Crash (or) Hang Dump Analysis using WinDbg in Windows Platform, by K.S. Shanmugasundaram

Description

This training comprises two sessions.

Session 1 (Theory)
1. Understanding Dump File
2. Varieties of Dump File
3. Creation of Dump File
4. Terminologies for analyzing of Dump File
5. Introduction to WinDbg

Session 2 (Lab)
1. Postmortem Debugger Settings
2. WinDbg Setup
3. Dump File creation using Tools
4. Dump File creation using Win32 API
5. Dump File Analyzing case study

For download, drop a mail to [email protected]

Transcript
Crash Dump Analysis using WinDbg
By K.S.Shanmuga sundaram
Page 2 2013
By K.S.Shanmuga sundaram
About Training
Session - 1
Agenda – Session1
Understanding Dump File 1
Varieties of Dump File 2
Creation of Dump File 3
Terminologies for analyzing of Dump File 4
Introduction to WinDbg 5
Varieties of Bugs
Arithmetic
Logical
Syntax
Resource
Multi-threaded
Performance
User Interface
Impact of Bug on Application
Application may Malfunction
Application may Crash
Application may Hang
Application Crash
Arises due to an unhandled exception.
Application Hang
May arise due to a deadlock, or due to high CPU usage.
How to Fix a Crash / Hang Issue?
1. Store the application state (the process dump information), i.e. process info, thread info, loaded module info, register info, memory info, handle info, call stack info, etc.
2. Start analyzing it to find the root cause of the issue.
What is a Dump File?
Definition: a static snapshot of an application at any given time.
Fact sheet
File format: binary file format.
File extension: .DMP (stands for Dump).
Contents: process, thread, stack, call stack, handles, modules, etc.
Usage: (i) debugging a crashing application; (ii) debugging a hanging application.
Other terms: crash dump, core dump, hang dump, heap dump, memory dump, process dump, or just dump.
Physical Memory Layout
[Diagram: memory is divided into user space, holding the user processes, and kernel space, holding the kernel processes; access from user space to kernel space is restricted.]
Physical Memory Layout – 32 bit
[Diagram: a 4 GB (2^32) address space; user space occupies 0 to 2 GB, kernel space occupies 2 GB to 4 GB.]
Physical Memory Layout – 32 bit, with the /3GB switch in the boot.ini file
[Diagram: a 4 GB (2^32) address space; user space occupies 0 to 3 GB, kernel space occupies 3 GB to 4 GB.]
Types of Dump File
Dump File creation
Dump File creation using Win32 API
BOOL MiniDumpWriteDump(
    HANDLE hProcess,
    DWORD ProcessId,
    HANDLE hFile,
    MINIDUMP_TYPE DumpType,
    PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
    PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
    PMINIDUMP_CALLBACK_INFORMATION CallbackParam
);
Dump File creation using Win32 API
API name: MiniDumpWriteDump
DLL: Dbghelp.dll
Header file: Dbghelp.h
Arguments
HANDLE hProcess: target process handle.
DWORD ProcessId: target process ID.
HANDLE hFile: dump file handle.
MINIDUMP_TYPE DumpType: type of information to be written to the dump file.
PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam: pointer to exception info such as the thread ID and the exception pointers.
PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam: pointer to user-defined information. [Optional]
PMINIDUMP_CALLBACK_INFORMATION CallbackParam: callback to receive extended dump information. [Optional]
Dump File creation using Win32 API
Argument: MINIDUMP_TYPE DumpType
Description
Enumerator constants. It can have any one of the values:
MiniDumpNormal
MiniDumpWithDataSegs
MiniDumpWithFullMemory
MiniDumpWithHandleData
MiniDumpFilterMemory
MiniDumpScanMemory
MiniDumpWithUnloadedModules
MiniDumpWithIndirectlyReferencedMemory
MiniDumpFilterModulePaths
MiniDumpWithProcessThreadData
MiniDumpWithPrivateReadWriteMemory
MiniDumpWithoutOptionalData
MiniDumpWithFullMemoryInfo
MiniDumpWithThreadInfo
MiniDumpWithCodeSegs
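As an added example (not part of the original training material or its MFC samples), the following C program installs an unhandled exception filter that writes a minidump of the crashing process itself with MiniDumpWriteDump, passing the faulting thread's context through ExceptionParam so that WinDbg's .ecxr and !analyze -v can recover it later. The MINIDUMP_TYPE constants are flag bits that are OR-ed together; choose_dump_type builds one small and one full combination. The dump directory C:\dumps, the file name pattern, the exception-code table and all helper names are this example's own assumptions. The Windows-specific part is guarded by _WIN32 so that the helpers compile and can be checked on any platform.

```c
/* Added example: write a minidump from an unhandled exception filter.
 * Windows-only code sits under _WIN32; the helpers are portable. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>            /* must follow windows.h */
#pragma comment(lib, "dbghelp.lib")
#else
/* Subset of the MINIDUMP_TYPE bit values from dbghelp.h, so the helper
 * below compiles on non-Windows hosts (assumption: same values as the SDK). */
typedef enum {
    MiniDumpNormal                         = 0x0000,
    MiniDumpWithDataSegs                   = 0x0001,
    MiniDumpWithFullMemory                 = 0x0002,
    MiniDumpWithHandleData                 = 0x0004,
    MiniDumpWithUnloadedModules            = 0x0020,
    MiniDumpWithIndirectlyReferencedMemory = 0x0040,
    MiniDumpWithProcessThreadData          = 0x0100,
    MiniDumpWithFullMemoryInfo             = 0x0800,
    MiniDumpWithThreadInfo                 = 0x1000
} MINIDUMP_TYPE;
#endif

/* Pick the DumpType flags. A small dump keeps stacks, module lists and thread
 * info; a full dump adds every committed page plus handle data, so heap
 * contents and !handles work in WinDbg at the cost of a much larger file. */
MINIDUMP_TYPE choose_dump_type(int full_memory)
{
    unsigned flags = MiniDumpWithUnloadedModules
                   | MiniDumpWithThreadInfo
                   | MiniDumpWithIndirectlyReferencedMemory;
    if (full_memory)
        flags |= MiniDumpWithFullMemory | MiniDumpWithFullMemoryInfo
               | MiniDumpWithHandleData | MiniDumpWithProcessThreadData;
    else
        flags |= MiniDumpWithDataSegs;
    return (MINIDUMP_TYPE)flags;
}

/* Readable names for the exception codes seen in the case studies, for the
 * log line written beside the dump (the same codes !analyze -v reports). */
const char *exception_code_name(uint32_t code)
{
    switch (code) {
    case 0xC0000005: return "EXCEPTION_ACCESS_VIOLATION";
    case 0xC0000094: return "EXCEPTION_INT_DIVIDE_BY_ZERO";
    case 0xC00000FD: return "EXCEPTION_STACK_OVERFLOW";
    default:         return "unknown";
    }
}

/* Dump file name from directory, process id and sequence number.
 * Returns the length written, or -1 when the buffer is too small. */
int build_dump_name(char *out, size_t cap, const char *dir, unsigned pid, unsigned seq)
{
    int n = snprintf(out, cap, "%s\\crash_pid%u_%u.dmp", dir, pid, seq);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

#ifdef _WIN32
static LONG WINAPI crash_filter(EXCEPTION_POINTERS *ep)
{
    char path[MAX_PATH];
    if (build_dump_name(path, sizeof path, "C:\\dumps", GetCurrentProcessId(), 0) < 0)
        return EXCEPTION_CONTINUE_SEARCH;

    HANDLE file = CreateFileA(path, GENERIC_WRITE, 0, NULL,
                              CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
        return EXCEPTION_CONTINUE_SEARCH;

    /* ExceptionParam ties the EXCEPTION_RECORD and CONTEXT of the faulting
     * thread to the dump; ClientPointers is FALSE because the pointers are
     * valid in this (the target) process. */
    MINIDUMP_EXCEPTION_INFORMATION info;
    info.ThreadId          = GetCurrentThreadId();
    info.ExceptionPointers = ep;
    info.ClientPointers    = FALSE;

    BOOL ok = MiniDumpWriteDump(GetCurrentProcess(), GetCurrentProcessId(), file,
                                choose_dump_type(0), &info, NULL, NULL);
    CloseHandle(file);
    fprintf(stderr, "%s: wrote %s (%s)\n",
            exception_code_name(ep->ExceptionRecord->ExceptionCode),
            path, ok ? "ok" : "MiniDumpWriteDump failed");
    return EXCEPTION_EXECUTE_HANDLER;   /* let the process terminate afterwards */
}

int main(void)
{
    SetUnhandledExceptionFilter(crash_filter);
    int *i = NULL;
    *i = 100;                           /* case study 1: access violation */
    return 0;
}
#endif
```

Build with MSVC and link dbghelp.lib, run it, then open the resulting .dmp in WinDbg and run !analyze -v and .ecxr to see the stored exception context. Writing a dump from inside the crashing process is convenient but not fully reliable (the heap or stack may already be corrupt), which is why an external tool such as ProcDump or the LocalDumps registry settings is usually preferred in production.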
Kernel Dump creation using System settings
Symbols
Symbols store debugging information about a program.
Private symbols (also called full symbols) contain: global variables; local variables; function names and the addresses of their entry points; frame pointer omission (FPO) records; source file name and line number for each instruction.
Public symbols (also called stripped symbols) contain: functions (except for functions declared static); global variables specified as extern (and any other global variables visible across multiple object files).
Symbols in detail
For each item, the symbol file stores:
- The name of the item.
- The address of the item in the virtual memory space of its module. For a function, this is the address of its entry point.
- Frame pointer omission (FPO) records for each function.
- The data type of each variable, structure, and function.
- The types and names of the parameters for each function.
- The scope of each local variable.
- The symbols associated with each line in each source file.
Symbols Relation
Public symbol data can be thought of as a subset of the private symbol data.
Symbol File Format
PDB stands for "Program Database".
Fact sheet
Microsoft proprietary file format (.pdb).
Extracted from source files (.cpp, .c, .cs, etc.).
PDB file information is extracted by using the DIA (Debug Interface Access) SDK.
A .NET PDB file contains only the source file name, line numbers and local variable names, as the .NET metadata already contains the rest of the symbols.
Visual Studio 5.0 generates the .dbg file format.
Dump file relation
[Diagram: the dump file (.DMP) is related to the symbol files (.PDB, .DBG), the source files (.C, .CPP, .H, .CS) and the binaries (.EXE, .DLL, .LIB).]
Application Dependency
Dump File Dependency
Required files for analysing a dump file: image, symbols, sources.
Process & Threads
[Diagram: a user process in user space contains Thread 1, Thread 2 ... Thread N, each with 1 MB of stack memory.]
Stack
[Diagram: the stack memory of each thread (Thread 1, Thread 2, Thread 3) in user space consists of a committed region, a guard page and a reserved region; the stack grows from the committed region through the guard page into the reserved region.]
Callstack
void Method2(int, int) { /* Do something... */ }
void Method1(int) { Method2(40, 50); }
void main() { Method1(20); }
Call Stack
Frame 2: Method2()
Frame 1: Method1()
Frame 0: main()
C compiler Name Mangling
void Method1(int) { Do something... }
void Method1(char) { Do something... }
void Method2(int, int) { Do something... }
void main() { Method1(20); Method1('a'); Method2(40, 50); }
Function Name - Function Address
Method1() - 0x1234
Method1() - 0x3423
Method2() - 0x1654
Typical Representation
__Method1_0x1234
__Method1_0x3423
__Method2_0x1654
C++ compiler Name Mangling
void Method1(int) { Do something... }
void Method1(char) { Do something... }
void Method2(int, int) { Do something... }
void main() { Method1(20); Method1('a'); Method2(40, 50); }
Typical Representation
__Method1_1_@INT_0x1234
__Method1_1_@CHAR_0x3423
__Method2_2_@INT_@INT_0x1654
Function Name - No. of Params - Param Types - Function Address
Method1() - 1 - Int - 0x1234
Method1() - 1 - Char - 0x3423
Method2() - 2 - Int, Int - 0x1654
Calling convention
Calling convention comparison
Exception Dispatching
[Diagram of the exception dispatching sequence, with arrows numbered 1 to 9: the exception goes to the debugger as a first chance exception, then to the frame handlers, then back to the debugger as a second chance exception; unhandled exceptions then go to the operating system, the default postmortem debugger and Windows Error Reporting.]
C++ Exception Test
void TestMethod() { int Temp = 100; Temp = Temp / (Temp - Temp); }
void main() { try { TestMethod(); } catch (...) { printf(" Exception Caught"); } }
Will the program crash?
C++ Exception Answer
Project setting: C/C++ --> Code Generation --> Enable C++ Exceptions
C++ Exceptions - Command line option - Remarks
No - (none) - No exception handled.
Yes - /EHsc - Only C++ exceptions handled.
With SEH - /EHa - Both C++ and SEH exceptions handled. (Destructor will not be called on stack unwinding)
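As an added example (not from the slides), the following C program, when built with MSVC, catches the divide-by-zero from TestMethod with structured exception handling instead of a C++ catch block: the CPU fault is delivered as the SEH code EXCEPTION_INT_DIVIDE_BY_ZERO (0xC0000094), which a catch(...) compiled with /EHsc never receives, so without /EHa or a __try/__except the process crashes and the exception shows up in the dump under that code. The __try/__except part is guarded by _WIN32 since it is MSVC-specific; checked_divide is the portable fix that avoids the fault altogether. Function names and the DIV_* return codes are this example's own.

```c
/* Added example: SEH handling of the divide-by-zero from the C++ Exception
 * Test, beside a portable checked divide. MSVC-only code is under _WIN32. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Return codes of checked_divide (this example's own). */
#define DIV_OK      0
#define DIV_BY_ZERO 1

/* Portable alternative: refuse the division instead of letting the CPU fault,
 * so no exception (C++ or SEH) is ever raised. */
int checked_divide(int dividend, int divisor, int *quotient)
{
    if (divisor == 0)
        return DIV_BY_ZERO;
    *quotient = dividend / divisor;
    return DIV_OK;
}

/* The original TestMethod; volatile stops the compiler from folding
 * Temp - Temp to a constant zero at compile time. */
int test_method(void)
{
    volatile int Temp = 100;
    Temp = Temp / (Temp - Temp);
    return Temp;
}

#ifdef _WIN32
/* The filter decides which codes this frame handles. Anything else keeps
 * propagating (EXCEPTION_CONTINUE_SEARCH) to outer handlers, the attached
 * debugger and finally the postmortem debugger. */
static int divide_filter(DWORD code)
{
    return code == EXCEPTION_INT_DIVIDE_BY_ZERO ? EXCEPTION_EXECUTE_HANDLER
                                              : EXCEPTION_CONTINUE_SEARCH;
}

/* Returns 0 when test_method completes, or the SEH code that was handled. */
DWORD run_test_method(void)
{
    __try {
        test_method();
        return 0;
    } __except (divide_filter(GetExceptionCode())) {
        return GetExceptionCode();      /* 0xC0000094 */
    }
}

int main(void)
{
    DWORD code = run_test_method();
    printf("SEH handled exception code 0x%08lX\n", (unsigned long)code);
    return 0;
}
#endif
```

Under a debugger the divide is still reported as a first chance exception before the __except block runs, which is why a first chance break in WinDbg is not by itself evidence of a crash.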
Terminologies
WinDbg – An Introduction
Microsoft Windows Debugger.
GUI debugger.
Both user-mode and kernel-mode debugger.
Non-invasive debugger.
Freeware.
Lightweight.
WinDbg – Command Types
Command Type - Description
Regular commands - Used to debug processes.
Meta or dot-commands - Usually used to control the behavior of the debugger.
Extension commands - Implemented as exported functions in extension DLLs.
WinDbg – Commands
Command Type - Examples
Regular commands - k
Meta or dot-commands - .cls, .reload, .time
Extension commands - !analyze, !locks, !teb, !peb
WinDbg Commands
Command - Description
!analyze -v - Analyze exceptions.
!analyze -hang -v - Analyze a hang.
!gle - Get last error.
.lastevent - Get the last exception event.
.ecxr - Display the exception context.
!sym noisy - Display error information while loading symbols. By default it is OFF.
k - Display the call stack.
ld * - Load all modules.
!for_each_frame - Display the call stack with frame numbers.
.frame N - Set frame "N" as the current context.
WinDbg Commands
Command - Description
.reload /f /v /i - Load all modules forcefully, with verbose output.
!teb - Thread Environment Block (formatted output).
!peb - Process Environment Block (formatted output).
!runaway - Displays information about the time consumed by each thread.
dt nt!_TEB - Full Thread Environment Block.
~ - Display info on all threads.
|| - Display process info.
!wow64exts.sw - Switches a 64-bit dump into its 32-bit (WOW64) view.
dt ModuleName!* - Display all available data types in a module.
dt ModuleName!Type - Display the declaration of a given data type.
WinDbg Commands
Command - Description
.symopt - Display the current symbol loading settings.
.symopt +0x40 - Forcefully try to match the PDB with the target binary. Sets the SYMOPT_LOAD_ANYTHING flag, which means the timestamp is not checked.
!locks - Display critical section info.
!handles - Display handle info.
Any Questions?
Session - 1
Session - 2
Agenda – Session2
Postmortem Debugger Settings 1
WinDbg Setup 2
Dump File creation using Tools 3
Dump File creation using Win32 API 4
Dump File Analyzing case study 5
Postmortem Debugger Setup Registry Settings - Windows XP and prior OS.
Registry Path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Registry Values
Value Name - Remarks
Debugger - Full path of the debugger executable.
Auto - 0: a message box will be displayed prior to postmortem debugging. 1: no message box.
Postmortem Debugger Setup Registry Settings - Windows Server 2008, Vista with SP1 and 7.0.
Registry Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
In the case of 64-bit, set the corresponding registry locations (WOW64) as well.
Registry Values
Value Name - Value Data
DumpFolder - Complete path of the dump folder.
DumpCount - Total dump file count.
DumpType - 0: custom, 1: mini, 2: full.
CustomDumpFlags - Valid if DumpType = 0. Possible hexadecimal values: 0, 1, 2, 4, 8, 10, 20, 40, 80, 100, 200, 400, 800, 1000, 2000, 4000, 10000, 20000, 40000, 80000, 100000, 1fffff. Refer to MSDN for details.
Postmortem Debugger Setup Default Enabling
Tool - Settings
Dr.Watson - drwtsn32 -I
WinDbg - WinDbg -I
Visual Studio - Tools -> Options -> Debugging -> Just-In-Time: Enable All
WinDbg Setup Environment Variables
_NT_SYMBOL_PATH
_NT_ALT_SYMBOL_PATH
_NT_DEBUGGER_EXTENSION_PATH
_NT_EXECUTABLE_IMAGE_PATH
_NT_SOURCE_PATH
WinDbg Setup Symbol, Image & Source path Setup
Path Type - File type - Files
Symbol path - Program database files (.pdb) - Target application, Windows binaries, and all dependent binaries.
Source path - Source files (.cpp, .h, .cs) - Target application, CRT libraries, and all dependent binaries.
Image path - Binary files (.exe, .dll) - Target application, Windows DLLs, and all dependents.
Dump File Creation Using Tools
Tool - Remarks
Process Explorer - Right click -> Create Dump
ProcDump - procdump.exe -ma Target.exe
WinDbg - WinDbg -pv -pn Target.exe -c ".dump /ma DumpFileName.dmp;q"
Task Manager - Right click -> Create Dump
Dr.Watson - Drwatson.exe (enable Create Dump File)
Dump File Creation Using Win32 API
Refer Sample MFC_1
Case Study - 1
Exception type: Access violation exception
Sample code 1 (refer Sample MFC_1):
int* i = NULL; *i = 100;
Sample code 2 (format string with no matching arguments):
printf("%s%s%s%s%s%s%s%s%s%s");
Case Study - 2
Exception type: Stack Overflow
Sample code 1 (refer Sample MFC_1; a 1 GB local array on a 1 MB thread stack):
void TestMethod() { unsigned char Temp[1024*1024*1024]; }
Sample code 2 (unbounded recursion):
void TestMethod() { TestMethod(); }
Case Study - 3
Exception type: Divide by Zero
Sample code 1 (refer Sample MFC_1):
void TestMethod() { int nTemp = 100; nTemp = nTemp / (nTemp - nTemp); }
Case Study - 4
Exception type: High CPU usage
Sample code 1 (refer Sample MFC_2):
UINT ThreadProc1(LPVOID pParam_in) { while (1); return 1; }            // spins forever
UINT ThreadProc2(LPVOID pParam_in) { for (long i = 0; i < 200000; i++); return 1; }
UINT ThreadProc3(LPVOID pParam_in) { for (long i = 0; i < 900000; i++); return 1; }
Case Study - 5
Exception type: Deadlock
Sample code 1 (refer Sample MFC_3):
UINT ThreadProc1(LPVOID pParam_in) { CommonMethod(); return 1; }
UINT ThreadProc2(LPVOID pParam_in) { CommonMethod(); return 1; }
void CommonMethod()
{
    EnterCriticalSection(&CriticalSection);
    // LeaveCriticalSection(&CriticalSection);   // never released, so the second thread blocks forever
}
References
"Microsoft Windows Internals" by Mark Russinovich and David Solomon, 5th Edition
"Advanced Windows Debugging" by Mario Hewardt and Daniel Pravat
"Memory Dump Analysis Anthology" by Dmitry Vostokov
Any Questions?
Session - 2
Questions?
For more details, please contact:
http://www.linkedin.com/in/shanmugasundaramks
K.S. Shanmuga sundaram
Software Architect, Bangalore, India