Page 1 of 1

How can I see 32-bit stack in a dump saved by 64-bit WinDbg?

PostPosted: Sun Oct 15, 2006 7:46 pm
by Dump
Hi!

I've got 32-bit application hanging on my 64-bit workstation and attached x64 WinDbg to it and saved a dump. However when I open the dump I never get my application stacks, only these:

Code: Select all
0:002> ~*kL

   0  Id: e1c.d7c Suspend: 1 Teb: 00000000`7efdb000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0012ede8 00000000`78b840e5 wow64cpu!CpupSyscallStub+0x9
00000000`0012edf0 00000000`78be6a5a wow64cpu!Thunk0ArgReloadState+0x1a
00000000`0012ee60 00000000`78be5e0d wow64!RunCpuSimulation+0xa
00000000`0012ee90 00000000`78ed8501 wow64!Wow64LdrpInitialize+0x2ed
00000000`0012f6c0 00000000`78ed6416 ntdll!LdrpInitializeProcess+0x17d9
00000000`0012f9d0 00000000`78ef3925 ntdll!LdrpInitialize+0x18f
00000000`0012fab0 00000000`77d59640 ntdll!KiUserApcDispatch+0x15
00000000`0012ffa8 00000000`00000000 0x77d59640
00000000`0012ffb0 00000000`00000000 0x0
00000000`0012ffb8 00000000`00000000 0x0
00000000`0012ffc0 00000000`00000000 0x0
00000000`0012ffc8 00000000`00000000 0x0
00000000`0012ffd0 00000000`00000000 0x0
00000000`0012ffd8 00000000`00000000 0x0
00000000`0012ffe0 00000000`00000000 0x0
00000000`0012ffe8 00000000`00000000 0x0
00000000`0012fff0 00000000`00000000 0x0
00000000`0012fff8 00000000`00000000 0x0
00000000`00130000 00000020`78746341 0x0
00000000`00130008 000052cc`00000001 0x20`78746341

   1  Id: e1c.c54 Suspend: 1 Teb: 00000000`7efd8000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0271e6e8 00000000`78bac512 wow64win!NtUserMessageCall+0xa
00000000`0271e6f0 00000000`78bbfddf wow64win!whNT32NtUserMessageCallCB+0x32
00000000`0271e740 00000000`78bac647 wow64win!Wow64DoMessageThunk+0xaf
00000000`0271e7a0 00000000`78be6866 wow64win!whNtUserMessageCall+0x127
00000000`0271e830 00000000`78b83c7d wow64!Wow64SystemServiceEx+0xd6
00000000`0271f0f0 00000000`78be6a5a wow64cpu!ServiceNoTurbo+0x28
00000000`0271f180 00000000`78be5e0d wow64!RunCpuSimulation+0xa
00000000`0271f1b0 00000000`78f110e0 wow64!Wow64LdrpInitialize+0x2ed
00000000`0271f6f0 00000000`78ef3925 ntdll!LdrpInitialize+0x2aa
00000000`0271f7d0 00000000`7d4d1504 ntdll!KiUserApcDispatch+0x15
00000000`0271fcc8 00000000`00000000 kernel32!BaseThreadStartThunk
00000000`0271fcd0 00000000`00000000 0x0
00000000`0271fcd8 00000000`00000000 0x0
00000000`0271fce0 00000000`00000000 0x0
00000000`0271fce8 00000000`00000000 0x0
00000000`0271fcf0 00000000`00000000 0x0
00000000`0271fcf8 00000000`00000000 0x0
00000000`0271fd00 00010003`00000000 0x0
00000000`0271fd08 00000000`00000000 0x10003`00000000
00000000`0271fd10 00000000`00000000 0x0

#  2  Id: e1c.c9c Suspend: 1 Teb: 00000000`7efd5000 Unfrozen
Child-SP          RetAddr           Call Site
00000000`0255ffa8 00000000`78f17c06 ntdll!DbgBreakPoint
00000000`0255ffb0 00000000`00000000 ntdll!DbgUiRemoteBreakin+0x26



Thanks!

PostPosted: Mon Oct 16, 2006 1:02 pm
by VDO
You need to install 32-bit WinDbg on your 64-bit machine (they can coexist together). Then use it to attach to your 32-bit process and save a dump.

PostPosted: Mon Jan 15, 2007 7:34 am
by tobyeo
If you already have the dump and its hard to get another dump with the 32 bit tools you can still attempt to get the stack from the 64 bit debugger using the 64 bit dump.

Use DQS RSP on the stack and look at the stack around the RunCPuSimulation or prior and the 32 bit stack pointer will be saved on the stack. You can then do DDS <address> on this location, but you will need to walk the stack back manually unless you can find a context record to use with .cxr as the 64 bit debugger will allow you to set break points and debug the 32 bit code on a live system, so it should be able to set an appropriate context record for 32 bit if one if found but I have never tried.

PostPosted: Thu Jan 25, 2007 10:13 am
by VDO
There is WinDbg wow64exts.dll extension that allows you to do it:

Code: Select all
0:001> !wow64exts.help
Wow64 debugger extensions:

help:          Prints this help message.
k <count>:     Combined 32/64 stack trace(no parameters).
kb <count>:    Combined 32/64 stack trace(with parameters).
straddr:       Dumps the address of important wow64 structures.
tls:           Dumps the WOW64 TLS slots.
ctx(addr):     Dump an x86 CONTEXT.
u:             Unassemble x86 code.
r:             Dump or modify registers.
bp:            Set x86 breakpoint.
bc:            Clear x86 breakpoint.
bl:            List x86 breakpoints.
be:            Enable x86 breakpoint.
bd:            Disable x86 breakpoint.
t <count>:     x86 trace on next 'g'.
tr <count>:    x86 trace with regs on next 'g'.
p <count>:     x86 step on next 'g'.
pr <count>:    x86 step with regs on next 'g'.
tlog <-r> [count] [file]                 single-step 'count' instructions and log to a file.
lf:            Dump/Set log flags.
l2f:           Enable logging to file .

New Commands:
sw:            Switch between 32-bit and 64-bit mode .
               Dumps file version info.

Tentative Commands:
bp32           set x86 breakpoint
bp64           set ia64 breakpoint
r32            Dump or modify x86 registers (if context available)
r64            Dump or modify ia64 registers
k32            Dumps x86 stack trace (if context available)
k64            Dumps ia64 stack trace
u32            Unassemble x86 code (if possible)
u64            Unassemble ia64 code (if possible)

WoW64 Category Logging Commands:
wow64lc        Lists all logging categories
wow64lo        Modifies logging output options


Here I attached 64-bit WinDbg to my 32-bit process running on x64 Windows:

Code: Select all
0:000> !wow64exts.k
Walking 64bit Stack...
Child-SP          RetAddr           Call Site
00000000`0012e4a8 00000000`78bac464 wow64win!NtUserGetMessage+0xa
00000000`0012e4b0 00000000`78be6866 wow64win!whNtUserGetMessage+0x34
00000000`0012e510 00000000`78b83c7d wow64!Wow64SystemServiceEx+0xd6
00000000`0012edd0 00000000`78be6a5a wow64cpu!ServiceNoTurbo+0x28
00000000`0012ee60 00000000`78be5e0d wow64!RunCpuSimulation+0xa
00000000`0012ee90 00000000`78ed8501 wow64!Wow64LdrpInitialize+0x2ed
00000000`0012f6c0 00000000`78ed6416 ntdll!LdrpInitializeProcess+0x17d9
00000000`0012f9d0 00000000`78ef3925 ntdll!LdrpInitialize+0x18f
00000000`0012fab0 00000000`77d59640 ntdll!KiUserApcDispatch+0x15
00000000`0012ffa8 00000000`00000000 0x77d59640
00000000`0012ffb0 00000000`00000000 0x0
00000000`0012ffb8 00000000`00000000 0x0
00000000`0012ffc0 00000000`00000000 0x0
00000000`0012ffc8 00000000`00000000 0x0
00000000`0012ffd0 00000000`00000000 0x0
00000000`0012ffd8 00000000`00000000 0x0
00000000`0012ffe0 00000000`00000000 0x0
00000000`0012ffe8 00000000`00000000 0x0
00000000`0012fff0 00000000`00000000 0x0
00000000`0012fff8 00000000`00000000 0x0
Walking 32bit Stack...
ChildEBP          RetAddr           
002dfddc 0041468f USER32!NtUserGetMessage+0x15
002dfdf8 00417ed1 MessageHistory!AfxInternalPumpMessage+0x18 [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 153]
002dfe1c 00415bed MessageHistory!CWnd::RunModalLoop+0xca [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4322]
002dfe68 0040116a MessageHistory!CDialog::DoModal+0x12c [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 544]
002dff18 0043664d MessageHistory!CMessageHistoryApp::InitInstance+0x12a [c:\work\messagehistory\messagehistory.cpp @ 112]
002dff28 00420468 MessageHistory!AfxWinMain+0x47 [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp @ 37]
002dffc0 7d4e992a MessageHistory!__tmainCRTStartup+0x176 [f:\rtm\vctools\crt_bld\self_x86\crt\src\crt0.c @ 315]
002dfff0 00000000 KERNEL32!BaseProcessStart+0x28


or just

Code: Select all
0:000> !wow64exts.kb
ChildEBP          RetAddr           Args to Child                                         
002dfddc 0041468f 002e63a0 00000000 00000000 user32!NtUserGetMessage+0x15
002dfdf8 00417ed1 00000004 002dfe80 002dfe68 MessageHistory!AfxInternalPumpMessage+0x18 [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 153]
002dfe1c 00415bed 00000004 73d1a794 7d4dadcb MessageHistory!CWnd::RunModalLoop+0xca [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4322]
002dfe68 0040116a 73d1a788 0044a9a0 0044a9a0 MessageHistory!CDialog::DoModal+0x12c [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 544]
002dff18 0043664d 00000ece 00000002 00000001 MessageHistory!CMessageHistoryApp::InitInstance+0x12a [c:\work\messagehistory\messagehistory.cpp @ 112]
002dff28 00420468 00400000 00000000 001d07d0 MessageHistory!AfxWinMain+0x47 [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp @ 37]
002dffc0 7d4e992a 00000000 00000000 7efdf000 MessageHistory!__tmainCRTStartup+0x176 [f:\rtm\vctools\crt_bld\self_x86\crt\src\crt0.c @ 315]
002dfff0 00000000 004204d1 00000000 000000c8 kernel32!BaseProcessStart+0x28

PostPosted: Sat Feb 10, 2007 4:25 pm
by VDO
or simply you can switch to 32-bit mode:

Code: Select all
0:000> !wow64exts.sw
Switched to 32bit mode

0:000:x86> kv
ChildEBP          RetAddr           Args to Child                                         
002dfddc 0040d7cc 002e6458 00000000 00000000 USER32!NtUserGetMessage+0x15
002dfdf8 00411287 00000004 002dfe78 002dfe68 ProcessHistory!AfxInternalPumpMessage+0x18 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp @ 153]
002dfe1c 0040efab 00000004 1eb93984 004414e0 ProcessHistory!CWnd::RunModalLoop+0xca (FPO: [Non-Fpo]) (CONV: thiscall) [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp @ 4322]
002dfe68 004010b5 1eb93998 004414e0 00434814 ProcessHistory!CDialog::DoModal+0x12c (FPO: [Non-Fpo]) (CONV: thiscall) [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp @ 544]
002dff18 00431577 00000ece 00000002 00000001 ProcessHistory!CProcessHistoryApp::InitInstance+0x55 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\dmitri\processhistory\processhistory.cpp @ 72]
002dff28 00419881 00400000 00000000 001d082c ProcessHistory!AfxWinMain+0x47 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\rtm\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp @ 37]
002dffc0 7d4e992a 00000000 00000000 7efdf000 ProcessHistory!__tmainCRTStartup+0x176 (FPO: [Non-Fpo]) (CONV: cdecl) [f:\rtm\vctools\crt_bld\self_x86\crt\src\crt0.c @ 315]
002dfff0 00000000 004198ea 00000000 000000c8 kernel32!BaseProcessStart+0x28 (FPO: [Non-Fpo])