_CONTEXT structure debugging on Windows: How to?
[ADDENDUM: QUESTION DOES NOT NEED TO BE ANSWERED DUE TO AN INCORRECT ASSUMPTION ON MY PART; SEE MY ANSWER BELOW, AND MY APOLOGIES]
My client has handed me a tracefile sent by a customer that includes (of relevance) only the CPU register information contained in the _CONTEXT structure at the time an exception was thrown.
I have been enhancing, compiling & building the code (written in C++, with some JNI calls to J开发者_开发技巧VM) for the program for a few months, and the new version I built was just released to customers: hence the tracefile with the bug report. This tracefile was produced by the program and simply corresponds to spitting out the register data (contained in the _CONTEXT structure) as captured by setting a custom exception handler for the program (via SetUnhandledExceptionFilter()).
My client reports to me that over the years, previous developers have found these tracefiles to be useful and have helped track down bugs, with nothing more than the information in the tracefiles.
I am therefore operating under the assumption that it was in fact the CPU register output from the _CONTEXT structure that previous developers have found useful in the tracefiles, and I am attempting to find a way to interpret that information to help track down what was occurring at the time of the crash. (i.e., what function was being called and what its arguments were, etc.)
Perhaps it is not feasible to use the CPU register data without any other information, in which case perhaps my client is misleading me and in fact previous developers have had in their possession tracefiles that contained information in addition to the CPU register information.
So, this is one thing I would like to know: Is it feasible, in general, using ONLY the CPU register information available with the _CONTEXT data structure, along with having all source code available in a successful Debug & Release build environment, to obtain useful information?
Assuming the answer is "yes", the second thing I would like to know is: How does one go about obtaining useful information from the CPU register information contained in the _CONTEXT structure, given that the source code is available, and that this source code builds & runs successfully on the development machine in both Debug & Release mode (but not in the end-user's environment and without any end-user files or data other than the single tracefile noted)? The goal, I assume, is to locate the function that was called at the time of the exception, based on its address, and hopefully this function will be one that is within the existing code base (and not nested deeply inside the Windows DLL's). Further, my client indicated that previous developers were even able to obtain arguments to the culprit function that caused the exception (though again, he could be misleading me).
Note that of course the end-user is using the Release-mode build of the program. I would also assume that the _CONTEXT information spit out in the tracefile will correspond to the CPU used by the end-user.
In short, I am asking how to interpret the various fields of the _CONTEXT structure, which represent the CPU registers on Windows, in a useful way to debug an exception. What do the registers correspond to and which ones should I be looking at? Here is a link to a page that includes the definition of the _CONTEXT structure for some (not all) CPU's, as an example of possible _CONTEXT structures: http://msdn.microsoft.com/en-us/library/ms679284%28VS.85%29.aspx. I am not certain which CPU the end-user is using, but that info will be easily available as needed if I am confident I can get some useful info from the _CONTEXT structure. Note that the tracefile I have shows 128 (4-byte) entries - which doesn't seem to match the size of any of the _CONTEXT structures I've seen (I also looked in WINNT.H, the actual file that defines the _CONTEXT structure, and at first glance didn't see any possible definitions that contained 128x4 bytes, but that was just a quick glance and I could be mistaken).
I have hunted around for answers or hints, but have not found any useful ones yet.
Thank you,
Dan.
MY QUESTION DID NOT CORRECTLY IDENTIFY THE INFORMATION PRESENT IN THE TRACEFILE, AND DOES NOT NEED TO BE ANSWERED.
My apologies all.
Upon reviewing the code that produces the data in the tracefile noted in the question, I have found that I made a mistake. It is not the _CONTEXT structure whose values are being spit out into the tracefile, but rather the code is stepping through _CONTEXT::Esp and spitting that out (i.e. it is walking the stack itself, at runtime, in response to an exception - it's not spitting out the contents of the CPU registers).
Therefore my question is no longer relevant. I leave it here only in case the information in the question (or answer) is useful to others, though the question was not itself answered (nor did it need to be for me).
Thanks, Dan
精彩评论