Store process dump

Postby Ketandp » Wed Nov 15, 2006 6:13 am

Hey Guys,
On one of the process dumps, I see this.
Can anyone tell me how to move forward from here?


*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify timestamp for RpcSys.dll
*** ERROR: Module load completed but symbols could not be loaded for RpcSys.dll
*** WARNING: Unable to verify timestamp for ProxyStub.DLL
*** ERROR: Module load completed but symbols could not be loaded for ProxyStub.DLL
Debugger WatsonDb Connection::Open failed 80040e4d

FAULTING_IP:
store!MINIMSG::EcRecreateTables+4
00410fcf 8b4660 mov eax,dword ptr [esi+60h]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00410fcf (store!MINIMSG::EcRecreateTables+0x00000004)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000060
Attempt to read from address 00000060

PROCESS_NAME: store.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000060

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

AUTOBUG_SUITE_MASK: 274

MODLIST_SHA1_HASH: 88677929684551bc65814141bf7a8a49cd51d4c3

LAST_CONTROL_TRANSFER: from 00412838 to 00410fcf

STACK_TEXT:
5c01f6fc 00412838 f8d10424 5c01f9b4 004200b6 store!MINIMSG::EcRecreateTables+0x4
5c01f708 004200b6 f8d10424 6a001c9a 640185c4 store!MINIMSG::PrepareToCache+0xb
5c01f9b4 6a0040bc 04a406d0 5c01fba8 5c01fbc8 store!OMSG::EcGetProps+0x629
WARNING: Stack unwind information not available. Following frames may be wrong.
5c01fc38 00697506 04a406d0 17cad160 17cad17c VSAPIScanSource+0x40bc
5c01fe4c 006977e8 17cad160 17cad17c 17cad180 store!VSIF::EcVirusScanAndClean+0x296
5c01fe74 00691667 00000000 1ac0aea8 1ac0af6c store!VSCONTEXT::EcCallScanInterface+0x60
5c01fe88 00691b71 00000000 00000000 5c01ff70 store!VSBODYCONTEXT::EcDoScan+0x4a
5c01fea4 00698bdd 0fc7df10 21e34068 5c01ff70 store!VSMAPISCANNER::EcDoScan+0x7b
5c01ff2c 00698df9 21e34088 21e34090 5c01ff70 store!EcVirusScanOneMessage+0x7f
5c01ff54 00549644 77e41a24 16ca2bf8 00000000 store!EcProcessVirusScanQueueItem+0x69
5c01ff74 004e4ad2 00000000 00000000 16ca2bf8 store!FOnlineVirusScanTask+0xef
5c01ffa8 00689692 00000000 00000000 5c01ffec store!TI::Invoke+0xd2
5c01ffb8 77e4a990 16ca2bf8 00000000 00000000 store!DwOwnThreadTask+0x1f
5c01ffec 00000000 00689673 16ca2bf8 00000000 kernel32!BaseThreadStart+0x34


FAULTING_THREAD: 00001e74

FOLLOWUP_IP:
store!MINIMSG::EcRecreateTables+4
00410fcf 8b4660 mov eax,dword ptr [esi+60h]

FAULTING_SOURCE_CODE:
875: MINIMSG::EcRecreateTables(void)
876: {
877: EC ec;
878:
> 879: if (!m_pjses)
880: goto NotSupportedError;
881:
882: if (m_pjtabMsgFolder == NULL && m_fMsgFolderProvided)
883: {
884: Assert(Pfid());


SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: wintriag

MODULE_NAME: store

IMAGE_NAME: store.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42b78a76

SYMBOL_NAME: store!MINIMSG::EcRecreateTables+4

STACK_COMMAND: ~77s; .ecxr ; kb

FAILURE_BUCKET_ID: ACCESS_VIOLATION_store!MINIMSG::EcRecreateTables+4

BUCKET_ID: ACCESS_VIOLATION_store!MINIMSG::EcRecreateTables+4

Followup: wintriag
Ketan
Ketandp
 
Posts: 3
Joined: Thu Nov 02, 2006 7:26 am
Location: Bangalore

Postby gobinath » Wed Nov 15, 2006 1:07 pm

Hi

First get the current context registers and try to get the value of ESI from the context registers. Then analyse the ESI value and where it comes from. That could throw some light on it for you.

-Gobi
gobinath
 
Posts: 1
Joined: Wed Nov 15, 2006 10:02 am

Postby VDO » Wed Nov 15, 2006 3:08 pm

Agree. Line 879 and the following instruction
Code: Select all
mov eax,dword ptr [esi+60h]

show that the this pointer to the MINIMSG class instance is NULL:
Code: Select all
FAULTING_SOURCE_CODE:
875: MINIMSG::EcRecreateTables(void)
876: {
877: EC ec;
878:
> 879: if (!m_pjses)
880: goto NotSupportedError;
881:
882: if (m_pjtabMsgFolder == NULL && m_fMsgFolderProvided)
883: {
884: Assert(Pfid());


Also
Code: Select all
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

confirms that.
VDO
Site Admin
 
Posts: 549
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland

Postby Ketandp » Wed Nov 15, 2006 3:35 pm

Sorry guys,
It was my week off and I was not around.
I have had a look at esi and found that it's been pushed as one of the parameters to this function. Again, I see that the content of ecx is being moved to esi just before we fail while trying to dereference this pointer.

00410fcb 53 push ebx
00410fcc 56 push esi
00410fcd 8bf1 mov esi,ecx
00410fcf 8b4660 mov eax,dword ptr [esi+60h]

Guys,
ecx is the this pointer being moved to esi here, right before we try to dereference the ptr at (esi+60). Any idea?
Ketan
Ketandp
 
Posts: 3
Joined: Thu Nov 02, 2006 7:26 am
Location: Bangalore

Postby Julior » Tue Dec 12, 2006 10:56 am

From the assembly lines that you show below I can't see that ESI has been pushed as a parameter. The push that you see of ESI is just to save the esi register value on the stack as we are ready to use it (mov esi,ecx).

If you want to see the parameters passed to the top function you can look at the disassembly for the caller ("u store!MINIMSG::PrepareToCache store!MINIMSG::PrepareToCache+0xb"). However, the function that is failing doesn't have any parameters, so I don't think any parameter will be passed to it. If you send us the output of the instruction between brackets above, please also send the output of "u store!MINIMSG::EcRecreateTables store!MINIMSG::EcRecreateTables+0x4", just as a curiosity.
Julio Rodriguez
Julior
 
Posts: 1
Joined: Mon Sep 11, 2006 6:05 am

Postby VDO » Tue Dec 12, 2006 4:19 pm

Yes, you are right, it has never been pushed as a parameter. This is the so-called Visual C++ __thiscall calling convention, where the this pointer to a class object is passed via ECX (an implicit parameter):

http://msdn2.microsoft.com/en-us/library/984x0h58.aspx

This is what I was saying previously: the this pointer to the MINIMSG class instance is NULL.

I guess you had a MINIMSG object pointer declared in OMSG or somewhere else, and PrepareToCache/EcRecreateTables are not virtual functions, so they were called just like normal functions. This is how non-virtual methods are implemented in Visual C++:

Code: Select all
class A
{
public:
   int foo() { return i; }
private:
   int i;
};


Internally, class members are accessed via the implicit this pointer (passed via ECX):

Code: Select all
int A::foo() { return this->i; }


You got a NULL pointer access violation when trying to access a class member (via this->).
VDO
Site Admin
 
Posts: 549
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland

Postby VDO » Tue Dec 12, 2006 10:16 pm

Let's continue the explanation and suppose we have an object instance of class A and we call its foo method:

Code: Select all
A obj;
obj.foo();


The compiler has to generate code which calls the foo function, and the code inside the function has to know which object it is associated with.
So internally the compiler passes an implicit parameter, a pointer to that object. In pseudo code:

Code: Select all
int foo_impl(A *this)
{
   return this->i;   
}

A obj;
foo_impl(&obj);


In 32-bit assembler it should be similar to this:

Code: Select all
lea ecx, obj
call foo_impl


or, if you have obj declared as a local variable:

Code: Select all
lea ecx, [ebp-N]
call foo_impl


Of course, if you have other parameters, they are pushed on the stack from right to left.
VDO
Site Admin
 
Posts: 549
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland
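The reasoning in the two posts above (a non-virtual method gets its this pointer in ECX, so `mov eax,[esi+60h]` with ESI == NULL faults at address 0x60) can be turned into a small triage helper. This is an added example, not code from the thread or from Exchange; the MiniMsg layout, the 64 KiB null region and the function names are constructed assumptions that mirror the dump's displacement of 0x60.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the layout the dump implies: EcRecreateTables is a
// non-virtual method that reads a member at this+0x60 ("mov eax,[esi+60h]"),
// so with this == NULL the faulting read address is exactly 0x60.
struct MiniMsg {
    unsigned char earlier_members[0x60];  // constructed padding for the members before m_pjses
    void *m_pjses;                        // the member read at [esi+60h]
    // Non-virtual, so the compiler calls it directly with 'this' in ECX and never checks it.
    int EcRecreateTables() const { return m_pjses ? 0 : -1; }
};
static_assert(offsetof(MiniMsg, m_pjses) == 0x60, "layout must mirror the dump's displacement");

// The EXCEPTION_RECORD fields WinDbg printed for the crash.
struct ExceptionRecord {
    uint32_t code;    // ExceptionCode (0xC0000005 = access violation)
    uint32_t param0;  // Parameter[0]: 0 = read, 1 = write, 8 = execute
    uint32_t param1;  // Parameter[1]: the address that could not be accessed
};

enum class Verdict { NotAccessViolation, NullThisPlusOffset, OtherAccessViolation };

// Triage rule behind the NULL_CLASS_PTR_DEREFERENCE bucket: an access violation
// whose address lies in the never-mapped first 64 KiB of a Win32 process and
// equals the instruction's displacement is a member access through a NULL this.
Verdict triage(const ExceptionRecord &er, uint32_t instruction_displacement) {
    const uint32_t kNullRegionEnd = 0x10000;  // assumption: Win32 reserves the first 64 KiB
    if (er.code != 0xC0000005u) return Verdict::NotAccessViolation;
    if (er.param1 < kNullRegionEnd && er.param1 == instruction_displacement)
        return Verdict::NullThisPlusOffset;
    return Verdict::OtherAccessViolation;
}

// Recover the register value (ESI, i.e. 'this') from the faulting address and displacement.
uint32_t recover_this(uint32_t read_address, uint32_t displacement) {
    return read_address - displacement;
}

int main() {
    const ExceptionRecord from_dump{0xC0000005u, 0, 0x60};  // values copied from the post
    const Verdict v = triage(from_dump, 0x60);
    std::printf("this = %#x, verdict = %s\n", recover_this(from_dump.param1, 0x60),
                v == Verdict::NullThisPlusOffset ? "NULL this + member offset" : "other");
    return 0;
}
```

The same check applied to a large address such as 0x04a406d0 from the stack trace returns OtherAccessViolation, which is the cue to look for a dangling or corrupted pointer instead of a NULL this.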

