amiga-bootcamp/05_reversing/dynamic/enforcer_mungwall.md

[← Home](../../README.md) · [Reverse Engineering](../README.md)

# Enforcer and MungWall — Memory Violation Tracing

## Overview

**Enforcer** (by Michael Sinz) and **MungWall** are the two canonical Amiga memory debugging tools. They catch illegal memory accesses and heap corruption at runtime, providing the equivalent of AddressSanitizer for AmigaOS.

---

## Enforcer

Enforcer uses the 68020+ MMU (or software patching on 68000) to trap accesses to:
- Address `$0000–$07FF` (lower 2 KB — reserved vectors and exec structures)
- Odd-addressed word/longword reads
- Accesses above the installed RAM
- Writes to ROM addresses

### Installation

```
; AmigaOS Shell:
run enforcer
; or for logging:
run enforcer QUIET LOG enforcer.log
```

Enforcer patches the `BusError` exception vector (`$8`). Any illegal access causes a bus error, which Enforcer catches, logs, and (usually) continues.

### Output Format

```
ENFORCER HIT: by Unknown (Task: "DPaint" at $001234AB)
  Program Counter: $0023AB12
  Address Accessed: $0000012C   (read longword)
  Stack Dump: $001234C0 $0001A2B4 ...
```

- **Program Counter** — instruction that caused the hit
- **Address Accessed** — illegal address
- Cross-reference PC against `HUNK_SYMBOL` names or IDA disassembly

### Common Causes

| Hit Pattern | Likely Cause |
|---|---|
| Access to `$0–$3FF` | NULL pointer dereference |
| Access to `$4` (SysBase) without read | Null exec base |
| Odd address read (word/long) | Misaligned pointer |
| Access to `$B80000–$BFFFFF` | CIA access without correct alignment |
| Write to ROM `$F80000+` | Write to Kickstart ROM |

---

## MungWall

MungWall fills `AllocMem()` allocations with a known pattern (`$ABADCAFE`) and adds guard longwords before and after each block (`$DEADBEEF`). On `FreeMem()`, it verifies the guards.

### What It Catches

- **Heap underrun** — write before the allocated block (guard before = corrupted)
- **Heap overrun** — write past the end of block (guard after = corrupted)
- **Use after free** — block is filled with `$DEADBEEF` on free; reads from it will fail if Enforcer is also running

### Installation

```
run mungwall
```

### Output on Corruption

```
MUNGWALL: Block $001A2000 (size 128) has been overwritten!
  Header guard: OK
  Trailer guard: CORRUPTED at +132
  Caller: $0023BC44  (FreeMem called from here)
```

---

## Combined Workflow

1. `run mungwall` first — patches AllocMem/FreeMem
2. `run enforcer` — adds MMU-level illegal access detection
3. Launch the suspect program
4. Any crash produces Enforcer + MungWall output on the serial port / `enforcer.log`
5. Cross-reference the PC value with `HUNK_SYMBOL` or IDA to find the exact line

---

## Serial Port Logging

Both tools output via `kprintf` to serial port (115200 8N1). Capture on host:

```bash
# macOS / Linux:
screen /dev/cu.usbserial-XXXX 115200
# or
minicom -D /dev/cu.usbserial-XXXX -b 115200
```

---

## References

- Enforcer: Michael Sinz — available on Aminet (`util/misc/Enforcer.lha`)
- MungWall: original CBM debug tool, available on Aminet
- `dynamic/serial_debug.md` — serial output setup
- *Amiga ROM Kernel Reference Manual: Libraries* — exec memory management
-												docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections

Comprehensive technical documentation covering:
- Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives
- Boot sequence: cold boot through startup-sequence
- Binary format: HUNK executable spec, relocation, debug info
- Linking & ABI: .fd files, LVO tables, register calling conventions
- Exec kernel: tasks, interrupts, memory, signals, semaphores
- AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting
- Graphics: planar bitmaps, Copper programming, HAM/EHB modes
- Intuition: screens, windows, IDCMP, BOOPSI
- Devices: trackdisk, SCSI, serial, timer, audio, keyboard
- Libraries: utility, expansion, IFFParse, locale, ARexx
- Networking: bsdsocket API, SANA-II, TCP/IP stack comparison
- Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging
- Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies
- CPU & MMU: 68040/060 emulation libs, PMMU, cache management
- Driver development: SANA-II, Picasso96/RTG, AHI audio

All files include breadcrumb navigation. No local paths or proprietary content.

											
										
										
											2026-04-23 12:16:52 -04:00
+								[← Home](../../README.md) · [Reverse Engineering](../README.md)
 								# Enforcer and MungWall — Memory Violation Tracing
 								## Overview
 								**Enforcer** (by Michael Sinz) and **MungWall** are the two canonical Amiga memory debugging tools. They catch illegal memory accesses and heap corruption at runtime, providing the equivalent of AddressSanitizer for AmigaOS.
 								---
 								## Enforcer
 								Enforcer uses the 68020+ MMU (or software patching on 68000) to trap accesses to:
 								- Address `$0000–$07FF` (lower 2 KB — reserved vectors and exec structures)
 								- Odd-addressed word/longword reads
 								- Accesses above the installed RAM
 								- Writes to ROM addresses
 								### Installation
 								```
 								; AmigaOS Shell:
 								run enforcer
 								; or for logging:
 								run enforcer QUIET LOG enforcer.log
 								```
 								Enforcer patches the `BusError` exception vector (`$8`). Any illegal access causes a bus error, which Enforcer catches, logs, and (usually) continues.
 								### Output Format
 								```
 								ENFORCER HIT: by Unknown (Task: "DPaint" at $001234AB)
 								  Program Counter: $0023AB12
 								  Address Accessed: $0000012C   (read longword)
 								  Stack Dump: $001234C0 $0001A2B4 ...
 								```
 								- **Program Counter** — instruction that caused the hit
 								- **Address Accessed** — illegal address
 								- Cross-reference PC against `HUNK_SYMBOL` names or IDA disassembly
 								### Common Causes
 								| Hit Pattern | Likely Cause |
 								|---|---|
 								| Access to `$0–$3FF` | NULL pointer dereference |
 								| Access to `$4` (SysBase) without read | Null exec base |
 								| Odd address read (word/long) | Misaligned pointer |
 								| Access to `$B80000–$BFFFFF` | CIA access without correct alignment |
 								| Write to ROM `$F80000+` | Write to Kickstart ROM |
 								---
 								## MungWall
 								MungWall fills `AllocMem()` allocations with a known pattern (`$ABADCAFE`) and adds guard longwords before and after each block (`$DEADBEEF`). On `FreeMem()`, it verifies the guards.
 								### What It Catches
 								- **Heap underrun** — write before the allocated block (guard before = corrupted)
 								- **Heap overrun** — write past the end of block (guard after = corrupted)
 								- **Use after free** — block is filled with `$DEADBEEF` on free; reads from it will fail if Enforcer is also running
 								### Installation
 								```
 								run mungwall
 								```
 								### Output on Corruption
 								```
 								MUNGWALL: Block $001A2000 (size 128) has been overwritten!
 								  Header guard: OK
 								  Trailer guard: CORRUPTED at +132
 								  Caller: $0023BC44  (FreeMem called from here)
 								```
 								---
 								## Combined Workflow
 . `run mungwall` first — patches AllocMem/FreeMem
 . `run enforcer` — adds MMU-level illegal access detection
 . Launch the suspect program
 . Any crash produces Enforcer + MungWall output on the serial port / `enforcer.log`
 . Cross-reference the PC value with `HUNK_SYMBOL` or IDA to find the exact line
 								---
 								## Serial Port Logging
 								Both tools output via `kprintf` to serial port (115200 8N1). Capture on host:
 								```bash
 								# macOS / Linux:
 								screen /dev/cu.usbserial-XXXX 115200
 								# or
 								minicom -D /dev/cu.usbserial-XXXX -b 115200
 								```
 								---
 								## References
 								- Enforcer: Michael Sinz — available on Aminet (`util/misc/Enforcer.lha`)
 								- MungWall: original CBM debug tool, available on Aminet
 								- `dynamic/serial_debug.md` — serial output setup
 								- *Amiga ROM Kernel Reference Manual: Libraries* — exec memory management