简单分析minidump(2)

发表于 | 分类于 | 评论数: | 阅读次数:

有了前几节的准备工作,我们的程序已经可以自动捕获异常了,那么我们开始通过windbg来分析dump解决实际问题。先从简单入手,CString大小写转化导致的异常(提取码ffk6)。

步骤1

使用windbg打开minidump,设置好应用程序的pdb, 执行命令 “.ecxr” 、”kv” ,打印如下栈信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
0:121> .ecxr
eax=0e16eea8 ebx=00160768 ecx=00000000 edx=00000001 esi=0e16ef38 edi=0e16ef48
eip=7c80bef7 esp=0e16eea4 ebp=0e16eef8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
Unable to load image C:\WINDOWS\system32\kernel32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for kernel32.dll
*** ERROR: Module load completed but symbols could not be loaded for kernel32.dll
kernel32+0xbef7:
7c80bef7 ??              ???
*** ERROR: Module load completed but symbols could not be loaded for mfc120.dll
0:121> kv
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0e16eea0 1028bc8c e06d7363 00000001 00000000 kernel32+0xbef7
*** WARNING: Unable to verify timestamp for msvcr120.dll
*** ERROR: Module load completed but symbols could not be loaded for msvcr120.dll
0e16eef8 005a9339 e06d7363 00000001 00000003 mfc120+0x28bc8c
0e16ef38 101eee11 0e16ef48 1028bc8c 1029b540 msvcr120+0x19339
0e16ef4c 100566d4 00160760 0b139848 004a67d2 mfc120+0x1eee11
*** WARNING: Unable to verify timestamp for BlockSvr.exe
0e16ef8c 004dc703 0b224248 ec476e15 00000002 mfc120+0x566d4
0e16fea0 004c2bcf 0b139e10 0b167c20 001dfe60 BlockSvr!CSockServer::OnLogonUserV2+0x723 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\program files (x86)\jenkins\workspace\publish_gamechannel\blocksvr\user.cpp @ 11713]
0e16ff2c 005041e4 0b139e10 0b167c20 00160768 BlockSvr!CSockServer::OnRequest+0x90f (FPO: [Non-Fpo]) (CONV: thiscall) [d:\program files (x86)\jenkins\workspace\publish_gamechannel\blocksvr\socksvr.cpp @ 424]
0e16ff54 0050c04b 00000000 0b088970 0b2ec408 BlockSvr!CIocpWorker::DoWorkLoop+0xa4
0e16ff6c 0050c01b 0e16ffac 005bc01d 00160760 BlockSvr!CBaseWorker::WorkerThreadProc+0x2b
0e16ff74 005bc01d 00160760 9835355e 00000000 BlockSvr!CBaseWorker::WorkerThreadFunc+0xb
0e16ffac 005bc001 00000000 0e16ffec 7c82482f msvcr120+0x2c01d
0e16ffb8 7c82482f 0b2ec408 00000000 00000000 msvcr120+0x2c001
0e16ffec 00000000 005bbfb4 0b2ec408 00000000 kernel32+0x2482f

步骤2

显示了应用程序的代码行号,但我们希望看到更仔细点,就需要加载windows的系统符号文件

1
e:\mylocalsymbols;SRV*e:\mylocalsymbols*http://msdl.microsoft.com/download/symbols

步骤3

设置后,重新“kv” 查看堆栈信息,显示如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
0:121> kv
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
0e16eef8 005a9339 e06d7363 00000001 00000003 kernel32!RaiseException+0x53 (FPO: [Non-Fpo])
0e16ef38 101eee11 0e16ef48 1028bc8c 1029b540 msvcr120!_CxxThrowException+0x5b (FPO: [Non-Fpo]) (CONV: stdcall) [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152]
0e16ef4c 100566d4 00160760 0b139848 004a67d2 mfc120!AfxThrowInvalidArgException+0x19 (FPO: [Non-Fpo]) (CONV: stdcall) [f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\except.cpp @ 228]
*** WARNING: Unable to verify timestamp for BlockSvr.exe
0e16ef58 004a67d2 ec477f39 00000000 49bf1ce1 mfc120!ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char> > >::MakeLower+0x23 (FPO: [0,0,0]) (CONV: thiscall) [f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h @ 1796]
0e16ef8c 004dc703 0b224248 ec476e15 00000002 BlockSvr!IsTempLogonToken+0x52 (FPO: [Non-Fpo]) (CONV: cdecl) [d:\program files (x86)\jenkins\workspace\publish_gamechannel\blocksvr\main.cpp @ 2277]
0e16fea0 004c2bcf 0b139e10 0b167c20 001dfe60 BlockSvr!CSockServer::OnLogonUserV2+0x723 (FPO: [Non-Fpo]) (CONV: thiscall) [d:\program files (x86)\jenkins\workspace\publish_gamechannel\blocksvr\user.cpp @ 11713]
0e16ff2c 005041e4 0b139e10 0b167c20 00160768 BlockSvr!CSockServer::OnRequest+0x90f (FPO: [Non-Fpo]) (CONV: thiscall) [d:\program files (x86)\jenkins\workspace\publish_gamechannel\blocksvr\socksvr.cpp @ 424]
0e16ff54 0050c04b 00000000 0b088970 0b2ec408 BlockSvr!CIocpWorker::DoWorkLoop+0xa4
0e16ff6c 0050c01b 0e16ffac 005bc01d 00160760 BlockSvr!CBaseWorker::WorkerThreadProc+0x2b
0e16ff74 005bc01d 00160760 9835355e 00000000 BlockSvr!CBaseWorker::WorkerThreadFunc+0xb
0e16ffac 005bc001 00000000 0e16ffec 7c82482f msvcr120!_callthreadstartex+0x1b (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376]
0e16ffb8 7c82482f 0b2ec408 00000000 00000000 msvcr120!_threadstartex+0x7c (FPO: [Non-Fpo]) (CONV: stdcall) [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354]
0e16ffec 00000000 005bbfb4 0b2ec408 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])

结论

可以看到是由于CString 触发了_CxxThrowException。 服务从VC6版本切换到VS2013,CString 的MakeLower 函数检查变的更加严格,部分特殊用户名在VC6中正确转化,但是在vs2013中会抛出异常,将大小写转化函数替换为CharLower ,问题解决