[Crash-utility] Re:[RFC] Crash patch for DWARF CFI based unwind support

Dave Anderson anderson at redhat.com
Mon Oct 23 18:34:32 UTC 2006 

Rachita Kothiyal wrote:

> On Mon, Oct 23, 2006 at 09:31:11AM -0400, Dave Anderson wrote:
> >
> > Hmmm, yeah, good catch...
> >
> > But what happens the second time around, anyway?  Are the RSP/RIP
> > starting points so different such that the low_budget tracer's output
> > is so drastically different?  Or does it go off into the weeds because
> > the other user_regs_struct register offsets (that don't get initialized)
> > cause an OFFSET() failure?
> >
>
> Hi Dave
>
> This is what I get when I try it out on one my dumps:
>
> crash> bt      // ----------------------------------------------> 1
> PID: 4102   TASK: ffff81022e94d1e0  CPU: 0   COMMAND: "bash"
>  #0 [ffff810223d73d78] crash_kexec at ffffffff801521d1
>  #1 [ffff810223d73dc0] machine_kexec at ffffffff8011a739
>  #2 [ffff810223d73e00] crash_kexec at ffffffff801521ed
>  #3 [ffff810223d73e88] crash_kexec at ffffffff801521d1
>  #4 [ffff810223d73eb8] __sysrq_get_key_op at ffffffff80288b29
>  #5 [ffff810223d73ec0] __handle_sysrq at ffffffff80288d37
>  #6 [ffff810223d73f00] write_sysrq_trigger at ffffffff801adf95
>  #7 [ffff810223d73f10] vfs_write at ffffffff80179bf0
>  #8 [ffff810223d73f40] sys_write at ffffffff8017a187
>  #9 [ffff810223d73f80] system_call at ffffffff801096da
>     RIP: 00002b3979ef3900  RSP: 00007fff3122f360  RFLAGS: 00010287
>     RAX: 0000000000000001  RBX: ffffffff801096da  RCX: 00000000fbad2a84
>     RDX: 0000000000000002  RSI: 00002b397a181000  RDI: 0000000000000001
>     RBP: 0000000000000002   R8: 00000000ffffffff   R9: 00002b397a072ae0
>     R10: 0000000000000000  R11: 0000000000000246  R12: 00002b397a06c780
>     R13: 00002b397a181000  R14: 0000000000000002  R15: 0000000000000000
>     ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
> crash> set unwind on // ------------------------------------------> 2
> unwind: on
> crash> bt
> PID: 4102   TASK: ffff81022e94d1e0  CPU: 0   COMMAND: "bash"
>  #0 [ffff810223d73e08] crash_kexec at ffffffff801521d1
>  #1 [ffff810223d73ec8] __handle_sysrq at ffffffff80288d37
>  #2 [ffff810223d73f08] write_sysrq_trigger at ffffffff801adf95
>  #3 [ffff810223d73f18] vfs_write at ffffffff80179bf0
>  #4 [ffff810223d73f48] sys_write at ffffffff8017a187
>  #5 [ffff810223d73f88] system_call at ffffffff801096da
>     RIP: 00002b3979ef3900  RSP: 00007fff3122f360  RFLAGS: 00010287
>     RAX: 0000000000000001  RBX: ffffffff801096da  RCX: 00000000fbad2a84
>     RDX: 0000000000000002  RSI: 00002b397a181000  RDI: 0000000000000001
>     RBP: 0000000000000002   R8: 00000000ffffffff   R9: 00002b397a072ae0
>     R10: 0000000000000000  R11: 0000000000000246  R12: 00002b397a06c780
>     R13: 00002b397a181000  R14: 0000000000000002  R15: 0000000000000000
>     ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
> crash> set unwind off //-------------------------------------> 3
> unwind: off
> crash> bt
> PID: 4102   TASK: ffff81022e94d1e0  CPU: 0   COMMAND: "bash"
>  #0 [ffff810223d73e88] crash_kexec at ffffffff801521d1
>  #1 [ffff810223d73eb8] __sysrq_get_key_op at ffffffff80288b29
>  #2 [ffff810223d73ec0] __handle_sysrq at ffffffff80288d37
>  #3 [ffff810223d73f00] write_sysrq_trigger at ffffffff801adf95
>  #4 [ffff810223d73f10] vfs_write at ffffffff80179bf0
>  #5 [ffff810223d73f40] sys_write at ffffffff8017a187
>  #6 [ffff810223d73f80] system_call at ffffffff801096da
>     RIP: 00002b3979ef3900  RSP: 00007fff3122f360  RFLAGS: 00010287
>     RAX: 0000000000000001  RBX: ffffffff801096da  RCX: 00000000fbad2a84
>     RDX: 0000000000000002  RSI: 00002b397a181000  RDI: 0000000000000001
>     RBP: 0000000000000002   R8: 00000000ffffffff   R9: 00002b397a072ae0
>     R10: 0000000000000000  R11: 0000000000000246  R12: 00002b397a06c780
>     R13: 00002b397a181000  R14: 0000000000000002  R15: 0000000000000000
>     ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
>
> The register values which the last bt starts working with(marked 3 above),
> are rsp=ffff810223d73e08 and rip=ffffffff801521d1 (from NT_PRSTATUS).
> So from that point in stack, output 3 and 1 are same.
>
> We also see that stack addresses in 2 and 3 are off by '0x8'.
>  eg #1 ffff810223d73ec8 ------------> 2
>        ffff810223d73ec0 ------------> 3
>
> This is because what crash is reporting is the stack address at which
> the return address was pushed on stack, while what the dwarf based bt is
> reporting is the CFA. In most cases, return address is stored at a location
> (CFA - 8). That is why the offset of 0x8.
>
> The low-budget tracer's backtraces are different from the dwarf-tracer
> because when the low-budget tracer is unwinding the stack by trying to read
> kernel text addresses, it actually comes across many addresses which were
> actually not pushed onto stack because of function calls.
> Specially for the panic task on kdumps, where after 'crash_kexec' is called,
> the registers are dumped onto stack(for creating NT_PRSTATUS section), this
> becomes misleading for the low-budget tracer mechanism. Thats why we see
> multiple crash_kexec entries in the backtrace. Static inline functions can
> also aggrevate this problem.
>
> In other cases, stale frames on the stack can also mislead the low-budget
> tracer.
>
> AFAICT, user_regs_struct register offsets are not the culprits here.
>
> Thanks
> Rachita

So, in other words, if we hardwire the user_regs_struct so that
it uses the NT_PRSTATUS registers all the time, then we get
the second (preferred/better) budget back trace when unwind
is off.

That being the case, I argue for hardwiring them all the time.

Dave

More information about the Crash-utility mailing list