1# Introduction 2 3Linux implements its userland-to-kernel transition using a special library 4called linux-gate.so that is mapped by the kernel into every process. For more 5information, see 6 7http://www.trilithium.com/johan/2005/08/linux-gate/ 8 9In a nutshell, the problem is that the system call gate function, 10kernel\_vsyscall does not use EBP to point to the frame pointer. 11 12However, the Breakpad processor supports special frames like this via STACK 13lines in the symbol file. If you look in src/client/linux/data you will see 14symbol files for linux-gate.so for both Intel & AMD(the implementation of 15kernel\_vsyscall changes depending on the CPU manufacturer). When processing 16minidumps from Linux 2.6, having these symbol files is necessary for walking the 17stack for crashes that happen while a thread is in a system call. 18 19If you're just interested in processing minidumps, those two symbol files should 20be all you need! 21 22# Details 23 24The particular details of understanding the linux-gate.so symbol files can be 25found by reading about STACK lines inside 26src/common/windows/pdb\_source\_line\_writer.cc, and the above link. To 27summarize briefly, we just have to inform the processor how to get to the 28previous frame when the EIP is inside kernel\_vsyscall, and we do that by 29telling the processor how many bytes kernel\_vsyscall has pushed onto the stack 30in it's prologue. For example, one of the symbol files looks somewhat like the 31following: 32 33MODULE Linux x86 random\_debug\_id linux-gate.so PUBLIC 400 0 kernel\_vsyscall 34STACK WIN 4 100 1 1 0 0 0 0 0 1 35 36The PUBLIC line indicates that kernel\_vsyscall is at offset 400 (in bytes) from 37the beginning of linux-gate.so. The STACK line indicates the size of the 38function(100), how many bytes it pushes(1), and how many bytes it pops(1). The 39last 1 indicates that EBP is pushed onto the stack before being used by the 40function. 41 42# Warnings 43 44These functions might change significantly depending on kernel version. In my 45opinion, the actual function stack information is unlikely to change frequently, 46but the Linux kernel might change the address of kernel\_vsyscall w.r.t the 47beginning of linux-gate.so, which would cause these symbol files to be invalid. 48