Professional Documents
Culture Documents
ST-370
Please
Recycle
Contents
iii
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
Display Format ................................................................................ 3-18
Locations and Sizes......................................................................... 3-20
Variables........................................................................................... 3-22
Additional Commands................................................................... 3-24
Process Control................................................................................ 3-26
Basic adb Analysis .......................................................................... 3-28
Lab Exercises for Module 3............................................................ 3-30
Header Files.................................................................................................4-1
Use and Location............................................................................... 4-2
Lab Exercises for Module 4.............................................................. 4-4
Symbol Tables ............................................................................................5-1
Symbol Tables.................................................................................... 5-2
Kernel Name List .............................................................................. 5-4
Example for nm .................................................................................. 5-6
nm Output ........................................................................................... 5-8
Lab Exercises for Module 5............................................................ 5-10
adb Macros (Part I) .....................................................................................6-1
Availability of adb Macros .............................................................. 6-2
Invoking adb Macros........................................................................ 6-4
Review of adb Commands............................................................... 6-6
Example Macro.................................................................................. 6-8
Lab Exercises for Module 6............................................................ 6-10
adb Macros (Part II) ...................................................................................7-1
The Message Buffer........................................................................... 7-2
The msgbuf Macro ............................................................................ 7-4
Counts Used in msgbuf.................................................................... 7-6
The msgbuf.wrap Macro ................................................................ 7-8
Flow Control .................................................................................... 7-10
adbgen .............................................................................................. 7-12
adbgen in Use................................................................................. 7-14
Including Standard Macros ........................................................... 7-16
Lab Exercises for Module 7............................................................ 7-18
SPARC Assembler .....................................................................................8-1
Assembler Characteristics................................................................ 8-2
CISC and RISC................................................................................... 8-4
Basic SPARC Characteristics ........................................................... 8-6
SPARC Instructions .......................................................................... 8-8
SPARC Registers ............................................................................. 8-10
Register Windows........................................................................... 8-12
SPARC Instruction Types .............................................................. 8-14
Synthetic Instructions ..................................................................... 8-16
SPARC Transfer of Control ........................................................... 8-18
Sources of Problems........................................................................ 8-20
Contents v
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
Lab Exercises for Module 13........................................................ 13-20
Watchdog Resets ......................................................................................14-1
Watchdog Reset Cause and Response ......................................... 14-2
OpenBoot PROM Commands ....................................................... 14-4
obpsym .............................................................................................. 14-6
Sun-4d Systems ............................................................................... 14-8
Lab Exercises for Module 14........................................................ 14-10
Locks...........................................................................................................15-1
Multithreading ................................................................................ 15-2
Race Conditions............................................................................... 15-4
Critical Sections ............................................................................... 15-6
Mutex Locks..................................................................................... 15-8
The ldstub Instruction ............................................................... 15-10
Semaphores.................................................................................... 15-12
Readers Writer Locks ................................................................... 15-14
Condition Variables ...................................................................... 15-16
Waiters............................................................................................ 15-18
Lab Exercises for Module 15........................................................ 15-20
Additional Exercises.................................................................................A-1
The crash Utility ...................................................................................... B-1
The crash Utility ............................................................................. B-2
crash Commands ............................................................................ B-3
Example Use of crash..................................................................... B-4
Overview
This course discusses the methods used to determine the causes of
system panics and hangs. The course is applicable to SPARC™
machines running the Solaris™ 2.5 operating environment.
The audience for this course includes system administrators who are
responsible for maintaining Solaris machines.
Extensive cross references are made to the SunSoft™ Press book, Panic!
by Chris Drake and Kimberley Brown, published by Prentice Hall,
ISBN 0-13-149386-8.
vii
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
Course Prerequisites
● Create adb macros to aid and simplify kernel core dump analysis.
● Initial Analysis
● adb Basics
● Header Files
● Symbol Tables
● SPARC Assembler
● Stacks
● Kernel Internals
● Device Drivers
● STREAMS
● Traps
● Watchdog Resets
● Locks
The following table describes the type changes and symbols used in
this book.
Typeface or
Meaning Example
Symbol
Lab Setup
This course has been written specifically for the Solaris 2.5
environment running on SPARC workstations.
At the top level of the Labs directory there is a file sourceMe which
can be run with . sourceMe to set the paths, if required.
The course involves crashing the operating system, which can result in
corrupt file systems. The ability to rapidly reinstall is a wise
precaution. A spare preinstalled root partition can be very useful.
Objectives
Upon completion of this module, you will be able to:
● Enable your system to save core files created from system panics
using savecore.
1-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
1
System Crashes
System Panics
● Controlled abort of system activities
Watchdog Resets
● Automatic detection of loss of control
Dropping Out
● Sudden loss of control
System Crashes
System Panics
A panic is induced from kernel routines when some unexpected and
inexplicable event or state is detected. To minimize the chance of
further errors, the kernel saves its state and aborts. After a panic, the
machine usually attempts to reboot, and can save information to
enable core dump analysis.
Watchdog Resets
Watchdog resets occur when the kernel, having disabling traps, should
be immune from further interruption . Should a trap occur while in
this state, the kernel cannot handle it and so stops. The kernel state is
not saved, but the CPU registers hold some information that may
assist in identifying the cause. Watchdog resets are explored later in
this course.
Dropping Out
Occasionally, catastrophic failures will cause the kernel to just stop.
Fortunately, these conditions are rare.
Cause of Panics
Integrity Safeguards
● Response to unexpected conditions
Bad Traps
● System trap at inappropriate time
Cause of Panics
Integrity Safeguards
Panics only happen when some unexpected conditions are detected.
Any error may be symptomatic of a larger-scale problem, and one
error may propagate and cause widespread data corruption. The
surest way of preventing further damage is to stop processing. Since
the kernel is running, code can be executed to save the state of the
CPU and memory for later analysis.
It is not possible to cause a panic from user code. The panic and
cmn_err routines can only be called from within the kernel.
Bad Traps
Traps occur to handle hardware interrupts, system calls, and memory
accesses. Most traps are safe, normal traps. Some traps are bad; they
are normal traps that occur at inappropriate times.
A common bad trap is a data fault from within the kernel, but there
are more, which are explored later in the course.
When a trap does occur at a bad time, the kernel automatically invokes
panic.
✓ ASSERT(9F) may also cause a panic if the assertion fails. ASSERT only works if DEBUG is
defined, which is unlikely in production code. Panics may turn up due to drivers having
been compiled with DEBUG defined.
Panic Sequence
Panic Messages
● Display cause and details of panic
Stack Traceback
● Lists addresses and parameters of kernel routines leading to panic
Dump
● Lists use of memory
Reboot
● Automatic attempt at recovery
Panic Sequence
Panic Messages
The panic message is the text string supplied by the kernel
programmer to the panic or cmn_err routine. Some panic messages
are lengthy, and some are much shorter. The first stage of a panic is to
briefly identify what has happened.
Stack Traceback
Following the panic message, the kernel displays the values found on
the current stack, indicating which routines have been called to lead to
this panic. At this stage the kernel cannot inspect a symbol table, so it
cannot give symbolic names for the routines called.
Dump
Following the stack traceback, the kernel syncs the disks to save any
cached file-system information and then saves the memory
information. The number of pages of memory used for each purpose is
shown. The kernel then states the destination of the dump, in terms of
the vnode pointer, which identifies a particular device.
Reboot
Once the dump is committed to disk, the system attempts to reboot. If
the panic was due to a serious failure, the reboot may fail or may
result in another panic. The system may panic and reboot repeatedly.
Usually the system reboots normally, not failing unless the same
conditions are encountered.
Core Dumps
Memory Contents
● Kernel text
● Kernel data
● State of processes
Core Contents
● Interesting chunks
● Kernel state
Dump Device
● Usually swap
Core Dumps
Memory Contents
At any time, memory holds all of the active kernel, active processes,
and cached data from file systems. Similar to user programs, the
kernel has routines stored in text segments and data stored in static
and dynamically allocated memory. Part of the data is used to describe
individual processes, while some is used to describe the system as a
whole.
Core Contents
As described in /usr/include/sys/dumphdr.h, crash dumps contain
only interesting chunks. The panic routine does not save the entire
contents of memory. Some data is old, and some is unrelated to the
panic.
Dump Device
The panic routine saves the core dump to the end of the dumpfile,
which is usually the primary swap partition.
The dump is saved at the end of the dumpfile to maximize the length
of time the dump will be valid once the system reboots. The dump is
written to the dump device with a header and a duplicate at the end of
the dump to enable checking for a valid dump.
savecore
Purpose
● Save core image
Location of Files
● Configured at boot
Size of Files
● No more than memory size
● Frequently less
savecore
Purpose
The savecore command searches the dump device for a core
generated by a panic. If a dump with intact headers is found, the data
is copied to two files within the specified directory. Subsequent panics
followed by savecore can save to the same directory, since each is
numbered according the sequence number held in the bounds file.
The file vmcore.n is the images of memory, and unix.n is a copy of the
kernel text at the time of panic.
Location of Files
Code within sysetup invokes savecore, specifying the directory to
which the core is saved. The default location is /var/crash/hostname,
but this can be changed to any existing directory on a local partition
with enough capacity.
Size of Files
The size of the vmcore file generated is dependent on the system
activity at the time. If the problem is due to a kernel memory leak,
then the core file is likely to approach memory size. If the panic
occurred during or soon after the boot up sequence, before much
system activity it is likely to be much smaller.
Use of savecore
Enabling savecore
/etc/init.d/sysetup
##
## Default is to not do a savecore
##
if [ ! -d /var/crash/`uname -n` ]
then mkdir -m 0700 -p /var/crash/`uname -n`
fi
echo 'checking for crash dump...\c '
savecore /var/crash/`uname -n`
echo ''
minfree
● Ascii file in core directory
● minfree threshold
● Unsuccessful panic
Use of savecore
Enabling savecore
By default, savecore is not usually run. The code to invoke savecore
is within /etc/rc2.d/S20sysetup (actually a link to
/etc/init.d/sysetup). To save cores automatically, this code must
be uncommented before the crash.
Before saving the core, savecore attempts to read the file minfree in
the target directory. The minfree file specifies the minimum number
of kilobytes that must remain free on the file system. If there is less
space available, the core will not be saved.
Hangs
Types of Hangs
● Program hangs
● Terminal hangs
● System hangs
● System slowdown
Causes of Hangs
● Deadlocks
● Resource shortage
● Hardware problems
No Panic
● Must force a core dump
Hangs
Types of Hang
A system hang is a subjective impression. When a user reports the
system is hung, it could be that the application being used has hung,
the terminal has hung, the system has hung, or that the user has
become impatient with the speed of the system.
Causes of Hangs
Hangs can be caused due to overloading, errors, or bad configuration.
Deadlocks occur when two or more processes are waiting for each
other to free a resource before they continue. Resource shortages can
occur in poorly tuned systems or in buggy code where resources are
not freed when finished with. Of course, hardware problems can
manifest themselves in many ways, including hanging the system.
No Panic
If the system has hung, it is unlikely you will see anything describing
why it has hung. To determine the cause, you must generate a core
dump file for analysis.
● L1-a
● STOP-a
● break
● Can be resumed
● go
● c
Force Panic
● Execute illegal instructions
● sync
● g0
● Synchronize disks
● Important to attempt
In some situations, the system may not respond to the first press of the
abort sequence, so extra presses may be required. At other times, the
first abort will be recognized, but only when there are more keystrokes
after the abort sequence.
Force Panic
If a core dump is required, the system can be made to panic by
executing an illegal instruction. If you type sync (or g0 at the >
prompt), the system will attempt to execute where it may not, and so
panic.
System Information
System History
● Date and time installed
● Previous problems
● /var/adm/messages
System Configuration
● Hardware details
● Additional devices
● Patches applied
● System tuning
System Activity
● Usual workload
● Applications in use
Anything Else?
● As much relevant information as possible
System Information
Disk Requirements
● Compress core files
● Save to tape
● Disable savecore
Disk Requirements
Core dumps can consume a lot of disk space. Although core dumps
cannot be analyzed when compressed, you should compress and
archive them until that time.
Multiple core files can be useful to confirm analysis, but if the system
repeatedly panics with the same symptoms, it is usually unnecessary
to save every core file.
a. Change into the Lab1 directory, and ensure both whiz and
byebye exist as executable files.
b. Become superuser.
g. Once your system has entered the PROM monitor and echoed
ok, type sync to force a panic. Wait for the system to reboot,
and watch the console messages as the crash dump is saved.
If your system does not panic immediately, use ls to list your root
directory. If your system still does not panic, ask your instructor
for assistance.
# cd /var/crash/hostname
# ls -ls
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
6. Compare the size of the vmcore files with the amount of memory
your machine has.
________________________________________________________
7. Compress the vmcore and unix files. How much disk space has
been retrieved?
________________________________________________________
Objectives
Upon completion of this module, you will be able to:
● List the basic commands that are useful in doing an initial analysis
on system crash dump files.
2-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
2
Basic Information
Hardware Architecture
Crash Messages
Kernel Statistics
Basic Information
Hardware Architecture
Different architectures require different kernel structures. Also,
analysis utilities such as adb require work on the basis of knowing the
kernel layout, which will be vary between different architectures.
Crash Messages
Crash messages are the initial indication as to what went wrong.
Kernel Statistics
Occasionally, unusual kernel statistics indicate a problem in a
particular area. System hangs are commonly due to overused
resources, such as kernel memory.
Basic Utilities
strings
● Most useful
netstat
● Network statistics
ipcs
● Interprocess communication facilities status
Basic Utilities
strings
The core dump file contains an image of memory, including current
text messages. By running the strings command on the core file, the
system message buffer can be displayed, including boot and crash
messages. From these messages, the hardware and software can be
identified.
Note that the messages buffer is a ring buffer, meaning the messages
may not be in chronological order.
netstat
ipcs
The netstat and ipcs commands can be used to extract information
from the running system or from system crash dumps.
Crash
# crash
dumpfile=/dev/mem,namelist=/dev/ksyms,outfile=stdout
>
> ?
Crash
The crash program has an extensive set of functions, all of which have
brief help messages available to describe which options are available.
Many of the crash functions take options to specify that all entries or
just a specific entry of a particular type should be displayed.
This course does not use crash to analyze core files. Understanding
the material from this course and reading the crash manual page
should enable you to use crash successfully. An example crash
session is shown in Appendix B.
2. Run strings on the core file, and count the number of lines of
output. You should use wc for this.
# strings vmcore.1 | wc -l
_________________________________________________________
3. Run strings on the core file, and redirect the output into a
temporary file.
SunOS ___________________________________________________
Patch ____________________________________________________
panic:____________________________________________________
_________________________________________________________
_________________________________________________________
a. netstat
_________________________________________________________
_________________________________________________________
b. ipcs
_________________________________________________________
_________________________________________________________
# crash
dumpfile=/dev/mem,namelist=/dev/ksyms,outfile=stdout
> proc
_________________________________________________________
_________________________________________________________
_________________________________________________________
8. Exit the crash session running on the current kernel, and start
crash against a core file. Investigate running different crash
commands including proc, defthread, user, and kmastat. Refer
to Appendix B for examples, and the man page for full details.
> quit
# crash vmcore.n unix.n
> kmastat
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
_________________________________________________________
Objectives
Upon completion of this module, you will be able to:
● Evaluate expressions.
● List the basic adb macros, and describe briefly how they are used.
3-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
3
Debuggers
adb
● Absolute debugger
kadb
● Kernel resident absolute debugger
Debuggers
adb
The adb utility is the absolute debugger. It is intended to work with
compiled code, and has no mechanism to use source code. The adb
utility is simple and straightforward, which are advantages when
attempting to analyze a core dump from a system crash. It is generally
accepted as the kernel debugger of choice.
kadb
The kadb program is the memory resident version of adb. adb is run as
a normal SunOS process. The kadb program is run before the
operating system, and itself loads the SunOS™ operating system.
Booting kadb before the operating system enables kadb to run when
the operating system itself stops (due to a Stop-a key sequence or a
panic).
adb Requirements
Files
● /usr/bin/adb
● /usr/platform/platform-name/lib/adb
● /usr/lib/adb
Use of kas
● As supplied on Panic! CD-ROM.
adb Requirements
The platform of the core file, if not known, may be found using
strings on the core file. The current machine’s kernel architecture is
found using uname -m, and the platformis found using uname -i.
Files
The adb executable is stored within the /usr/bin directory. The
standard adb macros are located in /usr/lib/adb and
/usr/platform/platform-name/lib/adb.
Use of kas
Through careful manipulation of directories and files, it is possible to
analyze core files on architectures other than where they were created.
Be careful to avoid misinterpreting the results. The Panic! CD-ROM
includes a utility, kas, to assist in the process.
Running adb
Object File
● Executable file
● Kernel or program
Core File
● Memory
● Image of memory
$ adb – corefile
$ adb executable –
$ adb
Live Systems
# adb -k /dev/ksyms /dev/mem
# adb -k
Running adb
Object File
adb expects an object file to allow it to use text (code), and also to use
the symbol table embedded in (unstripped) executables. If an
executable has been stripped (using strip), debugging becomes
difficult. The kernel modules are not stripped, so they are useful for
kernel debugging even though the text is not required (since in the
Solaris 2 software all kernel text is loaded into memory).
Core File
Memory is occasionally nostalgically referred to as core. Core files are
images of memory, either of a particular process or of the kernel.
Live Systems
The -k option can also be used to inspect the live kernel. The object file
and core file can be specified, although the -k option will change the
defaults correctly to /dev/ksyms and /dev/mem.
✓ The -P option can be used to specify a prompt for adb. By default there is no prompt.
✓ New in 2.5 is the -V option to specify the register display and disassemby mode.
kadb
Booting kadb
● From PROM
ok boot kadb
# reboot kadb
Memory Resident
● Stop-a straight to kernel debugger
● Single stepping
● Supplies a prompt
kadb
Booting kadb
The kadb program must be loaded before the SunOS operating system,
and so must be booted from the PROM.
Memory Resident
When booted, kadb is always in memory, ready to run. When the
kernel stops, such as due to the abort sequence, kadb is entered.
adb Commands
address
● Numeric
● Symbolic
● Expression
count
● Defaults to 1
Display Commands
● ?
● /
● =
format
● Amount of data
● Representation
● Pretty printing
adb Commands
address
The address can be specified using a numeric virtual address — by
using a symbol recognized by the object file, or by using expressions.
Address expressions can use numeric values, symbols, and (also) the
current address, referred to as dot (.). If the address is omitted, dot is
assumed.
count
The repetition count for the command defaults to 1, but it can be
specified as a constant in hexadecimal or decimal, or as the result of an
expression.
Display Commands
Data can be displayed from locations specified by the address in both
the object and the core file. The address can also be used as a constant
and can be displayed in a different format using the equal sign (=).
format
The format expression describes how much data is to be displayed and
in what format. It also enables the use of special formatting characters
to make the display more readable. Formatting is used extensively in
adb macros.
f00baa00/X
strioctl+0x4d4: deafbabe
foobaa00,2/X
strioctl+0x4d4: deafbabe deadbeef
*panicstr/s
cpr_info+0x7ac: zero
utsname/257c
utsname: SunOS
utsname+0t257/s
utsname+0x101: yoyo
utsname+(2*0t257)/4t"release:"16ts
utsname+0x202: release: 5.5
fork+4?i
fork+4: clr %o0
2*0t257=X
202
f00baa00/X
foobaa00,2/X
Requests two lots of 4 bytes from address f00baa00 in the core file to
be displayed.
*panicstr/s
Requests the data pointed to by the symbol panicstr in the core file
be displayed as a string.
utsname/257c
utsname+101/s
Requests the data starting 101 (hexadecimal) bytes after the address
referred to as utsname be displayed as a string.
utsname+(2*0t257)/4t"release:"16ts
fork+4?i
2*0t257=X
adb Expressions
Binary Operators
cpus+8
end-ptr
count*0t4
val%10000
val&ffff
addr|e0000000
acebabe#4
*(p+4)
Unary Operators
*panicstr
-1
~0
#(end-ptr)
adb Expressions
Binary Operators
+ Addition
- Subtraction
* Multiplication
% Integer division
| Bitwise OR
( ) Grouping
Unary Operators
* Pointer dereferencing through core file
- Unary negation
Data Formats
-0t1161901314=X
babecafe
-1=U
4294967295
ffffffff=O
037777777777
ffffffff=Q
-01
-1=B
ff
-1=b
0377
ffffffff=f
+NaN
ffffffff=c
ÿ
0=Y
1970 Jan 1 00:00:00
utsname/257c257c
utsname:
utsname: SunOSyoyo
f000baaa=xx
baaa baaa
Data Formats
X 4 bytes hexadecimal
D 4 bytes decimal
B Single-byte hexadecimal
b Single-byte octal
c A single character
i An instruction
Y Display as date
x, d, u, o, q
As X, D, U, O, Q, but 2 bytes, not 4
Display Format
="split"n"over"n"four"n"lines"
split
over
four
lines
="Stretching"16t"a"30t"point"
Stretching a point
fork,6?ai
fork: fork: save %sp, -0x60, %sp
fork+4: clr %o0
fork+8: call cfork
fork+0xc: clr %o1
fork+0x10: mov %o1, %i1
fork+0x14: ret
+4/X
-0t60/X
Display Format
"text"
Prints literal text from within the quotes.
n
Prints a single new line for each n. adb fits four 4-byte hexadecimal
values on one line.
nt
Prints a tab to specified position, n. adb uses 16 character positions to
print a 4-byte hexadecimal value.
a
Prints the address before each value shown.
+n
Moves the current address forward n bytes.
-n
Moves the current address back n bytes.
Dot (.)
● Known as "dot"
● Current address
Repeat Commands
● Reuse last format
Dot (.)
Dot (.) refers to the current address. This is useful when you want to
apply specific formatting to adb’s current address. It is used
extensively in adb macros.
Repeat Commands
If only an address is supplied (with no format), the previous format is
used. This is useful when you want to display many different variables
in the same format.
Variables
● A to Z
● 0 to 9
$v
● Displays current variable usage
$r
● Registers
Example
aba000>a
dab>b
2>c
<a+<b,<c="y"X"doo"n
Variables
$v
Variables and their values are displayed. Variables not explicitly set by
commands are not.
$r
The CPU has many internal registers, of which a subset is accessible at
any time. The register set can be displayed using $r. Individual
registers can be read and assigned to.
Additional Commands
$c, $C
● Display stack backtrace
$x, $X
● Display floating point register values
$<
● Read commands from specified file until end of file
$>
● Write output to specified file, or to standard output if no file is
specified
$M
● Display macros (kadb only)
$q or Control-d
● Exit adb
$Ptext
● Set a prompt
Additional Commands
$c and $C
The $c and $C commands display the stack backtrace, including six
arguments to each function call. Stack backtraces are central to crash
dump analysis.
$<
Reading commands from an external file is how adb makes use of
macros. $< is sometimes regarded as "executing the specified macro."
When using kadb, there is no access to external files, so $< does mean
execute the specified macro.
$>
adb output can be saved into an external file. While writing to an
external file, error messages are still written to the screen. When
analyzing core files, writing to an external file is useful because you
can use additional utilities (such as vi and grep) to interpret the
output.
$M
Lists the names of the kadb built-in macros.
$q or Control-d
Either $q or Control-d will exit adb. Exiting kadb is only possible
using $q, and will return to the boot PROM prompt.
$Ptext
The prompt is set to text, including any whitespace.
Process Control
Breakpoints
address:b Sets breakpoint at address.
Running
:r Run the program.
Stepping
:s Step a single instruction.
Process Control
Variables
● hw_provider
● architecture
● srpc_domain
● time
● lbolt
Macros
● utsname
● msgbuf
Variables
● hw_provider – Manufacturer of system.
● time – Time stored in core file. Time of crash for crash cores, or
current time if inspecting live kernel.
Macros
● utsname – Displays system information contained within
utsname structure.
2. Use adb to convert the IP address you have just found into a single
hexadecimal number. For example:
0t192=x
c0
0t29
1d
0t98
62
0t4
4
c01d6204=U
3223151108
5. Print the result of 1024 decimal * 1024 decimal in both decimal and
hexadecimal on the same line:
1048576 100000
0t1024*0t1024=DX___________________________________
4294967295
0xffffffff = U____________________________________
ffffffff or ffff
-1 = _____________________________________________
10. The time given is in Greenwich Mean Time (GMT). California can
be eight hours behind GMT. Use the value found in 8d above to
discover the time of the UNIX epoch in California.
1969 Dec 31 17:00:00
0-(value from 8d) = Y ___________________________________
It’s an hour wrong
Does the time look correct?________________________________
11. When does the operating system think is the time for deadbeef?
12. What does adb think the signed and unsigned decimal answer to
Hamlet’s question is?
-1 4294967295
2b|~2b = DU _______________________________________
ff
0xff0000%0x10000=X_________________________________
0xff000000%0x1000000=X_____________________________
ffffffff
16. Does adb preserve the sign when doing division using %?
-7 (yes, preserves sign)
-0t76%0t10=d_______________________________________
17. Print just the bee from deafbee using & as a mask
bee
0xdeafbee&0xfff=X__________________________________
18. Print just the deaf from deafbee using a combination of & and %.
deafbee&ffff000%1000=X
________________________________________________________
20. adb uses # to perform logical negation. What are the values of:
1
#0_________________________________________________
0
#1_________________________________________________
0
#f00baa____________________________________________
1
#(#1)______________________________________________
1
#(#f00baa)_________________________________________
1
##f00baa___________________________________________
0
###f00baa__________________________________________
1
########f00baa_____________________________________
21. adb uses variables with single letter names. Store 4096 decimal
into the variable p and the value of 1 Mbyte into the variable m.
Then find how many pages are in 1Mbyte.
0t4096>p
0t1024*0t1024>m
256
<m%<p=D ___________________________________________
24. Now exit adb and change into the directory where your crash files
are stored. Run adb specifying the core files from the corrupt
rootdir crash. For example, if that was your second crash:
25. Use the utsname macro to confirm the origin of the core file:
$<utsname
utsname:
utsname: sys _______________________
utsname+0x101: node _______________________
utsname+0x202: release _______________________
utsname+0x303: version _______________________
utsname+0x404: machine ___________________________
hw_provider/s
hw_provider: ____________________________________
architecture/s
architecture: ____________________________________
srpc_domain/s
srpc_domain: ____________________________________
27. Determine when your system crashed, and how long since it was
booted.
time/Y
time: ____________________________________
lbolt/D
lbolt: ____________________________________
28. Store the crash time and number of seconds of uptime into adb
variables, and then use the variables to find the boot time.
*time>t
*lbolt%0t100>l
<t-<l=Y ____________________________________
29. View the panic string to see the reason for the crash.
*panicstr/s
some_label: ____________________________________
30. Dump the message buffer with the msgbuf macro. Then redirect
the output to a new file, and save the msgbuf output in that file.
Remember to redirect the output back to the screen.
$<msgbuf
$>msgbuf.2
$<msgbuf
$>
31. Retrieve the stack backtrace, and store the output to another file.
$c
$>stack.2
$c
$>
Objectives
Upon completion of this module, you will be able to:
4-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
4
Definitions
● Types
● Macros
Declarations
● Functions
● Variables
Directories
● /usr/include
● /usr/include/sys
● /usr/include/vm
● /usr/platform/platform-name/include
Inclusion
● <subdirspec/filename>
Definitions
To improve readability, programmers define their own types based on
the standard predefined C data types. View the header files to
determine the actual data types and sizes.
Macros are also defined to improve readability. Macros are used for
symbolic constants and also to simplify expressions.
Declarations
Declarations do not define anything new but merely declare that the
functions or variables are available for access. Although the source
code containing the actual definitions of their types will not usually be
supplied, the declarations will declare the types.
Directories
The standard location for header files is within the /usr/include
directory.
Inclusion
To use the declarations and definitions from header files, they must be
included into program code. By default, angle brackets (< > ) refer to
files within /usr/include, so only the subdirectory specification (if
any) and the file name are required.
1. Change into the Lab4 directory, and run the count script to
display the display the number of files and directories stored
beneath the /usr/include directory.
panicstr___________________________________________
systm.h: extern char *
t0_________________________________________________
thread.h:extern struct _kthread
p0_________________________________________________
proc.h:extern proc_t
ncsize_____________________________________________
dnlc.h:extern int
kas________________________________________________
as.h:extern struct as
pt_cnt_____________________________________________
ptms.h:extern int
dumpfile___________________________________________
bootconf.h:extern struct bootobj
moddebug___________________________________________
modctl.h:extern int
4. The supplied program sizzle tells you the size of some basic
types. By counting the bytes or by extending sizzle, determine
the sizes of the following common data structures. If you prefer
not to take this challenge, use the supplied program cheat.
5. Assuming you did not use the cheat program, determine how
many bytes the following fields are into their structures:
1 _ 2 3 4 5
7
8 9 10
11
12 _
13
14 15 16
_ 17
18
19
Across Down
Objectives
Upon completion of this module, you will be able to:
5-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
5
Symbol Tables
Use
● Symbolic debugging
Generation
● Generated by compiler
Display
● nm
● dump
Removal
● strip
Symbol Tables
Use
Symbol tables (or namelists) enable symbols to be used to refer to
variables and functions when debugging the kernel or user programs.
Without symbol tables, all input to adb would have to be numeric and
all labels displayed by adb would be numeric.
Generation
When source code is compiled, global symbols are extracted from the
source code and placed into the object file. The Solaris 2 operating
system uses the executable and linking format, ELF. All ELF files have
the capability of holding symbol tables although some, such as core
files, may not use the facility.
Display
The nm utility is the name list printer, which will display the symbols
in an object file. Various options to nm modify the data displayed. See
nm(1) for more details; note that there are two versions of nm supplied
in release 5.5 of the operating system.
The dump utility can dump selected parts of an object file including the
symbol table, if requested. dump has many more capabilities than nm.
See dump(1) for more details.
Removal
Symbol tables can be removed using strip(1) to reduce the disk
storage requirements. However, when an object file is stripped, the file
cannot be used for symbolic debugging.
The kernel modules are typically not stripped, but utilities supplied
with the operating system (such as ls, grep, nm, dump and strip
itself) will be stripped. The saving can be large, especially for complex
programs.
Kernel Modules
● /kernel
● /platform/platform-name/kernel
● /usr/kernel
/dev/ksyms
● Symbols from currently loaded modules
Kernel Modules
The Solaris 2 operating system uses a dynamically loaded kernel. The
kernel is split into multiple modules that need not be loaded into
memory until required, thus saving memory.
Each module is an ELF object file, containing the code and symbols for
a particular kernel function.
/dev/ksyms
The symbols for loaded kernel modules are grouped together and
made accessible through the pseudo device, /dev/ksyms.
Example for nm
tiny.h
/* tiny.h */
#define BESTYEAR 66
struct mustang {
float ragtop;
int leather;
int candyapple; } dreamcar;
struct highway {
int speedlimit;
int smokey; };
tiny.c
/* tiny.c*/
#include"tiny.h"
main()
{
int tickets = 6;
dreamcar.ragtop = 123.5;
dreamcar.leather = 6;
dreamcar.candyapple = 10;
}
Example for nm
nm Output
nm Output
The bind column describes the scope of the symbols, whether LOCAL,
GLOBAL, or WEAK (which is similar to GLOBAL, but can be overridden
by GLOBALs of the same name).
The other column is reserved for future use and is currently set to
zero.
See Panic!, page 97, for a more complete nm output, and see the man
page for more details of the columns.
1. Change into the /kernel directory, and list the contents. You will
see several subdirectories plus the generic base kernel located in
the file genunix. The directories (with more under /usr/kernel
and /platform/platform-name/kernel) contain loadable kernel
modules.
________________________________________________________
ksyms: __________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
14. Now change into the Lab5 directory where you will find the files
penguin.h and penguin.c. View the files. Note which lines are
declarations and which are definitions of symbolic constants,
types, variables, and functions.
errno, appeal
Declarations _____________________________________________
FEATHERS_MCGRAW, TRUE, FALSE
Symbolic constant definition ______________________________
who_t, what_t, bool_t, struct crime
Type definition __________________________________________
Local variable definition __________________________________
suspect
Global variable definition _________________________________
convictions, pervicacious, sentence, fines_total
Function definition _______________________________________
appeal, main
Declarations _____________________________________________
Symbolic constant definition ______________________________
Type definition __________________________________________
Local variable definition __________________________________
convictions, pervicacious, sentence, fines_total
Global variable definition _________________________________
appeal, main
Function definition _______________________________________
17. adb can be used to inspect user programs. Run adb using penguin
as the object file. You need not specify a core file. (Do not expect a
prompt.)
$ adb penguin
18. Set a breakpoint at the entry to main, and then run the program
under adb’s control.
main:b
:r
19. List some of the assembly code, using the two commands below.
main?20i
main,20?i
The first requests 20 instructions from the object file, and the
second requests an instruction 20 times. Why do they give
different amounts of output?
20. Display the contents of the sentence variable, this time from
memory (using / instead of ?). Since sentence is a structure of a
bool_t (really an int), an int, and a float, the following is
suitable:
sentence: 0 0 +0.0000000e+00
sentence/DDf___________________________________________
pervicacious: 1
pervicacious/D_____________________________________
suspect/D ______________________________________________
symbol not found (it’s on the stack)
24. Why is only one found? (Where is the value of the other stored?)
26. Repeatedly single step through the code using :s until you notice
a comment involving sentence. (Assembler comments are
preceded by !) Single step two more instructions, and then display
the contents of sentence as above.
sentence: 1 0 +0.0000000e+00
________________________________________________________
28. Continue single stepping, and observe when variables are actually
changed.
29. Exit adb, and ensure floats.c is compiled into floats. Run
make, or use cc floats.c -o floats.
main:b
:r
32. Observe the first 14 values stored in the floats array, using the
following commands:
farray/14f
farray,e/f
33. Now observe all 15 elements of the array using similar commands
to the above. What do you think causes the output?
________________________________________________________
It seems to be used within adb, so cannot be used as a count.
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Objectives
Upon completion of this module, you will be able to:
6-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
6
Standard Macros
● /usr/lib/adb
● /usr/platform/platform-name/lib/adb
● Kernel architecture-specific
adbgen
● Generates adb scripts (macros)
Hand-Written Macros
● Supplement existing
adb -I dirspec
● Alternative locations
Standard Macros
The Solaris operating system contains a set of standard macros located
under /usr/lib/adb and /usr/platform/platform-name/lib/adb.
Over 200 macros are supplied to display many different kernel data
structures.
adbgen
adb macros refer to the fields within a data structure by means of
offsets from the start of the structure. The macro must print out values
using the correct number of bytes. To assist in the generation of
correctly formatted adb macros, adbgen can be used to compile
adbgen scripts. The header file defining the data structure of interest is
included in the adbgen script, and the fields can be referred to by
name. adbgen requires a compiler to create adb scripts, and is
restricted to generating macros that display the contents of a single
structure.
Hand-Written Macros
adb macros can be written to extend the set supplied with the
operating system. This might be appropriate if the structure of interest
does not have a suitable macro, or if the standard macros do not
display the needed data in the correct format.
adb -I dirspec
A colon-separated list of directories to be used instead of the standard
locations can be specified on the adb command line.
$< file
● Run macro
$<< file
● Include macro into execution of current
Start Address
● Embedded into macro
$< file
The $< syntax executes the commands (macro) in the named file. adb
will open the file and source the commands as if directly typed. When
all the commands within the file have been executed, adb returns to
standard input to read the next command.
$<< file
From within one macro, another may be called. If $< is used, then at
the end of the included macro, control will be passed back to standard
input rather than continuing the original macro.
$<< nests a macro, so when the called macro ends, the current macro is
resumed.
Start Address
Macros are usually used to format data that is at a particular address
within memory or the core file. Some macros are for specific kernel
structures that have global names, which are embedded into the
macro. An example is the msgbuf macro. If the macro defines its own
starting point, it is unnecessary to supply the $< command.
Other macros are used to format data structures that can occur in
many different locations. For these, the starting address is usually
supplied. However, $< or $<< can be used with no address if dot, the
current location, is already correct.
/t Tab over.
Example Macro
# cat /usr/lib/adb/bootobj
./"fstype"16t16C
+/"name"16t128C
+/"flags"16t"size"16t"vp"n3X
physmem 1e6d
rootfs$<bootobj
First Line
● Start at current address; supply address.
Second Line
● Move past last data.
Third Line
● Print flags.
● Print size.
● Print vp.
Example Macro
# ls /usr/lib/adb | wc -w
# ls /usr/platform/‘uname -i‘/lib/adb | wc -w
struct utsname {
char sysname[SYS_NMLN];
char nodename[SYS_NMLN];
char release[SYS_NMLN];
char version[SYS_NMLN];
char machine[SYS_NMLN];
};
The lines of the macro are executed as if entered directly. Type the
first line of the macro into your adb session.
utsname/"sys"8t257c
4. Try the following commands to see how the macro uses the
formatting capabilities of adb.
utsname/X _________________________________________
utsname/c _________________________________________
utsname/3c ________________________________________
utsname/257c ______________________________________
utsname/"sys" _____________________________________
utsname/"sys"257c _________________________________
utsname/"sys"40t257c ______________________________
utsname/"sys"8t257c _______________________________
5. Note how the next line of the adb macro starts with +. The +
ensures the next formatting is applied to the data after the
previous line.
6. Try replacing the tab (t) format character by a new line symbol, n.
utsname/"sys"n257c
__________________________________________________
__________________________________________________
7. The kernel contains the global symbols for p0 and t0. p0 is the
address of the proc structure for process 0 (to which all system
kernel threads refer), and t0 is the kernel thread for sched. Using
the proc and thread adb macros, display the contents of p0 and
t0, and compare with the declarations of the proc structure in
<sys/proc.h> and thread structure in <sys/thread.h>.
p0 $< proc
t0 $< thread
The proc and thread macros are long and do involve some syntax
not yet covered, but they should be mostly understandable.
8. Exit adb, change into the root directory, and run ls. Run adb
against the live kernel, and attempt to display the proc structure of
p0 and the thread structure of t0.
Objectives
Upon completion of this module, you will be able to:
7-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
7
From /usr/include/sys/mgsbuf.h
#define MSG_MAGIC 0x8724786
struct msgbuf {
struct msgbuf_hd {
long msgh_magic;
long msgh_size;
long msgh_bufx;
long msgh_bufr;
u_longlong_t msgh_map;
} msg_hd;
}
Then, when I
was nine,
The most recent system messages are held in a ring buffer, defined as
shown. There is one msgbuf in the system, at the location specified by
the symbol msgbuf.
The msgbuf structure acts as a header for the actual buffer, defining
the size of the buffer and where the latest message started and ended.
Messages are added after the end of the previous message, and will
wrap around to overwrite earlier messages once the end of the buffer
has been used. Thus it is possible that the start of the message may be
before or after the end of the message within the buffer.
msgbuf
msgbuf/"magic"16t"size"16t"bufx"16t"bufr"n4X
+,(*(msgbuf+0t8)-*(msgbuf+0t12))&80000000$<msgbuf.wrap
.+*(msgbuf+0t12),(*(msgbuf+0t8)-*(msgbuf+0t12))/c
First Line
● Starts at location specified by msgbuf
Second Line
● Moves across previously printed data
Third Line
● Prints characters from current location plus offset specified 12
bytes into msgbuf (msgh_bufr)
msgbuf
The use of the msgbuf macro has already been described. Here the
macro is broken down line by line to illustrate how complex macros
can be understood.
First Line
The msgbuf macro does not require a starting address to be specified
since it is intended to display the only msgbuf on the system.
Second Line
The expansion of the count portion of the second line is described on
the following pages. Depending on the count another macro,
msgbuf.wrap, is invoked.
Third Line
The count is explained on the following pages.
Macro References
Address Contains
msgbuf
msgbuf/"magic"16t"size"16t"bufx"16t"bufr"n4X
+,(*(msgbuf+0t8)-*(msgbuf+0t12))&80000000$<msgbuf.wrap
.+*(msgbuf+0t12),(*(msgbuf+0t8)-*(msgbuf+0t12))/c
Macro References
Address Contains
msgbuf.wrap
.+*(msgbuf+0t12),(*(msgbuf+0t4)-*(msgbuf+0t12))/c
msgbuf+0t16+0,*(msgbuf+0t8)/c
First Line
● Prints from msgh_bufr to end of buffer.
Second Line
● Prints from start of buffer to msgh_bufx.
msgbuf.wrap
If the message has wrapped around, then to print it correctly requires
two separate prints.
First Line
Prints the first portion of the message.
Second Line
Prints the second portion of the message.
Macro References
Address Contains
Flow Control
No Test Statements
● adb has no flow control constructs
Count
● Used for conditional printing
.,<a$<macro
.,<a$<
● It is useful to limit to 1 or 0.
Flow Control
No Test Statements
Since there are no test or decision-making constructs in adb, the count
must be used — usually in conjunction with an additional macro, as in
the case of msgbuf.
Count
The count field can be used to test whether extra lines should be
executed.
In the example, if a is not zero, the text is printed just once, regardless
of the actual value of a.
adbgen
adb Scripts
● No structure offset dependencies
● Requires C compiler
Script Format
● Header lines
● Blank line
● Structure name
● adb script
_kthread
./"flags"8t"state"n{t_flag,x}{t_state,X}
+/"pri"8t"epri"8t"procp"n{t_pri,d}{t_epri,d}{t_procp,X}
adbgen
adb Scripts
adbgen compiles scripts into adb macros. Unlike adb macros, adbgen
scripts do not require absolute offsets into data structures. Instead,
symbolic references can be made to the needed structure members.
Script Format
All text before a blank line is taken as header information, used to
interpret the following script. After the blank line, a single structure
from an included file may be referenced. The adb script that follows
uses member names to reference the elements within the structure,
rather than offsets. Each member name is paired with an adb format
character and enclosed in braces ({}). See the adbgen man page for
additional allowed constructs.
adbgen in Use
Macro Generation
● Store the script in a file with the suffix .adb.
# vi tstate.adb
● Run adbgen.
# /usr/lib/adb/adbgen tstate.adb
● The generated file has no suffix.
# cat tstate
./"flags"8t"state"n20+x6+X
+/"pri"8t"epri"8t"procp"n2d132+X
Macro Use
● Refer to the new script within adb as normal.
fc2b8360$<tstate
0xfc2b8360: flags state
0 4
0xfc2b8380: pri epri procp
59 0 fc2b3328
adbgen in Use
Macro Generation
adbgen input file names must end in .adb. adbgen creates a C
program from the script, and compiles and runs the program, which
then writes the adb macro. The C program is then removed.
Macro Use
Subject to the usual directory searching of adb, the macro can then be
used by name as shown.
✓ Note that cpu2 is NOT a standard macro. The standard macro cpus is a better (but more
involved) macro.
The example given illustrates a macro that calls one of the standard
macros. The cpu2 macro must be in the current directory, both cpu2
and the standard macros must be in the same directory, or the -I
option must be used with adb to specify the directories to use.
2. Start adb against one of your core files, and invoke the
threadlist macro. Expect to see many lines of output; the
threadlist macro displays a stack backtrace of every thread on
the system.
*allthreads>t
<t>e
5. e is used to indicate the end of the list. Why do you think the
address of the first thread is used as the end?
To cater for circular lists
________________________________________________________
#(#(<t))=D _____________________________________________
11. Lower in the macro you will see the $c command being applied at
another address. Again, using the cheat program, what is $c
being applied to?
________________________________________________________
The thread’s stack pointer
12. Applying $< without a file name indicates adb should read from
standard input again. When does threadlist.nxt terminate?
________________________________________________________
When the next thread is the original thread (addr stored in e)
13. Exit from adb, and change into the Lab7 directory where you will
find a simple C program involving a linked list, ll.c. Compile the
program, if necessary, and then run it. Look at the source code to
ensure you understand its operation.
# adb ll
donowt:b
:r
breakpoint donowt: save %sp, -0x60, %sp
*head/D
a:
a: 1
*(.+4)>n
<n/D
b:
b: 2
15. Repeat the last two last lines until adb cannot find an address.
(This is when you have reached the end of the list.) Can you
formulate an expression that would test for the end of the list? It
would involve checking that the value stored in n is not the NULL
pointer (which is equal to 0).
________________________________________________________
##<n
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
16. Try modifying the adb macro almost.adb (in the Lab7 directory),
to use your expression. When working, the macro should print the
list as below.
# adb ll
donowt:b
:r
breakpoint donowt: save %sp, -0x60, %sp
*head $< almost.adb
a:
a: key 1
b:
b: key 2
c:
c: key 3
d:
d: key 4
17. Write a macro called thr, which produces the following output
when supplied a kernel thread address. The pc and sp are the two
elements within the t_pcb member of the thread structure.
t_state: decimal
t_pri: decimal
t_pc,sp: hex, hex
t_clfuncs: hex
t_forw: hex
a. Scan all processes and print their PID. (Use practive as the
head of the list of processes.)
b. Scan all the LWPs of a process; for each one, print whether it is
in kernel mode or user mode, the accumulated system time
and user time, and the resource usage.
Objectives
Upon completion of this module, you will be able to:
8-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
8
Assembler Characteristics
High-Level languages
● C, Fortran, C++, Java™, BASIC, COBOL
Low-Level Languages
● Assembly language
● Specific to architecture
● Complicated to write
Assembler Characteristics
High-Level languages
Statements within programs written in high-level languages do not
directly correspond to the instructions used to implement the
program. A single statement can result in many instructions, or some
statements may result in no instructions at all if an optimizing
compiler detects redundant code.
Low-Level languages
Low-level languages are symbolic or mnemonic representations of the
actual instructions to be performed by the hardware.
● Complex decoders
Older Architectures
An older, third class of architecture exists — which is not complex as
CISC, but old, simple, and slow.
RISC architecture
● Few, fast instructions
Register-Intensive
● Many registers per CPU.
Memory Alignments
● Bytes (8 bits) – anywhere
RISC Architecture
The SPARC architecture was designed to fully exploit the benefits
offered by RISC architectures. As a result, fewer instructions are
available than on a CISC architecture, but each one executes rapidly.
To perform any task, a large number of SPARC operations may be
required, but each of them is handled quickly.
Register Intensive
Memory speed has not increased at the same rate as CPU speed, so
frequent use of memory locations causes the processor to stall while
waiting for data. To reduce the number of loads from and stores to
memory, SPARC processors provide many general purpose registers.
With many registers, data can be held within the processor longer,
increasing the likelihood that an operation will not need to access
memory so frequently.
Instructions that reference registers are usually simpler than those that
reference memory.
Memory Alignments
To simplify the requirements of memory access whenever instructions
or data do need to be fetched, the SPARC architecture imposes
restrictions on how data must be stored. All data types must reside on
their natural boundaries.
SPARC Instructions
Alignment Constraints
● All instructions are one full word.
Instruction Pipelining
SPARC Instructions
Alignment Constraints
Just as with all data that is stored in memory, SPARC instructions must
be aligned to their natural boundary.
Instruction Pipelining
Rapid processing of instructions is obtained by simultaneously
performing the stages of execution on multiple instructions. This is
possible due the similarity and constant size of instructions. Compilers
for pipelined architectures will attempt to take advantage of the
pipeline by ordering the instructions in the most suitable manner. A
particular challenge is to order the instructions around conditional
branches, since the partial processing of instructions may be unused if
the branch causes the following code to be skipped.
SPARC Registers
EC EF
31 0
N Z VC S PS ET
SPARC Registers
Register Windows
%i0
8 Input to
%i7
%g0 %l0
to 8 Global 8 Local to
%g7 %l7
%o0
8 Output to
%o7
Reserved Registers
● %g0 always zero
Argument Passing
● Stores arguments in output registers
● Redefines window
Register Windows
Reserved Registers
Global register %g0 is always zero. Reading from %g0 will return zero,
and writing to %g0 will not change its value. This enables %g0 to be
used as a destination register in certain operations where no output is
wanted. This is particularly useful for setting the integer condition
codes for the benefit of a subsequent conditional branch.
Argument Passing
Although different functions have different registers available, by
arranging that the new set of registers overlap with the old set of
registers, arguments can be passed without having to write to the
stack.
ld [address], reg
st reg, [address]
Transfer of Control
● Jumps, conditional branches, and traps
Miscellaneous
● Flush instruction cache
Synthetic Instructions
● Convenience instructions
Synthetic Instructions
The instructions shown are used to set the condition codes (as a result
of performing a bitwise OR with 0), and for loading an immediate
value into a register.
Unconditional
call label
Conditional
ba
bleu
bpos
Delay Instruction
● Load output register
nop
Annul Bit
● Only execute delay instruction if branch is taken
bne,a
tleu
tpos
Sources of Problems
● Alignment faults
Branches
● Jumps to incorrect address
Illegal Instructions
● Jumps to data
Sources of Problems
When debugging crash dumps, the crashes can often identify the
instruction that caused the problems. However, the instruction is an
assembler instruction, which may simply be using data that it was
incorrectly handed.
1. Change into the Lab8 directory, and view the file cards.c. Ensure
you understand the operation of the program.
# cc -S cards.c
# cc -o cards cards.s
6. Notice how the variables point1 and point2 have their values
stored at a location relative to the frame pointer, %fp. The values
are then retrieved into local registers and copied into output
registers before the call to brucey.
Edit the cards.s file and remove some of the unnecessary register
transfers. To test your hand optimization, compile and run the
edited assembler.
# cc -o hand cards.s
# ./hand
# make
9. Inspect the optimized assembler and see where you could have
done better.
10. The file sumem.c adds two numbers and prints the result. Compile
the file and run the executable to verify the program functions
correctly.
# cc sumem.c -o sumem
# ./sumem
Sum is 7
# cc lostem.s -o lostem
# ./lostem
Sum is 0
12. Edit lostem.s, and replace the missing lines in the three blocks as
described by the comments within the file.
# cc -S sumem.c
# cc woops.s -o woops
# ./woops
Before swap, M=5, N=10
Segmentation Fault(coredump)
15. By viewing woops.s, see if you can spot where the bug is, and
relate this back to woops.c.
✓ diff woops.c swoop.c will identify the bug.
Objectives
Upon completion of this module, you will be able to:
9-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Use of Stacks
Function Calling
● Nested functions
Generic Frame
fr_arg[]
Array of calling arguments
Pushing
● Creating a new frame
Popping
● Returning to use previous frame
Use of Stacks
Function Calling
In programming languages such as C, functions may be called in any
order, and may themselves call other functions. At the time of writing
the program, the order of function execution and the degree of
function call nesting are not usually known. Since each function
requires some storage space, a dynamically sized area is required.
Stack Frames
Each time a function is called, the called function must be able to
return back to the caller at the point of call to carry on executing the
original function. The return address is stored on the stack with space
allocated for any locally defined variables. The return information, and
the local storage is known as the stack frame. A generic stack frame is
shown, which includes space for storing the previous extent of the
stack, the point at which the function was called, and the arguments.
Pushing
Whenever a new stack frame is allocated it is pushed onto the stack,
growing it in size.
Popping
Returning from a function enables function data to be discarded, and
so the stack frame is popped off the stack, leaving the caller’s frame
back at the top of the stack.
Stacks 9-3
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
main()
{
fred(1, 2, 3);
}
0xefff ffe8 3
0xefff ffec 0
0xefff fff0 0
0xefff fff8 0
0xefff fffc 0
The frame contains the previous frame pointer, so that when main is
resumed, the location to store any further stack frames will be known.
The saved program counter is an indication of where execution should
continue after returning from fred. On a SPARC processor, the
address of the instruction that called fred is stored, so execution will
resume after that address.
Note that the stack usually grows from high addresses to lower
addresses. The analogy of pushing something onto the stack works
best if you think of a diagram with high addresses at the bottom.
Stacks 9-5
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
From <sys/stack.h>
/*
* A stack frame looks like:
*
* %fp->| |
* |-------------------------------|
* | Locals, temps, saved floats |
* |-------------------------------|
* | outgoing parameters past 6 |
* |-------------------------------|-\
* | 6 words for callee to dump | |
* | register arguments | |
* |-------------------------------| > minimum stack frame
* | One word struct-ret address | |
* |-------------------------------| |
* | 16 words to save IN and | |
* %sp->| LOCAL register on overflow | |
* |-------------------------------|-/
*/
From <sys/frame.h>
/*
* Definition of the sparc stack frame (when it is pushed on the stack).
*/
struct frame {
int fr_local[8]; /* saved locals */
int fr_arg[6]; /* saved arguments [0 - 5] */
struct frame *fr_savfp; /* saved frame pointer */
int fr_savpc; /* saved program counter */
char *fr_stret; /* struct return addr */
int fr_argd[6]; /* arg dump area */
int fr_argx[1]; /* array of args past the sixth */
};
From <sys/stack.h>
The /usr/include/sys/stack.h header file contains a few symbolic
constant definitions, but most usefully it contains a diagram of how
SPARC processors use stacks. The diagram shows high addresses at
the bottom.
From <sys/frame.h>
The actual definition of a stack frame is contained within
/usr/include/sys/frame.h. Since the first elements will be at the
lower addresses when using structures, it is necessary to remember the
required inversion when relating the structure to the diagram on the
previous page.
The location of the saved frame pointer and program counter mean
that the fifteenth and sixteenth words of a stack frame can normally be
inspected to determine where the function was called from.
The structure return address is for functions that return structures. The
structure will be placed elsewhere, with the stack containing its
address.
The arg dump area used is to reserve some temporary space for the
called function to copy the arguments to it.
Beyond the minimum stack frame from the diagram, more memory
can be used to store extra arguments and local variables. Since it is
unknown how many there will be, the stack frame is not of fixed sized.
It is always at least 24 words.
Stacks 9-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Register Windows
Processor Registers
Window N-3
8 registers 8 out registers
8 registers 8 locals
Call function Window N-2
8 registers 8 out registers 8 in registers
8 registers 8 locals
Window N-1
8 registers 8 out registers 8 in registers
8 registers 8 locals
Window N
8 registers 8 out registers 8 in registers
8 registers 8 locals Registers available
from current
8 registers function
8 in registers
8 registers
Globals
Return from function
Register Windows
To increase the speed of argument passing, SPARC processors store the
arguments to a function in output registers of their current window.
When a function call is made, a new register window can be made
available by shifting the current window pointer (CWP). Since the shift
overlaps the out and in registers, the arguments to the called function
are available from the in register set of the new window.
Arguments to functions are only copied from the registers to the stack
when the registers must be flushed. Registers are flushed on a context
switch, when a windows overflow trap is handled, and by the panic
sequence.
Stacks 9-9
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Saving
save %sp, -0x60, %sp
Restoring
restore
Return Address
● Stored in %o7
Saving
A called function shifts the register window to create its own set of
registers. Atomically with shifting the window pointer, the new %sp is
set to be the value of the old %sp, plus whatever increment is specified
(-0x60 in the example shown).
If the newly called routine does not require any registers other than
the output registers of the calling function and (itself) does not call any
other functions, then there is no need to call save. Such a routine is
known as a leaf routine.
Restoring
restore is usually used as a synthetic instruction with no arguments.
(see the SPARC instruction set for additional arguments.)
Calling restore does not return to the calling function, but makes the
caller’s register set current.
Stacks 9-11
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
● Decremented by save
● Incremented by restore
Stacks 9-13
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Simple program
main()
{
fred(1, 2, 3);
}
Disassembled Code
The program shown here is from Panic!, Chapters 17 and 18. The first
stage of this module’s exercises will use this program to work through
the presentation in Panic!.
Stacks 9-15
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Outs
Window N Locals
Locals
Ins
Memory
Frame for
Window N-2 Window N-2
%sp
Window N-1
Frame for %sp %fp
Window N-1
%sp %fp
Frame for
%fp
Window N
Window N
SPARC processors do not have a dedicated stack pointer, but use one
of the general purpose registers (%o6) instead.
After a register window shift, the output registers become the next
window’s input registers. Consequently, the previous frame’s stack
pointer is always available. It is referred to as the frame pointer (%fp).
Stacks 9-17
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Individual Registers
<o7/i
complete_panic+0xf8: call setjmp
<sp/16X
0xf05b0b00: 44000c0 0 1 f0152400
fc32f6c0 fc32f6e4 f0172f54 f05b0ae4
f0048b38 f05b0c74 f05b0b00 306ce
0 1 f05b0b68 f0048718
fr_savfp fr_savPC
Individual Registers
Individual registers are accessed and used in adb as if they were
variables.
Stacks 9-19
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Since two of the eight output registers are always used for the stack
pointer and the saved program counter, passing more than six
arguments requires another method.
Stacks 9-21
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
# cc spaghetti.c -o spaghetti
# spaghetti
Segmentation Fault(coredump)
$c
___________________________________________________
___________________________________________________
___________________________________________________
<sp/16X
___________________________________________________
5. Display the calling instruction and the previous stack frame, again
noting the 15th and 16th words from the stack frame.
16th_word?i _____________________________________________
15th_word/16X___________________________________________
16th_word?i _____________________________________________
15th_word/16X___________________________________________
<pc?i
________________________________________________________
incr_pv?10i
11. Where is the value for the faulting load coming from? What do
you think is happening?
________________________________________________________
Calling function passes value instead of reference
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
Stacks 9-23
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
9
Objectives
Upon completion of this module, you will be able to:
10-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
10
Kernel Mode
Processes
Library code
User code
User mode
Scheduling
Interprocess communication
Memory management
I/O handling
Device drivers
Hardware
Kernel Mode
Programs
● Written
● Compiled
● Stored on disk
Processes
● In some state of execution
● Instances of programs
● Require resources
● Memory
● CPU
Programs
Programs are written, compiled, and stored on disk. They may exist
for long periods of time, but they cannot change any state of the
machine or of other programs.
Processes
A process must be created to execute the program. At startup of the
process, the kernel allocates a collection of resources. Thereafter, the
process carries out the instructions of the program and may request
further resources or kernel services.
At any one time, several processes can run the same program.
Threads
User-level threads
User space
LWP LWP
Kernel
Kernel threads
Threads
The Solaris 2 kernel schedules kernel threads rather than the more
traditional UNIX scheduling of processes.
Scheduling
TS_ONPROC
Resume
Block Preempt
cpu
TS_RUN
TS_SLEEP
Wake up
TS_STOPPED
Preemption
● Time-sliced
● Higher-priority thread
Scheduling
Virtual Memory
0xffffffff
Stack
shared library
Data
Text
Secondary memory
Physical memory
Virtual address
Physical address
Virtual Memory
If the MMU does not have a valid record of the requested virtual
address, a fault occurs asking the kernel to run the appropriate
routines to make the data available and load the MMU with the data’s
location. If the data is successfully loaded, the CPU reissues the
request, which is translated to the appropriate physical address in
memory.
Stack seg
Library seg
Data seg
Text
seg
as
proc
lwp
lwp thread tsproc
These exercises lead you through the analysis of a core dump after
the system performs very poorly. The techniques can be applied to
a crash dump obtained from hung systems.
4. When the computer has successfully rebooted and saved the core
files, go to the crash directory and perform initial analysis.
Use strings and grep to verify that the core file was obtained
forcefully by checking for the panic: zero message.
________________________________________________________
6. Use the threadlist adb macro to save the state of all the kernel
threads to a file.
7. View the file you have saved the list of threads into, and look for
any threads that may be of interest.
Use crash to list the processes at the time of the panic. Save the
listing to a file, and use the full listing of the rattle process to
determine the threadp of rattle. Use the slot number for the
rattle process.
________________________________________________________
9. Display the thread at the address above using the thread adb
macro. Note the values for the fields below.
kthread_t
state
pri
pc
sp
clfuncs
cpu
forw
procp
10. Supply the address of procp to the proc2u macro, and look at the
ps_args fields to verify that you are inspecting the rattle
process.
11. Supply the procp address to the proc macro to determine the
number of LWPs in the rattle process.
________________________________________________________
12. Use the forward pointer (forw) from the thread displayed in step 9
to trace through the next kernel thread of the rattle process.
Continue using the forward pointers until you have noted the
details of all the kernel threads of the process. Use the thr macro
you wrote in module 7, or the thr macro provided.
forw from step 9
kthread_t kthread_t kthread_t kthread_t
state
pri
pc
sp
clfuncs
forw
c. For each thread, use the address you noted for sp and the $c
adb function, and record the function name at the top.
sp_value$c_______________________________________________
sp_value$c_______________________________________________
sp_value$c_______________________________________________
sp_value$c_______________________________________________
d. Using the address you noted for the pc for each thread,
determine the last instructions they called.
pc_value/i_______________________________________________
pc_value/i_______________________________________________
pc_value/i_______________________________________________
pc_value/i_______________________________________________
The first dispatch queue’s address is listed by the cpu macro under
the queue heading. The queues are at the following addresses,
each taking three 4-byte words as described in <sys/disp.h>.
Using the address under queue in the CPU structure, dump three
words at a time until you find a queue with runnable threads.
queue_value/3X
Return
struct cpu
queue
14. The address within the dispatch queues are of threads waiting to
run. Use the first nonzero address found to display the thread,
note the procp value, and use the proc2u macro to determine the
name of the process.
___________________________________________________________
___________________________________________________________
Queue _____________________________________________________
Address of thread ___________________________________________
Address of proc_____________________________________________
✓ The roll process is likely to be the first one found, since it is run with a very low priority.
15. Using the thread macro, determine the state, priority, program
counter, and scheduling class of the thread you have found. What
do the state and clfuncs fields indicate?
kthread_t
state
pri
pc
clfuncs
___________________________________________________________
17. The dispatch queues are in priority order. Does the first queue
represent the lowest or the highest priority?
___________________________________________________________
proc
thread
Last ran on
proc
cpu
Current thread
cpu
Dispatch queues
thread
first last cnt
first last cnt
First on queue
thread
proc
18. Using the roll process you found waiting on the dispatch queue,
trace through the relevant data structures to determine the
composition of its address space.
b. Supply the above address to the as macro and record the value
given under segs (and the number of segs).
segs __________________________________________
nsegs _________________________________________
0xfffffffff 0xfffffffff
Address Address
Size =
Base =
Size =
Base =
Size =
Base =
Size =
Base =
Text Size =
0 Base = 0
NOT TO SCALE
The roll program is statically linked. Dynamically linked
processes normally have more segments.
19. The segment with the highest base address is the stack of the
process. Beneath the stack is a segment from an mmapped file.
a. Check that the adb has displayed the ops field for the seg
under the stack as segvn_ops, then use the segvn macro on the
data value. Continue to fill out the diagram below to discover
which inode represents the file mapped in.
seg
data
segvn
vnode
vnode
data
pages
page inode
vnode ino
offset
pagenum
c. How many pages are in memory for this file? (Use the page’s
vpprev and vpnext pointers to help.) ____________________
20. The roll process also has the mmapped file still open. Again using
the procp field from step 14, display the user structure (see
<sys/user.h>) using the proc2u macro.
At the end of the user structure is the start of the process’s open
file table. The first three entries are for standard input, output, and
error. The next entry is the file opened. Supply the address of the
fourth entry to the file macro and complete the diagram.
To /dev/tty
user
file
vnode
vnode
data
inode
ino
Note – In this case the open file has been mapped in, and so is also
referenced through the segments. Commonly, opened files are not
mapped in, and so do not necessarily have segments associated.
You have now traced through several more important kernel data
structures. The diagram below shows their relationship.
page page
inode inode
vnode vnode
seg
seg segvn
file
seg
user
as seg
proc
lwp thread
Objectives
Upon completion of this module, you will be able to:
11-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
11
User Requests
● Translating system calls into device specific actions
User Requests
Device drivers are responsible for servicing user requests resulting
from system calls. The standard system call interfaces will require
translation into the device-specific operations.
Loadable Drivers
ufs
sd
sbus genunix
scsi
unix
dma
mydrv
TS specfs
Loadable Drivers
Driver Functions
● XXattach()/XXdetach()
● XXidentify()
User Level
● XXopen()
● XXclose()
● XXstrategy()
● XXprint()
● XXread()
● XXwrite()
● XXioctl()
● XXmmap()
● XXsegmap()
● XXchpoll()
Driver Functions
User Level
Device driver routines conventionally have standard names prefixed
by a short identifier of the device.
Installing Drivers
Install
# cp driver /usr/kernel/drv
# add_drv driver
Configuration Files
● Required for non self-identifying devices
# cp driver.conf /usr/kernel/drv
Installing Drivers
Install
Kernel modules must reside in a location known to the kernel at boot
time. The /etc/system file enables the definition of the module path,
which defaults to the directories /platform/platform-name/kernel,
/kernel, and /usr/kernel. Under these module path directories, the
kernel will expect to find various subdirectories including drv for
device drivers.
Configuration Files
Some devices, known as self-identifying, have a small amount of code
on the device itself, which can be executed to identify the
characteristics of the device. Other devices require configuration files,
which must reside in the same directory as the driver and named as
the driver module with a .conf extension.
● Heavy use?
● moddebug
set moddebug | 0x80000000
Core Analysis
● Save multiple cores
Core Analysis
If multiple core files all contain stack backtraces involving the driver
routines, or if multiple threads within one core seem to be using the
same driver routines, there is a strong case to suspect the driver. Also,
if a newly installed driver is corrupting kernel memory in
unpredictable ways, then a single core file may produce misleading
results.
In these exercises you will build, install, and use the device driver
to gain experience of the procedure and to discover when the
various functions are called.
Part I
1. Go to the Lab11 directory, and read the README file.
# ./build
b. Place the driver in the correct directory, and notify the system.
# ./install
# ./mkfsmnt
3. Now run some basic commands (while still watching the console).
# ls /mnt
# echo hiya > /mnt/text
# sync
# umount /mnt
# modinfo
# modunload -i ramdisk_id
Part II
4. Ensure savecore is enabled, and run the mkfsmnt command from
the Lab11 directory again. Now exercise the driver by running the
soak script.
# ./soak
7. Make notes relating to the details of the core dump, and retain for
later examination.
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
✓ The core file should be much larger than the others so far collected; the driver has a
kernel heap core leak. The threadlist macro should show threads waiting for pages.
crash/kmastat should show an excessive amount of memory used.
Objectives
Upon completion of this module, you will be able to:
12-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
12
Purpose
● Efficient character-based I/O
Structure
● Stream head
● Queues
● STREAMS modules
● Device driver
User space
Driver
Purpose
The STREAMS facility was introduced into the UNIX system to
provide an efficient yet uniform and flexible method of handling
character-based communications.
STREAMS are used within the Solaris 2 operating system for terminal
and network handling; STREAMS device drivers can be written for
additional character-based devices.
Structure
Each stream is a connection between the user-level interface (known as
the stream head) and the device driver. Characters to be sent to the
device are passed downstream, while those incoming from the device
travel upstream to the user process. Between the stream head and the
device driver, additional processing of the data can be performed by
loadable streams modules. Each module implements a different
function; and by selecting appropriate modules, the stream can be
used to implement various protocols.
STREAMS 12-3
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
12
STREAMS Queues
stdata
Stream head
qinit
queue
qband
module_info
module_stat
mblk
qinit
queue
qband
module_info
module_stat
mblk
queue
STREAMS Queues
Queue-Processing Functions
There are a number of standard functions to process STREAMS
queues. Stack traces involving functions such as putnext, putq,
qprocson, and qprocsoff indicate STREAMS activity. See section 9F
of the man pages for more functions.
STREAMS 12-5
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
12
2. In that shell, change to the Lab12 directory, and run the program
watneys, which prints ad nauseam to the screen. Run the program
in the background, and note its process ID. Soon after starting it,
suspend the terminal output in that window by pressing ^S.
# ./watneys&
^S
PID ____________________________________________________
4. As in module 10, access the open file table of the process, and
display the vnode. This time use standard output, which is the
second file descriptor listed by the proc2u macro.
address_under_stream$<stdata
address_under_wrq$<queue
7. If the address under first is 0, then this queue is empty, and the
address under next can be supplied to the queue macro to inspect
the next queue. Continue doing so until you arrive at a queue with
data, indicated by a nonzero value for first. Note the address
under qinfo.
________________________________________________________
8. When you have a nonzero value for first, you can inspect the
message blocks pointed to by first.
address_under_first$<mblk
9. The difference between the values under rptr and wptr indicate
the number of characters in this block. Calculate the difference,
then dump that many characters from the address under rptr.
addr_under_rptr,(addr_under_wptr - addr_under_rptr)/c
________________________________________________________
10. Using the address you noted from under qinfo (step 7), display
the data and look at the label adb prints at the left. This should
indicate on which STREAMS module you have data.
addr_under_qinfo/X
________________________________________________________
11. Are the data and the module as you would expect?
________________________________________________________
________________________________________________________
STREAMS 12-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
12
Objectives
Upon completion of this module, you will be able to:
● List the various trap types and give a brief description of each.
13-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Trap Usage
SPARC Traps
● Immediate jump to kernel code
Causes
● System calls
● Page faults
● Hardware interrupts
CPU Responsibilities
● Identify trap type
Trap Usage
SPARC Traps
A trap causes an immediate jump to kernel code from wherever the
CPU was currently executing. Traps can occur while executing user
programs or kernel code. The sequence is interrupted and, hopefully,
resumed after processing the trap. On some occasions it is not possible
to continue from where the trap was caused.
Causes
Any operation that requires kernel code to be executed must invoke a
trap. A common example is system calls, where a trap instruction is
part of the system call wrapper function.
CPU Responsibilities
Whenever a trap occurs, the kernel must identify why the trap
occurred and take the appropriate action. If the trap can be
satisfactorily handled, the CPU must resume whatever was being
executed.
Traps 13-3
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Trap Types
Synchronous
● Caused during instruction execution
● Trap instructions
● Hardware errors
Asynchronous
● Requested at any time
Trap Types
Synchronous
Synchronous traps occur because of the executed instruction. System
calls fall into this type of trap — where a trap instruction is used as the
method to transfer execution to the kernel functions that implement
the system call.
Asynchronous
Asynchronous traps can be requested at any time, independent and
asynchronously of whatever instructions are executing. The trap is
handled after the completion of the current instruction, so as not to
disrupt the unrelated current operation.
At times, traps occur when they should not. In such situations, the
kernel may be unable to continue — either by design, where the
operating system recognizes a fatal error, or due to inability of the
hardware to resolve problems. When a trap occurs that cannot be
handled, a bad trap is reported and the system panics. The trap
function calls panic by way of the die routine, supplying the trap
type and the address of the saved registers as the first and second
arguments. The registers can be inspected using the regs macro
within adb.
Traps 13-5
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Trap Sequence
Trap Sequence
The value of the supervisor bit within the PSR is transferred into the
previous supervisor bit. This enables the trap-handling code to
determine where the trap originated. For example, page faults from
supervisor mode are somewhat more serious than those from user
mode.
Traps 13-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Format
T_TEXT_FAULT 0x01
T_DATA_FAULT 0x09
T_SOFTWARE_TRAP 0x80
Format
The trap base register always has the bottom four bits cleared. The
next eight bits are set by the processor (in hardware) when a trap
occurs, giving an offset into the page defined by the top 20 bits.
This implies that the trap-handling code for each trap type is 16 bytes
away from the previous and next trap’s code. With four bytes for each
instruction, this allows four instructions per trap type.
Traps 13-9
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Trap Handling
Register Usage
● Address of trapping instruction in register %l1
Handler Code
● Four instructions available
Returning
● rett
Trap Handling
Register Usage
Due to the restricted availability of registers during trap handling (no
explicit save, no overflows detected), the program counter is saved in a
local register. The next program counter is held in %l2. During
handling of some traps, the processor status register is also stored. The
trap code generally has five local registers available.
Handler Code
Since only four instructions are available at the address specified by
the trap base register, they usually consist of saving some state
followed by a jump to a routine located in memory without such tight
space restrictions.
Returning
The special instruction to return from a trap is rett, undoing all that
was done to get to the trap handling code and setting the program
counter to the value saved in %l1.
Traps 13-11
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Trap Types
31 Interrupt level 15
128 Software trap 0
136 Software trap 8 – 126
Trap Types
Of the 256 traps available, half are used for hardware traps and half
for software traps. Software traps are generated by the SPARC
assembler ticc instructions, and are used, for example, inside the
system call wrapper functions. Software traps are identified by the
software trap number, which always has 128 added before use as the
tt field in the trap base register.
Although the previous table does not show all traps used within the
Solaris environment, most types are unused.
Traps 13-13
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Interrupts
Delivery
● External hardware requires attention
Asynchronous
● CPU checks before each instruction fetch
● Time criticality
Response
● Trap
Interrupts
Delivery
Interrupts occur when hardware external to the processor needs
attention. The external hardware notifies the processor that data
require collection. The data may be that previously requested, or some
incoming data from a source external to the system. An interrupt also
notifies condition changes, or possibly just that a condition has
occurred.
Asynchronous
External devices generate interrupts asynchronously to the current
execution stream. Even if they are in response to data requests, it is
likely that the requesting thread is asleep and another is running in its
place. Consequently, the current instruction is unlikely to be related to
the source of the interrupt and is allowed to complete before the
interrupt is handled.
After completing each instruction and before fetching the next, the
processor checks for outstanding interrupts.
Response
When an interrupt is noticed, the standard trap handling sequence is
used, with the trap handler branching to the interrupt service routine.
Traps 13-15
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
SPARC Interrupts
Cause Traps
● Traps 17 to 31
Prioritized
● 15 levels
Level 0 (Spurious)
Level 1 (Softclock)
Level 2 SBus/VME level 1
Level 3 SBus/VME level 2
Level 4 On-board SCSI
Level 5 SBus/VME level 3
Level 6 On-board Ethernet
Level 7 SBus/VME level 4
Level 8 On-board video (retrace)
Level 9 SBus/VME level 5
Level 10 Normal clock (100Hz)
Level 11 SBus/VME level 6, floppy drive
Level 12 Serial I/O (zs)
Level 13 SBus/VME level 7, audio device
Level 14 High-level clock (kernel profiling)
Level 15 Asynchronous error (memory errors)
SPARC Interrupts
Cause Traps
An interrupt is delivered to the processor as a trap, where the trap
type indicates the level of interrupt. Each level is used for an
individual device, or the interrupt handler may polls several devices
to determine which caused the shared interrupt level.
Prioritized
SPARC allows fifteen levels of interrupt, which are allocated according
to how urgently devices require attention. The lower the level of
interrupt, the lower priority it has. For example, a device interrupting
at level 6 is always serviced before a device interrupting at level 2.
When any interrupt is serviced, the processor interrupt level (PIL) field
of the PSR is set to prevent any lower-level interrupts being serviced.
The higher priority interrupt levels are used for devices that require
urgent attention. This is often due to the amount of buffering available
on the device. For example, a disk with a large amount of buffering
will interrupt at a lower level than the serial lines (zs), which have a
two-byte buffer.
Level 0 indicates that all interrupts are enabled. User code runs at level
0. If an interrupt does occur at level 0, it is reported as a spurious
interrupt.
Traps 13-17
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Interrupt Tracebacks
Trap
● Trap recognition code
● Trap frame
Interrupt Polling
● Determine which device
Interrupt Tracebacks
Traps 13-19
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
meltdown 180
Part I
2. Reboot your system to run kadb.
# reboot kadb
3. When the system has fully rebooted, press Stop-a to enter kadb.
kadb[0] <tbr=X
________________________________________________________
kadb[0] <tbr/4i
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
8. Take the value of the register found in step 4, and extract the two
hexadecimal digits indicating the trap type:
Trap base address Trap type
tbr: 0
9. View the <sys/trap.h> header file, and find the symbolic name
of this trap type. (Remember that software trap types are all above
0x80)
________________________________________________________
kadb[0] $c
11. To receive the Stop-a sequence, the keyboard uses the serial line
driver to send an interrupt through the zsintr routine. Why is
there no keyboard interrupt (zsintr) in the backtrace?
________________________________________________________
T_DATA_FAULT___________________________________________
T_SYSCALL ______________________________________________
T_OSYSCALL _____________________________________________
Traps 13-21
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
13. From these trap numbers and the value already found from the
trap base register, determine the location of the trap-handling code
for each.
T_DATA_FAULT___________________________________________
T_SYSCALL ______________________________________________
T_OSYSCALL _____________________________________________
T_DATA_FAULT___________________________________________
T_SYSCALL ______________________________________________
T_OSYSCALL _____________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
15. Now attempt to single step through the trap-handling code. Set a
breakpoint at the first instruction for the T_SYSCALL trap handling
code found in step 13.
Stop-a
kadb[0] addr:b
16. Continue UNIX, then attempt to single step through the trap code
to determine what trap occurred.
kadb[0] :c
________________________________________________________
18. Why?
________________________________________________________
Part II
20. Change into the Lab13 directory where there is the code for a
loadable system call. Build and install the loadable module, plus a
program to utilize it, by running the make command.
# make
21. Ensure you have savecore enabled, then run the runme program
and wait a short time. Note what happens.
________________________________________________________
Traps 13-23
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
22. When the system reboots, change into the crash file directory and
start adb on the core dump. (Ensure you are using a scrollable
window.)
# cd /var/crash/hostname
# adb -k unix.n vmcore.n
23. Perform initial analysis. Display the message buffer, find the crash
time, and use the current thread from the cpu structure to find the
name of the process that caused the crash.
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
$c
die(0x7, addr
trap
sys_trap(?)
________________________________________________________
meltdown_sys
26. Remember that traps use the stack in a different fashion from
function calls.
addr$<regs
addr psr pc npc
_______
addr_under_pc?i
________________________________________________________
28. Is the faulting instruction within the function found in step 24?
<sp$<stacktrace
30. Look for a stack frame where %l1 (second value in frame)
corresponds to the instruction found in step 27.
31. Look at the stack frame before (printed after), the frame containing
the instruction from step 27. From that frame write down the
value stored in the register the instruction uses. Remember the
first value shown in a stack frame is that stored in %l0.
32. Given the instruction that was attempted, why did it fault?
________________________________________________________
Traps 13-25
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
13
Objectives
Upon completion of this module, you will be able to:
14-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
14
Cause
● Trap while traps disabled
Response
● OpenBoot PROM commands
● kadb is of no use
● Reboot
Cause
Watchdog resets occur to return control of the system after the
processor has entered an error mode. The error mode is entered if a
trap is received while traps are disabled. The SPARC version 8
architecture cannot handle nested traps, so while processing one trap,
the ET bit in the PSR is cleared to indicate traps are unwelcome.
Asynchronous traps such as those due to interrupts are delayed, but
synchronous traps such as data faults cannot be delayed.
Response
After a watchdog reset, there is very little that can be done to analyze
the system. Due to the catastrophic nature of a reset, it is impossible to
execute any sophisticated code as required by the panic() routine or
kadb.
The only possibilities available after a reset are offered by the boot
PROM. The system can be booted in an attempt to salvage the
operating system; but, additionally, a small number of OpenBoot
PROM commands can be used to determine a small amount of
information from the processor.
After booting the system, the hexadecimal addresses from the ctrace
command can be used to identify which functions were called prior to
the fatal trap. Unfortunately, using adb does not always identify the
routines correctly. The addresses can be used by different kernel
routines after the boot, due to the unpredictability of the order of
loading kernel modules. The only routines guaranteed to be at the
same location are those present within the
/platform/platform_name/kernel/genunix module.
obpsym
● modload
obpsym
forceload: misc/obpsym
modload -p misc/obpsym
Sun-4d Systems
● Automatic reboot
Sun-4d Systems
# make zap
2. Run zap.
# ./zap
3. What happens?
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
________________________________________________________
ok sync
________________________________________________________
________________________________________________________
________________________________________________________
6. Reboot the system and load the obpsym module. Run zap and use
ctrace. Use the value indicated for PC as the input to the dis
OpenBoot command to view the code executed.
ok addr dis
________________________________________________________
________________________________________________________
________________________________________________________
8. Reboot the system, view the file zap.c, and verify your answer.
Objectives
Upon completion of this module, you will be able to:
15-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Multithreading
Thread of Execution
● Sequence of instructions being executed
Concurrency
● Measure of number of simultaneous operations
Multithreaded Kernel
● Multiple threads simultaneously executing kernel code
Multithreading
Thread of Execution
A thread is a single sequence of execution. All processes have at least
one thread.
Concurrency
Concurrency is a measure of how many threads of execution can be
performed at any one time.
Multithreaded Kernel
A multithreaded kernel allows more than one sequence of operation to
be carried out inside the kernel at any one time. This is particularly
important for multiprocessor systems. If a multiprocessor system runs
a single threaded kernel, then only one sequence can be executed in
the kernel at any one time, meaning that only one CPU can be
executing kernel code at any time.
Locks 15-3
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Race Conditions
InUse = False;
}
Incomplete Operation
● One thread sets up to use structure
Race Conditions
Incomplete Operation
A more difficult race condition to avoid is when one thread initializes
a structure that is then used by a second thread before initialization is
complete. System V semaphores suffer from this type of race condition
— where the creation of a semaphore, and the initialization of its value
are two separate operations.
Locks 15-5
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Critical Sections
Definition
● Code segment executable by only one thread at any time
Serialization
● No parallel access
Mutual Exclusion
● If any one thread in critical section, all other excluded
Parallel Execution
Critical Sections
Serialization
To avoid problems during critical sections, it is necessary to restrict
access to the critical section by a single thread at any time. Thus, if
multiple threads attempt the operation in parallel, the operations must
be serialized.
Mutual Exclusion
To enforce safety in a critical section such as a test and set operation, a
method of mutual exclusion must be provided. When any thread
enters the critical sections, all other threads must be excluded.
Locks 15-7
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Mutex Locks
Code Locking
● Mutex for functions
Data Locking
● Mutex for variables
int global
mutex_t mutex;
mutex_enter(&mutex);
Critical section
global++;
mutex_exit(&mutex);
Mutex Locks
Code Locking
Code locking occurs when only one thread may be executing a portion
of code, regardless of the data being operated upon. To implement
code locking, a mutex is associated with the section of code.
Data Locking
Data locking enables multiple threads to execute the same code but
not on the same data. To implement data locking, each shared variable
requires an associated lock.
Locks 15-9
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Lock in memory
Register
Example Use
ldstub [%o0 + 3] , %g6 !Get & set lock byte
Atomic Operation
● Loading previous contents and storing new are indivisible
Using the ldstub instruction effectively replaces the test and set
metaphor with a set and test. However, by following the ldstub
instruction with a test on the retrieved value, it is possible to
determine if the lock was previously set. If previously locked, the
ldstub instruction would have previously written 0xff to the
memory location, so writing a new 0xff does not change the lock
status. If the previous value was 0, the lock was free, but has now been
acquired.
Locks 15-11
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Semaphores
Resources Counter
● Initialized to count of resources
sema_p
● Atomic test and decrement
sema_v
● Increment count
Semaphores
Resources Counter
Semaphores are used when a count of resources must be atomically
tested and decremented. If the value of the semaphore is greater than
zero after the decrement, a resource was available.
Locks 15-13
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
● Usually read
Read Read
Read Read
Read Read
OR
Write
rw_rdlock()
● Add another reader
rw_wrlock()
● Become writer
Readers writer locks are an optimization for access to shared data that
on occasion is modified, but is usually just read. Since the data is
sometimes written, it must be locked to prevent two or more threads
from trying to change the value simultaneously. However, acquiring a
mutex results in only a single thread reading the data at a time. Such
serialization can have an adverse effect on performance.
Readers writer locks can be locked for read access or for write access.
If an attempt is made for read access, it succeeds if the lock is not held,
or being waited for, by a writer. Attempts to acquire the lock for
writing only succeed if the lock is not held by any other thread for
reading or writing.
The Solaris kernel gives writers preference in that writers waiting will
prevent more readers from obtaining the lock. If both writers and
readers are waiting when a writer releases the lock, the waiting writer
gains the lock. Thus, if such a lock is used when writing is frequent,
readers may be starved of access to the critical section.
Locks 15-15
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Condition Variables
cv_wait()
● Sleep until awakened
cv_signal()
● Wake up one sleeper
int busy;
mutex_t lock;
cond_t cv;
mutex_enter(&lock); mutex_enter(&lock);
Condition Variables
Locks 15-17
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Waiters
Waiters
Locks 15-19
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
✓ Target objectives here are to illustrate mutexes and ldstub, note leaf routines, and to
demonstrate how threads stuck in drivers cannot be terminated.
# reboot kadb
# make install
# ./openrd &
kadb[0] rd_open:b
kadb[0] :c
# ./openrd &
Caution – This replaces the save instruction of the clock routine with
! a return, effectively disabling any clock processing. Do not expect the
operating system to multitask until you have restored the correct
instruction.
kadb[0] clock/i
clock:
clock: jmp %o7+0x8
8. Display the instructions for rd_open, and note the address of the
first call to mutex_enter.
kadb[0] rd_open,10/ai
kadb[0] rd_open+<offset>:b
10. Continue the operating system, then single step into mutex_enter.
kadb[0] :c
kadb[0] :s
kadb[0] :s
kadb[0] mutex_enter,6/i
__________________________________________________
__________________________________________________
12. Register %o0 holds the address of the mutex to be locked. Display
the value, and format the mutex.
kadb[0] <o0=X
kadb[0] <o0$<mutex
13. Single step past the ldstub instruction, and display the contents
of the destination register (second argument) of the ldstub. This
now holds the previous value of the lock byte.
Locks 15-21
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
Lab Exercises for Module 15
The owner field should now be set to the current thread. Confirm
this by comparing the owner with the value stored in %g7. Note
that, due to the way the mutex macro has been written, the lock
field may appear clear.
kadb[0] :s
kadb[0] :s
kadb[0] :s
stopped at mutex_enter:
kadb[0] <o0$<mutex
owner______________________________________________
19. Now, set breakpoints on the following routines, and decide the
order in which they will be called.
kadb[0] 5
disp:b ____________________________________
kadb[0] 4
swtch:b ___________________________________
kadb[0] 3
sleepq_insert:b ___________________________
kadb[0] 1
t_block:b _________________________________
kadb[0] 2
ts_sleep:b ________________________________
kadb[0] 6
resume:b __________________________________
20. Use :c to continue the operating system until you have entered
resume. Note the order in which the routines are called.
21. Remove all breakpoints, and restore the first instruction of the
clock routine to the correct value as noted in step 8.
kadb[0] :c
23. Use the ps command to find the process IDs of the two openrd
processes, then attempt to kill them. Will they die?
__________________________________________________
Locks 15-23
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
15
A-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
A
Additional Exercises
By the end of this course, you should have several core files in your
crash directory. During the course, your instructor has introduced
methods of analysis that you can now apply to these core files.
Follow the steps below to create another crash with which you can
work. Start with the initial analysis, and determine as much
information as possible. Try to identify what causes the crash and why.
If you have SunSolve available, search for any related bug reports.
6. Now, attempt to increase the size of your swap file using mkfile.
If this does not cause a panic, ask your instructor for assistance.
Notes
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Notes
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Notes
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Notes
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
B-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
B
Dumpfile
Defaults to /dev/mem
vmcore.n
Namelist
Defaults to /dev/ksyms
unix.n
Output File
Defaults to standard output
crash Commands
Command Syntax
function [ argument ]
Functions Available
> ?
as hment prnode strstat
b (buffer) kfp proc t (trace)
base kmastat pte trace
buf (bufhdr) l (lck) pty thread
buffer lck q (quit) ts
bufhdr linkblk qrun tsdptbl
c (callout) lwp queue tsproc
callout m (vfs) quit tty
class major rd (od) u (user)
cpu map redirect user
ctx mblock rtdptbl ui (uinode)
dblock mode rtproc uinode
defproc mount (vfs) rwlock v (var)
defthread mutex s (stack) var
dispq mutextable search vfs
ds nfsnode sema vfssw
f (file) nm size vnode
file od sment vtop
findaddr p (proc) smgrp ?
findslot page snode !cmd
fs (vfssw) pcb stack
hat pcfsnode status
help pmgrp stream
Function Arguments
-e Display every entry
-f Display full structure
-p Interpret all adresses as physical addresses
-s slot Use specified process slot
-w file Redirect output to named file
> p -f 23
PROC TABLE SIZE = 490
SLOT ST PID PPID PGID SID UID PRI CPU NAME FLAGS
23 r 214 1 214 0 0 98 80 vold load jctl
> p -p #118
PROC TABLE SIZE = 490
SLOT ST PID PPID PGID SID UID PRI CPU NAME FLAGS
11 r 118 1 118 118 0 98 80 rpc.nisd load
> help defthread
defthread [-p] [-r] [-w filename] [-c address]
set default thread
alias:
acceptable aliases are uniquely identifiable initial substrings
> defthread -r fc1ce5c0
Current Thread = fc1ce5c0
> help defproc
defproc [-w filename] [-c | -r | slot]
set default process slot
alias:
acceptable aliases are uniquely identifiable initial substrings
> defproc
Procslot = 23
> u
PER PROCESS USER AREA FOR PROCESS 23
PROCESS MISC:
command: vold, psargs: /usr/sbin/vold
start: Thu Feb 1 17:10:53 1996
mem: 146, type: exec
vnode of current directory: fc3121a8
OPEN FILES, POFILE FLAGS, AND THREAD REFCNT:
[0]: F 0xfc30c0e0, 0, 0 [1]: F 0xfc30cc70, 0, 0
[2]: F 0xfc30cc70, 0, 0 [3]: F 0xfc30cd60, 0, 0
[4]: F 0xfc30c3b0, 1, 0 [5]: F 0xfc30c180, 0, 0
[6]: F 0xfc30c7c0, 1, 0 [7]: F 0xfc30c1a8, 1, 0
[8]: F 0xfc30c810, 0, 0 [9]: F 0xfc30cef0, 0, 0
[10]: F 0xfc30c748, 0, 0 [11]: F 0xfc30c360, 1, 0
cmask: 0000
RESOURCE LIMITS:
cpu time: unlimited/unlimited
file size: unlimited/unlimited
swap size: 2147479552/2147479552
stack size: 8388608/2147479552
coredump size: unlimited/unlimited
file descriptors: 1024/1024
address space: unlimited/unlimited
SIGNAL DISPOSITION:
1: ef77d67c 2: ef77d67c 3: ignore 4: default
5: default 6: default 7: default 8: default
9: default 10: default 11: default 12: default
13: default 14: default 15: ef77d67c 16: ef77d67c
17: ef77d67c 18: ef77d67c 19: default 20: default
21: default 22: default 23: default 24: default
25: default 26: ignore 27: default 28: default
29: default 30: ignore 31: ignore 32: ignore
33: ef77d67c 34: default 35: default 36: default
37: default 38: default 39: default 40: default
41: default 42: default 43: default
> file 0xfc30c0e0
ADDRESS RCNT TYPE/ADDR OFFSET FLAGS
fc30c0e0 1 SPEC/fc1dd404 0 read
> file 0xfc30cd60
ADDRESS RCNT TYPE/ADDR OFFSET FLAGS
fc30cd60 1 UFS /fc2d2a38 0 write appen
VNODE :
VCNT VFSMNTED VFSP STREAMP VTYPE RDEV VDATA VFILOCKS VFLAG
2 0 fc244b60 0 f - fc2d2a30 0 -
mutex v_lock: waiters 0 lock 0
type: MUTEX_ADAPTIVE owner 0
Condition variable v_cv: 0
> kmastat
buf buf buf memory #allocations
cache name size avail total in use succeed fail
---------- ----- ----- ----- -------- ------- ----
kmem_slab_cache 32 65 254 8192 189 0
kmem_bufctl_cache 12 238 762 12288 524 0
kmem_alloc_8 8 153 1524 12288 5411 0
kmem_alloc_16 16 210 1016 16384 2499 0
kmem_alloc_24 24 135 338 8192 912 0
kmem_alloc_32 32 132 381 12288 1019 0
kmem_alloc_40 40 44 202 8192 405 0
kmem_alloc_48 48 50 84 4096 885 0
kmem_alloc_56 56 60 72 4096 153 0
kmem_alloc_64 64 27 126 8192 3452 0
kmem_alloc_80 80 11 150 12288 2480 0
kmem_alloc_96 96 24 126 12288 361 0
kmem_alloc_112 112 14 144 16384 620 0
kmem_alloc_128 128 3 31 4096 251 0
kmem_alloc_144 144 11 84 12288 112 0
kmem_alloc_160 160 24 25 4096 213 0
kmem_alloc_176 176 16 138 24576 317 0
kmem_alloc_192 192 23 84 16384 537 0
kmem_alloc_208 208 18 19 4096 18 0
kmem_alloc_224 224 9 18 4096 20 0
kmem_alloc_240 240 14 16 4096 17 0
kmem_alloc_256 256 3 60 16384 75 0
kmem_alloc_320 320 2 12 4096 49 0
kmem_alloc_384 384 3 10 4096 20 0
kmem_alloc_448 448 4 9 4096 92 0
kmem_alloc_512 512 4 16 8192 28 0
kmem_alloc_576 576 8 105 61440 137 0
kmem_alloc_672 672 3 12 8192 22 0
kmem_alloc_800 800 5 10 8192 19 0
kmem_alloc_1024 1024 7 20 20480 7099 0
^C
> quit
#
The Panic! CD-ROM also contains a script, iscda, which can assist in
the initial analysis.
C-1
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService March 1996
C
Checklist
● OS Release
● Name of system
● Particular hardware?
● panic: zero?
● Use threadlist.