crash(1M)


crash -- examine system images

Synopsis

/usr/sbin/crash [-b batchfile] [-d dumpfile] [-n namelist] [-m moduledir] [-w outputfile]

Description

The crash command is used to examine the system memory image of a running or a crashed system by formatting and printing control structures, tables, and other information.

The size and type of information stored in a system memory dump can be altered by using the kernel parameter SYSDUMP_SELECTIVE. To use this parameter you must include it in the UNIX kernel.

Use SYSDUMP_SELECTIVE to specify if the system memory dump includes just kernel mapped memory or kernel and user mapped memory. Set SYSDUMP_SELECTIVE to 1 for just kernel mapped or 0 for both kernel and user mapped memory.

Options

crash takes the following options:

-b batchfile
Use the text file batchfile, containing a list of crash commands to be executed on the dump.

-d dumpfile
Use dumpfile for the file containing the system memory image. The default dumpfile is /dev/mem. If you enter a value other than /dev/mem, it is assumed that the system is crashed.

-n namelist
Use the text file namelist, containing the symbol table information needed for symbolic access to the system memory image to be examined. The default namelist is /stand/unix. If a system image from another machine is to be examined, the corresponding text file must be copied from that machine. For active systems, crash uses system calls to the running kernel to get symbol table information. For that reason, only global symbols are available.

-m moduledir
Use the specified directory, moduledir to look for modules. When working on a dump, crash looks for the modules that were loaded at the time of the dump, and adds those symbols to its symbol table information. By default, crash tries to find the modules in the directories from which they were loaded. The -m option specifies a directory where crash should look for the modules instead. If you use the -m option, crash only looks in the specified directory. You can only use a single instance of the -m option on the command line, and if you attempt to use the -m option more than once, only the last one is valid; the others are ignored.

-w outputfile
The output from a crash session is directed to outputfile. The default outputfile is the standard output.

Input

When you execute the crash command, a session is initiated. If you enter the ``?'' character at the command prompt, crash provides a help menu of the available commands.

Input during a crash session is of the form:

function [argument...]

where function is one of the crash functions described in ``Usage'', and argument is a list of qualifying data that indicate which items of the system image are to be printed.

The default for process-related items is the current process for a running system or the process that was running at the time of the crash for a crashed system. If the contents of a table are being dumped, the default is all active table entries.

The following function options are available to crash functions wherever they are semantically valid.

-e
Display every entry in a table.

-f
Display the full structure.

-n
Display privilege names symbolically. Default is to display in hexadecimal.

-p
Interpret all address arguments in the command line as physical addresses. If they are not physical addresses, results are inconsistent.

-s process
Specify a process slot other than the default.

-w file
Redirect the output of a function to file.

The functions mode, defproc, and redirect correspond to the function options -p, -s, and -w. The mode function may be used to set the address translation mode to physical or virtual for all subsequently entered functions; defproc sets the value of the process slot argument for subsequent functions; and redirect redirects all subsequent output.

Output

Output from crash functions may be piped to another program as follows:

function [argument . . .] ! shell_command

For example, mount ! grep rw writes all mount table entries with an rw flag to the standard output. The redirection option (-w) cannot be used with this feature.

An argument can be either a symbol or a numeric argument. Numeric arguments are assumed to be decimal unless preceded by 0x or 0b prefixes for hexadecimal or binary numbers. Any argument that is not either a symbol or a number will be reported as an error. Each function, when executed, determines whether the argument specified a valid slot or address.

Default bases on all arguments may be overridden. The C conventions for designating the bases of numbers are recognized.

Aliases for functions may be any uniquely identifiable initial substring of the function name. Traditional aliases of one letter, such as p for proc, remain valid.

Many functions accept different forms of entry for the same argument. Requests for table information will accept a table entry number or a range. A range of slot numbers may be specified in the form a-b where a and b are decimal numbers. An expression consists of two operands and an operator. An operand may be an address, a symbol, or a number; the operator may be +, -, *, /, &, or |. An operand that is a number should be preceded by a radix prefix if it is not a decimal number (0 for octal, 0x for hexadecimal, 0b for binary). The expression must be enclosed in parentheses. Other functions accept any of these argument forms that are meaningful.

Two abbreviated arguments to crash functions are used throughout. Both accept data entered in several forms. They may be expanded into the following:

table_entry = address | slot | range

start_addr = address | symbol | expression

Usage

Following are the available functions in crash:

? [-w file]
List available functions.

!command
Escape to the shell and execute command.

abuf [-w file] [-mode]
Print audit buffer data in mode format. mode is one of long (-l), short (-t), or byte (-b). The default mode for character and ASCII formats is byte; the default mode for decimal, hexadecimal, and octal formats is long. When mode is omitted, the previous value is used. At the start of a crash session, the mode is long.

as [-e] [-f] [-w file] [proc...]
Print address space information on process segments.

base [-w file] number...
Print number in binary, octal, decimal, and hexadecimal. A number in a radix other than decimal should be preceded by a prefix that indicates its radix as follows: 0x, hexadecimal; 0, octal; and 0b, binary.

buffer [-w file] [-format] [-p] addr
Alias: b
Print the contents of a buffer in the designated format. The following format designations are recognized: -b, byte: -c, character; -d, decimal; -x, hexadecimal; -o, octal; and, -i, inode. If no format is given, the previous format is used. The default format at the beginning of a crash session is hexadecimal.

bufhdr [-f] [-w file] [[-p] addr...]
Alias: buf
Print system buffer headers. The -f option produces different output depending on whether the buffer is local or remote.

cg [-w file] [cgnum]
Set the current CPU group to cgnum. If cgnum is not specified then the current CPU group is displayed.

cglocal [-w file]
Print the local information for the current CPU group.

class [-w file] [table_entry...]
Print information about process scheduler classes.

deflwp [-w file] [slot]
Set the value of the lwp slot for the current process. If slot is not specified, the current slot is displayed. The default lwp slot for each process is 0.

defproc [-w file] [-c]

defproc [-w file] [slot]
Set the value of the default process slot argument. The default process slot argument may be set to the current slot number (-c) or the slot number may be specified. If no argument is entered, the value of the previously set slot number is printed. At the start of a crash session, the process slot is set to the current process.

dis [-w file] [-a] start_addr [count]

dis [-w file] [-a] -c [count]
Disassemble count instructions starting at start_addr. The default count is 1. The absolute option (-a) specifies a non-symbolic disassembly. The -c option can be used in place of start_addr to continue disassembly at the address at which a previous disassembly ended.

dispq [-l|-g] [-w file] [table_entry...]
Print the dispatcher (scheduler) queues. The -l option prints only the local dispatcher queues. The -g option prints only the global dispatcher queue.

ds [-w file] virtual_address...
Print the data symbol whose address is closest to, but not greater than, the address entered.

eng [-w file] [eng_num]
Set the current engine to eng_num. If no eng_num is specified, then the current engine number is displayed.

evactive [-w file] [-f] [event_name]
Print the active event queue. The -f option provides a verbose display.

evmm [-w file]
Print the events memory management information.

file [-e] [-w file] [[-p] table_entry...]
Alias: f
Print the file table.

filepriv [-e] [-n] [-w file] [[-p] table_entry...]
Print the kernel privilege table.

findaddr [-w file] table slot
Print the address of slot in table. Only tables available to the size function are available to findaddr.

findslot [-w file] virtual_address...
Print the table, entry slot number, and offset for the address entered. Only tables available to the size function are available to findslot.

fs [-w file] [[-p] table_entry...]
Print the file system information table.

gdp [-e] [-f] [-w file] [[-p] table_entry...]
Print the gift descriptor protocol table.

gdt [-e] [-w file] [slot [count]] table_entry...]
Print the global descriptor table.

help [-w file] function...
Print a description of function, including syntax and aliases.

idt [-e] [-w file ] [slot [count]]
Print the interrupt descriptor table.

hrt [-w file]
Print the high resolution timer information.

inode [-e] [-f] [-w file] [[-p] table_entry...]
Alias: i
Print the inode table, including file system switch information.

kfp [-w file] [value...]
Print the kernel frame pointer (kfp) for the start of a kernel stack trace. If the value argument is supplied, the kfp is set to that value. If no argument is entered, the current value of the kfp is printed.

kmastat [-w file]
Print kernel memory allocator statistics.

lck [-e] [-w file] [[-p] table_entry...]
Alias: l
Print record locking information. If the -e option is used or table address arguments are given, the record lock list is printed. If no argument is entered, information on locks relative to inodes is printed.

ldt [-e] [-w file] [process [slot [count]]]
Print the local descriptor table for the given process, for the current process if none is given.

lidcache [-w file]
Print out the level identifier (LID) translation cache. The LID cache is supported only if the Enhanced Security Utilities are installed and running.

linkblk [-e] [-w file] [[-p] table_entry...]
Print the linkblk table.

map [-w file] mapname...
Print the map structure of the given mapname.

mode [-w file] [mode]
Set address translation of arguments to virtual (v) or physical (p) mode. If no mode argument is given, the current mode is printed. At the start of a crash session, the mode is virtual.

mount [-e] [-w file] [[-p] table_entry...]
Alias: m, vfs
Print information about mounted file systems.

nm [-w file] symbol...
Print value and type for the given symbol.

od [-p] [-w file] [-format] [-mode] [-s process] start_addr [count]
Alias: rd
Print count values starting at start_addr in one of the following formats: character (-c), decimal (-d), hexadecimal (-x), octal (-o), ASCII (-a), or hexadecimal\/character (-h), and one of the following modes: long (-l), short (-t), or byte (-b). The default mode for character and ASCII formats is byte; the default mode for decimal, hexadecimal, and octal formats is long. The format -h prints both hexadecimal and character representations of the addresses dumped; no mode needs to be specified. When format or mode is omitted, the previous value is used. At the start of a crash session, the format is hexadecimal and the mode is long. If no count is entered, 1 is assumed.

panic
Print the latest system notices, warnings, and panic messages from the limited circular buffer kept in memory.

page [-e] [-w file] [[-p] table_entry...]
Print information about pages.

pcb [-w file] [process]
Print the process control block (TSS). If no arguments are given, the active TSS for the current process is printed.

pcinode
Print cdfs_inodes.

plocal [-w file]
Print the processor local data for the current engine.

prnode [-e] [-w file] [[-p] table_entry...]
Print information about the private data of processes being traced.

proc [-e] [-f [-n]] [-w file] [[-p] table_entry...#procid...]

proc [-f [-n]] [-w file] [-r]
Alias: p
Print the process table. Process table information may be specified in two ways. First, any mixture of table entries and process IDs may be entered. Each process ID must be preceded by a ``#''. Alternatively, process table information for runnable processes may be specified with the runnable option (-r). The full option (-f) details most of the information in the process table as well as the region for that process.

ptbl [-e] [-w file] [-sprocess] [[-p] addr [count]]
Print information on page descriptor tables.

pty [-f] [-e] [-w file] [-s] [-h] [-l]
Print the pseudo ttys presently configured. The -l, -h and -h options give information about the STREAMS modules ldterm, ptem and pckt, respectively.

qrun [-w file]
Print the list of scheduled streams queues.

queue [-e] [-s] [-w file] [[-p] table_entry...]
Print streams queues. The -s option displays the symbolic streams configuration.

quit
Alias: q
Terminate the crash session.

rcvd [-e] [-f] [-w file] [[-p] table_entry...]
Print the receive descriptor table.

rduser [-e] [-f] [-w file] [[-p] table_entry...]
Print the receive descriptor user table.

redirect [-w file] [-c]

redirect [-w file] [newfile]
Used with a file name, redirects output of a crash session to newfile. If no argument is given, the file name to which output is being redirected is printed. Alternatively, the close option (-c) closes the previously set file and redirects output to the standard output.

resource [-e] [-w file] [[-p] table_entry...]
Print the advertise table.

rtdptbl [-w file] [table_entry...]
Print the real-time scheduler parameter table. See fp_dptbl(4).

rtproc [-w file]
Print information about processes in the real-time scheduler class.

search [-p] [-w file] [-m mask] [-s process] pattern start_addr length
Print the long words in memory that match pattern, beginning at the start_addr for length long words. The mask is ANDed (&) with each memory word and the result compared against the pattern. The mask defaults to 0xffffffff.

sinode [-e] [-f] [-w file] [[-p] table_entry...]
Alias: si
Print the inode table for ufs or sfs file systems. Since the ufs\/sfs incore inode contains the icommon inode and the alternate inode, this function displays, in addition to the icommon inode information, all security data stored in the alternate inode. This includes the level identifier, the Access Control List (ACL) count, the extended ACL disk block pointer, and any inode resident ACL entries.

size [-w file] [-x] [structure_name...]
Print the size of the designated structure. The (-x) option prints the size in hexadecimal. If no argument is given, a list of the structure names for which sizes are available is printed.

sndd [-e] [-f] [-w file] [[-p] table_entry...]
Print the send descriptor table.

snode [-e] [-f] [-w file] [[-p] table_entry...]
Print information about open special files. Along with other information, it prints the security attributes of a device: mode, stat, high level range, low level range, release flag, and other security flags; these attributes are supported only if the Enhanced Security Utilities are installed and running.

srmount [-e] [-w file] [[-p] table_entry...]
Print the server mount table.

stack [-w file] [process]
Alias: s
Dump the stack. If no arguments are entered, the kernel stack for the current process is printed. The interrupt stack and the stack for the current process are not available on a running system.

stat [-w file]
Print system statistics.

stream [-e] [-f] [-w file] [[-p] table_entry...]
Print the streams table.

strstat [-w file]
Print streams statistics.

trace [-w file] [-r] [process]
Alias: t
Print stack trace. The kfp value is used with the -r option; the kfp function prints or sets the kfp (kernel frame pointer) value.

ts [-w file] virtual_address...
Print text symbol closest to the designated address.

tsdptbl [-w file] [table_entry...]
Print the time-sharing scheduler parameter table. See ts_dptbl(4).

tslwp [-w file]
Print information about light-weight processes (LWPs) in the time-sharing scheduler class.

tty [-e] [-f] [-l] [-w file] [-t type [[-p] table_entry...]|[-p] start addr]

Valid types: console, sr, sx, sc.
Print the tty table. If no arguments are given, the tty table for both tty types is printed. If the -t option is used, the table for the single tty type specified is printed. If no argument follows the type option, all entries in the table are printed. A single tty entry may be specified using start_addr. The -l option prints the line discipline information.

user [-f] [-w file] [process]
Alias: u
Print the ublock for the designated process.

var [-w file]
Alias: v
Print the tunable system parameters.

vfs [-e] [-w file] [[-p] table_entry...]
Alias: mount, m
Print information about mounted file systems.

vfssw [-w file] [[-p] table_entry...]
Print information about configured file system types.

vnode [-w file] [[-p] vnode_addr...]
Print information about vnodes.

vtop [-w file] [-s process] start_addr...
Print the physical address translation of the virtual address start_addr.

vxinode [-w file] [-e] [-f] [-l] [-r] [vx_inodeaddr...]
Alias: vxi
Print the VxFS file system (vxfs) inode table; valid only for vxfs type file systems.

-l
Print the contents of all the icache lists (these hold the vx_inodes) together with information for each inode indicating if it is a free or attribute (or both) inode.

-r
Print all the free vx_inodes.

vx_inodeaddr
Print the vx_inode located at address vx_inodeaddr.

Extensible functions

It is possible to add functions to crash without having access to the source code. This is useful for writing platform specific functions or to obtain more information than is available in the default command set.

Adding new functions is accomplished with shared objects. The shared object is created from a file consisting of the functions that are to be added to the existing command set. When crash is started, these shared objects are read and the additional functions are incorporated in the command set.

To create a shared object:

  1. Create a file that contains the new commands. This file should define the variable functab, which should be an array type struct func. This array points to the new commands that need to be added.

  2. Compile the file with the same options as the kernel build. For example, if crash is going to be run on top of a uniprocessor kernel, then the file should be compiled with the appropriate definitions for a uniprocessor kernel.

  3. Use the -G option to the compiler to create the shared object.
crash reads the shared objects from directory /usr/lib/crash and also from files defined by environment variable CRASH_LIBS.

Extension example

An example of a file containing a new command (lbolt) is given below:
   #include <stdio.h> 
   #include <sys/types.h> 
   #include <syms.h> 
   

extern int get_lbolt();

/* function definition */ struct func { char *name; char *syntax; int (*call)(); char *description; };

struct func functab[] = { "lbolt", " ", get_lbolt, "lbolt", 0,0,0,0 };

static struct syment *lbolt_sym = NULL; extern struct syment *symsrch(char *); extern FILE *fp;

get_lbolt(void) { time_t lbolt;

if (lbolt_sym == NULL && (lbolt_sym = symsrch("lbolt")) == NULL) return 0; readmem((void *)(lbolt_sym->n_value), 1, -1, &lbolt, sizeof(lbolt), "lbolt"); fprintf(fp, "%lx\n",lbolt); }


30 January 1998
© 1998 The Santa Cruz Operation, Inc. All rights reserved.