Inspecting memory in zxdb

Zxdb supports the following commands for inspecting memory:

• aspace
• mem-analyze
• mem-read / x
• stack
• sym-near

aspace: Show mapped memory regions.

The aspace command, abbreviated as, outputs address space information for the process. In Fuchsia, virtual memory consists of a hierarchy of Virtual Memory Objects (VMOs).

With no parameters, the aspace command shows all VMOs in the process.

When given an address, the aspace command shows the VMO hierarchy containing just that address. This can be useful to determine where an address is in memory, as the names of the VMOs typically indicate what type of region that is.

Understanding the output

In the following example, the aspace command details the following about the 0x10b7f304d28 address:

• Hierarchy of VMOs that contain the address.
• The address and size of each VMO.
• The name of each VMO, which can give clues about their purpose.
  • From the name in this example, you can tell the address is in a stack allocated by pthreads.

The following are relevant VMO names that could be included in output from the aspace command:

• initial-thread: The stack of the startup thread.
• pthread_t:0x...: The stack of a pthread-created thread. The address indicates the memory location of the `pthread_t structure for that thread.
• *uncompressed-bootfs: A memory-mapped library coming from bootfs (core system libraries). The libs command can tell you the library name for that address.
• stack: msg of ...: The startup stack. This very small stack is used only by the dynamic linker and loader code.
• scudo:*: Pages allocated with the scudo memory manager. If the process is using scudo, these regions are the application heap.
• vdso/full: The built-in library that implements system calls.
• blob-*: Mapped library coming from blobfs. The libs command can tell you the library name for that address.

mem-analyze: Dumps memory, trying to interpret pointers.

This command attempts to interpret memory as pointers and decode what they point to. Addresses with corresponding symbols are symbolized, while other addresses indicate the name of the memory-mapping region they fall into (see the aspace command). It can be useful for dumping unknown memory.

See also stack, which is a variant of the mem-analyze command for stack analysis.

mem-read: Dump process memory

The mem-read command, abbreviated x, provides hex dumps of the given address. You supply the address and optionally override the default size with the -s option.

You can also supply an expression that evaluates to an address. If the type of the pointer has a known size, the dump automatically shows that many bytes:

stack: Provides a low-level analysis of the stack

The stack command analyzes the stack in a similar way to mem-analyze. It defaults to the top of the current thread's stack. The stack command attempts to decode addresses present in the memory region, but it also adds annotations for the known register values and stack base pointers of the thread.

In the notes colum, left-pointing arrows indicate which registers point to that stack location, while right-pointing arrows indicate where the value of the stack entry points to if it is interpreted as an address.

sym-near: Map addresses to symbols

The sym-near command, abbreviated sn, attempts to map an address to a symbol name. Running the command outputs the name and line information (if available) for the symbol at or preceeding the address and is most often used to tell what a pointer points to.