Crash Dump Analysis Patterns (Part 16b)
I’ve just noticed that although I covered Stack Overflow in kernel mode I didn’t do so for user mode. In fact this is one of the simplest patterns to recognize in crash dumps. It has its own exception code, c00000fd (STATUS_STACK_OVERFLOW), and a characteristic stack trace of thousands of identical frames; the faulting instruction is typically a push, call or store just below ESP that touches the stack guard page:
FAULTING_IP:
StackOverflow!SoFunction+27
00401317 6a00 push 0
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00401300 (StackOverflow!SoFunction+0x00000010)
ExceptionCode: c00000fd (Stack overflow)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00082ffc
0:000> kL
ChildEBP RetAddr
00083000 00401317 StackOverflow!SoFunction+0x10
00083010 00401317 StackOverflow!SoFunction+0x27
00083020 00401317 StackOverflow!SoFunction+0x27
00083030 00401317 StackOverflow!SoFunction+0x27
00083040 00401317 StackOverflow!SoFunction+0x27
00083050 00401317 StackOverflow!SoFunction+0x27
00083060 00401317 StackOverflow!SoFunction+0x27
00083070 00401317 StackOverflow!SoFunction+0x27
00083080 00401317 StackOverflow!SoFunction+0x27
00083090 00401317 StackOverflow!SoFunction+0x27
000830a0 00401317 StackOverflow!SoFunction+0x27
000830b0 00401317 StackOverflow!SoFunction+0x27
000830c0 00401317 StackOverflow!SoFunction+0x27
000830d0 00401317 StackOverflow!SoFunction+0x27
000830e0 00401317 StackOverflow!SoFunction+0x27
000830f0 00401317 StackOverflow!SoFunction+0x27
00083100 00401317 StackOverflow!SoFunction+0x27
00083110 00401317 StackOverflow!SoFunction+0x27
00083120 00401317 StackOverflow!SoFunction+0x27
00083130 00401317 StackOverflow!SoFunction+0x27
There could be thousands of stack frames:
0:000> kL 2000
[...]
000a2fa0 00401317 StackOverflow!SoFunction+0x27
000a2fb0 00401317 StackOverflow!SoFunction+0x27
000a2fc0 00401317 StackOverflow!SoFunction+0x27
000a2fd0 00401317 StackOverflow!SoFunction+0x27
000a2fe0 00401317 StackOverflow!SoFunction+0x27
000a2ff0 00401317 StackOverflow!SoFunction+0x27
To reach the bottom of the stack without scrolling through thousands of frames, we can dump the raw stack data between StackLimit and StackBase (both reported by !teb), search for the end of the repeating pattern of StackOverflow!SoFunction+0x27 and manually reconstruct the bottom of the stack trace from the saved EBP / return address pairs that follow it:
0:000> !teb
TEB at 7efdd000
ExceptionList: 0017fdf0
StackBase: 00180000
StackLimit: 00081000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7efdd000
EnvironmentPointer: 00000000
ClientId: 00001dc4 . 00001b74
RpcHandle: 00000000
Tls Storage: 7efdd02c
PEB Address: 7efde000
LastErrorValue: 0
LastStatusValue: c0000034
Count Owned Locks: 0
HardErrorMode: 0
0:000> dds 00081000 00180000
[...]
0017fc74 00401317 StackOverflow!SoFunction+0x27
0017fc78 00000000
0017fc7c a3a8ea65
0017fc80 0017fc90
0017fc84 00401317 StackOverflow!SoFunction+0x27
0017fc88 10001843
0017fc8c a3a8ea95
0017fc90 0017fca0
0017fc94 00401317 StackOverflow!SoFunction+0x27
0017fc98 0017fcb8
0017fc9c a3a8ea85
0017fca0 0017fcb0
0017fca4 00401317 StackOverflow!SoFunction+0x27
0017fca8 00000003
0017fcac a3a8eab5
0017fcb0 0017fcc0
0017fcb4 00401317 StackOverflow!SoFunction+0x27
0017fcb8 76c68738 user32!_EndUserApiHook+0x11
0017fcbc a3a8eaa5
0017fcc0 0017fcd0
0017fcc4 00401317 StackOverflow!SoFunction+0x27
0017fcc8 76c6a6cc user32!DefWindowProcW+0x94
0017fccc a3a8ead5
0017fcd0 0017fce0
0017fcd4 00401317 StackOverflow!SoFunction+0x27
0017fcd8 0037311e
0017fcdc a3a8eac5
0017fce0 0017fcf0
0017fce4 00401317 StackOverflow!SoFunction+0x27
0017fce8 0017fcd0
0017fcec a3a8eaf5
0017fcf0 0017fd00
0017fcf4 00401317 StackOverflow!SoFunction+0x27
0017fcf8 76c6ad0f user32!NtUserBeginPaint+0x15
0017fcfc a3a8eae5
0017fd00 0017fd5c
0017fd04 00401272 StackOverflow!WndProc+0xe2
0017fd08 00401190 StackOverflow!WndProc
0017fd0c 00000003
0017fd10 cf017ada
[…]
We then use the extended form of the k WinDbg command (k =BasePtr StackPtr InstrPtr), supplying the EBP found at the end of the repeating pattern together with the current ESP and EIP, to see which function started the recursion:
0:000> r
eax=a3b739e5 ebx=00000000 ecx=ac430000 edx=ffefd944 esi=0037311e edi=00000000
eip=00401300 esp=00082ff8 ebp=00083000 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
StackOverflow!SoFunction+0x10:
00401300 89442404 mov dword ptr [esp+4],eax ss:002b:00082ffc=00000000
0:000> k L=0017fcf0 00082ff8 00401300
ChildEBP RetAddr
0017fcb0 00401317 StackOverflow!SoFunction+0x10
0017fd00 00401272 StackOverflow!SoFunction+0x27
0017fd5c 76c687af StackOverflow!WndProc+0xe2
0017fd88 76c68936 user32!InternalCallWinProc+0x23
0017fe00 76c6a571 user32!UserCallWinProcCheckWow+0x109
0017fe5c 76c6a5dd user32!DispatchClientMessage+0xe0
0017fe98 77ccee2e user32!__fnDWORD+0x2b
0017fedc 0040107d ntdll!KiUserCallbackDispatcher+0x2e
0017ff08 0040151e StackOverflow!wWinMain+0x7d
00402ba0 20245c8b StackOverflow!__tmainCRTStartup+0x176
- Dmitry Vostokov @ DumpAnalysis.org -
October 5th, 2009 at 10:14 pm
[…] looks like a stack overflow. Usually it manifests via a PUSH instruction or a data access violation when ESP/RSP < […]
May 5th, 2010 at 1:00 pm
[…] we introduce an icon for Stack Overflow (user mode) […]
October 30th, 2010 at 11:19 pm
[…] The default analysis command detected stack overflow pattern: […]
March 4th, 2011 at 5:03 pm
void func1(void);

void __cdecl main(void)
{
    func1();
}

/* Unbounded recursion: every call pushes a return address and a saved EBP
   (8 bytes per frame, as the ChildEBP column below shows) until the thread's
   stack guard page is hit and STATUS_STACK_OVERFLOW (c00000fd) is raised.
   Build without optimization (/Od): an optimizing compiler may turn the
   self tail call into a loop and never overflow. */
void func1(void)
{
    func1();
}
0:000> .lastevent
Last event: d0c.e94: Stack overflow - code c00000fd (first chance)
0:000> k L50
ChildEBP RetAddr
00103000 002a18e8 test!func1+0x3
00103008 002a18e8 test!func1+0x8
00103010 002a18e8 test!func1+0x8
00103018 002a18e8 test!func1+0x8
…
0:000> !teb
TEB at 7ffdf000
ExceptionList: 001ffa1c
StackBase: 00200000
StackLimit: 00101000
…
0:000> dds 101000 200000
…[ebp][ret addr].. minframe…
001ff9d4 002a18e8 test!func1+0x8
001ff9d8 001ff9e0
001ff9dc 002a18e8 test!func1+0x8
001ff9e0 001ff9e8
001ff9e4 002a18f8 test!main+0x8
001ff9e8 001ffa2c
001ff9ec 002a1174 test!__tmainCRTStartup+0x122
001ff9f0 00000001
001ff9f4 00651388
001ff9f8 00651928
001ff9fc bc2792b1
001ffa00 00000000
001ffa04 00000000
001ffa08 7ffdc000
001ffa0c 00000000
001ffa10 00000000
001ffa14 001ff9fc
001ffa18 b33a09b6
001ffa1c 001ffa68
001ffa20 002a1619 test!_except_handler4
001ffa24 bc124925
001ffa28 00000000
001ffa2c 001ffa38
001ffa30 75911194 kernel32!BaseThreadInitThunk+0xe
001ffa34 7ffdc000
001ffa38 001ffa78
001ffa3c 7747b495 ntdll!__RtlUserThreadStart+0x70
001ffa40 7ffdc000
001ffa44 774f7154 ntdll!RtlpSecMemListHead
001ffa48 00000000
001ffa4c 00000000
001ffa50 7ffdc000
001ffa54 00000000
001ffa58 00000000
001ffa5c 00000000
001ffa60 001ffa44
001ffa64 00000000
001ffa68 ffffffff
001ffa6c 7743d75d ntdll!_except_handler4
001ffa70 00178d24
001ffa74 00000000
001ffa78 001ffa90
001ffa7c 7747b468 ntdll!_RtlUserThreadStart+0x1b
001ffa80 002a12dc test!mainCRTStartup
001ffa84 7ffdc000
001ffa88 00000000
001ffa8c 00000000
001ffa90 00000000
001ffa94 00000000
001ffa98 002a12dc test!mainCRTStartup
…
0:000> r
eax=00651928 ebx=00000000 ecx=6ca33714 edx=00000000 esi=00000001 edi=002a3378
eip=002a18e3 esp=00103000 ebp=00103000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
test!func1+0x3:
002a18e3 e8f8ffffff call test!func1 (002a18e0)
0:000> k 1ff9d8 103000 2a18e3
Requested number of stack frames (0x1ff9d8) is too large! The maximum number is 0xffff.
^ Range error in 'k 1ff9d8 103000 2a18e3'
0:000>
0:000> k L=1ff9d8 103000 2a18e3
ChildEBP RetAddr
001ff9d8 002a18e8 test!func1+0x3
001ff9e0 002a18f8 test!func1+0x8
001ff9e8 002a1174 test!main+0x8
001ffa2c 75911194 test!__tmainCRTStartup+0x122
001ffa38 7747b495 kernel32!BaseThreadInitThunk+0xe
001ffa78 7747b468 ntdll!__RtlUserThreadStart+0x70
001ffa90 00000000 ntdll!_RtlUserThreadStart+0x1b
….
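The procedure the post describes (!teb for the stack range, dds over it, locate the end of the repeating frames, then feed that EBP to k =BasePtr StackPtr InstrPtr) is the same one the comment above walks through by hand. As an added example that is not part of the original post or of the comment, the Python script below automates it by parsing the WinDbg output: it confirms the pattern from the exception code and from ESP's distance to StackLimit, finds the dominant return address and the highest stack slot holding it, and follows the saved EBP / return address pairs exactly the way k = does. The embedded sample is a subset of the commenter's .lastevent, !teb, r and dds output above (rows in between are omitted, none are invented); the two-page distance heuristic and all function names are my own assumptions.

```python
"""Reconstruct the bottom of a user-mode stack overflow trace from WinDbg output."""
import re
from collections import Counter

PAGE = 0x1000
STATUS_STACK_OVERFLOW = 0xC00000FD

# Sample input copied from the commenter's session above (subset of the dds rows).
LASTEVENT_OUTPUT = "Last event: d0c.e94: Stack overflow - code c00000fd (first chance)"
TEB_OUTPUT = """\
StackBase: 00200000
StackLimit: 00101000
"""
R_OUTPUT = "eip=002a18e3 esp=00103000 ebp=00103000 iopl=0 nv up ei pl zr na pe nc"
EIP_SYMBOL = "test!func1+0x3"          # symbol WinDbg printed for EIP in the r output
DDS_OUTPUT = """\
001ff9d4 002a18e8 test!func1+0x8
001ff9d8 001ff9e0
001ff9dc 002a18e8 test!func1+0x8
001ff9e0 001ff9e8
001ff9e4 002a18f8 test!main+0x8
001ff9e8 001ffa2c
001ff9ec 002a1174 test!__tmainCRTStartup+0x122
001ff9f0 00000001
001ffa2c 001ffa38
001ffa30 75911194 kernel32!BaseThreadInitThunk+0xe
001ffa34 7ffdc000
001ffa38 001ffa78
001ffa3c 7747b495 ntdll!__RtlUserThreadStart+0x70
001ffa78 001ffa90
001ffa7c 7747b468 ntdll!_RtlUserThreadStart+0x1b
001ffa90 00000000
001ffa94 00000000
001ffa98 002a12dc test!mainCRTStartup
"""

DDS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S.*))?$")


def parse_dds(text):
    """Map stack address -> (dword value, symbol or None) from dds rows."""
    mem = {}
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            mem[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3))
    return mem


def parse_teb(text):
    """Pull StackBase and StackLimit out of !teb output."""
    return {k: int(v, 16) for k, v in re.findall(r"(StackBase|StackLimit):\s*([0-9a-f]{8})", text)}


def parse_regs(text):
    """Pull the 32-bit registers out of r output."""
    return {k: int(v, 16) for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}


def parse_lastevent(text):
    """Exception code from .lastevent output."""
    return int(re.search(r"code ([0-9a-f]{8})", text).group(1), 16)


def looks_like_stack_overflow(exception_code, esp, teb, pages=2):
    """c00000fd is the authoritative signal; as a supporting check ESP should sit
    just above StackLimit. The `pages` threshold is an assumed heuristic."""
    return exception_code == STATUS_STACK_OVERFLOW and 0 <= esp - teb["StackLimit"] <= pages * PAGE


def dominant_return_address(mem):
    """The return address repeated thousands of times is the most common
    symbolized dword in the stack dump."""
    counts = Counter(value for value, symbol in mem.values() if symbol)
    return counts.most_common(1)[0][0] if counts else None


def last_recursive_frame(mem, ret_addr):
    """Highest stack slot holding the repeating return address; the saved EBP of
    that frame is the dword just below it, i.e. the BasePtr argument for k =."""
    slots = [addr for addr, (value, _) in mem.items() if value == ret_addr]
    return max(slots) - 4 if slots else None


def walk_frames(mem, ebp, eip_symbol):
    """Follow [ebp] -> saved EBP and [ebp+4] -> return address, producing
    (ChildEBP, RetAddr, function) rows like k; stop at a null return address
    or a chain that does not move up the stack."""
    frames, func = [], eip_symbol
    while ebp in mem and ebp + 4 in mem:
        saved_ebp, _ = mem[ebp]
        ret, ret_symbol = mem[ebp + 4]
        frames.append((ebp, ret, func))
        func = ret_symbol
        if ret == 0 or saved_ebp <= ebp:
            break
        ebp = saved_ebp
    return frames


def reconstruct(dds_text=DDS_OUTPUT, teb_text=TEB_OUTPUT, r_text=R_OUTPUT,
                lastevent_text=LASTEVENT_OUTPUT, eip_symbol=EIP_SYMBOL):
    """Whole procedure: confirm the pattern, find where the repeating frames end,
    then walk the saved-EBP chain from there up to the thread start."""
    mem, teb, regs = parse_dds(dds_text), parse_teb(teb_text), parse_regs(r_text)
    if not looks_like_stack_overflow(parse_lastevent(lastevent_text), regs["esp"], teb):
        return []
    base = last_recursive_frame(mem, dominant_return_address(mem))
    return walk_frames(mem, base, eip_symbol)


if __name__ == "__main__":
    print("ChildEBP RetAddr")
    for child_ebp, ret, func in reconstruct():
        print(f"{child_ebp:08x} {ret:08x} {func}")
```

Run as-is it prints the same seven rows that k L=1ff9d8 103000 2a18e3 produced above; on a real dump paste in the full dds range between StackLimit and StackBase. The first row's function name is taken from the symbol WinDbg printed for EIP, because that frame's own return address is what sits at [ebp+4], not its caller's.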