【Question title】: CriticalSection Crash while calling GetPrinterDataFromPort
【Posted】: 2014-04-28 20:55:51
【Description】:

This is a crash I have been trying to analyze for so many days. Can anyone help me analyze this issue? Any help would be greatly appreciated.

We have a customized language monitor for our printer. There is a thread that polls the printer status every minute. The DDK's GetPrinterDataFromPort function gets the printer status data. The crash starts here.

bResult = g_stMonitor.pfnGetPrinterDataFromPort
                    (  m_hPort,
                       dwIOCTLUSB,
                       NULL,
                       (LPWSTR) byCmdBuf,   (DWORD)sizeof byCmdBuf,
                       (LPWSTR) (&vRsp[0]), (DWORD)vRsp.size(),
                       &dwLen
                       );

g_stMonitor->pfnGetPrinterDataFromPort is initialized from the DDK's port monitor structure as shown below. g_stMonitor and its function pointers are perfectly valid before the call.

g_stMonitor->pfnGetPrinterDataFromPort = pDDKMon->pfnGetPrinterDataFromPort;

Here is the call stack of the crashing thread (printer DLL name and function names modified):

0:006> kbM
# ChildEBP RetAddr  Args to Child              
00 00d7f68c 7c901046 00365db0 723f2894 00365db0 ntdll!RtlpWaitForCriticalSection+0x8c
01 00d7f694 723f2894 00365db0 00d7f6d8 00365d68 ntdll!RtlEnterCriticalSection+0x46
02 00d7f6b0 723f2acb 00d7fbcc 00dee0b0 00000000 usbmon!CBasePort::open+0x1a
03 00d7f6dc 723f1c07 0022003c 00000000 00d7f950 usbmon!CBasePort::getPrinterDataFromPort+0x55
04 00d7f700 00aaac27 007f67c0 0022003c 00000000 usbmon!DynaMon_GetPrinterDataFromPort+0x31
05 00d7f968 00aadf64 00000000 00000014 00000100 Printer_DLL!PrintPrimitives::CPortMon::getPrinterDataFromPort_Base+0x267
06 00d7fb9c 00b61200 00000000 00000014 00000100 Printer_DLL!PrintPrimitives::CPortMon::GetPrinterDataFromPort+0xd4
07 00d7fbf0 00b402e6 00d7fd58 00d7fc10 122de300 Printer_DLL!PrintPrimitives::CMyPrinter::refreshStatus_+0x60
08 00d7fc88 00b43834 00d7fd58 00000000 122de194 Printer_DLL!PrintPrimitives::CMyVariant::refreshStatus_+0x86
09 00d7fe1c 00b36424 00000000 00000000 00000000 Printer_DLL!PrintPrimitives::CMyVariant::pollPlusWin32_+0xc4
0a 00d7fe30 00b5bfeb 00000000 00000000 00a9c3d8 Printer_DLL!PrintPrimitives::CMyVariant::poll_+0x14
0b 00d7fe3c 00a9c3d8 122de09c 7c91003d 00c99668 Printer_DLL!PrintPrimitives::CMyPrinter::refreshStatus_+0xb
0c 00d7ff14 00a9c839 122de0f8 7c911432 00c989f8 Printer_DLL!OSBase::CThread::threadMain+0x3a8
0d 00d7ff70 00ae9836 00c99668 122de020 7c91003d Printer_DLL!OSBase::CThread::threadEntryEx+0x49
0e 00d7ffa8 00ae98c0 7c911432 00d7ffec 7c80b713 Printer_DLL!_callthreadstartex+0x1b
0f 00d7ffb4 7c80b713 00c9c5d8 7c91003d 7c911432 Printer_DLL!_threadstartex+0x64
10 00d7ffec 00000000 00ae985c 00c9c5d8 00000000 kernel32!BaseThreadStart+0x37

The call to g_stMonitor.pfnGetPrinterDataFromPort() is made from frame 05.

Start of parameters to g_stMonitor.pfnGetPrinterDataFromPort

The values passed to pfnGetPrinterDataFromPort() are valid.

0:006> dd 00d7f700 
00d7f700  00d7f968 00aaac27 007f67c0 0022003c
00d7f710  00000000 00d7f950 00000008 00ddc058
00d7f720  00000008 00d7f74c 122de6e0 00000000
00d7f730  00dee0b0 00000000 00c90838 00ae7781
00d7f740  00d7f9fc 00000002 00000000 00000000
00d7f750  0022003c 00000002 00000000 00ae7781
00d7f760  00000068 00000002 00000000 00ae7781
00d7f770  00000000 00000002 00000000 00ae7781

m_hPort: 007f67c0

dwIOCTLUSB: 0022003c (i.e. IOCTL_USBPRINT_VENDOR_GET_COMMAND)

The third parameter, at 00d7f710, is NULL

byCmdBuf: 00d7f950

0:006> db 00d7f950 
00d7f950  14 01 00 00 00 00 00 00-e0 e6 2d 12 90 fb d7 00  ..........-.....

14 01 00 is the get-status command

(DWORD)sizeof byCmdBuf shows 8

&vRsp[0] is at 00ddc058

Its size, at address 00d7f720, is 8

dwLen is at address 00d7f74c

End of parameters to g_stMonitor.pfnGetPrinterDataFromPort

In the call stack above, the parameter passed to ntdll!RtlEnterCriticalSection is 00365db0. This is the address of the CRITICAL_SECTION object.

0:006> dd 00365db0 
00365db0  00000000 00000001 00000000 00000000

This indicates that the passed parameter is NULL. This means the CS is not initialized.

!analyze -v shows the following:

Start of !analyze -v

0:006> !analyze -v


*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP: 
ntdll!RtlpWaitForCriticalSection+8c
7c91b1fa ff4010          inc     dword ptr [eax+10h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c91b1fa (ntdll!RtlpWaitForCriticalSection+0x0000008c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000010
Attempt to write to address 00000010

PROCESS_NAME:  spoolsv.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000010

WRITE_ADDRESS: 00000010

FOLLOWUP_IP: 
spoolsv!main+b
010043cc 6a00            push    0

NTGLOBALFLAG:0

APPLICATION_VERIFIER_FLAGS:0

APP:spoolsv.exe

CRITICAL_SECTION: 00365db0 -- (!cs -s 00365db0)

BLOCKING_THREAD: 000006bc

DERIVED_WAIT_CHAIN:

Dl Eid Cid     WaitType
-- --- ------- --------------------------
   6   6b8.a2c Critical Section  -->  0   6b8.6bc File IO

WAIT_CHAIN_COMMAND: ~6s;k;;~0s;k;;

DEFAULT_BUCKET_ID:NULL_CLASS_PTR_WRITE

PRIMARY_PROBLEM_CLASS:NULL_CLASS_PTR_WRITE

FAULTING_THREAD:00000000

BUGCHECK_STR:APPLICATION_FAULT_NULL_CLASS_PTR_WRITE_BlockedOn_FileIO

LAST_CONTROL_TRANSFER:  from 7c90d9bc to 7c90e4f4

STACK_TEXT:  
0007fbd0 7c90d9bc 7c801879 0000006c 00000000 ntdll!KiFastSystemCallRet
0007fbd4 7c801879 0000006c 00000000 00000000 ntdll!NtReadFile+0xc
0007fc3c 77df346b 0000006c 0007fd08 00000216 kernel32!ReadFile+0x16c
0007fc68 77df32ff 0000006c 0007fd08 00000216 advapi32!ScGetPipeInput+0x2a
0007fcdc 77df3608 0000006c 0007fd08 00000216 advapi32!ScDispatcherLoop+0x3f
0007ff3c 010043cc 0100d508 01004729 00000001 advapi32!StartServiceCtrlDispatcherW+0xe3
0007ff44 01004729 00000001 00363e88 00362a90 spoolsv!main+0xb
0007ffc0 7c817067 0007fbc8 00000000 7ffd8000 spoolsv!mainCRTStartup+0x3b
0007fff0 00000000 0100461b 00000000 78746341 kernel32!BaseProcessStart+0x23

SYMBOL_STACK_INDEX:6

SYMBOL_NAME: spoolsv!main+b

FOLLOWUP_NAME:MachineOwner

MODULE_NAME: spoolsv

IMAGE_NAME:spoolsv.exe

DEBUG_FLR_IMAGE_TIMESTAMP:48025ce1

STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; kb

FAILURE_BUCKET_ID:NULL_CLASS_PTR_WRITE_c0000005_spoolsv.exe!main

BUCKET_ID:APPLICATION_FAULT_NULL_CLASS_PTR_WRITE_BlockedOn_FileIO_spoolsv!main+b

WATSON_STAGEONE_URL:http://watson.microsoft.com/StageOne/spoolsv_exe/5_1_2600_5512/48025ce1/ntdll_dll/5_1_2600_5512/4802a12c/c0000005/0001b1fa.htm?Retriage=1

Followup: MachineOwner

End of !analyze -v

The crash occurs after the language monitor starts, on the first call to g_stMonitor.pfnGetPrinterDataFromPort.

Here is what I have tried in order to solve the problem.

  1. I observed that when the printer is installed under a device class other than Printer, the LM code makes an UpdateDriverForPlugAndPlayDevicesA call. Polling happens at the same time. So I synchronized the polling and the update-driver call. Even after this, the polling call failed.
  2. I thought the port was somehow corrupted after the update-driver call. So I moved the update-driver call to before the port connection is established. This did not solve the problem. More about UpdateDriverForPlugAndPlayDevicesA hanging.

I am new to the WinDDK. Can anyone help me solve this crash?

Edit:

0:006> !cs 00365db0 00d7f6d8 00365d68
-----------------------------------------
DebugInfo          = 0x7c97b720
Critical section   = 0x003b0608 (+0x3B0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x7c97b740
Critical section   = 0x003c0608 (+0x3C0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x7c97b920
Critical section   = 0x003e0608 (+0x3E0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x00099168
Critical section   = 0x00380608 (+0x380608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x0009e530
Critical section   = 0x007b0608 (+0x7B0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x0009e5d0
Critical section   = 0x007f0608 (+0x7F0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x0009e648
Critical section   = 0x00840608 (+0x840608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a3a30
Critical section   = 0x00980608 (+0x980608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a3bf8
Critical section   = 0x006f0608 (+0x6F0608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a4738
Critical section   = 0x00710608 (+0x710608)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a4a30
Critical section   = 0x007124a8 (+0x7124A8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7dd0
Critical section   = 0x00c90608 (+0xC90608)
NOT LOCKED
LockSemaphore      = 0x850
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7df8
Critical section   = 0x00c13328 Printer_DLL!lclcritsects+0x0)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7e20
Critical section   = 0x00c13340 Printer_DLL!lclcritsects+0x18)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7e48
Critical section   = 0x00c13358 Printer_DLL!lclcritsects+0x30)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7e70
Critical section   = 0x00c13370 Printer_DLL!lclcritsects+0x48)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7e98
Critical section   = 0x00c13388 Printer_DLL!lclcritsects+0x60)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7ec0
Critical section   = 0x00c133a0 Printer_DLL!lclcritsects+0x78)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7ee8
Critical section   = 0x00c133b8 Printer_DLL!lclcritsects+0x90)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7f10
Critical section   = 0x00c133d0 Printer_DLL!lclcritsects+0xA8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7f38
Critical section   = 0x00c133e8 Printer_DLL!lclcritsects+0xC0)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7f60
Critical section   = 0x00c13400 Printer_DLL!lclcritsects+0xD8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7f88
Critical section   = 0x00c13418 Printer_DLL!lclcritsects+0xF0)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7fb0
Critical section   = 0x00c13430 Printer_DLL!lclcritsects+0x108)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a7fd8
Critical section   = 0x00c13448 Printer_DLL!lclcritsects+0x120)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a76c8
Critical section   = 0x00c13460 Printer_DLL!lclcritsects+0x138)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000a76f0
Critical section   = 0x00c12490 Printer_DLL!mtx+0x0)
NOT LOCKED
LockSemaphore      = 0x218
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7718
Critical section   = 0x00c124a8 Printer_DLL!mtx+0x18)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7740
Critical section   = 0x00c124c0 Printer_DLL!mtx+0x30)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7768
Critical section   = 0x00c124d8 Printer_DLL!mtx+0x48)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7790
Critical section   = 0x00c93e28 (+0xC93E28)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7860
Critical section   = 0x00c94bcc (+0xC94BCC)
NOT LOCKED
LockSemaphore      = 0x21C
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a78b0
Critical section   = 0x00c121ec Printer_DLL!OSBase::g_ShutdownHandler+0x0)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a78d8
Critical section   = 0x00c96448 (+0xC96448)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7900
Critical section   = 0x00c122f4 Printer_DLL!USB80mm::g_evtLog+0x64)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7c80
Critical section   = 0x00c95210 (+0xC95210)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a7ca8
Critical section   = 0x00c99e14 (+0xC99E14)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a8118
Critical section   = 0x00c99f10 (+0xC99F10)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000a81c0
Critical section   = 0x00c9ba1c (+0xC9BA1C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa898
Critical section   = 0x007f5c3c (+0x7F5C3C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa758
Critical section   = 0x007f5cd4 (+0x7F5CD4)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa8c0
Critical section   = 0x007f5d6c (+0x7F5D6C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa8e8
Critical section   = 0x007f5e04 (+0x7F5E04)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa910
Critical section   = 0x007f5e9c (+0x7F5E9C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa938
Critical section   = 0x007f5f34 (+0x7F5F34)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa960
Critical section   = 0x007f5fcc (+0x7F5FCC)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa988
Critical section   = 0x007f6064 (+0x7F6064)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000aa9b0
Critical section   = 0x007f6104 (+0x7F6104)
NOT LOCKED
LockSemaphore      = 0x3E4
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b3630
Critical section   = 0x007b1eb4 (+0x7B1EB4)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b3658
Critical section   = 0x007b49d8 (+0x7B49D8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b3790
Critical section   = 0x007b1ef0 (+0x7B1EF0)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b3d78
Critical section   = 0x007f68f4 (+0x7F68F4)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b4088
Critical section   = 0x007f698c (+0x7F698C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b0d10
Critical section   = 0x007f6a24 (+0x7F6A24)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b42d8
Critical section   = 0x007f6c48 (+0x7F6C48)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b4300
Critical section   = 0x007f84c8 (+0x7F84C8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000b4328
Critical section   = 0x007f9830 (+0x7F9830)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000c0488
Critical section   = 0x0036956c (+0x36956C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000ad2f8
Critical section   = 0x00c97288 (+0xC97288)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000f9688
Critical section   = 0x00c963a8 (+0xC963A8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000f99a8
Critical section   = 0x00c9bbf8 (+0xC9BBF8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000f9ef8
Critical section   = 0x00c9263c (+0xC9263C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x000e8d50
Critical section   = 0x00c9267c (+0xC9267C)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000fa0
-----------------------------------------
DebugInfo          = 0x00104290
Critical section   = 0x00365db0 (+0x365DB0)
LOCKED
LockCount          = 0x1
OwningThread       = 0x00000000
RecursionCount     = 0x0
LockSemaphore      = 0xAA8
SpinCount          = 0x00000000

WARNING: critical section DebugInfo = 0x00000000 doesn't point back
to the DebugInfo found in the active critical sections list = 0x00104290.
The critical section was probably reused without calling DeleteCriticalSection.

Cannot read structure field value at 0x00000002, error 0
ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled.
ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled.
-----------------------------------------
DebugInfo          = 0x00110fc8
Critical section   = 0x00c966e8 (+0xC966E8)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x000e83f8
Critical section   = 0x007fc7cc (+0x7FC7CC)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000
-----------------------------------------
DebugInfo          = 0x0009e028
Critical section   = 0x007fd1bc (+0x7FD1BC)
NOT LOCKED
LockSemaphore      = 0x0
SpinCount          = 0x00000000

【Comments】:

  • Can you give the output of the command (!cs 00365db0 00d7f6d8 00365d68)? One of these is the critical section, most likely 00365db0, which looks like the cs. This will show who holds this critical section, or whether this is the first thread trying to acquire it (!cs 00365db0)
  • @tmp, thanks for the quick reply. The result is huge. Should I add it to the question?
  • Add the result of !cs 00365db0 00d7f6d8 00365d68 to the question.
  • Is it possible that the port has already been closed? Please set a breakpoint on usbmon!DynaMon_ClosePort at the start of execution and check who calls it. Another possibility is that you may simply have heap corruption. Could you run spoolsv.exe under full page heap and see whether it finds any problems?
  • @SevaTitov, thanks for suggesting the idea of debugging Dynamon_ClosePort. I will also try debugging spoolsv.exe under full page heap. This can be done with gflags, right?

Tags: c++ winapi printing crash windbg


【Solution 1】:

It looks to me like your critical section has been deleted by another thread using the DeleteCriticalSection API. Because of that, your current thread (where the program crashes) is trying to call EnterCriticalSection on the deleted one; or possibly this critical section was never initialized by InitializeCriticalSection, going by the log (!cs):

DebugInfo          = 0x00104290
Critical section   = 0x00365db0 (+0x365DB0)
LOCKED
LockCount          = 0x1
OwningThread       = 0x00000000
RecursionCount     = 0x0
LockSemaphore      = 0xAA8
SpinCount          = 0x00000000

WARNING: critical section DebugInfo = 0x00000000 doesn't point back
to the DebugInfo found in the active critical sections list = 0x00104290.
The critical section was probably reused without calling DeleteCriticalSection

【Discussion】:

  • Thanks for the analysis. Yes, when I use dd 0x365DB0, the CS at 0x365DB0 is NULL. This is a call from an MS dll. I can't understand how and why this could be NULL, since our code has no access to that CS. We only pass hPort. What could cause an internal CS to become NULL?
  • From your call stack, it seems the "usbmon" dll owns this particular cs. usbmon!CBasePort::open() usually indicates that "usbmon" may provide some method, such as CBasePort::init(), which may be initializing this particular cs. It may be that your thread is not calling the CBasePort::init() equivalent. This could be the scenario. This is only my guess, since I know nothing about these modules' logic. Hope it helps, good luck!!!
  • Thanks. CBasePort::init() is not available, but if we have any such init function, I will look into it that way. Could you explain how you gave the start and end addresses for the !cs command?