Sorry, no, the crash utility will only work with a Linux guest.
----- Original Message -----
>
>
>
> On Fri, May 30, 2014 at 12:36 AM, Dave Anderson < anderson@redhat.com >
> wrote:
>
>
>
>
>
> ----- Original Message -----
> > hi,
> >
> > i dump the whole memory of a KVM guest out using "dump-guest-memory". as a
> > result, now i have a big ELF file. i want to use "crash" to analyze this
> > dump file.
> >
> > the question is: given the RIP address of an instruction in the KVM guest -
> > for example 0x12345, which is virtual address, how can "crash" tell me
> > where
> > in the dump is the position of 0x12345? is there such a command for this?
>
> Is the RIP in user-space or kernel-space? If I understand your question correctly,
> you can enter "vtop" of the RIP to get the physical address, but if it's a
> user-space address, you must ensure that you have "set" the context to the
> PID/task-address of the task whose user-space memory you want to look at.
>
> >
> > my intention is to locate the place, and analyze the assembly instruction
> > around that RIP to see what is running at the time i dumped the KVM memory.
>
> You really don't need to know where in the dumpfile the RIP is located
> for disassembly. If it's kernel-space you're interested in, then you
> can just do "dis -rl <RIP-address>" to see the sequence of instructions
> leading up to the RIP. If it's user-space, there's no way to determine
> the beginning of the user-space function that was running, so the best
> you can do is to "set" your context to the task you're interested in,
> and do a "dis -u <user-space-RIP> <count>" to see where it was, and where
> it would be going to.
>
>
> yes, the RIP is in the kernel at that time.
>
> could you please confirm that everything you said above work with all kind of
> guest OS running on x86, but not only Linux guest?