Follow the WeChat public account: DumpStack

Contents
- 1. Building and installing the tool
- 2. Memory dump mechanisms
- 3. Memory dump analysis tools
- 4. Example: loading a Qualcomm platform dump
- 5. crash start-up command
- 6. crash internal commands
- 6.1 help - help
- 6.x alias - create a command alias
- 6.x ascii - convert hexadecimal to a string
- 6.x bpf - filtering related (not analysed yet)
- 6.x bt - print the stack backtrace
- 6.x.1 -a - show the backtrace of the task currently running on every CPU
- 6.x.1 -c cpu(s) - select which CPU(s) to show backtraces for
- 6.x.1 -g - show the stacks of a process and every thread in its thread group
- 6.x.1 -r - show the raw stack data
- 6.x.1 -t - show every text symbol found between sp and the top of the stack; useful when the backtrace fails
- 6.x.1 -T - show every text symbol found in the task's whole stack; useful when the backtrace fails
- 6.x.1 -l - show file name and line number alongside each frame
- 6.x.1 -e - search the task's stack for possible kernel-mode and user-mode exception frames
- 6.x.1 -E - search the IRQ and exception stacks for possible exception frames
- 6.x.1 -f - show all data in each stack frame; useful for recovering the arguments passed to a function
- 6.x.1 -F[F] - same as -f, but resolves recognisable values to symbols
- 6.x.1 -o
- 6.x.1 -O
- 6.x.1 -v - check for stack overflow
- 6.x.1 -p - show only the task that panicked
- 6.x.1 -R ref
- 6.x.1 -s [-x | d] - show addresses as symbol+offset (-x hexadecimal, -d decimal offsets)
- 6.x.1 -I ip - specify the instruction address
- 6.x.1 -S sp - specify the stack pointer
- 6.x.1 pid | task - which task's stack to show
- 6.x btop/ptob - convert between addresses and page frame numbers
- 6.x dev - list the devices present and show their ops
- 6.x dis - disassemble
- 6.x eval - evaluate an expression
- 6.x extend - shared-library extensions (not analysed yet)
- 6.x files - show which files are open on the system
- 6.x foreach - repeat a command for the specified tasks
- 6.x fuser - show which tasks are using a given file
- 6.x gdb - run a gdb command
- 6.x ipcs - (not analysed yet)
- 6.x irq - show interrupt information
- 6.x kmem - show memory usage (not analysed yet)
- 6.x list - walk a linked list (unfinished)
- 6.x log - show log_buf, i.e. the dmesg output
- 6.x mach - show basic machine information
- 6.x mod - show module information (unfinished)
- 6.x mount - show the mounted file systems (unfinished)
- 6.x net - show network information
- 6.x p - print the value of an expression
- 6.x ps - show task status
- 6.x pte
- 6.x ptov - translate a physical address to a virtual address
- 6.x vtop - translate a virtual address to a physical address
- 6.x rd - read memory
- 6.x wr - write memory
- 6.x repeat - run a command repeatedly
- 6.x runq - show the run queues
- 6.x search - search a memory range for a given value
- 6.x set - set or show the crash context, or set internal crash parameters
- 6.x sig - show the signals of a task
- 6.x struct/union - show a struct/union definition
- 6.x swap - show swap device information (not analysed yet)
- 6.x sym - look up the value of a symbol
- 6.x sys - show system information
- 6.x task - show the task_struct and thread_info of a task
- 6.x timer - show software timers
- 6.x tree - walk an rb-tree or radix tree (not analysed yet)
- 6.x vm - show a task's virtual memory (not analysed yet)
- 6.x waitq - show the tasks on a wait queue
- 6.x whatis - show the definition of a struct, union, etc.
The crash utility can analyse a running kernel or a kernel crash dump, that is, the dump the kernel writes when it hits a fatal exception, as opposed to the core dump an application produces when it crashes. It supports dumps produced by netdump, diskdump, LKCD, kdump, xen-dump and kvmdump. It combines the SVR4 UNIX crash command with the GDB debugger and therefore offers source-level debugging: it can show kernel call stacks, disassemble kernel code, print kernel data structures and variables in a formatted way, and so on. GDB commands can also be passed through crash for execution.
crash is backward compatible: when a new kernel version forces an update of crash, the updated crash still handles dumps from earlier kernel versions.
1. Building and installing the tool
Reference:
http://www.tjtech.me/how-to-build-redhat-crash-for-arm-under-x86_64-ubuntu.html
The post is copied below for later reference. Note that it builds with make target=ARM, which produces a 32-bit ARM analyser; the arm64 dumps used later in this article need a build made with make target=ARM64 instead, the other steps being the same.
How to build Red Hat Crash for ARM under x86_64 Ubuntu
Now, our building environments for Android are almost all x86_64 Ubuntu, but we still have low-end products based on armv7 kernels. To analyze ramdumps from armv7, let's build it on Ubuntu 18.04 (should be the same for others).
Step0: install essential build tools
sudo apt-get install build-essential
Step1: download crash source code
git clone https://github.com/crash-utility/crash.git
Step2: make for ARM
make target=ARM
note that:
- it's not cross compiling, we will use the crash tool in the current environment (x86_64).
- we will get gdb-7.6.tar.gz after this step
Step3: install related libraries
- install termcap library
  met below error:
  configure: error: no termcap library found
  download termcap-1.3.1.tar.gz from https://ftp.gnu.org/gnu/termcap/
  ./configure
  make
  make install
- install gcc-multilib
  met below errors:
  /usr/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-linux-gnu/7/libgcc.a when searching for -lgcc
  /usr/bin/ld: cannot find -lgcc
  /usr/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-linux-gnu/7/libgcc_s.so.1 when searching for libgcc_s.so.1
  /usr/bin/ld: cannot find libgcc_s.so.1
  sudo apt-get install gcc-multilib
- install lib32ncurses5-dev
  met below error:
  /usr/bin/ld: cannot find libncurses.so.5
  execute the following command
  sudo apt-get install lib32ncurses5-dev
- install lib32z1-dev
  met below errors:
  /usr/bin/ld: skipping incompatible //usr/lib/x86_64-linux-gnu/libz.so when searching for -lz
  /usr/bin/ld: skipping incompatible //usr/lib/x86_64-linux-gnu/libz.a when searching for -lz
  /usr/bin/ld: cannot find -lz
  execute the following command
  sudo apt-get install lib32z1-dev
Step4: check crash
tj@tj-X230:~/tools/crash$ ./crash --version
crash 7.2.8++
Copyright (C) 2002-2020  Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010  IBM Corporation
Copyright (C) 1999-2006  Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012  Fujitsu Limited
Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011  NEC Corporation
Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.

GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=arm-elf-linux".
We can see: This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=arm-elf-linux".
The --host is the platform the crash tool is used on.
2. Memory dump mechanisms
The Linux kernel is a body of functionality that is not tied to any particular process, and its code cannot easily be executed and stepped through in a debugger. Its developers took the position that a kernel that has hit an error should not keep running, so the usual response to a kernel error is a system crash followed by a reboot. Because of the electrical characteristics of dynamic RAM, the reboot destroys the machine state at the moment of the error, which makes kernel bugs very hard to track down.
The kernel community and several companies have developed debugging techniques and tools to make this easier. One approach is single-step tracing: a code debugger steps through the executing code while the values of variables and registers are inspected to find the cause of the error. Debuggers of this kind include gdb, kdb and kgdb. The other approach is to save the contents of memory when the system crashes, for analysis afterwards. In most situations single-step tracing is sufficient, but it has its limits, for example when:
- the error occurred on a customer's machine;
- the error occurred on a critical production machine;
- the error is hard to reproduce.
Single-step tracing cannot help in these situations. For them it is essential to dump memory when the kernel crashes and analyse it afterwards; that is what a kernel memory dump mechanism provides.
Because of Linux's openness there are several memory dump mechanisms; each is introduced briefly below.
2.1 LKCD
LKCD (Linux Kernel Crash Dump) was the first kernel crash dump project for Linux, originally developed and maintained by SGI engineers. It provides a reliable way to detect, save and examine system crashes. LKCD was a patch against the Linux kernel and was never accepted into mainline; the project has since stopped development entirely.
2.2 Diskdump
Diskdump is another kernel crash dump patch, written by Takao Indoh in 2004. Compared with LKCD it is simpler. When the system crashes, Diskdump takes complete control of the system: to avoid interference it first disables all interrupts and, on SMP systems, stops the other CPUs. It then verifies its own code and, if the code differs from what it was at initialisation, assumes it has been corrupted and refuses to continue. Only then does it choose a location in which to store the dump. As a kernel patch, Diskdump was also never merged into mainline, and among distributions only Red Hat supported it.
2.3 Netdump
Red Hat shipped its own first kernel crash dump mechanism, Netdump, with Advanced Server 2.1. Unlike LKCD and Diskdump, which write the dump to a local disk, Netdump sends it over the network to a remote machine when the system crashes. Red Hat's view was that the network approach is simpler than writing to disk, because the network card can be driven in polling mode, without interrupts, while the system is going down, and that it makes dump files easier to manage. Like Diskdump, Netdump was never merged into mainline and is only supported by Red Hat's distributions.
2.4 Kdump
Kdump is a memory dump mechanism based on kexec. It has been accepted into the mainline kernel and is therefore supported by the vast majority of Linux distributions. Unlike the traditional mechanisms, a Kdump-based system needs two kernels: the system kernel, which runs during normal operation, and the capture kernel, which is booted to write the dump when the system kernel crashes.
2.5 MKdump
MKdump (mini kernel dump) is another kernel memory dump tool, developed by NTT Data and VA Linux. Like Kdump it is based on kexec and works with two kernels: the system kernel and a mini kernel that performs the dump. Compared with Kdump its characteristics are:
- it saves memory to disk;
- it can convert the dump image into the format lcrash supports;
- when booted through kexec, the mini kernel overwrites the first kernel.
3. Memory dump analysis tools
Just as there are many dump mechanisms, Linux has many dump analysis tools; each is introduced briefly below.
3.1 Lcrash
Lcrash is the memory dump analysis tool released together with LKCD. When LKCD development stopped, so did lcrash; its code has since been merged into the Crash tool.
3.2 Alicia
Alicia (Advanced Linux Crash-dump Interactive Analyzer) is a dump analysis tool built on top of lcrash and Crash. It wraps the low-level lcrash and Crash commands in Perl and presents a friendlier interactive interface. Alicia's development has also stalled.
3.3 Crash
Crash is a memory dump analysis tool developed and maintained by Dave Anderson. The overview this section draws on cites 5.0.0 as the latest release; the builds shown elsewhere on this page are 7.2.8 and 7.3.0, and the project has kept moving since. As there is no single standard dump file format, Crash supports a large number of them, including:
- a live Linux system
- normal and compressed dump files produced by kdump
- compressed dump files produced by the makedumpfile command
- dump files produced by Netdump
- dump files produced by Diskdump
- Xen dump files produced by Kdump
- IBM s390/s390x dump files
- dump files produced by LKCD
- dump files produced by Mcore
4. Example: loading a Qualcomm platform dump
4.1 Obtaining the KASLR offset
KASLR (kernel address space layout randomization) is an important kernel hardening feature. At every boot the kernel is loaded at an address that differs from the link address recorded in vmlinux by a random offset, so an exploit cannot rely on kernel code or data being at fixed addresses. The consequence for dump analysis is that the symbol addresses in vmlinux are only correct once that per-boot offset is added, so for every dump the KASLR offset has to be recovered and passed to crash with --kaslr.
There are two ways to get the value:
Method 1: run the command below and look at the line containing "4ead dead", the magic word 0xdead4ead that marks the value. The words that follow it on that line, 0000 c460 001a 0000, are the KASLR offset. hexdump prints 16-bit little-endian words, so they are read from last to first and concatenated, giving 0x0000001ac4600000.
[hupu@HUC /mnt/hgfs]$ hexdump OCIMEM.BIN | grep dead
0012800 beef dead 0000 0000 0000 0000 0000 0000
0037120 ff5f 1991 c766 ae0f f0f7 ff05 bc72 dead
003f6d0 4ead dead
003fb10 0000 0000 d00d dead 0232 95e0 6ec7 54ad
Method 2: read the 8 bytes immediately after the magic as 32-bit words; concatenating them (high word first) also gives 0x0000001ac4600000.
[hupu@HUC /mnt/hgfs]$ hexdump -e '16/4 "%08x " "\n"' -s 0x03f6d4 -n 8 OCIMEM.BIN
c4600000 0000001a
How is the address of the KASLR value known? It can be read from the ramparser tool Qualcomm provides, and it differs between platforms. For example:
self.imem_start = 0x14680000
self.kaslr_addr = 0x146bf6d0
self.imem_file_name = 'OCIMEM.BIN'
0x146bf6d0 - 0x14680000 = 0x03f6d0, so dumping OCIMEM.BIN at that file offset shows the KASLR value.
4.2 Determining the load addresses of the ramdump files
What is DDRCS0_0.BIN? As the name suggests, it is the content of DDR. Qualcomm's QPST tool collects memory after a phone crashes, and the files it produces are named this way: DDRCS0_0.BIN, DDRCS0_1.BIN, DDRCS1_0.BIN, DDRCS1_1.BIN and so on. crash takes such dump files in the form MEMORY-IMAGE@[ADDRESS]; the addresses are fixed for a given Qualcomm platform and are documented by Qualcomm for that platform.
The files listed above are the raw memory contents at the time of the ramdump:
[hupu@HUC /mnt/hgfs]$ ls DDRCS*
DDRCS0_0.BIN  DDRCS0_1.BIN  DDRCS1_0.BIN  DDRCS1_1.BIN
Their load addresses, however, are not recorded in the files themselves; they come from dump_info.txt, whose first hexadecimal column gives the physical base address of each file:
[hupu@HUC /mnt/hgfs]$ grep DDRCS dump_info.txt -nr
48: 1 0x0000000080000000 0000002147483648 DDR CS0 part0 Memo DDRCS0_0.BIN
49: 1 0x0000000100000000 0000002147483648 DDR CS0 part1 Memo DDRCS0_1.BIN
50: 1 0x0000000180000000 0000002147483648 DDR CS1 part0 Memo DDRCS1_0.BIN
51: 1 0x0000000200000000 0000002147483648 DDR CS1 part1 Memo DDRCS1_1.BIN
4.3 Assembling the command
The resulting command is shown below; loading takes about three minutes. Because these are raw RAM images without headers, crash synthesises temporary ELF information for them under /var/tmp at start-up; adding -o filename (see the option list in section 5.2) saves that as a stand-alone ELF vmcore so later sessions can open it directly.
crash_arm64 vmlinux DDRCS0_0.BIN@0x0000000080000000,DDRCS0_1.BIN@0x0000000100000000,DDRCS1_0.BIN@0x0000000180000000,DDRCS1_1.BIN@0x0000000200000000 --kaslr=0x0000001ac4600000
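The three steps above (locate the KASLR offset in OCIMEM.BIN, read each segment's physical base out of dump_info.txt, and assemble the crash_arm64 command line) can be scripted. The script below is an added example written for this page; it is neither the page's own code nor Qualcomm's ramparser. It assumes the layout the page describes (IMEM base 0x14680000, magic word 0xdead4ead at 0x146bf6d0, 8-byte little-endian offset immediately after the magic), and the OCIMEM.BIN bytes and dump_info.txt lines it operates on are constructed inline rather than taken from a real dump.

```python
import struct

# Platform layout, taken from the ramparser snippet quoted on the page.
# Both values are platform specific; check them against your platform's ramparser.
IMEM_START = 0x14680000      # physical base of the IMEM region held in OCIMEM.BIN
KASLR_ADDR = 0x146bf6d0      # physical address of the KASLR magic word
KASLR_MAGIC = 0xDEAD4EAD     # appears as "4ead dead" in hexdump's 16-bit view


def kaslr_offset_from_ocimem(ocimem: bytes) -> int:
    """Return the KASLR offset stored right after the magic word.

    Refuses to guess if the magic is absent or the offset is zero: passing a
    wrong --kaslr makes crash resolve every symbol to the wrong address
    without complaining, so failing here is cheaper than a bogus analysis.
    """
    off = KASLR_ADDR - IMEM_START                          # 0x3f6d0 on this platform
    if off + 12 > len(ocimem):
        raise ValueError("OCIMEM.BIN is shorter than the expected layout")
    (magic,) = struct.unpack_from("<I", ocimem, off)
    if magic != KASLR_MAGIC:
        raise ValueError(f"no KASLR magic at 0x{off:x} (read 0x{magic:08x})")
    (value,) = struct.unpack_from("<Q", ocimem, off + 4)   # little-endian u64
    if value == 0:
        raise ValueError("KASLR offset is zero; was KASLR disabled for this boot?")
    return value


def find_kaslr_magic(ocimem: bytes) -> list:
    """Fallback for an unknown platform: every file offset where the magic appears."""
    needle = struct.pack("<I", KASLR_MAGIC)
    hits, i = [], ocimem.find(needle)
    while i != -1:
        hits.append(i)
        i = ocimem.find(needle, i + 1)
    return hits


def parse_dump_info(text: str) -> list:
    """Return (file name, physical base, size in bytes) for every DDRCS*.BIN line.

    Accepts both the raw dump_info.txt and `grep -n` output (a leading "48:" is dropped).
    """
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[-1].startswith("DDRCS"):
            continue
        if fields[0].endswith(":"):                # grep -n line-number prefix
            fields = fields[1:]
        segments.append((fields[-1], int(fields[1], 16), int(fields[2])))
    return segments


def check_contiguous(segments) -> list:
    """Describe any gap or overlap between consecutive segments.

    crash needs each image's true physical base; a wrong base silently shifts
    every address read from that image.
    """
    problems = []
    for (name_a, base_a, size_a), (name_b, base_b, _) in zip(segments, segments[1:]):
        expected = base_a + size_a
        if base_b != expected:
            problems.append(f"{name_a} ends at 0x{expected:x} but {name_b} starts at 0x{base_b:x}")
    return problems


def crash_command(vmlinux: str, segments, kaslr: int, save_vmcore: str = None) -> str:
    """Assemble the crash_arm64 invocation in MEMORY-IMAGE@ADDRESS form."""
    images = ",".join(f"{name}@0x{base:016x}" for name, base, _ in segments)
    cmd = f"crash_arm64 {vmlinux} {images} --kaslr=0x{kaslr:016x}"
    if save_vmcore:                                # -o writes a reusable ELF vmcore
        cmd += f" -o {save_vmcore}"
    return cmd


# --- constructed sample inputs (not from a real device) ----------------------
_buf = bytearray(0x40000)
struct.pack_into("<IQ", _buf, KASLR_ADDR - IMEM_START, KASLR_MAGIC, 0x0000001AC4600000)
SAMPLE_OCIMEM = bytes(_buf)

SAMPLE_DUMP_INFO = """\
48: 1 0x0000000080000000 0000002147483648 DDR CS0 part0 Memo DDRCS0_0.BIN
49: 1 0x0000000100000000 0000002147483648 DDR CS0 part1 Memo DDRCS0_1.BIN
50: 1 0x0000000180000000 0000002147483648 DDR CS1 part0 Memo DDRCS1_0.BIN
51: 1 0x0000000200000000 0000002147483648 DDR CS1 part1 Memo DDRCS1_1.BIN
"""

if __name__ == "__main__":
    segs = parse_dump_info(SAMPLE_DUMP_INFO)
    for problem in check_contiguous(segs):
        print("warning:", problem)
    print(crash_command("vmlinux", segs, kaslr_offset_from_ocimem(SAMPLE_OCIMEM)))
```

Run against real files, replace the two sample inputs with `open("OCIMEM.BIN", "rb").read()` and the contents of dump_info.txt; if `kaslr_offset_from_ocimem` raises because the magic is not at the expected offset, `find_kaslr_magic` lists every candidate location so the platform constants can be corrected before anything is passed to crash.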
5. crash start-up command
5.1 Command format
The crash command line takes one of two forms:
crash [OPTION]... NAMELIST MEMORY-IMAGE[@ADDRESS]    (analyse a dump file)
crash [OPTION]... [NAMELIST]                          (analyse the running system)
NAMELIST: the path to the uncompressed kernel image (vmlinux). When analysing a dump file, a gzip- or bzip2-compressed vmlinux may be used as well.
MEMORY-IMAGE[@ADDRESS]: the path to a crash dump file produced by netdump, diskdump, LKCD, kdump, xen-dump or kvmdump. If this argument is omitted, crash analyses the running kernel, which requires access to system RAM and therefore normally root privileges. On a live system /dev/crash is used by default; if it does not exist, /dev/mem is used, unless the kernel is built with CONFIG_STRICT_DEVMEM, in which case /proc/kcore is used. /dev/crash, /dev/mem or /proc/kcore can also be named explicitly. Note that on a kernel booted with lockdown in confidentiality mode, /proc/kcore is refused as well.
When NAMELIST is omitted on a live system, crash searches a few default directories for one; if the file it finds does not match the running kernel, it reports an error such as: crash: invalid kernel virtual address:
If the dump file has no header describing its contents, i.e. it is a raw RAM dump, the physical start address of each block must be given in hexadecimal as @ADDRESS; crash then creates temporary ELF information under /var/tmp. In this form several dump files can be passed as MEMORY-IMAGE@ADDRESS entries separated by commas.
So analysing a kernel dump always needs both NAMELIST and MEMORY-IMAGE. Analysing the running system needs NAMELIST only if the vmlinux is not in a standard location (such as /boot).
5.2 Options
| Option | Description |
|---|---|
| mapfile | When analysing a live kernel whose NAMELIST does not match the running kernel, or a dump whose NAMELIST does not match the kernel that produced it, the original kernel's System.map must be given on the command line |
| -h [option] / --help [option] | Without an option, show crash's own help; if option is the name of a crash command, show that command's help. option may also be "input", "output" or "all" |
| -s | Silent: go straight to the "crash>" prompt without printing version or initialisation messages |
| -i file | Execute the commands in file before showing the "crash>" prompt |
| -d num | Set the debug level; higher values make crash print more during initialisation and operation |
| -S | Use /boot/System.map as the mapfile |
| -t | Print the timestamp of the system crash and exit |
| -c tty-device | Use tty-device as the console for debug messages |
| -p page-size | Specify the processor page size when it cannot be determined from the dump file and the processor default is not right |
| -o filename | With a raw RAM dump in MEMORY-IMAGE@ADDRESS form, create a stand-alone ELF vmcore with this name for later use |
| -x | Automatically load extension modules from a given directory; the CRASH_EXTENSIONS environment variable names the directory |
| --active | Track only the task currently active on each CPU |
| --buildinfo | Show crash's build information |
| --memory_module modname | Use modname instead of crash.ko as the kernel module that creates the /dev/crash device |
| --memory_device device | Use device instead of /dev/crash, /dev/mem or /proc/kcore |
| --smp | Specify that the system being analysed runs an SMP kernel |
| -v | Show crash's version information |
| --cpus number | Specify the number of CPUs in the SMP system |
| --more / --less | Select the output pager |
| --hex / --dec | Select the default radix for command output |
6. crash internal commands
6.1 help - help
crash_arm64> help

*              extend         log            rd             task
alias          files          mach           repeat         timer
ascii          foreach        mod            runq           tree
bpf            fuser          mount          search         union
bt             gdb            net            set            vm
btop           help           p              sig            vtop
dev            ipcs           ps             struct         waitq
dis            irq            pte            swap           whatis
eval           kmem           ptob           sym            wr
exit           list           ptov           sys            q

crash_arm64 version: 7.3.0    gdb version: 7.6
For help on any command above, enter "help <command>".
For help on input options, enter "help input".
For help on output options, enter "help output".
help also takes arguments of its own:
crash_arm64> help help

NAME
  help - get help

SYNOPSIS
  help [command | all] [-<option>]

DESCRIPTION
  When entered with no argument, a list of all currently available
  crash_arm64 commands is listed.  If a name of a crash_arm64 command is
  entered, a man-like page for the command is displayed.  If "all" is
  entered, help pages for all commands will be displayed.  If neither of
  the above is entered, the argument string will be passed on to the gdb
  help command.

  A number of internal debug, statistical, and other dumpfile related
  data is available with the following options:

    -a - alias data
    -b - shared buffer data
    -B - build data
    -c - numargs cache
    -d - device table
    -D - dumpfile contents/statistics
    -e - extension table data
    -f - filesys table
    -g - gdb data
    -h - hash_table data
    -H - hash_table data (verbose)
    -k - kernel_table
    -K - kernel_table (verbose)
    -L - LKCD page cache environment
    -M <num> machine specific
    -m - machdep_table
    -N - net_table
    -n - dumpfile contents/statistics
    -o - offset_table and size_table
    -p - program_context
    -r - dump registers from dumpfile header
    -s - symbol table data
    -t - task_table
    -T - task_table plus context_array
    -v - vm_table
    -V - vm_table (verbose)
    -x - text cache
    -z - help options
6.x alias - create a command alias
Help text:
alias [alias] [command string]
Examples:
# list all aliases defined in the session
crash_arm64> alias
ORIGIN   ALIAS    COMMAND
builtin  man      help
builtin  ?        help
builtin  quit     q
builtin  sf       set scroll off
builtin  sn       set scroll on
builtin  hex      set radix 16
builtin  dec      set radix 10
builtin  g        gdb
builtin  px       p -x
builtin  pd       p -d
builtin  for      foreach
builtin  size     *
builtin  dmesg    log
builtin  lsmod    mod
builtin  last     ps -l

# create an alias
crash_arm64> alias kp kmem -p
ORIGIN   ALIAS    COMMAND
runtime  kp       kmem -p

# an alias whose command contains a pipe must be quoted
crash_arm64> alias ksd "kmem -p | grep slab | grep DMA"
ORIGIN   ALIAS    COMMAND
runtime  ksd      kmem -p | grep slab | grep DMA

# remove an alias
crash_arm64> alias kp ""
alias deleted: kp
6.x ascii - convert hexadecimal to a string
A simple but very useful command. It interprets the value as a little-endian integer, so the bytes come out in reverse of the order they are written: 0x62696c2f7273752f is the byte sequence 2f 75 73 72 2f 6c 69 62 in memory, i.e. "/usr/lib". This is the same form in which rd prints 64-bit words, so rd output can be pasted straight into ascii.
# convert raw hexadecimal data to a string
crash_arm64> ascii 62696c2f7273752f
62696c2f7273752f: /usr/lib

# show the ASCII table
crash_arm64> ascii

      0    1   2   3   4   5   6   7
    +-------------------------------
  0 | NUL DLE  SP  0   @   P   `   p
  1 | SOH DC1  !   1   A   Q   a   q
  2 | STX DC2  "   2   B   R   b   r
  3 | ETX DC3  #   3   C   S   c   s
  4 | EOT DC4  $   4   D   T   d   t
  5 | ENQ NAK  %   5   E   U   e   u
  6 | ACK SYN  &   6   F   V   f   v
  7 | BEL ETB  '   7   G   W   g   w
  8 | BS  CAN  (   8   H   X   h   x
  9 | HT  EM   )   9   I   Y   i   y
  A | LF  SUB  *   :   J   Z   j   z
  B | VT  ESC  +   ;   K   [   k   {
  C | FF  FS   ,   <   L   \   l   |
  D | CR  GS   -   =   M   ]   m   }
  E | SO  RS   .   >   N   ^   n   ~
  F | SI  US   /   ?   O   _   o   DEL
6.x bpf - filtering related (not analysed yet)
Help text:
Appendix: official help documentation
6.x bt - print the stack backtrace
Shows the call stack of a task. The -a option shows the backtraces on every CPU, foreach bt shows the backtraces of every task, and bt -T lists every text symbol found in a task's stack (see below).
Help text:
bt [-a|-c cpu(s)|-g|-r|-t|-T|-l|-e|-E|-f|-F|-o|-O|-v|-p] [-R ref] [-s [-x|d]] [-I ip] [-S sp] [pid | task]
6.x.1 -a - show the backtrace of the task currently running on every CPU
Example. Note that in this particular dump crash cannot find a starting stack frame for any CPU; the -t and -T options described further down are the way to still get something out of such stacks.
crash_arm64> bt -a
PID: 0      TASK: ffffff9acf4ee280  CPU: 0   COMMAND: "swapper/0"
bt: WARNING: cannot determine starting stack frame for task ffffff9acf4ee280

PID: 278    TASK: ffffffdd57625ec0  CPU: 1   COMMAND: "kworker/u16:6"
bt: WARNING: cannot determine starting stack frame for task ffffffdd57625ec0

PID: 0      TASK: ffffffdc3fdf3f40  CPU: 2   COMMAND: "swapper/2"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fdf3f40

PID: 0      TASK: ffffffdc3fdf0040  CPU: 3   COMMAND: "swapper/3"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fdf0040

PID: 0      TASK: ffffffdc3fe6dec0  CPU: 4   COMMAND: "swapper/4"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fe6dec0

PID: 0      TASK: ffffffdc3fe69fc0  CPU: 5   COMMAND: "swapper/5"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fe69fc0

PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
bt: WARNING: cannot determine starting stack frame for task ffffffdda4de3f40

PID: 0      TASK: ffffffdc3fe68040  CPU: 7   COMMAND: "swapper/7"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fe68040
6.x.1 -c cpu(s) - select which CPU(s) to show backtraces for
Accepted formats, from the help text:
display the stack trace of the active task on one or more CPUs, which can be specified using the format "3", "1,8,9", "1-23", or "1,8,9-14". (only applicable to crash dumps)
crash_arm64> bt -c 1
PID: 278    TASK: ffffffdd57625ec0  CPU: 1   COMMAND: "kworker/u16:6"
bt: WARNING: cannot determine starting stack frame for task ffffffdd57625ec0
crash_arm64> bt -c 1,3-5
PID: 278    TASK: ffffffdd57625ec0  CPU: 1   COMMAND: "kworker/u16:6"
bt: WARNING: cannot determine starting stack frame for task ffffffdd57625ec0

PID: 0      TASK: ffffffdc3fdf0040  CPU: 3   COMMAND: "swapper/3"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fdf0040

PID: 0      TASK: ffffffdc3fe6dec0  CPU: 4   COMMAND: "swapper/4"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fe6dec0

PID: 0      TASK: ffffffdc3fe69fc0  CPU: 5   COMMAND: "swapper/5"
bt: WARNING: cannot determine starting stack frame for task ffffffdc3fe69fc0
crash_arm64>
6.x.1 -g - show the stacks of a process and every thread in its thread group
From the help text: displays the stack traces of all threads in the thread group of the target task; the thread group leader will be displayed first.
# show the stacks of every thread of the current task's process; the group leader comes first
crash_arm64> bt -g
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000

PID: 1316   TASK: ffffff809e2953c0  CPU: 0   COMMAND: "Binder:1235_1"
 #0 [ffffffc01658b9e0] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc01658ba40] __schedule at ffffffe4fc97a260
 #2 [ffffffc01658baa0] schedule at ffffffe4fc97a598
 #3 [ffffffc01658bbd0] binder_thread_read at ffffffe4fc3a62ec
 #4 [ffffffc01658bc70] binder_ioctl_write_read at ffffffe4fc3a2ff4
 #5 [ffffffc01658bd00] binder_ioctl$f42ae93cc7b62da6c06eb3ca54df1c12 at ffffffe4fc39e6e4
 #6 [ffffffc01658bda0] do_vfs_ioctl at ffffffe4fb940ba8
 #7 [ffffffc01658bde0] __arm64_sys_ioctl at ffffffe4fb9417e8
 #8 [ffffffc01658be20] oplus_invoke_syscall at ffffffe4fb6d0500
 #9 [ffffffc01658be70] el0_svc_common at ffffffe4fb6c2ec4
#10 [ffffffc01658beb0] el0_svc_handler at ffffffe4fb6c2e04
#11 [ffffffc01658bff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109cf4e8   LR: 000000761098bdbc   SP: 0000007612ec6900
    X29: 0000007612ec69e0  X28: 0000007612dce000  X27: 00000000000fc000
    X26: 0000007612ec6ff8  X25: 0000000000000000  X24: 0000007612ec7000
    X23: 0000000000000100  X22: 00000000fffffff7  X21: b40000758ec0d120
    X20: b40000758ec0d000  X19: 0000007612ec7000  X18: 000000758f7a0000
    X17: 000000761098bd1c  X16: 00000076117ad538  X15: 0000000034155555
    X14: 00000076109f19e2  X13: 0000000000000000  X12: ffffff80ffffffd0
    X11: 0000007612ec6980  X10: 0000007612ec69b0   X9: 0000007612ec69b0
     X8: 000000000000001d   X7: 0000000000000000   X6: 0000000000000000
     X5: 0000000000000000   X4: 0000000000000000   X3: 0000000000000000
     X2: 0000007612ec6a00   X1: 00000000c0306201   X0: 0000000000000005
    ORIG_X0: 0000000000000005  SYSCALLNO: 1d  PSTATE: 80001000

# a specific process can be given as well
crash_arm64> bt -g 4460
PID: 4460   TASK: ffffff82d376d3c0  CPU: 5   COMMAND: "ndroid.launcher"
 #0 [ffffffc029723b90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc029723bf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc029723c50] schedule at ffffffe4fc97a598
 #3 [ffffffc029723cd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc029723d70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc029723dd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc029723e10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc029723e20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc029723e70] el0_svc_common at ffffffe4fb6c2eac
 #9 [ffffffc029723eb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc029723ff0] el0_svc at ffffffe4fb484e84
     PC: 000000709190f4a8   LR: 000000709032cad0   SP: 0000007ff83df7d0
    X29: 0000007ff83df920  X28: 000000006fdc3ed8  X27: 000000006fdcd218
    X26: b40000700f020240  X25: 00000070957e4000  X24: 000000007fffffff
    X23: b40000700f0890c0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b40000700f089168  X19: b40000700f0890c0  X18: 000000709596a000
    X17: 00000070918d176c  X16: 000000709032fdb0  X15: 0000000034155555
    X14: 003b315da2864000  X13: 000000015f34ccce  X12: 000000700f00d888
    X11: b400000000000000  X10: 0000000000000026   X9: e06b960998e9cab4
     X8: 0000000000000016   X7: 0000000000000000   X6: 0000000000000001
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007ff83df810   X0: 000000000000003f
    ORIG_X0: 000000000000003f  SYSCALLNO: 16  PSTATE: 60001000

PID: 4490   TASK: ffffff82d2193240  CPU: 1   COMMAND: "Signal Catcher"
 #0 [ffffffc029b43bd0] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc029b43c30] __schedule at ffffffe4fc97a260
 #2 [ffffffc029b43c90] schedule at ffffffe4fc97a598
 #3 [ffffffc029b43d10] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc029b43d60] do_sigtimedwait at ffffffe4fb6f7354
 #5 [ffffffc029b43e00] __arm64_sys_rt_sigtimedwait at ffffffe4fb6f48d8
 #6 [ffffffc029b43e20] oplus_invoke_syscall at ffffffe4fb6d0500
 #7 [ffffffc029b43e70] el0_svc_common at ffffffe4fb6c2eac
 #8 [ffffffc029b43eb0] el0_svc_handler at ffffffe4fb6c2e04
 #9 [ffffffc029b43ff0] el0_svc at ffffffe4fb484e84
     PC: 000000709190eee8   LR: 00000070918cfdd4   SP: 0000006fff465b10
    X29: 0000006fff465b20  X28: 0000006fff466000  X27: 000000700d3b0000
    X26: 0000006fff466000  X25: 0000006fff465cc0  X24: 0000006fff465cc0
    X23: 000000700cdb6207  X22: 0000000080000204  X21: 0000006fff466000
    X20: b400006ffcc37800  X19: 0000006fff465b6c  X18: 0000006ff9936000
    X17: 00000070918cfd8c  X16: 000000700d3aa310  X15: 0000000000000000
    X14: 000000700ce374fc  X13: 000000700ce3749c  X12: 0000000000000001
6.x.1 -r - show the raw stack data
Dumps the task's stack as raw 64-bit words, lowest address first. The first word of the stack here, 0x57ac6e9d, is STACK_END_MAGIC, the canary the kernel writes at the far end of every task stack; bt -v checks whether it is still intact when looking for stack overflows.
crash_arm64> bt -r
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
ffffffc0164d8000: 0000000057ac6e9d 0000000000000000
ffffffc0164d8010: 0000000000000000 0000000000000000
ffffffc0164d8020: 0000000000000000 0000000000000000
ffffffc0164d8030: 0000000000000000 0000000000000000
ffffffc0164d8040: 0000000000000000 0000000000000000
ffffffc0164d8050: 0000000000000000 0000000000000000
ffffffc0164d8060: 0000000000000000 0000000000000000
ffffffc0164d8070: 0000000000000000 0000000000000000
ffffffc0164d8080: 0000000000000000 0000000000000000
ffffffc0164d8090: 0000000000000000 0000000000000000
ffffffc0164d80a0: 0000000000000000 0000000000000000
ffffffc0164d80b0: 0000000000000000 0000000000000000
ffffffc0164d80c0: 0000000000000000 0000000000000000
ffffffc0164d80d0: 0000000000000000 0000000000000000
ffffffc0164d80e0: 0000000000000000 0000000000000000
ffffffc0164d80f0: 0000000000000000 0000000000000000
ffffffc0164d8100: 0000000000000000 0000000000000000
6.x.1 -t - show every text symbol found between sp and the top of the stack; useful when the backtrace fails
Scope: the current task, from its last known stack position (sp) to the top of the stack.
From the help text: display all text symbols found from the last known stack location to the top of the stack. (helpful if the back trace fails)
Note: the -t output is a subset of the -T output. Neither option performs a real unwind: every stack word that happens to fall inside kernel text is printed, including saved return addresses from calls that returned long ago, so the list has to be read together with the stack addresses in the left column and, where a plain bt works, cross-checked against it. In the example below the frames #0 to #10 of the plain bt all reappear in the -t output, each 8 bytes above the frame address bt reports, together with a few extra entries such as the autoremove_wake_function.cfi_jt pointer that is stack data rather than a return address.
crash_arm64> bt
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000

crash_arm64> bt -t
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
              START: __switch_to at ffffffe4fb6af5f0
  [ffffffc0164dbb78] __switch_to at ffffffe4fb6af4e8
  [ffffffc0164dbb88] __schedule at ffffffe4fc97a104
  [ffffffc0164dbb98] __schedule at ffffffe4fc97a264
  [ffffffc0164dbbf8] schedule at ffffffe4fc97a59c
  [ffffffc0164dbc58] schedule_hrtimeout_range_clock at ffffffe4fc97f2c8
  [ffffffc0164dbcd8] do_epoll_wait at ffffffe4fb98dbd0
  [ffffffc0164dbd38] autoremove_wake_function.cfi_jt at ffffffe4fc99d5c0
  [ffffffc0164dbd78] __se_sys_epoll_pwait at ffffffe4fb98b4dc
  [ffffffc0164dbda0] __arm64_sys_epoll_pwait.cfi_jt at ffffffe4fc9a9c8c
  [ffffffc0164dbdd8] __arm64_sys_epoll_pwait at ffffffe4fb98b480
  [ffffffc0164dbe18] oplus_invoke_syscall at ffffffe4fb6d0504
  [ffffffc0164dbe28] el0_svc_common at ffffffe4fb6c2ec8
  [ffffffc0164dbe78] el0_svc_handler at ffffffe4fb6c2e08
  [ffffffc0164dbeb8] el0_svc at ffffffe4fb484e88

crash_arm64> bt -T
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
  [ffffffc0164da7a8] perf_output_begin_forward at ffffffe4fb87a5c4
  [ffffffc0164da8a8] update_rq_clock_task at ffffffe4fb71a63c
  [ffffffc0164da8d8] update_rq_clock at ffffffe4fb71a580
  [ffffffc0164da8e8] update_rq_clock at ffffffe4fb71a598
  [ffffffc0164da8f8] update_blocked_averages at ffffffe4fb72c6d0
  [ffffffc0164da928] update_blocked_averages at ffffffe4fb72c6f8
  [ffffffc0164da938] update_sd_lb_stats at ffffffe4fb732400
  [ffffffc0164da958] update_sd_lb_stats at ffffffe4fb732c88
  [ffffffc0164da968] update_sd_lb_stats at ffffffe4fb732c64
  [ffffffc0164daa58] perf_event_output_forward at ffffffe4fb8695e0
  [ffffffc0164daa68] find_busiest_group at ffffffe4fb731670
  [ffffffc0164daae8] __perf_event_overflow at ffffffe4fb86b4e8
  [ffffffc0164dabb8] update_curr_rt$c8e64db50a637c5c2b38997a086ae425 at ffffffe4fb737218
  [ffffffc0164dac08] ktime_get_mono_fast_ns at ffffffe4fb799978
  [ffffffc0164dac98] vsnprintf at ffffffe4fc96e784
  [ffffffc0164dad08] complete at ffffffe4fb73ed54
  [ffffffc0164dad38] complete at ffffffe4fb73ed60
  [ffffffc0164dad48] ipc_log_write at ffffffe4fb8258b4
  [ffffffc0164dad68] ipc_log_write at ffffffe4fb8258cc
  [ffffffc0164dadd8] trace_call_bpf at ffffffe4fb813158
  [ffffffc0164dade8] trace_call_bpf at ffffffe4fb8130bc
  [ffffffc0164dadf8] perf_trace_run_bpf_submit at ffffffe4fb86b908
  [ffffffc0164dae08] __typeid__ZTSFvPvbP11task_structS1_E_global_addr at ffffffe4fc99e10c
  [ffffffc0164dae58] perf_trace_sched_switch$ee860aa0ac644f155aca91f42de065c2 at ffffffe4fb71570c
  [ffffffc0164dae68] __schedule at ffffffe4fc97a038
  [ffffffc0164dae78] __switch_to at ffffffe4fb6af390
  [ffffffc0164dae88] fpsimd_thread_switch at ffffffe4fb6ad5f8
  [ffffffc0164daec8] finish_task_switch at ffffffe4fb71e3e4
  [ffffffc0164daed8] __schedule at ffffffe4fc97a268
  [ffffffc0164daf38] schedule at ffffffe4fc97a59c
  [ffffffc0164daf48] try_to_del_timer_sync at ffffffe4fb794ed4
  [ffffffc0164daf58] try_to_del_timer_sync at ffffffe4fb795054
  [ffffffc0164daf68] list_s
... (continued in the original output; the remainder follows) ...
  [ffffffc0164daf68] list_sort_add at ffffffe4fb921720
  [ffffffc0164daf78] rmqueue_bulk at ffffffe4fb8edb74
  [ffffffc0164db2a8] perf_output_begin_forward at ffffffe4fb87a5c4
  [ffffffc0164db398] context_struct_compute_av at ffffffe4fbb56620
  [ffffffc0164db3e8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc287440
  [ffffffc0164db3f8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc2874d4
  [ffffffc0164db408] update_task_rq_cpu_cycles at ffffffe4fb741280
  [ffffffc0164db428] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484.cfi_jt at ffffffe4fc99e3b4
  [ffffffc0164db438] drop_ux_task_cpus at ffffffe4fb883f38
  [ffffffc0164db468] update_sd_lb_stats at ffffffe4fb732c88
  [ffffffc0164db478] ktime_get at ffffffe4fb79a094
  [ffffffc0164db4a8] gic_raise_softirq$d736f6d6e8dd18ba2d62d944fce32704 at ffffffe4fbc2d9b4
  [ffffffc0164db4b8] smp_send_reschedule at ffffffe4fb6c259c
  [ffffffc0164db4f8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc287440
  [ffffffc0164db508] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc2874d4
  [ffffffc0164db518] update_task_rq_cpu_cycles at ffffffe4fb741280
  [ffffffc0164db538] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484.cfi_jt at ffffffe4fc99e3b4
  [ffffffc0164db568] ttwu_do_wakeup at ffffffe4fb725480
  [ffffffc0164db578] walt_update_task_ravg at ffffffe4fb73f1c4
  [ffffffc0164db5a8] gic_raise_softirq$d736f6d6e8dd18ba2d62d944fce32704 at ffffffe4fbc2d9b4
  [ffffffc0164db5b8] arch_irq_work_raise at ffffffe4fb6c1dcc
  [ffffffc0164db600] __typeid__ZTSFvPK7cpumaskjE_global_addr at ffffffe4fc9906e4
  [ffffffc0164db618] irq_work_queue at ffffffe4fb827498
  [ffffffc0164db628] fixup_busy_time at ffffffe4fb740908
  [ffffffc0164db668] fixup_busy_time at ffffffe4fb740c44
  [ffffffc0164db678] update_load_avg at ffffffe4fb732f7c
  [ffffffc0164db6b8] sched_update_nr_prod at ffffffe4fb746ba0
  [ffffffc0164db6d8] task_fits_max at ffffffe4fb72adb0
  [ffffffc0164db6e8] sched_update_nr_prod at ffffffe4fb746d1c
  [ffffffc0164db6f8] enqueue_task_fair$b601a1dbcc3b38bc5b22cc81fa26794b at ffffffe4fb72db20
  [ffffffc0164db718] ktime_get_mono_fast_ns at ffffffe4fb799978
  [ffffffc0164db728] update_curr_rt$c8e64db50a637c5c2b38997a086ae425 at ffffffe4fb737218
  [ffffffc0164db7a8] activate_task at ffffffe4fb71b604
  [ffffffc0164db7b8] update_rq_clock at ffffffe4fb71a598
  [ffffffc0164db7e8] load_balance at ffffffe4fb72cd24
  [ffffffc0164db7f8] load_balance at ffffffe4fb72cd2c
  [ffffffc0164db878] update_curr_rt$c8e64db50a637c5c2b38997a086ae425 at ffffffe4fb737218
  [ffffffc0164db8c8] ktime_get_mono_fast_ns at ffffffe4fb799978
  [ffffffc0164db968] __slab_free at ffffffe4fb901244
  [ffffffc0164db978] __schedule at ffffffe4fc97a038
  [ffffffc0164db9c8] kfree at ffffffe4fb8fee54
  [ffffffc0164dba18] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc287440
  [ffffffc0164dba28] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc2874d4
  [ffffffc0164dba38] update_task_rq_cpu_cycles at ffffffe4fb741280
  [ffffffc0164dba98] trace_call_bpf at ffffffe4fb813158
  [ffffffc0164dbaa8] trace_call_bpf at ffffffe4fb8130bc
  [ffffffc0164dbab8] perf_trace_run_bpf_submit at ffffffe4fb86b908
  [ffffffc0164dbac8] __typeid__ZTSFvPvbP11task_structS1_E_global_addr at ffffffe4fc99e10c
  [ffffffc0164dbb18] perf_trace_sched_switch$ee860aa0ac644f155aca91f42de065c2 at ffffffe4fb71570c
  [ffffffc0164dbb28] __schedule at ffffffe4fc97a038
  [ffffffc0164dbb38] __switch_to at ffffffe4fb6af390
  [ffffffc0164dbb48] fpsimd_thread_switch at ffffffe4fb6ad5f8
  [ffffffc0164dbb78] __switch_to at ffffffe4fb6af4e8
  [ffffffc0164dbb88] __schedule at ffffffe4fc97a104
  [ffffffc0164dbb98] __schedule at ffffffe4fc97a264
  [ffffffc0164dbbf8] schedule at ffffffe4fc97a59c
  [ffffffc0164dbc58] schedule_hrtimeout_range_clock at ffffffe4fc97f2c8
  [ffffffc0164dbcd8] do_epoll_wait at ffffffe4fb98dbd0
  [ffffffc0164dbd38] autoremove_wake_function.cfi_jt at ffffffe4fc99d5c0
  [ffffffc0164dbd78] __se_sys_epoll_pwait at ffffffe4fb98b4dc
  [ffffffc0164dbda0] __arm64_sys_epoll_pwait.cfi_jt at ffffffe4fc9a9c8c
  [ffffffc0164dbdd8] __arm64_sys_epoll_pwait at ffffffe4fb98b480
  [ffffffc0164dbe18] oplus_invoke_syscall at ffffffe4fb6d0504
  [ffffffc0164dbe28] el0_svc_common at ffffffe4fb6c2ec8
  [ffffffc0164dbe78] el0_svc_handler at ffffffe4fb6c2e08
  [ffffffc0164dbeb8] el0_svc at ffffffe4fb484e88
crash_arm64>
6.x.1 -T - display all text symbols found in the task's entire stack; useful when the backtrace fails
Scope: the task's whole stack space; what -t shows is a subset of what -T shows.
display all text symbols found from just above the task_struct or thread_info to the top of the stack. (helpful if the back trace fails or the -t option starts too high in the process stack).
# A plain backtrace of the panicking task shows nothing
crash_arm64> bt -p
PID: 5758  TASK: ffffff82b41b3240  CPU: 6  COMMAND: "Binder:2238_13"
bt: WARNING: cannot determine starting stack frame for task ffffff82b41b3240

# With -T, every function reference found on this task's stack is shown
crash_arm64> bt -pT
PID: 5758  TASK: ffffff82b41b3240  CPU: 6  COMMAND: "Binder:2238_13"
bt: WARNING: cannot determine starting stack frame for task ffffff82b41b3240
  [ffffffc02d3cae18] set_ux_task_to_prefer_cpu at ffffffe4fb8848fc
  [ffffffc02d3cb4b8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc2874d4
  [ffffffc02d3cb4c8] find_energy_efficient_cpu at ffffffe4fb7298fc
  [ffffffc02d3cb508] find_energy_efficient_cpu at ffffffe4fb72993c
  [ffffffc02d3cb518] update_stats_enqueue_sleeper at ffffffe4fb733a3c
  [ffffffc02d3cb538] update_stats_enqueue_sleeper at ffffffe4fb733a50
  [ffffffc02d3cb568] update_stats_enqueue_sleeper at ffffffe4fb733a64
  [ffffffc02d3cb588] enqueue_entity at ffffffe4fb7333bc
  [ffffffc02d3cb598] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc287440
  [ffffffc02d3cb5a8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484 at ffffffe4fc2874d4
  [ffffffc02d3cb5b8] update_task_rq_cpu_cycles at ffffffe4fb741280
  [ffffffc02d3cb5c8] ohm_schedstats_record at ffffffe4fbd46ff8
  [ffffffc02d3cb5d8] qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484.cfi_jt at ffffffe4fc99e3b4
  [ffffffc02d3cb608] update_load_avg at ffffffe4fb732f60
  [ffffffc02d3cb618] update_task_pred_demand at ffffffe4fb741020
  [ffffffc02d3cb648] walt_update_task_ravg at ffffffe4fb73fd00
  [ffffffc02d3cb6b8] ktime_get at ffffffe4fb79a094
  [ffffffc02d3cb6c8] __schedule at ffffffe4fc97a2c8
  [ffffffc02d3cb718] ktime_get_mono_fast_ns at ffffffe4fb799978
  [ffffffc02d3cb7a8] _raw_spin_unlock_irqrestore at ffffffe4fc97ff60
  [ffffffc02d3cb7c8] set_user_nice at ffffffe4fb71faa8
  [ffffffc02d3cb7f8] binder_do_set_priority at ffffffe4fc3b0360
  [ffffffc02d3cb808] has_capability_noaudit at ffffffe4fb6eb2e0
  [ffffffc02d3cb838] binder_free_transaction at ffffffe4fc3ae82c
  [ffffffc02d3cb948] __schedule at ffffffe4fc97a268
  [ffffffc02d3cb968] __typeid__ZTSFvPvbP11task_structS1_E_global_addr at ffffffe4fc99e10c
  [ffffffc02d3cb980] finish_task_switch at ffffffe4fb71e3e4
  [ffffffc02d3cb990] _raw_spin_unlock_irq at ffffffe4fc97ff80
  [ffffffc02d3cb9c8] _raw_spin_unlock_irq at ffffffe4fc97ff80
  [ffffffc02d3cb9d8] finish_task_switch at ffffffe4fb71e3e4
  [ffffffc02d3cb9e8] __schedule at ffffffe4fc97a268
  [ffffffc02d3cba48] schedule at ffffffe4fc97a59c
  [ffffffc02d3cbaa8] binder_thread_read at ffffffe4fc3a62f0
  [ffffffc02d3cbab8] binder_thread_read at ffffffe4fc3a62b0
  [ffffffc02d3cbb80] autoremove_wake_function.cfi_jt at ffffffe4fc99d5c0
  [ffffffc02d3cbb98] avc_has_extended_perms at ffffffe4fbb3a5e0
  [ffffffc02d3cbbd8] binder_ioctl_write_read at ffffffe4fc3a2ff8
  [ffffffc02d3cbc78] binder_ioctl$f42ae93cc7b62da6c06eb3ca54df1c12 at ffffffe4fc39e6e8
  [ffffffc02d3cbcf0] __arm64_sys_ioctl.cfi_jt at ffffffe4fc9a9e4c
  [ffffffc02d3cbd08] do_vfs_ioctl at ffffffe4fb940bac
  [ffffffc02d3cbd50] binder_ioctl$f42ae93cc7b62da6c06eb3ca54df1c12.cfi_jt at ffffffe4fc9aa7cc
  [ffffffc02d3cbd78] security_file_ioctl at ffffffe4fbb343f0
  [ffffffc02d3cbda8] __arm64_sys_ioctl at ffffffe4fb9417ec
  [ffffffc02d3cbde8] oplus_invoke_syscall at ffffffe4fb6d0504
  [ffffffc02d3cbdf0] __arm64_sys_ioctl.cfi_jt at ffffffe4fc9a9e4c
  [ffffffc02d3cbe28] el0_svc_common at ffffffe4fb6c2eb0
  [ffffffc02d3cbe38] el0_svc_common at ffffffe4fb6c2e94
  [ffffffc02d3cbe78] el0_svc_handler at ffffffe4fb6c2e08
  [ffffffc02d3cbeb8] el0_svc at ffffffe4fb484e88
crash_arm64>
6.x.1 -l - show the source file name and line number for each frame of the backtrace
crash_arm64> bt -l
PID: 1235  TASK: ffffff809dcf53c0  CPU: 5  COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/process.c: 572
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/sched/core.c: 3652
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/sched/core.c: 4501
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/time/hrtimer.c: 2162
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/time/hrtimer.c: 2216
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/fs/eventpoll.c: 2334
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/fs/eventpoll.c: 2320
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/secureguard/rootguard/oplus_hook_syscall.c: 61
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/syscall.c: 124
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/syscall.c: 172
 #10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
    /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/entry.S: 1031
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009   SYSCALLNO: 16   PSTATE: 60001000
crash_arm64>
6.x.1 -e - search the current task's stack for possible kernel-mode and user-mode exception frames; is this automatic exception-frame recognition??
search the stack for possible kernel and user mode exception frames.
# Still nothing to see
crash_arm64> bt -p
PID: 5758  TASK: ffffff82b41b3240  CPU: 6  COMMAND: "Binder:2238_13"
bt: WARNING: cannot determine starting stack frame for task ffffff82b41b3240

# Search for exception frames
crash_arm64> bt -pe
PID: 5758  TASK: ffffff82b41b3240  CPU: 6  COMMAND: "Binder:2238_13"
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc02d3cb518
     PC: ffffffe4fb741020  [update_task_pred_demand+168]
     LR: ffffffe4fb732f60  [update_load_avg+244]
     SP: ffffffc02d3cb650  PSTATE: 00000004
    X29: ffffffc02d3cb640  X28: ffffff82b41b3240  X27: 0000000000000004
    X26: 0000000000000000  X25: 0000000000000006  X24: ffffffe4fc99e3b4
    X23: ffffff82f25b5ac0  X22: ffffffe4fbd46ff8  X21: 00000045d963f05f
    X20: ffffffe4fb741280  X19: ffffffc02d3cb610  X18: ffffffe4fc2874d4
    X17: ffffffc02d3cb5b0  X16: ffffffe4fc287440  X15: ffffffc02d3cb5b0
    X14: ffffffe4fb7333bc  X13: ffffffc02d3cb5e0  X12: 0000000000000005
    X11: 00000044e603188a  X10: ffffffe4fb733a64   X9: ffffffc02d3cb580
     X8: 000000000004ebf8   X7: ffffff82f2539ac0   X6: ffffff829b4f2240
     X5: ffffff829b4f2240   X4: ffffffe4fb733a50   X3: ffffffc02d3cb580
     X2: 0000000000000080   X1: 00000045d95f35d7   X0: ffffffe4fb733a3c
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc02d3cb890
     PC: ffffffe4fc97ff80  [_raw_spin_unlock_irq+28]
     LR: ffffffe4fb71e3e4  [finish_task_switch+216]
     SP: ffffffc02d3cb9d0  PSTATE: 60400005
    X29: ffffffc02d3cb9d0  X28: ffffffe4fd5421c0  X27: ffffffe4fc99e10c
    X26: ffffff8083763258  X25: ffffff82b41b3240  X24: 0000000000000000
    X23: ffffffe4fc97a268  X22: ffffff82b41b3240  X21: 0000000000000000
    X20: ffffff829e6e3240  X19: ffffff82f25b5ac0  X18: ffffffc027d55060
    X17: 00000000000003e7  X16: 00000000000a6025  X15: 000000000000002a
    X14: 0000000000000010  X13: 0000000000000004  X12: 0000000000000000
    X11: ffffffe4fd53bbb4  X10: 0000000000000c80   X9: ffffff829e6e32a0
     X8: 00000000000000e0   X7: 0000000000000001   X6: 0000000000000000
     X5: ffffff82f25955b8   X4: 0000000000000000   X3: 0b3e00010b991001
     X2: 0b3e0000a23e0001   X1: ffffff82b41b3240   X0: ffffff82f25b5ac0
 USER-MODE EXCEPTION FRAME AT: ffffffc02d3cbec0
     PC: 000000709190e4e8   LR: 00000070918cadbc   SP: 0000006e25773890
    X29: 0000006e25773970  X28: 0000006e2567b000  X27: 00000000000fc000
    X26: 0000006e25773ff8  X25: 0000000000000000  X24: 0000006e25774000
    X23: 0000000000000100  X22: 00000000fffffff7  X21: b400006e770f7920
    X20: b400006e770f7800  X19: 0000006e25774000  X18: 0000006e255ba000
    X17: 00000070918cad1c  X16: 0000007094724538  X15: 0000000000000000
    X14: ffffffffff000000  X13: 0000000000000000  X12: ffffff80ffffffd0
    X11: 0000006e25773910  X10: 0000006e25773940   X9: 0000006e25773940
     X8: 000000000000001d   X7: 0000000000000000   X6: 0000000000000000
     X5: 0000000000000000   X4: 0000000000000000   X3: 0000000000000000
     X2: 0000006e25773990   X1: 00000000c0306201   X0: 000000000000003d
    ORIG_X0: 000000000000003d   SYSCALLNO: 1d   PSTATE: 80001000
crash_arm64>
6.x.1 -E - search the IRQ stacks and exception stacks for possible exception frames; awesome
search the IRQ stacks (x86, x86_64, arm64, and ppc64), and the exception stacks (x86_64) for possible exception frames; all other arguments except for -c will be ignored since this is not a context-sensitive operation.
# Normally nothing is visible
crash_arm64> bt -p
PID: 5758  TASK: ffffff82b41b3240  CPU: 6  COMMAND: "Binder:2238_13"
bt: WARNING: cannot determine starting stack frame for task ffffff82b41b3240

# With this option it can even pinpoint the offending function; awesome
crash_arm64> bt -pE
CPU 0 IRQ STACK:
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc010003a98
     PC: ffffffe4fb483c04  [el1_ia+28]
     LR: ffffffe4fb48150c  [do_mem_abort+100]
     SP: ffffffc010003d00  PSTATE: 80400085
    X29: ffffffc010003b90  X28: 0000000096000006  X27: ffffffc010003bd0
    X26: 0000000000000064  X25: 0000000000000006  X24: ffffffe4fd540ac0
    X23: 0000000000000025  X22: ffffffe4fdc7f568  X21: ffffffe4fd955018
    X20: ffffff82f2417780  X19: ffffff82abb96480  X18: ffffffe4fc98218c
    X17: ffffffc010003b80  X16: 708d18da9ba1a800  X15: 0000000000000000
    X14: 0000000000000064  X13: 0000000096000006  X12: ffffffc010003bd0
    X11: ffffff80a2623fc0  X10: ffffffe4fc982248   X9: ffffffc010003b20
     X8: 0000000000000064   X7: ffffffc010003bd0   X6: 0000000096000006
     X5: 0000000000000025   X4: ffffffe4fb6d0edc   X3: ffffffc010003ae0
     X2: ffffffc010003bd0   X1: 0000000096000006   X0: 0000000000000064
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc010003bd0
     PC: ffffffe4fb9dc5bc  [jankinfo_update_time_info+872]
     LR: ffffffe4fb727b34  [account_process_tick+376]
     SP: ffffffc010003d10  PSTATE: 80400085
    X29: ffffffc010003d10  X28: 0000000000000001  X27: ffffff82f2417780
    X26: ffffffe4fd955018  X25: ffffffe4fdc7f568  X24: ffffffe4fc9a71d8
    X23: ffffffe4fe28f000  X22: ffffffe4fd987ac0  X21: ffffff82f2441ac0
    X20: 0000000000000001  X19: ffffff82abb96480  X18: ffffffc010005050
    X17: 0000000000000000  X16: fffffc181dcd6500  X15: 000000000000000f
    X14: 000003e7e2329b00  X13: 0000000000000001  X12: 0000000000000000
    X11: ffffff80bb1e8008  X10: ffffff80bb1e8000   X9: 0000000000000000
     X8: 0000000000000064   X7: 0000000000000000   X6: ffffff82f242d118
     X5: 0000000000000000   X4: 0000000000000008   X3: 006c6f6f70206461
     X2: 0000000000000008   X1: ffffff82abb96ca8   X0: ffffff82abb96480
CPU 1 IRQ STACK: (none found)
CPU 2 IRQ STACK: (none found)
CPU 3 IRQ STACK: (none found)
CPU 4 IRQ STACK: (none found)
CPU 5 IRQ STACK: (none found)
CPU 6 IRQ STACK:
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc010033a98
     PC: ffffffe4fb483c04  [el1_ia+28]
     LR: ffffffe4fb48150c  [do_mem_abort+100]
     SP: ffffffc010033d00  PSTATE: 80400085
    X29: ffffffc010033b90  X28: 0000000096000006  X27: ffffffc010033bd0
    X26: 0000000000000064  X25: 0000000000000006  X24: ffffffe4fd540ac0
    X23: 0000000000000025  X22: ffffffe4fdc7f568  X21: ffffffe4fd955018
    X20: ffffff82f258b780  X19: ffffff82b41b3240  X18: ffffffe4fc98218c
    X17: ffffffc010033b80  X16: 708d18da9ba1a800  X15: 0000000000000000
    X14: 0000000000000064  X13: 0000000096000006  X12: ffffffc010033bd0
    X11: ffffff80a2621e00  X10: ffffffe4fc982248   X9: ffffffc010033b20
     X8: 0000000000000064   X7: ffffffc010033bd0   X6: 0000000096000006
     X5: 0000000000000025   X4: ffffffe4fb6d0edc   X3: ffffffc010033ae0
     X2: ffffffc010033bd0   X1: 0000000096000006   X0: 0000000000000064
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc010033bd0
     PC: ffffffe4fb9dc5bc  [jankinfo_update_time_info+872]   # the faulting PC
     LR: ffffffe4fb727b34  [account_process_tick+376]
     SP: ffffffc010033d10  PSTATE: 80400085
    X29: ffffffc010033d10  X28: 0000000000000001  X27: ffffff82f258b780
    X26: ffffffe4fd955018  X25: ffffffe4fdc7f568  X24: ffffffe4fc9a71d8
    X23: ffffffe4fe28f000  X22: ffffffe4fd987ac0  X21: ffffff82f25b5ac0
    X20: 0000000000000000  X19: ffffff82b41b3240  X18: ffffffc010035050
    X17: 000000000000001f  X16: fffffc180baeb900  X15: 000000000000000f
    X14: 000003e7f4514700  X13: 0000000000000001  X12: 0000000000000000
    X11: ffffff80bb1e8668  X10: ffffff80bb1e8660   X9: 0000000000000006
     X8: 0000000000000064   X7: 0000000000000000   X6: ffffff82f25a3548
     X5: ffffff82f25955b8   X4: 0000000000000008   X3: 000033315f383332
     X2: 0000000000000008   X1: ffffff82b41b3a68   X0: ffffff82b41b3240
CPU 7 IRQ STACK:
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc01003b068
     PC: ffffffe4fbd46ff8  [ohm_schedstats_record+212]
     LR: ffffffe4fc287440  [qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484+72]
     SP: ffffffc01003b180  PSTATE: 00000009
    X29: ffffffc01003b170  X28: ffffff80bdc2d900  X27: 0000000000000000
    X26: ffffff82f25c2d48  X25: ffffff809e6610c0  X24: ffffffe4fb7298fc
    X23: ffffffc01003b240  X22: ffffffe4fc287440  X21: 708d18da9ba1a800
    X20: 000000000000000f  X19: 00000000000000ff  X18: fffffffff25c2d48
    X17: ffffff809e6610c0  X16: 0000000000000001  X15: 0000000000000002
    X14: 0000000000000002  X13: 0000000000000007  X12: 0000000700000070
    X11: 000000000000001e  X10: 0000000000000003   X9: 000000007fffffff
     X8: 0000000100000001   X7: ffffffc01003b200   X6: ffffff82f25c2d48
     X5: 0000000000000145   X4: 0000000000000004   X3: 0000000000000000
     X2: 00000000ffffffff   X1: 0000000000000000   X0: 0000000000000000
crash_arm64>
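Because `-e` and `-E` find frames by scanning the stack heuristically, it pays to decode the PSTATE printed with each frame before trusting it. The following added example (not crash's own code and not from this article) parses the frame headers from the `bt -pe` and `bt -pE` output above and decodes PSTATE; the plausibility rule it applies, kernel frames in EL1h and user frames in EL0t, is an assumption about how Linux runs on arm64, not a check crash performs.

```python
import re

# Constructed sample: the frame headers from the `bt -pe` and `bt -pE` output above,
# with the X0..X29 register lines trimmed (the parser ignores them anyway).
SAMPLE = """\
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc02d3cb518
     PC: ffffffe4fb741020  [update_task_pred_demand+168]
     LR: ffffffe4fb732f60  [update_load_avg+244]
     SP: ffffffc02d3cb650  PSTATE: 00000004
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc02d3cb890
     PC: ffffffe4fc97ff80  [_raw_spin_unlock_irq+28]
     LR: ffffffe4fb71e3e4  [finish_task_switch+216]
     SP: ffffffc02d3cb9d0  PSTATE: 60400005
 USER-MODE EXCEPTION FRAME AT: ffffffc02d3cbec0
     PC: 000000709190e4e8   LR: 00000070918cadbc   SP: 0000006e25773890
    ORIG_X0: 000000000000003d   SYSCALLNO: 1d   PSTATE: 80001000
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc010033bd0
     PC: ffffffe4fb9dc5bc  [jankinfo_update_time_info+872]
     LR: ffffffe4fb727b34  [account_process_tick+376]
     SP: ffffffc010033d10  PSTATE: 80400085
 KERNEL-MODE EXCEPTION FRAME AT: ffffffc01003b068
     PC: ffffffe4fbd46ff8  [ohm_schedstats_record+212]
     LR: ffffffe4fc287440  [qcom_cpufreq_get_cpu_cycle_counter$0e7f515b8f5a5edf9a06e988b2019484+72]
     SP: ffffffc01003b180  PSTATE: 00000009
"""

# AArch64 SPSR_EL1 bit layout (architectural, not crash-specific).
PSR_MODE_MASK = 0xF
MODES = {0x0: "EL0t", 0x4: "EL1t", 0x5: "EL1h", 0x8: "EL2t", 0x9: "EL2h"}
FLAG_BITS = {31: "N", 30: "Z", 29: "C", 28: "V"}   # condition flags
MASK_BITS = {9: "D", 8: "A", 7: "I", 6: "F"}       # exception mask bits


def decode_pstate(pstate):
    """Decode a PSTATE value as crash prints it (hex string) or as an int."""
    v = int(pstate, 16) if isinstance(pstate, str) else pstate
    mode = v & PSR_MODE_MASK
    return {
        "mode": MODES.get(mode, "unknown(%#x)" % mode),
        # same test as the kernel's user_mode(regs): mode bits == EL0t
        "user_mode": mode == 0,
        "flags": "".join(n for b, n in sorted(FLAG_BITS.items(), reverse=True) if v >> b & 1),
        "masked": "".join(n for b, n in sorted(MASK_BITS.items(), reverse=True) if v >> b & 1),
        "pan": bool(v >> 22 & 1),    # Privileged Access Never
        "ssbs": bool(v >> 12 & 1),   # Speculative Store Bypass Safe
    }


def frame_is_plausible(kind, pstate):
    """Assumed rule: Linux/arm64 runs kernel code in EL1h and user code in EL0t, so a
    frame reported in any other mode is likely a false positive of the heuristic search."""
    expected = "EL0t" if kind == "USER-MODE" else "EL1h"
    return decode_pstate(pstate)["mode"] == expected


HDR_RE = re.compile(r"(KERNEL|USER)-MODE EXCEPTION FRAME AT:\s*([0-9a-f]+)")
PC_RE = re.compile(r"\bPC:\s*([0-9a-f]+)(?:\s+\[([^\]]+)\])?")
PSTATE_RE = re.compile(r"\bPSTATE:\s*([0-9a-f]+)")


def triage_frames(text):
    """Split `bt -e` / `bt -E` output into frames and annotate each with its decoded
    PSTATE and a plausibility verdict."""
    heads = list(HDR_RE.finditer(text))
    frames = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        pc, ps = PC_RE.search(body), PSTATE_RE.search(body)
        if not pc or not ps:
            continue   # incomplete frame, e.g. output cut off
        kind = h.group(1) + "-MODE"
        frames.append({
            "kind": kind,
            "at": int(h.group(2), 16),
            "pc": int(pc.group(1), 16),
            "symbol": pc.group(2) or "?",
            "pstate": decode_pstate(ps.group(1)),
            "plausible": frame_is_plausible(kind, ps.group(1)),
        })
    return frames


if __name__ == "__main__":
    for f in triage_frames(SAMPLE):
        mark = "ok " if f["plausible"] else "?? "
        print("%s%-11s at %x  pc=%x (%s)  mode=%s flags=%s masked=%s" % (
            mark, f["kind"], f["at"], f["pc"], f["symbol"], f["pstate"]["mode"],
            f["pstate"]["flags"], f["pstate"]["masked"]))
```

On the sample above the two frames with PSTATE 00000004 (EL1t) and 00000009 (EL2h) are flagged, while the frames inside the IRQ handler decode to EL1h with IRQs masked, which is what a real tick-path exception looks like.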
6.x.1 -f - display all the data in each stack frame; this option can be used to determine the arguments passed to a function
display all stack data contained in a frame; this option can be used to determine the arguments passed to each function; on ia64, the argument register contents are dumped.
Displays all the stack data contained in each frame. This option can be used to work out the arguments passed to each function, but doing so requires a detailed understanding of the stack frame layout.
# Only the call chain is shown
crash_arm64> bt
PID: 1235  TASK: ffffff809dcf53c0  CPU: 5  COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
 #10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009   SYSCALLNO: 16   PSTATE: 60001000

# Every stack frame's contents are displayed
crash_arm64> bt -f
PID: 1235  TASK: ffffff809dcf53c0  CPU: 5  COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
    ffffffc0164dbb90: ffffffc0164dbbf0 ffffffe4fc97a264
    ffffffc0164dbba0: ffffffe4fdd7a508 ffffffe4fdd7a508
    ffffffc0164dbbb0: ffffff82d38c90c0 ffffff80a1e75dc0
    ffffffc0164dbbc0: ffffff809dcf53c0 ffffff82f2577ac0
    ffffffc0164dbbd0: 00000001164dbc00 0000000000000000
    ffffffc0164dbbe0: 0000000000000004 708d18da9ba1a800
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
    ffffffc0164dbbf0: ffffffc0164dbc50 ffffffe4fc97a59c
    ffffffc0164dbc00: ffffff809d752b68 ffffff809d752b30
    ffffffc0164dbc10: ffffff809d752b30 ffffffc0164dbd40
    ffffffc0164dbc20: ffffff809d752b00 ffffff809e29a8c1
    ffffffc0164dbc30: ffffff809d752b58 ffffff809dcf53c0
    ffffffc0164dbc40: 0000007fc42df160 ffffff809dcf53c0
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
    ffffffc0164dbc50: ffffffc0164dbcd0 ffffffe4fc97f2c8
    ffffffc0164dbc60: 0000000000000010 ffffff809d752b68
    ffffffc0164dbc70: ffffffc0164dbca0 0000000000000000
    ffffffc0164dbc80: 0000000000000000 0000000000000000
    ffffffc0164dbc90: 0000000000000000 0000000000000000
    ffffffc0164dbca0: 0000000000000000 0000000000000000
    ffffffc0164dbcb0: 0000000000000000 0000000000000000
    ffffffc0164dbcc0: 0000000000000000 708d18da9ba1a800
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
    ffffffc0164dbcd0: ffffffc0164dbd70 ffffffe4fb98dbd0
    ffffffc0164dbce0: ffffff809dcf53c0 ffffff809dcf53c0
    ffffffc0164dbcf0: 0000007fc42df160 0000000000000010
    ffffffc0164dbd00: 0000000000000000 0000000000000000
    ffffffc0164dbd10: ffffff809e29a8c1 ffffff809e29a8c0
    ffffffc0164dbd20: 0000000000000000 0000000000000001
    ffffffc0164dbd30: ffffff809dcf53c0 ffffffe4fc99d5c0
    ffffffc0164dbd40: ffffff809d752b30 ffffff809d752b30
    ffffffc0164dbd50: 0000000000000001 0000007fc42df160
    ffffffc0164dbd60: 0000000000000000 708d18da9ba1a800
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
    ffffffc0164dbd70: ffffffc0164dbdd0 ffffffe4fb98b4dc
    ffffffc0164dbd80: ffffff809dcf53c0 0000000000000000
    ffffffc0164dbd90: 0000000000000000 ffffff809dcf53c0
    ffffffc0164dbda0: ffffffe4fc9a9c8c 0000000000000009
    ffffffc0164dbdb0: 0000007fc42df160 0000000000000010
    ffffffc0164dbdc0: 00000000ffffffff 0000000000000000
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
    ffffffc0164dbdd0: ffffffc0164dbe10 ffffffe4fb98b480
    ffffffc0164dbde0: 00000000000003e8 ffffff80cee95b00
    ffffffc0164dbdf0: 00000000000003e8 0000000000000016
    ffffffc0164dbe00: 00000000000003e8 ffffffc0164dbec0
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
    ffffffc0164dbe10: ffffffc0164dbe20 ffffffe4fb6d0504
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
    ffffffc0164dbe20: ffffffc0164dbe70 ffffffe4fb6c2ec8
    ffffffc0164dbe30: 0000000056000000 0000000004000008
    ffffffc0164dbe40: 0000000000000015 0000000004000000
    ffffffc0164dbe50: ffffff809dcf53c0 0000000000000016
    ffffffc0164dbe60: ffffffe4fd53a688 ffffffc0164dbec0
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
    ffffffc0164dbe70: ffffffc0164dbeb0 ffffffe4fb6c2e08
    ffffffc0164dbe80: 0000000060001000 0000000056000000
    ffffffc0164dbe90: 00000076109d04a8 00000000ffffffff
    ffffffc0164dbea0: ffffff9df4bf0000 0000000004000000
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
    ffffffc0164dbeb0: ffffffc0164dbff0 ffffffe4fb484e88
    ffffffc0164dbec0: 0000000000000009 0000007fc42df160
    ffffffc0164dbed0: 0000000000000010 00000000ffffffff
    ffffffc0164dbee0: 0000000000000000 0000000000000008
    ffffffc0164dbef0: 000000758ec18520 000000757b035860
    ffffffc0164dbf00: 0000000000000016 b79a1c55bdc51541
    ffffffc0164dbf10: 00000000000001d0 b400000000000000
    ffffffc0164dbf20: 000000759000d888 000000757b035740
    ffffffc0164dbf30: 0000000000000000 0000000034155555
    ffffffc0164dbf40: 00000076119f0db0 000000761099276c
    ffffffc0164dbf50: 000000761366c000 b4000075900510e0
    ffffffc0164dbf60: b400007590051188 00000000ffffffff
    ffffffc0164dbf70: 00000000ffffffff b4000075900510e0
    ffffffc0164dbf80: 0000000000000000 00000076133a8000
    ffffffc0164dbf90: 0000000000000000 0000000000000000
    ffffffc0164dbfa0: 0000000000000000 0000007fc42df270
    ffffffc0164dbfb0: 00000076119edad0 0000007fc42df120
    ffffffc0164dbfc0: 00000076109d04a8 0000000060001000
    ffffffc0164dbfd0: 0000000000000009 0000000000000016
    ffffffc0164dbfe0: 0000000000000000 0000000000000000
 #10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009   SYSCALLNO: 16   PSTATE: 60001000
crash_arm64>
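The `-f` output becomes readable once you know the arm64 frame record layout: the word at [FP] is the caller's FP and the word at [FP+8] is the saved return address, and everything between that 16-byte record and the next frame is the callee's saved registers and spilled arguments. The following added example (not crash's own code and not from this article) parses the `bt -f` output above, verifies that each frame record links to the next frame, and extracts the words where arguments would be recovered from.

```python
import re

# Constructed sample: frames #0..#2 of the `bt -f` output above (later frames dropped
# to keep the sample short); the parser accepts the full output unchanged.
SAMPLE = """\
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
    ffffffc0164dbb90: ffffffc0164dbbf0 ffffffe4fc97a264
    ffffffc0164dbba0: ffffffe4fdd7a508 ffffffe4fdd7a508
    ffffffc0164dbbb0: ffffff82d38c90c0 ffffff80a1e75dc0
    ffffffc0164dbbc0: ffffff809dcf53c0 ffffff82f2577ac0
    ffffffc0164dbbd0: 00000001164dbc00 0000000000000000
    ffffffc0164dbbe0: 0000000000000004 708d18da9ba1a800
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
    ffffffc0164dbbf0: ffffffc0164dbc50 ffffffe4fc97a59c
    ffffffc0164dbc00: ffffff809d752b68 ffffff809d752b30
    ffffffc0164dbc10: ffffff809d752b30 ffffffc0164dbd40
    ffffffc0164dbc20: ffffff809d752b00 ffffff809e29a8c1
    ffffffc0164dbc30: ffffff809d752b58 ffffff809dcf53c0
    ffffffc0164dbc40: 0000007fc42df160 ffffff809dcf53c0
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
    ffffffc0164dbc50: ffffffc0164dbcd0 ffffffe4fc97f2c8
    ffffffc0164dbc60: 0000000000000010 ffffff809d752b68
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+\[([0-9a-f]+)\]\s+(\S+)\s+at\s+([0-9a-f]+)")
DATA_RE = re.compile(r"^\s*([0-9a-f]+):\s+([0-9a-f]+)(?:\s+([0-9a-f]+))?\s*$")


def parse_bt_f(text):
    """Parse `bt -f` output into frames: {no, fp, func, pc, words}, where words maps
    each stack address to the 64-bit value crash printed there (two words per line)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"no": int(m.group(1)), "fp": int(m.group(2), 16),
                           "func": m.group(3), "pc": int(m.group(4), 16), "words": {}})
            continue
        m = DATA_RE.match(line)
        if m and frames:
            base = int(m.group(1), 16)
            for i, val in enumerate(m.groups()[1:]):
                if val is not None:
                    frames[-1]["words"][base + 8 * i] = int(val, 16)
    return frames


def check_frame_chain(frames):
    """Verify the AAPCS64 frame record between consecutive frames: the word at [FP]
    is the caller's FP and the word at [FP+8] is the saved LR. crash prints the
    caller's address as LR-4 (the `bl` itself), so saved LR == next frame pc + 4.
    Returns (frame_no, frame_size_in_bytes, chain_ok) for every frame but the last."""
    out = []
    for cur, nxt in zip(frames, frames[1:]):
        saved_fp = cur["words"].get(cur["fp"])
        saved_lr = cur["words"].get(cur["fp"] + 8)
        ok = saved_fp == nxt["fp"] and saved_lr == nxt["pc"] + 4
        out.append((cur["no"], nxt["fp"] - cur["fp"], ok))
    return out


def frame_body(frames, idx):
    """Words above the 16-byte frame record and below the caller's frame: this is
    where callee-saved registers and spilled arguments live, i.e. the data `-f`
    lets you recover arguments from."""
    cur, nxt = frames[idx], frames[idx + 1]
    return [cur["words"][a] for a in range(cur["fp"] + 16, nxt["fp"], 8) if a in cur["words"]]


if __name__ == "__main__":
    fr = parse_bt_f(SAMPLE)
    for no, size, ok in check_frame_chain(fr):
        print("#%d %-12s frame size %3d bytes  chain %s"
              % (no, fr[no]["func"], size, "ok" if ok else "BROKEN"))
    print("frame #0 body words:", ["%x" % w for w in frame_body(fr, 0)])
```

A frame whose record does not link to the next one is exactly the situation in which `bt` prints "cannot determine starting stack frame", and where `-t`/`-T` become the fallback.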
6.x.1 -F[F] - also displays the frame data, but resolves whatever can be resolved into symbols
similar to -f, except that the stack data is displayed symbolically when appropriate; if the stack data references a slab cache object, the name of the slab cache will be displayed in brackets; on ia64, the substitution is done to the argument register contents. If -F is entered twice, and the stack data references a slab cache object, both the address and the name of the slab cache will be displayed in brackets.
crash_arm64> bt -F
PID: 1235  TASK: ffffff809dcf53c0  CPU: 5  COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
    ffffffc0164dbb90: ffffffc0164dbbf0 __schedule+1572
    ffffffc0164dbba0: event_sched_switch event_sched_switch
    ffffffc0164dbbb0: [task_struct] [mm_struct]
    ffffffc0164dbbc0: [task_struct] ffffff82f2577ac0
    ffffffc0164dbbd0: 00000001164dbc00 0000000000000000
    ffffffc0164dbbe0: 0000000000000004 708d18da9ba1a800
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
    ffffffc0164dbbf0: ffffffc0164dbc50 schedule+140
    ffffffc0164dbc00: [kmalloc-256] [kmalloc-256]
    ffffffc0164dbc10: [kmalloc-256] ffffffc0164dbd40
    ffffffc0164dbc20: [kmalloc-256] [filp]
    ffffffc0164dbc30: [kmalloc-256] [task_struct]
    ffffffc0164dbc40: 0000007fc42df160 [task_struct]
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
    ffffffc0164dbc50: ffffffc0164dbcd0 schedule_hrtimeout_range_clock+204
    ffffffc0164dbc60: 0000000000000010 [kmalloc-256]
    ffffffc0164dbc70: ffffffc0164dbca0 0000000000000000
    ffffffc0164dbc80: 0000000000000000 0000000000000000
    ffffffc0164dbc90: 0000000000000000 0000000000000000
    ffffffc0164dbca0: 0000000000000000 0000000000000000
    ffffffc0164dbcb0: 0000000000000000 0000000000000000
    ffffffc0164dbcc0: 0000000000000000 708d18da9ba1a800
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
    ffffffc0164dbcd0: ffffffc0164dbd70 do_epoll_wait+1000
    ffffffc0164dbce0: [task_struct] [task_struct]
    ffffffc0164dbcf0: 0000007fc42df160 0000000000000010
    ffffffc0164dbd00: 0000000000000000 0000000000000000
    ffffffc0164dbd10: [filp] [filp]
    ffffffc0164dbd20: 0000000000000000 0000000000000001
    ffffffc0164dbd30: [task_struct] autoremove_wake_function.cfi_jt
    ffffffc0164dbd40: [kmalloc-256] [kmalloc-256]
    ffffffc0164dbd50: 0000000000000001 0000007fc42df160
    ffffffc0164dbd60: 0000000000000000 708d18da9ba1a800
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
    ffffffc0164dbd70: ffffffc0164dbdd0 __se_sys_epoll_pwait+80
    ffffffc0164dbd80: [task_struct] 0000000000000000
    ffffffc0164dbd90: 0000000000000000 [task_struct]
    ffffffc0164dbda0: __arm64_sys_epoll_pwait.cfi_jt 0000000000000009
    ffffffc0164dbdb0: 0000007fc42df160 0000000000000010
    ffffffc0164dbdc0: 00000000ffffffff 0000000000000000
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
    ffffffc0164dbdd0: ffffffc0164dbe10 __arm64_sys_epoll_pwait+32
    ffffffc0164dbde0: 00000000000003e8 [kmalloc-128]
    ffffffc0164dbdf0: 00000000000003e8 0000000000000016
    ffffffc0164dbe00: 00000000000003e8 ffffffc0164dbec0
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
    ffffffc0164dbe10: ffffffc0164dbe20 oplus_invoke_syscall+124
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
    ffffffc0164dbe20: ffffffc0164dbe70 el0_svc_common+156
    ffffffc0164dbe30: 0000000056000000 0000000004000008
    ffffffc0164dbe40: 0000000000000015 0000000004000000
    ffffffc0164dbe50: [task_struct] 0000000000000016
    ffffffc0164dbe60: sys_call_table ffffffc0164dbec0
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
    ffffffc0164dbe70: ffffffc0164dbeb0 el0_svc_handler+116
    ffffffc0164dbe80: 0000000060001000 0000000056000000
    ffffffc0164dbe90: 00000076109d04a8 00000000ffffffff
    ffffffc0164dbea0: ffffff9df4bf0000 0000000004000000
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
    ffffffc0164dbeb0: ffffffc0164dbff0 el0_svc+8
    ffffffc0164dbec0: 0000000000000009 0000007fc42df160
    ffffffc0164dbed0: 0000000000000010 00000000ffffffff
    ffffffc0164dbee0: 0000000000000000 0000000000000008
    ffffffc0164dbef0: 000000758ec18520 000000757b035860
    ffffffc0164dbf00: 0000000000000016 b79a1c55bdc51541
    ffffffc0164dbf10: 00000000000001d0 b400000000000000
    ffffffc0164dbf20: 000000759000d888 000000757b035740
    ffffffc0164dbf30: 0000000000000000 0000000034155555
    ffffffc0164dbf40: 00000076119f0db0 000000761099276c
    ffffffc0164dbf50: 000000761366c000 b4000075900510e0
    ffffffc0164dbf60: b400007590051188 00000000ffffffff
    ffffffc0164dbf70: 00000000ffffffff b4000075900510e0
    ffffffc0164dbf80: 0000000000000000 00000076133a8000
    ffffffc0164dbf90: 0000000000000000 0000000000000000
    ffffffc0164dbfa0: 0000000000000000 0000007fc42df270
    ffffffc0164dbfb0: 00000076119edad0 0000007fc42df120
    ffffffc0164dbfc0: 00000076109d04a8 0000000060001000
    ffffffc0164dbfd0: 0000000000000009 0000000000000016
    ffffffc0164dbfe0: 0000000000000000 0000000000000000
 #10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009   SYSCALLNO: 16   PSTATE: 60001000

crash_arm64> bt -FF
PID: 1235  TASK: ffffff809dcf53c0  CPU: 5  COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
    ffffffc0164dbb90: ffffffc0164dbbf0 __schedule+1572
    ffffffc0164dbba0: event_sched_switch event_sched_switch
    ffffffc0164dbbb0: [ffffff82d38c90c0:task_struct] [ffffff80a1e75dc0:mm_struct]
    ffffffc0164dbbc0: [ffffff809dcf53c0:task_struct] ffffff82f2577ac0
    ffffffc0164dbbd0: 00000001164dbc00 0000000000000000
    ffffffc0164dbbe0: 0000000000000004 708d18da9ba1a800
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
    ffffffc0164dbbf0: ffffffc0164dbc50 schedule+140
    ffffffc0164dbc00: [ffffff809d752b68:kmalloc-256] [ffffff809d752b30:kmalloc-256]
    ffffffc0164dbc10: [ffffff809d752b30:kmalloc-256] ffffffc0164dbd40
    ffffffc0164dbc20: [ffffff809d752b00:kmalloc-256] [ffffff809e29a8c1:filp]
    ffffffc0164dbc30: [ffffff809d752b58:kmalloc-256] [ffffff809dcf53c0:task_struct]
    ffffffc0164dbc40: 0000007fc42df160 [ffffff809dcf53c0:task_struct]
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
    ffffffc0164dbc50: ffffffc0164dbcd0 schedule_hrtimeout_range_clock+204
    ffffffc0164dbc60: 0000000000000010 [ffffff809d752b68:kmalloc-256]
    ffffffc0164dbc70: ffffffc0164dbca0 0000000000000000
    ffffffc0164dbc80: 0000000000000000 0000000000000000
    ffffffc0164dbc90: 0000000000000000 0000000000000000
    ffffffc0164dbca0: 0000000000000000 0000000000000000
    ffffffc0164dbcb0: 0000000000000000 0000000000000000
    ffffffc0164dbcc0: 0000000000000000 708d18da9ba1a800
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
    ffffffc0164dbcd0: ffffffc0164dbd70 do_epoll_wait+1000
    ffffffc0164dbce0: [ffffff809dcf53c0:task_struct] [ffffff809dcf53c0:task_struct]
    ffffffc0164dbcf0: 0000007fc42df160 0000000000000010
    ffffffc0164dbd00: 0000000000000000 0000000000000000
    ffffffc0164dbd10: [ffffff809e29a8c1:filp] [ffffff809e29a8c0:filp]
    ffffffc0164dbd20: 0000000000000000 0000000000000001
    ffffffc0164dbd30: [ffffff809dcf53c0:task_struct] autoremove_wake_function.cfi_jt
    ffffffc0164dbd40: [ffffff809d752b30:kmalloc-256] [ffffff809d752b30:kmalloc-256]
    ffffffc0164dbd50: 0000000000000001 0000007fc42df160
    ffffffc0164dbd60: 0000000000000000 708d18da9ba1a800
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
    ffffffc0164dbd70: ffffffc0164dbdd0 __se_sys_epoll_pwait+80
    ffffffc0164dbd80: [ffffff809dcf53c0:task_struct] 0000000000000000
    ffffffc0164dbd90: 0000000000000000 [ffffff809dcf53c0:task_struct]
    ffffffc0164dbda0: __arm64_sys_epoll_pwait.cfi_jt 0000000000000009
    ffffffc0164dbdb0: 0000007fc42df160 0000000000000010
    ffffffc0164dbdc0: 00000000ffffffff 0000000000000000
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
    ffffffc0164dbdd0: ffffffc0164dbe10 __arm64_sys_epoll_pwait+32
    ffffffc0164dbde0: 00000000000003e8 [ffffff80cee95b00:kmalloc-128]
    ffffffc0164dbdf0: 00000000000003e8 0000000000000016
    ffffffc0164dbe00: 00000000000003e8 ffffffc0164dbec0
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
    ffffffc0164dbe10: ffffffc0164dbe20 oplus_invoke_syscall+124
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
    ffffffc0164dbe20: ffffffc0164dbe70 el0_svc_common+156
    ffffffc0164dbe30: 0000000056000000 0000000004000008
    ffffffc0164dbe40: 0000000000000015 0000000004000000
    ffffffc0164dbe50: [ffffff809dcf53c0:task_struct] 0000000000000016
    ffffffc0164dbe60: sys_call_table ffffffc0164dbec0
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
    ffffffc0164dbe70: ffffffc0164dbeb0 el0_svc_handler+116
    ffffffc0164dbe80: 0000000060001000 0000000056000000
    ffffffc0164dbe90: 00000076109d04a8 00000000ffffffff
    ffffffc0164dbea0: ffffff9df4bf0000 0000000004000000
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
    ffffffc0164dbeb0: ffffffc0164dbff0 el0_svc+8
    ffffffc0164dbec0: 0000000000000009 0000007fc42df160
    ffffffc0164dbed0: 0000000000000010 00000000ffffffff
    ffffffc0164dbee0: 0000000000000000 0000000000000008
    ffffffc0164dbef0: 000000758ec18520 000000757b035860
    ffffffc0164dbf00: 0000000000000016 b79a1c55bdc51541
    ffffffc0164dbf10: 00000000000001d0 b400000000000000
    ffffffc0164dbf20: 000000759000d888 000000757b035740
    ffffffc0164dbf30: 0000000000000000 0000000034155555
    ffffffc0164dbf40: 00000076119f0db0 000000761099276c
    ffffffc0164dbf50: 000000761366c000 b4000075900510e0
    ffffffc0164dbf60: b400007590051188 00000000ffffffff
    ffffffc0164dbf70: 00000000ffffffff b4000075900510e0
    ffffffc0164dbf80: 0000000000000000 00000076133a8000
    ffffffc0164dbf90: 0000000000000000 0000000000000000
    ffffffc0164dbfa0: 0000000000000000 0000007fc42df270
    ffffffc0164dbfb0: 00000076119edad0 0000007fc42df120
    ffffffc0164dbfc0: 00000076109d04a8 0000000060001000
    ffffffc0164dbfd0: 0000000000000009 0000000000000016
    ffffffc0164dbfe0: 0000000000000000 0000000000000000
 #10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009   SYSCALLNO: 16   PSTATE: 60001000
crash_arm64>
6.x.1 -o
6.x.1 -O
6.x.1 -v - check for stack overflows
Check the kernel stack of all tasks for evidence of stack overflows. It does so by verifying the thread_info.task pointer, ensuring that thread_info.cpu is a valid cpu number, and checking the end of the stack for the STACK_END_MAGIC value.
crash_arm64> bt -v
bt: invalid kernel virtual address: 0  type: "stack overflow check"
No stack overflows detected

crash_arm64> bt -v
PID: 5823   TASK: ffff88102aae0040  CPU: 1   COMMAND: "flush-253:0"
  possible stack overflow: thread_info.task: 102efb5adc0 != ffff88102aae0040
  possible stack overflow: 40ffffffff != STACK_END_MAGIC
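As an added example (not code from this page or from crash itself), the three checks listed above modelled in user-space C on the legacy stack layout where thread_info sits at the bottom of the stack and STACK_END_MAGIC follows it; the stack size, cpu count and the two stripped-down structs are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value the kernel writes at the end of every task stack
 * (include/linux/sched/task_stack.h). */
#define STACK_END_MAGIC 0x57AC6E9DUL
#define THREAD_SIZE     16384U   /* assumed stack size for this model */
#define NR_CPUS         8U       /* assumed number of cpus */

/* Minimal stand-ins for the kernel structures (assumption: only the
 * fields bt -v looks at are modelled). */
struct task_struct {
    unsigned long pid;
    void *stack;                 /* bottom of the kernel stack */
};

struct thread_info {
    struct task_struct *task;    /* must point back at the owning task */
    unsigned int cpu;            /* must be a valid cpu number */
};

/* Bit flags returned by check_stack_overflow(). */
enum {
    OVF_TASK_MISMATCH = 1u << 0,  /* thread_info.task != task */
    OVF_BAD_CPU       = 1u << 1,  /* thread_info.cpu >= nr_cpus */
    OVF_BAD_MAGIC     = 1u << 2,  /* *end_of_stack != STACK_END_MAGIC */
};

/* Legacy layout: the magic word sits immediately after thread_info. */
static unsigned long *end_of_stack(struct thread_info *ti)
{
    return (unsigned long *)(ti + 1);
}

/* The same three tests bt -v performs, returned as a bitmask of findings. */
unsigned check_stack_overflow(const struct task_struct *task, unsigned nr_cpus)
{
    struct thread_info *ti = task->stack;
    unsigned findings = 0;

    if (ti->task != task)
        findings |= OVF_TASK_MISMATCH;
    if (ti->cpu >= nr_cpus)
        findings |= OVF_BAD_CPU;
    if (*end_of_stack(ti) != STACK_END_MAGIC)
        findings |= OVF_BAD_MAGIC;
    return findings;
}

/* Constructed stack region standing in for a task's THREAD_SIZE stack. */
static unsigned char stack_mem[THREAD_SIZE] __attribute__((aligned(16)));

static void setup_task(struct task_struct *task, unsigned cpu)
{
    struct thread_info *ti = (struct thread_info *)stack_mem;

    memset(stack_mem, 0, sizeof stack_mem);
    task->stack = ti;
    ti->task = task;
    ti->cpu = cpu;
    *end_of_stack(ti) = STACK_END_MAGIC;
}

/* Healthy stack: every check passes, so there are no findings. */
unsigned scenario_clean(void)
{
    struct task_struct task = { .pid = 5823, .stack = NULL };

    setup_task(&task, 1);
    return check_stack_overflow(&task, NR_CPUS);
}

/* Overflow: a frame that grew below the usable area has overwritten the
 * magic word and thread_info, the pattern in the flush-253:0 output above. */
unsigned scenario_overflow(void)
{
    struct task_struct task = { .pid = 5823, .stack = NULL };
    size_t clobber = sizeof(struct thread_info) + sizeof(unsigned long);

    setup_task(&task, 1);
    memset(stack_mem, 0xff, clobber);   /* garbage spills into the bottom */
    return check_stack_overflow(&task, NR_CPUS);
}

int main(void)
{
    printf("clean stack findings:      0x%x\n", scenario_clean());
    printf("overflowed stack findings: 0x%x\n", scenario_overflow());
    return 0;
}
```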
6.x.1 -p - show only the task that panicked
To make the effect visible, I first switch the crash context to surfaceflinger and then run bt -p.
crash_arm64> ps | grep surface
   1235      1   5  ffffff809dcf53c0  IN   0.4 2793532  56744  surfaceflinger
   1317      1   4  ffffff809e292180  IN   0.4 2793532  56744  surfaceflinger
   1490      1   6  ffffff82c5850000  IN   0.4 2793532  56744  surfaceflinger
   1491      1   0  ffffff80876cb240  IN   0.4 2793532  56744  surfaceflinger
   1494      1   4  ffffff82c5ac0000  IN   0.4 2793532  56744  surfaceflinger
   1495      1   5  ffffff82c5ac2180  IN   0.4 2793532  56744  surfaceflinger
   1497      1   6  ffffff82c5ac6480  IN   0.4 2793532  56744  surfaceflinger
   1498      1   4  ffffff82c5ac53c0  IN   0.4 2793532  56744  surfaceflinger

crash_arm64> set 1235
    PID: 1235
COMMAND: "surfaceflinger"
   TASK: ffffff809dcf53c0  [THREAD_INFO: ffffff809dcf53c0]
    CPU: 5
  STATE: TASK_INTERRUPTIBLE

crash_arm64> bt
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000

crash_arm64> bt -p
PID: 5758   TASK: ffffff82b41b3240  CPU: 6   COMMAND: "Binder:2238_13"
bt: WARNING: cannot determine starting stack frame for task ffffff82b41b3240
crash_arm64>
6.x.1 -R ref
6.x.1 -s [-x | -d] - display symbol name plus offset
display the symbol name plus its offset.
Frames are shown as symbol name plus offset; -x and -d select hexadecimal or decimal for the offset.
crash_arm64> bt
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000

crash_arm64> bt -s
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to+772 at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule+1568 at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule+136 at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock+200 at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait+996 at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait+76 at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait+28 at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall+120 at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common+152 at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler+112 at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc+4 at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000
crash_arm64>
6.x.1 -I ip - specify the starting code address
-I ip: use ip as the starting text location.
6.x.1 -S sp - specify the starting stack frame address
-S sp: use sp as the starting stack frame address.
6.x.1 pid | task - which task's stack to display
crash_arm64> ps | grep surface
   1235      1   5  ffffff809dcf53c0  IN   0.4 2793532  56744  surfaceflinger
   1317      1   4  ffffff809e292180  IN   0.4 2793532  56744  surfaceflinger
   1490      1   6  ffffff82c5850000  IN   0.4 2793532  56744  surfaceflinger
   1491      1   0  ffffff80876cb240  IN   0.4 2793532  56744  surfaceflinger
   1494      1   4  ffffff82c5ac0000  IN   0.4 2793532  56744  surfaceflinger
   1495      1   5  ffffff82c5ac2180  IN   0.4 2793532  56744  surfaceflinger
   1497      1   6  ffffff82c5ac6480  IN   0.4 2793532  56744  surfaceflinger
   1498      1   4  ffffff82c5ac53c0  IN   0.4 2793532  56744  surfaceflinger

# select the task by pid
crash_arm64> bt 1235
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000

# select the task by the address of its task_struct
crash_arm64> bt ffffff809dcf53c0
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000
crash_arm64>
6.x btop/ptob - convert between addresses and page numbers
Examples:
# given an address, find the page it belongs to
crash_arm64> btop ffffff801b8c3e60
ffffff801b8c3e60: ffffff801b8c3

# given a page number, find the start address of that page
crash_arm64> ptob ffffff801b8c3
ffffff801b8c3: ffffff801b8c3000
6.x dev - list the current devices and show their ops
Displays character and block device assignments, I/O port usage and I/O memory usage; it is a convenient way to find the fops each device is backed by.
Help text:
dev [-i | -p | -d | -D ] [-V | -v index [file]]
With no arguments, dev prints all character and block devices.
# show all character and block devices
crash_arm64> dev
CHRDEV    NAME          CDEV       OPERATIONS
   1      mem           f79b83c0   memory_fops
   4      /dev/vc/0     c07bc560   console_fops
   4      tty           f7af5004   tty_fops
   4      ttyS          f7b02204   tty_fops
   5      /dev/tty      c07bc440   tty_fops
   5      /dev/console  c07bc4a0   console_fops
   5      /dev/ptmx     c07bc500   ptmx_fops
   6      lp            c5797e40   lp_fops
   7      vcs           f7b03d40   vcs_fops
  10      misc          f7f68640   misc_fops
  13      input         f79b8840   input_fops
  21      sg            f7f12840   sg_fops
  29      fb            f7f8c640   fb_fops
 128      ptm           f7b02604   tty_fops
 136      pts           f7b02404   tty_fops
 162      raw           c0693e40   raw_fops
 180      usb           f79b8bc0   usb_fops
 189      usb_device    c06a0300   usbfs_device_file_operations
 216      rfcomm        f5961a04   tty_fops
 254      pcmcia        f79b82c0   ds_fops

BLKDEV    NAME           GENDISK    OPERATIONS
   1      ramdisk        f7b23480   rd_bd_op
   8      sd             f7cab280   sd_fops
   9      md             f7829b80   md_fops
  11      sr             f75c24c0   sr_bdops
  65      sd             (none)
  66      sd             (none)
  67      sd             (none)
  68      sd             (none)
  69      sd             (none)
  70      sd             (none)
  71      sd             (none)
 128      sd             (none)
 129      sd             (none)
 130      sd             (none)
 131      sd             (none)
 132      sd             (none)
 133      sd             (none)
 134      sd             (none)
 135      sd             (none)
 253      device-mapper  c57a0ac0   dm_blk_dops
 254      mdp            (none)
6.x.1 -i - show I/O ports and I/O memory
crash_arm64> dev -i
RESOURCE  RANGE      NAME
c03036d4  0000-ffff  PCI IO
c0302594  0000-001f  dma1
c03025b0  0020-003f  pic1
c03025cc  0040-005f  timer
c03025e8  0060-006f  keyboard
c0302604  0080-008f  dma page reg
c0302620  00a0-00bf  pic2
c030263c  00c0-00df  dma2
c0302658  00f0-00ff  fpu
c122ff20  0170-0177  ide1
c122f240  0213-0213  isapnp read
c122ff40  02f8-02ff  serial(auto)
c122ff00  0376-0376  ide1
c03186e8  03c0-03df  vga+
c122ff60  03f8-03ff  serial(auto)
c123851c  0800-083f  Intel Corporation 82371AB PIIX4 ACPI
c1238538  0840-085f  Intel Corporation 82371AB PIIX4 ACPI
c122f220  0a79-0a79  isapnp write
c122f200  0cf8-0cff  PCI conf1
c1238858  dc00-dc7f  3Com Corporation 3c905B 100BaseTX [Cyclone]
c122fc00  dc00-dc7f  00:11.0
c12380c8  dce0-dcff  Intel Corporation 82371AB PIIX4 USB
c1238d1c  e000-efff  PCI Bus #02
c1237858  e800-e8ff  Adaptec AIC-7880U
c1237458  ec00-ecff  Adaptec AHA-2940U2/W / 7890
c1239cc8  ffa0-ffaf  Intel Corporation 82371AB PIIX4 IDE

RESOURCE  RANGE              NAME
c03036f0  00000000-ffffffff  PCI mem
c0004000  00000000-0009ffff  System RAM
c03026ac  000a0000-000bffff  Video RAM area
c03026fc  000c0000-000c7fff  Video ROM
c0302718  000c9800-000cdfff  Extension ROM
c0302734  000ce000-000ce7ff  Extension ROM
c0302750  000ce800-000cffff  Extension ROM
c03026e0  000f0000-000fffff  System ROM
c0004040  00100000-07ffdfff  System RAM
c0302674  00100000-0028682b  Kernel code
c0302690  0028682c-0031c63f  Kernel data
c0004060  07ffe000-07ffffff  reserved
c1239058  ec000000-efffffff  Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge
c1238d54  f1000000-f1ffffff  PCI Bus #02
c1239554  f2000000-f5ffffff  PCI Bus #01
c1237074  f4000000-f5ffffff  nVidia Corporation Riva TnT2 [NV5]
c1238d38  fa000000-fbffffff  PCI Bus #02
c1237874  faffe000-faffefff  Adaptec AIC-7880U
c127ec40  faffe000-faffefff  aic7xxx
c1237474  fafff000-faffffff  Adaptec AHA-2940U2/W / 7890
c127eec0  fafff000-faffffff  aic7xxx
c1239538  fc000000-fdffffff  PCI Bus #01
c1237058  fc000000-fcffffff  nVidia Corporation Riva TnT2 [NV5]
c1238874  fe000000-fe00007f  3Com Corporation 3c905B 100BaseTX [Cyclone]
c0004080  fec00000-fec0ffff  reserved
c00040a0  fee00000-fee0ffff  reserved
c00040c0  ffe00000-ffffffff  reserved
6.x.1 -p - show PCI device information
crash_arm64> dev -p
ROOT BUS          BUSNAME
ffffffdbeb2a9480  0000:00
 PCI DEV           DO:BU:SL.FN   CLASS  PCI_ID     TYPE
 ffffffdbeb012480  0000:00:00.0  0604   17cb:10b   ROOT_PORT [BRIDGE]
  PCI BUS           PARENT BUS
  ffffffdbeb335080  ffffffdbeb2a9480
   PCI DEV           DO:BU:SL.FN   CLASS  PCI_ID     TYPE
   ffffffdbeb012480  0000:00:00.0  0604   17cb:10b   ROOT_PORT [BRIDGE]
   ffffffdbeb011280  0000:01:00.0  ff00   17cb:1101  ENDPOINT

ROOT BUS          BUSNAME
ffffffdc172b4680  0002:00
 PCI DEV           DO:BU:SL.FN   CLASS  PCI_ID     TYPE
 ffffffdc163d8080  0002:00:00.0  0604   17cb:10b   ROOT_PORT [BRIDGE]
  PCI BUS           PARENT BUS
  ffffffdc172b3c80  ffffffdc172b4680
   PCI DEV           DO:BU:SL.FN   CLASS  PCI_ID     TYPE
   ffffffdc163d8080  0002:00:00.0  0604   17cb:10b   ROOT_PORT [BRIDGE]
   ffffffdc15e7da80  0002:01:00.0  ff00   17cb:306   ENDPOINT
6.x.1 -d
6.x.1 -D
6.x.1 -V
6.x.1 -v index [file]
Example:
6.x dis - disassemble
Disassembly command. -r shows the instructions from the start of the function up to the given address; -f shows the instructions from the given address to the end of the function. -l shows source line numbers, -s shows the corresponding source code, and count limits how many instructions are shown.
dis -xl <$fun> - view the assembly of a function
Command format:
dis [-rfludxs][-b [num]] [address | symbol | (expression)] [count]
6.x.1 -r/-f - disassemble backwards/forwards
r and f stand for reverse and forward.
reverse: backwards, i.e. the code from the start of the function up to the given address
forward: forwards, i.e. the code from the given address to the end of the function
crash_arm64> dis -r crc16+8      # disassemble backwards from crc16+8
0xffffff9accc78a48 <crc16>:     cbz     x2, 0xffffff9accc78a74
0xffffff9accc78a4c <crc16+4>:   adrp    x8, 0xffffff9ace38c000
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36

crash_arm64> dis -f crc16+8      # disassemble forwards from crc16+8 to the end of the function
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36
0xffffff9accc78a54 <crc16+12>:  ldrb    w9, [x1],#1
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
0xffffff9accc78a60 <crc16+24>:  eor     x9, x9, x10
0xffffff9accc78a64 <crc16+28>:  and     w10, w0, #0xff00
0xffffff9accc78a68 <crc16+32>:  ldrh    w9, [x8,x9,lsl #1]
0xffffff9accc78a6c <crc16+36>:  eor     w0, w9, w10, lsr #8
0xffffff9accc78a70 <crc16+40>:  b.ne    0xffffff9accc78a54
0xffffff9accc78a74 <crc16+44>:  ret

crash_arm64> dis -f crc16+8 4    # disassemble forwards from crc16+8, only 4 instructions
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36
0xffffff9accc78a54 <crc16+12>:  ldrb    w9, [x1],#1
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
6.x.1 -l - show source line numbers
crash_arm64> dis -l -f crc16+8 4   # disassemble forwards from crc16+8, 4 instructions, with line numbers
/work/jenkins/workspace/deploy_system_vendor_image_release/146972/code/source/android/kernel/msm-4.19/lib/crc16.c: 59
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36
/work/jenkins/workspace/deploy_system_vendor_image_release/146972/code/source/android/kernel/msm-4.19/lib/crc16.c: 60
0xffffff9accc78a54 <crc16+12>:  ldrb    w9, [x1],#1
/work/jenkins/workspace/deploy_system_vendor_image_release/146972/code/source/android/kernel/msm-4.19/include/linux/crc16.h: 26
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
/work/jenkins/workspace/deploy_system_vendor_image_release/146972/code/source/android/kernel/msm-4.19/lib/crc16.c: 59
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
6.x.1 -u - disassemble code at a user-space address
With this option the address is treated as a user-space virtual address; -l and -r have no effect in this mode.
Without it, the address is taken to be a kernel-space virtual address.
crash_arm64> dis -u 81ec624 10
0x81ec624:      push   %ebp
0x81ec625:      mov    %esp,%ebp
0x81ec627:      sub    $0x18,%esp
0x81ec62a:      movl   $0x1,0x8(%ebp)
0x81ec631:      mov    0x82f9040,%eax
0x81ec636:      mov    0x10(%eax),%edx
0x81ec639:      and    $0x100,%edx
0x81ec63f:      mov    0x14(%eax),%ecx
0x81ec642:      and    $0x0,%ecx
0x81ec645:      mov    %ecx,%eax
6.x.1 -d/-x - show offsets in decimal or hexadecimal
With -x the offsets in the output are in hexadecimal:
crash_arm64> dis -x update_curr
...
0xffffff9acc7301f4 <update_curr+0xbc>:  str     x8, [x21,#88]
0xffffff9acc7301f8 <update_curr+0xc0>:  ldp     x11, x9, [x19,#56]
0xffffff9acc7301fc <update_curr+0xc4>:  ldr     x8, [x19,#40]

With -d the offsets in the output are in decimal:
crash_arm64> dis -d update_curr
...
0xffffff9acc7301f4 <update_curr+188>:   str     x8, [x21,#88]
0xffffff9acc7301f8 <update_curr+192>:   ldp     x11, x9, [x19,#56]
0xffffff9acc7301fc <update_curr+196>:   ldr     x8, [x19,#40]
6.x.1 -s - show source code
crash_arm64> dis -s 0xffffff9accc78a58 4   # show the source file; I just don't have the sources here
FILE: /work/jenkins/workspace/deploy_system_vendor_image_release/146972/code/source/android/kernel/msm-4.19/include/linux/crc16.h
LINE: 26

dis: 0xffffff9accc78a58: source code is not available

# below is someone else's disassembly from the web
crash_arm64> dis -s mmput      # use -s to show the source code
FILE: kernel/fork.c
LINE: 617

   612
   613 /*
   614  * Decrement the use count and release all resources for an mm.
   615  */
   616 void mmput(struct mm_struct *mm)
*  617 {
   618         might_sleep();
   619
   620         if (atomic_dec_and_test(&mm->mm_users)) {
   621                 uprobe_clear_state(mm);
   622                 exit_aio(mm);
   623                 ksm_exit(mm);
   624                 khugepaged_exit(mm); /* must run before exit_mmap */
   625                 exit_mmap(mm);
   626                 set_mm_exe_file(mm, NULL);
   627                 if (!list_empty(&mm->mmlist)) {
   628                         spin_lock(&mmlist_lock);
   629                         list_del(&mm->mmlist);
   630                         spin_unlock(&mmlist_lock);
   631                 }
   632                 if (mm->binfmt)
   633                         module_put(mm->binfmt->module);
   634                 mmdrop(mm);
   635         }
   636 }

crash_arm64> dis -s 0xffffffff811dcfb4   # an address can be given as well
FILE: fs/dcache.c
LINE: 276

   271                 spin_unlock(&dentry->d_lock);
   272                 spin_unlock(&inode->i_lock);
   273                 if (!inode->i_nlink)
   274                         fsnotify_inoderemove(inode);
   275                 if (dentry->d_op && dentry->d_op->d_iput)
*  276                         dentry->d_op->d_iput(dentry, inode);
   277                 else
   278                         iput(inode);
   279         } else {
   280                 spin_unlock(&dentry->d_lock);
   281         }
   282 }
6.x.1 -b [num]
This option is only valid on x86.
6.x.1 address | symbol | (expression) - where to start disassembling
Specifies the address or symbol at which disassembly starts.
expression is an expression, typically used to give an offset relative to the start of a function; for example, the following disassembles everything from offset 8 of crc16 to the end of the function:
dis -f crc16+8
crash_arm64> dis 0xffffff9accc78a58      # disassemble at the given address, one instruction
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff

crash_arm64> dis 0xffffff9accc78a58 4    # disassemble at the given address, 4 consecutive instructions
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
0xffffff9accc78a60 <crc16+24>:  eor     x9, x9, x10
0xffffff9accc78a64 <crc16+28>:  and     w10, w0, #0xff00

crash_arm64> dis crc16                   # disassemble the whole function
0xffffff9accc78a48 <crc16>:     cbz     x2, 0xffffff9accc78a74
0xffffff9accc78a4c <crc16+4>:   adrp    x8, 0xffffff9ace38c000
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36
0xffffff9accc78a54 <crc16+12>:  ldrb    w9, [x1],#1
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
0xffffff9accc78a60 <crc16+24>:  eor     x9, x9, x10
0xffffff9accc78a64 <crc16+28>:  and     w10, w0, #0xff00
0xffffff9accc78a68 <crc16+32>:  ldrh    w9, [x8,x9,lsl #1]
0xffffff9accc78a6c <crc16+36>:  eor     w0, w9, w10, lsr #8
0xffffff9accc78a70 <crc16+40>:  b.ne    0xffffff9accc78a54
0xffffff9accc78a74 <crc16+44>:  ret

crash_arm64> dis crc16+8                 # from an offset within a function, one instruction by default
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36

crash_arm64> dis crc16+8 6               # from an offset within a function, with an instruction count
0xffffff9accc78a50 <crc16+8>:   add     x8, x8, #0x36
0xffffff9accc78a54 <crc16+12>:  ldrb    w9, [x1],#1
0xffffff9accc78a58 <crc16+16>:  and     x10, x0, #0xff
0xffffff9accc78a5c <crc16+20>:  subs    x2, x2, #0x1
0xffffff9accc78a60 <crc16+24>:  eor     x9, x9, x10
0xffffff9accc78a64 <crc16+28>:  and     w10, w0, #0xff00
6.x.1 count - number of instructions to disassemble
See the examples above.
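As an added example (not code from this page or from the kernel), the loop in the crc16 disassembly above written back into C, instruction by instruction, so that each line of the dis output can be matched to what it computes; the lookup table is regenerated from the reflected polynomial 0xA001 rather than copied from lib/crc16.c (an assumption that the generated table equals the kernel's).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* lib/crc16.c ships crc16_table precomputed for polynomial 0x8005
 * (0xA001 bit-reversed); this model regenerates it at start-up. */
static uint16_t crc16_table[256];

static void crc16_init_table(void)
{
    for (unsigned i = 0; i < 256; i++) {
        uint16_t crc = (uint16_t)i;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001)
                            : (uint16_t)(crc >> 1);
        crc16_table[i] = crc;
    }
}

/* The crc16 loop as the disassembly reads it:
 * x0 = crc, x1 = buffer, x2 = len, x8 = &crc16_table. */
uint16_t crc16(uint16_t crc, const uint8_t *buffer, size_t len)
{
    if (len == 0)                           /* cbz  x2, <crc16+44>      */
        return crc;
    do {                                    /* <crc16+12>:              */
        uint8_t  byte = *buffer++;          /* ldrb w9, [x1],#1         */
        unsigned lo   = crc & 0xff;         /* and  x10, x0, #0xff      */
        len--;                              /* subs x2, x2, #0x1        */
        unsigned idx  = byte ^ lo;          /* eor  x9, x9, x10         */
        unsigned hi   = crc & 0xff00;       /* and  w10, w0, #0xff00    */
        uint16_t t    = crc16_table[idx];   /* ldrh w9, [x8,x9,lsl #1]  */
        crc = (uint16_t)(t ^ (hi >> 8));    /* eor  w0, w9, w10, lsr #8 */
    } while (len);                          /* b.ne <crc16+12>          */
    return crc;                             /* ret                      */
}

/* CRC-16/ARC check value: crc16(0, "123456789") must be 0xbb3d. */
uint16_t crc16_check_value(void)
{
    static const uint8_t msg[] = "123456789";   /* constructed input */

    crc16_init_table();
    return crc16(0, msg, sizeof msg - 1);
}

/* The function is a pure state update (x0 in, x0 out), so feeding the
 * buffer in two pieces gives the same result as a single call. */
uint16_t crc16_split_value(void)
{
    static const uint8_t msg[] = "123456789";
    uint16_t crc;

    crc16_init_table();
    crc = crc16(0, msg, 4);
    return crc16(crc, msg + 4, sizeof msg - 1 - 4);
}

int main(void)
{
    printf("crc16(\"123456789\") = 0x%04x\n", crc16_check_value());
    return 0;
}
```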
6.x eval - evaluate an expression
Evaluates an expression and displays the result. Help text:
eval [-b][-l] (expression) | value
The following operators can be used:
+ - & | ^ * % / << >> 
Option    Description
-b        also show which bits of the result are set
-l        display the result as a long, i.e. 64 bits
Note: The -b and -l options must precede the expression or value arguments.
Examples:
crash_arm64> eval 128m
hexadecimal: 8000000  (128MB)
    decimal: 134217728
      octal: 1000000000
     binary: 00001000000000000000000000000000

crash_arm64> eval 128 * 1m
hexadecimal: 8000000  (128MB)
    decimal: 134217728
      octal: 1000000000
     binary: 00001000000000000000000000000000

crash_arm64> eval (1 << 27)
hexadecimal: 8000000  (128MB)
    decimal: 134217728
      octal: 1000000000
     binary: 00001000000000000000000000000000

crash_arm64> eval (1 << 32)
hexadecimal: 100000000  (4GB)
    decimal: 4294967296
      octal: 40000000000
     binary: 0000000000000000000000000000000100000000000000000000000000000000

crash_arm64> eval -b 41dc065      # show which bits are set
hexadecimal: 41dc065
    decimal: 69058661
      octal: 407340145
     binary: 00000100000111011100000001100101
   bits set: 26 20 19 18 16 15 14 6 5 2 0

crash_arm64> eval -lb 64g
hexadecimal: 1000000000  (64GB)
    decimal: 68719476736
      octal: 1000000000000
     binary: 0000000000000000000000000001000000000000000000000000000000000000
   bits set: 36
6.x extend - shared-library related (not analysed yet)
Help text:
Option descriptions:
Option    Description
Example:
6.x files - show which files are open on the system
Help text:
files [-d dentry] | [-p inode] | [-c] [-R reference] [pid | taskp] ...
With no arguments, the default output is:
crash_arm64> files
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  0 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
  1 ffffffdd69006940 ffffffdbe27715f8 ffffffddab0ec148 REG  /proc/sysrq-trigger
  2 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
 10 ffffffdd68983c40 ffffffdd4e3a04e8 ffffffdd4dfe3c08 CHR  /dev/tty
 11 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
6.x.1 -d dentry - specify a dentry address (hexadecimal)
Display information about the dentry at address f745fd60:
crash_arm64> files -d f745fd60
 DENTRY    INODE     SUPERBLK  TYPE  PATH
 f745fd60  f7284640  f73a3e00  REG   /var/spool/lpd/lpd.lock
6.x.1 -p inode - specify an inode address (hexadecimal)
For the inode at address f59b90fc, display all of its pages that are in the page cache:
crash_arm64> files -p f59b90fc
 INODE     NRPAGES
 f59b90fc  6

 PAGE      PHYSICAL  MAPPING   INDEX  CNT  FLAGS
 ca3353e0  39a9f000  f59b91ac  0      2    82c referenced,uptodate,lru,private
 ca22cb20  31659000  f59b91ac  1      2    82c referenced,uptodate,lru,private
 ca220160  3100b000  f59b91ac  2      2    82c referenced,uptodate,lru,private
 ca1ddde0  2eeef000  f59b91ac  3      2    82c referenced,uptodate,lru,private
 ca36b300  3b598000  f59b91ac  4      2    82c referenced,uptodate,lru,private
 ca202680  30134000  f59b91ac  5      2    82c referenced,uptodate,lru,private
6.x.1 -c
For each open file, display the number of pages that are in the page cache:
crash_arm64> files -c 1954
PID: 1954   TASK: f7a28000  CPU: 1   COMMAND: "syslogd"
ROOT: /    CWD: /
 FD    INODE   I_MAPPING  NRPAGES  TYPE  PATH
  0  cb3ae868  cb3ae910        0   SOCK  socket:/[4690]
  2  f2721c5c  f2721d04      461   REG   /var/log/messages
  3  cbda4884  cbda492c       47   REG   /var/log/secure
  4  e48092c0  e4809368       58   REG   /var/log/maillog
  5  f65192c0  f6519368       48   REG   /var/log/cron
  6  e4809e48  e4809ef0        0   REG   /var/log/spooler
  7  d9c43884  d9c4392c        0   REG   /var/log/boot.log
6.x.1 -R reference - filter open files
Shows only the open files whose path contains reference.
crash_arm64> files
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  0 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
  1 ffffffdd69006940 ffffffdbe27715f8 ffffffddab0ec148 REG  /proc/sysrq-trigger
  2 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
 10 ffffffdd68983c40 ffffffdd4e3a04e8 ffffffdd4dfe3c08 CHR  /dev/tty
 11 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0

crash_arm64> files -R pts
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  0 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
  2 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
 11 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0

crash_arm64> files -R /dev
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  0 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
  2 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
 10 ffffffdd68983c40 ffffffdd4e3a04e8 ffffffdd4dfe3c08 CHR  /dev/tty
 11 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0

crash_arm64> files -R /proc
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  1 ffffffdd69006940 ffffffdbe27715f8 ffffffddab0ec148 REG  /proc/sysrq-trigger
6.x.1 pid | taskp - show the files opened by a given process
crash_arm64> ps | grep sh
  16608  16607   5  ffffffdd86845ec0  IN   0.0 2124580   2728  sh
> 16709  10129   6  ffffffdda4de3f40  RU   0.0 2124580   2636  sh
  16710      1   0  ffffffdda4de0040  IN   0.0 2258552   4680  shell svc 16709

crash_arm64> files 16709
PID: 16709  TASK: ffffffdda4de3f40  CPU: 6   COMMAND: "sh"
ROOT: /    CWD: /
 FD       FILE            DENTRY           INODE       TYPE PATH
  0 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
  1 ffffffdd69006940 ffffffdbe27715f8 ffffffddab0ec148 REG  /proc/sysrq-trigger
  2 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
 10 ffffffdd68983c40 ffffffdd4e3a04e8 ffffffdd4dfe3c08 CHR  /dev/tty
 11 ffffffdd44891300 ffffffdbe2639388 ffffffdd8e123de8 CHR  /dev/pts/0
6.x foreach - repeat a command for the specified tasks
The set of commands foreach can run is limited; see the attachment below.
Help text:
foreach [[pid | taskp | name | state | [kernel | user | gleader]] ...] command [flag] [argument]
6.x.1 pid - run the command only for the process with this pid
crash_arm64> foreach 661 bt
PID: 661    TASK: ffffffdd4ca2dec0  CPU: 7   COMMAND: "sh"
 #0 [ffffff8022e73960] __switch_to at ffffff9acc689ee0
 #1 [ffffff8022e739b0] __schedule at ffffff9acdfaf924
 #2 [ffffff8022e73a10] schedule at ffffff9acdfafb94
 #3 [ffffff8022e73ab0] schedule_timeout at ffffff9acdfb40e0
 #4 [ffffff8022e73b20] wait_woken at ffffff9acc744c90
 #5 [ffffff8022e73c20] n_tty_read at ffffff9acce2db28
 #6 [ffffff8022e73c80] tty_read at ffffff9acce2c9b0
 #7 [ffffff8022e73d30] __vfs_read at ffffff9acc951000
 #8 [ffffff8022e73d60] vfs_read at ffffff9acc951270
 #9 [ffffff8022e73db0] ksys_read at ffffff9acc95187c
#10 [ffffff8022e73de0] __arm64_sys_read at ffffff9acc9518fc
#11 [ffffff8022e73e00] oppo_invoke_syscall at ffffff9acc6abb94
#12 [ffffff8022e73e50] el0_svc_common at ffffff9acc69d140
#13 [ffffff8022e73ea0] el0_svc_handler at ffffff9acc69d080
#14 [ffffff8022e73ff0] el0_svc at ffffff9acc684d04
     PC: 0000007ec304e168   LR: 0000005903bd6da4   SP: 0000007fedcfb170
    X29: 0000007fedcfb170  X28: 0000005903be7420  X27: 0000005903be6000
    X26: 0000000000000001  X25: 0000000000000000  X24: 0000000080000800
    X23: 0000000000000018  X22: 0000007ec322b000  X21: 0000000000000000
    X20: 0000007fedcfb1c4  X19: 0000000000000001  X18: 0000007ec411e000
    X17: 0000007ec304e160  X16: 0000007ec306e770  X15: 000000000000002f
    X14: 0000005903be6850  X13: 0000005903be6000  X12: 0000005903be6000
    X11: 0000005903be6000  X10: 0000005903be6000   X9: 0000000000000200
     X8: 000000000000003f   X7: 00000000000042ac   X6: 0000007ec4392000
     X5: 0000007ec2a94dc0   X4: ffffffffffffffff   X3: ffffffffffffffff
     X2: 0000000000000001   X1: 0000007fedcfb1c4   X0: 0000000000000000
    ORIG_X0: 0000000000000000  SYSCALLNO: 3f  PSTATE: 00001000
6.x.1 taskp - the argument is the address of a task_struct
crash_arm64> foreach ffffffdd4ca2dec0 bt
PID: 661    TASK: ffffffdd4ca2dec0  CPU: 7   COMMAND: "sh"
 #0 [ffffff8022e73960] __switch_to at ffffff9acc689ee0
 #1 [ffffff8022e739b0] __schedule at ffffff9acdfaf924
 #2 [ffffff8022e73a10] schedule at ffffff9acdfafb94
 #3 [ffffff8022e73ab0] schedule_timeout at ffffff9acdfb40e0
 #4 [ffffff8022e73b20] wait_woken at ffffff9acc744c90
 #5 [ffffff8022e73c20] n_tty_read at ffffff9acce2db28
 #6 [ffffff8022e73c80] tty_read at ffffff9acce2c9b0
 #7 [ffffff8022e73d30] __vfs_read at ffffff9acc951000
 #8 [ffffff8022e73d60] vfs_read at ffffff9acc951270
 #9 [ffffff8022e73db0] ksys_read at ffffff9acc95187c
#10 [ffffff8022e73de0] __arm64_sys_read at ffffff9acc9518fc
#11 [ffffff8022e73e00] oppo_invoke_syscall at ffffff9acc6abb94
#12 [ffffff8022e73e50] el0_svc_common at ffffff9acc69d140
#13 [ffffff8022e73ea0] el0_svc_handler at ffffff9acc69d080
#14 [ffffff8022e73ff0] el0_svc at ffffff9acc684d04
     PC: 0000007ec304e168   LR: 0000005903bd6da4   SP: 0000007fedcfb170
    X29: 0000007fedcfb170  X28: 0000005903be7420  X27: 0000005903be6000
    X26: 0000000000000001  X25: 0000000000000000  X24: 0000000080000800
    X23: 0000000000000018  X22: 0000007ec322b000  X21: 0000000000000000
    X20: 0000007fedcfb1c4  X19: 0000000000000001  X18: 0000007ec411e000
    X17: 0000007ec304e160  X16: 0000007ec306e770  X15: 000000000000002f
    X14: 0000005903be6850  X13: 0000005903be6000  X12: 0000005903be6000
    X11: 0000005903be6000  X10: 0000005903be6000   X9: 0000000000000200
     X8: 000000000000003f   X7: 00000000000042ac   X6: 0000007ec4392000
     X5: 0000007ec2a94dc0   X4: ffffffffffffffff   X3: ffffffffffffffff
     X2: 0000000000000001   X1: 0000007fedcfb1c4   X0: 0000000000000000
    ORIG_X0: 0000000000000000  SYSCALLNO: 3f  PSTATE: 00001000
6.x.1 name - specify a process name
Note that one name may match several threads.
crash_arm64> foreach msm_watchdog bt
PID: 89     TASK: ffffffdbf31b0040  CPU: 3   COMMAND: "msm_watchdog"
 #0 [ffffff800d993ce0] __switch_to at ffffff9acc689ee0
 #1 [ffffff800d993d30] __schedule at ffffff9acdfaf924
 #2 [ffffff800d993d90] schedule at ffffff9acdfafb94
 #3 [ffffff800d993e00] watchdog_kthread at ffffff9acdfae660
 #4 [ffffff800d993e60] kthread at ffffff9acc6fc0f0
6.x.1 state - specify a task state
The available states are:
RU, IN, UN, ST, ZO, TR, SW, DE, WA, PA, ID or NE.
Example:
crash_arm64> foreach UN bt
PID: 80     TASK: ffffffdbf31d1fc0  CPU: 7   COMMAND: "fb_flush"
 #0 [ffffff800d493d90] __switch_to at ffffff9acc689ee0
 #1 [ffffff800d493de0] __schedule at ffffff9acdfaf924
 #2 [ffffff800d493e40] schedule at ffffff9acdfafb94
 #3 [ffffff800d493e60] kthread at ffffff9acc6fc0cc

PID: 168    TASK: ffffffdd587d5ec0  CPU: 2   COMMAND: "panic_flush"
 #0 [ffffff8014033d10] __switch_to at ffffff9acc689ee0
 #1 [ffffff8014033d60] __schedule at ffffff9acdfaf924
 #2 [ffffff8014033dc0] schedule at ffffff9acdfafb94
 #3 [ffffff8014033e20] panic_flush_thread at ffffff9acc7035c8
 #4 [ffffff8014033e60] kthread at ffffff9acc6fc0f0

PID: 429    TASK: ffffffdd51f50040  CPU: 3   COMMAND: "shortc_thread"
 #0 [ffffff801c8fbd50] __switch_to at ffffff9acc689ee0
 #1 [ffffff801c8fbda0] __schedule at ffffff9acdfaf924
 #2 [ffffff801c8fbe00] schedule at ffffff9acdfafb94
 #3 [ffffff801c8fbe20] shortc_thread_main at ffffff9acdfae96c
 #4 [ffffff801c8fbe60] kthread at ffffff9acc6fc0f0

PID: 467    TASK: ffffffdbe8809fc0  CPU: 2   COMMAND: "usbtemp_kthread"
 #0 [ffffff801cb33bd0] __switch_to at ffffff9acc689ee0
 #1 [ffffff801cb33c20] __schedule at ffffff9acdfaf924
 #2 [ffffff801cb33c80] schedule at ffffff9acdfafb94
 #3 [ffffff801cb33d20] schedule_timeout at ffffff9acdfb4644
 #4 [ffffff801cb33d80] schedule_timeout_uninterruptible at ffffff9acdfb4810
 #5 [ffffff801cb33da0] msleep at ffffff9acc7b0c54
 #6 [ffffff801cb33e00] oppo_usbtemp_monitor_main at ffffff9acd478514
 #7 [ffffff801cb33e60] kthread at ffffff9acc6fc0f0

PID: 530    TASK: ffffffdd50213f40  CPU: 0   COMMAND: "hdcp_2x"
 #0 [ffffff8021fabcc0] __switch_to at ffffff9acc689ee0
 #1 [ffffff8021fabd10] __schedule at ffffff9acdfaf924
 #2 [ffffff8021fabd70] schedule at ffffff9acdfafb94
 #3 [ffffff8021fabe00] sde_hdcp_2x_main at ffffff9acdb0eee0
 #4 [ffffff8021fabe60] kthread at ffffff9acc6fc0f0

PID: 531    TASK: ffffffdd50211fc0  CPU: 2   COMMAND: "dp_hdcp2p2"
 #0 [ffffff8021fb3ce0] __switch_to at ffffff9acc689ee0
 #1 [ffffff8021fb3d30] __schedule at ffffff9acdfaf924
 #2 [ffffff8021fb3d90] schedule at ffffff9acdfafb94
 #3 [ffffff8021fb3e00] dp_hdcp2p2_main at ffffff9acda84948
 #4 [ffffff8021fb3e60] kthread at ffffff9acc6fc0f0
6.x.1 kernel - run the command for all kernel threads
6.x.1 user - run the command for all user threads
6.x.1 gleader - run the command for all user-space thread group leaders
6.x.1 active - run the command for the current task on each cpu
6.x fuser - find which processes are using a given file
Help text:
fuser [pathname | inode]
Option      Description
pathname    path of the file
inode       inode address in hexadecimal
Below we look for the processes using the library /usr/lib/libkfm.so.2.0.0:
crash_arm64> fuser /usr/lib/libkfm.so.2.0.0
 PID    TASK      COMM        USAGE
 779    c5e82000  "kwm"       mmap
 808    c5a8e000  "krootwm"   mmap
 806    c5b42000  "kfm"       mmap
 809    c5dde000  "kpanel"    mmap
6.x gdb - pass a command to gdb
Help text:
gdb command
Example:
crash_arm64> gdb print sizeof(struct task_struct)
$1 = 7680
6.x ipcs - (not analysed yet)
Help text:
ipcs [-smMq] [-n pid|task] [id | addr]
6.x.1 -s
6.x.1 -m
6.x.1 -M
6.x.1 -q
6.x.1 -n pid|task
6.x.1 id|addr
Arguments:
Argument | Meaning
Example:
6.x irq - show interrupt information
Help text (with no arguments, every IRQ is listed):
irq [[[index ...] | -u ] | -d | -b | -a | -s [-c cpu]]
6.x.1 index - the IRQ number(s) to show
Separate several IRQ numbers with spaces.
crash_arm64> irq 43
 IRQ  IRQ_DESC/_DATA    IRQACTION         NAME
  43  ffffffdbf2930c80  ffffffdbe8815c00  "qcom,temp-alarm"
crash_arm64> irq 43 44 45 46
 IRQ  IRQ_DESC/_DATA    IRQACTION         NAME
  43  ffffffdbf2930c80  ffffffdbe8815c00  "qcom,temp-alarm"
  44  ffffffdbf29d6c80  ffffffdbe88cab00  "sig-tx"
  45  ffffffdbf29d6080  ffffffdbe88cb280  "sig-rx"
  46  ffffffdbf29d1880  ffffffdbe88ca600  "msg-tx"
crash_arm64>
6.x.1 -u - show only IRQs that are in use
"-u" stands for in-use, not user space: it lists the IRQs for which an irq_desc has been allocated. Entries marked "(unused)" have a descriptor but no irqaction (no handler registered).
crash_arm64> irq -u
 IRQ  IRQ_DESC/_DATA    IRQACTION         NAME
   1  ffffffdbc0673c80  (unused)
   2  ffffffdbc0674280  (unused)
   3  ffffffdbc0671280  ffffffdbc066d200  "arch_timer"
   4  ffffffdbc0675480  (unused)
   5  ffffffdbc0673680  ffffffdbc066ed80  "arch_mem_timer"
   6  ffffffdbc0676680  (unused)
   7  ffffffdbf338aa80  ffffffdbed137a00  "arm-pmu"
   8  ffffffdbf338ec80  ffffffdbf1b5c080  "dcvsh-irq-0"
   9  ffffffdbf3388c80  ffffffdbf1b76b00  "dcvsh-irq-4"
  10  ffffffdbf338e680  ffffffdbf1b89980  "dcvsh-irq-7"
  11  ffffffdbf338f280  ffffffdd50925480  "ngd_slim_irq"
  12  ffffffdbf338d480  ffffffdc1e508300  "sps"
  13  ffffffdbf338b080  ffffffdd55af7000  "arm_dsu_0"
  14  ffffffdbf338c280  ffffffdbf2d2b500  "apps_wdog_bark"
6.x.1 -d - dump the interrupt descriptor table
Not supported on arm64; on other platforms (x86 here) it looks like this:
crash> irq -d
  [0] divide_error
  [1] debug
  [2] nmi
  [3] int3
  [4] overflow
  [5] bounds
  ...
6.x.1 -b - show the bottom-half (softirq) vectors
crash_arm64> irq -b
SOFTIRQ_VEC  ACTION
    [0]      ffffff9acc6d0e98  <tasklet_hi_action>
    [1]      ffffff9acc7affb0  <run_timer_softirq>
    [2]      ffffff9acdc58398  <net_tx_action>
    [3]      ffffff9acdc587b8  <net_rx_action>
    [4]      ffffff9accc26210  <blk_done_softirq>
    [6]      ffffff9acc6d0e60  <tasklet_action>
    [7]      ffffff9acc72c5d0  <run_rebalance_domains>
    [8]      ffffff9acc7b4f90  <hrtimer_run_softirq>
    [9]      ffffff9acc79eea8  <rcu_process_callbacks>
6.x.1 -a - show the cpu affinity of in-use IRQs, i.e. which cpus each interrupt is bound to
crash_arm64> irq -a
 IRQ  NAME                              AFFINITY
   3  arch_timer                        0-7
   5  arch_mem_timer                    2
   7  arm-pmu                           0-7
   8  dcvsh-irq-0                       0
   9  dcvsh-irq-4                       2
  10  dcvsh-irq-7                       3
  11  ngd_slim_irq                      1
  12  sps                               0
  13  arm_dsu_0                         0
  14  apps_wdog_bark                    3
  16  90b6400.qcom,cpu-cpu-llcc-bwmon   3
  17  9091000.qcom,cpu-llcc-ddr-bwmon   0-7
  20                                    0-7
  21  1d84000.ufshc                     3
  22  ipcc_1                            3
  25  apps_rsc                          3
  26  pon_kpdpwr_status                 0-7
  27  pon_resin_status                  0-7
6.x.1 -s [-c cpu] - show per-cpu interrupt counts (the same information as /proc/interrupts)
Without -c, the counts for all cpus are shown:
crash_arm64> irq -s
           CPU0       CPU1       CPU2       CPU3       CPU4       CPU5       CPU6       CPU7
  3:      93690      91020      90378      89430      90341      92807      91941      89570  GICv3  arch_timer
  5:       2918       2126       3036       3328        234        314        320        168  GICv3  arch_mem_timer
  7:        176        164        163        165        171        183        184        193  GICv3  arm-pmu
  8:          0          0          0          0          0          0          0          0  GICv3  dcvsh-irq-0
  9:          0          0          0          0          0          0          0          0  GICv3  dcvsh-irq-4
 10:          0          0          0          0          0          0          0          0  GICv3  dcvsh-irq-7
 11:         11          0          0          0          0          0          0          0  GICv3  ngd_slim_irq
 12:         11          0          0          0          0          0          0          0  GICv3  sps
 13:          0          0          0          0          0          0          0          0  GICv3  arm_dsu_0
 14:          0          0          0          0          0          0          0          0  GICv3  apps_wdog_bark
 16:       3754        512        462         92          0          0          0          0  GICv3  90b6400.qcom,cpu-cpu-llcc-bwmon
 17:       1370          0          0          0          0          0          0          0  GICv3  9091000.qcom,cpu-llcc-ddr-bwmon
-c cpu restricts the output to the given cpus; -c is only valid together with -s. The cpu list is written as "1,3,5", "1-3", "1,3,5-7,10", "all", or "a" (shortcut for "all").
crash_arm64> irq -s -c 1,3,5
           CPU1       CPU3       CPU5
  3:      91020      89430      92807  GICv3     arch_timer
  5:       2126       3328        314  GICv3     arch_mem_timer
  7:        164        165        183  GICv3     arm-pmu
  8:          0          0          0  GICv3     dcvsh-irq-0
  9:          0          0          0  GICv3     dcvsh-irq-4
 10:          0          0          0  GICv3     dcvsh-irq-7
 11:          0          0          0  GICv3     ngd_slim_irq
 12:          0          0          0  GICv3     sps
 13:          0          0          0  GICv3     arm_dsu_0
 14:          0          0          0  GICv3     apps_wdog_bark
 16:        512         92          0  GICv3     90b6400.qcom,cpu-cpu-llcc-bwmon
 17:          0          0          0  GICv3     9091000.qcom,cpu-llcc-ddr-bwmon
 20:          0          0          0  PDC
 21:      96994       1878          0  GICv3     1d84000.ufshc
 22:          0        922          0  GICv3     ipcc_1
 25:      16144      29056          0  GICv3     apps_rsc
 26:          0          0          0  pmic_arb  pon_kpdpwr_status
6.x kmem - show memory usage (not analysed yet)
Help text:
Example:
6.x list - walk a linked list (unfinished)
Command format:
list [[-o] offset][-e end][-[s|S] struct[.member[,member] [-l offset]] -[x|d]] [-r|-B] [-h|-H] start
6.x.1 [-o] offset - offset of the link pointer inside each element, given as a number or as struct.member (default 0)
6.x.1 -e end - stop when the address end is reached
6.x.1 -[s|S] struct[.member[,member]] -l offset - print the structure (or only the listed members) at each element; -l gives the offset of the embedded list_head inside the structure, needed when the list_head is not its first member (-S reads the structure raw instead of through gdb, which is faster)
list -s list_head <$addr> - from a given address, show the list that follows it
6.x.1 -x|d - print members in hexadecimal / decimal
6.x.1 -r - walk backwards
The help text for -r is quoted below: for data structures chained with list_head, the walk follows the next member by default; with -r it follows prev instead.
For a list linked with list_head structures, traverse the list in the reverse order by using the "prev" pointer instead of "next".
6.x.1 -B - use the brute-force method of duplicate (loop) detection instead of the hash table
6.x.1 -h|-H - start is the address of a list_head: with -h it is an embedded list_head and is displayed, with -H it is the list head itself and is skipped
6.x.1 start - address of the first element
Example
# First find the type of a global variable
crash_arm64> whatis file_systems
struct file_system_type *file_systems;

# Find the address of the link member of that structure
crash_arm64> struct file_system_type.next file_systems -o
struct file_system_type {
  [ffffff85e27833a0] struct file_system_type *next;
}

# Walk the list
crash_arm64> list file_system_type.next 0xffffff85e27833a0
ffffff85e27833a0
ffffff85e2740e78
ffffff85e278e9a0

# Walk it again, printing the member we care about at each element
crash_arm64> list file_system_type.next -s file_system_type.name 0xffffff85e27833a0
ffffff85e27833a0
  name = 0xffffff85e1f92148 "sysfs"
ffffff85e2740e78
  name = 0xffffff85e1d5c16d "rootfs"
ffffff85e278e9a0
  name = 0xffffff85e1d350d3 "ramfs"
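The transcript above walks a plain `next`-pointer chain. The case that trips people up is a `struct list_head` embedded somewhere in the middle of a structure, which is what `-l offset` and `-r` are for. The following is an added illustration, not crash's own code: it builds a three-element kernel-style list in a hypothetical `struct fs_type` (standing in for `file_system_type`, with constructed names "sysfs", "rootfs", "ramfs") and walks it the way `list -H <head> -s fs_type.name -l <offset>` and `list -r ...` do, by subtracting the link offset from each `list_head` address to recover the structure base.

```c
/* Added example (not crash's code): how `list` walks a list_head list by
 * structure offset. fs_type is hypothetical; the names are constructed data. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

struct fs_type {                 /* hypothetical stand-in for file_system_type */
    int              flags;
    const char      *name;
    struct list_head link;       /* not the first member: offsetof() != 0 */
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

/* What crash does for `list [-r] -H <head> -s fs_type.name -l <link_off>`:
 * follow next (or prev with -r) starting at the head, and at every link
 * address subtract link_off to get the structure base before reading the
 * member. Stops when the walk returns to the head; returns element count. */
static int walk_names(const struct list_head *head, size_t link_off,
                      int reverse, const char **out, int max)
{
    int n = 0;
    const struct list_head *pos = reverse ? head->prev : head->next;

    while (pos != head && n < max) {
        const struct fs_type *elem =
            (const struct fs_type *)((const char *)pos - link_off);
        out[n++] = elem->name;
        pos = reverse ? pos->prev : pos->next;
    }
    return n;
}

/* Constructed sample list: sysfs -> rootfs -> ramfs. */
static struct fs_type sample[3] = {
    { 0, "sysfs",  { NULL, NULL } },
    { 0, "rootfs", { NULL, NULL } },
    { 0, "ramfs",  { NULL, NULL } },
};
static struct list_head file_systems_head;

static void build_sample(void)
{
    size_t i;
    list_init(&file_systems_head);
    for (i = 0; i < 3; i++)
        list_add_tail(&sample[i].link, &file_systems_head);
}

/* Number of elements found walking in the given direction (0 = next, 1 = prev). */
int sample_count(int reverse)
{
    const char *names[8];
    build_sample();
    return walk_names(&file_systems_head, offsetof(struct fs_type, link),
                      reverse, names, 8);
}

/* 1 if the walk in the given direction yields first ... last in that order. */
int sample_order_is(int reverse, const char *first, const char *last)
{
    const char *names[8];
    int n;
    build_sample();
    n = walk_names(&file_systems_head, offsetof(struct fs_type, link),
                   reverse, names, 8);
    return n == 3 && strcmp(names[0], first) == 0 && strcmp(names[2], last) == 0;
}

int main(void)
{
    const char *names[8];
    int n, i;

    build_sample();
    printf("-l offset for fs_type.link = %zu\n", offsetof(struct fs_type, link));
    n = walk_names(&file_systems_head, offsetof(struct fs_type, link), 0, names, 8);
    for (i = 0; i < n; i++)
        printf("  name = \"%s\"\n", names[i]);
    n = walk_names(&file_systems_head, offsetof(struct fs_type, link), 1, names, 8);
    printf("reverse (-r):");
    for (i = 0; i < n; i++)
        printf(" %s", names[i]);
    printf("\n");
    return 0;
}
```

The walk stops only when it gets back to the head; crash additionally records every address it has visited so that a corrupted or cyclic list is reported instead of looping forever, which is what the -B option (brute-force duplicate detection) is about. If a `list` in a real dump never terminates or prints garbage names, the usual cause is a wrong -l offset: check it with `struct fs_type.link -o` before trusting the output.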
6.x log - show the contents of log_buf, i.e. the dmesg output
Help text:
log [-Ttdma]
The log is long, so it is usually redirected to a file and read from there:
log > dmesg.txt
With no arguments the output looks like this (the transcripts in this section are the x86 examples from crash's help text):
crash_arm64> log
[    0.467730] pci 0000:ff:02.0: [8086:2c10] type 00 class 0x060000
[    0.467749] pci 0000:ff:02.1: [8086:2c11] type 00 class 0x060000
[    0.467769] pci 0000:ff:02.4: [8086:2c14] type 00 class 0x060000
[    0.467788] pci 0000:ff:02.5: [8086:2c15] type 00 class 0x060000
[    0.467809] pci 0000:ff:03.0: [8086:2c18] type 00 class 0x060000
[    0.467828] pci 0000:ff:03.1: [8086:2c19] type 00 class 0x060000
6.x.1 -T - show timestamps as calendar date and time
crash_arm64> log -T
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x0000000000100000-0x00000000dffeffff] usable
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x00000000dfff0000-0x00000000dfffffff] ACPI data
[Sat Apr  4 07:41:09 2020] BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
6.x.1 -t - do not show timestamps
crash_arm64> log -t
pci 0000:ff:02.0: [8086:2c10] type 00 class 0x060000
pci 0000:ff:02.1: [8086:2c11] type 00 class 0x060000
pci 0000:ff:02.4: [8086:2c14] type 00 class 0x060000
pci 0000:ff:02.5: [8086:2c15] type 00 class 0x060000
pci 0000:ff:03.0: [8086:2c18] type 00 class 0x060000
6.x.1 -d - show the dictionary (key/value properties) attached to each log record
6.x.1 -m - show the log level
The level is shown in <>:
crash_arm64> log -m
<4>Linux version 2.2.5-15smp (root@mclinux1) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 SMP Thu Aug 26 11:04:37 EDT 1999
<4>Intel MultiProcessor Specification v1.4
<4>    Virtual Wire compatibility mode.
<4>OEM ID: DELL     Product ID: WS 410       APIC at: 0xFEE00000
<4>Processor #0 Pentium(tm) Pro APIC version 17
<4>Processor #1 Pentium(tm) Pro APIC version 17
<4>I/O APIC #2 Version 17 at 0xFEC00000.
6.x.1 -a - dump audit records still queued in the kernel
Example:
6.x mach - show basic machine information
Help text:
mach [-m | -c -[xd] | -o]
6.x.1 no arguments - show the basic machine information
crash_arm64> mach
       MACHINE TYPE: aarch64
        MEMORY SIZE: 7.6 GB
               CPUS: 8
                 HZ: 250
          PAGE SIZE: 4096
KERNEL VIRTUAL BASE: ffffffc000000000
KERNEL MODULES BASE: ffffff8000000000
KERNEL VMALLOC BASE: ffffff8008000000
KERNEL VMEMMAP BASE: ffffffbf00000000
  KERNEL STACK SIZE: 16384
     IRQ STACK SIZE: 16384
         IRQ STACKS:
              CPU 0: ffffff8008000000
              CPU 1: ffffff8008008000
              CPU 2: ffffff8008010000
              CPU 3: ffffff8008018000
              CPU 4: ffffff8008020000
              CPU 5: ffffff8008028000
              CPU 6: ffffff8008030000
              CPU 7: ffffff8008038000
crash_arm64>
6.x.1 -m - show the physical memory map
6.x.1 -c [-x | -d] - x86 only: show the cpuinfo structure
-x / -d select hexadecimal or decimal output.
6.x.1 -o - ppc64 only
6.x mod - show module information (unfinished)
Besides listing modules, mod -s tcp_debug [pathtofile] loads the debug information (the .ko object file) for module tcp_debug into crash, and mod -d removes a module's debug information again.
Help text:
mod -s module [objfile] | -d module | -S [directory] [-D|-t|-r|-R|-o|-g]
6.x.1 no arguments - list the currently loaded modules
Without arguments, basic information about each module is shown. "(not loaded)" in the OBJECT FILE column means the module's object file has not been loaded into crash yet (so only the kernel's kallsyms symbols are available for it, which is what [CONFIG_KALLSYMS] indicates); after mod -s it shows the path of the .ko instead.
crash_arm64> mod
     MODULE           NAME               BASE             SIZE  OBJECT FILE
ffffff9abfc94500  msm_11ad_proxy    ffffff9abfc8e000    32768  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfc9e100  q6_pdr_dlkm       ffffff9abfc9c000    16384  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfca7900  q6_notifier_dlkm  ffffff9abfca4000    20480  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfcb0280  snd_event_dlkm    ffffff9abfcae000    16384  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfcbcc40  apr_dlkm          ffffff9abfcb6000   258048  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfcfd480  adsp_loader_dlkm  ffffff9abfcfb000    16384  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfd91900  q6_dlkm           ffffff9abfd04000  1388544  (not loaded)  [CONFIG_KALLSYMS]
ffffff9abfe773c0  rmnet_shs         ffffff9abfe62000   135168  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0042c00  platform_dlkm     ffffff9abfe88000  3006464  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac01780c0  rmnet_perf        ffffff9ac0172000    40960  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac01ec640  native_dlkm       ffffff9ac01c4000   212992  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0211c40  usf_dlkm          ffffff9ac0205000    65536  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac021d100  pinctrl_wcd_dlkm  ffffff9ac021b000    16384  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0226540  pinctrl_lpi_dlkm  ffffff9ac0223000    24576  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0231a00  swr_dlkm          ffffff9ac022e000    24576  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac023e9c0  hdmi_dlkm         ffffff9ac023a000    24576  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0247300  stub_dlkm         ffffff9ac0245000    16384  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac02522c0  wcd_core_dlkm     ffffff9ac024d000    32768  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0266040  wsa881x_dlkm      ffffff9ac025b000    57344  (not loaded)  [CONFIG_KALLSYMS]
ffffff9ac0279f00  bolero_cdc_dlkm   ffffff9ac026f000    61440  (not loaded)  [CONFIG_KALLSYMS]
6.x.1 -s module [objfile] - load the debug symbols of a module (from objfile if given)
6.x.1 -d module - delete the debug symbols of a module
6.x.1 -S [directory] - load the debug symbols of all modules, searching directory if given
6.x.1 -D
6.x.1 -t
6.x.1 -r
6.x.1 -R
6.x.1 -g
6.x.1 -o
6.x mount - show the currently mounted file systems (unfinished)
Help text:
mount [-f][-i] [-n pid|task] [mount|vfsmount|superblock|dev|dir|dentry|inode]
6.x.1 no arguments - list the file systems mounted in the system
crash_arm64> mount
     MOUNT           SUPERBLK       TYPE       DEVNAME           DIRNAME
ffffffdd4f669080  ffffffdbc0686c80  rootfs     rootfs            /
ffffffdd4f66b100  ffffffdd4f8eec80  ext4       /dev/block/dm-14  /
ffffffdd4f66d180  ffffffdc02815a80  tmpfs      tmpfs             /dev
ffffffdd4f669a40  ffffffdc02811280  devpts     devpts            /dev/pts
ffffffdd4f668040  ffffffdc3fd70080  proc       proc              /proc
ffffffdd4f66db40  ffffffdc02810080  sysfs      sysfs             /sys
ffffffdd4f669700  ffffffdd58703680  selinuxfs  selinuxfs         /sys/fs/selinux
ffffffdd4f66c7c0  ffffffdd50a95a80  tmpfs      tmpfs             /mnt
ffffffdd4f66fbc0  ffffffdc02c5c880  ext4       /dev/block/dm-19  /mnt/vendor/my_product
ffffffdd4f66a0c0  ffffffdc02dbb680  ext4       /dev/block/dm-20  /mnt/vendor/my_engineering
ffffffdd4f66d4c0  ffffffdc02df8080  ext4       /dev/block/dm-21  /mnt/vendor/my_company
ffffffdd4f66cb00  ffffffdc02ea0080  ext4       /dev/block/dm-22  /mnt/vendor/my_carrier
6.x.1 -f - only supported on 3.13-series kernels
6.x.1 -i - only supported on 2.6.32-series kernels
6.x.1 -n pid|task - use the mount namespace of the given task
6.x.1 mount
6.x.1 vfsmount
6.x.1 superblock
6.x.1 dev
6.x.1 dir
6.x.1 dentry
6.x.1 inode
6.x net - show network information
Help text:
net [[-s | -S] [-xd] [-R ref] [pid | task]] [-a] [ -n [pid | task]] [-N addr]
6.x.1 no arguments - list all network devices in the system
crash_arm64> net
   NET_DEVICE      NAME           IP ADDRESS(ES)
ffffffdbef7a3680  lo             127.0.0.1
ffffffdd574f4480  bond0
ffffffdd56401280  dummy0
ffffffdd56403680  imq0
ffffffdd56404880  imq1
ffffffdd54dc0080  ip_vti0
ffffffdd54f9da80  ip6_vti0
ffffffdd54f9c880  sit0
ffffffdd54fcda80  ip6tnl0
ffffffdc0b3d4880  rmnet_ipa0
ffffffdc277f2480  rmnet_mhi0
ffffffdd66c95a80  rmnet_data0
ffffffdc9575b680  rmnet_data1
ffffffdc9039da80  rmnet_data2
ffffffdc9039a480  rmnet_data3
ffffffdc9317b680  rmnet_data4
ffffffdc934a1280  rmnet_data5
ffffffdc934a5a80  r_rmnet_data0
ffffffdd6b942480  r_rmnet_data1
ffffffdd6b95c880  r_rmnet_data2
ffffffdc91502480  r_rmnet_data3
ffffff8025961000  wlan0
ffffff802596e000  p2p0
ffffff802597b000  wifi-aware0
6.x.1 [-s | -S] [-xd] [-R ref] [pid | task] - list the open sockets of a task with family, type and, for INET/INET6, source and destination address and port (-S also dumps the socket and sock structures)
6.x.1 [-a] - dump the ARP cache
6.x.1 [ -n [pid | task]]
6.x.1 [-N addr] - convert an IPv4 address given in decimal or hexadecimal to dotted notation
The value is interpreted as the 32-bit in-memory representation, so on a little-endian host 0x3E10010A is the byte sequence 0a 01 10 3e, i.e. 10.1.16.62:
crash_arm64> net -N 1041236234
10.1.16.62
crash_arm64> net -N 0x3E10010A
10.1.16.62
6.x p - print the value of an expression
This command simply hands its arguments to gdb's print command, so the output format is the same as gdb's.
Help text:
p [-x|-d][-u] [expression | symbol[:cpuspec]]
6.x.1 [-x|-d] - select the radix used for the output
(The examples below use gdb's /x format modifier instead, which p also accepts.)
crash_arm64> p /x jiffies
$5 = 0x19549
crash_arm64> p /x jiffies_64
$6 = 0x100019549
crash_arm64> p jiffies
jiffies = $7 = 103753
crash_arm64> p jiffies_64
jiffies_64 = $8 = 4295071049
crash_arm64> p fair_sched_class
fair_sched_class = $9 = {
  next = 0xffffff9ace009f90,
  enqueue_task = 0xffffff9acc724b98,
  dequeue_task = 0xffffff9acc726f80,
  yield_task = 0xffffff9acc728810,
  yield_to_task = 0xffffff9acc728950,
  check_preempt_curr = 0xffffff9acc728a18,
  pick_next_task = 0xffffff9acc728d28,
  put_prev_task = 0xffffff9acc729c38,
  select_task_rq = 0xffffff9acc729c78,
  migrate_task_rq = 0xffffff9acc72af70,
  task_woken = 0x0,
  set_cpus_allowed = 0xffffff9acc7114f8,
  rq_online = 0xffffff9acc72b088,
  rq_offline = 0xffffff9acc72b0a0,
  set_curr_task = 0xffffff9acc72b0b8,
  task_tick = 0xffffff9acc72b0f8,
  task_fork = 0xffffff9acc72be40,
  task_dead = 0xffffff9acc72c030,
  switched_from = 0xffffff9acc72c0b8,
  switched_to = 0xffffff9acc72c138,
  prio_changed = 0xffffff9acc72c1d8,
  get_rr_interval = 0xffffff9acc72c248,
  update_curr = 0xffffff9acc72c2a0,
  task_change_group = 0xffffff9acc72c2d0,
  fixup_walt_sched_stats = 0xffffff9acc72c458
}
6.x.1 [-u]
6.x.1 [expression | symbol[:cpuspec]] - the expression, variable name or function name to show
cpuspec selects which cpus' copies of a per-cpu variable are shown:
:cpuspec  CPU specification for a per-cpu symbol:
            :             CPU of the currently selected task.
            :a[ll]        all CPUs.
            :#[-#][,...]  CPU list(s), e.g. "1,3,5", "1-3", or "1,3,5-7,10".
Below, the per-cpu variable irq_stat is shown:
crash_arm64> p irq_stat            # without a cpu spec only the per-cpu addresses are shown
PER-CPU DATA TYPE:
  irq_cpustat_t irq_stat;
PER-CPU ADDRESSES:
  [0]: ffffffddb5c33680
  [1]: ffffffddb5e2a680
  [2]: ffffffddb6021680
  [3]: ffffffddb6218680
  [4]: ffffffddb640f680
  [5]: ffffffddb6606680
  [6]: ffffffddb67fd680
  [7]: ffffffddb69f4680
crash_arm64> p irq_stat:1,3,5      # with a cpu spec the members are printed as well
per_cpu(irq_stat, 1) = $10 = {
  __softirq_pending = 0,
  ipi_irqs = {158456, 67750, 1, 0, 61, 68312, 0}
}
per_cpu(irq_stat, 3) = $11 = {
  __softirq_pending = 0,
  ipi_irqs = {138835, 64954, 1, 0, 72, 65128, 0}
}
per_cpu(irq_stat, 5) = $12 = {
  __softirq_pending = 0,
  ipi_irqs = {324742, 57852, 1, 0, 9, 107173, 0}
}
crash_arm64>
6.x ps - show process status
Help text:
ps [-k|-u|-G|-y policy] [-s] [-p|-c|-t|-[l|m][-C cpu]|-a|-g|-r|-S|-A] [pid | task | command] ...
6.x.1 no arguments - list every task on every cpu
The ST column is the task state: RU running/runnable, IN interruptible sleep, UN uninterruptible sleep, ID idle kernel thread (TASK_IDLE), ST stopped, ZO zombie.
crash_arm64> ps
   PID    PPID  CPU       TASK        ST  %MEM     VSZ    RSS  COMM
      0      0   0  ffffffe4fdd6c4c0  RU   0.0       0      0  [swapper/0]
      0      0   1  ffffff8000620000  RU   0.0       0      0  [swapper/1]
      0      0   2  ffffff8000622180  RU   0.0       0      0  [swapper/2]
      0      0   3  ffffff80006210c0  RU   0.0       0      0  [swapper/3]
      0      0   4  ffffff8000626480  RU   0.0       0      0  [swapper/4]
      0      0   5  ffffff80006253c0  RU   0.0       0      0  [swapper/5]
      0      0   6  ffffff8000623240  RU   0.0       0      0  [swapper/6]
>     0      0   7  ffffff8000632180  RU   0.0       0      0  [swapper/7]
      1      0   5  ffffff800b73c300  IN   0.1 2189180  10632  init
      2      0   7  ffffff800b738000  IN   0.0       0      0  [kthreadd]
      3      2   5  ffffff800b73a180  ID   0.0       0      0  [rcu_gp]
      4      2   0  ffffff800b7390c0  ID   0.0       0      0  [rcu_par_gp]
      5      2   0  ffffff800b73e480  ID   0.0       0      0  [kworker/0:0]
      6      2   0  ffffff800b73d3c0  ID   0.0       0      0  [kworker/0:0H]
      7      2   0  ffffff800b73b240  ID   0.0       0      0  [kworker/0:1]
      8      2   0  ffffff800b7de480  ID   0.0       0      0  [kworker/0:0X]
      9      2   6  ffffff800b7dd3c0  ID   0.0       0      0  [kworker/u24:0]
     10      2   0  ffffff800b7db240  ID   0.0       0      0  [mm_percpu_wq]
     11      2   0  ffffff800b7dc300  IN   0.0       0      0  [ksoftirqd/0]
     12      2   5  ffffff800b7d8000  ID   0.0       0      0  [rcu_preempt]
     13      2   5  ffffff800b7da180  IN   0.0       0      0  [rcuog/0]
     14      2   5  ffffff800b7d90c0  IN   0.0       0      0  [rcuop/0]
     15      2   0  ffffff8000624300  IN   0.0       0      0  [migration/0]
     16      2   0  ffffff80006310c0  IN   0.0       0      0  [cpuhp/0]
     17      2   1  ffffff8000636480  IN   0.0       0      0  [cpuhp/1]
     18      2   1  ffffff80006353c0  IN   0.0       0      0  [migration/1]
     19      2   1  ffffff8000633240  IN   0.0       0      0  [ksoftirqd/1]
     20      2   1  ffffff8000634300  ID   0.0       0      0  [kworker/1:0]
     21      2   1  ffffff8000630000  ID   0.0       0      0  [kworker/1:0H]
     22      2   1  ffffff8000674300  ID   0.0       0      0  [kworker/1:0X]

# Rows prefixed with ">" are the task currently running on that cpu
crash_arm64> ps | grep ">"
>     0      0   7  ffffff8000632180  RU   0.0        0       0  [swapper/7]
>  2744      1   5  ffffff82d38c90c0  RU   0.2   189312   30056  HwBinder:1654_2
>  4102    901   1  ffffff82d0856480  RU   3.8 13326236  559968  OplusLocationCa
>  4720    901   2  ffffff82b201c300  RU   3.8 13326236  559968  Binder:2238_D
>  5758    901   6  ffffff82b41b3240  RU   3.8 13326236  559968  Binder:2238_13
> 14385    902   0  ffffff82abb96480  RU   1.9  2184852  276120  Jit thread pool
> 14672    902   3  ffffff829b4f2180  RU   1.4  2099384  199624  BuglyThread-1
> 14702  14673   4  ffffff82cff0d3c0  RU   0.0  2133788    2952  getprop
6.x.1 [-k|-u|-G|-y policy] - restrict to kernel threads (-k), user tasks (-u), thread-group leaders (-G) or tasks with the given scheduling policy (-y)
6.x.1 [-s] - also show each task's kernel stack pointer
6.x.1 [-p|-c|-t|-[l|m][-C cpu]|-a|-g|-r|-S|-A] - parent hierarchy (-p), children (-c), run time and start time (-t), last-run timestamp raw (-l) or formatted (-m), restricted to a cpu with -C, argv/envp (-a), thread group (-g), resource limits (-r), summary of task states (-S), only active tasks (-A)
6.x.1.1 -g - show the threads belonging to a process
# With a pid after it, the threads of that process are listed
crash_arm64> ps -g 1235
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
  PID: 1316   TASK: ffffff809e2953c0  CPU: 0   COMMAND: "Binder:1235_1"
  PID: 1317   TASK: ffffff809e292180  CPU: 4   COMMAND: "surfaceflinger"
  PID: 1318   TASK: ffffff809aaad3c0  CPU: 7   COMMAND: "Binder:1235_2"
  PID: 1320   TASK: ffffff809d0a90c0  CPU: 4   COMMAND: "HwBinder:1235_1"
  PID: 1488   TASK: ffffff82c5856480  CPU: 2   COMMAND: "ImageManager"
  PID: 1489   TASK: ffffff82c5852180  CPU: 4   COMMAND: "TimerDispatch"
  PID: 1490   TASK: ffffff82c5850000  CPU: 6   COMMAND: "surfaceflinger"
  PID: 1491   TASK: ffffff80876cb240  CPU: 0   COMMAND: "surfaceflinger"
  PID: 1492   TASK: ffffff82c5ac3240  CPU: 6   COMMAND: "app"
  PID: 1493   TASK: ffffff82c5ac4300  CPU: 6   COMMAND: "sf"
  PID: 1494   TASK: ffffff82c5ac0000  CPU: 4   COMMAND: "surfaceflinger"
  PID: 1495   TASK: ffffff82c5ac2180  CPU: 5   COMMAND: "surfaceflinger"
  PID: 1496   TASK: ffffff82c5ac10c0  CPU: 4   COMMAND: "FrameFinder"
  PID: 1497   TASK: ffffff82c5ac6480  CPU: 6   COMMAND: "surfaceflinger"
  PID: 1498   TASK: ffffff82c5ac53c0  CPU: 4   COMMAND: "surfaceflinger"
  PID: 1499   TASK: ffffff82c59e10c0  CPU: 5   COMMAND: "POL.NATIVE_LOOP"
  PID: 1973   TASK: ffffff82c586e480  CPU: 0   COMMAND: "DispPerfHandler"
  PID: 1974   TASK: ffffff82c3e2e480  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1975   TASK: ffffff82c3e2d3c0  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1976   TASK: ffffff82c3e2b240  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1977   TASK: ffffff82c3e2c300  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1978   TASK: ffffff82c3e28000  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1979   TASK: ffffff82c3e2a180  CPU: 5   COMMAND: "DispPerfHandler"
  PID: 1980   TASK: ffffff82c3e290c0  CPU: 6   COMMAND: "DispPerfHandler"
  PID: 1984   TASK: ffffff82c3e3d3c0  CPU: 5   COMMAND: "oplus_display_k"
  PID: 1985   TASK: ffffff82c3e3b240  CPU: 0   COMMAND: "OPlusDispEvent"
  PID: 1986   TASK: ffffff82c3e3c300  CPU: 6   COMMAND: "OplusTouchIdle"
  PID: 1990   TASK: ffffff80967b0000  CPU: 7   COMMAND: "nwatchcall"
  PID: 3833   TASK: ffffff82b0612180  CPU: 6   COMMAND: "Binder:1235_3"
  PID: 3834   TASK: ffffff82d4b44300  CPU: 5   COMMAND: "Binder:1235_4"
  PID: 6109   TASK: ffffff82b9f5c300  CPU: 5   COMMAND: "Binder:1235_5"
  PID: 6120   TASK: ffffff82b9f5e480  CPU: 7   COMMAND: "Binder:1235_5"
  PID: 6123   TASK: ffffff82a1a70000  CPU: 4   COMMAND: "ScreenShotThrea"
crash_arm64>
6.x.1 [pid | task | command] - show only the given task(s)
pid: the process id
task: the address of the task_struct
command: the command name; every task with that name is shown
6.x pte
Help text:
Arguments:
Argument | Meaning
Example:
6.x ptov - translate a physical address to a virtual address
Help text. ptov converts a physical address to the kernel virtual address that maps it, or, given an offset into the per-cpu area, computes the virtual address of that offset on each cpu:
ptov [address | offset:cpuspec]
# Translate a known physical address to its virtual address
crash_arm64> ptov 0x80000000
VIRTUAL           PHYSICAL
ffffff8000000000  80000000

# Given a per-cpu offset of 0x10, compute the virtual address on every cpu
crash_arm64> ptov 0x10:a
PER-CPU OFFSET: 10
  CPU    VIRTUAL
  [0]  ffffff9df4aba010
  [1]  ffffff9df4af8010
  [2]  ffffff9df4b36010
  [3]  ffffff9df4b74010
  [4]  ffffff9df4bb2010
  [5]  ffffff9df4bf0010
  [6]  ffffff9df4c2e010
  [7]  ffffff9df4c6c010
crash_arm64>
6.x vtop - translate a virtual address to a physical address
Help text:
vtop [-c [pid | taskp]] [-u|-k] address ...
6.x.1 [-c [pid | taskp]] - translate using the page table of the given task
A kernel address is translated through swapper_pg_dir; a user address is translated through the page table of the current context task (see the set command). -c selects another task's page table instead.
The transcripts below are the examples from crash's own help text (the author kept the crash_arm64 prompt): the PGD/PMD/PTE values are 32-bit x86 page-table entries, not arm64 ones. An arm64 dump prints 64-bit addresses and the translation levels of that page-table layout, but the structure of the output is the same.
Translate user virtual address 80b4000:
# Translate a user-space virtual address to a physical address
crash_arm64> vtop 80b4000
VIRTUAL   PHYSICAL
80b4000   660f000

PAGE DIRECTORY: c37f0000
  PGD: c37f0080 => e0d067
  PMD: c37f0080 => e0d067
  PTE: c0e0d2d0 => 660f067
 PAGE: 660f000

   PTE     PHYSICAL  FLAGS
 660f067   660f000   (PRESENT|RW|USER|ACCESSED|DIRTY)

   VMA      START     END     FLAGS  FILE
 c773daa0   80b4000  810c000   77

   PAGE    PHYSICAL  INODE  OFFSET  CNT  FLAGS
 c0393258  660f000     0     17000   1   uptodate

Translate kernel virtual address c806e000, first using swapper_pg_dir as the page directory base, and secondly, using the page table base of PID 1359:
# Translate a kernel virtual address using the swapper_pg_dir page table
crash_arm64> vtop c806e000
VIRTUAL   PHYSICAL
c806e000  2216000

PAGE DIRECTORY: c0101000
  PGD: c0101c80 => 94063
  PMD: c0101c80 => 94063
  PTE: c00941b8 => 2216063
 PAGE: 2216000

   PTE     PHYSICAL  FLAGS
 2216063   2216000   (PRESENT|RW|ACCESSED|DIRTY)

   PAGE    PHYSICAL  INODE  OFFSET  CNT  FLAGS
 c02e9370  2216000     0       0     1

# Translate the same kernel virtual address using a particular task's page table
crash_arm64> vtop -c 1359 c806e000
VIRTUAL   PHYSICAL
c806e000  2216000

PAGE DIRECTORY: c5caf000
  PGD: c5cafc80 => 94063
  PMD: c5cafc80 => 94063
  PTE: c00941b8 => 2216063
 PAGE: 2216000

   PTE     PHYSICAL  FLAGS
 2216063   2216000   (PRESENT|RW|ACCESSED|DIRTY)

   PAGE    PHYSICAL  INODE  OFFSET  CNT  FLAGS
 c02e9370  2216000     0       0     1

Determine swap location of user virtual address 40104000:
crash_arm64> vtop 40104000
VIRTUAL   PHYSICAL
40104000  (not mapped)

PAGE DIRECTORY: c40d8000
  PGD: c40d8400 => 6bbe067
  PMD: c40d8400 => 6bbe067
  PTE: c6bbe410 => 58bc00

   PTE     SWAP       OFFSET
 58bc00    /dev/sda8  22716

   VMA      START     END     FLAGS  FILE
 c7200ae0  40104000  40b08000   73

SWAP: /dev/sda8  OFFSET: 22716
6.x.1 [-u|-k] - state whether the address is a user-space or a kernel-space address
Note: this is only needed when the user and kernel address ranges overlap, so that the address alone is ambiguous.
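To make the PTE, FLAGS and SWAP columns above less magic, here is an added example (not crash's code) that decodes the exact values from the x86 transcripts: 660f067 and 2216063 as present entries, and 58bc00 as a swap entry. The bit layout is the 32-bit x86 one (bit 0 PRESENT, 1 RW, 2 USER, 5 ACCESSED, 6 DIRTY), and the swap encoding (type in bits 1-5, offset from bit 8 upward) is the 2-level x86 layout of the kernel those transcripts came from; the assumption to keep in mind is that both are architecture- and kernel-version-specific, so an arm64 dump needs the arm64 bit definitions instead.

```c
/* Added example (not crash's code): decode 32-bit x86 page-table entries the
 * way vtop's PTE/FLAGS/SWAP lines present them. Bit positions are x86 and
 * version dependent; they match the transcripts above, nothing more. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    PTE_PRESENT  = 1u << 0, PTE_RW    = 1u << 1, PTE_USER     = 1u << 2,
    PTE_PWT      = 1u << 3, PTE_PCD   = 1u << 4, PTE_ACCESSED = 1u << 5,
    PTE_DIRTY    = 1u << 6, PTE_PSE   = 1u << 7, PTE_GLOBAL   = 1u << 8,
};
#define PAGE_MASK32 0xfffff000u

/* Physical frame a present PTE points at (vtop's PAGE / PHYSICAL column). */
uint32_t pte_page(uint32_t pte) { return pte & PAGE_MASK32; }

/* Render the flag bits as vtop's FLAGS column does: "PRESENT|RW|...". */
void pte_flags(uint32_t pte, char *buf, size_t len)
{
    static const struct { uint32_t bit; const char *name; } tbl[] = {
        { PTE_PRESENT, "PRESENT" }, { PTE_RW, "RW" }, { PTE_USER, "USER" },
        { PTE_PWT, "PWT" }, { PTE_PCD, "PCD" }, { PTE_ACCESSED, "ACCESSED" },
        { PTE_DIRTY, "DIRTY" }, { PTE_PSE, "PSE" }, { PTE_GLOBAL, "GLOBAL" },
    };
    size_t i;
    buf[0] = '\0';
    for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (!(pte & tbl[i].bit))
            continue;
        if (buf[0])
            strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, tbl[i].name, len - strlen(buf) - 1);
    }
}

/* 1 if the rendered flags equal the expected string. */
int pte_flags_equal(uint32_t pte, const char *expected)
{
    char buf[96];
    pte_flags(pte, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* A non-present but non-zero PTE holds a swap entry (assumed 2-level x86
 * layout: swap type in bits 1-5, swap offset in bits 8 and up). A zero PTE is
 * simply "(not mapped)" with nothing behind it. */
int      pte_is_swap(uint32_t pte) { return !(pte & PTE_PRESENT) && pte != 0; }
uint32_t swp_type(uint32_t pte)    { return (pte >> 1) & 0x1f; }
uint32_t swp_offset(uint32_t pte)  { return pte >> 8; }

int main(void)
{
    /* Values taken from the vtop transcripts above. */
    const uint32_t samples[] = { 0x660f067u, 0x2216063u, 0x58bc00u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t pte = samples[i];
        char flags[96];
        if (pte_is_swap(pte)) {
            printf("PTE %x: swap type %u offset %u\n", (unsigned)pte,
                   (unsigned)swp_type(pte), (unsigned)swp_offset(pte));
        } else {
            pte_flags(pte, flags, sizeof flags);
            printf("PTE %x: PAGE %x (%s)\n", (unsigned)pte,
                   (unsigned)pte_page(pte), flags);
        }
    }
    return 0;
}
```

Swap type 0 is why crash names /dev/sda8, the first registered swap device, and 0x58bc00 >> 8 = 22716 is the OFFSET it prints. When reviewing a dump for a suspicious mapping (say, a page that is both USER and RW inside a range that should be read-only), this is the decoding to do by hand if you doubt the FLAGS column.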
6.x rd - read memory
Help text:
rd [-adDsSupxmfNR][-8|-16|-32|-64][-o offs][-e addr][-r file][address|symbol] [count]
6.x.1 [-adDsSupxmfNR]
6.x.1.1 -a - show printable ASCII strings
# Any printable ASCII found in the bytes following the address is shown
crash_arm64> rd ffffff82b41b3240 -a 16
ffffff82b41b3240:  *
crash_arm64> rd ffffff82b41b3240 -a 160
ffffff82b41b3240:  *
ffffff82b41b3272:  <-
ffffff82b41b327c:  @
ffffff82b41b327e:  @@
ffffff82b41b3288:  R9
ffffff82b41b3292:  e
ffffff82b41b3294:  E
ffffff82b41b32ba:  s
ffffff82b41b32cc:  x
ffffff82b41b32d0:  x
ffffff82b41b32d4:  x
crash_arm64>
6.x.1.1 -d|D - show the values in signed | unsigned decimal
-d: signed
-D: unsigned
crash_arm64> rd ffffff82b41b3270 -d
ffffff82b41b3270:  -274118967296
crash_arm64> rd ffffff82b41b3270 -D
ffffff82b41b3270:  18446743799590584320
crash_arm64>
6.x.1.1 -x - omit the ASCII column
crash_arm64> rd ffffff82b41b3270 10
ffffff82b41b3270:  ffffffc02d3c8000 4040014000000003   ..<-........@.@@
ffffff82b41b3280:  0000000000000000 0000000000013952   ........R9......
ffffff82b41b3290:  00000045d96509e7 0000000000000000   ..e.E...........
ffffff82b41b32a0:  0000000600000001 0000000000000098   ................
ffffff82b41b32b0:  00000000fffedc1e ffffff800b738000   ..........s.....

crash_arm64> rd ffffff82b41b3270 -x 10
ffffff82b41b3270:  ffffffc02d3c8000 4040014000000003
ffffff82b41b3280:  0000000000000000 0000000000013952
ffffff82b41b3290:  00000045d96509e7 0000000000000000
ffffff82b41b32a0:  0000000600000001 0000000000000098
ffffff82b41b32b0:  00000000fffedc1e ffffff800b738000
crash_arm64>
6.x.1.1 u,p,m,f - state what kind of address is given
u: address is a user-space virtual address
p: address is a physical address
m: address is a host (hypervisor) machine address
f: address is an offset into the dumpfile
6.x.1.1 -R - dump backwards from the given address
# Read 16 units forward from the address
crash_arm64> rd ffffff82b41b3270 0x10
ffffff82b41b3270:  ffffffc02d3c8000 4040014000000003   ..<-........@.@@
ffffff82b41b3280:  0000000000000000 0000000000013952   ........R9......
ffffff82b41b3290:  00000045d96509e7 0000000000000000   ..e.E...........
ffffff82b41b32a0:  0000000600000001 0000000000000098   ................
ffffff82b41b32b0:  00000000fffedc1e ffffff800b738000   ..........s.....
ffffff82b41b32c0:  0000000600000007 0000007800000001   ............x...
ffffff82b41b32d0:  0000007800000078 0000000000000000   x...x...........
ffffff82b41b32e0:  ffffffe4fd5421c0 0000000000000000   .!T.............

# Read 16 units backwards, ending at the address
crash_arm64> rd ffffff82b41b3270 -R 0x10
ffffff82b41b31f8:  0000000000000000 0000000000000000   ................
ffffff82b41b3208:  0000000000000000 0000000000000000   ................
ffffff82b41b3218:  0000000000000000 0000000000000000   ................
ffffff82b41b3228:  0000000000000000 0000000000000000   ................
ffffff82b41b3238:  0000000000000000 000000000400082a   ........*.......
ffffff82b41b3248:  0000007fffffffff 00000000a2b91000   ................
ffffff82b41b3258:  0000000100010004 0000000000000000   ................
ffffff82b41b3268:  0000000000000000 ffffffc02d3c8000   ..........<-....
crash_arm64>
6.x.1.1 -N - show values in network byte order; only meaningful with 16-bit or 32-bit units
crash_arm64> rd ffffff82b41b3270 -32
ffffff82b41b3270:  2d3c8000   ..<-

crash_arm64> rd ffffff82b41b3270 -32 -N
ffffff82b41b3270:  00803c2d   -<..
crash_arm64>
6.x.1.1 -s,S[S] - where a value resolves to a symbol, show the symbol instead of the raw value
The example below is from crash's help text (a 32-bit x86 kernel stack): the same block of memory is shown first without symbols, then with symbols (-s), then with symbols and slab cache references (-S), and finally with the slab references together with their addresses (-SS).
Display the same block of memory, first without symbols, again with symbols, and then with symbols and slab cache references:
f6e31f70:  f6e31f6c f779c180 c04a4032 00a9dd40   l.....y.2@J.@...
f6e31f80:  00000fff c0472da0 f6e31fa4 f779c180   .....-G.......y.
f6e31f90:  fffffff7 00a9b70f f6e31000 c04731ee   .............1G.
f6e31fa0:  f6e31fa4 00000000 00000000 00000000   ................
f6e31fb0:  00000000 00a9dd40 c0404f17 00000000   ....@....O@.....
f6e31fc0:  00a9dd40 00000fff 00a9dd40 00a9b70f   @.......@.......
f6e31fd0:  bf9e2718 ffffffda c040007b 0000007b   .'......{.@.{...

With -s:
f6e31f70:  f6e31f6c f779c180 kmsg_read 00a9dd40
f6e31f80:  00000fff vfs_read+159 f6e31fa4 f779c180
f6e31f90:  fffffff7 00a9b70f f6e31000 sys_read+60
f6e31fa0:  f6e31fa4 00000000 00000000 00000000
f6e31fb0:  00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0:  00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0:  bf9e2718 ffffffda startup_32+123 0000007b

With -S:
f6e31f70:  [size-4096] [filp] kmsg_read 00a9dd40
f6e31f80:  00000fff vfs_read+159 [size-4096] [filp]
f6e31f90:  fffffff7 00a9b70f [size-4096] sys_read+60
f6e31fa0:  [size-4096] 00000000 00000000 00000000
f6e31fb0:  00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0:  00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0:  bf9e2718 ffffffda startup_32+123 0000007b

With -SS:
f6e31f70:  [f6e31f6c:size-4096] [f779c180:filp] kmsg_read 00a9dd40
f6e31f80:  00000fff vfs_read+159 [f6e31fa4:size-4096] [f779c180:filp]
f6e31f90:  fffffff7 00a9b70f [f6e31000:size-4096] sys_read+60
f6e31fa0:  [f6e31fa4:size-4096] 00000000 00000000 00000000
f6e31fb0:  00000000 00a9dd40 syscall_call+7 00000000
f6e31fc0:  00a9dd40 00000fff 00a9dd40 00a9b70f
f6e31fd0:  bf9e2718 ffffffda startup_32+123 0000007b
6.x.1 [-8|-16|-32|-64] - width of each unit read
crash_arm64> rd ffffff82b41b3240 -8 -o 16 -e ffffff82b41b32b8
ffffff82b41b3250:  00 10 b9 a2 00 00 00 00 04 00 01 00 01 00 00 00   ................
ffffff82b41b3260:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
ffffff82b41b3270:  00 80 3c 2d c0 ff ff ff 03 00 00 00 40 01 40 40   ..<-........@.@@
ffffff82b41b3280:  00 00 00 00 00 00 00 00 52 39 01 00 00 00 00 00   ........R9......
ffffff82b41b3290:  e7 09 65 d9 45 00 00 00 00 00 00 00 00 00 00 00   ..e.E...........
ffffff82b41b32a0:  01 00 00 00 06 00 00 00 98 00 00 00 00 00 00 00   ................
ffffff82b41b32b0:  1e dc fe ff 00 00 00 00                           ........

crash_arm64> rd ffffff82b41b3240 -32 -o 16 -e ffffff82b41b32b8
ffffff82b41b3250:  a2b91000 00000000 00010004 00000001   ................
ffffff82b41b3260:  00000000 00000000 00000000 00000000   ................
ffffff82b41b3270:  2d3c8000 ffffffc0 00000003 40400140   ..<-........@.@@
ffffff82b41b3280:  00000000 00000000 00013952 00000000   ........R9......
ffffff82b41b3290:  d96509e7 00000045 00000000 00000000   ..e.E...........
ffffff82b41b32a0:  00000001 00000006 00000098 00000000   ................
ffffff82b41b32b0:  fffedc1e 00000000                     ........
crash_arm64>
6.x.1 [-o offs] - start reading offs bytes after the given address
That is, the read begins at address + offs:
crash_arm64> rd ffffff82b41b3240 -r aaa.bin -o 8 0x10
16 bytes copied from 0xffffff82b41b3248 to aaa.bin
crash_arm64>
6.x.1 [-e addr] - the address at which to stop reading
crash_arm64> rd ffffff82b41b3240 -o 16 -e ffffff82b41b32b8
ffffff82b41b3250:  00000000a2b91000 0000000100010004   ................
ffffff82b41b3260:  0000000000000000 0000000000000000   ................
ffffff82b41b3270:  ffffffc02d3c8000 4040014000000003   ..<-........@.@@
ffffff82b41b3280:  0000000000000000 0000000000013952   ........R9......
ffffff82b41b3290:  00000045d96509e7 0000000000000000   ..e.E...........
ffffff82b41b32a0:  0000000600000001 0000000000000098   ................
ffffff82b41b32b0:  00000000fffedc1e                    ........
crash_arm64>
6.x.1 [-r file] - write the raw bytes read into the given file
crash_arm64> rd ffffff82b41b3240 -r aaa.bin 0x10
16 bytes copied from 0xffffff82b41b3240 to aaa.bin
crash_arm64>
6.x.1 [address|symbol] - the address, or the name of the variable, to read
crash_arm64> rd ffffff82b41b3270
ffffff82b41b3270:  ffffffc02d3c8000   ..<-....

crash_arm64> rd jiffies
ffffffe4fdc76980:  0000000100000001   ........

crash_arm64> rd -d jiffies
ffffffe4fdc76980:  4294967297
6.x.1 [count] - number of units to read
This must be the last argument on the command line.
6.x wr - write memory
Modifies the memory of a running system. It only works on a live system accessed through /dev/mem; writing to a dumpfile is not possible.
Caveat for practitioners: on kernels built with CONFIG_STRICT_DEVMEM (the default on most distributions) /dev/mem refuses access to kernel RAM, and kernel lockdown blocks it altogether, so wr fails there even as root; it is effectively a debug-kernel facility. A system on which wr succeeds is one on which root can patch arbitrary kernel memory, which is worth knowing when you assess such a host.
Help text:
wr [-u|-k|-p] [-8|-16|-32|-64] [address|symbol] value
6.x.1 [-u|-k|-p] - state what kind of address is given
-u address argument is a user virtual address.
-k address argument is a kernel virtual address.
-p address argument is a physical address.
6.x.1 [-8|-16|-32|-64] - width of the value written
-8 write data in an 8-bit value.
-16 write data in a 16-bit value.
-32 write data in a 32-bit value (default on 32-bit machines).
-64 write data in a 64-bit value (default on 64-bit machines).
6.x.1 [address|symbol] - the target address or variable name
6.x.1 value - the value to write
# Write to an address
crash_arm64> wr ffffffe4fd7e03b8 1

# Write to a variable
crash_arm64> wr my_debug_flag 1
6.x repeat - run a command repeatedly
Help text:
repeat [-seconds] command
6.x.1 [-seconds] - the interval, in seconds, between runs
Example:
crash_arm64> repeat -1 p jiffies
jiffies = $1 = 155551079
jiffies = $2 = 155551180
jiffies = $3 = 155551281
jiffies = $4 = 155551382
jiffies = $5 = 155551483
jiffies = $6 = 155551584
jiffies = $7 = 155551685
jiffies = $8 = 155551786
jiffies = $9 = 155551887
jiffies = $10 = 155551988
jiffies = $11 = 155552089
jiffies = $12 = 155552190
jiffies = $13 = 155552291
jiffies = $14 = 155552392
jiffies = $15 = 155552493
jiffies = $16 = 155552594
jiffies = $17 = 155552695
jiffies = $18 = 155552796
...
6.x runq - show the run queues
Help text:
runq [-t] [-T] [-m] [-g] [-c cpu(s)]
6.x.1 no arguments - show the run queue of every cpu
# For each cpu the rt and cfs queues are shown; if tasks are queued on them, the tasks are listed too
crash_arm64> runq
CPU 0 RUNQUEUE: ffffff82f2441ac0
  CURRENT: PID: 14385  TASK: ffffff82abb96480  COMMAND: "Jit thread pool"
  RT PRIO_ARRAY: ffffff82f2441c80      # the rt queue
     [no tasks queued]
  CFS RB_ROOT: ffffff82f2441bb8        # the cfs queue
     [no tasks queued]

CPU 1 RUNQUEUE: ffffff82f247fac0
  CURRENT: PID: 4102   TASK: ffffff82d0856480  COMMAND: "OplusLocationCa"
  RT PRIO_ARRAY: ffffff82f247fc80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f247fbb8
     [no tasks queued]

CPU 2 RUNQUEUE: ffffff82f24bdac0
  CURRENT: PID: 4720   TASK: ffffff82b201c300  COMMAND: "Binder:2238_D"
  RT PRIO_ARRAY: ffffff82f24bdc80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f24bdbb8
     [no tasks queued]

CPU 3 RUNQUEUE: ffffff82f24fbac0
  CURRENT: PID: 14672  TASK: ffffff829b4f2180  COMMAND: "BuglyThread-1"
  RT PRIO_ARRAY: ffffff82f24fbc80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f24fbbb8
     [no tasks queued]

CPU 4 RUNQUEUE: ffffff82f2539ac0
  CURRENT: PID: 14702  TASK: ffffff82cff0d3c0  COMMAND: "getprop"
  RT PRIO_ARRAY: ffffff82f2539c80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f2539bb8
     [no tasks queued]

CPU 5 RUNQUEUE: ffffff82f2577ac0
  CURRENT: PID: 2744   TASK: ffffff82d38c90c0  COMMAND: "HwBinder:1654_2"
  RT PRIO_ARRAY: ffffff82f2577c80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f2577bb8

CPU 6 RUNQUEUE: ffffff82f25b5ac0
  CURRENT: PID: 5758   TASK: ffffff82b41b3240  COMMAND: "Binder:2238_13"
  RT PRIO_ARRAY: ffffff82f25b5c80
  CFS RB_ROOT: ffffff82f25b5bb8        # a task waiting on this cfs queue
     [120] PID: 14481  TASK: ffffff82abe8e480  COMMAND: "nloadapkservice"

CPU 7 RUNQUEUE: ffffff82f25f3ac0
  CURRENT: PID: 0      TASK: ffffff8000632180  COMMAND: "swapper/7"
  RT PRIO_ARRAY: ffffff82f25f3c80
     [no tasks queued]
  CFS RB_ROOT: ffffff82f25f3bb8
     [no tasks queued]
6.x.1 [-t] - show timestamps, i.e. the value of rq->clock
The first timestamp is rq->clock.
The second timestamp is, quoting the help text: following each cpu timestamp is the last_run or timestamp value of the active task on that cpu, whichever applies, along with the task identification.
crash_arm64> runq -t
CPU 0: 299996103258
       299994023206  PID: 14385  TASK: ffffff82abb96480  COMMAND: "Jit thread pool"
CPU 1: 300003424144
       300003424144  PID: 4102   TASK: ffffff82d0856480  COMMAND: "OplusLocationCa"
CPU 2: 300003650758
       300003650758  PID: 4720   TASK: ffffff82b201c300  COMMAND: "Binder:2238_D"
CPU 3: 300003550914
       300003550914  PID: 14672  TASK: ffffff829b4f2180  COMMAND: "BuglyThread-1"
CPU 4: 300003840706
       300003840706  PID: 14702  TASK: ffffff82cff0d3c0  COMMAND: "getprop"
CPU 5: 300003900446
       300003858883  PID: 2744   TASK: ffffff82d38c90c0  COMMAND: "HwBinder:1654_2"
CPU 6: 300003834977
       300000010185  PID: 5758   TASK: ffffff82b41b3240  COMMAND: "Binder:2238_13"
CPU 7: 299951857268
       000000000000  PID: 0      TASK: ffffff8000632180  COMMAND: "swapper/7"
6.x.1 [-T] - show the time lag of each cpu
-T displays the time lag of each CPU relative to the most recent runqueue timestamp.
crash_arm64> runq -T
 CPU 5: 0.00 secs
 CPU 4: 0.00 secs
 CPU 6: 0.00 secs
 CPU 2: 0.00 secs
 CPU 3: 0.00 secs
 CPU 1: 0.00 secs
 CPU 0: 0.01 secs
 CPU 7: 0.05 secs
crash_arm64>
6.x.1 [-m] - show how long the task currently running on each cpu has been running
The format is:
days, hours, minutes, seconds and milliseconds.
crash_arm64> runq -m
 CPU 0: [0 00:00:00.002]  PID: 14385  TASK: ffffff82abb96480  COMMAND: "Jit thread pool"
 CPU 1: [0 00:00:00.000]  PID: 4102   TASK: ffffff82d0856480  COMMAND: "OplusLocationCa"
 CPU 2: [0 00:00:00.000]  PID: 4720   TASK: ffffff82b201c300  COMMAND: "Binder:2238_D"
 CPU 3: [0 00:00:00.000]  PID: 14672  TASK: ffffff829b4f2180  COMMAND: "BuglyThread-1"
 CPU 4: [0 00:00:00.000]  PID: 14702  TASK: ffffff82cff0d3c0  COMMAND: "getprop"
 CPU 5: [0 00:00:00.000]  PID: 2744   TASK: ffffff82d38c90c0  COMMAND: "HwBinder:1654_2"
 CPU 6: [0 00:00:00.003]  PID: 5758   TASK: ffffff82b41b3240  COMMAND: "Binder:2238_13"
 CPU 7: [0 00:04:59.951]  PID: 0      TASK: ffffff8000632180  COMMAND: "swapper/7"
crash_arm64>
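To make the relation between the three timestamp views concrete, here is an added Python example (not part of the original post and not crash's own code) that parses the `runq -t` output shown above and reproduces the `-T` lag and the `-m` run time from it. The arithmetic it uses (lag = newest rq->clock minus each cpu's rq->clock; run time = rq->clock minus the active task's timestamp) is inferred from the sample numbers above, so treat it as an assumption about crash's output rather than its documented implementation.

```python
import re
from typing import Dict, List, Tuple

# `runq -t` output copied from the session above; used here as constructed
# input so the example runs offline (the values are the page's own).
RUNQ_T_OUTPUT = """\
 CPU 0: 299996103258
        299994023206  PID: 14385  TASK: ffffff82abb96480  COMMAND: "Jit thread pool"
 CPU 1: 300003424144
        300003424144  PID: 4102   TASK: ffffff82d0856480  COMMAND: "OplusLocationCa"
 CPU 2: 300003650758
        300003650758  PID: 4720   TASK: ffffff82b201c300  COMMAND: "Binder:2238_D"
 CPU 3: 300003550914
        300003550914  PID: 14672  TASK: ffffff829b4f2180  COMMAND: "BuglyThread-1"
 CPU 4: 300003840706
        300003840706  PID: 14702  TASK: ffffff82cff0d3c0  COMMAND: "getprop"
 CPU 5: 300003900446
        300003858883  PID: 2744   TASK: ffffff82d38c90c0  COMMAND: "HwBinder:1654_2"
 CPU 6: 300003834977
        300000010185  PID: 5758   TASK: ffffff82b41b3240  COMMAND: "Binder:2238_13"
 CPU 7: 299951857268
        000000000000  PID: 0      TASK: ffffff8000632180  COMMAND: "swapper/7"
"""

CPU_RE = re.compile(r'^\s*CPU\s+(\d+):\s+(\d+)\s*$')
TASK_RE = re.compile(
    r'^\s*(\d+)\s+PID:\s+(\d+)\s+TASK:\s+([0-9a-f]+)\s+COMMAND:\s+"(.*)"\s*$')

NS_PER_SEC = 1_000_000_000


def parse_runq_t(text: str) -> Dict[int, dict]:
    """Parse `runq -t` into {cpu: {clock, task_ts, pid, task, comm}}.

    The first number of each pair is rq->clock (nanoseconds), the second is
    the active task's timestamp; both are printed as plain decimal."""
    cpus: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        m = CPU_RE.match(line)
        if m:
            current = int(m.group(1))
            cpus[current] = {"clock": int(m.group(2))}
            continue
        m = TASK_RE.match(line)
        if m and current is not None:
            cpus[current].update(task_ts=int(m.group(1)), pid=int(m.group(2)),
                                 task=m.group(3), comm=m.group(4))
    return cpus


def runq_lag(cpus: Dict[int, dict]) -> List[Tuple[int, str]]:
    """Reproduce `runq -T`: how far each rq->clock lags behind the newest
    one, sorted so the most up-to-date cpu comes first (as -T prints it)."""
    newest = max(c["clock"] for c in cpus.values())
    lags = sorted(((cpu, newest - c["clock"]) for cpu, c in cpus.items()),
                  key=lambda t: t[1])
    return [(cpu, "%.2f secs" % (lag / NS_PER_SEC)) for cpu, lag in lags]


def runq_runtime(cpus: Dict[int, dict]) -> Dict[int, str]:
    """Reproduce `runq -m`: rq->clock minus the task's timestamp, rendered
    as [days hh:mm:ss.mmm]. A swapper task with timestamp 0 therefore shows
    the whole uptime (CPU 7 above: 4 min 59.951 s)."""
    out: Dict[int, str] = {}
    for cpu, c in cpus.items():
        ms_total = (c["clock"] - c["task_ts"]) // 1_000_000
        days, rem = divmod(ms_total, 86_400_000)
        hours, rem = divmod(rem, 3_600_000)
        minutes, rem = divmod(rem, 60_000)
        seconds, millis = divmod(rem, 1000)
        out[cpu] = "[%d %02d:%02d:%02d.%03d]" % (days, hours, minutes, seconds, millis)
    return out


if __name__ == "__main__":
    parsed = parse_runq_t(RUNQ_T_OUTPUT)
    for cpu, lag in runq_lag(parsed):
        print(" CPU %d: %s" % (cpu, lag))
    for cpu in sorted(parsed):
        print(" CPU %d: %s  PID: %d  COMMAND: \"%s\"" % (
            cpu, runq_runtime(parsed)[cpu], parsed[cpu]["pid"], parsed[cpu]["comm"]))
```

Running it prints the same ordering and values as the `runq -T` and `runq -m` sessions above, which is a quick way to confirm what each option is measuring.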
6.x.1 [-g] - show the task_group hierarchy
Display tasks hierarchically by task_group:
crash_arm64> runq -g
CPU 0
  CURRENT: PID: 14734  TASK: ffff88010626f500  COMMAND: "sh"
  ROOT_TASK_GROUP: ffffffff81ed93e0  RT_RQ: ffff880028216808
     [  0] TASK_GROUP: ffff88022c6bbc00  RT_RQ: ffff880139fc9800  (THROTTLED)
        [  0] PID: 14750  TASK: ffff88013a4dd540  COMMAND: "rtloop99"
        [  1] PID: 14748  TASK: ffff88013bbca040  COMMAND: "rtloop98"
     [  1] TASK_GROUP: ffff88012b0fb400  RT_RQ: ffff880089029000
        [  1] PID: 14752  TASK: ffff880088abf500  COMMAND: "rtloop98"
     [ 54] PID: 14749  TASK: ffff880037a4e080  COMMAND: "rtloop45"
     [ 98] PID: 14746  TASK: ffff88012678c080  COMMAND: "rtloop1"
  ROOT_TASK_GROUP: ffffffff81ed93e0  CFS_RQ: ffff8800282166e8
     [120] PID: 14740  TASK: ffff88013b1e6080  COMMAND: "sh"
     [120] PID: 14738  TASK: ffff88012678d540  COMMAND: "sh"
     [120] PID: 14734  TASK: ffff88010626f500  COMMAND: "sh" [CURRENT]
     TASK_GROUP: ffff884052bc9800  CFS_RQ: ffff8831e4a1b000  (THROTTLED)
        [120] PID: 14732  TASK: ffff88013bbcb500  COMMAND: "sh"
        [120] PID: 14728  TASK: ffff8800b3496080  COMMAND: "sh"
        [120] PID: 14730  TASK: ffff880037833540  COMMAND: "sh"
     TASK_GROUP: ffff884058f1d000  CFS_RQ: ffff88120a101600  (THROTTLED)
        [120] PID: 14726  TASK: ffff880138d42aa0  COMMAND: "sh"
  ...
Display tasks hierarchically by task_group for cpu 3 only:
crash_arm64> runq -g -c3
CPU 3
  CURRENT: PID: 2948  TASK: ffff88022af2a100  COMMAND: "bash"
  INIT_TASK_GROUP: ffffffff81e1a780  RT_RQ: ffff880028216148
     [no tasks queued]
  INIT_TASK_GROUP: ffffffff81e1a780  CFS_RQ: ffff880028216028
     [120] PID: 2948  TASK: ffff88022af2a100  COMMAND: "bash" [CURRENT]
     TASK_GROUP: ffff88012b880800  CFS_RQ: ffff88012c5d1000  <libvirt>
        TASK_GROUP: ffff88012c078000  CFS_RQ: ffff88012c663e00  <qemu>
           TASK_GROUP: ffff88022c7f4c00  CFS_RQ: ffff88012bb56000  <guest2>
              TASK_GROUP: ffff88022b621400  CFS_RQ: ffff88012b012000  <vcpu0>
                 [120] PID: 3248  TASK: ffff88012a9d4100  COMMAND: "qemu-kvm"
6.x.1 [-c cpu(s)] - select the cpu(s)
The format is:
restrict the output to the run queue data of one or more CPUs, which can be specified using the format "3", "1,8,9", "1-23", or "1,8,9-14".
6.x search - search a memory range for a given value
Help information:
search [-s start] [ -[kKV] | -u | -p | -t | -T ] [-e end | -l length] [-m mask] [-x count] -[cwh] [value | (expression) | symbol | string] ...
6.x.1 [-s start] [-e end | -l length] - specify the search range
start and end may be a virtual address, a physical address, or a symbol such as a function or variable name.
Search the 4K page at c532c000 for all instances of 0xffffffff:
c532c33c: ffffffff
c532c3fc: ffffffff
Search the static kernel data area for all instances of c2d400eb:
c022b550: c2d400eb
c022b590: c2d400eb
c022b670: c2d400eb
c022b6e0: c2d400eb
c022b7b0: c2d400eb
c022b7e0: c2d400eb
c022b8b0: c2d400eb
6.x.1 [ -[kKV] | -u | -p | -t | -T ] - also selects the search range
The options are explained as follows:
-k  If no start address is specified, start the search at the base of kernel virtual address space. This option is the default.
-K  Same as -k, except that mapped kernel virtual memory that was allocated by vmalloc(), module memory, or virtual mem_map regions will not be searched.
-V  Same as -k, except that unity-mapped kernel virtual memory and mapped kernel-text/static-data (x86_64 and ia64) will not be searched.
-u  If no start address is specified, start the search at the base of the current context's user virtual address space. If a start address is specified, then this option specifies that the start address is a user virtual address.
-p  If no start address is specified, start the search at the base of physical address space. If a start address is specified, then this option specifies that the start address is a physical address.
-t  Search only the kernel stack pages of every task. If one or more matches are found in a task's kernel stack, precede the output with a task-identifying header.
-T  Same as -t, except only the active task(s) are considered.
Search the current context's address space for all instances of 0xdeadbeef:
81aba5c: deadbeef
81abaa8: deadbeef
bfffc698: deadbeef
bffff390: deadbeef
6.x.1 [-m mask] - ignore the bits covered by the mask
Search all kernel memory above the kernel text space for all instances of 0xabcd occurring in the lower 16-bits of each 32-bit word:
c071481c: abcd
c0c2b0fc: 804abcd
c0cf5e74: 7489abcd
c17c0b44: c012abcd
c1dac730: 3dbeabcd
c226d0e8: ffffabcd
c23ed5dc: abcd
c3022544: 3dbeabcd
c3069b58: 3dbeabcd
c3e86e84: aabcd
c3e88ed0: aabcd
c3e8ee5c: aabcd
c3e9df50: aabcd
c3e9e930: aabcd
c440a778: 804abcd
c486eb44: 3dbeabcd
c578f0fc: 804abcd
c6394f90: 8ababcd
c65219f0: 3abcd
c661399c: abcd
c68514ac: 8abcd
c7e036bc: 3dbeabcd
c7e12568: 5abcd
c7e1256c: 5abcd
Search physical memory for all instances of 0xbabe occurring in the upper 16 bits of each 32-bit word:
2a1dc4: babe671e
2b6928: babe3de1
2f99ac: babe0d54
31843c: babe70b9
3ba920: babeb5d7
413ce4: babe7540
482747c: babe2600
48579a4: babe2600
4864a68: babe2600
6.x.1 [-x count] - after a match is found, also display count words of memory before and after it
crash_arm64> search -m 0xffff0000 dead -x 4
ffffff8006637e48:  0000000000000000 0000000000000000   ................
ffffff8006637e58:  0000000000000000 0000000000000000   ................
ffffff8006637e68:  dead
ffffff8006637e70:  0000000000000000 0000000000000000   ................
ffffff8006637e80:  0000000000000000 0000000000000000   ................

ffffff80068439e0:  f054c650b97a0020 0000000000000000   .z.P.T.........
ffffff80068439f0:  000080100000ae20 00000019f01a6a54   .......Tj......
ffffff8006843a00:  dead
ffffff8006843a08:  0000000000000000 0000000000000000   ................
ffffff8006843a18:  0000000000000000 0000000000000000   ................

ffffff802da9d760:  00000000000bbba0 00000000000773a4   .........s......
ffffff802da9d770:  00000000000a4f96 00000000000c2a98   .O.......*......
ffffff802da9d780:  bdead
ffffff802da9d788:  00000000000be65d 00000000000be65d   ].......].......
ffffff802da9d798:  00000000000be65d 00000000000be65d   ].......].......

ffffff80328bcb70:  0000000000059033 000000000007870f   3...............
ffffff80328bcb80:  0000000000013b42 00000000000368ed   B;.......h......
ffffff80328bcb90:  8dead
ffffff80328bcb98:  000000000005904b 0000000000036904   K........i......
ffffff80328bcba8:  0000000000055199 000000000005e806   .Q..............

ffffff8037028250:  00000000ffffe4e1 0000007d2d06ee9c   ...........-}...
ffffff8037028260:  00000000ffffe4b5 0000007d2d06eea5   ...........-}...
ffffff8037028270:  ffffdead
ffffff8037028278:  0000007d2d06eeb1 00000000ff000080   ...-}...........
ffffff8037028288:  0000007d2d06eeb6 0000000000000000   ...-}...........

ffffff8040f22d00:  0002deac20000010 0002deac0002deac   ... ............
ffffff8040f22d10:  2000001000000000 0002dead0002dead   ....... ........
ffffff8040f22d20:  2dead
ffffff8040f22d28:  0002deae20000010 0002deae0002deae   ... ............
ffffff8040f22d38:  2000001000000000 0002deaf0002deaf   ....... ........
6.x.1 [c,w,h] - search for a string, or for hexadecimal data of a given width
-c: Search for character string values instead of unsigned longs. If the string contains any space(s), it must be encompassed by double quotes.
-w: Search for unsigned hexadecimal ints instead of unsigned longs. This is only meaningful on 64-bit systems in order to search both the upper and lower 32-bits of each 64-bit long for the value.
-h: Search for unsigned hexadecimal shorts instead of unsigned longs.
Search kernel memory for two strings:   # string search
ffff8800013ddec1: can't allocate memory for key lists..<3>%s %s: error con
ffff8801258be748: Failure to install fence: %d..<3>[drm:%s] *ERROR* Failed
ffff880125f07ec9: can't allocate memory..<3>ACPI: Invalid data..Too many d
ffffffff813ddec1: can't allocate memory for key lists..<3>%s %s: error con
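An added Python example (not from the original post and not crash's own code) that implements the masked word search of -m and the byte-wise string search of -c over a small constructed memory buffer, so the mask semantics above can be checked against the page's own values (0xabcd in the low 16 bits, 0xbabe in the high 16 bits). The buffer contents and its base address are made up for the demonstration.

```python
import struct
from typing import Iterator, List, Tuple


def masked_search(mem: bytes, base: int, value: int, mask: int = 0,
                  width: int = 8) -> Iterator[Tuple[int, int]]:
    """Scan `mem` (assumed loaded at virtual address `base`) word by word and
    yield (address, word) for every aligned word that equals `value` once the
    bits set in `mask` are ignored, which is what `search -m mask` does.
    width 8 = unsigned long (crash's default), 4 = -w, 2 = -h."""
    fmt = {8: "<Q", 4: "<I", 2: "<H"}[width]      # little-endian, as on arm64
    keep = ((1 << (width * 8)) - 1) & ~mask         # the bits that must match
    for off in range(0, len(mem) - width + 1, width):
        word = struct.unpack_from(fmt, mem, off)[0]
        if word & keep == value & keep:
            yield base + off, word


def string_search(mem: bytes, base: int, needle: str,
                  context: int = 60) -> List[Tuple[int, str]]:
    """Mirror `search -c`: find every occurrence of a string at any byte offset
    (strings are not word-aligned) and return the address plus the bytes that
    follow it, with non-printable bytes shown as '.' the way crash prints them."""
    pat = needle.encode()
    hits: List[Tuple[int, str]] = []
    start = 0
    while True:
        i = mem.find(pat, start)
        if i < 0:
            break
        snippet = "".join(chr(b) if 32 <= b < 127 else "."
                          for b in mem[i:i + context])
        hits.append((base + i, snippet))
        start = i + 1
    return hits


# Constructed memory image for the demonstration (not a real dump): eight
# 32-bit words followed by two NUL-terminated strings.
BASE = 0xc0714800
WORDS = [0x0804abcd, 0x12345678, 0x7489abcd, 0xbabe671e,
         0xdeadbeef, 0x0000abcd, 0xbabe2600, 0xffffabcd]
MEM = struct.pack("<8I", *WORDS) + b"can't allocate memory\x00<3>ACPI: Invalid data\x00"


def lower16_abcd() -> List[int]:
    """Like `search -w -m 0xffff0000 abcd`: 0xabcd in the low 16 bits of each 32-bit word."""
    return [a for a, _ in masked_search(MEM, BASE, 0xabcd, mask=0xffff0000, width=4)]


def upper16_babe() -> List[int]:
    """Like `search -w -m 0xffff babe0000`: 0xbabe in the high 16 bits of each 32-bit word."""
    return [a for a, _ in masked_search(MEM, BASE, 0xbabe0000, mask=0xffff, width=4)]


def long_abcd() -> List[int]:
    """Same mask at the default 8-byte width: the high 32 bits of each long must
    now be zero as well, so none of the constructed words match (the page's
    64-bit `dead` example likewise only reports longs whose upper half is 0)."""
    return [a for a, _ in masked_search(MEM, BASE, 0xabcd, mask=0xffff0000, width=8)]


if __name__ == "__main__":
    for fn in (lower16_abcd, upper16_babe, long_abcd):
        print(fn.__name__, [hex(a) for a in fn()])
    for addr, snip in string_search(MEM, BASE, "can't allocate memory"):
        print("%x: %s" % (addr, snip))
```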
6.x.1 [value | (expression) | symbol | string] - what to search for
6.x set - set or get the context crash is working in, or set some of crash's internal parameters
For using this command to set crash's internal parameters, see the help file.
Set or get the context. It can be set by pid, task_struct address, and so on. Help information:
set <$pid> - set the pid of the process to examine
set [[-a] [pid | taskp] | [-c cpu] | -p] | [crash_arm64_variable [setting]] | -v
6.x.0 no arguments - show which process context the current cpu is in
crash_arm64> set
    PID: 5758
COMMAND: "Binder:2238_13"
   TASK: ffffff82b41b3240  [THREAD_INFO: ffffff82b41b3240]
    CPU: 6
  STATE: TASK_RUNNING (PANIC)
crash_arm64>
6.x.1 pid - select crash's current context by pid
# First find the pid of the process with ps
crash_arm64> ps | grep surfaceflinger
   1235      1   5  ffffff809dcf53c0  IN   0.4 2793532  56744  surfaceflinger
   1317      1   4  ffffff809e292180  IN   0.4 2793532  56744  surfaceflinger
   1490      1   6  ffffff82c5850000  IN   0.4 2793532  56744  surfaceflinger
   1491      1   0  ffffff80876cb240  IN   0.4 2793532  56744  surfaceflinger
   1494      1   4  ffffff82c5ac0000  IN   0.4 2793532  56744  surfaceflinger
   1495      1   5  ffffff82c5ac2180  IN   0.4 2793532  56744  surfaceflinger
   1497      1   6  ffffff82c5ac6480  IN   0.4 2793532  56744  surfaceflinger
   1498      1   4  ffffff82c5ac53c0  IN   0.4 2793532  56744  surfaceflinger
# Switch to the surfaceflinger context
crash_arm64> set 1235
    PID: 1235
COMMAND: "surfaceflinger"
   TASK: ffffff809dcf53c0  [THREAD_INFO: ffffff809dcf53c0]
    CPU: 5
  STATE: TASK_INTERRUPTIBLE
# Look at its backtrace
crash_arm64> bt
PID: 1235   TASK: ffffff809dcf53c0  CPU: 5   COMMAND: "surfaceflinger"
 #0 [ffffffc0164dbb90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc0164dbbf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc0164dbc50] schedule at ffffffe4fc97a598
 #3 [ffffffc0164dbcd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc0164dbd70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc0164dbdd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc0164dbe10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc0164dbe20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc0164dbe70] el0_svc_common at ffffffe4fb6c2ec4
 #9 [ffffffc0164dbeb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc0164dbff0] el0_svc at ffffffe4fb484e84
     PC: 00000076109d04a8   LR: 00000076119edad0   SP: 0000007fc42df120
    X29: 0000007fc42df270  X28: 0000000000000000  X27: 0000000000000000
    X26: 0000000000000000  X25: 00000076133a8000  X24: 0000000000000000
    X23: b4000075900510e0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b400007590051188  X19: b4000075900510e0  X18: 000000761366c000
    X17: 000000761099276c  X16: 00000076119f0db0  X15: 0000000034155555
    X14: 0000000000000000  X13: 000000757b035740  X12: 000000759000d888
    X11: b400000000000000  X10: 00000000000001d0   X9: b79a1c55bdc51541
     X8: 0000000000000016   X7: 000000757b035860   X6: 000000758ec18520
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007fc42df160   X0: 0000000000000009
    ORIG_X0: 0000000000000009  SYSCALLNO: 16  PSTATE: 60001000
crash_arm64>
6.x.1 taskp - select crash's current context by the address of the task's task_struct
# First find the address of the process's task_struct
crash_arm64> ps | grep launcher
   1790      1   5  ffffff807ff853c0  IN   0.0 2163860   4188  loc_launcher
   1801      1   6  ffffff8068da53c0  IN   0.0 2163860   4188  loc_launcher
   4460    901   5  ffffff82d376d3c0  IN   2.2 7082700 324228  ndroid.launcher
   4699    901   1  ffffff82b24ac300  IN   2.2 7082700 324228  launcher-loader
   4864    901   1  ffffff82b293e480  IN   2.2 7082700 324228  launcher-loader
# Switch crash to that process's context
crash_arm64> set ffffff82d376d3c0
    PID: 4460
COMMAND: "ndroid.launcher"
   TASK: ffffff82d376d3c0  [THREAD_INFO: ffffff82d376d3c0]
    CPU: 5
  STATE: TASK_INTERRUPTIBLE
# Look at the stack backtrace
crash_arm64> bt
PID: 4460   TASK: ffffff82d376d3c0  CPU: 5   COMMAND: "ndroid.launcher"
 #0 [ffffffc029723b90] __switch_to at ffffffe4fb6af5ec
 #1 [ffffffc029723bf0] __schedule at ffffffe4fc97a260
 #2 [ffffffc029723c50] schedule at ffffffe4fc97a598
 #3 [ffffffc029723cd0] schedule_hrtimeout_range_clock at ffffffe4fc97f2c4
 #4 [ffffffc029723d70] do_epoll_wait at ffffffe4fb98dbcc
 #5 [ffffffc029723dd0] __se_sys_epoll_pwait at ffffffe4fb98b4d8
 #6 [ffffffc029723e10] __arm64_sys_epoll_pwait at ffffffe4fb98b47c
 #7 [ffffffc029723e20] oplus_invoke_syscall at ffffffe4fb6d0500
 #8 [ffffffc029723e70] el0_svc_common at ffffffe4fb6c2eac
 #9 [ffffffc029723eb0] el0_svc_handler at ffffffe4fb6c2e04
#10 [ffffffc029723ff0] el0_svc at ffffffe4fb484e84
     PC: 000000709190f4a8   LR: 000000709032cad0   SP: 0000007ff83df7d0
    X29: 0000007ff83df920  X28: 000000006fdc3ed8  X27: 000000006fdcd218
    X26: b40000700f020240  X25: 00000070957e4000  X24: 000000007fffffff
    X23: b40000700f0890c0  X22: 00000000ffffffff  X21: 00000000ffffffff
    X20: b40000700f089168  X19: b40000700f0890c0  X18: 000000709596a000
    X17: 00000070918d176c  X16: 000000709032fdb0  X15: 0000000034155555
    X14: 003b315da2864000  X13: 000000015f34ccce  X12: 000000700f00d888
    X11: b400000000000000  X10: 0000000000000026   X9: e06b960998e9cab4
     X8: 0000000000000016   X7: 0000000000000000   X6: 0000000000000001
     X5: 0000000000000008   X4: 0000000000000000   X3: 00000000ffffffff
     X2: 0000000000000010   X1: 0000007ff83df810   X0: 000000000000003f
    ORIG_X0: 000000000000003f  SYSCALLNO: 16  PSTATE: 60001000
crash_arm64>
6.x.1 -a
6.x.1 -c cpu - set crash's context to the current process running on the given cpu
This is also a way to see which process is running on a given cpu.
crash_arm64> set -c 2
    PID: 4720
COMMAND: "Binder:2238_D"
   TASK: ffffff82b201c300  [THREAD_INFO: ffffff82b201c300]
    CPU: 2
  STATE: TASK_RUNNING (ACTIVE)
crash_arm64>
6.x.1 -p - force crash's context back to the process that panicked
crash_arm64> set -p
    PID: 5758
COMMAND: "Binder:2238_13"
   TASK: ffffff82b41b3240  [THREAD_INFO: ffffff82b41b3240]
    CPU: 6
  STATE: TASK_RUNNING (PANIC)
crash_arm64>
6.x.1 -v - show crash's current internal variables
crash_arm64> set -v
        scroll: on (/usr/bin/less)
         radix: 10 (decimal)
       refresh: on
     print_max: 256
   print_array: off
       console: (not assigned)
         debug: 0
          core: off
          hash: on
        silent: off
          edit: vi
      namelist: vmlinux
      dumpfile: /var/tmp/ramdump_elf_AyoCVL
        unwind: off
 zero_excluded: off
     null-stop: off
           gdb: off
         scope: 0 (not set)
       offline: show
       redzone: on
         error: default
crash_arm64>
6.x sig - view the signals of a process
Help information:
sig [[-l] | [-s sigset]] | [-g] [pid | taskp] ...
Example:
6.x struct/union - view the definition of a struct/union
For example, when we already know the address of a structure and want to see the values of some of its members: below, knowing where a task_struct lives, we can read its comm, pid and stack members like this
crash_arm64> struct task_struct.comm 0xffffff82b41b3240
  comm = "Binder:2238_13\000"
crash_arm64> struct task_struct.pid 0xffffff82b41b3240
  pid = 5758
crash_arm64> struct task_struct.stack 0xffffff82b41b3240
  stack = 0xffffffc02d3c8000
crash_arm64>
These two commands display a struct or union and its members; the command format is
struct struct_name[.member[,member]][-o][-l offset][-rfuxdp] [address | symbol][:cpuspec] [count | -c count]
union union_name[.member[,member]] [-o][-l offset][-rfuxdp] [address | symbol][:cpuspec] [count | -c count]
6.x.1 struct_name[.member[,member]] - the structure and members to display
member names the structure member to display; separate several members with commas
# View the definition of a structure
crash_arm64> struct sched_class
struct sched_class {
    const struct sched_class *next;
    void (*enqueue_task)(struct rq *, struct task_struct *, int);
    void (*dequeue_task)(struct rq *, struct task_struct *, int);
    void (*yield_task)(struct rq *);
    bool (*yield_to_task)(struct rq *, struct task_struct *, bool);
    void (*check_preempt_curr)(struct rq *, struct task_struct *, int);
    struct task_struct *(*pick_next_task)(struct rq *, struct task_struct *, struct rq_flags *);
    void (*put_prev_task)(struct rq *, struct task_struct *);
    int (*select_task_rq)(struct task_struct *, int, int, int, int);
    void (*migrate_task_rq)(struct task_struct *, int);
    void (*task_woken)(struct rq *, struct task_struct *);
    void (*set_cpus_allowed)(struct task_struct *, const struct cpumask *);
    void (*rq_online)(struct rq *);
    void (*rq_offline)(struct rq *);
    void (*set_curr_task)(struct rq *);
    void (*task_tick)(struct rq *, struct task_struct *, int);
    void (*task_fork)(struct task_struct *);
    void (*task_dead)(struct task_struct *);
    void (*switched_from)(struct rq *, struct task_struct *);
    void (*switched_to)(struct rq *, struct task_struct *);
    void (*prio_changed)(struct rq *, struct task_struct *, int);
    unsigned int (*get_rr_interval)(struct rq *, struct task_struct *);
    void (*update_curr)(struct rq *);
    void (*task_change_group)(struct task_struct *, int);
    void (*fixup_walt_sched_stats)(struct rq *, struct task_struct *, u16, u16);
}
SIZE: 200
crash_arm64> struct sched_class.enqueue_task    # view the offset of one member within the structure
struct sched_class {
   [8] void (*enqueue_task)(struct rq *, struct task_struct *, int);
}
6.x.1 [-o] - show member offsets
If a structure variable is named afterwards with address or symbol, the address of each member of that variable is shown instead
crash_arm64> struct -o sched_class    # show the offset of each member in the structure
struct sched_class {
     [0] const struct sched_class *next;
     [8] void (*enqueue_task)(struct rq *, struct task_struct *, int);
    [16] void (*dequeue_task)(struct rq *, struct task_struct *, int);
    [24] void (*yield_task)(struct rq *);
    [32] bool (*yield_to_task)(struct rq *, struct task_struct *, bool);
    [40] void (*check_preempt_curr)(struct rq *, struct task_struct *, int);
    [48] struct task_struct *(*pick_next_task)(struct rq *, struct task_struct *, struct rq_flags *);
    [56] void (*put_prev_task)(struct rq *, struct task_struct *);
    [64] int (*select_task_rq)(struct task_struct *, int, int, int, int);
    [72] void (*migrate_task_rq)(struct task_struct *, int);
    [80] void (*task_woken)(struct rq *, struct task_struct *);
    [88] void (*set_cpus_allowed)(struct task_struct *, const struct cpumask *);
    [96] void (*rq_online)(struct rq *);
   [104] void (*rq_offline)(struct rq *);
   [112] void (*set_curr_task)(struct rq *);
   [120] void (*task_tick)(struct rq *, struct task_struct *, int);
   [128] void (*task_fork)(struct task_struct *);
   [136] void (*task_dead)(struct task_struct *);
   [144] void (*switched_from)(struct rq *, struct task_struct *);
   [152] void (*switched_to)(struct rq *, struct task_struct *);
   [160] void (*prio_changed)(struct rq *, struct task_struct *, int);
   [168] unsigned int (*get_rr_interval)(struct rq *, struct task_struct *);
   [176] void (*update_curr)(struct rq *);
   [184] void (*task_change_group)(struct task_struct *, int);
   [192] void (*fixup_walt_sched_stats)(struct rq *, struct task_struct *, u16, u16);
}
SIZE: 200
crash_arm64> struct -o sched_class fair_sched_class    # show the address of each member of a structure variable
struct sched_class {
  [ffffff9ace00a058] const struct sched_class *next;
  [ffffff9ace00a060] void (*enqueue_task)(struct rq *, struct task_struct *, int);
  [ffffff9ace00a068] void (*dequeue_task)(struct rq *, struct task_struct *, int);
  [ffffff9ace00a070] void (*yield_task)(struct rq *);
  [ffffff9ace00a078] bool (*yield_to_task)(struct rq *, struct task_struct *, bool);
  [ffffff9ace00a080] void (*check_preempt_curr)(struct rq *, struct task_struct *, int);
  [ffffff9ace00a088] struct task_struct *(*pick_next_task)(struct rq *, struct task_struct *, struct rq_flags *);
  [ffffff9ace00a090] void (*put_prev_task)(struct rq *, struct task_struct *);
  [ffffff9ace00a098] int (*select_task_rq)(struct task_struct *, int, int, int, int);
  [ffffff9ace00a0a0] void (*migrate_task_rq)(struct task_struct *, int);
  [ffffff9ace00a0a8] void (*task_woken)(struct rq *, struct task_struct *);
  [ffffff9ace00a0b0] void (*set_cpus_allowed)(struct task_struct *, const struct cpumask *);
  [ffffff9ace00a0b8] void (*rq_online)(struct rq *);
  [ffffff9ace00a0c0] void (*rq_offline)(struct rq *);
  [ffffff9ace00a0c8] void (*set_curr_task)(struct rq *);
  [ffffff9ace00a0d0] void (*task_tick)(struct rq *, struct task_struct *, int);
  [ffffff9ace00a0d8] void (*task_fork)(struct task_struct *);
  [ffffff9ace00a0e0] void (*task_dead)(struct task_struct *);
  [ffffff9ace00a0e8] void (*switched_from)(struct rq *, struct task_struct *);
  [ffffff9ace00a0f0] void (*switched_to)(struct rq *, struct task_struct *);
  [ffffff9ace00a0f8] void (*prio_changed)(struct rq *, struct task_struct *, int);
  [ffffff9ace00a100] unsigned int (*get_rr_interval)(struct rq *, struct task_struct *);
  [ffffff9ace00a108] void (*update_curr)(struct rq *);
  [ffffff9ace00a110] void (*task_change_group)(struct task_struct *, int);
  [ffffff9ace00a118] void (*fixup_walt_sched_stats)(struct rq *, struct task_struct *, u16, u16);
}
SIZE: 200
# Given the start address of a sched_class variable, find the address of its dequeue_task member
crash_arm64> struct -o sched_class.dequeue_task 0xffffff9ace00a058
struct sched_class {
  [ffffff9ace00a068] void (*dequeue_task)(struct rq *, struct task_struct *, int);
}
6.x.1 [-l offset]
6.x.1 [-rfuxdp]
6.x.1.1 -r - show the raw data of a structure variable, i.e. as hexadecimal
crash_arm64> struct sched_class fair_sched_class -r    # show the raw data
ffffff9ace00a058:  ffffff9ace009f90 ffffff9acc724b98   .........Kr.....
ffffff9ace00a068:  ffffff9acc726f80 ffffff9acc728810   .or.......r.....
ffffff9ace00a078:  ffffff9acc728950 ffffff9acc728a18   P.r.......r.....
ffffff9ace00a088:  ffffff9acc728d28 ffffff9acc729c38   (.r.....8.r.....
ffffff9ace00a098:  ffffff9acc729c78 ffffff9acc72af70   x.r.....p.r.....
ffffff9ace00a0a8:  0000000000000000 ffffff9acc7114f8   ..........q.....
ffffff9ace00a0b8:  ffffff9acc72b088 ffffff9acc72b0a0   ..r.......r.....
ffffff9ace00a0c8:  ffffff9acc72b0b8 ffffff9acc72b0f8   ..r.......r.....
ffffff9ace00a0d8:  ffffff9acc72be40 ffffff9acc72c030   @.r.....0.r.....
ffffff9ace00a0e8:  ffffff9acc72c0b8 ffffff9acc72c138   ..r.....8.r.....
ffffff9ace00a0f8:  ffffff9acc72c1d8 ffffff9acc72c248   ..r.....H.r.....
ffffff9ace00a108:  ffffff9acc72c2a0 ffffff9acc72c2d0   ..r.......r.....
ffffff9ace00a118:  ffffff9acc72c458                    X.r.....
crash_arm64>
6.x.1.1 -f - the address that follows is an offset into the dump file
address argument is a dumpfile offset.
6.x.1.1 -u - the address that follows is a user-space address in the current process
address argument is a user virtual address in the current context.
The address that follows is
6.x.1.1 -x,d - display in hexadecimal or decimal
6.x.1.1 -p
# Given the address of a task_struct, view a member's value; the member may itself be a structure or a plain field
crash_arm64> struct task_struct.thread_info 0xffffff9ace00a058 -p
  thread_info = {
    flags = 18446743639079034768,
    padding = {18446743639052929944, 18446743639052939136, 18446743639052945424, 18446743639052945744, 18446743639052945944, 18446743639052946728, 18446743639052950584},
    addr_limit = 18446743639052950648,
    ttbr0 = 18446743639052955504,
    preempt_count = 0
  }
crash_arm64> struct task_struct.thread_info 0xffffff9ace00a058 -px
  thread_info = {
    flags = 0xffffff9ace009f90,
    padding = {0xffffff9acc724b98, 0xffffff9acc726f80, 0xffffff9acc728810, 0xffffff9acc728950, 0xffffff9acc728a18, 0xffffff9acc728d28, 0xffffff9acc729c38},
    addr_limit = 0xffffff9acc729c78,
    ttbr0 = 0xffffff9acc72af70,
    preempt_count = 0x0
  }
crash_arm64> struct task_struct.state 0xffffff9ace00a058 -px
  state = 0xffffff9acc7114f8
6.x.1 [address | symbol] - the address or variable name of the structure to display
# View how a structure variable was initialised
crash_arm64> struct sched_class fair_sched_class
struct sched_class {
  next = 0xffffff9ace009f90,
  enqueue_task = 0xffffff9acc724b98,
  dequeue_task = 0xffffff9acc726f80,
  yield_task = 0xffffff9acc728810,
  yield_to_task = 0xffffff9acc728950,
  check_preempt_curr = 0xffffff9acc728a18,
  pick_next_task = 0xffffff9acc728d28,
  put_prev_task = 0xffffff9acc729c38,
  select_task_rq = 0xffffff9acc729c78,
  migrate_task_rq = 0xffffff9acc72af70,
  task_woken = 0x0,
  set_cpus_allowed = 0xffffff9acc7114f8,
  rq_online = 0xffffff9acc72b088,
  rq_offline = 0xffffff9acc72b0a0,
  set_curr_task = 0xffffff9acc72b0b8,
  task_tick = 0xffffff9acc72b0f8,
  task_fork = 0xffffff9acc72be40,
  task_dead = 0xffffff9acc72c030,
  switched_from = 0xffffff9acc72c0b8,
  switched_to = 0xffffff9acc72c138,
  prio_changed = 0xffffff9acc72c1d8,
  get_rr_interval = 0xffffff9acc72c248,
  update_curr = 0xffffff9acc72c2a0,
  task_change_group = 0xffffff9acc72c2d0,
  fixup_walt_sched_stats = 0xffffff9acc72c458
}
# Note: when displaying a structure by address as below, make sure the address is correct; a wrong address shifts every member
crash_arm64> sym fair_sched_class    # first look up the address of the structure variable
ffffff9ace00a058 (R) fair_sched_class
crash_arm64> struct sched_class 0xffffff9ace00a058    # display the structure at that address
struct sched_class {
  next = 0xffffff9ace009f90,
  enqueue_task = 0xffffff9acc724b98,
  dequeue_task = 0xffffff9acc726f80,
  yield_task = 0xffffff9acc728810,
  yield_to_task = 0xffffff9acc728950,
  check_preempt_curr = 0xffffff9acc728a18,
  pick_next_task = 0xffffff9acc728d28,
  put_prev_task = 0xffffff9acc729c38,
  select_task_rq = 0xffffff9acc729c78,
  migrate_task_rq = 0xffffff9acc72af70,
  task_woken = 0x0,
  set_cpus_allowed = 0xffffff9acc7114f8,
  rq_online = 0xffffff9acc72b088,
  rq_offline = 0xffffff9acc72b0a0,
  set_curr_task = 0xffffff9acc72b0b8,
  task_tick = 0xffffff9acc72b0f8,
  task_fork = 0xffffff9acc72be40,
  task_dead = 0xffffff9acc72c030,
  switched_from = 0xffffff9acc72c0b8,
  switched_to = 0xffffff9acc72c138,
  prio_changed = 0xffffff9acc72c1d8,
  get_rr_interval = 0xffffff9acc72c248,
  update_curr = 0xffffff9acc72c2a0,
  task_change_group = 0xffffff9acc72c2d0,
  fixup_walt_sched_stats = 0xffffff9acc72c458
}
# Note: the address below was typed wrongly (8 bytes too high), so every member is shifted by one
crash_arm64> struct sched_class 0xffffff9ace00a060
struct sched_class {
  next = 0xffffff9acc724b98,
  enqueue_task = 0xffffff9acc726f80,
  dequeue_task = 0xffffff9acc728810,
  yield_task = 0xffffff9acc728950,
  yield_to_task = 0xffffff9acc728a18,
  check_preempt_curr = 0xffffff9acc728d28,
  pick_next_task = 0xffffff9acc729c38,
  put_prev_task = 0xffffff9acc729c78,
  select_task_rq = 0xffffff9acc72af70,
  migrate_task_rq = 0x0,
  task_woken = 0xffffff9acc7114f8,
  set_cpus_allowed = 0xffffff9acc72b088,
  rq_online = 0xffffff9acc72b0a0,
  rq_offline = 0xffffff9acc72b0b8,
  set_curr_task = 0xffffff9acc72b0f8,
  task_tick = 0xffffff9acc72be40,
  task_fork = 0xffffff9acc72c030,
  task_dead = 0xffffff9acc72c0b8,
  switched_from = 0xffffff9acc72c138,
  switched_to = 0xffffff9acc72c1d8,
  prio_changed = 0xffffff9acc72c248,
  get_rr_interval = 0xffffff9acc72c2a0,
  update_curr = 0xffffff9acc72c2d0,
  task_change_group = 0xffffff9acc72c458,
  fixup_walt_sched_stats = 0x8040200800
}
crash_arm64> p fair_sched_class    # the p command can also display a given structure
fair_sched_class = $2 = {
  next = 0xffffff9ace009f90,
  enqueue_task = 0xffffff9acc724b98,
  dequeue_task = 0xffffff9acc726f80,
  yield_task = 0xffffff9acc728810,
  yield_to_task = 0xffffff9acc728950,
  check_preempt_curr = 0xffffff9acc728a18,
  pick_next_task = 0xffffff9acc728d28,
  put_prev_task = 0xffffff9acc729c38,
  select_task_rq = 0xffffff9acc729c78,
  migrate_task_rq = 0xffffff9acc72af70,
  task_woken = 0x0,
  set_cpus_allowed = 0xffffff9acc7114f8,
  rq_online = 0xffffff9acc72b088,
  rq_offline = 0xffffff9acc72b0a0,
  set_curr_task = 0xffffff9acc72b0b8,
  task_tick = 0xffffff9acc72b0f8,
  task_fork = 0xffffff9acc72be40,
  task_dead = 0xffffff9acc72c030,
  switched_from = 0xffffff9acc72c0b8,
  switched_to = 0xffffff9acc72c138,
  prio_changed = 0xffffff9acc72c1d8,
  get_rr_interval = 0xffffff9acc72c248,
  update_curr = 0xffffff9acc72c2a0,
  task_change_group = 0xffffff9acc72c2d0,
  fixup_walt_sched_stats = 0xffffff9acc72c458
}
6.x.1 [:cpuspec] - when displaying a percpu variable, selects which cpu's copy to show
The format is:
CPU specification for a per-cpu address or symbol:
  :          CPU of the currently selected task.
  :a[ll]     all CPUs.
  :#[-#][,...]  CPU list(s), e.g. "1,3,5", "1-3", or "1,3,5-7,10".
Examples:
# Reading a percpu variable: taking the rq variable runqueues as the example, we look at rq->cpu
crash_arm64> struct rq.cpu runqueues:all    # show the percpu variable on every cpu
  [0]: ffffffddb5c33f40
  cpu = 0
  [1]: ffffffddb5e2af40
  cpu = 1
  [2]: ffffffddb6021f40
  cpu = 2
  [3]: ffffffddb6218f40
  cpu = 3
  [4]: ffffffddb640ff40
  cpu = 4
  [5]: ffffffddb6606f40
  cpu = 5
  [6]: ffffffddb67fdf40
  cpu = 6
  [7]: ffffffddb69f4f40
  cpu = 7
crash_arm64> struct rq.cpu runqueues:4    # show only cpu 4's copy
  [4]: ffffffddb640ff40
  cpu = 4
crash_arm64> struct rq.cpu runqueues:4-6    # show the copies on cpus 4 to 6
  [4]: ffffffddb640ff40
  cpu = 4
  [5]: ffffffddb6606f40
  cpu = 5
  [6]: ffffffddb67fdf40
  cpu = 6
crash_arm64>
6.x.1 [count | -c count] - display count consecutive structures of this type
# The example below assumes there are at least 4 consecutive page structures at address c101196c,
# and shows the flags and virtual members of those 4 page structures
crash_arm64> struct page.flags,virtual c101196c 4
  flags = 0x8000,
  virtual = 0xc04b0000

  flags = 0x8000,
  virtual = 0xc04b1000

  flags = 0x8000,
  virtual = 0xc04b2000

  flags = 0x8000,
  virtual = 0xc04b3000
# The example below shows tcp_slt_array, an array of tcp_sl_timer structures
Display the array of tcp_sl_timer structures declared by tcp_slt_array[]:
crash_arm64> struct tcp_sl_timer tcp_slt_array 4
struct tcp_sl_timer {
  count = {
    counter = 0x0
  },
  period = 0x32,
  last = 0x1419e4,
  handler = 0xc0164854 <tcp_syn_recv_timer>
}
struct tcp_sl_timer {
  count = {
    counter = 0x2
  },
  period = 0x753,
  last = 0x14a6df,
  handler = 0xc01645b0 <tcp_keepalive>
}
struct tcp_sl_timer {
  count = {
    counter = 0x0
  },
  period = 0x2ee,
  last = 0x143134,
  handler = 0xc016447c <tcp_twkill>
}
struct tcp_sl_timer {
  count = {
    counter = 0x0
  },
  period = 0x64,
  last = 0x143198,
  handler = 0xc0164404 <tcp_bucketgc>
}
# Show 2 consecutive structures, in hexadecimal
crash_arm64> struct i2c_device_id 0xffffff9acc728810 -x 2
struct i2c_device_id {
  name = "\375{\275\251\365\v\000\371\375\003\000\221\364O\002\251\363\003\000\252",
  driver_data = 0x7100051fb9405268
}
struct i2c_device_id {
  name = "\300\a\000Th\376D\371\024-A\371\025\001\004\221\225\001\000\264",
  driver_data = 0x54000121eb15013f
}
6.x swap - view swap device information (not analysed yet)
Example:
SWAP_INFO_STRUCT    TYPE       SIZE       USED   PCT  PRI    FILENAME
ffffff80f13b8600  PARTITION  4194300k       0k    0%  32758  /first_stage_ramdisk/dev/block/zram0
ffffff82c0ab0200  PARTITION  3145724k       0k    0%   2020  /first_stage_ramdisk/dev/block/loop27
6.x sym - look up the value of a symbol
Help information:
sym [-l] | [-M] | [-m module] | [-p|-n] | [-q string] | [symbol | vaddr]
6.x.1 [-l] - list every symbol in the system together with its value
crash_arm64> sym -l
ffffffe4fb480000 (t) __efistub__text
ffffffe4fb480000 (t) _head
ffffffe4fb480000 (T) _text
ffffffe4fb480040 (t) pe_header
ffffffe4fb480044 (t) coff_header
ffffffe4fb480058 (t) optional_header
ffffffe4fb480070 (t) extra_header_fields
ffffffe4fb4800f8 (t) section_table
ffffffe4fb481000 (T) __exception_text_start
ffffffe4fb481000 (T) _stext
ffffffe4fb481000 (t) efi_header_end
ffffffe4fb481000 (t) sun4i_handle_irq
ffffffe4fb4810a8 (T) do_undefinstr
ffffffe4fb481100 (T) do_cp15instr
ffffffe4fb481330 (T) do_sysinstr
ffffffe4fb4814a8 (T) do_mem_abort
ffffffe4fb48159c (T) do_el0_irq_bp_hardening
ffffffe4fb481630 (T) do_el0_ia_bp_hardening
ffffffe4fb48171c (T) do_sp_pc_abort
ffffffe4fb481828 (T) do_debug_exception
6.x.1 [-M] - list the symbols of the currently loaded ko modules
crash_arm64> sym -M
 ffffffe49e525000 MODULE START: msm_drm
 ffffffe49e528000 (T) __cfi_check
 ffffffe49e52fb78 (T) msm_open$652b98aaf06c4494928582f508baa34c.cfi_jt
 ffffffe49e52fb7c (?) sde_rsc_client_create
 ffffffe49e52fb7c (T) sde_rsc_client_create.cfi_jt
 ffffffe49e52fb80 (T) __typeid__ZTSFvP9sde_hw_dsjE_global_addr
 ffffffe49e52fb80 (T) sde_hw_ds_setup_opmode$39735110a481dcbb705d3ab40dcda592.cfi_jt
 ffffffe49e52fb84 (T) dp_link_send_psm_request$801106114eb10dcea6703d8a65848e5a.cfi_jt
 ffffffe49e52fb88 (T) __typeid__ZTSFvP12sde_hw_mixerP16sde_hw_mixer_cfgE_global_addr
 ffffffe49e52fb88 (T) sde_hw_lm_setup_out$41a075a1ff0c823edc9e8698b39ad30c.cfi_jt
 ffffffe49e52fb8c (T) __typeid__ZTSFiP14dp_catalog_auxbE_global_addr
6.x.1 [-m module] - list the symbols of a given ko module
crash_arm64> sym -m qcom_edac
 ffffffe49e950000 MODULE START: qcom_edac
 ffffffe49e951000 (T) __cfi_check
 ffffffe49e9510f8 (T) cleanup_module.cfi_jt
 ffffffe49e9510fc (T) init_module.cfi_jt
 ffffffe49e951100 (T) llcc_ecc_irq_handler$ac29f208fd07f28460a5dd7ae18fd394.cfi_jt
 ffffffe49e951104 (T) qcom_llcc_poll_cache_errors$ac29f208fd07f28460a5dd7ae18fd394.cfi_jt
 ffffffe49e951108 (T) qcom_llcc_edac_probe$ac29f208fd07f28460a5dd7ae18fd394.cfi_jt
 ffffffe49e95110c (T) qcom_llcc_edac_remove$ac29f208fd07f28460a5dd7ae18fd394.cfi_jt
 ffffffe49e951110 (T) qcom_llcc_edac_probe$ac29f208fd07f28460a5dd7ae18fd394
 ffffffe49e95132c (T) qcom_llcc_edac_remove$ac29f208fd07f28460a5dd7ae18fd394
 ffffffe49e951364 (T) qcom_llcc_poll_cache_errors$ac29f208fd07f28460a5dd7ae18fd394
 ffffffe49e951384 (T) llcc_ecc_irq_handler$ac29f208fd07f28460a5dd7ae18fd394
 ffffffe49e951508 (t) dump_syn_reg
 ffffffe49e9517a4 (") __cfi_check_fail
 ffffffe49e9517bc (T) cleanup_module
 ffffffe49e952004 (?) __param_str_poll_msec
 ffffffe49e9522b0 (?) edac_reg_data
 ffffffe49e952370 (?) __param_poll_msec
 ffffffe49e952398 (?) _note_6
 ffffffe49e953000 (?) poll_msec
 ffffffe49e953008 (?) qcom_llcc_edac_driver
 ffffffe49e953100 (?) __this_module
 ffffffe49e955000 MODULE END: qcom_edac
6.x.1 [-p|-n] - show the symbols immediately before and after a given symbol
This is a way to find out which variables sit next to a given variable, and so whether an overflow of it would spill into them
crash_arm64> sym -pn jiffies
ffffffe4fdc75180 (d) bit_wait_table
ffffffe4fdc76980 (D) jiffies
ffffffe4fdc769c0 (D) jiffies_lock
crash_arm64>
6.x.1 [-q string] - show every symbol whose name contains the given string
crash_arm64> sym -q init
ffffffe4fb48bc54 (t) mac_init
ffffffe4fb48d838 (t) essiv_cbc_init_tfm
ffffffe4fb48d8f4 (t) sha256_base_init
ffffffe4fb48dc50 (t) sha224_base_init
ffffffe4fb48e6dc (t) bm_init_fs_context
ffffffe4fb4ca654 (t) ovl_inode_init_once
ffffffe4fb4cc82c (t) ramoops_init_przs
ffffffe4fb4ccab0 (t) ramoops_init_prz
ffffffe4fb4cd960 (t) rsa_init
ffffffe4fb4ce684 (t) cmac_init_tfm
ffffffe4fb4ce6f0 (t) crypto_cmac_digest_init
ffffffe4fb4ced9c (t) hmac_init_tfm
ffffffe4fb4cee8c (t) hmac_init
ffffffe4fb4d01c4 (t) crypto_cts_init_tfm
ffffffe4fb4d0d4c (t) init_tfm
ffffffe4fb4d1dec (t) crypto_rfc3686_init_tfm
ffffffe4fb4d281c (t) adiantum_init_tfm
ffffffe4fb4d3440 (t) crypto_rfc4543_init_tfm
ffffffe4fb4d37e8 (t) crypto_rfc4106_init_tfm
ffffffe4fb4d3ee4 (t) crypto_gcm_init_tfm
6.x.1 [symbol | vaddr] - the symbol name or virtual address to look up
crash_arm64> sym jiffies
ffffffe4fdc76980 (D) jiffies
crash_arm64> sym fair_sched_class
ffffffe4fd5421c0 (R) fair_sched_class
crash_arm64> sym init_cfs_rq
ffffffe4fb72d9b0 (T) init_cfs_rq /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/sched/fair.c: 12231
# Passing an address instead of a name works too: sym tells you which symbol the address falls in,
# with the offset into it and (when debug info is available) the source file and line.
crash_arm64> sym ffffffe4fb72d9b0
ffffffe4fb72d9b0 (T) init_cfs_rq /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/kernel/sched/fair.c: 12231
crash_arm64> sym ffffffe4fb6af5ec
ffffffe4fb6af5ec (T) __switch_to+772 /work/code/master/user/20210809013330-sm8350-11-2021080805170126-user-1628474006440/source/android/kernel/msm-5.4/arch/arm64/kernel/process.c: 572
crash_arm64>
6.x sys - show system information
Help text:
sys [-c [name|number]] [-t] [-i] config
6.x.1 No arguments
Prints the same summary crash shows at start-up: kernel image, dump files, CPU count, date, uptime, load, task count, utsname fields, memory size and the panic message.
crash_arm64> sys
      KERNEL: vmlinux
   DUMPFILES: /var/tmp/ramdump_elf_AyoCVL [temporary ELF header]
              DDRCS0_0.BIN
              DDRCS0_1.BIN
              DDRCS0_2.BIN
              DDRCS1_0.BIN
              DDRCS1_1.BIN
              DDRCS1_2.BIN
        CPUS: 8 [OFFLINE: 6]
        DATE: Mon Aug 16 10:23:25 CST 2021
      UPTIME: 00:05:00
LOAD AVERAGE: 8.47, 5.68, 2.54
       TASKS: 5071
    NODENAME: localhost
     RELEASE: 5.4.86-qgki-g7686eabaea37
     VERSION: #25 SMP PREEMPT Mon Aug 16 02:00:04 UTC 2021
     MACHINE: aarch64  (unknown Mhz)
      MEMORY: 11.3 GB
       PANIC: " (0)[14385:Jit thread pool][20210816_10:23:25.795954]@0 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000064"
# list every entry of sys_call_table
crash_arm64> sys -c
NUM  SYSTEM CALL                FILE AND LINE NUMBER
  0  __arm64_sys_io_setup.cfi_jt
  1  __arm64_sys_io_destroy.cfi_jt
  2  __arm64_sys_io_submit.cfi_jt
  3  __arm64_sys_io_cancel.cfi_jt
  4  __arm64_sys_io_submit.cfi_jt
  5  __arm64_sys_setxattr.cfi_jt
  6  __arm64_sys_lsetxattr.cfi_jt
  7  __arm64_sys_fsetxattr.cfi_jt
  8  __arm64_sys_getxattr.cfi_jt
# look up one system call. The name is matched as a substring, and arm64 has no plain open syscall
# (only openat), which is why "sys_open" returns these three entries.
crash_arm64> sys -c sys_open
NUM  SYSTEM CALL                FILE AND LINE NUMBER
 56  __arm64_sys_openat.cfi_jt
265  __arm64_sys_open_by_handle_at.cfi_jt
428  __arm64_sys_open_tree.cfi_jt
crash_arm64>
# sys_call_table is a classic rootkit hook point. On a healthy arm64 kernel every slot resolves to a
# SYSCALL_DEFINEx wrapper named __arm64_sys_<name> (unimplemented slots to __arm64_sys_ni_syscall);
# here each one additionally carries the .cfi_jt stub suffix. A slot that resolves to a module symbol,
# a raw address, or any other function deserves a dis. A hook that patches the first instructions of
# a genuine handler leaves the table intact, so dis the handler bodies as well when in doubt.
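The table check above, as an added Python example (not code from the original post or from crash). It parses a `sys -c` listing and reports every slot that does not resolve to an `__arm64_sys_*` wrapper after stripping the CFI/LTO suffixes. Slots 0 to 5 of the sample are copied from the listing above; slots 6 and 7 are constructed for this example to show what a diverted entry would look like, and the exact text crash prints for an address it cannot resolve is an assumption here (the parser accepts a bare hex address).

```python
import re

# Constructed sample: slots 0-5 are copied from the `sys -c` output above; slots 6 and 7
# are invented for this example (a symbol that is not an arm64 syscall wrapper, and an
# address crash could not resolve to any symbol). Real listings carry a prompt line and
# may carry file:line columns; neither affects the parser.
SYS_C_OUTPUT = """\
NUM  SYSTEM CALL                FILE AND LINE NUMBER
  0  __arm64_sys_io_setup.cfi_jt
  1  __arm64_sys_io_destroy.cfi_jt
  2  __arm64_sys_io_submit.cfi_jt
  3  __arm64_sys_io_cancel.cfi_jt
  4  __arm64_sys_io_getevents.cfi_jt
  5  __arm64_sys_setxattr.cfi_jt
  6  rk_setxattr_hook
  7  ffffffe49e9a0000
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)", re.M)          # "<num> <symbol> ..."
HEX_ADDR = re.compile(r"^[0-9a-fA-F]{8,16}$")           # an unresolved slot
# Suffixes added by Clang CFI / LTO on this kernel; strip before judging the name.
CFI_NOISE = re.compile(r"(\$[0-9a-f]{32})?(\.cfi_jt)?$")

# Every in-kernel arm64 handler is a SYSCALL_DEFINEx wrapper named __arm64_sys_<name>;
# unimplemented slots point at __arm64_sys_ni_syscall, which shares the prefix.
EXPECTED_PREFIXES = ("__arm64_sys_",)


def parse_sys_c(output):
    """Return [(slot_number, symbol)] for every table slot in a `sys -c` listing."""
    return [(int(num), sym) for num, sym in ENTRY.findall(output)]


def audit_syscall_table(output, prefixes=EXPECTED_PREFIXES):
    """Return [(slot, symbol, reason)] for slots not pointing at a kernel syscall
    wrapper. A clean table yields []."""
    findings = []
    for slot, sym in parse_sys_c(output):
        if HEX_ADDR.match(sym):
            findings.append((slot, sym, "unresolved address"))
            continue
        base = CFI_NOISE.sub("", sym)
        if not base.startswith(prefixes):
            findings.append((slot, sym, "not a syscall wrapper"))
    return findings


if __name__ == "__main__":
    for slot, sym, why in audit_syscall_table(SYS_C_OUTPUT):
        print(f"slot {slot:4d}: {sym:40s} {why}")
```

`sys -c` walks the native `sys_call_table` only; the 32-bit compat table on arm64 (`compat_sys_call_table`) has to be read separately, for instance with `rd`, and its wrappers carry the `__arm64_compat_sys_` prefix, which you would pass in `prefixes`.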
6.x.1 [-t]
6.x.1 [-i]
6.x.1 config - dump the kernel's CONFIG_XXX settings
Extremely useful: you get the exact .config the crashed kernel was built with, straight from the dump (hardening options such as CONFIG_CFI_CLANG or the KASAN/SLUB debug switches included). It only works when the kernel was built with CONFIG_IKCONFIG, which embeds the config in the image; otherwise crash reports that no config data is available.
crash_arm64> sys config
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 5.4.86 Kernel Configuration
#

#
# Compiler: Android (6877366 based on r383902b1) clang version 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)
#
CONFIG_OPLUS_SYSTEM_KERNEL_QCOM=y
# CONFIG_OPLUS_SYSTEM_KERNEL_MTK is not set
# CONFIG_OPLUS_AGING_DEBUG is not set
# CONFIG_OPLUS_KASAN_DEBUG is not set
# CONFIG_OPLUS_KMEMLEAK_DEBUG is not set
# CONFIG_OPLUS_SLUB_DEBUG is not set
# CONFIG_OPLUS_PAGEOWNER_DEBUG is not set
CONFIG_CC_VERSION_TEXT="Android (6877366 based on r383902b1) clang version 11.0.2 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79)"
CONFIG_GCC_VERSION=0
CONFIG_CC_IS_CLANG=y
CONFIG_LD_IS_LLD=y
CONFIG_CLANG_VERSION=110002
CONFIG_CC_CAN_LINK=y
CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_EXTABLE_SORT=y
6.x task - show the task_struct and thread_info of a task
Help text:
task [-R member[,member]] [-dx] [pid | taskp] ...
6.x.1 No arguments - show the task of crash's current context
The whole task_struct is dumped, which runs to thousands of lines; the output below is cut after the embedded thread_info.
crash_arm64> task
PID: 5758   TASK: ffffff82b41b3240  CPU: 6   COMMAND: "Binder:2238_13"
struct task_struct {
  thread_info = {
    flags = 67110954,
    addr_limit = 549755813887,
    ttbr0 = 2730037248,
    {
      preempt_count = 4295032836,
      preempt = {
        count = 65540,
        need_resched = 1
      }
# addr_limit = 549755813887 is 0x7fffffffff, the user-space limit (USER_DS) on a 39-bit-VA arm64
# kernel. A task whose addr_limit reads 0xffffffffffffffff (KERNEL_DS) while it is executing user
# code has had set_fs() left elevated, a classic post-exploitation state worth checking for here.
6.x.1 [-R member[,member]] - show only the given members
Nested members are addressed with dots (se.on_rq), several members are separated by commas. When no task is given, the task of crash's current context is used.
crash_arm64> task -R comm
PID: 5758   TASK: ffffff82b41b3240  CPU: 6   COMMAND: "Binder:2238_13"
  comm = "Binder:2238_13\000",
crash_arm64> task -R se.on_rq
PID: 5758   TASK: ffffff82b41b3240  CPU: 6   COMMAND: "Binder:2238_13"
  se.on_rq = 1,
crash_arm64> task -R se.on_rq,comm
PID: 5758   TASK: ffffff82b41b3240  CPU: 6   COMMAND: "Binder:2238_13"
  se.on_rq = 1,
  comm = "Binder:2238_13\000",
crash_arm64>
6.x.1 [-d | -x] - print member values in decimal or hexadecimal
6.x.1 [pid | taskp] - which task to show, by PID or by task_struct address
crash_arm64> task -R se.on_rq,comm 4460
PID: 4460   TASK: ffffff82d376d3c0  CPU: 5   COMMAND: "ndroid.launcher"
  se.on_rq = 0,
  comm = "ndroid.launcher",
crash_arm64> task -R se.on_rq,comm ffffff82d376d3c0
PID: 4460   TASK: ffffff82d376d3c0  CPU: 5   COMMAND: "ndroid.launcher"
  se.on_rq = 0,
  comm = "ndroid.launcher",
crash_arm64>
6.x timer - show the kernel's (jiffies-based) software timers
Help text:
timer [-r][-C cpu]
6.x.1 No arguments
Shows the current jiffies value and, for each per-CPU timer base, the pending timers: EXPIRES is the jiffies value at which the timer fires, TTE (time to expire) is EXPIRES minus the current jiffies, TIMER_LIST is the address of the timer_list, and FUNCTION is its callback. A negative TTE means the timer was already past due when the dump was taken; a base with several such entries while other CPUs are current suggests that CPU stopped servicing its timer softirq, which is worth cross-checking with bt -c on that CPU.
crash_arm64> timer
JIFFIES
4294967297

TIMER_BASES[0][BASE_STD]: ffffff82f2415240
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  4294967308   11        ffffff80b69513a0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294968000   703       ffffff82c7ad03b0  ffffffe4fc9a8884  <blk_rq_timed_out_timer$4fc695cdd5c41595837c2e5534214bdf.cfi_jt>
  4294968250   953       ffffff809e41e7c8  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294968356   1059      ffffff80be3eb158  ffffffe4fc9a8938  <qcom_wdt_pet_task_wakeup$d100cbd411b5ac9653548537e28bb3f1.cfi_jt>
  4294980609   13312     ffffff80df181348  ffffffe4fc9a88a8  <tw_timer_handler$314b122d11b29ca078365e2893caeb3d.cfi_jt>
TIMER_BASES[0][BASE_DEF]: ffffff82f24164c0
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  (none)

TIMER_BASES[1][BASE_STD]: ffffff82f2453240
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  4294963442   -3855     ffffff82c5baa668  ffffffe4fc9a889c  <addrconf_rs_timer$ffc1c6d11efcd228b58c5d2babb75035.cfi_jt>
  4294967247   -50       ffffffc025eb3d38  ffffffe4fc9a87d0  <process_timeout$e4fd1098c6295426ae797d74cf690c4c.cfi_jt>
  4294967490   193       ffffffe4fe38feb0  ffffffe4fc9a8864  <oppo_sla_timer_function$35e6e6f60f3eb977d0bb8be949b9a7d4.cfi_jt>
  4294968226   929       ffffffe4fe3929f8  ffffffe4fc9a88d8  <apps_monitor_timer_function$39671692f83e613a8050350a1eea3174.cfi_jt>
  4294968247   950       ffffff809e41c298  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294968472   1175      ffffffe4fdddc1b0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294969676   2379      ffffffe4fe35fda0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294970463   3166      ffffff829fd11b60  ffffffe4fc9a88a8  <tw_timer_handler$314b122d11b29ca078365e2893caeb3d.cfi_jt>
  4294970490   3193      ffffff829fd10a08  ffffffe4fc9a88a8  <tw_timer_handler$314b122d11b29ca078365e2893caeb3d.cfi_jt>
  4294971043   3746      ffffff81e4ef0810  ffffffe4fc9a8748  <add_timer.cfi_jt+8>
  4294975405   8108      ffffff80bfd136c0  ffffffe4fc9a88a8  <tw_timer_handler$314b122d11b29ca078365e2893caeb3d.cfi_jt>
  4294983997   16700     ffffffe4fdf1b6d0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294989830   22533     ffffffc0287a3d68  ffffffe4fc9a87d0  <process_timeout$e4fd1098c6295426ae797d74cf690c4c.cfi_jt>
  4295022012   54715     ffffff80b7c61668  ffffffe4fc9a889c  <addrconf_rs_timer$ffc1c6d11efcd228b58c5d2babb75035.cfi_jt>
  4295123598   156301    ffffff80b69ca298  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4295792733   825436    ffffffe4fddd7cb0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4295792734   825437    ffffffe4fe349408  ffffffe4fc9a8894  <ns_life_ctrl_timer$32c1e54a4ff0062cb838db048e1071f2.cfi_jt>
  4305692724   10725427  ffffffe4fdda4b50  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
TIMER_BASES[1][BASE_DEF]: ffffff82f24544c0
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  (none)

TIMER_BASES[2][BASE_STD]: ffffff82f2491240
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  4294969744   2447      ffffff809e071440  ffffffe4fc9a8950  <dev_watchdog$9fe0fbb7a3db82b6da38c9b233e73bb8.cfi_jt>
  4294997244   29947     ffffffe4fdf195e8  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
TIMER_BASES[2][BASE_DEF]: ffffff82f24924c0
  EXPIRES      TTE       TIMER_LIST        FUNCTION
  (none)
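The past-due check described above, as an added Python example (not code from the original post or from crash). It parses a `timer` listing, recomputes TTE from EXPIRES and JIFFIES instead of trusting the column, strips the CFI/LTO suffixes from the callback names, and groups the overdue timers by CPU. The sample is a subset of the `timer` output above (CPU 0 and the first three CPU 1 entries), pasted verbatim; converting jiffies to seconds would need CONFIG_HZ from `sys config`, which the example deliberately does not assume.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `timer` output shown above, pasted verbatim.
TIMER_OUTPUT = """\
JIFFIES
4294967297

TIMER_BASES[0][BASE_STD]: ffffff82f2415240
  EXPIRES      TTE   TIMER_LIST        FUNCTION
  4294967308   11    ffffff80b69513a0  ffffffe4fc9a871c  <delayed_work_timer_fn.cfi_jt>
  4294968000   703   ffffff82c7ad03b0  ffffffe4fc9a8884  <blk_rq_timed_out_timer$4fc695cdd5c41595837c2e5534214bdf.cfi_jt>
TIMER_BASES[0][BASE_DEF]: ffffff82f24164c0
  EXPIRES      TTE   TIMER_LIST        FUNCTION
  (none)

TIMER_BASES[1][BASE_STD]: ffffff82f2453240
  EXPIRES      TTE   TIMER_LIST        FUNCTION
  4294963442   -3855 ffffff82c5baa668  ffffffe4fc9a889c  <addrconf_rs_timer$ffc1c6d11efcd228b58c5d2babb75035.cfi_jt>
  4294967247   -50   ffffffc025eb3d38  ffffffe4fc9a87d0  <process_timeout$e4fd1098c6295426ae797d74cf690c4c.cfi_jt>
  4294967490   193   ffffffe4fe38feb0  ffffffe4fc9a8864  <oppo_sla_timer_function$35e6e6f60f3eb977d0bb8be949b9a7d4.cfi_jt>
"""

JIFFIES_LINE = re.compile(r"JIFFIES\s+(\d+)")
BASE_LINE = re.compile(r"^TIMER_BASES\[(\d+)\]\[(\w+)\]:\s*([0-9a-f]+)")
# EXPIRES TTE TIMER_LIST FUNC_ADDR <symbol>
ENTRY_LINE = re.compile(
    r"^\s*(\d+)\s+(-?\d+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+<([^>]+)>")
CFI_NOISE = re.compile(r"\$[0-9a-f]{32}|\.cfi_jt")   # Clang LTO / CFI suffixes


def clean_func(sym):
    """'addrconf_rs_timer$ffc1...cfi_jt' -> 'addrconf_rs_timer'; a +offset is kept."""
    return CFI_NOISE.sub("", sym)


def parse_timer(output):
    """Return (jiffies, [entry, ...]); each entry is a dict with cpu, base, expires,
    tte, timer_list, func_addr and func. Header and '(none)' lines are skipped."""
    jiffies = int(JIFFIES_LINE.search(output).group(1))
    entries, cpu, base = [], None, None
    for line in output.splitlines():
        m = BASE_LINE.match(line)
        if m:
            cpu, base = int(m.group(1)), m.group(2)
            continue
        m = ENTRY_LINE.match(line)
        if m and cpu is not None:
            entries.append({
                "cpu": cpu, "base": base,
                "expires": int(m.group(1)), "tte": int(m.group(2)),
                "timer_list": int(m.group(3), 16), "func_addr": int(m.group(4), 16),
                "func": clean_func(m.group(5)),
            })
    return jiffies, entries


def tte_consistent(jiffies, entries):
    """Sanity check on the parse: crash's TTE column must equal EXPIRES - JIFFIES."""
    return all(e["tte"] == e["expires"] - jiffies for e in entries)


def overdue(jiffies, entries):
    """{cpu: [(callback, jiffies_late), ...]} for timers already past due at dump time."""
    late = defaultdict(list)
    for e in entries:
        jiffies_late = jiffies - e["expires"]
        if jiffies_late > 0:
            late[e["cpu"]].append((e["func"], jiffies_late))
    return dict(late)


if __name__ == "__main__":
    jiffies, entries = parse_timer(TIMER_OUTPUT)
    print("jiffies:", jiffies, "entries:", len(entries), "TTE consistent:", tte_consistent(jiffies, entries))
    for cpu, timers in sorted(overdue(jiffies, entries).items()):
        for func, late in timers:
            print(f"CPU {cpu}: {func} is {late} jiffies overdue")
```

On the sample, CPU 0 has nothing overdue while CPU 1 carries addrconf_rs_timer (3855 jiffies late) and process_timeout (50 jiffies late), which is the pattern that tells you where to look first.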
6.x.1 [-r] - show the hrtimers (high-resolution timers) instead
Per CPU and per clock base, sorted by expiry time. The values are nanoseconds on that clock base: CURRENT is the clock's value at dump time (300004000000 ns here, matching the 00:05:00 uptime reported by sys), SOFTEXPIRES and EXPIRES are the soft and hard expiry times, TTE is EXPIRES minus CURRENT, HRTIMER is the address of the hrtimer, and FUNCTION its callback.
crash_arm64> timer -r
CPU: 0  HRTIMER_CPU_BASE: ffffff82f2417740
  CLOCK: 0  HRTIMER_CLOCK_BASE: ffffff82f2417780  [ktime_get.cfi_jt]
  CURRENT
  300004000000
  SOFTEXPIRES     EXPIRES         TTE         HRTIMER           FUNCTION
  300061347280    300061542279    57542279    ffffffc03371bc78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  300068276916    300073276916    69276916    ffffffc027323c78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  300153003009    300158003009    154003009   ffffffc03626bcd8  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  300398281000    300398281000    394281000   ffffff82d4143e00  ffffffe4fc9a71fc  <timerfd_tmrproc$0b52575b05e631a902b23813bbdc9c3d.cfi_jt>
  300623357482    300628357482    624357482   ffffffc034ff3cd8  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  301057781812    301075761809    1071761809  ffffffc03246bc78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  301653638831    301653688831    1649688831  ffffffc02c4b3cd8  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  301814488481    301824488480    1820488480  ffffffc027ae3c78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  302334115927    302334165927    2330165927  ffffffc016e33d98  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  302487089207    302492089207    2488089207  ffffffc035c1bc78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  302901973895    302904930894    2900930894  ffffffc02ae93c78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  303048442697    303053442697    3049442697  ffffffc033173cd8  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  303594980727    303594980727    3590980727  ffffff80bc4dc300  ffffffe4fc9a71fc  <timerfd_tmrproc$0b52575b05e631a902b23813bbdc9c3d.cfi_jt>
  303602120310    303602120310    3598120310  ffffff80bc1cf300  ffffffe4fc9a71fc  <timerfd_tmrproc$0b52575b05e631a902b23813bbdc9c3d.cfi_jt>
  303603272133    303603272133    3599272133  ffffff80bc1cf000  ffffffe4fc9a71fc  <timerfd_tmrproc$0b52575b05e631a902b23813bbdc9c3d.cfi_jt>
  303804691657    303804741657    3800741657  ffffffc034f9bcd8  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  304459637384    304464637384    4460637384  ffffffc03490bc78  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
  304550771967    304555771961    4551771961  ffffffc0354d3928  ffffffe4fc9a7200  <hrtimer_wakeup$1b13361d2920a7369bc90e7a164f4989.cfi_jt>
6.x.1 [-C cpu] - only show the timers of the given CPU
6.x tree - show the contents of an rb-tree or radix tree (not covered yet)
Help text:
Example:
6.x vm - show a task's virtual memory information (not covered yet)
Help text:
6.x waitq - show the tasks on a given wait queue
This command walks the given wait queue and prints the tasks sleeping on it.
Help text:
waitq [ symbol ] | [ struct.member struct_addr ] | [ address ]
6.x.1 [ symbol ] - the wait queue to walk, given by symbol name
6.x.1 [ struct.member struct_addr ] - a wait queue embedded as member in a structure whose address is known
6.x.1 [ address ] - the address of the wait queue itself
The three examples below are the ones from crash's own help text (hence the 32-bit x86 addresses), with the prompt changed.

Find out if any tasks are blocked on the "buffer_wait" wait queue:
# which tasks are stuck on the buffer_wait wait queue?
crash_arm64> waitq buffer_wait
wait queue "buffer_wait" (c02927f0) is empty

See who is blocked on the "wait_chldexit" queue of task c5496000:
# the task_struct lives at c5496000; which tasks are stuck on the wait_chldexit queue embedded in it?
crash_arm64> waitq task_struct.wait_chldexit c5496000
PID: 30879  TASK: c5496000  CPU: 0   COMMAND: "bash"

Display the tasks waiting on a wait queue whose address is known:
crash_arm64> waitq c3534098
PID: 13691  TASK: c3534000  CPU: 1   COMMAND: "bash"
6.x whatis - show the definition of a structure, union, typedef or symbol
Help text:
whatis [[-o] [struct | union | typedef | symbol]] | [[-r [size|range]] [-m member]]
6.x.1 [-o] - show each member's byte offset
The offsets are what you need to read a single member out of a raw address with rd, or to interpret a faulting address as "this many bytes into that structure".
crash_arm64> whatis -o sched_class
struct sched_class {
    [0] const struct sched_class *next;
    [8] void (*enqueue_task)(struct rq *, struct task_struct *, int);
   [16] void (*dequeue_task)(struct rq *, struct task_struct *, int);
   [24] void (*yield_task)(struct rq *);
   [32] bool (*yield_to_task)(struct rq *, struct task_struct *, bool);
   [40] void (*check_preempt_curr)(struct rq *, struct task_struct *, int);
   [48] struct task_struct *(*pick_next_task)(struct rq *, struct task_struct *, struct rq_flags *);
   [56] void (*put_prev_task)(struct rq *, struct task_struct *);
   [64] int (*select_task_rq)(struct task_struct *, int, int, int, int);
   [72] void (*migrate_task_rq)(struct task_struct *, int);
   [80] void (*task_woken)(struct rq *, struct task_struct *);
   [88] void (*set_cpus_allowed)(struct task_struct *, const struct cpumask *);
   [96] void (*rq_online)(struct rq *);
  [104] void (*rq_offline)(struct rq *);
  [112] void (*set_curr_task)(struct rq *);
  [120] void (*task_tick)(struct rq *, struct task_struct *, int);
  [128] void (*task_fork)(struct task_struct *);
  [136] void (*task_dead)(struct task_struct *);
  [144] void (*switched_from)(struct rq *, struct task_struct *);
  [152] void (*switched_to)(struct rq *, struct task_struct *);
  [160] void (*prio_changed)(struct rq *, struct task_struct *, int);
  [168] unsigned int (*get_rr_interval)(struct rq *, struct task_struct *);
  [176] void (*update_curr)(struct rq *);
  [184] void (*task_change_group)(struct task_struct *, int);
  [192] void (*fixup_walt_sched_stats)(struct rq *, struct task_struct *, u16, u16);
}
SIZE: 200
6.x.1 [struct | union | typedef | symbol] - the type or variable to describe
struct, union and typedef take the name of a type, e.g. task_struct or u64; symbol takes the name of a variable or function, e.g. fair_sched_class, and whatis reports its type.
# what a typedef resolves to
crash_arm64> whatis u64
typedef unsigned long long u64;
SIZE: 8
# what type a variable has
crash_arm64> whatis fair_sched_class
const struct sched_class fair_sched_class;
# a function's prototype
crash_arm64> whatis enqueue_task_fair
void enqueue_task_fair(struct rq *, struct task_struct *, int);
# the members of a structure
crash_arm64> whatis sched_class
struct sched_class {
    const struct sched_class *next;
    void (*enqueue_task)(struct rq *, struct task_struct *, int);
    void (*dequeue_task)(struct rq *, struct task_struct *, int);
    void (*yield_task)(struct rq *);
    bool (*yield_to_task)(struct rq *, struct task_struct *, bool);
    void (*check_preempt_curr)(struct rq *, struct task_struct *, int);
    struct task_struct *(*pick_next_task)(struct rq *, struct task_struct *, struct rq_flags *);
    void (*put_prev_task)(struct rq *, struct task_struct *);
    int (*select_task_rq)(struct task_struct *, int, int, int, int);
    void (*migrate_task_rq)(struct task_struct *, int);
    void (*task_woken)(struct rq *, struct task_struct *);
    void (*set_cpus_allowed)(struct task_struct *, const struct cpumask *);
    void (*rq_online)(struct rq *);
    void (*rq_offline)(struct rq *);
    void (*set_curr_task)(struct rq *);
    void (*task_tick)(struct rq *, struct task_struct *, int);
    void (*task_fork)(struct task_struct *);
    void (*task_dead)(struct task_struct *);
    void (*switched_from)(struct rq *, struct task_struct *);
    void (*switched_to)(struct rq *, struct task_struct *);
    void (*prio_changed)(struct rq *, struct task_struct *, int);
    unsigned int (*get_rr_interval)(struct rq *, struct task_struct *);
    void (*update_curr)(struct rq *);
    void (*task_change_group)(struct task_struct *, int);
    void (*fixup_walt_sched_stats)(struct rq *, struct task_struct *, u16, u16);
}
SIZE: 200
6.x.1 [-r [size|range]] - only list structures whose size is exactly size bytes, or lies within range
Handy when a corrupted slab object of a known size has to be matched to a candidate type.
# every structure that is exactly 192 bytes
crash_arm64> whatis -r 192
SIZE  TYPE
 192  PMICRecordKernelStruct
 192  PMICRecordStruct
 192  acc_instance
 192  arpt_entry
 192  audit_ctl_mutex
 192  bpf_lru_list
...
# every structure between 256 and 512 bytes
crash_arm64> whatis -r 256-512
SIZE  TYPE
 256  RegistrationRequest
 256  _phx_baseinfo
 256  arpt_error
 256  audit_tree_refs
 256  av8l_fast_io_pgtab
...
6.x.1 [-m member] - only list structures that have a member of type member
# every type with a task_struct member (a pointer to one counts)
crash_arm64> whatis -m task_struct
SIZE  TYPE
   8  mmc_ctx
   8  rcuwait
  16  core_thread
  16  migration_arg
  16  ns_get_path_task_args
  16  selected_task
  16  spurious_fp_touch
  16  tgid_iter
# every type between 256 and 512 bytes that has a task_struct member
crash_arm64> whatis -r 256-512 -m task_struct
SIZE  TYPE
 256  ecryptfs_msg_ctx
 256  futex_pi_state
 264  amp_mgr
 264  blk_mq_tag_set
 264  configfs_buffer
 264  cpuhp_cpu_state
 264  i3c_dev_desc
To be continued...
Comments
respect!!