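【Question title】: Not able to proceed with Windbg analysis of AppCrash_w3wp
【Posted】: 2014-11-18 21:03:25
【Question description】:

I am doing memory dump analysis for AppCrash_w3wp. When I run !analyze -v, I get the following result.

Is there something wrong with my symbol settings? Or is this analysis pointing to some actual problem? Can someone guide me on how to analyze this further?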

====:>

*** WARNING: Unable to verify timestamp for webengine4.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\987d450520ea6e815c63db8aecba0761\System.Data.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Data.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mvc\9f9155f1c13562534f6cb370b0ad8381\System.Web.Mvc.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.Mvc.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for System.Web.Mvc.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\cb6d38da3ca9a62afed46123b693899e\System.Web.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System\4598449d72d7ebbd53952399ed5fc710\System.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify timestamp for alk_dalkutil64.dll
*** ERROR: Module load completed but symbols could not be loaded for alk_dalkutil64.dll

FAULTING_IP: 
KERNELBASE!RaiseException+39
000007fe`fda8940d 4881c4c8000000  add     rsp,0C8h

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fefda8940d (KERNELBASE!RaiseException+0x0000000000000039)
   ExceptionCode: e0434352 (CLR exception)
  ExceptionFlags: 00000001
NumberParameters: 5
   Parameter[0]: ffffffff80004003
   Parameter[1]: 0000000000000000
   Parameter[2]: 0000000000000000
   Parameter[3]: 0000000000000000
   Parameter[4]: 000007fefa140000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=0000000001470000 rbx=000000001791d5d0 rcx=0000000001470000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000002
rip=0000000077be186a rsp=000000001791d498 rbp=0000000000000002
 r8=0000000000000000  r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=000000001791d540
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwWaitForMultipleObjects+0xa:
00000000`77be186a c3              ret

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  w3wp.exe

ERROR_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>

EXCEPTION_PARAMETER1:  ffffffff80004003

EXCEPTION_PARAMETER2:  0000000000000000

EXCEPTION_PARAMETER3:  0000000000000000

EXCEPTION_PARAMETER4: 0

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  w3wp.exe

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

MANAGED_STACK: 

EXCEPTION_OBJECT: !pe 103f98b08
Exception object: 0000000103f98b08
Exception type:   System.AccessViolationException
Message:          Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException:   <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003

MANAGED_OBJECT: !dumpobj ffb11420
Name:        System.String
MethodTable: 000007fef8886500
EEClass:     000007fef81a3750
Size:        26(0x1a) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:      
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
0000000000000000  40000aa        8         System.Int32  1 instance                0 m_stringLength
0000000000000000  40000ab        c          System.Char  1 instance                0 m_firstChar
000007fef8886500  40000ac       18        System.String  0   shared           static Empty
                                 >> Domain:Value  0000000002488520:NotInit  0000000002576750:NotInit  <<

EXCEPTION_MESSAGE:  Attempted to read or write protected memory. This is often an indication that other memory is corru

MANAGED_OBJECT_NAME:  SYSTEM.ACCESSVIOLATIONEXCEPTION

MANAGED_STACK_COMMAND:  ** Check field   _remoteStackTraceString **;!do 103f98b08;!do ffb11420

LAST_CONTROL_TRANSFER:  from 000007fefa35565b to 000007fefda8940d

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION

STACK_TEXT:  
00000000`00000000 00000000`00000000 w3wp!Unknown+0x0


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  w3wp!Unknown

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: w3wp

IMAGE_NAME:  w3wp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7afa2

STACK_COMMAND:  ** Check field   _remoteStackTraceString **;!do 103f98b08;!do ffb11420 ; ** Pseudo Context ** ; kb

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_e0434352_w3wp.exe!Unknown

BUCKET_ID:  X64_APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION_w3wp!Unknown

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_e0434352_w3wp.exe!unknown

FAILURE_ID_HASH:  {419a5b7f-31d5-d77e-cd0e-fe26c9258bfb}

Followup: MachineOwner

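=== Edit on September 25

I have set an environment variable _NT_SYMBOL_PATH - symsrv*symsrv.dll*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols

I am wondering why it is not loading all the symbols dynamically?

I did a .symfix;.reload and got a prompt for a while. Then I got a lot of .... on the screen, and the regular prompt came back.

Then I did a "!sym noisy" and did ".symfix;.reload" again......

I got the following messages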

DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
..
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - OK
DBGENG:  C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached

DBGHELP: ntdll - public symbols  
        C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb
..............................................................
................................................................
................................................................
................................................................
................................................................
.....
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - OK
DBGENG:  C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - OK
DBGENG:  C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached

DBGHELP: KERNELBASE - public symbols  
        C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb

【Question discussion】:

  • Try fixing the MS symbols: .symfix;.reload

Tags: windbg


【Solution 1】:

Is there something wrong with my symbol settings?

Yes. Correct it with the commands

.symfix x:\symbols; * Wherever you want the symbols to be
.reload

Or, if you have already set up other symbol paths:

.symfix+ x:\symbols
.reload

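Or is this analysis pointing to some actual problem?

That too. You have a .NET exception which crashes your program. That is a problem.

The type is AccessViolation, which is similar to a NullReferenceException. Fixing the symbols will hopefully not make a huge difference here.

Can someone guide me on how to analyze this further?

After fixing the symbols, continue with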

.loadby sos clr
!pe
!clrstack

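【Discussion】:

  • Thanks @Thomas W, I tried symfix. My observations were too long to post as a comment, so I edited the post. Basically, even though I added the environment variable for _NT_SYMBOL_PATH, the symbols are not loading properly. That is my concern. And "!sym noisy" did not help me, or I am not able to interpret it well.
  • The environment variable is not required, but it does no harm either. The symbols look good now. What about .loadby sos clr;!pe;!clrstack?
  • SOS.dll exists in "C:\Windows\Microsoft.NET\Framework64\v4.0.30319", and I also copied it to "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64" where windbg is installed. But I still get this message - ==== 0:103> .loadby sos clr; The call to LoadLibrary(C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sos) failed, Win32 error 0n193 "%1 is not a valid Win32 application." Please check your debugger configuration and/or network access. ===
  • There is no need to copy SOS.dll anywhere. Then you are using the wrong bitness of WinDbg. Try the 32 bit version.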