Windbg Extension Netext using the Guide "3"----dig up the data you want Managed Heap

Summary:

There are two more commonly used commands in Netext that can be used to analyze the objects on the heap. One is!wheap, the other is!windex.

!wheap This command can be used to print out the heap structure information. The information after the object is aggregated on the heap. This command can also filter out the objects according to some conditions, but the execution speed is slow. At this point, it is more recommended to!windex.
!windex is a very common command. This command can be used to find an object in the heap that implements a interface, inheriting an abstract class or class. After this command is executed, the object after index has been cached, which can speed up the line of similar commands. There are also very cool features that can show individual fields in batches from the same type of object.

!wheap

!wheap This command can be used to print out the heap structure information.  and the aggregated information for the heap object. Plus the parameter –detailsonly, like his name, can print out detailed information.

It can show the number of heap, because the GC mode used by this CLR Rutime is server mode (1). Then the number of heap will vary according to the number of processor. The number of heap that can be seen here is 2.

For the difference between GC types, refer to the links below

• Http://blogs.msdn.com/b/clyon/archive/2004/09/08/226981.aspx
• https://msdn.microsoft.com/en-us/library/cc165011 (v=office.11). aspx
• Http://blogs.msdn.com/b/clyon/archive/2005/02/04/367419.aspx

As you can see from the output, each managed heap has its own address. If the size of the heap is larger, it also contains more than one segment. The maximum value for each segment is fixed. The maximum value is determined by a number of factors. Different environments and configurations, this value will vary. When a segment is about to be allocated full, a new segment is created. The segment will grow slowly until it reaches full length.

This command also prompts for the number of objects on different generation generations in the GC Heap. The more special one is Generation 3. The generation we know is 3.

0:000>!wheap-detailsonlyheaps:2<-- the number of heap-->Server mode:1<-- GC mode, 1 means server mode-->Heap [0]:<-- The first heap-->    Allocated:0000000155a56fe8 Card table:00000000027ea6b0 ephemeral Heap segment:0000000155660000 Finalizatio n Fill pointers:000000c28007cd40 Heap address:0000000000e1e790 Lowest address:0000000155660000 Highest Address : 00000001f5660000 Generation Addresses: [0]:allocstart (0000000155793728), Alloccxtlimit (0000000000000000), ALLOCC Txptr (0000000000000000), startseg (0000000155660000) [1]:allocstart (0000000155660080), Alloccxtlimit ( 0000000000000000), Allocctxptr (0000000000000000), startseg (0000000155660000) [2]:allocstart (0000000155660068), Alloccxtlimit (0000000000000000), Allocctxptr (0000000000000000), startseg (0000000155660000) [3]:AllocStart ( 00000001d5660068), Alloccxtlimit (0000000000000000), Allocctxptr (0000000000000000), startseg (00000001d5660000) segments:segment:0000000155660000 start:0000000155660068 end:0000000155981340 Himark:0000000155a56fe8 Committed:   0000000155a61000 reserved:0000000195660000 next:0000000000000000<-- The first segment, because there is a second segment has been created, you can guess that the segment has been quickly allocated. Subtracting the address of start with the end address can calculate the size of a segment. Here is 64MB.-->segment:00000001d5660000 start:00000001d5660068 end:00000001d569bf10 himark:00000001d569bf10 Committed: 00000001d56a1000 reserved:00000001e5660000 next:0000000000000000heap [1]: Allocated:0000000195907af8 Card Table: 00000000027ea6b0 ephemeral heap segment:0000000195660000 finalization Fill pointers:000000c28007cd40 heap Addre        Ss:0000000000e20db0 Lowest address:0000000155660000 Highest address:00000001f5660000 Generation Addresses: [0]:allocstart (000000019573e270), Alloccxtlimit (0000000000000000), Allocctxptr (0000000000000000), startseg ( 0000000195660000) [1]:allocstart (0000000195660080), Alloccxtlimit (0000000000000000), Allocctxptr (0000000000000000 ), Startseg (0000000195660000) [2]:allocstart (0000000195660068), Alloccxtlimit (0000000000000000), ALLOCCTXPTR ( 0000000000000000), Startseg (0000000195660000) [3]:allocstart (00000001e5660068), Alloccxtlimit (0000000000000000), Allocctxptr (0000000000000000), startseg (00000001e5660000) Segments:segment:0000000195660000 start:0000000195660068 End:0000000195907af8 Himark:0000000195907af8 committed:0000000195911000 reserved:00000001d5660000 next:0000000000000000segment:00000001e5660000 start:00000001e5660068 End: 00000001e5660080 himark:00000001e5660080 committed:00000001e5661000 reserved:00000001f5660000 Next: 0000000000000000Heap Areas:area [0000000155660068]: 0000000155660068-0000000155660080 () heap:0 Generation:2 L   arge:0<-- represents 24 objects in Generation 2-->Area [0000000155660080]: 0000000155660080-0000000155793728 (1259176) heap:0 generation:1 Large:0area [0000000155 793728]: 0000000155793728-0000000155a61000 (2939096) heap:0 generation:0 Large:0area [0000000195660068]: 00000001956 60068-0000000195660080 (heap:1 generation:2 Large:0area [0000000195660080]: 0000000195660080-000000019573e2 (909808) heap:1 generation:1 Large:0area [000000019573e270]: 000000019573e270-0000000195911000 (1912208) Heap : 1 generation:0 Large:0area [00000001d5660068]: 00000001d5660068-00000001d569bf10 (245416) heap:0 Generation:3 La Rge:1<-- indicates that 245,416 objects are in Generation 3, which is the large object Heap-->Area [00000001e5660068]: 00000001e5660068-00000001e5660080 (heap:1 Generation:3 large:10000000155660068 000)       0000000E111D0 0 2 Free0000000155660080 0000000000e111d0 0 1 Free0000000155660098 0000000000e111d0 0 1 free00000001556600b0 000007fef0b96cb8 0 1 system.exception0000000155660150 000007fef0b96f10 1 0 1 system.outofmemoryexception00000001556601f0 000007fef0b96f98 0 1 system.stackoverflowexception00000001 55660290 000007fef0b97020 0 1 system.executionengineexception0000000155660330 000007fef0b970a8 0 1 S Ystem. threading.threadabortexception00000001556603d0 000007fef0b970a8 0 1 system.threading.threadabortexception.....0 000000195747da0 000007fee67a1e60 1 0 system.xml.schema.xmlschemaobjecttable+valuescollection0000000195747dc0 00       0007fee67a1f28 1 0 System.xml.schema.xmlschemaobjecttable+xsoenumerator0000000195747df8 000007fef0b9c768 Approx. 1 0 system.inT32[]0000000195747e20 000007fee67a2048 1 0 System.Collections.Generic.Dictionary ' 2+entry[[system.xml.xmlqualifi Edname, System.xml],[system.xml.schema.xmlschemaobject, System.xml]][]0000000195747e80 000007fee679fd20 1 0 Sys Tem. Xml.schema.xmlschemaobjecttable+xmlschemaobjectentry[]0000000195747ed8 000007fee67a1e60 1 0 System.Xml.Schema.X      mlschemaobjecttable+valuescollection00000001d5660068 0000000000e111d0 0 3 free00000001d5660080 000007fef0b9adf8 8192 0 3 system.object[] ..... This output is throttled. Only the first objects of each heap range have been shown. Use-nothrottle to list all objects or any limiting parameter (-type for example)

View Code

-The purpose of detailsonly is to print out the structure information of the heap. Object only prints the first 500. If you want to print out all of the objects on the heap, use the parameter –nothrottle, but the command will run for a slightly longer time.

With the-start and –end parameters, you can print out the data of an object in a range.

With –mt <string> parameters, you can print out the objects of the specified methodtable value. Similar to command!GCHEAP–MT <addr>

The results of the!WHEAP show some summary information about the object on the heap. This information is categorized by object type, and one data represents an object type.

The first column is the address of one object, and if more than one object is of the same type, only the first one is displayed.

The second column is the address of the methodtable of this type of object.

The third column is the total number of virtual memory used for this type. In the case of high memory scenarios, this value can be used to quickly find the object type that occupies the highest virtual memory.

The fourth column is the number of this type.

The fifth column is the name of this type

 !wheap.......0000000195747d18 000007fef0b9c768 1 0 system.int32[]0000000195747d4 0 000007fee679a850 1 0 System.Collections.Generic.Dictionary ' 2+entry[[system.xml.xmlqualifiedname, System.Xml], [System.Xml.Schema.SchemaAttDef, System.Xml]]  []0000000195747da0 000007fee67a1e60 1 0 system.xml.schema.xmlschemaobjecttable+valuescollection0000000195747dc0       000007fee67a1f28 1 0 System.xml.schema.xmlschemaobjecttable+xsoenumerator0000000195747df8 000007fef0b9c768 1 0 system.int32[]0000000195747e20 000007fee67a2048 1 0 System.Collections.Generic.Dictionary ' 2+entry[[ System.Xml.XmlQualifiedName, System.xml],[system.xml.schema.xmlschemaobject, System.xml]][]0000000195747e80 000007FEE679FD20 1 0 System.xml.schema.xmlschemaobjecttable+xmlschemaobjectentry[]0000000195747ed8 000007fee67a 1e60 1 0 system.xml.schema.xmlschemaobjecttable+valuescollection  

View Code

!windex

!windex is a very common command. This command will not only dig in the heap to find the type of data you need. The most useful thing is that it can be used to find an object in the heap that implements a interface and inherits an abstract class or class. After this command is executed, the object after index has been cached, which can speed up the line of similar commands.

Here's a look at!windex's more interesting features, which show the heap last object as a tree structure through the WinDbg UI. This approach compares the image of various objects for analysis.

First, run the !windex-tree command in WinDbg. This command will quickly index the object on the heap. A temporary file is then generated locally. It also generates a command.

0:000>!windex-treestarting indexing at 20:19:06 pmindexing finished @ 20:19:07 pm7,098,503 Bytes in 77,156 ObjectsIn Dex took 00:00:01copy, paste and Run command Below:.cmdtree C:\Users\sonicguo\AppData\Local\Temp\HEAE0D6.tmp

Copy & PASTE This command to the command line to execute.  It will then pop up another window, such as. The effect of this diagram is a little closer to the window effect of checking object in Visual Studio.

You can double click a record at this time. The details of the record will be displayed.

0:000>!WINDEX-MT 000007fee79efa20index is up to date If you believe it's not, use!windex-flush to force reindex000 00001556ebc68 000007fee79efa20 System.ServiceModel.BasicHttpBinding   0 100000001556f2b88 000007FEE79EFA20 System.ServiceModel.BasicHttpBinding   0 1

If you double-click not this type, but one of the following fields, the value of each field in this type is displayed. For example there are two basichttpbinding here. I want to know the name of every basichttpbinding. Then simply double-click on the name to print out the names of the two basichttpbinding.

This is a great way to quickly investigate the value of a particular field of a type.

00000001556ebc68 00000001556f2b88 [System.ServiceModel.BasicHttpBinding] System.String name = 00000001556ce118 Basichttpbindingconfigurationjava

!windex also supports fuzzy queries. For example, execute the following command to print all objects that have the suffix basichttpbinding.

0:000>!windex-type *. Basichttpbindingindex is-to-date If you believe it isn't, use!windex-flush-Force reindex00000001556ebc68 000007fe E79EFA20 System.ServiceModel.BasicHttpBinding   0 100000001556f2b88 000007fee79efa20 System.ServiceModel.BasicHttpBinding   0 1

With!wfrom, you can find a specific field from the filtered object, provided you know the name of the field.

0:000>!wfrom-type *. BasicHttpBinding Select Namename:wsHttpBindingConfigurationname:basicHttpBindingConfigurationJava2 Object (s) Listed

This shows that the result is very cool, but not able to see the address of the object, slightly insufficient. To compensate for this deficiency, you can use the additional parameters $addr () to resolve.

0:000>!wfrom-type *. BasicHttpBinding Select $addr (), namecalculated:00000001556ebc68name:wshttpbindingconfigurationcalculated: 00000001556f2b88name:basichttpbindingconfigurationjava

In addition, you can add an alias with a $ A () parameter to make the output more readable.

0:000>!wfrom-type *. BasicHttpBinding Select $a ("Address", $addr ()), $typename (), nameaddress:00000001556ebc68calculated: System.servicemodel.basichttpbindingname:wshttpbindingconfigurationaddress:00000001556f2b88calculated: System.ServiceModel.BasicHttpBindingname:basicHttpBindingConfigurationJava2 Object (s) listed

So many new features, do you think it's cool to blow the sky? In the next issue, I'll continue to introduce more cool new features.

Sonic Guo

Windbg Extension Netext using the Guide "3"----dig up the data you want Managed Heap