We Keep Coding

The meaning of "Wait Start TickCount" and "Ticks" in dump file

When I use WinDBG to analyse a kernel model dump file, I can get the information of certain thread. But there are some items that confuse me.
So please help me understand the meaning of the following keywords. Thank you.
Wait Start TickCount
Ticks
UserTime
KernelTime
Here is one example.
THREAD b6b48908 Cid 1038.10b0 Teb: 7ffac000 Win32Thread: fd517868 WAIT: (WrUserRequest) UserMode Non-Alertable
b5700630 SynchronizationEvent
IRP List:
b6ae6ab8: (0006,01d8) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap 95bd9310
Owning Process b5614788 Image: iexplore.exe
Attached Process N/A Image: N/A
Wait Start TickCount 27465609 Ticks: 109779 (0:00:28:32.563)
Context Switch Count 38627
UserTime 00:00:00.717
KernelTime 00:00:00.421
Win32 Start Address 0x6a6439a0
Stack Init b8b7ded0 Current b8b7d8e0 Base b8b7e000 Limit b8b7b000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
b8b7d8f8 8328aefd b6b48908 8333d008 83339e20 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
b8b7d930 83289d57 b5700630 b6b48908 b6b489ec nt!KiSwapThread+0x266
b8b7d958 83285af4 b6b48908 b6b489c8 00000000 nt!KiCommitThreadWait+0x1df
b8b7dad4 94bac293 00000001 b8b7db0c 00000001 nt!KeWaitForMultipleObjects+0x535
b8b7db44 94bac06c 000025ff 00000000 00000001 win32k!xxxRealSleepThread+0x20b (FPO: [SEH])
b8b7db60 94ba90b4 000025ff 00000000 00000001 win32k!xxxSleepThread+0x2d (FPO: [3,0,0])
b8b7dbb8 94bac685 b8b7dbe8 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x4b2 (FPO: [SEH])
b8b7dc1c 83249dc6 0295c7dc 00000000 00000000 win32k!NtUserGetMessage+0x4d (FPO: [SEH])
b8b7dc1c 77366bf4 0295c7dc 00000000 00000000 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame # b8b7dc34)
0295c790 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

Wait Start TickCount is the computer internal time representation of when the Thread started waiting, i.e. when it changed from state "running" to state "waiting".
Ticks is the difference from Wait Start TickCount to now. These values may affect thread scheduling (together with others, such as the priorities).
Usertime is the amount of time the thread had a call stack with user mode functions on top.
Kerneltime is the amount of time the thread had a call stack with kernel mode functions on top. This should correspond to the values displayed by !runaway in user mode debugging. Both times do not include waiting time, just the actual running time when the thread was really executing CPU instructions.

Using Getaddrinfo() and SendTo() on Socket UDP fails - Segmentation fault (core dumped)

After I start using getaddrinfo() to retrieve dynamic IP addresses, the sendTo() of my socket no longer works and returns error "Segmentation fault (core dumped)". Why is that happening, is there any initialization or memory allocation missing in my codes please? I've tried quite a while but haven't figured out the reason. Any help would be really appreciated!
Here is the portion of codes :
// variables declaration
int s;
struct sockaddr_in si_other;
struct addrinfo hints;
struct addrinfo *result, *rp;
char *hostname = "localhost";
const char* portnum = "8000";
// settings of hints
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */
hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */
hints.ai_flags = 0;
hints.ai_protocol = 0;
hints.ai_flags = AI_NUMERICSERV;
// resolve dynamically IP adress by getaddrinfo()
s = getaddrinfo(hostname, NULL, &hints, &result);
if (s != 0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(s));exit(EXIT_FAILURE);
}
// create socket s
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
}
// loop for sending m x struct ECA_message_t
int m=0;
for (; m<NbMesPerFile; ++m)
{
ECA_message_t* ECA_paquet;
ECA_paquet=(ECA_message_t*)malloc(sizeof(ECA_message_t)*2400);
// 2400 to workaround some not understood memory issue and make sendto() to
// work
// function initializing ECA_paquet
Client_update_ECA_data(ECA_paquet,m);
if (sendto(s, ECA_paquet, sizeof(ECA_paquet)*2400, 0 ,(struct
sockaddr*)&si_other,slen)==-1)
{
perror("sendto()");
}
}
To add details to my struct, and to find why my malloc(sizeof(ECA_message_t) goes wrong, please see below the codes for struct ECA_message_t :
typedef struct{
unsigned int version:2;
unsigned int p:1;
unsigned int x:1;
unsigned int cc:4;
unsigned int m:1;
unsigned int pt:7;
unsigned int seq:16;
u_int32_t timestamp;
u_int32_t ssrc;
u_int32_t csrc;
} RTP_header_t; // 16 bytes
typedef struct {
unsigned int version:2;
unsigned int reserved_1:6;
unsigned int reserved_2:8;
unsigned int number_sample:16;
}ECA_header_t; // 4 bytes
typedef struct {
//every line composed of 6 values, 2 byte per value, all signed
int32_t v_phase_1;
int32_t v_phase_2;
int32_t v_phase_3;
int32_t i_phase_1;
int32_t i_phase_2;
int32_t i_phase_3;
}ECA_payload_t; // 12 bytes
typedef struct {
RTP_header_t rtp_header;
ECA_header_t eca_header;
ECA_payload_t eca_payload[MAX_ECA_SAMPLES]; // MAX_ECA_SAMPLES of 100
}ECA_message_t; // 1220 bytes
Here is the Aborted (Core dumpted) Back trace message :
*** glibc detected *** ./clientUDPIniDyn: double free or corruption (!prev): 0x081768c8 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb7642ee2]
./clientUDPIniDyn[0x804896b]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75e64d3]
./clientUDPIniDyn[0x80486b1]
======= Memory map: ========
08048000-0804a000 r-xp 00000000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
0804a000-0804b000 r--p 00001000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
0804b000-0804c000 rw-p 00002000 08:01 1319522 /home/lin/ULB/Memoire/Client_Server
/Server/clientUDPIniDyn
08176000-08197000 rw-p 00000000 00:00 0 [heap]
b7589000-b75a5000 r-xp 00000000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75a5000-b75a6000 r--p 0001b000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75a6000-b75a7000 rw-p 0001c000 08:05 264147 /lib/i386-linux-gnu/libgcc_s.so.1
b75bf000-b75ca000 r-xp 00000000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75ca000-b75cb000 r--p 0000a000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75cb000-b75cc000 rw-p 0000b000 08:05 293796 /lib/i386-linux-gnu/libnss_files-
2.15.so
b75cc000-b75cd000 rw-p 00000000 00:00 0
b75cd000-b7770000 r-xp 00000000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7770000-b7771000 ---p 001a3000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7771000-b7773000 r--p 001a3000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7773000-b7774000 rw-p 001a5000 08:05 293791 /lib/i386-linux-gnu/libc-2.15.so
b7774000-b7777000 rw-p 00000000 00:00 0
b778d000-b7791000 rw-p 00000000 00:00 0
b7791000-b7792000 r-xp 00000000 00:00 0 [vdso]
b7792000-b77b2000 r-xp 00000000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
b77b2000-b77b3000 r--p 0001f000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
b77b3000-b77b4000 rw-p 00020000 08:05 293804 /lib/i386-linux-gnu/ld-2.15.so
bfbad000-bfbce000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)

Here are fixed codes, no more segmentation fault by using calloc()
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); // socket creation
ECA_message_t* ECA_paquet;
ECA_paquet=calloc(NbMesPerFile, sizeof(* ECA_paquet)); // calloc to assign table [NbMesPerFile] length bloc memory for my struct EA_message_t
// sending m paquets of my struct
int m=0;
for (; m<NbMesPerFile; ++m)
{
Client_update_ECA_data(ECA_paquet,m); //update the ECA data paquet
if (sendto(s,ECA_paquet, sizeof(*ECA_paquet) ,0, rp->ai_addr,rp->ai_addrlen)==-1) // send data ECA data pointed by ECA_paquet
{
perror("sendto()");
}
}
}

// create socket s
for (rp = result; rp != NULL; rp = rp->ai_next)
{
s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
}
You are leaking filedescriptors (sockets) here. With every iteration of the loop s is reassigned. And the previous value of s is lost. (I don't know how long your linked list is)
// loop for sending m x struct ECA_message_t
int m=0;
for (; m<NbMesPerFile; ++m)
{
ECA_message_t* ECA_paquet;
ECA_paquet=(ECA_message_t*)malloc(sizeof(ECA_message_t)*2400);
// 2400 to workaround some not understood memory issue and make sendto() to
// work
// function initializing ECA_paquet
Client_update_ECA_data(ECA_paquet,m);
if (sendto(s, ECA_paquet, sizeof(ECA_paquet)*2400, 0 ,(struct
sockaddr*)&si_other,slen)==-1)
{
perror("sendto()");
}
}
You are leaking memory here. With every iteration of the loop ECA_paquet is reassigned. And the previous value of ECA_paquet is lost. Forever. (I don't know how large NbMesPerFile is)
(this is probably not the cause of your segfault, but it at least indicates substandard quality) You should also not cast the return value of malloc(), (+ #include <stdlib.h>, , plus check malloc()s return value. And turn up the warning level of your compiler.

Access violation while running app via windbg

My application get access violation sometimes.
I runned application through windbg, and it stopped in the following function .
also tried _vscprintf instead of vsnprintf, and the result was same.
I 'm newbie about windbg.
Any help will be appreciated.
int tsk_sprintf_2(char** str, const char* format, va_list* ap)
{
int len = 0;
va_list ap2;
ap2 = *ap;
len = vsnprintf(0, 0, format, *ap); /*-> access violation in this point! */
*str = (char*)calloc(1, len+1);
vsnprintf(*str, len, format, ap2);
va_end(ap2);
return len;
}
==> the following are the result from windbg
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x5b8 (22)
Current frame:
ChildEBP RetAddr Caller, Callee
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 1026d3d8 to 102e14cf
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
1d3cde7c 1026d3d8 1d3cdea8 0898eeeb 00000000 MSVCR100D!vcwprintf_s_l+0x52ef
1d3cded0 1026d46c 00000000 00000000 0898ee88 MSVCR100D!vsnprintf_l+0x158
1d3cdeec 0834d927 00000000 00000000 0898ee88 MSVCR100D!vsnprintf+0x1c
1d3cdfe8 1002891e 1d3ce0d0 0898ee88 1d3ce1e4 tinySAK!tsk_sprintf_2+0x57
1d3ce0f0 10028b77 09a16fe8 0898ee88 00000000 tinyWRAP!debug_xxx_cb+0x6e
1d3ce1ec 088b697b 09a16fe8 0898ee88 00000444 tinyWRAP!DDebugCallback::debug_info_cb+0x37
1d3cffb4 7c80b713 1cd10f90 1d2cfb44 7c947d9a tinyNET!tnet_transport_mainthread+0x1adb
1d3cffec 00000000 088a2aff 1cd10f90 00000000 KERNEL32!GetModuleFileNameA+0x1b4
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcr100d!vcwprintf_s_l+52ef
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MSVCR100D
IMAGE_NAME: MSVCR100D.dll
STACK_COMMAND: ~22s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_MSVCR100D.dll!vcwprintf_s_l
WATSON_STAGEONE_URL:
Followup: MachineOwner
---------
route.

You're attempting to print into a NULL pointer: len = vsnprintf(0, 0, format, *ap);; of course, it will crash. Send a valid address of output buffer as the first parameter and valid length as second.

How do I read buffer data retrieved from sysctlbyname() in iPhone?

I'm trying to get TCP open port list in iphone by using sysctlbyname().
sysctlbyname(const char *name, void *oldp, size_t *oldlenp, void *newp,
size_t newlen);
.
#include <sys/sysctl.h>
size_t len = 0;
if (sysctlbyname("net.inet.tcp.pcblist", 0, &len, 0, 0) < 0) {
perror("sysctlbyname");
} else {
char *buf = malloc(len);
//printf("%d",sizeof(buf));
sysctlbyname("net.inet.tcp.pcblist", buf, &len, 0, 0);
NSData *data = [NSData dataWithBytesNoCopy:buf length:len];
NSLog(#"data = %#", data);
//printf("%d",sizeof(buf));
//printf("%s",buf);
}
The information is copied into the buffer specified by oldp.
OUTPUT::
data = <18000000 34000000 d8160000 00000000 7d760000 00000000 0c020000 00000000 00000000 00000000 00000000 0050c598 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c2160000 00000000 40008000 00000000 01400000
Buffer is filled with data here.but I'm unable to print the data in readable format.converting this data into NSString won't help as internally buffer has its own structure.
Anyone knows how to obtain TCP open port list as output from this data?
Thanks.

copy netstat code from BSD source.
see the printproto() function in main.c
This will explore all related to this buffer and how to get TCP port list.
Thanks.

Windbg native call stack trace does not make sense

I have a simple test program causing an infinite wait on lock.
public class SyncBlock
{
}
class Program
{
public static SyncBlock sync = new SyncBlock();
private static void ThreadProc()
{
try
{
Monitor.Enter(sync);
}
catch (Exception)
{
//Monitor.Exit(sync);
Console.WriteLine("3rd party code threw an exception");
}
}
static void Main(string[] args)
{
Thread newThread = new Thread(ThreadProc);
newThread.Start();
Console.WriteLine("Acquiring lock");
Monitor.Enter(sync);
Console.WriteLine("Releasing lock");
Monitor.Exit(sync);
}
}
So the main thread is basically get locked when it tries to do Monitor.Enter(sync). If I looked at !clrStack on main thread, its output basically show it which make sense but when I try to see native side of stack, I am expecting to see some Wait on single/multiple object type of call but I don't see it. Can anyone explain it. Thanks
0:000> !CLRStack
PDB symbol for mscorwks.dll not loaded
OS Thread Id: 0x1e8 (0)
ESP EIP
0012f0a8 77455e74 [GCFrame: 0012f0a8]
0012f178 77455e74 [HelperMethodFrame_1OBJ: 0012f178] System.Threading.Monitor.Enter (System.Object)
0012f1d0 00a40177 ConsoleApplication1.Program.Main(System.String[])
0012f400 70fc1b4c [GCFrame: 0012f400]
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eeb4 710afb92 0012ee68 002d6280 00000000 ntdll!KiFastSystemCallRet
0012ef1c 710af7c3 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1b1f2
0012ef3c 710af8cc 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1ae23
0012efc0 710af961 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1af2c
0012f010 710afae1 00000001 002d6280 00000000 mscorwks!StrongNameFreeBuffer+0x1afc1
0012f06c 70fdc5ae ffffffff 00000001 00000000 mscorwks!StrongNameFreeBuffer+0x1b141
0012f080 710df68a ffffffff 00000001 00000000 mscorwks!LogHelp_NoGuiOnAssert+0x10562
0012f10c 710b1154 002aad90 ffffffff 002aad90 mscorwks!StrongNameFreeBuffer+0x4acea
0012f128 710b10d8 42b8b47d 00000000 002aad90 mscorwks!StrongNameFreeBuffer+0x1c7b4
0012f1e0 70fc1b4c 0012f1f0 0012f230 0012f270 mscorwks!StrongNameFreeBuffer+0x1c738
0012f1f0 70fd2219 0012f2c0 00000000 0012f290 mscorwks+0x1b4c
0012f270 70fe6591 0012f2c0 00000000 0012f290 mscorwks!LogHelp_NoGuiOnAssert+0x61cd
0012f3ac 70fe65c4 0023c038 0012f478 0012f444 mscorwks!CoUninitializeEE+0x2ead
0012f3c8 70fe65e2 0023c038 0012f478 0012f444 mscorwks!CoUninitializeEE+0x2ee0
0012f3e0 7103389d 0012f444 42b8b0f1 00000000 mscorwks!CoUninitializeEE+0x2efe
0012f544 710337bd 002332e0 00000001 0012f580 mscorwks!GetPrivateContextsPerfCounters+0xf546
0012f7ac 71033d0d 00000000 42b8b9c9 00000001 mscorwks!GetPrivateContextsPerfCounters+0xf466
0012fc7c 71033ef7 00ce0000 00000000 42b8979 mscorwks!GetPrivateContextsPerfCounters+0xf9b6
0012fccc 71033e27 00ce0000 42b8b8a1 00000000 mscorwks!CorExeMain+0x168
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll -
0012fd14 71cf55ab 71033d8f 0012fd30 71f37f16 mscorwks!CorExeMain+0x98
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\mscoree.dll -
0012fd20 71f37f16 00000000 71cf0000 0012fd44 mscoreei!CorExeMain+0x38
0012fd30 71f34de3 00000000 7723d0e9 7ffd8000 mscoree!CreateConfigStream+0x13f
0012fd44 774319bb 7ffd8000 084952f9 00000000 mscoree!CorExeMain+0x8
0012fd84 7743198e 71f34ddb 7ffd8000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012fd9c 00000000 71f34ddb 7ffd8000 00000000 ntdll!RtlInitializeExceptionChain+0x36

You have to point windbg to the microsoft windows symbols server to get a good stack trace.
type in the following in your windbg command window:
.sympath srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
Also see this:
Using microsoft symbol server to get symbols
Also, to answer your original question about how to debug this, here is the cookbook:
0:000> !clrstack
OS Thread Id: 0x1358 (0)
ESP EIP
0012f328 7c90e514 [GCFrame: 0012f328]
0012f3f8 7c90e514 [HelperMethodFrame_1OBJ: 0012f3f8] System.Threading.Monitor.Enter(System.Object)
0012f450 00d10177 Program.Main(System.String[])
0012f688 79e71b4c [GCFrame: 0012f688]
In your original program, the background thread was started first. So, it acquired the lock. However it exited without releasing the lock. After that your main thread tried to acquire the lock and it is stuck because the lock is already owned.
How do you find out who owns it? First do a !threads followed by !syncblk.
0:000> !threads
ThreadCount: 3
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 1
Hosted Runtime: no
PreEmptive GC Alloc Lock
ID OSID ThreadOBJ State GC Context Domain Count APT Exception
0 1 1358 0014bb00 200a020 Enabled 00000000:00000000 001540d0 0 MTA
2 2 1360 0015e320 b220 Enabled 00000000:00000000 001540d0 0 MTA (Finalizer)
XXXX 3 0 00175a98 9820 Enabled 00000000:00000000 001540d0 1 Ukn
0:000> !syncblk
Index SyncBlock MonitorHeld Recursion Owning Thread Info SyncBlock Owner
2 0017903c 3 1 00175a98 0 XXX 013503cc SyncBlock
-----------------------------
Total 2
CCW 0
RCW 0
ComClassFactory 0
Free 0
As you can see, !syncblk says that the owining thread object is 00175a98. From the !threads output, you can see that thread object 00175a98 is the dead thread that exited while owning the lock.
Hope this helps.