Re: [Crash-utility] crash cannot read the symbols
I tried to use crash just to read the vmlinux file without debug info.
So I used crash not correctly.
Since this is used for linux 2.4 I cannot simply get a core dump file.
In 2.6 it's relatively easy to get a core dump, the same isn't true for linux 2.4
I guess?
Thanks,
Reinoud.
-----Original Message-----
From: crash-utility-bounces(a)redhat.com [mailto:crash-utility-bounces@redhat.com] On Behalf
Of Dave Anderson
Sent: Wednesday, September 21, 2011 6:00 AM
To: Discussion list for crash utility usage, maintenance and development
Subject: Re: [Crash-utility] crash cannot read the symbols
----- Original Message -----
Hmm, the /dev/mem does not reflect the kernel and symbols I am trying
to read, because I do not have a core dump of the crash.
I just tried to read the kernel and modules in crash to read it.
I think we have a basic misunderstanding -- although I'm not sure...
The crash utility requires two pieces:
(1) a vmlinux file built with debuginfo data, and
(2) a memory source -- which can be either:
(a) a kernel core dump, or
(b) a device driver to access physical memory on a live system.
If analyzing a kernel core dump, the vmlinux must be the same kernel version that was
running when the system crashed.
If analyzing a live system, the vmlinux must be the same kernel that is running on the
live system.
When running against a core dump, the crash utility needs at least two arguments:
$ crash vmlinux vmcore
When running against a live system, you can simply enter:
$ crash vmlinux
because the crash utility will try to find the correct device driver, which is typically
/dev/mem. If /dev/mem is restricted to its first 1MB of physical memory, you can try to
use /proc/kcore:
$ crash vmlinux /proc/kcore
Or if that doesn't work, you can create your own /dev/crash kernel module for physical
memory access. I don't know whether the sample /dev/crash memory driver supplied with
the crash utility sources will compile cleanly in a 2.4 kernel environment -- it may
require some tweaking. In the crash-5.1.8/memory_driver sub-directory, there is the
memory driver's crash.c file, a Makefile, and this README file:
For live system analysis, the physical memory source must be one of
the following devices:
/dev/mem
/proc/kcore
/dev/crash
If the live system kernel was configured with CONFIG_STRICT_DEVMEM,
then /dev/mem cannot be used.
If the live system kernel was configured without CONFIG_PROC_KCORE,
or if /proc/kcore is non-functional, then /proc/kcore cannot be used.
The third alternative is this /dev/crash driver. Presuming that
/lib/modules/`uname -r`/build points to a kernel build tree or kernel
"devel" package tree, the module can simply be built and installed
like so:
# make
...
# insmod crash.ko
Once installed, the /dev/crash driver will be used by default for
live system crash sessions.
So when you say "the /dev/mem does not reflect the kernel and symbols I am trying to
read", by that I understand you to mean that the vmlinux file that you built is not
the same kernel version as is running on your host machine. If that is true, then the
crash utility is not an appropriate tool for looking at your new vmlinux -- again, the
crash utility expects a memory source where the vmlinux is currently running, or a core
dump of the system that was running it when it crashed.
You could do this:
$ gdb vmlinux
and then poke around the kernel's static text and data as they are initially loaded
into memory. But the crash utility cannot be used that way.
Dave
--
Crash-utility mailing list
Crash-utility(a)redhat.com
https://www.redhat.com/mailman/listinfo/crash-utility