Use WinDbg to analyze the dump of a .NET program

Source: Internet
Author: User

Introduction

1. What is WinDbg
  • WinDbg is a very good source-level debugging tool released by Microsoft. It can be used for kernel-mode and user-mode debugging, as well as for debugging dump files.
  • WinDbg is an important diagnostic and debugging tool from Microsoft: you can view source code, set breakpoints, and inspect variables, call stacks, and memory.
  • A dump file is a memory image of a process; a debugger can save it to a file while the program is running.

2. WinDbg can help solve the following problems

High memory usage
High CPU usage
Program exceptions
Program hangs

3. Two ways to debug and analyze using WinDbg
    • Attach the WinDbg debugger to the process that needs to be debugged. (The process is paused while the debugger is attached.)
    • Capture a dump file of the process and analyze the dump with WinDbg.
I. Preparation

1. Download

Website address: https://developer.microsoft.com/zh-cn/windows/hardware/windows-driver-kit
Select the appropriate toolkit to download.

2. Installation
    1. After downloading, run the installer. You can choose which tools to install; selecting only WinDbg is enough. After installation, run the 32-bit or 64-bit program from the Debuggers folder.

    2. After opening WinDbg, set the symbol path (shortcut key Ctrl+S). Paste in the following path and save. WinDbg then downloads the required symbols automatically when it analyzes a dump or performs other operations.
      SRV*c:\symcache*http://msdl.microsoft.com/download/symbols;c:\symcache;

3. Capture a dump

1. Using ProcDump

Download: https://technet.microsoft.com/en-us/sysinternals/dd996900

The download is a compressed package; unzip it. Then generate a dump file from the command line. The following is an example command:

procdump -ma -c 0 -s 3 -n 2 sqlservr.exe -o E:\dumps\

This command means: when the CPU usage of the sqlservr.exe process exceeds 0% for more than 3 seconds, generate a dump file under E:\dumps, and continue until 2 dump files have been generated. The options are described below:

    • -ma: generate a full dump, which includes all the memory of the process. The default dump format includes only thread and handle information.
    • -c: generate a dump file when CPU usage reaches this threshold.
    • -s: the number of seconds the CPU threshold must be sustained before the dump file is captured.
    • -n: the number of dump files to capture before the tool exits.
    • -o: the directory in which to save the dump files.
    • sqlservr.exe can be replaced with the ID of the process.

To run the example, open CMD with Administrator privileges (required for SQL Server and similar processes).

2. Using Task Manager

In Task Manager, right-click the process and choose to create a dump file. The system captures and saves the dump automatically; when it finishes, a dialog shows the path where the file was saved.

II. Analysis

1. Opening the dump file

From the WinDbg menu, choose File -> Open Crash Dump and select the dump file to open.

2. Commands

1. Basic commands
    • ?: display command help
    • d: view memory contents
    • k: display the call stack
    • ~: display and control threads. ~<number>s switches to a thread, where number is the thread number; for example, ~1s switches to the context of thread 1
    • q: exit
    • !runaway: view the CPU time consumed by threads, so you can see which thread has used the most time (all threads)
    • .dump /ma e:/dumps/myapp.dmp: capture a dump
2. Meta-commands
    • .help: display command help
    • .cls: clear the screen
    • .ttime: view the CPU time consumed by a thread (current thread)
3. Extension commands
    • .chain: list the extension command sets, that is, the extension DLLs that have already been loaded
    • .load / .unload: load / unload an extension command module
    • !<module name>.help: view the extension commands included in an extension library
4. .NET program-related commands

Basic
    • !peb or !dlls: list the DLLs that the process has loaded
    • !threadpool: view the current CPU, number of threads, etc.
    • !dumpheap -stat: heap statistics
    • !threads: all managed threads; -special: threads created by the CLR
    • !clrstack: view the managed call stack of the current thread
    • !clrstack -p: also show method parameters (Addr: the address of the specific parameter value)
    • !do <<address>>: view the parameter value at that address
    • !analyze -v: show detailed analysis information
    • .reload /i /f: force the PDBs to reload
Memory debugging
    • !eeheap -gc: memory information for the GC heap
    • !eeheap -loader: loader heap information
    • !dumpheap -stat: statistics for the GC heap, covering the surviving objects on the GC heap
    • !dumpheap -mt <<address>>: view the objects at this address
    • !gcroot <<object address>>: view the roots of the object
    • !dumpheap -type <<System.String>>: view information about String objects on the heap
    • !help gcroot: view help for gcroot

When analyzing a .NET program, first load the SOS.dll that corresponds to the version of the .NET Framework the program runs on:

.load C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll

These are only some of the more commonly used commands; to learn more, see the official documentation.

3. High memory usage example

"Code that reads a file"

"Capture a dump file while the code is running, open it, and load SOS.dll"

"Run !dumpheap -stat to get the address with the highest memory usage"

"Run !gcroot on that address to get the calling function"

Finally, we found the call entry point responsible for the high memory usage!
Of course, if the high-memory object on the GC heap is a custom class, you can look directly at the relevant calling function to analyze the possible problems.
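
The triage step in the example above (reading the !dumpheap -stat table to decide which type to follow up with !dumpheap -mt and !gcroot) can be scripted over a saved debugger log. The following Python is an added example, not code from the original article; the sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `!dumpheap -stat` output; addresses and sizes are made up.
SAMPLE = """\
0:000> !dumpheap -stat
Statistics:
              MT    Count    TotalSize Class Name
00007ffb5a1c2d38        1           24 System.Collections.Generic.List`1[[System.String, mscorlib]]
00007ffb5a1b6948      312        19968 System.Char[]
000001d2f3a41c20      148       401256      Free
00007ffb5a1b5dd8     2210       176800 System.Object[]
00007ffb5a1b59c0   905113    312450118 System.String
Total 907784 objects
"""

# MT (hex), Count, TotalSize, then the class name, which may contain spaces.
ROW = re.compile(r"^\s*([0-9a-fA-F]{8,16})\s+([\d,]+)\s+([\d,]+)\s+(.+?)\s*$")


def parse_dumpheap_stat(text):
    """Return one dict per type row between the column header and 'Total'."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.split()[:2] == ["MT", "Count"]:
            in_table = True
        elif in_table and line.lstrip().startswith("Total "):
            break
        elif in_table and (m := ROW.match(line)):
            mt, count, size, name = m.groups()
            rows.append({"mt": mt.lower(), "type": name,
                         "count": int(count.replace(",", "")),
                         "total_size": int(size.replace(",", ""))})
    return rows


def top_consumers(text, n=3, include_free=False):
    """Largest types by TotalSize; 'Free' rows are unused heap space, not objects."""
    rows = [r for r in parse_dumpheap_stat(text)
            if include_free or r["type"] != "Free"]
    return sorted(rows, key=lambda r: r["total_size"], reverse=True)[:n]


def next_commands(text, n=3):
    """WinDbg commands that list the instances of each top type by its MT."""
    return [f"!dumpheap -mt {r['mt']}" for r in top_consumers(text, n)]


if __name__ == "__main__":
    for r in top_consumers(SAMPLE):
        print(f"{r['total_size']:>12} {r['count']:>8} {r['mt']} {r['type']}")
    print("\n".join(next_commands(SAMPLE)))
```

An object address taken from the resulting !dumpheap -mt listing is what !gcroot expects in the last step of the example.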
