linux_system_calls.md
# Introduction

Linux implements its userland-to-kernel transition using a special library
called linux-gate.so that is mapped by the kernel into every process. For more
information, see

http://www.trilithium.com/johan/2005/08/linux-gate/

In a nutshell, the problem is that the system call gate function,
kernel\_vsyscall, does not use EBP to point to the frame pointer.

However, the Breakpad processor supports special frames like this via STACK
lines in the symbol file. If you look in src/client/linux/data you will see
symbol files for linux-gate.so for both Intel & AMD (the implementation of
kernel\_vsyscall changes depending on the CPU manufacturer). When processing
minidumps from Linux 2.6, having these symbol files is necessary for walking the
stack for crashes that happen while a thread is in a system call.

If you're just interested in processing minidumps, those two symbol files should
be all you need!

# Details

The particular details of understanding the linux-gate.so symbol files can be
found by reading about STACK lines inside
src/common/windows/pdb\_source\_line\_writer.cc, and the above link. To
summarize briefly, we just have to inform the processor how to get to the
previous frame when the EIP is inside kernel\_vsyscall, and we do that by
telling the processor how many bytes kernel\_vsyscall has pushed onto the stack
in its prologue. For example, one of the symbol files looks somewhat like the
following:

```
MODULE Linux x86 random_debug_id linux-gate.so
PUBLIC 400 0 kernel_vsyscall
STACK WIN 4 100 1 1 0 0 0 0 0 1
```

The PUBLIC line indicates that kernel\_vsyscall is at offset 400 (in bytes) from
the beginning of linux-gate.so. The STACK line indicates the size of the
function (100), how many bytes it pushes (1), and how many bytes it pops (1). The
last 1 indicates that EBP is pushed onto the stack before being used by the
function.
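
The following is an added example, not code from Breakpad: a small Python parser for the three record types shown above that resolves a crash EIP to a PUBLIC symbol and flags a symbol file whose recorded offset no longer matches the target kernel. The function names, the load address and the observed offsets are assumptions made for illustration; Breakpad symbol files write numbers in hexadecimal, so `400` is read as `0x400`, and the STACK fields are kept raw rather than interpreted.

```python
# Added example: constructed sample mirroring the three records shown above.
SAMPLE = """\
MODULE Linux x86 random_debug_id linux-gate.so
PUBLIC 400 0 kernel_vsyscall
STACK WIN 4 100 1 1 0 0 0 0 0 1
"""


def parse_symbols(text):
    """Return (module, publics, stack) from Breakpad symbol-file text."""
    module, publics, stack = None, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "MODULE" and len(fields) >= 5:
            module = {"os": fields[1], "arch": fields[2],
                      "debug_id": fields[3], "name": " ".join(fields[4:])}
        elif kind == "PUBLIC" and len(fields) >= 4:
            # PUBLIC <address> <parameter_size> <name>; numbers are hex.
            publics[" ".join(fields[3:])] = int(fields[1], 16)
        elif kind == "STACK":
            stack.append(fields[1:])  # kept as raw fields, not interpreted
        elif kind in ("MODULE", "PUBLIC"):
            raise ValueError(f"line {lineno}: truncated {kind} record")
    if module is None:
        raise ValueError("no MODULE record found")
    return module, publics, stack


def resolve(publics, module_base, eip):
    """Nearest PUBLIC symbol at or below eip (PUBLIC has no size), else None."""
    offset = eip - module_base
    below = [(addr, name) for name, addr in publics.items() if addr <= offset]
    return max(below)[1] if below else None


def check_offset(publics, name, observed_offset):
    """Compare the recorded offset with one observed on the target kernel."""
    if name not in publics:
        return "missing"
    return "ok" if publics[name] == observed_offset else "stale"


if __name__ == "__main__":
    module, publics, stack = parse_symbols(SAMPLE)
    base = 0xFFFFE000  # hypothetical load address of linux-gate.so
    print(module["name"], resolve(publics, base, base + 0x410))
    print(check_offset(publics, "kernel_vsyscall", 0x420))  # moved symbol
```

A `stale` result means frames inside the system call gate would be resolved against the wrong offset, so the symbol file needs regenerating for that kernel.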

# Warnings

These functions might change significantly depending on kernel version. In my
opinion, the actual function stack information is unlikely to change frequently,
but the Linux kernel might change the address of kernel\_vsyscall w.r.t. the
beginning of linux-gate.so, which would cause these symbol files to be invalid.