https://stackoverflow.com/questions/1456899/what-are-segfault-rip-rsp-numbers-and-how-to-use-them

11

When my Linux application crashes, it produces a line in the logs something like:

segfault at 0000000 rip 00003f32a823 rsp 000123ade323 error 4

What are those rip and rsp addresses? How do I use them to pinpoint the problem? Do they correspond to something in the objdump or readelf outputs? Are they useful if my program gets its symbols stripped out (to a separate file, which gdb can use)?


edited Oct 20, 2022 at 11:36

pevik


asked Sep 21, 2009 at 21:11

johnnys



2 Answers



7

Well, the rip pointer tells you the instruction that caused the crash. You need to look it up in a map file.

In the map file you will have a list of functions and their starting address. When you load the application it is loaded to a base address. The rip pointer minus the base address gives you the map file address. If you then search through the map file for a function that starts at an address slightly lower than your rip pointer and is followed, in the list, by a function with a higher address, you have located the function that crashed.

From there you need to try and identify what went wrong in your code. It's not much fun, but it at least gives you a starting point.

Edit: The "segfault at" bit is telling you, I'd wager, that you have dereferenced a NULL pointer. The rsp is the current stack pointer. Alas, it's probably not all that useful. With a memory dump you "may" be able to figure out more accurately where you'd got to in the function, but it can be really hard to work out exactly where you are in an optimised build.


edited Sep 21, 2009 at 21:35

answered Sep 21, 2009 at 21:20

Goz

3

I got the error, too. When I saw:

probe.out[28503]: segfault at 0000000000000180 rip 00000000004450c0 rsp 00007fff4d508178 error 4

probe.out is an app that uses libavformat (ffmpeg). I disassembled it:

objdump -d probe.out

The rip is where the instruction will run:

00000000004450c0 <ff_rtp_queued_packet_time>:
  4450c0:       48 8b 97 80 01 00 00    mov    0x180(%rdi),%rdx
  44d25d:       e8 5e 7e ff ff          callq  4450c0 <ff_rtp_queued_packet_time>

Finally, I found the app crashed in the function ff_rtp_queued_packet_time.

PS: Sometimes the address doesn't exactly match, but it is almost there.
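The lookup both answers describe, automated as an added example (not code from either answer): parse the kernel's segfault line, subtract the load base where the binary is position independent, and pick the symbol whose start is the highest address not above rip, which is Goz's "starts slightly lower, next one higher" rule. The symbol table below is a constructed sample in `nm`-style "address type name" form, not real ffmpeg output, and the error-code bit names are the x86 page-fault bits the kernel prints in that field.

```python
import bisect
import re

# The kernel's "segfault at ADDR ip RIP sp RSP error N" line; older kernels (as in the
# question) spell the registers "rip"/"rsp", newer ones "ip"/"sp".
SEGFAULT_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) r?ip (?P<rip>[0-9a-f]+) "
    r"r?sp (?P<rsp>[0-9a-f]+) error (?P<err>\d+)")

# x86 page-fault error-code bits as the kernel prints them; "error 4" means a
# user-mode read of a page that is not present, which fits a NULL dereference.
ERROR_BITS = {1: "protection-violation", 2: "write", 4: "user-mode",
              8: "reserved-bit", 16: "instruction-fetch"}

def parse_segfault(line):
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not a segfault line: %r" % line)
    err = int(m.group("err"))
    return {"addr": int(m.group("addr"), 16), "rip": int(m.group("rip"), 16),
            "rsp": int(m.group("rsp"), 16), "error": err,
            "flags": [n for bit, n in sorted(ERROR_BITS.items()) if err & bit]}

def load_symbols(nm_text):
    """Parse `nm`-style "addr type name" lines into sorted (addrs, names) lists."""
    syms = []
    for fields in (l.split() for l in nm_text.splitlines()):
        if len(fields) == 3 and fields[1] in ("T", "t"):  # code symbols only
            syms.append((int(fields[0], 16), fields[2]))
    syms.sort()
    return [a for a, _ in syms], [n for _, n in syms]

def resolve(rip, symbols, base=0):
    """Map rip to (function, offset): the highest symbol start <= rip - base,
    i.e. the 'starts slightly lower, next one higher' rule from the answers."""
    addrs, names = symbols
    target = rip - base  # subtract the load base for PIE binaries / shared objects
    i = bisect.bisect_right(addrs, target) - 1
    return None if i < 0 else (names[i], target - addrs[i])

# Constructed sample symbol table (not real ffmpeg output); names echo the answer above.
SAMPLE_NM = """\
00000000004450a0 T ff_rtp_parse_close
00000000004450c0 T ff_rtp_queued_packet_time
0000000000445100 T ff_rtp_parse_packet
"""
SAMPLE_LINE = "probe.out[28503]: segfault at 0000000000000180 rip 00000000004450c0 rsp 00007fff4d508178 error 4"
if __name__ == "__main__":
    info = parse_segfault(SAMPLE_LINE)
    print(info["flags"], resolve(info["rip"], load_symbols(SAMPLE_NM)))  # ['user-mode'] ('ff_rtp_queued_packet_time', 0)
```

For a stripped binary, feed `load_symbols` the output of `nm` run on the separate debug file instead; the resolution rule is the same.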