[Crash-utility] Use crash with KVM memory dump?

Dave Anderson anderson at redhat.com
Thu May 29 16:36:32 UTC 2014



----- Original Message -----
> hi,
> 
> I dumped the whole memory of a KVM guest out using "dump-guest-memory". As a
> result, I now have a big ELF file. I want to use "crash" to analyze this
> dump file.
> 
> The question is: given the RIP address of an instruction in the KVM guest -
> for example 0x12345, which is a virtual address - how can "crash" tell me where
> in the dump the position of 0x12345 is? Is there a command for this?

Is the RIP in user-space or kernel-space?  If I understand your question correctly,
you can enter "vtop" of the RIP to get the physical address, but if it's a
user-space address, you must ensure that you have "set" the context to the
PID/task-address of the task whose user-space memory you want to look at.

> 
> My intention is to locate the place, and analyze the assembly instructions
> around that RIP to see what was running at the time I dumped the KVM memory.

You really don't need to know where in the dumpfile the RIP is located
for disassembly.  If it's kernel-space you're interested in, then you
can just do "dis -rl <RIP-address>" to see the sequence of instructions
leading up to the RIP.  If it's user-space, there's no way to determine
the beginning of the user-space function that was running, so the best
you can do is to "set" your context to the task you're interested in,
and do a "dis -u <user-space-RIP> <count>" to see where it was, and where
it would be going to. 

Dave  

 
> Thanks a lot,
> Jun
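
For the literal question of where an address sits inside the dump file: once "vtop" has produced the physical address, the file offset follows from the ELF PT_LOAD program headers. The sketch below is an added example, not part of the original message and not code from crash; it assumes a little-endian ELF64 dump whose PT_LOAD p_paddr fields hold guest-physical addresses, and the function names and the sample image are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header
PT_LOAD = 1

def load_segments(image):
    """Return (p_paddr, p_filesz, p_offset) for every PT_LOAD segment."""
    hdr = EHDR.unpack_from(image, 0)
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    segs = []
    for i in range(phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = \
            PHDR.unpack_from(image, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((p_paddr, p_filesz, p_offset))
    return segs

def paddr_to_offset(image, paddr):
    """File offset of a guest-physical address, or None if it was not dumped."""
    for seg_paddr, filesz, offset in load_segments(image):
        if seg_paddr <= paddr < seg_paddr + filesz:
            return offset + (paddr - seg_paddr)
    return None

def build_sample():
    """Constructed core image: RAM at 0x0 and at 0x100000, with a hole between."""
    segs = [(0x0, b"A" * 0x1000), (0x100000, b"B" * 0x2000)]
    data_off = EHDR.size + PHDR.size * len(segs)
    phdrs, body = b"", b""
    for paddr, blob in segs:
        phdrs += PHDR.pack(PT_LOAD, 0, data_off + len(body), 0, paddr,
                           len(blob), len(blob), 0)
        body += blob
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, LSB, v1
    ehdr = EHDR.pack(ident, 4, 62, 1, 0, EHDR.size, 0, 0,  # ET_CORE, EM_X86_64
                     EHDR.size, PHDR.size, len(segs), 0, 0, 0)
    return ehdr + phdrs + body

if __name__ == "__main__":
    img = build_sample()
    for pa in (0x10, 0x100010, 0x5000):   # 0x5000 falls in the hole
        print(hex(pa), "->", paddr_to_offset(img, pa))
```

A result of None means the physical address lies in a range the dump does not contain, such as a hole between RAM regions.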



