Decoding the parameters of a thrown C++ exception (0xE06D7363)

c++ debugging visual-c++ windbg crash-dumps
17,569

Solution 1

There're many technical details involved. I can give you the direction.

The 2nd exception parameter (0052ccd8) is a pointer to a _s__ThrowInfo structure, which describes the thrown type. The 3rd parameter (564099d8) is a pointer to the thrown object.

First let's discuss the thrown object type. The _s__ThrowInfo points to a constant structure (generated at the compile-time), which resides within your executable (EXE or DLL), which is mapped into the process address space.

If the global memory is included in your crash dump - then you can find it there. Otherwise you may deduce it from the executable. Subtract the "base" address from your executable (assuming it was loaded at its preferred address), and you'll get the offset of this structure within your executable.

Decoding the actual type from this structure is kind tricky. It includes the information about types it may be cast to (C++ polymorphism), plus the d'tor (destructor) in case it's a non-trivial type (with non-trivial d'tor) and it was thrown by-value. The table of types it may be cast to contain pointers to the appropriate structures describing those types. Among other things there are textual "encodings" of those types.

Information about layout of those structures may be found here:

Next, the thrown object. Its address usually belongs to the stack memory (strictly speaking this is not mandatory, one may throw either global or dynamically-allocated(on-heap) object. But this is usually not the case). If you have the stack included in your crash dump - you'll see the object layout. Coupled with the type you'll (hopefully) realize what it means.

If you don't have the stack memory included in your crash dump - you'll not be able to recover the object.

In addition your object may contain members that are pointer to other things (like strings or other objects) which may not necessarily be allocated on the stack. Most probably you'll fail to realize those members, unless you have the full-memory dump.

Solution 2

old question and a very late answer (question popped up in active list so replying)

the gist of raymond chen and valdos answer in a consice script 

0:000> dt _s_throwinfo pCatchableTypeArray[0]->arrayOfCatchableTypes->pType->name  @@c++(( (ntdll!_EXCEPTION_RECORD *) @@masm(@esp+4) )->ExceptionInformation[2])
cppexept!_s_ThrowInfo
   +0x00c pCatchableTypeArray                                        : [0] 
      +0x004 arrayOfCatchableTypes                                      : [0] 
         +0x004 pType                                                      : 
            +0x008 name                                                       : [0]  ".PAD"
Share:
17,569
Loom
Author by

Loom

Updated on June 02, 2022

Comments

  • Loom
    Loom almost 2 years

    I've got a crash-dump file (my 32-bit windows application has crashed on a customer computer). Exception code is 0xE06D7363. So, I found this article from MSDN blogs about decoding the exception params. But a recipe from the article doesn't work for me:

    0:000> .exr -1 
ExceptionAddress: 753ad36f (KERNELBASE!RaiseException+0x00000058)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0052ccd8
   Parameter[2]: 564099d8
0:000> dd 564099d8 l4
564099d8  00000000 00000000 00000000 564099d0
0:000> dd 564099d0 l2
564099d0  00000001 564099b4
0:000> dd 564099b4 l2
564099b4  00000001 56454aec
0:000> da 56454aec+8
56454af4  "????????????????????????????????"
56454b14  "????????????????????????????????"
56454b34  "????????????????????????????????"
56454b54  "????????????????????????????????"
56454b74  "????????????????????????????????"
56454b94  "????????????????????????????????"
56454bb4  "????????????????????????????????"
56454bd4  "????????????????????????????????"
56454bf4  "????????????????????????????????"
56454c14  "????????????????????????????????"
56454c34  "????????????????????????????????"
56454c54  "????????????????????????????????"

    How can I make this method work? Or maybe there are other ways to analyze crash-dump with this exception?

    Below is some info from !analyze -v:

    PROCESS_NAME:  ArcMap.exe
MODULE_NAME: arcmap
FAULTING_MODULE: 76fa0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4e793643
ERROR_CODE: (NTSTATUS) 0xe06d7363 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xe06d7363 - <Unable to get error code text>
EXCEPTION_PARAMETER1:  19930520
EXCEPTION_PARAMETER2:  0052ccd8
EXCEPTION_PARAMETER3:  564099d8

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Detailed memory usage analysis of windows crash dump file?
How to use WinDbg to analyze the crash dump for VC++ application?
Visual Studio - can be a breakpoint called from code?
How to debug in release mode?
What is your favourite Windbg tip/trick?
Visual Studio debugger error: Unable to start program Specified file cannot be found
Crash dump - WinDbg - force PDB files to match doesn't work?
Windbg: How to set breakpoint on one of the overloads of a C++ function?
What is the best way to attach a debugger to a process in VC++ at just the right point in time?
Why is vector deleting destructor being called as a result of a scalar delete?