1. Introduction of the article
1.1 Download and install
1.2 Debugger
1.3 Operator Interface
2. Command Chapter
2.1 Breakdown by Source
2.1.1 Basic commands
2.1.2 Meta-commands
2.1.3 Extension Commands
2.2 Breakdown by function
2.2.1 System Information
2.2.2 Process
2.2.3 Module
2.2.4 Symbol
2.2.5 Threads
2.2.6 Memory
2.2.7 Events
3. Explore the article
3.1 Method Inline
3.2 String Resident Pool
1. Introduction of the article
So-called technology sharing is, in fact, a process of self-summary, mutual learning, and growth.
Since the original article http://www.cnblogs.com/LoveOfPrince/p/6032523.html "Memory leak Dump analysis" was reposted without any indication of the source, all the pictures here are marked; sorry about that.
1.1 Download and install
WinDbg is a free and powerful debugging tool released by Microsoft. To install it, download the Microsoft Windows SDK from the official website and choose to install "Debugging Tools for Windows".
1.2 Debugger
There are four debugger programs in the installation directory.
CDB.exe and Ntsd.exe only support user-mode debugging; Kd.exe is used primarily for kernel debugging and sometimes for user mode. These three work only on the command line, in a console window.
Windbg.exe provides a graphical user interface and supports both user-mode and kernel-mode debugging. In both modes, live debugging and post-mortem debugging are supported. In addition, source-level debugging is supported.
1.3 Operator Interface
2. Command Chapter
2.1 Breakdown by Source
2.1.1 Basic commands
Use ? to view the basic commands.
2.1.2 Meta-commands
Use .help to view the meta-commands.
2.1.3 Extension Commands
Use .chain to view the loaded extensions, and then view all the extension commands under a specified module.
2.2 Breakdown by function
2.2.1 System Information
To download symbols that match the local system, first use the following command to view the local system information.
The operating system version, system uptime, debug session time, and more are listed here.
2.2.2 Process
WinDbg can debug multiple processes at the same time. You can attach directly to a process that already exists, or you can create a new process and attach to it. Switch to the target process first, then check the environment information of the current process to see whether the switch succeeded. Finally, end the debugging of the current process.
View process information, as well as the application domains it contains.
2.2.3 Module
Commands associated with module information.
List the modules and symbol information loaded by the process currently being debugged. You can also save a specified module as an assembly; the decompiled result looks good, but some variable names are not straightforward to understand.
For example, when viewing the relocation information of a module's image file, you can find that it is basically the best. You can also view the PE header information to study it.
2.2.4 Symbol
When you create a binary image file, the associated file with the suffix .dbg, .sym, or .pdb is called a symbol file and contains the following symbol information:
1) Source file path and line number for each symbol.
2) The name and address of each variable.
3) Function name, address, and prototype.
4) Frame pointer optimization data.
5) Type information for variables, structures, and so on.
The symbol path tells the debugger where to look for symbol files. Only when the symbol path is set correctly, so that the debug target, the symbol files and the source files correspond one to one, can the debugger be used to its full power.
If there are thousands of symbol files and different versions of the same symbol file exist on different platforms, then setting the symbol path manually one by one is certainly unrealistic, so the concept of a symbol server was introduced. The symbol server has a naming convention that allows the debugger to correctly locate the symbol file for the corresponding platform and version.
To access symbols, WinDbg requires two files (SymSrv.dll and SymStore.exe); you need to set a system variable to tell it where the two files are placed.
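The naming convention mentioned above can be made concrete. The following is an added example, not part of the original article: it derives the store-relative lookup path in the layout that symstore-style symbol stores use, from the CodeView RSDS record of an image. It assumes the record has already been extracted from the image's debug directory; the function names and the sample record are constructed for illustration.

```python
import struct
import uuid


def parse_rsds(record: bytes):
    """Split a CodeView 'RSDS' record into (GUID, age, PDB path)."""
    if len(record) < 25 or record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=record[4:20])   # GUID is stored mixed-endian
    (age,) = struct.unpack_from("<I", record, 20)
    end = record.find(b"\x00", 24)
    if end == -1:
        raise ValueError("unterminated PDB path")
    return guid, age, record[24:end].decode("utf-8", errors="replace")


def pdb_store_path(record: bytes) -> str:
    """Relative path of the matching PDB: name/GUID+age/name."""
    guid, age, pdb_path = parse_rsds(record)
    # The embedded path comes from the build machine and is untrusted input:
    # keep only the file name so it cannot steer the cache path elsewhere.
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError("unusable PDB file name")
    return f"{name}/{guid.hex.upper()}{age:x}/{name}"


def image_store_path(name: str, timestamp: int, size_of_image: int) -> str:
    """Relative path of an EXE/DLL: name/TimeDateStamp+SizeOfImage/name."""
    return f"{name}/{timestamp:08X}{size_of_image:x}/{name}"


# Constructed sample record (not taken from a real binary).
SAMPLE_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")
SAMPLE_RSDS = (b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
               + b"C:\\build\\obj\\app.pdb\x00")

if __name__ == "__main__":
    print(pdb_store_path(SAMPLE_RSDS))
    print(image_store_path("app.exe", 0x5F3A1B2C, 0x1A000))
```

Because the GUID and age change with every build, two builds of the same module land in different directories, which is how the debugger picks the symbol file for exactly the version it is debugging.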
2.2.5 Threads
View basic information about a thread.
For example, list all (managed) threads.
The thread number is an ID value maintained internally by the debugger; it is an integer starting from 0 and has no meaning outside the debugger.
The thread ID is a unique ID value maintained by the system.
The frozen state of a thread determines whether CPU time is allocated to it.
View the stack information for the thread.
View the time information for a thread, which covers three aspects: total elapsed time from creation to the present, user-mode execution time, and kernel-mode execution time.
In addition to time consumption, you can also view the thread pool information.
2.2.6 Memory
Memory is where data and code are stored, and many problems can be analyzed with the memory viewing commands. By looking at the large objects on the heap, as well as the owner of each object, you can understand why they are not being collected.
2.2.7 Events
WinDbg is event-driven.
Examples include program failure analysis and computer blue-screen failure analysis.
Checking the C drive did turn up a Baidu browser directory; after uninstalling Baidu Antivirus, deleting the Baidu browser from the C drive (the registry can also be cleaned up), and restarting the computer, everything was back to normal.
3. Explore the article
3.1 Method Inline
By default, release builds are optimized: to avoid the invocation overhead of some methods, the body of the called method is moved into the body of the caller, which is called method inlining.
It can be seen that the Docalc method is inlined and the Calc method is not. This raises a question: what is good code? My understanding is that, besides being comfortable to read, it should also be close to the compiled, optimized code.
3.2 String Resident Pool
When the program starts, the resident (intern) pool in the system domain is responsible for managing the interned strings. Taking a dump and analyzing it, the roots of these strings all turn out to be in one object array; looking at this array, sure enough, it is the resident pool.
To quote a passage from The Architect's Cultivation:
Finding problems is always more important than solving problems. In general, tracing back bit by bit from the point where the problem was exposed will definitely reveal whose problem it is and what the problem is.
The worst case is when, with limited time or ability, we cannot pinpoint whose problem it is, for example in a system failure, which means we cannot solve the problem at all. In that case the best approach is to reduce the cost of the problem: try to isolate its scope and set aside time and space to identify the real problem.
Windbg Dump Analysis (original summary)