SCO kdb and scodb quick reference

scodb commands

OSR	UW7	Command	Description
x	x	alias [word [new_command]]	Set or list command aliases
x	x	bc [* | address | DRn | name ]	Clear breakpoint
x	x	bl [name]	List breakpoints
x	x	bp [en|dis|mod|name| [rwi] [b|s|l] |x]           addr [condition value ]	Set breakpoints
x	x	c|cb|cs|c1 address	Change memory
x	x	d|db|ds|dl|dn address	Dump memory
x	x	declare|dcl C_declaration	Give a system variable a type
x	x	dis|u [exact] [mode [ [-]names...] | address	Disassemble (unassemble)
x		editmode|edit|em [emacs|vi]	Change the editing mode
x	--	info expression	Get low-level information about an expression.
x	--	quitif expression	If (expression), then quit.
x	x	r|R [ stack_addr -p pid -p proc_addr	Display system or user registers
x	x	s|step -r	Single-step
x	x	stack|b|B [ stack_addr -p pid -p proc_addr	Stack backtrace
x	x	struct [-> member] [members] addr	Show structure member values
x	x	symname|sym address	Find symbol corresponding to an address.
x	--	tfe [depth]	Trace function entry
x	x	type expression	Show type of expression
x	x	unalias [*|aliases]	Unset alias
x	x	undeclare|undcl [*|variables...|	Undeclare system variables
x	x	unvar [*|variables...]	Remove debugger variables
x	x	var [name initvalue]	Create and list debugger variables
x	x	<Del>	Kill line
x	x	<Break>	Correct error on current line

Calling scodb functions

Function	Description
hexdump(addr, mode, len)	dump memory; useful from breakpoint commands
dgdt( )	dump global descriptor table
ddt(addr, nentries)	dump descriptor table, nentries long
ltop(addr)	convert a linear address to a physical address
ptol(addr)	convert a physical address to a linear address
patch_call(addr, func)	patch a call instruction to call a new function
patch_nop(addr)	patch out an instruction with nops
pkill(pid, signal)	send pid a signal
ps( )	show process table similar to ps(CP) or crash(ADM) proc
reboot( )	reboot machine
pidtoproc(pid)	return the proc structure for the PID of a process that is displayed in a ps( ) listing
dpt(addr)	dump out a page table
db_search_pt(addr, pfn)	search a page table for a page frame
db_search_region(pfn)	check if a page frame belongs to any region
dbtty(n)	switch the debugger between screen (0) and sio (1).
eps( )	similar to ps( ), but shows which processes are running on which processors in a multiprocessor configuration.
vuifile(&var, cpuindex)	display per-CPU variables for another CPU on a multiprocessor configuration
saveu(N)	save N swapped-out u-areas for stack backtrace
regions(pid_or_proc_adr)	display pregion and region info for process

scodb nomenclature

Nomenclature	Meaning
<num>	Hexadecimal input
$<num>	Decimal input
0<num>	Octal input
&<symbol>	Address of a symbol and segment type (data or text)
$<variable>	Debugger variable
%<register>	Access register
{list_of_specifiers}	Calculator input line
?	list output modifiers
>	no value output
b	output value as a byte
s	output value as a word
2	output value in binary
o	output value in octal
d	output value in decimal
:	output string

scodb registers

General registers:
eax	function return value
ebx	general use
ecx	general use, counter
edx	general use
ebp	stack frame base pointer
esp	kernel stack pointer
uesp	user process stack pointer
esi	general use, source index
edi	general use, destination index
Segment registers:
cs	code
ds	data
es	extra data
fs	extra data
gs	extra data
ss	stack
Memory management registers:
gdtr	Global Descriptor Table Register
ldtr	Local Descriptor Table Register
idtr	Interrupt Descriptor Table Register
tr	Task register
Control registers:
cr0	system control flags
cr1	unused
cr2	page fault linear address
cr3	page directory base
Other registers and pseudo-registers:
eip	location processor is executing code
efl	flags
trap	system trap number
proc	processor running on (for MPX)

kdb commands (Part 1/3)

Command	Affect
+	compute [TOS-1] + [TOS]; pop 2; push result
-	compute [TOS-1] - [TOS]; pop 2; push result
*	compute [TOS-1] * [TOS]; pop 2; push result
/	compute [TOS-1] / [TOS]; pop 2; push result
%	compute [TOS-1] % [TOS]; pop 2; push result
>>	compute [TOS-1] >> [TOS]; pop 2; push result
<<	compute [TOS-1] << [TOS]; pop 2; push result
<	compute [TOS-1] < [TOS]; pop 2; push result
>	compute [TOS-1] > [TOS]; pop 2; push result
==	compute [TOS-1] == [TOS]; pop 2; push result
!=	compute [TOS-1] != [TOS]; pop 2; push result
&	compute [TOS-1] & [TOS]; pop 2; push result
|	compute [TOS-1] | [TOS]; pop 2; push result
^	compute [TOS-1] ^ [TOS]; pop 2; push result
&&	compute [TOS-1] && [TOS]; pop 2; push result
||	compute [TOS-1] || [TOS]; pop 2; push result
!	replace [TOS] with ! [TOS]
++	replace [TOS] with [TOS] + 1
--	replace [TOS] with [TOS] - 1
%register	push the contents of the 32-, 16- or 8-bit register.
%trap	push the trap number
%ipl	push the interrupt priority level
= variable	store [TOS] in [variable]; pop 1
:: macro	define [macro] as command string [TOS]; pop 1
?	print a help message (same as help)
?brk	show current breakpoint settings
B	set breakpoint number [TOS] at address [TOS-1]; pop 2 or set breakpoint number [TOS] at address [TOS-2] with command string [TOS-1]; pop 3
b	set first free breakpoint address [TOS]; pop 1 or set first free breakpoint at address [TOS-1] with command string [TOS]; pop 2
bn	set breakpoint (like b) and push breakpoint number
brkoff	disable breakpoint number [TOS]; pop 1
brkon	re-enable breakpoint number [TOS]; pop 1
brksoff	disable all breakpoints
brkson	re-enable all (disabled) breakpoints
bs	branch step: execute until a branch is taken
bss	branch step through [TOS] branches; pop 1
call	call the function at address [TOS-1] with [TOS] arguments, given by [TOS-([TOS]+1)],...[TOS-2]; pop [TOS]+2; push function return value
clraddrbrks	clear all breakpoints for address [TOS]; pop 1

kdb commands (Part 2/3)

Command	Affect
clrbrk	clear breakpoint number [TOS]; pop 1
clrbrks	clear all breakpoints
clrstk	pop all values
cmds	print a list of all debugger commands
crreg	push the contents of the specified register. reg is 0, 2, 3, 4; for example, cr3.
curbrk	push the current breakpoint number, or -1 if not entered from a breakpoint
dis	disassemble [TOS] instructions starting at address [TOS-1]; pop 2
dump	show [TOS] bytes starting at virtual address [TOS-1]; pop 2
dup	push [TOS]
endif	end scope of then command
findsym	print kernel symbol with address closest to [TOS]; pop 1
fdump	show [TOS-1] formatted items at [TOS-2] with format [TOS]; pop 3
help	print a help message
ibase	set default input base to [TOS]; pop 1
iinput_base	set default input base. Values for input_base are binary (base 2), decimal (base 10), hex (base 16), octal (base 8).
kvtop	convert kernel virtual addr [TOS] to physical
lbr	show from- and to- address for last branch taken
lint	show from- and to- address for last interrupt or exception
lstack	kernel stack trace for LWP [TOS]; pop 1
newterm	switch kdb console I/O to device [TOS-1] unit number [TOS]; pop 2
newdebug	switch to another debugger on next debugger entry
nonverbose	turn verbose mode off
obase	set output base to [TOS]; pop 1
ooutput_base	Set output base. Values for output_base are decimal (base 10), hex (base 16), octal (base 8).
P	print [TOS] in raw form; pop 1
p	print [TOS]
PP	print [TOS] values in raw form, from [TOS-[TOS]],...[TOS-1]; pop [TOS]+1
pop	pop 1 value
ps	show process information
q	exit from the debugger
r	replace [TOS] with the value at virtual address [TOS]
S	single step 1 instruction (passing calls)
s	single step 1 instruction
SS	single step [TOS] instructions (passing calls); pop 1
ss	single step [TOS] instructions; pop 1
stack	kernel stack trace for the current process
stackargs	set the maximum number of arguments in the stack trace to [TOS]; pop 1
stk	print all values on the stack
then	if [TOS] = 0, skip to endif; pop 1

kdb commands (Part 3/3)

Command	Affect
trace	set breakpoint number [TOS] trace count to [TOS-1]; pop 2
tstack	``try'' kernel stack trace from [TOS]; pop 1
uvtop	convert user process number [TOS] address [TOS-1] to physical; pop 1
vars	show values of debugger variables
vcall	call the function at address [TOS-1] with [TOS] arguments, given by [TOS-([TOS]+1)],...[TOS-2]; pop [TOS]+2
verbose	turn verbose mode on
w	write [TOS-1] into virtual address [TOS]; pop 2
w%register	write [TOS] into register; pop 1
w%trap	write [TOS] into the trap number pseudo-register; pop 1

kdb command suffixes

Grouping	Suffix	Meaning
Operand size	/b	byte
	/w	word (2 bytes)
	/l	long (4 bytes) (default)
	/L	long long (8 bytes)
Address space	/k	kernel virtual (default)
	/p	physical
	/io	I/O port
	/un	user process number n virtual
	/cpun	CPU number n
	/cn	CPU number n (same as cpun)
Register set	/rsn	register set number n
Breakpoint type	/a	data access breakpoint
	/m	data modify breakpoint
	/i	instruction execution breakpoint (default)

kdb registers

32-bit registers	eax, ebx, ecx, edx, esi, edi, ebp, esp, eip, efl
16-bit registers	cs, ds, es, fs, gs, ax, bx, cx, dx, si, di, bp, sp, ip, fl
8-bit registers	al, ah, bl, bh, cl, ch, dl, dh

SCODB and KDB registers

scodb	kdb	General registers (32-bit):
x	x	eax	function return value
x	x	ebx	general use
x	x	ecx	general use, counter
x	x	edx	general use
x	x	ebp	stack frame base pointer
x	x	esp	kernel stack pointer
x	--	uesp	user process stack pointer
x	x	esi	general use, source index
x	?	edi	general use, destination index
--	x	eip
--	x	efl
		Segment registers (16-bit):
x	x	cs	code
x	x	ds	data
x	x	es	extra data
x	x	fs	extra data
x	x	gs	extra data
x	--	ss	stack
--	x	ax
--	x	bx
--	x	cx
--	x	dx
--	x	si
--	x	di
--	x	bp
--	x	sp
--	x	ip
--	x	fl
		8-bit registers:
--	x	al
--	x	ah
--	x	bl
--	x	bh
--	x	cl
--	x	ch
--	x	dl
--	x	dh
		Memory management registers:
x	?	gdtr	Global Descriptor Table Register
x	?	ldtr	Local Descriptor Table Register
x	?	idtr	Interrupt Descriptor Table Register
x	?	tr	Task register
		Control registers:
x	?	cr0	system control flags
x	?	cr1	unused
x	?	cr2	page fault linear address
x	?	cr3	page directory base
		Other registers and pseudo-registers:
x	?	eip	location processor is executing code
x	?	efl	flags
x	?	trap	system trap number
x	?	proc	processor running on (for MPX)