\n\nThis page has been machine-translated from the original page.
\n
I have been reading xv6 OS, inspired by First OS Code Reading – Learning Kernel Mechanisms with UNIX V6.
\nI want to get better at reverse engineering and to deepen my knowledge of kernels and operating systems.
\nUnderstanding the Linux Kernel was quite heavy going, so I was looking for somewhere lighter to start. That is when I learned that UNIX V6 has a total code size of around 10,000 lines — just barely comprehensible for a human being — and I became interested.
\nHowever, UNIX V6 itself does not run on x86 CPUs, so I decided to read the source code of kash1064/xv6-public: xv6 OS, which is a fork of xv6 OS, an x86-architecture port of UNIX V6.
\nIn the previous article, we read through the xv6 OS build and boot process.
\nI was eager to start reading the kernel proper, but there were parts I could not understand just by reading the code. So I decided to set up a debugging environment first to help deepen my understanding.
\n\nThe following article was helpful as a reference for the basic procedure.
\nReference: Creating a debug environment for xv6 - Qiita
\nIn my environment I wanted the QEMU console to appear in a separate GUI window, so unlike the article above I am using qemu-gdb rather than qemu-nox-gdb.
Connecting the debugger is very straightforward — simply run the following command:
\n# Run in the same directory as the Makefile\nmake qemu-gdbNext, open another terminal and enter the following commands to enable debugging:
\n# Specify the kernel binary as the debug target in gdb\ngdb kernel\n\n# Remote debug via gdb\ntarget remote localhost:26000First, make qemu-gdb builds xv6 OS and then invokes qemu-system-i386 -serial mon:stdio -drive file=fs.img,index=1,media=disk,format=raw -drive file=xv6.img,index=0,media=disk,format=raw -smp 2 -m 512 -S -gdb tcp::26000.
The QEMU option arguments are examined one by one below.
\nThe option arguments used when running make qemu-gdb are as follows:
| Option Argument | \nPurpose | \n
|---|---|
| -serial <dev> | \nRedirect the virtual serial device to the host. With mon:stdio, both the console and the QEMU monitor are displayed in the terminal. | \n
| -drive <options> | \nAdd a new block device or interface. Here, xv6.img and fs.img are each loaded as a disk. | \n
| -smp <cpus> | \nEmulate SMP (multi-processor system) using the specified number of CPUs. | \n
| -m <MB or GB> | \nSpecify the memory size at virtual machine startup (default unit: MB). A prefix such as 1G can be used to specify gigabytes. | \n
| -S | \nDo not use the CPU at startup (i.e., halt immediately after power-on and wait for a GDB connection). | \n
| -gdb <tcp::port> | \nAccept GDB connections on the specified protocol and port. | \n
Reference: Invocation — QEMU documentation
\nReference: QEMU Options Cheat Sheet for Kernel Debugging - Qiita
\nSymbol information for the xv6 kernel is stored in kernel.sym at build time.
Looking up the address of a symbol on the GDB side gives the same result:
\n$ info address main\nSymbol \"main\" is a function at address 0x80103040.Set a breakpoint at the main function:
$ main\n$ c\nContinuing.\n[----------------------------------registers-----------------------------------]\nEAX: 0x80103040 --> 0xfb1e0ff3 \nEBX: 0x10094 --> 0x0 --> 0xf000ff53 \nECX: 0x0 --> 0xf000ff53 \nEDX: 0x1f0 --> 0xf000ff53 \nESI: 0x10094 --> 0x0 --> 0xf000ff53 \nEDI: 0x0 --> 0xf000ff53 \nEBP: 0x7bf8 --> 0x0 --> 0xf000ff53 \nESP: 0x8010b5c0 --> 0x0 --> 0xf000ff53 \nEIP: 0x80103040 --> 0xfb1e0ff3\nEFLAGS: 0x86 (carry PARITY adjust zero SIGN trap interrupt direction overflow)\n[-------------------------------------code-------------------------------------]\n 0x80103034 <mpenter+20>:\tcall 0x801027a0 <lapicinit>\n 0x80103039 <mpenter+25>:\tcall 0x80102fe0 <mpmain>\n 0x8010303e:\txchg ax,ax\n=> 0x80103040 <main>:\tendbr32 \n 0x80103044 <main+4>:\tlea ecx,[esp+0x4]\n 0x80103048 <main+8>:\tand esp,0xfffffff0\n 0x8010304b <main+11>:\tpush DWORD PTR [ecx-0x4]\n 0x8010304e <main+14>:\tpush ebp\n[------------------------------------stack-------------------------------------]\n0000| 0x8010b5c0 --> 0x0 --> 0xf000ff53 \n0004| 0x8010b5c4 --> 0x0 --> 0xf000ff53 \n0008| 0x8010b5c8 --> 0x0 --> 0xf000ff53 \n0012| 0x8010b5cc --> 0x0 --> 0xf000ff53 \n0016| 0x8010b5d0 --> 0x0 --> 0xf000ff53 \n0020| 0x8010b5d4 --> 0x0 --> 0xf000ff53 \n0024| 0x8010b5d8 --> 0x0 --> 0xf000ff53 \n0028| 0x8010b5dc --> 0x0 --> 0xf000ff53 \n[------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\n\nThread 1 hit Breakpoint 1, main () at main.c:19In my environment I have gdb-peda enabled, so quite a bit of information is displayed.
\nThis completes the setup for debugging the kernel.
\nI originally planned to use bochs, but the troubleshooting did not go well, so I decided to use GDB for debugging instead.
\nThis approach turned out to be better in the end since it is easier to configure and I am more comfortable with it.
\nThis time I will really, truly start reading the kernel proper.
","fields":{"slug":"/unix-xv6-003-setup-kernel-debug-en","tagSlugs":["/tag/unix-en/","/tag/xv-6-en/","/tag/kernel-en/","/tag/os-en/","/tag/english/"]},"frontmatter":{"date":"2022-01-24","description":"Reading the source code of xv6 OS, an educational operating system, to learn about the kernel. In this article, we set up a GDB debugging environment for the xv6 OS kernel.","tags":["Unix (en)","xv6 (en)","Kernel (en)","OS (en)","English"],"title":"Reading xv6 OS Seriously to Fully Understand the Kernel – GDB Debug Environment Setup","socialImage":{"publicURL":"/static/8ad19b30a768f586cec17434bc789068/unix-xv6-003-setup-kernel-debug.png"}}}},"pageContext":{"slug":"/unix-xv6-003-setup-kernel-debug-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}