-1

I am analyzing a crash dump file which crashed when it was loading or saving a certain (local) data file. The call stack shows it had executed loading that file at the time of crash.

I am wondering if I need to have this data file along with the dump file as well to accurately analyze the crash? Will it affect the pointers in any way like the filename etc?

zar
  • 11,361
  • 14
  • 96
  • 178
  • The crash dump file doesn't need anything. but as Thomas Weller said, *you* may need the binaries to understand the crash. Do you "need" to have it to "accurately" analyze the crash? Maybe. Maybe not. Depends on the bug that caused the crash. – conio Mar 20 '17 at 00:00

2 Answers2

1

No, you don't need it. The what you will analyze with gdb is a snapshot of the memory used by your app made upon its crash, together with your app. Thus, it is only required to have the core file, and your app (binary + required libraries; in the best case you will need source code of them to be able to relate the debugging info to the algorithms). All pointers, variables and other will have values as per the moment of time when the core has dumped.

UPDATE: But, you can also run your app interactively from the debugger and step until you crash. Then yes, you will need your file.

dmi
  • 1,424
  • 1
  • 9
  • 9
  • But isn't that how we investigate all the crashes by stepping into the code using crash dump file? I am examining the call stack and values of variables at difference points. It is now unclear with your update when do we _not_ need it? – zar Mar 17 '17 at 15:30
  • 1
    While investigation of the core dump, you can only navigate the stack, but you cannot execute instructions interactively. This means, you cannot say to the debugger "please execute the next line". This is only available in the case 2 I have described when your debugger is attached to a working app (or it is launched from the debugger) and it catches the crash. – dmi Mar 17 '17 at 15:34
  • Also, to summarize. There are 2 cases: 1) post-crash investigation, 2) online debugging. If you mentioned a core dump file, this is case No 1). – dmi Mar 17 '17 at 15:36
  • Thanks that clarifies and yes mine is post-crash investigation. – zar Mar 17 '17 at 15:50
1

It depends on the crash dump type and the flags which were used when creating the crash dump. A full memory dump has all memory that the application had as well at the time of the crash. The MINIDUMP_TYPE flags give you an impression of what's possible. For C++, any dump is usually helpful, for .NET full memory is preferred.

Besides the dump, you rarely need extra files, except the PDB files which have information about source files and line numbers.

Thomas Weller
  • 55,411
  • 20
  • 125
  • 222