[Crash-utility] crash cannot read the symbols

Dave Anderson anderson at redhat.com
Wed Sep 21 12:59:52 UTC 2011 


----- Original Message -----
> Hmm, the /dev/mem does not reflect the kernel and symbols I am trying
> to read, because I do not have a core dump of the crash.
> I just tried to read the kernel and modules in crash to read it.

I think we have a basic misunderstanding -- although I'm not sure...

The crash utility requires two pieces:

 (1) a vmlinux file built with debuginfo data, and
 (2) a memory source -- which can be either:
     (a) a kernel core dump, or 
     (b) a device driver to access physical memory on a live system.

If analyzing a kernel core dump, the vmlinux must be the same kernel 
version that was running when the system crashed.

If analyzing a live system, the vmlinux must be the same kernel that
is running on the live system.

When running against a core dump, the crash utility needs at least
two arguments:

  $ crash vmlinux vmcore

When running against a live system, you can simply enter:

  $ crash vmlinux

because the crash utility will try to find the correct device driver,
which is typically /dev/mem.  If /dev/mem is restricted to its first 1MB
of physical memory, you can try to use /proc/kcore:

  $ crash vmlinux /proc/kcore

Or if that doesn't work, you can create your own /dev/crash kernel module
for physical memory access.  I don't know whether the sample /dev/crash 
memory driver supplied with the crash utility sources will compile cleanly
in a 2.4 kernel environment -- it may require some tweaking.  In the 
crash-5.1.8/memory_driver sub-directory, there is the memory driver's 
crash.c file, a Makefile, and this README file:

>  For live system analysis, the physical memory source must be one
>  of the following devices:
>
>    /dev/mem
>    /proc/kcore
>    /dev/crash
>
>  If the live system kernel was configured with CONFIG_STRICT_DEVMEM,
>  then /dev/mem cannot be used.
>
>  If the live system kernel was configured without CONFIG_PROC_KCORE,
>  or if /proc/kcore is non-functional, then /proc/kcore cannot be used.
>
>  The third alternative is this /dev/crash driver.  Presuming that
>  /lib/modules/`uname -r`/build points to a kernel build tree or
>  kernel "devel" package tree, the module can simply be built and
>  installed like so:
>
>    # make
>    ...
>    # insmod crash.ko
>
>  Once installed, the /dev/crash driver will be used by default for
>  live system crash sessions.

So when you say "the /dev/mem does not reflect the kernel and symbols
I am trying to read", by that I understand you to mean that the vmlinux
file that you built is not the same kernel version as is running on your
host machine.  If that is true, then the crash utility is not an
appropriate tool for looking at your new vmlinux -- again, the crash 
utility expects a memory source where the vmlinux is currently running,
or a core dump of the system that was running it when it crashed.

You could do this:

  $ gdb vmlinux

and then poke around the kernel's static text and data as they
are initially loaded into memory.  But the crash utility cannot
be used that way.

Dave

More information about the Crash-utility mailing list