Crash Dump Analysis Patterns (Part 287)
Sunday, February 11th, 2024
Sometimes, when looking at Stack Traces or the disassembly of the currently executing code, we may see that continued execution would possibly (and sometimes definitely) generate an exception later on. For example, these sequences of recursive calls from sequential memory snapshots, which have the same Constant Subtrace, may result in Stack Overflow:
0:000> kL
# ChildEBP RetAddr
00 00efeb60 771706c9 ntdll!NtDelayExecution+0xc
01 00efeb84 75fcd18f ntdll!RtlDelayExecution+0xe9
02 00efebec 75fcd12f KERNELBASE!SleepEx+0x4f
03 00efebfc 0014138e KERNELBASE!Sleep+0xf
04 00efec08 00141338 AppD9!ConnectDB+0xe
05 00efec10 0014121a AppD9!StartModeling+0x8
06 00efec70 75d32e53 AppD9!WndProc+0x7a
07 00efec9c 75d23c26 USER32!_InternalCallWinProc+0x2b
08 00efed94 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
09 00efee10 75d598f8 USER32!DispatchMessageWorker+0x4a5
0a 00efee58 75d59db3 USER32!DialogBox2+0x143
0b 00efee88 75d7ac60 USER32!InternalDialogBox+0xf3
0c 00efef54 75d799f6 USER32!SoftModalMessageBox+0x6f0
0d 00eff0b0 75d7a4f7 USER32!MessageBoxWorker+0x2fd
0e 00eff138 75d7a565 USER32!MessageBoxTimeoutW+0x187
0f 00eff158 00141371 USER32!MessageBoxW+0x45
10 00eff170 0014121a AppD9!StartModeling+0x41
11 00eff1d0 75d32e53 AppD9!WndProc+0x7a
12 00eff1fc 75d23c26 USER32!_InternalCallWinProc+0x2b
13 00eff2f4 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
14 00eff370 75d598f8 USER32!DispatchMessageWorker+0x4a5
15 00eff3b8 75d59db3 USER32!DialogBox2+0x143
16 00eff3e8 75d7ac60 USER32!InternalDialogBox+0xf3
17 00eff4b4 75d799f6 USER32!SoftModalMessageBox+0x6f0
18 00eff610 75d7a4f7 USER32!MessageBoxWorker+0x2fd
19 00eff698 75d7a565 USER32!MessageBoxTimeoutW+0x187
1a 00eff6b8 00141371 USER32!MessageBoxW+0x45
1b 00eff6d0 0014121a AppD9!StartModeling+0x41
1c 00eff730 75d32e53 AppD9!WndProc+0x7a
1d 00eff75c 75d23c26 USER32!_InternalCallWinProc+0x2b
1e 00eff854 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
1f 00eff8d0 75d598f8 USER32!DispatchMessageWorker+0x4a5
20 00eff918 75d59db3 USER32!DialogBox2+0x143
21 00eff948 75d7ac60 USER32!InternalDialogBox+0xf3
22 00effa14 75d799f6 USER32!SoftModalMessageBox+0x6f0
23 00effb70 75d7a4f7 USER32!MessageBoxWorker+0x2fd
24 00effbf8 75d7a565 USER32!MessageBoxTimeoutW+0x187
25 00effc18 00141371 USER32!MessageBoxW+0x45
26 00effc30 0014121a AppD9!StartModeling+0x41
27 00effc90 75d32e53 AppD9!WndProc+0x7a
28 00effcbc 75d23c26 USER32!_InternalCallWinProc+0x2b
29 00effdb4 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
2a 00effe30 75d22030 USER32!DispatchMessageWorker+0x4a5
2b 00effe3c 0014109d USER32!DispatchMessageW+0x10
2c 00effe68 0014155d AppD9!wWinMain+0x9d
2d (Inline) -------- AppD9!invoke_main+0x1a
2e 00effeb4 769a7ba9 AppD9!__scrt_common_main_seh+0xf8
2f 00effec4 7714bd2b KERNEL32!BaseThreadInitThunk+0x19
30 00efff1c 7714bcaf ntdll!__RtlUserThreadStart+0x2b
31 00efff2c 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> kL
# ChildEBP RetAddr
00 00efd5e0 771706c9 ntdll!NtDelayExecution+0xc
01 00efd604 75fcd18f ntdll!RtlDelayExecution+0xe9
02 00efd66c 75fcd12f KERNELBASE!SleepEx+0x4f
03 00efd67c 0014138e KERNELBASE!Sleep+0xf
04 00efd688 00141338 AppD9!ConnectDB+0xe
05 00efd690 0014121a AppD9!StartModeling+0x8
06 00efd6f0 75d32e53 AppD9!WndProc+0x7a
07 00efd71c 75d23c26 USER32!_InternalCallWinProc+0x2b
08 00efd814 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
09 00efd890 75d598f8 USER32!DispatchMessageWorker+0x4a5
0a 00efd8d8 75d59db3 USER32!DialogBox2+0x143
0b 00efd908 75d7ac60 USER32!InternalDialogBox+0xf3
0c 00efd9d4 75d799f6 USER32!SoftModalMessageBox+0x6f0
0d 00efdb30 75d7a4f7 USER32!MessageBoxWorker+0x2fd
0e 00efdbb8 75d7a565 USER32!MessageBoxTimeoutW+0x187
0f 00efdbd8 00141371 USER32!MessageBoxW+0x45
10 00efdbf0 0014121a AppD9!StartModeling+0x41
11 00efdc50 75d32e53 AppD9!WndProc+0x7a
12 00efdc7c 75d23c26 USER32!_InternalCallWinProc+0x2b
13 00efdd74 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
14 00efddf0 75d598f8 USER32!DispatchMessageWorker+0x4a5
15 00efde38 75d59db3 USER32!DialogBox2+0x143
16 00efde68 75d7ac60 USER32!InternalDialogBox+0xf3
17 00efdf34 75d799f6 USER32!SoftModalMessageBox+0x6f0
18 00efe090 75d7a4f7 USER32!MessageBoxWorker+0x2fd
19 00efe118 75d7a565 USER32!MessageBoxTimeoutW+0x187
1a 00efe138 00141371 USER32!MessageBoxW+0x45
1b 00efe150 0014121a AppD9!StartModeling+0x41
1c 00efe1b0 75d32e53 AppD9!WndProc+0x7a
1d 00efe1dc 75d23c26 USER32!_InternalCallWinProc+0x2b
1e 00efe2d4 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
1f 00efe350 75d598f8 USER32!DispatchMessageWorker+0x4a5
20 00efe398 75d59db3 USER32!DialogBox2+0x143
21 00efe3c8 75d7ac60 USER32!InternalDialogBox+0xf3
22 00efe494 75d799f6 USER32!SoftModalMessageBox+0x6f0
23 00efe5f0 75d7a4f7 USER32!MessageBoxWorker+0x2fd
24 00efe678 75d7a565 USER32!MessageBoxTimeoutW+0x187
25 00efe698 00141371 USER32!MessageBoxW+0x45
26 00efe6b0 0014121a AppD9!StartModeling+0x41
27 00efe710 75d32e53 AppD9!WndProc+0x7a
28 00efe73c 75d23c26 USER32!_InternalCallWinProc+0x2b
29 00efe834 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
2a 00efe8b0 75d598f8 USER32!DispatchMessageWorker+0x4a5
2b 00efe8f8 75d59db3 USER32!DialogBox2+0x143
2c 00efe928 75d7ac60 USER32!InternalDialogBox+0xf3
2d 00efe9f4 75d799f6 USER32!SoftModalMessageBox+0x6f0
2e 00efeb50 75d7a4f7 USER32!MessageBoxWorker+0x2fd
2f 00efebd8 75d7a565 USER32!MessageBoxTimeoutW+0x187
30 00efebf8 00141371 USER32!MessageBoxW+0x45
31 00efec10 0014121a AppD9!StartModeling+0x41
32 00efec70 75d32e53 AppD9!WndProc+0x7a
33 00efec9c 75d23c26 USER32!_InternalCallWinProc+0x2b
34 00efed94 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
35 00efee10 75d598f8 USER32!DispatchMessageWorker+0x4a5
36 00efee58 75d59db3 USER32!DialogBox2+0x143
37 00efee88 75d7ac60 USER32!InternalDialogBox+0xf3
38 00efef54 75d799f6 USER32!SoftModalMessageBox+0x6f0
39 00eff0b0 75d7a4f7 USER32!MessageBoxWorker+0x2fd
3a 00eff138 75d7a565 USER32!MessageBoxTimeoutW+0x187
3b 00eff158 00141371 USER32!MessageBoxW+0x45
3c 00eff170 0014121a AppD9!StartModeling+0x41
3d 00eff1d0 75d32e53 AppD9!WndProc+0x7a
3e 00eff1fc 75d23c26 USER32!_InternalCallWinProc+0x2b
3f 00eff2f4 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
40 00eff370 75d598f8 USER32!DispatchMessageWorker+0x4a5
41 00eff3b8 75d59db3 USER32!DialogBox2+0x143
42 00eff3e8 75d7ac60 USER32!InternalDialogBox+0xf3
43 00eff4b4 75d799f6 USER32!SoftModalMessageBox+0x6f0
44 00eff610 75d7a4f7 USER32!MessageBoxWorker+0x2fd
45 00eff698 75d7a565 USER32!MessageBoxTimeoutW+0x187
46 00eff6b8 00141371 USER32!MessageBoxW+0x45
47 00eff6d0 0014121a AppD9!StartModeling+0x41
48 00eff730 75d32e53 AppD9!WndProc+0x7a
49 00eff75c 75d23c26 USER32!_InternalCallWinProc+0x2b
4a 00eff854 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
4b 00eff8d0 75d598f8 USER32!DispatchMessageWorker+0x4a5
4c 00eff918 75d59db3 USER32!DialogBox2+0x143
4d 00eff948 75d7ac60 USER32!InternalDialogBox+0xf3
4e 00effa14 75d799f6 USER32!SoftModalMessageBox+0x6f0
4f 00effb70 75d7a4f7 USER32!MessageBoxWorker+0x2fd
50 00effbf8 75d7a565 USER32!MessageBoxTimeoutW+0x187
51 00effc18 00141371 USER32!MessageBoxW+0x45
52 00effc30 0014121a AppD9!StartModeling+0x41
53 00effc90 75d32e53 AppD9!WndProc+0x7a
54 00effcbc 75d23c26 USER32!_InternalCallWinProc+0x2b
55 00effdb4 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
56 00effe30 75d22030 USER32!DispatchMessageWorker+0x4a5
57 00effe3c 0014109d USER32!DispatchMessageW+0x10
58 00effe68 0014155d AppD9!wWinMain+0x9d
59 (Inline) -------- AppD9!invoke_main+0x1a
5a 00effeb4 769a7ba9 AppD9!__scrt_common_main_seh+0xf8
5b 00effec4 7714bd2b KERNEL32!BaseThreadInitThunk+0x19
5c 00efff1c 7714bcaf ntdll!__RtlUserThreadStart+0x2b
5d 00efff2c 00000000 ntdll!_RtlUserThreadStart+0x1b
We call this analysis pattern Near Exception.
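The snapshot comparison can be scripted. The following is an added example, not code from the original post: it parses two kL listings, finds the shortest back-to-back repeating subtrace in each, and estimates how many more repeats fit above a given stack floor. The function names, the shortened four-frame sample cycle (the page's cycle has eleven frames), the zeroed return addresses, and the 0x00e00000 stack floor are assumptions constructed for illustration.

```python
import re

FRAME = re.compile(r"^[0-9a-f]+\s+([0-9a-f]{8})\s+[0-9a-f]{8}\s+(\S+)$")

def parse_kl(text):
    """[(ChildEBP, symbol)] from kL output; header and (Inline) lines are skipped."""
    hits = (FRAME.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1), 16), m.group(2)) for m in hits if m]

def constant_subtrace(frames):
    """Shortest back-to-back repeat: (start, period, repeats, bytes per repeat) or None."""
    syms = [s for _, s in frames]
    for p in range(1, len(syms) // 2 + 1):
        best = start = run = 0
        for i in range(len(syms) - p):
            run = run + 1 if syms[i] == syms[i + p] else 0
            if run > best:
                best, start = run, i - run + 1
        if best >= p:  # at least two full copies of a p-frame subtrace
            return start, p, best // p + 1, frames[start + p][0] - frames[start][0]
    return None

def near_exception(earlier, later, stack_floor):
    """Same subtrace in both snapshots, with more repeats in the later one.
    stack_floor: lowest usable stack address (assumption, supplied by the analyst)."""
    a, b = constant_subtrace(earlier), constant_subtrace(later)
    if not a or not b:
        return None
    cycle = lambda f, r: sorted(s for _, s in f[r[0]:r[0] + r[1]])
    if cycle(earlier, a) != cycle(later, b) or b[2] <= a[2]:
        return None
    return {"period": b[1], "repeats": (a[2], b[2]), "bytes_per_repeat": b[3],
            "repeats_left": (later[0][0] - stack_floor) // b[3]}

# Constructed sample: four of the eleven frames in the page's cycle, same 0x560 stride.
CYCLE = [(0x000, "AppD9!StartModeling+0x41"), (0x060, "AppD9!WndProc+0x7a"),
         (0x200, "USER32!DispatchMessageWorker+0x4a5"), (0x548, "USER32!MessageBoxW+0x45")]

def sample_kl(repeats):
    """Build a constructed kL listing with the given number of cycle repeats."""
    low = 0x00effc30 - (repeats - 1) * 0x560
    rows = [(low - 0x10, "AppD9!ConnectDB+0xe")]
    rows += [(low + k * 0x560 + off, sym) for k in range(repeats) for off, sym in CYCLE]
    rows.append((0x00effe68, "AppD9!wWinMain+0x9d"))
    body = "\n".join(f"{n:02x} {ebp:08x} 00000000 {sym}" for n, (ebp, sym) in enumerate(rows))
    return " # ChildEBP RetAddr\n" + body

if __name__ == "__main__":
    # 0x00e00000 is a constructed floor (1 MB below an assumed 0x00f00000 stack base)
    print(near_exception(parse_kl(sample_kl(3)), parse_kl(sample_kl(7)), 0x00e00000))
```

On a real dump, the floor would come from the thread's actual stack limits rather than the constructed value used here.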
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -