I have a physical memory dump file and a symbol file (vmlinux), and I'd like to analyze the content of dump file with symbol file in gdb. For example, to peek the state of init_task at that time the physical memory dumped:
(gdb) print &init_task
=> show the address of init_task in physical memory dump file, said 0xc0XXXXXX
(gdb) print ((struct task_struct *) 0xc0XXXXXX)->tasks
=> show the content of init_task.tasks in physical memory dump file)
I just tried the gdb commands "restore" and "target core", both are not work. "restore" need to be used on a running process, and "target core" need in core file (ELF 64-bit LSB core file) as input.
(gdb) restore binary physical-memory-dump-file
You can't do that without a process to debug.
(gdb) target core physical-memory-dump-file
"physical-memory-dump-file" is not a core dump: File format not recognized
Any idea? Thanks.
Update1: Hi Pavan, thanks for reminding; since I'm working on special platform, the bootloader on it will save the complete physical memory into the dump file, after kernel reboot from panic / Oops. So the physical-memory-dump-file will have the same size with physical RAM, and it can be mapped to the 0xc000:0000 in kernel from the first byte of it.
A physical memory dump and a core file are not exactly the same thing. A core file is just an executable image mapped into an address space; when the kernel panics it should leave an ELF file in memory at some position with hard coded addresses pointing to other parts of the image. It's likely you will have to extract the ELF image from the memory dump you have (stripping out the unused parts) before GDB will accept it and match up the symbols you have.
physical-memory-dump-fileimage - Pavan Manjunath 2012-04-05 17:39