A customer has supplied you with a crash report containing a callstack with symbol relative offsets from DLLs. The callstack also indicates which module relates to which address.
This is real data from a bug at Software Verify Ltd. This is one thread from many in a dump relating to a deadlock bug we were investigating.
How do you decode these symbol relative offsets?
In the above data we can see a callstack containing entries for ntoskrnl.exe, ntdll.dll, kernelbase.dll, kernel32.dll and svlcoveragevalidatorstub_x64.dll.
All the modules are Microsoft DLLs except for one DLL, which is part of C++ Coverage Validator, one of our tools.
To decode these values, we load svlCoverageValidatorStub_x64.dll into DWARF Browser.exe (64 bit), then for each symbol we take the following actions.
For our purposes here, we're going to show how to convert one symbol. We're going to use the first symbol from svlCoverageValidatorStub_x64.dll in the example data above.
Type the symbol name into the Name Filter field, then click Filter. This makes it easy to find the symbol we want.
Once we have found the symbol, right click on the symbol to display the context menu and choose Offset from this symbol....
An alternate method is to click on the symbol to select it, then from the Query menu choose Find Symbol with Symbol Relative Address....
Or, from the Query menu choose Find Symbol with Symbol Relative Address... then choose the symbol you want from the combo box.
Type the offset into the dialog (hex values must be prefixed with 0x) and click OK.
The appropriate location in the code is found and displayed.
Repeating the process for the data shown above resulted in this information.
svlcoveragevalidatorstub_x64.dll!sendCommandLineAndStartTimeToGUI+0x2868 sendWorkerEx::sendWorkerProc sendworkerex.cpp 250
svlcoveragevalidatorstub_x64.dll!setValidatorFeedbackHookingComplete+0x1fa6 stubSendComm::stubSendProc stubsendcomm.cpp 611