Debugging Tools Intro

DWARF, ELF, GDB/binutils, build-id

Red Hat
Author Jan Kratochvl <jan.kratochvil@redhat.com>
February 12, 2011

Agenda

1 Memory debugging tools

2 DWARF debug info

3 Unwinding using .eh frame

4 Unique binaries identification by build-id

Section 1
Memory debugging tools

Memory debugging tools

Available memory debugging tools

valgrind [--db-attach=yes] executable params

gcc -fstack-protector -O
defaults: rpmbuild yes, gcc no
gcc -D_FORTIFY_SOURCE=2 -O
defaults: rpmbuild yes, gcc no
LD_PRELOAD=/usr/lib64/libefence.so ElectricFence
gcc -lmcheck or MALLOC_CHECK_=3 executable
gcc -fmudflap -lmudflap
gdb --args executable params

Memory debugging tools

valgrind db-attach=yes
--suppressions=/usr/share/doc/python-*/valgrind-python.supp
--num-callers=50

char *s = malloc (0x10);

s[0x10] = 0;
==1735== Invalid write of size 1
==1735==
at 0x400522: main (valgrindtest.c:4)
==1735== Address 0x4c31050 is 0 bytes after a block of size 16 al
==1735==
at 0x4A05E46: malloc (vg_replace_malloc.c:195)
==1735==
by 0x400515: main (valgrindtest.c:3)
==1735== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- y
==1735== starting debugger with cmd: /usr/bin/gdb -nw /proc/1954/f
[...]
0x0000000000400522 in main () at valgrindtest.c:4
4
s[0x10] = 0;
(gdb)

Memory debugging tools

gcc -fstack-protector -O
defaults: rpmbuild yes, gcc no
void f (int i) {
void *p = alloca (i);
memset (p, 0, 0x50); }
int main (void) { f (1); return 0; }

*** stack smashing detected ***: ./stackprotectortest termi

======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x32a1cfe1b7]
/lib64/libc.so.6(__fortify_fail+0x0)[0x32a1cfe180]
./stackprotectortest[0x400590]
======= Memory map: ========
[...]
Aborted

Memory debugging tools

gcc -D FORTIFY SOURCE=2 -O

defaults: rpmbuild yes, gcc no
void f (int x) {
char s[2];
memset (s, 0, x); }
int main (void) { f (3); return 0; }
*** buffer overflow detected ***: ./fortifytest terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x32a1cfe1b7]
/lib64/libc.so.6[0x32a1cfc0e0]
./fortifytest[0x4004ff]
[...]
Aborted

Memory debugging tools

LD PRELOAD=/usr/lib64/libefence.so
ElectricFence
int main (void) {
char *s = malloc (0x10);
s[0x10] = 0;

(gdb) set env LD_PRELOAD=/usr/lib64/libefence.so

(gdb) run
Starting program: efencetest
Electric Fence 2.2.2 Copyright (C) 1987-1999 Bruce Perens
Program received signal SIGSEGV, Segmentation fault.
0x00000000004004e2 in main () at efencetest.c:4
4
s[0x10] = 0;
(gdb) _

Memory debugging tools

gcc -lmcheck
enabled system-wide by Fedora debugmode.rpm
char *s = malloc (0x10);
s[0x10] = 0;
free (s);

MALLOC_CHECK_=3 MALLOC_PERTURB_=85 ./executable

*** glibc detected *** ./mchecktest: free(): invalid pointe
======= Backtrace: =========
/lib64/libc.so.6(+0x773ba)[0x7f4e92aa73ba]
./mchecktest[0x400531]
[...]
Aborted

Memory debugging tools

gcc -fmudflap -lmudflap

void f (int x) {
char *p = alloca (x);
p[2] = 0; }
int main (void) { f (2); return 0; }

*******
mudflap violation 1 (check/write): time=1297291147.545274 ptr=0x155bb11 s
pc=0x7ffd94c8ab21 location=`mudflaptest.c:4:8 (f)'
/usr/lib64/libmudflap.so.0(__mf_check+0x41) [0x7ffd94c8ab21]
./mudflaptest(f+0x8a) [0x40095e]
./mudflaptest(main+0xe) [0x40097e]
Nearby object 1: checked region begins 1B after and ends 1B after
mudflap object 0x155bb60: name=`alloca region'
bounds=[0x155bb10,0x155bb10] size=1 area=heap check=0r/0w liveness=0
alloc time=1297291147.545162 pc=0x7ffd94c89ef1
[...]

Memory debugging tools

gdb record testfile

void first (void (*secondptr) (void)) {
(*secondptr) ();
}
int main (void) {
first (NULL);
return 0;
}

Memory debugging tools

gdb record
.gdbinit: set record insn-number-max 200000
(gdb) record
(gdb) continue
Continuing.
0x0000000000000000 in ?? ()
(gdb) backtrace
#0 0x0000000000000000 in ?? ()
#1 0x000000000040049b in main () at jumpzero.c:6
(gdb) reverse-stepi
first (secondptr=0) at jumpzero.c:3
3
(*secondptr) ();
(gdb) backtrace
#0 first (secondptr=0) at jumpzero.c:3
#1 0x000000000040049b in main () at jumpzero.c:6
(gdb) _

Memory debugging tools

GDB CLI (command line interface)

$ info gdb
Sample Session

(gdb) start stop at main

(gdb) step step into
(gdb) next step over
(gdb) print expression
(gdb) continue continue execution
(gdb) break line number put breakpoint
(gdb) break function name put breakpoint
(gdb) watch variable name create watchpoint
(gdb) delete breakpoint number delete breakpoint
(gdb) quit

Memory debugging tools

GDB front ends

Eclipse CDT
KDevelop
Qt Creator
Nemiver
NetBeans
GNU Emacs
GDB TUI
DDD
Insight
see http://sourceware.org/gdb/wiki/GDB_Front_Ends

Section 2
DWARF debug info

DWARF debug info

ELF

described by /usr/include/elf.h
magic: 00000000
7F 45 4C 46 [...] .ELF[...]
overview: readelf -a binary, objdump -x binary
elfutils: eu-readelf -a binary

generic ELF is gELF

arch ABIs documents: i386, x86 64, ia64 etc.

one of its debug info formats: DWARF

DWARF debug info

ELF sample
readelf -a binary

ELF Header:
Class:
ELF64
Type:
EXEC (Executable file)
Machine:
Advanced Micro Devices X86-64
Entry point address: 0x41aef0
Section Headers:
[Nr] Name
Type
Address
Off
Size
ES Flg
[ 1] .interp
PROGBITS 0000000000400238 000238 00001c 00
A
[13] .plt
PROGBITS 000000000041a280 01a280 000c70 10 AX
[14] .text
PROGBITS 000000000041aef0 01aef0 086268 00 AX
[29] .debug_info PROGBITS 0000000000000000 00c63f 088c33 00
Dynamic section at offset 0xd46d8 contains 26 entries:
Tag
Type
Name/Value
0x0000000000000001 (NEEDED) Shared library: [libtinfo.so.5]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]

DWARF debug info

How the DWARF looks

subprogram
name
decl_file
decl_line
type
low_pc
high_pc
frame_base
sibling
variable
[...]

(strp) "have_minimal_symbols"
(data1) 1
(data2) 997
(ref4) [ 11917]
(addr) 0x486997 <have_minimal_symbols>
(addr) 0x4869da <qsort_cmp>
(block1) [
0] call_frame_cfa
(ref4) [ 1ada7]

DWARF debug info

DWARF

specification: http://dwarfstd.org
displayed by readelf -w binary
ELF sections .debug_* (like .debug_info)
DWARF versions in use are 2, 3 and 4
gcc debug info level 3 provides macro information
gcc -g2 or -g3 specify debug info level, not DWARF version
rpmbuild uses -g, that is like -g2 (level 2)

DWARF debug info

File formats in use

OS

file format

debug info format

GNU/Linux
GNU/Linux
Apple OSX
MS-Windows
MinGW32

ELF
ELF
Mach-O
PE32
PE32

DWARF
STABS
DWARF
PDB
DWARF

DWARF debug info

STABS

obsolete debug info format

ELF sections .stab, .stabstr
gcc -gstabs+

DWARF debug info

DWARF parsing

elfutils-libs
libdwarf
gdb dwarf2read.c
readelf -w / eu-readelf -w

DWARF debug info

gcc, gcc -s and gcc -g

.dynsym is always present for shared libraries
gcc -rdynamic forces .dynsym

.symtab is generated by default for linkage

.debug_* is generated by gcc -g
gcc -s is like gcc + strip (no .symtab, no .debug_*)
strip by default removes both .symtab and .debug_*

Both .symtab and .debug_* are in *-debuginfo-*.rpm

.symtab (ELF) is used during linking
Symbol table '.symtab' contains 8602 entries:
Num:
Value Size Type
Bind
Vis
Ndx Name
76: 00016c93
124 FUNC
LOCAL DEFAULT
12 init

DWARF debug info

no runtime overhead
(only .dynsym has runtime overhead)
neither separate (/usr/lib/debug/) nor in-file debug info
debug info is never mapped to memory
debug info sections are not covered by segments at all

ELF sections are for linking/debugging:

Section Headers:
[Nr] Name
Type
Addr
Off
Size
ES Flg
[13] .text
PROGBITS 0805e100 016100 0871dc 00 AX
[29] .debug_info PROGBITS 00000000 00c63f 088c33 00

ELF segments are mapped for runtime:

Program Headers:
Type Offset
VirtAddr
PhysAddr
FileSiz MemSiz Flg
LOAD 0x000000 0x08048000 0x08048000 0xcecc4 0xcecc4 R E

DWARF debug info

DWARF sections

.debug_info: readelf -wi: DIEs

.debug_loc: readelf -wo: associated gcc -O2 ranges
.debug_ranges: readelf -wR: discontiguous functions

.debug_line: readelf -wl: source lines PC addresses

.debug_frame: readelf -wf: unwinding
usually present as .eh_frame

Section 3
Unwinding using .eh frame

Unwinding using .eh frame

-fno-omit-frame-pointer stack layout

-fno-omit-frame easily unwinds but it steals %rbp (%ebp):
400474: 55
400475: 48 89 e5
[function body]
4004c3: c9
4004c4: c3

push
mov

%rbp
%rsp,%rbp

leaveq
retq

stack (hightolow addresses, callersto-callees, outerto-inner):

0x7fffffffdc38 . . .
0x7fffffffdc30 frame #1 return address
0x7fffffffdc28 frame #1 saved %rbp
0x7fffffffdb50 frame #1 local variables. . .
0x7fffffffdb48 frame #0 return address
0x7fffffffdb40 frame #0 saved %rbp %rbp points here
0x7fffffffdb28 frame #0 local variables. . . %rsp points here

Unwinding using .eh frame

.eh frame benefits

i686 default: -fno-omit-frame-pointer (<=gcc4.5)
x86 64 default: -fomit-frame-pointer
-fno-omit-frame-pointer = 4% SPECint2000 i7 perf. hit
-fno-omit-frame easily unwinds but it steals %rbp (%ebp):
400474: 55
400475: 48 89 e5
[function body]
4004c3: c9
4004c4: c3

push
mov

%rbp
%rsp,%rbp

leaveq
retq

-fomit-frame-pointer unwinds using .eh frame:

[function body]
4004bf: c3

retq

Unwinding using .eh frame

.eh frame

used for runtime exceptions (covered by segments)

so-called unwinders

not a part of DWARF (GNU extension)

it corresponds to the DWARF section .debug_frame

no overhead when no exception is thrown

.eh_frame_hdr is its runtime acceleration index
rpmbuild default: -fasynchronous-unwind-tables
used by backtrace(), libunwind, gdb, SystemTap

Unwinding using .eh frame

.eh frame sample code

0000000000000000 <functionname>:
0:
48 83 ec 18
sub $24,%rsp
4:
c7 44 24 0c 00 00 00 00 movl $0,0xc(%rsp)

00000000 00000014 00000000 CIE

DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_offset: r16 (rip) at cfa-8
00000018 00000014 0000001c FDE cie=00000000 pc=00000000..00
DW_CFA_advance_loc: 4 to 00000004
DW_CFA_def_cfa_offset: 32

Section 4
Unique binaries identification by build-id

Unique binaries identification by build-id

build-id
uniquely generated for each linked executable / shared library
eu-readelf -n file
Owner
Data size Type
GNU
20 GNU_BUILD_ID
Build ID: d48a....c8d1
/usr/lib/debug/.build-id/d4/8a....c8d1
../../../../../bin/bash = /bin/bash
/usr/lib/debug/.build-id/d4/8a....c8d1.debug
../../bin/bash.debug = /usr/lib/debug/bin/bash.debug
both symlinks are only in *-debuginfo-*.rpm

list of build-ids from a core file: eu-unstrip -n corefile

The end.
Thanks for listening.