Google celebrates Hispanic Heritage Month. See how.

Debugging components

Developing software means dealing with program crashes and uncovering the source of bugs. Fuchsia has a suite of tools to help identify and diagnose issues in your components from analyzing crash logs to full step-through debugging in core code.

Analyzing crashes

Fuchsia starts a program at boot called crashanalyzer that reports program crashes and prints a backtrace of the crashing thread to the system log. While you can explore these directly by reviewing the logs at runtime, the backtrace content is encoded using the stack memory address references rather than pointing to the corresponding lines in the program source files.

[klog][I] devmgr: crash_analyzer_listener: analyzing exception type 0x108
[klog][I] <== fatal exception: process crasher[42410] thread initial-thread[42424]
[klog][I] <== fatal page fault, PC at 0x1e1888dbbbd7
[klog][I]  CS:                   0 RIP:     0x1e1888dbbbd7 EFL:            0x10246 CR2:                  0
[klog][I]  RAX:                  0 RBX:                0x1 RCX:     0x721ad98697c6 RDX:     0x77accb36f264
[klog][I]  RSI:                  0 RDI:                  0 RBP:     0x2781c4816f90 RSP:     0x2781c4816f80
[klog][I]   R8:                  0  R9:                  0 R10:                  0 R11:              0x246
[klog][I]  R12:     0x773bf11dcda0 R13:     0x773bf11dcdd0 R14:               0x16 R15:         0x78050d69
[klog][I]  errc:               0x6
[klog][I] bottom of user stack:
[klog][I] 0x00002781c4816f80: f11dcda0 0000773b 9ccd2b38 000039b2 |....;w..8+...9..|
[klog][I] 0x00002781c4816f90: c4816fd0 00002781 88dbbba7 00001e18 |.o...'..........|
[klog][I] 0x00002781c4816fa0: 00000008 00000000 9ccd2b38 000039b2 |........8+...9..|
[klog][I] 0x00002781c4816fb0: f11dcf70 0000773b f11dcf70 0000773b |p...;w..p...;w..|
[klog][I] 0x00002781c4816fc0: cb36f570 000077ac f11dcdd0 0000773b |p.6..w......;w..|
[klog][I] 0x00002781c4816fd0: c4816ff0 00002781 cb2b0d0f 000077ac |.o...'....+..w..|
[klog][I] 0x00002781c4816fe0: 00000054 00000000 f11dcf70 0000773b |T.......p...;w..|
[klog][I] 0x00002781c4816ff0: f11dcfe0 0000773b 00000000 00000000 |....;w..........|
[klog][I] arch: x86_64
[klog][I] dso: id=a94c78564173530d51670b6586b1aa471e004f06 base=0x7d3506a49000
[klog][I] dso: id=a61961ba9776a67a00fb322af9ebbdcfd1ce3f62 base=0x77accb297000
[klog][I] dso: id=760f1e6e47d3dd8b6a19150aa47241279ec75a9c base=0x721ad9863000 name=<vDSO>
[klog][I] dso: id=b18462140c6784a53736105bbf3021852eeda68c base=0x1e1888dbb000 name=app:crasher
[klog][I] bt#01: pc 0x1e1888dbbbd7 sp 0x2781c4816f80 (app:crasher,0xbd7)
[klog][I] bt#02: pc 0x1e1888dbbba7 sp 0x2781c4816fa0 (app:crasher,0xba7)
[klog][I] bt#03: pc 0x77accb2b0d0f sp 0x2781c4816fe0 (,0x19d0f)
[klog][I] bt#04: pc 0 sp 0x2781c4817000
[klog][I] bt#05: end

This is because the debug symbols are stripped out of the core binaries by default at build time. To properly analyze the crash log, you need to reapply those symbols to the backtrace to see the call stack in terms of source code line numbers. When you call the ffx log command, the developer tools process the raw log through an additional binary called symbolizer that reapplies the symbols from your local build configuration to any backtraces in the log.

ffx log

The output you see includes the symbols reapplied to the backtrace:

[klog][I] devmgr: crash_analyzer_listener: analyzing exception type 0x108
... same output as "raw" backtrace ...
start of symbolized stack:
[klog][I] #01: blind_write at ../../src/developer/forensics/crasher/cpp/crasher.c:21
[klog][I] #02: main at ../../src/developer/forensics/crasher/cpp/crasher.c:137
[klog][I] #03: start_main at ../../zircon/third_party/ulib/musl/src/env/__libc_start_main.c:49
[klog][I] #04: unknown, can't find pc, sp or app/library in line
end of symbolized stack

With a properly symbolized backtrace, you can directly discover the site of a crash in your source code.

Step-through debugging

Just knowing where a program crashed may not be enough information to fully diagnose the issue. Sometimes it's necessary to walk through the code step-by-step and even inspect the state of variables in memory. To support this, Fuchsia has a debugger for core code called zxdb.

The zxdb tool is a client that connects to a running debug_agent component on the target device. You can use the zxdb commands to configure the debug_agent to attach to specific processes and set breakpoints. Once a debug session is attached to a running process, zxdb allows you to step through the code and inspect the stack frames.

Diagram showing how the Fuchsia debugger (zxdb) interacts with the
debug_agent service running on a Fuchsia device to perform interactive
debugging of a process.

Setting up the debug session requires the following high-level steps:

  1. Run the debug_agent component on the target device.
  2. Run the zxdb client and connect to the target device.
  3. Set the location for zxdb to find debug symbols.

The simplest method to start a debug session is to use the ffx debug connect command, which does all of these in the context of your local Fuchsia build. However, these steps can also be performed manually if you need to configure them separately.

Once the debug session is active, you are taken to a [zxdb] prompt to issue debugger commands. You can use zxdb to configure the debug_agent to attach to a process using a name filter and set pending breakpoints even if no matching process is currently running.

The following example sets a pending breakpoint on main to stop at the beginning of execution, and waits for a process called "hello-world" to start:

[zxdb] attach hello-world
Waiting for process matching "hello-world"

[zxdb] break main
Breakpoint 1 (Software) on Global, Enabled, stop=All, @ main
Pending: No matches for location, it will be pending library loads.

Once the debugger is attached to a process, you can use zxdb commands to control and inspect the state of the process. Here is a short collection of common commands:

step Step over the next line of code in the thread
next Step into the next line of code in the thread
continue Continue execution until the next breakpoint, exception, or exit
frame List or select from the current stack frames
print Evaluate an expression and print the result

Exercise: Using the Fuchsia debugger

In this exercise, you'll use the Fuchsia debugger (zxdb) to inspect a running instance of the echo component and understand the cause of a crash.

Start the emulator

If you do not already have an instance running, start FEMU with networking support:

ffx emu start workstation_eng.qemu-x64 --headless

Once the emulator is running, create a local package repository and register it with the emulator instance:

ffx repository add-from-pm $HOME/.package_repos/sdk-samples -r
ffx target repository register -r

Start a debug session

Once the emulator has started up, start a zxdb debugging session with the ffx debug connect command:

ffx debug connect
Connecting (use "disconnect" to cancel)...
Connected successfully.
πŸ‘‰ To get started, try "status" or "help".

After successfully connecting, the zxdb prompt is ready to accept commands.

Attach to the component

Before launching the component, configure zxdb to attach to an instance of echo. This enables the debugger to attach as soon as the process starts:

[zxdb] attach echo

Set a breakpoint on the greeting() function:

[zxdb] break greeting

With the debugger ready, start a new echo component instance:

ffx component run /core/ffx-laboratory:echo fuchsia-pkg://

Explore the debug session

Upon reaching the breakpoint in greeting(), execution stops and the debugger waits for a new command. Use the list command to show where execution is currently paused:

[zxdb] list
  18 // Return a proper greeting for the list
β–Ά 19 std::string greeting(std::vector<std::string>& names) {
  20   // Join the list of names based on length
  21   auto number_of_names = names.size();
  22   switch (number_of_names) {
  23     case 0:
  24       return "Nobody!";
  25     case 1:
  26       return join(names, "");
  27     case 2:
  28       return join(names, " and ");
  29     default:

Step into the greeting() function using the next command:

[zxdb] next

The print command will output the state of any variables in the current stack frame. Print the current value of names:

[zxdb] print names
{"Alice", "Bob", "Spot"}

Step through the greeting() function a more few times using next:

[zxdb] next

To let the program continue to completion, use the continue command:

[zxdb] continue

Exit the debugging session to return to the terminal:

[zxdb] exit

Introduce some crashing code

Next, you'll add some code to main() to cause the component to crash (or panic). Simulate this behavior by adding an strlen(nullptr) reference just after the arguments are collected:


int main(int argc, const char* argv[], char* envp[]) {
  // ...

  // Simulate a crash 

  // Print a greeting to syslog
  std::cout << "Hello, " << echo::greeting(arguments) << "!" << std::endl;

  return 0;

Run bazel build and verify that the build completes successfully:

bazel build --config=fuchsia_x64 //fuchsia-codelab/echo:pkg \

Start a new debug session with zxdb:

ffx debug connect

Debug the crashing stack frame

Configure the debugger to attach to the echo component:

[zxdb] attach echo

Start a new instance of the component:

ffx component run /core/ffx-laboratory:echo fuchsia-pkg:// --recreate

This time, the debugger detects that an exception was thrown and halts execution:

Attached Process 1 state=Running koid=1164808
 Page fault reading address 0x0 (second chance)
 Process 1 (koid=1164808) thread 1 (koid=1164810)
 Faulting instruction: 0x43e0fd349210

πŸ›‘ strlen(const char*) β€’ strlen.c:21

Use the frame command to inspect the stack trace at the point of the crash:

[zxdb] frame
β–Ά 0 strlen(…) β€’ strlen.c:21
  1 main(…) β€’
  2 Β«libc startupΒ» (-r expands)
  3 Β«libc startupΒ» (-r expands)
  4 $elf(_start) + 0x11

Notice line 1 in the stack trace indicates the point in where the crash happened, corresponding to the nullptr reference.

The current stack frame (frame 0) is deep within the system library, but you can inspect any stack frame by prefixing the command with the frame number from the stack trace.

Print the value of the arguments at the point of the crash by passing the frame number as follows:

[zxdb] frame 1 print arguments
{"Alice", "Bob", "Spot"}

Exit the debugging session to return to the terminal:

[zxdb] exit

Destroy the instance

Clean up the echo instance using the following command:

ffx component destroy /core/ffx-laboratory:echo