Crash Dump Analysis Patterns (Part 112)

When I started getting several process memory dumps with very similar crash dispositions I decided to factor them into a separate pattern called Problem Exception Handler. This usually happens with custom exception handlers that are not written according to prescribed rules (for example, a handler for a non-continuable exception) or that have other defects common to normal code.

In the example below we have a different stack trace epilogue for a similar issue that shows a relationship with a custom exception handler:

0:000> kv 1000
ChildEBP RetAddr  Args to Child
0003300c 77af9904 77b8929c 792ea99b 00000000 ntdll!RtlAcquireSRWLockShared+0x1a
00033058 77af9867 00406ef8 00033098 000330a0 ntdll!RtlLookupFunctionTable+0x2a
000330a8 77af97f9 00406ef8 00000000 00000000 ntdll!RtlIsValidHandler+0x26
00033128 77b25dd7 01033140 00033154 00033140 ntdll!RtlDispatchException+0x10b
00033128 77b40726 01033140 00033154 00033140 ntdll!KiUserExceptionDispatcher+0xf (CONTEXT @ 00033154)
00033490 77b25dd7 010334a8 000334bc 000334a8 ntdll!RtlDispatchException+0x18a
00033490 77b40726 010334a8 000334bc 000334a8 ntdll!KiUserExceptionDispatcher+0xf (CONTEXT @ 000334bc)
000337f8 77b25dd7 01033810 00033824 00033810 ntdll!RtlDispatchException+0x18a
[…]
0012f228 77b40726 0112f240 0012f254 0012f240 ntdll!KiUserExceptionDispatcher+0xf (CONTEXT @ 0012f254)
0012f590 77b25dd7 0112f5a8 0012f5d8 0112f5a8 ntdll!RtlDispatchException+0x18a
0012f590 768bfbae 0112f5a8 0012f5d8 0112f5a8 ntdll!KiUserExceptionDispatcher+0xf (CONTEXT @ 0012f5d8)
0012f8f4 0059ecad 0eedfade 00000001 00000007 kernel32!RaiseException+0x58
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f918 00473599 0eedfade 00000001 00000007 Application+0x19ecad
[…]
0012ff88 768cd0e9 7ffdf000 0012ffd4 77b019bb Application+0x70f8
0012ff94 77b019bb 7ffdf000 793f6617 00000000 kernel32!BaseThreadInitThunk+0xe
0012ffd4 77b0198e 011263c0 7ffdf000 ffffffff ntdll!__RtlUserThreadStart+0x23
0012ffec 00000000 011263c0 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> !exchain
00033048: ntdll!_except_handler4+0 (77ac99fa)
0012ff78: Application+6ef8 (00406ef8)
0012ffc4: ntdll!_except_handler4+0 (77ac99fa)
0012ffe4: ntdll!FinalExceptionHandler+0 (77b66f9b)
Invalid exception stack at ffffffff

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

One Response to “Crash Dump Analysis Patterns (Part 112)”

  1. Dmitry Vostokov Says:

    The exception handler may belong to an unloaded module causing stack overflow:

    [...]
    00000000`018cd4e0 00000000`772b96c5 ntdll!RtlpCallVectoredHandlers+0xac
    00000000`018cd550 00000000`772c722a ntdll!RtlDispatchException+0x25
    00000000`018cdbf0 000007fe`f992acc0 ntdll!KiUserExceptionDispatcher+0x2e
    00000000`018ce188 00000000`772a38bb <Unloaded_ModuleA.dll>+0x3acc0
    00000000`018ce190 00000000`772b96c5 ntdll!RtlpCallVectoredHandlers+0xac
    00000000`018ce200 00000000`772c722a ntdll!RtlDispatchException+0x25
    00000000`018ce8a0 00000000`772b3738 ntdll!KiUserExceptionDispatcher+0x2e
    00000000`018cee40 00000000`772b3c64 ntdll!LdrpSearchResourceSection_U+0x16e
    00000000`018cef70 00000000`7716e8b0 ntdll!LdrFindResource_U+0x44
    00000000`018cefb0 00000000`6eadac42 kernel32!FindResourceExW+0x84
    [...]
    00000000`018cfef0 00000000`772a6991 kernel32!BaseThreadInitThunk+0xd
    00000000`018cff20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
