ITP vs Windbg

aditya,

I myself am not an ITP expert; I take help from the firmware team when I
need to interact with their code.

So here is what I heard from them:

You are correct when you say control registers (EIP and friends) will be
virtual addresses on both ITP and Windbg; this is because the x86 processor
supports virtual addressing.

However, in ITP when you open a memory view, it will open the physical
memory view, whereas by default Windbg opens the virtual addresses.
You can, of course, see physical memory in windbg too.

Intel processors work with virtual memory most of the time, but they need to
translate these addresses to physical memory addresses for the memory controller
(MC) to work with, as the MC doesn't understand VAD.

Now this makes me think why I am seeing a different EIP in windbg and ITP. I
think it is simple: it is *not* possible to halt a machine both from windbg
and ITP at the same time. So by the time I halt the machine from windbg and
again halt it from ITP, the processor core goes into the INT3 handler of the
OS, and hence the difference. That is why, when I manually align the EIP in
ITP to the one I see in windbg, I get to see my code.

Guys, I am no expert in this, and I am trying to understand it all…kind of
thinking aloud here…hopefully this explains the scenario…

do correct me with your knowledge.

thanks

amit

On Wed, Nov 25, 2009 at 2:14 PM, wrote:

> I don’t know about ITP at all, I was just asserting that windbg surely uses
> virtual addresses.
>
> >>but then, I would assume that if I forced ITP to point to the virtual EIP
> where Windbg is pointing to, it will assume it to be phys mem and point to a
> completely junk location.
>
> Either I am totally out of context or its time to take paid vacation. :)
>
> Based on my understanding EIP is specific to the processor, and it’s the processor
> which will execute the instruction pointed to by the EIP register, and as we
> discussed, the processor will always treat this as a virtual address. So be it
> any debugger, the processor (obviously Intel architecture) will treat it as
> virtual. Isn’t it?
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>



- amitr0

xxxxx@gmail.com wrote:

>> do we see virtual addresses for control registers (eip etc) in windbg?
>>

I have not read the original post, but based on the last discussion between you and Mr Tim, the answer is yes. We always see virtual addresses in EIP and ESP, even if virtual memory is turned off.

I’m not sure what you were trying to say here, but this wasn’t it. You
cannot “turn off” virtual memory in Windows. Even if you disable the
page file, you are still running with virtual memory. Without it,
multiprocessing in “flat” mode is simply not practical. You have to
start using the segment registers, like real mode.

It is possible to turn off paging in CR0 (although not while Windows is
running), but when you do so, the registers (like EIP) do contain
physical addresses.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It sounds like you’re saying that you’re halting it two different times, manually? If so, that would definitely give you different EIPs, in all likelihood. Another thing that would do this, depending on how exactly you are breaking in with the ITP and what you are expecting to see, is that windbg is ‘correcting’ the reported address for you - that is, is not reporting the address of - whereas the ‘ITP’ will not.

In any case, why aren’t you setting the ‘ITP’ to halt on an SMI? Or are you?

mm

Yes, I have tried halting ITP on SMI, but once ITP intervenes, windbg will not
get control. The hardware debugger presides over software.

On Thu, Nov 26, 2009 at 12:31 AM, wrote:

> It sounds like you’re saying that you’re halting it two different times,
> manually? If so, that would definitely give you different EIP’s, in all
> likelihood. Another thing that would do this depending on how exactly you
> are breaking in with the ITP and what you are expecting to see is that
> windbg is ‘correcting’ the reported address for you - that is, is not
> reporting the address of > can’t think of off the top of my head that handles this> - whereas the ‘ITP’
> will not.
>
> In any case, why aren’t you setting the ‘ITP’ to halt on an SMI? Or are
> you.
>
>
> mm
>



- amitr0

OK, but why are you using both then? I mean, that’s what a hardware debugger does?

mm

Well, I am debugging SMI function code: our driver generates an SMI and we
have a BIOS counterpart which handles it. So we needed both worlds. It is
easier to set up windbg with symbols than ITP for Windows :)

On Thu, Nov 26, 2009 at 8:43 AM, wrote:

> OK, but why are you using both then? I mean, that’s what a hardware
> debugger does?
>
>
> mm
>



- amitr0

@Tim

>I’m not sure what you were trying to say here, but this wasn’t it. You cannot “turn off” virtual memory in Windows. Even if you disable the page file, you are still running with virtual memory.

Clash of terms. Yes, I meant disable the page file. Funny thing is that a few years back one MS interviewer referred to it as virtual memory; I adopted this term from that place. Plus I think I read that even if there is no page file, address translation will happen using page tables, though in this case they’ll not refer to the page file. I may re-check it on your pointers.

Thanks
aditya

@Tim

This is what I read :

“If paging is not used, the linear address space of the processor is mapped directly into the physical
address space of processor. The physical address space is defined as the range of addresses
that the processor can generate on its address bus”

This is from the Intel manuals. When it says the linear address space is mapped directly to physical, I thought that this mapping would be done using the PT, which I now guess is not the case. Can you please clarify this?

Thanks
aditya

Even if you turn off the page file, paging can still occur. Read-only app data and sharable pages can be backed by the image on disk.

d

-----Original Message-----
From: xxxxx@gmail.com
Sent: Wednesday, November 25, 2009 9:36 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] ITP vs Windbg

@Tim
>>I’m not sure what you were trying to say here, but this wasn’t it. You cannot “turn off” virtual memory in Windows. Even if you disable the page file, you are still running with virtual memory.

Clash of terms. Yes, I meant disable the page file. Funny thing is that a few years back one MS interviewer referred to it as virtual memory; I adopted this term from that place. Plus I think I read that even if there is no page file, address translation will happen using page tables, though in this case they’ll not refer to the page file. I may re-check it on your pointers.

Thanks
aditya


> possible to halt a machine both from windbg and ITP at the same time. So by the time I halt the
> machine from windbg and again halt it from ITP, the processor core goes into the INT3

BreakIn from WinDbg does not use INT3.

Instead, Windows with KD on will call KdPollBreakIn at lots of moments in its life (like the thread switches).

If the break-in byte was sent to WinDbg’s serial port, then KdPollBreakIn goes to the KD “server side” code: take the command byte from the serial port, execute it, and so on in a loop.

Breakpoints can use INT3 though.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> This is from Intel Manuals, when it says linear address space is mapped directly to physical, I thought
> that this mapping will be done using PT which now I guess is not the case. Can you please clarify this.

If paging is not enabled in the CPU - then it does not use PTs.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

xxxxx@gmail.com wrote:

> This is what I read :
>
> “If paging is not used, the linear address space of the processor is mapped directly into the physical
> address space of processor. The physical address space is defined as the range of addresses
> that the processor can generate on its address bus”
>
> This is from Intel Manuals, when it says linear address space is mapped directly to physical, I thought that this mapping will be done using PT which now I guess is not the case. Can you please clarify this.

Right. That excerpt is quite correct, but you aren’t reading the whole
sentence. The linear/virtual address space is mapped directly to
physical, ***IF*** paging is not used. There are no 32-bit x86
operating systems today that will operate without paging. In Windows
and Linux, even if you turn off the swap file, the processor is still
running with paging enabled. Indeed, some BIOSes today turn on paging
at boot time, so that even MS-DOS runs with paging.

The linear/virtual to physical mapping is done using the page tables.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
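The two cases Tim describes (CR0.PG clear: linear address is the physical address; CR0.PG set: the page directory and page tables do the translation) can be modelled directly. The following is an added example, not code from this thread or from any debugger; it simulates four 4 KiB physical frames and a 32-bit non-PAE two-level walk, with a constructed mapping of kernel VA 0x80401000 onto physical frame 2 so the same bytes that a virtual-address view (windbg) shows at 0x80401xxx appear in a physical-memory view (ITP) at 0x00002xxx.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of 32-bit x86 (non-PAE) paging: frame 0 holds the page
 * directory, frame 1 a page table, frame 2 a code page. Not from the thread. */
#define CR0_PG  0x80000000u
#define PTE_P   0x1u
#define NFRAMES 4u
static uint32_t phys[NFRAMES][1024];  /* simulated physical memory, 4 KiB frames */
static uint32_t cr0 = 0;
static uint32_t cr3 = 0x00000000u;    /* page directory is in frame 0 */

static uint32_t read_phys32(uint32_t pa)
{   /* a frame outside the model reads as 0, i.e. a not-present entry */
    return (pa >> 12) < NFRAMES ? phys[pa >> 12][(pa & 0xfffu) >> 2] : 0;
}

/* Translate as the CPU does: identity when CR0.PG is clear, otherwise a
 * PD -> PT -> frame walk. Returns 0 and sets *fault on a not-present entry. */
uint32_t linear_to_physical(uint32_t lin, int *fault)
{
    uint32_t pa = lin, pde, pte;      /* paging off: linear == physical */
    int f = 0;
    if (cr0 & CR0_PG) {
        pde = read_phys32((cr3 & 0xfffff000u) | ((lin >> 22) << 2));
        pte = read_phys32((pde & 0xfffff000u) | (((lin >> 12) & 0x3ffu) << 2));
        if (!(pde & PTE_P) || !(pte & PTE_P)) f = 1;   /* #PF on real hardware */
        else pa = (pte & 0xfffff000u) | (lin & 0xfffu);
    }
    if (fault) *fault = f;
    return f ? 0 : pa;
}
int page_faults(uint32_t lin) { int f; linear_to_physical(lin, &f); return f; }
void set_paging(int on) { cr0 = on ? (cr0 | CR0_PG) : (cr0 & ~CR0_PG); }

/* Map kernel VA 0x80401000 onto physical frame 2 (PA 0x00002000). */
void setup_tables(void)
{
    phys[0][0x80401000u >> 22] = 0x00001000u | PTE_P;             /* PDE -> frame 1 */
    phys[1][(0x80401000u >> 12) & 0x3ffu] = 0x00002000u | PTE_P;  /* PTE -> frame 2 */
}
int main(void)
{
    setup_tables();
    set_paging(1);   /* what Windows runs with: EIP 0x80401234 is a VA */
    printf("PG=1: VA 0x80401234 -> PA 0x%08x\n", linear_to_physical(0x80401234u, NULL));
    printf("PG=1: VA 0x00001000 faults: %d\n", page_faults(0x00001000u));
    set_paging(0);   /* CR0.PG clear: the same value is a physical address */
    printf("PG=0: VA 0x80401234 -> PA 0x%08x\n", linear_to_physical(0x80401234u, NULL));
    return 0;
}
```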

Got it.

Thanks Tim and Maxim.