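I'm debugging a crash in a client's .NET 2.0 WinCE (6.0) application. I've pulled the .kdmp off the device and opened it in WinDbg, but to be honest I don't really know what I'm looking for. I can see that it's an access violation that takes the application down, but that's about all I can tell. Any tips on using WinDbg for the .NET Compact Framework are appreciated. I have no experience with the tool.
Here is the output of !analyze -v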
*******************************************************************************
* *
* Win CE Exception Analysis *
* *
*******************************************************************************
Debugging Details:
------------------
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\guids.ini, error 2
SYMSRV: C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
SYMSRV: C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ole32.dll/4D7757B97a000/ole32.dll not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ole32.dll/4D7757B97a000/ole32.dll not found
SYMSRV: C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: ole32.dll not found in c:\documents and settings\thomas carvin\desktop\scanner\bin\debug
DBGHELP: ole32.dll not found in c:\documents and settings\thomas carvin\desktop\scanner\bin\debug
DBGENG: ole32.dll - Image mapping disallowed by non-local path.
Unable to load image ole32.dll, Win32 error 0n2
DBGENG: ole32.dll - Partial symbol image load missing image info
DBGHELP: No header for ole32.dll. Searching for dbg file
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\ole32.dbg - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\dll\ole32.dbg - path not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\symbols\dll\ole32.dbg - path not found
DBGHELP: .\ole32.dbg - file not found
DBGHELP: .\dll\ole32.dbg - path not found
DBGHELP: .\symbols\dll\ole32.dbg - path not found
DBGHELP: ole32.dll missing debug info. Searching for pdb anyway
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\ole32.pdb - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\dll\ole32.pdb - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\symbols\dll\ole32.pdb - file not found
DBGHELP: ole32.pdb - file not found
*** WARNING: Unable to verify timestamp for ole32.dll
*** ERROR: Module load completed but symbols could not be loaded for ole32.dll
DBGHELP: ole32 - no symbols loaded
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\modclass.ini, error 2
FAULTING_IP:
+0
80428ca8 e5913010 ldr r3,[r1,#0x10]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 80428ca8
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000010
Attempt to read from address 00000010
FAULTING_THREAD: 0cf2001a
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000010
READ_ADDRESS: 00000010
FOLLOWUP_IP:
+0
80428ca8 e5913010 ldr r3,[r1,#0x10]
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>OEM</CELG_NAME>
<CELG_VALUE>MOTOROLA MC3100R</CELG_VALUE>
</ANALYSIS>
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>Build</CELG_NAME>
<CELG_VALUE>0</CELG_VALUE>
</ANALYSIS>
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>RAM</CELG_NAME>
<CELG_VALUE>135143424</CELG_VALUE>
</ANALYSIS>
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>FreeRAM</CELG_NAME>
<CELG_VALUE>107048960</CELG_VALUE>
</ANALYSIS>
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>Store</CELG_NAME>
<CELG_VALUE>83693568</CELG_VALUE>
</ANALYSIS>
CE_DEVLOG: <ANALYSIS>
<CELG_NAME>FreeStore</CELG_NAME>
<CELG_VALUE>54960128</CELG_VALUE>
</ANALYSIS>
APP: scanner.exe
IP_ON_HEAP: 8042c0e0
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 8042c0e0 to 80428ca8
DEFAULT_BUCKET_ID: STACKIMMUNE
PRIMARY_PROBLEM_CLASS: STACKIMMUNE
BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_NULL_CLASS_PTR_READ_ZEROED_STACK
FRAME_ONE_INVALID: 1
STACK_TEXT:
00000000 00000000 scanner.exe!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: scanner.exe!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: scanner
IMAGE_NAME: scanner.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: STACKIMMUNE_c0000005_scanner.exe!Unloaded
BUCKET_ID: ARM_APPLICATION_FAULT_STACKIMMUNE_NULL_CLASS_PTR_READ_ZEROED_STACK_scanner.exe!Unknown
Followup: MachineOwner
Here are the unassembled instructions and the loaded modules
1:000:armce> u 80428ca8
80428ca8 e5913010 ldr r3,[r1,#0x10]
80428cac e3530001 cmp r3,#1
80428cb0 0a000005 beq 80428ccc
80428cb4 e3530002 cmp r3,#2
80428cb8 1a00000c bne 80428cf0
80428cbc e1a03004 mov r3,r4
80428cc0 e2802010 add r2,r0,#0x10
80428cc4 eb000830 bl 8042ad8c
1:000:armce> lm
start end module name
00010000 00074000 scanner (deferred)
40010000 400a6000 coredll (deferred)
400b0000 400c2000 fpcrt (deferred)
40120000 4012d000 zlib (deferred)
40140000 401a5000 commctrl (deferred)
40290000 402a0000 iphlpapi (deferred)
402b0000 402bd000 ws2 (deferred)
402c0000 402c6000 wspm (deferred)
402d0000 402d6000 nspm (deferred)
402f0000 402fb000 ssllsp (deferred)
40380000 403ba000 netui (deferred)
40400000 40405000 lpcrt (deferred)
404b0000 404b7000 secur32 (deferred)
405f0000 4066a000 ole32 (deferred)
40670000 406a5000 oleaut32 (deferred)
406d0000 40722000 rpcrt4 (deferred)
40730000 4078b000 imaging (deferred)
419b0000 419c2000 mscoree (deferred)
41e30000 41e5b000 rsaenh (deferred)
41f30000 41f37000 rcm2api32 (deferred)
41f40000 41f53000 edbgtl (deferred)
41f70000 41f7f000 tcpconnectiona (deferred)
41f80000 41fbd000 netcfagl2_0 (deferred)
41fc0000 41fd0000 sqlceme30 (deferred)
42010000 420db000 mscoree2_0 (deferred)
42160000 42184000 sqlceer30en (deferred)
80400000 80420000 NK (deferred)
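Info from the CE Watson Dump Viewer
At this point I'm mostly looking for direction. If someone can say whether this problem is due to the application, due to a dependent library, or due to the device/OS, that would be a great starting point.
Answer 0 (score: 4)
Cool! I love seeing crash dumps from architectures other than x86/x64 :)
I don't have any experience debugging CE ARM, but I can decipher a few things from this:
GetContextState failed, 0x80070570
In general these errors are bad and mean that the dump file is corrupt in some way.
Here's your faulting instruction: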
ldr r3,[r1,#0x10]
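And, according to your exception record, the crash occurred because you tried to reference address 0x10:
Attempt to read from address 00000010
So r1 must have been zero in the previous instruction. Typically, when you see this pattern it's a dereference of a NULL pointer to a data structure, so 0x10 is the offset of the data structure field you were trying to access.
Unfortunately, the stack is garbage from there on (there are some indications that it has been zeroed somehow), so it's going to be hard to get more detail from there. Do the following commands show any information?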
u 80428ca8
lm
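The inference in this answer can be checked mechanically from the instruction word in the dump (`e5913010`) and the faulting address. The following is an added example, not part of the original answer; the function names are hypothetical, and it handles only the immediate-offset LDR/STR encoding:

```python
# Added example: decode an A32 LDR/STR (immediate offset) and work out what the
# base register must have held when the access faulted.

def decode_ldr_str_imm(word):
    """Decode an ARM single data transfer with a 12-bit immediate offset."""
    if (word >> 28) == 0xF or (word >> 25) & 0b111 != 0b010:
        raise ValueError("not an immediate-offset LDR/STR: %08x" % word)
    return {
        "load": bool((word >> 20) & 1),         # L bit: 1 = LDR, 0 = STR
        "byte": bool((word >> 22) & 1),         # B bit: byte or word access
        "pre_indexed": bool((word >> 24) & 1),  # P bit: offset applied before access
        "add": bool((word >> 23) & 1),          # U bit: offset added or subtracted
        "rn": (word >> 16) & 0xF,               # base register
        "rd": (word >> 12) & 0xF,               # destination/source register
        "offset": word & 0xFFF,
    }

def base_from_fault(word, fault_addr):
    """Return (base register number, value it held) for a faulting access.

    Not meaningful when the base register is r15, which reads as pc + 8.
    """
    d = decode_ldr_str_imm(word)
    # Post-indexed forms access [Rn] itself; the offset is applied afterwards.
    off = d["offset"] if d["pre_indexed"] else 0
    signed = off if d["add"] else -off
    return d["rn"], (fault_addr - signed) & 0xFFFFFFFF

def explain_fault(word, fault_addr):
    d = decode_ldr_str_imm(word)
    rn, base = base_from_fault(word, fault_addr)
    mnemonic = ("ldr" if d["load"] else "str") + ("b" if d["byte"] else "")
    sign = "" if d["add"] else "-"
    verdict = "NULL base pointer" if base == 0 else "non-NULL base"
    return "%s r%d,[r%d,#%s0x%x]: r%d = 0x%08x (%s)" % (
        mnemonic, d["rd"], rn, sign, d["offset"], rn, base, verdict)

if __name__ == "__main__":
    # Values taken from the dump: FAULTING_IP word and READ_ADDRESS.
    print(explain_fault(0xE5913010, 0x00000010))
```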
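Answer 1 (score: 1)
Landing in the middle of the kernel is the worst, because it can be very difficult to work out where you are and how you got there. Unfortunately, it's hard to get hold of debugging symbols, because they are unique to each platform - you have to get them from Motorola, not from Microsoft.
The convention on ARM processors is to store the return address of the current leaf function in the link register, lr. Each function's prologue is responsible for storing the value of that register somewhere it won't be clobbered by any function it calls. To be able to unwind the stack if a hardware exception occurs, Windows CE requires the prolog to take particular forms. The virtual unwinding algorithm is described in ARM Prolog and Epilog ('virtual' because Windows exception handling only actually unwinds the stack once it has found the actual handler for the exception, but it can only find that handler by walking the stack). You can follow that algorithm to walk back up the stack yourself.
The examples at that link are actually very atypical - the code saves only r0-r3 on the stack and then saves any persistent registers, which is for C/C++ varargs functions. This is so that they are adjacent to any other arguments. The Windows CE ARM calling convention passes the first four arguments to a function in registers r0-r3, then passes the fifth and subsequent arguments on the stack. A function that uses va_args therefore has to push the first four onto the stack next to them, so that it can treat all the arguments alike.
Typically, an ARM function will start with an stmdb (STore Multiple, Decrement Before) instruction, which stores all the volatile registers that the function overwrites. That instruction isn't used very often in ordinary code, so an stmdb is almost always the first instruction of a function. From that instruction and the stack you can therefore work out what the value of lr was, and hence where it returns to. You can then repeat this for each function until you reach somewhere you know. Hopefully this will be in the import section of a DLL, but it could well be in mscoree2_0.dll or netcfagl2_0.dll. You may need to search a disassembly of the Compact Framework assemblies to find the managed code that calls that native entry point.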
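The manual step described in this answer, finding the stmdb at the start of the function and reading the saved lr back from the stack, looks like this for a single frame. This is an added example, not the answerer's code and not the full Windows CE virtual unwind algorithm: it handles only an `stmdb sp!, {...}` prologue optionally followed by `sub sp, sp, #imm`, the function names are hypothetical, and the code words, stack contents and addresses are constructed sample data:

```python
# Added example: recover one frame's return address from its prologue.

def is_stmdb_sp(word):
    # Bits 27..16 of "stmdb sp!, {...}": 100, P=1, U=0, S=0, W=1, L=0, Rn=13
    return (word & 0x0FFF0000) == 0x092D0000

def sub_sp_imm(word):
    """Return N for 'sub sp, sp, #N', or None for any other instruction."""
    if (word & 0x0FFFF000) != 0x024DD000:
        return None
    rot, imm8 = ((word >> 8) & 0xF) * 2, word & 0xFF
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF

def unwind_one_frame(code, pc, sp, stack):
    """code and stack map address -> 32-bit word.

    Returns (return_address, caller_sp), or None when the return address
    is still in lr or no prologue can be found.
    """
    addr = pc
    while addr in code and not is_stmdb_sp(code[addr]):
        addr -= 4                        # scan back towards the function start
    if addr not in code or addr == pc:
        return None                      # no prologue found, or push not executed yet
    reglist = code[addr] & 0xFFFF
    if not reglist & (1 << 14):
        return None                      # lr was not saved by this prologue
    locals_size = 0
    if pc > addr + 4 and addr + 4 in code:
        locals_size = sub_sp_imm(code[addr + 4]) or 0
    # stmdb stores the lowest-numbered register at the lowest address, so lr
    # sits above every saved register numbered r0..r13.
    below_lr = bin(reglist & 0x3FFF).count("1")
    saved = bin(reglist).count("1")
    lr_slot = sp + locals_size + 4 * below_lr
    return stack[lr_slot], sp + locals_size + 4 * saved

# Constructed sample function and stack (not taken from the dump).
CODE = {
    0x1000: 0xE92D4070,   # stmdb sp!, {r4-r6, lr}
    0x1004: 0xE24DD010,   # sub   sp, sp, #0x10
    0x1008: 0xE5913010,   # ldr   r3, [r1, #0x10]   <- faulting pc
}
STACK = {0x2010: 0x44444444, 0x2014: 0x55555555,
         0x2018: 0x66666666, 0x201C: 0x00011234}

if __name__ == "__main__":
    ret, caller_sp = unwind_one_frame(CODE, 0x1008, 0x2000, STACK)
    print("return address 0x%08x, caller sp 0x%08x" % (ret, caller_sp))
```

Feeding the returned address and stack pointer back in as the next pc and sp repeats the step for the caller's frame.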