1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406
//! An implementation of the //! [GDB Remote Serial Protocol](https://sourceware.org/gdb/onlinedocs/gdb/Remote-Protocol.html#Remote-Protocol) //! in Rust. //! //! `gdbstub` tries to make as few assumptions as possible about a project's //! architecture, and aims to provide a "drop-in" way to add GDB support, //! _without_ requiring any large refactoring / ownership juggling. It is //! particularly useful in _emulators_, where it provides a powerful, //! non-intrusive way to debug code running within an emulated system. //! //! **Disclaimer:** `gdbstub` is still in it's early stages of development! //! Expect breaking API changes between minor releases. //! //! ## Debugging Features //! //! At the moment, `gdbstub` implements enough of the GDB Remote Serial Protocol //! to support step-through + breakpoint debugging of single-threaded code. //! //! - Core GDB Protocol //! - Step + Continue //! - Add + Remove Breakpoints //! - Read/Write memory //! - Read/Write registers //! - Read/Write/Access Watchpoints (i.e: value breakpoints) (_currently //! broken_) //! - Extended GDB Protocol //! - (optional) Automatic architecture detection //! //! The GDB Remote Serial Protocol is surprisingly complex, supporting advanced //! features such as remote file I/O, spawning new processes, "rewinding" //! program execution, and much, _much_ more. Thankfully, most of these features //! are completely optional, and getting a basic debugging session //! up-and-running only requires a small subset of commands to be implemented. //! //! ## Feature flags //! //! `gdbstub` is `no_std` by default, though it does have a dependency on //! `alloc`. //! //! Additional functionality can be enabled by activating certain features. //! //! - `std` - (disabled by default) //! - Implements [`Connection`](trait.Connection.html) for //! `std::net::TcpStream`. //! - Implements [`std::error::Error`](https://doc.rust-lang.org/std/error/trait.Error.html) //! for [`gdbstub::Error`](enum.Error.html). //! - Outputs protocol responses via `log::trace!` //! //! ## Example //! //! **Note:** Please refer to the [Real-World Examples](#real-world-examples) //! for examples that can be compiled and run. The example below merely provides //! a high-level overview of what a `gdbstub` integration might look like. //! //! Consider a project with the following structure: //! //! ```compile_fail //! struct EmuError { /* ... */ } //! //! struct Emu { /* ... */ } //! impl Emu { //! /// tick the system a single instruction //! fn step(&mut self) -> Result<(), EmuError> { /* ... */ } //! /// read a register's value //! fn read_reg(&self, idx: usize) -> u32 { /* ... */ } //! /// read a byte from a given address //! fn r8(&mut self, addr: u32) -> u8 { /* ... */ } //! // ... etc ... //! } //! //! fn main() -> Result<(), Box<dyn std::error::Error>> { //! let mut emu = Emu::new(); //! loop { //! emu.step()?; //! } //! } //! ``` //! //! ### The `Target` trait //! //! The [`Target`](trait.Target.html) trait is used to modify and control a //! system's execution state during a GDB debugging session. Since each project //! is different, it's up to the user to provide methods to read/write memory, //! step execution, etc... //! //! ```compile_fail //! use gdbstub::{GdbStub, Access, AccessKind, Target, TargetState}; //! //! impl Target for Emu { //! // The target's pointer size. //! type Usize = u32; //! // Project-specific error type. //! type Error = EmuError; //! //! // Run the system for a single "step", using the provided callback to log //! // any memory accesses which may have occurred //! fn step( //! &mut self, //! mut log_mem_access: impl FnMut(Access<u32>), //! ) -> Result<TargetState, Self::Error> { //! // run the system //! self.step()?; // <-- can use `?` to propagate project-specific errors! //! //! // log any memory accesses which might have occurred //! for (read_or_write, addr, val) in self.mem.recent_accesses.drain(..) { //! log_mem_access(Access { //! kind: if read_or_write { //! AccessKind::Read //! } else { //! AccessKind::Write //! }, //! addr, //! val //! }) //! } //! //! Ok(TargetState::Running) //! } //! //! // Read-out the CPU's register values in the order specified in the arch's //! // `target.xml` file. //! // e.g: for ARM: binutils-gdb/blob/master/gdb/features/arm/arm-core.xml //! fn read_registers(&mut self, mut push_reg: impl FnMut(&[u8])) { //! // general purpose registers //! for i in 0..13 { //! push_reg(&self.cpu.reg_get(i).to_le_bytes()); //! } //! push_reg(&self.cpu.reg_get(reg::SP).to_le_bytes()); //! push_reg(&self.cpu.reg_get(reg::LR).to_le_bytes()); //! push_reg(&self.cpu.reg_get(reg::PC).to_le_bytes()); //! // Floating point registers, unused //! for _ in 0..25 { //! push_reg(&[0, 0, 0, 0]); //! } //! push_reg(&self.cpu.reg_get(reg::CPSR).to_le_bytes()); //! } //! //! // Write to the CPU's register values in the order specified in the arch's //! // `target.xml` file. //! fn write_registers(&mut self, regs: &[u8]) { //! /* ... similar to read_registers ... */ //! } //! //! fn read_pc(&mut self) -> u32 { //! self.cpu.reg_get(reg::PC) //! } //! //! // read the specified memory addresses from the target //! fn read_addrs(&mut self, addr: std::ops::Range<u32>, mut push_byte: impl FnMut(u8)) { //! for addr in addr { //! push_byte(self.mem.r8(addr)) //! } //! } //! //! // write data to the specified memory addresses //! fn write_addrs(&mut self, mut get_addr_val: impl FnMut() -> Option<(u32, u8)>) { //! while let Some((addr, val)) = get_addr_val() { //! self.mem.w8(addr, val); //! } //! } //! //! // there are several other methods whose default implementations can be //! // overridden to enable certain advanced GDB features //! // (e.g: automatic arch detection). //! // //! // See the docs for details. //! } //! ``` //! //! ### The `Connection` trait //! //! The GDB Remote Serial Protocol is transport agnostic, only requiring that //! the transport provides in-order, bytewise I/O (such as TCP, UDS, UART, //! etc...). This transport requirement is encoded in the //! [`Connection`](trait.Connection.html) trait. //! //! `gdbstub` includes a pre-defined implementation of `Connection` for //! `std::net::TcpStream` (assuming the `std` feature flag is enabled). //! //! A common way to begin a remote debugging is connecting to a target via TCP: //! //! ``` //! use std::net::{TcpListener, TcpStream}; //! //! fn wait_for_gdb_connection(port: u16) -> std::io::Result<TcpStream> { //! let sockaddr = format!("localhost:{}", port); //! eprintln!("Waiting for a GDB connection on {:?}...", sockaddr); //! let sock = TcpListener::bind(sockaddr)?; //! let (stream, addr) = sock.accept()?; //! //! // Blocks until a GDB client connects via TCP. //! // i.e: Running `target remote localhost:<port>` from the GDB prompt. //! //! eprintln!("Debugger connected from {}", addr); //! Ok(stream) //! } //! ``` //! //! ### Creating the `GdbStub` //! //! All that's left is to create a new [`GdbStub`](struct.GdbStub.html), pass it //! your `Connection` and `Target`, and call `run`! //! //! ```compile_fail //! fn main() -> Result<(), Box<dyn std::error::Error>> { //! // Pre-existing setup code //! let mut system = Emu::new()?; //! // ... etc ... //! //! // Establish a `Connection` //! let stream = wait_for_gdb_connection(9001); //! //! // Create a new `GdbStub` using the established `Connection`. //! let debugger = GdbStub::new(stream); //! //! // Instead of taking ownership of the system, GdbStub takes a &mut, yielding //! // ownership once the debugging session is closed, or an error occurs. //! let system_result = match debugger.run(&mut system) { //! Ok(state) => { //! eprintln!("Disconnected from GDB. Target state: {:?}", state); //! Ok(()) //! } //! // handle any target-specific errors //! Err(gdbstub::Error::TargetError(e)) => Err(e), //! // connection / gdbstub internal errors //! Err(e) => return Err(e.into()), //! }; //! //! eprintln!("{:?}", system_result); //! } //! ``` //! //! ## Real-World Examples //! //! There are already several projects which are using `gdbstub`: //! //! - [rustyboyadvance-ng](https://github.com/michelhe/rustboyadvance-ng/) - //! Nintendo GameBoy Advance emulator and debugger //! - [microcorruption-emu](https://github.com/sapir/microcorruption-emu) - //! msp430 emulator for the microcorruption.com ctf //! - [ts7200](https://github.com/daniel5151/ts7200/) - An emulator for the //! TS-7200, a somewhat bespoke embedded ARMv4t platform //! //! If you happen to use `gdbstub` in one of your own projects, feel free to //! open a PR to add it to this list! #![cfg_attr(not(feature = "std"), no_std)] extern crate alloc; use core::fmt::Debug; use num_traits::{PrimInt, Unsigned}; mod connection_impls; mod error; mod protocol; mod stub; pub use error::Error; pub use stub::GdbStub; /// Describes a target system which can be debugged using /// [`GdbStub`](struct.GdbStub.html). /// /// This trait describes the architecture and capabilities of a target system, /// and provides an interface for `GdbStub` to modify and control the system's /// state. /// /// Several of the trait's "Provided methods" can be overwritten to enable /// certain advanced GDB debugging features. For example, the /// [`target_description_xml`](#method.target_description_xml) method can be /// overwritten to enable automatic architecture detection. /// /// ### What's `<target>.xml`? /// /// Some required methods rely on target-specific information which can only be /// found in GDB's internal `<target>.xml` files. For example, a basic 32-bit /// ARM target uses the register layout described in the /// [`arm-core.xml`](https://github.com/bminor/binutils-gdb/blob/master/gdb/features/arm/arm-core.xml) /// file. // TODO: modify all signatures to return Result<(), Self::Error> // TODO: Introduce a `Registers` trait to abstract register read/write // - i.e: provide "built-in" `Registers` implementations for common // architectures which match GDB's XML files. // - always easier to work with structured data instead of unstructured data... pub trait Target { /// The target architecture's pointer size (e.g: `u32` on a 32-bit system). type Usize: PrimInt + Unsigned + Debug; /// A target-specific fatal error. type Error; /// Perform a single "step" of the emulated system. A step should be a /// single CPU instruction or less. /// /// The provided `log_mem_access` function should be called each time a /// memory location is accessed. fn step( &mut self, log_mem_access: impl FnMut(Access<Self::Usize>), ) -> Result<TargetState, Self::Error>; /// Read the target's registers. /// /// The registers should be read in the order specified in the /// [`<target>.xml`](#whats-targetxml). The provided `push_reg` function /// should be called with the register's value. // e.g: for ARM: binutils-gdb/blob/master/gdb/features/arm/arm-core.xml fn read_registers(&mut self, push_reg: impl FnMut(&[u8])); /// Write the target's registers. /// /// The bytes are provided in the order specified in the target's registers /// are provided in the order specified in the /// [`<target>.xml`](#whats-targetxml). /// /// e.g: for ARM: binutils-gdb/blob/master/gdb/features/arm/arm-core.xml fn write_registers(&mut self, regs: &[u8]); /// Read the target's current PC. fn read_pc(&mut self) -> Self::Usize; /// Read bytes from the specified address range. fn read_addrs(&mut self, addr: core::ops::Range<Self::Usize>, val: impl FnMut(u8)); /// Write bytes to the specified address range. fn write_addrs(&mut self, get_addr_val: impl FnMut() -> Option<(Self::Usize, u8)>); /// Return the platform's `features.xml` file. /// /// Implementing this method enables `gdb` to automatically detect the /// target's architecture, saving the hassle of having to run `set /// architecture <arch>` when starting a debugging session. /// /// These descriptions can be quite succinct. For example, the target /// description for an `armv4t` platform can be as simple as: /// /// ``` /// r#"<target version="1.0"><architecture>armv4t</architecture></target>"# /// # ; /// ``` /// /// See the [GDB docs](https://sourceware.org/gdb/current/onlinedocs/gdb/Target-Description-Format.html) /// for details on the target description XML format. fn target_description_xml() -> Option<&'static str> { None } } /// The kind of memory access being performed #[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum AccessKind { /// Read Read, /// Write Write, } /// Describes a memory access. #[derive(Clone, Copy, Debug)] pub struct Access<U> { /// The kind of memory access (Read or Write). pub kind: AccessKind, /// The associated address. pub addr: U, /// The byte that was read / written. pub val: u8, } /// The underlying system's execution state. // TODO: explore if TargetState is really necessary... #[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum TargetState { /// Running Running, /// Halted Halted, /// Running, but system triggered a software breakpoint, e.g. due to a trap instruction. /// This is not necessarily a breakpoint configured by the client/user. SoftwareBreakpoint, } /// A trait for reading / writing bytes across some transport layer. pub trait Connection { /// Transport-specific error type. type Error; /// Read a single byte. fn read(&mut self) -> Result<u8, Self::Error>; /// Write a single byte. fn write(&mut self, byte: u8) -> Result<(), Self::Error>; /// Try to read a single byte, returning None if no data is available. fn read_nonblocking(&mut self) -> Result<Option<u8>, Self::Error>; /// Read the exact number of bytes required to fill buf, blocking if /// necessary. fn read_exact(&mut self, buf: &mut [u8]) -> Result<(), Self::Error> { buf.iter_mut().try_for_each(|b| { *b = self.read()?; Ok(()) }) } }