Enodev.fr / Christophe's log (Posts about Debugging)https://www.enodev.fr/enSun, 10 Mar 2024 11:03:11 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssDecode segfault errors in dmesghttps://www.enodev.fr/posts/decode-segfault-errors-in-dmesg.htmlChristophe Vu-Brugier<p>You are writing a C program. You build it. You run it.</p> <div class="code"><pre class="code literal-block"><span class="gp">$ </span>./foo <span class="go">Segmentation fault</span> </pre></div> <p>The machine hardly reminds you that you are human. But before rushing to re-compile your program with debugging symbols or adding <code>printf()</code> calls here and there, have a look at the output of the Linux kernel:</p> <div class="code"><pre class="code literal-block"><span class="gp">$ </span>dmesg <span class="go">foo[1234]: segfault at 2a ip 0000000000400511 sp 00007fffe00a3260 error 4 in foo[400000+1000]</span> </pre></div> <p>There are some hints in the output of <code>dmesg</code>:</p> <ul> <li><code>foo</code> is the <em>executable name</em></li> <li><code>1234</code> is the <em>process ID</em></li> <li><code>2a</code> is the <em>faulty address</em> in hexadecimal</li> <li>the value after <code>ip</code> is the <em>instruction pointer</em></li> <li>the value after <code>sp</code> is the <em>stack pointer</em></li> <li><code>error 4</code> is an <em>error code</em></li> <li>the string at the end is the <em>name of the virtual memory area</em> (<abbr title="virtual memory area">VMA</abbr>)</li> </ul> <p>The error code is a combination of several error bits defined in <a href="https://elixir.bootlin.com/linux/v6.7/source/arch/x86/include/asm/trap_pf.h#L6">fault.c</a> in the Linux kernel:</p> <div class="code"><pre class="code literal-block"><span class="cm">/*</span> <span class="cm"> * Page fault error code bits:</span> <span class="cm"> *</span> <span class="cm"> * bit 0 == 0: no page found 1: protection fault</span> <span class="cm"> * bit 1 == 0: read access 1: write access</span> <span class="cm"> * bit 2 == 0: kernel-mode access 1: user-mode access</span> <span class="cm"> * bit 3 == 1: use of reserved bit detected</span> <span class="cm"> * bit 4 == 1: fault was an instruction fetch</span> <span class="cm"> * bit 5 == 1: protection keys block access</span> <span class="cm"> * bit 6 == 1: shadow stack access fault</span> <span class="cm"> * bit 15 = 1: SGX MMU page-fault</span> <span class="cm"> */</span> <span class="k">enum</span><span class="w"> </span><span class="n">x86_pf_error_code</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="n">X86_PF_PROT</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_WRITE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_USER</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_RSVD</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_INSTR</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_PK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_SHSTK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">6</span><span class="p">,</span> <span class="w"> </span><span class="n">X86_PF_SGX</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">&lt;&lt;</span><span class="w"> </span><span class="mi">15</span><span class="p">,</span> <span class="p">};</span> </pre></div> <p>Since you are executing a user-mode program, <code>X86_PF_USER</code> is set and the error code is at least 4. If the invalid memory access is a write, then <code>X86_PF_WRITE</code> is set instead. Thus:</p> <ul> <li>If the error code is 4, then the faulty memory access is a <em>read</em> from user space.</li> <li>If the error code is 6, then the faulty memory access is a <em>write</em> from user space.</li> </ul> <p>Moreover, the <em>faulty memory address</em> in <code>dmesg</code> can help you identify the bug. For instance, if the memory address is 0, the root cause is probably a <code>NULL</code> pointer dereference.</p> <p>The name of the VMA may indicate the location of the error:</p> <div class="code"><pre class="code literal-block"><span class="cp">#include</span><span class="w"> </span><span class="cpf">&lt;stdlib.h&gt;</span> <span class="kt">int</span><span class="w"> </span><span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span> <span class="w"> </span><span class="n">free</span><span class="p">((</span><span class="kt">void</span><span class="w"> </span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="mi">42</span><span class="p">);</span> <span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </pre></div> <p>When executed, the program above triggers a segfault and the VMA name is <code>libc</code>. Maybe a function from <code>libc</code> was called with a pointer no longer valid.</p> <div class="code"><pre class="code literal-block"><span class="go">progname[1234]: segfault at 22 ip 00007f6b2531473c sp 00007ffc7b2c5c30 error 4 in libc-2.31.so[7f6b252af000+14b000]</span> </pre></div> <p>The fault handler is architecture dependent, so you will not observe the same messages in <code>dmesg</code> with other architectures than x86. For instance, on ARM no message is displayed unless the Linux kernel has been built with <code>CONFIG_DEBUG_USER</code>.</p> <div class="caption"> <img src="https://www.enodev.fr/images/poutres-fondation-louis-vuitton.thumbnail.jpg" class="img-fluid rounded" alt="Fondation Louis Vuitton"> <p>A <s>64-bit</s> 64-beam architecture<br> <small>Fondation Louis Vuitton</small></p> </div>DebuggingLinuxProgrammingx86https://www.enodev.fr/posts/decode-segfault-errors-in-dmesg.htmlSat, 14 Jun 2014 18:00:00 GMT