Win XP drwatson.log parse

[Tacio]

May be this wrong forum, but anyway... I have programm MeGUI for dvd ripping and some time ago it's shows error while openning avs files. So I record drwatson.log file with this error and may be anybody can parse this log, because I haven't experience in debugging.

This is the error:

drwtsn32.7z

[Mijzelf]

The most interesting part of a Dr.Watson log is around the 'Fault ->' part. In this case:

eax=20100000 ebx=00000000 ecx=0681fb18 edx=00000025 esi=0681fb18 edi=00140000

eip=7c901230 esp=0012e120 ebp=0012e124 iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -

function: ntdll!DbgBreakPoint

7c90121c f6461010 test byte ptr [esi+0x10],0x10

7c901220 0f84e0f10000 je ntdll!RtlInitUnicodeStringEx+0x61 (7c910406)

7c901226 5e pop esi

7c901227 c9 leave

7c901228 c20400 ret 0x4

7c90122b 90 nop

7c90122c 90 nop

7c90122d 90 nop

7c90122e 90 nop

7c90122f 90 nop

FAULT ->ntdll!DbgBreakPoint:

7c901230 cc int 3

7c901231 c3 ret

7c901232 8bff mov edi,edi

7c901234 90 nop

7c901235 90 nop

7c901236 90 nop

7c901237 90 nop

7c901238 90 nop

ntdll!DbgUserBreakPoint:

7c901239 cc int 3

7c90123a c3 ret

*----> Stack Back Trace <----*

WARNING: Stack unwind information not available. Following frames may be wrong.

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ole32.dll -

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll -

ChildEBP RetAddr Args to Child

0012e124 7c93bd1f 0681fb18 0012e504 0012e504 ntdll!DbgBreakPoint

0012e1ec 774fd01c 00140000 00000000 0681fb20 ntdll!RtlInitializeSListHead+0x2d0f

0012e200 774fd057 77606034 0681fb20 0012e2e4 ole32!IsValidIid+0xdb

0012e210 7a0afcb7 0681fb20 0012e504 7a0b320b ole32!CoTaskMemFree+0x13

0012e2e4 7c9105c8 0680c0d0 0012e3bc 7c910551 mscorwks!CorLaunchApplication+0x2d718

0012e2e4 7c9105c8 0680c0d0 0012e3bc 7c910551 ntdll!RtlFreeHeap+0x18b

What you see here is the code around the crash, the value of the processor registers at the moment of the crash, the exact crash point, and a stackdump, which contains information about which functions are calling each other.

From bottom up: RtlFreeHeap which is located in ntdll.dll calls CorLaunchApplication which is located in mscorwks.dll, which calls CoTaskMemFree in ole32.dll....

Unfortunately this list of functions can be wrong when something has damaged the stack. A buffer overflow can do that.

In this case, the crash is a hardcoded break (int 3). So the program has found that someting is serious wrong, and tries to jump to the debugger.

The list RtlFreeHeap->CoTaskMemFree->DbgBreakPoint suggests that is has someting to do with memory management. Maybe a com-object wich is released twice, or an allocated buffer which is filled up beyond it limits.

[Tacio]

Oh.. it so complex... may be I can give more information about this crash and you can say more about how resolve this problem?

[cluberti]

It's crashing because a debug breakpoint in the code occurred, which means likely there's a bug in the code for the application. You could download and install Microsoft's Application Verifier, and in the App Verifier application create a "basics" rule (the default) for the MeGUI .exe file and then run the app with adplus attached in crash mode, but again, the breakpoint means that likely there's bad .net code in that application.