I was in need of symbolicating an OS X kernel panic.log and consulting Apple's TN2063 (Understanding and Debugging Kernel Panics) to do that, when I realized that Apple had last updated this document in 2008: kextload would complain about parameters it no longer knows about, gdb no longer ships with Xcode and the Kernel Debug Kits for more recent OS X releases neither include the referenced tools nor is their layout compatible with what that TechNote expects.

In other words: if you want to symbolicate a recent kernel panic log, that TechNote - which used to be a great resource for that purpose - is no longer of any help; you're on your own.

So, after some research, I'd like to share with you how I managed to symbolicate an OS X 10.11 panic log by hand using lldb and the kernel debug kit for 10.11:

  1. If you haven't already done so, download the kernel debug kit for the OS X release the panic occurred on from https://developer.apple.com/downloads/ and install it. That will add a kernel debug kit for that OS X release to /Library/Developer/KDKs/.
  2. Open Terminal.app and start an interactive lldb session with the kernel image of the KDK you just installed (all in one line):
    $ lldb /Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel
  3. LLDB will inform you that 'kernel' contains a debug script and provides instructions to add these to the current session. Add them to the session.
    (lldb) target create "/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel"
    warning: 'kernel' contains a debug script. To run this script in this debug session:
        command script import "/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/../Python/kernel.py"
    To run all discovered debug scripts in this session:
        settings set target.load-script-from-symbol-file true
    Current executable set to '/Library/Developer/KDKs/KDK_10.11_15A284.kdk/System/Library/Kernels/kernel' (x86_64).
    (lldb) settings set target.load-script-from-symbol-file true
  4. The kexts included in the backtrace are listed under "Kernel Extensions in backtrace" along with their addresses. Let's add them next, using this as a template:
    (lldb) addkext -F [PathTo.Kext]/Contents/MacOS/[KextExecutable] [KextLoadAddress]
    The [KextLoadAddress] is the start address that is included after the @ sign. Example:
    (lldb) addkext -F /Library/Extensions/My.kext/Contents/MacOS/My 0xffffff7f80d51000
  5. We can now look up the symbol for any address by feeding the return address (on the right side of the colon) into
    (lldb) image lookup -a [ReturnAddress]
    (lldb) image lookup -a 0xffffff7f80d536f5
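
Steps 3 to 5 can be generated from the panic log instead of typed by hand. The following is an added example, not code from the original post or from Apple: it parses the backtrace and the "Kernel Extensions in backtrace" section and prints the lldb commands to paste into the session. The sample log is constructed, the bundle ID `com.example.My` and the function names are assumptions, and like the steps above it does not account for KASLR.

```python
import re

# Constructed sample in the panic.log layout the steps describe; the bundle IDs,
# UUIDs and kernel addresses are made up, the kext addresses are the post's example.
SAMPLE = """\
Backtrace (CPU 0), Frame : Return Address
0xffffff80b1c3b8a0 : 0xffffff80002e5307
0xffffff80b1c3b920 : 0xffffff7f80d536f5
      Kernel Extensions in backtrace:
         com.example.My(1.0)[00000000-0000-0000-0000-000000000000]@0xffffff7f80d51000->0xffffff7f80d55fff
            dependency: com.example.Dep(2.9)[00000000-0000-0000-0000-000000000001]@0xffffff7f80b2d000
"""

# "frame : return address" pairs; the return address is right of the colon.
FRAME_RE = re.compile(r"^\s*0x[0-9a-f]+ : (0x[0-9a-f]+)\s*$", re.M)
# Kexts in the backtrace carry a start->end range after '@'; dependency lines do not.
KEXT_RE = re.compile(r"^\s*([\w.-]+)\([^)]*\)(?:\[[^\]]*\])?@(0x[0-9a-f]+)->(0x[0-9a-f]+)", re.M)


def parse_panic(text):
    """Return (return_addresses, {bundle_id: (start, end)}) from a panic log."""
    frames = [int(m.group(1), 16) for m in FRAME_RE.finditer(text)]
    kexts = {m.group(1): (int(m.group(2), 16), int(m.group(3), 16))
             for m in KEXT_RE.finditer(text)}
    return frames, kexts


def owner_of(addr, kexts):
    """Name the kext whose range contains addr and the offset into it."""
    for bundle_id, (start, end) in kexts.items():
        if start <= addr <= end:
            return bundle_id, addr - start
    return "kernel", None  # not inside any listed kext


def lldb_commands(text, kext_binaries):
    """Build the step 3-5 commands; kext_binaries maps bundle ID -> executable path."""
    frames, kexts = parse_panic(text)
    cmds = ["settings set target.load-script-from-symbol-file true"]
    cmds += [f"addkext -F {kext_binaries[b]} {start:#x}"
             for b, (start, _) in kexts.items() if b in kext_binaries]
    cmds += [f"image lookup -a {addr:#x}" for addr in frames]
    return cmds


if __name__ == "__main__":
    paths = {"com.example.My": "/Library/Extensions/My.kext/Contents/MacOS/My"}
    print("\n".join(lldb_commands(SAMPLE, paths)))
```

The `settings set` line applies to every symbol file lldb loads in the session, so when kexts from third parties are added, the single `command script import` line from the warning in step 3 is the narrower choice.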

I'm pretty sure there are better ways to use lldb to symbolicate a panic.log, but it's the only one I could find for now. If you know about a more efficient way, please don't hesitate to post it in the comments.


Accounting for KASLR
Feb 27, 2019

Rudy Richter on Twitter pointed out to me that my blog post does not account for KASLR and that, in that regard, this mail on Apple's darwin-kernel list can be really helpful.
