How to shoot yourself in the foot with mdb
By user12625760 on Dec 15, 2006
This would be funny if it were not for the poor customer who actually did this, led by the hand by an info doc that suggested you do this:
# mdb -kw
> do_tcp_fusion/W 0
That is it. No information as to what to do next.
However, those of you steeped in adb history will remember that mdb has full backward compatibility, and so will know that if you type another address at this point it will repeat the previous command. So it will write 0 to the address specified.
If you were unfortunate enough not to be steeped in adb history, then you may not know how to exit from the mdb session. If you were to guess that the way to do this was to type "exit", then mdb happily looks up "exit" in the symbol table, converts that to an address and writes 0 into that address:
# mdb -kw
Loading modules: [ unix krtld genunix specfs ufs ip sctp usba s1394 nca ipc nfs audiosup random sppp sd crypto ptm lofs ]
> do_tcp_fusion/W 0
do_tcp_fusion: 0x1 = 0x0
> exit
exit: 0x9de3bf50 = 0x0
>
If you are quick, lucky, and realise what has happened, you can write the instruction back before the system crashes, but on a moderately busy system you have almost no time: you have to do it before the next process exits. Hitting Control-D, or exiting mdb by any other method, now results in the system crashing:
panic[cpu0]/thread=3000183c020: BAD TRAP: type=10 rp=2a10037ba50 addr=10c8a00 mmu_fsr=0
mdb: illegal instruction fault:
addr=0x10c8a00
pid=2926, pc=0x10c8a00, sp=0x2a10037b2f1, tstate=0x9900001602, context=0x115b
g1-g7: 10403ac, 58692c, 10c865c, 20, 80000305cfcc0ef8, 0, 3000183c020
000002a10037b770 unix:die+9c (10, 2a10037ba50, 10c8a00, 0, 2a10037b830, c0000000)
  %l0-3: ffffffff7f402000 0000000000000010 ffffffff7e6ebec4 0000000000000000
  %l4-7: 0000000000000000 0000000000001084 0000000000001000 000000000106b800
000002a10037b850 unix:trap+12b8 (2a10037ba50, 0, 0, 1835800, 180c000, 3000183c020)
  %l0-3: 0000000000000000 0000000000000010 0000030001832a98 0000000000000000
  %l4-7: 0000000000010008 0000000000010000 0000000000000001 000000000180c180
000002a10037b9a0 unix:ktl0+48 (1, 0, 100173000, 100173, 5, 5)
  %l0-3: 0000000000000003 0000000000001400 0000009900001602 0000000001013c74
  %l4-7: 0000030001832cc0 0000000000000000 0000000000000000 000002a10037ba50
syncing file systems... done
dumping to /dev/dsk/c0t0d0s1, offset 107806720, content: kernel
It is actually a better way to induce a panic than most of the ones documented in books like Panic.
I've changed the info doc in question to have the command specified as:
echo 'do_tcp_fusion/W 0' | mdb -kw
So that it does not lead any more customers down that path. Yes, I've trawled SunSolve for all the cases where we suggest mdb -kw and updated them in a similar way.
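As an added example (my own, not from the original post or the info doc), a small POSIX shell wrapper around the non-interactive form above: it feeds mdb exactly one command on stdin so no prompt is ever left open, checks the "symbol: old = new" echo-back that mdb -kw prints for a /W write, and returns the previous value so the change can be undone. The MDB variable and the mdb_set_var name are mine.

```shell
#!/bin/sh
# Added example, not from the original post: set one kernel variable via
# mdb without ever sitting at an interactive prompt. Assumptions: MDB names
# the mdb binary (default "mdb"), the symbol is a 4-byte variable, and
# mdb -kw echoes "sym: old = new" for a /W write as shown in the post.
: "${MDB:=mdb}"

# mdb_set_var SYMBOL VALUE
# On success prints the previous value so it can be written back later.
mdb_set_var() {
    sym=$1
    val=$2
    # One command, then EOF. mdb exits at EOF, so there is no prompt at
    # which a stray word such as "exit" could be taken as an address and
    # repeat the write (the adb-compatible behaviour described above).
    out=$(printf '%s/W %s\n' "$sym" "$val" | "$MDB" -kw 2>&1) || {
        printf 'mdb failed for %s: %s\n' "$sym" "$out" >&2
        return 1
    }
    # Pick out the echo-back line for this symbol (ignoring any "Loading
    # modules:" chatter) and collapse mdb's tab alignment to single spaces.
    line=$(printf '%s\n' "$out" | grep "^$sym:" | tail -n 1 |
           sed 's/[[:space:]]\{1,\}/ /g; s/ $//')
    # Accept only "sym: old = new"; anything else means the write did not
    # happen the way we expected, and the caller should look at the system.
    case $line in
        "$sym: "*" = "*) ;;
        *)  printf 'unexpected mdb output for %s: %s\n' "$sym" "$out" >&2
            return 1 ;;
    esac
    old=${line#"$sym: "}
    printf '%s\n' "${old% = *}"
}
```

Keeping the printed old value (for example in a variable) lets the same wrapper restore it with `mdb_set_var do_tcp_fusion "$old"` once the experiment is over.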
Update: I also filed bug 6505499