Software Diagnostics Library

Archive for December 14th, 2015

Crash Dump Analysis Patterns (Part 187, Linux)

Monday, December 14th, 2015

Here we publish a Linux variant of Active Thread pattern that was previously introduced for Mac OS X and Windows. Basically it is a thread that is not waiting, sleeping, or suspended (most threads are). However, from a memory dump it is not possible to find out whether it was Spiking Thread at the dump generation time (unless we have a set of memory snapshots and in each one we have the same or similar back trace) and we don’t have any Paratext with CPU consumption stats for threads. For example, in one core dump we have this thread:

(gdb) info threads Id Target Id Frame 6 Thread 0×7f560d467700 (LWP 3483) 0×00000000004324a9 in clone () 5 Thread 0×7f560c465700 (LWP 3485) 0×000000000042fe31 in nanosleep () 4 Thread 0×7f560bc64700 (LWP 3486) 0×000000000042fe31 in nanosleep () 3 Thread 0×7f560b463700 (LWP 3487) 0×000000000042fe31 in nanosleep () 2 Thread 0×18b9860 (LWP 3482) 0×000000000042fe31 in nanosleep () 1 Thread 0×7f560cc66700 (LWP 3484) 0×000000000042fe31 in nanosleep ()

Thread #6 is not waiting so we inspect its back trace:

(gdb) thread 6 [Switching to thread 6 (Thread 0x7f560d467700 (LWP 3483))] #0 0x00000000004324a9 in clone ()

(gdb) bt #0 0×00000000004324a9 in clone () #1 0×0000000000401560 in ?? () at pthread_create.c:217 #2 0×00007f560d467700 in ?? () #3 0×0000000000000000 in ?? ()

(gdb) x/i 0x4324a9 => 0x4324a9 : test %rax,%rax

Perhaps the core dump was saved at the thread creation time.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Core Dump Analysis, Crash Dump Patterns, Linux Crash Corner, x64 Linux | No Comments »

Crash Dump Analysis Patterns (Part 14, Linux)

Monday, December 14th, 2015

This is a variant of Spiking Thread pattern previously described for Mac OS X and Windows platforms:

(gdb) info threads Id Target Id Frame 6 LWP 3712 0x00000000004329d1 in nanosleep () 5 LWP 3717 0×00000000004007a3 in isnan () 4 LWP 3716 0×00000000004329d1 in nanosleep () 3 LWP 3715 0×00000000004329d1 in nanosleep () 2 LWP 3714 0×00000000004329d1 in nanosleep () * 1 LWP 3713 0×00000000004329d1 in nanosleep ()

We notice a non-waiting thread and switch to it:

(gdb) thread 5 [Switching to thread 5 (LWP 3717)] #0 0x00000000004007a3 in isnan ()

(gdb) bt #0 0×00000000004007a3 in isnan () #1 0×0000000000400743 in sqrt () #2 0×0000000000400528 in procB () #3 0×0000000000400639 in bar_five () #4 0×0000000000400649 in foo_five () #5 0×0000000000400661 in thread_five () #6 0×0000000000403e30 in start_thread () #7 0×0000000000435089 in clone () #8 0×0000000000000000 in ?? ()

If we disassemble the return address for procB function to come back from sqrt call we see an infinite loop:

(gdb) disassemble 0x400528 Dump of assembler code for function procB: 0x0000000000400500 <+0>: push %rbp 0x0000000000400501 <+1>: mov %rsp,%rbp 0x0000000000400504 <+4>: sub $0x20,%rsp 0x0000000000400508 <+8>: movabs $0x3fd5555555555555,%rax 0x0000000000400512 <+18>: mov %rax,-0x8(%rbp) 0×0000000000400516 <+22>: mov -0×8(%rbp),%rax 0×000000000040051a <+26>: mov %rax,-0×18(%rbp) 0×000000000040051e <+30>: movsd -0×18(%rbp),%xmm0 0×0000000000400523 <+35>: callq 0×400710 <sqrt> 0×0000000000400528 <+40>: movsd %xmm0,-0×18(%rbp) 0×000000000040052d <+45>: mov -0×18(%rbp),%rax 0×0000000000400531 <+49>: mov %rax,-0×8(%rbp) 0×0000000000400535 <+53>: jmp 0×400516 <procB+22> End of assembler dump.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Assembly Language, Core Dump Analysis, Crash Dump Patterns, Linux Crash Corner, x64 Linux | No Comments »

Crash Dump Analysis Patterns (Part 77, Linux)

Monday, December 14th, 2015

This is a Linux variant of C++ Exception pattern previously described for Mac OS X and Windows platforms:

(gdb) bt #0 0x00007f0a1d0e5165 in *__GI_raise () at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007f0a1d0e83e0 in *__GI_abort () at abort.c:92 #2 0x00007f0a1db5789d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 #3 0x00007f0a1db55996 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 #4 0x00007f0a1db559c3 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 #5 0x00007f0a1db55bee in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6 #6 0x0000000000400dcf in procB() () #7 0x0000000000400e26 in procA() () #8 0x0000000000400e88 in procNH() () #9 0x0000000000400ea8 in bar_one() () #10 0x0000000000400eb3 in foo_one() () #11 0x0000000000400ec6 in thread_one(void*) () #12 0x00007f0a1d444b50 in start_thread () #13 0x00007f0a1d18e95d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112 #14 0x0000000000000000 in ?? ()

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Core Dump Analysis, Crash Dump Patterns, Linux Crash Corner, x64 Linux | No Comments »

Crash Dump Analysis Patterns (Part 180, Linux)

Monday, December 14th, 2015

This is Linux variant of Paratext pattern for Mac OS X. Because of debugger tool limitations additional software logs and the output of other tools may help in memory dump analysis. Typical examples of such pattern usage can be the list of modules with version and path info, application crash specific information from instrumentation tools such as valgrind, memory region names with attribution and boundaries, and CPU usage information. For example, top and pmap commands output:

14039: ./App1.shared 0000000000400000 4K r-x-- /home/training/ALCDA/App1/App1.shared 0000000000600000 4K rw--- /home/training/ALCDA/App1/App1.shared 0000000000611000 132K rw--- [ anon ] 00007fe8999a6000 4K ----- [ anon ] 00007fe8999a7000 8192K rw--- [ anon ] 00007fe89a1a7000 4K ----- [ anon ] 00007fe89a1a8000 8192K rw--- [ anon ] 00007fe89a9a8000 4K ----- [ anon ] 00007fe89a9a9000 8192K rw--- [ anon ] 00007fe89b1a9000 4K ----- [ anon ] 00007fe89b1aa000 8192K rw--- [ anon ] 00007fe89b9aa000 4K ----- [ anon ] 00007fe89b9ab000 8192K rw--- [ anon ] 00007fe89c1ab000 1540K r-x-- /lib/x86_64-linux-gnu/libc-2.13.so 00007fe89c32c000 2048K ----- /lib/x86_64-linux-gnu/libc-2.13.so 00007fe89c52c000 16K r---- /lib/x86_64-linux-gnu/libc-2.13.so 00007fe89c530000 4K rw--- /lib/x86_64-linux-gnu/libc-2.13.so 00007fe89c531000 20K rw--- [ anon ] 00007fe89c536000 92K r-x-- /lib/x86_64-linux-gnu/libpthread-2.13.so 00007fe89c54d000 2044K ----- /lib/x86_64-linux-gnu/libpthread-2.13.so 00007fe89c74c000 4K r---- /lib/x86_64-linux-gnu/libpthread-2.13.so 00007fe89c74d000 4K rw--- /lib/x86_64-linux-gnu/libpthread-2.13.so 00007fe89c74e000 16K rw--- [ anon ] 00007fe89c752000 128K r-x-- /lib/x86_64-linux-gnu/ld-2.13.so 00007fe89c966000 12K rw--- [ anon ] 00007fe89c96f000 8K rw--- [ anon ] 00007fe89c971000 4K r---- /lib/x86_64-linux-gnu/ld-2.13.so 00007fe89c972000 4K rw--- /lib/x86_64-linux-gnu/ld-2.13.so 00007fe89c973000 4K rw--- [ anon ] 00007ffd458c1000 132K rw--- [ stack ] 00007ffd459e9000 4K r-x-- [ anon ] ffffffffff600000 4K r-x-- [ anon ] total 47208K

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Core Dump Analysis, Crash Dump Patterns, Debugging, Debugging Methodology, GDB Annoyances, GDB for WinDbg Users, Linux Crash Corner, Software Diagnostics, Software Trace Analysis, x64 Linux | No Comments »

Archive for December 14th, 2015

Crash Dump Analysis Patterns (Part 187, Linux)

Crash Dump Analysis Patterns (Part 14, Linux)

Crash Dump Analysis Patterns (Part 77, Linux)

Crash Dump Analysis Patterns (Part 180, Linux)

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

December 2015
M	T	W	T	F	S	S
« Nov				Jan »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31