The Debug Monitor Command Syntax

The debug monitor is entered when the kernel crashes, when a system process panics, or when an unhandled processor exception occurs.

Under normal circumstances this ought not to happen, but when the kernel faults, the device enters the kernel debug monitor.

There may be circumstances where you need to force a kernel crash, for example, if the system is locking up. Running the test program crash.exe forces a crash. This program takes a parameter that defines the number of seconds that must elapse before the kernel crash is forced.

For example, when the system locks up under certain conditions, run "crash 60", and then recreate the conditions that lead to the lockup. After 60 seconds, the kernel crash is forced and the debug monitor is entered.

Notes:

  • the EKA2 debug monitor is very similar to the EKA1 version, although the details displayed may be different.

  • you will occasionally find references to the crash debugger; this is the same as the debug monitor.

Getting the debug monitor going

When the kernel faults, the device enters the debug monitor.

To make use of the debug monitor, do the following:

  • Plug the mains adaptor into the DC jack.

  • Connect the target device COM port to your PC, and set the PC serial port to 115200 baud, 8 bits, no parity, 1 stop bit, XON/XOFF flow control.

  • Press the ON key on the target device.

  • Start a terminal program on the PC (e.g. HyperTerminal.)

  • Press RETURN on the PC. The target device should reply with the prompt:

    Password:

  • Enter the password "replacement" (all lower case, but without the quotes) on the PC. The target device should now reply:

    *** DEBUG MONITOR ***

You can now enter debug monitor commands.

f - display kernel fault information

This command displays information about the kernel fault that caused the debugger to be entered. The information has the following format:

Fault Category: Exception  Fault Reason: 10000000
ExcId 00000001 CodeAddr ffe0016c DataAddr 80000001 Extra 00000013
Exc 1 Cpsr=68000010 FAR=80000001 FSR=00000013
 R0=00000000  R1=00000000  R2=30000000  R3=80000001
 R4=00000001  R5=00403d68  R6=00002000  R7=00000000
 R8=00000000  R9=00000000 R10=00000000 R11=00403fa0
R12=00403d34 R13=00403d48 R14=500d41e8 R15=ffe0016c
R13Svc=81716000 R14Svc=500480b8 SpsrSvc=20000010

Notes:

  • R15 is the program counter

  • R14 is the link register

  • R13 is the stack pointer
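An added example (not part of the original documentation) that turns a captured f record into a triage summary, using the R13/R14/R15 roles from the notes above. The CPSR mode table comes from the ARM architecture rather than from this page, and parse_fault and its field names are hypothetical.

```python
import re

# ARM CPSR mode field (bits 4:0), per the ARM architecture (not from this page).
MODES = {0x10: "usr", 0x11: "fiq", 0x12: "irq", 0x13: "svc",
         0x17: "abt", 0x1B: "und", 0x1F: "sys"}

def parse_fault(text):
    """Turn the f command's output into a triage summary (hypothetical helper)."""
    # NAME=hex pairs: Cpsr, FAR, FSR, R0..R15, R13Svc, R14Svc, SpsrSvc.
    regs = {k.lower(): int(v, 16)
            for k, v in re.findall(r"(\w+)=([0-9A-Fa-f]{8})\b", text)}
    # "Name hex" pairs on the ExcId line.
    exc = {k: int(v, 16) for k, v in re.findall(
        r"\b(ExcId|CodeAddr|DataAddr|Extra) ([0-9A-Fa-f]{8})\b", text)}
    cat = re.search(r"Fault Category: (.+?)\s+Fault Reason: ([0-9A-Fa-f]+)", text)
    cpsr = regs["cpsr"]
    return {
        "category": cat.group(1),
        "reason": int(cat.group(2), 16),
        "pc": regs["r15"], "lr": regs["r14"], "sp": regs["r13"],
        "mode": MODES.get(cpsr & 0x1F, "unknown"),  # mode the fault occurred in
        "thumb": bool(cpsr & 0x20),                 # T bit: Thumb state if set
        "fault_addr": exc["DataAddr"],
        # In the page's sample the saved PC equals CodeAddr; flag captures
        # where the two disagree.
        "pc_matches_codeaddr": regs["r15"] == exc["CodeAddr"],
    }

# The sample record shown above on this page.
SAMPLE_FAULT = """\
Fault Category: Exception  Fault Reason: 10000000
ExcId 00000001 CodeAddr ffe0016c DataAddr 80000001 Extra 00000013
Exc 1 Cpsr=68000010 FAR=80000001 FSR=00000013
 R0=00000000  R1=00000000  R2=30000000  R3=80000001
 R4=00000001  R5=00403d68  R6=00002000  R7=00000000
 R8=00000000  R9=00000000 R10=00000000 R11=00403fa0
R12=00403d34 R13=00403d48 R14=500d41e8 R15=ffe0016c
R13Svc=81716000 R14Svc=500480b8 SpsrSvc=20000010
"""

if __name__ == "__main__":
    for key, value in parse_fault(SAMPLE_FAULT).items():
        print(key, hex(value) if type(value) is int else value)
```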

m - do a memory dump

This command dumps memory in both hexadecimal and ASCII format. Use one of the following command formats:

m start end
m start+length

start specifies the start address in hexadecimal, and end specifies the end address in hexadecimal. If the second parameter starts with a + character, then the following hexadecimal characters are interpreted as a length.

Address parameters are always virtual addresses (the MMU is still on).

The resulting format is similar to the EKA1 format.

For example:

.m 81c01c60+30

81C01C60: 00 00 00 00 15 00 00 10 E0 6A 13 50 01 00 00 80 .........j.P....
81C01C70: 30 3B C0 81 34 D9 03 50 00 00 FF FF E8 1C C0 81 0;..4..P........
81C01C80: 34 D9 03 50 30 3B C0 81 FC 4A 13 50 E8 1C C0 81 4..P0;...J.P.....

If an illegal memory access occurs, the debugger traps the exception and displays an error message.

z - do a memory dump, skipping over unmapped memory

This command dumps memory in both hexadecimal and ASCII format, but excludes any unmapped memory space. If an illegal memory access occurs, it does not stop, but skips to the next page instead. This is useful to inspect the content of discontiguous chunks.

The syntax and the display format are the same as for the m command.
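An added example (not part of the original documentation) that rebuilds raw bytes from captured m or z output, starts a new region at each address gap such as the ones z leaves when it skips unmapped pages, and flags rows whose ASCII column disagrees with the hex. It assumes 16 bytes per row and '.' for non-printable bytes, as in the samples on this page; parse_dump and render_ascii are hypothetical names.

```python
import re

# Row layout shown by the m, z and S commands:
# 8-digit hex address, colon, 16 hex byte pairs, then the ASCII column.
ROW = re.compile(r"^([0-9A-Fa-f]{8}):((?: [0-9A-Fa-f]{2}){16}) (.*)$")

def render_ascii(data):
    """Printable bytes as themselves, everything else as '.' (assumed rule)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)

def parse_dump(text):
    """Return (regions, suspect) from captured dump text.

    regions: list of [start_address, bytearray], one per contiguous run.
    suspect: addresses of rows whose ASCII column disagrees with the hex.
    """
    regions, suspect = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompts, echoed commands, error messages
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if m.group(3) != render_ascii(data):
            suspect.append(addr)  # capture damaged or edited in transit
        if regions and regions[-1][0] + len(regions[-1][1]) == addr:
            regions[-1][1].extend(data)  # continues the previous run
        else:
            regions.append([addr, bytearray(data)])  # first row or a gap
    return regions, suspect

# The first two rows are from the page's m example. The last two are
# constructed: one after an address gap, one with a truncated ASCII column.
SAMPLE_DUMP = """\
.m 81c01c60+30
81C01C60: 00 00 00 00 15 00 00 10 E0 6A 13 50 01 00 00 80 .........j.P....
81C01C70: 30 3B C0 81 34 D9 03 50 00 00 FF FF E8 1C C0 81 0;..4..P........
81C03000: 43 52 41 53 48 20 4C 4F 47 00 00 00 00 00 00 00 CRASH LOG.......
81C03010: 58 3E 41 00 04 00 00 00 40 00 00 00 98 4B 04 C8 X>A.....@...
"""

if __name__ == "__main__":
    regions, suspect = parse_dump(SAMPLE_DUMP)
    for start, data in regions:
        print(f"{start:08x}: {len(data)} bytes")
    print("suspect rows:", [f"{a:08x}" for a in suspect])
```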

i - display information for the current process and thread

This command displays information for the current process and thread.

SCHEDULER @80000d98: CurrentThread 8070dd28
RescheduleNeeded=00 DfcPending=00 KernCSLocked=00000001
DFCS: next 80000ea8 prev 80000ea8
ProcessHandler=5004b040, AddressSpace=8070d7c8
SYSLOCK: HoldingThread 8070dd28 iWaiting 00000000
Extras 0: 8070d7c8 1: 8070d7c8 2: 8070d7c8 3: 00000000
Extras 4: 00000000 5: 00000000 6: 00000000 7: 00000000
Extras 8: 00000000 9: 00000000 A: 00000000 B: 00000000
Extras C: 00000000 D: 00000000 E: 00000000 F: 00000000

The format for the thread is:

TheCurrentThread=8070da6c
THREAD at 8070da6c VPTR=50052b50 AccessCount=3 Owner=8070d7c8
Full name crash::Main
Thread MState READY
Default priority 28 WaitLink Priority 28
ExitInfo 3,0,
Flags 80000004, Handles 8070a79c
Supervisor stack base 81715000 size 1000
User stack base 00402000 size 2000
Id=19, Heap=00600000, Created heap=00600000, Frame=00000000
Trap handler=00000000, ActiveScheduler=00000000, Exception
handler=00000000
TempObj=00000000 TempAlloc=00000000
NThread @ 8070dd28 Pri 28 NState READY
Next=8070dd28 Prev=8070dd28 Att=03 ExcInUserMode=10
HeldFM=80000eb8 WaitFM=00000000 AddrSp=8070d7c8
Time=0 Timeslice=20 ReqCount=0
SuspendCount=0 CsCount=0 CsFunction=00000000
SavedSP=81715d6c
CAR 00000001
DACR 30315507
R13_USR 00000000 R14_USR 81715dc4 SPSR_SVC 81715e10
 R4 30303031  R5 30303030  R6 81715dc4  R7 81715e14
 R8 81715dac  R9 81715da0 R10 50055c88 R11 50055c3c
 PC 81715dc0

The format for the process is:

TheCurrentProcess=8070d7c8
PROCESS at 8070d7c8 VPTR=50052bc4 AccessCount=5 Owner=00000000
Full name crash
ExitInfo 3,0,
Flags 00040000, Handles 80709c98, Attributes 60010000
DataBssChunk 8070a514, CodeChunk 8070a9a8
DllDataChunk 00000000, Process Lock 8070d90c
NumChunks=2
0: Chunk 8070a514, run 00400000, access count 1
1: Chunk 8070a704, run 00600000, access count 1
Domain -1, DACR 55555507
TheCurrentAddressSpace=8070d7c8
TheCurrentVMProcess=8070d7c8
PROCESS at 8070d7c8 VPTR=50052bc4 AccessCount=5 Owner=00000000
Full name crash
ExitInfo 3,0,
Flags 00040000, Handles 80709c98, Attributes 60010000
DataBssChunk 8070a514, CodeChunk 8070a9a8
DllDataChunk 00000000, Process Lock 8070d90c
NumChunks=2
0: Chunk 8070a514, run 00400000, access count 1
1: Chunk 8070a704, run 00600000, access count 1
Domain -1, DACR 55555507
TheCurrentDataSectionProcess=8070d7c8
TheCompleteDataSectionProcess=8070d7c8
PROCESS at 8070d7c8 VPTR=50052bc4 AccessCount=5 Owner=00000000
Full name crash
ExitInfo 3,0,
Flags 00040000, Handles 80709c98, Attributes 60010000
DataBssChunk 8070a514, CodeChunk 8070a9a8
DllDataChunk 00000000, Process Lock 8070d90c
NumChunks=2
0: Chunk 8070a514, run 00400000, access count 1
1: Chunk 8070a704, run 00600000, access count 1
Domain -1, DACR 55555507

o - display brief DObject information

This command in lower case displays basic information about the DObject. The command has the following syntax:

o address

where address specifies the address of the DObject.

For example:

o 6403c170

THREAD at 6403c170 VPTR=f8046c18 AccessCount=3 Owner=6403bb4c
Full name crash::Main

O - display full DObject information

This command in upper case displays full information about the DObject. The exact format displayed depends on the exact type of the DObject being referenced, for example, whether it is a thread, process, or a chunk. The command has the following syntax:

O address

where address specifies the address of the DObject.

p - display short information about code segments

This command in lower case displays basic information about one or more code segments, as encapsulated by DCodeSeg objects. The command has the following syntax:

p address | all

where:

  • address is the address of a specific code segment

  • all refers to all code segments.

For example:

p 64053b70

.p 64053b70
CodeSeg at 64053b70:
 FileName: Z:\sys\bin\crash.exe
 RunAddress: f83e3498

P - display full information about code segments

This command in upper case displays the full information about one or more code segments, as encapsulated by DCodeSeg objects. The command has the following syntax:

P address | all

where:

  • address is the address of a specific code segment

  • all refers to all code segments.

For example:

P 64053b70

.p 64053b70
CodeSeg at 64053b70:
 FileName: Z:\sys\bin\crash.exe
 RunAddress: f83e3498

 iLink:     Prev 64052f48 (64052f40) Next 640000e0 (640000d8)
 iTempLink: Prev dfdfdfdf (dfdfdfcf) Next 00000000 (00000000)
 iGbgLink:  Prev 00000000 (00000000) Next 00000000 (00000000)
 iAccessCount: 1
 iEntryPtVeneer: f83e3498
 iFileEntryPoint: f83e3498
 iExtOffset: 10
 iUids: 1000007a 00000000 00000000
 iDeps: 00000000 ( )
 iDepCount: 0
 iNextDep: 0
 iMark: 31
 iAttr: a
 iExeCodeSeg: 64053b70
 iAttachProcess: 00000000
 iModuleVersion: a0000
 iS:
   SecureId: 00000000, VendorId: 70000001
   Caps: 000fffff 00000000
 iSize: 370

 iXIP: 1
 iInfo: f83e3420 (TRomImageHeader*)
  iUid1: 1000007a, iUid2: 00000000, iUid3: 00000000
  iUidChecksum: 045ac39e
  iEntryPoint:  f83e3498
  iCodeAddress: f83e3498, iCodeSize: 00000370
  iDataAddress: 00000000, iDataSize: 00000000
  iTextSize:    00000370, iBssSize:  00000000
  iHeapSizeMin: 00001000, iHeapSizeMax: 00100000, iStackSize: 00002000
  iDllRefTable: 00000000
  iExportDirCount: 0, iExportDir: f83e33fc
  iS:
    SecureId: 00000000, VendorId: 70000001
    Caps: 000fffff 00000000
  iToolsVersion: Major 02 Minor 01 Build 0225
  iFlags: 0000002a
  iPriority: 352
  iDataBssLinearBase: 00400000
  iNextExtension: 00000000
  iHardwareVariant: 01000000
  iTotalDataSize: 00000000
  iModuleVersion: 000a0000
  iExceptionDescriptor: f83e34f4

 iCodeAllocBase: 80000000
 iDataAllocBase: 80000000
 iKernelData: 00000000

c - display contents of object container

This command in lower case displays the contents of one of the kernel's object containers, a DObjectCon type. Note that information is dumped very quickly without page breaks, which is useful in situations where the kernel is likely to become very unstable very shortly after crashing. There is an upper case version of this command, C, which generates output with a pause between pages.

The command has the following syntax:

c type

where type is a single hexadecimal digit between 0 and D inclusive that specifies which kernel container is to be dumped. The mapping between the hexadecimal digit and the kernel container is:

    0    Threads
    1    Processes
    2    Chunks
    3    Libraries
    4    Semaphores
    5    Mutexes
    6    Timers
    7    Servers
    8    Sessions
    9    LogicalDevices
    A    PhysicalDevices
    B    Channels
    C    ChangeNotifiers
    D    Undertakers
    E    Message queues
    F    Property references

For example:

c A

Container 10 at 640275c4 contains 3 PHYSICAL DEVICES:
PHYSICAL DEVICE at 64032dac VPTR=f805d9fc AccessCount=2 Owner=00000000
Full name Media.IRam
PHYSICAL DEVICE at 640339e8 VPTR=f8067e44 AccessCount=2 Owner=00000000
Full name Media.Flash
PHYSICAL DEVICE at 64033a64 VPTR=f806b9f8 AccessCount=2 Owner=00000000
Full name Media.Ata

c 0

Container 0 at 807022b8 contains 12 THREADS:
THREAD at 807011c0 VPTR=50052b04 AccessCount=1 Owner=8070107c
Full name EKern::Null
Thread MState READY
Default priority 0 WaitLink Priority 0
ExitInfo 3,0,
Flags 0000000c, Handles 80701520
Supervisor stack base 80700000 size 1000
User stack base 00000000 size 0
Id=0, Heap=00000000, Created heap=00000000, Frame=00000000
Trap handler=00000000, ActiveScheduler=00000000, Exception
handler=00000000
TempObj=00000000 TempAlloc=00000000
NThread @ 8070147c Pri 0 NState READY
Next=8070147c Prev=8070147c Att=00 ExcInUserMode=00
HeldFM=00000000 WaitFM=00000000 AddrSp=8070107c
Time=-1 Timeslice=-1 ReqCount=0
SuspendCount=0 CsCount=0 CsFunction=00000000
SavedSP=80700f50
CAR 00000001
DACR 55555547
R13_USR 00403ed4 R14_USR 500c88b4 SPSR_SVC 200000d3
 R4 00000009  R5 5004b7ec  R6 50000000  R7 dc911000
 R8 00000000  R9 807103c0 R10 50002140 R11 80700fb4
 PC 500481b4

The information displayed for each object is the same as that shown after using the q command. After displaying the information for each object, the debugger pauses until you press a key.

Notes:

  • the DObjectCon class is internal to Symbian platform.

  • the type value passed as an argument to the command is one of the enum values of the TObjectType enum; this enum is internal to Symbian platform.

C - display contents of object container

This command in upper case is exactly the same as the lower case c command except that the display of output pauses between pages. If you need to dump output as fast as possible without pauses, use the lower case version.

r - dump register contents

This command dumps the full ARM register set.

On ARM this dumps the full set of user mode registers and all the alternate registers for other modes.

For example:

r

MODE_USR:
 R0=6571de54  R1=0000002a  R2=00000002  R3=ffffffff
 R4=0000002a  R5=f8170414  R6=6571df14  R7=6403cba8
 R8=00000001  R9=6403c41c R10=640002f8 R11=6571de70
R12=00000020 R13=00404e00 R14=f80818c0 R15=f800bfa8
CPSR=60000013
MODE_FIQ:
 R8=00000000  R9=ffffffff R10=ffffffff R11=00000000
R12=00000000 R13=64000d0c R14=c080079c SPSR=e00000dc
MODE_IRQ:
R13=6400110c R14=00000013 SPSR=20000013
MODE_SVC:
R13=6571de54 R14=f80328bc SPSR=60000010
MODE_ABT:
R13=6400090c R14=ffff0010 SPSR=400000d7
MODE_UND:
R13=6400090c R14=95221110 SPSR=f000009d

S - Dumps thread stack contents

This command, in upper case, dumps both the user and supervisor stacks used by each thread in the system. Some threads do not have a user stack, in which case this is indicated. Each set of stacks is displayed in turn, in the following format:

THREAD at c8052fa0 VPTR=80082304 AccessCount=6 Owner=c8044608
Full name efile.exe::LoaderThread
User stack base at 00410000, size == 1000
Stack pointer == 00413e30
Stack mapped at 00410000
00413e30: 10 01 70 01 99 93 1b 80 18 01 70 01 d0 56 1b 80 ..p.......p..V..
00413e40: 00 00 00 00 00 00 00 00 84 00 70 01 84 00 70 01 ..........p...p.
00413e50: 04 00 00 00 23 91 1b 80 38 01 70 01 10 01 70 01 ....#...8.p...p.
00413e60: 80 3e 41 00 01 00 00 00 10 01 70 01 00 00 00 00 .>A.......p.....
00413e70: 84 00 70 01 cd 91 1b 80 30 02 70 01 00 00 00 00 ..p.....0.p.....

Supervisor stack base at c9127000, size == 1000
Stack pointer == c9127fbc
c9127fb0: b0 d1 0a c8 0c 00 00 00 13 00 00 00 00 07 00 00 ................
c9127fc0: 00 00 f0 00 45 55 55 55 30 3e 41 00 89 ff 1b 80 ....EUUU0>A.....
c9127fd0: 10 00 00 20 10 01 70 01 80 3e 41 00 98 c7 23 80 ... ..p..>A...#.
c9127fe0: 58 3e 41 00 04 00 00 00 40 00 00 00 98 4b 04 c8 X>A.....@....K..
c9127ff0: 60 04 00 c8 98 01 02 80 00 00 00 00 10 5a 1b 80 `............Z..

Note: With a multiple memory model, this command is the only way to reliably dump a stack.

x - leave debugger, cold restart of ROM image

This command, in lower case, leaves the debugger and does a cold restart of the current ROM image.

X - leave debugger, return to bootloader

This command, in upper case, leaves the debugger, and returns to the bootloader to wait for a new ROM image to be downloaded.

h - Help

Displays a short summary of the crash debugger commands.