Windbg managed objects poi for arrays first element, second element - windbg

I can use poi in WinDbg scripting to traverse the fields and then print the field I am interested in.
For example, if I have all objects of type X, which has a field X.y.z where z is an array, y is at offset 0x10 and z is at offset 0x8, I can write
.foreach (dSM { !dumpheap -short -type X })
{
    .printf "%p\n", poi(poi(${dSM}+0x10)+0x8);
    !dumparray poi(poi(${dSM}+0x10)+0x8)
}
Now I want to print the first/second element of all these arrays; how can I do that?
Using !do poi(poi(poi(${dSM}+0x10)+0x8)) does not work.
0:045> !DumpArray /d 000001d3b96787a8
Name: ABC[]
MethodTable: 00007ffc951e76e0
EEClass: 00007ffcf22f4480
Size: 56(0x38) bytes
Array: Rank 1, Number of elements 4, Type CLASS
Element Methodtable: 00007ffc951e6cc0
[0] 000001d3b9678788
[1] null
[2] null
[3] null
0:045> !dumpobj /d poi(000001d3b96787a8)
<Note: this object has an invalid CLASS field>
Invalid object
Array class is:
0:045> !DumpClass /d 00007ffcf22f4480
Class Name: System.Object[]
mdToken: 0000000002000000
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Parent Class: 00007ffcf22f5018
Module: 00007ffcf2221000
Method Table: 00007ffcf2949e80
Vtable Slots: 18
Total Method Slots: 1c
Class Attributes: 2101
Transparency: Transparent
NumInstanceFields: 0
NumStaticFields: 0

Given this program:
using System;

namespace WinDbgArrayAccess
{
    class Program
    {
        static void Main()
        {
            Program[] justAnArray = new Program[20];
            for (int i = 0; i < justAnArray.Length; i++) justAnArray[i] = new Program();
            Console.WriteLine("Access the elements of the array in WinDbg now!");
            Console.ReadLine();
        }
    }
}
You can see
0:006> !DumpArray /d 0336243c
Name: WinDbgArrayAccess.Program[]
MethodTable: 01914db0
EEClass: 71967820
Size: 92(0x5c) bytes
Array: Rank 1, Number of elements 20, Type CLASS
Element Methodtable: 01914d60
[0] 03362498
[1] 033624a4
[2] 033624b0
[3] 033624bc
[4] 033624c8
[5] 033624d4
...
Now you need to find those numbers somewhere in the memory. Since we hardly have a different starting point, let's start at the array's address:
0:006> dp 0336243c L10
0336243c 01914db0 00000014 03362498 033624a4
0336244c 033624b0 033624bc 033624c8 033624d4
0336245c 033624e0 033624ec 033624f8 03362504
0336246c 03362510 0336251c 03362528 03362534
Now, 01914db0 is the type of the object (called Method Table, MT). 0x14 is 0n20, which is the size of the array. And after that, it seems we have the elements, 03362498, 033624a4, 033624b0 etc.
How do we access that programmatically? Well, it's easy now:
0:006> .printf "%p",poi(0336243c+(2+3)*$ptrsize)
033624bc
Where 2 is to skip MT and Length and 3 is the index of the array, giving you the 4th element.
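
The layout the answer reads off the dp output (method table, 32-bit length, then the elements), as an added example that is not part of the original answer. It parses the raw bytes of a CLR array object for both bitnesses and builds the poi() expression the question was after. The x86 sample is the dp dump above, extended to all 20 elements (the objects are 0xc bytes apart in that dump); the x64 System.Byte[] sample and its method table are made up. The one layout fact it relies on is that on x64 the 4-byte length slot is padded to 8 bytes, which is why (2 + index) * $ptrsize reaches element index on both x86 and x64.

```python
import struct

# Added example (not from the original post): decode a CLR array object the
# way the answer above reads `dp` output, and emit the matching poi() expression.


def parse_clr_array(raw, ptrsize, elem_size=None):
    """Return (method_table, length, elements) from the bytes of an array object.

    raw       - bytes starting at the array object's address (what `db addr` shows)
    ptrsize   - 4 for x86, 8 for x64 (WinDbg's $ptrsize)
    elem_size - bytes per element; defaults to ptrsize (reference-type array)
    """
    if ptrsize not in (4, 8):
        raise ValueError("ptrsize must be 4 (x86) or 8 (x64)")
    if elem_size is None:
        elem_size = ptrsize
    pfmt = "<I" if ptrsize == 4 else "<Q"
    # Header = method-table pointer + length. The length is a 32-bit int, but on
    # x64 it is padded to a full pointer slot, so elements start at 2 * ptrsize.
    header = 2 * ptrsize
    if len(raw) < header:
        raise ValueError("buffer shorter than the array header")
    method_table = struct.unpack_from(pfmt, raw, 0)[0]
    length = struct.unpack_from("<I", raw, ptrsize)[0]
    available = (len(raw) - header) // elem_size
    if available < length:
        # Never trust a length read out of a dump: check it against what we hold.
        raise ValueError(f"length field says {length} elements, buffer holds {available}")
    widths = {1: "B", 2: "H", 4: "I", 8: "Q"}
    if elem_size in widths:
        elements = list(struct.unpack_from(f"<{length}{widths[elem_size]}", raw, header))
    else:
        elements = [bytes(raw[header + i * elem_size:header + (i + 1) * elem_size])
                    for i in range(length)]
    return method_table, length, elements


def element_expr(array_expr, index, ptrsize):
    """WinDbg expression for element `index` of a reference-type array.

    (2 + index) * ptrsize skips the method table and the (padded) length slot,
    so for the question's nested case, element 0 on x64 is poi(<array>+0x10).
    """
    return f"poi({array_expr}+{(2 + index) * ptrsize:#x})"


# Constructed x86 sample: the dp dump from the answer, extended to all 20 elements.
X86_SAMPLE = struct.pack("<II", 0x01914DB0, 20) + b"".join(
    struct.pack("<I", 0x03362498 + 0xC * i) for i in range(20))

# Constructed x64 sample: a 6-element System.Byte[] with a made-up method table.
# Note the 4 bytes of padding after the length ("4x").
X64_BYTE_SAMPLE = struct.pack("<QI4x", 0x00007FFC00001000, 6) + bytes(
    [0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01])


if __name__ == "__main__":
    mt, n, els = parse_clr_array(X86_SAMPLE, 4)
    print(f"MT={mt:08x} length={n} element[3]={els[3]:08x}")
    print(element_expr("0336243c", 3, 4))
    # The question's case: z is at poi(poi(${dSM}+0x10)+0x8) on x64.
    for i in (0, 1):
        print(element_expr("poi(poi(${dSM}+0x10)+0x8)", i, 8))
```

Run against the question's own script the two expressions come out as poi(poi(poi(${dSM}+0x10)+0x8)+0x10) and poi(poi(poi(${dSM}+0x10)+0x8)+0x18), which is what to hand to !do inside the .foreach. The length check matters when the bytes come from a corrupted or partially captured dump: a bogus length would otherwise have you dereferencing whatever follows the array.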

I was able to get the first 2 elements by going forward with the poi(poi(array+10)+8) and poi(poi(array+10)+10) offsets from the array
0:298> .foreach (obj { !DumpHeap -short -live -mt 00007ffc951e7ab8}) { .printf "%p\n", ${obj}; !mex.do2 poi(poi(poi(poi(${obj}+0x10)+0x8)+0x10)+0x8); !mex.do2 poi(poi(poi(poi(${obj}+0x10)+0x8)+0x10)+0x10); }
000001d379ac94a0
[raw] 000001d379ac8bc8 "XYZ_String"
[raw] 000001d379ac8c88 "XYZ_String_2"
000001d379e87168
[raw] 000001d379e86888 "ABCD_String"
[raw] 000001d379e86948 "ABCD_String_2"
000001d3b972a218


Convert Int64 array to Int8 in Julia gives InexactError: trunc(Int8, -9223372036854775808)

I am trying to convert part of a Julia df from Int64 to Int8.
input:
array = convert(Array{Int8} , array );
output:
InexactError: trunc(Int8, -9223372036854775808)
Stacktrace:
  [1] throw_inexacterror(f::Symbol, #unused#::Type{Int8}, val::Int64)
    @ Core ./boot.jl:612
  [2] checked_trunc_sint
    @ ./boot.jl:634 [inlined]
  [3] toInt8
    @ ./boot.jl:649 [inlined]
  [4] Int8
    @ ./boot.jl:759 [inlined]
  [5] convert
    @ ./number.jl:7 [inlined]
  [6] setindex!
    @ ./array.jl:903 [inlined]
  [7] _unsafe_copyto!(dest::Vector{Int8}, doffs::Int64, src::Vector{Int64}, soffs::Int64, n::Int64)
    @ Base ./array.jl:253
  [8] unsafe_copyto!
    @ ./array.jl:307 [inlined]
  [9] _copyto_impl!
    @ ./array.jl:331 [inlined]
 [10] copyto!
    @ ./array.jl:317 [inlined]
 [11] copyto!
    @ ./array.jl:343 [inlined]
 [12] copyto_axcheck!
    @ ./abstractarray.jl:1104 [inlined]
 [13] Vector{Int8}(x::Vector{Int64})
    @ Base ./array.jl:563
 [14] Array
    @ ./boot.jl:482 [inlined]
 [15] convert(#unused#::Type{Array{Int8}}, a::Vector{Int64})
    @ Base ./array.jl:554
 [16] top-level scope
    @ In[62]:1
 [17] eval
    @ ./boot.jl:373 [inlined]
 [18] include_string(mapexpr::typeof(REPL.softscope), mod::Module, code::String, filename::String)
    @ Base ./loading.jl:1196
Also:
Input:
maximum(array)
output:
11
So the biggest value in this is under 255, which is the max size of Int8.
thanks,
Bene
While the maximum value in your data is 11, the minimum value in your data is -9223372036854775808, also known as typemin(Int64), which cannot be converted to Int8 since that type can only represent values from -128 to 127.
Sometimes the typemin value in the array is used to indicate a null value or a missing value. This isn't the best practice in Julia, but it's possible your data source is using the value this way.
Say you have an array arr:
julia> arr = [1, 2, typemin(Int), 4]
4-element Vector{Int64}:
1
2
-9223372036854775808
4
If the typemin value is supposed to indicate missing data, you can do:
julia> [n == typemin(Int) ? missing : Int8(n) for n in arr]
4-element Vector{Union{Missing, Int8}}:
1
2
missing
4
Or if it's supposed to indicate null/invalid data, you can use nothing instead of missing above.

Stacktrace of an inner exception

The w3wp process hosting my .NET application is crashing at random times. I have collected a dump file by setting up a second-chance exception rule using DebugDiag. Here are the steps I have performed.
The .lastevent command shows a .NET exception.
0:027> .lastevent
Last event: 1ae4.2e98: CLR exception - code e0434352 (first/second chance not available)
The stack trace of this thread looks as follows,
0:027> !CLRStack
OS Thread Id: 0x2e98 (68)
Child SP IP Call Site
000000266c1bab18 00007fff6e5d95fc [HelperMethodFrame: 000000266c1bab18]
000000266c1bac00 00007fff5cb38afb System.Runtime.Fx+IOCompletionThunk.UnhandledExceptionFrame(UInt32, UInt32, System.Threading.NativeOverlapped*)
000000266c1bcb48 00007fff6657120d [HelperMethodFrame: 000000266c1bcb48]
000000266c1bcc30 00007fff5cb359b5 System.Runtime.AsyncResult.Complete(Boolean)
000000266c1bea00 00007fff6657120d [FaultingExceptionFrame: 000000266c1bea00]
000000266c1bef00 00007fff5bca63a5 System.Web.HttpApplication+AsyncEventExecutionStep.OnAsyncEventCompletion(System.IAsyncResult)
000000266c1bef60 00007fff5cb3586c System.Runtime.AsyncResult.Complete(Boolean)
000000266c1befd0 00007fff570da192 System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(System.Object)
000000266c1bf020 00007fff5cb38b63 System.Runtime.IOThreadScheduler+ScheduledOverlapped.IOCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
000000266c1bf090 00007fff5cb38ac7 System.Runtime.Fx+IOCompletionThunk.UnhandledExceptionFrame(UInt32, UInt32, System.Threading.NativeOverlapped*)
000000266c1bf0f0 00007fff650a045c System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*) [f:\dd\ndp\clr\src\BCL\system\threading\overlapped.cs # 135]
000000266c1bf2a0 00007fff66416793 [GCFrame: 000000266c1bf2a0]
000000266c1bf498 00007fff66416793 [DebuggerU2MCatchHandlerFrame: 000000266c1bf498]
000000266c1bf628 00007fff66416793 [ContextTransitionFrame: 000000266c1bf628]
000000266c1bf858 00007fff66416793 [DebuggerU2MCatchHandlerFrame: 000000266c1bf858]
The !pe command shows a callback exception
0:027> !pe
Exception object: 0000002552364d38
Exception type: System.Runtime.CallbackException
Message: Async Callback threw an exception.
InnerException: System.NullReferenceException, Use !PrintException 0000002552364ae8 to see more.
StackTrace (generated):
SP IP Function
000000266C1BCC30 00007FFF5CB359B5 System_ServiceModel_Internals_ni!System.Runtime.AsyncResult.Complete(Boolean)+0x235
000000266C1BEFD0 00007FFF570DA192 System_ServiceModel_Activation_ni!System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(System.Object)+0x92
000000266C1BF020 00007FFF5CB38B63 System_ServiceModel_Internals_ni!System.Runtime.IOThreadScheduler+ScheduledOverlapped.IOCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x53
000000266C1BF090 00007FFF5CB38AFB System_ServiceModel_Internals_ni!System.Runtime.Fx+IOCompletionThunk.UnhandledExceptionFrame(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x6b
000000266C1BF0F0 00007FFF650A045C mscorlib_ni!System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x7c
StackTraceString: <none>
HResult: 80131501
There are nested exceptions on this thread. Run with -nested for details
Per output of previous command, I look for nested exceptions
0:027> !PrintException -nested /d 0000002552364ae8
Exception object: 0000002552364ae8
Exception type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
InnerException: <none>
StackTrace (generated):
SP IP Function
000000266C1BEF00 00007FFF5BCA63A5 System_Web_ni!System.Web.HttpApplication+AsyncEventExecutionStep.OnAsyncEventCompletion(System.IAsyncResult)+0x55
000000266C1BEF60 00007FFF5CB3586C System_ServiceModel_Internals_ni!System.Runtime.AsyncResult.Complete(Boolean)+0xec
StackTraceString: <none>
HResult: 80004003
Nested exception -------------------------------------------------------------
Exception object: 0000002552364d38
Exception type: System.Runtime.CallbackException
Message: Async Callback threw an exception.
InnerException: System.NullReferenceException, Use !PrintException 0000002552364ae8 to see more.
StackTrace (generated):
SP IP Function
000000266C1BCC30 00007FFF5CB359B5 System_ServiceModel_Internals_ni!System.Runtime.AsyncResult.Complete(Boolean)+0x235
000000266C1BEFD0 00007FFF570DA192 System_ServiceModel_Activation_ni!System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(System.Object)+0x92
000000266C1BF020 00007FFF5CB38B63 System_ServiceModel_Internals_ni!System.Runtime.IOThreadScheduler+ScheduledOverlapped.IOCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x53
000000266C1BF090 00007FFF5CB38AFB System_ServiceModel_Internals_ni!System.Runtime.Fx+IOCompletionThunk.UnhandledExceptionFrame(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x6b
000000266C1BF0F0 00007FFF650A045C mscorlib_ni!System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x7c
StackTraceString: <none>
HResult: 80131501
My next step is to find the stack trace for that NullReferenceException
0:027> !do 0000002552364ae8
Name: System.NullReferenceException
MethodTable: 00007fff652865a0
EEClass: 00007fff64c3f180
Size: 160(0xa0) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007fff65276948 400028e 8 System.String 0 instance 000000244f54d350 _className
00007fff6528f6b8 400028f 10 ...ection.MethodBase 0 instance 0000002552366f58 _exceptionMethod
00007fff65276948 4000290 18 System.String 0 instance 0000000000000000 _exceptionMethodString
00007fff65276948 4000291 20 System.String 0 instance 000000244bf27668 _message
00007fff65286788 4000292 28 ...tions.IDictionary 0 instance 00000025523751a8 _data
00007fff65276b78 4000293 30 System.Exception 0 instance 0000000000000000 _innerException
00007fff65276948 4000294 38 System.String 0 instance 0000000000000000 _helpURL
00007fff65276f28 4000295 40 System.Object 0 instance 0000002552364cc0 _stackTrace
00007fff65276f28 4000296 48 System.Object 0 instance 0000000000000000 _watsonBuckets
00007fff65276948 4000297 50 System.String 0 instance 0000000000000000 _stackTraceString
00007fff65276948 4000298 58 System.String 0 instance 0000000000000000 _remoteStackTraceString
00007fff65279288 4000299 88 System.Int32 1 instance 0 _remoteStackIndex
00007fff65276f28 400029a 60 System.Object 0 instance 0000000000000000 _dynamicMethods
00007fff65279288 400029b 8c System.Int32 1 instance -2147467261 _HResult
00007fff65276948 400029c 68 System.String 0 instance 000000255242ce60 _source
00007fff6528fbc0 400029d 78 System.IntPtr 1 instance 0 _xptrs
00007fff65279288 400029e 90 System.Int32 1 instance -532462766 _xcode
00007fff65250340 400029f 80 System.UIntPtr 1 instance 7fff5bca63a4 _ipForWatsonBuckets
00007fff65265538 40002a0 70 ...ializationManager 0 instance 0000002552364c40 _safeSerializationManager
00007fff65276f28 400028d b8 System.Object 0 shared static s_EDILock
>> Domain:Value 000000244acba390:NotInit 000000267072bd80:NotInit <<
Here I attempt to get the stack trace of the NullReferenceException. This looks like an SByte array.
0:027> !do 0000002552364cc0
Name: System.SByte[]
MethodTable: 00007fff65202b20
EEClass: 00007fff64c34f60
Size: 120(0x78) bytes
Array: Rank 1, Number of elements 96, Type SByte (Print Array)
Content: ........0Qkv&....c.[.......l&...x..[............kX.\....`..l&...`..\............................
Fields:
None
My expectation is to get a stacktrace/details of what method/line of code/object is responsible for causing this null reference. I also attempt to dump the contents of SByte array but that doesn't provide me any useful information. Any suggestions on how can I get more information about this NullReferenceException?
First of all, I think that !pe -nested already shows the call stack that you're looking for:
0:027> !PrintException -nested /d 0000002552364ae8
[...]
StackTrace (generated):
SP IP Function
000000266C1BEF00 00007FFF5BCA63A5 System_Web_ni!System.Web.HttpApplication+AsyncEventExecutionStep.OnAsyncEventCompletion(System.IAsyncResult)+0x55
000000266C1BEF60 00007FFF5CB3586C System_ServiceModel_Internals_ni!System.Runtime.AsyncResult.Complete(Boolean)+0xec
[...]
Next, a stack trace is exactly what you see in that SByte[]: it's just a bunch of numbers.
Those numbers get their meaning only together with PDB files. The PDB file contains the information to turn numbers into names.
Have a look at the values in the SP column and IP column. They are:
000000266C1BEF00
000000266C1BEF60
00007FFF5BCA63A5
00007FFF5CB3586C
And now, use a converter that converts those values into text:
You'll find that the printable characters resemble those of the output shown for the SByte[] by WinDbg:
0:027> !do 0000002552364cc0
[...]
Content: ........0Qkv&....c.[.......l&...x..[............kX.\....`..l&...`..\............................
The order may be different due to little/big-endianness.
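
The answer's point that the SByte[] is the stack trace as raw numbers, carried through as an added example that is not part of the original answer. The byte layout it assumes is the CLR's own ArrayHeader (frame count, keep-alive reference) followed by one StackTraceElement (ip, sp, pFunc, flags) per frame, padded to pointer size; that is taken from the CLR source for the .NET Framework 4.x runtime shown above and should be checked against your runtime version. The sample buffer is constructed: the two IP/SP pairs are the ones printed by !pe -nested on this page, the keep-alive reference and the pFunc pointers are made up, and the trailing 16 bytes stand in for the spare capacity that makes the page's array 96 bytes.

```python
import struct
from collections import namedtuple

# Added example (not from the original post): decode a CLR Exception._stackTrace
# byte array into frames and turn each frame into the SOS command that names it.

Frame = namedtuple("Frame", "ip sp pfunc flags")


def parse_stack_trace_array(raw, ptrsize=8):
    """Decode the bytes of an Exception._stackTrace array into Frame tuples.

    Assumed layout (CLR ArrayHeader + StackTraceElement; verify for your runtime):
      header : size_t frame_count, OBJECTREF keep_alive          (2 pointers)
      frame  : UINT_PTR ip, UINT_PTR sp, MethodDesc* pFunc, INT flags, padding
               (4 pointer-sized slots: 16 bytes on x86, 32 bytes on x64)
    """
    if ptrsize not in (4, 8):
        raise ValueError("ptrsize must be 4 (x86) or 8 (x64)")
    pfmt = "I" if ptrsize == 4 else "Q"
    header = 2 * ptrsize
    elem = 4 * ptrsize
    if len(raw) < header:
        raise ValueError("buffer shorter than the array header")
    count = struct.unpack_from("<" + pfmt, raw, 0)[0]
    if header + count * elem > len(raw):
        # A frame count larger than the buffer means a corrupt or mis-sized dump.
        raise ValueError(f"frame count {count} does not fit in {len(raw)} bytes")
    frames = []
    for i in range(count):
        off = header + i * elem
        ip, sp, pfunc = struct.unpack_from("<3" + pfmt, raw, off)
        flags = struct.unpack_from("<I", raw, off + 3 * ptrsize)[0]
        frames.append(Frame(ip, sp, pfunc, flags))
    return frames


def sos_commands(frames):
    """SOS commands that resolve each frame: !ip2md maps a code address to its method."""
    return [f"!ip2md {f.ip:#x}" for f in frames]


# Constructed sample: the two frames !pe -nested printed for the NullReferenceException
# above, wrapped in the assumed header, plus 16 bytes of unused capacity (96 bytes total).
SAMPLE_X64 = (
    struct.pack("<QQ", 2, 0x0000026676B55130)                      # count=2, keep-alive (made up)
    + struct.pack("<QQQI4x", 0x00007FFF5BCA63A5, 0x000000266C1BEF00, 0x00007FFF5BC00000, 0)
    + struct.pack("<QQQI4x", 0x00007FFF5CB3586C, 0x000000266C1BEF60, 0x00007FFF5CB00000, 0)
    + bytes(16)
)

if __name__ == "__main__":
    for frame, cmd in zip(parse_stack_trace_array(SAMPLE_X64), sos_commands(SAMPLE_X64 and parse_stack_trace_array(SAMPLE_X64))):
        print(f"ip={frame.ip:016x} sp={frame.sp:016x}  ->  {cmd}")
```

To feed it real bytes, dump the array contents from the debugger (on x64 they start 0x10 past the SByte[] address, after the method table and padded length), for example with .writemem trace.bin <addr>+0x10 L?0x60, then read the file and pass it in. Each !ip2md the function prints resolves a frame to a MethodDesc and method name inside SOS, which is the same mapping !pe performs when it prints the "StackTrace (generated)" table; for native frames you still need the matching PDBs, as the answer says.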

!dumpobj in windbg,what does Domain:Value dynamic statics NYI 002a8428:NotInit mean?

When I use WinDbg !do to view an address, it outputs:
0:000> !do 01ef30f4
Name: System.Collections.Generic.List`1[[System.Byte[], mscorlib]]
MethodTable: 0021285c
EEClass: 6313a530
Size: 24(0x18) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
633b70a0 4000ca6 4 System.Object[] 0 instance 01eed1b8 _items
63402df0 4000ca7 c System.Int32 1 instance 0 _size
63402df0 4000ca8 10 System.Int32 1 instance 0 _version
633ffa60 4000ca9 8 System.Object 0 instance 00000000 _syncRoot
633b70a0 4000caa 0 System.Object[] 0 shared static _emptyArray
>> Domain:Value dynamic statics NYI 002a8428:NotInit <<
What's the meaning of Domain:Value dynamic statics NYI 002a8428:NotInit?
For static fields, !do displays the static field's value in each AppDomain you have. The first value, 002a8428, is the AppDomain address, and the second value is the static field's value in that AppDomain.

Use WinDbg to Write Contents of Managed Byte[] to File

I have a crash dump from a production server that shows an OutOfMemoryException. The exception itself is not relevant here.
I happened to run a !dso to view the stack objects:
0:042> !dso
OS Thread Id: 0x1014 (42)
ESP/REG Object Name
246eeb24 109a21bc System.UnhandledExceptionEventHandler
246eeb2c 39083998 System.Runtime.Remoting.Proxies.__TransparentProxy
246eeb34 39083b5c System.UnhandledExceptionEventArgs
246eeb48 39073280 System.Byte[]
246eec10 2e720050 System.OutOfMemoryException
[snip]
246ef250 0ac1c4d0 System.IO.MemoryStream <-- interesting
I thought the MemoryStream might have something to do with the error, so I dumped it:
0:042> !do 0ac1c4d0
Name: System.IO.MemoryStream
MethodTable: 7932d5e4
EEClass: 790ec318
Size: 52(0x34) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
Fields:
MT Field Offset Type VT Attr Value Name
7933061c 400018a 4 System.Object 0 instance 00000000 __identity
7992cbcc 4001b6c 8 ...ream+ReadDelegate 0 instance 00000000 _readDelegate
7992cc58 4001b6d c ...eam+WriteDelegate 0 instance 00000000 _writeDelegate
7931bd9c 4001b6e 10 ...ng.AutoResetEvent 0 instance 00000000 _asyncActiveEvent
79332c4c 4001b6f 14 System.Int32 1 instance 1 _asyncActiveCount
7932e6fc 4001b6b 574 System.IO.Stream 0 shared static Null
>> Domain:Value 000dc0f0:NotInit 00109d58:109b6abc <<
79333470 4001c16 18 System.Byte[] 0 instance 50710038 _buffer
79332c4c 4001c17 1c System.Int32 1 instance 0 _origin
79332c4c 4001c18 20 System.Int32 1 instance 56071048 _position
79332c4c 4001c19 24 System.Int32 1 instance 56071048 _length
79332c4c 4001c1a 28 System.Int32 1 instance 67108864 _capacity
793044cc 4001c1b 2c System.Boolean 1 instance 1 _expandable
793044cc 4001c1c 2d System.Boolean 1 instance 1 _writable
793044cc 4001c1d 2e System.Boolean 1 instance 1 _exposable
793044cc 4001c1e 2f System.Boolean 1 instance 1 _isOpen
Wow, a 56,071,048 byte buffer seems a bit large. I'd like to see the contents of this buffer:
0:042> !do 50710038
Name: System.Byte[]
MethodTable: 79333470
EEClass: 790eeb6c
Size: 67108876(0x400000c) bytes
Array: Rank 1, Number of elements 67108864, Type Byte
Element Type: System.Byte
Fields:
None
The first 10 elements of the array are below:
0:042> !dumparray -start 0 -length 10 50710038
Name: System.Byte[]
MethodTable: 79333470
EEClass: 790eeb6c
Size: 67108876(0x400000c) bytes
Array: Rank 1, Number of elements 67108864, Type Byte
Element Methodtable: 79333520
[0] 50710040
[1] 50710041
[2] 50710042
[3] 50710043
[4] 50710044
[5] 50710045
[6] 50710046
[7] 50710047
[8] 50710048
[9] 50710049
This is a huge array. I'd rather not !dumparray the whole thing. I'd like to view the output in a file.
Question
Is it possible to dump the contents of this Byte[] to a file?
I am familiar with the .writemem command, but I can't seem to get this to work. I've tried writing the entire length, but WinDbg didn't like that:
0:042> .writemem C:\LargeBuffer.bin 50710040 L56071048
^ Range error in '.writemem C:\LargeBuffer.bin 50710040 l56071048'
Did I format that .writemem command incorrectly?
The L modifier for ranges is limited in size. If you want to get around the limit use the L? range modifier. The following command worked for me:
0:000> !do 0x04cc1000
Name: System.Byte[]
MethodTable: 68374944
EEClass: 680aaf1c
Size: 67108876(0x400000c) bytes
Array: Rank 1, Number of elements 67108864, Type Byte
Element Type:System.Byte
Content: ................................................................................................................................
Fields:
None
0:000> .writemem c:\temp\array.bin 0x04cc1000 L?0x400000c
Writing 400000c bytes
This is what worked for me:
.foreach($str {!DumpHeap /d -mt 00007ff890e96948 -min 0n126500 -short}){r#$t0= dwo(${$str}+8)*2;.writemem e:\temp\str\${$str}.txt ${$str}+c L? #$t0}

Need help identifying and computing a number representation

I need help identifying the following number format.
For example, the following number format in MIB:
0x94 0x78 = 2680
0x94 0x78 in binary: [1001 0100] [0111 1000]
It seems that if the MSB is 1, it means another character follows it. And if it is 0, it is the end of the number.
So the value 2680 is [001 0100] [111 1000], formatted properly is [0000 1010] [0111 1000]
What is this number format called and what's a good way for computing this besides bit manipulation and shifting to a larger unsigned integer?
I have seen this called either 7bhm (7-bit has-more) or VLQ (variable length quantity); see http://en.wikipedia.org/wiki/Variable-length_quantity
This is stored big-endian (most significant byte first), as opposed to the C# BinaryReader.Read7BitEncodedInt method described at Encoding an integer in 7-bit format of C# BinaryReader.ReadString
I am not aware of any method of decoding other than bit manipulation.
Sample PHP code can be found at
http://php.net/manual/en/function.intval.php#62613
or in Python I would do something like
def encode_7bhm(i):
    # Big-endian 7-bit "has more" encoding: the high bit is set on every
    # byte except the last, most significant group first.
    o = [i & 0x7f]
    i //= 128
    while i > 0:
        o.insert(0, 0x80 | (i & 0x7f))
        i //= 128
    return bytes(o)

def decode_7bhm(s):
    o = 0
    for v in s:
        o = 128 * o + (v & 0x7f)
        if v & 0x80 == 0:
            # found end of encoded value
            break
    else:
        # out of bytes, and end not found - error!
        raise TypeError
    return o
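
The decoder above stops at the first byte without the high bit, but it will happily keep shifting for as long as continuation bytes arrive, so a hostile or corrupted stream can grow the value without bound. The added example below (not part of the original answer) bounds both byte orders the answer mentions: the big-endian form used in the question's MIB data and the little-endian form of C# BinaryReader.Read7BitEncodedInt. It also goes one step beyond the page: the same big-endian encoding is how a BER-encoded OBJECT IDENTIFIER packs its sub-identifiers, with the first byte carrying the first two arcs as 40*a+b, and a small helper decodes such a byte string. The OID bytes are constructed for the example.

```python
# Added example (not from the original answer): bounded VLQ / 7-bit "has more"
# decoders in both byte orders, with round-trip encoders and a BER OID reader.

MAX_GROUPS_32 = 5  # ceil(32 / 7): any uint32 fits in five 7-bit groups


def decode_vlq_be(buf, offset=0, max_groups=MAX_GROUPS_32, max_bits=32):
    """Big-endian VLQ (MIB/BER/MIDI style): most significant group first.

    Returns (value, bytes_consumed). Raises ValueError for truncated input,
    for more than max_groups continuation bytes, or for a value over max_bits.
    """
    value = 0
    for n in range(max_groups):
        if offset + n >= len(buf):
            raise ValueError("truncated VLQ")
        b = buf[offset + n]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if value >> max_bits:
                raise ValueError(f"VLQ exceeds {max_bits} bits")
            return value, n + 1
    raise ValueError(f"VLQ longer than {max_groups} bytes")


def decode_vlq_le(buf, offset=0, max_groups=MAX_GROUPS_32, max_bits=32):
    """Little-endian variant (C# BinaryReader.Read7BitEncodedInt): least
    significant group first. Same return value and error behaviour as above."""
    value = 0
    shift = 0
    for n in range(max_groups):
        if offset + n >= len(buf):
            raise ValueError("truncated VLQ")
        b = buf[offset + n]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            if value >> max_bits:
                raise ValueError(f"VLQ exceeds {max_bits} bits")
            return value, n + 1
    raise ValueError(f"VLQ longer than {max_groups} bytes")


def encode_vlq_be(value):
    """Inverse of decode_vlq_be for non-negative integers."""
    if value < 0:
        raise ValueError("VLQ encodes non-negative integers only")
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(groups)


def encode_vlq_le(value):
    """Inverse of decode_vlq_le for non-negative integers."""
    if value < 0:
        raise ValueError("VLQ encodes non-negative integers only")
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_oid_arcs(buf):
    """Split BER OID content bytes into arcs; the first byte holds 40*a+b
    (a is 0, 1 or 2; for a == 2 the remainder is b). Each later arc is a
    big-endian VLQ, exactly the format in the question."""
    arcs = []
    offset = 0
    while offset < len(buf):
        v, n = decode_vlq_be(buf, offset)
        offset += n
        if not arcs:
            arcs.extend(divmod(v, 40) if v < 80 else (2, v - 80))
        else:
            arcs.append(v)
    return arcs


# Constructed sample: OID content bytes for 1.3.6.1.4.1.2680, whose last arc
# is the 0x94 0x78 pair from the question.
OID_SAMPLE = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x94, 0x78])

if __name__ == "__main__":
    print(decode_vlq_be(b"\x94\x78"), decode_vlq_le(b"\xf8\x14"))
    print(decode_oid_arcs(OID_SAMPLE))
```

The same value encodes as 94 78 big-endian but F8 14 little-endian, which is why the answer's distinction matters when the bytes come from a .NET BinaryWriter rather than a MIB. The max_groups and max_bits limits are the part to keep when reusing this on untrusted input: without them five bytes of 0x80 followed by more continuation bytes is a loop the attacker controls, and a value wider than the integer you store it in is a truncation bug.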