WinDbgでコールスタックにUnhandledExceptionFilterが含まれる場合の解析方法
0:001:x86> !analyze -v // ★解析開始
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
ntdll!DbgBreakPoint+0
db3ec6b0 cc int 3
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff8db3ec6b0 (ntdll!DbgBreakPoint)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
FAULTING_THREAD: 0000000000001190
DEFAULT_BUCKET_ID: STACKIMMUNE
PROCESS_NAME: WinDbgTest.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {
EXCEPTION_CODE: (NTSTATUS) 0x80000003 (2147483651) - {
EXCEPTION_PARAMETER1: 0000000000000000
MOD_LIST:
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 0000000000000000 to 0000000077aef3ec
PRIMARY_PROBLEM_CLASS: STACKIMMUNE
BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_ZEROED_STACK
STACK_TEXT:
00000000`00000000 00000000`00000000 windbgtest.exe+0x0
SYMBOL_NAME: windbgtest.exe
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: windbgtest
DEBUG_FLR_IMAGE_TIMESTAMP: 5503f279
STACK_COMMAND: ** Pseudo Context ** ; kb
BUCKET_ID: X64_APPLICATION_FAULT_STACKIMMUNE_ZEROED_STACK_windbgtest.exe
IMAGE_NAME: C:\Users\Test\Documents\Visual Studio 2008\Projects\WinDbgTest\Debug\WinDbgTest.exe
FAILURE_BUCKET_ID: STACKIMMUNE_80000003_C:_Users_Test_Documents_Visual_Studio_2008_Projects_WinDbgTest_Debug_WinDbgTest.exe!Unknown
FOLLOWUP_IP:
WinDbgTest!__ImageBase+0
00120000 4d dec ebp
Followup: MachineOwner
---------
0:001:x86> !pe
No export pe found
0:001:x86> lmvm WinDbgTest
start end module name
00120000 0013b000 WinDbgTest C (private pdb symbols) C:\Users\Test\Documents\Visual Studio 2008\Projects\WinDbgTest\Debug\WinDbgTest.pdb
Loaded symbol image file: C:\Users\Test\Documents\Visual Studio 2008\Projects\WinDbgTest\Debug\WinDbgTest.exe
Image path: C:\Users\Test\Documents\Visual Studio 2008\Projects\WinDbgTest\Debug\WinDbgTest.exe
Image name: WinDbgTest.exe
Timestamp: Sat Mar 14 17:34:01 2015 (5503F279)
CheckSum: 00000000
ImageSize: 0001B000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:001:x86> ~*kv
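//
// !analyze -v はスレッド1(Id 1190)のブレークポイント例外(80000003、ntdll!DbgBreakPoint)しか報告しておらず、
// 本来のクラッシュ原因を示していない(デバッガのアタッチ時に発生したブレークと思われる)。
// 全スレッドのコールスタックを確認すると、スレッド0にUnhandledExceptionFilter関数が含まれている
//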
0 Id: 22b4.1700 Suspend: 1 Teb: 7eddb000 Unfrozen
ChildEBP RetAddr Args to Child
002aec00 75f7ea7f 00000003 002aedc8 00000001 ntdll_77ab0000!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
002aed84 75b99188 00000000 002aedc8 00000000 KERNELBASE!WaitForMultipleObjectsEx+0xdc (FPO: [SEH])
002aeda0 75beb399 00000003 002aedc8 00000000 KERNEL32!WaitForMultipleObjects+0x19 (FPO: [Non-Fpo])
002af1dc 75beae92 00000000 00000001 00000000 KERNEL32!WerpReportFaultInternal+0x4e8 (FPO: [Non-Fpo])
002af1ec 75bcd7bf 002af280 75ff96fd 002af2b0 KERNEL32!WerpReportFault+0x74 (FPO: [0,0,4])
002af1f4 75ff96fd 002af2b0 00000001 7ac27da3 KERNEL32!BasepReportFault+0x19 (FPO: [Non-Fpo])
002af280 77b5366d 002af2b0 77aef7b4 fffffffe KERNELBASE!UnhandledExceptionFilter+0x1d1 (FPO: [Non-Fpo]) // ★UnhandledExceptionFilterが呼び出されている
002afa14 77afa8a1 ffffffff 77aef68a 00000000 ntdll_77ab0000!__RtlUserThreadStart+0x58dc6
002afa24 00000000 0013108c 7edde000 00000000 ntdll_77ab0000!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
# 1 Id: 22b4.1190 Suspend: 1 Teb: 7ecad000 Unfrozen
ChildEBP RetAddr Args to Child
01e5fafc 00000000 00000000 00000000 00000000 ntdll_77ab0000!RtlUserThreadStart (FPO: [0,2,0])
//
// UnhandledExceptionFilter関数の第一引数はEXCEPTION_POINTERS構造体へのポインタなので、
// Args to Childの1つ目の002af2b0をEXCEPTION_POINTERS型として dt で表示し、内容を確認する
// (x86では引数がスタックに積まれるためこの方法が使える。x64では引数がレジスタ渡しになり、Args to Childの値は当てにならない点に注意)
//
0:001:x86> dt EXCEPTION_POINTERS 002af2b0 // ★EXCEPTION_POINTERSを確認
WinDbgTest!EXCEPTION_POINTERS
+0x000 ExceptionRecord : 0x002af3e8 _EXCEPTION_RECORD
+0x004 ContextRecord : 0x002af438 _CONTEXT // ★コンテキスト
0:001:x86> dt _EXCEPTION_RECORD 0x002af3e8 // ★_EXCEPTION_RECORDを確認
WinDbgTest!_EXCEPTION_RECORD
+0x000 ExceptionCode : 0n-1073741676 // ★NTSTATUSエラーコード 0xC0000094 = STATUS_INTEGER_DIVIDE_BY_ZERO(0除算)
+0x004 ExceptionFlags : 0
+0x008 ExceptionRecord : (null)
+0x00c ExceptionAddress : 0x00131580 Void
+0x010 NumberParameters : 0
+0x014 ExceptionInformation : [15] 0
0:001:x86> .cxr 0x002af438 // ★コンテキストを切り替える
eax=0000000a ebx=7edde000 ecx=00000000 edx=00000000 esi=002af8a0 edi=002af898
eip=00131580 esp=002af79c ebp=002af898 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
WinDbgTest!Crush002+0x30:
00131580 f77df8 idiv eax,dword ptr [ebp-8] ss:002b:002af890=00000000
0:001:x86> kb // ★コールスタックを確認する
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
002af898 00131430 00000000 00000000 7edde000 WinDbgTest!Crush002+0x30 [c:\users\Test\documents\visual studio 2008\projects\windbgtest\windbgtest\test001.cpp @ 28] // ★ここで落ちている
002af96c 00131b28 00000001 01d57f68 01d59658 WinDbgTest!wmain+0x40 [c:\users\Test\documents\visual studio 2008\projects\windbgtest\windbgtest\windbgtest.cpp @ 20]
002af9bc 0013196f 002af9d0 75b9919f 7edde000 WinDbgTest!__tmainCRTStartup+0x1a8 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 583]
002af9c4 75b9919f 7edde000 002afa14 77afa8cb WinDbgTest!wmainCRTStartup+0xf [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
002af9d0 77afa8cb 7edde000 78872540 00000000 KERNEL32!BaseThreadInitThunk+0xe
002afa14 77afa8a1 ffffffff 77aef68a 00000000 ntdll_77ab0000!__RtlUserThreadStart+0x20
002afa24 00000000 0013108c 7edde000 00000000 ntdll_77ab0000!_RtlUserThreadStart+0x1b
//
// ★解析完了
// WinDbgTest!Crush002+0x30 の idiv 命令で、除数 [ebp-8](ss:002af890)の値が 0 のため0除算例外が発生して落ちています。
// test001.cppの28行目を確認します。
//