The Möbius Operating System: Kernel Debugger

Kernel Debugger

Tim Robinson


The Möbius kernel has a simple command-line debugger built in. This document contains a reference to its commands. The kernel debugger is started when an unhandled exception or breakpoint is detected in the kernel. You can trigger a breakpoint manually with the F12 key. Note that it is possible to continue execution (with the go command) for breakpoints, but generally not for other exceptions.



Alias: go

Exits the debugger and attempts to continue execution of the thread.


Alias: hnd
Syntax: handles [process-ID]

Displays a list of handles for the specified process. Defaults to the current process if no ID is given. For each entry in the process's handle table, the debugger displays:

  • integer handle
  • handle header pointer
  • number of copies
  • number of locks
  • four-character tag
  • source file and line number where the handle was allocated
  • for threads: the thread ID
  • for processes: the process ID and executable file name
  • for files: the cookie pointer
The debugger also displays the number of handles in the process and the address of the handle table itself.

Note: For null handles (those where the handle header pointer is null), the only information displayed is the integer handle and the header pointer. Handle zero should always be null, in all processes.
Code listing 1: handle Command Output
> hnd 0
/System/Boot/shell.exe: 17 handles, handled = e002deb8
Handle  Pointer   Cp Lk Tag  Allocator
   0    00000000        (null)
   1    e0029978   2  0 proc proc.c(144) ID = 1, exe = /System/Boot/shell.exe
   2    e002c02c   1  0 thrd thread.c(353) ID = 4
   3    e0029b18   1  1 file fs.c(86) cookie = e0001268
   4    e0029b98   1  1 file fs.c(86) cookie = e0000978
   5    e0029c18   1  1 file fs.c(86) cookie = f0022ce0
   6    e002c6a0   1  1 file fs.c(86) cookie = f0022cf0
   7    e002c8a0   1  1 file fs.c(86) cookie = f0022d10
   8    e002cae8   1  1 file fs.c(86) cookie = f0022d20
   9    e002cd38   1  1 file fs.c(86) cookie = f0022d00
  10    e002cf80   1  1 file fs.c(86) cookie = f0022d40
  11    e002d180   1  1 file fs.c(86) cookie = f0022d30
  12    e002d408   1  1 file fs.c(86) cookie = f0022da0
  13    e002d610   1  1 file fs.c(86) cookie = f0022d50
  14    e002d8a0   1  1 file fs.c(86) cookie = f0022d60
  15    e002db20   1  1 file fs.c(86) cookie = f0022d70
  16    e002de38   1  1 file fs.c(86) cookie = f0022d90


Displays a list of valid debugger commands.


Exits the debugger and terminates the current process if possible. If the current process is the kernel process (ID 0), the system is halted.


Syntax: one of
leak hex-tag
leak dump
leak off

Controls malloc leak detection. Specify a 32-bit hexadecimal tag to enable leak detection. Type leak dump to dump allocated blocks with that tag. Type leak off to disable leak tracking.

Note: When the kernel starts, allocations are given a zero tag; when you use leak off, subsequent allocations are given a zero tag. Hence, if you type leak dump without enabling leak tracking, you are given a list of all untagged kernel allocations.
Code listing 2: leak Command Output
> leak 12345678
Leak tracing on with tag 12345678; type "leak dump" to dump
> go
[Press F12]
Thread kernel/0: Interrupt 3 at 18:80091ded: 00613b28
> leak dump
i386/memory.c(451): memory leaked: e002e240
fs.c(602): memory leaked: e00003d0
device.c(371): memory leaked: e002e278
device.c(698): memory leaked: e002e2c8
device.c(713): memory leaked: e002e310
thread.c(112): memory leaked: e002e360
thread.c(112): memory leaked: e002e210


Alias: mal
Syntax: malloc pointer

Displays information on a given memory block. The block must have been allocated in the kernel using malloc. The debugger searches for a block spanning the given address. At this point, it also checks allocation headers for corruption (it checks the magic number and checksum in the header of each block it visits when looking up the given pointer). The debugger displays:

  • start of the allocated block's header (the block's data begins that address plus sizeof(__maldbg_header_t))
  • size of the block header and block data
  • source file and line number where the block was allocated
  • leak tracking tag
  • previous and next pointers in the linked list of allocations

Note: The kernel malloc heap is currently located between addresses E0000000 and F0000000. The heap grows upwards from E0000000 and kernel stacks grow downwards from F0000000.
Code listing 3: malloc Command Output
> mal e0000000
e0000000: block not found
> mal e0001000
e0001000: block at e0000fd0
32+76 bytes, allocated at vmm.c(95), tag = 00000000
prev = e0000f60, next = e0001040


Alias: mod
Syntax: modules [process-ID]

Displays a list of modules loaded into the specified process. Defaults to the current process if no ID is given. For each module (user DLL and kernel driver/KLL) table, the debugger displays:

  • image file name
  • base address
  • image length

Code listing 4: modules Command Output
> mod 0
Name                                   Base        Length
/System/Boot/kernel.exe                c0000000    01000000
/System/Boot/tty.drv                   80110000    00008000
/System/Boot/keyboard.drv              80090000    00005000
/System/Boot/fdc.drv                   80070000    00005000
/System/Boot/ata.drv                   80030000    00007000
/System/Boot/fat.drv                   80050000    00005000
/System/Boot/ext2.drv                  800e0000    00004000
/System/Boot/pci.drv                   80080000    00003000
/System/Boot/rtl8139.drv               80160000    00006000


Alias: proc

Displays a list of processes. For each process, the debugger displays:

  • process ID
  • image file name

Code listing 5: processes Command Output
> proc
0   kernel
1   /System/Boot/shell.exe


Syntax: shutdown [reboot]

Reboots the system or turns the power off. shutdown reboot reboots the system; shutdown (with no parameter) attempts to shut down the system power using APM, if supported.


Alias: sym
Syntax: symbol address

Looks up an address in the symbol tables of the current process and displays its name, if possible.

Note: The symbol command only works for symbols in the COFF format. At the time of writing, the -gcoff flag to the Cygwin gcc compiler is broken.
Code listing 6: symbol Command Output
> symbol c0001234


Alias: thr
Syntax: threads [process-ID]

Displays a list of threads running in the specified process. Lists all threads in the system if no ID is given. For each thread, the debugger displays:

  • image file name
  • thread ID
  • for protected mode threads: current EIP
  • for V86 mode threads: current CS:IP

Code listing 7: threads Command Output
> thr
Listing all threads:
kernel                                 0    c0016c38
kernel                                 2    80161f4c
kernel                                 3    80161f4c
/System/Boot/shell.exe                 4    0060112b
kernel                                 5    c00010ce


Syntax: vmm [process-ID]

Displays a list of virtual memory areas for the specified process. Defaults to the current process if no ID is given. For each VMM area, the debugger displays:

  • vm_area_t structure pointer
  • start address
  • end address
  • area type; one of:
The debugger also displays the amount of free memory in the low-memory and all-memory pools, in kilobytes.

Code listing 8: vmm Command Output
> vmm 0
Low memory: 616KB
All memory: 95764KB
    Block       Start           End             Type
    e0000028    00001000        80030000        VM_AREA_EMPTY
    e00018b8    80030000        80037000        VM_AREA_IMAGE
    e0001928    80037000        80050000        VM_AREA_EMPTY
    e0009758    80050000        80055000        VM_AREA_IMAGE
    e00097c8    80055000        80070000        VM_AREA_EMPTY
    e0001460    80070000        80075000        VM_AREA_IMAGE
    e00014d0    80075000        80080000        VM_AREA_EMPTY
    e000af48    80080000        80083000        VM_AREA_IMAGE
    e0028708    80083000        80090000        VM_AREA_EMPTY
    e0000f80    80090000        80095000        VM_AREA_IMAGE
    e0000ff0    80095000        800a0000        VM_AREA_EMPTY
    e000aaf8    800a0000        800a5000        VM_AREA_IMAGE
    e000ab68    800a5000        800e0000        VM_AREA_EMPTY
    e0009fb8    800e0000        800e4000        VM_AREA_IMAGE
    e000a028    800e4000        80011000        VM_AREA_EMPTY
    e0000740    80110000        80118000        VM_AREA_IMAGE
    e00007b0    80118000        80160000        VM_AREA_EMPTY
    e0028e78    80160000        80166000        VM_AREA_IMAGE
    e0028ee8    80166000        bfc00000        VM_AREA_EMPTY
Post a comment