Command-line analysis of a dump
Over the last weekend an application under development terminated unexpectedly an endless number of times, generating a large number of memory dumps, all of considerable size. The obvious question follows.
How can I analyze all these dumps without wasting a lot of my time?
Thinking it over, the solution can be had quite comfortably with WinDbg and company (Debugging Tools for Windows). This fantastic suite of hard-to-learn but powerful debugging tools provides:
- cdb: a command-line-only debugger for user-mode programs
- kd: a command-line-only kernel-mode debugger
- windbg: a fantastic debugger with a hateful interface, until you fall in love with the commands it puts at your disposal
- others, such as dbgsrv, symsrv...
Back to dump analysis: after installing Debugging Tools for Windows and adding its folder to the PATH (for example C:\Program Files\Debugging Tools for Windows (x86)), just run cdb with these parameters:
cdb -y Crash1.pdb -i Crash1.exe -z Crash1.dmp -c "!analyze -v;q" > resultAnalyze.txt
Description of the parameters
- -y path: the symbol search path, normally the directory containing the program's .pdb files (separate multiple entries with ";"); the example passes the .pdb file name itself.
- -i file.exe: the program image, so the debugger can match the dump's modules against the executable.
- -z file.dmp: the dump to analyze.
- -c "!analyze -v;q": a sequence of commands executed at startup: "!analyze -v" analyzes the exception stored in the dump and "q" quits, so cdb never waits for interactive input.
- > redirect.txt: the file the output is redirected to.
This is a good starting point for a script that chews through all the files and produces, for each dump, an analysis like this one:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [Crash1.dmp]
User Mini Dump File with Full Memory: Only application data is available
Symbol search path is: Crash1.pdb;C:\symbols
Executable search path is: Crash1.exe
Windows XP Version 666 (Service Pack 6) MP (66 procs) Free x64 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Mon Feb 9 21:01:56.000 2009 (GMT+1)
System Uptime: 0 days 0:28:19.394
Process Uptime: 0 days 0:00:28.000
...
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(96c.970): Integer divide-by-zero - code c0000094 (first/second chance not available)
eax=00000000 ebx=7ffde000 ecx=00000000 edx=00000000 esi=00000000 edi=0012ff68
eip=004113a0 esp=0012fe84 ebp=0012ff68 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** WARNING: Unable to verify checksum for Crash1.exe
Crash1!wmain+0x30:
004113a0 f77df8          idiv    eax,dword ptr [ebp-8] ss:0023:0012ff60=00000000
0:000> cdb: Reading initial command '!analyze -v;q'
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
***** OS symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: ntdll!_PEB                                    ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
FAULTING_IP:
Crash1!wmain+30
004113a0 f77df8          idiv    eax,dword ptr [ebp-8]
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004113a0 (Crash1!wmain+0x00000030)
   ExceptionCode: c0000094 (Integer divide-by-zero)
  ExceptionFlags: 00000000
NumberParameters: 0
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  Crash1.exe
MODULE_NAME: Crash1
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  49908b97
ERROR_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION}  Integer division by zero.
FAULTING_THREAD:  00000970
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 00411718 to 004113a0
STACK_TEXT:
0012ff68 00411718 00000001 00343250 00343320 Crash1!wmain+0x30
0012ffb8 0041155f 0012fff0 7c817067 055af9d4 Crash1!__tmainCRTStartup+0x1a8
0012ffc0 7c817067 055af9d4 00000000 7ffde000 Crash1!wmainCRTStartup+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fff0 00000000 00411073 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
STACK_COMMAND:  ~0s; .ecxr ; kb
FOLLOWUP_IP:
Crash1!wmain+30
004113a0 f77df8          idiv    eax,dword ptr [ebp-8]
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  Crash1!wmain+30
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  Crash1.exe
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000094_Crash1.exe!base_address
Followup: MachineOwner
---------
quit:
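The script that chews through all the dumps, as an added example rather than code from the original post: it runs the cdb command shown above once per .dmp file, saves each report next to its dump, and then groups the dumps by crash signature so that a night's worth of reports can be read as a handful of distinct problems. CDB and SYMBOL_PATH are assumptions for a typical install (the post only says the tools folder was added to the PATH), and SAMPLE_REPORT is a constructed, abridged copy of the report above used so the parser can be tried without cdb at hand. Because the output above shows !analyze falling back to WRONG_SYMBOLS, the grouping key deliberately does not rely on FAILURE_BUCKET_ID alone: when that bucket is WRONG_SYMBOLS it falls back to the exception code plus the faulting symbol, which only need the application's own .pdb.

```python
"""Batch-triage user-mode dumps with cdb and group them by crash signature.
Added example, not code from the original post; CDB and SYMBOL_PATH are
assumptions for a typical install and must be adjusted locally."""
import glob
import os
import re
import subprocess
import sys
from collections import defaultdict

CDB = r"C:\Program Files\Debugging Tools for Windows (x86)\cdb.exe"  # assumed
SYMBOL_PATH = r"C:\symbols;srv*C:\symcache*https://msdl.microsoft.com/download/symbols"

# Constructed sample input: an abridged copy of the !analyze -v report in the
# post, so the parser below can be exercised without cdb or a real dump.
SAMPLE_REPORT = """\
Loading Dump File [Crash1.dmp]
User Mini Dump File with Full Memory: Only application data is available
(96c.970): Integer divide-by-zero - code c0000094 (first/second chance not available)
FAULTING_IP:
Crash1!wmain+30
004113a0 f77df8          idiv    eax,dword ptr [ebp-8]
   ExceptionCode: c0000094 (Integer divide-by-zero)
ERROR_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION}  Integer division by zero.
SYMBOL_NAME:  Crash1!wmain+30
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000094_Crash1.exe!base_address
"""

_KV_RE = re.compile(r"^\s*([A-Za-z_]+):\s+(\S.*?)\s*$")  # "KEY:  value" lines
_BANNER_RE = re.compile(r"- code ([0-9a-fA-F]{8})")       # "(pid.tid): ... - code c0000094"
_HEX8_RE = re.compile(r"(?:0x)?([0-9a-fA-F]{8})")


def cdb_command(dump, image, symbol_path=SYMBOL_PATH, cdb=CDB):
    """The post's cdb invocation for one dump, as an argv list (no shell quoting)."""
    return [cdb, "-y", symbol_path, "-i", image, "-z", dump, "-c", "!analyze -v;q"]


def parse_analysis(text):
    """Collect the KEY: value lines of a !analyze -v report into a dict."""
    rec = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
    banner = _BANNER_RE.search(text)
    if banner:  # fallback when the ExceptionCode line is missing
        rec.setdefault("ExceptionCode", banner.group(1))
    return rec


def exception_code(rec):
    """NTSTATUS of the stored exception as 8 lowercase hex digits, or 'unknown'."""
    for key in ("ExceptionCode", "EXCEPTION_CODE", "ERROR_CODE"):
        m = _HEX8_RE.search(rec.get(key, ""))
        if m:
            return m.group(1).lower()
    return "unknown"


def needs_symbols(rec):
    """True when !analyze refused to bucket the crash for lack of OS symbols."""
    return "WRONG_SYMBOLS" in rec.get("BUCKET_ID", "") + rec.get("FAILURE_BUCKET_ID", "")


def signature(rec):
    """Grouping key: FAILURE_BUCKET_ID when it is meaningful, otherwise
    exception code + faulting symbol, which only need the app's own .pdb."""
    if "FAILURE_BUCKET_ID" in rec and not needs_symbols(rec):
        return rec["FAILURE_BUCKET_ID"]
    return f"{exception_code(rec)}@{rec.get('SYMBOL_NAME', 'unknown')}"


def group_by_signature(reports):
    """{dump name: report text} -> {signature: [dump names]}."""
    groups = defaultdict(list)
    for dump, text in reports.items():
        groups[signature(parse_analysis(text))].append(dump)
    return dict(groups)


def analyze_dumps(dump_dir, image, symbol_path=SYMBOL_PATH, cdb=CDB):
    """Run cdb on every *.dmp in dump_dir and keep each report beside its dump."""
    reports = {}
    for dump in sorted(glob.glob(os.path.join(dump_dir, "*.dmp"))):
        proc = subprocess.run(cdb_command(dump, image, symbol_path, cdb),
                              capture_output=True, text=True, errors="replace")
        with open(dump + ".txt", "w", encoding="utf-8") as out:
            out.write(proc.stdout)
        reports[os.path.basename(dump)] = proc.stdout
    return reports


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <dump dir> <image.exe>")
    groups = group_by_signature(analyze_dumps(sys.argv[1], sys.argv[2]))
    for sig, dumps in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(dumps):5d}  {sig}")
```

Run it as `python triage.py C:\dumps Crash1.exe` (the script name is a placeholder) and it prints one line per distinct signature with the number of dumps that share it, most frequent first. A signature of the form `c0000094@Crash1!wmain+30` rather than a proper bucket id means the report was produced with wrong OS symbols and the real FAILURE_BUCKET_ID will only appear once the public symbols are configured. The plain cmd.exe equivalent of the loop, without the grouping, is `for %f in (*.dmp) do cdb -y Crash1.pdb -i Crash1.exe -z "%f" -c "!analyze -v;q" > "%f.txt"`.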
After a night of crunching all the dumps I could quickly look through them and identify a series of problems, instead of the single problem diagnosable from the first dumps.
Note: the various symbol errors in the listing can be resolved by configuring the public Windows symbols (http://support.microsoft.com/kb/311503), typically by pointing _NT_SYMBOL_PATH at the Microsoft symbol server. Until that is done !analyze classifies every dump as WRONG_SYMBOLS, so BUCKET_ID and FAILURE_BUCKET_ID cannot be used to tell one crash from another; ExceptionCode and SYMBOL_NAME (here c0000094 in Crash1!wmain+30) remain reliable, since the exception record comes from the dump and the symbol from the application's own .pdb.