11:31 p.m.
We have enountered the following edge case for orc unwinder which results an
incorrect stack unwinding:
$ objdump -d vmlinux
ffffffff8100be70 <panic>:
ffffffff8100be70: f3 0f 1e fa endbr64
ffffffff8100be74: e8 c7 b9 0d 00 call ffffffff810e7840
<__fentry__>
ffffffff8100be79: 55 push %rbp
ffffffff8100be7a: 49 89 fa mov %rdi,%r10
ffffffff8100be7d: 48 89 e5 mov %rsp,%rbp
ffffffff8100be80: 48 83 ec 50 sub $0x50,%rsp
...
ffffffff8100bed2: 48 89 44 24 10 mov %rax,0x10(%rsp)
ffffffff8100bed7: e8 f4 fc ff ff call ffffffff8100bbd0 <vpanic>
ffffffff8100bedc <nmi_panic.cold>:
ffffffff8100bedc: 48 c7 c7 6e c2 8b 82 mov $0xffffffff828bc26e,%rdi
ffffffff8100bee3: e8 88 ff ff ff call ffffffff8100be70 <panic>
$ objtool --dump=orc vmlinux
...
ffffffff8100be7a:type:call sp:sp+16 bp:prevsp-16 signal:0
ffffffff8100be80:type:call sp:bp+16 bp:prevsp-16 signal:0
ffffffff8100bedc:type:call sp:sp+8 bp:(und) signal:0
ffffffff8100bee8:type:call sp:sp+16 bp:(und) signal:0
crash> gdb bt
#0 0xffffffff8126b3e4 in crash_setup_regs
#1 0xffffffff8126b7a2 in __crash_kexec
#2 0xffffffff8100bca9 in vpanic
#3 0xffffffff8100bedc in panic
#4 0xffffffff81903a9a in sysrq_handle_crash
...
crash> bt -r
...
ffffc9000126fc40: machine_kexec+184 sysrq_showstate_op
ffffc9000126fc50: .LC4+109 __crash_kexec+114
ffffc9000126fc60: 0000000000000000 0000000000000007
ffffc9000126fc70: 0000000000000063 ffffc9000126fd48
ffffc9000126fc80: .LC4+109 sysrq_showstate_op
ffffc9000126fc90: 0000000000000002 _printk_rb_static_infos+64944
ffffc9000126fca0: _printk_rb_static_descs+17712 0000000000000000
ffffc9000126fcb0: 0000000000000000 0000000000000000
ffffc9000126fcc0: 0000000000000001 0000000000000000
ffffc9000126fcd0: ffffc9000126fc60 0000000000000000
ffffc9000126fce0: crash_setup_regs+116 0000000000000010
ffffc9000126fcf0: 0000000000000046 ffffc9000126fc58
ffffc9000126fd00: 0000000000000018 a9e74447ad8b9200
ffffc9000126fd10: sysrq_showstate_op vpanic+217
ffffc9000126fd20: sysrq_crash_op ffffc9000126fd98
ffffc9000126fd30: 0000000000000000 0000000000000063
ffffc9000126fd40: panic+108 0000000000000008
ffffc9000126fd50: ffffc9000126fda8 ffffc9000126fd68
ffffc9000126fd60: a9e74447ad8b9200 a9e74447ad8b9200
ffffc9000126fd70: ffff88813bc1d1c0 0000000000000000
ffffc9000126fd80: 0000000000000000 0000000000000000
ffffc9000126fd90: _printk_rb_static_descs+786408 0000000000000000
ffffc9000126fda0: sysrq_handle_crash+26 __handle_sysrq.cold+159
Within the stack, we can identify the following stackframes:
1. rsp ffffc9000126fc40, rip (machine_kexec+184)
2. rsp ffffc9000126fc58, rip (__crash_kexec+114)
3. rsp ffffc9000126fd10, rip (vpanic+217)
4. rsp ffffc9000126fd40, rip (panic+108)
Before the fix, crash will directly pass rip to orc_find() to calculate
each framesize, actually this is incorrect, because the rip is what
we found in stack, as we all know the "call" instruction will push
the address of the next instruction into stack, rather than the address
of the "call" instruction itself. So for the (panic+108, or ffffffff8100bedc)
case, orc winder finds the frame of 0xffffffff8100bedc is sp:sp+8.
This is incorrect, because 0xffffffff8100bedc belongs to a different
function, aka nmi_panic(), rather than panic(). So we should use (rip -
5, or ffffffff8100bed7) for orc_find(), which gives sp:bp+16 for unwind
stack frame. We can confirm this by reading the disassembly at
ffffffff8100be70 ~ ffffffff8100be80.
This is an edge case because the address after the "call" instruction
located to a different function, which lead to orc_find() got a wrong
framesize.
This patch fix this by check the 1st previous instruction of rip we read
from stack. If the instruction is "call", then we pass the address of
the "call" to orc_find(), to ensure we orc unwinding the correct function.
Signed-off-by: Tao Liu <ltao(a)redhat.com>
---
x86_64.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/x86_64.c b/x86_64.c
index b2cddbf..70bc1da 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -8887,7 +8887,38 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
return 0;
- if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
+ if (machdep->flags & ORC) {
+ /*
+ * Disassemble & check if the 1st previous instruction of textaddr
+ * is "call". If it does, the orc should unwind against the
+ * address of the "call" inst, rather than the textaddr itself.
+ */
+ open_tmpfile2();
+ sprintf(buf, "x/-1i 0x%lx", textaddr);
+ if (!gdb_pass_through(buf, pc->tmpfile2, GNU_RETURN_ON_ERROR)) {
+ close_tmpfile2();
+ bt->flags |= BT_FRAMESIZE_DISABLE;
+ return 0;
+ }
+ rewind(pc->tmpfile2);
+ if (fgets(buf, BUFSIZE, pc->tmpfile2)) {
+ c = parse_line(buf, arglist);
+ for (int i = 0; i < c; i++) {
+ if (!strcmp(arglist[i], "call")) {
+ reterror = 0;
+ ulong tmp_val = htol(arglist[0],
+ RETURN_ON_ERROR, &reterror);
+ if (!reterror)
+ textaddr = tmp_val;
+ break;
+ }
+ }
+ }
+ close_tmpfile2();
+
+ if ((korc = orc_find(textaddr)) == NULL)
+ goto out_orc;
+
if (CRASHDEBUG(1)) {
struct ORC_data *orc = &machdep->machspec->orc;
fprintf(fp,
@@ -8939,6 +8970,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
}
}
+out_orc:
framesize = max = 0;
max_instructions = textaddr - sp->value;
instr = arg = -1;
--
2.47.0
11:31 p.m.
New subject: [PATCH 2/2] x86_64: ignore the compiler generated xx.cold symbols
The xx.cold symbols are generated by compiler to optimize the
frequently/infrequently called routines, rather than real function
names. We'd better filter out those, because it will interfer the
sp = value_search(text, &offset) call.
For value_search(), normally we are expecting to get the offset of text
from an actual function. With xx.cold symbol exists, it might show we
are at offset 0 of xx.cold, so crash might regard this as the start of a
function, and make incorrect decisions.
Signed-off-by: Tao Liu <ltao(a)redhat.com>
---
x86_64.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/x86_64.c b/x86_64.c
index 70bc1da..95abae6 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -2745,6 +2745,9 @@ x86_64_verify_symbol(const char *name, ulong value, char type)
if (XEN_HYPER_MODE() && STREQ(name, "__per_cpu_shift"))
return TRUE;
+ if (strlen(name) > 5 && STREQ(name + strlen(name) - 5, ".cold"))
+ return FALSE;
+
if (!(machdep->flags & KSYMS_START)) {
if (STREQ(name, "_text") || STREQ(name, "_stext")) {
machdep->flags |= KSYMS_START;
--
2.47.0
3:18 a.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
On 2026/05/20 13:31, Tao Liu wrote:
We have enountered the following edge case for orc unwinder which
results an
incorrect stack unwinding:
$ objdump -d vmlinux
ffffffff8100be70 <panic>:
ffffffff8100be70: f3 0f 1e fa endbr64
ffffffff8100be74: e8 c7 b9 0d 00 call ffffffff810e7840
<__fentry__>
ffffffff8100be79: 55 push %rbp
ffffffff8100be7a: 49 89 fa mov %rdi,%r10
ffffffff8100be7d: 48 89 e5 mov %rsp,%rbp
ffffffff8100be80: 48 83 ec 50 sub $0x50,%rsp
...
ffffffff8100bed2: 48 89 44 24 10 mov %rax,0x10(%rsp)
ffffffff8100bed7: e8 f4 fc ff ff call ffffffff8100bbd0 <vpanic>
ffffffff8100bedc <nmi_panic.cold>:
ffffffff8100bedc: 48 c7 c7 6e c2 8b 82 mov $0xffffffff828bc26e,%rdi
ffffffff8100bee3: e8 88 ff ff ff call ffffffff8100be70 <panic>
$ objtool --dump=orc vmlinux
...
ffffffff8100be7a:type:call sp:sp+16 bp:prevsp-16 signal:0
ffffffff8100be80:type:call sp:bp+16 bp:prevsp-16 signal:0
ffffffff8100bedc:type:call sp:sp+8 bp:(und) signal:0
ffffffff8100bee8:type:call sp:sp+16 bp:(und) signal:0
crash> gdb bt
#0 0xffffffff8126b3e4 in crash_setup_regs
#1 0xffffffff8126b7a2 in __crash_kexec
#2 0xffffffff8100bca9 in vpanic
#3 0xffffffff8100bedc in panic
#4 0xffffffff81903a9a in sysrq_handle_crash
...
crash> bt -r
...
ffffc9000126fc40: machine_kexec+184 sysrq_showstate_op
ffffc9000126fc50: .LC4+109 __crash_kexec+114
ffffc9000126fc60: 0000000000000000 0000000000000007
ffffc9000126fc70: 0000000000000063 ffffc9000126fd48
ffffc9000126fc80: .LC4+109 sysrq_showstate_op
ffffc9000126fc90: 0000000000000002 _printk_rb_static_infos+64944
ffffc9000126fca0: _printk_rb_static_descs+17712 0000000000000000
ffffc9000126fcb0: 0000000000000000 0000000000000000
ffffc9000126fcc0: 0000000000000001 0000000000000000
ffffc9000126fcd0: ffffc9000126fc60 0000000000000000
ffffc9000126fce0: crash_setup_regs+116 0000000000000010
ffffc9000126fcf0: 0000000000000046 ffffc9000126fc58
ffffc9000126fd00: 0000000000000018 a9e74447ad8b9200
ffffc9000126fd10: sysrq_showstate_op vpanic+217
ffffc9000126fd20: sysrq_crash_op ffffc9000126fd98
ffffc9000126fd30: 0000000000000000 0000000000000063
ffffc9000126fd40: panic+108 0000000000000008
ffffc9000126fd50: ffffc9000126fda8 ffffc9000126fd68
ffffc9000126fd60: a9e74447ad8b9200 a9e74447ad8b9200
ffffc9000126fd70: ffff88813bc1d1c0 0000000000000000
ffffc9000126fd80: 0000000000000000 0000000000000000
ffffc9000126fd90: _printk_rb_static_descs+786408 0000000000000000
ffffc9000126fda0: sysrq_handle_crash+26 __handle_sysrq.cold+159
Within the stack, we can identify the following stackframes:
1. rsp ffffc9000126fc40, rip (machine_kexec+184)
2. rsp ffffc9000126fc58, rip (__crash_kexec+114)
3. rsp ffffc9000126fd10, rip (vpanic+217)
4. rsp ffffc9000126fd40, rip (panic+108)
Before the fix, crash will directly pass rip to orc_find() to calculate
each framesize, actually this is incorrect, because the rip is what
we found in stack, as we all know the "call" instruction will push
the address of the next instruction into stack, rather than the address
of the "call" instruction itself. So for the (panic+108, or ffffffff8100bedc)
case, orc winder finds the frame of 0xffffffff8100bedc is sp:sp+8.
This is incorrect, because 0xffffffff8100bedc belongs to a different
function, aka nmi_panic(), rather than panic(). So we should use (rip -
5, or ffffffff8100bed7) for orc_find(), which gives sp:bp+16 for unwind
stack frame. We can confirm this by reading the disassembly at
ffffffff8100be70 ~ ffffffff8100be80.
This is an edge case because the address after the "call" instruction
located to a different function, which lead to orc_find() got a wrong
framesize.
This patch fix this by check the 1st previous instruction of rip we read
from stack. If the instruction is "call", then we pass the address of
the "call" to orc_find(), to ensure we orc unwinding the correct function.
Hi Tao, thank you for the work!
I tried the patchset, unfortunately it prints a bit wrong trace,
because the correct .cold symbols are removed, I think.
* SysRq case
crash> bt
PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
#0 [ffffcda8c346b970] machine_kexec at ffffffff908e91e8
#1 [ffffcda8c346b988] __crash_kexec at ffffffff90a6b7a2
#2 [ffffcda8c346ba48] vpanic at ffffffff9080bca9
#3 [ffffcda8c346ba70] panic at ffffffff9080bedc
#4 [ffffcda8c346bad0] sysrq_handle_crash at ffffffff91103a9a
#5 [ffffcda8c346bad8] sysrq_handle_loglevel at ffffffff90841048 <<--
#6 [ffffcda8c346bb08] write_sysrq_trigger at ffffffff91104679
#7 [ffffcda8c346bb30] proc_reg_write at ffffffff90dd3137
#8 [ffffcda8c346bb48] vfs_write at ffffffff90d17308
#9 [ffffcda8c346bbd8] ksys_write at ffffffff90d1783d
#10 [ffffcda8c346bc10] do_syscall_64 at ffffffff9168e96d
#11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe at ffffffff9180012f
* NMI case
crash> bt
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] panic at ffffffffa1a0bee8 <<--
#5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
[exception RIP: default_idle+15]
On the other hand, kernel's call trace looks correct, so I looked into
how the kernel prints this.
[ 133.526125] Call Trace:
[ 133.526126] <NMI>
[ 133.526128] dump_stack_lvl+0x4e/0x70
[ 133.526131] vpanic+0xc2/0x290
[ 133.526133] panic+0x6c/0x6c
[ 133.526134] nmi_panic.cold+0xc/0xc
[ 133.526135] unknown_nmi_error+0x77/0xa0
[ 133.526137] exc_nmi+0x106/0x180
[ 133.526140] end_repeat_nmi+0xf/0x53
* When printing a symbol for call trace, it searches for "address - 1".
static void printk_stack_address(unsigned long address, int reliable,
const char *log_lvl)
{
touch_nmi_watchdog();
printk("%s %s%pBb\n", log_lvl, reliable ? "" : "?
", (void *)address);
} ^^^^
This "%pBb" gets to the following function.
/**
* sprint_backtrace_build_id - Look up a backtrace symbol and return it in a text
buffer
* @buffer: buffer to be stored
* @address: address to lookup
*
* This function is for stack backtrace and does the same thing as
* sprint_symbol() but with modified/decreased @address. If there is a
* tail-call to the function marked "noreturn", gcc optimized out code after
* the call so that the stack-saved return address could point outside of the
<<--
* caller. This function ensures that kallsyms will find the original caller
* by decreasing @address. This function also appends the module build ID to
* the @buffer if @address is within a kernel module.
*
* This function returns the number of bytes stored in @buffer.
*/
int sprint_backtrace_build_id(char *buffer, unsigned long address)
{
return __sprint_symbol(buffer, address, -1, 1, 1);
} ^^^
/* Look up a kernel symbol and return it in a text buffer. */
static int __sprint_symbol(char *buffer, unsigned long address,
int symbol_offset, int add_offset, int add_buildid)
{
...
address += symbol_offset; // search for the symbol with symbol_offset(-1)
len = kallsyms_lookup_buildid(address, &size, &offset, &modname,
&buildid,
buffer);
if (!len)
return sprintf(buffer, "0x%lx", address - symbol_offset);
offset -= symbol_offset; // adjust offset (+1)
if (add_offset) // print offset
len += sprintf(buffer + len, "+%#lx/%#lx", offset, size);
* When searching for ORC data, usually "ip - 1" is used.
bool unwind_next_frame(struct unwind_state *state)
{
...
/*
* Find the orc_entry associated with the text address.
*
* For a call frame (as opposed to a signal frame), state->ip points to
* the instruction after the call. That instruction's stack layout
* could be different from the call instruction's layout, for example
* if the call was to a noreturn function. So get the ORC data for the
<<--
* call instruction itself.
*/
orc = orc_find(state->signal ? state->ip : state->ip - 1);
^^^^^^^^^^^^^
So I tried a simple patch like this at first:
--- a/x86_64.c
+++ b/x86_64.c
@@ -3229,7 +3229,8 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp, int level,
if (!(bt->flags & BT_SAVE_EFRAME_IP))
bt->eframe_ip = 0;
offset = 0;
- sp = value_search(text, &offset);
+ sp = value_search(text-1, &offset);
+ offset++;
if (!sp)
return BACKTRACE_ENTRY_IGNORED;
@@ -8811,7 +8812,9 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
return 0;
}
- if (!(sp = value_search(textaddr, &offset))) {
+ sp = value_search(textaddr-1, &offset);
+ offset++;
+ if (!sp) {
if (!(bt->flags & BT_FRAMESIZE_DEBUG))
bt->flags |= BT_FRAMESIZE_DISABLE;
return 0;
@@ -8887,7 +8890,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
return 0;
- if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
+ if ((machdep->flags & ORC) && (korc = orc_find(textaddr-1))) {
if (CRASHDEBUG(1)) {
struct ORC_data *orc = &machdep->machspec->orc;
fprintf(fp,
This looks good at first glance.
crash> bt
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] nmi_panic.cold at ffffffffa1a0bee8
#5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
[exception RIP: default_idle+15]
RIP: ffffffffa2895c6f RSP: ffffffffa3c03e88 RFLAGS: 00000256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8cb88b0ecf08
RDX: ffffd2b200dc74a1 RSI: 0000000000000087 RDI: 000000000008086c
RBP: ffffffffa3c12940 R8: 000000000008086c R9: 0000000000000000
R10: 0000000000000001 R11: fefefefefefefeff R12: 0000000000000000
R13: 000000007d41f000 R14: 000000000000000c R15: 000000007d41f000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
--- <NMI exception stack> ---
#8 [ffffffffa3c03e88] default_idle at ffffffffa2895c6f
#9 [ffffffffa3c03e88] default_idle_call at ffffffffa2895ef9
#10 [ffffffffa3c03e90] cpuidle_idle_call at ffffffffa1bbf4ba
#11 [ffffffffa3c03ec8] do_idle at ffffffffa1bbf573
...
But there are some issues, which I've found so far:
* How we can emulate state->signal=1 case in crash.
Your method (check if the prev is "call") may be good, is there any
more orc-based or robust way?
* "bt -s" option still prints wrong symbols.
What do you think about this way?
Thanks,
Kazu
>
> Signed-off-by: Tao Liu <ltao(a)redhat.com>
> ---
> x86_64.c | 34 +++++++++++++++++++++++++++++++++-
> 1 file changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/x86_64.c b/x86_64.c
> index b2cddbf..70bc1da 100644
> --- a/x86_64.c
> +++ b/x86_64.c
> @@ -8887,7 +8887,38 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong
rsp, char *stack_
> if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
> return 0;
>
> - if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
> + if (machdep->flags & ORC) {
> + /*
> + * Disassemble & check if the 1st previous instruction of textaddr
> + * is "call". If it does, the orc should unwind against the
> + * address of the "call" inst, rather than the textaddr itself.
> + */
> + open_tmpfile2();
> + sprintf(buf, "x/-1i 0x%lx", textaddr);
> + if (!gdb_pass_through(buf, pc->tmpfile2, GNU_RETURN_ON_ERROR)) {
> + close_tmpfile2();
> + bt->flags |= BT_FRAMESIZE_DISABLE;
> + return 0;
> + }
> + rewind(pc->tmpfile2);
> + if (fgets(buf, BUFSIZE, pc->tmpfile2)) {
> + c = parse_line(buf, arglist);
> + for (int i = 0; i < c; i++) {
> + if (!strcmp(arglist[i], "call")) {
> + reterror = 0;
> + ulong tmp_val = htol(arglist[0],
> + RETURN_ON_ERROR, &reterror);
> + if (!reterror)
> + textaddr = tmp_val;
> + break;
> + }
> + }
> + }
> + close_tmpfile2();
> +
> + if ((korc = orc_find(textaddr)) == NULL)
> + goto out_orc;
> +
> if (CRASHDEBUG(1)) {
> struct ORC_data *orc = &machdep->machspec->orc;
> fprintf(fp,
> @@ -8939,6 +8970,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong
rsp, char *stack_
> }
> }
>
> +out_orc:
> framesize = max = 0;
> max_instructions = textaddr - sp->value;
> instr = arg = -1;
8:23 p.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
Hi Kazu,
Thanks for your insight on this.
On Thu, May 21, 2026 at 8:18 PM HAGIO KAZUHITO(萩尾 一仁)
<k-hagio-ab(a)nec.com> wrote:
On 2026/05/20 13:31, Tao Liu wrote:
> We have enountered the following edge case for orc unwinder which results an
> incorrect stack unwinding:
>
> $ objdump -d vmlinux
> ffffffff8100be70 <panic>:
> ffffffff8100be70: f3 0f 1e fa endbr64
> ffffffff8100be74: e8 c7 b9 0d 00 call ffffffff810e7840
<__fentry__>
> ffffffff8100be79: 55 push %rbp
> ffffffff8100be7a: 49 89 fa mov %rdi,%r10
> ffffffff8100be7d: 48 89 e5 mov %rsp,%rbp
> ffffffff8100be80: 48 83 ec 50 sub $0x50,%rsp
> ...
> ffffffff8100bed2: 48 89 44 24 10 mov %rax,0x10(%rsp)
> ffffffff8100bed7: e8 f4 fc ff ff call ffffffff8100bbd0
<vpanic>
>
> ffffffff8100bedc <nmi_panic.cold>:
> ffffffff8100bedc: 48 c7 c7 6e c2 8b 82 mov $0xffffffff828bc26e,%rdi
> ffffffff8100bee3: e8 88 ff ff ff call ffffffff8100be70
<panic>
>
> $ objtool --dump=orc vmlinux
> ...
> ffffffff8100be7a:type:call sp:sp+16 bp:prevsp-16 signal:0
> ffffffff8100be80:type:call sp:bp+16 bp:prevsp-16 signal:0
> ffffffff8100bedc:type:call sp:sp+8 bp:(und) signal:0
> ffffffff8100bee8:type:call sp:sp+16 bp:(und) signal:0
>
> crash> gdb bt
> #0 0xffffffff8126b3e4 in crash_setup_regs
> #1 0xffffffff8126b7a2 in __crash_kexec
> #2 0xffffffff8100bca9 in vpanic
> #3 0xffffffff8100bedc in panic
> #4 0xffffffff81903a9a in sysrq_handle_crash
> ...
>
> crash> bt -r
> ...
> ffffc9000126fc40: machine_kexec+184 sysrq_showstate_op
> ffffc9000126fc50: .LC4+109 __crash_kexec+114
> ffffc9000126fc60: 0000000000000000 0000000000000007
> ffffc9000126fc70: 0000000000000063 ffffc9000126fd48
> ffffc9000126fc80: .LC4+109 sysrq_showstate_op
> ffffc9000126fc90: 0000000000000002 _printk_rb_static_infos+64944
> ffffc9000126fca0: _printk_rb_static_descs+17712 0000000000000000
> ffffc9000126fcb0: 0000000000000000 0000000000000000
> ffffc9000126fcc0: 0000000000000001 0000000000000000
> ffffc9000126fcd0: ffffc9000126fc60 0000000000000000
> ffffc9000126fce0: crash_setup_regs+116 0000000000000010
> ffffc9000126fcf0: 0000000000000046 ffffc9000126fc58
> ffffc9000126fd00: 0000000000000018 a9e74447ad8b9200
> ffffc9000126fd10: sysrq_showstate_op vpanic+217
> ffffc9000126fd20: sysrq_crash_op ffffc9000126fd98
> ffffc9000126fd30: 0000000000000000 0000000000000063
> ffffc9000126fd40: panic+108 0000000000000008
> ffffc9000126fd50: ffffc9000126fda8 ffffc9000126fd68
> ffffc9000126fd60: a9e74447ad8b9200 a9e74447ad8b9200
> ffffc9000126fd70: ffff88813bc1d1c0 0000000000000000
> ffffc9000126fd80: 0000000000000000 0000000000000000
> ffffc9000126fd90: _printk_rb_static_descs+786408 0000000000000000
> ffffc9000126fda0: sysrq_handle_crash+26 __handle_sysrq.cold+159
>
> Within the stack, we can identify the following stackframes:
>
> 1. rsp ffffc9000126fc40, rip (machine_kexec+184)
> 2. rsp ffffc9000126fc58, rip (__crash_kexec+114)
> 3. rsp ffffc9000126fd10, rip (vpanic+217)
> 4. rsp ffffc9000126fd40, rip (panic+108)
>
> Before the fix, crash will directly pass rip to orc_find() to calculate
> each framesize, actually this is incorrect, because the rip is what
> we found in stack, as we all know the "call" instruction will push
> the address of the next instruction into stack, rather than the address
> of the "call" instruction itself. So for the (panic+108, or
ffffffff8100bedc)
> case, orc winder finds the frame of 0xffffffff8100bedc is sp:sp+8.
> This is incorrect, because 0xffffffff8100bedc belongs to a different
> function, aka nmi_panic(), rather than panic(). So we should use (rip -
> 5, or ffffffff8100bed7) for orc_find(), which gives sp:bp+16 for unwind
> stack frame. We can confirm this by reading the disassembly at
> ffffffff8100be70 ~ ffffffff8100be80.
>
> This is an edge case because the address after the "call" instruction
> located to a different function, which lead to orc_find() got a wrong
> framesize.
>
> This patch fix this by check the 1st previous instruction of rip we read
> from stack. If the instruction is "call", then we pass the address of
> the "call" to orc_find(), to ensure we orc unwinding the correct
function.
Hi Tao, thank you for the work!
I tried the patchset, unfortunately it prints a bit wrong trace,
because the correct .cold symbols are removed, I think.
* SysRq case
crash> bt
PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
#0 [ffffcda8c346b970] machine_kexec at ffffffff908e91e8
#1 [ffffcda8c346b988] __crash_kexec at ffffffff90a6b7a2
#2 [ffffcda8c346ba48] vpanic at ffffffff9080bca9
#3 [ffffcda8c346ba70] panic at ffffffff9080bedc
#4 [ffffcda8c346bad0] sysrq_handle_crash at ffffffff91103a9a
#5 [ffffcda8c346bad8] sysrq_handle_loglevel at ffffffff90841048 <<--
#6 [ffffcda8c346bb08] write_sysrq_trigger at ffffffff91104679
#7 [ffffcda8c346bb30] proc_reg_write at ffffffff90dd3137
#8 [ffffcda8c346bb48] vfs_write at ffffffff90d17308
#9 [ffffcda8c346bbd8] ksys_write at ffffffff90d1783d
#10 [ffffcda8c346bc10] do_syscall_64 at ffffffff9168e96d
#11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe at ffffffff9180012f
* NMI case
crash> bt
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] panic at ffffffffa1a0bee8 <<--
#5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
[exception RIP: default_idle+15]
On the other hand, kernel's call trace looks correct, so I looked into
how the kernel prints this.
[ 133.526125] Call Trace:
[ 133.526126] <NMI>
[ 133.526128] dump_stack_lvl+0x4e/0x70
[ 133.526131] vpanic+0xc2/0x290
[ 133.526133] panic+0x6c/0x6c
[ 133.526134] nmi_panic.cold+0xc/0xc
[ 133.526135] unknown_nmi_error+0x77/0xa0
[ 133.526137] exc_nmi+0x106/0x180
[ 133.526140] end_repeat_nmi+0xf/0x53
* When printing a symbol for call trace, it searches for "address - 1".
static void printk_stack_address(unsigned long address, int reliable,
const char *log_lvl)
{
touch_nmi_watchdog();
printk("%s %s%pBb\n", log_lvl, reliable ? "" : "?
", (void *)address);
} ^^^^
This "%pBb" gets to the following function.
/**
* sprint_backtrace_build_id - Look up a backtrace symbol and return it in a text
buffer
* @buffer: buffer to be stored
* @address: address to lookup
*
* This function is for stack backtrace and does the same thing as
* sprint_symbol() but with modified/decreased @address. If there is a
* tail-call to the function marked "noreturn", gcc optimized out code after
* the call so that the stack-saved return address could point outside of the
<<--
* caller. This function ensures that kallsyms will find the original caller
* by decreasing @address. This function also appends the module build ID to
* the @buffer if @address is within a kernel module.
*
* This function returns the number of bytes stored in @buffer.
*/
int sprint_backtrace_build_id(char *buffer, unsigned long address)
{
return __sprint_symbol(buffer, address, -1, 1, 1);
} ^^^
/* Look up a kernel symbol and return it in a text buffer. */
static int __sprint_symbol(char *buffer, unsigned long address,
int symbol_offset, int add_offset, int add_buildid)
{
...
address += symbol_offset; // search for the symbol with symbol_offset(-1)
len = kallsyms_lookup_buildid(address, &size, &offset, &modname,
&buildid,
buffer);
if (!len)
return sprintf(buffer, "0x%lx", address - symbol_offset);
offset -= symbol_offset; // adjust offset (+1)
if (add_offset) // print offset
len += sprintf(buffer + len, "+%#lx/%#lx", offset, size);
* When searching for ORC data, usually "ip - 1" is used.
bool unwind_next_frame(struct unwind_state *state)
{
...
/*
* Find the orc_entry associated with the text address.
*
* For a call frame (as opposed to a signal frame), state->ip points to
* the instruction after the call. That instruction's stack layout
* could be different from the call instruction's layout, for example
* if the call was to a noreturn function. So get the ORC data for the
<<--
* call instruction itself.
*/
orc = orc_find(state->signal ? state->ip : state->ip - 1);
^^^^^^^^^^^^^
So I tried a simple patch like this at first:
--- a/x86_64.c
+++ b/x86_64.c
@@ -3229,7 +3229,8 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp, int level,
if (!(bt->flags & BT_SAVE_EFRAME_IP))
bt->eframe_ip = 0;
offset = 0;
- sp = value_search(text, &offset);
+ sp = value_search(text-1, &offset);
+ offset++;
if (!sp)
return BACKTRACE_ENTRY_IGNORED;
@@ -8811,7 +8812,9 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
return 0;
}
- if (!(sp = value_search(textaddr, &offset))) {
+ sp = value_search(textaddr-1, &offset);
+ offset++;
+ if (!sp) {
if (!(bt->flags & BT_FRAMESIZE_DEBUG))
bt->flags |= BT_FRAMESIZE_DISABLE;
return 0;
@@ -8887,7 +8890,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong rsp,
char *stack_
if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
return 0;
- if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
+ if ((machdep->flags & ORC) && (korc = orc_find(textaddr-1))) {
if (CRASHDEBUG(1)) {
struct ORC_data *orc = &machdep->machspec->orc;
fprintf(fp,
This looks good at first glance.
crash> bt
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] nmi_panic.cold at ffffffffa1a0bee8
#5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
[exception RIP: default_idle+15]
RIP: ffffffffa2895c6f RSP: ffffffffa3c03e88 RFLAGS: 00000256
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8cb88b0ecf08
RDX: ffffd2b200dc74a1 RSI: 0000000000000087 RDI: 000000000008086c
RBP: ffffffffa3c12940 R8: 000000000008086c R9: 0000000000000000
R10: 0000000000000001 R11: fefefefefefefeff R12: 0000000000000000
R13: 000000007d41f000 R14: 000000000000000c R15: 000000007d41f000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
--- <NMI exception stack> ---
#8 [ffffffffa3c03e88] default_idle at ffffffffa2895c6f
#9 [ffffffffa3c03e88] default_idle_call at ffffffffa2895ef9
#10 [ffffffffa3c03e90] cpuidle_idle_call at ffffffffa1bbf4ba
#11 [ffffffffa3c03ec8] do_idle at ffffffffa1bbf573
...
But there are some issues, which I've found so far:
* How we can emulate state->signal=1 case in crash.
Your method (check if the prev is "call") may be good, is there any
more orc-based or robust way?
Sorry I cannot think of a better way to emulate the state->signal=1
case. To me, tracking the previous "call" instruction is the simple
way to determine if we are in a normal function call chain(previous
"call" exists) or in interruption/exception handler (previous "call"
not exists).
* "bt -s" option still prints wrong symbols.
Hmm, I see...
How about we keep the "x86_64: Correct the unwind address for orc when
"call" instruction encountered" patch, and ignore "x86_64: ignore the
compiler generated xx.cold symbols" patch, with the following change
applied:
diff --git a/x86_64.c b/x86_64.c
index 70bc1da..1a8d90b 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -3267,7 +3267,7 @@ x86_64_print_stack_entry(struct bt_info *bt,
FILE *ofp, int level,
else if (!(bt->flags & BT_SCHEDULE)) {
if (STREQ(name, "error_exit"))
eframe_check = 8;
- else {
+ else if (!(machdep->flags & ORC)) {
if (CRASHDEBUG(2))
fprintf(ofp,
"< ignoring text symbol with no offset: %s()
>\n",
This will give us the following output:
crash> bt
PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
#0 [ffffc9000126fc40] machine_kexec at ffffffff810e91e8
#1 [ffffc9000126fc58] __crash_kexec at ffffffff8126b7a2
#2 [ffffc9000126fd18] vpanic at ffffffff8100bca9
#3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
#4 [ffffc9000126fda0] sysrq_handle_crash at ffffffff81903a9a
#5 [ffffc9000126fda8] __handle_sysrq.cold at ffffffff81041048
#6 [ffffc9000126fdd8] write_sysrq_trigger at ffffffff81904679
#7 [ffffc9000126fe00] proc_reg_write at ffffffff815d3137
#8 [ffffc9000126fe18] vfs_write at ffffffff81517308
#9 [ffffc9000126fea8] ksys_write at ffffffff8151783d
#10 [ffffc9000126fee0] do_syscall_64 at ffffffff81e8e96d
#11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe at ffffffff8200012f
RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
crash> bt -s
PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
#0 [ffffc9000126fc40] machine_kexec+184 at ffffffff810e91e8
#1 [ffffc9000126fc58] __crash_kexec+114 at ffffffff8126b7a2
#2 [ffffc9000126fd18] vpanic+217 at ffffffff8100bca9
#3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
#4 [ffffc9000126fda0] sysrq_handle_crash+26 at ffffffff81903a9a
#5 [ffffc9000126fda8] __handle_sysrq.cold+159 at ffffffff81041048
#6 [ffffc9000126fdd8] write_sysrq_trigger+89 at ffffffff81904679
#7 [ffffc9000126fe00] proc_reg_write+87 at ffffffff815d3137
#8 [ffffc9000126fe18] vfs_write+248 at ffffffff81517308
#9 [ffffc9000126fea8] ksys_write+109 at ffffffff8151783d
#10 [ffffc9000126fee0] do_syscall_64+125 at ffffffff81e8e96d
#11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe+118 at ffffffff8200012f
RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
Dmesg gives:
[ 83.387009] dump_stack_lvl+0x4e/0x70
[ 83.387653] vpanic+0xc2/0x290
[ 83.388143] panic+0x6c/0x6c
[ 83.388603] sysrq_handle_crash+0x1a/0x20
The nmi_panic.cold at ffffffff8100bedc in fact, is panic+0x6c/0x6c in dmesg:
crash> dis panic 30
0xffffffff8100be70 <panic>: endbr64
...
0xffffffff8100bed2 <panic+98>: mov %rax,0x10(%rsp)
0xffffffff8100bed7 <panic+103>: call 0xffffffff8100bbd0 <vpanic>
0xffffffff8100bedc <nmi_panic.cold>: mov $0xffffffff828bc26e,%rdi
0xffffffff8100bee3 <nmi_panic.cold+7>: call 0xffffffff8100be70 <panic>
I think we don't have to translate nmi_panic.cold into
panic+0x6c/0x6c, it doesn't cause serious confusion to me. In this way
we don't need to hack "text - 1" as kernel does.
What do you think?
Thanks,
Tao Liu
What do you think about this way?
Thanks,
Kazu
>
> Signed-off-by: Tao Liu <ltao(a)redhat.com>
> ---
> x86_64.c | 34 +++++++++++++++++++++++++++++++++-
> 1 file changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/x86_64.c b/x86_64.c
> index b2cddbf..70bc1da 100644
> --- a/x86_64.c
> +++ b/x86_64.c
> @@ -8887,7 +8887,38 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr,
ulong rsp, char *stack_
> if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
> return 0;
>
> - if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
> + if (machdep->flags & ORC) {
> + /*
> + * Disassemble & check if the 1st previous instruction of textaddr
> + * is "call". If it does, the orc should unwind against the
> + * address of the "call" inst, rather than the textaddr
itself.
> + */
> + open_tmpfile2();
> + sprintf(buf, "x/-1i 0x%lx", textaddr);
> + if (!gdb_pass_through(buf, pc->tmpfile2, GNU_RETURN_ON_ERROR)) {
> + close_tmpfile2();
> + bt->flags |= BT_FRAMESIZE_DISABLE;
> + return 0;
> + }
> + rewind(pc->tmpfile2);
> + if (fgets(buf, BUFSIZE, pc->tmpfile2)) {
> + c = parse_line(buf, arglist);
> + for (int i = 0; i < c; i++) {
> + if (!strcmp(arglist[i], "call")) {
> + reterror = 0;
> + ulong tmp_val = htol(arglist[0],
> + RETURN_ON_ERROR,
&reterror);
> + if (!reterror)
> + textaddr = tmp_val;
> + break;
> + }
> + }
> + }
> + close_tmpfile2();
> +
> + if ((korc = orc_find(textaddr)) == NULL)
> + goto out_orc;
> +
> if (CRASHDEBUG(1)) {
> struct ORC_data *orc = &machdep->machspec->orc;
> fprintf(fp,
> @@ -8939,6 +8970,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong
rsp, char *stack_
> }
> }
>
> +out_orc:
> framesize = max = 0;
> max_instructions = textaddr - sp->value;
> instr = arg = -1;
2:33 a.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
On 2026/05/25 10:23, Tao Liu wrote:
Hi Kazu,
Thanks for your insight on this.
On Thu, May 21, 2026 at 8:18 PM HAGIO KAZUHITO(萩尾 一仁)
<k-hagio-ab(a)nec.com> wrote:
>
> On 2026/05/20 13:31, Tao Liu wrote:
>> We have enountered the following edge case for orc unwinder which results an
>> incorrect stack unwinding:
>>
>> $ objdump -d vmlinux
>> ffffffff8100be70 <panic>:
>> ffffffff8100be70: f3 0f 1e fa endbr64
>> ffffffff8100be74: e8 c7 b9 0d 00 call ffffffff810e7840
<__fentry__>
>> ffffffff8100be79: 55 push %rbp
>> ffffffff8100be7a: 49 89 fa mov %rdi,%r10
>> ffffffff8100be7d: 48 89 e5 mov %rsp,%rbp
>> ffffffff8100be80: 48 83 ec 50 sub $0x50,%rsp
>> ...
>> ffffffff8100bed2: 48 89 44 24 10 mov %rax,0x10(%rsp)
>> ffffffff8100bed7: e8 f4 fc ff ff call ffffffff8100bbd0
<vpanic>
>>
>> ffffffff8100bedc <nmi_panic.cold>:
>> ffffffff8100bedc: 48 c7 c7 6e c2 8b 82 mov $0xffffffff828bc26e,%rdi
>> ffffffff8100bee3: e8 88 ff ff ff call ffffffff8100be70
<panic>
>>
>> $ objtool --dump=orc vmlinux
>> ...
>> ffffffff8100be7a:type:call sp:sp+16 bp:prevsp-16 signal:0
>> ffffffff8100be80:type:call sp:bp+16 bp:prevsp-16 signal:0
>> ffffffff8100bedc:type:call sp:sp+8 bp:(und) signal:0
>> ffffffff8100bee8:type:call sp:sp+16 bp:(und) signal:0
>>
>> crash> gdb bt
>> #0 0xffffffff8126b3e4 in crash_setup_regs
>> #1 0xffffffff8126b7a2 in __crash_kexec
>> #2 0xffffffff8100bca9 in vpanic
>> #3 0xffffffff8100bedc in panic
>> #4 0xffffffff81903a9a in sysrq_handle_crash
>> ...
>>
>> crash> bt -r
>> ...
>> ffffc9000126fc40: machine_kexec+184 sysrq_showstate_op
>> ffffc9000126fc50: .LC4+109 __crash_kexec+114
>> ffffc9000126fc60: 0000000000000000 0000000000000007
>> ffffc9000126fc70: 0000000000000063 ffffc9000126fd48
>> ffffc9000126fc80: .LC4+109 sysrq_showstate_op
>> ffffc9000126fc90: 0000000000000002 _printk_rb_static_infos+64944
>> ffffc9000126fca0: _printk_rb_static_descs+17712 0000000000000000
>> ffffc9000126fcb0: 0000000000000000 0000000000000000
>> ffffc9000126fcc0: 0000000000000001 0000000000000000
>> ffffc9000126fcd0: ffffc9000126fc60 0000000000000000
>> ffffc9000126fce0: crash_setup_regs+116 0000000000000010
>> ffffc9000126fcf0: 0000000000000046 ffffc9000126fc58
>> ffffc9000126fd00: 0000000000000018 a9e74447ad8b9200
>> ffffc9000126fd10: sysrq_showstate_op vpanic+217
>> ffffc9000126fd20: sysrq_crash_op ffffc9000126fd98
>> ffffc9000126fd30: 0000000000000000 0000000000000063
>> ffffc9000126fd40: panic+108 0000000000000008
>> ffffc9000126fd50: ffffc9000126fda8 ffffc9000126fd68
>> ffffc9000126fd60: a9e74447ad8b9200 a9e74447ad8b9200
>> ffffc9000126fd70: ffff88813bc1d1c0 0000000000000000
>> ffffc9000126fd80: 0000000000000000 0000000000000000
>> ffffc9000126fd90: _printk_rb_static_descs+786408 0000000000000000
>> ffffc9000126fda0: sysrq_handle_crash+26 __handle_sysrq.cold+159
>>
>> Within the stack, we can identify the following stackframes:
>>
>> 1. rsp ffffc9000126fc40, rip (machine_kexec+184)
>> 2. rsp ffffc9000126fc58, rip (__crash_kexec+114)
>> 3. rsp ffffc9000126fd10, rip (vpanic+217)
>> 4. rsp ffffc9000126fd40, rip (panic+108)
>>
>> Before the fix, crash will directly pass rip to orc_find() to calculate
>> each framesize, actually this is incorrect, because the rip is what
>> we found in stack, as we all know the "call" instruction will push
>> the address of the next instruction into stack, rather than the address
>> of the "call" instruction itself. So for the (panic+108, or
ffffffff8100bedc)
>> case, orc winder finds the frame of 0xffffffff8100bedc is sp:sp+8.
>> This is incorrect, because 0xffffffff8100bedc belongs to a different
>> function, aka nmi_panic(), rather than panic(). So we should use (rip -
>> 5, or ffffffff8100bed7) for orc_find(), which gives sp:bp+16 for unwind
>> stack frame. We can confirm this by reading the disassembly at
>> ffffffff8100be70 ~ ffffffff8100be80.
>>
>> This is an edge case because the address after the "call" instruction
>> located to a different function, which lead to orc_find() got a wrong
>> framesize.
>>
>> This patch fix this by check the 1st previous instruction of rip we read
>> from stack. If the instruction is "call", then we pass the address of
>> the "call" to orc_find(), to ensure we orc unwinding the correct
function.
>
> Hi Tao, thank you for the work!
>
> I tried the patchset, unfortunately it prints a bit wrong trace,
> because the correct .cold symbols are removed, I think.
>
> * SysRq case
>
> crash> bt
> PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
> #0 [ffffcda8c346b970] machine_kexec at ffffffff908e91e8
> #1 [ffffcda8c346b988] __crash_kexec at ffffffff90a6b7a2
> #2 [ffffcda8c346ba48] vpanic at ffffffff9080bca9
> #3 [ffffcda8c346ba70] panic at ffffffff9080bedc
> #4 [ffffcda8c346bad0] sysrq_handle_crash at ffffffff91103a9a
> #5 [ffffcda8c346bad8] sysrq_handle_loglevel at ffffffff90841048 <<--
> #6 [ffffcda8c346bb08] write_sysrq_trigger at ffffffff91104679
> #7 [ffffcda8c346bb30] proc_reg_write at ffffffff90dd3137
> #8 [ffffcda8c346bb48] vfs_write at ffffffff90d17308
> #9 [ffffcda8c346bbd8] ksys_write at ffffffff90d1783d
> #10 [ffffcda8c346bc10] do_syscall_64 at ffffffff9168e96d
> #11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe at ffffffff9180012f
>
> * NMI case
>
> crash> bt
> PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
> #0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
> #1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
> #2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
> #3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
> #4 [fffffe7e99f94eb0] panic at ffffffffa1a0bee8 <<--
> #5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
> #6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
> #7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
> [exception RIP: default_idle+15]
>
>
> On the other hand, kernel's call trace looks correct, so I looked into
> how the kernel prints this.
>
> [ 133.526125] Call Trace:
> [ 133.526126] <NMI>
> [ 133.526128] dump_stack_lvl+0x4e/0x70
> [ 133.526131] vpanic+0xc2/0x290
> [ 133.526133] panic+0x6c/0x6c
> [ 133.526134] nmi_panic.cold+0xc/0xc
> [ 133.526135] unknown_nmi_error+0x77/0xa0
> [ 133.526137] exc_nmi+0x106/0x180
> [ 133.526140] end_repeat_nmi+0xf/0x53
>
>
> * When printing a symbol for call trace, it searches for "address - 1".
>
> static void printk_stack_address(unsigned long address, int reliable,
> const char *log_lvl)
> {
> touch_nmi_watchdog();
> printk("%s %s%pBb\n", log_lvl, reliable ? "" : "?
", (void *)address);
> } ^^^^
>
> This "%pBb" gets to the following function.
>
> /**
> * sprint_backtrace_build_id - Look up a backtrace symbol and return it in a text
buffer
> * @buffer: buffer to be stored
> * @address: address to lookup
> *
> * This function is for stack backtrace and does the same thing as
> * sprint_symbol() but with modified/decreased @address. If there is a
> * tail-call to the function marked "noreturn", gcc optimized out code
after
> * the call so that the stack-saved return address could point outside of the
<<--
> * caller. This function ensures that kallsyms will find the original caller
> * by decreasing @address. This function also appends the module build ID to
> * the @buffer if @address is within a kernel module.
> *
> * This function returns the number of bytes stored in @buffer.
> */
> int sprint_backtrace_build_id(char *buffer, unsigned long address)
> {
> return __sprint_symbol(buffer, address, -1, 1, 1);
> } ^^^
>
> /* Look up a kernel symbol and return it in a text buffer. */
> static int __sprint_symbol(char *buffer, unsigned long address,
> int symbol_offset, int add_offset, int add_buildid)
> {
> ...
> address += symbol_offset; // search for the symbol with symbol_offset(-1)
> len = kallsyms_lookup_buildid(address, &size, &offset,
&modname, &buildid,
> buffer);
> if (!len)
> return sprintf(buffer, "0x%lx", address -
symbol_offset);
>
> offset -= symbol_offset; // adjust offset (+1)
>
> if (add_offset) // print offset
> len += sprintf(buffer + len, "+%#lx/%#lx", offset,
size);
>
>
> * When searching for ORC data, usually "ip - 1" is used.
>
> bool unwind_next_frame(struct unwind_state *state)
> {
> ...
> /*
> * Find the orc_entry associated with the text address.
> *
> * For a call frame (as opposed to a signal frame), state->ip points
to
> * the instruction after the call. That instruction's stack layout
> * could be different from the call instruction's layout, for example
> * if the call was to a noreturn function. So get the ORC data for the
<<--
> * call instruction itself.
> */
> orc = orc_find(state->signal ? state->ip : state->ip - 1);
> ^^^^^^^^^^^^^
>
> So I tried a simple patch like this at first:
>
> --- a/x86_64.c
> +++ b/x86_64.c
> @@ -3229,7 +3229,8 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp, int
level,
> if (!(bt->flags & BT_SAVE_EFRAME_IP))
> bt->eframe_ip = 0;
> offset = 0;
> - sp = value_search(text, &offset);
> + sp = value_search(text-1, &offset);
> + offset++;
> if (!sp)
> return BACKTRACE_ENTRY_IGNORED;
>
> @@ -8811,7 +8812,9 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong
rsp, char *stack_
> return 0;
> }
>
> - if (!(sp = value_search(textaddr, &offset))) {
> + sp = value_search(textaddr-1, &offset);
> + offset++;
> + if (!sp) {
> if (!(bt->flags & BT_FRAMESIZE_DEBUG))
> bt->flags |= BT_FRAMESIZE_DISABLE;
> return 0;
> @@ -8887,7 +8890,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr, ulong
rsp, char *stack_
> if ((sp->value >= kt->init_begin) && (sp->value <
kt->init_end))
> return 0;
>
> - if ((machdep->flags & ORC) && (korc = orc_find(textaddr))) {
> + if ((machdep->flags & ORC) && (korc = orc_find(textaddr-1)))
{
> if (CRASHDEBUG(1)) {
> struct ORC_data *orc = &machdep->machspec->orc;
> fprintf(fp,
>
>
> This looks good at first glance.
>
> crash> bt
> PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
> #0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
> #1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
> #2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
> #3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
> #4 [fffffe7e99f94eb0] nmi_panic.cold at ffffffffa1a0bee8
> #5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
> #6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
> #7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
> [exception RIP: default_idle+15]
> RIP: ffffffffa2895c6f RSP: ffffffffa3c03e88 RFLAGS: 00000256
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8cb88b0ecf08
> RDX: ffffd2b200dc74a1 RSI: 0000000000000087 RDI: 000000000008086c
> RBP: ffffffffa3c12940 R8: 000000000008086c R9: 0000000000000000
> R10: 0000000000000001 R11: fefefefefefefeff R12: 0000000000000000
> R13: 000000007d41f000 R14: 000000000000000c R15: 000000007d41f000
> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
> --- <NMI exception stack> ---
> #8 [ffffffffa3c03e88] default_idle at ffffffffa2895c6f
> #9 [ffffffffa3c03e88] default_idle_call at ffffffffa2895ef9
> #10 [ffffffffa3c03e90] cpuidle_idle_call at ffffffffa1bbf4ba
> #11 [ffffffffa3c03ec8] do_idle at ffffffffa1bbf573
> ...
>
>
> But there are some issues, which I've found so far:
>
> * How we can emulate state->signal=1 case in crash.
> Your method (check if the prev is "call") may be good, is there any
> more orc-based or robust way?
Sorry I cannot think of a better way to emulate the state->signal=1
case. To me, tracking the previous "call" instruction is the simple
way to determine if we are in a normal function call chain(previous
"call" exists) or in interruption/exception handler (previous
"call"
not exists).
If a panic occurred at the next to a "call" instruction, it's changed
to the "call" address wrongly. I think this is an issue of this way.
in theory, if ip value is from a register or an exception frame, we
don't need -1. I'm still searching for that way..
>
> * "bt -s" option still prints wrong symbols.
Hmm, I see...
How about we keep the "x86_64: Correct the unwind address for orc when
"call" instruction encountered" patch, and ignore "x86_64: ignore
the
compiler generated xx.cold symbols" patch, with the following change
applied:
diff --git a/x86_64.c b/x86_64.c
index 70bc1da..1a8d90b 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -3267,7 +3267,7 @@ x86_64_print_stack_entry(struct bt_info *bt,
FILE *ofp, int level,
else if (!(bt->flags & BT_SCHEDULE)) {
if (STREQ(name, "error_exit"))
eframe_check = 8;
- else {
+ else if (!(machdep->flags & ORC)) {
if (CRASHDEBUG(2))
fprintf(ofp,
"< ignoring text symbol with no offset: %s()
>\n",
This will give us the following output:
crash> bt
PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
#0 [ffffc9000126fc40] machine_kexec at ffffffff810e91e8
#1 [ffffc9000126fc58] __crash_kexec at ffffffff8126b7a2
#2 [ffffc9000126fd18] vpanic at ffffffff8100bca9
#3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
#4 [ffffc9000126fda0] sysrq_handle_crash at ffffffff81903a9a
#5 [ffffc9000126fda8] __handle_sysrq.cold at ffffffff81041048
#6 [ffffc9000126fdd8] write_sysrq_trigger at ffffffff81904679
#7 [ffffc9000126fe00] proc_reg_write at ffffffff815d3137
#8 [ffffc9000126fe18] vfs_write at ffffffff81517308
#9 [ffffc9000126fea8] ksys_write at ffffffff8151783d
#10 [ffffc9000126fee0] do_syscall_64 at ffffffff81e8e96d
#11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe at ffffffff8200012f
RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
crash> bt -s
PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
#0 [ffffc9000126fc40] machine_kexec+184 at ffffffff810e91e8
#1 [ffffc9000126fc58] __crash_kexec+114 at ffffffff8126b7a2
#2 [ffffc9000126fd18] vpanic+217 at ffffffff8100bca9
#3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
#4 [ffffc9000126fda0] sysrq_handle_crash+26 at ffffffff81903a9a
#5 [ffffc9000126fda8] __handle_sysrq.cold+159 at ffffffff81041048
#6 [ffffc9000126fdd8] write_sysrq_trigger+89 at ffffffff81904679
#7 [ffffc9000126fe00] proc_reg_write+87 at ffffffff815d3137
#8 [ffffc9000126fe18] vfs_write+248 at ffffffff81517308
#9 [ffffc9000126fea8] ksys_write+109 at ffffffff8151783d
#10 [ffffc9000126fee0] do_syscall_64+125 at ffffffff81e8e96d
#11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe+118 at ffffffff8200012f
RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
Dmesg gives:
[ 83.387009] dump_stack_lvl+0x4e/0x70
[ 83.387653] vpanic+0xc2/0x290
[ 83.388143] panic+0x6c/0x6c
[ 83.388603] sysrq_handle_crash+0x1a/0x20
The nmi_panic.cold at ffffffff8100bedc in fact, is panic+0x6c/0x6c in dmesg:
crash> dis panic 30
0xffffffff8100be70 <panic>: endbr64
...
0xffffffff8100bed2 <panic+98>: mov %rax,0x10(%rsp)
0xffffffff8100bed7 <panic+103>: call 0xffffffff8100bbd0 <vpanic>
0xffffffff8100bedc <nmi_panic.cold>: mov $0xffffffff828bc26e,%rdi
0xffffffff8100bee3 <nmi_panic.cold+7>: call 0xffffffff8100be70 <panic>
I think we don't have to translate nmi_panic.cold into
panic+0x6c/0x6c, it doesn't cause serious confusion to me. In this way
we don't need to hack "text - 1" as kernel does.
What do you think?
Hmm, I think the nmi_panic.cold in the sysrq stack is confusing enough.
For the "bt -s" issue, introducing value_to_symstr_trace() may be good:
--- a/defs.h
+++ b/defs.h
@@ -5798,6 +5798,7 @@ struct syment *prev_symbol(char *, struct syment *);
void get_symbol_data(char *, long, void *);
int try_get_symbol_data(char *, long, void *);
char *value_to_symstr(ulong, char *, ulong);
+char *value_to_symstr_trace(ulong, char *, ulong, int);
char *value_symbol(ulong);
ulong symbol_value(char *);
ulong symbol_value_module(char *, char *);
diff --git a/symbols.c b/symbols.c
index 3c62f54d4a93..c5747705f761 100644
--- a/symbols.c
+++ b/symbols.c
@@ -5973,6 +5973,17 @@ generic_machdep_value_to_symbol(ulong value, ulong *offset)
return NULL;
}
+char *
+value_to_symstr(ulong value, char *buf, ulong radix)
+{
+ return _value_to_symstr(value, buf, radix, 0);
+}
+
+char *
+value_to_symstr_trace(ulong value, char *buf, ulong radix)
+{
+ return _value_to_symstr(value, buf, radix, 1);
+}
/*
* For a given value, format a string containing the nearest symbol name
@@ -5980,7 +5991,7 @@ generic_machdep_value_to_symbol(ulong value, ulong *offset)
* radix (10 or 16) -- if it's 0, set it to the current pc->output_radix.
*/
char *
-value_to_symstr(ulong value, char *buf, ulong radix)
+_value_to_symstr(ulong value, char *buf, ulong radix, int trace)
{
struct syment *sp;
ulong offset;
@@ -5996,7 +6007,13 @@ value_to_symstr(ulong value, char *buf, ulong radix)
if ((radix != 10) && (radix != 16))
radix = 16;
- if ((sp = value_search(value, &offset))) {
+ if (trace) {
+ sp = value_search(value-1, &offset);
+ offset++;
+ } else
+ sp = value_search(value, &offset);
+
+ if (sp) {
if (offset)
sprintf(buf, radix == 16 ? "%s+0x%lx" :
"%s+%ld",
sp->name, offset);
diff --git a/x86_64.c b/x86_64.c
index 6a7ec67c304b..0b9a2123de07 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -3237,7 +3237,7 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp, int level,
name = sp->name;
if (offset && (bt->flags & BT_SYMBOL_OFFSET))
- name_plus_offset = value_to_symstr(text, buf2, bt->radix);
+ name_plus_offset = value_to_symstr_trace(text, buf2, bt->radix);
else
name_plus_offset = NULL;
Traces look same as kernel's call traces.
* NMI case
crash> bt -sx
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec+0xb8 at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec+0x72 at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic+0xd9 at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic+0x6c at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] nmi_panic.cold+0xc at ffffffffa1a0bee8
#5 [fffffe7e99f94eb8] unknown_nmi_error+0x77 at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi+0x106 at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi+0xf at ffffffffa2a01d9d
[exception RIP: default_idle+15]
* SysRq case
crash> bt -sx
PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
#0 [ffffcda8c346b970] machine_kexec+0xb8 at ffffffff908e91e8
#1 [ffffcda8c346b988] __crash_kexec+0x72 at ffffffff90a6b7a2
#2 [ffffcda8c346ba48] vpanic+0xd9 at ffffffff9080bca9
#3 [ffffcda8c346ba70] panic+0x6c at ffffffff9080bedc
#4 [ffffcda8c346bad0] sysrq_handle_crash+0x1a at ffffffff91103a9a
#5 [ffffcda8c346bad8] __handle_sysrq.cold+0x9f at ffffffff90841048
#6 [ffffcda8c346bb08] write_sysrq_trigger+0x59 at ffffffff91104679
#7 [ffffcda8c346bb30] proc_reg_write+0x57 at ffffffff90dd3137
#8 [ffffcda8c346bb48] vfs_write+0xf8 at ffffffff90d17308
#9 [ffffcda8c346bbd8] ksys_write+0x6d at ffffffff90d1783d
#10 [ffffcda8c346bc10] do_syscall_64+0x7d at ffffffff9168e96d
#11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe+0x76 at ffffffff9180012f
Thanks,
Kazu
>
> Thanks,
> Tao Liu
>
>>
>> What do you think about this way?
>>
>> Thanks,
>> Kazu
>>
>>
>>>
>>> Signed-off-by: Tao Liu <ltao(a)redhat.com>
>>> ---
>>> x86_64.c | 34 +++++++++++++++++++++++++++++++++-
>>> 1 file changed, 33 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/x86_64.c b/x86_64.c
>>> index b2cddbf..70bc1da 100644
>>> --- a/x86_64.c
>>> +++ b/x86_64.c
>>> @@ -8887,7 +8887,38 @@ x86_64_get_framesize(struct bt_info *bt, ulong
textaddr, ulong rsp, char *stack_
>>> if ((sp->value >= kt->init_begin) && (sp->value
< kt->init_end))
>>> return 0;
>>>
>>> - if ((machdep->flags & ORC) && (korc =
orc_find(textaddr))) {
>>> + if (machdep->flags & ORC) {
>>> + /*
>>> + * Disassemble & check if the 1st previous instruction of
textaddr
>>> + * is "call". If it does, the orc should unwind
against the
>>> + * address of the "call" inst, rather than the
textaddr itself.
>>> + */
>>> + open_tmpfile2();
>>> + sprintf(buf, "x/-1i 0x%lx", textaddr);
>>> + if (!gdb_pass_through(buf, pc->tmpfile2,
GNU_RETURN_ON_ERROR)) {
>>> + close_tmpfile2();
>>> + bt->flags |= BT_FRAMESIZE_DISABLE;
>>> + return 0;
>>> + }
>>> + rewind(pc->tmpfile2);
>>> + if (fgets(buf, BUFSIZE, pc->tmpfile2)) {
>>> + c = parse_line(buf, arglist);
>>> + for (int i = 0; i < c; i++) {
>>> + if (!strcmp(arglist[i], "call")) {
>>> + reterror = 0;
>>> + ulong tmp_val = htol(arglist[0],
>>> + RETURN_ON_ERROR,
&reterror);
>>> + if (!reterror)
>>> + textaddr = tmp_val;
>>> + break;
>>> + }
>>> + }
>>> + }
>>> + close_tmpfile2();
>>> +
>>> + if ((korc = orc_find(textaddr)) == NULL)
>>> + goto out_orc;
>>> +
>>> if (CRASHDEBUG(1)) {
>>> struct ORC_data *orc =
&machdep->machspec->orc;
>>> fprintf(fp,
>>> @@ -8939,6 +8970,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong
textaddr, ulong rsp, char *stack_
>>> }
>>> }
>>>
>>> +out_orc:
>>> framesize = max = 0;
>>> max_instructions = textaddr - sp->value;
>>> instr = arg = -1;
10:22 p.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
Hi Kazu,
On Tue, May 26, 2026 at 7:33 PM HAGIO KAZUHITO(萩尾 一仁)
<k-hagio-ab(a)nec.com> wrote:
On 2026/05/25 10:23, Tao Liu wrote:
> Hi Kazu,
>
> Thanks for your insight on this.
>
> On Thu, May 21, 2026 at 8:18 PM HAGIO KAZUHITO(萩尾 一仁)
> <k-hagio-ab(a)nec.com> wrote:
>>
>> On 2026/05/20 13:31, Tao Liu wrote:
>>> We have enountered the following edge case for orc unwinder which results
an
>>> incorrect stack unwinding:
>>>
>>> $ objdump -d vmlinux
>>> ffffffff8100be70 <panic>:
>>> ffffffff8100be70: f3 0f 1e fa endbr64
>>> ffffffff8100be74: e8 c7 b9 0d 00 call ffffffff810e7840
<__fentry__>
>>> ffffffff8100be79: 55 push %rbp
>>> ffffffff8100be7a: 49 89 fa mov %rdi,%r10
>>> ffffffff8100be7d: 48 89 e5 mov %rsp,%rbp
>>> ffffffff8100be80: 48 83 ec 50 sub $0x50,%rsp
>>> ...
>>> ffffffff8100bed2: 48 89 44 24 10 mov %rax,0x10(%rsp)
>>> ffffffff8100bed7: e8 f4 fc ff ff call ffffffff8100bbd0
<vpanic>
>>>
>>> ffffffff8100bedc <nmi_panic.cold>:
>>> ffffffff8100bedc: 48 c7 c7 6e c2 8b 82 mov
$0xffffffff828bc26e,%rdi
>>> ffffffff8100bee3: e8 88 ff ff ff call ffffffff8100be70
<panic>
>>>
>>> $ objtool --dump=orc vmlinux
>>> ...
>>> ffffffff8100be7a:type:call sp:sp+16 bp:prevsp-16 signal:0
>>> ffffffff8100be80:type:call sp:bp+16 bp:prevsp-16 signal:0
>>> ffffffff8100bedc:type:call sp:sp+8 bp:(und) signal:0
>>> ffffffff8100bee8:type:call sp:sp+16 bp:(und) signal:0
>>>
>>> crash> gdb bt
>>> #0 0xffffffff8126b3e4 in crash_setup_regs
>>> #1 0xffffffff8126b7a2 in __crash_kexec
>>> #2 0xffffffff8100bca9 in vpanic
>>> #3 0xffffffff8100bedc in panic
>>> #4 0xffffffff81903a9a in sysrq_handle_crash
>>> ...
>>>
>>> crash> bt -r
>>> ...
>>> ffffc9000126fc40: machine_kexec+184 sysrq_showstate_op
>>> ffffc9000126fc50: .LC4+109 __crash_kexec+114
>>> ffffc9000126fc60: 0000000000000000 0000000000000007
>>> ffffc9000126fc70: 0000000000000063 ffffc9000126fd48
>>> ffffc9000126fc80: .LC4+109 sysrq_showstate_op
>>> ffffc9000126fc90: 0000000000000002 _printk_rb_static_infos+64944
>>> ffffc9000126fca0: _printk_rb_static_descs+17712 0000000000000000
>>> ffffc9000126fcb0: 0000000000000000 0000000000000000
>>> ffffc9000126fcc0: 0000000000000001 0000000000000000
>>> ffffc9000126fcd0: ffffc9000126fc60 0000000000000000
>>> ffffc9000126fce0: crash_setup_regs+116 0000000000000010
>>> ffffc9000126fcf0: 0000000000000046 ffffc9000126fc58
>>> ffffc9000126fd00: 0000000000000018 a9e74447ad8b9200
>>> ffffc9000126fd10: sysrq_showstate_op vpanic+217
>>> ffffc9000126fd20: sysrq_crash_op ffffc9000126fd98
>>> ffffc9000126fd30: 0000000000000000 0000000000000063
>>> ffffc9000126fd40: panic+108 0000000000000008
>>> ffffc9000126fd50: ffffc9000126fda8 ffffc9000126fd68
>>> ffffc9000126fd60: a9e74447ad8b9200 a9e74447ad8b9200
>>> ffffc9000126fd70: ffff88813bc1d1c0 0000000000000000
>>> ffffc9000126fd80: 0000000000000000 0000000000000000
>>> ffffc9000126fd90: _printk_rb_static_descs+786408 0000000000000000
>>> ffffc9000126fda0: sysrq_handle_crash+26 __handle_sysrq.cold+159
>>>
>>> Within the stack, we can identify the following stackframes:
>>>
>>> 1. rsp ffffc9000126fc40, rip (machine_kexec+184)
>>> 2. rsp ffffc9000126fc58, rip (__crash_kexec+114)
>>> 3. rsp ffffc9000126fd10, rip (vpanic+217)
>>> 4. rsp ffffc9000126fd40, rip (panic+108)
>>>
>>> Before the fix, crash will directly pass rip to orc_find() to calculate
>>> each framesize, actually this is incorrect, because the rip is what
>>> we found in stack, as we all know the "call" instruction will
push
>>> the address of the next instruction into stack, rather than the address
>>> of the "call" instruction itself. So for the (panic+108, or
ffffffff8100bedc)
>>> case, orc winder finds the frame of 0xffffffff8100bedc is sp:sp+8.
>>> This is incorrect, because 0xffffffff8100bedc belongs to a different
>>> function, aka nmi_panic(), rather than panic(). So we should use (rip -
>>> 5, or ffffffff8100bed7) for orc_find(), which gives sp:bp+16 for unwind
>>> stack frame. We can confirm this by reading the disassembly at
>>> ffffffff8100be70 ~ ffffffff8100be80.
>>>
>>> This is an edge case because the address after the "call"
instruction
>>> located to a different function, which lead to orc_find() got a wrong
>>> framesize.
>>>
>>> This patch fix this by check the 1st previous instruction of rip we read
>>> from stack. If the instruction is "call", then we pass the address
of
>>> the "call" to orc_find(), to ensure we orc unwinding the correct
function.
>>
>> Hi Tao, thank you for the work!
>>
>> I tried the patchset, unfortunately it prints a bit wrong trace,
>> because the correct .cold symbols are removed, I think.
>>
>> * SysRq case
>>
>> crash> bt
>> PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
>> #0 [ffffcda8c346b970] machine_kexec at ffffffff908e91e8
>> #1 [ffffcda8c346b988] __crash_kexec at ffffffff90a6b7a2
>> #2 [ffffcda8c346ba48] vpanic at ffffffff9080bca9
>> #3 [ffffcda8c346ba70] panic at ffffffff9080bedc
>> #4 [ffffcda8c346bad0] sysrq_handle_crash at ffffffff91103a9a
>> #5 [ffffcda8c346bad8] sysrq_handle_loglevel at ffffffff90841048 <<--
>> #6 [ffffcda8c346bb08] write_sysrq_trigger at ffffffff91104679
>> #7 [ffffcda8c346bb30] proc_reg_write at ffffffff90dd3137
>> #8 [ffffcda8c346bb48] vfs_write at ffffffff90d17308
>> #9 [ffffcda8c346bbd8] ksys_write at ffffffff90d1783d
>> #10 [ffffcda8c346bc10] do_syscall_64 at ffffffff9168e96d
>> #11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe at ffffffff9180012f
>>
>> * NMI case
>>
>> crash> bt
>> PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
>> #0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
>> #1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
>> #2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
>> #3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
>> #4 [fffffe7e99f94eb0] panic at ffffffffa1a0bee8 <<--
>> #5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
>> #6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
>> #7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
>> [exception RIP: default_idle+15]
>>
>>
>> On the other hand, kernel's call trace looks correct, so I looked into
>> how the kernel prints this.
>>
>> [ 133.526125] Call Trace:
>> [ 133.526126] <NMI>
>> [ 133.526128] dump_stack_lvl+0x4e/0x70
>> [ 133.526131] vpanic+0xc2/0x290
>> [ 133.526133] panic+0x6c/0x6c
>> [ 133.526134] nmi_panic.cold+0xc/0xc
>> [ 133.526135] unknown_nmi_error+0x77/0xa0
>> [ 133.526137] exc_nmi+0x106/0x180
>> [ 133.526140] end_repeat_nmi+0xf/0x53
>>
>>
>> * When printing a symbol for call trace, it searches for "address -
1".
>>
>> static void printk_stack_address(unsigned long address, int reliable,
>> const char *log_lvl)
>> {
>> touch_nmi_watchdog();
>> printk("%s %s%pBb\n", log_lvl, reliable ? "" :
"? ", (void *)address);
>> } ^^^^
>>
>> This "%pBb" gets to the following function.
>>
>> /**
>> * sprint_backtrace_build_id - Look up a backtrace symbol and return it in a
text buffer
>> * @buffer: buffer to be stored
>> * @address: address to lookup
>> *
>> * This function is for stack backtrace and does the same thing as
>> * sprint_symbol() but with modified/decreased @address. If there is a
>> * tail-call to the function marked "noreturn", gcc optimized out
code after
>> * the call so that the stack-saved return address could point outside of the
<<--
>> * caller. This function ensures that kallsyms will find the original caller
>> * by decreasing @address. This function also appends the module build ID to
>> * the @buffer if @address is within a kernel module.
>> *
>> * This function returns the number of bytes stored in @buffer.
>> */
>> int sprint_backtrace_build_id(char *buffer, unsigned long address)
>> {
>> return __sprint_symbol(buffer, address, -1, 1, 1);
>> } ^^^
>>
>> /* Look up a kernel symbol and return it in a text buffer. */
>> static int __sprint_symbol(char *buffer, unsigned long address,
>> int symbol_offset, int add_offset, int
add_buildid)
>> {
>> ...
>> address += symbol_offset; // search for the symbol with
symbol_offset(-1)
>> len = kallsyms_lookup_buildid(address, &size, &offset,
&modname, &buildid,
>> buffer);
>> if (!len)
>> return sprintf(buffer, "0x%lx", address -
symbol_offset);
>>
>> offset -= symbol_offset; // adjust offset (+1)
>>
>> if (add_offset) // print offset
>> len += sprintf(buffer + len, "+%#lx/%#lx", offset,
size);
>>
>>
>> * When searching for ORC data, usually "ip - 1" is used.
>>
>> bool unwind_next_frame(struct unwind_state *state)
>> {
>> ...
>> /*
>> * Find the orc_entry associated with the text address.
>> *
>> * For a call frame (as opposed to a signal frame), state->ip
points to
>> * the instruction after the call. That instruction's stack
layout
>> * could be different from the call instruction's layout, for
example
>> * if the call was to a noreturn function. So get the ORC data for
the <<--
>> * call instruction itself.
>> */
>> orc = orc_find(state->signal ? state->ip : state->ip - 1);
>> ^^^^^^^^^^^^^
>>
>> So I tried a simple patch like this at first:
>>
>> --- a/x86_64.c
>> +++ b/x86_64.c
>> @@ -3229,7 +3229,8 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp,
int level,
>> if (!(bt->flags & BT_SAVE_EFRAME_IP))
>> bt->eframe_ip = 0;
>> offset = 0;
>> - sp = value_search(text, &offset);
>> + sp = value_search(text-1, &offset);
>> + offset++;
>> if (!sp)
>> return BACKTRACE_ENTRY_IGNORED;
>>
>> @@ -8811,7 +8812,9 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr,
ulong rsp, char *stack_
>> return 0;
>> }
>>
>> - if (!(sp = value_search(textaddr, &offset))) {
>> + sp = value_search(textaddr-1, &offset);
>> + offset++;
>> + if (!sp) {
>> if (!(bt->flags & BT_FRAMESIZE_DEBUG))
>> bt->flags |= BT_FRAMESIZE_DISABLE;
>> return 0;
>> @@ -8887,7 +8890,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong textaddr,
ulong rsp, char *stack_
>> if ((sp->value >= kt->init_begin) && (sp->value
< kt->init_end))
>> return 0;
>>
>> - if ((machdep->flags & ORC) && (korc =
orc_find(textaddr))) {
>> + if ((machdep->flags & ORC) && (korc =
orc_find(textaddr-1))) {
>> if (CRASHDEBUG(1)) {
>> struct ORC_data *orc =
&machdep->machspec->orc;
>> fprintf(fp,
>>
>>
>> This looks good at first glance.
>>
>> crash> bt
>> PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
>> #0 [fffffe7e99f94d50] machine_kexec at ffffffffa1ae91e8
>> #1 [fffffe7e99f94d68] __crash_kexec at ffffffffa1c6b7a2
>> #2 [fffffe7e99f94e28] vpanic at ffffffffa1a0bca9
>> #3 [fffffe7e99f94e50] panic at ffffffffa1a0bedc
>> #4 [fffffe7e99f94eb0] nmi_panic.cold at ffffffffa1a0bee8
>> #5 [fffffe7e99f94eb8] unknown_nmi_error at ffffffffa1aa39a7
>> #6 [fffffe7e99f94ed0] exc_nmi at ffffffffa2891576
>> #7 [fffffe7e99f94ef0] end_repeat_nmi at ffffffffa2a01d9d
>> [exception RIP: default_idle+15]
>> RIP: ffffffffa2895c6f RSP: ffffffffa3c03e88 RFLAGS: 00000256
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8cb88b0ecf08
>> RDX: ffffd2b200dc74a1 RSI: 0000000000000087 RDI: 000000000008086c
>> RBP: ffffffffa3c12940 R8: 000000000008086c R9: 0000000000000000
>> R10: 0000000000000001 R11: fefefefefefefeff R12: 0000000000000000
>> R13: 000000007d41f000 R14: 000000000000000c R15: 000000007d41f000
>> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
>> --- <NMI exception stack> ---
>> #8 [ffffffffa3c03e88] default_idle at ffffffffa2895c6f
>> #9 [ffffffffa3c03e88] default_idle_call at ffffffffa2895ef9
>> #10 [ffffffffa3c03e90] cpuidle_idle_call at ffffffffa1bbf4ba
>> #11 [ffffffffa3c03ec8] do_idle at ffffffffa1bbf573
>> ...
>>
>>
>> But there are some issues, which I've found so far:
>>
>> * How we can emulate state->signal=1 case in crash.
>> Your method (check if the prev is "call") may be good, is there any
>> more orc-based or robust way?
>
> Sorry I cannot think of a better way to emulate the state->signal=1
> case. To me, tracking the previous "call" instruction is the simple
> way to determine if we are in a normal function call chain(previous
> "call" exists) or in interruption/exception handler (previous
"call"
> not exists).
If a panic occurred at the next to a "call" instruction, it's changed
to the "call" address wrongly. I think this is an issue of this way.
in theory, if ip value is from a register or an exception frame, we
don't need -1. I'm still searching for that way..
>>
>> * "bt -s" option still prints wrong symbols.
>
> Hmm, I see...
>
> How about we keep the "x86_64: Correct the unwind address for orc when
> "call" instruction encountered" patch, and ignore "x86_64:
ignore the
> compiler generated xx.cold symbols" patch, with the following change
> applied:
>
> diff --git a/x86_64.c b/x86_64.c
> index 70bc1da..1a8d90b 100644
> --- a/x86_64.c
> +++ b/x86_64.c
> @@ -3267,7 +3267,7 @@ x86_64_print_stack_entry(struct bt_info *bt,
> FILE *ofp, int level,
> else if (!(bt->flags & BT_SCHEDULE)) {
> if (STREQ(name, "error_exit"))
> eframe_check = 8;
> - else {
> + else if (!(machdep->flags & ORC)) {
> if (CRASHDEBUG(2))
> fprintf(ofp,
> "< ignoring text symbol with no offset: %s()
>\n",
>
> This will give us the following output:
>
> crash> bt
> PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
> #0 [ffffc9000126fc40] machine_kexec at ffffffff810e91e8
> #1 [ffffc9000126fc58] __crash_kexec at ffffffff8126b7a2
> #2 [ffffc9000126fd18] vpanic at ffffffff8100bca9
> #3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
> #4 [ffffc9000126fda0] sysrq_handle_crash at ffffffff81903a9a
> #5 [ffffc9000126fda8] __handle_sysrq.cold at ffffffff81041048
> #6 [ffffc9000126fdd8] write_sysrq_trigger at ffffffff81904679
> #7 [ffffc9000126fe00] proc_reg_write at ffffffff815d3137
> #8 [ffffc9000126fe18] vfs_write at ffffffff81517308
> #9 [ffffc9000126fea8] ksys_write at ffffffff8151783d
> #10 [ffffc9000126fee0] do_syscall_64 at ffffffff81e8e96d
> #11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe at ffffffff8200012f
> RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
> RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
> RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
> RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
> R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
> ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
> crash> bt -s
> PID: 2074 TASK: ffff888103ea8000 CPU: 0 COMMAND: "bash"
> #0 [ffffc9000126fc40] machine_kexec+184 at ffffffff810e91e8
> #1 [ffffc9000126fc58] __crash_kexec+114 at ffffffff8126b7a2
> #2 [ffffc9000126fd18] vpanic+217 at ffffffff8100bca9
> #3 [ffffc9000126fd40] nmi_panic.cold at ffffffff8100bedc
> #4 [ffffc9000126fda0] sysrq_handle_crash+26 at ffffffff81903a9a
> #5 [ffffc9000126fda8] __handle_sysrq.cold+159 at ffffffff81041048
> #6 [ffffc9000126fdd8] write_sysrq_trigger+89 at ffffffff81904679
> #7 [ffffc9000126fe00] proc_reg_write+87 at ffffffff815d3137
> #8 [ffffc9000126fe18] vfs_write+248 at ffffffff81517308
> #9 [ffffc9000126fea8] ksys_write+109 at ffffffff8151783d
> #10 [ffffc9000126fee0] do_syscall_64+125 at ffffffff81e8e96d
> #11 [ffffc9000126ff40] entry_SYSCALL_64_after_hwframe+118 at ffffffff8200012f
> RIP: 00007faf8722f544 RSP: 00007ffe9ba94868 RFLAGS: 00000202
> RAX: ffffffffffffffda RBX: 00007faf873055c0 RCX: 00007faf8722f544
> RDX: 0000000000000002 RSI: 000055d80bde45d0 RDI: 0000000000000001
> RBP: 0000000000000002 R8: 0000000000000073 R9: 00000000ffffffff
> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
> R13: 000055d80bde45d0 R14: 0000000000000002 R15: 00007faf87302f00
> ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
>
> Dmesg gives:
>
> [ 83.387009] dump_stack_lvl+0x4e/0x70
> [ 83.387653] vpanic+0xc2/0x290
> [ 83.388143] panic+0x6c/0x6c
> [ 83.388603] sysrq_handle_crash+0x1a/0x20
>
> The nmi_panic.cold at ffffffff8100bedc in fact, is panic+0x6c/0x6c in dmesg:
>
> crash> dis panic 30
> 0xffffffff8100be70 <panic>: endbr64
> ...
> 0xffffffff8100bed2 <panic+98>: mov %rax,0x10(%rsp)
> 0xffffffff8100bed7 <panic+103>: call 0xffffffff8100bbd0 <vpanic>
> 0xffffffff8100bedc <nmi_panic.cold>: mov $0xffffffff828bc26e,%rdi
> 0xffffffff8100bee3 <nmi_panic.cold+7>: call 0xffffffff8100be70
<panic>
>
> I think we don't have to translate nmi_panic.cold into
> panic+0x6c/0x6c, it doesn't cause serious confusion to me. In this way
> we don't need to hack "text - 1" as kernel does.
>
> What do you think?
Hmm, I think the nmi_panic.cold in the sysrq stack is confusing enough.
For the "bt -s" issue, introducing value_to_symstr_trace() may be good:
I tried your approach and it works. Let's go with yours, I think it is
cleaner than mine. Do you mind posting a new patch with all your code
modifications?
Thanks,
Tao Liu
--- a/defs.h
+++ b/defs.h
@@ -5798,6 +5798,7 @@ struct syment *prev_symbol(char *, struct syment *);
void get_symbol_data(char *, long, void *);
int try_get_symbol_data(char *, long, void *);
char *value_to_symstr(ulong, char *, ulong);
+char *value_to_symstr_trace(ulong, char *, ulong, int);
char *value_symbol(ulong);
ulong symbol_value(char *);
ulong symbol_value_module(char *, char *);
diff --git a/symbols.c b/symbols.c
index 3c62f54d4a93..c5747705f761 100644
--- a/symbols.c
+++ b/symbols.c
@@ -5973,6 +5973,17 @@ generic_machdep_value_to_symbol(ulong value, ulong *offset)
return NULL;
}
+char *
+value_to_symstr(ulong value, char *buf, ulong radix)
+{
+ return _value_to_symstr(value, buf, radix, 0);
+}
+
+char *
+value_to_symstr_trace(ulong value, char *buf, ulong radix)
+{
+ return _value_to_symstr(value, buf, radix, 1);
+}
/*
* For a given value, format a string containing the nearest symbol name
@@ -5980,7 +5991,7 @@ generic_machdep_value_to_symbol(ulong value, ulong *offset)
* radix (10 or 16) -- if it's 0, set it to the current pc->output_radix.
*/
char *
-value_to_symstr(ulong value, char *buf, ulong radix)
+_value_to_symstr(ulong value, char *buf, ulong radix, int trace)
{
struct syment *sp;
ulong offset;
@@ -5996,7 +6007,13 @@ value_to_symstr(ulong value, char *buf, ulong radix)
if ((radix != 10) && (radix != 16))
radix = 16;
- if ((sp = value_search(value, &offset))) {
+ if (trace) {
+ sp = value_search(value-1, &offset);
+ offset++;
+ } else
+ sp = value_search(value, &offset);
+
+ if (sp) {
if (offset)
sprintf(buf, radix == 16 ? "%s+0x%lx" :
"%s+%ld",
sp->name, offset);
diff --git a/x86_64.c b/x86_64.c
index 6a7ec67c304b..0b9a2123de07 100644
--- a/x86_64.c
+++ b/x86_64.c
@@ -3237,7 +3237,7 @@ x86_64_print_stack_entry(struct bt_info *bt, FILE *ofp, int level,
name = sp->name;
if (offset && (bt->flags & BT_SYMBOL_OFFSET))
- name_plus_offset = value_to_symstr(text, buf2, bt->radix);
+ name_plus_offset = value_to_symstr_trace(text, buf2, bt->radix);
else
name_plus_offset = NULL;
Traces look same as kernel's call traces.
* NMI case
crash> bt -sx
PID: 0 TASK: ffffffffa3c12940 CPU: 0 COMMAND: "swapper/0"
#0 [fffffe7e99f94d50] machine_kexec+0xb8 at ffffffffa1ae91e8
#1 [fffffe7e99f94d68] __crash_kexec+0x72 at ffffffffa1c6b7a2
#2 [fffffe7e99f94e28] vpanic+0xd9 at ffffffffa1a0bca9
#3 [fffffe7e99f94e50] panic+0x6c at ffffffffa1a0bedc
#4 [fffffe7e99f94eb0] nmi_panic.cold+0xc at ffffffffa1a0bee8
#5 [fffffe7e99f94eb8] unknown_nmi_error+0x77 at ffffffffa1aa39a7
#6 [fffffe7e99f94ed0] exc_nmi+0x106 at ffffffffa2891576
#7 [fffffe7e99f94ef0] end_repeat_nmi+0xf at ffffffffa2a01d9d
[exception RIP: default_idle+15]
* SysRq case
crash> bt -sx
PID: 6598 TASK: ffff8c0902d2b680 CPU: 2 COMMAND: "bash"
#0 [ffffcda8c346b970] machine_kexec+0xb8 at ffffffff908e91e8
#1 [ffffcda8c346b988] __crash_kexec+0x72 at ffffffff90a6b7a2
#2 [ffffcda8c346ba48] vpanic+0xd9 at ffffffff9080bca9
#3 [ffffcda8c346ba70] panic+0x6c at ffffffff9080bedc
#4 [ffffcda8c346bad0] sysrq_handle_crash+0x1a at ffffffff91103a9a
#5 [ffffcda8c346bad8] __handle_sysrq.cold+0x9f at ffffffff90841048
#6 [ffffcda8c346bb08] write_sysrq_trigger+0x59 at ffffffff91104679
#7 [ffffcda8c346bb30] proc_reg_write+0x57 at ffffffff90dd3137
#8 [ffffcda8c346bb48] vfs_write+0xf8 at ffffffff90d17308
#9 [ffffcda8c346bbd8] ksys_write+0x6d at ffffffff90d1783d
#10 [ffffcda8c346bc10] do_syscall_64+0x7d at ffffffff9168e96d
#11 [ffffcda8c346bf40] entry_SYSCALL_64_after_hwframe+0x76 at ffffffff9180012f
Thanks,
Kazu
>
> Thanks,
> Tao Liu
>
>>
>> What do you think about this way?
>>
>> Thanks,
>> Kazu
>>
>>
>>>
>>> Signed-off-by: Tao Liu <ltao(a)redhat.com>
>>> ---
>>> x86_64.c | 34 +++++++++++++++++++++++++++++++++-
>>> 1 file changed, 33 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/x86_64.c b/x86_64.c
>>> index b2cddbf..70bc1da 100644
>>> --- a/x86_64.c
>>> +++ b/x86_64.c
>>> @@ -8887,7 +8887,38 @@ x86_64_get_framesize(struct bt_info *bt, ulong
textaddr, ulong rsp, char *stack_
>>> if ((sp->value >= kt->init_begin) && (sp->value
< kt->init_end))
>>> return 0;
>>>
>>> - if ((machdep->flags & ORC) && (korc =
orc_find(textaddr))) {
>>> + if (machdep->flags & ORC) {
>>> + /*
>>> + * Disassemble & check if the 1st previous instruction of
textaddr
>>> + * is "call". If it does, the orc should unwind
against the
>>> + * address of the "call" inst, rather than the
textaddr itself.
>>> + */
>>> + open_tmpfile2();
>>> + sprintf(buf, "x/-1i 0x%lx", textaddr);
>>> + if (!gdb_pass_through(buf, pc->tmpfile2,
GNU_RETURN_ON_ERROR)) {
>>> + close_tmpfile2();
>>> + bt->flags |= BT_FRAMESIZE_DISABLE;
>>> + return 0;
>>> + }
>>> + rewind(pc->tmpfile2);
>>> + if (fgets(buf, BUFSIZE, pc->tmpfile2)) {
>>> + c = parse_line(buf, arglist);
>>> + for (int i = 0; i < c; i++) {
>>> + if (!strcmp(arglist[i], "call")) {
>>> + reterror = 0;
>>> + ulong tmp_val = htol(arglist[0],
>>> + RETURN_ON_ERROR,
&reterror);
>>> + if (!reterror)
>>> + textaddr = tmp_val;
>>> + break;
>>> + }
>>> + }
>>> + }
>>> + close_tmpfile2();
>>> +
>>> + if ((korc = orc_find(textaddr)) == NULL)
>>> + goto out_orc;
>>> +
>>> if (CRASHDEBUG(1)) {
>>> struct ORC_data *orc =
&machdep->machspec->orc;
>>> fprintf(fp,
>>> @@ -8939,6 +8970,7 @@ x86_64_get_framesize(struct bt_info *bt, ulong
textaddr, ulong rsp, char *stack_
>>> }
>>> }
>>>
>>> +out_orc:
>>> framesize = max = 0;
>>> max_instructions = textaddr - sp->value;
>>> instr = arg = -1;
3:07 a.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
On 2026/05/27 12:22, Tao Liu wrote:
> For the "bt -s" issue, introducing
value_to_symstr_trace() may be good:
I tried your approach and it works. Let's go with yours, I think it is
cleaner than mine. Do you mind posting a new patch with all your code
modifications?
Sure, thanks for trying. I need more checks, please wait for a while.
Thanks,
Kazu
12:07 a.m.
New subject: [PATCH 1/2] x86_64: Correct the unwind address for orc when "call" instruction encountered
On 2026/05/27 17:07, HAGIO KAZUHITO(萩尾 一仁) wrote:
On 2026/05/27 12:22, Tao Liu wrote:
>> For the "bt -s" issue, introducing value_to_symstr_trace() may be
good:
>
> I tried your approach and it works. Let's go with yours, I think it is
> cleaner than mine. Do you mind posting a new patch with all your code
> modifications?
Sure, thanks for trying. I need more checks, please wait for a while.
Posted, could you check this?
https://www.mail-archive.com/devel@lists.crash-utility.osci.io/msg02196.html
I think "bt -l" also gets better tracking than before.
Thanks,
Kazu
3
days inactive
12
days old
devel@lists.crash-utility.osci.io
7 comments
2 participants
participants (2)
-
HAGIO KAZUHITO(萩尾 一仁) -
Tao Liu