How do I find the root cause of an application crash in WinDbg?
I have an application which crashes upon a specific action taken by the user. For instance, when I click on a specific button in the application, it crashes.
So, I attached WinDbg to this application and then performed the same operation which would trigger the crash.
When the crash happened, debugger shows the following output:
0:001> g
ModLoad: 04530000 04565000 C:\Windows\SysWOW64\ws2_32.DLL
ModLoad: 72430000 7246c000 C:\Windows\SysWOW64\mswsock.dll
ModLoad: 723e0000 723e5000 C:\Windows\SysWOW64\wshtcpip.dll
(10b0.1e9c): C++ EH exception - code e06d7363 (first chance)
(10b0.1c94): C++ EH exception - code e06d7363 (first chance)
(10b0.1c94): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=00000000 ebx=040ee7e0 ecx=00000003 edx=00000000 esi=005c7630 edi=00400000
eip=770715de esp=040ee7cc ebp=040eece4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwRaiseException+0x12:
770715de 83c404 add esp,4
I want to analyze the above output to find out the root cause of this exception. Maybe, I could report it to the developer of this application then? But for my understanding I would like to grasp this output.
I can see that the exe loads the 3 DLLs, ws2_32.dll, mswsock.dll and wshtcpip.dll, when I click on that button, probably because it uses functions exported from these loaded modules.
There are 2 first chance exceptions with the exception code: e06d7363 which is the exception code according to Visual C++ Compiler.
I am not sure why the second chance exception comes and what's exactly going on there?
Below is the view of call stack at this point in the debugger,
0:001> k
ChildEBP RetAddr
03a4e7cc 7706014d ntdll!ZwRaiseException+0x12
03a4e7cc 00000000 ntdll!KiUserExceptionDispatcher+0x29
I pressed g again in the debugger to allow the application to handle the exception and this is the output in debugger,
0:001> g
WARNING: Continuing a non-continuable exception
(114c.390): Unknown exception - code 00000000 (first chance)
(114c.390): Unknown exception - code 00000000 (!!! second chance !!!)
eax=00000000 ebx=03a4e318 ecx=83ee0000 edx=026ce8b8 esi=007073e0 edi=00400000
eip=770715de esp=03a4e304 ebp=03a4ece4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwRaiseException+0x12:
770715de 83c404 add esp,4
So, looks like an unhandled exception by the application?
Here are the details. I have used the kv command to show the parameters on the stack. Hope this information helps you to troubleshoot.
0:001> g
ModLoad: 040a0000 040d5000 C:\Windows\SysWOW64\ws2_32.DLL
ModLoad: 72430000 7246c000 C:\Windows\SysWOW64\mswsock.dll
ModLoad: 723e0000 723e5000 C:\Windows\SysWOW64\wshtcpip.dll
(193c.1810): C++ EH exception - code e06d7363 (first chance)
(193c.1810): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=00000000 ebx=02c1e7e0 ecx=00000003 edx=00000000 esi=007073e0 edi=00400000
eip=770715de esp=02c1e7cc ebp=02c1ece4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwRaiseException+0x12:
770715de 83c404 add esp,4
0:001> kv
ChildEBP RetAddr Args to Child
02c1e7cc 7706014d 02c1e7e0 02c1e830 00000000 ntdll!ZwRaiseException+0x12 (FPO: [3,0,0])
02c1e7cc 00000000 02c1e7e0 02c1e830 00000000 ntdll!KiUserExceptionDispatcher+0x29 (FPO: [2,0,0]) (CONTEXT @ 0000000c)
0:001> g
WARNING: Continuing a non-continuable exception
(193c.1810): Unknown exception - code 00000000 (first chance)
(193c.1810): Unknown exception - code 00000000 (!!! second chance !!!)
eax=00000000 ebx=02c1e318 ecx=e04b0000 edx=0096e8b8 esi=007073e0 edi=00400000
eip=770715de esp=02c1e304 ebp=02c1ece4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwRaiseException+0x12:
770715de 83c404 add esp,4
Comments (1)
A couple of comments
Look at the stack trace. However, the stack trace is incomplete and should have been created with the kv command to show the parameters on the stack.
To analyze this we need the kv output when the exception is raised and then dump the exception record. Please provide the information and then I can show how to dump the exception record.
Based on the posted results run: ".exr 02c1e830"
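As an added example (not part of the original question or answer), the Python below reads the debugger event lines and the kv frame posted in the question, separates exceptions that a handler caught from those that reached second chance, and names the stack arguments of ZwRaiseException. The function names `triage` and `raise_args` are illustrative, and the argument order (ExceptionRecord, ContextRecord, FirstChance) is an assumption based on the widely published prototype of this otherwise undocumented native call.

```python
import re

MSVC_CPP_EH = 0xE06D7363  # 0xE0 followed by ASCII "msc": raised by an MSVC C++ throw

EVENT = re.compile(r"\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): .+? - "
                   r"code (?P<code>[0-9a-f]{8}) \((?P<chance>[^)]*)\)")
FRAME = re.compile(r"(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) (?P<a0>[0-9a-f]{8}) "
                   r"(?P<a1>[0-9a-f]{8}) (?P<a2>[0-9a-f]{8}) (?P<sym>\S+)")

# Event lines and kv frame copied from the question's transcripts.
EVENTS = """\
(10b0.1e9c): C++ EH exception - code e06d7363 (first chance)
(10b0.1c94): C++ EH exception - code e06d7363 (first chance)
(10b0.1c94): C++ EH exception - code e06d7363 (!!! second chance !!!)
"""
KV = "02c1e7cc 7706014d 02c1e7e0 02c1e830 00000000 ntdll!ZwRaiseException+0x12 (FPO: [3,0,0])"

def triage(log):
    """Return (handled, unhandled) lists of ((pid, tid), code).

    First chance: the debugger sees the exception before any handler runs.
    Second chance: no handler in the process took it, so it is unhandled.
    """
    pending, handled, unhandled = {}, [], []
    for m in EVENT.finditer(log):
        key, code = (m["pid"], m["tid"]), int(m["code"], 16)
        if "second chance" in m["chance"]:
            pending.pop(key, None)
            unhandled.append((key, code))
        else:
            if key in pending:  # an earlier throw on this thread was caught
                handled.append((key, pending[key]))
            pending[key] = code
    handled.extend(pending.items())  # no second chance followed these
    return handled, unhandled

def raise_args(kv_line):
    """Name the three stack args of ZwRaiseException (assumed prototype:
    ExceptionRecord, ContextRecord, FirstChance)."""
    m = FRAME.match(kv_line.strip())
    if not m or not m["sym"].startswith("ntdll!ZwRaiseException"):
        return None
    return {"exception_record": int(m["a0"], 16),
            "context_record": int(m["a1"], 16),
            "first_chance": int(m["a2"], 16) != 0}

if __name__ == "__main__":
    print(triage(EVENTS))
    print({k: v if isinstance(v, bool) else hex(v) for k, v in raise_args(KV).items()})
```

In WinDbg, `.exr` takes the address of an exception record and `.cxr` takes the address of a context record, so this mapping shows which stack value belongs to which command.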