| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196 |
- #
- # GDB debugging support
- #
- # Copyright 2012 Red Hat, Inc. and/or its affiliates
- #
- # Authors:
- # Avi Kivity <avi@redhat.com>
- #
- # This work is licensed under the terms of the GNU GPL, version 2
- # or later. See the COPYING file in the top-level directory.
- import gdb
- VOID_PTR = gdb.lookup_type('void').pointer()
- def pthread_self():
- '''Fetch the base address of TLS.'''
- return gdb.parse_and_eval("$fs_base")
- def get_glibc_pointer_guard():
- '''Fetch glibc pointer guard value'''
- fs_base = pthread_self()
- return gdb.parse_and_eval('*(uint64_t*)((uint64_t)%s + 0x30)' % fs_base)
- def glibc_ptr_demangle(val, pointer_guard):
- '''Undo effect of glibc's PTR_MANGLE()'''
- return gdb.parse_and_eval('(((uint64_t)%s >> 0x11) | ((uint64_t)%s << (64 - 0x11))) ^ (uint64_t)%s' % (val, val, pointer_guard))
- def get_jmpbuf_regs(jmpbuf):
- JB_RBX = 0
- JB_RBP = 1
- JB_R12 = 2
- JB_R13 = 3
- JB_R14 = 4
- JB_R15 = 5
- JB_RSP = 6
- JB_PC = 7
- pointer_guard = get_glibc_pointer_guard()
- return {'rbx': jmpbuf[JB_RBX],
- 'rbp': glibc_ptr_demangle(jmpbuf[JB_RBP], pointer_guard),
- 'rsp': glibc_ptr_demangle(jmpbuf[JB_RSP], pointer_guard),
- 'r12': jmpbuf[JB_R12],
- 'r13': jmpbuf[JB_R13],
- 'r14': jmpbuf[JB_R14],
- 'r15': jmpbuf[JB_R15],
- 'rip': glibc_ptr_demangle(jmpbuf[JB_PC], pointer_guard) }
- def symbol_lookup(addr):
- # Example: "__clone3 + 44 in section .text of /lib64/libc.so.6"
- result = gdb.execute(f"info symbol {hex(addr)}", to_string=True).strip()
- try:
- if "+" in result:
- (func, result) = result.split(" + ")
- (offset, result) = result.split(" in ")
- else:
- offset = "0"
- (func, result) = result.split(" in ")
- func_str = f"{func}<+{offset}> ()"
- except:
- return f"??? ({result})"
- # Example: Line 321 of "../util/coroutine-ucontext.c" starts at address
- # 0x55cf3894d993 <qemu_coroutine_switch+99> and ends at 0x55cf3894d9ab
- # <qemu_coroutine_switch+123>.
- result = gdb.execute(f"info line *{hex(addr)}", to_string=True).strip()
- if not result.startswith("Line "):
- return func_str
- result = result[5:]
- try:
- result = result.split(" starts ")[0]
- (line, path) = result.split(" of ")
- path = path.replace("\"", "")
- except:
- return func_str
- return f"{func_str} at {path}:{line}"
- def dump_backtrace(regs):
- '''
- Backtrace dump with raw registers, mimic GDB command 'bt'.
- '''
- # Here only rbp and rip that matter..
- rbp = regs['rbp']
- rip = regs['rip']
- i = 0
- while rbp:
- # For all return addresses on stack, we want to look up symbol/line
- # on the CALL command, because the return address is the next
- # instruction instead of the CALL. Here -1 would work for any
- # sized CALL instruction.
- print(f"#{i} {hex(rip)} in {symbol_lookup(rip if i == 0 else rip-1)}")
- rip = gdb.parse_and_eval(f"*(uint64_t *)(uint64_t)({hex(rbp)} + 8)")
- rbp = gdb.parse_and_eval(f"*(uint64_t *)(uint64_t)({hex(rbp)})")
- i += 1
- def dump_backtrace_live(regs):
- '''
- Backtrace dump with gdb's 'bt' command, only usable in a live session.
- '''
- old = dict()
- # remember current stack frame and select the topmost
- # so that register modifications don't wreck it
- selected_frame = gdb.selected_frame()
- gdb.newest_frame().select()
- for i in regs:
- old[i] = gdb.parse_and_eval('(uint64_t)$%s' % i)
- for i in regs:
- gdb.execute('set $%s = %s' % (i, regs[i]))
- gdb.execute('bt')
- for i in regs:
- gdb.execute('set $%s = %s' % (i, old[i]))
- selected_frame.select()
- def bt_jmpbuf(jmpbuf):
- '''Backtrace a jmpbuf'''
- regs = get_jmpbuf_regs(jmpbuf)
- try:
- # This reuses gdb's "bt" command, which can be slightly prettier
- # but only works with live sessions.
- dump_backtrace_live(regs)
- except:
- # If above doesn't work, fallback to poor man's unwind
- dump_backtrace(regs)
- def co_cast(co):
- return co.cast(gdb.lookup_type('CoroutineUContext').pointer())
- def coroutine_to_jmpbuf(co):
- coroutine_pointer = co_cast(co)
- return coroutine_pointer['env']['__jmpbuf']
- class CoroutineCommand(gdb.Command):
- '''Display coroutine backtrace'''
- def __init__(self):
- gdb.Command.__init__(self, 'qemu coroutine', gdb.COMMAND_DATA,
- gdb.COMPLETE_NONE)
- def invoke(self, arg, from_tty):
- argv = gdb.string_to_argv(arg)
- if len(argv) != 1:
- gdb.write('usage: qemu coroutine <coroutine-pointer>\n')
- return
- bt_jmpbuf(coroutine_to_jmpbuf(gdb.parse_and_eval(argv[0])))
- class CoroutineBt(gdb.Command):
- '''Display backtrace including coroutine switches'''
- def __init__(self):
- gdb.Command.__init__(self, 'qemu bt', gdb.COMMAND_STACK,
- gdb.COMPLETE_NONE)
- def invoke(self, arg, from_tty):
- gdb.execute("bt")
- try:
- # This only works with a live session
- co_ptr = gdb.parse_and_eval("qemu_coroutine_self()")
- except:
- # Fallback to use hard-coded ucontext vars if it's coredump
- co_ptr = gdb.parse_and_eval("co_tls_current")
- if co_ptr == False:
- return
- while True:
- co = co_cast(co_ptr)
- co_ptr = co["base"]["caller"]
- if co_ptr == 0:
- break
- gdb.write("Coroutine at " + str(co_ptr) + ":\n")
- bt_jmpbuf(coroutine_to_jmpbuf(co_ptr))
- class CoroutineSPFunction(gdb.Function):
- def __init__(self):
- gdb.Function.__init__(self, 'qemu_coroutine_sp')
- def invoke(self, addr):
- return get_jmpbuf_regs(coroutine_to_jmpbuf(addr))['rsp'].cast(VOID_PTR)
- class CoroutinePCFunction(gdb.Function):
- def __init__(self):
- gdb.Function.__init__(self, 'qemu_coroutine_pc')
- def invoke(self, addr):
- return get_jmpbuf_regs(coroutine_to_jmpbuf(addr))['rip'].cast(VOID_PTR)
|
