From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 15023 invoked by alias); 7 Jul 2010 17:29:51 -0000 Received: (qmail 14995 invoked by uid 22791); 7 Jul 2010 17:29:47 -0000 X-SWARE-Spam-Status: No, hits=0.8 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS X-Spam-Check-By: sourceware.org Received: from moutng.kundenserver.de (HELO moutng.kundenserver.de) (212.227.126.171) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Wed, 07 Jul 2010 17:29:39 +0000 Received: from igor (brln-4db92177.pool.mediaWays.net [77.185.33.119]) by mrelayeu.kundenserver.de (node=mrbap0) with ESMTP (Nemesis) id 0M5a7E-1PL3aR3n0i-00xuEm; Wed, 07 Jul 2010 19:29:36 +0200 Message-ID: Reply-To: =?Windows-1252?Q?Martin_Schr=F6der?= From: =?Windows-1252?Q?Martin_Schr=F6der?= To: =?Windows-1252?Q?Petr_Hluz=EDn?= Cc: , References: <4A25DE879BC24E8DAEAEBD722E363025@igor> Subject: Re: Examining copied stack contents Date: Wed, 07 Jul 2010 17:29:00 -0000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original Content-Transfer-Encoding: 8bit Mailing-List: contact gdb-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-owner@sourceware.org X-SW-Source: 2010-07/txt/msg00021.txt.bz2 Petr Hluzín wrote: > On 3 July 2010 12:46, Martin Schröder > wrote: > > In general a debugger needs at least a stack pointer and an > instruction pointer to get a backtrace. If the function containing the > IP uses a frame pointer (a debugger should be able to tell you that) > then debugger needs to know the FP. Which register contains the FP > depends on the prologue type chosen by compiler (on x86 it is always > EBP). Command "info frame
" may assume IP is pointed to by > SP. So there are at least 2 arguments (FP+SP) to be provided on any > arch. > > Therefore I suspect "info frame
" is not general enough to be > used in your case. Hello everyone; and thanks to Petr and Joel. The above comment was exactly what I needed to find a working solution for my problem, at least as long as GDB uses Dwarf2 frame unwinding (but it *probably* should work with the other unwinders, too). Due to the content of the stack being an unaltered copy, it's of course impossible for GDB to properly unwind it at its current location. Thus, you have to copy it back to its original position. But since you almost always want to continue your program properly later on, your first step has to be to save the part of the stack that's going to be overwritten. If you assume that the convenience variable "$base" is the original address of the stack, "$length" its length and "$copyPos" the address of the copy, you have to execute the following commands: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - gdb> set $stack = malloc($length) gdb> p memcpy($stack, $base, $length); gdb> p memcpy($base, $copyPos, $length); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Of course, you should check if malloc returns something other than 0. But for brevity's sake, I won't write down the sanity checks. In any case, after you've backed-up the current stack and copied over the old stack, you have to set the $epb and $eip registers to allow GDB to understand the stack. Both should be stored within the jmp_buf struct that's created by the setjmp() statement. Unfortunately, due to security reasons, glibc masks the stack pointer register (which is not needed by GDB, strangely enough) and the eip register on Linux. Their actual values are xor-ed with a fixed pattern and then rotated by 9 bits to the left [1]. After undoing that, you can get the eip and all that remains to do is to fetch the ebp frame pointer. In my case that's simple, because due to the way the stack is copied, the ebp register is always 9 bytes less than the "base" variable. Otherwise, you have to dig around where the ebp is stored inside the jmp_buf or get it from somewhere else (like I did). Anyway, after you have the ebp and eip values, simply back them up and set them with the following commands: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - gdb> set $ebpsave = $ebp gdb> set $eipsave = $eip gdb> p $ebp = 0x gdb> p $eip = 0x - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Now, you can get a full backtrace and explore the frame details. If you later intend to continue execution, just reset your changes: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - gdb> p $ebp = $ebpsave gdb> p $eip = $eipsave gdb> p memcpy($base, $stack, $length) gdb> p free($stack) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - That's it. A bit crude since you can't exactly "just" look at it, need to learn the correct values of ebp and eip and it only works like that on x86, but hey, at least it *does* work. :) Thanks again for you help! Martin Schröder. [1] - http://cseweb.ucsd.edu/~hovav/dist/noret.pdf Page 14