Finding out which Linux process was executing when the system locked up by evaluating CPU registers
I need to find out what is executing when my Linux (Debian) system hangs (x86 platform). I managed to extract the following information just before the system locked up:
es: 0x7B
cs: 0x73
ss: 0x7B
ds: 0x7B
fs: 0x0
gs: 0x33
ldtbase: 0x0
tr: 0x80
dr7: 0x400
dr6: 0xFFFF0FF0
eax: 0xBFBDE820
ecx: 0xA908F9A0
edx: 0xB708A000
ebx: 0xB71B5278
esp: 0xBFBDE730
ebp: 0xBFBDE838
esi: 0x9D36B58
edi: 0x9D50BB8
eip: 0xB71B13E8
eflags: 0x203206
cr3: 0x1E9DE000
cr0: 0x80050033
From the values of the segment registers, I know that when Linux hangs, it's in user-space mode. What I would like to find out is which process/library is causing the crash, and ideally which exact part of it.
By looking at CR3 and EIP, I should be able to get this information but I am getting confused. As far as I know, the virtual address 0xB71B13E8 is relative to the page table used (0x1E9DE000).
Now, the instruction pointer points to a physical address, right? I think I should convert this (EIP value) to a virtual address which would be the offset of the page table pointed to by CR3.
Could anyone please help me a bit on that?
Comments (1)
Where did you extract the information from?
If this is a usermode crash/lockup, presumably this information is from a core dump (you can dump cores on the fly without necessarily killing the subject)
In that case, use
gdb /usr/bin/myprogrambinary corefile
And navigate using gdb commands bt, info threads, info shared, thread apply all bt full, etc.
The usefulness of all this will greatly improve with debugging symbols for the various libraries installed on your system (depending on your distro, install the relevant *-dbg packages)
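The lookup the question is after, as an added example that is not part of the original post or answer: EIP holds a virtual address in the address space of the process that CR3 selects, so given that process's memory map the address resolves to a mapped file and an offset inside it. The register values are the ones from the question; the /proc/<pid>/maps excerpt, the library name and the assumption that such a listing was saved for the suspect process are constructed for illustration.

```python
# Added example. Register values come from the question's dump.
REGS = {"cs": 0x73, "ss": 0x7B, "eip": 0xB71B13E8, "esp": 0xBFBDE730}

# Constructed /proc/<pid>/maps excerpt (hypothetical library name and inodes).
SAMPLE_MAPS = """\
08048000-08150000 r-xp 00000000 08:01 131090     /usr/bin/myprogrambinary
09d20000-09d80000 rw-p 00000000 00:00 0          [heap]
b7089000-b708c000 rw-p 00000000 00:00 0
b71a0000-b71b4000 r-xp 00000000 08:01 262200     /usr/lib/libexample.so.1
b71b4000-b71b6000 rw-p 00013000 08:01 262200     /usr/lib/libexample.so.1
bfbbf000-bfbe0000 rw-p 00000000 00:00 0          [stack]
"""


def decode_selector(sel):
    """Split an x86 segment selector into (descriptor index, table, RPL)."""
    return sel >> 3, "LDT" if sel & 4 else "GDT", sel & 3


def parse_maps(text):
    """Yield (start, end, perms, file_offset, path) for each maps line."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5] if len(fields) == 6 else "[anon]"
        yield start, end, fields[1], int(fields[2], 16), path


def locate(addr, text):
    """Return (path, perms, offset in file) of the mapping holding addr, or None."""
    for start, end, perms, pgoff, path in parse_maps(text):
        if start <= addr < end:
            return path, perms, addr - start + pgoff
    return None


if __name__ == "__main__":
    # RPL 3 in CS confirms the CPU was executing user-mode code.
    print("cs -> index %d, %s, RPL %d" % decode_selector(REGS["cs"]))
    for name in ("eip", "esp"):
        hit = locate(REGS[name], SAMPLE_MAPS)
        print(name, hex(REGS[name]), "->", hit and (hit[0], hit[1], hex(hit[2])))
```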