XCrashReport : Exception Handling and Crash Reporting - Part 1

• Download demo project - 31 Kb

Introduction

One of the biggest challenges for a developer is to debug a program that has been put into production or shipped to a customer. On the developer's workstation, the program works fine. But on the customer's system, there are random crashes. There is often no direct access to the customer's system, because of distance. Writing to the event log or other log file may be helpful, but can only point in a direction, not give a precise location.

This was the state I was in when I read Bruce Dawson's paper on Release Mode Debugging. Dawson's paper discusses several techniques that I had never encountered before, including how to capture the instruction pointer (ip) of a crash, and how to plug the ip into VC++ and go directly to the source line of the crash. (I am talking about VC++ 6.0 here, not .Net).

These new techniques led me toward the holy grail of developers: being able to see a stack trace of each function that led up to the crash. At several points along the way, I thought to myself, "Well, this is pretty complete, there's nothing more to add." But then I would see there was another approach, another API I had overlooked, and I kept on.

Bruce Dawson's Techniques

The key to Dawson's approach is to generate debug symbols for the release build (I will discuss how later on.) Then whenever you release a new version, you archive the pdb file along with the exe file. Here is one thing I did not know: you can open an exe in DevStudio, step into it, enter an ip, and you will immediately be looking at the source line. This is assuming, of course, that you have the pdb file that corresponds with the exe. Oh, yes, and you will need the instruction pointer (ip).

This was the second revelation for me. Tucked away in Dawson's article was a link to some source code that he had published in Game Developer Magazine. The code included an exception handler that captured the ip, system info, and stack at the time of the crash. Best of all, there was also code that could be included in any MFC application, that would automatically call Dawson's exception handler. Here are Dawson's step-by-step directions to add an exception handler to any MFC app:

Preparation

1. Set up your release build to generate debug symbols (pdb)
2. Include these files in your project:
3. Recompile the entire project.



• In your VC++ project, go to Project | Settings. Make sure the Release configuration is selected in the Settings For combobox on the left. Go to the C/C++ tab, select the General category, and select Program Database in the Debug Info combobox. This tells the compiler to generate debug information.

  

• Go to the Link tab and check Generate debug info. This tells the linker to collate debug information into .pdb files. The linker also puts the name of the .pdb file in the executable, so the debugger can find it.
• On the same Link tab, enter /OPT:REF at the end of the Project Options list. This tells the linker to eliminate functions and/or data that are never referenced. This is the usually the default for release builds, but it gets turned off when you tell the linker to generate debug information. Failing to specify /OPT:REF will cause your executables and DLLs to get 10-20% larger.

  



• ExceptionAttacher.cpp
• ExceptionHandler.cpp - should be set to Not using precompiled headers on the C/C++ tab (Precompiled Headers).
• ExceptionHandler.h
• GetWinVer.cpp
• GetWinVer.h
• MiniVersion.cpp
• MiniVersion.h
• CrashFileNames.h


Tuck away the exe and pdb files. Do not ship the pdb file to customers - this is both unnecessary and may be helpful to someone wanting to reverse-engineer your program.

Theory Into Practice

When your app crashes, it will now call an exception handler that writes out the ip, system info, and stack to a file called ERRORLOG.TXT. In the download there is a sample project called Test1 that demonstrates this use of Dawson's exception handler.

Here is what the first part of ERRORLOG.TXT looks like:

Test1 caused an Access Violation (0xc0000005) 
in module Test1.exe at 001b:00402cc0. <=== HERE IS THE IP

Exception handler called in ExceptionAttacher.cpp - AfxWinMain.
Error occurred at 10/18/2003 19:05:08.
D:\temp1\XCrashReportTest\1.1\Test1\Release\Test1.exe, run by hdietrich.
Operating system:  Windows XP (5.1.2600).
1 processor(s), type 586.
32% memory in use.
1024 MBytes physical memory.
687 MBytes physical memory free.
2462 MBytes paging file.
2253 MBytes paging file free.
2048 MBytes user address space.
2033 MBytes user address space free.
Write to location 00000000 caused an access violation.

Context:
EDI:    0x0012fe70  ESI: 0x004043c0  EAX:   0x00000000
EBX:    0x00000001  ECX: 0x0012fe70  EDX:   0x00000000
EIP:    0x00402cc0  EBP: 0x0012f82c  SegCs: 0x0000001b
EFlags: 0x00010246  ESP: 0x0012f820  SegSs: 0x00000023

Bytes at CS:EIP:
c7 05 00 00 00 00 00 00 00 00 c3 90 90 90 90 90 

Stack:
0x0012f820: 73dd23d8 004043c0 00000111 0012f85c .#.s.C@.....\...
0x0012f830: 73dd22ae 0012fe70 000003e8 00000000 .".sp...........
0x0012f840: 00402cc0 00000000 0000000c 00000000 .,@.............
0x0012f850: 00000000 0012fe70 000003e8 0012f880 ....p...........
0x0012f860: 73dd8fc5 000003e8 00000000 00000000 ...s............
0x0012f870: 00000000 000003e8 0012fe70 00000000 ........p.......
0x0012f880: 0012f8d0 73dd2976 000003e8 00000000 ....v).s........
0x0012f890: 00000000 00000000 0012fe70 0012fe70 ........p...p...

.
.
.

OK, now we have an ip, plus the exe and its pdb file. The next step is to start up DevStudio, then go to File | Open and browse to the release build of your exe (in this case, ..\Test1\Release\Test1.exe). Next click on Step Into (F11). You should now see this:

Go to View | Debug Windows | Registers. You will see the Registers window:

Now click before the hex value of the EIP register and enter the crash ip (from ERRORLOG.TXT, we know this is 00402cc0). You cannot cut and paste - you must type this in. When typing it in, the changed address will be displayed in red:

When you are finished typing it in, hit Enter, and you will see this:

Summary

We have just gone from a crashed app to the (approximate) source line with just one piece of information - the crash instruction pointer. We have obtained this crash ip fairly simply - without having to modify any existing source code. The cost: the size of the release app (Test1.exe) went from 21 KB to 29 KB. For most commercial apps today, this size differential is insignificant.

Knowing where an app crashed is important, but sometimes you also need to know how it got to where it crashed. This is what I will discuss in Part 2.

Non-MFC Applications

Dawson's ExceptionHandler.cpp can also be used in non-MFC applications. Here is an example that shows how to use it in a Win32 application:

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
    LPTSTR lpCmdLine, int nCmdShow)
{
    int nResult = -1;
    __try
    {
        nResult = DoSomeStuff(hInstance, hPrevInstance, lpCmdLine, nCmdShow);
    }
    __except(RecordExceptionInfo(GetExceptionInformation(), "WinMain"))
    {
        // Do nothing here - RecordExceptionInfo() has already done
        // everything that is needed. Actually this code won't even
        // get called unless you return EXCEPTION_EXECUTE_HANDLER from
        // the __except clause.
    }
    return nResult;
}

Revision History

Version 1.1 - 2003 October 19

• Initial public release

Usage

This software is released into the public domain. You are free to use it in any way you like, except that you may not sell this source code. If you modify it or extend it, please to consider posting new code here for everyone to share. This software is provided "as is" with no expressed or implied warranty. I accept no liability for any damage or loss of business that this software may cause.

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 27 (Total in Forum: 27) (Refresh) FirstPrevNext

Problem with address smaller than 00400000 Erik 21:06 30 Sep '09   Thanks alot for this article. However, I have a problem understanding what really happens here, I have a VC 6.0 project, and I bult in an error code right at the end of my main function, and I get a crash report saying my app is crashing at 0038eb56 But the point is: my preferred load address in the map file says it is 00400000 To determine the line number, the document says to subtract the load address + 0x1000 from the crash address, which gives me: 0038eb56 - 00400000 - 0x1000 which will give a negative result. So the crash address should always be greater than 00400000, or am I getting something wrong here? Since the crash happens in main(), and I am trying to write data to a NULL poonter just as in your example, I wonder why I do not get a crash address bigger than 00401000 :( Sign In·View Thread·PermaLink Optimisation mast be disabled! vaadim 6:51 28 May '09   Is it true? Sign In·View Thread·PermaLink Not Handling Exception in Thread Member 4736797 20:52 27 Mar '08   Thanks For U r nice Application. In normal program it works perfectly , but in Threadfunction it can't handle the Exception. I have tried a lot.Any Help on this is highly apprerciated. Sign In·View Thread·PermaLink 3.67/5 (2 votes) Does it work w/ VS 2005? Wes Jones 9:18 15 Jun '07   I converted this project by openining it in VS 2005, built, ran & crashed it. When I open Test1.exe in a new instance of VS 2005, I don't have the option to hit F11. I can see the resources, dialogs, etc, but no "Step Into" Any suggestions? Thanks Sign In·View Thread·PermaLink 1.33/5 (2 votes) unresolved external problem... [modified] James Wise 14:14 5 Dec '06   Hi i am trying to implement your code in a project of mine, I have made a few basic adjustments to parts of the code to ensure that compiles in a UNICODE project, however when i try and compile i am getting a unresolved external symbol error, for details see below.... (visual studio.Net 2005, MFC + c++) ExceptionAttacher.obj : error LNK2019: unresolved external symbol "int __cdecl RecordExceptionInfo(struct _EXCEPTION_POINTERS *,char const *)" (?RecordExceptionInfo@@YAHPAU_EXCEPTION_POINTERS@@PBD@Z) referenced in function "int __stdcall AfxWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)" (?AfxWinMain@@YGHPAUHINSTANCE__@@0PA_WH@Z) I am surprised to see this happening since i can see that this function is present in the ExceptionHandler.cpp file? any hints or suggestions as to how i might fix this issue? Thanks, James Wise PS. it looks like a great bit of code/functionality if i can manage to get it to work properly. -- modified at 22:42 Tuesday 5th December, 2006 Sign In·View Thread·PermaLink Re: unresolved external problem... o_nix 3:38 13 Aug '07   Be careful with LPCTSTR vs. LPCSTR. Sign In·View Thread·PermaLink Debugging in borland builder Alexey_F 3:05 30 Jun '06   Hi, Is there some way to do this exe debugging for borland generated code? Thanks. Sign In·View Thread·PermaLink 001b:00000000 vjedlicka 3:58 16 May '06   Hi, does anyone know why I am getting all zeros? myApp caused an Access Violation (0xc0000005) in module myApp.exe at 001b:00000000. Thanks for advice Vaclav -- modified at 8:58 Tuesday 16th May, 2006 Sign In·View Thread·PermaLink Re: 001b:00000000 vjedlicka 22:37 16 May '06   It seems to be caused by the fact that it crashes in a different thread. Crashes in main thread can be detected as described in the article. Anyway, very useful code and series of articles! Thank you very much! Vaclav Sign In·View Thread·PermaLink Good work, but.. Bob Stanneveld 3:00 22 Dec '05   Hello, First I want to compliment on this excellent piece of debug-aided code. I have one question though: why do you want to avoid the C-Runtime in your code? I've read some comments in the source code about this. I was wondering why. Behind every great black man...             ... is the police. - Conspiracy brother Blog[^] Sign In·View Thread·PermaLink Getting it to work in VC7 Mike Smithwick 8:52 5 Oct '05   Great article, but since it was done under VC6 and not VC7 (aka ".NET"), virtually all of the steps to find the crash point don't work! (Gotta love MS!) First, when loading in the .exe, the article says to use "File->Open". In VC7, this should be "File->Open Project". Otherwise, using just Open will merely load in the resources from the .exe. Next, doing an F11, will take you to the assembly of the WinMain routine, immediately above your own code. So you'll need to do a couple of F11s to get into your source. The Register window no longer permits you modify the registers. You need to go to the Watch window, type in "EIP", which will recognize that as a register. At this point you can modify it's contents. Going back to the actual Register window will show the new data in red, proving that they have been changed. In order to get to the crash point, ENTER will not work as described. You need to do an F10 to force the display to refresh at the new IP. And since it is a crash, you will probably get a crash dialog out of it as well. Sign In·View Thread·PermaLink 5.00/5 (3 votes) Re: Getting it to work in VC7 ngcoders 12:53 11 Jul '08   thx for the getting around on vc 7 Sign In·View Thread·PermaLink 3.00/5 (1 vote) thanksCan it work for console application? Roinka 1:22 15 Sep '05   Hi, how can I use it for console applications? Sign In·View Thread·PermaLink 1.93/5 (7 votes) Two usage questions reimar 11:45 8 Sep '05   Hey, As the previous poster asked, I'm wondering how this technique can be used with dlls. I can compile the dll with debug information, but then if a crash occurs in the dll, how do I use the ERRORLOG.TXT to find the correct line? Is this possible? Second, I'm having a problem with part 3 of the article. It all works as described when I build a crash into my app, run it, and use WinDbg to analyze the CRASH.DMP file. However, when I give this exe to someone else and they run it on their computer, and then send me the resultant CRASH.DMP file, I cannot access the callstack with this file. It only gives me the last line that actually crashed (same info as the errorlog), but nothing further. Has anyone else had this problem, and have any idea what to do about it? Thanks for any help, Reimar Sign In·View Thread·PermaLink 2.00/5 (1 vote) Just excellent Robert W. 2:32 25 Jul '05   Sign In·View Thread·PermaLink 1.00/5 (1 vote) exception in system dll? evian.w@gmx.net 5:03 28 Oct '04   Hello Hans (and Bruce of course), first of all: many thanks for the great work. I integrated the supplied sources into my project because I have to find an strange error in my MFC app. Mutek's BugTrapper reports a Bug in MyListCtrl::OnCtlColor(CDC* pDC, CWnd* pWnd, UINT nCtlColor) { HBRUSH hbr = CListCtrl::OnCtlColor(pDC, pWnd, nCtlColor); // He claims that the brush object isn't valid (only in Release mode, of course!). But I can't find the error. So I decided to try this code for exception handling and crash reporting. Maybe I get a different or better error report. But if I edit the IP got from the errorlog.txt file developer studio only shows the adress 0012d152() in the call stack. And there's no way to get the source code line. Maybe I do something wrong? Who can help me? Cheers, Oliver Sign In·View Thread·PermaLink 2.00/5 (1 vote) Does this work with VC.NET? markusha 22:54 10 Sep '04   I like your tip but does it work with VC.NET? I tried to build your sample app in VC.NET and then load it in VC6. Hitting F11 shows the message box "Test1.exe does not contain debug information. Press OK to continue." So I guess this does not work with VC.NET builds since they produce different PDB files? Do you or anyone know a way to overcome this? Loading the EXE in VC.NET has F11 disabled. TIA Markus Sign In·View Thread·PermaLink Re: Does this work with VC.NET? hyling 5:51 16 Sep '04   I'm using VC.NET and it works fine for me if I start the project, then hit F11 and enter the IP. Sign In·View Thread·PermaLink 2.00/5 (1 vote) Can not change the EIP value! Dhafir 16:08 17 Jun '04   Hi, and thanks for the article I can not change the value of the EIP address no matter how I try. It seems non-editable. Am I missing something here? Thanks Dhafir Sign In·View Thread·PermaLink Re: Can not change the EIP value! Dhafir 16:13 17 Jun '04   Sorry, I managed to do it. I had to right-click on the value and untick the "Floating Point Registers" menu item in the context menu to make it mutable. Thanks, Dhafir Sign In·View Thread·PermaLink The simple solution - erangi 23:07 23 Jan '08   For the sake of future readers (have just came across this problem myself), here's a more simple solution: In the watch window, type @EIP. This will show the (decimal) value of the register. The register's value can then be manipulated directly, without the registers window. This goes to any of the registers. Just type @ and the name of the register in the watch window. Sign In·View Thread·PermaLink 5.00/5 (1 vote) Re: The simple solution - Howard Robinson 4:01 11 Mar '09   Thanks for the tip on the watch window! Sign In·View Thread·PermaLink Need guidance Khurram_iiui 4:44 28 May '04   It does not create ErrorLog.txt when application crashes due to memory read error.so how could i produce this ErrorLog.txt... Regards. thanx.. Khurram Sign In·View Thread·PermaLink Re: Need guidance Hans Dietrich 7:24 30 May '04   The first thing to do is make sure that the exception handler is hooked up properly. Try something like assigning a value to a NULL pointer. This should put you into the exception handler - this is how the demo app works. You can verify you get to the exception handler with a breakpoint or a TRACE staement. If you are not getting to the exception handler, then it is not set up properly. Compare what you are doing with the demo app. If this does not help you, please post more details here. Sign In·View Thread·PermaLink Re: Need guidance Khurram.Shahzad 23:13 30 May '04   First Exception handler is hooked properly in my application because i get ErrorLog.txt when i assign a value to NULL pointer,then i tracked the function successfully. I am working on stress Tester for a messaging Application.It work fine for 15-20 min then it crashes with the following message. 0X73DE6EEC REFERENCE AT 0X00000000 COULD NOT BE READ. this time it does not produce ErrorLog.txt and i am unable to track this address till now. thanx for reply.. Regards. Khurram Sign In·View Thread·PermaLink 1.00/5 (1 vote)

Last Visit: 21:50 9 Feb '10     Last Update: 21:50 9 Feb '10 12 Next »