Crash Dump Analysis Patterns (Part 84b)
JIT compiling is not restricted to .NET on Windows, so we decided to add a Java variant of the JIT Code (.NET) analysis pattern. Here’s one thread example from a java.exe process memory dump:
0:071> k
# ChildEBP RetAddr
00 536cf424 770c15ce ntdll!NtWaitForSingleObject+0x15
01 536cf490 76f31194 KERNELBASE!WaitForSingleObjectEx+0x98
02 536cf4a8 76f31148 kernel32!WaitForSingleObjectExImplementation+0x75
03 536cf4bc 59207cb3 kernel32!WaitForSingleObject+0x12
WARNING: Stack unwind information not available. Following frames may be wrong.
04 536cf4e4 5918dbb1 jvm!JVM_FindSignal+0x5833
05 536cf558 03b6db25 jvm!JVM_Clone+0x30161
06 536cf588 03c4b0f4 0x3b6db25
07 536cf690 0348339a 0x3c4b0f4
08 536cf7d8 034803d7 0x348339a
09 536cf7e4 591a0732 0x34803d7
0a 536cf870 75bb9cde jvm!JVM_Clone+0x42ce2
0b 536cf87c 5926529e msvcrt!_VEC_memzero+0x82
0c 536cf8c4 591a1035 jvm!JVM_FindSignal+0x62e1e
0d 536cf908 591a1097 jvm!JVM_Clone+0x435e5
0e 536cf978 5914c49f jvm!JVM_Clone+0x43647
0f 536cf9d4 591c22dc jvm!jio_printf+0xaf
10 536cfa20 591c2d37 jvm!JVM_Clone+0x6488c
11 536cfa58 592071e9 jvm!JVM_Clone+0x652e7
12 536cfc98 5d34c556 jvm!JVM_FindSignal+0x4d69
13 536cfcd0 5d34c600 msvcr100!_endthreadex+0x3f
14 536cfcdc 76f3338a msvcr100!_endthreadex+0xce
15 536cfce8 77829902 kernel32!BaseThreadInitThunk+0xe
16 536cfd28 778298d5 ntdll!__RtlUserThreadStart+0x70
17 536cfd40 00000000 ntdll!_RtlUserThreadStart+0x1b
Disassembling backwards from each unresolved address shows that these return addresses are indeed return addresses saved on the stack by the immediately preceding call instruction:
0:071> ub 03b6db25
03b6db03 50 push eax
03b6db04 57 push edi
03b6db05 e876586455 call jvm!JVM_Clone+0x55930 (591b3380)
03b6db0a 83c408 add esp,8
03b6db0d 8d9730010000 lea edx,[edi+130h]
03b6db13 891424 mov dword ptr [esp],edx
03b6db16 c7876c01000004000000 mov dword ptr [edi+16Ch],4
03b6db20 e8dbff6155 call jvm!JVM_Clone+0x300b0 (5918db00)
0:071> ub 03c4b0f4
03c4b0cd 891c24 mov dword ptr [esp],ebx
03c4b0d0 894c2404 mov dword ptr [esp+4],ecx
03c4b0d4 899c2480000000 mov dword ptr [esp+80h],ebx
03c4b0db 898c2484000000 mov dword ptr [esp+84h],ecx
03c4b0e2 b928b0b91a mov ecx,1AB9B028h
03c4b0e7 89bc248c000000 mov dword ptr [esp+8Ch],edi
03c4b0ee 90 nop
03c4b0ef e8ac29f2ff call 03b6daa0
0:071> ub 034803d7
034803c6 89049c mov dword ptr [esp+ebx*4],eax
034803c9 43 inc ebx
034803ca 49 dec ecx
034803cb 75f5 jne 034803c2
034803cd 8b5d14 mov ebx,dword ptr [ebp+14h]
034803d0 8b4518 mov eax,dword ptr [ebp+18h]
034803d3 8bf4 mov esi,esp
034803d5 ffd0 call eax
0:071> ub 591a0732
jvm!JVM_Clone+0x42ccc:
591a071c 57 push edi
591a071d 89461c mov dword ptr [esi+1Ch],eax
591a0720 e8ab110000 call jvm!JVM_Clone+0x43e80 (591a18d0)
591a0725 6a08 push 8
591a0727 6a06 push 6
591a0729 57 push edi
591a072a 894514 mov dword ptr [ebp+14h],eax
591a072d e86e9af2ff call jvm+0x6a1a0 (590ca1a0)
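The same check can be automated: pick the return addresses that WinDbg printed as bare hex and confirm that the bytes just before each one decode to a call. The script below is an added example, not part of the original post; its `k` snippet and memory map are constructed from the listings above (the bytes for 0348339a are not shown in the post, so that address stays unverified), and the function names are assumptions.

```python
import re

# Constructed sample from the post's `k` output; a frame's symbol column is the
# symbolized RetAddr of the frame above it, so bare hex there means the return
# address landed in unsymbolized (JIT-compiled) code.
K_OUTPUT = """\
05 536cf558 03b6db25 jvm!JVM_Clone+0x30161
06 536cf588 03c4b0f4 0x3b6db25
07 536cf690 0348339a 0x3c4b0f4
08 536cf7d8 034803d7 0x348339a
09 536cf7e4 591a0732 0x34803d7
"""

# Constructed memory map: only the last instruction before each return address
# that the post's `ub` listings show.
CODE = {
    0x03b6db20: bytes.fromhex("e8dbff6155"),  # call 5918db00
    0x03c4b0ef: bytes.fromhex("e8ac29f2ff"),  # call 03b6daa0
    0x034803d5: bytes.fromhex("ffd0"),        # call eax
    0x591a072d: bytes.fromhex("e86e9af2ff"),  # call 590ca1a0
}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FRAME = re.compile(r"^[0-9a-f]{2}\s+[0-9a-f]{8}\s+([0-9a-f]{8})\s+(\S+)")

def read(mem, addr, n):
    """Fetch n bytes at addr from the memory map; None if not mapped."""
    for base, data in mem.items():
        if base <= addr and addr + n <= base + len(data):
            return data[addr - base:addr - base + n]
    return None

def classify_return_address(mem, ret):
    """A genuine return address follows a call. Decode the two x86 forms in
    the post: E8 rel32 (target = ret + rel) and FF /2 with a register operand
    such as 'call eax'. Returns (kind, target) or (None, None) if unverified."""
    b = read(mem, ret - 5, 5)
    if b and b[0] == 0xE8:
        rel = int.from_bytes(b[1:], "little", signed=True)
        return "call rel32", (ret + rel) & 0xFFFFFFFF
    b = read(mem, ret - 2, 2)
    if b and b[0] == 0xFF and b[1] >> 6 == 3 and (b[1] >> 3) & 7 == 2:
        return "call " + REGS[b[1] & 7], None  # indirect: target unknown statically
    return None, None

def unresolved_return_addresses(k_output):
    """Return addresses WinDbg printed as bare hex in the symbol column."""
    return [int(m.group(2), 16) for m in map(FRAME.match, k_output.splitlines())
            if m and re.fullmatch(r"0x[0-9a-f]+", m.group(2))]

def verify_stack(k_output, mem):
    return {r: classify_return_address(mem, r) for r in unresolved_return_addresses(k_output)}
```

A frame that comes back as (None, None) is either outside the captured memory or not preceded by a call, which is the case to treat with suspicion under the "Following frames may be wrong" warning.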
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -