WinDbg重建堆棧

原創 BeanJoy 2020-06-02 04:04

  某些情況下,抓取到dump分析到異常後,卻發現堆棧並不對,不能有效的定位到程序崩潰的地方,這個時候就需要重建一下堆棧。

  可以參考:HOW TO: Find the Problem Exception Stack When You Receive an UnhandledExceptionFilter Call in the Stack Trace 

  當然也可以試着用DebugDiag來分析,在“Recovered stack”中會顯示重建後的堆棧。

  下面是一個堆棧被破壞後的dump,分別用WinDbg重建和用DebugDiag分析後的結果:

0:003> k
ChildEBP RetAddr  
0764f630 75119171 USER32!NtUserWaitForInputIdle+0x15
0764f660 75892ce5 USER32!WaitForInputIdle+0x5a
0764f6fc 004e8b00 kernel32!WinExec+0xc4
0764f7d8 75850047 SDAMSDevMgmt!ExpFilter+0x152 [D:\WangWang\WIN2K\Common\..\include\StackWalker.h @ 339]
0764f860 772321d7 kernel32!UnhandledExceptionFilter+0x127
0764f868 772320b4 ntdll!__RtlUserThreadStart+0x62
0764f87c 77231f59 ntdll!_EH4_CallFilterFunc+0x12
0764f8a4 77206ab9 ntdll!_except_handler4+0x8e
0764f8c8 77206a8b ntdll!ExecuteHandler2+0x26
0764f8ec 77206a2d ntdll!ExecuteHandler+0x24
0764f978 771d0143 ntdll!RtlDispatchException+0x127
0764f978 00000000 ntdll!KiUserExceptionDispatcher+0xf
0:003> kb
ChildEBP RetAddr  Args to Child              
0764f630 75119171 00000fa8 00007530 00000000 USER32!NtUserWaitForInputIdle+0x15
0764f660 75892ce5 000007bc 00007530 0764f7cc USER32!WaitForInputIdle+0x5a
0764f6fc 004e8b00 0764f70c 00000000 6473746e kernel32!WinExec+0xc4
0764f7d8 75850047 0764f890 47ea2381 00000000 SDAMSDevMgmt!ExpFilter+0x152 [D:\WangWang\WIN2K\Common\..\include\StackWalker.h @ 339]
0764f860 772321d7 0764f890 772320b4 00000000 kernel32!UnhandledExceptionFilter+0x127
0764f868 772320b4 00000000 0764ffd4 771ec520 ntdll!__RtlUserThreadStart+0x62
0764f87c 77231f59 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12
0764f8a4 77206ab9 fffffffe 0764ffc4 0764f9e0 ntdll!_except_handler4+0x8e
0764f8c8 77206a8b 0764f990 0764ffc4 0764f9e0 ntdll!ExecuteHandler2+0x26
0764f8ec 77206a2d 0764f990 0764ffc4 0764f9e0 ntdll!ExecuteHandler+0x24
0764f978 771d0143 0164f990 0764f9e0 0764f990 ntdll!RtlDispatchException+0x127
0764f978 00000000 0164f990 0764f9e0 0764f990 ntdll!KiUserExceptionDispatcher+0xf
0:003> kP
ChildEBP RetAddr  
0764f630 75119171 USER32!NtUserWaitForInputIdle+0x15
0764f660 75892ce5 USER32!WaitForInputIdle+0x5a
0764f6fc 004e8b00 kernel32!WinExec+0xc4
0764f7d8 75850047 SDAMSDevMgmt!ExpFilter(
			struct _EXCEPTION_POINTERS * pExp = 0x0764f890)+0x152 [D:\WangWang\WIN2K\Common\..\include\StackWalker.h @ 339]
0764f860 772321d7 kernel32!UnhandledExceptionFilter+0x127
0764f868 772320b4 ntdll!__RtlUserThreadStart+0x62
0764f87c 77231f59 ntdll!_EH4_CallFilterFunc+0x12
0764f8a4 77206ab9 ntdll!_except_handler4+0x8e
0764f8c8 77206a8b ntdll!ExecuteHandler2+0x26
0764f8ec 77206a2d ntdll!ExecuteHandler+0x24
0764f978 771d0143 ntdll!RtlDispatchException+0x127
0764f978 00000000 ntdll!KiUserExceptionDispatcher+0xf
0:003> dd 0764f890
0764f890  0764f990 0764f9e0 771ec530 00000001
0764f8a0  007cdea8 0764f8c8 77206ab9 fffffffe
0764f8b0  0764ffc4 0764f9e0 0764f964 0764fedc
0764f8c0  77206acd 0764ffc4 0764f978 77206a8b
0764f8d0  0764f990 0764ffc4 0764f9e0 0764f964
0764f8e0  77231ecd 00000000 0764f990 0764ffc4
0764f8f0  77206a2d 0764f990 0764ffc4 0764f9e0
0764f900  0764f964 77231ecd 09023a40 0764f990
0:003> .cxr 0764f9e0
eax=09023a40 ebx=08540020 ecx=0000000c edx=00000000 esi=08540020 edi=09023a40
eip=755aa048 esp=0764fe44 ebp=0764fe4c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!__ascii_strnicmp+0x86:
755aa048 660f6f06        movdqa  xmm0,xmmword ptr [esi] ds:002b:08540020=????????????????????????????????
0:003> k
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  
0764fe4c 755aa00b msvcrt!__ascii_strnicmp+0x86
0764fe5c 72a83ae4 msvcrt!_VEC_memcpy+0x52
0764fe7c 0048f8cd MFC42u!CFixedAlloc::Free+0x2a
0764fe98 004c3659 SDAMSDevMgmt!CBufferListItem::AddData+0x6e [D:\WangWang\WIN2K\Common\RingStream.cpp @ 876]
0764feb4 004dae64 SDAMSDevMgmt!CSDAMSMsgConvertor::PushBuffer+0x58 [D:\WangWang\WIN2K\COMMON\SDAMSMsgConvertor.cpp @ 116]
0764fee8 004f210d SDAMSDevMgmt!SDAMTransferThread::OnReceive+0x119 [D:\WangWang\WIN2K\SDAMSDevMgmt\SDAMTransferThread.cpp @ 111]
0764ff18 004f2063 SDAMSDevMgmt!CTCPServerThread::ProcessMsg+0x5f [D:\WangWang\WIN2K\Common\TCPServerThread.cpp @ 482]
0764ff48 755b1287 SDAMSDevMgmt!CTCPServerThread::_ServerWorkThread+0xec [D:\WangWang\WIN2K\Common\TCPServerThread.cpp @ 452]
0764ff80 755b1328 msvcrt!_endthreadex+0x44
0764ff88 758133ca msvcrt!_endthreadex+0xce
0764ff94 771f9ed2 kernel32!BaseThreadInitThunk+0xe
0764ffd4 771f9ea5 ntdll!__RtlUserThreadStart+0x70
0764ffec 00000000 ntdll!_RtlUserThreadStart+0x1b


  下面是DebugDiag分析後的結果片段:

  附上_EXCEPTION_POINTERS的定義,結合上面WinDbg分析過程來看。注意kb和kP的區別,kb中kernel32!UnhandledExceptionFilter第一個Args to Child爲0764f890,就是SDAMSDevMgmt!ExpFilter第一個參數的地址(kP中struct _EXCEPTION_POINTERS * pExp = 0x0764f890),爲一個_EXCEPTION_POINTERS結構,然後就可以用.cxr查看此結構中PCONTEXT的值。

typedef struct _EXCEPTION_POINTERS {
    PEXCEPTION_RECORD ExceptionRecord;
    PCONTEXT ContextRecord;
} EXCEPTION_POINTERS, *PEXCEPTION_POINTERS;


發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

微信整改地方號;阿里高層大地震;工信部下架違規 App;百度入局元宇宙;Android 遊戲將登陸 Windows;TIOBE 發佈 12 月榜單|架構週報

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

辛晓亮 2021-12-13 11:54:42

Win10新版推送,但接下來每年只提供一次功能更新

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

罗燕珊 2021-11-18 09:28:56

Windows 11 又出新招限制三方瀏覽器

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

辛晓亮 2021-11-12 18:18:53

“MSL”出爐?Ubuntu 發佈 Multipass 對標 WSL

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

辛晓亮 2021-11-12 10:08:56

Facebook 改名爲 Meta;同花順系統崩潰,網友:血虧;字節跳動迴應“抄襲阿里 Ant Design 代碼”:深表歉意

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-11-01 13:43:58

“問題孩子”Windows 11來了,WSL 成其最大亮點

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-10-08 16:23:55

最大程度的開放:Windows 11即將迎來第三方應用商店

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

罗燕珊 2021-09-30 15:08:49

迎來大更新,Edge瀏覽器終於要翻身?

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-09-09 17:03:56

Windows 11 預覽版現嚴重 Bug 原來是內置廣告惹的禍

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

辛晓亮 2021-09-08 15:38:56

Windows 11將於10月5日發佈,運行Android應用還要再等

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-09-03 17:59:05

70萬行代碼、歷時20年,一名開發人員寫出的史詩般的計算機程序

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

核子可乐 2021-08-04 17:18:48

不含TPM芯片?抱歉,你的電腦不能升級Windows 11

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

SUZANNE HUMPHRIES 2021-07-07 14:13:54

Windows 11 發佈,支持原生 Android 應用

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

核子可乐 2021-06-28 16:58:58

揭曉Windows 11如何做到原生支持安卓應用

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

核子可乐 2021-06-28 16:18:56

用了10年Windows後,我最終轉向Linux

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

Shalitha Suranga 2020-11-09 13:58:51