Postprocess drmemory error stacks with new symbols after process exits
Problem description
After running a set of tests with drmemory overnight I am trying to resolve the error stacks by providing pdb symbols. The pdb's come from a large samba-mapped repository and using _NT_SYMBOL_PATH at runtime slowed things down too much.
Does anyone know of a tool that post-processes results.txt and pulls new symbols (via NT_SYMBOL_PATH or otherwise) as required to produce more detailed stacks? If not, any hints for adapting asan_symbolize.py to do this?
https://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/asan/scripts/asan_symbolize.py
What I came up with so far using dbghelp.dll is below. Works but could be better.
https://github.com/patraulea/postpdb
Recommended answer
OK, this query does not pertain to the use of windbg, nor does it have anything to do with _NT_SYMBOL_PATH.
Dr.Memory is a memory diagnostic tool akin to valgrind and is based on the DynamoRIO instrumentation framework, usable on raw unmodified binaries.
On Windows you can invoke it like drmemory.exe calc.exe from a command prompt (cmd.exe).
As soon as the binary finishes execution, a log file named results.txt is written to a default location.
If you had set up _NT_SYMBOL_PATH, drmemory honors it and resolves symbol information from a pre-pulled symbol file (viz. *.pdb). It does not seem to download files from the MS symbol server; it simply seems to ignore the SRV* cache and seems to use only the downstream symbol folder.
So if the pdb file is missing or isn't downloaded yet, the results.txt will contain a stack trace like:
# 6 USER32.dll!gapfnScSendMessage +0x1ce (0x75fdc4e7 <USER32.dll+0x1c4e7>)
# 7 USER32.dll!gapfnScSendMessage +0x2ce (0x75fdc5e7 <USER32.dll+0x1c5e7>)
while if the symbol file was available it would show:
# 6 USER32.dll!InternalCallWinProc
# 7 USER32.dll!UserCallWinProcCheckWow
So basically you need the symbol file for the application in question.
So, as I commented, you need to fetch the symbols for the exe in question.
You can use symchk on a running process too and create a manifest file, and you can use symchk on a machine that is connected to the internet to download symbols, copy them to a local folder on a non-internet machine, and point _NT_SYMBOL_PATH to this folder.
>tlist | grep calc.exe
1772 calc.exe Calculator
>symchk /om calcsyms.txt /ip 1772
SYMCHK: GdiPlus.dll FAILED - MicrosoftWindowsGdiPlus-1.1.7601.17514-gdiplus.pdb mismatched or not found
SYMCHK: FAILED files = 1
SYMCHK: PASSED + IGNORED files = 27
>head -n 4 calcsyms.txt
calc.pdb,971D2945E998438C847643A9DB39C88E2,1
calc.exe,4ce7979dc0000,1
ntdll.pdb,120028FA453F4CD5A6A404EC37396A582,1
ntdll.dll,4ce7b96e13c000,1
>tail -n 4 calcsyms.txt
CLBCatQ.pdb,00A720C79BAC402295B6EBDC147257182,1
clbcatq.dll,4a5bd9b183000,1
oleacc.pdb,67620D076A2E43C5A18ECD5AF77AADBE2,1
oleacc.dll,4a5bdac83c000,1
So, assuming you have fetched the symbols, it would be easier to rerun the tests with locally cached copies of the symbol files.
If you have fetched the symbols but you cannot rerun the tests and have to work solely with the output from results.txt, you have some text processing work (sed, grep, awk, or a custom parser).
The drmemory suite comes with a symbolquery.exe in the bin folder, and it can be used to resolve the symbols from results.txt.
In the example above you can notice the offset relative to modulebase, like 0x1c4e7 in the line # 6 USER32.dll!gapfnScSendMessage +0x1ce (0x75fdc4e7 <USER32.dll+0x1c4e7>)
So for each line in results.txt you have to parse out the offset and invoke symbolquery on the module like below:
:\>symquery.exe -f -e c:\Windows\System32\user32.dll -a +0x1c4e7
InternalCallWinProc+0x23
??:0
:\>symquery.exe -f -e c:\Windows\System32\user32.dll -a +0x1c5e7
UserCallWinProcCheckWow+0xb3
A simple test processing example from a results.txt and a trimmed output:
:\>grep "^#" results.txt | sed s/".*<"//g
# 0 system call NtUserBuildPropList parameter #2
USER32.dll+0x649d9>)
snip
COMCTL32.dll+0x2f443>)
Notice the comctl32.dll (there is a default comctl.dll in system32.dll and several others in winsxs); you have to consult the other files like global.log to view the dll load path.
symquery.exe -f -e c:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll -a +0x2f443
CallOriginalWndProc+0x1a
??:0
symquery.exe -f -e c:\Windows\system32\comctl32.dll -a +0x2f443
DrawInsert+0x120 <----- wrong symbol due to wrong module (late binding /forwarded xxx yyy reasons)
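The parse-and-query loop described in the answer, as an added example that is not part of the original answer or of the postpdb project. The function names, the module_paths mapping (to be filled from global.log) and the injectable run callback are assumptions; the symquery flags are the ones shown above.

```python
import re
import subprocess

# Frame shape taken from the results.txt lines quoted above:
#   # 6 USER32.dll!gapfnScSendMessage +0x1ce (0x75fdc4e7 <USER32.dll+0x1c4e7>)
FRAME_RE = re.compile(r"^#\s*(\d+)\s.*<([^<>+]+)\+(0x[0-9a-fA-F]+)>\)\s*$")

def parse_frames(lines):
    """Return [(frame_no, module, offset)] for lines carrying <module+0xoff>."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def symquery_argv(module_path, offset, symquery="symquery.exe"):
    """Same flags as the invocation in the answer, as an argv list (no shell)."""
    return [symquery, "-f", "-e", module_path, "-a", "+" + offset]

def run_symquery(argv):
    """Default runner: execute symquery and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def resolve(lines, module_paths, run=run_symquery):
    """Return [(frame_no, module, offset, symbol_or_None)] in input order.

    module_paths maps lower-cased module name -> the full path the process
    actually loaded (from global.log). Unmapped modules stay None: guessing
    system32 would resolve against the wrong binary and give a wrong symbol.
    """
    resolved = []
    for frame_no, module, offset in parse_frames(lines):
        path = module_paths.get(module.lower())
        symbol = None
        if path is not None:
            out = run(symquery_argv(path, offset)).splitlines()
            symbol = out[0].strip() if out else None
        resolved.append((frame_no, module, offset, symbol))
    return resolved

# Constructed sample: lines shaped like the page's, last frame is made up.
SAMPLE = [
    "# 0 system call NtUserBuildPropList parameter #2",
    "# 6 USER32.dll!gapfnScSendMessage +0x1ce (0x75fdc4e7 <USER32.dll+0x1c4e7>)",
    "# 7 USER32.dll!gapfnScSendMessage +0x2ce (0x75fdc5e7 <USER32.dll+0x1c5e7>)",
    "# 8 COMCTL32.dll!? +0x0 (0x00000000 <COMCTL32.dll+0x2f443>)",
]
PATHS = {"user32.dll": r"c:\Windows\System32\user32.dll"}  # assumed mapping
```

Calling resolve(SAMPLE, PATHS) on a machine with symquery.exe on the PATH resolves the two USER32 frames and leaves the COMCTL32 frame unresolved until its winsxs path is added to the mapping.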