2 .\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright (c) 2012, Joyent, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH MDB 1 "May 13, 2017"
9 mdb \- modular debugger
13 \fBmdb\fR [\fB-fkmuwyAFKMSUW\fR] [\(+-o \fIoption\fR] [\fB-p\fR \fIpid\fR] [\fB-s\fR \fIdistance\fR]
14 [\fB-I\fR \fIpath\fR] [\fB-L\fR \fIpath\fR] [\fB-P\fR \fIprompt\fR] [\fB-R\fR \fIroot\fR]
15 [\fB-V\fR \fIdis-version\fR] [\fB-e\fR \fIexpr\fR] [object [core] | core | suffix]
21 The \fBmdb\fR utility is an extensible utility for low-level debugging and
22 editing of the live operating system, operating system crash dumps, user
23 processes, user process core dumps, and object files. For a more detailed
24 description of \fBmdb\fR features, refer to the manual, \fISolaris Modular
28 Debugging is the process of analyzing the execution and state of a software
29 program in order to remove defects. Traditional debugging tools provide
30 facilities for execution control so that programmers can re-execute programs in
31 a controlled environment and display the current state of program data or
32 evaluate expressions in the source language used to develop the program.
35 Unfortunately, these techniques are often inappropriate for debugging complex
36 software systems such as an operating system, where bugs might not be
37 reproducible and program state is massive and distributed, for programs that
38 are highly optimized, have had their debug information removed, or are
39 themselves low-level debugging tools, or for customer situations where the
40 developer can only access post-mortem information.
43 \fBmdb\fR provides a completely customizable environment for debugging these
44 programs and scenarios, including a dynamic module facility that programmers
45 can use to implement their own debugging commands to perform program-specific
46 analysis. Each \fBmdb\fR module can be used to examine the program in several
47 different contexts, including live and post-mortem.
50 The \fItarget\fR is the program being inspected by the debugger. \fBmdb\fR
51 currently provides support for the following types of targets: user processes,
52 user process core files, the live operating system (via \fB/dev/kmem\fR and
53 \fB/dev/ksyms\fR), operating system crash dumps, user process images recorded
54 inside an operating system crash dump, \fBELF\fR object files, and raw binary
55 files. Each target exports a standard set of properties, including one or more
56 address spaces, one or more symbol tables, a set of load objects, and a set of
57 threads that can be examined using the debugger commands described below.
60 A debugger command, or \fIdcmd\fR (pronounced dee-command) in \fBmdb\fR
61 terminology, is a routine in the debugger that can access any of the properties
62 of the current target. \fBmdb\fR parses commands from standard input, and then
63 executes the corresponding dcmds. Each dcmd can also accept a list of string or
64 numerical arguments, as shown in the syntax description below. \fBmdb\fR
65 contains a set of built-in dcmds, described below, that are always available.
66 You can also extend the capabilities of \fBmdb\fR itself by writing your own
67 dcmds, as described in the \fISolaris Modular Debugger Guide\fR.
70 A \fIwalker\fR is a set of routines that describe how to walk, or iterate,
71 through the elements of a particular program data structure. A walker
72 encapsulates the data structure's implementation from dcmds and from \fBmdb\fR
73 itself. You can use walkers interactively, or use them as a primitive to build
74 other dcmds or walkers. As with dcmds, you can extend \fBmdb\fR by implementing
75 your own walkers as part of a debugger module.
78 A debugger module, or \fIdmod\fR (pronounced dee-mod), is a dynamically loaded
79 library containing a set of dcmds and walkers. During initialization, \fBmdb\fR
80 attempts to load dmods corresponding to the load objects present in the target.
81 You can subsequently load or unload dmods at any time while running \fBmdb\fR.
82 \fBmdb\fR ships with a set of standard dmods for debugging the Solaris kernel.
83 The \fISolaris Modular Debugger Guide\fR contains more information on
84 developing your own debugger modules.
87 A \fImacro file\fR is a text file containing a set of commands to execute.
88 Macro files are typically used to automate the process of displaying a simple
89 data structure. \fBmdb\fR provides complete backward compatibility for the
90 execution of macro files written for \fBadb\fR(1), and the Solaris installation
91 includes a set of macro files for debugging the Solaris kernel that can be used
95 The debugger processes commands from standard input. If standard input is a
96 terminal, \fBmdb\fR provides terminal editing capabilities. \fBmdb\fR can also
97 process commands from macro files and from dcmd pipelines, described below. The
98 language syntax is designed around the concept of computing the value of an
99 expression (typically a memory address in the target), and then applying a dcmd
100 to that address. The current address location is referred to as \fIdot\fR, and
101 its value is referenced using ``.''.
104 A \fImetacharacter\fR is one of the following characters:
108 [ ] | ! / \e ? = > $ : ;
109 \fINEWLINE\fR \fISPACE\fR \fITAB\fR
116 A \fIblank\fR is a \fITAB\fR or a \fISPACE\fR. A \fIword\fR is a sequence of
117 characters separated by one or more non-quoted metacharacters. Some of the
118 metacharacters only function as delimiters in certain contexts, as described
119 below. An \fIidentifier\fR is a sequence of letters, digits, underscores,
120 periods, or backquotes beginning with a letter, underscore, or period.
121 Identifiers are used as the names of symbols, variables, dcmds, and walkers.
122 Commands are delimited by a \fINEWLINE\fR or semicolon ( \fB;\fR ).
125 A dcmd is denoted by one of the following words or metacharacters:
129 / \e ? = > $character :character ::identifier
136 dcmds named by metacharacters or prefixed by a single \fB$\fR or \fB:\fR are
137 provided as built-in operators, and implement complete compatibility with the
138 command set of the legacy \fBadb\fR(1) utility. Once a dcmd has been parsed,
139 the \fB/\fR, \fB\e\fR, \fB?\fR, \fB=\fR, \fB>\fR, \fB$\fR, and \fB:\fR
140 characters are no longer recognized as metacharacters until the termination of
144 A \fIsimple-command\fR is a dcmd followed by a sequence of zero or more
145 blank-separated words. The words are passed as arguments to the invoked dcmd,
146 except as specified under \fBQuoting and Arithmetic Expansion\fR below. Each
147 dcmd returns an exit status that indicates it was either successful, failed, or
148 was invoked with invalid arguments.
151 A \fIpipeline\fR is a sequence of one or more simple commands separated by
152 \fB|\fR. Unlike the shell, dcmds in \fBmdb\fR pipelines are not executed as
153 separate processes. After the pipeline has been parsed, each dcmd is invoked in
154 order from left to right. Each dcmd's output is processed and stored as
155 described under \fBdcmd Pipelines\fR below. Once the left-hand dcmd is
156 complete, its processed output is used as input for the next dcmd in the
157 pipeline. If any dcmd does not return a successful exit status, the pipeline is
161 An \fIexpression\fR is a sequence of words that is evaluated to compute a
162 64-bit unsigned integer value. The words are evaluated using the rules
163 described under \fBArithmetic Expansion\fR below.
166 A \fIcommand\fR is one of the following:
170 \fB\fIpipeline\fR [\fB!\fR \fIword\fR .\|.\|.] [ \fB;\fR ]\fR
174 A simple-command or pipeline can be optionally suffixed with the \fB!\fR
175 character, indicating that the debugger should open a \fBpipe\fR(2) and send
176 the standard output of the last dcmd in the \fBmdb\fR pipeline to an external
177 process created by executing \fB$SHELL\fR \fB-c\fR followed by the string
178 formed by concatenating the words after the \fB!\fR character. For more
179 details, refer to \fBShell Escapes\fR below.
185 \fB\fIexpression\fR \fI pipeline\fR [\fB!\fR \fIword\fR .\|.\|.] [ \fB;\fR ]\fR
189 A simple-command or pipeline can be prefixed with an expression. Before
190 execution of the pipeline, the value of dot (the variable denoted by
191 ``\fB\&.\fR'') is set to the value of the expression.
197 \fB\fIexpression\fR\fB ,\fR \fIexpression\fR \fIpipeline \fR [\fB!\fR
198 \fIword\fR .\|.\|.] [ \fB;\fR ]\fR
202 A simple-command or pipeline can be prefixed with two expressions. The first is
203 evaluated to determine the new value of dot, and the second is evaluated to
204 determine a repeat count for the first dcmd in the pipeline. This dcmd is
205 executed \fIcount\fR times before the next dcmd in the pipeline is executed.
206 The repeat count only applies to the first dcmd in the pipeline.
212 \fB\fB,\fR \fIexpression\fR \fIpipeline\fR [\fB!\fR \fIword\fR .\|.\|.] [
217 If the initial expression is omitted, dot is not modified but the first dcmd in
218 the pipeline is repeated according to the value of the expression.
224 \fB\fIexpression\fR [\fB!\fR \fIword\fR .\|.\|.] [ \fB;\fR ]\fR
228 A command can consist only of an arithmetic expression. The expression is
229 evaluated and the dot variable is set to its value, and then the previous dcmd
230 and arguments are executed using the new value of dot.
236 \fB\fIexpression\fR\fB,\fR \fIexpression\fR [\fB!\fR \fI word\fR .\|.\|.] [
241 A command can consist only of a dot expression and repeat count expression.
242 After dot is set to the value of the first expression, the previous dcmd and
243 arguments are repeatedly executed the number of times specified by the value of
244 the second expression.
250 \fB\fB,\fR \fIexpression \fR [\fB!\fR \fIword\fR .\|.\|.] [ \fB;\fR ]\fR
254 If the initial expression is omitted, dot is not modified but the previous dcmd
255 and arguments are repeatedly executed the number of times specified by the
256 value of the count expression.
262 \fB\fB!\fR \fIword\fR .\|.\|. [ \fB;\fR ]\fR
266 If the command begins with the \fB!\fR character, no dcmds are executed and the
267 debugger simply executes \fB$SHELL\fR \fB-c\fR followed by the string formed by
268 concatenating the words after the \fB!\fR character.
273 A word beginning with \fB//\fR causes that word and all the subsequent
274 characters up to a \fINEWLINE\fR to be ignored.
275 .SS "Arithmetic Expansion"
277 Arithmetic expansion is performed when an \fBmdb\fR command is preceded by an
278 optional expression representing a start address, or a start address and a
279 repeat count. Arithmetic expansion can also be performed to compute a numerical
280 argument for a dcmd. An arithmetic expression can appear in an argument list
281 enclosed in square brackets preceded by a dollar sign (\fB$[ expression ]\fR),
282 and is replaced by the value of the expression.
285 Expressions can contain any of the following special words:
292 The specified integer value. Integer values can be prefixed with \fB0i\fR or
293 \fB0I\fR to indicate binary values, \fB0o\fR or \fB0O\fR to indicate octal
294 values, \fB0t\fR or \fB0T\fR to indicate decimal values, and \fB0x\fR or
295 \fB0X\fR to indicate hexadecimal values (the default).
301 \fB0[tT][0-9]+.[0-9]+\fR
304 The specified decimal floating point value, converted to its \fBIEEE\fR
305 double-precision floating point representation.
311 \fB\&'\fIcccccccc\fR'\fR
314 The integer value computed by converting each character to a byte equal to its
315 \fBASCII\fR value. Up to eight characters can be specified in a character
316 constant. Characters are packed into the integer in reverse order
317 (right-to-left) beginning at the least significant byte.
323 \fB<\fIidentifier\fR\fR
326 The value of the variable named by \fIidentifier\fR.
332 \fB\fIidentifier\fR\fR
335 The value of the symbol named by \fIidentifier\fR.
341 \fB(\fIexpression\fR)\fR
344 The value of \fIexpression\fR.
362 The most recent value of dot used to execute a dcmd.
371 The value of dot incremented by the current increment.
380 The value of dot decremented by the current increment.
385 The increment is a global variable that stores the total bytes read by the last
386 formatting dcmd. For more information on the increment, refer to the discussion
387 of \fBFormatting dcmds\fR below.
390 Unary operators are right associative and have higher precedence than binary
391 operators. The unary operators are:
395 \fB#\fIexpression\fR\fR
404 \fB~\fIexpression\fR\fR
413 \fB-\fIexpression\fR\fR
422 \fB%\fIexpression\fR\fR
425 The value of a pointer-sized quantity at the object file location corresponding
426 to virtual address \fIexpression\fR in the target's virtual address space.
432 \fB%/[csil]/\fIexpression\fR\fR
435 The value of a char, short, int, or long-sized quantity at the object file
436 location corresponding to virtual address \fIexpression\fR in the target's
437 virtual address space.
443 \fB%/[1248]/\fIexpression\fR\fR
446 The value of a one, two, four, or eight-byte quantity at the object file
447 location corresponding to virtual address \fIexpression\fR in the target's
448 virtual address space.
454 \fB*\fIexpression\fR\fR
457 The value of a pointer-sized quantity at virtual address \fIexpression\fR in
458 the target's virtual address space.
464 \fB*/[csil]/\fIexpression\fR\fR
467 The value of a char, short, int, or long-sized quantity at virtual address
468 \fIexpression\fR in the target's virtual address space.
474 \fB*/[1248]/\fIexpression\fR\fR
477 The value of a one, two, four, or eight-byte quantity at virtual address
478 \fIexpression\fR in the target's virtual address space.
483 Binary operators are left associative and have lower precedence than unary
484 operators. The binary operators, in order of precedence from highest to lowest,
492 Integer multiplication.
510 Left-hand side rounded up to next multiple of right-hand side.
582 Bitwise exclusive OR.
591 Bitwise inclusive OR.
596 Each metacharacter described above (see \fBSyntax\fR) terminates a word unless
597 quoted. Characters can be quoted (forcing \fBmdb\fR to interpret each character
598 as itself without any special significance) by enclosing them in a pair of
599 single (\fB\&' '\fR) or double (\fB" "\fR) quote marks. A single quote cannot
600 appear within single quotes. Inside double quotes, \fBmdb\fR recognizes the C
601 programming language character escape sequences.
604 The \fB!\fR character can be used to create a pipeline between an \fBmdb\fR
605 command and the user's shell. If the $\fBSHELL\fR environment variable is set,
606 \fBmdb\fR forks and execs this program for shell escapes; otherwise
607 \fB/bin/sh\fR is used. The shell is invoked with the \fB-c\fR option followed
608 by a string formed by concatenating the words after the \fB!\fR character. The
609 \fB!\fR character takes precedence over all other metacharacters, except
610 semicolon (\fB;\fR) and \fINEWLINE\fR. Once a shell escape is detected, the
611 remaining characters up to the next semicolon or \fINEWLINE\fR are passed as is
612 to the shell. The output of shell commands can not be piped to \fBmdb\fR dcmds.
613 Commands executed by a shell escape have their output sent directly to the
614 terminal, not to \fBmdb\fR.
617 A \fIvariable\fR is a variable name, a corresponding integer value, and a set
618 of attributes. A variable name is a sequence of letters, digits, underscores,
619 or periods. A variable can be assigned a value using the \fB>\fR dcmd or
620 \fB::typeset\fR dcmd, and its attributes can be manipulated using the
621 \fB::typeset\fR dcmd. Each variable's value is represented as a 64-bit unsigned
622 integer. A variable can have one or more of the following attributes: read-only
623 (cannot be modified by the user), persistent (cannot be unset by the user), and
624 tagged (user-defined indicator).
627 The following variables are defined as persistent:
634 The most recent value printed using the \fB/\fR, \fB\e\fR, \fB?\fR, or \fB=\fR
644 The most recent count used with the \fB$<\fR dcmd.
653 The virtual address of the base of the data section.
662 The size of the data section in bytes.
671 The virtual address of the entry point.
680 The initial bytes (magic number) of the target's primary object file, or zero
681 if no object file has been read yet.
690 The size of the text section in bytes.
699 The count of the number of times the matched software event specifier has been
700 matched. See \fBEvent Callbacks\fR, below.
709 The thread identifier of the current representative thread. The value of the
710 identifier depends on the threading model used by the current target. See
711 \fBThread Support\fR, below.
716 In addition, the \fBmdb\fR kernel and process targets export the current values
717 of the representative thread's register set as named variables. The names of
718 these variables depend on the target's platform and instruction set
720 .SS "Symbol Name Resolution"
722 As explained in the \fBSyntax\fR description above, a symbol identifier present
723 in an expression context evaluates to the value of this symbol. The value
724 typically denotes the virtual address of the storage associated with the symbol
725 in the target's virtual address space. A target can support multiple symbol
726 tables including, but not limited to, a primary executable symbol table, a
727 primary dynamic symbol table, a run-time link-editor symbol table, and standard
728 and dynamic symbol tables for each of a number of load objects (such as shared
729 libraries in a user process, or kernel modules in the Solaris kernel). The
730 target typically searches the primary executable's symbol tables first, and
731 then one or more of the other symbol tables. Notice that \fBELF\fR symbol
732 tables only contain entries for external, global, and static symbols; automatic
733 symbols do not appear in the symbol tables processed by \fBmdb\fR.
736 Additionally, \fBmdb\fR provides a private user-defined symbol table that is
737 searched prior to any of the target symbol tables. The private symbol table is
738 initially empty, and can be manipulated using the \fB::nmadd\fR and
739 \fB::nmdel\fR dcmds. The \fB::nm\fR \fB-P\fR option can be used to display the
740 contents of the private symbol table. The private symbol table allows the user
741 to create symbol definitions for program functions or data that were either
742 missing from the original program or stripped out. These definitions are then
743 used whenever \fBmdb\fR converts a symbolic name to an address, or an address
744 to the nearest symbol.
747 As targets contain multiple symbol tables, and each symbol table can include
748 symbols from multiple object files, different symbols with the same name can
749 exist. \fBmdb\fR uses the backquote (\fB`\fR) character as a symbol name
750 scoping operator to allow the programmer to obtain the value of the desired
751 symbol in this situation. The programmer can specify the scope used to resolve
752 a symbol name as either: \fIobject\fR\fB`\fR\fIname\fR, or
753 \fIfile\fR\fB`\fR\fIname\fR, or \fIobject\fR\fB`\fR\fIfile\fR\fB`\fR\fIname\fR.
754 The object identifier refers to the name of a load object. The file identifier
755 refers to the basename of a source file that has a symbol of type
756 \fBSTT_FILE\fR in the specified object's symbol table. The object identifier's
757 interpretation depends on the target type.
760 The \fBmdb\fR kernel target expects \fIobject\fR to specify the basename of a
761 loaded kernel module. For example, the symbol name
772 evaluates to the value of the \fB_init\fR symbol in the \fBspecfs\fR kernel
776 The \fBmdb\fR process target expects \fIobject\fR to specify the name of the
777 executable or of a loaded shared library. It can take any of the following
782 An exact match (that is, a full pathname): \fB/usr/lib/libc.so.1\fR
787 An exact basename match: \fBlibc.so.1\fR
792 An initial basename match up to a ``\fB\&.\fR'' suffix: \fBlibc.so\fR or
798 The literal string \fBa.out\fR is accepted as an alias for the executable.
802 The process target also accepts any of the four forms described above preceded
803 by an optional link-map id (lmid). The lmid prefix is specified by an initial
804 "\fBLM\fR" followed by the link-map id in hexadecimal followed by an additional
805 backquote. For example, the symbol name
816 evaluates to the value of the \fB_init\fR symbol in the \fBlibc.so.1\fR library
817 that is loaded on link-map 0 (\fBLM_ID_BASE\fR). The link-map specifier can be
818 necessary to resolve symbol naming conflicts in the event that the same library
819 is loaded on more than one link map. For more information on link maps, refer
820 to the \fILinker and Libraries Guide\fR and \fBdlopen\fR(3C). Link-map
821 identifiers are displayed when symbols are printed according to the setting of
822 the \fBshowlmid\fR option, as described under OPTIONS.
825 In the case of a naming conflict between symbols and hexadecimal integer
826 values, \fBmdb\fR attempts to evaluate an ambiguous token as a symbol first,
827 before evaluating it as an integer value. For example, the token \fBf\fR can
828 either refer to the decimal integer value \fB15\fR specified in hexadecimal
829 (the default base), or to a global variable named \fBf\fR in the target's
830 symbol table. If a symbol with an ambiguous name is present, the integer value
831 can be specified by using an explicit \fB0x\fR or \fB0X\fR prefix.
832 .SS "dcmd and Walker Name Resolution"
834 As described earlier, each \fBmdb\fR dmod provides a set of dcmds and walkers.
835 dcmds and walkers are tracked in two distinct, global namespaces. \fBmdb\fR
836 also keeps track of a dcmd and walker namespace associated with each dmod.
837 Identically named dcmds or walkers within a given dmod are not allowed: a dmod
838 with this type of naming conflict fails to load. Name conflicts between dcmds
839 or walkers from different dmods are allowed in the global namespace. In the
840 case of a conflict, the first dcmd or walker with that particular name to be
841 loaded is given precedence in the global namespace. Alternate definitions are
842 kept in a list in load order. The backquote character (\fB`\fR) can be used in
843 a dcmd or walker name as a scoping operator to select an alternate definition.
844 For example, if dmods \fBm1\fR and \fBm2\fR each provide a dcmd \fBd\fR, and
845 \fBm1\fR is loaded prior to \fBm2\fR, then:
852 Executes \fBm1\fR's definition of \fBd\fR.
861 Executes \fBm1\fR's definition of \fBd\fR.
870 Executes \fBm2'\fRs definition of \fBd\fR.
875 If module \fBm1\fR were now unloaded, the next dcmd on the global definition
876 list (\fBm2`d\fR) would be promoted to global visibility. The current
877 definition of a dcmd or walker can be determined using the \fB::which\fR dcmd,
878 described below. The global definition list can be displayed using the
879 \fB::which\fR \fB-v\fR option.
882 dcmds can be composed into a pipeline using the \fB|\fR operator. The purpose
883 of a pipeline is to pass a list of values, typically virtual addresses, from
884 one dcmd or walker to another. Pipeline stages might be used to map a pointer
885 from one type of data structure to a pointer to a corresponding data structure,
886 to sort a list of addresses, or to select the addresses of structures with
890 \fBmdb\fR executes each dcmd in the pipeline in order from left to right. The
891 leftmost dcmd is executed using the current value of dot, or using the value
892 specified by an explicit expression at the start of the command. When a \fB|\fR
893 operator is encountered, \fBmdb\fR creates a pipe (a shared buffer) between the
894 output of the dcmd to its left and the \fBmdb\fR parser, and an empty list of
895 values. As the dcmd executes, its standard output is placed in the pipe and
896 then consumed and evaluated by the parser, as if \fBmdb\fR were reading this
897 data from standard input. Each line must consist of an arithmetic expression
898 terminated by a \fINEWLINE\fR or semicolon (\fB;\fR). The value of the
899 expression is appended to the list of values associated with the pipe. If a
900 syntax error is detected, the pipeline is aborted.
903 When the dcmd to the left of a \fB|\fR operator completes, the list of values
904 associated with the pipe is then used to invoke the dcmd to the right of the
905 \fB|\fR operator. For each value in the list, dot is set to this value and the
906 right-hand dcmd is executed. Only the rightmost dcmd in the pipeline has its
907 output printed to standard output. If any dcmd in the pipeline produces output
908 to standard error, these messages are printed directly to standard error and
909 are not processed as part of the pipeline.
910 .SS "Signal Handling"
912 The debugger ignores the \fBPIPE\fR and \fBQUIT\fR signals. The \fBINT\fR
913 signal aborts the command that is currently executing. The debugger intercepts
914 and provides special handling for the \fBILL\fR, \fBTRAP\fR, \fBEMT\fR,
915 \fBFPE\fR, \fBBUS\fR, and \fBSEGV\fR signals. If any of these signals are
916 generated asynchronously (that is, delivered from another process using
917 \fBkill\fR(2)), \fBmdb\fR restores the signal to its default disposition and
918 dump core. However, if any of these signals are generated synchronously by the
919 debugger process itself and a dcmd from an externally loaded dmod is currently
920 executing, and standard input is a terminal, \fBmdb\fR provides a menu of
921 choices allowing the user to force a core dump, quit without producing a core
922 dump, stop for attach by a debugger, or attempt to resume. The resume option
923 aborts all active commands and unload the dmod whose dcmd was active at the
924 time the fault occurred. It can then be subsequently re-loaded by the user. The
925 resume option provides limited protection against buggy dcmds. Refer to
926 WARNINGS, \fBUse of the Error Recovery Mechanism\fR, below for information
927 about the risks associated with the resume option.
928 .SS "Command Re-entry"
930 The text of the last \fBHISTSIZE \fR (default 128) commands entered from a
931 terminal device are saved in memory. The in-line editing facility, described
932 next, provides key mappings for searching and fetching elements from the
934 .SS "In-line Editing"
936 If standard input is a terminal device, \fBmdb\fR provides some simple
937 emacs-style facilities for editing the command line. The \fBsearch\fR,
938 \fBprevious\fR, and \fBnext\fR commands in edit mode provide access to the
939 history list. Only strings, not patterns, are matched when searching. In the
940 table below, the notation for control characters is caret (\fB^\fR) followed by
941 a character shown in upper case. The notation for escape sequences is \fBM-\fR
942 followed by a character. For example, \fBM-f\fR (pronounced meta-eff) is
943 entered by depressing ESC followed by '\fBf\fR', or by depressing Meta followed
944 by '\fBf\fR' on keyboards that support a \fBMeta\fR key. A command line is
945 committed and executed using \fIRETURN\fR or \fINEWLINE\fR. The edit commands
953 Move cursor forward (right) one character.
962 Move cursor forward one word.
971 Move cursor backward (left) one character.
980 Move cursor backward one word.
989 Move cursor to start of line.
998 Move cursor to end of line.
1007 Delete current character, if the current line is not empty. If the current line
1008 is empty, \fB^D\fR denotes \fBEOF\fR and the debugger exits.
1017 (Meta-backspace) Delete previous word.
1026 Delete from the cursor to the end of the line.
1035 Clear the screen and reprint the current line.
1044 Transpose current character with next character.
1053 Fetch the next command from the history. Each time \fB^N\fR is entered, the
1054 next command forward in time is retrieved.
1063 Fetch the previous command from the history. Each time \fB^P\fR is entered, the
1064 next command backward in time is retrieved.
1070 \fB^R[\fIstring\fR]\fR
1073 Search backward in the history for a previous command line containing
1074 \fIstring\fR. The string should be terminated by a \fIRETURN\fR or
1075 \fINEWLINE\fR. If \fIstring\fR is omitted, the previous history element
1076 containing the most recent string is retrieved.
1081 The editing mode also interprets the following user-defined sequences as
1082 editing commands. User defined sequences can be read or modified using the
1083 \fBstty\fR(1) command.
1090 User defined erase character (usually \fB^H\fR or \fB^?\fR). Delete previous
1100 User defined interrupt character (usually \fB^C\fR). Abort the current command
1101 and print a new prompt.
1110 User defined kill character (usually \fB^U\fR). Kill the entire current command
1120 User defined quit character (usually \fB^\e\fR). Quit the debugger.
1129 User defined suspend character (usually \fB^Z\fR). Suspend the debugger.
1138 User defined word erase character (usually \fB^W\fR). Erase the preceding word.
1143 On keyboards that support an extended keypad with arrow keys, \fBmdb\fR
1144 interprets these keystrokes as editing commands:
1151 Fetch the previous command from the history (same as \fB^P\fR).
1160 Fetch the next command from the history (same as \fB^N\fR).
1169 Move cursor backward one character (same as \fB^B\fR).
1178 Move cursor forward one character (same as \fB^F\fR).
1183 \fBmdb\fR provides a built-in output pager. The output pager is enabled if the
1184 debugger's standard output is a terminal device. Each time a command is
1185 executed, \fBmdb\fR pauses after one screenful of output is produced and
1186 displays a pager prompt:
1190 >> More [<space>, <cr>, q, n, c, a] ?
1197 The following key sequences are recognized by the pager:
1204 Display the next screenful of output.
1213 Abort the current top-level command and return to the prompt.
1222 Continue displaying output without pausing at each screenful until the current
1223 top-level command is complete.
1229 \fBn, N, \fINEWLINE\fR, \fIRETURN\fR\fR
1232 Display the next line of output.
1241 Quit (abort) the current dcmd only.
1244 .SS "Formatting dcmds"
1246 The \fB/\fR, \fB\e\fR, \fB?\fR, and \fB=\fR metacharacters are used to denote
1247 the special output formatting dcmds. Each of these dcmds accepts an argument
1248 list consisting of one or more format characters, repeat counts, or quoted
1249 strings. A format character is one of the \fBASCII\fR characters shown in the
1250 table below. Format characters are used to read and format data from the
1251 target. A repeat count is a positive integer preceding the format character
1252 that is always interpreted in base 10 (decimal). A repeat count can also be
1253 specified as an expression enclosed in square brackets preceded by a dollar
1254 sign (\fB$[ ]\fR). A string argument must be enclosed in double-quotes (\fB"
1255 "\fR). No blanks are necessary between format arguments.
1258 The formatting dcmds are:
1265 Display data from the target's virtual address space starting at the virtual
1266 address specified by dot.
1275 Display data from the target's physical address space starting at the physical
1276 address specified by dot.
1285 Display data from the target's primary object file starting at the object file
1286 location corresponding to the virtual address specified by dot.
1295 Display the value of dot itself in each of the specified data formats. The
1296 \fB=\fR dcmd is therefore useful for converting between bases and performing
1302 In addition to dot, \fBmdb\fR keeps track of another global value called the
1303 \fIincrement\fR. The increment represents the distance between dot and the
1304 address following all the data read by the last formatting dcmd. For example,
1305 if a formatting dcmd is executed with dot equal to address A, and displays a
1306 4-byte integer, then after this dcmd completes, dot is still A, but the
1307 increment is set to \fB4\fR. The \fB+\fR character (described under
1308 \fBArithmetic Expansion\fR above) would now evaluate to the value \fBA + 4\fR,
1309 and could be used to reset dot to the address of the next data object for a
1313 Most format characters increase the value of the increment by the number of
1314 bytes corresponding to the size of the data format, shown in the table. The
1315 table of format characters can be displayed from within \fBmdb\fR using the
1316 \fB::formats\fR dcmd. The format characters are:
1324 increment dot by the count (variable size)
1327 decrement dot by the count (variable size)
1329 B hexadecimal int (1 byte)
1331 character using C character notation (1 byte)
1333 D decimal signed int (4 bytes)
1334 E decimal unsigned long long (8 bytes)
1336 G octal unsigned long long (8 bytes)
1337 H swap bytes and shorts (4 bytes)
1339 address and disassembled instruction (variable size)
1341 J hexadecimal long long (8 bytes)
1342 K hexadecimal uintptr_t (4 or 8 bytes)
1344 O octal unsigned int (4 bytes)
1345 P symbol (4 or 8 bytes)
1346 Q octal signed int (4 bytes)
1347 R binary int (8 bytes)
1349 string using C string notation (variable size)
1352 U decimal unsigned int (4 bytes)
1353 V decimal unsigned int (1 byte)
1354 W default radix unsigned int (4 bytes)
1355 X hexadecimal int (4 bytes)
1356 Y decoded time32_t (4 bytes)
1357 Z hexadecimal long long (8 bytes)
1359 decrement dot by increment * count (variable size)
1361 a dot as symbol+offset
1362 b octal unsigned int (1 byte)
1363 c character (1 byte)
1364 d decimal signed short (2 bytes)
1365 e decimal signed long long (8 bytes)
1367 g octal signed long long (8 bytes)
1368 h swap bytes (2 bytes)
1369 i disassembled instruction (variable size)
1371 o octal unsigned short (2 bytes)
1372 p symbol (4 or 8 bytes)
1373 q octal signed short (2 bytes)
1375 s raw string (variable size)
1377 u decimal unsigned short (2 bytes)
1378 v decimal signed int (1 byte)
1379 w default radix unsigned short (2 bytes)
1380 x hexadecimal short (2 bytes)
1381 y decoded time64_t (8 bytes)
1386 The \fB/\fR, \fB\e\fR, and \fB?\fR formatting dcmds can also be used to write
1387 to the target's virtual address space, physical address space, or object file
1388 by specifying one of the following modifiers as the first format character, and
1389 then specifying a list of words that are either immediate values or expressions
1390 enclosed in square brackets preceded by a dollar sign (\fB$[ ]\fR).
1393 The write modifiers are:
1400 Write the lowest byte of the value of each expression to the target beginning
1401 at the location specified by dot.
1410 Write the lowest two bytes of the value of each expression to the target
1411 beginning at the location specified by dot.
1420 Write the lowest 4 bytes of the value of each expression to the target
1421 beginning at the location specified by dot.
1430 Write the complete 8 bytes of the value of each expression to the target
1431 beginning at the location specified by dot.
1436 The \fB/\fR, \fB\e\fR, and \fB?\fR formatting dcmds can also be used to search
1437 for a particular integer value in the target's virtual address space, physical
1438 address space, and object file, respectively, by specifying one of the
1439 following modifiers as the first format character, and then specifying a value
1440 and optional mask. The value and mask are each specified as either immediate
1441 values or expressions enclosed in square brackets preceded by a dollar sign. If
1442 only a value is specified, \fBmdb\fR reads integers of the appropriate size and
1443 stops at the address containing the matching value. If a value \fBV\fR and mask
1444 \fBM\fR are specified, \fBmdb\fR reads integers of the appropriate size and
1445 stops at the address containing a value \fBX\fR where \fB(X & M) == V\fR. At
1446 the completion of the dcmd, dot is updated to the address containing the match.
1447 If no match is found, dot is left at the last address that was read.
1450 The search modifiers are:
1457 l Search for the specified 2-byte value.
1458 L Search for the specified 4-byte value.
1459 M Search for the specified 8-byte value.
1464 Notice that for both user and kernel targets, an address space is typically
1465 composed of a set of discontiguous segments. It is not legal to read from an
1466 address that does not have a corresponding segment. If a search reaches a
1467 segment boundary without finding a match, it aborts when the read past the end
1468 of the segment boundary fails.
1469 .SS "Execution Control"
1471 \fBmdb\fR provides facilities for controlling and tracing the execution of a
1472 live running program. Currently, only the user process target provides support
1473 for execution control. \fBmdb\fR provides a simple model of execution control:
1474 a target process can be started from within the debugger using \fB::run\fR, or
1475 \fBmdb\fR can attach to an existing process using \fB:A\fR, \fB::attach\fR, or
1476 the \fB-p\fR command-line option, as described below. A list of traced software
1477 events can be specified by the user. Each time a traced event occurs in the
1478 target process, all threads in the target stop, the thread that triggered the
1479 event is chosen as the representative thread, and control returns to the
1480 debugger. Once the target program is set running, control can be asynchronously
1481 returned to the debugger by typing the user-defined interrupt character
1482 (typically \fB^C\fR).
1485 A \fBsoftware event\fR is a state transition in the target program that is
1486 observed by the debugger. For example, the debugger can observe the transition
1487 of a program counter register to a value of interest (a breakpoint) or the
1488 delivery of a particular signal.
1491 A \fBsoftware event specifier\fR is a description of a class of software events
1492 that is used by the debugger to instrument the target program in order to
1493 observe these events. The \fB::events\fR dcmd is used to list the software
1494 event specifiers. A set of standard properties is associated with each event
1495 specifier, as described under \fB::events\fR, below.
1498 The debugger can observe a variety of different software events, including
1499 breakpoints, watchpoints, signals, machine faults, and system calls. New
1500 specifiers can be created using \fB::bp\fR, \fB::fltbp\fR, \fB::sigbp\fR,
1501 \fB::sysbp\fR, or \fB::wp\fR. Each specifier has an associated callback (an
1502 \fBmdb\fR command string to execute as if it had been typed at the command
1503 prompt) and a set of properties, as described below. Any number of specifiers
1504 for the same event can be created, each with different callbacks and
1505 properties. The current list of traced events and the properties of the
1506 corresponding event specifiers can be displayed using the \fB::events\fR dcmd.
1507 The event specifier properties are defined as part of the description of the
1508 \fB::events\fR and \fB::evset\fR dcmds, below.
1511 The execution control built-in dcmds, described below, are always available,
1512 but issues an error message indicating they are not supported if applied to a
1513 target that does not support execution control. For more information about the
1514 interaction of exec, attach, release, and job control with debugger execution
1515 control, refer to NOTES, below.
1516 .SS "Event Callbacks"
1518 The \fB::evset\fR dcmd and event tracing dcmds allow you to associate an event
1519 callback (using the \fB-c\fR option) with each event specifier. The event
1520 callbacks are strings that represent \fBmdb\fR commands to execute when the
1521 corresponding event occurs in the target. These commands are executed as if
1522 they had been typed at the command prompt. Before executing each callback, the
1523 dot variable is set to the value of the representative thread's program counter
1524 and the "\fBhits\fR" variable is set to the number of times this specifier has
1525 been matched, including the current match.
1528 If the event callbacks themselves contain one or more commands to continue the
1529 target (for example, \fB::cont\fR or \fB::step\fR), these commands do not
1530 immediately continue the target and wait for it to stop again. Instead, inside
1531 of an event callback, the continue dcmds note that a continue operation is now
1532 pending, and then return immediately. Therefore, if multiple dcmds are included
1533 in an event callback, the step or continue dcmd should be the last command
1534 specified. Following the execution of \fBall\fR event callbacks, the target
1535 immediately resumes execution if \fBall\fR matching event callbacks requested a
1536 continue. If conflicting continue operations are requested, the operation with
1537 the highest precedence determines what type of continue occurs. The order of
1538 precedence from highest to lowest is: step, step-over (next), step-out,
1540 .SS "Thread Support"
1542 \fBmdb\fR provides facilities to examine the stacks and registers of each
1543 thread associated with the target. The persistent "\fBthread\fR" variable
1544 contains the current representative thread identifier. The format of the thread
1545 identifier depends on the target. The \fB::regs\fR and \fB::fpregs\fR dcmds can
1546 be used to examine the register set of the representative thread, or of another
1547 thread if its register set is currently available. In addition, the register
1548 set of the representative thread is exported as a set of named variables. The
1549 user can modify the value of one or more registers by applying the \fB>\fR dcmd
1550 to the corresponding named variable.
1553 The \fBmdb\fR kernel target exports the virtual address of the corresponding
1554 internal thread structure as the identifier for a given thread. The \fISolaris
1555 Modular Debugger Guide\fR provides more information on debugging support for
1556 threads in the Solaris kernel. The \fBmdb\fR process target provides proper
1557 support for examination of multi-threaded user processes that use the native
1558 \fBlwp_*\fR interfaces, \fB/usr/lib/libthread.so\fR or
1559 \fB/usr/lib/lwp/libthread.so\fR. When debugging a live user process, \fBmdb\fR
1560 detects if a single threaded process \fBdlopen\fRs or closes \fBlibthread\fR
1561 and automatically adjusts its view of the threading model on-the-fly. The
1562 process target thread identifiers corresponds to either the \fBlwpid_t\fR,
1563 \fBthread_t\fR, or \fBpthread_t\fR of the representative, depending on the
1564 threading model used by the application.
1567 If \fBmdb\fR is debugging a user process target and the target makes use of
1568 compiler-supported thread-local storage, \fBmdb\fR automatically evaluates
1569 symbol names referring to thread-local storage to the address of the storage
1570 corresponding to the current representative thread. The \fB::tls\fR built-in
1571 dcmd can be used to display the value of the symbol for threads other than the
1572 representative thread.
1573 .SS "Built-in dcmds"
1575 \fBmdb\fR provides a set of built-in dcmds that are always defined. Some of
1576 these dcmds are only applicable to certain targets: if a dcmd is not applicable
1577 to the current target, it fails and prints a message indicating "command is not
1578 supported by current target". In many cases, \fBmdb\fR provides a mnemonic
1579 equivalent (\fB::identifier\fR) for the legacy \fBadb\fR(1) dcmd names. For
1580 example, \fB::quit\fR is provided as the equivalent of \fB$q\fR. Programmers
1581 who are experienced with \fBadb\fR(1) or who appreciate brevity or arcana can
1582 prefer the \fB$\fR or \fB:\fR forms of the built-ins. Programmers who are new
1583 to \fBmdb\fR might prefer the more verbose \fB::\fR form. The built-ins are
1584 shown in alphabetical order. If a \fB$\fR or \fB:\fR form has a
1585 \fB::identifier\fR equivalent, it is shown underneath the \fB::identifier\fR
1586 form. The built-in dcmds are:
1590 \fB> \fIvariable-name\fR\fR
1594 \fB\fB>\fR/\fImodifier\fR/\fIvariable-name\fR\fR
1598 Assign the value of dot to the specified named variable. Some variables are
1599 read-only and can not be modified. If the \fB>\fR is followed by a modifier
1600 character surrounded by \fB/ /\fR, then the value is modified as part of the
1601 assignment. The modifier characters are:
1608 unsigned char quantity (1-byte)
1617 unsigned short quantity (2-byte)
1626 unsigned int quantity (4-byte)
1635 unsigned long quantity (4-byte in 32-bit, 8-byte in 64-bit)
1638 Notice that these operators do not perform a cast. Instead, they fetch the
1639 specified number of low-order bytes (on little-endian architectures) or
1640 high-order bytes (big-endian architectures). Modifiers are provided for
1641 backwards compatibility; the \fBmdb\fR */\fImodifier\fR/ and %/\fImodifier\fR/
1642 syntax should be used instead.
1648 \fB\fB$<\fR \fImacro-name\fR\fR
1652 Read and execute commands from the specified macro file. The filename can be
1653 given as an absolute or relative path. If the filename is a simple name (that
1654 is, if it does not contain a '\fB/\fR'), \fBmdb\fR searches for it in the macro
1655 file include path. If another macro file is currently being processed, this
1656 file is closed and replaced with the new file.
1662 \fB\fB$<<\fR \fImacro-name\fR\fR
1666 Read and execute commands from the specified macro file (as with \fB$<\fR), but
1667 do not close the current open macro file.
1677 Print the process-\fBID\fR and current signal of the target if it is a user
1678 process or core file, and then print the general register set of the
1679 representative thread.
1685 \fB[ \fIaddress\fR ] \fB$C\fR [ \fIcount\fR ]\fR
1689 Print a C stack backtrace, including stack frame pointer information. If the
1690 dcmd is preceded by an explicit \fIaddress\fR, a backtrace beginning at this
1691 virtual memory address is displayed. Otherwise the stack of the representative
1692 thread is displayed. If an optional count value is given as an argument, no
1693 more than \fIcount\fR arguments are displayed for each stack frame in the
1700 \fB[ \fIbase\fR ] \fB$d\fR\fR
1704 Get or set the default output radix. If the dcmd is preceded by an explicit
1705 expression, the default output radix is set to the given \fIbase\fR; otherwise
1706 the current radix is printed in base 10 (decimal). The default radix is base 16
1717 Print a list of all known external (global) symbols of type object or function,
1718 the value of the symbol, and the first 4 (32-bit \fBmdb\fR) or 8 (64-bit
1719 \fBmdb\fR) bytes stored at this location in the target's virtual address space.
1720 The \fB::nm\fR dcmd provides more flexible options for displaying symbol
1727 \fB\fB$P\fR \fIprompt-string\fR\fR
1731 Set the prompt to the specified \fIprompt-string\fR. The default prompt
1732 is '\fB>\fR '. The prompt can also be set using \fB::set\fR \fB-P\fR or the
1733 \fB-P\fR command-line option.
1739 \fB\fIdistance\fR \fB$s\fR\fR
1743 Get or set the symbol matching \fIdistance\fR for address-to-symbol-name
1744 conversions. The symbol matching distance modes are discussed along with the
1745 \fB-s\fR command-line option under OPTIONS. The symbol matching distance can
1746 also be modified using the \fB::set\fR \fB-s\fR option. If no distance is
1747 specified, the current setting is displayed.
1757 Print a list of the named variables that have non-zero values. The \fB::vars\fR
1758 dcmd provides other options for listing variables.
1764 \fB\fIwidth\fR \fB$w\fR\fR
1768 Set the output page \fIwidth\fR to the specified value. Typically, this command
1769 is not necessary as \fBmdb\fR queries the terminal for its width and handles
1780 Re-open the target for writing, as if \fBmdb\fR had been executed with the
1781 \fB-w\fR option on the command line. Write mode can also be enabled with the
1782 \fB::set\fR \fB-w\fR option.
1788 \fB[ \fIpid\fR ] \fB::attach \fR [ \fIcore\fR | \fIpid\fR ]\fR
1792 \fB[ \fIpid\fR ] \fB:A\fR [ \fI core\fR | \fIpid\fR ]\fR
1796 If the user process target is active, attach to and debug the specified
1797 process-\fBID\fR or \fIcore\fR file. The core file pathname should be specified
1798 as a string argument. The process-\fBID\fR can be specified as the string
1799 argument, or as the value of the expression preceding the dcmd. Recall that the
1800 default base is hexadecimal, so decimal \fBPID\fRs obtained using
1801 \fBpgrep\fR(1) or \fBps\fR(1) should be preceded with "\fB0t\fR" when specified
1808 \fB[\fIaddress\fR] \fB::bp\fR [\fB-/\fR\fB-dDesT\fR] [\fB-c\fR \fIcmd\fR]
1809 [\fB-n\fR \fIcount\fR] \fIsym\fR ...\fR
1813 \fB\fIaddress\fR \fB:b\fR [\fIcmd\fR ...]\fR
1817 Set a breakpoint at the specified locations. The \fB::bp\fR dcmd sets a
1818 breakpoint at each address or symbol specified, including an optional address
1819 specified by an explicit expression preceding the dcmd, and each string or
1820 immediate value following the dcmd. The arguments can either be symbol names or
1821 immediate values denoting a particular virtual address of interest. If a symbol
1822 name is specified, it can refer to a symbol that cannot yet be evaluated in the
1823 target process. That is, it can consist of an object name and function name in
1824 a load object that has not yet been opened. In this case, the breakpoint is
1825 deferred and is not active in the target until an object matching the given
1826 name is loaded. The breakpoint is automatically enabled when the load object is
1827 opened. Breakpoints on symbols defined in a shared library should always be set
1828 using a symbol name and not using an address expression, as the address can
1829 refer to the corresponding Procedure Linkage Table (\fBPLT\fR) entry instead of
1830 the actual symbol definition. Breakpoints set on \fBPLT\fR entries can be
1831 overwritten by the run-time link-editor when the \fBPLT\fR entry is
1832 subsequently resolved to the actual symbol definition. The \fB-d\fR, \fB-D\fR,
1833 \fB-e\fR, \fB-s\fR, \fB-t\fR, \fB-T\fR, \fB-c\fR, and \fB-n\fR options have the
1834 same meaning as they do for the \fB::evset\fR dcmd, as described below. If the
1835 \fB:b\fR form of the dcmd is used, a breakpoint is only set at the virtual
1836 address specified by the expression preceding the dcmd. The arguments following
1837 the \fB:b\fR dcmd are concatenated together to form the callback string. If
1838 this string contains meta-characters, it must be quoted.
1844 \fB\fB::cat\fR \fIfilename\fR ...\fR
1848 Concatenate and display files. Each filename can be specified as a relative or
1849 absolute pathname. The file contents are printed to standard output, but are
1850 not passed to the output pager. This dcmd is intended to be used with the
1851 \fB|\fR operator; the programmer can initiate a pipeline using a list of
1852 addresses stored in an external file.
1858 \fB\fB::cont\fR [ \fISIG\fR ]\fR
1862 \fB\fB:c\fR [ \fISIG\fR ]\fR
1866 Suspend the debugger, continue the target program, and wait for it to terminate
1867 or stop following a software event of interest. If the target is already
1868 running because the debugger was attached to a running program with the
1869 \fB-o\fR \fBnostop\fR option enabled, this dcmd simply waits for the target to
1870 terminate or stop after an event of interest. If an optional signal name or
1871 number (see \fBsignal.h\fR(3HEAD)) is specified as an argument, the signal is
1872 immediately delivered to the target as part of resuming its execution. If the
1873 \fBSIGINT\fR signal is traced, control can be asynchronously returned to the
1874 debugger by typing the user-defined interrupt character (usually \fB^C\fR).
1875 This \fBSIGINT\fR signal is automatically cleared and is not observed by the
1876 target the next time it is continued. If no target program is currently
1877 running, \fB::cont\fR starts a new program running as if by \fB::run\fR.
1883 \fB\fIaddress\fR \fB::context\fR\fR
1887 \fB\fIaddress\fR \fB$p\fR\fR
1891 Context switch to the specified process. A context switch operation is only
1892 valid when using the kernel target. The process context is specified using the
1893 \fIaddress\fR of its proc structure in the kernel's virtual address space. The
1894 special context address "\fB0\fR" is used to denote the context of the kernel
1895 itself. \fBmdb\fR can only perform a context switch when examining a crash dump
1896 if the dump contains the physical memory pages of the specified user process
1897 (as opposed to just kernel pages). The kernel crash dump facility can be
1898 configured to dump all pages or the pages of the current user process using
1899 \fBdumpadm\fR(1M). The \fB::status\fR dcmd can be used to display the contents
1900 of the current crash dump.
1902 When the user requests a context switch from the kernel target, \fBmdb\fR
1903 constructs a new target representing the specified user process. Once the
1904 switch occurs, the new target interposes its dcmds at the global level: thus
1905 the \fB/\fR dcmd now formats and displays data from the virtual address space
1906 of the user process, the \fB::mappings\fR dcmd displays the mappings in the
1907 address space of the user process, and so on. The kernel target can be restored
1908 by executing \fB0::context\fR.
1918 List the available dcmds and print a brief description for each one.
1924 \fB[ \fIaddress\fR ] \fB::delete\fR [ \fIid\fR | \fBall\fR ]\fR
1928 \fB[ \fIaddress\fR ] \fB:d\fR [ \fIid\fR | \fBall\fR ]\fR
1932 Delete the event specifiers with the given id number. The id number argument is
1933 interpreted in decimal by default. If an optional address is specified
1934 preceding the dcmd, all event specifiers that are associated with the given
1935 virtual address are deleted (for example, all breakpoints or watchpoints
1936 affecting that address). If the special argument "\fBall\fR" is given, all
1937 event specifiers are deleted, except those that are marked sticky (\fBT\fR
1938 flag). The \fB::events\fR dcmd displays the current list of event specifiers.
1944 \fB[ \fIaddress\fR ] \fB::dis\fR [ \fB-fw\fR ] [ \fB-n\fR \fIcount\fR ] [
1949 Disassemble starting at or around the \fIaddress\fR specified by the final
1950 argument, or the current value of dot. If the address matches the start of a
1951 known function, the entire function is disassembled. Otherwise, a "window" of
1952 instructions before and after the specified address is printed in order to
1953 provide context. By default, instructions are read from the target's virtual
1954 address space. If the \fB-f\fR option is present, instructions are read from
1955 the target's object file instead. The \fB-f\fR option is enabled by default if
1956 the debugger is not currently attached to a live process, core file, or crash
1957 dump. The \fB-w\fR option can be used to force "window"-mode, even if the
1958 address is the start of a known function. The size of the window defaults to
1959 ten instructions; the number of instructions can be specified explicitly using
1960 the \fB-n\fR option.
1966 \fB\fB::disasms\fR\fR
1970 List the available disassembler modes. When a target is initialized, \fBmdb\fR
1971 attempts to select the appropriate disassembler mode. The user can change the
1972 mode to any of the modes listed using the \fB::dismode\fR dcmd.
1978 \fB\fB::dismode\fR [ \fImode\fR ]\fR
1982 \fB\fB$V\fR [ \fImode\fR ] \fR
1986 Get or set the disassembler mode. If no argument is specified, print the
1987 current disassembler mode. If a \fImode\fR argument is specified, switch the
1988 disassembler to the specified mode. The list of available disassemblers can be
1989 displayed using the \fB::disasms\fR dcmd.
1995 \fB\fB::dmods\fR [ \fB-l\fR ] [ \fImodule-name\fR ]\fR
1999 List the loaded debugger modules. If the \fB-l\fR option is specified, the list
2000 of the dcmds and walkers associated with each dmod is printed below its name.
2001 The output can be restricted to a particular dmod by specifying its name as an
2002 additional argument.
2008 \fB[ \fIaddress\fR ] \fB::dump\fR [ \fB-eqrstu\fR ] [ \fB-f\fR|\fB-p\fR ]\fR
2012 \fB#sp;#sp;[ \fB-g\fR \fIbytes\fR ] [ \fB-w\fR \fIparagraphs\fR ]\fR
2016 Print a hexadecimal and ASCII memory dump of the 16-byte aligned region of
2017 memory containing the address specified by dot. If a repeat count is specified
2018 for \fB::dump\fR, this is interpreted as a number of bytes to dump rather than
2019 a number of iterations. The \fB::dump\fR dcmd also recognizes the following
2027 Adjusts for endian-ness. The \fB-e\fR option assumes 4-byte words. The \fB-g\fR
2028 option can be used to change the default word size.
2037 Reads data from the object file location corresponding to the given virtual
2038 address instead of from the target's virtual address space. The \fB-f\fR option
2039 is enabled by default if the debugger is not currently attached to a live
2040 process, core file, or crash dump.
2046 \fB\fB-g\fR \fIbytes\fR\fR
2049 Displays bytes in groups of \fIbytes\fR. The default group size is 4 bytes. The
2050 group size must be a power of two that divides the line width.
2059 Interprets \fIaddress\fR as a physical address location in the target's address
2060 space instead of a virtual address.
2069 Does not print an ASCII decoding of the data.
2078 Numbers lines relative to the start address instead of with the explicit
2079 address of each line. This option implies the \fB-u\fR option.
2088 Elides repeated lines.
2097 Only reads from and displays the contents of the specified addresses, instead
2098 of reading and printing entire lines.
2107 Unaligns output instead of aligning the output at a paragraph boundary.
2113 \fB\fB-w\fR \fIparagraphs\fR\fR
2116 Displays paragraphs at 16-byte paragraphs per line. The default number of
2117 \fIparagraphs\fR is one. The maximum value accepted for \fB-w\fR is \fB16\fR.
2125 \fB\fB::echo\fR [ \fIstring\fR | \fIvalue\fR ...]\fR
2129 Print the arguments separated by blanks and terminated by a \fINEWLINE\fR to
2130 standard output. Expressions enclosed in \fB$[ ]\fR is evaluated to a value
2131 and printed in the default base.
2137 \fB\fB::eval\fR \fIcommand\fR\fR
2141 Evaluate and execute the specified string as a command. If the command contains
2142 metacharacters or whitespace, it should be enclosed in double or single quotes.
2148 \fB\fB::events\fR [ \fB-av\fR ]\fR
2152 \fB\fB$b\fR [ \fB-av\fR ]\fR
2156 Display the list of software event specifiers. Each event specifier is assigned
2157 a unique \fBID\fR number that can be used to delete or modify it at a later
2158 time. The debugger can also have its own internal events enabled for tracing.
2159 These events are only be displayed if the \fB-a\fR option is present. If the
2160 \fB-v\fR option is present, a more verbose display, including the reason for
2161 any specifier inactivity, are shown. Here is some sample output:
2166 ID S TA HT LM Description Action
2167 ----- - -- -- -- -------------------------------- ------
2168 [ 1 ] - T 1 0 stop on SIGINT -
2169 [ 2 ] - T 0 0 stop on SIGQUIT -
2170 [ 3 ] - T 0 0 stop on SIGILL -
2172 [ 11] - T 0 0 stop on SIGXCPU -
2173 [ 12] - T 0 0 stop on SIGXFSZ -
2174 [ 13] - 2 0 stop at libc`printf ::echo printf
2180 The following table explains the meaning of each column. A summary of this
2181 information is available using \fB::help\fR \fBevents\fR.
2188 The event specifier identifier. The identifier is shown in square brackets \fB[
2189 ]\fR if the specifier is enabled, in parentheses \fB( )\fR if the specifier is
2190 disabled, or in angle brackets \fB< >\fR if the target program is currently
2191 stopped on an event that matches the given specifier.
2200 The event specifier state. The state is one of the following symbols:
2207 The event specifier is idle. When no target program is running, all specifiers
2208 are idle. When the target program is running, a specifier can be idle if it
2209 cannot be evaluated (for example, a deferred breakpoint in a shared object that
2219 The event specifier is active. When the target is continued, events of this
2220 type is detected by the debugger.
2229 The event specifier is armed. This state means that the target is currently
2230 running with instrumentation for this type of event. This state is only visible
2231 if the debugger is attached to a running program with the \fB-o\fR \fBnostop\fR
2241 The event specifier was not armed due to an operating system error. The
2242 \fB::events\fR \fB-v\fR option can be used to display more information about
2243 the reason the instrumentation failed.
2254 The Temporary, Sticky, and Automatic event specifier properties. One or more of
2255 the following symbols can be shown:
2262 The event specifier is temporary, and is deleted the next time the target
2263 stops, regardless of whether it is matched.
2272 The event specifier is sticky, and is not be deleted by \fB::delete\fR
2273 \fBall\fR or \fB:z\fR. The specifier can be deleted by explicitly specifying
2274 its id number to \fB::delete\fR.
2283 The event specifier is automatically disabled when the hit count is equal to
2293 The event specifier is automatically deleted when the hit count is equal to the
2303 The target automatically stops when the hit count is equal to the hit limit.
2314 The current hit count. This column displays the number of times the
2315 corresponding software event has occurred in the target since the creation of
2316 this event specifier.
2325 The current hit limit. This column displays the limit on the hit count at which
2326 the auto-disable, auto-delete, or auto-stop behavior takes effect. These
2327 behaviors can be configured using the \fB::evset\fR dcmd, described below.
2333 \fB\fBDescription\fR\fR
2336 A description of the type of software event that is matched by the given
2346 The callback string to execute when the corresponding software event occurs.
2347 This callback is executed as if it had been typed at the command prompt.
2355 \fB[\fIid\fR] \fB::evset\fR [\fB-/\fR\fB-dDestT\fR] [\fB-c\fR \fIcmd\fR]
2356 [\fB-n\fR \fIcount\fR] \fIid\fR ...\fR
2360 Modify the properties of one or more software event specifiers. The properties
2361 are set for each specifier identified by the optional expression preceding the
2362 dcmd and an optional list of arguments following the dcmd. The argument list is
2363 interpreted as a list of decimal integers, unless an explicit radix is
2364 specified. The \fB::evset\fR dcmd recognizes the following options:
2371 Disables the event specifier when the hit count reaches the hit limit. If the
2372 \fB-d\fR form of the option is given, this behavior is disabled. Once an event
2373 specifier is disabled, the debugger removes any corresponding instrumentation
2374 and ignores the corresponding software events until the specifier is
2375 subsequently re-enabled. If the \fB-n\fR option is not present, the specifier
2376 is disabled immediately.
2385 Deletes the event specifier when the hit count reaches the hit limit. If the
2386 \fB-D\fR form of the option is given, this behavior is disabled. The \fB-D\fR
2387 option takes precedence over the \fB-d\fR option. The hit limit can be
2388 configured using the \fB-n\fR option.
2397 Enables the event specifier. If the \fB-e\fR form of the option is given, the
2398 specifier is disabled.
2407 Stops the target program when the hit count reaches the hit limit. If the
2408 \fB-s\fR form of the option is given, this behavior is disabled. The \fB-s\fR
2409 behavior tells the debugger to act as if the \fB::cont\fR were issued following
2410 each execution of the specifier's callback, except for the \fIN\fRth execution,
2411 where \fIN\fR is the current value of the specifier's hit limit. The \fB-s\fR
2412 option takes precedence over both the \fB-D\fR option and the \fB-d\fR option.
2421 Marks the event specifier as temporary. Temporary specifiers are automatically
2422 deleted the next time the target stops, regardless of whether it stopped as the
2423 result of a software event corresponding to the given specifier. If the
2424 \fB-t\fR form of the option is given, the temporary marker is removed. The
2425 \fB-t\fR option takes precedence over the \fB-T\fR option.
2434 Marks the event specifier as sticky. Sticky specifiers are not deleted by
2435 \fB::delete\fR \fBall\fR or \fB:z.\fR They can be deleted by specifying the
2436 corresponding specifier \fBID\fR as an explicit argument to \fB::delete\fR. If
2437 the \fB-T\fR form of the option is given, the sticky property is removed. The
2438 default set of event specifiers are all initially marked sticky.
2447 Executes the specified \fIcmd\fR string each time the corresponding software
2448 event occurs in the target program. The current callback string can be
2449 displayed using \fB::events\fR.
2458 Sets the current value of the hit limit to \fIcount\fR. If no hit limit is
2459 currently set and the \fB-n\fR option does not accompany \fB-s\fR or D, the hit
2460 limit is set to one.
2463 A summary of this information is available using \fB::help\fR \fBevset\fR.
2477 Print a list of the known source files (symbols of type \fISTT_FILE\fR present
2478 in the various target symbol tables).
2484 \fB[\fIflt\fR] \fB::fltbp\fR [\fB-/\fR\fB-dDestT\fR] [\fB-c\fR \fIcmd\fR]
2485 [\fB-n\fR \fIcount\fR] \fIflt\fR ...\fR
2489 Trace the specified machine faults. The faults are identified using an optional
2490 fault number preceding the dcmd, or a list of fault names or numbers (see
2491 \fB<sys/fault.h>\fR) following the dcmd. The \fB-d\fR, \fB-D\fR, \fB-e\fR,
2492 \fB-s\fR, \fB-t\fR, \fB-T\fR, \fB-c\fR, and \fB-n\fR options have the same
2493 meaning as they do for the \fB::evset\fR dcmd.
2499 \fB[ \fB\fIthread\fR\fR ] \fB::fpregs\fR\fR
2503 \fB[ \fB\fIthread\fR\fR ] \fB$x\fR, \fB$X\fR, \fB$y\fR, \fB$Y\fR\fR
2507 Print the floating-point register set of the representative thread. If a thread
2508 is specified, the floating point registers of that thread are displayed. The
2509 thread expression should be one of the thread identifiers described under
2510 \fBThread Support\fR, above.
2516 \fB\fB::formats\fR\fR
2520 List the available output format characters for use with the \fB/\fR, \fB\e\fR,
2521 \fB?\fR, and \fB=\fR formatting dcmds. The formats and their use is described
2522 under \fBFormatting dcmds\fR, above.
2528 \fB\fB::grep\fR \fIcommand\fR\fR
2532 Evaluate the specified command string, and then print the old value of dot if
2533 the new value of dot is non-zero. If the \fIcommand\fR contains whitespace or
2534 metacharacters, it must be quoted. The \fB::grep\fR dcmd can be used in
2535 pipelines to filter a list of addresses.
2541 \fB\fB::help\fR [ \fIdcmd-name\fR ]\fR
2545 With no arguments, the \fB::help\fR dcmd prints a brief overview of the help
2546 facilities available in \fBmdb\fR. If a \fIdcmd-name\fR is specified, \fBmdb\fR
2547 prints a usage summary for that dcmd.
2553 \fB\fIsignal\fR \fB:i\fR\fR
2557 If the target is a live user process, ignore the specified signal and allow it
2558 to be delivered transparently to the target. All event specifiers that are
2559 tracing delivery of the specified signal is deleted from the list of traced
2560 events. By default, the set of ignored signals is initialized to the complement
2561 of the set of signals that cause a process to dump core by default (see
2562 \fBsignal.h\fR(3HEAD)), except for \fBSIGINT\fR, which is traced by default.
2572 Display the list of signals that are ignored by the debugger and that is
2573 handled directly by the target. More information on traced signals can be
2574 obtained using the \fB::events\fR dcmd.
2588 Forcibly terminate the target if it is a live user process. The target is also
2589 forcibly terminated when the debugger exits if it was created by the debugger
2600 Print the \fBLWPID\fR of the representative thread, if the target is a user
2611 Print the \fBLWPID\fRs of each \fBLWP\fR in the target, if the target is a user
2618 \fB[ \fIaddress\fR ] \fB::list\fR \fItype\fR \fImember\fR [ \fIvariable-name\fR
2623 Walk through the elements of a linked list data structure and print the address
2624 of each element in the list. The address of the first element in the list can
2625 be specified using an optional address. Otherwise, the list is assumed to start
2626 at the current value of dot. The type parameter must name a C struct or union
2627 type and is used to describe the type of the list elements so that \fBmdb\fR
2628 can read in objects of the appropriate size. The member parameter is used to
2629 name the \fImember\fR of \fItype\fR that contains a pointer to the next list
2630 element. The \fB::list\fR dcmd continues iterating until a \fBNULL\fR pointer
2631 is encountered, the first element is reached again (a circular list), or an
2632 error occurs while reading an element. If the optional \fIvariable-name\fR is
2633 specified, the specified variable is assigned the value returned at each step
2634 of the walk when \fBmdb\fR invokes the next stage of a pipeline. The
2635 \fB::list\fR dcmd can only be used with objects that contain symbolic debugging
2636 information designed for use with mdb. Refer to NOTES, \fBSymbolic Debugging
2637 Information\fR, below for more information.
2643 \fB\fB::load\fR [ \fB-s\fR ] \fImodule-name\fR\fR
2647 Load the specified dmod. The module name can be given as an absolute or
2648 relative path. If \fImodule-name\fR is a simple name (that is, does not contain
2649 a '\fB/\fR'), \fBmdb\fR searches for it in the module library path. Modules
2650 with conflicting names can not be loaded; the existing module must be unloaded
2651 first. If the \fB-s\fR option is present, \fBmdb\fR remains silent and not
2652 issue any error messages if the module is not found or could not be loaded.
2658 \fB\fB::log\fR [ \fB-d\fR | [ \fB-e\fR ] \fIfilename\fR ]\fR
2662 \fB\fB$>\fR [ \fIfilename\fR ]\fR
2666 Enable or disable the output log. \fBmdb\fR provides an interactive logging
2667 facility where both the input commands and standard output can be logged to a
2668 file while still interacting with the user. The \fB-e\fR option enables logging
2669 to the specified file, or re-enables logging to the previous log file if no
2670 filename is given. The \fB-d\fR option disables logging. If the \fB$>\fR dcmd
2671 is used, logging is enabled if a filename argument is specified; otherwise,
2672 logging is disabled. If the specified log file already exists, \fBmdb\fR
2673 appends any new log output to the file.
2679 \fB\fB::map\fR \fIcommand\fR\fR
2683 Map the value of dot to a corresponding value using the \fIcommand\fR specified
2684 as a string argument, and then print the new value of dot. If the command
2685 contains whitespace or metacharacters, it must be quoted. The \fB::map\fR dcmd
2686 can be used in pipelines to transform the list of addresses into a new list of
2693 \fB[ \fIaddress\fR ] \fB::mappings\fR [ \fIname\fR ]\fR
2697 \fB[ \fI address\fR ] \fB$m\fR [ \fIname\fR ]\fR
2701 Print a list of each mapping in the target's virtual address space, including
2702 the address, size, and description of each mapping. If the dcmd is preceded by
2703 an \fIaddress\fR, \fBmdb\fR only shows the mapping that contains the given
2704 address. If a string \fIname\fR argument is given, \fBmdb\fR only shows the
2705 mapping matching that description.
2711 \fB\fB::next\fR [ \fISIG\fR ]\fR
2715 \fB\fB:e\fR [ \fISIG\fR ]\fR
2719 Step the target program one instruction, but step over subroutine calls. If an
2720 optional signal name or number (see \fBsignal.h\fR(3HEAD)) is specified as an
2721 argument, the signal is immediately delivered to the target as part of resuming
2722 its execution. If no target program is currently running, \fB::next\fR starts a
2723 new program running as if by \fB::run\fR and stop at the first instruction.
2729 \fB[ \fIaddress\fR ] \fB::nm\fR [ \fB-DPdghnopuvx\fR ] [ \fB-t\fR \fItypes\fR
2734 \fB#sp;#sp;[ \fB-f\fR \fIformat\fR ] [ \fIobject\fR ]\fR
2738 Print the symbol tables associated with the current target. If an optional
2739 address preceding the dcmd is specified, only the symbol table entry for the
2740 symbol corresponding to \fIaddress\fR is displayed. If an \fIobject\fR is
2741 specified, only the symbol table for this load object is displayed. The
2742 \fB::nm\fR dcmd also recognizes the following options:
2749 Prints \fB\&.dynsym\fR (dynamic symbol table) instead of \fB\&.symtab\fR.
2758 Prints the private symbol table instead of \fB\&.symtab\fR.
2767 Prints value and size fields in decimal.
2776 Prints only global symbols.
2785 Suppresses the header line.
2794 Sorts symbols by name.
2803 Prints value and size fields in octal.
2812 Prints symbols as a series of \fB::nmadd\fR commands. This option can be used
2813 with \fB-P\fR to produce a macro file that can be subsequently read into the
2814 debugger with \fB$<\fR.
2823 Prints only undefined symbols.
2832 Sorts symbols by value.
2841 Prints value and size fields in hexadecimal.
2847 \fB\fB-t\fR \fItype\fR[,\fItype\fR ... ]\fR
2850 Prints only symbols of the specified type(s). The valid \fItype\fR argument
2921 \fISTT_SPARC_REGISTER\fR
2929 \fB\fB-f\fR \fIformat\fR[,\fIformat\fR ... ]\fR
2932 Prints only the specified symbol information. The valid \fIformat\fR argument
3012 C type for symbol (if known)
3021 object which defines symbol
3031 \fB\fIvalue\fR \fB::nmadd\fR [ \fB-fo\fR ] [ \fB-e\fR \fIend\fR ] [ \fB-s\fR
3032 \fIsize\fR ] \fIname \fR\fR
3036 Add the specified symbol \fIname\fR to the private symbol table. \fBmdb\fR
3037 provides a private, configurable symbol table that can be used to interpose on
3038 the target's symbol table, as described under \fBSymbol Name Resolution\fR
3039 above. The \fB::nmadd\fR dcmd also recognizes the following options:
3046 Sets the size of the symbol to \fIend\fR - \fIvalue\fR.
3055 Sets the type of the symbol to \fBSTT_FUNC\fR.
3064 Sets the type of the symbol to \fBSTT_OBJECT\fR.
3073 Sets the size of the symbol to \fIsize\fR.
3081 \fB\fB::nmdel\fR \fIname\fR\fR
3085 Delete the specified symbol \fIname\fR from the private symbol table.
3091 \fB\fB::objects\fR [ \fB-v\fR ]\fR
3095 Print a map of the target's virtual address space, showing only those mappings
3096 that correspond to the primary mapping (usually the text section) of each of
3097 the known load objects. The \fB-v\fR option displays the version of each load
3098 object. Version information is not available for all load objects. Load objects
3099 without version information is listed as having a version of "\fBUnknown\fR" in
3100 the output for the \fB-v\fR option.
3106 \fB\fB::offsetof\fR \fItype member\fR\fR
3110 Print the offset of the specified \fImember\fR of the specified \fItype\fR. The
3111 \fItype\fR should be the name of a C structure. The offset is printed in bytes,
3112 unless the member is a bit-field, in which case the offset can be printed in
3113 bits. The output is always suffixed with the appropriate units for clarity. The
3114 type name can use the backquote (\fB`\fR) scoping operator described under
3115 \fBSymbol Name Resolution\fR, above. The \fB::offsetof\fR dcmd can only be used
3116 with objects that contain symbolic debugging information designed for use with
3117 \fBmdb\fR. Refer to NOTES, \fBSymbolic Debugging Information\fR, below for more
3124 \fB\fIaddress\fR \fB::print\fR [ \fB-aCdiLptx\fR ] [ \fB-c\fR \fIlim\fR ]\fR
3128 \fB#sp;#sp;[ \fB-l\fR \fIlim\fR ] [ \fItype\fR [ \fImember\fR ... ] ]\fR
3132 Print the data structure at the specified virtual \fIaddress\fR using the given
3133 \fItype\fR information. The \fItype\fR parameter can name a C struct, union,
3134 enum, fundamental integer type, or a pointer to any of these types. If the type
3135 name contains whitespace (for example, "\fBstruct foo\fR"), it must be enclosed
3136 in single or double quotes. The type name can use the backquote (\fB`\fR)
3137 scoping operator described under \fBSymbol Name Resolution\fR, above. If the
3138 type is a structured type, the \fB::print\fR dcmd recursively prints each
3139 member of the struct or union. If the \fItype\fR argument is not present and a
3140 static or global \fISTT_OBJECT\fR symbol matches the address, \fB::print\fR
3141 infers the appropriate type automatically. If the \fItype\fR argument is
3142 specified, it can be followed by an optional list of \fImember\fR expressions,
3143 in which case only those members and submembers of the specified \fItype\fR are
3144 displayed. If \fItype\fR contains other structured types, each member string
3145 can refer to a sub-structure element by forming a list of member names
3146 separated by period ('\fB\&.\fR') delimiters. The \fB::print\fR dcmd can only
3147 be used with objects that contain symbolic debugging information designed for
3148 use with \fBmdb\fR. Refer to NOTES, \fBSymbolic Debugging Information\fR, below
3149 for more information. After displaying the data structure, \fB::print\fR
3150 increments dot by the size of \fItype\fR in bytes.
3152 If the \fB-a\fR option is present, the address of each member is displayed. If
3153 the \fB-p\fR option is present, \fB::print\fR interprets \fIaddress\fR as a
3154 physical memory address instead of a virtual memory address. If the \fB-t\fR
3155 option is present, the type of each member is displayed. If the \fB-d\fR or
3156 \fB-x\fR options are present, all integers are displayed in decimal (\fB-d\fR)
3157 or hexadecimal (\fB-x\fR). By default, a heuristic is used to determine if the
3158 value should be displayed in decimal or hexadecimal. The number of characters
3159 in a character array that is read and displayed as a string can be limited with
3160 the \fB-c\fR option. If the \fB-C\fR option is present, no limit is enforced.
3161 The number of elements in a standard array that is read and displayed can be
3162 limited with the \fB-l\fR option. If the \fB-L\fR option is present, no limit
3163 is enforced and all array elements are shown. The default values for \fB-c\fR
3164 and \fB-l\fR can be modified using \fB::set\fR or the \fB-o\fR command-line
3165 option as described under OPTIONS.
3167 If the \fB-i\fR option is specified, the address value is interpreted as an
3168 immediate value to be printed. You must give a type with which to interpret the
3169 value. If the type is smaller than 64 bits, the immediate value is interpreted
3170 as if it were the size of the type. The \fB-i\fR option cannot be used in
3171 conjunction with the \fB-p\fR option. If the \fB-a\fR option is given, the
3172 addresses shown are byte offsets starting at zero.
3192 \fB[ \fIthread\fR ] \fB::regs\fR\fR
3196 \fB[ \fIthread\fR ] \fB$r\fR\fR
3200 Print the general purpose register set of the representative thread. If a
3201 thread is specified, the general purpose register set of that thread is
3202 displayed. The thread expression should be one of the thread identifiers
3203 described under \fBThread Support\fR, above.
3209 \fB\fB::release\fR [ \fB-a\fR ]\fR
3213 \fB\fB:R\fR [ \fB-a\fR ]\fR
3217 Release the previously attached process or core file. If the \fB-a\fR option is
3218 present, the process is released and left stopped and abandoned. It can
3219 subsequently be continued by \fBprun\fR(1) (see \fBproc\fR(1)) or it can be
3220 resumed by applying \fBmdb\fR or another debugger. By default, a released
3221 process is forcibly terminated if it was created by \fBmdb\fR using
3222 \fB::run\fR, or it is released and set running if it was attached to by
3223 \fBmdb\fR using the \fB-p\fR option or using the \fB::attach\fR or \fB:A\fR
3230 \fB\fB::run\fR [ \fIargs\fR . . . ]\fR
3234 \fB\fB:r\fR [ \fIargs\fR . . . ]\fR
3238 Start a new target program running with the specified arguments and attach to
3239 it. The arguments are not interpreted by the shell. If the debugger is already
3240 examining a live running program, it first detaches from this program as if by
3247 \fB\fB::set\fR [ \fB-wF\fR ] [ \fB-/\fR\fB-o\fR \fIoption\fR ] [ \fB-s\fR
3248 \fIdistance\fR ] [ \fB-I\fR \fIpath\fR ]\fR
3252 \fB#sp;#sp;[ \fB-L\fR \fIpath\fR ] [ \fB-P\fR \fIprompt\fR ]\fR
3256 Get or set miscellaneous debugger properties. If no options are specified, the
3257 current set of debugger properties is displayed. The \fB::set\fR dcmd
3258 recognizes the following options:
3265 Forcibly takes over the next user process that \fB::attach\fR is applied to, as
3266 if \fBmdb\fR had been executed with the \fB-F\fR option on the command line.
3275 Sets the default path for locating macro files. The path argument can contain
3276 any of the special tokens described for the \fB-I\fR command-line option under
3286 Sets the default path for locating debugger modules. The path argument can
3287 contain any of the special tokens described for the \fB-I\fR command-line
3288 option under OPTIONS.
3297 Enables the specified debugger option. If the \fB-o\fR form is used, the option
3298 is disabled. The option strings are described along with the \fB-o\fR
3299 command-line option under OPTIONS.
3308 Sets the command prompt to the specified prompt string.
3317 Sets the symbol matching distance to the specified distance. Refer to the
3318 description of the \fB-s\fR command-line option under OPTIONS for more
3328 Re-opens the target for writing, as if \fBmdb\fR had been executed with the
3329 \fB-w\fR option on the command line.
3337 \fB\fB::showrev\fR [ \fB-pv\fR ]\fR
3341 Display revision information for the hardware and software. With no options
3342 specified, general system information is displayed. The \fB-v\fR option
3343 displays version information for all load objects, whereas the \fB-p\fR option
3344 displays the version information only for the load objects that have been
3345 installed on the system as part of a patch. Version information is not
3346 available for all load objects. Load objects without version information is
3347 omitted from the output for the \fB-p\fR option and is listed as having a
3348 version of "\fBUnknown\fR" in the output for the \fB-v\fR option.
3354 \fB[\fIsignal\fR] \fB::sigbp\fR [\fB-/\fR\fB-dDestT\fR] [\fB-c\fR \fIcmd\fR]
3355 [\fB-n\fR \fIcount\fR] \fISIG\fR ...\fR
3359 \fB[\fIsignal\fR] \fB:t\fR [\fB-/\fR\fB-dDestT\fR] [\fB-c\fR \fIcmd\fR]
3360 [\fB-n\fR \fIcount\fR] \fISIG\fR ...\fR
3364 Trace delivery of the specified signals. The signals are identified using an
3365 optional signal number preceding the dcmd, or a list of signal names or numbers
3366 (see \fBsignal.h\fR(3HEAD)) following the dcmd. The \fB-d\fR, \fB-D\fR,
3367 \fB-e\fR, \fB-s\fR, \fB-t\fR, \fB-T\fR, \fB-c\fR, and \fB-n\fR options have the
3368 same meaning as they do for the \fB::evset\fR dcmd. Initially, the set of
3369 signals that cause the process to dump core by default (see
3370 \fBsignal.h\fR(3HEAD)) and \fBSIGINT\fR are traced.
3376 \fB\fB::sizeof\fR \fItype\fR \fR
3380 Print the size of the specified \fItype\fR in bytes. The \fItype\fR parameter
3381 can name a C struct, union, enum, fundamental integer type, or a pointer to any
3382 of these types. The type name can use the backquote (\fB`\fR) scoping operator
3383 described under \fBSymbol Name Resolution\fR, above. The \fB::sizeof\fR dcmd
3384 can only be used with objects that contain symbolic debugging information
3385 designed for use with \fBmdb\fR. Refer to NOTES, \fBSymbolic Debugging
3386 Information\fR, below for more information.
3392 \fB[ \fIaddress\fR ] \fB::stack \fR [ \fIcount\fR ]\fR
3396 \fB[ \fI address\fR ] \fB$c\fR [ \fIcount\fR ]\fR
3400 Print a C stack backtrace. If the dcmd is preceded by an explicit
3401 \fIaddress\fR, a backtrace beginning at this virtual memory address is
3402 displayed. Otherwise the stack of the representative thread is displayed. If an
3403 optional count value is given as an argument, no more than \fIcount\fR
3404 arguments are displayed for each stack frame in the output.
3410 \fB\fB::status\fR\fR
3414 Print a summary of information related to the current target.
3420 \fB\fB::step\fR [ \fBover\fR | \fBout\fR ] [ \fISIG\fR ]\fR
3424 \fB\fB:s\fR [ \fISIG\fR ]\fR
3428 \fB\fB:u\fR [ \fISIG\fR ]\fR
3432 Step the target program one instruction. If an optional signal name or number
3433 (see \fBsignal.h\fR(3HEAD)) is specified as an argument, the signal is
3434 immediately delivered to the target as part of resuming its execution. If the
3435 optional "\fBover\fR" argument is specified, \fB::step\fR steps over subroutine
3436 calls. The \fB::step\fR \fBover\fR argument is the same as the \fB::next\fR
3437 dcmd. If the optional "\fBout\fR" argument is specified, the target program
3438 continues until the representative thread returns from the current function. If
3439 no target program is currently running, \fB::step\fR \fBout\fR starts a new
3440 program running as if by \fB::run\fR and stop at the first instruction. The
3441 \fB:s\fR dcmd is the same as \fB::step\fR. The \fB:u\fR dcmd is the same as
3442 \fB::step\fR \fBout\fR.
3448 \fB[ \fIsyscall\fR ] \fB::sysbp\fR [ \fB-/\fR\fB-dDestT\fR ] [ \fB-io\fR ] [
3449 \fB-c\fR \fIcmd\fR ]\fR
3453 \fB#sp;#sp;[ \fB-n\fR \fIcount\fR ] \fIsyscall\fR...\fR
3457 Trace entry to or exit from the specified system calls. The system calls are
3458 identified using an optional system call number preceding the dcmd, or a list
3459 of system call names or numbers (see \fB<sys/syscall.h>\fR) following the dcmd.
3460 If the \fB-i\fR option is specified (the default), the event specifiers trigger
3461 on entry into the kernel for each system call. If the \fB-o\fR option is
3462 specified, the event specifiers trigger on exit out from the kernel. The
3463 \fB-d\fR, \fB-D\fR, \fB-e\fR, \fB-s\fR, \fB-t\fR, \fB-T\fR, \fB-c\fR, and
3464 \fB-n\fR options have the same meaning as they do for the \fB::evset\fR dcmd.
3470 \fB\fIthread\fR \fB::tls\fR \fIsymbol\fR\fR
3474 Print the address of the storage for the specified thread-local storage
3475 (\fBTLS\fR) symbol in the context of the specified thread. The thread
3476 expression should be one of the thread identifiers described under \fBThread
3477 Support\fR, above. The symbol name can use any of the scoping operators
3478 described under \fBSymbol Name Resolution\fR, above.
3484 \fB\fB::typeset\fR [ \fB-/\fR\fB-t\fR] \fIvariable-name\fR . . .\fR
3488 Set attributes for named variables. If one or more variable names are
3489 specified, they are defined and set to the value of dot. If the \fB-t\fR option
3490 is present, the user-defined tag associated with each variable is set. If the
3491 \fB-t\fR option is present, the tag is cleared. If no variable names are
3492 specified, the list of variables and their values is printed.
3498 \fB\fB::unload\fR \fImodule-name\fR\fR
3502 Unload the specified dmod. The list of active dmods can be printed using the
3503 \fB::dmods\fR dcmd. Built-in modules can not be unloaded. Modules that are busy
3504 (that is, provide dcmds that are currently executing) can not be unloaded.
3510 \fB\fB::unset\fR \fIvariable-name\fR . . .\fR
3514 Unset (remove) the specified variable(s) from the list of defined variables.
3515 Some variables exported by \fBmdb\fR are marked as persistent, and can not be
3522 \fB\fB::vars\fR [ \fB-npt\fR] \fR
3526 Print a listing of named variables. If the \fB-n\fR option is present, the
3527 output is restricted to variables that currently have non-zero values. If the
3528 \fB-p\fR option is present, the variables are printed in a form suitable for
3529 re-processing by the debugger using the \fB$<\fR dcmd. This option can be used
3530 to record the variables to a macro file and then restore these values later. If
3531 the \fB-t\fR option is present, only the tagged variables are printed.
3532 Variables can be tagged using the \fB-t\fR option of the \fB::typeset\fR dcmd.
3538 \fB\fB::version\fR\fR
3542 Print the debugger version number.
3548 \fB\fIaddress\fR \fB::vtop\fR [\fB-a\fR \fIas\fR]\fR
3552 Print the physical address mapping for the specified virtual address, if
3553 possible. The \fB::vtop\fR dcmd is only available when examining a kernel
3554 target, or when examining a user process inside a kernel crash dump (after a
3555 \fB::context\fR dcmd has been issued).
3557 When examining a kernel target from the kernel context, the \fB-a\fR option can
3558 be used to specify the address (\fIas\fR) of an alternate address space
3559 structure that should be used for the virtual to physical translation. By
3560 default, the kernel's address space is used for translation. This option is
3561 available for active address spaces even when the dump content only contains
3568 \fB[ \fIaddress\fR ] \fB::walk\fR \fIwalker-name\fR [ \fIvariable-name\fR ]\fR
3572 Walk through the elements of a data structure using the specified walker. The
3573 available walkers can be listed using the \fB::walkers\fR dcmd. Some walkers
3574 operate on a global data structure and do not require a starting address. For
3575 example, walk the list of proc structures in the kernel. Other walkers operate
3576 on a specific data structure whose address must be specified explicitly. For
3577 example, given a pointer to an address space, walk the list of segments. When
3578 used interactively, the \fB::walk\fR dcmd prints the address of each element of
3579 the data structure in the default base. The dcmd can also be used to provide a
3580 list of addresses for a pipeline. The walker name can use the backquote
3581 (\fB`\fR) scoping operator described under \fBdcmd and Walker Name
3582 Resolution\fR, above. If the optional \fIvariable-name\fR is specified, the
3583 specified variable is assigned the value returned at each step of the walk when
3584 \fBmdb\fR invokes the next stage of the pipeline.
3590 \fB\fB::walkers\fR\fR
3594 List the available walkers and print a brief description for each one.
3600 \fB\fB::whence\fR [ \fB-v\fR ] \fIname\fR . . .\fR
3604 \fB\fB::which\fR [ \fB-v\fR ] \fIname\fR ...\fR
3608 Print the dmod that exports the specified dcmds and walkers. These dcmds can be
3609 used to determine which dmod is currently providing the global definition of
3610 the given dcmd or walker. Refer to the section on \fBdcmd and Walker Name
3611 Resolution\fR above for more information on global name resolution. The
3612 \fB-v\fR option causes the dcmd to print the alternate definitions of each dcmd
3613 and walker in order of precedence.
3619 \fB\fIaddr\fR [ ,\fIlen\fR ]\fB::wp\fR [ \fB-/\fR\fB-dDestT\fR ] [ \fB-rwx\fR
3620 ] [ \fB-c\fR \fIcmd\fR ]\fR
3624 \fB#sp;#sp; [ \fB-n\fR \fIcount\fR ]\fR
3628 \fB\fIaddr\fR [ ,\fIlen\fR ] \fB:a\fR [ \fIcmd\fR . . . ]\fR
3632 \fB\fIaddr\fR [ ,\fIlen\fR ] \fB:p\fR [ \fIcmd\fR . \&. . ]\fR
3636 \fB\fIaddr\fR [ ,\fIlen\fR ] \fB:w\fR [ \fIcmd\fR . . . ]\fR
3640 Set a watchpoint at the specified address. The length in bytes of the watched
3641 region can be set by specifying an optional repeat count preceding the dcmd. If
3642 no length is explicitly set, the default is one byte. The \fB::wp\fR dcmd
3643 allows the watchpoint to be configured to trigger on any combination of read
3644 (\fB-r\fR option), write (\fB-w\fR option), or execute (\fB-x\fR option)
3645 access. The \fB-d\fR, \fB-D\fR, \fB-e\fR, \fB-s\fR, \fB-t\fR, \fB-T\fR,
3646 \fB-c\fR, and \fB-n\fR options have the same meaning as they do for the
3647 \fB::evset\fR dcmd. The \fB:a\fR dcmd sets a read access watchpoint at the
3648 specified address. The \fB:p\fR dcmd sets an execute access watchpoint at the
3649 specified address. The \fB:w\fR dcmd sets a write access watchpoint at the
3650 specified address. The arguments following the \fB:a\fR, \fB:p\fR, and \fB:w\fR
3651 dcmds are concatenated together to form the callback string. If this string
3652 contains meta-characters, it must be quoted.
3662 List the external data buffers exported by the current target. External data
3663 buffers represent information associated with the target that can not be
3664 accessed through standard target facilities (that is, an address space, symbol
3665 table, or register set). These buffers can be consumed by dcmds; for more
3666 information, refer to the \fISolaris Modular Debugger Guide\fR.
3676 Delete all event specifiers from the list of traced software events. Event
3677 specifiers can also be deleted using \fB::delete\fR.
3682 The following options are supported:
3689 Disables automatic loading of \fBmdb\fR modules. By default, \fBmdb\fR attempts
3690 to load debugger modules corresponding to the active shared libraries in a user
3691 process or core file, or to the loaded kernel modules in the live operating
3692 system or an operating system crash dump.
3698 \fB\fB-e\fR \fIexpr\fR\fR
3701 Causes \fBmdb\fR to ignore standard input and instead evaluate the \fBmdb\fR
3702 expression \fIexpr\fR. Upon completing evaluation, \fBmdb\fR terminates and
3703 returns a status code. A non-zero return code from \fBmdb\fR indicates that
3704 either \fBmdb\fR or the evaluation of \fIexpr\fR failed.
3713 Forces raw file debugging mode. By default, \fBmdb\fR attempts to infer whether
3714 the object and core file operands refer to a user executable and core dump or
3715 to a pair of operating system crash dump files. If the file type cannot be
3716 inferred, the debugger defaults to examining the files as plain binary data.
3717 The \fB-f\fR option forces \fBmdb\fR to interpret the arguments as a set of raw
3727 Forcibly takes over the specified user process, if necessary. By default,
3728 \fBmdb\fR refuses to attach to a user process that is already under the control
3729 of another debugging tool, such as \fBtruss\fR(1). With the \fB-F\fR option,
3730 \fBmdb\fR attaches to these processes anyway. This can produce unexpected
3731 interactions between \fBmdb\fR and the other tools attempting to control the
3738 \fB\fB-I\fR \fIpath\fR\fR
3741 Sets default path for locating macro files. Macro files are read using the
3742 \fB$<\fR or \fB$<<\fR dcmds. The path is a sequence of directory names
3743 delimited by colon (\fB:\fR) characters. The \fB-I\fR \fBinclude\fR path and
3744 \fB-L\fR \fBlibrary\fR path (see below) can also contain any of the following
3752 Expands to the current instruction set architecture (\fBISA\fR) name
3753 ('sparc', 'sparcv9', or 'i386').
3762 Expands to the old value of the path being modified. This is useful for
3763 appending or prepending directories to an existing path.
3772 Expands to the current platform string (either \fBuname\fR \fB-i\fR or the
3773 platform string stored in the process core file or crash dump).
3782 Expands to the pathname of the root directory. An alternate root directory can
3783 be specified using the \fB-R\fR option. If no \fB-R\fR option is present, the
3784 root directory is derived dynamically from the path to the \fBmdb\fR executable
3785 itself. For example, if \fB/bin/mdb\fR is executed, the root directory is
3786 \fB/\fR. If \fB/net/hostname/bin/mdb\fR were executed, the root directory would
3787 be derived as \fB/net/hostname\fR.
3796 Expands to the name of the current target. This is either be the literal
3797 string '\fBproc\fR' (a user process or user process core file), '\fBkvm\fR' (a kernel
3798 crash dump or the live operating system), or '\fBraw\fR' (a raw file).
3801 The default include path for 32-bit \fBmdb\fR is:
3805 %r/usr/platform/%p/lib/adb:%r/usr/lib/adb
3810 The default include path for 64-bit \fBmdb\fR is:
3814 %r/usr/platform/%p/lib/adb/%i:%r/usr/lib/adb/%i
3827 Forces kernel debugging mode. By default, \fBmdb\fR attempts to infer whether
3828 the object and core file operands refer to a user executable and core dump, or
3829 to a pair of operating system crash dump files. The \fB-k\fR option forces
3830 \fBmdb\fR to assume these files are operating system crash dump files. If no
3831 object or core operand is specified, but the \fB-k\fR option is specified,
3832 \fBmdb\fR defaults to an object file of \fB/dev/ksyms\fR and a core file of
3833 \fB/dev/kmem\fR. Read access to \fB/dev/kmem\fR is restricted to group sys.
3834 Write access requires ALL privileges.
3843 Load \fBkmdb\fR, stop the live running operating system kernel, and proceed to
3844 the \fBkmdb\fR debugger prompt. This option should only be used on the system
3845 console, as the subsequent \fBkmdb\fR prompt appears on the system console.
3851 \fB\fB-L\fR \fIpath\fR\fR
3854 Sets default path for locating debugger modules. Modules are loaded
3855 automatically on startup or using the \fB::load\fR dcmd. The path is a sequence
3856 of directory names delimited by colon (\fB:\fR) characters. The \fB-L\fR
3857 library path can also contain any of the tokens shown for \fB-I\fR above.
3866 Disables demand-loading of kernel module symbols. By default, \fBmdb\fR
3867 processes the list of loaded kernel modules and performs demand loading of
3868 per-module symbol tables. If the \fB-m\fR option is specified, \fBmdb\fR does
3869 not attempt to process the kernel module list or provide per-module symbol
3870 tables. As a result, \fBmdb\fR modules corresponding to active kernel modules
3871 are not loaded on startup.
3880 Preloads all kernel module symbols. By default, \fBmdb\fR performs
3881 demand-loading for kernel module symbols: the complete symbol table for a
3882 module is read when an address is that module's text or data section is
3883 referenced. With the \fB-M\fR option, \fBmdb\fR loads the complete symbol table
3884 of all kernel modules during startup.
3890 \fB\fB-o\fR \fIoption\fR\fR
3893 Enables the specified debugger option. If the \fB-o\fR form of the option is
3894 used, the specified \fIoption\fR is disabled. Unless noted below, each option
3895 is off by default. \fBmdb\fR recognizes the following \fIoption\fR arguments:
3902 Enables stricter \fBadb\fR(1) compatibility. The prompt is set to the empty
3903 string and many \fBmdb\fR features, such as the output pager, is disabled.
3909 \fB\fBarray_mem_limit=\fR\fIlimit\fR\fR
3912 Sets the default limit on the number of array members that \fB::print\fR
3913 displays. If \fIlimit\fR is the special token \fBnone\fR, all array members are
3914 displayed by default.
3920 \fB\fBarray_str_limit=\fR\fIlimit\fR\fR
3923 Sets the default limit on the number of characters that \fB::print\fR attempts
3924 to display as an ASCII string when printing a char array. If \fIlimit\fR is the
3925 special token \fBnone\fR, the entire char array is displayed as a string by
3932 \fB\fBfollow_exec_mode=\fR\fImode\fR\fR
3935 Sets the debugger behavior for following an \fBexec\fR(2) system call. The
3936 \fImode\fR should be one of the following named constants:
3943 If stdout is a terminal device, the debugger stops after the \fBexec\fR(2)
3944 system call has returned and then prompts the user to decide whether to follow
3945 the exec or stop. If stdout is not a terminal device, the \fBask\fR mode
3946 defaults to \fBstop\fR.
3955 The debugger follows the exec by automatically continuing the target process
3956 and resetting all of its mappings and symbol tables based on the new
3957 executable. The \fBfollow\fR behavior is discussed in more detail under NOTES,
3958 \fBInteraction with Exec\fR, below.
3967 The debugger stops following return from the exec system call. The \fBstop\fR
3968 behavior is discussed in more detail under NOTES, \fBInteraction with Exec\fR,
3977 \fB\fBfollow_fork_mode=\fR\fImode\fR\fR
3980 Sets the debugger behavior for following a \fBfork\fR(2), \fBfork1\fR(2), or
3981 \fBvfork\fR(2) system call. The \fImode\fR should be one of the following named
3989 If stdout is a terminal device, the debugger stops after the \fBfork\fR(2)
3990 system call has returned and then prompts the user to decide whether to follow
3991 the parent or child. If stdout is not a terminal device, the \fBask\fR mode
3992 defaults to \fBparent\fR.
4001 The debugger follows the parent process, and detaches from the child process
4002 and sets it running.
4011 The debugger follows the child process, and detaches from the parent process
4012 and sets it running.
4020 \fB\fBignoreeof\fR\fR
4023 The debugger does not exit when an \fBEOF\fR sequence (\fB^D\fR) is entered at
4024 the terminal. The \fB::quit\fR dcmd must be used to quit.
4033 Does not stop a user process when attaching to it when the \fB-p\fR option is
4034 specified or when the \fB::attach\fR or \fB:A\fR dcmds are applied. The
4035 \fBnostop\fR behavior is described in more detail under NOTES, \fBProcess
4036 Attach and Release\fR, below.
4045 Enables the output pager (default).
4051 \fB\fBrepeatlast\fR\fR
4054 If a \fINEWLINE\fR is entered as the complete command at the terminal,
4055 \fBmdb\fR repeats the previous command with the current value of dot. This
4056 option is implied by \fB-o\fR \fBadb\fR.
4062 \fB\fBshowlmid\fR\fR
4065 \fBmdb\fR provides support for symbol naming and identification in user
4066 applications that make use of link maps other than \fILM_ID_BASE\fR and
4067 \fILM_ID_LDSO\fR, as described in \fBSymbol Name Resolution\fR, above. Symbols
4068 on link maps other than \fILM_ID_BASE\fR or \fILM_ID_LDSO\fR is shown as
4069 \fBLMlmid`library`symbol\fR, where \fBlmid\fR is the link-map \fBID\fR in the
4070 default output radix (16). The user can optionally configure \fBmdb\fR to show
4071 the link-map \fBID\fR scope of all symbols and objects, including those
4072 associated with \fILM_ID_BASE\fR and \fILM_ID_LDSO\fR, by enabling the
4073 \fBshowlmid\fR option. Built-in dcmds that deal with object file names displays
4074 link-map \fBID\fRs according to the value of \fBshowlmid\fR above, including
4075 \fB::nm\fR, \fB::mappings\fR, \fB$m\fR, and \fB::objects\fR.
4083 \fB\fB-p\fR \fIpid\fR\fR
4086 Attaches to and stops the specified process-id. \fBmdb\fR uses the
4087 \fB/proc/\fIpid\fR/object/a.out\fR file as the executable file pathname.
4093 \fB\fB-P\fR \fIprompt\fR\fR
4096 Sets the command prompt. The default prompt is '\fB>\fR '.
4102 \fB\fB-R\fR \fIroot\fR\fR
4105 Sets root directory for pathname expansion. By default, the root directory is
4106 derived from the pathname of the \fBmdb\fR executable itself. The root
4107 directory is substituted in place of the \fB%r\fR token during pathname
4114 \fB\fB-s\fR \fIdistance\fR\fR
4117 Sets the symbol matching distance for address-to-symbol-name conversions to the
4118 specified \fIdistance\fR. By default, \fBmdb\fR sets the distance to zero,
4119 which enables a smart-matching mode. Each \fBELF\fR symbol table entry includes
4120 a value V and size S, representing the size of the function or data object in
4121 bytes. In smart mode, \fBmdb\fR matches an address A with the given symbol if A
4122 is in the range [ V, V + S ). If any non-zero distance is specified, the same
4123 algorithm is used, but S in the expression above is always the specified
4124 absolute distance and the symbol size is ignored.
4133 Suppresses processing of the user's \fB~/.mdbrc\fR file. By default, \fBmdb\fR
4134 reads and processes the macro file \fB\&.mdbrc\fR if one is present in the
4135 user's home directory, as defined by $\fBHOME\fR. If the \fB-S\fR option is
4136 present, this file is not read.
4145 Forces user debugging mode. By default, \fBmdb\fR attempts to infer whether the
4146 object and core file operands refer to a user executable and core dump, or to a
4147 pair of operating system crash dump files. The \fB-u\fR option forces \fBmdb\fR
4148 to assume these files are not operating system crash dump files.
4157 Unload \fBkmdb\fR if it is loaded. You should unload \fBkmdb\fR when it is not
4158 in use to release the memory used by the kernel debugger back to the free
4159 memory available to the operating system.
4165 \fB\fB-V\fR \fIversion\fR\fR
4168 Sets disassembler version. By default, \fBmdb\fR attempts to infer the
4169 appropriate disassembler version for the debug target. The disassembler can be
4170 set explicitly using the \fB-V\fR option. The \fB::disasms\fR dcmd lists the
4171 available disassembler versions.
4180 Opens the specified object and core files for writing.
4189 Permit access to memory addresses that are mapped to I/O devices. By default,
4190 \fBmdb\fR does not allow such access because many devices do not provide
4191 hardware protection against invalid software manipulations. Use this option
4192 only when debugging device drivers and with caution.
4201 Sends explicit terminal initialization sequences for tty mode. Some legacy
4202 terminal emulators require explicit initialization sequences to switch
4203 into a tty mode. Without this initialization sequence, terminal features such
4204 as standout mode will not be available to \fBmdb\fR.
4209 The following operands are supported:
4216 Specifies an \fBELF\fR format object file to examine. \fBmdb\fR provides the
4217 ability to examine and edit \fBELF\fR format executables (\fBET_EXEC\fR),
4218 \fBELF\fR dynamic library files (\fBET_DYN\fR), \fBELF\fR relocatable object
4219 files (\fBET_REL\fR), and operating system unix.X symbol table files.
4228 Specifies an \fBELF\fR process core file (\fBET_CORE\fR), or an operating
4229 system crash dump vmcore.X file. If an \fBELF\fR core file operand is provided
4230 without a corresponding object file, \fBmdb\fR attempts to infer the name of
4231 the executable file that produced the core using several different algorithms.
4232 If no executable is found, \fBmdb\fR still executes, but some symbol
4233 information can be unavailable.
4242 Specifies the numerical suffix representing a pair of operating system crash
4243 dump files. For example, if the suffix is '\fB3\fR', \fBmdb\fR infers that it
4244 should examine the files '\fBunix.3\fR' and '\fBvmcore.3\fR'. The string of
4245 digits are not interpreted as a suffix if an actual file of the same name is
4246 present in the current directory.
4251 \fBmdb\fR processes all input files (including scripts, object files, core
4252 files, and raw data files) in a large file aware fashion. See
4253 \fBlargefile\fR(5) for more information about the processing of large files,
4254 which are files greater than or equal to 2 Gbytes (2^31 bytes).
4257 The following exit values are returned:
4264 Debugger completed execution successfully.
4273 A fatal error occurred.
4282 Invalid command line options were specified.
4285 .SH ENVIRONMENT VARIABLES
4288 \fB\fBHISTSIZE\fR\fR
4291 This variable is used to determine the maximum length of the command history
4292 list. If this variable is not present, the default length is \fB128\fR.
4301 This variable is used to determine the pathname of the user's home directory,
4302 where a \fB\&.mdbrc\fR file can reside. If this variable is not present, no
4303 \fB\&.mdbrc\fR processing occurs.
4312 This variable is used to determine the pathname of the shell used to process
4313 shell escapes requested using the \fB!\fR meta-character. If this variable is
4314 not present, \fB/bin/sh\fR is used.
4320 \fB\fB$HOME/.mdbrc\fR\fR
4324 User \fBmdb\fR initialization file. The \fB\&.mdbrc\fR file, if present, is
4325 processed after the debug target has been initialized, but before module
4326 auto-loading is performed or any commands have been read from standard input.
4332 \fB\fB/dev/kmem\fR\fR
4336 Kernel virtual memory image device. This device special file is used as the
4337 core file when examining the live operating system.
4343 \fB\fB/dev/ksyms\fR\fR
4347 Kernel symbol table device. This device special file is used as the object file
4348 when examining the live operating system.
4354 \fB\fB/proc/\fIpid\fR/*\fR\fR
4358 Process information files that are read when examining and controlling user
4365 \fB\fB/usr/lib/adb\fR\fR
4369 \fB\fB/usr/platform/\fIplatform-name\fR/lib/adb\fR\fR
4373 Default directories for macro files that are read with the \fB$<\fR and
4374 \fB$<<\fR dcmds. \fIplatform-name\fR is the name of the platform, derived
4375 either from information in a core file or crash dump, or from the current
4376 machine as if by \fBuname\fR \fB-i\fR (see \fBuname\fR(1)).
4382 \fB\fB/usr/lib/mdb\fR\fR
4386 \fB\fB/usr/platform/\fIplatform-name\fR/lib/mdb\fR\fR
4390 Default directories for debugger modules that are loaded using the \fB::load\fR
4391 dcmd. \fIplatform-name\fR is the name of the platform, derived either from
4392 information in a core file or crash dump, or from the current machine as if by
4393 \fBuname\fR \fB-i\fR (see \fBuname\fR(1)).
4398 See \fBattributes\fR(5) for descriptions of the following attributes:
4406 ATTRIBUTE TYPE ATTRIBUTE VALUE
4408 Interface Stability Evolving
4413 \fBadb\fR(1), \fBcmdtool\fR(1), \fBgcore\fR(1), \fBproc\fR(1), \fBpgrep\fR(1),
4414 \fBps\fR(1), \fBstty\fR(1), \fBtruss\fR(1), \fBuname\fR(1), \fBcoreadm\fR(1M),
4415 \fBdumpadm\fR(1M), \fBlargefile\fR(5), \fBsavecore\fR(1M), \fBexec\fR(2),
4416 \fBfork\fR(2), \fB_lwp_self\fR(2), \fBpipe\fR(2), \fBvfork\fR(2),
4417 \fBdlopen\fR(3C), \fBelf\fR(3ELF), \fBlibc_db\fR(3LIB), \fBlibkvm\fR(3LIB),
4418 \fBlibthread\fR(3LIB), \fBsignal\fR(3C), \fBsignal.h\fR(3HEAD),
4419 \fBthr_self\fR(3C), \fBcore\fR(4), \fBproc\fR(4), \fBattributes\fR(5),
4420 \fBlargefile\fR(5), \fBthreads\fR(5), \fBksyms\fR(7D), \fBmem\fR(7D)
4423 \fILinker and Libraries Guide\fR
4426 \fISolaris Modular Debugger Guide\fR
4428 .SS "Use of the Error Recovery Mechanism"
4430 The debugger and its dmods execute in the same address space, and thus it is
4431 quite possible that a buggy dmod can cause \fBmdb\fR to dump core or otherwise
4432 misbehave. The \fBmdb\fR resume capability, described above under \fBSignal
4433 Handling\fR, provides a limited recovery mechanism for these situations.
4434 However, it is not possible for \fBmdb\fR to know definitively whether the dmod
4435 in question has corrupted only its own state, or the debugger's global state.
4436 Therefore a resume operation cannot be guaranteed to be safe, or to prevent a
4437 subsequent crash of the debugger. The safest course of action following a
4438 resume is to save any important debug information, and then quit and restart
4440 .SS "Use of the Debugger to Modify the Live Operating System"
4442 The use of the debugger to modify (that is, write to) the address space of live
4443 running operating system is extremely dangerous, and can result in a system
4444 panic in the event the user damages a kernel data structure.
4446 .SS "Limitations on Examining Process Core Files"
4448 \fBmdb\fR does not provide support for examining process core files that were
4449 generated by a release of Solaris preceding Solaris 2.6. When debugging core
4450 files generated by a release of Solaris 9 or an earlier release, symbol
4451 information might not be available. Since the text section and read-only data
4452 is not present in those core files, the symbol information might not match the
4453 data present in the process at the time it dumped core. In releases later than
4454 Solaris 9, text sections and read-only data are included in core files by
4455 default. Users can configure their processes to exclude that information from
4456 core files using \fBcoreadm\fR(1M). Thus, the information presented by
4457 \fBmdb\fR for those core files can not match the data that was present at the
4458 time the process dumped core. Core files from Solaris x86 systems can not be
4459 examined on Solaris SPARC systems, and vice-versa.
4460 .SS "Limitations on Examining Crash Dump Files"
4462 Crash dumps from Solaris 7 and earlier releases can only be examined with the
4463 aid of the libkvm from the corresponding operating system release. If a crash
4464 dump from one operating system release is examined using the dmods from a
4465 different operating system release, changes in the kernel implementation can
4466 prevent some dcmds or walkers from working properly. \fBmdb\fR issues a warning
4467 message if it detects this condition. Crash dumps from Solaris x86 systems can
4468 not be examined on Solaris SPARC systems, and vice-versa.
4469 .SS "Relationship Between 32-bit and 64-bit Debugger"
4471 \fBmdb\fR provides support for debugging both 32-bit and 64-bit programs. Once
4472 it has examined the target and determined its data model, \fBmdb\fR
4473 automatically re-executes the \fBmdb\fR binary that has the same data model as
4474 the target, if necessary. This approach simplifies the task of writing debugger
4475 modules, because the modules that are loaded use the same data model as the
4476 primary target. Only the 64-bit debugger can be used to debug 64-bit target
4477 programs. The 64-bit debugger can only be used on a system that is running the
4478 64-bit operating environment.
4481 The debugger can also need to re-execute itself when debugging a 32-bit process
4482 that execs a 64-bit process, or vice-versa. The handling of this situation is
4483 discussed in more detail under \fBInteraction with Exec\fR, below.
4484 .SS "Interaction with Exec"
4486 When a controlled process performs a successful \fBexec\fR(2), the behavior of
4487 the debugger is controlled by the \fB::set\fR \fB-o\fR \fBfollow_exec_mode\fR
4488 option, as described above. If the debugger and victim process have the same
4489 data model, then the "\fBstop\fR" and "\fBfollow\fR" modes determine whether
4490 \fBmdb\fR automatically continues the target or returns to the debugger prompt
4491 following the exec. If the debugger and victim process have a different data
4492 model, then the "\fBfollow\fR" behavior causes \fBmdb\fR to automatically
4493 re-exec the \fBmdb\fR binary with the appropriate data model and to re-attach
4494 to the process, still stopped on return from the exec. Not all debugger state
4495 is preserved across this re-exec.
4498 If a 32-bit victim process execs a 64-bit program, then "\fBstop\fR" returns to
4499 the command prompt, but the debugger is no longer able to examine the process
4500 because it is now using the 64-bit data model. To resume debugging, execute the
4501 \fB::release\fR \fB-a\fR dcmd, quit \fBmdb\fR, and then execute \fBmdb\fR
4502 \fB-p\fR \fIpid\fR to re-attach the 64-bit debugger to the process.
4505 If a 64-bit victim process execs a 32-bit program, then "\fBstop\fR" returns to
4506 the command prompt, but the debugger only provides limited capabilities for
4507 examining the new process. All built-in dcmds work as advertised, but loadable
4508 dcmds do not since they do not perform data model conversion of structures. The
4509 user should release and re-attach the debugger to the process as described
4510 above in order to restore full debugging capabilities.
4511 .SS "Interaction with Job Control"
4513 If the debugger is attached to a process that is stopped by job control (that
4514 is, it stopped in response to \fBSIGTSTP\fR, \fBSIGTTIN\fR, or \fBSIGTTOU\fR),
4515 the process can not be able to be set running again when it is continued by a
4516 continue dcmd. If the victim process is a member of the same session (that is,
4517 it shares the same controlling terminal as \fBmdb\fR), \fBmdb\fR attempts to
4518 bring the associated process group to the foreground and to continue the
4519 process with \fBSIGCONT\fR to resume it from job control stop. When \fBmdb\fR
4520 is detached from such a process, it restores the process group to the
4521 background before exiting. If the victim process is not a member of the same
4522 session, \fBmdb\fR cannot safely bring the process group to the foreground, so
4523 it continues the process with respect to the debugger, but the process remains
4524 stopped by job control. \fBmdb\fR prints a warning in this case, and the user
4525 must issue an "\fBfg\fR" command from the appropriate shell in order to resume
4527 .SS "Process Attach and Release"
4529 When \fBmdb\fR attaches to a running process, the process is stopped and
4530 remains stopped until one of the continue dcmds is applied, or the debugger
4531 quits. If the \fB-o\fR \fBnostop\fR option is enabled prior to attaching the
4532 debugger to a process with \fB-p\fR, or prior to issuing an \fB::attach\fR or
4533 \fB:A\fR command, \fBmdb\fR attaches to the process but does not stop it. While
4534 the process is still running, it can be inspected as usual (albeit with
4535 inconsistent results) and breakpoints or other tracing flags might be enabled.
4536 If the \fB:c\fR or \fB::cont\fR dcmds are executed while the process is
4537 running, the debugger waits for the process to stop. If no traced software
4538 events occur, the user can send an interrupt (\fB^C\fR) after \fB:c\fR or
4539 \fB::cont\fR to force the process to stop and return control to the debugger.
4542 \fBmdb\fR releases the current running process (if any) when the \fB:R\fR,
4543 \fB::release\fR, \fB:r\fR, \fB::run\fR, \fB$q\fR, or \fB::quit\fR dcmds are
4544 executed, or when the debugger terminates as the result of an \fBEOF\fR or
4545 signal. If the process was originally created by the debugger using \fB:r\fR or
4546 \fB::run\fR, it is forcibly terminated as if by \fBSIGKILL\fR when it is
4547 released. If the process was already running prior to attaching \fBmdb\fR to
4548 it, it is set running again when it is released. A process can be released and
4549 left stopped and abandoned using the \fB::release\fR \fB-a\fR option.
4550 .SS "Symbolic Debugging Information"
4552 The \fB::list\fR, \fB::offsetof\fR, \fB::print\fR, and \fB::sizeof\fR dcmds
4553 require that one or more load objects contain compressed symbolic debugging
4554 information suitable for use with \fBmdb\fR. This information is currently only
4555 available for certain Solaris kernel modules.
4556 .SS "Developer Information"
4558 The \fISolaris Modular Debugger Guide\fR provides a more detailed description
4559 of \fBmdb\fR features, as well as information for debugger module developers.
4562 The header file \fB<sys/mdb_modapi.h>\fR contains prototypes for the functions
4563 in the MDB Module \fBAPI\fR.