This skill helps you analyze DWARF debug information across v3-v5, answer standards questions, and assist code interacting with DWARF data.

npx playbooks add skill trailofbits/skills --skill dwarf-expert

---
name: dwarf-expert
description: Provides expertise for analyzing DWARF debug files and understanding the DWARF debug format/standard (v3-v5). Triggers when understanding DWARF information, interacting with DWARF files, answering DWARF-related questions, or working with code that parses DWARF data.
allowed-tools:
  - Read
  - Bash
  - Grep
  - Glob
  - WebSearch
---
# Overview
This skill provides technical knowledge and expertise about the DWARF standard and how to interact with DWARF files. Tasks include answering questions about the DWARF standard, providing examples of various DWARF features, parsing and/or creating DWARF files, and writing/modifying/analyzing code that interacts with DWARF data.

## When to Use This Skill
- Understanding or parsing DWARF debug information from compiled binaries
- Answering questions about the DWARF standard (v3, v4, v5)
- Writing or reviewing code that interacts with DWARF data
- Using `dwarfdump` or `readelf` to extract debug information
- Verifying DWARF data integrity with `llvm-dwarfdump --verify`
- Working with DWARF parsing libraries (libdwarf, pyelftools, gimli, etc.)

## When NOT to Use This Skill
- **DWARF v1/v2 Analysis**: Expertise limited to versions 3, 4, and 5.
- **General ELF Parsing**: Use standard ELF tools if DWARF data isn't needed.
- **Executable Debugging**: Use dedicated debugging tools (gdb, lldb, etc.) for debugging executable code/runtime behavior.
- **Binary Reverse Engineering**: Use dedicated RE tools (Ghidra, IDA) unless specifically analyzing DWARF sections.
- **Compiler Debugging**: DWARF generation issues are compiler-specific, not covered here.

# Authoritative Sources
When specific DWARF standard information is needed, use these authoritative sources:

1. **Official DWARF Standards (dwarfstd.org)**: Use web search to find specific sections of the official DWARF specification at dwarfstd.org. Search queries like "DWARF5 DW_TAG_subprogram attributes site:dwarfstd.org" are effective.

2. **LLVM DWARF Implementation**: The LLVM project's DWARF handling code at `llvm/lib/DebugInfo/DWARF/` serves as a reliable reference implementation. Key files include:
   - `DWARFDie.cpp` - DIE handling and attribute access
   - `DWARFUnit.cpp` - Compilation unit parsing
   - `DWARFDebugLine.cpp` - Line number information
   - `DWARFVerifier.cpp` - Validation logic

3. **libdwarf**: The reference C implementation at github.com/davea42/libdwarf-code provides detailed handling of DWARF data structures.

# Verification Workflows
Use `llvm-dwarfdump` verification options to validate DWARF data integrity:

## Structural Validation
```bash
# Verify DWARF structure (compile units, DIE relationships, address ranges)
llvm-dwarfdump --verify <binary>

# Detailed error output with summary
llvm-dwarfdump --verify --error-display=full <binary>

# Machine-readable JSON error summary
llvm-dwarfdump --verify --verify-json=errors.json <binary>
```

## Quality Metrics
```bash
# Output debug info quality metrics as JSON
llvm-dwarfdump --statistics <binary>
```

The `--statistics` output helps compare debug info quality across compiler versions and optimization levels.

## Common Verification Patterns
- **After compilation**: Verify binaries have valid DWARF before distribution
- **Comparing builds**: Use `--statistics` to detect debug info quality regressions
- **Debugging debuggers**: Identify malformed DWARF causing debugger issues
- **DWARF tool development**: Validate parser output against known-good binaries

# Parsing DWARF Debug Information
## readelf
ELF files can be parsed via the `readelf` command ({baseDir}/reference/readelf.md). Use this for general ELF information, but prefer `dwarfdump` for DWARF-specific parsing.

## dwarfdump
DWARF files can be parsed via the `dwarfdump` command, which is more effective at parsing and displaying complex DWARF information than `readelf` and should be used for most DWARF parsing tasks ({baseDir}/reference/dwarfdump.md).

# Working With Code
This skill supports writing, modifying, and reviewing code that interacts with DWARF data. This may involve code that parses DWARF debug data from scratch or code that leverages libraries to parse and interact with DWARF data ({baseDir}/reference/coding.md).

# Choosing Your Approach
```
┌─ Need to verify DWARF data integrity?
│   └─ Use `llvm-dwarfdump --verify` (see Verification Workflows above)
├─ Need to answer questions about the DWARF standard?
│   └─ Search dwarfstd.org or reference LLVM/libdwarf source
├─ Need simple section dump or general ELF info?
│   └─ Use `readelf` ({baseDir}/reference/readelf.md)
├─ Need to parse, search, and/or dump DWARF DIE nodes?
│   └─ Use `dwarfdump` ({baseDir}/reference/dwarfdump.md)
└─ Need to write, modify, or review code that interacts with DWARF data?
    └─ Refer to the coding reference ({baseDir}/reference/coding.md)
```

Overview

This skill provides focused expertise for analyzing DWARF debug information (versions 3–5) and for writing or reviewing code that reads or generates DWARF data. It helps interpret DIEs, attributes, line tables, frame information, and address ranges. The skill is geared toward security research, vulnerability audits, and tooling that consumes DWARF.

How this skill works

The skill inspects DWARF sections in ELF binaries and guides use of command-line tools (dwarfdump, llvm-dwarfdump, readelf) and libraries (libdwarf, pyelftools, gimli). It explains DWARF constructs (CU/DIE hierarchies, attribute forms, DW_OP expressions, .debug_line, .debug_frame) and provides code patterns for parsing, validating, and generating DWARF. It also recommends verification and quality workflows using llvm-dwarfdump options.

When to use it

  • Parsing or extracting debug info from compiled binaries
  • Answering precise DWARF standard questions (v3, v4, v5)
  • Writing or reviewing code that walks DWARF DIE trees or decodes attributes
  • Verifying DWARF integrity and debugging malformed debug info
  • Comparing debug-info quality across compiler versions or build configurations

Best practices

  • Prefer llvm-dwarfdump for deep DWARF inspection and verification; use readelf only for general ELF layout
  • Validate with llvm-dwarfdump --verify and capture JSON errors for automation
  • Prefer existing libraries (libdwarf, pyelftools, gimli) over writing a parser from scratch unless needed
  • Always check unit length, abbreviation tables, and attribute forms when parsing DIEs to avoid misinterpretation
  • Use --statistics to track debug-info quality regressions across builds
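
One way to apply the unit-length and header checks from the list above, as an added example that is not part of the skill or of any library it names: a bounds-checked reader for `.debug_info` unit headers (DWARF v3 to v5, 32- and 64-bit formats). The names `parse_unit_header`, `walk_units`, `UnitHeader` and `DwarfError` are hypothetical, the sample bytes are constructed, and the extra v5 header fields of type and skeleton units are not decoded.

```python
import struct
from collections import namedtuple

# Hypothetical names for this example; not taken from pyelftools, libdwarf or gimli.
UnitHeader = namedtuple(
    "UnitHeader", "offset is_64bit version unit_type address_size abbrev_offset end")

class DwarfError(ValueError):
    """A unit header is inconsistent with the section that contains it."""

def parse_unit_header(data, offset, abbrev_size, endian="<"):
    def read(fmt, pos, limit):
        size = struct.calcsize(endian + fmt)
        if pos + size > limit:
            raise DwarfError(f"header field at {pos:#x} crosses offset {limit:#x}")
        return struct.unpack_from(endian + fmt, data, pos)[0], pos + size

    length, pos = read("I", offset, len(data))
    is_64bit = length == 0xFFFFFFFF          # escape value: 64-bit DWARF format
    if is_64bit:
        length, pos = read("Q", pos, len(data))
    elif length >= 0xFFFFFFF0:
        raise DwarfError(f"reserved unit_length {length:#x}")
    end = pos + length                       # unit_length excludes its own field
    if end > len(data):
        raise DwarfError(f"unit at {offset:#x} runs past the end of .debug_info")

    version, pos = read("H", pos, end)       # later fields must fit inside the unit
    if version not in (3, 4, 5):
        raise DwarfError(f"unsupported DWARF version {version}")
    off_fmt = "Q" if is_64bit else "I"
    unit_type = None
    if version == 5:                         # v5: unit_type, address_size, abbrev offset
        unit_type, pos = read("B", pos, end)
        address_size, pos = read("B", pos, end)
        abbrev_offset, pos = read(off_fmt, pos, end)
    else:                                    # v3/v4: abbrev offset, then address_size
        abbrev_offset, pos = read(off_fmt, pos, end)
        address_size, pos = read("B", pos, end)
    if abbrev_offset >= abbrev_size:
        raise DwarfError(f"debug_abbrev_offset {abbrev_offset:#x} outside .debug_abbrev")
    return UnitHeader(offset, is_64bit, version, unit_type, address_size, abbrev_offset, end)

def walk_units(data, abbrev_size):
    units, offset = [], 0
    while offset < len(data):
        units.append(parse_unit_header(data, offset, abbrev_size))
        offset = units[-1].end               # end > offset, so the walk terminates
    return units

# Constructed sample: a v4 unit then a v5 unit, each followed by one null DIE byte.
SAMPLE = (struct.pack("<IHIB", 8, 4, 0, 8) + b"\x00"
          + struct.pack("<IHBBI", 9, 5, 1, 8, 0) + b"\x00")
```

Reading the v5 unit with the v3/v4 field order would take the `unit_type` and `address_size` bytes as part of the abbreviation offset, which is why the version is checked before any later field is decoded.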

Example use cases

  • Audit a build to ensure debug info is present and correctly formed before distribution
  • Write a Python tool using pyelftools to extract function ranges and inlined subroutines for vulnerability traceability
  • Diagnose a debugger crash by verifying and isolating malformed DWARF sections with llvm-dwarfdump --verify
  • Compare DWARF output from two compiler versions to identify regressions in generated debug information

FAQ

Which DWARF versions does this skill cover?

It covers DWARF versions 3, 4, and 5; v1 and v2 are out of scope.

When should I use readelf vs dwarfdump?

Use readelf for general ELF section and header information; use dwarfdump or llvm-dwarfdump for detailed DWARF parsing and validation.

How do I automate DWARF validation in CI?

Run llvm-dwarfdump --verify --verify-json=errors.json and fail the build on non-empty error output; use --statistics to detect quality regressions.