What the panes show
The panes give a "snapshot" of the debuggee at one point in the execution process. If the debuggee is currently in the debug loop then it will be in a suspended state, and the panes will show that current state. The state includes the current register values (register pane), the current stack contents (esp stack pane and ebp stack pane) and the last line of executed code (codepane). The panes have a white background if the thread being looked at is currently in the debug loop or if it will go back into the debug loop when the system returns from an API.
Under Win32, it is the system, rather than the processor, which holds the register values. This is because the processor needs to be switched to run more than one program. The register values are kept in any area of memory kept by the system for each process called the "register context". When it is the turn of a thread to get processor time, its register context will be given to the processor. When in the debug loop the register context is read within the debug loop using the API GetThreadContext. This API only gives valid results in the debug loop (when the process is in suspension).
As for the stack, on start-up each program is given a small amount of physical memory for its stack. As stack requirements grow, the system allocates more memory. The area of memory used for the stack is contained in the "memory context" of the process.
If the panes are grey
If panes are grey, this means that the thread showing in the panes is not currently in the debug loop, probably because it is running. The grey panes tell you that the information displayed in the panes is not necessarily an accurate display of the current state of the thread.
Note that if you have pressed F6 to trace over a procedure and the debuggee has not yet returned from that procedure (whether an API or a procedure in its own code) the panes are not greyed. This is because GoBug is waiting for the return from the procedure.
The codepane shows the current instruction place (pointed to by the red arrow), and the code disassembly at that place and nearby instruction lines. GoBug is a symbolic debugger. This enables the names of code labels to be shown. "START" is shown here, showing the program starting address. The symbols in the data section are also shown, as on the 4th line you can see MOV [hInst],EAX. This is a move instruction from the EAX register into the data section symbol "hInst" (square brackets indicate a memory reference). In this illustration there are also 3 calls to Windows APIs. The name of the API is given first, then the Windows DLL which contains the API.
All numbers are shown in the codepane are in hex. The numbers on the left column correspond to the instruction address as loaded into the debuggee's memory context by Windows.
Use the scrollbar on the right hand side to scroll up and down the code section you are viewing. In the scrollbar there is a button with a little right arrow. This is the scroll button. Move this to scroll up and down the codepane (a popup window will appear showing the current address being displayed). Or you can click it to expand the codepane so that you can view all the text material in the codepane. If the codepane has the key focus you can use the right arrow key to expand the codepane and the left arrow key to retract it.
Displaying Unicode symbols in the codepane
The "Go" tools allow you to use Unicode code and data labels in your applications and these are displayed properly by GoBug. Here is an example of the codepane display where some symbols with non-Roman characters are used
Viewing different code sections in the codepane
Move to a different code section by using the "inspect, codepane to view code at .." menu item, which allows you to choose the address to view (or code symbol to view if loaded). Using the codepane you can only view the code sections of the debuggee itself (including loaded DLLs). If you want to view 32-bit code in any other memory area you need to create a code inspector.
Viewing the opcodes in the codepane
Checking the menu item "view, codepane opcodes mouseover" (or the same from the right click context menu when in the codepane) causes the opcodes to be shown on mouseover within the codepane rather than the disassembly.
Negative immediate values in the codepane
GoBug does not normally show immediate values as signed numbers. What this means is that if you code MOV EAX,88000000h this is what will appear in the codepane on disassembly. This is despite the fact that the highest bit in this number is set and it could be regarded as a negative (signed) number (value minus 78000000h). However in some cases, GoBug will assume a signed value was intended by the coder and so it may show the number as negative. This occurs if the short-form of coding is found on disassembly ie. opcode 83, which uses only 3 bytes instead of the usual 6. This is normally produced you code ADC, ADD, AND, CMP, OR, SBB, SUB and XOR using 32 bit registers where the operand is a number between -80h and +7Fh. Note however, that not all assemblers will do this. In the same way PUSHing a value between -80h and +7Fh can be done with two opcode bytes using the opcode 6A, and GoBug treats these too, as signed numbers.
The eip arrow
This arrow points to the current instruction before it is executed. Pressing F5 will execute that instruction and move to the next. Jumps and conditional jumps will show as either an up or a down arrow (there will also be a change in colour). If you change the flags while the pointer is at a conditional jump, the arrow will change to suit the new flags. The arrow may also change direction if you change a register value tested by an instruction for example changing ECX to zero on a LOOP instruction.
If you can see the codepane with a white background, but you cannot see the eip arrow, it is because you are viewing an area of code away from the current instruction. Use "inspect, codepane to view at .." to restore the codepane view to the current eip. Note that in a multi-threaded application each thread will have its own eip value. Choose the correct eip for the code section actually in the debug loop, shown by the thread button.
If the arrow is intermittent but pointing to a CALL instruction, this shows that the CALL is currently executing but the CALL has not yet returned. The CALL may be carrying out a long process, it might be waiting for something to happen or it might be stuck in a loop. See action if a thread has not returned from a CALL.
Repeating a codepane view in a new session
If you start a new session with the same debuggee, the last codepane views (whether by code address or by procedure name) will appear on the "inspect, codepane to view at .." menu. See sessions.
Context menu in the codepane
A right click in the codepane gives a context menu from which you can easily choose various options including setting a breakpoint and dealing with the appearance of the codepane..
The register pane
The register pane shows the current values contained in the ordinary registers. These are all hex numbers. In the case of the segment registers (DS, CS, SS, FS, GS), although these are 32-bit registers, only the first 16 bits hold valid values, the remainder of bits are unused. The flags are also shown in the register pane. The flags are C (carry), P (parity), A=, Z (zero), S (sign), O (overflow) and D (direction).
Changing the registers and flags
When in the debug loop, you can change the value of the registers. To do this, left click on the register, delete the digits you want to change and enter the new value (press enter when done or ESC to cancel). You can also change the flags. To do this, left click on the flag to change.
When the register pane has the focus instead of clicking the mouse you can press enter twice to change the register or flag which has the focus rectangle. If the register or flag is already highlighted you need only press enter once.
As you single step through the code, the registers and flags which have changed in value since the last instruction appear in a different colour.
Context menu in the register pane
A right click in the register gives a context menu from which you can easily choose various options including amending a register and inspecting a value contained in a register..
The stack pane (ESP)
The stack panes display the contents of the stack for the thread which is in the debug loop. At the beginning of a debug session the ESP pane will show the stack at the position of the stack pointer (this is indicated by a line). This place is where any PUSH or POP instruction will use the stack. As you single step through the code, any stack contents which have changed in value since the last instruction will appear in a different colour.
Each line of the stack display represents one stack position (which in Win32 means one dword). The left hand side of the stack display shows the offset from ESP for the line being displayed. The actual stack address appears every 4 lines. Compare these values with the ESP value shown in the register pane, to understand the stack pane display. The right hand column displays the actual contents of the stack. Note that when you make an API call, or a call to a procedure you will probably find that several changes occur to the stack in many places which are out of view. Scroll up and down to display the remainder of the stack.
See also the stacktrace pane.
The stack pane (EBP)
The EBP stack pane can be used to follow local data being kept on the stack within a stack frame in a procedure. Again the line shows the address contained in the ESP register. This coding shows how to use the EBP stack pane in practice (example taken from a dialog procedure):-
1. DlgProc: 2. PUSH EBP 3. MOV EBP,ESP 4. SUB ESP,40h ; ;main dialog procedure code goes here ; MOV ESP,EBP POP EBP RET 10hThis code shows the establishment of a stack frame for a dialog procedure. It has two jobs to do. Firstly it must arrange for EBP to be used to address the arguments sent by the caller. Secondly it must set up an area on the stack where local data can be stored whilst in the procedure. Line 3 sets up EBP to address the arguments. After that instruction has been executed, the arguments sent by the system can be addressed as follows:-
See also the stacktrace pane.
Changing the stack
When in the debug loop, you can change the contents of the stack. This is useful if you want to try passing different parameters to an API. To do this, left click on the stack position you want to change, delete the digits you want to change and enter the new value (press enter when done or ESC to cancel).
When the stack pane has the focus instead of clicking the mouse you can press enter twice to change the stack position which has the focus rectangle. If the register or flag is already highlighted you need only press enter once.
Context menu in the stack panes
A right click in the stack pane gives a context menu from which you can easily choose various options including amending the stack and inspecting a value contained in the stack..
Refreshment of the panes
The contents of the panes are refreshed immediately after each single step. If you want to refresh the panes at any other time you can click on the appropriate a href="Multi.htm#tb">thread button or you can use the "inspect, refresh all panes/inspectors" menu item.
Changing the number and
position of the panes
Changing the size of the
Restoring the size, number and position of the panes
Dumping the panes
Printing the panes
Use the toolbar pane buttons to change the number and position of the main panes. The buttons (starting from the left) correspond to the codepane, register pane, ESP stackpane, EBP stackpane and the logpane (yes that's supposed to be a log!). For more information about the logpane click here. To remove a pane switch off its button. To restore a pane switch it on again. The order in which you switch on the panes determines the position of the pane, since they fill the main window in the following sequence: top left, bottom left, top right, bottom right.
Each pane may be changed in size in the usual way ie. by dragging its edge.
You can restore the size, number and position of the main panes (code, register and stack panes) to the default by clicking on the menu item "view, panes as default".
Ensure that the pane you want to dump is visible. Scroll that pane so that it shows the starting point of the material you want to dump. Click on the menu item "file, dump". Click on the appropriate pane which will appear in the menu item. Alternatively right click on the pane and choose "dump the pane". Choose a file name for the dumped file (GoBug will suggest a name). Choose a path for the file to be written (GoBug will remember this for the next time you debug this particular exe). Choose the type of file to make (use ANSI unless you want to make a Unicode file because you are using non-Roman characters). If dumping the codepane or a stackpane you may change the starting point and size of the dump. If dumping the register pane, this is a single page only. The file which is created on this dump is plain text with carriage returns and line feeds but no tabs. It is usually best to view the dumped file with an editor set to a fixed width font (as opposed to a proportionally spaced font).
Ensure that the pane you want to print is visible. Scroll that pane so that it shows the starting point of the material you want to print. Click on the menu item "file, print". Alternatively right click on the pane and choose "print the pane". Click on the appropriate pane which will appear in the menu item. If printing the codepane or a stackpane you may change the starting point and size of the print. If printing the register pane, this is a single page only. You can change the font used for printing by using the "settings, fonts, when printing" menu item.
Changing the size of the
Restoring the size, number and position of the panes
Dumping the panes
Printing the panes