Retro video games delivered to your door every month!
Click above to get retro games delivered to your door ever month!
X-Hacker.org- Blinker 5.10 Online Reference - <b> analysing a sample gpf</b> http://www.X-Hacker.org [<<Previous Entry] [^^Up^^] [Next Entry>>] [Menu] [About The Guide]
 Analysing a sample GPF
------------------------------------------------------------------------------
 In order to correctly analyse a GPF dump it is necessary to create a .MAP
 file for the program using the MAP S,A link script command. In addition,
 specifying the X parameter to MAP will allow you to easily locate the OBJ
 module containing the offending code, although the MAP file is significantly
 larger so linking may be a little slower.
 For example:

 BLX286: 1313: exception error 0D: general protection fault, code=08DC

 Active Host is DPMI (v4.10 i486 5264 Kb)

 Reg Value Limit Base     Flags Segment Module File
 CS  0117  FD8B  808EFC10 FB00     04   T      C:\TEST.EXE <- Segment |
 DS  0147  FFFF  808CF490 F300     0A   T      C:\TEST.EXE    Number  |
 ES  00B7  00FF  80900000 F300     **                          (04)   |
 SS  0147  FFFF  808CF490 F300     0A   T      C:\TEST.EXE            |
                                                                      |
 [Code byte CS] C3 BB 0A 00 [IP] 26 C4 1F 26 81 7F 02 55 90 75 05 83  |
                                                                      |
 [Registers] AX=91F7 BX=000A CX=0007 DX=0117  CS:IP=0117:91EE  <------|
             SI=4988 DI=61DB BP=6192 SP=614E      Code Offset         |
             FL=0246 NV UP DI NT NG ZR NA PO NC              (91EE)   |
                                                                      |
 [Stack value   SS] 08DC 3E13 4988 61DB 61A2 B030 0107 0000 61DB 4988 |
               [SP] 0118 1234 0234 3344 2340 0382 4320 6124 0107 3882 |
                                                                      |
 [Stack frame   SS] 4988 61DB 61A2 B030 0107 0000 61DB 4988 61DB 0083 |
               [BP] 0118 1234 0234 3344 2340 0382 4320 6124 0107 3882 |
                                                                      |
 SECTION OF MAP FILE:                                                 |
 Start      Length   Name              Class                          |
 .       .     .           .                                          |
 .       .     .           .                                          |
 0004:85C0  00BEEH   DBGAPI_TEXT       CODE                           |
 0004:91AE  00076H   DEBUG_INIT_TEXT   CODE  <------------------------|
 0004:9224  0024AH   DBGSHADO_TEXT     CODE                           |
 .       .     .           .                                          |
 .       .     .           .                                          |
 Address          Publics by Value                                    |
 .       .     .           .                                          |
 0004:9173  Res   __DBGABORT                                          |
 0004:91E0  Res   DBGINIT     <---------------------------------------|
 0004:9224  Res   DISPOUTAT                                           |

 Looking at the above example we can see that a protection violation occurred
 in module T within TEST.EXE. The offending code resides in segment 04. The
 value contained in the instruction pointer (IP) gives the offset for the
 segment, in this case 91EE.

 If we then go to the MAP file and locate the offsets for segment 04 we can
 see that offset 91EE corresponds to code in segment DEBUG_INIT_TEXT. If the
 map option `A' was specified at link time then a listing of public symbols
 will be present in the map file. Adopting the same procedure for scanning
 this list of publics we find that offset 91EE points to several bytes after
 the address of the public symbol DBGINIT.

 The utility BLIGPF.EXE in the Blinker directory is provided to automate this
 task. If BLIGPF is executed while the GPF dump is still displayed on the
 screen then it will display the name of the offending public symbol. If the
 GPF dump was redirected to a file then display it on the screen by typing
 TYPE TEST.GPF at the DOS prompt, then run BLIGPF.

 To determine whether the function DBGINIT exists in the program source code,
 or in an external library, and its exact module name, use the X parameter to
 the MAP command to create a map of each segment and its contributing
 modules:

 Detailed segment map

 Start      Length   Name              Class  Module    ACBP
 .       .     .
 .       .     .
 0004:85C0  00BEEH   DBGAPI_TEXT       CODE   DBGAPI     48
 0004:91AE  00076H   DEBUG_INIT_TEXT   CODE   DBGINIT    28
 0004:9224  0024AH   DBGSHADO_TEXT     CODE   DBGSHADO   48
 .       .     .
 .       .     .

 This indicates that the module containing the offending code is DBGINIT, and
 if it is not immediately obvious then it is possible to identify the exact
 .OBJ or .LIB file in which the module is contained by looking at the Blinker
 output when the VERBOSE command is added to the link script file.

 The line starting `[Code byte CS]' in the GPF dump shows the code bytes just
 executed to the left of the `[IP]' and the code bytes causing the GPF, i.e.
 about to be executed, to the right of the `[IP]'. For anyone who understands
 assembly language, the DOS DEBUG utility can be used to display the actual
 assembly language code causing the GPF. For example, in the GPF above, to
 run DEBUG, enter the code bytes after [IP], and disassemble the offending
 instruction, you would type:

 C:>DEBUG
 -E100 26 C4 1F 26 81 7F 02 55 90 75 05 83
 -U100
 nnnn:0100   26                ES:
 nnnn:0101   C4 1F             LES      BX,[BX]
 nnnn:0103   26                ES:
 nnnn:0104   81 7F 02 55 90    CMP      WORD PTR
 [BX+02],9055
 . . .
 -Q
 C:>

 The disassembled instructions indicate that the offending code was LES
 ES:BX,[BX], which is typically sufficient to identify and fix the problem.
 The presence of asterisks (****) in the segment registers indicates that a
 selector belongs to an overlay in a dual mode program, or that is not from
 the application. Asterisks within the code bytes or the stack indicate data
 outside a segment limit.

 When a Dual mode program has a GPF it may occur in an overlaid segment, in
 which case the CS value will be relatively high and no segment number will
 be displayed. In this case relink the program as an Extended mode program
 which will remove overlays and put the segments in the map where the dump
 function can identify them. Alternatively you can take the code segment
 limit from the dump and refer to the table of overlays in the MAP file to
 locate the most likely overlay.

Online resources provided by: http://www.X-Hacker.org --- NG 2 HTML conversion by Dave Pearson