2 .\" Mach Operating System
3 .\" Copyright (c) 1991,1990 Carnegie Mellon University
4 .\" Copyright (c) 2007 Robert N. M. Watson
5 .\" All Rights Reserved.
7 .\" Permission to use, copy, modify and distribute this software and its
8 .\" documentation is hereby granted, provided that both the copyright
9 .\" notice and this permission notice appear in all copies of the
10 .\" software, derivative works or modified versions, and any portions
11 .\" thereof, and that both notices appear in supporting documentation.
13 .\" CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
14 .\" CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
15 .\" ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
17 .\" Carnegie Mellon requests users of this software to return to
19 .\" Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
20 .\" School of Computer Science
21 .\" Carnegie Mellon University
22 .\" Pittsburgh PA 15213-3890
24 .\" any improvements or extensions that they make and grant Carnegie Mellon
25 .\" the rights to redistribute these changes.
27 .\" changed a \# to #, since groff choked on it.
31 .\" Revision 1.1 1993/07/15 18:41:02 brezak
34 .\" Revision 2.6 92/04/08 08:52:57 rpd
36 .\" [92/01/17 14:19:22 jsb]
37 .\" Changes for OSF debugger modifications.
40 .\" Revision 2.5 91/06/25 13:50:22 rpd
41 .\" Added some watchpoint explanation.
44 .\" Revision 2.4 91/06/17 15:47:31 jsb
45 .\" Added documentation for continue/c, match, search, and watchpoints.
46 .\" I've not actually explained what a watchpoint is; maybe Rich can
47 .\" do that (hint, hint).
48 .\" [91/06/17 10:58:08 jsb]
50 .\" Revision 2.3 91/05/14 17:04:23 mrt
51 .\" Correcting copyright
53 .\" Revision 2.2 91/02/14 14:10:06 mrt
54 .\" Changed to new Mach copyright
55 .\" [91/02/12 18:10:12 mrt]
57 .\" Revision 2.2 90/08/30 14:23:15 dbg
68 .Nd interactive kernel debugger
73 To prevent activation of the debugger on kernel
75 .Cd options KDB_UNATTENDED
79 kernel debugger has most of the features of the old
81 but with a more rational syntax
84 If linked into the running kernel,
85 it can be invoked locally with the
89 The debugger is also invoked on kernel
92 .Va debug.debugger_on_panic
94 MIB variable is set non-zero,
100 The current location is called
105 a hexadecimal format at a prompt.
112 to the address of the last line
113 examined or the last location modified, and set
116 the next location to be examined or changed.
117 Other commands do not change
124 The general command syntax is:
125 .Ar command Ns Op Li / Ns Ar modifier
126 .Ar address Ns Op Li , Ns Ar count
128 A blank line repeats the previous command from the address
131 count 1 and no modifiers.
144 to be 1 for printing commands or infinity for stack traces.
148 debugger has a pager feature (like the
152 If an output line exceeds the number set in the
154 variable, it displays
156 and waits for a response.
157 The valid responses for it are:
159 .Bl -tag -compact -width ".Li SPC"
165 abort the current command, and return to the command input mode
170 provides a small (currently 10 items) command history, and offers
173 command line editing capabilities.
177 control keys, the usual
179 arrow keys might be used to
180 browse through the history buffer, and move the cursor within the
183 .Bl -tag -width indent -compact
186 Display the addressed locations according to the formats in the modifier.
187 Multiple modifier formats display multiple locations.
188 If no format is specified, the last format specified for this command
191 The format characters are:
192 .Bl -tag -compact -width indent
194 look at by bytes (8 bits)
196 look at by half words (16 bits)
198 look at by long words (32 bits)
200 print the location being displayed
202 print the location with a line number if possible
204 display in unsigned hex
206 display in signed hex
208 display in unsigned octal
210 display in signed decimal
212 display in unsigned decimal
214 display in current radix, signed
216 display low 8 bits as a character.
217 Non-printing characters are displayed as an octal escape code (e.g.,
220 display the null-terminated string at the location.
221 Non-printing characters are displayed as octal escapes.
223 display in unsigned hex with character dump at the end of each line.
224 The location is also displayed in hex at the beginning of each line.
226 display as an instruction
228 display as an instruction with possible alternate formats depending on the
230 .Bl -tag -width ".Tn powerpc" -compact
232 Show the registers of the instruction.
245 display a symbol name for the pointer stored at the address
252 command with the last specified parameters to it
253 except that the next address displayed by it is used as the start address.
259 command with the last specified parameters to it
260 except that the last start address subtracted by the size displayed by it
261 is used as the start address.
263 .It Ic print Ns Op Li / Ns Cm acdoruxz
264 .It Ic p Ns Op Li / Ns Cm acdoruxz
267 according to the modifier character (as described above for
270 .Cm a , x , z , o , d , u , r ,
273 If no modifier is specified, the last one specified to it is used.
276 can be a string, in which case it is printed as it is.
278 .Bd -literal -offset indent
279 print/x "eax = " $eax "\enecx = " $ecx "\en"
283 .Bd -literal -offset indent
289 .Ic write Ns Op Li / Ns Cm bhl
290 .Ar addr expr1 Op Ar expr2 ...
293 .Ic w Ns Op Li / Ns Cm bhl
294 .Ar addr expr1 Op Ar expr2 ...
296 Write the expressions specified after
298 on the command line at succeeding locations starting with
300 The write unit size can be specified in the modifier with a letter
306 (long word) respectively.
308 long word is assumed.
311 since there is no delimiter between expressions, strange
313 It is best to enclose each expression in parentheses.
315 .It Ic set Li $ Ns Ar variable Oo Li = Oc Ar expr
316 Set the named variable or register with the value of
318 Valid variable names are described below.
320 .It Ic break Ns Op Li / Ns Cm u
321 .It Ic b Ns Op Li / Ns Cm u
326 is supplied, continues
328 \- 1 times before stopping at the
330 If the break point is set, a break point number is
333 This number can be used in deleting the break point
334 or adding conditions to it.
338 modifier is specified, this command sets a break point in user space
342 option, the address is considered in the kernel
343 space, and wrong space address is rejected with an error message.
344 This modifier can be used only if it is supported by machine dependent
348 If a user text is shadowed by a normal user space debugger,
349 user space break points may not work correctly.
351 point at the low-level code paths may also cause strange behavior.
353 .It Ic delete Ar addr
355 .It Ic delete Li # Ns Ar number
356 .It Ic d Li # Ns Ar number
357 Delete the break point.
358 The target break point can be specified by a
359 break point number with
363 specified in the original
367 .It Ic watch Ar addr Ns Li , Ns Ar size
368 Set a watchpoint for a region.
369 Execution stops when an attempt to modify the region occurs.
372 argument defaults to 4.
373 If you specify a wrong space address, the request is rejected
374 with an error message.
377 Attempts to watch wired kernel memory
378 may cause unrecoverable error in some systems such as i386.
379 Watchpoints on user addresses work best.
381 .It Ic hwatch Ar addr Ns Li , Ns Ar size
382 Set a hardware watchpoint for a region if supported by the
384 Execution stops when an attempt to modify the region occurs.
387 argument defaults to 4.
390 The hardware debug facilities do not have a concept of separate
391 address spaces like the watch command does.
394 for setting watchpoints on kernel address locations only, and avoid
395 its use on user mode address spaces.
397 .It Ic dhwatch Ar addr Ns Li , Ns Ar size
398 Delete specified hardware watchpoint.
400 .It Ic step Ns Op Li / Ns Cm p
401 .It Ic s Ns Op Li / Ns Cm p
404 times (the comma is a mandatory part of the syntax).
407 modifier is specified, print each instruction at each step.
408 Otherwise, only print the last instruction.
411 depending on machine type, it may not be possible to
412 single-step through some low-level code paths or user space code.
413 On machines with software-emulated single-stepping (e.g., pmax),
414 stepping through code executed by interrupt handlers will probably
417 .It Ic continue Ns Op Li / Ns Cm c
418 .It Ic c Ns Op Li / Ns Cm c
419 Continue execution until a breakpoint or watchpoint.
422 modifier is specified, count instructions while executing.
423 Some machines (e.g., pmax) also count loads and stores.
426 when counting, the debugger is really silently single-stepping.
427 This means that single-stepping on low-level code may cause strange
430 .It Ic until Ns Op Li / Ns Cm p
431 Stop at the next call or return instruction.
434 modifier is specified, print the call nesting depth and the
435 cumulative instruction count at each call or return.
437 only print when the matching return is hit.
439 .It Ic next Ns Op Li / Ns Cm p
440 .It Ic match Ns Op Li / Ns Cm p
441 Stop at the matching return instruction.
444 modifier is specified, print the call nesting depth and the
445 cumulative instruction count at each call or return.
446 Otherwise, only print when the matching return is hit.
449 .Ic trace Ns Op Li / Ns Cm u
454 .Ic t Ns Op Li / Ns Cm u
459 .Ic where Ns Op Li / Ns Cm u
464 .Ic bt Ns Op Li / Ns Cm u
471 option traces user space; if omitted,
475 The optional argument
477 is the number of frames to be traced.
480 is omitted, all frames are printed.
483 User space stack trace is valid
484 only if the machine dependent code supports it.
487 .Ic search Ns Op Li / Ns Cm bhl
495 This command might fail in interesting
496 ways if it does not find the searched-for value.
499 does not always recover from touching bad memory.
502 argument limits the search.
504 .It Ic show Cm all procs Ns Op Li / Ns Cm m
505 .It Ic ps Ns Op Li / Ns Cm m
506 Display all process information.
507 The process information may not be shown if it is not
508 supported in the machine, or the bottom of the stack of the
509 target process is not in the main memory at that time.
512 modifier will alter the display to show VM map
513 addresses for the process and not show other info.
515 .It Ic show Cm registers Ns Op Li / Ns Cm u
516 Display the register set.
519 modifier is specified, it displays user registers instead of
520 kernel or currently saved one.
525 modifier depends on the machine.
526 If not supported, incorrect information will be displayed.
528 .It Ic show Cm sysregs
529 Show system registers (e.g.,
532 Not present on some platforms.
534 .It Ic show Cm geom Op Ar addr
537 argument is not given, displays the entire GEOM topology.
540 is given, displays details about the given GEOM object (class, geom, provider
550 shows, also list kernel internal details.
553 .It Ic show Cm map Ns Oo Li / Ns Cm f Oc Ar addr
558 modifier is specified the
559 complete map is printed.
561 .It Ic show Cm object Ns Oo Li / Ns Cm f Oc Ar addr
562 Prints the VM object at
566 option is specified the
567 complete object is printed.
569 .It Ic show Cm vnode Ar addr
570 Displays details about the given vnode.
572 .It Ic show Cm watches
573 Displays all watchpoints.
576 Toggles between remote GDB and DDB mode.
577 In remote GDB mode, another machine is required that runs
579 using the remote debug feature, with a connection to the serial
580 console port on the target machine.
581 Currently only available on the
588 .It Ic kill Ar sig pid
593 The signal is acted on upon returning from the debugger.
594 This command can be used to kill a process causing resource contention
595 in the case of a hung system.
598 for a list of signals.
599 Note that the arguments are reversed relative to
604 Hard reset the system.
607 Print a short summary of the available commands and command
613 .It Ic capture status
615 supports a basic output capture facility, which can be used to retrieve the
616 results of debugging commands from userpsace using
619 enables output capture;
623 will clear the capture buffer and disable capture.
625 will report current buffer use, buffer size, and disposition of output
628 Userspace processes may inspect and manage
633 .Dv debug.ddb.capture.bufsize
634 may be used to query or set the current capture buffer size.
636 .Dv debug.ddb.capture.maxbufsize
637 may be used to query the compile-time limit on the capture buffer size.
639 .Dv debug.ddb.capture.bytes
640 may be used to query the number of bytes of output currently in the capture
643 .Dv debug.ddb.capture.data
644 returns the contents of the buffer as a string to an appropriately privileged
647 This facility is particularly useful in concert with the scripting and
649 facilities, allowing scripted debugging output to be captured and
650 committed to disk as part of a textdump for later analysis.
651 The contents of the capture buffer may also be inspected in a kernel core dump
659 Run, define, list, and delete scripts.
662 section for more information on the scripting facility.
665 .It Ic textdump status
666 .It Ic textdump unset
669 command may be used to force the next kernel core dump to be a textdump
670 rather than a traditional memory dump or minidump.
672 reports whether a textdump has been scheduled.
674 cancels a request to perform a textdump as the next kernel core dump.
675 More information may be found in
679 The debugger accesses registers and variables as
681 Register names are as in the
682 .Dq Ic show Cm registers
684 Some variables are suffixed with numbers, and may have some modifier
685 following a colon immediately after the variable name.
686 For example, register variables can have a
688 modifier to indicate user register (e.g.,
691 Built-in variables currently supported are:
693 .Bl -tag -width ".Va tabstops" -compact
695 Input and output radix.
697 Addresses are printed as
698 .Dq Ar symbol Ns Li + Ns Ar offset
704 The width of the displayed line.
707 It is used by the built-in pager.
713 can take values from 0 to 31.
716 Most expression operators in C are supported except
724 .Bl -tag -width ".No Identifiers"
726 The name of a symbol is translated to the value of the symbol, which
727 is the address of the corresponding object.
731 can be used in the identifier.
732 If supported by an object format dependent routine,
734 .Oo Ar filename : Oc Ar func : lineno ,
736 .Oo Ar filename : Oc Ns Ar variable ,
738 .Oo Ar filename : Oc Ns Ar lineno
739 can be accepted as a symbol.
741 Radix is determined by the first two letters:
747 decimal; otherwise, follow current radix.
753 address of the start of the last line examined.
758 this is only changed by
764 last address explicitly specified.
765 .It Li $ Ns Ar variable
766 Translated to the value of the specified variable.
767 It may be followed by a
769 and modifiers as described above.
770 .It Ar a Ns Li # Ns Ar b
771 A binary operator which rounds up the left hand side to the next
772 multiple of right hand side.
775 It may be followed by a
777 and modifiers as described above.
781 supports a basic scripting facility to allow automating tasks or responses to
783 Each script consists of a list of DDB commands to be executed sequentially,
784 and is assigned a unique name.
785 Certain script names have special meaning, and will be automatically run on
788 events if scripts by those names have been defined.
792 command may be used to define a script by name.
793 Scripts consist of a series of
795 commands separated with the
799 .Bd -literal -offset indent
800 script kdb.enter.panic=bt; show pcpu
801 script lockinfo=show alllocks; show lockedvnods
806 command lists currently defined scripts.
810 command execute a script by name.
812 .Bd -literal -offset indent
818 command may be used to delete a script by name.
820 .Bd -literal -offset indent
821 unscript kdb.enter.panic
824 These functions may also be performed from userspace using the
828 Certain scripts are run automatically, if defined, for specific
831 The follow scripts are run when various events occur:
832 .Bl -tag -width kdb.enter.powerfail
833 .It Dv kdb.enter.acpi
834 The kernel debugger was entered as a result of an
837 .It Dv kdb.enter.bootflags
838 The kernel debugger was entered at boot as a result of the debugger boot
840 .It Dv kdb.enter.break
841 The kernel debugger was entered as a result of a serial or console break.
843 The kernel debugger was entered as a result of a
847 The kernel debugger was entered as a result of an assertion failure in the
850 TrustedBSD MAC Framework.
851 .It Dv kdb.enter.ndis
852 The kernel debugger was entered as a result of an
855 .It Dv kdb.enter.netgraph
856 The kernel debugger was entered as a result of a
859 .It Dv kdb.enter.panic
862 .It Dv kdb.enter.powerfail
863 The kernel debugger was entered as a result of a powerfail NMI on the sparc64
865 .It Dv kdb.enter.powerpc
866 The kernel debugger was entered as a result of an unimplemented interrupt
867 type on the powerpc platform.
868 .It Dv kdb.enter.sysctl
869 The kernel debugger was entered as a result of the
872 .It Dv kdb.enter.trapsig
873 The kernel debugger was entered as a result of a trapsig event on the sparc64
875 .It Dv kdb.enter.unionfs
876 The kernel debugger was entered as a result of an assertion failure in the
878 .It Dv kdb.enter.unknown
879 The kernel debugger was entered, but no reason has been set.
880 .It Dv kdb.enter.vfslock
881 The kernel debugger was entered as a result of a VFS lock violation.
882 .It Dv kdb.enter.watchdog
883 The kernel debugger was entered as a result of a watchdog firing.
884 .It Dv kdb.enter.witness
885 The kernel debugger was entered as a result of a
890 In the event that none of these scripts is found,
892 will attempt to execute a default script:
893 .Bl -tag -width kdb.enter.powerfail
894 .It Dv kdb.enter.default
895 The kernel debugger was entered, but a script exactly matching the reason for
896 entering was not defined.
897 This can be used as a catch-all to handle cases not specifically of interest;
899 .Dv kdb.enter.witness
900 might be defined to have special handling, and
901 .Dv kdb.enter.default
902 might be defined to simply panic and reboot.
905 On machines with an ISA expansion bus, a simple NMI generation card can be
906 constructed by connecting a push button between the A01 and B01 (CHCHK# and
908 Momentarily shorting these two fingers together may cause the bridge chipset to
909 generate an NMI, which causes the kernel to pass control to
911 Some bridge chipsets do not generate a NMI on CHCHK#, so your mileage may vary.
912 The NMI allows one to break into the debugger on a wedged machine to
914 Other bus' bridge chipsets may be able to generate NMI using bus specific
932 debugger was developed for Mach, and ported to
934 This manual page translated from
937 .An Garrett Wollman .
939 .An Robert N. M. Watson