使用objdump分析core堆栈
文章目录
使用c++编程的同学,经常会遇到诸如内存越界、重复释放等内存问题,大家比较习惯的追查这类问题的方式是,打开core文件的limit,生成core文件,用gdb进行分析;
但是,在实际的生产环境中。由于程序本省占用内存非常大,比如搜索的索引服务,进行core的dump不太现实,所以一般采用,在程序中捕获信号,之后打印进程的堆栈信息,再进行追查。
下面本文,就按照这种方式进行追查,首先,分析没有so的程序如何使用objdump与汇编进行分析程序的问题所在;接着分析有so的程序,如何使用objdump进行分析,希望对大家能有所帮助。
普通程序的core分析
源代码
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <execinfo.h>
static void print_stack_fs(int sig, FILE * output)
{
fprintf(output, "--------------------------------------\n");
char pTime[256];
//getSafeNow(pTime, 256);
fprintf(output, "[%s] received signal=%d, thread_id=%ld\n",
"now", sig, getpid());
void *array[128]; // 128 stacks at most
size_t size = backtrace(array, sizeof(array) / sizeof(array[0]));
if (size > 0 && size < 128) {
char ** stackLog = backtrace_symbols(array, size);
if(stackLog) {
for (size_t i = 0; i < size; i++) {
fprintf(output,"%s\n", stackLog[i]);
}
fflush(output);
free(stackLog);
}
}
}
static void sig_handler(int signo)
{
if (signo == SIGSEGV ||
signo == SIGBUS ||
signo == SIGABRT ||
signo == SIGFPE) {
print_stack_fs(signo, stderr);
exit(-1);
}
else if (signo == SIGTERM || signo == SIGINT) {
exit(-1);
}
}
static void sig_register()
{
struct sigaction sigac;
sigemptyset(&sigac.sa_mask);
sigac.sa_handler = sig_handler;
sigac.sa_flags = 0;
sigaction(SIGTERM, &sigac, 0);
sigaction(SIGINT , &sigac, 0);
sigaction(SIGQUIT, &sigac, 0);
sigaction(SIGPIPE, &sigac, 0);
sigaction(SIGBUS , &sigac, 0);
sigaction(SIGABRT, &sigac, 0);
sigaction(SIGFPE , &sigac, 0);
sigaction(SIGSEGV, &sigac, 0);
}
int main(int argc, char *argv[])
{
sig_register();
int a = 10, b = -2, c = 100;
char * pstr = 0x00;
int d = 100;
*pstr = 0x00;
return 0;
}
执行程序
关键地址:0x400add,指向出错的代码的具体的虚拟空间地址
[now] received signal=11, thread_id=1852
./a.out() [0x4008ab]
./a.out() [0x400985]
/lib64/libc.so.6(+0x362f0) [0x7fbc41a3d2f0]
./a.out() [0x400add]
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7fbc41a29445]
./a.out() [0x400769]
使用objdump分析
objdump -d a.out ,分析-0x18(%rbp)的地址是变量pstr的地址,之后将pstr的放置到寄存器rax赋值,之后没有申请内存的空指针进行赋值出core,具体请看下面的汇编代码
321 0000000000400aa1 <main>:
322 400aa1: 55 push %rbp
323 400aa2: 48 89 e5 mov %rsp,%rbp
324 400aa5: 48 83 ec 30 sub $0x30,%rsp
325 400aa9: 89 7d dc mov %edi,-0x24(%rbp)
326 400aac: 48 89 75 d0 mov %rsi,-0x30(%rbp)
327 400ab0: e8 f2 fe ff ff callq 4009a7 <_ZL12sig_registerv>
328 400ab5: c7 45 fc 0a 00 00 00 movl $0xa,-0x4(%rbp) // 变量a
329 400abc: c7 45 f8 fe ff ff ff movl $0xfffffffe,-0x8(%rbp) // 变量b
330 400ac3: c7 45 f4 64 00 00 00 movl $0x64,-0xc(%rbp) // 变量c
331 400aca: 48 c7 45 e8 00 00 00 movq $0x0,-0x18(%rbp) // 变量 pstr
332 400ad1: 00
333 400ad2: c7 45 e4 64 00 00 00 movl $0x64,-0x1c(%rbp) // 变量d
334 400ad9: 48 8b 45 e8 mov -0x18(%rbp),%rax // 将变量pstr放到rax寄存器
335 400add: c6 00 00 movb $0x0,(%rax) // 对pstr赋值,也就是对空指针赋值,找到问题
336 400ae0: b8 00 00 00 00 mov $0x0,%eax
337 400ae5: c9 leaveq
338 400ae6: c3 retq
339 400ae7: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
core在so里面的objdump分析
源代码
- max.h
#ifndef __MAX_H__
#define __MAX_H__
int max(int n1, int n2, int n3);
#endif
- max.cpp
#include "max.h"
int max(int n1, int n2, int n3)
{
int max_num = n1;
max_num = max_num < n2? n2: max_num;
max_num = max_num < n3? n3: max_num;
char * pstr = 0x00;
*pstr = 0x00;
return max_num;
}
- test.cpp
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <execinfo.h>
#include "max.h"
static void print_stack_fs(int sig, FILE * output)
{
fprintf(output, "--------------------------------------\n");
char pTime[256];
//getSafeNow(pTime, 256);
fprintf(output, "[%s] received signal=%d, thread_id=%ld\n",
"now", sig, getpid());
void *array[128]; // 128 stacks at most
size_t size = backtrace(array, sizeof(array) / sizeof(array[0]));
if (size > 0 && size < 128) {
char ** stackLog = backtrace_symbols(array, size);
if(stackLog) {
for (size_t i = 0; i < size; i++) {
fprintf(output,"%s\n", stackLog[i]);
}
fflush(output);
free(stackLog);
}
}
}
static void sig_handler(int signo)
{
if (signo == SIGSEGV ||
signo == SIGBUS ||
signo == SIGABRT ||
signo == SIGFPE) {
print_stack_fs(signo, stderr);
exit(-1);
}
else if (signo == SIGTERM || signo == SIGINT) {
exit(-1);
}
}
static void sig_register()
{
struct sigaction sigac;
sigemptyset(&sigac.sa_mask);
sigac.sa_handler = sig_handler;
sigac.sa_flags = 0;
sigaction(SIGTERM, &sigac, 0);
sigaction(SIGINT , &sigac, 0);
sigaction(SIGQUIT, &sigac, 0);
sigaction(SIGPIPE, &sigac, 0);
sigaction(SIGBUS , &sigac, 0);
sigaction(SIGABRT, &sigac, 0);
sigaction(SIGFPE , &sigac, 0);
sigaction(SIGSEGV, &sigac, 0);
}
int main(int argc, char *argv[])
{
sig_register();
int a = 10, b = -2, c = 100;
int d = 100;
printf("max among 10, -2 and 100 is %d.\n", max(a, b, c));
return 0;
}
运行程序
关键地址:./libmax.so(_Z3maxiii+0x45) [0x7fb914d6868a]
[now] received signal=11, thread_id=1893
./a.out() [0x4009fb]
./a.out() [0x400ad5]
/lib64/libc.so.6(+0x362f0) [0x7fb9141b12f0]
./libmax.so(_Z3maxiii+0x45) [0x7fb914d6868a]
./a.out() [0x400c33]
/lib64/libc.so.6(__libc_start_main+0xf5) [0x7fb91419d445]
./a.out() [0x4008b9]
objdump
针对so进行反编译,运行 objdump -d libmax.so,然后找搭配_Z3maxiii,地址是645,然后+上0x45,得到地址 68A
汇编代码:movq $0x0,-0x10(%rbp) 定义pstr,68A的地址同样是对未申请内存的地址进行赋值出错。
106 0000000000000645 <_Z3maxiii>:
107 645: 55 push %rbp
108 646: 48 89 e5 mov %rsp,%rbp
109 649: 89 7d ec mov %edi,-0x14(%rbp) // 参数1
110 64c: 89 75 e8 mov %esi,-0x18(%rbp) // 参数2
111 64f: 89 55 e4 mov %edx,-0x1c(%rbp) // 参数3
112 652: 8b 45 ec mov -0x14(%rbp),%eax
113 655: 89 45 fc mov %eax,-0x4(%rbp)
114 658: 8b 45 fc mov -0x4(%rbp),%eax
115 65b: 3b 45 e8 cmp -0x18(%rbp),%eax
116 65e: 7d 05 jge 665 <_Z3maxiii+0x20>
117 660: 8b 45 e8 mov -0x18(%rbp),%eax
118 663: eb 03 jmp 668 <_Z3maxiii+0x23>
119 665: 8b 45 fc mov -0x4(%rbp),%eax
120 668: 89 45 fc mov %eax,-0x4(%rbp)
121 66b: 8b 45 fc mov -0x4(%rbp),%eax
122 66e: 3b 45 e4 cmp -0x1c(%rbp),%eax
123 671: 7d 05 jge 678 <_Z3maxiii+0x33>
124 673: 8b 45 e4 mov -0x1c(%rbp),%eax
125 676: eb 03 jmp 67b <_Z3maxiii+0x36>
126 678: 8b 45 fc mov -0x4(%rbp),%eax
127 67b: 89 45 fc mov %eax,-0x4(%rbp)
128 67e: 48 c7 45 f0 00 00 00 movq $0x0,-0x10(%rbp) // pstr
129 685: 00
130 686: 48 8b 45 f0 mov -0x10(%rbp),%rax
131 68a: c6 00 00 movb $0x0,(%rax) // 对pstr赋值0,这个就是问题所在了
132 68d: 8b 45 fc mov -0x4(%rbp),%eax
133 690: 5d pop %rbp
使用addr2line定位问题的行数
[dubaokun@localhost so]$ addr2line -e libmax.so -ifC 68a
max(int, int, int)
/home/dubaokun/github/code/engine_code/compile/objdump/so/max.cpp:9 (discriminator 3)
总结
以上的程序较为简单,实际工作中的程序较为复杂,但是复杂都是由基础而来的,大家可以认真思考、仔细研究,对于汇编代码要有一定的理解。