Postprocess drmemory error stacks with new symbols after process exits


Problem description

After running a set of tests with drmemory overnight I am trying to resolve the error stacks by providing pdb symbols. The pdb's come from a large samba-mapped repository and using _NT_SYMBOL_PATH at runtime slowed things down too much.

Does anyone know of a tool that post-processes results.txt and pulls new symbols (via NT_SYMBOL_PATH or otherwise) as required to produce more detailed stacks? If not, any hints for adapting asan_symbolize.py to do this?

https://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/asan/scripts/asan_symbolize.py

What I came up with so far using dbghelp.dll is below. Works but could be better.

https://github.com/patraulea/postpdb

Recommended answer

OK, this query does not pertain to the use of windbg and doesn't have anything to do with _NT_SYMBOL_PATH.

Dr.Memory is a memory diagnostic tool akin to valgrind and is based on the DynamoRIO instrumentation framework, usable on raw unmodified binaries.

On Windows you can invoke it like drmemory.exe calc.exe from a command prompt (cmd.exe).

As soon as the binary finishes execution, a log file named results.txt is written to a default location.

If you had set up _NT_SYMBOL_PATH, drmemory honors it and resolves symbol information from pre-pulled symbol files (viz. *.pdb). It does not seem to download files from the MS symbol server; it simply seems to ignore the SRV* cache and seems to use only the downstream symbol folder.

So if the pdb file is missing or isn't downloaded yet,

the results.txt will contain a stack trace like

# 6 USER32.dll!gapfnScSendMessage +0x1ce    (0x75fdc4e7 <USER32.dll+0x1c4e7>)
# 7 USER32.dll!gapfnScSendMessage +0x2ce    (0x75fdc5e7 <USER32.dll+0x1c5e7>)

while if the symbol file was available it would show

# 6 USER32.dll!InternalCallWinProc
# 7 USER32.dll!UserCallWinProcCheckWow

So basically you need the symbol file for the application in question.

So, as I commented, you need to fetch the symbols for the exe in question.

You can use symchk on a running process too and create a manifest file, and you can use symchk on a machine that is connected to the internet to download symbols, copy them to a local folder on a non_internet machine, and point _NT_SYMBOL_PATH to this folder.

>tlist | grep calc.exe
1772 calc.exe          Calculator

>symchk /om calcsyms.txt /ip 1772
SYMCHK: GdiPlus.dll          FAILED  - MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb mismatched or not found

SYMCHK: FAILED files = 1
SYMCHK: PASSED + IGNORED files = 27

>head -n 4 calcsyms.txt
calc.pdb,971D2945E998438C847643A9DB39C88E2,1
calc.exe,4ce7979dc0000,1
ntdll.pdb,120028FA453F4CD5A6A404EC37396A582,1
ntdll.dll,4ce7b96e13c000,1

>tail -n 4 calcsyms.txt
CLBCatQ.pdb,00A720C79BAC402295B6EBDC147257182,1
clbcatq.dll,4a5bd9b183000,1
oleacc.pdb,67620D076A2E43C5A18ECD5AF77AADBE2,1
oleacc.dll,4a5bdac83c000,1

So, assuming you have fetched the symbols, it would be easier to rerun the tests with locally cached copies of the symbol files.

If you have fetched the symbols but you cannot rerun the tests and have to work solely with the output from results.txt, you have some text processing work (sed, grep, awk, or a custom parser).

The drmemory suite comes with a symbolquery.exe in the bin folder, and it can be used to resolve the symbols from results.txt.

In the example above you can notice the offset relative to the module base, like 0x1c4e7 in the line # 6 USER32.dll!gapfnScSendMessage +0x1ce (0x75fdc4e7 {USER32.dll+0x1c4e7}).

So for each line in results.txt you have to parse out the offset and invoke symbolquery on the module like below:

:\>symquery.exe -f -e c:\Windows\System32\user32.dll -a +0x1c4e7
InternalCallWinProc+0x23
??:0

:\>symquery.exe -f -e c:\Windows\System32\user32.dll -a +0x1c5e7
UserCallWinProcCheckWow+0xb3

A simple test processing example from a result.txt, and a trimmed output:

:\>grep "^#"  results.txt | sed s/".*<"//g
# 0 system call NtUserBuildPropList parameter #2
USER32.dll+0x649d9>)
snip
COMCTL32.dll+0x2f443>)

Notice the comctl32.dll (there is a default comctl.dll in system32.dll and several others in winsxs); you have to consult the other files like global.log to view the dll load path.

symquery.exe -f -e c:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll -a +0x2f443
CallOriginalWndProc+0x1a
??:0

symquery.exe -f -e c:\Windows\system32\comctl32.dll -a +0x2f443
DrawInsert+0x120 <----- wrong symbol due to wrong module (late binding /forwarded xxx yyy reasons)
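
The per-line procedure from the answer (parse the `<module+offset>` part of each frame, then query the module file that was actually loaded), as an added example that is not part of the original answer or of Dr. Memory. The names `FRAME_RE`, `symquery_cmd`, `run_symquery` and `resymbolize` are hypothetical, the frame pattern is derived only from the lines quoted above, and the image-name-to-path map is assumed to be filled in by hand from global.log.

```python
import re
import subprocess

# Frame shape copied from the results.txt lines quoted in the answer:
# "# 6 USER32.dll!gapfnScSendMessage +0x1ce    (0x75fdc4e7 <USER32.dll+0x1c4e7>)"
FRAME_RE = re.compile(
    r"^#\s*(?P<idx>\d+)\s+(?P<mod>[^!\s]+)!\S+\s*(?:\+0x[0-9a-fA-F]+)?\s*"
    r"\((?P<addr>0x[0-9a-fA-F]+)\s+<(?P<img>[^+>]+)\+(?P<off>0x[0-9a-fA-F]+)>\)")

def symquery_cmd(module_path, offset, symquery="symquery.exe"):
    """Argument list for the call shown in the answer: -f -e <module> -a +<offset>.
    A list (no shell) keeps text taken from a log file out of command-line parsing."""
    return [symquery, "-f", "-e", module_path, "-a", "+" + offset]

def run_symquery(module_path, offset):
    """Run symquery; return its first output line, e.g. 'InternalCallWinProc+0x23'."""
    out = subprocess.run(symquery_cmd(module_path, offset),
                         capture_output=True, text=True, check=True).stdout
    lines = out.strip().splitlines()
    return lines[0].strip() if lines else None

def resymbolize(lines, module_paths, resolve=run_symquery):
    """Return the lines with frames rewritten where the module's on-disk path is known.
    module_paths (assumed input) maps image name -> full path, taken from global.log
    so that the comctl32.dll case in the answer resolves against the loaded copy."""
    paths = {name.lower(): path for name, path in module_paths.items()}
    out = []
    for line in lines:
        line = line.rstrip("\r\n")
        m = FRAME_RE.match(line)
        path = paths.get(m.group("img").lower()) if m else None
        sym = resolve(path, m.group("off")) if path else None
        if sym:
            line = "#%2s %s!%s (%s <%s+%s>)" % (
                m.group("idx"), m.group("mod"), sym,
                m.group("addr"), m.group("img"), m.group("off"))
        out.append(line)  # non-frames and unknown modules pass through unchanged
    return out

# Constructed sample: frame lines from the answer plus one module with no known path.
SAMPLE = [
    "# 0 system call NtUserBuildPropList parameter #2",
    "# 6 USER32.dll!gapfnScSendMessage +0x1ce    (0x75fdc4e7 <USER32.dll+0x1c4e7>)",
    "# 7 USER32.dll!gapfnScSendMessage +0x2ce    (0x75fdc5e7 <USER32.dll+0x1c5e7>)",
    "# 8 COMCTL32.dll!DrawInsert +0x120    (0x00000000 <COMCTL32.dll+0x2f443>)",
]
```

Leaving a module out of the map is the safe default here: its frames stay as Dr. Memory wrote them instead of being resolved against a same-named DLL from the wrong directory.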
