llvm-pdbutil - PDB File forensics and diagnostics¶
llvm-pdbutil [subcommand] [options]
Display types, symbols, CodeView records, and other information from a PDB file, as well as manipulate and create PDB files. llvm-pdbutil is normally used by FileCheck-based tests to test LLVM’s PDB reading and writing functionality, but can also be used for general PDB file investigation and forensics, or as a replacement for cvdump.
llvm-pdbutil is separated into several subcommands each tailored to a different purpose. A brief summary of each command follows, with more detail in the sections that follow.
pretty - Dump symbol and type information in a format that tries to look as much like the original source code as possible.
dump - Dump low level types and structures from the PDB file, including CodeView records, hash tables, PDB streams, etc.
bytes - Dump data from the PDB file’s streams, records, types, symbols, etc as raw bytes.
yaml2pdb - Given a yaml description of a PDB file, produce a valid PDB file that matches that description.
pdb2yaml - For a given PDB file, produce a YAML description of some or all of the file in a way that the PDB can be reconstructed.
merge - Given two PDBs, produce a third PDB that is the result of merging the two input PDBs.
The pretty subcommand is built on the Windows DIA SDK, and as such is not supported on non-Windows platforms.
USAGE: llvm-pdbutil pretty [options] <input PDB file>
The pretty subcommand displays a very high level representation of your program’s debug info. Since it is built on the Windows DIA SDK which is the standard API that Windows tools and debuggers query debug information, it presents a more authoritative view of how a debugger is going to interpret your debug information than a mode which displays low-level CodeView records.
exclude filters take priority over include filters. So if a filter matches both an include and an exclude rule, then it is excluded.
When dumping compilands, compiland source-file contributions, or per-compiland symbols, this option instructs llvm-pdbutil to omit any compilands that match the specified regular expression.
When dumping global, public, or per-compiland symbols, this option instructs llvm-pdbutil to omit any symbols that match the specified regular expression.
When dumping types, this option instructs llvm-pdbutil to omit any types that match the specified regular expression.
When dumping compilands, compiland source-file contributions, or per-compiland symbols, limit the initial search to only those compilands that match the specified regular expression.
When dumping global, public, or per-compiland symbols, limit the initial search to only those symbols that match the specified regular expression.
When dumping types, limit the initial search to only those types that match the specified regular expression.
Only display types that have at least the specified amount of alignment padding, accounting for padding in base classes and aggregate field members.
Only display types that have at least the specified amount of alignment padding, ignoring padding in base classes and aggregate field members.
Only display types T where sizeof(T) is greater than or equal to the specified amount.
Don’t show compiler generated types and symbols
When dumping an enum, don’t show the full enum (e.g. the individual enumerator values).
Don’t show symbols from system libraries
Implies all other options in this category.
Displays class definitions in the specified format.
=all - Display all class members including data, constants, typedefs, functions, etc (default) =layout - Only display members that contribute to class size. =none - Don't display class definitions (e.g. only display the name and base list)
Displays classes in the specified order.
=none - Undefined / no particular sort order (default) =name - Sort classes by name =size - Sort classes by size =padding - Sort classes by amount of padding =padding-pct - Sort classes by percentage of space consumed by padding =padding-imm - Sort classes by amount of immediate padding =padding-pct-imm - Sort classes by percentage of space consumed by immediate padding
When dumping class definitions, stop after recursing the specified number of times. The default is 0, which is no limit.
Display compilands (e.g. object files)
Dump external (e.g. exported) symbols
Dump global symbols
Dump the mappings between source lines and code addresses.
Display symbols (variables, functions, etc) for each compiland
Type of symbols to dump when -globals, -externals, or -module-syms is specified. (default all)
=thunks - Display thunk symbols =data - Display data symbols =funcs - Display function symbols =all - Display all symbols (default)
For symbols dumped via the -module-syms, -globals, or -externals options, sort the results in specified order.
=none - Undefined / no particular sort order =name - Sort symbols by name =size - Sort symbols by size
Display typedef types
Display all types (implies -classes, -enums, -typedefs)
Force color output on or off. By default, color if used if outputting to a terminal.
When displaying relative virtual addresses, assume the process is loaded at the given address and display what would be the absolute address.
USAGE: llvm-pdbutil dump [options] <input PDB file>
The dump subcommand displays low level information about the structure of a PDB file. It is used heavily by LLVM’s testing infrastructure, but can also be used for PDB forensics. It serves a role similar to that of Microsoft’s cvdump tool.
The dump subcommand exposes internal details of the file format. As such, the reader should be familiar with The PDB File Format before using this command.
dump a summary of all of the streams in the PDB file.
In conjunction with
-streams, add information to the output about what blocks the specified stream occupies.
Dump MSF and PDB header information.
For all options that dump information from each module/compiland, limit to the specified module.
Dump the source files that contribute to each displayed module.
Dump inlinee line information (DEBUG_S_INLINEELINES CodeView subsection)
Dump line information (DEBUG_S_LINES CodeView subsection)
Dump compiland information
Dump cross module exports (DEBUG_S_CROSSSCOPEEXPORTS CodeView subsection)
Dump cross module imports (DEBUG_S_CROSSSCOPEIMPORTS CodeView subsection)
dump global symbol records
dump additional information about the globals, such as hash buckets and hash values.
dump public symbol records
dump additional information about the publics, such as hash buckets and hash values.
dump symbols (functions, variables, etc) for each module dumped.
Dump CodeView type records from TPI stream
Dump additional information from the TPI stream, such as hashes and the type index offsets array.
For each type record dumped, display the full bytes of the record in binary as well.
Only dump types with the specified type index.
Dump CodeView type records from IPI stream.
Dump additional information from the IPI stream, such as hashes and the type index offsets array.
For each ID record dumped, display the full bytes of the record in binary as well.
only dump ID records with the specified hexadecimal type index.
When used in conjunction with
-id-index, dumps the entire dependency graph for the specified index instead of just the single record with the specified index. For example, if type index 0x4000 is a function whose return type has index 0x3000, and you specify -dependents=0x4000, then this would dump both records (as well as any other dependents in the tree).
Implies most other options.
Dump section contributions.
Dump image section headers.
Dump section map.
Dump PDB string table.
USAGE: llvm-pdbutil bytes [options] <input PDB file>
Like the dump subcommand, the bytes subcommand displays low level information about the structure of a PDB file, but it is used for even deeper forensics. The bytes subcommand finds various structures in a PDB file based on the command line options specified, and dumps them in hex. Someone working on support for emitting PDBs would use this heavily, for example, to compare one PDB against another PDB to ensure byte-for-byte compatibility. It is not enough to simply compare the bytes of an entire file, or an entire stream because it’s perfectly fine for the same structure to exist at different locations in two different PDBs, and “finding” the structure is half the battle.
Dump binary data from specified range of MSF file blocks.
Dump binary data from specified range of bytes in the file.
Dump the MSF free page map.
Dump binary data from the specified streams. Format is SN[:Start][@Size]. For example, -stream-data=7:3@12 dumps 12 bytes from stream 7, starting at offset 3 in the stream.
Dump bytes of PDB Name Map
Dump the edit and continue map substream of the DBI stream.
Dump the file info substream of the DBI stream.
Dump the modi substream of the DBI stream.
Dump section contributions substream of the DBI stream.
Dump the section map from the DBI stream.
Dump the type server map from the DBI stream.
Limit all options in this category to the specified module index. By default, options in this category will dump bytes from all modules.
Dump the bytes of each module’s C13 debug subsection.
When specified with
-chunks, split the C13 debug subsection into a separate chunk for each subsection type, and dump them separately.
Dump the symbol record substream from each module.
Dump the record from the IPI stream with the given type index.
Dump the record from the TPI stream with the given type index.
USAGE: llvm-pdbutil pdb2yaml [options] <input PDB file>
USAGE: llvm-pdbutil yaml2pdb [options] <input YAML file>
Generate a PDB file from a YAML description. The YAML syntax is not described here. Instead, use llvm-pdbutil pdb2yaml and examine the output for an example starting point.
Write the resulting PDB to the specified file.
USAGE: llvm-pdbutil merge [options] <input PDB file 1> <input PDB file 2>
Merge two PDB files into a single file.
Write the resulting PDB to the specified file.