Example of working with a dump.

Let's say that you are looking at a crash dump, so following the first command from this page you do:

0:006> !analyze -v

Part of what the command prints is:

FAULTING_IP:?
YCWebCameraSource+14c7e
1c414c7e 8b01 ? ? ? ? ? ?mov ? ? eax,dword ptr [ecx]

EXCEPTION_RECORD: ?ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1c414c7e (YCWebCameraSource+0x00014c7e)
? ?ExceptionCode: c0000005 (Access violation)
? ExceptionFlags: 00000000
NumberParameters: 2
? ?Parameter[0]: 00000000
? ?Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: ?00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=0465c528 ecx=00000000 edx=00000500 esi=0465c498 edi=00000000
eip=77c2e1a4 esp=0465c370 ebp=0465c4f0 iopl=0 ? ? ? ? nv up ei pl nz ac po nc
cs=0023 ?ss=002b ?ds=002b ?es=002b ?fs=0053 ?gs=002b ? ? ? ? ? ? efl=00200212

PROCESS_NAME: ?chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: ?00000000
EXCEPTION_PARAMETER2: ?00000000
READ_ADDRESS: ?00000000?

FOLLOWUP_IP:?
YCWebCameraSource+14c7e
1c414c7e 8b01 ? ? ? ? ? ?mov ? ? eax,dword ptr [ecx]

BUGCHECK_STR: ?APPLICATION_FAULT_NULL_POINTER_READ_INVALID_POINTER_READ_BEFORE_CALL

STACK_TEXT: ?
0465cab8 00000000 0465cbc4 096052c0 1c414fe1 YCWebCameraSource+0x14c7e

which basically says that there is an attempt to read from NULL:

YCWebCameraSource+14c7e
1c414c7e 8b01 ? ? ? ? ? ?mov ? ? eax,dword ptr [ecx]

and ECX is 0.

The problematic part is the last one: the stack is a single line of text, inside a DLL that you know nothing about. Moving on to the next command,

0:006> .ecxr
eax=0bd00048 ebx=000000f0 ecx=00000000 edx=00000500 esi=0465cbc4 edi=00000140
eip=1c414c7e esp=0465cabc ebp=000000f0 iopl=0 ? ? ? ? nv up ei pl nz na po nc
cs=0023 ?ss=002b ?ds=002b ?es=002b ?fs=0053 ?gs=002b ? ? ? ? ? ? efl=00210202
YCWebCameraSource+0x14c7e:
1c414c7e 8b01 ? ? ? ? ? ?mov ? ? eax,dword ptr [ecx] ?ds:002b:00000000=????????

confirms what we already know as the debugger loads the context when the exception was received. The stack window shows only one line of text.

0:006> k
? *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr ?
WARNING: Stack unwind information not available. Following frames may be wrong.
0465cab8 00000000 YCWebCameraSource+0x14c7e

Looking at the registers show the reason: EBP is 0xF0, which is not a pointer to the stack. ESP looks fine, so let's see what's there using the next command from the list:

0:006> dds esp
0465cabc ?00000000
0465cac0 ?0465cbc4
0465cac4 ?096052c0
0465cac8 ?1c414fe1 YCWebCameraSource+0x14fe1
0465cacc ?0b7b0000
0465cad0 ?00000140
0465cad4 ?000000f0
0465cad8 ?00000500
0465cadc ?09710000
0465cae0 ?00000140
0465cae4 ?000000f0
0465cae8 ?000003c0
0465caec ?00000000
0465caf0 ?00000000
0465caf4 ?00000140
0465caf8 ?1c40c24e YCWebCameraSource+0xc24e
0465cafc ?0b7b0000
0465cb00 ?00000140
0465cb04 ?000000f0
0465cb08 ?00000000
0465cb0c ?00000500
0465cb10 ?09710000
0465cb14 ?00000140
0465cb18 ?000000f0
0465cb1c ?00000000
0465cb20 ?000003c0
0465cb24 ?0465e074
0465cb28 ?09158124
0465cb2c ?091561c8
0465cb30 ?00000000
0465cb34 ?09605848
0465cb38 ?0b8007c8

A few pointers to code close to the address that crashed, which is good because it means the control flow before the crash is reasonable. But clearly that code is not using EBP to maintain stack frames (more on that later). So see what else is on the stack:

0:006> dds
0465cb3c ?0b800960
0465cb40 ?000003c0
0465cb44 ?091561c8
0465cb48 ?00022009
0465cb4c ?80004005
0465cb50 ?1c4238f8 YCWebCameraSource+0x238f8
0465cb54 ?09605848
0465cb58 ?00000000
0465cb5c ?000000b2
0465cb60 ?096052c0
0465cb64 ?00000000
0465cb68 ?00000000
0465cb6c ?00000140
0465cb70 ?000000f0
0465cb74 ?00000140
0465cb78 ?000000f0
0465cb7c ?00000500
0465cb80 ?00022009
0465cb84 ?0b7b0000
0465cb88 ?00000001
0465cb8c ?1c4238f8 YCWebCameraSource+0x238f8
0465cb90 ?096046c8
0465cb94 ?00000000
0465cb98 ?0465cc28
0465cb9c ?00000140
0465cba0 ?000000f0
0465cba4 ?000003c0
0465cba8 ?00021808
0465cbac ?09710000
0465cbb0 ?00000002
0465cbb4 ?557cf400
0465cbb8 ?11d31a04

Note that issuing the command without an argument just continues where the last invocation left of. Furthermore, just hitting enter repeats the last command so after this point is a matter of keep hitting enter. Which is good because in this case interesting things happen after a long time:

0:006>?
0465f22c ?f15f2bff
0465f230 ?0465f27c
0465f234 ?772b9b03 msvcrt!free+0x65
0465f238 ?01700000
0465f23c ?00000000
0465f240 ?772b9b10 msvcrt!free+0x84
0465f244 ?f1a4c16f
0465f248 ?00000000
0465f24c ?0170b3f8
0465f250 ?00000000
0465f254 ?00000000
0465f258 ?0465f238
0465f25c ?ffffffff
0465f260 ?00000000
0465f264 ?0465f244
0465f268 ?82eaa80b
0465f26c ?0465f98c
0465f270 ?772dc265 msvcrt!_except_handler4
0465f274 ?82eaa80b
0465f278 ?fffffffe
0465f27c ?772b9b10 msvcrt!free+0x84
0465f280 ?732343a5 devenum!ATL::CComObject<CCreateSwEnum>::`scalar deleting destructor'+0x3d
0465f284 ?0170b3f8
0465f288 ?73234566 devenum!ATL::CComObject<CCreateSwEnum>::Release+0x23
0465f28c ?03290d90
0465f290 ?031f0b50
0465f294 ?0465f4bc
0465f298 ?6fb647db chrome_6faf0000!media::GetDeviceNamesDirectShow+0x3ab
0465f29c ?6fb647e5 chrome_6faf0000!media::GetDeviceNamesDirectShow+0x3b5
0465f2a0 ?0465f2b8
0465f2a4 ?6faf22b5 chrome_6faf0000!tcmalloc::FL_Push+0x71
0465f2a8 ?01192308

After a while of seeing symbols from various DLLs go through the stack we start to see symbols from Chrome. The last part looks relatively good. Note that at address?0465f298 ?there is a pointer to Chrome code, and more importantly, 4 bytes before there is a pointer to another place in the stack, some bytes after the current position:?0465f294 ?0465f4bc. This is the typical pattern of a call to a function that use EBP to track stack frames. Time to use the next command from the list:

0:006> k = 0465f294 ?0465f294 ?0465f294 ?
ChildEBP RetAddr ?
WARNING: Frame IP not in any known module. Following frames may be wrong.
0465f294 6fb647db 0x465f294
0465f4bc 07554180 chrome_6faf0000!media::GetDeviceNamesDirectShow+0x3ab
0465f4cc 6fb643d2 0x7554180
0465f4e8 6fb64386 chrome_6faf0000!media::VideoCaptureDeviceFactory::EnumerateDeviceNames+0x45
0465f4f4 6fb55ece chrome_6faf0000!base::internal::Invoker<>
0465f5d4 6fb5552d chrome_6faf0000!base::MessageLoop::RunTask+0x50a
0465f718 6fb62bad chrome_6faf0000!base::MessageLoop::DoWork+0x359
0465f744 6fb5503a chrome_6faf0000!base::MessagePumpDefault::Run+0xc7
0465f768 6fb54f2d chrome_6faf0000!base::MessageLoop::RunHandler+0x6e
0465f794 6fb54ec4 chrome_6faf0000!base::MessageLoop::Run+0x65
0465f79c 6fb5291e chrome_6faf0000!base::Thread::Run+0xb
0465f928 6fb52509 chrome_6faf0000!base::Thread::ThreadMain+0x26e
0465f94c 778a850d chrome_6faf0000!base::`anonymous namespace'::ThreadFunc+0xcb
0465f958 77c5bf39 kernel32!BaseThreadInitThunk+0xe
0465f99c 77c5bf0c ntdll!__RtlUserThreadStart+0x72
0465f9b4 00000000 ntdll!_RtlUserThreadStart+0x1b

Strictly speaking the format that I just used is not correct, but the debugger does a decent job figuring out what I want just complaining about the first frame. The good part is that now we have a stack that looks reasonable. Time to go up and try to get something better.

The pattern that we just saw, a pointer a few bytes ahead followed by a symbol should repeat itself... as in the pointer should point to another pointer followed by a symbol. Se if we search up on the debugger output for?0465f294 we should get to the previous frame. If there is no match, it means that either we reached a function call that doesn't use EBP, or we are following stale data from the stack (traces of something that happened before, and has not been overwritten yet, but it is not the current call sequence).

And that's exactly what happens in this case. But going up and following stack manually a few times provides a better stack. Remember that the goal is not to get a perfect stack trace but to get enough information to do something about it. We already know that get the actual stack will be impossible because close to the crash point there's no EBP and no symbols. But the type of symbols that you see going through while executing dds gives you a rough idea of how the flow ends up at the code that crashes.

0:006> k = 0465e0ac ?0465e0ac ?0465e0ac ?
ChildEBP RetAddr ?
WARNING: Frame IP not in any known module. Following frames may be wrong.
0465e0ac 76ec7543 0x465e0ac
0465e11c 76ec4fdf combase!CServerContextActivator::CreateInstance+0x18b
0465e15c 76ec7610 combase!ActivationPropertiesIn::DelegateCreateInstance+0x5c
0465e1b0 76ec7334 combase!CApartmentActivator::CreateInstance+0x75
0465e1d4 76ec6d52 combase!CProcessActivator::CCICallback+0x3b
0465e1f4 76ec72cf combase!CProcessActivator::AttemptActivation+0x2c
0465e22c 76ec73a9 combase!CProcessActivator::ActivateByContext+0x97
0465e25c 76ec4fdf combase!CProcessActivator::CreateInstance+0x5d
0465e29c 76ec50d7 combase!ActivationPropertiesIn::DelegateCreateInstance+0x5c
0465e4fc 76ec4fdf combase!CClientContextActivator::CreateInstance+0xdd
0465e53c 76ec5ba6 combase!ActivationPropertiesIn::DelegateCreateInstance+0x5c
0465ede8 76ebc9c2 combase!ICoCreateInstanceEx+0xfb6
(Inline) -------- combase!CComActivator::DoCreateInstance+0x11a
(Inline) -------- combase!CoCreateInstanceEx+0x14e
0465ee3c 732352c3 combase!CoCreateInstance+0x169
0465eef0 70cedfbd devenum!CDeviceMoniker::BindToObject+0x1ac
0465f0e0 70ce59df chrome_6faf0000!media::VideoCaptureDeviceWin::GetDeviceFilter+0x234
0465f3ac 70ce56a2 chrome_6faf0000!media::GetDeviceSupportedFormatsDirectShow+0x335
0465f3c0 6fb64995 chrome_6faf0000!media::VideoCaptureDeviceFactoryWin::GetDeviceSupportedFormats+0x20
0465f44c 6fb648c1 chrome_6faf0000!content::VideoCaptureManager::ConsolidateDevicesInfoOnDeviceThread+0xc1
0465f46c 6fb64883 chrome_6faf0000!base::internal::RunnableAdapter<>::Run+0x2e
0465f488 6fb64848 chrome_6faf0000!base::internal::InvokeHelper<>::MakeItSo+0x25
0465f4b8 6fb64800 chrome_6faf0000!base::internal::Invoker<<media::VideoCaptureDevice::N+0x33
0465f4cc 6fb643d2 chrome_6faf0000!base::Callback<>::Run+0x17
0465f4e8 6fb64386 chrome_6faf0000!media::VideoCaptureDeviceFactory::EnumerateDeviceNames+0x45
0465f4f4 6fb55ece chrome_6faf0000!base::internal::Invoker<2,base::internal::BindState<>::Run+0x10
0465f5d4 6fb5552d chrome_6faf0000!base::MessageLoop::RunTask+0x50a
0465f718 6fb62bad chrome_6faf0000!base::MessageLoop::DoWork+0x359
0465f744 6fb5503a chrome_6faf0000!base::MessagePumpDefault::Run+0xc7
0465f768 6fb54f2d chrome_6faf0000!base::MessageLoop::RunHandler+0x6e
0465f794 6fb54ec4 chrome_6faf0000!base::MessageLoop::Run+0x65
0465f79c 6fb5291e chrome_6faf0000!base::Thread::Run+0xb
0465f928 6fb52509 chrome_6faf0000!base::Thread::ThreadMain+0x26e
0465f94c 778a850d chrome_6faf0000!base::`anonymous namespace'::ThreadFunc+0xcb
0465f958 77c5bf39 kernel32!BaseThreadInitThunk+0xe
0465f99c 77c5bf0c ntdll!__RtlUserThreadStart+0x72
0465f9b4 00000000 ntdll!_RtlUserThreadStart+0x1b

Note how this stack is slightly different right where the previous stack started, but it flows nicely into a sequence of com calls. There's usually no point in going too deep into code we don't control, so that is all we need in this case.
評論