Crash Dump Analysis Patterns (Part 69)

Sometimes patterns like Message Box and / or Stack Trace semantics reveal another pattern that I call Self-Diagnosis which may or may not result in Self-Dump. The diagnostic message may reveal the problem internally detected by runtime environment.

Consider the following stack trace:

0:000> kv
ChildEBP RetAddr  Args to Child             
0012e8c0 77f4bf53 77f4610a 00000000 00000000 ntdll!KiFastSystemCallRet
0012e8f8 77f3965e 000101a2 00000000 00000001 user32!NtUserWaitMessage+0xc
0012e920 77f4f762 77f30000 00151768 00000000 user32!InternalDialogBox+0xd0
0012ebe0 77f4f047 0012ed3c 00000000 ffffffff user32!SoftModalMessageBox+0x94b
0012ed30 77f4eec9 0012ed3c 00000028 00000000 user32!MessageBoxWorker+0x2ba
0012ed88 77f87d0d 00000000 001511a8 0014ef50 user32!MessageBoxTimeoutW+0x7a
0012edbc 77f742c8 00000000 0012ee70 1001d7d4 user32!MessageBoxTimeoutA+0x9c
0012eddc 77f742a4 00000000 0012ee70 1001d7d4 user32!MessageBoxExA+0x1b
0012edf8 10014c9a 00000000 0012ee70 1001d7d4 user32!MessageBoxA+0×45
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ee2c 10010221 0012ee70 1001d7d4 00012010 component!Error+0×7e4a
[…]

Dumping the message box message and its title shows that Visual C++ runtime detected a buffer overflow condition:

0:000> da 0012ee70
0012ee70  "Buffer overrun detected!..Progra”
0012ee90  “m: E:\W\program.exe..A buffer ov”
0012eeb0  “errun has been detected which ha”
0012eed0  “s corrupted the program’s.intern”
0012eef0  “al state.  The program cannot sa”
0012ef10  “fely continue execution and must”
0012ef30  “.now be terminated..”

0:000> da 1001d7d4
1001d7d4  "Microsoft Visual C++ Runtime Lib"
1001d7f4  "rary"

- Dmitry Vostokov @ DumpAnalysis.org -

9 Responses to “Crash Dump Analysis Patterns (Part 69)”

  1. TheAlerter Says:

    Sometimes we get something like “Microsoft Visual C++ Runtime error” dialog when a program crashes. No drwtsn32.log file will be created followed by this dialog. How are we going to deal with this.

  2. Dmitry Vostokov Says:

    Here we can save the dump manually either using MS userdump.exe or using Task Manager in Vista/W2K8:

    http://www.dumpanalysis.org/blog/index.php/2007/11/08/crash-dumps-for-dummies-part-7/

  3. Crash Dump Analysis » Blog Archive » Main thread, critical section wait chains, critical section deadlock, stack trace collection, execution residue, data contents locality, self-diagnosis and not my version: pattern cooperation Says:

    […] default command also reports a heap corruption but the closer inspection reveals that it was a detected […]

  4. Crash Dump Analysis » Blog Archive » Strong process coupling, stack trace collection, critical section coruption and wait chains, message box, self-diagnosis, hidden exception and dynamic memory corruption: pattern cooperation Says:

    […] was an exception indeed diagnosed by FilterException call. The exception is probably hidden somewhere on the raw […]

  5. Dmitry Vostokov Says:

    Additional example is from IE:

    0:000> kc

    user32!NtUserMessageCall
    user32!SendMessageWorker
    user32!SendMessageW
    ieframe!CTabWindow::_MakeBlockingCallToHungTabToTriggerNtUserHangDetection
    ieframe!CTabWindow::MarkTabAsHung
    ieframe!FrameTabWndProc
    user32!InternalCallWinProc
    user32!UserCallWinProcCheckWow
    user32!DispatchMessageWorker
    user32!DispatchMessageW
    ieframe!CBrowserFrame::FrameMessagePump
    ieframe!BrowserThreadProc
    ieframe!BrowserNewThreadProc
    ieframe!SHOpenFolderWindow
    ieframe!IEWinMainEx
    ieframe!IEWinMain
    ieframe!LCIEStartAsFrame
    iexplore!wWinMain
    iexplore!_initterm_e
    kernel32!BaseThreadInitThunk
    ntdll_77dc0000!__RtlUserThreadStart
    ntdll_77dc0000!_RtlUserThreadStart

  6. Dmitry Vostokov Says:

    Another example: runtime library abort():

    # 2 Id: acc.13b0 Suspend: 0 Teb: 7efa9000 Unfrozen
    ChildEBP RetAddr
    0333f4cc 768c15f7 ntdll!NtWaitForMultipleObjects+0×15
    0333f568 762c19f8 KERNELBASE!WaitForMultipleObjectsEx+0×100
    0333f5b0 762c4200 kernel32!WaitForMultipleObjectsExImplementation+0xe0
    0333f5cc 762e80a4 kernel32!WaitForMultipleObjects+0×18
    0333f638 762e7f63 kernel32!WerpReportFaultInternal+0×186
    0333f64c 762e7858 kernel32!WerpReportFault+0×70
    0333f65c 762e77d7 kernel32!BasepReportFault+0×20
    0333f6e8 733f267a kernel32!UnhandledExceptionFilter+0×1af
    0333fa20 747371ed msvcr90!abort+0×10f
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0333fab8 77a938aa DispatcherProxy!Singleton<_dispatcherproxyreceiver>::instance+0×5ed
    0333fbcc 77a99f45 ntdll!RtlpFreeHeap+0xb7a
    0333fbe4 00000000 ntdll!_RtlUserThreadStart+0×1b

  7. Dmitry Vostokov Says:

    Another example is Windows 8-style security interrupts:

    0:112> .exr -1
    ExceptionAddress: 00007ffffdb82513 (eModel!wil::details::ReportFailure+0×00000000000000ab)
    ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    ExceptionFlags: 00000001
    NumberParameters: 1
    Parameter[0]: 0000000000000007
    Subcode: 0×7 FAST_FAIL_FATAL_APP_EXIT

    0:112> kc 4
    # Call Site
    00 eModel!wil::details::ReportFailure
    01 eModel!wil::details::ReportFailure_Hr
    02 eModel!wil::details::in1diag3::FailFast_Hr
    03 eModel!SpartanCore::LayerOwner::ConnectToLayerStateSystem

    0:112> r
    Last set context:
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000007
    rdx=0000004d31b8421c rsi=000000000000331c rdi=0000000000000004
    rip=00007ffffdb82513 rsp=0000004d32c4bff0 rbp=000000000000331c
    r8=0000000000000003 r9=0000004d31b8421c r10=0000004d31b841a8
    r11=0000004d32c4bf60 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl zr na po nc
    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
    eModel!wil::details::ReportFailure+0xab:
    00007fff`fdb82513 cd29 int 29h

  8. Dmitry Vostokov Says:

    Another example is insufficient memory in Edge:

    0f 00000037`4671e030 00007ffe`179cdd4e Chakra!OutOfMemory_fatal_error+0×23
    10 00000037`4671e070 00007ffe`177b5450 Chakra!Js::Exception::RaiseIfScriptActive+0×3a
    11 00000037`4671e0a0 00007ffe`1783754d Chakra!Js::Throw::OutOfMemory+0×10
    12 00000037`4671e0e0 00007ffe`1776ec2d Chakra!Memory::Recycler::LargeAlloc<0>+0xc85c5

  9. Dmitry Vostokov Says:

    Dynamic Memory Corruption may result in Self-Diagnosis too:

    0:001> kc
    # Call Site
    00 ntdll!NtWaitForMultipleObjects
    01 ntdll!WerpWaitForCrashReporting
    02 ntdll!RtlReportExceptionHelper
    03 ntdll!RtlReportException
    04 ntdll!RtlReportFatalFailure$filt$0
    05 ntdll!_C_specific_handler
    06 ntdll!RtlpExecuteHandlerForException
    07 ntdll!RtlDispatchException
    08 ntdll!RtlRaiseException
    09 ntdll!RtlReportFatalFailure
    0a ntdll!RtlReportCriticalFailure
    0b ntdll!RtlpHeapHandleError
    0c ntdll!RtlpHpHeapHandleError
    0d ntdll!RtlpLogHeapFailure
    0e ntdll!RtlpAnalyzeHeapFailure
    0f ntdll!RtlpFreeHeap
    10 ntdll!RtlpFreeHeapInternal
    11 ntdll!RtlFreeHeap
    12 AppL!_free_base
    13 AppL!thread_two
    14 AppL!thread_start
    15 kernel32!BaseThreadInitThunk
    16 ntdll!RtlUserThreadStart

    0:001> .exr -1
    ExceptionAddress: 00007ffefd339269 (ntdll!RtlReportFatalFailure+0×0000000000000009)
    ExceptionCode: c0000374
    ExceptionFlags: 00000001
    NumberParameters: 1
    Parameter[0]: 00007ffefd3a27f0

    0:001> !error c0000374
    Error code: (NTSTATUS) 0xc0000374 (3221226356) - A heap has been corrupted.

Leave a Reply