
Instruction not restored when GDB breakpoint hit

Background

I am debugging an Android (ARM) application using gdb and gdbserver (gdb version 7.11). My host gdb is running on Windows 10, while the debugged Android is a Samsung Galaxy J7, connected by USB.

The host and target are well connected, gdb seems to work well. I am able to set a breakpoint on a location in the target/debugged application, and to make the breakpoint be hit.

The Problem

When the breakpoint is hit, the following problems are observed:

  • the ARM instruction at the breakpoint address reads udf #16, rather than the original instruction.
    • The ARM udf instruction is a 'permanently UNDEFINED encoding', which seems to be used for implementing the breakpoint trapping internal mechanism. When the udf #16 instruction is executed, it throws a TRAP signal that is picked up by the debugger.
  • The debugger should always restore the original instruction when the breakpoint is hit. This is not happening on my system.
  • Executing a ni (next instruction) command executes the udf #16 instruction again and again.
  • Deleting the breakpoint does not restore the original instruction. Instead, the udf #16 instruction remains in memory.
  • Incrementing the $pc register by four (4) simply skips the original instruction that should have been there.
  • Removing all breakpoints and continuing gdb simply hits the udf #16 command again and again.

Here's what the instructions look like before the breakpoint is hit:

(gdb) x/3i 0xd04dc520
0xd04dc520:  mov     r0, r4
0xd04dc524:  bl      0xd04d7af4 <avio_rb32>
0xd04dc528:  ldr     r6, [sp, #40]   ; 0x28

And here's what it looks like after the breakpoint is hit:

(gdb) x/3i 0xd04dc520
0xd04dc520:  udf     #16
0xd04dc524:  bl      0xd04d7af4 <avio_rb32>
0xd04dc528:  ldr     r6, [sp, #40]   ; 0x28

The gdb debugger fails to restore the original instruction at the breakpoint when it is hit. Searching the web has not turned up anyone suffering from the same problem.

The "set breakpoint always-inserted" parameter

The purpose of the breakpoint always-inserted [off/on] parameter is apparently exactly to control whether the debugger restores the instruction at the breakpoint or not. Quoting the documentation:

GDB normally implements breakpoints by replacing the program code at the breakpoint address with a special instruction, which, when executed, gives control to the debugger. By default, the program code is so modified only when the program is resumed. As soon as the program stops, GDB restores the original instructions. This behaviour guards against leaving breakpoints inserted in the target should gdb abruptly disconnect. However, with slow remote targets, inserting and removing breakpoints can reduce the performance. This behavior can be controlled with the following commands:

set breakpoint always-inserted off

All breakpoints, including newly added by the user, are inserted in the target only when the target is resumed. All breakpoints are removed from the target when it stops. This is the default mode.

set breakpoint always-inserted on

Causes all breakpoints to be inserted in the target at all times. If the user adds a new breakpoint, or changes an existing breakpoint, the breakpoints in the target are updated immediately. A breakpoint is removed from the target only when breakpoint itself is deleted.

A value of off for breakpoint always-inserted is exactly what we want. Indeed, this is the value of my gdb when the problem occurs (see the settable parameters below), so the mystery deepens.

Relevant Information

Following is a numbered gdb session log which shows the problem clearly, together with my comments.

1. (gdb) show version
2. GNU gdb (GDB) 7.11
3. Copyright (C) 2016 Free Software Foundation, Inc.
4. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
5. This is free software: you are free to change and redistribute it.
6. There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
7. and "show warranty" for details.
8. This GDB was configured as "x86_64-w64-mingw32".
9. Type "show configuration" for configuration details.
10.  For bug reporting instructions, please see:
11.  <http://www.gnu.org/software/gdb/bugs/>.
12.  Find the GDB manual and other documentation resources online at:
13.  <http://www.gnu.org/software/gdb/documentation/>.
14.  For help, type "help".
15.  Type "apropos word" to search for commands related to "word".
16.  (gdb) handle SIG33 nostop noprint
17.  Signal        Stop      Print   Pass to program Description
18.  SIG33         No        No      Yes             Real-time event 33
19.  (gdb) handle SIGSEGV nostop print
20.  Signal        Stop      Print   Pass to program Description
21.  SIGSEGV       No        Yes     Yes             Segmentation fault
22.  (gdb) set pagination off
23.  (gdb) info set
24.  ...
25.  (gdb) target remote :9999
26.  Remote debugging using :9999
27.  Reading /system/bin/app_process32 from remote target...
28.  ...
29.  Reading /system/bin/linker from remote target...
30.  0xf72480b0 in __epoll_pwait () from target:/system/lib/libc.so
31.  (gdb) info sharedlibrary libFFmpeg
32.  From        To          Syms Read   Shared Object Library
33.  0xd04b2f80  0xd063ec98  Yes (*)     target:/data/app/com.test.media/lib/arm/libFFmpeg.so
34.  (*): Shared library is missing debugging information.
35.  (gdb) x/3i 0xd04dc520
36.     0xd04dc520:  mov     r0, r4
37.     0xd04dc524:  bl      0xd04d7af4 <avio_rb32>
38.     0xd04dc528:  ldr     r6, [sp, #40]   ; 0x28
39.  (gdb) b *0xd04dc520
40.  Breakpoint 1 at 0xd04dc520
41.  (gdb) x/3i 0xd04dc520
42.     0xd04dc520:  mov     r0, r4
43.     0xd04dc524:  bl      0xd04d7af4 <avio_rb32>
44.     0xd04dc528:  ldr     r6, [sp, #40]   ; 0x28
45.  (gdb) info break
46.  Num     Type           Disp Enb Address    What
47.  1       breakpoint     keep y   0xd04dc520
48.  (gdb) c
49.  Continuing.
50.  [New Thread 3313.12241]
51.  [New Thread 3313.12243]
52.  [New Thread 3313.12257]
53.  [New Thread 3313.12271]
54.  [New Thread 3313.12323]
55.  [New Thread 3313.12326]
56.  [New Thread 3313.12335]
57.  [New Thread 3313.12338]
58.  [New Thread 3313.12339]
59.  [New Thread 3313.12342]
60.  [New Thread 3313.12343]
61.  [New Thread 3313.12344]
62.  [New Thread 3313.12355]
63.  Reading /system/lib/libsfextcmn.so from remote target...
64.  [New Thread 3313.12360]
65.  Reading /system/lib/libsfextcmn.so from remote target...
66.  [New Thread 3313.12409]
67.  [Switching to Thread 3313.12343]
68.  
69.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
70.  (gdb) x/3i 0xd04dc520
71.  => 0xd04dc520:  udf     #16
72.     0xd04dc524:  bl      0xd04d7af4 <avio_rb32>
73.     0xd04dc528:  ldr     r6, [sp, #40]   ; 0x28
74.  (gdb) ni
75.  
76.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
77.  (gdb) info reg pc
78.  pc             0xd04dc520       0xd04dc520
79.  (gdb) x/i $pc
80.  => 0xd04dc520:  udf     #16
81.  (gdb) ni
82.  
83.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
84.  (gdb) ni
85.  
86.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
87.  (gdb) ni
88.  
89.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
90.  (gdb) c
91.  Continuing.
92.  
93.  Thread 160 "mmt_hVideoPlaye" hit Breakpoint 1, 0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
94.  (gdb) delete 1
95.  (gdb) info break
96.  No breakpoints or watchpoints.
97.  (gdb) c
98.  Continuing.
99.  [New Thread 3313.12547]
100.  
101.  Thread 160 "mmt_hVideoPlaye" received signal SIGTRAP, Trace/breakpoint trap.
102.  0xd04dc520 in ?? () from target:/data/app/com.test.media/lib/arm/libFFmpeg.so
103.  (gdb)

Lines 2-8: GDB version is 7.11, configured for x86_64-w64-mingw32.

Lines 16-21: Handling SIG33 and SIGSEGV signals.

Lines 31-33: Determine loaded address of libFFmpeg shared object .text segment (0xd04b2f80). This allowed me to compute the precise instruction breakpoint address I wanted (0xd04dc520).

Lines 35-38: Dumping the instructions at, and following, the intended breakpoint address.

Line 39: Setting breakpoint 1 at 0xd04dc520.

Lines 41-44: Dumping the instructions at, and following, the intended breakpoint address, after setting the breakpoint.

Line 48: Continue execution.

Lines 50-68: Execution continues, interaction with the device causes the breakpoint to be hit.

Line 69: Breakpoint 1 is hit.

Lines 70-73: Listing the instruction at the breakpoint address. The instruction, which was originally mov r0, r4 , is now udf #16 .

Lines 74-80: Executing an ni command keeps $pc in the same place, the udf #16 traps us completely.

Lines 81-89: Multiple ni keep us in the same location.

Lines 90-93: The continue command likewise keeps us trapped.

Lines 94-102: Removing all breakpoints does not restore the instruction; a continue command hits the udf #16, which has not been restored.


Here are some relevant gdb settable parameters:

architecture:  The target architecture is set automatically (currently arm)
arm abi:  The current ARM ABI is "auto" (currently "AAPCS").
arm apcs32:  Usage of ARM 32-bit mode is on.
arm disassembler:  The disassembly style is "std".
arm fallback-mode:  The current execution mode assumed (when symbols are unavailable) is "auto".
arm force-mode:  The current execution mode assumed (even when symbols are available) is "auto".
arm fpu:  The current ARM floating point model is "auto".
auto-connect-native-target:  Whether GDB may automatically connect to the native target is on.
auto-load gdb-scripts:  Auto-loading of canned sequences of commands scripts is on.
auto-load local-gdbinit:  Auto-loading of .gdbinit script from current directory is on.
auto-load python-scripts:  Auto-loading of Python scripts is on.
auto-load safe-path:  List of directories from which it is safe to auto-load files is $debugdir:$datadir/auto-load.
auto-load scripts-directory:  List of directories from which to load auto-loaded scripts is $debugdir:$datadir/auto-load.
auto-load-scripts:  Auto-loading of Python scripts is on.
auto-solib-add:  Autoloading of shared library symbols is on.
breakpoint always-inserted:  Always inserted breakpoint mode is off.
breakpoint auto-hw:  Automatic usage of hardware breakpoints is on.
breakpoint condition-evaluation:  Breakpoint condition evaluation mode is auto (currently host).
breakpoint pending:  Debugger's behavior regarding pending breakpoints is auto.
can-use-hw-watchpoints:  Debugger's willingness to use watchpoint hardware is 1.
debug aarch64:  AArch64 debugging is off.
debug arch:  Architecture debugging is 0.
debug arm:  ARM debugging is off.
disassemble-next-line:  Debugger's willingness to use disassemble-next-line is off.
disassembly-flavor:  The disassembly flavor is "att".
osabi:  The current OS ABI is "auto" (currently "Cygwin").
The default OS ABI is "Cygwin".
remote breakpoint-commands-packet:  Support for the `BreakpointCommands' packet is auto-detected, currently unknown.
remote btrace-conf-bts-size-packet:  Support for the `Qbtrace-conf:bts:size' packet is auto-detected, currently unknown.
remote btrace-conf-pt-size-packet:  Support for the `Qbtrace-conf:pt:size' packet is auto-detected, currently unknown.
remote catch-syscalls-packet:  Support for the `QCatchSyscalls' packet is auto-detected, currently unknown.
remote conditional-breakpoints-packet:  Support for the `ConditionalBreakpoints' packet is auto-detected, currently unknown.
remote conditional-tracepoints-packet:  Support for the `ConditionalTracepoints' packet is auto-detected, currently unknown.
remote ctrl-c-packet:  Support for the `vCtrlC' packet is auto-detected, currently unknown.
remote disable-btrace-packet:  Support for the `Qbtrace:off' packet is auto-detected, currently unknown.
remote disable-randomization-packet:  Support for the `QDisableRandomization' packet is auto-detected, currently unknown.
remote enable-btrace-bts-packet:  Support for the `Qbtrace:bts' packet is auto-detected, currently unknown.
remote enable-btrace-pt-packet:  Support for the `Qbtrace:pt' packet is auto-detected, currently unknown.
remote exec-event-feature-packet:  Support for the `exec-event-feature' packet is auto-detected, currently unknown.
remote exec-file:  (null)
remote fast-tracepoints-packet:  Support for the `FastTracepoints' packet is auto-detected, currently unknown.
remote fetch-register-packet:  Support for the `p' packet is auto-detected, currently unknown.
remote fork-event-feature-packet:  Support for the `fork-event-feature' packet is auto-detected, currently unknown.
remote get-thread-information-block-address-packet:  Support for the `qGetTIBAddr' packet is auto-detected, currently unknown.
remote get-thread-local-storage-address-packet:  Support for the `qGetTLSAddr' packet is auto-detected, currently unknown.
remote hardware-breakpoint-limit:  The maximum number of target hardware breakpoints is -1.
remote hardware-breakpoint-packet:  Support for the `Z1' packet is auto-detected, currently unknown.
remote hardware-watchpoint-length-limit:  The maximum length (in bytes) of a target hardware watchpoint is -1.
remote hardware-watchpoint-limit:  The maximum number of target hardware watchpoints is -1.
remote hostio-close-packet:  Support for the `vFile:close' packet is auto-detected, currently unknown.
remote hostio-fstat-packet:  Support for the `vFile:fstat' packet is auto-detected, currently unknown.
remote hostio-open-packet:  Support for the `vFile:open' packet is auto-detected, currently unknown.
remote hostio-pread-packet:  Support for the `vFile:pread' packet is auto-detected, currently unknown.
remote hostio-pwrite-packet:  Support for the `vFile:pwrite' packet is auto-detected, currently unknown.
remote hostio-readlink-packet:  Support for the `vFile:readlink' packet is auto-detected, currently unknown.
remote hostio-setfs-packet:  Support for the `vFile:setfs' packet is auto-detected, currently unknown.
remote hostio-unlink-packet:  Support for the `vFile:unlink' packet is auto-detected, currently unknown.
remote hwbreak-feature-packet:  Support for the `hwbreak-feature' packet is auto-detected, currently unknown.
remote install-in-trace-packet:  Support for the `InstallInTrace' packet is auto-detected, currently unknown.
remote interrupt-on-connect:  W whether interrupt-sequence is sent to remote target when gdb connects to is off.
remote interrupt-sequence:  Send the ASCII ETX character (Ctrl-c) to the remote target to interrupt the execution of the program.
remote kill-packet:  Support for the `vKill' packet is auto-detected, currently unknown.
remote library-info-packet:  Support for the `qXfer:libraries:read' packet is auto-detected, currently unknown.
remote library-info-svr4-packet:  Support for the `qXfer:libraries-svr4:read' packet is auto-detected, currently unknown.
remote memory-map-packet:  Support for the `qXfer:memory-map:read' packet is auto-detected, currently unknown.
remote memory-read-packet-size:  The memory-read-packet-size is 0. Packets are limited to 648 bytes.
remote memory-write-packet-size:  The memory-write-packet-size is 0. Packets are limited to 648 bytes.
remote multiprocess-feature-packet:  Support for the `multiprocess-feature' packet is auto-detected, currently unknown.
remote no-resumed-stop-reply-packet:  Support for the `N stop reply' packet is auto-detected, currently unknown.
remote noack-packet:  Support for the `QStartNoAckMode' packet is auto-detected, currently unknown.
remote osdata-packet:  Support for the `qXfer:osdata:read' packet is auto-detected, currently unknown.
remote p-packet:
remote pass-signals-packet:  Support for the `QPassSignals' packet is auto-detected, currently unknown.
remote pid-to-exec-file-packet:  Support for the `qXfer:exec-file:read' packet is auto-detected, currently unknown.
remote program-signals-packet:  Support for the `QProgramSignals' packet is auto-detected, currently unknown.
remote query-attached-packet:  Support for the `qAttached' packet is auto-detected, currently unknown.
remote read-aux-vector-packet:  Support for the `qXfer:auxv:read' packet is auto-detected, currently unknown.
remote read-btrace-conf-packet:  Support for the `qXfer:btrace-conf' packet is auto-detected, currently unknown.
remote read-btrace-packet:  Support for the `qXfer:btrace' packet is auto-detected, currently unknown.
remote read-fdpic-loadmap-packet:  Support for the `qXfer:fdpic:read' packet is auto-detected, currently unknown.
remote read-sdata-object-packet:  Support for the `qXfer:statictrace:read' packet is auto-detected, currently unknown.
remote read-siginfo-object-packet:  Support for the `qXfer:siginfo:read' packet is auto-detected, currently unknown.
remote read-spu-object-packet:  Support for the `qXfer:spu:read' packet is auto-detected, currently unknown.
remote read-watchpoint-packet:  Support for the `Z3' packet is auto-detected, currently unknown.
remote reverse-continue-packet:  Support for the `bc' packet is auto-detected, currently unknown.
remote reverse-step-packet:  Support for the `bs' packet is auto-detected, currently unknown.
remote run-packet:  Support for the `vRun' packet is auto-detected, currently unknown.
remote search-memory-packet:  Support for the `qSearch:memory' packet is auto-detected, currently unknown.
remote set-register-packet:  Support for the `P' packet is auto-detected, currently unknown.
remote software-breakpoint-packet:  Support for the `Z0' packet is auto-detected, currently unknown.
remote static-tracepoints-packet:  Support for the `StaticTracepoints' packet is auto-detected, currently unknown.
remote supported-packets-packet:  Support for the `qSupported' packet is auto-detected, currently unknown.
remote swbreak-feature-packet:  Support for the `swbreak-feature' packet is auto-detected, currently unknown.
remote symbol-lookup-packet:  Support for the `qSymbol' packet is auto-detected, currently unknown.
remote system-call-allowed:  Calling host system(3) call from target is not allowed
remote target-features-packet:  Support for the `qXfer:features:read' packet is auto-detected, currently unknown.
remote thread-events-packet:  Support for the `QThreadEvents' packet is auto-detected, currently unknown.
remote threads-packet:  Support for the `qXfer:threads:read' packet is auto-detected, currently unknown.
remote trace-buffer-size-packet:  Support for the `QTBuffer:size' packet is auto-detected, currently unknown.
remote trace-status-packet:  Support for the `qTStatus' packet is auto-detected, currently unknown.
remote traceframe-info-packet:  Support for the `qXfer:traceframe-info:read' packet is auto-detected, currently unknown.
remote unwind-info-block-packet:  Support for the `qXfer:uib:read' packet is auto-detected, currently unknown.
remote verbose-resume-packet:  Support for the `vCont' packet is auto-detected, currently unknown.
remote verbose-resume-supported-packet:  Support for the `vContSupported' packet is auto-detected, currently unknown.
remote vfork-event-feature-packet:  Support for the `vfork-event-feature' packet is auto-detected, currently unknown.
remote write-siginfo-object-packet:  Support for the `qXfer:siginfo:write' packet is auto-detected, currently unknown.
remote write-spu-object-packet:  Support for the `qXfer:spu:write' packet is auto-detected, currently unknown.
remote write-watchpoint-packet:  Support for the `Z2' packet is auto-detected, currently unknown.
remoteaddresssize:  The maximum size of the address (in bits) in a memory packet is 0.
remotebreak:
remotecache:  Deprecated remotecache flag is off.
step-mode:  Mode of the step operation is off.

Question

Why is the gdb debugger failing to perform one of the simplest and most critical debugger operations, i.e., restoring an instruction when the breakpoint is hit?

just try:

set arm fallback-mode arm
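The answer above points at GDB's ARM/Thumb execution-mode guess, which on this target has nothing to go on (no symbols, hence the `?? ()` frames). The following is an added example, not code from the question, the answer, GDB or gdbserver: a small Python model of remote software breakpoints in the style of the GDB remote protocol's `Z0`/`z0` packets, where the host side picks a breakpoint "kind" (trap length, 4 bytes for ARM state, 2 for Thumb state) from its mode guess and the target-side stub saves and restores the replaced bytes. The model shows the invariant the question is about: the bytes written back on stop or delete must be exactly the bytes the trap replaced, and if the host's kind at removal time no longer matches the kind it used at insertion, the stub finds no matching breakpoint and the trap stays in memory, which is the symptom in the session log. The `0xe7f001f0` value is the ARM-state encoding of `udf #16` (the trap the log shows); the 2-byte Thumb trap value, the `E01` error reply, the `bl` offset and the claim that this matching is what goes wrong in the asker's setup are assumptions of the model, not a confirmed diagnosis.

```python
"""Added example: a simplified host/stub model of remote software breakpoints.
Not GDB's or gdbserver's code; kinds, replies and the failure mechanism are
assumptions chosen to illustrate the insert/restore invariant."""
import struct

# Constructed trap encodings. 0xe7f001f0 is 'udf #16' in ARM state (seen in the
# question's log); the 2-byte Thumb value is an assumption for this model.
ARM_TRAP = struct.pack("<I", 0xE7F001F0)
THUMB_TRAP = struct.pack("<H", 0xDE01)
KIND_TO_TRAP = {4: ARM_TRAP, 2: THUMB_TRAP}   # kind == trap length in bytes

# Constructed little-endian ARM code at the question's breakpoint address:
# mov r0, r4 ; bl <...> (branch offset is a placeholder) ; ldr r6, [sp, #40]
BASE = 0xD04DC520
MOV_R0_R4 = struct.pack("<I", 0xE1A00004)
BL_PLACEHOLDER = struct.pack("<I", 0xEBFFFFFE)
LDR_R6_SP_40 = struct.pack("<I", 0xE59D6028)
CODE = MOV_R0_R4 + BL_PLACEHOLDER + LDR_R6_SP_40


class Stub:
    """Target-side half (gdbserver role): owns memory and the saved shadows."""

    def __init__(self, base, code):
        self.base, self.mem = base, bytearray(code)
        self.shadows = {}                       # (addr, kind) -> replaced bytes

    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.mem[off:off + n])

    def write(self, addr, data):
        off = addr - self.base
        self.mem[off:off + len(data)] = data

    def z0_insert(self, addr, kind):
        # Save exactly the bytes the trap overwrites, then write the trap.
        self.shadows[(addr, kind)] = self.read(addr, kind)
        self.write(addr, KIND_TO_TRAP[kind])
        return "OK"

    def z0_remove(self, addr, kind):
        # Restore only if a breakpoint with this (addr, kind) was recorded;
        # otherwise nothing is written back and the trap remains in memory.
        shadow = self.shadows.pop((addr, kind), None)
        if shadow is None:
            return "E01"
        self.write(addr, shadow)
        return "OK"


class Client:
    """Host-side half (gdb role): derives the kind from its mode guess."""

    def __init__(self, stub, mode_guess):
        self.stub = stub
        self.mode_guess = mode_guess            # callable: addr -> "arm"|"thumb"

    def kind_for(self, addr):
        return 4 if self.mode_guess(addr) == "arm" else 2

    def insert(self, addr):
        return self.stub.z0_insert(addr, self.kind_for(addr))

    def delete(self, addr):
        return self.stub.z0_remove(addr, self.kind_for(addr))


def trap_kind_at(stub, addr):
    """Detection helper: report which trap, if any, sits at addr (None if clean)."""
    for kind, trap in KIND_TO_TRAP.items():
        if stub.read(addr, kind) == trap:
            return kind
    return None


def run_scenario(insert_mode, remove_mode):
    """Insert a breakpoint under one mode guess and delete it under another.
    Returns (stub reply to the delete, first 4 bytes at the address afterwards)."""
    stub = Stub(BASE, CODE)
    guesses = iter([insert_mode, remove_mode])   # one guess per request
    client = Client(stub, lambda addr: next(guesses))
    client.insert(BASE)
    reply = client.delete(BASE)
    return reply, stub.read(BASE, 4)


if __name__ == "__main__":
    for modes in (("arm", "arm"), ("thumb", "thumb"), ("arm", "thumb")):
        reply, word = run_scenario(*modes)
        print(modes, reply, word.hex())
```

With a consistent guess the original `mov r0, r4` word comes back after the delete; with a guess that changes between insertion and removal the delete is refused and `trap_kind_at` still reports the 4-byte trap, matching the log where `delete 1` left `udf #16` in place. Pinning the mode with `set arm fallback-mode arm`, as the answer suggests, is the analogue of making the host's guess consistent.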
