crash> help dis
NAME
dis - disassemble
SYNOPSIS
dis [-rludx][-b [num]] [address | symbol | (expression)] [count]
DESCRIPTION
This command disassembles source code instructions starting (or ending) at
a text address that may be expressed by value, symbol or expression:
/*-r:reverse
*-l:displays source code line number data
**/
-r (reverse) displays all instructions from the start of the
routine up to and including the designated address.
-l displays source code line number data in addition to the
disassembly output.
-u address is a user virtual address in the current context;
otherwise the address is assumed to be a kernel virtual address.
If this option is used, then -r and -l are ignored.
/*-x/d:output format
**/
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-b [num] modify the pre-calculated number of encoded bytes to skip after
a kernel BUG ("ud2a") instruction; with no argument, displays
the current number of bytes being skipped. (x86 and x86_64 only)
/* Where to start disassembling:
 * address, symbol or (expression).
 */
address starting hexadecimal text address.
symbol symbol of starting text address. On ppc64, the symbol
preceded by '.' is used.
(expression) expression evaluating to a starting text address.
/*count: the number of instructions to be disassembled (default is 1)*/
count the number of instructions to be disassembled (default is 1).
If no count argument is entered, and the starting address
is entered as a text symbol, then the whole routine will be
disassembled. The count argument is ignored when used with
the -r option.
EXAMPLES
Disassemble the sys_signal() routine without, and then with, line numbers:
crash> dis run_init_process
0xc000863c <run_init_process>: mov r12, sp
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
0xc0008650 <run_init_process+20>: str r0, [r2], #136 ; 0x88
0xc0008654 <run_init_process+24>: bl 0xc0011a40 <kernel_execve>
0xc0008658 <run_init_process+28>: ldm sp, {r11, sp, pc}
crash> dis -l run_init_process
0xc000863c <run_init_process>: mov r12, sp
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 794
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
0xc0008650 <run_init_process+20>: str r0, [r2], #136 ; 0x88
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 795
0xc0008654 <run_init_process+24>: bl 0xc0011a40 <kernel_execve>
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 796
0xc0008658 <run_init_process+28>: ldm sp, {r11, sp, pc}
Given a return address expression of "run_init_process+16", find out the
function that run_init_process calls by using the reverse flag:
crash> dis -r (run_init_process+16)
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
Disassemble 10 instructions starting at user virtual address 0x81ec624:
crash> dis -u 81ec624 10
0x81ec624: push %ebp
0x81ec625: mov %esp,%ebp
0x81ec627: sub $0x18,%esp
0x81ec62a: movl $0x1,0x8(%ebp)
0x81ec631: mov 0x82f9040,%eax
0x81ec636: mov 0x10(%eax),%edx
0x81ec639: and $0x100,%edx
0x81ec63f: mov 0x14(%eax),%ecx
0x81ec642: and $0x0,%ecx
0x81ec645: mov %ecx,%eax
Override the current decimal output radix format:
crash> dis sys_read 10 -x
0xffffffff8001178f <sys_read>: push %r13
0xffffffff80011791 <sys_read+0x2>: mov %rsi,%r13
0xffffffff80011794 <sys_read+0x5>: push %r12
0xffffffff80011796 <sys_read+0x7>: mov $0xfffffffffffffff7,%r12
0xffffffff8001179d <sys_read+0xe>: push %rbp
0xffffffff8001179e <sys_read+0xf>: mov %rdx,%rbp
0xffffffff800117a1 <sys_read+0x12>: push %rbx
0xffffffff800117a2 <sys_read+0x13>: sub $0x18,%rsp
0xffffffff800117a6 <sys_read+0x17>: lea 0x14(%rsp),%rsi
0xffffffff800117ab <sys_read+0x1c>: callq 0xffffffff8000b5b4 <fget_light>
crash>
NAME
dis - disassemble
SYNOPSIS
dis [-rludx][-b [num]] [address | symbol | (expression)] [count]
DESCRIPTION
This command disassembles source code instructions starting (or ending) at
a text address that may be expressed by value, symbol or expression:
/*-r:reverse
*-l:displays source code line number data
**/
-r (reverse) displays all instructions from the start of the
routine up to and including the designated address.
-l displays source code line number data in addition to the
disassembly output.
-u address is a user virtual address in the current context;
otherwise the address is assumed to be a kernel virtual address.
If this option is used, then -r and -l are ignored.
/*-x/d:output format
**/
-x override default output format with hexadecimal format.
-d override default output format with decimal format.
-b [num] modify the pre-calculated number of encoded bytes to skip after
a kernel BUG ("ud2a") instruction; with no argument, displays
the current number of bytes being skipped. (x86 and x86_64 only)
/* Where to start disassembling:
 * address, symbol or (expression).
 */
address starting hexadecimal text address.
symbol symbol of starting text address. On ppc64, the symbol
preceded by '.' is used.
(expression) expression evaluating to a starting text address.
/*count: the number of instructions to be disassembled (default is 1)*/
count the number of instructions to be disassembled (default is 1).
If no count argument is entered, and the starting address
is entered as a text symbol, then the whole routine will be
disassembled. The count argument is ignored when used with
the -r option.
EXAMPLES
Disassemble the sys_signal() routine without, and then with, line numbers:
crash> dis run_init_process
0xc000863c <run_init_process>: mov r12, sp
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
0xc0008650 <run_init_process+20>: str r0, [r2], #136 ; 0x88
0xc0008654 <run_init_process+24>: bl 0xc0011a40 <kernel_execve>
0xc0008658 <run_init_process+28>: ldm sp, {r11, sp, pc}
crash> dis -l run_init_process
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 793
0xc000863c <run_init_process>: mov r12, sp
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 794
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
0xc0008650 <run_init_process+20>: str r0, [r2], #136 ; 0x88
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 795
0xc0008654 <run_init_process+24>: bl 0xc0011a40 <kernel_execve>
/home/wenshuai/code/3.4kernel/linux_kernel/init/main.c: 796
0xc0008658 <run_init_process+28>: ldm sp, {r11, sp, pc}
Given a return address expression of "run_init_process+16", find out the
function that run_init_process calls by using the reverse flag:
crash> dis -r (run_init_process+16)
0xc000863c <run_init_process>: mov r12, sp
0xc0008640 <run_init_process+4>: push {r11, r12, lr, pc}
0xc0008644 <run_init_process+8>: sub r11, r12, #4
0xc0008648 <run_init_process+12>: ldr r1, [pc, #12] ; 0xc000865c <run_init_process+32>
0xc000864c <run_init_process+16>: mov r2, r1
Disassemble 10 instructions starting at user virtual address 0x81ec624:
crash> dis -u 81ec624 10
0x81ec624: push %ebp
0x81ec625: mov %esp,%ebp
0x81ec627: sub $0x18,%esp
0x81ec62a: movl $0x1,0x8(%ebp)
0x81ec631: mov 0x82f9040,%eax
0x81ec636: mov 0x10(%eax),%edx
0x81ec639: and $0x100,%edx
0x81ec63f: mov 0x14(%eax),%ecx
0x81ec642: and $0x0,%ecx
0x81ec645: mov %ecx,%eax
Override the current decimal output radix format:
crash> dis sys_read 10 -x
0xffffffff8001178f <sys_read>: push %r13
0xffffffff80011791 <sys_read+0x2>: mov %rsi,%r13
0xffffffff80011794 <sys_read+0x5>: push %r12
0xffffffff80011796 <sys_read+0x7>: mov $0xfffffffffffffff7,%r12
0xffffffff8001179d <sys_read+0xe>: push %rbp
0xffffffff8001179e <sys_read+0xf>: mov %rdx,%rbp
0xffffffff800117a1 <sys_read+0x12>: push %rbx
0xffffffff800117a2 <sys_read+0x13>: sub $0x18,%rsp
0xffffffff800117a6 <sys_read+0x17>: lea 0x14(%rsp),%rsi
0xffffffff800117ab <sys_read+0x1c>: callq 0xffffffff8000b5b4 <fget_light>
crash>