1.示例异常代码
cpp
#include "TestGetDataLib.h"
TestGetDataLib::TestGetDataLib()
{
}
int TestGetDataLib::getTransData(int d)
{
int n = d + *m_pA + *m_pB;
return n;
}2.无PDB文件分析
无PDB文件,用winDbg工具分析dump文件的日志
bash
Microsoft (R) Windows Debugger Version 10.0.22621.755 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\dev__\TestCrash\TestDump\20260512_142003.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 19044 MP (16 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Tue May 12 14:20:03.000 2026 (UTC + 8:00)
System Uptime: 1 days 5:37:23.915
Process Uptime: 0 days 0:00:16.000
................................................................
.................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(4f88.513c): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000001 ebx=00000000 ecx=0060d5c8 edx=0060fe24 esi=76153b70 edi=090405e8
eip=77d23acc esp=0060bb30 ebp=0060bb3c iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
ntdll!NtGetContextThread+0xc:
77d23acc c20800 ret 8
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify timestamp for Qt5Widgets.dll
*** WARNING: Unable to verify timestamp for Qt5Core.dll
DBGHELP: Timeout to store: C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\sym*https://msdl.microsoft.com/download/symbols
DBGHELP: Timeout to store: https://msdl.microsoft.com/download/symbols
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: NullPtr
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 2093
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 76204
Key : Analysis.Init.CPU.mSec
Value: 625
Key : Analysis.Init.Elapsed.mSec
Value: 13363
Key : Analysis.Memory.CommitPeak.Mb
Value: 161
Key : Timeline.OS.Boot.DeltaSec
Value: 106643
Key : Timeline.Process.Start.DeltaSec
Value: 16
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: 20260512_142003.dmp
CONTEXT: (.ecxr)
eax=00000000 ebx=0060fe24 ecx=0060d5c8 edx=0060fe24 esi=00000002 edi=00000001
eip=6e0814d5 esp=0060d5ac ebp=0060d638 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
TestGetDataLib!ZN14TestGetDataLib12getTransDataEi+0x5:
6e0814d5 8b00 mov eax,dword ptr [eax] ds:002b:00000000=????????
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 6e0814d5 (TestGetDataLib!ZN14TestGetDataLib12getTransDataEi+0x00000005)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
PROCESS_NAME: MainWin.exe
READ_ADDRESS: 00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0060d638 00401aae 00000000 00000026 0060d738 TestGetDataLib!ZN14TestGetDataLib12getTransDataEi+0x5
0060d718 620acbb0 0157e4a8 00000009 0060d738 MainWin+0x1aae
0060d758 620ae005 0157e4a8 0157e4a8 0159d590 Qt5Widgets!ZN15QAbstractButton7toggledEb+0x250
0060d768 620ac883 0060d7b8 00000000 0060d734 Qt5Widgets!ZN15QAbstractButton11setIconSizeERK5QSize+0x625
0060d798 620ae1a3 0060d7b8 0060db60 0157e890 Qt5Widgets!ZNK15QAbstractButton9hitButtonERK6QPoint+0x43
0060d7a8 62006252 0060d968 0060d7d0 00000026 Qt5Widgets!ZN15QAbstractButton17mouseReleaseEventEP11QMouseEvent+0xd3
0060d7d8 6200604e 0060db60 015812a0 0060d848 Qt5Widgets!ZN7QWidget5eventEP6QEvent+0x392
0060d7e8 68aa2803 00000014 00000000 0000000c Qt5Widgets!ZN7QWidget5eventEP6QEvent+0x18e
0060d848 68c80b7f 00000000 ffffffff 0157e4a8 Qt5Core!ZN7QThread21setTerminationEnabledEb+0x483
0060d9f8 68c817e9 0157e4a8 0060db60 00000000 Qt5Core!ZN23QCoreApplicationPrivate29threadRequiresCoreApplicationEv+0xf
0060da48 61fcdb4f 0157e4a8 0060db60 00000000 Qt5Core!ZN16QCoreApplication20sendSpontaneousEventEP7QObjectP6QEvent+0x179
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!ZN19QApplicationPrivate14sendMouseEventEP7QWidgetP11QMouseEventS1_S1_PS1_R8QPointerIS0_Ebb+0x1ef
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_NAME: TestGetDataLib!ZN14TestGetDataLib12getTransDataEi+5
MODULE_NAME: TestGetDataLib
IMAGE_NAME: TestGetDataLib.dll
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_TestGetDataLib.dll!ZN14TestGetDataLib12getTransDataEi
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {8e2ab228-6379-6831-9348-ab14d84735bd}
Followup: MachineOwner
---------本次分析的说明
1. 异常定位清晰
TestGetDataLib!ZN14TestGetDataLib12getTransDataEi+0x5:
6e0814d5 8b00 mov eax,dword ptr [eax] ; eax = 0ZN14TestGetDataLib12getTransDataEi被WinDbg成功解析为TestGetDataLib::getTransData(int)函数- 崩溃指令是
mov eax,[eax],此时eax=0
2. 异常类型明确
AV.Dereference: NullPtr
AV.Fault: Read
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 00000000这是一个典型的空指针读取错误------程序尝试通过空指针访问内存。
| 可能原因 | 检查方法 |
|---|---|
| PDB文件不完整 | 执行 !sym noisy + .reload /f TestGetDataLib 观察详细加载过程 |
| 源码路径未配置 | 尝试 File -> Source file path,添加源码目录 |
| 编译时未嵌入行号信息 | 检查编译配置是否包含 -g 但没有 -g3(MinGW可用 -g3 生成更完整信息) |
| PDB与DLL版本不匹配 | 对比时间戳,确认 TestGetDataLib.dll 与 TestGetDataLib.pdb 来自同一次编译 |
结论
这个分析日志表明:
| 方面 | 状态 |
|---|---|
| 符号加载 | ✅ 成功,函数名已解析 |
| 源码行号 | ⚠️ 未显示,建议检查PDB完整性和源码路径 |
| 崩溃定位 | ✅ TestGetDataLib::getTransData(int) 函数内部 |
3.有PDB文件分析
新增PDB文件,用winDbg工具分析dump文件的日志
bash
Microsoft (R) Windows Debugger Version 10.0.22621.755 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\do___\CrashAnalysis\260512\20260512_203729.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 19044 MP (16 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Tue May 12 20:37:29.000 2026 (UTC + 8:00)
System Uptime: 1 days 11:54:51.020
Process Uptime: 0 days 0:01:56.000
................................................................
................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5a54.5264): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
eax=00000001 ebx=00000000 ecx=0060d5c8 edx=0060fe24 esi=76153b70 edi=00e905e8
eip=77d23acc esp=0060bb30 ebp=0060bb3c iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!NtGetContextThread+0xc:
77d23acc c20800 ret 8
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
OK D:\do___\CrashAnalysis\260512
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify timestamp for Qt5Widgets.dll
*** WARNING: Unable to verify timestamp for Qt5Core.dll
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: NullPtr
Key : AV.Fault
Value: Read
Key : Analysis.CPU.mSec
Value: 1874
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 21021
Key : Analysis.Init.CPU.mSec
Value: 843
Key : Analysis.Init.Elapsed.mSec
Value: 115485
Key : Analysis.Memory.CommitPeak.Mb
Value: 164
Key : Timeline.OS.Boot.DeltaSec
Value: 129291
Key : Timeline.Process.Start.DeltaSec
Value: 116
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: 20260512_203729.dmp
CONTEXT: (.ecxr)
eax=00000000 ebx=0060fe24 ecx=0060d5c8 edx=0060fe24 esi=00000004 edi=00000000
eip=6e0814d5 esp=0060d5ac ebp=0060d638 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
TestGetDataLib!TestGetDataLib::getTransData+0x5:
6e0814d5 8b00 mov eax,dword ptr [eax] ds:002b:00000000=????????
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 6e0814d5 (TestGetDataLib!TestGetDataLib::getTransData+0x00000005)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
PROCESS_NAME: MainWin.exe
READ_ADDRESS: 00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
FAULTING_LOCAL_VARIABLE_NAME: d
STACK_TEXT:
0060d638 00401aae 00000000 00000026 0060d738 TestGetDataLib!TestGetDataLib::getTransData+0x5
WARNING: Stack unwind information not available. Following frames may be wrong.
0060d718 620acbb0 0079e148 00000009 0060d738 MainWin+0x1aae
0060d758 620ae005 0079e148 0079e148 007bd590 Qt5Widgets!ZN15QAbstractButton7toggledEb+0x250
0060d768 620ac883 0060d7b8 00000000 00000000 Qt5Widgets!ZN15QAbstractButton11setIconSizeERK5QSize+0x625
0060d798 620ae1a3 0060d7b8 0060db60 00000000 Qt5Widgets!ZNK15QAbstractButton9hitButtonERK6QPoint+0x43
0060d7d8 6200604e 0060db60 00000001 0060d848 Qt5Widgets!ZN15QAbstractButton17mouseReleaseEventEP11QMouseEvent+0xd3
0060d7e8 68aa2803 00000014 000002b9 0000000c Qt5Widgets!ZN7QWidget5eventEP6QEvent+0x18e
0060d848 68c80b7f 00000000 0010114a 0079e148 Qt5Core!ZN7QThread21setTerminationEnabledEb+0x483
0060d9f8 68c817e9 0079e148 0060db60 00000000 Qt5Core!ZN23QCoreApplicationPrivate29threadRequiresCoreApplicationEv+0xf
0060da48 61fcdb4f 0079e148 0060db60 00000000 Qt5Core!ZN16QCoreApplication20sendSpontaneousEventEP7QObjectP6QEvent+0x179
00000000 00000000 00000000 00000000 00000000 Qt5Widgets!ZN19QApplicationPrivate14sendMouseEventEP7QWidgetP11QMouseEventS1_S1_PS1_R8QPointerIS0_Ebb+0x1ef
STACK_COMMAND: ~0s; .ecxr ; kb
FAULTING_SOURCE_LINE: ..\..\..\DemoCrash\libs\TestGetDataLib\TestGetDataLib.cpp
FAULTING_SOURCE_FILE: ..\..\..\DemoCrash\libs\TestGetDataLib\TestGetDataLib.cpp
FAULTING_SOURCE_LINE_NUMBER: 9
SYMBOL_NAME: TestGetDataLib!TestGetDataLib::getTransData+5
MODULE_NAME: TestGetDataLib
IMAGE_NAME: TestGetDataLib.dll
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_TestGetDataLib.dll!TestGetDataLib::getTransData
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {54c99ebc-9850-df47-73d0-dc6245d1012f}
Followup: MachineOwner
---------完美!🎉 这次的分析日志展示了 PDB 符号加载成功后的完整调试能力。相比之前的日志,这次多了关键信息,让我详细解读一下。
本次分析的亮点
1. 精确到源码行号的定位
FAULTING_SOURCE_LINE: ..\..\..\DemoCrash\libs\TestGetDataLib\TestGetDataLib.cpp
FAULTING_SOURCE_LINE_NUMBER: 9这是最重要的进步!WinDbg 现在可以直接告诉你:崩溃发生在 TestGetDataLib.cpp 的第 9 行。
2. 局部变量名称被捕获
FAULTING_LOCAL_VARIABLE_NAME: d这个信息非常宝贵------WinDbg 捕获到了出错的局部变量名 d。结合源码行号,可以立即定位到第 9 行中名为 d 的变量被错误解引用。
3. 函数名解析更清晰
TestGetDataLib!TestGetDataLib::getTransData+0x5相比之前的混淆名称 ZN14TestGetDataLib12getTransDataEi,现在直接显示为可读的 C++ 函数签名。
崩溃分析总结
| 项目 | 信息 |
|---|---|
| 崩溃模块 | TestGetDataLib.dll |
| 崩溃函数 | TestGetDataLib::getTransData |
| 源码位置 | TestGetDataLib.cpp 第 9 行 |
| 崩溃变量 | 局部变量 d |
| 崩溃原因 | 尝试通过空指针 (eax=0) 读取内存 |