Advanced Debugging (advdbg.org) forum, board: Windows Kernel Debugging

Thread: Windows: crash involving a web container
Started by: 寒江雪   Started: 2015-10-27 10:13 AM   Replies: 6
2015-10-27, 10:13 AM
yanyaowen (寒江雪), registered 2015-10-27, 4 posts
Windows: crash involving a web container
A crash that has been bothering me for a long time: the program uses an IE container, and after a JS script runs inside the container the program crashes. The full stack is below:

0:000> kb
ChildEBP RetAddr  Args to Child              
0012b4c8 7c92df5a 7c8025db 00000994 00000000 ntdll!KiFastSystemCallRet
0012b4cc 7c8025db 00000994 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
0012b530 7c802542 00000994 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0xa8
0012b544 0040c590 00000994 ffffffff 00000000 kernel32!WaitForSingleObject+0x12
0012b560 7c864eb9 0012b7f8 00000000 00000000 BaiduBridge!CExceptionReport::UnhandledExceptionFilterCb+0x1f7 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\exceptionreport.cpp @ 207]
0012b7d0 7c843e82 0012b7f8 7c839ba9 0012b800 kernel32!UnhandledExceptionFilter+0x1c7
0012b7d8 7c839ba9 0012b800 00000000 0012b800 kernel32!BaseProcessStart+0x39
0012b800 7c9232a8 0012b8ec 0012ffe0 0012b908 kernel32!_except_handler3+0x61
0012b824 7c92327a 0012b8ec 0012ffe0 0012b908 ntdll!ExecuteHandler2+0x26
0012b8d4 7c92e48a 00000000 0012b908 0012b8ec ntdll!ExecuteHandler+0x24
0012b8d4 3d1f8cc7 00000000 0012b908 0012b8ec ntdll!KiUserExceptionDispatcher+0xe
0012bbd0 3d190a55 0a71ac28 0f72b1dc 0f72b0a8 mshtml!CMarkup::GetLookasidePtr
0012bbfc 3d11b41e 0012bc08 00000000 0012bc44 mshtml!CMarkup::EnsureScriptContext+0x1c
0012bc0c 3d2acbb7 0a716ff8 00000008 0a716ff8 mshtml!CMarkup::BlockScriptExecution+0xf
0012bc44 3d2b33c9 00000000 0a73f928 00000001 mshtml!CStyleSheet::AddImportedStyleSheet+0x215
0012bc84 3d4a9b79 00000017 00021af4 00000000 mshtml!MSCSSParser::Write+0x1d2
0012bca8 3d1bbadb 00000000 0f8f4f4c 1038a170 mshtml!CStyleSheet::put_cssText+0x124
0012bcd8 3d1daaf3 0f72b0a8 1038a170 0ba1ee30 mshtml!GS_PropEnum+0x1ab
0012bd4c 3d1daf92 0f72b0a8 000003f6 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
0012bd78 3d1da535 0f72b0a8 000003f6 00000001 mshtml!CBase::InvokeEx+0x25
0012bda0 3d1da4f1 0f72b0a8 000003f6 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0012bdf0 3e373a8a 0ba1eef0 000003f6 00000001 mshtml!PlainInvokeEx+0xea
0012be30 3e3739d6 0cf97d30 000003f6 00000409 jscript!IDispatchExInvokeEx2+0xf8
0012be6c 3e374f16 0cf97d30 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
0012bf2c 3e374e70 000003f6 00000004 00000000 jscript!InvokeDispatchEx+0x98
0012bf60 3e372d5d 0cf97d30 0012bf94 0000000c jscript!VAR::InvokeByName+0x135
0012bfac 3e372911 0cf97d30 0000000c 00000000 jscript!VAR::InvokeDispName+0x7a
0012c140 3e37139b 0012c158 00000000 00000000 jscript!CScriptRuntime::Run+0x2061
0012c228 3e3712d5 00000000 00000003 0ab68810 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c274 3e374a9c 00000000 00000003 0ab68810 jscript!ScrFncObj::Call+0x8f
0012c2f8 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012c32c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012c4c8 3e37139b 0012c4e0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012c5b0 3e3712d5 00000000 00000006 0ab688c0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c5fc 3e374a9c 00000000 00000006 0ab688c0 jscript!ScrFncObj::Call+0x8f
0012c680 3e3728b5 0d035c48 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012c6b4 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012c850 3e37139b 0012c868 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012c938 3e3712d5 00000000 00000002 0ab689f0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c984 3e374a9c 00000000 00000002 0ab689f0 jscript!ScrFncObj::Call+0x8f
0012ca08 3e3728b5 0cfd7030 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012ca3c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012cbd8 3e37139b 0012cbf0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ccc0 3e3712d5 00000000 00000001 0ab68aa0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012cd0c 3e3729f5 00000000 00000001 0ab68aa0 jscript!ScrFncObj::Call+0x8f
0012cd90 3e3728b5 0cfb5830 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012cdc4 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012ce04 3e3724b1 0cf97d30 0012ce74 0ce81dd0 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012ce40 3e372d5d 0cf97d30 0012ce74 00000001 jscript!VAR::InvokeByName+0x170
0012ce8c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012cebc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d058 3e37139b 0012d070 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012d140 3e3712d5 00000000 00000001 0ab68b50 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012d18c 3e3729f5 00000000 00000001 0ab68b50 jscript!ScrFncObj::Call+0x8f
0012d210 3e3728b5 0d02aea8 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012d244 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012d284 3e3724b1 0cf97d30 0012d2f4 0ce81dd0 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012d2c0 3e372d5d 0cf97d30 0012d2f4 00000001 jscript!VAR::InvokeByName+0x170
0012d30c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012d33c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d4d8 3e37139b 0012d4f0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012d5c0 3e3712d5 00000000 00000002 0ab68c90 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012d60c 3e3729f5 00000000 00000002 0ab68c90 jscript!ScrFncObj::Call+0x8f
0012d690 3e3728b5 10431e88 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012d6c4 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012d704 3e3724b1 0cf97d30 0012d774 0cf7a248 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012d740 3e372d5d 0cf97d30 0012d774 00000001 jscript!VAR::InvokeByName+0x170
0012d78c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012d7bc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d958 3e37139b 0012d970 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012da40 3e3712d5 00000000 00000002 0ab68d90 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012da8c 3e3729f5 00000000 00000002 0ab68d90 jscript!ScrFncObj::Call+0x8f
0012db10 3e3728b5 0d0e1f88 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012db44 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012dce0 3e37139b 0012dcf8 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ddc8 3e3712d5 00000000 00000003 0ab68e30 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012de14 3e3729f5 00000000 00000003 0ab68e30 jscript!ScrFncObj::Call+0x8f
0012de98 3e3728b5 0d0e2298 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012decc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e068 3e37139b 0012e080 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e150 3e3712d5 00000000 00000004 0ab68f20 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e19c 3e374a9c 00000000 00000004 0ab68f20 jscript!ScrFncObj::Call+0x8f
0012e220 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e254 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e3f0 3e37139b 0012e408 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e4d8 3e3712d5 00000000 00000004 0ab69060 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e524 3e374a9c 00000000 00000004 0ab69060 jscript!ScrFncObj::Call+0x8f
0012e5a8 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e5dc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e778 3e37139b 0012e790 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e860 3e3712d5 00000000 00000002 0ab69120 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e8ac 3e374a9c 00000000 00000002 0ab69120 jscript!ScrFncObj::Call+0x8f
0012e930 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e964 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012eb00 3e37139b 0012eb18 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ebe8 3e3712d5 00000000 00000001 0ab691e0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012ec34 3e3729f5 00000000 00000001 0ab691e0 jscript!ScrFncObj::Call+0x8f
0012ecb8 3e3728b5 0d161520 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012ecec 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012ed2c 3e3724b1 0cf97d30 0012ed9c 10399840 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012ed68 3e372d5d 0cf97d30 0012ed9c 00000001 jscript!VAR::InvokeByName+0x170
0012edb4 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012ede4 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012ef80 3e37139b 0012ef98 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012f068 3e3712d5 00000000 00000001 0ab697b0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012f0b4 3e3729f5 00000000 00000001 0ab697b0 jscript!ScrFncObj::Call+0x8f
0012f138 3e3728b5 0aac25f8 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012f16c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012f308 3e37139b 0012f320 0012f468 0012f468 jscript!CScriptRuntime::Run+0x2abe
0012f3f0 3e3712d5 0012f468 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012f43c 3e371103 0012f468 00000000 00000000 jscript!ScrFncObj::Call+0x8f
0012f4b8 3e353ea3 0c621b00 0012f678 00000000 jscript!CSession::Execute+0x175
0012f504 3e35553f 0d0efdf0 0012f678 0012f688 jscript!COleScript::ExecutePendingScripts+0x1c0
0012f568 3e35534d 0d0efdf0 0f4ea4c4 3d119f54 jscript!COleScript::ParseScriptTextCore+0x29a
0012f590 3d11a47f 0d0efdf4 0f61b188 0f4ea4c4 jscript!COleScript::ParseScriptText+0x30
0012f5e8 3d11a1f1 0f581020 00000000 0b911e40 mshtml!CScriptCollection::ParseScriptText+0x21b
0012f6ac 3d11a612 00000000 00000000 00000000 mshtml!CScriptElement::CommitCode+0x3c1
0012f6e0 3d119363 7c80934a 0b97ca10 0b97ca10 mshtml!CScriptElement::Execute+0xd6
0012f734 3d1145a2 0b9978b0 7c80934a 0b97ca10 mshtml!CHtmParse::Execute+0x4a
0012f74c 3d114334 3d1139ed 00328602 0b97ca10 mshtml!CHtmPost::Broadcast+0xf
0012f80c 3d117aa6 00328602 00000000 0b97ca10 mshtml!CHtmPost::Exec+0x5f7
0012f824 3d117a09 00328602 00000000 0b97ca10 mshtml!CHtmPost::Run+0x15
0012f844 3d117952 0a6c4020 00328602 0b97ca10 mshtml!PostManExecute+0x1fd
0012f864 3d11796f 00000001 00000000 0012f884 mshtml!PostManResume+0xf8
0012f874 3d19c90b 0b7d4fd0 0b97ca10 0012f8c0 mshtml!CHtmPost::OnDwnChanCallback+0x10
0012f884 3d1da1b3 0b7d4fd0 00000000 0a6c4020 mshtml!CDwnChan::OnMethodCall+0x19
0012f8c0 3d1c4cc0 0012f948 3d1c4c12 00000000 mshtml!GlobalWndOnMethodCall+0x104
0012f8e0 77d18734 000d011e 000001f3 00000000 mshtml!GlobalWndProc+0x183
0012f90c 77d18816 3d1c4c12 000d011e 00008002 user32!InternalCallWinProc+0x28
0012f974 77d189cd 00000000 3d1c4c12 000d011e user32!UserCallWinProcCheckWow+0x150
0012f9d4 77d18a10 0012fa34 00000000 00000001 user32!DispatchMessageWorker+0x306
0012f9e4 00409989 0012fa34 007cabd4 007cabd4 user32!DispatchMessageW+0xf
0012fa00 0040b2b5 958b907c 007cabd4 770f4880 BaiduBridge!WTL::CMessageLoop::Run+0x69 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\public\include\basement\wtl\atlapp.h @ 577]
0012fa60 0040c266 0002065c 00000005 0012fb7c BaiduBridge!Run+0x6f [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\dialog.cpp @ 113]
0012ff2c 006227e7 00400000 00000000 0002065c BaiduBridge!wWinMain+0xf77 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\dialog.cpp @ 703]
0012ffc0 7c816037 80000001 0012f118 7ffdd000 BaiduBridge!__tmainCRTStartup+0x150 [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589]
0012fff0 00000000 00622957 00000000 00000000 kernel32!BaseProcessStart+0x23


0:000> .ecxr
eax=00000000 ebx=00000000 ecx=00000000 edx=0f72b1d8 esi=0000000b edi=00000000
eip=3d1f8cc7 esp=0012bbd4 ebp=0012bbfc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CMarkup::GetLookasidePtr:
3d1f8cc7 ??              ???

Could anyone advise where to start investigating this crash? Thanks in advance.




2015-11-01, 4:42 PM
john (irp), registered 2006-10-19, 5 posts
Re: Windows: crash involving a web container
Your OS is probably XP. It would be best to post the OS version (WinDbg vertarget command) and all thread stacks. Also, 32-bit stack traces are sometimes inaccurate. Find the context record by hand, as in this example:
0:022> k
ChildEBP RetAddr 
0623eedc 77488ec4 ntdll!KiFastSystemCallRet
0623eee0 774c4afe ntdll!ZwWaitForSingleObject+0xc
0623ef64 774c4be7 ntdll!RtlReportExceptionEx+0x14b
0623efa4 774e0d4b ntdll!RtlReportException+0x3c
0623efb8 774e0dd1 ntdll!RtlpTerminateFailureFilter+0x14
0623efc4 77439a9c ntdll!RtlReportCriticalFailure+0x6b
0623efd8 774341ac ntdll!_EH4_CallFilterFunc+0x12
0623f000 774897f9 ntdll!_except_handler4+0x8e
0623f024 774897cb ntdll!ExecuteHandler2+0x26
0623f0d4 77489657 ntdll!ExecuteHandler+0x24
0623f0d4 774e0dbc ntdll!KiUserExceptionDispatcher+0xf
0623f448 774e19c8 ntdll!RtlReportCriticalFailure+0x5b
0623f458 774e1ab6 ntdll!RtlpReportHeapFailure+0x21
0623f48c 774e1d28 ntdll!RtlpLogHeapFailure+0xa1
0623f4e4 774ab014 ntdll!RtlpAnalyzeHeapFailure+0x25a
0623f50c 7746f38c ntdll!RtlpFindAndCommitPages+0x158
0623f534 7746f5d1 ntdll!RtlpExtendHeap+0x2a
0623f61c 77498592 ntdll!RtlpAllocateHeap+0x7db
0623f694 72e30ae9 ntdll!RtlAllocateHeap+0x1e3

Pick an ebp address before 0623f0d4 and start searching for the context record from there; here I chose 0623f000.

0:022> s -d 0623f000 L1000 1003f
0623f104  0001003f 00000000 00000000 00000000  ?...............


0:022> .cxr 0623f104
eax=0623f3e0 ebx=00000000 ecx=7fffffff edx=00000000 esi=071a0000 edi=071a2fe0
eip=774e0dbc esp=0623f3d0 ebp=0623f448 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlReportCriticalFailure+0x5b:
774e0dbc eb1c            jmp     ntdll!RtlReportCriticalFailure+0x6f (774e0dda)


Assuming your stack trace is good, it is hard to explain. The only explanation is that mshtml was unloaded, so its eip is invalid. What does !address @eip show?

2015-11-03, 10:43 AM
Raymond (格蠹老雷), registered 2005-12-19, 1,299 posts
Re: Windows: crash involving a web container
Take a look with the lm command; the mshtml module may have been unloaded, for example because another thread released the COM object...
2015-11-04, 6:48 PM
yanyaowen (寒江雪), registered 2015-10-27, 4 posts
Re: Windows: crash involving a web container
0:000> lm o
start    end        module name
00230000 002bb000   apputil    (deferred)             
00400000 0080f000   baidubridge T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\dialog.pdb
00810000 00929000   bull80u  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Bull80U.pdb
00a70000 0319a000   libcef   T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\libcef.dll.pdb
031a0000 0321d000   sqlite3    (deferred)             
050c0000 050e2000   rudplib  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\udt.pdb
05990000 059e0000   ImProtocol   (deferred)             
05a30000 05a48000   locallog   (deferred)             
05ad0000 05b1b000   ImStorage   (deferred)             
05c60000 05d26000   NetService T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\NetService.pdb
06820000 069da000   imengine T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImEngine.pdb
078b0000 078f5000   skindll    (deferred)             
09610000 09680000   HistoryExplorer   (deferred)             
0ba80000 0bae3000   fmmgr      (deferred)             
0be50000 0be6a000   memo       (deferred)             
10000000 10344000   basement T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Basement.pdb
11ff0000 11ffa000   ddrawex    (deferred)             
39700000 397eb000   riched20   (deferred)             
63300000 644d6000   Flash32_19_0_0_185 T (no symbols)           
64690000 64709000   mscms      (deferred)             
64710000 64740000   dinput8    (deferred)             
654e0000 654fb000   atl80      (deferred)             
66de0000 66e1f000   schannel   (deferred)             
67480000 674d7000   dxtmsft    (deferred)             
674e0000 67fad000   igdumd32   (deferred)             
67fb0000 67fb6000   dciman32   (deferred)             
67fc0000 680a7000   ddraw      (deferred)             
680b0000 680c4000   atl        (deferred)             
680d0000 68109000   dxtrans    (pdb symbols)          d:\microsoftsymbols\dxtrans.pdb\E4EDE3D39A83480785C9FB66750055C62\dxtrans.pdb
68140000 681f2000   jscript    (pdb symbols)          d:\microsoftsymbols\jscript.pdb\B54425D3F535420FB551ACECE32040AD2\jscript.pdb
68200000 6822a000   msls31     (deferred)             
68230000 687f5000   mshtml     (pdb symbols)          d:\microsoftsymbols\mshtml.pdb\45B7237A658B401286C40A6F480169D22\mshtml.pdb
68d60000 68e01000   dbghelp    (deferred)             
68f30000 68f3e000   pngfilt    (deferred)             
69840000 69876000   AudioSes   (deferred)             
69e00000 69e4f000   webio      (deferred)             
69e50000 69ea8000   winhttp    (deferred)             
69fb0000 69fbb000   imgutil    (deferred)             
6a040000 6a04b000   msimtf     (deferred)             
6b0f0000 6b0f8000   credssp    (deferred)             
6b200000 6b214000   devenum    (deferred)             
6ca30000 6ca8f000   sxs        (deferred)   


I checked, and the DLL is still there.

2015-11-04, 7:04 PM
yanyaowen (寒江雪), registered 2015-10-27, 4 posts
Re: Windows: crash involving a web container
0:000> vertarget
Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Machine Name:
Debug session time: Tue Oct 20 15:29:58.000 2015 (UTC + 8:00)
System Uptime: not available
Process Uptime: 0 days 0:03:25.000
  Kernel time: 0 days 0:00:08.000
  User time: 0 days 0:00:02.000


0:000> lm o
start    end        module name
00230000 002bb000   apputil  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\AppUtil.pdb
00400000 0080f000   baidubridge T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\dialog.pdb
00810000 00929000   bull80u  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Bull80U.pdb
00a70000 0319a000   libcef   T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\libcef.dll.pdb
031a0000 0321d000   sqlite3  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\sqlite3.pdb
050c0000 050e2000   rudplib  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\udt.pdb
05990000 059e0000   ImProtocol T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImProtocol.pdb
05a30000 05a48000   locallog T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\LocalLog.pdb
05ad0000 05b1b000   ImStorage T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\imStorage.pdb
05c60000 05d26000   NetService T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\NetService.pdb
06820000 069da000   imengine T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImEngine.pdb
078b0000 078f5000   skindll  T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\SkinDLL.pdb
09610000 09680000   HistoryExplorer T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\HistoryExplorer.pdb
0ba80000 0bae3000   fmmgr    T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\fmmgr.pdb
0be50000 0be6a000   memo     T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Memo.pdb
10000000 10344000   basement T (private pdb symbols)  e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Basement.pdb
11ff0000 11ffa000   ddrawex    (pdb symbols)          d:\microsoftsymbols\ddrawex.pdb\77F109ED1AD24573B1BDB1EB1EDCEAA62\ddrawex.pdb
39700000 397eb000   riched20 T (no symbols)           
63300000 644d6000   Flash32_19_0_0_185 T (no symbols)           
64690000 64709000   mscms      (pdb symbols)          d:\microsoftsymbols\mscms.pdb\93303CBC777E44A592376E1F326E20172\mscms.pdb
64710000 64740000   dinput8    (export symbols)       dinput8.dll
654e0000 654fb000   atl80    T (private pdb symbols)  d:\microsoftsymbols\atl80.i386.pdb\DA17E56C93E04FE995DA16DF647C8B623\atl80.i386.pdb
66de0000 66e1f000   schannel   (pdb symbols)          d:\microsoftsymbols\schannel.pdb\3E364029B5124F2A9B86FA5812102A072\schannel.pdb
67480000 674d7000   dxtmsft    (pdb symbols)          d:\microsoftsymbols\dxtmsft.pdb\93C44267FE3A4256B787CF3663AB41C72\dxtmsft.pdb
674e0000 67fad000   igdumd32 T (no symbols)           
67fb0000 67fb6000   dciman32   (pdb symbols)          d:\microsoftsymbols\dciman32.pdb\5D634DE385204C3D889B9E6E938098B62\dciman32.pdb
67fc0000 680a7000   ddraw      (pdb symbols)          d:\microsoftsymbols\ddraw.pdb\497DBEEFB3854F24BC6A468137860ADA2\ddraw.pdb
680b0000 680c4000   atl        (pdb symbols)          d:\microsoftsymbols\atl.pdb\9A2474AB5BCA4AB8A34ADA69E8771BF92\atl.pdb
680d0000 68109000   dxtrans    (pdb symbols)          d:\microsoftsymbols\dxtrans.pdb\E4EDE3D39A83480785C9FB66750055C62\dxtrans.pdb
68140000 681f2000   jscript    (pdb symbols)          d:\microsoftsymbols\jscript.pdb\B54425D3F535420FB551ACECE32040AD2\jscript.pdb
68200000 6822a000   msls31     (pdb symbols)          d:\microsoftsymbols\msls31.pdb\7919161B84F0418F9FCD19A720CF43902\msls31.pdb
68230000 687f5000   mshtml     (pdb symbols)          d:\microsoftsymbols\mshtml.pdb\45B7237A658B401286C40A6F480169D22\mshtml.pdb
68d60000 68e01000   dbghelp    (pdb symbols)          d:\microsoftsymbols\dbghelp.pdb\39559573E21B46F28E286923BE9E6A761\dbghelp.pdb
68f30000 68f3e000   pngfilt    (pdb symbols)          d:\microsoftsymbols\PNGFilt.pdb\69D8B465B19F454B99D2E9A95EB9FCCD2\PNGFilt.pdb
69840000 69876000   AudioSes   (pdb symbols)          d:\microsoftsymbols\AudioSes.pdb\CB4B0ADA67AF422B9DE62BEBC004011F2\AudioSes.pdb
69e00000 69e4f000   webio      (pdb symbols)          d:\microsoftsymbols\webio.pdb\A4D8EDEE321149F4931A8F77FF4AE1542\webio.pdb


0:000> .ecxr
eax=00000000 ebx=00000000 ecx=00000000 edx=13dd0468 esi=0000000b edi=00000000
eip=683e3773 esp=0018bc14 ebp=0018bc3c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mshtml!CMarkup::GetLookasidePtr:
683e3773 8b90a4000000    mov     edx,dword ptr [eax+0A4h] ds:002b:000000a4=????????


The eip address lies within the address space of a loaded module.

The crash I am now seeing happens after opening the page and clicking a button on the page; it should be a JS script problem, but it is a bit hard to believe that a JS script could cause a crash.




2015-11-05, 6:11 AM
john (irp), registered 2006-10-19, 5 posts
Re: Windows: crash involving a web container
On my Win7 x64 SP1, the mshtml.dll in the wow64 directory: even if its version differs from yours, there should be no major difference. The symbols for your dump are not quite right, even though windbg did not report a symbol mismatch. The instruction is wrong; in your dump it should be getlookasideptr+offset.
You can walk the stack by hand: dps @esp - 100, and chain the frames together via ebp. Check each return address and make sure it is good and matches up with the symbols.

0:000> u 6363e207
mshtml!CMarkup::GetLookasidePtr:
6363e207 8bff            mov     edi,edi
6363e209 55              push    ebp
6363e20a 8bec            mov     ebp,esp
6363e20c 8bd1            mov     edx,ecx
6363e20e 83ec10          sub     esp,10h
6363e211 8b4d08          mov     ecx,dword ptr [ebp+8]
6363e214 8b82ac010000    mov     eax,dword ptr [edx+1ACh]
6363e21a 25ff3f0000      and     eax,3FFFh

Assuming what your windbg shows is correct, cmarkup should be a null pointer. Enabling PageHeap with gflags may help. It could be a problem in mshtml. Also, it would be best if you could reproduce it on Win7 64-bit: the address space is larger, so PageHeap has less impact on the program.

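The two manual checks john describes in this thread, searching the stack for the CONTEXT record by its ContextFlags value (his first reply) and then walking the EBP chain while confirming that every return address lands in a loaded module (his last reply), can be scripted outside WinDbg. The block below is an added example; it is not code from the thread, from advdbg.org, or from the program being debugged. It runs on a constructed 4 KiB stack image and a constructed module table: the module ranges, the decoy 0x1003f word, the register values and the return address that resolves to no module are all made up for the demonstration, and the CONTEXT field offsets are the x86 layout from winnt.h.

```python
import struct

# x86 CONTEXT (winnt.h) offsets. 0x1003f is CONTEXT_i386 (0x10000) with every
# flag bit set; it is the dword john searches for with `s -d` in the thread.
CONTEXT_ALL_I386 = 0x0001003F
CONTEXT_SIZE_I386 = 0x2CC  # sizeof(CONTEXT) on x86 = 716 bytes
REG_OFFSETS = {"edi": 156, "esi": 160, "ebx": 164, "edx": 168, "ecx": 172,
               "eax": 176, "ebp": 180, "eip": 184, "eflags": 192, "esp": 196}

class Memory:
    """Flat little-endian image of one stack region starting at `base`."""
    def __init__(self, base, size):
        self.base, self.data = base, bytearray(size)

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.data)

    def read_dword(self, addr):
        if not (self.contains(addr) and self.contains(addr + 3)):
            raise ValueError(f"unmapped read at {addr:#010x}")
        return struct.unpack_from("<I", self.data, addr - self.base)[0]

    def write_dword(self, addr, value):
        struct.pack_into("<I", self.data, addr - self.base, value)

def symbolize(addr, modules):
    """'module+0xoff' from (start, end, name) ranges as `lm` lists them; None if no module."""
    for start, end, name in modules:
        if start <= addr < end:
            return f"{name}+{addr - start:#x}"
    return None

def find_context_records(mem, start, length, flags=CONTEXT_ALL_I386):
    """Manual `s -d start L<length> 1003f` (length in bytes), keeping only hits whose
    record fits in the image and whose Esp/Ebp point back into this stack."""
    hits = []
    lo, hi = max(start, mem.base), min(start + length, mem.base + len(mem.data) - 3)
    for addr in range(lo, hi, 4):
        if mem.read_dword(addr) != flags or not mem.contains(addr + CONTEXT_SIZE_I386 - 1):
            continue
        regs = {n: mem.read_dword(addr + off) for n, off in REG_OFFSETS.items()}
        if mem.contains(regs["esp"]) and mem.contains(regs["ebp"]):
            hits.append((addr, regs))
    return hits

def walk_frames(mem, ebp, eip, modules, max_frames=64):
    """Follow the saved-EBP chain as `dps @esp` is read by hand ([ebp] = caller's ebp,
    [ebp+4] = return address); each row mirrors a `kb` line for the frame's own pc."""
    rows, pc = [], eip
    while len(rows) < max_frames and mem.contains(ebp) and mem.contains(ebp + 7):
        saved_ebp, ret = mem.read_dword(ebp), mem.read_dword(ebp + 4)
        rows.append({"child_ebp": ebp, "ret": ret, "pc": pc, "symbol": symbolize(pc, modules)})
        if saved_ebp <= ebp:  # 0 ends the chain; a genuine caller's ebp is higher
            break
        ebp, pc = saved_ebp, ret
    return rows

def analyze(mem, modules):
    """Find the CONTEXT, walk up from it, flag frames whose pc is in no loaded module."""
    hits = find_context_records(mem, mem.base, len(mem.data))
    if not hits:
        return None
    ctx_addr, regs = hits[0]
    rows = walk_frames(mem, regs["ebp"], regs["eip"], modules)
    return {"context": ctx_addr, "regs": regs, "frames": rows,
            "suspect": [i for i, r in enumerate(rows) if r["symbol"] is None]}

# Constructed inputs: module ranges are invented (only loosely modelled on the `lm`
# listing above) and the stack is hand-built so the example runs offline.
SAMPLE_MODULES = [(0x3D110000, 0x3D6D0000, "mshtml"), (0x3E360000, 0x3E410000, "jscript"),
                  (0x7C800000, 0x7C8F6000, "kernel32")]

def build_sample_stack():
    """4 KiB stack: a decoy 0x1003f word, a CONTEXT record (eax=0 at the faulting mov)
    and an EBP chain where one return address points into nothing loaded."""
    mem = Memory(0x0012B000, 0x1000)
    mem.write_dword(0x0012B050, CONTEXT_ALL_I386)  # decoy: its esp/ebp fields are junk
    ctx = 0x0012B104
    mem.write_dword(ctx, CONTEXT_ALL_I386)
    for name, val in {"eax": 0, "esi": 0xB, "ebp": 0x0012B400,
                      "esp": 0x0012B3D0, "eip": 0x3D1F8CC7}.items():
        mem.write_dword(ctx + REG_OFFSETS[name], val)
    chain = [(0x0012B400, 0x0012B440, 0x3D190A55),  # frame ebp, saved ebp, ret (mshtml)
             (0x0012B440, 0x0012B480, 0x3E373A8A),  # jscript
             (0x0012B480, 0x0012B4C0, 0x0BAD0000),  # returns into an unloaded region
             (0x0012B4C0, 0x0012B500, 0x7C816037),  # kernel32
             (0x0012B500, 0x00000000, 0x00000000)]  # end of chain
    for frame, saved, ret in chain:
        mem.write_dword(frame, saved)
        mem.write_dword(frame + 4, ret)
    return mem

if __name__ == "__main__":
    r = analyze(build_sample_stack(), SAMPLE_MODULES)
    for i, f in enumerate(r["frames"]):
        flag = "   <-- not in any loaded module" if i in r["suspect"] else ""
        print(f"{f['child_ebp']:08x} {f['ret']:08x} {f['symbol'] or '???'}{flag}")
```

Run it as a script to get a kb-style listing with the unresolvable frame marked. The Esp/Ebp filter in find_context_records is what you do by eye when `s -d` returns more than one hit, and a return address that no `lm` range covers is the signal Raymond's lm check is looking for; if instead every address resolves but the disassembly at eip looks wrong, as john notes in his last reply, the suspect is the symbol file rather than the stack.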
(C)2004-2017 ADVDBG.ORG All Rights Reserved.