Fix: libusb overflow with JLink #1673

Merged: 4 commits, Nov 11, 2023

ALTracer
Contributor

@ALTracer ALTracer commented Nov 5, 2023

Detailed description

  • Trying to use BMDA with JLink adapters may raise a LIBUSB_ERROR_OVERFLOW under specific conditions.
  • This pull request solves this problem by properly anticipating full-length responses in USB read calls.

RM08001 states that the IO TRANSACTION (JTAG3) command should return TDO (or SWDIO) data according to requested nBytes length, like JTAG2, and one more byte for OK status from adapter (or nonzero error). Requesting that in two libusb calls may not work on [my] setup and render BMDA inoperable with this adapter type.

Reading some libusb docs I figured that we should optimistically request a read for length of entire possible packet, then check whether we got handed that 1 byte less (apparently some firmwares give it in a separate bulk packet), and only then do a second read for it. The 1028-byte stack buffer of hosted (4+2*512 for header, tms & tdi) allows for receiving (512+1), but a dedicated smaller buffer could also suffice.

I consider this an intermittent bug because I cannot reproduce it after rebooting the machine. Detected against a STLinkReflashed adapter after a week of uptime on an Intel Pentium N6000 host, that is with Jasper Lake PCH USB3 HCI.
Once you let J-Link Commander software interact with their adapter firmware, it changes the responses' framing. I suppose anything else using libjlinkarm.so also will, like RTTViewer and GDBServer. I reproduced the bug on two different machines running Linux, and on three different adapters (V8 from 2015 and Reflash from 2017). V5 from 2008 are not affected and always split the status byte. I could NOT reproduce the bug on Windows 10, and it required swapping drivers between proprietary and WinUSB a lot. Still, I believe fixing BMDA for developers toggling between JLink gdbserver and BMDA on Linux machines (this is possible in Eclipse CDT and derived IDEs) is useful, and might even reduce the number of libusb calls. I tried V7.88k, V6.98, V6.34, V5.12h.

Below that change I also tacked two other commits. One avoids discarding the copyright string returned by adapter in firmware version behind a nul byte (which is treated like a terminator by printf), another queries any extended capabilities of adapters, when supported. These are not strictly required to fix the problem I faced.

Your checklist for this pull request

  • I've read the Code of Conduct
  • I've read the guidelines for contributing to this repository
  • It builds for hardware native (make PROBE_HOST=native) -- not applicable
  • It builds as BMDA (make PROBE_HOST=hosted)
  • I've tested it to the best of my ability
  • My commit messages provide a useful short description of what the commits do

Closing issues

None reported yet.
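
The read strategy described in this comment, as an added example that is not the PR's code: a hypothetical mock endpoint (`mock_ep_s`, `mock_read`) stands in for libusb so that both response framings can be run offline, with `read_split` as the two-call pattern and `read_full` as the full-length request. All function names and the sample response are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ERR_OVERFLOW (-8) /* numeric value of LIBUSB_ERROR_OVERFLOW in the logs */
#define ERR_SHORT (-1)    /* constructed code: response does not fit the framing */

/* Hypothetical stand-in for the bulk IN endpoint: up to two queued packets. */
typedef struct { const uint8_t *pkt[2]; size_t len[2]; size_t next; } mock_ep_s;

/* One bulk read: a packet longer than the request is reported as an overflow. */
static int mock_read(mock_ep_s *ep, uint8_t *buf, size_t want)
{
	if (ep->next >= 2 || ep->len[ep->next] == 0) return 0; /* nothing queued */
	const size_t have = ep->len[ep->next];
	if (have > want) return ERR_OVERFLOW;
	memcpy(buf, ep->pkt[ep->next++], have);
	return (int)have;
}

/* Two-call pattern: ask for exactly n data bytes, then for 1 status byte. */
int read_split(mock_ep_s *ep, uint8_t *data, size_t n)
{
	uint8_t status = 0;
	const int got = mock_read(ep, data, n);
	if (got < 0) return got;
	if ((size_t)got != n || mock_read(ep, &status, 1) != 1) return ERR_SHORT;
	return status;
}

/* Full-length pattern: ask for n + 1, read again only if the status is missing. */
int read_full(mock_ep_s *ep, uint8_t *data, size_t n)
{
	uint8_t buf[512 + 1];
	if (n > 512) return ERR_SHORT;
	int got = mock_read(ep, buf, n + 1);
	if (got < 0) return got;
	if ((size_t)got == n && mock_read(ep, buf + n, 1) == 1) got++; /* status was its own packet */
	if ((size_t)got != n + 1) return ERR_SHORT;
	memcpy(data, buf, n);
	return buf[n]; /* 0 = OK, nonzero = adapter error */
}

/* Run one reader against a constructed 4-byte response in either framing. */
int demo(int status_in_own_packet, int use_full)
{
	static const uint8_t resp[] = {0xde, 0xad, 0xbe, 0xef, 0x00}; /* data + OK status */
	uint8_t data[4];
	mock_ep_s ep = {{resp, resp + 4}, {status_in_own_packet ? 4 : 5, status_in_own_packet ? 1 : 0}, 0};
	return use_full ? read_full(&ep, data, 4) : read_split(&ep, data, 4);
}
```

`demo(0, 0)` returns the overflow code because the status byte arrives in the same packet as the data, while `read_full` returns status 0 for both framings.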

@ALTracer
Contributor Author

ALTracer commented Nov 5, 2023

Log from latest main:

$ ./src/blackmagic -tv 1 -f 2000k
Black Magic Debug App v1.10.0-181-ga9697dd9
 for Black Magic Probe, ST-Link v2 and v3, CMSIS-DAP, J-Link and FTDI (MPSSE)
Using 1366:0105 000772256119 SEGGER
 J-Link ---
Capabilities: 0x98ea5a33
Firmware version: J-Link STLink V21 compiled Aug 12 2019 10:29:20
Hardware version: J-Link v1.0.0
Available interfaces: 
        1: SWD* 
Running in Test Mode
Target voltage:  3.300V Volt
SWD interface frequency:
        Base frequency: 72000000Hz
        Minimum divisor: 18
Speed set to 2.000MHz for SWD
Switching out of dormant state into SWD
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed

Log with this patchset:

./src/blackmagic -tv 1 -f 2000k
Black Magic Debug App v1.10.0-184-gee8cb420
 for Black Magic Probe, ST-Link v2 and v3, CMSIS-DAP, J-Link and FTDI (MPSSE)
Using 1366:0105 000772256119 SEGGER
 J-Link ---
Capabilities: 0x98ea5a33
Extended capabilities: 0x98ea5a33 0x52b17c0c 0x00000021 0x00000000
Firmware version: J-Link STLink V21 compiled Aug 12 2019 10:29:20
Copyright 2016-2019 SEGGER: www.segger.com
Hardware version: J-Link v1.0.0
Available interfaces: 
        1: SWD* 
Running in Test Mode
Target voltage:  3.300V Volt
SWD interface frequency:
        Base frequency: 72000000Hz
        Minimum divisor: 18
Speed set to 2.000MHz for SWD
Switching out of dormant state into SWD
DP DPIDR 0x0bc11477 (v1 MINDP rev0) designer 0x43b partno 0xbc
AP   0: IDR=04770031 CFG=00000000 BASE=f0000003 CSW=83000040 (AHB3-AP var3 rev0)
Halt via DHCSR(01030003): success after 4ms
ROM: Table BASE=0xf0000000 SYSMEM=0x00000001, Manufacturer 020 Partno 460
ROM: Table BASE=0xe00ff000 SYSMEM=0x00000001, Manufacturer 43b Partno 4c0
 0 0xe000e000: Generic IP component - Cortex-M0 SCS (System Control Space) (PIDR = 0x00000004000bb008 DEVTYPE = 0x00 ARCHID = 0x0000)
 -> cortexm_probe
CPUID 0x410cc601 (M0+ var 0 rev 1)
ID Code: 00000000
 1 0xe0001000: Generic IP component - Cortex-M0 DWT (Data Watchpoint and Trace) (PIDR = 0x00000004000bb00a DEVTYPE = 0x00 ARCHID = 0x0000)
 2 0xe0002000: Generic IP component - Cortex-M0 BPU (Breakpoint Unit) (PIDR = 0x00000004000bb00b DEVTYPE = 0x00 ARCHID = 0x0000)
 ROM: Table END
1 Entry 0x200002 -> Not present
2 Entry 0x10000002 -> Not present
3 Entry 0x10000002 -> Not present
ROM: Table END
***  1   STM32G07/8 M0+
RAM   Start: 0x20000000 length = 0x9000
Flash Start: 0x08000000 length = 0x20000 blocksize 0x800
Flash Start: 0x1fff7000 length = 0x400 blocksize 0x8

This is Nucleo-G071RB. Hosted RTT performs at only 6700 chars/s.

@ALTracer
Contributor Author

ALTracer commented Nov 5, 2023

Verbose log from latest main. Each timeout error takes 5 seconds. Could also crank LIBUSB_DEBUG to 4.

$ ./src/blackmagic -tv 61
Black Magic Debug App v1.10.0-181-ga9697dd9
 for Black Magic Probe, ST-Link v2 and v3, CMSIS-DAP, J-Link and FTDI (MPSSE)
Using 1366:0105 000772256119 SEGGER
 J-Link ---
 request: e8
response: 33 5a ea 98
Capabilities: 0x98ea5a33
 request: 01
response: 70 00
response: 4a 2d 4c 69 6e 6b 20 53 54 4c 69 6e 6b 20 56 32 31 20 63 6f 6d 70 69 6c 65 64 20 41 75 67 20 31 ...
Firmware version: J-Link STLink V21 compiled Aug 12 2019 10:29:20
 request: f0
response: 10 27 00 00
Hardware version: J-Link v1.0.0
 request: c7 ff
response: 02 00 00 00
 request: c7 fe
response: 01 00 00 00
Available interfaces:
        1: SWD*
 request: dd
Running in Test Mode
 request: 07
response: e4 0c 00 80 40 00 01 ff
Target voltage:  3.300V Volt
 request: c7 fe
response: 01 00 00 00
 request: c7 fe
response: 01 00 00 00
 request: c0
response: 00 a2 4a 04 12 00
SWD interface frequency:
        Base frequency: 72000000Hz
        Minimum divisor: 18
 request: 05 a0 0f
Speed set to 4.000MHz for SWD
-> jlink_swd_init(0)
 request: c7 fe
response: 01 00 00 00
Switching out of dormant state into SWD
jlink_swd_seq_out 32 clock_cycles: ffffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff ff
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 28 clock_cycles: 0fffffff
 request: cf 00 1c 00 ff ff ff ff ff ff ff 0f
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: 6209f392
 request: cf 00 20 00 ff ff ff ff 92 f3 09 62
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: 86852d95
 request: cf 00 20 00 ff ff ff ff 95 2d 85 86
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: e3ddafe9
 request: cf 00 20 00 ff ff ff ff e9 af dd e3
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: 19bc0ea2
 request: cf 00 20 00 ff ff ff ff a2 0e bc 19
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 12 clock_cycles: 000001a0
 request: cf 00 0c 00 ff ff a0 01
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: ffffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff ff
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: 0fffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff 0f
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_adiv5_raw_access: Attempting access to addr 0000
 request: cf 00 0b 00 ff f0 a5 00
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
Deprecated JTAG to SWD sequence
jlink_swd_seq_out 32 clock_cycles: ffffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff ff
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_swd_seq_out 28 clock_cycles: 0fffffff
 request: cf 00 1c 00 ff ff ff ff ff ff ff 0f
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 16 clock_cycles: 0000e79e
 request: cf 00 10 00 ff ff 9e e7
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: ffffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff ff
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
jlink_swd_seq_out failed
jlink_swd_seq_out 32 clock_cycles: 0fffffff
 request: cf 00 20 00 ff ff ff ff ff ff ff 0f
bmda_usb_transfer: Receiving response from adaptor failed (-7): LIBUSB_ERROR_TIMEOUT
jlink_swd_seq_out failed
jlink_adiv5_raw_access: Attempting access to addr 0000
 request: cf 00 0b 00 ff f0 a5 00
bmda_usb_transfer: Receiving response from adaptor failed (-8): LIBUSB_ERROR_OVERFLOW
No usable DP found
No target found
[255] $

@dragonmux dragonmux added this to the v2.0 release milestone Nov 5, 2023
@dragonmux dragonmux added the labels Bug (Confirmed bug), HwIssue Mitigation (Solving or mitigating a Hardware issue in Software) and BMD App (Black Magic Debug App (aka. PC hosted) (not firmware)) Nov 5, 2023
Contributor

@perigoso perigoso left a comment

Looks good, good catch 😃! I have just a couple notes

@ALTracer ALTracer force-pushed the jlink-overflow branch 2 times, most recently from bbc6e72 to 4ee6908 Compare November 6, 2023 20:53
@ALTracer
Contributor Author

ALTracer commented Nov 6, 2023

Thank you very much @perigoso for coming up and reviewing this. Applied the review items and rebased on main.
By the way, can you test any of this for regressions on your adapters? I wouldn't mean to break any existing setups, rather the opposite.

Member

@dragonmux dragonmux left a comment

There are two small items from us, see the review below, and then we're happy to merge this.

Tested against our LPC Link-2 running the J-Link "OB" firmware, and it works great.

❯ src/blackmagic -s 000611000000 -tjv 5
Black Magic Debug App v1.10.0-186-gfe848f23
 for Black Magic Probe, ST-Link v2 and v3, CMSIS-DAP, J-Link and FTDI (MPSSE)
Using 1366:0101 000611000000 SEGGER
 J-Link ---
Extended capabilities: 0xb9ff7bbf 0x00003c0d 0x00000000 0x00000000
Firmware version: J-Link LPC-Link 2 compiled May 31 2013 17:31:46
Copyright 2003-2013 SEGGER: www.segger.com
Hardware version: LPC-Link2 v1.0.0
Available interfaces:
        0: JTAG*
        1: SWD
Running in Test Mode
Target voltage:  3.300V Volt
JTAG interface frequency:
        Base frequency: 48000000Hz
        Minimum divisor: 8
Speed set to 4.000MHz for JTAG

* Try to print extended capabilities. If the adapter doesn't advertise
  support for them, then just print standard capabilities, like it was before.

…l byte

* According to Wireshark usbmon dumps, the firmware returns 112 bytes of version,
  including some copyright information after an effectively 0-terminator.
* Use strchr() instead of index() for Windows reasons.
* Make sure the version buffer contains at least one NULL
* And avoid replacing the only NULL with LF, losing null-termination in the process

* Asking for 1 byte less raises a libusb OVERFLOW error
  when using JLink V8 and newer with BMDA on Linux hosts
  after the proprietary software stack touches the adapter (but not before).
* libusb docs recommend receiving into a bigger buffer (1028=512*2+4)
  and checking whether all of expected data got indeed received.
* For firmwares which send that transaction-error byte in a separate packet,
  keep the second read call (V5 ones do this regardless).
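
The termination handling described in the copyright-string commit note above, as an added example that is not the merged code: `join_version`, `demo_joined_length` and the sample strings are constructed for illustration, and only the 112-byte length is taken from the note.

```c
#include <stddef.h>
#include <string.h>

#define VERSION_LEN 112U /* length of the version response quoted in the commit note */

/* Join "firmware string NUL copyright string" into one printable C string, in place.
 * Returns 1 if a NUL was replaced with '\n', 0 if the buffer was left as a single string. */
int join_version(char *buf, size_t len)
{
	if (len == 0) return 0;
	buf[len - 1] = '\0'; /* guarantee a terminator whatever the adapter sent */
	char *const nul = strchr(buf, '\0'); /* first terminator, always inside buf now */
	const size_t pos = (size_t)(nul - buf);
	/* Nothing after the first NUL: it is the only terminator, so keep it. */
	if (pos + 1 >= len || buf[pos + 1] == '\0') return 0;
	*nul = '\n'; /* safe: buf[len - 1] still terminates the joined string */
	return 1;
}

/* Constructed sample responses (not captured from a real adapter). */
size_t demo_joined_length(int with_copyright, int unterminated)
{
	char buf[VERSION_LEN];
	memset(buf, unterminated ? 'A' : 0, sizeof(buf));
	if (!unterminated) {
		memcpy(buf, "J-Link sample", 13);
		if (with_copyright) memcpy(buf + 14, "Copyright sample", 16);
	}
	join_version(buf, sizeof(buf));
	return strlen(buf);
}
```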
Member

@dragonmux dragonmux left a comment

It all LGTM now. We'll get this merged - thanks for the contribution!

Think we should also backport this to v1.10.

@dragonmux dragonmux merged commit 4315ede into blackmagic-debug:main Nov 11, 2023
6 checks passed
@ALTracer ALTracer deleted the jlink-overflow branch November 22, 2023 21:50