使用objdump分析core堆栈

使用objdump分析core堆栈

使用c++编程的同学，经常会遇到诸如内存越界、重复释放等内存问题，大家比较习惯的追查这类问题的方式是，打开core文件的limit，生成core文件，用gdb进行分析；
但是，在实际的生产环境中。由于程序本省占用内存非常大，比如搜索的索引服务，进行core的dump不太现实，所以一般采用，在程序中捕获信号，之后打印进程的堆栈信息，再进行追查。
下面本文，就按照这种方式进行追查，首先，分析没有so的程序如何使用objdump与汇编进行分析程序的问题所在；接着分析有so的程序，如何使用objdump进行分析，希望对大家能有所帮助。

普通程序的core分析

源代码

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <execinfo.h>

static void print_stack_fs(int sig, FILE * output)
{
    fprintf(output, "--------------------------------------\n");

	char pTime[256];
	//getSafeNow(pTime, 256);
    fprintf(output, "[%s] received signal=%d, thread_id=%ld\n",
		   	"now", sig, getpid());

    void *array[128]; // 128 stacks at most
    size_t size = backtrace(array, sizeof(array) / sizeof(array[0]));
    if (size > 0 && size < 128) {
        char ** stackLog = backtrace_symbols(array, size);
        if(stackLog) {
            for (size_t i = 0; i < size; i++) {
                fprintf(output,"%s\n", stackLog[i]);
            }
            fflush(output);
            free(stackLog);
        }
    }
}

static void sig_handler(int signo)
{
	if (signo == SIGSEGV ||
        signo == SIGBUS  ||
        signo == SIGABRT ||
        signo == SIGFPE) {

        print_stack_fs(signo, stderr);

		exit(-1);
	}
	else if (signo == SIGTERM || signo == SIGINT) {
		exit(-1);
    }
}

static void sig_register()
{
    struct sigaction sigac;
    sigemptyset(&sigac.sa_mask);
    sigac.sa_handler = sig_handler;
    sigac.sa_flags = 0;

    sigaction(SIGTERM, &sigac, 0);
    sigaction(SIGINT , &sigac, 0);
    sigaction(SIGQUIT, &sigac, 0);
    sigaction(SIGPIPE, &sigac, 0);
    sigaction(SIGBUS , &sigac, 0);
    sigaction(SIGABRT, &sigac, 0);
    sigaction(SIGFPE , &sigac, 0);
    sigaction(SIGSEGV, &sigac, 0);
}



int main(int argc, char *argv[])
{
sig_register();
    int a = 10, b = -2, c = 100;
    char * pstr = 0x00;
    int d = 100;
    *pstr = 0x00;
    return 0;
}

执行程序

关键地址：0x400add，指向出错的代码的具体的虚拟空间地址

[now] received signal=11, thread_id=1852
./a.out() [0x4008ab]
./a.out() [0x400985]
/lib64/libc.so.6(+0x362f0) [0x7fbc41a3d2f0]
./a.out() [0x400add]
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7fbc41a29445]
./a.out() [0x400769]

使用objdump分析

objdump -d a.out ，分析-0x18(%rbp)的地址是变量pstr的地址，之后将pstr的放置到寄存器rax赋值，之后没有申请内存的空指针进行赋值出core，具体请看下面的汇编代码

321 0000000000400aa1 <main>:
322   400aa1:   55                      push   %rbp
323   400aa2:   48 89 e5                mov    %rsp,%rbp
324   400aa5:   48 83 ec 30             sub    $0x30,%rsp
325   400aa9:   89 7d dc                mov    %edi,-0x24(%rbp)
326   400aac:   48 89 75 d0             mov    %rsi,-0x30(%rbp)
327   400ab0:   e8 f2 fe ff ff          callq  4009a7 <_ZL12sig_registerv>
328   400ab5:   c7 45 fc 0a 00 00 00    movl   $0xa,-0x4(%rbp)					// 变量a
329   400abc:   c7 45 f8 fe ff ff ff    movl   $0xfffffffe,-0x8(%rbp)					// 变量b
330   400ac3:   c7 45 f4 64 00 00 00    movl   $0x64,-0xc(%rbp)				// 变量c
331   400aca:   48 c7 45 e8 00 00 00    movq   $0x0,-0x18(%rbp)				// 变量 pstr
332   400ad1:   00
333   400ad2:   c7 45 e4 64 00 00 00    movl   $0x64,-0x1c(%rbp)			// 变量d
334   400ad9:   48 8b 45 e8             mov    -0x18(%rbp),%rax					// 将变量pstr放到rax寄存器
335   400add:   c6 00 00                movb   $0x0,(%rax)								// 对pstr赋值，也就是对空指针赋值，找到问题
336   400ae0:   b8 00 00 00 00          mov    $0x0,%eax
337   400ae5:   c9                      leaveq
338   400ae6:   c3                      retq
339   400ae7:   66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)

core在so里面的objdump分析

源代码

1. max.h

#ifndef __MAX_H__
#define __MAX_H__

int max(int n1, int n2, int n3);

#endif

2. max.cpp

#include "max.h"

int max(int n1, int n2, int n3)
{
    int max_num = n1;
    max_num = max_num < n2? n2: max_num;
    max_num = max_num < n3? n3: max_num;
    char * pstr = 0x00;
    *pstr = 0x00;
    return max_num;
}

3. test.cpp

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <execinfo.h>
#include "max.h"

static void print_stack_fs(int sig, FILE * output)
{
    fprintf(output, "--------------------------------------\n");

	char pTime[256];
	//getSafeNow(pTime, 256);
    fprintf(output, "[%s] received signal=%d, thread_id=%ld\n",
		   	"now", sig, getpid());

    void *array[128]; // 128 stacks at most
    size_t size = backtrace(array, sizeof(array) / sizeof(array[0]));
    if (size > 0 && size < 128) {
        char ** stackLog = backtrace_symbols(array, size);
        if(stackLog) {
            for (size_t i = 0; i < size; i++) {
                fprintf(output,"%s\n", stackLog[i]);
            }
            fflush(output);
            free(stackLog);
        }
    }
}

static void sig_handler(int signo)
{
	if (signo == SIGSEGV ||
        signo == SIGBUS  ||
        signo == SIGABRT ||
        signo == SIGFPE) {

        print_stack_fs(signo, stderr);

		exit(-1);
	}
	else if (signo == SIGTERM || signo == SIGINT) {
		exit(-1);
    }
}

static void sig_register()
{
    struct sigaction sigac;
    sigemptyset(&sigac.sa_mask);
    sigac.sa_handler = sig_handler;
    sigac.sa_flags = 0;

    sigaction(SIGTERM, &sigac, 0);
    sigaction(SIGINT , &sigac, 0);
    sigaction(SIGQUIT, &sigac, 0);
    sigaction(SIGPIPE, &sigac, 0);
    sigaction(SIGBUS , &sigac, 0);
    sigaction(SIGABRT, &sigac, 0);
    sigaction(SIGFPE , &sigac, 0);
    sigaction(SIGSEGV, &sigac, 0);
}



int main(int argc, char *argv[])
{
	sig_register();
    int a = 10, b = -2, c = 100;
    int d = 100;
    printf("max among 10, -2 and 100 is %d.\n", max(a, b, c));
    return 0;
}

运行程序

关键地址：./libmax.so(_Z3maxiii+0x45) [0x7fb914d6868a]

[now] received signal=11, thread_id=1893
./a.out() [0x4009fb]
./a.out() [0x400ad5]
/lib64/libc.so.6(+0x362f0) [0x7fb9141b12f0]
./libmax.so(_Z3maxiii+0x45) [0x7fb914d6868a]
./a.out() [0x400c33]
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7fb91419d445]
./a.out() [0x4008b9]

objdump

针对so进行反编译，运行 objdump -d libmax.so，然后找搭配_Z3maxiii，地址是645，然后+上0x45，得到地址 68A
汇编代码：movq $0x0,-0x10(%rbp) 定义pstr，68A的地址同样是对未申请内存的地址进行赋值出错。

106 0000000000000645 <_Z3maxiii>:
107  645:   55                      push   %rbp
108  646:   48 89 e5                mov    %rsp,%rbp
109  649:   89 7d ec                mov    %edi,-0x14(%rbp)				// 参数1
110  64c:   89 75 e8                mov    %esi,-0x18(%rbp)				// 参数2
111  64f:   89 55 e4                mov    %edx,-0x1c(%rbp)				// 参数3
112  652:   8b 45 ec                mov    -0x14(%rbp),%eax
113  655:   89 45 fc                mov    %eax,-0x4(%rbp)
114  658:   8b 45 fc                mov    -0x4(%rbp),%eax
115  65b:   3b 45 e8                cmp    -0x18(%rbp),%eax
116  65e:   7d 05                   jge    665 <_Z3maxiii+0x20>
117  660:   8b 45 e8                mov    -0x18(%rbp),%eax
118  663:   eb 03                   jmp    668 <_Z3maxiii+0x23>
119  665:   8b 45 fc                mov    -0x4(%rbp),%eax
120  668:   89 45 fc                mov    %eax,-0x4(%rbp)
121  66b:   8b 45 fc                mov    -0x4(%rbp),%eax
122  66e:   3b 45 e4                cmp    -0x1c(%rbp),%eax
123  671:   7d 05                   jge    678 <_Z3maxiii+0x33>
124  673:   8b 45 e4                mov    -0x1c(%rbp),%eax
125  676:   eb 03                   jmp    67b <_Z3maxiii+0x36>
126  678:   8b 45 fc                mov    -0x4(%rbp),%eax
127  67b:   89 45 fc                mov    %eax,-0x4(%rbp)
128  67e:   48 c7 45 f0 00 00 00    movq   $0x0,-0x10(%rbp)				// pstr
129  685:   00
130  686:   48 8b 45 f0             mov    -0x10(%rbp),%rax
131  68a:   c6 00 00                movb   $0x0,(%rax)			// 对pstr赋值0，这个就是问题所在了
132  68d:   8b 45 fc                mov    -0x4(%rbp),%eax
133  690:   5d                      pop    %rbp

使用addr2line定位问题的行数

[dubaokun@localhost so]$ addr2line -e libmax.so -ifC 68a
max(int, int, int)
/home/dubaokun/github/code/engine_code/compile/objdump/so/max.cpp:9 (discriminator 3)

总结

以上的程序较为简单，实际工作中的程序较为复杂，但是复杂都是由基础而来的，大家可以认真思考、仔细研究，对于汇编代码要有一定的理解。