平台崩溃之operator new异常(八)-2010-5-19


2010-5-19
今天大概中午11:50分,客服报故障说连不上平台。
连上去看,停在如下处(见调用栈),没有弹出任何错误窗口,也没有设置断点,就停了。

MSVCRTD! 10211920()
MSVCRTD! 10211863()
MSVCRTD! 10211836()
MSVCRTD! 1020e1be()
MSVCP60D! 104b7a69()
MSVCP60D! 104ad0d2()
MSVCP60D! 1048ba18()
MSVCP60D! 1048bccc()
MSVCP60D! 10489fa6()
MSVCP60D! 10489a1b()
StringToUpper(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & {0x1e4d0aa1 "LATON1"}) line 124 + 15 bytes
HTX_DBPool::GetDbConnection(const char * 0x00e6a181, int -1, unsigned char 1) line 94 + 46 bytes
CBasePlugInModule::GetDbConnection(const char * 0x00e6a181, int -1, unsigned char 1) line 210 + 25 bytes
GetDbConnection(const char * 0x00e6a181, int -1, unsigned char 1) line 225 + 17 bytes
CDBCGETTER2::GetDBC(const char * 0x00e6a181, short 2) line 294 + 27 bytes
COrgHelper::Get(unsigned int 10008, IORGINFO * * 0x263cfb0c, unsigned char 1) line 53 + 50 bytes
CDAPPlugin::GetOrg(unsigned int 10008, unsigned char 1) line 90 + 17 bytes
CRTOPlugin::OrgIsOnline(unsigned int 10008) line 245 + 28 bytes
CSepSEMQ::CanInquiry2(CSEMQItemBase * 0x263cfcf0) line 51
CSEMQ::Inquiry2() line 1154 + 20 bytes
InquiryProc2(void * 0x00e70a20) line 607
exec_task_func(void * 0x04071840) line 32 + 15 bytes
ACED! 00585ab7()
ACED! 005859e4()
ACED! 004fa836()
MSVCRTD! 1020c323()
KERNEL32! 7c824829()


 调用前的地址:StringToUpper 0x00422650 StringToUpper(char *)
 
00415F53   call        StringToUpper (00421f00)///<00421f00的函数地址在哪里???
00415F58   add         esp,8///<call 之后的下一条汇编指令
00415F5B   mov         byte ptr [ebp-4],2
00415F5F   mov         esi,esp
00415F61   lea         ecx,[ebp-40h]
00415F64   call        dword ptr [__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
00415F6A   cmp         esi,esp
00415F6C   call        _chkesp (004a2718)


 
 函数的实际地址:StringToUpper 0x00421f00 StringToUpper(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &)
StringToUpper的汇编代码如下:
// Mixed source/disassembly listing (MSVC debug build) of the overload the call site
// actually reached: StringToUpper(const string&) at 00421f00. Source lines carry the
// original line numbers (119-125); the assembly below each is left untouched.
119:  string StringToUpper(const string &s)
120:  {
00421F00   push        ebp
00421F01   mov         ebp,esp
00421F03   push        0FFh
00421F05   push        offset __ehhandler$?StringToUpper@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocat
00421F0A   mov         eax,fs:[00000000]
00421F10   push        eax
00421F11   mov         dword ptr fs:[0],esp
00421F18   sub         esp,5Ch
00421F1B   push        ebx
00421F1C   push        esi
00421F1D   push        edi
00421F1E   lea         edi,[ebp-68h]
00421F21   mov         ecx,17h
00421F26   mov         eax,0CCCCCCCCh
00421F2B   rep stos    dword ptr [edi]
00421F2D   mov         dword ptr [ebp-28h],0
121:      string result = s.c_str();  // NOTE(review): built from c_str(), so result only holds the bytes up to the first NUL; result.size() < s.size() if s has embedded NULs
00421F34   mov         esi,esp
00421F36   lea         eax,[ebp-24h]
00421F39   push        eax
00421F3A   mov         edi,esp
00421F3C   mov         ecx,dword ptr [ebp+0Ch]
00421F3F   call        dword ptr [__imp_?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE
00421F45   cmp         edi,esp
00421F47   call        _chkesp (004a2718)
00421F4C   push        eax
00421F4D   lea         ecx,[ebp-1Ch]
00421F50   call        dword ptr [__imp_??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD
00421F56   cmp         esi,esp
00421F58   call        _chkesp (004a2718)
00421F5D   mov         dword ptr [ebp-4],1
122:      for (unsigned i=0;i<s.size();i++)  // loop bound is s.size(), not result.size()
00421F64   mov         dword ptr [ebp-20h],0
00421F6B   jmp         StringToUpper+76h (00421f76)
00421F6D   mov         ecx,dword ptr [ebp-20h]
00421F70   add         ecx,1
00421F73   mov         dword ptr [ebp-20h],ecx
00421F76   mov         esi,esp
00421F78   mov         ecx,dword ptr [ebp+0Ch]
00421F7B   call        dword ptr [__imp_?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEI
00421F81   cmp         esi,esp
00421F83   call        _chkesp (004a2718)
00421F88   cmp         dword ptr [ebp-20h],eax
00421F8B   jae         StringToUpper+0D5h (00421fd5)
123:          result[i] = toupper(s[i]);  // NOTE(review): if result.size() < s.size() this writes past result's buffer (heap corruption, not a fault at this line); the movsx below sign-extends the char, so bytes >= 0x80 reach toupper() as negative ints, which C leaves undefined
00421F8D   mov         esi,esp
00421F8F   mov         edx,dword ptr [ebp-20h]
00421F92   push        edx
00421F93   mov         ecx,dword ptr [ebp+0Ch]
00421F96   call        dword ptr [__imp_??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEABDI
00421F9C   cmp         esi,esp
00421F9E   call        _chkesp (004a2718)
00421FA3   movsx       eax,byte ptr [eax]
00421FA6   mov         esi,esp
00421FA8   push        eax
00421FA9   call        dword ptr [__imp__toupper (004ba944)]
00421FAF   add         esp,4
00421FB2   cmp         esi,esp
00421FB4   call        _chkesp (004a2718)
00421FB9   mov         ebx,eax
00421FBB   mov         esi,esp
00421FBD   mov         ecx,dword ptr [ebp-20h]
00421FC0   push        ecx
00421FC1   lea         ecx,[ebp-1Ch]
00421FC4   call        dword ptr [__imp_??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI
00421FCA   cmp         esi,esp
00421FCC   call        _chkesp (004a2718)
00421FD1   mov         byte ptr [eax],bl
00421FD3   jmp         StringToUpper+6Dh (00421f6d)
124:      return result;  // the first call stack above stops in this line (124): the copy-construct into the caller's return slot, i.e. an allocation inside basic_string
00421FD5   mov         esi,esp
00421FD7   lea         edx,[ebp-1Ch]
00421FDA   push        edx
00421FDB   mov         ecx,dword ptr [ebp+8]
00421FDE   call        dword ptr [__imp_??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV
00421FE4   cmp         esi,esp
00421FE6   call        _chkesp (004a2718)
00421FEB   mov         eax,dword ptr [ebp-28h]
00421FEE   or          al,1
00421FF0   mov         dword ptr [ebp-28h],eax
00421FF3   mov         byte ptr [ebp-4],0
00421FF7   mov         esi,esp
00421FF9   lea         ecx,[ebp-1Ch]
00421FFC   call        dword ptr [__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
00422002   cmp         esi,esp
00422004   call        _chkesp (004a2718)
00422009   mov         eax,dword ptr [ebp+8]
125:  }


单步运行后,弹出user breakpoint窗口,调用栈如下:
GetDbConnection(const char * 0x00e6a181, int -1, unsigned char 1) line 226 + 13 bytes
CDBCGETTER2::GetDBC(const char * 0x00e6a181, short 2) line 294 + 27 bytes
COrgHelper::Get(unsigned int 10008, IORGINFO * * 0x1ad1fd5c, unsigned char 1) line 53 + 50 bytes
CDAPPlugin::GetOrg(unsigned int 10008, unsigned char 1) line 90 + 17 bytes
CRTOPlugin::HandleSend(umxns::CUMXApp * 0x1e53df70, CWrappedMsg<umxns::CUMXApp> * * 0x1ad1fe48) line 337 + 27 bytes
HTX_Msg_Sender::handle_message_block(ACE_Message_Block * 0x1e4d49b0) line 956 + 49 bytes
HTX_Task_Base::svc() line 103 + 17 bytes
ACED! 00585301()
ACED! 00585ab7()
ACED! 005859e4()
ACED! 004fa836()
MSVCRTD! 1020c323()
KERNEL32! 7c82


12:00左右重启平台,发现平台有2次卡住的现象。分析平台日志,发现:
第一个501线程处理失败,返回值为-8。
[2010-05-19 12:10:53:890](线程7656)GenSessionKey()...
[2010-05-19 12:10:54:296](线程7656)请求"服务器注册"(501,cmdserial=10)处理完成,返回值:-8,错误码:0,错误描述未定义错误..
处理失败的函数为:if (CSecurityWrapper::PublicKeyEncryptData(pkey,key,SESSION_KEY_SIZE,&outdata,outlen))
里面抛出了异常并被捕获,但异常抛出后互斥锁没有被释放,导致后面的501处理线程全部卡在这里。见《平台无响应问题处理日记(二)-2010-5-13》
另外,有个处理501的线程在前面就-4错误返回了。日志如下:
[2010-05-19 12:12:52:609](线程8036)正在处理:服务器注册(5:501,cmdserial=10)...
[2010-05-19 12:12:54:046](线程8036)服务器ID为4176(IP:127.0.0.1,Port:9601,MIP:0.0.0.0,MPort:0)的服务器连接到平台。
[2010-05-19 12:12:54:062](线程8036)OnSererLogin() Server ID:4176...
[2010-05-19 12:12:54:093](线程8036)请求"服务器注册"(501,cmdserial=10)处理完成,返回值:-4,错误码:0,错误描述未定义错误..
.[2010-05-19 12:12:56:093](线程8036)正在处理:服务器注册(5:501,cmdserial=10)...
[2010-05-19 12:12:56:093](线程8036)服务器ID为4185(IP:192.168.1.101,Port:9601,MIP:0.0.0.0,MPort:0)的服务器连接到平台。
[2010-05-19 12:12:56:093](线程8036)OnSererLogin() Server ID:4185...
[2010-05-19 12:12:56:093](线程8036)请求"服务器注册"(501,cmdserial=10)处理完成,返回值:-4,错误码:0,错误描述未定义错误..
[2010-05-19 12:13:02:734](线程8036)正在处理:服务器注册(5:501,cmdserial=10)...
[2010-05-19 12:13:04:437](线程8036)服务器ID为3843(IP:192.168.0.22,Port:9601,MIP:0.0.0.0,MPort:0)的服务器连接到平台。
[2010-05-19 12:13:04:437](线程8036)OnSererLogin() Server ID:3843...
[2010-05-19 12:13:04:453](线程8036)GetServerCert() ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)GetServerRecord() ok ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)X509_get_pubkey() ok ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)GetServer() ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)验证机器指纹 ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)产生会话密钥 ServerID:3843...
[2010-05-19 12:13:04:703](线程8036)GenSessionKey()...
线程8036处理的是服务器4176和4185。返回-4是因为服务器下的机构为空。后来重启后,这两个服务器还是没有上来。是不是这两个服务器的ap.conf下确实没有机构?

今天修改了另一处地方。就是日志的时间。以前记录的是输出日志的时间,而不是函数调用的时间。输出日志和函数调用是异步的,所以造成日志时间不准。代码已经改好。
今天把日志时间问题的修改和昨天晚上改的"GetOrg移到rto插件"的代码更新上去了,于20:00重启平台。
