0.linux内核异常常用分析方法
- 异常地址是否在0附近,确认是否是空指针解引用问题
- 异常地址是否在iomem映射区,确认是否是设备访问总线异常问题,如PCI异常导致的地址访问异常
- 异常地址是否在stack附近,如果相邻,要考虑是否被踩
- 比较delay reset/nmi watchdog等多种机制打印的栈信息,看看pc是否在动,确定是否是死锁
- 用SysRq判断是真死还是假死
- 通过反汇编获得发生异常的C代码段和函数,查找开源社区是否已有补丁修复
下面分别通过PowerPC和Mips64的2个异常例子详细讲解分析过程。
1.PowerPC小系统内核异常分析
1.1 异常打印
Unable to handle kernel paging request for data at address 0x36fef31e
Faulting instruction address: 0xc0088b8c
Oops: Kernel access of bad area, sig: 11 [#1]
PREEMPT SMP NR_CPUS=2
Modules linked in: ossmod tipc ohci_hcd ehci_hcd cmm uart1655x bcm334 bootflash mtdchar bsp_flash_init boardctrl 85xx_debug util
NIP: C0088B8C LR: C0088CF8 CTR: 00000000
REGS: ce283e20 TRAP: 0300 Not tainted (2.6.21.7-EMBSYS-CGEL-3.04.10.P6.F5)
MSR: 00021000 <ME> CR: 22004222 XER: 00000000
DAR: 36FEF31E, DSISR: 00800000
TASK = cffdf180[26] 'events/1' THREAD: ce282000 CPU: 1
GPR00: 00100100 CE283ED0 CFFDF180 CF528000 C09EA500 EFFEAD20 CF5188A0 00000000
GPR08: CF5188BC 00200200 36FEF31E D1FD7F9E 22004222 1010DA44 00000290 00000000
GPR16: 1011C858 100147F4 BF9BC9C4 10100000 00000001 C0460000 C06454CC 00000000
GPR24: C0640000 CE282000 C0640000 00000005 00000000 00000000 EFFE8EC0 CFFED958
NIP [C0088B8C] free_block+0xc4/0x16c
LR [C0088CF8] drain_array+0xc4/0x100
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Call Trace:
[CE283ED0] [C06ABEC0] 0xc06abec0(unreliable)
[CE283EF0] [C0088CF8] drain_array+0xc4/0x100
[CE283F10] [C008A70C] cache_reap+0x94/0x13c
[CE283F30] [C003DA2C] run_workqueue+0xc4/0x198
[CE283F60] [C003E6D4] worker_thread+0x130/0x154
[CE283FB0] [C0042E80] kthread+0xd4/0x110
[CE283FF0] [C0011A70] original_kernel_thread+0x44/0x60Instruction dump:
5400cffe 0f000000 80c4001c 7d1cf214 3c000010 3d200020 80a8001c 60000100
81660000 61290200 81460004 3906001c <916a0000> 914b0004 90060000 91260004
------------[ cut here ]------------
Badness at c0011e4c [verbose debug info unavailable]
Call Trace:
[CE283C50] [C00080BC] show_stack+0x3c/0x1a0 (unreliable)
[CE283C80] [C018EA28] report_bug+0xb0/0xb8
[CE283C90] [C000EC94] program_check_exception+0xcc/0x4f8
[CE283CD0] [C0010BE4] ret_from_except_full+0x0/0x4c
[CE283D90] [C0640000] 0xc0640000
[CE283DD0] [C000E61C] die+0x1f0/0x27c
[CE283E00] [C0014B18] bad_page_fault+0x98/0xe8
[CE283E10] [C0010A88] handle_page_fault+0x7c/0x80
[CE283ED0] [C06ABEC0] 0xc06abec0
[CE283EF0] [C0088CF8] drain_array+0xc4/0x100
[CE283F10] [C008A70C] cache_reap+0x94/0x13c
[CE283F30] [C003DA2C] run_workqueue+0xc4/0x198
[CE283F60] [C003E6D4] worker_thread+0x130/0x154
[CE283FB0] [C0042E80] kthread+0xd4/0x110
[CE283FF0] [C0011A70] original_kernel_thread+0x44/0x60
1.2 Oops分析
Oops: Kernel access of bad area, sig: 11 [#1]
异常分类
Oops:内核态指令异常;
BUG:内核检测到逻辑异常(类似于assert),会影响内核的后续运行;
WARNING:类似于BUG,但是不会影响内核的后续运行;
PANIC:类似于BUG,系统不能继续运行,直接挂起或重启;
SOFTLOCK:长时间任务得不到调度;
异常信号
Signal |
Code |
Default Action |
Description |
SIGABRT |
6 |
A |
Process abort signal |
SIGALRM |
14 |
T |
Alarm clock |
SIGBUS |
10 |
A |
Access to an undefined portion of a memory object |
SIGCHLD |
18 |
I - Ignore the Signal |
Child process terminated, stopped, |
SIGCONT |
25 |
C - Continue the process |
Continue executing, if stopped. |
SIGFPE |
8 |
A |
Erroneous arithmetic operation. |
SIGHUP |
1 |
T |
Hangup. |
SIGILL |
4 |
A |
Illegal instruction. |
SIGINT |
2 |
T |
Terminal interrupt signal. |
SIGKILL |
9 |
T |
Kill (cannot be caught or ignored). |
SIGPIPE |
13 |
T - Abnormal termination of the process |
Write on a pipe with no one to read it. |
SIGQUIT |
3 |
A - Abnormal termination of the process |
Terminal quit signal. |
SIGSEGV |
11 |
A |
Invalid memory reference. |
SIGSTOP |
23 |
S - Stop the process |
Stop executing (cannot be caught or ignored). |
SIGTERM |
15 |
T |
Termination signal. |
SIGTSTP |
23 |
S |
Terminal stop signal. |
SIGTTIN |
26 |
S |
Background process attempting read. |
SIGTTOU |
27 |
S |
Background process attempting write. |
SIGUSR1 |
16 |
T |
User-defined signal 1. |
SIGUSR2 |
17 |
T |
User-defined signal 2. |
SIGPOLL |
22 |
T |
Pollable event. |
SIGPROF |
29 |
T |
Profiling timer expired. |
SIGSYS |
12 |
A |
Bad system call. |
SIGTRAP |
5 |
A |
Trace/breakpoint trap. |
SIGURG |
21 |
I |
High bandwidth data is available at a socket. |
SIGVTALRM |
28 |
T |
Virtual timer expired. |
SIGXCPU |
30 |
A |
CPU time limit exceeded. |
SIGXFSZ |
31 |
A |
File size limit exceeded |
Default Actions:
T - Abnormal termination of the process. The process is terminated with all the consequences of _exit() except that the status made available to wait() and waitpid() indicates abnormal termination by the specified signal.
A - Abnormal termination of the process. Additionally, implementation-defined abnormal termination actions, such as creation of a core file, may occur.
I - Ignore the signal.
S - Stop the process.
C - Continue the process, if it is stopped; otherwise, ignore the signal.
具体针对powerpc e500内核,异常与信号的对应关系如下:
所以有进程访问了超出其虚拟地址空间的地址,内核报SIGSEGV(segment fault)信号。
那是什么进程呢?
其他
#1,die_counter,表示Oops发生的次数,一般来说,如果有多条Oops,看第一条Oops信息,因为后面的Oops可能是第一条Oops的错误传播导致的。
1.3 寄存器分析
NIP: C0088B8C LR: C0088CF8 CTR: 00000000
NIP是next instruction pointer,值就是当前指令的地址。这里列出了3个寄存器的值。
LR是link register其值为上一条指令的地址。
CTR是count register,其值用于循环指令。
REGS: ce283e20 TRAP: 0300 Not tainted (2.6.21.7-EMBSYS-CGEL-3.04.10.P6.F5)
TRAP :异常处理函数入口地址;REGS :系统栈pt_regs的基址。pt_regs这个结构封装了需要在内核入口中保存的最少的状态信息。比如说每一次的系统调用、中断、陷阱、故障。
0x100: "(System Reset)" 0x200: "(Machine Check)" 0x300: "(Data Access)" 0x380: "(Data SLB Access)" 0x400: "(Instruction Access)" 0x480: "(Instruction SLB Access)" 0x500: "(Hardware Interrupt)" 0x600: "(Alignment)" 0x700: "(Program Check)" 0x800: "(FPU Unavailable)" 0x900: "(Decrementer)" 0xc00: "(System Call)" 0xd00: "(Single Step)" 0xf00: "(Performance Monitor)" 0xf20: "(Altivec Unavailable)" 0x1300: "(Instruction Breakpoint)" |
详细解释见《PowerPC™ e500 Core Family Reference Manual》“5.7 Interrupt Definitions”。
tainted :内核错误信息,由add_taint设置,解释如下:
* 'P' - Proprietary module has been loaded. * 'F' - Module has been forcibly loaded. * 'S' - SMP with CPUs not designed for SMP. * 'R' - User forced a module unload. * 'M' - System experienced a machine check exception. * 'B' - System has hit bad_page. * 'U' - Userspace-defined naughtiness. * 'D' - Kernel has oopsed before * 'A' - ACPI table overridden. * 'W' - Taint on warning. * 'C' - modules from drivers/staging are loaded. |
MSR: 00021000 <ME> CR: 22004222 XER: 00000000
DAR: 36FEF31E, DSISR: 00800000
MSR是machine state register;
CR是condition register;
XER为Integer Exception Register
DAR为data address register,其值为造成了内存访问异常的地址。E500中为Data Exception Address Register (DEAR)
DSISR为Data Storage Interrupt Status Register,是存储着发生内存访问异常原因的寄存器。E500中为Exception Syndrome Register (ESR)。0x00800000表示Store operation中的Alignment, data storage, data TLB error异常。
TASK = cffdf180[26] 'events/1' THREAD: ce282000 CPU: 1
cffdf180:进程task_struct结构体的地址;
26:进程号;
events/1:进程名;
THREAD:进程的内核栈起始地址;
CPU:当前CPU;
当前进程也就是'events/1进程,出现SIGSEGV异常了。
GPR00: 00100100 CE283ED0 CFFDF180 CF528000 C09EA500 EFFEAD20 CF5188A0 00000000
GPR08: CF5188BC 00200200 36FEF31E D1FD7F9E 22004222 1010DA44 00000290 00000000
GPR16: 1011C858 100147F4 BF9BC9C4 10100000 00000001 C0460000 C06454CC 00000000
GPR24: C0640000 CE282000 C0640000 00000005 00000000 00000000 EFFE8EC0 CFFED958
PowerPC的ABI规定的寄存器的使用规则如下:
(1)GPR0:属于易失性寄存器,ABI规定普通用户不能使用此寄存器。GCC编译器用此寄存器来保存LR寄存器,Linux PowerPC用此寄存器来传递系统调用号码。
(2)GPR1:属于专用寄存器,ABI规定用次寄存器来保存堆栈的栈顶指针。
(3)GPR2:属于专用寄存器,ABI规定普通用户不使用才寄存器,Linux PowerPC用此寄存器来保存当前进程的进程描述符地址。
(4)GPR3-GPR4:属于易失性寄存器,ABI使用这两个寄存器来保存函数的返回值,或者用来传递参数。
(5)GPR5-GPR10:也属于易失性寄存器,加上GPR3和GPR4共8个寄存器用来传递函数的参数。当函数的参数超过八个时使用堆栈来传递。
(6)GPR11-GPR12:属于易失性寄存器,ABI规定普通用户不使用该寄存器,Linux PowerPC有时用这两个寄存器来存放临时变量,但是GCC编译器没有使用这两个寄存器。
(7)GPR13:属于专用寄存器,ABI规定该寄存器sdata段的基地址指针。Linux PowerPC在系统初始化时使用该寄存器来存放临时变量。GCC有时会根据某些规则将一些常用的数据放入sdata或者sbss段中。应用程序对sdata或者sbss段数据的访问与对data和bss段数据的访问机制不同,访问sdata段的数据速度更快。
(8)GPR14-GPR31:属于非易失性寄存器。ABI使用这些寄存器来存放一些临时变量,在应用程序中可以自由使用这些变量。
1.4 调用栈分析
调用链
NIP [C0088B8C] free_block+0xc4/0x16c
LR [C0088CF8] drain_array+0xc4/0x100
Call Trace:
[CE283ED0] [C06ABEC0] 0xc06abec0(unreliable)
[CE283EF0] [C0088CF8] drain_array+0xc4/0x100
[CE283F10] [C008A70C] cache_reap+0x94/0x13c
[CE283F30] [C003DA2C] run_workqueue+0xc4/0x198
[CE283F60] [C003E6D4] worker_thread+0x130/0x154
[CE283FB0] [C0042E80] kthread+0xd4/0x110
[CE283FF0] [C0011A70] original_kernel_thread+0x44/0x60
Instruction dump:
5400cffe 0f000000 80c4001c 7d1cf214 3c000010 3d200020 80a8001c 60000100
81660000 61290200 81460004 3906001c <916a0000> 914b0004 90060000 91260004
[CE283FB0] [C0042E80] kthread+0xd4/0x110
CE283FB0:栈地址;
C0042E80:栈上保存的LR值,即函数返回地址。
kthread:函数名;
0xd4/0x110:异常指令偏移/调用函数长度。
static void free_block(struct kmem_cache *cachep, void **objpp, int nr_objects, int node)
从调用栈上看,内核在drain_array中调用free_block出现异常,查看free_block原型,对比入栈参数(CF528000 C09EA500 EFFEAD20 CF5188A0),可以发现int nr_objects, int node明显异常,可能推断调用栈可能已经被踩。
指令码
Instruction dump:
5400cffe 0f000000 80c4001c 7d1cf214 3c000010 3d200020 80a8001c 60000100
81660000 61290200 81460004 3906001c <916a0000> 914b0004 90060000 91260004
Instruction dump打印出NIP附近的指令字节码。其中<916a0000>为NIP的指令码。
反汇编定位
objump -dS vmlinux > /tmp/kernel.s
通过查找<916a0000>对应的C代码,确定具体那句C代码出现异常。
其中vmlinux为已打开调试信息的,与故障相同版本的内核镜像。
2.MIPS小系统内核异常分析
2.1 异常打印
0:Oops[#1]:
0:Cpu 0
0:Show thread info from vcpu 0
0: VCPU Stack bottom Task Ti at
0: 0 c000000595057fe0 swapper c000000595054000
0:Thread info( c000000595054000 ):
0: Process swapper (pid: 1)
0: exec_domain ffffffffc0f299b0
0: flags 100000
0: tp_value 0
0: cpu 0
0: preempt_count 2
0: regs (null)
0:STACK_END_MAGIC at va( c000000595054068 ): 57AC6E9D( =? 57AC6E9D)
0:
0:$ 0 : 0: 0000000000000000 0: 0000000000000000 0: 0000000000000000 0: 0000000000000001 0:
0:$ 4 : 0: 0000000000000000 0: 0000000000000000 0: ffffffffffffffff 0: 0000000000002976 0:
0:$ 8 : 0: 0000000000007fff 0: 000000000000000a 0: 5f73746172747570 0: 000000000000006c 0:
0:$12 : 0: 0000000000000068 0: 000000000000004c 0: ffffffffc10bc384 0: c000000593338000 0:
0:$16 : 0: 0000000000000000 0: ffffffffc10e42b8 0: ffffffffc10e0000 0: ffffffffc10e0000 0:
0:$20 : 0: 0000000000000000 0: 0000000000000080 0: 0000000000000080 0: 0000000000000000 0:
0:$24 : 0: 0000000000000006 0: ffffffffc06501a8 0: 0: 0:
0:$28 : 0: c000000595054000 0: c000000595057c88 0: 0000000000000000 0: ffffffffc087bf40 0:
0:Hi : 0000000000000000
0:Lo : 0000000000000000
0:epc : ffffffffc087c4b4 _bcore_cleanup+0x34/0x190
0: Not tainted
0:ra : ffffffffc087bf40 _init+0x3e8/0x480
0:Status: 5400ffe3 0:KX 0:SX 0:UX 0:KERNEL 0:EXL 0:IE 0:
0:Cause : 00800008
0:BadVA : 0000000000000008
0:PrId : 000c1102 (XLP316 A2 )
0:<d>Modules linked in: 0:
0:Process swapper (pid: 1, threadinfo=c000000595054000, task=c000000595053898, tls=0000000000000000)
0:Stack : 0: ffffffffffffffff 0: ffffffffc10e0000 0: c000000595193240 0: 0000000000000001 0:
0: ffffffffc104365c 0: ffffffffc087bf40 0: 000001fac104365c 0: ffffffffc087cb30 0:
0: ffffffffc087c3a8 0: 0000000000000000 0: ffffffffc0f4a778 0: c000000595193000 0:
0: c000000595193240 0: 0000000000000001 0: ffffffffc10e0000 0: c000000595193240 0:
0: 0000000000000001 0: ffffffffc104365c 0: 0000000000000000 0: 0000000000000080 0:
0: 0000000000000080 0: ffffffffc1043c44 0: 00008a17bc300000 0: ffffffffc10e0000 0:
0: c00000059333dd40 0: 0000000000000000 0: 3800000000000000 0: 0000000000000000 0:
0: 000000009333dd40 0: ffffffffc1043638 0: 000000005400ffe0 0: ffffffffbfff00fe 0:
0: ffffffffc1070000 0: ffffffffc1063200 0: 0000000000000001 0: ffffffffc104365c 0:
0: 0000000000000000 0: 0000000000000080 0: 0000000000000080 0: 0000000000000000 0:
0: ... 0:
0:Call Trace: [jiffies: 0xfffff79f]
0:[<ffffffffc087c4b4>] _bcore_cleanup+0x34/0x190
0:[<ffffffffc087bf40>] _init+0x3e8/0x480
0:[<ffffffffc1043c44>] bcmxgs_init_module+0x5e8/0xc00
0:[<ffffffffc060eebc>] do_one_initcall+0x3c/0x1a0
0:[<ffffffffc102cc04>] kernel_init+0x220/0x2b8
0:[<ffffffffc062c730>] kernel_thread_helper+0x10/0x20
0:
0:
Code: 0: ffbf0028 0: 0000802d 0: 663142b8 0:<dc420008> 0: 0040f809 0: 00000000 0: 0202102a 0: 1040001d 0: 00000000
0:
0:<4>Disabling lock debugging due to kernel taint
2.2 异常信号
异常与信号之间的关系:
2.3 线程信息分析
0:Cpu 0:这2个0为当前CPU核ID;
0:Show thread info from vcpu 0
0: VCPU Stack bottom Task Ti at
0: 0 c000000595057fe0 swapper c000000595054000
VCPU:CPU核;
Stack bottom:栈底指针;
Task:线程名;
Ti at:线程thread_info结构体指针;
0:Thread info( c000000595054000 ):
0: Process swapper (pid: 1)
0: exec_domain ffffffffc0f299b0
0: flags 100000
0: tp_value 0
0: cpu 0
0: preempt_count 2
0: regs (null)
0:STACK_END_MAGIC at va( c000000595054068 ): 57AC6E9D( =? 57AC6E9D)
flags :线程标志位,具体标记如下表。此时值为TIF_FIXADE,表示有address errors。Thread info( c000000595054000 ):产生异常的线程信息;下面的字段为thread_info结构体中的字段信息。其中,
preempt_count:为抢占计数。为0时,内核可以安全的执行抢占此线程。不为0,表示当前进程持有锁不能释放CPU控制权(不能被抢占)。
STACK_END_MAGIC:栈底部的魔幻数,可以辅助判断栈是否被踩。
#define TIF_SIGPENDING 1 /* signal pending */ #define TIF_NEED_RESCHED 2 /* rescheduling necessary */ #define TIF_SYSCALL_AUDIT 3 /* syscall auditing active */ #define TIF_SECCOMP 4 /* secure computing */ #define TIF_NOTIFY_RESUME 5 /* callback before returning to user */ #define TIF_RESTORE_SIGMASK 9 /* restore signal mask in do_signal() */ #define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */ #define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */ #define TIF_MEMDIE 18 #define TIF_FREEZE 19 #define TIF_FIXADE 20 /* Fix address errors in software */ #define TIF_LOGADE 21 /* Log address errors to syslog */ #define TIF_32BIT_REGS 22 /* also implies 16/32 fprs */ #define TIF_32BIT_ADDR 23 /* 32-bit address space (o32/n32) */ #define TIF_FPUBOUND 24 /* thread bound to FPU-full CPU set */ #define TIF_LOAD_WATCH 25 /* If set, load watch registers */ #define TIF_XKPHYS_MEM_EN 26 #define TIF_XKPHYS_IO_EN 27 #define TIF_SYSCALL_TRACE 31 /* syscall trace active */
2.4 寄存器分析
0:$ 0 : 0: 0000000000000000 0: 0000000000000000 0: 0000000000000000 0: 0000000000000001 0:
0:$ 4 : 0: 0000000000000000 0: 0000000000000000 0: ffffffffffffffff 0: 0000000000002976 0:
0:$ 8 : 0: 0000000000007fff 0: 000000000000000a 0: 5f73746172747570 0: 000000000000006c 0:
0:$12 : 0: 0000000000000068 0: 000000000000004c 0: ffffffffc10bc384 0: c000000593338000 0:
0:$16 : 0: 0000000000000000 0: ffffffffc10e42b8 0: ffffffffc10e0000 0: ffffffffc10e0000 0:
0:$20 : 0: 0000000000000000 0: 0000000000000080 0: 0000000000000080 0: 0000000000000000 0:
0:$24 : 0: 0000000000000006 0: ffffffffc06501a8 0: 0: 0:
0:$28 : 0: c000000595054000 0: c000000595057c88 0: 0000000000000000 0: ffffffffc087bf40 0:
0:Hi : 0000000000000000
0:Lo : 0000000000000000
0:epc : ffffffffc087c4b4 _bcore_cleanup+0x34/0x190
0: Not tainted
0:ra : ffffffffc087bf40 _init+0x3e8/0x480
0:Status: 5400ffe3 0:KX 0:SX 0:UX 0:KERNEL 0:EXL 0:IE 0:
0:Cause : 00800008
0:BadVA : 0000000000000008
0:PrId : 000c1102 (XLP316 A2 )
Mips核心寄存器组有4组,分别是GP, COP0, COP1, COP2。
其中COP0几个重要的寄存器解释如下:
Status:c0p0状态cp0_status。其中EXL标示在异常模式中,具体解释请参照《参考资料6.7 第193页》
Cause:00800008,标示 TLB exception(load or instruction fetch)
BadVA:产生异常的虚拟地址,如地址错误、无效的TLB,TLB modified等等。
2.5 调用栈分析
0:Process swapper (pid: 1, threadinfo=c000000595054000, task=c000000595053898, tls=0000000000000000)
0:Stack : 0: ffffffffffffffff 0: ffffffffc10e0000 0: c000000595193240 0: 0000000000000001 0:
0: ffffffffc104365c 0: ffffffffc087bf40 0: 000001fac104365c 0: ffffffffc087cb30 0:
0: ffffffffc087c3a8 0: 0000000000000000 0: ffffffffc0f4a778 0: c000000595193000 0:
0: c000000595193240 0: 0000000000000001 0: ffffffffc10e0000 0: c000000595193240 0:
0: 0000000000000001 0: ffffffffc104365c 0: 0000000000000000 0: 0000000000000080 0:
0: 0000000000000080 0: ffffffffc1043c44 0: 00008a17bc300000 0: ffffffffc10e0000 0:
0: c00000059333dd40 0: 0000000000000000 0: 3800000000000000 0: 0000000000000000 0:
0: 000000009333dd40 0: ffffffffc1043638 0: 000000005400ffe0 0: ffffffffbfff00fe 0:
0: ffffffffc1070000 0: ffffffffc1063200 0: 0000000000000001 0: ffffffffc104365c 0:
0: 0000000000000000 0: 0000000000000080 0: 0000000000000080 0: 0000000000000000 0:
0: ... 0:
0:Call Trace: [jiffies: 0xfffff79f]
0:[<ffffffffc087c4b4>] _bcore_cleanup+0x34/0x190
0:[<ffffffffc087bf40>] _init+0x3e8/0x480
0:[<ffffffffc1043c44>] bcmxgs_init_module+0x5e8/0xc00
0:[<ffffffffc060eebc>] do_one_initcall+0x3c/0x1a0
0:[<ffffffffc102cc04>] kernel_init+0x220/0x2b8
0:[<ffffffffc062c730>] kernel_thread_helper+0x10/0x20
0:
0:
Code: 0: ffbf0028 0: 0000802d 0: 663142b8 0:<dc420008> 0: 0040f809 0: 00000000 0: 0202102a 0: 1040001d 0: 00000000
0:
Call Trace:出现异常线程的调用栈信息。Stack:出现异常线程的堆栈信息。
Code:异常附近的指令码打印。其中0:<dc420008>为epc处的指令码,对应代码位置为(epc : ffffffffc087c4b4 _bcore_cleanup+0x34/0x190)。具体代码需要反汇编定位。
反汇编定位方法与Powerpc的相同。
分析代码可知,异常由于访问了BadVA : 0000000000000008的非法地址,查看_bcore_cleanup代码,可知此时bde指针没有初始化,是空指针,所以bde->num_devices的地址刚好是0000000000000008,导致异常。
异常代码段如下:
_bcore_cleanup(void)
{
for (unit = 0; unit < bde->num_devices(BDE_ALL_DEVICES); unit++)
6.参考资料
6.1 http://en.wikipedia.org/wiki/Unix_signal
6.2 http://www.powerlinuxchina.net/club/viewthread.php?tid=981
6.3 《PowerPC™ e500 Application Binary Interface User’s Guide》
6.4 《PowerPC™ e500 Core Family Reference Manual》
6.5 《MPC8572E PowerQUICC™ III Integrated Host Processor Family Reference Manual》
6.6 《SYSTEM V APPLICATION BINARY INTERFACE – MIPS RISC Processor Supplement》
6.7 《XLP 300-/300-Lite-Series-Processor Programmer’s Register Reference Guide》
6.8 http://blog.chinaunix.net/uid-16459552-id-3459993.html
6.9 http://blog.chinaunix.net/uid-16459552-id-3257539.html
6.10 http://www.linuxspy.info/2249/tainted-kernel/
--EOF--