[Crash-utility] Use crash with KVM memory dump?

[Jun Koi]

On Fri, May 30, 2014 at 12:36 AM, Dave Anderson <anderson at redhat.com> wrote:

>
>
> ----- Original Message -----
> > hi,
> >
> > i dump the whole memory of a KVM guest out using "dump-guest-memory". as
> a
> > result, now i have a big ELF file. i want to use "crash" to analyze this
> > dump file.
> >
> > the question is: given the RIP address of an instruction in the KVM
> guest -
> > for example 0x12345, which is virtual address, how can "crash" tell me
> where
> > in the dump is the position of 0x12345? is there such a command for this?
>
> Is the RIP in user-space or kernel-space?  If I understand your question
> correctly,
> you can enter "vtop" of the RIP to get the physical address, but if it's a
> user-space address, you must ensure that you have "set" the context to the
> PID/task-address of the task whose user-space memory you want to look at.
>
> >
> > my intention is to locate the place, and analyze the assembly instruction
> > around that RIP to see what is running at the time i dumped the KVM
> memory.
>
> You really don't need to know where in the dumpfile the RIP is located
> for disassembly.  If it's kernel-space you're interested in, then you
> can just do "dis -rl <RIP-address>" to see the sequence of instructions
> leading up to the RIP.  If it's user-space, there's no way to determine
> the beginning of the user-space function that was running, so the best
> you can do is to "set" your context to the task you're interested in,
> and do a "dis -u <user-space-RIP> <count>" to see where it was, and where
> it would be going to.
>
>
yes, the RIP is in the kernel at that time.

could you please confirm that everything you said above work with all kind
of guest OS running on x86, but not only Linux guest?

thanks,
Jun
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/crash-utility/attachments/20140530/4cf34de8/attachment.htm>