Developers.CatchingBugs
Let's see how we can analyze crash dumps created by Dr. Watson. This topic covers only NT systems and debug builds.
First, install Dr. Watson as the default debugger: Start -> Run -> drwtsn32 -i. Its log and dump files are usually saved in C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson. We also need to disable the Error Reporting service from Administrative Tools -> Services, otherwise it takes over the crash before Dr. Watson sees it.
Making .PDB files and analyzing crash dumps with the Windows Debugging Tools requires installing them, and debugging symbols are required too. How can we do without them? Let's set up the Shareaza project first.
Open the Shareaza project properties and, in the C/C++ branch, change the following:
Output Files -> Assembler Output: Assembly, Machine Code and Source (/FAcs)
The ASM List Location will be changed automatically.
Go to Linker options, General. Set Enable Incremental Linking to No (/INCREMENTAL:NO); an incrementally linked binary contains jump thunks and padding, so the addresses in the map file would no longer match the code. In the Debugging branch change these:
Generate Map File: Yes (/MAP)
Map File Name: $(OutDir)/$(ProjectName).map
Map Exports: Yes (/MAPINFO:EXPORTS)
Map Lines: Yes (/MAPINFO:LINES)
Now let's make Shareaza crash so that it generates a crash dump. We will use the Load function from the Downloads.cpp file. Add the two lines shown below to it:
<source lang="c">void CDownloads::Load()
{
    CSingleLock pLock( &Transfers.m_pSection, TRUE );
    WIN32_FIND_DATA pFind;
    CString strPath;
    HANDLE hSearch;

    // Deliberate write through a NULL pointer: this is what makes Shareaza crash
    char* pszChar = NULL;
    *pszChar = 'a';

    ...
</source>
That's it. Compile the debug build and launch Shareaza.exe. It will crash just after the GUI shows up. Now open drwtsn32.log from the Dr. Watson folder mentioned before and look at the stack back trace:
<pre>
*----> Stack Back Trace <----*
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr  Args to Child
0012fa2c 00584604 0442d90c 00000018 7ffdf000 Shareaza!CDownloadsLoad+0x77
</pre>
It's the last function that was executed. OK, let's find the CDownloads::Load function in the Downloads.cod file:
<source lang="c">; Function compile flags: /Ogty
_TEXT	SEGMENT
_strPath$ = -632					; size = 4
_hSearch$ = -628					; size = 4
$T1123227 = -624					; size = 4
$T1123229 = -620					; size = 4
_pLock$ = -616						; size = 12
_pFind$ = -604						; size = 592
$EHRec$ = -12						; size = 12
?Load@CDownloads@@QAEXXZ PROC NEAR			; CDownloads::Load
; _this$ = ecx

; 1143 : {</source>
The last commented line gives the exact line number in Downloads.cpp. We also see that CDownloads::Load appears under its decorated name, ?Load@CDownloads@@QAEXXZ. Open the Shareaza.map file generated at build time and search for this name. Here it is:
0001:00060da0 ?Load@CDownloads@@QAEXXZ 00461da0 f Downloads.obj
Its segment:offset address is 0001:00060da0. Let's search for it in the same file to find the line numbers:
<pre>
Line numbers for .\debug\shareaza\Downloads.obj(c:\documents and settings\administrator\my documents\visual studio projects\shareazasvn\trunk\shareaza\downloads.cpp) segment .text

    60 0001:0005cc60    61 0001:0005ccc2    62 0001:0005ccce    63 0001:0005ccda
...
  1137 0001:00060d34  1143 0001:00060da0  1144 0001:00060de2  1146 0001:00060df8
  1149 0001:00060e07  1150 0001:00060e11  1152 0001:00060e1a  1153 0001:00060e22
  1155 0001:00060e2a  1156 0001:00060e34  1158 0001:00060e3c  1159 0001:00060e8c
...
</pre>
It's line 1143, the same as in the .cod listing. Let's look back at the Dr. Watson log:
Shareaza!CDownloadsLoad+0x77.
We need to add 0x77 to 0x60da0, since 0x77 is the hexadecimal offset into this function. The result is 0x60e17 (use hex mode in the Calculator application). 0x60e17 is greater than the address of line 1150 (0001:00060e11) and less than the address of line 1152 (0001:00060e1a), so the faulting instruction lies between lines 1150 and 1152.
Open the Downloads.cod file and find these lines:
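The lookup just described (symbol base from the map file, plus the offset from the Dr. Watson frame, then a search through the line-number table) is easy to get wrong by hand when a function is long. The following script is an added example, not code from the Shareaza project or from this page; it automates the same steps over a map-file excerpt constructed from the listing above. It assumes that Dr. Watson prints exported C++ names with the "::" dropped, as seen in the log (CDownloadsLoad for CDownloads::Load), and that the frame offset and the symbol live in the same segment.

```python
"""Resolve a Dr. Watson frame such as Shareaza!CDownloadsLoad+0x77 to a source
line range using a linker .map file built with /MAP /MAPINFO:LINES."""

import re
from bisect import bisect_right

# Constructed excerpt of Shareaza.map, copied from this page's own listing.
MAP_EXCERPT = r"""
 0001:00060da0       ?Load@CDownloads@@QAEXXZ   00461da0 f   Downloads.obj

Line numbers for .\debug\shareaza\Downloads.obj(c:\documents and settings\administrator\my documents\visual studio projects\shareazasvn\trunk\shareaza\downloads.cpp) segment .text

  1137 0001:00060d34  1143 0001:00060da0  1144 0001:00060de2  1146 0001:00060df8
  1149 0001:00060e07  1150 0001:00060e11  1152 0001:00060e1a  1153 0001:00060e22
  1155 0001:00060e2a  1156 0001:00060e34  1158 0001:00060e3c  1159 0001:00060e8c
"""

# " 0001:00060da0  ?Load@CDownloads@@QAEXXZ  00461da0 f  Downloads.obj"
SYMBOL_RE = re.compile(
    r"^\s*(\d{4}):([0-9a-fA-F]{8})\s+(\S+)\s+([0-9a-fA-F]{8})\s+(?:f\s+)?(\S+)\s*$")
# "Line numbers for <obj>(<source>) segment .text"
LINE_HDR_RE = re.compile(r"^Line numbers for (\S+?)\((.*)\) segment (\S+)")
# one "<line> <seg>:<offset>" pair; several appear per line
LINE_RE = re.compile(r"(\d+)\s+(\d{4}):([0-9a-fA-F]{8})")


def parse_map(text):
    """Return (symbols, line_tables) parsed from .map file text.

    symbols:     decorated name -> (segment, offset, object file basename)
    line_tables: object file basename -> list of (offset, line) sorted by offset
    """
    symbols, line_tables, current = {}, {}, None
    for raw in text.splitlines():
        header = LINE_HDR_RE.match(raw)
        if header:
            current = header.group(1).replace("/", "\\").split("\\")[-1].lower()
            line_tables.setdefault(current, [])
            continue
        sym = SYMBOL_RE.match(raw)
        if sym:
            seg, off, name, _rva, obj = sym.groups()
            symbols[name] = (int(seg), int(off, 16), obj.lower())
            continue
        if current is not None:
            for lineno, _seg, off in LINE_RE.findall(raw):
                line_tables[current].append((int(off, 16), int(lineno)))
    for table in line_tables.values():
        table.sort()
    return symbols, line_tables


def flat_name(decorated):
    """Approximate the export name Dr. Watson shows for a C++ member function:
    ?Load@CDownloads@@QAEXXZ -> CDownloadsLoad. Simplified assumption: one
    class scope only; other names are returned as-is."""
    m = re.match(r"^\?(\w+)@(\w+)@@", decorated)
    if m:
        return m.group(2) + m.group(1)
    return decorated.lstrip("_")


def resolve_frame(frame, map_text):
    """Map 'Module!Function+0xNN' to (object, line_lo, line_hi, address).

    line_lo is the last source line whose code starts at or before the
    faulting address; line_hi is the next line in the table (None at the end)."""
    m = re.match(r"^(\w+)!(\w+)\+0x([0-9a-fA-F]+)$", frame)
    if not m:
        raise ValueError("unrecognised frame: %r" % frame)
    _module, func, disp = m.groups()
    symbols, line_tables = parse_map(map_text)
    for name, (_seg, off, obj) in symbols.items():
        if flat_name(name) == func:
            break
    else:
        raise LookupError("no map symbol matches %s" % func)
    addr = off + int(disp, 16)          # function start + offset from the frame
    table = line_tables[obj]
    offsets = [o for o, _ in table]
    i = bisect_right(offsets, addr) - 1  # last line entry not above addr
    if i < 0:
        raise LookupError("address 0x%x precedes the first line entry" % addr)
    line_hi = table[i + 1][1] if i + 1 < len(table) else None
    return obj, table[i][1], line_hi, addr


if __name__ == "__main__":
    obj, lo, hi, addr = resolve_frame("Shareaza!CDownloadsLoad+0x77", MAP_EXCERPT)
    print("0x%x in %s: between lines %d and %s" % (addr, obj, lo, hi))
```

Running it against the excerpt reports 0x60e17 in downloads.obj between lines 1150 and 1152, which is the result worked out by hand above. With a real map file, pass the whole file's text instead of the excerpt; the line tables of every object are parsed, and the one belonging to the symbol's object file is used.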
<source lang="c">; 1150 : 	*pszChar = 'a';

  02b16	c6 05 00 00 00
	00 61		 mov	 BYTE PTR ds:0, 97		; 00000061H

; 1151 : 
; 1152 : 	PurgeDeletes();</source>
Those are exactly the lines we added earlier to crash Shareaza: the store of 'a' (0x61) to address 0, the NULL pointer write.