
Could you please advise on how to resolve the issue with variable display in the Locals window during debugging?

When execution is halted at a breakpoint at the beginning of a function, the variables in the locals window are displayed correctly, and the location column shows "rsp+NN" (for variables on the stack).

Next, I step through the code using Step Into. As soon as the first instruction that accesses the stack content using the rbp register is executed, the content of the Locals window changes. The address in the Location column is now displayed as "rbp-NN," and the values of ALL stack variables in the Locals window change to incorrect ones. As far as I understand, the offsets relative to rbp are incorrect, and the incorrect variable values are a consequence of this.

Here is the code at the beginning of the function (BiBuildIdentifierList from ntoskrnl.exe of Win10 x64):

PAGE:FFFFF8045FF70778 ; __unwind { // __GSHandlerCheck
PAGE:FFFFF8045FF70778 mov [rsp-8+arg_8], rbx
PAGE:FFFFF8045FF7077D push rbp
PAGE:FFFFF8045FF7077E push rsi
PAGE:FFFFF8045FF7077F push rdi
PAGE:FFFFF8045FF70780 push r12
PAGE:FFFFF8045FF70782 push r13
PAGE:FFFFF8045FF70784 push r14
PAGE:FFFFF8045FF70786 push r15
PAGE:FFFFF8045FF70788 lea rbp, [rsp-27h]
PAGE:FFFFF8045FF7078D sub rsp, 0E0h
PAGE:FFFFF8045FF70794 mov rax, cs:__security_cookie
PAGE:FFFFF8045FF7079B xor rax, rsp
PAGE:FFFFF8045FF7079E mov [rbp+57h+var_40], rax ; <=== here, the content of Locals changes to incorrect
PAGE:FFFFF8045FF707A2 xor r13d, r13d
PAGE:FFFFF8045FF707A5 mov [r8+8], r8

The first screenshot shows the state immediately before executing the instruction mov [rbp+57h+var_40], rax.

The next screenshot shows the state right after executing this instruction. The variable "P" is highlighted in the screenshots. It's an example that demonstrates that the content in the locals window does not match the actual content in memory. However, the issue affects the display of all stack variables. In the second screenshot, all variables in the Locals window are red, meaning they all "changed" their values after executing just one instruction.

If we look at the definition of the variable "P" in the Pseudocode-A window, the comments show the correct offsets relative to rsp and rbp. If I hover the mouse over the variable name "P" in the Pseudocode-A window, the tooltip displays the incorrect value of the variable (the same as in the locals window).

It turns out that the Locals window shows correct values for register variables. For stack variables, the values are displayed correctly if the variables are addressed via rsp. However, if stack variables are addressed via rbp, the values are incorrect.

I tried to change the parameters in the Edit Function dialog. But I can change only "Local variables area", and only increase it. If I try to decrease "Local variables area", or if I try to change "Saved registers", "Purged bytes", "Frame pointer delta" or "BP based frame", then the changed values are not saved: when I open the Edit Function dialog again, I see the old parameters.

  • Hi and welcome to RE.SE. My guess here would be that the individual windows need explicit synching. But I am not sure and will defer to those who actually know. Commented Sep 10 at 7:45
  • Hi. I checked another function. Alas, the problem is stable. If the function is using rbp, then the problem manifests itself. If the function is using only rsp, then all is right with Locals. I would have thought it was a bug. But it would have been noticed long ago. I probably missed something in the settings somewhere. Commented Sep 10 at 12:07
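As an added example (not code from the question, and not IDA's own logic), the following Python script replays only the register arithmetic of the prologue in the listing: seven pushes, lea rbp, [rsp-27h] and sub rsp, 0E0h. It takes the "57h" that IDA prints in [rbp+57h+var_40] as the frame pointer delta, derives the matching rsp-based displacement, and checks that both operand forms resolve var_40 to the same address, which is the check to run against whatever address the Locals window reports. The entry-time rsp value is a constructed sample, and address_if_delta_ignored is a hypothetical of mine (what a viewer would compute if it treated rbp itself as the frame base), not something the question establishes.

```python
# Added example, not from the original question or from IDA: a small model of
# the prologue in the listing, used to check that the rsp-based and rbp-based
# operand forms for the same local resolve to the same address.

ENTRY_RSP = 0xFFFF_A000_1234_5FF8  # constructed sample: rsp at function entry

FP_DELTA = 0x57   # the "57h" IDA prints in [rbp+57h+var_40]
VAR_40 = -0x40    # frame offset of var_40 (IDA's var_N sits at frame offset -N)


def run_prologue(entry_rsp=ENTRY_RSP):
    """Replay the rsp/rbp effects of the listed prologue.

    The first instruction, mov [rsp-8+arg_8], rbx, writes to the caller's
    home area and leaves rsp unchanged, so it plays no part here.
    """
    rsp = entry_rsp
    rsp -= 7 * 8           # push rbp, rsi, rdi, r12, r13, r14, r15
    rbp = rsp - 0x27       # lea rbp, [rsp-27h]
    rsp -= 0xE0            # sub rsp, 0E0h
    return rsp, rbp


def frame_layout(entry_rsp=ENTRY_RSP):
    """Locate var_40 through rbp and through rsp and compare the two.

    IDA's operand form [rbp+57h+var_40] says the frame base is rbp+57h.
    The rsp-based form of the same slot is [rsp+NN+var_40], where NN is
    the distance from rsp to that frame base, so both must agree.
    """
    rsp, rbp = run_prologue(entry_rsp)
    frame_base = rbp + FP_DELTA
    sp_delta = frame_base - rsp            # the NN IDA would print for rsp-based access
    via_rbp = rbp + FP_DELTA + VAR_40      # [rbp+57h+var_40]  ->  [rbp+17h]
    via_rsp = rsp + sp_delta + VAR_40      # [rsp+110h+var_40] ->  [rsp+0D0h]
    return {
        "rbp_minus_rsp": rbp - rsp,        # how far rbp sits above rsp after the prologue
        "rbp_disp": FP_DELTA + VAR_40,     # displacement IDA encodes relative to rbp
        "rsp_disp": sp_delta + VAR_40,     # displacement IDA encodes relative to rsp
        "via_rbp": via_rbp,
        "via_rsp": via_rsp,
        "consistent": via_rbp == via_rsp,
    }


def address_if_delta_ignored(entry_rsp=ENTRY_RSP):
    """Hypothetical (not established by the question): the address a viewer
    would compute for var_40 if it took rbp itself as the frame base, i.e.
    [rbp-40h]. It lands FP_DELTA bytes below the slot the code writes."""
    _, rbp = run_prologue(entry_rsp)
    return rbp + VAR_40


if __name__ == "__main__":
    layout = frame_layout()
    for name, value in layout.items():
        shown = f"{value:#x}" if not isinstance(value, bool) else str(value)
        print(f"{name:>14}: {shown}")
    gap = layout["via_rbp"] - address_if_delta_ignored()
    print(f"delta ignored : {address_if_delta_ignored():#x} ({gap:#x} bytes below the real slot)")
```

Running it shows rbp sitting 0B9h bytes above rsp once the prologue has finished, with var_40 at [rbp+17h] and at [rsp+0D0h], both the same address. Because the frame pointer delta is 57h, every local at a frame offset above -57h has a positive displacement from rbp, so a Locals window that reports such a variable at "rbp-NN" is not using the delta shown in the listing; comparing the address it reports with the value computed here tells you by how much it is off.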
