Comments on: Crash Dump Analysis Patterns (Part 11) https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Thu, 07 May 2026 03:26:18 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-767701 Dmitry Vostokov Wed, 06 Oct 2021 17:24:07 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-767701 These may also result from the incorrect application of .process/.thread commands incomplete memory dumps that do not take into account process virtual memory mapping. These may also result from the incorrect application of .process/.thread commands incomplete memory dumps that do not take into account process virtual memory mapping.

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-741645 Dmitry Vostokov Mon, 17 Feb 2014 00:00:06 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-741645 To check the correctness of some frames we can use the same method as described in Coincidental Symbolic Information pattern: http://www.dumpanalysis.org/blog/index.php/2007/08/30/crash-dump-analysis-patterns-part-24/ We use backwards disassembly on a return address: 0286f430 690e6daa mshtml!CBase::PrivateInvokeEx+0x6d WARNING: Stack unwind information not available. Following frames may be wrong. 0286f494 6915f5c5 jscript9!DllGetClassObject+0x18bb1 0:005> ub 690e6daa jscript9!DllGetClassObject+0x18b9e: 690e6d97 ff7514 push dword ptr [ebp+14h] 690e6d9a ff7510 push dword ptr [ebp+10h] 690e6d9d 8b06 mov eax,dword ptr [esi] 690e6d9f 53 push ebx 690e6da0 ff75ec push dword ptr [ebp-14h] 690e6da3 ff7508 push dword ptr [ebp+8] 690e6da6 56 push esi 690e6da7 ff5020 call dword ptr [eax+20h] To check the correctness of some frames we can use the same method as described in Coincidental Symbolic Information pattern:

http://www.dumpanalysis.org/blog/index.php/2007/08/30/crash-dump-analysis-patterns-part-24/

We use backwards disassembly on a return address:

0286f430 690e6daa mshtml!CBase::PrivateInvokeEx+0×6d
WARNING: Stack unwind information not available. Following frames may be wrong.
0286f494 6915f5c5 jscript9!DllGetClassObject+0×18bb1

0:005> ub 690e6daa
jscript9!DllGetClassObject+0×18b9e:
690e6d97 ff7514 push dword ptr [ebp+14h]
690e6d9a ff7510 push dword ptr [ebp+10h]
690e6d9d 8b06 mov eax,dword ptr [esi]
690e6d9f 53 push ebx
690e6da0 ff75ec push dword ptr [ebp-14h]
690e6da3 ff7508 push dword ptr [ebp+8]
690e6da6 56 push esi
690e6da7 ff5020 call dword ptr [eax+20h]

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 114) https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-201567 Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 114) Tue, 09 Nov 2010 12:03:08 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-201567 [...] trace may or may not be included here and it might be incorrect, heuristic and not fully discernible automatically (requires raw stack semantic analysis) like in [...] […] trace may or may not be included here and it might be incorrect, heuristic and not fully discernible automatically (requires raw stack semantic analysis) like in […]

]]> By: Crash Dump Analysis » Blog Archive » Incorrect stack trace, stack overflow, early crash dump, nested exception, problem exception handler and same vendor: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-198596 Crash Dump Analysis » Blog Archive » Incorrect stack trace, stack overflow, early crash dump, nested exception, problem exception handler and same vendor: pattern cooperation Sat, 30 Oct 2010 23:59:02 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-198596 [...] Debugging Experts Magazine Online This case study centers on 3 process dump files (two first chance exception and one second chance exception). To recall the difference between them please read first chance exceptions explained series. When we get first and second chance exception dumps together we usually open a second chance exception dump first. However, in this case, the second chance exception dump had an incorrect stack trace: [...] […] Debugging Experts Magazine Online This case study centers on 3 process dump files (two first chance exception and one second chance exception). To recall the difference between them please read first chance exceptions explained series. When we get first and second chance exception dumps together we usually open a second chance exception dump first. However, in this case, the second chance exception dump had an incorrect stack trace: […]

]]> By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 19) https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-141766 Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 19) Wed, 07 Apr 2010 14:53:57 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-141766 [...] we introduce an icon for Incorrect Stack Trace [...] […] we introduce an icon for Incorrect Stack Trace […]

]]> By: Crash Dump Analysis » Blog Archive » Reflecting on 2008 (Part 1) https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-119533 Crash Dump Analysis » Blog Archive » Reflecting on 2008 (Part 1) Wed, 27 Jan 2010 00:47:59 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-119533 [...] dereferencing null debug windows crash dump analysis system_service_exception kernel32!pnlsuserinfo warning: frame ip not in any known module. following frames may be wrong. win32 error 0n2 previously announced volume is available in trade windbg script [...] […] dereferencing null debug windows crash dump analysis system_service_exception kernel32!pnlsuserinfo warning: frame ip not in any known module. following frames may be wrong. win32 error 0n2 previously announced volume is available in trade windbg script […]

]]> By: Crash Dump Analysis » Blog Archive » Manual dump, virtualized process, stack trace collection, multiple exceptions, optimized code, wild code pointer, incorrect stack trace and hidden exception: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-99103 Crash Dump Analysis » Blog Archive » Manual dump, virtualized process, stack trace collection, multiple exceptions, optimized code, wild code pointer, incorrect stack trace and hidden exception: pattern cooperation Wed, 14 Oct 2009 19:46:38 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-99103 [...] 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden exceptions we get the following [...] […] 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden exceptions we get the following […]

]]> By: Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-97625 Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation Mon, 05 Oct 2009 22:20:35 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-97625 [...] there is a possibility of an exception in main GUI thread and also the stack trace itself looks incorrect, suddenly sending a Windows message without any kind of a message [...] […] there is a possibility of an exception in main GUI thread and also the stack trace itself looks incorrect, suddenly sending a Windows message without any kind of a message […]

]]> By: Crash Dump Analysis » Blog Archive » Virtualized process, incorrect stack trace, stack trace collection, multiple exceptions, optimized code and C++ exception: pattern cooperation https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-83536 Crash Dump Analysis » Blog Archive » Virtualized process, incorrect stack trace, stack trace collection, multiple exceptions, optimized code and C++ exception: pattern cooperation Wed, 08 Jul 2009 19:54:58 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-83536 [...] the shown above stack trace is incorrect but at the same time the first thread stack looks [...] […] the shown above stack trace is incorrect but at the same time the first thread stack looks […]

]]> By: Crash Dump Analysis » Blog Archive » The Importance of Symbols https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-78956 Crash Dump Analysis » Blog Archive » The Importance of Symbols Sat, 13 Jun 2009 23:46:45 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/03/crash-dump-analysis-patterns-part-11/#comment-78956 [...] post looks at incorrect stack traces in more detail and provides an example and explanation of why WinDbg is not able to get them right [...] […] post looks at incorrect stack traces in more detail and provides an example and explanation of why WinDbg is not able to get them right […]

]]>