使用Windbg简单分析托管程序dump

windbg

   分析dump之前,需要先从微软符号服务器下载分析所需的pdb。打开Windbg,选择File->Symbol File Path,在弹出的符号路径设置窗口中输入以下内容并点击OK,也可以使用.sympath+命令(需要先打开dump):

1
SRV*F:\SymbolCache*http://symbols.mozilla.org/firefox;SRV*F:\SymbolCache*http://msdl.microsoft.com/download/symbols;

   其中,F:\SymbolCache替换为要存放pdb的路径,这里也可以预先在后面加上项目的pdb所在路径。


   通过File->Open Crash Dump打开dump文件,添加项目的符号路径(.sympath+命令或File-> Symbol File Path,如果已经预先添加过了则忽略),之后输入.reload /f强制重新加载符号,如果之前没有下载过符号,则需要等待比较长的时间。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
0:004> .reload /f
.*** WARNING: Unable to verify checksum for AppFrame.exe
.............................*** WARNING: Unable to verify checksum for DLog.dll
.*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SocketSystem2012.dll - 
...*** WARNING: Unable to verify checksum for SceneServer.dll
..........*** WARNING: Unable to verify checksum for Base_d.dll
..................*** WARNING: Unable to verify checksum for ZoneServerLogic.DLL
..
.......*** WARNING: Unable to verify checksum for CenterServer_d.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CenterServer_d.dll - 
.*** WARNING: Unable to verify checksum for GatewayServer_d.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for GatewayServer_d.dll - 
.*** ERROR: Symbol file could not be found.  Defaulted to export symbols for basetoolsA.dll - 
.*** ERROR: Symbol file could not be found.  Defaulted to export symbols for DataCenter.dll - 
.*** WARNING: Unable to verify checksum for EnterManager.DLL
.*** WARNING: Unable to verify checksum for RoomServer.DLL


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.*** WARNING: Unable to verify checksum for BattleModuleWrapper.DLL
.....*** WARNING: Unable to verify checksum for mscorlib.ni.dll
...*** WARNING: Unable to verify checksum for System.ni.dll
.*** WARNING: Unable to verify checksum for System.Xml.ni.dll
..*** WARNING: Unable to verify checksum for System.Core.ni.dll
....
Loading unloaded module list
...

   当出现Loading unloaded module list时,输入.chain命令查看当前已加载的扩展:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0:004> .chain
Extension DLL search Path:
    H:\Program\Debugging Tools for Windows (x86)\WINXP;H:\Program\Debugging Tools for Windows (x86)\winext;H:\Program\Debugging Tools for Windows (x86)\winext\arcade;H:\Program\Debugging Tools for Windows (x86)\pri;H:\Program\Debugging Tools for Windows (x86);H:\Program\Debugging Tools for Windows (x86)\winext\arcade;D:\Program\Perl\site\bin;D:\Program\Perl\bin;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;E:\Software\Program\Python27\;E:\Software\Program\Lua\5.1;E:\Software\Program\Lua\5.1\clibs;C:\strawberry\c\bin;C:\strawberry\perl\bin;H:\Program\Java\jdk1.8.0_65\bin;H:\Program\Java\jdk1.8.0_65\jre\bin;E:\Software\Program\Git\cmd;E:\Software\Program\Subversion\bin;E:\Software\Program\Subversion\bin;E:\Software\Program\MySQL\MySQL Server 5.5\bin;C:\Program Files (x86)\AMD\ATI.ACE\Core-Static;D:\Program\php;D:\Program\php\ext;C:\Program Files\TortoiseSVN\bin;E:\Software\Program\CMake\bin;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files (x86)\GtkSharp\2.12\bin;D:\Program\Redis\;C:\Program Files (x86)\Common Files\Adobe\AGL;D:\Program\NASM;C:\Program Files\Microsoft SQL Server\130\Tools\Binn\;E:\Software\Program\cocos2d-x-3.2\tools\cocos2d-console\bin;C:\Program Files (x86)\Debugging Tools for Windows;D:\Program\Microsoft VS Code\bin
Extension DLL chain:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos: image 4.6.1055.0, API 1.0.0, built Fri Nov 06 10:20:58 2015
        [path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\sos.dll]
    dbghelp: image 6.12.0002.633, API 6.1.6, built Tue Feb 02 04:08:26 2010
        [path: H:\Program\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:31 2010
        [path: H:\Program\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:24 2010
        [path: H:\Program\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    uext: image 6.12.0002.633, API 1.0.0, built Tue Feb 02 04:08:23 2010
        [path: H:\Program\Debugging Tools for Windows (x86)\winext\uext.dll]
    ntsdexts: image 6.1.7650.0, API 1.0.0, built Tue Feb 02 04:08:08 2010
        [path: H:\Program\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]

   可以看到这里已经加载了sos.dll,如果遇到没有sos.dll的情况,可以输入.load C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos.dll加载dll。加载之前请先确认SOS 调试扩展 (sos.dll) 的版本与 CLR 和 DAC 的版本匹配: v4.0.30319,以及三个组件都是64位(这一句来自微软官方文档,我也不太明白是啥意思)。另外也可以输入.loadby sos clr(CLR版本4.0及以上,1.0或2.0版本输入.loadby sos mscorwks)加载sos.dll
   接下来,输入!clrstack即可看到托管堆栈信息:

1
2
3
4
5
6
7
8
9
0:004> !clrstack
OS Thread Id: 0x1430 (4)
Child SP       IP Call Site
03f67be8 77020c52 [InlinedCallFrame: 03f67be8] 
03f67b54 037358c4 <Module>.CBattleModuleWrapper.Create(CBattleModuleWrapper*) [f:\xxx\server\battle\battlemodulewrapper\battlemodulewrapper.cpp @ 46]
03f67b78 037351b7 DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int32)
03f67be8 03b3e29a [InlinedCallFrame: 03f67be8] 
03f67be4 03735125 DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr)
03f67c34 037330a8 <Module>.CreateBattleModuleWrapper() [f:\xxx\server\battle\battlemodulewrapper\battlemodulewrapper.cpp @ 192]

   输入!clrstack -a还可以看到调用堆栈传入参数信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0:004> !clrstack -a
OS Thread Id: 0x1430 (4)
Child SP       IP Call Site
03f67be8 77020c52 [InlinedCallFrame: 03f67be8] Unknown
03f67b54 037358c4 <Module>.CBattleModuleWrapper.Create(CBattleModuleWrapper*) [f:\xxx\server\battle\battlemodulewrapper\battlemodulewrapper.cpp @ 46]
    PARAMETERS:
        軰ˉˏd (0x03f67b6c) = 0x05812178
    LOCALS:
        0x03f67b64 = 0x074e2fd0
        0x03f67b60 = 0x0749229c
        0x03f67b68 = 0x00000000
        0x03f67b5c = 0x00000000

03f67b78 037351b7 DomainBoundILStubClass.IL_STUB_ReversePInvoke(Int32)
    PARAMETERS:
        <no data>

03f67be8 03b3e29a [InlinedCallFrame: 03f67be8] 
03f67be4 03735125 DomainBoundILStubClass.IL_STUB_PInvoke(IntPtr)
    PARAMETERS:
        <no data>

03f67c34 037330a8 <Module>.CreateBattleModuleWrapper() [f:\xxx\server\battle\battlemodulewrapper\battlemodulewrapper.cpp @ 192]
    LOCALS:
        0x03f67c58 = 0x05812178
        0x03f67c54 = 0x00000000
        0x03f67c50 = 0x05812178
        0x03f67c4c = 0x05812178

本文标题:使用Windbg简单分析托管程序dump

文章作者:lfeng

发布时间:2018年03月30日 - 23时27分

最后更新:2019年03月13日 - 22时47分

原始链接:https://blog.lfengs.com/2018/Analyze-CLR-application-dump-with-windbg.html

许可协议: "署名-非商用-相同方式共享 3.0" 转载请保留原文链接及作者。

文章目录