First Chance exception in ntdll 0XC0000005 Windbg
[Posted]: 2010-11-30 12:40:16
[Question]: Please help me analyze this crash dump. This is my last resort.
We have a Windows COM/DCOM service that crashes with this dump. It looks like some heap corruption is happening here. Strangely, this crash only occurs on Windows Server 2008 SP2, and it is causing a lot of trouble.
Can any WinDbg expert help here? As I am new to WinDbg, I would appreciate any help finding the bug or showing how to debug it. Thanks in advance. Below is the WinDbg output:
Comment: 'Dump created by DbgHost. First chance exception 0XC0000005'
Symbol search path is: C:\debug symbols;C:\Windows\Symbols
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) UP Free x86 compatible
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Debug session time: Tue Nov 30 14:15:48.000 2010 (GMT+2)
System Uptime: 5 days 0:32:32.875
Process Uptime: 0 days 1:29:39.000
...........................................................
Loading unloaded module list .....
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(868.ae4): Access violation - code c0000005 (first/second chance not available)
eax=c0c0c0a0 ebx=00140000 ecx=c0c0c0a0 edx=00141000 esi=00140000 edi=00140000
eip=7005a43d esp=04ebf2dc ebp=04ebf320 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for verifier.dll - verifier!VerifierStopMessage+0x591d:
7005a43d 8139aaaacdab cmp dword ptr [ecx],0ABCDAAAAh ds:0023:c0c0c0a0=????????
*** WARNING: Unable to verify checksum for vsrv.exe
0:011> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for TCheckLic.dll
*** WARNING: Unable to verify checksum for regserverps.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for regserverps.dll -
*** WARNING: Unable to verify checksum for carsps.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for carsps.dll -
*** WARNING: Unable to verify checksum for vsrvps.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for vsrvps.dll -
*** WARNING: Unable to verify checksum for vdbaccs.dll
*** WARNING: Unable to verify checksum for VsrvPing.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for msiltcfg.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for WlS0WndH.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for wsock32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for comctl32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for wtsapi32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for winnsi.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for sxs.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for winsta.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for psapi.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for lpk.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for clbcatq.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ws2_32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for nsi.dll
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: IMAGE_NT_HEADERS32 ***
*** ***
*************************************************************************
Failed calling InternetOpenUrl, GLE=12007
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
verifier!VerifierStopMessage+591d
7005a43d 8139aaaacdab cmp dword ptr [ecx],0ABCDAAAAh
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7005a43d (verifier!VerifierStopMessage+0x0000591d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: c0c0c0a0
Attempt to read from address c0c0c0a0
PROCESS_NAME: vsrv.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: c0c0c0a0
READ_ADDRESS: c0c0c0a0
FOLLOWUP_IP:
verifier!VerifierStopMessage+591d
7005a43d 8139aaaacdab cmp dword ptr [ecx],0ABCDAAAAh
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
FAULTING_THREAD: 00000ae4
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7005a9e0 to 7005a43d
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
04ebf320 7005a9e0 00141000 c0c0c0c0 00000004 verifier!VerifierStopMessage+0x591d
04ebf33c 700587eb 00141000 00240000 01000002 verifier!VerifierStopMessage+0x5ec0
04ebf390 77622614 00140000 01000002 c0c0c0c0 verifier!VerifierStopMessage+0x3ccb
04ebf3d8 775eb7cd 00140000 01000002 c0c0c0c0 ntdll!RtlDebugFreeHeap+0x2f
04ebf4cc 775d7545 c0c0c0c0 c0c0c0c0 04ebf604 ntdll!RtlpFreeHeap+0x5f
04ebf4e8 762f9a26 00140000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x14e
04ebf4fc 773aaf25 00140000 00000000 c0c0c0c0 kernel32!HeapFree+0x14
04ebf510 773aaf41 7747f6f8 c0c0c0c0 04ebf538 ole32!CRetailMalloc_Free+0x1c
04ebf520 75e16efc c0c0c0c0 04ebf604 037d3e6c ole32!CoTaskMemFree+0x13
04ebf538 75e08221 c0c0c0c0 c0c0c0c0 037d3e6c rpcrt4!NdrPointerFree+0xb5
04ebf560 75e0825a 00000000 04ebf58c 75e16ecb rpcrt4!NdrpEmbeddedPointerFree+0x4c
04ebf56c 75e16ecb 04ebf604 09afcff0 037d3e60 rpcrt4!NdrSimpleStructFree+0x1c
04ebf58c 75e16ecb 09afcff0 09afcff0 037d3e52 rpcrt4!NdrPointerFree+0x91
04ebf5ac 75ea25c8 09afcff0 04ebf840 037d3e4e rpcrt4!NdrPointerFree+0x91
04ebf5d4 75ea248b 04ebf840 00000002 04ebf7e0 rpcrt4!NdrpFreeParams+0x150
04ebf5e4 75ea2429 feabd21b 09a52fe0 07bd6f28 rpcrt4!NdrStubCall2+0x9aa
04ebf65c 751d192d 037d4968 00000000 00000000 rpcrt4!NdrStubCall2+0x55c
04ebfa04 75ea293b 09a52fe0 0982cfc0 07bd6f28 rsaenh!AesExpandKey+0x23
04ebfa54 7747a8c5 09a52fe0 07bd6f28 0982cfc0 rpcrt4!CStdStubBuffer_Invoke+0xa0
04ebfa9c 7747aa59 07bd6f28 09225f08 08dbec38 ole32!SyncStubInvoke+0x3c
04ebfae8 773a61d6 07bd6f28 09a12f18 09a52fe0 ole32!StubInvoke+0xb9
04ebfbc4 773a60e7 0982cfc0 00000000 09a52fe0 ole32!CCtxComChnl::ContextInvoke+0xfa
04ebfbe0 773a6df5 07bd6f28 00000001 09a52fe0 ole32!MTAInvoke+0x1a
04ebfc0c 7747a981 07bd6f28 00000001 09a52fe0 ole32!STAInvoke+0x46
04ebfc40 7747a79b d0908070 0982cfc0 09a52fe0 ole32!AppInvoke+0xaa
04ebfd1c 7747ae2d 07bd6ed0 06ffd420 00000400 ole32!ComInvokeWithLockAndIPID+0x32c
04ebfd44 773a6bcd 07bd6ed0 00000400 06df2e30 ole32!ComInvoke+0xc5
04ebfd58 773a6b8c 07bd6ed0 04ebfe18 00000400 ole32!ThreadDispatch+0x23
04ebfd9c 75fafd72 00ba002a 00000400 0000babe ole32!ThreadWndProc+0x167
04ebfdc8 75fafe4a 773a6aef 00ba002a 00000400 user32!InternalCallWinProc+0x23
04ebfe40 75fb018d 00000000 773a6aef 00ba002a user32!UserCallWinProcCheckWow+0x14b
04ebfea4 75fa8b7c 773a6aef 00000001 04ebff34 user32!DispatchMessageWorker+0x322
04ebfeb4 0044fbc9 04ebff14 00000000 00000000 user32!DispatchMessageA+0xf
04ebff34 0044faf1 00000000 00000000 041b2e88 vsrv!ATL::CComApartment::Apartment+0xc9 [d:\program files\microsoft visual studio\vc98\atl\include\atlbase.h @ 3837]
04ebff88 762fd0e9 041b2e88 04ebffd4 775b19bb vsrv!ATL::CComApartment::_Apartment+0x11 [d:\program files\microsoft visual studio\vc98\atl\include\atlbase.h @ 3815]
04ebff94 775b19bb 041b2e88 6a03c808 00000000 kernel32!BaseThreadInitThunk+0xe
04ebffd4 775b198e 00402428 041b2e88 ffffffff ntdll!__RtlUserThreadStart+0x23
04ebffec 00000000 00402428 041b2e88 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: .cxr 00000000 ; kb ; ~11s; .ecxr ; kb
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/vsrv_exe/68_50_606_0/4ce50c9e /verifier_dll/6_0_6001_18000/4791a775/c0000005/0001a43d.htm?Retriage=1
Followup: MachineOwner
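[Answer 1]: Can you reproduce it?
If so,
Set up your symbols properly to use the symbol server.
For example, set the environment variable
_NT_SYMBOL_PATH=SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Set up Application Verifier to use the default tests, and run your application with a command line similar to windbg -xd av -xd ch -xd sov ApplicationCommandLine
If you have memory corruption, AppVerif will probably catch it and raise a second-chance exception in your debugger. Make sure full page heap is enabled so that heap overruns immediately cause an access violation.
If necessary, get familiar with the !avrf extension.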
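[Comments]:
Yes, I can reproduce it very easily. The only problem is that the test machine has no Internet access. Is there something wrong with the symbols I downloaded? I tried Application Verifier before, but every time I start the service under Application Verifier, the simple tests make the service crash and exit. The other problem is that I cannot live-debug the service, because it is multithreaded and I have not yet found a way to attach the debugger without problems. I enabled full page heap and attached the debugger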
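A triage aid for the STACK_TEXT in the question, added here as an example and not part of the original question, answer or comments: it parses kb-style frames and reports the outermost frame that received a repeated-byte value such as c0c0c0c0 as an argument, together with that frame's caller. The function names and the repeated-byte heuristic are assumptions of this example; such values usually indicate a debug-heap fill pattern rather than a real address.

```python
import re

# Constructed sample: frames copied from the STACK_TEXT above, in kb layout
# (ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol+offset).
SAMPLE = """\
04ebf320 7005a9e0 00141000 c0c0c0c0 00000004 verifier!VerifierStopMessage+0x591d
04ebf33c 700587eb 00141000 00240000 01000002 verifier!VerifierStopMessage+0x5ec0
04ebf4e8 762f9a26 00140000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x14e
04ebf4fc 773aaf25 00140000 00000000 c0c0c0c0 kernel32!HeapFree+0x14
04ebf520 75e16efc c0c0c0c0 04ebf604 037d3e6c ole32!CoTaskMemFree+0x13
04ebf538 75e08221 c0c0c0c0 c0c0c0c0 037d3e6c rpcrt4!NdrPointerFree+0xb5
04ebf560 75e0825a 00000000 04ebf58c 75e16ecb rpcrt4!NdrpEmbeddedPointerFree+0x4c
04ebf56c 75e16ecb 04ebf604 09afcff0 037d3e60 rpcrt4!NdrSimpleStructFree+0x1c
04ebf5d4 75ea248b 04ebf840 00000002 04ebf7e0 rpcrt4!NdrpFreeParams+0x150
"""

FRAME = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)", re.I)

def parse_frames(text):
    """Parse kb-style lines into dicts; non-frame lines (warnings) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            words = m.group(1).split()
            frames.append({"ebp": words[0], "ret": words[1],
                           "args": words[2:], "symbol": m.group(2)})
    return frames

def is_fill_pattern(word):
    """True for a dword of one repeated byte (c0c0c0c0), excluding 0 and -1."""
    b = bytes.fromhex(word)
    return len(set(b)) == 1 and b[0] not in (0x00, 0xFF)

def trace_fill_pointer(frames):
    """Find where a fill-pattern value enters the call chain.

    Frames are innermost first, so the last frame carrying the pattern is the
    outermost one; its caller is where the review of the owning data starts.
    """
    hits = [i for i, f in enumerate(frames)
            if any(is_fill_pattern(a) for a in f["args"])]
    if not hits:
        return None
    last = hits[-1]
    pattern = next(a for a in frames[last]["args"] if is_fill_pattern(a))
    caller = frames[last + 1]["symbol"] if last + 1 < len(frames) else None
    return {"pattern": pattern, "outermost": frames[last]["symbol"],
            "caller": caller, "carriers": [frames[i]["symbol"] for i in hits]}

if __name__ == "__main__":
    print(trace_fill_pointer(parse_frames(SAMPLE)))
```

The first three dwords that kb prints are only raw stack contents, so treat the result as a pointer to where to look, especially for frames resolved from export symbols.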