Troubleshooting: step by step to analyze crashes 1

This post’s goal is to guide a beginner through analyzing a crash by reading the assembly code.

But the example listed here is not a good one, because the crash point is not an obvious one, and the real reason for the crash in this example is still uncovered.

My point here is that we can use this kind of approach to analyze a crash, and once you have read this post you can take the first step. If you run into any problems when analyzing your own crash, we can discuss them together here. Here we go.

As you know, you can get the call stack by adding backtrace support to your app.

You can compile your app with -rdynamic; when the crash happens, you can use addr2line to locate the exact line of source code that caused it.

But when a formal product is released, we do not compile our components with -rdynamic, so we need to analyze the code ourselves.

Here is an example:

The crash report log, which contains the call stack from when the crash happened.

Get the library/executable and disassemble it; here is the code we get.


The source code of the crash point


Analysis steps:

1. Disassemble the library/executable.

2. Locate the crash point

Use the crash backtrace information to locate the crash point.

/opt/mcu/pas/ [0x51dbdb]

Find raAdd in the asm code: its address is 00140ba0, and the crash point is raAdd+0x3b, that is 00143765.

Now we have the crash point, whose instruction is:

  140bdb:    8b 40 08                 mov    0x8(%eax),%eax

It seems the crash happened while reading a value from memory through a pointer held in %eax.

3. Translate the asm code to C code.

If we look into the definition of struct vacantNode_tag, we can see that 0x8(%eax) means ra->workingSetElement->next, so the crash happened on this line:

I’ve matched and listed the C code together with the asm code in the asm contents above.
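Steps 1 and 2 above (disassemble, then add the backtrace offset to the function’s start address and read off the faulting instruction) can be scripted. The following is an added example, not code from the original post; the objdump excerpt is constructed (only the raAdd start address and the instructions at 140bdb/140bde are taken from the post), and the library name in the backtrace frame is assumed.

```python
import re

# Constructed excerpt in `objdump -d` format. Only the start address of raAdd
# and the instructions at raAdd+0x3b / +0x3e come from the post; the rest,
# including the raRemove symbol, is filler.
DISASM = """\
00140ba0 <raAdd>:
  140ba0:    55                       push   %ebp
  140ba1:    89 e5                    mov    %esp,%ebp
  140bd8:    8b 45 08                 mov    0x8(%ebp),%eax
  140bdb:    8b 40 08                 mov    0x8(%eax),%eax
  140bde:    85 c0                    test   %eax,%eax
00140c10 <raRemove>:
  140c10:    55                       push   %ebp
"""

SYM_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(\S.*)$")
# glibc backtrace_symbols() frames look like 'lib.so(func+0xoff) [0xaddr]'
FRAME_RE = re.compile(r"\(([A-Za-z_]\w*)\+0x([0-9a-f]+)\)")

def parse_disasm(text):
    """Return ({symbol: start address}, {address: instruction text})."""
    symbols, insns = {}, {}
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
            continue
        m = INSN_RE.match(line)
        if m:
            insns[int(m.group(1), 16)] = m.group(3).strip()
    return symbols, insns

def resolve_frame(frame, symbols, insns):
    """Turn 'func+0xoff' from a backtrace frame into the absolute address in
    the disassembly and the instruction found there (None if unknown)."""
    m = FRAME_RE.search(frame)
    if not m or m.group(1) not in symbols:
        return None
    addr = symbols[m.group(1)] + int(m.group(2), 16)
    return addr, insns.get(addr)

def is_memory_read(insn):
    """True for a load through a register, e.g. mov 0x8(%eax),%eax: the shape
    that faults when the base pointer (here ra->workingSetElement) is bad."""
    return insn.startswith("mov") and re.search(r"\(%\w+\),%\w+$", insn) is not None

if __name__ == "__main__":
    syms, insns = parse_disasm(DISASM)
    frame = "/opt/mcu/pas/libexample.so(raAdd+0x3b) [0x51dbdb]"  # library name assumed
    print(resolve_frame(frame, syms, insns))
```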


As I said at the beginning, this is really not a good example for explaining crash analysis by reading the asm code, because we did not find the real reason for the crash in this example.
And if you read the C code carefully, you will find a really weird thing: how could this crash happen in such code?

  140bdb:    8b 40 08                 mov    0x8(%eax),%eax                    //((vacantNode *)ra->workingSetElement)->next
  140bde:    85 c0                    test   %eax,%eax                            //if (((vacantNode *)ra->workingSetElement) && ((vacantNode *)ra->workingSetElement)->next != NULL)

Allow me to explain it later.
