WinDbg: Meaning of columns of STACK_TEXT

  • Question

  • Hi,

    I am analyzing a crash dump with WinDbg. With the "!analyze -v" command there is also a "STACK_TEXT" displayed. This is very helpful, but I also need to know what the addresses shown there are; example: <0012e288 7816e0e8 0012e2a4 031b2c58 00000000> (uppermost line of the example below)

    There are always 5 columns, but there is no hint - not in the help file either - which column has which meaning.

    Can anybody tell me this?



    0012e288 7816e0e8 0012e2a4 031b2c58 00000000 msvcr80!_woutput_l+0x74b [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1629]
    0012e2c4 7816e102 7813f135 031b2c58 00000000 msvcr80!_vscwprintf_helper+0x4f [f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c @ 441]
    0012e2d8 78306c68 031b2c58 0012e330 006f1010 msvcr80!_vscwprintf+0x14 [f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c @ 450]
    0012e2f0 78307307 031b2c58 0012e330 ff9f7eaa mfc80u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::FormatV+0x23 [f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h @ 2142]
    0012e320 00638f38 0012e364 00004fb0 000003ee mfc80u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0x3c [f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h @ 2552]


    Tuesday, May 31, 2011 10:06 AM


All replies

  • ChildEBP RetAddr Args to Child
    0012e288 7816e0e8 0012e2a4 031b2c58 00000000 msvcr80!_woutput_l+0x74b [f:\dd\vctools\crt_bld\self_x86\crt\src\output.c @ 1629]
    I'm preparing for the exam 70-660 TS: Windows Internals
    • Marked as answer by Thursday, March 19, 2015 2:00 PM
    Tuesday, May 31, 2011 1:26 PM
  • Thanks - but what does "Args to Child" mean?

    Tuesday, June 7, 2011 6:40 AM
  • It means the parameters, if they exist; otherwise simply 3 dwords from the previous frame.
    I'm preparing for the exam 70-660 TS: Windows Internals
    Tuesday, June 7, 2011 8:30 AM
  • Thank you for your help - I think I got it:

    For all who have the same problem: you have to read "Manually Walking a Stack" in the WinDbg Help.


    In my simple example

    0012e2d8 78306c68 05588818 0012e330 006f1010    msvcr80!_vscwprintf+0x14 [f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c @ 450]

    => EBP:   0012e2d8  (here the local stack / local variables can begin)

    => RET:   78306c68   (Return addr)

    => int __cdecl _vscwprintf (const wchar_t *format,va_list ap)

         format String starts @   05588818  (far away from stack ==> possibly a string on the heap)


    This information is quite bad for those who have to analyze a crash dump:

    - there are max. 3 function arguments shown

    - you have to guess (and of course know the declaration of the called function) whether the shown DWORD of the stack trace is a heap pointer, a stack pointer, a valid number or ... - this makes analyzing crashes expensive

    - a minidump usually has too little information (especially when you look for variables on the heap)

    - ... and remember: "DO BACKUP YOUR PDB FILES!"

    Friday, June 10, 2011 11:48 AM
  • Sorry, but I am still confused.

    Take this example (unicode):

    CString txt;
    txt.Format(_T("%d, %d, %s"), 0xAAAA, 0xBBBB, 0xCCCC, _T("Servus"));

    WinDbg shows this (I just insert the first call to Format):
        0025f96c 0037159b 0025fa6c 0037884c 0000aaaa mfc100ud!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0x53


    Let's compare this to its assembler:
            0x41156F: C745FC00000000 MOV DWORD PTR [EBP-0x4],0x0
            0x411576: 8BF4 MOV ESI,ESP
            0x411578: 6868884100 PUSH 'Servus' ; (0x418868)
            0x41157D: 68CCCC0000 PUSH 0xCCCC  
            0x411582: 68BBBB0000 PUSH 0xBBBB
            0x411587: 68AAAA0000 PUSH 0xAAAA
            0x41158C: 684C884100 PUSH '%d, %d, %s' ; (0x41884C)
            0x411591: 8D45D4 LEA EAX,[EBP-0x2C]
            0x411594: 50 PUSH EAX
            0x411595: FF1528C44100 CALL DWORD PTR [MFC100UD.DLL!5232]; (0x41C428)

    The last argument in the stack trace is simply 0xAAAA
    The one before is the "const wchar_t*" (yes, I verified this by viewing the memory at 0x0037884c)

    But what argument is the first one? 0025fa6c

    Any idea?



    Friday, June 10, 2011 4:18 PM
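Added example (not part of the original thread): a small Python model of the x86 frame layout behind the ChildEBP / RetAddr / Args to Child columns, replaying the PUSH/CALL sequence from the last post's disassembly. The caller's ESP and EBP values are assumptions chosen to line up with that post's trace, and the class and function names are hypothetical.

```python
class Stack32:
    """Toy model of a downward-growing 32-bit x86 stack (constructed data, not a real dump)."""

    def __init__(self, esp, ebp):
        self.mem, self.esp, self.ebp = {}, esp, ebp

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def dword(self, addr):
        return self.mem.get(addr, 0)


def call_and_enter(stack, pushes, return_addr):
    """Caller pushes its arguments, CALL pushes the return address,
    then the callee prologue runs: push ebp / mov ebp, esp."""
    for value in pushes:              # same order as the PUSH instructions
        stack.push(value)
    stack.push(return_addr)           # done implicitly by CALL
    stack.push(stack.ebp)             # push ebp   (saves the caller's frame pointer)
    stack.ebp = stack.esp             # mov ebp, esp


def kb_line(stack, nargs=3):
    """Render the current frame like STACK_TEXT: ChildEBP RetAddr Args to Child."""
    ebp = stack.ebp
    cols = [ebp, stack.dword(ebp + 4)]                        # [EBP+4] = return address
    cols += [stack.dword(ebp + 8 + 4 * i) for i in range(nargs)]  # [EBP+8].. = pushed dwords
    return " ".join(f"{c:08x}" for c in cols)


def parent_ebp(stack):
    """[EBP] holds the saved EBP of the caller: the next link when walking the stack."""
    return stack.dword(stack.ebp)


def demo():
    caller_ebp = 0x0025FA98   # assumed: makes [EBP-0x2C] equal 0025fa6c as in the trace
    caller_esp = 0x0025F98C   # assumed: makes the callee's EBP equal 0025f96c
    s = Stack32(caller_esp, caller_ebp)
    # PUSH operands from the disassembly, in program order; the last one is
    # the address produced by LEA EAX,[EBP-0x2C].
    pushes = [0x418868, 0xCCCC, 0xBBBB, 0xAAAA, 0x41884C, caller_ebp - 0x2C]
    call_and_enter(s, pushes, 0x411595 + 6)   # CALL at 0x411595 is 6 bytes long
    return s


if __name__ == "__main__":
    frame = demo()
    print(kb_line(frame))             # the three columns WinDbg shows
    print(kb_line(frame, nargs=6))    # every dword the caller pushed
    print(f"{parent_ebp(frame):08x}") # caller's frame pointer
```

The first "Args to Child" dword is whatever was pushed last before the CALL, here the address from LEA EAX,[EBP-0x2C]; on x86 MSVC a variadic member function such as Format receives its this pointer that way. Passing nargs=6 reads the remaining pushed dwords from EBP+0x14 onward, which the three-column display omits.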