使用WinDbg从崩溃转储中检查原始内存中的方法参数

Question

我们的一位客户报告了一起车祸。在未处理的异常之后，她看到了标准错误消息：

“应用程序生成了无法处理的异常...单击”确定“终止应用程序。单击”取消“以调试应用程序。”

我使用DebugDiag生成此进程的转储。我现在正在看垃圾场。

！线程在我的托管线程中向我显示了一个异常。有几个嵌套异常。这个位于底部：

0:000> !pe -nested
...
Nested exception -------------------------------------------------------------
Exception object: 14015a98
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
    SP       IP       Function
    0013E958 7B6EEF3B System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)+0x8b
    0013E994 7B6F7916 System_Windows_Forms_ni!System.Windows.Forms.Control.WndProcException(System.Exception)+0x16
    0013E9A0 7B6FA39C System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.OnThreadException(System.Exception)+0xc
    0013E9A4 7B1C8512 System_Windows_Forms_ni!System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)+0x72
    0013EC70 7B1D8D2E System_Windows_Forms_ni!System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)+0x24e
    0013ED0C 7B1D8997 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)+0x177
    0013ED60 7B1D87E1 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)+0x61
    0013ED90 7B6EDE2B System_Windows_Forms_ni!System.Windows.Forms.Application.RunDialog(System.Windows.Forms.Form)+0x33
    0013EDA4 7B7225AB System_Windows_Forms_ni!System.Windows.Forms.Form.ShowDialog(System.Windows.Forms.IWin32Window)+0x373
    0013EE30 0DF41E76 PDILibReportProcessor!profdata.com.Library.libReportRenderCrystal.RenderToDisplay(System.Windows.Forms.IWin32Window, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig)+0xb6
    0013EE4C 0DF416EB PDILibReportProcessor!profdata.com.Library.libReportProcessor.Process(System.Windows.Forms.IWin32Window)+0x153
    0013EE60 07B37644 PDILibReportProcessor!profdata.com.Library.libReportProcessor.ProcessCrystalReport(System.String, System.Type, System.Data.DataSet, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig, System.Windows.Forms.IWin32Window, System.String)+0x74
    0013EEA4 07B375B8 PDILibReportProcessor!profdata.com.Library.libReportProcessor.ProcessReport(System.String, System.Type, System.Data.DataSet, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig, System.Windows.Forms.IWin32Window)+0x18
    0013EEB8 07B333C4 APRPTCashRequirements!profdata.com.AccountsPayable.frmAPCashRequirements.RunProcessOrReport()+0x7e4

StackTraceString: <none>
HResult: 80004003

代码已在表单中向用户显示Crystal Report。在显示报告时，应用程序尝试执行某些操作并获得System.AccessViolationException。

查看NativeWindow.Callback源代码，我看到了：

private IntPtr Callback(IntPtr hWnd, int msg, IntPtr wparam, IntPtr lparam)
{
    Message m = Message.Create(hWnd, msg, wparam, lparam);
    try
    {
        // calls WndProc or DefWndProc
    }
    catch (Exception exception)
    {
        this.OnThreadException(exception);
    }
    finally {...}
}

我想知道导致异常的消息，wParam和lParam参数。 （我也想验证我正在查看正确的异常对象。）这可能是对UI线程的调用，或者它可能是正常的Windows事件，在这种情况下我想知道哪一个。< / p>

我得到了线程环境块：

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        00134144
    StackBase:            00140000
    StackLimit:           00130000

并转储堆栈内存：

0:000> !dqs 00130000 00140000
...
0013e968  00000000`00000000
0013e970  00000000`00000000
0013e978  00000000`00000000
0013e980  140ea9fc`00000000
0013e988  0013e998`0013ea44
0013e990  140c1d4c`7b6f7916
0013e998  7b6fa39c`0013ea54 <--- is NativeWindow.Callback
0013e9a0  0013ea6c`7b1c8512
0013e9a8  0013ec60`79edd757
0013e9b0  0013ec60`00000000
0013e9b8  0013ea6c`e0434f4d
0013e9c0  00000000`0013ea1c
0013e9c8  00000000`00000000
...

所以如果签名是这样的：     SP IP     0013E9A4 7B1C8512 NativeWindow.Callback（IntPtr，Int32，IntPtr，IntPtr）+ 0x72

1. 参数的确切位置 堆栈？
2. 我如何检查它们 得到他们的价值观？

我仍然觉得我没有找到根本原因。我们有一个ThreadException处理程序。为什么不叫它？导致System.AccessViolationException？

的原因

请注意!analyze -v报告了STATUS_BREAKPOINT，因为用户在错误对话框中停止了“应用程序已生成异常...”。

Answer 1

您应该首先将上下文设置为异常上下文：

.ecxr

然后确保您有一个使用本地缓存路径下载所有NT模块的最新公共符号的同情：

.sympath srv*C:\<cache>\sym*http://msdl.microsoft.com/download/symbols

这些步骤应该确保从k获得正确的本机堆栈，这也应该反映在托管堆栈中。要获得没有私有符号的本机帧的参数很难，你必须基本上从堆栈中重建它们，知道调用约定和参数位置。简单的dv不适用于公共符号。

至于ThreadException处理程序问题，您是否将Application.SetUnhandledExceptionMode设置为CatchException？

Answer 2

如果你想要的只是窗口消息，请使用dv / V

从其中一个本机帧中取出它

编辑：您正在追逐AccessViolationException，这意味着您应该肯定使用kn100和.frame查看本机堆栈以找出实际的AV < / p>

Answer 3

kn100返回下面的堆栈。我不知道该怎么做。将.frame设置为哪里？然后做什么？

该应用程序是一个大型的C＃WinForms客户端。我们没有写过本机代码。我通常可以很快地在代码中诊断未处理的异常，但这是我尝试诊断的第一个本机错误。

00 00132d4c 7739bf53 ntdll!KiFastSystemCallRet
01 00132d84 7738965e user32!NtUserWaitMessage+0xc
02 00132dac 7739f762 user32!InternalDialogBox+0xd0
03 0013306c 7739f047 user32!SoftModalMessageBox+0x94b
04 001331bc 7739eec9 user32!MessageBoxWorker+0x2ba
05 00133214 7739ee65 user32!MessageBoxTimeoutW+0x7a
06 00133234 7739ee41 user32!MessageBoxExW+0x1b
07 00133250 7a14c82e user32!MessageBoxW+0x45
08 00133274 7a1507ae mscorwks!WszMessageBox+0x8b
09 00134150 7a1509ea mscorwks!UtilMessageBoxNonLocalizedVA+0x351
0a 001341d4 7a2cea8d mscorwks!UtilMessageBoxVA+0x6b
0b 001341f4 7a2cf209 mscorwks!Debugger::MessageBox+0x1a
0c 00134230 7a2d2cae mscorwks!Debugger::NotifyUserOfFault+0x65
0d 00134270 7a2d5c67 mscorwks!Debugger::ShouldAttachDebugger+0xa2
0e 001342b4 7a2d95fa mscorwks!Debugger::ShouldAttachDebuggerProxy+0x66
0f 001342c0 7a0974d1 mscorwks!Debugger::FallbackJITAttachPrompt+0x9
10 001342dc 7a09c0c7 mscorwks!WatsonLastChance+0x63
11 00134334 7a09c173 mscorwks!CLRAddVectoredHandlers+0x209
12 0013433c 7c35f0c3 mscorwks!InternalUnhandledExceptionFilter+0x22
13 00134348 61585e4e msvcr71!__CxxUnhandledExceptionFilter+0x46
WARNING: Stack unwind information not available. Following frames may be wrong.
14 00134620 77e76a20 SACommLayer_RES_EN!GetResDllVersion+0x4e2e
15 00134628 77e61ac1 kernel32!BaseProcessStart+0x39
16 00134650 7c828772 kernel32!_except_handler3+0x61
17 00134674 7c828743 ntdll!ExecuteHandler2+0x26
18 0013471c 7c82865c ntdll!ExecuteHandler+0x24
19 001349fc 77e4bef7 ntdll!RtlRaiseException+0x3d
1a 00134a5c 7a1997f7 kernel32!RaiseException+0x53
1b 00134a74 7a1915c4 mscorwks!RtlRaiseStatus+0x13
1c 00134a7c 79e9a8a9 mscorwks!_purecall+0xa
1d 00134a8c 79e9a92c mscorwks!MethodDataCache::FindHelper+0x17
1e 00134ac4 79e8a9b0 mscorwks!MethodDataCache::Find+0x52
1f 00134b00 79e8aa6a mscorwks!MethodTable::GetMethodDataHelper+0x23
20 00134b38 79e8aab3 mscorwks!MethodTable::GetMethodData+0x1a
21 00134b50 79e8aad9 mscorwks!MethodTable::MethodIterator::Init+0x13
22 00134b64 79e8b677 mscorwks!MethodTable::MethodIterator::MethodIterator+0x11
23 00134bb4 79e8b874 mscorwks!EEClass::FindMethod+0x38
24 00134c38 79e89332 mscorwks!MemberLoader::GetDescFromMemberDefOrRefThrowing+0x3e8
25 00134ec0 79fc44bf mscorwks!MemberLoader::GetMethodDescFromMemberDefOrRefOrSpecThrowing+0x219
26 00134f88 79fc43cf mscorwks!CEEInfo::findMethodInternal+0x12a
27 00134ff4 79062ea6 mscorwks!CEEInfo::findMethod+0xc4
28 0013500c 79062fa9 mscorjit!Compiler::eeFindMethod+0x22
29 001350f4 790633e8 mscorjit!Compiler::impImportCall+0xda
2a 001356fc 790643a1 mscorjit!Compiler::impImportBlockCode+0x2bbb
2b 00135774 790644d6 mscorjit!Compiler::impImportBlock+0x1df
2c 0013578c 7906465c mscorjit!Compiler::impImport+0xe2
2d 00135798 7906467a mscorjit!Compiler::fgImport+0x20
2e 001357a8 79065b8e mscorjit!Compiler::compCompile+0xc
2f 001357f4 79065d33 mscorjit!Compiler::compCompile+0x44f
30 0013587c 79066448 mscorjit!jitNativeCode+0xef
31 001358a0 79fc722c mscorjit!CILJit::compileMethod+0x25
32 0013590c 79fc72c5 mscorwks!invokeCompileMethodHelper+0x72
33 00135950 79fc7338 mscorwks!invokeCompileMethod+0x31
34 001359a4 79fc70ad mscorwks!CallCompileMethodWithSEHWrapper+0x5b
35 00135d4c 79fc6e6f mscorwks!UnsafeJitFunction+0x31b
36 00135df0 79e811eb mscorwks!MethodDesc::MakeJitWorker+0x1a8
37 00135e48 79e813ab mscorwks!MethodDesc::DoPrestub+0x41b
38 00135e98 00361efe mscorwks!PreStubWorker+0xf3
39 00135eb0 7b6eef3b 0x361efe
3a 00135f10 7b6f7916 System_Windows_Forms_ni+0x71ef3b
3b 00135f1c 7b6fa39c System_Windows_Forms_ni+0x727916
3c 0013f17c 7739b6e3 System_Windows_Forms_ni+0x72a39c
3d 0013f1a8 7739b874 user32!InternalCallWinProc+0x28
3e 0013f220 7739ba92 user32!UserCallWinProcCheckWow+0x151
3f 0013f288 7739bad0 user32!DispatchMessageWorker+0x327
40 0013f298 03c341d2 user32!DispatchMessageW+0xf
41 0013f2b4 7b1d8d2e 0x3c341d2
42 0013f368 7b1d8997 System_Windows_Forms_ni+0x208d2e
43 0013f3c0 7b1d87e1 System_Windows_Forms_ni+0x208997
44 0013f3f0 7b195931 System_Windows_Forms_ni+0x2087e1
45 0013f480 79e71b4c System_Windows_Forms_ni+0x1c5931
46 0013f490 79e821f9 mscorwks!CallDescrWorker+0x33
47 0013f510 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3
48 0013f648 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c
49 0013f664 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f
4a 0013f67c 79eefac5 mscorwks!MethodDescCallSite::CallWithValueTypes+0x1a
4b 0013f7e0 79eef9e5 mscorwks!ClassLoader::RunMain+0x223
4c 0013fa48 79eeff35 mscorwks!Assembly::ExecuteMainMethod+0xa6
4d 0013ff18 79ef011f mscorwks!SystemDomain::ExecuteMainMethod+0x456
4e 0013ff68 79ef004f mscorwks!ExecuteEXE+0x59
4f 0013ffb0 79007c24 mscorwks!_CorExeMain+0x15c
50 0013ffc0 77e6f23b mscoree!_CorExeMain+0x2c
51 0013fff0 00000000 kernel32!BaseProcessStart+0x23