gdb定位coredump文件实战——非法访问内存

一 代码

#include <stdio.h>
int main(){
    int b=1;
    int* a;
    a=NULL;
    *a=b;
    return 0;
}

二 编译并运行

# 编译
[root@localhost charpter05]# g++ -g -o test 0505.cpp
# 查看core存放目录
[root@localhost charpter05]# cat /proc/sys/kernel/core_pattern
/data/coredump/core.%e.%p
# 创建core目录
[root@localhost charpter05]# mkdir -p /data/coredump
# 执行程序
[root@localhost charpter05]# ./test
Segmentation fault (core dumped)
# 将core文件拷贝到程序所在目录以便于分析
[root@localhost charpter05]# cp /data/coredump/core.test.1223 core.test.1223

三 core分析

1 分析该coredump文件的ELF头部

[root@localhost charpter05]# readelf -h core.test.1223
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              CORE (Core file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         31
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0

可以看到文件类型是CORE类型，表示这是core-dump文件

2 查看core文件中是否有符号表信息

[root@localhost charpter05]# objdump -x core.test.1223 | tail
40 load28        00021000  00007ffcdaeb7000  0000000000000000  00040000  2**12
                  CONTENTS, ALLOC, LOAD
41 load29        00002000  00007ffcdaf8e000  0000000000000000  00061000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
42 load30        00001000  ffffffffff600000  0000000000000000  00063000  2**12
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
SYMBOL TABLE:
no symbols

从结果可知，core文件中没有符号表，无法进行调试，所以调试时要带上可执行程序，它主要是用来提供符号表信息。

3 调试core文件

[root@localhost charpter05]# gdb test core.test.1223
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7_4.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/omc++/charpter05/test...done.
[New LWP 1223]
Core was generated by `./test'.
Program terminated with signal 11, Segmentation fault.
#0  0x00000000004005c7 in main () at 0505.cpp:6
6        *a=b;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-196.el7_4.2.x86_64 libgcc-4.8.5-16.el7_4.1.x86_64 libstdc++-4.8.5-16.el7_4.1.x86_64
(gdb)

使用GDB，先从可执行文件中读符号表，然后读取core文件。

结果显示在程序的第6行 ，*a=b;有问题。

分别打印变量a和b的值

(gdb) p b
$1 = 1
(gdb) p a
$2 = (int *) 0x0

发现a变量指向地址是非法地址，也就是因为a没有分配内存导致。

第6行应该修改为：a=&b,这样a就指向b了。