Recently the data-separation driver has been blue-screening intermittently. The cause is hard to pin down, so the only option left is to analyze the server's dump file.
Dump file analysis is largely about working out why the blue screen happened. This kind of system-level error is among the more serious Windows errors (more serious still are hardware or software compatibility errors such as a black screen at boot). It only counts as "relatively" serious because Windows at least leaves a dump file for the user to analyze, so the cause can usually be found without too much trouble. A blue screen is generally either an exception or access violation in kernel-mode code, corruption of a kernel data structure, or a kernel error during boot or shutdown. Sometimes the blue screen flashes past and the system reboots immediately; sometimes it stays on screen waiting. Either way, the blue screen prints a stop code and some error information, but these hints are incomplete: at most you learn which module failed (a driver, for example). To learn more, short of a search engine, the best approach is of course dump file analysis. And if you want to dig deeper still, kernel debugging is better, although that requires some software support and debugging skill.
Types
There are three kinds of dump file: complete memory dump, kernel memory dump and small memory dump. The setting is visible under the Advanced options in System Properties.
A complete memory dump is too large: generally the size of physical memory or a little more, since it includes user-process pages. It is not practical; dumping 2GB of physical memory needs at least 2GB of disk space (plus the file header). A kernel memory dump is typically around 200MB (with physical memory under 4GB); it contains only the physical memory that belongs to kernel mode. A small memory dump is typically 64KB (128KB on 64-bit). These last two are the more commonly used.
A small memory dump is written under \Windows\Minidump as a file named Mini<date>-<sequence>.dmp. This precious resource is the state of the system at the moment of the crash, except that a small memory dump records only limited information. Furthermore, when you analyze it, if windbg has no symbol server path configured (on symbol servers, see "Windbg Kernel Debugging Part 2: Common Commands"), then the system you debug on must have the same Ntoskrnl.exe version as the system that blue-screened, otherwise symbols will not be found.
Start windbg and open the dump file with Open Crash Dump, or simply drag the file into windbg. windbg then shows the following:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\xinyuan\桌面\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sun Nov 14 10:39:57.213 2010 (UTC + 8:00)
System Uptime: 204 days 6:25:27.625
Loading Kernel Symbols
...............................................................
...........................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdd00c). Type ".hh dbgerr001" for details
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, f7248be2, b7818668, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for fltMgr.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for halmacpi.dll -
*** ERROR: Module load completed but symbols could not be loaded for DIOMonitor.sys
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : DIOMonitor.sys ( DIOMonitor+2739 )
Followup: MachineOwner
---------
This already gives a rough indication of what caused the blue screen.
Commands
Use the lm command to list the loaded modules. If "Unable to load image" appears, that file could not be found, and you should check whether the correct symbol files are loaded. Setting the symbol server path (the .symfix command) is very much necessary, because the environment of the debugging machine very likely differs from that of the crashed machine.
Run kb to display the call stack. With correct symbols configured you can see the names of the called functions. If you are debugging a blue screen in your own driver, make sure the symbol path for that driver is set correctly, otherwise you will get "Stack unwind information not available". After adding the correct symbol file (pdb), reload symbols with .reload.
!thread and !process display the current thread and process. Alternatively, use dt nt!_KTHREAD <address> and dt nt!_EPROCESS <address> to inspect the thread and process structures.
Windbg provides a mechanism for analyzing dump files automatically. With the command !analyze -v, windbg performs the analysis itself and shows the following:
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4c62488f
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
fltMgr!FltParseFileNameInformation+e
f7248be2 668b4e02 mov cx,word ptr [esi+2]
TRAP_FRAME: b7818668 -- (.trap 0xffffffffb7818668)
ErrCode = 00000000
eax=00000000 ebx=89044690 ecx=00000000 edx=783f0002 esi=00000000 edi=b7818744
eip=f7248be2 esp=b78186dc ebp=b78186ec iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
fltMgr!FltParseFileNameInformation+0xe:
f7248be2 668b4e02 mov cx,word ptr [esi+2] ds:0023:00000002=????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8082d800 to 80827c63
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b7818234 8082d800 0000008e c0000005 f7248be2 nt!KeBugCheckEx+0x1b
b78185f8 8088a262 b7818614 00000000 b7818668 nt!KeTerminateThread+0xee2
b781868c 80a5c456 00000000 00000000 00000023 nt!Kei386EoiHelper+0x1d2
b78186ec b8059739 00000000 89800338 898003ec hal!KfLowerIrql+0x62
b7818950 f7232b73 89800394 b7818974 00000000 DIOMonitor+0x2739
b78189b8 f7234fc2 00800338 00000000 89800338 fltMgr!FltRequestOperationStatusCallback+0x5bd
b78189cc f72354f1 89800338 8a1cae48 b7818a0c fltMgr!FltGetIrpName+0x57a
b78189dc f7235b83 894ca7d0 8a1cae48 89800338 fltMgr!FltGetIrpName+0xaa9
b7818a0c f72435de b7818a2c 00000000 00000000 fltMgr!FltGetIrpName+0x113b
b7818a48 8081df65 894ca7d0 8a1cae48 8a1cae48 fltMgr!FltProcessFileLock+0x220c
b7818a5c 808f8f71 b7818c04 8af86018 00000000 nt!IofCallDriver+0x45
b7818b44 80937942 8af86030 00000000 8a7fad60 nt!NtWriteFile+0x647d
b7818bc4 80933a76 00000000 b7818c04 00000040 nt!NtMakePermanentObject+0xe10
b7818c18 808eae25 00000000 00000000 814a9001 nt!ObOpenObjectByName+0xea
b7818c94 808ec0bf 0219f9b4 80100080 0219f950 nt!IoCreateController+0x507
b7818cf0 808eeb4e 0219f9b4 80100080 0219f950 nt!IoCreateFile+0xa3
b7818d30 8088978c 0219f9b4 80100080 0219f950 nt!NtCreateFile+0x30
b7818d64 7c9585ec badb0d00 0219f918 00000000 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb64
b7818d68 badb0d00 0219f918 00000000 00000000 0x7c9585ec
b7818d6c 0219f918 00000000 00000000 00000000 0xbadb0d00
b7818d70 00000000 00000000 00000000 00000000 0x219f918
STACK_COMMAND: kb
FOLLOWUP_IP:
DIOMonitor+2739
b8059739 85c0 test eax,eax
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: DIOMonitor+2739
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: DIOMonitor
IMAGE_NAME: DIOMonitor.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
The automatic analysis is generally organized as follows: stop-code explanation, trap-frame register state, blue-screen attributes (some divide-by-zero errors show up here), call stack, faulting instruction location (FOLLOWUP_IP), faulting source and assembly lines, faulting code line, and faulting module information (including the owner/followup).
The r command displays the register state at the moment of the crash and the last instruction.
The d command displays memory at a given address. Once the faulting code line has been located, you can go on to further kernel and system debugging.
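As an added example (not code from the original post), here is a small Python parser for the !analyze -v transcript format shown above. It decodes the BugCheck line and flags when a WRONG_SYMBOLS bucket or an unwind warning means the blamed module cannot be trusted until symbols are fixed. The sample transcript is a constructed, trimmed copy of the output above, and the bugcheck-name table is assumed to be extended by the reader.

```python
import re

# Constructed sample (not the post's transcript): a trimmed !analyze -v output in the same layout.
SAMPLE = """\
BugCheck 8E, {c0000005, f7248be2, b7818668, 0}
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
FAULTING_IP:
fltMgr!FltParseFileNameInformation+e
f7248be2 668b4e02 mov cx,word ptr [esi+2]
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b7818234 8082d800 0000008e c0000005 f7248be2 nt!KeBugCheckEx+0x1b
b7818950 f7232b73 89800394 b7818974 00000000 DIOMonitor+0x2739
b78189b8 f7234fc2 00800338 00000000 89800338 fltMgr!FltRequestOperationStatusCallback+0x5bd
MODULE_NAME: DIOMonitor
IMAGE_NAME: DIOMonitor.sys
BUCKET_ID: WRONG_SYMBOLS
"""

# 0x8E = KERNEL_MODE_EXCEPTION_NOT_HANDLED: args are exception code, faulting address, trap frame, 0.
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}  # assumed: extend with more codes
# kb frame layout: child-SP, return address, three stack args, symbol.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")

def parse_analyze(text):
    """Extract the triage-relevant fields from a !analyze -v transcript."""
    r = {"stack": [], "unreliable": False}
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    r["bugcheck"] = int(m.group(1), 16)
    r["args"] = [int(a, 16) for a in m.group(2).split(", ")]
    r["bugcheck_name"] = BUGCHECK_NAMES.get(r["bugcheck"], "UNKNOWN")
    for key in ("EXCEPTION_CODE", "MODULE_NAME", "IMAGE_NAME", "BUCKET_ID"):
        m = re.search(rf"^{key}: (.*)$", text, re.M)
        r[key.lower()] = m.group(1).strip() if m else None
    m = re.search(r"^FAULTING_IP:\n(\S+)$", text, re.M)
    r["faulting_ip"] = m.group(1) if m else None
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            r["stack"].append((int(fm.group(1), 16), int(fm.group(2), 16), fm.group(3)))
        elif line.startswith("WARNING: Stack unwind information not available"):
            r["unreliable"] = True
    # A WRONG_SYMBOLS bucket or an unwind warning means the blamed module is provisional.
    r["unreliable"] = r["unreliable"] or r["bucket_id"] == "WRONG_SYMBOLS"
    return r

def triage(r):
    """One-line verdict that says whether symbols must be fixed before trusting the blame."""
    note = "fix symbols (.symfix; .reload) first" if r["unreliable"] else "symbols OK"
    return f"0x{r['bugcheck']:X} {r['bugcheck_name']} in {r['image_name']} via {r['faulting_ip']} [{note}]"
```

Run it over a directory of saved !analyze -v transcripts to sort crashes by bugcheck code and blamed image before opening each dump by hand.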
This article is from a CSDN blog; please credit the source when reposting: http://blog.csdn.net/hanxin1987216/archive/2010/11/17/6014584.aspx