« Trace Analysis Patterns (Part 101)
Trace Analysis Patterns (Part 102) »

Crash Dump Analysis Patterns (Part 222)

Software Exception is added for completeness of pattern discourse. We mentioned it a few times before, for example, in Activation Context, Exception Module, Missing Component (static linkage), Self-Dump, Stack Overflow (software implementation), and Translated Exception patterns. Typical example of software exceptions is C++ Exception pattern.

Software exceptions, such as not enough memory, are different from the so-called hardware exceptions by being predictable, synchronous, and detected by software code itself. Hardware exceptions such as divide by zero, access violation, and memory protection, on the contrary, are unpredictable, and detected by hardware. Of course, it is possible to do some checks before code execution, and then throw a software exception or some diagnostic message for a would be hardware exception. See, for example, Self-Diagnosis pattern for user mode and its corresponding equivalent for kernel mode.

In Windows memory dumps we may see RaiseException call in user space stack trace, such as from Data Correlation pattern example:

0:000> kL
ChildEBP RetAddr
0012e950 78158e89 kernel32!RaiseException+0×53
0012e988 7830770c msvcr80!_CxxThrowException+0×46
0012e99c 783095bc mfc80u!AfxThrowMemoryException+0×19
0012e9b4 02afa8ca mfc80u!operator new+0×27
0012e9c8 02b0992f ModuleA!std::_Allocate<…>+0×1a
0012e9e0 02b09e7c ModuleA!std::vector >::vector >+0×3f
[…]

When looking for Multiple or Hidden Exceptions we may also want to check for such calls.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Saturday, February 28th, 2015 at 4:50 pm and is filed under Crash Dump Analysis, Crash Dump Patterns, Debugging. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Crash Dump Analysis Patterns (Part 222)”

  1. Dmitry Vostokov Says:
    July 3rd, 2016 at 9:41 am

    0:008> kc
    #
    00 combase!RoFailFastWithErrorContextInternal2
    01 combase!RoFailFastWithErrorContextInternal
    02 Windows_UI_Xaml!DirectUI::ErrorHelper::ProcessUnhandledError
    03 Windows_UI_Xaml!DirectUI::FinalUnhandledErrorDetectedRegistration::OnFinalUnhandledErrorDetected
    04 Windows_UI_Xaml!Microsoft::WRL::Details::InvokeHelper, Windows::Foundation::IEventHandler, Microsoft::WRL::FtmBase,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil, Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil, Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil, Microsoft::WRL::Details::Nil>,long (__stdcall*)(IInspectable *,Windows::ApplicationModel::Core::IUnhandledErrorDetectedEventArgs *),2>::Invoke
    05 twinapi_appcore!Windows::Internal::Details::GitInvokeHelper    ,Windows::Internal::GitPtr,2>::Invoke
    06 twinapi_appcore!Windows::ApplicationModel::Core::UnhandledErrorInvokeHelper::Invoke
    07 twinapi_appcore!Microsoft::WRL::InvokeTraits<2>::InvokeDelegates< ,Windows::Foundation::IEventHandler     >
    08 twinapi_appcore!Microsoft::WRL::EventSource    ,Microsoft::WRL::InvokeModeOptions<2> >::DoInvoke< >
    09 twinapi_appcore!Windows::ApplicationModel::Core::CoreApplication::ForwardLocalError
    0a twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationFactory::ForwardLocalError
    0b combase!CallErrorForwarder
    0c combase!RoReportFailedDelegate
    0d twinapi_appcore!`wil::ErrorHandlingHelpers::Instance’::`2′::`dynamic atexit destructor for ‘wrapper”
    0e twinapi_appcore!Microsoft::WRL::EventSource    ,Microsoft::WRL::InvokeModeOptions< -2> >::DoInvoke< >
    0f twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::Activate
    10 rpcrt4!Invoke
    11 rpcrt4!NdrStubCall2
    12 combase!CStdStubBuffer_Invoke
    13 rpcrt4!CStdStubBuffer_Invoke
    14 combase!InvokeStubWithExceptionPolicyAndTracing::__l7::::operator()
    15 combase!ObjectMethodExceptionHandlingAction< >
    16 combase!InvokeStubWithExceptionPolicyAndTracing
    17 combase!DefaultStubInvoke
    18 combase!SyncStubCall::Invoke
    19 combase!SyncServerCall::StubInvoke
    1a combase!StubInvoke
    1b combase!ServerCall::ContextInvoke
    1c combase!CServerChannel::ContextInvoke
    1d combase!DefaultInvokeInApartment
    1e combase!ASTAInvokeInApartment
    1f combase!AppInvoke
    20 combase!ComInvokeWithLockAndIPID
    21 combase!ComInvoke
    22 combase!ThreadDispatch
    23 combase!CComApartment::ASTAHandleMessage
    24 combase!ASTAWaitContext::Wait
    25 combase!ASTAWaitInNewContext
    26 combase!ASTAThreadWaitForHandles
    27 combase!CoWaitForMultipleHandles
    28 twinapi_appcore!CTSimpleArray,CSimpleArrayStandardCompareHelper,CSimpleArrayStandardMergeHelper >::RemoveAt
    29 SHCore!CTSimpleArray,4294967294,CTPolicyCoTaskMem >,CSimpleArrayStandardCompareHelper >,CSimpleArrayStandardMergeHelper > >::_Add const &>
    2a kernel32!BaseThreadInitThunk
    2b ntdll!__RtlUserThreadStart
    2c ntdll!_RtlUserThreadStart

    0:008> !error c000027b
    Error code: (NTSTATUS) 0xc000027b (3221226107) - An application-internal exception has occurred.

  2. Dmitry Vostokov Says:
    September 7th, 2016 at 8:44 pm

    The above comment is for stowed exceptions which were collected and then enveloped by internal software exception, see Multiple Exceptions (stowed) analysis pattern for additional references.

  3. Dmitry Vostokov Says:
    February 1st, 2021 at 9:14 am

    COM Exception:
    https://www.dumpanalysis.org/blog/index.php/2021/01/31/crash-dump-analysis-patterns-part-274/

Leave a Reply

You must be logged in to post a comment.