WindISS Simulator and Disassembler -

31 WindISS Simulator and Disassembler

Synopsis 458
Simulator mode 458
Syntax (simulator mode) 458
Compiling for the windiss simulator 459
Description 460
Batch disassembler mode 464
Syntax (disassembler mode) 464
Description 465
Interactive disassembler mode 465
Syntax (interactive disassembler mode) 465
Description 465
Examples 466

Synopsis

WindISS, the Diab instruction-set simulator, is a simulator for executables and a disassembler for object files and executables. The disassembler mode provides both batch and interactive disassembly. The three modes of operation are selected by:

windiss -i...
windiss -ir...
windiss ... (with no -i option)

Batch disassembly.
Interactive disassembly.
Simulation.

The modes of operation are described next.

Simulator mode

In simulator mode, windiss can take command line arguments, input from standard input, and send output to standard output.

Syntax (simulator mode)

`windiss`	[-b binary-offset]	Load file at address; requires -t option.
	[-d debug-mask]	Write debugging information.
	[-Df trace-file]	Send -D... trace output to file.
	[-Di trigger-address[.. stop-address]	Trace only on execution in address range;
	[, trace-count]]	trace for count instructions.
	[-Dm range-start[.. range-stop]	Start trace on first read/write in address range.
	[, trace-count]]	trace for count instructions.
	[-Ds skip-count[, trace-count]]	Start trace after skip-count instructions; trace for count.
	[-Dx max-count]	Execute max-count instructions, then stop.
	[-e entry-point]	Set entry point address.
	[-h hex-offset]	Load at offset; requires -t option.
	[-I mem-init-value]	Initialize memory to low byte of value, else to 0.
	[-m mem-size]	Set memory size in bytes; suffixes K (kilo) or M (mega).
	[-ma]	Allocate memory automatically when accessed.
	[-mm range-start[..range-end] [r][w][x] [,range-start[..range-end] [r][w][x]] [, ...]]	Specify memory map in address range(s); r, w, and x set memory type to read, write, and execute.
	[-M address-mask]	Specify address mask applied to simulated target.
	[-N nice-value]	Run with lower priority on windows; nice-value can be 0 (default) to 6 (lowest priority).
	[-p]	Generate count profile without using -Xprof... options.
	[-q]	Quiet mode - no messages except user output.
	[-r]	Internal use by RTA.
	[-s clock-speed]	Set clock speed (in megahertz).
	[-S stack-address]	Specify initial value of stack and environment area.
	[-t target-name]	Set target with dctrl -t option.
	[-V]	Display version number.
	[-X exception-mask]	Set exception mask.
	filename [argument...]	Executable file to simulate and arguments to it if any.

Compiling for the windiss simulator

The windiss simulator is easiest to use with ELF files that were compiled for the windiss environment. To select the windiss environment when compiling, assembling, and linking, either:

Use -ttof:windiss on the compiler, assembler, or linker command line.
Use dctrl -t to specify the target and environment. When dctrl prompts "Select environment", select "other", and then enter windiss.

If object files were not compiled with ELF object file coding, the linker option -Xelf can be used to produce ELF file executables. Also, special switches described below allow for simulation using binary and hex files.

Description

The following table shows options for running windiss in simulator mode. The space between the option and its value is optional unless otherwise noted. When an option has multiple values, no other spaces are allowed. All numeric values may be specified in decimal or hex, e.g. 16 or 0x10.

Table 31-1   windiss simulation mode options

-b address
Load binary file at address. The -t option must be used to indicate the target.
-d debug-mask
Write debugging information using debug-mask to indicate options. Mask bits may be ORed and are specified in hex, e.g. 0xc. Mask bits not listed below are reserved. The mask bits are as follows:

1, 2
Turn logging on for the RTA server. Bit 2 requests more detail than bit 1.

4
Cannot be used without bit 8. When used with bit 8, windiss displays the contents of buffers for POSIX calls.

8
Log POSIX calls.

16
Log exceptions, if exceptions are enabled. For example, the timer interrupt can be logged.

64
Log target memory handling.
-Df trace-file
Direct output from all -D tracing options (-Di, -Dm, and -Ds) to the trace-file.
-Di trigger-address
   [.. stop-address]
   [, trace-count]
Enable tracing, displaying each instruction as it executes and any registers modified by it on stdout. No space is allowed in the arguments except after -Di.
Start tracing when the PC enters the range from trigger-address..stop-address. The default for stop-address gives a range of one instruction at the trigger-address.

Addresses may be symbols.

Stop tracing when execution reaches the stop-address or after trace-count instructions. If neither is present, tracing continues until the program terminates. Note that the program does not terminate when tracing stops - the program always runs until completion unless the -Dx option is present.

If trace-count is 0, tracing is enabled as long as the PC is within the specified function or range. When the PC is outside of range (e.g. when executing a subroutine), tracing is disabled.

Program output to stdout is intermixed with trace output unless the -Df option is used to redirect trace output to a different file.

Examples:

windiss -Di main hello.out

    Trace beginning at main.

windiss -Di main,1 hello.out

    Trace one instruction beginning at main.

windiss -Di main..printf hello.out

    Trace from main through the first entry to printf.

windiss -Di printf,0 hello.out

    Trace printf, skipping subroutine calls.

Note: simulation is slower with this option.
-Dm range-start
   [.. range-stop]
   [, trace-count]
Start tracing on the first read or write to any memory location in the given range. Stop tracing after trace-count instructions if present.
See -Di for other details and related examples.
-Ds skip-count[, trace-count]
Execute at full speed until skip-count instructions have been executed and then begin tracing each instruction as executed. Stop tracing after trace-count instructions if present.
See -Di for other details and related examples.
-Dx max-count
Execute max-count instructions and then stop.
-e entry-point
Specify the entry point of binary file.
-El
-Eb
Specify endianity for a binary file: -Eb for big-endian, or -El for little-endian.
-h address
Load hex file at address. The -t option must be used to indicate the target.
-I mem-init-value
Initialize memory to the low-order byte of the given value. Memory is cleared to 0 without this option.
-m mem-size
Specify size of memory in simulator. Sizes can be specified in bytes, kilobytes with `k' or `K', or megabytes with `m' or `M'. For example, the following are equivalent: -m 2M, -m 2048K, -m 2097152, and -m 0x200000. The program terminates with an error if the end of memory is reached.
-ma
Use automatic memory allocation. Memory is allocated when accessed.
-mm range-start[..range-end ] [r][w][x] [,range-start[..range-end] [r][w][x]] [, ...]
Specify a memory map starting at range-start and ending at range-end. The r, w, and x flags set the memory type to read, write, and execute; the default is rwx. Multiple ranges can be specified.
-M memory-mask
Specify an address mask to be applied to all target addresses before access to the simulated memory. Used to mask off high address bits to fit applications linked to high memory.
-N nice-value
Run windiss using lower priority on windows. nice-value can be 0 to 6, where 0 is the default (normal execution) and 6 is the lowest priority.
(none) or -?
Use windiss alone on the command line to see a list of windiss options.
-p
Generate count profile data even for programs not compiled with -Xprof-... options, effectively using -Xprof-count (p.100; hierarchical profile data not available). Without -r, upon program completion, the profile data will be written to stdout. With -r, the RTA will collect the profile data as usual.
-q
Run in quiet mode: do not print messages other than output from the user's program.
-r
Not for direct use. Used for connection to the RTA.
-s clock-speed
Set simulated clock speed in megahertz. The default is 10 (MHz). clock-speed must be an integer. This does not change the execution speed of windiss itself - rather, it changes the simulated time reported by windiss to, for example, the RTA.
-S stack-address
Specify the initial value of the stack and environment area. The default is to use the highest available memory address, or 0x80000000 if automatic memory allocation is used (see -ma above).
-t target-name
Specify target processor for program. Not needed for ELF files. Abbreviated names are used for specifying target processors: ARM, M32R, MC68K, MCF (for ColdFire), MCORE, MIPS, NEC, PPC, SH, SPARC, and X86. (Note that these abbreviated names are only the initial part of the t component of the -ttof:environ option to the compiler, linker and assembler. Only the abbreviated forms shown are currently permitted with windiss.)
-V
Print windiss version.
-X exception-mask

exception-mask is a 32-bit target-specific value that controls which exceptions are handled by windiss. The least significant bit corresponds to exception 0, the next bit to exception 1, and so on. If a bit is 1, windiss simulates the corresponding exception (branching to the exception handler, which must be supplied by the application program). If the bit is 0 (the default), windiss terminates the program when the exception occurs.
Only the following exceptions are implemented (by bit number):

3
DSI (handler at 0x300): page fault. Generated if an attempt is made to access an address outside the simulated memory space.

4
Instruction Access (handler at 0x400): page fault. Generated if an attempt is made to execute at an address outside the simulated memory space.

6
Alignment (handler at 0x600). Generated if an operand is not word aligned. Checked only for the lmw and stmw instructions.

7
Program (handler at 0x700). Generated on an illegal instruction only (no other program exceptions are simulated currently).

12
System Call (handler at 0xC00). Generated by the SC instruction.

13
Trace (handler at 0xD00). Generated after each instruction when the processor is in trace mode (the MSR[SE] bit is set; note that branch trace mode, MSR[BE] bit, is not supported).

16
Instruction Translation Miss (handler at 0x1000). Generated when the MMU is enabled and the effective address for an instruction fetch cannot be translated by the TLB.

17
Data Load Translation Miss (handler at 0x1100). Generated when the MMU is enabled and the effective address for a data load cannot be translated by the TLB.

18
Data Store Translation Miss (handler at 0x1200). Generated when the MMU is enabled and the effective address for a data store cannot be translated by the TLB.

Batch disassembler mode

Syntax (disassembler mode)




windiss
  
-i[o | e | l] [label] [-R1 start-address [-R2 end-address]] filename

[label] is only used with the `l' modifier.

Note: for the -ir option, see Interactive disassembler mode, p.465.

Description

Batch disassembly mode is selected by the -i option with no `r' modifier. In batch disassembler mode, windiss disassembles ELF object files and executables and writes the assembly code to standard output. The -i stands for instructions. windiss can disassemble programs compiled either:

For the windiss environment, without hardware floating point support. See Compiling for the windiss simulator, p.459.
For other environments, if there are no floating point instructions.

The modifiers `o', `e', and `l' are appended to the -i without an additional hyphen and with no spaces allowed. Modifiers may be used together in any order. To disassemble code use:

-i alone to disassemble the whole file.
"[e] -R1 start-address [-R2 end-address]" to specify code addresses. Use 0x for hex numbers. If part of a function is specified by a -R1 and -R2 options, the entire function is disassembled unless the `e' option is used to request exact addresses. A space is required between either the -R1 or -R2 option and the address.
`o' to also show machine code.
"l label" to specify the name of a function to be disassembled.

Interactive disassembler mode

Syntax (interactive disassembler mode)

windiss -ir[o] filename

Description

In interactive disassembler mode, windiss prints the disassembled ELF object code and executables interactively. The -i stands for instructions; the `r' modifier selects interactive mode; the `o' modifier shows hex machine code in addition to assembly language. windiss can disassemble programs compiled either:

For the windiss environment, without hardware floating point support. See Compiling for the windiss simulator, p.459.
For other environments, if there are no floating point instructions.

To disassemble code in interactive mode:

: d[isasm] label | [-e] start-address [end-address]

If part of a function is specified, the entire function will be disassembled unless the -e option is given. The -e option requests that exact addresses be disassembled, without other code.

To quit interactive mode:

: q[uit]

Examples

Example 1 - Simulate using all defaults

Run windiss in simulator mode. The program output is 17.

: windiss a.out

: 17
: windiss: task finished, exit code: 83521, Instructions executed: 2118
: windiss: interrupts were never enabled

Example 2 - Simulate with specified memory sizes

Run windiss in simulator mode, specifying memory size as 20,000 bytes, and then 1 megabyte:

: windiss -m 20000 a.out

: windiss: loading outside of memory, EA=0x4c00 (increase by using -m <size>)

: windiss -m 1M a.out

: 17
: windiss: task finished, exit code: 83521, Instructions executed: 2118
: windiss: interrupts were never enabled

Example 3 - Simulate showing POSIX calls

Run windiss in simulator mode, and use the debug option with a mask to show POSIX calls.

: windiss -d 8 a.out
: %% posix call 120: isatty(1), ret=1, errno=0
: %% posix call 4: write(1, 0x6bfc, 4)

: 17
: windiss: task finished, exit code: 83521, Instructions executed: 2118
: windiss: interrupts were never enabled

Example 4 - Batch disassemble entire file

Disassemble a.out:

: windiss -i a.out

Example 5 - Batch disassemble one function in file

Disassemble main in a.out:

: windiss -il main a.out

Example 6 - Batch disassemble functions in address range

Disassemble all code in function which includes addressees from 0x9c to 0x4e:

: windiss -i -R1 0x9c -R2 0x4e a.out

Disassemble only code from 0x9c to 0x4e:

: windiss -ie -R1 0x9c -R2 0x4e a.out

Example 7 - Interactive disassembly

Disassemble a.out in interactive mode, examine main and addresses 0xa0 to 0xa4:

: windiss -ir a.out Command line
: d main Interactive command
: 00000070: <main>: stwu r1,-8(r1) windiss output
: 00000074: <main+4>: mfspr r0,8
: 00000078: <main+8>: stw r0,12(r1)
: 0000007c: <main+12>: addi r3,r0,10
: 00000080: <main+16>: lwz r0,12(r1)
: 00000084: <main+20>: mtspr 8,r0
: 00000088: <main+24>: addi r1,r1,8
: 0000008c: <main+28>: bclr 20,0
: d -e 0xa0 0xa4 Exact address range
: 000000a0: <exit+16>: stw r0,20(r1) windiss output
: q Quit

Example 8 - Simulate, showing instructions and data as executed

Run windiss in simulator mode. Run normally until 1944 instructions are executed and then show the register contents and all instructions until the end of the program. Note: the 17 that appears first is output from the program. Lines containing register information are indented one space.

Figure 31-1   windiss output starting with specified instruction number

windiss -Ds 1944 a.out

17
MSR  00000000 CTR  00002818 LR   0000018c SRR0 00000000
SRR1 00000000 R0   0000018c R1   001ffdf0 R2   0000d314
R3   ffffffff R4   00000000 R5   00000004 R6   00001678
R7   00000064 R8   00000000 R9   000053f8 R10  00000008
R11  00000006 R12  00000000 R13  0000d31c R14  00000000
R15  00000000 R16  00000000 R17  00000000 R18  00000000
R19  00000000 R20  00000000 R21  00000000 R22  00000000
R23  00000000 R24  00000000 R25  00000000 R26  00000000
R27  00000000 R28  001ffe34 R29  00000001 R30  00014641
R31  00000968
0x00000a4c: <_cleanup+228>:        bclr        20,0
0x0000018c: <exit+116>:            addi        r3,r30,0
R3   00014641
0x00000190: <exit+120>:            b           <___exit>
0x00000394: <___exit>:             addi        r0,r0,1
R0   00000001
0x00000398: <___exit+4>:           b           <__trap>
0x0000037c: <__trap>:              tw          0,r31,r31

-b address	Load binary file at address. The -t option must be used to indicate the target.
-d debug-mask	Write debugging information using debug-mask to indicate options. Mask bits may be ORed and are specified in hex, e.g. 0xc. Mask bits not listed below are reserved. The mask bits are as follows:
	1, 2	Turn logging on for the RTA server. Bit 2 requests more detail than bit 1.
	4	Cannot be used without bit 8. When used with bit 8, windiss displays the contents of buffers for POSIX calls.
	8	Log POSIX calls.
	16	Log exceptions, if exceptions are enabled. For example, the timer interrupt can be logged.
	64	Log target memory handling.
-Df trace-file	Direct output from all -D tracing options (-Di, -Dm, and -Ds) to the trace-file.
-Di trigger-address [.. stop-address] [, trace-count]	Enable tracing, displaying each instruction as it executes and any registers modified by it on stdout. No space is allowed in the arguments except after -Di. Start tracing when the PC enters the range from trigger-address..stop-address. The default for stop-address gives a range of one instruction at the trigger-address.
	Addresses may be symbols.
	Stop tracing when execution reaches the stop-address or after trace-count instructions. If neither is present, tracing continues until the program terminates. Note that the program does not terminate when tracing stops - the program always runs until completion unless the -Dx option is present.
	If trace-count is 0, tracing is enabled as long as the PC is within the specified function or range. When the PC is outside of range (e.g. when executing a subroutine), tracing is disabled.
	Program output to stdout is intermixed with trace output unless the -Df option is used to redirect trace output to a different file.
	Examples: `windiss -Di main hello.out` Trace beginning at main. `windiss -Di main,1 hello.out` Trace one instruction beginning at main. `windiss -Di main..printf hello.out` Trace from main through the first entry to printf. `windiss -Di printf,0 hello.out` Trace printf, skipping subroutine calls. Note: simulation is slower with this option.
-Dm range-start [.. range-stop] [, trace-count]	Start tracing on the first read or write to any memory location in the given range. Stop tracing after trace-count instructions if present. See -Di for other details and related examples.
-Ds skip-count[, trace-count]	Execute at full speed until skip-count instructions have been executed and then begin tracing each instruction as executed. Stop tracing after trace-count instructions if present. See -Di for other details and related examples.
-Dx max-count	Execute max-count instructions and then stop.
-e entry-point	Specify the entry point of binary file.
-El -Eb	Specify endianity for a binary file: -Eb for big-endian, or -El for little-endian.
-h address	Load hex file at address. The -t option must be used to indicate the target.
-I mem-init-value	Initialize memory to the low-order byte of the given value. Memory is cleared to 0 without this option.
-m mem-size	Specify size of memory in simulator. Sizes can be specified in bytes, kilobytes with `k' or `K', or megabytes with `m' or `M'. For example, the following are equivalent: -m 2M, -m 2048K, -m 2097152, and -m 0x200000. The program terminates with an error if the end of memory is reached.
-ma	Use automatic memory allocation. Memory is allocated when accessed.
-mm range-start[..range-end ] [r][w][x] [,range-start[..range-end] [r][w][x]] [, ...]	Specify a memory map starting at range-start and ending at range-end. The r, w, and x flags set the memory type to read, write, and execute; the default is rwx. Multiple ranges can be specified.
-M memory-mask	Specify an address mask to be applied to all target addresses before access to the simulated memory. Used to mask off high address bits to fit applications linked to high memory.
-N nice-value	Run windiss using lower priority on windows. nice-value can be 0 to 6, where 0 is the default (normal execution) and 6 is the lowest priority.
(none) or -?	Use windiss alone on the command line to see a list of windiss options.
-p	Generate count profile data even for programs not compiled with -Xprof-... options, effectively using -Xprof-count (p.100; hierarchical profile data not available). Without -r, upon program completion, the profile data will be written to stdout. With -r, the RTA will collect the profile data as usual.
-q	Run in quiet mode: do not print messages other than output from the user's program.
-r	Not for direct use. Used for connection to the RTA.
-s clock-speed	Set simulated clock speed in megahertz. The default is 10 (MHz). clock-speed must be an integer. This does not change the execution speed of windiss itself - rather, it changes the simulated time reported by windiss to, for example, the RTA.
-S stack-address	Specify the initial value of the stack and environment area. The default is to use the highest available memory address, or 0x80000000 if automatic memory allocation is used (see -ma above).
-t target-name	Specify target processor for program. Not needed for ELF files. Abbreviated names are used for specifying target processors: ARM, M32R, MC68K, MCF (for ColdFire), MCORE, MIPS, NEC, PPC, SH, SPARC, and X86. (Note that these abbreviated names are only the initial part of the t component of the -ttof:environ option to the compiler, linker and assembler. Only the abbreviated forms shown are currently permitted with windiss.)
-V	Print windiss version.
-X exception-mask	exception-mask is a 32-bit target-specific value that controls which exceptions are handled by windiss. The least significant bit corresponds to exception 0, the next bit to exception 1, and so on. If a bit is 1, windiss simulates the corresponding exception (branching to the exception handler, which must be supplied by the application program). If the bit is 0 (the default), windiss terminates the program when the exception occurs. Only the following exceptions are implemented (by bit number):
	3	DSI (handler at 0x300): page fault. Generated if an attempt is made to access an address outside the simulated memory space.
	4	Instruction Access (handler at 0x400): page fault. Generated if an attempt is made to execute at an address outside the simulated memory space.
	6	Alignment (handler at 0x600). Generated if an operand is not word aligned. Checked only for the lmw and stmw instructions.
	7	Program (handler at 0x700). Generated on an illegal instruction only (no other program exceptions are simulated currently).
	12	System Call (handler at 0xC00). Generated by the SC instruction.
	13	Trace (handler at 0xD00). Generated after each instruction when the processor is in trace mode (the MSR[SE] bit is set; note that branch trace mode, MSR[BE] bit, is not supported).
	16	Instruction Translation Miss (handler at 0x1000). Generated when the MMU is enabled and the effective address for an instruction fetch cannot be translated by the TLB.
	17	Data Load Translation Miss (handler at 0x1100). Generated when the MMU is enabled and the effective address for a data load cannot be translated by the TLB.
	18	Data Store Translation Miss (handler at 0x1200). Generated when the MMU is enabled and the effective address for a data store cannot be translated by the TLB.