Further to Jason’s comment, keep in mind that functions using a
register-passing scheme (e.g., C++, fastcall, custom assembly, or
anything on the IA-64) will not store the parameters on the stack.
Thus, the three values after the stored return address function pointer
may in fact be parameters, but not the first three parameters of the
function.
Sometimes the compiler re-uses parameters; sometimes the code overwrites
the values at that memory location.
The specific rules about marshalling arguments and passing them on the
stack is language and machine architecture specific. Even WITH private
PDB symbols, the debugger may not be able to show those values to you,
although it tries to do it whenever possible (and sometimes when it
isn’t possible it “tries”).
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jason Cunningham
Sent: Friday, October 28, 2005 4:23 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Viewing function call parameters in WinDbg
For your symbols question:
The public symbols from http://msdl.microsoft.com/download/symbols are
stripped. For example, you should see something like the spew below.
Notice that kernel32’s symbols are public symbols, thus you don’t get
info on what args a fn takes. The symbols you build yourself will have
full debugging info (commonly called private symbols) and thus will show
you params with kP or kp.
You’ll notice that I get a different error message than you. I’m
debugging on the machine which generated the minidump, so the debugger
can directly load the image. I’ll guess that your !lmi will show the
image type as something like FILE and you’re not debugging on the box
that generated the dump. If you’re not debugging a minidump, you’ll
want to look into things as Tony suggested.
I must also point out that blindly using the three args when you don’t
have private symbols can lead to trouble; the debugger doesn’t (can’t)
guarantee they’re always correct. Trivially, do ‘kb’ on a stack which
has a function that takes < 3 args. What you’re seeing is just the next
three things on the stack after the return address. You can see this
with ‘dds @esp’.
Thanks,
Jason
0:000> !lmi kernel32.dll
Loaded Module Info: [kernel32.dll]
Module: kernel32
Base Address: 7c800000
Image Name: kernel32.dll
Machine Type: 332 (I386)
Time Stamp: 411096b4 Wed Aug 04 00:56:36 2004
Size: f4000
CheckSum: ff848
Characteristics: 210e perf
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 25, 82bfc, 81ffc RSDS - GUID:
{FB334FB2-8FA3-4128-BDE9-229285BE4C2F}
Age: 2, Pdb: kernel32.pdb
CLSID 4, 82bf8, 81ff8 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from symbol
server.
kernel32.pdb\FB334FB28FA34128BDE9229285BE4C2F2\kernel32.pdb
Load Report: public symbols , not source indexed
kernel32.pdb\FB334FB28FA34128BDE9229285BE4C2F2\kernel32.pdb
0:005> x kernel32!WaitForMultipleObjectsEx
7c80952a kernel32!WaitForMultipleObjectsEx =
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rufoo
Sent: Thursday, October 27, 2005 11:31 PM
To: Kernel Debugging Interest List
Subject: RE: [windbg] Viewing function call parameters in WinDbg
Thank you. I am actually debugging a release binary
for a customer, and I dont have the source or pdb
handy now. However I am trying to check out the
parameters to CreateFileW, MoveFileW, and few other
kernel32 calls, and I downloaded windows symbols and
using kernel32.pdb. In WinDbg, I am seeing the
function names using kp, but not the function
parameters. Is this expected? How are these PDB files
different from what we generate for our binaries?
TIA
–rufoo
— Tony Mason wrote:
> On a live system, that would suggest something
> seriously wrong with the
> stack or address space.
>
> On a post-mortem (crash dump) I’d guess you are
> looking at either a
> damaged dump file or a mini-dump file (which doesn’t
> have any memory
> contents within it anyway - just minimal information
> about the thread
> stack).
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> Rufoo
> Sent: Friday, October 28, 2005 2:11 AM
> To: Kernel Debugging Interest List
> Subject: RE: [windbg] Viewing function call
> parameters in WinDbg
>
> Thank you. This is what I wanted.
> But for all the parameters I get > error>, what could be the reason?
>
> TIA
> --rufoo
>
> — Doron Holan wrote:
>
> > kp
> > or
> > kP
> >
> > depending on your formatting preferences. You
> need
> > full symbol
> > information for this option to work.
> >
> > d
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On
> Behalf
> > Of Rufoo
> > Sent: Thursday, October 27, 2005 9:25 PM
> > To: Kernel Debugging Interest List
> > Subject: [windbg] Viewing function call parameters
> > in WinDbg
> >
> > Hello there
> >
> > It is very likely that this question has been
> asked
> > before, but I just dont find in my google
> searches.
> >
> > while stepping through the assembly code I want to
> > see
> > the function call arguments. Currently, the way I
> do
> > it is to pick the pointer addresses from the call
> > stack window(with the Args option on, which gives
> > three parameters), and put it in the memory
> window.
> >
> > As you can see it is very tedious to do this for
> > every
> > function call, especially if we are tracing
> through
> > more than 20 function calls.
> >
> > So, is there any simpler way of doing this? I am
> not
> > very experienced with windbg, so I might have
> missed
> > something simpler if it exists. Kindly enlighten.
> >
> > Thanks in advance,
> > --rufoo
> >
> >
> >
> >
> > Yahoo! FareChase: Search multiple travel sites in
> > one click.
> > http://farechase.yahoo.com
> >
> > —
> > You are currently subscribed to windbg as:
> > xxxxx@microsoft.com
> > To unsubscribe send a blank email to
> > xxxxx@lists.osr.com
> >
> > —
> > You are currently subscribed to windbg as: unknown
> > lmsubst tag argument: ‘’
> > To unsubscribe send a blank email to
> > xxxxx@lists.osr.com
> >
>
>
>
>
>
> Start your day with Yahoo! - Make it your home page!
>
> http://www.yahoo.com/r/hs
>
> —
> You are currently subscribed to windbg as:
> xxxxx@osr.com
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
> —
> You are currently subscribed to windbg as: unknown
> lmsubst tag argument: ‘’
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
>
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com
—
You are currently subscribed to windbg as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com