Specifications

Jump address tables and switch/case statements
When a switch/case statement has a dense (numerically consecutive) set of case labels, the
compiler often implements the statement with an indexed jump. The code contains a table
with the addresses of the case branches. The table is indexed by the switch/case variable. In
the H8/300 processor, the following instruction sequence seems to be used:
mov.w @(base, Ri), Rj
jmp @Rj
Here the constant displacement (base) is the address of the table, the register Ri contains the
offset into the table as computed from the switch/case variable, and Rj (which may be the
same register as Ri) contains the address of the chosen case branch.
Bound-T detects this code pattern and tries to find all the case branches by deriving an upper
bound on the value of Ri at the first instruction (mov.w). A lower bound of zero is assumed. If a
reasonable upper bound on Ri is found, it defines the full length of the address table (from
base to base + upper bound - 1). Assuming that the table has a constant content, as loaded
from the binary executable file, we can read out the addresses of all case branches, that is, all
possible targets of the dynamic jump instruction (jmp @Rj). Bound-T uses this method to
resolve the dynamic jump and complete the control-flow graph. It also emits a warning that it
has assumed a constant address table.
Vectored (memory-indirect) jumps and calls
The memory-indirect dynamic call instruction JSR @@aa:8 seems to occur frequently in
H8/300 code. Bound-T supports it under the assumption that the memory word that holds the
target address is constant. In other words, we assume that the memory area 0 .. 255 contains
constant "vectors" or pointers to frequently used subprograms and that the apparently
"dynamic" call JSR @@aa:8 is merely an abbreviation for the normal JSR, which needs an
additional instruction word for the 16-bit address. The same assumption is made for the
memory-indirect jump instruction JMP @@aa:8.
If the @@aa:8 operand refers to a vector address (aa) that is defined (loaded) by the memory
image in the binary executable file, Bound-T reads the final target address from the memory
image and models the JSR or JMP as a call or jump with this static target address.
Otherwise, that is, if the vector address is not defined in the memory image, Bound-T concludes
that the final target is dynamically computed. In this case, a JSR is modelled as a dynamic call
that can be resolved by analysis or by an assertion. A JMP is modelled as a subprogram return
point, with an error message to alert the user.
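
The two resolution steps described above (reading a constant jump table and reading a constant @@aa:8 vector from the loaded memory image) can be sketched as follows. This is an added example, not Bound-T's own code: the function names, the sparse-image representation and the sample bytes are assumptions, and it assumes big-endian 16-bit table entries at even offsets.

```python
"""Added example: resolving H8/300 jump tables and @@aa:8 vectors from a memory image."""

def load_image(segments):
    """Build a sparse image {address: byte} from (start_address, bytes) segments."""
    image = {}
    for start, data in segments:
        for i, b in enumerate(data):
            image[(start + i) & 0xFFFF] = b
    return image

def read_word(image, addr):
    """Big-endian 16-bit word at addr, or None if either byte is not loaded."""
    hi, lo = image.get(addr & 0xFFFF), image.get((addr + 1) & 0xFFFF)
    if hi is None or lo is None:
        return None
    return (hi << 8) | lo

def resolve_jump_table(image, base, upper_bound):
    """Targets of 'mov.w @(base,Ri),Rj ; jmp @Rj' for a table occupying
    base .. base + upper_bound - 1. Returns None if part of the table is
    not in the loaded image (it then cannot be assumed constant)."""
    targets = []
    for offset in range(0, upper_bound - 1, 2):   # one 16-bit address per entry
        word = read_word(image, base + offset)
        if word is None:
            return None
        targets.append(word)
    return sorted(set(targets))                   # several cases may share a branch

def resolve_vector(image, aa):
    """Static target of JSR/JMP @@aa:8, or None if the vector is not defined
    in the image (the target is then treated as dynamically computed)."""
    if not 0 <= aa <= 0xFF:
        raise ValueError("@@aa:8 vector address must be in 0..255")
    return read_word(image, aa)

# Constructed sample image: two vectors at 0x0040 and a 4-entry table at 0x0200.
IMAGE = load_image([
    (0x0040, bytes.fromhex("1000" "1234")),
    (0x0200, bytes.fromhex("0300" "0310" "0300" "0324")),
])

if __name__ == "__main__":
    print([hex(t) for t in resolve_jump_table(IMAGE, 0x0200, 8)])
    print(resolve_vector(IMAGE, 0x40), resolve_vector(IMAGE, 0x60))
```

A None result from either function corresponds to the cases where the target cannot be taken from the memory image and must be resolved by analysis or by an assertion.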
5.7 Memory configurations
Typical H8/300 chips have internal ROM (or PROM) and RAM but can also use external ROM
and RAM.
External memory can be used together with internal memory when the chip is configured so
that the internal and external memories use different regions of the address space.
External memory can be used instead of internal memory when the chip is configured so that
the address regions that usually map to internal memory instead map to external memory.
Some addresses are mapped to the on-chip register field, and some address ranges may be
unmapped (reserved) and should not be accessed.
The term memory map means the division of the 16-bit address space into internal addresses,
external addresses, on-chip register addresses and unused addresses. The memory map depends
on the type of the chip and the configuration of the chip.
Bound-T for H8/300 Supported H8/300 Features 29