The crash command is used to examine the system memory image of a running or a crashed system by formatting and printing control structures, tables, and other information. Command line arguments to crash are dumpfile, namelist, and output-file.
The following options are supported:
Specify dumpfile as the file containing the system memory image. The default dumpfile is /dev/mem. The system image can also be the pathname of a dump file generated by the savecore(1M) utility.
Specify the text file namelist which contains the symbol table information needed for symbolic access to the system memory image to be examined. The default namelist is /dev/ksyms. Note: It is recommended that crash dumps be analyzed on a machine having the same kernel architecture as the machine from which the dump was taken.
When the crash command is invoked, a session is initiated. The output from a crash session is directed to output-file. The default output-file is the standard output.
Input during a crash session is of the form:
function [ argument. . . ]
where function is one of the crash functions described in the Functions subsection of this manual page, and arguments are qualifying data that indicate which items of the system image are to be printed.
The default for process-related items is the current process for a running system or the process that was running at the time of the crash for a crashed system. Similarly, the default for thread-related items is the current thread for a running system or the thread that was running at the time of the crash for a crash system. If the contents of a table are being dumped, the default is all active table entries.
The following function options are available to crash functions wherever they are semantically valid. Valid function options are shown in Functions.
Display every entry in a table.
Display the full structure.
Interpret all address arguments in the command line as physical addresses. If the addresses specified are not physical addresses, results are inconsistent.
Specify a process slot other than the default.
Redirect the output of a function to filename.
Output from crash functions may be piped to another program in the following way:
function [ argument. . . ] ! shell_command
The redirection option -w cannot be used with this feature.
Depending on the context of the function, numeric arguments are assumed to be in a specific radix. Counts are assumed to be decimal. Addresses are always hexadecimal. Table address arguments larger than the size of the function table are interpreted as hexadecimal addresses; those smaller are assumed to be decimal slots in the table. Default bases on all arguments may be overridden. The C conventions for designating the bases of numbers are recognized. A number that is usually interpreted as decimal is interpreted as hexadecimal if it is preceded by 0x and as octal if it is preceded by 0. Decimal override is designated by 0d, and binary by 0b.
Aliases for functions may be any uniquely identifiable initial substring of the function name. Traditional aliases of one letter, such as b for buffer, remain valid.
Many functions accept different forms of entry for the same argument. Requests for table information accept a table entry number, a physical address, a virtual address, a symbol, a range, or an expression. A range of slot numbers may be specified in the form a-b where a and b are decimal numbers. An expression consists of two operands and an operator. An operand may be an address, a symbol, or a number; the operator may be +, -, *, /, &, or |. An operand that is a number should be preceded by a radix prefix if it is not a decimal number (0 for octal, 0x for hexadecimal, 0b for binary). The expression must be enclosed in parentheses. Other functions accept any of these argument forms that are meaningful.
Two abbreviated arguments to crash functions are used throughout. Both accept data entered in several forms. They may be expanded into the following:
table_entry = slot number | address | symbol | range | expression
start_addr = address | symbol | expression
List available functions.
Escape to the shell and execute command.
Print number in binary, octal, decimal, and hexadecimal. A number in a radix other than decimal should be preceded by a prefix that indicates its radix as follows: 0x, hexadecimal; 0, octal; and 0b, binary.
Print the contents of a buffer in the designated format. The following format designations are recognized: -b, byte; -c, character; -d, decimal; -x, hexadecimal; -o, octal; and, -i, inode. If no format is given, the previous format is used. The default format at the beginning of a crash session is hexadecimal.
Print system buffer headers.
Print the callout table. If the -l option is specified, the contents of the locks pertaining to the callout structure are also displayed.
Print information about process scheduler classes.
Print a description of the named function, including syntax and aliases.
Display events in a kernel memory allocator transaction log. Events are displayed in time-reverse order, with the most recent event displayed first. For each event, kmalog displays the time relative to the most recent event in T-minus notation (for example, T-0.000151879), the bufctl, the buffer address, the kmem cache name, and the stack trace at the time of the event.
Without arguments, kmalog displays the kmem transaction log, which is present only if KMF_AUDIT is set in kmem_flags.
kmalog fail displays the allocation failure log, which is always present; this can be useful in debugging drivers that don't cope with allocation failure correctly.
kmalog slab displays the slab create log, which is always present. kmalog slab can be useful when searching for memory leaks.
Print kernel memory allocator statistics.
Print the information about the medium and large users of the kernel memory allocator that have current memory allocations. The output consists of one entry for each unique stack trace specifying the total amount of memory and number of allocations that was made with that stack trace.
This function is only available if the kernel has the KMF_AUDIT flag set in kmem_flags. (See NOTES.)
If one or more cache names (for example, kmem_alloc_256) are specified, the scan of memory usage is restricted to those caches. By default all caches are included.
If the -e option is used, the small users of the allocator are included. The small users are allocations that total less than 1024 bytes of memory or for which there are less than 10 allocations with the same stack trace.
If the -f option is used, the stack traces are printed for each individual allocation.
Print record locking information. If the -e option is used or lock address arguments are given, the record lock list is printed. If no argument is entered, information on locks relative to UFS inodes is printed.
Print allocated streams message block and data block headers.
Alias: m, vfs
Print information about mounted filename systems.
Print value and type for the given symbol.
Print count values starting at start_addr in one of the following formats: character (-c), decimal (-d), hexadecimal (-x), octal (-o), ASCII (-a), or hexadecimal/character (-h), and one of the following modes: long (-l), short (-t), or byte (-b). The default mode for character and ASCII formats is byte; the default mode for decimal, hexadecimal, and octal formats is long. The format -h prints both hexadecimal and character representations of the addresses dumped; no mode needs to be specified. When format or mode is omitted, the previous value is used. At the start of a crash session, the format is hexadecimal and the mode is long. If no count is entered, 1 is assumed.
Print the process table. Process table information may be specified in two ways. First, any mixture of table entries and process IDs may be entered. Each process ID must be preceded by a #. Alternatively, process table information for runnable processes may be specified with the runnable option -r. If the -l option is specified, all relevant locking information is displayed.
Print information about open special filenames. If the -l option is specified, all relevant locking information is also displayed.
Print STREAMS statistics.
Print the time-sharing dispatcher parameter table. See ts_dptbl(4).
Print the UFS inode table. The -d option will list the address and i-number of all UFS inodes in use and on the free list. If the -l option is specified, all relevant locking information is also displayed. The -r option will display all free UFS inodes.
Print the tunable system parameters.
Alias: m, mount
Print information about mounted filename systems.
Print information about configured filename system types.
Print information about vnodes.
Print the physical address translation of the virtual address start_addr.
See largefile(5) for the description of the behavior of crash when encountering files greater than or equal to 2 Gbyte ( 231 bytes).
See attributes(5) for descriptions of the following attributes:
|ATTRIBUTE TYPE||ATTRIBUTE VALUE|
The crash utility may not be present in versions of the Solaris operating environment after Solaris 8. The crash command is a utility for examining system crash dump files, whose functionality is superseded by the new mdb(1) utility. The crash command's interface was structured around implementation details, such as slots, that have no relation to the Solaris operating environment implementation. Solaris 8 will include documentation that explains the mdb syntax that is equivalent to each crash subcommand to enable the transition.
Kernel core dumps should be examined on the same platform on which they were created.
The kmausers and mblkusers commands require that KMF_AUDIT is set in kmem_flags. To do this, perform the following steps:
Add the following line to /etc/system:
kmem auditing is quite expensive in both memory consumption and CPU time because it records a complete stack trace for every allocation.SunOS 5.8 Last Revised 9 Sep 1999