用Python开发的代码,有些时候会出现一些故障,这些故障很难从Python级调试中排查出原因。此时,需要对Python解释器进行C级调试,以排查更底层的原因。本文以定位Python built-in函数的源码实现为例,展示这种C级调试的片段。
Q:
我想查看os.system()的源码
>>> import os >>> os.system >>> os.__file__ '/usr/lib/python2.7/os.pyc' >>> import inspect >>> inspect.getfile(os) '/usr/lib/python2.7/os.pyc' >>> inspect.getmodule(os)
这些信息不是我想要的。
A: scz 2015-09-21 10:21
# gdb -q --args /usr/bin/python2.7-dbg -c 'import os;os.system("echo $$;/bin/sleep 1")'
built-in函数名等于system时断下:
(gdb) b PyCFunction_Call if (0==strcmp(((PyCFunctionObject *)func)->m_ml->ml_name,"system"))
Breakpoint 1 at 0x80bc2a1: file ../Objects/methodobject.c, line 73.
(gdb) r
...
Breakpoint 1, PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:73
73 PyCFunctionObject* f = (PyCFunctionObject*)func;
PyCFunction_Call()用于调用built-in函数。
(gdb) output func
即将调用built-in函数system()。查看此时的模块名:
(gdb) output *(PyCFunctionObject *)func
{
_ob_next = 0xb7d30c68,
_ob_prev = 0xb7d30cd8,
ob_refcnt = 4,
ob_type = 0x82b9780 ,
m_ml = 0x82f72b0 ,
m_self = 0x0,
m_module = 'posix'
}
(gdb) x/s PyString_AsString(((PyCFunctionObject *)func)->m_module)
0xb7d303fc: "posix"
模块名不是想像中的os,而是posix,意味着os模块调用了posix模块。
针对PyCFunction_Call()设置条件断点时,不要轻易检查m_module,除非确知其名。
查看此时的函数信息:
(gdb) output *(((PyCFunctionObject *)func)->m_ml)
{
ml_name = 0x826e8c9 "system",
ml_meth = 0x81f5ea9 ,
ml_flags = 1,
ml_doc = 0x82f3f40 "system(command) -> exit_status\n\nExecute the command (a string) in a subshell."
}
(gdb) x/s ((PyCFunctionObject *)func)->m_ml->ml_name
0x826e8c9: "system"
(gdb) output/x ((PyCFunctionObject *)func)->m_ml->ml_meth
0x81f5ea9
(gdb) info symbol 0x81f5ea9
(gdb) info symbol ((PyCFunctionObject *)func)->m_ml->ml_meth
posix_system in section .text of /usr/bin/python2.7-dbg
built-in函数system()对应的C实现是posix_system():
(gdb) list posix_system
2791 "system(command) -> exit_status\n\n\
2792 Execute the command (a string) in a subshell.");
2793
2794 static PyObject *
2795 posix_system(PyObject *self, PyObject *args)
2796 {
2797 char *command;
2798 long sts;
2799 if (!PyArg_ParseTuple(args, "s:system", &command))
2800 return NULL;
(gdb) info source
Current source file is ../Modules/posixmodule.c
Compilation directory is /home/packages/python/2.7/d/python2.7-2.7.9/build-debug
Located in /usr/src/python/python2.7-2.7.9/Modules/posixmodule.c
Contains 9512 lines.
Source language is c.
Compiled with DWARF 2 debugging format.
Does not include preprocessor macro info.
现在知道os.system()对应posixmodule.c中的posix_system()。我一般在Source Insight里查看精确版本的源码实现,如果想快速了解大概,可以在线查看:
http://svn.python.org/projects/python/trunk/Modules/posixmodule.c http://hg.python.org/cpython/file/2.7/Modules/posixmodule.c
(gdb) tb *posix_system
Temporary breakpoint 2 at 0x81f5ea9: file ../Modules/posixmodule.c, line 2796.
(gdb) c
Continuing.
Temporary breakpoint 2, posix_system (self=, args=) at ../Modules/posixmodule.c:2796
2796 {
(gdb) bt 10
#0 posix_system (self=, args=) at ../Modules/posixmodule.c:2796
#1 0x080bc300 in PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:81
#2 0x08149d0b in call_function (pp_stack=0xbffff804, oparg=1) at ../Python/ceval.c:4033
#3 0x081454ec in PyEval_EvalFrameEx (f=Frame 0xb7c5c034, for file , line 1, in (), throwflag=0) at ../Python/ceval.c:2679
#4 0x08147a77 in PyEval_EvalCodeEx ... at ../Python/ceval.c:3265
#5 0x0813d035 in PyEval_EvalCode ... at ../Python/ceval.c:667
#6 0x08172b65 in run_mod ... at ../Python/pythonrun.c:1371
#7 0x08172a71 in PyRun_StringFlags ... at ../Python/pythonrun.c:1334
#8 0x081716de in ... at ../Python/pythonrun.c:975
#9 0x0818983d in Py_Main (argc=3, argv=0xbffffc84) at ../Modules/main.c:584
(More stack frames follow...)
不要用”until *posix_system”,until有个很微妙的限制:
(gdb) help until Execute until the program reaches a source line greater than the current or a specified location (same args as break command) within the current frame.
注意这句,”within the current frame”。一般意义上until *addr并不等价于tb *addr;c。而我们通常想要的是后者。这与windbg的g addr命令有显著不同。以前被坑过,跑飞了还奇怪为什么,辛辛苦苦得到的中间状态就这么没了。
其实,如果确知os.system()会调用C函数system(),可以直接针对后者下断,然后查看调用栈回溯:
(gdb) tb *system
Temporary breakpoint 3 at 0xb7fa9be0: file pt-system.c, line 27.
(gdb) c
Continuing.
Temporary breakpoint 3, system (line=0xb7c448fc "echo $$;/bin/sleep 1") at pt-system.c:27
27 {
(gdb) bt 5
#0 system (line=0xb7c448fc "echo $$;/bin/sleep 1") at pt-system.c:27
#1 0x081f5efc in posix_system (self=0x0, args=('echo $$;/bin/sleep 1',)) at ../Modules/posixmodule.c:2802
#2 0x080bc300 in PyCFunction_Call (func=, arg=('echo $$;/bin/sleep 1',), kw=0x0) at ../Objects/methodobject.c:81
#3 0x08149d0b in call_function (pp_stack=0xbffff804, oparg=1) at ../Python/ceval.c:4033
#4 0x081454ec in PyEval_EvalFrameEx (f=Frame 0xb7c5c034, for file , line 1, in (), throwflag=0) at ../Python/ceval.c:2679
(More stack frames follow...)
从中一眼就看到posixmodule.c的posix_system()。
我前面演示的复杂方案是广谱方案。