Table of Contents
=================

      A. How to use lldb for kernel debugging
      B. Design of lldb kernel debugging platform.
      C. Kernel debugging commands.
          i. Using commands.
         ii. Writing new commands.
      D. Kernel type summaries.
          i. Using summaries
         ii. Writing new summary functions
      E. FAQ and General Coding Guidelines
          i. Frequently Asked Questions
         ii. Formatted Output printing guidelines [MUST READ]
        iii. Coding conventions. [MUST READ]
         iv. Submitting changes in lldbmacros [MUST READ]
          v. Common utility functions and paradigms
      F. Development and Debugging on lldb kernel debugging platform.
          i. Reading an exception backtrace
         ii. Loading custom or local lldbmacros and operating_system plugin
        iii. Adding debug related 'printf's
         iv. Using VSCode's Python debugger with debugpy

A. How to use lldb for kernel debugging
========================================

lldb can be used for kernel debugging the same way as gdb. The simplest way is to start lldb with the kernel symbol file. By default, the lldb environment does not allow automatic loading of python modules. Please add the following setting:

    File: ~/.lldbinit
    settings set target.load-script-from-symbol-file true

With it enabled, lldb runs the Python scripts packaged in a dSYM when it loads the symbols.

Now lldb will be ready to connect over 'kdp-remote \<hostname:port>' or 'gdb-remote \<hostname:port>'.
If you need to debug a core file, you can add '--core /path/to/corefile' to your lldb command (e.g. `xcrun --sdk macosx.internal lldb --core /path/to/corefile`).

Following are detailed steps on how to debug a panic'ed / NMI'ed machine (for the curious souls).

lldb debugging in detail:-

  * Start lldb with the right symbols file. If you do not know the version a priori, then enable dsymForUUID to load symbols dynamically.

        bash$ dsymForUUID --enable
        bash$ lldb /path/to/mach_kernel.symbols
        Current executable set to '/Sources/Symbols/xnu/xnu-2253~2/mach_kernel' (x86_64).
        (lldb)

  * Connect to the remote device or load a core file.

        #for kdp
        (lldb) process connect --plugin kdp-remote udp://17.123.45.67:41139
        #for gdb (eg with astris)
        (lldb) process connect --plugin gdb-remote gdb://17.123.45.67:8000
        #for loading a core file
        (lldb) file --core /path/to/core/file /path/to/kernel_symbol_file

  * Once connected you can debug with basic lldb commands like print, bt, expr etc. The xnu debug macros will also be loaded automatically from the dSYM files.
    If you are working with older kernel files, you can load the kernel specific commands by doing -

        (lldb) command script import /path/to/xnu/tools/lldbmacros/xnu.py
        (lldb) showbootargs
        debug=0x14e ncpus=2

  * You can do `kgmhelp` to get a list of commands available through xnu.py

SPECIAL: The `xnu.py` script brings in kernel type summary functions. To enable these please do -

    (lldb) showlldbtypesummaries

These can be very handy for printing important information from structures easily.
For ex.

    (lldb) print (thread_t)0x80d6a620
    (thread_t) $45 = 0x80d6a620
    thread       thread_id  processor    pri  io_policy  state  wait_queue   wait_event  wmesg  thread_name
    0x80d6a620   0x317      0x902078c8   61              W      0x910cadd4   0x0                SystemSoundServer



B. Design of lldb kernel debugging platform.
=============================================

The lldb debugger provides a python scripting bridge for customizing commands and summaries in lldb. Following is the stack of platforms and how commands and summaries interact with it.

    |-------   xnu scripts ----------|
    | |- lldb Command/Scripting-|    |   <-- provides scriptability for kernel data structures through summary/command invocation.
    | |    |--lldb core--|      |    |   <-- interacts with remote kernel or corefile.
    | |-------------------------|    |
    |--------------------------------|

The xnu script in xnu/tools/lldbmacros provides the following:

  * Custom functions to do plumbing of lldb command invocation to python function call. (see doc strings for @lldb_command)
    The command interface provides some common features (which can be invoked after passing '--' on cmd line) like -

      i. send the output of command to file on disk
      ii. search for a string in the output and selectively print the line containing it.
      iii. -v options to increase verbosity levels in commands.

    For example:

        (lldb)showalltasks -- -s kernel_task -o /tmp/kernel_task.output -v

    will show task summary output with lines matching string 'kernel_task' into a file /tmp/kernel_task.output and with a verbosity level of (default +1)

  * Customization for plugging in summary functions for lldb type summaries. (see doc strings for @lldb_summary)
    It will automatically register given types with the functions within the kernel category.

  * Ability to register test cases for macros (see doc strings for @xnudebug_test).

The file layout is as follows

    xnu/
     |-tools/
       |-lldbmacros/
         |-core/          # Core logic about kernel, lldb value abstraction, configs etc. **DO NOT TOUCH THIS DIR**
         |-plugins/       # Holds plugins for kernel commands.
         |-xnu.py         # xnu debug framework along with kgmhelp, xnudebug commands.
         |-xnudefines.py
         |-utils.py
         |-process.py     # files containing commands/summaries code for each subsystem
         |-memory.py
         |-...
         |-tests/
           |-lldb_tests/        # unit tests for macros, using lldb scripted process to simulate debugging a core file
           |-standalone_tests/  # standalone tests for functionality that's separate from lldb/macros (but used by them)


The lldbmacros directory has a Makefile that follows the build process for xnu. This packages lldbmacros scripts into the dSYM of each kernel build. This helps in rev-locking the lldb commands with changes in kernel sources.


C. Kernel debugging commands.
==============================
i. Using commands.
------------------
Using xnu debug commands is very similar to kgmacros in gdb. You can use 'kgmhelp' to get a listing of available commands.
If you need detailed help for a command please type 'help <command name>' and the documentation for the command will be displayed.
For ex.

    (lldb) help pmap_walk
    Perform a page-table walk in <pmap> for <virtual_address>.
    You can pass -- -v for verbose output. To increase the verbosity add more -v args after the '--'.
    Syntax: pmap_walk <pmap> <virtual_address>

The basic format for every command provided under kgmhelp is as follows

    (lldb) command_name [cmd_args..] [-CMDOPTIONS] [-xnuoptions]
    where:
      command_name : name of command as registered using the @lldb_command decorator and described in 'kgmhelp'
      cmd_args     : shell like arguments that are passed as is to the registered python function.
                     If there is an error in these arguments then the implementor may display an appropriate error message.
      xnuoptions   : common options for stream based operations on the output of command_name.
                     Allowed options are
                     -h          : show help string of a command
                     -s <regexp> : print only the lines matching <regexp>
                     -o <file>   : direct the output of command to <file>. Will not display anything on terminal
                     -v          : increase the verbosity of the command. Each '-v' encountered will increase verbosity by 1.
                     -p <plugin> : pass the output of command to <plugin> for processing and followup with command requests by it.
      CMDOPTIONS   : These are command level options (always a CAPITAL letter option) that are defined by the macro developer. Please do
                     help <cmdname> to know how each option operates on that particular command. For an example of how to use CMDOPTIONS, take a look at vm_object_walk_pages in memory.py

ii. Writing new commands.
--------------------------
The python modules are designed in such a way that a command from lldb invokes a python function with the arguments passed at the lldb prompt.

It is recommended that you develop the command interface and the core utility function separately, so that any function/code can be called as a simple util function and give the same output. i.e.

    (lldb)showtask 0xabcdef000 is same as python >>> GetTaskSummary(0xabcdef000) or equivalent

Following is a step by step guideline on how to add a new command (e.g. showtaskvme). [extra tip: Always a good idea to wrap your macro code within # Macro: , # EndMacro.]

  1. Register a command to a function. Use the lldb_command decorator to map a 'command_name' to a function. Optionally you can provide a getopt compatible option string for customizing your command invocation. Note: Only CAPITAL letter options are allowed. Lowercase options are reserved for the framework level features.

  2. Immediately after the registration, define the function to handle the command invocation. The signature is always like Abc(cmd_args=None, cmd_options={})

  3. Add documentation for Abc(). This is very important for lldb to show help for each command. [ Follow the guidelines above with documentation ]

  4. Use the cmd_args array to get the args passed on the command line. For example a command like `showtaskvme 0xabcdef00` will have cmd_args=['0xabcdef00']
      - note that we use core.value class as an interface to underlying C structures. Refer [Section B] for more details.
      - use kern.globals.\<variable_name> & kern.GetValueFromAddress for building values from addresses.
      - remember that the ideal type of object to be passed around is core.value
      - Anything you 'print' will be relayed to lldb terminal output.

  5. If the user has passed any custom options they will be in the cmd_options dict. The format is `{'-<optionflag>':'<value>'}`. The \<value> will be '' (empty string) for non-option flags.

  6. If your function finds an issue with the passed argument then you can `raise ArgumentError('error_message')` to notify the user. The framework will automatically catch this and show appropriate help using the function doc string.

  7. Please use "##" for commenting your code. This is important because single "#" based strings may be mistakenly considered in the `unifdef` program.

 Time for some code example? Try reading the code for function ShowTaskVmeHelper in memory.py.

SPECIAL Note: Very often you will find yourself making changes to a file for some command/summary and would like to test it out in lldb.

To easily reload your changes in lldb please follow the below example.

  * You fire up lldb and start using zprint. And soon you need to add functionality to zprint.

  * You happily change the function code for the zprint macro in the memory.py file.

  * Now to reload those particular changes without killing your debug session do

        (lldb) xnudebug reload memory
          memory is reloaded from ./memory.py
        (lldb)

  * Alternatively, you can use lldb's command for script loading as

        (lldb) command script import /path/to/memory.py

    You can re-run the same command every time you update the code in the file.

 It is very important that you do the reload using the xnudebug command as it does the plumbing of commands and types for your change in the module. Otherwise you could easily get confused
 why your changes are not reflected in the command.


D. Kernel type summaries.
==========================
i. Using summaries
------------------
The lldb debugger provides ways for the user to customize how a particular type of object is described when printed. These are very useful in displaying complex and large structures
where only certain fields are important based on some flag or value in some field or variable. The way it works is that every time lldb wants to print an object it checks
for registered summaries. We can define python functions and hook them up with lldb as callbacks for type summaries. For example.

    (lldb) print first_zone
    (zone_t) $49 = 0xd007c000
    ZONE                  TOT_SZ  ALLOC_ELTS  FREE_ELTS  FREE_SZ  ELT_SZ  ALLOC(ELTS  PGS  SLK)  FLAGS  NAME
    0x00000000d007c000     29808         182         25     3600     144   4096   28    1   64   X$     zones
    (lldb)

Just printing the value of first_zone as (zone_t) 0xd007c000 wouldn't have been much help. But with the registered summary for zone_t we can see all the interesting info easily.

You do not need to do anything special to use summaries. Once they are registered with lldb they show info automatically when printing objects. However if you wish to
see all the registered type summaries run the command `type summary list -w kernel` on the lldb prompt.
Also if you wish to quickly disable the summaries for a particular command use the `showraw` command.

ii. Writing new summary functions
---------------------------------
lldb provides a really flexible interface for building summaries for complex objects and data. If you find that a struct or list can be
diagnosed better if displayed differently, then feel free to add a type summary for that type. Following is an easy guide on how to do that.

  1. Register a function as a callback for displaying information for a type. Use the `@lldb_type_summary()` decorator with an array of types you wish to register for callback

  2. Provide a header for the summary using the `@header()` decorator. This is a strong requirement for summaries. This gets displayed before the output
     of `GetTypeSummary()` is displayed. [In case you do not wish to have a header then still define it as "" (empty string) ]

  3. Define the function with the signature `GetSomeTypeSummary(valobj)`. It is highly recommended that the naming be consistent with `Get.*?Summary(valobj)`
     The valobj argument holds the core.value object for display.

  4. Use the utility functions and memory read operations to pull out the required information.
     [ use `kern.globals` & `kern.GetValueFromAddress` for building args to core functions. ]
     [ remember that the ideal type of object to be passed around is core.value ]

  5. Return a string that will be printed by the caller. When lldb makes a call back it expects a str to be returned. So do not print
     directly out to console. [ debug info or logs output is okay to be printed anywhere :) ]

Time for some code example? Try reading the code for GetTaskSummary() in process.py.



E. FAQ and General Coding Guidelines
=====================================

i. Frequently Asked Questions
-----------------------------

  Q. How do I avoid printing the summary and see the actual data in a structure?

  A. There is a command called `showraw`. This will disable all kernel specific type summaries and execute any command you provide. For ex.

        (lldb) print (thread_t) 0x80d6a620
        (thread_t) $45 = 0x80d6a620
        thread       thread_id  processor    pri  io_policy  state  wait_queue   wait_event  wmesg  thread_name
        0x80d6a620   0x317      0x902078c8   61              W      0x910cadd4   0x0                SystemSoundServer
        (lldb) showraw print (thread_t) 0x80d6a620
        (thread_t) $48 = 0x80d6a620

  Q. I typed `showallvnodes` and nothing happens for a long time? OR How do I get output of a long running command instantly on the terminal?

  A. The lldb command interface tries to build a result object from the output of a python function. So in case of functions with very long output or runtime it may
     seem that the lldb process is hung. But it is not. You can use the "-i" option to get immediate output on the terminal.

        ex. (lldb) showallvnodes -- -i
            Immediate Output
            ....

  Q. I made a change in a python file for a command or summary, but the output is not reflected in the lldb command?

  A. The python framework does not allow for removing a loaded module and then reloading it. So sometimes if a command has a cached value from
     old code, it will still call the old function and hence will not display new changes in the file on disk. If you find yourself in such a situation
     please see [Section C. -> SPECIAL Note]. If the change is to a basic class or caching mechanism then it is advised to quit lldb and re-load all modules again.

  Q. I am new to python. I get an error message that I do not understand. What should I do?

  A. The syntax for python is different from conventional programming languages. If you get any message with SyntaxError or TypeError or ValueError then please review your code and look for common errors like

      - wrong level of indentation?
      - missed a ':' at the end of an if, elif, for, while statement?
      - referencing a key in a dictionary that doesn't exist? You might see KeyError in such cases.
      - mistakenly used a python reserved keyword as a variable? (check http://docs.python.org/release/3.0.1/reference/lexical_analysis.html#id8)
      - Trying to modify a string value? You can only create new strings but never modify existing ones.
      - Trying to add a non string value to a string? This typically happens in print "time is " + gettime(). Here gettime() returns int and not str.
      - using a local variable with the same name as a global variable?
      - assigning a value to a global variable without declaring it first? It's highly recommended to always declare a global variable with the 'global' keyword

     If you still have difficulty you can look at the python documentation at http://docs.python.org


  Q. I wish to pass the value of a variable/expression to an xnu lldb macro that accepts only pointers. How can I achieve that?

  A. Many lldb macros have syntax that accepts pointers (eg showtaskstacks etc). In order to have your expression evaluated before it is passed to the command, use `back ticks`. For example:

        (lldb) showtaskstacks `(task_t)tasks.next`

     This way the expression within ` ` is evaluated by lldb and the value is passed to the command.
     Note that if your argument pointer is bad or the memory is corrupted, lldb macros will fail with a long backtrace that may not make sense. gdb used to fail silently but lldb does not.
     Please see Section F(i) for more information on reading backtraces.

  Q. I connected to a coredump file with lldb --core corefile and I got RuntimeError: Unable to find lldb thread for tid=XYZ. What should I do?

  A. This is most likely the case that lldb ignored the operating system plugin in the dSYM and hence threads are not populated. Please put the line 'settings set target.load-script-from-symbol-file true' in your ~/.lldbinit file. If you do not have access you can alternatively do

        bash# lldb
        (lldb) settings set target.load-script-from-symbol-file true
        (lldb) file --core corefile


ii. Formatted output printing - zen and peace for life
------------------------------------------------------

To avoid the horrors of printing tabular data on the console and then 2 weeks later again messing with it for a new field, it is recommended to follow these guidelines.

  * Any python string can invoke "".format(), which makes it very easy to play with formats

  * As a convention, I suggest that for printing pointer values in hex use "{0: <#020x}".format(some_int_value). This will print nice 0x prefixed strings with length padded to 20.

  * If you need help with format options take a look at http://docs.python.org/library/string.html#format-string-syntax

  * [ I'd first create a format string for data and then for the header just change the x's and d's to s and pass the header strings to format command. see GetTaskSummary()]

  * If you need to print a string from a core.value object then use str() to get the string representation of the value.


iii. Coding conventions
-----------------------
It is very very HIGHLY RECOMMENDED to follow these guidelines for writing any python code.

  * Python is very sensitive to tabs and spaces for alignment. So please make sure you **INDENT YOUR CODE WITH SPACES** at all times.

  * The standard tab width is 4 spaces. Each increasing indent adds 4 spaces at the beginning of the line.

  * The format for documentation is -

        """ A one line summary describing what this function / class does
            Detailed explanation if necessary along with params and return values.
        """

  * All Classes and functions should have a doc string describing what the function does.
    A consistent format is expected. For ex.

        def SumOfNumbers(a, b, c, d):
            """ Calculate sum of numbers.
                params:
                    a - int, value to be added. can be 0
                    b - int/float, value to be added.
                returns:
                    int/float - Sum of two values
                raises:
                    TypeError - If any type is not identified in the params
            """

  * A Class or Function should always start with a CAPITAL letter and be CamelCase. If a function is for internal use only then it starts with '_'.

  * Function params should always be lower_case and be word separated with '_'

  * A local variable inside a function should be lower_case and separated with '_'

  * A variable for internal use in an object should start with '_'.

  * If a class variable is supposed to hold a non native type of object, it is a good idea to comment what type it holds

  * A class function with a name matching `Get(.*?)Summary()` is always supposed to return a string which can be printed on stdout or any file.

  * Functions beginning with "Get" (eg. GetVnodePath()) mean they return a value and will not print any output to stdout.

  * Functions beginning with "Show" (eg. ShowZTrace()) mean they will print data on screen and may not return any value.


iv. Submitting changes in lldbmacros
------------------------------------

To contribute new commands or fixes to existing ones, it is recommended that you follow the procedure below.

  * Save the changes required for the new command or fix into the lldbmacros directory.

  * Make sure that the coding conventions are strictly followed.

  * Run the syntax checker on each of the modified files. It will find basic formatting errors in the changed files for you.

  * If you are adding a new file then please update the Makefile and xnu.py imports to ensure they get compiled during kernel build.

  * Do a clean build of the kernel from the xnu top level directory.

  * Verify that your changes are present in the dSYM directory of the new build.

  * Re-run all your test and verification steps with the lldbmacros from the newly packaged dSYM/Contents/Resources/Python/lldbmacros.

v. Common utility functions and paradigms
-----------------------------------------
Please search and look around the code for common util functions and paradigms

  * Take a peek at utils.py for common utilities like sizeof_fmt() to humanize size strings in KB, MB etc. The convention is that utils.py holds functions that do self contained actions and do not require intricate knowledge of kernel structures

  * If you need to get the pagesize of the target system, do not hard code any value. kern.globals.page_size is your friend. Similarly use config['verbosity'] for finding about configs.

  * If you are developing a command for a structure that is different based on development/release kernels please use the "hasattr()" functionality to conditionalize referencing #ifdef'ed fields in the structure. See the example in def GetTaskSummary(task) in process.py

  * `ArgumentStringToInt()` is recommended for argument parsing, as it supports binary/octal/decimal/hexadecimal literal
    representations, as well as lldb expressions, which allows for convenient usage e.g. `showmapvme foo_map_ptr`


F. Development and Debugging on lldb kernel debugging platform.
===============================================================

i. Reading an exception backtrace
---------------------------------
In case of an error the lldbmacros may print out an exception backtrace and halt immediately. The important thing is to
isolate possible causes of failure, and eventually file a bug with the kernel team. Following are some common ways in which
you may see an exception instead of your expected result.

  * The lldbmacros cannot divine the type of memory by inspection. If a wrong pointer is passed from the commandline then
    the command code will try to read and show some results. It may still be junk or plain erroneous. Please make sure
    your command arguments are correct. For example: a common mistake is to pass a task address to showactstack. In such
    a case the lldb command may fail and show you a confusing backtrace.

  * Kernel debugging is particularly tricky. Many parts of memory may not be readable. There could be a failure in the network,
    the debugging protocol or just plain bad memory. In such a case please try to see if you can examine memory for the object
    you are trying to access.

  * In case of memory corruption, the lldbmacros may have followed a wrong pointer dereference. This might lead to failure
    and an exception being thrown.

There are a few more options that you can use when a macro is raising exceptions:

  * Add --debug to your macro invocation to provide more detailed/verbose exception output.
  * Add --radar to generate a tar.gz archive when filing a new radar for the kernel team.
  * Add --pdb to attach pdb to the exception stack for debugging.

ii. Loading custom or local lldbmacros and operating_system plugin
------------------------------------------------------------------

The lldbmacros are packaged right into the dSYM for the kernel executable. This makes debugging very easy since they can get loaded automatically when symbols are loaded.
However, this setup makes it difficult for a lldbmacro developer to load custom/local macros. Following is the suggested solution for customizing your debugging setup:

  * Set up the environment variable DEBUG_XNU_LLDBMACROS=1 in your shell. This will disable the automatic setup of lldbmacros and the operating_system.py from the symbols.
     - bash$ export DEBUG_XNU_LLDBMACROS=1

  * Start lldb from the shell
     - bash$ lldb

  * [optional] If you are making changes in the operating_system plugin then you need to set the plugin path for lldb to find your custom operating_system plugin file.
     - (lldb)settings set target.process.python-os-plugin-path /path/to/xnu/tools/lldbmacros/core/operating_system.py

    If you do not wish to change anything in the operating_system plugin then just leave the setting empty. The symbol loading module will set one up for you.

  * Load the xnu debug macros from your custom location.
     - (lldb)command script import /path/to/xnu/tools/lldbmacros/xnu.py


iii. Adding debug related 'printf's
-----------------------------------

The xnu debug framework provides a utility function (debuglog) in utils.py. Please use this for any of your debugging needs. It will not print any output unless the user turns on debug logging on the command. Please check the documentation of debuglog for usage and options.

  * To enable/disable logging
     - (lldb) xnudebug debug
       Enabled debug logging.

iv. Using VSCode's Python debugger with debugpy
-----------------------------------------------

Install debugpy with:

```sh
> pip3 install --user debugpy
```

Add the following to `.vscode/launch.json`:
```
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Attach Python debugger to XNU lldb macros",
            "type": "debugpy",
            "request": "attach",
            "connect": {
                "host": "localhost",
                "port": 5678
            },
            "pathMappings": [
                {
                    "localRoot": "${workspaceFolder}/tools/lldbmacros",
                    "remoteRoot": "${workspaceFolder}/tools/lldbmacros"
                }
            ],
            "justMyCode": false
        }
    ]
}
```

Then, run the scripts:
```sh
> export DEBUG_LLDB_PYTHON=1
> lldb -c <corefile>
(lldb) command script import <xnu/lldbmacros/xnu.py> # if you don't automatically load the scripts
```

The debug scripts will pause to give you a chance to "Debug: Start Debugging" in VSCode. Then breakpoints, watchpoints, and the debug console all work.
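
The command-writing steps from section C.ii (registration with a CAPITAL-only option string, the `cmd_args` / `cmd_options` contract, `ArgumentError` falling back to the doc string) and the format convention from section E.ii, modelled as a stand-alone script. This is an added example and not code from xnu.py: `RunCommand`, `showdemotask`, `GetDemoTaskSummary` and the sample task table are hypothetical stand-ins for the framework's dispatch and for kernel memory, and `int(..., 0)` stands in for `ArgumentStringToInt()` without lldb expression support.

```python
""" Stand-alone model of the command plumbing described in section C.ii
    (an added illustration; hypothetical names, not code from xnu.py).
"""
import contextlib
import getopt
import io
import shlex


class ArgumentError(Exception):
    """ Raised by a command when it cannot use the arguments it was given. """


_COMMANDS = {}  ## hypothetical registry: command_name -> (function, option_string)

## Constructed sample data standing in for kernel memory: address -> (pid, name)
_SAMPLE_TASKS = {
    0xffffff8012345000: (0, "kernel_task"),
    0xffffff8012346800: (1, "launchd"),
}

ROW_FORMAT = "{0: <#020x} {1: <6d} {2: <s}"
## Header: same widths as the row format, with the x and d changed to s.
HEADER = "{0: <20s} {1: <6s} {2: <s}".format("task", "pid", "name")


def lldb_command(cmd_name, option_string=""):
    """ Model of the registration decorator: map cmd_name to a function. """
    if option_string != option_string.upper():
        raise RuntimeError("lowercase options are reserved for the framework")

    def _register(func):
        if not func.__doc__:  ## model choice: the doc string is the help text
            raise RuntimeError("%s has no doc string to show as help" % cmd_name)
        _COMMANDS[cmd_name] = (func, option_string)
        return func
    return _register


def RunCommand(line):
    """ Dispatch one command line and return the text the user would see. """
    words = shlex.split(line)
    if not words or words[0] not in _COMMANDS:
        return "error: unknown command"
    func, option_string = _COMMANDS[words[0]]
    output = io.StringIO()
    try:
        opts, cmd_args = getopt.gnu_getopt(words[1:], option_string)
        with contextlib.redirect_stdout(output):  ## relay anything printed
            func(cmd_args=cmd_args, cmd_options=dict(opts))
    except (getopt.GetoptError, ArgumentError) as err:
        return "error: {0}\n{1}".format(err, func.__doc__.strip())
    return output.getvalue()


def GetDemoTaskSummary(task_address):
    """ Return one formatted row for the task at task_address.
        raises: ArgumentError - if the address is not a known sample task
    """
    if task_address not in _SAMPLE_TASKS:
        raise ArgumentError("{0:#x} is not a task".format(task_address))
    pid, name = _SAMPLE_TASKS[task_address]
    return ROW_FORMAT.format(task_address, pid, name)


# Macro: showdemotask
@lldb_command("showdemotask", "N")
def ShowDemoTask(cmd_args=None, cmd_options={}):
    """ Show a summary row for a task.
        Syntax: showdemotask <task address> [-N]
          -N : do not print the header line
    """
    if not cmd_args:
        raise ArgumentError("missing task address")
    try:
        ## base 0 accepts 0x.., 0o.., 0b.. and decimal literals
        task_address = int(cmd_args[0], 0)
    except ValueError:
        raise ArgumentError("bad address: {0}".format(cmd_args[0]))
    if "-N" not in cmd_options:  ## flags arrive as {'-N': ''}
        print(HEADER)
    print(GetDemoTaskSummary(task_address))
# EndMacro: showdemotask
```

A bad or unknown address ends in a one-line error followed by the command's help text rather than a Python backtrace, which is the behaviour step 6 describes.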