Handling of partial instruction trickery

[ibrumby]

There are several common 6502 tricks used to skip one or two bytes when executing.

An example is the $C300 firmware:

C305: SEC
C306: BCC (partial instruction)
C307: CLC
C308: (more code)

If you enter at $C305 then it sets the carry, skips the next two bytes, and runs the common code. If you enter at $C307 then it clears the carry, and runs the common code.

This pattern is replicated for BCS, BVC, BVS, for example.

Another example is using BIT. Here is an example from Ultima V:

8D9E: LDA #0
8DA0: BIT-$2C (partial instruction)
8DA1: LDA #3
8DA3: (more code)

If you enter at $8D9E it sets A to zero, skips the next three bytes, and runs the common code. If you enter at $8DA1 it sets A to 3 and runs the common code.

Ok, back to the $C300 firmware.

1. If I tag $C307 as a "Code Start Point" and then tag $C304 as a "Code Start Point" then I get the correct disassembly but with a label generated that I don't want (it can never branch to that address).
2. If I tag $C304 as a "Code Start Point", I get the wrong disassembly. I'm not really sure how best to fix the disassembly. I can Undo, which is fantastic, but I'm looking more for a command to mark a section of memory as unknown, i.e. neither code or data, equivalent to the starting state before I started disassembling. I would have expected the "Remove Formatting" command to work, but it doesn't - not sure if this is by design or not.

[fadden]

First, you can remove tags by selecting a block and using Ctrl+H Ctrl+R, or use Actions > Remove Analyzer Tags. (Remove Formatting strips away operand formats and clears any embedded labels, but does not affect tags.) FWIW, tags are noted with a 'T' in the Attr column, and are listed in the Info panel in the bottom left, in case you're unsure whether something is tagged.

For the Apple IIc disassembly, I decided to mimic the original source code. All I did was put an "inline data" tag on the BCC (plus a code start at the $c305 entry point) . The result looks like this:

Offset  Addr  Bytes        Flags    Attr  Label           Opcd  Operand         Comment
+000305 c305: 38           ??--di?? @T... C3KEYIN         sec                   ;Pascal 1.1 ID byte
+000306 c306: 90                    .T...                 .dd1  $90             ;BCC OPCODE (NEVER TAKEN)
+000307 c307: 18           ??--di?C ..... C3COUT1         clc                   ;Pascal 1.1 ID byte
+000308 c308: 80 1a        ??--di?c ...#.                 bra   BASICENT        ;=>go print/read char

This is fine, though this approach is slightly flawed because it doesn't actually exercise all code paths: the code analyzer doesn't think you can get to $c308 with the carry set, which is noted in the Flags column (lower case 'c'). For this code it doesn't matter, but there was a place elsewhere where it did (see below).

BTW, an easy way to actually perform this step is to tag $c305 as a code end point (Ctrl+H Ctrl+D) so the subsequent bytes are not formatted as instructions, then Ctrl+H Ctrl+I on $c306, and finally change $c305 back to code entry with Ctrl+H Ctrl+C.

The other approach is to flag both $c305 and $c307 as entry points. The code analysis flows naturally, and correctly notes that the BCC is never taken ('!' in the Attr column)... but it creates the auto-label anyway.

Offset  Addr  Bytes        Flags    Attr  Label           Opcd  Operand         Comment
+000305 c305: 38           ??--di?? @T... C3KEYIN         sec                   ;Pascal 1.1 ID byte
+000306 c306: 90           ??--di?C ..!..                 bcc ▼ LC320           ;BCC OPCODE (NEVER TAKEN)
+000307 c307: 18           ??--di?? @T... C3COUT1         clc                   ;Pascal 1.1 ID byte
+000308 c308: 80 1a        ??--di?? ...#.                 bra   BASICENT        ;=>go print/read char

There are a couple of possibilities for dealing with the bogus auto-label. One is to stop creating auto-labels for branches that are never taken, though this might be confusing unless there's an additional visual indication of why the branch is being ignored (I'm probably the only person who actually looks at the Attr field). I might be able to do it in a different color or with strikethrough type. I'm not sure how much code this would affect, i.e. how often do projects have a "dead" branch that nobody notices. (Example I've run into: LDA #$00 / BNE can never be taken... unless the LDA operand is changed by self-modifying code. This requires a flag override.)

Another idea, which came up while sorting out the 32KB IIc ROM, is to have a "do not follow" checkbox in the operand editor dialog. This could be used for this and for the weird cross-bank stuff that spawned the idea initially. I like this a little less because it requires manual intervention, but it has the advantage of not doing unexpected things.

I'm kind of leaning toward the "stop creating auto-labels for dead ends", or at least "stop creating auto-labels for dead ends that have mid-instruction branch targets". The latter would allow not-actually-dead branches to continue to work as expected, while handling the specific case that most often leads to irritation. The behavior could be a project property, though it feels pretty obscure and I don't see many people discovering it as a way to solve a specific problem.

---

BTW, here's the code in the 16KB IIc disasm that required a flag override:

Offset  Addr  Bytes        Flags    Attr  Label           Opcd  Operand         Comment
+000a79 ca79: a9 1f        ??--di?? .T... cmdd            lda   #$1f            ;Mask off high three bits
+000a7b ca7b: 38           n?--diz? .....                 sec                   ;C=1 means high 3 bits
+000a7c ca7c: 90                    .T...                 .dd1  $90             ;BCC opcode to skip next byte
+000a7d ca7d: a9 f0        n?--dizC ..... cmdb            lda   #$f0            ;mask off lower 4 bits F0 = BNE [BEQ]
+000a7f ca7f: 18           N?--dizC .....                 clc                   ;F0 will skip this if cmdp or cmdd
+000a80 ca80: 39 fb bf     N?--dizc .....                 and   scntl,y         ;Mask off bits being changed
+000a83 ca83: 8d f8 06     ??--di?c .....                 sta   temp            ;Save it
+000a86 ca86: fa           ??--di?c .....                 plx
+000a87 ca87: ad 7f 04     ??--di?c .....                 lda   number          ;Get inputed number
+000a8a ca8a: 29 0f        ??--di?c .....                 and   #$0f            ;Only lower nibble valid
+000a8c ca8c: 90 05        n?--di?c ...#.                 bcc   noshift         ;If C=1 shift to upper 3 bits

+000a8e ca8e: 0a                    .....                 .dd1  $0a

The carry was apparently clear in all paths to $ca8c. In practice, $ca7b sets it, $ca7c skips the LDA, and the #$f0 is both the correct mask and a BEQ instruction that is never taken. Somebody was pretty happy when they came up with this one. (So happy they wrote "BNE" instead of "BEQ" in the comment in the sources.)

With the entry points tagged, the code analyzer correctly traces it. But with $ca7c tagged as inline data, the carry-is-set path isn't found, and so it's necessary to override the flags at $ca8c, by double-clicking on the Flags field and changing 'C' to "indeterminate". (You could also tag $ca8e as a code entry point, but that's not quite right.)

[ibrumby]

Thanks for the detailed reply. You've given me multiple solutions to my problem.
I can see the Attr field being very useful, but it has a learning curve. Maybe a tooltip if you hover over one of the letters would help speed that up. The help is comprehensive, but nothing beats instant hints.

[fadden]

I think floating tooltips tend to get in the way in a "work area" like this. If your mouse pointer ends up in the wrong place, you get annoying clutter. Some more detail or verbosity could be added to the Info panel though.

I'm leaning back toward adding an explicit "do not follow" or "disregard operand" checkbox in the Edit Operand dialog, rather than automatically ignoring "dead" labels, for a few reasons.

1. It needs to work for situations other than a never-taken branch, e.g. using BIT absolute to hide 2+ bytes.
2. I still want the feature for wacky multi-bank ROMs. (The address isolation stuff that fixed the 32KB //c ROM issues didn't quite solve everything for NES Metroid.)
3. While it's very likely that the address formed from a concealed instruction is bogus, it's not guaranteed. If we automatically do something, there needs to be a way to manually override it.

One approach that might provide the best of both worlds is to make the checkbox a tri-state value (disregard, don't disregard, default), and condition the default to "disregard" if one or more bytes of the operand are doing double duty as an opcode. The downside is that it makes the GUI a bit more cluttered than a simple checkbox. (Could be a one-line "Disregard operand? ()yes ()no ()default... not too bad. Probably a good place for a helpful tooltip though.)

---

Another example of how this stuff gets weird weird: consider JSR $EA60, which is 20 60 EA. It's possible for space-conscious code to branch to the middle byte $60 to get a "free" RTS. There's a routine in the code analyzer dedicated to detecting this specific situation, because the JMP can be reached, and the RTS can be reached, but the third byte (NOP) can't be, so the source code generator gets perturbed when the start of the next instruction is unreachable.

[fadden]

I added a simple "disregard operand address" checkbox to the Edit Instruction Operand dialog. If checked, the analyzer will not attempt to link the address to a file offset or external symbol. This seems to get the job done. In the initial examples, the box would be checked on the BCC and BIT instructions. This should also resolve issues with weird inter-bank stuff in multi-bank ROMs.

I decided to give the minor version a bump, so this makes its first appearance in v1.10.0-alpha1.