launch/attach process#
Note: In gdb, you only need to enter the first few letters or even the first letter of the complete command. The premise is that the abbreviation does not conflict with other commands.
gdb ./a.out # Debug an unrun program from the beginning
gdb a <pid> # Attach to a running process
gdb -p <pid> # Same as above
gdb -q a
(gdb) attach <pid> # You can also start first and then attach
(gdb) detach # If debugging through gdb attach, after detach, the original process will continue to execute
(gdb) q # Exit gdb
----------------Silent startup option: directly enter gdb without printing a bunch of version copyright information
gdb -silent
gdb -q
# You can set an alias for gdb in ~/.bashrc:
alias gdb="gdb -q"
----------------Silent exit setting: gdb will prompt when exiting: whether to exit the debugged program
#A debugging session is active.
#
# Inferior 1 [process 29686 ] will be killed.
#Quit anyway? (y or n) n
#Silent exit: This command can also be added to the .gdbinit file.
(gdb) set confirm off
----------------When starting gdb, specify the parameters of the program to be debugged
gdb -args ./a.out a b c
----------------You can also set it through commands in gdb
(gdb) set args a b c
(gdb) show args
Argument list to give program being debugged when it is started is "a b c".
----------------You can also specify when running the program
(gdb) r a b # This seems to be saved as the argument list, and the next time r may carry the saved argument list, it is recommended to check (gdb) show args
----------------Build the program after entering gdb
(gdb) shell
(gdb) make CFLAGS="-g -O0"
Start attach debugging with a script that automatically gets the pid#
#!/bin/bash
# Indicate to use the Bash interpreter to execute the script
# Save as agdb.sh and add executable permissions (chmod +x agdb.sh)
# Usage: ./agdb.sh <program_name>
# Get the program name, which is the first argument
prog_bin=\$1
# Check if the program name is provided
if [ -z "$prog_bin" ]; then
echo "Please provide the name or path of the program!"
exit -1
fi
# Get the PID of the program
running_name=$(basename $prog_bin) # Extract the program name
pid=$(pidof $running_name)
# Check if the PID is empty
if [ -z "$pid" ]; then
echo "No running process found: $running_name"
exit -1
fi
# Attach to the process
echo "Attaching to process PID: $pid..."
gdb -q -p $pid
Remote debugging#
(gdb) i target # Display information about the debugging target platform
Remote target # or Local target
Connected to remote target via <connection info> # Port number
Architecture: <arch info> # Target architecture (e.g., x86, ARM, etc.)
(gdb) target remote localhost:25000 # Connect to gdbserver
gdb temporary environment variables#
Set environment variables in GDB that only take effect for debugging functions. Usually temporary, valid only during the debugging session.
(gdb) set env PATH=$PATH:/path/to/some/library
(gdb) set env LD_PRELOAD=$LD_PRELOAD:/path/to/some/library
(gdb) show env LD_PRELOAD # View the temporary environment variables set by gdb
(gdb) unset env LD_PRELOAD
You can also configure gdb to run initialization commands at startup in .gdbinit:
set env LD_PRELOAD=$LD_PRELOAD:/path/to/some/library
Run control#
(gdb) r arg1 arg2 ... # Restart running the binary
(gdb) start # Used to start executing the program and pause execution at the first instruction, such as stopping at main{
(gdb) stop # Pause execution
(gdb) c # Continue execution
(gdb) n # Step execution, skip when encountering a function
(gdb) s # Step execution, enter the function body when encountering a function
(gdb) until line # Run until reaching the specified line
Breakpoints setting#
-----------------------------------Breakpoints set
(gdb) b <file:line> # Set a breakpoint at a certain line in the file; the downside of setting a breakpoint by line number: if the source program is changed, the previously set breakpoint may not be what you want
(gdb) b <file:function> # Set a breakpoint at a certain function in the file
(gdb) b <namespace::class::function> # Set a breakpoint at a member function of a certain class
(gdb) b (anonymous namespace)::<func> # Set a breakpoint at a function in an anonymous namespace
(gdb) b <location> <thread-id> # Set a breakpoint at a certain location in a certain thread
(gdb) b <location> if <condition> # Set a conditional breakpoint at a certain location
(gdb) b *0x400522 # When debugging assembly or programs without debug information, it is often necessary to set breakpoints at program addresses
(gdb) tb a.c:15 # tb sets a temporary breakpoint that only takes effect once; after hitting the breakpoint once, it will be deleted
-----------------------------------Breakpoints delete/enable/disable
(gdb) d <break-id> # Delete a certain breakpoint
(gdb) disable <break-id> # Disable a certain breakpoint
(gdb) enable <break-id> # Enable a certain breakpoint
-----------------------------------Breakpoints ignore, can be used for debugging loops
(gdb) ignore 1 5 # Ignore the first five triggers of breakpoint 1
(gdb) ignore 1 0 # Cancel ignore
-----------------------------------Breakpoints set automatic execution commands
(gdb) command <break-id> # Modify existing breakpoint commands with this command
>silent # Execute commands silently
>if x > 10
>p <var> # Automatically print variable <var> when reaching the breakpoint
>end
(gdb) i breakpoints # Used to view breakpoint commands
(gdb) delete # Used to delete breakpoint commands
-----------------------------------Breakpoints environment save
(gdb) save breakpoints my_breakpoints.txt # Save the current breakpoints to the path my_breakpoints.txt
(gdb) source my_breakpoints.txt # Load the saved breakpoints from my_breakpoints.txt when starting GDB debugging next time
Set a breakpoint at the program entry point#
strip a.out # Remove debug information
-----------------------------Get program entry point 1: Use readelf command to view ELF file header, find Entry point address:
readelf -h a.out
#Entry point address: 0x400440
-----------------------------Get program entry point 2: (gdb) info files, find Entry point address:
(gdb) info files
#Entry point address: 0x400440
-----------------------------Get program entry point 3: objdump -f a.out, find Entry point address:
objdump -f a.out
#Entry point address: 0x400440
-----------------------------Set a breakpoint at the program entry point
(gdb) b *0x400440
Quickly try different inputs#
Without modifying the source code or recompiling, try different inputs for the function using breakpoint commands + reverse debugging
(gdb) b drawing
Breakpoint 1 at 0x40064d: file win.c, line 6.
(gdb) command 1
Type commands for breakpoint(s) 1, one per line.
End with a line saying just "end".
>silent # Avoid output information when stopped at the breakpoint.
>set variable n = 0 # Modify input
>c
>end
# After seeing the result, reverse execute and modify again
Watchpoint setting#
Write watchpoints: the program pauses when the value of a certain variable (watchpoint) changes.
Read watchpoints: the program pauses when a read operation on the variable occurs.
Hardware watchpoints: When setting a watchpoint, GDB uses hardware-level monitoring functions to track variable value changes. It does not affect program performance. However, there may be a limit on the number of hardware watchpoints, and if exceeded, GDB will use software watchpoints.
Software watchpoints: If hardware watchpoints are not supported or the limit has been reached, GDB implements them in software. This usually affects program running speed because it involves constant checking and managing memory.
(gdb) watch a # Set variable a as a write watchpoint
(gdb) wa a thread 2 # Only trigger the watchpoint for variable a in thread 2
(gdb) rw a # Read watchpoint, only effective for hardware watchpoints
(gdb) aw a # Read/write watchpoint
(gdb) delete watchpoint 2
(gdb) disable watchpoint 2 # Disable watchpoint 2
(gdb) enable watchpoint 2
(gdb) set can-use-hw-watchpoints off # Disable hardware watchpoints
(gdb) set can-use-hw-watchpoints on
-------------------------------Set watchpoint using memory address
(gdb) p &a # List the address of a
\$1 = (int *) 0x6009c8 <a>
(gdb) watch *(int*)0x6009c8 # Set watchpoint using dereferenced memory address
Catchpoint setting#
catchpoint is used to interrupt program execution when a specific event occurs (such as a signal, function call, system call, etc.); catchpoint is persistent by default and will interrupt the program every time the corresponding event is triggered.
(gdb) tcatch fork # Set as a temporary catchpoint that only captures once
(gdb) catch fork # Catch fork() syscall; GNU/Linux supports this feature. Check the official gdb manual for support on other platforms.
(gdb) catch vfork
(gdb) catch exec
(gdb) catch syscall # Catch all syscalls
(gdb) catch syscall [syscall | number] # Catch syscall with specified name or number
Bypassing anti-debugging#
Some programs do not want to be debugged by gdb, so they call the ptrace function in the program. If it returns failure, it proves that the program is being traced by gdb or similar programs, and it exits directly.
The way to bypass such programs is to set a catchpoint for the ptrace call and then modify the return value of ptrace.
----------------------------eg
#include <sys/ptrace.h>
#include <stdio.h>
int main(){
if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 ) {
printf("Gdb is debugging me, exit.\n");
return 1;
}
printf("No debugger, continuing\n");
return 0;
}
----------------------------(gdb) catch syscall ptrace
(gdb) catch syscall ptrace
Catchpoint 2 (syscall 'ptrace' [101])
(gdb) r # Restart the program
Starting program: /data2/home/nanxiao/a
Catchpoint 2 (call to syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) c
Continuing.
Catchpoint 2 (returned from syscall ptrace), 0x00007ffff7b2be9c in ptrace () from /lib64/libc.so.6
(gdb) set $rax = 0 # The return value of Linux64 syscall exists in rax
(gdb) c
Continuing.
No debugger, continuing
[Inferior 1 (process 11491) exited normally]
Modifying machine states#
(gdb) set $var=XXX # Set gdb variable
----------------Modify variable
(gdb) set var <varname> = <val> # Modify variable
(gdb) set file::array="Jil" # Modify string array value, string constants in read-only data segments cannot be modified
(gdb) p &array # Modify variable by modifying memory, but memory out-of-bounds is very dangerous
(gdb) set {char[4]} 0x80477a4 = "Jil" # set {type}address=expr
----------------Modify register
(gdb) set var $eax = 8 # Modify return value register eax
(gdb) set var $pc=0x08050949 # As long as you know the address of a certain instruction, you can jump to the next instruction by modifying the PC
Jump execution#
The conventional method of debugging is to set breakpoints and restart the program, skipping the non-critical machine states modification process and non-critical processes to execute at a certain position to save time;
The principle of gdb jump instructions is to modify the program counter PC to make the program jump to the specified line and continue execution. Jumping to a specified execution point does not pause; if you want gdb to pause at that execution point, you need to manually set a breakpoint.
(gdb) tb <file>:<num> # tb sets a temporary breakpoint that only takes effect once; after hitting the breakpoint once, it will be deleted
(gdb) j <num> # Jump to the specified line number
(gdb) j <func>
(gdb) j <file>:<num>
(gdb) j <file>:<func>
(gdb) j *addr # Jump to the instruction pointed to by a certain address
(gdb) j +<num> # Jump back n lines
(gdb) j -<num> # Jump forward n lines
Time Travel Debugging#
Records the changes in machine states (such as variable, register, memory data changes, etc.) caused by each gdb instruction, stored by default in gdb_record.process_id. When needing to trace back to a past state, the debugger will restore these states in reverse order, instruction by instruction.
Usage scenarios:
1) Bugs that are difficult to reproduce, very complex logic issues
2) Multithreading concurrency issues
3) Memory-related issues, such as memory stomping, memory leaks, double freeing, etc.
4) Call stack showing all question marks issue
(gdb) record save filename # Save the program execution history state information to a file, the default name is gdb_record.process_id
(gdb) record restore filename # Restore state information from the historical record file
(gdb) show record full insn-number-max # View the maximum number of executable state information that can be recorded, default 200000
(gdb) set record full insn-number-max n # Set the maximum number of recordable instructions to n
(gdb) set record full insn-number-max unlimited # Set the maximum number of recordable instructions to unlimited
(gdb) set exec-direction reverse # Set the program to execute in reverse; after executing this command, common commands like next, nexti, step, stepi, continue, finish, etc. will execute in reverse
(gdb) set exec-direction forward # Set the execution direction to forward
(gdb) b n
(gdb) record # Record all state information during program execution
(gdb) c
(gdb) reverse-search # Reverse search previously input commands
(gdb) record goto start # Jump to the start of the record
(gdb) record goto end # Jump to the end of the record
(gdb) record goto n # Jump to a specified position n in the record
(gdb) reverse-next # Execute one line of code in reverse, do not enter when encountering a function call
(gdb) reverse-nexti # rni: Execute one instruction in reverse, do not enter when encountering a function call
(gdb) reverse-step # rs: Execute one line of code in reverse, enter when encountering a function call
(gdb) reverse-stepi # rsi: Reverse single-step execution (machine code level)
(gdb) reverse-continue # rc: Continue execution in reverse
(gdb) reverse-finish # Execute in reverse until the function entry
(gdb) record stop # Stop recording state information
Switch shell environment execution#
(gdb) shell # Enter shell mode, return to the Linux terminal
(gdb) !<shell_cmd> # Equivalent to (gdb) shell <shell_cmd>;
(gdb) pwd # Switch working directory in gdb
(gdb) cd tmp
(gdb) exit # Exit shell mode, return to gdb command line
Print#
Output settings#
Specify gdb input/output device#
By default, the program's input and output use the same terminal as gdb.
tty # View this terminal
gdb -tty /dev/pts/2 ./a.out # Set the program's input/output
(gdb) tty /dev/pts/2 # Set the program's input/output
Print string length settings#
gdb limits the maximum length of printed strings. When gdb outputs a lot of information, it will pause output and print "---Type to continue, or q to quit---"; the following commands can modify the limit: gdb will output everything without pausing in between.
(gdb) show print elements # Show the maximum print length of strings
(gdb) set print elements <number-of-elements> # Set the maximum print length of strings
(gdb) set print elements 0 # Cancel the maximum print length of strings
(gdb) set print elements unlimited # Same as above
(gdb) set pagination off # Cancel paginated output
(gdb) set height 0 # Cancel the maximum height limit of output information
Machine state#
---------------------------------------Print variables/Print stack
(gdb) whatis <var> # Print variable type
(gdb) ptype <var> # Print variable type definition
(gdb) i variables # Print all variables in the current scope, including file and type
(gdb) i variables ^<var>$ # ^ indicates starting with <var>; $ indicates ending with <var>
(gdb) p <var> # Print variable <var>
(gdb) i locals # List all local variables (including static local variables) in the current function stack frame
(gdb) i variables # List all global and static variables
(gdb) i variables var # List all global and static variables starting with the regex var
(gdb) p 'file.c'::<var> # Extern global/static variables belonging to different files may have the same variable name, in this case, specify the belonging file
(gdb) p sizeof(wchar_t) # Print the byte size of wchar_t type
(gdb) x/s str # Print ASCII string or character array variable str
(gdb) x/hs str # Print 2-byte string or character array variable str
(gdb) x/ws str # Print 4-byte string or character array variable str
(gdb) p array[index]@num # Print num consecutive elements starting from index
(gdb) set print array-indexes on # By default, when printing arrays, index subscript is not printed; show index subscript
(gdb) display <var> # Track variable or expression, automatically display the value of specified <var> every time the program pauses; that is, when hitting a breakpoint, single-stepping, or manually pausing
(gdb) undisplay <var> # Cancel tracking variable
---------------------------------------Print protobuf message
(gdb) p <var>.DebugString() # Use DebugString() to print the internal structure of the proto object;
---------------------------------------Print CPU register
(gdb) i r # Print the values of all CPU registers, excluding floating-point registers and vector registers
(gdb) i all-registers # Print all CPU registers
(gdb) i r es # Print the value of CPU register es
(gdb) p $es # Print the value of CPU register es
(gdb) layout regs # In tui mode, display the register window
(gdb) tui reg float # View floating-point registers
(gdb) tui reg general # View general registers
---------------------------------------Print memory
# n: Positive integer, the number of memory units you want to view
#
# f: Print format:
# - x: hexadecimal
# - d: decimal
# - u: unsigned hexadecimal
# - o: octal
# - t: binary
# - a: hexadecimal
# - c: character format
# - f: floating point
#
# u: Size of a single memory unit:
# - b: single byte
# - h: double byte
# - w: four bytes
# - g: eight bytes
#
# addr: Memory address to print
(gdb) x/<nfu> <addr> # Print memory address, <addr> can be the pointer value of a certain variable; commonly used x/nxb x/nub x/ntb
Using _ and __ for memory debugging#
(gdb) x/16xb a # Print memory
0x7fffffffe4a0: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
0x7fffffffe4a8: 0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f
(gdb) p $_ # $_ stores the last memory address checked with the x command
\$1 = (int8_t *) 0x7fffffffe4af
(gdb) p $__ # $__ stores the value of the last checked memory data with the x command (usually the last byte)
\$2 = 15
--------------------------------------Some GDB commands (like i breakpoint) may modify $_ value.
(gdb) i breakpoint # This command generates an anonymous variable to store the breakpoint, address 0x00000000004004a0, value 1
Num Type Disp Enb Address What
1 breakpoint keep y 0x00000000004004a0 in main at a.c:13
breakpoint already hit 1 time
(gdb) p $_
\$6 = (void *) 0x4004a0 <main+44>
Print the virtual memory of the process#
(gdb) i proc mappings # Display the virtual memory of the current process, including the address range, size, offset, and access permissions of each segment
process 27676 flags:
PR_STOPPED Process (LWP) is stopped
PR_ISTOP Stopped on an event of interest
PR_RLC Run-on-last-close is in effect
PR_MSACCT Microstate accounting enabled
PR_PCOMPAT Micro-state accounting inherited on fork
PR_FAULTED : Incurred a traced hardware fault FLTBPT: Breakpoint trap
Mapped address spaces:
# Start Addr: Segment start address; End Addr: Segment end address; Size: Segment size; Offset: Offset; Flags: Permissions (r readable, w writable, x executable)
Start Addr End Addr Size Offset Flags
0x8046000 0x8047fff 0x2000 0xfffff000 -s--rwx
0x8050000 0x8050fff 0x1000 0 ----r-x
0x8060000 0x8060fff 0x1000 0 ----rwx
0xfee40000 0xfef4efff 0x10f000 0 ----r-x
0xfef50000 0xfef55fff 0x6000 0 ----rwx
0xfef5f000 0xfef66fff 0x8000 0x10f000 ----rwx
0xfef67000 0xfef68fff 0x2000 0 ----rwx
0xfef70000 0xfef70fff 0x1000 0 ----rwx
0xfef80000 0xfef80fff 0x1000 0 ---sr--
0xfef90000 0xfef90fff 0x1000 0 ----rw-
0xfefa0000 0xfefa0fff 0x1000 0 ----rw-
0xfefb0000 0xfefb0fff 0x1000 0 ----rwx
0xfefc0000 0xfefeafff 0x2b000 0 ----r-x
0xfeff0000 0xfeff0fff 0x1000 0 ----rwx
0xfeffb000 0xfeffcfff 0x2000 0x2b000 ----rwx
0xfeffd000 0xfeffdfff 0x1000 0 ----rwx
(gdb) i files # List the locations of each segment in memory, as well as the mapping of the loaded shared libraries' .text, data segment, and uninitialized data segment .bss to virtual memory
Symbols from "/data1/nan/a".
Unix /proc child process:
Using the running image of child Thread 1 (LWP 1) via /proc.
While running this, GDB does not access memory from...
Local exec file:
`/data1/nan/a', file type elf32-i386-sol2.
Entry point: 0x8050950
0x080500f4 - 0x08050105 is .interp
0x08050108 - 0x08050114 is .eh_frame_hdr
0x08050114 - 0x08050218 is .hash
0x08050218 - 0x08050418 is .dynsym
0x08050418 - 0x080507e6 is .dynstr
0x080507e8 - 0x08050818 is .SUNW_version
0x08050818 - 0x08050858 is .SUNW_versym
0x08050858 - 0x08050890 is .SUNW_reloc
0x08050890 - 0x080508c8 is .rel.plt
0x080508c8 - 0x08050948 is .plt
......
0xfef5fb58 - 0xfef5fc48 is .dynamic in /usr/lib/libc.so.1
0xfef5fc80 - 0xfef650e2 is .data in /usr/lib/libc.so.1
0xfef650e2 - 0xfef650e2 is .bssf in /usr/lib/libc.so.1
0xfef650e8 - 0xfef65be0 is .picdata in /usr/lib/libc.so.1
0xfef65be0 - 0xfef666a7 is .data1 in /usr/lib/libc.so.1
0xfef666a8 - 0xfef680dc is .bss in /usr/lib/libc.so.1
Print heap#
Add custom memory allocation print commands in .gdbinit
define mallocinfo
set $__f = fopen("/dev/tty", "w") # Open /dev/tty file for output
call malloc_info(0, $__f) # Call malloc_info function to output memory allocation information to the file
call fclose($__f) # Close the file
end
Debug the program and check memory allocation:
(gdb) mallocinfo
<malloc version="1"> # Version of the memory allocation function used
<heap nr="0"> # The first heap, multi-threaded programs will allocate a separate heap for each thread to reduce inter-thread competition
<sizes> # Allocation status of memory blocks of different sizes; in the example program, no memory blocks are allocated
</sizes>
<total type="fast" count="0" size="0"/> # Fast allocation and other types of memory blocks, count="0" indicates no memory blocks are currently allocated, size="0" indicates memory usage is 0.
<total type="rest" count="0" size="0"/> # This part is for the internal implementation of malloc, usually used to optimize memory allocation and distinguish different memory pools.
<system type="current" size="1134592"/> # Memory currently requested and allocated from the OS
<system type="max" size="1134592"/> # Maximum memory the program can allocate from the OS, indicating that the program is currently not exceeding the system allocation limit.
<aspace type="total" size="1134592"/> # Size of the address space
<aspace type="mprotect" size="1134592"/> # mprotect is a system call used to change the access permissions of a certain segment of memory to protect it from illegal modification
</heap>
<total type="fast" count="0" size="0"/>
<total type="rest" count="0" size="0"/>
<system type="current" size="1134592"/>
<system type="max" size="1134592"/>
<aspace type="total" size="1134592"/>
<aspace type="mprotect" size="1134592"/>
</malloc>
Print parameter variables by actual parameter type in polymorphic interfaces#
#include <iostream> // Example code
using namespace std;
class Shape {
public: virtual void draw () {}
};
class Circle : public Shape {
int radius;
public:
Circle () { radius = 1; }
void draw () { cout << "drawing a circle...\n"; }
};
class Square : public Shape {
int height;
public:
Square () { height = 2; }
void draw () { cout << "drawing a square...\n"; }
};
void drawShape (class Shape &p){ // Expose a polymorphic interface, calling different derived class overloaded draw implementations based on the type of the passed object
p.draw ();
}
int main (void){
Circle a;
Square b;
drawShape (a);
drawShape (b);
return 0;
}
By default, gdb prints the object according to the declared type, so the type of the parameter variable p in the above polymorphic interface function stack frame is always Shape; we want to print the parameter variable according to the actual parameter type in this polymorphic interface function stack frame.
(gdb) set print object on
GDB Pretty Printers#
STL containers use complex memory layouts internally, and printing STL containers directly in GDB will show a bunch of low-level implementation details; GCC provides Python scripts (available since GDB 7.0) to enhance GDB's printing capabilities for C++ containers.
In high versions of gcc (>4.6.0), pretty printer is included by default: /usr/share/gcc/python
gcc.gnu.org Git - gcc.git/tree - libstdc++-v3/python/libstdcxx/
- Add the Pretty Printers script to the .gdbinit of the cpp project
python
import sys
sys.path.insert(0, '/usr/share/gcc/python')
from libstdcxx.v6.printers import register_libstdcxx_printers
register_libstdcxx_printers (None)
end
(gdb) i pretty-printer # Check if STL container Pretty Printers have been successfully enabled
(gdb) set print pretty on
Dependencies#
Shared library#
(gdb) i sharedlibrary # List all shared libraries loaded by the program
(gdb) i sharedlibrary hiredi # List all shared libraries that match the regex hiredi
Macro#
gcc -g3 compiled programs do not contain preprocessor macro information:
(gdb) p NAME No symbol "NAME" in current context.
If you want to view macro information in gdb, you can compile with gcc -g3:
(gdb) p NAME
$1 = "Joe"
Points#
(gdb) i b # Query all breakpoints
(gdb) i watch # List all watchpoints
Source#
In gdb command line, CTRL + X + A brings up the code window in tui, pressing it again exits the code window.
(gdb) dir <source_directory> # Add path to find source
(gdb) set substitute-path /old /new # Replace the old source search path with the new path
(gdb) l # Print the code at the paused location
(gdb) l <function> # Print the code of function function
(gdb) l <file:function> # Print the code of function function in file file
(gdb) l <file:line> # Print the code at line line in file file
(gdb) l - # Print backwards
(gdb) l +
(gdb) focus # tui mode
gdb -tui program # Start in tui mode
----------------Adjust tui window size
win <win_name> +7 # win_name can be src, cmd, asm, regs window; + or - indicates the number of lines displayed
gdb info#
(gdb) show version # View gdb version information
(gdb) show copying # View gdb copyright information
(gdb) show warranty # View gdb disclaimer
gdb -help # Help information
(gdb) apropos set # Find all command information that matches the set regex
(gdb) help b # Get usage of a specific command with help command
Function debugging#
Stack frame tracing#
Stack frame: The stack frame maintains the function execution environment, the frame pointer points to the bottom of the current stack frame, and the stack frame base pointer Stack Pointer always points to the top of the stack frame.
Each time a function is called, a stack frame is maintained on the call stack. Each independent stack frame generally includes:
Stack Pointer→
) Local variables
) Register
) Frame Pointer
) Return address of the next instruction of the current function process
) Arguments created by the passed parameters
) Previous Frame Pointer
Frame Pointer→
(gdb) i functions # List functions defined in the executable file, as well as referenced linked functions and system functions
(gdb) i functions thre* # List functions whose names match the regex expression thre, the * after the regex indicates whether debug information is included
(gdb) bt # Print the function call stack at the current breakpoint
(gdb) frame # Display the current call stack level, the file and line number, etc.
(gdb) frame 2 # Select the second stack frame to view the variables within it
(gdb) up 1 # Switch to the previous stack frame, which is the previous call stack frame
(gdb) down 2
(gdb) up-silently n # Silent switch version
(gdb) down-silently n
(gdb) frame addr # Select the stack frame with the frame number address addr, which is the previous stack frame pointed to by the called by frame
(gdb) i frame # Print the contents of the currently selected function stack frame, by default print the top stack frame
Stack level 0, frame at 0x7fffffffe590: # Top stack frame, Stack Pointer
rip = 0x40054e in func (a.c:5); # Return address points to the next instruction to be executed in func
saved rip = 0x400577 # The return address of the previous stack frame, that is, where to jump after the current function finishes executing
called by frame at 0x7fffffffe5a0 # The Frame Pointer of the previous stack frame
source language c. #
Arglist at 0x7fffffffe580, args: a=1, b=2 # Parameter variables
Locals at 0x7fffffffe580, Previous frame's sp is 0x7fffffffe590 # Local variables, the Stack Pointer of the previous stack frame, here since it is the top stack frame, points to itself
Saved registers: #
rbp at 0x7fffffffe580, rip at 0x7fffffffe588 # Registers
---------------------Print tail call stack frame
# Open O1's Tail call optimization option for compilation: when a series of functions' last instruction is to call another function, it is optimized to: the function directly calls the final function, and the intermediate function is optimized away at the assembly level
(gdb) set debug entry-values 1 # Set: in addition to outputting normal function stack frame information, also output tail call related information
---------------------Print local variables of each layer of function call stack
(gdb) bt # Print the function call stack at the current breakpoint
#0 fun_a () at a.c:6
#1 0x000109b0 in fun_b () at a.c:12
(gdb) bt full # Print local variables of each layer
#0 fun_a () at a.c:6
a = 0
#1 0x000109b0 in fun_b () at a.c:12
b = 1
(gdb) bt full n # Print local variables of the top n layers
(gdb) bt full -n # Print local variables of the bottom n layers
Function execution control#
(gdb) finish # Run until exiting the current function
(gdb) return val # Do not execute the remaining statements of the function, directly return the value val
(gdb) call func() # Run this statement when stopped at a certain point, directly call and execute the func function defined in the executable file
(gdb) print func() # Run this statement when stopped at a certain point, directly call and execute the func function defined in the executable file
Enter functions without debug information#
By default, (gdb) s will not enter functions without debug information and will skip them like (gdb) n;
The reasons for not having debug information:
- The
-goption for generating debug information was not enabled, especially for linked shared libraries, the provider did not enable-gduring compilation -O2or-O3optimized away- Inline functions are embedded by the compiler at the call site, so they do not appear as independent functions in debugging. You can disable inline optimization through compilation options.
(gdb) set step-mode on # Set to not skip functions without debug information, even if there is no debug information, you can enter first, then enable assembly debugging
$_exitcode for printing program exit status code#
(gdb) p $_exitcode
Process/Thread debugging#
Process/Thread execution control#
By default, gdb prints a prompt when it detects that a thread has been created or exited.
(gdb) set print thread-events off # Turn off print prompts
# To avoid interference from other threads when debugging one thread
(gdb) set scheduler-locking off # By default, gdb only controls the execution of the debugged single thread, while the scheduling of other threads is independent
(gdb) set scheduler-locking on # Lock scheduling, when debugging one thread, other threads are blocked until explicitly switch threads or finish debugging.
(gdb) set scheduler-locking step # When single-stepping with step, other threads will be paused; when debugging with next, other threads may continue executing.
(gdb) thread apply <id1><id2> command # Execute gdb command on specified thread set
(gdb) thread apply all command # Execute gdb command on specified thread set
Process debugging#
When debugging multi-process programs, GDB controls the parent process by default while the child processes run independently.
---------------------------------Debugging non-locking scheduled fork processes: one process gdb controls execution, one runs independently
(gdb) set follow-fork-mode child # GDB pauses at fork(), if (gdb) n tracks the parent process, you can tell gdb to track the child process; this command may not be supported on non-linux
(gdb) start
(gdb) n
(gdb) set follow-fork-mode parent # Default control of the parent process (default)
(gdb) i inferiors # Display all processes currently being debugged, including parent and child processes
(gdb) inferior <num> # Switch to debugging the specified process num
(gdb) attach <pid> # Equivalent to switching tracking
---------------------------------Debugging locking scheduled fork processes: both parent and child processes are controlled by gdb for alternating execution and concurrent scheduling
(gdb) set detach-on-fork on # Default
(gdb) set detach-on-fork off # Debug both parent and child processes simultaneously
(gdb) start # The program will stop at the fork() call.
(gdb) i inferiors # Display all processes currently being debugged, including parent and child processes
(gdb) inferior <num> # Switch to debugging the specified process num
(gdb) n
---------------------------------Debugging parallel parent and child processes:
(gdb) set schedule-multiple off # Default
(gdb) set detach-on-fork off # Debug both parent and child processes simultaneously
(gdb) set schedule-multiple on # When executing to fork(), the parent and child processes will run in parallel
(gdb) start
---------------------------------Debugging multiple processes
gdb a
(gdb) start
(gdb) add-inferior -copies 2 -exec b #-copies number of copied processes, -exec specifies the executable file to load
(gdb) i inferiors
Num Description Executable
3 <null> /home/nanxiao/b
2 <null> /home/nanxiao/b
* 1 process 1586 /home/nanxiao/a
(gdb) inferior 2 # Debug process 2
(gdb) clone-inferior -copies 1 # Clone the currently debugged program
(gdb) i inferiors
Num Description Executable
4 <null> /home/nanxiao/b
3 <null> /home/nanxiao/b
* 2 process 1590 /home/nanxiao/b
1 process 1586 /home/nanxiao/a
Print process space#
--------------------------Print all process spaces in the debugging session
(gdb) maint info program-spaces # Print all process spaces in the debugging session, including process space number and bound process id
Id Executable
4 /home/nan/b
Bound inferiors: ID 4 (process 0)
3 /home/nan/b
Bound inferiors: ID 3 (process 0)
* 2 /home/nan/b
Bound inferiors: ID 2 (process 15902)
1 /home/nan/a
Bound inferiors: ID 1 (process 15753)
Thread debugging#
(gdb) i threads # View all thread numbers in the current program, thread id, and the current call stack function
(gdb) i threads 1 2 # View specified threads
(gdb) thread 2 # GDB switches to debugging thread 2, displaying the current call stack function of that thread
(gdb) wa a thread 2 # Only trigger the watchpoint for variable a in thread 2
pstack <pid> # You can dump the thread id and backtrace of all threads under a certain process in advance for easy gdb debugging
$_thread for thread debugging#
# Can help you quickly locate potential issues in concurrent programs, such as race conditions, deadlocks, etc.
(gdb) watch a # Monitor variable a
(gdb) command 2 # Set to automatically execute gdb command when breakpoint number 2 is triggered: print the thread modifying a
> printf "thread id=%d\n", $_thread # $_thread will be replaced with the current thread's thread ID
> end
Solaris specific thread debugging cmd#
(gdb) maint info sol-threads # View all threads in the current program: type, number, corresponding lwp, current thread status, and the entry function of that thread
user thread #1, lwp 1, (active)
user thread #2, lwp 2, (active) startfunc: monitor_thread
user thread #3, lwp 3, (asleep) startfunc: mem_db_thread
- Sleep func: 0x000aa32c # If the thread is in a sleeping state, it will also display the address of the sleep function
Asynchronous Debugging#
Synchronous tasks are operations executed in a specific order (such as multithreading mutually exclusive modifications to memory), common synchronization mechanisms (lock mechanisms) will block other tasks during execution.
Asynchronous tasks are operations that need to wait; asynchronous tasks need to efficiently utilize system resources: they need to yield the CPU during operations that need to wait, and then preempt the currently executing task when the operation is completed through some mechanism (such as signals, event loops, callbacks, thread pools, etc.).
signals debugging#
GDB provides powerful signal handling control capabilities.
(gdb) i signals # View the default handling method for each signal in the current debugging process
Signal Stop Print Pass to program Description # Signal name, whether capturing the signal stops the program, whether to print information, whether GDB will pass it to the program for custom handler processing, description
SIGHUP Yes Yes Yes Hangup
SIGINT Yes Yes No Interrupt # This signal will not be passed to the program for processing, but is used for process control
SIGQUIT Yes Yes Yes Quit
...
SIGALRM No No Yes Alarm clock
(gdb) handle <Signal> nostop # Capture SIGHUP signal without stopping the program
(gdb) handle <Signal> stop
(gdb) handle <Signal> noprint
(gdb) handle <Signal> print
(gdb) handle <Signal> nopass # Whether to pass to the program, allowing the program to use custom handle processing
(gdb) handle <Signal> pass
(gdb) signal <Signal> # Send a signal to the debugging program, which is more convenient than switching to shell and using kill
(gdb) signal 0 # After the program is paused, use this to make the program run again
$_siginfo handling abnormal exit#
$_siginfo stores detailed information about the currently received signal. This is particularly useful when handling signals such as SIGSEGV (segmentation fault) or SIGFPE (arithmetic error).
(gdb) ptype $_siginfo
type = struct {
int si_signo; # Signal number, indicating the type of signal received.
int si_errno; # Error information related to the signal (usually 0).
int si_code; # Additional information provided by the kernel, describing the specific reason for the signal.
union {
int _pad[28];
struct {...} _kill;
struct {...} _timer;
struct {...} _rt;
struct {...} _sigchld;
struct {...} _sigfault;
struct {...} _sigpoll;
} _sifields; # Contains different structure information based on the type of signal, providing more signal-specific data.
}
(gdb) ptype $_siginfo._sifields._sigfault
type = struct {
void *si_addr;
}
(gdb) p $_siginfo._sifields._sigfault.si_addr # View the memory address that caused the segmentation fault
\$4 = (void *) 0x850e
Deadlock debugging#
Core dump#
ulimit -a
-a Display the current resource limit settings.
-c <core file limit> Set the maximum size of core files, in blocks.
-d <data segment size> The maximum size of the program data segment, in KB.
-f <file size> The maximum file that the shell can create, in blocks.
-H Set the hard limit of resources, which is the limit set by the administrator.
-m <memory size> Specify the upper limit of memory that can be used, in KB.
-n <number of files> Specify the maximum number of files that can be opened at the same time.
-p <buffer size> Specify the size of the pipe buffer, in 512 bytes.
-s <stack size> Specify the upper limit of the stack, in KB.
-S Set the elastic limit of resources.
-t <CPU time> Specify the upper limit of CPU usage time, in seconds.
-u <number of programs> The maximum number of programs that a user can open.
-v <virtual memory size> Specify the upper limit of virtual memory that can be used, in KB.
Generally, when ulimit -c unlimited is set; when the program encounters a serious error (such as segmentation fault, illegal instruction, etc.), it dumps the program machine states to the core file for troubleshooting.
ulimit -c # Check if the system currently allows generating core files; returning 0 indicates that core file generation is disabled. Output a positive integer indicates the size of the core file that the system allows to be generated in bytes
ulimit -c unlimited # Adjust the size limit for generating core files
echo "/coredump/core.%e.%p" > /proc/sys/kernel/core_pattern # Edit /etc/sysctl.conf or /proc/sys/kernel/core_pattern file to set the save path for core files, with the filename as core.<program name>.<PID>
-------------Generate core
(gdb) generate-core-file # Generate a core file, recording the current debugging process state. The default generated core file name is core.<PID>
(gdb) generate-core-file my_core_dump # Specify a custom filename for the core file
(gdb) gcore # The gcore tool has the same effect as the generate-core-file command in gdb, the default generated core dump file name is core.<PID>
(gdb) gcore my_core_dump
#gcore tool can perform core dump on a running process (even if the process has not crashed), generating a snapshot of that process's memory:
ps aux | grep <your_program> # Find the pid of the process
gcore <pid> # Generate core.<PID> file
-------------------Analyze core
gdb -c core.a.1402638140 ./a.out # Debug the core file generated by ./a.out
(gdb) bt full # View the exception backtrace, see where it crashed
(gdb) i locals
# Or load the coredump like below
gdb -q
(gdb) file ./a.out
(gdb) core /coredump/core.a.1402638140
Assembly debugging#
Print assembly#
(gdb) disass # Print the current assembly instructions
(gdb) disassemble func # Print the assembly instructions of the func function
(gdb) disas /m func # Display source code along with assembly instructions
(gdb) disassemble /r func # Print the machine code of the func function in hexadecimal
(gdb) disassemble /mr func # Assembly + machine code
(gdb) i line 13 # View the starting and ending addresses of the assembly instructions involved in this line
Line 13 of "foo.c" starts at address 0x4004e9 <main+37> and ends at 0x40050c <main+72>.
(gdb) disassemble 0x4004e9, 0x40050c # View the assembly instructions corresponding to the address range
(gdb) set disassemble-next-line off
(gdb) set disassemble-next-line on # Automatically disassemble the code to be executed next
(gdb) set disassemble-next-line auto # Disassemble the code to be executed next only when there is no source code, usually for functions without debug information
(gdb) set disassembly-flavor intel # Intel format; similarly, at&t format for at&t
(gdb) display /ni $pc # Print the next n assembly instructions to be executed every time returning to the gdb command line
(gdb) undisplay
(gdb) layout asm # Display the assembly code window in tui mode
(gdb) layout split # Display both assembly and source in tui mode
Assembly debugging run control#
(gdb) si # Step execute one assembly instruction
(gdb) ni # Do not step into
Set a breakpoint at the first assembly instruction of a function#
-------eg:
#include <stdio.h>
int global_var;
void change_var(){
global_var=100;
}
int main(void){
change_var();
return 0;
}
The command to set a breakpoint for the function: "b func" will not set the breakpoint at the beginning of the function at the assembly instruction level:
(gdb) b main
Breakpoint 1 at 0x8050c12: file a.c, line 9.
(gdb) r
Starting program: /data1/nan/a
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]
[Switching to Thread 1 (LWP 1)]
Breakpoint 1, main () at a.c:9
9 change_var();
(gdb) disassemble
Dump of assembler code for function main:
0x08050c0f <+0>: push %ebp
0x08050c10 <+1>: mov %esp,%ebp
=> 0x08050c12 <+3>: call 0x8050c00 <change_var>
0x08050c17 <+8>: mov $0x0,%eax
0x08050c1c <+13>: pop %ebp
0x08050c1d <+14>: ret
End of assembler dump.
To set the breakpoint at the beginning of the function at the assembly instruction level, you need to add * to the breakpoint: "b *func":
(gdb) b *main
Breakpoint 1 at 0x8050c0f: file a.c, line 8.
(gdb) r
Starting program: /data1/nan/a
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]
[Switching to Thread 1 (LWP 1)]
Breakpoint 1, main () at a.c:8
8 int main(void){
(gdb) disassemble
Dump of assembler code for function main:
=> 0x08050c0f <+0>: push %ebp
0x08050c10 <+1>: mov %esp,%ebp
0x08050c12 <+3>: call 0x8050c00 <change_var>
0x08050c17 <+8>: mov $0x0,%eax
0x08050c1c <+13>: pop %ebp
0x08050c1d <+14>: ret
End of assembler dump.
Modify the binary file of the debugged program#
Modify the binary file of the debugged program | 100 gdb tips
gdb logging#
gdb does not enable logging by default; if enabled, a gdb.txt file will be generated in the current directory to record all output results of the gdb command line for easy historical review.
(gdb) show logging # View log settings
(gdb) set logging on # Set to enable gdb logging
(gdb) set logging off
(gdb) set logging file log.txt # Change the log file path to log.txt
(gdb) set logging redirect on # The output in the GDB session (including command execution results and debugging information) will be written to the log file instead of displayed in the terminal.
(gdb) set logging redirect off
(gdb) set logging overwrite on # Each time GDB starts and logging is enabled, if the log file already exists, it will be recorded in overwrite mode
(gdb) set logging overwrite off # Append mode recording
.gdb_history#
gdb does not save historical commands by default; if saved, the historical commands are saved by default in the .gdb_history file in the current directory.
(gdb) set history save on # Enable saving gdb historical commands
(gdb) set history filename ~/.gdbcmd # Set save path
.gdbinit template#
When gdb starts, it will execute the commands in the .gdbinit script in the HOME directory and the current directory.
C project#
C++ project#
# Print contents in STL containers
python
import sys
sys.path.insert(0, "/home/xmj/project/gcc-trunk/libstdc++-v3/python")
from libstdcxx.v6.printers import register_libstdcxx_printers
register_libstdcxx_printers (None)
end
# Save historical commands
set history filename ~/.gdb_history
set history save on
# Do not display prompt information when exiting
set confirm off
# Print objects according to derived type
set print object on
# Print array index subscripts
set print array-indexes on
# Print one struct member per line
set print pretty on
Memory debugging#
todo#
gdb multi-window management
View object types
C++ cross-platform multithreading
Multithreading debugging management
Find threads, thread breakpoints
Execute commands for threads
Thread log information control
Call internal and external functions
Skip functions
Create and debug release versions
Make patches for software
Memory leak detection
Memory checking
Remote debugging
Deadlock debugging
Core dump basics
Stack overflow core dump analysis
Analysis of coredump without debug symbols
Software "cracking"