Re: Windows: a crash involving a web container
Windows kernel debugging
Windows: a crash involving a web container
寒江雪
2015-10-27, 10:13 AM
A crash that has been bothering me for a long time. The program uses an IE container, and after running a JS script inside the container the program crashes. Here is the complete stack:
0:000> kb
ChildEBP RetAddr Args to Child
0012b4c8 7c92df5a 7c8025db 00000994 00000000 ntdll!KiFastSystemCallRet
0012b4cc 7c8025db 00000994 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
0012b530 7c802542 00000994 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0xa8
0012b544 0040c590 00000994 ffffffff 00000000 kernel32!WaitForSingleObject+0x12
0012b560 7c864eb9 0012b7f8 00000000 00000000 BaiduBridge!CExceptionReport::UnhandledExceptionFilterCb+0x1f7 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\exceptionreport.cpp @ 207]
0012b7d0 7c843e82 0012b7f8 7c839ba9 0012b800 kernel32!UnhandledExceptionFilter+0x1c7
0012b7d8 7c839ba9 0012b800 00000000 0012b800 kernel32!BaseProcessStart+0x39
0012b800 7c9232a8 0012b8ec 0012ffe0 0012b908 kernel32!_except_handler3+0x61
0012b824 7c92327a 0012b8ec 0012ffe0 0012b908 ntdll!ExecuteHandler2+0x26
0012b8d4 7c92e48a 00000000 0012b908 0012b8ec ntdll!ExecuteHandler+0x24
0012b8d4 3d1f8cc7 00000000 0012b908 0012b8ec ntdll!KiUserExceptionDispatcher+0xe
0012bbd0 3d190a55 0a71ac28 0f72b1dc 0f72b0a8 mshtml!CMarkup::GetLookasidePtr
0012bbfc 3d11b41e 0012bc08 00000000 0012bc44 mshtml!CMarkup::EnsureScriptContext+0x1c
0012bc0c 3d2acbb7 0a716ff8 00000008 0a716ff8 mshtml!CMarkup::BlockScriptExecution+0xf
0012bc44 3d2b33c9 00000000 0a73f928 00000001 mshtml!CStyleSheet::AddImportedStyleSheet+0x215
0012bc84 3d4a9b79 00000017 00021af4 00000000 mshtml!MSCSSParser::Write+0x1d2
0012bca8 3d1bbadb 00000000 0f8f4f4c 1038a170 mshtml!CStyleSheet::put_cssText+0x124
0012bcd8 3d1daaf3 0f72b0a8 1038a170 0ba1ee30 mshtml!GS_PropEnum+0x1ab
0012bd4c 3d1daf92 0f72b0a8 000003f6 00000001 mshtml!CBase::ContextInvokeEx+0x5d1
0012bd78 3d1da535 0f72b0a8 000003f6 00000001 mshtml!CBase::InvokeEx+0x25
0012bda0 3d1da4f1 0f72b0a8 000003f6 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0012bdf0 3e373a8a 0ba1eef0 000003f6 00000001 mshtml!PlainInvokeEx+0xea
0012be30 3e3739d6 0cf97d30 000003f6 00000409 jscript!IDispatchExInvokeEx2+0xf8
0012be6c 3e374f16 0cf97d30 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
0012bf2c 3e374e70 000003f6 00000004 00000000 jscript!InvokeDispatchEx+0x98
0012bf60 3e372d5d 0cf97d30 0012bf94 0000000c jscript!VAR::InvokeByName+0x135
0012bfac 3e372911 0cf97d30 0000000c 00000000 jscript!VAR::InvokeDispName+0x7a
0012c140 3e37139b 0012c158 00000000 00000000 jscript!CScriptRuntime::Run+0x2061
0012c228 3e3712d5 00000000 00000003 0ab68810 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c274 3e374a9c 00000000 00000003 0ab68810 jscript!ScrFncObj::Call+0x8f
0012c2f8 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012c32c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012c4c8 3e37139b 0012c4e0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012c5b0 3e3712d5 00000000 00000006 0ab688c0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c5fc 3e374a9c 00000000 00000006 0ab688c0 jscript!ScrFncObj::Call+0x8f
0012c680 3e3728b5 0d035c48 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012c6b4 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012c850 3e37139b 0012c868 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012c938 3e3712d5 00000000 00000002 0ab689f0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012c984 3e374a9c 00000000 00000002 0ab689f0 jscript!ScrFncObj::Call+0x8f
0012ca08 3e3728b5 0cfd7030 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012ca3c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012cbd8 3e37139b 0012cbf0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ccc0 3e3712d5 00000000 00000001 0ab68aa0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012cd0c 3e3729f5 00000000 00000001 0ab68aa0 jscript!ScrFncObj::Call+0x8f
0012cd90 3e3728b5 0cfb5830 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012cdc4 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012ce04 3e3724b1 0cf97d30 0012ce74 0ce81dd0 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012ce40 3e372d5d 0cf97d30 0012ce74 00000001 jscript!VAR::InvokeByName+0x170
0012ce8c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012cebc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d058 3e37139b 0012d070 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012d140 3e3712d5 00000000 00000001 0ab68b50 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012d18c 3e3729f5 00000000 00000001 0ab68b50 jscript!ScrFncObj::Call+0x8f
0012d210 3e3728b5 0d02aea8 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012d244 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012d284 3e3724b1 0cf97d30 0012d2f4 0ce81dd0 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012d2c0 3e372d5d 0cf97d30 0012d2f4 00000001 jscript!VAR::InvokeByName+0x170
0012d30c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012d33c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d4d8 3e37139b 0012d4f0 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012d5c0 3e3712d5 00000000 00000002 0ab68c90 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012d60c 3e3729f5 00000000 00000002 0ab68c90 jscript!ScrFncObj::Call+0x8f
0012d690 3e3728b5 10431e88 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012d6c4 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012d704 3e3724b1 0cf97d30 0012d774 0cf7a248 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012d740 3e372d5d 0cf97d30 0012d774 00000001 jscript!VAR::InvokeByName+0x170
0012d78c 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012d7bc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012d958 3e37139b 0012d970 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012da40 3e3712d5 00000000 00000002 0ab68d90 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012da8c 3e3729f5 00000000 00000002 0ab68d90 jscript!ScrFncObj::Call+0x8f
0012db10 3e3728b5 0d0e1f88 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012db44 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012dce0 3e37139b 0012dcf8 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ddc8 3e3712d5 00000000 00000003 0ab68e30 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012de14 3e3729f5 00000000 00000003 0ab68e30 jscript!ScrFncObj::Call+0x8f
0012de98 3e3728b5 0d0e2298 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012decc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e068 3e37139b 0012e080 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e150 3e3712d5 00000000 00000004 0ab68f20 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e19c 3e374a9c 00000000 00000004 0ab68f20 jscript!ScrFncObj::Call+0x8f
0012e220 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e254 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e3f0 3e37139b 0012e408 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e4d8 3e3712d5 00000000 00000004 0ab69060 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e524 3e374a9c 00000000 00000004 0ab69060 jscript!ScrFncObj::Call+0x8f
0012e5a8 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e5dc 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012e778 3e37139b 0012e790 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012e860 3e3712d5 00000000 00000002 0ab69120 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012e8ac 3e374a9c 00000000 00000002 0ab69120 jscript!ScrFncObj::Call+0x8f
0012e930 3e3728b5 10373e60 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x137
0012e964 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012eb00 3e37139b 0012eb18 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012ebe8 3e3712d5 00000000 00000001 0ab691e0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012ec34 3e3729f5 00000000 00000001 0ab691e0 jscript!ScrFncObj::Call+0x8f
0012ecb8 3e3728b5 0d161520 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012ecec 3e3743ec 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012ed2c 3e3724b1 0cf97d30 0012ed9c 10399840 jscript!VAR::InvokeJSObj<SYM *>+0xb8
0012ed68 3e372d5d 0cf97d30 0012ed9c 00000001 jscript!VAR::InvokeByName+0x170
0012edb4 3e374225 0cf97d30 00000001 00000000 jscript!VAR::InvokeDispName+0x7a
0012ede4 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0012ef80 3e37139b 0012ef98 00000000 00000000 jscript!CScriptRuntime::Run+0x2abe
0012f068 3e3712d5 00000000 00000001 0ab697b0 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012f0b4 3e3729f5 00000000 00000001 0ab697b0 jscript!ScrFncObj::Call+0x8f
0012f138 3e3728b5 0aac25f8 0cf97d30 00000001 jscript!NameTbl::InvokeInternal+0x2a2
0012f16c 3e374f83 0cf97d30 00000000 00000001 jscript!VAR::InvokeByDispID+0x17c
0012f308 3e37139b 0012f320 0012f468 0012f468 jscript!CScriptRuntime::Run+0x2abe
0012f3f0 3e3712d5 0012f468 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xff
0012f43c 3e371103 0012f468 00000000 00000000 jscript!ScrFncObj::Call+0x8f
0012f4b8 3e353ea3 0c621b00 0012f678 00000000 jscript!CSession::Execute+0x175
0012f504 3e35553f 0d0efdf0 0012f678 0012f688 jscript!COleScript::ExecutePendingScripts+0x1c0
0012f568 3e35534d 0d0efdf0 0f4ea4c4 3d119f54 jscript!COleScript::ParseScriptTextCore+0x29a
0012f590 3d11a47f 0d0efdf4 0f61b188 0f4ea4c4 jscript!COleScript::ParseScriptText+0x30
0012f5e8 3d11a1f1 0f581020 00000000 0b911e40 mshtml!CScriptCollection::ParseScriptText+0x21b
0012f6ac 3d11a612 00000000 00000000 00000000 mshtml!CScriptElement::CommitCode+0x3c1
0012f6e0 3d119363 7c80934a 0b97ca10 0b97ca10 mshtml!CScriptElement::Execute+0xd6
0012f734 3d1145a2 0b9978b0 7c80934a 0b97ca10 mshtml!CHtmParse::Execute+0x4a
0012f74c 3d114334 3d1139ed 00328602 0b97ca10 mshtml!CHtmPost::Broadcast+0xf
0012f80c 3d117aa6 00328602 00000000 0b97ca10 mshtml!CHtmPost::Exec+0x5f7
0012f824 3d117a09 00328602 00000000 0b97ca10 mshtml!CHtmPost::Run+0x15
0012f844 3d117952 0a6c4020 00328602 0b97ca10 mshtml!PostManExecute+0x1fd
0012f864 3d11796f 00000001 00000000 0012f884 mshtml!PostManResume+0xf8
0012f874 3d19c90b 0b7d4fd0 0b97ca10 0012f8c0 mshtml!CHtmPost::OnDwnChanCallback+0x10
0012f884 3d1da1b3 0b7d4fd0 00000000 0a6c4020 mshtml!CDwnChan::OnMethodCall+0x19
0012f8c0 3d1c4cc0 0012f948 3d1c4c12 00000000 mshtml!GlobalWndOnMethodCall+0x104
0012f8e0 77d18734 000d011e 000001f3 00000000 mshtml!GlobalWndProc+0x183
0012f90c 77d18816 3d1c4c12 000d011e 00008002 user32!InternalCallWinProc+0x28
0012f974 77d189cd 00000000 3d1c4c12 000d011e user32!UserCallWinProcCheckWow+0x150
0012f9d4 77d18a10 0012fa34 00000000 00000001 user32!DispatchMessageWorker+0x306
0012f9e4 00409989 0012fa34 007cabd4 007cabd4 user32!DispatchMessageW+0xf
0012fa00 0040b2b5 958b907c 007cabd4 770f4880 BaiduBridge!WTL::CMessageLoop::Run+0x69 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\public\include\basement\wtl\atlapp.h @ 577]
0012fa60 0040c266 0002065c 00000005 0012fb7c BaiduBridge!Run+0x6f [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\dialog.cpp @ 113]
0012ff2c 006227e7 00400000 00000000 0002065c BaiduBridge!wWinMain+0xf77 [d:\cygwin\home\scmpf\compiler_src\yanyaowen_1593530_win32\0\app\ecom\shifen\sf-crm\sf-bridge2\bridge\dialog\dialog.cpp @ 703]
0012ffc0 7c816037 80000001 0012f118 7ffdd000 BaiduBridge!__tmainCRTStartup+0x150 [f:\sp\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 589]
0012fff0 00000000 00622957 00000000 00000000 kernel32!BaseProcessStart+0x23
0:000> .ecxr
eax=00000000 ebx=00000000 ecx=00000000 edx=0f72b1d8 esi=0000000b edi=00000000
eip=3d1f8cc7 esp=0012bbd4 ebp=0012bbfc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CMarkup::GetLookasidePtr:
3d1f8cc7 ?? ???
Could anyone advise where to start investigating this crash? Thanks in advance.
Re: Windows: a crash involving a web container
irp
2015-11-01, 16:42 PM
Your OS is probably XP; it would be best to post the OS version (WinDbg vertarget command) and all the thread stacks. Also, 32-bit stack traces are sometimes inaccurate. Find the context manually, as in the following example:
0:022> k
ChildEBP RetAddr
0623eedc 77488ec4 ntdll!KiFastSystemCallRet
0623eee0 774c4afe ntdll!ZwWaitForSingleObject+0xc
0623ef64 774c4be7 ntdll!RtlReportExceptionEx+0x14b
0623efa4 774e0d4b ntdll!RtlReportException+0x3c
0623efb8 774e0dd1 ntdll!RtlpTerminateFailureFilter+0x14
0623efc4 77439a9c ntdll!RtlReportCriticalFailure+0x6b
0623efd8 774341ac ntdll!_EH4_CallFilterFunc+0x12
0623f000 774897f9 ntdll!_except_handler4+0x8e
0623f024 774897cb ntdll!ExecuteHandler2+0x26
0623f0d4 77489657 ntdll!ExecuteHandler+0x24
0623f0d4 774e0dbc ntdll!KiUserExceptionDispatcher+0xf
0623f448 774e19c8 ntdll!RtlReportCriticalFailure+0x5b
0623f458 774e1ab6 ntdll!RtlpReportHeapFailure+0x21
0623f48c 774e1d28 ntdll!RtlpLogHeapFailure+0xa1
0623f4e4 774ab014 ntdll!RtlpAnalyzeHeapFailure+0x25a
0623f50c 7746f38c ntdll!RtlpFindAndCommitPages+0x158
0623f534 7746f5d1 ntdll!RtlpExtendHeap+0x2a
0623f61c 77498592 ntdll!RtlpAllocateHeap+0x7db
0623f694 72e30ae9 ntdll!RtlAllocateHeap+0x1e3
Pick an ebp address before 0623f0d4 and start searching for the context record from there; here I chose 0623f000.
0:022> s -d 0623f000 L1000 1003f
0623f104 0001003f 00000000 00000000 00000000 ?...............
0:022> .cxr 0623f104
eax=0623f3e0 ebx=00000000 ecx=7fffffff edx=00000000 esi=071a0000 edi=071a2fe0
eip=774e0dbc esp=0623f3d0 ebp=0623f448 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlReportCriticalFailure+0x5b:
774e0dbc eb1c jmp ntdll!RtlReportCriticalFailure+0x6f (774e0dda)
Assuming your stack trace is good, it is quite hard to explain. The only explanation is that mshtml was unloaded, so its eip is invalid. What does !address @eip show?
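The manual context-record search in the reply above (search the stack for the ContextFlags value 1003f with `s -d`, then `.cxr` on the hit) can be reproduced offline. The script below is an added example and not code from the thread: it builds a stack page with an x86 CONTEXT record at 0623f104 carrying the register values irp's `.cxr` printed, scans for the ContextFlags dword the way `s -d` does, decodes the record using the winnt.h field offsets, and applies the sanity checks a debugger does by eye before trusting a hit (Esp/Ebp inside the stack, Eip inside a loaded module). The ntdll range is an assumption, since the thread never shows it.

```python
"""Scan a saved x86 stack region for a CONTEXT record and decode it.

Added example (not from the thread).  The stack bytes are constructed to
reproduce the register values shown by `.cxr 0623f104` in the reply above.
"""
import struct

CONTEXT_FULL_X86 = 0x0001003F  # ContextFlags value that `s -d ... 1003f` looked for

# Field offsets inside the 32-bit CONTEXT structure (winnt.h layout).
CTX_SIZE = 0x2CC
CTX_FIELDS = {
    "SegGs": 0x8C, "SegFs": 0x90, "SegEs": 0x94, "SegDs": 0x98,
    "Edi": 0x9C, "Esi": 0xA0, "Ebx": 0xA4, "Edx": 0xA8, "Ecx": 0xAC,
    "Eax": 0xB0, "Ebp": 0xB4, "Eip": 0xB8, "SegCs": 0xBC, "EFlags": 0xC0,
    "Esp": 0xC4, "SegSs": 0xC8,
}


def build_context(regs):
    """Serialise a register dict into CONTEXT bytes (fields not given stay zero)."""
    buf = bytearray(CTX_SIZE)
    struct.pack_into("<I", buf, 0, CONTEXT_FULL_X86)
    for name, off in CTX_FIELDS.items():
        struct.pack_into("<I", buf, off, regs.get(name, 0))
    return bytes(buf)


def find_context_records(stack, base, flags=CONTEXT_FULL_X86):
    """Return the address of every dword-aligned ContextFlags hit, like `s -d`."""
    hits = []
    for off in range(0, len(stack) - 3, 4):
        if struct.unpack_from("<I", stack, off)[0] == flags:
            hits.append(base + off)
    return hits


def decode_context(stack, base, addr):
    """Decode the CONTEXT at `addr` like `.cxr addr`; None if it is truncated."""
    off = addr - base
    if off < 0 or off + CTX_SIZE > len(stack):
        return None
    return {name: struct.unpack_from("<I", stack, off + o)[0]
            for name, o in CTX_FIELDS.items()}


def plausible(ctx, stack_lo, stack_hi, modules):
    """Checks a debugger makes by eye: Esp/Ebp on the stack, Eip in a module."""
    def on_stack(a):
        return stack_lo <= a < stack_hi
    in_module = any(lo <= ctx["Eip"] < hi for lo, hi in modules.values())
    return on_stack(ctx["Esp"]) and on_stack(ctx["Ebp"]) and in_module


# --- constructed sample: stack page 0623f000 with the record at +0x104 -----
STACK_BASE = 0x0623F000
STACK = bytearray(0x1000)
IRP_CTX = {"Eax": 0x0623F3E0, "Ebx": 0, "Ecx": 0x7FFFFFFF, "Edx": 0,
           "Esi": 0x071A0000, "Edi": 0x071A2FE0, "Eip": 0x774E0DBC,
           "Esp": 0x0623F3D0, "Ebp": 0x0623F448, "EFlags": 0x246,
           "SegCs": 0x1B, "SegSs": 0x23, "SegDs": 0x23, "SegEs": 0x23,
           "SegFs": 0x3B, "SegGs": 0}
STACK[0x104:0x104 + CTX_SIZE] = build_context(IRP_CTX)
# Assumed ntdll range (not shown in the thread); it only needs to contain Eip.
MODULES = {"ntdll": (0x77420000, 0x77560000)}

if __name__ == "__main__":
    for hit in find_context_records(STACK, STACK_BASE):
        ctx = decode_context(STACK, STACK_BASE, hit)
        ok = plausible(ctx, STACK_BASE, STACK_BASE + 0x1000, MODULES)
        print(f"context at {hit:08x}: eip={ctx['Eip']:08x} esp={ctx['Esp']:08x} "
              f"ebp={ctx['Ebp']:08x} plausible={ok}")
```

On a real dump the same scan can produce several hits (every exception dispatch leaves a CONTEXT on the stack), which is why the plausibility checks matter: the record to trust is the one whose Esp/Ebp lie in the thread's stack range and whose Eip resolves to a symbol in a module that is still loaded.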
Re: Windows: a crash involving a web container
格蠹老雷
2015-11-03, 10:43 AM
Check with the lm command; it is possible that the mshtml module was unloaded, with another thread having released the COM object...
Re: Windows: a crash involving a web container
寒江雪
2015-11-04, 18:48 PM
0:000> lm o
start end module name
00230000 002bb000 apputil (deferred)
00400000 0080f000 baidubridge T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\dialog.pdb
00810000 00929000 bull80u T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Bull80U.pdb
00a70000 0319a000 libcef T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\libcef.dll.pdb
031a0000 0321d000 sqlite3 (deferred)
050c0000 050e2000 rudplib T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\udt.pdb
05990000 059e0000 ImProtocol (deferred)
05a30000 05a48000 locallog (deferred)
05ad0000 05b1b000 ImStorage (deferred)
05c60000 05d26000 NetService T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\NetService.pdb
06820000 069da000 imengine T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImEngine.pdb
078b0000 078f5000 skindll (deferred)
09610000 09680000 HistoryExplorer (deferred)
0ba80000 0bae3000 fmmgr (deferred)
0be50000 0be6a000 memo (deferred)
10000000 10344000 basement T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Basement.pdb
11ff0000 11ffa000 ddrawex (deferred)
39700000 397eb000 riched20 (deferred)
63300000 644d6000 Flash32_19_0_0_185 T (no symbols)
64690000 64709000 mscms (deferred)
64710000 64740000 dinput8 (deferred)
654e0000 654fb000 atl80 (deferred)
66de0000 66e1f000 schannel (deferred)
67480000 674d7000 dxtmsft (deferred)
674e0000 67fad000 igdumd32 (deferred)
67fb0000 67fb6000 dciman32 (deferred)
67fc0000 680a7000 ddraw (deferred)
680b0000 680c4000 atl (deferred)
680d0000 68109000 dxtrans (pdb symbols) d:\microsoftsymbols\dxtrans.pdb\E4EDE3D39A83480785C9FB66750055C62\dxtrans.pdb
68140000 681f2000 jscript (pdb symbols) d:\microsoftsymbols\jscript.pdb\B54425D3F535420FB551ACECE32040AD2\jscript.pdb
68200000 6822a000 msls31 (deferred)
68230000 687f5000 mshtml (pdb symbols) d:\microsoftsymbols\mshtml.pdb\45B7237A658B401286C40A6F480169D22\mshtml.pdb
68d60000 68e01000 dbghelp (deferred)
68f30000 68f3e000 pngfilt (deferred)
69840000 69876000 AudioSes (deferred)
69e00000 69e4f000 webio (deferred)
69e50000 69ea8000 winhttp (deferred)
69fb0000 69fbb000 imgutil (deferred)
6a040000 6a04b000 msimtf (deferred)
6b0f0000 6b0f8000 credssp (deferred)
6b200000 6b214000 devenum (deferred)
6ca30000 6ca8f000 sxs (deferred)
I checked, and this DLL is still there.
Re: Windows: a crash involving a web container
寒江雪
2015-11-04, 19:04 PM
0:000> vertarget
Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
kernel32.dll version: 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Machine Name:
Debug session time: Tue Oct 20 15:29:58.000 2015 (UTC + 8:00)
System Uptime: not available
Process Uptime: 0 days 0:03:25.000
Kernel time: 0 days 0:00:08.000
User time: 0 days 0:00:02.000
0:000> lm o
start end module name
00230000 002bb000 apputil T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\AppUtil.pdb
00400000 0080f000 baidubridge T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\dialog.pdb
00810000 00929000 bull80u T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Bull80U.pdb
00a70000 0319a000 libcef T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\libcef.dll.pdb
031a0000 0321d000 sqlite3 T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\sqlite3.pdb
050c0000 050e2000 rudplib T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\udt.pdb
05990000 059e0000 ImProtocol T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImProtocol.pdb
05a30000 05a48000 locallog T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\LocalLog.pdb
05ad0000 05b1b000 ImStorage T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\imStorage.pdb
05c60000 05d26000 NetService T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\NetService.pdb
06820000 069da000 imengine T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\ImEngine.pdb
078b0000 078f5000 skindll T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\SkinDLL.pdb
09610000 09680000 HistoryExplorer T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\HistoryExplorer.pdb
0ba80000 0bae3000 fmmgr T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\fmmgr.pdb
0be50000 0be6a000 memo T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Memo.pdb
10000000 10344000 basement T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\Basement.pdb
11ff0000 11ffa000 ddrawex (pdb symbols) d:\microsoftsymbols\ddrawex.pdb\77F109ED1AD24573B1BDB1EB1EDCEAA62\ddrawex.pdb
39700000 397eb000 riched20 T (no symbols)
63300000 644d6000 Flash32_19_0_0_185 T (no symbols)
64690000 64709000 mscms (pdb symbols) d:\microsoftsymbols\mscms.pdb\93303CBC777E44A592376E1F326E20172\mscms.pdb
64710000 64740000 dinput8 (export symbols) dinput8.dll
654e0000 654fb000 atl80 T (private pdb symbols) d:\microsoftsymbols\atl80.i386.pdb\DA17E56C93E04FE995DA16DF647C8B623\atl80.i386.pdb
66de0000 66e1f000 schannel (pdb symbols) d:\microsoftsymbols\schannel.pdb\3E364029B5124F2A9B86FA5812102A072\schannel.pdb
67480000 674d7000 dxtmsft (pdb symbols) d:\microsoftsymbols\dxtmsft.pdb\93C44267FE3A4256B787CF3663AB41C72\dxtmsft.pdb
674e0000 67fad000 igdumd32 T (no symbols)
67fb0000 67fb6000 dciman32 (pdb symbols) d:\microsoftsymbols\dciman32.pdb\5D634DE385204C3D889B9E6E938098B62\dciman32.pdb
67fc0000 680a7000 ddraw (pdb symbols) d:\microsoftsymbols\ddraw.pdb\497DBEEFB3854F24BC6A468137860ADA2\ddraw.pdb
680b0000 680c4000 atl (pdb symbols) d:\microsoftsymbols\atl.pdb\9A2474AB5BCA4AB8A34ADA69E8771BF92\atl.pdb
680d0000 68109000 dxtrans (pdb symbols) d:\microsoftsymbols\dxtrans.pdb\E4EDE3D39A83480785C9FB66750055C62\dxtrans.pdb
68140000 681f2000 jscript (pdb symbols) d:\microsoftsymbols\jscript.pdb\B54425D3F535420FB551ACECE32040AD2\jscript.pdb
68200000 6822a000 msls31 (pdb symbols) d:\microsoftsymbols\msls31.pdb\7919161B84F0418F9FCD19A720CF43902\msls31.pdb
68230000 687f5000 mshtml (pdb symbols) d:\microsoftsymbols\mshtml.pdb\45B7237A658B401286C40A6F480169D22\mshtml.pdb
68d60000 68e01000 dbghelp (pdb symbols) d:\microsoftsymbols\dbghelp.pdb\39559573E21B46F28E286923BE9E6A761\dbghelp.pdb
68f30000 68f3e000 pngfilt (pdb symbols) d:\microsoftsymbols\PNGFilt.pdb\69D8B465B19F454B99D2E9A95EB9FCCD2\PNGFilt.pdb
69840000 69876000 AudioSes (pdb symbols) d:\microsoftsymbols\AudioSes.pdb\CB4B0ADA67AF422B9DE62BEBC004011F2\AudioSes.pdb
69e00000 69e4f000 webio (pdb symbols) d:\microsoftsymbols\webio.pdb\A4D8EDEE321149F4931A8F77FF4AE1542\webio.pdb
0:000> .ecxr
eax=00000000 ebx=00000000 ecx=00000000 edx=13dd0468 esi=0000000b edi=00000000
eip=683e3773 esp=0018bc14 ebp=0018bc3c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
mshtml!CMarkup::GetLookasidePtr:
683e3773 8b90a4000000 mov edx,dword ptr [eax+0A4h] ds:002b:000000a4=????????
The eip address lies within the memory range of the loaded module.
The crash I'm seeing now happens after opening the page and clicking a button on it. It should be a problem with the JS script, but a JS script causing a crash is a bit hard to believe.
Re: Windows: a crash involving a web container
irp
2015-11-05, 06:11 AM
This is mshtml.dll from the wow64 directory on my Win7 x64 SP1. Even if the version differs from yours, there should be no big difference. The symbols for your dump are not quite right, even though WinDbg did not report a symbol mismatch; the instruction is wrong. In your dump it should be GetLookasidePtr+offset.
You can walk the stack manually: dps @esp - 100, and chain the frames together with ebp. Check every return address to make sure it is good and lines up with a symbol.
0:000> u 6363e207
mshtml!CMarkup::GetLookasidePtr:
6363e207 8bff mov edi,edi
6363e209 55 push ebp
6363e20a 8bec mov ebp,esp
6363e20c 8bd1 mov edx,ecx
6363e20e 83ec10 sub esp,10h
6363e211 8b4d08 mov ecx,dword ptr [ebp+8]
6363e214 8b82ac010000 mov eax,dword ptr [edx+1ACh]
6363e21a 25ff3f0000 and eax,3FFFh
Assuming what your WinDbg shows is correct, the CMarkup should be a null pointer. Enabling page heap with gflags might help. It could be a problem in mshtml. Also, it would be best if you can reproduce it on Win7 64-bit: the address space is larger, so page heap has less impact on the program.
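The manual stack walk irp recommends (take the module ranges from `lm`, dump the raw stack with `dps`, follow the saved-ebp chain and confirm every return address lands in a loaded module) is mechanical enough to script. The block below is an added example and not code from the thread: it parses `lm o` lines copied from the module list posted earlier, walks an EBP frame chain over a constructed stack buffer, and flags any frame whose return address falls outside every module. The frame addresses and return offsets are made up; the one deliberately bad return address, 3d1f8cc7, is the eip from the first post's XP-era trace, which no module in the Win7 list covers, so it is exactly the kind of stale or corrupt value this check is meant to surface.

```python
"""Validate a manually walked x86 frame chain against the `lm` module list.

Added example (not from the thread).  The stack bytes are constructed; the
module lines are copied from the `lm o` output posted earlier in the thread.
"""
import re
import struct

LM_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)


def parse_lm(text):
    """Parse `lm o` output into {module: (start, end)}; non-module lines are skipped."""
    modules = {}
    for line in text.splitlines():
        m = LM_RE.match(line.strip())
        if m:
            modules[m.group(3).lower()] = (int(m.group(1), 16), int(m.group(2), 16))
    return modules


def module_for(addr, modules):
    """Name of the module whose range contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def walk_ebp_chain(stack, base, ebp, modules, max_frames=64):
    """Follow [ebp] -> saved ebp and [ebp+4] -> return address, as `kb` does.

    Returns [(frame_ebp, ret_addr, module_or_None)] and stops when the saved
    ebp leaves the buffer or fails to move toward higher addresses.
    """
    frames = []
    for _ in range(max_frames):
        off = ebp - base
        if off < 0 or off + 8 > len(stack):
            break
        saved_ebp, ret = struct.unpack_from("<II", stack, off)
        frames.append((ebp, ret, module_for(ret, modules)))
        if saved_ebp <= ebp:  # a sane chain only grows upward
            break
        ebp = saved_ebp
    return frames


def bad_frames(frames):
    """Frames whose return address is outside every loaded module."""
    return [f for f in frames if f[2] is None]


# --- constructed input ----------------------------------------------------
LM_OUTPUT = r"""0:000> lm o
start end module name
00400000 0080f000 baidubridge T (private pdb symbols) e:\bridgefeedback\bridge_old_pdb\2_2_30_0\dialog.pdb
68140000 681f2000 jscript (pdb symbols) d:\microsoftsymbols\jscript.pdb\B54425D3F535420FB551ACECE32040AD2\jscript.pdb
68230000 687f5000 mshtml (pdb symbols) d:\microsoftsymbols\mshtml.pdb\45B7237A658B401286C40A6F480169D22\mshtml.pdb
"""
MODULES = parse_lm(LM_OUTPUT)

STACK_BASE = 0x0018B000
STACK = bytearray(0x2000)
# (ebp, saved ebp, return address).  Return addresses are made-up offsets into
# the listed modules, except 3d1f8cc7 in frame 2, which lies in no module.
FRAMES = [
    (0x0018BC3C, 0x0018BC6C, 0x683E40A1),  # mshtml
    (0x0018BC6C, 0x0018BCA8, 0x3D1F8CC7),  # stale address -> suspicious
    (0x0018BCA8, 0x0018BD10, 0x68173A8A),  # jscript
    (0x0018BD10, 0x00000000, 0x0040C590),  # baidubridge, end of chain
]
for ebp, saved, ret in FRAMES:
    struct.pack_into("<II", STACK, ebp - STACK_BASE, saved, ret)

if __name__ == "__main__":
    for ebp, ret, mod in walk_ebp_chain(STACK, STACK_BASE, 0x0018BC3C, MODULES):
        print(f"ebp={ebp:08x} ret={ret:08x} {mod or '<no module: stale or corrupt>'}")
```

A frame that resolves to no module is the signal to stop trusting the debugger's symbolised trace from that point on and, as irp says, to check the next return addresses by hand; if the address once belonged to a module that is no longer in `lm`, that is consistent with the unload-after-release scenario discussed earlier in the thread.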