DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH
 

crash(ADM)


crash -- examine a live system or saved system images

Syntax

/etc/crash [ -d dump ] [ -D level ] [ -H server | -m ] [ -i ] [ -m ] [ -n namelist ] [ -p prompt ] [ -r ] [ -w file ]

Description

An experienced system administrator can use crash to examine the system memory image of a live or crashed system by formatting and printing control structures, tables, and other information.

crash accepts the following command line options:


-d dump
Defines dump as the file containing the system memory image, also referred to as a panic dump. The default dump file is /dev/mem. If the dump file contains a namelist (as is the case for dump files generated by sysdump(ADM)), it will be used automatically, unless overridden by the -n namelist option.

-D level
Specifies the debug level. level is an integer, where ``0'' specifies no debugging and values of ``1'', ``2'', and ``3'' turn on increasing levels of verbosity during certain operations.

-H server
Specifies a remote server's kernel and memory image. This option works using the utsinfo TCP/IP service that is part of the SCO POS Toolkit. This option cannot be used with the -m option.

-i
Specifies interactive mode. Prompts are printed even if stdin is not a tty device.

-m
Uses mmap(S) with MAP_KVMEM to map kernel memory tino crash address space, instead of lseek(S) and read(S) calls. This option cannot be used with the -H option.

-n namelist
Defines namelist as the program file that contains the symbol table information needed for access to the system memory image to be examined. If a system image from another machine is to be examined, the corresponding program file must be copied from that machine. The default namelist is /unix.

-p prompt
Sets the prompt to ``prompt'' instead of the default ``>'' character. Also turns on interactive mode.

-r
Directs the od command to dump output in raw form.

-w file
Directs the output from a crash session to file. The default file is the standard output.

Interacting with crash

crash is an interactive command with a large set of commands for examining a system image.

Input lines to crash take the form:

command [ argument ... ]

command is one of the crash commands described in the ``Commands available in crash'' section. arguments are qualifying data that indicate which items of the system image are to be printed.

Aliases for commands may be any uniquely identifiable initial substring of the command name. Traditional aliases of one letter, such as ``p'' for proc, remain valid.

Sending output to a file or command

You can send output to a file using the redirection operators ``>'' and ``>>'' in the same way as they are used in the Korn, C, or Bourne shells:

command [ argument ... ] >> file

The ``>>'' operator appends output to a file if it already exists. The ``>'' operator overwrites a file with its output and removes any existing contents.

Similarly, the pipe operator ``|'' allows external commands to filter the output from crash:

command [ argument ... ] | command ...

For example, mount | grep rw writes all mount table entries with an rw flag to the standard output. You can also copy the output to a file by piping the output through tee(C):

mount | tee raw_mount.op | grep rw

Default system objects

The default process for a running system is the current process. For a crashed system, the default process is the one that was executing at the time of the crash.

If the contents of a table are being dumped, all active entries are selected by default.

Evaluation of expressions

Many crash commands accept expressions as arguments. crash provides most of the operators that exist in the C programming language with the exception of the logical operators !, <, <=, ==, !=, >, or >=, and some unary operators such as &, ++, and --.

The operators provided have precedence and associativity similar to C. An additional binary operator # is provided; for example, a#b rounds a up to the next nearest multiple of b. (This operator also exists in adb(CP).)

The following table shows the available operators and their associativity in decreasing order of precedence:

Operator Associativity Description
- ~ * () right to left unary operators
* / % # left to right binary operators
+ - left to right
<< >> left to right
& left to right
^ left to right
| left to right
= += -= *= /= #= %= &= |= ^= >>= <<= right to left assignment operators

 +-------------------+---------------+----------------------+
 |Operator           | Associativity | Description          |
 +-------------------+---------------+----------------------+
 |-  ~  *  ()        | right to left | unary operators      |
 +-------------------+---------------+----------------------+
 |*  /  %  #         | left to right | binary operators     |
 +-------------------+---------------+----------------------+
 |+  -               | left to right |                      |
 +-------------------+---------------+----------------------+
 |<<  >>             | left to right |                      |
 +-------------------+---------------+----------------------+
 |&                  | left to right |                      |
 +-------------------+---------------+----------------------+
 |^                  | left to right |                      |
 +-------------------+---------------+----------------------+
 ||                  | left to right |                      |
 +-------------------+---------------+----------------------+
 |=  +=  -=  *=  /=  | right to left | assignment operators |
 |#=  %=  &=  |=  ^= |               |                      |
 |>>=  <<=           |               |                      |
 +-------------------+---------------+----------------------+

Identifiers (symbols) are always treated as pointers except for the od command. To de-reference the pointer and obtain the value stored at that address, you must apply the * unary operator. This operator always returns a long word value. For example, *foo is evaluated as the long word stored at the address referenced by foo. If you use the od command to print the value stored at an address, the de-reference is implicit.

crash does not discard static symbols. Unless they are ambiguous (more than one of the same name), they can be used in any expression. An extern is always preferred over a static with the same name.

No scaling is done; for example, address-1 is not the address of the object preceding address but the address of the byte preceding address.

Commands that return table information accept a table entry number (a slot) or a range of table entries. Commands make a heuristic choice if it is ambiguous whether an expression refers to a slot or an address. To force crash to interpret an expression as an address, prefix the expression with ``@''. The prefix ``='' forces interpretation as a slot number.

A range of table slots, a through b, is specified as a..b. The alternative syntax a-b, provided for historical compatibility, can also be used, though it may be interpreted as a subtraction of address b from address a.

crash provides 26 local variables (accumulators) represented by ``$a'' through ``$z''. The following read-only accumulators hold useful values:


$$
value of the most recently evaluated expression

$A
set to 1 if an active system is being examined; set to 0 otherwise

$C
number of active CPUs in addition to the base processor

$P
number of the slot for the current process

$U
size of the u-area excluding the Task State Segment (TSS)
Accumulator names are always prefixed by ``$''.

A limitation of the parser is that an expression that includes spaces must be enclosed in parentheses ().

Specifying a radix

Depending on the context in which a command is used, numeric arguments that do not specify the radix are assumed to be hexadecimal for addresses, and decimal for counts and table slots. A table slot number larger than the size of the table will not be interpreted correctly. You can use findslot to translate from an address to a table slot number.

The following C prefixes for designating the bases of numbers are recognized:


0
octal

0b
binary

0d

0t
decimal

0x
hexadecimal

Commands available in crash

The commands available in crash may be grouped according to their purpose and the kernel structures they examine:

Abbreviated commands

The short form of the command name listed for each command can be obtained by omitting the characters within the square brackets. For example, h is the short form of h[elp].

Abbreviated arguments to crash

Three abbreviated arguments to crash commands are used throughout:

process
Processes may be identified by their slot numbers in the process table, or by their process ID number prefixed by a ``#'' (for example, #3091). A ``#'' on its own specifies the currently defined process.

table_entry
Table entries are identified by their slot number, a range of slot numbers, or a mixture of these (for example, 2 4 6..8)

start_addr
A start address is expressed as a numeric value, a symbol, or an expression (for example, symbol+offset)

Common command options

The following command options are available to crash commands wherever valid.

-e
Display every entry in a table.

-f
Display the full structure.

-p
Interpret all address arguments in the command line as physical addresses. If they are not physical addresses, the output results will be meaningless.

-s process
Specify a process other than the default. The process may be specified by its slot in the process table, or its process ID (as reported by ps(C) or the proc command, for example) prefixed by a ``#''. A ``#'' on its own specifies the currently defined process.

-w file
Redirect the output of a command to file. This is an alternative to using the redirection operator ``>>''. All crash commands accept the -w option except plock and quit.
The commands mode, defproc, and redirect correspond to the command options -p, -s, and -w. They affect all subsequent output until reset.

The -w file option has been omitted from the command syntax for clarity.

General purpose commands


?
List all available commands.

!command
Escape to the shell to execute command.

bas[e] expression ...

ev[al] expression ...
Evaluate an expression in each of the following formats:

 
The hexadecimal, decimal, unsigned decimal, and octal formats display each expression as one long word, two short words (least significant first), and four bytes (least significant first).

Note that you must de-reference an address in order to display the value at that address. For example, eval runrun displays the address associated with runrun; eval *runrun displays the value of runrun. If you use the od command, the de-reference is implicit; od runrun displays the value of runrun.


cu[rproc] [ -c | process ]

de[fproc] [ -c | process ]
Set the value of the process slot argument. If no argument is entered, the value of the previously set slot number is printed. The current process at the start of a crash session is the value of the kernel variable curproc found from the dump file; the -c option reselects this process.

ds virtual_addr ...
Print the data symbol whose address is closest to, but not greater than, the virtual address entered.

di[s] [ -a ] start_addr [ count ]
Disassemble from the start address for count instructions. The default count is 1. The -a option specifies non-symbolic (absolute) disassembly.

A symbol or expression may be specified for the start address. Suitable symbols are the names of routines and assembler routine labels; these are listed by the nm -e command as being of type .text.


finda[ddr] table slot
Print the address of slot in table. Only tables recognized by the size command are available to findaddr. For example, finda file 2 returns the address of slot 2 in the file table.

finds[lot] virtual_addr ...
Print the table, entry slot number, and offset for the address entered. Only tables available to the size command are available to findslot.

h[elp] command ...
Print the syntax of command, a short description, and any aliases (equivalent commands).

kmstat
Displays kernel memory allocator statistics.

mod[e] [ p | v ]
With the v argument, all address arguments are assumed to be virtual addresses, and all addresses are shown as virtual addresses.

With the p argument, all address arguments are assumed to be physical addresses, and all addresses are shown as physical addresses.

With no arguments, crash prints the current address mode; this is virtual at the start of a crash session.


n[m] symbol ... | -e
Print the address and type of symbol. The -e option prints the value and type of all symbols. The output from this command can be piped through a command such as awk, grep, sed, or sort in order to filter it. The following example would produce a sorted list of all symbols that start with the letters ``a'' or ``z'':

nm -e | grep '^[az]' | sort


o[d] [ -p ] [ format ] [ mode ] [ -s process ][ -p ] start_addr [ count ]
If crash was invoked with the -r option, all formats are ignored and the requested data is written in raw format.

rd [ -p ] [ format ] [ mode ] [ -s process ][ -p ] start_addr [ count ]
Print count symbol values beginning at the start address. The following formats may be selected:

-a
ASCII

-c
character

-d
decimal

-h
hexadecimal and character (mode not needed)

-o
octal

-x
hexadecimal

and one of the following modes:


-b
byte; default mode for character and ASCII formats

-l
long; default mode for decimal, hexadecimal, and octal formats

-t
short

If format or mode is omitted, the previous setting is used. At the start of a crash session, the format is hexadecimal and the mode is long. The default count is 1.

This example dumps the first four long words starting at virtual address 0x0:

   > od 0 4
   00000000:  0008014c   256471ed   00000000   00000000  

pagesym [ -a ] [ virtual_address ... ]
Displays the names of symbols found within the same 4K page of memory as virtual_address.

The -a option causes symbol addresses to be printed along with names.


pa[nic]
Print the most recent system notices, warnings, and panic messages from the limited circular buffer kept in memory. The most important information displayed is:

pl[ock] [ -d | -t | -u ]
Without options, plock locks the entire crash process (text, data, and stack segments) in memory. The -d option locks its data and stack segments, and -t locks its text in memory. The -u option removes any locks.

q[uit]
Exit the crash session.

rd
See the description for od.

red[irect] [ -c | file ]
Used with a filename, redirects output of a crash session to file. If no argument is given, crash prints the filename to which it is redirecting output. The -c option closes the output file and redirects output to the standard output.

se[arch] [ -p ] [ -s process ] [ -m mask ] pattern start_addr length
Print long words in memory that match pattern, beginning at the start address, and ending at the start address plus length. crash performs a bitwise AND (&) of each memory word with mask, and compares the result with pattern. The default mask is 0xffffffff.

This example searches four long words from the address 0x0 for any that have the pattern ``0xed'' in their next to lowest order byte:

> od 0 4
00000000:  0008ed4c   0004014c   2c7aabae   2564ed71
> se -m 0xff00 0xed00 0 0x10
MASK = 0xff00, PATTERN = 0xed00, START = 0, LENGTH = 0x10

MATCH AT 0x0: 0x0008ed4c MATCH AT 0xc: 0x2564ed71 >


si[ze] [ -x ] [ structure ... ]
Print the size of the structure given as a name or symbol. The (-x) option prints the size in hexadecimal. If no argument is given, a list of the structure names for which sizes are available is printed.

size knows about the following structures:

Argument Name of struct Header file Reported by this
to size crash command
buf buf /usr/include/sys/buf.h buffer
datab,
dblk,
dblock,
edblock
extdatab /usr/include/sys/stream.h dblock
dtnode dtnode /usr/include/sys/fs/dtnode.h inode
eproc eproc /usr/include/sys/eproc.h eproc
file file /usr/include/sys/file.h file
filock,
flox
filock /usr/include/sys/flock.h lck
fsinfo fsinfo /usr/include/sys/conf.h fs
fstypsw fstypsw /usr/include/sys/conf.h inode
hinode hinode /usr/include/sys/inode.h inode
htinode htinode /usr/include/sys/fs/htinode.h inode
inode inode /usr/include/sys/inode.h inode
linkblk linkblk /usr/include/sys/stream.h linkblk
mblk,
mblock,
msgb
msgb /usr/include/sys/stream.h mblock
mount mount /usr/include/sys/mount.h mount
pageb,
pblock,
pblk
pageb /usr/include/sys/stream.h pblock
pfdat pfdat /usr/include/sys/pfdat.h pfdat
proc proc /usr/include/sys/proc.h proc
queue queue /usr/include/sys/stream.h queue
region region /usr/include/sys/region.h region
stdata,
streams
stdata /usr/include/sys/stream.h stream
tty tty /usr/include/sys/tty.h tty

 Argument     Name of struct   Header file                     Reported by this
 to size                                                       crash command
 buf          buf              /usr/include/sys/buf.h          buffer
 datab,       extdatab         /usr/include/sys/stream.h       dblock
 dblk,
 dblock,
 edblock
 dtnode       dtnode           /usr/include/sys/fs/dtnode.h    inode
 eproc        eproc            /usr/include/sys/eproc.h        eproc
 file         file             /usr/include/sys/file.h         file
 filock,      filock           /usr/include/sys/flock.h        lck
 flox
 fsinfo       fsinfo           /usr/include/sys/conf.h         fs
 fstypsw      fstypsw          /usr/include/sys/conf.h         inode
 hinode       hinode           /usr/include/sys/inode.h        inode
 htinode      htinode          /usr/include/sys/fs/htinode.h   inode
 inode        inode            /usr/include/sys/inode.h        inode
 linkblk      linkblk          /usr/include/sys/stream.h       linkblk
 mblk,        msgb             /usr/include/sys/stream.h       mblock
 mblock,
 msgb
 mount        mount            /usr/include/sys/mount.h        mount
 pageb,       pageb            /usr/include/sys/stream.h       pblock
 pblock,
 pblk
 pfdat        pfdat            /usr/include/sys/pfdat.h        pfdat
 proc         proc             /usr/include/sys/proc.h         proc
 queue        queue            /usr/include/sys/stream.h       queue
 region       region           /usr/include/sys/region.h       region
 stdata,      stdata           /usr/include/sys/stream.h       stream
 streams
 tty          tty              /usr/include/sys/tty.h          tty

stat
Print information about the operating system including:

test [ mode ]
Turns on internal debugging for crash. mode is an integer, where ``0'' specifies no debugging and values of ``1'', ``2'', and ``3'' turn on increasing levels of verbosity during certain operations.

ts virtual_addr ...
Print the text symbol that is closest to, but not greater than, the address.

v[ar]
Print the values of the members of the kernel structure v that holds the tunable system parameters and the current size of the dynamic kernel tables. The structure v, and the equivalent tunable parameter for each of its members are defined in the file <sys/var.h>.

vt[op] [ -s process ] start_addr ...
Print the physical address corresponding to the virtual start address. This example finds the physical address corresponding to the virtual address 0x0 for the current process. The od command is used to demonstrate that these addresses reference the same memory location:
> vtop 0
VIRTUAL  PHYSICAL
    0x0  0x1eb000
> od -p 0x1eb000 4
001eb000:  0008014c   256471ed   00000000   00000000  
> od 0x0 4
001eb000:  0008014c   256471ed   00000000   00000000  
Note that if the memory locations being dumped cross a page boundary, there is no guarantee that the corresponding physical memory locations are contiguous. Kernel memory is usually physically contiguous. Memory used by user processes may or may not be physically contiguous.

Boot structures

This command prints information that is passed to the kernel when the system is booted.

bo[ot] [ -ef ] [ -p boot_info [ boot_misc [ boot_apm ] ] ]
Print boot configuration information including:

boot_info, boot_misc, and boot_apm can be used to specify the addresses of bootinfo, bootmisc, and bootapm structures.

boot uses the structures bootinfo, bootmem, and bootmisc defined in <sys/boot.h>, and bootapm defined in <sys/apm.h>.

Callout table

The callout table contains entries for functions that will be called after the desired delay has elapsed. These are sometimes referred to as timeouts.

c[allout]
Print the callout table. For multiprocessor systems, this also displays the number of the processor on which the callout will run.

callout uses the callo structure defined in <sys/callo.h>.

Memory maps

Memory maps maintain a resource such as free memory space; on request, the kernel allocates contiguous blocks of this resource.

ma[p] mapname ...
Print the map structure of mapname.

For example, map sptmap displays the unallocated memory segments in the map of system virtual memory:

> map sptmap
MAPSIZE: 47   SLEEP VALUE: 0

SIZE ADDRESS 1793 0x1128 1 SEGMENTS, 1793 UNITS

This example shows one unallocated segment of 1793 pages.

Other maps that can be examined include piomap, the map of pages that can be allocated to programmed I/O, and tablemap, the map of pages that can be allocated to dynamic kernel tables.

Note that the table of available swap space, swaptab, cannot be examined using this command.

map uses the map structure defined in <sys/map.h>.

Filesystem buffers

These commands show the contents of the buffers and their associated buffer headers in the filesystem buffer cache.

b[uffer] [ format ] table_entry | [ -p ] start_addr
Print the contents of a filesystem buffer in one of the following formats:

-b
byte

-c
character

-d
decimal

-x
hexadecimal

-o
octal

-r [ -S | -H | -D]
directory, where the filesystem type is specified with -S (S51K), -H (HTFS - default), and -D (DTFS). The flags are only meaningful with the -i option (print buffer as directory entries). Once specified, a filesystem type remains the default until a new one is specified.

-i
inode list
If no format is given, the previously used format is used. The default format at the beginning of a crash session is hexadecimal.

buffer uses the buf structure defined in <sys/buf.h>.


buf[hdr] [ -f ] [ [ -p ] table_entry ... ]
Print filesystem buffer headers.

bufhdr uses the bufhdr structure defined in <sys/buf.h>.

Filesystem tables

These commands return information about the files processes have open, and the filesystems that the system has mounted.

f[ile] [ -e ] [ [ -p ] table_entry ... ]
Print the file table. References to slots in the incore inode table are prefixed by I#. A reference to the next file table slot on the free list is prefixed by F#. The flags displayed for each slot control file access and correspond to the flags defined in <sys/fcntl.h>; for example, append is equivalent to FAPPEND.

file uses the file structure defined in <sys/file.h>.


fs [ [ -p ] table_entry ... ]
Print the filesystem information table including the following information for each filesystem type:

fs uses the fsinfo structure defined in <sys/conf.h>.


i[node] [ -eflr ] [ [ -p ] table_entry ... ]
Print the incore inode table including the following information:

The -f option prints additional information including:

The -r option displays inodes that are on the free list.

The -l option lists the numbers of incore inodes that are in use, on the free list, on the free list with non-zero reference count, or in an unknown state.

inode uses the structures hinode and inode defined in <sys/inode.h>, dtnode defined in <sys/fs/dtnode.h>, htinode defined in <sys/fs/htinode.h>, and S5inode defined in <sys/fs/s5inode.h>.


m[ount] [ -e ] [-f] [-n] [ [ -p ] [ -v ] table_entry ... ]
Print the mount table information including:

mount uses the mount structure defined in <sys/mount.h>.

The -n option displays NFS-specific mount information for NFS mounts.

The -f option displays additional NFS-specific mount information for NFS mounts.

Record locks

Record locks provide a mechanism by which a process can gain exclusive access to part or all of a file.

l[ck] [ -e ] [ [ -p ] table_entry ... ]
Print record-locking information. If the -e option is used or table address arguments are given, crash prints the list of record locks. If no argument is given, crash prints information on locks relative to inodes.

lck uses the structures filock and flckinfo defined in <sys/flock.h>.

Processor-specific structures

These crash commands examine structures that are specific to the way that i80386, i80486, and Pentium(TM) family processors handle memory management and interrupts.

The system maintains two tables of virtual memory segments per CPU:

Each user process also has a Local Descriptor Table (LDT) that defines the objects it uses, including its data and text segments.

g[dt] [ -e ] [ -c cpu ] [ slot [ count ] ]
Print the GDT. On multiprocessor systems, the argument to the -c option specifies the cpu; every CPU's GDT is displayed by default. The base processor is cpu 0.

gdt uses the dscr structure defined in <sys/seg.h>.


id[t] [ -e ] [ -c cpu ] [ slot [ count ] ]
Print the IDT. On multiprocessor systems, the argument to the -c option specifies the cpu; every CPU's IDT is displayed by default. The base processor is cpu 0. See trap(M) for a description of the various traps, interrupts, and exceptions.

idt uses the dscr structure defined in <sys/seg.h>.


ld[t] [ -e ] [ process [ slot [ count ] ] ]
Print the LDT for a specified process.

ldt uses the dscr structure defined in <sys/seg.h>.

Region, page frame data, page directory, and page tables

These commands show information about the usage of memory by processes on the system.

pd[t] [ -e ] [ -s process ] [ -p ] slot | start_addr [ count ]
Print count page table entries specified by the slot or start_addr of the system's page directory table. This command prints the virtual and physical addresses of the page frames, and their corresponding entries in the page frame data table.

The sdt command may be used to examine the page directory table entries of a process.

A process' page table cannot be printed if it has been swapped out.

pdt uses the pde structure defined in <sys/immu.h>.


pfd[at] [ -e ] [ [ -p ] table_entry ... ]
Print the page frame data table.

pfdat uses the pfdat structure defined in <sys/pfdat.h>.


pfdfreeq [ -e ] [ -f ] [ [ -p ] tbl_entry ... ]
Displays page frame data table statistics.

reg[ion] [-ef ] [ [ -p ] table_entry ... ]
Print the region table. With the -f option, region also prints information about the associated page table and disk block descriptor entries.

region uses the region structure defined in <sys/region.h>, the pde structure defined in <sys/immu.h>, and the dbd structure defined in <sys/region.h>.


rt[op] [ -l | -q ] [ -p ] [ table_entry ... ]
Print the process table entries of all processes that are using the specified region table entries. The -l and -q options have the same effect as for the proc command.

rtop uses the pregion structure defined in <sys/region.h>, and the proc structure defined in <sys/proc.h>.


sd[t] [ -ef ] [ -s process ] [ -p ] [ slot | start_addr [ count ] ]
Print the page directory table entries for a process. (This table is also known as the segment descriptor table.) By default, sdt prints information from the page directory table pointed to by control register CR3; this register is also known as the page directory base register (PDBR).

Note that there is only one page directory table per system; the table is shared by the kernel and all processes.

sdt uses the pde structure defined in <sys/immu.h>.

Process table and run queue

The kernel maintains a process table that contains key information for every process on the system. This table is always present in memory, unlike a process' u-area which can be swapped out.

ep[roc] [ -ef ] [ [ -p ] process ... | [ -r ] ]
Print the extended process table.

eproc uses the eproc structure defined in <sys/eproc.h>, and the proc structure defined in <sys/proc.h>.


pre[gion] [ -e ] [ -p ] process ...
Print the pregion table for a process; this describes the regions attached to the process.

pregion uses the pregion structure defined in <sys/region.h>, and the proc structure defined in <sys/proc.h>.


p[roc] [-ef ] [ -q | -l ] [ [ -p ] process ... | -r ]
Print the process table. Process table information can be specified using a mixture of process table slot numbers and process IDs. A process ID (as reported by ps(C)) must be prefixed by a ``#''.

The -r option reports information only for processes that are executing or are on the run queue.

With the -f option, proc displays most of the information in the process table, and also the pregion table for that process.

The -l option selects the wakeup channel value in the EVENT column to be displayed as a symbolic name plus an offset address. The -q option selects it to be displayed as an address. The setting is remembered for the next proc command; the initial setting is -l.

proc uses the proc structure defined in <sys/proc.h>, and the pregion structure defined in <sys/region.h>.


ru[nq]
Print details of processes that are on the run queue in the short format of the proc command.

Process u-areas

The u-area contains information about a process that is used when the process is running.

kf[p] [ -s process ] [ -r | kfp ]
Print the frame pointer for the start of a kernel (system) stack trace. The kernel frame pointer is set to the value of kfp if this is specified. The -r option sets the kernel frame pointer to the base of the kernel stack for the current process.

kfp uses the t_ebp member of the tss386 structure defined in <sys/tss.h>.


ks[p] [ -s process ] [ -r | ksp ]
Print the kernel stack pointer. The kernel stack pointer is set to the value of ksp if this is specified. The -r option resets the kernel stack pointer to the top of the kernel stack for the current process.

ksp uses the t_esp member of the tss386 structure defined in <sys/tss.h>.


s[tack] [ -u | -k | -l ] [ process ... ]
Dump the user or system (kernel) stack for the specified process. The -k option prints a hexadecimal dump of the system stack; the -l option prints a more detailed dump including translation of function calls into symbols and offsets. If no arguments are entered, stack prints the kernel stack for the current process as though the -l option were specified.

The -u option prints a hexadecimal dump of the user stack.

The user and kernel stacks associated with the current process are not accessible on a running system.

stack uses the proc structure defined in <sys/proc.h>, the tss386 structure defined in <sys/tss.h>, and the user structure defined in <sys/user.h>.


t[race] [ -e ] [ -q | -l ] [ -r ] [ process ... ]
Print a system (kernel) stack trace. The -r option causes trace to examine the stack frame set by the kfp command. The -l option translates function arguments into symbols and offsets; the -q option suppresses this translation.

Following an interrupt or exception, the kernel creates an additional stack frame on the system stack for the interrupt handler to use. If there was an interrupt outstanding on the crashed system being examined, crash also displays this interrupt stack.

If no arguments are entered, trace prints the kernel stack trace for the current process as though the -l option were specified.

trace uses the proc structure defined in <sys/proc.h>, the tss386 structure defined in <sys/tss.h>, and the user structure defined in <sys/user.h>.


tss [ -u | -k ] [ process ] | -i [ -p ] start_addr

pc[b] [ -u | -k ] [ process ] | -i [ -p ] start_addr
Print the Task State Segment (TSS) of a process; also known as the process control block (PCB). With no argument, tss prints the kernel's TSS pointed to by the u_tss member in the u-area of the current process. The -k option also prints the kernel's TSS.

The -u option prints a process' TSS; this is always saved on the system (kernel) stack in the process' u-area following every fault.

The -i option prints a process' TSS that is saved to the user stack when an interrupt or trap is encountered in user mode. This option requires that the start address of the TSS be provided.

tss uses the proc structure defined in <sys/proc.h>, the tss386 structure defined in <sys/tss.h>, and the user structure defined in <sys/user.h>.


u[ser] [ -f ] [ process ... ]
Print information about the u-area of a process including:

 
A swapped-out u-area can only be examined on a live system.

user uses the user structure defined in <sys/user.h>.

Cblock and tty structures

The cblock structures are used to implement the raw input, canonical input, and output character list (clist) data queues, and the transmit and receive control blocks for the clist-based console and terminal drivers. The system maintains a tty structure for each console and terminal device known to it.

cb[lock] [ -eft ] [ -p ] table_entry ... ]
Print cblock structures. The -f option additionally prints the contents of the cblock in hexadecimal and character format. The -t option prints the chain of cblock entries that form a clist, starting with table_entry.

cblock uses the cblock structure defined in <sys/tty.h>.


tt[y] [ -ef ] [ -t type [ [ -p ] table_entry ... ] | [ -p ] start_addr ] ]
Print entries in the tty table. When the -f flag is used, the information displayed includes:

The -t option prints the table for the tty type specified. These include:


cn
console multiscreens

pa
parallel ports

sio
serial ports

spt
pseudo-ttys

tty uses the tty structure defined in <sys/tty.h>.

STREAMS structures

The STREAMS interface is commonly used by networking software to implement layered protocol stacks as modules within device drivers.

dbf[ree] [ class ... ]
Print STREAMS data block headers in the edblock free list. Data block headers are printed only for the specified buffer class; if none are specified, dbfree prints block headers for all buffer classes.

dbfree uses the extdatab structure defined in <sys/stream.h>.


dbl[ock] [ -e ] [ -c class ... | [ -p ] table_entry ... ]
Print allocated STREAMS data block headers. The -c option prints only data block headers for the specified buffer class.

dblock uses the extdatab structure defined in <sys/stream.h>.


li[nkblk] [ -e ] [ [ -p ] table_entry ... ]
Print the linkblk table. (A linkblk structure stores triples of multiplexed STREAMS.)

linkblk uses the linkblk structure defined in <sys/stream.h>.


mbf[ree]
Print STREAMS message block headers in the mblock free list.

mbfree uses the msgb structure defined in <sys/stream.h>.


mbl[ock] [ -e ] [ [ -p ] table_entry ... ]
Print allocated STREAMS message block headers.

mblock uses the msgb structure defined in <sys/stream.h>.


pbf[ree]
Print STREAMS page descriptor entries held on the pageb free list.

pbfree uses the pageb structure defined in <sys/stream.h>.


pbl[ock] [ -e ] [ -c class ... | [ -p ] table_entry ... ]
Print the STREAMS page table; entries in this table are descriptors for pages of memory allocated to STREAMS buffers. The -c option displays entries for memory allocated to the specified buffer class.

pblock uses the pageb structure defined in <sys/stream.h>.


pbp[ool]
Display STREAMS page descriptor entries allocated to the pool of memory reserved for interrupt time allocations.

pbpool uses the pageb structure defined in <sys/stream.h>.


qr[un]
Print the list of STREAMS queue slots that are scheduled for service.

qrun uses the queue structure defined in <sys/stream.h>.


que[ue] [ -e ] [ -f ] [ [ -p ] table_entry ... ]
Print the table of allocated STREAMS queues.

queue uses the queue structure defined in <sys/stream.h>.


stre[am] [ -ef ] [ [ -p ] table_entry ... ]
Print allocated slots in the STREAMS table.

stream uses the stdata and strevent structures defined in <sys/stream.h>.


strs[tat]
Print STREAMS statistics including the allocated and free numbers of STREAMS, STREAMS queues, message and buffer headers, and data blocks of different sizes.

strstat uses the stdata, queue, and pagestat structures defined in <sys/stream.h>, and the strstat structure defined in <sys/strstat.h>.

TCP/IP structures

These commands display information about TCP/IP networking structures:

ar[ppcb] [ -e ] [ [ -p ] tbl_entry ... ]
Displays ARP (Address Resolution Protocol) control blocks.

if[net] [ -e ] [ -f ]
Displays IP (Internet Protocol) interface information.

inodetosocket [ -f ] [ inode_tbl_entry ... ]
Displays socket information related to an inode.

inp [ -e ] [ -p ] [ -f ]
Displays IP (Internet Protocol) multiplexor information.

ip [ -e ] [ -p ] [ -f ]
Displays IP (Internet Protocol) connection information.

ne[tstat [ -p proto ]
Displays per-protocol statistics.

ro[ute] [ -f ] [ -e ] [ [ -p] tbl_entry ... ]
Displays routing table information.

so[cket] [ -e ] [ -f ] [ [ -p ] tbl_entry ... ]
Displays socket information.

tc[b] [ -f ]
Displays TCP (Transmission Control Protocol) control blocks.

ud[p] [ -e ] [ -p ] [ -f ]
Displays UDP (User Datagram Protocol) control blocks.

NFS structures

These commands display information about NFS (Network Filesystem) structures:

ch[tab] [ address ... ]
Displays NFS client handle table entries.

cln[t] [ address ... ]
Displays NFS client handles.

clt[p] [ address ... ]
Displays NFS transport endpoints.

rl[cks] [ -f ] [ tbl_entry ... ]
Displays NFS record lock (NLM) entries.

rn[ode] [ -d ] [ -f ] [ -l ] [ tbl_entry ... ]
Displays NFS rnodes.

Limitations

crash only examines the state of a panic dump or live system. If necessary, adb(CP) can be used to patch the kernel or device drivers.

The dis command can only be used to disassemble kernel text.

Authorization

When used to examine a live system, this utility access /dev/mem, /dev/kmwm, and /unix. These files are accessible only by the root user and members of the mem group. Non-trusted users should not be given access to these files, or to previously created kernel memory dumps, as they contain privileged information that could compromise system security or user privacy.

This security is enforced by file permissions. The utility does not prevent regular users from examining kernel images and dumps that have been made readable by a privileged user.

Files


/dev/kmem
provides access to the virtual memory used only by the currently running kernel; these pages are always resident in main memory and are never swapped out

/dev/mem
provides access to all virtual memory used by the kernel and processes; some of these pages may be swapped out to disk

/unix
provides a namelist for the default current kernel

See also

adb(CP), dumpsave(ADM), ldsysdump(ADM), memsize(ADM), ncheck(ADM), nodnm(ADM), ps(C), scodb(ADM), sysdump(ADM), trap(M)
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003