Here's my suggestion, provided source code is available: you could instrument all PLAs with:
    PLA  ->  PLA
             JSR --+
                   |
                   V
                   PHP
                   CMP #$55
                   BNE --+
                   BRK   |
                   NOP   |
                   PLP <-+
                   RTS
This would even work on real hardware.
When the condition is met, the BRK instruction is executed ... a native monitor then leaves you with the pushed copy of the status register and the JSR return address on stack, and from the latter you can derive which PLA did pop $55:
The example at $02A1 just pushes A and pulls A again, calls the instrumentation at $02F7 and ends with BRK for a planned return to the monitor prompt.
The first call with G 02A1 has A=$00 from the initial register dump and returns normally.
In a copy of the register dump, I change A to $55 and do a second G 02A1. This one promptly gets intercepted by the instrumentation. I use the current value of SP=$F4 in the register dump to do a stack dump with M 01F4 01FF, which shows the return address - 1 of JSR in the 3rd and 4th byte, $02A5. I then count 3 bytes backwards and arrive at the "offending" PLA at $02A2.
Another G (without address) continues from the breakpoint in the instrumentation and the example terminates normally at $02A6.
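
Added example, not part of the original post: a minimal Python model of the ten opcodes involved, which runs the instrumented snippet and recovers the address of the PLA from the stack the same way the post does by hand. The byte layout at $02A1 and $02F7, the initial SP of $F7 (chosen so SP is $F4 at the breakpoint) and the monitor reporting SP without BRK's own pushes are assumptions made for this sketch.

```python
# Constructed memory image: opcodes placed at the addresses named in the post.
MEM = bytearray(0x10000)
MEM[0x02A1:0x02A7] = bytes([0x48, 0x68, 0x20, 0xF7, 0x02, 0x00])  # PHA PLA JSR $02F7 BRK
MEM[0x02F7:0x0300] = bytes([0x08, 0xC9, 0x55, 0xD0, 0x02,         # PHP, CMP #$55, BNE +2
                            0x00, 0xEA, 0x28, 0x60])              # BRK, NOP, PLP, RTS

def run(a, pc=0x02A1, sp=0xF7):
    """Run until a BRK is fetched; return (brk_address, A, SP, memory).
    Assumption: the monitor reports SP as it was before BRK's own pushes."""
    mem, p = bytearray(MEM), 0x20

    def push(v):
        nonlocal sp
        mem[0x100 + sp] = v
        sp = (sp - 1) & 0xFF

    def pull():
        nonlocal sp
        sp = (sp + 1) & 0xFF
        return mem[0x100 + sp]

    def nz(v):  # current flags with N and Z recomputed from a result byte
        return (p & 0x7D) | (v & 0x80) | (0x02 if v == 0 else 0)

    while True:
        op = mem[pc]
        if op == 0x00:                                   # BRK: hand over to the monitor
            return pc, a, sp, mem
        elif op == 0x48: push(a); pc += 1                # PHA
        elif op == 0x68: a = pull(); p = nz(a); pc += 1  # PLA
        elif op == 0x20:                                 # JSR pushes address of its last byte
            push((pc + 2) >> 8); push((pc + 2) & 0xFF)
            pc = mem[pc + 1] | mem[pc + 2] << 8
        elif op == 0x08: push(p | 0x30); pc += 1         # PHP
        elif op == 0xC9:                                 # CMP #imm sets N, Z, C; A unchanged
            m = mem[pc + 1]
            p = (nz((a - m) & 0xFF) & 0xFE) | (a >= m); pc += 2
        elif op == 0xD0:                                 # BNE rel
            off = mem[pc + 1]; pc += 2
            if not p & 0x02: pc += off - 256 if off & 0x80 else off
        elif op == 0xEA: pc += 1                         # NOP
        elif op == 0x28: p = pull() & 0xEF | 0x20; pc += 1   # PLP
        elif op == 0x60: pc = (pull() | pull() << 8) + 1     # RTS
        else: raise ValueError(f"unhandled opcode ${op:02X} at ${pc:04X}")

def offending_pla(mem, sp):
    """Above SP: the PHP copy of P, then the JSR return address - 1 (low, high).
    The PLA is the single byte directly in front of the 3-byte JSR."""
    base = 0x100 + sp
    return (mem[base + 2] | mem[base + 3] << 8) - 3
```

With A=$00 the run ends at the planned BRK at $02A6; with A=$55 it stops inside the instrumentation with SP=$F4, and offending_pla() returns $02A2.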