WinDbg: Failed to find runtime module (coreclr.dll or clr.dll or libcoreclr.so)

当我们通过 WinDbg 启动一个 .NET 的程序时，WinDbg 将会在运行可执行之前执行一个中断，此时还没有加载 .NET 的运行时。

但是，SOS 扩展需要 clr.dll 或者 coreclr.dll 的支持。所以，在这个时间点执行 SOS 的扩展指令会遇到如下的错误：

0:000> .load C:\Users\Guanjun\.dotnet\sos\sos.dll
0:000> !threads
Failed to find runtime module (coreclr.dll or clr.dll or libcoreclr.so), 0x80004002
Extension commands need it in order to have something to do.
For more information see https://go.microsoft.com/fwlink/?linkid=2135652

解决的方式是使用 g 命令继续执行托管程序，此时会自动加载需要的模块，其中包括了 coreclr.dll，如下所示：

0:000> g
ModLoad: 00007ff9`f1c80000 00007ff9`f1caf000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ff9`c15d0000 00007ff9`c1629000   C:\Program Files\dotnet\host\fxr\8.0.6\hostfxr.dll
ModLoad: 00007ff9`be1c0000 00007ff9`be224000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\hostpolicy.dll
ModLoad: 00007ff9`7d990000 00007ff9`7de76000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\coreclr.dll
ModLoad: 00007ff9`f2170000 00007ff9`f229b000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ff9`f2360000 00007ff9`f26b3000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ff9`f2ce0000 00007ff9`f2dad000   C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ff9`f14c0000 00007ff9`f1542000   C:\WINDOWS\System32\bcryptPrimitives.dll
(3c64.5464): Unknown exception - code 04242420 (first chance)
ModLoad: 00007ff9`758e0000 00007ff9`7656d000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Private.CoreLib.dll
ModLoad: 00007ff9`86690000 00007ff9`86849000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\clrjit.dll
ModLoad: 00007ff9`eec50000 00007ff9`eec62000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
ModLoad: 0000022e`dcc00000 0000022e`dcc08000   C:\Study\DotNet\chapter_02\02TypeSample\bin\Debug\net8.0\02TypeSample.dll
ModLoad: 0000022e`dcc20000 0000022e`dcc2e000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Runtime.dll
ModLoad: 00007ff9`c02c0000 00007ff9`c02e8000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Console.dll
ModLoad: 00007ff9`cf080000 00007ff9`cf092000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Threading.dll
ModLoad: 0000022e`de5d0000 0000022e`de5d8000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Text.Encoding.Extensions.dll
ModLoad: 00007ff9`cf540000 00007ff9`cf555000   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.6\System.Runtime.InteropServices.dll
(3c64.c54): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00007ff9`f37d1090 cc              int     3

在 coreclr.dll 加载之后，使用 WinDbg 中的工具栏中的 Break 按钮，或者快捷键 Alt+Del, 或者 Ctrl + Brak 进行中断。

也可以在代码中使用 Console.ReadLine() 进行等待，或者使用 Debugger.Break() 语句进行中断。

中断之后，就可以使用 SOS 的扩展命令了，例如上面的 !threads

:007> !threads
ThreadCount:      2
UnstartedThread:  0
BackgroundThread: 1
PendingThread:    0
DeadThread:       0
Hosted Runtime:   no
                                                                                                            Lock  
 DBG   ID     OSID ThreadOBJ           State GC Mode     GC Alloc Context                  Domain           Count Apt Exception
   0    1     5464 0000022EDCC71C00    2a020 Preemptive  0000022EE1012940:0000022EE1014600 0000022edccb6fb0 -00001 MTA 
   6    2      974 0000022EDCC99A30    21220 Preemptive  0000000000000000:0000000000000000 0000022edccb6fb0 -00001 Ukn (Finalizer) 

可以切换到 0 托管线程，然后查看线程堆栈。

0:007> ~0s
ntdll!NtReadFile+0x14:
00007ff9`f37cd624 c3              ret
0:000> !clrstack
OS Thread Id: 0x5464 (0)
        Child SP               IP Call Site
0000007F83B7E310 00007ff9f37cd624 [InlinedCallFrame: 0000007f83b7e310] 
0000007F83B7E310 00007ff9c02c76eb [InlinedCallFrame: 0000007f83b7e310] 
0000007F83B7E2E0 00007ff9c02c76eb Interop+Kernel32.ReadFile(IntPtr, Byte*, Int32, Int32 ByRef, IntPtr) [/_/src/libraries/System.Console/src/Microsoft.Interop.LibraryImportGenerator/Microsoft.Interop.LibraryImportGenerator/LibraryImports.g.cs @ 412]
0000007F83B7E3D0 00007ff9c02cc9c0 System.ConsolePal+WindowsConsoleStream.ReadFileNative(IntPtr, System.Span`1, Boolean, Int32 ByRef, Boolean) [/_/src/libraries/System.Console/src/System/ConsolePal.Windows.cs @ 1150]
0000007F83B7E430 00007ff9c02cc8bb System.ConsolePal+WindowsConsoleStream.Read(System.Span`1) [/_/src/libraries/System.Console/src/System/ConsolePal.Windows.cs @ 1108]
0000007F83B7E470 00007ff9c02cfb84 System.IO.ConsoleStream.Read(Byte[], Int32, Int32) [/_/src/libraries/System.Console/src/System/IO/ConsoleStream.cs @ 34]
0000007F83B7E4E0 00007ff975ce8aa1 System.IO.StreamReader.ReadBuffer() [/_/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs @ 613]
0000007F83B7E530 00007ff975ce9184 System.IO.StreamReader.ReadLine() [/_/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs @ 802]
0000007F83B7E5E0 00007ff9c02d005d System.IO.SyncTextReader.ReadLine() [/_/src/libraries/System.Console/src/System/IO/SyncTextReader.cs @ 77]
0000007F83B7E630 00007ff9c02c9319 System.Console.ReadLine() [/_/src/libraries/System.Console/src/System/Console.cs @ 752]
0000007F83B7E660 00007ff91df7195c Advanced.NET.Debugging.Chapter2.TypeSample.Main(System.String[]) [C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 37]

如果需要查看 Main() 方法的内容，可以直接点击 Main() 方法前面的链接 [00007ff91df7195c](!U /d 00007ff91df7195c)，这相当与输入命令 !U /d 00007ff91df7195c，可以查看到源代码所对应的机器代码，和机器代码前面的地址。

0:000> !U /d 00007ff91df7195c
Normal JIT generated code
Advanced.NET.Debugging.Chapter2.TypeSample.Main(System.String[])
ilAddr is 0000022EDCC02154 pImport is 00000200ED1EBB50
Begin 00007FF91DF71930, size 49

C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 36:
00007ff9`1df71930 55              push    rbp
00007ff9`1df71931 4883ec30        sub     rsp,30h
00007ff9`1df71935 488d6c2430      lea     rbp,[rsp+30h]
00007ff9`1df7193a 33c0            xor     eax,eax
00007ff9`1df7193c 8945fc          mov     dword ptr [rbp-4],eax
00007ff9`1df7193f 488945f0        mov     qword ptr [rbp-10h],rax
00007ff9`1df71943 48894d10        mov     qword ptr [rbp+10h],rcx
00007ff9`1df71947 833ddac9080000  cmp     dword ptr [00007ff9`1dffe328],0
00007ff9`1df7194e 7405            je      02TypeSample!Advanced.NET.Debugging.Chapter2.TypeSample.Main+0x25 (00007ff9`1df71955)
00007ff9`1df71950 e86badc95f      call    coreclr!JIT_DbgIsJustMyCode (00007ff9`7dc0c6c0)
00007ff9`1df71955 90              nop

C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 37:
00007ff9`1df71956 ff151c2d0d00    call    qword ptr [00007ff9`1e044678]
>>> 00007ff9`1df7195c 488945f0        mov     qword ptr [rbp-10h],rax
00007ff9`1df71960 90              nop

C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 39:
00007ff9`1df71961 c745fc0a000000  mov     dword ptr [rbp-4],0Ah

C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 40:
00007ff9`1df71968 8b4dfc          mov     ecx,dword ptr [rbp-4]
00007ff9`1df7196b ff15df2d0d00    call    qword ptr [00007ff9`1e044750]
00007ff9`1df71971 90              nop

C:\Study\DotNet\chapter_02\02TypeSample\Program.cs @ 52:
00007ff9`1df71972 90              nop
00007ff9`1df71973 4883c430        add     rsp,30h
00007ff9`1df71977 5d              pop     rbp
00007ff9`1df71978 c3              ret

例如，可以看到源代码第 39 行对应的地址为 00007ff91df71961，在这里下一个断点的方式就是使用 bp` 指令。

0:000> bp 00007ff9`1df71961

继续使用 g 执行程序，可以看到 WinDbg 在执行到源代码的第 39 行停了下来。

0:000> bp 00007ff9`1df81961
0:000> g
(2cf8.2978): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00007ff9`1df811d0 0000            add     byte ptr [rax],al ds:00007ff9`1df811d0=00