Kernel Debugger
Tim Robinson
1. Introduction
The Möbius kernel has a simple command-line debugger built in. This
document is a reference for its commands. The kernel debugger is entered
when an unhandled exception or breakpoint is detected in the kernel. You
can trigger a breakpoint manually with the F12 key. Note that it is possible
to continue execution (with the go command) after a breakpoint, but
generally not after other exceptions.
2. Commands
The listings below use the abbreviated command names that the debugger also
accepts (hnd, mal, mod, proc, thr).
Syntax: go
Exits the debugger and attempts to continue execution of the thread. Use it
after a breakpoint; continuing after other exceptions generally does not work.
Syntax: handles [process-ID]
Displays a list of handles for the specified process. Defaults to the current
process if no ID is given. For each entry in the process's handle table, the
debugger displays:
- integer handle
- handle header pointer
- number of copies
- number of locks
- four-character tag
- source file and line number where the handle was allocated
- for threads: the thread ID
- for processes: the process ID and executable file name
- for files: the cookie pointer
The debugger also displays the number of handles in the process and the address
of the handle table itself.
Note: For null handles (those where the handle header pointer is null),
the only information displayed is the integer handle and the header
pointer. Handle zero should always be null, in all processes.
Code listing 1: handles Command Output
> hnd 0
/System/Boot/shell.exe: 17 handles, handled = e002deb8
Handle Pointer  Cp Lk Tag  Allocator
0      00000000 (null)
1      e0029978 2  0  proc proc.c(144)   ID = 1, exe = /System/Boot/shell.exe
2      e002c02c 1  0  thrd thread.c(353) ID = 4
3      e0029b18 1  1  file fs.c(86)      cookie = e0001268
4      e0029b98 1  1  file fs.c(86)      cookie = e0000978
5      e0029c18 1  1  file fs.c(86)      cookie = f0022ce0
6      e002c6a0 1  1  file fs.c(86)      cookie = f0022cf0
7      e002c8a0 1  1  file fs.c(86)      cookie = f0022d10
8      e002cae8 1  1  file fs.c(86)      cookie = f0022d20
9      e002cd38 1  1  file fs.c(86)      cookie = f0022d00
10     e002cf80 1  1  file fs.c(86)      cookie = f0022d40
11     e002d180 1  1  file fs.c(86)      cookie = f0022d30
12     e002d408 1  1  file fs.c(86)      cookie = f0022da0
13     e002d610 1  1  file fs.c(86)      cookie = f0022d50
14     e002d8a0 1  1  file fs.c(86)      cookie = f0022d60
15     e002db20 1  1  file fs.c(86)      cookie = f0022d70
16     e002de38 1  1  file fs.c(86)      cookie = f0022d90
Displays a list of valid debugger commands.
Exits the debugger and terminates the current process if possible. If the
current process is the kernel process (ID 0), the system is halted.
Syntax: one of
  leak hex-tag
  leak dump
  leak off
Controls malloc leak detection. Specify a 32-bit hexadecimal tag to
enable leak detection; every block allocated from then on carries that tag.
Type leak dump to list the allocated blocks carrying the tag currently in
force. Type leak off to disable leak tracking. A block appears in the dump
because it is still allocated with that tag, not because the kernel has
determined that it is lost, so decide for yourself whether each listed
allocation should have been freed by the time of the dump.
Note: When the kernel starts, allocations are given a zero tag, and after
leak off subsequent allocations are again given a zero tag. Hence,
if you type leak dump without enabling leak tracking, you are given
a list of all untagged kernel allocations.
Code listing 2: leak Command Output
> leak 12345678
Leak tracing on with tag 12345678; type "leak dump" to dump
> go
[Press F12]
Thread kernel/0: Interrupt 3 at 18:80091ded: 00613b28
[etc.]
> leak dump
i386/memory.c(451): memory leaked: e002e240
fs.c(602): memory leaked: e00003d0
device.c(371): memory leaked: e002e278
device.c(698): memory leaked: e002e2c8
device.c(713): memory leaked: e002e310
thread.c(112): memory leaked: e002e360
thread.c(112): memory leaked: e002e210
Syntax: malloc address
Displays information on a given memory block. The block must have been
allocated in the kernel using malloc. The debugger walks the list of
allocations looking for a block spanning the given address, and checks each
allocation header it visits on the way for corruption (the magic number and
checksum in the header), so a malloc query also serves as a corruption check
of every block ahead of the target in the list. The debugger displays:
- start of the allocated block's header (the block's data begins at that
  address plus sizeof(__maldbg_header_t))
- size of the block header and of the block data
- source file and line number where the block was allocated
- leak tracking tag
- previous and next pointers in the linked list of allocations
Note: The kernel malloc heap is currently located between
addresses E0000000 and F0000000. The heap grows upwards from
E0000000 and kernel stacks grow downwards from F0000000.
Code listing 3: malloc Command Output
> mal e0000000
e0000000: block not found
> mal e0001000
e0001000: block at e0000fd0
32+76 bytes, allocated at vmm.c(95), tag = 00000000
prev = e0000f60, next = e0001040
In listing 3 the block found has a 32-byte header at e0000fd0 followed by 76
bytes of data, so its data runs from e0000ff0 up to e000103c and spans the
queried address e0001000.
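The leak and malloc commands above describe a tagged allocator whose headers carry a magic number and checksum and are chained in a doubly linked list. The C program below is an added example, not Möbius code, showing how such a scheme works: dbg_malloc stamps each block with the tag in force and the call site, leak_set_tag and leak_dump reproduce leak hex-tag, leak off and leak dump, and find_block does what mal address does, verifying the magic number and checksum of every header it visits and stopping at the first corrupt one. The header layout, the magic value, the FNV-style checksum and all function names are this example's own assumptions; the kernel's __maldbg_header_t is not reproduced here.

```c
/* Added example, not Möbius code: a tagged debug allocator in the style the leak
 * and malloc commands describe; layout, magic, checksum and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MALDBG_MAGIC 0x4d414c44u  /* assumed value */

typedef struct maldbg_header {
    uint32_t magic, checksum;           /* checksum covers every other field */
    size_t size;                        /* bytes of data following the header */
    const char *file; int line;         /* allocation site, e.g. vmm.c(95) */
    uint32_t tag;                       /* leak-tracking tag in force when allocated */
    struct maldbg_header *prev, *next;  /* list of live blocks, newest first */
} maldbg_header_t;

static maldbg_header_t *heap_head;
static uint32_t current_tag;            /* 0 at boot and after leak off */

/* FNV-1a style mix over every header field except the checksum itself. */
static uint32_t header_checksum(const maldbg_header_t *h)
{
    uintptr_t f[] = { h->magic, h->size, (uintptr_t)h->file, (uintptr_t)h->line,
                      h->tag, (uintptr_t)h->prev, (uintptr_t)h->next };
    uint32_t x = 2166136261u;
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++)
        x = (x ^ (uint32_t)(f[i] ^ (f[i] >> 16))) * 16777619u;
    return x;
}

static void seal(maldbg_header_t *h) { h->checksum = header_checksum(h); }

/* Prepend a header stamped with the current tag and the call site, link the
 * block at the head of the list and return the data pointer. */
void *dbg_malloc(size_t size, const char *file, int line)
{
    maldbg_header_t *h = malloc(sizeof *h + size);
    if (h == NULL) return NULL;
    h->magic = MALDBG_MAGIC; h->size = size; h->file = file; h->line = line;
    h->tag = current_tag; h->prev = NULL; h->next = heap_head;
    if (heap_head != NULL) { heap_head->prev = h; seal(heap_head); }  /* link changed */
    heap_head = h;
    seal(h);
    return h + 1;  /* data begins at header address + sizeof(maldbg_header_t) */
}

void dbg_free(void *p)
{
    if (p == NULL) return;
    maldbg_header_t *h = (maldbg_header_t *)p - 1;
    if (h->prev != NULL) { h->prev->next = h->next; seal(h->prev); } else heap_head = h->next;
    if (h->next != NULL) { h->next->prev = h->prev; seal(h->next); }
    h->magic = 0;  /* clear the magic before releasing the memory */
    free(h);
}

/* leak <hex-tag> sets a non-zero tag; leak off sets it back to zero. */
void leak_set_tag(uint32_t tag) { current_tag = tag; }

/* leak dump: list every live block carrying `tag` and return how many there are.
 * A block is listed because it is still allocated with that tag, nothing more. */
int leak_dump(uint32_t tag)
{
    int n = 0;
    for (const maldbg_header_t *h = heap_head; h != NULL; h = h->next)
        if (h->tag == tag) {
            printf("%s(%d): memory leaked: %p\n", h->file, h->line, (const void *)(h + 1));
            n++;
        }
    return n;
}

/* malloc <address>: find the block whose data spans addr, verifying the magic and
 * checksum of every header visited. Returns 0 with *out set, -1 if nothing spans
 * addr (*out NULL), or -2 at the first corrupt header (*out = that header). */
int find_block(const void *addr, maldbg_header_t **out)
{
    uintptr_t a = (uintptr_t)addr;
    for (maldbg_header_t *h = heap_head; h != NULL; h = h->next) {
        *out = h;
        if (h->magic != MALDBG_MAGIC || h->checksum != header_checksum(h)) return -2;
        uintptr_t data = (uintptr_t)(h + 1);
        if (a >= data && a < data + h->size) return 0;
    }
    *out = NULL;
    return -1;
}

int main(void)
{
    void *a = dbg_malloc(76, "vmm.c", 95);     /* tag 0: allocated before leak <tag> */
    leak_set_tag(0x12345678u);                  /* > leak 12345678 */
    void *b = dbg_malloc(16, "thread.c", 112);
    void *c = dbg_malloc(48, "device.c", 371);
    leak_set_tag(0);                            /* > leak off */
    dbg_free(c);
    printf("leak dump: %d block(s)\n", leak_dump(0x12345678u));  /* b only */
    maldbg_header_t *h;
    int rc = find_block((char *)a + 10, &h);    /* > mal <address inside a> */
    printf("rc=%d: %zu bytes at %s(%d)\n", rc, h->size, h->file, h->line);
    ((maldbg_header_t *)b - 1)->size = 9999;    /* smash b's header ... */
    printf("rc=%d after corruption\n", find_block(a, &h));  /* ... and mal notices */
    return 0;
}
```

Because the checksum covers the prev and next links, every list update re-seals the neighbours it touches; that is what makes a smashed link, and not just a smashed size field, show up on the next malloc query.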
Syntax: modules [process-ID]
Displays a list of modules loaded into the specified process. Defaults to the
current process if no ID is given. For each module in the process's module
table (a user DLL, or a kernel driver/KLL for the kernel process), the
debugger displays:
- image file name
- base address
- image length
Code listing 4: modules Command Output
> mod 0
Name                      Base     Length
/System/Boot/kernel.exe   c0000000 01000000
/System/Boot/tty.drv      80110000 00008000
/System/Boot/keyboard.drv 80090000 00005000
/System/Boot/fdc.drv      80070000 00005000
/System/Boot/ata.drv      80030000 00007000
/System/Boot/fat.drv      80050000 00005000
/System/Boot/ext2.drv     800e0000 00004000
/System/Boot/pci.drv      80080000 00003000
/System/Boot/rtl8139.drv  80160000 00006000
Syntax: processes
Displays a list of processes. For each process, the debugger displays:
- process ID
- image file name
Code listing 5: processes Command Output
> proc
0 kernel
1 /System/Boot/shell.exe
Syntax: shutdown [reboot]
Reboots the system or turns the power off. shutdown reboot reboots the
system; shutdown (with no parameter) attempts to shut down the system
power using APM, if supported.
Syntax: symbol address
Looks up an address in the symbol tables of the current process and displays
its name, if possible.
Note: The symbol command only works for symbols in the COFF
format. At the time of writing, the -gcoff flag to the Cygwin
gcc compiler is broken.
Code listing 6: symbol Command Output
> symbol c0001234
_KernelCpuMeter
Syntax: threads [process-ID]
Displays a list of threads running in the specified process. Lists all
threads in the system if no ID is given. For each thread, the debugger
displays:
- image file name of the thread's process
- thread ID
- for protected mode threads: current EIP
- for V86 mode threads: current CS:IP
The EIP column can be matched against the modules listing to see which image
a kernel thread is executing in: in listing 7, threads 2 and 3 are at
80161f4c, which lies in the 80160000-80166000 range that listing 4 shows for
rtl8139.drv.
Code listing 7: threads Command Output
> thr
Listing all threads:
kernel                 0 c0016c38
kernel                 2 80161f4c
kernel                 3 80161f4c
/System/Boot/shell.exe 4 0060112b
kernel                 5 c00010ce
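The threads listing gives each thread's EIP and the modules listing gives each image's base and length, so the two can be joined to tell which driver a kernel thread is running in. The C program below is an added example, not Möbius code: it parses the mod 0 and thr output from code listings 4 and 7 (embedded verbatim as sample input), attributes each EIP to a module and an offset within it, and reports a miss rather than guessing when an EIP is outside every listed module, as the shell thread's user-mode EIP is. The function names, the struct and the column layout it assumes are this example's own.

```c
/* Added example, not Möbius code: join the thr and mod listings to see which
 * module each thread's EIP falls in. Names and parsing layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { char name[64]; uint32_t base, length; } module_t;

/* Copy the next line of *p (without the newline) into buf and advance *p.
 * Returns 0 once the input is exhausted. */
static int next_line(const char **p, char *buf, size_t bufsz)
{
    if (**p == '\0') return 0;
    const char *nl = strchr(*p, '\n');
    size_t len = nl ? (size_t)(nl - *p) : strlen(*p);
    if (len >= bufsz) len = bufsz - 1;
    memcpy(buf, *p, len);
    buf[len] = '\0';
    *p = nl ? nl + 1 : *p + strlen(*p);
    return 1;
}

/* Parse "<name> <base-hex> <length-hex>" lines of a mod listing into out[].
 * The "Name Base Length" header fails the three-field scan and is skipped. */
int parse_modules(const char *listing, module_t *out, int max)
{
    char line[128], name[64];
    unsigned base, length;
    int n = 0;
    while (n < max && next_line(&listing, line, sizeof line))
        if (sscanf(line, "%63s %x %x", name, &base, &length) == 3) {
            strcpy(out[n].name, name);
            out[n].base = base;
            out[n].length = length;
            n++;
        }
    return n;
}

/* Return the module whose [base, base + length) range contains addr, or NULL;
 * on success *offset receives addr - base. */
const module_t *resolve(const module_t *mods, int n, uint32_t addr, uint32_t *offset)
{
    for (int i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].length) {
            *offset = addr - mods[i].base;
            return &mods[i];
        }
    return NULL;
}

/* Walk "<image> <thread-ID> <EIP>" lines of a thr listing, print each thread's
 * attribution and return how many EIPs fell inside a listed module. */
int attribute_threads(const char *listing, const module_t *mods, int n)
{
    char line[128], image[64];
    int tid, resolved = 0;
    unsigned eip;
    while (next_line(&listing, line, sizeof line)) {
        if (sscanf(line, "%63s %d %x", image, &tid, &eip) != 3) continue;
        uint32_t off;
        const module_t *m = resolve(mods, n, eip, &off);
        if (m != NULL) {
            printf("%-24s thread %d  EIP %08x -> %s+0x%x\n", image, tid, eip, m->name, off);
            resolved++;
        } else  /* e.g. a user-mode EIP, which is not in the kernel's module list */
            printf("%-24s thread %d  EIP %08x -> not in this module list\n", image, tid, eip);
    }
    return resolved;
}

/* Sample input: the mod 0 and thr output from code listings 4 and 7. */
static const char MODULES_LISTING[] =
    "Name Base Length\n"
    "/System/Boot/kernel.exe c0000000 01000000\n"
    "/System/Boot/tty.drv 80110000 00008000\n"
    "/System/Boot/keyboard.drv 80090000 00005000\n"
    "/System/Boot/fdc.drv 80070000 00005000\n"
    "/System/Boot/ata.drv 80030000 00007000\n"
    "/System/Boot/fat.drv 80050000 00005000\n"
    "/System/Boot/ext2.drv 800e0000 00004000\n"
    "/System/Boot/pci.drv 80080000 00003000\n"
    "/System/Boot/rtl8139.drv 80160000 00006000\n";
static const char THREADS_LISTING[] =
    "Listing all threads:\n"
    "kernel 0 c0016c38\n"
    "kernel 2 80161f4c\n"
    "kernel 3 80161f4c\n"
    "/System/Boot/shell.exe 4 0060112b\n"
    "kernel 5 c00010ce\n";

int main(void)
{
    module_t mods[16];
    int n = parse_modules(MODULES_LISTING, mods, 16);
    int resolved = attribute_threads(THREADS_LISTING, mods, n);
    printf("%d of the listed threads are inside a known module\n", resolved);
    return 0;
}
```

To use it on a live session, paste the mod output for the process in question and the thr output into the two strings; the module list of process 0 only covers kernel-space images, so threads of a user process need that process's own mod listing to resolve their EIPs.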
Syntax: vmm [process-ID]
Displays a list of virtual memory areas for the specified process. Defaults
to the current process if no ID is given. For each VMM area, the debugger
displays:
- vm_area_t structure pointer
- start address
- end address
- area type; one of:
  - VM_AREA_EMPTY
  - VM_AREA_NORMAL
  - VM_AREA_MAP
  - VM_AREA_SHARED
  - VM_AREA_FILE
  - VM_AREA_IMAGE
The debugger also displays the amount of free memory in the low-memory and
all-memory pools, in kilobytes.
Code listing 8: vmm Command Output
> vmm 0
Low memory: 616KB
All memory: 95764KB
Block    Start    End      Type
e0000028 00001000 80030000 VM_AREA_EMPTY
e00018b8 80030000 80037000 VM_AREA_IMAGE
e0001928 80037000 80050000 VM_AREA_EMPTY
e0009758 80050000 80055000 VM_AREA_IMAGE
e00097c8 80055000 80070000 VM_AREA_EMPTY
e0001460 80070000 80075000 VM_AREA_IMAGE
e00014d0 80075000 80080000 VM_AREA_EMPTY
e000af48 80080000 80083000 VM_AREA_IMAGE
e0028708 80083000 80090000 VM_AREA_EMPTY
e0000f80 80090000 80095000 VM_AREA_IMAGE
e0000ff0 80095000 800a0000 VM_AREA_EMPTY
e000aaf8 800a0000 800a5000 VM_AREA_IMAGE
e000ab68 800a5000 800e0000 VM_AREA_EMPTY
e0009fb8 800e0000 800e4000 VM_AREA_IMAGE
e000a028 800e4000 80110000 VM_AREA_EMPTY
e0000740 80110000 80118000 VM_AREA_IMAGE
e00007b0 80118000 80160000 VM_AREA_EMPTY
e0028e78 80160000 80166000 VM_AREA_IMAGE
e0028ee8 80166000 bfc00000 VM_AREA_EMPTY