I was in need of symbolicating an OS X kernel panic.log and consulting Apple's TN2063 (Understanding and Debugging Kernel Panics) to do that, when I realized that Apple had last updated this document in 2008: kextload would complain about paramters it no longer knows about, gdb no longer ships with Xcode and the Kernel Debug Kits for more recent OS X releases neither include the referenced tools nor is their layout compatible with what that TechNote expects.

In other words: if you want to symbolicate a recent kernel panic log, that TechNote - which used to be a great resource for that purpose - is no longer of any help; you're on your own.

So, after some research, I'd like to share with you how I managed to symbolicate an OS X 10.11 panic log by hand using lldb and the kernel debug kit for 10.11:

  1. If you haven't already done so, download the kernel debug kit for the OS X release the panic occured on from https://developer.apple.com/downloads/ and install it. That will add a kernel debug kit for that OS X release to /Library/Developer/KDKs/.
  2. Open Terminal.app and start an interactive lldb session with the kernel image of the KDK you just installed (all in one line):
    $ lldb /Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel
  3. LLDB will inform you that 'kernel' contains a debug script and provides instructions to add these to the current session. Add them to the session.
    (lldb) target create "/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel" warning: 'kernel' contains a debug script. To run this script in this debug session: command script import "/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/../Python/kernel.py" To run all discovered debug scripts in this session: settings set target.load-script-from-symbol-file true Current executable set to '/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel' (x86_64). (lldb) settings set target.load-script-from-symbol-file true
  4. The kexts included in the backtrace are listed under "Kernel Extensions in backtrace" along with their addresses. Let's add them next, using this as a template:
    (lldb) addkext -F [PathTo.Kext]/Contents/MacOS/[KextExecutable] [KextLoadAddress]
    The [KextLoadAddress] is the start address that is included after the @ sign. Example:
    (lldb) addkext -F /Library/Extensions/My.kext/Contents/MacOS/My 0xffffff7f80d51000
  5. We can now look up the symbol for any address by feeding the return address (on the right side of the colon) into
    (lldb) image lookup -a [ReturnAddress]
    (lldb) image lookup -a 0xffffff7f80d536f5

I'm pretty sure there are better ways to use lldb to symbolicate a panic.log, but it's the only I could find for now. If you know about a more efficient way, please don't hesitate to post it in the comments.

Next post
Previous post