Monday

How to analyze Dr. Watson File Dump : watson, dr, analyze

Today I was scratching my head to figure out what is happening with a set of Dr Watson logs. This particular link helped me to decipher the log into more meaningful information. As always, debugging the high-level language is much easier than just navigating numbers. Drop me a note; I will help you if you are stuck with Dr Watson logs.

How to analyze Dr. Watson File Dump : watson, dr, analyze

Generally, when I look at a drwtsn32.log, I just want the 15-second "what happened... vaguely" answer. To get that, just open the log in Notepad, start at the bottom and scroll up. You're looking for something like the FAULT below.

...

FAULT ->77f7d66e 8908 mov [eax],ecx ds:00000000=????????

...

Once you see that, just look up the name of the function that blew up and guess. (The blocks after the FAULT give you a basic function stack list, including the function that blew up; see below.) From there you need some Windows knowledge to interpret what the function name means. For example, RtlDestroyHeap is related to deleting memory. In the example below, I have a tabctl32 object in my project which blew up while deallocating memory. That gave me an object and a type of error in 15 seconds. You could try looking up the values of the function parameters in the hex dump, but I'd suggest you're better off looking at code at that point.

As for continuing through the error: basically, what happened is that an uncaught error ripped all the way through your code and up to Windows, so your process is probably dead. Maybe try adding whacks of temporary error handling to your code. If you can't find anything else, add a bunch of catch(...) blocks to catch anything and have them spit out an error message to the screen. At least that'll tell you where it happened in your code rather than in system DLLs. From there, you'll have to iteratively track it back to the source by adding progressively more specific/deeper error-trapping checks.

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012f4c0 77f64e17 00130000 001524e8 0012f4ec 00000000 ntdll!RtlDestroyHeap
0012f4f0 212f1448 00130000 00000000 001524f0 212f1f9e ntdll!RtlFreeHeap
77f64d60 83ec8b10 d2850cec 0f575653 00021284 087d8b00 tabctl32!

...
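The bottom-up read described above can be scripted for triage across many logs. The following is an added example, not code from the original post or the linked article: it takes the last FAULT line in a log and the stack back trace that follows it. The function name `summarize`, the result field names and the sample text (stitched together from the excerpts quoted above) are assumptions made for illustration.

```python
import re

# Constructed sample: the excerpts quoted in the post, joined into one log.
SAMPLE_LOG = """\
...
FAULT ->77f7d66e 8908 mov [eax],ecx ds:00000000=????????
...
*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012f4c0 77f64e17 00130000 001524e8 0012f4ec 00000000 ntdll!RtlDestroyHeap
0012f4f0 212f1448 00130000 00000000 001524f0 212f1f9e ntdll!RtlFreeHeap
77f64d60 83ec8b10 d2850cec 0f575653 00021284 087d8b00 tabctl32!
...
"""

FAULT_RE = re.compile(r"^FAULT\s*->\s*([0-9a-f]{8})\s+([0-9a-f]+)\s+(.+?)\s*$", re.I)
OPERAND_RE = re.compile(r"\b[a-z]s:([0-9a-f]{8})=(\S+)", re.I)
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){6}(\S+)", re.I)


def summarize(log_text):
    """Return the last FAULT in the log and the stack frames listed after it."""
    lines = log_text.splitlines()
    faults = [i for i, ln in enumerate(lines) if FAULT_RE.match(ln.strip())]
    if not faults:
        return None  # no FAULT line anywhere in this log
    start = faults[-1]  # the post reads from the bottom up: take the last FAULT
    addr, _opcode, text = FAULT_RE.match(lines[start].strip()).groups()
    operand = OPERAND_RE.search(text)  # e.g. ds:00000000=????????
    frames, in_trace = [], False
    for line in lines[start + 1:]:
        if "Stack Back Trace" in line:
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line.strip())
            if m:
                module, _, func = m.group(1).partition("!")
                frames.append((module, func or None))  # "tabctl32!" has no symbol
            elif frames:
                break  # first non-frame line after the frames ends the trace
    return {
        "address": addr,
        "instruction": text,
        "operand_address": operand.group(1) if operand else None,
        "operand_unreadable": bool(operand and "?" in operand.group(2)),
        "frames": frames,
    }
```

On the sample, the first frame is `ntdll!RtlDestroyHeap`, and the `????????` operand value is reported as unreadable memory at address `00000000`.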

3 comments:

  1. Testing comments

  2. Anonymous 8:27 AM

    Interesting article...

  3. Anonymous 5:19 PM

    Came through google search
