Crash Dump Analysis Patterns (Part 5)

The next pattern I would like to talk about is Optimized Code. If you have such cases you should not trust your crash dump analysis tools like WinDbg. Always suspect that compiler generated code might have been optimized if you see any suspicious or strange behaviour of your tool. Let’s consider this fragment of stack:

Args to Child
77e44c24 000001ac 00000000 ntdll!KiFastSystemCallRet
000001ac 00000000 00000000 ntdll!NtFsControlFile+0xc
00000034 00000bb8 0013e3f4 kernel32!WaitNamedPipeW+0x2c3
0016fc60 00000000 67c14804 MyModule!PipeCreate+0x48

3rd-party function PipeCreate from MyModule opens a named pipe and its first parameter (0016fc60) points to a pipe name L”\\.\pipe\MyPipe”. Inside the source code it calls Win32 API function WaitNamedPipeW (to wait for the pipe to be available for connection) and passes the same pipe name. But we see that  the first parameter to WaitNamedPipeW is 00000034 which cannot be the pointer to a valid Unicode string. And the program should have been crashed if 00000034 were a pointer value.

Everything becomes clear if we look at WaitNamedPipeW disassembly (comments are mine):

0:000> uf kernel32!WaitNamedPipeW
mov     edi,edi
push    ebp
mov     ebp,esp
sub     esp,50h
push    dword ptr [ebp+8]  ; Use pipe name
lea     eax,[ebp-18h]
push    eax
call    dword ptr [kernel32!_imp__RtlCreateUnicodeString (77e411c8)]

call    dword ptr [kernel32!_imp__NtOpenFile (77e41014)]
cmp     dword ptr [ebp-4],edi
mov     esi,eax
jne     kernel32!WaitNamedPipeW+0×1d5 (77e93316)
cmp     esi,edi
jl      kernel32!WaitNamedPipeW+0×1ef (77e93331)
movzx   eax,word ptr [ebp-10h]
mov     ecx,dword ptr fs:[18h]
add     eax,0Eh
push    eax
push    dword ptr [kernel32!BaseDllTag (77ecd14c)]
mov     dword ptr [ebp+8],eax  ; reuse parameter slot

As we know [ebp+8] is the first function parameter in non-FPO calls:

Parameters and Local Variables

And we see it is reused because after we convert LPWSTR to UNICODE_STRING and call NtOpenFile to get a handle we no longer need our parameter slot and the compiler can reuse it to store other information.

There is another compiler optimization we should be aware of and it is called OMAP. It moves the code inside the code section and puts the most frequently accessed code fragments together. In that case if you type in WinDbg, for example, 

0:000> uf nt!someFunction

you get different code than if you type (assuming f4794100 is the address of the function you obtained from stack or disassembly)

0:000> uf f4794100

In conclusion the advice is to be alert and conscious during crash dump analysis and inspect any inconsistencies closer.

Happy debugging!

- Dmitry Vostokov @ -

8 Responses to “Crash Dump Analysis Patterns (Part 5)”

  1. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 50) Says:

    […] I call this pattern as False Function Parameters where double checks and knowledge of calling conventions are required. Sometimes this pattern is a consequence of another pattern that I previously called Optimized Code. […]

  2. !analyze -v : Crash Dump Analysis Pattern (Part 5) Says:

    […] […]

  3. Software Generalist » Blog Archive » Reading Notebook: 22-Apr-09 Says:

    […] safe register association with arguments at the beginning of a function (p. 164) - See my Optimized Code pattern: […]

  4. David Richter Says:

    Excellent site. I have found that third party device drivers that have not passed though MS driver testing are culprit even though the stack might not point to them, or the lm command. The driver could have allocated a buffer and made a system call (which caused the crash). It is likely, however, that the driver passed it some erroneous data. As well all know, applications crash when a thread of execution accesses a block of memory it does not own, or it does own but corrupts its state. I saw a big improvement with the introduction of Vista SP1, yet I will still find my system to hang should I fill up with third party downloads. I find a quickened system when I use driver verifier. Oh, and you have an outstanding site.

  5. Crash Dump Analysis » Blog Archive » Virtualized process, incorrect stack trace, stack trace collection, multiple exceptions, optimized code and C++ exception: pattern cooperation Says:

    […] a pointer to an exception pointers structure is NULL (probably because of optimized code) and we cannot use .exptr command. However we can still use a technique described in Hidden […]

  6. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 7) Says:

    […] Today we introduce an icon for Optimized Code pattern: […]

  7. Dmitry Vostokov Says:

    Another example of parameter reuse:

  8. Dmitry Vostokov Says:

    We make this pattern name more specific by specifying its variant: Optimized Code (function parameter reuse). As a side note, this reuse mechanism is also used in tail recursion.

Leave a Reply

You must be logged in to post a comment.