Summary of windbg usage

Source

Http://www.cnblogs.com/onlytiancai/archive/2007/12/26/1014880.html

I have been using windbg for some time. I will share some experience with you today.
[Capture dump]
1. General capture
Adplus-Hang-P 3230-Quiet: capture the 3230 PID process. The hang mode is equivalent to pausing the process and taking a memory snapshot.
Adplus-crash-PN w3wp-Quiet: capture w3wp processes in crash mode. When the process crashes, it automatically captures the memory at the time.
Adplus-Hang-IIS-Quiet: capture IIS-related processes, including Web applications on the host and IIS itself
2. Capture the window service

Http://support.microsoft.com/kb/824344/zh-cn

3. Remote capturing

Http://blog.joycode.com/tingwang/archive/2006/08/11/79763.aspx

4. Dump for blue screen capture and crash
If the computer is restarted for no reason or the blue screen will save a minidump under c: \ windows \ minidump \, there are very few available commands for this minidump, which is generally used only! Analyze-V can see which process is causing the problem, and the related driver module can basically locate the problem.
5. Capture When IIS is recycled

Http://blog.yesky.com/blog/omakey/archive/2006/12/17/1618015.html

6. scheduled task capture
For example, after a process is started, it does not know when it will crash unexpectedly. You can use crash to catch it in the scheduled task. when the process is terminated unexpectedly, CDB can directly attach it, capture the dump at that time. If you want to capture the processes that will automatically restart and the dump before each restart, refer to the section in the appendix.
Common commands]
1. First, path c: \ windows \ Microsoft. net \ framework \ v2.0.50727, put.. NET Path is set as the PATH environment variable, which can be directly stored in windbg. load SOS, instead of having. load c: \ windows \ Microsoft. net \ framework \ v2.0.50727 \ SOS. DLL
2. LD Demo: load the PDB file of your program and debug it. net programs generally need to load the symbols of Kernel32 and mscorwks. You can check the information about these two things, especially the functions of the latter.
3. Enter the following text in the file/Symbol file path dialog box of windbg to automatically load and download symbols.
C: \ windows \ symbols; D: \ Program Files \ Microsoft Visual Studio 8 \ SDK \ V2.0 \ symbols;. sympath SRV * D: \ localsymbols * http://msdl.microsoft.com/download/symbols
There are debugging symbols for Windows,. net2.0, and automatically downloaded from the Internet. Make sure to modify the directory as needed.
Debug deadlock]
1 ,! Syncblk to check which threads have obtained the lock
2 ,~ 67e! Clrstack jumps to a thread that gets the lock to see what it is doing and refuses to release the lock.
3 ,! Runaway checks how long the lock-occupying thread has been running.
4 ,~ * E! Clrstack: view the managed stacks of all threads to see which are waiting for the lock, such as the hang in system. Threading. Monitor. Enter (system. Object)
5 ,~ Select this thread for seconds, as shown below
0: 000> ~ 136 s eax = 00005763 EBX = 08deeb5c ECx =03eff0d4EdX = 5570ab69 ESI = 08deeb5c EDI = 7ffd6000 EIP = 7c95ed54 ESP = 08deeb10 EBP = 08deebb8 iopl = 0 NV up ei pl Zr na PE cs = 001b Ss = 0023 DS = 0023 es = 0023 FS = 003b GS = 0000 EFL = 00000246 NTDLL! Kifastsystemcallret:
7c95ed54 C3 RET
Find the ECX register value, copy it, CTRL + F, and search up! Syncblk:
0: 000>! Syncblk index syncblock monitorheld recursion owning thread info syncblock owner 1906 03ee4be4 5 1 03ee8f88 22c8 67 185e2ef0 system. object 5390 052ca39c 3 1 05292b30 1dd4 49 1060d3ac system. object 9372 0530702c 15 1 0012d3a8 1aa8 80 185e7704 system. object
1142803eff0d435 1 053b8fa8 169c120166acd98 system. Object 15278 0531c6b4 61 1 06bc1430 26d8 86 1a5bea88 system. Object
We can see that the lock waiting for the 136 thread is occupied by the 120 thread (the format is a bit messy, let's look at it together ),
6. Sometimes it is difficult to find the lock through the ECX register. You can use ~ * KB is used to open all the thread stacks! The synchronized fast value from syncblk searches for the approximate number of threads waiting for that lock. Because they are also waiting for locks, they can wait in different States. Some locks in Q have been upgraded, and some have tried to get the locks. Therefore, the ECX Register may not point to the memory at the time, how can I find the memory address of a lock waiting for the lock thread and the thread holding the lock that it is waiting for? I haven't figured out the rule yet, but in general, if there are other synchronization objects, it is more difficult to query .. . Net.
[Memory leakage]
1 ,! Dumpheap-stat to check which objects have the largest number and occupy the largest memory,
2. Find an object with a large number of formats, view its method table, and then use it! Dumpheap-MT 66398fa4: randomly find the addresses of several objects.
3. Use! Run the do 1e5a22bc command to view the status and attribute values of several objects.
4. Use it! Gcroot-nostacks 1e5a22bc it is not normal to check the root of several objects. If the root of some objects is not pre-designed by myself, it is likely to be strongly referenced by the objects I did not expect, therefore, GC cannot recycle it, so it will leak.
[CPU]
It mainly uses counters and! For details about the runaway command, see the following link:

Http://www.cnblogs.com/onlytiancai/archive/2007/12/archive/2007/06/03/769307.html

[Thread pool depletion]
! Threadpool can see the completion port, the thread pool worker thread and timer callback each occupy the thread pool.
[Others]
1 ,! Eestack-short-ee: it can be used to view dumpstack of all important threads (Lock obtaining, managed, stopped, and allowed to be recycled), which is almost equivalent ~ * E! Dumpstack
2. Time: You can see how long the process has been running.
3 ,! DSO can view the objects in the current thread and Analyze memory leakage issues.
4 ,! Threads can view all managed threads, including which zombie threads, background threads, blocked threads, and a thread list. The lock count, GC, and exceptions on each thread are also displayed, whether it is a thread pool thread or a completed port thread.
There are also some common commands ,! Dumpdomain ,! I will not elaborate on the name2ee and so on. For details, refer to the following SOS reference.
Http://files.cnblogs.com/onlytiancai/sos%E5%8F%82%E8%80%83.zip
[Summary]
It is recommended to use windbg for troubleshooting. net, first of all, we need to understand the basic knowledge of CLR hosts and some basics of Il, as well as simple registers and Assembly attempts, and then we have a good idea, the last step is experience and understanding of code logic.
[Appendix: A Tool for automatically capturing dump, which can be used when the program exits unexpectedly]
[Usage]
1. Run the following command in cmd to ensure that the scheduled task is on
Net start "Task Scheduler"
2. Execute the following command to schedule automatic packet capture
At 13:27 D: \ MyApp \ autodump \ processmon.exe
The Scheduled Start Time and path of the automatically captured program must be set as needed. The current user must log out before the scheduled start.
[Related configuration]

<Deleetask>
 
<Add key = "adpluspath" value = "D: \ MyApp \ debugging \ adplus. vbs"/> <! -- Adplus path -->
 
<Add key = "processname" value = "w3wp"/> <! -- The name of the dump process to be captured. Some available names are not required. -->
</Appsettings>

[Source code]

 

Using system;
Using system. Collections. Generic;
Using system. diagnostics;
Using system. Threading;

Namespace processmon
{

Class Program

{

Staticreadonly list <int>
_ Dumppids = new list <int> ();

Privatestaticreadonlystring _ processname
= System. configuration. configurationmanager. receivettings ["processname"];

Privatestaticreadonlystring _ adpluspath
= System. configuration. configurationmanager. deleetpipeline ["adpluspath"];

Staticvoid main (string [] ARGs)

{

While (true)

{
Console. writeline ("..");
Threadproc ();
Thread. Sleep (10000 );
}
}


Privatestaticvoid threadproc ()

{

Foreach (process vprocess
In process. getprocesses ())

{

Try

{


String processname
= Vprocess. processname. tolower ();

If (processname. indexof (_ processname)
> = 0)

{
Console. writeline ("{0}-{1 }",
Vprocess. processname, vprocess. ID );


If (_ dumppids. Contains (vprocess. ID ))

Continue;
_ Dumppids. Add (vprocess. ID );


Dumpprocessdeg d
= Dumpprocess;
D. begininvoke (vprocess. ID,
Null,
Null );
Dumpprocess (vprocess. ID );
}
}

Catch (exception ex)

{
Console. writeline (Ex );
}
}
}


Privatedelegatevoid dumpprocessdeg (int pid );

Staticvoid dumpprocess (int pid)

{
Processstartinfo info
= New system. Diagnostics. processstartinfo ();
Info. filename
= _ Adpluspath;
Info. Arguments
= String. Format ("-crash-P {0}-quiet", pid );
Info. workingdirectory
= "C :\\";
Process proc;

Try

{
Proc
= Process. Start (Info );
}

Catch (system. componentmodel. win32exception E)

{
Console. writeline ("the specified program file cannot be found. \ R {0 }",
E );

Return;
}
Proc. enableraisingevents
= True;
Console. writeline ("Start Time of external program execution: {0 }",
Proc. starttime );
Proc. waitforexit (60000 );

If (Proc. hasexited
= False ){
Console. writeline ("the main program forcibly terminates the running of the external program! ");
Proc. Kill ();
}

Else {
Console. writeline ("the external program Exits normally! ");
}
Console. writeline ("external program end running time: {0 }",
Proc. exittime );
Console. writeline ("returned value when an external program stops running: {0 }",
Proc. exitcode );
}
}
}