20150430 调试分析之 根据内核报错信息中的栈信息分析错误
2015-04-30 Lover雪儿
还是沿用上篇文章的程序,继续研究内核报错信息
文章地址:http://www.cnblogs.com/lihaiyan/p/4470353.html
错误驱动源文件:
加载错误驱动程序
1 root@EasyARM-iMX257 /mnt/nfs/module/37_debug_err_led# echo 1 > /dev/errdule/37_debug_err_led# echo 1 > /dev/err_led_dev 2 le kernel paging request at virtual address 43fac060 3 pgd = c3b8c000 4 [43fac060] *pgd=00000000 5 Internal error: Oops: 5 [#1] PREEMPT 6 Modules linked in: err_led gpio 7 CPU: 0 Not tainted (2.6.31-207-g7286c01 #694) 8 PC is at key_open+0x18/0x54 [err_led] 9 LR is at key_open+0x10/0x54 [err_led] 10 pc : [<bf006128>] lr : [<bf006120>] psr: 60000013 11 sp : c3bc1e70 ip : c04666e6 fp : 00095c98 12 r10: c31441e0 r9 : c3bc0000 r8 : c317a250 13 r7 : 00000000 r6 : c3a536a0 r5 : 000000 r2 : 00000000 r1 : 43facfff r0 : 43fac000 14 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user 15 Control: 00000015 16 Process sh (pid: 1793, stack limit = 0xc3bc0270) 17 Stack0b 00000000 18 1e80: c3a7ef40 c31441e0 c317a250 00000000 c00bb7fc c380f0a0 c33c0b58 c00b66b4 19 1ea0: c3bc1ef8 c31441e0 c3861e60 c3bc1ef0 c3387000 00020242 c33c0b58 c00b76d4 20 1ec0: 00000000 c38 c00c4288 00000000 000001b6 21 1e0000000 c380f0a0 c33c0b58 b89cf420: 00000000 c00c5698 c3830820 fffffff7 be9ad704 c00c5d34 c3bc1f84 00020242 22 1f40: 000001b6 c31441e0 c381b980 00000003 c380f0a0 c33c0b58 00000000 00020241 23 1f0029f24 c3387000 00000003 00095c00000 000001b6 000932ac 00000001 00000005 c0029f24 c3bc0000 24 1fa0: 40138000 c0029da0 000001b6 000932ac 000932ac 00020241 000001b6 00000000 25 1fc0: 000001b6 000932ac 00000001 00000005 00000000 000933f8 40138000 00095c98 26 1f00d11e0 60000010 000932ac 00000000 00000000 27 [<bf006128>] (key_open+0x18/0x54 [err_led]) from [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) 28 [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) from [<c00b66b4>] (__dentry_open+0x18c/0x2ac) 29 [<cx2ac) from [<c00b76d4>] (nameida4>] (nameidata_to_filp+0x44/0x5c) from [<c00c4288>] (do_filp_open+0x3e4/0x7e8) 30 [<c00c4288>] (do_filp_open+0x3e4/0x7e8) from [<c00b6444>] (do_sys_open+0x5c/0x114) 31 [<c00b6444>] (do_sys_open+0x5c/0x114) from [<c0029da0>] (ret_fast_syscall+0x0/0x2c) 32 Code: 
e24dd004 eb41085c e59f1030 e59f0030 (e5113f9f) 33 ---[ end trace 01db7cfdfa76251c ]--- 34 process '100' (pid 1793) exited. Scheduli811, tty '': '/sbin/getty -L ttymxc0 115200 vt100' 35 36 arm-none-linux-gnueabi-gcc (GCC) 4.1.2 37 root filesystem buil0700 38 Freescale Semiconductor, Inc.
1. 根据错误信息确定出 PC 指针地址, 再在 /proc/kallsyms 中查找它所属的函数
PC = bf006128;
1 root@EasyARM-iMX257 /mnt/nfs/module/37_debug_err_led# cat /proc/kallsyms > kallsyms.txt 2 3 在kallsyms.txt中查找bf006128 4 结果如下: 5 28487 bf006110 t key_open [err_led] 6 28488 bf006110 t $a [err_led] 7 28489 bf006154 t $d [err_led] 8 28490 bf006164 t $a [err_led] 9 28491 bf006248 t $d [err_led]
很显然, 地址 bf006128 属于 key_open 函数: 它落在 key_open 的起始地址 bf006110 与下一个符号之间, 偏移为 0x18, 与回溯信息中的 key_open+0x18/0x54 一致
2. 反汇编, 找到 key_open 偏移 0x18 处的指令 (即下面 128: 处的 ldr r3, [r1, #-3999], 与 Oops 中 Code: 一行括号内的 e5113f9f 一致; 此时 r1 = 43facfff, 43facfff - 3999 = 43fac060, 正是报错中无法访问的虚拟地址):
1 84 00000110 <key_open>: 2 85 110: e52de004 str lr, [sp, #-4]! 3 86 114: e59f0038 ldr r0, [pc, #56] ; 154 <.text+0x154> 4 87 118: e24dd004 sub sp, sp, #4 ; 0x4 5 88 11c: ebfffffe bl 0 <printk> 6 89 120: e59f1030 ldr r1, [pc, #48] ; 158 <.text+0x158> 7 90 124: e59f0030 ldr r0, [pc, #48] ; 15c <.text+0x15c> 8 91 128: e5113f9f ldr r3, [r1, #-3999] //出错位置,从这儿开始,把栈信息全部从下开始打印 9 92 12c: e3c33007 bic r3, r3, #7 ; 0x7 10 93 130: e5013f9f str r3, [r1, #-3999] 11 94 134: e5112f9f ldr r2, [r1, #-3999] 12 **************************** 13 187769 c00bb7fc <chrdev_open>: 14 187770 c00bb7fc: e92d45f0 stmdb sp!, {r4, r5, r6, r7, r8, sl, lr} 栈为7个 15 187771 c00bb800: e24dd00c sub sp, sp, #12 ; 0xc 栈 7+3 = 10 16 **************************** 17 183387 c00b76d0: ebfffb94 bl c00b6528 <__dentry_open> 18 183388 c00b76d4: e1a04000 mov r4, r0 19 183389 c00b76d8: ea000000 b c00b76e0 <nameidata_to_filp+0x50> 20 **************************** 21 182202 c00b6528 <__dentry_open>: 22 182203 c00b6528: e92d45f0 stmdb sp!, {r4, r5, r6, r7, r8, sl, lr} 栈为7个 23 182204 c00b652c: e282c001 add ip, r2, #1 ; 0x1 24 182205 c00b6530: e20cc003 and ip, ip, #3 ; 0x3 25 182206 c00b6534: e38cc01c orr ip, ip, #28 ; 0x1c 26 182207 c00b6538: e24dd004 sub sp, sp, #4 ; 0x4 栈为8个 27 182208 c00b653c: e59d7020 ldr r7, [sp, #32] 28 **************************** 29 198284 c00c5694: e12fff3c blx ip 30 198285 c00c5698: e59f3054 ldr r3, [pc, #84] ; c00c56f4 <.text+0x9c6f4> 31 198286 c00c569c: e1500003 cmp r0, r3 32 182208 c00b653c: e59d7020 ldr r7, [sp, #32] 33 **************************** 34 198708 c00c5d24: e1a00004 mov r0, r4 35 198709 c00c5d28: e1a0100c mov r1, ip 36 198710 c00c5d2c: e1a02006 mov r2, r6 37 198711 c00c5d30: ebfffe4d bl c00c566c <vfs_ioctl> 38 198712 c00c5d34: eaffffb8 b c00c5c1c <do_vfs_ioctl+0x430> 39 198713 c00c5d38: e3e0500d mvn r5, #13 ; 0xd 40 **************************** 41 198273 c00c566c <vfs_ioctl>: 42 198274 c00c566c: e92d4070 stmdb sp!, {r4, r5, r6, lr} 43 198275 c00c5670: e5903010 ldr r3, [r0, #16] 
44 198276 c00c5674: e1a04000 mov r4, r0 45 **************************** 46 198373 c00c57ec <do_vfs_ioctl>: 47 198374 c00c57ec: e92d4370 stmdb sp!, {r4, r5, r6, r8, r9, lr} 栈为6个 48 198375 c00c57f0: e1a0c002 mov ip, r2 49 198376 c00c57f4: e59f2588 ldr r2, [pc, #1416] ; c00c5d84 <.text+0x9cd84> 50 198377 c00c57f8: e24dd040 sub sp, sp, #64 ; 0x40 栈为16个 51 198378 c00c57fc: e15c0002 cmp ip, r2 52 **************************** 53 32805 c0029da0 <ret_fast_syscall>: 54 32806 c0029da0: e321f093 msr CPSR_c, #147 ; 0x93 55 32807 c0029da4: e5991000 ldr r1, [r9] 56 32808 c0029da8: e31100ff tst r1, #255 ; 0xff 57 32809 c0029dac: 1a000006 bne c0029dcc <fast_work_pending> 58 32810 c0029db0: e59d1048 ldr r1, [sp, #72] 59 32811 c0029db4: e5bde044 ldr lr, [sp, #68]! 60 32812 c0029db8: e16ff001 msr SPSR_fsxc, r1 61 32813 c0029dbc: e95d7ffe ldmdb sp, {r1, r2, r3, r4, r5, r6, r7, r8, r9,sl, fp, ip, sp, lr}^ 62 63 32918 c0029f24 <sys_call_table>: 64 32919 c0029f24: c0055348 andgt r5, r5, r8, asr #6 65 32920 c0029f28: c004ab8c andgt sl, r4, ip, lsl #23 66 32921 c0029f2c: c002a50c andgt sl, r2, ip, lsl #10 67 32922 c0029f30: c00b8cd0 ldrgtd r8, [fp], -r0 68 32923 c0029f34: c00b8d38 andgt r8, fp, r8, lsr sp
根据栈地址分析汇编代码
1 1e80: c3a7ef40 c31441e0 c317a250 00000000 c00bb7fc c380f0a0 c33c0b58 c00b66b4 2 <chrdev_open>sp r4 r5 r6 3 1ea0: c3bc1ef8 c31441e0 c3861e60 c3bc1ef0 c3387000 00020242 c33c0b58 c00b76d4 4 r7 r8 sl lr caller'sp返回地址 5 1ec0: 00000000 c38 c00c4288 00000000 000001b6 6 __dentry_open's 向后数8个 7 1e0000000 c380f0a0 c33c0b58 b89cf420: 00000000 c00c5698 c3830820 8 vfs_ioctl向后数4个为返回地址 9 fffffff7 be9ad704 c00c5d34 c3bc1f84 00020242 10 do_vfs_ioctl'sp 向后数22个为返回地址 11 1f40: 000001b6 c31441e0 c381b980 00000003 c380f0a0 c33c0b58 00000000 00020241 12 1f0029f24 c3387000 00000003 00095c00000 000001b6 000932ac 00000001 00000005 c0029f24 c3bc0000 13 sys_call_table 14 1fa0: 40138000 c0029da0 000001b6 000932ac 000932ac 00020241 000001b6 00000000 15 ret_fast_syscall向后数14个 16 1fc0: 000001b6 000932ac 00000001 00000005 00000000 000933f8 40138000 00095c98 17 1fd0: c00d11e0 60000010 000932ac 00000000 00000000 18 [<bf006128>] (key_open+0x18/0x54 [err_led]) from [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) 19 [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) from [<c00b66b4>] (__dentry_open+0x18c/0x2ac) 20 [<cx2ac) from [<c00b76d4>] (nameida4>] (nameidata_to_filp+0x44/0x5c) from [<c00c4288>] (do_filp_open+0x3e4/0x7e8) 21 [<c00c4288>] (do_filp_open+0x3e4/0x7e8) from [<c00b6444>] (do_sys_open+0x5c/0x114) 22 [<c00b6444>] (do_sys_open+0x5c/0x114) from [<c0029da0>] (ret_fast_syscall+0x0/0x2c)
回溯信息
1 [<bf006128>] (key_open+0x18/0x54 [err_led]) from [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) 2 [<c00bb9d0>] (chrdev_open+0x1d4/0x1f4) from [<c00b66b4>] (__dentry_open+0x18c/0x2ac) 3 [<cx2ac) from [<c00b76d4>] (nameida4>] (nameidata_to_filp+0x44/0x5c) from [<c00c4288>] (do_filp_open+0x3e4/0x7e8) 4 [<c00c4288>] (do_filp_open+0x3e4/0x7e8) from [<c00b6444>] (do_sys_open+0x5c/0x114) 5 [<c00b6444>] (do_sys_open+0x5c/0x114) from [<c0029da0>] (ret_fast_syscall+0x0/0x2c) 6 Code: e24dd004 eb41085c e59f1030 e59f0030 (e5113f9f)
从上面的回溯信息中可以看出, 函数调用顺序 (左边为被调用者, 右边为调用者) 为:
key_open < ---- chrdev_open < --- do_filp_open < --- do_sys_open < --- ret_fast_syscall (回溯信息中 chrdev_open 与 do_filp_open 之间还经过 __dentry_open 和 nameidata_to_filp)