
A Brief Introduction to Using Solaris mdb

November 16, 2013

13.2. MDB Command Syntax

The MDB debugger lets us interact with the target program and the memory image of the target. The syntax is an enhanced form of that used with debuggers like adb, in which the basic form is expressed as a value and a command.

[value] [,count ] command

The language syntax is designed around the concept of computing the value of an expression (typically a memory address in the target), and applying a command to that expression. A command in MDB can be of several forms. It can be a macro file, a metacharacter, or a dcmd pipeline. A simple command is a metacharacter or dcmd followed by a sequence of zero or more blank-separated words. The words are typically passed as arguments. Each command returns an exit status that indicates it succeeded, failed, or was invoked with invalid arguments.

For example, if we wanted to display the contents of the word at address fec4b8d0, we could use the / metacharacter with the word X as a format specifier, and optionally a count specifying the number of iterations.

> fec4b8d0 /X
lotsfree:
lotsfree: f5e
> fec4b8d0,4 /X
lotsfree:
lotsfree: f5e 7af 3d7 28

MDB keeps the notion of dot (.) as the current address or value, carried over from the last successful command. A command with no supplied expression uses the value of dot for its argument.

> /X
lotsfree:
lotsfree: f5e
> . /X
lotsfree:
lotsfree: f5e

A pipeline is a sequence of one or more simple commands separated by |. Unlike the shell, dcmds in MDB pipelines are not executed as separate processes. After the pipeline has been parsed, each dcmd is invoked in order from left to right. The full definition of a command involving pipelines is as follows.

[expr] [,count ] pipeline [words...]

Each dcmd's output is processed and stored as described in "dcmd Pipelines" in Section 13.2.8. After the left-hand dcmd is complete, its processed output is used as input for the next dcmd in the pipeline. If any dcmd does not return a successful exit status, the pipeline is aborted.

For reference, Table 13.1 lists the full set of expression and pipeline combinations that form commands.

Table 13.1. General MDB Command Syntax

Command                             Description
pipeline [!word...] [;]             basic
expr pipeline [!word...] [;]        set dot, run once
expr, expr pipeline [!word...] [;]  set dot, repeat
, expr pipeline [!word...] [;]      repeat
expr [!word...] [;]                 set dot, last pipeline, run once
, expr [!word...] [;]               last pipeline, repeat
expr, expr [!word...] [;]           set dot, last pipeline, repeat
!word... [;]                        shell escape

13.2.1. Expressions

Arithmetic expansion is performed when an MDB command is preceded by an optional expression representing a numerical argument for a dcmd. Common expressions are summarized in Tables 13.2, 13.3, and 13.4.

Table 13.2. Arithmetic Expressions

Operator          Expression
integer           0i binary
                  0o octal
                  0t decimal
                  0x hex
0t[0-9]+\.[0-9]+  IEEE floating point
'cccccccc'        little-endian character const
<identifier       variable lookup
identifier        symbol lookup
(expr)            the value of expr
.                 the value of dot
&                 last dot used by dcmd
+                 dot+increment
^                 dot-increment (increment is effected by the last formatting dcmd)

Table 13.3. Unary Operators

Operator        Expression
#expr           logical NOT
~expr           bitwise NOT
-expr           integer negation
%expr           object-file pointer dereference
%/[csil]/expr   object-file typed dereference
%/[1248]/expr   object-file sized dereference
*expr           virtual-address pointer dereference
*/[csil]/expr   virtual-address typed dereference
*/[1248]/expr   virtual-address sized dereference

[csil] is char-, short-, int-, or long-sized

Table 13.4. Binary Operators

Operator       Description
expr * expr    integer multiplication
expr % expr    integer division
left # right   left rounded up to next right multiple
expr + expr    integer addition
expr - expr    integer subtraction
expr << expr   bitwise left shift
expr >> expr   bitwise right shift (logical)
expr == expr   logical equality
expr != expr   logical inequality
expr & expr    bitwise AND
expr ^ expr    bitwise XOR
expr | expr    bitwise OR

An example of a simple expression is adding an integer to an address.

> d7c662e0+0t8/X
0xd7c662e8: d2998b80
> d7c662e0+0t8::print int
0xd7c662e8: d2998b80
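
The literal and operator rules of Tables 13.2 and 13.4, as an added Python sketch that is not part of MDB or of the original text: it evaluates integer literals, parentheses and the binary operators only. The default radix of 16, the 64-bit result width and the precedence grouping are assumptions stated in the comments; note that 5000 and 0t5000 are different values, which matters before any write in -w mode.

```python
import re

RADIX = {"i": 2, "o": 8, "t": 10, "x": 16}   # 0i, 0o, 0t, 0x prefixes (Table 13.2)
# Table 13.4 operators grouped by precedence, lowest first (grouping assumed).
LEVELS = [("|",), ("^",), ("&",), ("==", "!="),
          ("<<", ">>"), ("+", "-"), ("*", "%", "#")]
TOKEN = re.compile(r"\s*(0[iotxIOTX][0-9a-fA-F]+|[0-9a-fA-F]+|<<|>>|==|!=|[*%#+\-&^|()])")
MASK = (1 << 64) - 1                         # results kept to 64 bits (assumed)

def literal(tok):
    """Unprefixed integers are hexadecimal; a 0i/0o/0t/0x prefix overrides that."""
    if len(tok) > 2 and tok[0] == "0" and tok[1].lower() in RADIX:
        return int(tok[2:], RADIX[tok[1].lower()])
    return int(tok, 16)

def apply(op, a, b):
    if op in ("%", "#") and b == 0:
        raise ZeroDivisionError("right operand of %s is zero" % op)
    ops = {"*": lambda: a * b, "%": lambda: a // b,
           "#": lambda: (a + b - 1) // b * b,    # a rounded up to a multiple of b
           "+": lambda: a + b, "-": lambda: a - b,
           "<<": lambda: a << b, ">>": lambda: a >> b,
           "==": lambda: int(a == b), "!=": lambda: int(a != b),
           "&": lambda: a & b, "^": lambda: a ^ b, "|": lambda: a | b}
    return ops[op]() & MASK

def evaluate(text):
    """Evaluate an expression made of integer literals, binary operators and ()."""
    toks = TOKEN.findall(text)
    if "".join(toks) != "".join(text.split()):
        raise ValueError("unsupported token in %r" % text)
    def parse(level):
        if level == len(LEVELS):                 # primary: literal or (expr)
            tok = toks.pop(0)
            if tok != "(":
                return literal(tok)
            value = parse(0)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing )")
            return value
        value = parse(level + 1)
        while toks and toks[0] in LEVELS[level]:
            value = apply(toks.pop(0), value, parse(level + 1))
        return value
    value = parse(0)
    if toks:
        raise ValueError("trailing input %r" % toks)
    return value
```

Symbols, variables, dot and the dereference operators need a live target and are rejected by this sketch.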

13.2.2. Symbols

MDB can reference memory or objects according to the value of a symbol of the target. A symbol is the name of either a function or a global variable in the target.

For example, you compute the address of the kernel's global variable lotsfree by entering it as an expression, and display it by using the = metacharacter. You display the value of the lotsfree symbol by using the / metacharacter.

>  lotsfree=X
fec4b8d0
> lotsfree/D
lotsfree:
lotsfree: 3934

Symbol names can be resolved from kernel and userland process targets. In the kernel, the resolution of the symbol names can optionally be defined with a scope by specifying the module or object file name. In a process, symbols' scope can be defined by library or object file names. They take the form shown in Table 13.5.

Table 13.5. Resolving Symbol Names

Target    Form
kernel    {module`}{file`}symbol
process   {LM[0-9]+`}{library`}{file`}symbol

The target typically searches the primary executable's symbol tables first, then one or more of the other symbol tables. Notice that ELF symbol tables contain only entries for external, global, and static symbols; automatic symbols do not appear in the symbol tables processed by MDB.

Additionally, MDB provides a private user-defined symbol table that is searched before any of the target symbol tables are searched. The private symbol table is initially empty and can be manipulated with the ::nmadd and ::nmdel dcmds.

The ::nm -P option displays the contents of the private symbol table. The private symbol table allows the user to create symbol definitions for program functions or data that were either missing from the original program or stripped out.

> ::nm
Value Size Type Bind Other Shndx Name
0x00000000|0x00000000|NOTY |LOCL |0x0 |UNDEF |
0xfec40038|0x00000000|OBJT |LOCL |0x0 |14 |_END_
0xfe800000|0x00000000|OBJT |LOCL |0x0 |1 |_START_
0xfec00000|0x00000000|NOTY |LOCL |0x0 |10 |__return_from_main
...

These definitions are then used whenever MDB converts a symbolic name to an address, or an address to the nearest symbol. Because targets contain multiple symbol tables and each symbol table can include symbols from multiple object files, different symbols with the same name can exist. MDB uses the backquote "`" character as a symbol-name scoping operator to allow the programmer to obtain the value of the desired symbol in this situation.

13.2.3. Formatting Metacharacters

The /, \, ?, and = metacharacters denote the special output formatting dcmds. Each of these dcmds accepts an argument list consisting of one or more format characters, repeat counts, or quoted strings. A format character is one of the ASCII characters shown in Table 13.6.

Table 13.6. Formatting Metacharacters

Metacharacter   Description
/               Read or write virtual address from . (dot)
\               Read or write physical address from . (dot)
?               Read or write primary object file, using virtual address from . (dot)
=               Read or write the value of . (dot)

13.2.4. Formatting Characters

Format characters read or write and format data from the target. They are combined with the formatting metacharacters to read, write, or search memory. For example, if we want to display or set the value of a memory location, we could represent that location by its hexadecimal address or by its symbol name. Typically, we use a metacharacter with a format or a dcmd to indicate what we want MDB to do with the memory at the indicated address.

In the following example, we display the address of the kernel's lotsfree symbol. We use the = metacharacter to display the absolute value of the symbol lotsfree, and the X format to display the address in 32-bit hexadecimal notation.

> lotsfree=X
fec4b8d0

In a more common example, we can use the / metacharacter to format for display the value at the address of the lotsfree symbol.

> lotsfree/D
lotsfree:
lotsfree: 4062

Optionally, a repeat count can be supplied with a format. A repeat count is a positive integer preceding the format character and is always interpreted in base 10 (decimal). A repeat count can also be specified as an expression enclosed in square brackets preceded by a dollar sign ($[ ]). A string argument must be enclosed in double-quotes (" "). No blanks are necessary between format arguments.

> lotsfree/4D
lotsfree:
lotsfree: 3934 1967 983 40

If MDB is started in writable (-w) mode, then write formats are enabled. Note that this should be considered MDB's dangerous mode, especially if operating on live kernels or applications. For example, to rewrite the value indicated by lotsfree to a new value, we could use the W write format with a valid MDB value or arithmetic expression, as shown in the summary at the start of this section. The W format writes the 32-bit value to the given address. In this example, we use an integer value, represented by the 0t arithmetic expression prefix.

> lotsfree/W 0t5000
lotsfree:
lotsfree: f5e

A complete list of format strings can be found with the ::formats dcmd.

> ::formats
+ - increment dot by the count (variable size)
- - decrement dot by the count (variable size)
B - hexadecimal int (1 byte)
C - character using C character notation (1 byte)
D - decimal signed int (4 bytes)
E - decimal unsigned long long (8 bytes)
...

A summary of the common formatting characters and the required metacharacters is shown in Table 13.7 through Table 13.9.

Table 13.7. Metacharacters and Formats for Reading

Metacharacter                          Description
[/\?=][BCVbcdhoquDHOQ+-^NnTrtaIiSsE]   value is immediate or $[expr]
/                                      format VA from . (dot)
\                                      format PA from . (dot)
?                                      format primary object file, using VA from . (dot)
=                                      format value of . (dot)

Format    Description            Format    Description
B (1)     hex                    +         dot += increment
C (1)     char (C-encoded)       -         dot -= increment
V (1)     unsigned               ^ (var)   dot -= incr*count
b (1)     octal                  N         newline
c (1)     char (raw)             n         newline
d (2)     signed                 T         tab
h (2)     hex, swap endianness   r         whitespace
o (2)     octal                  t         tab
q (2)     signed octal           a         dot as symbol+offset
u (2)     decimal                I (var)   address and instruction
D (4)     signed                 i (var)   instruction
H (4)     hex, swap endianness   S (var)   string (C-encoded)
O (4)     octal                  s (var)   string (raw)
Q (4)     signed octal           E (8)     unsigned
U (4)     unsigned               F (8)     double
X (4)     hex                    G (8)     octal
Y (4)     decoded time32_t       J (8)     hex
f (4)     float                  R (8)     binary
K (4|8)   hex uintptr_t          e (8)     signed
P (4|8)   symbol                 g (8)     signed octal
p (4|8)   symbol                 y (8)     decoded time64_t

Table 13.8. Metacharacters and Formats for Writing

Metacharacter           Description
[/\?][vwWZ] value...    value is immediate or $[expr]
/                       write virtual addresses
\                       write physical addresses
?                       write object file

Format   Description
v (1)    write low byte of each value, starting at dot
w (2)    write low 2 bytes of each value, starting at dot
W (4)    write low 4 bytes of each value, starting at dot
Z (8)    write all 8 bytes of each value, starting at dot
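
How the read formats of Table 13.7 and the write formats of Table 13.8 interpret the same bytes, as an added Python model that is not MDB code. The Target class, its read and write methods and the little-endian sample image are constructed for illustration, using the lotsfree address and values printed earlier on the page.

```python
import re
import struct

# Subset of Table 13.7: format char -> (size in bytes, struct code, rendering).
READ_FORMATS = {
    "B": (1, "B", "{:x}"), "V": (1, "B", "{:d}"),
    "d": (2, "h", "{:d}"), "u": (2, "H", "{:d}"),
    "D": (4, "i", "{:d}"), "U": (4, "I", "{:d}"), "X": (4, "I", "{:x}"),
    "e": (8, "q", "{:d}"), "E": (8, "Q", "{:d}"), "J": (8, "Q", "{:x}"),
}
WRITE_SIZES = {"v": 1, "w": 2, "W": 4, "Z": 8}       # Table 13.8

class Target:
    """A byte image standing in for target memory mapped at `base`."""
    def __init__(self, base, image, order="<"):       # "<" = little-endian (assumed)
        self.base, self.image, self.order = base, bytearray(image), order

    def _offset(self, addr, length):
        off = addr - self.base
        if off < 0 or off + length > len(self.image):
            raise ValueError("address range not mapped in this image")
        return off

    def read(self, addr, spec):
        """Emulate `addr/spec`, where spec is [count]format, e.g. 'X' or '4D'."""
        m = re.fullmatch(r"(\d*)([A-Za-z])", spec)
        if not m or m.group(2) not in READ_FORMATS:
            raise ValueError("unsupported format %r" % spec)
        count = int(m.group(1) or 1)                  # repeat counts are always decimal
        size, code, render = READ_FORMATS[m.group(2)]
        off = self._offset(addr, size * count)
        values = struct.unpack_from("%s%d%s" % (self.order, count, code), self.image, off)
        return [render.format(v) for v in values]

    def write(self, addr, fmt, value):
        """Emulate `addr/fmt value`: store the low bytes of value, return the old bytes."""
        size = WRITE_SIZES[fmt]
        off = self._offset(addr, size)
        old = bytes(self.image[off:off + size])
        low = value & ((1 << (8 * size)) - 1)
        self.image[off:off + size] = low.to_bytes(size, "little" if self.order == "<" else "big")
        return old

# Constructed image: the four words the page shows at lotsfree (fec4b8d0).
LOTSFREE = 0xfec4b8d0
SAMPLE = Target(LOTSFREE, struct.pack("<4I", 0xf5e, 0x7af, 0x3d7, 0x28))
```

Returning the previous bytes from write mirrors the habit of recording the old value before changing a live target, so the change can be undone.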

Table 13.9. Metacharacters and Formats for Searching

Metacharacter             Description
[/\?][lLM] value [mask]   value and mask are immediate or $[expr]
/                         search virtual addresses
\                         search physical addresses
?                         search object file

Format   Description
l (2)    search for 2-byte value, optionally masked
L (4)    search for 4-byte value, optionally masked
M (8)    search for 8-byte value, optionally masked

13.2.5. dcmds

The metacharacters we explored in the previous section are actually forms of dcmds. The more general form of a dcmd is ::name, where name is the command name, as summarized by the following:

::{module`}d
expr>var write the value of expr into var

A list of dcmds can be obtained with ::dcmds. Alternatively, the ::dmods command displays information about both dcmds and walkers, conveniently grouped per MDB module.

> ::dmods -l
genunix
...
dcmd pfiles - print process file information
dcmd pgrep - pattern match against all processes
dcmd pid2proc - convert PID to proc_t address
dcmd pmap - print process memory map
dcmd project - display kernel project(s)
dcmd prtconf - print devinfo tree
dcmd ps - list processes (and associated thr,lwp)
dcmd ptree - print process tree
...

Help on individual dcmds is available with the help dcmd. Yes, almost everything in MDB is implemented as a dcmd!

> ::help ps

NAME
ps - list processes (and associated thr,lwp)

SYNOPSIS
::ps [-fltzTP]

ATTRIBUTES

Target: kvm
Module: genunix
Interface Stability: Unstable

For example, we can optionally use ::ps as a simple dcmd with no arguments.

> ::ps
S PID PPID PGID SID UID FLAGS ADDR NAME
R 0 0 0 0 0 0x00000001 fffffffffbc23640 sched
R 3 0 0 0 0 0x00020001 ffffffff812278f8 fsflush
R 2 0 0 0 0 0x00020001 ffffffff81228520 pageout
R 1 0 0 0 0 0x42004000 ffffffff81229148 init
R 1782 1 1782 1782 1 0x42000000 ffffffff8121cc38 lockd
R 524 1 524 524 0 0x42000000 ffffffff8b7fd548 dmispd
R 513 1 513 513 0 0x42010000 ffffffff87bd2878 snmpdx
R 482 1 7 7 0 0x42004000 ffffffff87be90b8 intrd
R 467 1 466 466 0 0x42010000 ffffffff87bd8020 smcboot

Optionally, we could use the same ::ps dcmd with an address supplied in hexadecimal.

> ffffffff87be90b8::ps
S PID PPID PGID SID UID FLAGS ADDR NAME
R 482 1 7 7 0 0x42004000 ffffffff87be90b8 intrd
> ffffffff87be90b8::ps -ft
S PID PPID PGID SID UID FLAGS ADDR NAME
R 482 1 7 7 0 0x42004000 ffffffff87be90b8 /usr/perl5/bin/perl /usr/lib/intrd
T 0xffffffff8926d4e0 <TS_SLEEP>

13.2.6. Walkers

A walker is used to traverse a connected set of data. Walkers are a type of plugin that is coded to iterate over the specified type of data. In addition to the ::dcmds dcmd, the ::walkers dcmd lists walkers.

> ::walkers
Client_entry_cache - walk the Client_entry_cache cache
DelegStateID_entry_cache - walk the DelegStateID_entry_cache cache
File_entry_cache - walk the File_entry_cache cache
HatHash - walk the HatHash cache
...

For example, the proc walker could be used to traverse the set of process structures (proc_ts). Many walkers also have a default data item to walk if none is specified.

> ::walk proc
fffffffffbc23640
ffffffff812278f8
ffffffff81228520
...

There are walkers to traverse common generic data structure indexes. For example, simple linked lists can be traversed with the ::list walker, and AVL trees with the ::avl walker.

> ffffffff9a647ae0::walk avl
ffffffff9087a990
fffffe85ad8aa878
fffffe85ad8aa170
...
> fffffffffbc23640::list proc_t p_prev
fffffffffbc23640
ffffffff81229148
