1.\" Copyright (c) 2003 Greg Lehey 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD$ 26.\" 27.Dd May 17, 2016 28.Dt GDB 4 29.Os 30.Sh NAME 31.Nm gdb 32.Nd external kernel debugger 33.Sh SYNOPSIS 34.Cd "makeoptions DEBUG=-g" 35.Cd "options DDB" 36.Sh DESCRIPTION 37The 38.Nm 39kernel debugger is a variation of 40.Xr gdb 1 41which understands some aspects of the 42.Fx 43kernel environment. 44It can be used in a number of ways: 45.Bl -bullet 46.It 47It can be used to examine the memory of the processor on which it runs. 48.It 49It can be used to analyse a processor dump after a panic. 50.It 51It can be used to debug another system interactively via a serial or firewire 52link. 53In this mode, the processor can be stopped and single stepped. 54.It 55With a firewire link, it can be used to examine the memory of a remote system 56without the participation of that system. 57In this mode, the processor cannot be stopped and single stepped, but it can be 58of use when the remote system has crashed and is no longer responding. 59.El 60.Pp 61When used for remote debugging, 62.Nm 63requires the presence of the 64.Xr ddb 4 65kernel debugger. 66Commands exist to switch between 67.Nm 68and 69.Xr ddb 4 . 70.Sh PREPARING FOR DEBUGGING 71When debugging kernels, it is practically essential to have built a kernel with 72debugging symbols 73.Pq Cd "makeoptions DEBUG=-g" . 74It is easiest to perform operations from the kernel build directory, by default 75.Pa /usr/obj/usr/src/sys/GENERIC . 76.Pp 77First, ensure you have a copy of the debug macros in the directory: 78.Pp 79.Dl "make gdbinit" 80.Pp 81This command performs some transformations on the macros installed in 82.Pa /usr/src/tools/debugscripts 83to adapt them to the local environment. 84.Ss "Inspecting the environment of the local machine" 85To look at and change the contents of the memory of the system you are running 86on, 87.Pp 88.Dl "gdb -k -wcore kernel.debug /dev/mem" 89.Pp 90In this mode, you need the 91.Fl k 92flag to indicate to 93.Xr gdb 1 94that the 95.Dq "dump file" 96.Pa /dev/mem 97is a kernel data file. 98You can look at live data, and if you include the 99.Fl wcore 100option, you can change it at your peril. 101The system does not stop (obviously), so a number of things will not work. 102You can set breakpoints, but you cannot 103.Dq continue 104execution, so they will not work. 105.Ss "Debugging a crash dump" 106By default, crash dumps are stored in the directory 107.Pa /var/crash . 108Investigate them from the kernel build directory with: 109.Pp 110.Dl "gdb -k kernel.debug /var/crash/vmcore.29" 111.Pp 112In this mode, the system is obviously stopped, so you can only look at it. 113.Ss "Debugging a live system with a remote link" 114In the following discussion, the term 115.Dq "local system" 116refers to the system running the debugger, and 117.Dq "remote system" 118refers to the live system being debugged. 119.Pp 120To debug a live system with a remote link, the kernel must be compiled with the 121option 122.Cd "options DDB" . 123The option 124.Cd "options BREAK_TO_DEBUGGER" 125enables the debugging machine stop the debugged machine once a connection has 126been established by pressing 127.Ql ^C . 128.Ss "Debugging a live system with a remote serial link" 129When using a serial port for the remote link on the i386 platform, the serial 130port must be identified by setting the flag bit 131.Li 0x80 132for the specified interface. 133Generally, this port will also be used as a serial console (flag bit 134.Li 0x10 ) , 135so the entry in 136.Pa /boot/device.hints 137should be: 138.Pp 139.Dl hint.sio.0.flags="0x90" 140.Ss "Debugging a live system with a remote firewire link" 141As with serial debugging, to debug a live system with a firewire link, the 142kernel must be compiled with the option 143.Cd "options DDB" . 144.Pp 145A number of steps must be performed to set up a firewire link: 146.Bl -bullet 147.It 148Ensure that both systems have 149.Xr firewire 4 150support, and that the kernel of the remote system includes the 151.Xr dcons 4 152and 153.Xr dcons_crom 4 154drivers. 155If they are not compiled into the kernel, load the KLDs: 156.Pp 157.Dl "kldload firewire" 158.Pp 159On the remote system only: 160.Bd -literal -offset indent 161kldload dcons 162kldload dcons_crom 163.Ed 164.Pp 165You should see something like this in the 166.Xr dmesg 8 167output of the remote system: 168.Bd -literal -offset indent 169fwohci0: BUS reset 170fwohci0: node_id=0x8800ffc0, gen=2, non CYCLEMASTER mode 171firewire0: 2 nodes, maxhop <= 1, cable IRM = 1 172firewire0: bus manager 1 173firewire0: New S400 device ID:00c04f3226e88061 174dcons_crom0: <dcons configuration ROM> on firewire0 175dcons_crom0: bus_addr 0x22a000 176.Ed 177.Pp 178It is a good idea to load these modules at boot time with the following entry in 179.Pa /boot/loader.conf : 180.Pp 181.Dl dcons_crom_enable="YES" 182.Pp 183This ensures that all three modules are loaded. 184There is no harm in loading 185.Xr dcons 4 186and 187.Xr dcons_crom 4 188on the local system, but if you only want to load the 189.Xr firewire 4 190module, include the following in 191.Pa /boot/loader.conf : 192.Pp 193.Dl firewire_enable="YES" 194.It 195Next, use 196.Xr fwcontrol 8 197to find the firewire node corresponding to the remote machine. 198On the local machine you might see: 199.Bd -literal -offset indent 200# fwcontrol 2012 devices (info_len=2) 202node EUI64 status 203 1 0x00c04f3226e88061 0 204 0 0x000199000003622b 1 205.Ed 206.Pp 207The first node is always the local system, so in this case, node 0 is the remote 208system. 209If there are more than two systems, check from the other end to find which node 210corresponds to the remote system. 211On the remote machine, it looks like this: 212.Bd -literal -offset indent 213# fwcontrol 2142 devices (info_len=2) 215node EUI64 status 216 0 0x000199000003622b 0 217 1 0x00c04f3226e88061 1 218.Ed 219.It 220Next, establish a firewire connection with 221.Xr dconschat 8 : 222.Pp 223.Dl "dconschat -br -G 5556 -t 0x000199000003622b" 224.Pp 225.Li 0x000199000003622b 226is the EUI64 address of the remote node, as determined from the output of 227.Xr fwcontrol 8 228above. 229When started in this manner, 230.Xr dconschat 8 231establishes a local tunnel connection from port 232.Li localhost:5556 233to the remote debugger. 234You can also establish a console port connection with the 235.Fl C 236option to the same invocation 237.Xr dconschat 8 . 238See the 239.Xr dconschat 8 240manpage for further details. 241.Pp 242The 243.Xr dconschat 8 244utility 245does not return control to the user. 246It displays error messages and console output for the remote system, so it is a 247good idea to start it in its own window. 248.It 249Finally, establish connection: 250.Bd -literal -offset indent 251# gdb kernel.debug 252GNU gdb 5.2.1 (FreeBSD) 253.Em "(political statements omitted)" 254Ready to go. Enter 'tr' to connect to the remote target 255with /dev/cuau0, 'tr /dev/cuau1' to connect to a different port 256or 'trf portno' to connect to the remote target with the firewire 257interface. portno defaults to 5556. 258 259Type 'getsyms' after connection to load kld symbols. 260 261If you are debugging a local system, you can use 'kldsyms' instead 262to load the kld symbols. That is a less obnoxious interface. 263(gdb) trf 2640xc21bd378 in ?? () 265.Ed 266.Pp 267The 268.Ic trf 269macro assumes a connection on port 5556. 270If you want to use a different port (by changing the invocation of 271.Xr dconschat 8 272above), use the 273.Ic tr 274macro instead. 275For example, if you want to use port 4711, run 276.Xr dconschat 8 277like this: 278.Pp 279.Dl "dconschat -br -G 4711 -t 0x000199000003622b" 280.Pp 281Then establish connection with: 282.Bd -literal -offset indent 283(gdb) tr localhost:4711 2840xc21bd378 in ?? () 285.Ed 286.El 287.Ss "Non-cooperative debugging a live system with a remote firewire link" 288In addition to the conventional debugging via firewire described in the previous 289section, it is possible to debug a remote system without its cooperation, once 290an initial connection has been established. 291This corresponds to debugging a local machine using 292.Pa /dev/mem . 293It can be very useful if a system crashes and the debugger no longer responds. 294To use this method, set the 295.Xr sysctl 8 296variables 297.Va hw.firewire.fwmem.eui64_hi 298and 299.Va hw.firewire.fwmem.eui64_lo 300to the upper and lower halves of the EUI64 ID of the remote system, 301respectively. 302From the previous example, the remote machine shows: 303.Bd -literal -offset indent 304# fwcontrol 3052 devices (info_len=2) 306node EUI64 status 307 0 0x000199000003622b 0 308 1 0x00c04f3226e88061 1 309.Ed 310.Pp 311Enter: 312.Bd -literal -offset indent 313# sysctl -w hw.firewire.fwmem.eui64_hi=0x00019900 314hw.firewire.fwmem.eui64_hi: 0 -> 104704 315# sysctl -w hw.firewire.fwmem.eui64_lo=0x0003622b 316hw.firewire.fwmem.eui64_lo: 0 -> 221739 317.Ed 318.Pp 319Note that the variables must be explicitly stated in hexadecimal. 320After this, you can examine the remote machine's state with the following input: 321.Bd -literal -offset indent 322# gdb -k kernel.debug /dev/fwmem0.0 323GNU gdb 5.2.1 (FreeBSD) 324.Em "(messages omitted)" 325Reading symbols from /boot/kernel/dcons.ko...done. 326Loaded symbols for /boot/kernel/dcons.ko 327Reading symbols from /boot/kernel/dcons_crom.ko...done. 328Loaded symbols for /boot/kernel/dcons_crom.ko 329#0 sched_switch (td=0xc0922fe0) at /usr/src/sys/kern/sched_4bsd.c:621 3300xc21bd378 in ?? () 331.Ed 332.Pp 333In this case, it is not necessary to load the symbols explicitly. 334The remote system continues to run. 335.Sh COMMANDS 336The user interface to 337.Nm 338is via 339.Xr gdb 1 , 340so 341.Xr gdb 1 342commands also work. 343This section discusses only the extensions for kernel debugging that get 344installed in the kernel build directory. 345.Ss "Debugging environment" 346The following macros manipulate the debugging environment: 347.Bl -tag -width indent 348.It Ic ddb 349Switch back to 350.Xr ddb 4 . 351This command is only meaningful when performing remote debugging. 352.It Ic getsyms 353Display 354.Ic kldstat 355information for the target machine and invite user to paste it back in. 356This is required because 357.Nm 358does not allow data to be passed to shell scripts. 359It is necessary for remote debugging and crash dumps; for local memory debugging 360use 361.Ic kldsyms 362instead. 363.It Ic kldsyms 364Read in the symbol tables for the debugging machine. 365This does not work for 366remote debugging and crash dumps; use 367.Ic getsyms 368instead. 369.It Ic tr Ar interface 370Debug a remote system via the specified serial or firewire interface. 371.It Ic tr0 372Debug a remote system via serial interface 373.Pa /dev/cuau0 . 374.It Ic tr1 375Debug a remote system via serial interface 376.Pa /dev/cuau1 . 377.It Ic trf 378Debug a remote system via firewire interface at default port 5556. 379.El 380.Pp 381The commands 382.Ic tr0 , tr1 383and 384.Ic trf 385are convenience commands which invoke 386.Ic tr . 387.Ss "The current process environment" 388The following macros are convenience functions intended to make things easier 389than the standard 390.Xr gdb 1 391commands. 392.Bl -tag -width indent 393.It Ic f0 394Select stack frame 0 and show assembler-level details. 395.It Ic f1 396Select stack frame 1 and show assembler-level details. 397.It Ic f2 398Select stack frame 2 and show assembler-level details. 399.It Ic f3 400Select stack frame 3 and show assembler-level details. 401.It Ic f4 402Select stack frame 4 and show assembler-level details. 403.It Ic f5 404Select stack frame 5 and show assembler-level details. 405.It Ic xb 406Show 12 words in hex, starting at current 407.Va ebp 408value. 409.It Ic xi 410List the next 10 instructions from the current 411.Va eip 412value. 413.It Ic xp 414Show the register contents and the first four parameters of the current stack 415frame. 416.It Ic xp0 417Show the first parameter of current stack frame in various formats. 418.It Ic xp1 419Show the second parameter of current stack frame in various formats. 420.It Ic xp2 421Show the third parameter of current stack frame in various formats. 422.It Ic xp3 423Show the fourth parameter of current stack frame in various formats. 424.It Ic xp4 425Show the fifth parameter of current stack frame in various formats. 426.It Ic xs 427Show the last 12 words on stack in hexadecimal. 428.It Ic xxp 429Show the register contents and the first ten parameters. 430.It Ic z 431Single step 1 instruction (over calls) and show next instruction. 432.It Ic zs 433Single step 1 instruction (through calls) and show next instruction. 434.El 435.Ss "Examining other processes" 436The following macros access other processes. 437The 438.Nm 439debugger 440does not understand the concept of multiple processes, so they effectively 441bypass the entire 442.Nm 443environment. 444.Bl -tag -width indent 445.It Ic btp Ar pid 446Show a backtrace for the process 447.Ar pid . 448.It Ic btpa 449Show backtraces for all processes in the system. 450.It Ic btpp 451Show a backtrace for the process previously selected with 452.Ic defproc . 453.It Ic btr Ar ebp 454Show a backtrace from the 455.Ar ebp 456address specified. 457.It Ic defproc Ar pid 458Specify the PID of the process for some other commands in this section. 459.It Ic fr Ar frame 460Show frame 461.Ar frame 462of the stack of the process previously selected with 463.Ic defproc . 464.It Ic pcb Ar proc 465Show some PCB contents of the process 466.Ar proc . 467.El 468.Ss "Examining data structures" 469You can use standard 470.Xr gdb 1 471commands to look at most data structures. 472The macros in this section are 473convenience functions which typically display the data in a more readable 474format, or which omit less interesting parts of the structure. 475.Bl -tag -width indent 476.It Ic bp 477Show information about the buffer header pointed to by the variable 478.Va bp 479in the current frame. 480.It Ic bpd 481Show the contents 482.Pq Vt "char *" 483of 484.Va bp->data 485in the current frame. 486.It Ic bpl 487Show detailed information about the buffer header 488.Pq Vt "struct bp" 489pointed at by the local variable 490.Va bp . 491.It Ic bpp Ar bp 492Show summary information about the buffer header 493.Pq Vt "struct bp" 494pointed at by the parameter 495.Ar bp . 496.It Ic bx 497Print a number of fields from the buffer header pointed at in by the pointer 498.Ar bp 499in the current environment. 500.It Ic vdev 501Show some information of the 502.Vt vnode 503pointed to by the local variable 504.Va vp . 505.El 506.Ss "Miscellaneous macros" 507.Bl -tag -width indent 508.It Ic checkmem 509Check unallocated memory for modifications. 510This assumes that the kernel has been compiled with 511.Cd "options DIAGNOSTIC" . 512This causes the contents of free memory to be set to 513.Li 0xdeadc0de . 514.It Ic dmesg 515Print the system message buffer. 516This corresponds to the 517.Xr dmesg 8 518utility. 519This macro used to be called 520.Ic msgbuf . 521It can take a very long time over a serial line, 522and it is even slower via firewire 523or local memory due to inefficiencies in 524.Nm . 525When debugging a crash dump or over firewire, it is not necessary to start 526.Nm 527to access the message buffer: instead, use an appropriate variation of 528.Bd -literal -offset indent 529dmesg -M /var/crash/vmcore.0 -N kernel.debug 530dmesg -M /dev/fwmem0.0 -N kernel.debug 531.Ed 532.It Ic kldstat 533Equivalent of the 534.Xr kldstat 8 535utility without options. 536.It Ic pname 537Print the command name of the current process. 538.It Ic ps 539Show process status. 540This corresponds in concept, but not in appearance, to the 541.Xr ps 1 542utility. 543When debugging a crash dump or over firewire, it is not necessary to start 544.Nm 545to display the 546.Xr ps 1 547output: instead, use an appropriate variation of 548.Bd -literal -offset indent 549ps -M /var/crash/vmcore.0 -N kernel.debug 550ps -M /dev/fwmem0.0 -N kernel.debug 551.Ed 552.It Ic y 553Kludge for writing macros. 554When writing macros, it is convenient to paste them 555back into the 556.Nm 557window. 558Unfortunately, if the macro is already defined, 559.Nm 560insists on asking 561.Pp 562.Dl "Redefine foo?" 563.Pp 564It will not give up until you answer 565.Ql y . 566This command is that answer. 567It does nothing else except to print a warning 568message to remind you to remove it again. 569.El 570.Sh SEE ALSO 571.Xr gdb 1 , 572.Xr ps 1 , 573.Xr ddb 4 , 574.Xr firewire 4 , 575.Xr dconschat 8 , 576.Xr dmesg 8 , 577.Xr fwcontrol 8 , 578.Xr kldload 8 579.Sh AUTHORS 580This man page was written by 581.An Greg Lehey Aq Mt grog@FreeBSD.org . 582.Sh BUGS 583The 584.Xr gdb 1 585debugger 586was never designed to debug kernels, and it is not a very good match. 587Many problems exist. 588.Pp 589The 590.Nm 591implementation is very inefficient, and many operations are slow. 592.Pp 593Serial debugging is even slower, and race conditions can make it difficult to 594run the link at more than 9600 bps. 595Firewire connections do not have this problem. 596.Pp 597The debugging macros 598.Dq just grew. 599In general, the person who wrote them did so while looking for a specific 600problem, so they may not be general enough, and they may behave badly when used 601in ways for which they were not intended, even if those ways make sense. 602.Pp 603Many of these commands only work on the ia32 architecture. 604