| # Linux Minidump Code Lab |
| |
| [TOC] |
| |
| ## About Minidumps |
| |
| Minidump is a file format for storing parts of a program's state for later |
| inspection. [Microsoft's |
| Documentation](https://docs.microsoft.com/en-us/windows/desktop/api/minidumpapiset/) |
| defines the format though the [Rust |
| Documentation](https://docs.rs/minidump/latest/minidump/format/index.html) |
| is sometimes easier to navigate. The minidump implementation and tools used by |
| Chrome are |
| [Breakpad](https://chromium.googlesource.com/breakpad/breakpad/+/refs/heads/main/README.md) |
| and |
| [Crashpad](https://chromium.googlesource.com/crashpad/crashpad/+/main/README.md). |
| However, the tools of interest here are from the Breakpad project. |
| |
| ## Create a Minidump |
| |
| When Chrome crashes it writes out a minidump file. The minidump file is written |
| under the application product directory. On Linux this is |
| `<XDG_CONFIG_HOME>/<app-name>/Crash Reports`. The default for `XDG_CONFIG_HOME` |
| is `~.config`. Common `<app-name>`s are `chromium`, `google-chrome`, |
| `google-chrome-beta`, and `google-chrome-unstable`. A typical example is |
| `~.config/google-chrome/Crash Reports`. When a minidump is uploaded it will be |
| moved between the `new`, `pending`, and `completed` subdirectories. The minidump |
| file is named something like `<uuid>.dmp`. If the minidump is uploaded to the |
| crash reporting system, the `<uuid>.meta` file will contain the crash report id. |
| Those with access can find the uploaded report at `go/crash/<report-id>`, where |
| the minidump file will be available with a name like |
| `upload_file_minidump-<report-id>.dmp`. |
| |
| To create a minidump, you can use a local build of Chromium or a release |
| version of Chrome. Run the browser with the environment variable |
| `CHROME_HEADLESS=1`, which enables crash dumping but prevents crash dumps from |
| being uploaded and deleted. Something like `$ env CHROME_HEADLESS=1 |
| ./out/debug/chrome-wrapper` or `$ env CHROME_HEADLESS=1 |
| /opt/google/chrome/google-chrome`. Navigate to `chrome://crash` to trigger a |
| crash in the renderer process or reproduce your current crash bug. A crash dump |
| file should appear in the `Crash Reports` directory. |
| |
| ## Inspect the Minidump |
| |
| To get an idea about what is in a minidump file, install the Okteta hex editor |
| and add the [Minidump Structure |
| Definition](https://github.com/bungeman/structures/tree/main/okteta-minidump). |
| Open the minidump previously created and explore the information it contains. |
| |
| One quirk to notice is that there is a `ThreadListStream` which contains |
| `MINIDUMP_THREAD`s which contain a `MINIDUMP_THREAD_CONTEXT` and an |
| `ExceptionStream` which also contains a `MINIDUMP_THREAD_CONTEXT`. The thread |
| list contains the thread contexts as they existed when the crash reporter was |
| running. The exception's thread context is the state of the crashing thread at |
| the time that it crashed, which is generally the most interesting thread |
| context. When using the Breakpad tools for Linux (like `minidump_stackwalk` and |
| `minidump-2-core`) the thread context from the exception record is used in place |
| of the thread context associated with the corresponding thread. |
| |
| Each `MINIDUMP_THREAD` contains a `StackMemoryRva` which is a reference to to a |
| copy of the stack on that thread at the time the crash handler was running. |
| Parsing a stack usefully requires additional debug information. |
| `minidump_stackwalk` or a debugger may be used to parse the stack memory to |
| create a usable trace. |
| |
| ## Get the Tools |
| |
| From a Chromium checkout `ninja -C out/release minidump-2-core |
| minidump_stackwalk dump_syms`. From a [Breakpad |
| checkout](https://chromium.googlesource.com/breakpad/breakpad/) `make`. It can |
| be useful to use Breakpad directly on machines where one does not already have |
| a Chromium checkout. |
| |
| When working at this level, one will also want to have `readelf` and |
| `objdump` available, which are available from most distributions. |
| |
| ## Get Executables and Symbols |
| |
| In addition to the minidump, you will need the exact executables of Chromium or |
| Chrome which produced the minidump and those executable's symbols. If the |
| minidump was created locally, you already have the executables. Symbols for |
| Google Chrome's official builds are available from |
| `https://edgedl.me.gvt1.com/chrome/linux/symbols/google-chrome-debug-info-linux64-${VERSION}.zip` |
| where `${VERSION}` is any version of Google Chrome that has recently been served |
| to Stable, Beta, or Unstable (Dev) channels on Linux, like `114.0.5696.0`. Those |
| with access can find both executables and symbols for unreleased builds at |
| `go/chrome-symbols`. |
| |
| For symbols outside of Chrome (like when the crash is happening in a shared |
| library) then symbols for the files of interest must be found. If the minidump |
| was created locally then install the symbol packages from your distribution. If |
| not, you will need to track down the exact symbol files, which can be an |
| interesting exercise. For some distributions using the |
| [debuginfod](https://sourceware.org/elfutils/Debuginfod.html) system can be |
| quite helpful. |
| |
| To ensure the correct binaries and debug symbols are used, the minidump contains |
| the build-id for each loaded module in the `ModuleListStream` in the |
| `CvRecordRva`'s `Signature`. This build-id is matched against a note |
| section of type `NT_GNU_BUILD_ID`, usually named `.note.gnu.build-id` in the |
| executable and symbol files. This note can be inspected with `readelf -n |
| <file>` like `readelf -n chrome` or `readelf -n chrome.debug` and looking for |
| the `.note.gnu.build-id` section. `readelf` reports the `Build ID` as the flat |
| bytes in the note, but Breakpad binaries like `stackwalk_minidimp` and |
| `dump_syms` will report and expect this truncated to a formatted Type 2 GUID |
| (without dashes). This means `readelf` will output a `<build-id>` like |
| 33221100554477668899AABBCCDDEEFFXXXXXXXX but crashpad binaries will expect and |
| report this as a `<build-uuid>` of 00112233445566778899AABBCCDDEEFF. |
| |
| The `.gnu_debuglink` section states which debug symbol file to use with a |
| striped binary. For example `readelf --string-dump=.gnu_debuglink chrome` |
| produces `chrome.debug`. This can be helpful to know for libraries with |
| interesting debug symbol setup, like libc.so.6. |
| |
| ## Create Symbolized Stack |
| |
| Given a minidump with the name `mini.dmp` |
| |
| `minidump_stackwalk mini.dmp > mini.stackwalk.nosym` |
| |
| This will produce a mostly unsymbolized summary of the crash. To symbolize, look |
| toward the bottom of the output for `WARNING: No symbols, <file>, <build-uuid>`. |
| For each `<file>` which is of interest, `mkdir -p symbols/<file>/<build-uuid>` then |
| `dump_syms <file> <directory-with-file.debug> > |
| symbols/<file>/<build-uuid>/<file>.sym`. Ensure this output `<file>.sym` |
| contains the expected `<build-uuid>`. Then re-run `minidump_stackwalk` but |
| with the symbols directory, like `minidump_stackwalk mini.dmp symbols/ > |
| mini.stackwalk`. |
| |
| The output of `minidump_stackwalk` is often quite useful and enough to track |
| down many issues. However, it does not fully use all of the information from |
| DWARF, so it is possible sometimes to get much better stack traces from a full |
| debugger like gdb. This is particularly true when functions have been |
| aggressively inlined. |
| |
| ## Create Core File |
| |
| `minidump-2-core mini.dmp > mini.core` |
| |
| ## Loading into GDB |
| |
| This works best if the binaries, symbols, and core files are all in different |
| directories to prevent gdb from automatically loading them into the wrong |
| locations. This is also generally necessary when using a system installed |
| version of Chrome. For full details see [the gdb |
| manual](https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html). |
| The easiest way is to rename and move the .debug files to a directory structure |
| like `<debugdir>/debug/.build-id/nn/nnnnnnnn.debug` where `nn` are the first |
| two hex characters of the `build-id`, and `nnnnnnnn` are the rest of the hex |
| characters of the `build-id`. Note that this `build-id` is exactly what is |
| reported by `readelf -n <binary> | grep "Build ID"` and not the `build-uuid` |
| used by Breakpad. Then in gdb use `show debug-file-directory` to get the |
| `<previous-directories>` and `set debug-file-directory |
| <previous-directories>:<debugdir>/debug`. |
| |
| The `offset`s used here are the offsets of the corresponding module from the |
| output of `minidump_stackwalk` or (equivalently) the value of |
| `ModuleListStream::Modules[]::BaseOfImage` from the minidump file (which can be |
| read with the structure definition). |
| |
| ``` |
| $ gdb |
| (gdb) file <executable> |
| (gdb) show debug-file-directory |
| <previous directories> |
| (gdb) set debug-file-directory <previous directories>:<debugdir>/debug |
| (gdb) symbol-file <executable> -o <executable-offset> |
| (gdb) core-file <mini.core> |
| ``` |
| |
| Running the commands in this order avoids needing to load the symbols twice and |
| maps the `<executable>` to the expected location. |
| |
| To add an additional shared library it is possible to |
| `(gdb) add-symbol-file <shared-library> -o <shared-library-offset>` |
| |
| Source paths in Chrome builds are relative to the `out/<build>` directory. If you |
| have a Chromium checkout at or around when the Chrome build was created, it can |
| be added to the debugger search path, like |
| |
| ``` |
| (gdb) directory <path-to-chromium>/chromium/src/out/<build>/ |
| ``` |
| |
