StackOverflow Dump 分析

背景及情況：

周一早上服務(wù)巡檢發(fā)現(xiàn)11點(diǎn)線上有一個(gè)中臺服務(wù)全部宕機(jī)下線了

當(dāng)時(shí)服務(wù)的情況

查看Tara服務(wù)監(jiān)控，發(fā)現(xiàn)服務(wù)CPU、內(nèi)存、連接池等監(jiān)控都不高。第一波11點(diǎn)40多這一次宕機(jī)運(yùn)維沒有抓到dump信息，只有如下圖的一個(gè)Windows系統(tǒng)錯(cuò)誤日志

第二波12點(diǎn)02分左右又一次宕機(jī)，這次運(yùn)維抓到了dump。于是把dump文件拿過來開擼：

dump分析

分析工具 windbg Preview
使用.loadby sos clr 指令用于加載模塊

!threadpool 查看dump文件時(shí)cpu的使用情況

||0:0:000> !threadpool
CPU utilization: 26%
Worker Thread: Total: 84 Running: 0 Idle: 84 MaxLimit: 32767 MinLimit: 500
Work Request in Queue: 0
--------------------------------------
Number of Timers: 2
--------------------------------------
Completion Port Thread:Total: 26 Free: 17 MaxFree: 16 CurrentLimit: 20 MaxLimit: 1000 MinLimit: 1000

!threads 列表顯示出應(yīng)用程序所有正在運(yùn)行的線程，當(dāng)前應(yīng)用程序域中后臺正在運(yùn)行的程序等線程相關(guān)內(nèi)容

0:000> !threads
ThreadCount: 190
UnstartedThread: 0
BackgroundThread: 172
PendingThread: 0
DeadThread: 8
Hosted Runtime: no
Lock
ID OSID ThreadOBJ State GC Mode GC Alloc Context Domain Count Apt Exception
0 1 10d4 000001d6674ca230 2a020 Preemptive 0000000000000000:0000000000000000 000001d6674bd150 0 MTA
10 2 51c 000001daf364eff0 2b220 Preemptive 0000000000000000:0000000000000000 000001d6674bd150 0 MTA (Finalizer)
12 4 2980 000001daf39c5080 1029220 Preemptive 000001D6EF6D2DA0:000001D6EF6D4D38 000001d6674bd150 0 MTA (Threadpool Worker)
13 5 ac8 000001daf39c6170 1029220 Preemptive 000001D96EEC5C20:000001D96EEC6178 000001d6674bd150 0 MTA (Threadpool Worker)
14 6 1e14 000001daf3a19590 1029220 Preemptive 000001D77372A640:000001D77372B010 000001d6674bd150 0 MTA (Threadpool Worker)
15 7 2278 000001daf3a83d20 202b220 Preemptive 0000000000000000:0000000000000000 000001d6674bd150 0 MTA
16 8 2b80 000001daf3a7c540 202b220 Preemptive 0000000000000000:0000000000000000 000001d6674bd150 0 MTA
17 9 2a3c 000001daf3a7cd10 102a220 Preemptive 0000000000000000:0000000000000000 000001d6674bd150 0 MTA (Threadpool Worker)
185 181 27a4 000001dafd751a50 8029220 Preemptive 0000000000000000:0000000000000000 000001daf3a66e90 0 MTA (Threadpool Completion Port) System.StackOverflowException 000001d8e7c11158

可以看到185號線程發(fā)生了棧溢出

!analyze -v 命令分析當(dāng)前最近的異常事件, -v 顯示異常的詳細(xì)信息
0:000> !analyze -v
DBGHELP: D:\Dump\symbols\SOS_AMD64_AMD64_4.7.3701.00.dll\5F4FF3579ec000\SOS_AMD64_AMD64_4.7.3701.00.dll - OK
DBGHELP: D:\Dump\symbols\clr.dll\5F4FF3579ec000\clr.dll - OK
MethodDesc: 00007ffd3cfec9d8
Method Name: HtmlAgilityPack.HtmlNodeCollection.System.Collections.Generic.IEnumerable<HtmlAgilityPack.HtmlNode>.GetEnumerator()
Class: 00007ffd3cff3d68
MethodTable: 00007ffd3cfecb00
mdToken: 00000000060000eb
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd288e0
Transparency: Transparent
MethodDesc: 00007ffd3cfe65d8
Method Name: HtmlAgilityPack.HtmlNode.CloseNode(HtmlAgilityPack.HtmlNode)
Class: 00007ffd3cff0f58
MethodTable: 00007ffd3cfe67a0
MethodDesc: 00007ffd3cfe65d8
Method Name: HtmlAgilityPack.HtmlNode.CloseNode(HtmlAgilityPack.HtmlNode)
Class: 00007ffd3cff0f58
MethodTable: 00007ffd3cfe67a0
mdToken: 000000000600007d
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd28580
Transparency: Transparent
MethodDesc: 00007ffd3cfe5b00
Method Name: HtmlAgilityPack.HtmlDocument.CloseCurrentNode()
Class: 00007ffd3cff0e40
MethodTable: 00007ffd3cfe5dc0
mdToken: 00000000060000c4
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd265f0
Transparency: Transparent
MethodDesc: 00007ffd3cfe5c00
Method Name: HtmlAgilityPack.HtmlDocument.PushNodeEnd(Int32, Boolean)
Class: 00007ffd3cff0e40
MethodTable: 00007ffd3cfe5dc0
mdToken: 00000000060000d4
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd262e0
Transparency: Transparent
MethodDesc: 00007ffd3cfe5ba0
Method Name: HtmlAgilityPack.HtmlDocument.Parse()
Class: 00007ffd3cff0e40
MethodTable: 00007ffd3cfe5dc0
mdToken: 00000000060000ce
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd25370
Transparency: Transparent
MethodDesc: 00007ffd3cfe5a10
Method Name: HtmlAgilityPack.HtmlDocument.Load(System.IO.TextReader)
Class: 00007ffd3cff0e40
MethodTable: 00007ffd3cfe5dc0
mdToken: 00000000060000b5
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd24a30
Transparency: Transparent
MethodDesc: 00007ffd3cfe5a20
Method Name: HtmlAgilityPack.HtmlDocument.LoadHtml(System.String)
Class: 00007ffd3cff0e40
MethodTable: 00007ffd3cfe5dc0
mdToken: 00000000060000b6
Module: 00007ffd386f2d30
IsJitted: yes
CodeAddr: 00007ffd3cd24910
Transparency: Transparent
MethodDesc: 00007ffd3a5a17b8
Method Name: xxx.ServiceImp.ButtonListTriggerProvider.IsDocument(Int32, System.String, Int32 ByRef)
Class: 00007ffd3a595498
MethodTable: 00007ffd3a5a1988
mdToken: 00000000060008af
Module: 00007ffd37fa9760
IsJitted: yes
CodeAddr: 00007ffd3cd23340
Transparency: Critical
MethodDesc: 00007ffd3a5a17a0
Method Name: xxx.ButtonListTriggerProvider.IsShowButtons(Int32, Int32, System.Guid, System.String)
Class: 00007ffd3a595498
MethodTable: 00007ffd3a5a1988
mdToken: 00000000060008ad
Module: 00007ffd37fa9760
IsJitted: yes
CodeAddr: 00007ffd3c644510
Transparency: Critical
MethodDesc: 00007ffd38f54648

可以看到一個(gè)第三方程序包
HtmlAgilityPack.HtmlNode.CloseNode方法導(dǎo)致棧溢出，入口點(diǎn)在IsShowButtons方法

~185s 切換到185號線程
!dso / !dumpstackobjects 查看當(dāng)前線程的堆棧中所有托管對象

000000CA2CA7D190 000001d6e9b3a5d8 System.String IsShowButtons:校驗(yàn)權(quán)限通過
000000CA2CA7D198 000001d867c96b50 System.String
000000CA2CA7D1A0 000001d76a4c12e0 System.String Show_Button_By_ChannelName
000000CA2CA7D1B0 000001d6680ef500 xxx.ServiceImp.ButtonListTriggerProvider
000000CA2CA7D1C8 000001d76a4c12a0 System.Func`xxx.ServiceInterface.DTO.ApplicantIntegration.CheckBlackListResultDTO, xxx.ServiceInterface],[System.Boolean, mscorlib
000000CA2CA7D210 000001d6e9b3a540 System.String IsShowButtons
000000CA2CA7D218 000001d6eb1888a0 <>f__AnonymousType14`4[[System.Int32, mscorlib],[System.Int32, mscorlib],[System.Guid, mscorlib],[System.String, mscorlib]] 000000CA2CA7D228 000001d767cf80a8 System.Object[] (System.Object[]) 000000CA2CA7D240 000001d6e9b3a540 System.String IsShowTeButtons 000000CA2CA7D248 000001d6eb1888a0 <>f__AnonymousType14`4[[System.Int32, mscorlib],[System.Int32, mscorlib],[System.Guid, mscorlib],[System.String, mscorlib]] 000000CA2CA7D258 000001d767cf80a8 System.Object[] (System.Object[])

發(fā)現(xiàn)000001d6eb1888a0 和源碼中的方法一樣，查看這個(gè)對象的參數(shù)：

0:185> !do /d 000001d6eb1888a0
Name: <>f__AnonymousType14`4System.Int32, mscorlib],[System.Int32, mscorlib],[System.Guid, mscorlib],[System.String, mscorlib
MethodTable: 00007ffd3cb557c0
EEClass: 00007ffd3cb05ca0
Size: 48(0x30) bytes
File: C:\Windows\system32\config\systemprofile\AppData\Local\assembly\dl3\A4W1852V.V6G\94HV9VM9.8EZ\6e6327dc\0063dc29_97fcd801\xxx.ServiceImp.dll
Fields:
MT Field Offset Type VT Attr Value Name
00007ffd9330c148 4000029 10 System.Int32 1 instance 606939 i__Field
00007ffd9330c148 400002a 14 System.Int32 1 instance 606418892 i__Field
00007ffd932f4840 400002b 18 System.Guid 1 instance 000001d6eb1888b8 i__Field
00007ffd9330e2b8 400002c 8 System.__Canon 0 instance 000001d6eb187908 i__Field

參數(shù)信息 !do /d 000001d6eb187908
0:185> !do /d 000001d6eb187908Free ObjectSize: 12544(0x3100) bytes

看不到free object具體信息，于是查看內(nèi)存信息：

dc 000001d6eb187908

0:185> db /d 000001d6eb187908 L1000
Unknown option 'd'
000001d6`eb187908  10 a5 49 67 d6 01 00 00-e8 30 00 00 00 00 00 00  ..Ig.....0......
000001d6`eb187918  d0 48 1f eb d6 01 00 00-52 00 65 00 73 00 75 00  .H......R.e.s.u.
000001d6`eb187928  6d 00 65 00 2f 00 36 00-30 00 36 00 39 00 33 00  m.e./.6.0.6.9.3.
000001d6`eb187938  39 00 2f 00 31 00 36 00-36 00 34 00 31 00 38 00  9./.1.6.6.4.1.8.
000001d6`eb187948  32 00 34 00 37 00 34 00-2f 00 39 00 33 00 33 00  2.4.7.4./.9.3.3.
000001d6`eb187958  34 00 63 00 64 00 36 00-32 00 38 00 65 00 34 00  4.c.d.6.2.8.e.4.
000001d6`eb187968  30 00 34 00 36 00 32 00-31 00 39 00 65 00 62 00  0.4.6.2.1.9.e.b.
000001d6`eb187978  34 00 65 00 31 00 62 00-35 00 65 00 33 00 38 00  4.e.1.b.5.e.3.8.
000001d6`eb187988  65 00 39 00 34 00 35 00-32 00 2e 00 70 00 64 00  e.9.4.5.2...p.d.
000001d6`eb187998  66 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  f...............
000001d6`eb1879a8  10 c6 b9 38 fd 7f 00 00-00 00 00 00 00 00 00 00  ...8............
000001d6`eb1879b8  1b b3 73 64 1f 1b 00 00-01 00 00 00 00 00 00 00  ..sd............
000001d6`eb1879c8  00 00 00 00 00 00 00 00-e0 53 b5 3c fd 7f 00 00  .........S.<....
000001d6`eb1879d8  18 7a 18 eb d6 01 00 00-f8 d1 af ec d7 01 00 00  .z..............
000001d6`eb1879e8  78 dc af ec d7 01 00 00-db 42 09 00 cc 37 25 24  x........B...7%$
000001d6`eb1879f8  01 01 00 00 00 00 00 00-30 ac bb b2 96 3c 94 43  ........0....<.C
000001d6`eb187a08  a5 8a e1 ed 97 3d 98 0d-00 00 00 00 00 00 00 00  .....=..........
000001d6`eb187a18  f8 97 30 93 fd 7f 00 00-35 07 00 00 7b 00 22 00  ..0.....5...{.".

至此找到了引起棧溢出的源文件pdf路徑：
606939/1664182474/9334cd628e4046219eb4e1b5e38e9452.pdf。進(jìn)一步查看源文件發(fā)現(xiàn)改文件是一個(gè)40多M的pdf文件。

根本原因分析有2個(gè)：

該文件其實(shí)不是一個(gè)有效的html文件，代碼沒有判斷直接把40M的pdf文件的內(nèi)容讀取出來當(dāng)成html來處理；
引入第三方的nuget包HtmlAgilityPack，該包低版本有該異常，在高版本已解決。因此引入第三方的包必須謹(jǐn)慎，且應(yīng)該經(jīng)過公司架構(gòu)評審。

posted @ 2022-12-25 20:42 rpoplar 閱讀(128) 評論(0) 收藏舉報(bào)

刷新頁面返回頂部

Write the code ,change the world.

StackOverflow Dump 分析

背景及情況：

dump分析

公告