c# - 了解 WinDbg 输出

Question

我有一个 Winform 应用程序 (C#)，它从 dll 导入一些函数。

有时在运行应用程序时会出现以下异常:

System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

我在 AppDomain.CurrentDomain.UnhandledException 中捕获了它。

所以我尝试用 WinDbg 调试它。我能够捕获异常并获得以下输出:

!analyze -v

FAULTING_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 087deadc
Attempt to read from address 087deadc

FAULTING_THREAD:  00000b1c

PROCESS_NAME:  App.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  087deadc

READ_ADDRESS:  087deadc 

FOLLOWUP_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xb1c (34)
Current frame: 
ChildEBP RetAddr  Caller,Callee

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[b1c] ; Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 7a0aa797 to 77e6c427

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd


STACK_COMMAND:  .ecxr ; ~~[b1c] ; .frame 0 ; ~34s ; kb

SYMBOL_NAME:  ure.dll!Unloaded

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ure.dll

IMAGE_NAME:  ure.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  750063

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_ure.dll!Unloaded

BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_ure.dll!Unloaded

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/App_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1

Followup: MachineOwner

---

这是什么意思？我应该用它做什么？

提前感谢任何提示!!

Answer 1

看起来 ure.dll 已被卸载，调用 NlsAnsiToUnicode MultiByteToWideChar() 引用它失败。您可以在 !analyze -v 之前运行 .symfix 来确认这一点。

那是您要导入的 DLL 吗？如果不是，你有内存损坏。否则，错误可能在该 DLL 中。您是否使用 P/Invoke 导入它？

---

是的，卸载的 DLL 信息已损坏。您可能会猜到，它是 .NET 的 culture.dll，Windbg 正在读取其中的“邪教”部分作为时间戳和校验和。尝试重新启动并执行以下操作:

.symfix
sxe ud
g

当断点命中时:

kb

(这是告诉 Windbg 运行直到 DLL 被卸载，然后转储堆栈)

运行一下让模块卸载，然后执行下面的命令。然后让 Windbg 运行，直到你得到异常，再次执行这个命令来比较:

db ntdll!RtlpUnloadEventTrace

(这是已损坏的卸载模块表的开头。)