xref: /freebsd/share/man/man4/gdb.4 (revision 02e9120893770924227138ba49df1edb3896112a)
1.\" Copyright (c) 2003 Greg Lehey
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd May 17, 2016
26.Dt GDB 4
27.Os
28.Sh NAME
29.Nm gdb
30.Nd external kernel debugger
31.Sh SYNOPSIS
32.Cd "makeoptions DEBUG=-g"
33.Cd "options DDB"
34.Sh DESCRIPTION
35The
36.Nm
37kernel debugger is a variation of
38.Xr gdb 1 Pq Pa ports/devel/gdb
39which understands some aspects of the
40.Fx
41kernel environment.
42It can be used in a number of ways:
43.Bl -bullet
44.It
45It can be used to examine the memory of the processor on which it runs.
46.It
47It can be used to analyse a processor dump after a panic.
48.It
49It can be used to debug another system interactively via a serial or firewire
50link.
51In this mode, the processor can be stopped and single stepped.
52.It
53With a firewire link, it can be used to examine the memory of a remote system
54without the participation of that system.
55In this mode, the processor cannot be stopped and single stepped, but it can be
56of use when the remote system has crashed and is no longer responding.
57.El
58.Pp
59When used for remote debugging,
60.Nm
61requires the presence of the
62.Xr ddb 4
63kernel debugger.
64Commands exist to switch between
65.Nm
66and
67.Xr ddb 4 .
68.Sh PREPARING FOR DEBUGGING
69When debugging kernels, it is practically essential to have built a kernel with
70debugging symbols
71.Pq Cd "makeoptions DEBUG=-g" .
72It is easiest to perform operations from the kernel build directory, by default
73.Pa /usr/obj/usr/src/sys/GENERIC .
74.Pp
75First, ensure you have a copy of the debug macros in the directory:
76.Pp
77.Dl "make gdbinit"
78.Pp
79This command performs some transformations on the macros installed in
80.Pa /usr/src/tools/debugscripts
81to adapt them to the local environment.
82.Ss "Inspecting the environment of the local machine"
83To look at and change the contents of the memory of the system you are running
84on,
85.Pp
86.Dl "gdb -k -wcore kernel.debug /dev/mem"
87.Pp
88In this mode, you need the
89.Fl k
90flag to indicate to
91.Xr gdb 1 Pq Pa ports/devel/gdb
92that the
93.Dq "dump file"
94.Pa /dev/mem
95is a kernel data file.
96You can look at live data, and if you include the
97.Fl wcore
98option, you can change it at your peril.
99The system does not stop (obviously), so a number of things will not work.
100You can set breakpoints, but you cannot
101.Dq continue
102execution, so they will not work.
103.Ss "Debugging a crash dump"
104By default, crash dumps are stored in the directory
105.Pa /var/crash .
106Investigate them from the kernel build directory with:
107.Pp
108.Dl "gdb -k kernel.debug /var/crash/vmcore.29"
109.Pp
110In this mode, the system is obviously stopped, so you can only look at it.
111.Ss "Debugging a live system with a remote link"
112In the following discussion, the term
113.Dq "local system"
114refers to the system running the debugger, and
115.Dq "remote system"
116refers to the live system being debugged.
117.Pp
118To debug a live system with a remote link, the kernel must be compiled with the
119option
120.Cd "options DDB" .
121The option
122.Cd "options BREAK_TO_DEBUGGER"
123enables the debugging machine stop the debugged machine once a connection has
124been established by pressing
125.Ql ^C .
126.Ss "Debugging a live system with a remote serial link"
127When using a serial port for the remote link on the i386 platform, the serial
128port must be identified by setting the flag bit
129.Li 0x80
130for the specified interface.
131Generally, this port will also be used as a serial console (flag bit
132.Li 0x10 ) ,
133so the entry in
134.Pa /boot/device.hints
135should be:
136.Pp
137.Dl hint.sio.0.flags="0x90"
138.Ss "Debugging a live system with a remote firewire link"
139As with serial debugging, to debug a live system with a firewire link, the
140kernel must be compiled with the option
141.Cd "options DDB" .
142.Pp
143A number of steps must be performed to set up a firewire link:
144.Bl -bullet
145.It
146Ensure that both systems have
147.Xr firewire 4
148support, and that the kernel of the remote system includes the
149.Xr dcons 4
150and
151.Xr dcons_crom 4
152drivers.
153If they are not compiled into the kernel, load the KLDs:
154.Pp
155.Dl "kldload firewire"
156.Pp
157On the remote system only:
158.Bd -literal -offset indent
159kldload dcons
160kldload dcons_crom
161.Ed
162.Pp
163You should see something like this in the
164.Xr dmesg 8
165output of the remote system:
166.Bd -literal -offset indent
167fwohci0: BUS reset
168fwohci0: node_id=0x8800ffc0, gen=2, non CYCLEMASTER mode
169firewire0: 2 nodes, maxhop <= 1, cable IRM = 1
170firewire0: bus manager 1
171firewire0: New S400 device ID:00c04f3226e88061
172dcons_crom0: <dcons configuration ROM> on firewire0
173dcons_crom0: bus_addr 0x22a000
174.Ed
175.Pp
176It is a good idea to load these modules at boot time with the following entry in
177.Pa /boot/loader.conf :
178.Pp
179.Dl dcons_crom_enable="YES"
180.Pp
181This ensures that all three modules are loaded.
182There is no harm in loading
183.Xr dcons 4
184and
185.Xr dcons_crom 4
186on the local system, but if you only want to load the
187.Xr firewire 4
188module, include the following in
189.Pa /boot/loader.conf :
190.Pp
191.Dl firewire_enable="YES"
192.It
193Next, use
194.Xr fwcontrol 8
195to find the firewire node corresponding to the remote machine.
196On the local machine you might see:
197.Bd -literal -offset indent
198# fwcontrol
1992 devices (info_len=2)
200node        EUI64        status
201   1  0x00c04f3226e88061      0
202   0  0x000199000003622b      1
203.Ed
204.Pp
205The first node is always the local system, so in this case, node 0 is the remote
206system.
207If there are more than two systems, check from the other end to find which node
208corresponds to the remote system.
209On the remote machine, it looks like this:
210.Bd -literal -offset indent
211# fwcontrol
2122 devices (info_len=2)
213node        EUI64        status
214   0  0x000199000003622b      0
215   1  0x00c04f3226e88061      1
216.Ed
217.It
218Next, establish a firewire connection with
219.Xr dconschat 8 :
220.Pp
221.Dl "dconschat -br -G 5556 -t 0x000199000003622b"
222.Pp
223.Li 0x000199000003622b
224is the EUI64 address of the remote node, as determined from the output of
225.Xr fwcontrol 8
226above.
227When started in this manner,
228.Xr dconschat 8
229establishes a local tunnel connection from port
230.Li localhost:5556
231to the remote debugger.
232You can also establish a console port connection with the
233.Fl C
234option to the same invocation
235.Xr dconschat 8 .
236See the
237.Xr dconschat 8
238manpage for further details.
239.Pp
240The
241.Xr dconschat 8
242utility
243does not return control to the user.
244It displays error messages and console output for the remote system, so it is a
245good idea to start it in its own window.
246.It
247Finally, establish connection:
248.Bd -literal -offset indent
249# gdb kernel.debug
250GNU gdb 5.2.1 (FreeBSD)
251.Em "(political statements omitted)"
252Ready to go.  Enter 'tr' to connect to the remote target
253with /dev/cuau0, 'tr /dev/cuau1' to connect to a different port
254or 'trf portno' to connect to the remote target with the firewire
255interface.  portno defaults to 5556.
256
257Type 'getsyms' after connection to load kld symbols.
258
259If you are debugging a local system, you can use 'kldsyms' instead
260to load the kld symbols.  That is a less obnoxious interface.
261(gdb) trf
2620xc21bd378 in ?? ()
263.Ed
264.Pp
265The
266.Ic trf
267macro assumes a connection on port 5556.
268If you want to use a different port (by changing the invocation of
269.Xr dconschat 8
270above), use the
271.Ic tr
272macro instead.
273For example, if you want to use port 4711, run
274.Xr dconschat 8
275like this:
276.Pp
277.Dl "dconschat -br -G 4711 -t 0x000199000003622b"
278.Pp
279Then establish connection with:
280.Bd -literal -offset indent
281(gdb) tr localhost:4711
2820xc21bd378 in ?? ()
283.Ed
284.El
285.Ss "Non-cooperative debugging a live system with a remote firewire link"
286In addition to the conventional debugging via firewire described in the previous
287section, it is possible to debug a remote system without its cooperation, once
288an initial connection has been established.
289This corresponds to debugging a local machine using
290.Pa /dev/mem .
291It can be very useful if a system crashes and the debugger no longer responds.
292To use this method, set the
293.Xr sysctl 8
294variables
295.Va hw.firewire.fwmem.eui64_hi
296and
297.Va hw.firewire.fwmem.eui64_lo
298to the upper and lower halves of the EUI64 ID of the remote system,
299respectively.
300From the previous example, the remote machine shows:
301.Bd -literal -offset indent
302# fwcontrol
3032 devices (info_len=2)
304node        EUI64        status
305   0  0x000199000003622b      0
306   1  0x00c04f3226e88061      1
307.Ed
308.Pp
309Enter:
310.Bd -literal -offset indent
311# sysctl -w hw.firewire.fwmem.eui64_hi=0x00019900
312hw.firewire.fwmem.eui64_hi: 0 -> 104704
313# sysctl -w hw.firewire.fwmem.eui64_lo=0x0003622b
314hw.firewire.fwmem.eui64_lo: 0 -> 221739
315.Ed
316.Pp
317Note that the variables must be explicitly stated in hexadecimal.
318After this, you can examine the remote machine's state with the following input:
319.Bd -literal -offset indent
320# gdb -k kernel.debug /dev/fwmem0.0
321GNU gdb 5.2.1 (FreeBSD)
322.Em "(messages omitted)"
323Reading symbols from /boot/kernel/dcons.ko...done.
324Loaded symbols for /boot/kernel/dcons.ko
325Reading symbols from /boot/kernel/dcons_crom.ko...done.
326Loaded symbols for /boot/kernel/dcons_crom.ko
327#0  sched_switch (td=0xc0922fe0) at /usr/src/sys/kern/sched_4bsd.c:621
3280xc21bd378 in ?? ()
329.Ed
330.Pp
331In this case, it is not necessary to load the symbols explicitly.
332The remote system continues to run.
333.Sh COMMANDS
334The user interface to
335.Nm
336is via
337.Xr gdb 1 Pq Pa ports/devel/gdb ,
338so
339.Xr gdb 1 Pq Pa ports/devel/gdb
340commands also work.
341This section discusses only the extensions for kernel debugging that get
342installed in the kernel build directory.
343.Ss "Debugging environment"
344The following macros manipulate the debugging environment:
345.Bl -tag -width indent
346.It Ic ddb
347Switch back to
348.Xr ddb 4 .
349This command is only meaningful when performing remote debugging.
350.It Ic getsyms
351Display
352.Ic kldstat
353information for the target machine and invite user to paste it back in.
354This is required because
355.Nm
356does not allow data to be passed to shell scripts.
357It is necessary for remote debugging and crash dumps; for local memory debugging
358use
359.Ic kldsyms
360instead.
361.It Ic kldsyms
362Read in the symbol tables for the debugging machine.
363This does not work for
364remote debugging and crash dumps; use
365.Ic getsyms
366instead.
367.It Ic tr Ar interface
368Debug a remote system via the specified serial or firewire interface.
369.It Ic tr0
370Debug a remote system via serial interface
371.Pa /dev/cuau0 .
372.It Ic tr1
373Debug a remote system via serial interface
374.Pa /dev/cuau1 .
375.It Ic trf
376Debug a remote system via firewire interface at default port 5556.
377.El
378.Pp
379The commands
380.Ic tr0 , tr1
381and
382.Ic trf
383are convenience commands which invoke
384.Ic tr .
385.Ss "The current process environment"
386The following macros are convenience functions intended to make things easier
387than the standard
388.Xr gdb 1 Pq Pa ports/devel/gdb
389commands.
390.Bl -tag -width indent
391.It Ic f0
392Select stack frame 0 and show assembler-level details.
393.It Ic f1
394Select stack frame 1 and show assembler-level details.
395.It Ic f2
396Select stack frame 2 and show assembler-level details.
397.It Ic f3
398Select stack frame 3 and show assembler-level details.
399.It Ic f4
400Select stack frame 4 and show assembler-level details.
401.It Ic f5
402Select stack frame 5 and show assembler-level details.
403.It Ic xb
404Show 12 words in hex, starting at current
405.Va ebp
406value.
407.It Ic xi
408List the next 10 instructions from the current
409.Va eip
410value.
411.It Ic xp
412Show the register contents and the first four parameters of the current stack
413frame.
414.It Ic xp0
415Show the first parameter of current stack frame in various formats.
416.It Ic xp1
417Show the second parameter of current stack frame in various formats.
418.It Ic xp2
419Show the third parameter of current stack frame in various formats.
420.It Ic xp3
421Show the fourth parameter of current stack frame in various formats.
422.It Ic xp4
423Show the fifth parameter of current stack frame in various formats.
424.It Ic xs
425Show the last 12 words on stack in hexadecimal.
426.It Ic xxp
427Show the register contents and the first ten parameters.
428.It Ic z
429Single step 1 instruction (over calls) and show next instruction.
430.It Ic zs
431Single step 1 instruction (through calls) and show next instruction.
432.El
433.Ss "Examining other processes"
434The following macros access other processes.
435The
436.Nm
437debugger
438does not understand the concept of multiple processes, so they effectively
439bypass the entire
440.Nm
441environment.
442.Bl -tag -width indent
443.It Ic btp Ar pid
444Show a backtrace for the process
445.Ar pid .
446.It Ic btpa
447Show backtraces for all processes in the system.
448.It Ic btpp
449Show a backtrace for the process previously selected with
450.Ic defproc .
451.It Ic btr Ar ebp
452Show a backtrace from the
453.Ar ebp
454address specified.
455.It Ic defproc Ar pid
456Specify the PID of the process for some other commands in this section.
457.It Ic fr Ar frame
458Show frame
459.Ar frame
460of the stack of the process previously selected with
461.Ic defproc .
462.It Ic pcb Ar proc
463Show some PCB contents of the process
464.Ar proc .
465.El
466.Ss "Examining data structures"
467You can use standard
468.Xr gdb 1 Pq Pa ports/devel/gdb
469commands to look at most data structures.
470The macros in this section are
471convenience functions which typically display the data in a more readable
472format, or which omit less interesting parts of the structure.
473.Bl -tag -width indent
474.It Ic bp
475Show information about the buffer header pointed to by the variable
476.Va bp
477in the current frame.
478.It Ic bpd
479Show the contents
480.Pq Vt "char *"
481of
482.Va bp->data
483in the current frame.
484.It Ic bpl
485Show detailed information about the buffer header
486.Pq Vt "struct bp"
487pointed at by the local variable
488.Va bp .
489.It Ic bpp Ar bp
490Show summary information about the buffer header
491.Pq Vt "struct bp"
492pointed at by the parameter
493.Ar bp .
494.It Ic bx
495Print a number of fields from the buffer header pointed at in by the pointer
496.Ar bp
497in the current environment.
498.It Ic vdev
499Show some information of the
500.Vt vnode
501pointed to by the local variable
502.Va vp .
503.El
504.Ss "Miscellaneous macros"
505.Bl -tag -width indent
506.It Ic checkmem
507Check unallocated memory for modifications.
508This assumes that the kernel has been compiled with
509.Cd "options DIAGNOSTIC" .
510This causes the contents of free memory to be set to
511.Li 0xdeadc0de .
512.It Ic dmesg
513Print the system message buffer.
514This corresponds to the
515.Xr dmesg 8
516utility.
517This macro used to be called
518.Ic msgbuf .
519It can take a very long time over a serial line,
520and it is even slower via firewire
521or local memory due to inefficiencies in
522.Nm .
523When debugging a crash dump or over firewire, it is not necessary to start
524.Nm
525to access the message buffer: instead, use an appropriate variation of
526.Bd -literal -offset indent
527dmesg -M /var/crash/vmcore.0 -N kernel.debug
528dmesg -M /dev/fwmem0.0 -N kernel.debug
529.Ed
530.It Ic kldstat
531Equivalent of the
532.Xr kldstat 8
533utility without options.
534.It Ic pname
535Print the command name of the current process.
536.It Ic ps
537Show process status.
538This corresponds in concept, but not in appearance, to the
539.Xr ps 1
540utility.
541When debugging a crash dump or over firewire, it is not necessary to start
542.Nm
543to display the
544.Xr ps 1
545output: instead, use an appropriate variation of
546.Bd -literal -offset indent
547ps -M /var/crash/vmcore.0 -N kernel.debug
548ps -M /dev/fwmem0.0 -N kernel.debug
549.Ed
550.It Ic y
551Kludge for writing macros.
552When writing macros, it is convenient to paste them
553back into the
554.Nm
555window.
556Unfortunately, if the macro is already defined,
557.Nm
558insists on asking
559.Pp
560.Dl "Redefine foo?"
561.Pp
562It will not give up until you answer
563.Ql y .
564This command is that answer.
565It does nothing else except to print a warning
566message to remind you to remove it again.
567.El
568.Sh SEE ALSO
569.Xr gdb 1 Pq Pa ports/devel/gdb ,
570.Xr ps 1 ,
571.Xr ddb 4 ,
572.Xr firewire 4 ,
573.Xr dconschat 8 ,
574.Xr dmesg 8 ,
575.Xr fwcontrol 8 ,
576.Xr kldload 8
577.Sh AUTHORS
578This man page was written by
579.An Greg Lehey Aq Mt grog@FreeBSD.org .
580.Sh BUGS
581The
582.Xr gdb 1 Pq Pa ports/devel/gdb
583debugger
584was never designed to debug kernels, and it is not a very good match.
585Many problems exist.
586.Pp
587The
588.Nm
589implementation is very inefficient, and many operations are slow.
590.Pp
591Serial debugging is even slower, and race conditions can make it difficult to
592run the link at more than 9600 bps.
593Firewire connections do not have this problem.
594.Pp
595The debugging macros
596.Dq just grew.
597In general, the person who wrote them did so while looking for a specific
598problem, so they may not be general enough, and they may behave badly when used
599in ways for which they were not intended, even if those ways make sense.
600.Pp
601Many of these commands only work on the ia32 architecture.
602