一:背景
1. 講故事
很多.NET開發者在學習高級偵錯的時候,使用sos的命令輸出會發現這裏也看不懂那裏也看不懂,比如截圖中的這位朋友。
.NET高級偵錯屬於一個偏冷門的領域,國內可觀測的資料比較少,所以很多東西需要你自己去探究原始碼,然後用各種偵錯工具去驗證,相關原始碼如下:
coreclr: https://github.com/dotnet/runtime
windows: https://github.com/reactos/reactos
linux: https://www.kernel.org/
這一篇權當拋磚引玉,來引導一下如何去探索。
二:WinDbg 分析
1. 復原現象
為了方便講述先上一段簡單的測試程式碼,來觀察一下執行緒列表中所謂的 lockcount 列。
internal classProgram
{
staticvoidMain(string[] args)
{
Console.WriteLine("hello world...");
Debugger.Break();
}
}
接下來用 windbg 附加一下,使用
!threads
命令觀察輸出。
0:000> !t
ThreadCount: 3
UnstartedThread: 0
BackgroundThread: 2
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
Lock
DBG ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
0114c8 000001A8B862DBB0 2a020 Preemptive 000001A8BA1DDEE0:000001A8BA1DF478 000001a8b8623c20 0 MTA
5271e0000001A8D25740B0 2b220 Preemptive 0000000000000000:0000000000000000000001a8b8623c20 0 MTA (Finalizer)
7331b0 000001A8B86E7730 102a220 Preemptive 0000000000000000:0000000000000000000001a8b8623c20 0 MTA (Threadpool Worker)
從上面的卦中可以看到
Lock Count=0
,那這裏的值取自源碼的哪裏呢?
2. 取自哪裏
大家要知道每一行記錄都是在
coreclr Thread
中摘取出來的欄位,言外之意就是可以把 Thread 所有資訊給展示出來,可以用 dt 命令,簡化後如下:
0:000> dt coreclr!Thread 000001A8B862DBB0
+0x000 __VFN_table : 0x00007ffd`d2f93c70
=00007ffd`d30ce8d8 m_DetachCount : 0n0
=00007ffd`d30ce8d4 m_ActiveDetachCount : 0n0
=00007ffd`d30cf4dc m_threadsAtUnsafePlaces : Volatile<long>
+0x008 m_State : Volatile<enum Thread::ThreadState>
+0x00c m_fPreemptiveGCDisabled : Volatile<unsigned long>
+0x010 m_pFrame : 0x0000006f`df57e328 Frame
+0x018 m_pDomain : 0x000001a8`b8623c20 AppDomain
+0x020 m_dwLockCount : 0
+0x024 m_ThreadId : 1
...
透過仔細分析卦中資訊,可以發現這個 lockcount 其實就是
m_dwLockCount
欄位,知道是這個欄位之後接下來就是尋找coreclr源碼啦,截圖如下:
從源碼註釋中看的非常清楚,這個欄位可用來跟蹤5中鎖。
critical p
spin lock
syncblock lock
EE Crst
GC lock
接下來搜尋下源碼看看 m_dwLockCount 是怎麽更新的,可以發現如下兩處,並且都是和同步塊索引相關,截圖如下:
inline void Thread::IncLockCount()
{
LIMITED_METHOD_CONTRACT;
_ASSERTE(GetThread() == this);
m_dwLockCount++;
_ASSERTE(m_dwLockCount != 0 || HasThreadStateNC(TSNC_UnbalancedLocks));
}
inline void Thread::DecLockCount()
{
LIMITED_METHOD_CONTRACT;
_ASSERTE(GetThread() == this);
_ASSERTE(m_dwLockCount > 0 || HasThreadStateNC(TSNC_UnbalancedLocks));
m_dwLockCount--;
}
接下來要做的一件事就是如何自增 m_dwLockCount 值 來模擬達到這位朋友的 1024。
3. 如何模擬復現
其實當你知道是跟蹤這五種鎖,要模擬就非常簡單了,為了方便講述上一段測試程式碼,利用 lock 讓 m_dwLockCount 欄位不斷自增,參考如下:
internal classProgram
{
publicstaticobject[] locks;
staticvoidMain(string[] args)
{
locks = Enumerable.Range(0, 100).Select(i => newobject()).ToArray();
foreach (var item in locks)
{
Monitor.Enter(item);
}
Debugger.Break();
Console.ReadLine();
}
}
接下來用 windbg 附加觀察一下。
0:000> !t
ThreadCount: 3
UnstartedThread: 0
BackgroundThread: 2
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
Lock
DBG ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
016c90 00000239840DDBB0 2a020 Preemptive 0000023985B2BB38:0000023985B2D478 00000239840d3c20 100 MTA
52217800000239859640B0 2b220 Preemptive 0000000000000000:000000000000000000000239840d3c20 0 MTA (Finalizer)
736d00 0000023984197700102a220 Preemptive 0000000000000000:000000000000000000000239840d3c20 0 MTA (Threadpool Worker)
0:000> dt coreclr!Thread 00000239840DDBB0
+0x000 __VFN_table : 0x00007ffd`d2f93c70
=00007ffd`d30ce8d8 m_DetachCount : 0n0
=00007ffd`d30ce8d4 m_ActiveDetachCount : 0n0
=00007ffd`d30cf4dc m_threadsAtUnsafePlaces : Volatile<long>
+0x008 m_State : Volatile<enum Thread::ThreadState>
+0x00c m_fPreemptiveGCDisabled : Volatile<unsigned long>
+0x010 m_pFrame : 0x00000074`a937e888 Frame
+0x018 m_pDomain : 0x00000239`840d3c20 AppDomain
+0x020 m_dwLockCount : 0x64
這裏順便提一下,如果你想即時觀察 m_dwLockCount 更改的執行緒棧資訊,可以在
Thread+0x20
處下一個ba硬體斷點即可。
0:000> !t
ThreadCount: 3
UnstartedThread: 0
BackgroundThread: 2
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
Lock
DBG ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
01618800000290D550DBB0 2a020 Preemptive 00000290D6F4AD20:00000290D6F4B478 00000290d5503c20 0 MTA
52686c 00000290EF3F40B0 2b220 Preemptive 0000000000000000:000000000000000000000290d5503c20 0 MTA (Finalizer)
73312c 00000290D55C7740 102a220 Preemptive 0000000000000000:000000000000000000000290d5503c20 0 MTA (Threadpool Worker)
0:000> ba w4 00000290D550DBB0+0x20
0:000> g
ModLoad: 00007ffd`cff80000 00007ffd`cffd1000 C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.32\System.Collections.dll
ModLoad: 00007ffd`d00d0000 00007ffd`d0103000 C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.32\System.Runtime.Extensions.dll
Breakpoint 1 hit
coreclr!JIT_MonEnter_Portable+0x65:
00007ffd`d298c8a5 4883c430 add rsp,30h
0:000> kL 5
# Child-SP RetAddr Call Site
00000000b5`f917e780 00007ffd`72e917f4 coreclr!JIT_MonEnter_Portable+0x65
01000000b5`f917e7c0 00007ffd`d29b6ca3 0x00007ffd`72e917f4
02000000b5`f917e860 00007ffd`d294cc62 coreclr!CallDescrWorkerInternal+0x83
03 (Inline Function) --------`-------- coreclr!CallDescrWorkerWithHandler+0x57
04000000b5`f917e8a0 00007ffd`d2953c29 coreclr!MethodDescCallSite::CallTargetWorker+0x196
...
三:總結
還是那句話,國內
.NET高級偵錯
方面的資料甚少,要想理解sos命令輸出是什麽意思,切記多看源碼,其實本篇重要的不是知識,而是告訴你如何去探究新知的方法。
