What is in the October release 1.3 of Morello IE?

Arm released Morello instruction emulator 1.3 on 14 October 2021. What are the main changes and improvements included in this release?

  • The October release of Morello instruction emulator (version 1.3) marks the first anniversary of the original release of the tool in October 2020. This release focuses on improving support for running and debugging multi-threaded Morello applications and for experimenting with Morello compartments.

    New functionality

    We've improved the debugger by adding a more convenient way to specify memory addresses and PC values. We have also updated the cache model, adding support for a level 3 cache and counting system calls in the event counter. Other improvements include:

    • Added a compulsory misses metric to the cache model.
    • View a memory range as a sequence of capabilities in the debugger.
    • Support using register names and signed offsets for memory addresses in the debugger.
    • Support using function names and unsigned offsets for PC addresses in the debugger.
    • Allow modification of CCTLR control bits from the command line.
    • Support all DynamoRIO runtime options when using the morelloie launcher via the -Dr, prefix.
    • Allow failing early when switching from C64 mode to A64.

    Bug fixes

    This release fixes some important bugs in the implementation of memory tags and PCC permission checking. This is crucial for working with multi-threaded Morello applications.

    Fixed in this release:

    • Emulated memory tags are not translated during memory re-map.
    • Every thread of execution has an independent set of emulated memory tags.
    • System permission in PCC is not checked when accessing system registers.
    • Capability tags in memory are not always cleared during non-Morello writes.
    • Non-Morello write tag invalidation is not reflected in the memory trace.
    • A child process on a system with many environment variables may lead to a crash.
    • Debugger backtrace occasionally causes the emulator to crash.
    • Branch to a sealed capability may not clear the target tag.

    Debugger

    The debugger allows interrupting execution of a Morello application at a given point and exploring the current CPU state (including real and emulated registers and memory tags).

    Previously it was possible to provide an initial breakpoint address from the command line using the -break <pc> option, where <pc> is either a hexadecimal literal value or a symbol name (in which case it is translated to the start address of a known symbol). It is now also possible to use unsigned offsets in bytes relative to the start of a given symbol:

    morelloie -break main+8 -- ./app

    In the same way, it is now possible to add a new breakpoint while in debug mode:

    [28700:2103d8] br add main+16
    Added breakpoint at 2103e0
    [28700:2103d8] br list
     - breakpoint at 2103e0 main+16
     - breakpoint at 2103d8 main+8

    The debugger also shows the current thread ID in the prompt in front of the current PC value. This can be toggled on and off using the th on and th off debugger commands.

    To inspect memory at some address, you may now use register names with signed offsets to specify the address value:

    [28730:2103d0] cap c1+16
    [0000000031336010] -- 0x1:dc1f4000:40000000:00000000:00000000 (tag exists)

    This command loads the capability from memory at the address held in register C1 plus 16 bytes.

    In addition to viewing memory blocks and capabilities with the mem and cap commands, it is now possible to enumerate 16-byte aligned blocks of memory as capabilities. You can do this for a stack frame using the frame command:

    [28730:2103d0] frame 1

    This command shows the memory of the previous stack frame as a list of capabilities with their metadata.

    Alternatively, you may use start and end addresses with the view command:

    [28730:2103dc] view c1 c1+32
    Address           T Capability                          Base             Limit                      Offset Permissions    Seal
    0000000031336020:   00000000:00000000:00000000:00000000
    0000000031336010: 1 dc1f4000:40000000:00000000:00000000 0000000000000000 0000000000000000                0 rw.RW.ML.....G
    0000000031336000: 1 dc1f4000:466dc667:0000ffff:c203c667 0000ffffc203c667 0000ffffc203c66d                0 rw.RW.ML.....G

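    The three address forms used above (symbol plus unsigned offset for PC values, register plus signed offset for memory, and the walk over 16-byte aligned blocks that view performs between its start and end addresses) are modelled below. This is an added example, not code from Morello IE; the symbol and register values are assumptions reconstructed from the transcript values shown above.

```python
import re

# Constructed symbol table and register file, using only values visible in the
# transcript above: main+8 is 0x2103d8, so main = 0x2103d0; c1+16 is
# 0x31336010, so c1 = 0x31336000. Illustration only, not the emulator's code.
SYMBOLS = {"main": 0x2103D0}
REGISTERS = {"c1": 0x31336000}

# PC expressions: <symbol>[+<unsigned offset>]; offsets are decimal or 0x hex.
_PC_RE = re.compile(r"^(?P<sym>[A-Za-z_]\w*)(?:\+(?P<off>0x[0-9a-fA-F]+|\d+))?$")
# Memory expressions: <register>[+|-<offset>], e.g. c1+16 or c1-16.
_MEM_RE = re.compile(r"^(?P<reg>[cCxX]\d+|csp|sp)(?:(?P<sign>[+-])(?P<off>0x[0-9a-fA-F]+|\d+))?$")


def _num(text):
    """Parse a decimal or 0x-prefixed hexadecimal offset."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def resolve_pc(expr, symbols=SYMBOLS):
    """Resolve a -break / 'br add' argument: a known symbol with an optional
    unsigned byte offset, otherwise a bare hexadecimal literal."""
    m = _PC_RE.match(expr)
    if m and m.group("sym") in symbols:
        return symbols[m.group("sym")] + _num(m.group("off") or "0")
    try:
        return int(expr, 16)
    except ValueError:
        raise ValueError(f"unknown symbol or bad hex literal: {expr!r}") from None


def resolve_mem(expr, registers=REGISTERS):
    """Resolve a 'cap' / 'mem' / 'view' address: a register with an optional
    signed byte offset, otherwise a bare hexadecimal literal."""
    m = _MEM_RE.match(expr)
    if m and m.group("reg").lower() in registers:
        off = _num(m.group("off") or "0")
        return registers[m.group("reg").lower()] + (-off if m.group("sign") == "-" else off)
    return int(expr, 16)


def view_blocks(start, end, registers=REGISTERS):
    """List the 16-byte aligned block addresses between start and end, highest
    first, which is the order in which 'view' prints candidate capabilities."""
    lo = resolve_mem(start, registers) & ~0xF
    hi = resolve_mem(end, registers) & ~0xF
    return list(range(hi, lo - 1, -16))


if __name__ == "__main__":
    print(f"br add main+16 -> {resolve_pc('main+16'):x}")    # 2103e0
    print(f"cap c1+16      -> {resolve_mem('c1+16'):016x}")  # 0000000031336010
    print("view c1 c1+32  ->", [f"{a:016x}" for a in view_blocks("c1", "c1+32")])
```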
    DynamoRIO runtime options

    Morello IE uses a custom launcher application, morelloie, that uses DynamoRIO under the hood. Previously, only a limited set of DynamoRIO options was supported. Now any runtime option supported by DynamoRIO can be provided on the command line using the -Dr,<option> or -Dr,<option> <value> syntax. This can be helpful when the default behaviour of DynamoRIO needs to be modified to run your application.

    Capability control register

    It is now possible to set specific bits of the capability control register CCTLR_EL0 from the command line. The options -SBL, -DDCBO, -PCCBO and -ADRDPB set the corresponding control bits before the application starts. By default, all these bits are unset. You may experiment with sealing the link register at function calls by setting the SBL bit.

    Cache model

    The cache model now provides a compulsory misses metric for all cache levels. It is also equipped with an L3 cache, which can be configured using the options -l3-size for the size of the cache in bytes and -l3-ways for cache associativity.