WinDBG 设置条件断点

Conditional breakpoints can be veryuseful when you are trying to find bugs in your code. They cause a break tooccur only if a specific condition is satisfied.

A conditional breakpoint is created by combining a breakpoint command witheither thej (Execute If - Else) command or the.if token, followed by thegc (Go from Conditional Breakpoint)command. This breakpoint causes a break to occur only if a specific conditionis satisfied.

The basic syntax for a conditional breakpoint using thej commandis as follows:
0:000> bp Address "j (Condition) 'OptionalCommands'; 'gc' "

The basic syntax for a conditional breakpoint using the.if tokenis as follows:
0:000> bp Address ".if (Condition) {OptionalCommands} .else {gc}"

Conditional breakpoints are best illustrated with an example. Thefollowing command sets a breakpoint at line 143 of theMysource.cppsourcefile. When this breakpoint is hit, the variable MyVar is tested. If thisvariable is less than or equal to 20, execution continues; if it is greaterthan 20, execution stops.
0:000> bp `mysource.cpp:143` "j (poi(MyVar)>0n20) ''; 'gc' " 
0:000> bp `mysource.cpp:143` ".if (poi(MyVar)>0n20) {} .else {gc}"

The preceding command has a fairly complicated syntax that contains thefollowing elements:

The bp (Set Breakpoint) command sets breakpoints. Although the preceding example uses the bp command, you could also use thebu (Set Unresolved Breakpoint) command. For more information about the differences betweenbp andbu, and for a basic introduction to breakpoints, seeUsing Breakpoints.
Bp命令设置断点。尽管前面的例子使用了bp命令,你也可以使用bu命令。如果需要查看bp和bu之间的不同,和断点的简介,可以查看Using Breakpoints.

Source line numbers are specified by using grave accents ( ` ). For details, seeSource Line Syntax.
源代码行通过使用沉音符指定,详见Source Line Syntax.

When the breakpoint is hit, the command in straight quotation marks ( " ) is executed. In this example, this command is aj (Execute If - Else) command or an.if token, which tests the expression in parentheses.

In the source program, MyVar is an integer. If you are using C++ expression syntax, MyVar is interpreted as an integer. However, in this example (and in the default debugger configuration), MASM expression syntax is used. In a MASM expression,MyVar is treated as an address. Thus, you need to use the poi operator to dereference it. (If your variable actually is a C pointer, you will need to dereference it twice—for example,poi(poi(MyPtr)).) The0n prefix specifies that this number is decimal. For syntax details, seeMASM Numbers and Operators.
在源程序中,MyVar是一个整数。如果你使用C++表达式语法,MyVar被解释为一个整数。然而在这个例子中(并且在默认的调试器选项),使用的是MASM表达式语法。在一个MASM表达式中,MyVar被认为是一个地址。因此你需要使用poi操作符去解引用它。(如果你的变量实际上是一个C指针,你需要两次解引用它-例如poi(poi(MyPtr)) )0n前缀指定这个数字是10进制的。语法的详细内容参见MASM Numbers and Operators.

The expression in parentheses is followed by two commands, surrounded by single quotation marks (' ) for thej command and curly brackets ( {} ) for the.if token. If the expression is true, the first of these commands is executed. In this example, there is no first command, so command execution will end and control will remain with the debugger. If the expression in parentheses is false, the second command will execute. The second command should almost always be agc (Go from Conditional Breakpoint) command, because this command causes execution to resume in the same manner that was occurring before the breakpoint was hit (stepping, tracing, or free execution).

If you want to see a message each time the breakpoint is passed or when itis finally hit, you can use additional commands in the single quotation marksor curly brackets. For example:
0:000> bp `:143` "j (poi(MyVar)>5) '.echo MyVar Too Big'; '.echo MyVar Acceptable; gc' " 
0:000> bp `:143` ".if (poi(MyVar)>5) {.echo MyVar Too Big} .else {.echo MyVar Acceptable; gc} " 

These comments are especially useful if you have several such breakpointsrunning at the same time, because the debugger does not display its standard"Breakpoint n Hit" messages when you are using a commandstring in thebp command.
如果你在同一时间有几个这样的断点,这些注释将会特别有用,因为当你在bp命令中使用一个命令字符串时,调试器并不显示它的标准的"Breakpointn Hit"消息

Conditional Breakpoints and Register Sign Extension

You can set a breakpoint that is conditional on a register value.

The following command will break at the beginning of themyFunctionfunction if theeax register is equal to 0xA3:
0:000> bp mydriver!myFunction "j @eax = 0xa3  '';'gc'" 
0:000> bp mydriver!myFunction ".if @eax = 0xa3  {} .else {gc}"

However, the following similar command willnot necessarily breakwheneax equals 0xC0004321:
0:000> bp mydriver!myFunction "j @eax = 0xc0004321  '';'gc'" 
0:000> bp mydriver!myFunction ".if @eax = 0xc0004321  {} .else {gc}"

The reason the preceding command will fail is that the MASM expressionevaluator sign-extends registers whose high bit equals one. Wheneax hasthe value 0xC0004321, it will be treated as 0xFFFFFFFF`C0004321 in computations—eventhougheax will still bedisplayed as 0xC0004321. However, thenumeral0xc0004321 is sign-extended in kernel mode, but not in usermode. Therefore, the preceding command will not work properly in user mode. Ifyou mask the high bits ofeax, the command will work properly in kernelmode—but now it will fail in user mode.

You should formulate your commands defensively against sign extension inboth modes. In the preceding command, you can make the command defensive bymasking the high bits of a 32-bit register by using an AND operation to combineit with 0x00000000`FFFFFFFF and by masking the high bits of a numeric constantby including a grave accent ( ` ) in its syntax.

The following command will work properly in user mode and kernel mode:
0:000> bp mydriver!myFunction "j (@eax & 0x0`ffffffff) = 0x0`c0004321  '';'gc'" 
0:000> bp mydriver!myFunction ".if (@eax & 0x0`ffffffff) = 0x0`c0004321  {} .else {gc}"

For more information about which numbers are sign-extended by thedebugger, seeSign Extension.
如果需要有关数字在调试器中是如何进行符号扩展的,可以查看Sign Extension.

Conditional Breakpoints in WinDbg

In WinDbg, you can create a conditional breakpoint by clickingBreakpoints from theEdit menu,entering a new breakpoint address into the Command box, and entering acondition into theCondition box.

For example, typingmymod!myFunc+0x3A into theCommand boxand myVar < 7 into the Condition box is equivalent to issuingthe following command:
例如,在Command框中输入mymod!myFunc+0x3A并且在Condition框中输入myVar < 7等价于下面的命令
0:000> bu mymod!myFunc+0x3A "j(myVar<7) '.echo "Breakpoint hit, condition myVar<7"'; 'gc'" 
0:000> bu mymod!myFunc+0x3A ".if(myVar<7) {.echo "Breakpoint hit, condition myVar<7"} .else {gc}" 

Restrictions on Conditional Breakpoints

If you arecontrolling the user-mode debugger from the kernel debugger,you cannot use conditional breakpoints or any other breakpoint command stringthat contains thegc (Go from Conditional Breakpoint) org (Go) commands. If you use thesecommands, the serial interface might not be able to keep up with the number ofbreakpoint passes, and you will be unable to break back into CDB.
