I know this may sound nit-picky, but I want to know if there is a reason for these semantics.

Child to me means those are the things it will pass to the function it is about to call. However, if you break on a function name, then a given record will already exist and will not change. That record shows what that function received from its parent.

Let's say that I break on wmain and step in a few lines. WinDbg will report:

```
 # ChildEBP RetAddr  Args to Child
00 005dfeb8 009e138b 00000001 00ac9bc0 00acfac8 ASMTests!wmain+0x19
```

Now those values won't change. When I enter the next function DoBuf0, they don't change, so they are not actually the args to the child. They are the args received from the parent. E.g.: my wmain passes "buf0" as the second argument to DoBuf0

```
 # ChildEBP RetAddr  Args to Child
00 005dfe0c 009e1131 005dfe34 009e218c 005dfe74 ASMTests!DoBuf0
01 005dfeb8 009e138b 00000001 00ac9bc0 00acfac8 ASMTests!wmain+0x91

0:000:x86> da 009e218c
009e218c  "buf0"
```

They are the args the parent (wmain) passed to the child (DoBuf0), but they are NOT displayed on the parent's line; they are displayed on the child's. Wouldn't it make more sense to just call them Args from parent? In the case above, Args to Child implies that DoBuf0 will be passing them to its child.

Thanks

chup
  • `I want to know if there is a reason for these semantics`. There is no reason. WinDbg was not designed for the average user, who needs an explanation of where function arguments come from. I agree that the description "Arguments from parent" would be a better description though. – seva titov Mar 23 '17 at 21:45
  • "Args from Parent" would also be a bad name because those aren't necessarily the arguments to the function (in fact, on the x64 they almost never are). See my answer [here](http://stackoverflow.com/questions/25740674/what-does-kb-show-for-64-bit-processes) – snoone Mar 24 '17 at 13:24

1 Answer

> Child to me means those are the things it will pass to the function it is about to call

How could the window show things that have not happened yet? Do you expect some sort of speculative execution simulation? A "child" is something that has been called, and the call has left evidence data on the stack.

Quote from the WinDbg help:

> Raw args displays the first three parameters that are passed to the function. On an x86-based processor, this display includes the first three parameters that are passed to the function ("Args to Child").
>
> Addrs displays various frame-related addresses. On an x86-based processor, this display includes the base pointer for the stack frame ("ChildEBP") and the return address ("RetAddr").

Side S. Fresh
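An added illustration (not part of the original posts and not WinDbg's own code): a small frame-pointer walker over a simulated x86 stack that reproduces the `kb` columns quoted in the question, showing that each line's three "args" are simply the DWORDs at that frame's own ChildEBP+8, +0xC and +0x10. It assumes standard `push ebp; mov ebp, esp` frames with no frame-pointer omission; the memory image is constructed from the question's values, and the saved-EBP word at 005dfeb8 (absent from the page) is a constructed 0.

```python
# Constructed x86 stack image (address -> DWORD) matching the two kb frames
# quoted in the question. The saved-EBP word at 005dfeb8 is not on the page;
# 0 is a constructed value that ends the walk.
STACK = {
    0x005dfe0c: 0x005dfeb8,  # DoBuf0 frame: [EBP]    = wmain's saved EBP
    0x005dfe10: 0x009e1131,  #               [EBP+4]  = return address in wmain
    0x005dfe14: 0x005dfe34,  #               [EBP+8]  = 1st dword pushed by wmain
    0x005dfe18: 0x009e218c,  #               [EBP+C]  = pointer to "buf0"
    0x005dfe1c: 0x005dfe74,  #               [EBP+10] = 3rd dword
    0x005dfeb8: 0x00000000,  # wmain frame:  [EBP]    (constructed terminator)
    0x005dfebc: 0x009e138b,  #               [EBP+4]  = return address in caller
    0x005dfec0: 0x00000001,  #               [EBP+8]
    0x005dfec4: 0x00ac9bc0,  #               [EBP+C]
    0x005dfec8: 0x00acfac8,  #               [EBP+10]
}


def walk_ebp_chain(mem, ebp, max_frames=32):
    """Follow saved-EBP links; return (ChildEBP, RetAddr, [3 dwords]) per frame."""
    frames = []
    while ebp and len(frames) < max_frames:
        words = [mem.get(ebp + off) for off in (0, 4, 8, 12, 16)]
        if None in words[:2]:
            break  # saved EBP or return address unreadable: stop the walk
        saved_ebp, ret_addr, *args = words
        frames.append((ebp, ret_addr, args))
        if saved_ebp <= ebp:
            break  # the stack grows down, so a parent frame must sit higher
        ebp = saved_ebp
    return frames


def format_kb(frames):
    """Render frames in kb's column order, without symbol names."""
    lines = []
    for i, (ebp, ret, args) in enumerate(frames):
        # "????????" marks an unreadable slot (this example's own convention).
        cols = [f"{ebp:08x}", f"{ret:08x}"]
        cols += ["????????" if a is None else f"{a:08x}" for a in args]
        lines.append(f"{i:02x} " + " ".join(cols))
    return lines


if __name__ == "__main__":
    print(" # ChildEBP RetAddr  Args to Child")
    print("\n".join(format_kb(walk_ebp_chain(STACK, 0x005dfe0c))))
```

The values on the DoBuf0 line come from memory just above DoBuf0's own saved EBP, which is where wmain pushed them before the call; wmain's line never changes because its frame's words are not rewritten by calls it makes.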