Displaying and Searching std::map Contents in WinDbg

July 25, 2013

tags: , ,
6 comments

This time we’re up for a bigger challenge. We want to automatically display and possibly search and filter std::map objects in WinDbg. The script for std::vectors was relatively easy because of the flat structure of the data in a vector; maps are more complex beasts.

Specifically, an map in the Visual C++ STL is implemented as a red-black tree. Each tree node has three important pointers: _Left, _Right, and _Parent. Additionally, each node has a _Myval field that contains the std::pair with the key and value represented by the node.

Iterating a tree structure requires recursion, and WinDbg scripts don’t have any syntax to define functions. However, we can invoke a script recursively – a script is allowed to contain the $$>a< command that invokes it again with a different set of arguments. The path to the script is also readily available in ${$arg0}.

Before I show you the script, there’s just one little challenge I had to deal with. When you call a script recursively, the values of the pseudo-registers (like $t0) will be clobbered by the recursive invocation. I was on the verge of allocating memory dynamically or calling into a shell process to store and load variables, when I stumbled upon the .push and .pop commands, which store the register context and load it, respectively. These are a must for recursive WinDbg scripts.

OK, so suppose you want to display values from an std::map<int, point> where the key is less than or equal to 2. Here we go:

0:000> $$>a< traverse_map.script my_map -c ".block { .if (@@(@$t9.first) <= 2) { .echo —-; ?? @$t9.second } }"

size = 10
—-
struct point
   +0x000 x                : 0n1
   +0x004 y                : 0n2
   +0x008 data             : extra_data
—-
struct point
   +0x000 x                : 0n0
   +0x004 y                : 0n1
   +0x008 data             : extra_data
—-
struct point
   +0x000 x                : 0n2
   +0x004 y                : 0n3
   +0x008 data             : extra_data

For each pair (stored in the $t9 pseudo-register), the block checks if the first component is less than or equal to 2, and if it is, outputs the second component.

Next, here’s the script. Note it’s considerably more complex that what we had to with vectors, because it essentially invokes itself with a different set of parameters and then repeats recursively.

.if ($sicmp("${$arg1}", "-n") == 0) {
    .if (@@(@$t0->_Isnil) == 0) {
        .if (@$t2 == 1) {
            .printf /D "<exec cmd=\"db %p L10\">%p</exec>\n", @$t0, @$t0
            .printf "key = "
            ?? @$t0->_Myval.first
            .printf "value = "
            ?? @$t0->_Myval.second
        } .else {
            r? $t9 = @$t0->_Myval
            command
        }
    }

    $$ Recurse into _Left, _Right unless they point to the root of the tree
    .if (@@(@$t0->_Left) != @@(@$t1)) {
        .push /r /q
        r? $t0 = @$t0->_Left
        $$>a< ${$arg0} -n
        .pop /r /q
    }
    .if (@@(@$t0->_Right) != @@(@$t1)) {
        .push /r /q
        r? $t0 = @$t0->_Right
        $$>a< ${$arg0} -n
        .pop /r /q
    }
} .else {
    r? $t0 = ${$arg1}

    .if (${/d:$arg2}) {
        .if ($sicmp("${$arg2}", "-c") == 0) {
            r $t2 = 0
            aS ${/v:command} "${$arg3}"
        }
    } .else {
        r $t2 = 1
        aS ${/v:command} " "
    }

    .printf "size = %d\n", @@(@$t0._Mysize) 
    
    r? $t0 = @$t0._Myhead->_Parent
    r? $t1 = @$t0->_Parent

    $$>a< ${$arg0} -n

    ad command
}

Of particular note are the aS command which configures an alias that is then used by the recursive invocation to invoke a command block for each of the map’s elements; the $sicmp function which compares strings; and the .printf /D function, which outputs a chunk of DML. Finally, the recursion terminates when _Left or _Right are equal to the root of the tree (that’s just how the tree is implemented in this case).


I am posting short links and updates on Twitter as well as on this blog. You can follow me: @goldshtn

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

6 comments

  1. Marc ShermanJuly 26, 2013 ב 9:54 AM

    Friggin’ awesome! Bookmarked. Thanks for posting this!!

    Reply
  2. KappaAugust 14, 2013 ב 1:29 PM

    Excellent! Worked like a charm.

    Reply
  3. IsaakAugust 28, 2013 ב 12:05 PM

    Thanks for posting! However I’m getting this error

    Type is not struct/class/union for operator. ‘._Mysize) )

    when executing

    .printf “size = %d\n”, @@(@$t0._Mysize)

    my_map is a std::map. Is therer something I’m missing?

    Thank you

    Reply
  4. VladimirMarch 15, 2016 ב 8:10 PM

    Thanks, helped me a lot!

    Reply
  5. VicSeptember 28, 2016 ב 12:53 AM

    not working for me

    Reply
  6. Mark KharitonovSeptember 1, 2017 ב 12:01 AM

    I wonder if it is possible to call $$>a< ${$arg0} -n from the body of a .foreach command.

    I am trying, but getting Alias already defined error

    Reply