1

I'm debugging the source code for mscorlib1 with WinDbg/SOS. I'm curious, is it possible to get the managed function name if you see its address in assembly? For example, this is some of the code I'm seeing in the disassembly window:

00007ffd`7f035d7c 488d0d3d3af5ff  lea     rcx,[System_Private_CoreLib_ni+0x8797c0 (00007ffd`7ef897c0)]
00007ffd`7f035d83 e890728eff      call    System_Private_CoreLib_ni+0x20d018 (00007ffd`7e91d018)
00007ffd`7f035d88 488bf0          mov     rsi,rax
00007ffd`7f035d8b b9874a0000      mov     ecx,4A87h
00007ffd`7f035d90 e8834a91ff      call    System_Private_CoreLib_ni+0x23a818 (00007ffd`7e94a818)
00007ffd`7f035d95 488bc8          mov     rcx,rax
00007ffd`7f035d98 e87356b9ff      call    System_Private_CoreLib_ni+0x4bb410 (00007ffd`7ebcb410)
00007ffd`7f035d9d 488bd0          mov     rdx,rax
00007ffd`7f035da0 488bce          mov     rcx,rsi
00007ffd`7f035da3 e8e89fbdff      call    System_Private_CoreLib_ni+0x4ffd90 (00007ffd`7ec0fd90)

I want to find out what the names of some of these functions being call-ed are. I figure the command to use for this would be !dumpmd, but none of these commands seem to work:

!dumpmd 0x20d018
!dumpmd e890728eff
!dumpmd 00007ffd`7e91d018

All of them respond with "... is not a MethodDesc". How then can I get the managed function name from the assembly, or is it not possible?

1 mscorlib was recently renamed System.Private.CoreLib for .NET Core, so that's why you see that instead of mscorlib_ni.

James Ko
  • 32,215
  • 30
  • 128
  • 239

2 Answers2

2

Pass the entire address to !sosex.mln

Steve Johnson
  • 2,958
  • 13
  • 15
2
!dumpmd 0x20d018

can't work, because you only pass the offset relative to the module. Without specifying the module (System_Private_CoreLib_ni), !dumpmd cannot know what you're referring to.

!dumpmt e890728eff

can't work, because you pass machine code to !dumpmt. e8 is the machine code for the assembly instruction call and the rest is a relative offset. To interpret that, !dumpmt would need to know the address of the instruction so that it can calculate the address of the method being called.

!dumpmt 00007ffd`7e91d018

could at least be plausible, because you pass an absolute address. That is a meaningful address. But it's not the address of a method table which !dumpmt expects.

With a given native address, you can use

!IP2MD <Code address> Displays the MethodDesc structure at the specified address in code that has been JIT-compiled.

Actually the command will display much more, including the method name.

0:000> !ip2md 001fce80
MethodDesc:   00508ab4
Method Name:  ReporterCmd.Program+<>c..cctor()
Class:        0025e10c
MethodTable:  00508ad0
mdToken:      06000027
Module:       00193fbc
IsJitted:     yes
CodeAddr:     001fce48
Transparency: Critical

The (download) command !mln as implemented by @Steve Johnson and mentioned in his answer is really helpful, since it will auto detect the nearest useful thing, so you needn't know in detail what you have.

0:000> !mln 001fce80
Method instance: (BEGIN=001fce48)(MD=00508ab4 disassemble)[ReporterCmd.Program+<>c..cctor()]

If you're learning about .NET internals, I recommend using !mln and then finding out how to get the same results using other methods so that you know about the relationship of things.

Community
  • 1
  • 1
Thomas Weller
  • 55,411
  • 20
  • 125
  • 222