Crash Dump Analysis Patterns (Part 274)

COM Exceptions are Software Exceptions and their information can be extracted from C++ Exception record as shown in this post. Here we show the case of Nested and Hidden Exceptions.

We see a COM exception raising function on Exception Stack Trace:

0:008> .exr -1
ExceptionAddress: 00007ff97800cadf (ntdll!LdrpICallHandler+0x000000000000000f)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000000a
Subcode: 0xa FAST_FAIL_GUARD_ICALL_CHECK_FAILURE

0:008> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP          RetAddr           Call Site
00 0000009e`393f9e78 00007ff9`7802184f ntdll!LdrpICallHandler+0xf
01 0000009e`393f9e80 00007ff9`77fea889 ntdll!RtlpExecuteHandlerForException+0xf
02 0000009e`393f9eb0 00007ff9`780204be ntdll!RtlDispatchException+0x219
03 0000009e`393fa5c0 00007ff9`7800cb9e ntdll!KiUserExceptionDispatch+0x2e
04 0000009e`393fad78 00007ff9`72591030 ntdll!LdrpDispatchUserCallTarget+0xe
05 0000009e`393fad80 00007ff9`72594a52 VCRUNTIME140_APP!_CallSettingFrame+0x20
06 0000009e`393fadb0 00007ff9`7259e514 VCRUNTIME140_APP!__FrameHandler3::FrameUnwindToState+0x112
07 0000009e`393fae20 00007ff9`72593cc8 VCRUNTIME140_APP!__FrameHandler3::FrameUnwindToEmptyState+0x54
08 0000009e`393fae50 00007ff9`7259ee51 VCRUNTIME140_APP!__InternalCxxFrameHandler<__FrameHandler3>+0x10c
09 0000009e`393faeb0 00007ff8`f83ea850 VCRUNTIME140_APP!__CxxFrameHandler3+0x71
0a 0000009e`393faf00 00007ff9`780218cf PaintStudio_ViewModel!DllGetActivationFactory+0x100
0b 0000009e`393faf30 00007ff9`77f9d9b2 ntdll!RtlpExecuteHandlerForUnwind+0xf
0c 0000009e`393faf60 00007ff9`7259e9de ntdll!RtlUnwindEx+0x522
0d 0000009e`393fb670 00007ff9`72592955 VCRUNTIME140_APP!__FrameHandler3::UnwindNestedFrames+0xee
0e 0000009e`393fb760 00007ff9`72592d81 VCRUNTIME140_APP!CatchIt<__FrameHandler3>+0xb9
0f 0000009e`393fb800 00007ff9`72593dc4 VCRUNTIME140_APP!FindHandler<__FrameHandler3>+0x33d
10 0000009e`393fb970 00007ff9`7259ee51 VCRUNTIME140_APP!__InternalCxxFrameHandler<__FrameHandler3>+0x208
11 0000009e`393fb9d0 00007ff9`7802184f VCRUNTIME140_APP!__CxxFrameHandler3+0x71
12 0000009e`393fba20 00007ff9`77fea889 ntdll!RtlpExecuteHandlerForException+0xf
13 0000009e`393fba50 00007ff9`77fea643 ntdll!RtlDispatchException+0x219
14 0000009e`393fc160 00007ff9`759d3b29 ntdll!RtlRaiseException+0×153
15 0000009e`393fc9d0 00007ff9`72596220 KERNELBASE!RaiseException+0×69
16 0000009e`393fcab0 00007ff9`4919a58c VCRUNTIME140_APP!_CxxThrowException+0×90
17 0000009e`393fcb10 00007ff8`f8057628 vccorlib140_app!__abi_WinRTraiseCOMException+0×2c
18 0000009e`393fcb40 00007ff8`f8093e81 PaintStudio_ViewModel+0×7628
19 0000009e`393fcb70 00007ff8`f818f27f PaintStudio_ViewModel+0×43e81
1a 0000009e`393fcbc0 00007ff8`f818c26f PaintStudio_ViewModel+0×13f27f
1b 0000009e`393fcc90 00007ff8`f811935a PaintStudio_ViewModel+0×13c26f
1c 0000009e`393fcd40 00007ff8`f827ce8e PaintStudio_ViewModel+0xc935a
1d 0000009e`393fd110 00007ff8`f82723ab PaintStudio_ViewModel+0×22ce8e
1e 0000009e`393fd5c0 00007ff8`f83bf09d PaintStudio_ViewModel+0×2223ab
1f 0000009e`393fd7b0 00007ff8`f83c16bd PaintStudio_ViewModel+0×36f09d
20 0000009e`393fdc60 00007ff8`f80e1331 PaintStudio_ViewModel+0×3716bd
21 0000009e`393fdd10 00007ff7`2030d3b9 PaintStudio_ViewModel+0×91331
22 0000009e`393fdd50 00007ff7`202f772f PaintStudio_View+0×2d3b9
23 0000009e`393fddb0 00007ff7`202f702b PaintStudio_View+0×1772f
24 0000009e`393fdee0 00007ff7`202f520e PaintStudio_View+0×1702b
25 0000009e`393fe010 00007ff7`203266d6 PaintStudio_View+0×1520e
26 0000009e`393fe100 00007ff9`4af9d25b PaintStudio_View+0×466d6
27 0000009e`393fe140 00007ff9`4af9d1ce Windows_UI_Xaml!DirectUI::FrameworkApplicationGenerated:: OnActivatedProtected+0×4b
28 0000009e`393fe170 00007ff9`4af9ebe6 Windows_UI_Xaml!DirectUI::FrameworkApplication::DispatchGenericActivation+0×4a
29 0000009e`393fe1a0 00007ff9`4aeb39eb Windows_UI_Xaml!DirectUI::FrameworkView::OnActivated+0×186
2a (Inline Function) ——–`——– Windows_UI_Xaml!Microsoft::WRL::Callback::__l2::<lambda_772c64e6f5ddba6f719dbbabda2a0901>::operator()+0×15
2b 0000009e`393fe220 00007ff9`72cd55cf Windows_UI_Xaml!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::Foundation:: ITypedEventHandler_impl<Windows::Foundation::Internal:: AggregateType<Windows::UI::Core::CoreWindow *,Windows::UI::Core::ICoreWindow *>,IInspectable *>::*)(Windows::UI::Core::ICoreWindow *,IInspectable *)>::DelegateInvokeHelper<Windows::Foundation:: ITypedEventHandler<Windows::UI::Core::CoreWindow *,IInspectable *>,<lambda_772c64e6f5ddba6f719dbbabda2a0901>,-1,Windows::UI::Core::ICoreWindow *,IInspectable *>::Invoke+0×1b
2c 0000009e`393fe250 00007ff9`72cd8a22 twinapi_appcore!Microsoft::WRL::InvokeTraits<-2>:: InvokeDelegates<<lambda_3ad0adb09957fd62cbc86618ebbeb8fa>,Windows::Foundation:: ITypedEventHandler<Windows::ApplicationModel::Core::CoreApplicationView *,Windows::ApplicationModel::Activation::IActivatedEventArgs *> >+0×67
2d 0000009e`393fe2c0 00007ff9`76cb6a63 twinapi_appcore!Windows::ApplicationModel::Core:: CoreApplicationView::Activate+0×3d2
2e 0000009e`393fe430 00007ff9`76d1a036 rpcrt4!Invoke+0×73
2f 0000009e`393fe490 00007ff9`76c783b9 rpcrt4!Ndr64StubWorker+0xb56
30 0000009e`393feb30 00007ff9`76fd5d13 rpcrt4!NdrStubCall3+0xc9
31 0000009e`393feb90 00007ff9`76c99bab combase!CStdStubBuffer_Invoke+0×73
32 0000009e`393febd0 00007ff9`76fbd0e3 rpcrt4!CStdStubBuffer_Invoke+0×3b
33 (Inline Function) ——–`——– combase!InvokeStubWithExceptionPolicyAndTracing::__l6:: <lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0×18
34 0000009e`393fec00 00007ff9`76fbced3 combase!ObjectMethodExceptionHandlingAction< <lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0×43
35 (Inline Function) ——–`——– combase!InvokeStubWithExceptionPolicyAndTracing+0xa8
36 0000009e`393fec60 00007ff9`76fd9556 combase!DefaultStubInvoke+0×1c3
37 (Inline Function) ——–`——– combase!SyncStubCall::Invoke+0×22
38 0000009e`393fedb0 00007ff9`76fba4fa combase!SyncServerCall::StubInvoke+0×26
39 (Inline Function) ——–`——– combase!StubInvoke+0×259
3a 0000009e`393fedf0 00007ff9`76fda81b combase!ServerCall::ContextInvoke+0×42a
3b (Inline Function) ——–`——– combase!CServerChannel::ContextInvoke+0xc0
3c (Inline Function) ——–`——– combase!DefaultInvokeInApartment+0xc0
3d 0000009e`393ff1f0 00007ff9`76f701ac combase!ASTAInvokeInApartment+0×15b
3e 0000009e`393ff400 00007ff9`76f70a11 combase!AppInvoke+0×1ec
3f 0000009e`393ff490 00007ff9`76f918c2 combase!ComInvokeWithLockAndIPID+0×681
40 (Inline Function) ——–`——– combase!ComInvoke+0×1c1
41 0000009e`393ff7c0 00007ff9`76f90a99 combase!ThreadDispatch+0×272
42 0000009e`393ff890 00007ff9`76f947ba combase!ModernSTAState::HandleMessage+0×51
43 0000009e`393ff8e0 00007ff9`4eac92f5 combase!ModernSTAWaitContext::HandlePriorityEventsFromMessagePump+0×66
44 0000009e`393ff910 00007ff9`4eac8fee Windows_UI!Windows::UI::Core::CDispatcher::ProcessMessage+0×1b5
45 0000009e`393ff9c0 00007ff9`4eac8f21 Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessagesInternal+0xae
46 0000009e`393ffad0 00007ff9`72cea89f Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessages+0×31
47 0000009e`393ffb00 00007ff9`76eac235 twinapi_appcore!<lambda_643db08282a766b00cec20194396f531>::operator()+0xff
48 0000009e`393ffbf0 00007ff9`77aa7c24 SHCore!_WrapperThreadProc+0xf5
49 0000009e`393ffcd0 00007ff9`77fed4d1 kernel32!BaseThreadInitThunk+0×14
4a 0000009e`393ffd00 00000000`00000000 ntdll!RtlUserThreadStart+0×21

We dump doubly dereferenced raw stack region around such exception processing calls:

0:008> dpp 0000009e`393fc160 0000009e`393fcb70
[…]
0000009e`393fcb38 00007ff8`f8057628 cc003f4c`6115ffcc
0000009e`393fcb40 0000009e`393fcb88 0000009e`393fcb98
0000009e`393fcb48 000001e8`69af9450 00007ff9`491c6170 vccorlib140_app!Platform::COMException::`vftable’
0000009e`393fcb50 000001e8`69af9450 00007ff9`491c6170 vccorlib140_app!Platform::COMException::`vftable’
[…]

We see C++ Object references and apply object structure to them:

0:008> dt vccorlib140_app!Platform::COMException 000001e8`69af9450
+0×000 __VFN_table : 0×00007ff9`491c6170
+0×008 __VFN_table : 0×00007ff9`491c5bf8
+0×010 __VFN_table : 0×00007ff9`491c5e20
+0×018 __VFN_table : 0×00007ff9`491c5ec0
+0×020 __description    : 0×000001e8`5e1e30a8 Void
+0×028 __restrictedErrorString : 0×000001e8`5ba83728 Void

+0×030 __restrictedErrorReference : (null)
+0×038 __capabilitySid  : (null)
+0×040 __hresult        : 0n-2147024894
+0×048 __restrictedInfo : 0×000001e8`699f4308 Void
+0×050 __throwInfo      : 0×00007ff9`491baf60 Void
+0×058 __size           : 0×40
+0×060 __prepare        : Platform::IntPtr
+0×068 __abi_reference_count : __abi_FTMWeakRefData
+0×078 __abi_disposed   : 0
+0×080 __abi_disposed   : 0

0:008> du 0x000001e8`5e1e30a8
000001e8`5e1e30a8  "The system cannot find the file "
000001e8`5e1e30e8  "specified..."

0:008> du 0x000001e8`5ba83728
000001e8`5ba83728  "Error trying to initialize appli"
000001e8`5ba83768  "cation data storage folder"

0:008> !error 0n-2147024894
Error code: (HRESULT) 0x80070002 (2147942402) - The system cannot find the file specified.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Comments are closed.