Thursday, March 26, 2009

KioskCrash: It goes *BOOM*!

Today I'm going to cover what happens when the KioskCrash application crashes. We'll cover what information the operating system provides and what we can use to help diagnose the crash before we add any debugging support to our application. So without further ado...

When KioskCrash crashes, Windows XP will display a window similar to this. There really isn't much information here, just a button to automatically send an error report to Microsoft and another button to skip sending the report. If you click the "Send Error Report" button, the operating system will bundle up a bit of information about the crash and send it off to Microsoft for diagnosis. This window also includes a link to see what data the error report contains.

This is an example of what you would see if you clicked the link to see what data is contained in the error report. The first section is the only interesting thing displayed in this window. It contains the application name & version, the module name & version and the location where the crash occurred in our image. This is why you should always add a version information resource to executables you create. Since KioskCrash is a simple application I only filled in basic information. In a large application this information would be invaluable for locating the crash. The location of the crash, called "Offset" in this window, can be used to get an idea where to find the problem in your code. I will go into more detail about how to do that in a later post. (Probably the next one.) The only other interesting thing displayed in this window is a link at the bottom to see more technical information about the error report.

Now we get to the details of the exception. The important things to note in this window are the type of exception (0xC0000005 Access Violation) and the address of the exception (0x401016). Using the image base address we can calculate that the offending instruction was located at offset 0x1016 in our module. This is about all the information we can extract from the error report windows that are displayed by the operating system.
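The calculation above, as an added example that is not code from the original post: it reads ImageBase from a PE32 header, subtracts it from the faulting address, and names the section that contains the resulting offset. The header bytes are a constructed sample rather than the real KioskCrash.exe; the ImageBase of 0x400000 is inferred from the two numbers in the post, and the single `.text` section at 0x1000 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers, independent of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Map a faulting address to its offset in the module and the section holding it,
   using the PE32 headers in img. Returns 0 on success, -1 if malformed/out of range. */
int locate_fault(const uint8_t *img, size_t len, uint32_t fault_va,
                 uint32_t *rva, char name[9]) {
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return -1;
    uint32_t pe = rd32(img + 0x3C);                   /* e_lfanew */
    if (pe > len || len - pe < 24 + 32) return -1;    /* sig + COFF + ImageBase */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    if (rd16(img + pe + 24) != 0x10B) return -1;      /* PE32 only, not PE32+ */
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    uint32_t base = rd32(img + pe + 24 + 28);         /* ImageBase */
    if (fault_va < base) return -1;
    *rva = fault_va - base;
    size_t sec = (size_t)pe + 24 + optsz;             /* section table */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec + 40 > len) return -1;
        uint32_t vsize = rd32(img + sec + 8), vaddr = rd32(img + sec + 12);
        if (*rva < vaddr || *rva - vaddr >= vsize) continue;
        memcpy(name, img + sec, 8); name[8] = '\0';   /* 8-byte section name */
        return 0;
    }
    return -1;
}

/* Constructed sample, not the real KioskCrash.exe: PE32 headers with
   ImageBase 0x400000 and one .text section covering RVAs 0x1000-0x1FFF. */
size_t build_sample(uint8_t buf[512]) {
    memset(buf, 0, 512);
    memcpy(buf, "MZ", 2);  buf[0x3C] = 0x40;          /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);  buf[0x46] = 1;  /* signature, 1 section */
    buf[0x54] = 0xE0;                                 /* SizeOfOptionalHeader */
    buf[0x58] = 0x0B;  buf[0x59] = 0x01;  buf[0x58 + 30] = 0x40;  /* Magic, ImageBase */
    uint8_t *s = buf + 0x58 + 0xE0;                   /* section table entry */
    memcpy(s, ".text", 5);  s[9] = 0x10;  s[13] = 0x10;  /* VirtualSize, VirtualAddress */
    return 0x58 + 0xE0 + 40;
}

int main(void) {
    uint8_t buf[512]; uint32_t rva; char name[9];
    if (locate_fault(buf, build_sample(buf), 0x401016, &rva, name) == 0)
        printf("offset 0x%X in %s\n", (unsigned)rva, name);
    return 0;
}
```

The subtraction is only valid when the module was loaded at its preferred ImageBase; for a relocated module, subtract the actual load address instead.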

To recap, what we've been able to determine from the Windows XP error report is that version 1.0.0.1 of the KioskCrash application crashed because of an access violation at offset 0x1016. This doesn't help us much because we don't have a way to match the source code to offset 0x1016. If we had a "map" file we might be able to determine which function caused the crash. With the symbols for this version of KioskCrash we could determine which function and perhaps even which line in that function crashed.

Next time I'll cover map files, how to create them as part of the build and how to use them with this information to locate the source of a crash. Until then...