Generally speaking, the display memory subcommands allow read or write access in virtual or real mode, taking an effective address or a real address as input:
The d (display bytes), dw (display words) and dd (display double words) subcommands may be used to dump memory areas; the specified address is an effective address. Access is done in real mode.
The dp (display bytes), dpw (display words) and dpd (display double words) subcommands may be used to dump memory areas; the specified address is a real address.
The count argument is in hexadecimal for the display subcommands, so a count of 10 bytes is one line and a count of 10 words is 4 lines. To display from symbol to symbol+0080, the subcommand is d symbol 80 or dw symbol 20.
The default count is one line, and <CR/LF> continues the display.
KDB(0)> d utsname 40                         print utsname byte per byte
utsname+000000: 4149 5820 0000 0000 0000 0000 0000 0000  AIX.............
utsname+000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
utsname+000020: 3030 3030 3030 3030 4130 3030 0000 0000  00000000A000....
utsname+000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
KDB(0)> <CR/LF>                              repeat last command
utsname+000040: 3100 0000 0000 0000 0000 0000 0000 0000  1...............
utsname+000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
utsname+000060: 3400 0000 0000 0000 0000 0000 0000 0000  4...............
utsname+000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
KDB(0)> <CR/LF>                              repeat last command
utsname+000080: 3030 3030 3030 3030 4130 3030 0000 0000  00000000A000....
utsname+000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
xutsname+000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
devcnt+000000: 0000 0100 0000 0000 0001 239C 0001 23A8  ..........#...#.
KDB(0)> dw utsname 10                        print utsname word per word
utsname+000000: 41495820 00000000 00000000 00000000  AIX.............
utsname+000010: 00000000 00000000 00000000 00000000  ................
utsname+000020: 30303030 30303030 41303030 00000000  00000000A000....
utsname+000030: 00000000 00000000 00000000 00000000  ................
KDB(0)> tr utsname                           find utsname physical address
Physical Address = 00027E98
KDB(0)> dp 00027E98 40                       print utsname using physical address
00027E98: 4149 5820 0000 0000 0000 0000 0000 0000  AIX.............
00027EA8: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00027EB8: 3030 3030 3030 3030 4130 3030 0000 0000  00000000A000....
00027EC8: 0000 0000 0000 0000 0000 0000 0000 0000  ................
KDB(0)> dpw 00027E98                         print utsname using physical address
00027E98: 41495820 00000000 00000000 00000000  AIX.............
KDB(0)>
The display code subcommands may be used to decode instructions.
Breakpoints are not shown; KDB prints the real instruction.
KDB(0)> set 4                      set toggle for Power PC syntax
power_pc_syntax is true
KDB(0)> dc resume_pc 10            prints 10 instructions
.resume_pc+000000  lbz    r0,3454(0)                 3454=Trconflag
.resume_pc+000004  mfsprg r15,0
.resume_pc+000008  cmpi   cr0,r0,0
.resume_pc+00000C  lwz    toc,4208(0)                toc=TOC,4208=g_toc
.resume_pc+000010  lwz    r30,4C(r15)
.resume_pc+000014  lwz    r14,40(r15)
.resume_pc+000018  lwz    r31,8(r30)
.resume_pc+00001C  bne-   cr0.eq,<.resume_pc+0001BC>
.resume_pc+000020  lha    r28,2(r30)
.resume_pc+000024  lwz    r29,0(r14)
KDB(0)> dc mttb 5                  prints mttb function
.mttb+000000  li    r0,0
.mttb+000004  mttbl X r0                  X shows that these instructions
.mttb+000008  mttbu X r3                  are not supported by the current architecture
.mttb+00000C  mttbl X r4                  POWER PC 601 processor
.mttb+000010  blr
KDB(0)> set 4                      set toggle for Power RS syntax
power_pc_syntax is false
KDB(0)> dc resume_pc 10            prints 10 instructions
.resume_pc+000000  lbz    r0,3454(0)                 3454=Trconflag
.resume_pc+000004  mfspr  r15,110
.resume_pc+000008  cmpi   cr0,r0,0
.resume_pc+00000C  l      toc,4208(0)                toc=TOC,4208=g_toc
.resume_pc+000010  l      r30,4C(r15)
.resume_pc+000014  l      r14,40(r15)
.resume_pc+000018  l      r31,8(r30)
.resume_pc+00001C  bne    cr0.eq,<.resume_pc+0001BC>
.resume_pc+000020  lha    r28,2(r30)
.resume_pc+000024  l      r29,0(r14)
KDB(4)> dc scdisk_pm_handler
.scdisk_pm_handler+000000  stmw  r26,FFFFFFE8(stkp)
KDB(4)> tr scdisk_pm_handler
Physical Address = 1D7CA1C0
KDB(4)> dpc 1D7CA1C0
1D7CA1C0  stmw  r26,FFFFFFE8(stkp)
The display registers subcommand may be used to display general purpose, segment or special registers. The current context is used to find the values: after switching from the current thread to another one, KDB shows the registers of the new one.
For BAT registers, the dbat and ibat subcommands must be used.
KDB(0)> dr ?                                print usage
is not a valid register name
Usage: dr [sp|sr|gp|fp|<reg. name>]
sp reg. name: iar msr cr lr ctr xer mq tid asr
............. dsisr dar dec sdr0 sdr1 srr0 srr1 dabr rtcu rtcl
............. tbu tbl sprg0 sprg1 sprg2 sprg3 pir fpecr ear pvr
............. hid0 hid1 iabr dmiss imiss dcmp icmp hash1 hash2 rpa
............. buscsr l2cr l2sr mmcr0 mmcr1 pmc1 pmc2 pmc3 pmc4 pmc5
............. pmc6 pmc7 pmc8 sia sda
sr reg. name: s0 s1 s2 s3 s4 s5 s6 s7 s8 s9
............. s10 s11 s12 s13 s14 s15
gp reg. name: r0 r1 r2 r3 r4 r5 r6 r7 r8 r9
............. r10 r11 r12 r13 r14 r15 r16 r17 r18 r19
............. r20 r21 r22 r23 r24 r25 r26 r27 r28 r29
............. r30 r31
fp reg. name: f0 f1 f2 f3 f4 f5 f6 f7 f8 f9
............. f10 f11 f12 f13 f14 f15 f16 f17 f18 f19
............. f20 f21 f22 f23 f24 f25 f26 f27 f28 f29
............. f30 f31 fpscr
KDB(0)> dr                                  print general purpose registers
r0  : 00003730  r1  : 2FEDFF88  r2  : 00211B6C  r3  : 00000000
r4  : 00000003  r5  : 007FFFFF  r6  : 0002F930  r7  : 2FEAFFFC
r8  : 00000009  r9  : 20019CC8  r10 : 00000008  r11 : 00040B40
r12 : 0009B700  r13 : 2003FC60  r14 : DEADBEEF  r15 : 00000000
r16 : DEADBEEF  r17 : 2003FD28  r18 : 00000000  r19 : 20009168
r20 : 2003FD38  r21 : 2FEAFF3C  r22 : 00000001  r23 : 2003F700
r24 : 2FEE02E0  r25 : 2FEE0000  r26 : D0005454  r27 : 2A820846
r28 : E3000E00  r29 : E60008C0  r30 : 00353A6C  r31 : 00000511
KDB(0)> dr sp                               print special registers
iar   : 10001C48  msr   : 0000F030  cr    : 28202884  lr    : 100DAF18
ctr   : 100DA1D4  xer   : 00000003  mq    : 00000DF4  dsisr : 42000000
dar   : 394A8000  dec   : 007DDC00  sdr1  : 00380007  srr0  : 10001C48
srr1  : 0000F030  dabr  : 00000000  rtcu  : 2DC05E64  rtcl  : 2E993E00
sprg0 : 000A5740  sprg1 : 00000000  sprg2 : 00000000  sprg3 : 00000000
pid   : 00000000  fpecr : 00000000  ear   : 00000000  pvr   : 00010001
hid0  : 8101FBC1  hid1  : 00004000  iabr  : 00000000
KDB(0)> dr sr                               print segment registers
s0  : 60000000  s1  : 60001377  s2  : 60001BDE  s3  : 60001B7D
s4  : 6000143D  s5  : 60001F3D  s6  : 600005C9  s7  : 007FFFFF
s8  : 007FFFFF  s9  : 007FFFFF  s10 : 007FFFFF  s11 : 007FFFFF
s12 : 007FFFFF  s13 : 60000A0A  s14 : 007FFFFF  s15 : 600011D2
KDB(0)> dr fp                               print floating point registers
f0  : C027C28F5C28F5C3  f1  : 000333335999999A  f2  : 3FE3333333333333
f3  : 3FC9999999999999  f4  : 7FF0000000000000  f5  : 00100000C0000000
f6  : 4000000000000000  f7  : 000000009A068000  f8  : 7FF8000000000000
f9  : 00000000BA411000  f10 : 0000000000000000  f11 : 0000000000000000
f12 : 0000000000000000  f13 : 0000000000000000  f14 : 0000000000000000
f15 : 0000000000000000  f16 : 0000000000000000  f17 : 0000000000000000
f18 : 0000000000000000  f19 : 0000000000000000  f20 : 0000000000000000
f21 : 0000000000000000  f22 : 0000000000000000  f23 : 0000000000000000
f24 : 0000000000000000  f25 : 0000000000000000  f26 : 0000000000000000
f27 : 0000000000000000  f28 : 0000000000000000  f29 : 0000000000000000
f30 : 0000000000000000  f31 : 0000000000000000
fpscr : BA411000
KDB(0)> dr ctr                              print CTR register
ctr : 100DA1D4
100DA1D4  cmpi  cr0,r3,E7                  r3=2FEAB008
KDB(0)> dr msr                              print MSR register
msr : 0000F030
bit set: EE PR FP ME IR DR
KDB(0)> dr cr
cr : 28202884
bits set in CR0 : EQ
..............................CR1 : LT
..............................CR2 : EQ
..............................CR4 : EQ
..............................CR5 : LT
..............................CR6 : LT
..............................CR7 : GT
KDB(0)> dr xer                              print XER register
xer : 00000003
comparison byte: 0 length: 3
KDB(0)> dr iar                              print IAR register
iar : 10001C48
10001C48  stw   r12,4(stkp)                r12=28202884,4(stkp)=2FEAAFD4
KDB(0)> set 11                              enable 64 bits display on 620 machine
64_bit is true
KDB(0)> dr                                  display 620 general purpose registers
r0  : 0000000000244CF0  r1  : 0000000000259EB4  r2  : 000000000025A110
r3  : 00000000000A4B60  r4  : 0000000000000001  r5  : 0000000000000001
r6  : 00000000000000F0  r7  : 0000000000001090  r8  : 000000000018DAD0
r9  : 000000000015AB20  r10 : 000000000018D9D0  r11 : 0000000000000000
r12 : 000000000023F05C  r13 : 00000000000001C8  r14 : 00000000000000BC
r15 : 0000000000000040  r16 : 0000000000000040  r17 : 00000000080300F0
r18 : 0000000000000000  r19 : 0000000000000000  r20 : 0000000000225A48
r21 : 0000000001FF3E00  r22 : 00000000002259D0  r23 : 000000000025A12C
r24 : 0000000000000001  r25 : 0000000000000001  r26 : 0000000001FF42E0
r27 : 0000000000000000  r28 : 0000000001FF4A64  r29 : 0000000001FF4000
r30 : 00000000000034CC  r31 : 0000000001FF4A64
KDB(0)> dr sp                               display 620 special registers
iar    : 000000000023F288  msr    : 0000000000021080
cr     : 42000440          lr     : 0000000000245738
ctr    : 0000000000000000  xer    : 00000000
mq     : 00000000          asr    : 0000000000000000
dsisr  : 42000000          dar    : 00000000000000EC
dec    : C3528E2F          sdr1   : 01EC0000
srr0   : 000000000023F288  srr1   : 0000000000021080
dabr   : 0000000000000000  tbu    : 00000002
tbl    : AF33287B          sprg0  : 00000000000A4C00
sprg1  : 0000000000000040  sprg2  : 0000000000000000
sprg3  : 0000000000000000  pir    : 0000000000000000
ear    : 00000000          pvr    : 00140201
hid0   : 7001C080          iabr   : 0000000000000000
buscsr : 00000000008DC800  l2cr   : 000000000000421A
l2sr   : 0000000000000000  mmcr0  : 00000000
pmc1   : 00000000          pmc2   : 00000000
sia    : 0000000000000000  sda    : 0000000000000000
KDB(0)>
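The "dr msr" and "dr cr" lines above show KDB naming the bits that are set rather than printing a raw word. The following is an added example, not KDB code, that reproduces that decoding for the 32-bit register values shown in the session; the MSR bit table is an assumption limited to the common 32-bit PowerPC bits (IBM numbering, bit 0 being the most significant).

```python
# Added example (not part of the KDB documentation): decode a 32-bit MSR and CR
# the way "dr msr" and "dr cr" print them.

# MSR bit names indexed by IBM bit number (0 = most significant bit of the word).
# Assumption: only the common 32-bit PowerPC bits are listed here.
MSR_BITS = {
    13: "POW", 16: "EE", 17: "PR", 18: "FP", 19: "ME", 20: "FE0",
    21: "SE", 22: "BE", 23: "FE1", 25: "IP", 26: "IR", 27: "DR",
    30: "RI", 31: "LE",
}

def decode_msr(msr):
    """Return the names of the MSR bits that are set, in bit order."""
    names = []
    for bit in sorted(MSR_BITS):
        # IBM bit n of a 32-bit register corresponds to mask 1 << (31 - n).
        if msr & (1 << (31 - bit)):
            names.append(MSR_BITS[bit])
    return names

CR_FLAGS = ("LT", "GT", "EQ", "SO")   # the four bits of each CR field, MSB first

def decode_cr(cr):
    """Map each CR field (CR0..CR7) to the flags set in it; empty fields are omitted,
    which is why CR3 does not appear for the value 28202884."""
    fields = {}
    for i in range(8):
        nibble = (cr >> (28 - 4 * i)) & 0xF   # CR0 is the most significant nibble
        flags = [CR_FLAGS[b] for b in range(4) if nibble & (8 >> b)]
        if flags:
            fields["CR%d" % i] = flags
    return fields

if __name__ == "__main__":
    # Values taken from the "dr sp" output above.
    print("msr bits set:", " ".join(decode_msr(0x0000F030)))
    for field, flags in decode_cr(0x28202884).items():
        print("%s : %s" % (field, " ".join(flags)))
```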
Note: This subcommand is only available within the kdb command; it is not included in the KDB Kernel Debugger.
IO space memory (Direct Store Segment, T=1) cannot be accessed when translation is disabled (see the Storage model in the POWER PC Operating Environment Architecture, book III). A BAT mapped area must also be accessed with translation enabled, otherwise the cache controls are ignored.
Access can be done in bytes, half words, words or double words.
Address can be an effective address or a real address.
Four special subcommands, ddvb, ddvh, ddvw and ddvd, may be used to access these areas in translated mode, given an effective address that is already mapped. On a 64-bit machine, correctly aligned double words are accessed (ddvd) with a single load (ld) instruction.
Four special subcommands, ddpb, ddph, ddpw and ddpd, may be used to access these areas in translated mode, given a physical address that KDB will map. On a 64-bit machine, correctly aligned double words are accessed (ddpd) with a single load (ld) instruction. The DBAT interface is used to translate this address in cache inhibited mode (POWER PC only).
WARNING: The effective address interface (ddv.) assumes that the mapping to the real address is currently valid; no check is done by KDB. The real address interface (ddp.) can be used to let KDB do the mapping (attach and detach).
KDB(0)> tr fff19610                    show current mapping
BAT mapping for FFF19610
DBAT0 FFC0003A FFC0005F
bepi 7FE0 brpn 7FE0 bl 001F v 1 wim 3 ks 1 kp 0 pp 2 s 0
eaddr = FFC00000, paddr = FFC00000 size = 4096 KBytes
KDB(0)> ddvb fff19610 10               print 10 bytes using data relocate mode enable
FFF19610: 0041 96B0 6666 CEEA 0041 A0B0 0041 AAB0  .A..ff...A...A..
KDB(0)> ddvw fff19610 4                print 4 words using data relocate mode enable
FFF19610: 004196B0 76763346 0041A0B0 0041AAB0
KDB(0)>
KDB(0)> ddpw 80000cfc                  print one word at physical address 80000cfc
80000CFC: D0000080
Read is done in relocated mode, cache inhibited
KDB(0)>
The search in memory subcommands may be used to search for a specific pattern in memory.
Usage: find -s effective_address string [delta]
       find effective_address pattern [mask [delta]]
Usage: findp -s physical_address string [delta]
       findp physical_address pattern [mask [delta]]
string is one to 256 characters.
pattern is a 32-bit word.
mask is the mask applied to the pattern.
delta is the address increment; the default is one character with -s, otherwise one word.
KDB(0)> tpid                                 print current thread
SLOT NAME STATE TID PRI CPUID CPU FLAGS WCHAN
thread+002F40 63*nfsd RUN 03F8F 03C 000 00000000
KDB(0)> find lock_pinned 03F8F 00ffffff 20   search TID in the lock area
                                             compare only 24 low bits, on cache
                                             aligned addresses (delta 0x20)
lock_pinned+00D760: 00003F8F 00000000 00000005 00000000
KDB(0)> <CR/LF>                              repeat last command
Invalid address E800F000, skip to (^C to interrupt) ............... E8800000
Invalid address E8840000, skip to (^C to interrupt) ............... E9000000
Invalid address E9012000, skip to (^C to interrupt) ............... F0000000
KDB(0)> findp 0 E819D200                     search in physical memory
00F97C7C: E819D200 00000000 00000000 00000000
KDB(0)> <CR/LF>                              repeat last command
05C4FB18: E819D200 00000000 00000000 00000000
KDB(0)> <CR/LF>                              repeat last command
0F7550F0: E819D200 00000000 E60009C0 00000000
KDB(0)> <CR/LF>                              repeat last command
0F927EE8: E819D200 00000000 05E62D28 00000000
KDB(0)> <CR/LF>                              repeat last command
0FAE16E8: E819D200 00000000 05D3B528 00000000
KDB(0)> <CR/LF>                              repeat last command
kdb_get_real_memory: Out of range address 1FFFFFFF
KDB(0)>
The -s option can be used to enter a string of characters. The '.' character matches any character.
KDB(0)> find -s 01A86260 pse                 search "pse" in pse text code
01A86ED4: 7073 655F 6B64 6200 8062 0518 8063 0000  pse_kdb..b...c..
KDB(0)> <CR/LF>                              repeat last command
01A92952: 7073 6562 7566 6361 6C6C 735F 696E 6974  psebufcalls_init
KDB(0)> <CR/LF>                              repeat last command
01A939AE: 7073 655F 6275 6663 616C 6C00 0000 BF81  pse_bufcall.....
KDB(0)> <CR/LF>                              repeat last command
01A94F5A: 7073 655F 7265 766F 6B65 BEA1 FFD4 7D80  pse_revoke....}.
KDB(0)> <CR/LF>                              repeat last command
01A9547E: 7073 655F 7365 6C65 6374 BE41 FFC8 7D80  pse_select.A..}.
KDB(0)> find -s 01A86260 pse_....._thread    how to use '.'
01A9F586: 7073 655F 626C 6F63 6B5F 7468 7265 6164  pse_block_thread
KDB(0)> <CR/LF>                              repeat last command
01A9F6EA: 7073 655F 736C 6565 705F 7468 7265 6164  pse_sleep_thread
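The two matching rules used above (a 32-bit word compared under a mask at delta-spaced addresses, and a string in which '.' matches any byte) are shown below as an added example, not KDB code, run over a constructed memory image; the base address and the contents of the image are made up, and the TID in the low 24 bits mirrors the lock_pinned search in the session.

```python
import struct

# Added example (not part of the KDB documentation): the matching rules of
# "find pattern [mask [delta]]" and "find -s string [delta]" on a constructed image.
BASE = 0x01A86260          # hypothetical start address of the image (assumption)

def find_word(mem, base, pattern, mask=0xFFFFFFFF, delta=4):
    """Yield addresses where (word & mask) == (pattern & mask), stepping by delta.
    Words are big-endian 32-bit, as on PowerPC; delta defaults to one word."""
    for off in range(0, len(mem) - 3, delta):
        (word,) = struct.unpack_from(">I", mem, off)
        if (word & mask) == (pattern & mask):
            yield base + off

def find_string(mem, base, pat, delta=1):
    """Yield addresses where the bytes match pat, with '.' matching any single byte;
    delta defaults to one character."""
    pat = pat.encode()
    for off in range(0, len(mem) - len(pat) + 1, delta):
        window = mem[off:off + len(pat)]
        if all(p == ord(".") or p == m for p, m in zip(pat, window)):
            yield base + off

def build_image():
    """Constructed 256-byte image: two copies of a TID (3F8F) in the low 24 bits of a
    word, only one of them on a 0x20-aligned address, plus a few pse_ strings."""
    mem = bytearray(0x100)
    struct.pack_into(">I", mem, 0x24, 0x12003F8F)   # not on a cache-line boundary
    struct.pack_into(">I", mem, 0x40, 0x00003F8F)   # on a cache-line boundary
    mem[0x60:0x68] = b"pse_kdb\0"
    mem[0x80:0x90] = b"pse_block_thread"
    mem[0xA0:0xB0] = b"pse_sleep_thread"
    mem[0xC0:0xD0] = b"psebufcalls_init"
    return bytes(mem)

if __name__ == "__main__":
    img = build_image()
    # Like "find lock_pinned 03F8F 00ffffff 20": only the aligned copy is reported.
    print([hex(a) for a in find_word(img, BASE, 0x03F8F, 0x00FFFFFF, 0x20)])
    # Like "find -s 01A86260 pse_....._thread": the '.' wildcard selects two names.
    print([hex(a) for a in find_string(img, BASE, "pse_....._thread")])
```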
The extract from memory subcommands may be used to extract a specific zone from memory.
ext displays the requested number of words at the start address, then the same number of words at address = address + delta, and repeats this until 'count' loops are done.
extp displays the requested number of words at the start address, then the same number of words at address = *(address + delta), and repeats this until 'count' loops are done.
Usage: ext effective_address delta [size [count]]
       ext -p effective_address delta [size [count]]
Usage: extp physical_address delta [size [count]]
       extp -p physical_address delta [size [count]]
delta is the address increment or the offset of the next address.
size is how many words to print, default one line.
count is how many extractions to do, default one.
(0)> ext thread+7c 0000C0 1 20               extract scheduler information from threads
thread+00007C: 00021001  ....
thread+00013C: 00024800  ..H.
thread+0001FC: 00007F01  ....
thread+0002BC: 00017F01  ....
thread+00037C: 00027F01  ....
thread+00043C: 00037F01  ....
thread+0004FC: 00021001  ....
thread+0005BC: 00012402  ..$.
thread+00067C: 00002502  ..%.
thread+00073C: 00002502  ..%.
thread+0007FC: 00002502  ..%.
thread+0008BC: 00032502  ..%.
thread+00097C: 00002502  ..%.
thread+000A3C: 00033C00  ..<.
...
KDB(0)> extp 0 4000000 4 100                 extract memory using real address
00000000: 00000000 00000000 00000000 00000000  ................
04000000: 00004001 00000000 00000000 00000000  ..@.............
08000000: 00008001 00000000 00000000 00000000  ................
0C000000: D0071128 F010EA08 F010EA68 F010F028  ...(.......h...(
10000000: 00000000 00000000 00000000 00000000  ................
14000000: 746C2E63 2C206C69 62636673 2C20626F  tl.c, libcfs, bo
18000000: 20005924 0000031D 20001B04 20005924  .Y$.... ... .Y$
1C000000: 000C000D 000E000F 00100011 00120013  ................
20000000: kdb_get_real_memory: Out of range address 20000000
The -p option specifies that delta is the offset of the field giving the next address. A linked list can be printed this way.
(0)> ext -p proc+500 14 8 10                 print siblings of a process
proc+000500: 07000000 00000303 00000000 00000000  ................
proc+000510: 00000000 E3000400 E3000500 00000000  ................
proc+000400: 07000000 00000303 00000000 00000000  ................
proc+000410: 00000000 E3000300 E3000400 00000000  ................
proc+000300: 07000000 00000303 00000000 00000000  ................
proc+000310: 00000000 E3000200 E3000300 00000000  ................
proc+000200: 07000000 00000303 00000000 00000000  ................
proc+000210: 00000000 00000000 E3000200 00000000  ................
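The two walking rules of ext (address + delta, and with -p the word found at address + delta) are shown below as an added example that is not KDB code: it runs over a constructed memory image whose proc table address, sibling offset 0x14 and link values are made up to mirror the chain printed above, and it stops, as the session does, on a NULL link or on memory that is not mapped.

```python
import struct

# Added example (not part of the KDB documentation): "ext" and "ext -p" walking
# rules over a constructed memory image held as {base_address: bytes}.

def read_words(mem, addr, nwords):
    """Read nwords big-endian 32-bit words at addr, or None if addr is not mapped."""
    for base, data in mem.items():
        off = addr - base
        if 0 <= off and off + 4 * nwords <= len(data):
            return list(struct.unpack_from(">%dI" % nwords, data, off))
    return None

def ext(mem, addr, delta, size=1, count=1, pointer=False):
    """Return [(addr, words)] as ext prints them: step addr by delta, or, with
    pointer=True (the -p option), follow the word stored at addr + delta.
    Stops early on a NULL link or when the address is not mapped."""
    out = []
    for _ in range(count):
        words = read_words(mem, addr, size)
        if words is None:
            break
        out.append((addr, words))
        if pointer:
            link = read_words(mem, addr + delta, 1)
            if not link or link[0] == 0:
                break
            addr = link[0]
        else:
            addr += delta
    return out

PROC = 0xE3000000   # hypothetical address of the proc table (assumption)

def build_image():
    """Constructed proc table: four entries linked through a pointer at offset 0x14,
    the last one holding a NULL link, as in the session above."""
    img = bytearray(0x600)
    for slot, nxt in ((0x500, 0xE3000400), (0x400, 0xE3000300),
                      (0x300, 0xE3000200), (0x200, 0)):
        struct.pack_into(">I", img, slot, 0x07000000)
        struct.pack_into(">I", img, slot + 0x14, nxt)   # sibling link at offset 0x14
    return {PROC: bytes(img)}

if __name__ == "__main__":
    # Like "ext -p proc+500 14 8 10": four entries, then the NULL link ends the walk.
    for addr, words in ext(build_image(), PROC + 0x500, 0x14, 8, 0x10, pointer=True):
        print("%08X: %s" % (addr, " ".join("%08X" % w for w in words)))
```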