T - Trace Instruction Execution

Trace instruction execution singly or for a specific number or instructions or to a specific address.

Syntax:

───┬─  T   ──┬──┬────────────────────┬───┬─────────┬──────────
     ├─  TX  ──┤  └─ = ── start-addr ──┘   └─ count ─┘
     ├─  TN  ──┤
     ├─  TT  ──┘
     │
     │
     ├─  TA  ──┬──┬────────────────────┬───── break-addr ───────
     ├─  TC  ──┤  └─ = ── start-addr ──┘
     └─  TS  ──┘

Parameters:

• Default)
  Trace one or more instructions, excluding known bad areas (see X subcommand below.
  A
  Trace all instructions to break-addr.

  This option requires break-addr to be specified.

  C
  Counts all instructions executed until break-addr is reached.

  Note: Counting is suspended when the system switches out of the current context in which the TC command was executed. It is resumed when that context switches back.

  This option requires break-addr to be specified.

  N
  Trace instructions but suppress the register display after each instruction is executed.
  S
  The trace special option is similar to TC except that an intermediate instruction count is displayed before execution of each CALL instruction and after each return.

  This option requires break-addr to be specified.

  Notes

  Counting is suspended when the system switches out of the current context in which the TS command was executed. It is resumed when that context switches back.

  TS does not attempt to match CALL with RET instructions. Instead it inserts a temporary breakpoint at the instruction address following the CALL. In addition TS maintains a 'stack' of return addresses and always checks the most recent two entries, as it single-instruction steps through the traced code, for a matching return address. This technique enables code that uses JMP instructions to return from a call to be better detected. This is not a foolproof technique, especially where mutually recursive code is traced.

  T
  This option causes the Kernel Debugger's trap vector handlers to be removed temporarily from the IDT and the system's re-instated until after then next instruction has executed. After execution of the next instruction the the Kernel Debugger's V commands are re-instated.

  This is a convenience option that saves manually unhooking a Kernel Debugger trap vector handlers from the IDT. using a command sequence similar to:

  VC n
  T
  VS n
  

  X
  This option forces the Kernel Debugger to trace areas of system code that are known to be unsuitable for tracing. Normally, when Trace encounters one of the following routines:

          _Debug_CtrlC32   through _EndCtrlC32
          _DebugLoadSymMTE through EndDebugLoadSymMTE
          _PGSwitchContext through pgSwitchRet
  
  

  a temporary breakpoint is inserted at the routine's return address and the system is allowed to go to that address uninterruptedly. When TX is used the Kernel Debugger will attempt to trace instructions within these routines.

  The consequence of forcing tracing in these routines may be at worst, the system is left in an unrecoverable state, and at best certain Kernel Debugger commands will give erroneous information.

  start-addr
  The address from which execution is to continue. This must be a valid address for the current context. If start-addr is omitted then execution continues from the current CS:EIP, as shown by the R command.

  Warning: Be very careful to ensure that the start address is valid for the privileged level and addressability of the code and data selectors in use. If the Kernel Debugger attempts to load a segment register that is invalid the system may trap in the debugger code.
  

  break-addr
  The address at which tracing will stop and the Kernel Debugger will be re-entered unless one of the following conditions is encountered:
  A fatal exception occurs
  An Internal Processing Error (IPE) occurs.
  A 'sticky' breakpoint fires
  A non-maskable interrupt occurs
  An INT 3 instruction is executed
  The user enters Ctrl-C from the debugging console. The break-addr only remains in effect until the Kernel Debugger is next re-entered.
  count
  The number of instructions to trace before re-entering the Kernel Debugger unless one of the following conditions is encountered:
  A fatal exception occurs
  An Internal Processing Error (IPE) occurs.
  A 'sticky' breakpoint fires
  A non-maskable interrupt occurs
  An INT 3 instruction is executed
  The user enters Ctrl-C from the debugging console.

  If omitted then count defaults to 1 instruction.

  Results & Notes:

  Except for TN, TC and TS the default command is executed when control returns to the debugging console. This defaults to the R command unless respecified through use of the ZS command.

  TN suppresses the register display from the automatic R command, but still displays an unassembled next instruction for each traced instruction. If the ZS command has been used to specify a different default command then TN behaves exactly as T.

  An example of the output from TN is as follows:

  ##TN 50170:fff4521f 803d9e53e0ffff cmp     byte ptr [InterruptLevel (ffe0539e)],ff
  0170:fff45226 75b4           jnz     fff451dc
  0170:fff45228 803d9643e0ff00 cmp     byte ptr [_cTKNoBlock (ffe04396)],00
  0170:fff4522f 75be           jnz     fff451ef
  0170:fff45231 0f01e1         smsw    cx
  ##
  

  Note: The last traced instruction is the next to be executed.

  TC displays the total number of instructions trace in the following message:

  
  Total traced instructions: nnnn (decimal)
  

  where nnnn is the number of traced instructions.

  Following this message the default command is executed. See the Z command for details.

  TS displays a variety of different messages, examples of which are:

  ----------------------------------------------------------------------
     Instruction Count: 101
  d0df:0000f319 9a0000c810     call    10c8:0000
  

  Accumulated number of instructions executed before the CALL instruction.

  ----------------------------------------------------------------------
  Exit: 108
  

  Accumulated number of instructions executed when the return address is encountered.

  Note: This does not include the instruction at the return address.

  ----------------------------------------------------------------------
   ...Special exit follows...
   Exit: 360
  

  Accumulated number of instructions executed when the second most recent return address is encountered. In this case the most recent return addres is discarded from the 'stack'.

  Note: This does not include the instruction at the return address.

  ----------------------------------------------------------------------
  Switching context...
     ...Back in context
  

  Signifies context switching occurring and the suspension and resumption of instruction counting.

  ----------------------------------------------------------------------
  Total traced instructions: nnnn (decimal)
  

  The total number of instructions traced when the break-addr is encountered.

  Notes

  REP and REPNE string instruction prefixes are handled differently to other instructions when single stepping. The Kernel Debugger generates a temporary break-point following the repeated string instructions (MOVS, CMPS, SCAS, LODS and STOS) and returns control to the system until the temporary break-point fires.

  INT 3 instructions encountered when single-stepping are reported but in actual fact stepped over, thereby avoiding a double break-point at the same address.

  Warning:

  If any of the Trace commands is interrupted, the Kernel Debugger may leave a temporary break-point active. This will result in a Trap 1 when the system is next given control. If this occurs then either of the TT or GT commands will clear this condition.

  ---

  [Back: S - Search Memory for Data]
  [Next: U - Unassemble]