0

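I am debugging a crash in a client's .NET 2.0 WinCE (6.0) application. I have pulled the .kdmp from the device and opened it in WinDbg, but honestly I don't really know what I'm looking for. I can see that it is an access violation that is closing the application, but that's about all I can tell. Any tips on using WinDbg for the .NET Compact Framework would be appreciated. I have no experience with this tool.

Here is the output from !analyze -v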

*******************************************************************************
*                                                                             *
*                      Win CE Exception Analysis                              *
*                                                                             *
*******************************************************************************


Debugging Details:
------------------

GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
Unable to get program counter
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\guids.ini, error 2
SYMSRV:  C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
SYMSRV:  C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ole32.dll/4D7757B97a000/ole32.dll not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ole32.dll/4D7757B97a000/ole32.dll not found
SYMSRV:  C:\Program Files\Windows Kits\8.0\Debuggers\x86\sym\ole32.dll\4D7757B97a000\ole32.dll not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: C:\Program Files\Windows Kits\8.0\Debuggers\ole32.dll - file not found
DBGHELP: ole32.dll not found in c:\documents and settings\thomas carvin\desktop\scanner\bin\debug
DBGHELP: ole32.dll not found in c:\documents and settings\thomas carvin\desktop\scanner\bin\debug
DBGENG:  ole32.dll - Image mapping disallowed by non-local path.
Unable to load image ole32.dll, Win32 error 0n2
DBGENG:  ole32.dll - Partial symbol image load missing image info
DBGHELP: No header for ole32.dll.  Searching for dbg file
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\ole32.dbg - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\dll\ole32.dbg - path not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\symbols\dll\ole32.dbg - path not found
DBGHELP: .\ole32.dbg - file not found
DBGHELP: .\dll\ole32.dbg - path not found
DBGHELP: .\symbols\dll\ole32.dbg - path not found
DBGHELP: ole32.dll missing debug info.  Searching for pdb anyway
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\ole32.pdb - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\dll\ole32.pdb - file not found
DBGHELP: c:\documents and settings\thomas carvin\desktop\scanner\bin\debug\symbols\dll\ole32.pdb - file not found
DBGHELP: ole32.pdb - file not found
*** WARNING: Unable to verify timestamp for ole32.dll
*** ERROR: Module load completed but symbols could not be loaded for ole32.dll
DBGHELP: ole32 - no symbols loaded
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
GetContextState failed, 0x80070570
Unable to get program counter
GetContextState failed, 0x80070570
GetContextState failed, 0x80070570
Unable to get current machine context, Win32 error 0n1392
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\modclass.ini, error 2

FAULTING_IP: 
+0
80428ca8 e5913010 ldr         r3,[r1,#0x10]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 80428ca8
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000010
Attempt to read from address 00000010

FAULTING_THREAD:  0cf2001a

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000010

READ_ADDRESS:  00000010 

FOLLOWUP_IP: 
+0
80428ca8 e5913010 ldr         r3,[r1,#0x10]

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>OEM</CELG_NAME>
    <CELG_VALUE>MOTOROLA MC3100R</CELG_VALUE>
</ANALYSIS>

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>Build</CELG_NAME>
    <CELG_VALUE>0</CELG_VALUE>
</ANALYSIS>

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>RAM</CELG_NAME>
    <CELG_VALUE>135143424</CELG_VALUE>
</ANALYSIS>

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>FreeRAM</CELG_NAME>
    <CELG_VALUE>107048960</CELG_VALUE>
</ANALYSIS>

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>Store</CELG_NAME>
    <CELG_VALUE>83693568</CELG_VALUE>
</ANALYSIS>

CE_DEVLOG: <ANALYSIS>
    <CELG_NAME>FreeStore</CELG_NAME>
    <CELG_VALUE>54960128</CELG_VALUE>
</ANALYSIS>

APP:  scanner.exe

IP_ON_HEAP:  8042c0e0

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 8042c0e0 to 80428ca8

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_NULL_CLASS_PTR_READ_ZEROED_STACK

FRAME_ONE_INVALID: 1

STACK_TEXT:  
00000000 00000000 scanner.exe!Unknown+0x0


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  scanner.exe!Unknown

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: scanner

IMAGE_NAME:  scanner.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  ** Pseudo Context ** ; kb

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000005_scanner.exe!Unloaded

BUCKET_ID:  ARM_APPLICATION_FAULT_STACKIMMUNE_NULL_CLASS_PTR_READ_ZEROED_STACK_scanner.exe!Unknown

Followup: MachineOwner

Here are the unassembled instructions and the loaded modules

1:000:armce> u 80428ca8
80428ca8 e5913010 ldr         r3,[r1,#0x10]
80428cac e3530001 cmp         r3,#1
80428cb0 0a000005 beq         80428ccc
80428cb4 e3530002 cmp         r3,#2
80428cb8 1a00000c bne         80428cf0
80428cbc e1a03004 mov         r3,r4
80428cc0 e2802010 add         r2,r0,#0x10
80428cc4 eb000830 bl          8042ad8c
1:000:armce> lm
start    end        module name
00010000 00074000   scanner   (deferred)             
40010000 400a6000   coredll    (deferred)             
400b0000 400c2000   fpcrt      (deferred)             
40120000 4012d000   zlib       (deferred)             
40140000 401a5000   commctrl   (deferred)             
40290000 402a0000   iphlpapi   (deferred)             
402b0000 402bd000   ws2        (deferred)             
402c0000 402c6000   wspm       (deferred)             
402d0000 402d6000   nspm       (deferred)             
402f0000 402fb000   ssllsp     (deferred)             
40380000 403ba000   netui      (deferred)             
40400000 40405000   lpcrt      (deferred)             
404b0000 404b7000   secur32    (deferred)             
405f0000 4066a000   ole32      (deferred)             
40670000 406a5000   oleaut32   (deferred)             
406d0000 40722000   rpcrt4     (deferred)             
40730000 4078b000   imaging    (deferred)             
419b0000 419c2000   mscoree    (deferred)             
41e30000 41e5b000   rsaenh     (deferred)             
41f30000 41f37000   rcm2api32   (deferred)             
41f40000 41f53000   edbgtl     (deferred)             
41f70000 41f7f000   tcpconnectiona   (deferred)             
41f80000 41fbd000   netcfagl2_0   (deferred)             
41fc0000 41fd0000   sqlceme30   (deferred)             
42010000 420db000   mscoree2_0   (deferred)             
42160000 42184000   sqlceer30en   (deferred)             
80400000 80420000   NK         (deferred) 

And the information from the CE Watson Dump Viewer

enter iDump Info

Processes

Modules

Callstack

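Memory Blocks

Threads

At this point, I'm mainly looking for direction. If someone could say whether this problem is caused by the application, a dependent library, or the device/OS, that would be a great starting point.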

4

2 Answers

4

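Cool! I love seeing crash dumps from architectures other than x86/x64 :)

I have zero experience debugging CE ARM, however I can decipher a few things from here:

GetContextState failed, 0x80070570

Generally, these errors are bad and mean that the dump file is corrupted in some way.

Here is your faulting instruction: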

ldr r3,[r1,#0x10]

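And, according to your exception record, the crash occurred because you tried to reference address 0x10:

Attempt to read from address 00000010

So, r1 must have been zero at the previous instruction. Usually, when you see this pattern, it's a dereference of a NULL pointer to a data structure, so 0x10 is the offset of the field of the data structure you were trying to access.

Unfortunately, the stack is garbage from there (there is some indication that it was zeroed somehow), so it's hard to get more detail from there. Do the following commands show any information?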

u 80428ca8
lm
answered 2012-05-08T15:44:48.230
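The reasoning in the answer above, as an added example that is not part of the original answer: decoding the faulting word e5913010 from the dump yields the base register and immediate offset, and subtracting the offset from the reported read address gives the value the base register held. The function names are hypothetical.

```python
def decode_ldr_str_imm(word):
    """Decode an ARM (A32) LDR/STR with a 12-bit immediate offset."""
    # bits 27-26 must be 01 (single data transfer); bit 25 clear = immediate offset
    if (word >> 26) & 0b11 != 0b01 or (word >> 25) & 1:
        raise ValueError("not an immediate-offset LDR/STR encoding")
    sign = 1 if (word >> 23) & 1 else -1          # U bit: add or subtract offset
    return {
        "load": bool((word >> 20) & 1),           # L bit: 1 = LDR, 0 = STR
        "pre_indexed": bool((word >> 24) & 1),    # P bit: offset applied before access
        "rn": (word >> 16) & 0xF,                 # base register
        "rd": (word >> 12) & 0xF,                 # destination/source register
        "offset": sign * (word & 0xFFF),
    }


def base_at_fault(word, fault_address):
    """Return (base register number, value it must have held at the fault)."""
    insn = decode_ldr_str_imm(word)
    if not insn["pre_indexed"]:
        # Post-indexed forms access [Rn] itself; the offset is applied afterwards.
        return insn["rn"], fault_address & 0xFFFFFFFF
    return insn["rn"], (fault_address - insn["offset"]) & 0xFFFFFFFF


def triage(word, fault_address):
    """One-line summary of the pointer that was dereferenced."""
    reg, base = base_at_fault(word, fault_address)
    kind = "NULL" if base == 0 else "non-NULL"
    return f"r{reg}={base:#x}: {kind} pointer, field offset {fault_address - base:#x}"


if __name__ == "__main__":
    # Faulting word and READ_ADDRESS as shown in the !analyze -v output on this page.
    print(triage(0xE5913010, 0x00000010))
```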
1

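Landing in the middle of the kernel is the worst, because it's hard to figure out where you are and how you got there. Unfortunately, it's hard to get debugging symbols, because they are unique to each platform: you have to get them from Motorola, not from Microsoft.

The convention on ARM processors is to store the return address of the current leaf function in the link register, lr. Each function's prolog is responsible for storing the value of this register somewhere it won't be trashed by any function it calls. In order to be able to unwind the stack if a hardware exception occurs, Windows CE requires the prolog to take a specific form. The virtual unwinder algorithm is described in ARM Prolog and Epilog ("virtual" because Windows exception handling doesn't actually unwind the stack until it has found the actual handler for the exception, but it can only find that handler by walking the stack). You can follow that algorithm yourself to walk back up the stack.

The example at that link is actually pretty atypical: the code only saves r0-r3 on the stack before saving any persistent registers for C/C++ variadic functions. That way they are next to any other arguments. The Windows CE ARM calling convention passes the first four arguments to a function in registers r0-r3, then the fifth and subsequent arguments on the stack. Therefore a function that uses va_args has to push the first four onto the stack, adjacent to the others, so it can treat all the arguments the same.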

Normally, an ARM function will start with a stmdb (STore Multiple, Decrement Before) instruction that stores all the volatile registers overwritten by the function. This instruction isn't used very often in normal code, so the stmdb is nearly always the first instruction of the function. You can therefore work out from that instruction, and from the stack, what the value of lr was and therefore where to return to. You can then repeat that for each method until you get somewhere recognizable. Hopefully this will be in an import section of a DLL, but it's probable that it will be in mscoree2_0.dll or netcfagl2_0.dll. You will probably need to search a disassembly of the Compact Framework assemblies to find what managed code called into that native entry point.

answered 2013-05-23T00:56:06.037
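One frame of the manual unwind described in the answer above, as an added example that is not part of the original answer. It assumes the common prolog form (a single stmdb sp!, {..., lr} optionally followed by sub sp, sp, #imm) and does not handle the variadic form; the code words, addresses and stack contents are constructed, and the function names are hypothetical.

```python
STMDB_SP_MASK, STMDB_SP_BITS = 0xFFFF0000, 0xE92D0000   # stmdb sp!, {reglist}
SUB_SP_MASK, SUB_SP_BITS = 0xFFFFF000, 0xE24DD000       # sub sp, sp, #imm


def arm_imm(word):
    """Expand the 8-bit value / 4-bit rotation immediate of a data-processing insn."""
    imm8, rot = word & 0xFF, ((word >> 8) & 0xF) * 2
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF


def find_prolog(code, base, pc):
    """Scan backwards from pc for the stmdb sp!, {..., lr} that opens the function."""
    for addr in range(pc - 4, base - 4, -4):
        word = code[(addr - base) // 4]
        if word & STMDB_SP_MASK == STMDB_SP_BITS and word & (1 << 14):
            return addr, word
    raise LookupError("no stmdb sp!, {..., lr} found before pc")


def saved_lr(code, base, pc, sp, read_u32):
    """Return (function start, return address saved by its prolog)."""
    start, stm = find_prolog(code, base, pc)
    # Locals allocated by 'sub sp, sp, #imm' before pc sit below the saved registers.
    locals_size = 0
    for addr in range(start + 4, pc, 4):
        word = code[(addr - base) // 4]
        if word & SUB_SP_MASK == SUB_SP_BITS:
            locals_size += arm_imm(word)
    # stmdb stores ascending register numbers at ascending addresses, so lr (r14)
    # sits above every lower-numbered register in the list.
    below_lr = bin(stm & 0x3FFF).count("1")
    return start, read_u32(sp + locals_size + 4 * below_lr)


# Constructed sample: a four-instruction function and the stack at the fault.
BASE, PC, SP = 0x00010000, 0x0001000C, 0x2000F000
CODE = [0xE92D4030,   # stmdb sp!, {r4, r5, lr}
        0xE24DD008,   # sub   sp, sp, #8
        0xE1A04000,   # mov   r4, r0
        0xE5913010]   # ldr   r3, [r1, #0x10]   <- pc
STACK = {0x2000F008: 0x11111111, 0x2000F00C: 0x22222222, 0x2000F010: 0x00012344}

if __name__ == "__main__":
    start, lr = saved_lr(CODE, BASE, PC, SP, STACK.__getitem__)
    print(f"function starts at {start:#010x}, returns to {lr:#010x}")
```

Against a real dump the code words and stack words would be read with WinDbg's `dd`, and the step is repeated with pc set to the recovered lr and sp advanced past the saved registers.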