Linked-list debugging in gdb

Quite a few of the codebases I've worked on have some form of linked list implementation; generally a list node type:

struct list_node {
    struct list_node *prev;
    struct list_node *next;
};

... and sometimes (for type-safety) a separate type for the lists themselves:

struct list {
    struct list_node head;
};

Debugging these lists often means a lot of manual pointer-chasing, which can be error prone. If your list iterators are causing segfaults, it'd be nice to be able to track down invalid list entries.

python gdb extensions

It turns out we can write a little code to automate this, using the gdb module. Amongst other things, we can define our own commands to use in the standard gdb interpreter.

The skeleton code to implement a gdb command in python goes something like this:

import gdb

class MyNewCommand(gdb.Command):

    def __init__(self):
        super(MyNewCommand, self).__init__("my-new-command",
                gdb.COMMAND_DATA, gdb.COMPLETE_SYMBOL)

    def invoke(self, argument, from_tty):
        args = gdb.string_to_argv(argument)
        expr = args[0]
        list = gdb.parse_and_eval(expr)

        # command implementation goes here ...

MyNewCommand()

In a nutshell:

We define a new subclass of gdb.Command
Our new class' __init__() function will register the command name ("my-new-command" in this example) with the gdb interpreter, and pass a few hints about the command's usage.
The invoke() function is called when the user invokes the command at the gdb interpreter interface.
The invoke() implementation can access the debugger's state thorugh the gdb python module.
Finally, we create an instance of the new class to get it registered with the interpreter.

The class' docstring is used by gdb's inline help command, which makes documenting your new command a total piece of cake.

Back to our list example, I've written a little python gdb extension to iterate and print a list:

#!/usr/bin/env python

import gdb

class ListPrintCommand(gdb.Command):
    """Iterate and print a list.

list-print <EXPR> [MAX]

Given a list EXPR, iterate though the list nodes' ->next pointers, printing
each node iterated. We will iterate thorugh MAX list nodes, to prevent
infinite loops with corrupt lists. If MAX is zero, we will iterate the
entire list.

List nodes types are expected to have a member named "next". List types
may be the same as node types, or a separate type with an explicit
head node, called "head"."""

    MAX_ITER = 20

    def __init__(self):
        super(ListPrintCommand, self).__init__("list-print",
                gdb.COMMAND_DATA, gdb.COMPLETE_SYMBOL)

    def invoke(self, argument, from_tty):
        args = gdb.string_to_argv(argument)
        if len(args) == 0:
            print "Argument required (list to iterate)"
            return

        expr = args[0]

        if len(args) == 2:
            max_iter = int(args[1])
        else:
            max_iter = self.MAX_ITER

        list = gdb.parse_and_eval(expr)

        fnames = [ f.name for f in list.type.fields() ]

        # handle lists with a separate list type....
        if 'head' in fnames:
            head = list['head']

        # ...and those with the head as a regular node
        elif 'next' in fnames:
            head = list

        else:
            print "Unknown list head type"
            return

        # if the type has a 'prev' member, we check for validity as we walk
        # the list
        check_prev = 'prev' in [ f.name for f in head.type.fields() ]

        print "list@%s: %s" % (head.address, head)
        node = head['next']
        prev = head.address
        i = 1

        while node != head.address:
            print "node@%s: %s #%d" % (node, node.dereference(), i)

            if check_prev and prev != node['prev']:
                    print " - invalid prev pointer!"

            if i == max_iter:
                print " ... (max iterations reached)"
                break

            prev = node
            node = node['next']
            i += 1

        if check_prev and i != max_iter and head['prev'] != prev:
            print "list has invalid prev pointer!"

ListPrintCommand()

This defines a new function, list-print, which takes an expression as an argument, and iterates through the list nodes:

(gdb) list-print handler->devices[0]->device->boot_options
list@0x6128f0: {prev = 0x6129f8, next = 0x613918}
node@0x613918: {prev = 0x6128f0, next = 0x613568} #1
node@0x613568: {prev = 0x613918, next = 0x6131b8} #2
node@0x6131b8: {prev = 0x613568, next = 0x612e08} #3
node@0x612e08: {prev = 0x6131b8, next = 0x6129f8} #4
node@0x6129f8: {prev = 0x612e08, next = 0x6128f0} #5
(gdb)

To use the gdb-list macro: download gdb-list.py (2.2 kB), and source it into your gdb session:

(gdb) source ~/devel/gdb-list/gdb-list.py

Then you should be able to invoke list-print <symbol> to debug your list structures. Typing help list-print will show the command's docstring:

(gdb) help list-print 
Iterate and print a list.

list-print <EXPR> [MAX]

Given a list EXPR, iterate though the list nodes' ->next pointers, printing
each node iterated. We will iterate thorugh MAX list nodes, to prevent
infinite loops with corrupt lists. If MAX is zero, we will iterate the
entire list.

List nodes types are expected to have a member named "next". List types
may be the same as node types, or a separate type with an explicit
head node, called "head".
(gdb)

comments

Baijnath Jaiswal

Hi, Nice article.:-) But can this script be used to print the information from linux kernel's list (e.g. struct list_head). For example the structure is something like this:

struct my_struct {

    struct my_hardware_context ahw;
    int open_netdev;
    struct net_device *netdev;
    struct pci_dev *pdev;
    struct list_head mac_list;
    ....
    ....
};

so i am able to print the content of 'struct my_struct' , struct my_hardware_context ahw, but not the content of pointers and list ( e.g. struct net_device *netdev, struct pci_dev *pdev, struct list_head mac_list) automatically. So can you tell me how to print these using your script ?

Thanks in advance.

posted at 7:45 p.m. on 27 May 2013

Jeremy Kerr

Hi Baijnath,

The list-print gdb command will allow you to iterate the list nodes in struct mystruct, but it doesn't do anything special with the "container type" that contains the mac_list member.

So, you're able to print the list itself, you'll just see the same output as above. For example, using the source:

int main(void)
{
    struct list_head list = LIST_HEAD_INIT(list);
    struct my_struct s1, s2, s3;

    s2.open_dev = 2;

    list_add(&list, &s1.mac_list);
    list_add(&list, &s2.mac_list);
    list_add(&list, &s3.mac_list);

    breakpoint();

    return EXIT_SUCCESS;
}

We can print the list itself:

(gdb) run
Starting program: /home/jk/tmp/lists/list

Breakpoint 1, main () at list.c:29
29  breakpoint()
(gdb) list-print list
list@0x7fffffffe270: {next = 0x7fffffffe2f8, prev = 0x7fffffffe298}
node@0x7fffffffe2f8: {next = 0x7fffffffe2c8, prev = 0x7fffffffe270} #1
node@0x7fffffffe2c8: {next = 0x7fffffffe298, prev = 0x7fffffffe2f8} #2
node@0x7fffffffe298: {next = 0x7fffffffe270, prev = 0x7fffffffe2c8} #3
(gdb)

.. but we don't get any other information about struct my_struct. However, you can always use the pointers to find the containing type:

# find the offset of the mac_list member in struct my_struct
(gdb) p &((struct my_struct *)0)->mac_list
$1 = (struct list_head *) 0x18

# print the my_struct info for the second item in the list
(gdb) p *(struct my_struct *)(0x7fffffffe2c8 - 0x18)
$2 = {open_dev = 2, netdev = 0x0, pdev = 0x0, 
  mac_list = {next = 0x7fffffffe2c8, prev = 0x7fffffffe270}}

Alternatively, you could add a new list-print-entry macro that, given the container type name and the member name, prints the dereferenced struct while iterating the list.

posted at 10:16 p.m. on 27 May 2013

Baijnath Jaiswal

@Jeremy Kerr, Thanks for your quick response :-) Well now i am able to print all members content of 'struct my_struct' using -

x=gdb.parse_and_eval(expr),

if x.type.keys() is a pointer then

x1= x.dereference()

and finally x1.fetch_lazy() (pseudo code)

except kernel list 'list_head mac_list' (there are more such lists in my_struct). I am not able to print the dereferenced struct as you suggested above :-( Can you please suggest me a sample code to do this. Thanks.

posted at 4:12 p.m. on 30 May 2013

Baijnath Jaiswal

for clarification, this is the script i am using:

import gdb

def is_container(v): c = v.type.code return (c == gdb.TYPE_CODE_STRUCT or c == gdb.TYPE_CODE_UNION)

def is_pointer(v): return (v.type.code == gdb.TYPE_CODE_PTR)

def print_struct_follow_pointers(s, level_limit = 3, level = 0): indent = ' ' * level

if not is_container(s):
    gdb.write('%s\n' % (s,))
    return

if level >= level_limit:
    gdb.write('%s { ... },\n' % (s.type,))
    return

gdb.write('%s {\n' % (s.type,))
for k in s.type.keys():
    v = s[k]
    if is_pointer(v):
        gdb.write('%s %s: %s' % (indent, k, v))
        try:
            v1 = v.dereference()
            v1.fetch_lazy()
        except gdb.error:
            gdb.write(',\n')
            continue
        else:
            gdb.write(' -> ')
        print_struct_follow_pointers(v1, level_limit, level + 1)
    elif is_container(v):
        gdb.write('%s %s: ' % (indent, k))
        print_struct_follow_pointers(v, level_limit, level + 1)
    else:
        gdb.write('%s %s: %s,\n' % (indent, k, v))
gdb.write('%s},\n' % (indent,))

class PrintStructFollowPointers(gdb.Command): ''' print-struct-follow-pointers [/LEVEL_LIMIT] STRUCT-VALUE ''' def init(self): super(PrintStructFollowPointers, self).init( 'print-struct-follow-pointers', gdb.COMMAND_DATA, gdb.COMPLETE_SYMBOL, False)

def invoke(self, arg, from_tty):
    s = arg.find('/')
    if s == -1:
        (expr, limit) = (arg, 3)
    else:
        if arg[:s].strip():
            (expr, limit) = (arg, 3)
        else:
            i = s + 1
            for (i, c) in enumerate(arg[s+1:], s + 1):
                if not c.isdigit():
                    break
            end = i
            digits = arg[s+1:end]
            try:
                limit = int(digits)
            except ValueError:
                raise gdb.GdbError(PrintStructFollowPointers.__doc__)
            (expr, limit) = (arg[end:], limit)
    try:
        v = gdb.parse_and_eval(expr)
    except gdb.error, e:
        raise gdb.GdbError(e.message)

    print_struct_follow_pointers(v, limit)

PrintStructFollowPointers()

And testing it by using:

(gdb) print-struct-follow-pointer *(struct my_struct *)dev_base->priv

It is printing all the fields of 'struct my_struct' but it is not iterating the list_head mac_list or other kernel lists.

posted at 8:03 p.m. on 30 May 2013

mani

(gdb) source firstScript.py
Traceback (most recent call last):
  File "gdbtest2.py", line 12, in <module>
    HelloWorld ()
TypeError: Required argument 'name' (pos 1) not found

I am getting above mentioned error

posted at 8:33 p.m. on 02 May 2016

Jeremy Kerr

Hi Mani,

Without the code to either gdbtest2.py or firstScript.py, it's hard to tell what's happening there. Also, it doesn't look like either of these are the linked-list debugging script from this page.

However, at a wild guess, have you left out the first argument to the gdb.Command constructor?

posted at 8:39 p.m. on 02 May 2016

Anu

I have to write a pretty printer to print all the buffers which are connected to the head. Below is my .cc implementation on the code:

Header File:

#define    APPEND_BUF(fifo,b)                    \
{                                \
    (b)->b_forw = 0;                    \
    if ( (fifo)->head )                    \
        ((buf_t *)((fifo)->tail))->b_forw = (b);    \
    else                            \
        (fifo)->head = (b);                \
    (fifo)->tail = (b);                    \
}

Actual code:

m_Buf.b_timestamp = 0xc0defeed;

mm.head = 0;
m_Head.tail = 0;

buf_t buf1;
buf1.b_timestamp = 0xdeadface;
APPEND_BUF(&m_Head, &buf1);
printf("appended buf1\n");
// if you crash here, m_Head should print buf1
buf_t buf2;
buf2.b_timestamp = 0xc0defeed;
APPEND_BUF(&m_Head, &buf2);
printf("appended buf2\n");
// if you crash here, m_Head should print buf2, buf1
buf_t* bufTmp = m_Head.head;
m_Head.head = static_cast<buf_t*>(m_Head.head->b_forw);
printf("dequeued buf2\n");
// bufTmp now has one that's been removed from the queue
// if you crash here, m_Head should print buf1

buf_t buf3;
buf3.b_timestamp = 0xabcdef00;
APPEND_BUF(&m_Head, &buf3);
printf("appended buf3\n");

So now after writing the pretty printers I should be able to print the buffer addresses and the contents. Can you tell me how to go about it.

posted at 1:41 a.m. on 23 Jun 2016

Jeremy Kerr

Hi Anu,

Your header file snippet is a macro that uses the list structure. Can you post the definition of the list structure instead?

To implement a pretty-printer for these, you'll just need to add struct-specific print statements in the while loop, where we print out the nodes.

Jeremy

posted at 1:54 p.m. on 23 Jun 2016

Anu

Thanks Jeremy,

I used the below struct in my implementation:

typedef struct buffer_head
{
    buf_t    *head;            /* First node on link list      */
    buf_t    *tail;            /* Last node on link list       */
}HEAD;

typedef struct buf buf_t;
struct buf

{

UINT32   b_flags;             
UINT32   b_id;               
UINT32  b_free      :1,      
    b_itnSpecific   :1,      
    b_ioctl         :6,    
    b_concat        :1,      
    b_ioctlLuParms  :1,       
A  a1;           
A  a2;  
....
... //Many more contents
}

Then I have separate code with below declaration which that header files to call above data

 unsigned int    m_Data;
 buf_t           m_Buf;
 HEAD            m_Head;

In the main code

m_Buf.b_timestamp = 0xc0defeed;

m_Head.head = 0;
m_Head.tail = 0;

//Adding buffer 1
buf_t buf1;
buf1.b_timestamp = 0xdeadface;
APPEND_BUF(&m_Head, &buf1);

//Adding buf 2
buf_t buf2;
buf2.b_timestamp = 0xc0defeed;
APPEND_BUF(&m_Head, &buf2);

//removing buf 2
buf_t* bufTmp = m_Head.head;
m_Head.head = static_cast<buf_t*>(m_Head.head->b_forw);

//adding buf3
buf_t buf3;
buf3.b_timestamp = 0xabcdef00;
APPEND_BUF(&m_Head, &buf3);
printf("appended buf3\n");

I should be getting all the contents of buf1 and buf3 after I write the pretty printer. Can you guide me on the same

posted at 2:18 a.m. on 24 Jun 2016

Jeremy Kerr

Hi Anu,

That detail helps. You seem to have omitted the b_forw member from struct buf, but that should be okay. I'm assuming that's a void * if you have to cast it to a buf_t * (is that intentional? things would be easier if you had it typed correctly).

As I mentioned earlier, to pretty-print this list of struct bufs, you'll just need to add to the while loop, around where we have the:

print "node@%s: %s #%d" % (node, node.dereference(), i)

statement. Here, you'll want to get a pointer to the struct buf (which is the node in this case), and simply print its members (eg, buf['b_flags'] and buf['b_id']).

You will also need to alter the macro itself, as your 'next' pointer is called b_forw, not next. There may be some complexity in that you're not using a struct buf pointer as b_forw, in that gdb won't know what type it is automatically.

posted at 11:38 a.m. on 24 Jun 2016

tinku

Hey Jemery,

How should the expression be written while executing the code. e.g., list-print ??? Also is there is way I can see the linked list for which this .py script is written. As that will be helpful for me in understanding the code better.

posted at 1:52 a.m. on 16 Jul 2016

Jeremy Kerr

Hi Tinku,

The linked list for which this debug code was written for is at the top of the post. It will also work for singly-linked list (ie, which have no prev member) - specifically, it will work for any list type that has a member named next.

The expression can be any valid gdb value, that evaluates as a pointer to the type of your list. In the example in the post, we use:

(gdb) list-print handler->devices[0]->device->boot_options

which follows a couple of pointers and an array before getting to the list type. Of course, the expression that you use there will be highly dependent on the code (and state) that you're debugging.

posted at 12:32 p.m. on 18 Jul 2016

tinku

Thank you so much Jeremy

posted at 1:51 a.m. on 26 Jul 2016

tinku

Hi Jeremy,

Can you throw some light on registering and auto loading. Is there a way I don't pass the command name and it does things for me automatically.

posted at 7:25 a.m. on 05 Aug 2016

Jeremy Kerr

Hi Tinku,

To get the list-print macro registered automatically, you can just put the source command in your .gdbinit file, so that it's performed when gdb starts.

I'm not sure what you mean by "a way I don't pass the command name" though. Which command name are you referring to there? You'll always need to run the actual list-print command for the script to do anything.

posted at 11:17 a.m. on 05 Aug 2016

tinku

Hi Jeremy,

I am talking about doing something like mentioned on https://sourceware.org/gdb/onlinedocs/gdb/Writing-a-Pretty_002dPrinter.html

def str_lookup_function(val):
     lookup_tag = val.type.tag
     if lookup_tag == None:
         return None
     regex = re.compile("^std::basic_string<char,.*>$")
     if regex.match(lookup_tag):
         return StdStringPrinter(val)
     return None

def register_printers(objfile):
     objfile.pretty_printers.append(str_lookup_function)

import gdb.libstdcxx.v6
 gdb.libstdcxx.v6.register_printers(gdb.current_objfile())

What value does this bring to the pretty printer.

Thanks for your help

posted at 1:55 a.m. on 06 Aug 2016

tinku

The whole purpose here is to create a new command to print linked list structure. If I want to write a pretty printer for the same thing how do I do that.

Thank you.

posted at 11:43 a.m. on 07 Aug 2016

Jeremy Kerr

Hi Tinku,

The page you linked has some decent information on writing the pretty-printer. You'd just want to implement the printer's to_string() method, using similar content to my invoke() method. See the examples of fooPrinter and barPrinter in the page you've linked.

Also, https://sourceware.org/gdb/onlinedocs/gdb/Pretty-Printing-API.html has some information about the API that you're looking to implement.

posted at 12:19 p.m. on 07 Aug 2016

tinku

Hi Jeremy,

Is there is way to print node.dereference() in decent format using any functions or do we have to do manually do stuff? Thanks

posted at 2:39 a.m. on 19 Aug 2016

Michael Giardino

What a useful script, thanks so much! It works flawlessly with kernel-type linked lists, saving me a ton of time.

For anybody else who has a newer version of Python linked into their GDB (Debian 9 has 3.5), the script needs slight modifications. Basically just add parentheses around the arguments following each print. Apparently Python made print a function so it fails with bad syntax in newer versions of Python.

For example:

print "list@%s: %s" % (head.address, head)

becomes

print("list@%s: %s" % (head.address, head))

posted at 4:43 p.m. on 14 Nov 2017

Linked-list debugging in gdb

python gdb extensions

comments

post a comment

comment preview

posted on

about

related