit.py and add source ~/.gdbinit.py to your ~/.gdbinit file.

Tested on GDB 7.7.1, Ubuntu 14.04.

Answer 2

This is actually a work around that fits my purposes. What I did was setting breakpoints so I can use "continue" on gdb along with "si" and follow the message being printed on the screen, one character at a time. Here are the steps.

In the first run, I do step my bootloader, so I can actually check the memory positions where the instructions are stored.

Linux shell:

# qemu-system-i386 -fda loader.img -boot a -s -S -monitor stdio
QEMU 1.5.0 monitor - type 'help' for more information
(qemu) 

Other Linux shell (some lines have been supressed [...]):

# gdb
GNU gdb (GDB) 7.6.1-ubuntu
[...]
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x0000fff0 in ?? ()
(gdb) set architecture i8086
[...]
(gdb) br *0x7c00
Ponto de parada 1 at 0x7c00
(gdb) c
Continuando.
Breakpoint 1, 0x00007c00 in ?? ()
(gdb) si
0x00007c03 in ?? ()

In the terminal I am running QEMU monitor, I find the address of the instructions executing this command after every si on gdb:

(qemu) x /i $eip
0x00007c03:  add    $0x120,%ax

For those new to QEMU, x display the contents of a register, /i translates it into an instruction and $eip is the instruction point register. By repeating these steps, I find out the addresses for the lodsb and int 10h instructions:

0x00007c29:  lods   %ds:(%si),%al 
0x00007c2e:  int    $0x10 

So, on gdb I just set the breakpoints for these aditional positions:

(gdb) br *0x7c29
Ponto de parada 2 at 0x7c29
(gdb) br *0x7c2e
Ponto de parada 3 at 0x7c2e

Now I can use a combination of "continue" (c) and stepi (si) on gdb and skip through the whole BIOS stuff.

There is probably better ways to do this. However, for my pedagogical purposes, this method works quite well.

Answer 3

There are some efforts to deal with this problem. It's really annoying when you are not instrested in the irq/exception handlers.

QEMU

Actually, QEMU has already considered this situation. QEMU gdbstub internally has two flags: NOIRQ and NOTIMER. These two flags will prevent irqs been injected to guest and pause timer clock emulation in single step mode. You can query the capbility of your qemu by:

(gdb) maintenance packet qqemu.sstepbits
sending: "qqemu.sstepbits"
received: "ENABLE=1,NOIRQ=2,NOTIMER=4"

For KVM, you probably need linux kernel v5.12+ for your host to support NOIRQ, which implements ioctl KVM_CAP_SET_GUEST_DEBUG2.

But plase note, NOIRQ only prevents irqs, execptions/traps are still been injected.

GDB

The NOIRQ and NOTIMER flags in QEMU still can not prevent exception/trap handler been executed. So you probablly go into 'unexpected' code out of a sudden. For example, a store instruction can lead to a page-fault exception. So, it's better to solve it in gdb client, that is using breakpoints to soft stepping instead of hardware stepping.

GDB has different stepping implementation for various architectures:

• x86: always uses hardware stepping.
• arm: prefer hardware stepping if supported by target. Otherwise, soft stepping is used.
• aarch64: always uses hardware stepping but atomic sequence.
• loongarch: always uses soft stepping.
• riscv: always uses soft stepping.

So you never hit such issue for loongarch and riscv. Here I wrote a gdb extension as 'gdb-os-helper.py' which can basically support soft stepping for x86/arm/aarch64 architectures.

# -*- coding: utf-8 -*-
"""gdb command extensions for better stepping with qemu guest os.

The main purpose is to get rid of the influence of cpu exceptions.

Provided commands:
    - bni/bsi: stepping over/into next instruction.
    - bn/bs: stepping over/into next source line.

Copyright (C) 2022 Author Changbin Du <changbin.du@gmail.com>
"""

try:
    from capstone import *
    from capstone.arm import *
    from capstone.arm64 import *
    from capstone.x86 import *
except ModuleNotFoundError:
    print("python module 'capstone' is not installed")


class BniBreakpoint(gdb.Breakpoint):
    """
    Our special breakpoint.
    """
    def __init__(self, addr):
        if hasattr(gdb, 'BP_HARDWARE_BREAKPOINT'):
            # BP_HARDWARE_BREAKPOINT is not supported on old gdb
            type = gdb.BP_HARDWARE_BREAKPOINT
        else:
            type = gdb.BP_BREAKPOINT
        super().__init__(f'*{addr}', type = type, internal = True, temporary = False)

class BreakpointBasedNextInstruction(gdb.Command):
    """
    Stepping with breakpoints. Useful for debugging OS in QEMU.
    """
    def __init__(self, name, step_into):
        super().__init__(name, gdb.COMMAND_BREAKPOINTS, gdb.COMPLETE_NONE, False)
        self.step_into = step_into

    def invoke(self, arg, from_tty):
        frame = gdb.selected_frame()
        arch = frame.architecture()
        pc = frame.pc()

        # print(arch.disassemble(pc)[0]['asm'])
        if arch.name() == 'aarch64':
            pcs = self.do_aarch64(frame, pc)
        elif arch.name() == 'armv7':
            pcs = self.do_arm(frame, pc)
        elif arch.name() == 'i386:x86-64':
            pcs = self.do_x86(frame, pc, CS_MODE_64)
        elif arch.name() == 'i386':
            pcs = self.do_x86(frame, pc, CS_MODE_32)
        else:
            print(f'not supported arch {arch.name()}')
            return

        # setup breakpoints on all possible pc
        bps = []
        for addr in pcs:
            bps.append(BniBreakpoint(addr))
        # go
        gdb.execute('continue')
        # delete breakpoints after stopped
        for bp in bps:
            bp.delete()

    def do_x86(self, frame, pc, mode):
        insn_len = frame.architecture().disassemble(pc)[0]['length']
        insn = gdb.selected_inferior().read_memory(pc, insn_len)
        md = Cs(CS_ARCH_X86, mode)
        md.detail = True
        insn = next(md.disasm(insn.tobytes(), pc))

        pcs = [pc + insn_len,]
        if insn.group(X86_GRP_JUMP) or (self.step_into and insn.group(X86_GRP_CALL)):
            if insn.operands[0].type == X86_OP_REG:
                addr = frame.read_register(insn.reg_name(insn.operands[0].reg))
                pcs.append(addr)
            elif insn.operands[0].type == X86_OP_IMM:
                pcs.append(insn.operands[0].imm)
            else:
                print(f'unsupported insn {insn}')
        elif insn.group(X86_GRP_RET):
            # get return address from stack
            addr = gdb.selected_inferior().read_memory(frame.read_register('sp'),
                                                                8 if mode == CS_MODE_64 else 4)
            addr = int.from_bytes(addr.tobytes(), "little")
            pcs.append(addr)

        return pcs

    def do_arm(self, frame, pc):
        insn = gdb.selected_inferior().read_memory(pc, 4)
        md = Cs(CS_ARCH_ARM, CS_MODE_ARM)
        md.detail = True
        insn = next(md.disasm(insn.tobytes(), pc))

        # deal with multiple load
        def _ldm(rn, reglist, step, inc):
            addr = frame.read_register(rn) + inc
            for i, opd in enumerate(reglist):
                if opd.type == ARM_OP_REG and opd.reg == ARM_REG_PC:
                    pc = gdb.selected_inferior().read_memory(addr + step * i, 4)
                    pc = int.from_bytes(pc.tobytes(), "little")
                    return pc
            return None

        pcs = [pc + 4,]
        if insn.id == ARM_INS_B or (self.step_into and insn.id == ARM_INS_BL):
            pcs.append(insn.operands[0].imm)
        elif insn.id == ARM_INS_BX or (self.step_into and insn.id == ARM_INS_BLX):
            addr = frame.read_register(insn.reg_name(insn.operands[0].reg))
            pcs.append(addr)
        elif insn.id in (ARM_INS_CBZ, ARM_INS_CBNZ):
            pcs.append(insn.operands[1].imm)
        elif insn.id == ARM_INS_POP:
            addr = _ldm('sp', insn.operands, 4, 0)
            pcs.append(addr)
        elif insn.id in (ARM_INS_LDM, ARM_INS_LDMIB, ARM_INS_LDMDA, ARM_INS_LDMDB):
            step = (4 if insn.id in (ARM_INS_LDM, ARM_INS_LDMIB) else -4)
            inc = (0 if insn.id in (ARM_INS_LDM, ARM_INS_LDMDA) else 1) * step
            addr = _ldm(insn.reg_name(insn.operands[0].reg),
                        insn.operands[1:], step, inc)
            pcs.append(addr)
        elif insn.group(ARM_GRP_JUMP):
            print(f'unsupported insn {insn}')

        return pcs

    def do_aarch64(self, frame, pc):
        insn = gdb.selected_inferior().read_memory(pc, 4)
        md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
        md.detail = True
        insn = next(md.disasm(insn.tobytes(), pc))

        pcs = [pc + 4,]
        if insn.id == ARM64_INS_B or (self.step_into and insn.id == ARM64_INS_BL):
            pcs.append(insn.operands[0].imm)
        elif insn.id == ARM64_INS_BR or (self.step_into and insn.id == ARM64_INS_BLR):
            addr = frame.read_register(insn.reg_name(insn.operands[0].reg))
            pcs.append(addr)
        elif insn.id in (ARM64_INS_CBZ, ARM64_INS_CBNZ):
            pcs.append(insn.operands[1].imm)
        elif insn.id in (ARM64_INS_TBZ, ARM64_INS_TBNZ):
            pcs.append(insn.operands[2].imm)
        elif insn.id == ARM64_INS_RET:
            reg = insn.reg_name(insn.operands[0].reg) if len(insn.operands) > 0 else 'lr'
            pcs.append(frame.read_register(reg))
        elif insn.group(ARM64_GRP_JUMP):
            print(f'unsupported insn {insn}')

        return pcs

class BreakpointBasedNextLine(gdb.Command):
    """
    Run until next line. Soure level stepping with breakpoints.
    """
    def __init__(self, name, step_into):
        super().__init__(name, gdb.COMMAND_BREAKPOINTS, gdb.COMPLETE_NONE, False)
        self.step_into = step_into

    def do_step(self):
        gdb.execute('bsi' if self.step_into else 'bni', to_string = True)

    def invoke(self, arg, from_tty):
        pc = gdb.selected_frame().pc()
        cur_line = gdb.current_progspace().find_pc_line(pc)
        if cur_line.symtab is None:
            # on source info, stepping by instruction
            self.do_step()
        else:
            # okay, stepping until leaving current line
            while True:
                self.do_step()
                pc = gdb.selected_frame().pc()
                line = gdb.current_progspace().find_pc_line(pc)
                if line.symtab is None or line.line != cur_line.line:
                    break

BreakpointBasedNextInstruction('bni', False)
BreakpointBasedNextInstruction('bsi', True)
BreakpointBasedNextLine('bn', False)
BreakpointBasedNextLine('bs', True)

print("""usage:
    - bni/bsi: stepping over/into next instruction.
    - bn/bs:   stepping over/into next source line.""")

You can use it as below:

(gdb) target remote :1234
Remote debugging using :1234
0xffffffff81eb4234 in default_idle () at arch/x86/kernel/process.c:731
731 }
=> 0xffffffff81eb4234 <default_idle+20>:    c3  ret    
   0xffffffff81eb4235:  66 66 2e 0f 1f 84 00 00 00 00 00    data16 cs nopw 0x0(%rax,%rax,1)
(gdb) source ~/work/gdb-os-helper.py 
usage:
    - bni/bsi: stepping over/into next instruction.
    - bn/bs:   stepping over/into next source line.
(gdb) bni
[Switching to Thread 1.5]

Thread 5 hit Breakpoint -2, default_idle_call () at kernel/sched/idle.c:117
117         raw_local_irq_disable();
(gdb) bn

Thread 1 hit Breakpoint -3, default_idle_call () at kernel/sched/idle.c:119
119         ct_idle_exit();
=> 0xffffffff81eb4562 <default_idle_call+114>:  e8 e9 d0 fe ff  call   0xffffffff81ea1650 <ct_idle_exit>
(gdb) 

Thread 1 hit Breakpoint -4, default_idle_call () at kernel/sched/idle.c:121
121         raw_local_irq_enable();

Enjoy!