Determining a structure field from a field offset

Suppose I am debugging a crash in optimized code. I look at the disassembly, and I see the following:

lea eax,[edi+8Ch] 

Now let's say I know what structure is stored in edi, and that it is a fairly large structure. Large enough that I cannot immediately tell which field the offset 8Ch corresponds to.

What I am doing is simply opening the watch window in Visual Studio and manually doing the pointer arithmetic on a fake NULL pointer (the way the offsetof macro does it) until I get the one that matches, but this is tedious. Is there any way I can quickly determine which field is being accessed?

2 answers

In Visual Studio, you can "watch" an expression like the following:

 (unsigned)&(((StructTypeName*)0)->StructFieldName) 

You try different field names until VS shows you the correct offset value.

You can also load your application into WinDbg (make sure symbols are loaded) and use the dt command. WinDbg dumps the layout/contents of the supplied type or variable name with all field offsets.


If you have to spend much time on this kind of debugging, I would suggest writing a program that prints all the offsets of the struct's fields and lists them as offset; field pairs.

I would go even further and write a script (for example, in Python) that takes the text of the structure and generates a C source file containing offsetof expressions for all the fields of the structure.

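As an added illustration of the approach in the two answers above (this is example code, not from either answerer or from the original thread): a C program that builds an offset; field table for a structure with offsetof/sizeof (the same arithmetic as the (Type*)0 watch expression, but done once by the compiler for every field) and then resolves an arbitrary byte offset such as 8Ch to the field that contains it, reporting how far into that field it lands. It goes slightly beyond the answers by handling offsets that fall inside an array, inside a nested struct, or in padding. The struct Example type, its field names and the FIELD macro are constructed for this example and stand in for whatever type edi really holds; the exact offsets it prints depend on the target ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the real type (hypothetical; not from the question).
   Chosen so that some offsets fall inside an array, a nested struct, and padding. */
struct Inner {
    uint16_t tag;
    uint32_t value;          /* 2 bytes of padding precede this on common ABIs */
};

struct Example {
    void        *vtable;
    uint32_t     flags;
    uint8_t      name[64];
    struct Inner inner;
    uint64_t     counters[8];
    uint32_t     checksum;
};

/* One table row per field: name, start offset, size in bytes. */
struct FieldInfo {
    const char *name;
    size_t      offset;
    size_t      size;
};

/* Same null-pointer arithmetic as the watch-window trick, evaluated at compile time. */
#define FIELD(T, f) { #f, offsetof(T, f), sizeof(((T *)0)->f) }

static const struct FieldInfo example_fields[] = {
    FIELD(struct Example, vtable),
    FIELD(struct Example, flags),
    FIELD(struct Example, name),
    FIELD(struct Example, inner),
    FIELD(struct Example, counters),
    FIELD(struct Example, checksum),
};
#define NFIELDS (sizeof example_fields / sizeof example_fields[0])

/* Return the field whose [offset, offset + size) range contains `off`, or NULL
   when `off` lands in inter-field padding or past the end of the struct.
   `rel_out` (may be NULL) receives the byte distance into that field, which for
   an array field identifies the element (rel / element size) and the byte within it. */
const struct FieldInfo *field_at(size_t off, size_t *rel_out)
{
    for (size_t i = 0; i < NFIELDS; i++) {
        const struct FieldInfo *f = &example_fields[i];
        if (off >= f->offset && off < f->offset + f->size) {
            if (rel_out) *rel_out = off - f->offset;
            return f;
        }
    }
    return NULL;
}

/* Convenience wrapper: field name at `off`, or "(padding)" if no field covers it. */
const char *field_name_at(size_t off)
{
    const struct FieldInfo *f = field_at(off, NULL);
    return f ? f->name : "(padding)";
}

/* Print the complete offset; field table the second answer suggests. */
void print_layout(void)
{
    printf("sizeof(struct Example) = %zu\n", sizeof(struct Example));
    for (size_t i = 0; i < NFIELDS; i++)
        printf("0x%03zx; %-10s (size %zu)\n", example_fields[i].offset,
               example_fields[i].name, example_fields[i].size);
}

int main(int argc, char **argv)
{
    size_t off = 0x8C, rel = 0;             /* the offset from the question's lea */
    if (argc > 1) off = (size_t)strtoul(argv[1], NULL, 0);
    print_layout();
    const struct FieldInfo *f = field_at(off, &rel);
    if (f)
        printf("offset 0x%zx -> %s + %zu bytes\n", off, f->name, rel);
    else
        printf("offset 0x%zx -> padding or out of range\n", off);
    return 0;
}
```

Run it with the offset from the disassembly as the argument (e.g. `./layout 0x8C`); since the table is built from offsetof and sizeof, it must be compiled for the same target and with the same packing and alignment settings as the binary being debugged, otherwise the offsets will not match what the optimizer emitted.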

Source: https://habr.com/ru/post/1437885/

