11. Kernel Debugger

The GNU Mach kernel debugger ddb is a powerful built-in debugger with a gdb like syntax. It is enabled at compile time using the `--enable-kdb' option. Whenever you want to enter the debugger while running the kernel, you can press the key combination Ctrl-Alt-D.

11.1 Operation		Basic architecture of the kernel debugger.
11.2 Commands		Available commands in the kernel debugger.
11.3 Variables		Access of variables from the kernel debugger.
11.4 Expressions		Usage of expressions in the kernel debugger.

[ < ]

[ > ]

[ << ]

[ Up ]

[ >> ]

[Top]

[Contents]

[Index]

[ ? ]

11.1 Operation

The current location is called dot. The dot is displayed with a hexadecimal format at a prompt. Examine and write commands update dot to the address of the last line examined or the last location modified, and set next to the address of the next location to be examined or changed. Other commands don't change dot, and set next to be the same as dot.

The general command syntax is:

command[/modifier] address [,count]

!! repeats the previous command, and a blank line repeats from the address next with count 1 and no modifiers. Specifying address sets dot to the address. Omitting address uses dot. A missing count is taken to be 1 for printing commands or infinity for stack traces.

Current ddb is enhanced to support multi-thread debugging. A break point can be set only for a specific thread, and the address space or registers of non current thread can be examined or modified if supported by machine dependent routines. For example,

break/t mach_msg_trap $task11.0

sets a break point at mach_msg_trap for the first thread of task 11 listed by a show all threads command.

In the above example, $task11.0 is translated to the corresponding thread structure's address by variable translation mechanism described later. If a default target thread is set in a variable $thread, the $task11.0 can be omitted. In general, if t is specified in a modifier of a command line, a specified thread or a default target thread is used as a target thread instead of the current one. The t modifier in a command line is not valid in evaluating expressions in a command line. If you want to get a value indirectly from a specific thread's address space or access to its registers within an expression, you have to specify a default target thread in advance, and to use :t modifier immediately after the indirect access or the register reference like as follows:

set $thread $task11.0
print $eax:t *(0x100):tuh

No sign extension and indirection size(long, half word, byte) can be specified with u, l, h and b respectively for the indirect access.

Note: Support of non current space/register access and user space break point depend on the machines. If not supported, attempts of such operation may provide incorrect information or may cause strange behavior. Even if supported, the user space access is limited to the pages resident in the main memory at that time. If a target page is not in the main memory, an error will be reported.

ddb has a feature like a command more for the output. If an output line exceeds the number set in the $lines variable, it displays `--db_more--' and waits for a response. The valid responses for it are:

SPC: one more page
RET: one more line
q: abort the current command, and return to the command input mode

[ < ]

[ > ]

[ << ]

[ Up ]

[ >> ]

[Top]

[Contents]

[Index]

[ ? ]

11.2 Commands

examine(x) [/modifier] addr[,count] [ thread ]

Display the addressed locations according to the formats in the modifier. Multiple modifier formats display multiple locations. If no format is specified, the last formats specified for this command is used. Address space other than that of the current thread can be specified with t option in the modifier and thread parameter. The format characters are

b

look at by bytes(8 bits)

h

look at by half words(16 bits)

l

look at by long words(32 bits)

a

print the location being displayed

,

skip one unit producing no output

A

print the location with a line number if possible

x

display in unsigned hex

z

display in signed hex

o

display in unsigned octal

d

display in signed decimal

u

display in unsigned decimal

r

display in current radix, signed

c

display low 8 bits as a character. Non-printing characters are displayed as an octal escape code (e.g. '\000').

s

display the null-terminated string at the location. Non-printing characters are displayed as octal escapes.

m

display in unsigned hex with character dump at the end of each line. The location is also displayed in hex at the beginning of each line.

i

display as an instruction

I

display as an instruction with possible alternate formats depending on the machine:

vax: don't assume that each external label is a procedure entry mask
i386: don't round to the next long word boundary
mips: print register contents

xf

Examine forward. It executes an examine command with the last specified parameters to it except that the next address displayed by it is used as the start address.

xb

Examine backward. It executes an examine command with the last specified parameters to it except that the last start address subtracted by the size displayed by it is used as the start address.

print[/axzodurc] addr1 [ addr2 ... ]

Print addr's according to the modifier character. Valid formats are: a x z o d u r c. If no modifier is specified, the last one specified to it is used. addr can be a string, and it is printed as it is. For example,

print/x "eax = " $eax "\necx = " $ecx "\n"

will print like

eax = xxxxxx
ecx = yyyyyy

write[/bhlt] addr [ thread ] expr1 [ expr2 ... ]

Write the expressions at succeeding locations. The write unit size can be specified in the modifier with a letter b (byte), h (half word) or l(long word) respectively. If omitted, long word is assumed. Target address space can also be specified with t option in the modifier and thread parameter. Warning: since there is no delimiter between expressions, strange things may happen. It's best to enclose each expression in parentheses.

set $variable [=] expr

Set the named variable or register with the value of expr. Valid variable names are described below.

break[/tuTU] addr[,count] [ thread1 ... ]

Set a break point at addr. If count is supplied, continues (count-1) times before stopping at the break point. If the break point is set, a break point number is printed with `#'. This number can be used in deleting the break point or adding conditions to it.

t: Set a break point only for a specific thread. The thread is specified by thread parameter, or default one is used if the parameter is omitted.
u: Set a break point in user space address. It may be combined with t or T option to specify the non-current target user space. Without u option, the address is considered in the kernel space, and wrong space address is rejected with an error message. This option can be used only if it is supported by machine dependent routines.
T: Set a break point only for threads in a specific task. It is like t option except that the break point is valid for all threads which belong to the same task as the specified target thread.
U: Set a break point in shared user space address. It is like u option, except that the break point is valid for all threads which share the same address space even if t option is specified. t option is used only to specify the target shared space. Without t option, u and U have the same meanings. U is useful for setting a user space break point in non-current address space with t option such as in an emulation library space. This option can be used only if it is supported by machine dependent routines.

Warning: if a user text is shadowed by a normal user space debugger, user space break points may not work correctly. Setting a break point at the low-level code paths may also cause strange behavior.

delete[/tuTU] addr|#number [ thread1 ... ]

Delete the break point. The target break point can be specified by a break point number with #, or by addr like specified in break command.

cond #number [ condition commands ]

Set or delete a condition for the break point specified by the number. If the condition and commands are null, the condition is deleted. Otherwise the condition is set for it. When the break point is hit, the condition is evaluated. The commands will be executed if the condition is true and the break point count set by a break point command becomes zero. commands is a list of commands separated by semicolons. Each command in the list is executed in that order, but if a continue command is executed, the command execution stops there, and the stopped thread resumes execution. If the command execution reaches the end of the list, and it enters into a command input mode. For example,

set $work0 0
break/Tu xxx_start $task7.0
cond #1  (1)  set $work0 1; set $work1 0; cont
break/T  vm_fault $task7.0
cond #2  ($work0) set $work1 ($work1+1); cont
break/Tu xxx_end $task7.0
cond #3  ($work0) print $work1 " faults\n"; set $work0 0
cont

will print page fault counts from xxx_start to xxx_end in task7.

step[/p] [,count]

Single step count times. If p option is specified, print each instruction at each step. Otherwise, only print the last instruction.

Warning: depending on machine type, it may not be possible to single-step through some low-level code paths or user space code. On machines with software-emulated single-stepping (e.g., pmax), stepping through code executed by interrupt handlers will probably do the wrong thing.

continue[/c]

Continue execution until a breakpoint or watchpoint. If /c, count instructions while executing. Some machines (e.g., pmax) also count loads and stores.

Warning: when counting, the debugger is really silently single-stepping. This means that single-stepping on low-level code may cause strange behavior.

until

Stop at the next call or return instruction.

next[/p]

Stop at the matching return instruction. If p option is specified, print the call nesting depth and the cumulative instruction count at each call or return. Otherwise, only print when the matching return is hit.

match[/p]

A synonym for next.

trace[/tu] [ frame_addr|thread ][,count]

Stack trace. u option traces user space; if omitted, only traces kernel space. If t option is specified, it shows the stack trace of the specified thread or a default target thread. Otherwise, it shows the stack trace of the current thread from the frame address specified by a parameter or from the current frame. count is the number of frames to be traced. If the count is omitted, all frames are printed.

Warning: If the target thread's stack is not in the main memory at that time, the stack trace will fail. User space stack trace is valid only if the machine dependent code supports it.

search[/bhl] addr value [mask] [,count]

Search memory for a value. This command might fail in interesting ways if it doesn't find the searched-for value. This is because ddb doesn't always recover from touching bad memory. The optional count argument limits the search.

macro name commands

Define a debugger macro as name. commands is a list of commands to be associated with the macro. In the expressions of the command list, a variable $argxx can be used to get a parameter passed to the macro. When a macro is called, each argument is evaluated as an expression, and the value is assigned to each parameter, $arg1, $arg2, ... respectively. 10 $arg variables are reserved to each level of macros, and they can be used as local variables. The nesting of macro can be allowed up to 5 levels. For example,

macro xinit set $work0 $arg1
macro xlist examine/m $work0,4; set $work0 *($work0)
xinit *(xxx_list)
xlist
....

will print the contents of a list starting from xxx_list by each xlist command.

dmacro name

Delete the macro named name.

show all threads[/ul]

Display all tasks and threads information. This version of ddb prints more information than previous one. It shows UNIX process information like ps for each task. The UNIX process information may not be shown if it is not supported in the machine, or the bottom of the stack of the target task is not in the main memory at that time. It also shows task and thread identification numbers. These numbers can be used to specify a task or a thread symbolically in various commands. The numbers are valid only in the same debugger session. If the execution is resumed again, the numbers may change. The current thread can be distinguished from others by a # after the thread id instead of :. Without l option, it only shows thread id, thread structure address and the status for each thread. The status consists of 5 letters, R(run), W(wait), S(sus� pended), O(swapped out) and N(interruptible), and if corresponding status bit is off, . is printed instead. If l option is specified, more detail information is printed for each thread.

show task [ addr ]

Display the information of a task specified by addr. If addr is omitted, current task information is displayed.

show thread [ addr ]

Display the information of a thread specified by addr. If addr is omitted, current thread information is displayed.

show registers[/tu [ thread ]]

Display the register set. Target thread can be specified with t option and thread parameter. If u option is specified, it displays user registers instead of kernel or currently saved one.

Warning: The support of t and u option depends on the machine. If not supported, incorrect information will be displayed.

show map addr

Prints the vm_map at addr.

show object addr

Prints the vm_object at addr.

show page addr

Prints the vm_page structure at addr.

show port addr

Prints the ipc_port structure at addr.

show ipc_port[/t [ thread ]]

Prints all ipc_port structure's addresses the target thread has. The target thread is a current thread or that specified by a parameter.

show macro [ name ]

Show the definitions of macros. If name is specified, only the definition of it is displayed. Otherwise, definitions of all macros are displayed.

show watches

Displays all watchpoints.

watch[/T] addr,size [ task ]

Set a watchpoint for a region. Execution stops when an attempt to modify the region occurs. The size argument defaults to 4. Without T option, addr is assumed to be a kernel address. If you want to set a watch point in user space, specify T and task parameter where the address belongs to. If the task parameter is omitted, a task of the default target thread or a current task is assumed. If you specify a wrong space address, the request is rejected with an error message.

Warning: Attempts to watch wired kernel memory may cause unrecoverable error in some systems such as i386. Watchpoints on user addresses work best.

[ < ]

[ > ]

[ << ]

[ Up ]

[ >> ]

[Top]

[Contents]

[Index]

[ ? ]

11.3 Variables

The debugger accesses registers and variables as $name. Register names are as in the show registers command. Some variables are suffixed with numbers, and may have some modifier following a colon immediately after the variable name. For example, register variables can have u and t modifier to indicate user register and that of a default target thread instead of that of the current thread (e.g. $eax:tu).

Built-in variables currently supported are:

taskxx[.yy]: Task or thread structure address. xx and yy are task and thread identification numbers printed by a show all threads command respectively. This variable is read only.
thread: The default target thread. The value is used when t option is specified without explicit thread structure address parameter in command lines or expression evaluation.
radix: Input and output radix
maxoff: Addresses are printed as symbol+offset unless offset is greater than maxoff.
maxwidth: The width of the displayed line.
lines: The number of lines. It is used by more feature.
tabstops: Tab stop width.
argxx: Parameters passed to a macro. xx can be 1 to 10.
workxx: Work variable. xx can be 0 to 31.

[ < ]

[ > ]

[ << ]

[ Up ]

[ >> ]

[Top]

[Contents]

[Index]

[ ? ]

11.4 Expressions

Almost all expression operators in C are supported except ~, ^, and unary &. Special rules in ddb are:

identifier

name of a symbol. It is translated to the address(or value) of it. . and : can be used in the identifier. If supported by an object format dependent routine, [file_name:]func[:line_number] [file_name:]variable, and file_name[:line_number] can be accepted as a symbol. The symbol may be prefixed with symbol_table_name:: like emulator::mach_msg_trap to specify other than kernel symbols.

number