Re: [Crash-utility] Use crash with KVM memory dump?

----- Original Message ----- > > > > On Fri, May 30, 2014 at 12:36 AM, Dave Anderson < anderson(a)redhat.com > > wrote: > > > > > > ----- Original Message ----- > > hi, > > > > i dump the whole memory of a KVM guest out using "dump-guest-memory". as a > > result, now i have a big ELF file. i want to use "crash" to analyze this > > dump file. > > > > the question is: given the RIP address of an instruction in the KVM guest - > > for example 0x12345, which is virtual address, how can "crash" tell me > > where > > in the dump is the position of 0x12345? is there such a command for this? > > Is the RIP in user-space or kernel-space? If I understand your question correctly, > you can enter "vtop" of the RIP to get the physical address, but if it's a > user-space address, you must ensure that you have "set" the context to the > PID/task-address of the task whose user-space memory you want to look at. > > > > > my intention is to locate the place, and analyze the assembly instruction > > around that RIP to see what is running at the time i dumped the KVM memory. > > You really don't need to know where in the dumpfile the RIP is located > for disassembly. If it's kernel-space you're interested in, then you > can just do "dis -rl <RIP-address>" to see the sequence of instructions > leading up to the RIP. If it's user-space, there's no way to determine > the beginning of the user-space function that was running, so the best > you can do is to "set" your context to the task you're interested in, > and do a "dis -u <user-space-RIP> <count>" to see where it was, and where > it would be going to. > > > yes, the RIP is in the kernel at that time. > > could you please confirm that everything you said above work with all kind of > guest OS running on x86, but not only Linux guest? Sorry, no, the crash utility will only work with a Linux guest.