Oracle getting anyone’s password

I just published a blog post on how to get the Oracle database link password if for some reason we have forgotten it. Brian Fitzgerald responded to me with:

Indeed, this is a very good point! And here is how we can do that using GDB:

Continue reading

Tracing Memory access of an oracle process : Intel PinTools

This blog post is motivated by a conversation with Frits Hoogland on his great blog post The curious case of the missing semctl call, about how he managed to find a useful memory address (suspecting a fixed SGA variable) used by a process in his investigation. So here I will show how we can easily generate a trace of all, or a range of, the memory addresses referenced by a program with an acceptable overhead.

Continue reading

Latch acquisition/release call-graph including UltraFast Latch

In one of my previous posts I showed that it was not possible to draw a complete latch call graph for a specific process based only on dedicated function calls such as ksl_get_shared_latch, kslgetl and kslfre. The reason for this is that an UltraFast latch can be acquired without the need for a dedicated function call (e.g. inside the kcbgtcr function).

So how do we track them?

Continue reading

Troubleshooting Latch Contention using systemtap

The purpose of this blog post is to show how we can troubleshoot contention on a specific latch using a systemtap script. This post is highly inspired by the “latchprof” script developed by Tanel Poder and his systematic approach to latch contention troubleshooting (for more info please check latch-contention-troubleshooting).

This is what we are going to achieve :

Tested in : oracle

stap -v monitor_latch.stp "latch_address" "latch#" "refresh_time"


This script shows a breakdown of latch holders by pid/session id/sql_hash for the “cache buffers chains” latch with address “0x000000009F69FF60”.

Continue reading

Dynamic tracing tools : Easier access to session/process address [ksupga_]

When troubleshooting a performance problem or investigating Oracle internals using dynamic tracing tools like systemtap, it’s often useful to have the session address at hand. In fact, with the session address we can access a lot of useful information, such as wait_event, the p1 and p2 values, sql_id, and many other fields as stored in X$KSUSE (the underlying table of V$SESSION). Luca Canali has already done great work: he identified that when the function “kskthewt” is called at the end of a wait event, the register R13 (tested with Oracle on RHEL6.5 and with Oracle on OEL7 respectively) is pointing to the session address with some offset, and he also managed to determine the offsets of the different columns of X$KSUSE using X$KQFCO and X$KQFTA, as in here.

The question is: can we determine the session address without probing any function call?

One way to answer this question is to determine how the value stored in the register R13 was set in the function “kskthewt”. Time to disassemble!

NOTE: This post contains no disassembly code of the Oracle executable, just the findings!

For basic info on reverse engineering, please take a look at my previous post.

Continue reading

The missing argument of ksl_get_shared_latch : the power of disassembly in action

In one of my previous posts, entitled Latch acquisition/release call-graph : Dynamic tracing tools in action, I assumed that the function “ksl_get_shared_latch” (in version took only 5 arguments:

  • ksl_get_shared_latch(laddr, wait, why, where,mode)

As an exercise to my previous post Reverse engineering : What we need to know as a DBA ? I decided to take a deeper look

Continue reading