Common commands
1. Load an image
B::d.load.Binary *.bin address
2. Load the symbol table
B::Data.LOAD.Elf *.elf /nocode
3. Load a cmm file
B::CD.DO *.cmm
4. Display values in hexadecimal
B::Setup.var %hex
5. View a task's stack information
B::frame /task address /Locals
6. View a structure
B::v.v (struct task_struct *)address
7. View a variable
B::var.view crash_buf
8. Save memory contents to a file
B::data.save.Binary bl2_log.bin 0x43560000++0x1000
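Case studies
The analysis is based on a qcom platform: when the system triggers a ramdump, export the dump files and parse them with the ramdump_parser tool, which requires the vmlinux of the matching version.
Deadlock analysis
1. Check the parsed output file tasks.txt; several tasks turn out to be waiting to acquire the mutex_lock
2. Locate the owner of the mutex_lock
a. Double-click launch_t32.bat to start the T32 Simulator
b. Switch to hexadecimal display: setup.var %hex
c. View the stack of the given task: frame /task 0xFFFFFF80BB53DA00 /Locals
d. View the owner of the mutex lock
3. View the stack of the mutex_lock owner
a. frame /task 0xFFFFFF80B5621E00
Conclusion: the android.hardwar process holds the lock. You can also search tasks.txt for 0xFFFFFF80B5621E00 to find the task holding the lock.
Crash in a third-party bin
If the third-party bin resides in the DDR region, use dd to carve it out of the dump, then analyze it together with its corresponding elf file.
Assume bl31.bin is located at DDR address 0x9000_0000 with a size of 2MB, and DDR starts at 0x8000_0000. The offset into the dump is 0x1000_0000, which is 262144 blocks of 1024 bytes, and 2MB is 2048 blocks, so bl31.bin is carved out with:
dd if=ddr.bin of=/mnt/bl31.bin bs=1024 skip=262144 count=2048
If the third-party bin lives in its own block of topram (at address 0x3300_0000), the ramdump saves the contents of that topram to a separate file, for example dsp.bin.
Building dsp.bin also produces the corresponding elf file, dsp.elf.
Double-click launch_t32.bat to start the T32 Simulator
1. Load the bin: d.load.Binary dsp.bin 0x33000000
2. Load the elf: Data.LOAD.Elf dsp.elf /nocode
3. Display in hexadecimal: setup.var %hex
4. View a global variable of the adsp core: var.view crash_buf
5. View the code at the pc: List.auto 0x3301a8c8
Restoring stack information
During an emmc stress test, the following general-purpose register values were printed: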
[ 153.889297] Unable to handle kernel write to read-only memory at virtual address ffffffc0102f3edc
[ 153.898191] Mem abort info:
[ 153.900986] ESR = 0x9600004e
[ 153.904043] EC = 0x25: DABT (current EL), IL = 32 bits
[ 153.904943] init: Untracked pid 5573 exited with status 0
[ 153.909354] SET = 0, FnV = 0
[ 153.909356] EA = 0, S1PTW = 0
[ 153.909357] Data abort info:
[ 153.909359] ISV = 0, ISS = 0x0000004e
[ 153.909362] CM = 0, WnR = 1
[ 153.909366] swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000c218a000
[ 153.909369] [ffffffc0102f3edc] pgd=00000001fffff003, pud=00000001fffff003, pmd=00400000c0200791
[ 153.909379] Internal error: Oops: 9600004e [#1] PREEMPT SMP
[ 153.909417] CPU: 2 PID: 5536 Comm: ghr Tainted: G
[ 153.909419] Hardware name:
[ 153.909423] pstate: 60400089 (nZCv daIf +PAN -UAO)
[ 153.909440] pc : mmc_release_host+0x5c/0xbc
[ 153.909444] lr : mmc_release_host+0x28/0xbc
[ 153.909446] sp : ffffffc02b1a3b30
[ 153.909448] x29: ffffffc02b1a3b30 x28: ffffffc011378980
[ 153.909452] x27: 0000000000000001 x26: ffffff816d815628
[ 153.909456] x25: 0000000000000400 x24: 0000000000000200
[ 153.909460] x23: 0000000000000400 x22: ffffffc011bb289e
[ 153.909464] x21: ffffff80af60b600 x20: ffffff81714ea5e0
[ 153.909468] x19: ffffff81714ea000 x18: ffffffc02db05070
[ 153.909471] x17: 0000000000000038 x16: ffffffc01133a3d0
[ 153.909475] x15: ffffffc01200f487 x14: 0000000000000066
[ 153.909478] x13: ffffffc02b1a39e0 x12: 0000000000000001
[ 153.909482] x11: 8d24cb314076ad00 x10: ffffff80a134b780
[ 153.909485] x9 : ffffffc0102f3edc x8 : 0000000000000008
[ 153.909489] x7 : 0000000000000000 x6 : ffffffc010cf60a8
[ 153.909492] x5 : 0000000000000000 x4 : 0000000000000080
[ 153.909496] x3 : 0000000000000000 x2 : 0000000000000001
[ 153.909499] x1 : 0000000000000000 x0 : ffffff81714ea5e0
[ 153.909504] Call trace:
[ 153.909508] mmc_release_host+0x5c/0xbc
[ 153.909511] mmc_put_card+0x2c/0x5c
[ 153.909521] hr_show+0x194/0x1f4
[ 153.909528] dev_attr_show+0x48/0xa8
[ 153.909538] sysfs_kf_seq_show+0xe8/0x17c
[ 153.909545] kernfs_seq_show+0x48/0x84
[ 154.003791] seq_read+0x1cc/0x5bc
[ 154.062179] kernfs_fop_read+0x68/0x1fc
[ 154.062184] __vfs_read+0x60/0x204
[ 154.062187] vfs_read+0xbc/0x15c
[ 154.062190] ksys_read+0x78/0xe4
[ 154.062193] __arm64_sys_read+0x1c/0x28
[ 154.062200] el0_svc_common+0xb8/0x1bc
[ 154.062203] el0_svc_handler+0x74/0x98
[ 154.062208] el0_svc+0x8/0xc
[ 154.062218] Code: f9439669 aa1403e0 121e7908 790c7a68 (f900013f)
[ 154.062222] ---[ end trace ef0af08cc7db63cf ]---
[ 154.062227] Kernel panic - not syncing: Fatal exception
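1. Create a file named stack_info.cmm with the following contents:
; the oops prints pc/lr as symbol+offset/size; only symbol+offset is passed to r.set
r.set pc mmc_release_host+0x5c
r.set lr mmc_release_host+0x28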
r.set sp 0xffffffc02b1a3b30
r.set x29 0xffffffc02b1a3b30
r.set x27 0x0000000000000001
r.set x25 0x0000000000000400
r.set x23 0x0000000000000400
r.set x21 0xffffff80af60b600
r.set x19 0xffffff81714ea000
r.set x17 0x0000000000000038
r.set x15 0xffffffc01200f487
r.set x13 0xffffffc02b1a39e0
r.set x11 0x8d24cb314076ad00
r.set x9 0xffffffc0102f3edc
r.set x7 0x0000000000000000
r.set x5 0x0000000000000000
r.set x3 0x0000000000000000
r.set x1 0x0000000000000000
r.set x28 0xffffffc011378980
r.set x26 0xffffff816d815628
r.set x24 0x0000000000000200
r.set x22 0xffffffc011bb289e
r.set x20 0xffffff81714ea5e0
r.set x18 0xffffffc02db05070
r.set x16 0xffffffc01133a3d0
r.set x14 0x0000000000000066
r.set x12 0x0000000000000001
r.set x10 0xffffff80a134b780
r.set x8 0x0000000000000008
r.set x6 0xffffffc010cf60a8
r.set x4 0x0000000000000080
r.set x2 0x0000000000000001
r.set x0 0xffffff81714ea5e0
2. Load stack_info.cmm into T32: B:: CD.DO stack_info.cmm
3. Display the current stack: B:: frame /Locals
4. Analyze the root cause based on the current stack information
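Writing stack_info.cmm by hand is error-prone, so the following added example (not part of the original notes) generates the r.set lines from an arm64 oops log like the one above. The function name oops_to_cmm and the embedded sample are assumptions made for illustration; the register names follow the ones used in stack_info.cmm.

```python
import re

# Constructed sample: a few lines in the same format as the oops shown above.
SAMPLE_OOPS = """\
[ 153.909440] pc : mmc_release_host+0x5c/0xbc
[ 153.909444] lr : mmc_release_host+0x28/0xbc
[ 153.909446] sp : ffffffc02b1a3b30
[ 153.909448] x29: ffffffc02b1a3b30 x28: ffffffc011378980
[ 153.904943] init: Untracked pid 5573 exited with status 0
[ 153.909485] x9 : ffffffc0102f3edc x8 : 0000000000000008
[ 153.909499] x1 : 0000000000000000 x0 : ffffff81714ea5e0
[ 153.909504] Call trace:
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# pc/lr are printed as symbol+offset/size; keep symbol+offset and drop the size.
SYMBOLIC = re.compile(r"^(pc|lr)\s*:\s*([A-Za-z_][\w.]*\+0x[0-9a-fA-F]+)/0x[0-9a-fA-F]+")
# Registers printed as 16 hex digits, one or two per line ("x9 : ..." or "x29: ...").
NUMERIC = re.compile(r"\b(pc|lr|sp|x\d{1,2})\s*:\s*([0-9a-fA-F]{16})\b")

def oops_to_cmm(log_text):
    """Return T32 'r.set' lines for every register found in an arm64 oops.

    Only text matching the patterns above (hex digits, symbol characters) is
    copied into the script, so unrelated or malformed log lines are ignored.
    """
    regs = {}
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        m = SYMBOLIC.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        for name, value in NUMERIC.findall(line):
            regs[name] = "0x" + value.lower()

    def order(name):
        fixed = {"pc": 0, "lr": 1, "sp": 2}
        return fixed[name] if name in fixed else 3 + int(name[1:])

    return ["r.set %s %s" % (n, regs[n]) for n in sorted(regs, key=order)]

if __name__ == "__main__":
    print("\n".join(oops_to_cmm(SAMPLE_OOPS)))
```

Redirect the printed lines into stack_info.cmm and load it with CD.DO as in step 2.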