1 <chapter id="debugger">
2 <title>Debugging Wine</title>
5 <title>Introduction</title>
8 Written by &name-eric-pouech; <email>&email-eric-pouech;</email>
9 (Last updated: 6/14/2000)
12 (Extracted from <filename>wine/documentation/winedbg</filename>)
16 <title>Processes and threads: in underlying OS and in Windows</title>
19 Before going into the depths of debugging in Wine, here's
20 a small overview of process and thread handling in Wine.
21 It has to be clear that there are two different beasts:
22 processes/threads from the Unix point of view and
23 processes/threads from a Windows point of view.
26 Each Windows' thread is implemented as a Unix process (under
27 Linux using the <function>clone</function> syscall), meaning
28 that all threads of a same Windows' process share the same
36 <para><varname>W-process</varname> means a process in Windows' terminology</para>
39 <para><varname>U-process</varname> means a process in Unix' terminology</para>
42 <para><varname>W-thread</varname> means a thread in Windows' terminology</para>
46 A <varname>W-process</varname> is made of one or several
47 <varname>W-threads</varname>. Each
48 <varname>W-thread</varname> is mapped to one and only one
49 <varname>U-process</varname>. All
50 <varname>U-processes</varname> of a same
51 <varname>W-process</varname> share the same address space.
54 Each Unix process can be identified by two values:
58 <para>the Unix process id (<varname>upid</varname> in the following)</para>
61 <para>the Windows's thread id (<varname>tid</varname>)</para>
65 Each Windows' process has also a Windows' process id
66 (<varname>wpid</varname> in the following). It must be clear
67 that <varname>upid</varname> and <varname>wpid</varname> are
68 different and shall not be used instead of the other.
71 <varname>Wpid</varname> and <varname>tid</varname> are
72 defined (Windows) system wide. They must not be confused
73 with process or thread handles which, as any handle, is an
74 indirection to a system object (in this case process or
75 thread). A same process can have several different handles
76 on the same kernel object. The handles can be defined as
77 local (the values is only valid in a process), or system
78 wide (the same handle can be used by any
79 <varname>W-process</varname>).
84 <title>Wine, debugging and WineDbg</title>
87 When talking of debugging in Wine, there are at least two
92 <para>the Windows' debugging API.</para>
95 <para>the Wine integrated debugger, dubbed
96 <command>WineDbg</command>.</para>
100 Wine implements most of the Windows' debugging API (the
101 part in KERNEL32, not the one in
102 <filename>IMAGEHLP.DLL</filename>), and allows any program
103 (emulated or Winelib) using that API to debug a
104 <varname>W-process</varname>.
107 <command>WineDbg</command> is a Winelib application making
108 use of this API to allow debugging both any Wine or Winelib
109 applications as well as Wine itself (kernel and all DLLs).
115 <sect1 id="dbg-modes">
116 <title>WineDbg's modes of invocation</title>
119 <title>Starting a process</title>
122 Any application (either a Windows' native executable, or a
123 Winelib application) can be run through
124 <command>WineDbg</command>. Command line options and tricks
125 are the same as for wine:
129 winedbg "hl.exe -windowed"
134 <title>Attaching</title>
137 <command>WineDbg</command> can also be launched without any
138 command line argument: <command>WineDbg</command> is started
139 without any attached process. You can get a list of running
140 <varname>W-processes</varname> (and their
141 <varname>wpid</varname>'s) using the <command>walk
142 process</command> command, and then, with the
143 <command>attach</command> command, pick up the
144 <varname>wpid</varname> of the <varname>W-process</varname>
145 you want to debug. This is (for now) a neat feature for the
150 <para>you can debug an already started application</para>
155 <sect2 id="dbg-on-exception">
156 <title id="dbg-exception-title">On exception</title>
159 When something goes wrong, Windows tracks this as an
160 exception. Exceptions exist for segmentation violation,
161 stack overflow, division by zero...
164 When an exception occurs, Wine checks if the <varname>W-process</varname> is
165 debugged. If so, the exception event is sent to the
166 debugger, which takes care of it: end of the story. This
167 mechanism is part of the standard Windows' debugging API.
170 If the <varname>W-process</varname> is not debugged, Wine
171 tries to launch a debugger. This debugger (normally
172 <command>WineDbg</command>, see III Configuration for more
173 details), at startup, attaches to the
174 <varname>W-process</varname> which generated the exception
175 event. In this case, you are able to look at the causes of
176 the exception, and either fix the causes (and continue
177 further the execution) or dig deeper to understand what went
181 If <command>WineDbg</command> is the standard debugger, the
182 <command>pass</command> and <command>cont</command> commands
183 are the two ways to let the process go further for the
184 handling of the exception event.
187 To be more precise on the way Wine (and Windows) generates
188 exception events, when a fault occurs (segmentation
189 violation, stack overflow...), the event is first sent to
190 the debugger (this is known as a first chance exception).
191 The debugger can give two answers:
196 <term>continue:</term>
199 the debugger had the ability to correct what's
200 generated the exception, and is now able to continue
209 the debugger couldn't correct the cause of the
210 first chance exception. Wine will now try to walk
211 the list of exception handlers to see if one of them
212 can handle the exception. If no exception handler is
213 found, the exception is sent once again to the
214 debugger to indicate the failure of the exception
222 since some of Wine's code uses exceptions and
223 <function>try/catch</function> blocks to provide some
224 functionality, <command>WineDbg</command> can be entered
225 in such cases with segv exceptions. This happens, for
226 example, with <function>IsBadReadPtr</function> function.
227 In that case, the <command>pass</command> command shall be
228 used, to let the handling of the exception to be done by
229 the <function>catch</function> block in
230 <function>IsBadReadPtr</function>.
236 <title>Quitting</title>
239 Unfortunately, Windows doesn't provide a detach kind of API,
240 meaning that once you started debugging a process, you must
241 do so until the process dies. Killing (or stopping/aborting)
242 the debugger will also kill the debugged process. This will
243 be true for any Windows' debugging API compliant debugger,
244 starting with <command>WineDbg</command>.
250 <sect1 id="wine-debugger">
251 <title>Using the Wine Debugger</title>
254 Written by &name-marcus-meissner; <email>&email-marcus-meissner;</email>,
258 (Extracted from <filename>wine/documentation/debugging</filename>)
262 This file describes where to start debugging Wine. If at any
263 point you get stuck and want to ask for help, please read the
264 file <filename>documentation/bugreports</filename> for
265 information on how to write useful bug reports.
269 <title>Crashes</title>
272 These usually show up like this:
275 |Unexpected Windows program segfault - opcode = 8b
276 |Segmentation fault in Windows program 1b7:c41.
277 |Loading symbols from ELF file /root/wine/wine...
278 |....more Loading symbols from ...
281 | CS:01b7 SS:016f DS:0287 ES:0000
282 | IP:0c41 SP:878a BP:8796 FLAGS:0246
283 | AX:811e BX:0000 CX:0000 DX:0000 SI:0001 DI:ffff
285 |0x016f:0x878a: 0001 016f ffed 0000 0000 0287 890b 1e5b
286 |0x016f:0x879a: 01b7 0001 000d 1050 08b7 016f 0001 000d
287 |0x016f:0x87aa: 000a 0003 0004 0000 0007 0007 0190 0000
290 |0050: sel=0287 base=40211d30 limit=0b93f (bytes) 16-bit rw-
292 |0 0x01b7:0x0c41 (PXSRV_FONGETFACENAME+0x7c)
293 |1 0x01b7:0x1e5b (PXSRV_FONPUTCATFONT+0x2cd)
295 |3 0x01b7:0x0768 (PXSRV_FONINITFONTS+0x81)
296 |4 0x014f:0x03ed (PDOXWIN_@SQLCURCB$Q6CBTYPEULN8CBSCTYPE+0x1b1)
299 |0x01b7:0x0c41 (PXSRV_FONGETFACENAME+0x7c): movw %es:0x38(%bx),%dx
302 Steps to debug a crash. You may stop at any step, but please
303 report the bug and provide as much of the information
304 gathered to the newsgroup or the relevant developer as
311 Get the reason for the crash. This is usually an access to
312 an invalid selector, an access to an out of range address
313 in a valid selector, popping a segmentregister from the
314 stack or the like. When reporting a crash, report this
315 <emphasis>whole</emphasis> crashdump even if it doesn't
319 (In this case it is access to an invalid selector, for
320 <systemitem>%es</systemitem> is <literal>0000</literal>, as
321 seen in the register dump).
326 Determine the cause of the crash. Since this is usually
327 a primary/secondary reaction to a failed or misbehaving
328 Wine function, rerun Wine with <parameter>-debugmsg
329 +relay</parameter> added to the commandline. This will
330 generate quite a lot of output, but usually the reason is
331 located in the last call(s). Those lines usually look like
335 |Call KERNEL.90: LSTRLEN(0227:0692 "text") ret=01e7:2ce7 ds=0227
336 ^^^^^^^^^ ^ ^^^^^^^^^ ^^^^^^ ^^^^^^^^^ ^^^^
337 | | | | | |Datasegment
338 | | | | |Return address
339 | | | |textual parameter
341 | | |Argument(s). This one is a win16 segmented pointer.
343 |The module, the function is called in. In this case it is KERNEL.
345 |Ret KERNEL.90: LSTRLEN() retval=0x0004 ret=01e7:2ce7 ds=0227
347 |Returnvalue is 16 bit and has the value 4.
352 If you have found a misbehaving function, try to find out
353 why it misbehaves. Find the function in the source code.
354 Try to make sense of the arguments passed. Usually there is
355 a <function>TRACE(<channel>,"(...)\n");</function> at
356 the beginning of the function. Rerun wine with
357 <parameter>-debugmsg +xyz,+relay</parameter> added to the
363 Additional information on how to debug using the internal
364 debugger can be found in
365 <filename>debugger/README</filename>.
370 If this information isn't clear enough or if you want to
371 know more about what's happening in the function itself,
372 try running wine with <parameter>-debugmsg
373 +all</parameter>, which dumps ALL included debug
379 If even that isn't enough, add more debug output for
380 yourself into the functions you find relevant. See
381 <filename>documentation/debug-msgs</filename>. You might
382 also try to run the program in <command>gdb</command>
383 instead of using the WINE-debugger. If you do that, use
384 <parameter>handle SIGSEGV nostop noprint</parameter> to
385 disable the handling of seg faults inside
386 <command>gdb</command> (needed for Win16). If you don't use
387 the <parameter>--desktop</parameter> or
388 <parameter>--managed</parameter> option, start the WINE
389 process with <parameter>--sync</parameter>, or chances are
390 good to get X into an unusable state.
395 You can also set a breakpoint for that function. Start wine
396 with the <parameter>--debug</parameter> option added to the
397 commandline. After loading the executable wine will enter
398 the internal debugger. Use <parameter>break
399 KERNEL_LSTRLEN</parameter> (replace by function you want
400 to debug, CASE IS RELEVANT) to set a breakpoint. Then use
401 <command>continue</command> to start normal
402 program-execution. Wine will stop if it reaches the
403 breakpoint. If the program isn't yet at the crashing call
404 of that function, use <command>continue</command> again
405 until you are about to enter that function. You may now
406 proceed with single-stepping the function until you reach
407 the point of crash. Use the other debugger commands to
408 print registers and the like.
415 <title>Program hangs, nothing happens</title>
418 Switch to UNIX shell, get the process-ID using <command>ps -a |
419 grep wine</command>, and do a <command>kill -HUP
420 <pid></command> (without the < and >). Wine will
421 then enter its internal debugger and you can proceed as
422 explained above. Also, you can use
423 <parameter>--debug</parameter> switch and then you can get into
424 internal debugger by pressing
425 <keycombo><keycap>Ctrl</keycap><keycap>C</keycap></keycombo> in
426 the terminal where you run Wine.
431 <title>Program reports an error with a Messagebox</title>
434 Sometimes programs are reporting failure using more or
435 less nondescript messageboxes. We can debug this using the
436 same method as Crashes, but there is one problem... For
437 setting up a message box the program also calls Wine
438 producing huge chunks of debug code.
441 Since the failure happens usually directly before setting up
442 the Messagebox you can start wine with
443 <parameter>--debug</parameter> added to the commandline, set a
444 breakpoint at <function>MessageBoxA</function> (called by win16
445 and win32 programs) and proceed with
446 <command>continue</command>. With <parameter>--debugmsg
447 +all</parameter> Wine will now stop directly before setting
448 up the Messagebox. Proceed as explained above.
451 You can also run wine using <command>wine -debugmsg +relay
452 program.exe 2>&1 | less -i</command> and in
453 <command>less</command> search for <quote>MessageBox</quote>.
458 <title>Disassembling programs:</title>
461 You may also try to disassemble the offending program to
462 check for undocumented features and/or use of them.
465 The best, freely available, disassembler for Win16 programs is
466 <application>Windows Codeback</application>, archivename
467 <filename>wcbxxx.zip</filename>, which usually can be found in
468 the <filename>Cica-Mirror</filename> subdirectory on the WINE
469 ftpsites. (See <filename>ANNOUNCE</filename>).
472 Disassembling win32 programs is possible using
473 <application>Windows Disassembler 32</application>, archivename
474 something like <filename>w32dsm87.zip</filename> (or similar)
475 on <systemitem class="systemname">ftp.winsite.com</systemitem>
476 and mirrors. The shareware version does not allow saving of
477 disassembly listings. You can also use the newer (and in the
478 full version better) <application>Interactive
479 Disassembler</application> (IDA) from the ftp sites mentioned
480 at the end of the document. Understanding disassembled code is
481 mostly a question of exercise.
484 Most code out there uses standard C function entries (for it
485 is usually written in C). Win16 function entries usually
492 retf XXXX <--------- XXXX is number of bytes of arguments
495 This is a <function>FAR</function> function with no local
496 storage. The arguments usually start at
497 <literal>[bp+6]</literal> with increasing offsets. Note, that
498 <literal>[bp+6]</literal> belongs to the
499 <emphasis>rightmost</emphasis> argument, for exported win16
500 functions use the PASCAL calling convention. So, if we use
501 <function>strcmp(a,b)</function> with <parameter>a</parameter>
502 and <parameter>b</parameter> both 32 bit variables
503 <parameter>b</parameter> would be at <literal>[bp+6]</literal>
504 and <parameter>a</parameter> at <literal>[bp+10]</literal>.
507 Most functions make also use of local storage in the stackframe:
511 ... function code ...
516 This does mostly the same as above, but also adds
517 <literal>0x86</literal> bytes of stackstorage, which is
518 accessed using <literal>[bp-xx]</literal>. Before calling a
519 function, arguments are pushed on the stack using something
523 push word ptr [bp-02] <- will be at [bp+8]
524 push di <- will be at [bp+6]
528 Here first the selector and then the offset to the passed
534 <title>Sample debugging session:</title>
537 Let's debug the infamous Word <filename>SHARE.EXE</filename>
541 |marcus@jet $ wine winword.exe
542 | +---------------------------------------------+
543 | | ! You must leave Windows and load SHARE.EXE|
544 | | before starting Word. |
545 | +---------------------------------------------+
548 |marcus@jet $ wine winword.exe -debugmsg +relay -debug
549 |CallTo32(wndproc=0x40065bc0,hwnd=000001ac,msg=00000081,wp=00000000,lp=00000000)
550 |Win16 task 'winword': Breakpoint 1 at 0x01d7:0x001a
551 |CallTo16(func=0127:0070,ds=0927)
552 |Call WPROCS.24: TASK_RESCHEDULE() ret=00b7:1456 ds=0927
553 |Ret WPROCS.24: TASK_RESCHEDULE() retval=0x8672 ret=00b7:1456 ds=0927
554 |CallTo16(func=01d7:001a,ds=0927)
555 | AX=0000 BX=3cb4 CX=1f40 DX=0000 SI=0000 DI=0927 BP=0000 ES=11f7
556 |Loading symbols: /home/marcus/wine/wine...
557 |Stopped on breakpoint 1 at 0x01d7:0x001a
559 |Wine-dbg>break MessageBoxA <---- Set Breakpoint
560 |Breakpoint 2 at 0x40189100 (MessageBoxA [msgbox.c:190])
561 |Wine-dbg>c <---- Continue
562 |Call KERNEL.91: INITTASK() ret=0157:0022 ds=08a7
563 | AX=0000 BX=3cb4 CX=1f40 DX=0000 SI=0000 DI=08a7 ES=11d7 EFL=00000286
564 |CallTo16(func=090f:085c,ds=0dcf,0x0000,0x0000,0x0000,0x0000,0x0800,0x0000,0x0000,0x0dcf)
565 |... <----- Much debugoutput
566 |Call KERNEL.136: GETDRIVETYPE(0x0000) ret=060f:097b ds=0927
568 |Ret KERNEL.136: GETDRIVETYPE() retval=0x0002 ret=060f:097b ds=0927
569 ^^^^^^ DRIVE_REMOVEABLE
570 (It is a floppy diskdrive.)
572 |Call KERNEL.136: GETDRIVETYPE(0x0001) ret=060f:097b ds=0927
574 |Ret KERNEL.136: GETDRIVETYPE() retval=0x0000 ret=060f:097b ds=0927
575 ^^^^^^ DRIVE_CANNOTDETERMINE
576 (I don't have drive B: assigned)
578 |Call KERNEL.136: GETDRIVETYPE(0x0002) ret=060f:097b ds=0927
580 |Ret KERNEL.136: GETDRIVETYPE() retval=0x0003 ret=060f:097b ds=0927
582 (specified as a harddisk)
584 |Call KERNEL.97: GETTEMPFILENAME(0x00c3,0x09278364"doc",0x0000,0927:8248) ret=060f:09b1 ds=0927
585 ^^^^^^ ^^^^^ ^^^^^^^^^
586 | | |buffer for fname
587 | |temporary name ~docXXXX.tmp
588 |Force use of Drive C:.
590 |Warning: GetTempFileName returns 'C:~doc9281.tmp', which doesn't seem to be writeable.
591 |Please check your configuration file if this generates a failure.
594 Whoops, it even detects that something is wrong!
597 |Ret KERNEL.97: GETTEMPFILENAME() retval=0x9281 ret=060f:09b1 ds=0927
598 ^^^^^^ Temporary storage ID
600 |Call KERNEL.74: OPENFILE(0x09278248"C:~doc9281.tmp",0927:82da,0x1012) ret=060f:09d8 ds=0927
601 ^^^^^^^^^^^^^^^^ ^^^^^^^^^ ^^^^^^^
602 |filename |OFSTRUCT |open mode:
604 OF_CREATE|OF_SHARE_EXCLUSIVE|OF_READWRITE
607 This fails, since my <medialabel>C:</medialabel> drive is in
608 this case mounted readonly.
611 |Ret KERNEL.74: OPENFILE() retval=0xffff ret=060f:09d8 ds=0927
612 ^^^^^^ HFILE_ERROR16, yes, it failed.
614 |Call USER.1: MESSAGEBOX(0x0000,0x09278376"Sie mussen Windows verlassen und SHARE.EXE laden bevor Sie Word starten.",0x00000000,0x1030) ret=060f:084f ds=0927
620 |Stopped on breakpoint 2 at 0x40189100 (MessageBoxA [msgbox.c:190])
621 |190 { <- the sourceline
626 The code seems to find a writeable harddisk and tries to create
627 a file there. To work around this bug, you can define
628 <medialabel>C:</medialabel> as a networkdrive, which is ignored
634 <title>Debugging Tips</title>
637 Here are some useful debugging tips, added by Andreas Mohr:
643 If you have a program crashing at such an early loader phase that you can't
644 use the Wine debugger normally, but Wine already executes the program's
645 start code, then you may use a special trick. You should do a
647 wine --debugmsg +relay program
649 to get a listing of the functions the program calls in its start function.
652 wine --debug winfile.exe
656 This way, you get into <command>Wine-dbg</command>. Now you
657 can set a breakpoint on any function the program calls in
658 the start function and just type <userinput>c</userinput>
659 to bypass the eventual calls of Winfile to this function
660 until you are finally at the place where this function gets
661 called by the crashing start function. Now you can proceed
662 with your debugging as usual.
667 If you try to run a program and it quits after showing an error messagebox,
668 the problem can usually be identified in the return value of one of the
669 functions executed before <function>MessageBox()</function>.
670 That's why you should re-run the program with e.g.
672 wine --debugmsg +relay <program name> &>relmsg
674 Then do a <command>more relmsg</command> and search for the
675 last occurrence of a call to the string "MESSAGEBOX". This is a line like
677 Call USER.1: MESSAGEBOX(0x0000,0x01ff1246 "Runtime error 219 at 0004:1056.",0x00000000,0x1010) ret=01f7:2160 ds=01ff
679 In my example the lines before the call to
680 <function>MessageBox()</function> look like that:
682 Call KERNEL.96: FREELIBRARY(0x0347) ret=01cf:1033 ds=01ff
683 CallTo16(func=033f:0072,ds=01ff,0x0000)
684 Ret KERNEL.96: FREELIBRARY() retval=0x0001 ret=01cf:1033 ds=01ff
685 Call KERNEL.96: FREELIBRARY(0x036f) ret=01cf:1043 ds=01ff
686 CallTo16(func=0367:0072,ds=01ff,0x0000)
687 Ret KERNEL.96: FREELIBRARY() retval=0x0001 ret=01cf:1043 ds=01ff
688 Call KERNEL.96: FREELIBRARY(0x031f) ret=01cf:105c ds=01ff
689 CallTo16(func=0317:0072,ds=01ff,0x0000)
690 Ret KERNEL.96: FREELIBRARY() retval=0x0001 ret=01cf:105c ds=01ff
691 Call USER.171: WINHELP(0x02ac,0x01ff05b4 "COMET.HLP",0x0002,0x00000000) ret=01cf:1070 ds=01ff
692 CallTo16(func=0117:0080,ds=01ff)
693 Call WPROCS.24: TASK_RESCHEDULE() ret=00a7:0a2d ds=002b
694 Ret WPROCS.24: TASK_RESCHEDULE() retval=0x0000 ret=00a7:0a2d ds=002b
695 Ret USER.171: WINHELP() retval=0x0001 ret=01cf:1070 ds=01ff
696 Call KERNEL.96: FREELIBRARY(0x01be) ret=01df:3e29 ds=01ff
697 Ret KERNEL.96: FREELIBRARY() retval=0x0000 ret=01df:3e29 ds=01ff
698 Call KERNEL.52: FREEPROCINSTANCE(0x02cf00ba) ret=01f7:1460 ds=01ff
699 Ret KERNEL.52: FREEPROCINSTANCE() retval=0x0001 ret=01f7:1460 ds=01ff
700 Call USER.1: MESSAGEBOX(0x0000,0x01ff1246 "Runtime error 219 at 0004:1056.",0x00000000,0x1010) ret=01f7:2160 ds=01ff
704 I think that the call to <function>MessageBox()</function>
705 in this example is <emphasis>not</emphasis> caused by a
706 wrong result value of some previously executed function
707 (it's happening quite often like that), but instead the
708 messagebox complains about a runtime error at
709 <literal>0x0004:0x1056</literal>.
712 As the segment value of the address is only
713 <literal>4</literal>, I think that that is only an internal
714 program value. But the offset address reveals something
715 quite interesting: Offset <literal>1056</literal> is
716 <emphasis>very</emphasis> close to the return address of
717 <function>FREELIBRARY()</function>:
719 Call KERNEL.96: FREELIBRARY(0x031f) ret=01cf:105c ds=01ff
724 Provided that segment <literal>0x0004</literal> is indeed segment
725 <literal>0x1cf</literal>, we now we can use IDA (available at
726 <ulink url="ftp://ftp.uni-koeln.de/pc/msdos/programming/assembler/ida35bx.zip">
727 ftp://ftp.uni-koeln.de/pc/msdos/programming/assembler/ida35bx.zip</ulink>) to
728 disassemble the part that caused the error. We just have to find the address of
729 the call to <function>FreeLibrary()</function>. Some lines before that the
730 runtime error occurred. But be careful! In some cases you don't have to
731 disassemble the main program, but instead some DLL called by it in order to find
732 the correct place where the runtime error occurred. That can be determined by
733 finding the origin of the segment value (in this case <literal>0x1cf</literal>).
738 If you have created a relay file of some crashing
739 program and want to set a breakpoint at a certain
740 location which is not yet available as the program loads
741 the breakpoint's segment during execution, you may set a
742 breakpoint to <function>GetVersion16/32</function> as
743 those functions are called very often.
746 Then do a <userinput>c</userinput> until you are able to
747 set this breakpoint without error message.
752 Some useful programs:
757 <application>IDA</application>:
759 <ulink url="ftp://ftp.uni-koeln.de/pc/msdos/programming/assembler/ida35bx.zip">
760 ftp://ftp.uni-koeln.de/pc/msdos/programming/assembler/ida35bx.zip</ulink>
765 <emphasis>Very</emphasis> good DOS disassembler ! It's badly needed
766 for debugging Wine sometimes.
772 <application>XRAY</application>:
774 <ulink url="ftp://ftp.th-darmstadt.de/pub/machines/ms-dos/SimTel/msdos/asmutil/xray15.zip">
775 ftp://ftp.th-darmstadt.de/pub/machines/ms-dos/SimTel/msdos/asmutil/xray15.zip</ulink>
780 Traces DOS calls (Int 21h, DPMI, ...). Use it with
781 Windows to correct file management problems etc.
787 <application>pedump</application>:
789 <ulink url="http://oak.oakland.edu/pub/simtelnet/win95/prog/pedump.zip">
790 http://oak.oakland.edu/pub/simtelnet/win95/prog/pedump.zip</ulink>
795 Dumps the imports and exports of a PE (Portable
806 <title>Some basic debugger usages:</title>
809 After starting your program with
812 wine -debug myprog.exe
815 the program loads and you get a prompt at the program
816 starting point. Then you can set breakpoints:
819 b RoutineName (by outine name) OR
820 b *0x812575 (by address)
823 Then you hit <command>c</command> (continue) to run the
824 program. It stops at the breakpoint. You can type
827 step (to step one line) OR
828 stepi (to step one machine instruction at a time;
829 here, it helps to know the basic 386
831 info reg (to see registers)
832 info stack (to see hex values in the stack)
833 info local (to see local variables)
834 list <line number> (to list source code)
835 x <variable name> (to examine a variable; only works if code
836 is not compiled with optimization)
837 x 0x4269978 (to examine a memory location)
842 By hitting <keycap>Enter</keycap>, you repeat the last
849 <sect1 id="memory-addresses">
850 <title>Useful memory addresses</title>
852 Written by &name-andreas-mohr; <email>&email-andreas-mohr;</email>
855 Wine uses several different kinds of memory addresses.
860 Win32/"normal" Wine addresses/Linux: linear addresses.
864 Linear addresses can be everything from 0x0 up to
865 0xffffffff. In Wine on Linux they are often around
866 e.g. 0x08000000, 0x00400000 (std. Win32 program load
867 address), 0x40000000. Every Win32 process has its own
868 private 4GB address space (that is, from 0x0 up to
875 Win16 "enhanced mode": segmented addresses.
879 These are the "normal" Win16 addresses, called SEGPTR.
880 They have a segment:offset notation, e.g. 0x01d7:0x0012.
881 The segment part usually is a "selector", which *always*
882 has the lowest 3 bits set. Some sample selectors are
883 0x1f7, 0x16f, 0x8f. If these bits are set except for
884 the lowest bit, as e.g. with 0x1f6,xi then it might be a
885 handle to global memory. Just set the lowest bit to get
886 the selector in these cases. A selector kind of
887 "points" to a certain linear (see above) base address.
888 It has more or less three important attributes: segment
889 base address, segment limit, segment access rights.
895 Selector 0x1f7 (0x40320000, 0x0000ffff, r-x) So 0x1f7
896 has a base address of 0x40320000, the segment's last
897 address is 0x4032ffff (limit 0xffff), and it's readable
898 and executable. So an address of 0x1f7:0x2300 would be
899 the linear address of 0x40322300.
905 DOS/Win16 "standard mode"
909 They, too, have a segment:offset notation. But they are
910 completely different from "normal" Win16 addresses, as
911 they just represent at most 1MB of memory: The segment
912 part can be anything from 0 to 0xffff, and it's the same
913 with the offset part.
916 Now the strange thing is the calculation that's behind
917 these addresses: Just calculate segment*16 + offset in
918 order to get a "linear DOS" address. So
919 e.g. 0x0f04:0x3628 results in 0xf040 + 0x3628 = 0x12668.
920 And the highest address you can get is 0xfffff (1MB), of
921 course. In Wine, this "linear DOS" address of 0x12668
922 has to be added to the linear base address of the
923 corresponding DOS memory allocated for dosmod in order
924 to get the true linear address of a DOS seg:offs
925 address. And make sure that you're doing this in the
926 correct process with the correct linear address space,
934 <sect1 id="dbg-config">
935 <title>Configuration</title>
938 <title>Registry configuration</title>
941 The Windows' debugging API uses a registry entry to know
942 which debugger to invoke when an unhandled exception occurs
943 (see <link endterm="dbg-exception-title"
944 linkend="dbg-on-exception"></link> for some details). Two
948 "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
951 Determine the behavior:
955 <term>Debugger:</term>
958 this is the command line used to launch the debugger
959 (it uses two <function>printf</function> formats
960 (<literal>%ld</literal>) to pass context dependent
961 information to the debugger). You should put here a
962 complete path to your debugger
963 (<command>WineDbg</command> can of course be used, but
964 any other Windows' debugging API aware debugger will
966 The path to the debugger you chose to use must be reachable
967 via a DOS drive in the Wine config file !
970 You can also set a shell script to launch the debugger. In
971 this case, you need to be sure that the invocation in
972 this shell script is of the form:
974 WINEPRELOAD=<path_to_winedbg.so> exec wine $*
976 (Shell script must use exec, and the debugger .so file must
977 be preloaded to override the shell script information).
985 if this value is zero, a message box will ask the
986 user if he/she wishes to launch the debugger when an
987 unhandled exception occurs. Otherwise, the debugger
988 is automatically started.
995 A regular Wine registry looks like:
998 [MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug] 957636538
999 "Auto"=dword:00000001
1000 "Debugger"="/usr/local/bin/winedbg %ld %ld"
1004 <title>Note 1</title>
1006 creating this key is mandatory. Not doing so will not
1007 fire the debugger when an exception occurs.
1011 <title>Note 2</title>
1013 <command>wineinstall</command> (available in Wine source)
1014 sets up this correctly.
1015 However, due to some limitation of the registry installed,
1016 if a previous Wine installation exists, it's safer to
1020 [MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug]
1023 key before running again <command>wineinstall</command> to
1024 regenerate this key.
1030 <title>WineDbg configuration</title>
1033 <command>WineDbg</command> can be configured through a number
1034 of options. Those options are stored in the registry, on a
1035 per user basis. The key is (in <emphasis>my</emphasis> registry)
1038 [eric\\Software\\Wine\\WineDbg]
1041 Those options can be read/written while inside
1042 <command>WineDbg</command>, as part of the debugger
1043 expressions. To refer to one of these options, its name must
1044 be prefixed by a <literal>$</literal> sign. For example,
1047 set $BreakAllThreadsStartup = 1
1050 sets the option <varname>BreakAllThreadsStartup</varname> to
1051 <literal>TRUE</literal>.
1054 All the options are read from the registry when
1055 <command>WineDbg</command> starts (if no corresponding value
1056 is found, a default value is used), and are written back to
1057 the registry when <command>WineDbg</command> exits (hence,
1058 all modifications to those options are automatically saved
1059 when <command>WineDbg</command> terminates).
1062 Here's the list of all options:
1066 <title>Controlling when the debugger is entered</title>
1070 <term><varname>BreakAllThreadsStartup</varname></term>
1073 Set to <literal>TRUE</literal> if at all threads
1074 start-up the debugger stops set to
1075 <literal>FALSE</literal> if only at the first thread
1076 startup of a given process the debugger stops.
1077 <literal>FALSE</literal> by default.
1082 <term><varname>BreakOnCritSectTimeOut</varname></term>
1085 Set to <literal>TRUE</literal> if the debugger stops
1086 when a critical section times out (5 minutes);
1087 <literal>TRUE</literal> by default.
1092 <term><varname>BreakOnAttach</varname></term>
1095 Set to <literal>TRUE</literal> if when
1096 <command>WineDbg</command> attaches to an existing
1097 process after an unhandled exception,
1098 <command>WineDbg</command> shall be entered on the
1099 first attach event. Since the attach event is
1100 meaningless in the context of an exception event
1101 (the next event which is the exception event is of
1102 course relevant), that option is likely to be
1103 <literal>FALSE</literal>.
1108 <term><varname>BreakOnFirstChance</varname></term>
1111 An exception can generate two debug events. The
1112 first one is passed to the debugger (known as a
1113 first chance) just after the exception. The debugger
1114 can then decides either to resume execution (see
1115 <command>WineDbg</command>'s <command>cont</command>
1116 command) or pass the exception up to the exception
1117 handler chain in the program (if it exists)
1118 (<command>WineDbg</command> implements this through the
1119 <command>pass</command> command). If none of the
1120 exception handlers takes care of the exception, the
1121 exception event is sent again to the debugger (known
1122 as last chance exception). You cannot pass on a last
1124 <varname>BreakOnFirstChance</varname> exception is
1125 <literal>TRUE</literal>, then winedbg is entered for
1126 both first and last chance execptions (to
1127 <literal>FALSE</literal>, it's only entered for last
1133 <term><varname>BreakOnDllLoad</varname></term>
1136 Set to <literal>TRUE</literal> if the debugger stops
1137 when a DLL is loaded into memory; when the debugger
1138 is invoked after a crash, the DLLs already mapped in
1139 memory will not trigger this break.
1140 <literal>FALSE</literal> by default.
1148 <title>Output handling</title>
1152 <term><varname>ConChannelMask</varname></term>
1155 Mask of active debugger output channels on console
1160 <term><varname>StdChannelMask</varname></term>
1163 Mask of active debugger output channels on <filename>stderr</filename>
1168 <term><varname>UseXTerm</varname></term>
1171 Set to <literal>TRUE</literal> if the debugger uses
1172 its own <command>xterm</command> window for console
1173 input/output. Set to <literal>FALSE</literal> if
1174 the debugger uses the current Unix console for
1182 Those last 3 variables are jointly used in two generic ways:
1187 <para>default</para>
1189 ConChannelMask = DBG_CHN_MESG (1)
1194 In this case, all input/output goes into a specific
1195 <command>xterm</command> window (but all debug
1196 messages <function>TRACE</function>,
1197 <function>WARN</function>... still goes to tty where
1203 to have all input/output go into the tty where Wine
1204 was started from (to be used in a X11-free
1209 StdChannelMask = DBG_CHN_MESG (1)
1215 Those variables also allow, for example for debugging
1219 ConChannelMask = 0xfff
1220 StdChannelMask = 0xfff
1224 This allows to redirect all <function>WineDbg</function>
1225 output to both tty Wine was started from, and
1226 <command>xterm</command> debugging window. If Wine (or
1227 <command>WineDbg</command>) was started with a redirection
1228 of <filename>stdout</filename> and/or
1229 <filename>stderr</filename> to a file (with for
1230 example >& shell redirect command), you'll get in that
1231 file both outputs. It may be interesting to look in the
1232 relay trace for specific values which the process segv'ed
1238 <title>Context information</title>
1242 <term><varname>ThreadId</varname></term>
1244 <para>ID of the <varname>W-thread</varname> currently
1245 examined by the debugger</para>
1249 <term><varname>ProcessId</varname></term>
1251 <para>ID of the <varname>W-thread</varname> currently
1252 examined by the debugger</para>
1256 <term><registers></term>
1258 <para>All CPU registers are also available</para>
1264 The <varname>ThreadId</varname> and
1265 <varname>ProcessId</varname> variables can be handy to set
1266 conditional breakpoints on a given thread or process.
1273 <sect1 id="dbg-commands">
1274 <title>WineDbg Command Reference</title>
1280 abort aborts the debugger
1281 quit exits the debugger
1283 attach N attach to a W-process (N is its ID). IDs can be
1284 obtained using the walk process command
1285 detach detach from a W-process. WineDbg will exit (this may
1286 be changed later on)
1289 help prints some help on the commands
1290 help info prints some help on info commands
1293 mode 16 switch to 16 bit mode
1294 mode 32 switch to 32 bit mode
1299 <title>Flow control</title>
1302 cont continue execution until next breakpoint or exception.
1303 pass pass the exception event up to the filter chain.
1304 step continue execution until next C line of code (enters
1306 next continue execution until next C line of code (doesn't
1307 enter function call)
1308 stepi execute next assembly instruction (enters function
1310 nexti execute next assembly instruction (doesn't enter
1312 finish do nexti commands until current function is exited
1315 cont, step, next, stepi, nexti can be postfixed by a
1316 number (N), meaning that the command must be executed N
1322 <title>Breakpoints, watch points</title>
1325 enable N enables (break|watch)point #N
1326 disable N disables (break|watch)point #N
1327 delete N deletes (break|watch)point #N
1328 cond N removes any a existing condition to (break|watch)point N
1329 cond N <expr> adds condition <expr> to (break|watch)point N. <expr>
1330 will be evaluated each time the breakpoint is hit. If
1331 the result is a zero value, the breakpoint isn't
1333 break * N adds a breakpoint at address N
1334 break <id> adds a breakpoint at the address of symbol <id>
1335 break <id> N adds a breakpoint at the address of symbol <id> (N ?)
1336 break N adds a breakpoint at line N of current source file
1337 break adds a breakpoint at current $pc address
1338 watch * N adds a watch command (on write) at address N (on 4 bytes)
1339 watch <id> adds a watch command (on write) at the address of
1341 info break lists all (break|watch)points (with state)
1344 When setting a breakpoint on an <id>, if several symbols with this
1345 <id> exist, the debugger will prompt for the symbol you want to use.
1346 Pick up the one you want from its number.
1349 Alternatively you can specify a DLL in the <id> (for example
1350 MYDLL.DLL.myFunc for function myFunc of
1351 <filename>G:\AnyPath\MyDll.dll)</filename>.
1354 You can use the symbol <emphasis>EntryPoint</emphasis> to stand for
1355 the entry point of the Dll.
1360 <title>Stack manipulation</title>
1363 bt print calling stack of current thread
1364 bt N print calling stack of thread of ID N (note: this
1365 doesn't change the position of the current frame as
1366 manipulated by the up & dn commands)
1367 up goes up one frame in current thread's stack
1368 up N goes up N frames in current thread's stack
1369 dn goes down one frame in current thread's stack
1370 dn N goes down N frames in current thread's stack
1371 frame N set N as the current frame for current thread's stack
1372 info local prints information on local variables for current
1378 <title>Directory & source file manipulation</title>
1382 dir <pathname>
1384 symbolfile <module> <pathname>
1387 list lists 10 source lines from current position
1388 list - lists 10 source lines before current position
1389 list N lists 10 source lines from line N in current file
1390 list <path>:N lists 10 source lines from line N in file <path>
1391 list <id> lists 10 source lines of function <id>
1392 list * N lists 10 source lines from address N
1395 You can specify the end target (to change the 10 lines
1396 value) using the ','. For example:
1399 list 123, 234 lists source lines from line 123 up to line 234 in
1401 list foo.c:1,56 lists source lines from line 1 up to 56 in file foo.c
1406 <title>Displaying</title>
1409 A display is an expression that's evaluated and printed
1410 after the execution of any <command>WineDbg</command>
1414 display lists the active displays
1415 info display (same as above command)
1416 display <expr> adds a display for expression <expr>
1417 display /fmt <expr> adds a display for expression <expr>. Printing
1418 evaluated <expr> is done using the given format (see
1419 print command for more on formats)
1420 del display N deletes display #N
1421 undisplay N (same as del display)
1426 <title>Disassembly</title>
1429 disas disassemble from current position
1430 disas <expr> disassemble from address <expr>
1431 disas <expr>,<expr>disassembles code between addresses specified by
1432 the two <expr>
1437 <title>Information on Wine's internals</title>
1440 info class <id> prints information on Windows's class <id>
1441 walk class lists all Windows' class registered in Wine
1442 info share lists all the dynamic libraries loaded the debugged
1443 program (including .so files, NE and PE DLLs)
1444 info module N prints information on module of handle N
1445 walk module lists all modules loaded by debugged program
1446 info queue N prints information on Wine's queue N
1447 walk queue lists all queues allocated in Wine
1448 info regs prints the value of CPU register
1449 info segment N prints information on segment N
1450 info segment lists all allocated segments
1451 info stack prints the values on top of the stack
1452 info map lists all virtual mappings used by the debugged
1454 info wnd N prints information of Window of handle N
1455 walk wnd lists all the window hierarchy starting from the
1457 walk wnd N lists all the window hierarchy starting from the
1459 walk process lists all w-processes in Wine session
1460 walk thread lists all w-threads in Wine session
1461 walk modref (no longer avail)
1466 <title>Memory (reading, writing, typing)</title>
1469 x <expr> examines memory at <expr> address
1470 x /fmt <expr> examines memory at <expr> address using format /fmt
1471 print <expr> prints the value of <expr> (possibly using its type)
1472 print /fmt <expr> prints the value of <expr> (possibly using its
1474 set <lval>=<expr> writes the value of <expr> in <lval>
1475 whatis <expr> prints the C type of expression <expr>
1478 <filename>/fmt</filename> is either <filename>/<letter></filename> or
1479 <filename>/<count><letter></filename> letter can be
1482 s => an ASCII string
1483 u => an Unicode UTF16 string
1484 i => instructions (disassemble)
1485 x => 32 bit unsigned hexadecimal integer
1486 d => 32 bit signed decimal integer
1487 w => 16 bit unsigned hexadecimal integer
1488 c => character (only printable 0x20-0x7f are actually
1490 b => 8 bit unsigned hexadecimal integer
1495 <title>Expressions</title>
1498 Expressions in Wine Debugger are mostly written in a C form. However, there
1499 are a few discrepancies:
1503 Identifiers can take a '.' in their names. This allow mainly to access symbols
1504 from different DLLs like USER32.DLL.CreateWindowA
1509 The debugger will try to distinguish this writing with structure operations.
1510 Therefore, you can only use the previous writing in operations manipulating
1511 symbols ({break|watch}points, type information command...).
1518 <title>debug messages</title>
1520 It is possible to turn on and off debug messages as you are debuging using
1524 set + warn win => turn on warn on 'win' channel
1525 set + win => turn on warn/fixme/err/trace on 'win' channel
1526 set - win => turn off warn/fixme/err/trace on 'win' channel
1527 set - fixme => turn off the 'fixme' class
1533 <sect1 id="dbg-others">
1534 <title>Other debuggers</title>
1537 <title>Using other Unix debuggers</title>
1540 You can also use other debuggers (like
1541 <command>gdb</command>), but you must be aware of a few
1545 You need to attach the unix debugger to the correct unix
1546 process (representing the correct windows thread) (you can
1547 "guess" it from a <command>ps fax</command> for example:
1548 When running the emulator, usually the first two
1549 <varname>upids</varname> are for the Windows' application
1550 running the desktop, the first thread of the application is
1551 generally the third <varname>upid</varname>; when running a
1552 Winelib program, the first thread of the application is
1553 generally the first <varname>upid</varname>)
1557 Even if latest <command>gdb</command> implements the
1558 notion of threads, it won't work with Wine because the
1559 thread abstraction used for implementing Windows' thread
1560 is not 100% mapped onto the linux posix threads
1561 implementation. It means that you'll have to spawn a
1562 different <command>gdb</command> session for each Windows'
1563 thread you wish to debug.
1567 <!-- *** Extra content spliced in from article by Andreas Mohr *** -->
1569 Following text written by &name-andreas-mohr; <email>&email-andreas-mohr;</email>
1572 Here's how to get info about the current execution status of a
1573 certain Wine process:
1576 Change into your Wine source dir and enter:
1582 Switch to another console and enter <command>ps ax | grep
1583 wine</command> to find all wine processes. Inside
1584 <command>gdb</command>, repeat for all Wine processes:
1587 (gdb) attach <userinput>PID</userinput>
1590 with <userinput>PID</userinput> being the process ID of one of
1591 the Wine processes. Use
1597 to get the backtrace of the current Wine process, i.e. the
1598 function call history. That way you can find out what the
1599 current process is doing right now. And then you can use
1609 (gdb) b <userinput>SomeFunction</userinput>
1618 to set a breakpoint at a certain function and continue up to
1619 that function. Finally you can enter
1625 to detach from the Wine process.
1627 <!-- *** End of xtra content *** -->
1631 <title>Using other Windows debuggers</title>
1634 You can use any Windows' debugging API compliant debugger
1635 with Wine. Some reports have been made of success with
1636 VisualStudio debugger (in remote mode, only the hub runs
1637 in Wine). GoVest fully runs in Wine.
1642 <title>Main differences between winedbg and regular Unix debuggers</title>
1644 <!-- FIXME: convert this into a table -->
1646 +----------------------------------+---------------------------------+
1648 +----------------------------------+---------------------------------+
1649 |WineDbg debugs a Windows' process:|gdb debugs a Windows' thread: |
1650 |+ the various threads will be |+ a separate gdb session is |
1651 | handled by the same WineDbg | needed for each thread of |
1652 | session | Windows' process |
1653 |+ a breakpoint will be triggered |+ a breakpoint will be triggered |
1654 | for any thread of the w-process | only for the w-thread debugged |
1655 +----------------------------------+---------------------------------+
1656 |WineDbg supports debug information|gdb supports debug information |
1658 |+ stabs (standard Unix format) |+ stabs (standard Unix format) |
1659 |+ Microsoft's C, CodeView, .DBG | |
1660 +----------------------------------+---------------------------------+
1666 <sect1 id="dbg-limits">
1667 <title>Limitations</title>
1670 16 bit processes are not supported (but calls to 16 bit code
1671 in 32 bit applications are).
1677 <!-- Keep this comment at the end of the file
1680 sgml-parent-document:("wine-doc.sgml" "set" "book" "part" "chapter" "")