|
IntroductionThe Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user. Thus, a kernel panic is always the result of a bug, either in Apple's code or in the code of some third party kernel extension. Such bugs need to be investigated and resolved. There are a number of circumstances in which the ability to capture a kernel core dump is useful.
To assist you in these situations, Apple provides a remote kernel core dump facility which has been present since Mac OS X 10.3 for PowerPC-based Macintosh systems, and since Mac OS X 10.4.7 for Intel-based Macintosh systems. You can configure a Mac OS X computer so that, when the machine panics, it transmits a core dump of the kernel to a server via TCP/IP. The core dump server is a daemon that collects the kernel core dump from the client and writes it to disk. You can then analyze the core dump using a variety of tools, most notably GDB. There are two components of core dumping, the server side and client side. The server side is the destination of the core dump file, the client side enables the kernel on the machine which panics, to dump its core to the server. Note: The source for the kernel core dump server is part of Darwin (in the This technical note focuses on describing the core dump process across an internet connection. A FireWire connection can also be used to transmit the core dump. FireWire is a useful alternative when the kernel panic on the client system involves the built-in Ethernet driver, or some other network code such that the core dump cannot be sent across an Ethernet connection. The Read Me file in the FireWire SDK for Mac OS X describes the setup process for using FireWire to transmit a core dump. You can access the FireWire SDK from the Apple Developer Hardware & Drivers - Downloads web page. Once you succeeded in saving the core dump across the FireWire connection, you can learn more about analyzing the core dump by reading the section Debugging with Kernel Core Dumps. This technical note provides information on the following tasks.
Configuring the ServerThe first step in collecting kernel core dumps is to set up a kernel core dump server. To start you must choose a machine to act as the server, taking into account the following points.
WARNING: To simplify the setup process this technical note assumes that your client and server are on a trusted network, and that you trust all of the users who have accounts on the server. Furthermore, when a client panics, it transmits the contents of kernel memory to the server in the clear. It's quite possible that this data includes sensitive information. You should configure your network (using, for example, switched hubs, a firewall, or a VPN) so that this data can't be seen by unauthorized persons. To enable the kernel core dump server, execute the following steps:
Creating a Core Dump DirectoryTo start, you must create a directory into which the server writes core dumps. That directory must be writable by the program that's dumping the core. The easiest way to guarantee this is to make it writable by everyone. We recommend that you create this directory with the commands shown in Listing 1. server$ sudo mkdir /PanicDumps Password:******** server$ sudo chown root:wheel /PanicDumps server$ sudo chmod 1777 /PanicDumps Activating the Kernel Dump Server ProcessFor Mac OS X 10.5 and greater, a disabled launchd property list file is present as part of the basic system installation. The To activate the server, use server$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.kdumpd.plist Password:******** Note: The -w argument to launchctl removes the You can verify that the core dump server is active by using the server$ sudo launchctl list | grep kdump Password:******** - 0 com.apple.kdumpd There may be no PID associated with the Once you have the server configured correctly, you can proceed on to the next step, Configuring a Client. Configuring the Kernel Core Dump Server for Mac OS X prior to 10.5If you have server machine with a version of Mac OS X prior to 10.5, there are different instructions to follow. For a server machine with Mac OS X 10.4, follow the instructions in the section, Configuring the Kernel Core Dump Server for Mac OS X 10.4.x. For a server machine with Mac OS X 10.3, follow the instructions in the section, Configuring the Kernel Core Dump Server for Mac OS X 10.3.x. Configuring the Kernel Core Dump Server for Mac OS X 10.4.xThe procedure for setting up the Kernel Core Dump server under Mac OS X 10.4.x is similar to the procedure for Mac OS X 10.5. The only difference is that the launchd property list file is not installed by default, so you have to create it yourself. Create the launchd property list file shown in Listing 4. These instructions assume that you are using the server$ sudo cat > /tmp/com.mycompany.kdump.plist Password: ******** <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>InitGroups</key> <true/> <key>Label</key> <string>com.mycompany.kdumpd</string> <key>ProgramArguments</key> <array> <string>/usr/libexec/kdumpd</string> <string>/PanicDumps</string> </array> <key>Sockets</key> <dict> <key>Listener</key> <dict> <key>SockServiceName</key> <string>1069</string> <key>SockType</key> <string>dgram</string> </dict> </dict> <key>UserName</key> <string>nobody</string> <key>inetdCompatibility</key> <dict> <key>Wait</key> <true/> </dict> </dict> </plist> ^D client$ ls -l /tmp/com.mycompany.kdump.plist -rw-r--r-- 1 admin wheel 831 Sep 10 15:25 /tmp/com.mycompany.kdump.plist client$ sudo cp /tmp/com.mycompany.kdump.plist /Library/LaunchDaemons/ Password: ******** client$ ls -l /Library/LaunchDaemons/com.mycompany.kdump.plist -rw-r--r-- 1 root wheel 831 Sep 10 15:26 /Library/LaunchDaemons/com.mycompany.kdump.plist Once you have the created the launchd property list, restart the system. The core dump server process should be active on restart. You can verify that the core dump server process is active by using the server$ sudo launchctl list | grep kdump Password:******** com.mycompany.kdumpd The presence of the With the server configured, configure the client as described in Configuring a Client. Configuring the Kernel Core Dump Server for Mac OS X 10.3.xFollow these instructions to configure the Kernel Core Dump server for Mac OS X 10.3. These instructions assume that you are using the Configure xinetdConfigure the extended Internet services daemon, service macosxkdump { disable = no type = UNLISTED socket_type = dgram protocol = udp port = 1069 user = nobody groups = yes server = /usr/libexec/kdumpd server_args = /PanicDumps wait = yes } server$ cat > /tmp/macosxkdump service macosxkdump { disable = no type = UNLISTED socket_type = dgram protocol = udp port = 1069 user = nobody groups = yes server = /usr/libexec/kdumpd server_args = /PanicDumps wait = yes } ^D server$ ls -l /tmp/macosxkdump -rw-r--r-- 1 quinn staff 278 14 Jul 15:25 /tmp/macosxkdump server$ sudo cp /tmp/macosxkdump /etc/xinetd.d Password: ******** server$ ls -l /etc/xinetd.d/macosxkdump -rw-r--r-- 1 root wheel 278 14 Jul 15:26 /etc/xinetd.d/macosxkdump IMPORTANT: To maintain system security, the configuration file ( Signal xinetdYou must send the server$ sudo kill -HUP `cat /var/run/xinetd.pid` Password: ******** Alternatively, you can simply reboot the machine, which also causes Confirm ConfigurationYou can confirm that everything is configured correctly using one of two methods.
Jul 14 15:40:57 localhost xinetd[349]: Starting reconfiguration Jul 14 15:40:57 localhost xinetd[349]: readjusting service ssh Jul 14 15:40:57 localhost xinetd[349]: Reconfigured: new=1 old=1 dropped=0 (services) server$ sudo kill -USR1 `cat /var/run/xinetd.pid` Password: ******** Service = macosxkdump State = Active Service configuration: macosxkdump id = macosxkdump flags = IPv4 type = UNLISTED socket_type = dgram Protocol (name,number) = (udp,17) port = 1069 wait = yes user = -2 Groups = yes PER_SOURCE = -1 Bind = All addresses. Server = /usr/libexec/kdumpd Server argv = kdumpd /PanicDumps Only from: All sites No access: No blocked sites Logging to syslog. Facility = daemon, level = info Log_on_success flags = HOST PID HOST Log_on_failure flags = HOST running servers = 0 retry servers = 0 attempts = 0 service fd = 6 Once you have the server configured, you can configure the client as described in Configuring a Client. Configuring a ClientTo enable kernel core dumps on a client machine, you must modify the
Listing 12 shows an example of how to set the client$ sudo nvram boot-args="debug=0xd44 _panicd_ip=10.0.40.2" Password: ******** You must restart to enable this setting. IMPORTANT: The Debug Flags in DepthYou can use the Table 1 : Debug flags
Table 2 : Useful debug flag combinations
Testing Your ConfigurationOnce you have enabled the server and configured the client, it's time to test things to make sure they're working as expected. To test the system you need to trigger a kernel panic on the client system. Two methods are presented here.
Triggering a Kernel Panic with DTraceFor Mac OS X 10.5 or later, use client$ sudo dtrace -w -n "BEGIN{ panic();}" Triggering a Kernel Panic with the Instant Panic Kernel ExtensionFor all versions of Mac OS X, this technical note includes a simple kernel extension, InstantPanic, that panics the kernel as soon as you load it. You can get the source and binary for this kernel extension from the Downloadables section. Start by downloading and unarchiving the kernel extension on your desktop. Load the kernel extension using the commands shown in Listing 14. client$ cd ~/Desktop/InstantPanic/build/ client$ sudo cp -r InstantPanic.kext / Password: ******** client$ sudo kextload /InstantPanic.kext Note: In Listing 14 we make a copy of the kernel extension as root (using The Kernel Panic Core Dump FileOnce a panic occurs, if all goes well, the client will transmit a kernel core dump to the server. You can see the transmission progress on the screen of the client (assuming that you set the When the transfer is complete you can list the server$ ls -l /PanicDumps total 216872 -rw-rw---- 1 nobody wheel 300245144 Sep 19 12:51 paniclog-xnu-1228.5.20-10.0.40.7-3a061187 The name of this file includes the kernel version—as displayed by Note: For Mac OS X 10.4.6 and earlier, the core dump file name does not include the kernel's minor version. The section Debugging with Kernel Core Dumps explains how you can debug a kernel panic using the core dump file. Alternatively, if you had set the server$ ls -l /PanicDumps total 216872 -rw-rw---- 1 nobody wheel 300245144 Sep 19 12:51 paniclog-xnu-1228.5.20-10.0.40.7-3a061187 server$ sudo cat /PanicDumps/paniclog-xnu-1228.5.20-10.0.40.7-3a061187 panic(cpu 0 caller 0x21058018): InstantPanic: Just add water! Backtrace, Format - Frame : Return Address (4 potential args on stack) 0x1b38fc18 : 0x12b0fa (0x4592a4 0x1b38fc4c 0x133243 0x0) 0x1b38fc68 : 0x21058018 (0x21058053 0x0 0x2a57e38 0x2e4f4a0) 0x1b38fc88 : 0x18f24d (0x21058080 0x0 0x0 0x0) 0x1b38fcc8 : 0x18f51e (0x6f 0x1 0x2e4f4a4 0x2e4f4c0) 0x1b38fd68 : 0x147c60 (0x53b8e0 0x6f 0x1 0x2e4f4a4) 0x1b38fdb8 : 0x12d17e (0x2e4f488 0x3300790 0x1b38fdf8 0x11ee14) 0x1b38fdf8 : 0x126257 (0x2e4f400 0x2a50844 0x3338e88 0x0) 0x1b38ff08 : 0x1973dd (0x1b38ff44 0x0 0x0 0x0) 0x1b38ffc8 : 0x19f3b3 (0x33cfc34 0x0 0x1a20b5 0x2f73790) No mapping exists for frame pointer Backtrace terminated-invalid frame pointer 0xbffff458 Kernel loadable modules in backtrace (with dependencies): com.apple.dts.kext.InstantPanic(1.0)@0x21057000->0x21058fff BSD process name corresponding to current thread: kextload Mac OS version: 9E17 Kernel version: Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 System model name: iMac4,1 (Mac-F42787C8) For more information about kernel panic logs, see Technical Note TN2063: Understanding and Debugging Kernel Panics. Debugging with Kernel Core DumpsIf you're a kernel programmer, you can use kernel core dumps to debug kernel panics and hangs. Before you start, you should collect together the following helpful resources.
IMPORTANT: You must download the resources (Kernel Debug kit, Darwin xnu source code, and other pertinent driver source code) that correspond to the kernel version on the client machine (the machine that panicked). The first step to debugging with a kernel core file is to open that file in GDB using the IMPORTANT: If the system you use to analyze the kernel panic core dump uses a different machine architecture than that of the client system which generated the panic, you must include the server$ sudo gdb -c /PanicDumps/core-xnu-1228.5.20-10.0.40.7-10499ce2 Password: ******** GNU gdb 6.3.50-20050815 (Apple version gdb-768) (Tue Oct 2 04:07:49 UTC 2007) Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-apple-darwin". #0 0x001ae4cd in ?? () Note: In Xcode 1.2 and earlier, GDB does not allow you to have spaces in the pathname that you supply to the As you can see, this backtrace contains no symbolic information. You can fix this by loading kernel symbols from the Kernel Debug Kit. Listing 18 shows an example of this. Once you load the kernel symbols, the backtrace is now much more helpful. (gdb) add-symbol-file /Volumes/KernelDebugKit/mach_kernel add symbol table from file "/Volumes/KernelDebugKit/mach_kernel"? (y or n) y Reading symbols from /Volumes/KernelDebugKit/mach_kernel...Reading symbols from /Volumes/KernelDebugKit/mach_kernel.dSYM/Contents/Resources/DWARF/mach_kernel...done. done. (gdb) bt #0 Debugger (message=0x4592a4 "panic") at /SourceCache/xnu/xnu-1228.5.20/osfmk/i386/AT386/model_dep.c:786 #1 0x0012b0fa in panic (str=0x210c7053 "InstantPanic: Just add water!") at /SourceCache/xnu/xnu-1228.5.20/osfmk/kern/debug.c:274 #2 0x210c7018 in ?? () Now that you have symbols, you're only a short step away from source-level debugging. As you can see from frame 1 of the backtrace, GDB expects to find the kernel source in the directory server$ mkdir -p /SourceCache/xnu server$ ln -s ~/Desktop/xnu-1228.5.20 /SourceCache/xnu Now you can look back up the stack (using the (gdb) frame 0 #0 Debugger (message=0x4592a4 "panic") at /SourceCache/xnu/xnu-1228.5.20/osfmk/i386/AT386/model_dep.c:786 warning: Source file is more recent than executable. 786 hw_atomic_sub(&debug_mode, 1); (gdb) frame 1 #1 0x0012b0fa in panic (str=0x210c7053 "InstantPanic: Just add water!") at /SourceCache/xnu/xnu-1228.5.20/osfmk/kern/debug.c:274 warning: Source file is more recent than executable. 274 Debugger("panic"); Last, but certainly not least, you can use the kernel debugging macros on a kernel core dump in the same way you would on a live kernel. Listing 21 shows how to load up the kernel debugging macros and execute two of the most useful macros.
(gdb) source /Volumes/KernelDebugKit/kgmacros Loading Kernel GDB Macros package. Type "help kgm" for more info. (gdb) paniclog panic(cpu 0 caller 0x21114018): InstantPanic: Just add water! Backtrace, Format - Frame : Return Address (4 potential args on stack) 0x20ed7c18 : 0x12b0fa (0x4592a4 0x20ed7c4c 0x133243 0x0) 0x20ed7c68 : 0x21114018 (0x21114053 0x0 0x2a57e38 0x538eca0) 0x20ed7c88 : 0x18f24d (0x21114080 0x0 0x0 0x0) 0x20ed7cc8 : 0x18f51e (0x72 0x1 0x538eca4 0x538ecc0) 0x20ed7d68 : 0x147c60 (0x53b8e0 0x72 0x1 0x538eca4) 0x20ed7db8 : 0x12d17e (0x538ec88 0x5399590 0x20ed7df8 0x11ee14) 0x20ed7df8 : 0x126257 (0x538ec00 0x2a50508 0x39cf5a0 0x0) 0x20ed7f08 : 0x1973dd (0x20ed7f44 0x0 0x0 0x0) 0x20ed7fc8 : 0x19f3b3 (0x40c5e8c 0x19ecd7 0x8 0x40c5e8c) No mapping exists for frame pointer Backtrace terminated-invalid frame pointer 0xbffff458 Kernel loadable modules in backtrace (with dependencies): com.apple.dts.kext.InstantPanic(1.0)@0x21113000->0x21114fff BSD process name corresponding to current thread: kextload Mac OS version: 9E17 Kernel version: Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 System model name: iMac4,1 (Mac-F42787C8) (gdb) showallstacks [...] task vm_map ipc_space #acts pid proc command 0x0345182c 0x039cf5a0 0x02a50508 1 576 0x0333b4a0 kextload thread processor pri state wait_queue wait_event 0x05358a78 0x0053b0c0 31 R kernel_stack=0x20ed4000 stacktop=0x20ed7c18 0x20ed7c18 0x12b0fa <panic+422> 0x20ed7c68 0x21114018 <com.apple.dts.kext.InstantPanic + 0x1018> 0x20ed7c88 0x18f24d <kmod_start_or_stop+213> 0x20ed7cc8 0x18f51e <kmod_control+112> 0x20ed7d68 0x147c60 <_Xkmod_control+240> 0x20ed7db8 0x12d17e <ipc_kobject_server+247> 0x20ed7df8 0x126257 <mach_msg_overwrite_trap+752> 0x20ed7f08 0x1973dd <mach_call_munger+529> 0x20ed7fc8 0x19f3b3 <lo_mach_scall+227> stackbottom=0x20ed7fc8 You can learn more about the kernel debugging macros in the I/O Kit documentation. Note: With kernel coredumps, when examining threads other than the thread interrupted for debugger entry, you must use the With GDB under Mac OS X 10.4, if the target corefile was generated by a PowerPC-based Macintosh system, you must issue the following command before issuing the
Kernel Core Dump OptionsThe information above is sufficient for the needs of most developers to obtain kernel panic core dumps. However, there are options to address some networking issues.
IMPORTANT: To use any of these options, you must modify the firmware Configuring the Client and Server UDP Port AssignmentThe kernel dump protocol uses UDP on port 1069 by default. The port assignment is configurable for all Mac OS X releases on the kernel dump server side. On the client side, for the Intel-based Macintosh systems you must have Mac OS X 10.4.7 or greater to configure a custom port assignment. For a PowerPC-based Macintosh system, you must have Mac OS X 10.5 or greater to configure a custom port assignment. If you want the core dump server to collect core dumps from PowerPC clients running Mac OS X 10.4 or earlier, or from Intel-based client running Mac OS X 10.4.6, you must leave the server port assignment set to the default value of 1069. Configuring the Client UDP Port AssignmentTo customize the client port assignment to 12345, add client$ sudo nvram boot-args="debug=0xd44 _panicd_ip=10.0.40.2 _panicd_port=12345" Password: ******** You must restart to enable this setting. Configuring the Server UDP Port AssignmentFor Mac OS X 10.5 or greater, to customize the server port assignment, edit the IMPORTANT: Ensure that the file ownership and file permissions of the For a core dump server running under Mac OS X 10.4.x, to modify the port assignment refer to Listing 4 and modify the For a core dump server running under Mac OS X 10.3.x, to modify the port assignment refer to Listing 7 and modify the Configuring the Client Router UsageThere are some situations where you want to force the core dump client to communicate to the core dump server using a specific router. This option exists for Intel-based clients systems with Mac OS X 10.4.7 or greater present, and for PowerPC-based clients with Mac OS X 10.5 or greater present. To customize the client router address assignment to 10.0.40.1, add client$ sudo nvram boot-args="debug=0xd44 _panicd_ip=10.0.40.2 _router_ip=10.0.40.1" Password: ******** You must restart to enable this setting. Specifying the Ethernet InterfaceYou can force the system to use a particular port by setting the client$ sudo nvram boot-args="debug=0xd44 _panicd_ip=10.0.40.2 kdp_match_name=en1" Password: ******** You must restart to enable this setting. Note: The kernel dump client can only be configured to transmit on a built-in hard-wired Ethernet port. There is no support for transmitting core dumps across the AirPort interface, nor across third-party Ethernet interfaces. This is an issue for the MacBook Air which has no built-in hard-wired Ethernet interface. ConclusionThe kernel core dump facility is a useful debugging tool for both kernel extension developers and users with large or complex Macintosh installations. Using this facility, you can capture information about kernel panics (and kernel hangs) where it's not possible to use the two-machine kernel debugger. Further Reading
Downloadables
Document Revision History
Posted: 2008-11-12 |
|