Comments on: Crash Dump Analysis Patterns (Part 69)

By: Dmitry Vostokov

Dmitry Vostokov — Wed, 23 Oct 2019 21:52:13 +0000

Dynamic Memory Corruption may result in Self-Diagnosis too:

0:001> kc
# Call Site
00 ntdll!NtWaitForMultipleObjects
01 ntdll!WerpWaitForCrashReporting
02 ntdll!RtlReportExceptionHelper
03 ntdll!RtlReportException
04 ntdll!RtlReportFatalFailure$filt$0
05 ntdll!_C_specific_handler
06 ntdll!RtlpExecuteHandlerForException
07 ntdll!RtlDispatchException
08 ntdll!RtlRaiseException
09 ntdll!RtlReportFatalFailure
0a ntdll!RtlReportCriticalFailure
0b ntdll!RtlpHeapHandleError
0c ntdll!RtlpHpHeapHandleError
0d ntdll!RtlpLogHeapFailure
0e ntdll!RtlpAnalyzeHeapFailure
0f ntdll!RtlpFreeHeap
10 ntdll!RtlpFreeHeapInternal
11 ntdll!RtlFreeHeap
12 AppL!_free_base
13 AppL!thread_two
14 AppL!thread_start
15 kernel32!BaseThreadInitThunk
16 ntdll!RtlUserThreadStart

0:001> .exr -1
ExceptionAddress: 00007ffefd339269 (ntdll!RtlReportFatalFailure+0×0000000000000009)
ExceptionCode: c0000374
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00007ffefd3a27f0

0:001> !error c0000374
Error code: (NTSTATUS) 0xc0000374 (3221226356) - A heap has been corrupted.

By: Dmitry Vostokov

Dmitry Vostokov — Sat, 29 Sep 2018 14:43:23 +0000

Another example is insufficient memory in Edge:

0f 00000037`4671e030 00007ffe`179cdd4e Chakra!OutOfMemory_fatal_error+0×23
10 00000037`4671e070 00007ffe`177b5450 Chakra!Js::Exception::RaiseIfScriptActive+0×3a
11 00000037`4671e0a0 00007ffe`1783754d Chakra!Js::Throw::OutOfMemory+0×10
12 00000037`4671e0e0 00007ffe`1776ec2d Chakra!Memory::Recycler::LargeAlloc<0>+0xc85c5

By: Dmitry Vostokov

Dmitry Vostokov — Fri, 16 Dec 2016 23:11:50 +0000

Another example is Windows 8-style security interrupts:

0:112> .exr -1
ExceptionAddress: 00007ffffdb82513 (eModel!wil::details::ReportFailure+0×00000000000000ab)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0×7 FAST_FAIL_FATAL_APP_EXIT

0:112> kc 4
# Call Site
00 eModel!wil::details::ReportFailure
01 eModel!wil::details::ReportFailure_Hr
02 eModel!wil::details::in1diag3::FailFast_Hr
03 eModel!SpartanCore::LayerOwner::ConnectToLayerStateSystem

0:112> r
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000007
rdx=0000004d31b8421c rsi=000000000000331c rdi=0000000000000004
rip=00007ffffdb82513 rsp=0000004d32c4bff0 rbp=000000000000331c
r8=0000000000000003 r9=0000004d31b8421c r10=0000004d31b841a8
r11=0000004d32c4bf60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
eModel!wil::details::ReportFailure+0xab:
00007fff`fdb82513 cd29 int 29h

By: Dmitry Vostokov

Dmitry Vostokov — Sat, 25 Jul 2015 18:47:50 +0000

Another example: runtime library abort():

# 2 Id: acc.13b0 Suspend: 0 Teb: 7efa9000 Unfrozen
ChildEBP RetAddr
0333f4cc 768c15f7 ntdll!NtWaitForMultipleObjects+0×15
0333f568 762c19f8 KERNELBASE!WaitForMultipleObjectsEx+0×100
0333f5b0 762c4200 kernel32!WaitForMultipleObjectsExImplementation+0xe0
0333f5cc 762e80a4 kernel32!WaitForMultipleObjects+0×18
0333f638 762e7f63 kernel32!WerpReportFaultInternal+0×186
0333f64c 762e7858 kernel32!WerpReportFault+0×70
0333f65c 762e77d7 kernel32!BasepReportFault+0×20
0333f6e8 733f267a kernel32!UnhandledExceptionFilter+0×1af
0333fa20 747371ed msvcr90!abort+0×10f
WARNING: Stack unwind information not available. Following frames may be wrong.
0333fab8 77a938aa DispatcherProxy!Singleton<_dispatcherproxyreceiver>::instance+0×5ed
0333fbcc 77a99f45 ntdll!RtlpFreeHeap+0xb7a
0333fbe4 00000000 ntdll!_RtlUserThreadStart+0×1b

By: Dmitry Vostokov

Dmitry Vostokov — Tue, 26 Feb 2013 13:38:46 +0000

Additional example is from IE:

0:000> kc

user32!NtUserMessageCall
user32!SendMessageWorker
user32!SendMessageW
ieframe!CTabWindow::_MakeBlockingCallToHungTabToTriggerNtUserHangDetection
ieframe!CTabWindow::MarkTabAsHung
ieframe!FrameTabWndProc
user32!InternalCallWinProc
user32!UserCallWinProcCheckWow
user32!DispatchMessageWorker
user32!DispatchMessageW
ieframe!CBrowserFrame::FrameMessagePump
ieframe!BrowserThreadProc
ieframe!BrowserNewThreadProc
ieframe!SHOpenFolderWindow
ieframe!IEWinMainEx
ieframe!IEWinMain
ieframe!LCIEStartAsFrame
iexplore!wWinMain
iexplore!_initterm_e
kernel32!BaseThreadInitThunk
ntdll_77dc0000!__RtlUserThreadStart
ntdll_77dc0000!_RtlUserThreadStart

By: Crash Dump Analysis » Blog Archive » Strong process coupling, stack trace collection, critical section coruption and wait chains, message box, self-diagnosis, hidden exception and dynamic memory corruption: pattern cooperation

Mon, 26 Apr 2010 20:21:08 +0000

[…] was an exception indeed diagnosed by FilterException call. The exception is probably hidden somewhere on the raw […]

By: Crash Dump Analysis » Blog Archive » Main thread, critical section wait chains, critical section deadlock, stack trace collection, execution residue, data contents locality, self-diagnosis and not my version: pattern cooperation

Mon, 19 Apr 2010 23:38:51 +0000

[…] default command also reports a heap corruption but the closer inspection reveals that it was a detected […]

By: Dmitry Vostokov

Dmitry Vostokov — Wed, 23 Sep 2009 09:34:04 +0000

Here we can save the dump manually either using MS userdump.exe or using Task Manager in Vista/W2K8:

http://www.dumpanalysis.org/blog/index.php/2007/11/08/crash-dumps-for-dummies-part-7/

By: TheAlerter

TheAlerter — Wed, 23 Sep 2009 08:59:18 +0000

Sometimes we get something like “Microsoft Visual C++ Runtime error” dialog when a program crashes. No drwtsn32.log file will be created followed by this dialog. How are we going to deal with this.