WinDbg Getting Started (2): a simple case study of an integer divide-by-zero exception

Source: Internet
Author: User

Assume that the program is named mydebug, and that
cscript.exe adplus.vbs -crash -pn mydebug.exe -o c:\test\crashdump -quiet was used to capture a dump of the process at the moment it crashed. The crash dump for this program can be downloaded here.

Step 1: as soon as the crash dump is opened, the stored exception is displayed.

Loading Dump File [D:\study\mydebug\crashdump\Crash_Mode__Date_11-12-2008__Time_15-30-1818\PID-3512__MYDEBUG.EXE__2nd_chance_IntegerDivide__full_0474_2008-11-12_15-30-35-715_0db8.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '2nd_chance_IntegerDivide_exception_in_MYDEBUG.EXE_running_on_T-RENHE-03'
Symbol search path is: SRV*D:\symbolslocal*http://msdl.microsoft.com/download/symbols;d:\symbolslocal
Executable search path is:
Windows Server 2003 Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Debug session time: Wed Nov 12 15:30:35.000 2008 (GMT+8)
System Uptime: 0 days 6:30:46.419
Process Uptime: 0 days 0:02:46.000
...
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(db8.1678): Integer divide-by-zero - code c0000094 (first/second chance not available)
eax=00000004 ebx=7ffdd000 ecx=00434e40 edx=00000000 esi=00000000 edi=0012fe60
eip=00401490 esp=0012fe04 ebp=0012fe60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for mydebug.exe
mydebug!callfast+0x60:
00401490 f77df4          idiv    eax,dword ptr [ebp-0Ch] ss:0023:0012fe54=00000000

From this output we can see that the instruction at 00401490, the address held in the instruction pointer EIP, is the one that raised the exception. WinDbg has already listed that instruction (idiv eax,dword ptr [ebp-0Ch]) together with the memory operand it read, ss:0023:0012fe54, whose value is 00000000.

So at a glance we can see that the program faulted because it divided by zero. But how exactly did that zero get there?

The complete debugging session is listed below.

0:000> .logopen c:\crashdebug1.log   // open crashdebug1.log and start writing the session to it
Opened log file 'c:\crashdebug1.log'
0:000> kb
/*
This command displays the call stack. The call stack captures the state of the thread at the instant the exception occurred, and the top frame (frame 0) is the one in which the exception was raised. From the call stack below we can see the nested calls main -> callwithcdecl -> callwithstd -> callfast (-> denotes a call). The exception occurred at instruction 00401490 while callfast was executing, so callfast is the function we need to step into and examine.
*/
ChildEBP RetAddr  Args to Child
0012fe60 00401402 00000006 0012ff18 00000000 mydebug!callfast+0x60 [D:\study\mydebug.cpp @ 58]
0012feb8 00401393 004310d8 00000004 00000006 mydebug!callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
0012ff18 0040130a 0043101c 00000004 00000006 mydebug!callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
0012ff80 00401969 00000001 00000e90 00000dc0 mydebug!main+0x9a [D:\study\mydebug.cpp @ 28]
0012ffc0 77e6f23b 00000000 00000000 7ffdd000 mydebug!mainCRTStartup+0xe9 [crt0.c @ 206]
0012fff0 00000000 00401880 00000000 78746341 kernel32!BaseProcessStart+0x23

/*

From the call stack we can clearly see the chain of calls. After the CRT initialization completes, main calls callwithcdecl, callwithcdecl calls callwithstd, and callwithstd calls callfast. Each nested call pushes the arguments, the return address and the caller's EBP onto the stack, so following the call stack frame by frame gives the complete call chain :)

The columns kb prints are:

ChildEBP:

The value of the EBP register while the corresponding function is executing, i.e. the frame pointer set up by its prologue (push ebp / mov ebp,esp). The dword at that address is the caller's saved EBP, which is the ChildEBP of the next frame down; the dword after it is the return address; the dwords after that are the arguments the caller pushed. That is why the two dd reads below return exactly the ChildEBP of the next frame, then the RetAddr column, then the "Args to Child" columns of the corresponding kb line:

0:000> dd 0012feb8 L4
0012feb8  0012ff18 00401393 004310d8 00000004
0:000> dd 0012ff80 L4
0012ff80  0012ffc0 00401969 00000001 00000e90

RetAddr:

The return address that the call instruction pushed, i.e. the address in the caller to which the function returns. kb resolves it to the symbol and source line shown on the next frame.

Args to Child:

The three dwords above the return address. For a cdecl or stdcall function these are the first three stack arguments. For callfast, which returns with ret 4 and saves ECX and EDX in its prologue (so it is __fastcall with one stack argument), only the first of the three is a real argument; the other two are just whatever the caller has on its stack.

*/
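To make the relationship between the kb columns and the raw stack concrete, here is an added example (not code from the original post) that rebuilds the kb listing by walking the saved-EBP chain over a constructed 32-bit stack image. The image holds the dwords the post actually shows (the two dd reads and the argument columns of kb) plus the saved-EBP/return-address pairs that the kb output implies for the other frames; those implied dwords, the 0 that terminates the chain, and the read_dword/walk_stack helpers are assumptions of the example, not data read from the dump.

```c
/* Added example (not from the original post): rebuild the "kb" listing by
 * walking the saved-EBP chain over a constructed 32-bit x86 stack image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct dword_cell { uint32_t addr; uint32_t value; };

/* Constructed stack image. Cells marked "dd" are dwords the post prints;
 * cells marked "implied" are the saved EBP / return address pairs that the kb
 * output implies (saved EBP = next frame's ChildEBP, [ChildEBP+4] = RetAddr)
 * plus the argument dwords kb printed. The 0 saved EBP that ends the chain is
 * an assumption of this example. */
static const struct dword_cell stack_image[] = {
    /* frame 0  mydebug!callfast+0x60          (implied) */
    {0x0012fe60, 0x0012feb8}, {0x0012fe64, 0x00401402},
    {0x0012fe68, 0x00000006}, {0x0012fe6c, 0x0012ff18}, {0x0012fe70, 0x00000000},
    /* frame 1  mydebug!callwithstd+0x42       (dd 0012feb8 L4, then kb arg 3) */
    {0x0012feb8, 0x0012ff18}, {0x0012febc, 0x00401393},
    {0x0012fec0, 0x004310d8}, {0x0012fec4, 0x00000004}, {0x0012fec8, 0x00000006},
    /* frame 2  mydebug!callwithcdecl+0x43     (implied) */
    {0x0012ff18, 0x0012ff80}, {0x0012ff1c, 0x0040130a},
    {0x0012ff20, 0x0043101c}, {0x0012ff24, 0x00000004}, {0x0012ff28, 0x00000006},
    /* frame 3  mydebug!main+0x9a              (dd 0012ff80 L4, then kb arg 3) */
    {0x0012ff80, 0x0012ffc0}, {0x0012ff84, 0x00401969},
    {0x0012ff88, 0x00000001}, {0x0012ff8c, 0x00000e90}, {0x0012ff90, 0x00000dc0},
    /* frame 4  mydebug!mainCRTStartup+0xe9    (implied) */
    {0x0012ffc0, 0x0012fff0}, {0x0012ffc4, 0x77e6f23b},
    {0x0012ffc8, 0x00000000}, {0x0012ffcc, 0x00000000}, {0x0012ffd0, 0x7ffdd000},
    /* frame 5  kernel32!BaseProcessStart+0x23 (implied; saved EBP 0 ends the chain) */
    {0x0012fff0, 0x00000000}, {0x0012fff4, 0x00000000},
    {0x0012fff8, 0x00401880}, {0x0012fffc, 0x00000000}, {0x00130000, 0x78746341},
};

struct frame { uint32_t child_ebp; uint32_t ret_addr; uint32_t args[3]; };

/* Read one dword from the image; returns 0 if the address is not mapped. */
int read_dword(uint32_t addr, uint32_t *out)
{
    size_t n = sizeof stack_image / sizeof stack_image[0];
    for (size_t i = 0; i < n; i++) {
        if (stack_image[i].addr == addr) { *out = stack_image[i].value; return 1; }
    }
    return 0;
}

/* Walk the EBP chain starting at a frame pointer. Returns the number of frames found. */
size_t walk_stack(uint32_t ebp, struct frame *out, size_t max_frames)
{
    size_t n = 0;
    while (n < max_frames && ebp != 0) {
        uint32_t saved_ebp, ret;
        if (!read_dword(ebp, &saved_ebp) || !read_dword(ebp + 4, &ret))
            break;                       /* unreadable frame: stop, as kb would */
        out[n].child_ebp = ebp;
        out[n].ret_addr = ret;
        for (int i = 0; i < 3; i++) {
            if (!read_dword(ebp + 8 + 4 * i, &out[n].args[i]))
                out[n].args[i] = 0;      /* unmapped argument slot */
        }
        n++;
        if (saved_ebp != 0 && saved_ebp <= ebp)
            break;                       /* a sane chain moves toward higher addresses */
        ebp = saved_ebp;
    }
    return n;
}

/* EBP at the time of the exception, taken from the "r" output in the post. */
#define FAULT_EBP 0x0012fe60u

size_t walk_from_fault(struct frame *out, size_t max_frames)
{
    return walk_stack(FAULT_EBP, out, max_frames);
}

int main(void)
{
    struct frame frames[16];
    size_t n = walk_from_fault(frames, 16);
    printf(" # ChildEBP RetAddr  Args to Child\n");
    for (size_t i = 0; i < n; i++)
        printf("%02zu %08x %08x %08x %08x %08x\n", i, frames[i].child_ebp,
               frames[i].ret_addr, frames[i].args[0], frames[i].args[1], frames[i].args[2]);
    return 0;
}
```

This is essentially what kb does when frame pointers are intact: it needs no symbols to recover ChildEBP, RetAddr and the argument dwords. The walk breaks down for functions compiled with frame-pointer omission (/Oy) or for frames whose saved EBP has been overwritten, which is why a kb listing that stops early or shows nonsense return addresses is itself a useful signal when analysing a crash.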

0:000> kn
 # ChildEBP RetAddr
00 0012fe60 00401402 mydebug!callfast+0x60 [D:\study\mydebug.cpp @ 58]
01 0012feb8 00401393 mydebug!callwithstd+0x42 [D:\study\mydebug.cpp @ 44]
02 0012ff18 0040130a mydebug!callwithcdecl+0x43 [D:\study\mydebug.cpp @ 37]
03 0012ff80 00401969 mydebug!main+0x9a [D:\study\mydebug.cpp @ 28]
04 0012ffc0 77e6f23b mydebug!mainCRTStartup+0xe9 [crt0.c @ 206]
05 0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> .frame 0   // select the top frame, the one that raised the exception
00 0012fe60 00401402 mydebug!callfast+0x60 [D:\study\mydebug.cpp @ 58]
0:000> dv   // display the parameters and locals of the selected frame
       szMessage = 0x004310d8 "now in the callwithstd function, parameters are :"
               a = 4
               b = 6
        idivider = 0   // judging by the name this is the divisor, and a divisor of 0 cannot be what the business logic intends
         iresult = 0
0:000> r
eax=00000004 ebx=7ffdd000 ecx=00434e40 edx=00000000 esi=00000000 edi=0012fe60
eip=00401490 esp=0012fe04 ebp=0012fe60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mydebug!callfast+0x60:
00401490 f77df4          idiv    eax,dword ptr [ebp-0Ch] ss:0023:0012fe54=00000000
0:000> u mydebug!callfast   // with no length, u disassembles eight instructions
mydebug!callfast [D:\study\mydebug.cpp @ 48]:
00401430 55              push    ebp
00401431 8bec            mov     ebp,esp
00401433 83ec50          sub     esp,50h
00401436 53              push    ebx
00401437 56              push    esi
00401438 57              push    edi
00401439 51              push    ecx
0040143a 8d7db0          lea     edi,[ebp-50h]
0:000> u mydebug!callfast L40   // L40 asks for 0x40 = 64 instructions
/*

The range must be long enough to include the faulting instruction at 00401490.

*/
mydebug!callfast [D:\study\mydebug.cpp @ 48]:
00401430 55              push    ebp
00401431 8bec            mov     ebp,esp
00401433 83ec50          sub     esp,50h
00401436 53              push    ebx
00401437 56              push    esi
00401438 57              push    edi
00401439 51              push    ecx
0040143a 8d7db0          lea     edi,[ebp-50h]
0040143d b914000000      mov     ecx,14h
00401442 b8cccccccc      mov     eax,0CCCCCCCCh
00401447 f3ab            rep stos dword ptr es:[edi]
00401449 59              pop     ecx
0040144a 8955f8          mov     dword ptr [ebp-8],edx
0040144d 894dfc          mov     dword ptr [ebp-4],ecx
00401450 8b4508          mov     eax,dword ptr [ebp+8]
00401453 50              push    eax
00401454 8b4df8          mov     ecx,dword ptr [ebp-8]
00401457 51              push    ecx
00401458 8b55fc          mov     edx,dword ptr [ebp-4]
0040145b 52              push    edx
0040145c 6814114300      push    offset mydebug!`string' (00431114)
00401461 e89a030000      call    mydebug!printf (00401800)
00401466 83c410          add     esp,10h
00401469 c745f400000000  mov     dword ptr [ebp-0Ch],0
00401470 c745f000000000  mov     dword ptr [ebp-10h],0
00401477 837d0806        cmp     dword ptr [ebp+8],6
0040147b 7509            jne     mydebug!callfast+0x56 (00401486)
0040147d c745f400000000  mov     dword ptr [ebp-0Ch],0
00401484 eb06            jmp     mydebug!callfast+0x5c (0040148c)
00401486 8b4508          mov     eax,dword ptr [ebp+8]
00401489 8945f4          mov     dword ptr [ebp-0Ch],eax
0040148c 8b45f8          mov     eax,dword ptr [ebp-8]
0040148f 99              cdq
00401490 f77df4          idiv    eax,dword ptr [ebp-0Ch]   // this is the culprit
00401493 8945f0          mov     dword ptr [ebp-10h],eax
00401496 8b4df0          mov     ecx,dword ptr [ebp-10h]
00401499 51              push    ecx
0040149a 8b55f4          mov     edx,dword ptr [ebp-0Ch]
0040149d 52              push    edx
0040149e 8b45f8          mov     eax,dword ptr [ebp-8]
004014a1 50              push    eax
004014a2 6824114300      push    offset mydebug!`string' (00431124)
004014a7 e854030000      call    mydebug!printf (00401800)
004014ac 83c410          add     esp,10h
004014af b803000000      mov     eax,3
004014b4 5f              pop     edi
004014b5 5e              pop     esi
004014b6 5b              pop     ebx
004014b7 83c450          add     esp,50h
004014ba 3bec            cmp     ebp,esp
004014bc e87f010000      call    mydebug!_chkesp (00401640)
004014c1 8be5            mov     esp,ebp
004014c3 5d              pop     ebp
004014c4 c20400          ret     4
004014c7 cc              int     3
004014c8 cc              int     3
004014c9 cc              int     3
004014ca cc              int     3
004014cb cc              int     3
004014cc cc              int     3
004014cd cc              int     3
004014ce cc              int     3
004014cf cc              int     3
004014d0 cc              int     3
0:000> dd ebp-0Ch L1   // read the divisor at the memory operand the idiv instruction referenced; as expected, it is 0
0012fe54  00000000
0:000> .logclose
Closing open log file c:\crashdebug1.log

As for where this 0 came from, the disassembly already tells us. The sequence at 00401469..00401489 sets [ebp-0Ch], the divisor, to 0 whenever the stack argument [ebp+8] equals 6, and otherwise copies that argument into it. kb shows that callfast was called with exactly that argument (00000006, the b = 6 shown by dv), so the jne at 0040147b was not taken and the divisor was still 0 when idiv executed at 00401490.

Without the source code, the practical outcome is to tell the vendor that callfast raises a divide-by-zero exception when called with the actual argument values shown by dv, and to have them fix the business logic. With the source code at hand, this is much easier to debug.

Of course, if you are interested, you can work through the rest of the business logic from the disassembly listed above yourself.
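To show what that disassembly amounts to in source terms, here is an added example, not the post's own mydebug.cpp (which is not shown), that transcribes the arithmetic of callfast into C and puts a checked version beside it. The parameter names come from the dv output; the printf format strings (the `string' constants at 00431114 and 00431124 are not shown in the post) and the names choose_divider, callfast_as_compiled and callfast_checked are assumptions of the example. It also goes one step past the post: idiv raises the same #DE fault when the quotient overflows (INT_MIN divided by -1, which Windows reports as c0000095, integer overflow, rather than c0000094), so the checked version rejects that case too.

```c
/* Added example: C transcription of mydebug!callfast as disassembled in the
 * post, plus a checked variant. Not the post's source code. */
#include <limits.h>
#include <stdio.h>

enum { CALLFAST_OK = 0, CALLFAST_DIV_BY_ZERO = -1, CALLFAST_OVERFLOW = -2 };

/* Divisor selection transcribed from 00401469..00401489:
 *   mov [ebp-0Ch],0 ; cmp [ebp+8],6 ; jne else
 *   (then) mov [ebp-0Ch],0 ; jmp done
 *   (else) mov eax,[ebp+8] ; mov [ebp-0Ch],eax
 * [ebp+8] is the single stack argument (b in "dv"), [ebp-0Ch] is idivider. */
int choose_divider(int b)
{
    int idivider = 0;
    if (b == 6)
        idivider = 0;        /* the path taken in the dump: b was 6 */
    else
        idivider = b;
    return idivider;
}

/* Straight transcription of callfast. With b == 6 this divides by zero and
 * faults with c0000094, and with a == INT_MIN, b == -1 it faults with
 * c0000095, exactly as the cdq/idiv pair at 0040148f/00401490 would.
 * The two printf format strings are assumed; the post does not show them. */
int callfast_as_compiled(const char *szMessage, int a, int b)
{
    int idivider = choose_divider(b);
    int iresult;
    printf("%s a=%d b=%d\n", szMessage, a, b);         /* 0040145c..00401466 */
    iresult = a / idivider;                             /* 0040148c..00401493: cdq ; idiv */
    printf("%d / %d = %d\n", a, idivider, iresult);    /* 0040149e..004014ac */
    return 3;                                           /* 004014af mov eax,3 */
}

/* Checked variant: validate the divisor before dividing instead of letting
 * idiv raise a hardware fault. Returns a status; the quotient goes to *iresult. */
int callfast_checked(const char *szMessage, int a, int b, int *iresult)
{
    int idivider = choose_divider(b);
    printf("%s a=%d b=%d\n", szMessage, a, b);
    if (idivider == 0)
        return CALLFAST_DIV_BY_ZERO;   /* would have been STATUS_INTEGER_DIVIDE_BY_ZERO, c0000094 */
    if (a == INT_MIN && idivider == -1)
        return CALLFAST_OVERFLOW;      /* would have been STATUS_INTEGER_OVERFLOW, c0000095 */
    *iresult = a / idivider;
    return CALLFAST_OK;
}

int main(void)
{
    int r = 0;
    const char *msg = "now in the callwithstd function, parameters are :";
    /* The values dv showed at the crash: a = 4, b = 6. */
    printf("checked: status %d\n", callfast_checked(msg, 4, 6, &r));
    printf("checked: status %d result %d\n", callfast_checked(msg, 4, 2, &r), r);
    /* b != 6, so the transcription divides by 2 and returns normally. */
    printf("as compiled: returned %d\n", callfast_as_compiled(msg, 4, 2));
    return 0;
}
```

Running callfast_as_compiled with b = 6 reproduces the crash outside the debugger; the checked version turns both hardware-fault cases into return codes the caller can act on, which is the change one would ask the vendor for.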

 

 
