Solved

query on ldd in Linux

Posted on 2012-04-04
567 Views
Last Modified: 2012-04-10
Hello
From a C application, we are getting the following error in sys msgs:
app[5678]: segfault at 0000000 rip 00003f32a823 rsp 000123ade323 error 4

My query is, can I map the RIP address (00003f32a823) to a function name by running the commands below?
======
ldd /a/b/app | less
nm -a /a/b/app | less
nm -D <library which has closest load address> | less
=========

If yes, please confirm.

Sham
Question by: mohet01
16 Comments
 

Author Comment

by:mohet01
ID: 37809115
The reason I am asking this query is, I would like to understand:
1) Is the RIP pointer address the load address of an instruction?
2) Who assigns the load address to the application app? The linker?
3) Is the load address of an instruction in app the same as the virtual address of that same instruction in app?
4) If the answer to points 2) and 3) is yes, how does the linker decide the virtual address space of an app?



Sham
 

Author Comment

by:mohet01
ID: 37809971
[root@ukirp198 bin]# ldd app
libc.so.6 => /a/b/libc.so.6 (0x00ad3000)
/lib/ld-linux.so.2 (0x00ab5000)

1) Does "nm -a /a/b/app" provide absolute/offset load address for each dynamic symbol?
2) Does "nm -D /lib/lic.so.6" provide the absolute/offset load address for each symbol in this library?

Can somebody answer the above 2 questions?
Sham
 

Accepted Solution

by: Infinity08 (earned 500 total points)
ID: 37810183
The RIP (instruction pointer) listed in the segfault entry in syslog is the virtual address where the segmentation fault occurred.
For executables, the symbol value (the hex value at the start of each line) listed by nm is the virtual address at which that symbol can be found.
For shared libraries, the symbol value listed by nm is the offset (to the virtual address where the shared library was loaded) at which the symbol can be found.


So if the segfault occurred in the executable:

        nm /a/b/app | sort

should help you find the function where the segfault occurred (by looking for the symbol with the highest symbol value that is lower than the instruction pointer).


If the segfault occurred in a shared library, then first you need to figure out which library, and at what virtual address it was loaded.

On my system, this is quite easy, as I get an entry in syslog like this:

        app[5678]: segfault at 0000000 rip 00003f32a823 rsp 000123ade323 error 4 in library.so[3f300000+290000]

where the exact shared library where the segfault occurred is listed (library.so), as well as the virtual address where the shared library was loaded (0x3f300000).

Another way to get this information is from a core dump.

I'll assume you don't have either of those as an option though (but double-check it to be sure), so this becomes quite a bit harder. On recent Linux systems, the virtual address at which a shared library is loaded is "randomized", so it's different for every run. This also means ldd won't help you find the information, since the crash already happened, and the process is no longer there.

Of course, if you can reproduce the segfault, none of the above really matters, since you can make it generate a core dump, attach a debugger to it, or take note of the virtual addresses where the shared libraries are loaded.



And finally, once you have found in which binary the segfault occurred, and the address where it occurred, to track down the exact instruction that caused the segfault, you can do:

        objdump -d <binary_where_segfault_occurred>

and look for the instruction at the obtained address.
 

Author Comment

by:mohet01
ID: 37810481
1) Can we do "objdump -d" on a .so file also?
2) We are getting the RIP error like this: "app[3282]: segfault at 0000000000000046 rip 0000000000b2ab7d rsp 00000000f4880170 error 4"

The process is going to crash again after 2 days on 3 Red Hat 5.4 machines with the same RIP error.

So, can you please let me know the steps that I can run today, before the crash of app? We are also suspecting that the RIP error is coming from somewhere in fclose().

Sham
 

Expert Comment

by:Infinity08
ID: 37810777
>> 1) can we do " objdump -d " work on .so file also?

yes

>> So, Can you please let me know the steps that i can run today before hand of crash of app?

If you know when it will crash, you can attach a debugger to it, and observe the crash.

If you don't know exactly, you can take note of the shared libraries and their virtual addresses by checking :

        cat /proc/<pid>/maps

where <pid> is the process id of your process.
 

Author Comment

by:mohet01
ID: 37811573
After taking
cat /proc/<pid>/maps

What should I do? I know this file has the range of virtual addresses for caiuxsA2 and its dependent .so files.

But which instruction in that suspect library/app? How do I know?
 

Expert Comment

by:Infinity08
ID: 37811600
It shows you the mappings of all shared libraries. Keep this information in some text file.

When the crash occurs, you can use the information in that text file to figure out in which shared library the crash occurred, and what the virtual address was.
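Putting the two halves of the advice above together: the accepted solution gives the lookup rule (the nm symbol with the highest value not above the RIP, absolute values for the executable, offsets from the load address for a shared library), and this comment says to keep a copy of /proc/<pid>/maps so the load address is still known after the process is gone. The script below is an added example, not code from the thread or from either participant. The maps snapshot and nm listings are constructed samples; only the RIP 0x3f32a823 and the load address 0x3f300000 reuse values quoted in the thread. Names such as `resolve`, `nearest_symbol` and the image paths are mine.

```python
"""Resolve a segfault RIP to the mapped image and the nearest code symbol.

Added example (not from the original thread).  Inputs are a saved copy of
``cat /proc/<pid>/maps`` and ``nm`` output; the sample lines below are
constructed, except the RIP / load address 0x3f32a823 / 0x3f300000.
"""
import bisect
import re

# Constructed /proc/<pid>/maps snapshot, saved while the process was alive.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234    /a/b/app
00651000-00652000 rw-p 00051000 08:01 1234    /a/b/app
3f300000-3f590000 r-xp 00000000 08:01 5678    /a/b/library.so
3f78f000-3f793000 rw-p 0028f000 08:01 5678    /a/b/library.so
7fff12340000-7fff12361000 rw-p 00000000 00:00 0    [stack]
"""

# Constructed `nm /a/b/app`: a non-PIE executable, so values are absolute.
SAMPLE_NM_APP = """\
0000000000401200 T main
0000000000401300 T parse_args
                 U fclose@@GLIBC_2.2.5
"""

# Constructed `nm -D /a/b/library.so`: values are offsets from the load base.
SAMPLE_NM_LIB = """\
000000000002a7f0 T flush_buffer
000000000002a900 T read_record
000000000002ab60 T _IO_fclose
0000000000290000 D __data_start
"""

MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")
NM_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)")


def parse_maps(text):
    """Return [(start, end, perms, file_offset, path)] per mapping line."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            start, end, perms, off, path = m.groups()
            maps.append((int(start, 16), int(end, 16), perms, int(off, 16), path))
    return maps


def parse_nm(text, types="TtWw"):
    """Code symbols as (value, name) pairs sorted by value.
    Undefined symbols ('U') have no value column and are skipped."""
    syms = []
    for line in text.splitlines():
        m = NM_RE.match(line)
        if m and m.group(2) in types:
            syms.append((int(m.group(1), 16), m.group(3)))
    return sorted(syms)


def find_mapping(maps, addr):
    """The mapping whose [start, end) range contains addr, or None."""
    for entry in maps:
        if entry[0] <= addr < entry[1]:
            return entry
    return None


def nearest_symbol(symbols, value):
    """The answer's rule: the symbol with the highest value not above
    `value`.  Returns (name, distance) or (None, None)."""
    keys = [v for v, _ in symbols]
    i = bisect.bisect_right(keys, value)
    if i == 0:
        return None, None
    sym_value, name = symbols[i - 1]
    return name, value - sym_value


def resolve(rip, maps_text, images):
    """images maps a path to (symbols, is_shared_object).
    Returns (path, lookup_address, symbol, distance), or None if unmapped."""
    mapping = find_mapping(parse_maps(maps_text), rip)
    if mapping is None:
        return None
    start, _end, _perms, file_off, path = mapping
    syms, shared = images.get(path, ([], True))
    # A non-PIE executable is linked at a fixed virtual address, so nm's
    # values compare directly with the RIP.  A shared object's nm values are
    # link-time offsets; assuming the text segment's p_vaddr equals its file
    # offset (the usual layout), rip - start + file_offset is that offset.
    lookup = rip if not shared else rip - start + file_off
    name, dist = nearest_symbol(syms, lookup) if syms else (None, None)
    return path, lookup, name, dist


IMAGES = {
    "/a/b/app": (parse_nm(SAMPLE_NM_APP), False),
    "/a/b/library.so": (parse_nm(SAMPLE_NM_LIB), True),
}

if __name__ == "__main__":
    for rip in (0x3f32a823, 0x401234, 0x10):
        hit = resolve(rip, SAMPLE_MAPS, IMAGES)
        if hit is None:
            print(f"rip {rip:#x}: not inside any mapping")
        else:
            path, off, name, dist = hit
            print(f"rip {rip:#x}: {path} offset {off:#x} -> {name}+{dist:#x}"
                  if name else f"rip {rip:#x}: {path} offset {off:#x}, no symbol")
```

Feed it the real maps snapshot and `nm` output instead of the samples and it prints the image, the offset to hand to `objdump -d`, and the containing function. A RIP that lands in no mapping at all (the third sample value) is reported as such rather than mis-attributed to the nearest library.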
 

Author Comment

by:mohet01
ID: 37811684
Problem is, core is not getting generated, despite setting "ulimit -c unlimited". Do I need to check cat /proc/pid/limits?

We have the application
app
and the dependent libraries
xyz.so, libc.so


Before the previous crash, we saw the problem in "nm -D libc.so":
:
0000000000b377f0 T _IO_doallocbuf
0000000000b2ab60 T _IO_fclose
0000000000bde680 T _IO_fclose
:

because the RIP error was:
app[3282]: segfault at 0000000000000046 rip 0000000000b2ab7d rsp 00000000f4880170 error 4

So, how do we proceed?

Sham
 

Author Comment

by:mohet01
ID: 37811693
I mean, how do I know from where fclose() is called, app or xyz.so?
 

Expert Comment

by:Infinity08
ID: 37811729
>> Problem is, core is not getting generated

I suspected that ;)

But with the mappings, and the RIP at the time of the crash, you can get the exact instruction that caused the crash.


>> I mean, how do I know from where fclose() is called, app or xyz.so?

Ah, but that's something else - that requires a stack dump to perform a stack trace. And that in turn requires a core file to be generated (or a debugger to be attached to the process at the time of the crash).

So, if you need that, you'll either have to make sure there's a debugger attached to the process during the crash (but keep in mind this adds overhead), or you'll have to restart the process with core dumps enabled.
 

Author Comment

by:mohet01
ID: 37811753
If this is the case, I will depend on core

What are the steps to verify/confirm that a process can generate core on SIGSEGV?
 

Expert Comment

by:Infinity08
ID: 37811881
>> What are the steps to verify/confirm that a process can generate core on SIGSEGV?

If core generation is enabled for the process (ulimit -c unlimited), it will. You can test it, e.g., by sending an ABRT signal to the process (but that will end the process).
 

Author Comment

by:mohet01
ID: 37812003
ulimit -c is 0.
But if I set it to unlimited, it becomes 0 after reboot.
 

Author Comment

by:mohet01
ID: 37812456
Hello,
if I modify ulimit -c to unlimited,
do I need to restart app for the change to take effect?
Sham
 

Author Closing Comment

by:mohet01
ID: 37816082
Thanks
 

Expert Comment

by:Infinity08
ID: 37828716
Sorry for the delay. But yes, that's correct.
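The last few comments ask how to confirm that a process can dump core and whether the app must be restarted after changing `ulimit -c`. Both can be checked from /proc/<pid>/limits: RLIMIT_CORE is a per-process limit inherited from the parent at start, so a later `ulimit -c unlimited` in an unrelated shell never reaches an already-running process, which is why the answer above is "yes, restart it". The script below is an added example, not code from the thread; the two limits texts are constructed samples in the /proc/<pid>/limits column layout, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): decide from /proc/<pid>/limits
# whether a running process will write a core file on SIGSEGV.
# The two texts below are constructed samples of that file's layout.

SAMPLE_LIMITS_OFF='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files'

SAMPLE_LIMITS_ON='Limit                     Soft Limit           Hard Limit           Units
Max core file size        unlimited            unlimited            bytes
Max open files            1024                 4096                 files'

# core_soft_limit TEXT: print the soft "Max core file size" value
# ("0", "unlimited", or a byte count).  The row label is four words,
# so the soft-limit column is $5.
core_soft_limit() {
    printf '%s\n' "$1" | awk '/^Max core file size/ { print $5 }'
}

# core_dumps_enabled TEXT: exit 0 (true) when the soft core limit is non-zero.
core_dumps_enabled() {
    lim=$(core_soft_limit "$1")
    [ -n "$lim" ] && [ "$lim" != "0" ]
}

# report_process PID: run the check against a live process and show where
# the kernel would write the core (core_pattern).
report_process() {
    pid=$1
    if [ ! -r "/proc/$pid/limits" ]; then
        echo "no readable /proc/$pid/limits" >&2
        return 2
    fi
    limits=$(cat "/proc/$pid/limits")
    if core_dumps_enabled "$limits"; then
        echo "pid $pid: core dumps enabled (soft limit $(core_soft_limit "$limits"))"
    else
        echo "pid $pid: core dumps DISABLED; the process inherited RLIMIT_CORE=0 at start," \
             "restart it from a shell (or init script) that runs 'ulimit -c unlimited' first"
    fi
    if [ -r /proc/sys/kernel/core_pattern ]; then
        echo "core_pattern: $(cat /proc/sys/kernel/core_pattern)"
    fi
}

# Demo on the constructed samples; pass a PID to check a real process.
echo "sample OFF: soft core limit = $(core_soft_limit "$SAMPLE_LIMITS_OFF")"
echo "sample ON:  soft core limit = $(core_soft_limit "$SAMPLE_LIMITS_ON")"
if [ -n "${1:-}" ]; then
    report_process "$1"
fi
```

Run it with the PID of the live app to see the limit it actually inherited, rather than the value `ulimit -c` prints for your own shell. Since the limit resets after a reboot, the `ulimit -c unlimited` has to live in whatever starts the app at boot so that every restart inherits it.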
