Disassembling files, running an app under debug mode.
What does not
Some dlls are reported as "unkown format" upon load event.
What was not tested
|Operating system||Test date||Wine version||Installs?||Runs?||Used|
|Show||Ubuntu 10.10 "Maverick" i386 (+ variants like Kubuntu)||May 20 2011||1.3.20||Yes||Yes||Gold||Anastasius Focht|
|Show||Fedora 12 x86_64||Jul 22 2010||1.2||Yes||Yes||Gold||Anastasius Focht|
|Current||Gentoo Linux x86_64||Dec 22 2008||1.1.11||Yes||Yes||Gold||an anonymous user|
|Show||Ubuntu 7.04 "Feisty" amd64 (+ variants like Kubuntu)||Feb 27 2008||0.9.56.||N/A||Yes||Gold||JeffZ|
|Show||Fedora 8||Jan 25 2008||0.9.54.||Yes||Yes||Gold||Anastasius Focht|
|Bug #||Description||Status||Resolution||Other apps affected|
|7560||ollydbg fails to debug multithreaded apps||CLOSED||INVALID||View|
|7635||OllyDbg 1.10 blanks on pause or attach||CLOSED||WONTFIX||View|
|10249||ollydbg complains about unexpected debug events from child processes after attaching to the debuggee||CLOSED||FIXED||View|
ÂWhen applications are firstÂ loaded in to debugger, you might get message boxes with following errors:
Unable to oÂpen or read executable file 'foo.dll'
ÂBad or unknown format 'foo.dll'
This is expected (and annoying) behaviour. The debugger tried to physically read the dll by looking into "system32" directory of the WINEPREFIX. Most Wine builtins don't have a fake placeholder by default hence the error.
Just dismiss the message boxes with 'OK'.
You can work around this problem by adding the dll in question to "[FakeDllsSection]" of "tools/wine.inf" (wine source tree) and then rerun 'wineboot --update' to have it installed in WINEPREFIX.
When the disassembly window goes blank (after pausing, single stepping into wine, etc.) you probably hit a code location which the debugger can't properly handle due to design of Wine/Linux.
The debugger hits ELF code in wine builtins outside of win32 API virtual mapping range which leads to empty code/disassembly window (debugger needs to read memory in order to disassemble it). Look at registers window while you step, you can see EIP still changing but no code is actually displayed. Just hit a few times run until return until the code reaches PE/win32 memory range again. Then the code/disassembly will reappear.
This is expected behaviour and by design.
Depending on situation, the debugger reads large memory chunks from target process (debuggee). The transfer of large memory chunks between wineserver and debugger process leads to performance loss.
Technically, wineserver uses Linux ptrace facility to read remote process memory. Only 32-bit integers can be read/written at a time which causes extreme overhead for large blocks.
This performance problem has been solved in Ollydbg v2 which optimized the needed memory reads (for disassembly, memory view) to much smaller chunks.
With commit 1a79912a10a6cded54d1f1de5f746bbffec3ffee (Wine post-1.2) the sÂituation somewhat improved. WIneserver now uses /proc/pid/mem to read process memory since it should be faster.