How can I find the crash line of code from stack?

4

Now I have the crash info:

TestAPP caused an Access Violation (0xc0000005) in module XCrashReportTest.exe at 0023:5763c230.

Context:
EDI:    0x002aee0c  ESI: 0x002ad7f4  EAX:   0x00000000
EBX:    0x00000000  ECX: 0x57635670  EDX:   0x028c1d27
EIP:    0x5763c230  EBP: 0x002aee18  SegCs: 0x00000023
EFlags: 0x00010246  ESP: 0x002ad554  SegSs: 0x0000002b

Bytes at CS:EIP:
8b 08 52 50 8b 41 18 ff d0 8b 0d c8 e0 66 57 8b

Stack:
0x002ad554: 576504f7 002aee0c 002ad7f4 002ad570 ..eW..*...*.p.*.
0x002ad564: 002aee0c 5763c201 002aee18 002ad59c ..*...cW..*...*.
0x002ad574: 576490b1 5763c201 002aee0c 00000100 ..dW..cW..*.....
0x002ad584: 002ad5f4 57648d9f 75785eaa 57668e70 ..*...dW.^xup.fW
0x002ad594: 002aee0c 00000001 002ad604 5764d4d2 ..*.......*...dW
0x002ad5a4: 002aee0c 57668e70 5763c201 00000000 ..*.p.fW..cW....
0x002ad5b4: 00000100 75785d2a 57668e5c 002aee0c ....*]xu\.fW..*.
0x002ad5c4: 57668e4c 002add84 00000000 00000000 L.fW..*.........

I referred to XCrashReport : Exception Handling and Crash Reporting - Part 1.

But I find that sometimes the EIP differs when I run the same *.exe on the same machine. So sometimes I can't match the crash line of code with EIP (using the method described in XCrashReport : Exception Handling and Crash Reporting - Part 1). I don't know how to use the stack info.

Can anyone help me?

c++
windows
exception
mfc
asked on Stack Overflow Oct 14, 2012 by Triumphant

1 Answer

3

The only reasonable way to do this is to load your crash dump into the debugger and provide symbols, i.e. the .pdb files. This can be tricky because pdb files may not have enough info. Companies like Microsoft give out public PDB files that do not have information about the names of the local vars and other details. PDBs with full information are called public PDBs.

Sometimes the stack gets corrupted and this results in a "loss of control". Code picks up a return address that is garbage, loads this value into EIP and starts executing instructions from there. In this scenario the crash happens very soon, after executing just a couple of "instructions".

I mean that you need to figure out if your EIP is pointing to any code first.

answered on Stack Overflow Oct 14, 2012 by Kirill Kobelev • edited Oct 17, 2012 by Kirill Kobelev
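The answer's two points (check whether EIP actually points into code, then resolve addresses with symbols) can be applied to the raw text report even without a dump. The script below is an added example, not code from the question, the answer or the XCrashReport article. It takes the crash text exactly as posted, rebases EIP to a module-relative offset (RVA), which stays the same from run to run even when ASLR moves the image and the absolute EIP changes, scans the stack words for values that fall inside the module (the candidates worth treating as return addresses), and decodes the one-instruction case visible at CS:EIP. The module base and size are assumptions: the report above does not print them, so in a real session take them from the crash reporter's module list or from `lm` in WinDbg.

```python
import re

# The crash report text as posted in the question (copied here as constructed
# sample input so the script runs offline).
CRASH_REPORT = """\
TestAPP caused an Access Violation (0xc0000005) in module XCrashReportTest.exe at 0023:5763c230.

Context:
EDI:    0x002aee0c  ESI: 0x002ad7f4  EAX:   0x00000000
EBX:    0x00000000  ECX: 0x57635670  EDX:   0x028c1d27
EIP:    0x5763c230  EBP: 0x002aee18  SegCs: 0x00000023
EFlags: 0x00010246  ESP: 0x002ad554  SegSs: 0x0000002b

Bytes at CS:EIP:
8b 08 52 50 8b 41 18 ff d0 8b 0d c8 e0 66 57 8b

Stack:
0x002ad554: 576504f7 002aee0c 002ad7f4 002ad570 ..eW..*...*.p.*.
0x002ad564: 002aee0c 5763c201 002aee18 002ad59c ..*...cW..*...*.
0x002ad574: 576490b1 5763c201 002aee0c 00000100 ..dW..cW..*.....
0x002ad584: 002ad5f4 57648d9f 75785eaa 57668e70 ..*...dW.^xup.fW
0x002ad594: 002aee0c 00000001 002ad604 5764d4d2 ..*.......*...dW
0x002ad5a4: 002aee0c 57668e70 5763c201 00000000 ..*.p.fW..cW....
0x002ad5b4: 00000100 75785d2a 57668e5c 002aee0c ....*]xu\\.fW..*.
0x002ad5c4: 57668e4c 002add84 00000000 00000000 L.fW..*.........
"""

# ASSUMED module layout. The report does not print it; in a real session take
# it from the crash reporter's module list or `lm` in WinDbg.
MODULE_BASE = 0x57630000
MODULE_SIZE = 0x00050000

X86_REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def parse_report(text):
    """Pull module name, registers, code bytes and raw stack words out of the report."""
    hdr = re.search(r"in module (\S+) at [0-9a-f]{4}:([0-9a-f]{8})", text, re.I)
    regs = {n.upper(): int(v, 16)
            for n, v in re.findall(r"\b([A-Za-z]+):[ \t]+0x([0-9a-f]{8})", text)}
    code = bytes.fromhex(
        re.search(r"Bytes at CS:EIP:[ \t]*\n([0-9a-f ]+)", text, re.I).group(1))
    stack = []  # (slot address, 32-bit value) in ascending address order
    for base, words in re.findall(r"^0x([0-9a-f]{8}):((?:\s+[0-9a-f]{8}){1,4})",
                                  text, re.I | re.M):
        for i, w in enumerate(words.split()):
            stack.append((int(base, 16) + 4 * i, int(w, 16)))
    return hdr.group(1), regs, code, stack


def rva(addr, base=MODULE_BASE):
    """Module-relative offset: stable across runs even when the load address moves."""
    return addr - base


def in_module(addr, base=MODULE_BASE, size=MODULE_SIZE):
    return base <= addr < base + size


def candidate_return_addresses(stack, base=MODULE_BASE, size=MODULE_SIZE):
    """Stack words inside the module: the ones worth looking up as return
    addresses (a .map file or `ln` in WinDbg turns the RVA into a function).
    First pass only: pointers into the module's data sections also pass."""
    return [(slot, val, rva(val, base)) for slot, val in stack if in_module(val, base, size)]


def faulting_load(regs, code):
    """Decode only the case seen in this report: 8B /r (MOV r32, r/m32) with
    mod=00 and a plain register base. Returns (disassembly, address read) or
    None; this is not a general x86 decoder."""
    if len(code) < 2 or code[0] != 0x8B:
        return None
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod != 0 or rm in (4, 5):  # SIB / disp32 forms not handled
        return None
    return "mov %s,[%s]" % (X86_REGS[reg].lower(), X86_REGS[rm].lower()), regs[X86_REGS[rm]]


def analyse(text, base=MODULE_BASE, size=MODULE_SIZE):
    module, regs, code, stack = parse_report(text)
    return {
        "module": module,
        "eip_rva": rva(regs["EIP"], base),
        "eip_in_module": in_module(regs["EIP"], base, size),
        "fault": faulting_load(regs, code),
        "returns": candidate_return_addresses(stack, base, size),
    }


if __name__ == "__main__":
    r = analyse(CRASH_REPORT)
    print("%s+0x%x  (EIP inside module: %s)" % (r["module"], r["eip_rva"], r["eip_in_module"]))
    if r["fault"]:
        print("faulting instruction: %s -> reads 0x%08x" % r["fault"])
    for slot, val, off in r["returns"]:
        print("  [0x%08x] 0x%08x = %s+0x%x" % (slot, val, r["module"], off))
```

With the assumed base, EIP becomes XCrashReportTest.exe+0xc230, and that offset is what to look up in the linker .map file or with symbols, rather than the absolute 0x5763c230 that changes between runs. The first bytes at CS:EIP, 8b 08 52 50 8b 41 18 ff d0, decode to mov ecx,[eax]; push edx; push eax; mov eax,[ecx+18h]; call eax, i.e. a virtual call through an object pointer held in EAX; with EAX = 0 the first instruction reads address 0, which matches the access violation. Two stack words (0x75785eaa, 0x75785d2a) fall outside the module and belong to some other image, so they need that image's base to resolve.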

User contributions licensed under CC BY-SA 3.0