| ============================================= |
| Debugging on Linux for s/390 & z/Architecture |
| ============================================= |
| |
| Denis Joseph Barrow (djbarrow@de.ibm.com,barrow_dj@yahoo.com) |
| |
| Copyright (C) 2000-2001 IBM Deutschland Entwicklung GmbH, IBM Corporation |
| |
| .. Best viewed with fixed width fonts |
| |
| Overview of Document: |
| ===================== |
| This document is intended to give a good overview of how to debug Linux for |
| s/390 and z/Architecture. It is not intended as a complete reference and not a |
| tutorial on the fundamentals of C & assembly. It doesn't go into |
| 390 IO in any detail. It is intended to complement the documents in the |
| reference section below & any other worthwhile references you get. |
| |
| It is intended like the Enterprise Systems Architecture/390 Reference Summary |
| to be printed out & used as a quick cheat sheet self help style reference when |
| problems occur. |
| |
| .. Contents |
| ======== |
| Register Set |
| Address Spaces on Intel Linux |
| Address Spaces on Linux for s/390 & z/Architecture |
| The Linux for s/390 & z/Architecture Kernel Task Structure |
| Register Usage & Stackframes on Linux for s/390 & z/Architecture |
| A sample program with comments |
| Compiling programs for debugging on Linux for s/390 & z/Architecture |
| Debugging under VM |
| s/390 & z/Architecture IO Overview |
| Debugging IO on s/390 & z/Architecture under VM |
| GDB on s/390 & z/Architecture |
| Stack chaining in gdb by hand |
| Examining core dumps |
| ldd |
| Debugging modules |
| The proc file system |
| SysRq |
| References |
| Special Thanks |
| |
| Register Set |
| ============ |
| The current architectures have the following registers. |
| |
| 16 General propose registers, 32 bit on s/390 and 64 bit on z/Architecture, |
| r0-r15 (or gpr0-gpr15), used for arithmetic and addressing. |
| |
| 16 Control registers, 32 bit on s/390 and 64 bit on z/Architecture, cr0-cr15, |
| kernel usage only, used for memory management, interrupt control, debugging |
| control etc. |
| |
| 16 Access registers (ar0-ar15), 32 bit on both s/390 and z/Architecture, |
| normally not used by normal programs but potentially could be used as |
| temporary storage. These registers have a 1:1 association with general |
| purpose registers and are designed to be used in the so-called access |
| register mode to select different address spaces. |
| Access register 0 (and access register 1 on z/Architecture, which needs a |
| 64 bit pointer) is currently used by the pthread library as a pointer to |
| the current running threads private area. |
| |
| 16 64-bit floating point registers (fp0-fp15 ) IEEE & HFP floating |
| point format compliant on G5 upwards & a Floating point control reg (FPC) |
| |
| 4 64-bit registers (fp0,fp2,fp4 & fp6) HFP only on older machines. |
| |
| Note: |
| Linux (currently) always uses IEEE & emulates G5 IEEE format on older |
| machines, ( provided the kernel is configured for this ). |
| |
| |
| The PSW is the most important register on the machine it |
| is 64 bit on s/390 & 128 bit on z/Architecture & serves the roles of |
| a program counter (pc), condition code register,memory space designator. |
| In IBM standard notation I am counting bit 0 as the MSB. |
| It has several advantages over a normal program counter |
| in that you can change address translation & program counter |
| in a single instruction. To change address translation, |
| e.g. switching address translation off requires that you |
| have a logical=physical mapping for the address you are |
| currently running at. |
| |
| +-------------------------+-------------------------------------------------+ |
| | Bit | | |
| +--------+----------------+ Value | |
| | s/390 | z/Architecture | | |
| +========+================+=================================================+ |
| | 0 | 0 | Reserved (must be 0) otherwise specification | |
| | | | exception occurs. | |
| +--------+----------------+-------------------------------------------------+ |
| | 1 | 1 | Program Event Recording 1 PER enabled, | |
| | | | PER is used to facilitate debugging e.g. | |
| | | | single stepping. | |
| +--------+----------------+-------------------------------------------------+ |
| | 2-4 | 2-4 | Reserved (must be 0). | |
| +--------+----------------+-------------------------------------------------+ |
| | 5 | 5 | Dynamic address translation 1=DAT on. | |
| +--------+----------------+-------------------------------------------------+ |
| | 6 | 6 | Input/Output interrupt Mask | |
| +--------+----------------+-------------------------------------------------+ |
| | 7 | 7 | External interrupt Mask used primarily for | |
| | | | interprocessor signalling and clock interrupts. | |
| +--------+----------------+-------------------------------------------------+ |
| | 8-11 | 8-11 | PSW Key used for complex memory protection | |
| | | | mechanism (not used under linux) | |
| +--------+----------------+-------------------------------------------------+ |
| | 12 | 12 | 1 on s/390 0 on z/Architecture | |
| +--------+----------------+-------------------------------------------------+ |
| | 13 | 13 | Machine Check Mask 1=enable machine check | |
| | | | interrupts | |
| +--------+----------------+-------------------------------------------------+ |
| | 14 | 14 | Wait State. Set this to 1 to stop the processor | |
| | | | except for interrupts and give time to other | |
| | | | LPARS. Used in CPU idle in the kernel to | |
| | | | increase overall usage of processor resources. | |
| +--------+----------------+-------------------------------------------------+ |
| | 15 | 15 | Problem state (if set to 1 certain instructions | |
| | | | are disabled). All linux user programs run with | |
| | | | this bit 1 (useful info for debugging under VM).| |
| +--------+----------------+-------------------------------------------------+ |
| | 16-17 | 16-17 | Address Space Control | |
| | | | | |
| | | | 00 Primary Space Mode: | |
| | | | | |
| | | | The register CR1 contains the primary | |
| | | | address-space control element (PASCE), which | |
| | | | points to the primary space region/segment | |
| | | | table origin. | |
| | | | | |
| | | | 01 Access register mode | |
| | | | | |
| | | | 10 Secondary Space Mode: | |
| | | | | |
| | | | The register CR7 contains the secondary | |
| | | | address-space control element (SASCE), which | |
| | | | points to the secondary space region or | |
| | | | segment table origin. | |
| | | | | |
| | | | 11 Home Space Mode: | |
| | | | | |
| | | | The register CR13 contains the home space | |
| | | | address-space control element (HASCE), which | |
| | | | points to the home space region/segment | |
| | | | table origin. | |
| | | | | |
| | | | See "Address Spaces on Linux for s/390 & | |
| | | | z/Architecture" below for more information | |
| | | | about address space usage in Linux. | |
| +--------+----------------+-------------------------------------------------+ |
| | 18-19 | 18-19 | Condition codes (CC) | |
| +--------+----------------+-------------------------------------------------+ |
| | 20 | 20 | Fixed point overflow mask if 1=FPU exceptions | |
| | | | for this event occur (normally 0) | |
| +--------+----------------+-------------------------------------------------+ |
| | 21 | 21 | Decimal overflow mask if 1=FPU exceptions for | |
| | | | this event occur (normally 0) | |
| +--------+----------------+-------------------------------------------------+ |
| | 22 | 22 | Exponent underflow mask if 1=FPU exceptions | |
| | | | for this event occur (normally 0) | |
| +--------+----------------+-------------------------------------------------+ |
| | 23 | 23 | Significance Mask if 1=FPU exceptions for this | |
| | | | event occur (normally 0) | |
| +--------+----------------+-------------------------------------------------+ |
| | 24-31 | 24-30 | Reserved Must be 0. | |
| | +----------------+-------------------------------------------------+ |
| | | 31 | Extended Addressing Mode | |
| | +----------------+-------------------------------------------------+ |
| | | 32 | Basic Addressing Mode | |
| | | | | |
| | | | Used to set addressing mode | |
| | | | | |
| | | | +---------+----------+----------+ | |
| | | | | PSW 31 | PSW 32 | | | |
| | | | +---------+----------+----------+ | |
| | | | | 0 | 0 | 24 bit | | |
| | | | +---------+----------+----------+ | |
| | | | | 0 | 1 | 31 bit | | |
| | | | +---------+----------+----------+ | |
| | | | | 1 | 1 | 64 bit | | |
| | | | +---------+----------+----------+ | |
| +--------+----------------+-------------------------------------------------+ |
| | 32 | | 1=31 bit addressing mode 0=24 bit addressing | |
| | | | mode (for backward compatibility), linux | |
| | | | always runs with this bit set to 1 | |
| +--------+----------------+-------------------------------------------------+ |
| | 33-64 | | Instruction address. | |
| | +----------------+-------------------------------------------------+ |
| | | 33-63 | Reserved must be 0 | |
| | +----------------+-------------------------------------------------+ |
| | | 64-127 | Address | |
| | | | | |
| | | | - In 24 bits mode bits 64-103=0 bits 104-127 | |
| | | | Address | |
| | | | - In 31 bits mode bits 64-96=0 bits 97-127 | |
| | | | Address | |
| | | | | |
| | | | Note: | |
| | | | unlike 31 bit mode on s/390 bit 96 must be | |
| | | | zero when loading the address with LPSWE | |
| | | | otherwise a specification exception occurs, | |
| | | | LPSW is fully backward compatible. | |
| +--------+----------------+-------------------------------------------------+ |
| |
| Prefix Page(s) |
| -------------- |
| This per cpu memory area is too intimately tied to the processor not to mention. |
| It exists between the real addresses 0-4096 on s/390 and between 0-8192 on |
| z/Architecture and is exchanged with one page on s/390 or two pages on |
| z/Architecture in absolute storage by the set prefix instruction during Linux |
| startup. |
| |
| This page is mapped to a different prefix for each processor in an SMP |
| configuration (assuming the OS designer is sane of course). |
| |
| Bytes 0-512 (200 hex) on s/390 and 0-512, 4096-4544, 4604-5119 currently on |
| z/Architecture are used by the processor itself for holding such information |
| as exception indications and entry points for exceptions. |
| |
| Bytes after 0xc00 hex are used by linux for per processor globals on s/390 and |
| z/Architecture (there is a gap on z/Architecture currently between 0xc00 and |
| 0x1000, too, which is used by Linux). |
| |
| The closest thing to this on traditional architectures is the interrupt |
| vector table. This is a good thing & does simplify some of the kernel coding |
| however it means that we now cannot catch stray NULL pointers in the |
| kernel without hard coded checks. |
| |
| |
| |
| Address Spaces on Intel Linux |
| ============================= |
| |
| The traditional Intel Linux is approximately mapped as follows forgive |
| the ascii art:: |
| |
| 0xFFFFFFFF 4GB Himem ***************** |
| * * |
| * Kernel Space * |
| * * |
| ***************** **************** |
| User Space Himem * User Stack * * * |
| (typically 0xC0000000 3GB ) ***************** * * |
| * Shared Libs * * Next Process * |
| ***************** * to * |
| * * <== * Run * <== |
| * User Program * * * |
| * Data BSS * * * |
| * Text * * * |
| * Sections * * * |
| 0x00000000 ***************** **************** |
| |
| Now it is easy to see that on Intel it is quite easy to recognise a kernel |
| address as being one greater than user space himem (in this case 0xC0000000), |
| and addresses of less than this are the ones in the current running program on |
| this processor (if an smp box). |
| |
| If using the virtual machine ( VM ) as a debugger it is quite difficult to |
| know which user process is running as the address space you are looking at |
| could be from any process in the run queue. |
| |
| The limitation of Intels addressing technique is that the linux |
| kernel uses a very simple real address to virtual addressing technique |
| of Real Address=Virtual Address-User Space Himem. |
| This means that on Intel the kernel linux can typically only address |
| Himem=0xFFFFFFFF-0xC0000000=1GB & this is all the RAM these machines |
| can typically use. |
| |
| They can lower User Himem to 2GB or lower & thus be |
| able to use 2GB of RAM however this shrinks the maximum size |
| of User Space from 3GB to 2GB they have a no win limit of 4GB unless |
| they go to 64 Bit. |
| |
| |
| On 390 our limitations & strengths make us slightly different. |
| For backward compatibility we are only allowed use 31 bits (2GB) |
| of our 32 bit addresses, however, we use entirely separate address |
| spaces for the user & kernel. |
| |
| This means we can support 2GB of non Extended RAM on s/390, & more |
| with the Extended memory management swap device & |
| currently 4TB of physical memory currently on z/Architecture. |
| |
| |
| Address Spaces on Linux for s/390 & z/Architecture |
| ================================================== |
| |
| Our addressing scheme is basically as follows:: |
| |
| Primary Space Home Space |
| Himem 0x7fffffff 2GB on s/390 ***************** **************** |
| currently 0x3ffffffffff (2^42)-1 * User Stack * * * |
| on z/Architecture. ***************** * * |
| * Shared Libs * * * |
| ***************** * * |
| * * * Kernel * |
| * User Program * * * |
| * Data BSS * * * |
| * Text * * * |
| * Sections * * * |
| 0x00000000 ***************** **************** |
| |
| This also means that we need to look at the PSW problem state bit and the |
| addressing mode to decide whether we are looking at user or kernel space. |
| |
| User space runs in primary address mode (or access register mode within |
| the vdso code). |
| |
| The kernel usually also runs in home space mode, however when accessing |
| user space the kernel switches to primary or secondary address mode if |
| the mvcos instruction is not available or if a compare-and-swap (futex) |
| instruction on a user space address is performed. |
| |
| When also looking at the ASCE control registers, this means: |
| |
| User space: |
| |
| - runs in primary or access register mode |
| - cr1 contains the user asce |
| - cr7 contains the user asce |
| - cr13 contains the kernel asce |
| |
| Kernel space: |
| |
| - runs in home space mode |
| - cr1 contains the user or kernel asce |
| |
| - the kernel asce is loaded when a uaccess requires primary or |
| secondary address mode |
| |
| - cr7 contains the user or kernel asce, (changed with set_fs()) |
| - cr13 contains the kernel asce |
| |
| In case of uaccess the kernel changes to: |
| |
| - primary space mode in case of a uaccess (copy_to_user) and uses |
| e.g. the mvcp instruction to access user space. However the kernel |
| will stay in home space mode if the mvcos instruction is available |
| - secondary space mode in case of futex atomic operations, so that the |
| instructions come from primary address space and data from secondary |
| space |
| |
| In case of KVM, the kernel runs in home space mode, but cr1 gets switched |
| to contain the gmap asce before the SIE instruction gets executed. When |
| the SIE instruction is finished, cr1 will be switched back to contain the |
| user asce. |
| |
| |
| Virtual Addresses on s/390 & z/Architecture |
| =========================================== |
| |
| A virtual address on s/390 is made up of 3 parts |
| The SX (segment index, roughly corresponding to the PGD & PMD in Linux |
| terminology) being bits 1-11. |
| |
| The PX (page index, corresponding to the page table entry (pte) in Linux |
| terminology) being bits 12-19. |
| |
| The remaining bits BX (the byte index are the offset in the page ) |
| i.e. bits 20 to 31. |
| |
| On z/Architecture in linux we currently make up an address from 4 parts. |
| |
| - The region index bits (RX) 0-32 we currently use bits 22-32 |
| - The segment index (SX) being bits 33-43 |
| - The page index (PX) being bits 44-51 |
| - The byte index (BX) being bits 52-63 |
| |
| Notes: |
| 1) s/390 has no PMD so the PMD is really the PGD also. |
| A lot of this stuff is defined in pgtable.h. |
| |
| 2) Also seeing as s/390's page indexes are only 1k in size |
| (bits 12-19 x 4 bytes per pte ) we use 1 ( page 4k ) |
| to make the best use of memory by updating 4 segment indices |
| entries each time we mess with a PMD & use offsets |
| 0,1024,2048 & 3072 in this page as for our segment indexes. |
| On z/Architecture our page indexes are now 2k in size |
| ( bits 12-19 x 8 bytes per pte ) we do a similar trick |
| but only mess with 2 segment indices each time we mess with |
| a PMD. |
| |
| 3) As z/Architecture supports up to a massive 5-level page table lookup we |
| can only use 3 currently on Linux ( as this is all the generic kernel |
| currently supports ) however this may change in future |
| this allows us to access ( according to my sums ) |
| 4TB of virtual storage per process i.e. |
| 4096*512(PTES)*1024(PMDS)*2048(PGD) = 4398046511104 bytes, |
| enough for another 2 or 3 of years I think :-). |
| to do this we use a region-third-table designation type in |
| our address space control registers. |
| |
| |
| The Linux for s/390 & z/Architecture Kernel Task Structure |
| ========================================================== |
| Each process/thread under Linux for S390 has its own kernel task_struct |
| defined in linux/include/linux/sched.h |
| The S390 on initialisation & resuming of a process on a cpu sets |
| the __LC_KERNEL_STACK variable in the spare prefix area for this cpu |
| (which we use for per-processor globals). |
| |
| The kernel stack pointer is intimately tied with the task structure for |
| each processor as follows:: |
| |
| s/390 |
| ************************ |
| * 1 page kernel stack * |
| * ( 4K ) * |
| ************************ |
| * 1 page task_struct * |
| * ( 4K ) * |
| 8K aligned ************************ |
| |
| z/Architecture |
| ************************ |
| * 2 page kernel stack * |
| * ( 8K ) * |
| ************************ |
| * 2 page task_struct * |
| * ( 8K ) * |
| 16K aligned ************************ |
| |
| What this means is that we don't need to dedicate any register or global |
| variable to point to the current running process & can retrieve it with the |
| following very simple construct for s/390 & one very similar for |
| z/Architecture:: |
| |
| static inline struct task_struct * get_current(void) |
| { |
| struct task_struct *current; |
| __asm__("lhi %0,-8192\n\t" |
| "nr %0,15" |
| : "=r" (current) ); |
| return current; |
| } |
| |
| i.e. just anding the current kernel stack pointer with the mask -8192. |
| Thankfully because Linux doesn't have support for nested IO interrupts |
| & our devices have large buffers can survive interrupts being shut for |
| short amounts of time we don't need a separate stack for interrupts. |
| |
| |
| |
| |
| Register Usage & Stackframes on Linux for s/390 & z/Architecture |
| ================================================================= |
| Overview: |
| --------- |
| This is the code that gcc produces at the top & the bottom of |
| each function. It usually is fairly consistent & similar from |
| function to function & if you know its layout you can probably |
| make some headway in finding the ultimate cause of a problem |
| after a crash without a source level debugger. |
| |
| Note: To follow stackframes requires a knowledge of C or Pascal & |
| limited knowledge of one assembly language. |
| |
| It should be noted that there are some differences between the |
| s/390 and z/Architecture stack layouts as the z/Architecture stack layout |
| didn't have to maintain compatibility with older linkage formats. |
| |
| Glossary: |
| --------- |
| alloca: |
| This is a built in compiler function for runtime allocation |
| of extra space on the callers stack which is obviously freed |
| up on function exit ( e.g. the caller may choose to allocate nothing |
| of a buffer of 4k if required for temporary purposes ), it generates |
| very efficient code ( a few cycles ) when compared to alternatives |
| like malloc. |
| |
| automatics: |
| These are local variables on the stack, i.e they aren't in registers & |
| they aren't static. |
| |
| back-chain: |
| This is a pointer to the stack pointer before entering a |
| framed functions ( see frameless function ) prologue got by |
| dereferencing the address of the current stack pointer, |
| i.e. got by accessing the 32 bit value at the stack pointers |
| current location. |
| |
| base-pointer: |
| This is a pointer to the back of the literal pool which |
| is an area just behind each procedure used to store constants |
| in each function. |
| |
| call-clobbered: |
| The caller probably needs to save these registers if there |
| is something of value in them, on the stack or elsewhere before making a |
| call to another procedure so that it can restore it later. |
| |
| epilogue: |
| The code generated by the compiler to return to the caller. |
| |
| frameless-function: |
| A frameless function in Linux for s390 & z/Architecture is one which doesn't |
| need more than the register save area (96 bytes on s/390, 160 on z/Architecture) |
| given to it by the caller. |
| |
| A frameless function never: |
| |
| 1) Sets up a back chain. |
| 2) Calls alloca. |
| 3) Calls other normal functions |
| 4) Has automatics. |
| |
| GOT-pointer: |
| This is a pointer to the global-offset-table in ELF |
| ( Executable Linkable Format, Linux'es most common executable format ), |
| all globals & shared library objects are found using this pointer. |
| |
| lazy-binding |
| ELF shared libraries are typically only loaded when routines in the shared |
| library are actually first called at runtime. This is lazy binding. |
| |
| procedure-linkage-table |
| This is a table found from the GOT which contains pointers to routines |
| in other shared libraries which can't be called to by easier means. |
| |
| prologue: |
| The code generated by the compiler to set up the stack frame. |
| |
| outgoing-args: |
| This is extra area allocated on the stack of the calling function if the |
| parameters for the callee's cannot all be put in registers, the same |
| area can be reused by each function the caller calls. |
| |
| routine-descriptor: |
| A COFF executable format based concept of a procedure reference |
| actually being 8 bytes or more as opposed to a simple pointer to the routine. |
| This is typically defined as follows: |
| |
| - Routine Descriptor offset 0=Pointer to Function |
| - Routine Descriptor offset 4=Pointer to Table of Contents |
| |
| The table of contents/TOC is roughly equivalent to a GOT pointer. |
| & it means that shared libraries etc. can be shared between several |
| environments each with their own TOC. |
| |
| static-chain: |
| This is used in nested functions a concept adopted from pascal |
| by gcc not used in ansi C or C++ ( although quite useful ), basically it |
| is a pointer used to reference local variables of enclosing functions. |
| You might come across this stuff once or twice in your lifetime. |
| |
| e.g. |
| |
| The function below should return 11 though gcc may get upset & toss warnings |
| about unused variables:: |
| |
| int FunctionA(int a) |
| { |
| int b; |
| FunctionC(int c) |
| { |
| b=c+1; |
| } |
| FunctionC(10); |
| return(b); |
| } |
| |
| |
| s/390 & z/Architecture Register usage |
| ===================================== |
| |
| ======== ========================================== =============== |
| r0 used by syscalls/assembly call-clobbered |
| r1 used by syscalls/assembly call-clobbered |
| r2 argument 0 / return value 0 call-clobbered |
| r3 argument 1 / return value 1 (if long long) call-clobbered |
| r4 argument 2 call-clobbered |
| r5 argument 3 call-clobbered |
| r6 argument 4 saved |
| r7 pointer-to arguments 5 to ... saved |
| r8 this & that saved |
| r9 this & that saved |
| r10 static-chain ( if nested function ) saved |
| r11 frame-pointer ( if function used alloca ) saved |
| r12 got-pointer saved |
| r13 base-pointer saved |
| r14 return-address saved |
| r15 stack-pointer saved |
| |
| f0 argument 0 / return value ( float/double ) call-clobbered |
| f2 argument 1 call-clobbered |
| f4 z/Architecture argument 2 saved |
| f6 z/Architecture argument 3 saved |
| ======== ========================================== =============== |
| |
| The remaining floating points |
| f1,f3,f5 f7-f15 are call-clobbered. |
| |
| Notes: |
| ------ |
| 1) The only requirement is that registers which are used |
| by the callee are saved, e.g. the compiler is perfectly |
| capable of using r11 for purposes other than a frame a |
| frame pointer if a frame pointer is not needed. |
| 2) In functions with variable arguments e.g. printf the calling procedure |
| is identical to one without variable arguments & the same number of |
| parameters. However, the prologue of this function is somewhat more |
| hairy owing to it having to move these parameters to the stack to |
| get va_start, va_arg & va_end to work. |
| 3) Access registers are currently unused by gcc but are used in |
| the kernel. Possibilities exist to use them at the moment for |
| temporary storage but it isn't recommended. |
| 4) Only 4 of the floating point registers are used for |
| parameter passing as older machines such as G3 only have only 4 |
| & it keeps the stack frame compatible with other compilers. |
| However with IEEE floating point emulation under linux on the |
| older machines you are free to use the other 12. |
| 5) A long long or double parameter cannot be have the |
| first 4 bytes in a register & the second four bytes in the |
| outgoing args area. It must be purely in the outgoing args |
| area if crossing this boundary. |
| 6) Floating point parameters are mixed with outgoing args |
| on the outgoing args area in the order the are passed in as parameters. |
| 7) Floating point arguments 2 & 3 are saved in the outgoing args area for |
| z/Architecture |
| |
| |
| Stack Frame Layout |
| ------------------ |
| |
| ========= ============== ====================================================== |
| s/390 z/Architecture |
| ========= ============== ====================================================== |
| 0 0 back chain ( a 0 here signifies end of back chain ) |
| 4 8 eos ( end of stack, not used on Linux for S390 used |
| in other linkage formats ) |
| 8 16 glue used in other s/390 linkage formats for saved |
| routine descriptors etc. |
| 12 24 glue used in other s/390 linkage formats for saved |
| routine descriptors etc. |
| 16 32 scratch area |
| 20 40 scratch area |
| 24 48 saved r6 of caller function |
| 28 56 saved r7 of caller function |
| 32 64 saved r8 of caller function |
| 36 72 saved r9 of caller function |
| 40 80 saved r10 of caller function |
| 44 88 saved r11 of caller function |
| 48 96 saved r12 of caller function |
| 52 104 saved r13 of caller function |
| 56 112 saved r14 of caller function |
| 60 120 saved r15 of caller function |
| 64 128 saved f4 of caller function |
| 72 132 saved f6 of caller function |
| 80 undefined |
| 96 160 outgoing args passed from caller to callee |
| 96+x 160+x possible stack alignment ( 8 bytes desirable ) |
| 96+x+y 160+x+y alloca space of caller ( if used ) |
| 96+x+y+z 160+x+y+z automatics of caller ( if used ) |
| 0 back-chain |
| ========= ============== ====================================================== |
| |
| A sample program with comments. |
| =============================== |
| |
| Comments on the function test |
| ----------------------------- |
| 1) It didn't need to set up a pointer to the constant pool gpr13 as it is not |
| used ( :-( ). |
| 2) This is a frameless function & no stack is bought. |
| 3) The compiler was clever enough to recognise that it could return the |
| value in r2 as well as use it for the passed in parameter ( :-) ). |
| 4) The basr ( branch relative & save ) trick works as follows the instruction |
| has a special case with r0,r0 with some instruction operands is understood as |
| the literal value 0, some risc architectures also do this ). So now |
| we are branching to the next address & the address new program counter is |
| in r13,so now we subtract the size of the function prologue we have executed |
| the size of the literal pool to get to the top of the literal pool:: |
| |
| |
| 0040037c int test(int b) |
| { # Function prologue below |
| 40037c: 90 de f0 34 stm %r13,%r14,52(%r15) # Save registers r13 & r14 |
| 400380: 0d d0 basr %r13,%r0 # Set up pointer to constant pool using |
| 400382: a7 da ff fa ahi %r13,-6 # basr trick |
| return(5+b); |
| # Huge main program |
| 400386: a7 2a 00 05 ahi %r2,5 # add 5 to r2 |
| |
| # Function epilogue below |
| 40038a: 98 de f0 34 lm %r13,%r14,52(%r15) # restore registers r13 & 14 |
| 40038e: 07 fe br %r14 # return |
| } |
| |
| Comments on the function main |
| ----------------------------- |
| 1) The compiler did this function optimally ( 8-) ):: |
| |
| Literal pool for main. |
| 400390: ff ff ff ec .long 0xffffffec |
| main(int argc,char *argv[]) |
| { # Function prologue below |
| 400394: 90 bf f0 2c stm %r11,%r15,44(%r15) # Save necessary registers |
| 400398: 18 0f lr %r0,%r15 # copy stack pointer to r0 |
| 40039a: a7 fa ff a0 ahi %r15,-96 # Make area for callee saving |
| 40039e: 0d d0 basr %r13,%r0 # Set up r13 to point to |
| 4003a0: a7 da ff f0 ahi %r13,-16 # literal pool |
| 4003a4: 50 00 f0 00 st %r0,0(%r15) # Save backchain |
| |
| return(test(5)); # Main Program Below |
| 4003a8: 58 e0 d0 00 l %r14,0(%r13) # load relative address of test from |
| # literal pool |
| 4003ac: a7 28 00 05 lhi %r2,5 # Set first parameter to 5 |
| 4003b0: 4d ee d0 00 bas %r14,0(%r14,%r13) # jump to test setting r14 as return |
| # address using branch & save instruction. |
| |
| # Function Epilogue below |
| 4003b4: 98 bf f0 8c lm %r11,%r15,140(%r15)# Restore necessary registers. |
| 4003b8: 07 fe br %r14 # return to do program exit |
| } |
| |
| |
| Compiler updates |
| ---------------- |
| |
| :: |
| |
| main(int argc,char *argv[]) |
| { |
| 4004fc: 90 7f f0 1c stm %r7,%r15,28(%r15) |
| 400500: a7 d5 00 04 bras %r13,400508 <main+0xc> |
| 400504: 00 40 04 f4 .long 0x004004f4 |
| # compiler now puts constant pool in code to so it saves an instruction |
| 400508: 18 0f lr %r0,%r15 |
| 40050a: a7 fa ff a0 ahi %r15,-96 |
| 40050e: 50 00 f0 00 st %r0,0(%r15) |
| return(test(5)); |
| 400512: 58 10 d0 00 l %r1,0(%r13) |
| 400516: a7 28 00 05 lhi %r2,5 |
| 40051a: 0d e1 basr %r14,%r1 |
| # compiler adds 1 extra instruction to epilogue this is done to |
| # avoid processor pipeline stalls owing to data dependencies on g5 & |
| # above as register 14 in the old code was needed directly after being loaded |
| # by the lm %r11,%r15,140(%r15) for the br %14. |
| 40051c: 58 40 f0 98 l %r4,152(%r15) |
| 400520: 98 7f f0 7c lm %r7,%r15,124(%r15) |
| 400524: 07 f4 br %r4 |
| } |
| |
| |
| Hartmut ( our compiler developer ) also has been threatening to take out the |
| stack backchain in optimised code as this also causes pipeline stalls, you |
| have been warned. |
| |
| 64 bit z/Architecture code disassembly |
| -------------------------------------- |
| |
| If you understand the stuff above you'll understand the stuff |
| below too so I'll avoid repeating myself & just say that |
| some of the instructions have g's on the end of them to indicate |
| they are 64 bit & the stack offsets are a bigger, |
| the only other difference you'll find between 32 & 64 bit is that |
| we now use f4 & f6 for floating point arguments on 64 bit:: |
| |
| 00000000800005b0 <test>: |
| int test(int b) |
| { |
| return(5+b); |
| 800005b0: a7 2a 00 05 ahi %r2,5 |
| 800005b4: b9 14 00 22 lgfr %r2,%r2 # downcast to integer |
| 800005b8: 07 fe br %r14 |
| 800005ba: 07 07 bcr 0,%r7 |
| |
| |
| } |
| |
| 00000000800005bc <main>: |
| main(int argc,char *argv[]) |
| { |
| 800005bc: eb bf f0 58 00 24 stmg %r11,%r15,88(%r15) |
| 800005c2: b9 04 00 1f lgr %r1,%r15 |
| 800005c6: a7 fb ff 60 aghi %r15,-160 |
| 800005ca: e3 10 f0 00 00 24 stg %r1,0(%r15) |
| return(test(5)); |
| 800005d0: a7 29 00 05 lghi %r2,5 |
| # brasl allows jumps > 64k & is overkill here bras would do fune |
| 800005d4: c0 e5 ff ff ff ee brasl %r14,800005b0 <test> |
| 800005da: e3 40 f1 10 00 04 lg %r4,272(%r15) |
| 800005e0: eb bf f0 f8 00 04 lmg %r11,%r15,248(%r15) |
| 800005e6: 07 f4 br %r4 |
| } |
| |
| |
| |
| Compiling programs for debugging on Linux for s/390 & z/Architecture |
| ==================================================================== |
| -gdwarf-2 now works it should be considered the default debugging |
| format for s/390 & z/Architecture as it is more reliable for debugging |
| shared libraries, normal -g debugging works much better now |
| Thanks to the IBM java compiler developers bug reports. |
| |
| This is typically done adding/appending the flags -g or -gdwarf-2 to the |
| CFLAGS & LDFLAGS variables Makefile of the program concerned. |
| |
| If using gdb & you would like accurate displays of registers & |
| stack traces compile without optimisation i.e make sure |
| that there is no -O2 or similar on the CFLAGS line of the Makefile & |
| the emitted gcc commands, obviously this will produce worse code |
| ( not advisable for shipment ) but it is an aid to the debugging process. |
| |
| This aids debugging because the compiler will copy parameters passed in |
| in registers onto the stack so backtracing & looking at passed in |
| parameters will work, however some larger programs which use inline functions |
| will not compile without optimisation. |
| |
| Debugging with optimisation has since much improved after fixing |
| some bugs, please make sure you are using gdb-5.0 or later developed |
| after Nov'2000. |
| |
| |
| |
| Debugging under VM |
| ================== |
| |
| Notes |
| ----- |
| Addresses & values in the VM debugger are always hex never decimal |
| Address ranges are of the format <HexValue1>-<HexValue2> or |
| <HexValue1>.<HexValue2> |
| For example, the address range 0x2000 to 0x3000 can be described as 2000-3000 |
| or 2000.1000 |
| |
| The VM Debugger is case insensitive. |
| |
| VM's strengths are usually other debuggers weaknesses you can get at any |
| resource no matter how sensitive e.g. memory management resources, change |
| address translation in the PSW. For kernel hacking you will reap dividends if |
| you get good at it. |
| |
| The VM Debugger displays operators but not operands, and also the debugger |
| displays useful information on the same line as the author of the code probably |
| felt that it was a good idea not to go over the 80 columns on the screen. |
| This isn't as unintuitive as it may seem as the s/390 instructions are easy to |
| decode mentally and you can make a good guess at a lot of them as all the |
| operands are nibble (half byte aligned). |
| So if you have an objdump listing by hand, it is quite easy to follow, and if |
| you don't have an objdump listing keep a copy of the s/390 Reference Summary |
| or alternatively the s/390 principles of operation next to you. |
| e.g. even I can guess that |
| 0001AFF8' LR 180F CC 0 |
| is a ( load register ) lr r0,r15 |
| |
| Also it is very easy to tell the length of a 390 instruction from the 2 most |
| significant bits in the instruction (not that this info is really useful except |
| if you are trying to make sense of a hexdump of code). |
| Here is a table |
| |
| ======================= ================== |
| Bits Instruction Length |
| ======================= ================== |
| 00 2 Bytes |
| 01 4 Bytes |
| 10 4 Bytes |
| 11 6 Bytes |
| ======================= ================== |
| |
| The debugger also displays other useful info on the same line such as the |
| addresses being operated on destination addresses of branches & condition codes. |
| e.g.:: |
| |
| 00019736' AHI A7DAFF0E CC 1 |
| 000198BA' BRC A7840004 -> 000198C2' CC 0 |
| 000198CE' STM 900EF068 >> 0FA95E78 CC 2 |
| |
| |
| |
| Useful VM debugger commands |
| --------------------------- |
| |
| I suppose I'd better mention this before I start |
| to list the current active traces do:: |
| |
| Q TR |
| |
| there can be a maximum of 255 of these per set |
| ( more about trace sets later ). |
| |
| To stop traces issue a:: |
| |
| TR END. |
| |
| To delete a particular breakpoint issue:: |
| |
| TR DEL <breakpoint number> |
| |
| The PA1 key drops to CP mode so you can issue debugger commands, |
| Doing alt c (on my 3270 console at least ) clears the screen. |
| |
| hitting b <enter> comes back to the running operating system |
| from cp mode ( in our case linux ). |
| |
| It is typically useful to add shortcuts to your profile.exec file |
| if you have one ( this is roughly equivalent to autoexec.bat in DOS ). |
| file here are a few from mine:: |
| |
| /* this gives me command history on issuing f12 */ |
| set pf12 retrieve |
| /* this continues */ |
| set pf8 imm b |
| /* goes to trace set a */ |
| set pf1 imm tr goto a |
| /* goes to trace set b */ |
| set pf2 imm tr goto b |
| /* goes to trace set c */ |
| set pf3 imm tr goto c |
| |
| |
| |
| Instruction Tracing |
| ------------------- |
| Setting a simple breakpoint:: |
| |
| TR I PSWA <address> |
| |
| To debug a particular function try:: |
| |
| TR I R <function address range> |
| TR I on its own will single step. |
| TR I DATA <MNEMONIC> <OPTIONAL RANGE> will trace for particular mnemonics |
| |
| e.g.:: |
| |
| TR I DATA 4D R 0197BC.4000 |
| |
| will trace for BAS'es ( opcode 4D ) in the range 0197BC.4000 |
| |
| if you were inclined you could add traces for all branch instructions & |
| suffix them with the run prefix so you would have a backtrace on screen |
| when a program crashes:: |
| |
| TR BR <INTO OR FROM> will trace branches into or out of an address. |
| |
| e.g.:: |
| |
| TR BR INTO 0 |
| |
| is often quite useful if a program is getting awkward & deciding |
| to branch to 0 & crashing as this will stop at the address before in jumps to 0. |
| |
| :: |
| |
| TR I R <address range> RUN cmd d g |
| |
| single steps a range of addresses but stays running & |
| displays the gprs on each step. |
| |
| |
| |
| Displaying & modifying Registers |
| -------------------------------- |
| D G |
| will display all the gprs |
| |
| Adding a extra G to all the commands is necessary to access the full 64 bit |
| content in VM on z/Architecture. Obviously this isn't required for access |
| registers as these are still 32 bit. |
| |
| e.g. |
| |
| DGG |
| instead of DG |
| |
| D X |
| will display all the control registers |
| D AR |
| will display all the access registers |
| D AR4-7 |
| will display access registers 4 to 7 |
| CPU ALL D G |
| will display the GRPS of all CPUS in the configuration |
| D PSW |
| will display the current PSW |
| st PSW 2000 |
| will put the value 2000 into the PSW & cause crash your machine. |
| D PREFIX |
| displays the prefix offset |
| |
| |
| Displaying Memory |
| ----------------- |
| To display memory mapped using the current PSW's mapping try:: |
| |
| D <range> |
| |
| To make VM display a message each time it hits a particular address and |
| continue try: |
| |
| D I<range> |
| will disassemble/display a range of instructions. |
| |
| ST addr 32 bit word |
| will store a 32 bit aligned address |
| D T<range> |
| will display the EBCDIC in an address (if you are that way inclined) |
| D R<range> |
| will display real addresses ( without DAT ) but with prefixing. |
| |
| There are other complex options to display if you need to get at say home space |
| but are in primary space the easiest thing to do is to temporarily |
| modify the PSW to the other addressing mode, display the stuff & then |
| restore it. |
| |
| |
| |
| Hints |
| ----- |
| If you want to issue a debugger command without halting your virtual machine |
| with the PA1 key try prefixing the command with #CP e.g.:: |
| |
| #cp tr i pswa 2000 |
| |
| also suffixing most debugger commands with RUN will cause them not |
| to stop just display the mnemonic at the current instruction on the console. |
| |
| If you have several breakpoints you want to put into your program & |
| you get fed up of cross referencing with System.map |
| you can do the following trick for several symbols. |
| |
| :: |
| |
| grep do_signal System.map |
| |
| which emits the following among other things:: |
| |
| 0001f4e0 T do_signal |
| |
| now you can do:: |
| |
| TR I PSWA 0001f4e0 cmd msg * do_signal |
| |
| This sends a message to your own console each time do_signal is entered. |
| ( As an aside I wrote a perl script once which automatically generated a REXX |
| script with breakpoints on every kernel procedure, this isn't a good idea |
| because there are thousands of these routines & VM can only set 255 breakpoints |
| at a time so you nearly had to spend as long pruning the file down as you would |
| entering the msgs by hand), however, the trick might be useful for a single |
| object file. In the 3270 terminal emulator x3270 there is a very useful option |
| in the file menu called "Save Screen In File" - this is very good for keeping a |
| copy of traces. |
| |
| From CMS help <command name> will give you online help on a particular command. |
| e.g.:: |
| |
| HELP DISPLAY |
| |
| Also CP has a file called profile.exec which automatically gets called |
| on startup of CMS ( like autoexec.bat ), keeping on a DOS analogy session |
| CP has a feature similar to doskey, it may be useful for you to |
| use profile.exec to define some keystrokes. |
| |
| SET PF9 IMM B |
| This does a single step in VM on pressing F8. |
| |
| SET PF10 ^ |
| This sets up the ^ key. |
| which can be used for ^c (ctrl-c),^z (ctrl-z) which can't be typed |
| directly into some 3270 consoles. |
| |
| SET PF11 ^- |
| This types the starting keystrokes for a sysrq see SysRq below. |
| SET PF12 RETRIEVE |
| This retrieves command history on pressing F12. |
| |
| |
| Sometimes in VM the display is set up to scroll automatically this |
| can be very annoying if there are messages you wish to look at |
| to stop this do |
| |
| TERM MORE 255 255 |
| This will nearly stop automatic screen updates, however it will |
| cause a denial of service if lots of messages go to the 3270 console, |
| so it would be foolish to use this as the default on a production machine. |
| |
| |
| Tracing particular processes |
| ---------------------------- |
| The kernel's text segment is intentionally at an address in memory that it will |
| very seldom collide with text segments of user programs ( thanks Martin ), |
| this simplifies debugging the kernel. |
| However it is quite common for user processes to have addresses which collide |
| this can make debugging a particular process under VM painful under normal |
| circumstances as the process may change when doing a:: |
| |
| TR I R <address range>. |
| |
| Thankfully after reading VM's online help I figured out how to debug |
| I particular process. |
| |
| Your first problem is to find the STD ( segment table designation ) |
| of the program you wish to debug. |
| There are several ways you can do this here are a few |
| |
| Run:: |
| |
| objdump --syms <program to be debugged> | grep main |
| |
| To get the address of main in the program. Then:: |
| |
| tr i pswa <address of main> |
| |
| Start the program, if VM drops to CP on what looks like the entry |
| point of the main function this is most likely the process you wish to debug. |
| Now do a D X13 or D XG13 on z/Architecture. |
| |
| On 31 bit the STD is bits 1-19 ( the STO segment table origin ) |
| & 25-31 ( the STL segment table length ) of CR13. |
| |
| now type:: |
| |
| TR I R STD <CR13's value> 0.7fffffff |
| |
| e.g.:: |
| |
| TR I R STD 8F32E1FF 0.7fffffff |
| |
| Another very useful variation is:: |
| |
| TR STORE INTO STD <CR13's value> <address range> |
| |
| for finding out when a particular variable changes. |
| |
| An alternative way of finding the STD of a currently running process |
| is to do the following, ( this method is more complex but |
| could be quite convenient if you aren't updating the kernel much & |
| so your kernel structures will stay constant for a reasonable period of |
| time ). |
| |
| :: |
| |
| grep task /proc/<pid>/status |
| |
| from this you should see something like:: |
| |
| task: 0f160000 ksp: 0f161de8 pt_regs: 0f161f68 |
| |
| This now gives you a pointer to the task structure. |
| |
| Now make:: |
| |
| CC:="s390-gcc -g" kernel/sched.s |
| |
| To get the task_struct stabinfo. |
| |
| ( task_struct is defined in include/linux/sched.h ). |
| |
| Now we want to look at |
| task->active_mm->pgd |
| |
| on my machine the active_mm in the task structure stab is |
| active_mm:(4,12),672,32 |
| |
| its offset is 672/8=84=0x54 |
| |
| the pgd member in the mm_struct stab is |
| pgd:(4,6)=*(29,5),96,32 |
| so its offset is 96/8=12=0xc |
| |
| so we'll:: |
| |
| hexdump -s 0xf160054 /dev/mem | more |
| |
| i.e. task_struct+active_mm offset |
| to look at the active_mm member:: |
| |
| f160054 0fee cc60 0019 e334 0000 0000 0000 0011 |
| |
| :: |
| |
| hexdump -s 0x0feecc6c /dev/mem | more |
| |
| i.e. active_mm+pgd offset:: |
| |
| feecc6c 0f2c 0000 0000 0001 0000 0001 0000 0010 |
| |
| we get something like |
| now do:: |
| |
| TR I R STD <pgd|0x7f> 0.7fffffff |
| |
| i.e. the 0x7f is added because the pgd only |
| gives the page table origin & we need to set the low bits |
| to the maximum possible segment table length. |
| |
| :: |
| |
| TR I R STD 0f2c007f 0.7fffffff |
| |
| on z/Architecture you'll probably need to do:: |
| |
| TR I R STD <pgd|0x7> 0.ffffffffffffffff |
| |
| to set the TableType to 0x1 & the Table length to 3. |
| |
| |
| |
| Tracing Program Exceptions |
| -------------------------- |
| If you get a crash which says something like |
| illegal operation or specification exception followed by a register dump |
| You can restart linux & trace these using the tr prog <range or value> trace |
| option. |
| |
| |
| The most common ones you will normally be tracing for is: |
| |
| - 1=operation exception |
| - 2=privileged operation exception |
| - 4=protection exception |
| - 5=addressing exception |
| - 6=specification exception |
| - 10=segment translation exception |
| - 11=page translation exception |
| |
| The full list of these is on page 22 of the current s/390 Reference Summary. |
| e.g. |
| |
| tr prog 10 will trace segment translation exceptions. |
| |
| tr prog on its own will trace all program interruption codes. |
| |
| Trace Sets |
| ---------- |
| On starting VM you are initially in the INITIAL trace set. |
| You can do a Q TR to verify this. |
| If you have a complex tracing situation where you wish to wait for instance |
| till a driver is open before you start tracing IO, but know in your |
| heart that you are going to have to make several runs through the code till you |
| have a clue whats going on. |
| |
| What you can do is:: |
| |
| TR I PSWA <Driver open address> |
| |
| hit b to continue till breakpoint |
| |
| reach the breakpoint |
| |
| now do your:: |
| |
| TR GOTO B |
| TR IO 7c08-7c09 inst int run |
| |
| or whatever the IO channels you wish to trace are & hit b |
| |
| To got back to the initial trace set do:: |
| |
| TR GOTO INITIAL |
| |
| & the TR I PSWA <Driver open address> will be the only active breakpoint again. |
| |
| |
| Tracing linux syscalls under VM |
| ------------------------------- |
| Syscalls are implemented on Linux for S390 by the Supervisor call instruction |
| (SVC). There 256 possibilities of these as the instruction is made up of a 0xA |
| opcode and the second byte being the syscall number. They are traced using the |
| simple command:: |
| |
| TR SVC <Optional value or range> |
| |
| the syscalls are defined in linux/arch/s390/include/asm/unistd.h |
| e.g. to trace all file opens just do:: |
| |
| TR SVC 5 ( as this is the syscall number of open ) |
| |
| |
| SMP Specific commands |
| --------------------- |
| To find out how many cpus you have |
| Q CPUS displays all the CPU's available to your virtual machine |
| To find the cpu that the current cpu VM debugger commands are being directed at |
| do Q CPU to change the current cpu VM debugger commands are being directed at |
| do:: |
| |
| CPU <desired cpu no> |
| |
| On a SMP guest issue a command to all CPUs try prefixing the command with cpu |
| all. To issue a command to a particular cpu try cpu <cpu number> e.g.:: |
| |
| CPU 01 TR I R 2000.3000 |
| |
| If you are running on a guest with several cpus & you have a IO related problem |
| & cannot follow the flow of code but you know it isn't smp related. |
| |
| from the bash prompt issue:: |
| |
| shutdown -h now or halt. |
| |
| do a:: |
| |
| Q CPUS |
| |
| to find out how many cpus you have detach each one of them from cp except |
| cpu 0 by issuing a:: |
| |
| DETACH CPU 01-(number of cpus in configuration) |
| |
| & boot linux again. |
| |
| TR SIGP |
| will trace inter processor signal processor instructions. |
| |
| DEFINE CPU 01-(number in configuration) |
| will get your guests cpus back. |
| |
| |
| Help for displaying ascii textstrings |
| ------------------------------------- |
| On the very latest VM Nucleus'es VM can now display ascii |
| ( thanks Neale for the hint ) by doing:: |
| |
| D TX<lowaddr>.<len> |
| |
| e.g.:: |
| |
| D TX0.100 |
| |
| Alternatively |
| ============= |
| Under older VM debuggers (I love EBDIC too) you can use following little |
| program which converts a command line of hex digits to ascii text. It can be |
| compiled under linux and you can copy the hex digits from your x3270 terminal |
| to your xterm if you are debugging from a linuxbox. |
| |
| This is quite useful when looking at a parameter passed in as a text string |
| under VM ( unless you are good at decoding ASCII in your head ). |
| |
| e.g. consider tracing an open syscall:: |
| |
| TR SVC 5 |
| |
| We have stopped at a breakpoint:: |
| |
| 000151B0' SVC 0A05 -> 0001909A' CC 0 |
| |
| D 20.8 to check the SVC old psw in the prefix area and see was it from userspace |
| (for the layout of the prefix area consult the "Fixed Storage Locations" |
| chapter of the s/390 Reference Summary if you have it available). |
| |
| :: |
| |
| V00000020 070C2000 800151B2 |
| |
| The problem state bit wasn't set & it's also too early in the boot sequence |
| for it to be a userspace SVC if it was we would have to temporarily switch the |
| psw to user space addressing so we could get at the first parameter of the open |
| in gpr2. |
| |
| Next do a:: |
| |
| D G2 |
| GPR 2 = 00014CB4 |
| |
| Now display what gpr2 is pointing to:: |
| |
| D 00014CB4.20 |
| V00014CB4 2F646576 2F636F6E 736F6C65 00001BF5 |
| V00014CC4 FC00014C B4001001 E0001000 B8070707 |
| |
| Now copy the text till the first 00 hex ( which is the end of the string |
| to an xterm & do hex2ascii on it:: |
| |
| hex2ascii 2F646576 2F636F6E 736F6C65 00 |
| |
| outputs:: |
| |
| Decoded Hex:=/ d e v / c o n s o l e 0x00 |
| |
| We were opening the console device, |
| |
| You can compile the code below yourself for practice :-), |
| |
| :: |
| |
| /* |
| * hex2ascii.c |
| * a useful little tool for converting a hexadecimal command line to ascii |
| * |
| * Author(s): Denis Joseph Barrow (djbarrow@de.ibm.com,barrow_dj@yahoo.com) |
| * (C) 2000 IBM Deutschland Entwicklung GmbH, IBM Corporation. |
| */ |
| #include <stdio.h> |
| |
| int main(int argc,char *argv[]) |
| { |
| int cnt1,cnt2,len,toggle=0; |
| int startcnt=1; |
| unsigned char c,hex; |
| |
| if(argc>1&&(strcmp(argv[1],"-a")==0)) |
| startcnt=2; |
| printf("Decoded Hex:="); |
| for(cnt1=startcnt;cnt1<argc;cnt1++) |
| { |
| len=strlen(argv[cnt1]); |
| for(cnt2=0;cnt2<len;cnt2++) |
| { |
| c=argv[cnt1][cnt2]; |
| if(c>='0'&&c<='9') |
| c=c-'0'; |
| if(c>='A'&&c<='F') |
| c=c-'A'+10; |
| if(c>='a'&&c<='f') |
| c=c-'a'+10; |
| switch(toggle) |
| { |
| case 0: |
| hex=c<<4; |
| toggle=1; |
| break; |
| case 1: |
| hex+=c; |
| if(hex<32||hex>127) |
| { |
| if(startcnt==1) |
| printf("0x%02X ",(int)hex); |
| else |
| printf("."); |
| } |
| else |
| { |
| printf("%c",hex); |
| if(startcnt==1) |
| printf(" "); |
| } |
| toggle=0; |
| break; |
| } |
| } |
| } |
| printf("\n"); |
| } |
| |
| |
| |
| |
| Stack tracing under VM |
| ---------------------- |
| A basic backtrace |
| ----------------- |
| |
| Here are the tricks I use 9 out of 10 times it works pretty well, |
| |
| When your backchain reaches a dead end |
| -------------------------------------- |
| This can happen when an exception happens in the kernel and the kernel is |
| entered twice. If you reach the NULL pointer at the end of the back chain you |
| should be able to sniff further back if you follow the following tricks. |
| 1) A kernel address should be easy to recognise since it is in |
| primary space & the problem state bit isn't set & also |
| The Hi bit of the address is set. |
| 2) Another backchain should also be easy to recognise since it is an |
| address pointing to another address approximately 100 bytes or 0x70 hex |
| behind the current stackpointer. |
| |
| |
| Here is some practice. |
| |
| boot the kernel & hit PA1 at some random time |
| |
| d g to display the gprs, this should display something like:: |
| |
| GPR 0 = 00000001 00156018 0014359C 00000000 |
| GPR 4 = 00000001 001B8888 000003E0 00000000 |
| GPR 8 = 00100080 00100084 00000000 000FE000 |
| GPR 12 = 00010400 8001B2DC 8001B36A 000FFED8 |
| |
| Note that GPR14 is a return address but as we are real men we are going to |
| trace the stack. |
| display 0x40 bytes after the stack pointer:: |
| |
| V000FFED8 000FFF38 8001B838 80014C8E 000FFF38 |
| V000FFEE8 00000000 00000000 000003E0 00000000 |
| V000FFEF8 00100080 00100084 00000000 000FE000 |
| V000FFF08 00010400 8001B2DC 8001B36A 000FFED8 |
| |
| |
| Ah now look at whats in sp+56 (sp+0x38) this is 8001B36A our saved r14 if |
| you look above at our stackframe & also agrees with GPR14. |
| |
| now backchain:: |
| |
| d 000FFF38.40 |
| |
| we now are taking the contents of SP to get our first backchain:: |
| |
| V000FFF38 000FFFA0 00000000 00014995 00147094 |
| V000FFF48 00147090 001470A0 000003E0 00000000 |
| V000FFF58 00100080 00100084 00000000 001BF1D0 |
| V000FFF68 00010400 800149BA 80014CA6 000FFF38 |
| |
| This displays a 2nd return address of 80014CA6 |
| |
| now do:: |
| |
| d 000FFFA0.40 |
| |
| for our 3rd backchain:: |
| |
| V000FFFA0 04B52002 0001107F 00000000 00000000 |
| V000FFFB0 00000000 00000000 FF000000 0001107F |
| V000FFFC0 00000000 00000000 00000000 00000000 |
| V000FFFD0 00010400 80010802 8001085A 000FFFA0 |
| |
| |
| our 3rd return address is 8001085A |
| |
| as the 04B52002 looks suspiciously like rubbish it is fair to assume that the |
| kernel entry routines for the sake of optimisation don't set up a backchain. |
| |
| now look at System.map to see if the addresses make any sense:: |
| |
| grep -i 0001b3 System.map |
| |
| outputs among other things:: |
| |
| 0001b304 T cpu_idle |
| |
| so 8001B36A |
| is cpu_idle+0x66 ( quiet the cpu is asleep, don't wake it ) |
| |
| :: |
| |
| grep -i 00014 System.map |
| |
| produces among other things:: |
| |
| 00014a78 T start_kernel |
| |
| so 0014CA6 is start_kernel+some hex number I can't add in my head. |
| |
| :: |
| |
| grep -i 00108 System.map |
| |
| this produces:: |
| |
| 00010800 T _stext |
| |
| so 8001085A is _stext+0x5a |
| |
| Congrats you've done your first backchain. |
| |
| |
| |
| s/390 & z/Architecture IO Overview |
| ================================== |
| |
| I am not going to give a course in 390 IO architecture as this would take me |
| quite a while and I'm no expert. Instead I'll give a 390 IO architecture |
| summary for Dummies. If you have the s/390 principles of operation available |
| read this instead. If nothing else you may find a few useful keywords in here |
| and be able to use them on a web search engine to find more useful information. |
| |
| Unlike other bus architectures modern 390 systems do their IO using mostly |
| fibre optics and devices such as tapes and disks can be shared between several |
| mainframes. Also S390 can support up to 65536 devices while a high end PC based |
| system might be choking with around 64. |
| |
| Here is some of the common IO terminology: |
| |
| Subchannel: |
| This is the logical number most IO commands use to talk to an IO device. There |
| can be up to 0x10000 (65536) of these in a configuration, typically there are a |
| few hundred. Under VM for simplicity they are allocated contiguously, however |
| on the native hardware they are not. They typically stay consistent between |
| boots provided no new hardware is inserted or removed. |
| |
| Under Linux for s390 we use these as IRQ's and also when issuing an IO command |
| (CLEAR SUBCHANNEL, HALT SUBCHANNEL, MODIFY SUBCHANNEL, RESUME SUBCHANNEL, |
| START SUBCHANNEL, STORE SUBCHANNEL and TEST SUBCHANNEL). We use this as the ID |
| of the device we wish to talk to. The most important of these instructions are |
| START SUBCHANNEL (to start IO), TEST SUBCHANNEL (to check whether the IO |
| completed successfully) and HALT SUBCHANNEL (to kill IO). A subchannel can have |
| up to 8 channel paths to a device, this offers redundancy if one is not |
| available. |
| |
| Device Number: |
| This number remains static and is closely tied to the hardware. There are 65536 |
| of these, made up of a CHPID (Channel Path ID, the most significant 8 bits) and |
| another lsb 8 bits. These remain static even if more devices are inserted or |
| removed from the hardware. There is a 1 to 1 mapping between subchannels and |
| device numbers, provided devices aren't inserted or removed. |
| |
| Channel Control Words: |
| CCWs are linked lists of instructions initially pointed to by an operation |
| request block (ORB), which is initially given to Start Subchannel (SSCH) |
| command along with the subchannel number for the IO subsystem to process |
| while the CPU continues executing normal code. |
| CCWs come in two flavours, Format 0 (24 bit for backward compatibility) and |
| Format 1 (31 bit). These are typically used to issue read and write (and many |
| other) instructions. They consist of a length field and an absolute address |
| field. |
| |
| Each IO typically gets 1 or 2 interrupts, one for channel end (primary status) |
| when the channel is idle, and the second for device end (secondary status). |
| Sometimes you get both concurrently. You check how the IO went on by issuing a |
| TEST SUBCHANNEL at each interrupt, from which you receive an Interruption |
| response block (IRB). If you get channel and device end status in the IRB |
| without channel checks etc. your IO probably went okay. If you didn't you |
| probably need to examine the IRB, extended status word etc. |
| If an error occurs, more sophisticated control units have a facility known as |
| concurrent sense. This means that if an error occurs Extended sense information |
| will be presented in the Extended status word in the IRB. If not you have to |
| issue a subsequent SENSE CCW command after the test subchannel. |
| |
| |
| TPI (Test pending interrupt) can also be used for polled IO, but in |
| multitasking multiprocessor systems it isn't recommended except for |
| checking special cases (i.e. non looping checks for pending IO etc.). |
| |
| Store Subchannel and Modify Subchannel can be used to examine and modify |
| operating characteristics of a subchannel (e.g. channel paths). |
| |
| Other IO related Terms: |
| |
| Sysplex: |
| S390's Clustering Technology |
| QDIO: |
| S390's new high speed IO architecture to support devices such as gigabit |
| ethernet, this architecture is also designed to be forward compatible with |
| upcoming 64 bit machines. |
| |
| |
| General Concepts |
| ---------------- |
| |
| Input Output Processors (IOP's) are responsible for communicating between |
| the mainframe CPU's & the channel & relieve the mainframe CPU's from the |
| burden of communicating with IO devices directly, this allows the CPU's to |
| concentrate on data processing. |
| |
| IOP's can use one or more links ( known as channel paths ) to talk to each |
| IO device. It first checks for path availability & chooses an available one, |
| then starts ( & sometimes terminates IO ). |
| There are two types of channel path: ESCON & the Parallel IO interface. |
| |
| IO devices are attached to control units, control units provide the |
| logic to interface the channel paths & channel path IO protocols to |
| the IO devices, they can be integrated with the devices or housed separately |
| & often talk to several similar devices ( typical examples would be raid |
| controllers or a control unit which connects to 1000 3270 terminals ):: |
| |
| |
| +---------------------------------------------------------------+ |
| | +-----+ +-----+ +-----+ +-----+ +----------+ +----------+ | |
| | | CPU | | CPU | | CPU | | CPU | | Main | | Expanded | | |
| | | | | | | | | | | Memory | | Storage | | |
| | +-----+ +-----+ +-----+ +-----+ +----------+ +----------+ | |
| |---------------------------------------------------------------+ |
| | IOP | IOP | IOP | |
| |--------------------------------------------------------------- |
| | C | C | C | C | C | C | C | C | C | C | C | C | C | C | C | C | |
| ---------------------------------------------------------------- |
| || || |
| || Bus & Tag Channel Path || ESCON |
| || ====================== || Channel |
| || || || || Path |
| +----------+ +----------+ +----------+ |
| | | | | | | |
| | CU | | CU | | CU | |
| | | | | | | |
| +----------+ +----------+ +----------+ |
| | | | | | |
| +----------+ +----------+ +----------+ +----------+ +----------+ |
| |I/O Device| |I/O Device| |I/O Device| |I/O Device| |I/O Device| |
| +----------+ +----------+ +----------+ +----------+ +----------+ |
| CPU = Central Processing Unit |
| C = Channel |
| IOP = IP Processor |
| CU = Control Unit |
| |
| The 390 IO systems come in 2 flavours the current 390 machines support both |
| |
| The Older 360 & 370 Interface,sometimes called the Parallel I/O interface, |
| sometimes called Bus-and Tag & sometimes Original Equipment Manufacturers |
| Interface (OEMI). |
| |
| This byte wide Parallel channel path/bus has parity & data on the "Bus" cable |
| and control lines on the "Tag" cable. These can operate in byte multiplex mode |
| for sharing between several slow devices or burst mode and monopolize the |
| channel for the whole burst. Up to 256 devices can be addressed on one of these |
| cables. These cables are about one inch in diameter. The maximum unextended |
| length supported by these cables is 125 Meters but this can be extended up to |
| 2km with a fibre optic channel extended such as a 3044. The maximum burst speed |
| supported is 4.5 megabytes per second. However, some really old processors |
| support only transfer rates of 3.0, 2.0 & 1.0 MB/sec. |
| One of these paths can be daisy chained to up to 8 control units. |
| |
| |
| ESCON if fibre optic it is also called FICON |
| Was introduced by IBM in 1990. Has 2 fibre optic cables and uses either leds or |
| lasers for communication at a signaling rate of up to 200 megabits/sec. As |
| 10bits are transferred for every 8 bits info this drops to 160 megabits/sec |
| and to 18.6 Megabytes/sec once control info and CRC are added. ESCON only |
| operates in burst mode. |
| |
| ESCONs typical max cable length is 3km for the led version and 20km for the |
| laser version known as XDF (extended distance facility). This can be further |
| extended by using an ESCON director which triples the above mentioned ranges. |
| Unlike Bus & Tag as ESCON is serial it uses a packet switching architecture, |
| the standard Bus & Tag control protocol is however present within the packets. |
| Up to 256 devices can be attached to each control unit that uses one of these |
| interfaces. |
| |
| Common 390 Devices include: |
| Network adapters typically OSA2,3172's,2116's & OSA-E gigabit ethernet adapters, |
| Consoles 3270 & 3215 (a teletype emulated under linux for a line mode console). |
| DASD's direct access storage devices ( otherwise known as hard disks ). |
| Tape Drives. |
| CTC ( Channel to Channel Adapters ), |
| ESCON or Parallel Cables used as a very high speed serial link |
| between 2 machines. |
| |
| |
| Debugging IO on s/390 & z/Architecture under VM |
| =============================================== |
| |
| Now we are ready to go on with IO tracing commands under VM |
| |
| A few self explanatory queries:: |
| |
| Q OSA |
| Q CTC |
| Q DISK ( This command is CMS specific ) |
| Q DASD |
| |
| Q OSA on my machine returns:: |
| |
| OSA 7C08 ON OSA 7C08 SUBCHANNEL = 0000 |
| OSA 7C09 ON OSA 7C09 SUBCHANNEL = 0001 |
| OSA 7C14 ON OSA 7C14 SUBCHANNEL = 0002 |
| OSA 7C15 ON OSA 7C15 SUBCHANNEL = 0003 |
| |
| If you have a guest with certain privileges you may be able to see devices |
| which don't belong to you. To avoid this, add the option V. |
| e.g.:: |
| |
| Q V OSA |
| |
| Now using the device numbers returned by this command we will |
| Trace the io starting up on the first device 7c08 & 7c09 |
| In our simplest case we can trace the |
| start subchannels |
| like TR SSCH 7C08-7C09 |
| or the halt subchannels |
| or TR HSCH 7C08-7C09 |
| MSCH's ,STSCH's I think you can guess the rest |
| |
| A good trick is tracing all the IO's and CCWS and spooling them into the reader |
| of another VM guest so he can ftp the logfile back to his own machine. I'll do |
| a small bit of this and give you a look at the output. |
| |
| 1) Spool stdout to VM reader:: |
| |
| SP PRT TO (another vm guest ) or * for the local vm guest |
| |
| 2) Fill the reader with the trace:: |
| |
| TR IO 7c08-7c09 INST INT CCW PRT RUN |
| |
| 3) Start up linux:: |
| |
| i 00c |
| 4) Finish the trace:: |
| |
| TR END |
| |
| 5) close the reader:: |
| |
| C PRT |
| |
| 6) list reader contents:: |
| |
| RDRLIST |
| |
| 7) copy it to linux4's minidisk:: |
| |
| RECEIVE / LOG TXT A1 ( replace |
| |
| 8) |
| filel & press F11 to look at it |
| You should see something like:: |
| |
| 00020942' SSCH B2334000 0048813C CC 0 SCH 0000 DEV 7C08 |
| CPA 000FFDF0 PARM 00E2C9C4 KEY 0 FPI C0 LPM 80 |
| CCW 000FFDF0 E4200100 00487FE8 0000 E4240100 ........ |
| IDAL 43D8AFE8 |
| IDAL 0FB76000 |
| 00020B0A' I/O DEV 7C08 -> 000197BC' SCH 0000 PARM 00E2C9C4 |
| 00021628' TSCH B2354000 >> 00488164 CC 0 SCH 0000 DEV 7C08 |
| CCWA 000FFDF8 DEV STS 0C SCH STS 00 CNT 00EC |
| KEY 0 FPI C0 CC 0 CTLS 4007 |
| 00022238' STSCH B2344000 >> 00488108 CC 0 SCH 0000 DEV 7C08 |
| |
| If you don't like messing up your readed ( because you possibly booted from it ) |
| you can alternatively spool it to another readers guest. |
| |
| |
| Other common VM device related commands |
| --------------------------------------------- |
| These commands are listed only because they have |
| been of use to me in the past & may be of use to |
| you too. For more complete info on each of the commands |
| use type HELP <command> from CMS. |
| |
| detaching devices:: |
| |
| DET <devno range> |
| ATT <devno range> <guest> |
| |
| attach a device to guest * for your own guest |
| |
| READY <devno> |
| cause VM to issue a fake interrupt. |
| |
| The VARY command is normally only available to VM administrators:: |
| |
| VARY ON PATH <path> TO <devno range> |
| VARY OFF PATH <PATH> FROM <devno range> |
| |
| This is used to switch on or off channel paths to devices. |
| |
| Q CHPID <channel path ID> |
| This displays state of devices using this channel path |
| |
| D SCHIB <subchannel> |
| This displays the subchannel information SCHIB block for the device. |
| this I believe is also only available to administrators. |
| |
| DEFINE CTC <devno> |
| defines a virtual CTC channel to channel connection |
| 2 need to be defined on each guest for the CTC driver to use. |
| |
| COUPLE devno userid remote devno |
| Joins a local virtual device to a remote virtual device |
| ( commonly used for the CTC driver ). |
| |
| Building a VM ramdisk under CMS which linux can use:: |
| |
| def vfb-<blocksize> <subchannel> <number blocks> |
| |
| blocksize is commonly 4096 for linux. |
| |
| Formatting it:: |
| |
| format <subchannel> <driver letter e.g. x> (blksize <blocksize> |
| |
| Sharing a disk between multiple guests:: |
| |
| LINK userid devno1 devno2 mode password |
| |
| |
| |
| GDB on S390 |
| =========== |
| N.B. if compiling for debugging gdb works better without optimisation |
| ( see Compiling programs for debugging ) |
| |
| invocation |
| ---------- |
| gdb <victim program> <optional corefile> |
| |
| Online help |
| ----------- |
| help: gives help on commands |
| |
| e.g.:: |
| |
| help |
| help display |
| |
| Note gdb's online help is very good use it. |
| |
| |
| Assembly |
| -------- |
| info registers: |
| displays registers other than floating point. |
| |
| info all-registers: |
| displays floating points as well. |
| |
| disassemble: |
| disassembles |
| |
| e.g.:: |
| |
| disassemble without parameters will disassemble the current function |
| disassemble $pc $pc+10 |
| |
| Viewing & modifying variables |
| ----------------------------- |
| print or p: |
| displays variable or register |
| |
| e.g. p/x $sp will display the stack pointer |
| |
| display: |
| prints variable or register each time program stops |
| |
| e.g.:: |
| |
| display/x $pc will display the program counter |
| display argc |
| |
| undisplay: |
| undo's display's |
| |
| info breakpoints: |
| shows all current breakpoints |
| |
| info stack: |
| shows stack back trace (if this doesn't work too well, I'll show |
| you the stacktrace by hand below). |
| |
| info locals: |
| displays local variables. |
| |
| info args: |
| display current procedure arguments. |
| |
| set args: |
| will set argc & argv each time the victim program is invoked |
| |
| e.g.:: |
| |
| set <variable>=value |
| set argc=100 |
| set $pc=0 |
| |
| |
| |
| Modifying execution |
| ------------------- |
| step: |
| steps n lines of sourcecode |
| |
| step |
| steps 1 line. |
| |
| step 100 |
| steps 100 lines of code. |
| |
| next: |
| like step except this will not step into subroutines |
| |
| stepi: |
| steps a single machine code instruction. |
| |
| e.g.:: |
| |
| stepi 100 |
| |
| nexti: |
| steps a single machine code instruction but will not step into |
| subroutines. |
| |
| finish: |
| will run until exit of the current routine |
| |
| run: |
| (re)starts a program |
| |
| cont: |
| continues a program |
| |
| quit: |
| exits gdb. |
| |
| |
| breakpoints |
| ------------ |
| |
| break |
| sets a breakpoint |
| |
| e.g.:: |
| |
| break main |
| break *$pc |
| break *0x400618 |
| |
| Here's a really useful one for large programs |
| |
| rbr |
| Set a breakpoint for all functions matching REGEXP |
| |
| e.g.:: |
| |
| rbr 390 |
| |
| will set a breakpoint with all functions with 390 in their name. |
| |
| info breakpoints |
| lists all breakpoints |
| |
| delete: |
| delete breakpoint by number or delete them all |
| |
| e.g. |
| |
| delete 1 |
| will delete the first breakpoint |
| |
| |
| delete |
| will delete them all |
| |
| watch: |
| This will set a watchpoint ( usually hardware assisted ), |
| |
| This will watch a variable till it changes |
| |
| e.g. |
| |
| watch cnt |
| will watch the variable cnt till it changes. |
| |
| As an aside unfortunately gdb's, architecture independent watchpoint code |
| is inconsistent & not very good, watchpoints usually work but not always. |
| |
| info watchpoints: |
| Display currently active watchpoints |
| |
| condition: ( another useful one ) |
| Specify breakpoint number N to break only if COND is true. |
| |
| Usage is `condition N COND`, where N is an integer and COND is an |
| expression to be evaluated whenever breakpoint N is reached. |
| |
| |
| |
| User defined functions/macros |
| ----------------------------- |
| define: ( Note this is very very useful,simple & powerful ) |
| |
| usage define <name> <list of commands> end |
| |
| examples which you should consider putting into .gdbinit in your home |
| directory:: |
| |
| define d |
| stepi |
| disassemble $pc $pc+10 |
| end |
| define e |
| nexti |
| disassemble $pc $pc+10 |
| end |
| |
| |
| Other hard to classify stuff |
| ---------------------------- |
| signal n: |
| sends the victim program a signal. |
| |
| e.g. `signal 3` will send a SIGQUIT. |
| |
| info signals: |
| what gdb does when the victim receives certain signals. |
| |
| list: |
| |
| e.g.: |
| |
| list |
| lists current function source |
| list 1,10 |
| list first 10 lines of current file. |
| |
| list test.c:1,10 |
| |
| |
| directory: |
| Adds directories to be searched for source if gdb cannot find the source. |
| (note it is a bit sensitive about slashes) |
| |
| e.g. To add the root of the filesystem to the searchpath do:: |
| |
| directory // |
| |
| |
| call <function> |
| This calls a function in the victim program, this is pretty powerful |
| e.g. |
| (gdb) call printf("hello world") |
| outputs: |
| $1 = 11 |
| |
| You might now be thinking that the line above didn't work, something extra had |
| to be done. |
| (gdb) call fflush(stdout) |
| hello world$2 = 0 |
| As an aside the debugger also calls malloc & free under the hood |
| to make space for the "hello world" string. |
| |
| |
| |
| hints |
| ----- |
| 1) command completion works just like bash |
| ( if you are a bad typist like me this really helps ) |
| |
| e.g. hit br <TAB> & cursor up & down :-). |
| |
| 2) if you have a debugging problem that takes a few steps to recreate |
| put the steps into a file called .gdbinit in your current working directory |
| if you have defined a few extra useful user defined commands put these in |
| your home directory & they will be read each time gdb is launched. |
| |
| A typical .gdbinit file might be.:: |
| |
| break main |
| run |
| break runtime_exception |
| cont |
| |
| |
| stack chaining in gdb by hand |
| ----------------------------- |
| This is done using a the same trick described for VM:: |
| |
| p/x (*($sp+56))&0x7fffffff |
| |
| get the first backchain. |
| |
| For z/Architecture |
| Replace 56 with 112 & ignore the &0x7fffffff |
| in the macros below & do nasty casts to longs like the following |
| as gdb unfortunately deals with printed arguments as ints which |
| messes up everything. |
| |
| i.e. here is a 3rd backchain dereference:: |
| |
| p/x *(long *)(***(long ***)$sp+112) |
| |
| |
| this outputs:: |
| |
| $5 = 0x528f18 |
| |
| on my machine. |
| |
| Now you can use:: |
| |
| info symbol (*($sp+56))&0x7fffffff |
| |
| you might see something like:: |
| |
| rl_getc + 36 in section .text |
| |
| telling you what is located at address 0x528f18 |
| Now do:: |
| |
| p/x (*(*$sp+56))&0x7fffffff |
| |
| This outputs:: |
| |
| $6 = 0x528ed0 |
| |
| Now do:: |
| |
| info symbol (*(*$sp+56))&0x7fffffff |
| rl_read_key + 180 in section .text |
| |
| now do:: |
| |
| p/x (*(**$sp+56))&0x7fffffff |
| |
| & so on. |
| |
| Disassembling instructions without debug info |
| --------------------------------------------- |
| gdb typically complains if there is a lack of debugging |
| symbols in the disassemble command with |
| "No function contains specified address." To get around |
| this do:: |
| |
| x/<number lines to disassemble>xi <address> |
| |
| e.g.:: |
| |
| x/20xi 0x400730 |
| |
| |
| |
| Note: |
| Remember gdb has history just like bash you don't need to retype the |
| whole line just use the up & down arrows. |
| |
| |
| |
| For more info |
| ------------- |
| From your linuxbox do:: |
| |
| man gdb |
| |
| or:: |
| |
| info gdb. |
| |
| core dumps |
| ---------- |
| |
| What a core dump ? |
| ^^^^^^^^^^^^^^^^^^ |
| |
| A core dump is a file generated by the kernel (if allowed) which contains the |
| registers and all active pages of the program which has crashed. |
| |
| From this file gdb will allow you to look at the registers, stack trace and |
| memory of the program as if it just crashed on your system. It is usually |
| called core and created in the current working directory. |
| |
| This is very useful in that a customer can mail a core dump to a technical |
| support department and the technical support department can reconstruct what |
| happened. Provided they have an identical copy of this program with debugging |
| symbols compiled in and the source base of this build is available. |
| |
| In short it is far more useful than something like a crash log could ever hope |
| to be. |
| |
| Why have I never seen one ? |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| Probably because you haven't used the command:: |
| |
| ulimit -c unlimited in bash |
| |
| to allow core dumps, now do:: |
| |
| ulimit -a |
| |
| to verify that the limit was accepted. |
| |
| A sample core dump |
| To create this I'm going to do:: |
| |
| ulimit -c unlimited |
| gdb |
| |
| to launch gdb (my victim app. ) now be bad & do the following from another |
| telnet/xterm session to the same machine:: |
| |
| ps -aux | grep gdb |
| kill -SIGSEGV <gdb's pid> |
| |
| or alternatively use `killall -SIGSEGV gdb` if you have the killall command. |
| |
| Now look at the core dump:: |
| |
| ./gdb core |
| |
| Displays the following:: |
| |
| GNU gdb 4.18 |
| Copyright 1998 Free Software Foundation, Inc. |
| GDB is free software, covered by the GNU General Public License, and you are |
| welcome to change it and/or distribute copies of it under certain conditions. |
| Type "show copying" to see the conditions. |
| There is absolutely no warranty for GDB. Type "show warranty" for details. |
| This GDB was configured as "s390-ibm-linux"... |
| Core was generated by `./gdb'. |
| Program terminated with signal 11, Segmentation fault. |
| Reading symbols from /usr/lib/libncurses.so.4...done. |
| Reading symbols from /lib/libm.so.6...done. |
| Reading symbols from /lib/libc.so.6...done. |
| Reading symbols from /lib/ld-linux.so.2...done. |
| #0 0x40126d1a in read () from /lib/libc.so.6 |
| Setting up the environment for debugging gdb. |
| Breakpoint 1 at 0x4dc6f8: file utils.c, line 471. |
| Breakpoint 2 at 0x4d87a4: file top.c, line 2609. |
| (top-gdb) info stack |
| #0 0x40126d1a in read () from /lib/libc.so.6 |
| #1 0x528f26 in rl_getc (stream=0x7ffffde8) at input.c:402 |
| #2 0x528ed0 in rl_read_key () at input.c:381 |
| #3 0x5167e6 in readline_internal_char () at readline.c:454 |
| #4 0x5168ee in readline_internal_charloop () at readline.c:507 |
| #5 0x51692c in readline_internal () at readline.c:521 |
| #6 0x5164fe in readline (prompt=0x7ffff810) |
| at readline.c:349 |
| #7 0x4d7a8a in command_line_input (prompt=0x564420 "(gdb) ", repeat=1, |
| annotation_suffix=0x4d6b44 "prompt") at top.c:2091 |
| #8 0x4d6cf0 in command_loop () at top.c:1345 |
| #9 0x4e25bc in main (argc=1, argv=0x7ffffdf4) at main.c:635 |
| |
| |
| LDD |
| === |
| This is a program which lists the shared libraries which a library needs, |
| Note you also get the relocations of the shared library text segments which |
| help when using objdump --source. |
| |
| e.g.:: |
| |
| ldd ./gdb |
| |
| outputs:: |
| |
| libncurses.so.4 => /usr/lib/libncurses.so.4 (0x40018000) |
| libm.so.6 => /lib/libm.so.6 (0x4005e000) |
| libc.so.6 => /lib/libc.so.6 (0x40084000) |
| /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) |
| |
| |
| Debugging shared libraries |
| ========================== |
| Most programs use shared libraries, however it can be very painful |
| when you single step instruction into a function like printf for the |
| first time & you end up in functions like _dl_runtime_resolve this is |
| the ld.so doing lazy binding, lazy binding is a concept in ELF where |
| shared library functions are not loaded into memory unless they are |
| actually used, great for saving memory but a pain to debug. |
| |
| To get around this either relink the program -static or exit gdb type |
| export LD_BIND_NOW=true this will stop lazy binding & restart the gdb'ing |
| the program in question. |
| |
| |
| |
| Debugging modules |
| ================= |
| As modules are dynamically loaded into the kernel their address can be |
| anywhere to get around this use the -m option with insmod to emit a load |
| map which can be piped into a file if required. |
| |
| The proc file system |
| ==================== |
| What is it ?. |
| It is a filesystem created by the kernel with files which are created on demand |
| by the kernel if read, or can be used to modify kernel parameters, |
| it is a powerful concept. |
| |
| e.g.:: |
| |
| cat /proc/sys/net/ipv4/ip_forward |
| |
| On my machine outputs:: |
| |
| 0 |
| |
| telling me ip_forwarding is not on to switch it on I can do:: |
| |
| echo 1 > /proc/sys/net/ipv4/ip_forward |
| |
| cat it again:: |
| |
| cat /proc/sys/net/ipv4/ip_forward |
| |
| On my machine now outputs:: |
| |
| 1 |
| |
| IP forwarding is on. |
| |
| There is a lot of useful info in here best found by going in and having a look |
| around, so I'll take you through some entries I consider important. |
| |
| All the processes running on the machine have their own entry defined by |
| /proc/<pid> |
| |
| So lets have a look at the init process:: |
| |
| cd /proc/1 |
| cat cmdline |
| |
| emits:: |
| |
| init [2] |
| |
| :: |
| |
| cd /proc/1/fd |
| |
| This contains numerical entries of all the open files, |
| some of these you can cat e.g. stdout (2):: |
| |
| cat /proc/29/maps |
| |
| on my machine emits:: |
| |
| 00400000-00478000 r-xp 00000000 5f:00 4103 /bin/bash |
| 00478000-0047e000 rw-p 00077000 5f:00 4103 /bin/bash |
| 0047e000-00492000 rwxp 00000000 00:00 0 |
| 40000000-40015000 r-xp 00000000 5f:00 14382 /lib/ld-2.1.2.so |
| 40015000-40016000 rw-p 00014000 5f:00 14382 /lib/ld-2.1.2.so |
| 40016000-40017000 rwxp 00000000 00:00 0 |
| 40017000-40018000 rw-p 00000000 00:00 0 |
| 40018000-4001b000 r-xp 00000000 5f:00 14435 /lib/libtermcap.so.2.0.8 |
| 4001b000-4001c000 rw-p 00002000 5f:00 14435 /lib/libtermcap.so.2.0.8 |
| 4001c000-4010d000 r-xp 00000000 5f:00 14387 /lib/libc-2.1.2.so |
| 4010d000-40111000 rw-p 000f0000 5f:00 14387 /lib/libc-2.1.2.so |
| 40111000-40114000 rw-p 00000000 00:00 0 |
| 40114000-4011e000 r-xp 00000000 5f:00 14408 /lib/libnss_files-2.1.2.so |
| 4011e000-4011f000 rw-p 00009000 5f:00 14408 /lib/libnss_files-2.1.2.so |
| 7fffd000-80000000 rwxp ffffe000 00:00 0 |
| |
| |
| Showing us the shared libraries init uses where they are in memory |
| & memory access permissions for each virtual memory area. |
| |
| /proc/1/cwd is a softlink to the current working directory. |
| |
| /proc/1/root is the root of the filesystem for this process. |
| |
| /proc/1/mem is the current running processes memory which you |
| can read & write to like a file. |
| |
| strace uses this sometimes as it is a bit faster than the |
| rather inefficient ptrace interface for peeking at DATA. |
| |
| :: |
| |
| cat status |
| |
| Name: init |
| State: S (sleeping) |
| Pid: 1 |
| PPid: 0 |
| Uid: 0 0 0 0 |
| Gid: 0 0 0 0 |
| Groups: |
| VmSize: 408 kB |
| VmLck: 0 kB |
| VmRSS: 208 kB |
| VmData: 24 kB |
| VmStk: 8 kB |
| VmExe: 368 kB |
| VmLib: 0 kB |
| SigPnd: 0000000000000000 |
| SigBlk: 0000000000000000 |
| SigIgn: 7fffffffd7f0d8fc |
| SigCgt: 00000000280b2603 |
| CapInh: 00000000fffffeff |
| CapPrm: 00000000ffffffff |
| CapEff: 00000000fffffeff |
| |
| User PSW: 070de000 80414146 |
| task: 004b6000 tss: 004b62d8 ksp: 004b7ca8 pt_regs: 004b7f68 |
| User GPRS: |
| 00000400 00000000 0000000b 7ffffa90 |
| 00000000 00000000 00000000 0045d9f4 |
| 0045cafc 7ffffa90 7fffff18 0045cb08 |
| 00010400 804039e8 80403af8 7ffff8b0 |
| User ACRS: |
| 00000000 00000000 00000000 00000000 |
| 00000001 00000000 00000000 00000000 |
| 00000000 00000000 00000000 00000000 |
| 00000000 00000000 00000000 00000000 |
| Kernel BackChain CallChain BackChain CallChain |
| 004b7ca8 8002bd0c 004b7d18 8002b92c |
| 004b7db8 8005cd50 004b7e38 8005d12a |
| 004b7f08 80019114 |
| |
| Showing among other things memory usage & status of some signals & |
| the processes'es registers from the kernel task_structure |
| as well as a backchain which may be useful if a process crashes |
| in the kernel for some unknown reason. |
| |
| Some driver debugging techniques |
| ================================ |
| debug feature |
| ------------- |
| Some of our drivers now support a "debug feature" in |
| /proc/s390dbf see s390dbf.txt in the linux/Documentation directory |
| for more info. |
| |
| e.g. |
| to switch on the lcs "debug feature":: |
| |
| echo 5 > /proc/s390dbf/lcs/level |
| |
| & then after the error occurred:: |
| |
| cat /proc/s390dbf/lcs/sprintf >/logfile |
| |
| the logfile now contains some information which may help |
| tech support resolve a problem in the field. |
| |
| |
| |
| high level debugging network drivers |
| ------------------------------------ |
| ifconfig is a quite useful command |
| it gives the current state of network drivers. |
| |
| If you suspect your network device driver is dead |
| one way to check is type:: |
| |
| ifconfig <network device> |
| |
| e.g. tr0 |
| |
| You should see something like:: |
| |
| ifconfig tr0 |
| tr0 Link encap:16/4 Mbps Token Ring (New) HWaddr 00:04:AC:20:8E:48 |
| inet addr:9.164.185.132 Bcast:9.164.191.255 Mask:255.255.224.0 |
| UP BROADCAST RUNNING MULTICAST MTU:2000 Metric:1 |
| RX packets:246134 errors:0 dropped:0 overruns:0 frame:0 |
| TX packets:5 errors:0 dropped:0 overruns:0 carrier:0 |
| collisions:0 txqueuelen:100 |
| |
| if the device doesn't say up |
| try:: |
| |
| /etc/rc.d/init.d/network start |
| |
| ( this starts the network stack & hopefully calls ifconfig tr0 up ). |
| ifconfig looks at the output of /proc/net/dev and presents it in a more |
| presentable form. |
| |
| Now ping the device from a machine in the same subnet. |
| |
| if the RX packets count & TX packets counts don't increment you probably |
| have problems. |
| |
| next:: |
| |
| cat /proc/net/arp |
| |
| Do you see any hardware addresses in the cache if not you may have problems. |
| Next try:: |
| |
| ping -c 5 <broadcast_addr> |
| |
| i.e. the Bcast field above in the output of |
| ifconfig. Do you see any replies from machines other than the local machine |
| if not you may have problems. also if the TX packets count in ifconfig |
| hasn't incremented either you have serious problems in your driver |
| (e.g. the txbusy field of the network device being stuck on ) |
| or you may have multiple network devices connected. |
| |
| |
| chandev |
| ------- |
| There is a new device layer for channel devices, some |
| drivers e.g. lcs are registered with this layer. |
| |
| If the device uses the channel device layer you'll be |
| able to find what interrupts it uses & the current state |
| of the device. |
| |
| See the manpage chandev.8 &type cat /proc/chandev for more info. |
| |
| |
| SysRq |
| ===== |
| This is now supported by linux for s/390 & z/Architecture. |
| |
| To enable it do compile the kernel with:: |
| |
| Kernel Hacking -> Magic SysRq Key Enabled |
| |
| Then:: |
| |
| echo "1" > /proc/sys/kernel/sysrq |
| |
| also type:: |
| |
| echo "8" >/proc/sys/kernel/printk |
| |
| To make printk output go to console. |
| |
| On 390 all commands are prefixed with:: |
| |
| ^- |
| |
| e.g.:: |
| |
| ^-t will show tasks. |
| ^-? or some unknown command will display help. |
| |
| The sysrq key reading is very picky ( I have to type the keys in an |
| xterm session & paste them into the x3270 console ) |
| & it may be wise to predefine the keys as described in the VM hints above |
| |
| This is particularly useful for syncing disks unmounting & rebooting |
| if the machine gets partially hung. |
| |
| Read Documentation/admin-guide/sysrq.rst for more info |
| |
| References: |
| =========== |
| - Enterprise Systems Architecture Reference Summary |
| - Enterprise Systems Architecture Principles of Operation |
| - Hartmut Penners s390 stack frame sheet. |
| - IBM Mainframe Channel Attachment a technology brief from a CISCO webpage |
| - Various bits of man & info pages of Linux. |
| - Linux & GDB source. |
| - Various info & man pages. |
| - CMS Help on tracing commands. |
| - Linux for s/390 Elf Application Binary Interface |
| - Linux for z/Series Elf Application Binary Interface ( Both Highly Recommended ) |
| - z/Architecture Principles of Operation SA22-7832-00 |
| - Enterprise Systems Architecture/390 Reference Summary SA22-7209-01 & the |
| - Enterprise Systems Architecture/390 Principles of Operation SA22-7201-05 |
| |
| Special Thanks |
| ============== |
| Special thanks to Neale Ferguson who maintains a much |
| prettier HTML version of this page at |
| http://linuxvm.org/penguinvm/ |
| Bob Grainger Stefan Bader & others for reporting bugs |