crash utility help page:  dis


NAME
  dis - disassemble

SYNOPSIS
  dis [-rfludxs][-b [num]] [address | symbol | (expression)] [count]

DESCRIPTION
  This command disassembles source code instructions starting (or ending) at
  a text address that may be expressed by value, symbol or expression:

            -r  (reverse) displays all instructions from the start of the 
                routine up to and including the designated address.
            -f  (forward) displays all instructions from the given address 
                to the end of the routine.
            -l  displays source code line number data in addition to the 
                disassembly output.
            -u  address is a user virtual address in the current context;
                otherwise the address is assumed to be a kernel virtual address.
                If this option is used, then -r and -l are ignored.
            -x  override default output format with hexadecimal format.
            -d  override default output format with decimal format.
            -s  displays the filename and line number of the source code that
                is associated with the specified text location, followed by a
                source code listing if it is available on the host machine.
                The line associated with the text location will be marked with
                an asterisk; depending upon gdb's internal "listsize" variable,
                several lines will precede the marked location. If a "count"
                argument is entered, it specifies the number of source code
                lines to be displayed after the marked location; otherwise
                the remaining source code of the containing function will be
                displayed.
      -b [num]  modify the pre-calculated number of encoded bytes to skip after
                a kernel BUG ("ud2a") instruction; with no argument, displays
                the current number of bytes being skipped. (x86 and x86_64 only)
       address  starting hexadecimal text address.
        symbol  symbol of starting text address.  On ppc64, the symbol
                preceded by '.' is used.
  (expression)  expression evaluating to a starting text address.
         count  the number of instructions to be disassembled (default is 1).
                If no count argument is entered, and the starting address
                is entered as a text symbol, then the whole routine will be
                disassembled.  The count argument is supported when used with
                the -r and -f options.

EXAMPLES
  Disassemble the sys_signal() routine without, and then with, line numbers:

    crash> dis sys_signal
    0xc0112c88 <sys_signal>:        push   %ebp
    0xc0112c89 <sys_signal+1>:      mov    %esp,%ebp
    0xc0112c8b <sys_signal+3>:      sub    $0x28,%esp
    0xc0112c8e <sys_signal+6>:      mov    0xc(%ebp),%eax
    0xc0112c91 <sys_signal+9>:      mov    %eax,0xffffffec(%ebp)
    0xc0112c94 <sys_signal+12>:     movl   $0xc0000000,0xfffffff0(%ebp)
    0xc0112c9b <sys_signal+19>:     lea    0xffffffd8(%ebp),%eax
    0xc0112c9e <sys_signal+22>:     push   %eax
    0xc0112c9f <sys_signal+23>:     lea    0xffffffec(%ebp),%eax
    0xc0112ca2 <sys_signal+26>:     push   %eax
    0xc0112ca3 <sys_signal+27>:     pushl  0x8(%ebp)
    0xc0112ca6 <sys_signal+30>:     call   0xc01124b8 <do_sigaction>
    0xc0112cab <sys_signal+35>:     test   %eax,%eax
    0xc0112cad <sys_signal+37>:     jne    0xc0112cb2 <sys_signal+42>
    0xc0112caf <sys_signal+39>:     mov    0xffffffd8(%ebp),%eax
    0xc0112cb2 <sys_signal+42>:     leave
    0xc0112cb3 <sys_signal+43>:     ret
 
    crash> dis -l sys_signal
    /usr/src/linux-2.2.5/kernel/signal.c: 1074
    0xc0112c88 <sys_signal>:        push   %ebp
    0xc0112c89 <sys_signal+1>:      mov    %esp,%ebp
    0xc0112c8b <sys_signal+3>:      sub    $0x28,%esp
    0xc0112c8e <sys_signal+6>:      mov    0xc(%ebp),%eax
    /usr/src/linux-2.2.5/kernel/signal.c: 1078
    0xc0112c91 <sys_signal+9>:      mov    %eax,0xffffffec(%ebp)
    /usr/src/linux-2.2.5/kernel/signal.c: 1079
    0xc0112c94 <sys_signal+12>:     movl   $0xc0000000,0xfffffff0(%ebp)
    /usr/src/linux-2.2.5/kernel/signal.c: 1081
    0xc0112c9b <sys_signal+19>:     lea    0xffffffd8(%ebp),%eax
    0xc0112c9e <sys_signal+22>:     push   %eax
    0xc0112c9f <sys_signal+23>:     lea    0xffffffec(%ebp),%eax
    0xc0112ca2 <sys_signal+26>:     push   %eax
    0xc0112ca3 <sys_signal+27>:     pushl  0x8(%ebp)
    0xc0112ca6 <sys_signal+30>:     call   0xc01124b8 <do_sigaction>
    /usr/src/linux-2.2.5/kernel/signal.c: 1083
    0xc0112cab <sys_signal+35>:     test   %eax,%eax
    0xc0112cad <sys_signal+37>:     jne    0xc0112cb2 <sys_signal+42>
    0xc0112caf <sys_signal+39>:     mov    0xffffffd8(%ebp),%eax
    /usr/src/linux-2.2.5/kernel/signal.c: 1084
    0xc0112cb2 <sys_signal+42>:     leave
    0xc0112cb3 <sys_signal+43>:     ret
 
  Given a return address expression of "do_no_page+65", find out the 
  function that do_no_page() calls by using the reverse flag:

    crash> dis -r (do_no_page+65)
    0xc011ea68 <do_no_page>:        push   %ebp
    0xc011ea69 <do_no_page+1>:      mov    %esp,%ebp
    0xc011ea6b <do_no_page+3>:      push   %edi
    0xc011ea6c <do_no_page+4>:      push   %esi
    0xc011ea6d <do_no_page+5>:      push   %ebx
    0xc011ea6e <do_no_page+6>:      mov    0xc(%ebp),%ebx
    0xc011ea71 <do_no_page+9>:      mov    0x10(%ebp),%edx
    0xc011ea74 <do_no_page+12>:     mov    0x14(%ebp),%edi
    0xc011ea77 <do_no_page+15>:     mov    0x28(%ebx),%eax
    0xc011ea7a <do_no_page+18>:     test   %eax,%eax
    0xc011ea7c <do_no_page+20>:     je     0xc011ea85 <do_no_page+29>
    0xc011ea7e <do_no_page+22>:     mov    0x18(%eax),%ecx
    0xc011ea81 <do_no_page+25>:     test   %ecx,%ecx
    0xc011ea83 <do_no_page+27>:     jne    0xc011eab0 <do_no_page+72>
    0xc011ea85 <do_no_page+29>:     mov    $0xffffe000,%eax
    0xc011ea8a <do_no_page+34>:     and    %esp,%eax
    0xc011ea8c <do_no_page+36>:     decl   0x30(%eax)
    0xc011ea8f <do_no_page+39>:     jns    0xc011ea9a <do_no_page+50>
    0xc011ea91 <do_no_page+41>:     lock btrl $0x0,0xc022fb60
    0xc011ea9a <do_no_page+50>:     push   %edi
    0xc011ea9b <do_no_page+51>:     mov    0x18(%ebp),%esi
    0xc011ea9e <do_no_page+54>:     push   %esi
    0xc011ea9f <do_no_page+55>:     push   %ebx
    0xc011eaa0 <do_no_page+56>:     mov    0x8(%ebp),%esi
    0xc011eaa3 <do_no_page+59>:     push   %esi
    0xc011eaa4 <do_no_page+60>:     call   0xc011e9e4 <do_anonymous_page>
    0xc011eaa9 <do_no_page+65>:     jmp    0xc011eb47 <do_no_page+223>
    
  Disassemble 10 instructions starting at user virtual address 0x81ec624:

    crash> dis -u 81ec624 10
    0x81ec624:      push   %ebp
    0x81ec625:      mov    %esp,%ebp
    0x81ec627:      sub    $0x18,%esp
    0x81ec62a:      movl   $0x1,0x8(%ebp)
    0x81ec631:      mov    0x82f9040,%eax
    0x81ec636:      mov    0x10(%eax),%edx
    0x81ec639:      and    $0x100,%edx
    0x81ec63f:      mov    0x14(%eax),%ecx
    0x81ec642:      and    $0x0,%ecx
    0x81ec645:      mov    %ecx,%eax
 
  Override the current decimal output radix format:

    crash> dis sys_read 10 -x
    0xffffffff8001178f <sys_read>:  push   %r13
    0xffffffff80011791 <sys_read+0x2>:    mov    %rsi,%r13
    0xffffffff80011794 <sys_read+0x5>:    push   %r12
    0xffffffff80011796 <sys_read+0x7>:    mov    $0xfffffffffffffff7,%r12
    0xffffffff8001179d <sys_read+0xe>:    push   %rbp
    0xffffffff8001179e <sys_read+0xf>:    mov    %rdx,%rbp
    0xffffffff800117a1 <sys_read+0x12>:   push   %rbx
    0xffffffff800117a2 <sys_read+0x13>:   sub    $0x18,%rsp
    0xffffffff800117a6 <sys_read+0x17>:   lea    0x14(%rsp),%rsi
    0xffffffff800117ab <sys_read+0x1c>:   callq  0xffffffff8000b5b4 <fget_light>
 
  Disassemble from vfs_read+320 until the end of the function:

    crash> dis -f vfs_read+320
    0xffffffff8119d4e0 <vfs_read+320>:  cmpq   $0x0,0x20(%rax)
    0xffffffff8119d4e5 <vfs_read+325>:  jne    0xffffffff8119d3e8 <vfs_read+72>
    0xffffffff8119d4eb <vfs_read+331>:  mov    $0xffffffffffffffea,%r12
    0xffffffff8119d4f2 <vfs_read+338>:  jmp    0xffffffff8119d4c3 <vfs_read+291>
    0xffffffff8119d4f4 <vfs_read+340>:  nopl   0x0(%rax)
    0xffffffff8119d4f8 <vfs_read+344>:  callq  0xffffffff8119cc40 <do_sync_read>
    0xffffffff8119d4fd <vfs_read+349>:  mov    %rax,%r12
    0xffffffff8119d500 <vfs_read+352>:  jmpq   0xffffffff8119d44c <vfs_read+172>
    0xffffffff8119d505 <vfs_read+357>:  nopl   (%rax)
    0xffffffff8119d508 <vfs_read+360>:  mov    $0xfffffffffffffff7,%r12
    0xffffffff8119d50f <vfs_read+367>:  jmp    0xffffffff8119d4c3 <vfs_read+291>
    0xffffffff8119d511 <vfs_read+369>:  mov    $0xfffffffffffffff2,%r12
    0xffffffff8119d518 <vfs_read+376>:  jmp    0xffffffff8119d4c3 <vfs_read+291>
    0xffffffff8119d51a <vfs_read+378>:  nopw   0x0(%rax,%rax,1)
 
  Display the source code listing of the mmput() function:

    crash> dis -s mmput
    FILE: kernel/fork.c
    LINE: 617
    
      612   
      613   /*
      614    * Decrement the use count and release all resources for an mm.
      615    */
      616   void mmput(struct mm_struct *mm)
    * 617   {
      618           might_sleep();
      619   
      620           if (atomic_dec_and_test(&mm->mm_users)) {
      621                   uprobe_clear_state(mm);
      622                   exit_aio(mm);
      623                   ksm_exit(mm);
      624                   khugepaged_exit(mm); /* must run before exit_mmap */
      625                   exit_mmap(mm);
      626                   set_mm_exe_file(mm, NULL);
      627                   if (!list_empty(&mm->mmlist)) {
      628                           spin_lock(&mmlist_lock);
      629                           list_del(&mm->mmlist);
      630                           spin_unlock(&mmlist_lock);
      631                   }
      632                   if (mm->binfmt)
      633                           module_put(mm->binfmt->module);
      634                   mmdrop(mm);
      635           }
      636   }
 
  The disassembly of dentry_kill() shows an indirect call to a function
  whose address is contained within a register.  Display the source code
  associated with the indirect function call:

    crash> dis dentry_kill
    ...
    0xffffffff811dcfb4 <dentry_kill+324>:	callq  *%rax
    ...
    crash> dis -s 0xffffffff811dcfb4
    FILE: fs/dcache.c
    LINE: 276
    
      271                   spin_unlock(&dentry->d_lock);
      272                   spin_unlock(&inode->i_lock);
      273                   if (!inode->i_nlink)
      274                           fsnotify_inoderemove(inode);
      275                   if (dentry->d_op && dentry->d_op->d_iput)
    * 276                           dentry->d_op->d_iput(dentry, inode);
      277                   else
      278                           iput(inode);
      279           } else {
      280                   spin_unlock(&dentry->d_lock);
      281           }
      282   }