
We are observing a sporadic issue at our customer site. So we collected the dump and analysed it using WinDbg. From that we came to know there was an Access Violation Exception. The exact line is highlighted in the screenshot attached. (Screenshot from WinDbg)

Is there any way to check, using WinDbg, which pointer reference the exception is occurring because of? I also tried the Locals window in WinDbg, but still it did not help. (Locals window from WinDbg)

I tried Visual Studio, and read a lot to see if there is a way. No luck :(

Thank you so much for your time.

Edit 1: `r` and `ub` command output in WinDbg (screenshot)

Edit 2: `dt ModuleDef` command result (screenshot)

Nitheesh Kedlaya
  • Dump the register state with `r`, dump the assembly for the currently executing code with `ub`. Correlate with your code, and inspect your variables with `dt` – Botje Aug 27 '20 at 13:05
  • Without knowing anything about your code I would guess that `ptModuleDef` is null, or `ptModuleDef->ptAssocDef` is null. – Botje Aug 27 '20 at 13:13
  • I suppose shipping a version with debug symbols would result in a core dump with symbol information? – Peter - Reinstate Monica Aug 27 '20 at 13:14
  • @Botje I got the exact line from my code. But the variable I am not getting. Sorry, I am very new to WinDbg, if I am asking silly questions. I used the 3 commands as you said also. ptModuleDef is not NULL because we have a check for that. – Nitheesh Kedlaya Aug 27 '20 at 13:14
  • @Peter-ReinstateMonica We have the symbols and have loaded the symbols also. – Nitheesh Kedlaya Aug 27 '20 at 13:16
  • Edit your question with the contents of the two commands I showed. It would also help if you included the output of `dt -r2 ptModuleDef` so we know its structure. – Botje Aug 27 '20 at 13:18
  • Please post code as text, not images. – Botje Aug 27 '20 at 13:32
  • I specifically asked for `dt` output because I wanted to know if `ptAssocDef` was at offset 0x15c from the start of your `ModuleDef` type. If you don't want to share that, please just do `dt ModuleDef` and see what its offset is. EDIT: I'm pretty certain `ptModuleDef->ptAssocDef` is null. – Botje Aug 27 '20 at 13:33
  • This is basic reverse-compiling. You need to understand assembly language if you're going to debug at this level. The `push [eax]` is probably the `apszFullSOPList[intCounter]`, seeing as it's also the loop control and is probably already enregistered. This makes `mov eax, [esi+68h]` a load of something, and `push [eax+15ch]` a parameter. The other parameter is `intAssocID`, so working backward the push is probably the `->intAssocID`, which means that the `mov eax, [esi+68h]` is probably `ptModuleDef->ptAssocDef`. Since `eax` is zero in the crash dump, this means that `ptAssocDef` is null. – Raymond Chen Aug 27 '20 at 13:41
  • @Botje Updated the question with the dt command output, thank you. – Nitheesh Kedlaya Aug 27 '20 at 13:43
  • @RaymondChen Thank you. Is ptModuleDef->ptAssocDef null, or is there any way it might have been corrupted?? I have this worry because we are executing the following code after this line. This is legacy code. `if (ptModuleDef->ptAssocDef) { delete ptModuleDef->ptAssocDef; }` – Nitheesh Kedlaya Aug 27 '20 at 13:44
  • The value of the `eax` register is right there in the debug output. `eax=00000000`. – Raymond Chen Aug 27 '20 at 13:45
  • `delete` on a NULL pointer is a no-op. Also, it happens *after* the crashing line, so it is not (yet) a concern. – Botje Aug 27 '20 at 13:50
  • To supplement @RaymondChen's comment (should probably be an answer by itself): `ptAssocDef` is at offset 0x68, and your crash is trying to dereference the result of `[esi+68h]`. – Botje Aug 27 '20 at 13:52
  • @Botje and RaymondChen The line where the exception is happening (`Clear_Negotiation_Info(ptModuleDef->ptAssocDef->intAssocID, apszFullSOPList[intCounter]);`): we are planning to remove this piece of code by using some other APIs which don't use ptAssocDef. Then is it still necessary for me to execute this piece: `if (ptModuleDef->ptAssocDef) { delete ptModuleDef->ptAssocDef; ptModuleDef->ptAssocDef = NULL; }`? I am worried that if the pointer is corrupted it might give some other issue. But if it is only null then it won't cause any harm, right? – Nitheesh Kedlaya Aug 27 '20 at 13:56
  • https://stackoverflow.com/questions/4190703/is-it-safe-to-delete-a-null-pointer – Raymond Chen Aug 27 '20 at 14:31
  • @RaymondChen thank you so much... – Nitheesh Kedlaya Aug 27 '20 at 14:35
  • @Botje thank you so much.. – Nitheesh Kedlaya Aug 27 '20 at 14:36
  • In the `ub` output esi+68 becomes 0, so you need to find out why. – blabb Aug 28 '20 at 10:34
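The comment thread above maps the disassembly back to the source line: `mov eax, [esi+68h]` loads `ptModuleDef->ptAssocDef`, and `push [eax+15ch]` then reads `ptAssocDef->intAssocID` through a null `eax`. The program below is an added example, not code from the question or from the asker's project: it uses constructed, hypothetical `ModuleDef` and `AssocDef` layouts whose padding is chosen so that `offsetof` reproduces the two displacements 0x68 and 0x15c seen in the dump, and it places the unchecked chained dereference beside a checked version plus a release routine that nulls the pointer after freeing it. `ASSOC_ID_NONE`, `run_scenario` and the `free`-based release (standing in for the C++ `delete`) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed layouts (hypothetical): padding puts the members at the offsets
 * the disassembly in the question implies, so that
 *   ptModuleDef->ptAssocDef     is [esi+68h]
 *   ptAssocDef->intAssocID      is [eax+15Ch]. */
typedef struct AssocDef {
    unsigned char pad[0x15c];
    int intAssocID;
} AssocDef;

typedef struct ModuleDef {
    unsigned char pad[0x68];
    AssocDef *ptAssocDef;
} ModuleDef;

#define ASSOC_ID_NONE (-1)   /* hypothetical sentinel for "no association" */

/* Unchecked chained dereference: the shape of the crashing line. With
 * ptAssocDef == NULL the second load reads address 0x15c, which is an access
 * violation on Windows (eax=00000000 in the dump). Never call this on NULL. */
int assoc_id_unchecked(const ModuleDef *ptModuleDef) {
    return ptModuleDef->ptAssocDef->intAssocID;
}

/* Hardened form: validate every link of the chain before following it. */
int assoc_id_checked(const ModuleDef *ptModuleDef) {
    if (ptModuleDef == NULL || ptModuleDef->ptAssocDef == NULL)
        return ASSOC_ID_NONE;
    return ptModuleDef->ptAssocDef->intAssocID;
}

/* Releases the association and clears the pointer, so a later pass sees NULL
 * rather than a dangling pointer to freed memory. free(NULL), like delete on a
 * null pointer, is a no-op, so calling this twice is harmless. */
void release_assoc(ModuleDef *ptModuleDef) {
    if (ptModuleDef == NULL) return;
    free(ptModuleDef->ptAssocDef);
    ptModuleDef->ptAssocDef = NULL;
}

/* The two displacement values from the disassembly, by member name. */
size_t offset_of_ptAssocDef(void) { return offsetof(ModuleDef, ptAssocDef); }
size_t offset_of_intAssocID(void) { return offsetof(AssocDef, intAssocID); }

/* Walks the full lifecycle on a constructed ModuleDef and returns 1 if every
 * expectation holds: NULL lookup yields the sentinel, an attached AssocDef is
 * read back, and a double release leaves the pointer NULL. */
int run_scenario(void) {
    ModuleDef m = {0};                          /* constructed: ptAssocDef == NULL */
    if (assoc_id_checked(&m) != ASSOC_ID_NONE) return 0;

    m.ptAssocDef = calloc(1, sizeof *m.ptAssocDef);
    if (m.ptAssocDef == NULL) return 0;
    m.ptAssocDef->intAssocID = 42;              /* constructed sample id */
    if (assoc_id_checked(&m) != 42) return 0;
    if (assoc_id_unchecked(&m) != 42) return 0; /* safe only because the chain is intact */

    release_assoc(&m);
    if (m.ptAssocDef != NULL) return 0;
    release_assoc(&m);                          /* second release: no-op, no double free */
    return m.ptAssocDef == NULL;
}

int main(void) {
    printf("ptAssocDef at +0x%zx, intAssocID at +0x%zx\n",
           offset_of_ptAssocDef(), offset_of_intAssocID());
    printf("scenario %s\n", run_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The `offsetof` values are the check to run against your own types: if `dt ModuleDef` shows `ptAssocDef` at a different offset than the `68h` in the disassembly, the load is not the member you think it is and the mapping has to be redone.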

0 Answers