
I have a user mode dump with 73 threads. Some of them are managed and some of them native. I would like to find the managed thread whose call stack contains a certain managed function.

I have the SOSEX extension loaded in the debugger.

Right now I do ~*e !mk to dump all the managed threads and then browse through them manually looking for what I need - too long and tiresome.

Is there a better way?

Thomas Weller
mark

1 Answer


Related commands

There is !findstack <module> 2 to find threads that have a specific module on the stack, but IMHO it only works well for native callstacks and for modules only, not for methods.

Then there is !uniqstack which might help narrow down the threads in case many threads have the same callstack. It's also a native command.

Ugly built-in solution

What I do in such cases is an ugly workaround, but I have not found something better yet:

.shell -ci "!clrstack" find "Class.Method("

Of course you can combine this with ~*e to do it for all threads.

~*e ? $tid;.shell -ci "!clrstack" find "Program.Main("

PyKd script

If you don't mind installing another WinDbg extension, I recommend PyKd for a more convenient and silent solution. Create a file findstack.py in the WinDbg directory (or maybe the working directory of WinDbg, not so sure, otherwise use the full path) with the content

from pykd import *
# Print the current thread's ID if its managed stack contains the method
if "Class.Method(" in dbgCommand("!clrstack"):
    print(hex(expr("$tid")))

In WinDbg, run the script like this:

.load E:\path to\x86\pykd.pyd
*** Actually it's a DLL and I prefer renaming it
*** .load E:\path to\x86\pykd.dll
~*e !py findstack.py

Of course you can parameterize the script, e.g. like

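from pykd import *
import sys

# Arguments: <command> <search term> <success command>
if len(sys.argv) < 4:
    print("find <command> <search term> <success command>.")
    quit()

# Run <command>; if its output contains <search term>, run <success command>
if sys.argv[2] in dbgCommand(sys.argv[1]):
    print(dbgCommand(sys.argv[3]))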

and then call it with arguments

~*e !py find.py "!clrstack" "Program.Main(" "? $tid"
Thomas Weller
  • Which version of the extension do you use? – mark Jul 15 '15 at 21:30
  • I tested with 0.2.0.27 using Python 2.7.8 from Anaconda 2.1.0 – Thomas Weller Jul 15 '15 at 21:33
  • ... in WinDbg 6.2.9200 with a .NET 4 x86 application. I didn't have version issues so far. – Thomas Weller Jul 15 '15 at 21:40
  • I have installed 64 bits python 2.7.10 from Anaconda and pykd-0.2.0.29-x64-python-2.7-setup.exe. And I am running the 64 bits version of WinDbg - "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\windbg.exe". So far loading pykd.pyd immediately kills the WinDbg process :-( – mark Jul 15 '15 at 21:55
  • @mark: indeed, the x64 versions seem broken. My WinDbg doesn't crash, but it says `The call to LoadLibrary ... failed, Win32 error 0n193, %1 is not a valid Win32 application` – Thomas Weller Jul 15 '15 at 22:15
  • @mark: We need the x64 version of Python: https://www.python.org/downloads/release/python-2710/ – Thomas Weller Jul 15 '15 at 22:24
  • In other words instead of Anaconda python 64 bits distro, I should use the one from python.org? Because I did install the 64 bits of python from Anaconda. – mark Jul 16 '15 at 01:14
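
The answer's PyKd approach, generalized as an added example (not part of the original answer): instead of starting the script once per thread, it parses the combined output of `~*e !clrstack` in one pass and reports every thread whose managed stack contains the search term. The `OS Thread Id: 0x... (n)` header format, the single `dbgCommand("~*e !clrstack")` call, and all `Demo.*` names and thread IDs in the sample are assumptions constructed for illustration.

```python
import re

# Header SOS prints before each thread's stack, e.g. "OS Thread Id: 0x1a2c (0)"
# (assumed output format; the value in parentheses is the debugger thread number).
THREAD_HEADER = re.compile(r"^OS Thread Id: (0x[0-9a-fA-F]+) \((\d+)\)")


def find_managed_threads(clrstack_output, needle):
    """Return [(debugger_thread_no, os_thread_id, [matching call sites])]
    for every thread whose !clrstack output contains `needle`."""
    hits, current = [], None
    for line in clrstack_output.splitlines():
        header = THREAD_HEADER.match(line.strip())
        if header:
            current = (int(header.group(2)), header.group(1), [])
            hits.append(current)
        elif current is not None and needle in line:
            # Frame lines are "<Child SP> <IP> <Call Site>"; keep the call site.
            current[2].append(line.split(None, 2)[-1])
    return [hit for hit in hits if hit[2]]


# Constructed sample in the shape of "~*e !clrstack" output (x86, .NET 4 SOS).
SAMPLE = """\
OS Thread Id: 0x1a2c (0)
Child SP       IP Call Site
0031f0a4 003a00d3 Demo.Worker.Run()
0031f134 003a0092 Demo.Program.Main(System.String[])
OS Thread Id: 0x0f10 (1)
Unable to walk the managed stack. The current thread is likely not a
managed thread. You can run !threads to get a list of managed threads in
the process
OS Thread Id: 0x2b44 (2)
Child SP       IP Call Site
04e2f5c8 003a0155 Demo.Worker.Run()
04e2f600 6f5c1a3b System.Threading.ThreadHelper.ThreadStart()
"""

if __name__ == "__main__":
    try:
        import pykd  # available when started from WinDbg with !py
        text = pykd.dbgCommand("~*e !clrstack")  # assumption: one call covers all threads
    except ImportError:
        text = SAMPLE  # offline: fall back to the constructed sample
    for number, os_id, frames in find_managed_threads(text, "Worker.Run("):
        print("thread %d (OS id %s): %s" % (number, os_id, "; ".join(frames)))
```

Include the opening parenthesis in the search term, as the answer does, so that the text SOS prints for native threads cannot match.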