Crash Dump Analysis Patterns (Part 170)
Thursday, April 5th, 2012
An address space-wide search for errors and status codes may show the Coincidental Error Code pattern:
0:000> !heap -x -v c0000005
Search VM for address range c0000005 - c0000005 : 028690b8 (c0000005), [...]
0:000> dd 028690b8 l1
028690b8 c0000005
In such cases we need to check whether the addresses belong to volatile regions such as the stack, because such values can also occur as legitimate code and image data:
0:000> !address 028690b8
Usage: Image
Allocation Base: 02700000
Base Address: 02869000
End Address: 02874000
Region Size: 0000b000
Type: 01000000 MEM_IMAGE
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
More info: lmv m ModuleA
More info: !lmi ModuleA
More info: ln 0x28690b8
0:000> u 028690b8
ModuleA!ComputeB:
028690b8 050000c000 add eax,0C00000h
[...]
Another example:
0:000> !heap -x -v c0000005
Search VM for address range 00000000c0000005 - 00000000c0000005 : 7feff63ab60 (c0000005),
0:000> !address 7feff63ab60
Usage: Image
Allocation Base: 000007fe`ff460000
Base Address: 000007fe`ff635000
End Address: 000007fe`ff63c000
Region Size: 00000000`00007000
Type: 01000000 MEM_IMAGE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
More info: lmv m ole32
More info: !lmi ole32
More info: ln 0x7feff63ab60
0:000> dp 7feff63ab60
000007fe`ff63ab60 00000000`c0000005 c0000194`00000001
000007fe`ff63ab70 00000001`00000000 00000000`c00000aa
000007fe`ff63ab80 80000002`00000001 00000001`00000000
000007fe`ff63ab90 00000000`c0000096 c000001d`00000001
000007fe`ff63aba0 00000001`00000000 00000000`80000003
000007fe`ff63abb0 c00000fd`00000001 00000001`00000000
000007fe`ff63abc0 00000000`c0000235 c0000006`00000001
000007fe`ff63abd0 00000001`00000000 00000000`c0000420
In the latter case the data structure suggests a table of errors:
0:000> ln 7feff63ab60
(000007fe`ff63ab60) ole32!gReportedExceptions
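The region check described above can be scripted over saved debugger output. The following is an added example, not part of the original post: it parses a search result line and the `!address` text for each hit and separates image hits from volatile ones. The function names, the second hit (0012f9a4) with its Stack region, and the choice to treat Heap as volatile alongside Stack are assumptions of this example.

```python
import re

# Usage values treated as volatile in this example (an assumption, extend as needed).
VOLATILE_USAGE = {"Stack", "Heap"}

def parse_hits(search_line):
    """Extract hit addresses from a '!heap -x -v <value>' result line."""
    _, _, tail = search_line.partition(" : ")
    return [int(addr.replace("`", ""), 16)
            for addr, _value in re.findall(r"([0-9a-f`]+)\s+\(([0-9a-f]+)\)", tail)]

def parse_address_output(text):
    """Collect the 'Key: value' lines of !address output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() != "More info":
            fields[key.strip()] = value.strip()
    return fields

def triage_hit(address_output):
    """Classify one hit by the region that !address reports for it."""
    f = parse_address_output(address_output)
    if f.get("Usage") in VOLATILE_USAGE:
        return "volatile: inspect as a possible real error value"
    if f.get("Usage") == "Image" or "MEM_IMAGE" in f.get("Type", ""):
        return "image: likely coincidental, confirm with u / ln"
    return "unknown: inspect manually"

def triage_all(search_line, regions):
    """Map every hit in the search line to its verdict."""
    return {hex(a): triage_hit(regions[a]) for a in parse_hits(search_line)}

# Constructed sample input: the first hit and its region come from the session
# above, the second hit and its Stack region are made up for contrast.
SEARCH_LINE = ("Search VM for address range c0000005 - c0000005 : "
               "028690b8 (c0000005), 0012f9a4 (c0000005),")
REGIONS = {
    0x028690B8: "Usage: Image\nType: 01000000 MEM_IMAGE\n"
                "Protect: 00000002 PAGE_READONLY\nMore info: lmv m ModuleA",
    0x0012F9A4: "Usage: Stack\nType: 00020000 MEM_PRIVATE\n"
                "Protect: 00000004 PAGE_READWRITE",
}

if __name__ == "__main__":
    for addr, verdict in triage_all(SEARCH_LINE, REGIONS).items():
        print(addr, verdict)
```

An image verdict is only a hint: a writable image region such as the ole32 table above still needs `ln` or `u` to confirm what the value belongs to.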
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -