Important information in crash dump

Crash occurs in a function, and 95% of crash is caused by one of the following two situations:

• The crash function gets the wrong parameter.
• Crash functions use corrupted internal data.

CodeIs the process of changing data. for the same piece of code, if the data used is the same in the same environment, the execution result must be unique. if the function crashes, the data used is definitely different from the ideal situation. data sources used by functions: one is the input parameters of the function, and the other is the member variables or global variables referenced by the function body.

 

Therefore, to analyze the crash dump, we usually look for the source of the Error Data. Below are some common examples that cause data errors:

1. Uninitialized variables are used. For example, no memory pointer is allocated and no criticalsection is initialized.
2. The function parameters are incorrectly calculated. For example, when a function is called, the order of input parameters is incorrect, and the string length is incorrect during string operations.
3. Incorrect use of data leads to uption. For example, Double Free leads to heap curruption, and forgetting to synchronize in a multi-threaded environment leads to a global variable calculation error. The addref and release calls of COM are not paired.
4. ViolationProgramUse Data logically. For example, functions that start to use these resources before the program loads necessary resources.

It can be seen that the analysis of crash dump is entirely dependent on the program. Whether or not useful information can be mined from crash dump depends on:

• Familiarity with the target program, including program architecture, role of important functions, important data structures, calling logic between functions, and implementation details of key functions.
• Basic knowledge, including assembly, exception, memory, API, message, CRT, etc.

To analyze a dump, follow these steps:

1. See what causes the crash.
2. Alignment symbol, find the name of the function that has crashed, and find the corresponding assembly code andSource code.
3. List callstack
4. Check whether callstack is reasonable
5. Check whether the function that has crashed has the correct parameters.
6. Check whether the data used by the crashed function is correct.
7. Combine the above information to get the answer, and then use the information to prove or refute your conjecture.
8. More meaningful information can be obtained through further operations, such as activating pageheap, re-capturing dump, or simply performing live debug

About CRTArticle: Http://www.codeproject.com/KB/cpp/Short_Story_VCPP_CRT.aspx? MSG = 2319521

 

From: <efficient troubleshooting for Windows user-mode Programs>