WiiRd forum

Wii & Gamecube Hacking => Wii Game hacking help => Topic started by: live2play on April 12, 2010, 07:40:00 PM

Title: Breakpoint Exact Match
Post by: live2play on April 12, 2010, 07:40:00 PM
I noticed that when I do not use Exact Match for my breakpoint, the BP will trigger on an instruction that is, for instance, reading/writing the memory address one word greater than the one on which the BP is placed.  I just wanted to confirm that this is the purpose for Exact Match.  Are there any drawbacks to using Exact Match?
Title: Re: Breakpoint Exact Match
Post by: dcx2 on April 12, 2010, 10:16:52 PM
A normal PowerPC Breakpoint has double-word alignment.  That is, the processor takes the address that's being loaded/stored, masks it with 0xFFFFFFF8, and compares it with the Breakpoint address (also masked with 0xFFFFFFF8!).  This effectively means the lower 3 bits are "don't cares".

So if you set a breakpoint on 0x80123456, you will actually hit any load/store that addresses 0x80123450 through 0x80123457, inclusive.

This can be kinda crappy if you're trying to break on a value that's next to a very active value.  That's what an Exact breakpoint addresses.  Exact is something special supported by Gecko OS; it only breaks if the load/store address exactly matches the breakpoint address.

This has an interesting side effect.  If your breakpoint address is 0x80123456, you will not break on 32-bit accesses to 0x80123454, because the load/store address ends in 4, not 6.  This is in spite of the 32-bit access affecting bytes that include the breakpoint address; the memory access must match EXACTLY, not one byte more or less.

You will see alignment play out a lot here.  0x80123456 is h-word aligned, so an Exact breakpoint on that address would only ever stop on 16-bit and 8-bit memory accesses (sth, lha, stb, lbz).  0x80123455 and 0x80123457 are byte-aligned, so they would only stop on 8-bit accesses (stb, lbz).

That leads to the drawback.  If you think you found something like health, and the health *looks* like it's stored as a 32-bit value with stw (i.e. 00000003), but it is actually a 16-bit value in the lower 16 bits (0003), then your Exact breakpoint will never hit because the game is using sth to write to an h-word aligned address.
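The masking and exact-match behaviour dcx2 describes, as an added example (not code from the thread or from Gecko OS): a small model of both breakpoint modes, run over a constructed trace of load/store addresses. It assumes the Wii's big-endian layout, so the low 16 bits of a 32-bit value at 0x80123454 live at 0x80123456.

```python
# Model of PowerPC data-breakpoint matching as described in the thread.
ALIGN_MASK = 0xFFFFFFF8  # low 3 bits are "don't cares" for a normal breakpoint


def normal_hit(bp_addr: int, access_addr: int) -> bool:
    """Default breakpoint: both addresses masked to a double word, then compared."""
    return (bp_addr & ALIGN_MASK) == (access_addr & ALIGN_MASK)


def exact_hit(bp_addr: int, access_addr: int) -> bool:
    """Gecko OS Exact breakpoint: the effective address itself must match."""
    return bp_addr == access_addr


def hits(bp_addr: int, access_addr: int, exact: bool = False) -> bool:
    return exact_hit(bp_addr, access_addr) if exact else normal_hit(bp_addr, access_addr)


def exact_widths(bp_addr: int) -> list:
    """Access widths (bytes) an Exact breakpoint on bp_addr can ever see,
    assuming the game only makes naturally aligned loads/stores."""
    return [w for w in (1, 2, 4, 8) if bp_addr % w == 0]


# Constructed sample trace: (mnemonic, effective address, width in bytes).
# Mirrors the "health" case: a 32-bit stw at 0x80123454 versus the game's
# real 16-bit sth to the low half at 0x80123456.
SAMPLE_TRACE = [
    ("stw", 0x80123454, 4),  # covers bytes 0x54..0x57
    ("sth", 0x80123456, 2),  # low 16 bits of the same word (big-endian)
    ("stb", 0x80123457, 1),
    ("lwz", 0x80123458, 4),  # next double word: never hits in either mode
]


def matching_accesses(bp_addr: int, trace: list, exact: bool = False) -> list:
    """Mnemonics in the trace that would trigger a breakpoint on bp_addr."""
    return [mn for mn, addr, _w in trace if hits(bp_addr, addr, exact)]


if __name__ == "__main__":
    for exact in (False, True):
        mode = "Exact" if exact else "Normal"
        print(mode, "BP on 0x80123454 hits:", matching_accesses(0x80123454, SAMPLE_TRACE, exact))
    print("Exact BP on 0x80123456 can only see widths:", exact_widths(0x80123456))
```

With a normal breakpoint on 0x80123454 the stw, sth and stb all fire; the Exact breakpoint on the same address fires only for the stw, so the game's real sth write is missed, which is the drawback above.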
Title: Re: Breakpoint Exact Match
Post by: live2play on April 12, 2010, 10:30:57 PM
Very informative and complete description.  I really appreciate this information!  So, it seems that a good approach is to not do an Exact Match unless the results coming back from the BP triggers do not seem to relate to the value of interest in the memory address.