How to find the address of a local variable and display its value from a disassembled function from a core dump
Posted: 2016-12-22 18:30:09
Question:
I am using the crash utility to investigate a core dump. From this core dump I can see a process with two deadlocked threads. The cause of the deadlock appears to be task->mm->mmap_sem being held for too long while a page fault is being handled. I am trying to find out the faulting address that caused this problem.
When handling a page fault, the Linux kernel function do_page_fault reads the faulting address from the cr2 register and then proceeds to handle the page fault. See the code below.
dotraplinkage void __kprobes
do_page_fault(struct pt_regs *regs, unsigned long error_code)
{
	struct vm_area_struct *vma;
	struct task_struct *tsk;
	unsigned long address;
	struct mm_struct *mm;
	int fault;
	int write = error_code & PF_WRITE;
	unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
					(write ? FAULT_FLAG_WRITE : 0);

	tsk = current;
	mm = tsk->mm;

	/* Get the faulting address: */
	address = read_cr2();

	/*
	 * Detect and handle instructions that would cause a page fault for
	 * both a tracked kernel page and a userspace page.
	 */
	if (kmemcheck_active(regs))
		kmemcheck_hide(regs);
	prefetchw(&mm->mmap_sem);

	if (unlikely(kmmio_fault(regs, address)))
		return;
	/* ..... */
Here is the disassembly of the do_page_fault function from the core dump:
Dump of assembler code for function do_page_fault:
0xffffffff81441c77 <+0>: push %rbp
0xffffffff81441c78 <+1>: mov %rsp,%rbp
0xffffffff81441c7b <+4>: push %r15
0xffffffff81441c7d <+6>: push %r14
0xffffffff81441c7f <+8>: push %r13
0xffffffff81441c81 <+10>: push %r12
0xffffffff81441c83 <+12>: push %rbx
0xffffffff81441c84 <+13>: sub $0xd8,%rsp
0xffffffff81441c8b <+20>: data32 data32 data32 xchg %ax,%ax
0xffffffff81441c90 <+25>: mov %esi,%eax
0xffffffff81441c92 <+27>: mov %rdi,%rbx
0xffffffff81441c95 <+30>: mov %rsi,%r13
0xffffffff81441c98 <+33>: and $0x2,%eax
0xffffffff81441c9b <+36>: cmp $0x1,%eax
0xffffffff81441c9e <+39>: sbb %eax,%eax
0xffffffff81441ca0 <+41>: add $0x29,%eax
0xffffffff81441ca3 <+44>: mov %eax,-0xe4(%rbp)
0xffffffff81441ca9 <+50>: mov %gs:0xc400,%r15
0xffffffff81441cb2 <+59>: mov 0x270(%r15),%rax
0xffffffff81441cb9 <+66>: mov %rax,-0xf0(%rbp)
0xffffffff81441cc0 <+73>: mov %cr2,%rax
0xffffffff81441cc3 <+76>: data32 data32 xchg %ax,%ax
0xffffffff81441cc7 <+80>: mov %rax,%r12
0xffffffff81441cca <+83>: mov -0xf0(%rbp),%rax
0xffffffff81441cd1 <+90>: add $0x60,%rax
0xffffffff81441cd5 <+94>: mov %rax,-0xf8(%rbp)
0xffffffff81441cdc <+101>: prefetcht0 (%rax)
0xffffffff81441cdf <+104>: movabs $0x7fffffffefff,%rax
0xffffffff81441ce9 <+114>: cmp %rax,%r12
0xffffffff81441cec <+117>: jbe 0xffffffff81441d50 <do_page_fault+217>
0xffffffff81441cee <+119>: test $0xd,%r13b
0xffffffff81441cf2 <+123>: jne 0xffffffff81441d04 <do_page_fault+141>
0xffffffff81441cf4 <+125>: mov %r12,%rdi
0xffffffff81441cf7 <+128>: callq 0xffffffff81441884 <vmalloc_fault>
0xffffffff81441cfc <+133>: test %eax,%eax
0xffffffff81441cfe <+135>: jns 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441d04 <+141>: mov %r12,%rsi
0xffffffff81441d07 <+144>: mov %r13,%rdi
0xffffffff81441d0a <+147>: callq 0xffffffff81441af0 <spurious_fault>
0xffffffff81441d0f <+152>: test %eax,%eax
0xffffffff81441d11 <+154>: jne 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441d17 <+160>: testb $0x3,0x88(%rbx)
0xffffffff81441d1e <+167>: jne 0xffffffff81441e3e <do_page_fault+455>
0xffffffff81441d24 <+173>: mov %gs:0xd4e0,%rax
0xffffffff81441d2d <+182>: test %rax,%rax
0xffffffff81441d30 <+185>: je 0xffffffff81441e3e <do_page_fault+455>
0xffffffff81441d36 <+191>: mov $0xe,%esi
0xffffffff81441d3b <+196>: mov %rbx,%rdi
0xffffffff81441d3e <+199>: callq 0xffffffff81441253 <kprobe_fault_handler>
0xffffffff81441d43 <+204>: test %eax,%eax
0xffffffff81441d45 <+206>: jne 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441d4b <+212>: jmpq 0xffffffff81441e3e <do_page_fault+455>
0xffffffff81441d50 <+217>: testb $0x3,0x88(%rbx)
0xffffffff81441d57 <+224>: jne 0xffffffff81441d7c <do_page_fault+261>
0xffffffff81441d59 <+226>: mov %gs:0xd4e0,%rax
0xffffffff81441d62 <+235>: test %rax,%rax
0xffffffff81441d65 <+238>: je 0xffffffff81441d7c <do_page_fault+261>
0xffffffff81441d67 <+240>: mov $0xe,%esi
0xffffffff81441d6c <+245>: mov %rbx,%rdi
0xffffffff81441d6f <+248>: callq 0xffffffff81441253 <kprobe_fault_handler>
0xffffffff81441d74 <+253>: test %eax,%eax
0xffffffff81441d76 <+255>: jne 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441d7c <+261>: testb $0x3,0x88(%rbx)
0xffffffff81441d83 <+268>: je 0xffffffff81441d97 <do_page_fault+288>
0xffffffff81441d85 <+270>: callq 0xffffffff810be11d <trace_hardirqs_on>
0xffffffff81441d8a <+275>: sti
0xffffffff81441d8b <+276>: data32 xchg %ax,%ax
0xffffffff81441d8e <+279>: data32 xchg %ax,%ax
0xffffffff81441d91 <+282>: or $0x4,%r13
0xffffffff81441d95 <+286>: jmp 0xffffffff81441dac <do_page_fault+309>
0xffffffff81441d97 <+288>: testb $0x2,0x91(%rbx)
0xffffffff81441d9e <+295>: je 0xffffffff81441dac <do_page_fault+309>
0xffffffff81441da0 <+297>: callq 0xffffffff810be11d <trace_hardirqs_on>
0xffffffff81441da5 <+302>: sti
0xffffffff81441da6 <+303>: data32 xchg %ax,%ax
0xffffffff81441da9 <+306>: data32 xchg %ax,%ax
0xffffffff81441dac <+309>: test $0x8,%r13b
0xffffffff81441db0 <+313>: je 0xffffffff81441dc0 <do_page_fault+329>
0xffffffff81441db2 <+315>: mov %r12,%rdx
0xffffffff81441db5 <+318>: mov %r13,%rsi
0xffffffff81441db8 <+321>: mov %rbx,%rdi
0xffffffff81441dbb <+324>: callq 0xffffffff810369ea <pgtable_bad>
0xffffffff81441dc0 <+329>: mov 0x8ea4f2(%rip),%eax # 0xffffffff81d2c2b8 <perf_swevent_enabled+8>
0xffffffff81441dc6 <+335>: test %eax,%eax
0xffffffff81441dc8 <+337>: je 0xffffffff81441df8 <do_page_fault+385>
0xffffffff81441dca <+339>: test %rbx,%rbx
0xffffffff81441dcd <+342>: mov %rbx,%rcx
0xffffffff81441dd0 <+345>: jne 0xffffffff81441de4 <do_page_fault+365>
0xffffffff81441dd2 <+347>: lea -0xe0(%rbp),%r14
0xffffffff81441dd9 <+354>: mov %r14,%rdi
0xffffffff81441ddc <+357>: callq 0xffffffff81037284 <perf_fetch_caller_regs>
0xffffffff81441de1 <+362>: mov %r14,%rcx
0xffffffff81441de4 <+365>: mov %r12,%r8
0xffffffff81441de7 <+368>: xor %edx,%edx
0xffffffff81441de9 <+370>: mov $0x1,%esi
0xffffffff81441dee <+375>: mov $0x2,%edi
0xffffffff81441df3 <+380>: callq 0xffffffff810d24b2 <__perf_sw_event>
0xffffffff81441df8 <+385>: mov %gs:0xc408,%rax
0xffffffff81441e01 <+394>: testl $0xefffffff,-0x1fbc(%rax)
0xffffffff81441e0b <+404>: jne 0xffffffff81441e3e <do_page_fault+455>
0xffffffff81441e0d <+406>: cmpq $0x0,-0xf0(%rbp)
0xffffffff81441e15 <+414>: je 0xffffffff81441e3e <do_page_fault+455>
0xffffffff81441e17 <+416>: mov -0xf8(%rbp),%rdi
0xffffffff81441e1e <+423>: callq 0xffffffff810721e4 <down_read_trylock>
0xffffffff81441e23 <+428>: test %eax,%eax
0xffffffff81441e25 <+430>: jne 0xffffffff81441e5d <do_page_fault+486>
0xffffffff81441e27 <+432>: test $0x4,%r13b
0xffffffff81441e2b <+436>: jne 0xffffffff81441e51 <do_page_fault+474>
0xffffffff81441e2d <+438>: mov 0x80(%rbx),%rdi
0xffffffff81441e34 <+445>: callq 0xffffffff8106bb2c <search_exception_tables>
0xffffffff81441e39 <+450>: test %rax,%rax
0xffffffff81441e3c <+453>: jne 0xffffffff81441e51 <do_page_fault+474>
0xffffffff81441e3e <+455>: mov %r12,%rdx
0xffffffff81441e41 <+458>: mov %r13,%rsi
0xffffffff81441e44 <+461>: mov %rbx,%rdi
0xffffffff81441e47 <+464>: callq 0xffffffff8103707e <bad_area_nosemaphore>
0xffffffff81441e4c <+469>: jmpq 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441e51 <+474>: mov -0xf8(%rbp),%rdi
0xffffffff81441e58 <+481>: callq 0xffffffff8143def4 <down_read>
0xffffffff81441e5d <+486>: mov -0xf0(%rbp),%rdi
0xffffffff81441e64 <+493>: mov %r12,%rsi
0xffffffff81441e67 <+496>: callq 0xffffffff810f62eb <find_vma>
0xffffffff81441e6c <+501>: test %rax,%rax
0xffffffff81441e6f <+504>: mov %rax,%r14
0xffffffff81441e72 <+507>: je 0xffffffff81441ea6 <do_page_fault+559>
0xffffffff81441e74 <+509>: cmp %r12,0x8(%rax)
0xffffffff81441e78 <+513>: jbe 0xffffffff81441eb9 <do_page_fault+578>
0xffffffff81441e7a <+515>: testb $0x1,0x31(%rax)
0xffffffff81441e7e <+519>: je 0xffffffff81441ea6 <do_page_fault+559>
0xffffffff81441e80 <+521>: test $0x4,%r13b
0xffffffff81441e84 <+525>: je 0xffffffff81441e97 <do_page_fault+544>
0xffffffff81441e86 <+527>: lea 0x10100(%r12),%rax
0xffffffff81441e8e <+535>: cmp 0x98(%rbx),%rax
0xffffffff81441e95 <+542>: jb 0xffffffff81441ea6 <do_page_fault+559>
0xffffffff81441e97 <+544>: mov %r12,%rsi
0xffffffff81441e9a <+547>: mov %r14,%rdi
0xffffffff81441e9d <+550>: callq 0xffffffff810f6ce9 <expand_stack>
0xffffffff81441ea2 <+555>: test %eax,%eax
0xffffffff81441ea4 <+557>: je 0xffffffff81441eb9 <do_page_fault+578>
0xffffffff81441ea6 <+559>: mov %r12,%rdx
0xffffffff81441ea9 <+562>: mov %r13,%rsi
0xffffffff81441eac <+565>: mov %rbx,%rdi
0xffffffff81441eaf <+568>: callq 0xffffffff81037093 <bad_area>
0xffffffff81441eb4 <+573>: jmpq 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441eb9 <+578>: test $0x2,%r13b
0xffffffff81441ebd <+582>: je 0xffffffff81441ec6 <do_page_fault+591>
0xffffffff81441ebf <+584>: testb $0x2,0x30(%r14)
0xffffffff81441ec4 <+589>: jmp 0xffffffff81441ed1 <do_page_fault+602>
0xffffffff81441ec6 <+591>: test $0x1,%r13b
0xffffffff81441eca <+595>: jne 0xffffffff81441ed7 <do_page_fault+608>
0xffffffff81441ecc <+597>: testb $0x7,0x30(%r14)
0xffffffff81441ed1 <+602>: jne 0xffffffff81441fce <do_page_fault+855>
0xffffffff81441ed7 <+608>: mov %r12,%rdx
0xffffffff81441eda <+611>: mov %r13,%rsi
0xffffffff81441edd <+614>: mov %rbx,%rdi
0xffffffff81441ee0 <+617>: callq 0xffffffff810370e1 <bad_area_access_error>
0xffffffff81441ee5 <+622>: jmpq 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441eea <+627>: mov %r14d,%ecx
0xffffffff81441eed <+630>: mov %r12,%rdx
0xffffffff81441ef0 <+633>: mov %r13,%rsi
0xffffffff81441ef3 <+636>: mov %rbx,%rdi
0xffffffff81441ef6 <+639>: callq 0xffffffff8103712f <mm_fault_error>
0xffffffff81441efb <+644>: test %eax,%eax
0xffffffff81441efd <+646>: jne 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441f03 <+652>: testb $0x8,-0xe4(%rbp)
0xffffffff81441f0a <+659>: je 0xffffffff81441fc0 <do_page_fault+841>
0xffffffff81441f10 <+665>: test $0x4,%r14b
0xffffffff81441f14 <+669>: je 0xffffffff81441f61 <do_page_fault+746>
0xffffffff81441f16 <+671>: incq 0x3f8(%r15)
0xffffffff81441f1d <+678>: mov 0x8ea3a5(%rip),%eax # 0xffffffff81d2c2c8 <perf_swevent_enabled+24>
0xffffffff81441f23 <+684>: test %eax,%eax
0xffffffff81441f25 <+686>: je 0xffffffff81441fab <do_page_fault+820>
0xffffffff81441f2b <+692>: test %rbx,%rbx
0xffffffff81441f2e <+695>: mov %rbx,%rcx
0xffffffff81441f31 <+698>: jne 0xffffffff81441f50 <do_page_fault+729>
0xffffffff81441f33 <+700>: lea -0xe0(%rbp),%rcx
0xffffffff81441f3a <+707>: mov %rcx,%rdi
0xffffffff81441f3d <+710>: mov %rcx,-0x100(%rbp)
0xffffffff81441f44 <+717>: callq 0xffffffff81037284 <perf_fetch_caller_regs>
0xffffffff81441f49 <+722>: mov -0x100(%rbp),%rcx
0xffffffff81441f50 <+729>: mov %r12,%r8
0xffffffff81441f53 <+732>: xor %edx,%edx
0xffffffff81441f55 <+734>: mov $0x1,%esi
0xffffffff81441f5a <+739>: mov $0x6,%edi
0xffffffff81441f5f <+744>: jmp 0xffffffff81441fa6 <do_page_fault+815>
0xffffffff81441f61 <+746>: incq 0x3f0(%r15)
0xffffffff81441f68 <+753>: mov 0x8ea356(%rip),%eax # 0xffffffff81d2c2c4 <perf_swevent_enabled+20>
0xffffffff81441f6e <+759>: test %eax,%eax
0xffffffff81441f70 <+761>: je 0xffffffff81441fab <do_page_fault+820>
0xffffffff81441f72 <+763>: test %rbx,%rbx
0xffffffff81441f75 <+766>: mov %rbx,%rcx
0xffffffff81441f78 <+769>: jne 0xffffffff81441f97 <do_page_fault+800>
0xffffffff81441f7a <+771>: lea -0xe0(%rbp),%rcx
0xffffffff81441f81 <+778>: mov %rcx,%rdi
0xffffffff81441f84 <+781>: mov %rcx,-0x100(%rbp)
0xffffffff81441f8b <+788>: callq 0xffffffff81037284 <perf_fetch_caller_regs>
0xffffffff81441f90 <+793>: mov -0x100(%rbp),%rcx
0xffffffff81441f97 <+800>: mov %r12,%r8
0xffffffff81441f9a <+803>: xor %edx,%edx
0xffffffff81441f9c <+805>: mov $0x1,%esi
0xffffffff81441fa1 <+810>: mov $0x5,%edi
0xffffffff81441fa6 <+815>: callq 0xffffffff810d24b2 <__perf_sw_event>
0xffffffff81441fab <+820>: and $0x400,%r14d
0xffffffff81441fb2 <+827>: je 0xffffffff81441fc0 <do_page_fault+841>
0xffffffff81441fb4 <+829>: andl $0xfffffff7,-0xe4(%rbp)
0xffffffff81441fbb <+836>: jmpq 0xffffffff81441e51 <do_page_fault+474>
0xffffffff81441fc0 <+841>: mov -0xf8(%rbp),%rdi
0xffffffff81441fc7 <+848>: callq 0xffffffff8107222e <up_read>
0xffffffff81441fcc <+853>: jmp 0xffffffff81441ff9 <do_page_fault+898>
0xffffffff81441fce <+855>: mov -0xe4(%rbp),%ecx
0xffffffff81441fd4 <+861>: mov -0xf0(%rbp),%rdi
0xffffffff81441fdb <+868>: mov %r14,%rsi
0xffffffff81441fde <+871>: mov %r12,%rdx
0xffffffff81441fe1 <+874>: callq 0xffffffff810f45bf <handle_mm_fault>
0xffffffff81441fe6 <+879>: test $0x433,%eax
0xffffffff81441feb <+884>: mov %eax,%r14d
0xffffffff81441fee <+887>: je 0xffffffff81441f03 <do_page_fault+652>
0xffffffff81441ff4 <+893>: jmpq 0xffffffff81441eea <do_page_fault+627>
0xffffffff81441ff9 <+898>: add $0xd8,%rsp
0xffffffff81442000 <+905>: pop %rbx
0xffffffff81442001 <+906>: pop %r12
0xffffffff81442003 <+908>: pop %r13
0xffffffff81442005 <+910>: pop %r14
0xffffffff81442007 <+912>: pop %r15
0xffffffff81442009 <+914>: leaveq
0xffffffff8144200a <+915>: retq
Now, is it possible to find out what the page-fault address is? Where is it stored on the function's stack?
Update:
Here is the output of bt -f:
#0 [ffff8801f01159f0] __schedule at ffffffff8143d229
ffff8801f01159f8: 0000000000000082 ffff8801f1201818
ffff8801f0115a08: ffff880100000000 ffff8801f0114010
ffff8801f0115a18: ffff8801b9880780 0000000000011b80
ffff8801f0115a28: ffff8801f0115fd8 ffff8801f0115fd8
ffff8801f0115a38: 0000000000011b80 ffff8801f19264c0
ffff8801f0115a48: ffff8801b9880780 ffffffff810f3f7b
ffff8801f0115a58: 00000001b74d4828 ffffea00b74d4860
ffff8801f0115a68: ffff8801f15fa5a0 ffff8801b9880780
ffff8801f0115a78: 0000000000000001 fffffffeffffffff
ffff8801f0115a88: ffff8801b9880780 ffff8801f0115aa0
ffff8801f0115a98: ffffffff8143d3b5
#1 [ffff8801f0115a98] schedule at ffffffff8143d3b5
ffff8801f0115aa0: ffff8801f0115b00 ffffffff8143e7ed
#2 [ffff8801f0115aa8] rwsem_down_failed_common at ffffffff8143e7ed
ffff8801f0115ab0: ffff8801f15fa5b0 ffff8801f15fa5b0
ffff8801f0115ac0: 0000000000000000 00007fea00000001
ffff8801f0115ad0: 80000001ed0c0067 0000000000000000
ffff8801f0115ae0: ffff8801f0115c88 00007fea45ccbfe7
ffff8801f0115af0: 0000000000000002 0000000000000000
ffff8801f0115b00: ffff8801f0115b10 ffffffff8143e846
#3 [ffff8801f0115b08] rwsem_down_read_failed at ffffffff8143e846
ffff8801f0115b10: ffff8801f0115b68 ffffffff812166c4
#4 [ffff8801f0115b18] call_rwsem_down_read_failed at ffffffff812166c4
ffff8801f0115b20: ffffffff81120c26 0000000000000ff8
ffff8801f0115b30: 0000000000000000 0000000000000004
ffff8801f0115b40: 00007fea45ccbfe7 ffff8801f1201818
ffff8801f0115b50: ffffffff8144afe0 ffff8801f15fa5a0
ffff8801f0115b60: ffffffff8143df0b ffff8801f0115c78
ffff8801f0115b70: ffffffff81441e5d
#5 [ffff8801f0115b70] do_page_fault at ffffffff81441e5d
ffff8801f0115b78: ffff8801f0115ba8 ffff8801f15fa5a0
ffff8801f0115b88: ffff8801f15fa540 00000029811333a0
ffff8801f0115b98: ffff8801f0115bb8 ffff8801eff11940
ffff8801f0115ba8: 0000000000000068 ffff8802d3001080
ffff8801f0115bb8: 00000000000000d0 00000000000000d0
ffff8801f0115bc8: ffff8801f0115c18 ffffffff8110ecc5
ffff8801f0115bd8: 0000000000000020 0000000200000202
ffff8801f0115be8: 00000000000000d0 0000000000000002
ffff8801f0115bf8: ffff8802d3ad4aa0 0000000000000002
ffff8801f0115c08: ffffea0009e3b150 ffffea0009e3b128
ffff8801f0115c18: ffff8801f0115c98 ffff8801f0115de8
ffff8801f0115c28: ffffffff812167ca 0000000000000ff8
ffff8801f0115c38: 0000000000000000 0000000000000004
ffff8801f0115c48: 00007fea45ccbfe7 0000000000000001
ffff8801f0115c58: ffff8801a41b8078 0000000000000ff8
ffff8801f0115c68: 0000000000000000 0000000000002ff0
ffff8801f0115c78: ffff8801f0115de8 ffffffff8143f105
#6 [ffff8801f0115c80] page_fault at ffffffff8143f105
[exception RIP: pipe_read+324]
RIP: ffffffff81120c26 RSP: ffff8801f0115d38 RFLAGS: 00010206
RAX: ffff8801f0115ec8 RBX: ffff8801ba6bcd40 RCX: 0000000000000000
RDX: 0000000000000ff8 RSI: 0000000000001017 RDI: 0000000000000ff8
RBP: ffff8801f0115de8 R8: 00007fea45ccbfe7 R9: 0000000000000004
R10: 0000000000000000 R11: 0000000000000ff8 R12: ffff8801a41b8078
R13: 0000000000000ff8 R14: 0000000000000000 R15: 0000000000002ff0
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
ffff8801f0115c88: 0000000000002ff0 0000000000000000
ffff8801f0115c98: 0000000000000ff8 ffff8801a41b8078
ffff8801f0115ca8: ffff8801f0115de8 ffff8801ba6bcd40
ffff8801f0115cb8: 0000000000000ff8 0000000000000000
ffff8801f0115cc8: 0000000000000004 00007fea45ccbfe7
ffff8801f0115cd8: ffff8801f0115ec8 0000000000000000
ffff8801f0115ce8: 0000000000000ff8 0000000000001017
ffff8801f0115cf8: 0000000000000ff8 ffffffffffffffff
ffff8801f0115d08: ffffffff81120c26 0000000000000010
ffff8801f0115d18: 0000000000010206 ffff8801f0115d38
ffff8801f0115d28: 0000000000000018 ffffffff81120bb8
ffff8801f0115d38: ffffffff81211ef8 ffff8801b9880780
ffff8801f0115d48: 0000000000001ff8 ffff8801ef41e390
ffff8801f0115d58: ffff8801ba6bcd88 00000003f12012d0
ffff8801f0115d68: ffff8801ba582000 ffff8801f0115ec8
ffff8801f0115d78: 00000001f0115dc8 ffffffff81617180
ffff8801f0115d88: 00000001f0115dc8 ffff8801ba582ff8
ffff8801f0115d98: 0000000df0115da8 0000000000000ff8
ffff8801f0115da8: ffff8801f1508500 000000000003d010
ffff8801f0115db8: 0000000000100073 ffff8801f0115df8
ffff8801f0115dc8: ffff8801f0115f58 ffff8801f1508500
ffff8801f0115dd8: ffff8801f0115ec8 0000000000000003
ffff8801f0115de8: ffff8801f0115ef8 ffffffff81118dfe
#7 [ffff8801f0115df0] do_sync_read at ffffffff81118dfe
ffff8801f0115df8: 0000000000011b80 0000000000000000
ffff8801f0115e08: 0000000000000000 ffffffff00000001
ffff8801f0115e18: ffff8801f1508500 0000000000000000
ffff8801f0115e28: 0000000000000000 0000000000000000
ffff8801f0115e38: 0000000000000000 ffff8801b9880780
ffff8801f0115e48: 0000000000000000 0000000000000000
ffff8801f0115e58: 0000000000000000 ffff8801ef41e358
ffff8801f0115e68: 0000000000040000 0000000000000003
ffff8801f0115e78: 0000000000040000 ffffffff811e4d73
ffff8801f0115e88: ffff8801f0115ef8 ffff8801f1508500
ffff8801f0115e98: 0000000000000004 0000000000000000
ffff8801f0115ea8: ffff8801f0115ec8 ffffffff811e4de0
ffff8801f0115eb8: 0000000000040000 ffff8801f1508500
ffff8801f0115ec8: 00007fea45ccaff0 000000000003d010
ffff8801f0115ed8: ffff8801f1508500 00007fea45cc8000
ffff8801f0115ee8: ffff8801f0115f58 0000000000040000
ffff8801f0115ef8: ffff8801f0115f38 ffffffff8111988f
#8 [ffff8801f0115f00] vfs_read at ffffffff8111988f
ffff8801f0115f08: 0000000000000001 00007fea43ceb000
ffff8801f0115f18: 0000000000000003 ffff8801f1508500
ffff8801f0115f28: 00007fea45cc8000 00007fea45cc8000
ffff8801f0115f38: ffff8801f0115f78 ffffffff811199ae
#9 [ffff8801f0115f40] sys_read at ffffffff811199ae
ffff8801f0115f48: 0000000000000000 0000000000040000
ffff8801f0115f58: 0000000000000000 00000001f0114000
ffff8801f0115f68: 0000003dcdd8e6c0 0000000000040000
ffff8801f0115f78: 0000000000000000 ffffffff81445742
#10 [ffff8801f0115f80] system_call_fastpath at ffffffff81445742
RIP: 0000003dcdadb51d RSP: 00007fea454ed0d0 RFLAGS: 00003246
RAX: 0000000000000000 RBX: ffffffff81445742 RCX: 00007fea4907b088
RDX: 0000000000040000 RSI: 00007fea45cc8000 RDI: 0000000000000000
RBP: 0000000000000000 R8: 00000000ffffffff R9: 0000000000000000
R10: 0000000000000022 R11: 0000000000003293 R12: 0000000000040000
R13: 0000003dcdd8e6c0 R14: 00000001f0114000 R15: 0000000000000000
ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b
Comments:
It isn't stored anywhere in memory, at least not in the part of the disassembly you have shown. It is kept in R12. If do_page_fault was not the active function at the time of the crash, then you have to unwind the stack to see where it may have been saved. If your crash utility cannot do that for you, you will need to do it by hand.
Answer 1:
The faulting address is most likely of little significance. All the necessary data should be visible "around" the stack frames.
What is the context here? Did you get a panic from the hung task detector because of a thread waiting to acquire the semaphore? As in, are you sure you are looking at the right thread here?
Although I cannot verify it right now, the address can be obtained from the register dump you see when you do 'bt'. Alternatively, as the commenter pointed out, the address is in r12. Further assembly may move it around, but otherwise it should be in that register, or pushed onto the stack if a function is called. Computing its location is left as an exercise for the reader; it is just a little tedious. In fact, 'bt -f' may make the address stand out easily without much analysis. If not, you can 'dis -r' on the return address to disassemble upwards from that point.
What you are seeing may be a classic: an mmapped file on NFS where the server is not responding. In dmesg you would see a note that the server is not responding, but a plain bt should tell you it is waiting on something.
Now for the update.
The posted bt clearly shows that this thread has been "stuck" for a while waiting for the lock owner. So what you should investigate is the lock owner, not this thread. In relatively recent kernels, a pointer to the owner should be stored somewhere in the semaphore. For ultra-old kernels (and you seem to be running one), you may have to resort to investigating all the traces.
As a side note, it is not hard to spot a user-space-y address in the dump: 00007fea45ccbfe7
Looking at the arguments passed to the read syscall, we see rsi 00007fea45cc8000 (the buffer passed in) and rdx 0000000000040000. That is, the address definitely belongs to the buffer, but the offset of the page fault is a bit odd. You would have to disassemble to confirm. But, as noted, the first thing is that you are looking at the wrong thread.
Discussion:
1) I modified some memory management code, so I want to know whether the address belongs to my managed memory region. 2) Yes, I got it from a hung task panic. 3) I will try the other things you mentioned. I will post the output of 'bt -f' above.
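As an added example (not part of the question or the answers), here is a Python script that walks the `bt -f` output the way the answer suggests: it recomputes do_page_fault's frame base from the prologue visible in the disassembly (push %rbp, five more pushes, sub $0xd8,%rsp), reads the locals the compiler spilled at -0xf0/-0xf8/-0xe4(%rbp), cross-checks them (the `add $0x60,%rax` at <+90> means the -0xf8 slot must equal mm + 0x60), and lists the stack slots holding the user-space address the answer points at. The dump excerpt is copied from the question; the function names and the assumption that the dump lines are qword-aligned are mine.

```python
import re

# Constructed excerpt of the `bt -f` output in the question (only the slots this
# walk needs; every value below is copied from the page, the rest is omitted).
BT_F_EXCERPT = """\
#2 [ffff8801f0115aa8] rwsem_down_failed_common at ffffffff8143e7ed
ffff8801f0115ae0: ffff8801f0115c88 00007fea45ccbfe7
#4 [ffff8801f0115b18] call_rwsem_down_read_failed at ffffffff812166c4
ffff8801f0115b40: 00007fea45ccbfe7 ffff8801f1201818
#5 [ffff8801f0115b70] do_page_fault at ffffffff81441e5d
ffff8801f0115b78: ffff8801f0115ba8 ffff8801f15fa5a0
ffff8801f0115b88: ffff8801f15fa540 00000029811333a0
ffff8801f0115c78: ffff8801f0115de8 ffffffff8143f105
#6 [ffff8801f0115c80] page_fault at ffffffff8143f105
"""

# Read off the disassembly: push %rbp, then r15/r14/r13/r12/rbx (5 pushes), then
# sub $0xd8,%rsp. Locals the function spills sit at these (rbp offset, size).
PUSHES_AFTER_RBP, FRAME_SUB = 5, 0xd8
LOCALS = {"mm": (-0xf0, 8), "mmap_sem_ptr": (-0xf8, 8), "flags": (-0xe4, 4)}
FRAME_RE = re.compile(r"^#(\d+) \[([0-9a-f]+)\] (\w+) at ([0-9a-f]+)$")
SLOT_RE = re.compile(r"^([0-9a-f]+):((?: [0-9a-f]{16})+)$")

def parse_bt_f(text):
    """frames: no -> (slot holding the return address, func, pc); mem: addr -> qword."""
    frames, mem = {}, {}
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            frames[int(m[1])] = (int(m[2], 16), m[3], int(m[4], 16))
        elif m := SLOT_RE.match(line):
            for i, q in enumerate(m[2].split()):
                mem[int(m[1], 16) + 8 * i] = int(q, 16)
    return frames, mem

def frame_base(frames, mem, func):
    """rbp of `func`: its frame line names the slot holding the return address of
    the call it is blocked in, so rsp before that call was slot+8; undo the sub
    and the five pushes to land on the saved-rbp slot, which is rbp itself."""
    slot = next(s for s, name, _ in frames.values() if name == func)
    rbp = slot + 8 + FRAME_SUB + 8 * PUSHES_AFTER_RBP
    return rbp, mem[rbp + 8]  # rbp+8 holds the return address into the caller

def read_locals(mem, rbp):
    """Extract each local from the qword-aligned dump, honouring 4-byte locals."""
    out = {}
    for name, (off, size) in LOCALS.items():
        addr = rbp + off
        q = mem[addr & ~7] >> (8 * (addr & 7))
        out[name] = q & ((1 << (8 * size)) - 1)
    return out

def find_saved_copies(mem, value):
    """Slots holding `value`: candidates for where a callee prologue or asm stub
    spilled the register carrying it after do_page_fault blocked (confirm with dis -r)."""
    return sorted(a for a, q in mem.items() if q == value)

if __name__ == "__main__":
    frames, mem = parse_bt_f(BT_F_EXCERPT)
    rbp, ret = frame_base(frames, mem, "do_page_fault")
    print(f"rbp={rbp:#x}", {k: hex(v) for k, v in read_locals(mem, rbp).items()})
    print([hex(a) for a in find_saved_copies(mem, 0x00007fea45ccbfe7)])
```

The flags local comes out as 0x29, which with the `add $0x29` path in the disassembly means the write branch was taken; the return address recovered at rbp+8 must match the pc of frame #6, which is the sanity check that the frame base is right.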