1 <chapter id=
"debugger">
2 <title>Debugging Wine
</title>
5 <title>Introduction
</title>
8 <title>Processes and threads: in underlying OS and in Windows
</title>
11 Before going into the depths of debugging in Wine, here's
12 a small overview of process and thread handling in Wine.
13 It has to be clear that there are two different beasts:
14 processes/threads from the Unix point of view and
15 processes/threads from a Windows point of view.
18 Each Windows' thread is implemented as a Unix process (under
19 Linux using the
<function>clone
</function> syscall), meaning
20 that all threads of a same Windows' process share the same
29 <varname>W-process
</varname> means a process in Windows' terminology
34 <varname>U-process
</varname> means a process in Unix' terminology
39 <varname>W-thread
</varname> means a thread in Windows' terminology
44 A
<varname>W-process
</varname> is made of one or several
45 <varname>W-threads
</varname>. Each
46 <varname>W-thread
</varname> is mapped to one and only one
47 <varname>U-process
</varname>. All
48 <varname>U-processes
</varname> of a same
49 <varname>W-process
</varname> share the same address space.
52 Each Unix process can be identified by two values:
57 the Unix process id (
<varname>upid
</varname> in the following)
62 the Windows's thread id (
<varname>tid
</varname>)
67 Each Windows' process has also a Windows' process id
68 (
<varname>wpid
</varname> in the following). It must be clear
69 that
<varname>upid
</varname> and
<varname>wpid
</varname> are
70 different and shall not be used instead of the other.
73 <varname>Wpid
</varname> and
<varname>tid
</varname> are
74 defined (Windows) system wide. They must not be confused
75 with process or thread handles which, as any handle, is an
76 indirection to a system object (in this case process or
77 thread). A same process can have several different handles
78 on the same kernel object. The handles can be defined as
79 local (the values is only valid in a process), or system
80 wide (the same handle can be used by any
81 <varname>W-process
</varname>).
86 <title>Wine, debugging and WineDbg
</title>
89 When talking of debugging in Wine, there are at least two
95 the Windows' debugging API.
100 the Wine integrated debugger, dubbed
<command>WineDbg
</command>.
105 Wine implements most of the Windows' debugging API (the
106 part in
<filename>KERNEL32.DLL
</filename>, not the one in
107 <filename>IMAGEHLP.DLL
</filename>), and allows any program
108 (emulated or Winelib) using that API to debug a
109 <varname>W-process
</varname>.
112 <command>WineDbg
</command> is a Winelib application making
113 use of this API to allow debugging both any Wine or Winelib
114 applications as well as Wine itself (kernel and all DLLs).
120 <sect1 id=
"dbg-modes">
121 <title>WineDbg's modes of invocation
</title>
124 <title>Starting a process
</title>
127 Any application (either a Windows' native executable, or a
128 Winelib application) can be run through
129 <command>WineDbg
</command>. Command line options and tricks
130 are the same as for wine:
134 winedbg
"hl.exe -windowed"
139 <title>Attaching
</title>
142 <command>WineDbg
</command> can also be launched without any
143 command line argument:
<command>WineDbg
</command> is started
144 without any attached process. You can get a list of running
145 <varname>W-processes
</varname> (and their
146 <varname>wpid
</varname>'s) using the
<command>walk
147 process
</command> command, and then, with the
148 <command>attach
</command> command, pick up the
149 <varname>wpid
</varname> of the
<varname>W-process
</varname>
150 you want to debug. This is a neat feature as it allows you
151 to debug an already started application.
155 <sect2 id=
"dbg-on-exception">
156 <title id=
"dbg-exception-title">On exceptions
</title>
159 When something goes wrong, Windows tracks this as an
160 exception. Exceptions exist for segmentation violation,
161 stack overflow, division by zero, etc.
164 When an exception occurs, Wine checks if the
<varname>W-process
</varname> is
165 debugged. If so, the exception event is sent to the
166 debugger, which takes care of it: end of the story. This
167 mechanism is part of the standard Windows' debugging API.
170 If the
<varname>W-process
</varname> is not debugged, Wine
171 tries to launch a debugger. This debugger (normally
172 <command>WineDbg
</command>, see III Configuration for more
173 details), at startup, attaches to the
174 <varname>W-process
</varname> which generated the exception
175 event. In this case, you are able to look at the causes of
176 the exception, and either fix the causes (and continue
177 further the execution) or dig deeper to understand what went
181 If
<command>WineDbg
</command> is the standard debugger, the
182 <command>pass
</command> and
<command>cont
</command> commands
183 are the two ways to let the process go further for the
184 handling of the exception event.
187 To be more precise on the way Wine (and Windows) generates
188 exception events, when a fault occurs (segmentation
189 violation, stack overflow...), the event is first sent to
190 the debugger (this is known as a first chance exception).
191 The debugger can give two answers:
196 <term>continue:
</term>
199 the debugger had the ability to correct what's
200 generated the exception, and is now able to continue
209 the debugger couldn't correct the cause of the
210 first chance exception. Wine will now try to walk
211 the list of exception handlers to see if one of them
212 can handle the exception. If no exception handler is
213 found, the exception is sent once again to the
214 debugger to indicate the failure of the exception
222 since some of Wine's code uses exceptions and
223 <function>try/catch
</function> blocks to provide some
224 functionality,
<command>WineDbg
</command> can be entered
225 in such cases with segv exceptions. This happens, for
226 example, with
<function>IsBadReadPtr
</function> function.
227 In that case, the
<command>pass
</command> command shall be
228 used, to let the handling of the exception to be done by
229 the
<function>catch
</function> block in
230 <function>IsBadReadPtr
</function>.
235 <sect2 id=
"interrupt">
236 <title>Interrupting
</title>
239 You can stop the debugger while it's running by hitting
240 Ctrl-C in its window. This will stop the debugged process,
241 and let you manipulate the current context.
246 <title>Quitting
</title>
249 Wine supports the new XP APIs, allowing for a debugger to
250 detach from a program being debugged (see
251 <command>detach
</command> command). Unfortunately, as the
252 debugger cannot, for now, neither clear its internal
253 information, nor restart a new process, the debugger, after
254 detaching itself, cannot do much except being quitted.
260 <sect1 id=
"wine-debugger">
261 <title>Using the Wine Debugger
</title>
264 This section describes where to start debugging Wine. If at any
265 point you get stuck and want to ask for help, please read the
266 <emphasis>How to Report A Bug
</emphasis> section of the
267 <emphasis>Wine Users Guide
</emphasis> for information on how to write
272 <title>Crashes
</title>
275 These usually show up like this:
278 |Unexpected Windows program segfault - opcode =
8b
279 |Segmentation fault in Windows program
1b7:c41.
280 |Loading symbols from ELF file /root/wine/wine...
281 |....more Loading symbols from ...
284 | CS:
01b7 SS:
016f DS:
0287 ES:
0000
285 | IP:
0c41 SP:
878a BP:
8796 FLAGS:
0246
286 | AX:
811e BX:
0000 CX:
0000 DX:
0000 SI:
0001 DI:ffff
288 |
0x016f:
0x878a:
0001 016f ffed
0000 0000 0287 890b
1e5b
289 |
0x016f:
0x879a:
01b7
0001 000d
1050 08b7
016f
0001 000d
290 |
0x016f:
0x87aa:
000a
0003 0004 0000 0007 0007 0190 0000
293 |
0050: sel=
0287 base=
40211d30 limit=
0b93f (bytes)
16-bit rw-
295 |
0 0x01b7:
0x0c41 (PXSRV_FONGETFACENAME+
0x7c)
296 |
1 0x01b7:
0x1e5b (PXSRV_FONPUTCATFONT+
0x2cd)
298 |
3 0x01b7:
0x0768 (PXSRV_FONINITFONTS+
0x81)
299 |
4 0x014f:
0x03ed (PDOXWIN_@SQLCURCB$Q6CBTYPEULN8CBSCTYPE+
0x1b1)
302 |
0x01b7:
0x0c41 (PXSRV_FONGETFACENAME+
0x7c): movw %es:
0x38(%bx),%dx
305 Steps to debug a crash. You may stop at any step, but please
306 report the bug and provide as much of the information
307 gathered to the bug report as feasible.
313 Get the reason for the crash. This is usually an access to
314 an invalid selector, an access to an out of range address
315 in a valid selector, popping a segment register from the
316 stack or the like. When reporting a crash, report this
317 <emphasis>whole
</emphasis> crashdump even if it doesn't
321 (In this case it is access to an invalid selector, for
322 <systemitem>%es
</systemitem> is
<literal>0000</literal>, as
323 seen in the register dump).
328 Determine the cause of the crash. Since this is usually
329 a primary/secondary reaction to a failed or misbehaving
330 Wine function, rerun Wine with
<parameter>-debugmsg
331 +relay
</parameter> added to the commandline. This will
332 generate quite a lot of output, but usually the reason is
333 located in the last call(s). Those lines usually look like
337 |Call KERNEL
.90: LSTRLEN(
0227:
0692 "text") ret=
01e7:
2ce7 ds=
0227
338 ^^^^^^^^^ ^ ^^^^^^^^^ ^^^^^^ ^^^^^^^^^ ^^^^
339 | | | | | |Datasegment
340 | | | | |Return address
341 | | | |textual parameter
343 | | |Argument(s). This one is a win16 segmented pointer.
345 |The module, the function is called in. In this case it is KERNEL.
347 |Ret KERNEL
.90: LSTRLEN() retval=
0x0004 ret=
01e7:
2ce7 ds=
0227
349 |Returnvalue is
16 bit and has the value
4.
354 If you have found a misbehaving function, try to find out
355 why it misbehaves. Find the function in the source code.
356 Try to make sense of the arguments passed. Usually there is
357 a
<function>WINE_DEFAULT_DEBUG_CHANNEL(
<channel
>);
</function>
358 at the beginning of the file. Rerun wine with
359 <parameter>-debugmsg +xyz,+relay
</parameter> added to the
363 Occasionally there are additional debug channels defined at the
364 beginning of the file in the form.
365 <function>WINE_DECLARE_DEBUG_CHANNEL(
<channel
>);
</function>
366 If so the offending function may also uses one of these alternate
367 channels. Look through the the function for
368 <function>TRACE_(
<channel
>)(
" ... /n");
</function> and add any
369 additional channels to the commandline.
374 Additional information on how to debug using the internal
375 debugger can be found in
376 <filename>programs/winedbg/README
</filename>.
381 If this information isn't clear enough or if you want to
382 know more about what's happening in the function itself,
383 try running wine with
<parameter>-debugmsg
384 +all
</parameter>, which dumps ALL included debug
390 If even that isn't enough, add more debug output for yourself
391 into the functions you find relevant. See The section on Debug
392 Logging in this guide for more information. You might
393 also try to run the program in
<command>gdb
</command>
394 instead of using the Wine debugger. If you do that, use
395 <parameter>handle SIGSEGV nostop noprint
</parameter> to
396 disable the handling of seg faults inside
397 <command>gdb
</command> (needed for Win16).
402 You can also set a breakpoint for that function. Start wine
403 useing
<command>winedbg
</command> instead of
404 <command>wine
</command>. Once the debugger is is running enter
405 <command>break
</command> <parameter>KERNEL_LSTRLEN
</parameter>
406 (replace by function you want to debug, CASE IS RELEVANT)
407 to set a breakpoint. Then
408 use
<command>continue
</command> to start normal
409 program-execution. Wine will stop if it reaches the
410 breakpoint. If the program isn't yet at the crashing call
411 of that function, use
<command>continue
</command> again
412 until you are about to enter that function. You may now
413 proceed with single-stepping the function until you reach
414 the point of crash. Use the other debugger commands to
415 print registers and the like.
422 <title>Program hangs, nothing happens
</title>
425 Start the program with
<command>winedbg
</command> instead of
426 <command>wine
</command>. When the program locks up switch to the
427 winedbg terminal and press
428 <keycombo><keycap>Ctrl
</keycap><keycap>C
</keycap></keycombo>. this
429 will stop the program and let you debug the program as you would for
435 <title>Program reports an error with a Messagebox
</title>
438 Sometimes programs are reporting failure using more or
439 less nondescript messageboxes. We can debug this using the
440 same method as Crashes, but there is one problem... For
441 setting up a message box the program also calls Wine
442 producing huge chunks of debug code.
445 Since the failure happens usually directly before setting up
446 the Messagebox you can start winedbg and set a
447 breakpoint at
<function>MessageBoxA
</function> (called by win16
448 and win32 programs) and proceed with
449 <command>continue
</command>. With
<parameter>--debugmsg
450 +all
</parameter> Wine will now stop directly before setting
451 up the Messagebox. Proceed as explained above.
454 You can also run wine using
<command>wine -debugmsg +relay
455 program.exe
2>&
1 | less -i
</command> and in
456 <command>less
</command> search for
<quote>MessageBox
</quote>.
461 <title>Disassembling programs:
</title>
464 You may also try to disassemble the offending program to
465 check for undocumented features and/or use of them.
468 The best, freely available, disassembler for Win16 programs is
469 <application>Windows Codeback
</application>, archive name
470 <filename>wcbxxx.zip<
/> (e.g.
<filename>wcb105a.zip<
/>), which
471 usually can be found in the
<filename>Cica-Mirror
</filename>
472 subdirectory on the Wine ftp sites. (See
<filename>ANNOUNCE<
/>).
475 Disassembling win32 programs is possible using
476 <application>Windows Disassembler
32<
/>. Look for
477 a file called
<filename>w32dsm87.zip<
/> (or similar)
478 on
<ulink url=
"http://www.winsite.com/">http://www.winsite.com<
/>
479 and mirrors. The shareware version does not allow saving of
480 disassembly listings. You can also use the newer (and in the
481 full version better)
<application>Interactive
482 Disassembler
</application> (IDA) from the ftp sites mentioned
483 at the end of the document. Understanding disassembled code is
484 mostly a question of exercise.
487 Most code out there uses standard C function entries (for it
488 is usually written in C). Win16 function entries usually
495 retf XXXX
<--------- XXXX is number of bytes of arguments
498 This is a
<function>FAR
</function> function with no local
499 storage. The arguments usually start at
500 <literal>[bp+
6]
</literal> with increasing offsets. Note, that
501 <literal>[bp+
6]
</literal> belongs to the
502 <emphasis>rightmost
</emphasis> argument, for exported win16
503 functions use the PASCAL calling convention. So, if we use
504 <function>strcmp(a,b)
</function> with
<parameter>a
</parameter>
505 and
<parameter>b
</parameter> both
32 bit variables
506 <parameter>b
</parameter> would be at
<literal>[bp+
6]
</literal>
507 and
<parameter>a
</parameter> at
<literal>[bp+
10]
</literal>.
510 Most functions make also use of local storage in the stackframe:
514 ... function code ...
519 This does mostly the same as above, but also adds
520 <literal>0x86</literal> bytes of stackstorage, which is
521 accessed using
<literal>[bp-xx]
</literal>. Before calling a
522 function, arguments are pushed on the stack using something
526 push word ptr [bp-
02]
<- will be at [bp+
8]
527 push di
<- will be at [bp+
6]
531 Here first the selector and then the offset to the passed
537 <title>Sample debugging session:
</title>
540 Let's debug the infamous Word
<filename>SHARE.EXE
</filename>
544 |marcus@jet $ wine winword.exe
545 | +---------------------------------------------+
546 | | ! You must leave Windows and load SHARE.EXE|
547 | | before starting Word. |
548 | +---------------------------------------------+
551 |marcus@jet $ wine winword.exe -debugmsg +relay -debug
552 |CallTo32(wndproc=
0x40065bc0,hwnd=
000001ac,msg=
00000081,wp=
00000000,lp=
00000000)
553 |Win16 task 'winword': Breakpoint
1 at
0x01d7:
0x001a
554 |CallTo16(func=
0127:
0070,ds=
0927)
555 |Call WPROCS
.24: TASK_RESCHEDULE() ret=
00b7:
1456 ds=
0927
556 |Ret WPROCS
.24: TASK_RESCHEDULE() retval=
0x8672 ret=
00b7:
1456 ds=
0927
557 |CallTo16(func=
01d7:
001a,ds=
0927)
558 | AX=
0000 BX=
3cb4 CX=
1f40 DX=
0000 SI=
0000 DI=
0927 BP=
0000 ES=
11f7
559 |Loading symbols: /home/marcus/wine/wine...
560 |Stopped on breakpoint
1 at
0x01d7:
0x001a
562 |Wine-dbg
>break MessageBoxA
<---- Set Breakpoint
563 |Breakpoint
2 at
0x40189100 (MessageBoxA [msgbox.c:
190])
564 |Wine-dbg
>c
<---- Continue
565 |Call KERNEL
.91: INITTASK() ret=
0157:
0022 ds=
08a7
566 | AX=
0000 BX=
3cb4 CX=
1f40 DX=
0000 SI=
0000 DI=
08a7 ES=
11d7 EFL=
00000286
567 |CallTo16(func=
090f:
085c,ds=
0dcf,
0x0000,
0x0000,
0x0000,
0x0000,
0x0800,
0x0000,
0x0000,
0x0dcf)
568 |...
<----- Much debugoutput
569 |Call KERNEL
.136: GETDRIVETYPE(
0x0000) ret=
060f:
097b ds=
0927
571 |Ret KERNEL
.136: GETDRIVETYPE() retval=
0x0002 ret=
060f:
097b ds=
0927
572 ^^^^^^ DRIVE_REMOVEABLE
573 (It is a floppy diskdrive.)
575 |Call KERNEL
.136: GETDRIVETYPE(
0x0001) ret=
060f:
097b ds=
0927
577 |Ret KERNEL
.136: GETDRIVETYPE() retval=
0x0000 ret=
060f:
097b ds=
0927
578 ^^^^^^ DRIVE_CANNOTDETERMINE
579 (I don't have drive B: assigned)
581 |Call KERNEL
.136: GETDRIVETYPE(
0x0002) ret=
060f:
097b ds=
0927
583 |Ret KERNEL
.136: GETDRIVETYPE() retval=
0x0003 ret=
060f:
097b ds=
0927
585 (specified as a harddisk)
587 |Call KERNEL
.97: GETTEMPFILENAME(
0x00c3,
0x09278364"doc",
0x0000,
0927:
8248) ret=
060f:
09b1 ds=
0927
588 ^^^^^^ ^^^^^ ^^^^^^^^^
589 | | |buffer for fname
590 | |temporary name ~docXXXX.tmp
591 |Force use of Drive C:.
593 |Warning: GetTempFileName returns 'C:~doc9281.tmp', which doesn't seem to be writeable.
594 |Please check your configuration file if this generates a failure.
597 Whoops, it even detects that something is wrong!
600 |Ret KERNEL
.97: GETTEMPFILENAME() retval=
0x9281 ret=
060f:
09b1 ds=
0927
601 ^^^^^^ Temporary storage ID
603 |Call KERNEL
.74: OPENFILE(
0x09278248"C:~doc9281.tmp",
0927:
82da,
0x1012) ret=
060f:
09d8 ds=
0927
604 ^^^^^^^^^^^^^^^^ ^^^^^^^^^ ^^^^^^^
605 |filename |OFSTRUCT |open mode:
607 OF_CREATE|OF_SHARE_EXCLUSIVE|OF_READWRITE
610 This fails, since my
<medialabel>C:
</medialabel> drive is in
611 this case mounted readonly.
614 |Ret KERNEL
.74: OPENFILE() retval=
0xffff ret=
060f:
09d8 ds=
0927
615 ^^^^^^ HFILE_ERROR16, yes, it failed.
617 |Call USER
.1: MESSAGEBOX(
0x0000,
0x09278376"You must close Windows and load SHARE.EXE before you start Word.",
0x00000000,
0x1030) ret=
060f:
084f ds=
0927
623 |Stopped on breakpoint
2 at
0x40189100 (MessageBoxA [msgbox.c:
190])
624 |
190 {
<- the sourceline
629 The code seems to find a writeable harddisk and tries to create
630 a file there. To work around this bug, you can define
631 <medialabel>C:
</medialabel> as a networkdrive, which is ignored
637 <title>Debugging Tips
</title>
640 Here are some additional debugging tips:
646 If you have a program crashing at such an early loader phase that you can't
647 use the Wine debugger normally, but Wine already executes the program's
648 start code, then you may use a special trick. You should do a
650 wine --debugmsg +relay program
652 to get a listing of the functions the program calls in its start function.
659 This way, you get into
<command>winedbg
</command>. Now you
660 can set a breakpoint on any function the program calls in
661 the start function and just type
<userinput>c
</userinput>
662 to bypass the eventual calls of Winfile to this function
663 until you are finally at the place where this function gets
664 called by the crashing start function. Now you can proceed
665 with your debugging as usual.
670 If you try to run a program and it quits after showing an error messagebox,
671 the problem can usually be identified in the return value of one of the
672 functions executed before
<function>MessageBox()
</function>.
673 That's why you should re-run the program with e.g.
675 wine --debugmsg +relay
<program name
> &
>relmsg
677 Then do a
<command>more relmsg
</command> and search for the
678 last occurrence of a call to the string
"MESSAGEBOX". This is a line like
680 Call USER
.1: MESSAGEBOX(
0x0000,
0x01ff1246 "Runtime error 219 at 0004:1056.",
0x00000000,
0x1010) ret=
01f7:
2160 ds=
01ff
682 In my example the lines before the call to
683 <function>MessageBox()
</function> look like that:
685 Call KERNEL
.96: FREELIBRARY(
0x0347) ret=
01cf:
1033 ds=
01ff
686 CallTo16(func=
033f:
0072,ds=
01ff,
0x0000)
687 Ret KERNEL
.96: FREELIBRARY() retval=
0x0001 ret=
01cf:
1033 ds=
01ff
688 Call KERNEL
.96: FREELIBRARY(
0x036f) ret=
01cf:
1043 ds=
01ff
689 CallTo16(func=
0367:
0072,ds=
01ff,
0x0000)
690 Ret KERNEL
.96: FREELIBRARY() retval=
0x0001 ret=
01cf:
1043 ds=
01ff
691 Call KERNEL
.96: FREELIBRARY(
0x031f) ret=
01cf:
105c ds=
01ff
692 CallTo16(func=
0317:
0072,ds=
01ff,
0x0000)
693 Ret KERNEL
.96: FREELIBRARY() retval=
0x0001 ret=
01cf:
105c ds=
01ff
694 Call USER
.171: WINHELP(
0x02ac,
0x01ff05b4 "COMET.HLP",
0x0002,
0x00000000) ret=
01cf:
1070 ds=
01ff
695 CallTo16(func=
0117:
0080,ds=
01ff)
696 Call WPROCS
.24: TASK_RESCHEDULE() ret=
00a7:
0a2d ds=
002b
697 Ret WPROCS
.24: TASK_RESCHEDULE() retval=
0x0000 ret=
00a7:
0a2d ds=
002b
698 Ret USER
.171: WINHELP() retval=
0x0001 ret=
01cf:
1070 ds=
01ff
699 Call KERNEL
.96: FREELIBRARY(
0x01be) ret=
01df:
3e29 ds=
01ff
700 Ret KERNEL
.96: FREELIBRARY() retval=
0x0000 ret=
01df:
3e29 ds=
01ff
701 Call KERNEL
.52: FREEPROCINSTANCE(
0x02cf00ba) ret=
01f7:
1460 ds=
01ff
702 Ret KERNEL
.52: FREEPROCINSTANCE() retval=
0x0001 ret=
01f7:
1460 ds=
01ff
703 Call USER
.1: MESSAGEBOX(
0x0000,
0x01ff1246 "Runtime error 219 at 0004:1056.",
0x00000000,
0x1010) ret=
01f7:
2160 ds=
01ff
707 I think that the call to
<function>MessageBox()
</function>
708 in this example is
<emphasis>not
</emphasis> caused by a
709 wrong result value of some previously executed function
710 (it's happening quite often like that), but instead the
711 messagebox complains about a runtime error at
712 <literal>0x0004:
0x1056</literal>.
715 As the segment value of the address is only
716 <literal>4</literal>, I think that that is only an internal
717 program value. But the offset address reveals something
718 quite interesting: Offset
<literal>1056</literal> is
719 <emphasis>very
</emphasis> close to the return address of
720 <function>FREELIBRARY()
</function>:
722 Call KERNEL
.96: FREELIBRARY(
0x031f) ret=
01cf:
105c ds=
01ff
727 Provided that segment
<literal>0x0004</literal> is indeed segment
728 <literal>0x1cf</literal>, we now we can use IDA (available at
729 <ulink url=
"http://www.filelibrary.com:8080/cgi-bin/freedownload/DOS/h/72/ida35bx.zip">
730 http://www.filelibrary.com:
8080/cgi-bin/freedownload/DOS/h/
72/ida35bx.zip
</ulink>) to
731 disassemble the part that caused the error. We just have to find the address of
732 the call to
<function>FreeLibrary()
</function>. Some lines before that the
733 runtime error occurred. But be careful! In some cases you don't have to
734 disassemble the main program, but instead some DLL called by it in order to find
735 the correct place where the runtime error occurred. That can be determined by
736 finding the origin of the segment value (in this case
<literal>0x1cf</literal>).
741 If you have created a relay file of some crashing
742 program and want to set a breakpoint at a certain
743 location which is not yet available as the program loads
744 the breakpoint's segment during execution, you may set a
745 breakpoint to
<function>GetVersion16/
32</function> as
746 those functions are called very often.
749 Then do a
<userinput>c
</userinput> until you are able to
750 set this breakpoint without error message.
755 Some useful programs:
760 <application>IDA
</application>:
762 <ulink url=
"http://www.filelibrary.com:8080/cgi-bin/freedownload/DOS/h/72/ida35bx.zip">
763 http://www.filelibrary.com:
8080/cgi-bin/freedownload/DOS/h/
72/ida35bx.zip
</ulink>
768 <emphasis>Very
</emphasis> good DOS disassembler ! It's badly needed
769 for debugging Wine sometimes.
775 <application>XRAY
</application>:
777 <ulink url=
"http://garbo.uwasa.fi/pub/pc/sysinfo/xray15.zip">
778 http://garbo.uwasa.fi/pub/pc/sysinfo/xray15.zip
</ulink>
783 Traces DOS calls (Int
21h, DPMI, ...). Use it with
784 Windows to correct file management problems etc.
790 <application>pedump
</application>:
792 <ulink url=
"ftp://ftp.simtel.net/pub/simtelnet/win95/prog/pedump.zip">
793 ftp://ftp.simtel.net/pub/simtelnet/win95/prog/pedump.zip
</ulink>
798 Dumps the imports and exports of a PE (Portable
805 <application>winedump
</application>:
809 Dumps the imports and exports of a PE (Portable
810 Executable) DLL (included in wine tree).
820 <title>Some basic debugger usages:
</title>
823 After starting your program with
826 wine -debug myprog.exe
829 the program loads and you get a prompt at the program
830 starting point. Then you can set breakpoints:
833 b RoutineName (by outine name) OR
834 b *
0x812575 (by address)
837 Then you hit
<command>c
</command> (continue) to run the
838 program. It stops at the breakpoint. You can type
841 step (to step one line) OR
842 stepi (to step one machine instruction at a time;
843 here, it helps to know the basic
386
845 info reg (to see registers)
846 info stack (to see hex values in the stack)
847 info local (to see local variables)
848 list
<line number
> (to list source code)
849 x
<variable name
> (to examine a variable; only works if code
850 is not compiled with optimization)
851 x
0x4269978 (to examine a memory location)
856 By hitting
<keycap>Enter
</keycap>, you repeat the last
863 <sect1 id=
"memory-addresses">
864 <title>Useful memory addresses
</title>
866 Wine uses several different kinds of memory addresses.
871 Win32/
"normal" Wine addresses/Linux: linear addresses.
875 Linear addresses can be everything from
0x0 up to
876 0xffffffff. In Wine on Linux they are often around
877 e.g.
0x08000000,
0x00400000 (std. Win32 program load
878 address),
0x40000000. Every Win32 process has its own
879 private
4GB address space (that is, from
0x0 up to
886 Win16
"enhanced mode": segmented addresses.
890 These are the
"normal" Win16 addresses, called SEGPTR.
891 They have a segment:offset notation, e.g.
0x01d7:
0x0012.
892 The segment part usually is a
"selector", which
893 <emphasis>always
</emphasis>
894 has the lowest
3 bits set. Some sample selectors are
895 0x1f7,
0x16f,
0x8f. If these bits are set except for
896 the lowest bit, as e.g. with
0x1f6,xi then it might be a
897 handle to global memory. Just set the lowest bit to get
898 the selector in these cases. A selector kind of
899 "points" to a certain linear (see above) base address.
900 It has more or less three important attributes: segment
901 base address, segment limit, segment access rights.
907 Selector
0x1f7 (
0x40320000,
0x0000ffff, r-x) So
0x1f7
908 has a base address of
0x40320000, the segment's last
909 address is
0x4032ffff (limit
0xffff), and it's readable
910 and executable. So an address of
0x1f7:
0x2300 would be
911 the linear address of
0x40322300.
917 DOS/Win16
"standard mode"
921 They, too, have a segment:offset notation. But they are
922 completely different from
"normal" Win16 addresses, as
923 they just represent at most
1MB of memory: The segment
924 part can be anything from
0 to
0xffff, and it's the same
925 with the offset part.
928 Now the strange thing is the calculation that's behind
929 these addresses: Just calculate segment*
16 + offset in
930 order to get a
"linear DOS" address. So
931 e.g.
0x0f04:
0x3628 results in
0xf040 +
0x3628 =
0x12668.
932 And the highest address you can get is
0xfffff (
1MB), of
933 course. In Wine, this
"linear DOS" address of
0x12668
934 has to be added to the linear base address of the
935 corresponding DOS memory allocated for dosmod in order
936 to get the true linear address of a DOS seg:offs
937 address. And make sure that you're doing this in the
938 correct process with the correct linear address space,
946 <sect1 id=
"dbg-config">
947 <title>Configuration
</title>
950 <title>Registry configuration
</title>
953 The Windows' debugging API uses a registry entry to know
954 which debugger to invoke when an unhandled exception occurs
955 (see
<link endterm=
"dbg-exception-title"
956 linkend=
"dbg-on-exception"></link> for some details). Two
960 "MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
963 Determine the behavior:
967 <term>Debugger:
</term>
970 this is the command line used to launch the debugger
971 (it uses two
<function>printf
</function> formats
972 (
<literal>%ld
</literal>) to pass context dependent
973 information to the debugger). You should put here a
974 complete path to your debugger
975 (
<command>WineDbg
</command> can of course be used, but
976 any other Windows' debugging API aware debugger will
978 The path to the debugger you chose to use must be reachable
979 via a DOS drive in the Wine config file !
987 if this value is zero, a message box will ask the
988 user if he/she wishes to launch the debugger when an
989 unhandled exception occurs. Otherwise, the debugger
990 is automatically started.
997 A regular Wine registry looks like:
1000 [MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug]
957636538
1001 "Auto"=dword:
00000001
1002 "Debugger"=
"winedbg --debugmsg -all %ld %ld"
1006 <title>Note
1</title>
1008 creating this key is mandatory. Not doing so will not
1009 fire the debugger when an exception occurs.
1013 <title>Note
2</title>
1015 <command>wineinstall
</command> (available in Wine source)
1016 sets up this correctly.
1017 However, due to some limitation of the registry installed,
1018 if a previous Wine installation exists, it's safer to
1022 [MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug]
1025 key before running again
<command>wineinstall
</command> to
1026 regenerate this key.
1032 <title>WineDbg configuration
</title>
1035 <command>WineDbg
</command> can be configured through a number
1036 of options. Those options are stored in the registry, on a
1037 per user basis. The key is (in
<emphasis>my
</emphasis> registry)
1040 [eric\\Software\\Wine\\WineDbg]
1043 Those options can be read/written while inside
1044 <command>WineDbg
</command>, as part of the debugger
1045 expressions. To refer to one of these options, its name must
1046 be prefixed by a
<literal>$
</literal> sign. For example,
1049 set $BreakAllThreadsStartup =
1
1052 sets the option
<varname>BreakAllThreadsStartup
</varname> to
1053 <literal>TRUE
</literal>.
1056 All the options are read from the registry when
1057 <command>WineDbg
</command> starts (if no corresponding value
1058 is found, a default value is used), and are written back to
1059 the registry when
<command>WineDbg
</command> exits (hence,
1060 all modifications to those options are automatically saved
1061 when
<command>WineDbg
</command> terminates).
1064 Here's the list of all options:
1068 <title>Controlling when the debugger is entered
</title>
1072 <term><varname>BreakAllThreadsStartup
</varname></term>
1075 Set to
<literal>TRUE
</literal> if at all threads
1076 start-up the debugger stops set to
1077 <literal>FALSE
</literal> if only at the first thread
1078 startup of a given process the debugger stops.
1079 <literal>FALSE
</literal> by default.
1084 <term><varname>BreakOnCritSectTimeOut
</varname></term>
1087 Set to
<literal>TRUE
</literal> if the debugger stops
1088 when a critical section times out (
5 minutes);
1089 <literal>TRUE
</literal> by default.
1094 <term><varname>BreakOnAttach
</varname></term>
1097 Set to
<literal>TRUE
</literal> if when
1098 <command>WineDbg
</command> attaches to an existing
1099 process after an unhandled exception,
1100 <command>WineDbg
</command> shall be entered on the
1101 first attach event. Since the attach event is
1102 meaningless in the context of an exception event
1103 (the next event which is the exception event is of
1104 course relevant), that option is likely to be
1105 <literal>FALSE
</literal>.
1110 <term><varname>BreakOnFirstChance
</varname></term>
1113 An exception can generate two debug events. The
1114 first one is passed to the debugger (known as a
1115 first chance) just after the exception. The debugger
1116 can then decides either to resume execution (see
1117 <command>WineDbg
</command>'s
<command>cont
</command>
1118 command) or pass the exception up to the exception
1119 handler chain in the program (if it exists)
1120 (
<command>WineDbg
</command> implements this through the
1121 <command>pass
</command> command). If none of the
1122 exception handlers takes care of the exception, the
1123 exception event is sent again to the debugger (known
1124 as last chance exception). You cannot pass on a last
1126 <varname>BreakOnFirstChance
</varname> exception is
1127 <literal>TRUE
</literal>, then winedbg is entered for
1128 both first and last chance execptions (to
1129 <literal>FALSE
</literal>, it's only entered for last
1135 <term><varname>BreakOnDllLoad
</varname></term>
1138 Set to
<literal>TRUE
</literal> if the debugger stops
1139 when a DLL is loaded into memory; when the debugger
1140 is invoked after a crash, the DLLs already mapped in
1141 memory will not trigger this break.
1142 <literal>FALSE
</literal> by default.
1150 <title>Context information
</title>
1154 <term><varname>ThreadId
</varname></term>
1157 ID of the
<varname>W-thread
</varname> currently
1158 examined by the debugger
1163 <term><varname>ProcessId
</varname></term>
1166 ID of the
<varname>W-thread
</varname> currently
1167 examined by the debugger
1172 <term><registers
></term>
1175 All CPU registers are also available
1182 The
<varname>ThreadId
</varname> and
1183 <varname>ProcessId
</varname> variables can be handy to set
1184 conditional breakpoints on a given thread or process.
1191 <sect1 id=
"dbg-commands">
1192 <title>WineDbg Command Reference
</title>
1198 abort aborts the debugger
1199 quit exits the debugger
1201 attach N attach to a W-process (N is its ID). IDs can be
1202 obtained using the walk process command
1203 detach detach from a W-process. WineDbg will exit (this may
1204 be changed later on)
1207 help prints some help on the commands
1208 help info prints some help on info commands
1211 mode
16 switch to
16 bit mode
1212 mode
32 switch to
32 bit mode
1217 <title>Flow control
</title>
1220 cont continue execution until next breakpoint or exception.
1221 pass pass the exception event up to the filter chain.
1222 step continue execution until next C line of code (enters
1224 next continue execution until next C line of code (doesn't
1225 enter function call)
1226 stepi execute next assembly instruction (enters function
1228 nexti execute next assembly instruction (doesn't enter
1230 finish do nexti commands until current function is exited
1233 cont, step, next, stepi, nexti can be postfixed by a
1234 number (N), meaning that the command must be executed N
1240 <title>Breakpoints, watch points
</title>
1243 enable N enables (break|watch)point #N
1244 disable N disables (break|watch)point #N
1245 delete N deletes (break|watch)point #N
1246 cond N removes any a existing condition to (break|watch)point N
1247 cond N
<expr
> adds condition
<expr
> to (break|watch)point N.
<expr
>
1248 will be evaluated each time the breakpoint is hit. If
1249 the result is a zero value, the breakpoint isn't
1251 break * N adds a breakpoint at address N
1252 break
<id
> adds a breakpoint at the address of symbol
<id
>
1253 break
<id
> N adds a breakpoint at the address of symbol
<id
> (N ?)
1254 break N adds a breakpoint at line N of current source file
1255 break adds a breakpoint at current $pc address
1256 watch * N adds a watch command (on write) at address N (on
4 bytes)
1257 watch
<id
> adds a watch command (on write) at the address of
1259 info break lists all (break|watch)points (with state)
1262 When setting a breakpoint on an
<id
>, if several symbols with this
1263 <id
> exist, the debugger will prompt for the symbol you want to use.
1264 Pick up the one you want from its number.
1267 Alternatively you can specify a DLL in the
<id
> (for example
1268 MYDLL.DLL.myFunc for function myFunc of
1269 <filename>G:\AnyPath\MyDll.dll)
</filename>.
1272 You can use the symbol
<emphasis>EntryPoint
</emphasis> to stand for
1273 the entry point of the Dll.
1276 When setting a break/watch-point by
<id
>, if the symbol cannot be found (for example, the symbol is contained in a not yet loaded module), winedbg will
1277 recall the name of the symbol and will try to set the breakpoint each time a new module is loaded (until it succeeds).
1282 <title>Stack manipulation
</title>
1285 bt print calling stack of current thread
1286 bt N print calling stack of thread of ID N (note: this
1287 doesn't change the position of the current frame as
1288 manipulated by the up & dn commands)
1289 up goes up one frame in current thread's stack
1290 up N goes up N frames in current thread's stack
1291 dn goes down one frame in current thread's stack
1292 dn N goes down N frames in current thread's stack
1293 frame N set N as the current frame for current thread's stack
1294 info local prints information on local variables for current
1300 <title>Directory & source file manipulation
</title>
1304 dir
<pathname
>
1306 symbolfile
<pathname
> loads external symbol definition
1307 symbolfile
<pathname
> N loads external symbol definition
1308 (applying an offset of N to addresses)
1311 list lists
10 source lines from current position
1312 list - lists
10 source lines before current position
1313 list N lists
10 source lines from line N in current file
1314 list
<path
>:N lists
10 source lines from line N in file
<path
>
1315 list
<id
> lists
10 source lines of function
<id
>
1316 list * N lists
10 source lines from address N
1319 You can specify the end target (to change the
10 lines
1320 value) using the ','. For example:
1323 list
123,
234 lists source lines from line
123 up to line
234 in
1325 list foo.c:
1,
56 lists source lines from line
1 up to
56 in file foo.c
1330 <title>Displaying
</title>
1333 A display is an expression that's evaluated and printed
1334 after the execution of any
<command>WineDbg
</command>
1338 display lists the active displays
1339 info display (same as above command)
1340 display
<expr
> adds a display for expression
<expr
>
1341 display /fmt
<expr
> adds a display for expression
<expr
>. Printing
1342 evaluated
<expr
> is done using the given format (see
1343 print command for more on formats)
1344 del display N deletes display #N
1345 undisplay N (same as del display)
1350 <title>Disassembly
</title>
1353 disas disassemble from current position
1354 disas
<expr
> disassemble from address
<expr
>
1355 disas
<expr
>,
<expr
>disassembles code between addresses specified by
1356 the two
<expr
>
1361 <title>Information on Wine's internals
</title>
1364 info class
<id
> prints information on Windows's class
<id
>
1365 walk class lists all Windows' class registered in Wine
1366 info share lists all the dynamic libraries loaded the debugged
1367 program (including .so files, NE and PE DLLs)
1368 info module
<N
> prints information on module of handle
<N
>
1369 walk module lists all modules loaded by debugged program
1370 info regs prints the value of CPU register
1371 info segment
<N
>prints information on segment
<N
>
1372 info segment lists all allocated segments
1373 info stack prints the values on top of the stack
1374 walk map lists all virtual mappings used by the debugged
1376 walk map
<N
> lists all virtual mappings used by the program of pid
<N
>
1377 info wnd
<N
> prints information of Window of handle
<N
>
1378 walk wnd lists all the window hierarchy starting from the
1380 walk wnd
<N
> lists all the window hierarchy starting from the
1381 window of handle
<N
>
1382 walk process lists all w-processes in Wine session
1383 walk thread lists all w-threads in Wine session
1384 walk exception lists the exception frames (starting from current
1390 <title>Memory (reading, writing, typing)
</title>
1393 x
<expr
> examines memory at
<expr
> address
1394 x /fmt
<expr
> examines memory at
<expr
> address using format /fmt
1395 print
<expr
> prints the value of
<expr
> (possibly using its type)
1396 print /fmt
<expr
> prints the value of
<expr
> (possibly using its
1398 set
<lval
>=
<expr
> writes the value of
<expr
> in
<lval
>
1399 whatis
<expr
> prints the C type of expression
<expr
>
1402 <filename>/fmt
</filename> is either
<filename>/
<letter
></filename> or
1403 <filename>/
<count
><letter
></filename> letter can be
1406 s =
> an ASCII string
1407 u =
> an Unicode UTF16 string
1408 i =
> instructions (disassemble)
1409 x =
> 32 bit unsigned hexadecimal integer
1410 d =
> 32 bit signed decimal integer
1411 w =
> 16 bit unsigned hexadecimal integer
1412 c =
> character (only printable
0x20-
0x7f are actually printed)
1413 b =
> 8 bit unsigned hexadecimal integer
1419 <title>Expressions
</title>
1422 Expressions in Wine Debugger are mostly written in a C form. However, there
1423 are a few discrepancies:
1427 Identifiers can take a '.' in their names. This allow
1428 mainly to access symbols from different DLLs like
1429 <function>USER32.DLL.CreateWindowA
</function>.
1434 The debugger will try to distinguish this writing with structure operations.
1435 Therefore, you can only use the previous writing in operations manipulating
1436 symbols ({break|watch}points, type information command...).
1443 <title>Debug channels
</title>
1445 It is possible to turn on and off debug messages as you are debugging using
1449 set + warn win =
> turn on warn on 'win' channel
1450 set + win =
> turn on warn/fixme/err/trace on 'win' channel
1451 set - win =
> turn off warn/fixme/err/trace on 'win' channel
1452 set - fixme =
> turn off the 'fixme' class
1458 <sect1 id=
"dbg-others">
1459 <title>Other debuggers
</title>
1462 <title>GDB mode
</title>
1465 WineDbg can act as a remote monitor for GDB. This allows to
1466 use all the power of GDB, but while debugging wine and/or
1467 any Win32 application. To enable this mode, just add
1468 <parameter>--gdb
</parameter> to winedbg command line. You'll
1469 end up on a GDB prompt. You'll have to use the GDB commands
1474 However, some limitation in GDB while debugging wine (see
1475 below) don't appear in this mode:
1479 GDB will correctly present Win32 thread
1480 information and breakpoint behavior
1485 Moreover, it also provides support for the Dwarf II
1486 debug format (which became the default format (instead
1487 of stabs) in gcc
3.1).
1494 A few wine extensions available through the monitor command.
1496 monitor wnd lists all window in the Wine session
1497 monitor proc lists all processes in the Wine session
1498 monitor mem displays memory mapping of debugged process
1505 <title>Graphical frontends to gdb
</title>
1508 This section will describe how you can debug wine using the
1509 GDB mode of winedbg and some graphical front ends to GDB for
1510 those of you who really like graphical debuggers.
1517 Use the following steps, in this order:
1521 Start the wine debugger with a command line
1524 winedbg -- --gdb --no-start
<name_of_exe_to_debug.exe
>
1535 In ddd, use the 'Open File' or 'Open Program' to
1536 point to the wine executable
1541 In the output of
1/, there's a line like
1543 target remote localhost:
32878
1545 copy that line and paste into ddd command pane (the one with the (gdb)
1550 The program should now be loaded and up and running. If you want, you
1551 can also add in
1/ after the name of the exec all the needed
1559 Use the following steps, in this order:
1563 Start the wine debugger with a command line like:
1565 winedbg -- --gdb --no-start
<name_of_exe_to_debug.exe
>
1571 In the output of
1/, there's a line like
1573 target remote localhost:
32878
1577 kdbg -r localhost:
32878 wine
1579 localhost:
32878 is not a fixed value, but has been printed in step
1580 1/. 'wine' should also be the full path to the wine executable.
1584 The program should now be loaded and up and running. If you want, you
1585 can also add in
1/ after the name of the exec all the needed
1592 <title>Using other Unix debuggers
</title>
1595 You can also use other debuggers (like
1596 <command>gdb
</command>), but you must be aware of a few
1600 You need to attach the unix debugger to the correct unix
1601 process (representing the correct windows thread) (you can
1602 "guess" it from a
<command>ps fax
</command> for example:
1603 When running the emulator, usually the first two
1604 <varname>upids
</varname> are for the Windows' application
1605 running the desktop, the first thread of the application is
1606 generally the third
<varname>upid
</varname>; when running a
1607 Winelib program, the first thread of the application is
1608 generally the first
<varname>upid
</varname>)
1612 Even if latest
<command>gdb
</command> implements the
1613 notion of threads, it won't work with Wine because the
1614 thread abstraction used for implementing Windows' thread
1615 is not
100% mapped onto the Linux POSIX threads
1616 implementation. It means that you'll have to spawn a
1617 different
<command>gdb
</command> session for each Windows'
1618 thread you wish to debug.
1623 Here's how to get info about the current execution status of a
1624 certain Wine process:
1627 Change into your Wine source dir and enter:
1633 Switch to another console and enter
<command>ps ax | grep
1634 wine
</command> to find all wine processes. Inside
1635 <command>gdb
</command>, repeat for all Wine processes:
1638 (gdb) attach
<userinput>PID
</userinput>
1641 with
<userinput>PID
</userinput> being the process ID of one of
1642 the Wine processes. Use
1648 to get the backtrace of the current Wine process, i.e. the
1649 function call history. That way you can find out what the
1650 current process is doing right now. And then you can use
1660 (gdb) b
<userinput>SomeFunction
</userinput>
1669 to set a breakpoint at a certain function and continue up to
1670 that function. Finally you can enter
1676 to detach from the Wine process.
1678 <!-- *** End of xtra content *** -->
1682 <title>Using other Windows debuggers
</title>
1685 You can use any Windows' debugging API compliant debugger
1686 with Wine. Some reports have been made of success with
1687 VisualStudio debugger (in remote mode, only the hub runs
1688 in Wine). GoVest fully runs in Wine.
1693 <title>Main differences between winedbg and regular Unix debuggers
</title>
1694 <table><title>Debuggers comparison
</title>
1695 <tgroup cols=
2 align=
"left">
1698 <entry>WineDbg
</entry><entry>gdb
</entry>
1702 WineDbg debugs a Windows' process: the various
1703 threads will be handled by the same WineDbg session,
1704 and a breakpoint will be triggered for any thread of
1708 gdb debugs a Windows' thread: a separate gdb session
1709 is needed for each thread of a Windows' process and
1710 a breakpoint will be triggered only for the w-thread
1716 WineDbg supports debug information from stabs
1717 (standard Unix format) and Microsoft's C, CodeView,
1721 GDB supports debug information from stabs (standard
1722 Unix format) and Dwarf II.
1732 <sect1 id=
"dbg-limits">
1733 <title>Limitations
</title>
1738 16 bit processes are not supported (but calls to
16 bit
1739 code in
32 bit applications are).
1744 Function call in expression is no longer supported
1751 <!-- Keep this comment at the end of the file
1754 sgml-parent-document:("wine-devel.sgml" "set" "book" "part" "chapter" "")