Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error when tracing and emulating the instruction [90 fd] = > CALL (Y) #9

Open
konvikkor opened this issue Jun 3, 2024 · 6 comments

Comments

@konvikkor
Copy link

Error when tracing and emulating the instruction [90 fd] = > CALL (Y)
debugging at the chip level and in the Ghidra program showed that the instruction in the STM8S controller works differently than in the documentation.
How it works
CALL (Y) is equivalent to CALL Y without a request to address a jump by the value of register Y and the same with register X

@GaryOderNichts
Copy link

GaryOderNichts commented Jun 18, 2024

Something seems to be wrong with the emitted PCode for CALL (X)/CALL (Y) and JP (X)/ JP (Y).
All of those instructions always attempt to branch to address 0xeb80 resulting in issues with the decompile view:
image
image
image
image

@esaulenka
Copy link
Owner

Looks like 'my' binary had only CALL <fixed address> instructions, but all others seems to be broken.
Could you share some binary samples for debugging?

@konvikkor
Copy link
Author

image
All compilers know this problem and make such stubs using a register, but even here 3 bytes are written to the stack instead of 2

And also the transition must be not by the pointer but by the value of the register, the value of the register is the address of the beginning of the function

@GaryOderNichts
Copy link

Here's an example compiled with sdcc -mstm8 main.c --out-fmt-elf which emits both a CALL (X) and JP (X) instruction:

int test_function(void) {
    return 123;
}

int main(void) {
    volatile int(*function)(void) = test_function;
    function();
    return function();
}

main.elf.zip

What @konvikkor mentioned seems to be correct:
image
The function address gets loaded into X and CALL (X) then jumps directly to that function address.

@esaulenka
Copy link
Owner

Could you check that this fix haven't break anything?
https://github.com/esaulenka/ghidra_STM8/tree/fix_CALL_Y

And, maybe, you also have another CALL/JP cases with variable destination like JP [addr] or CALL offset, X ? All these thing seems also was broken.

@GaryOderNichts
Copy link

I'm getting the following error when using that branch with the test binary I uploaded:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants