Crash Howto

Apr 1, 2016 • JamesW


转载须注明出处:www.wufei.org

数据类型

crash> struct vm_area_struct -o
struct vm_area_struct {
   [0] struct mm_struct *vm_mm;
   [4] long unsigned int vm_start;
  ...
  [44] long unsigned int vm_offset;
  [48] struct file *vm_file;
  [52] long unsigned int vm_pte;
}
SIZE: 56

crash> task_struct -o ffff8100145d2080
struct task_struct {
  [ffff8100145d2080] volatile long int state;
  [ffff8100145d2088] struct thread_info *thread_info;
  [ffff8100145d2090] atomic_t usage;
...

打印变量

crash> struct mm_struct.pgd
struct mm_struct {
   [80] pgd_t *pgd;
}

// pgd 是指针
crash> mm_struct.pgd ffff810022e7d080 -px
  pgd_t *pgd = 0xffff81000e3ac000
  -> {
       pgd = 0x2c0a6067
     }

// 不是指针就直接打印内容
crash> dentry.d_child 0xe813cb4
  d_child = {
    next = 0x3661344,
    prev = 0xdea4bc4
  },

// -l可以指定偏移
crash> dentry.d_child 0xe813cb4
  d_child = {
    next = 0x3661344,
    prev = 0xdea4bc4
  },
crash> dentry -l dentry.d_child 0x3661344
struct dentry {
  d_count = {
    counter = 1
  },
  ...
}

// se不是指针, 如果是指针就不行了
crash> task_struct.se.on_rq ffff88001c3497e0
  se.on_rq = 0,

percpu变量

crash> struct hd_struct.dkstats ffff8802450e2848
  dkstats = 0x60fdb48026c8
crash> struct disk_stats 0x60fdb48026c8:a
[0]: ffffe8fefe6026c8
struct disk_stats {
  sectors = {451376, 80468}, 
  ios = {6041, 971}, 
  merges = {386, 390}, 
  ticks = {194877, 56131}, 
  io_ticks = 12371, 
  time_in_queue = 309163
}
[1]: ffffe8fefe8026c8
struct disk_stats {
  sectors = {0, 0}, 
  ios = {0, 0}, 
  merges = {7, 242}, 
  ticks = {0, 0}, 
  io_ticks = 23, 
  time_in_queue = 581
}

打印数组

crash> page.flags,virtual c101196c 4
  flags = 0x8000,
  virtual = 0xc04b0000

  flags = 0x8000,
  virtual = 0xc04b1000

  flags = 0x8000,
  virtual = 0xc04b2000

  flags = 0x8000,
  virtual = 0xc04b3000

指针数组

struct task_group {
	...
	struct cfs_rq **cfs_rq;
};

crash> task_struct.sched_task_group ffff8802047047a0
  sched_task_group = 0xffff8801e8fe4800
crash> task_group.cfs_rq 0xffff8801e8fe4800
  cfs_rq = 0xffff880207f9e2e0
crash> long 0xffff880207f9e2e0 4
ffff880207f9e2e0:  ffff88021158c200 ffff88021158c000   ..X.......X.....
ffff880207f9e2f0:  ffff88021158d800 ffff88021158d200   ..X.......X.....
crash> rd 0xffff880207f9e2e0 4
ffff880207f9e2e0:  ffff88021158c200 ffff88021158c000   ..X.......X.....
ffff880207f9e2f0:  ffff88021158d800 ffff88021158d200   ..X.......X.....

遍历链表

// start是第一个数据结构, 通过该结构的某个成员指针遍历
static struct file_system_type *file_systems;
struct file_system_type {
	...
	struct file_system_type * next;
}

crash> p file_systems
file_systems = $7 = (struct file_system_type *) 0xffffffff81c6ea60 <sysfs_fs_type>

crash> list file_system_type.next -s file_system_type.name 0xffffffff81c6ea60
ffffffff81c6ea60
  name = 0xffffffff81aa418b "sysfs"
ffffffff81c11420
  name = 0xffffffff81a67024 "rootfs"

// start是standalone (external) list_head
crash> p &elv_list
$6 = (struct list_head *) 0xffffffff81c830b0 <elv_list>

crash> list elevator_type.list -s elevator_type.elevator_name -H elv_list
ffffffff81c85600
  elevator_name = "noop\000\000\000\000\000\000\000\000\000\000\000"
ffffffff81c85700
  elevator_name = "deadline\000\000\000\000\000\000\000"
ffffffff81c858c0
  elevator_name = "cfq\000\000\000\000\000\000\000\000\000\000\000\000"

// start是数据结构的地址, 里面内嵌有list_head, 所有的items都被当成该数据类型
struct task_struct {
	...
	struct list_head tasks;
};

crash> ps bash
PID    PPID  CPU       TASK        ST  %MEM     VSZ    RSS  COMM
3616   3610   2  ffff8802049b2fc0  IN   0.1   30312   9600  bash

crash> list task_struct.tasks -s task_struct.pid -h ffff8802049b2fc0
ffff8802049b2fc0
  pid = 3616
ffff8800c190c7a0
  pid = 3660

输入输出重定向

crash> list sched_group.next 0xffff880207c19b00 | sed 's/^/sched_group.sgp /' > /tmp/1
crash> cat /tmp/1
sched_group.sgp ffff880207c19b00
sched_group.sgp ffff8800bfd90a00
sched_group.sgp ffff880207c19f00
sched_group.sgp ffff880207c19700
crash> < /tmp/1
crash> sched_group.sgp ffff880207c19b00
  sgp = 0xffff8801f9ba3c40
crash> sched_group.sgp ffff8800bfd90a00
  sgp = 0xffff8800bfd90700
crash> sched_group.sgp ffff880207c19f00
  sgp = 0xffff880207c196c0
crash> sched_group.sgp ffff880207c19700
  sgp = 0xffff880207c197c0

Scripts

引用

  • http://people.redhat.com/anderson/crash_whitepaper/