Part I - System/Application Error Collection Tools
These tools are used to collection software data (especially when error occurs) that can be used to identify & fix software defects.
1. Dr. Watson
"Dr. Watson for Windows is a program error debugger that gathers information about your computer when an error (or user-mode fault) occurs with a program. The information obtained and logged by Dr. Watson is the information needed by technical support personnel to diagnose a program error for a computer running Windows."
A text file (Drwtsn32.log) is created whenever an error is detected, and can be delivered to support personnel by the method they prefer. A crash dump file can also be created, which is a binary file that a programmer can load into a debugger.
Starting with Windows Vista, Dr. Watson has been replaced with "Problem Reports and Solutions"
2. Windows Error Report
While Dr.Watson left the memory dump on the user's local machine for debugging, Windows Error Reporting offers to send the memory dump to Microsoft using the internet, more info can be found at - http://en.wikipedia.org/wiki/Windows_Error_Reporting
3. Adplus
ADPlus is console-based Microsoft Visual Basic script. It automates the Microsoft CDB debugger to produce memory dumps and log files that contain debug output from one or more processes. It has many switches to control what data to collect, more info can be found at Microsoft KB on Adplus tool
[Reference]
- Wiki on Dr. Watson Debugger
- Description of Dr. Watson Tool
Part II - Structured Exception Handling
SEH is usually known as a convenient error handling mechanism for windows native code programmers provided by windows operating system itself (with compiler support). But it is also a great system to enable applications talking to software debuggers.
1. Various Concepts
Structured exception handling is a mechanism for handling both hardware and software exceptions. To full understand SEH mechanism, you should get familiar with the following concepts:
- guarded body of code
- exception handler
- termination handler
- filter expression, follows __except keyword, evaluated when system conducting exception processing
- filter function, can only be called in filter expression
filter expression & function can only return the following three values:
- EXCEPTION_CONTINUE_SEARCH, The system continues its search for an exception handler.
- EXCEPTION_CONTINUE_EXECUTION, The system stops its search for an exception handler, restores the machine state, and continues thread execution at the point at which the exception occurred.
- EXCEPTION_EXECUTE_HANDLER, The system transfers control to the exception handler, and thread execution continues sequentially in the stack frame in which the exception handler is found.
2. Stack Unwinding
If the located exception handler is not in the stack frame in which the exception occurred, the system unwinds the stack, leaving the current stack frame and any other stack frames until it is back to the exception handler's stack frame.
3. Vectored Exception Handling
Vectored handlers are called in the order that they were added, after the debugger gets a first chance notification, but before the system begins unwinding the stack. Since they are not framed based, they will be called each time when an exception is raised.
4. Exception & Debugger
SEH is also a communication mechanism between windows application and debugger. The detailed description on the whole exception dispatching process can be found here and the debugger exception handling process can be found here.
The core concepts here are first-chance notification and second-chance(last-chance) notification.
- 1st chance notification is a mechanism to notify debugger the exception information before application get chance to process the exception.
- 2nd chance notification happens after the windows system finds that no application defined exception handler exists.
David Kline wrote a great article on first-chance & second-chance notification.
5. Functions and Keywords
- GetExceptionCode and GetExceptionInformation can be used to get detail information about current exception.
- The SEH compatible compiler recognize __try, __except, __finally, __leave as keywords.
- It will also interpret the GetExceptionCode, GetExceptionInformation, and AbnormalTermination functions as keywords, and their use outside the appropriate exception-handling syntax generates a compiler error.
[Reference]
- Crash Course on SEH
- Structured Exception Handling @ MSDN
- First and Second Chance Exception handling
- David Kline's Article
Part III - Dump File
In Part I, we introduced several tools to get diagnose data to enable offline debugging and analyzing. The most important diagnose data is dump file. There are two dump files:
1. Kernel-Mode Dump (system/core/memory dump)
This kind of dump happens when an stop error occurs in the windows system. The common phenomenon is that the blue screen shows up and at the same time, an core dump file is generated.
There are three kinds of core dump files:
- Complete Memory Dump
A Complete Memory Dump is the largest kernel-mode dump file. This file contains all the physical memory for the machine at the time of the fault.
The Complete Memory Dump file is written to %SystemRoot%\Memory.dmp by default.
- Small Memory Dump
A Small Memory Dump is much smaller than the other two kinds of kernel-mode crash dump files. It is exactly 64 KB in size, and requires only 64 KB of pagefile space on the boot drive.
- Kernel Memory Dump
A Kernel Memory Dump contains all the memory in use by the kernel at the time of the crash. This kind of dump file is significantly smaller than the Complete Memory Dump. Typically, the dump file will be around one-third the size of the physical memory on the system.
This dump file will not include unallocated memory, or any memory allocated to user-mode applications. It only includes memory allocated to the Windows kernel and hardware abstraction level (HAL), as well as memory allocated to kernel-mode drivers and other kernel-mode programs.
Here, you can find more detailed information on kernel-mode dump files.
An great Microsoft KB on system dump(core dump, blue screen) configuration.
2. User-Mode Dump (application/process dump)
This kind of dump file is from specific process, not from the windows system itself.
- Full Dump
A full user-mode dump is the basic user-mode dump file. This dump file includes the entire memory space of a process, the program's executable image itself, the handle table, and other information that will be useful to the debugger.
- Mini Dump
A mini user-mode dump includes only selected parts of the memory associated with a process. The size and contents of a minidump file varies depending on the program being dumped and the application doing the dumping.
The name "minidump" is misleading, because the largest minidump files actually contain more information than the "full" user-mode dump.
User mode dump files can be created using the following methods:
- using task manager
- using adplus
- using userdump
You can also using some debugging tools such as Visual Studio and Windbg to create dump files.
Manipulate Mini Dump Programmatically:
- MiniDumpReadDumpStream()
- MiniDumpWriteDump()
- MINIDUMP_TYPE ENUM
[Reference]
- Dump in Visual Studio
- Crash Dump Doc @ MSDN
