ddb - kernel debugger
The ddb debugger provides a means for debugging the kernel,
and analysing
the kernel after a system crash ("panic"), with a
gdb(1)-like syntax.
ddb is only available if the kernel was configured with the
DDB option.
ddb will be invoked upon a kernel panic when the sysctl(8)
name ddb.panic
is set to 1. ddb may be invoked from the console by the key
sequence
Ctl-Alt-Esc or by sending a BREAK if using a serial console,
when the
sysctl(8) name ddb.console is set to 1.
ddb prompts for commands on the console with:
ddb>
The general syntax of a ddb command is:
command [/modifiers] [address][,count]
To save typing, ddb makes use of a context inferred from
previous commands.
In this context, the current location is called dot.
The
examine, search, and write commands update dot to be that of
the last address
examined or the last location modified, and have intuitive effects
on next and prev. All the other commands do not change dot,
and set next
to be the same. (See VARIABLES.)
An expression can be used in place of address (see
EXPRESSIONS). Omitting
address in a command uses the last value of dot. A
missing count is
taken to be 1 for printing commands or Infinity for stack
traces. Entering
a blank line causes the last command to be repeated using next in
place of address, a count of 1, and no modifiers.
ddb has a feature like more(1) for the output. If the number of lines
output in response to one command exceeds the number set in
the $lines
variable, it displays the message `--db_more--' and waits
for a response.
The valid responses are:
<space> One more page.
<return> One more line.
q Abort the current command, and return to
the command
input mode.
The following command line editing keys are provided:
^b back one character
^f forward one character
^a beginning of line
^e end of line
^w erase word back
^h | <del> erase previous character
^d erase next character
^k delete to end of line
^u delete line
^p previous in command history
^n next in command history
^r redraw line
The following commands may be typed at the `ddb>' prompt.
Some commands
consist of more than one word, and if only the first word or
words are
entered, the possible alternatives to complete the command
are displayed
and no other action is performed.
help List the available commands.
[e]x[amine] [/bhlaAxzodurcsmiI] [addr][,count]
Display the contents at address addr according
to the formats
in the modifier. Multiple modifier formats display multiple
locations. If no format is specified, the last
formats specified
for this command are used.
The format characters are:
/b look at by bytes (8 bits)
/h look at by half words (16 bits)
/l look at by long words (32 bits) (default)
/a print the location being displayed
/A print the location with a line number if
possible
/x display in unsigned hex
/z display in signed hex
/o display in unsigned octal
/d display in signed decimal
/u display in unsigned decimal
/r display in current radix, signed
/c display low 8 bits as a character. Nonprinting characters
are displayed as an octal escape
code (e.g.,
' 00').
/s display the null-terminated string at the
location.
Non-printing characters are displayed as
octal escapes.
/m display in unsigned hex with character
dump at the end
of each line. The location is also displayed in hex at
the beginning of each line.
/i display as an instruction
/I display as an alternate format instruction
depending on
the machine:
vax Don't assume that each external
label is a
procedure entry mask.
i386 Don't round to the next long
word boundary.
mips Print register contents.
The value of next is set to the addr plus the
size of the data
examined.
xf Examine forward. Execute an examine command
with the last
specified parameters to it except that the next
address displayed
by it is used as the start address.
xb Examine backward. Execute an examine command
with the last
specified parameters to it except that the last
start address
subtracted by the size displayed by it is used
as the start
address.
print [/axzodurc] [addr [addr ...]]
Print each addr according to the modifier character. The
valid modifiers are a subset of those from the
examine command,
and act as described there. If no modifier is specified,
the last one specified in a previous use
of print is
used. The addr argument can be a string, and it
is printed
as a literal.
For example,
print/x "eax = " $eax "0cx = " $ecx "0
will print something like this:
eax = xxxxxx
ecx = yyyyyy
w[rite] [/bhl] [addr] expr [expr ...]
Write the value of each expr expression at succeeding locations
start at addr. The write unit size can be
specified
using one of the modifiers:
/b byte (8 bits)
/h half word (16 bits)
/l long word (32 bits) (default)
The value of next is set to addr plus the size
of values
written.
Warning: since there is no delimiter between expressions, the
command may not parse as you expect. It is best
to enclose
each expression in parentheses.
set $name [=] expr
Set the named variable or register with the value of expr.
Valid variable names are described below.
boot how Reboot the machine depending on how:
boot sync Sync disks and reboot.
boot crash Dump core and reboot.
boot dump Sync disks, dump core and reboot.
boot halt Just halt.
boot reboot Just reboot.
boot poweroff Power down the machine whenever
possible; if
it fails, just halt.
break [/u] [addr][,count]
Set a break point at addr. If count is supplied, ddb allows
the breakpoint to be silently hit (count - 1)
times before
stopping at the break point.
If the break point is successfully set, a break
point number
is displayed, in the form #number. This can
later be used in
deleting the break point or for adding conditions to it.
When the /u modifier is specified, addr is taken
as a user
space address. Without it, the address is considered as a
kernel space address. Wrong space addresses are
rejected
with an error message. The /u modifier can be
used only if
it is supported by machine dependent routines.
Warning: if a user text is shadowed by a normal
user space
debugger, user space break points may not work
correctly.
Setting a breakpoint at the low-level code paths
may also
cause strange behavior.
d[elete] [addr | #number]
Delete the break point set with the break command.
s[tep] [/p] [,count]
Single step count times. If the /p modifier is
specified,
print each instruction at each step. Otherwise,
only print
the last instruction.
Warning: depending on machine type, it may not
be possible to
single-step through some low-level code paths or
user space
code. On machines with software-emulated single-stepping
(e.g., pmax), stepping through code executed by
interrupt
handlers will probably do the wrong thing.
call name(expr [, expr ...] )
Call the function named by name with the argument(s) listed
in parentheses. Parentheses may be omitted if
the function
takes no arguments. The number of arguments is
currently
limited to 10.
c[ontinue] [/c]
Continue execution until a breakpoint or watchpoint. If the
/c modifier is given, instructions are counted
while executing.
Some machines (e.g., pmax) also count
loads and stores.
Warning: when counting with /c, ddb is really
silently single-stepping.
This means that single-stepping
on low-level
code may cause strange behavior.
watch addr [,size]
Set a watchpoint for the region starting at
addr. Execution
stops and control returns to ddb when an attempt
is made to
modify a watched region. The size argument defaults to 4.
If you specify a wrong space address, the request is rejected
with an error message.
Warning: attempts to watch wired kernel memory
may cause an
unrecoverable error on some systems (e.g.,
i386). Watchpoints
on user addresses work best.
dwatch addr
Delete the watchpoint at address addr that was
previously set
with a watch command.
hangman [/s[0-9]]
This is a tiny and handy tool for random kernel
hangs analysis,
of which its depth is controlled by the optional argument
of the default value of five. It uses some
sophisticated
heuristics to spot the global symbol that
caused the hang.
Since the discovering algorithm is a probabilistic one, you
may spend substantial time to figure the exact
symbol name.
This smart thing requires a little of your attention, the input
it accepts is mostly of the same format as
that of the
famous hangman(6) game, to which it, apparently,
is obliged
by the name. Hint: the nm(1) utility might
help.
until [/p] Stop at the next "call" or "return" instruction.
If the /p
modifier is specified, ddb prints the call nesting depth and
the cumulative instruction count at each call or
return.
Otherwise, it stays silent until the matching
return is hit.
match [/p] Stop at the next matching return instruction.
If the /p modifier
is specified, ddb prints the call nesting
depth and the
cumulative instruction count at each call or return. Otherwise,
it remains mostly quiet.
next [/p] The next command is a synonym for match.
trace [/u] [frameaddr][,count]
Show the stack trace. The /u modifier shows the
stack trace
of user space; if omitted, the kernel stack is
traced instead.
The count argument is the limit on the
number of
frames to be followed. If count is omitted, all
frames are
printed.
Warning: user space stack trace is valid only if
the machine
dependent code supports it.
search [/bhl] [addr] value [mask] [,count]
Search memory for a value beginning at addr.
This command
might fail in interesting ways if it doesn't
find the
searched-for value. This is because ddb doesn't
always recover
from touching bad memory. The optional
count argument
limits the search. The modifiers are the same
as those of
the write command.
The next address is set to the address where
value is found,
or just after where the search area finishes.
show what Displays various things, depending on what:
show breaks
Prints a list of all breakpoints that have
been set
with the break command.
show extents
Prints a detailed list of all extents.
show malloc [addr]
Prints malloc debugging information if
available. If
an optional address is specified, only information
about that address is printed.
show map [/f] addr
Prints the vm_map at addr. If the /f modifier is specified
the complete map is printed.
show object [/f] addr
Prints the vm_object at addr. If the /f
modifier is
specified the complete object is printed.
show page [/f] addr
Prints the vm_page at addr. If the /f
modifier is
specified the complete page is printed.
show pool [/clp] addr
Prints the pool at addr. Valid modifiers:
/c Print the cachelist and its statistics for this
pool.
/l Print the log entries for this pool.
/p Print the pagelist for this pool.
show proc [addr]
Prints the struct proc at addr. If an optional address
is not specified curproc is assumed.
show registers [/u]
Display the register set. If the /u modifier is specified,
it displays user registers (or the
currently
saved registers) instead of the kernel's.
Note: The /u
modifier is not supported on every machine, in which
case incorrect information may be displayed.
show uvmexp
Displays a selection of uvm counters and
statistics.
show watches
Displays all watchpoints set with the
watch command.
show all procs [/anw]
Display information on all processes.
/n (Default) Show process information in
a ps(1)-like
format. Information printed includes
process ID,
parent process ID, process group,
UID, process
status, process flags, process command name, and
process wait channel message.
/a Shows the kernel virtual addresses of
each process'
proc structure, u-area, and
vmspace structure.
The vmspace address is also
the address of
the process' vm_map structure and can
be used in
the show map command.
/w Shows each process' PID, command,
system call emulation,
wait channel address, and
wait channel
message.
show all callout
Display the contents of the callout table.
callout A synonym for the show all callout command.
ps [/anw] A synonym for show all procs.
ddb denotes registers and variables by $name. Register
names can be
found with the show registers command.
Some variable names are suffixed with numbers, and some may
have a modifier
following a colon immediately after the variable name.
For example,
register variables can have the `:u' modifier to indicate a
user register
(e.g., `$eax:u').
Built-in debugger variables currently supported are:
$radix Input and output radix.
$maxoff Addresses are printed as symbol+offset unless offset is
greater than $maxoff.
$maxwidth The width of the displayed lines.
$lines The number of lines to page. This is used
by the
``more'' feature.
$tabstops Tab stop width.
$workxx Work variables. The suffix xx is a number
from 0 to
31.
Almost all expression operators in C are supported except
for `~', `^',
and unary `&'. Special rules for expressions in ddb are:
identifier The name of a symbol. It is translated to the address
(or value) of the symbol. `.'
and `:' can
be used in the identifier. The following can be
accepted as an identifier, if supported by an object
format dependent routine:
[filename:]func [:linenumber]
[filename:] variable
filename [:linenumber]
The symbol may be prefixed with
`symboltablename::' (e.g.,
`emulator::mach_msg_trap') to specify
other than
kernel symbols.
number The radix is determined by the first
two letters:
`0x': hex, `0o': octal, `0t': decimal, otherwise,
the value of $radix is used.
. dot: the current address.
+ next: the next address.
.. The address of the start of the last
line examined.
Unlike dot or next, this is
only changed by
the examine or write command.
' The last address explicitly specified.
$variable The value of a register or variable.
The name may
be followed by a `:' and modifiers as
described
above with identifier.
expr # expr A binary operator which rounds up the
left hand
side to the next multiple of right
hand side.
*expr Indirection. It may be followed by a
':' and modifiers
as described above.
gdb(1), nm(1), sysctl.conf(5), hangman(6), kgdb(7),
crash(8), sysctl(8),
extent(9), pool(9), uvm(9)
This kernel facility first appeared in MACH 2 operating system developed
by CMU. Hangman (which stands for "hangs maniacal analyzer") first appeared
in OpenBSD 1.2.
OpenBSD 3.6 November 30, 1993
[ Back ] |
