From - Thu Sep 25 07:45:59 1997
Path: news.mitre.org!blanket.mitre.org!agate!newsgate.duke.edu!nntprelay.mathworks.com!nntp.pn.com!main.Germany.EU.net!main.de.uu.net!Dortmund.Germany.EU.net!Dortmund.de.uu.net!spock.skd.de!not-for-mail
From: "Stephan Wolf"
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: Finding that offending line of code when you blue-screen...
Date: Thu, 25 Sep 1997 09:50:04 GMT
Organization: SysKonnect
Lines: 31
Message-ID: <342a30cb.5780221@spock>
References: <34299a9c.500309@news.tiac.net>
NNTP-Posting-Host: swolf.skd.de
X-Newsreader: Forte Free Agent 1.11/32.235

On Wed, 24 Sep 1997 22:59:25 GMT, user@tiac.net (user) wrote:

> I have a quick question about how one finds the offending line of
>code when you barf. I understand how to interpret the BSOD to find
>the offending address. I can look at the rest of the BSOD to
>interpret what driver it happened in, and I can build a link map with
>my driver. Is it a simple matter of just subtracting the base address
>of the driver from the offending address, and then looking in the map
>to see where that happened? I have done this, but it sometimes gives
>strange results... what is your experience? Thanks! --steve

There was already some discussion on this issue a few weeks ago, and if
memory serves me right you need to add some (?) fixed offset to the base
address before subtracting it from the offending address.

A simpler way is to either attach the kernel debugger (i386kd or WinDbg)
via a serial line or to have the system create a crash dump (enable in
"Control Panel" - "System" - "Startup/Shutdown" - "Write debugging
information to") and analyze it with the kernel debugger.

You will need to tell the debugger where to find the debug symbols of
your driver (simply point to the driver binary itself, if you didn't
remove the symbols with the REBASE tool).

And voila, the debugger will show you the nice labels of your driver
(and of other system drivers if you copy their symbol files from
\support\debug\i386\symbols on the NT CD - caveat: you'll need the SPx
symbols as well if you're using any Service Pack, see
ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/).

Stephan Wolf
http://www.syskonnect.de
SysKonnect - The Server Connectivity Company
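
The map lookup asked about in the quoted question, as an added example that is not part of the original post and not SysKonnect or Microsoft code. It assumes a map in the layout the Microsoft linker writes with /MAP (a "Preferred load address" line and an "Rva+Base" column); the map text, driver name, symbols and addresses are constructed.

```python
import bisect
import re

# Constructed sample in the layout the Microsoft linker writes with /MAP.
# Driver and symbol names are hypothetical, not taken from the post.
SAMPLE_MAP = """\
 mydriver

 Preferred load address is 00010000

  Address         Publics by Value              Rva+Base     Lib:Object

 0001:00000000       _DriverEntry@8             00011000 f   mydriver.obj
 0001:00000120       _MyDispatchRead@8          00011120 f   mydriver.obj
 0001:00000340       _MyIsr@8                   00011340 f   mydriver.obj
"""

BASE_RE = re.compile(r"Preferred load address is ([0-9A-Fa-f]+)")
# section:offset, public name, Rva+Base (preferred base + RVA)
SYM_RE = re.compile(
    r"^\s*[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}\s+(\S+)\s+([0-9A-Fa-f]{8})\b", re.M)


def parse_map(text):
    """Return (preferred_base, [(rva, name), ...] sorted by rva)."""
    m = BASE_RE.search(text)
    if m is None:
        raise ValueError("no 'Preferred load address' line in map")
    preferred = int(m.group(1), 16)
    syms = sorted((int(addr, 16) - preferred, name)
                  for name, addr in SYM_RE.findall(text))
    return preferred, syms


def resolve(fault_addr, loaded_base, syms):
    """Nearest preceding public for fault_addr, as (name, offset) or None.

    loaded_base is the base the blue screen lists for the driver. Only
    publics appear in the map, so a fault inside a static function is
    reported against the public that precedes it.
    """
    rva = fault_addr - loaded_base
    rvas = [r for r, _ in syms]
    i = bisect.bisect_right(rvas, rva) - 1
    if i < 0:
        return None  # below the image, or in the headers before any code
    return syms[i][1], rva - rvas[i]
```

In this constructed map the section:offset column and the RVA differ by 0x1000, so subtracting the load base and reading the first column directly lands on the wrong symbol.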