Every now and then (ahem...) my code crashes on some system; quite often, my users send screenshots of Windows crash dialogs. For instance, I recently received this:

Unhandled win32 exception @ 0x3a009598 in launcher2g.exe:
0xC00000005: Access violation writing location 0x00000000.

It's clear to me (due to the 0xc0000005 code as well as the written out error message) that I'm following a null pointer somewhere in my launcher2g.exe process. What's not clear to me is the significance of the '0x3a009598' number. Is this the code offset in the process' address space where the assembler instruction is stored which triggered the problem?

Under the assumption that 0x3a000000 is the position where the launcher2g.exe module was loaded into the process, I used the Visual Studio debugger to check the assembler code at 0x3a009598 but unfortunately that was just lots of 'int 3' instructions (this was a debug build, so there's lots of int 3 padding).

I always wondered how to make the most of these @ 0x12345678 numbers - it would be great if somebody here could shed some light on it, or share some pointers to further explanations.

UPDATE: In case anybody finds this question in the future, here's a very interesting read I found which explains how to make sense of error messages such as the one I quoted above: Finding crash information using the MAP file.

+2  A: 

0x3a009598 would be the address of the x86 instruction that caused the crash.

The EXE typically gets loaded at its preferred load address - usually 0x04000000 iirc. So it's probably bloody far away from 0x3a009598. Some DLL loaded by the process is probably located at this address.

Crash dumps are usually the most useful way to debug this kind of thing if you can get your users to generate and send them. You can load them with Visual Studio 2005 and up and get automatic symbol resolution of system dlls.

Next up, the .map files produced by your build process should help you determine the offending function - assuming you do manage to figure out which exe/dll module the crash was inside, and what its actual load address was.

On XP, users can use DrWatsn32 to produce and send you crash dumps. On Vista and up, Windows Error Reporting writes the crash dumps to c:\users\\AppData\Local\Temp*.mdmp

Chris Becke
Yes, there's a DLL located at that address, and I know which (it happens to be a DLL I developed which my application links against). One comment regarding the crash dumps on Vista: do I need to enable them somehow? I experienced a few crashes, but no mdmp files in %TEMP% to be seen. Thanks for the pointer to .map files though, I'll look into that!
Frerich Raabe
I *think* the mdmp files might only appear if the user selects to send the error report to Windows Error Reporting. There is apparently some way that you can, if you digitally sign your application files with a proper certificate, actually get crash dumps from Microsoft that users submit via the "Report this error to MS and see if there are any fixes" dialog that the OS shows. I can't advise on how easy and cost effective this option is.
Chris Becke
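
The .map lookup discussed in the answer and comments, as an added example that is not part of the original thread: it rebases the crash address from the module's actual load address to the preferred load address recorded in the linker map, then picks the nearest preceding symbol. The map excerpt, module name and symbols are constructed, and the load base 0x3a000000 is the asker's assumption, not a confirmed value.

```python
import bisect
import re

# Constructed sample in the layout of an MSVC linker .map file (/MAP); the
# module name, symbols and addresses are invented for illustration.
SAMPLE_MAP = """\
 example

 Preferred load address is 10000000

  Address         Publics by Value              Rva+Base       Lib:Object

 0001:00000000       ?init@@YAXXZ               10001000 f   init.obj
 0001:00008400       ?parseArgs@@YAHPAD@Z       10009400 f   args.obj
 0001:00008560       ?startChild@@YAXPAD@Z      10009560 f   launch.obj
 0001:00008700       ?cleanup@@YAXXZ            10009700 f   init.obj
 0002:00000000       ?g_config@@3PADA           1000c000     data.obj
"""

PREFERRED = re.compile(r"Preferred load address is ([0-9A-Fa-f]+)")
PUBLIC = re.compile(r"^\s*[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}\s+(\S+)\s+([0-9A-Fa-f]{8,16})\b")

def parse_map(text):
    """Return (preferred_base, sorted [(rva_plus_base, symbol), ...])."""
    m = PREFERRED.search(text)
    if not m:
        raise ValueError("no preferred load address in map file")
    symbols = []
    for line in text.splitlines():
        s = PUBLIC.match(line)
        if s:
            symbols.append((int(s.group(2), 16), s.group(1)))
    return int(m.group(1), 16), sorted(symbols)

def resolve(crash_addr, actual_base, map_text):
    """Map a runtime address to (symbol, offset) using the module's map file."""
    # actual_base is where the module was really loaded in the crashed process
    # (assumption in this example: 0x3a000000, as guessed in the question).
    preferred, symbols = parse_map(map_text)
    rva = crash_addr - actual_base
    if rva < 0:
        raise ValueError("address is below the module's load base")
    # Rebase to the address the linker recorded in the Rva+Base column.
    link_addr = preferred + rva
    i = bisect.bisect_right(symbols, (link_addr, chr(0x10FFFF))) - 1
    if i < 0:
        raise ValueError("address precedes the first public symbol")
    addr, name = symbols[i]
    return name, link_addr - addr
```

The result is only as good as the load base: if the module was relocated and the base is guessed wrong, the lookup silently lands in an unrelated function, so the base should come from a crash dump or module list where possible.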