How to examine user thread call stack from windbg kernel debugger?


Problem description

My exe-once test program calls CancelIo and it blocks, I'd like to investigate in which function it is blocking, so, when it blocks, I use windbg to break into the machine, remotely, and try to find it out.

As marked as yellow in the image, my EXE has two threads, fffffa8013958b60 and fffffa8013aa1060. I already know that fffffa8013aa1060 is the one calling CancelIo.

Then, how do I show current call stack of the thread fffffa8013aa1060?

1: kd> !process fffffa8014c25170 2
PROCESS fffffa8014c25170
    SessionId: 1  Cid: 0ad4    Peb: 7fffffdf000  ParentCid: 07b8
    DirBase: 2b451000  ObjectTable: fffff8a002e61620  HandleCount:  12.
    Image: exe-once.exe

        THREAD fffffa8013958b60  Cid 0ad4.0724  Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8013aa1060  Thread

        THREAD fffffa8013aa1060  Cid 0ad4.01e8  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) KernelMode Non-Alertable
            fffffa8013aa1420  Semaphore Limit 0x1

Recommended answer

Try this command sequence:

.process /i fffffa8014c25170 
g
.thread fffffa8013aa1060
.reload /user
k

Excerpt from WinDbg documentation:

/i [...] Specifies that Process is to be debugged invasively. This kind of debugging means that the operating system of the target computer actually makes the specified process active. [...] If you use /i, you must use the g (Go) command to execute the target. After several seconds, the target breaks back in to the debugger, and the specified Process is active and used for the process context.
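
The following is an added example, not part of the original question or answer: a small Python helper that parses the `!process <address> 2` output shown in the question, picks out the thread whose wait mode is KernelMode, and fills in the answer's command sequence for it. The function names (parse_process, blocked_in_kernel, stack_commands) are hypothetical, and the sample text is the debugger output copied from the question.

```python
import re

# Output of `!process fffffa8014c25170 2`, copied from the question above.
SAMPLE = """\
PROCESS fffffa8014c25170
    SessionId: 1  Cid: 0ad4    Peb: 7fffffdf000  ParentCid: 07b8
    DirBase: 2b451000  ObjectTable: fffff8a002e61620  HandleCount:  12.
    Image: exe-once.exe

        THREAD fffffa8013958b60  Cid 0ad4.0724  Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
            fffffa8013aa1060  Thread

        THREAD fffffa8013aa1060  Cid 0ad4.01e8  Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (DelayExecution) KernelMode Non-Alertable
            fffffa8013aa1420  Semaphore Limit 0x1
"""

PROC_RE = re.compile(r"^PROCESS\s+([0-9a-f]{16})", re.I)
THREAD_RE = re.compile(
    r"^\s*THREAD\s+([0-9a-f]{16})\s+Cid\s+([0-9a-f]+\.[0-9a-f]+)"
    r"(?:.*?WAIT:\s+\((\w+)\)\s+(\w+))?", re.I)  # reason/mode only if waiting
WAITOBJ_RE = re.compile(r"^\s+([0-9a-f]{16})\s+(\S.*)$", re.I)

def parse_process(text):
    """Parse one PROCESS block into its address, image name and threads."""
    proc = {"address": None, "image": None, "threads": []}
    for line in text.splitlines():
        if m := PROC_RE.match(line):
            proc["address"] = m.group(1)
        elif line.strip().startswith("Image:"):
            proc["image"] = line.split(":", 1)[1].strip()
        elif m := THREAD_RE.match(line):
            proc["threads"].append({"address": m.group(1), "cid": m.group(2),
                "reason": m.group(3), "mode": m.group(4), "waits_on": []})
        elif (m := WAITOBJ_RE.match(line)) and proc["threads"]:
            proc["threads"][-1]["waits_on"].append((m.group(1), m.group(2).strip()))
    return proc

def blocked_in_kernel(proc):
    """Threads whose wait mode is KernelMode, like the CancelIo caller here."""
    return [t for t in proc["threads"] if t["mode"] == "KernelMode"]

def stack_commands(proc, thread):
    """The answer's command sequence, filled in for one thread."""
    return [f".process /i {proc['address']}", "g",
            f".thread {thread['address']}", ".reload /user", "k"]

if __name__ == "__main__":
    p = parse_process(SAMPLE)
    for t in blocked_in_kernel(p):
        print("\n".join(stack_commands(p, t)))
```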
