/proc/<pid>/stat 的“eip”字段似乎没有更新

Question

根据这个线程，/proc//stat的第30个值（从1开始）应该显示进程的'eip'值。

Get instruction pointer of running application on Unix

但是当我打印 bash 进程的第 30 个值时，它一直返回相同的地址：

root@graphics:/proc# ps | grep bash
 3032 pts/21   00:00:00 bash
root@graphics:/proc# cd 3032
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a
root@graphics:/proc/3032# cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f53790ef84a

即使 chrome 也是如此。我认为'eip'值在执行时会不断变化。为什么总是返回相同的地址？

---

好的，看了明杰的回答后，我下定决心，如果我超级频繁地检查，这个值是否真的会发生变化。目标进程是 chrome，它的 pid 是 1834。这是我代表我检查值的 bash 脚本：

#!/bin/bash

EIP=
while true; do
    NEW_EIP=`cat /proc/1834/stat | awk '{print $30}' | xargs printf "0x%x"`
    if [[ "$NEW_EIP" != "$EIP" ]]; then
        echo "eip changed! (eip: " $NEW_EIP ")"
    fi

    EIP=$NEW_EIP
    echo $EIP >> $0.dump
done

如果捕获的第 30 个值与之前捕获的值不同，则该脚本旨在打印 eip changed! 消息。当我运行这个脚本时，结果发现它实际上正在改变！

root@graphics:/home/gwangmu/Documents# ./eiptest 
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868ce0d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868ce0d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868cbfa )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868ce0d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868d23d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868d23d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94e868ce0d )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94ee983c7a )
eip changed! (eip:  0x7f94e711e8dd )
eip changed! (eip:  0x7f94ee7a1190 )
eip changed! (eip:  0x7f94e711e8dd )

我希望它对其他人有一点帮助。谢谢明杰！

Answer 1

bash 运行程序时，会一直等到子进程退出，所以eip 指向的是waitpid 调用的退出地址

/proc/9919$ cat stat | awk '{print $30}' | xargs printf "0x%x" && echo
0x7f037e3a831c

您可以使用gdb查看它

% gdb
(gdb) attach 9919
Attaching to process 9919
Reading symbols from /bin/bash...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_compat.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnsl.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_nis.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
0x00007f037e3ca5e0 in read () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) disassemble 0x7f037e3a831c
Dump of assembler code for function waitpid:
   0x00007f037e3a8300 <+0>: mov    0x2f14cd(%rip),%r9d        # 0x7f037e6997d4
   0x00007f037e3a8307 <+7>: test   %r9d,%r9d
   0x00007f037e3a830a <+10>:    jne    0x7f037e3a8336 <waitpid+54>
   0x00007f037e3a830c <+12>:    xor    %r10d,%r10d
   0x00007f037e3a830f <+15>:    movslq %edx,%rdx
   0x00007f037e3a8312 <+18>:    movslq %edi,%rdi
   0x00007f037e3a8315 <+21>:    mov    $0x3d,%eax
   0x00007f037e3a831a <+26>:    syscall 
   0x00007f037e3a831c <+28>:    cmp    $0xfffffffffffff000,%rax
   0x00007f037e3a8322 <+34>:    ja     0x7f037e3a8325 <waitpid+37>
   0x00007f037e3a8324 <+36>:    retq   
   0x00007f037e3a8325 <+37>:    mov    0x2ebb3c(%rip),%rdx        # 0x7f037e693e68
   0x00007f037e3a832c <+44>:    neg    %eax
   0x00007f037e3a832e <+46>:    mov    %eax,%fs:(%rdx)
   0x00007f037e3a8331 <+49>:    or     $0xffffffffffffffff,%rax
   0x00007f037e3a8335 <+53>:    retq   
   0x00007f037e3a8336 <+54>:    push   %rbx
   0x00007f037e3a8337 <+55>:    sub    $0x10,%rsp
   0x00007f037e3a833b <+59>:    mov    %edx,0xc(%rsp)
   0x00007f037e3a833f <+63>:    mov    %rsi,(%rsp)
   0x00007f037e3a8343 <+67>:    mov    %edi,0x8(%rsp)
   0x00007f037e3a8347 <+71>:    callq  0x7f037e3e3620
   0x00007f037e3a834c <+76>:    mov    $0x3d,%ecx
   0x00007f037e3a8351 <+81>:    mov    %eax,%r8d
   0x00007f037e3a8354 <+84>:    xor    %r10d,%r10d
   0x00007f037e3a8357 <+87>:    movslq 0xc(%rsp),%rdx
   0x00007f037e3a835c <+92>:    mov    (%rsp),%rsi
   0x00007f037e3a8360 <+96>:    mov    %ecx,%eax
   0x00007f037e3a8362 <+98>:    movslq 0x8(%rsp),%rdi
   0x00007f037e3a8367 <+103>:   syscall 
   0x00007f037e3a8369 <+105>:   cmp    $0xfffffffffffff000,%rax
   0x00007f037e3a836f <+111>:   mov    %rax,%rbx
   0x00007f037e3a8372 <+114>:   ja     0x7f037e3a8384 <waitpid+132>
   0x00007f037e3a8374 <+116>:   mov    %r8d,%edi
   0x00007f037e3a8377 <+119>:   callq  0x7f037e3e3680
   0x00007f037e3a837c <+124>:   add    $0x10,%rsp
   0x00007f037e3a8380 <+128>:   mov    %ebx,%eax
   0x00007f037e3a8382 <+130>:   pop    %rbx
   0x00007f037e3a8383 <+131>:   retq   
   0x00007f037e3a8384 <+132>:   mov    0x2ebadd(%rip),%rax        # 0x7f037e693e68
   0x00007f037e3a838b <+139>:   neg    %ebx
   0x00007f037e3a838d <+141>:   mov    %ebx,%fs:(%rax)
   0x00007f037e3a8390 <+144>:   or     $0xffffffffffffffff,%rbx
   0x00007f037e3a8394 <+148>:   jmp    0x7f037e3a8374 <waitpid+116>
End of assembler dump.

0x7f037e3a831c 在函数 waitpid 中的系统调用之后