我在我继承的应用程序中有以下代码,使用VS2012针对boost 1.48.0构建
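// Parses a boolean from its textual form.
//
// First tries what boost::lexical_cast<bool> accepts ("0"/"1", per the
// discussion on this page) and, when that fails, a case-insensitive "true".
// Anything else yields false.
//
// The handler is deliberately narrowed to bad_lexical_cast. The original
// `catch (...)` also swallowed every unrelated exception (std::bad_alloc, and
// with /EHa even structured exceptions), which can mask genuine faults such
// as the stack corruption described further down this page instead of
// surfacing them where they happen.
//
// @param s  the text to convert
// @return   true for "1" or (case-insensitively) "true"; false otherwise
// @throws   any exception other than boost::bad_lexical_cast that the cast
//           raises is propagated to the caller
bool ConvertToBoolean(const std::string& s)
{
  try
  {
    return boost::lexical_cast<bool>(s);
  }
  catch (const boost::bad_lexical_cast&)
  {
    // Fall back to the spelled-out form. iequals works on ranges, so the
    // std::string can be compared directly without c_str().
    return boost::iequals("true", s);
  }
}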
如果将"True"或"False"传递给此方法,lexical_cast将抛出bad_lexical_cast异常,因为它只期望"0"或"1",随后才会执行字符串比较.
这在我的机器上似乎运行良好,无论在调试器内外(不总是这样吗?:)),但在我们的一个客户机器上,异常以某种方式"泄漏"出去,在调试转储文件时出现以下消息:
application.exe_161117_152748.dmp中0x000007FEFD08A06D处的未处理异常:Microsoft C++异常:boost::exception_detail::clone_impl<…>,位于内存位置0x00000000002CD9B8.
堆栈跟踪:
    KERNELBASE.dll!RaiseException() Unknown
    snowagent.exe!_CxxThrowException(void * pExceptionObject, const _s__ThrowInfo * pThrowInfo) Line 154    C++
    application.exe!boost::throw_exception<boost::bad_lexical_cast>(const boost::bad_lexical_cast & e) Line 61  C++
    application.exe!boost::detail::lexical_cast_do_cast<bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::lexical_cast_impl(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & arg) Line 1750  C++
    application.exe!ConvertToBoolean(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & s) Line 111   C++
    application.exe!CScanner::Exec() Line 326   C++
什么可能导致这种泄漏?需要责怪编译器的情况极为罕见,但由于VS2015中已修复了一个类似的问题,我很想这么做——可那为什么在我的机器上没有发生?是否因为我并行安装了VS2015和VS2012,因而拥有更新的运行时库?
最后,在下面的反汇编中,异常处理在哪里?我不是汇编专家,但我本以为这个函数会生成更多的汇编代码,我甚至看不到对boost::iequals的调用.更新:异常处理是存在的,只是不在同一个汇编代码块中.因此链接的编译器问题似乎与我的问题无关;正如@Hans Passant在评论中指出的那样,这可能是另一回事.
   107: bool ConvertToBoolean(const std::string& s)
   108: {
000000013FE654F0  mov         qword ptr [rsp+8],rcx  
000000013FE654F5  sub         rsp,38h  
000000013FE654F9  mov         qword ptr [rsp+20h],0FFFFFFFFFFFFFFFEh  
   109:   try
   110:   {
   111:     return boost::lexical_cast<bool>(s);
000000013FE65502  call        boost::detail::lexical_cast_do_cast<bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::lexical_cast_impl (013FD1A0D3h)  
000000013FE65507  jmp         ConvertToBoolean+1Fh (013FE6550Fh)  
   112:   }
   113:   catch (...)
   114:   {
   115:     if (boost::iequals("true", s.c_str()))
   116:     {
   117:       return true;
000000013FE65509  mov         al,1  
000000013FE6550B  jmp         ConvertToBoolean+1Fh (013FE6550Fh)  
   118:     }
   119:   }
   120:   return false;
000000013FE6550D  xor         al,al  
   121: }
000000013FE6550F  add         rsp,38h  
000000013FE65513  ret  
更新:为了完整性,这是异常块
   114:   {
   115:     if (boost::iequals("true", s.c_str()))
00007FF744D9F19B  mov         rcx,qword ptr [s]  
00007FF744D9F19F  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::c_str (07FF74425E8B3h)  
00007FF744D9F1A4  mov         qword ptr [rbp+30h],rax  
00007FF744D9F1A8  lea         rcx,[rbp+28h]  
00007FF744D9F1AC  call        std::locale::locale (07FF744252991h)  
00007FF744D9F1B1  mov         qword ptr [rbp+48h],rax  
00007FF744D9F1B5  mov         rax,qword ptr [rbp+48h]  
00007FF744D9F1B9  mov         qword ptr [rbp+50h],rax  
00007FF744D9F1BD  mov         r8,qword ptr [rbp+50h]  
00007FF744D9F1C1  lea         rdx,[rbp+30h]  
00007FF744D9F1C5  lea         rcx,[CNTServiceCommandLineInfo::`vftable'+11170h (07FF744FBF778h)]  
00007FF744D9F1CC  call        boost::algorithm::iequals<char const [5],char const * __ptr64> (07FF744251596h)  
00007FF744D9F1D1  mov         byte ptr [rbp+20h],al  
00007FF744D9F1D4  lea         rcx,[rbp+28h]  
00007FF744D9F1D8  call        std::locale::~locale (07FF74425D1C0h)  
00007FF744D9F1DD  movzx       eax,byte ptr [rbp+20h]  
00007FF744D9F1E1  test        eax,eax  
00007FF744D9F1E3  je          __catch$?ConvertToBoolean@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z$0+57h (07FF744D9F1F2h)  
   116:     {
   117:       return true;
00007FF744D9F1E5  mov         byte ptr [rbp+38h],1  
00007FF744D9F1E9  lea         rax,[ConvertToBoolean+37h (07FF7444C8FD7h)]  
00007FF744D9F1F0  jmp         __catch$?ConvertToBoolean@@YA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z$0+5Eh (07FF744D9F1F9h)  
   118:     }
   119:   }
00007FF744D9F1F2  lea         rax,[ConvertToBoolean+35h (07FF7444C8FD5h)]  
00007FF744D9F1F9  add         rsp,28h  
00007FF744D9F1FD  pop         rdi  
00007FF744D9F1FE  pop         rbp  
00007FF744D9F1FF  ret  
在代码中长时间搜索后,我发现了一个不少于 80 个字节的缓冲区溢出。
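// Zero both structures before use. Each ZeroMemory call must use the size of
// the object it is clearing: the original passed sizeof(startup_info) for
// process_information, so it wrote past the end of the smaller
// PROCESS_INFORMATION on the stack (the overflow of at least 80 bytes
// reported above) and clobbered whatever neighbouring stack data followed it.
STARTUPINFO startup_info;
PROCESS_INFORMATION process_information;
ZeroMemory(&startup_info, sizeof(startup_info));
ZeroMemory(&process_information, sizeof(process_information)); // was sizeof(startup_info): wrong size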
在测试期间,这段代码从未在我的机器上执行,这就是为什么原始问题中的代码在那些测试中能正常工作。栈被覆盖显然是灾难性的,会导致许多奇怪的行为。