Analyzing a Dump File with WinDbg (Simple Demonstration)


From: http://www.rainsts.net/article.asp?Id=765

Debugging dump files with WinDbg is a common technique. Unlike Attach Process, it lets us debug "offline". A dump file stores an image of the target process's memory and related program information at a single point in time. This article is just a simple demonstration of the debugging process. For more details, refer to the help for WinDbg and SOS.dll.

using System;
using System.Collections.Generic;
using System.Threading;

class Program
{
    // Keeps every buffer reachable, so the GC can never reclaim them.
    private List<byte[]> list = new List<byte[]>();

    // Allocates ten 10 MB arrays.
    void Test1()
    {
        for (int i = 0; i < 10; i++)
        {
            list.Add(new byte[1024 * 1024 * 10]);
        }
    }

    // Starts a thread that spins forever and burns CPU.
    void Test2()
    {
        new Thread(() =>
        {
            while (true)
            {
            }
        }).Start();
    }

    static void Main(string[] args)
    {
        var o = new Program();
        o.Test1();
        o.Test2();

        Console.WriteLine("Press any key to exit ...");
        Console.ReadKey(true);
        Environment.Exit(0);
    }
}

This test sample causes excessive CPU and memory usage, the two most common problems in day-to-day debugging work.

1. Capture the dump file

We can use the ADPlus.vbs script provided with WinDbg to complete this task.

C:\...\Windbg> adplus.vbs -hang -o z:\temp -p 6876

Attaching the debugger to: LEARN.CUI.EXE
(Process ID: 6876)

Parameter description:

  • -hang: Attaches to the target process, captures the dump image, and then detaches. Its counterpart is -crash mode, which terminates the target process.
  • -o: Specifies the path where the dump file is stored.
  • -p: Specifies the PID of the target process.

2. Use WinDbg to debug the dump file

(1) Start WinDbg and open the dump file (File -> Open Crash Dump ...).

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [Z:\Temp\...\PID-6876__LEARN.CUI.EXE__full_1e84_2008-12-19_13-01-28-781_1adc.dmp]
User Mini Dump File with Full Memory: Only application data is available

...

Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Fri Dec 19 13:01:28.000 2008 (GMT+8)
System Uptime: 0 days 1:31:57.003
Process Uptime: 0 days 0:00:21.000

......................

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1adc.1aa4): Wake debugger - code 80000007 (first/second chance not available)
eax=00000014 ebx=00000000 ecx=79153810 edx=7c92e4f4 esi=0012f274 edi=00000000
eip=7c92e4f4 esp=0012f228 ebp=0012f248 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c92e4f4 c3 ret

(2) Load SOS.dll

0:000> .load sos

(3) Don't forget that the ThreadPool may also be the root cause of high CPU usage.

0:000> !threadpool

CPU utilization 0%
Worker Thread: Total: 0 Running: 0 Idle: 0 MaxLimit: 0 MinLimit: 0
Work Request in Queue: 0
--------------------------------------
Number of Timers: 0
--------------------------------------
Completion Port Thread: Total: 0 Free: 0 MaxFree: 0 CurrentLimit: 0 MaxLimit: 1000 MinLimit: 0

"CPU utilization 0%": it seems the ThreadPool is not the problem this time.

(4) Let's see which thread is using too much CPU time.

0:000> !runaway

 User Mode Time
  Thread       Time
   3:1a1c      0 days 0:00:20.984
   2:1a30      0 days 0:00:00.000
   1:1a14      0 days 0:00:00.000
   0:1aa4      0 days 0:00:00.000

It seems that thread 3 is our target.

(5) Switch to this thread and view the call stack.

0:000> ~3s

eax=00993034 ebx=012d4e98 ecx=012d2f18 edx=012d2f18 esi=012d2f18 edi=00000000
eip=00cd0285 esp=0115f8b4 ebp=0115f8b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
00cd0285 90 nop

0:003> !clrstack

OS Thread Id: 0x1a1c (3)
ESP      EIP
0115f8b4 00cd0285 Learn.CUI.Program.<Test2>b__0()
0115f8c0 792d6cf6 System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
0115f8cc 792e019f System.Threading.ExecutionContext.Run(...)
0115f8e4 792d6c74 System.Threading.ThreadHelper.ThreadStart()
0115fb0c 79e71b4c [GCFrame: 0115fb0c]

(6) Check the IL code of "Learn.CUI.Program.<Test2>b__0".

0:003> !name2ee * Learn.CUI.Program

Module: 790c1000 (mscorlib.dll)
--------------------------------------
Module: 00992c5c (Learn.CUI.exe)
Token: 0x02000002
MethodTable: 0099304c
EEClass: 00991320
Name: Learn.CUI.Program

0:003> !dumpmt -md 0099304c

EEClass: 00991320
Module: 00992c5c
Name: Learn.CUI.Program
mdToken: 02000002 (D:\...\Learn.CUI.exe)
BaseSize: 0xc
ComponentSize: 0x0
Number of IFaces in IFaceMap: 0
Slots in VTable: 9
--------------------------------------
MethodDesc Table
   Entry MethodDesc    JIT Name
79286a70   79104934 PreJIT System.Object.ToString()
79286a90   7910493c PreJIT System.Object.Equals(System.Object)
79286b00   7910496c PreJIT System.Object.GetHashCode()
792f72f0   79104990 PreJIT System.Object.Finalize()
00cd00f8   0099302c    JIT Learn.CUI.Program..ctor()
00cd0150   00993008    JIT Learn.CUI.Program.Test1()
00cd01d8   00993014    JIT Learn.CUI.Program.Test2()
00cd0070   00993020    JIT Learn.CUI.Program.Main(System.String[])
00cd0268   00993034    JIT Learn.CUI.Program.<Test2>b__0()

0:003> !dumpmd 00993034

Method Name: Learn.CUI.Program.<Test2>b__0()
Class: 00991320
MethodTable: 0099304c
mdToken: 06000005
Module: 00992c5c
IsJitted: yes
CodeAddr: 00cd0268

0:003> !dumpil 00993034

ilAddr = 00402088
IL_0000: nop
IL_0001: br.s IL_0005
IL_0003: nop
IL_0004: nop
IL_0005: ldc.i4.1
IL_0006: stloc.0
IL_0007: br.s IL_0103

There is a problem: the IL is incomplete. This is usually caused by anonymous methods. It doesn't matter; let's continue.

(6) Export the module and use Reflector.exe to view the source code.

0:003> !dumpdomain

Domain 1: 001647b0
LowFrequencyHeap: 001647d4
HighFrequencyHeap: 00164820
StubHeap: 0016486c
Stage: OPEN
SecurityDescriptor: 001532a0
Name: Learn.CUI.exe

Assembly: 00171418 [C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]
ClassLoader: 00171488
SecurityDescriptor: 0015d288
Module Name
790c1000 C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

Assembly: 0017a788 [D:\...\Learn.CUI.exe]
ClassLoader: 0017a7f8
SecurityDescriptor: 00172458
Module Name
00992c5c D:\...\Learn.CUI.exe

0:003> !savemodule 00992c5c z:\temp\a.dll

3 sections in file
section 0 - VA=2000, VASize=af4, FileAddr=200, FileSize=c00
section 1 - VA=4000, VASize=5c0, FileAddr=e00, FileSize=600
section 2 - VA=6000, VASize=c, FileAddr=1400, FileSize=200

Open a.dll in Reflector.exe. We can now view the decompiled Learn.CUI.Program.<Test2>b__0() method.

[CompilerGenerated]
private static void <Test2>b__0()
{
    while (true)
    {
    }
}

Obviously, this is the problem.

(7) Next, we need to find the big memory consumers.

0:003> !eeheap -gc

Number of GC Heaps: 1
generation 0 starts at 0x012d2e8c
generation 1 starts at 0x012d2e80
generation 2 starts at 0x012d1000

ephemeral segment allocation context: none
 segment    begin allocated     size
012d0000 012d1000  012d8e98 0x00007e98(32408)

Large object heap starts at 0x022d1000
 segment    begin allocated     size
022d0000 022d1000  02cd3260 0x00a02260(10494560)
032d0000 032d1000  03cd1010 0x00a00010(10485776)
042d0000 042d1000  04cd1020 0x00a00020(10485792)
052d0000 052d1000  05cd1020 0x00a00020(10485792)
062d0000 062d1000  06cd1020 0x00a00020(10485792)
072d0000 072d1000  07cd1020 0x00a00020(10485792)
082d0000 082d1000  08cd1020 0x00a00020(10485792)
092d0000 092d1000  09cd1020 0x00a00020(10485792)
0a760000 0a761000  0b161020 0x00a00020(10485792)
0b760000 0b761000  0c161020 0x00a00020(10485792)
Total Size  0x640a208(104899080)

------------------------------

GC Heap Size  0x640a208(104899080)

Well, well: there is a whole crowd of big consumers sitting on the LOH playing mahjong.

(8) Identify these big consumers.

0:003> !dumpheap -min 85000 -stat

total 10 objects
Statistics:
      MT    Count    TotalSize Class Name
7933335c       10    104857760 System.Byte[]
Total 10 objects

"System.Byte[]". Hmm, let's continue.

(9) Find the memory addresses of the big consumers.

0:003> !dumpheap -type Byte[] -min 85000

Address MT Size
022d3250 7933335c 10485776
032d1000 7933335c 10485776
042d1000 7933335c 10485776
052d1000 7933335c 10485776
062d1000 7933335c 10485776
072d1000 7933335c 10485776
082d1000 7933335c 10485776
092d1000 7933335c 10485776
0a761000 7933335c 10485776
0b761000 7933335c 10485776

Total 10 objects

(10) Pick one and see who holds a reference to it.

0:003> !gcroot 022d3250

Scan Thread 0 OSTHread 1aa4
ESP:12f468:Root:012d2e2c(Learn.CUI.Program)->
012d2e38(System.Collections.Generic.List`1[[System.Byte[], mscorlib]])->
012d2ec8(System.Byte[][])->
022d3250(System.Byte[])

Scan Thread 2 OSTHread 1a30
Scan Thread 3 OSTHread 1a1c

So a "List<Byte[]>" in the Program type is holding the reference to this large object. Let's continue and inspect the Program object.

0:003> !do 012d2e2c

Name: Learn.CUI.Program
MethodTable: 0099304c
EEClass: 00991320
Size: 12(0xc) bytes

Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
00000000  4000001        4                       0 instance 012d2e38 list
79317cc4  4000002        4 ...ading.ThreadStart  0   static 012d2f18 CS$<>9__CachedAnonymousMethodDelegate1

Obviously, the problem is the list field.

(11) The remaining work is to open the .dll saved by SaveModule in Reflector.exe and view its source code. Searching for Byte[] and list will find the culprit, so there is no need to demonstrate that.

private void Test1()
{
    for (int i = 0; i < 10; i++)
    {
        this.list.Add(new byte[0xa00000]);
    }
}
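
An added example, not part of the original article: when many dumps have to be triaged, steps (4) and (7) can be run over a saved debugger log. The Python code below ranks threads from !runaway output and sums segment sizes from !eeheap -gc output; the function names and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample: saved debugger log shaped like steps (4) and (7), abridged.
SAMPLE_LOG = """\
0:000> !runaway
 User Mode Time
  Thread       Time
   3:1a1c      0 days 0:00:20.984
   2:1a30      0 days 0:00:00.000
   0:1aa4      0 days 0:00:00.000
0:003> !eeheap -gc
ephemeral segment allocation context: none
012d0000 012d1000  012d8e98 0x00007e98(32408)
Large object heap starts at 0x022d1000
022d0000 022d1000  02cd3260 0x00a02260(10494560)
032d0000 032d1000  03cd1010 0x00a00010(10485776)
"""

RUNAWAY = re.compile(r"^\s*(\d+):([0-9a-f]+)\s+(\d+) days (\d+):(\d\d):(\d\d)\.(\d{3})\s*$", re.I)
SEGMENT = re.compile(r"^\s*(?:[0-9a-f]{8,16}\s+){3}0x[0-9a-f]+\s*\((\d+)\)\s*$", re.I)

def hottest_threads(log):
    """Return (debugger thread no, OS thread id, user-mode seconds), busiest first."""
    rows = []
    for line in log.splitlines():
        m = RUNAWAY.match(line)
        if m:
            d, h, mi, s, ms = (int(x) for x in m.groups()[2:])
            rows.append((int(m.group(1)), m.group(2), ((d * 24 + h) * 60 + mi) * 60 + s + ms / 1000))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def heap_bytes(log):
    """Return (small-object bytes, large-object bytes) summed from segment rows."""
    totals = {False: 0, True: 0}
    in_loh = False
    for line in log.splitlines():
        head = line.strip().lower()
        if head.startswith("large object heap"):
            in_loh = True
        elif head.startswith("ephemeral segment"):
            in_loh = False  # a heap's small-object segments follow this line
        m = SEGMENT.match(line)
        if m:
            totals[in_loh] += int(m.group(1))
    return totals[False], totals[True]

if __name__ == "__main__":
    print("busiest thread (no, OS id, seconds):", hottest_threads(SAMPLE_LOG)[0])
    print("(SOH bytes, LOH bytes):", heap_bytes(SAMPLE_LOG))
```

The thread number returned first is the one to pass to ~Ns and !clrstack; a large-object total that dominates the heap is the cue to continue with !dumpheap -min 85000 -stat.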
