Archive for the ‘MFC Debugging’ Category

Software Diagnostics Services

Friday, July 13th, 2012

For some time I was struggling with finding a good name for memory dump and software trace analysis activities. The name Memoretics I use for the science of memory dump analysis (which also incorporates software traces) seems not so good for describing the whole practical activity that should be transparent to everyone in IT. Fortunately, I realized in time that all these activities constitute the essence of software diagnostics, which previously lacked any solid foundation. Thus, Software Diagnostics Institute was reborn from the previous Crash Dump Analysis Portal. This institute does pure and applied research and scientific activities and in recent years was funded mainly by OpenTask publisher and recently by Memory Dump Analysis Services. The latter company also recognized that the broadening of its commercial activities requires a new name. So, Software Diagnostics Services was reborn:

The First Comprehensive Software Diagnostics Service

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 147)

Tuesday, August 30th, 2011

This is a new pattern about activation contexts. Here we have software exceptions STATUS_SXS_*, for example:

STATUS_SXS_EARLY_DEACTIVATION 0xC015000F
STATUS_SXS_INVALID_DEACTIVATION 0xC0150010

0:000> !analyze -v

[...]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77a54441 (ntdll!RtlDeactivateActivationContext+0x00000154)
   ExceptionCode: c015000f
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 0056cbe8
   Parameter[2]: 0056cc18

EXCEPTION_CODE: (NTSTATUS) 0xc015000f - The activation context being deactivated is not the most recently activated one.

CONTEXT:  003df6c8 -- (.cxr 0x3df6c8)
eax=003df9bc ebx=13050002 ecx=00000000 edx=00000000 esi=0056cbe8 edi=0056cc18
eip=77a54441 esp=003df9b0 ebp=003dfa0c iopl=0  nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b  efl=00000206
ntdll!RtlDeactivateActivationContext+0x154:
77a54441 8b36 mov    esi,dword ptr [esi]  ds:002b:0056cbe8=0056cbb8
Resetting default scope

STACK_TEXT: 
003dfa0c 755aa138 005507d0 13050002 003dfa7c ntdll!RtlDeactivateActivationContext+0x154
003dfa1c 002b1235 00000000 13050002 3a92c68c kernel32!DeactivateActCtx+0x31
003dfa7c 002b13b5 00000001 01f01e98 01f01ec8 TestActCtx!wmain+0x225
003dfac4 75593677 7efde000 003dfb10 77a09f02 TestActCtx!__tmainCRTStartup+0xfa
003dfad0 77a09f02 7efde000 7e35c89d 00000000 kernel32!BaseThreadInitThunk+0xe
003dfb10 77a09ed5 002b140c 7efde000 ffffffff ntdll!__RtlUserThreadStart+0x70
003dfb28 00000000 002b140c 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b

The ReactOS code for RtlDeactivateActivationContext function suggests the following line of inquiry:

0:000> dt _TEB
TestActCtx!_TEB
   +0x000 NtTib            : _NT_TIB
   +0x01c EnvironmentPointer : Ptr32 Void
   +0x020 ClientId         : _CLIENT_ID
   +0x028 ActiveRpcHandle  : Ptr32 Void
   +0x02c ThreadLocalStoragePointer : Ptr32 Void
   +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
   +0x034 LastErrorValue   : Uint4B
   +0x038 CountOfOwnedCriticalSections : Uint4B
   +0x03c CsrClientThread  : Ptr32 Void
   +0x040 Win32ThreadInfo  : Ptr32 Void
   +0x044 User32Reserved   : [26] Uint4B
   +0x0ac UserReserved     : [5] Uint4B
   +0x0c0 WOW32Reserved    : Ptr32 Void
   +0x0c4 CurrentLocale    : Uint4B
   +0x0c8 FpSoftwareStatusRegister : Uint4B
   +0x0cc SystemReserved1  : [54] Ptr32 Void
   +0x1a4 ExceptionCode    : Int4B
   +0x1a8 ActivationContextStack : _ACTIVATION_CONTEXT_STACK
   +0x1bc SpareBytes1      : [24] UChar
   +0x1d4 GdiTebBatch      : _GDI_TEB_BATCH
   +0x6b4 RealClientId     : _CLIENT_ID
   +0x6bc GdiCachedProcessHandle : Ptr32 Void
   +0x6c0 GdiClientPID     : Uint4B
   +0x6c4 GdiClientTID     : Uint4B
   +0x6c8 GdiThreadLocalInfo : Ptr32 Void
   +0x6cc Win32ClientInfo  : [62] Uint4B
   +0x7c4 glDispatchTable  : [233] Ptr32 Void
   +0xb68 glReserved1      : [29] Uint4B
   +0xbdc glReserved2      : Ptr32 Void
   +0xbe0 glSectionInfo    : Ptr32 Void
   +0xbe4 glSection        : Ptr32 Void
   +0xbe8 glTable          : Ptr32 Void
   +0xbec glCurrentRC      : Ptr32 Void
   +0xbf0 glContext        : Ptr32 Void
   +0xbf4 LastStatusValue  : Uint4B
   +0xbf8 StaticUnicodeString : _UNICODE_STRING
   +0xc00 StaticUnicodeBuffer : [261] Wchar
   +0xe0c DeallocationStack : Ptr32 Void
   +0xe10 TlsSlots         : [64] Ptr32 Void
   +0xf10 TlsLinks         : _LIST_ENTRY
   +0xf18 Vdm              : Ptr32 Void
   +0xf1c ReservedForNtRpc : Ptr32 Void
   +0xf20 DbgSsReserved    : [2] Ptr32 Void
   +0xf28 HardErrorMode    : Uint4B
   +0xf2c Instrumentation  : [16] Ptr32 Void
   +0xf6c WinSockData      : Ptr32 Void
   +0xf70 GdiBatchCount    : Uint4B
   +0xf74 InDbgPrint       : UChar
   +0xf75 FreeStackOnTermination : UChar
   +0xf76 HasFiberData     : UChar
   +0xf77 IdealProcessor   : UChar
   +0xf78 Spare3           : Uint4B
   +0xf7c ReservedForPerf  : Ptr32 Void
   +0xf80 ReservedForOle   : Ptr32 Void
   +0xf84 WaitingOnLoaderLock : Uint4B
   +0xf88 Wx86Thread       : _Wx86ThreadState
   +0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
   +0xf98 ImpersonationLocale : Uint4B
   +0xf9c IsImpersonating  : Uint4B
   +0xfa0 NlsCache         : Ptr32 Void
   +0xfa4 pShimData        : Ptr32 Void
   +0xfa8 HeapVirtualAffinity : Uint4B
   +0xfac CurrentTransactionHandle : Ptr32 Void
   +0xfb0 ActiveFrame      : Ptr32 _TEB_ACTIVE_FRAME
   +0xfb4 FlsData          : Ptr32 Void

0:000> dt _ACTIVATION_CONTEXT_STACK
TestActCtx!_ACTIVATION_CONTEXT_STACK
   +0x000 Flags            : Uint4B
   +0x004 NextCookieSequenceNumber : Uint4B
   +0x008 ActiveFrame      : Ptr32 _RTL_ACTIVATION_CONTEXT_STACK_FRAME
   +0x00c FrameListCache   : _LIST_ENTRY

0:000> dt _RTL_ACTIVATION_CONTEXT_STACK_FRAME
ntdll!_RTL_ACTIVATION_CONTEXT_STACK_FRAME
   +0x000 Previous         : Ptr32 _RTL_ACTIVATION_CONTEXT_STACK_FRAME
   +0x004 ActivationContext : Ptr32 _ACTIVATION_CONTEXT
   +0x008 Flags            : Uint4B

0:000> dd 0056cc18 l4
0056cc18  0056cbe8 0056ca6c 00000028 13050003

0:000> dd 0056cbe8
0056cbe8  0056cbb8 0056c934 00000028 13050002
0056cbf8  00000000 00000000 00000000 00000000
0056cc08  00000000 00000000 00000000 00000000
0056cc18  0056cbe8 0056ca6c 00000028 13050003
0056cc28  00000000 00000000 00000000 00000000
0056cc38  00000000 00000000 00000000 00000000
0056cc48  00000000 00000000 0000000c 00000000
0056cc58  00000000 00000000 00000000 00000000

0:000> dd 0056cbb8
0056cbb8  00000000 0056c7fc 00000028 13050001
0056cbc8  00000000 00000000 00000000 00000000
0056cbd8  00000000 00000000 00000000 00000000
0056cbe8  0056cbb8 0056c934 00000028 13050002
0056cbf8  00000000 00000000 00000000 00000000
0056cc08  00000000 00000000 00000000 00000000
0056cc18  0056cbe8 0056ca6c 00000028 13050003
0056cc28  00000000 00000000 00000000 00000000

We see that the cookie being deactivated, 13050002 (in ebx and in the DeactivateActCtx arguments in STACK_TEXT), belongs to the frame at 0056cbe8, while the frame on top of the thread activation stack is 0056cc18 with cookie 13050003. A different cookie was found on top of the thread activation stack, so the code raised the runtime exception.
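As an added example (not the post's modeling application, which the author presents separately), here is a portable C model of the check that RtlDeactivateActivationContext performs according to the ReactOS code the post refers to: the frame layout follows the dt output, while the Cookie field position and the cookie encoding are assumptions chosen so that the model reproduces the dump's values.

```c
/* Model of the activation context stack walked by RtlDeactivateActivationContext.
 * Constructed for illustration; it is not ntdll and not the post's own program. */
#include <stddef.h>
#include <stdint.h>

#define STATUS_SUCCESS                  0x00000000u
#define STATUS_SXS_EARLY_DEACTIVATION   0xC015000Fu  /* code from the post */
#define STATUS_SXS_INVALID_DEACTIVATION 0xC0150010u  /* code from the post */

typedef struct frame {
    struct frame *Previous;           /* link the deactivation code follows */
    void         *ActivationContext;
    uint32_t      Flags;
    uint32_t      Cookie;             /* assumed: value handed to DeactivateActCtx */
} frame_t;

/* ActiveFrame is the top of the stack, as in _ACTIVATION_CONTEXT_STACK. */
typedef struct { frame_t *ActiveFrame; uint32_t NextCookieSequenceNumber; } actctx_stack_t;

/* Model of activation: push a frame and hand back its cookie. */
uint32_t model_activate(actctx_stack_t *s, frame_t *f, void *ctx) {
    f->Previous = s->ActiveFrame;
    f->ActivationContext = ctx;
    f->Flags = 0x28;                                   /* value seen in the dump */
    f->Cookie = 0x13050000u + s->NextCookieSequenceNumber++;  /* constructed encoding */
    s->ActiveFrame = f;
    return f->Cookie;
}

/* Model of the check: the cookie must belong to the frame on top of the stack. */
uint32_t model_deactivate(actctx_stack_t *s, uint32_t cookie) {
    frame_t *top = s->ActiveFrame, *f;
    for (f = top; f != NULL; f = f->Previous)          /* walk Previous, like mov esi,[esi] */
        if (f->Cookie == cookie) break;
    if (f == NULL) return STATUS_SXS_INVALID_DEACTIVATION;  /* cookie not on the stack */
    if (f != top)  return STATUS_SXS_EARLY_DEACTIVATION;    /* a newer frame is still active */
    s->ActiveFrame = top->Previous;                    /* pop */
    return STATUS_SUCCESS;
}

/* The post's scenario: three activations, then the second cookie is
 * deactivated while the third frame is still on top. */
uint32_t replay_post_scenario(void) {
    actctx_stack_t s = { NULL, 1 };
    frame_t f1, f2, f3;
    model_activate(&s, &f1, NULL);                     /* cookie 0x13050001 */
    uint32_t c2 = model_activate(&s, &f2, NULL);       /* cookie 0x13050002 */
    model_activate(&s, &f3, NULL);                     /* cookie 0x13050003 */
    return model_deactivate(&s, c2);                   /* 0xC015000F */
}
```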

For this pattern I have also created a modeling application and present its source code with additional memory dump analysis in a separate post.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -