Reputation: 9063
I see it is possible in GDB to set a breakpoint which will fire when a specific memory address is read or written. I am wondering how it works. Does GDB have a sort of copy of the process memory and check what has changed between each instruction? Or is it a syscall or kernel feature for that?
(Intel x86 32 and 64 bits architecture)
Upvotes: 4
Views: 1378
Reputation: 213375
I am wondering how it works.
There are two ways: software watchpoints and hardware watchpoints (only available on some architectures).
Software watchpoints work by single-stepping the application, and checking whether the value has changed after every instruction. These are painfully slow (1000x slower), and in practice aren't usable for anything other than a toy program. They also can't detect access, only change of the value in the watched location.
Hardware watchpoints require processor support. Intel x86 chips have debug registers, which could be programmed to watch for access (awatch, rwatch) or change (watch) of a given memory location. When the processor detects that the location of interest has been accessed, it raises a debug exception, which the OS translates into a signal, and (as usual) a signal is given to the debugger before the target sees it.
HW watchpoints execute at native speed, but (on x86) you can have only up to 4 distinct addresses (in practice, I've never needed more than 2).
Does execution of the current instruction fire a read watch at the eip address?
It should. You could trivially answer this yourself. Just try it.
Does push on stack fire a write on stack memory address?
Likewise.
Upvotes: 6
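The following is an added example, not code from the question or the answer above: a minimal Linux/x86-64 program that installs one hardware watchpoint in a forked child through the same kernel interface GDB uses (PTRACE_POKEUSER into the u_debugreg slots of struct user), then waits for the SIGTRAP the kernel delivers when the child's store hits the watched address. The variable name `watched`, the helper names, and the use of debug register slot 0 are this example's own choices. Two details the answer leaves implicit are visible in the code: the DR7 encoding only offers "write" and "read or write" conditions (there is no read-only condition on x86, so a read-only watch has to be emulated by checking whether the value changed), and data breakpoints are trap-class, so by the time the debugger sees SIGTRAP the store has already completed.

```c
// Added example (not part of the original Q&A): a hardware watchpoint on
// Linux/x86-64 set via ptrace, the mechanism GDB's "watch" uses on x86.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <inttypes.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* DR7 field values (Intel SDM vol. 3, "Debug Registers"). */
enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_RW = 3 };
enum { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* Build a DR7 value enabling one local breakpoint slot (0..3) with the
 * given access condition and length. Note there is no read-only R/W
 * encoding: a "read" watch must use DR_RW_RW and filter hits afterwards. */
uint64_t dr7_for_slot(int slot, int rw, int len) {
    uint64_t dr7 = 0;
    dr7 |= 1ULL << (slot * 2);               /* Ln: local enable bit   */
    dr7 |= (uint64_t)rw  << (16 + slot * 4); /* R/Wn: access condition */
    dr7 |= (uint64_t)len << (18 + slot * 4); /* LENn: watched length   */
    return dr7;
}

/* Byte offset of debug register n inside struct user, the "addr" argument
 * for PTRACE_PEEKUSER / PTRACE_POKEUSER. */
size_t debugreg_offset(int n) {
    return offsetof(struct user, u_debugreg) + (size_t)n * sizeof(long);
}

/* DR6 bit Bn is set by the CPU when slot n was the one that triggered. */
int dr6_hit_slot(uint64_t dr6, int slot) {
    return (int)((dr6 >> slot) & 1);
}

static volatile int watched = 0; /* constructed target variable (hypothetical) */

int main(void) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);          /* pause so the parent can program DR0/DR7 */
        watched = 42;            /* this store should raise the debug trap */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);    /* child is stopped at its SIGSTOP */

    /* After fork() the child has the same layout, so &watched is valid there.
     * DR0 = address to watch, DR7 = slot 0, write access, 4 bytes. */
    if (ptrace(PTRACE_POKEUSER, pid, (void *)debugreg_offset(0), (void *)&watched) == -1 ||
        ptrace(PTRACE_POKEUSER, pid, (void *)debugreg_offset(7),
               (void *)dr7_for_slot(0, DR_RW_WRITE, DR_LEN_4)) == -1) {
        perror("PTRACE_POKEUSER (debug registers)");
        kill(pid, SIGKILL);
        return 1;
    }

    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);    /* expect the SIGTRAP from the #DB exception */
    if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
        uint64_t dr6 = (uint64_t)ptrace(PTRACE_PEEKUSER, pid, (void *)debugreg_offset(6), NULL);
        long val = ptrace(PTRACE_PEEKDATA, pid, (void *)&watched, NULL);
        /* The trap is reported after the store retired, so val is already 42. */
        printf("SIGTRAP: DR6=0x%" PRIx64 " slot0_hit=%d watched=%ld\n",
               dr6, dr6_hit_slot(dr6, 0), val);
    } else {
        printf("child stopped/exited without SIGTRAP (status 0x%x)\n", status);
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return 0;
}
```

Run it as an ordinary user on a Linux x86-64 box (ptrace of one's own child is permitted under the default Yama scope); if the kernel rejects the DR7 write, the program reports the error and kills the child. The same DR0..DR3/DR7 programming is what GDB performs through PTRACE_POKEUSER when you type `watch`, `rwatch` or `awatch`, which is why the answer's limit of four distinct addresses applies.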