summaryrefslogtreecommitdiffstats
path: root/share/man/man4/gdb.4
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/man4/gdb.4')
-rw-r--r--share/man/man4/gdb.4603
1 files changed, 603 insertions, 0 deletions
diff --git a/share/man/man4/gdb.4 b/share/man/man4/gdb.4
new file mode 100644
index 0000000..f81ef40
--- /dev/null
+++ b/share/man/man4/gdb.4
@@ -0,0 +1,603 @@
+.\" Copyright (c) 2003 Greg Lehey
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 8, 2005
+.Dt GDB 4
+.Os
+.Sh NAME
+.Nm gdb
+.Nd external kernel debugger
+.Sh SYNOPSIS
+.Cd "makeoptions DEBUG=-g"
+.Cd "options DDB"
+.Sh DESCRIPTION
+The
+.Nm
+kernel debugger is a variation of
+.Xr gdb 1
+which understands some aspects of the
+.Fx
+kernel environment.
+It can be used in a number of ways:
+.Bl -bullet
+.It
+It can be used to examine the memory of the processor on which it runs.
+.It
+It can be used to analyse a processor dump after a panic.
+.It
+It can be used to debug another system interactively via a serial or firewire
+link.
+In this mode, the processor can be stopped and single stepped.
+.It
+With a firewire link, it can be used to examine the memory of a remote system
+without the participation of that system.
+In this mode, the processor cannot be stopped and single stepped, but it can be
+of use when the remote system has crashed and is no longer responding.
+.El
+.Pp
+When used for remote debugging,
+.Nm
+requires the presence of the
+.Xr ddb 4
+kernel debugger.
+Commands exist to switch between
+.Nm
+and
+.Xr ddb 4 .
+.Sh PREPARING FOR DEBUGGING
+When debugging kernels, it is practically essential to have built a kernel with
+debugging symbols
+.Pq Cd "makeoptions DEBUG=-g" .
+It is easiest to perform operations from the kernel build directory, by default
+.Pa /usr/obj/usr/src/sys/GENERIC .
+.Pp
+First, ensure you have a copy of the debug macros in the directory:
+.Pp
+.Dl "make gdbinit"
+.Pp
+This command performs some transformations on the macros installed in
+.Pa /usr/src/tools/debugscripts
+to adapt them to the local environment.
+.Ss "Inspecting the environment of the local machine"
+To look at and change the contents of the memory of the system you are running
+on,
+.Pp
+.Dl "gdb -k -wcore kernel.debug /dev/mem"
+.Pp
+In this mode, you need the
+.Fl k
+flag to indicate to
+.Xr gdb 1
+that the
+.Dq "dump file"
+.Pa /dev/mem
+is a kernel data file.
+You can look at live data, and if you include the
+.Fl wcore
+option, you can change it at your peril.
+The system does not stop (obviously), so a number of things will not work.
+You can set breakpoints, but you cannot
+.Dq continue
+execution, so they will not work.
+.Ss "Debugging a crash dump"
+By default, crash dumps are stored in the directory
+.Pa /var/crash .
+Investigate them from the kernel build directory with:
+.Pp
+.Dl "gdb -k kernel.debug /var/crash/vmcore.29"
+.Pp
+In this mode, the system is obviously stopped, so you can only look at it.
+.Ss "Debugging a live system with a remote link"
+In the following discussion, the term
+.Dq "local system"
+refers to the system running the debugger, and
+.Dq "remote system"
+refers to the live system being debugged.
+.Pp
+To debug a live system with a remote link, the kernel must be compiled with the
+option
+.Cd "options DDB" .
+The option
+.Cd "options BREAK_TO_DEBUGGER"
+enables the debugging machine stop the debugged machine once a connection has
+been established by pressing
+.Ql ^C .
+.Ss "Debugging a live system with a remote serial link"
+When using a serial port for the remote link on the i386 platform, the serial
+port must be identified by setting the flag bit
+.Li 0x80
+for the specified interface.
+Generally, this port will also be used as a serial console (flag bit
+.Li 0x10 ) ,
+so the entry in
+.Pa /boot/device.hints
+should be:
+.Pp
+.Dl hint.sio.0.flags="0x90"
+.Ss "Debugging a live system with a remote firewire link"
+As with serial debugging, to debug a live system with a firewire link, the
+kernel must be compiled with the option
+.Cd "options DDB" .
+.Pp
+A number of steps must be performed to set up a firewire link:
+.Bl -bullet
+.It
+Ensure that both systems have
+.Xr firewire 4
+support, and that the kernel of the remote system includes the
+.Xr dcons 4
+and
+.Xr dcons_crom 4
+drivers.
+If they are not compiled into the kernel, load the KLDs:
+.Pp
+.Dl "kldload firewire"
+.Pp
+On the remote system only:
+.Bd -literal -offset indent
+kldload dcons
+kldload dcons_crom
+.Ed
+.Pp
+You should see something like this in the
+.Xr dmesg 8
+output of the remote system:
+.Bd -literal -offset indent
+fwohci0: BUS reset
+fwohci0: node_id=0x8800ffc0, gen=2, non CYCLEMASTER mode
+firewire0: 2 nodes, maxhop <= 1, cable IRM = 1
+firewire0: bus manager 1
+firewire0: New S400 device ID:00c04f3226e88061
+dcons_crom0: <dcons configuration ROM> on firewire0
+dcons_crom0: bus_addr 0x22a000
+.Ed
+.Pp
+It is a good idea to load these modules at boot time with the following entry in
+.Pa /boot/loader.conf :
+.Pp
+.Dl dcons_crom_enable="YES"
+.Pp
+This ensures that all three modules are loaded.
+There is no harm in loading
+.Xr dcons 4
+and
+.Xr dcons_crom 4
+on the local system, but if you only want to load the
+.Xr firewire 4
+module, include the following in
+.Pa /boot/loader.conf :
+.Pp
+.Dl firewire_enable="YES"
+.It
+Next, use
+.Xr fwcontrol 8
+to find the firewire node corresponding to the remote machine.
+On the local machine you might see:
+.Bd -literal -offset indent
+# fwcontrol
+2 devices (info_len=2)
+node EUI64 status
+ 1 0x00c04f3226e88061 0
+ 0 0x000199000003622b 1
+.Ed
+.Pp
+The first node is always the local system, so in this case, node 0 is the remote
+system.
+If there are more than two systems, check from the other end to find which node
+corresponds to the remote system.
+On the remote machine, it looks like this:
+.Bd -literal -offset indent
+# fwcontrol
+2 devices (info_len=2)
+node EUI64 status
+ 0 0x000199000003622b 0
+ 1 0x00c04f3226e88061 1
+.Ed
+.It
+Next, establish a firewire connection with
+.Xr dconschat 8 :
+.Pp
+.Dl "dconschat -br -G 5556 -t 0x000199000003622b"
+.Pp
+.Li 0x000199000003622b
+is the EUI64 address of the remote node, as determined from the output of
+.Xr fwcontrol 8
+above.
+When started in this manner,
+.Xr dconschat 8
+establishes a local tunnel connection from port
+.Li localhost:5556
+to the remote debugger.
+You can also establish a console port connection with the
+.Fl C
+option to the same invocation
+.Xr dconschat 8 .
+See the
+.Xr dconschat 8
+manpage for further details.
+.Pp
+The
+.Xr dconschat 8
+utility
+does not return control to the user.
+It displays error messages and console output for the remote system, so it is a
+good idea to start it in its own window.
+.It
+Finally, establish connection:
+.Bd -literal -offset indent
+# gdb kernel.debug
+GNU gdb 5.2.1 (FreeBSD)
+.Em "(political statements omitted)"
+Ready to go. Enter 'tr' to connect to the remote target
+with /dev/cuau0, 'tr /dev/cuau1' to connect to a different port
+or 'trf portno' to connect to the remote target with the firewire
+interface. portno defaults to 5556.
+
+Type 'getsyms' after connection to load kld symbols.
+
+If you are debugging a local system, you can use 'kldsyms' instead
+to load the kld symbols. That is a less obnoxious interface.
+(gdb) trf
+0xc21bd378 in ?? ()
+.Ed
+.Pp
+The
+.Ic trf
+macro assumes a connection on port 5556.
+If you want to use a different port (by changing the invocation of
+.Xr dconschat 8
+above), use the
+.Ic tr
+macro instead.
+For example, if you want to use port 4711, run
+.Xr dconschat 8
+like this:
+.Pp
+.Dl "dconschat -br -G 4711 -t 0x000199000003622b"
+.Pp
+Then establish connection with:
+.Bd -literal -offset indent
+(gdb) tr localhost:4711
+0xc21bd378 in ?? ()
+.Ed
+.El
+.Ss "Non-cooperative debugging a live system with a remote firewire link"
+In addition to the conventional debugging via firewire described in the previous
+section, it is possible to debug a remote system without its cooperation, once
+an initial connection has been established.
+This corresponds to debugging a local machine using
+.Pa /dev/mem .
+It can be very useful if a system crashes and the debugger no longer responds.
+To use this method, set the
+.Xr sysctl 8
+variables
+.Va hw.firewire.fwmem.eui64_hi
+and
+.Va hw.firewire.fwmem.eui64_lo
+to the upper and lower halves of the EUI64 ID of the remote system,
+respectively.
+From the previous example, the remote machine shows:
+.Bd -literal -offset indent
+# fwcontrol
+2 devices (info_len=2)
+node EUI64 status
+ 0 0x000199000003622b 0
+ 1 0x00c04f3226e88061 1
+.Ed
+.Pp
+Enter:
+.Bd -literal -offset indent
+# sysctl -w hw.firewire.fwmem.eui64_hi=0x00019900
+hw.firewire.fwmem.eui64_hi: 0 -> 104704
+# sysctl -w hw.firewire.fwmem.eui64_lo=0x0003622b
+hw.firewire.fwmem.eui64_lo: 0 -> 221739
+.Ed
+.Pp
+Note that the variables must be explicitly stated in hexadecimal.
+After this, you can examine the remote machine's state with the following input:
+.Bd -literal -offset indent
+# gdb -k kernel.debug /dev/fwmem0.0
+GNU gdb 5.2.1 (FreeBSD)
+.Em "(messages omitted)"
+Reading symbols from /boot/kernel/dcons.ko...done.
+Loaded symbols for /boot/kernel/dcons.ko
+Reading symbols from /boot/kernel/dcons_crom.ko...done.
+Loaded symbols for /boot/kernel/dcons_crom.ko
+#0 sched_switch (td=0xc0922fe0) at /usr/src/sys/kern/sched_4bsd.c:621
+0xc21bd378 in ?? ()
+.Ed
+.Pp
+In this case, it is not necessary to load the symbols explicitly.
+The remote system continues to run.
+.Sh COMMANDS
+The user interface to
+.Nm
+is via
+.Xr gdb 1 ,
+so
+.Xr gdb 1
+commands also work.
+This section discusses only the extensions for kernel debugging that get
+installed in the kernel build directory.
+.Ss "Debugging environment"
+The following macros manipulate the debugging environment:
+.Bl -tag -width indent
+.It Ic ddb
+Switch back to
+.Xr ddb 4 .
+This command is only meaningful when performing remote debugging.
+.It Ic getsyms
+Display
+.Ic kldstat
+information for the target machine and invite user to paste it back in.
+This is required because
+.Nm
+does not allow data to be passed to shell scripts.
+It is necessary for remote debugging and crash dumps; for local memory debugging
+use
+.Ic kldsyms
+instead.
+.It Ic kldsyms
+Read in the symbol tables for the debugging machine.
+This does not work for
+remote debugging and crash dumps; use
+.Ic getsyms
+instead.
+.It Ic tr Ar interface
+Debug a remote system via the specified serial or firewire interface.
+.It Ic tr0
+Debug a remote system via serial interface
+.Pa /dev/cuau0 .
+.It Ic tr1
+Debug a remote system via serial interface
+.Pa /dev/cuau1 .
+.It Ic trf
+Debug a remote system via firewire interface at default port 5556.
+.El
+.Pp
+The commands
+.Ic tr0 , tr1
+and
+.Ic trf
+are convenience commands which invoke
+.Ic tr .
+.Ss "The current process environment"
+The following macros are convenience functions intended to make things easier
+than the standard
+.Xr gdb 1
+commands.
+.Bl -tag -width indent
+.It Ic f0
+Select stack frame 0 and show assembler-level details.
+.It Ic f1
+Select stack frame 1 and show assembler-level details.
+.It Ic f2
+Select stack frame 2 and show assembler-level details.
+.It Ic f3
+Select stack frame 3 and show assembler-level details.
+.It Ic f4
+Select stack frame 4 and show assembler-level details.
+.It Ic f5
+Select stack frame 5 and show assembler-level details.
+.It Ic xb
+Show 12 words in hex, starting at current
+.Va ebp
+value.
+.It Ic xi
+List the next 10 instructions from the current
+.Va eip
+value.
+.It Ic xp
+Show the register contents and the first four parameters of the current stack
+frame.
+.It Ic xp0
+Show the first parameter of current stack frame in various formats.
+.It Ic xp1
+Show the second parameter of current stack frame in various formats.
+.It Ic xp2
+Show the third parameter of current stack frame in various formats.
+.It Ic xp3
+Show the fourth parameter of current stack frame in various formats.
+.It Ic xp4
+Show the fifth parameter of current stack frame in various formats.
+.It Ic xs
+Show the last 12 words on stack in hexadecimal.
+.It Ic xxp
+Show the register contents and the first ten parameters.
+.It Ic z
+Single step 1 instruction (over calls) and show next instruction.
+.It Ic zs
+Single step 1 instruction (through calls) and show next instruction.
+.El
+.Ss "Examining other processes"
+The following macros access other processes.
+The
+.Nm
+debugger
+does not understand the concept of multiple processes, so they effectively
+bypass the entire
+.Nm
+environment.
+.Bl -tag -width indent
+.It Ic btp Ar pid
+Show a backtrace for the process
+.Ar pid .
+.It Ic btpa
+Show backtraces for all processes in the system.
+.It Ic btpp
+Show a backtrace for the process previously selected with
+.Ic defproc .
+.It Ic btr Ar ebp
+Show a backtrace from the
+.Ar ebp
+address specified.
+.It Ic defproc Ar pid
+Specify the PID of the process for some other commands in this section.
+.It Ic fr Ar frame
+Show frame
+.Ar frame
+of the stack of the process previously selected with
+.Ic defproc .
+.It Ic pcb Ar proc
+Show some PCB contents of the process
+.Ar proc .
+.El
+.Ss "Examining data structures"
+You can use standard
+.Xr gdb 1
+commands to look at most data structures.
+The macros in this section are
+convenience functions which typically display the data in a more readable
+format, or which omit less interesting parts of the structure.
+.Bl -tag -width indent
+.It Ic bp
+Show information about the buffer header pointed to by the variable
+.Va bp
+in the current frame.
+.It Ic bpd
+Show the contents
+.Pq Vt "char *"
+of
+.Va bp->data
+in the current frame.
+.It Ic bpl
+Show detailed information about the buffer header
+.Pq Vt "struct bp"
+pointed at by the local variable
+.Va bp .
+.It Ic bpp Ar bp
+Show summary information about the buffer header
+.Pq Vt "struct bp"
+pointed at by the parameter
+.Ar bp .
+.It Ic bx
+Print a number of fields from the buffer header pointed at in by the pointer
+.Ar bp
+in the current environment.
+.It Ic vdev
+Show some information of the
+.Vt vnode
+pointed to by the local variable
+.Va vp .
+.El
+.Ss "Miscellaneous macros"
+.Bl -tag -width indent
+.It Ic checkmem
+Check unallocated memory for modifications.
+This assumes that the kernel has been compiled with
+.Cd "options DIAGNOSTIC" .
+This causes the contents of free memory to be set to
+.Li 0xdeadc0de .
+.It Ic dmesg
+Print the system message buffer.
+This corresponds to the
+.Xr dmesg 8
+utility.
+This macro used to be called
+.Ic msgbuf .
+It can take a very long time over a serial line,
+and it is even slower via firewire
+or local memory due to inefficiencies in
+.Nm .
+When debugging a crash dump or over firewire, it is not necessary to start
+.Nm
+to access the message buffer: instead, use an appropriate variation of
+.Bd -literal -offset indent
+dmesg -M /var/crash/vmcore.0 -N kernel.debug
+dmesg -M /dev/fwmem0.0 -N kernel.debug
+.Ed
+.It Ic kldstat
+Equivalent of the
+.Xr kldstat 8
+utility without options.
+.It Ic pname
+Print the command name of the current process.
+.It Ic ps
+Show process status.
+This corresponds in concept, but not in appearance, to the
+.Xr ps 1
+utility.
+When debugging a crash dump or over firewire, it is not necessary to start
+.Nm
+to display the
+.Xr ps 1
+output: instead, use an appropriate variation of
+.Bd -literal -offset indent
+ps -M /var/crash/vmcore.0 -N kernel.debug
+ps -M /dev/fwmem0.0 -N kernel.debug
+.Ed
+.It Ic y
+Kludge for writing macros.
+When writing macros, it is convenient to paste them
+back into the
+.Nm
+window.
+Unfortunately, if the macro is already defined,
+.Nm
+insists on asking
+.Pp
+.Dl "Redefine foo?"
+.Pp
+It will not give up until you answer
+.Ql y .
+This command is that answer.
+It does nothing else except to print a warning
+message to remind you to remove it again.
+.El
+.Sh SEE ALSO
+.Xr gdb 1 ,
+.Xr ps 1 ,
+.Xr ddb 4 ,
+.Xr firewire 4 ,
+.Xr dconschat 8 ,
+.Xr dmesg 8 ,
+.Xr fwcontrol 8 ,
+.Xr kldload 8
+.Sh AUTHORS
+This man page was written by
+.An "Greg Lehey" Aq grog@FreeBSD.org .
+.Sh BUGS
+The
+.Xr gdb 1
+debugger
+was never designed to debug kernels, and it is not a very good match.
+Many problems exist.
+.Pp
+The
+.Nm
+implementation is very inefficient, and many operations are slow.
+.Pp
+Serial debugging is even slower, and race conditions can make it difficult to
+run the link at more than 9600 bps.
+Firewire connections do not have this problem.
+.Pp
+The debugging macros
+.Dq "just grown" .
+In general, the person who wrote them did so while looking for a specific
+problem, so they may not be general enough, and they may behave badly when used
+in ways for which they were not intended, even if those ways make sense.
+.Pp
+Many of these commands only work on the ia32 architecture.
OpenPOWER on IntegriCloud