Tutorial: Reverse debugging with GDB 7 (转载)
Tutorial: Reverse debugging with GDB 7
Tutorial: Reverse debugging with GDB 7
by Jay Conrod
posted on 2009-12-01
GDB 7 came out a few weeks ago, and one of the major new features is reverse debugging. This allows you to record the execution of a process, then play it backward and forward. This is incredibly useful for fixing those mysterious bugs that are so common in C/C++ programs.
In this post, I'll give a motivating example of why reverse debugging is so useful, then I'll give a summary of the commands you need to know about. You might also want to look at the official tutorial on the GDB wiki, which is a good reference.
Here's a typical program we might have in C. It's very simple, but it contains a subtle bug that causes it to crash when we run it.
#include <stdio.h>
#include <stdlib.h> void initialize(int *array, int size) {
for (int i = 0; i <= size; ++i)
array[i] = 0;
} int main(void) {
int *p = malloc(sizeof(int));
int values[10]; *p = 37;
initialize(values, 10);
printf("*p = %d\n", *p);
free(p); return 0;
}
This program is compiled with the following command:
gcc -ggdb -std=c99 -O0 test.c -o test
When we run this program from the command line, we get a segmentation fault. What happened? We load it into gdb and enable recording:
(gdb) break main
Breakpoint 1 at 0x8048449: file test.c, line 11.
(gdb) run
Starting program: /home/jay/Code/test/test Breakpoint 1, main () at test.c:11
(gdb) record
(gdb)
The record
command turns on recording. It must be issued after the program has started running, so the beginning of main
is a good place to use it. If you are debugging code that runs before main
(such as C++ global constructors), you may want to set a breakpoint in _start
, the actual entry point of the program.
Once recording is enabled, we run the program until the segmentation fault occurs:
(gdb) continue
Continuing.
warning: Process record ignores the memory change of instruction at
address 0xdd45e1 because it can't get the value of the segment
register. Program received signal SIGSEGV, Segmentation fault.
0x0804847b in main () at test.c:15
(gdb)
After getting a weird warning (which appears to occur inside malloc
), we find that the segmentation fault occurs at the call to printf
. The only memory operation here is dereferencing p
, so we print its value:
(gdb) print p
$1 = (int *) 0x0
(gdb)
p
should not be null! We set it at the beginning with malloc
and never changed its value. We can find out where it was changed by setting a watchpoint and using the reverse-continue
command. This works just like you would hope: the program runs backwards until the point at which p
was changed. Note that we explicitly set a software watchpoint rather than a hardware watchpoint; GDB 7 seems to silently ignore hardware watchpoints when replaying the program.
(gdb) set can-use-hw-watchpoints 0
(gdb) watch p
Watchpoint 2: p
(gdb) reverse-continue
Continuing.
Watchpoint 2: p Old value = (int *) 0x0
New value = (int *) 0x804b008
0x0804842c in initialize (array=0xbffff5c0, size=10) at test.c:6
(gdb)
GDB stops on line 6 in the initialize
function. Upon closer examination of the loop, we notice the off-by-one error in the condition. Since the array we passed to initialize
is adjacent to p
on the stack, we overwrite p
when we write off the end of the array.
This kind of error is an example of a buffer overflow, a common bug in C. More severe versions of this bug can create security vulnerabilities. Overflows are usually quite difficult to track down because a variable like p
could change many times before taking on a "bad" value like it did here. If we had set a watchpoint at the beginning of a more complex program, the debugger might stop hundreds of times before we found something interesting. More generally, we frequently debug by sneaking up on a fault from the front; if we accidentally pass the fault, we usually have to start over. Reverse debugging allows us to approach a fault much more quickly from behind. We just let the program run normally until we reach a point shortly after a fault has occurred (for instance, when the SIGSEGV
signal is received). We then run the program backward until we find what went wrong. The debugger can do pretty much the same things running backward as forward, including setting new watchpoints and breakpoints.
Before we wrap up, here's a quick summary of useful commands for reverse debugging:
record
- enable recording mode. This command must be issued while the program is running, and you can only run the program back to the point where this command was issued. There is a performance penalty.reverse-step, reverse-next, reverse-finish, reverse-continue
- just like the normal versions of the commands, but in the opposite direction.set exec-direction reverse
- switches the program execution direction to reverse. The step, next, finish, continue commands will work in the currect execution direction.set can-use-hw-watchpoints 0
- disables hardware watch points. This is necessary if you want to use watchpoints while running the program in reverse.
Once again, you need GDB 7 in order to use reverse debugging. It is supplied as part of Ubuntu 9.10 (Karmic) and other newer Linux distributions. Since reverse debugging a fairly new feature, it's not as complete as one would hope, so there's an official wish list which contains bugs and feature requests.
Finally, I'd like to reference Sebastien Duquette's tutorial on reverse debugging, which is where I found out that you need to disable hardware watchpoints. If you're interested in how reverse debugging actually works, Michael Snyder (one of the GDB developers responsible for it) has a short post on StackOverflow about it.
Comment by Lakshmy m.a posted on Fri Mar 5 09:24:25 2010
sir, Am a student of model engineering college trikakkara of ernakulam district,kerala,India.we a group of 4 took this rgdb as our mini project.i would like to get some technical support from your side.can you please send me a mail as your respones, sir i couldnt get ur mail id...so that i can mail you we would like to get a tutorial of each reverse commands implementation + its logic we have downloaded the source code of the new version of gdb.7 but we couldnt understand the logic ,since its very lengthy, and we hav a short time to for our mini project section... It will be very helpful if we get the basic idea behind this.
http://www.jayconrod.com/posts/28/tutorial-reverse-debugging-with-gdb-7
Tutorial: Reverse debugging with GDB 7 (转载)的更多相关文章
- GDB 反向调试(Reverse Debugging)
这个挺有意思 http://blog.csdn.net/CherylNatsu/article/details/6436570 使用调试器时最常用的功能就是step, next, continue,这 ...
- Debugging with GDB 用GDB调试多线程程序
Debugging with GDB http://www.delorie.com/gnu/docs/gdb/gdb_25.html GDB调试多线程程序总结 一直对GDB多线程调试接触不多,最近因为 ...
- 【转载】GDB反向调试(Reverse Debugging)
记得刚开始学C语言的时候,用vc的F10来调试程序,经常就是一阵狂按,然后一不小心按过了.结果又得从头再来,那时候我就问我的老师,能不能倒退回去几步.我的老师很遗憾地和我说,不行,开弓没有回头箭.这句 ...
- gdb调试4--回退
加入你正在使用GDB7.0以上版本的调试器并且运行在支持反向调试的平台,你就可以用以下几条命令来调试程序: reverse-continue 反向运行程序知道遇到一个能使程序中断的事件(比如断点,观察 ...
- Debugging Under Unix: gdb Tutorial (https://www.cs.cmu.edu/~gilpin/tutorial/)
//注释掉 #include <iostream.h> //替换为 #include <iostream> using namespace std; Contents Intr ...
- 27 Debugging Go Code with GDB 使用GDB调试go代码
Debugging Go Code with GDB 使用GDB调试go代码 Introduction Common Operations Go Extensions Known Issues Tu ...
- [转]Debugging the Mac OS X kernel with VMware and GDB
Source: http://ho.ax/posts/2012/02/debugging-the-mac-os-x-kernel-with-vmware-and-gdb/ Source: http:/ ...
- 使用gdb调试Python进程
使用gdb调试Python进程 有时我们会想调试一个正在运行的Python进程,或者一个Python进程的coredump.例如现在遇到一个mod_wsgi的进程僵死了,不接受请求,想看看究竟是运行到 ...
- GDB的non-stop模式
线程调试必杀技 - GDB的non-stop模式 作者:破砂锅 开源的GDB被广泛使用在Linux.OSX.Unix和各种嵌入式系统(例如手机),这次它又带给我们一个惊喜. 多线程调试之痛 调试器 ...
随机推荐
- HSTS的来龙去脉
前言 安全经常说“云.管.端”,“管”指的是管道,传输过程中的安全.为了确保信息在网络传输层的安全,现在很多网站都开启了HTTPS,也就是HTTP+TLS,在传输过程中对信息进行加密.HTTPS使用了 ...
- Linux内核分析第五周学习总结——分析system_call中断处理过程
Linux内核分析第五周学习总结--分析system_call中断处理过程 zl + <Linux内核分析>MOOC课程http://mooc.study.163.com/course/U ...
- POJ.1426 Find The Multiple (BFS)
POJ.1426 Find The Multiple (BFS) 题意分析 给出一个数字n,求出一个由01组成的十进制数,并且是n的倍数. 思路就是从1开始,枚举下一位,因为下一位只能是0或1,故这个 ...
- 传说中的 SonarLint
Sonar是一个用于代码质量管理的开源平台,用于管理源代码的质量 通过插件形式,可以支持包括java,C#,C/C++,PL/SQL,Cobol,JavaScrip,Groovy等等二十几种编程语言的 ...
- NYOJ--703
原题链接:http://acm.nyist.net/JudgeOnline/problem.php?pid=703 分析:先考虑不受限制的情况,此时共可以修n*(n-1)/2条隧道:所有的place组 ...
- Linux环境编译动态库和静态库总结
对Linux环境动态库和静态库的一些基础知识做一些总结, 首先总结静态库的编译步骤. 1 先基于.cpp或者.c文件生成对应的.o文件 2将几个.o文件 使用ar -cr命令 生成libname.a文 ...
- 「Linux+Django」uwsgi服务启动(start)停止(stop)重新装载(reload)
转自:http://blog.51cto.com/12482328/2087535?cid=702003 1. 添加uwsgi相关文件 在之前的文章跟讲到过centos中搭建nginx+uwsgi+f ...
- react-native安装react-navigation后出现package-lock.json文件的坑
npm5.0开始安装后回生成一个新的package-lock.json文件.以致初始化好的react-native项目引入的依赖被删除. 目前解决办法.使用facebook的yarn add 第三方组 ...
- codevs 2796 最小完全图
2796 最小完全图 http://codevs.cn/problem/2796/ 时间限制: 1 s 空间限制: 128000 KB 题目描述 Description 若一个图的每一对不 ...
- 《HTML5编程之旅》系列二:Communication 技术初探
本文主要探讨用于构建实时跨源通信的两个模块:跨文档消息通信(Cross Document Messaging)和XMLHttpRequestLevel2.通过这两个模块,我们可以构建不同域间进行安全 ...