Crash Dump Analysis Patterns (Part 16b)
Forthcoming Webinar on Pattern-Driven Software Diagnostics
2012 - The Year of Software Trace Analysis
Accelerated Memory Dump Analysis Training
Sponsored link: Memory Dump Analysis Services
Debugging Experts Magazine Online
Debugging Today Daily Newspaper
I’ve just found that although I covered Stack Overflow in kernel mode I didn’t do this for user mode. In fact this is one of the simplest patterns to see in crash dumps. It has its own characteristic exception code and stack trace:
FAULTING_IP:
StackOverflow!SoFunction+27
00401317 6a00 push 0
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00401300 (StackOverflow!SoFunction+0x00000010)
ExceptionCode: c00000fd (Stack overflow)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00082ffc
0:000> kL
ChildEBP RetAddr
00083000 00401317 StackOverflow!SoFunction+0x10
00083010 00401317 StackOverflow!SoFunction+0×27
00083020 00401317 StackOverflow!SoFunction+0×27
00083030 00401317 StackOverflow!SoFunction+0×27
00083040 00401317 StackOverflow!SoFunction+0×27
00083050 00401317 StackOverflow!SoFunction+0×27
00083060 00401317 StackOverflow!SoFunction+0×27
00083070 00401317 StackOverflow!SoFunction+0×27
00083080 00401317 StackOverflow!SoFunction+0×27
00083090 00401317 StackOverflow!SoFunction+0×27
000830a0 00401317 StackOverflow!SoFunction+0×27
000830b0 00401317 StackOverflow!SoFunction+0×27
000830c0 00401317 StackOverflow!SoFunction+0×27
000830d0 00401317 StackOverflow!SoFunction+0×27
000830e0 00401317 StackOverflow!SoFunction+0×27
000830f0 00401317 StackOverflow!SoFunction+0×27
00083100 00401317 StackOverflow!SoFunction+0×27
00083110 00401317 StackOverflow!SoFunction+0×27
00083120 00401317 StackOverflow!SoFunction+0×27
00083130 00401317 StackOverflow!SoFunction+0×27
There could be thousands of stack frames:
0:000> kL 2000
[...]
000a2fa0 00401317 StackOverflow!SoFunction+0x27
000a2fb0 00401317 StackOverflow!SoFunction+0x27
000a2fc0 00401317 StackOverflow!SoFunction+0x27
000a2fd0 00401317 StackOverflow!SoFunction+0x27
000a2fe0 00401317 StackOverflow!SoFunction+0x27
000a2ff0 00401317 StackOverflow!SoFunction+0x27
To reach the bottom and avoid over scrolling we can dump the raw stack data, search for the end of the repeating pattern of StackOverflow!SoFunction+0×27 and try to manually reconstruct the bottom of the stack trace:
0:000> !teb
TEB at 7efdd000
ExceptionList: 0017fdf0
StackBase: 00180000
StackLimit: 00081000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7efdd000
EnvironmentPointer: 00000000
ClientId: 00001dc4 . 00001b74
RpcHandle: 00000000
Tls Storage: 7efdd02c
PEB Address: 7efde000
LastErrorValue: 0
LastStatusValue: c0000034
Count Owned Locks: 0
HardErrorMode: 0
0:000> dds 00081000 00180000
[...]
0017fc74 00401317 StackOverflow!SoFunction+0×27
0017fc78 00000000
0017fc7c a3a8ea65
0017fc80 0017fc90
0017fc84 00401317 StackOverflow!SoFunction+0×27
0017fc88 10001843
0017fc8c a3a8ea95
0017fc90 0017fca0
0017fc94 00401317 StackOverflow!SoFunction+0×27
0017fc98 0017fcb8
0017fc9c a3a8ea85
0017fca0 0017fcb0
0017fca4 00401317 StackOverflow!SoFunction+0×27
0017fca8 00000003
0017fcac a3a8eab5
0017fcb0 0017fcc0
0017fcb4 00401317 StackOverflow!SoFunction+0×27
0017fcb8 76c68738 user32!_EndUserApiHook+0×11
0017fcbc a3a8eaa5
0017fcc0 0017fcd0
0017fcc4 00401317 StackOverflow!SoFunction+0×27
0017fcc8 76c6a6cc user32!DefWindowProcW+0×94
0017fccc a3a8ead5
0017fcd0 0017fce0
0017fcd4 00401317 StackOverflow!SoFunction+0×27
0017fcd8 0037311e
0017fcdc a3a8eac5
0017fce0 0017fcf0
0017fce4 00401317 StackOverflow!SoFunction+0×27
0017fce8 0017fcd0
0017fcec a3a8eaf5
0017fcf0 0017fd00
0017fcf4 00401317 StackOverflow!SoFunction+0×27
0017fcf8 76c6ad0f user32!NtUserBeginPaint+0×15
0017fcfc a3a8eae5
0017fd00 0017fd5c
0017fd04 00401272 StackOverflow!WndProc+0xe2
0017fd08 00401190 StackOverflow!WndProc
0017fd0c 00000003
0017fd10 cf017ada
[…]
We use the extended version of k WinDbg command and supply EBP, ESP and EIP to see in what function it started:
0:000> r
eax=a3b739e5 ebx=00000000 ecx=ac430000 edx=ffefd944 esi=0037311e edi=00000000
eip=00401300 esp=00082ff8 ebp=00083000 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
StackOverflow!SoFunction+0×10:
00401300 89442404 mov dword ptr [esp+4],eax ss:002b:00082ffc=00000000
0:000> k L=0017fcf0 00082ff8 00401300
ChildEBP RetAddr
0017fcb0 00401317 StackOverflow!SoFunction+0×10
0017fd00 00401272 StackOverflow!SoFunction+0×27
0017fd5c 76c687af StackOverflow!WndProc+0xe2
0017fd88 76c68936 user32!InternalCallWinProc+0×23
0017fe00 76c6a571 user32!UserCallWinProcCheckWow+0×109
0017fe5c 76c6a5dd user32!DispatchClientMessage+0xe0
0017fe98 77ccee2e user32!__fnDWORD+0×2b
0017fedc 0040107d ntdll!KiUserCallbackDispatcher+0×2e
0017ff08 0040151e StackOverflow!wWinMain+0×7d
00402ba0 20245c8b StackOverflow!__tmainCRTStartup+0×176
- Dmitry Vostokov @ DumpAnalysis.org -
Sponsored link: Professional Software Debugging Services
/* Malware and Software Defects -> Victimware.org */
Copyright © 2006 - 2012. This is a non-profit research and scientific project.
_1125.png)
Citrix and Microsoft Customer Forum
Museum of Debugging and Memory Dumps
7/7/2011 - 8/8/2011 Annual Competition: Tell Your Windows Debugging Story
Crash and Hang Analysis Audit Service
CARE: Crash Analysis Report Environment
Crash Dump and Software Trace Analysis Training and Seminars
Access OpenTask Titles on Safari Books Online
DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based worldview.
Twitter @ DumpAnalysis You can now follow portal and blog news at DumpAnalysis on Twitter
LinkedIn Group Dr. Watson Enthusiasts All about Dr. Watson errors and more. Get news, excerpts and progress reports about the forthcoming book The Science of Dr. Watson: An Illustrated History of Debugging (ISBN 978-1906717070)
2010 (0x7DA) - The Year of Dump Analysis 2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade
International Memory Analysts and Debuggers Day: 07.07 and/or 08.08 starting from The Year of Dump Analysis, 2010, 7DA
AnnouncementsComing Soon:
Fundamentals of Complete Crash and Hang Memory Dump Analysis
Management Bits: An Anthology from Reductionist Manager
Crash Dump Analysis for System Administrators and Support Engineers
New Magazines:
Debugged! MZ/PE: MagaZine for/from Practicing Engineers
New Books:
Introduction to Pattern-Driven Software Problem Solving
Memory Dump Analysis Anthology: Color Supplement for Volumes 4-5
Windows Debugging Notebook: Essential User Space WinDbg Commands
Memory Dump Analysis Anthology, Volume 5
Memory Dump Analysis Anthology, Volume 4
Memory Dump Analysis Anthology: Color Supplement for Volumes 1-3
Memory Dump Analysis Anthology, Volume 3
First Fault Software Problem Solving: A Guide for Engineers, Managers and Users
x64 Windows Debugging: Practical Foundations
Also available:
Windows Debugging: Practical Foundations
DLL List Landscape: The Art from Computer Memory Space
Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
WinDbg: A Reference Poster and Learning Cards
Memory Dump Analysis Anthology, Volume 2
Memory Dump Analysis Anthology, Volume 1
New Children's Book:
October 5th, 2009 at 10:14 pm
[…] looks like a stack overflow. Usually it manifests via a PUSH instruction or a data access violation when ESP/RSP < […]
May 5th, 2010 at 1:00 pm
[…] we introduce an icon for Stack Overflow (user mode) […]
October 30th, 2010 at 11:19 pm
[…] The default analysis command detected stack overflow pattern: […]
March 4th, 2011 at 5:03 pm
void func1(void);
void __cdecl main(void)
{
func1();
}
void func1(void)
{
func1();
}
0:000> .lastevent
Last event: d0c.e94: Stack overflow - code c00000fd (first chance)
0:000> k L50
ChildEBP RetAddr
00103000 002a18e8 test!func1+0×3
00103008 002a18e8 test!func1+0×8
00103010 002a18e8 test!func1+0×8
00103018 002a18e8 test!func1+0×8
…
0:000> !teb
TEB at 7ffdf000
ExceptionList: 001ffa1c
StackBase: 00200000
StackLimit: 00101000
…
0:000>dds 101000 200000
…[ebp][ret addr].. minframe…
001ff9d4 002a18e8 test!func1+0×8
001ff9d8 001ff9e0
001ff9dc 002a18e8 test!func1+0×8
001ff9e0 001ff9e8
001ff9e4 002a18f8 test!main+0×8
001ff9e8 001ffa2c
001ff9ec 002a1174 test!__tmainCRTStartup+0×122
001ff9f0 00000001
001ff9f4 00651388
001ff9f8 00651928
001ff9fc bc2792b1
001ffa00 00000000
001ffa04 00000000
001ffa08 7ffdc000
001ffa0c 00000000
001ffa10 00000000
001ffa14 001ff9fc
001ffa18 b33a09b6
001ffa1c 001ffa68
001ffa20 002a1619 test!_except_handler4
001ffa24 bc124925
001ffa28 00000000
001ffa2c 001ffa38
001ffa30 75911194 kernel32!BaseThreadInitThunk+0xe
001ffa34 7ffdc000
001ffa38 001ffa78
001ffa3c 7747b495 ntdll!__RtlUserThreadStart+0×70
001ffa40 7ffdc000
001ffa44 774f7154 ntdll!RtlpSecMemListHead
001ffa48 00000000
001ffa4c 00000000
001ffa50 7ffdc000
001ffa54 00000000
001ffa58 00000000
001ffa5c 00000000
001ffa60 001ffa44
001ffa64 00000000
001ffa68 ffffffff
001ffa6c 7743d75d ntdll!_except_handler4
001ffa70 00178d24
001ffa74 00000000
001ffa78 001ffa90
001ffa7c 7747b468 ntdll!_RtlUserThreadStart+0×1b
001ffa80 002a12dc test!mainCRTStartup
001ffa84 7ffdc000
001ffa88 00000000
001ffa8c 00000000
001ffa90 00000000
001ffa94 00000000
001ffa98 002a12dc test!mainCRTStartup
…
0:000> r
eax=00651928 ebx=00000000 ecx=6ca33714 edx=00000000 esi=00000001 edi=002a3378
eip=002a18e3 esp=00103000 ebp=00103000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
test!func1+0×3:
002a18e3 e8f8ffffff call test!func1 (002a18e0)
0:000> k 1ff9d8 103000 2a18e3
Requested number of stack frames (0×1ff9d8) is too large! The maximum number is 0xffff.
^ Range error in ‘k 1ff9d8 103000 2a18e3′
0:000>
0:000> k L=1ff9d8 103000 2a18e3
ChildEBP RetAddr
001ff9d8 002a18e8 test!func1+0×3
001ff9e0 002a18f8 test!func1+0×8
001ff9e8 002a1174 test!main+0×8
001ffa2c 75911194 test!__tmainCRTStartup+0×122
001ffa38 7747b495 kernel32!BaseThreadInitThunk+0xe
001ffa78 7747b468 ntdll!__RtlUserThreadStart+0×70
001ffa90 00000000 ntdll!_RtlUserThreadStart+0×1b
….