Windbg dump method

How to manually capture dump files
When performing fault diagnosis in a production environment, you can analyze and debug processes of running services or applications in order not to terminate running services or applications.

The first intuitive and concise method is to use a debugger such as windbg to attach the process to be debugged, and then detach the process. However, the disadvantage of this method is that the debugger command must first break the process. After the DEBUG command is executed, the F5 command must be executed to continue running, because it means that the entire process has been suspended by you when you break it. In addition, it is often because of first chance excetpion and automatic break. You must always pay attention to avoiding the entire process of break for a long time. Therefore, such debugging method is a great test of time, and there is usually no time for careful analysis.

Another method is to capture a dump file by capturing the snapshot of the service process in abnormal situations, such as the CPU duration of 100% for a long time and the memory usage suddenly spikes, after dump is complete, deatch the process to continue running. Then, use tools such as windbg to analyze the dump file captured.

So how can we capture dump files without terminating the process? Debugging tools for Windows provides an excellent tool, adplus. vbs. It can be seen from the name that it is actually a VB script, just a packaging script for the CDB debugger.

The path is the same as the installation path of debugging tools for Windows. The method is as follows:

Adplus. vbs-Hang-P 1234-o d:/dump

-Hang indicates that the Hang mode is used, that is, when the process is running, append snapshot to capture a dump file, and then detach it. The corresponding mode is-crash mode. The user starts adplus first and then starts the program to be monitored. The dump file is automatically generated when an exception crashes, or use ctrl-C to manually issue a capture command. However, after the-crash mode is captured, the monitored process must be terminated. Therefore, we only use the-Hang mode here.

-P is the ID of the project to be created. For example, for asp.netapplication thread pool, download w3wp.exe in win2003.

-O specifies the dump file path for output.

In addition, similar to adplus, there is a userdump tool that captures user-mode processes, while adplus supports both kernel mode and user mode.

In general, dr. Waston will capture the dump file automatically after the process crashes. It can be used by the windbg and other debuggers to analyze the state of the program crash afterwards.

================================
0: 000>! Dumpheap-stat
No export dumpheap found
====== Solution:
. Load clr20/SOS. dll, which must be executed first. SOS. dll is under the default C:/Windows/microsoft.net/framework/v2.....you copy to the clr20 directory under c:/program files/debugging tools for Windows (clr20 is manually created by you)
======================================

When developing in. net, the most basic debugging method is to use Visual Studio single-step debugging. However, in some special cases, especially when the CLR is involved, this method cannot be used.
You can use either of the following methods to view the memory usage, il code, and CLR information during running:
1. Use vs2005 + SOS. dll
2. Use windbg + SOS. dll
The second method is more powerful. Next I will show you how to use this method to obtain the value inside the arraylist during running.
Some may say: Is it faster for me to directly use Visual Studio for single-step debugging? Of course, this is just a demonstration. This demonstration will lay the foundation for future advanced debugging.

Before performing this operation, familiarize yourself with the basic knowledge:
A. Use vs2005 + SOS. DLL for debugging
1. You need to enable unmanaged code debugging in the project> Properties> debugging>
2. Open the debugging-> window-> instant
3. enter it in the real-time window! Load SOS load debugging Module
4. Input other debugging statements

B. Use windbg + SOS. dll
1. download the latest windbg from Microsoft website
2. Open windbg and enter SRV * C:/Symbols * http://msdl.microsoft.com/download/symbols in the file-> symbol file path... window
3. Run the program to be debugged and select the program you just run in file-> attach to process in windbg.
4. In the displayed command window, you can enter debugging statements.
5. common debugging statements:
Lm // view the loaded modules
. Load C:/Windows/Microsoft. NET/framework/v2.0.50727/SOS. dll // load the debugging Module
LD testclass // load the debugging symbol
! Name2ee testclass.exe testclass. program. Test // display the address related to the test method
! Dumpmt-MD 00976d48 // obtain the member function details of the class.
! Dumpil 00973028 // display the Il code after this method is compiled by the compiler
! Dumpheap-stat // This command displays the statistics of all objects in the program. The displayed size is the size of the object itself, excluding the nominal value of the object.
! Dumpheap-MT 790fcb30 // This command displays detailed information about methodtable 790fcb30
! Gcroot 012919b8 // to display the relationship of an instance
! Dumpobj (DO) 012a3904 // display the specific content of an object to see what is in the object and what is the value
! Objsize 012a1ba4 // actual size of the object in the memory
! Eeheap-GC // view the managed heap (including the size)
! Dumparray // view the array information
Next let's take a look at the specific debugging steps:
1. Our test code


Namespace testclass
{
Class Program
{
[Stathread]
Static void main (string [] ARGs)
{
Arraylist list = new arraylist ();
List. Add ("aaaa ");
List. Add ("BBBB ");
Console. Readline ();
}
}
} It is very simple. It is an arraylist.

Run this program (start execution, do not Debug), then enter windbg, attach to this process

2. View All stack information
0: 004>! Dumpheap-stat
Mt count totalsize Class Name
7910062c 1 12 system. Security. permissions. securitypermission
7918e284 1 16 system. Io. textreader + synctextreader
79102d10 1 20 Microsoft. win32.safehandles. safefilemappinghandle
79102cb4 1 20 Microsoft. win32.safehandles. safeviewoffilehandle
79101d30 1 20 system. Text. internalencoderbestfitfallback
79100a7c 1 20 Microsoft. win32.safehandles. safefilehandle
79105cd4 1 24 system. Collections. arraylist
......
7912ad90 11 9036 system. object []
790fcb30 2083 131492 system. String
Total 2202 objects
In addition to our arraylist, there is a lot of other system information, you don't need to worry about it

3. view the arraylist information.
0: 004>! Dumpheap-MT 79105cd4
Address Mt size
012a1b88 79105cd4 24
Total 1 objects
Statistics:
Mt count totalsize Class Name
79105cd4 1 24 system. Collections. arraylist
Total 1 objects

4. view the actual internal values of the corresponding address
0: 004>! Do 012a1b88
Name: system. Collections. arraylist
Methodtable: 79105cd4
Eeclass: 79105c28
Size: 24 (0x18) bytes
(C:/Windows/ASSEMBLY/gac_32/mscorlib/2.0.0.0 _ b77a5c561934e089/mscorlib. dll)
Fields:
MT field offset type vt attr Value Name
7912ad90 40008df 4 system. object [] 0 instance 012a1bb0 _ items
791018e0 40008e0 C system. int32 1 instance 2 _ size
791018e0 40008e1 10 system. int32 1 instance 2 _ version
790fc35c 40008e2 8 system. Object 0 instance 00000000 _ syncroot
7912ad90 40008e3 1c0 system. object [] 0 shared static emptyarray
> Domain: Value 00149c58: 012a1ba0 <
The size of arraylist is 2. The specific value is saved in address 012a1bb0, which is an array of the system. object [] type.

5. View array information
0: 004>! Dumparray 012a1bb0
Name: system. object []
Methodtable: 7912ad90
Eeclass: 7912b304
Size: 32 (0x20) bytes
Array: Rank 1, number of elements 4, type class
Element methodtable: 790fc35c
[0] 012a1b50
[1] 012a1b6c
[2] Null
[3] Null

6. view the values of objects in the array
0: 004>! Do 012a1b50
Name: system. String
Methodtable: 790fcb30
Eeclass: 790fca90
Size: 26 (0x1a) bytes
(C:/Windows/ASSEMBLY/gac_32/mscorlib/2.0.0.0 _ b77a5c561934e089/mscorlib. dll)
String: AAAA
Fields:
MT field offset type vt attr Value Name
791018e0 4000096 4 system. int32 1 instance 5 m_arraylength
791018e0 4000097 8 system. int32 1 instance 4 m_stringlength
790fe534 4000098 C system. Char 1 instance 61 m_firstchar
790fcb30 4000099 10 system. String 0 shared static empty
> Domain: Value 00149c58: 790d81bc <
7912b1d8 400009a 14 system. Char [] 0 shared static whitespacechars
> Domain: Value 00149c58: 012a16f0 <
================================

Summary of windbg usage
[Capture dump]
1. General capture
Adplus-Hang-P 3230-Quiet: capture the 3230 PID process. The hang mode is equivalent to pausing the process and taking a memory snapshot.
Adplus-crash-PN w3wp-Quiet: capture w3wp processes in crash mode. When the process crashes, it automatically captures the memory at the time.
Adplus-Hang-IIS-Quiet: capture IIS-related processes, including Web applications on the host and IIS itself
2. Capture the window service
Http://support.microsoft.com/kb/824344/zh-cn
3. Remote capturing
Http://blog.joycode.com/tingwang/archive/2006/08/11/79763.aspx
4. Dump for blue screen capture and crash
If the computer is restarted for no reason or the blue screen will save a minidump under C:/Windows/minidump/, but this minidump has very few available commands and is generally used only! Analyze-V can see which process is causing the problem, and the related driver module can basically locate the problem.
5. Capture When IIS is recycled
Http://blog.yesky.com/blog/omakey/archive/2006/12/17/1618015.html
6. scheduled task capture
For example, after a process is started, it does not know when it will crash unexpectedly. You can use crash to catch it in the scheduled task. when the process is terminated unexpectedly, CDB can directly attach it, capture the dump at that time. If you want to capture the processes that will automatically restart and the dump before each restart, refer to the section in the appendix.

Common commands]
1. First, path C:/Windows/Microsoft. net/framework/v2.0.50727, put.. NET Path is set as the PATH environment variable, which can be directly stored in windbg. load SOS, instead of having. load C:/Windows/Microsoft. net/framework/v2.0.50727/SOS. DLL
2. LD Demo: load the PDB file of your program and debug it. net programs generally need to load the symbols of Kernel32 and mscorwks. You can check the information about these two things, especially the functions of the latter.
3. Enter the following text in the file/Symbol file path dialog box of windbg to automatically load and download symbols.
C:/Windows/symbols; D:/program files/Microsoft Visual Studio 8/SDK/V2.0/symbols;. sympath SRV * D:/localsymbols * http://msdl.microsoft.com/download/symbols
There are debugging symbols for Windows,. net2.0, and automatically downloaded from the Internet. Make sure to modify the directory as needed.

Debug deadlock]
1 ,! Syncblk to check which threads have obtained the lock
2 ,~ 67e! Clrstack jumps to a thread that gets the lock to see what it is doing and refuses to release the lock.
3 ,! Runaway checks how long the lock-occupying thread has been running.
4 ,~ * E! Clrstack: view the managed stacks of all threads to see which are waiting for the lock, such as the hang in system. Threading. Monitor. Enter (system. Object)
5 ,~ Select this thread for seconds, as shown below
0: 000> ~ 136 s eax = 00005763 EBX = 08deeb5c ECx = 03eff0d4 edX = 5570ab69 ESI = 08deeb5c EDI = 7ffd6000 EIP = 109esp = 08deeb10 EBP = 08deebb8 iopl = 0 NV up ei pl Zr na PE NC cs = 001b Ss = 0023 DS = 0023 es = 0023 FS = 003b GS = 0000 EFL = 00000246 NTDLL! Kifastsystemcallret: 7c95ed54 C3 RET
Find the ECX register value, copy it, CTRL + F, and search up! Syncblk:
0: 000>! Syncblk index syncblock monitorheld recursion owning thread info syncblock owner 1906 03ee4be4 5 1 03ee8f88 22c8 67 185e2ef0 system. object 5390 052ca39c 3 1 05292b30 1dd4 49 1060d3ac system. object 9372 0530702c 15 1 0012d3a8 1aa8 80 185e7704 system. object 11428 03eff0d4 35 1 053b8fa8 169c 120 166acd98 system. object 15278 0531c6b4 61 1 06bc1430 26d8 86 1a5bea88 system. object
We can see that the lock waiting for the 136 thread is occupied by the 120 thread (the format is a bit messy, let's look at it together ),
6. Sometimes it is difficult to find the lock through the ECX register. You can use ~ * KB is used to open all the thread stacks! The synchronized fast value from syncblk searches for the approximate number of threads waiting for that lock. Because they are also waiting for locks, they can wait in different States. Some locks in Q have been upgraded, and some have tried to get the locks. Therefore, the ECX Register may not point to the memory at the time, how can I find the memory address of a lock waiting for the lock thread and the thread holding the lock that it is waiting for? I haven't figured out the rule yet, but in general, if there are other synchronization objects, it is more difficult to query .. . Net.

[Memory leakage]
1 ,! Dumpheap-stat to check which objects have the largest number and occupy the largest memory,
2. Find an object with a large number of formats, view its method table, and then use it! Dumpheap-MT 66398fa4: randomly find the addresses of several objects.
3. Use! Run the do 1e5a22bc command to view the status and attribute values of several objects.
4. Use it! Gcroot-nostacks 1e5a22bc it is not normal to check the root of several objects. If the root of some objects is not pre-designed by myself, it is likely to be strongly referenced by the objects I did not expect, therefore, GC cannot recycle it, so it will leak.
[CPU]
It mainly uses counters and! For details about the runaway command, see the following link:
Http://www.cnblogs.com/onlytianc... 7/06/03/769307 .html
[Thread pool depletion]
! Threadpool can see the completion port, the thread pool worker thread and timer callback each occupy the thread pool.
[Others]
1 ,! Eestack-short-ee: it can be used to view dumpstack of all important threads (Lock obtaining, managed, stopped, and allowed to be recycled), which is almost equivalent ~ * E! Dumpstack
2. Time: You can see how long the process has been running.
3 ,! DSO can view the objects in the current thread and Analyze memory leakage issues.
[Summary]
It is recommended to use windbg for troubleshooting. net, first of all, we need to understand the basic knowledge of CLR hosts and some basics of Il, as well as simple registers and Assembly attempts, and then we have a good idea, the last step is experience and understanding of code logic.

[Appendix: A Tool for automatically capturing dump, which can be used when the program exits unexpectedly]
[Usage]
1. Run the following command in cmd to ensure that the scheduled task is on
Net start "Task Scheduler"
2. Execute the following command to schedule automatic packet capture
At 13:27 D:/MyApp/autodump/processmon.exe
The Scheduled Start Time and path of the automatically captured program must be set as needed. The current user must log out before the scheduled start.
[Related configuration]
<Deleetask>
<Add key = "adpluspath" value = "D:/MyApp/debugging/adplus. vbs"/> <! -- Adplus path -->
<Add key = "processname" value = "w3wp"/> <! -- The name of the dump process to be captured. Some available names are not required. -->
</Appsettings>

[Source code]

Using system;
Using system. Collections. Generic;
Using system. diagnostics;
Using system. Threading;

Namespace processmon
{
Class Program
{
Static readonly list <int> _ dumppids = new list <int> ();
Private Static readonly string _ processname = system. configuration. configurationmanager. deleettings ["processname"];
Private Static readonly string _ adpluspath = system. configuration. configurationmanager. deleetpipeline ["adpluspath"];
Static void main (string [] ARGs)
{
While (true)
{
Console. writeline ("..");
Threadproc ();
Thread. Sleep (10000 );
}
}

Private Static void threadproc ()
{
Foreach (process vprocess in process. getprocesses ())
{
Try
{
String processname = vprocess. processname. tolower ();
If (processname. indexof (_ processname)> = 0)
{
Console. writeline ("{0}-{1}", vprocess. processname, vprocess. ID );

If (_ dumppids. Contains (vprocess. ID ))
Continue;
_ Dumppids. Add (vprocess. ID );

Dumpprocessdeg d = dumpprocess;
D. begininvoke (vprocess. ID, null, null );
Dumpprocess (vprocess. ID );
}
}
Catch (exception ex)
{
Console. writeline (Ex );
}
}
}

Private delegate void dumpprocessdeg (int pid );
Static void dumpprocess (int pid)
{
Processstartinfo info = new system. Diagnostics. processstartinfo ();
Info. filename = _ adpluspath;
Info. Arguments = string. Format ("-crash-P {0}-quiet", pid );
Info. workingdirectory = "C ://";
Process proc;
Try
{
Proc = process. Start (Info );
}
Catch (system. componentmodel. win32exception E)
{
Console. writeline ("the specified program file cannot be found. /R {0} ", e );
Return;
}
Proc. enableraisingevents = true;
Console. writeline ("Start Time of the external program: {0}", Proc. starttime );
Proc. waitforexit (60000 );
If (Proc. hasexited = false ){
Console. writeline ("the main program forcibly terminates the running of the external program! ");
Proc. Kill ();
}
Else {
Console. writeline ("the external program Exits normally! ");
}
Console. writeline ("external program end running time: {0}", Proc. exittime );
Console. writeline ("returned value of an external program when it stops running: {0}", Proc. exitcode );
}
}
}

====================
Add several commands:

1 ,! Analyze-V: used to analyze detailed conditions and error causes of thread disconnection. 2 ,! Locks: lists the usage of all resources. 3 ,! Locks-V 0x ???????? : Deadlock Analysis for specific addresses. 4 ,! Thread 0x ???????? : Details of a specific thread. 5.. Thread 0x ???????? : To a thread stack.