Debugging390.txt 78 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143
  1. Debugging on Linux for s/390 & z/Architecture
  2. by
  3. Denis Joseph Barrow (djbarrow@de.ibm.com,barrow_dj@yahoo.com)
  4. Copyright (C) 2000-2001 IBM Deutschland Entwicklung GmbH, IBM Corporation
  5. Best viewed with fixed width fonts
  6. Overview of Document:
  7. =====================
  8. This document is intended to give a good overview of how to debug Linux for
  9. s/390 and z/Architecture. It is not intended as a complete reference and not a
  10. tutorial on the fundamentals of C & assembly. It doesn't go into
  11. 390 IO in any detail. It is intended to complement the documents in the
  12. reference section below & any other worthwhile references you get.
  13. It is intended like the Enterprise Systems Architecture/390 Reference Summary
  14. to be printed out & used as a quick cheat sheet self help style reference when
  15. problems occur.
  16. Contents
  17. ========
  18. Register Set
  19. Address Spaces on Intel Linux
  20. Address Spaces on Linux for s/390 & z/Architecture
  21. The Linux for s/390 & z/Architecture Kernel Task Structure
  22. Register Usage & Stackframes on Linux for s/390 & z/Architecture
  23. A sample program with comments
  24. Compiling programs for debugging on Linux for s/390 & z/Architecture
  25. Debugging under VM
  26. s/390 & z/Architecture IO Overview
  27. Debugging IO on s/390 & z/Architecture under VM
  28. GDB on s/390 & z/Architecture
  29. Stack chaining in gdb by hand
  30. Examining core dumps
  31. ldd
  32. Debugging modules
  33. The proc file system
  34. SysRq
  35. References
  36. Special Thanks
  37. Register Set
  38. ============
  39. The current architectures have the following registers.
  40. 16 General propose registers, 32 bit on s/390 and 64 bit on z/Architecture,
  41. r0-r15 (or gpr0-gpr15), used for arithmetic and addressing.
  42. 16 Control registers, 32 bit on s/390 and 64 bit on z/Architecture, cr0-cr15,
  43. kernel usage only, used for memory management, interrupt control, debugging
  44. control etc.
  45. 16 Access registers (ar0-ar15), 32 bit on both s/390 and z/Architecture,
  46. normally not used by normal programs but potentially could be used as
  47. temporary storage. These registers have a 1:1 association with general
  48. purpose registers and are designed to be used in the so-called access
  49. register mode to select different address spaces.
  50. Access register 0 (and access register 1 on z/Architecture, which needs a
  51. 64 bit pointer) is currently used by the pthread library as a pointer to
  52. the current running threads private area.
  53. 16 64 bit floating point registers (fp0-fp15 ) IEEE & HFP floating
  54. point format compliant on G5 upwards & a Floating point control reg (FPC)
  55. 4 64 bit registers (fp0,fp2,fp4 & fp6) HFP only on older machines.
  56. Note:
  57. Linux (currently) always uses IEEE & emulates G5 IEEE format on older machines,
  58. ( provided the kernel is configured for this ).
  59. The PSW is the most important register on the machine it
  60. is 64 bit on s/390 & 128 bit on z/Architecture & serves the roles of
  61. a program counter (pc), condition code register,memory space designator.
  62. In IBM standard notation I am counting bit 0 as the MSB.
  63. It has several advantages over a normal program counter
  64. in that you can change address translation & program counter
  65. in a single instruction. To change address translation,
  66. e.g. switching address translation off requires that you
  67. have a logical=physical mapping for the address you are
  68. currently running at.
  69. Bit Value
  70. s/390 z/Architecture
  71. 0 0 Reserved ( must be 0 ) otherwise specification exception occurs.
  72. 1 1 Program Event Recording 1 PER enabled,
  73. PER is used to facilitate debugging e.g. single stepping.
  74. 2-4 2-4 Reserved ( must be 0 ).
  75. 5 5 Dynamic address translation 1=DAT on.
  76. 6 6 Input/Output interrupt Mask
  77. 7 7 External interrupt Mask used primarily for interprocessor
  78. signalling and clock interrupts.
  79. 8-11 8-11 PSW Key used for complex memory protection mechanism
  80. (not used under linux)
  81. 12 12 1 on s/390 0 on z/Architecture
  82. 13 13 Machine Check Mask 1=enable machine check interrupts
  83. 14 14 Wait State. Set this to 1 to stop the processor except for
  84. interrupts and give time to other LPARS. Used in CPU idle in
  85. the kernel to increase overall usage of processor resources.
  86. 15 15 Problem state ( if set to 1 certain instructions are disabled )
  87. all linux user programs run with this bit 1
  88. ( useful info for debugging under VM ).
  89. 16-17 16-17 Address Space Control
  90. 00 Primary Space Mode:
  91. The register CR1 contains the primary address-space control ele-
  92. ment (PASCE), which points to the primary space region/segment
  93. table origin.
  94. 01 Access register mode
  95. 10 Secondary Space Mode:
  96. The register CR7 contains the secondary address-space control
  97. element (SASCE), which points to the secondary space region or
  98. segment table origin.
  99. 11 Home Space Mode:
  100. The register CR13 contains the home space address-space control
  101. element (HASCE), which points to the home space region/segment
  102. table origin.
  103. See "Address Spaces on Linux for s/390 & z/Architecture" below
  104. for more information about address space usage in Linux.
  105. 18-19 18-19 Condition codes (CC)
  106. 20 20 Fixed point overflow mask if 1=FPU exceptions for this event
  107. occur ( normally 0 )
  108. 21 21 Decimal overflow mask if 1=FPU exceptions for this event occur
  109. ( normally 0 )
  110. 22 22 Exponent underflow mask if 1=FPU exceptions for this event occur
  111. ( normally 0 )
  112. 23 23 Significance Mask if 1=FPU exceptions for this event occur
  113. ( normally 0 )
  114. 24-31 24-30 Reserved Must be 0.
  115. 31 Extended Addressing Mode
  116. 32 Basic Addressing Mode
  117. Used to set addressing mode
  118. PSW 31 PSW 32
  119. 0 0 24 bit
  120. 0 1 31 bit
  121. 1 1 64 bit
  122. 32 1=31 bit addressing mode 0=24 bit addressing mode (for backward
  123. compatibility), linux always runs with this bit set to 1
  124. 33-64 Instruction address.
  125. 33-63 Reserved must be 0
  126. 64-127 Address
  127. In 24 bits mode bits 64-103=0 bits 104-127 Address
  128. In 31 bits mode bits 64-96=0 bits 97-127 Address
  129. Note: unlike 31 bit mode on s/390 bit 96 must be zero
  130. when loading the address with LPSWE otherwise a
  131. specification exception occurs, LPSW is fully backward
  132. compatible.
  133. Prefix Page(s)
  134. --------------
  135. This per cpu memory area is too intimately tied to the processor not to mention.
  136. It exists between the real addresses 0-4096 on s/390 and between 0-8192 on
  137. z/Architecture and is exchanged with one page on s/390 or two pages on
  138. z/Architecture in absolute storage by the set prefix instruction during Linux
  139. startup.
  140. This page is mapped to a different prefix for each processor in an SMP
  141. configuration (assuming the OS designer is sane of course).
  142. Bytes 0-512 (200 hex) on s/390 and 0-512, 4096-4544, 4604-5119 currently on
  143. z/Architecture are used by the processor itself for holding such information
  144. as exception indications and entry points for exceptions.
  145. Bytes after 0xc00 hex are used by linux for per processor globals on s/390 and
  146. z/Architecture (there is a gap on z/Architecture currently between 0xc00 and
  147. 0x1000, too, which is used by Linux).
  148. The closest thing to this on traditional architectures is the interrupt
  149. vector table. This is a good thing & does simplify some of the kernel coding
  150. however it means that we now cannot catch stray NULL pointers in the
  151. kernel without hard coded checks.
  152. Address Spaces on Intel Linux
  153. =============================
  154. The traditional Intel Linux is approximately mapped as follows forgive
  155. the ascii art.
  156. 0xFFFFFFFF 4GB Himem *****************
  157. * *
  158. * Kernel Space *
  159. * *
  160. ***************** ****************
  161. User Space Himem * User Stack * * *
  162. (typically 0xC0000000 3GB ) ***************** * *
  163. * Shared Libs * * Next Process *
  164. ***************** * to *
  165. * * <== * Run * <==
  166. * User Program * * *
  167. * Data BSS * * *
  168. * Text * * *
  169. * Sections * * *
  170. 0x00000000 ***************** ****************
  171. Now it is easy to see that on Intel it is quite easy to recognise a kernel
  172. address as being one greater than user space himem (in this case 0xC0000000),
  173. and addresses of less than this are the ones in the current running program on
  174. this processor (if an smp box).
  175. If using the virtual machine ( VM ) as a debugger it is quite difficult to
  176. know which user process is running as the address space you are looking at
  177. could be from any process in the run queue.
  178. The limitation of Intels addressing technique is that the linux
  179. kernel uses a very simple real address to virtual addressing technique
  180. of Real Address=Virtual Address-User Space Himem.
  181. This means that on Intel the kernel linux can typically only address
  182. Himem=0xFFFFFFFF-0xC0000000=1GB & this is all the RAM these machines
  183. can typically use.
  184. They can lower User Himem to 2GB or lower & thus be
  185. able to use 2GB of RAM however this shrinks the maximum size
  186. of User Space from 3GB to 2GB they have a no win limit of 4GB unless
  187. they go to 64 Bit.
  188. On 390 our limitations & strengths make us slightly different.
  189. For backward compatibility we are only allowed use 31 bits (2GB)
  190. of our 32 bit addresses, however, we use entirely separate address
  191. spaces for the user & kernel.
  192. This means we can support 2GB of non Extended RAM on s/390, & more
  193. with the Extended memory management swap device &
  194. currently 4TB of physical memory currently on z/Architecture.
  195. Address Spaces on Linux for s/390 & z/Architecture
  196. ==================================================
  197. Our addressing scheme is basically as follows:
  198. Primary Space Home Space
  199. Himem 0x7fffffff 2GB on s/390 ***************** ****************
  200. currently 0x3ffffffffff (2^42)-1 * User Stack * * *
  201. on z/Architecture. ***************** * *
  202. * Shared Libs * * *
  203. ***************** * *
  204. * * * Kernel *
  205. * User Program * * *
  206. * Data BSS * * *
  207. * Text * * *
  208. * Sections * * *
  209. 0x00000000 ***************** ****************
  210. This also means that we need to look at the PSW problem state bit and the
  211. addressing mode to decide whether we are looking at user or kernel space.
  212. User space runs in primary address mode (or access register mode within
  213. the vdso code).
  214. The kernel usually also runs in home space mode, however when accessing
  215. user space the kernel switches to primary or secondary address mode if
  216. the mvcos instruction is not available or if a compare-and-swap (futex)
  217. instruction on a user space address is performed.
  218. When also looking at the ASCE control registers, this means:
  219. User space:
  220. - runs in primary or access register mode
  221. - cr1 contains the user asce
  222. - cr7 contains the user asce
  223. - cr13 contains the kernel asce
  224. Kernel space:
  225. - runs in home space mode
  226. - cr1 contains the user or kernel asce
  227. -> the kernel asce is loaded when a uaccess requires primary or
  228. secondary address mode
  229. - cr7 contains the user or kernel asce, (changed with set_fs())
  230. - cr13 contains the kernel asce
  231. In case of uaccess the kernel changes to:
  232. - primary space mode in case of a uaccess (copy_to_user) and uses
  233. e.g. the mvcp instruction to access user space. However the kernel
  234. will stay in home space mode if the mvcos instruction is available
  235. - secondary space mode in case of futex atomic operations, so that the
  236. instructions come from primary address space and data from secondary
  237. space
  238. In case of KVM, the kernel runs in home space mode, but cr1 gets switched
  239. to contain the gmap asce before the SIE instruction gets executed. When
  240. the SIE instruction is finished, cr1 will be switched back to contain the
  241. user asce.
  242. Virtual Addresses on s/390 & z/Architecture
  243. ===========================================
  244. A virtual address on s/390 is made up of 3 parts
  245. The SX (segment index, roughly corresponding to the PGD & PMD in Linux
  246. terminology) being bits 1-11.
  247. The PX (page index, corresponding to the page table entry (pte) in Linux
  248. terminology) being bits 12-19.
  249. The remaining bits BX (the byte index are the offset in the page )
  250. i.e. bits 20 to 31.
  251. On z/Architecture in linux we currently make up an address from 4 parts.
  252. The region index bits (RX) 0-32 we currently use bits 22-32
  253. The segment index (SX) being bits 33-43
  254. The page index (PX) being bits 44-51
  255. The byte index (BX) being bits 52-63
  256. Notes:
  257. 1) s/390 has no PMD so the PMD is really the PGD also.
  258. A lot of this stuff is defined in pgtable.h.
  259. 2) Also seeing as s/390's page indexes are only 1k in size
  260. (bits 12-19 x 4 bytes per pte ) we use 1 ( page 4k )
  261. to make the best use of memory by updating 4 segment indices
  262. entries each time we mess with a PMD & use offsets
  263. 0,1024,2048 & 3072 in this page as for our segment indexes.
  264. On z/Architecture our page indexes are now 2k in size
  265. ( bits 12-19 x 8 bytes per pte ) we do a similar trick
  266. but only mess with 2 segment indices each time we mess with
  267. a PMD.
  268. 3) As z/Architecture supports up to a massive 5-level page table lookup we
  269. can only use 3 currently on Linux ( as this is all the generic kernel
  270. currently supports ) however this may change in future
  271. this allows us to access ( according to my sums )
  272. 4TB of virtual storage per process i.e.
  273. 4096*512(PTES)*1024(PMDS)*2048(PGD) = 4398046511104 bytes,
  274. enough for another 2 or 3 of years I think :-).
  275. to do this we use a region-third-table designation type in
  276. our address space control registers.
  277. The Linux for s/390 & z/Architecture Kernel Task Structure
  278. ==========================================================
  279. Each process/thread under Linux for S390 has its own kernel task_struct
  280. defined in linux/include/linux/sched.h
  281. The S390 on initialisation & resuming of a process on a cpu sets
  282. the __LC_KERNEL_STACK variable in the spare prefix area for this cpu
  283. (which we use for per-processor globals).
  284. The kernel stack pointer is intimately tied with the task structure for
  285. each processor as follows.
  286. s/390
  287. ************************
  288. * 1 page kernel stack *
  289. * ( 4K ) *
  290. ************************
  291. * 1 page task_struct *
  292. * ( 4K ) *
  293. 8K aligned ************************
  294. z/Architecture
  295. ************************
  296. * 2 page kernel stack *
  297. * ( 8K ) *
  298. ************************
  299. * 2 page task_struct *
  300. * ( 8K ) *
  301. 16K aligned ************************
  302. What this means is that we don't need to dedicate any register or global
  303. variable to point to the current running process & can retrieve it with the
  304. following very simple construct for s/390 & one very similar for z/Architecture.
  305. static inline struct task_struct * get_current(void)
  306. {
  307. struct task_struct *current;
  308. __asm__("lhi %0,-8192\n\t"
  309. "nr %0,15"
  310. : "=r" (current) );
  311. return current;
  312. }
  313. i.e. just anding the current kernel stack pointer with the mask -8192.
  314. Thankfully because Linux doesn't have support for nested IO interrupts
  315. & our devices have large buffers can survive interrupts being shut for
  316. short amounts of time we don't need a separate stack for interrupts.
  317. Register Usage & Stackframes on Linux for s/390 & z/Architecture
  318. =================================================================
  319. Overview:
  320. ---------
  321. This is the code that gcc produces at the top & the bottom of
  322. each function. It usually is fairly consistent & similar from
  323. function to function & if you know its layout you can probably
  324. make some headway in finding the ultimate cause of a problem
  325. after a crash without a source level debugger.
  326. Note: To follow stackframes requires a knowledge of C or Pascal &
  327. limited knowledge of one assembly language.
  328. It should be noted that there are some differences between the
  329. s/390 and z/Architecture stack layouts as the z/Architecture stack layout
  330. didn't have to maintain compatibility with older linkage formats.
  331. Glossary:
  332. ---------
  333. alloca:
  334. This is a built in compiler function for runtime allocation
  335. of extra space on the callers stack which is obviously freed
  336. up on function exit ( e.g. the caller may choose to allocate nothing
  337. of a buffer of 4k if required for temporary purposes ), it generates
  338. very efficient code ( a few cycles ) when compared to alternatives
  339. like malloc.
  340. automatics: These are local variables on the stack,
  341. i.e they aren't in registers & they aren't static.
  342. back-chain:
  343. This is a pointer to the stack pointer before entering a
  344. framed functions ( see frameless function ) prologue got by
  345. dereferencing the address of the current stack pointer,
  346. i.e. got by accessing the 32 bit value at the stack pointers
  347. current location.
  348. base-pointer:
  349. This is a pointer to the back of the literal pool which
  350. is an area just behind each procedure used to store constants
  351. in each function.
  352. call-clobbered: The caller probably needs to save these registers if there
  353. is something of value in them, on the stack or elsewhere before making a
  354. call to another procedure so that it can restore it later.
  355. epilogue:
  356. The code generated by the compiler to return to the caller.
  357. frameless-function
  358. A frameless function in Linux for s390 & z/Architecture is one which doesn't
  359. need more than the register save area (96 bytes on s/390, 160 on z/Architecture)
  360. given to it by the caller.
  361. A frameless function never:
  362. 1) Sets up a back chain.
  363. 2) Calls alloca.
  364. 3) Calls other normal functions
  365. 4) Has automatics.
  366. GOT-pointer:
  367. This is a pointer to the global-offset-table in ELF
  368. ( Executable Linkable Format, Linux'es most common executable format ),
  369. all globals & shared library objects are found using this pointer.
  370. lazy-binding
  371. ELF shared libraries are typically only loaded when routines in the shared
  372. library are actually first called at runtime. This is lazy binding.
  373. procedure-linkage-table
  374. This is a table found from the GOT which contains pointers to routines
  375. in other shared libraries which can't be called to by easier means.
  376. prologue:
  377. The code generated by the compiler to set up the stack frame.
  378. outgoing-args:
  379. This is extra area allocated on the stack of the calling function if the
  380. parameters for the callee's cannot all be put in registers, the same
  381. area can be reused by each function the caller calls.
  382. routine-descriptor:
  383. A COFF executable format based concept of a procedure reference
  384. actually being 8 bytes or more as opposed to a simple pointer to the routine.
  385. This is typically defined as follows
  386. Routine Descriptor offset 0=Pointer to Function
  387. Routine Descriptor offset 4=Pointer to Table of Contents
  388. The table of contents/TOC is roughly equivalent to a GOT pointer.
  389. & it means that shared libraries etc. can be shared between several
  390. environments each with their own TOC.
  391. static-chain: This is used in nested functions a concept adopted from pascal
  392. by gcc not used in ansi C or C++ ( although quite useful ), basically it
  393. is a pointer used to reference local variables of enclosing functions.
  394. You might come across this stuff once or twice in your lifetime.
  395. e.g.
  396. The function below should return 11 though gcc may get upset & toss warnings
  397. about unused variables.
  398. int FunctionA(int a)
  399. {
  400. int b;
  401. FunctionC(int c)
  402. {
  403. b=c+1;
  404. }
  405. FunctionC(10);
  406. return(b);
  407. }
  408. s/390 & z/Architecture Register usage
  409. =====================================
  410. r0 used by syscalls/assembly call-clobbered
  411. r1 used by syscalls/assembly call-clobbered
  412. r2 argument 0 / return value 0 call-clobbered
  413. r3 argument 1 / return value 1 (if long long) call-clobbered
  414. r4 argument 2 call-clobbered
  415. r5 argument 3 call-clobbered
  416. r6 argument 4 saved
  417. r7 pointer-to arguments 5 to ... saved
  418. r8 this & that saved
  419. r9 this & that saved
  420. r10 static-chain ( if nested function ) saved
  421. r11 frame-pointer ( if function used alloca ) saved
  422. r12 got-pointer saved
  423. r13 base-pointer saved
  424. r14 return-address saved
  425. r15 stack-pointer saved
  426. f0 argument 0 / return value ( float/double ) call-clobbered
  427. f2 argument 1 call-clobbered
  428. f4 z/Architecture argument 2 saved
  429. f6 z/Architecture argument 3 saved
  430. The remaining floating points
  431. f1,f3,f5 f7-f15 are call-clobbered.
  432. Notes:
  433. ------
  434. 1) The only requirement is that registers which are used
  435. by the callee are saved, e.g. the compiler is perfectly
  436. capable of using r11 for purposes other than a frame a
  437. frame pointer if a frame pointer is not needed.
  438. 2) In functions with variable arguments e.g. printf the calling procedure
  439. is identical to one without variable arguments & the same number of
  440. parameters. However, the prologue of this function is somewhat more
  441. hairy owing to it having to move these parameters to the stack to
  442. get va_start, va_arg & va_end to work.
  443. 3) Access registers are currently unused by gcc but are used in
  444. the kernel. Possibilities exist to use them at the moment for
  445. temporary storage but it isn't recommended.
  446. 4) Only 4 of the floating point registers are used for
  447. parameter passing as older machines such as G3 only have only 4
  448. & it keeps the stack frame compatible with other compilers.
  449. However with IEEE floating point emulation under linux on the
  450. older machines you are free to use the other 12.
  451. 5) A long long or double parameter cannot be have the
  452. first 4 bytes in a register & the second four bytes in the
  453. outgoing args area. It must be purely in the outgoing args
  454. area if crossing this boundary.
  455. 6) Floating point parameters are mixed with outgoing args
  456. on the outgoing args area in the order the are passed in as parameters.
  457. 7) Floating point arguments 2 & 3 are saved in the outgoing args area for
  458. z/Architecture
  459. Stack Frame Layout
  460. ------------------
  461. s/390 z/Architecture
  462. 0 0 back chain ( a 0 here signifies end of back chain )
  463. 4 8 eos ( end of stack, not used on Linux for S390 used in other linkage formats )
  464. 8 16 glue used in other s/390 linkage formats for saved routine descriptors etc.
  465. 12 24 glue used in other s/390 linkage formats for saved routine descriptors etc.
  466. 16 32 scratch area
  467. 20 40 scratch area
  468. 24 48 saved r6 of caller function
  469. 28 56 saved r7 of caller function
  470. 32 64 saved r8 of caller function
  471. 36 72 saved r9 of caller function
  472. 40 80 saved r10 of caller function
  473. 44 88 saved r11 of caller function
  474. 48 96 saved r12 of caller function
  475. 52 104 saved r13 of caller function
  476. 56 112 saved r14 of caller function
  477. 60 120 saved r15 of caller function
  478. 64 128 saved f4 of caller function
  479. 72 132 saved f6 of caller function
  480. 80 undefined
  481. 96 160 outgoing args passed from caller to callee
  482. 96+x 160+x possible stack alignment ( 8 bytes desirable )
  483. 96+x+y 160+x+y alloca space of caller ( if used )
  484. 96+x+y+z 160+x+y+z automatics of caller ( if used )
  485. 0 back-chain
  486. A sample program with comments.
  487. ===============================
  488. Comments on the function test
  489. -----------------------------
  490. 1) It didn't need to set up a pointer to the constant pool gpr13 as it is not
  491. used ( :-( ).
  492. 2) This is a frameless function & no stack is bought.
  493. 3) The compiler was clever enough to recognise that it could return the
  494. value in r2 as well as use it for the passed in parameter ( :-) ).
  495. 4) The basr ( branch relative & save ) trick works as follows the instruction
  496. has a special case with r0,r0 with some instruction operands is understood as
  497. the literal value 0, some risc architectures also do this ). So now
  498. we are branching to the next address & the address new program counter is
  499. in r13,so now we subtract the size of the function prologue we have executed
  500. + the size of the literal pool to get to the top of the literal pool
  501. 0040037c int test(int b)
  502. { # Function prologue below
  503. 40037c: 90 de f0 34 stm %r13,%r14,52(%r15) # Save registers r13 & r14
  504. 400380: 0d d0 basr %r13,%r0 # Set up pointer to constant pool using
  505. 400382: a7 da ff fa ahi %r13,-6 # basr trick
  506. return(5+b);
  507. # Huge main program
  508. 400386: a7 2a 00 05 ahi %r2,5 # add 5 to r2
  509. # Function epilogue below
  510. 40038a: 98 de f0 34 lm %r13,%r14,52(%r15) # restore registers r13 & 14
  511. 40038e: 07 fe br %r14 # return
  512. }
  513. Comments on the function main
  514. -----------------------------
  515. 1) The compiler did this function optimally ( 8-) )
  516. Literal pool for main.
  517. 400390: ff ff ff ec .long 0xffffffec
  518. main(int argc,char *argv[])
  519. { # Function prologue below
  520. 400394: 90 bf f0 2c stm %r11,%r15,44(%r15) # Save necessary registers
  521. 400398: 18 0f lr %r0,%r15 # copy stack pointer to r0
  522. 40039a: a7 fa ff a0 ahi %r15,-96 # Make area for callee saving
  523. 40039e: 0d d0 basr %r13,%r0 # Set up r13 to point to
  524. 4003a0: a7 da ff f0 ahi %r13,-16 # literal pool
  525. 4003a4: 50 00 f0 00 st %r0,0(%r15) # Save backchain
  526. return(test(5)); # Main Program Below
  527. 4003a8: 58 e0 d0 00 l %r14,0(%r13) # load relative address of test from
  528. # literal pool
  529. 4003ac: a7 28 00 05 lhi %r2,5 # Set first parameter to 5
  530. 4003b0: 4d ee d0 00 bas %r14,0(%r14,%r13) # jump to test setting r14 as return
  531. # address using branch & save instruction.
  532. # Function Epilogue below
  533. 4003b4: 98 bf f0 8c lm %r11,%r15,140(%r15)# Restore necessary registers.
  534. 4003b8: 07 fe br %r14 # return to do program exit
  535. }
  536. Compiler updates
  537. ----------------
  538. main(int argc,char *argv[])
  539. {
  540. 4004fc: 90 7f f0 1c stm %r7,%r15,28(%r15)
  541. 400500: a7 d5 00 04 bras %r13,400508 <main+0xc>
  542. 400504: 00 40 04 f4 .long 0x004004f4
  543. # compiler now puts constant pool in code to so it saves an instruction
  544. 400508: 18 0f lr %r0,%r15
  545. 40050a: a7 fa ff a0 ahi %r15,-96
  546. 40050e: 50 00 f0 00 st %r0,0(%r15)
  547. return(test(5));
  548. 400512: 58 10 d0 00 l %r1,0(%r13)
  549. 400516: a7 28 00 05 lhi %r2,5
  550. 40051a: 0d e1 basr %r14,%r1
  551. # compiler adds 1 extra instruction to epilogue this is done to
  552. # avoid processor pipeline stalls owing to data dependencies on g5 &
  553. # above as register 14 in the old code was needed directly after being loaded
  554. # by the lm %r11,%r15,140(%r15) for the br %14.
  555. 40051c: 58 40 f0 98 l %r4,152(%r15)
  556. 400520: 98 7f f0 7c lm %r7,%r15,124(%r15)
  557. 400524: 07 f4 br %r4
  558. }
  559. Hartmut ( our compiler developer ) also has been threatening to take out the
  560. stack backchain in optimised code as this also causes pipeline stalls, you
  561. have been warned.
  562. 64 bit z/Architecture code disassembly
  563. --------------------------------------
  564. If you understand the stuff above you'll understand the stuff
  565. below too so I'll avoid repeating myself & just say that
  566. some of the instructions have g's on the end of them to indicate
  567. they are 64 bit & the stack offsets are a bigger,
  568. the only other difference you'll find between 32 & 64 bit is that
  569. we now use f4 & f6 for floating point arguments on 64 bit.
  570. 00000000800005b0 <test>:
  571. int test(int b)
  572. {
  573. return(5+b);
  574. 800005b0: a7 2a 00 05 ahi %r2,5
  575. 800005b4: b9 14 00 22 lgfr %r2,%r2 # downcast to integer
  576. 800005b8: 07 fe br %r14
  577. 800005ba: 07 07 bcr 0,%r7
  578. }
  579. 00000000800005bc <main>:
  580. main(int argc,char *argv[])
  581. {
  582. 800005bc: eb bf f0 58 00 24 stmg %r11,%r15,88(%r15)
  583. 800005c2: b9 04 00 1f lgr %r1,%r15
  584. 800005c6: a7 fb ff 60 aghi %r15,-160
  585. 800005ca: e3 10 f0 00 00 24 stg %r1,0(%r15)
  586. return(test(5));
  587. 800005d0: a7 29 00 05 lghi %r2,5
  588. # brasl allows jumps > 64k & is overkill here bras would do fune
  589. 800005d4: c0 e5 ff ff ff ee brasl %r14,800005b0 <test>
  590. 800005da: e3 40 f1 10 00 04 lg %r4,272(%r15)
  591. 800005e0: eb bf f0 f8 00 04 lmg %r11,%r15,248(%r15)
  592. 800005e6: 07 f4 br %r4
  593. }
  594. Compiling programs for debugging on Linux for s/390 & z/Architecture
  595. ====================================================================
  596. -gdwarf-2 now works it should be considered the default debugging
  597. format for s/390 & z/Architecture as it is more reliable for debugging
  598. shared libraries, normal -g debugging works much better now
  599. Thanks to the IBM java compiler developers bug reports.
  600. This is typically done adding/appending the flags -g or -gdwarf-2 to the
  601. CFLAGS & LDFLAGS variables Makefile of the program concerned.
  602. If using gdb & you would like accurate displays of registers &
  603. stack traces compile without optimisation i.e make sure
  604. that there is no -O2 or similar on the CFLAGS line of the Makefile &
  605. the emitted gcc commands, obviously this will produce worse code
  606. ( not advisable for shipment ) but it is an aid to the debugging process.
  607. This aids debugging because the compiler will copy parameters passed in
  608. in registers onto the stack so backtracing & looking at passed in
  609. parameters will work, however some larger programs which use inline functions
  610. will not compile without optimisation.
  611. Debugging with optimisation has since much improved after fixing
  612. some bugs, please make sure you are using gdb-5.0 or later developed
  613. after Nov'2000.
  614. Debugging under VM
  615. ==================
  616. Notes
  617. -----
  618. Addresses & values in the VM debugger are always hex never decimal
  619. Address ranges are of the format <HexValue1>-<HexValue2> or
  620. <HexValue1>.<HexValue2>
  621. For example, the address range 0x2000 to 0x3000 can be described as 2000-3000
  622. or 2000.1000
  623. The VM Debugger is case insensitive.
  624. VM's strengths are usually other debuggers weaknesses you can get at any
  625. resource no matter how sensitive e.g. memory management resources, change
  626. address translation in the PSW. For kernel hacking you will reap dividends if
  627. you get good at it.
  628. The VM Debugger displays operators but not operands, and also the debugger
  629. displays useful information on the same line as the author of the code probably
  630. felt that it was a good idea not to go over the 80 columns on the screen.
  631. This isn't as unintuitive as it may seem as the s/390 instructions are easy to
  632. decode mentally and you can make a good guess at a lot of them as all the
  633. operands are nibble (half byte aligned).
  634. So if you have an objdump listing by hand, it is quite easy to follow, and if
  635. you don't have an objdump listing keep a copy of the s/390 Reference Summary
  636. or alternatively the s/390 principles of operation next to you.
  637. e.g. even I can guess that
  638. 0001AFF8' LR 180F CC 0
  639. is a ( load register ) lr r0,r15
  640. Also it is very easy to tell the length of a 390 instruction from the 2 most
  641. significant bits in the instruction (not that this info is really useful except
  642. if you are trying to make sense of a hexdump of code).
  643. Here is a table
  644. Bits Instruction Length
  645. ------------------------------------------
  646. 00 2 Bytes
  647. 01 4 Bytes
  648. 10 4 Bytes
  649. 11 6 Bytes
  650. The debugger also displays other useful info on the same line such as the
  651. addresses being operated on destination addresses of branches & condition codes.
  652. e.g.
  653. 00019736' AHI A7DAFF0E CC 1
  654. 000198BA' BRC A7840004 -> 000198C2' CC 0
  655. 000198CE' STM 900EF068 >> 0FA95E78 CC 2
  656. Useful VM debugger commands
  657. ---------------------------
  658. I suppose I'd better mention this before I start
  659. to list the current active traces do
  660. Q TR
  661. there can be a maximum of 255 of these per set
  662. ( more about trace sets later ).
  663. To stop traces issue a
  664. TR END.
  665. To delete a particular breakpoint issue
  666. TR DEL <breakpoint number>
  667. The PA1 key drops to CP mode so you can issue debugger commands,
  668. Doing alt c (on my 3270 console at least ) clears the screen.
  669. hitting b <enter> comes back to the running operating system
  670. from cp mode ( in our case linux ).
  671. It is typically useful to add shortcuts to your profile.exec file
  672. if you have one ( this is roughly equivalent to autoexec.bat in DOS ).
  673. file here are a few from mine.
  674. /* this gives me command history on issuing f12 */
  675. set pf12 retrieve
  676. /* this continues */
  677. set pf8 imm b
  678. /* goes to trace set a */
  679. set pf1 imm tr goto a
  680. /* goes to trace set b */
  681. set pf2 imm tr goto b
  682. /* goes to trace set c */
  683. set pf3 imm tr goto c
  684. Instruction Tracing
  685. -------------------
  686. Setting a simple breakpoint
  687. TR I PSWA <address>
  688. To debug a particular function try
  689. TR I R <function address range>
  690. TR I on its own will single step.
  691. TR I DATA <MNEMONIC> <OPTIONAL RANGE> will trace for particular mnemonics
  692. e.g.
  693. TR I DATA 4D R 0197BC.4000
  694. will trace for BAS'es ( opcode 4D ) in the range 0197BC.4000
  695. if you were inclined you could add traces for all branch instructions &
  696. suffix them with the run prefix so you would have a backtrace on screen
  697. when a program crashes.
  698. TR BR <INTO OR FROM> will trace branches into or out of an address.
  699. e.g.
  700. TR BR INTO 0 is often quite useful if a program is getting awkward & deciding
  701. to branch to 0 & crashing as this will stop at the address before in jumps to 0.
  702. TR I R <address range> RUN cmd d g
  703. single steps a range of addresses but stays running &
  704. displays the gprs on each step.
  705. Displaying & modifying Registers
  706. --------------------------------
  707. D G will display all the gprs
  708. Adding a extra G to all the commands is necessary to access the full 64 bit
  709. content in VM on z/Architecture. Obviously this isn't required for access
  710. registers as these are still 32 bit.
  711. e.g. DGG instead of DG
  712. D X will display all the control registers
  713. D AR will display all the access registers
  714. D AR4-7 will display access registers 4 to 7
  715. CPU ALL D G will display the GRPS of all CPUS in the configuration
  716. D PSW will display the current PSW
  717. st PSW 2000 will put the value 2000 into the PSW &
  718. cause crash your machine.
  719. D PREFIX displays the prefix offset
  720. Displaying Memory
  721. -----------------
  722. To display memory mapped using the current PSW's mapping try
  723. D <range>
  724. To make VM display a message each time it hits a particular address and
  725. continue try
  726. D I<range> will disassemble/display a range of instructions.
  727. ST addr 32 bit word will store a 32 bit aligned address
  728. D T<range> will display the EBCDIC in an address (if you are that way inclined)
  729. D R<range> will display real addresses ( without DAT ) but with prefixing.
  730. There are other complex options to display if you need to get at say home space
  731. but are in primary space the easiest thing to do is to temporarily
  732. modify the PSW to the other addressing mode, display the stuff & then
  733. restore it.
  734. Hints
  735. -----
  736. If you want to issue a debugger command without halting your virtual machine
  737. with the PA1 key try prefixing the command with #CP e.g.
  738. #cp tr i pswa 2000
  739. also suffixing most debugger commands with RUN will cause them not
  740. to stop just display the mnemonic at the current instruction on the console.
  741. If you have several breakpoints you want to put into your program &
  742. you get fed up of cross referencing with System.map
  743. you can do the following trick for several symbols.
  744. grep do_signal System.map
  745. which emits the following among other things
  746. 0001f4e0 T do_signal
  747. now you can do
  748. TR I PSWA 0001f4e0 cmd msg * do_signal
  749. This sends a message to your own console each time do_signal is entered.
  750. ( As an aside I wrote a perl script once which automatically generated a REXX
  751. script with breakpoints on every kernel procedure, this isn't a good idea
  752. because there are thousands of these routines & VM can only set 255 breakpoints
  753. at a time so you nearly had to spend as long pruning the file down as you would
  754. entering the msgs by hand), however, the trick might be useful for a single
  755. object file. In the 3270 terminal emulator x3270 there is a very useful option
  756. in the file menu called "Save Screen In File" - this is very good for keeping a
  757. copy of traces.
  758. From CMS help <command name> will give you online help on a particular command.
  759. e.g.
  760. HELP DISPLAY
  761. Also CP has a file called profile.exec which automatically gets called
  762. on startup of CMS ( like autoexec.bat ), keeping on a DOS analogy session
  763. CP has a feature similar to doskey, it may be useful for you to
  764. use profile.exec to define some keystrokes.
  765. e.g.
  766. SET PF9 IMM B
  767. This does a single step in VM on pressing F8.
  768. SET PF10 ^
  769. This sets up the ^ key.
  770. which can be used for ^c (ctrl-c),^z (ctrl-z) which can't be typed directly
  771. into some 3270 consoles.
  772. SET PF11 ^-
  773. This types the starting keystrokes for a sysrq see SysRq below.
  774. SET PF12 RETRIEVE
  775. This retrieves command history on pressing F12.
  776. Sometimes in VM the display is set up to scroll automatically this
  777. can be very annoying if there are messages you wish to look at
  778. to stop this do
  779. TERM MORE 255 255
  780. This will nearly stop automatic screen updates, however it will
  781. cause a denial of service if lots of messages go to the 3270 console,
  782. so it would be foolish to use this as the default on a production machine.
  783. Tracing particular processes
  784. ----------------------------
  785. The kernel's text segment is intentionally at an address in memory that it will
  786. very seldom collide with text segments of user programs ( thanks Martin ),
  787. this simplifies debugging the kernel.
  788. However it is quite common for user processes to have addresses which collide
  789. this can make debugging a particular process under VM painful under normal
  790. circumstances as the process may change when doing a
  791. TR I R <address range>.
  792. Thankfully after reading VM's online help I figured out how to debug
  793. I particular process.
  794. Your first problem is to find the STD ( segment table designation )
  795. of the program you wish to debug.
  796. There are several ways you can do this here are a few
  797. 1) objdump --syms <program to be debugged> | grep main
  798. To get the address of main in the program.
  799. tr i pswa <address of main>
  800. Start the program, if VM drops to CP on what looks like the entry
  801. point of the main function this is most likely the process you wish to debug.
  802. Now do a D X13 or D XG13 on z/Architecture.
  803. On 31 bit the STD is bits 1-19 ( the STO segment table origin )
  804. & 25-31 ( the STL segment table length ) of CR13.
  805. now type
  806. TR I R STD <CR13's value> 0.7fffffff
  807. e.g.
  808. TR I R STD 8F32E1FF 0.7fffffff
  809. Another very useful variation is
  810. TR STORE INTO STD <CR13's value> <address range>
  811. for finding out when a particular variable changes.
  812. An alternative way of finding the STD of a currently running process
  813. is to do the following, ( this method is more complex but
  814. could be quite convenient if you aren't updating the kernel much &
  815. so your kernel structures will stay constant for a reasonable period of
  816. time ).
  817. grep task /proc/<pid>/status
  818. from this you should see something like
  819. task: 0f160000 ksp: 0f161de8 pt_regs: 0f161f68
  820. This now gives you a pointer to the task structure.
  821. Now make CC:="s390-gcc -g" kernel/sched.s
  822. To get the task_struct stabinfo.
  823. ( task_struct is defined in include/linux/sched.h ).
  824. Now we want to look at
  825. task->active_mm->pgd
  826. on my machine the active_mm in the task structure stab is
  827. active_mm:(4,12),672,32
  828. its offset is 672/8=84=0x54
  829. the pgd member in the mm_struct stab is
  830. pgd:(4,6)=*(29,5),96,32
  831. so its offset is 96/8=12=0xc
  832. so we'll
  833. hexdump -s 0xf160054 /dev/mem | more
  834. i.e. task_struct+active_mm offset
  835. to look at the active_mm member
  836. f160054 0fee cc60 0019 e334 0000 0000 0000 0011
  837. hexdump -s 0x0feecc6c /dev/mem | more
  838. i.e. active_mm+pgd offset
  839. feecc6c 0f2c 0000 0000 0001 0000 0001 0000 0010
  840. we get something like
  841. now do
  842. TR I R STD <pgd|0x7f> 0.7fffffff
  843. i.e. the 0x7f is added because the pgd only
  844. gives the page table origin & we need to set the low bits
  845. to the maximum possible segment table length.
  846. TR I R STD 0f2c007f 0.7fffffff
  847. on z/Architecture you'll probably need to do
  848. TR I R STD <pgd|0x7> 0.ffffffffffffffff
  849. to set the TableType to 0x1 & the Table length to 3.
  850. Tracing Program Exceptions
  851. --------------------------
  852. If you get a crash which says something like
  853. illegal operation or specification exception followed by a register dump
  854. You can restart linux & trace these using the tr prog <range or value> trace
  855. option.
  856. The most common ones you will normally be tracing for is
  857. 1=operation exception
  858. 2=privileged operation exception
  859. 4=protection exception
  860. 5=addressing exception
  861. 6=specification exception
  862. 10=segment translation exception
  863. 11=page translation exception
  864. The full list of these is on page 22 of the current s/390 Reference Summary.
  865. e.g.
  866. tr prog 10 will trace segment translation exceptions.
  867. tr prog on its own will trace all program interruption codes.
  868. Trace Sets
  869. ----------
  870. On starting VM you are initially in the INITIAL trace set.
  871. You can do a Q TR to verify this.
  872. If you have a complex tracing situation where you wish to wait for instance
  873. till a driver is open before you start tracing IO, but know in your
  874. heart that you are going to have to make several runs through the code till you
  875. have a clue whats going on.
  876. What you can do is
  877. TR I PSWA <Driver open address>
  878. hit b to continue till breakpoint
  879. reach the breakpoint
  880. now do your
  881. TR GOTO B
  882. TR IO 7c08-7c09 inst int run
  883. or whatever the IO channels you wish to trace are & hit b
  884. To got back to the initial trace set do
  885. TR GOTO INITIAL
  886. & the TR I PSWA <Driver open address> will be the only active breakpoint again.
  887. Tracing linux syscalls under VM
  888. -------------------------------
  889. Syscalls are implemented on Linux for S390 by the Supervisor call instruction
  890. (SVC). There 256 possibilities of these as the instruction is made up of a 0xA
  891. opcode and the second byte being the syscall number. They are traced using the
  892. simple command:
  893. TR SVC <Optional value or range>
  894. the syscalls are defined in linux/arch/s390/include/asm/unistd.h
  895. e.g. to trace all file opens just do
  896. TR SVC 5 ( as this is the syscall number of open )
  897. SMP Specific commands
  898. ---------------------
  899. To find out how many cpus you have
  900. Q CPUS displays all the CPU's available to your virtual machine
  901. To find the cpu that the current cpu VM debugger commands are being directed at
  902. do Q CPU to change the current cpu VM debugger commands are being directed at do
  903. CPU <desired cpu no>
  904. On a SMP guest issue a command to all CPUs try prefixing the command with cpu
  905. all. To issue a command to a particular cpu try cpu <cpu number> e.g.
  906. CPU 01 TR I R 2000.3000
  907. If you are running on a guest with several cpus & you have a IO related problem
  908. & cannot follow the flow of code but you know it isn't smp related.
  909. from the bash prompt issue
  910. shutdown -h now or halt.
  911. do a Q CPUS to find out how many cpus you have
  912. detach each one of them from cp except cpu 0
  913. by issuing a
  914. DETACH CPU 01-(number of cpus in configuration)
  915. & boot linux again.
  916. TR SIGP will trace inter processor signal processor instructions.
  917. DEFINE CPU 01-(number in configuration)
  918. will get your guests cpus back.
  919. Help for displaying ascii textstrings
  920. -------------------------------------
  921. On the very latest VM Nucleus'es VM can now display ascii
  922. ( thanks Neale for the hint ) by doing
  923. D TX<lowaddr>.<len>
  924. e.g.
  925. D TX0.100
  926. Alternatively
  927. =============
  928. Under older VM debuggers (I love EBDIC too) you can use following little
  929. program which converts a command line of hex digits to ascii text. It can be
  930. compiled under linux and you can copy the hex digits from your x3270 terminal
  931. to your xterm if you are debugging from a linuxbox.
  932. This is quite useful when looking at a parameter passed in as a text string
  933. under VM ( unless you are good at decoding ASCII in your head ).
  934. e.g. consider tracing an open syscall
  935. TR SVC 5
  936. We have stopped at a breakpoint
  937. 000151B0' SVC 0A05 -> 0001909A' CC 0
  938. D 20.8 to check the SVC old psw in the prefix area and see was it from userspace
  939. (for the layout of the prefix area consult the "Fixed Storage Locations"
  940. chapter of the s/390 Reference Summary if you have it available).
  941. V00000020 070C2000 800151B2
  942. The problem state bit wasn't set & it's also too early in the boot sequence
  943. for it to be a userspace SVC if it was we would have to temporarily switch the
  944. psw to user space addressing so we could get at the first parameter of the open
  945. in gpr2.
  946. Next do a
  947. D G2
  948. GPR 2 = 00014CB4
  949. Now display what gpr2 is pointing to
  950. D 00014CB4.20
  951. V00014CB4 2F646576 2F636F6E 736F6C65 00001BF5
  952. V00014CC4 FC00014C B4001001 E0001000 B8070707
  953. Now copy the text till the first 00 hex ( which is the end of the string
  954. to an xterm & do hex2ascii on it.
  955. hex2ascii 2F646576 2F636F6E 736F6C65 00
  956. outputs
  957. Decoded Hex:=/ d e v / c o n s o l e 0x00
  958. We were opening the console device,
  959. You can compile the code below yourself for practice :-),
  960. /*
  961. * hex2ascii.c
  962. * a useful little tool for converting a hexadecimal command line to ascii
  963. *
  964. * Author(s): Denis Joseph Barrow (djbarrow@de.ibm.com,barrow_dj@yahoo.com)
  965. * (C) 2000 IBM Deutschland Entwicklung GmbH, IBM Corporation.
  966. */
  967. #include <stdio.h>
  968. int main(int argc,char *argv[])
  969. {
  970. int cnt1,cnt2,len,toggle=0;
  971. int startcnt=1;
  972. unsigned char c,hex;
  973. if(argc>1&&(strcmp(argv[1],"-a")==0))
  974. startcnt=2;
  975. printf("Decoded Hex:=");
  976. for(cnt1=startcnt;cnt1<argc;cnt1++)
  977. {
  978. len=strlen(argv[cnt1]);
  979. for(cnt2=0;cnt2<len;cnt2++)
  980. {
  981. c=argv[cnt1][cnt2];
  982. if(c>='0'&&c<='9')
  983. c=c-'0';
  984. if(c>='A'&&c<='F')
  985. c=c-'A'+10;
  986. if(c>='a'&&c<='f')
  987. c=c-'a'+10;
  988. switch(toggle)
  989. {
  990. case 0:
  991. hex=c<<4;
  992. toggle=1;
  993. break;
  994. case 1:
  995. hex+=c;
  996. if(hex<32||hex>127)
  997. {
  998. if(startcnt==1)
  999. printf("0x%02X ",(int)hex);
  1000. else
  1001. printf(".");
  1002. }
  1003. else
  1004. {
  1005. printf("%c",hex);
  1006. if(startcnt==1)
  1007. printf(" ");
  1008. }
  1009. toggle=0;
  1010. break;
  1011. }
  1012. }
  1013. }
  1014. printf("\n");
  1015. }
  1016. Stack tracing under VM
  1017. ----------------------
  1018. A basic backtrace
  1019. -----------------
  1020. Here are the tricks I use 9 out of 10 times it works pretty well,
  1021. When your backchain reaches a dead end
  1022. --------------------------------------
  1023. This can happen when an exception happens in the kernel and the kernel is
  1024. entered twice. If you reach the NULL pointer at the end of the back chain you
  1025. should be able to sniff further back if you follow the following tricks.
  1026. 1) A kernel address should be easy to recognise since it is in
  1027. primary space & the problem state bit isn't set & also
  1028. The Hi bit of the address is set.
  1029. 2) Another backchain should also be easy to recognise since it is an
  1030. address pointing to another address approximately 100 bytes or 0x70 hex
  1031. behind the current stackpointer.
  1032. Here is some practice.
  1033. boot the kernel & hit PA1 at some random time
  1034. d g to display the gprs, this should display something like
  1035. GPR 0 = 00000001 00156018 0014359C 00000000
  1036. GPR 4 = 00000001 001B8888 000003E0 00000000
  1037. GPR 8 = 00100080 00100084 00000000 000FE000
  1038. GPR 12 = 00010400 8001B2DC 8001B36A 000FFED8
  1039. Note that GPR14 is a return address but as we are real men we are going to
  1040. trace the stack.
  1041. display 0x40 bytes after the stack pointer.
  1042. V000FFED8 000FFF38 8001B838 80014C8E 000FFF38
  1043. V000FFEE8 00000000 00000000 000003E0 00000000
  1044. V000FFEF8 00100080 00100084 00000000 000FE000
  1045. V000FFF08 00010400 8001B2DC 8001B36A 000FFED8
  1046. Ah now look at whats in sp+56 (sp+0x38) this is 8001B36A our saved r14 if
  1047. you look above at our stackframe & also agrees with GPR14.
  1048. now backchain
  1049. d 000FFF38.40
  1050. we now are taking the contents of SP to get our first backchain.
  1051. V000FFF38 000FFFA0 00000000 00014995 00147094
  1052. V000FFF48 00147090 001470A0 000003E0 00000000
  1053. V000FFF58 00100080 00100084 00000000 001BF1D0
  1054. V000FFF68 00010400 800149BA 80014CA6 000FFF38
  1055. This displays a 2nd return address of 80014CA6
  1056. now do d 000FFFA0.40 for our 3rd backchain
  1057. V000FFFA0 04B52002 0001107F 00000000 00000000
  1058. V000FFFB0 00000000 00000000 FF000000 0001107F
  1059. V000FFFC0 00000000 00000000 00000000 00000000
  1060. V000FFFD0 00010400 80010802 8001085A 000FFFA0
  1061. our 3rd return address is 8001085A
  1062. as the 04B52002 looks suspiciously like rubbish it is fair to assume that the
  1063. kernel entry routines for the sake of optimisation don't set up a backchain.
  1064. now look at System.map to see if the addresses make any sense.
  1065. grep -i 0001b3 System.map
  1066. outputs among other things
  1067. 0001b304 T cpu_idle
  1068. so 8001B36A
  1069. is cpu_idle+0x66 ( quiet the cpu is asleep, don't wake it )
  1070. grep -i 00014 System.map
  1071. produces among other things
  1072. 00014a78 T start_kernel
  1073. so 0014CA6 is start_kernel+some hex number I can't add in my head.
  1074. grep -i 00108 System.map
  1075. this produces
  1076. 00010800 T _stext
  1077. so 8001085A is _stext+0x5a
  1078. Congrats you've done your first backchain.
  1079. s/390 & z/Architecture IO Overview
  1080. ==================================
  1081. I am not going to give a course in 390 IO architecture as this would take me
  1082. quite a while and I'm no expert. Instead I'll give a 390 IO architecture
  1083. summary for Dummies. If you have the s/390 principles of operation available
  1084. read this instead. If nothing else you may find a few useful keywords in here
  1085. and be able to use them on a web search engine to find more useful information.
  1086. Unlike other bus architectures modern 390 systems do their IO using mostly
  1087. fibre optics and devices such as tapes and disks can be shared between several
  1088. mainframes. Also S390 can support up to 65536 devices while a high end PC based
  1089. system might be choking with around 64.
  1090. Here is some of the common IO terminology:
  1091. Subchannel:
  1092. This is the logical number most IO commands use to talk to an IO device. There
  1093. can be up to 0x10000 (65536) of these in a configuration, typically there are a
  1094. few hundred. Under VM for simplicity they are allocated contiguously, however
  1095. on the native hardware they are not. They typically stay consistent between
  1096. boots provided no new hardware is inserted or removed.
  1097. Under Linux for s390 we use these as IRQ's and also when issuing an IO command
  1098. (CLEAR SUBCHANNEL, HALT SUBCHANNEL, MODIFY SUBCHANNEL, RESUME SUBCHANNEL,
  1099. START SUBCHANNEL, STORE SUBCHANNEL and TEST SUBCHANNEL). We use this as the ID
  1100. of the device we wish to talk to. The most important of these instructions are
  1101. START SUBCHANNEL (to start IO), TEST SUBCHANNEL (to check whether the IO
  1102. completed successfully) and HALT SUBCHANNEL (to kill IO). A subchannel can have
  1103. up to 8 channel paths to a device, this offers redundancy if one is not
  1104. available.
  1105. Device Number:
  1106. This number remains static and is closely tied to the hardware. There are 65536
  1107. of these, made up of a CHPID (Channel Path ID, the most significant 8 bits) and
  1108. another lsb 8 bits. These remain static even if more devices are inserted or
  1109. removed from the hardware. There is a 1 to 1 mapping between subchannels and
  1110. device numbers, provided devices aren't inserted or removed.
  1111. Channel Control Words:
  1112. CCWs are linked lists of instructions initially pointed to by an operation
  1113. request block (ORB), which is initially given to Start Subchannel (SSCH)
  1114. command along with the subchannel number for the IO subsystem to process
  1115. while the CPU continues executing normal code.
  1116. CCWs come in two flavours, Format 0 (24 bit for backward compatibility) and
  1117. Format 1 (31 bit). These are typically used to issue read and write (and many
  1118. other) instructions. They consist of a length field and an absolute address
  1119. field.
  1120. Each IO typically gets 1 or 2 interrupts, one for channel end (primary status)
  1121. when the channel is idle, and the second for device end (secondary status).
  1122. Sometimes you get both concurrently. You check how the IO went on by issuing a
  1123. TEST SUBCHANNEL at each interrupt, from which you receive an Interruption
  1124. response block (IRB). If you get channel and device end status in the IRB
  1125. without channel checks etc. your IO probably went okay. If you didn't you
  1126. probably need to examine the IRB, extended status word etc.
  1127. If an error occurs, more sophisticated control units have a facility known as
  1128. concurrent sense. This means that if an error occurs Extended sense information
  1129. will be presented in the Extended status word in the IRB. If not you have to
  1130. issue a subsequent SENSE CCW command after the test subchannel.
  1131. TPI (Test pending interrupt) can also be used for polled IO, but in
  1132. multitasking multiprocessor systems it isn't recommended except for
  1133. checking special cases (i.e. non looping checks for pending IO etc.).
  1134. Store Subchannel and Modify Subchannel can be used to examine and modify
  1135. operating characteristics of a subchannel (e.g. channel paths).
  1136. Other IO related Terms:
  1137. Sysplex: S390's Clustering Technology
  1138. QDIO: S390's new high speed IO architecture to support devices such as gigabit
  1139. ethernet, this architecture is also designed to be forward compatible with
  1140. upcoming 64 bit machines.
  1141. General Concepts
  1142. Input Output Processors (IOP's) are responsible for communicating between
  1143. the mainframe CPU's & the channel & relieve the mainframe CPU's from the
  1144. burden of communicating with IO devices directly, this allows the CPU's to
  1145. concentrate on data processing.
  1146. IOP's can use one or more links ( known as channel paths ) to talk to each
  1147. IO device. It first checks for path availability & chooses an available one,
  1148. then starts ( & sometimes terminates IO ).
  1149. There are two types of channel path: ESCON & the Parallel IO interface.
  1150. IO devices are attached to control units, control units provide the
  1151. logic to interface the channel paths & channel path IO protocols to
  1152. the IO devices, they can be integrated with the devices or housed separately
  1153. & often talk to several similar devices ( typical examples would be raid
  1154. controllers or a control unit which connects to 1000 3270 terminals ).
  1155. +---------------------------------------------------------------+
  1156. | +-----+ +-----+ +-----+ +-----+ +----------+ +----------+ |
  1157. | | CPU | | CPU | | CPU | | CPU | | Main | | Expanded | |
  1158. | | | | | | | | | | Memory | | Storage | |
  1159. | +-----+ +-----+ +-----+ +-----+ +----------+ +----------+ |
  1160. |---------------------------------------------------------------+
  1161. | IOP | IOP | IOP |
  1162. |---------------------------------------------------------------
  1163. | C | C | C | C | C | C | C | C | C | C | C | C | C | C | C | C |
  1164. ----------------------------------------------------------------
  1165. || ||
  1166. || Bus & Tag Channel Path || ESCON
  1167. || ====================== || Channel
  1168. || || || || Path
  1169. +----------+ +----------+ +----------+
  1170. | | | | | |
  1171. | CU | | CU | | CU |
  1172. | | | | | |
  1173. +----------+ +----------+ +----------+
  1174. | | | | |
  1175. +----------+ +----------+ +----------+ +----------+ +----------+
  1176. |I/O Device| |I/O Device| |I/O Device| |I/O Device| |I/O Device|
  1177. +----------+ +----------+ +----------+ +----------+ +----------+
  1178. CPU = Central Processing Unit
  1179. C = Channel
  1180. IOP = IP Processor
  1181. CU = Control Unit
  1182. The 390 IO systems come in 2 flavours the current 390 machines support both
  1183. The Older 360 & 370 Interface,sometimes called the Parallel I/O interface,
  1184. sometimes called Bus-and Tag & sometimes Original Equipment Manufacturers
  1185. Interface (OEMI).
  1186. This byte wide Parallel channel path/bus has parity & data on the "Bus" cable
  1187. and control lines on the "Tag" cable. These can operate in byte multiplex mode
  1188. for sharing between several slow devices or burst mode and monopolize the
  1189. channel for the whole burst. Up to 256 devices can be addressed on one of these
  1190. cables. These cables are about one inch in diameter. The maximum unextended
  1191. length supported by these cables is 125 Meters but this can be extended up to
  1192. 2km with a fibre optic channel extended such as a 3044. The maximum burst speed
  1193. supported is 4.5 megabytes per second. However, some really old processors
  1194. support only transfer rates of 3.0, 2.0 & 1.0 MB/sec.
  1195. One of these paths can be daisy chained to up to 8 control units.
  1196. ESCON if fibre optic it is also called FICON
  1197. Was introduced by IBM in 1990. Has 2 fibre optic cables and uses either leds or
  1198. lasers for communication at a signaling rate of up to 200 megabits/sec. As
  1199. 10bits are transferred for every 8 bits info this drops to 160 megabits/sec
  1200. and to 18.6 Megabytes/sec once control info and CRC are added. ESCON only
  1201. operates in burst mode.
  1202. ESCONs typical max cable length is 3km for the led version and 20km for the
  1203. laser version known as XDF (extended distance facility). This can be further
  1204. extended by using an ESCON director which triples the above mentioned ranges.
  1205. Unlike Bus & Tag as ESCON is serial it uses a packet switching architecture,
  1206. the standard Bus & Tag control protocol is however present within the packets.
  1207. Up to 256 devices can be attached to each control unit that uses one of these
  1208. interfaces.
  1209. Common 390 Devices include:
  1210. Network adapters typically OSA2,3172's,2116's & OSA-E gigabit ethernet adapters,
  1211. Consoles 3270 & 3215 (a teletype emulated under linux for a line mode console).
  1212. DASD's direct access storage devices ( otherwise known as hard disks ).
  1213. Tape Drives.
  1214. CTC ( Channel to Channel Adapters ),
  1215. ESCON or Parallel Cables used as a very high speed serial link
  1216. between 2 machines.
  1217. Debugging IO on s/390 & z/Architecture under VM
  1218. ===============================================
  1219. Now we are ready to go on with IO tracing commands under VM
  1220. A few self explanatory queries:
  1221. Q OSA
  1222. Q CTC
  1223. Q DISK ( This command is CMS specific )
  1224. Q DASD
  1225. Q OSA on my machine returns
  1226. OSA 7C08 ON OSA 7C08 SUBCHANNEL = 0000
  1227. OSA 7C09 ON OSA 7C09 SUBCHANNEL = 0001
  1228. OSA 7C14 ON OSA 7C14 SUBCHANNEL = 0002
  1229. OSA 7C15 ON OSA 7C15 SUBCHANNEL = 0003
  1230. If you have a guest with certain privileges you may be able to see devices
  1231. which don't belong to you. To avoid this, add the option V.
  1232. e.g.
  1233. Q V OSA
  1234. Now using the device numbers returned by this command we will
  1235. Trace the io starting up on the first device 7c08 & 7c09
  1236. In our simplest case we can trace the
  1237. start subchannels
  1238. like TR SSCH 7C08-7C09
  1239. or the halt subchannels
  1240. or TR HSCH 7C08-7C09
  1241. MSCH's ,STSCH's I think you can guess the rest
  1242. A good trick is tracing all the IO's and CCWS and spooling them into the reader
  1243. of another VM guest so he can ftp the logfile back to his own machine. I'll do
  1244. a small bit of this and give you a look at the output.
  1245. 1) Spool stdout to VM reader
  1246. SP PRT TO (another vm guest ) or * for the local vm guest
  1247. 2) Fill the reader with the trace
  1248. TR IO 7c08-7c09 INST INT CCW PRT RUN
  1249. 3) Start up linux
  1250. i 00c
  1251. 4) Finish the trace
  1252. TR END
  1253. 5) close the reader
  1254. C PRT
  1255. 6) list reader contents
  1256. RDRLIST
  1257. 7) copy it to linux4's minidisk
  1258. RECEIVE / LOG TXT A1 ( replace
  1259. 8)
  1260. filel & press F11 to look at it
  1261. You should see something like:
  1262. 00020942' SSCH B2334000 0048813C CC 0 SCH 0000 DEV 7C08
  1263. CPA 000FFDF0 PARM 00E2C9C4 KEY 0 FPI C0 LPM 80
  1264. CCW 000FFDF0 E4200100 00487FE8 0000 E4240100 ........
  1265. IDAL 43D8AFE8
  1266. IDAL 0FB76000
  1267. 00020B0A' I/O DEV 7C08 -> 000197BC' SCH 0000 PARM 00E2C9C4
  1268. 00021628' TSCH B2354000 >> 00488164 CC 0 SCH 0000 DEV 7C08
  1269. CCWA 000FFDF8 DEV STS 0C SCH STS 00 CNT 00EC
  1270. KEY 0 FPI C0 CC 0 CTLS 4007
  1271. 00022238' STSCH B2344000 >> 00488108 CC 0 SCH 0000 DEV 7C08
  1272. If you don't like messing up your readed ( because you possibly booted from it )
  1273. you can alternatively spool it to another readers guest.
  1274. Other common VM device related commands
  1275. ---------------------------------------------
  1276. These commands are listed only because they have
  1277. been of use to me in the past & may be of use to
  1278. you too. For more complete info on each of the commands
  1279. use type HELP <command> from CMS.
  1280. detaching devices
  1281. DET <devno range>
  1282. ATT <devno range> <guest>
  1283. attach a device to guest * for your own guest
  1284. READY <devno> cause VM to issue a fake interrupt.
  1285. The VARY command is normally only available to VM administrators.
  1286. VARY ON PATH <path> TO <devno range>
  1287. VARY OFF PATH <PATH> FROM <devno range>
  1288. This is used to switch on or off channel paths to devices.
  1289. Q CHPID <channel path ID>
  1290. This displays state of devices using this channel path
  1291. D SCHIB <subchannel>
  1292. This displays the subchannel information SCHIB block for the device.
  1293. this I believe is also only available to administrators.
  1294. DEFINE CTC <devno>
  1295. defines a virtual CTC channel to channel connection
  1296. 2 need to be defined on each guest for the CTC driver to use.
  1297. COUPLE devno userid remote devno
  1298. Joins a local virtual device to a remote virtual device
  1299. ( commonly used for the CTC driver ).
  1300. Building a VM ramdisk under CMS which linux can use
  1301. def vfb-<blocksize> <subchannel> <number blocks>
  1302. blocksize is commonly 4096 for linux.
  1303. Formatting it
  1304. format <subchannel> <driver letter e.g. x> (blksize <blocksize>
  1305. Sharing a disk between multiple guests
  1306. LINK userid devno1 devno2 mode password
  1307. GDB on S390
  1308. ===========
  1309. N.B. if compiling for debugging gdb works better without optimisation
  1310. ( see Compiling programs for debugging )
  1311. invocation
  1312. ----------
  1313. gdb <victim program> <optional corefile>
  1314. Online help
  1315. -----------
  1316. help: gives help on commands
  1317. e.g.
  1318. help
  1319. help display
  1320. Note gdb's online help is very good use it.
  1321. Assembly
  1322. --------
  1323. info registers: displays registers other than floating point.
  1324. info all-registers: displays floating points as well.
  1325. disassemble: disassembles
  1326. e.g.
  1327. disassemble without parameters will disassemble the current function
  1328. disassemble $pc $pc+10
  1329. Viewing & modifying variables
  1330. -----------------------------
  1331. print or p: displays variable or register
  1332. e.g. p/x $sp will display the stack pointer
  1333. display: prints variable or register each time program stops
  1334. e.g.
  1335. display/x $pc will display the program counter
  1336. display argc
  1337. undisplay : undo's display's
  1338. info breakpoints: shows all current breakpoints
  1339. info stack: shows stack back trace (if this doesn't work too well, I'll show
  1340. you the stacktrace by hand below).
  1341. info locals: displays local variables.
  1342. info args: display current procedure arguments.
  1343. set args: will set argc & argv each time the victim program is invoked.
  1344. set <variable>=value
  1345. set argc=100
  1346. set $pc=0
  1347. Modifying execution
  1348. -------------------
  1349. step: steps n lines of sourcecode
  1350. step steps 1 line.
  1351. step 100 steps 100 lines of code.
  1352. next: like step except this will not step into subroutines
  1353. stepi: steps a single machine code instruction.
  1354. e.g. stepi 100
  1355. nexti: steps a single machine code instruction but will not step into
  1356. subroutines.
  1357. finish: will run until exit of the current routine
  1358. run: (re)starts a program
  1359. cont: continues a program
  1360. quit: exits gdb.
  1361. breakpoints
  1362. ------------
  1363. break
  1364. sets a breakpoint
  1365. e.g.
  1366. break main
  1367. break *$pc
  1368. break *0x400618
  1369. Here's a really useful one for large programs
  1370. rbr
  1371. Set a breakpoint for all functions matching REGEXP
  1372. e.g.
  1373. rbr 390
  1374. will set a breakpoint with all functions with 390 in their name.
  1375. info breakpoints
  1376. lists all breakpoints
  1377. delete: delete breakpoint by number or delete them all
  1378. e.g.
  1379. delete 1 will delete the first breakpoint
  1380. delete will delete them all
  1381. watch: This will set a watchpoint ( usually hardware assisted ),
  1382. This will watch a variable till it changes
  1383. e.g.
  1384. watch cnt, will watch the variable cnt till it changes.
  1385. As an aside unfortunately gdb's, architecture independent watchpoint code
  1386. is inconsistent & not very good, watchpoints usually work but not always.
  1387. info watchpoints: Display currently active watchpoints
  1388. condition: ( another useful one )
  1389. Specify breakpoint number N to break only if COND is true.
  1390. Usage is `condition N COND', where N is an integer and COND is an
  1391. expression to be evaluated whenever breakpoint N is reached.
  1392. User defined functions/macros
  1393. -----------------------------
  1394. define: ( Note this is very very useful,simple & powerful )
  1395. usage define <name> <list of commands> end
  1396. examples which you should consider putting into .gdbinit in your home directory
  1397. define d
  1398. stepi
  1399. disassemble $pc $pc+10
  1400. end
  1401. define e
  1402. nexti
  1403. disassemble $pc $pc+10
  1404. end
  1405. Other hard to classify stuff
  1406. ----------------------------
  1407. signal n:
  1408. sends the victim program a signal.
  1409. e.g. signal 3 will send a SIGQUIT.
  1410. info signals:
  1411. what gdb does when the victim receives certain signals.
  1412. list:
  1413. e.g.
  1414. list lists current function source
  1415. list 1,10 list first 10 lines of current file.
  1416. list test.c:1,10
  1417. directory:
  1418. Adds directories to be searched for source if gdb cannot find the source.
  1419. (note it is a bit sensitive about slashes)
  1420. e.g. To add the root of the filesystem to the searchpath do
  1421. directory //
  1422. call <function>
  1423. This calls a function in the victim program, this is pretty powerful
  1424. e.g.
  1425. (gdb) call printf("hello world")
  1426. outputs:
  1427. $1 = 11
  1428. You might now be thinking that the line above didn't work, something extra had
  1429. to be done.
  1430. (gdb) call fflush(stdout)
  1431. hello world$2 = 0
  1432. As an aside the debugger also calls malloc & free under the hood
  1433. to make space for the "hello world" string.
  1434. hints
  1435. -----
  1436. 1) command completion works just like bash
  1437. ( if you are a bad typist like me this really helps )
  1438. e.g. hit br <TAB> & cursor up & down :-).
  1439. 2) if you have a debugging problem that takes a few steps to recreate
  1440. put the steps into a file called .gdbinit in your current working directory
  1441. if you have defined a few extra useful user defined commands put these in
  1442. your home directory & they will be read each time gdb is launched.
  1443. A typical .gdbinit file might be.
  1444. break main
  1445. run
  1446. break runtime_exception
  1447. cont
  1448. stack chaining in gdb by hand
  1449. -----------------------------
  1450. This is done using a the same trick described for VM
  1451. p/x (*($sp+56))&0x7fffffff get the first backchain.
  1452. For z/Architecture
  1453. Replace 56 with 112 & ignore the &0x7fffffff
  1454. in the macros below & do nasty casts to longs like the following
  1455. as gdb unfortunately deals with printed arguments as ints which
  1456. messes up everything.
  1457. i.e. here is a 3rd backchain dereference
  1458. p/x *(long *)(***(long ***)$sp+112)
  1459. this outputs
  1460. $5 = 0x528f18
  1461. on my machine.
  1462. Now you can use
  1463. info symbol (*($sp+56))&0x7fffffff
  1464. you might see something like.
  1465. rl_getc + 36 in section .text telling you what is located at address 0x528f18
  1466. Now do.
  1467. p/x (*(*$sp+56))&0x7fffffff
  1468. This outputs
  1469. $6 = 0x528ed0
  1470. Now do.
  1471. info symbol (*(*$sp+56))&0x7fffffff
  1472. rl_read_key + 180 in section .text
  1473. now do
  1474. p/x (*(**$sp+56))&0x7fffffff
  1475. & so on.
  1476. Disassembling instructions without debug info
  1477. ---------------------------------------------
  1478. gdb typically complains if there is a lack of debugging
  1479. symbols in the disassemble command with
  1480. "No function contains specified address." To get around
  1481. this do
  1482. x/<number lines to disassemble>xi <address>
  1483. e.g.
  1484. x/20xi 0x400730
  1485. Note: Remember gdb has history just like bash you don't need to retype the
  1486. whole line just use the up & down arrows.
  1487. For more info
  1488. -------------
  1489. From your linuxbox do
  1490. man gdb or info gdb.
  1491. core dumps
  1492. ----------
  1493. What a core dump ?,
  1494. A core dump is a file generated by the kernel (if allowed) which contains the
  1495. registers and all active pages of the program which has crashed.
  1496. From this file gdb will allow you to look at the registers, stack trace and
  1497. memory of the program as if it just crashed on your system. It is usually
  1498. called core and created in the current working directory.
  1499. This is very useful in that a customer can mail a core dump to a technical
  1500. support department and the technical support department can reconstruct what
  1501. happened. Provided they have an identical copy of this program with debugging
  1502. symbols compiled in and the source base of this build is available.
  1503. In short it is far more useful than something like a crash log could ever hope
  1504. to be.
  1505. Why have I never seen one ?.
  1506. Probably because you haven't used the command
  1507. ulimit -c unlimited in bash
  1508. to allow core dumps, now do
  1509. ulimit -a
  1510. to verify that the limit was accepted.
  1511. A sample core dump
  1512. To create this I'm going to do
  1513. ulimit -c unlimited
  1514. gdb
  1515. to launch gdb (my victim app. ) now be bad & do the following from another
  1516. telnet/xterm session to the same machine
  1517. ps -aux | grep gdb
  1518. kill -SIGSEGV <gdb's pid>
  1519. or alternatively use killall -SIGSEGV gdb if you have the killall command.
  1520. Now look at the core dump.
  1521. ./gdb core
  1522. Displays the following
  1523. GNU gdb 4.18
  1524. Copyright 1998 Free Software Foundation, Inc.
  1525. GDB is free software, covered by the GNU General Public License, and you are
  1526. welcome to change it and/or distribute copies of it under certain conditions.
  1527. Type "show copying" to see the conditions.
  1528. There is absolutely no warranty for GDB. Type "show warranty" for details.
  1529. This GDB was configured as "s390-ibm-linux"...
  1530. Core was generated by `./gdb'.
  1531. Program terminated with signal 11, Segmentation fault.
  1532. Reading symbols from /usr/lib/libncurses.so.4...done.
  1533. Reading symbols from /lib/libm.so.6...done.
  1534. Reading symbols from /lib/libc.so.6...done.
  1535. Reading symbols from /lib/ld-linux.so.2...done.
  1536. #0 0x40126d1a in read () from /lib/libc.so.6
  1537. Setting up the environment for debugging gdb.
  1538. Breakpoint 1 at 0x4dc6f8: file utils.c, line 471.
  1539. Breakpoint 2 at 0x4d87a4: file top.c, line 2609.
  1540. (top-gdb) info stack
  1541. #0 0x40126d1a in read () from /lib/libc.so.6
  1542. #1 0x528f26 in rl_getc (stream=0x7ffffde8) at input.c:402
  1543. #2 0x528ed0 in rl_read_key () at input.c:381
  1544. #3 0x5167e6 in readline_internal_char () at readline.c:454
  1545. #4 0x5168ee in readline_internal_charloop () at readline.c:507
  1546. #5 0x51692c in readline_internal () at readline.c:521
  1547. #6 0x5164fe in readline (prompt=0x7ffff810)
  1548. at readline.c:349
  1549. #7 0x4d7a8a in command_line_input (prompt=0x564420 "(gdb) ", repeat=1,
  1550. annotation_suffix=0x4d6b44 "prompt") at top.c:2091
  1551. #8 0x4d6cf0 in command_loop () at top.c:1345
  1552. #9 0x4e25bc in main (argc=1, argv=0x7ffffdf4) at main.c:635
  1553. LDD
  1554. ===
  1555. This is a program which lists the shared libraries which a library needs,
  1556. Note you also get the relocations of the shared library text segments which
  1557. help when using objdump --source.
  1558. e.g.
  1559. ldd ./gdb
  1560. outputs
  1561. libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40018000)
  1562. libm.so.6 => /lib/libm.so.6 (0x4005e000)
  1563. libc.so.6 => /lib/libc.so.6 (0x40084000)
  1564. /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
  1565. Debugging shared libraries
  1566. ==========================
  1567. Most programs use shared libraries, however it can be very painful
  1568. when you single step instruction into a function like printf for the
  1569. first time & you end up in functions like _dl_runtime_resolve this is
  1570. the ld.so doing lazy binding, lazy binding is a concept in ELF where
  1571. shared library functions are not loaded into memory unless they are
  1572. actually used, great for saving memory but a pain to debug.
  1573. To get around this either relink the program -static or exit gdb type
  1574. export LD_BIND_NOW=true this will stop lazy binding & restart the gdb'ing
  1575. the program in question.
  1576. Debugging modules
  1577. =================
  1578. As modules are dynamically loaded into the kernel their address can be
  1579. anywhere to get around this use the -m option with insmod to emit a load
  1580. map which can be piped into a file if required.
  1581. The proc file system
  1582. ====================
  1583. What is it ?.
  1584. It is a filesystem created by the kernel with files which are created on demand
  1585. by the kernel if read, or can be used to modify kernel parameters,
  1586. it is a powerful concept.
  1587. e.g.
  1588. cat /proc/sys/net/ipv4/ip_forward
  1589. On my machine outputs
  1590. 0
  1591. telling me ip_forwarding is not on to switch it on I can do
  1592. echo 1 > /proc/sys/net/ipv4/ip_forward
  1593. cat it again
  1594. cat /proc/sys/net/ipv4/ip_forward
  1595. On my machine now outputs
  1596. 1
  1597. IP forwarding is on.
  1598. There is a lot of useful info in here best found by going in and having a look
  1599. around, so I'll take you through some entries I consider important.
  1600. All the processes running on the machine have their own entry defined by
  1601. /proc/<pid>
  1602. So lets have a look at the init process
  1603. cd /proc/1
  1604. cat cmdline
  1605. emits
  1606. init [2]
  1607. cd /proc/1/fd
  1608. This contains numerical entries of all the open files,
  1609. some of these you can cat e.g. stdout (2)
  1610. cat /proc/29/maps
  1611. on my machine emits
  1612. 00400000-00478000 r-xp 00000000 5f:00 4103 /bin/bash
  1613. 00478000-0047e000 rw-p 00077000 5f:00 4103 /bin/bash
  1614. 0047e000-00492000 rwxp 00000000 00:00 0
  1615. 40000000-40015000 r-xp 00000000 5f:00 14382 /lib/ld-2.1.2.so
  1616. 40015000-40016000 rw-p 00014000 5f:00 14382 /lib/ld-2.1.2.so
  1617. 40016000-40017000 rwxp 00000000 00:00 0
  1618. 40017000-40018000 rw-p 00000000 00:00 0
  1619. 40018000-4001b000 r-xp 00000000 5f:00 14435 /lib/libtermcap.so.2.0.8
  1620. 4001b000-4001c000 rw-p 00002000 5f:00 14435 /lib/libtermcap.so.2.0.8
  1621. 4001c000-4010d000 r-xp 00000000 5f:00 14387 /lib/libc-2.1.2.so
  1622. 4010d000-40111000 rw-p 000f0000 5f:00 14387 /lib/libc-2.1.2.so
  1623. 40111000-40114000 rw-p 00000000 00:00 0
  1624. 40114000-4011e000 r-xp 00000000 5f:00 14408 /lib/libnss_files-2.1.2.so
  1625. 4011e000-4011f000 rw-p 00009000 5f:00 14408 /lib/libnss_files-2.1.2.so
  1626. 7fffd000-80000000 rwxp ffffe000 00:00 0
  1627. Showing us the shared libraries init uses where they are in memory
  1628. & memory access permissions for each virtual memory area.
  1629. /proc/1/cwd is a softlink to the current working directory.
  1630. /proc/1/root is the root of the filesystem for this process.
  1631. /proc/1/mem is the current running processes memory which you
  1632. can read & write to like a file.
  1633. strace uses this sometimes as it is a bit faster than the
  1634. rather inefficient ptrace interface for peeking at DATA.
  1635. cat status
  1636. Name: init
  1637. State: S (sleeping)
  1638. Pid: 1
  1639. PPid: 0
  1640. Uid: 0 0 0 0
  1641. Gid: 0 0 0 0
  1642. Groups:
  1643. VmSize: 408 kB
  1644. VmLck: 0 kB
  1645. VmRSS: 208 kB
  1646. VmData: 24 kB
  1647. VmStk: 8 kB
  1648. VmExe: 368 kB
  1649. VmLib: 0 kB
  1650. SigPnd: 0000000000000000
  1651. SigBlk: 0000000000000000
  1652. SigIgn: 7fffffffd7f0d8fc
  1653. SigCgt: 00000000280b2603
  1654. CapInh: 00000000fffffeff
  1655. CapPrm: 00000000ffffffff
  1656. CapEff: 00000000fffffeff
  1657. User PSW: 070de000 80414146
  1658. task: 004b6000 tss: 004b62d8 ksp: 004b7ca8 pt_regs: 004b7f68
  1659. User GPRS:
  1660. 00000400 00000000 0000000b 7ffffa90
  1661. 00000000 00000000 00000000 0045d9f4
  1662. 0045cafc 7ffffa90 7fffff18 0045cb08
  1663. 00010400 804039e8 80403af8 7ffff8b0
  1664. User ACRS:
  1665. 00000000 00000000 00000000 00000000
  1666. 00000001 00000000 00000000 00000000
  1667. 00000000 00000000 00000000 00000000
  1668. 00000000 00000000 00000000 00000000
  1669. Kernel BackChain CallChain BackChain CallChain
  1670. 004b7ca8 8002bd0c 004b7d18 8002b92c
  1671. 004b7db8 8005cd50 004b7e38 8005d12a
  1672. 004b7f08 80019114
  1673. Showing among other things memory usage & status of some signals &
  1674. the processes'es registers from the kernel task_structure
  1675. as well as a backchain which may be useful if a process crashes
  1676. in the kernel for some unknown reason.
  1677. Some driver debugging techniques
  1678. ================================
  1679. debug feature
  1680. -------------
  1681. Some of our drivers now support a "debug feature" in
  1682. /proc/s390dbf see s390dbf.txt in the linux/Documentation directory
  1683. for more info.
  1684. e.g.
  1685. to switch on the lcs "debug feature"
  1686. echo 5 > /proc/s390dbf/lcs/level
  1687. & then after the error occurred.
  1688. cat /proc/s390dbf/lcs/sprintf >/logfile
  1689. the logfile now contains some information which may help
  1690. tech support resolve a problem in the field.
  1691. high level debugging network drivers
  1692. ------------------------------------
  1693. ifconfig is a quite useful command
  1694. it gives the current state of network drivers.
  1695. If you suspect your network device driver is dead
  1696. one way to check is type
  1697. ifconfig <network device>
  1698. e.g. tr0
  1699. You should see something like
  1700. tr0 Link encap:16/4 Mbps Token Ring (New) HWaddr 00:04:AC:20:8E:48
  1701. inet addr:9.164.185.132 Bcast:9.164.191.255 Mask:255.255.224.0
  1702. UP BROADCAST RUNNING MULTICAST MTU:2000 Metric:1
  1703. RX packets:246134 errors:0 dropped:0 overruns:0 frame:0
  1704. TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
  1705. collisions:0 txqueuelen:100
  1706. if the device doesn't say up
  1707. try
  1708. /etc/rc.d/init.d/network start
  1709. ( this starts the network stack & hopefully calls ifconfig tr0 up ).
  1710. ifconfig looks at the output of /proc/net/dev and presents it in a more
  1711. presentable form.
  1712. Now ping the device from a machine in the same subnet.
  1713. if the RX packets count & TX packets counts don't increment you probably
  1714. have problems.
  1715. next
  1716. cat /proc/net/arp
  1717. Do you see any hardware addresses in the cache if not you may have problems.
  1718. Next try
  1719. ping -c 5 <broadcast_addr> i.e. the Bcast field above in the output of
  1720. ifconfig. Do you see any replies from machines other than the local machine
  1721. if not you may have problems. also if the TX packets count in ifconfig
  1722. hasn't incremented either you have serious problems in your driver
  1723. (e.g. the txbusy field of the network device being stuck on )
  1724. or you may have multiple network devices connected.
  1725. chandev
  1726. -------
  1727. There is a new device layer for channel devices, some
  1728. drivers e.g. lcs are registered with this layer.
  1729. If the device uses the channel device layer you'll be
  1730. able to find what interrupts it uses & the current state
  1731. of the device.
  1732. See the manpage chandev.8 &type cat /proc/chandev for more info.
  1733. SysRq
  1734. =====
  1735. This is now supported by linux for s/390 & z/Architecture.
  1736. To enable it do compile the kernel with
  1737. Kernel Hacking -> Magic SysRq Key Enabled
  1738. echo "1" > /proc/sys/kernel/sysrq
  1739. also type
  1740. echo "8" >/proc/sys/kernel/printk
  1741. To make printk output go to console.
  1742. On 390 all commands are prefixed with
  1743. ^-
  1744. e.g.
  1745. ^-t will show tasks.
  1746. ^-? or some unknown command will display help.
  1747. The sysrq key reading is very picky ( I have to type the keys in an
  1748. xterm session & paste them into the x3270 console )
  1749. & it may be wise to predefine the keys as described in the VM hints above
  1750. This is particularly useful for syncing disks unmounting & rebooting
  1751. if the machine gets partially hung.
  1752. Read Documentation/sysrq.txt for more info
  1753. References:
  1754. ===========
  1755. Enterprise Systems Architecture Reference Summary
  1756. Enterprise Systems Architecture Principles of Operation
  1757. Hartmut Penners s390 stack frame sheet.
  1758. IBM Mainframe Channel Attachment a technology brief from a CISCO webpage
  1759. Various bits of man & info pages of Linux.
  1760. Linux & GDB source.
  1761. Various info & man pages.
  1762. CMS Help on tracing commands.
  1763. Linux for s/390 Elf Application Binary Interface
  1764. Linux for z/Series Elf Application Binary Interface ( Both Highly Recommended )
  1765. z/Architecture Principles of Operation SA22-7832-00
  1766. Enterprise Systems Architecture/390 Reference Summary SA22-7209-01 & the
  1767. Enterprise Systems Architecture/390 Principles of Operation SA22-7201-05
  1768. Special Thanks
  1769. ==============
  1770. Special thanks to Neale Ferguson who maintains a much
  1771. prettier HTML version of this page at
  1772. http://linuxvm.org/penguinvm/
  1773. Bob Grainger Stefan Bader & others for reporting bugs