xref: /openbsd-src/share/man/man4/ddb.4 (revision b2ea75c1b17e1a9a339660e7ed45cd24946b230e)

.\"	$OpenBSD: ddb.4,v 1.27 2001/08/03 15:21:16 mpech Exp $
.\"	$NetBSD: ddb.4,v 1.5 1994/11/30 16:22:09 jtc Exp $
.\"
.\" Mach Operating System
.\" Copyright (c) 1991,1990 Carnegie Mellon University
.\" All Rights Reserved.
.\"
.\" Permission to use, copy, modify and distribute this software and its
.\" documentation is hereby granted, provided that both the copyright
.\" notice and this permission notice appear in all copies of the
.\" software, derivative works or modified versions, and any portions
.\" thereof, and that both notices appear in supporting documentation.
.\"
.\" CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
.\" CONDITION.  CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
.\" ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
.\"
.\" Carnegie Mellon requests users of this software to return to
.\"
.\"  Software Distribution Coordinator  or  Software.Distribution@CS.CMU.EDU
.\"  School of Computer Science
.\"  Carnegie Mellon University
.\"  Pittsburgh PA 15213-3890
.\"
.\" any improvements or extensions that they make and grant Carnegie Mellon
.\" the rights to redistribute these changes.
.\"
.Dd November 30, 1993
.Dt DDB 4
.Os
.Sh NAME
.Nm ddb
.Nd kernel debugger
.Sh DESCRIPTION
The kernel debugger has most of the features of the old kdb,
but with a more rational
.Pf ( Xr gdb 1 No Ns \&-like )
syntax.
.Pp
.Nm
prompts for commands on the console with:
.Pp
.Bd -literal -offset indent
ddb>
.Ed
.Pp
The general syntax of a
.Nm
command is:
.Pp
.Bd -ragged -offset indent
.Ar command
.Oo Ic / Ns Ar modifiers Oc " "
.Oo Ar address Oc Ns
.Oo Ic \&, Ns Ar count Oc
.Ed
.Pp
To save typing,
.Nm
makes use of a context inferred from previous commands.
In this context,
the current location is called
.Va dot .
.\" The
.\" .Va dot
.\" is displayed with
.\" a hexadecimal format at a prompt.
The
.Ic examine ,
.Ic search ,
and
.Ic write
commands update
.Va dot
to be that of the last address
examined or the last location modified, and
have intuitive effects on
.Va next
and
.Va prev .
All the other commands do not change
.Va dot ,
and set
.Va next
to be the same.
(See
.Sx VARIABLES . )
.Pp
.\" Specifying
.\" .Ar address
.\" in a command sets
.\" .Va dot .
An expression can be used in place of
.Ar address
(see
.Sx EXPRESSIONS ) .
Omitting
.Ar address
in a command uses the last value of
.Va dot .
A missing
.Ar count
is taken to be 1 for printing commands or \*(If
for stack traces.
Entering a blank line causes the last command to be repeated using
.Va next
in place of
.Ar address ,
a
.Ar count
of 1, and no modifiers.
.Pp
.Nm
has a feature like
.Xr more 1
for the output.
If the number of lines output in response to one command exceeds the number
set in the
.Va \&$lines
variable, it displays the message
.Ql "--db_more--"
and waits for a response.
.Pp
The valid responses are:
.Pp
.Bl -tag -width 10n -offset indent -compact
.It <space>
One more page.
.It <return>
One more line.
.It Ic q
Abort the current command, and return to the command input mode.
.El
.Pp
The following command line editing keys are provided:
.Pp
.Bl -tag -width 10n -offset indent -compact
.It Ic \&^b
back up one character
.It Ic \&^f
forward up one character
.It Ic \&^a
beginning of line
.It Ic \&^e
end of line
.It Ic \&^w
erase word back
.It Ic \&^h No | <del>
erase previous character
.It Ic \&^d
erase next character
.It Ic \&^k
delete to end of line
.It Ic \&^u
delete line
.It Ic \&^p
previous in command history
.It Ic \&^n
next in command history
.It Ic \&^r
redraw line
.El
.\" .Pp
.\" During command execution,
.\" .Nm ddb
.\" is sensitive only to the following keystrokes:
.\" .Bl -tag -width 10n -compact -offset indent
.\" .It Ic \&^s
.\" pause
.\" .It Ic \&^q
.\" unpause
.\" .It Ic \&^c
.\" abort command (even if paused)
.\" .El
.Pp
.Nm
is only available if the kernel was configured with the DDB option.
.Nm
will be invoked upon a kernel panic when the
.Xr sysctl 8
name
.Va ddb.panic
is set to 1.
.Nm
may be invoked from the console by the key sequence
.Li Ctl-Alt-Esc
when the
.Xr sysctl 8
name
.Va ddb.console
is set to 1.
.Sh COMMANDS
The following commands may be typed at the
.Ql ddb>
prompt.
Some commands consist of more than one word, and if only the first word
or words are entered, the possible alternatives to complete the command
are displayed and no other action is performed.
.Bl -tag -width 10n
.\" --------------------
.It Ic help
List the available commands.
.\" --------------------
.It Xo
.Oo Ic e Oc Ns
.Ic x Ns Oo Ic amine Oc
.Op Cm /bhlaAxzodurcsmiI
.Op Ar addr Ns
.Op Ic \&, Ns Ar count
.Xc
Display the contents at address
.Ar addr
according to the formats in the modifier.
Multiple modifier formats display multiple locations.
If no format is specified, the last formats specified for this command
is used.
.Pp
The format characters are:
.Pp
.Bl -tag -width 4n -compact
.It Cm /b
look at by bytes (8 bits)
.It Cm /h
look at by half words (16 bits)
.It Cm /l
look at by long words (32 bits) (default)
.It Cm /a
print the location being displayed
.It Cm /A
print the location with a line number if possible
.It Cm /x
display in unsigned hex
.It Cm /z
display in signed hex
.It Cm /o
display in unsigned octal
.It Cm /d
display in signed decimal
.It Cm /u
display in unsigned decimal
.It Cm /r
display in current radix, signed
.It Cm /c
display low 8 bits as a character.
Non-printing characters are displayed as an octal escape code (e.g., '\\000').
.It Cm /s
display the null-terminated string at the location.
Non-printing characters are displayed as octal escapes.
.It Cm /m
display in unsigned hex with character dump at the end of each line.
The location is also displayed in hex at the beginning of each line.
.It Cm /i
display as an instruction
.It Cm /I
display as an alternate format instruction depending on the
machine:
.Pp
.Bl -tag -width powerpc_ -compact
.It vax
Don't assume that each external label is a procedure entry mask.
.It i386
Don't round to the next long word boundary.
.It mips
Print register contents.
.El
.El
.Pp
The value of
.Va next
is set to the
.Ar addr
plus the size of the data examined.
.\" --------------------
.It Ic xf
Examine forward.
Execute an
.Ic examine
command with the last specified parameters to it
except that the next address displayed by it is used as the start address.
.\" --------------------
.It Ic xb
Examine backward.
Executes an
.Ic examine
command with the last specified parameters to it
except that the last start address subtracted by the size displayed by it
is used as the start address.
.\" --------------------
.It Xo
.Ic print
.Op Cm /axzodurc
.Op Ar addr Op addr ...
.Xc
Print each
.Ar addr
according to the modifier character.
The valid modifiers are a subset of those from the
.Ic examine
command, and act as described there.
If no modifier is specified, the last one specified in a
previous use of
.Ic print
is used.
The
.Ar addr
argument
can be a string, and it is printed as a literal.
.Pp
For example,
.Bd -literal -offset indent
print/x "eax = " $eax "\enecx = " $ecx "\en"
.Ed
.Pp
will print something like this:
.Bd -literal -offset indent
eax = xxxxxx
ecx = yyyyyy
.Ed
.\" --------------------
.\" .It Xo Ic w Ns Op Cm /bhl
.\" .Op Ar addr
.\" .Ar expr Op expr ...
.\" .Xc
.It Xo
.Ic w Ns Oo Ic rite Oc
.Op Cm /bhl
.Op Ar addr
.Ar expr Op expr ...
.Xc
Write the value of each
.Ar expr
expression at succeeding locations start at
.Ar addr .
The write unit size can be specified using one of the modifiers:
.Pp
.Bl -tag -width 4n -offset indent -compact
.It Cm /b
byte (8 bits)
.It Cm /h
half word (16 bits)
.It Cm /l
long word (32 bits) (default)
.El
.Pp
The value of
.Va next
is set to
.Ar addr
plus the size of values written.
.Pp
.Sy Warning:
since there is no delimiter between expressions, the
command may not parse as you expect.
It is best to enclose each expression in parentheses.
.\" --------------------
.It Xo Ic set
.Ic \&$ Ns Ar name
.Op Ic \&=
.Ar expr
.Xc
Set the named variable or register with the value of
.Ar expr .
Valid variable names are described below.
.It Ic boot Ar how
Reboot the machine depending on
.Ar how :
.Bl -tag -width "boot crashx" -compact -indent offset
.It Ic boot sync
Sync disks and reboot.
.It Ic boot crash
Dump core and reboot.
.It Ic boot dump
Sync disks, dump core and reboot.
.It Ic boot halt
Just halt.
.El
.\" --------------------
.It Xo
.Ic break
.Op Cm /u
.Op Ar addr Ns
.Op Ic \&, Ns Ar count
.Xc
Set a break point at
.Ar addr .
If
.Ar count
is supplied,
.Nm
allows the breakpoint to be silently hit
.Ar ( count No \&- 1 )
times before stopping at the
break point.
.Pp
If the break point is successfully set, a break point number is
displayed, in the form
.Ic # Ns Ar number .
This can later be used in deleting the break point
or for adding conditions to it.
.Pp
When the
.Cm /u
modifier is specified,
.Ar addr
is taken as a user space address.
Without it, the address is considered in the kernel space.
Wrong space addresses are rejected with an error message.
The
.Cm /u
modifier can be used only if it is supported by machine dependent
routines.
.Pp
.Sy Warning:
if a user text is shadowed by a normal user space debugger,
user space break points may not work correctly.
Setting a breakpoint at the low-level code paths may also cause strange
behavior.
.\" --------------------
.\" .It Xo Ic d
.\" .Op Ar addr | Ic # Ns Ar number
.\" .Xc
.It Xo
.Ic d Ns Oo Ic elete Oc
.Op Ar addr | Ic # Ns Ar number
.Xc
Delete the break point set with the
.Ic break
command.
.\" --------------------
.\" .It Xo Ic s Ns Op Cm /p
.\" .Op Ic \&, Ns Ar count
.\" .Xc
.It Xo
.Ic s Ns Oo Ic tep Oc
.Op Cm /p
.Op Ic \&, Ns Ar count
.Xc
Single step
.Ar count
times.
If the
.Cm /p
modifier is specified, print each instruction at each step.
Otherwise, only print the last instruction.
.Pp
.Sy Warning:
depending on machine type, it may not be possible to
single-step through some low-level code paths or user space code.
On machines with software-emulated single-stepping (e.g., pmax),
stepping through code executed by interrupt handlers will probably
do the wrong thing.
.\" --------------------
.It Ic call Ar name Ns Xo
.Ic \&( Ns Ar expr
.Op Ic \&, Ar expr ...
.Ic \&)
.Xc
Call the function named by
.Ar name
with the argument(s) listed in parentheses.
Parentheses may be omitted if the function takes no arguments.
The number of arguments is currently limited to 10.
.\" --------------------
.\" .It Ic c Ns Op Cm /c
.It Xo
.Ic c Ns Oo Ic ontinue Oc
.Op Cm /c
.Xc
Continue execution until a breakpoint or watchpoint.
If the
.Cm /c
modifier is given, instructions are counted while executing.
Some machines (e.g., pmax) also count loads and stores.
.Pp
.Sy Warning:
when counting with
.Cm /c ,
.Nm
is really silently single-stepping.
This means that single-stepping on low-level code may cause strange
behavior.
.\" --------------------
.It Xo
.Ic watch
.Ar addr
.Op Ic \&, Ns Ar size
.Xc
Set a watchpoint for the region starting at
.Ar addr .
Execution stops and control returns to
.Nm
when an attempt is made to modify a watched region.
The
.Ar size
argument defaults to 4.
.Pp
If you specify a wrong space address, the request is rejected
with an error message.
.Pp
.Sy Warning:
attempts to watch wired kernel memory
may cause unrecoverable error on some systems (e.g., i386).
Watchpoints on user addresses work best.
.\" --------------------
.It Ic dwatch Ar addr
Delete the watchpoint at address
.Ar addr
that was previously set with
.Ic watch
command.
.\" --------------------
.It Xo
.Ic hangman
.Op Cm /s Ns Op Ic 0-9
.Xc
This is tiny and handy tool for random kernel hangs analysis, of which its
depth is controlled by the optional argument of the default value of five.
It uses some sophisticated heuristics to spot the global symbol that
caused the hang.
Since the discovering algorithm is a probabilistic one
you may spend substantial time to figure the exact symbol name.
This smart thing requires a little of your attention, the input it accepts
is mostly of the same format as that of the famous
.Xr hangman 6
game, to which it, apparently, is obliged by the name.
Hint: the
.Xr nm 1
utility might help.
.\" --------------------
.It Xo
.Ic until
.Op Cm /p
.Xc
Stop at the next
.Qq call
or
.Qq return
instruction.
If
.Cm /p
modifier is specified,
.Nm
prints the call nesting depth and the
cumulative instruction count at each call or return.
Otherwise, it stays silent until the matching return is hit.
.\" --------------------
.It Ic match Op Cm /p
Stop at the next matching return instruction.
If the
.Cm /p
modifier is specified,
.Nm
prints the call nesting depth and the
cumulative instruction count at each call or return.
Otherwise, it remains mostly quiet.
.\" --------------------
.It Ic next Op Cm /p
The
.Ic next
command is a synonym for
.Ic match .
.\" --------------------
.It Xo
.Ic trace
.Op Cm /u
.Op Ar frameaddr Ns
.Op Ic \&, Ns Ar count
.Xc
Show the stack trace.
The
.Cm /u
modifier shows the stack trace of user space;
If omitted, the kernel stack is traced instead.
The
.Ar count
argument is the limit on the number of frames to be followed.
If
.Ar count
is omitted, all frames are printed.
.Pp
.Sy Warning:
user space stack trace is valid
only if the machine dependent code supports it.
.\" --------------------
.It Xo
.Ic search
.Op Cm /bhl
.Op Ar addr
.Ar value
.Op Ar mask
.Op Ic \&, Ns Ar count
.Xc
Search memory for a value beginning at
.Ar addr .
This command might fail in interesting
ways if it doesn't find the searched-for value.
This is because
.Nm
doesn't always recover from touching bad memory.
The optional
.Ar count
argument limits the search.
The modifiers are the same as those of the
.Ic write
command.
.Pp
The
.Va next
address is set to the address where
.Ar value
is found, or just after where the search area finishes.
.\" --------------------
.It Ic show Ar what
Displays various things, depending on
.Ar what :
.Bl -tag -width 4n
.\" --------------------
.It Ic show breaks
Prints a list of all breakpoints that have been set with the
.Ic break
command.
.\" --------------------
.It Ic show extents
Prints a detailed list of all extents.
.\" --------------------
.It Xo
.Ic show map
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li vm_map
at
.Ar addr .
If the
.Cm /f
modifier is specified the complete map is printed.
.\" --------------------
.It Xo
.Ic show malloc
.Op Ar addr
.Xc
Prints malloc debugging information if available.
If an optional address is specified, only information about that address
is printed.
.\" --------------------
.It Xo
.Ic show object
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li vm_object
at
.Ar addr .
If the
.Cm /f
modifier is specified the complete object is printed.
.\" --------------------
.It Xo
.Ic show registers
.Op Cm /u
.Xc
Display the register set.
If the
.Cm /u
modifier is specified, it displays user registers (or the currently
saved registers) instead of the kernel's.
Note: The
.Cm /u
modifier is not supported on every machine, in which case
incorrect information may be displayed.
.\" --------------------
.It Ic show watches
Displays all watchpoints set with the
.Ic watch
command.
.\" --------------------
.It Xo
.Ic show all procs
.Op Cm /anw
.Xc
Display information on all processes.
.Pp
.Bl -tag -width foo -compact
.It Cm /n
(Default) Show process information in a
.Xr ps 1 No Ns \&-like
format.
Information printed includes process ID, parent
process ID, process group, UID, process status, process flags, process
command name, and process wait channel message.
.It Cm /a
Shows the kernel virtual addresses of each process'
proc structure, u-area, and vmspace structure.
The vmspace address is also the address of the process'
.Li vm_map
structure
and can be used in the
.Ic show map
command.
.It Cm /w
Shows each process' PID, command, system call emulation,
wait channel address, and wait channel message.
.El
.\" --------------------
.It Ic show all callout
Display the contents of the callout table.
.El
.It Ic callout
A synonym for the
.Ic show all callout
command.
.\" --------------------
.It Xo
.Ic ps
.Op Cm /anw
.Xc
A synonym for
.Ic show all procs .
.\" --------------------
.El
.Sh VARIABLES
.Nm
denotes registers and variables by
.Ic $ Ns Va name .
Register names can be found with the
.Ic show registers
command.
.Pp
Some variables names are suffixed with numbers, and some may have a modifier
following a colon immediately after the variable name.
For example, register variables can have the
.Ql :u
modifier to indicate a
user register (e.g.,
.Ql \&$eax:u ) .
.Pp
Built-in debugger variables currently supported are:
.Bl -tag -width 10n -compact -offset indent
.It Va \&$radix
Input and output radix
.It Va \&$maxoff
Addresses are printed as
.Ar symbol Ns Li + Ns Ar offset
unless
.Ar offset
is greater than
.Va \&$maxoff.
.It Va \&$maxwidth
The width of the displayed lines.
.It Va \&$lines
The number of lines to page.
This is used by the
.Dq more
feature.
.It Va \&$tabstops
Tab stop width.
.It Va \&$work Ns Ar xx
Work variables.
The suffix
.Ar xx
is a number from 0 to 31.
.El
.Sh EXPRESSIONS
Almost all expression operators in C are supported except for
.Ql \&~ ,
.Ql \&^ ,
and unary
.Ql \&& .
Special rules for expressions in
.Nm
are:
.Bl -tag -width 15n -compact -offset indent
.It Ar identifier
The name of a symbol.
It is translated to the address (or value) of the symbol.
.Ql \&.
and
.Ql \&:
can be used in the identifier.
The following can be accepted as an identifier,
if supported by an object format dependent routine:
.Bl -item -offset indent -compact
.It
.Sm off
.Oo Ar filename Li \&: Oc Ar func
.Oo \&: Ar linenumber Oc
.It
.Op Ar filename \&:
.Ar variable
.It
.Ar filename
.Op \&: Ar linenumber
.Sm on
.El
The symbol may be prefixed with
.Ql Ar symboltablename Ns \&::
(e.g.,
.Ql emulator::mach_msg_trap )
to specify other than kernel symbols.
.It Ar number
The radix is determined by the first two letters:
.Ql 0x :
hex,
.Ql 0o :
octal,
.Ql 0t :
decimal, otherwise, the value of
.Va \&$radix
is used.
.It Li \&.
.Va dot :
the current address.
.It Li \&+
.Va next :
the next address.
.It Li \..
The address of the start of the last line examined.
Unlike
.Va dot
or
.Va next ,
this is only changed by the
.Ic examine
or
.Ic write
command.
.It Li \&'
The last address explicitly specified.
.It Li \&$ Ns Ar variable
The value of a register or variable.
The name may be followed by a
.Ql \&:
and modifiers as described above with
.Ar identifier .
.It Ar expr Li \&# Ar expr
A binary operator which rounds up the left hand side to the next
multiple of right hand side.
.It Li \&* Ns Ar expr
Indirection.
It may be followed by a ':' and  modifiers as described above.
.El
.Sh SEE ALSO
.Xr gdb 1 ,
.Xr nm 1 ,
.Xr sysctl.conf 5 ,
.Xr hangman 6 ,
.Xr sysctl 8 ,
.Xr extent 9
.Sh HISTORY
This kernel facility first appeared in MACH 2 operating system
developed by CMU.
Hangman (which stands for "hangs maniacal analyzer") first appeared in
.Ox 1.2 .