Segfault error

Ever end up with messages like these in your Linux system’s log (/var/log/messages, journalctl, or whatever logging system you’re using)?

Apr 1 08:09:27 machinename kernel: ProcessNameThatCrashed[22041]: segfault at 00000000e5c5e000 rip 00000000081473d0 rsp 00000000e5c5aa30 error 4

Ever wonder what that error number means? Well, Raphael Geissert over at Raphael’s blog has a handy little lookup tool that I made use of today.

In my case, error 4 means “The cause was a user-mode read resulting in no page being found.”

As commenter “LittleAncientForestKami” explains, maybe not rocket science, but since I had no idea how to figure this out, really appreciated.

So, I thought I’d figure out what “rip” and “rsp” meant. “rsp” is probably a little hard to use, but “rip” is the address of the instruction where the crash occurred, and you can figure out what function it points to using this technique described by StackOverflow user qrtt1:

  1. Dump the addresses of the crashing application by saying “objdump -d ProcessNameThatCrashed | less” (where “ProcessNameThatCrashed” is the name of the crashing app)
  2. Search for the address in ‘less’ by typing “/”, then entering the address (in this case, the address I’m searching for is ‘81473d0’).

A few (or maybe many) lines up from the line matching the address in question, you should see the name of the function that crashed:

0081473c4 <fourBytesNetworkToHost>:
81473c4: 55 push %ebp
81473c5: 89 e5 mov %esp,%ebp
81473c7: 83 ec 18 sub $0x18,%esp
81473ca: 8d 55 fc lea 0xfffffffc(%ebp),%edx
81473cd: 8b 45 08 mov 0x8(%ebp),%eax
81473d0: 8b 00 mov (%eax),%eax

In this case ‘fourBytesNetworkToHost’ is the name of the function that crashed.
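The two lookups above (what the error number means, and which address to search for in the objdump output) can be done in one pass over the log line. This is an added example, not code from the original post or from the lookup tool it mentions; the function names are made up for illustration, and the regular expression assumes the line layout shown at the top of this page.

```python
import re

# x86 page-fault error-code bits printed after "error" in the segfault line
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x1, 0x2, 0x4, 0x8, 0x10

# Accepts the "rip/rsp" form from this page, plus "eip/esp" and bare "ip/sp"
# (assumed variants of the same message).
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"[re]?ip (?P<ip>[0-9a-f]+) [re]?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# The log line quoted on this page
SAMPLE = ("Apr 1 08:09:27 machinename kernel: ProcessNameThatCrashed[22041]: "
          "segfault at 00000000e5c5e000 rip 00000000081473d0 "
          "rsp 00000000e5c5aa30 error 4")

def decode_error(code):
    """Turn the page-fault error code into a readable description."""
    mode = "user-mode" if code & PF_USER else "kernel-mode"
    if code & PF_INSTR:
        access = "instruction fetch"
    elif code & PF_WRITE:
        access = "write"
    else:
        access = "read"
    cause = "protection fault" if code & PF_PROT else "no page found"
    text = f"{mode} {access}, {cause}"
    if code & PF_RSVD:
        text += ", reserved bit set in page table"
    return text

def parse_segfault(line):
    """Return the fields of a kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)  # the kernel prints the error code in hex
    return {
        "process": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "error": err,
        "meaning": decode_error(err),
        # objdump prints addresses without leading zeros: search for this in less
        "objdump_search": f"{int(m['ip'], 16):x}",
    }

if __name__ == "__main__":
    for key, value in parse_segfault(SAMPLE).items():
        print(f"{key}: {value}")
```
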
