Summary of methods for obtaining a dump file on Windows and the call stack of each thread in a process

Source: Internet
Author: User
Tags dotnet

1. Purpose of dump files

A dump file is mainly used to diagnose the running state of a process, especially when it crashes or hangs and stops responding and you need to analyze what it was doing. Besides the usual approach of attaching a debugger to the live process, analyzing a dump file has become an important technique.

Software maintenance and support engineers will know this from experience: one day the customer reports that the server process has hung and asks what is going on. You look at the log files and find nothing useful, so technical support asks the customer to follow a few steps to generate a dump file for analysis.

2. How to generate a dump file and get the call stack

How the dump file is generated depends on the state of the process. There are two cases:

1) The process has not crashed and is still running. How do you capture a dump file without terminating the process? Debugging Tools for Windows provides a very good tool for this, ADPlus.vbs. As the name shows, it is a VB script, a wrapper script around the CDB debugger.
It is located in the Debugging Tools for Windows installation path, and it is simple to use:

    adplus.vbs -hang -p 1234 -o d:/dump

Here -hang selects hang mode: ADPlus attaches to the running process, captures a snapshot dump file, and detaches when it is done.
The ProcDump command from Sysinternals can also capture a dump file of a running process, for example:
    procdump -s 20 -n 1 OBMO.exe c:\OBMO.dmp
    procdump -s 20 -n 1 AMPService.exe c:\AMPService.dmp
    procdump -s 20 -n 1 OBServiceManager.exe c:\OBServiceManager.dmp
    procdump -s 20 -n 1 MlSrvWrapper.exe c:\MlSrvWrapper.dmp
    procdump -s 20 -n 1 AdminWebServices.exe c:\AdminWebServices.dmp


2) The process crashes soon after it starts, and you need a dump file from the moment of the crash. This corresponds to -crash (crash mode): you start ADPlus, it monitors the program, and it generates a dump file automatically when the process crashes on an exception, or when you press Ctrl-C to request a capture. However, when -crash mode finishes, the monitored process must be terminated, so only -hang mode is used here.
-p is the ID of the process to debug, and -o specifies the output path for the dump file. There is also a userdump tool similar to ADPlus, but it captures user mode only, whereas ADPlus covers both kernel mode and user mode.

The Dr. Watson tool can also create a dump file automatically when a process crashes.

"Capturing dumps"

1. General capture methods
    adplus -hang -p 3230 -quiet
Captures the process with PID 3230 in hang mode, which is equivalent to pausing the process and taking a memory snapshot.
    adplus -crash -pn w3wp -quiet
Captures the w3wp process in crash mode; memory is captured automatically when the process crashes and ends.
    adplus -hang -iis -quiet
Captures the IIS-related processes, including the web apps on the host and IIS itself.
2. Capturing a Windows service
http://support.microsoft.com/kb/824344/zh-cn
3. Remote capture
http://blog.joycode.com/tingwang/archive/2006/08/11/79763.aspx
4. Capturing blue-screen and crash dumps
When the computer restarts for no apparent reason or blue-screens, a minidump is saved under C:\WINDOWS\Minidump\. Very few commands are available on such a minidump; generally you only run !analyze -v to see which process caused it, and if a driver module is involved you can basically locate the problem.
5. Capturing when IIS recycles
HTTP://BLOG.YESKY.COM/BLOG/OMAKEY/ARCHIVE/2006/12/17/1618015.HTML
6. Capturing from a scheduled task
If a process is running and you do not know when it will crash unexpectedly, you can run crash mode from a scheduled task, so that when the process terminates unexpectedly CDB is already attached and captures the dump. If you want to capture a process that restarts automatically and get a dump before each restart, refer to the section in the Appendix.

3. How to analyze dump files

"Common Commands"

1. First add the .NET path, C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727, to the PATH environment variable. After that you can simply run .load sos in WinDbg instead of .load C:\Windows\Microsoft.NET\Framework\v2.0.50727\sos.dll
2. ld demo loads the PDB file of your program. Debugging .NET programs also requires loading the kernel32 and mscorwks symbols. It is worth reading up on these two modules, especially on the functions the latter provides.
3. Enter the following text in WinDbg's File / Symbol File Path dialog box to load and download symbols automatically (the same string can be set from the command window with .sympath):
C:\windows\symbols;d:\Program Files\Microsoft Visual Studio 8\sdk\v2.0\symbols;SRV*d:\localsymbols*http://msdl.microsoft.com/download/symbols
This covers the debugging symbols for Windows and .NET 2.0 plus automatic download from the web. Adjust the directories to match your own system.

"Debug Deadlock"
1. !syncblk: see which threads hold locks.
2. ~67e!clrstack: switch to a thread that holds a lock and see what operation it is performing that delays releasing the lock.
3. !runaway: see how long the thread that owns the lock has been running.
4. ~*e!clrstack: view the managed stacks of all threads and see which ones are waiting for locks, for example hung in System.Threading.Monitor.Enter(System.Object).
5. ~136s: select that thread. The output looks like this:

    0:000> ~136s
    eax=00005763 ebx=08deeb5c ecx=03eff0d4 edx=5570ab69 esi=08deeb5c edi=7ffd6000
    eip=7c95ed54 esp=08deeb10 ebp=08deebb8 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    ntdll!KiFastSystemCallRet:
    7c95ed54 c3 ret

Find the value of the ecx register, copy it, press Ctrl+F and search upward. You will find it in the !syncblk output, as follows:

    0:000> !syncblk
    Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner
    1906 03ee4be4 5 1 03ee8f88 22c 8 185E2EF0 System.Object
    5390 052ca39c 3 1 05292b30 1dd4 1060d3ac System.Object
    9372 0530702c 1 0012d3a8 1aa8 80 185e7704 System.Object
    11428 03eff0d4 1 053b8fa8 169c 86 166acd98 System.Object
    15278 0531c6b4 1 06bc1430 26d8 1 A5bea88 System.Object

You can see that the lock thread 136 is waiting for is held by thread 120 (the formatting is a bit messy; make do with it).
6. Sometimes finding the lock through the ecx register is not very reliable. In that case use ~* kb to print the stacks of all threads, then search them for the sync block values reported by !syncblk to see roughly how many threads are waiting on that lock. Threads waiting for the same lock can be in different wait states: some are queued, some locks have been upgraded, and some threads are still trying to acquire the lock, so ecx does not necessarily point to that block of memory at that moment. I have not yet worked out a rule for finding the memory address of the lock a waiting thread is waiting on, or which thread holds that lock. In general, when other synchronization objects are involved it is harder to check, but lock problems in .NET can be found with the steps above.
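
The lookup in steps 1 to 6, automated as an added example (not code from the original article): it parses !syncblk output, maps each waiting thread's ecx value to a sync block, and follows waiter-to-owner links until it finds a cycle. The sample output, addresses and thread numbers are constructed, and the script relies on the article's assumption that ecx holds the SyncBlock address.

```python
import re

# Constructed !syncblk output (not taken from the article). Columns: Index,
# SyncBlock, MonitorHeld, Recursion, owning Thread object, OS thread id,
# debugger thread number, owner object address, owner type.
SYNCBLK = """\
Index SyncBlock MonitorHeld Recursion Owning Thread Info  SyncBlock Owner
  101 0a11b0c0            5         1 0b22c100   22c  12   1c33d0a0 System.Object
  202 0a11b1d4            3         1 0b22c200  169c  27   1c33d1b4 System.Object
  303 0a11b2e8            3         1 0b22c300  26d8  41   1c33d2c8 System.Object
"""

# Constructed: debugger thread number -> ecx value seen after "~<n>s" for
# threads whose managed stack is stuck in Monitor.Enter.
WAITING_ECX = {41: "0a11b1d4", 27: "0a11b0c0", 12: "0a11b2e8", 5: "0a11b0c0"}

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{8})\s+(\d+)\s+(\d+)\s+([0-9a-f]{8})"
                 r"\s+([0-9a-f]+)\s+(\d+)\s+([0-9a-f]{8})\s+(\S+)", re.I)

def parse_syncblk(text):
    """Return {syncblock address: {"owner": thread number, "waiters": count}}."""
    locks = {}
    for line in text.splitlines():
        m = ROW.match(line)   # header and unowned rows do not match
        if m:
            held = int(m.group(3))
            # MonitorHeld is 1 for the owner plus 2 for every waiting thread.
            locks[m.group(2).lower()] = {"owner": int(m.group(7)),
                                         "waiters": (held - 1) // 2}
    return locks

def wait_chain(thread, locks, waiting_ecx):
    """Follow waiter -> owner links; return (chain, True if it loops)."""
    chain = [thread]
    while chain[-1] in waiting_ecx:
        lock = locks.get(waiting_ecx[chain[-1]].lower())
        if lock is None:      # ecx did not point at a known sync block
            break
        if lock["owner"] in chain:
            return chain + [lock["owner"]], True
        chain.append(lock["owner"])
    return chain, False

if __name__ == "__main__":
    locks = parse_syncblk(SYNCBLK)
    for t in sorted(WAITING_ECX):
        chain, looped = wait_chain(t, locks, WAITING_ECX)
        print(" -> ".join(map(str, chain)), "DEADLOCK" if looped else "")
```

A chain that ends without looping points at a thread that holds a lock but is not itself waiting, which is the one to inspect with !clrstack and !runaway.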

For more detailed information, refer to this article: http://www.cppblog.com/tgh621/archive/2010/10/27/131525.html

4. Getting the call stack

Several tools can be used here:
1. The StraceNT trace tool

StraceNT - A System Call Tracer for Windows

http://www.intellectualheaven.com/default.asp?BH=projects&H=strace.htm

2. Procexp.exe can also show the call stack information of a process directly. If the symbols are reasonably complete, the call stack is very clear.
3. MSE (Managed Stack Explorer)
This tool is very useful for .NET processes: http://mse.codeplex.com/. It shows the managed stack details of a .NET process directly.

Those are basically the tools available; the actual analysis depends on how you use them.
