
It is a large 32-bit mixed-mode MFC 7.0 application on XP; the user reported using a feature that is implemented in managed code. The crash is on a thread that has acquired the LoaderLock, and it appears to come from the .NET worker thread pool.

0:016> !cs -o -l
-----------------------------------------
DebugInfo          = 0x7c97e1a0
Critical section   = 0x7c97e174 (ntdll!LdrpLoaderLock+0x0)
LOCKED
LockCount          = 0x4
OwningThread       = 0x00000260
RecursionCount     = 0x1
LockSemaphore      = 0x7BC
SpinCount          = 0x00000000
OwningThread DbgId = ~16s
OwningThread Stack =
ChildEBP RetAddr  Args to Child              
0f66e400 7c90df4a 7c8648a2 00000002 0f66e57c ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0f66e404 7c8648a2 00000002 0f66e57c 00000001 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
0f66e74c 7c83ab50 0f66e774 7c839b39 0f66e77c kernel32!UnhandledExceptionFilter+0x8b9 (FPO: [Non-Fpo])
0f66e754 7c839b39 0f66e77c 00000000 0f66e77c kernel32!BaseThreadStart+0x4d (FPO: [Non-Fpo])
0f66e77c 7c9032a8 0f66e868 0f66ffdc 0f66e884 kernel32!_except_handler3+0x61 (FPO: [Uses EBP] [3,0,7])
0f66e7a0 7c90327a 0f66e868 0f66ffdc 0f66e884 ntdll!ExecuteHandler2+0x26
0f66e850 7c90e48a 00000000 0f66e884 0f66e868 ntdll!ExecuteHandler+0x24
0f66e850 79247eb4 00000000 0f66e884 0f66e868 ntdll!KiUserExceptionDispatcher+0xe (FPO: [2,0,0]) (CONTEXT @ 0f66e884)
0f66eb4c 7929a46e 0e715d80 792483ef 0e715d80 mscorwks!Thread::UnhijackThread+0xb (FPO: [0,0,0])
0f66eb54 792483ef 0e715d80 00000000 00000000 mscorwks!Thread::RareEnablePreemptiveGC+0x36 (FPO: [0,0,0])
0f66eb64 792a6ff9 06ee0000 00000000 00000000 mscorwks!Thread::RareDisablePreemptiveGC+0x5f (FPO: [0,0,0])
0f66ec10 79247e14 06ee0000 00000003 00000000 mscorwks!SystemDomain::RunDllMain+0x7d (FPO: [Non-Fpo])
0f66ee98 603d6a2c 00000001 00000003 00000000 mscorwks!ExecuteDLL+0x3c0 (FPO: [Non-Fpo])
0f66eed8 603d70a3 06ee0000 0f66eebc 00000000 mscoreei!CorDllMainWorker+0x153 (FPO: [Non-Fpo])
0f66ef14 79015012 00000000 00000003 00000000 mscoreei!_CorDllMain+0x111 (FPO: [Non-Fpo])
0f66ef30 7c90118a 06ee0000 00000003 00000000 mscoree!ShellShim__CorDllMain+0xad (FPO: [Non-Fpo])
0f66ef50 7c91397b 06ef841e 06ee0000 00000003 ntdll!LdrpCallInitRoutine+0x14
0f66efc8 7c80c136 00000000 793fa180 7c80934a ntdll!LdrShutdownThread+0xd7 (FPO: [Non-Fpo])
0f66f000 792ee8ad 00000000 00000000 792ee78a kernel32!ExitThread+0x3e (FPO: [Non-Fpo])
0f66f020 792edfcb 00000000 00000000 00000000 mscorwks!ThreadpoolMgr::WorkerThreadStart+0x123 (FPO: [Non-Fpo])

Some interesting values on the stack may be 06ee0000 and 0f66eebc. The first is the base address of myMixedModeDll, the second is:

0:016> ln 06ef841e 
(06ef841e)   myMixedModeDll!CorDllMain   |  (06ef8424)   myMixedModeDll!CDialog::CDialog
Exact matches:

The actual exception should be here:

0:000> .cxr 0f66e884;kb 
eax=000000df ebx=00000000 ecx=0e715d80 edx=000003a4 esi=0e715d80 edi=00010000
eip=79247eb4 esp=0f66eb50 ebp=0f66ec10 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
mscorwks!Thread::UnhijackThread+0xb:
79247eb4 8910            mov     dword ptr [eax],edx  ds:0023:000000df=????????
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
0f66eb4c 7929a46e 0e715d80 792483ef 0e715d80 mscorwks!Thread::UnhijackThread+0xb
0f66eb54 792483ef 0e715d80 00000000 00000000 mscorwks!Thread::RareEnablePreemptiveGC+0x36

Yes, eax is bad:

0:000> u 79247eae 
mscorwks!Thread::UnhijackThread+0x5:
79247eae 8b5178          mov     edx,dword ptr [ecx+78h]
79247eb1 8b417c          mov     eax,dword ptr [ecx+7Ch]
79247eb4 8910            mov     dword ptr [eax],edx

Yes, ECX was restored correctly:

0:016> dd @ecx+0x78 L1
0e715df8  000003a4
0:016> dd @ecx+0x7c L1
0e715dfc  000000df

0:016> dd @ecx L0x20
0e715d80  0e6f4798 00000000 ffffffff 00000000
0e715d90  00000000 00000020 00000000 0e715da0
0e715da0  0e715da0 0e715da0 00000000 00000000
0e715db0  00000000 000000df 00000000 00000000
0e715dc0  00000000 00000000 00000000 00000000
0e715dd0  00000000 00000000 00000000 00000000
0e715de0  00000000 00000000 00000000 00000000
0e715df0  0e7093e8 00002733 000003a4 000000df

Last error value:

0:016> !gle
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.

This .NET version is 1.1.4322, and sos claims that thread #16 is not a managed thread.

0:016> !t
ThreadCount: 10
UnstartedThread: 0
BackgroundThread: 10
PendingThread: 0
DeadThread: 0
                                  PreEmptive   GC Alloc                     Lock     
        ID  ThreadOBJ       State     GC       Context           Domain     Count APT Exception
  0  0xc8c 0x001ae598      0x4220 Enabled  0x1b7df804:0x1b7df8d8 0x001fda98     0 STA
  5  0xcd4 0x001caea0      0xb220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Finalizer)
  8  0xe28 0x0c56ac40       0x220 Enabled  0x00000000:0x00000000 0x001fda98     0 Ukn
 10  0x8a8 0x0e5f4b48    0x800220 Enabled  0x1b822518:0x1b824458 0x001fda98     0 MTA (Threadpool Completion Port)
 11  0xc18 0x0e6d6a60    0x800220 Enabled  0x1b8651cc:0x1b867008 0x001fda98     0 MTA (Threadpool Completion Port)
 12  0xa54 0x00190c28       0x220 Enabled  0x1b5247f0:0x1b52650c 0x001fda98     0 Ukn
 13  0xe9c 0x0e6627f8       0x220 Enabled  0x1b5307f0:0x1b53250c 0x001fda98     0 Ukn
 14  0xe58 0x0e6b11a0   0x1800220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Threadpool Worker)
 15  0x8dc 0x0e6d68a8       0x220 Enabled  0x00000000:0x00000000 0x001fda98     0 Ukn
 17  0xbcc 0x0e709378       0x220 Enabled  0x1b52c7f0:0x1b52e50c 0x001fda98     0 Ukn
0:016> !ClrStack
Thread 16
Not a managed thread.

How can I find more information to reveal the cause of this crash?
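The manual triage performed above (read the loader-lock owner from `!cs`, work out why DllMain ran on a thread-pool worker, and resolve the faulting write from the `.cxr` register dump) can be scripted over the pasted debugger text. The following Python script is an added example and is not part of the original question or of any Microsoft tool; the sample strings are copied from the question's own WinDbg output. It assumes that the first three arguments shown for `ntdll!LdrpCallInitRoutine` are (entry point, hModule, fdwReason), which is consistent with the `ln 06ef841e` result on the page, and it uses the documented DllMain reason codes from winnt.h.

```python
"""Triage a WinDbg crash dump of the shape shown in the question (added example)."""
import re

# Constructed sample: frames copied from the question's "OwningThread Stack" (kb format).
STACK_TEXT = """\
0f66eb4c 7929a46e 0e715d80 792483ef 0e715d80 mscorwks!Thread::UnhijackThread+0xb (FPO: [0,0,0])
0f66ec10 79247e14 06ee0000 00000003 00000000 mscorwks!SystemDomain::RunDllMain+0x7d (FPO: [Non-Fpo])
0f66ef30 7c90118a 06ee0000 00000003 00000000 mscoree!ShellShim__CorDllMain+0xad (FPO: [Non-Fpo])
0f66ef50 7c91397b 06ef841e 06ee0000 00000003 ntdll!LdrpCallInitRoutine+0x14
0f66efc8 7c80c136 00000000 793fa180 7c80934a ntdll!LdrShutdownThread+0xd7 (FPO: [Non-Fpo])
0f66f000 792ee8ad 00000000 00000000 792ee78a kernel32!ExitThread+0x3e (FPO: [Non-Fpo])
0f66f020 792edfcb 00000000 00000000 00000000 mscorwks!ThreadpoolMgr::WorkerThreadStart+0x123 (FPO: [Non-Fpo])
"""
# Constructed sample: the relevant lines of the question's "!cs -o -l" output.
CS_TEXT = """\
Critical section   = 0x7c97e174 (ntdll!LdrpLoaderLock+0x0)
LOCKED
OwningThread       = 0x00000260
OwningThread DbgId = ~16s
"""
# Constructed sample: register line and faulting instruction from ".cxr 0f66e884".
REG_TEXT = "eax=000000df ebx=00000000 ecx=0e715d80 edx=000003a4 esi=0e715d80 edi=00010000"
FAULT_INSTR = "79247eb4 8910            mov     dword ptr [eax],edx"

# DllMain fdwReason values (winnt.h).
DLL_REASONS = {0: "DLL_PROCESS_DETACH", 1: "DLL_PROCESS_ATTACH",
               2: "DLL_THREAD_ATTACH", 3: "DLL_THREAD_DETACH"}

FRAME_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)")


def parse_frames(text):
    """Return [(symbol, [arg1, arg2, arg3]), ...] from kb-style stack output, top frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group(6), [int(m.group(i), 16) for i in (3, 4, 5)]))
    return frames


def loader_lock_owner(cs_text):
    """Debugger thread id (~N) that owns LdrpLoaderLock, or None if it is not held."""
    if "LdrpLoaderLock" not in cs_text or not re.search(r"^LOCKED$", cs_text, re.M):
        return None
    m = re.search(r"OwningThread DbgId = ~(\d+)s", cs_text)
    return int(m.group(1)) if m else None


def dllmain_under_loader(frames):
    """Find the loader's DllMain call and explain it: module, reason code and caller.

    Assumption (labelled): LdrpCallInitRoutine args are (entry point, hModule, fdwReason).
    """
    for i, (sym, args) in enumerate(frames):
        if sym.startswith("ntdll!LdrpCallInitRoutine"):
            entry, hmodule, reason = args
            callers = [s.split("+")[0] for s, _ in frames[i + 1:]]       # frames that led here
            clr_above = any(s.startswith("mscorwks!") for s, _ in frames[:i])  # CLR ran inside DllMain
            return {"entry_point": entry, "hmodule": hmodule,
                    "reason": DLL_REASONS.get(reason, hex(reason)),
                    "triggered_by": next((s for s in callers if s.startswith("ntdll!Ldr")), None),
                    "clr_ran_in_dllmain": clr_above}
    return None


def faulting_write(reg_text, instr_text):
    """Resolve the target of 'mov dword ptr [reg],src' using the register dump."""
    regs = {k: int(v, 16) for k, v in re.findall(r"(\w{3})=([0-9a-f]{8})", reg_text)}
    m = re.search(r"mov\s+dword ptr \[(\w+)\],(\w+)", instr_text)
    base, src = m.group(1), m.group(2)
    target = regs[base]
    # The first 64 KiB of 32-bit user address space is never mapped, so a pointer
    # below 0x10000 is a corrupted field or a non-pointer value, never a valid address.
    return {"base_reg": base, "target": target, "value": regs[src],
            "invalid_pointer": target < 0x10000}


def triage(stack_text, cs_text, reg_text, instr_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    owner = loader_lock_owner(cs_text)
    if owner is not None:
        findings.append(f"loader lock held by debugger thread ~{owner}")
    info = dllmain_under_loader(parse_frames(stack_text))
    if info:
        findings.append(f"DllMain of module {info['hmodule']:#010x} (entry {info['entry_point']:#010x}) "
                        f"called for {info['reason']} via {info['triggered_by']}")
        if info["clr_ran_in_dllmain"]:
            findings.append("mscorwks frames above DllMain: CLR code ran under the loader lock")
    w = faulting_write(reg_text, instr_text)
    if w["invalid_pointer"]:
        findings.append(f"write through {w['base_reg']}={w['target']:#x} targets an unmapped address")
    return findings


if __name__ == "__main__":
    for finding in triage(STACK_TEXT, CS_TEXT, REG_TEXT, FAULT_INSTR):
        print(finding)
```

Run against the question's text, the script reports that thread ~16 owns the loader lock, that myMixedModeDll's DllMain (entry 0x06ef841e, module base 0x06ee0000) was invoked for DLL_THREAD_DETACH from ntdll!LdrShutdownThread during ExitThread, that CLR frames sit above that DllMain call, and that the faulting `mov [eax],edx` writes through eax=0xdf, which cannot be a valid pointer. Those four facts are the ones worth carrying into any further analysis of why a Thread object field at +0x7c held 0xdf.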
