OpenBSD-4.6/share/man/man4/ddb.4

Compare this file to the similar file:
Show the results in this format: 

.\"	$OpenBSD: ddb.4,v 1.58 2009/02/22 15:10:41 jsing Exp $
.\"	$NetBSD: ddb.4,v 1.5 1994/11/30 16:22:09 jtc Exp $
.\"
.\" Mach Operating System
.\" Copyright (c) 1991,1990 Carnegie Mellon University
.\" All Rights Reserved.
.\"
.\" Permission to use, copy, modify and distribute this software and its
.\" documentation is hereby granted, provided that both the copyright
.\" notice and this permission notice appear in all copies of the
.\" software, derivative works or modified versions, and any portions
.\" thereof, and that both notices appear in supporting documentation.
.\"
.\" CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
.\" CONDITION.  CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
.\" ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
.\"
.\" Carnegie Mellon requests users of this software to return to
.\"
.\"  Software Distribution Coordinator  or  Software.Distribution@CS.CMU.EDU
.\"  School of Computer Science
.\"  Carnegie Mellon University
.\"  Pittsburgh PA 15213-3890
.\"
.\" any improvements or extensions that they make and grant Carnegie Mellon
.\" the rights to redistribute these changes.
.\"
.Dd $Mdocdate: February 22 2009 $
.Dt DDB 4
.Os
.Sh NAME
.Nm ddb
.Nd kernel debugger
.Sh DESCRIPTION
The
.Nm
debugger provides a means for debugging the kernel,
and analysing the kernel after a system crash ("panic"), with a
.Xr gdb 1 Ns \&-like
syntax.
.Pp
.Nm
is invoked upon a kernel panic when the
.Xr sysctl 8
.Va ddb.panic
is set to 1.
It may be invoked from the console when the sysctl
.Va ddb.console
is set to 1, using any of the following methods:
.Pp
.Bl -dash -offset 3n
.It
Using the key sequence
.Li Ctrl-Alt-Esc .
.It
Sending a
.Dv BREAK
when using a serial console.
.It
Writing to the sysctl
.Va ddb.trigger .
.It
For i386 and amd64 architectures,
using the key sequence
.Li Ctrl-Alt-Delete
when the sysctl
.Va machdep.kbdreset
is set to 2.
.El
.Pp
.Nm
prompts for commands on the console with:
.Pp
.Dl ddb\*(Gt
.Pp
The general syntax of a
.Nm
command is:
.Bd -ragged -offset indent
.Ar command
.Oo Ic / Ns Ar modifiers Oc " "
.Oo Ar address Oc Ns
.Op Ic \&, Ns Ar count
.Ed
.Pp
To save typing,
.Nm
makes use of a context inferred from previous commands.
In this context,
the current location is called
.Va dot .
.\" The
.\" .Va dot
.\" is displayed with
.\" a hexadecimal format at a prompt.
The
.Ic examine ,
.Ic search ,
and
.Ic write
commands update
.Va dot
to be that of the last address
examined or the last location modified, and
have intuitive effects on
.Va next
and
.Va prev .
All the other commands do not change
.Va dot ,
and set
.Va next
to be the same.
(See
.Sx VARIABLES . )
.Pp
.\" Specifying
.\" .Ar address
.\" in a command sets
.\" .Va dot .
An expression can be used in place of
.Ar address
(see
.Sx EXPRESSIONS ) .
Omitting
.Ar address
in a command uses the last value of
.Va dot .
A missing
.Ar count
is taken to be 1 for printing commands or \*(If
for stack traces.
Entering a blank line causes the last command to be repeated using
.Va next
in place of
.Ar address ,
a
.Ar count
of 1, and no modifiers.
.Pp
.Nm
has a feature like
.Xr more 1
for the output.
If the number of lines output in response to one command exceeds the number
set in the
.Va $lines
variable, it displays the message
.Ql "--db_more--"
and waits for a response.
.Pp
The valid responses are:
.Pp
.Bl -tag -width 10n -offset indent -compact
.It Aq Ic space
One more page.
.It Aq Ic return
One more line.
.It Ic q
Abort the current command, and return to the command input mode.
.El
.Pp
The following command line editing keys are provided:
.Pp
.Bl -tag -width 10n -offset indent -compact
.It Ic ^b
back one character
.It Ic ^f
forward one character
.It Ic ^a
beginning of line
.It Ic ^e
end of line
.It Ic ^w
erase word back
.It Ic ^h | Aq Ic del
erase previous character
.It Ic ^d
erase next character
.It Ic ^k
delete to end of line
.It Ic ^u
delete line
.It Ic ^p
previous in command history
.It Ic ^n
next in command history
.It Ic ^r
redraw line
.It Ic ^t
exchange the two characters to the left of the cursor
.El
.Sh COMMANDS
The following commands may be typed at the
.Ql ddb\*(Gt
prompt.
Some commands consist of more than one word, and if only the first word
or words are entered, the possible alternatives to complete the command
are displayed and no other action is performed.
.Bl -tag -width 10n
.\" --------------------
.It Ic help
List the available commands.
.\" --------------------
.It Xo
.Oo Ic e Oc Ns
.Ic x Ns Op Ic amine
.Op Cm /bhlaAxzodurcsmiI
.Op Ar addr Ns
.Op Ic \&, Ns Ar count
.Xc
Display the contents at address
.Ar addr
according to the formats in the modifier.
Multiple modifier formats display multiple locations.
If no format is specified, the last formats specified for this command
are used.
.Pp
The format characters are:
.Pp
.Bl -tag -width 4n -compact
.It Cm /b
look at by bytes (8 bits)
.It Cm /h
look at by half words (16 bits)
.It Cm /l
look at by long words (32 bits) (default)
.It Cm /q
look at by long longs (64 bits) (only available on 64-bit platforms)
.It Cm /a
print the location being displayed
.It Cm /A
print the location with a line number if possible
.It Cm /x
display in unsigned hex
.It Cm /z
display in signed hex
.It Cm /o
display in unsigned octal
.It Cm /d
display in signed decimal
.It Cm /u
display in unsigned decimal
.It Cm /r
display in current radix, signed
.It Cm /c
display low 8 bits as a character.
Non-printing characters are displayed as an octal escape code (e.g., '\\000').
.It Cm /s
display the null-terminated string at the location.
Non-printing characters are displayed as octal escapes.
.It Cm /m
display in unsigned hex with character dump at the end of each line.
The location is also displayed in hex at the beginning of each line.
.It Cm /i
display as an instruction
.It Cm /I
display as an alternate format instruction depending on the
machine:
.Pp
.Bl -tag -width powerpc_ -compact
.It alpha
Print affected register contents for every instruction.
.It amd64 ,
.It i386
Do not skip padding to the next long word boundary for unconditional jumps.
.It m68k
Use
.Tn Motorola
assembly syntax.
.It m88k
Decode instructions for the opposite CPU model (e.g. m88110 when running on an
m88100 processor).
.It vax
Don't assume that each external label is a procedure entry mask.
.El
.El
.Pp
The value of
.Va next
is set to the
.Ar addr
plus the size of the data examined.
.\" --------------------
.It Xo
.Ic print
.Op Cm /axzodurc
.Op Ar addr Op Ar addr ...
.Xc
Print each
.Ar addr
according to the modifier character.
The valid modifiers are a subset of those from the
.Ic examine
command, and act as described there.
If no modifier is specified, the last one specified in a
previous use of
.Ic print
is used.
The
.Ar addr
argument
can be a string, and it is printed as a literal.
.Pp
For example,
.Bd -literal -offset indent
print/x "eax = " $eax "\enecx = " $ecx "\en"
.Ed
.Pp
will print something like this:
.Bd -literal -offset indent
eax = xxxxxx
ecx = yyyyyy
.Ed
.\" --------------------
.\" .It Xo Ic w Ns Op Cm /bhl
.\" .Op Ar addr
.\" .Ar expr Op expr ...
.\" .Xc
.It Xo
.Ic w Ns Op Ic rite
.Op Cm /bhl
.Op Ar addr
.Ar expr Op Ar expr ...
.Xc
Write the value of each
.Ar expr
expression at succeeding locations start at
.Ar addr .
The write unit size can be specified using one of the modifiers:
.Pp
.Bl -tag -width 4n -offset indent -compact
.It Cm /b
byte (8 bits)
.It Cm /h
half word (16 bits)
.It Cm /l
long word (32 bits) (default)
.El
.Pp
The value of
.Va next
is set to
.Ar addr
plus the size of values written.
.Pp
.Sy Warning:
since there is no delimiter between expressions, the
command may not parse as you expect.
It is best to enclose each expression in parentheses.
.\" --------------------
.It Xo Ic set
.Ic $ Ns Ar name
.Op Ic =
.Ar expr
.Xc
Set the named variable or register with the value of
.Ar expr .
Valid variable names are described below.
.It Ic boot Ar how
Reboot the machine depending on
.Ar how :
.Pp
.Bl -tag -width "boot poweroff" -compact
.It Ic boot sync
Sync disks and reboot.
.It Ic boot crash
Dump core and reboot.
.It Ic boot dump
Sync disks, dump core and reboot.
.It Ic boot halt
Just halt.
.It Ic boot reboot
Just reboot.
.It Ic boot poweroff
Power down the machine whenever possible; if it fails, just halt.
.El
.\" --------------------
.It Xo
.Ic break
.Op Ar addr Ns
.Op Ic \&, Ns Ar count
.Xc
Set a break point at
.Ar addr .
If
.Ar count
is supplied,
.Nm
allows the breakpoint to be silently hit
.Ar ( count No \- 1 )
times before stopping at the
break point.
.Pp
If the break point is successfully set, a break point number is
displayed, in the form
.Ic # Ns Ar number .
This can later be used in deleting the break point
or for adding conditions to it.
.\" --------------------
.\" .It Xo Ic d
.\" .Op Ar addr | Ic # Ns Ar number
.\" .Xc
.It Xo
.Ic d Ns Op Ic elete
.Op Ar addr | Ic # Ns Ar number
.Xc
Delete the break point set with the
.Ic break
command.
.\" --------------------
.\" .It Xo Ic s Ns Op Cm /p
.\" .Op Ic \&, Ns Ar count
.\" .Xc
.It Xo
.Ic s Ns Op Ic tep
.Op Cm /p
.Op Ic \&, Ns Ar count
.Xc
Single step
.Ar count
times.
If the
.Cm /p
modifier is specified, print each instruction at each step.
Otherwise, only print the last instruction.
.Pp
.Sy Warning:
depending on machine type, it may not be possible to
single-step through some low-level code paths or user space code.
On machines with software-emulated single-stepping (e.g., pmax),
stepping through code executed by interrupt handlers will probably
do the wrong thing.
.\" --------------------
.It Ic call Ar name Ns Xo
.Ic \&( Ns Ar expr
.Op Ic \&, Ar expr ...
.Ic \&)
.Xc
Call the function named by
.Ar name
with the argument(s) listed in parentheses.
Parentheses may be omitted if the function takes no arguments.
The number of arguments is currently limited to 10.
.\" --------------------
.\" .It Ic c Ns Op Cm /c
.It Xo
.Ic c Ns Op Ic ontinue
.Op Cm /c
.Xc
Continue execution until a breakpoint or watchpoint.
If the
.Cm /c
modifier is given, instructions are counted while executing.
Some machines (e.g., pmax) also count loads and stores.
.Pp
.Sy Warning:
when counting with
.Cm /c ,
.Nm
is really silently single-stepping.
This means that single-stepping on low-level code may cause strange
behavior.
.\" --------------------
.It Xo
.Ic watch
.Ar addr
.Op Ic \&, Ns Ar size
.Xc
Set a watchpoint for the region starting at
.Ar addr .
Execution stops and control returns to
.Nm
when an attempt is made to modify a watched region.
The
.Ar size
argument defaults to 4.
.Pp
If you specify a wrong space address, the request is rejected
with an error message.
.Pp
.Sy Warning:
attempts to watch wired kernel memory
may cause an unrecoverable error on some systems (e.g., i386).
Watchpoints on user addresses work best.
.\" --------------------
.It Ic dwatch Ar addr
Delete the watchpoint at address
.Ar addr
that was previously set with a
.Ic watch
command.
.\" --------------------
.It Xo
.Ic hangman
.Op Cm /s Ns Op Ic 0-9
.Xc
This is a tiny and handy tool for random kernel hangs analysis, of which its
depth is controlled by the optional argument of the default value of five.
It uses some sophisticated heuristics to spot the global symbol that
caused the hang.
Since the discovering algorithm is a probabilistic one,
you may spend substantial time to figure the exact symbol name.
This smart thing requires a little of your attention, the input it accepts
is mostly of the same format as that of the famous
.Xr hangman 6
game, to which it, apparently, is obliged by the name.
Hint: the
.Xr nm 1
utility might help.
.\" --------------------
.It Ic until Op Cm /p
Stop at the next
.Qq call
or
.Qq return
instruction.
If the
.Cm /p
modifier is specified,
.Nm
prints the call nesting depth and the
cumulative instruction count at each call or return.
Otherwise, it stays silent until the matching return is hit.
.\" --------------------
.It Ic match Op Cm /p
Stop at the next matching return instruction.
If the
.Cm /p
modifier is specified,
.Nm
prints the call nesting depth and the
cumulative instruction count at each call or return.
Otherwise, it remains mostly quiet.
.\" --------------------
.It Ic next Op Cm /p
The
.Ic next
command is a synonym for
.Ic match .
.\" --------------------
.It Xo
.Ic trace
.Op Cm /pu
.Op Ar frameaddr Ns
.Op Ic \&, Ns Ar count
.Xc
Show the stack trace.
The
.Cm /p
modifier interprets the
.Ar frameaddr
argument as the PID of a process and shows the stack trace of
that process.
The
.Cm /p
modifier is not supported on all platforms.
The
.Cm /u
modifier shows the stack trace of user space;
if omitted, the kernel stack is traced instead.
The
.Ar count
argument is the limit on the number of frames to be followed.
If
.Ar count
is omitted, all frames are printed.
.Pp
.Sy Warning:
user space stack trace is valid
only if the machine dependent code supports it.
.\" --------------------
.It Xo
.Ic search
.Op Cm /bhl
.Op Ar addr
.Ar value
.Op Ar mask
.Op Ic \&, Ns Ar count
.Xc
Search memory for a value beginning at
.Ar addr .
This command might fail in interesting
ways if it doesn't find the searched-for value.
This is because
.Nm
doesn't always recover from touching bad memory.
The optional
.Ar count
argument limits the search.
The modifiers are the same as those of the
.Ic write
command.
.Pp
The
.Va next
address is set to the address where
.Ar value
is found, or just after where the search area finishes.
.\" --------------------
.It Ic show Ar what
Displays various things, depending on
.Ar what :
.Bl -tag -width 4n
.\" --------------------
.It Ic show breaks
Prints a list of all breakpoints that have been set with the
.Ic break
command.
.\" --------------------
.It Xo
.Ic show buf
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li struct buf
at
.Ar addr .
If the
.Cm /f
modifier is specified output will also include
.Li softdep
printout, if those are available.
.\" --------------------
.It Ic show extents
Prints a detailed list of all extents.
.\" --------------------
.It Ic show malloc Op Ar addr
Prints malloc debugging information if available.
If an optional address is specified, only information about that address
is printed.
.\" --------------------
.It Xo
.Ic show map
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li vm_map
at
.Ar addr .
If the
.Cm /f
modifier is specified the complete map is printed.
.\" --------------------
.It Xo
.Ic show mount
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li struct mount
at
.Ar addr .
If the
.Cm /f
modifier is specified prints out all
.Li vnodes
(see also
.Cm show vnode )
and also all
.Li bufs
(see also
.Cm show buf )
on all those vnodes.
.\" --------------------
.It Xo
.Ic show object
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li vm_object
at
.Ar addr .
If the
.Cm /f
modifier is specified the complete object is printed.
.\" --------------------
.It Xo
.Ic show page
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li vm_page
at
.Ar addr .
If the
.Cm /f
modifier is specified the complete page is printed.
.\" --------------------
.It Ic show panic
Prints the panic string.
.\" --------------------
.It Xo
.Ic show pool
.Op Cm /clp
.Ar addr
.Xc
Prints the
.Li pool
at
.Ar addr .
Valid modifiers:
.Bl -tag -width xxx -compact
.It Cm /c
Print the cachelist and its statistics for this pool.
.It Cm /l
Print the log entries for this pool.
.It Cm /p
Print the pagelist for this pool.
.El
.\" --------------------
.It Ic show proc Op Ar addr
Prints the
.Li struct proc
at
.Ar addr .
If an optional address is not specified
.Li curproc
is assumed.
.\" --------------------
.It Ic show registers Op Cm /u
Display the register set.
If the
.Cm /u
modifier is specified, it displays user registers (or the currently
saved registers) instead of the kernel's.
Note: The
.Cm /u
modifier is not supported on every machine, in which case
incorrect information may be displayed.
.\" --------------------
.It Ic show uvmexp
Displays a selection of uvm counters and statistics.
.\" --------------------
.It Xo
.Ic show vnode
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li struct vnode
at
.Ar addr .
If the
.Cm /f
modifier is specified prints out all
.Li bufs
(see also
.Cm show buf )
currently attached to this
.Li vnode .
.\" --------------------
.It Xo
.Ic show nfsreq
.Op Cm /f
.Ar addr
.Xc
Prints the
.Li struct nfsreq
at
.Ar addr.
If the
.Cm /f
modifier is specified prints out additional
information as well.
.\" --------------------
.It Ic show watches
Displays all watchpoints set with the
.Ic watch
command.
.\" --------------------
.It Ic show all procs Op Cm /anw
Display information on all processes.
.Pp
.Bl -tag -width foo -compact
.It Cm /n
(Default) Show process information in a
.Xr ps 1 Ns \&-like
format.
Information printed includes process ID, parent
process ID, process group, UID, process status, process flags, process
command name, and process wait channel message.
.It Cm /a
Shows the kernel virtual addresses of each process'
proc structure, u-area, and vmspace structure.
The vmspace address is also the address of the process'
.Li vm_map
structure
and can be used in the
.Ic show map
command.
.It Cm /w
Shows each process' PID, command, system call emulation,
wait channel address, and wait channel message.
.El
.\" --------------------
.It Ic show all callout
Display the contents of the callout table.
.\" --------------------
.It Ic show all pools Op Cm /a
Display information about all system pools in a format similar to
.Xr vmstat 8 .
.Pp
.Bl -tag -width foo -compact
.It Cm /a
Displays
.Dq interesting
address information.
.El
.\" --------------------
.It Ic show all mounts Op Cm /f
Display information on all mounted filesystems.
.Pp
.Bl -tag -width foo -compact
.It Cm /f
For each filesystem, list all its struct vnode addresses.
These addresses can be used in the
.Ic show vnode
command.
.El
.\" --------------------
.It Ic show all nfsreq
Display a list of pointers to all outstanding nfs requests.
.Pp
.El
.It Ic callout
A synonym for the
.Ic show all callout
command.
.\" --------------------
.It Ic ps Op Cm /anw
A synonym for
.Ic show all procs .
.\" --------------------
.El
.Sh VARIABLES
.Nm
denotes registers and variables by
.Ic $ Ns Va name .
Register names can be found with the
.Ic show registers
command.
.Pp
Some variable names are suffixed with numbers, and some may have a modifier
following a colon immediately after the variable name.
For example, register variables can have the
.Ql :u
modifier to indicate a
user register (e.g.,
.Ql $eax:u ) .
.Pp
Built-in debugger variables currently supported are:
.Bl -tag -width 10n -compact -offset indent
.It Va $radix
Input and output radix.
.It Va $maxoff
Addresses are printed as
.Ar symbol Ns Li + Ns Ar offset
unless
.Ar offset
is greater than
.Va $maxoff .
.It Va $maxwidth
The width of the displayed lines.
.It Va $lines
The number of lines to page.
This is used by the
.Dq more
feature.
.It Va $tabstops
Tab stop width.
.It Va $log
Controls whether the output of ddb will also appear in the system message
buffer.
.El
.Pp
These variables can also be controlled outside ddb via the
.Sq ddb
.Xr sysctl 8
hierarchy.
.Sh EXPRESSIONS
Almost all expression operators in C are supported except for
.Ql ~ ,
.Ql ^ ,
and unary
.Ql & .
Special rules for expressions in
.Nm
are:
.Bl -tag -width 15n -compact -offset indent
.It Ar identifier
The name of a symbol.
It is translated to the address (or value) of the symbol.
.Ql \&.
and
.Ql \&:
can be used in the identifier.
The following can be accepted as an identifier,
if supported by an object format dependent routine:
.Bl -item -offset indent -compact
.It
.Sm off
.Oo Ar filename Li \&: Oc Ar func
.Op \&: Ar linenumber
.It
.Op Ar filename \&:
.Ar variable
.It
.Ar filename
.Op \&: Ar linenumber
.Sm on
.El
The symbol may be prefixed with
.Sq Ar symboltablename Ns ::
(e.g.,
.Ql emulator::mach_msg_trap )
to specify other than kernel symbols.
.It Ar number
The radix is determined by the first two letters:
.Ql 0x :
hex,
.Ql 0o :
octal,
.Ql 0t :
decimal, otherwise, the value of
.Va $radix
is used.
.It Li \&.
.Va dot :
the current address.
.It Li +
.Va next :
the next address.
.It Li ..
The address of the start of the last line examined.
Unlike
.Va dot
or
.Va next ,
this is only changed by the
.Ic examine
or
.Ic write
command.
.It Li '
The last address explicitly specified.
.It Li $ Ns Ar variable
The value of a register or variable.
The name may be followed by a
.Ql \&:
and modifiers as described above with
.Ar identifier .
.It Ar expr Li # Ar expr
A binary operator which rounds up the left hand side to the next
multiple of right hand side.
.It Li * Ns Ar expr
Indirection.
It may be followed by a ':' and modifiers as described above.
.El
.Sh SEE ALSO
.Xr gdb 1 ,
.Xr nm 1 ,
.Xr sysctl.conf 5 ,
.Xr hangman 6 ,
.Xr kgdb 7 ,
.Xr crash 8 ,
.Xr sysctl 8 ,
.Xr extent 9 ,
.Xr pool 9 ,
.Xr uvm 9
.Sh HISTORY
This kernel facility first appeared in the MACH 2 operating system
developed by CMU.
Hangman (which stands for "hangs maniacal analyzer") first appeared in
.Ox 1.2 .