| .. SPDX-License-Identifier: GPL-2.0+ |
| .. Copyright (c) 2020 Heinrich Schuchardt |
| |
| Analyzing crash dumps |
| ===================== |
| |
| When the CPU detects an instruction that it cannot execute it raises an |
| interrupt. U-Boot than writes a crash dump. This chapter describes how such |
| dump can be analyzed. |
| |
| Creating a crash dump voluntarily |
| --------------------------------- |
| |
| For describing the analysis of a crash dump we need an example. U-Boot comes |
| with a command 'exception' that comes in handy here. The command is enabled |
| by:: |
| |
| CONFIG_CMD_EXCEPTION=y |
| |
| The example output below was recorded when running qemu\_arm64\_defconfig on |
| QEMU:: |
| |
| => exception undefined |
| "Synchronous Abort" handler, esr 0x02000000 |
| elr: 00000000000101fc lr : 00000000000214ec (reloc) |
| elr: 000000007ff291fc lr : 000000007ff3a4ec |
| x0 : 000000007ffbd7f8 x1 : 0000000000000000 |
| x2 : 0000000000000001 x3 : 000000007eedce18 |
| x4 : 000000007ff291fc x5 : 000000007eedce50 |
| x6 : 0000000000000064 x7 : 000000007eedce10 |
| x8 : 0000000000000000 x9 : 0000000000000004 |
| x10: 6db6db6db6db6db7 x11: 000000000000000d |
| x12: 0000000000000006 x13: 000000000001869f |
| x14: 000000007edd7dc0 x15: 0000000000000002 |
| x16: 000000007ff291fc x17: 0000000000000000 |
| x18: 000000007eed8dc0 x19: 0000000000000000 |
| x20: 000000007ffbd7f8 x21: 0000000000000000 |
| x22: 000000007eedce10 x23: 0000000000000002 |
| x24: 000000007ffd4c80 x25: 0000000000000000 |
| x26: 0000000000000000 x27: 0000000000000000 |
| x28: 000000007eedce70 x29: 000000007edd7b40 |
| |
| Code: b00003c0 912ad000 940029d6 17ffff52 (e7f7defb) |
| Resetting CPU ... |
| |
| resetting ... |
| |
| The first line provides us with the type of interrupt that occurred. |
| (On ARMv8 a synchronous abort is an exception where the return address stored |
| in the ESR register indicates the instruction that caused the exception.) |
| |
| The second line provides the contents of the elr and the lr register after |
| subtracting the relocation offset. - U-Boot relocates itself after being |
| loaded. - The relocation offset can also be displayed using the bdinfo command. |
| |
| After the contents of the registers we get a line indicating the machine |
| code of the instructions preceding the crash and in parentheses the instruction |
| leading to the dump. |
| |
| Analyzing the code location |
| --------------------------- |
| |
| We can convert the instructions in the line starting with 'Code:' into mnemonics |
| using the objdump command. To make things easier scripts/decodecode is |
| supplied:: |
| |
| $echo 'Code: b00003c0 912ad000 940029d6 17ffff52 (e7f7defb)' | \ |
| CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 scripts/decodecode |
| Code: b00003c0 912ad000 940029d6 17ffff52 (e7f7defb) |
| All code |
| ======== |
| 0: b00003c0 adrp x0, 0x79000 |
| 4: 912ad000 add x0, x0, #0xab4 |
| 8: 940029d6 bl 0xa760 |
| c: 17ffff52 b 0xfffffffffffffd54 |
| 10:* e7f7defb .inst 0xe7f7defb ; undefined <-- trapping instruction |
| |
| Code starting with the faulting instruction |
| =========================================== |
| 0: e7f7defb .inst 0xe7f7defb ; undefined |
| |
| Now lets use the locations provided by the elr and lr registers after |
| subtracting the relocation offset to find out where in the code the crash |
| occurred and from where it was invoked. |
| |
| File u-boot.map contains the memory layout of the U-Boot binary. Here we find |
| these lines:: |
| |
| .text.do_undefined |
| 0x00000000000101fc 0xc cmd/built-in.o |
| .text.exception_complete |
| 0x0000000000010208 0x90 cmd/built-in.o |
| ... |
| .text.cmd_process |
| 0x00000000000213b8 0x164 common/built-in.o |
| 0x00000000000213b8 cmd_process |
| .text.cmd_process_error |
| 0x000000000002151c 0x40 common/built-in.o |
| 0x000000000002151c cmd_process_error |
| |
| So the error occurred at the start of function do\_undefined() and this |
| function was invoked from somewhere inside function cmd\_process(). |
| |
| If we want to dive deeper, we can disassemble the U-Boot binary:: |
| |
| $ aarch64-linux-gnu-objdump -S -D u-boot | less |
| |
| 00000000000101fc <do_undefined>: |
| { |
| /* |
| * 0xe7f...f. is undefined in ARM mode |
| * 0xde.. is undefined in Thumb mode |
| */ |
| asm volatile (".word 0xe7f7defb\n"); |
| 101fc: e7f7defb .inst 0xe7f7defb ; undefined |
| return CMD_RET_FAILURE; |
| } |
| 10200: 52800020 mov w0, #0x1 // #1 |
| 10204: d65f03c0 ret |
| |
| This example is based on the ARMv8 architecture but the same procedures can be |
| used on other architectures as well. |