std::runtime_error::what()在使用嵌套异常时导致访问冲突

Question

我并不是在寻找解决这个问题的方法，我只是想了解它的原因。一位同事向我展示了一些代码，这些代码在Visual 2008编译后在Windows 6 ARMV4I下运行时会导致访问冲突。同样的代码在x86 Windows下运行良好，他声称它在GCC编译的Linux下工作(我还没有验证)。我将问题归纳为以下代码：

int main( int argc, char* argv[] )
{
    try
    {
        throw std::runtime_error( "a" );
    }
    catch( std::runtime_error& e1 )
    {
        try
        {
            try
            {
                throw std::runtime_error( "b" );
            }
            catch( std::runtime_error& e11 )
            {
                throw;
            }
        }
        catch( std::runtime_error& e12 )
        {
            e12.what(); // access violation
        }
    }
    return 0;
}

撇开这段代码是否合理的问题不谈，当上面的代码调用std::runtime_error::what()时，有人能解释是什么导致了访问冲突吗？

谢谢，PaulH

编辑：调用堆栈：

test.exe!wmain(int argc = 1, wchar_t** argv = 0x00040080) Line: 169, Byte Offsets: 0xd8 C++
_CallSettingFrame   
test.exe!CallCatchBlock(EHExceptionRecord* pExcept = 0x1803eb0c, unsigned long int* pRN = 0x1803fc18, _CONTEXT* pContext = 0x1803f014, _s_FuncInfo* pFuncInfo = 0x00023960, void* handlerAddress = 0x00011494, int CatchDepth = 0, unsigned long int NLGCode = 256) Line: 878, Byte Offsets: 0x258  C++
test.exe!__InternalCxxFrameHandler(EHExceptionRecord* pExcept = 0x1803eb0c, unsigned long int* pRN = 0x1803f2f8, _CONTEXT* pContext = 0x1803f014, _DISPATCHER_CONTEXT* pDC = 0x1803e824, _s_FuncInfo* pFuncInfo = 0x00023960, int CatchDepth = 0) Line: 179, Byte Offsets: 0xfc C++
test.exe!__CxxFrameHandler3(EHExceptionRecord* pExcept = 0x1803eb0c, unsigned long int* pRN = 0x1803f2f8, _CONTEXT* pContext = 0x1803f014, _DISPATCHER_CONTEXT* pDC = 0x1803e824) Line: 242, Byte Offsets: 0x54 C++
0xf000fffc  

输出窗口：

RaiseException: Thread=96ec78d0 Proc=80096c70 'test.exe'
AKY=00000801 PC=03f91e7c(coredll.dll+0x00043e7c) RA=88037538(NK.EXE+0x00007538) BVA=00000000 FSR=00000000
RaiseException: Thread=96ec78d0 Proc=80096c70 'test.exe'
AKY=00000801 PC=03f91e7c(coredll.dll+0x00043e7c) RA=88037538(NK.EXE+0x00007538) BVA=00000000 FSR=00000000
RaiseException: Thread=96ec78d0 Proc=80096c70 'test.exe'
AKY=00000801 PC=03f91e7c(coredll.dll+0x00043e7c) RA=88037538(NK.EXE+0x00007538) BVA=00000000 FSR=00000000
Data Abort: Thread=96ec78d0 Proc=80096c70 'test.exe'
AKY=00000801 PC=000114ac(test.exe+0x000014ac) RA=0002095c(test.exe+0x0001095c) BVA=5061654c FSR=00000405
First-chance exception at 0x000114ac in test.exe: 0xC0000005: Access violation reading location 0x5061654c.

Edit2: Microsoft中有一个关于这个问题的缺陷报告。

Answer 1

这不是一个答案，而是一个清单太长，不能发表评论。

我查找程序集以发布违规代码的生成。见下文。我从底部将AV标记在正确的指令行5行上。

int _tmain(int argc, _TCHAR* argv[])
{
000116E8  mov         r12, sp 
000116EC  stmdb       sp!, {r11, r12, lr} 
000116F0  add         r11, sp, #0xC 
000116F4  sub         sp, sp, #0x98 
000116F8  ldr         r3, [pc, #0x10C] 
000116FC  ldr         r3, [r3] 
00011700  str         r3, [r11, #-0x10] 
    try
    {
        throw std::runtime_error( "a" );
00011704  mov         r2, #0 
00011708  mov         r1, #0 
0001170C  sub         r0, r11, #0x84 
00011710  bl          |std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Tidy ( 11118h )| 
00011714  ldr         r1, [pc, #0xEC] 
00011718  mov         r2, #1 
0001171C  sub         r0, r11, #0x84 
00011720  bl          |std::basic_string<char,std::char_traits<char>,std::allocator<char> >::assign ( 114d0h ) 
00011724  sub         r1, r11, #0x84 
00011728  sub         r0, r11, #0x68 
0001172C  bl          |std::runtime_error::runtime_error ( 115ach )| 
00011730  ldr         r1, [pc, #0xC4] 
00011734  sub         r0, r11, #0x68 
00011738  bl          000118F0 
    return 0;
0001173C  ldr         r0, [r11, #-0x10] 
00011740  bl          00011C70 
00011744  mov         r0, #0 
}
00011748  sub         sp, r11, #0xC 
0001174C  ldmia       sp, {r11, sp, pc} 
00011750  andeq       r3, r1, r8, ror r0 
00011754  andeq       r4, r1, r0, ror #3 
            }
            catch( std::runtime_error& e11 )
00011758  str         lr, [sp, #-4]! 
            {
                throw;
0001175C  mov         r1, #0 
00011760  mov         r0, #0 
00011764  bl          000118F0 
00011768  andeq       r3, r1, r8, ror r0 
0001176C  andeq       r4, r1, r0, ror #3 
            }
        }
        catch( std::runtime_error& e12 )
00011770  str         lr, [sp, #-4]! 
        {
            e12.what(); // access violation
00011774  ldr         r0, e12, #-0xA4 
00011778  ldr         r3, [r0]         // AV
0001177C  mov         lr, pc 
00011780  ldr         pc, [r3, #4] 
00011784  ldr         r0, [pc, #0x78] 
00011788  ldr         pc, [sp], #4