Comments
    bp myroutine "j by(poi(foo) + 8) = 0 'g' ; ''"

Let's dissect this command.

    bp myroutine "j by(poi(foo) + 8) = 0 'g' ; ''"

Means set a breakpoint on myroutine and then when it is hit
execute the associated command.

    j by(poi(foo) + 8) = 0 'g' ; ''

means if the expression "by(poi(foo) + 8) = 0" is true then
execute a "g" else do nothing. This effectively hides the bp if the
expression is true.

    by(poi(foo) + 8) = 0

means check if the result of "by(poi(foo) + 8)" is equal to 0

    by(poi(foo) + 8)

means get the low order byte from "poi(foo) + 8"

    poi(foo) + 8

means add 8 to the result of "poi(foo)". 8 is the offset of the
field named "byte" in the struct pointed to by foo. I used "dt foo" to
get this information when building the command.

    poi(foo)

means to get the value of foo. Evaluating a variable returns
the address of the variable. So we add poi() to deref that address and
read the actual value of the var. "? foo" in the debugger is "&foo" in
C. So "poi(foo)" in the debugger is "foo" in C.

I suggest reading the page "Expression Syntax" in the docs to learn more
about poi, by, etc... You can get to it by clicking the link from the
docs on the "j" command which is also a good thing to read.

One could also write an extension to do this in a more natural way. The
extension could take the name of the var and the field and then use type
information to determine the right expression to build. An extension
could also be used to implement a more complex bp that would be
difficult to express using the built-in syntax.

Someday when we have real C++ evaluation in the debugger one should be
able to write something like

    bp myroutine "j foo->byte = 0 'g' ; ''"

but that is a ways off.

Enjoy.
-----Original Message-----
From: Barila, Phil [mailto:[email protected]]
Sent: Tuesday, June 12, 2001 11:29 AM
To: Kernel Debugging Interest List
Subject: [windbg] Evaluation syntax for struct members?
I have a condition where I want to break only if a particular member of a
struct is a particular value. I could explicitly code that condition, but I
don't need the code, so I would prefer to use WinDBG's breakpoints to do it
for me. Except I can't quite figure out how to use poi() to access the
members of the struct.

<Contrived example>
/* typedef so that myStruct names the type used by myRoutine below */
typedef struct {
    ULONG dword;
    UINT  word;
    UCHAR byte;
} myStruct;

void myRoutine(myStruct *foo)
{
    if (foo->byte != 0)
    {
        DoSomething(foo);
    }
    DoSomethingElse(foo);
    return;
}
</Contrived example>

So I would like to stop if foo->byte == 0, without coding the else clause.
I believe that I can use ? and poi() to get WinDBG to show me when that
happens, but I haven't figured out how, and the debugger docs have pretty
simple examples. Any suggestions?
Thanks,
Phil
* Philip D. Barila | (503) 264-8386
* Intel Corp. | M/S JF2-53 Office JF2-2-G6
* Storage Architecture and Performance
* Internet Systems Lab
Never Knew You Could Do With WinDbg" as an article for The NT Insider...
Ah, I can dream, can't I??
Peter
------------------------
(From on the road)
-----Original Message-----
From: Nathan Nesbit <[email protected]>
To: Kernel Debugging Interest List <[email protected]>
CC: [email protected] <[email protected]>
Sent: Tue Jun 12 20:03:33 2001
Subject: [windbg] RE: Evaluation syntax for struct members?
It would be something like this:

    bp myroutine "j by(poi(foo) + 8) = 0 'g' ; ''"

Let's dissect this command.

    bp myroutine "j by(poi(foo) + 8) = 0 'g' ; ''"

Means set a breakpoint on myroutine and then when it is hit
execute the associated command.

    j by(poi(foo) + 8) = 0 'g' ; ''

means if the expression "by(poi(foo) + 8) = 0" is true then
execute a "g" else do nothing. This effectively hides the bp if the
expression is true.

    by(poi(foo) + 8) = 0

means check if the result of "by(poi(foo) + 8)" is equal to 0

    by(poi(foo) + 8)

means get the low order byte from "poi(foo) + 8"

    poi(foo) + 8

means add 8 to the result of "poi(foo)". 8 is the offset of the
field named "byte" in the struct pointed to by foo. I used "dt foo" to
get this information when building the command.

    poi(foo)

means to get the value of foo. Evaluating a variable returns
the address of the variable. So we add poi() to deref that address and
read the actual value of the var. "? foo" in the debugger is "&foo" in
C. So "poi(foo)" in the debugger is "foo" in C.

I suggest reading the page "Expression Syntax" in the docs to learn more
about poi, by, etc... You can get to it by clicking the link from the
docs on the "j" command which is also a good thing to read.

One could also write an extension to do this in a more natural way. The
extension could take the name of the var and the field and then use type
information to determine the right expression to build. An extension
could also be used to implement a more complex bp that would be
difficult to express using the built-in syntax.

Someday when we have real C++ evaluation in the debugger one should be
able to write something like

    bp myroutine "j foo->byte = 0 'g' ; ''"

but that is a ways off.

Enjoy.
-----Original Message-----
From: Barila, Phil [mailto:[email protected]]
Sent: Tuesday, June 12, 2001 11:29 AM
To: Kernel Debugging Interest List
Subject: [windbg] Evaluation syntax for struct members?
I have a condition where I want to break only if a particular member of a
struct is a particular value. I could explicitly code that condition, but I
don't need the code, so I would prefer to use WinDBG's breakpoints to do it
for me. Except I can't quite figure out how to use poi() to access the
members of the struct.

<Contrived example>
/* typedef so that myStruct names the type used by myRoutine below */
typedef struct {
    ULONG dword;
    UINT  word;
    UCHAR byte;
} myStruct;

void myRoutine(myStruct *foo)
{
    if (foo->byte != 0)
    {
        DoSomething(foo);
    }
    DoSomethingElse(foo);
    return;
}
</Contrived example>

So I would like to stop if foo->byte == 0, without coding the else clause.
I believe that I can use ? and poi() to get WinDBG to show me when that
happens, but I haven't figured out how, and the debugger docs have pretty
simple examples. Any suggestions?
Thanks,
Phil
* Philip D. Barila | (503) 264-8386
* Intel Corp. | M/S JF2-53 Office JF2-2-G6
* Storage Architecture and Performance
* Internet Systems Lab
Thanks for the confirmation that I did it right. I didn't determine the
offset with dt, as I didn't know about it, but I did end up adding the
offset to poi(foo). I was hoping there was a more elegant way, but it looks
like that's not going to happen today or tomorrow. I just used
poi(poi(foo)+OFFSET), since I didn't know about by(), either. Fortunately,
the rest of the struct was zero at the time in question, so deref'ing didn't
produce wrong results.
Peter's right, it's time for an NT Insider article. I know 2 of the 10
things now! Only 8 more to go! :-D
Phil
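Added example, not part of the original thread: a small C model of why the width of the read matters when testing foo->byte from the debugger. It computes the offset that "dt foo" reports and compares a one-byte read (as by() does) with a pointer-sized read (as poi() does) at that offset. The fixed-width types, the 4-byte pointer size of a 32-bit target, and the helper names dbg_by, dbg_poi32, make_image, cond_by, cond_poi and byte_offset are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for ULONG / UINT / UCHAR (32-bit, 32-bit, 8-bit). */
typedef struct { uint32_t dword; uint32_t word; uint8_t byte; } myStruct;

/* Hypothetical models of the debugger operators: by() reads one byte,
   poi() reads a pointer-sized value (4 bytes on a 32-bit target). */
static uint8_t dbg_by(const uint8_t *mem, size_t addr) { return mem[addr]; }
static uint32_t dbg_poi32(const uint8_t *mem, size_t addr)
{
    uint32_t v;
    memcpy(&v, mem + addr, sizeof v);
    return v;
}

/* Constructed 16-byte memory image: one myStruct, with every byte after
   the 'byte' field (padding and neighbouring memory) set to 'pad'. */
static void make_image(uint8_t *mem, uint8_t byte_val, uint8_t pad)
{
    myStruct s = { 0x11111111u, 0x22222222u, byte_val };
    memset(mem, pad, 16);
    memcpy(mem, &s, offsetof(myStruct, byte) + 1);
}

size_t byte_offset(void) { return offsetof(myStruct, byte); }

/* 1 if "by(poi(foo) + 8) = 0" would evaluate true for this image. */
int cond_by(uint8_t byte_val, uint8_t pad)
{
    uint8_t mem[16];
    make_image(mem, byte_val, pad);
    return dbg_by(mem, byte_offset()) == 0;
}

/* 1 if "poi(poi(foo) + 8) = 0" would evaluate true for this image. */
int cond_poi(uint8_t byte_val, uint8_t pad)
{
    uint8_t mem[16];
    make_image(mem, byte_val, pad);
    return dbg_poi32(mem, byte_offset()) == 0;
}

int main(void)
{
    printf("offset of byte: %zu\n", byte_offset());
    printf("byte=0, zero padding:  by=%d poi=%d\n", cond_by(0, 0), cond_poi(0, 0));
    printf("byte=0, stale padding: by=%d poi=%d\n", cond_by(0, 0xCC), cond_poi(0, 0xCC));
    return 0;
}
```

With zeroed padding both reads agree; with non-zero bytes after the field, only the one-byte read still reports that foo->byte is 0.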