How to get more info about virtual tables?

WINDBG
1

Hello,

I am always confronted with a problem when debugging, and I am just
curious if Windbg can help me. A lot of times, I have a pointer to
some interface and when I try to inspect the pointer, (using dt /r …)
I just get random values. It does provide though the virtual
functions which is nice, but I was hoping for more. Are there any
extensions, commands, etc. that people use often to get more
information when given a pointer to some interface?

Thanks,
J

2

Jonathon wrote:

I am always confronted with a problem when debugging, and I am just
curious if Windbg can help me. A lot of times, I have a pointer to
some interface and when I try to inspect the pointer, (using dt /r …)
I just get random values. It does provide though the virtual
functions which is nice, but I was hoping for more. Are there any
extensions, commands, etc. that people use often to get more
information when given a pointer to some interface?

What were you hoping to find? One of the philosophies of a COM
interface is that the implementation is hidden. You know the addresses
of the method functions, but that’s it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

3

  1. What do you mean ‘random values?’ Could you post some output from windbg with a little background information?

  2. What are you looking for exactly?

In general, debugging c++ can be cumbersome, especially in windbg, because namespaces and class hierarchies can get out of hand pretty quickly as far as legibility in symbol names is concerned, and the indirect call doesn’t help.

mm

4

The vtable is not the object. If you know the type that the vtable supports, you can dump the type and find the vtable offset, subtract that from the this pointer (typically ecx) and get the type. You could also dump the virt func itself to see if there an adjustor thunk to get the offset. The vtable by itself cannot give you this pointer, the vtable is static and shared across all instances of the class.

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: xxxxx@evitechnology.com
Sent: Wednesday, October 21, 2009 11:31 AM
To: Kernel Debugging Interest List
Subject: RE:[windbg] How to get more info about virtual tables?

1. What do you mean ‘random values?’ Could you post some output from windbg with a little background information?

2. What are you looking for exactly?

In general, debugging c++ can be cumbersome, especially in windbg, because namespaces and class hierarchies can get out of hand pretty quickly as far as legibility in symbol names is concerned, and the indirect call doesn’t help.

mm


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

5

Jonathon wrote:

Hello,

I am always confronted with a problem when debugging, and I am just
curious if Windbg can help me. A lot of times, I have a pointer to
some interface and when I try to inspect the pointer, (using dt /r …)
I just get random values. It does provide though the virtual
functions which is nice, but I was hoping for more. Are there any
extensions, commands, etc. that people use often to get more
information when given a pointer to some interface?

If you have

which refers to a base class (even
an interface base class) of an object you are interested
in, you can put something like (MyModule!MyBaseClass*)
into the watch window and then, when you pop it open, if
you got it right, it will offer a "vtcast" node which you can
use to open up the derived object.

I often use this when postmortem-ing crashes as a pretty good
hint as to whether the address I'm looking at is really what
I think it is (if it is, I get the vtcast to it's most derived
type... if not, I get garbage.)

I don't know of an equivalent way to do this (have the debugger
do the dynamic_cast<> for you) from the command line.

Thanks,

Joseph
6

Doron Holan wrote:

The vtable is not the object. If you know the type that the vtable
supports, you can dump the type and find the vtable offset, subtract
that from the this pointer (typically ecx) and get the type. You
could also dump the virt func itself to see if there an adjustor
thunk to get the offset. The vtable by itself cannot give you this
pointer, the vtable is static and shared across all instances of the
class.

This is an area I wish the debugger was better at, because,
unfortunately, unless the function is a leaf function, the
this pointer has often been moved to either edi or esi
depending on the whims of the compiler (since it has to free
up ecx to use for the this pointer of called objects.)

Also, if the function isn’t at the top of the call stack, digging
out the actual value of the register in the given call frame
can be a pain.

There probably isn’t much the debugger can really do to help
either of these situations without additional cooperation from
the compiler, but I still dream of a day when I don’t have to
go groveling though the assembler and raw stack data in order
to find my this pointer.

Thanks,

Joseph

d

Sent from my phone with no t9, all spilling mistakes are not
intentional.

-----Original Message----- From: xxxxx@evitechnology.com
Sent: Wednesday, October 21, 2009 11:31
> AM To: Kernel Debugging Interest List Subject:
> RE:[windbg] How to get more info about virtual tables?
>
>
> 1. What do you mean ‘random values?’ Could you post some output
> from windbg with a little background information?
>
> 2. What are you looking for exactly?
>
> In general, debugging c++ can be cumbersome, especially in windbg,
> because namespaces and class hierarchies can get out of hand pretty
> quickly as far as legibility in symbol names is concerned, and the
> indirect call doesn’t help.
>
> mm
>
> — WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> — WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

7

we are aware of these issues and want to address them in the future, all hope is not lost ;). Everybody internally to Microsoft also feels this pain, so it is rather universal :frowning:

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Joseph Galbraith
Sent: Thursday, October 22, 2009 9:48 AM
To: Kernel Debugging Interest List
Subject: Re: [windbg] How to get more info about virtual tables?

Doron Holan wrote:

The vtable is not the object. If you know the type that the vtable
supports, you can dump the type and find the vtable offset, subtract
that from the this pointer (typically ecx) and get the type. You could
also dump the virt func itself to see if there an adjustor thunk to
get the offset. The vtable by itself cannot give you this pointer, the
vtable is static and shared across all instances of the class.

This is an area I wish the debugger was better at, because, unfortunately, unless the function is a leaf function, the this pointer has often been moved to either edi or esi depending on the whims of the compiler (since it has to free up ecx to use for the this pointer of called objects.)

Also, if the function isn’t at the top of the call stack, digging out the actual value of the register in the given call frame can be a pain.

There probably isn’t much the debugger can really do to help either of these situations without additional cooperation from the compiler, but I still dream of a day when I don’t have to go groveling though the assembler and raw stack data in order to find my this pointer.

Thanks,

Joseph

d

Sent from my phone with no t9, all spilling mistakes are not
intentional.

-----Original Message----- From: xxxxx@evitechnology.com
Sent: Wednesday, October 21, 2009 11:31 AM
> To: Kernel Debugging Interest List Subject:
> RE:[windbg] How to get more info about virtual tables?
>
>
> 1. What do you mean ‘random values?’ Could you post some output from
> windbg with a little background information?
>
> 2. What are you looking for exactly?
>
> In general, debugging c++ can be cumbersome, especially in windbg,
> because namespaces and class hierarchies can get out of hand pretty
> quickly as far as legibility in symbol names is concerned, and the
> indirect call doesn’t help.
>
> mm
>
> — WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
> — WINDBG is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer