Difference between revisions of "UNIX V6 dump analysis"
m (→Swappable per-process data: clarify) |
(add memory layout) |
||
Line 4: | Line 4: | ||
The second is of a dump of the complete [[main memory]] of a [[PDP-11]] running Unix; the system as distributed only supports doing such dumps to [[magnetic tape]]. This can be done either after the [[operating system|OS]] does a 'panic', which it does when something happens it can't recover from; or after [[halt]]ing the [[Central Processing Unit|CPU]]. | The second is of a dump of the complete [[main memory]] of a [[PDP-11]] running Unix; the system as distributed only supports doing such dumps to [[magnetic tape]]. This can be done either after the [[operating system|OS]] does a 'panic', which it does when something happens it can't recover from; or after [[halt]]ing the [[Central Processing Unit|CPU]]. | ||
+ | |||
+ | ==Memory layouts== | ||
+ | |||
+ | Unix stores all the writeable data of a process - both the data 'belonging' to the [[kernel]] (([[swapping|swappable]] per-process data, kept in a 'user' [[structure]], and the per-process kernel [[stack]]), as well as the user's data (both the data area, and the user stack) in a contiguous block in main memory, and they are always moved in and out (by swapping) as a unit. | ||
+ | |||
+ | The order of the layout within that is: | ||
+ | |||
+ | * 'user' structure | ||
+ | * kernel stack | ||
+ | * user data | ||
+ | * user stack | ||
+ | |||
+ | Note that although the user data and stack are contiguous in physical memory, they are not contiguous in the process [[virtual address]] space; the [[PDP-11 Memory Management]] is used to separate them. | ||
+ | |||
+ | For information about the memory layout of the kernel itself, see [[Unix V6 kernel memory layout]]. | ||
==Kernel stack top== | ==Kernel stack top== | ||
− | For both process core dumps, and for system dumps after a panic, since all [[trap]]s and [[interrupt]]s come in through basically the same code, the base of the | + | For both process core dumps, and for system dumps after a panic, since all [[trap]]s and [[interrupt]]s come in through basically the same code, the base of the kernel stack will have the same format: |
{| class="wikitable" | {| class="wikitable" | ||
Line 39: | Line 54: | ||
==Swappable per-process data== | ==Swappable per-process data== | ||
− | The | + | The per-process data kept in the 'user' structure are included in both a process core dump (where they are found at the start of the 'core' file), as well as a system dump (where runnable processes loaded into main memory can be located via their entries in the process table); the data in this structure may be of relevance and interest. |
The offsets of the various fields in the structure are: | The offsets of the various fields in the structure are: |
Revision as of 02:08, 1 February 2019
There are two kinds of dump analysis on UNIX V6, with some overlap between the two.
The first is of the 'core dump' of an individual process into a file, created either by a user's request (typing '^\' in standard V6), or by any of the error conditions (odd address, etc) which cause a process abort and core dump.
The second is of a dump of the complete main memory of a PDP-11 running Unix; the system as distributed only supports doing such dumps to magnetic tape. This can be done either after the OS does a 'panic', which it does when something happens it can't recover from; or after halting the CPU.
Memory layouts
Unix stores all the writeable data of a process - both the data 'belonging' to the kernel ((swappable per-process data, kept in a 'user' structure, and the per-process kernel stack), as well as the user's data (both the data area, and the user stack) in a contiguous block in main memory, and they are always moved in and out (by swapping) as a unit.
The order of the layout within that is:
- 'user' structure
- kernel stack
- user data
- user stack
Note that although the user data and stack are contiguous in physical memory, they are not contiguous in the process virtual address space; the PDP-11 Memory Management is used to separate them.
For information about the memory layout of the kernel itself, see Unix V6 kernel memory layout.
Kernel stack top
For both process core dumps, and for system dumps after a panic, since all traps and interrupts come in through basically the same code, the base of the kernel stack will have the same format:
Offset | Contents |
---|---|
0 | Old PS |
2 | Old PC |
4 | R0 |
6 | New PS |
10 | R1 |
12 | User SP |
14 | Index (trap type, or device number) |
16 | R5 |
20 | R4 |
22 | R3 |
24 | R2 |
The offset is from the top of the karnel stack, and is negative from there. In a process core dump, this starts at 01776 in the core dump file; in a dump of main memory, it is necessary to know the contents of kernel segment 6's address register, and the kernel stack top is 01776 above that.
Swappable per-process data
The per-process data kept in the 'user' structure are included in both a process core dump (where they are found at the start of the 'core' file), as well as a system dump (where runnable processes loaded into main memory can be located via their entries in the process table); the data in this structure may be of relevance and interest.
The offsets of the various fields in the structure are:
Offset | Contents |
---|---|
0000 | rsav |
0004 | fsav |
0066 | segflg |
0067 | error |
0070 | uid |
0071 | gid |
0072 | ruid |
0073 | rgid |
0074 | procp |
0076 | base |
0100 | count |
0102 | offset |
0106 | cdir |
0110 | dbuf |
0126 | dirp |
0130 | ino |
0132 | name |
0150 | pdir |
0152 | uisa |
0212 | uisd |
0252 | ofile |
0310 | arg |
0322 | tsize |
0324 | dsize |
0326 | ssize |
0330 | sep |
0332 | qsav |
0336 | ssav |
0342 | signal |
0412 | utime |
0414 | stime |
0416 | cutime |
0422 | cstime |
0426 | ar0 |
0430 | prof |
0440 | intflg |
(See the file 'user.h' for the meanings/contents of the various fields.)