struct command

crash> help struct

NAME
  struct - structure contents

SYNOPSIS
  struct struct_name[.member[,member]][-o][-l offset][-rfuxdp][address | symbol]
         [count | -c count]

DESCRIPTION
  This command displays either a structure definition, or a formatted display
  of the contents of a structure at a specified address.  When no address is
  specified, the structure definition is shown along with the structure size.
  A structure member may be appended to the structure name in order to limit
  the scope of the data displayed to that particular member; when no address
  is specified, the member's offset and definition are shown.

    struct_name  name of a C-code structure used by the kernel.
        .member  name of a structure member; to display multiple members of a
                 structure, use a comma-separated list of members.

             -o  show member offsets when displaying structure definitions;
                 if used with an address or symbol argument, each member will
                 be preceded by its virtual address.

        address  hexadecimal address of a structure; if the address points
                 to an embedded list_head structure contained within the
                 target data structure, then the "-l" option must be used.
         symbol  symbolic reference to the address of a structure.

    crash> struct vm_area_struct
    struct vm_area_struct {
        struct mm_struct *vm_mm;
        long unsigned int vm_start;
        long unsigned int vm_end;
        struct vm_area_struct *vm_next;
        pgprot_t vm_page_prot;
        short unsigned int vm_flags;
        short int vm_avl_height;
        struct vm_area_struct *vm_avl_left;
        struct vm_area_struct *vm_avl_right;
        struct vm_area_struct *vm_next_share;
        struct vm_area_struct **vm_pprev_share;
        struct vm_operations_struct *vm_ops;
        long unsigned int vm_offset;
        struct file *vm_file;
        long unsigned int vm_pte;
    }
    SIZE: 56

    crash> struct vm_area_struct -o
    struct vm_area_struct {
       [0] struct mm_struct *vm_mm;
       [4] long unsigned int vm_start;
       [8] long unsigned int vm_end;
      [12] struct vm_area_struct *vm_next;
      [16] pgprot_t vm_page_prot;
      [20] short unsigned int vm_flags;
      [22] short int vm_avl_height;
      [24] struct vm_area_struct *vm_avl_left;
      [28] struct vm_area_struct *vm_avl_right;
      [32] struct vm_area_struct *vm_next_share;
      [36] struct vm_area_struct **vm_pprev_share;
      [40] struct vm_operations_struct *vm_ops;
      [44] long unsigned int vm_offset;
      [48] struct file *vm_file;
      [52] long unsigned int vm_pte;
    }
    SIZE: 56

  Display the definition and offset of the pgd member of an mm_struct:

    crash> struct mm_struct.pgd
    struct mm_struct {
       [80] pgd_t *pgd;
    }

  Display the pgd member of the mm_struct at address ffff810022e7d080:

    crash> struct mm_struct.pgd ffff810022e7d080
      pgd = 0xffff81000e3ac000

crash> set hex
output radix: 16 (hex)
ppp_asynctty_receive(struct tty_struct *tty, const unsigned char *buf,char *cflags, int count)

crash> dis ppp_asynctty_receive
0xc02a98cc <ppp_asynctty_receive>:      mov     r12, sp
0xc02a98d0 <ppp_asynctty_receive+0x4>:  push    {r4, r5, r6, r7, r8, r9, r10, r11, r12, lr, pc}
0xc02a98d4 <ppp_asynctty_receive+0x8>:  sub     r11, r12, #4
0xc02a98d8 <ppp_asynctty_receive+0xc>:  sub     sp, sp, #20
0xc02a98dc <ppp_asynctty_receive+0x10>: mov     r8, r1/*buf*/
0xc02a98e0 <ppp_asynctty_receive+0x14>: mov     r7, r2
0xc02a98e4 <ppp_asynctty_receive+0x18>: mov     r10, r3
0xc02a98e8 <ppp_asynctty_receive+0x1c>: str     r0, [r11, #-56] ; 0x38
0xc02a98ec <ppp_asynctty_receive+0x20>: bl      0xc02a97dc <ap_get>
0xc02a98f0 <ppp_asynctty_receive+0x24>: subs    r4, r0, #0
0xc02a98f4 <ppp_asynctty_receive+0x28>: beq     0xc02a9d34 <ppp_asynctty_receive+1128>
0xc02a98f8 <ppp_asynctty_receive+0x2c>: add     r9, r4, #28
0xc02a98fc <ppp_asynctty_receive+0x30>: mov     r0, r9
0xc02a9900 <ppp_asynctty_receive+0x34>: bl      0xc053fd54 <_raw_spin_lock_irqsave>
0xc02a9904 <ppp_asynctty_receive+0x38>: str    4r0, [r11, #-52] ; 0x34
0xc02a9908 <ppp_asynctty_receive+0x3c>: ldr     r0, [r4, #12]
0xc02a990c <ppp_asynctty_receive+0x40>: mvn     r3, r0
0xc02a9910 <ppp_asynctty_receive+0x44>: tst     r3, #251658240  ; 0xf000000
0xc02a9914 <ppp_asynctty_receive+0x48>: movne   r2, #0
0xc02a9918 <ppp_asynctty_receive+0x4c>: movne   r3, r2
0xc02a991c <ppp_asynctty_receive+0x50>: bne     0xc02a9970 <ppp_asynctty_receive+164>
0xc02a9920 <ppp_asynctty_receive+0x54>: b       0xc02a9980 <ppp_asynctty_receive+180>
0xc02a9924 <ppp_asynctty_receive+0x58>: cmp     r7, #0
0xc02a9928 <ppp_asynctty_receive+0x5c>: ldrb    r1, [r8, r3]
0xc02a992c <ppp_asynctty_receive+0x60>: beq     0xc02a993c <ppp_asynctty_receive+112>
0xc02a9930 <ppp_asynctty_receive+0x64>: ldrb    r12, [r7, r3]
0xc02a9934 <ppp_asynctty_receive+0x68>: cmp     r12, #0
0xc02a9938 <ppp_asynctty_receive+0x6c>: bne     0xc02a996c <ppp_asynctty_receive+160>
0xc02a993c <ppp_asynctty_receive+0x70>: eor     r12, r1, r1, lsr #4
0xc02a9940 <ppp_asynctty_receive+0x74>: tst     r1, #128        ; 0x80
0xc02a9944 <ppp_asynctty_receive+0x78>: and     r12, r12, #15
0xc02a9948 <ppp_asynctty_receive+0x7c>: movw    r1, #27030      ; 0x6996
0xc02a994c <ppp_asynctty_receive+0x80>: asr     r12, r1, r12
0xc02a9950 <ppp_asynctty_receive+0x84>: movne   r1, #33554432   ; 0x2000000
0xc02a9954 <ppp_asynctty_receive+0x88>: moveq   r1, #16777216   ; 0x1000000
0xc02a9958 <ppp_asynctty_receive+0x8c>: tst     r12, #1
0xc02a995c <ppp_asynctty_receive+0x90>: orr     r2, r1, r2
0xc02a9960 <ppp_asynctty_receive+0x94>: movne   r1, #134217728  ; 0x8000000
0xc02a9964 <ppp_asynctty_receive+0x98>: moveq   r1, #67108864   ; 0x4000000
0xc02a9968 <ppp_asynctty_receive+0x9c>: orr     r2, r2, r1
0xc02a996c <ppp_asynctty_receive+0xa0>: add     r3, r3, #1
0xc02a9970 <ppp_asynctty_receive+0xa4>: cmp     r3, r10
0xc02a9974 <ppp_asynctty_receive+0xa8>: blt     0xc02a9924 <ppp_asynctty_receive+88>
0xc02a9978 <ppp_asynctty_receive+0xac>: orr     r2, r2, r0
0xc02a997c <ppp_asynctty_receive+0xb0>: str     r2, [r4, #12]
0xc02a9980 <ppp_asynctty_receive+0xb4>: add     r2, r4, #116    ; 0x74
0xc02a9984 <ppp_asynctty_receive+0xb8>: str     r2, [r11, #-48] ; 0x30
0xc02a9988 <ppp_asynctty_receive+0xbc>: b       0xc02a9ccc <ppp_asynctty_receive+1024>
0xc02a998c <ppp_asynctty_receive+0xc0>: ldr     r3, [r4, #8]
0xc02a9990 <ppp_asynctty_receive+0xc4>: tst     r3, #2
0xc02a9994 <ppp_asynctty_receive+0xc8>: beq     0xc02a99a8 <ppp_asynctty_receive+220>
0xc02a9998 <ppp_asynctty_receive+0xcc>: ldrb    r2, [r8]
0xc02a999c <ppp_asynctty_receive+0xd0>: cmp     r2, #125        ; 0x7d
0xc02a99a0 <ppp_asynctty_receive+0xd4>: moveq   r6, #1
0xc02a99a4 <ppp_asynctty_receive+0xd8>: beq     0xc02a99e0 <ppp_asynctty_receive+276>
0xc02a99a8 <ppp_asynctty_receive+0xdc>: mov     r6, #0
0xc02a99ac <ppp_asynctty_receive+0xe0>: ldrb    r2, [r8, r6]

[  377.819440:0] Unable to handle kernel NULL pointer dereference at virtual address 00000117
[  377.827709:0] pgd = c0004000
[  377.830597:0] [00000117] *pgd=00000000
[  377.834356:0] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  377.839835:0] Modules linked in:
[  377.843079:0] CPU: 0    Not tainted  (3.4.0-g1d9dbdb #7)
[  377.848399:0] PC is at ppp_asynctty_receive+0xe0/0x478
[  377.853531:0] LR is at get_parent_ip+0x14/0x48
[  377.857977:0] pc : [<c02a99ac>]    lr : [<c004d550>]    psr: 60000193
[  377.857984:0] sp : e45c3ed8  ip : e45c3e80  fp : e45c3f14
[  377.869777:0] r10: 00010000  r9 : e040201c  r8 : 00000117
[  377.875156:0] r7 : b4050402  r6 : 00000000  r5 : df7018a8  r4 : e0402000
[  377.881831:0] r3 : 00000000  r2 : e0402074  r1 : e45c3e80  r0 : 0f000000

从上可知：输入参数struct tty_struct *tty【r0】对应的是r4: e0402000

crash> rd e0402000
e0402000:  df701800                              ..p.
crash> struct tty_struct.magic df701800 [symbol, 内容才是symbol]
  magic = 0x5401

tty->magic = TTY_MAGIC;[0x5401]

而

crash> struct tty_struct.magic e0402000
  magic = 0xdf701800
从代码看肯定是不对的。
这是为什么那？【不管怎么说这里要记着】

但是：

crash> struct tty_struct.buf df701800
  buf = {
    work = {
      data = {
        counter = 0x0
      },
      entry = {
        next = 0xdf7018cc,
        prev = 0xdf7018cc
      },
      func = 0xc01fa710 <flush_to_ldisc>
    },
    lock = {
      {
        rlock = {
          raw_lock = {
            lock = 0x0
          },
          break_lock = 0x0
        }
      }
    },
    head = 0xc91e9340,
    tail = 0xc91e9340,
    free = 0xdf7a4c00,
    memory_used = 0x0
  }
struct tty_bufhead {
    struct work_struct work;
    spinlock_t lock;
    struct tty_buffer *head;
    struct tty_buffer *tail;
    struct tty_buffer *free;
    int memory_used;
}

就是直接使用struct tty_buffer *head：head = 0xc91e9340,

crash> tty_buffer 0xc91e9340
struct tty_buffer {
  next = 0xd0161280,
  char_buf_ptr = 0x117 <Address 0x117 out of bounds>,
  flag_buf_ptr = 0xb4050402 <Address 0xb4050402 out of bounds>,
  used = 0x2040101,
  size = 0x9030301,
  commit = 0x2040101,
  read = 0x10000,
  data = 0xc91e935c
}

而不是

crash> rd 0xc91e9340
c91e9340:  d0161280                              ....
crash> tty_buffer d0161280
struct tty_buffer {
  next = 0x83c46c61,
  char_buf_ptr = 0x1f1c003a <Address 0x1f1c003a out of bounds>,
  flag_buf_ptr = 0x6d696c45 <Address 0x6d696c45 out of bounds>,
  used = 0xc5616e69,
  size = 0xc32069a3,
  commit = 0x72746eae,
  read = 0x6c756765,
  data = 0xd016129c
}

这可能是和传参数有关，而不是对struct command等基本定义的理解是错误的。