By: sergmat

sergmat — Fri, 04 Mar 2011 17:03:01 +0000

void func1(void);
void __cdecl main(void)
{
func1();
}
void func1(void)
{
func1();
}

0:000> .lastevent
Last event: d0c.e94: Stack overflow - code c00000fd (first chance)

0:000> k L50
ChildEBP RetAddr
00103000 002a18e8 test!func1+0×3
00103008 002a18e8 test!func1+0×8
00103010 002a18e8 test!func1+0×8
00103018 002a18e8 test!func1+0×8
…

0:000> !teb
TEB at 7ffdf000
ExceptionList: 001ffa1c
StackBase: 00200000
StackLimit: 00101000
…

0:000>dds 101000 200000
…[ebp][ret addr].. minframe…
001ff9d4 002a18e8 test!func1+0×8
001ff9d8 001ff9e0
001ff9dc 002a18e8 test!func1+0×8
001ff9e0 001ff9e8
001ff9e4 002a18f8 test!main+0×8
001ff9e8 001ffa2c
001ff9ec 002a1174 test!__tmainCRTStartup+0×122
001ff9f0 00000001
001ff9f4 00651388
001ff9f8 00651928
001ff9fc bc2792b1
001ffa00 00000000
001ffa04 00000000
001ffa08 7ffdc000
001ffa0c 00000000
001ffa10 00000000
001ffa14 001ff9fc
001ffa18 b33a09b6
001ffa1c 001ffa68
001ffa20 002a1619 test!_except_handler4
001ffa24 bc124925
001ffa28 00000000
001ffa2c 001ffa38
001ffa30 75911194 kernel32!BaseThreadInitThunk+0xe
001ffa34 7ffdc000
001ffa38 001ffa78
001ffa3c 7747b495 ntdll!__RtlUserThreadStart+0×70
001ffa40 7ffdc000
001ffa44 774f7154 ntdll!RtlpSecMemListHead
001ffa48 00000000
001ffa4c 00000000
001ffa50 7ffdc000
001ffa54 00000000
001ffa58 00000000
001ffa5c 00000000
001ffa60 001ffa44
001ffa64 00000000
001ffa68 ffffffff
001ffa6c 7743d75d ntdll!_except_handler4
001ffa70 00178d24
001ffa74 00000000
001ffa78 001ffa90
001ffa7c 7747b468 ntdll!_RtlUserThreadStart+0×1b
001ffa80 002a12dc test!mainCRTStartup
001ffa84 7ffdc000
001ffa88 00000000
001ffa8c 00000000
001ffa90 00000000
001ffa94 00000000
001ffa98 002a12dc test!mainCRTStartup
…

0:000> r
eax=00651928 ebx=00000000 ecx=6ca33714 edx=00000000 esi=00000001 edi=002a3378
eip=002a18e3 esp=00103000 ebp=00103000 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
test!func1+0×3:
002a18e3 e8f8ffffff call test!func1 (002a18e0)

0:000> k 1ff9d8 103000 2a18e3
Requested number of stack frames (0×1ff9d8) is too large! The maximum number is 0xffff.
^ Range error in ‘k 1ff9d8 103000 2a18e3′

0:000>

0:000> k L=1ff9d8 103000 2a18e3
ChildEBP RetAddr
001ff9d8 002a18e8 test!func1+0×3
001ff9e0 002a18f8 test!func1+0×8
001ff9e8 002a1174 test!main+0×8
001ffa2c 75911194 test!__tmainCRTStartup+0×122
001ffa38 7747b495 kernel32!BaseThreadInitThunk+0xe
001ffa78 7747b468 ntdll!__RtlUserThreadStart+0×70
001ffa90 00000000 ntdll!_RtlUserThreadStart+0×1b
….

By: Crash Dump Analysis » Blog Archive » Incorrect stack trace, stack overflow, early crash dump, nested exception, problem exception handler and same vendor: pattern cooperation

Sat, 30 Oct 2010 23:19:09 +0000

[…] The default analysis command detected stack overflow pattern: […]

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 32)

Wed, 05 May 2010 13:00:19 +0000

[…] we introduce an icon for Stack Overflow (user mode) […]

By: Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation

Mon, 05 Oct 2009 22:14:05 +0000

[…] looks like a stack overflow. Usually it manifests via a PUSH instruction or a data access violation when ESP/RSP < […]

Comments on: Crash Dump Analysis Patterns (Part 16b)

By: sergmat

By: Crash Dump Analysis » Blog Archive » Incorrect stack trace, stack overflow, early crash dump, nested exception, problem exception handler and same vendor: pattern cooperation

By: Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 32)

By: Crash Dump Analysis » Blog Archive » WOW64 process, NULL data pointer, stack overflow, main thread, incorrect stack trace, nested exceptions, hidden exception, manual dump, multiple exceptions and virtualized system: pattern cooperation