{"id":107360,"date":"2022-11-07T07:00:00","date_gmt":"2022-11-07T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=107360"},"modified":"2022-11-07T09:21:34","modified_gmt":"2022-11-07T17:21:34","slug":"20221107-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20221107-00\/?p=107360","title":{"rendered":"In the debugger, how can I get from a projected type back to the C++\/WinRT implementation?"},"content":{"rendered":"

Say you are looking at a crash dump, and you have a pointer to a Windows Runtime object projection, and you know that the Windows Runtime object is implemented in C++\/WinRT, and you want to get to the implementation type so you can look at its private members.<\/p>\n

The basic trick of treating the pointer as the start of an object doesn’t work:<\/p>\n

0:000> ?? s\r\nstruct winrt::Contoso::Sample\r\n   +0x000 m_ptr : 0x00000205`9ab9cf20 winrt::impl::abi<winrt::Windows::Foundation::IUnknown,void>::type\r\n<\/pre>\n
If you dump memory starting at this interface pointer, you get the expected vtable, but the rest does not match the expected implementation type.<\/p>\n
0:000> dps 0x00000205`9ab9cf20\r\n00000205`9ab9cf20  00007ff6`0bef8998 contoso!winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Contoso::ISample>::`vftable'\r\n00000205`9ab9cf28  00007ff6`0bef8a38 contoso!winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Windows::Foundation::IClosable>::`vftable'\r\n00000205`9ab9cf30  00000000`0000002a\r\n00000205`9ab9cf38  00000205`9ab9dae0\r\n00000205`9ab9cf40  00640065`00720046\r\n00000205`9ab9cf48  00000000`00000000\r\n00000205`9ab9cf50  00000000`00000004\r\n\r\n0:000> dt contoso!winrt::Contoso::implementation::Sample 0x00000205`9ab9cf20\r\n   +0x010 vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Contoso::ISample>\r\n   +0x018 vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Windows::Foundation::IClosable>\r\n   +0x000 __VFN_table : 0x00007ff6`0bef8998\r\n   +0x008 m_references     : std::atomic<unsigned __int64>\r\n   +0x020 m_value          : 0n7471174<\/span> \u2190 garbage\r\n   +0x028 m_name           : std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >\r\n\r\n0:000> ?? ((contoso!winrt::Contoso::implementation::Sample*)0x00000205`9ab9cf20)->m_name\r\nclass std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >\r\n   +0x000 _Mypair          : std::_Compressed_pair<std::allocator<wchar_t>,std::_String_val<std::_Simple_types<wchar_t> >,1>\r\n\r\n0:000> ?? ((consolecppwinrt!winrt::MyProject::implementation::Sample*)0x00000205`9ab9cf20)->m_name._Mypair\r\nclass std::_Compressed_pair<std::allocator<wchar_t>,std::_String_val<std::_Simple_types<wchar_t> >,1>\r\n   +0x000 _Myval2          : std::_String_val<std::_Simple_types<wchar_t> >\r\n\r\n0:000> ?? ((consolecppwinrt!winrt::MyProject::implementation::Sample*)0x00000205`9ab9cf20)->m_name._Mypair._Myval2\r\nclass std::_String_val<std::_Simple_types<wchar_t> >\r\n   +0x000 _Myproxy         : (null)<\/span> \u2190 garbage\r\n   +0x008 _Bx              : std::_String_val<std::_Simple_types<wchar_t> >::_Bxty\r\n   +0x018 _Mysize          : 0xabababab`fdfdfdfd<\/span> \u2190 garbage\r\n   +0x020 _Myres           : 0xabababab`abababab<\/span> \u2190 garbage\r\n<\/pre>\n
The reason nothing matches up is that the projection vtable is not at the start of the object. Let’s look at the initial structure again:<\/p>\n
0:000> dt contoso!winrt::Contoso::implementation::Sample\r\n   +0x010<\/span> vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Contoso::ISample>\r\n   +0x018 vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Windows::Foundation::IClosable>\r\n   +0x000 __VFN_table : Ptr64\r\n   +0x008 m_references     : std::atomic<unsigned __int64>\r\n   +0x020 m_value          : Int4B\r\n   +0x028 m_name           : std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >\r\n<\/pre>\n
Even though the debugger lists the ISample<\/code> projection vtable first, it’s not actually the start of the object. The offset is 0x010<\/code>.<\/p>\n
The object starts with its private little vtable __VFN_table<\/code>. In this case, we see that the projection vtable is at offset 0x10<\/code>, so we can subtract 0x10<\/code> to find the true start of the object:<\/p>\n
0:000> ?? ((consolecppwinrt!winrt::MyProject::implementation::Sample*)0x00000205`9ab9cf10)\r\nstruct winrt::MyProject::implementation::Sample * 0x00000205`9ab9cf20\r\n   +0x010 vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Contoso::ISample>\r\n   +0x018 vtable           : winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Windows::Foundation::IClosable>\r\n   +0x000 __VFN_table : 0x00007ff6`0bef8d68\r\n   +0x008 m_references     : std::atomic<unsigned __int64>\r\n   +0x020 m_value          : 0n42<\/span> \u2190 good value\r\n   +0x028 m_name           : std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> >\r\n\r\n0:000> ?? ((consolecppwinrt!winrt::MyProject::implementation::Sample*)0x00000205`9ab9cf10)->m_name._Mypair._Myval2\r\nclass std::_String_val<std::_Simple_types<wchar_t> >\r\n   +0x000 _Myproxy         : 0x00000205`9ab9dae0 std::_Container_proxy\r\n   +0x008 _Bx              : std::_String_val<std::_Simple_types<wchar_t> >::_Bxty\r\n   +0x018 _Mysize          : 4<\/span> \u2190 good value\r\n   +0x020 _Myres           : 7<\/span> \u2190 good value\r\n\r\n0:000> ?? ((consolecppwinrt!winrt::MyProject::implementation::Sample*)0x00000205`9ab9cf10)->m_name._Mypair._Myval2._Bx\r\nunion std::_String_val<std::_Simple_types<wchar_t> >::_Bxty\r\n   +0x000 _Buf             : [8]  \"Fred\"<\/span> \u2190 good value\r\n   +0x000 _Ptr             : 0x00640065`00720046  \"--- memory read error at address 0x00640065`00720046 ---\"\r\n   +0x000 _Alias           : [8]  \"F\"\r\n<\/pre>\n
We happened to know that the m_ptr<\/code> came from a projection of the Sample<\/code> runtime class, which means that it’s a pointer to the default interface, which is ISample<\/code>. If m_ptr<\/code> came from a projection f the IClosable<\/code> interface, then we would have to adjust by 0x018<\/code> to get to the start of the object.<\/p>\n
My strategy is simply to go backward from the projection pointer and see if a non-projection vtable emerges.<\/p>\n
0:000> dps 0x00000205`9ab9cf20-40 0x00000205`9ab9cf20\r\n00000205`9ab9cee0  00000205`9ab9cdc0\r\n00000205`9ab9cee8  00000205`9ab9dab0\r\n00000205`9ab9cef0  00000000`00000000\r\n00000205`9ab9cef8  00000001`00000000\r\n00000205`9ab9cf00  00000000`00000050\r\n00000205`9ab9cf08  fdfdfdfd`00000118\r\n00000205`9ab9cf10  00007ff6`0bef8d68 contoso!winrt::impl::heap_implements<winrt::Contoso::implementation::Sample>::`vftable'<\/span>\r\n00000205`9ab9cf18  00000000`00000001\r\n00000205`9ab9cf20  00007ff6`0bef8998 contoso!winrt::impl::produce<winrt::Contoso::implementation::Sample,winrt::Contoso::ISample>::`vftable'\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Look behind you.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-107360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Look behind you.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=107360"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107360\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=107360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=107360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=107360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}