DragonFly BSD

DebugKernelCrashDumps

Debug the DragonFly kernel

This chapter should give you an introduction how to obtain a crash dump after a kernel panic and how to extract useful information for the developers out of the dump.

Contributed by Matthias Schmidt

Configure your system

Normally a crash dump is saved in your swap partition after a crash. If you reboot your machine the next time the dump is extracted by savecore(8) from the partition and stored into /var/crash. Due to the fact that /var is a relatively small partition it could be possible that the dump isn't saved, because the dump size is larger than the remaining size.

To circumvent this problem you can change the default settings in /etc/rc.conf:

dumpdev

Indicates the device (usually a swap partition) to which a crash dump should be written in the event of a system crash.

dumpdir

savecore(8) will save that crash dump and a copy of the kernel to the directory specified by the dumpdir variable. The default value is /var/crash. You can set this to another directory on another partition with more space available to safely obtain the dump.

If you are unsure about your swap partition device, use swapinfo(8) or look into /etc/fstab :

# swapinfo 
Device          1K-blocks     Used    Avail Capacity  Type
/dev/ad0s1b       1048448        0  1048448     0%    Interleaved

# cat /etc/fstab | grep swap
/dev/ad0s1b             none            swap    sw              0       0

Enable debugging options in your custom kernel config

If you run a custom kernel you have to add the following lines to compile your kernel with debugging symbols:

makeoptions     DEBUG=-g                #Build kernel with gdb(1) debug symbols

If you want additional support for the interactive kernel debugger ddb(4) and invariant debugging, also add these lines:

# Debugging for Development
options         DDB
options         DDB_TRACE
options         INVARIANTS

You don't have to do anything to get debugging enabled in the default GENERIC kernel as it's already there.

How does a crash look like?

Easy answer: Your system stopped working. Complicated one: Your system occurred a panic(9) and drops into ddb(4), the interactive kernel debugger.

The output while seeing a crash might look this:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xd0686f55
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc02ddb9a
stack pointer           = 0x10:0xcec0fb18
frame pointer           = 0x10:0xcec0fb18
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        # interrupt enabled, resume, IOPL  0
current process         = 50725 (sysctl)
current thread          = pri 6

panic: from debugger

Before your machine reboots a crash dump is saved into your swap partition (if you have one and don't disabled crash dumps). Writing the dump to disk takes some time depending on your machine and the amount of RAM installed. This might look like this:

dumping to dev #ad/0x20001, blockno 1049088
dump 511 510 509 508 507 506 505 
[...]
26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 succeeded

Now your machine reboots, checks its file system and finally extracts the crash dump from the swap partition to your dumpdir (see rc.conf setting above). If your /var partition is to small, you'll see an error similar to the following:

savecore: reboot after panic: from debugger
savecore: no dump, not enough free space on device (231420 available, need 541840)

If this happens, you have to extract the crash dump yourselves. See next Section how to do this.

Extract a crash dump manually

You can use savecore(8) to copy your currently running kernel and the associated crash dump to a particular directory you have to specify (we use /usr/crash here in the example):

# mkdir -p /usr/crash
# chmod 700 /usr/crash
# savecore /usr/crash/
[...]

This will take some time dependent on the speed of your machine. See the man page of savecore(8) for more available options.

Upload the crash dump

If you don't have the ability or skills to debug the crash yourselves, please upload the complete content of your crash directory to somewhere private (e.g., cloud share with a password, your leaf account), and open a detailed bug report. Please tar and compress the crash dump to save disk space and bandwidth.

WARNING: The saved core file (in /var/crash) contains sensitive data, e.g., passwords, certificates, decrypted private keys. Therefore, do not upload it to somewhere that can be publicly accessed!

Debug the crash dump with kgdb

The kgdb(1) utility is a debugger based on gdb(1) that allows debugging of kernel core files.

kgdb extensions

To get some handy helper command execute the following command before starting kgdb:

source /usr/src/test/debug/gdb.kernel

This gives you several new commands like kldstat (displays all loaded modules) or psx (displays all running processes).

Start kgdb as follows:

# cd /usr/crash
# ls -l
-rw-r--r--  1 root  wheel     2B Jan  7 17:07 bounds
-rw-r--r--  1 root  wheel    17M Jan  7 17:08 kernel.0
-rw-------  1 root  wheel   512M Jan  7 17:08 vmcore.0
# kgdb kernel.0 vmcore.0

kgdb(1) will show you the panic message after start. The first thing to do is to obtain a backtrace with the bt command:

Unread portion of the kernel message buffer:





Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xd0686f55
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc02ddb9a
stack pointer           = 0x10:0xcec0fb18
frame pointer           = 0x10:0xcec0fb18
code segment            = base 0x0, limit 0xfffff, type 0x1b
current process         = 50725 (sysctl)
current thread          = pri 6 

panic: from debugger





Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer     = 0x8:0xc03136a4
stack pointer           = 0x10:0xcec0f92c
frame pointer           = 0x10:0xcec0f934
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        # interrupt enabled, IOPL  0
current process         = 50725 (sysctl)
current thread          = pri 6 


panic: from debugger
Uptime: 3h57m22s



dumping to dev #ad/0x20001, blockno 1049088
dump 511 510 509 508 507 506 505 504 503 502 501 500 499 498 
[...]
40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 



GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-dragonfly".
(kgdb) bt
#0  dumpsys () at thread.h:83
#1  0xc01c4e1b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:375
#2  0xc01c4f3c in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:800
#3  0xc0149be5 in db_panic (addr=Could not find the frame base for "db_panic".
) at /usr/src/sys/ddb/db_command.c:447
#4  0xc014a250 in db_command_loop () at /usr/src/sys/ddb/db_command.c:343
#5  0xc014c7bc in db_trap (type#12, code0) at /usr/src/sys/ddb/db_trap.c:71
#6  0xc03137f7 in kdb_trap (type#12, code0, regs=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/db_interface.c:148
#7  0xc032384b in trap_fatal (frame#0xcec0fad0, evaVariable "eva" is not available.
) at /usr/src/sys/platform/pc32/i386/trap.c:1091
#8  0xc03239b0 in trap_pfault (frame#0xcec0fad0, usermode0, eva=3496505173)
    at /usr/src/sys/platform/pc32/i386/trap.c:997
#9  0xc03241a0 in trap (frame=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/trap.c:680
#10 0xc0314506 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:783
#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
#12 0xc02c2153 in sysctl_vm_zone (oidp#0xc03b42a0, arg10x0, arg2=0, req=0xcec0fc08) at /usr/src/sys/vm/vm_zone.c:447
#13 0xc01cf935 in sysctl_root (oidp=Variable "oidp" is not available.
) at /usr/src/sys/kern/kern_sysctl.c:1193
#14 0xc01cfa27 in userland_sysctl (name#0xcec0fc90, namelen2, old=0x0, oldlenp=0xbfbfe8f0, inkernel=0, new=0x0, 
    newlen#0, retval0xcec0fc8c) at /usr/src/sys/kern/kern_sysctl.c:1268
#15 0xc01cfc28 in sys___sysctl (uap=0xcec0fcf0) at /usr/src/sys/kern/kern_sysctl.c:1211
#16 0xc0323ccb in syscall2 (frame=0xcec0fd40) at /usr/src/sys/platform/pc32/i386/trap.c:1339
#17 0xc03145a5 in Xint0x80_syscall () at /usr/src/sys/platform/pc32/i386/exception.s:872
#18 0x08055d38 in ?? ()
#19 0xbfbfe86c in ?? ()
#20 0x0000002f in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0x00000000 in ?? ()
#24 0x00000000 in ?? ()
#25 0x13c4b000 in ?? ()
#26 0x00000001 in ?? ()
#27 0xc03c2bf8 in intr_info_ary ()
#28 0xcec0f8d4 in ?? ()    
#29 0xcec0f8c4 in ?? ()
#30 0xc8076300 in ?? ()
#31 0xc01cac5a in lwkt_preempt (ntd#0x2, critpriCannot access memory at address 0xbfbfe8a4
) at /usr/src/sys/kern/lwkt_thread.c:893
Previous frame inner to this frame (corrupt stack?)

kgdb(1) gives you the ability to look into specific frames, display variable content and obtain the source code (if your kernel was compiled with -g):

(kgdb) f 13
#13 0xc01cf935 in sysctl_root (oidp=Variable "oidp" is not available.
) at /usr/src/sys/kern/kern_sysctl.c:1193
1193                    error = oid->oid_handler(oid, oid->oid_arg1, oid->oid_arg2,
(kgdb) l
1188
1189            if ((oid->oid_kind & CTLTYPE) # CTLTYPE_NODE)
1190                    error = oid->oid_handler(oid, (int *)arg1 + indx, arg2 - indx,
1191                        req);
1192            else
1193                    error = oid->oid_handler(oid, oid->oid_arg1, oid->oid_arg2,
1194                        req);
1195            return (error);
1196    }
1197
(kgdb) p *oid
$1 # {oid_parent  0xc03cbda8, oid_link = {sle_next = 0x0}, oid_number = 283, oid_kind = -2147483645, oid_arg1 = 0x0, 
  oid_arg2 # 0, oid_name  0xc03616ad "zone", oid_handler = 0xc02c20fa <sysctl_vm_zone>, oid_fmt = 0xc036a56f "A", 
  oid_refcnt # 0, oid_descr  0xc036906a "Zone Info"}

Further Information

To get more information about how to use a debugger, look here: