CORE ANALYSIS SUITE The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from dump creation facilities such as kdump, kvmdump, xendump, the netdump and diskdump packages offered by Red Hat, the LKCD kernel patch, the mcore kernel patch created by Mission Critical Linux, as well as other formats created by manufacturer-specific firmware. o The tool is loosely based on the SVR4 crash command, but has been completely integrated with gdb in order to be able to display formatted kernel data structures, disassemble source code, etc. o The current set of available commands consist of common kernel core analysis tools such as a context-specific stack traces, source code disassembly, kernel variable displays, memory display, dumps of linked-lists, etc. In addition, any gdb command may be entered, which in turn will be passed onto the gdb module for execution. o There are several commands that delve deeper into specific kernel subsystems, which also serve as templates for kernel developers to create new commands for analysis of a specific area of interest. Adding a new command is a simple affair, and a quick recompile adds it to the command menu. o The intent is to make the tool independent of Linux version dependencies, building in recognition of major kernel code changes so as to adapt to new kernel versions, while maintaining backwards compatibility. A whitepaper with complete documentation concerning the use of this utility can be found here: http://people.redhat.com/anderson/crash_whitepaper These are the current prerequisites: o At this point, x86, ia64, x86_64, ppc64, ppc, arm, arm64, alpha, mips, s390 and s390x-based kernels are supported. Other architectures may be addressed in the future. o One size fits all -- the utility can be run on any Linux kernel version version dating back to 2.2.5-15. A primary design goal is to always maintain backwards-compatibility. o In order to contain debugging data, the top-level kernel Makefile's CFLAGS definition must contain the -g flag. Typically distributions will contain a package containing a vmlinux file with full debuginfo data. If not, the kernel must be rebuilt: For 2.2 kernels that are not built with -g, change the following line: CFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer to: CFLAGS = -g -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer For 2.4 kernels that are not built with -g, change the following line: CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing to: CFLAGS := -g $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing For 2.6 and later kernels that are not built with -g, the kernel should be configured with CONFIG_DEBUG_INFO enabled, which in turn will add the -g flag to the CFLAGS setting in the kernel Makefile. After the kernel is re-compiled, the uncompressed "vmlinux" kernel that is created in the top-level kernel build directory must be saved. To build the crash utility: $ tar -xf crash-7.1.0.tar.gz $ cd crash-7.1.0 $ make The initial build will take several minutes because the embedded gdb module must be configured and and built. Alternatively, the crash source RPM file may be installed and built, and the resultant crash binary RPM file installed. The crash binary can only be used on systems of the same architecture as the host build system. There are a few optional manners of building the crash binary: o On an x86_64 host, a 32-bit x86 binary that can be used to analyze 32-bit x86 dumpfiles may be built by typing "make target=X86". o On an x86 or x86_64 host, a 32-bit x86 binary that can be used to analyze 32-bit arm dumpfiles may be built by typing "make target=ARM". o On an x86 or x86_64 host, a 32-bit x86 binary that can be used to analyze 32-bit mips dumpfiles may be built by typing "make target=MIPS". o On an ppc64 host, a 32-bit ppc binary that can be used to analyze 32-bit ppc dumpfiles may be built by typing "make target=PPC". o On an x86_64 host, an x86_64 binary that can be used to analyze arm64 dumpfiles may be built by typing "make target=ARM64". Traditionally when vmcores are compressed via the makedumpfile(8) facility the libz compression library is used, and by default the crash utility only supports libz. Recently makedumpfile has been enhanced to optionally use either the LZO or snappy compression libraries. To build crash with either or both of those libraries, type "make lzo" or "make snappy". All of the alternate build commands above are "sticky" in that the special "make" targets only have to be entered one time; all subsequent builds will follow suit. If the tool is run against a kernel dumpfile, two arguments are required, the uncompressed kernel name and the kernel dumpfile name. If run on a live system, only the kernel name is required, because /dev/mem will be used as the "dumpfile". On Red Hat or Fedora kernels where the /dev/mem device is restricted, the /dev/crash memory driver will be used. If neither /dev/mem or /dev/crash are available, then /proc/kcore will be be used as the live memory source. If /proc/kcore is also restricted, then the Red Hat /dev/crash driver may be compiled and installed; its source is included in the crash-7.1.0/memory_driver subdirectory. If the kernel file is stored in /boot, /, /boot/efi, or in any /usr/src or /usr/lib/debug/lib/modules subdirectory, then no command line arguments are required -- the first kernel found that matches /proc/version will be used as the namelist. For example, invoking crash on a live system would look like this: $ crash crash 7.1.0 Copyright (C) 2002-2014 Red Hat, Inc. Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005, 2011 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. GNU gdb 7.6 Copyright 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"... KERNEL: /boot/vmlinux DUMPFILE: /dev/mem CPUS: 1 DATE: Fri Feb 6 13:44:11 2015 UPTIME: 10 days, 22:55:18 LOAD AVERAGE: 0.08, 0.03, 0.01 TASKS: 42 NODENAME: ha2.mclinux.com RELEASE: 2.4.0-test10 VERSION: #11 SMP Thu Nov 4 15:09:25 EST 2000 MACHINE: i686 (447 MHz) MEMORY: 128 MB PID: 3621 COMMAND: "crash" TASK: c463c000 CPU: 0 STATE: TASK_RUNNING (ACTIVE) crash> help * files mach repeat timer alias foreach mod runq tree ascii fuser mount search union bt gdb net set vm btop help p sig vtop dev ipcs ps struct waitq dis irq pte swap whatis eval kmem ptob sym wr exit list ptov sys q extend log rd task crash version: 7.1.0 gdb version: 7.6 For help on any command above, enter "help ". For help on input options, enter "help input". For help on output options, enter "help output". crash> When run on a dumpfile, both the kernel namelist and dumpfile must be entered on the command line. For example, when run on a core dump created by the Red Hat netdump or diskdump facilities: $ crash vmlinux vmcore crash 7.1.0 Copyright (C) 2002-2014 Red Hat, Inc. Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005, 2011 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. GNU gdb 7.6 Copyright 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"... KERNEL: vmlinux DUMPFILE: vmcore CPUS: 4 DATE: Tue Mar 2 13:57:09 2004 UPTIME: 00:02:40 LOAD AVERAGE: 2.24, 0.96, 0.37 TASKS: 70 NODENAME: pro1.lab.boston.redhat.com RELEASE: 2.6.3-2.1.214.11smp VERSION: #1 SMP Tue Mar 2 10:58:27 EST 2004 MACHINE: i686 (2785 Mhz) MEMORY: 512 MB PANIC: "Oops: 0002 [#1]" (check log for details) PID: 0 COMMAND: "swapper" TASK: 22fa200 (1 of 4) [THREAD_INFO: 2356000] CPU: 0 STATE: TASK_RUNNING (PANIC) crash> The tool's environment is context-specific. On a live system, the default context is the command itself; on a dump the default context will be the task that panicked. The most commonly-used commands are: set - set a new task context by pid, task address, or cpu. bt - backtrace of the current context, or as specified with arguments. p - print the contents of a kernel variable. rd - read memory, which may be either kernel virtual, user virtual, or physical. ps - simple process listing. log - dump the kernel log_buf. struct - print the contents of a structure at a specified address. foreach - execute a command on all tasks, or those specified, in the system. Detailed help concerning the use of each of the commands in the menu above may be displayed by entering "help command", where "command" is one of those listed above. Rather than getting bogged down in details here, simply run the help command on each of the commands above. Note that many commands have multiple options so as to avoid the proliferation of command names. Command output may be piped to external commands or redirected to files. Enter "help output" for details. The command line history mechanism allows for command-line recall and command-line editing. Input files containing a set of crash commands may be substituted for command-line input. Enter "help input" for details. Note that a .crashrc file (or .rc if the name has been changed), may contain any number of "set" or "alias" commands -- see the help pages on those two commands for details. Lastly, if a command is entered that is not recognized, it is checked against the kernel's list of variables, structure, union or typedef names, and if found, the command is passed to "p", "struct", "union" or "whatis". That being the case, as long as a kernel variable/structure/union name is different than any of the current commands. (1) A kernel variable can be dumped by simply entering its name: crash> init_mm init_mm = $2 = { mmap = 0xc022d540, mmap_avl = 0x0, mmap_cache = 0x0, pgd = 0xc0101000, count = { counter = 0x6 }, map_count = 0x1, mmap_sem = { count = { counter = 0x1 }, waking = 0x0, wait = 0x0 }, context = 0x0, start_code = 0xc0000000, end_code = 0xc022b4c8, end_data = c0250388, ... (2) A structure or can be dumped simply by entering its name and address: crash> vm_area_struct c5ba3910 struct vm_area_struct { vm_mm = 0xc3ae3210, vm_start = 0x821b000, vm_end = 0x8692000, vm_next = 0xc5ba3890, vm_page_prot = { pgprot = 0x25 }, vm_flags = 0x77, vm_avl_height = 0x4, vm_avl_left = 0xc0499540, vm_avl_right = 0xc0499f40, vm_next_share = 0xc04993c0, vm_pprev_share = 0xc0499060, vm_ops = 0x0, vm_offset = 0x0, vm_file = 0x0, vm_pte = 0x0 } The crash utility has been designed to facilitate the task of adding new commands. New commands may be permanently compiled into the crash executable, or dynamically added during runtime using shared object files. To permanently add a new command to the crash executable's menu: 1. For a command named "xxx", put a reference to cmd_xxx() in defs.h. 2. Add cmd_xxx into the base_command_table[] array in global_data.c. 3. Write cmd_xxx(), putting it in one of the appropriate files. Look at the other commands for guidance on getting symbolic data, reading memory, displaying data, etc... 4. Recompile and run. Note that while the initial compile of crash, which configures and compiles the gdb module, takes several minutes, subsequent re-compiles to do such things as add new commands or fix bugs just takes a few seconds. Alternatively, you can create shared object library files consisting of crash command extensions, that can be dynamically linked into the crash executable during runtime or during initialization. This will allow the the same shared object to be used with subsequent crash releases without having to re-merge the command's code into each new set of crash sources. The dynamically linked-in commands will automatically show up in the crash help menu. For details, enter "help extend" during runtime, or enter "crash -h extend" from the shell command line.