Using WinDBG/CDB and SOS to find a thread given a ManagedThreadId

CDB and SOS have more power than most people realize, I’ll use this post to show some some handy cdb/sos tricks while at the same answering the simple question of which thread a ManagedThreadId maps to.

At the end of this post you’ll be able to:

  • Map a ManagedThreadId to the correct thread ordinal
  • Use CDB to convert from decimal to hex
  • Pipe CDB commands through pipeline commands like findstr

Full source for the simple app below can be found here. In the below app we want to figure which thread we’re running on so we can inspect the stack. 

    internal class Program
    {
        private static void SleepForever() { Thread.Sleep(Int32.MaxValue); }

        static void Main(string[] args)
        {
            const int countThreadsToStart = 20;
            foreach (var unused in Enumerable.Range(0, countThreadsToStart))
            {
                // Instantiate thread that prints and stores its ManagedThreadId.
                new Thread(() =>
                {
                    // store ThreadId as an object as this forces boxing and lets us find the object on the stack via !dso in SOS.
                    object boxedThreadId = Thread.CurrentThread.ManagedThreadId;
                    Console.WriteLine("Find my threadId of {0}", boxedThreadId);
                    SleepForever();
                }).Start();
            }
            SleepForever();
        }
    }

Step 1, run this app in CDB: 

 PS C:\hgs\ig2600_blog\FindTheThread\bin> C:\bin_drop\public_dbg_64\cdb .\Debug\FindTheThread.exe

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: .\Debug\FindTheThread.exe
 
Find my threadId of 3
Find my threadId of 4
Find my threadId of 5
Find my threadId of 6
Find my threadId of 7
Find my threadId of 8
Find my threadId of 9
Find my threadId of 10
Find my threadId of 11
Find my threadId of 12
Find my threadId of 13
Find my threadId of 14
Find my threadId of 15
Find my threadId of 16
Find my threadId of 17
Find my threadId of 18
Find my threadId of 19
Find my threadId of 20
Find my threadId of 21
Find my threadId of 22
(e28.c94): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`7744ef90 cc              int     3
0:025> .loadby sos clr

Lets say our goal is to debug what’s running on thread 21, how do we know which thread ordinal we should debug on?   Luckily we have a !Threads command: 

 0:025> !threads
ThreadCount:      22
UnstartedThread:  0
BackgroundThread: 1
PendingThread:    0
DeadThread:       0
Hosted Runtime:   no
                                           PreEmptive                                                   Lock
       ID  OSID        ThreadOBJ     State GC       GC Alloc Context                  Domain           Count APT Excepti
on
   0    1  224c 000000000054dd80   200a020 Enabled  0000000002ac90b0:0000000002ac9fd0 00000000004ee680     0 MTA 2    2   c8c 0000000000553bd0      b220 Enabled  0000000000000000:0000000000000000 00000000004ee680     0 MTA (Finalizer)
   4    3  1670 0000000000591620   200b020 Enabled  0000000002ac3be0:0000000002ac3fd0 00000000004ee680     0 MTA
   5    4  1c84 0000000000578370   200b020 Enabled  0000000002ac4160:0000000002ac5fd0 00000000004ee680     0 MTA
   6    5  1a54 000000000057a190   200b020 Enabled  0000000002ac6160:0000000002ac7fd0 00000000004ee680     0 MTA
   7    6  2364 0000000000591f90   200b020 Enabled  0000000002aca160:0000000002acbfd0 00000000004ee680     0 MTA
   8    7   b38 0000000000593570   200b020 Enabled  0000000002acc160:0000000002acdfd0 00000000004ee680     0 MTA
   9    8  1c88 0000000000594df0   200b020 Enabled  0000000002ace160:0000000002acffd0 00000000004ee680     0 MTA
  10    9   ef8 00000000005966b0   200b020 Enabled  0000000002ad0160:0000000002ad1fd0 00000000004ee680     0 MTA
  11    a  21d0 0000000000597f70   200b020 Enabled  0000000002ad2160:0000000002ad3fd0 00000000004ee680     0 MTA
  12    b  22a8 0000000000599830   200b020 Enabled  0000000002ad4160:0000000002ad5fd0 00000000004ee680     0 MTA
  13    c   600 000000000059b0f0   200b020 Enabled  0000000002ad6160:0000000002ad7fd0 00000000004ee680     0 MTA
  14    d  2388 000000000059c9b0   200b020 Enabled  0000000002ad8160:0000000002ad9fd0 00000000004ee680     0 MTA
  15    e  19b8 000000000059e270   200b020 Enabled  0000000002ada160:0000000002adbfd0 00000000004ee680     0 MTA
  16    f  1e9c 000000000059fb30   200b020 Enabled  0000000002adc160:0000000002addfd0 00000000004ee680     0 MTA
  17   10  1c9c 00000000005a13f0   200b020 Enabled  0000000002ade160:0000000002adffd0 00000000004ee680     0 MTA
  18   11  20c4 00000000005a2d40   200b020 Enabled  0000000002ae0160:0000000002ae1fd0 00000000004ee680     0 MTA
  19   12  14bc 00000000005a4600   200b020 Enabled  0000000002ae2160:0000000002ae3fd0 00000000004ee680     0 MTA
  20   13  1994 00000000005a5ec0   200b020 Enabled  0000000002ae4160:0000000002ae5fd0 00000000004ee680     0 MTA
  21   14  19bc 00000000005a7780   200b020 Enabled  0000000002ae6160:0000000002ae7fd0 00000000004ee680     0 MTA
  22   15   1ac 00000000005a9040   200b020 Enabled  0000000002ae8160:0000000002ae9fd0 00000000004ee680     0 MTA
  23   16  2084 00000000005aa900   200b020 Enabled  0000000002aea160:0000000002aebfd0 00000000004ee680     0 MTA
0:025>

In this output, the first column is the thread ordinal (which is what the ~ operator works on).  The second column, is the OSID which is the ManagedThreadID,  but is inconveniently the value is displayed in hexdecimal.  To continue we need to find the thread ordinal, given an OSID of 21 in base 16. To convert 21 to hex, use the evaluation operator (?), and pass in an explicitly base 10 number by pre-pending 0n:

 0:025> ? 0n21
Evaluate expression: 21 = 00000000`00000015
0:025>

Now, re-run !threads, but pipe the output through findstr 15 . Findstr can be run via the .shell command: 

 0:025> .shell -ci "!Threads" findstr 15"
  15    e  19b8 000000000059e270   200b020 Enabled  0000000002ada160:0000000002adbfd0 00000000004ee680     0 MTA
  22   15   1ac 00000000005a9040   200b020 Enabled  0000000002ae8160:0000000002ae9fd0 00000000004ee680     0 MTA

OSID 15, is thread 22, lets switch to it with the ~s operator: 

0:025> ~22s
ntdll!NtDelayExecution+0xa:
00000000`7745009a c3              ret

To verify we have the correct thread, we can dump the stack and inspect the boxedThreadId Object. We do this with !dso to (dump stack objects) and then run !do (dump object) on the int32.

0:022> !dso
OS Thread Id: 0x1ac (22)
RSP/REG          Object           Name
0000000021F7E4C0 0000000002ac2110 Microsoft.Win32.SafeHandles.SafeFileHandle
0000000021F7E590 0000000002ac3048 System.IO.StreamWriter
0000000021F7E5C0 0000000002ac3318 System.Byte[]
0000000021F7E5E0 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E638 0000000002ae7fe8 System.Int32
0000000021F7E640 0000000002ac2070 System.String    Find my threadId of {0}
0000000021F7E680 0000000002ac1fe8 System.Threading.ContextCallback
0000000021F7E698 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E6A0 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E6B0 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E6C0 0000000002ac3490 System.IO.TextWriter+SyncTextWriter
0000000021F7E6D0 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E6D8 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E6E0 0000000002ae7fe8 System.Int32
0000000021F7E6F0 0000000002ac8ea0 System.Threading.Thread
0000000021F7E700 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E748 0000000002ac1fe8 System.Threading.ContextCallback
0000000021F7E750 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E760 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E770 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E7A0 0000000002ac8f60 System.Threading.ExecutionContext
0000000021F7E7B0 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E7C0 0000000002ac8ef8 System.Threading.ThreadHelper
0000000021F7E810 0000000002ac8f20 System.Threading.ThreadStart
0000000021F7E978 0000000002ac8f20 System.Threading.ThreadStart
0000000021F7EBB0 0000000002ac8f20 System.Threading.ThreadStart
0000000021F7EBC8 0000000002ac8f20 System.Threading.ThreadStart

0:022>!do 0000000002ae7fe8
Name:        System.Int32
MethodTable: 000007fee50bc848
EEClass:     000007fee4c40890
Size:        24(0x18) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
000007fee50bc848  400047b        8         System.Int32  1 instance               21 m_value
0:022>

Note the value is 21, exactly what we were looking for! Leave a comment if you have things you’d like to see me debug.

Comments

Russell Troywest said…
Thank you Igor. I've just spent the last hour trying to work out why my callstack wasn't what I was expecting for a specific thread. I'd completely forgotten the OSID was the ManagedThreadId :)
12/06/2011 7:00 AM
Post a Comment

Popular posts from this blog

Finding CLR exceptions without visual studio

(If you want to understand what exception code 0xe0434352 is, read this post ) Often exceptions are thrown and caught and you don't see them. You probably know how to debug this in Visual Studio, so let me show you how to do it in cdb. Sample Code: class Program { static void Main(string[] args) { foreach (var x in Enumerable.Range(0,2000)) { Thread.Sleep(TimeSpan.FromSeconds(1)); Console.WriteLine("Hello World"); ThrowAndCatchException(); } } private static void ThrowAndCatchException() { try { throw new NotImplementedException(); } catch(Exception) { } } } Output of the application: Hello World Hello World Hello World Nothing about an exception, but you're sure it's happening behind the covers -- fire up cdb: C:\Program Files\Debugging Tools for Windows (x64)>cdb -pn consoleapplication3.exe <SNIP> ModLoad: 000007fe`f7e90000 000007fe`f7eb4000 C:\Windows\Mi
Read more

Why do I keep getting exception code e0434352?

If you want to know how to debug CLR exceptions using cdb then read this post . Exception code e0434352 is the exception code used internally by the CLR to represent most exceptions(*). Regardless of if you throw a System.NullReferenceException or a System.ArgumentException in C#, you'll throw a SEH exception e0434352 under the covers. A fun way to validate this theory is to watch what happens to the CLR exceptions settings in cdb. Fire up cdb, and see the state of clr exceptions: 0:000> .shell -ci "sx" findstr clr clr - CLR exception - second-chance break - not handled clrn - CLR notification exception - break - handled .shell: Process exited Now, set the exception handler for exception number e0434352 and recheck the value of the clr exception handler: 0:000> sxe e0434352 0:000> .shell -ci "sx" findstr clr clr - CLR exception - break - not handled clrn - CLR notification exception - break - handled .shell: Process exited Armed with
Read more

Powershell script to enable windows to capture localhost traffic in wireshark

If you want to understand why the following scripts work read this post . Otherwise just paste the following into an elevated powershell window: Setup windows networking to allow localhost capturing in wireshark: # Find the network configuration that has the default gateway. $defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway} if (@($defaultAdapter).Length -ne 1) {throw "You don't have 1 default gateway, your network configuration is not supported" } # Route local IP address via the default gateway route add $defaultAdapter.IPAddress[0] $defaultAdapter.DefaultIPGateway Write-Host "Start capturing on localhost by connecting to $($defaultAdapter.IPAddress[0])" Return windows networking to normal configuration: # Find the network configuration that has the default gateway. $defaultAdapter = Get-WMIObject Win32_NetworkAdapterConfiguration | ? {$_.DefaultIPGateway} if (@($defaultAdapter).Length -ne 1) {throw "Y
Read more