跳到主要內容

A Case Study of Debugging

In the previous post, I mentioned two great books about debugging. In this article, I want to share a real case which is solved by using some tricks. Last week, one of my colleague came to me and asked me a question: There is a Python script running. But can not use "kill process_pid" to kill it. Only "kill -9 process_id" works. Why?

My first guess is that the script installing a signal handler and not exit. My colleague promised it did exit. OK, let's check. First step, we observe the process's status by using ps:

shit 17392 99.7  0.2 244216 23300 ?        Rl   Aug10 9149:48 python /shit.py /shit.config
Hey, it is running and occupying almost CPU time. This means it may trap into some infinite loop. But there is no loop in the handler. Hmmm, some bug hidden in lower level? How to identify this?

 We use gdb to attach the process and see where it is:

 (gdb) attach 17392
(gdb) where
#0  adns_forallqueries_next (ads=0xb5d6500, context_r=0x7fff2ffe9b68) at ../src/setup.c:706
#1  0x00002ac062aa3d92 in PyDict_New () from /usr/lib64/python2.6/site-packages/adns.so
#2  0x0000003b5ead8e19 in PyEval_EvalFrameEx () from /usr/lib64/libpython2.6.so.1.0
...

And use "si" to step on assembly level since the adns.so compiled without any debug info. We make sure the value of IP is limited in adns_forallqueries_next()'s address range. We got the bug!! Check the source code of adns library(adns-1.2/src/setup.c):

  1. adns_query adns_forallqueries_next(adns_state ads, void **context_r) {
  2.   adns_query qu, nqu;
  4.   adns__consistency(ads,0,cc_entex);
  5.   nqu= ads->forallnext;
  6.   for (;;) {
  7.     qu= nqu;
  8.     if (!qu) return 0;
  9.     if (qu->next) {
  10.       nqu= qu->next;
  11.     } else if (qu == ads->udpw.tail) {
  12.       nqu=
  13.         ads->tcpw.head ? ads->tcpw.head :
  14.         ads->childw.head ? ads->childw.head :
  15.         ads->output.head;
  16.     } else if (qu == ads->tcpw.tail) {
  17.       nqu=
  18.         ads->childw.head ? ads->childw.head :
  19.         ads->output.head;
  20.     } else if (qu == ads->childw.tail) {
  21.       nqu= ads->output.head;
  22.     } else {
  23.       nqu= 0;
  24.     }
  25.     if (!qu->parent) break;
  26.   }
  27.   ads->forallnext= nqu;
  28.   if (context_r) *context_r= qu->ctx.ext;
  29.   return qu;
  30. }

 We know process is in this loop. But why? The reason is easy: in the signal handler, my colleague deletes an object which contains objects which invokes this C function when the object is destroyed. However, signal is sent to process at any possible time, if there is some object works on the list above and receives the signal, the list would not be complete...results in this strange behavior.

 So how to solve this? It is easy. Just do not delete the object explicitly and let OS recycle the resource is enough. And remind colleague make sure every function calls in the signal handlers, no matter explicitly or implicitly, should be async-signal-safe. :-)
標籤:

留言

張貼留言

這個網誌中的熱門文章

誰在呼叫我?不同的backtrace實作說明好文章

今天下班前一個同事問到:如何在Linux kernel的function中主動印出backtrace以方便除錯? 寫過kernel module的人都知道,基本上就是用dump_stack()之類的function就可以作到了。但是dump_stack()的功能是如何作到的呢?概念上其實並不難,慣用手法就是先觀察stack在function call時的變化(一般OS或計組教科書都有很好的說明,如果不想翻書,可以參考 這篇 ),然後將對應的return address一層一層找出來後,再將對應的function名稱印出即可(透過執行檔中的section去讀取函式名稱即可,所以要將KALLSYM選項打開)。在userspace的實作可參考Jserv介紹過的 whocallme 或對岸好手實作過的 backtrace() ,都是針對x86架構的很好說明文章。 不過從前面兩篇文章可以知道,只要知道編譯器的calling convention,就可以實作出backtrace,所以是否GCC有提供現成的機制呢?Yes, that is what __builtin_return_address() for!! 可以參考這篇 文章 。該篇文章還提到了其他可以拿來實作功能更齊全的backtrace的 程式庫 ,在了解了運作原理後,用那些東西還蠻方便的。 OK,那Linux kernel是怎麼做的呢?就是用頭兩篇文章的方式啦~ 每個不同的CPU架構各自手工實作一份dump_stack()。 為啥不用GCC的機制?畢竟...嗯,我猜想,除了backtrace以外,開發者還會想看其他register的值,還有一些有的沒的,所以光是GCC提供的介面是很難印出全部所要的資訊,與其用半套GCC的機制,不如全都自己來~ arm的實作 大致上長這樣,可以看到基本上就只是透過迭代fp, lr, pc來完成: 352 void unwind_backtrace (struct pt_regs * regs , struct task_struct *tsk) 353 { 354 struct stackframe frame ; 355 register unsigned long current_sp asm ( "
13 則留言
閱讀完整內容

淺讀Linux root file system初始化流程

在Unix的世界中,file system佔據一個極重要的抽象化地位。其中,/ 所代表的rootfs更是所有後續新增file system所必須依賴前提條件。以Linux為例,黑客 Jserv 就曾經詳細說明過 initramfs的背後設計考量 。本篇文章不再重複背景知識,主要將追蹤rootfs初始化的流程作點整理,免得自己日後忘記。 :-) file system與特定CPU架構無關,所以我觀察的起點從init/main.c的start_kernel()開始,這是Linux作完基本CPU初始化後首先跳進的C function(我閱讀的版本為 3.12 )。跟root file system有關的流程羅列如下: start_kernel()         -> vfs_caches_init_early()         -> vfs_caches_init()                 -> mnt_init()                         -> init_rootfs()                         -> init_mount_tree()         -> rest_init()                 -> kernel_thread(kernel_init,...) 其中比較重要的是mnt_int()中的init_rootfs()與init_mout_tree()。init_rootfs()實作如下: int __init init_rootfs(void) {         int err = register_filesystem(&rootfs_fs_type);         if (err)                 return err;         if (IS_ENABLED(CONFIG_TMPFS) && !saved_root_name[0] &&                 (!root_fs_names || strstr(root_fs_names, "tmpfs"))) {          
張貼留言
閱讀完整內容

kernel panic之後怎麼辦?

今天同事在處理一個陌生的模組時遇到kernel panic,Linux印出了backtrace,同事大致上可以知道是在哪個function中,但該function的長度頗長,短時間無法定位在哪個位置,在這種情況下,要如何收斂除錯範圍呢?更糟的是,由於加入printk會改變模組行為,所以printk基本上無法拿來檢查參數的值是否正常。 一般這樣的問題會backtrace的資訊來著手。從這個資訊我們可以知道在function中的多少offset發生錯誤,以x86為例(從 LDD3 借來的例子): Unable to handle kernel NULL pointer dereference at virtual address 00000000 printing eip: d083a064 Oops: 0002 [#1] SMP CPU:    0 EIP:    0060:[<d083a064>]    Not tainted EFLAGS: 00010246   (2.6.6) EIP is at faulty_write+0x4/0x10 [faulty] eax: 00000000   ebx: 00000000   ecx: 00000000   edx: 00000000 esi: cf8b2460   edi: cf8b2480   ebp: 00000005   esp: c31c5f74 ds: 007b   es: 007b   ss: 0068 Process bash (pid: 2086, threadinfo=c31c4000 task=cfa0a6c0) Stack: c0150558 cf8b2460 080e9408 00000005 cf8b2480 00000000 cf8b2460 cf8b2460        fffffff7 080e9408 c31c4000 c0150682 cf8b2460 080e9408 00000005 cf8b2480        00000000 00000001 00000005 c0103f8f 00000001 080e9408 00000005 00000005 Call Trace:  [<c0150558>] vfs
張貼留言
閱讀完整內容