crash(1M)
crash --
examine system images
Synopsis
/usr/sbin/crash
[-b batchfile]
[-d dumpfile] [-n namelist] [-m moduledir] [-w outputfile]
Description
The crash command is used to examine the system memory image
of a running or a crashed
system by formatting and printing
control structures, tables, and other
information.
The size and type of information stored in a system memory dump can be
altered by using the kernel parameter
SYSDUMP_SELECTIVE.
To use this parameter you must include it in the UNIX kernel.
Use SYSDUMP_SELECTIVE to specify if the system memory dump includes just
kernel mapped memory or kernel and user mapped memory. Set SYSDUMP_SELECTIVE
to 1 for just kernel mapped or 0 for both kernel and user mapped
memory.
Options
crash takes the following options:
- -b batchfile
-
Use the text file batchfile, containing a list of
crash commands to be executed on the dump.
- -d dumpfile
-
Use
dumpfile for the file containing the system memory image.
The default dumpfile is /dev/mem.
If you enter a value other than /dev/mem, it is assumed
that the system is crashed.
- -n namelist
-
Use the text file namelist,
containing the symbol table
information needed for symbolic access to the system memory image
to be examined.
The default namelist is /stand/unix.
If a system image from another machine is to be
examined, the corresponding text file must be copied from that
machine.
For active systems, crash uses system calls to the
running kernel to get symbol table information.
For that reason, only global symbols are available.
- -m moduledir
-
Use the specified directory, moduledir to look for modules.
When working on a dump,
crash looks for the modules that were
loaded at the time of the dump, and adds those symbols
to its symbol table information.
By default, crash tries to find the modules in
the directories from which they were loaded.
The -m option specifies a directory where crash
should look for the modules instead.
If you use the -m option, crash only looks in the
specified directory.
You can only use a single instance of the -m
option on the command line, and
if you attempt to use the -m option more
than once, only the last one is valid; the others are
ignored.
- -w outputfile
-
The output from a crash session is directed to outputfile.
The default outputfile is the standard output.
Input
When you execute the
crash command, a session is initiated.
If you enter the ``?'' character at the command
prompt, crash provides
a help menu of the available commands.
Input during a crash session is of the form:
function [argument...]
where function is one of the crash functions described in
``Usage'', and argument is a list of qualifying data
that indicate which items of the system image are to be printed.
The default for process-related items is
the current process for a running system or
the process that was running at the time of the
crash for a crashed system.
If the contents of a table are being dumped, the default is all active
table entries.
The following function options are available
to crash functions wherever they are semantically valid.
- -e
-
Display every entry in a table.
- -f
-
Display the full structure.
- -n
-
Display privilege names symbolically.
Default is to display in
hexadecimal.
- -p
-
Interpret all address arguments in the command
line as physical addresses.
If they are not physical addresses, results are inconsistent.
- -s process
-
Specify a process slot other than the default.
- -w file
-
Redirect the output of a function
to file.
The functions mode, defproc, and redirect
correspond to the function options -p, -s,
and -w.
The mode function may be used to set the address
translation mode to physical or
virtual for all subsequently entered functions;
defproc sets the value of the process slot argument
for subsequent functions; and
redirect redirects all subsequent output.
Output
Output from crash functions may be piped to another program
as follows:
function [argument . . .] ! shell_command
For example, mount ! grep rw
writes all mount table entries with an rw flag to the
standard output. The redirection option (-w) cannot be used with
this feature.
An argument can be either a symbol or a numeric argument.
Numeric arguments are assumed to be decimal unless
preceded by 0x or 0b prefixes for
hexadecimal or binary numbers.
Any argument that is not either a symbol or a number will be
reported as an error.
Each function, when executed, determines whether the
argument specified a valid slot or address.
Default bases on all arguments may be overridden.
The C conventions for designating the bases of numbers are recognized.
Aliases for functions may be any uniquely
identifiable initial substring of the
function name.
Traditional aliases of one letter, such as p for
proc, remain valid.
Many functions accept different forms of entry for the same argument.
Requests for table information will accept a table entry number or
a range.
A range of slot numbers may be specified in the form a-b where
a and b are decimal numbers.
An expression consists of two operands
and an operator.
An operand may be an address, a symbol, or a number; the operator
may be +, -, *, /, &, or |.
An operand that is a number should be preceded by a radix prefix
if it is not a decimal
number (0 for octal, 0x for hexadecimal,
0b for binary).
The expression must be enclosed in parentheses.
Other functions accept any of these argument forms
that are meaningful.
Two abbreviated arguments to crash functions are
used throughout.
Both accept data entered in several forms.
They may be expanded into the following:
table_entry = address | slot | range
start_addr = address | symbol | expression
Usage
Following are the available functions in crash:
- ? [-w file]
-
List available functions.
- !command
-
Escape to the shell and execute
command.
- abuf [-w file] [-mode]
-
Print audit buffer data in mode format.
mode is one of
long (-l), short (-t), or byte
(-b).
The default mode for character and ASCII formats is byte;
the default mode for decimal, hexadecimal, and octal formats is long.
When mode is omitted, the previous value is used.
At the start of a crash session, the mode is long.
- as [-e] [-f] [-w file] [proc...]
-
Print address space information on process segments.
- base [-w file] number...
-
Print number in binary, octal, decimal, and
hexadecimal.
A number in a radix other than decimal should be preceded by a prefix that
indicates its radix as
follows:
0x, hexadecimal;
0, octal; and 0b, binary.
- buffer [-w file] [-format] [-p] addr
-
Alias: b
Print the contents of a buffer in the designated format.
The following format designations are recognized: -b,
byte: -c, character; -d, decimal; -x, hexadecimal;
-o, octal; and, -i, inode.
If no format is given, the previous format is used.
The default format at the beginning of a crash session is hexadecimal.
- bufhdr [-f] [-w file] [[-p] addr...]
-
Alias: buf
Print system buffer headers.
The -f option produces different output depending on
whether the buffer is local or remote.
- cg [-w file] [cgnum]
-
Set the current CPU group to cgnum.
If cgnum is not specified then the current CPU
group is displayed.
- cglocal [-w file]
-
Print the local information for the current CPU group.
- class [-w file] [table_entry...]
-
Print information about process scheduler classes.
- deflwp [-w file] [slot]
-
Set the value of the lwp slot for the current process.
If slot is not specified, the current slot is
displayed.
The default lwp slot for each process is 0.
- defproc [-w file] [-c]
-
- defproc [-w file] [slot]
-
Set the value of the default process slot argument.
The default process slot argument may be set to the
current slot number (-c) or
the slot number may be specified.
If no argument
is entered, the value of the previously set slot number is printed.
At the start of a crash session, the process slot is set to
the current process.
- dis [-w file] [-a] start_addr [count]
-
- dis [-w file] [-a] -c [count]
-
Disassemble count instructions starting at start_addr.
The default count is 1.
The absolute option (-a) specifies a
non-symbolic disassembly.
The -c option can be used in place of start_addr to
continue disassembly at the address at
which a previous disassembly ended.
- dispq [-l|-g] [-w file] [table_entry...]
-
Print the dispatcher (scheduler) queues.
The -l option prints only the local dispatcher queues.
The -g option prints only the global dispatcher queue.
- ds [-w file] virtual_address...
-
Print the data symbol whose address is closest to, but not
greater than, the address entered.
- eng [-w file] [eng_num]
-
Set the current engine to eng_num.
If no eng_num is specified, then the
current engine number is displayed.
- evactive [-w file] [-f] [event_name]
-
Print the active event queue.
The -f option provides a verbose display.
- evmm [-w file]
-
Print the events memory management information.
- file [-e] [-w file] [[-p] table_entry...]
-
Alias: f
Print the file table.
- filepriv [-e] [-n] [-w file] [[-p] table_entry...]
-
Print the kernel privilege table.
- findaddr [-w file] table slot
-
Print the address of slot in table.
Only tables available to the size function
are available to findaddr.
- findslot [-w file] virtual_address...
-
Print the table, entry slot number, and offset for the
address entered.
Only tables available to the size function are available to
findslot.
- fs [-w file] [[-p] table_entry...]
-
Print the file system information table.
- gdp [-e] [-f] [-w file] [[-p] table_entry...]
-
Print the gift descriptor protocol table.
- gdt [-e] [-w file] [slot [count]] table_entry...]
-
Print the global descriptor table.
- help [-w file] function...
-
Print a description of function, including syntax and aliases.
- idt [-e] [-w file ] [slot [count]]
-
Print the interrupt descriptor table.
- hrt [-w file]
-
Print the high resolution timer information.
- inode [-e] [-f] [-w file] [[-p] table_entry...]
-
Alias: i
Print the inode table, including file system switch information.
- kfp [-w file] [value...]
-
Print the kernel frame pointer (kfp) for the start of a kernel stack trace.
If the value argument is supplied, the kfp is set to that value.
If no argument is entered, the current value of the kfp is printed.
- kmastat [-w file]
-
Print kernel memory allocator statistics.
- lck [-e] [-w file] [[-p] table_entry...]
-
Alias: l
Print record locking information.
If the -e option is used or
table address arguments are given, the record lock list is printed.
If no argument is
entered, information on locks relative to inodes is printed.
- ldt [-e] [-w file] [process [slot [count]]]
-
Print the local descriptor table for the given process,
for the current process if none is given.
- lidcache [-w file]
-
Print out the level identifier (LID) translation cache.
The LID cache is supported only if the Enhanced Security Utilities are
installed and running.
- linkblk [-e] [-w file] [[-p] table_entry...]
-
Print the linkblk table.
- map [-w file] mapname...
-
Print the map structure of the given mapname.
- mode [-w file] [mode]
-
Set address translation of arguments to virtual (v) or physical (p) mode.
If no
mode argument is given, the current mode is printed.
At the start
of a crash session, the mode is virtual.
- mount [-e] [-w file] [[-p] table_entry...]
-
Alias: m, vfs
Print information about mounted file systems.
- nm [-w file] symbol...
-
Print value and type for the given symbol.
- od [-p] [-w file] [-format] [-mode] [-s process] start_addr [count]
-
Alias: rd
Print count values starting
at start_addr in one of the following
formats: character (-c),
decimal (-d), hexadecimal (-x),
octal (-o), ASCII (-a), or
hexadecimal\/character (-h),
and one of the following
modes: long (-l), short (-t), or byte
(-b).
The default mode for character and ASCII formats is byte;
the default mode for decimal, hexadecimal, and octal formats is long.
The format -h prints both hexadecimal and character
representations of the addresses dumped;
no mode needs to be specified.
When format or mode is omitted, the previous value is used.
At the start of a
crash session, the format is hexadecimal and the mode
is long.
If no count is entered, 1 is assumed.
- panic
-
Print the latest system notices, warnings, and panic messages
from the limited circular buffer kept in memory.
- page [-e] [-w file] [[-p] table_entry...]
-
Print information about pages.
- pcb [-w file] [process]
-
Print the process control block
(TSS).
If no arguments are given,
the active
TSS
for the current process is printed.
- pcinode
-
Print cdfs_inodes.
- plocal [-w file]
-
Print the processor local data for the current engine.
- prnode [-e] [-w file] [[-p] table_entry...]
-
Print information about the private data of processes being traced.
- proc [-e] [-f [-n]] [-w file] [[-p] table_entry...#procid...]
-
- proc [-f [-n]] [-w file] [-r]
-
Alias: p
Print the process table.
Process table information may be specified in two ways.
First, any mixture of table entries and process IDs may be entered.
Each process ID must be preceded by a ``#''.
Alternatively, process table information
for runnable processes may be specified with
the runnable option (-r).
The full option (-f) details most of the information in the
process table as well as the region for that process.
- ptbl [-e] [-w file] [-sprocess] [[-p] addr [count]]
-
Print information on page descriptor tables.
- pty [-f] [-e] [-w file] [-s] [-h] [-l]
-
Print the pseudo ttys presently configured.
The -l, -h and -h options give
information about the STREAMS
modules ldterm, ptem and pckt, respectively.
- qrun [-w file]
-
Print the list of scheduled streams queues.
- queue [-e] [-s] [-w file] [[-p] table_entry...]
-
Print streams queues.
The -s option displays the symbolic streams configuration.
- quit
-
Alias: q
Terminate the crash session.
- rcvd [-e] [-f] [-w file] [[-p] table_entry...]
-
Print the receive descriptor table.
- rduser [-e] [-f] [-w file] [[-p] table_entry...]
-
Print the receive descriptor user table.
- redirect [-w file] [-c]
-
- redirect [-w file] [newfile]
-
Used with a file name, redirects output
of a crash session to newfile.
If no argument
is given, the file name to which output is being redirected
is printed.
Alternatively, the close option (-c) closes the previously set file
and redirects output to the standard output.
- resource [-e] [-w file] [[-p] table_entry...]
-
Print the advertise table.
- rtdptbl [-w file] [table_entry...]
-
Print the real-time scheduler parameter table.
See
fp_dptbl(4).
- rtproc [-w file]
-
Print information about processes in the real-time scheduler class.
- search [-p] [-w file] [-m mask] [-s process] pattern start_addr length
-
Print the
long
words in memory that match
pattern,
beginning at the start_addr for
length long
words.
The mask is ANDed (&) with each memory word and the result
compared against the pattern.
The mask defaults to
0xffffffff.
- sinode [-e] [-f] [-w file] [[-p] table_entry...]
-
Alias: si
Print the inode table for ufs or sfs file
systems.
Since the ufs\/sfs incore inode contains the icommon
inode and the alternate inode, this function displays,
in addition to the icommon inode information,
all security data stored in the alternate inode.
This includes the level identifier, the Access Control List (ACL) count, the
extended ACL disk block pointer, and any inode resident
ACL entries.
- size [-w file] [-x] [structure_name...]
-
Print the size of the designated structure.
The (-x) option prints the size in hexadecimal.
If no argument is given,
a list of the structure names for which sizes are available is printed.
- sndd [-e] [-f] [-w file] [[-p] table_entry...]
-
Print the send descriptor table.
- snode [-e] [-f] [-w file] [[-p] table_entry...]
-
Print information about open special files.
Along with other information, it prints
the security attributes of a device: mode, stat, high level range,
low level range, release flag, and other security flags;
these attributes are
supported only if the Enhanced Security Utilities are installed and running.
- srmount [-e] [-w file] [[-p] table_entry...]
-
Print the server mount table.
- stack [-w file] [process]
-
Alias: s
Dump the stack.
If no arguments are entered, the kernel stack
for the current process is printed.
The interrupt stack and the stack for the current process are not
available on a running system.
- stat [-w file]
-
Print system statistics.
- stream [-e] [-f] [-w file] [[-p] table_entry...]
-
Print the streams table.
- strstat [-w file]
-
Print streams statistics.
- trace [-w file] [-r] [process]
-
Alias: t
Print stack trace.
The kfp value is used with the -r option;
the kfp function prints or sets the kfp (kernel frame pointer) value.
- ts [-w file] virtual_address...
-
Print text symbol closest to the designated address.
- tsdptbl [-w file] [table_entry...]
-
Print the time-sharing scheduler parameter table.
See
ts_dptbl(4).
- tslwp [-w file]
-
Print information about light-weight processes (LWPs)
in the time-sharing scheduler class.
- tty [-e] [-f] [-l] [-w file] [-t type [[-p] table_entry...]|[-p] start addr]
-
Valid types: console, sr, sx, sc.
Print the tty table.
If no arguments are given, the tty table for both
tty types is printed.
If the -t option is used, the table for the single tty type
specified is printed.
If no argument follows the type
option, all entries in the table are printed.
A single tty entry may be specified using start_addr.
The -l option prints the line discipline information.
- user [-f] [-w file] [process]
-
Alias: u
Print the ublock for the designated process.
- var [-w file]
-
Alias: v
Print the tunable system parameters.
- vfs [-e] [-w file] [[-p] table_entry...]
-
Alias: mount, m
Print information about mounted file systems.
- vfssw [-w file] [[-p] table_entry...]
-
Print information about configured file system types.
- vnode [-w file] [[-p] vnode_addr...]
-
Print information about vnodes.
- vtop [-w file] [-s process] start_addr...
-
Print the physical address translation of the virtual address start_addr.
- vxinode [-w file] [-e] [-f] [-l] [-r] [vx_inodeaddr...]
-
Alias: vxi
Print the VxFS file system (vxfs) inode table;
valid only for vxfs type file systems.
- -l
-
Print the contents of all the icache lists (these hold the
vx_inodes) together with information for each inode indicating
if it is a free or attribute (or both) inode.
- -r
-
Print all the free vx_inodes.
- vx_inodeaddr
-
Print the vx_inode located at address vx_inodeaddr.
Extensible functions
It is possible to add functions to crash without having access
to the source code. This is useful for writing platform specific functions
or to obtain more information than is available in the default command set.
Adding new functions is accomplished with shared objects.
The shared object is created from a file consisting of the functions
that are to be added to the existing command set.
When crash is started, these
shared objects are read and the additional functions are incorporated
in the command set.
To create a shared object:
-
Create a file that contains the new commands. This file should define
the variable functab, which should be an array type
struct func. This array points to the new commands that
need to be added.
-
Compile the file with the same options as the kernel
build. For example, if crash is going to be run on top of a
uniprocessor kernel, then the file should be compiled with the
appropriate definitions for a uniprocessor kernel.
-
Use the -G option to the compiler to create the shared object.
crash reads the shared objects from directory
/usr/lib/crash and also from
files defined by environment variable CRASH_LIBS.
Extension example
An example of a file containing a new command (lbolt) is given
below:
#include <stdio.h>
#include <sys/types.h>
#include <syms.h>
extern int get_lbolt();
/* function definition */
struct func {
char *name;
char *syntax;
int (*call)();
char *description;
};
struct func functab[] = {
"lbolt", " ", get_lbolt, "lbolt",
0,0,0,0
};
static struct syment *lbolt_sym = NULL;
extern struct syment *symsrch(char *);
extern FILE *fp;
get_lbolt(void)
{
time_t lbolt;
if (lbolt_sym == NULL && (lbolt_sym = symsrch("lbolt")) == NULL)
return 0;
readmem((void *)(lbolt_sym->n_value), 1, -1, &lbolt, sizeof(lbolt),
"lbolt");
fprintf(fp, "%lx\n",lbolt);
}
30 January 1998
© 1998 The Santa Cruz Operation, Inc. All rights reserved.