I am working on the Cortex-M3 family, so I am referring to the ARMv7 Thumb/Thumb-2 instruction set.
I have disassembled an ELF image and got the following snippet:
Disassembly of section .text:
1f002f58 <Reset_IRQHandler>:
1f002f58:   4b01        ldr r3, [pc, #4]    ; (1f002f60 <Reset_IRQHandler+0x8>)
1f002f5a:   469d        mov sp, r3
1f002f5c:   f000 b950   b.w 1f003200 <Reset_IRQHandler_C>
1f002f60:   20020000    andcs   r0, r2, r0
1f002f64 <Setup_RC32M>:
1f002f64:   b57f        push    {r0, r1, r2, r3, r4, r5, r6, lr}
...
...
1f003200 <Reset_IRQHandler_C>:
1f003200:   4829        ldr r0, [pc, #164]  ; (1f0032a8 <Reset_IRQHandler_C+0xa8>)
1f003202:   4a2a        ldr r2, [pc, #168]  ; (1f0032ac <Reset_IRQHandler_C+0xac>)
1f003204:   b510        push    {r4, lr}
In Reset_IRQHandler there is a b.w instruction encoded as f000 b950, and the target address of that b.w in the disassembled text is 0x1f003200 <Reset_IRQHandler_C>. I want to calculate the target address from the encoded instruction f000 b950 by myself, but I cannot get the result 0x1f003200 in any case...
I have referred to the ARMv7-M Architecture Reference Manual and know that the encoding f000 b950 is the T4 encoding of the b instruction. Then I extract imm10, imm11 and the other essential parameters like S, I1, I2 specified in the manual to form a bitstring, and finally I sign-extend this bitstring to get a 32-bit immediate offset.
In this case, after my calculation, the immediate offset I got is 0x150. I know that, since it's a Thumb-2 (32-bit) instruction, it should be multiplied by 4, so I got 0x540;
But obviously the current PC value, 0x1f002f60 (0x1f002f5c + 0x4 for prefetch), plus 0x540 is 0x1f0034a0, not 0x1f003200.
I have struggled with this for almost a whole day... any help will be appreciated...
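A worked decoder for this instruction, added here as an example and not part of the question above. It applies the T4 formula from the ARMv7-M Architecture Reference Manual, imm32 = SignExtend(S:I1:I2:imm10:imm11:'0', 32) with I1 = NOT(J1 XOR S) and I2 = NOT(J2 XOR S), and it also covers the conditional B T3 encoding (S:J2:J1:imm6:imm11:'0') and BL T1, which share the same 11110 prefix halfword. The trailing '0' in the manual's bitstring is what turns the field value into a byte offset: the concatenated fields are shifted left by one (the offset counts halfwords), not by two, and the result is added to PC = instruction address + 4. The helper names (decode_thumb32_branch, check_objdump_line, Branch) are this example's own; the objdump line it parses is the b.w line from the listing in the question.

```python
import re
from dataclasses import dataclass

# Condition-code mnemonics for the T3 (conditional) encoding. A cond field of
# 1110 or 1111 in that encoding space is not a conditional branch.
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le"]


@dataclass
class Branch:
    mnemonic: str   # "b.w", "bl" or "b<cond>.w"
    imm32: int      # signed byte offset relative to PC
    target: int     # absolute target address


def sign_extend(value: int, bits: int) -> int:
    """Treat the low `bits` bits of `value` as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def decode_thumb32_branch(hw1: int, hw2: int, addr: int) -> Branch:
    """Decode a 32-bit Thumb branch (B T3, B T4 or BL T1) located at `addr`.

    hw1 and hw2 are the two halfwords in the order objdump prints them.
    """
    if (hw1 >> 11) != 0b11110 or (hw2 >> 15) != 1:
        raise ValueError("not a 32-bit Thumb branch encoding")
    s = (hw1 >> 10) & 1
    j1 = (hw2 >> 13) & 1
    j2 = (hw2 >> 11) & 1
    imm11 = hw2 & 0x7FF
    pc = (addr + 4) & 0xFFFFFFFF       # in Thumb state PC reads as address + 4
    bit14 = (hw2 >> 14) & 1
    bit12 = (hw2 >> 12) & 1

    if bit14 == 0 and bit12 == 0:
        # B T3 (conditional): imm32 = SignExtend(S:J2:J1:imm6:imm11:'0', 32)
        cond = (hw1 >> 6) & 0xF
        if cond >= 0b1110:
            raise ValueError("cond field 111x is not a conditional branch")
        imm6 = hw1 & 0x3F
        raw = (s << 20) | (j2 << 19) | (j1 << 18) | (imm6 << 12) | (imm11 << 1)
        imm32 = sign_extend(raw, 21)
        mnemonic = "b" + COND[cond] + ".w"
    elif bit12 == 1:
        # B T4 (bit14 == 0) and BL T1 (bit14 == 1) share one immediate form:
        # imm32 = SignExtend(S:I1:I2:imm10:imm11:'0', 32),
        # I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S). The trailing '0' is the << 1.
        imm10 = hw1 & 0x3FF
        i1 = 1 - (j1 ^ s)
        i2 = 1 - (j2 ^ s)
        raw = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
        imm32 = sign_extend(raw, 25)
        mnemonic = "bl" if bit14 else "b.w"
    else:
        raise ValueError("BLX immediate is not available on ARMv7-M")

    return Branch(mnemonic, imm32, (pc + imm32) & 0xFFFFFFFF)


# Matches "<addr>:   <hw1> <hw2>   <mnemonic> ..." as objdump prints a
# 32-bit Thumb instruction; 16-bit instructions and literal words do not match.
OBJDUMP_LINE = re.compile(r"^\s*([0-9a-f]+):\s+([0-9a-f]{4})\s+([0-9a-f]{4})\s")


def check_objdump_line(line: str) -> Branch:
    """Decode the branch on one objdump listing line."""
    m = OBJDUMP_LINE.match(line)
    if not m:
        raise ValueError("line does not look like a 32-bit objdump instruction")
    addr, hw1, hw2 = (int(x, 16) for x in m.groups())
    return decode_thumb32_branch(hw1, hw2, addr)


if __name__ == "__main__":
    # The b.w line from the question's listing.
    br = check_objdump_line("1f002f5c:   f000 b950   b.w 1f003200 <Reset_IRQHandler_C>")
    print(f"{br.mnemonic} imm32={br.imm32:+#x} target={br.target:#010x}")
```

Running it on the line from the listing gives imm32 = +0x2a0 and target 0x1f003200, matching what objdump printed. For f000 b950: S = 0, J1 = 1, J2 = 1, imm10 = 0, imm11 = 0x150, so I1 = I2 = 0 and the concatenation S:I1:I2:imm10:imm11:'0' is 0x150 shifted left by one, i.e. 0x2a0; 0x1f002f60 + 0x2a0 = 0x1f003200. The decoder is a useful cross-check when reviewing firmware images: a branch whose decoded target disagrees with the disassembler's symbol annotation usually means the listing was produced with the wrong load address or the wrong instruction set.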