Andy Bonventre | 0ff15b4 | 2015-09-22 17:29:52 -0400

# Introduction

Linux implements its userland-to-kernel transition using a special library
called linux-gate.so that is mapped by the kernel into every process. For more
information, see

http://www.trilithium.com/johan/2005/08/linux-gate/

In a nutshell, the problem is that the system call gate function,
`kernel_vsyscall`, does not use EBP as a frame pointer.

However, the Breakpad processor supports special frames like this via STACK
lines in the symbol file. If you look in src/client/linux/data you will see
symbol files for linux-gate.so for both Intel and AMD (the implementation of
`kernel_vsyscall` changes depending on the CPU manufacturer). When processing
minidumps from Linux 2.6, having these symbol files is necessary for walking the
stack for crashes that happen while a thread is in a system call.

If you're just interested in processing minidumps, those two symbol files should
be all you need!

# Details

The particular details of understanding the linux-gate.so symbol files can be
found by reading about STACK lines inside
src/common/windows/pdb_source_line_writer.cc, and the above link. To
summarize briefly, we just have to inform the processor how to get to the
previous frame when the EIP is inside `kernel_vsyscall`, and we do that by
telling the processor how many bytes `kernel_vsyscall` has pushed onto the stack
in its prologue. For example, one of the symbol files looks somewhat like the
following:

```
MODULE Linux x86 random_debug_id linux-gate.so
PUBLIC 400 0 kernel_vsyscall
STACK WIN 4 100 1 1 0 0 0 0 0 1
```

The PUBLIC line indicates that `kernel_vsyscall` is at offset 400 (in bytes) from
the beginning of linux-gate.so. The STACK line indicates the size of the
function (100), how many bytes it pushes (1), and how many bytes it pops (1). The
last 1 indicates that EBP is pushed onto the stack before being used by the
function.

# Warnings

These functions might change significantly depending on kernel version. In my
opinion, the actual function stack information is unlikely to change frequently,
but the Linux kernel might change the address of `kernel_vsyscall` with respect to
the beginning of linux-gate.so, which would cause these symbol files to be invalid.
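The following is an added example, not code from Breakpad itself. It parses the three record types shown above (MODULE, PUBLIC, STACK WIN), looks up which PUBLIC symbol covers a module-relative EIP, and performs the check the warning above calls for: comparing the file's `kernel_vsyscall` offset against one observed in the running kernel's linux-gate.so (supplied by the caller, for instance from `nm` on a dumped vdso). It assumes Breakpad's convention that addresses and sizes in PUBLIC and STACK lines are hexadecimal; the sample symbol text is constructed from the page's example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the page's example (not a real linux-gate.sym).
SAMPLE_SYM = """\
MODULE Linux x86 random_debug_id linux-gate.so
PUBLIC 400 0 kernel_vsyscall
STACK WIN 4 100 1 1 0 0 0 0 0 1
"""


@dataclass
class SymbolFile:
    os: str = ""
    cpu: str = ""
    debug_id: str = ""
    name: str = ""
    publics: list = field(default_factory=list)    # (offset, param_size, name)
    stack_win: list = field(default_factory=list)  # numeric fields after "STACK WIN"


def parse_symbol_file(text: str) -> SymbolFile:
    """Parse MODULE, PUBLIC and STACK WIN records; other record types are skipped."""
    sym = SymbolFile()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "MODULE" and len(parts) >= 5:
            sym.os, sym.cpu, sym.debug_id, sym.name = parts[1:5]
        elif parts[0] == "PUBLIC" and len(parts) >= 4:
            # Assumption: addresses and sizes are hexadecimal, as in Breakpad symbol files.
            sym.publics.append((int(parts[1], 16), int(parts[2], 16), " ".join(parts[3:])))
        elif parts[0] == "STACK" and len(parts) >= 3 and parts[1] == "WIN":
            sym.stack_win.append(tuple(int(p, 16) for p in parts[2:]))
    sym.publics.sort()
    return sym


def symbol_for_offset(sym: SymbolFile, offset: int) -> Optional[str]:
    """Name of the PUBLIC symbol with the highest start address <= offset, if any."""
    best = None
    for start, _size, name in sym.publics:
        if start <= offset:
            best = name
    return best


def vsyscall_offset_matches(sym: SymbolFile, observed_offset: int) -> bool:
    """True if the file's kernel_vsyscall offset equals the one observed in the live vdso."""
    return any(start == observed_offset
               for start, _size, name in sym.publics if name == "kernel_vsyscall")
```

If `vsyscall_offset_matches` returns False for the kernel you are processing dumps from, the shipped symbol file needs regenerating before the processor can walk frames that are inside the system call gate.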