tralamazza/arm_debug.md

## arm_debug.md

      
    Raw
  

              arm_debug.md
            
          
    (gdb) info r
r0             0x20006d90	536898960
r1             0x6f015	454677
r2             0x0	0
r3             0x0	0
r4             0x20005390	536892304
r5             0x200070a0	536899744
r6             0x20001778	536876920
r7             0x20005390	536892304
r8             0xa5a5a5a5	2779096485
r9             0x20005798	536893336
r10            0xa5a5a5a5	2779096485
r11            0xa5a5a5a5	2779096485
r12            0x20008c94	536906900
sp             0x2002ff98	0x2002ff98
lr             0xffffffed	4294967277
pc             0x18528	0x18528 <WDOG_EWM_IRQHandler>
xpsr           0x1000003	16777219
MSP            0x2002ff98	537067416
PSP            0x20006cd8	536898776
PRIMASK        0x0	0
BASEPRI        0x0	0
FAULTMASK      0x0	0
CONTROL        0x0	0

lr             0xffffffed indicates return to PSP (magic number)
(gdb) x/64x 0x20006cd8
0x20006cd8:	0x20006d90	0x0006f015	0x00000000	0x00000000
0x20006ce8:	0x20008c94	0x0002c595	0x0002bbbe	0x01000000
0x20006cf8:	0x20005798	0xa5a5a5a5	0xa5a5a5a5	0x0004429d
0x20006d08:	0x00000013	0x0005c049	0x00000013	0x0002c57b
0x20006d18:	0x00000000	0x0006f004	0x20006d90	0x20006d8c
0x20006d28:	0x20005390	0x0005c897	0x20005390	0x200070a0
0x20006d38:	0x20001778	0x0002bbbd	0xa5a5a5a5	0xa5a5a5a5
0x20006d48:	0x20008c74	0x1fff6fbc	0x20008c01	0x00000014
0x20006d58:	0x00000000	0x200003f8	0x00000000	0x000236f9
0x20006d68:	0x00000001	0x20008bd8	0x00000019	0x0006d79f
0x20006d78:	0x20008bd0	0x00060cd7	0x00000001	0x00042683
0x20006d88:	0x000725b0	0x20008b50	0x20008c94	0x0000000f
0x20006d98:	0x0000000f	0x0000000f	0x200070c8	0x20008b50
0x20006da8:	0x0000000f	0x20006e0c	0x200070d8	0x0003c3ed
0x20006db8:	0x0000000f	0x0000000f	0x00000000	0x20005798
0x20006dc8:	0x1fff6fbc	0x200070c8	0x20007070	0x000287a3

Note the 0xa5a5a5a5 stack filler (RTOS).
Exception entry behavior ARM Section B1.5.6
0x20006cd8:	0x20006d90	0x0006f015	0x00000000	0x00000000
0x20006ce8:	0x20008c94	0x0002c595	0x0002bbbe	0x01000000


xPSR 0x01000000
ReturnAddress() 0x0002bbbe
LR (R14) 0x0002c595
R12 0x20008c94
R3 0x00000000
R2 0x00000000
R1 0x0006f015
R0 0x20006d90

return address symbol:
(gdb) info symbol 0x0002bbbe

std::_Function_handler<void (std::string), Transmitter::Transmitter(Connection&, std::string, Transmitter::Callbacks)::{lambda(std::experimental::optional<std::string>)#1}>::_M_invoke(std::_Any_data const&, std::string) + 42 in section .

check the instruction
(gdb) x/i 0x0002bbbe

0x2bbbe <std::_Function_handler<void (std::string), Transmitter::Transmitter(Connection&, std::string, Transmitter::Callbacks)::{lambda(std::experimental::optional<std::string>)#1}>::_M_invoke(std::_Any_data const&, std::string)+42>:	ldr.w	r3, [r2, #-12]

We can see that ldr.w	r3, [r2, #-12] is a clear NULL deref (R2 is 0x00000000).