oops堆栈分析实例

本文主要是介绍oops堆栈分析实例，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

本文基于Linux-4.0，根据一个crash现场的实例，根据堆栈中的数据，反推整个函数调用流程，由于本例子存在oops，也会直接打印出backtrace，最终可以与我们的分析结果做一下比较，看看分析是否正确。

/ # echo c > /proc/sysrq-trigger
sysrq: SysRq : Trigger a crash
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffff8000779f9000
[00000000] *pgd=00000000b79fb003, *pud=00000000b7cb3003, *pmd=0000000000000000
Internal error: Oops: 94000046 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 642 Comm: sh Not tainted 4.0.0 #1
Hardware name: linux,dummy-virt (DT)
task: ffff800077f46300 ti: ffff800077804000 task.ti: ffff800077804000
PC is at sysrq_handle_crash+0x14/0x1c
LR is at __handle_sysrq+0x124/0x194
pc : [<ffff800000377cd4>] lr : [<ffff800000378688>] pstate: 60000145
sp : ffff800077807dd0
x29: ffff800077807dd0 x28: ffff800077804000
x27: ffff80000056d000 x26: 0000000000000040
x25: 000000000000011a x24: 0000000000000015
x23: 0000000000000000 x22: 0000000000000007
x21: 0000000000000063 x20: ffff8000007ae000
x19: ffff8000007c18e8 x18: 00000000005fd000
x17: 0000000000602000 x16: ffff80000019705c
x15: 0000000000001000 x14: 0ffffffffffffffe
x13: 0000000000000038 x12: 0101010101010101
x11: ffff8000007ae000 x10: 000000000000007c
x9 : 0000000000000002 x8 : 0000000000000001
x7 : 000000000000007c x6 : 0000000000000030
x5 : 0000000000002208 x4 : 0000000000000000
x3 : 0000000000000000 x2 : ffff800077804000
x1 : 0000000000000000 x0 : 0000000000000001Process sh (pid: 642, stack limit = 0xffff800077804028)
Stack: (0xffff800077807dd0 to 0xffff800077808000)
7dc0:                                     77807e10 ffff8000 00378b04 ffff8000
7de0: 00000002 00000000 fffffffb ffffffff 77807ec8 ffff8000 1c84b550 00000000
7e00: 60000000 00000000 1c84b550 00000000 77807e30 ffff8000 001f2f5c ffff8000
7e20: 785b8c00 ffff8000 1c84b550 00000000 77807e50 ffff8000 00196650 ffff8000
7e40: 78607d00 ffff8000 00000002 00000000 77807e90 ffff8000 001970a0 ffff8000
7e60: 78607d00 ffff8000 78607d00 ffff8000 1c84b550 00000000 00000002 00000000
7e80: 60000000 00000000 00000000 00000000 da4cd8c0 0000ffff 00085c30 ffff8000
7ea0: 00000000 00000000 1c84b550 00000000 ffffffff ffffffff 00409398 00000000
7ec0: 00200200 00000000 00000000 00000000 00000001 00000000 1c84b550 00000000
7ee0: 00000002 00000000 00000000 00000000 1c84b550 00000000 1c84b560 00000000
7f00: 80808080 00808080 fefeff62 fefefefe 00000040 00000000 fefefeff fefefefe
7f20: 7f7f7f7f 7f7f7f7f 01010101 01010101 00000008 00000000 00000400 00000000
7f40: 00502b5c 00000050 00001000 00000000 00000000 00000000 00602000 00000000
7f60: 005fd000 00000000 00000001 00000000 1c84b550 00000000 00000002 00000000
7f80: 00601000 00000000 1c84b550 00000000 00000020 00000000 00000000 00000000
7fa0: 00601000 00000000 005820f0 00000000 da4cdfba 0000ffff da4cd8c0 0000ffff
7fc0: 0044a504 00000000 da4cd180 0000ffff 00409398 00000000 60000000 00000000
7fe0: 00000001 00000000 00000040 00000000 00000000 00000000 00000000 00000000
Call trace:
[<ffff800000377cd4>] sysrq_handle_crash+0x14/0x1c
[<ffff800000378b00>] write_sysrq_trigger+0x50/0x64
[<ffff8000001f2f58>] proc_reg_write+0x54/0x84
[<ffff80000019664c>] vfs_write+0x98/0x1d8
[<ffff80000019709c>] SyS_write+0x40/0xa0
Code: 52800020 b903a420 d5033e9f d2800001 (39000020)
---[ end trace 2fd7253656805fb6 ]---

SP和FP(x29)寄存器中的值都是ffff800077807dd0，从后面信息可以进行堆栈回溯：

ffff8000 77807dd0 --- FP
ffff8000 77807e10 --- FP'(从FP寄存器地址处读取)
ffff8000 77807e30 --- FP''(从FP'寄存器地址处读取)
ffff8000 77807e50 --- FP'''(从FP''寄存器地址处读取)
ffff8000 77807e90 --- FP''''(从FP'''寄存器地址处读取)
0000ffff da4cd8c0 --- 该值已经不是内核地址了，所以已经超出了内核堆栈区域

我们找到了FP地址后，可以进一步找到LR寄存器中保存的返回地址：

ffff8000 00378b04 --- FP + 8
ffff8000 001f2f5c --- FP' + 8
ffff8000 00196650 --- FP'' + 8
ffff8000 001970a0 --- FP''' + 8

接下来看是一个一个查看对应的堆栈调用关系，从第一个LR地址开始查看，进入gdb调试vmlinux：

aarch64-linux-gnu-gdb vmlinux

跳转关系1
使用反汇编指令：

(gdb) disassemble 0xffff800000378b04
Dump of assembler code for function write_sysrq_trigger:0xffff800000378ab0 <+0>:	stp	x29, x30, [sp,#-32]!0xffff800000378ab4 <+4>:	mov	x29, sp0xffff800000378ab8 <+8>:	str	x19, [sp,#16]0xffff800000378abc <+12>:	mov	x19, x20xffff800000378ac0 <+16>:	cbz	x2, 0xffff800000378b04 <write_sysrq_trigger+84>0xffff800000378ac4 <+20>:	mov	x0, sp0xffff800000378ac8 <+24>:	mov	x2, x10xffff800000378acc <+28>:	and	x3, x0, #0xffffffffffffc0000xffff800000378ad0 <+32>:	mov	x0, #0xfffffffffffffff2    	// #-140xffff800000378ad4 <+36>:	ldr	x3, [x3,#8]0xffff800000378ad8 <+40>:	adds	x2, x2, #0x10xffff800000378adc <+44>:	ccmp	x2, x3, #0x2, cc0xffff800000378ae0 <+48>:	cset	x4, ls0xffff800000378ae4 <+52>:	cbz	x4, 0xffff800000378b08 <write_sysrq_trigger+88>0xffff800000378ae8 <+56>:	mov	w2, #0x0                   	// #00xffff800000378aec <+60>:	ldrb	w3, [x1]0xffff800000378af0 <+64>:	uxtb	w3, w30xffff800000378af4 <+68>:	cbnz	w2, 0xffff800000378b08 <write_sysrq_trigger+88>0xffff800000378af8 <+72>:	mov	w1, #0x0                   	// #00xffff800000378afc <+76>:	mov	w0, w30xffff800000378b00 <+80>:	bl	0xffff800000378564 <__handle_sysrq>0xffff800000378b04 <+84>:	mov	x0, x190xffff800000378b08 <+88>:	ldr	x19, [sp,#16]0xffff800000378b0c <+92>:	ldp	x29, x30, [sp],#320xffff800000378b10 <+96>:	ret

关键的在如下的位置：

   0xffff800000378b00 <+80>:	bl	0xffff800000378564 <__handle_sysrq>0xffff800000378b04 <+84>:	mov	x0, x19

我们对应的LR地址为0xffff800000378b04，该值-4就应该是跳转指令：所以上一级函数是write_sysrq_trigger，跳转进入的函数symbol为__handle_sysrq。

跳转关系2

使用反汇编指令：

(gdb) disassemble 0xffff8000001f2f5c
Dump of assembler code for function proc_reg_write:0xffff8000001f2f04 <+0>:	stp	x29, x30, [sp,#-32]!0xffff8000001f2f08 <+4>:	mov	w4, #0x0                   	// #00xffff8000001f2f0c <+8>:	mov	x29, sp0xffff8000001f2f10 <+12>:	stp	x19, x20, [sp,#16]0xffff8000001f2f14 <+16>:	ldr	x5, [x0,#32]0xffff8000001f2f18 <+20>:	ldur	x19, [x5,#-32]0xffff8000001f2f1c <+24>:	add	x5, x19, #0x640xffff8000001f2f20 <+28>:	add	w6, w4, #0x10xffff8000001f2f24 <+32>:	dmb	ish0xffff8000001f2f28 <+36>:	ldxr	w7, [x5]0xffff8000001f2f2c <+40>:	cmp	w7, w40xffff8000001f2f30 <+44>:	b.ne	0xffff8000001f2f3c <proc_reg_write+56>0xffff8000001f2f34 <+48>:	stxr	w8, w6, [x5]0xffff8000001f2f38 <+52>:	cbnz	w8, 0xffff8000001f2f28 <proc_reg_write+36>0xffff8000001f2f3c <+56>:	dmb	ish0xffff8000001f2f40 <+60>:	cmp	w4, w70xffff8000001f2f44 <+64>:	b.ne	0xffff8000001f2f78 <proc_reg_write+116>0xffff8000001f2f48 <+68>:	ldr	x4, [x19,#40]0xffff8000001f2f4c <+72>:	mov	x20, #0xfffffffffffffffb    	// #-50xffff8000001f2f50 <+76>:	ldr	x4, [x4,#24]0xffff8000001f2f54 <+80>:	cbz	x4, 0xffff8000001f2f60 <proc_reg_write+92>0xffff8000001f2f58 <+84>:	blr	x40xffff8000001f2f5c <+88>:	mov	x20, x00xffff8000001f2f60 <+92>:	mov	x0, x190xffff8000001f2f64 <+96>:	bl	0xffff8000001f2bf4 <unuse_pde>0xffff8000001f2f68 <+100>:	mov	x0, x200xffff8000001f2f6c <+104>:	ldp	x19, x20, [sp,#16]0xffff8000001f2f70 <+108>:	ldp	x29, x30, [sp],#320xffff8000001f2f74 <+112>:	ret0xffff8000001f2f78 <+116>:	mov	w4, w70xffff8000001f2f7c <+120>:	tbz	w7, #31, 0xffff8000001f2f20 <proc_reg_write+28>0xffff8000001f2f80 <+124>:	mov	x20, #0xfffffffffffffffb    	// #-50xffff8000001f2f84 <+128>:	b	0xffff8000001f2f68 <proc_reg_write+100>
End of assembler dump.

关键的在如下的位置：

   0xffff8000001f2f58 <+84>:	blr	x40xffff8000001f2f5c <+88>:	mov	x20, x0

我们对应的LR地址为0xffff8000001f2f5c，该值-4就应该是跳转指令：blr x4 实际上是指跳转到x4寄存器中的一个地址处。返回地址位于proc_reg_write函数中，因此该函数应该就是上一级调用的函数，至于这个x4寄存器地址对应的symbol，实际上就是write_sysrq_trigger，因为是从它返回过来的。

跳转关系3

使用反汇编指令：

(gdb) disassemble 0xffff800000196650
Dump of assembler code for function vfs_write:0xffff8000001965b4 <+0>:	stp	x29, x30, [sp,#-64]!0xffff8000001965b8 <+4>:	mov	x29, sp0xffff8000001965bc <+8>:	stp	x19, x20, [sp,#16]0xffff8000001965c0 <+12>:	stp	x21, x22, [sp,#32]0xffff8000001965c4 <+16>:	str	x23, [sp,#48]0xffff8000001965c8 <+20>:	ldr	w4, [x0,#68]0xffff8000001965cc <+24>:	tbz	w4, #1, 0xffff80000019676c <vfs_write+440>0xffff8000001965d0 <+28>:	tbz	w4, #18, 0xffff800000196774 <vfs_write+448>0xffff8000001965d4 <+32>:	mov	x4, sp0xffff8000001965d8 <+36>:	and	x5, x4, #0xffffffffffffc0000xffff8000001965dc <+40>:	mov	x4, x10xffff8000001965e0 <+44>:	ldr	x5, [x5,#8]0xffff8000001965e4 <+48>:	adds	x4, x4, x20xffff8000001965e8 <+52>:	ccmp	x4, x5, #0x2, cc0xffff8000001965ec <+56>:	cset	x6, ls0xffff8000001965f0 <+60>:	cbz	x6, 0xffff800000196750 <vfs_write+412>0xffff8000001965f4 <+64>:	mov	x21, x30xffff8000001965f8 <+68>:	mov	x22, x10xffff8000001965fc <+72>:	mov	x3, x20xffff800000196600 <+76>:	mov	x1, x00xffff800000196604 <+80>:	mov	x19, x00xffff800000196608 <+84>:	mov	x2, x210xffff80000019660c <+88>:	mov	w0, #0x1                   	// #10xffff800000196610 <+92>:	bl	0xffff8000001964c4 <rw_verify_area>0xffff800000196614 <+96>:	sxtw	x20, w00xffff800000196618 <+100>:	tbnz	x20, #63, 0xffff8000001966c0 <vfs_write+268>0xffff80000019661c <+104>:	ldr	x1, [x19,#32]0xffff800000196620 <+108>:	ldrh	w0, [x1]0xffff800000196624 <+112>:	and	w0, w0, #0xf0000xffff800000196628 <+116>:	cmp	w0, #0x8, lsl #120xffff80000019662c <+120>:	b.eq	0xffff800000196758 <vfs_write+420>0xffff800000196630 <+124>:	ldr	x0, [x19,#40]0xffff800000196634 <+128>:	ldr	x4, [x0,#24]0xffff800000196638 <+132>:	cbz	x4, 0xffff8000001966d8 <vfs_write+292>0xffff80000019663c <+136>:	mov	x2, x200xffff800000196640 <+140>:	mov	x3, x210xffff800000196644 <+144>:	mov	x1, x220xffff800000196648 <+148>:	mov	x0, x190xffff80000019664c <+152>:	blr	x40xffff800000196650 <+156>:	mov	x20, x0

关键的在如下的位置：

   0xffff80000019664c <+152>:	blr	x40xffff800000196650 <+156>:	mov	x20, x0

我们对应的LR地址为0xffff800000196650，该值-4就应该是跳转指令：blr x4 ，至于这个x4寄存器地址对应的symbol，实际上就是proc_reg_write，该函数运行结束后会返回到vfs_write中，因此上一级的函数是vfs_write。

跳转关系4

使用反汇编指令：

(gdb) disassemble 0xffff8000001970a0
Dump of assembler code for function SyS_write:0xffff80000019705c <+0>:	stp	x29, x30, [sp,#-64]!0xffff800000197060 <+4>:	mov	x29, sp0xffff800000197064 <+8>:	stp	x19, x20, [sp,#16]0xffff800000197068 <+12>:	stp	x21, x22, [sp,#32]0xffff80000019706c <+16>:	mov	x21, x10xffff800000197070 <+20>:	mov	x22, x20xffff800000197074 <+24>:	bl	0xffff8000001b2f14 <__fdget_pos>0xffff800000197078 <+28>:	ands	x20, x0, #0xfffffffffffffffc0xffff80000019707c <+32>:	mov	x19, x00xffff800000197080 <+36>:	b.eq	0xffff8000001970f4 <SyS_write+152>0xffff800000197084 <+40>:	add	x3, x29, #0x400xffff800000197088 <+44>:	ldr	x4, [x20,#112]0xffff80000019708c <+48>:	mov	x1, x210xffff800000197090 <+52>:	mov	x2, x220xffff800000197094 <+56>:	mov	x0, x200xffff800000197098 <+60>:	str	x4, [x3,#-8]!0xffff80000019709c <+64>:	bl	0xffff8000001965b4 <vfs_write>0xffff8000001970a0 <+68>:	mov	x21, x00xffff8000001970a4 <+72>:	tbnz	x21, #63, 0xffff8000001970b0 <SyS_write+84>0xffff8000001970a8 <+76>:	ldr	x0, [x29,#56]0xffff8000001970ac <+80>:	str	x0, [x20,#112]0xffff8000001970b0 <+84>:	tbnz	w19, #1, 0xffff8000001970cc <SyS_write+112>0xffff8000001970b4 <+88>:	tbnz	w19, #0, 0xffff8000001970d8 <SyS_write+124>0xffff8000001970b8 <+92>:	mov	x0, x210xffff8000001970bc <+96>:	ldp	x19, x20, [sp,#16]0xffff8000001970c0 <+100>:	ldp	x21, x22, [sp,#32]0xffff8000001970c4 <+104>:	ldp	x29, x30, [sp],#640xffff8000001970c8 <+108>:	ret0xffff8000001970cc <+112>:	add	x0, x20, #0x480xffff8000001970d0 <+116>:	bl	0xffff8000005611bc <mutex_unlock>0xffff8000001970d4 <+120>:	tbz	w19, #0, 0xffff8000001970b8 <SyS_write+92>0xffff8000001970d8 <+124>:	mov	x0, x200xffff8000001970dc <+128>:	bl	0xffff800000198128 <fput>0xffff8000001970e0 <+132>:	mov	x0, x210xffff8000001970e4 <+136>:	ldp	x19, x20, [sp,#16]0xffff8000001970e8 <+140>:	ldp	x21, x22, [sp,#32]0xffff8000001970ec <+144>:	ldp	x29, x30, [sp],#640xffff8000001970f0 <+148>:	ret0xffff8000001970f4 <+152>:	mov	x21, #0xfffffffffffffff7    	// #-90xffff8000001970f8 <+156>:	b	0xffff8000001970b8 <SyS_write+92>
End of assembler dump.

关键的在如下的位置：

   0xffff80000019709c <+64>:	bl	0xffff8000001965b4 <vfs_write>0xffff8000001970a0 <+68>:	mov	x21, x0

我们对应的LR地址为0xffff8000001970a0，该值-4就应该是跳转指令：bl 0xffff8000001965b4 <vfs_write> ，这里看起来就很清晰了，从SyS_write函数跳转到vfs_write函数，完成之后又返回到了SyS_write函数，因此上一级的函数是SyS_write。

总结

从上面的分析过程，我们可以梳理出函数的调用关系如下：

SyS_write --> vfs_write --> proc_reg_write --> write_sysrq_trigger --> __handle_sysrq --> sysrq_handle_crash

看看这个结果是不是与dumpstack中的一致，说明整个分析过程是正确的。哈哈~

这篇关于oops堆栈分析实例的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---