一、准备环境
1)获取crash工具。注意区分版本(arm/arm64/x86_64)。
2)获取对应软件版本的符号表文件(如vmlinux),可以将该文件放置 crash工具同一目录下。
3)获取sysdump文件,并把所有sysdump文件追加到一个文件sysdump.core中:
cat sysdump.core.* > sysdump.core
4)使用crash工具解析之前生成出来的sysdump.core文件:
crash_arm -m phys_base=0x80000000 vmlinux sysdump.core
或:crash vmlinux sysdump.core
二、crash常见命令
分析sysdump的入口界面如下(包括panic描述及PID等):
XXXX/demo$ ./crash_arm64 vmlinux sysdump.core
crash_arm64 7.2.3++
Copyright (C) 2002-2017 Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
Copyright (C) 1999-2006 Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011 NEC Corporation
Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. Enter "help copying" to see the conditions.
This program has absolutely no warranty. Enter "help warranty" for details.
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=aarch64-elf-linux"...
KERNEL: vmlinux
DUMPFILE: sysdump.core
CPUS: 8 [OFFLINE: 7]
DATE: Sun Jan 1 08:03:20 2012
UPTIME: 00:00:00
LOAD AVERAGE: 0.00, 0.00, 0.00
TASKS: 198
NODENAME: (none)
RELEASE: 4.4.147+
VERSION: #1 SMP PREEMPT Wed Mar 20 21:09:11 CST 2019
MACHINE: aarch64 (unknown Mhz)
MEMORY: 2 GB
PANIC: "Kernel panic - not syncing: add for panic"
PID: 244
COMMAND: "kworker/u16:5"
TASK: ffffffc07b412880 [THREAD_INFO: ffffffc07b412880]
CPU: 2
STATE: TASK_RUNNING (PANIC)
crash_arm64> help
* extend mach runq tree
alias files mod search union
ascii foreach mount set vm
bpf fuser net sha1 vtop
bt gdb p sig waitq
btop help ps struct whatis
compare ipcs pte swap wr
dev irq ptob sym q
dis kmem ptov sys
eval list rd task
exit log repeat timer
crash_arm64 version: 7.2.3++ gdb version: 7.6
For help on any command above, enter "help <command>".
For help on input options, enter "help input".
For help on output options, enter "help output".
crash_arm64>
其中经常用的有:log,ps,sys,mount,sym,rd/wr,bt等。
1)使用sys命令查看系统概况。
2)使用log > kernel.log将kernel log重定向到文件中。
3)使用kmem –i查看内存使用状况。
4)使用ps命令检查进程状态。
>表示活跃的进程, RU代表为运行中的进程,IN为可中断进程,UN为不可中断进程。例如:
crash_arm64> ps
PID PPID CPU TASK ST %MEM VSZ RSS COMM
> 0 0 0 ffffff8008fdf750 RU 0.0 0 0 [swapper/0]
> 0 0 1 ffffffc07d190d80 RU 0.0 0 0 [swapper/1]
0 0 2 ffffffc07d191b00 RU 0.0 0 0 [swapper/2]
> 0 0 3 ffffffc07d192880 RU 0.0 0 0 [swapper/3]
> 0 0 4 ffffffc07d193600 RU 0.0 0 0 [swapper/4]
> 0 0 5 ffffffc07d194380 RU 0.0 0 0 [swapper/5]
0 0 6 ffffffc07d195100 RU 0.0 0 0 [swapper/6]
> 0 0 7 ffffffc07d195e80 RU 0.0 0 0 [swapper/7]
1 0 4 ffffffc07d148000 UN 0.0 0 0 [swapper/0]
2 0 1 ffffffc07d148d80 IN 0.0 0 0 [kthreadd]
3 2 0 ffffffc07d149b00 IN 0.0 0 0 [ksoftirqd/0]
4 2 0 ffffffc07d14a880 IN 0.0 0 0 [kworker/0:0]
5 2 0 ffffffc07d14b600 IN 0.0 0 0 [kworker/0:0H]
> 6 2 6 ffffffc07d14c380 RU 0.0 0 0 [kworker/u16:0]
7 2 0 ffffffc07d14d100 IN 0.0 0 0 [rcu_preempt]
8 2 0 ffffffc07d14de80 IN 0.0 0 0 [rcu_sched]
9 2 0 ffffffc07d14ec00 IN 0.0 0 0 [rcu_bh]
40 2 0 ffffffc07d558000 IN 0.0 0 0 [suspend_sys_syn]
41 2 0 ffffffc07d558d80 IN 0.0 0 0 [perf]
42 2 0 ffffffc07d7d8000 IN 0.0 0 0 [irq/6-70500000.]
43 2 4 ffffffc07d7d8d80 IN 0.0 0 0 [kworker/4:1]
44 2 0 ffffffc07d7d9b00 IN 0.0 0 0 [irq/7-70600000.]
45 2 0 ffffffc07d7da880 IN 0.0 0 0 [irq/8-70800000.]
46 2 0 ffffffc07d7db600 IN 0.0 0 0 [irq/9-70900000.]
47 2 0 ffffffc07d2f0d80 IN 0.0 0 0 [writeback]
48 2 0 ffffffc07d7dc380 IN 0.0 0 0 [crypto]
49 2 0 ffffffc07d7dd100 IN 0.0 0 0 [bioset]
50 2 0 ffffffc07d7dde80 IN 0.0 0 0 [kblockd]
52 2 0 ffffffc07c070000 IN 0.0 0 0 [spi0]
53 2 0 ffffffc07c070d80 IN 0.0 0 0 [spi5]
54 2 0 ffffffc07d2f1b00 IN 0.0 0 0 [edac-poller]
55 2 0 ffffffc07c071b00 IN 0.0 0 0 [system]
56 2 0 ffffffc07c072880 IN 0.0 0 0 [carveout_fb]
57 2 0 ffffffc07c073600 IN 0.0 0 0 [carveout_camera]
58 2 0 ffffffc07c074380 UN 0.0 0 0 [mbox-send-threa]
59 2 0 ffffffc07d2f2880 IN 0.0 0 0 [devfreq_wq]
60 2 0 ffffffc07d2f3600 IN 0.0 0 0 [cfg80211]
61 2 0 ffffffc07c075100 IN 0.0 0 0 [irq/57-spi5.0]
238 2 0 ffffffc07b410d80 IN 0.0 0 0 [adaptive_ts_not]
241 2 1 ffffffc07b462880 IN 0.0 0 0 [mmcqd/1]
242 2 2 ffffffc07b411b00 IN 0.0 0 0 [kworker/u16:3]
243 2 3 ffffffc07b04a880 IN 0.0 0 0 [kworker/u16:4]
> 244 2 2 ffffffc07b412880 RU 0.0 0 0 [kworker/u16:5]
245 2 0 ffffffc07b04b600 IN 0.0 0 0 [kworker/u16:6]
5)使用bt <pid>打印函数调用栈。
直接bt或bt加pid,比如想查看panic的进程,从入口界面看到panic的pid为244(或从ps中活跃进程看):
crash_arm64> bt
PID: 244 TASK: ffffffc07b412880 CPU: 2 COMMAND: "kworker/u16:5"
#0 [ffffffc07b4c7a80] sysdump_enter at ffffff800846ba40
#1 [ffffffc07b4c7ae0] panic at ffffff80081885b4
#2 [ffffffc07b4c7bc0] verity_verify_level at ffffff800867abc8
#3 [ffffffc07b4c7c40] verity_hash_for_block at ffffff800867b5d8
#4 [ffffffc07b4c7c90] verity_work at ffffff800867ba0c
#5 [ffffffc07b4c7d70] process_one_work at ffffff80080c18dc
#6 [ffffffc07b4c7dc0] worker_thread at ffffff80080c1cf0
#7 [ffffffc07b4c7e20] kthread at ffffff80080c7f8c
6)使用dis <addr|symbol>,对给定地址进行反汇编。
比如函数调用栈的一个地址ffffff800867abc8 :
crash_arm64> dis -l ffffff800867abc8
/space/builder/repo/TEMP_BUILD_11657/kernel4.4/drivers/md/dm-verity-target.c: 312
0xffffff800867abc8 <verity_verify_level+576>: bl 0xffffff80081884e0 <panic>
7)使用sym <addr|symbol> 显示symbol源码位置。
如下是堆栈中verity_verify_level或地址ffffff800867abc8的信息:
crash_arm64> sym verity_verify_level
ffffff800867a988 (t) verity_verify_level /space/builder/repo/TEMP_BUILD_11657/kernel4.4/drivers/md/dm-verity-target.c: 262
crash_arm64> sym ffffff800867abc8
ffffff800867abc8 (t) verity_verify_level+576 /space/builder/repo/TEMP_BUILD_11657/kernel4.4/drivers/md/dm-verity-target.c: 312
注意:
1)sym可以查找带关键字的符号,如:sym digest。
2)常见符号类型有t、T、r、R、d、D、b等(具体含义待确认):
t:static函数
T:extern函数(T代表代码区)
r:static只读变量?
R:extern只读变量?(R代表只读数据区)
d:static变量?
D:extern变量? (D代表初始化数据区)
b:static变量(B代表非初始化数据区)
8)结构体和变量:
查看结构体成员,struct加上结构体名就可以查看结构体的成员,如struct dm_verity:
若要查看结构体中所有成员的值,先找到对应地址,再使用struct <结构体名> <结构体变量地址>。
比如网上的一个例子(https://blog.csdn.net/chm880910/article/details/80329350),
task_struct变量地址为ffffffff81a8d020,执行 struct task_struct ffffffff81a8d020结果:
struct task_struct {
state = 0,
stack = 0xffffffff81a00000,
usage = {
counter = 2
},
flags = 2097408,
执行 struct task_struct 查看结构体成员:
struct task_struct {
volatile long int state;
void *stack;
atomic_t usage;
unsigned int flags;
执行 struct -o task_struct 查看结构体成员及偏移:
struct task_struct {
[0] volatile long int state;
[8] void *stack;
[16] atomic_t usage;
[20] unsigned int flags;
9)读取内存rd/修改内存wr。
注意:指针变量的地址需要两次sym找到地址。