Debug RCE applications with xmd

XMD (Xilinx Microprocessor Debugger) is a low-level (assembly language) debugger that is provided by Xilinx as part of a product called EDK (Embedded Development Kit). It communicates with the FPGA powerPC over a JTAG interface. The secret of a large portion of this magic is that it is able to inject instructions into the processor over JTAG (interestingly, these instructions can be recorded to text files and disassembled with some work).

The main features of XMD that we have been using are:

  • read/write memory (both off-chip and integrated on-chip FPGA Block RAM)
  • read/write powerPC cache/tags
  • read/write powerPC registers
  • read/write registers on the FPGA DCR bus
  • download/control powerPC elf executables, including setting breakpoints/watchpoints.

An example XMD session:

[cpo@rdcds204]$ xmd
(some output deleted)
XMD% rst -processor
Target reset successfully

XMD% dow pgpforward
System Reset .... DONE
Downloading Program -- pgpforward
        section, .vectors: 0x00000100-0x00002003
        section, .text: 0x00002020-0x00079c73
        section, .data: 0x00079c78-0x0007cc13
        section, .gcc_except_table: 0x0007cc14-0x0007dd8f
        section, .got: 0x0007dd90-0x0007e7c3
        section, .jcr: 0x0007e7c4-0x0007e7c7
        section, .bss: 0x0007e7d0-0x000986eb
Setting PC with Program Start Address 0x00002020

XMD% con
Info:Processor started. Type "stop" to stop processor

RUNNING> XMD%

When connecting to the powerPC, XMD must be told which memory ranges to map onto memory/DCR/cache. We have been doing this with an "xmd.ini" file which is executed by XMD on startup:

connect ppc hw -debugdevice isocmstartadr 0xFFFFF000 isocmsize 4096 isocmdcrstartadr 0x0000000 icachestartadr 0x10000000 itagstartadr 0x20000000 dcachestartadr 0x30000000 dtagstartadr 0x40000000 dcrstartadr 0x50000000

One can also use gdb to connect to XMD over the network, as a full source-code debugger. An example session:

[cpo@rdcds204]$ powerpc-rtems-gdb -nw pgpforward
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-redhat-linux-gnu --target=powerpc-rtems4.7"...
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
download_entry ()
    at ../../../../../../../../RTEMS/c/src/lib/libbsp/powerpc/rce405/dlentry/dlentry.S:14
14      ../../../../../../../../RTEMS/c/src/lib/libbsp/powerpc/rce405/dlentry/dlentry.S: No such file or directory.
        in ../../../../../../../../RTEMS/c/src/lib/libbsp/powerpc/rce405/dlentry/dlentry.S
warning: no shared library support for this OS / ABI
Current language:  auto; currently asm
(gdb) break init_executive
Breakpoint 1 at 0x24f0
(gdb) c
Continuing.
Can't send signals to this remote system.  SIGUSR2 not sent.

Breakpoint 1, 0x000024f0 in init_executive ()

Debug RCE applications with the Multi-Function-Display

Each RCE has 2 8-character LED multi-function-display (MFD) chips on the front-panel (4 MFDs per board, since there are 2 RCEs per board). The first of these two is controlled by powerPC software in the FX60: it displays the value stored in a DCR register. The second is controlled by firmware in the 4 FX20 FPGAs (2 characters per FX20).

Debug RCE applications with the console

The default console application is usually stored as image 0 in the configuration flash and can be loaded by setting the front panel boot selector to 0 and by resetting the RC element. The console application provides three servers, each one with different functionality and each one accessed through a different UNIX application:

console

From a machine connected on the base interface subnet of the RCE with IP address/name <hostname> type:

console_host -h <hostname>

The application above will show a command line prompt if the connection to <hostname> is successful. Currently the following commands may be issued through this command line:

reboot: Reboot the processor
remove <filenum>: Remove the file specified by <filenum>
bootcfg <index> <image> <flags>: Sets boot vector <index> to load image <image>
                                 and switch configuration <flags>
bootdir: Dumps flash boot directory contents
filedir: Dumps flash file directory contents
echo <message>: Enter a time-stamped message in the system log
log: Dumps system log
clear: Clears system log

debug

From a machine connected on the base interface subnet of the RCE with IP address/name <hostname> type:

debug_host -h <hostname> -f <exename>

Where <exename> is the file name, in the local UNIX file system, of the application which is currently running in the RCE and that is being debugged. The application above will show a command line prompt if the connection to <hostname> is successful. Currently the following commands may be issued through this command line:

gettime: Print the current time in the RCE
settime: Set the current time in the RCE to be the same as in the UNIX host
getexceptions: Print the exceptions (if any) recorded by the RCE since the last reset/power-on
clearexceptions: Clear all the recorded exceptions
log: Print all messages recorded by the RCE since the last reset/power-on
clearlog: Clear all the recorded messages
context: Shows a stack dump of the different threads running in the RCE
stats: Shows a dump of local and RCE network statistics
resetstats: Reset local and RCE network statistics
burst <npackets> <nbytes>: Sends <npackets> UDP ethernet packets from the UNIX host to the RCE
burstrequest <npackets> <nbytes>: Sends <npackets> raw ethernet packets from the RCE to the UNIX host
echorequest <npackets> <nbytes>: Sends <npackets> UDP packets from the UNIX host to the RCE,
                                 the RCE echoes back each packet it receives

Note that the <nbytes> arguments in the commands above indicates the maximum number of bytes contained in the packet payload. The actual number of payload bytes is a flat distribution random number between 0 and <nbytes>.

upload

From a machine connected on the base interface subnet of the RCE with IP address/name <hostname> type:

upload_elf_host -h <hostname> -i <imgnum> -f <filename>

Where <filename> is the file name, in the local UNIX file system, of the ELF file which is to be stored at image number <imgnum> in the RCE configuration flash memory. Note the image number must be between 1 and 15. Image 0 is a protected "safe" image that can only be programmed via the JTAG cable. You can then use the bootcfg command described in the console command line above to make the newly flashed image boot-able from the RCE.

  • No labels