Crash Dump Analysis Patterns (Part 69)
Sometimes patterns like Message Box and/or Stack Trace semantics reveal another pattern that I call Self-Diagnosis, which may or may not result in a Self-Dump. The diagnostic message may reveal a problem internally detected by the runtime environment.
Consider the following stack trace:
0:000> kv
ChildEBP RetAddr Args to Child
0012e8c0 77f4bf53 77f4610a 00000000 00000000 ntdll!KiFastSystemCallRet
0012e8f8 77f3965e 000101a2 00000000 00000001 user32!NtUserWaitMessage+0xc
0012e920 77f4f762 77f30000 00151768 00000000 user32!InternalDialogBox+0xd0
0012ebe0 77f4f047 0012ed3c 00000000 ffffffff user32!SoftModalMessageBox+0x94b
0012ed30 77f4eec9 0012ed3c 00000028 00000000 user32!MessageBoxWorker+0x2ba
0012ed88 77f87d0d 00000000 001511a8 0014ef50 user32!MessageBoxTimeoutW+0x7a
0012edbc 77f742c8 00000000 0012ee70 1001d7d4 user32!MessageBoxTimeoutA+0x9c
0012eddc 77f742a4 00000000 0012ee70 1001d7d4 user32!MessageBoxExA+0x1b
0012edf8 10014c9a 00000000 0012ee70 1001d7d4 user32!MessageBoxA+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ee2c 10010221 0012ee70 1001d7d4 00012010 component!Error+0x7e4a
[…]
Dumping the message box text and its title shows that the Visual C++ runtime detected a buffer overflow condition:
0:000> da 0012ee70
0012ee70 "Buffer overrun detected!..Progra"
0012ee90 "m: E:\W\program.exe..A buffer ov"
0012eeb0 "errun has been detected which ha"
0012eed0 "s corrupted the program's.intern"
0012eef0 "al state.  The program cannot sa"
0012ef10 "fely continue execution and must"
0012ef30 ".now be terminated.."
0:000> da 1001d7d4
1001d7d4 "Microsoft Visual C++ Runtime Lib"
1001d7f4 "rary"
- Dmitry Vostokov @ DumpAnalysis.org -
September 23rd, 2009 at 8:59 am
Sometimes we get something like a "Microsoft Visual C++ Runtime error" dialog when a program crashes. No drwtsn32.log file will be created following this dialog. How are we going to deal with this?
September 23rd, 2009 at 9:34 am
Here we can save the dump manually either using MS userdump.exe or using Task Manager in Vista/W2K8:
http://www.dumpanalysis.org/blog/index.php/2007/11/08/crash-dumps-for-dummies-part-7/
April 19th, 2010 at 11:38 pm
[…] default command also reports a heap corruption but the closer inspection reveals that it was a detected […]
April 26th, 2010 at 8:21 pm
[…] was an exception indeed diagnosed by FilterException call. The exception is probably hidden somewhere on the raw […]
February 26th, 2013 at 1:38 pm
An additional example is from IE:
0:000> kc
user32!NtUserMessageCall
user32!SendMessageWorker
user32!SendMessageW
ieframe!CTabWindow::_MakeBlockingCallToHungTabToTriggerNtUserHangDetection
ieframe!CTabWindow::MarkTabAsHung
ieframe!FrameTabWndProc
user32!InternalCallWinProc
user32!UserCallWinProcCheckWow
user32!DispatchMessageWorker
user32!DispatchMessageW
ieframe!CBrowserFrame::FrameMessagePump
ieframe!BrowserThreadProc
ieframe!BrowserNewThreadProc
ieframe!SHOpenFolderWindow
ieframe!IEWinMainEx
ieframe!IEWinMain
ieframe!LCIEStartAsFrame
iexplore!wWinMain
iexplore!_initterm_e
kernel32!BaseThreadInitThunk
ntdll_77dc0000!__RtlUserThreadStart
ntdll_77dc0000!_RtlUserThreadStart
July 25th, 2015 at 6:47 pm
Another example: runtime library abort():
# 2 Id: acc.13b0 Suspend: 0 Teb: 7efa9000 Unfrozen
ChildEBP RetAddr
0333f4cc 768c15f7 ntdll!NtWaitForMultipleObjects+0x15
0333f568 762c19f8 KERNELBASE!WaitForMultipleObjectsEx+0x100
0333f5b0 762c4200 kernel32!WaitForMultipleObjectsExImplementation+0xe0
0333f5cc 762e80a4 kernel32!WaitForMultipleObjects+0x18
0333f638 762e7f63 kernel32!WerpReportFaultInternal+0x186
0333f64c 762e7858 kernel32!WerpReportFault+0x70
0333f65c 762e77d7 kernel32!BasepReportFault+0x20
0333f6e8 733f267a kernel32!UnhandledExceptionFilter+0x1af
0333fa20 747371ed msvcr90!abort+0x10f
WARNING: Stack unwind information not available. Following frames may be wrong.
0333fab8 77a938aa DispatcherProxy!Singleton<_dispatcherproxyreceiver>::instance+0x5ed
0333fbcc 77a99f45 ntdll!RtlpFreeHeap+0xb7a
0333fbe4 00000000 ntdll!_RtlUserThreadStart+0x1b
December 16th, 2016 at 11:11 pm
Another example is Windows 8-style security interrupts:
0:112> .exr -1
ExceptionAddress: 00007ffffdb82513 (eModel!wil::details::ReportFailure+0x00000000000000ab)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
0:112> kc 4
# Call Site
00 eModel!wil::details::ReportFailure
01 eModel!wil::details::ReportFailure_Hr
02 eModel!wil::details::in1diag3::FailFast_Hr
03 eModel!SpartanCore::LayerOwner::ConnectToLayerStateSystem
0:112> r
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000007
rdx=0000004d31b8421c rsi=000000000000331c rdi=0000000000000004
rip=00007ffffdb82513 rsp=0000004d32c4bff0 rbp=000000000000331c
r8=0000000000000003 r9=0000004d31b8421c r10=0000004d31b841a8
r11=0000004d32c4bf60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
eModel!wil::details::ReportFailure+0xab:
00007fff`fdb82513 cd29 int 29h
September 29th, 2018 at 2:43 pm
Another example is insufficient memory in Edge:
0f 00000037`4671e030 00007ffe`179cdd4e Chakra!OutOfMemory_fatal_error+0x23
10 00000037`4671e070 00007ffe`177b5450 Chakra!Js::Exception::RaiseIfScriptActive+0x3a
11 00000037`4671e0a0 00007ffe`1783754d Chakra!Js::Throw::OutOfMemory+0x10
12 00000037`4671e0e0 00007ffe`1776ec2d Chakra!Memory::Recycler::LargeAlloc<0>+0xc85c5
October 23rd, 2019 at 9:52 pm
Dynamic Memory Corruption may result in Self-Diagnosis too:
0:001> kc
# Call Site
00 ntdll!NtWaitForMultipleObjects
01 ntdll!WerpWaitForCrashReporting
02 ntdll!RtlReportExceptionHelper
03 ntdll!RtlReportException
04 ntdll!RtlReportFatalFailure$filt$0
05 ntdll!_C_specific_handler
06 ntdll!RtlpExecuteHandlerForException
07 ntdll!RtlDispatchException
08 ntdll!RtlRaiseException
09 ntdll!RtlReportFatalFailure
0a ntdll!RtlReportCriticalFailure
0b ntdll!RtlpHeapHandleError
0c ntdll!RtlpHpHeapHandleError
0d ntdll!RtlpLogHeapFailure
0e ntdll!RtlpAnalyzeHeapFailure
0f ntdll!RtlpFreeHeap
10 ntdll!RtlpFreeHeapInternal
11 ntdll!RtlFreeHeap
12 AppL!_free_base
13 AppL!thread_two
14 AppL!thread_start
15 kernel32!BaseThreadInitThunk
16 ntdll!RtlUserThreadStart
0:001> .exr -1
ExceptionAddress: 00007ffefd339269 (ntdll!RtlReportFatalFailure+0x0000000000000009)
ExceptionCode: c0000374
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00007ffefd3a27f0
0:001> !error c0000374
Error code: (NTSTATUS) 0xc0000374 (3221226356) - A heap has been corrupted.
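The post and its comments show several runtime-generated signatures of Self-Diagnosis (the /GS buffer-overrun dialog, CRT abort(), WIL ReportFailure / fail-fast with c0000409, Chakra out-of-memory, and the NT heap's c0000374 report). As an added triage helper that is not part of the original post or its comments, the script below scans raw WinDbg kc/kv/.exr text for those signatures; the code mappings and frame names are taken from the examples above, the sample input is a constructed cut-down copy of the Windows 8 fail-fast example, and the single mapped fail-fast subcode is an assumption limited to the value the page shows.

```python
import re

# Added triage helper, not from the original post: flags the Self-Diagnosis
# signatures shown in the post and its comments in raw WinDbg kc/kv/.exr text.
SELF_DIAG_CODES = {  # NTSTATUS codes raised by the runtime itself
    "c0000409": "security check failure / stack buffer overrun (int 29h)",
    "c0000374": "heap corruption reported by the NT heap",
}
FAST_FAIL_SUBCODES = {0x7: "FAST_FAIL_FATAL_APP_EXIT"}  # c0000409 Parameter[0]
SELF_DIAG_FRAMES = [  # frames naming the component that diagnosed the failure
    (r"!abort\b", "CRT abort()"),
    (r"wil::details::ReportFailure", "WIL ReportFailure / FailFast"),
    (r"RtlReportFatalFailure|RtlpHeapHandleError", "NT heap error report"),
    (r"OutOfMemory_fatal_error", "Chakra out-of-memory fatal error"),
    (r"MessageBox(Ex|Timeout)?[AW]\b", "message box: dump its text with da"),
]


def classify(dbg_output):
    """Return findings for one thread's debugger output; empty list if none."""
    findings = []
    m = re.search(r"ExceptionCode:\s*([0-9a-fA-F]{8})", dbg_output)
    if m and m.group(1).lower() in SELF_DIAG_CODES:
        code = m.group(1).lower()
        desc = SELF_DIAG_CODES[code]
        if code == "c0000409":  # subcode lives in Parameter[0], as .exr shows
            p = re.search(r"Parameter\[0\]:\s*([0-9a-fA-F]+)", dbg_output)
            if p:
                sub = int(p.group(1), 16)
                desc += ", subcode 0x%x %s" % (sub, FAST_FAIL_SUBCODES.get(sub, "unknown"))
        findings.append("exception %s: %s" % (code, desc))
    lines = dbg_output.splitlines()
    for pattern, label in SELF_DIAG_FRAMES:  # report first frame per signature
        for line in lines:
            if re.search(pattern, line):
                findings.append("frame %s: %s" % (line.split()[-1], label))
                break
    if "Buffer overrun detected!" in dbg_output:  # the /GS dialog text dumped by da
        findings.append("message: Visual C++ runtime buffer overrun (/GS) dialog")
    return findings


# Constructed sample: cut-down copy of the Windows 8 fail-fast example above
SAMPLE = """0:112> .exr -1
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
Parameter[0]: 0000000000000007
0:112> kc 4
00 eModel!wil::details::ReportFailure
01 eModel!wil::details::ReportFailure_Hr
02 eModel!wil::details::in1diag3::FailFast_Hr
"""
```

Feed `classify()` the text of `.exr -1` followed by `kc` or `kv` for the faulting thread; an empty result means none of the page's self-diagnosis signatures are present and the crash needs ordinary exception analysis.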