I tried to use crash just to read the vmlinux file without debug info. So I used crash not correctly. Since this is used for linux 2.4 I cannot simply get a core dump file. In 2.6 it's relatively easy to get a core dump, the same isn't true for linux 2.4 I guess? Thanks, Reinoud. -----Original Message----- From: crash-utility-bounces@xxxxxxxxxx [mailto:crash-utility-bounces@xxxxxxxxxx] On Behalf Of Dave Anderson Sent: Wednesday, September 21, 2011 6:00 AM To: Discussion list for crash utility usage, maintenance and development Subject: Re: crash cannot read the symbols ----- Original Message ----- > Hmm, the /dev/mem does not reflect the kernel and symbols I am trying > to read, because I do not have a core dump of the crash. > I just tried to read the kernel and modules in crash to read it. I think we have a basic misunderstanding -- although I'm not sure... The crash utility requires two pieces: (1) a vmlinux file built with debuginfo data, and (2) a memory source -- which can be either: (a) a kernel core dump, or (b) a device driver to access physical memory on a live system. If analyzing a kernel core dump, the vmlinux must be the same kernel version that was running when the system crashed. If analyzing a live system, the vmlinux must be the same kernel that is running on the live system. When running against a core dump, the crash utility needs at least two arguments: $ crash vmlinux vmcore When running against a live system, you can simply enter: $ crash vmlinux because the crash utility will try to find the correct device driver, which is typically /dev/mem. If /dev/mem is restricted to its first 1MB of physical memory, you can try to use /proc/kcore: $ crash vmlinux /proc/kcore Or if that doesn't work, you can create your own /dev/crash kernel module for physical memory access. I don't know whether the sample /dev/crash memory driver supplied with the crash utility sources will compile cleanly in a 2.4 kernel environment -- it may require some tweaking. In the crash-5.1.8/memory_driver sub-directory, there is the memory driver's crash.c file, a Makefile, and this README file: > For live system analysis, the physical memory source must be one of > the following devices: > > /dev/mem > /proc/kcore > /dev/crash > > If the live system kernel was configured with CONFIG_STRICT_DEVMEM, > then /dev/mem cannot be used. > > If the live system kernel was configured without CONFIG_PROC_KCORE, > or if /proc/kcore is non-functional, then /proc/kcore cannot be used. > > The third alternative is this /dev/crash driver. Presuming that > /lib/modules/`uname -r`/build points to a kernel build tree or kernel > "devel" package tree, the module can simply be built and installed > like so: > > # make > ... > # insmod crash.ko > > Once installed, the /dev/crash driver will be used by default for > live system crash sessions. So when you say "the /dev/mem does not reflect the kernel and symbols I am trying to read", by that I understand you to mean that the vmlinux file that you built is not the same kernel version as is running on your host machine. If that is true, then the crash utility is not an appropriate tool for looking at your new vmlinux -- again, the crash utility expects a memory source where the vmlinux is currently running, or a core dump of the system that was running it when it crashed. You could do this: $ gdb vmlinux and then poke around the kernel's static text and data as they are initially loaded into memory. But the crash utility cannot be used that way. Dave -- Crash-utility mailing list Crash-utility@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/crash-utility -- Crash-utility mailing list Crash-utility@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/crash-utility