Archive for the ‘x64 Windows’ Category

Crash Dump Analysis Patterns (Part 16e)

Friday, February 4th, 2022

A stack overflow caused by managed code manifests as Stack Overflow (User Mode) with recursive JIT Code entries. The !CLRStack WinDbg SOS extension command may take a very long time to complete when the recursive stack frames are small (there are tens of thousands of them), so we may instead need to increase the number of frames shown by the native stack commands (.kframes) and then manually identify the originating frames at the bottom of the recursion using the !IP2MD SOS extension command.

0:000> !CLRStack
OS Thread Id: 0x1da0 (0)
Child SP IP Call Site
000000F83D205FE0 00007ffc82570539 UserQuery.g__foo|4_1()
000000F83D206010 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206040 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206070 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060A0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D2060D0 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206100 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206130 00007ffc8257053e UserQuery.g__foo|4_1()
000000F83D206160 00007ffc8257053e UserQuery.g__foo|4_1()
[...]

0:000> .kframes 0xFFFF
Default stack trace depth is 0n65535 frames

0:000> kL
# Child-SP RetAddr Call Site
00 000000f8`3d205fe0 00007ffc`8257053e 0x00007ffc`82570539
01 000000f8`3d206010 00007ffc`8257053e 0x00007ffc`8257053e
02 000000f8`3d206040 00007ffc`8257053e 0x00007ffc`8257053e
03 000000f8`3d206070 00007ffc`8257053e 0x00007ffc`8257053e
04 000000f8`3d2060a0 00007ffc`8257053e 0x00007ffc`8257053e
05 000000f8`3d2060d0 00007ffc`8257053e 0x00007ffc`8257053e
06 000000f8`3d206100 00007ffc`8257053e 0x00007ffc`8257053e
07 000000f8`3d206130 00007ffc`8257053e 0x00007ffc`8257053e
08 000000f8`3d206160 00007ffc`8257053e 0x00007ffc`8257053e
09 000000f8`3d206190 00007ffc`8257053e 0x00007ffc`8257053e
[...]
7cfa 000000f8`3d37cec0 00007ffc`8257053e 0x00007ffc`8257053e
7cfb 000000f8`3d37cef0 00007ffc`8257053e 0x00007ffc`8257053e
7cfc 000000f8`3d37cf20 00007ffc`8257053e 0x00007ffc`8257053e
7cfd 000000f8`3d37cf50 00007ffc`8257053e 0x00007ffc`8257053e
7cfe 000000f8`3d37cf80 00007ffc`8257053e 0x00007ffc`8257053e
7cff 000000f8`3d37cfb0 00007ffc`8257053e 0x00007ffc`8257053e
7d00 000000f8`3d37cfe0 00007ffc`8257053e 0x00007ffc`8257053e
7d01 000000f8`3d37d010 00007ffc`825704fe 0x00007ffc`8257053e
7d02 000000f8`3d37d040 00007ffc`825704c4 0x00007ffc`825704fe
7d03 000000f8`3d37d070 00007ffc`82582bdd 0x00007ffc`825704c4
7d04 000000f8`3d37d0a0 00007ffc`8236b45e 0x00007ffc`82582bdd
7d05 000000f8`3d37d940 00007ffc`82366850 0x00007ffc`8236b45e
7d06 000000f8`3d37dc10 00007ffc`82365faf 0x00007ffc`82366850
7d07 000000f8`3d37dd50 00007ffc`82365edc 0x00007ffc`82365faf
7d08 000000f8`3d37dd90 00007ffc`823316f5 0x00007ffc`82365edc
7d09 000000f8`3d37dde0 00007ffc`8233144b 0x00007ffc`823316f5
7d0a 000000f8`3d37de70 00007ffc`81de8db1 0x00007ffc`8233144b
7d0b 000000f8`3d37df60 00007ffc`81de59fa 0x00007ffc`81de8db1
7d0c 000000f8`3d37e0c0 00007ffc`81de5985 0x00007ffc`81de59fa
7d0d 000000f8`3d37e110 00007ffc`81de4d59 0x00007ffc`81de5985
7d0e 000000f8`3d37e160 00007ffc`81de45f5 0x00007ffc`81de4d59
7d0f 000000f8`3d37e1e0 00007ffc`e196a573 0x00007ffc`81de45f5
7d10 000000f8`3d37e220 00007ffc`e18902d0 coreclr!CallDescrWorkerInternal+0x83
7d11 (Inline Function) --------`-------- coreclr!CallDescrWorkerWithHandler+0x30
7d12 000000f8`3d37e260 00007ffc`e189202c coreclr!CallDescrWorkerReflectionWrapper+0x48
7d13 000000f8`3d37e2b0 00007ffc`d5ddc9d7 coreclr!RuntimeMethodHandle::InvokeMethod+0x91c
[...]
7d1b 000000f8`3d37ed60 00007ffc`e18e0d95 coreclr!RunMain+0xd2
7d1c 000000f8`3d37ee10 00007ffc`e18e0b56 coreclr!Assembly::ExecuteMainMethod+0x1c9
7d1d 000000f8`3d37f1a0 00007ffc`e19152b2 coreclr!CorHost2::ExecuteAssembly+0x1c6
7d1e 000000f8`3d37f310 00007ffd`053896bb coreclr!coreclr_execute_assembly+0xe2
7d1f (Inline Function) --------`-------- hostpolicy!coreclr_t::execute_assembly+0x2a
7d20 000000f8`3d37f3b0 00007ffd`053899ec hostpolicy!run_app_for_context+0x56b
7d21 000000f8`3d37f550 00007ffd`0538a387 hostpolicy!run_app+0x3c
7d22 000000f8`3d37f590 00007ffd`07fab539 hostpolicy!corehost_main+0x107
7d23 000000f8`3d37f740 00007ffd`07fae506 hostfxr!execute_app+0x2e9
7d24 000000f8`3d37f840 00007ffd`07fb0821 hostfxr!`anonymous namespace'::read_config_and_execute+0xa6
7d25 000000f8`3d37f940 00007ffd`07faeb62 hostfxr!fx_muxer_t::handle_exec_host_command+0x161
7d26 000000f8`3d37f9f0 00007ffd`07fa82ab hostfxr!fx_muxer_t::execute+0x482
7d27 000000f8`3d37fb30 00007ff6`64fe2351 hostfxr!hostfxr_main_startupinfo+0xab
7d28 000000f8`3d37fc30 00007ff6`64fe2748 LINQPad7_Query_exe!exe_start+0x651
7d29 000000f8`3d37fe60 00007ff6`64fe45f8 LINQPad7_Query_exe!wmain+0x88
7d2a (Inline Function) --------`-------- LINQPad7_Query_exe!invoke_main+0x22
7d2b 000000f8`3d37fe90 00007ffd`164b54e0 LINQPad7_Query_exe!__scrt_common_main_seh+0x10c
7d2c 000000f8`3d37fed0 00007ffd`185e485b kernel32!BaseThreadInitThunk+0x10
7d2d 000000f8`3d37ff00 00000000`00000000 ntdll!RtlUserThreadStart+0x2b

0:000> !IP2MD 0x00007ffc`8257053e
MethodDesc: 00007ffc8257ce18
Method Name: UserQuery.<Main>g__foo|4_1()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000007
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc82570520
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc82570520 (MinOptJitted)
NativeCodeVersion: 0000000000000000

0:000> !DumpIL 00007ffc8257ce18
ilAddr is 0000027575CC20F2 pImport is 000001C7B44109C0
ilAddr = 0000027575CC20F2
IL_0000: nop
IL_0001: call void UserQuery::<Main>g__foo|4_1()
IL_0006: nop
IL_0007: ret

0:000> !IP2MD 0x00007ffc`825704fe
MethodDesc: 00007ffc8257ce00
Method Name: UserQuery.<Main>g__bar|4_0()
Class: 00007ffc8257cd08
MethodTable: 00007ffc8257ce48
mdToken: 0000000006000006
Module: 00007ffc8257c060
IsJitted: yes
Current CodeAddr: 00007ffc825704e0
Version History:
ILCodeVersion: 0000000000000000
ReJIT ID: 0
IL Addr: 0000027575cc20f2
CodeAddr: 00007ffc825704e0 (MinOptJitted)
NativeCodeVersion: 0000000000000000
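To automate the manual part of this procedure, here is an added Python example (it is not part of the original post and not SOS code) that collapses a saved kL listing into its recursion cycle, the stack consumed per iteration, and the few frames below the recursion whose unresolved addresses are the ones to pass to !IP2MD. The kL text it runs on is constructed in the format of the dump above (the addresses are reused from it; the frame count is synthetic), and the foo/bar mutual-recursion case is an assumed second scenario showing that cycles longer than one frame are handled as well.

```python
import re

# One kL frame row: "<frame#> <Child-SP> <RetAddr> <Call Site>". Header rows and
# "(Inline Function)" rows (which have no Child-SP/RetAddr) do not match.
FRAME_RE = re.compile(r"^\s*([0-9a-f]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S.*?)\s*$")


def _hex(s):
    return int(s.replace("`", ""), 16)


def parse_kl(text):
    """Return (frame_no, child_sp, ret_addr, call_site) tuples in stack order."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            n, sp, ret, site = m.groups()
            frames.append((int(n, 16), _hex(sp), _hex(ret), site))
    return frames


def find_recursion(frames, max_period=8, max_start=4):
    """Locate the repeating call-site cycle nearest the top of the stack.

    Returns (start, period, length): frames[start:start+length] is the cycle
    frames[start:start+period] repeated; None if nothing repeats. Periods > 1
    catch mutual recursion (foo -> bar -> foo ...). The search may begin a few
    frames down because frame 0 holds the faulting IP, not a return address.
    """
    sites = [f[3] for f in frames]
    n = len(sites)
    best = None
    for period in range(1, max_period + 1):      # smaller period wins ties
        for start in range(min(max_start, n)):
            i = start
            while i + period < n and sites[i] == sites[i + period]:
                i += 1
            run = i - start
            if run < period:                      # fewer than two iterations
                continue
            if best is None or run + period > best[2]:
                best = (start, period, run + period)
    return best


def summarize(frames, originating=4):
    """Describe the recursion and list the frames to hand to !IP2MD."""
    rec = find_recursion(frames)
    if rec is None:
        return None
    start, period, length = rec
    end = start + length                      # first frame below the recursion
    last_sp = frames[min(end, len(frames) - 1)][1]
    # The last recursive frame and the frames beneath it are the originating
    # frames; their unresolved "0x..." call sites are JIT code for !IP2MD.
    below = frames[end - 1:end - 1 + originating]
    return {
        "cycle": [frames[i][3] for i in range(start, start + period)],
        "iterations": length // period,
        "bytes_per_iteration": frames[start + period][1] - frames[start][1],
        "stack_bytes_in_recursion": last_sp - frames[start][1],
        "originating": [(f"{f[0]:x}", f[3]) for f in below],
        "ip2md": [f[3] for f in below if f[3].startswith("0x")],
    }


def _fmt(a):
    """WinDbg 64-bit address style: 00007ffc`8257053e."""
    return f"{a >> 32:08x}`{a & 0xFFFFFFFF:08x}"


def jit(addr):
    """Unresolved call-site text as kL prints it for JIT code."""
    return "0x" + _fmt(addr)


def build_kl(top, cycle, iterations, callers, frame_size=0x30):
    """Construct synthetic kL text for a stack that overflowed inside `cycle`.

    Each entry is (address, call-site text). RetAddr of frame i is the address
    of frame i+1 and Child-SP grows by frame_size per frame, as in the dump.
    """
    spec = [top] + cycle * iterations + callers
    lines = [" # Child-SP          RetAddr               Call Site"]
    sp = 0x000000F83D205FE0
    for i, (_, site) in enumerate(spec):
        ret = spec[i + 1][0] if i + 1 < len(spec) else 0
        lines.append(f"{i:02x} {_fmt(sp)} {_fmt(ret)} {site}")
        sp += frame_size
    return "\n".join(lines)


FOO_TOP, FOO, BAR = 0x00007FFC82570539, 0x00007FFC8257053E, 0x00007FFC825704FE
MAIN, NATIVE = 0x00007FFC825704C4, 0x00007FFCE196A573
CALLERS = [(MAIN, jit(MAIN)), (NATIVE, "coreclr!CallDescrWorkerInternal+0x83")]

# Constructed: foo() calling itself 20000 deep, entered from bar() as above.
SAMPLE_SELF = build_kl((FOO_TOP, jit(FOO_TOP)), [(FOO, jit(FOO))], 20000,
                       [(BAR, jit(BAR))] + CALLERS)
# Constructed (assumed scenario): foo() <-> bar() mutual recursion, 5000 round trips.
SAMPLE_MUTUAL = build_kl((FOO_TOP, jit(FOO_TOP)), [(FOO, jit(FOO)), (BAR, jit(BAR))],
                         5000, CALLERS)

if __name__ == "__main__":
    for name, text in (("self", SAMPLE_SELF), ("mutual", SAMPLE_MUTUAL)):
        print(name, summarize(parse_kl(text)))
```

Save the real kL output to a file (.logopen before the command, .logclose after), pass its text to parse_kl, and then run !IP2MD on each entry of the ip2md list; the first entry is the last recursive frame and the following ones are its callers, which is exactly the pair examined with !IP2MD above.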

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 279)

Tuesday, November 23rd, 2021

Sometimes we are interested in the values of one field across many objects of the same type, for example, processes or threads. We call this analysis pattern Structure Field Collection. For example, we may be interested in all thread names or their numbers of context switches. Here's an example script that outputs all non-null thread names (the _ETHREAD ThreadName field is a pointer to a UNICODE_STRING, hence !ustr) together with their _ETHREAD structure addresses for further exploration:

0: kd> !for_each_thread "r $t0 = @@C++(((nt!_ETHREAD *) @#Thread )->ThreadName); .if (@$t0 != 0) { .echo _ETHREAD: @#Thread; !ustr @$t0 }"
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba468080
String(58,58) at ffffad03b6943e80: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03ba57d580
String(62,62) at ffffad03ba5aebc0: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03ba49b080
String(46,46) at ffffad03b9a792c0: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba49c080
String(58,58) at ffffad03b6945080: Win32k Desktop Thread (IO_DT)
_ETHREAD: 0xffffad03bcb44080
String(62,62) at ffffad03bcb89740: Win32k Desktop Thread (NOIO_DT)
_ETHREAD: 0xffffad03bad74080
String(38,38) at ffffad03bacf5a90: DWM LPC Port Thread
_ETHREAD: 0xffffad03bad70080
String(42,42) at ffffad03bacf6490: DWM Compositor Thread
_ETHREAD: 0xffffad03badbf080
String(32,32) at ffffad03ba5c7910: DWM Token Thread
_ETHREAD: 0xffffad03badbe080
String(46,46) at ffffad03bacf7340: DWM Master Input Thread
_ETHREAD: 0xffffad03badbd080
String(46,46) at ffffad03bacf7660: DWM Manipulation Thread
_ETHREAD: 0xffffad03bae71080
String(34,34) at ffffad03bacf82e0: uDWM Event Thread
_ETHREAD: 0xffffad03baf49080
String(32,32) at ffffad03ba5c8e10: OS Events thread
_ETHREAD: 0xffffad03baf98080
String(30,30) at ffffad03bafb4ed0: EventLog-System
_ETHREAD: 0xffffad03baf33080
String(40,40) at ffffad03baef7490: EventLog-Application
_ETHREAD: 0xffffad03bb00b080
String(34,34) at ffffad03baef74e0: EventLog-Security
_ETHREAD: 0xffffad03bbeee080
String(100,100) at ffffad03bc1ccaa0: MicrosoftWindows.Client.CBS_cw5n1h2txyewy!InputApp
_ETHREAD: 0xffffad03bc590080
String(30,30) at ffffad03bc75cd10: UnknownAppFrame
_ETHREAD: 0xffffad03bc539080
String(30,30) at ffffad03bc75f850: UnknownAppFrame
_ETHREAD: 0xffffad03bc20e300
String(44,44) at ffffad03bc0e44f0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc208080
String(44,44) at ffffad03bc0e4770: DManip Delegate Thread
_ETHREAD: 0xffffad03bc457080
String(30,30) at ffffad03bc365cd0: WebView UI ASTA
_ETHREAD: 0xffffad03bc44a080
String(52,52) at ffffad03bc25be60: Chakra Background Recycler
_ETHREAD: 0xffffad03bc448080
String(52,52) at ffffad03bc25e620: Chakra Background Recycler
_ETHREAD: 0xffffad03bc4d1080
String(58,58) at ffffad03bc25de40: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc4ce080
String(28,28) at ffffad03bc3671d0: EdgeHtml Timer
_ETHREAD: 0xffffad03bc4c1080
String(42,42) at ffffad03bc0e9950: EdgeHtml Download STA
_ETHREAD: 0xffffad03bc4c0080
String(58,58) at ffffad03bc25f8e0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc4be080
String(40,40) at ffffad03bc0eae90: EdgeHtml Storage STA
_ETHREAD: 0xffffad03bc4bc080
String(34,34) at ffffad03bc93fbc0: Fetch Idle Worker
_ETHREAD: 0xffffad03bc46d080
String(30,30) at ffffad03bc36a1d0: EdgeHtml Render
_ETHREAD: 0xffffad03bc544080
String(26,26) at ffffad03bc0676d0: MTA Implicit
_ETHREAD: 0xffffad03bc68c040
String(26,26) at ffffad03bc363510: MTA Implicit
_ETHREAD: 0xffffad03bca08040
String(26,26) at ffffad03bc363550: MTA Implicit
_ETHREAD: 0xffffad03bca07080
String(50,50) at ffffad03bac853c0: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bca06080
String(26,26) at ffffad03bc363250: MTA Implicit
_ETHREAD: 0xffffad03bca04080
String(50,50) at ffffad03bb0fc170: EdgeHtml IDB MTA Implicit
_ETHREAD: 0xffffad03bc58e080
String(84,84) at ffffad03bbe4af10: WebPlatStorage Events Channel MTA Implicit
_ETHREAD: 0xffffad03bbcd5080
String(36,36) at ffffad03bc9445d0: EdgeHtml Image STA
_ETHREAD: 0xffffad03bc5df080
String(52,52) at ffffad03bc25a600: Chakra Background Recycler
_ETHREAD: 0xffffad03bc5de080
String(52,52) at ffffad03bc260060: Chakra Background Recycler
_ETHREAD: 0xffffad03bc68a080
String(44,44) at ffffad03bc0f3f40: DManip Delegate Thread
_ETHREAD: 0xffffad03bc5d8080
String(58,58) at ffffad03bc264f80: EdgeHtml Independent Hit Test
_ETHREAD: 0xffffad03bc5d7080
String(28,28) at ffffad03bc754510: EdgeHtml Timer
_ETHREAD: 0xffffad03bc0880c0
String(58,58) at ffffad03bc269a20: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
_ETHREAD: 0xffffad03bc591080
String(20,20) at ffffad03bc75d010: InputPanel
_ETHREAD: 0xffffad03bc58c080
String(44,44) at ffffad03bc93e4a0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc50e080
String(44,44) at ffffad03bc93f4e0: DManip Delegate Thread
_ETHREAD: 0xffffad03bc495040
String(26,26) at ffffad03bc3611d0: MTA Implicit
_ETHREAD: 0xffffad03bc494040
String(26,26) at ffffad03bc361a50: MTA Implicit
_ETHREAD: 0xffffad03bc490080
String(26,26) at ffffad03bc760bd0: MTA Implicit
_ETHREAD: 0xffffad03bc48f080
String(88,88) at ffffad03bbbe6890: RPC StorageEvents_WaitForEvents MTA Implicit
_ETHREAD: 0xffffad03bc2a5040
String(26,26) at ffffad03bc3631d0: MTA Implicit
_ETHREAD: 0xffffad03bc1c3040
String(26,26) at ffffad03bc361810: MTA Implicit
_ETHREAD: 0xffffad03bbced0c0
String(26,26) at ffffad03bc361350: MTA Implicit
_ETHREAD: 0xffffad03bca72080
String(52,52) at ffffad03bbdf06b0: Chakra Background Recycler
_ETHREAD: 0xffffad03bca71080
String(58,58) at ffffad03bbdf34d0: Chakra Parallel Worker Thread
_ETHREAD: 0xffffad03bc509080
String(26,26) at ffffad03bc369890: CrBrowserMain
_ETHREAD: 0xffffad03bcb45080
String(34,34) at ffffad03bc94e940: LoaderLockSampler
_ETHREAD: 0xffffad03bcb21080
String(22,22) at ffffad03bc368990: BrokerEvent
_ETHREAD: 0xffffad03bc682080
String(22,22) at ffffad03bc369950: HangWatcher
_ETHREAD: 0xffffad03bc681080
String(46,46) at ffffad03bc94f020: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bc680080
String(106,106) at ffffad03bcb06800: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking0
_ETHREAD: 0xffffad03bc020080
String(106,106) at ffffad03bc1c8960: ThreadPoolSingleThreadCOMSTASharedForegroundBlocking1
_ETHREAD: 0xffffad03bc01e080
String(52,52) at ffffad03bc2663c0: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bc285080
String(30,30) at ffffad03bc3695d0: Chrome_IOThread
_ETHREAD: 0xffffad03bc284080
String(22,22) at ffffad03bc369910: MemoryInfra
_ETHREAD: 0xffffad03bc283080
String(90,90) at ffffad03bca64110: ThreadPoolSingleThreadCOMSTASharedForeground2
_ETHREAD: 0xffffad03bc1ed080
String(94,94) at ffffad03bbe41f10: ThreadPoolSingleThreadSharedBackgroundBlocking3
_ETHREAD: 0xffffad03bc1f2080
String(52,52) at ffffad03bcb8a040: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc1b7080
String(42,42) at ffffad03bc94fb10: CompositorTileWorker1
_ETHREAD: 0xffffad03bc1b6080
String(36,36) at ffffad03bc94fc00: VideoCaptureThread
_ETHREAD: 0xffffad03bcc0e080
String(30,30) at ffffad03bc75f950: BrowserWatchdog
_ETHREAD: 0xffffad03bcc0d080
String(94,94) at ffffad03bbe42010: ThreadPoolSingleThreadSharedBackgroundBlocking4
_ETHREAD: 0xffffad03bc29b080
String(82,82) at ffffad03bce44110: ThreadPoolSingleThreadForegroundBlocking5
_ETHREAD: 0xffffad03bcdda080
String(42,42) at ffffad03bb09a120: CacheThread_BlockFile
_ETHREAD: 0xffffad03bcdc50c0
String(94,94) at ffffad03bce44590: ThreadPoolSingleThreadSharedForegroundBlocking6
_ETHREAD: 0xffffad03bc67f4c0
String(106,106) at ffffad03bcb05690: ThreadPoolSingleThreadCOMSTASharedBackgroundBlocking7
_ETHREAD: 0xffffad03bca85080
String(52,52) at ffffad03bcb8cf80: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bc6af080
String(36,36) at ffffad03bc94e580: CrashpadMainThread
_ETHREAD: 0xffffad03bca97080
String(42,42) at ffffad03bc94e620: ExitCodeWatcherThread
_ETHREAD: 0xffffad03bcc0c080
String(18,18) at ffffad03bc36dd10: CrGpuMain
_ETHREAD: 0xffffad03bcecd080
String(34,34) at ffffad03bc9518c0: LoaderLockSampler
_ETHREAD: 0xffffad03bcecb080
String(22,22) at ffffad03bc36e950: GpuWatchdog
_ETHREAD: 0xffffad03bce7e080
String(46,46) at ffffad03bc9535d0: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bcdcc080
String(52,52) at ffffad03bc26c960: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcdcb080
String(40,40) at ffffad03bc952c20: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bcea8080
String(52,52) at ffffad03bcb8c8c0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcea7080
String(38,38) at ffffad03bc952c70: VizCompositorThread
_ETHREAD: 0xffffad03bc7ee080
String(26,26) at ffffad03bc36d390: CrUtilityMain
_ETHREAD: 0xffffad03bc1f1080
String(34,34) at ffffad03bc951a00: LoaderLockSampler
_ETHREAD: 0xffffad03bca3d080
String(46,46) at ffffad03bc951c30: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bca3a080
String(40,40) at ffffad03bc951c80: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bce81080
String(52,52) at ffffad03bc26ca80: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bcbd0080
String(52,52) at ffffad03bcf03da0: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03b67af080
String(52,52) at ffffad03bdcca800: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bd0db080
String(52,52) at ffffad03bcf0fd40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bbdcc080
String(52,52) at ffffad03bcf10280: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcdd94c0
String(26,26) at ffffad03bc36e7d0: CrUtilityMain
_ETHREAD: 0xffffad03baf95080
String(34,34) at ffffad03bc951aa0: LoaderLockSampler
_ETHREAD: 0xffffad03bcec9080
String(46,46) at ffffad03bc952270: ThreadPoolServiceThread
_ETHREAD: 0xffffad03bceb6080
String(52,52) at ffffad03bc26ca20: ThreadPoolBackgroundWorker
_ETHREAD: 0xffffad03bceb5080
String(40,40) at ffffad03bc952d60: Chrome_ChildIOThread
_ETHREAD: 0xffffad03bceb4080
String(52,52) at ffffad03bcb8ca40: ThreadPoolForegroundWorker
_ETHREAD: 0xffffad03bcf3e040
String(166,166) at ffffad03bcc38590: windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel
_ETHREAD: 0xffffad03baf0a040
String(80,80) at ffffad03bcedb390: Microsoft.WindowsStore_8wekyb3d8bbwe!App
_ETHREAD: 0xffffad03b9850080
String(30,30) at ffffad03bc75e1d0: UnknownAppFrame
_ETHREAD: 0xffffad03bbf54080
String(30,30) at ffffad03ba344710: UnknownAppFrame
_ETHREAD: 0xffffad03ba48e080
String(44,44) at ffffad03ba32bf10: DManip Delegate Thread
_ETHREAD: 0xffffad03bada5080
String(44,44) at ffffad03bc950a10: DManip Delegate Thread

One of the early analysis patterns, Last Error Collection, is another instance of this general analysis pattern.
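The collected field values are usually the input to a second step: counting, grouping and spotting duplicates. As an added example (not part of the original post), the following Python script parses the _ETHREAD: / String(...) pairs printed by the script above, groups _ETHREAD addresses by thread name, builds a frequency table, and flags names whose UNICODE_STRING Length does not match the visible text. The sample input is a subset of the lines shown above.

```python
import re
from collections import defaultdict

ETHREAD_RE = re.compile(r"^_ETHREAD:\s*(0x[0-9a-fA-F]+)$")
# !ustr prints "String(Length,MaximumLength) at <buffer>: <text>"
USTR_RE = re.compile(r"^String\((\d+),(\d+)\) at ([0-9a-fA-F]+): ?(.*)$")


def collect_thread_names(text):
    """Pair every _ETHREAD line with the !ustr line printed after it."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ETHREAD_RE.match(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = USTR_RE.match(line)
        if m and pending is not None:
            length, maxlen, buf, name = m.groups()
            records.append({"ethread": pending, "buffer": int(buf, 16),
                            "length": int(length), "maxlen": int(maxlen),
                            "name": name})
            pending = None
    return records


def group_by_name(records):
    """Field collection view: thread name -> list of _ETHREAD addresses."""
    groups = defaultdict(list)
    for r in records:
        groups[r["name"]].append(r["ethread"])
    return dict(groups)


def frequency_table(records):
    """(name, count) pairs, most frequent first, ties alphabetical."""
    return sorted(((n, len(a)) for n, a in group_by_name(records).items()),
                  key=lambda t: (-t[1], t[0]))


def length_mismatches(records):
    """Records whose UNICODE_STRING.Length (bytes of UTF-16, no terminator) is
    not twice the visible character count: the name holds characters that did
    not survive copying, for example leading or trailing whitespace."""
    return [r for r in records if r["length"] != 2 * len(r["name"])]


# A subset of the lines printed by the !for_each_thread script above.
SAMPLE = """\
_ETHREAD: 0xffffad03ba43b080
String(46,46) at ffffad03b9a77790: Win32k Raw Input Thread
_ETHREAD: 0xffffad03ba49b080
String(46,46) at ffffad03b9a792c0: Win32k Raw Input Thread
_ETHREAD: 0xffffad03bad70080
String(42,42) at ffffad03bacf6490: DWM Compositor Thread
_ETHREAD: 0xffffad03bc544080
String(26,26) at ffffad03bc0676d0: MTA Implicit
_ETHREAD: 0xffffad03bc68c040
String(26,26) at ffffad03bc363510: MTA Implicit
_ETHREAD: 0xffffad03bc9e6080
String(12,12) at ffffad03bc51bd40: main()
_ETHREAD: 0xffffad03bc590080
String(30,30) at ffffad03bc75cd10: UnknownAppFrame
"""

if __name__ == "__main__":
    recs = collect_thread_names(SAMPLE)
    for name, count in frequency_table(recs):
        print(f"{count:3d}  {name}")
    for r in length_mismatches(recs):
        print(f"length {r['length']} != 2*{len(r['name'])} for {r['name']!r} "
              f"(_ETHREAD {r['ethread']:#x})")
```

The same two-regex approach works for any field collected this way: replace the !ustr line pattern with the one printed by the command you used (dt for numeric fields such as context switch counts) and keep the _ETHREAD line as the record delimiter.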

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 278)

Monday, November 22nd, 2021

In addition to the previous Spiking Thread and Distributed Spike CPU consumption analysis patterns, we add Spiking Interrupts, since interrupt and DPC activity may account for perceived performance degradation such as response lags and system freezes. We can see the time spent in interrupts and DPCs and the number of interrupts for a given CPU using the !prcb command with the processor number:

0: kd> !prcb 2
PRCB for Processor 2 at ffffe480b3600180:
Current IRQL -- 2
Threads--  Current ffffe480b360c240 Next 0000000000000000 Idle ffffe480b360c240
Processor Index 2 Number (0, 2) GroupSetMember 4
Interrupt Count -- 0cadbd58
Times -- Dpc 0000219c Interrupt 00002ae0
         Kernel 00e7808e User 0041303b

0: kd> !whattime 0000219c + 00002ae0
19580 Ticks in Standard Time: 05:05.937s

We can also see the number of DPCs processed from the PRCB structure itself; DpcData[0] is the queue for normal DPCs and DpcData[1] (at +0x30, the size of _KDPC_DATA) the queue for threaded DPCs:

0: kd> dt _KPRCB DPCData
nt!_KPRCB
+0x3340 DpcData : [2] _KDPC_DATA

0: kd> dt _KDPC_DATA
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : Uint8B
+0x018 DpcQueueDepth : Int4B
+0x01c DpcCount : Uint4B
+0x020 ActiveDpc : Ptr64 _KDPC
+0x028 LongDpcPresent : Uint4B
+0x02c Padding : Uint4B

0: kd> dt _KDPC_DATA ffffe480b3600180+0x3340
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : 0
+0x018 DpcQueueDepth : 0n1
+0x01c DpcCount : 0x74d9e0
+0x020 ActiveDpc : 0xffffa30f`e8f1f230 _KDPC
+0x028 LongDpcPresent : 0
+0x02c Padding : 0

0: kd> dt _KDPC_DATA ffffe480b3600180+0x3340+30
nt!_KDPC_DATA
+0x000 DpcList : _KDPC_LIST
+0x010 DpcLock : 0
+0x018 DpcQueueDepth : 0n0
+0x01c DpcCount : 0xd39
+0x020 ActiveDpc : (null)
+0x028 LongDpcPresent : 0
+0x02c Padding : 0

Since these counters accumulate since boot and therefore depend on system uptime, high absolute values mean little by themselves; it is important to compare them with the same counters from a normally behaving system (or with the other processors in the same dump).
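Because the raw counters are only meaningful relative to a baseline, here is an added Python example (not part of the original post) that parses several !prcb outputs, converts DPC+interrupt ticks to time the way !whattime does (assuming the 15.625 ms clock interval that !whattime used above), computes each CPU's share of charged clock ticks spent in ISRs and DPCs, and flags CPUs that are outliers against the median of the processors in the same dump. The share calculation assumes that each clock tick is charged to exactly one of the four PRCB time counters (Dpc, Interrupt, Kernel, User). The processor 2 block is the one shown above; the blocks for processors 0, 1 and 3 are constructed, with processor 1 made to spike.

```python
import re
from statistics import median

TICK_MS = 15.625  # clock interval !whattime assumed above (19580 ticks -> 05:05.937s)

PRCB_HDR = re.compile(r"PRCB for Processor (\d+) at ([0-9a-f]+)")
INT_COUNT = re.compile(r"Interrupt Count\s*-+\s*([0-9a-f]+)")
TIMES = re.compile(r"Times\s*-+\s*Dpc\s+([0-9a-f]+)\s+Interrupt\s+([0-9a-f]+)")
KERNEL_USER = re.compile(r"Kernel\s+([0-9a-f]+)\s+User\s+([0-9a-f]+)")


def parse_prcb(text):
    """Parse one or more concatenated `!prcb N` outputs into per-CPU dicts."""
    cpus, cur = [], None
    for line in text.splitlines():
        m = PRCB_HDR.search(line)
        if m:
            cur = {"cpu": int(m.group(1)), "prcb": int(m.group(2), 16)}
            cpus.append(cur)
            continue
        if cur is None:
            continue
        for rx, keys in ((INT_COUNT, ("interrupts",)),
                         (TIMES, ("dpc", "interrupt")),
                         (KERNEL_USER, ("kernel", "user"))):
            m = rx.search(line)
            if m:
                cur.update(zip(keys, (int(v, 16) for v in m.groups())))
    return cpus


def ticks_to_str(ticks, tick_ms=TICK_MS):
    """Format ticks like !whattime: minutes:seconds.milliseconds, truncated."""
    total_ms = int(ticks * tick_ms)
    minutes, rem = divmod(total_ms, 60_000)
    seconds, ms = divmod(rem, 1_000)
    return f"{minutes:02d}:{seconds:02d}.{ms:03d}"


def isr_dpc_ticks(cpu):
    """Ticks charged to ISRs and DPCs, the sum !whattime was given above."""
    return cpu["dpc"] + cpu["interrupt"]


def isr_dpc_share(cpu):
    """Fraction of charged clock ticks spent in ISRs and DPCs. Assumes each
    tick lands in exactly one of Dpc/Interrupt/Kernel/User, so the four sum
    to the accounting denominator; only the ratio is compared across CPUs."""
    total = cpu["dpc"] + cpu["interrupt"] + cpu["kernel"] + cpu["user"]
    return isr_dpc_ticks(cpu) / total if total else 0.0


def spiking_cpus(cpus, factor=3.0, min_share=0.01):
    """CPUs whose ISR+DPC share is at least `factor` times the median share of
    the CPUs in the dump and above `min_share`: an in-dump baseline that the
    uptime-dependent raw counters do not provide on their own."""
    shares = {c["cpu"]: isr_dpc_share(c) for c in cpus}
    base = median(shares.values()) if shares else 0.0
    return sorted(n for n, s in shares.items()
                  if s >= min_share and s >= factor * base)


def _prcb_text(cpu, prcb, count, dpc, intr, kernel, user):
    """Render a minimal !prcb block in the debugger's format."""
    return (f"PRCB for Processor {cpu} at {prcb:016x}:\n"
            f"Current IRQL -- 0\n"
            f"Interrupt Count -- {count:08x}\n"
            f"Times -- Dpc {dpc:08x} Interrupt {intr:08x}\n"
            f"         Kernel {kernel:08x} User {user:08x}\n")


# Processor 2 reproduces the values shown above; 0, 1 and 3 are constructed
# (PRCB addresses and counters are synthetic), with processor 1 spiking.
SAMPLE = (
    _prcb_text(0, 0xffffe480b3480180, 0x0a000000, 0x2000, 0x3000, 0x00e70000, 0x00410000)
    + _prcb_text(1, 0xffffe480b3540180, 0x3a000000, 0x2a0000, 0x150000, 0x00a00000, 0x00300000)
    + _prcb_text(2, 0xffffe480b3600180, 0x0cadbd58, 0x219c, 0x2ae0, 0x00e7808e, 0x0041303b)
    + _prcb_text(3, 0xffffe480b36c0180, 0x0b000000, 0x1f00, 0x2c00, 0x00e7a000, 0x00412000)
)

if __name__ == "__main__":
    cpus = parse_prcb(SAMPLE)
    for c in cpus:
        print(f"CPU {c['cpu']}: ISR+DPC {ticks_to_str(isr_dpc_ticks(c))} "
              f"({isr_dpc_share(c):.2%}), {c['interrupts']} interrupts")
    print("spiking:", spiking_cpus(cpus))
```

Run !prcb for every processor (0 to the number reported by !cpuinfo minus one) into one log and feed the log to parse_prcb; a CPU flagged here is the one whose ISRs and DPCs deserve a look with !dpcs and the interrupt-related stacks in the dump.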

We should also be aware that Windows 11 has DPC delegate threads (in addition to the Idle threads) that are always shown as RUNNING even when they are swapped out, as their nt!KiSwapContext stacks below show. We can also check their context switch counts and kernel times:

0: kd> !process fffff80443332b00
PROCESS fffff80443332b00
SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
DirBase: 001ae002 ObjectTable: ffff82869fa52800 HandleCount: 3321.
Image: Idle
VadRoot ffffce8384257f70 Vads 2 Clone 0 Private 9. Modified 2094. Locked 0.
DeviceMap 0000000000000000
Token ffff82869fa1f120
ElapsedTime 3 Days 23:10:01.662
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 272
Working Set Sizes (now,min,max) (9, 50, 450) (36KB, 200KB, 1800KB)
PeakWorkingSetSize 2
VirtualSize 0 Mb
PeakVirtualSize 0 Mb
PageFaultCount 9
MemoryPriority BACKGROUND
BasePriority 0
CommitCharge 15

THREAD fffff80443335bc0 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21906707 Ticks: 20013 (0:00:05:12.703)
Context Switch Count 72626555 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 3 Days 06:22:34.281
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init fffff8043f4beb70 Current fffff8043f4beb00
Base fffff8043f4bf000 Limit fffff8043f4b8000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 5
Child-SP RetAddr Call Site
fffff804`3f4be490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
fffff804`3f4be4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
fffff804`3f4be970 fffff804`42a16a74 nt!PoIdle+0x3a6
fffff804`3f4beb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b3519240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905854 Ticks: 20866 (0:00:05:26.031)
Context Switch Count 83248123 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 3 Days 08:20:45.812
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe822fb70 Current ffffa30fe822fb00
Base ffffa30fe8230000 Limit ffffa30fe8229000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e822f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e822f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e822f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e822fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b360c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21926718 Ticks: 2 (0:00:00:00.031)
Context Switch Count 90942117 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 2 Days 15:59:04.671
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe823fb70 Current ffffa30fe823fb00
Base ffffa30fe8240000 Limit ffffa30fe8239000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e823f6c8 fffff804`42b5d0f6 nt!KeBugCheckEx
ffffa30f`e823f6d0 fffff804`43068f46 nt!PnpBugcheckPowerTimeout+0x76
ffffa30f`e823f730 fffff804`428dcc74 nt!PopBuildDeviceNotifyListWatchdog+0x16
ffffa30f`e823f760 fffff804`428db264 nt!KiProcessExpiredTimerList+0x204
ffffa30f`e823f890 fffff804`42a16abe nt!KiRetireDpcList+0x714
ffffa30f`e823fb40 00000000`00000000 nt!KiIdleLoop+0x9e

THREAD ffffe480b370c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905684 Ticks: 21036 (0:00:05:28.687)
Context Switch Count 66067949 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 3 Days 08:02:26.906
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe824fb70 Current ffffa30fe824fb00
Base ffffa30fe8250000 Limit ffffa30fe8249000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e824f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e824f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e824f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e824fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b380c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905843 Ticks: 20877 (0:00:05:26.203)
Context Switch Count 91986345 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 3 Days 05:20:02.156
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe825fb70 Current ffffa30fe825fb00
Base ffffa30fe8260000 Limit ffffa30fe8259000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e825f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e825f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e825f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e825fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b389d240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905822 Ticks: 20898 (0:00:05:26.531)
Context Switch Count 78668897 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 3 Days 08:24:03.187
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe826fb70 Current ffffa30fe826fb00
Base ffffa30fe8270000 Limit ffffa30fe8269000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e826f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e826f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e826f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e826fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b39b3240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905853 Ticks: 20867 (0:00:05:26.046)
Context Switch Count 96137826 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 3 Days 06:36:10.375
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe827fb70 Current ffffa30fe827fb00
Base ffffa30fe8280000 Limit ffffa30fe8279000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e827f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e827f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e827f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e827fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffe480b3b0c240 Cid 0000.0000 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21905670 Ticks: 21050 (0:00:05:28.906)
Context Switch Count 39349487 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 3 Days 06:49:50.156
Win32 Start Address nt!KiIdleLoop (0xfffff80442a16a20)
Stack Init ffffa30fe828fb70 Current ffffa30fe828fb00
Base ffffa30fe8290000 Limit ffffa30fe8289000 Call 0000000000000000
Priority 0 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e828f490 fffff804`428eaa41 nt!PpmIdleGuestExecute+0x1d
ffffa30f`e828f4d0 fffff804`428ea256 nt!PpmIdleExecuteTransition+0x661
ffffa30f`e828f970 fffff804`42a16a74 nt!PoIdle+0x3a6
ffffa30f`e828fb40 00000000`00000000 nt!KiIdleLoop+0x54

THREAD ffffce8384321140 Cid 0000.002c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21906745 Ticks: 19975 (0:00:05:12.109)
Context Switch Count 55086 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.234
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82bfb70 Current ffffa30fe82bf8b0
Base ffffa30fe82c0000 Limit ffffa30fe82b9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82bf8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82bfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82bfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82bfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384362080 Cid 0000.0034 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 16926767 Ticks: 4999953 (0:21:42:04.265)
Context Switch Count 4968 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82cfb70 Current ffffa30fe82cf8b0
Base ffffa30fe82d0000 Limit ffffa30fe82c9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82cf8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82cfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82cfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82cfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce83842f7040 Cid 0000.003c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21631408 Ticks: 295312 (0:01:16:54.250)
Context Switch Count 522 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82dfb70 Current ffffa30fe82df8b0
Base ffffa30fe82e0000 Limit ffffa30fe82d9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82df8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82dfa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82dfb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82dfb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384367040 Cid 0000.0044 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 21667748 Ticks: 258972 (0:01:07:26.437)
Context Switch Count 301 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82efb70 Current ffffa30fe82ef8b0
Base ffffa30fe82f0000 Limit ffffa30fe82e9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82ef8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82efa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82efb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82efb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce8384369040 Cid 0000.004c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 4
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20333183 Ticks: 1593537 (0:06:54:59.015)
Context Switch Count 405 IdealProcessor: 4
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe82ffb70 Current ffffa30fe82ff8b0
Base ffffa30fe8300000 Limit ffffa30fe82f9000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e82ff8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e82ffa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e82ffb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e82ffb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436b040 Cid 0000.0054 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 5
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 4760713 Ticks: 17166007 (3:02:30:18.859)
Context Switch Count 118 IdealProcessor: 5
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe830fb70 Current ffffa30fe830f8b0
Base ffffa30fe8310000 Limit ffffa30fe8309000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e830f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e830fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e830fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e830fb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436d040 Cid 0000.005c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 6
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20662898 Ticks: 1263822 (0:05:29:07.218)
Context Switch Count 249 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe831fb70 Current ffffa30fe831f8b0
Base ffffa30fe8320000 Limit ffffa30fe8319000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e831f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e831fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e831fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e831fb40 00000000`00000000 nt!KiStartSystemThread+0x34

THREAD ffffce838436f040 Cid 0000.0064 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 7
Not impersonating
DeviceMap ffff82869fa63c00
Owning Process fffff80443332b00 Image: Idle
Attached Process ffffce83842e6040 Image: System
Wait Start TickCount 20547550 Ticks: 1379170 (0:05:59:09.531)
Context Switch Count 196 IdealProcessor: 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!KiExecuteDpcDelegate (0xfffff804429bb820)
Stack Init ffffa30fe832fb70 Current ffffa30fe832f8b0
Base ffffa30fe8330000 Limit ffffa30fe8329000 Call 0000000000000000
Priority 63 BasePriority 0 PriorityDecrement 0 IoPriority 0 PagePriority 0
Child-SP RetAddr Call Site
ffffa30f`e832f8f0 fffff804`4285dc17 nt!KiSwapContext+0x76
ffffa30f`e832fa30 fffff804`429bb87c nt!KiSwapThread+0x3a7
ffffa30f`e832fb10 fffff804`42a16c24 nt!KiExecuteDpcDelegate+0x5c
ffffa30f`e832fb40 00000000`00000000 nt!KiStartSystemThread+0x34

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 36b)

Tuesday, October 5th, 2021

When we added Local Buffer Overflow in 2007, we only added a short WinDbg output snippet of a user space example and didn't elaborate much on stack reconstruction (although we wrote a separate modeling example, albeit a 32-bit one). Instead, we referenced a book on that topic that was available at that time. When working on the new exercise for the 5th edition of Accelerated Windows Memory Dump Analysis we realized that the kernel space example was missing. Many other patterns have separate user space and kernel space variants.

In addition to Incorrect Stack Traces we may also have Truncated Stack Traces:

1: kd> kc
# Call Site
00 nt!KeBugCheckEx
01 nt!KiDispatchException
02 nt!KiExceptionDispatch
03 nt!KiPageFault

To attempt stack trace reconstruction we need the boundaries of the stack region: its base (the upper address, since the stack grows towards lower addresses) and the stack pointer address at the time of the fault. We get both from the output of the !thread and .trap WinDbg commands:

1: kd> !thread
THREAD ffff9a8e065f7080 Cid 1e7c.1e80 Teb: 000000ce1b0a7000 Win32Thread: ffff9a8e064c9a60 RUNNING on processor 1
[...]
Base ffffce833784d000 Limit ffffce8337847000 Call 0000000000000000
[…]
ffffce83`3784c950 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`7e7f5e51 : nt!KiPageFault+0x443 (TrapFrame @ ffffce83`3784c950)

1: kd> .trap ffffce83`3784c950
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff8017f831b7f
rdx=fffff8017f830000 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=ffffce833784cae0 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000000 r10=ffff9a8e060b62c0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
00000000`00000000 ?? ???

We see that we have NULL Pointer (Code) here. We now try stack addresses one by one, starting from the top of the Execution Residue listing, until we get a good stack trace:

1: kd> dps ffffce833784cae0 ffffce833784d000
ffffce83`3784cae0 00000000`00000000
ffffce83`3784cae8 00000000`00000000
ffffce83`3784caf0 00000000`00000000
ffffce83`3784caf8 fffff801`7e7f5e51 nt!ObpReferenceObjectByHandleWithTag+0x231
ffffce83`3784cb00 00000000`00000000
ffffce83`3784cb08 ffff868e`00000000
ffffce83`3784cb10 ffff86a6`83360010
ffffce83`3784cb18 ffff9a8e`05e8f990
ffffce83`3784cb20 ffff9a8e`060b62c0
ffffce83`3784cb28 00000000`00000000
ffffce83`3784cb30 ffff9a8e`06794a70
ffffce83`3784cb38 fffff801`7e48f865 nt!IofCallDriver+0x55
ffffce83`3784cb40 ffff9a8e`05e8f960
ffffce83`3784cb48 00000000`00000001
ffffce83`3784cb50 ffffce83`3784cec0
ffffce83`3784cb58 00000000`00000001
ffffce83`3784cb60 ffff9a8e`060b62c0
ffffce83`3784cb68 ffff9a8e`05e8fa78
ffffce83`3784cb70 ffff9a8e`06794a70
ffffce83`3784cb78 fffff801`7e875328 nt!IopSynchronousServiceTail+0x1a8
ffffce83`3784cb80 ffffce83`3784cec0
ffffce83`3784cb88 ffff9a8e`05e8f960
ffffce83`3784cb90 00000000`00000001
[…]

1: kd> k L=ffffce83`3784caf8
# Child-SP RetAddr Call Site
00 ffffce83`3784caf8 fffff801`7e7f5e51 0x0
01 ffffce83`3784cb00 ffff9a8e`05e8f960 nt!ObpReferenceObjectByHandleWithTag+0x231
02 ffffce83`3784cb90 00000000`00000001 0xffff9a8e`05e8f960
03 ffffce83`3784cb98 fffff801`00000000 0x1
04 ffffce83`3784cba0 00000000`00000000 0xfffff801`00000000

1: kd> k L=ffffce83`3784cb38
# Child-SP RetAddr Call Site
00 ffffce83`3784cb38 fffff801`7e48f865 0x0
01 ffffce83`3784cb40 fffff801`7e875328 nt!IofCallDriver+0x55
02 ffffce83`3784cb80 fffff801`7e874bf5 nt!IopSynchronousServiceTail+0x1a8
03 ffffce83`3784cc20 fffff801`7e8745f6 nt!IopXxxControlFile+0x5e5
04 ffffce83`3784cd60 fffff801`7e608bb5 nt!NtDeviceIoControlFile+0x56
05 ffffce83`3784cdd0 00007ffb`8dc6ce54 nt!KiSystemServiceCopyEnd+0x25
06 000000ce`1b2fea68 00000000`00000000 0x00007ffb`8dc6ce54

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 60c)

Sunday, October 3rd, 2021

This part is a kernel space counterpart to the unmanaged user space Execution Residue. We get the boundaries of the stack region from the output of the !thread command:

THREAD ffff9a8e065f7080 Cid 1e7c.1e80 Teb: 000000ce1b0a7000 Win32Thread: ffff9a8e064c9a60 RUNNING on processor 1
IRP List:
ffff9a8e05e8f960: (0006,0118) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap ffffaa81e3622e30
Owning Process ffff9a8e06992080 Image: process.exe
Attached Process N/A Image: N/A
Wait Start TickCount 7953 Ticks: 1 (0:00:00:00.015)
Context Switch Count 1386 IdealProcessor: 1
UserTime 00:00:00.046
KernelTime 00:00:00.078
Win32 Start Address 0x00007ff79e985384
Stack Init ffffce833784cfd0 Current ffffce833784c690
Base ffffce833784d000 Limit ffffce8337847000 Call 0000000000000000
Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5

0: kd> dps ffffce8337847000 ffffce833784d000
[…]
ffffce83`3784b720 ffffffff`c0000000
ffffce83`3784b728 00000000`00040000
ffffce83`3784b730 fffff801`7e6f3b90 nt!HvlGetEncryptedData
ffffce83`3784b738 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784b740 00000000`00000000
ffffce83`3784b748 00000000`00000001
ffffce83`3784b750 fffff801`860d0b70 crashdmp!Context+0x50
ffffce83`3784b758 fffff801`860c695c crashdmp!DumpWrite+0x474
ffffce83`3784b760 fffff801`860d0b70 crashdmp!Context+0x50
ffffce83`3784b768 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784b770 00000000`50404286
ffffce83`3784b778 00000000`00002000
ffffce83`3784b780 00000000`0001f900
ffffce83`3784b788 fffff801`860cc123 crashdmp!CrashdmpTelemetrySaveEnvironmentVariable+0x5f
ffffce83`3784b790 ffff785d`5e18d8e1
ffffce83`3784b798 fffff801`860c290d crashdmp!CheckContextIntegrity+0x6d
ffffce83`3784b7a0 ffffffff`c0000005
ffffce83`3784b7a8 ffff9a8e`065f7080
ffffce83`3784b7b0 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784b7b8 00000000`0000001e
ffffce83`3784b7c0 00000000`00000000
ffffce83`3784b7c8 fffff801`860c50d6 crashdmp!CrashdmpWrite+0x1f6
ffffce83`3784b7d0 00000000`00000000
ffffce83`3784b7d8 ffffce83`3784b900
ffffce83`3784b7e0 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784b7e8 00000000`00000000
ffffce83`3784b7f0 00000000`00000000
ffffce83`3784b7f8 fffff801`7e6fdf0e nt!IoWriteCrashDump+0x53e
ffffce83`3784b800 ffffce83`3784bae0
ffffce83`3784b808 ffffce83`3784b900
ffffce83`3784b810 ffffce83`3784bae0
ffffce83`3784b818 00000000`00000000
ffffce83`3784b820 0067006f`00720050
ffffce83`3784b828 00730073`00650072
ffffce83`3784b830 00540050`00450000
ffffce83`3784b838 005f004e`004f0000
ffffce83`3784b840 00000000`00000000
ffffce83`3784b848 00000000`00000000
ffffce83`3784b850 00000000`00000000
ffffce83`3784b858 00000000`00000000
ffffce83`3784b860 ffff3902`484e7864
ffffce83`3784b868 fffff801`7e5c6b1a nt!IopIsAddressRangeValid+0x3e
ffffce83`3784b870 00000000`00c33a01
ffffce83`3784b878 00000000`00000008
ffffce83`3784b880 00000000`00000000
ffffce83`3784b888 00000000`00140000
ffffce83`3784b890 ffff9a8e`00f04038
ffffce83`3784b898 00000dff`00000000
ffffce83`3784b8a0 00000000`00000000
ffffce83`3784b8a8 ffff9a8e`065f7080
ffffce83`3784b8b0 ffffffff`c0000005
ffffce83`3784b8b8 fffff801`7e6fd6d0 nt!IoSetDumpRange
ffffce83`3784b8c0 fffff801`7e6fd060 nt!IoFreeDumpRange
ffffce83`3784b8c8 ffffce83`3784b888
ffffce83`3784b8d0 ffff9a8e`00f04000
ffffce83`3784b8d8 00000000`00000000
ffffce83`3784b8e0 00000000`00000000
ffffce83`3784b8e8 ffffffff`c0000005
ffffce83`3784b8f0 00000000`00000000
ffffce83`3784b8f8 00000000`00000008
ffffce83`3784b900 00000000`00000000
ffffce83`3784b908 ffff3902`484e7824
ffffce83`3784b910 00000000`0000001e
ffffce83`3784b918 ffff9a8e`065f7080
ffffce83`3784b920 00000000`00000001
ffffce83`3784b928 00000000`00000000
ffffce83`3784b930 00000000`00000003
ffffce83`3784b938 ffffd581`211c3180
ffffce83`3784b940 00000000`00000001
ffffce83`3784b948 00000000`00000000
ffffce83`3784b950 ffffce83`3784ba60
ffffce83`3784b958 fffff801`7e712456 nt!KeBugCheck2+0xca6
ffffce83`3784b960 00000000`00000001
ffffce83`3784b968 ffff9a8e`032bc000
ffffce83`3784b970 fffff801`7ee31a00 nt!KeBugCheckReasonCallbackListHead
ffffce83`3784b978 fffff801`7ee31a00 nt!KeBugCheckReasonCallbackListHead
ffffce83`3784b980 00000000`00000000
ffffce83`3784b988 ffffce83`3784bae0
ffffce83`3784b990 ffff9a8e`065f7080
ffffce83`3784b998 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784b9a0 ffffce83`3784c000
ffffce83`3784b9a8 00000000`00000000
ffffce83`3784b9b0 00000101`01000001
ffffce83`3784b9b8 ffff9a8e`065f7080
ffffce83`3784b9c0 00000000`0000001e
ffffce83`3784b9c8 00000000`00000000
ffffce83`3784b9d0 00000000`0000000f
ffffce83`3784b9d8 fffff801`7caf2100
ffffce83`3784b9e0 00000000`00000000
ffffce83`3784b9e8 00000000`00000000
ffffce83`3784b9f0 ffffd581`211c3180
ffffce83`3784b9f8 ffff86a6`00000004
ffffce83`3784ba00 00000000`00000000
ffffce83`3784ba08 ffff86a6`00000001
ffffce83`3784ba10 ffffce83`3784d000
ffffce83`3784ba18 ffffce83`37847000
ffffce83`3784ba20 fffff801`7e712bd0 nt!KiBugCheckProgress
ffffce83`3784ba28 fffff801`7e489594 nt!ExFreeHeapPool+0x4d4
ffffce83`3784ba30 00000000`00140001
ffffce83`3784ba38 00000000`00000001
ffffce83`3784ba40 00000000`00000000
ffffce83`3784ba48 00000000`00000000
ffffce83`3784ba50 00000000`00000000
ffffce83`3784ba58 00000000`00000000
ffffce83`3784ba60 00000000`00000000
ffffce83`3784ba68 00000000`00000000
ffffce83`3784ba70 00000000`00000000
ffffce83`3784ba78 00000000`00000000
ffffce83`3784ba80 00000000`00000000
ffffce83`3784ba88 00000000`00000000
ffffce83`3784ba90 00000000`00000000
ffffce83`3784ba98 00000000`00000000
ffffce83`3784baa0 00000000`00000000
ffffce83`3784baa8 00000000`00000000
ffffce83`3784bab0 00000000`00000000
ffffce83`3784bab8 00000000`00000000
ffffce83`3784bac0 00000000`00000000
ffffce83`3784bac8 00000000`00000000
ffffce83`3784bad0 00000000`00000000
ffffce83`3784bad8 fffff801`7e40ac67 nt!ExReleasePushLockSharedEx+0x37
ffffce83`3784bae0 00000000`00000000
ffffce83`3784bae8 00000000`00000000
ffffce83`3784baf0 00000000`00000000
ffffce83`3784baf8 00000000`00000000
ffffce83`3784bb00 00000000`00000000
ffffce83`3784bb08 00000000`00000000
ffffce83`3784bb10 00001f80`0010000f
ffffce83`3784bb18 0053002b`002b0010
ffffce83`3784bb20 00040246`0018002b
ffffce83`3784bb28 00000000`00000000
ffffce83`3784bb30 00000000`00000000
ffffce83`3784bb38 00000000`00000000
ffffce83`3784bb40 00000000`00000000
ffffce83`3784bb48 00000000`00000000
ffffce83`3784bb50 00000000`00000000
ffffce83`3784bb58 00000000`00000000
ffffce83`3784bb60 00000000`0000001e
ffffce83`3784bb68 ffffffff`c0000005
ffffce83`3784bb70 ffffce83`3784c8a8
ffffce83`3784bb78 ffffce83`3784c0a8
ffffce83`3784bb80 ffffce83`3784c5e0
ffffce83`3784bb88 ffffce83`3784c0e0
ffffce83`3784bb90 00000000`00000000
ffffce83`3784bb98 00000000`00000000
ffffce83`3784bba0 00000000`00000008
ffffce83`3784bba8 ffffce83`3784c8a8
ffffce83`3784bbb0 fffff801`7f000028 nt!PsInvertedFunctionTable+0x18
ffffce83`3784bbb8 00000000`00000000
ffffce83`3784bbc0 00000000`00000000
ffffce83`3784bbc8 ffffce83`3784c950
ffffce83`3784bbd0 00000000`0010001f
ffffce83`3784bbd8 fffff801`7e5f71c0 nt!KeBugCheckEx
ffffce83`3784bbe0 00000000`0000027f
ffffce83`3784bbe8 00000000`00000000
ffffce83`3784bbf0 00000000`00000000
ffffce83`3784bbf8 00000000`00001f80
ffffce83`3784bc00 00000000`00000000
ffffce83`3784bc08 00000000`00000000
ffffce83`3784bc10 00000000`00000000
ffffce83`3784bc18 00000000`00000000
ffffce83`3784bc20 00000000`00000000
ffffce83`3784bc28 00000000`00000000
ffffce83`3784bc30 00000000`00000000
ffffce83`3784bc38 00000000`00000000
ffffce83`3784bc40 00000000`00000000
ffffce83`3784bc48 00000000`00000000
ffffce83`3784bc50 00000000`00000000
ffffce83`3784bc58 00000000`00000000
ffffce83`3784bc60 00000000`00000000
ffffce83`3784bc68 00000000`00000000
ffffce83`3784bc70 00000000`00000000
ffffce83`3784bc78 00000000`00000000
ffffce83`3784bc80 00000000`00000000
ffffce83`3784bc88 00000000`00000000
ffffce83`3784bc90 00000000`00000000
ffffce83`3784bc98 ffff86a6`006136a0
ffffce83`3784bca0 00000000`00000000
ffffce83`3784bca8 00000000`00000000
ffffce83`3784bcb0 00000000`00000000
ffffce83`3784bcb8 00000000`00000000
ffffce83`3784bcc0 00000000`00000000
ffffce83`3784bcc8 00000000`00000000
ffffce83`3784bcd0 00000000`00000000
ffffce83`3784bcd8 00000000`00000000
ffffce83`3784bce0 00000000`00000000
ffffce83`3784bce8 00000000`00000000
ffffce83`3784bcf0 00000000`00000000
ffffce83`3784bcf8 00000000`00000000
ffffce83`3784bd00 00000000`00000000
ffffce83`3784bd08 00000000`00000000
ffffce83`3784bd10 00000000`00000000
ffffce83`3784bd18 00000000`00000000
ffffce83`3784bd20 00000000`00000000
ffffce83`3784bd28 00000000`00000000
ffffce83`3784bd30 00000000`00000000
ffffce83`3784bd38 00000000`00000000
ffffce83`3784bd40 00000000`00000000
ffffce83`3784bd48 00000000`00000000
ffffce83`3784bd50 00000000`00000000
ffffce83`3784bd58 00000000`00000000
ffffce83`3784bd60 00000000`00000000
ffffce83`3784bd68 00000000`00000000
ffffce83`3784bd70 00000000`00000000
ffffce83`3784bd78 00000000`00000000
ffffce83`3784bd80 00000000`00000000
ffffce83`3784bd88 00000000`00000000
ffffce83`3784bd90 00000000`00000000
ffffce83`3784bd98 00000000`00000000
ffffce83`3784bda0 00000000`00000000
ffffce83`3784bda8 00000000`00000000
ffffce83`3784bdb0 00000000`00000000
ffffce83`3784bdb8 00000000`00000000
ffffce83`3784bdc0 00000000`00000000
ffffce83`3784bdc8 00000000`00000000
ffffce83`3784bdd0 00000000`00000000
ffffce83`3784bdd8 00000000`00000000
ffffce83`3784bde0 00000000`00000000
ffffce83`3784bde8 00000000`00000000
ffffce83`3784bdf0 00000000`00000000
ffffce83`3784bdf8 00000000`00000000
ffffce83`3784be00 00000000`00000000
ffffce83`3784be08 00000000`00000000
ffffce83`3784be10 00000000`00000000
ffffce83`3784be18 00000000`00000000
ffffce83`3784be20 00000000`00000000
ffffce83`3784be28 00000000`00000000
ffffce83`3784be30 00000000`00000000
ffffce83`3784be38 00000000`00000000
ffffce83`3784be40 00000000`00000000
ffffce83`3784be48 00000000`00000000
ffffce83`3784be50 00000000`00000000
ffffce83`3784be58 00000000`00000000
ffffce83`3784be60 00000000`00000000
ffffce83`3784be68 00000000`00000000
ffffce83`3784be70 00000000`00000000
ffffce83`3784be78 00000000`00000000
ffffce83`3784be80 00000000`00000000
ffffce83`3784be88 00000000`00000000
ffffce83`3784be90 00000000`00000000
ffffce83`3784be98 00000000`00000000
ffffce83`3784bea0 00000000`00000000
ffffce83`3784bea8 00000000`00000000
ffffce83`3784beb0 00000000`00000000
ffffce83`3784beb8 00000000`00000000
ffffce83`3784bec0 00000000`00000000
ffffce83`3784bec8 00000000`00000000
ffffce83`3784bed0 00000000`00000000
ffffce83`3784bed8 00000000`00000000
ffffce83`3784bee0 00000000`00000000
ffffce83`3784bee8 00000000`00000000
ffffce83`3784bef0 00000000`00000000
ffffce83`3784bef8 00000000`00000000
ffffce83`3784bf00 00000000`00000000
ffffce83`3784bf08 00000000`00000000
ffffce83`3784bf10 00000000`00000000
ffffce83`3784bf18 00000000`00000000
ffffce83`3784bf20 00000000`00000000
ffffce83`3784bf28 00000000`00000000
ffffce83`3784bf30 00000000`00000000
ffffce83`3784bf38 00000000`00000000
ffffce83`3784bf40 00000000`00000000
ffffce83`3784bf48 00000000`00000000
ffffce83`3784bf50 00000000`00000000
ffffce83`3784bf58 00000000`00000000
ffffce83`3784bf60 00000000`00000000
ffffce83`3784bf68 00000000`00000000
ffffce83`3784bf70 00000000`00000000
ffffce83`3784bf78 00000000`00000000
ffffce83`3784bf80 00000000`00000000
ffffce83`3784bf88 00000000`00000000
ffffce83`3784bf90 00000000`00000000
ffffce83`3784bf98 00000000`00000000
ffffce83`3784bfa0 00000000`00000000
ffffce83`3784bfa8 00000000`00000000
ffffce83`3784bfb0 00000000`00000000
ffffce83`3784bfb8 00000000`00000000
ffffce83`3784bfc0 00000000`00000000
ffffce83`3784bfc8 00000000`00000000
ffffce83`3784bfd0 00000000`00000000
ffffce83`3784bfd8 00000000`00000000
ffffce83`3784bfe0 00000000`00000000
ffffce83`3784bfe8 00000000`00000000
ffffce83`3784bff0 00000000`00000000
ffffce83`3784bff8 00000000`00000000
ffffce83`3784c000 00000000`00000000
ffffce83`3784c008 00000000`00000000
ffffce83`3784c010 00000000`00000000
ffffce83`3784c018 00000000`00000000
ffffce83`3784c020 00000000`00000000
ffffce83`3784c028 00000000`00000000
ffffce83`3784c030 00000000`0010001f
ffffce83`3784c038 ffffce83`3784c950
ffffce83`3784c040 00000000`00000000
ffffce83`3784c048 00000000`00000000
ffffce83`3784c050 00000000`00000000
ffffce83`3784c058 ffffce83`3784c0e0
ffffce83`3784c060 ffffce83`3784c5e0
ffffce83`3784c068 fffff801`7e5f72c7 nt!KeBugCheckEx+0x107
ffffce83`3784c070 ffffce83`3784c8a8
ffffce83`3784c078 ffffce83`3784c5e0
ffffce83`3784c080 ffffce83`3784c8a8
ffffce83`3784c088 00000000`00000000
ffffce83`3784c090 00000000`00000000
ffffce83`3784c098 00000000`00000000
ffffce83`3784c0a0 00000000`00040246
ffffce83`3784c0a8 fffff801`7e659ecb nt!KiDispatchException+0x17467b
ffffce83`3784c0b0 00000000`0000001e
ffffce83`3784c0b8 ffffffff`c0000005
ffffce83`3784c0c0 00000000`00000000
ffffce83`3784c0c8 00000000`00000008
ffffce83`3784c0d0 00000000`00000000
ffffce83`3784c0d8 00000000`00000001
ffffce83`3784c0e0 ffff86a6`0312a600
ffffce83`3784c0e8 ffff86a6`0312a688
ffffce83`3784c0f0 ffff86a6`0312a4e8
ffffce83`3784c0f8 00000000`00000d0d
ffffce83`3784c100 00000001`00000000
ffffce83`3784c108 00000000`00000000
ffffce83`3784c110 00001f80`0010001f
ffffce83`3784c118 0053002b`002b0010
ffffce83`3784c120 00050282`0018002b
ffffce83`3784c128 00000000`00000000
ffffce83`3784c130 00000000`00000000
ffffce83`3784c138 00000000`00000000
ffffce83`3784c140 00000000`00000000
ffffce83`3784c148 00000000`00000000
ffffce83`3784c150 00000000`00000000
[…]
ffffce83`3784cda0 00000000`00000000
ffffce83`3784cda8 ffffce83`00000000
ffffce83`3784cdb0 ffff86a6`00000001
ffffce83`3784cdb8 00000000`00000000
ffffce83`3784cdc0 ffffaa81`e634c9c0
ffffce83`3784cdc8 fffff801`7e608bb5 nt!KiSystemServiceCopyEnd+0x25
ffffce83`3784cdd0 00000000`00000000
ffffce83`3784cdd8 ffff1496`0a767479
ffffce83`3784cde0 00000000`0002034c
ffffce83`3784cde8 000002aa`2d0d0180
ffffce83`3784cdf0 000000ce`1b2feac0
ffffce83`3784cdf8 00000023`83360010
ffffce83`3784ce00 00000000`00000000
ffffce83`3784ce08 00000000`00000000
ffffce83`3784ce10 00000000`00000000
ffffce83`3784ce18 00000000`00000000
ffffce83`3784ce20 ffff9a8e`065f7080
ffffce83`3784ce28 00000000`00000000
ffffce83`3784ce30 ffff9a8e`065f7080
ffffce83`3784ce38 fffff801`7e608bb5 nt!KiSystemServiceCopyEnd+0x25
ffffce83`3784ce40 00000000`00000001
ffffce83`3784ce48 ffffce83`38b5db80
ffffce83`3784ce50 000002aa`00000000
ffffce83`3784ce58 ffff868e`e8876c88 win32k!NtUserKillTimer
ffffce83`3784ce60 000000ce`00000000
ffffce83`3784ce68 00001f80`02080000
ffffce83`3784ce70 00000000`00000007
ffffce83`3784ce78 00000000`000001e4
ffffce83`3784ce80 00000000`00000000
ffffce83`3784ce88 000000ce`1b2ff5b8
ffffce83`3784ce90 000000ce`1b2ff689
ffffce83`3784ce98 00000000`00000000
ffffce83`3784cea0 00000000`00000246
ffffce83`3784cea8 000000ce`1b0a7000
ffffce83`3784ceb0 00000000`00000000
ffffce83`3784ceb8 00000000`00000000
ffffce83`3784cec0 00000000`00000000
ffffce83`3784cec8 00000000`00000000
ffffce83`3784ced0 00000000`00000000
ffffce83`3784ced8 00000000`00000000
ffffce83`3784cee0 00000000`00000000
ffffce83`3784cee8 00000000`00000000
ffffce83`3784cef0 00000000`00000000
ffffce83`3784cef8 00000000`00000000
ffffce83`3784cf00 00000000`00000000
ffffce83`3784cf08 00000000`00000000
ffffce83`3784cf10 00007ffb`8a73a5c2
ffffce83`3784cf18 00000000`00000000
ffffce83`3784cf20 00000000`00000000
ffffce83`3784cf28 00000000`00000000
ffffce83`3784cf30 00000000`00000000
ffffce83`3784cf38 00000000`00000000
ffffce83`3784cf40 00000000`00000000
ffffce83`3784cf48 00000000`00000000
ffffce83`3784cf50 00000000`00000000
ffffce83`3784cf58 00000000`00000000
ffffce83`3784cf60 00000000`00000000
ffffce83`3784cf68 00000000`00000000
ffffce83`3784cf70 00000000`00000000
ffffce83`3784cf78 00000000`00000000
ffffce83`3784cf80 00000000`00000000
ffffce83`3784cf88 00000000`000001e4
ffffce83`3784cf90 00000000`00000000
ffffce83`3784cf98 00000000`000001e4
ffffce83`3784cfa0 00000000`00000100
ffffce83`3784cfa8 00007ffb`8dc6ce54
ffffce83`3784cfb0 00000000`00000033
ffffce83`3784cfb8 00000000`00000246
ffffce83`3784cfc0 000000ce`1b2fea68
ffffce83`3784cfc8 00000000`0000002b
ffffce83`3784cfd0 ffffce83`3784d000
ffffce83`3784cfd8 ffffce83`37847000
ffffce83`3784cfe0 ffffce83`38b5e000
ffffce83`3784cfe8 ffffce83`38b58000
ffffce83`3784cff0 ffffce83`38b5d420
ffffce83`3784cff8 ffffce83`38b5dc90
ffffce83`3784d000 ????????`????????

In the case of Self-Diagnosis bugchecks, the execution residue of Effect Components (such as crashdmp and dump_diskdump) overwrites the previous pre-bugcheck execution residue, which makes reconstruction of the Past Stack Trace impossible.

However, before the Effect Components are executed, the content of the stack region is saved in a special area of the same size (Base - Limit):

0: kd> ? ffffce833784d000 - ffffce8337847000
Evaluate expression: 24576 = 00000000`00006000

0: kd> dps KiPreBugcheckStackSaveArea KiPreBugcheckStackSaveArea+6000
[…]
fffff801`7ee2f9f0 00000000`00000034
fffff801`7ee2f9f8 00000000`00000015
fffff801`7ee2fa00 ffff868e`e836edb0 win32kfull!vSrcTranCopyS8D32
fffff801`7ee2fa08 00000000`00000005
fffff801`7ee2fa10 00000000`0000000d
fffff801`7ee2fa18 00000000`00000014
fffff801`7ee2fa20 ffffce83`3784c020
fffff801`7ee2fa28 ffff868e`e8379289 win32kfull!vExpandAndCopyText+0x499
fffff801`7ee2fa30 ffff86a6`03358c65
fffff801`7ee2fa38 00000000`00000005
fffff801`7ee2fa40 ffff86a6`00000024
fffff801`7ee2fa48 ffff86a6`03361644
fffff801`7ee2fa50 00000000`ffcce4f7
fffff801`7ee2fa58 00000000`0000001f
fffff801`7ee2fa60 00000000`00000138
fffff801`7ee2fa68 00000000`00000000
fffff801`7ee2fa70 00000000`00000000
fffff801`7ee2fa78 00000000`ffcce4f7
fffff801`7ee2fa80 ffff86a6`03b27840
fffff801`7ee2fa88 00000000`0000002f
fffff801`7ee2fa90 00000000`00000024
fffff801`7ee2fa98 ffffce83`3784c68c
fffff801`7ee2faa0 00000000`0000002a
fffff801`7ee2faa8 fffff801`00000014
fffff801`7ee2fab0 00000000`0000002a
fffff801`7ee2fab8 ffff86a6`03358a90
fffff801`7ee2fac0 ffff868e`e836edb0 win32kfull!vSrcTranCopyS8D32
fffff801`7ee2fac8 ffffce83`3784c020
fffff801`7ee2fad0 ffff86a6`00000000
fffff801`7ee2fad8 ffff86a6`03b27840
fffff801`7ee2fae0 00000001`00000020
fffff801`7ee2fae8 00000000`00000138
fffff801`7ee2faf0 00000000`00000000
fffff801`7ee2faf8 ffff86a6`03356000
fffff801`7ee2fb00 ffff86a6`00000138
fffff801`7ee2fb08 ffff868e`e83c35a0 win32kfull!draw_clrt_nf_ntb_o_to_temp_start
fffff801`7ee2fb10 ffffce83`3784c010
fffff801`7ee2fb18 ffff86a6`03b27840
fffff801`7ee2fb20 ffff86a6`00911000
fffff801`7ee2fb28 ffff86a6`0312a4e8
fffff801`7ee2fb30 ffff86a6`0312a600
fffff801`7ee2fb38 ffff86a6`03b27840
fffff801`7ee2fb40 ffff868e`e83c35a0 win32kfull!draw_clrt_nf_ntb_o_to_temp_start
fffff801`7ee2fb48 ffff868e`e8559d80 win32kfull!draw_clrt_f_ntb_o_to_temp_start
fffff801`7ee2fb50 ffff86a6`03360000
fffff801`7ee2fb58 fffff801`7e407bae nt!ExAcquirePushLockExclusiveEx+0xee
fffff801`7ee2fb60 ffff9a8e`065f7080
fffff801`7ee2fb68 ffff86a6`00200280
fffff801`7ee2fb70 00000000`00000000
fffff801`7ee2fb78 00000000`00000000
fffff801`7ee2fb80 00000000`00000000
fffff801`7ee2fb88 ffff86a6`00200290
fffff801`7ee2fb90 00000000`00000022
fffff801`7ee2fb98 00000000`00000210
fffff801`7ee2fba0 00000000`00000000
fffff801`7ee2fba8 ffffce83`3784b85c
fffff801`7ee2fbb0 ffff86a6`00911000
fffff801`7ee2fbb8 00000000`00000000
fffff801`7ee2fbc0 00000000`00000000
fffff801`7ee2fbc8 fffff801`7e4dc26a nt!RtlpHpReleaseQueuedLockExclusive+0x20a
fffff801`7ee2fbd0 ffffce83`3784b9e0
fffff801`7ee2fbd8 ffff86a6`00200280
fffff801`7ee2fbe0 00000000`00040246
fffff801`7ee2fbe8 fffff801`7e49af8b nt!KeQueryCurrentStackInformationEx+0x8b
fffff801`7ee2fbf0 00000000`00000000
fffff801`7ee2fbf8 ffffce83`3784b9e0
fffff801`7ee2fc00 00000000`00000210
fffff801`7ee2fc08 ffff86a6`03358a60
fffff801`7ee2fc10 ffffce83`3784d000
fffff801`7ee2fc18 ffffce83`37847000
fffff801`7ee2fc20 00000000`00000000
fffff801`7ee2fc28 ffffce83`3784bf00
fffff801`7ee2fc30 00000000`00000000
fffff801`7ee2fc38 00000000`00000000
fffff801`7ee2fc40 ffffce83`3784b9f8
fffff801`7ee2fc48 fffff801`7e4e6aae nt!KeQueryCurrentStackInformation+0x2e
fffff801`7ee2fc50 ffffce83`3784ba10
fffff801`7ee2fc58 ffffce83`3784ba18
fffff801`7ee2fc60 ffffce83`3784ba60
fffff801`7ee2fc68 00000000`00000000
fffff801`7ee2fc70 00000000`00000008
fffff801`7ee2fc78 fffff801`7e7119e1 nt!KeBugCheck2+0x231
fffff801`7ee2fc80 00000000`00000000
fffff801`7ee2fc88 00000000`00000000
fffff801`7ee2fc90 00000000`00000000
fffff801`7ee2fc98 ffffce83`3784c8a8
fffff801`7ee2fca0 ffffce83`3784b9d0
fffff801`7ee2fca8 fffff801`7e65a4dc nt!RtlDispatchException+0x17399c
fffff801`7ee2fcb0 ffffce83`3784bed0
fffff801`7ee2fcb8 00000000`00000000
fffff801`7ee2fcc0 ffffce83`3784c0e0
fffff801`7ee2fcc8 00000000`00000000
fffff801`7ee2fcd0 00000101`01000000
fffff801`7ee2fcd8 ffff9a8e`065f7080
fffff801`7ee2fce0 00000000`0000001e
fffff801`7ee2fce8 00000000`00000000
fffff801`7ee2fcf0 00000000`0000000f
fffff801`7ee2fcf8 fffff801`7caf2100
fffff801`7ee2fd00 00000000`00000000
fffff801`7ee2fd08 00000000`00000000
fffff801`7ee2fd10 00000000`00000000
fffff801`7ee2fd18 ffff86a6`00000004
fffff801`7ee2fd20 00000000`00000000
fffff801`7ee2fd28 ffff86a6`03350010
fffff801`7ee2fd30 ffffce83`3784d000
fffff801`7ee2fd38 ffffce83`37847000
fffff801`7ee2fd40 fffff801`7e712bd0 nt!KiBugCheckProgress
fffff801`7ee2fd48 fffff801`7e489594 nt!ExFreeHeapPool+0x4d4
fffff801`7ee2fd50 00000000`00000000
fffff801`7ee2fd58 00000000`00000000
fffff801`7ee2fd60 00000000`00000000
fffff801`7ee2fd68 00000000`00000000
fffff801`7ee2fd70 00000000`00000000
fffff801`7ee2fd78 00000000`00000000
fffff801`7ee2fd80 00000000`00000000
fffff801`7ee2fd88 00000000`00000000
fffff801`7ee2fd90 00000000`00000000
fffff801`7ee2fd98 00000000`00000000
fffff801`7ee2fda0 00000000`00000000
fffff801`7ee2fda8 00000000`00000000
fffff801`7ee2fdb0 00000000`00000000
fffff801`7ee2fdb8 00000000`00000000
fffff801`7ee2fdc0 00000000`00000000
fffff801`7ee2fdc8 00000000`00000000
fffff801`7ee2fdd0 00000000`00000000
fffff801`7ee2fdd8 00000000`00000000
fffff801`7ee2fde0 00000000`00000000
fffff801`7ee2fde8 00000000`00000000
fffff801`7ee2fdf0 00000000`00000000
fffff801`7ee2fdf8 fffff801`7e40ac67 nt!ExReleasePushLockSharedEx+0x37
fffff801`7ee2fe00 ffff9a8e`00000002
fffff801`7ee2fe08 ffff86a6`00001f80
fffff801`7ee2fe10 ffff86a6`006136a0
fffff801`7ee2fe18 ffff86a6`0329ccd0
fffff801`7ee2fe20 00000000`000000bd
fffff801`7ee2fe28 ffff86a6`0329ccd0
fffff801`7ee2fe30 ffff86a6`03ac53f0
fffff801`7ee2fe38 ffff868e`e807e1d9 win32kbase!NSInstrumentation::CPlatformReaderWriterLock::ReleaseShared+0x19
fffff801`7ee2fe40 ffff86a6`006163d0
fffff801`7ee2fe48 ffff868e`00000003
fffff801`7ee2fe50 00000000`00000000
fffff801`7ee2fe58 ffff9a8e`00831120
fffff801`7ee2fe60 00000000`00000000
fffff801`7ee2fe68 ffff868e`e8123442 win32kbase!NSInstrumentation::CTypeIsolation<28672,112>::Free+0x8e
fffff801`7ee2fe70 00000000`00000000
fffff801`7ee2fe78 ffff86a6`006136a0
fffff801`7ee2fe80 ffff86a6`000000df
fffff801`7ee2fe88 00000000`00000000
fffff801`7ee2fe90 00000000`00000000
fffff801`7ee2fe98 ffff86a6`03358a70
fffff801`7ee2fea0 00000000`00000000
fffff801`7ee2fea8 ffff86a6`03358a90
fffff801`7ee2feb0 ffffce83`3784bcc0
fffff801`7ee2feb8 ffff868e`e837897f win32kfull!EngTextOut+0x68f
fffff801`7ee2fec0 ffff86a6`03358a90
fffff801`7ee2fec8 ffff86a6`03b27840
fffff801`7ee2fed0 ffffce83`3784bcc0
fffff801`7ee2fed8 00000000`00000005
fffff801`7ee2fee0 ffff86a6`03358a90
fffff801`7ee2fee8 ffff86a6`00000024
fffff801`7ee2fef0 00000000`00000000
fffff801`7ee2fef8 00000000`00000000
fffff801`7ee2ff00 00000000`00000000
fffff801`7ee2ff08 00000000`00000000
fffff801`7ee2ff10 00000000`00000000
fffff801`7ee2ff18 00000000`00000000
fffff801`7ee2ff20 00000000`00000000
fffff801`7ee2ff28 00000000`00000000
fffff801`7ee2ff30 00000000`00000000
fffff801`7ee2ff38 00000000`00000000
fffff801`7ee2ff40 00000000`00000000
fffff801`7ee2ff48 00000000`00000000
fffff801`7ee2ff50 00000000`00000000
fffff801`7ee2ff58 00000000`00000000
fffff801`7ee2ff60 00000000`00000000
fffff801`7ee2ff68 00000000`00000000
fffff801`7ee2ff70 00000000`00000000
fffff801`7ee2ff78 00000000`00000000
fffff801`7ee2ff80 00000000`00000000
fffff801`7ee2ff88 00000000`00000000
fffff801`7ee2ff90 ffffce83`3784c5d0
fffff801`7ee2ff98 00000000`00000000
fffff801`7ee2ffa0 ffff86a6`00000000
fffff801`7ee2ffa8 ffff86a6`03b27840
fffff801`7ee2ffb0 ffff86a6`03116220
fffff801`7ee2ffb8 00000000`000001d4
fffff801`7ee2ffc0 00000000`00000000
fffff801`7ee2ffc8 ffff86a6`03b27840
fffff801`7ee2ffd0 ffff86a6`03b27858
fffff801`7ee2ffd8 ffffce83`3784c68c
fffff801`7ee2ffe0 ffff86a6`0312a4e8
fffff801`7ee2ffe8 ffff86a6`0312a600
fffff801`7ee2fff0 ffff86a6`03b27840
fffff801`7ee2fff8 00000000`00000000
fffff801`7ee30000 00000000`00000000
fffff801`7ee30008 ffff86a6`03358a90
fffff801`7ee30010 00000000`00000000
fffff801`7ee30018 00000000`000000d0
fffff801`7ee30020 ffff86a6`03116220
fffff801`7ee30028 00000000`00000000
fffff801`7ee30030 00000000`00000000
fffff801`7ee30038 00000000`00000000
fffff801`7ee30040 00000000`00000000
fffff801`7ee30048 00000000`00000000
fffff801`7ee30050 00000000`00000000
fffff801`7ee30058 00000000`00000000
fffff801`7ee30060 00000000`00000000
fffff801`7ee30068 00000000`00000000
fffff801`7ee30070 00000000`00000000
fffff801`7ee30078 00000000`00000000
fffff801`7ee30080 00000000`00000000
fffff801`7ee30088 00000000`00000000
fffff801`7ee30090 00000000`00000000
fffff801`7ee30098 00000000`00000000
fffff801`7ee300a0 00000000`00000000
fffff801`7ee300a8 00000000`00000000
fffff801`7ee300b0 00000000`00000000
fffff801`7ee300b8 00000000`00000000
fffff801`7ee300c0 00000000`00000000
fffff801`7ee300c8 00000000`00000000
fffff801`7ee300d0 00000000`00000000
fffff801`7ee300d8 00000000`00000000
fffff801`7ee300e0 00000000`00000000
fffff801`7ee300e8 00000000`00000000
fffff801`7ee300f0 00000000`00000000
fffff801`7ee300f8 00000000`00000000
fffff801`7ee30100 00000000`00000000
fffff801`7ee30108 00000000`00000000
fffff801`7ee30110 00000000`00040293
fffff801`7ee30118 fffff801`7e49af8b nt!KeQueryCurrentStackInformationEx+0x8b
fffff801`7ee30120 00000000`00000000
fffff801`7ee30128 00000000`00000000
fffff801`7ee30130 00000000`00000000
fffff801`7ee30138 00000000`00000000
fffff801`7ee30140 ffffce83`3784d000
fffff801`7ee30148 ffffce83`37847000
fffff801`7ee30150 00000000`00000000
fffff801`7ee30158 00000000`00000000
fffff801`7ee30160 00000000`00000000
fffff801`7ee30168 fffff801`7e4e9cc6 nt!RtlGetExtendedContextLength2+0x46
fffff801`7ee30170 00000000`00000000
fffff801`7ee30178 fffff801`7e4e6a64 nt!RtlpGetStackLimitsEx+0x14
fffff801`7ee30180 ffffce83`3784c0e0
fffff801`7ee30188 ffffce83`3784c8a8
fffff801`7ee30190 00000001`00000010
fffff801`7ee30198 ffffce83`3784c0e0
fffff801`7ee301a0 ffffce83`3784c0a0
fffff801`7ee301a8 fffff801`7e4e6c59 nt!RtlDispatchException+0x119
fffff801`7ee301b0 ffffce83`3784c0e0
fffff801`7ee301b8 00000000`00000000
fffff801`7ee301c0 000004e8`fffffb30
fffff801`7ee301c8 000004d0`fffffb30
fffff801`7ee301d0 00000000`00000019
fffff801`7ee301d8 ffff86a6`03360000
fffff801`7ee301e0 ffffce83`3784c5d0
fffff801`7ee301e8 ffff86a6`0312a688
fffff801`7ee301f0 00000000`00000000
fffff801`7ee301f8 000004f7`00000000
fffff801`7ee30200 00000000`00000000
fffff801`7ee30208 ffffce83`3784d000
fffff801`7ee30210 ffffce83`37847000
fffff801`7ee30218 ffffce83`3784bea0
fffff801`7ee30220 00000000`00000000
fffff801`7ee30228 00000000`00000000
fffff801`7ee30230 00000000`00000000
fffff801`7ee30238 ffffce83`3784c8a8
fffff801`7ee30240 00000000`00000000
fffff801`7ee30248 00000000`00000000
fffff801`7ee30250 00000000`00000000
fffff801`7ee30258 00000000`00000000
fffff801`7ee30260 00000000`00000000
fffff801`7ee30268 00000000`00000000
fffff801`7ee30270 00000000`00000000
fffff801`7ee30278 00000000`00000000
fffff801`7ee30280 00000000`00000000
fffff801`7ee30288 00000000`00000000
fffff801`7ee30290 ffffce83`3784c0e0
fffff801`7ee30298 ffff86a6`00615054
fffff801`7ee302a0 00000000`00000000
fffff801`7ee302a8 ffffffff`ffffffff
fffff801`7ee302b0 00000000`00000000
fffff801`7ee302b8 00000000`00000000
fffff801`7ee302c0 00000000`00000000
fffff801`7ee302c8 00000000`00000000
fffff801`7ee302d0 00000000`00000000
fffff801`7ee302d8 00000000`00000000
fffff801`7ee302e0 00000000`00000000
fffff801`7ee302e8 00000000`00000000
fffff801`7ee302f0 00000000`00000000
fffff801`7ee302f8 00000000`00000000
fffff801`7ee30300 00000000`00000000
fffff801`7ee30308 00000000`00000000
fffff801`7ee30310 00000000`00000000
fffff801`7ee30318 00000000`00000000
fffff801`7ee30320 00000000`00000000
fffff801`7ee30328 00000000`00000000
fffff801`7ee30330 00000000`00000000
fffff801`7ee30338 00000000`00000000
fffff801`7ee30340 00000000`00000000
fffff801`7ee30348 00000000`00000000
fffff801`7ee30350 00000000`0010001f
fffff801`7ee30358 ffffce83`3784c950
fffff801`7ee30360 00000000`00000000
fffff801`7ee30368 00000000`00000000
fffff801`7ee30370 00000000`00000000
fffff801`7ee30378 ffffce83`3784c0e0
fffff801`7ee30380 ffffce83`3784c5e0
fffff801`7ee30388 fffff801`7e5f72c7 nt!KeBugCheckEx+0x107
fffff801`7ee30390 ffffce83`3784c8a8
fffff801`7ee30398 ffffce83`3784c5e0
fffff801`7ee303a0 ffffce83`3784c8a8
fffff801`7ee303a8 00000000`00000000
fffff801`7ee303b0 00000000`00000000
fffff801`7ee303b8 00000000`00000000
fffff801`7ee303c0 00000000`00040246
fffff801`7ee303c8 fffff801`7e659ecb nt!KiDispatchException+0x17467b
fffff801`7ee303d0 00000000`0000001e
fffff801`7ee303d8 ffffffff`c0000005
fffff801`7ee303e0 00000000`00000000
fffff801`7ee303e8 00000000`00000008
fffff801`7ee303f0 00000000`00000000
fffff801`7ee303f8 00000000`00000001
fffff801`7ee30400 ffff86a6`0312a600
fffff801`7ee30408 ffff86a6`0312a688
fffff801`7ee30410 ffff86a6`0312a4e8
fffff801`7ee30418 00000000`00000d0d
fffff801`7ee30420 00000001`00000000
fffff801`7ee30428 00000000`00000000
fffff801`7ee30430 00001f80`0010001f
fffff801`7ee30438 0053002b`002b0010
fffff801`7ee30440 00050282`0018002b
fffff801`7ee30448 00000000`00000000
fffff801`7ee30450 00000000`00000000
fffff801`7ee30458 00000000`00000000
fffff801`7ee30460 00000000`00000000
fffff801`7ee30468 00000000`00000000
fffff801`7ee30470 00000000`00000000
[…]
fffff801`7ee310c0 00000000`00000000
fffff801`7ee310c8 ffffce83`00000000
fffff801`7ee310d0 ffff86a6`00000001
fffff801`7ee310d8 00000000`00000000
fffff801`7ee310e0 ffffaa81`e634c9c0
fffff801`7ee310e8 fffff801`7e608bb5 nt!KiSystemServiceCopyEnd+0x25
fffff801`7ee310f0 00000000`00000000
fffff801`7ee310f8 ffff1496`0a767479
fffff801`7ee31100 00000000`0002034c
fffff801`7ee31108 000002aa`2d0d0180
fffff801`7ee31110 000000ce`1b2feac0
fffff801`7ee31118 00000023`83360010
fffff801`7ee31120 00000000`00000000
fffff801`7ee31128 00000000`00000000
fffff801`7ee31130 00000000`00000000
fffff801`7ee31138 00000000`00000000
fffff801`7ee31140 ffff9a8e`065f7080
fffff801`7ee31148 00000000`00000000
fffff801`7ee31150 ffff9a8e`065f7080
fffff801`7ee31158 fffff801`7e608bb5 nt!KiSystemServiceCopyEnd+0x25
fffff801`7ee31160 00000000`00000001
fffff801`7ee31168 ffffce83`38b5db80
fffff801`7ee31170 000002aa`00000000
fffff801`7ee31178 ffff868e`e8876c88 win32k!NtUserKillTimer
fffff801`7ee31180 000000ce`00000000
fffff801`7ee31188 00001f80`02080000
fffff801`7ee31190 00000000`00000007
fffff801`7ee31198 00000000`000001e4
fffff801`7ee311a0 00000000`00000000
fffff801`7ee311a8 000000ce`1b2ff5b8
fffff801`7ee311b0 000000ce`1b2ff689
fffff801`7ee311b8 00000000`00000000
fffff801`7ee311c0 00000000`00000246
fffff801`7ee311c8 000000ce`1b0a7000
fffff801`7ee311d0 00000000`00000000
fffff801`7ee311d8 00000000`00000000
fffff801`7ee311e0 00000000`00000000
fffff801`7ee311e8 00000000`00000000
fffff801`7ee311f0 00000000`00000000
fffff801`7ee311f8 00000000`00000000
fffff801`7ee31200 00000000`00000000
fffff801`7ee31208 00000000`00000000
fffff801`7ee31210 00000000`00000000
fffff801`7ee31218 00000000`00000000
fffff801`7ee31220 00000000`00000000
fffff801`7ee31228 00000000`00000000
fffff801`7ee31230 00007ffb`8a73a5c2
fffff801`7ee31238 00000000`00000000
fffff801`7ee31240 00000000`00000000
fffff801`7ee31248 00000000`00000000
fffff801`7ee31250 00000000`00000000
fffff801`7ee31258 00000000`00000000
fffff801`7ee31260 00000000`00000000
fffff801`7ee31268 00000000`00000000
fffff801`7ee31270 00000000`00000000
fffff801`7ee31278 00000000`00000000
fffff801`7ee31280 00000000`00000000
fffff801`7ee31288 00000000`00000000
fffff801`7ee31290 00000000`00000000
fffff801`7ee31298 00000000`00000000
fffff801`7ee312a0 00000000`00000000
fffff801`7ee312a8 00000000`000001e4
fffff801`7ee312b0 00000000`00000000
fffff801`7ee312b8 00000000`000001e4
fffff801`7ee312c0 00000000`00000100
fffff801`7ee312c8 00007ffb`8dc6ce54
fffff801`7ee312d0 00000000`00000033
fffff801`7ee312d8 00000000`00000246
fffff801`7ee312e0 000000ce`1b2fea68
fffff801`7ee312e8 00000000`0000002b
fffff801`7ee312f0 ffffce83`3784d000
fffff801`7ee312f8 ffffce83`37847000
fffff801`7ee31300 ffffce83`38b5e000
fffff801`7ee31308 ffffce83`38b58000
fffff801`7ee31310 ffffce83`38b5d420
fffff801`7ee31318 ffffce83`38b5dc90
fffff801`7ee31320 ffff9a8e`002f9448

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 277)

Monday, September 27th, 2021

When looking at kernel and complete memory dumps, the current thread running on the current processor (!thread) may not belong to the current process (it is not listed in the output of the !process WinDbg command). This happens when a thread owned by one process is attached to another process:

0: kd> !thread
THREAD ffffa902d2ff8080 Cid 1f00.02c0 Teb: 000000836c677000 Win32Thread: 0000000000000000 RUNNING on processor 0
IRP List:
ffffa902d0afabb0: (0006,0118) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap ffffba81b0037600
Owning Process ffffa902d1581080 Image: OriginalProcess.exe
Attached Process ffffa902cf41a080 Image: NewProcess.exe
Wait Start TickCount 136814 Ticks: 3 (0:00:00:00.046)
Context Switch Count 4 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address 0x00007ff62aabf010
Stack Init ffffe10adff87c90 Current ffffe10adff876a0
Base ffffe10adff88000 Limit ffffe10adff82000 Call 0000000000000000
Priority 14 BasePriority 8 PriorityDecrement 80 IoPriority 2 PagePriority 5
[…]

In this way, a thread can access another process's address space. We call this analysis pattern Shared Thread. Another example is process creation resulting in Hidden Process. Such Shared Threads can also be found in a Stack Trace Collection.
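When a Stack Trace Collection contains many !thread blocks, the Owning Process / Attached Process mismatch is easy to miss by eye. The following Python filter is an added example (not from the original post) that splits saved !thread output into per-thread records and flags every thread whose Attached Process differs from its Owning Process. The sample text is constructed: the first block mirrors the shape of the output above, the second is a made-up thread that is not attached anywhere (WinDbg prints N/A for it).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two `!thread` blocks in the shape WinDbg prints them.
SAMPLE_THREADS = """\
THREAD ffffa902d2ff8080  Cid 1f00.02c0  Teb: 000000836c677000 Win32Thread: 0000000000000000 RUNNING on processor 0
IRP List:
    ffffa902d0afabb0: (0006,0118) Flags: 00060000  Mdl: 00000000
Not impersonating
DeviceMap                 ffffba81b0037600
Owning Process            ffffa902d1581080       Image:         OriginalProcess.exe
Attached Process          ffffa902cf41a080       Image:         NewProcess.exe
Wait Start TickCount      136814         Ticks: 3 (0:00:00:00.046)
THREAD ffffa902d3000080  Cid 1f00.0300  Teb: 000000836c679000 Win32Thread: 0000000000000000 WAIT
Not impersonating
DeviceMap                 ffffba81b0037600
Owning Process            ffffa902d1581080       Image:         OriginalProcess.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      136810         Ticks: 7 (0:00:00:00.109)
"""

THREAD_RE = re.compile(r"^THREAD\s+([0-9a-fA-F]+)\s+Cid\s+([0-9a-fA-F]+)\.([0-9a-fA-F]+)", re.M)
PROCESS_RE = re.compile(r"^(Owning|Attached) Process\s+(\S+)\s+Image:\s+(\S+)", re.M)


def parse_threads(text: str) -> List[Dict[str, Optional[str]]]:
    """Split a dump of `!thread` blocks and pull out the fields we need."""
    headers = list(THREAD_RE.finditer(text))
    records: List[Dict[str, Optional[str]]] = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[head.start():end]
        rec: Dict[str, Optional[str]] = {
            "thread": head.group(1),
            "pid": head.group(2),
            "tid": head.group(3),
            "owning": None, "owning_image": None,
            "attached": None, "attached_image": None,
        }
        for m in PROCESS_RE.finditer(block):
            key = m.group(1).lower()          # "owning" or "attached"
            rec[key] = m.group(2)
            rec[key + "_image"] = m.group(3)
        records.append(rec)
    return records


def is_shared_thread(rec: Dict[str, Optional[str]]) -> bool:
    """A Shared Thread is attached to a process other than its owner."""
    attached = rec.get("attached")
    if attached is None or attached.upper() == "N/A":
        return False
    return attached != rec.get("owning")


def find_shared_threads(text: str) -> List[Dict[str, Optional[str]]]:
    return [r for r in parse_threads(text) if is_shared_thread(r)]


if __name__ == "__main__":
    for r in find_shared_threads(SAMPLE_THREADS):
        print(f"THREAD {r['thread']} Cid {r['pid']}.{r['tid']}: owned by "
              f"{r['owning_image']} ({r['owning']}), attached to "
              f"{r['attached_image']} ({r['attached']})")
```

Feed it the text of `!stacks 2` or a `!for_each_thread "!thread @#Thread"` run saved with `.logopen`; each flagged thread is a candidate for looking at the attached process with `!process` to understand which address space its stack was touching.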

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 213b)

Friday, April 9th, 2021

Previously we introduced the Rough Stack Trace analysis pattern for unmanaged space. However, a similar collection of symbolic references is possible for managed space (without the unmanaged references that we see in Caller-n-Callee). Although the output is noisy, it can be filtered by external tools. This simple WinDbg script outputs managed method descriptors from a stack segment whose boundaries were taken from the output of the !teb command (this works even for complete memory dumps with the .NET Core SOS extension after switching to the appropriate process context):

1: kd> .for (r $t0=000000a7d4d9c000; @$t0 < 000000a7d4db0000; r $t0=@$t0+@$ptrsize) {.if (poi(@$t0) > 7ff000000000) { .printf "---\n"; !IP2MD poi(@$t0) }}
[...]
Failed to request MethodData, not in JIT code range
---
MethodDesc:   00007ff8f7da4fd8
Method Name:          System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
Class:                00007ff8f7d9c1f0
MethodTable:          00007ff8f7da50b0
mdToken:              0000000006000AB8
Module:               00007ff8f7c599a0
IsJitted:             yes
Current CodeAddr:     00007ff953059310
Version History:
ILCodeVersion:      0000000000000000
ReJIT ID:           0
IL Addr:            00007ff952a055d7
CodeAddr:           00007ff953059310  (ReadyToRun)
NativeCodeVersion:  0000000000000000

MethodDesc:   00007ff8f7c26d98
Method Name:          LINQPad.UIProgram.Run()
Class:                00007ff8f7c32d30
MethodTable:          00007ff8f7c28280
mdToken:              00000000060001AF
Module:               00007ff8f7bc2780
IsJitted:             yes
Current CodeAddr:     00007ff8f8328c50
Version History:
ILCodeVersion:      0000000000000000
ReJIT ID:           0
IL Addr:            000002316969a53c
CodeAddr:           00007ff8f8328c50  (MinOptJitted)
NativeCodeVersion:  0000000000000000

MethodDesc:   00007ff8f7c26c60
Method Name:          LINQPad.UIProgram.Go(System.String[])
Class:                00007ff8f7c32d30
MethodTable:          00007ff8f7c28280
mdToken:              00000000060001A4
Module:               00007ff8f7bc2780
IsJitted:             yes
Current CodeAddr:     00007ff8f7f23890
Version History:
ILCodeVersion:      0000000000000000
ReJIT ID:
IL Addr:            0000023169699840
CodeAddr:           00007ff8f7f23890  (MinOptJitted)
NativeCodeVersion:  0000000000000000

Failed to request MethodData, not in JIT code range

MethodDesc:   00007ff8f7c26c00
Method Name:          LINQPad.UIProgram.Start(System.String[])
Class:                00007ff8f7c32d30
MethodTable:          00007ff8f7c28280
mdToken:              00000000060001A0
Module:               00007ff8f7bc2780
IsJitted:             yes
Current CodeAddr:     00007ff8f7b2fce0
Version History:
ILCodeVersion:      0000000000000000
ReJIT ID:           0
IL Addr:            00000231696996fc
CodeAddr:           00007ff8f7b2fce0  (MinOptJitted)
NativeCodeVersion:  0000000000000000

MethodDesc:   00007ff8f7bc64d8
Method Name:          LINQPad.UI.Loader.Main(System.String[])
Class:                00007ff8f7c09508
MethodTable:          00007ff8f7bc64f0
mdToken:              0000000006000346
Module:               00007ff8f7bc2780
IsJitted:             yes
Current CodeAddr:     00007ff8f7b26400
Version History:
ILCodeVersion:      0000000000000000
ReJIT ID:           0
IL Addr:            00000231696ab048
CodeAddr:           00007ff8f7b26400  (MinOptJitted)
NativeCodeVersion:  0000000000000000

Failed to request MethodData, not in JIT code range

Failed to request MethodData, not in JIT code range

Failed to request MethodData, not in JIT code range

Failed to request MethodData, not in JIT code range

[…]
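The post says the output can be filtered by external tools; here is an added Python example of such a filter (not part of the original post). It rebuilds the WinDbg one-liner above from the StackLimit/StackBase values of !teb, then reduces the saved !IP2MD output to an ordered list of managed methods, counts the slots that were not in JIT code range, and merges consecutive slots that resolved to the same method. The sample text is constructed in the shape of the output above with most !IP2MD fields trimmed; the 7ff000000000 lower bound is the post's heuristic and is assumed to suit the dump at hand.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the `.for` / !IP2MD loop output
# (fields trimmed to the ones used below; real output has more lines per method).
SAMPLE_IP2MD = """\
---
Failed to request MethodData, not in JIT code range
---
MethodDesc:   00007ff8f7da4fd8
Method Name:          System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
IsJitted:             yes
CodeAddr:           00007ff953059310  (ReadyToRun)
---
MethodDesc:   00007ff8f7c26d98
Method Name:          LINQPad.UIProgram.Run()
IsJitted:             yes
CodeAddr:           00007ff8f8328c50  (MinOptJitted)
---
MethodDesc:   00007ff8f7c26d98
Method Name:          LINQPad.UIProgram.Run()
IsJitted:             yes
CodeAddr:           00007ff8f8328c50  (MinOptJitted)
---
Failed to request MethodData, not in JIT code range
---
MethodDesc:   00007ff8f7bc64d8
Method Name:          LINQPad.UI.Loader.Main(System.String[])
IsJitted:             yes
CodeAddr:           00007ff8f7b26400  (MinOptJitted)
---
Failed to request MethodData, not in JIT code range
---
Failed to request MethodData, not in JIT code range
"""

FIELD_RE = re.compile(r"^(MethodDesc|Method Name|IsJitted|CodeAddr):\s+(.+?)\s*$", re.M)
KIND_RE = re.compile(r"\((\w+)\)")   # "(ReadyToRun)", "(MinOptJitted)", ...


def build_scan_command(stack_limit: int, stack_base: int,
                       min_code_addr: int = 0x7FF000000000) -> str:
    """Rebuild the WinDbg one-liner from !teb's StackLimit and StackBase.

    min_code_addr is the post's heuristic lower bound for JIT code addresses
    (assumption: it suits this dump; adjust it if managed code lives elsewhere).
    """
    return (f".for (r $t0={stack_limit:016x}; @$t0 < {stack_base:016x}; "
            f"r $t0=@$t0+@$ptrsize) {{.if (poi(@$t0) > {min_code_addr:x}) "
            f'{{ .printf "---\\n"; !IP2MD poi(@$t0) }}}}')


def extract_methods(text: str) -> Tuple[List[Dict[str, Optional[str]]], int]:
    """Return (managed frames in stack order, count of slots outside JIT code)."""
    frames: List[Dict[str, Optional[str]]] = []
    noise = 0
    for section in text.split("---"):
        section = section.strip()
        if not section:
            continue
        if "Failed to request MethodData" in section:
            noise += 1            # unmanaged pointer or data that passed the > bound test
            continue
        fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(section)}
        code = fields.get("CodeAddr", "")
        kind = KIND_RE.search(code)
        frames.append({
            "method": fields.get("Method Name"),
            "method_desc": fields.get("MethodDesc"),
            "code_addr": code.split()[0] if code else None,
            "code_kind": kind.group(1) if kind else None,
        })
    return frames, noise


def collapse_runs(frames: List[Dict[str, Optional[str]]]) -> List[Tuple[str, int]]:
    """Merge consecutive slots that resolved to the same method (saved copies,
    return addresses and spilled registers often point into one method)."""
    runs: List[Tuple[str, int]] = []
    for f in frames:
        name = f["method"] or "?"
        if runs and runs[-1][0] == name:
            runs[-1] = (name, runs[-1][1] + 1)
        else:
            runs.append((name, 1))
    return runs


if __name__ == "__main__":
    print(build_scan_command(0xA7D4D9C000, 0xA7D4DB0000))
    frames, noise = extract_methods(SAMPLE_IP2MD)
    for name, count in collapse_runs(frames):
        print(f"{count:>3}  {name}")
    print(f"({noise} slots not in JIT code range)")
```

Because the scan walks every pointer-sized slot between StackLimit and StackBase, the list is a rough trace: it contains stale frames from earlier calls as well as the live ones, so the order is a hint to be confirmed against !CLRStack or the raw stack, not a call chain.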

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 276)

Saturday, April 3rd, 2021

In simple exception cases, we have an exception record, for example from Stored Exception, that corresponds to the exception context:

0:000> .exr -1
ExceptionAddress: 00000001400247ae (TestWER64!CTestDefaultDebuggerDlg::OnBnClickedButton1+0x000000000000007e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

0:000> .ecxr
rax=0000000000000000 rbx=0000000000000001 rcx=000000000014fd20
rdx=00000000000003e8 rsi=000000000014fd20 rdi=000000014002daa0
rip=00000001400247ae rsp=000000000014efd0 rbp=0000000000000111
r8=0000000000000000  r9=0000000140024730 r10=0000000140024730
r11=000000000014f0d0 r12=0000000000000000 r13=00000000000003e8
r14=0000000000000110 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
TestWER64!CTestDefaultDebuggerDlg::OnBnClickedButton1+0x7e:
00000001`400247ae c704250000000000000000 mov dword ptr [0],0 ds:00000000`00000000=????????

In other cases, we may have missing context:

0:000> .ecxr
Minidump doesn't have an exception context
Unable to get exception context, HRESULT 0x80004002

or an invalid context (see also Invalid Exception Information) in the output of the !analyze -v command:

CONTEXT:  00007ffb54bd1e60 -- (.cxr 0x7ffb54bd1e60)
rax=15ff480001191885 rbx=ff48c88b48000000 rcx=00441f0f00044c3c
rdx=08ba3824448d4c00 rsi=4838244c8b480001 rdi=0058b9413024448d
rip=00441f0f00044a04 rsp=441f0f00044bd315 rbp=18e4840fc0850000
r8=4c20244489480000  r9=244c89444024448d r10=15ff48a9518d4130
r11=00441f0f00044ebc r12=0118c1840fc08500 r13=8b4840244c8b4800
r14=d88b0000003ee8d7 r15=15ff4838244c8b48
iopl=0 vip vif ov dn ei pl nz na pe nc
cs=2183  ss=044c  ds=4800  es=f98b  fs=ff48  gs=5315             efl=441f0f00
00441f0f`00044a04 ??              ???
Resetting default scope

or a valid context that does not correspond to the stored exception record:

0:000> .ecxr
rax=00007ffe0a6a9618 rbx=0000024a3aa44020 rcx=0000000100000001
rdx=0000000000000001 rsi=0000024a3abff3e8 rdi=0000024a3abfb5c8
rip=00007ffe9768d759 rsp=000000dc0fd7caf0 rbp=000000dc0fd7d160
r8=0000024a00000007  r9=0000024a5ce8bc80 r10=0000000000000000
r11=0000000000000000 r12=0000024a3abfad90 r13=0000024a3aa44020
r14=0000000000000000 r15=0000024a3abfb5e0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!RaiseException+0x69:
00007ffe`9768d759 0f1f440000      nop     dword ptr [rax+rax]

0:000> .exr -1
ExceptionAddress: 00007ffe0a6a9609
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

However, Exception Stack Trace may be available with JIT Code addresses:

0:000> kL
# Child-SP          RetAddr           Call Site
00 000000dc`0fd7b558 00007ffe`976b0d40 ntdll!NtWaitForMultipleObjects+0x14
01 000000dc`0fd7b560 00007ffe`976b0c3e KERNELBASE!WaitForMultipleObjectsEx+0xf0
02 000000dc`0fd7b850 00007ffe`994cf6aa KERNELBASE!WaitForMultipleObjects+0xe
03 000000dc`0fd7b890 00007ffe`994cf0e6 kernel32!WerpReportFaultInternal+0x58a
04 000000dc`0fd7b9b0 00007ffe`9776c439 kernel32!WerpReportFault+0xbe
05 000000dc`0fd7b9f0 00007ffe`99cd4b63 KERNELBASE!UnhandledExceptionFilter+0x3d9
06 000000dc`0fd7bb10 00007ffe`99cbbb16 ntdll!RtlUserThreadStart$filt$0+0xa2
07 000000dc`0fd7bb50 00007ffe`99cd130f ntdll!_C_specific_handler+0x96
08 000000dc`0fd7bbc0 00007ffe`99c7b5e4 ntdll!RtlpExecuteHandlerForException+0xf
09 000000dc`0fd7bbf0 00007ffe`99c7b335 ntdll!RtlDispatchException+0x244
0a 000000dc`0fd7c300 00007ffe`9768d759 ntdll!RtlRaiseException+0x185
0b 000000dc`0fd7caf0 00007ffe`6986b259 KERNELBASE!RaiseException+0x69
0c 000000dc`0fd7cbd0 00007ffe`6986b28b coreclr!NakedThrowHelper2+0x9
0d 000000dc`0fd7cc00 00007ffe`6986b295 coreclr!NakedThrowHelper_RspAligned+0x1e
0e 000000dc`0fd7d128 00007ffe`0a6a9609 coreclr!NakedThrowHelper_FixRsp+0x5
0f 000000dc`0fd7d130 00007ffe`0a548023 0x00007ffe`0a6a9609
10 000000dc`0fd7d170 00007ffe`0a547734 0x00007ffe`0a548023
11 000000dc`0fd7d230 00000000`627311e5 0x00007ffe`0a547734
12 000000dc`0fd7d290 00007ffe`62b50fe7 PresentationCore+0x4011e5
13 000000dc`0fd7d2d0 00007ffe`62a35840 PresentationFramework+0xbb0fe7
14 000000dc`0fd7d310 00007ffe`62b51a60 PresentationFramework+0xa95840
15 000000dc`0fd7d350 00000000`62732e22 PresentationFramework+0xbb1a60
16 000000dc`0fd7d390 00000000`62757c42 PresentationCore+0x402e22
17 000000dc`0fd7d3d0 00007ffe`0a5448f3 PresentationCore+0x427c42
18 000000dc`0fd7d410 00007ffe`0a548023 0x00007ffe`0a5448f3
19 000000dc`0fd7d450 00000000`62740e19 0x00007ffe`0a548023
1a 000000dc`0fd7d510 00000000`62732b6a PresentationCore+0x410e19
1b 000000dc`0fd7d580 00000000`62757c42 PresentationCore+0x402b6a
1c 000000dc`0fd7d5c0 00007ffe`0a5448f3 PresentationCore+0x427c42
1d 000000dc`0fd7d600 00007ffe`0a548023 0x00007ffe`0a5448f3
1e 000000dc`0fd7d640 00007ffe`0a547734 0x00007ffe`0a548023
1f 000000dc`0fd7d700 00007ffe`0a550211 0x00007ffe`0a547734
20 000000dc`0fd7d760 00007ffe`0a558efd 0x00007ffe`0a550211
21 000000dc`0fd7d7a0 00007ffe`0a55ebb1 0x00007ffe`0a558efd
22 000000dc`0fd7d860 00007ffe`0a564474 0x00007ffe`0a55ebb1
23 000000dc`0fd7d8b0 00007ffe`0a550eff 0x00007ffe`0a564474
24 000000dc`0fd7d9e0 00007ffe`0a550692 0x00007ffe`0a550eff
25 000000dc`0fd7da70 00007ffe`0a54967d 0x00007ffe`0a550692
26 000000dc`0fd7dae0 00007ffe`0a549596 0x00007ffe`0a54967d
27 000000dc`0fd7db70 00007ffe`0a548ac7 0x00007ffe`0a549596
28 000000dc`0fd7dbc0 00007ffe`0a5488f5 0x00007ffe`0a548ac7
29 000000dc`0fd7dc20 00007ffe`0a54920c 0x00007ffe`0a5488f5
2a 000000dc`0fd7dc70 00007ffe`0a548f07 0x00007ffe`0a54920c
2b 000000dc`0fd7dd00 00007ffe`09d2d772 0x00007ffe`0a548f07
2c 000000dc`0fd7de00 00007ffe`995ae858 0x00007ffe`09d2d772
2d 000000dc`0fd7de80 00007ffe`995ae299 user32!UserCallWinProcCheckWow+0x2f8
2e 000000dc`0fd7e010 00007ffe`0a18011b user32!DispatchMessageWorker+0x249
2f 000000dc`0fd7e090 00007ffe`69557ec3 0x00007ffe`0a18011b
30 000000dc`0fd7e150 00007ffe`695553a1 WindowsBase+0x197ec3
31 000000dc`0fd7e1e0 00007ffe`6955534e WindowsBase+0x1953a1
32 000000dc`0fd7e210 00007ffe`6276966c WindowsBase+0x19534e
33 000000dc`0fd7e240 00007ffe`62767ccd PresentationFramework+0x7c966c
34 000000dc`0fd7e270 00007ffe`62764c5c PresentationFramework+0x7c7ccd
35 000000dc`0fd7e2c0 00007ffe`09d1618e PresentationFramework+0x7c4c5c
36 000000dc`0fd7e2f0 00007ffe`6986a2f3 0x00007ffe`09d1618e
37 000000dc`0fd7e340 00007ffe`697a2fcc coreclr!CallDescrWorkerInternal+0x83
38 000000dc`0fd7e380 00007ffe`697c22b3 coreclr!MethodDescCallSite::CallTargetWorker+0x268
39 (Inline Function) --------`-------- coreclr!MethodDescCallSite::Call+0xb
3a 000000dc`0fd7e4c0 00007ffe`697c207e coreclr!RunMainInternal+0x11f
3b 000000dc`0fd7e5f0 00007ffe`697c1be1 coreclr!RunMain+0xd2
3c 000000dc`0fd7e6a0 00007ffe`697c1908 coreclr!Assembly::ExecuteMainMethod+0x1cd
3d 000000dc`0fd7ea30 00007ffe`69789ad2 coreclr!CorHost2::ExecuteAssembly+0x1c8
3e 000000dc`0fd7eba0 00007ffe`7d502c72 coreclr!coreclr_execute_assembly+0xe2
3f (Inline Function) --------`-------- hostpolicy!coreclr_t::execute_assembly+0x2b
40 000000dc`0fd7ec40 00007ffe`7d502ed7 hostpolicy!run_app_for_context+0x3be
41 000000dc`0fd7edd0 00007ffe`7d503b6b hostpolicy!run_app+0x37
42 000000dc`0fd7ee10 00007ffe`7d5839ea hostpolicy!corehost_main+0xfb
43 000000dc`0fd7efd0 00007ffe`7d587358 hostfxr!execute_app+0x206
44 (Inline Function) --------`-------- hostfxr!?A0x83a23e19::read_config_and_execute+0x10a
45 000000dc`0fd7f0c0 00007ffe`7d585b5f hostfxr!fx_muxer_t::handle_exec_host_command+0x214
46 000000dc`0fd7f1b0 00007ffe`7d582029 hostfxr!fx_muxer_t::execute+0x39b
47 000000dc`0fd7f2f0 00007ff6`3aede0b0 hostfxr!hostfxr_main_startupinfo+0x89
48 000000dc`0fd7f3f0 00007ff6`3aede418 ApplicationA_exe!exe_start+0x620
49 000000dc`0fd7f5d0 00007ff6`3aedfef8 ApplicationA_exe!wmain+0x124
4a (Inline Function) --------`-------- ApplicationA_exe!invoke_main+0x22
4b 000000dc`0fd7f740 00007ffe`99477034 ApplicationA_exe!__scrt_common_main_seh+0x10c
4c 000000dc`0fd7f780 00007ffe`99c7d0d1 kernel32!BaseThreadInitThunk+0x14
4d 000000dc`0fd7f7b0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:000> u 00007ffe`0a6a9609
00007ffe`0a6a9609 c70001000000    mov     dword ptr [rax],1
00007ffe`0a6a960f 90              nop
00007ffe`0a6a9610 90              nop
00007ffe`0a6a9611 488d6500        lea     rsp,[rbp]
00007ffe`0a6a9615 5d              pop     rbp
00007ffe`0a6a9616 c3              ret
00007ffe`0a6a9617 0019            add     byte ptr [rcx],bl
00007ffe`0a6a9619 0502000552      add     eax,52050002h

In the case of a .NET Core dump, we can use Saved Exception Context to get the original exception:

0:000> dp coreclr!g_SavedExceptionInfo
00007ffe`69bd57f0  00000000`c0000005 00000000`00000000
00007ffe`69bd5800  00007ffe`0a6a9609 00000000`00000002
00007ffe`69bd5810  00000000`00000001 00000000`00000000
00007ffe`69bd5820  00000000`00000000 00000000`00000000
00007ffe`69bd5830  00000000`00000000 00000000`00000000
00007ffe`69bd5840  00000000`00000000 00000000`00000000
00007ffe`69bd5850  00000000`00000000 00000000`00000000
00007ffe`69bd5860  00000000`00000000 00000000`00000000

0:000> dt coreclr!g_SavedExceptionInfo
+0x000 m_ExceptionRecord : _EXCEPTION_RECORD
+0x0a0 m_ExceptionContext : _CONTEXT
+0x570 m_Crst           : CrstStatic

0:000> .cxr coreclr!g_SavedExceptionInfo+a0
rax=0000000000000000 rbx=0000024a3aa44020 rcx=0000024a3aa1d210
rdx=0000024a3aa44020 rsi=0000024a3abff3e8 rdi=0000024a3abfb5c8
rip=00007ffe0a6a9609 rsp=000000dc0fd7d130 rbp=000000dc0fd7d160
r8=0000024a3abff3e8  r9=0000000000000000 r10=0000000000000000
r11=000000dc0fd7d090 r12=0000024a3abfad90 r13=0000024a3aa44020
r14=0000000000000000 r15=0000024a3abfb5e0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00007ffe`0a6a9609 c70001000000    mov     dword ptr [rax],1 ds:00000000`00000000=????????
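To show what the +a0 in the .cxr command stands for and how the raw dp dump above maps onto the saved record, here is an added Python example (not from the original post). It reassembles the little-endian qwords printed by dp, decodes the _EXCEPTION_RECORD that sits at offset 0 of g_SavedExceptionInfo, reproduces the one-line summary .exr prints for access violations, and derives the 0xa0 offset of m_ExceptionContext from the x64 record layout. The dp lines are constructed from the values shown above; the small table of exception code names is the author's own assumption, not taken from the dump.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: `dp coreclr!g_SavedExceptionInfo` output in the shape shown
# above (same values as on the page).
SAMPLE_DP = """\
00007ffe`69bd57f0  00000000`c0000005 00000000`00000000
00007ffe`69bd5800  00007ffe`0a6a9609 00000000`00000002
00007ffe`69bd5810  00000000`00000001 00000000`00000000
00007ffe`69bd5820  00000000`00000000 00000000`00000000
"""

QWORD_RE = re.compile(r"[0-9a-fA-F]{8}`[0-9a-fA-F]{8}")

# A few well-known status codes, named as WinDbg's .exr prints them (assumed table).
EXCEPTION_NAMES = {
    0xC0000005: "Access violation",
    0x80000003: "Break instruction exception",
    0xC00000FD: "Stack overflow",
    0xE0434352: "CLR exception",
}


def parse_dp(text: str) -> Tuple[Optional[int], bytes]:
    """Rebuild (base address, little-endian bytes) from x64 `dp` output lines."""
    base: Optional[int] = None
    data = bytearray()
    for line in text.splitlines():
        cells = QWORD_RE.findall(line)
        if len(cells) < 2:          # need the address column plus at least one value
            continue
        addr = int(cells[0].replace("`", ""), 16)
        if base is None:
            base = addr
        for cell in cells[1:]:
            data += struct.pack("<Q", int(cell.replace("`", ""), 16))
    return base, bytes(data)


def decode_exception_record(buf: bytes, offset: int = 0) -> Dict[str, object]:
    """Decode a 64-bit _EXCEPTION_RECORD (m_ExceptionRecord is at +0 of g_SavedExceptionInfo).

    Layout: ExceptionCode (+0, DWORD), ExceptionFlags (+4, DWORD), ExceptionRecord
    (+8, pointer to a chained record), ExceptionAddress (+0x10), NumberParameters
    (+0x18, DWORD), 4 bytes of padding, ExceptionInformation[15] (+0x20, ULONG_PTR each).
    """
    code, flags, chained, address, nparams = struct.unpack_from("<IIQQI", buf, offset)
    nparams = min(nparams, 15)
    params: List[int] = (list(struct.unpack_from(f"<{nparams}Q", buf, offset + 0x20))
                         if nparams else [])
    return {"code": code, "flags": flags, "chained": chained,
            "address": address, "params": params}


def describe_exception(rec: Dict[str, object]) -> str:
    """Mirror the summary line .exr prints for access violations."""
    code = int(rec["code"])
    params = list(rec["params"])
    if code == 0xC0000005 and len(params) >= 2:
        # ExceptionInformation[0]: 0 = read, 1 = write, 8 = DEP violation
        verb = {0: "read from", 1: "write to", 8: "execute non-executable"}.get(params[0], "access")
        return f"Attempt to {verb} address {params[1]:016x}"
    name = EXCEPTION_NAMES.get(code, "unknown")
    return f"{code:08x} ({name}) at {int(rec['address']):016x}"


def context_offset() -> int:
    """Why the command uses +a0: sizeof(_EXCEPTION_RECORD) on x64 is 0x98 and the
    following _CONTEXT member is 16-byte aligned, so it starts at 0xa0."""
    record_size = 0x20 + 15 * 8
    return (record_size + 15) & ~15


def saved_context_command(runtime_module: str = "coreclr") -> str:
    """The .cxr line for CoreCLR ("coreclr") or .NET Framework ("clr")."""
    return f".cxr {runtime_module}!g_SavedExceptionInfo+{context_offset():x}"


if __name__ == "__main__":
    base, buf = parse_dp(SAMPLE_DP)
    rec = decode_exception_record(buf)
    print(f"g_SavedExceptionInfo at {base:016x}")
    print(f"ExceptionAddress: {rec['address']:016x}  ExceptionCode: {rec['code']:08x}")
    print(describe_exception(rec))
    print(saved_context_command())
```

The decoded record matches the .exr -1 output further up (code c0000005, address 00007ffe0a6a9609, two parameters 1 and 0), which is the check that the saved copy really is the original exception and not a later one raised during unwinding.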

This may also work in the case of invalid or missing exception information in .NET Core dumps:

0:000> .exr -1
ExceptionAddress: 0000000000000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0

0:000> .ecxr
Minidump doesn't have an exception context
Unable to get exception context, HRESULT 0x80004002

0:000> .cxr coreclr!g_SavedExceptionInfo+a0
rax=0000000000000000 rbx=0000024a3aa44020 rcx=0000024a3aa1d210
rdx=0000024a3aa44020 rsi=0000024a3abff3e8 rdi=0000024a3abfb5c8
rip=00007ffe0a6a9609 rsp=000000dc0fd7d130 rbp=000000dc0fd7d160
r8=0000024a3abff3e8  r9=0000000000000000 r10=0000000000000000
r11=000000dc0fd7d090 r12=0000024a3abfad90 r13=0000024a3aa44020
r14=0000000000000000 r15=0000024a3abfb5e0
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00007ffe`0a6a9609 c70001000000    mov     dword ptr [rax],1 ds:00000000`00000000=????????

In some other unmanaged cases, we can probe Execution Residue values around exception processing symbols, as in the case of Hidden Exceptions, but this may not work if such values have been overwritten or are no longer available.

A similar approach is available for .NET Framework, even though the type information is not available:

0:000> x clr!g_SavedExceptionInfo
00007ffc`efc01f40 clr!g_SavedExceptionInfo = <no type information>

0:000> dt clr!g_SavedExceptionInfo
Symbol clr!g_SavedExceptionInfo not found.

0:000> .cxr clr!g_SavedExceptionInfo+a0
rax=0000000000000000 rbx=0000000002f8b8a0 rcx=0000000002f27ee8
rdx=0000000002f8a598 rsi=0000000002f8a598 rdi=0000000002fa1028
rip=00007ffc8fcb0829 rsp=000000000113e5b0 rbp=000000000113e5e0
r8=0000000002fa1028  r9=0000000000000000 r10=00007ff480140018
r11=00007ffc8fba8ae8 r12=0000000000000002 r13=0000000000000202
r14=0000000000000001 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00007ffc`8fcb0829 c70001000000    mov     dword ptr [rax],1 ds:00000000`00000000=????????

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 274)

Sunday, January 31st, 2021

COM Exceptions are Software Exceptions and their information can be extracted from C++ Exception record as shown in this post. Here we show the case of Nested and Hidden Exceptions.

We see a COM exception raising function on Exception Stack Trace:

0:008> .exr -1
ExceptionAddress: 00007ff97800cadf (ntdll!LdrpICallHandler+0x000000000000000f)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000000a
Subcode: 0xa FAST_FAIL_GUARD_ICALL_CHECK_FAILURE

0:008> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP          RetAddr           Call Site
00 0000009e`393f9e78 00007ff9`7802184f ntdll!LdrpICallHandler+0xf
01 0000009e`393f9e80 00007ff9`77fea889 ntdll!RtlpExecuteHandlerForException+0xf
02 0000009e`393f9eb0 00007ff9`780204be ntdll!RtlDispatchException+0x219
03 0000009e`393fa5c0 00007ff9`7800cb9e ntdll!KiUserExceptionDispatch+0x2e
04 0000009e`393fad78 00007ff9`72591030 ntdll!LdrpDispatchUserCallTarget+0xe
05 0000009e`393fad80 00007ff9`72594a52 VCRUNTIME140_APP!_CallSettingFrame+0x20
06 0000009e`393fadb0 00007ff9`7259e514 VCRUNTIME140_APP!__FrameHandler3::FrameUnwindToState+0x112
07 0000009e`393fae20 00007ff9`72593cc8 VCRUNTIME140_APP!__FrameHandler3::FrameUnwindToEmptyState+0x54
08 0000009e`393fae50 00007ff9`7259ee51 VCRUNTIME140_APP!__InternalCxxFrameHandler<__FrameHandler3>+0x10c
09 0000009e`393faeb0 00007ff8`f83ea850 VCRUNTIME140_APP!__CxxFrameHandler3+0x71
0a 0000009e`393faf00 00007ff9`780218cf PaintStudio_ViewModel!DllGetActivationFactory+0x100
0b 0000009e`393faf30 00007ff9`77f9d9b2 ntdll!RtlpExecuteHandlerForUnwind+0xf
0c 0000009e`393faf60 00007ff9`7259e9de ntdll!RtlUnwindEx+0x522
0d 0000009e`393fb670 00007ff9`72592955 VCRUNTIME140_APP!__FrameHandler3::UnwindNestedFrames+0xee
0e 0000009e`393fb760 00007ff9`72592d81 VCRUNTIME140_APP!CatchIt<__FrameHandler3>+0xb9
0f 0000009e`393fb800 00007ff9`72593dc4 VCRUNTIME140_APP!FindHandler<__FrameHandler3>+0x33d
10 0000009e`393fb970 00007ff9`7259ee51 VCRUNTIME140_APP!__InternalCxxFrameHandler<__FrameHandler3>+0x208
11 0000009e`393fb9d0 00007ff9`7802184f VCRUNTIME140_APP!__CxxFrameHandler3+0x71
12 0000009e`393fba20 00007ff9`77fea889 ntdll!RtlpExecuteHandlerForException+0xf
13 0000009e`393fba50 00007ff9`77fea643 ntdll!RtlDispatchException+0x219
14 0000009e`393fc160 00007ff9`759d3b29 ntdll!RtlRaiseException+0x153
15 0000009e`393fc9d0 00007ff9`72596220 KERNELBASE!RaiseException+0x69
16 0000009e`393fcab0 00007ff9`4919a58c VCRUNTIME140_APP!_CxxThrowException+0x90
17 0000009e`393fcb10 00007ff8`f8057628 vccorlib140_app!__abi_WinRTraiseCOMException+0x2c
18 0000009e`393fcb40 00007ff8`f8093e81 PaintStudio_ViewModel+0x7628
19 0000009e`393fcb70 00007ff8`f818f27f PaintStudio_ViewModel+0x43e81
1a 0000009e`393fcbc0 00007ff8`f818c26f PaintStudio_ViewModel+0x13f27f
1b 0000009e`393fcc90 00007ff8`f811935a PaintStudio_ViewModel+0x13c26f
1c 0000009e`393fcd40 00007ff8`f827ce8e PaintStudio_ViewModel+0xc935a
1d 0000009e`393fd110 00007ff8`f82723ab PaintStudio_ViewModel+0x22ce8e
1e 0000009e`393fd5c0 00007ff8`f83bf09d PaintStudio_ViewModel+0x2223ab
1f 0000009e`393fd7b0 00007ff8`f83c16bd PaintStudio_ViewModel+0x36f09d
20 0000009e`393fdc60 00007ff8`f80e1331 PaintStudio_ViewModel+0x3716bd
21 0000009e`393fdd10 00007ff7`2030d3b9 PaintStudio_ViewModel+0x91331
22 0000009e`393fdd50 00007ff7`202f772f PaintStudio_View+0x2d3b9
23 0000009e`393fddb0 00007ff7`202f702b PaintStudio_View+0x1772f
24 0000009e`393fdee0 00007ff7`202f520e PaintStudio_View+0x1702b
25 0000009e`393fe010 00007ff7`203266d6 PaintStudio_View+0x1520e
26 0000009e`393fe100 00007ff9`4af9d25b PaintStudio_View+0x466d6
27 0000009e`393fe140 00007ff9`4af9d1ce Windows_UI_Xaml!DirectUI::FrameworkApplicationGenerated::OnActivatedProtected+0x4b
28 0000009e`393fe170 00007ff9`4af9ebe6 Windows_UI_Xaml!DirectUI::FrameworkApplication::DispatchGenericActivation+0x4a
29 0000009e`393fe1a0 00007ff9`4aeb39eb Windows_UI_Xaml!DirectUI::FrameworkView::OnActivated+0x186
2a (Inline Function) --------`-------- Windows_UI_Xaml!Microsoft::WRL::Callback::__l2::<lambda_772c64e6f5ddba6f719dbbabda2a0901>::operator()+0x15
2b 0000009e`393fe220 00007ff9`72cd55cf Windows_UI_Xaml!Microsoft::WRL::Details::DelegateArgTraits<long (__cdecl Windows::Foundation::ITypedEventHandler_impl<Windows::Foundation::Internal::AggregateType<Windows::UI::Core::CoreWindow *,Windows::UI::Core::ICoreWindow *>,IInspectable *>::*)(Windows::UI::Core::ICoreWindow *,IInspectable *)>::DelegateInvokeHelper<Windows::Foundation::ITypedEventHandler<Windows::UI::Core::CoreWindow *,IInspectable *>,<lambda_772c64e6f5ddba6f719dbbabda2a0901>,-1,Windows::UI::Core::ICoreWindow *,IInspectable *>::Invoke+0x1b
2c 0000009e`393fe250 00007ff9`72cd8a22 twinapi_appcore!Microsoft::WRL::InvokeTraits<-2>::InvokeDelegates<<lambda_3ad0adb09957fd62cbc86618ebbeb8fa>,Windows::Foundation::ITypedEventHandler<Windows::ApplicationModel::Core::CoreApplicationView *,Windows::ApplicationModel::Activation::IActivatedEventArgs *> >+0x67
2d 0000009e`393fe2c0 00007ff9`76cb6a63 twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::Activate+0x3d2
2e 0000009e`393fe430 00007ff9`76d1a036 rpcrt4!Invoke+0x73
2f 0000009e`393fe490 00007ff9`76c783b9 rpcrt4!Ndr64StubWorker+0xb56
30 0000009e`393feb30 00007ff9`76fd5d13 rpcrt4!NdrStubCall3+0xc9
31 0000009e`393feb90 00007ff9`76c99bab combase!CStdStubBuffer_Invoke+0x73
32 0000009e`393febd0 00007ff9`76fbd0e3 rpcrt4!CStdStubBuffer_Invoke+0x3b
33 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0x18
34 0000009e`393fec00 00007ff9`76fbced3 combase!ObjectMethodExceptionHandlingAction< <lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x43
35 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0xa8
36 0000009e`393fec60 00007ff9`76fd9556 combase!DefaultStubInvoke+0x1c3
37 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x22
38 0000009e`393fedb0 00007ff9`76fba4fa combase!SyncServerCall::StubInvoke+0x26
39 (Inline Function) --------`-------- combase!StubInvoke+0x259
3a 0000009e`393fedf0 00007ff9`76fda81b combase!ServerCall::ContextInvoke+0x42a
3b (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0xc0
3c (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0xc0
3d 0000009e`393ff1f0 00007ff9`76f701ac combase!ASTAInvokeInApartment+0x15b
3e 0000009e`393ff400 00007ff9`76f70a11 combase!AppInvoke+0x1ec
3f 0000009e`393ff490 00007ff9`76f918c2 combase!ComInvokeWithLockAndIPID+0x681
40 (Inline Function) --------`-------- combase!ComInvoke+0x1c1
41 0000009e`393ff7c0 00007ff9`76f90a99 combase!ThreadDispatch+0x272
42 0000009e`393ff890 00007ff9`76f947ba combase!ModernSTAState::HandleMessage+0x51
43 0000009e`393ff8e0 00007ff9`4eac92f5 combase!ModernSTAWaitContext::HandlePriorityEventsFromMessagePump+0x66
44 0000009e`393ff910 00007ff9`4eac8fee Windows_UI!Windows::UI::Core::CDispatcher::ProcessMessage+0x1b5
45 0000009e`393ff9c0 00007ff9`4eac8f21 Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessagesInternal+0xae
46 0000009e`393ffad0 00007ff9`72cea89f Windows_UI!Windows::UI::Core::CDispatcher::WaitAndProcessMessages+0x31
47 0000009e`393ffb00 00007ff9`76eac235 twinapi_appcore!<lambda_643db08282a766b00cec20194396f531>::operator()+0xff
48 0000009e`393ffbf0 00007ff9`77aa7c24 SHCore!_WrapperThreadProc+0xf5
49 0000009e`393ffcd0 00007ff9`77fed4d1 kernel32!BaseThreadInitThunk+0x14
4a 0000009e`393ffd00 00000000`00000000 ntdll!RtlUserThreadStart+0x21

We dump the doubly dereferenced raw stack region around such exception processing calls:

0:008> dpp 0000009e`393fc160 0000009e`393fcb70
[...]
0000009e`393fcb38 00007ff8`f8057628 cc003f4c`6115ffcc
0000009e`393fcb40 0000009e`393fcb88 0000009e`393fcb98
0000009e`393fcb48 000001e8`69af9450 00007ff9`491c6170 vccorlib140_app!Platform::COMException::`vftable'
0000009e`393fcb50 000001e8`69af9450 00007ff9`491c6170 vccorlib140_app!Platform::COMException::`vftable'
[...]

We see C++ object references and apply the object structure to them:

0:008> dt vccorlib140_app!Platform::COMException 000001e8`69af9450
+0x000 __VFN_table : 0x00007ff9`491c6170
+0x008 __VFN_table : 0x00007ff9`491c5bf8
+0x010 __VFN_table : 0x00007ff9`491c5e20
+0x018 __VFN_table : 0x00007ff9`491c5ec0
+0x020 __description    : 0x000001e8`5e1e30a8 Void
+0x028 __restrictedErrorString : 0x000001e8`5ba83728 Void
+0x030 __restrictedErrorReference : (null)
+0x038 __capabilitySid  : (null)
+0x040 __hresult        : 0n-2147024894
+0x048 __restrictedInfo : 0x000001e8`699f4308 Void
+0x050 __throwInfo      : 0x00007ff9`491baf60 Void
+0x058 __size           : 0x40
+0x060 __prepare        : Platform::IntPtr
+0x068 __abi_reference_count : __abi_FTMWeakRefData
+0x078 __abi_disposed   : 0
+0x080 __abi_disposed   : 0

0:008> du 0x000001e8`5e1e30a8
000001e8`5e1e30a8  "The system cannot find the file "
000001e8`5e1e30e8  "specified..."

0:008> du 0x000001e8`5ba83728
000001e8`5ba83728  "Error trying to initialize appli"
000001e8`5ba83768  "cation data storage folder"

0:008> !error 0n-2147024894
Error code: (HRESULT) 0x80070002 (2147942402) - The system cannot find the file specified.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 273)

Monday, January 25th, 2021

C++ Objects may leave virtual function table pointer traces in Execution Residue and, therefore, their adjacent data can be inspected:

0:000> !teb
TEB at 0000000000306000
ExceptionList: 0000000000000000
StackBase: 0000000000150000
StackLimit: 000000000014d000

SubSystemTib: 0000000000000000
FiberData: 0000000000001e00
ArbitraryUserPointer: 0000000000000000
Self: 0000000000306000
EnvironmentPointer: 0000000000000000
ClientId: 0000000000000214 . 00000000000011b0
RpcHandle: 0000000000000000
Tls Storage: 0000000000306058
PEB Address: 0000000000305000
LastErrorValue: 0
LastStatusValue: c0000034
Count Owned Locks: 0
HardErrorMode: 0

0:000> dps 000000000014d000 0000000000150000
00000000`0014d000 00000000`00000000
00000000`0014d008 00000000`00000000
00000000`0014d010 00000000`00000000
00000000`0014d018 00000000`00000000
00000000`0014d020 00000000`00000000
[...]
00000000`0014fe08 00000000`00000000
00000000`0014fe10 00000000`005d4550
00000000`0014fe18 00000000`00000000
00000000`0014fe20 00000000`005cd7e0
00000000`0014fe28 00000000`005cd7e0
00000000`0014fe30 00000000`005cd7e0
00000000`0014fe38 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`0014fe40 624f206f`6c6c6548
00000000`0014fe48 00000021`7463656a
00000000`0014fe50 00000000`00000000
00000000`0014fe58 00000000`00000000
00000000`0014fe60 00000000`00000000
00000000`0014fe68 00000000`00000000
00000000`0014fe70 00000000`00000000
00000000`0014fe78 00000000`00000000
00000000`0014fe80 00000000`00000000
00000000`0014fe88 00000000`00000000
00000000`0014fe90 00000000`00000000
00000000`0014fe98 00000000`00000000
00000000`0014fea0 00000000`00000000
00000000`0014fea8 00000000`00000000
00000000`0014feb0 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`0014feb8 624f206f`6c6c6548
00000000`0014fec0 00000021`7463656a
00000000`0014fec8 00000000`00000000
00000000`0014fed0 00000000`00000000
00000000`0014fed8 0000e111`9d4d4b61
[...]

0:000> dps 00000001`40017778
00000001`40017778 00000001`40001040 ExecutionResidueC__Objects!CObject::`scalar deleting destructor'
00000001`40017780 00000001`40001020 ExecutionResidueC__Objects!CObject::foo
00000001`40017788 00000001`40001030 ExecutionResidueC__Objects!CObject::bar
00000001`40017790 600e149f`00000000
00000001`40017798 00000002`00000000
00000001`400177a0 00017c6c`00000069
00000001`400177a8 00000000`00016e6c
00000001`400177b0 00000000`600e149f
00000001`400177b8 00000014`0000000c
00000001`400177c0 00016ed8`00017cd8
00000001`400177c8 600e149f`00000000
00000001`400177d0 0000000d`00000000
00000001`400177d8 00017cec`000002f0
00000001`400177e0 00000000`00016eec
00000001`400177e8 00000000`600e149f
00000001`400177f0 00000000`0000000e

0:000> da 00000000`0014feb8
00000000`0014feb8 "Hello Object!"

0:000> dt ExecutionResidueC__Objects!CObject 00000000`0014feb0
+0x000 __VFN_table : 0x00000001`40017778
+0x008 data : [32] "Hello Object!"

We see that two objects were allocated on the stack. However, finding dynamically allocated objects may require another level of pointer indirection when pointers to such objects are stored on the stack, for example with the dpp WinDbg command:

0:000> dpp 000000000014d000 0000000000150000
00000000`0014d000 00000000`00000000
00000000`0014d008 00000000`00000000
00000000`0014d010 00000000`00000000
00000000`0014d018 00000000`00000000
00000000`0014d020 00000000`00000000
[...]
00000000`0014fe08 00000000`00000000
00000000`0014fe10 00000000`005d4550 00000000`005d4560
00000000`0014fe18 00000000`00000000
00000000`0014fe20 00000000`005cd7e0 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`0014fe28 00000000`005cd7e0 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`0014fe30 00000000`005cd7e0 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`0014fe38 00000001`40017778 00000001`40001040 ExecutionResidueC__Objects!CObject::`scalar deleting destructor'
00000000`0014fe40 624f206f`6c6c6548
00000000`0014fe48 00000021`7463656a
00000000`0014fe50 00000000`00000000
00000000`0014fe58 00000000`00000000
00000000`0014fe60 00000000`00000000
00000000`0014fe68 00000000`00000000
00000000`0014fe70 00000000`00000000
00000000`0014fe78 00000000`00000000
00000000`0014fe80 00000000`00000000
00000000`0014fe88 00000000`00000000
00000000`0014fe90 00000000`00000000
00000000`0014fe98 00000000`00000000
00000000`0014fea0 00000000`00000000
00000000`0014fea8 00000000`00000000
00000000`0014feb0 00000001`40017778 00000001`40001040 ExecutionResidueC__Objects!CObject::`scalar deleting destructor'
00000000`0014feb8 624f206f`6c6c6548
00000000`0014fec0 00000021`7463656a
00000000`0014fec8 00000000`00000000
00000000`0014fed0 00000000`00000000
00000000`0014fed8 0000e111`9d4d4b61
[...]

0:000> !address 00000000`005cd7e0

Usage: Heap
Base Address: 00000000`005c0000
End Address: 00000000`005d8000
Region Size: 00000000`00018000 ( 96.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 00000000`005c0000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x5c0000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x5cd7e0

0:000> dps 00000000`005cd7e0
00000000`005cd7e0 00000001`40017778 ExecutionResidueC__Objects!CObject::`vftable'
00000000`005cd7e8 624f206f`6c6c6548
00000000`005cd7f0 00000021`7463656a
00000000`005cd7f8 00000000`00000000
00000000`005cd800 00000000`00000000
00000000`005cd808 93002500`6c5ec8a3
00000000`005cd810 4f535345`434f5250
00000000`005cd818 54494843`52415f52
00000000`005cd820 413d4552`55544345
00000000`005cd828 00000000`3436444d
00000000`005cd830 00000000`00000000
00000000`005cd838 92002600`6c5bc8a0
00000000`005cd840 576d6172`676f7250
00000000`005cd848 5c3a433d`32333436
00000000`005cd850 206d6172`676f7250
00000000`005cd858 00000073`656c6946

0:000> da 00000000`005cd7e8
00000000`005cd7e8 "Hello Object!"

0:000> dps 00000001`40017778
00000001`40017778 00000001`40001040 ExecutionResidueC__Objects!CObject::`scalar deleting destructor'
00000001`40017780 00000001`40001020 ExecutionResidueC__Objects!CObject::foo
00000001`40017788 00000001`40001030 ExecutionResidueC__Objects!CObject::bar
00000001`40017790 600e149f`00000000
00000001`40017798 00000002`00000000
00000001`400177a0 00017c6c`00000069
00000001`400177a8 00000000`00016e6c
00000001`400177b0 00000000`600e149f
00000001`400177b8 00000014`0000000c
00000001`400177c0 00016ed8`00017cd8
00000001`400177c8 600e149f`00000000
00000001`400177d0 0000000d`00000000
00000001`400177d8 00017cec`000002f0
00000001`400177e0 00000000`00016eec
00000001`400177e8 00000000`600e149f
00000001`400177f0 00000000`0000000e

0:000> dt ExecutionResidueC__Objects!CObject 00000000`005cd7e0
+0x000 __VFN_table : 0x00000001`40017778
+0x008 data : [32] "Hello Object!"

We created a modeling C++ program for better illustration:

struct CObject
{
    virtual ~CObject() {};
    virtual int foo() { return 1; };
    virtual int bar() { return 2; };

    char data[32] = "Hello Object!";
};

int main()
{
    CObject  localObj;
    int      _[20]{};    // padding the stack
    CObject* dynamicObj{new CObject};

    throw CObject();
}

The example memory dump, PDB file, and source code can be downloaded from here.
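An added example, not the post's code or the downloadable sample, that models the dps/dpp walk above in Python: it lays out CObject instances in a constructed memory image and then scans the stack range for vftable pointers stored inline and for pointers to objects that carry one (the dpp extra dereference). The vftable address, stack bounds and object addresses are the ones printed in the session; everything else in the image is constructed for the example.

```python
"""Model of the dps/dpp walk in the post: find C++ objects by their vftable
pointer residue in a memory region, including heap objects reachable only
through a pointer stored in that region (the dpp extra dereference)."""
import struct
from dataclasses import dataclass

# Values copied from the debugger session above; the memory contents around
# them are constructed for this example, not read from the real dump.
COBJECT_VFTABLE = 0x1_4001_7778
SYMBOLS = {COBJECT_VFTABLE: "ExecutionResidueC__Objects!CObject::`vftable'"}
STACK_LIMIT, STACK_BASE = 0x14D000, 0x150000   # StackLimit/StackBase from !teb
HEAP_OBJECT = 0x5CD7E0                           # dynamicObj, seen via dpp


class Memory:
    """Sparse little-endian memory image; a read touching unmapped bytes returns None."""

    def __init__(self):
        self._bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self._bytes[addr + i] = b

    def write_qword(self, addr, value):
        self.write(addr, struct.pack("<Q", value))

    def read(self, addr, size):
        out = bytearray()
        for i in range(size):
            b = self._bytes.get(addr + i)
            if b is None:
                return None
            out.append(b)
        return bytes(out)

    def read_qword(self, addr):
        raw = self.read(addr, 8)
        return None if raw is None else struct.unpack("<Q", raw)[0]

    def read_cstring(self, addr, limit=32):
        raw = self.read(addr, limit)
        return None if raw is None else raw.split(b"\0", 1)[0].decode("ascii", "replace")


def write_cobject(mem, addr, text):
    """Lay out a CObject as dt showed it: +0x000 __VFN_table, +0x008 char data[32]."""
    mem.write_qword(addr, COBJECT_VFTABLE)
    mem.write(addr + 8, text.encode("ascii").ljust(32, b"\0"))


@dataclass(frozen=True)
class ObjectHit:
    slot: int          # address of the qword in the scanned region
    object_addr: int   # where the object itself lives
    via_pointer: bool  # False: vptr found inline (dps); True: one extra dereference (dpp)
    data: str


def scan_for_objects(mem, start, end):
    """Walk [start, end) a qword at a time, like dps/dpp, and report CObject instances."""
    hits = []
    for slot in range(start, end, 8):
        value = mem.read_qword(slot)
        if value is None:
            continue
        if value in SYMBOLS:                       # vptr stored inline: the object starts here
            hits.append(ObjectHit(slot, slot, False, mem.read_cstring(slot + 8)))
            continue
        target = mem.read_qword(value)             # dpp step: treat the value as a pointer
        if target in SYMBOLS:
            hits.append(ObjectHit(slot, value, True, mem.read_cstring(value + 8)))
    return hits


def distinct_objects(hits):
    """Collapse repeated stack copies of the same pointer to one object address each."""
    return sorted({h.object_addr for h in hits})


def build_sample_image():
    """Reconstruct the slots the post shows: two objects on the stack, three stack
    copies of the heap pointer, and the heap object they refer to."""
    mem = Memory()
    for slot in range(STACK_LIMIT, STACK_BASE, 8):
        mem.write_qword(slot, 0)                   # the dumped stack is mostly zeros
    write_cobject(mem, 0x14FE38, "Hello Object!")  # temporary created by throw CObject()
    write_cobject(mem, 0x14FEB0, "Hello Object!")  # localObj
    for slot in (0x14FE20, 0x14FE28, 0x14FE30):
        mem.write_qword(slot, HEAP_OBJECT)         # dynamicObj pointer spilled to the stack
    write_cobject(mem, HEAP_OBJECT, "Hello Object!")
    return mem


if __name__ == "__main__":
    for h in scan_for_objects(build_sample_image(), STACK_LIMIT, STACK_BASE):
        kind = "dpp" if h.via_pointer else "dps"
        print(f"{h.slot:016x} -> {h.object_addr:016x} [{kind}] {h.data!r}")
```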

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 4b)

Friday, July 10th, 2020

One of the earliest memory analysis patterns, Lateral Damage, now has a specialization for CPU mode. For various reasons we may get a dump with a different default CPU mode, for example, WOW64 or even V86 segmented memory addressing mode. In such a case, most commands will not work or will give incorrect output.

In one such dump we see 32-bit bugcheck parameters in !analyze -v command output:

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 054d0450, Terminating object
Arg3: 054d0730, Process image file name
Arg4: 02b90db0, Explanatory message (ascii)

But the dump itself from x64 Windows:

Kernel base = 0xfffff800`0280d000 PsLoadedModuleList = 0xfffff800`02a52e90

We notice WOW64 prompt:

16.1: kd:x86> k
# ChildEBP          RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 00000000 00000000 0x0

We switch to x64 mode:

16.1: kd:x86> .effmach AMD64
Effective machine: x64 (AMD64)

Now we get correct bugcheck parameters:

16.1: kd> !analyze -v
[...]
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa80054d0450, Terminating object
Arg3: fffffa80054d0730, Process image file name
Arg4: fffff80002b90db0, Explanatory message (ascii)

[...]

However, the stack trace is not available, all registers are zeroed, and stack region memory is not accessible:

16.1: kd> k
# Child-SP          RetAddr           Call Site
00 00000000`00000000 00000000`00000000 0x0

16.1: kd> !thread
THREAD fffffa800b2c6b60  Cid 0998.1a58  Teb: 000007ffffeee000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                 fffff8a000008aa0
Owning Process            fffffa800425b820       Image:         App.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      28317542       Ticks: 0
Context Switch Count      2              IdealProcessor: 0
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x000007feee8080ec
Stack Init fffff880066f3c70 Current fffff880066f3440
Base fffff880066f4000 Limit fffff880066ee000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`00000000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x0

16.1: kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=0000000000000000 rbp=0000000000000000
r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di pl nz na pe nc
cs=0000  ss=0000  ds=0000  es=0000  fs=0000  gs=0000             efl=00000000
00000000`00000000 ??              ???

16.1: kd> dp fffff880066f3440
0000:3440  ????????`???????? ????????`????????
0000:3450  ????????`???????? ????????`????????
0000:3460  ????????`???????? ????????`????????
0000:3470  ????????`???????? ????????`????????
0000:3480  ????????`???????? ????????`????????
0000:3490  ????????`???????? ????????`????????
0000:34a0  ????????`???????? ????????`????????
0000:34b0  ????????`???????? ????????`????????

We notice segmented memory addressing and apply the .segmentation command, which is still available (the hint is taken from here):

16.1: kd> .segmentation /V /X /a
In x86 v86 code: no
In x86 16-bit code: no
In amd64 64-bit code: yes

Although the stack trace is not available, we see the normal prompt and can look at the stack region Execution Residue and get a Rough Stack Trace:

1: kd> k
# Child-SP          RetAddr           Call Site
00 00000000`00000000 00000000`00000000 0x0

1: kd> dpS fffff880066ee000 fffff880066f4000
fffff800`02b7e79e nt!PspGetSetContextInternal+0x2c6
fffff800`02b7e8e5 nt!PspGetSetContextInternal+0x40d
fffff800`0289e11e nt!MiResolveDemandZeroFault+0x3be
fffff800`02e04245 hal!HalpPCIPerformConfigAccess+0x55
fffff800`02e04b32 hal!HalpPciAccessMmConfigSpace+0x196
fffff880`051f224f dump_diskdump!WorkHorseDpc+0x18f
fffff800`02e04000 hal!HalpPCIConfig+0x70
fffff880`051f3dbb dump_diskdump!ScsiPortNotification+0x107
fffff880`04c0386f dump_LSI_SAS!BuildScatterGather+0xcf [e:\win7\drivers\oem\src\storage\lsi_sas\ca_init.c @ 2468]
fffff880`04c086c2 dump_LSI_SAS!CheckInqFlagReplies+0x42e [e:\win7\drivers\oem\src\storage\lsi_sas\ca_util.c @ 6455]
fffff800`028cdf7e nt!iswctype_l+0xce
fffff880`051f224f dump_diskdump!WorkHorseDpc+0x18f
fffff800`028cde19 nt!output_l+0x6e1
fffff880`051e9110 crashdmp!StrBeginningDump
fffff880`051f3dbb dump_diskdump!ScsiPortNotification+0x107
fffff800`028cde19 nt!output_l+0x6e1
fffff880`04c0386f dump_LSI_SAS!BuildScatterGather+0xcf [e:\win7\drivers\oem\src\storage\lsi_sas\ca_init.c @ 2468]
fffff880`04c12090 dump_LSI_SAS!LSImpiMSIIsr+0xf4 [e:\win7\drivers\oem\src\storage\lsi_sas\ca_int.c @ 208]
fffff880`04c0386f dump_LSI_SAS!BuildScatterGather+0xcf [e:\win7\drivers\oem\src\storage\lsi_sas\ca_init.c @ 2468]
fffff880`051f224f dump_diskdump!WorkHorseDpc+0x18f
fffff800`02e072ec hal!HalpTscStallExecutionProcessor+0xe8
fffff880`051f2401 dump_diskdump!AllocateScatterGatherList+0x5d
fffff880`051f257c dump_diskdump!ExecuteSrb+0x68
fffff880`051e9370 crashdmp!Context+0x30
fffff880`051e9370 crashdmp!Context+0x30
fffff800`0292810c nt!DisplayCharacter+0x5c
fffff880`051f3a9d dump_diskdump!ScsiPortInitialize+0x805
fffff880`051e9370 crashdmp!Context+0x30
fffff800`02929c33 nt!VidDisplayString+0x73
fffff880`051e9370 crashdmp!Context+0x30
fffff880`051e6440 crashdmp!IsBufferValid+0x28
fffff880`051e5f7a crashdmp!FilterCallback+0xae
fffff880`051f2a79 dump_diskdump!DiskDumpWrite+0x1a9
fffff880`051e5d76 crashdmp!CrashdmpWriteRoutine+0x4a
fffff880`051e4f48 crashdmp!WritePageSpanToDisk+0x180
fffff880`051e9370 crashdmp!Context+0x30
fffff880`051e9370 crashdmp!Context+0x30
fffff880`051e4c95 crashdmp!WriteKernelDump+0x12d
fffff880`051e5d2c crashdmp!CrashdmpWriteRoutine
fffff800`02a85b60 nt!KeBugCheckAddPagesCallbackListHead
fffff880`051e4ac5 crashdmp!DumpWrite+0x145
fffff880`051e9370 crashdmp!Context+0x30
fffff880`051e4187 crashdmp!CrashdmpWrite+0x57
fffff880`051e9a30 crashdmp!ContextCopy
fffff800`02a85b60 nt!KeBugCheckAddPagesCallbackListHead
fffff800`02974bc1 nt!IoWriteCrashDump+0x391
fffff800`02a898a0 nt!IopTriageDumpDataBlocks
fffff800`02a85b60 nt!KeBugCheckAddPagesCallbackListHead
fffff800`02a85b60 nt!KeBugCheckAddPagesCallbackListHead
fffff800`02936de0 nt!IoSetDumpRange
fffff800`02936d30 nt!IoFreeDumpRange
fffff800`02abe900 nt!KiProcessorBlock
fffff800`0280d000 nt!KiSelectNextThread <PERF> (nt+0x0)
fffff800`02975f26 nt!KeBugCheck2+0xac6
fffff800`02b90db0 nt! ?? ::NNGAKEGL::`string'
fffff800`028a051e nt!SepNormalAccessCheck+0x18e
fffff800`02b90db0 nt! ?? ::NNGAKEGL::`string'
fffff800`02e0a501 hal!HalpSendFlatIpi+0x92
fffff800`02b90db0 nt! ?? ::NNGAKEGL::`string'
fffff800`0288d744 nt!KeBugCheckEx+0x104
fffff800`02b90db0 nt! ?? ::NNGAKEGL::`string'
fffff800`02c15982 nt!PspCatchCriticalBreak+0x92
fffff800`02b90db0 nt! ?? ::NNGAKEGL::`string'
fffff800`02bc30ab nt! ?? ::NNGAKEGL::`string'+0x17ad6
fffff800`02b46698 nt!NtTerminateProcess+0xf4
fffff800`0288c8d3 nt!KiSystemServiceCopyEnd+0x13
????????`????????

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 270)

Wednesday, June 17th, 2020

Inspecting the type of memory region a pointer points to may help in diagnosing some coding mistakes. We call this analysis pattern Pointer Class. Below is a case study modeled on a real-life case.

The application was crashing sporadically, and the memory dump was pointing to invalid objects reused after free. We recreated a similar source code pattern and got a similar crash (PointerClass.exe.8752.dmp):

0:000> kL
# Child-SP          RetAddr           Call Site
00 000000e9`a10fe448 00007ff9`64e08037 ntdll!NtWaitForMultipleObjects+0x14
01 000000e9`a10fe450 00007ff9`64e07f1e KERNELBASE!WaitForMultipleObjectsEx+0x107
02 000000e9`a10fe750 00007ff9`653c71fb KERNELBASE!WaitForMultipleObjects+0xe
03 000000e9`a10fe790 00007ff9`653c6ca8 kernel32!WerpReportFaultInternal+0x51b
04 000000e9`a10fe8b0 00007ff9`64eb00b8 kernel32!WerpReportFault+0xac
05 000000e9`a10fe8f0 00007ff9`672a4ab2 KERNELBASE!UnhandledExceptionFilter+0x3b8
06 000000e9`a10fea10 00007ff9`6728c656 ntdll!RtlUserThreadStart$filt$0+0xa2
07 000000e9`a10fea50 00007ff9`672a11cf ntdll!_C_specific_handler+0x96
08 000000e9`a10feac0 00007ff9`6726a209 ntdll!RtlpExecuteHandlerForException+0xf
09 000000e9`a10feaf0 00007ff9`6729fe3e ntdll!RtlDispatchException+0x219
0a 000000e9`a10ff200 00007ff7`df32103a ntdll!KiUserExceptionDispatch+0x2e
0b 000000e9`a10ff918 00007ff7`df321081 PointerClass!Data::GetData+0xa
0c 000000e9`a10ff920 00007ff7`df32121a PointerClass!Work::DoWork+0x21
0d 000000e9`a10ff960 00007ff7`df321494 PointerClass!main+0x4a
0e (Inline Function) --------`-------- PointerClass!invoke_main+0x22
0f 000000e9`a10ff9b0 00007ff9`65377bd4 PointerClass!__scrt_common_main_seh+0x10c
10 000000e9`a10ff9f0 00007ff9`6726ce51 kernel32!BaseThreadInitThunk+0x14
11 000000e9`a10ffa20 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:000> .frame b
0b 000000e9`a10ff918 00007ff7`df321081 PointerClass!Data::GetData+0xa [C:\NewWork\PointerClass\PointerClass.cpp @ 7]

0:000> dv
this = 0x00000227`eb030000

0:000> dp poi(this)
00000227`eb030000  ????????`???????? ????????`????????
00000227`eb030010  ????????`???????? ????????`????????
00000227`eb030020  ????????`???????? ????????`????????
00000227`eb030030  ????????`???????? ????????`????????
00000227`eb030040  ????????`???????? ????????`????????
00000227`eb030050  ????????`???????? ????????`????????
00000227`eb030060  ????????`???????? ????????`????????
00000227`eb030070  ????????`???????? ????????`????????

struct Data
{
    void SetData(int newData) { data = newData; }
    int  GetData() { return data; }
private:
    int data{};
};

An engineer found out that a pointer to an outside object was used and it was not updated when the object was freed:

struct Work
{
    void SetData(Data* newData)
    {
        data = newData;
    }

    void DoWork()
    {
        if (data)
        {
            auto value = data->GetData();
            ++value;
            data->SetData(value);
        }
    }

private:
    Data* data{};
};

void Init(Work& work, Model& model)
{
    unsigned long long dummy{};
    if (Data* pData = model.GetData(); pData)
    {
        work.SetData(pData);
    }
}

The proposed solution was to use a double pointer, but it also crashed (PointerClassFixNotWorking.exe.7452.dmp):

struct Work
{
    void SetData(Data** newData)
    {
        data = newData;
    }

    void DoWork()
    {
        if (data && *data)
        {
            auto value = (*data)->GetData();
            ++value;
            (*data)->SetData(value);
        }
    }

private:
    Data** data{};
};

void Init(Work& work, Model& model)
{
    unsigned long long dummy{};
    if (Data* pData = model.GetData(); pData)
    {
        work.SetData(&pData);
    }
}

0:000> .ecxr
*** WARNING: Unable to verify checksum for PointerClassFixNotWorking.exe
rax=0000019a4be10000 rbx=0000019a4bff29c0 rcx=0000019a4be10000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000019a4bff6cf0
rip=00007ff766d5103a rsp=0000007ede6ff958 rbp=0000000000000000
r8=0000007ede6ff938  r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
PointerClassFixNotWorking!Data::GetData+0xa:
00007ff7`66d5103a 8b00            mov     eax,dword ptr [rax] ds:0000019a`4be10000=????????

0:000> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP          RetAddr           Call Site
00 0000007e`de6ff958 00007ff7`66d51092 PointerClassFixNotWorking!Data::GetData+0xa
01 0000007e`de6ff960 00007ff7`66d5124a PointerClassFixNotWorking!Work::DoWork+0x32
02 0000007e`de6ff9a0 00007ff7`66d514d4 PointerClassFixNotWorking!main+0x4a
03 (Inline Function) --------`-------- PointerClassFixNotWorking!invoke_main+0x22
04 0000007e`de6ff9f0 00007ff9`65377bd4 PointerClassFixNotWorking!__scrt_common_main_seh+0x10c
05 0000007e`de6ffa30 00007ff9`6726ce51 kernel32!BaseThreadInitThunk+0x14
06 0000007e`de6ffa60 00000000`00000000 ntdll!RtlUserThreadStart+0x21

struct Data
{
    void SetData(int newData) { data = newData; }
    int  GetData() { return data; }
private:
    int data{};
};

It was hypothesized that the object was also freed somewhere else, and the debugging continued. However, a simple inspection of the Pointer Class of this->data would have revealed that it points to a stack location (one that was reused by subsequent calls to other functions):

0:000> .frame 1
01 0000007e`de6ff960 00007ff7`66d5124a PointerClassFixNotWorking!Work::DoWork+0x32 [C:\NewWork\PointerClassFixNotWorking\PointerClassFixNotWorking.cpp @ 24]

0:000> dv /i /v
prv local  0000007e`de6ff980           value = 0n1275013568
prv local  0000007e`de6ff9a0            this = 0x0000007e`de6ff9c0

0:000> dt this
Local var @ 0x7ede6ff9a0 Type Work*
0x0000007e`de6ff9c0
+0x000 data             : 0x0000007e`de6ff978  -> 0x0000019a`4be10000 Data

0:000> !address 0x0000007e`de6ff978
Usage:                  Stack
Base Address:           0000007e`de6fd000
End Address:            0000007e`de700000
Region Size:            00000000`00003000 (  12.000 kB)
State:                  00001000          MEM_COMMIT
Protect:                00000004          PAGE_READWRITE
Type:                   00020000          MEM_PRIVATE
Allocation Base:        0000007e`de600000
Allocation Protect:     00000004          PAGE_READWRITE
More info:              ~0k

So the correct fix should have been to use the address (in a heap region in the original case) of a pointer stored inside an owner object (allocated on the heap in the original case):

void Init(Work& work, Model& model)
{
    unsigned long long dummy{};
    if (Data** ppData = model.GetData(); ppData && *ppData)
    {
        work.SetData(ppData);
    }
}

The example memory dumps, PDB files, and source code of applications can be downloaded from here.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 269)

Monday, June 15th, 2020

The collection of register values can be interpreted as Context Pointer to various memory locations:

0:000> !for_each_register -c:.if (${@#RegisterValue} > 0xFFFF) {.printf "${@#RegisterName}: %p -> %p\n", ${@#RegisterValue}, poi(${@#RegisterValue})}
rdx: 000000e4c0afe888 -> 00000000000000b4
rsp: 000000e4c0afe488 -> 00007ffecc888037
r9: 00000000ffffffff -> Memory access error at ')'
r11: 000000e4c0afdc30 -> 0000000000000090
r12: 00000000ffffffff -> Memory access error at ')'
r13: 000000e4c0afe888 -> 00000000000000b4
rip: 00007ffecf6bcbc4 -> 00841f0fc32ecdc3
edx: 00000000c0afe888 -> Memory access error at ')'
esp: 00000000c0afe488 -> Memory access error at ')'
r9d: 00000000ffffffff -> Memory access error at ')'
r11d: 00000000c0afdc30 -> Memory access error at ')'
r12d: 00000000ffffffff -> Memory access error at ')'
r13d: 00000000c0afe888 -> Memory access error at ')'
eip: 00000000cf6bcbc4 -> Memory access error at ')'

We filter on the register value to skip the many registers that contain 0.

Individual pointers can also be Pointer Cones.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 268)

Sunday, June 14th, 2020

When interpreting a value as a pointer to a memory address we are usually interested in adjacent values pointed to:

0:000> ? rdx
Evaluate expression: 982485297288 = 000000e4`c0afe888

0:000> ? poi(000000e4`c0afe888)
Evaluate expression: 180 = 00000000`000000b4

0:000> ? poi(rdx)
Evaluate expression: 180 = 00000000`000000b4

0:000> dps rdx-10 rdx+10
000000e4`c0afe878 000000e4`c0afeac0
000000e4`c0afe880 000000e4`c0971000
000000e4`c0afe888 00000000`000000b4
000000e4`c0afe890 00000000`0000008c
000000e4`c0afe898 00000000`00000088

0:000> r $t0 = 0

0:000> dps rdx-@$t0 rdx+@$t0
000000e4`c0afe888 00000000`000000b4

0:000> r $t0 = 20

0:000> dps rdx-@$t0 rdx+@$t0
000000e4`c0afe868 00000000`00000001
000000e4`c0afe870 00001a38`00000001
000000e4`c0afe878 000000e4`c0afeac0
000000e4`c0afe880 000000e4`c0971000
000000e4`c0afe888 00000000`000000b4
000000e4`c0afe890 00000000`0000008c
000000e4`c0afe898 00000000`00000088
000000e4`c0afe8a0 00000000`00000088
000000e4`c0afe8a8 00000000`0000008c

We call this analysis pattern Pointer Cone by analogy with cones in category theory and our earlier attempts to use it. The reason for introducing this pattern is that it has been used many times in other analysis pattern descriptions. We also intend to use this pattern language building block in our next analysis pattern.
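An added Python example (not from these posts) that models three idioms together: the Pointer Class lookup from the post above, the !for_each_register filter with dereference (Context Pointer), and the inclusive dps window around a value (Pointer Cone). Register and memory values are the ones printed in these posts; the region table is modeled on !address output, with every range except the Pointer Class stack range being hypothetical, and the memory image is constructed.

```python
"""Pointer triage modeled on three WinDbg idioms from these posts:
!for_each_register with a value filter (Context Pointer), !address region
lookup (Pointer Class) and dps addr-N addr+N (Pointer Cone)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    base: int
    end: int      # exclusive, like the !address "End Address"
    usage: str    # "Stack", "Heap", "Image", ... as !address reports it


class Memory:
    """Sparse qword memory; an unmapped read returns None ("Memory access error")."""

    def __init__(self, qwords):
        self._qwords = dict(qwords)

    def read_qword(self, addr):
        return self._qwords.get(addr)


def pointer_class(addr, regions):
    """!address model: the usage of the region containing addr, or "Free"."""
    for region in regions:
        if region.base <= addr < region.end:
            return region.usage
    return "Free"


def context_pointers(registers, mem, floor=0xFFFF):
    """!for_each_register model: keep registers whose value is above `floor`
    (skips the many zero and small-integer registers) and dereference each."""
    return {name: mem.read_qword(value)
            for name, value in registers.items() if value > floor}


def pointer_cone(mem, addr, radius):
    """dps addr-radius addr+radius: the inclusive window of qwords around addr."""
    return [(slot, mem.read_qword(slot))
            for slot in range(addr - radius, addr + radius + 1, 8)]


def points_into_stack(member_ptr, regions):
    """The Pointer Class check from the post: a pointer member that should refer
    into a heap-owned object but resolves to a Stack region is the address of a
    local whose frame has already been reused."""
    return pointer_class(member_ptr, regions) == "Stack"


# Scenario 1 (constructed): register and memory values printed in the Context
# Pointer and Pointer Cone posts; the region bounds are hypothetical.
FRAMETRACE_REGIONS = [
    Region(0xE4_C0AF_0000, 0xE4_C0B0_0000, "Stack"),
    Region(0x7FFE_CF68_0000, 0x7FFE_CF80_0000, "Image"),
]
FRAMETRACE_REGS = {
    "rax": 0, "rbx": 0, "rcx": 0,
    "rdx": 0xE4_C0AF_E888, "rsp": 0xE4_C0AF_E488, "r9": 0xFFFF_FFFF,
    "r11": 0xE4_C0AF_DC30, "r12": 0xFFFF_FFFF, "r13": 0xE4_C0AF_E888,
    "rip": 0x7FFE_CF6B_CBC4,
    "edx": 0xC0AF_E888,   # 32-bit alias: truncated value, so it fails to dereference
}
FRAMETRACE_MEM = Memory({
    0xE4_C0AF_E488: 0x7FFE_CC88_8037, 0xE4_C0AF_DC30: 0x90,
    0x7FFE_CF6B_CBC4: 0x0084_1F0F_C32E_CDC3,
    0xE4_C0AF_E868: 0x1, 0xE4_C0AF_E870: 0x1A38_0000_0001,
    0xE4_C0AF_E878: 0xE4_C0AF_EAC0, 0xE4_C0AF_E880: 0xE4_C097_1000,
    0xE4_C0AF_E888: 0xB4, 0xE4_C0AF_E890: 0x8C, 0xE4_C0AF_E898: 0x88,
    0xE4_C0AF_E8A0: 0x88, 0xE4_C0AF_E8A8: 0x8C,
})

# Scenario 2 (constructed): this->data from the Pointer Class post and the
# stack range its !address output reported; the heap range is hypothetical.
POINTERCLASS_REGIONS = [
    Region(0x7E_DE6F_D000, 0x7E_DE70_0000, "Stack"),
    Region(0x19A_4BFF_0000, 0x19A_4C00_0000, "Heap"),
]
WORK_DATA_MEMBER = 0x7E_DE6F_F978   # Work::data, a Data** that should live inside the owner


if __name__ == "__main__":
    for name, target in context_pointers(FRAMETRACE_REGS, FRAMETRACE_MEM).items():
        shown = "Memory access error" if target is None else f"{target:016x}"
        print(f"{name}: {FRAMETRACE_REGS[name]:016x} -> {shown}")
    for slot, value in pointer_cone(FRAMETRACE_MEM, FRAMETRACE_REGS["rdx"], 0x20):
        print(f"{slot:016x} {'????????' if value is None else f'{value:016x}'}")
    print("Work::data class:", pointer_class(WORK_DATA_MEMBER, POINTERCLASS_REGIONS))
```

The radius argument mirrors WinDbg's default hex radix, so `pointer_cone(..., 0x20)` reproduces the nine-line `dps rdx-@$t0 rdx+@$t0` output shown for `r $t0 = 20`.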

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 267)

Saturday, June 13th, 2020

When developers look at crash dumps they are mostly interested in parameters and local variables in particular stack frames of interest. However, sometimes it is useful to look at all such frames, especially to gather information that may be useful for technical support or to correlate with additional traces and logs (for example, Historical Information to establish additional Basic Facts and build a Vocabulary Index).

Listing the parameters can be done, for example, by using a Stack Trace command variant (the kP WinDbg command, but we use kPL to exclude source code references and reduce visual clutter):

0:000> kPL
# Child-SP          RetAddr           Call Site
00 000000e4`c0afe488 00007ffe`cc888037 ntdll!NtWaitForMultipleObjects+0x14
01 000000e4`c0afe490 00007ffe`cc887f1e KERNELBASE!WaitForMultipleObjectsEx+0x107
02 000000e4`c0afe790 00007ffe`cd8271fb KERNELBASE!WaitForMultipleObjects+0xe
03 000000e4`c0afe7d0 00007ffe`cd826ca8 kernel32!WerpReportFaultInternal+0x51b
04 000000e4`c0afe8f0 00007ffe`cc9300b8 kernel32!WerpReportFault+0xac
05 000000e4`c0afe930 00007ffe`cf6c4ab2 KERNELBASE!UnhandledExceptionFilter+0x3b8
06 000000e4`c0afea50 00007ffe`cf6ac656 ntdll!RtlUserThreadStart$filt$0+0xa2
07 000000e4`c0afea90 00007ffe`cf6c11cf ntdll!_C_specific_handler+0x96
08 000000e4`c0afeb00 00007ffe`cf68a209 ntdll!RtlpExecuteHandlerForException+0xf
09 000000e4`c0afeb30 00007ffe`cf6bfe3e ntdll!RtlDispatchException+0x219
0a 000000e4`c0aff240 00007ffe`cc8f0aa2 ntdll!KiUserExceptionDispatch+0x2e
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo(
unsigned int64 num = 0,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0aff9d0 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! ")+0x68
0d 000000e4`c0aff9b0 00007ff6`c8ab1560 FrameTrace!foo(
unsigned int64 num = 0,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0affa30 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! ")+0x60
0e 000000e4`c0affa10 00007ff6`c8ab1560 FrameTrace!foo(
unsigned int64 num = 1,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0affa90 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! ")+0x60
0f 000000e4`c0affa70 00007ff6`c8ab1560 FrameTrace!foo(
unsigned int64 num = 2,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0affaf0 "Hello World! Hello World! Hello World! Hello World! ")+0x60
10 000000e4`c0affad0 00007ff6`c8ab1560 FrameTrace!foo(
unsigned int64 num = 3,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0affb50 "Hello World! Hello World! ")+0x60
11 000000e4`c0affb30 00007ff6`c8ab15b5 FrameTrace!foo(
unsigned int64 num = 4,
class std::basic_string<wchar_t,std::char_traits<wchar_t>,std::allocator<wchar_t> > * str = 0x000000e4`c0affbb0 "Hello World! ")+0x60
12 000000e4`c0affb90 00007ff6`c8ab2b14 FrameTrace!main(void)+0x25
13 (Inline Function) --------`-------- FrameTrace!invoke_main+0x22
14 000000e4`c0affbe0 00007ffe`cd7d7bd4 FrameTrace!__scrt_common_main_seh(void)+0x10c
15 000000e4`c0affc20 00007ffe`cf68ce51 kernel32!BaseThreadInitThunk+0x14
16 000000e4`c0affc50 00000000`00000000 ntdll!RtlUserThreadStart+0x21

The stack trace comes from the following modeling application:

#include <string>
#include <windows.h>   // ::DebugBreak

void foo(std::size_t num, const std::wstring& str)
{
    // concatStr is a copy of str; only when num is non-zero do we double it and recurse
    if (std::wstring concatStr{ str }; num)
    {
        concatStr += str;

        foo(--num, concatStr);
    }
    else
    {
        ::DebugBreak();
    }
}

int main()
{
    foo(5, L"Hello World! ");
}

To list local variables we need to use the !for_each_frame WinDbg command:

0:000> !for_each_frame "dv"
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 000000e4`c0afe488 00007ffe`cc888037 ntdll!NtWaitForMultipleObjects+0x14
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 000000e4`c0afe490 00007ffe`cc887f1e KERNELBASE!WaitForMultipleObjectsEx+0x107
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 000000e4`c0afe790 00007ffe`cd8271fb KERNELBASE!WaitForMultipleObjects+0xe
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 000000e4`c0afe7d0 00007ffe`cd826ca8 kernel32!WerpReportFaultInternal+0x51b
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 000000e4`c0afe8f0 00007ffe`cc9300b8 kernel32!WerpReportFault+0xac
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 000000e4`c0afe930 00007ffe`cf6c4ab2 KERNELBASE!UnhandledExceptionFilter+0x3b8
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 000000e4`c0afea50 00007ffe`cf6ac656 ntdll!RtlUserThreadStart$filt$0+0xa2
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 000000e4`c0afea90 00007ffe`cf6c11cf ntdll!_C_specific_handler+0x96
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 000000e4`c0afeb00 00007ffe`cf68a209 ntdll!RtlpExecuteHandlerForException+0xf
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 000000e4`c0afeb30 00007ffe`cf6bfe3e ntdll!RtlDispatchException+0x219
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a 000000e4`c0aff240 00007ffe`cc8f0aa2 ntdll!KiUserExceptionDispatch+0x2e
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
concatStr = "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
num = 0
str = 0x000000e4`c0aff9d0 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d 000000e4`c0aff9b0 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
num = 0
str = 0x000000e4`c0affa30 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e 000000e4`c0affa10 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
num = 1
str = 0x000000e4`c0affa90 "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f 000000e4`c0affa70 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! Hello World! "
num = 2
str = 0x000000e4`c0affaf0 "Hello World! Hello World! Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
10 000000e4`c0affad0 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! Hello World! Hello World! "
num = 3
str = 0x000000e4`c0affb50 "Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
11 000000e4`c0affb30 00007ff6`c8ab15b5 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! "
num = 4
str = 0x000000e4`c0affbb0 "Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
12 000000e4`c0affb90 00007ff6`c8ab2b14 FrameTrace!main+0x25 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 20]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
13 (Inline Function) --------`-------- FrameTrace!invoke_main+0x22 [d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
14 000000e4`c0affbe0 00007ffe`cd7d7bd4 FrameTrace!__scrt_common_main_seh+0x10c [d:\A01\_work\6\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
has_cctor = false
main_result = <value unavailable>
tls_init_callback = <value unavailable>
is_nested = <value unavailable>
tls_dtor_callback = <value unavailable>
main_result = <value unavailable>
__scrt_current_native_startup_state = <value unavailable>
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
15 000000e4`c0affc20 00007ffe`cf68ce51 kernel32!BaseThreadInitThunk+0x14
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
16 000000e4`c0affc50 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
15 000000e4`c0affc20 00007ffe`cf68ce51 kernel32!BaseThreadInitThunk+0x14

We can also apply the "dv /i /V" command to each frame to get additional low-level frame details (storage class, address, and register-relative offset of each variable):

[...]
11 000000e4`c0affb30 00007ff6`c8ab15b5 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
prv local  000000e4`c0affb50 @rsp+0x0020             concatStr = "Hello World! Hello World! "
prv param  000000e4`c0affb90 @rsp+0x0060                   num = 4
prv param  000000e4`c0affb98 @rsp+0x0068                   str = 0x000000e4`c0affbb0 "Hello World! "
[...]
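Once the `!for_each_frame "dv"` output is parsed, a Frame Trace can be checked by script. The following Python is an added example, not code from the original post or its FrameTrace project: it parses the frame and locals layout shown above (and the `dv /i /V` line format), lists the recursion per foo frame (`num` and the length of `concatStr`), and checks that the `str` parameter each foo frame received equals the `concatStr` of its caller, which is what `foo(--num, concatStr)` passed. The sample output is constructed in the format shown above, with fewer frames and shorter strings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `!for_each_frame "dv"` output shown above:
# shortened (three foo frames instead of six, fewer "Hello World! " copies) but with
# the real structure: separator line, frame header, then either `name = value`
# lines or the "Unable to enumerate locals" message.
SAMPLE_DV = r"""
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
concatStr = "Hello World! Hello World! Hello World! Hello World! "
num = 0
str = 0x000000e4`c0aff9d0 "Hello World! Hello World! Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d 000000e4`c0aff9b0 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! Hello World! Hello World! "
num = 0
str = 0x000000e4`c0affa30 "Hello World! Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e 000000e4`c0affa10 00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
concatStr = "Hello World! Hello World! "
num = 1
str = 0x000000e4`c0affa90 "Hello World! "
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f 000000e4`c0affa70 00007ff6`c8ab2b14 FrameTrace!main+0x25 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 20]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"""
# One `dv /i /V` line from frame 11 above; the same local-line parser handles it.
SAMPLE_DV_IV_LINE = 'prv local  000000e4`c0affb50 @rsp+0x0020             concatStr = "Hello World! Hello World! "'

SEP_RE = re.compile(r'^_( _)+\s*$')
FRAME_RE = re.compile(
    r'^(?P<idx>[0-9a-f]{2}) (?P<child_sp>\(Inline Function\)|\S+) (?P<ret>\S+) (?P<site>\S+)'
    r'(?: \[(?P<src>.+) @ (?P<line>\d+)\])?$')
# `dv` prints `name = value`; `dv /i /V` prefixes storage class, address and register offset.
LOCAL_RE = re.compile(
    r'^(?:(?P<kind>prv (?:local|param))\s+(?P<addr>\S+)\s+(?P<reg>@\w+\+0x[0-9a-f]+)\s+)?'
    r'(?P<name>\w+) = (?P<value>.*)$')

@dataclass
class Frame:
    idx: int
    site: str                   # e.g. "FrameTrace!foo+0x60"
    src: Optional[str]
    line: Optional[int]
    values: Dict[str, str] = field(default_factory=dict)
    have_locals: bool = True

    @property
    def function(self) -> str:  # "FrameTrace!foo+0x60" -> "FrameTrace!foo"
        return self.site.split('+')[0]

def parse_local(line: str):
    """(name, value, storage) for a dv or dv /i /V local line, else None.
    storage is (kind, address, register expression) or None for plain dv output."""
    m = LOCAL_RE.match(line)
    if not m:
        return None
    storage = (m['kind'], m['addr'], m['reg']) if m['kind'] else None
    return m['name'], m['value'], storage

def parse_for_each_frame(text: str) -> List[Frame]:
    """Split `!for_each_frame "dv"` output into Frame records."""
    frames: List[Frame] = []
    current: Optional[Frame] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEP_RE.match(line):
            current = None          # a separator starts the next frame
            continue
        fm = FRAME_RE.match(line)
        if fm and current is None:
            current = Frame(int(fm['idx'], 16), fm['site'], fm['src'],
                            int(fm['line']) if fm['line'] else None)
            frames.append(current)
            continue
        if current is None:
            continue
        if line.startswith('Unable to enumerate locals'):
            current.have_locals = False
        loc = parse_local(line)
        if loc:
            current.values[loc[0]] = loc[1]
    return frames

def string_value(value: str) -> Optional[str]:
    """Quoted text of a dv value (std::wstring prints as "...", a pointer as addr "...")."""
    m = re.search(r'"(.*)"$', value)
    return m.group(1) if m else None

def recursion_trace(frames: List[Frame], func: str = 'FrameTrace!foo') -> List[Tuple[int, int, int]]:
    """Innermost-first (frame, num, len(concatStr)) for each frame of `func` with locals."""
    return [(f.idx, int(f.values['num']), len(string_value(f.values['concatStr']) or ''))
            for f in frames if f.function == func and f.have_locals]

def check_argument_chain(frames: List[Frame], func: str = 'FrameTrace!foo',
                         param: str = 'str', local: str = 'concatStr') -> List[Tuple[int, int, bool]]:
    """Frame Trace consistency check across adjacent frames of the same function:
    the parameter a callee received must equal the local its caller passed."""
    chain = [f for f in frames if f.function == func and f.have_locals]
    return [(callee.idx, caller.idx,
             string_value(callee.values[param]) == string_value(caller.values[local]))
            for callee, caller in zip(chain, chain[1:])]
```

Note that the two innermost foo frames both report `num = 0`: `--num` decrements the caller's copy before the call, so each frame shows the value it passed down, and the innermost frame shows the 0 it received. The chain check compares the callee's `str` with the caller's `concatStr`, which is the relation the source code establishes.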

We also see this as a form of back-tracing Execution Residue, for example:

0:000> !for_each_frame ".frame /c @$frame; dps rsp"
[...]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 000000e4`c0afe8f0 00007ffe`cc9300b8 kernel32!WerpReportFault+0xac
04 000000e4`c0afe8f0 00007ffe`cc9300b8 kernel32!WerpReportFault+0xac
rax=000000000000005b rbx=0000000000000000 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffecd826ca8 rsp=000000e4c0afe8f0 rbp=0000000000000000
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=000000e4c0afeac0 r13=ffffffffffffffff
r14=000000e4c0afeac0 r15=0000000000001a38
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
kernel32!WerpReportFault+0xac:
00007ffe`cd826ca8 8bf8            mov     edi,eax
000000e4`c0afe8f0  00000000`00000000
000000e4`c0afe8f8  00000000`00000000
000000e4`c0afe900  00000000`00000003
000000e4`c0afe908  000000e4`c0afeac0
000000e4`c0afe910  00000000`00000004
000000e4`c0afe918  00000000`00000001
000000e4`c0afe920  00000000`00000000
000000e4`c0afe928  00007ffe`cc9300b8 KERNELBASE!UnhandledExceptionFilter+0x3b8
000000e4`c0afe930  00000000`00000000
000000e4`c0afe938  000000e4`c0affc50
000000e4`c0afe940  00007ffe`cd7c0000 kernel32!RtlVirtualUnwindStub <PERF> (kernel32+0x0)
000000e4`c0afe948  00000207`5d660000
000000e4`c0afe950  00000000`00000000
000000e4`c0afe958  00007ffe`cf6660b9 ntdll!RtlpFindEntry+0x4d
000000e4`c0afe960  00000004`00000006
000000e4`c0afe968  00000001`00000000
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 000000e4`c0afe930 00007ffe`cf6c4ab2 KERNELBASE!UnhandledExceptionFilter+0x3b8
05 000000e4`c0afe930 00007ffe`cf6c4ab2 KERNELBASE!UnhandledExceptionFilter+0x3b8
rax=000000000000005b rbx=0000000000000000 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=00007ffecd7c0000 rdi=0000000000000000
rip=00007ffecc9300b8 rsp=000000e4c0afe930 rbp=000000e4c0affc50
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=000000e4c0afeac0 r13=ffffffffffffffff
r14=0000000000000001 r15=0000000000000004
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!UnhandledExceptionFilter+0x3b8:
00007ffe`cc9300b8 0f1f440000      nop     dword ptr [rax+rax]
000000e4`c0afe930  00000000`00000000
000000e4`c0afe938  000000e4`c0affc50
000000e4`c0afe940  00007ffe`cd7c0000 kernel32!RtlVirtualUnwindStub <PERF> (kernel32+0x0)
000000e4`c0afe948  00000207`5d660000
000000e4`c0afe950  00000000`00000000
000000e4`c0afe958  00007ffe`cf6660b9 ntdll!RtlpFindEntry+0x4d
000000e4`c0afe960  00000004`00000006
000000e4`c0afe968  00000001`00000000
000000e4`c0afe970  00000000`00000001
000000e4`c0afe978  00007ffe`cd7c0000 kernel32!RtlVirtualUnwindStub <PERF> (kernel32+0x0)
000000e4`c0afe980  00000207`5d662ff0
000000e4`c0afe988  00000000`00000000
000000e4`c0afe990  000000e4`c0afeac0
000000e4`c0afe998  00007ffe`cd7c0000 kernel32!RtlVirtualUnwindStub <PERF> (kernel32+0x0)
000000e4`c0afe9a0  00000000`005a0058
000000e4`c0afe9a8  00007ffe`cca6ff70 KERNELBASE!`string'
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 000000e4`c0afea50 00007ffe`cf6ac656 ntdll!RtlUserThreadStart$filt$0+0xa2
06 000000e4`c0afea50 00007ffe`cf6ac656 ntdll!RtlUserThreadStart$filt$0+0xa2
rax=000000000000005b rbx=00007ffecf764420 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=0000000000000000
rip=00007ffecf6c4ab2 rsp=000000e4c0afea50 rbp=000000e4c0affc50
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=000000e4c0aff730 r13=000000e4c0affc50
r14=000000e4c0aff0c0 r15=00007ffecf620000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlUserThreadStart$filt$0+0xa2:
00007ffe`cf6c4ab2 eb16            jmp     ntdll!RtlUserThreadStart$filt$0+0xba (00007ffe`cf6c4aca)
000000e4`c0afea50  00000000`00000000
000000e4`c0afea58  00007ffe`cf764420 ntdll!`string'+0x9aa8
000000e4`c0afea60  00000000`00000000
000000e4`c0afea68  000000e4`c0affbe0
000000e4`c0afea70  00000000`00000000
000000e4`c0afea78  00007ffe`cf6457d8 ntdll!LdrpAppendUnicodeStringToFilenameBuffer+0x50
000000e4`c0afea80  00000000`0006ce51
000000e4`c0afea88  00007ffe`cf6ac656 ntdll!_C_specific_handler+0x96
000000e4`c0afea90  000000e4`c0afeb40
000000e4`c0afea98  00007ffe`cf642930 ntdll!LdrpFindLoadedDllByNameLockHeld+0xe4
000000e4`c0afeaa0  000000e4`c0aff088
000000e4`c0afeaa8  000000e4`c0aff110
000000e4`c0afeab0  000000e4`c0aff240
000000e4`c0afeab8  00000000`00000000
000000e4`c0afeac0  000000e4`c0aff730
000000e4`c0afeac8  000000e4`c0aff240
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 000000e4`c0afea90 00007ffe`cf6c11cf ntdll!_C_specific_handler+0x96
07 000000e4`c0afea90 00007ffe`cf6c11cf ntdll!_C_specific_handler+0x96
rax=000000000000005b rbx=00007ffecf764420 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=0000000000000000
rip=00007ffecf6ac656 rsp=000000e4c0afea90 rbp=000000000006ce51
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=000000e4c0aff730 r13=000000e4c0affc50
r14=000000e4c0aff0c0 r15=00007ffecf620000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!_C_specific_handler+0x96:
00007ffe`cf6ac656 85c0            test    eax,eax
000000e4`c0afea90  000000e4`c0afeb40
000000e4`c0afea98  00007ffe`cf642930 ntdll!LdrpFindLoadedDllByNameLockHeld+0xe4
000000e4`c0afeaa0  000000e4`c0aff088
000000e4`c0afeaa8  000000e4`c0aff110
000000e4`c0afeab0  000000e4`c0aff240
000000e4`c0afeab8  00000000`00000000
000000e4`c0afeac0  000000e4`c0aff730
000000e4`c0afeac8  000000e4`c0aff240
000000e4`c0afead0  00000000`00000000
000000e4`c0afead8  000000e4`c0afeb70
000000e4`c0afeae0  000000e4`c0aff240
000000e4`c0afeae8  00007ffe`cf6ac5c0 ntdll!_C_specific_handler
000000e4`c0afeaf0  00000000`00000000
000000e4`c0afeaf8  00007ffe`cf6c11cf ntdll!RtlpExecuteHandlerForException+0xf
000000e4`c0afeb00  00000000`00000000
000000e4`c0afeb08  000000e4`c0aff070
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 000000e4`c0afeb00 00007ffe`cf68a209 ntdll!RtlpExecuteHandlerForException+0xf
08 000000e4`c0afeb00 00007ffe`cf68a209 ntdll!RtlpExecuteHandlerForException+0xf
rax=000000000000005b rbx=0000000000000000 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=000000e4c0aff730 rdi=0000000000000000
rip=00007ffecf6c11cf rsp=000000e4c0afeb00 rbp=000000e4c0aff070
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=00007ffecf6ac5c0 r13=000000e4c0aff240
r14=000000e4c0afeb70 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlpExecuteHandlerForException+0xf:
00007ffe`cf6c11cf 90              nop
000000e4`c0afeb00  00000000`00000000
000000e4`c0afeb08  000000e4`c0aff070
000000e4`c0afeb10  000000e4`c0aff730
000000e4`c0afeb18  000000e4`c0aff730
000000e4`c0afeb20  000000e4`c0aff0c0
000000e4`c0afeb28  00007ffe`cf68a209 ntdll!RtlDispatchException+0x219
000000e4`c0afeb30  000000e4`00000001
000000e4`c0afeb38  00007ffe`cf620000 ntdll!RtlStringCchCopyW <PERF> (ntdll+0x0)
000000e4`c0afeb40  00000000`00000000
000000e4`c0afeb48  00007ffe`cf78e9f0 ntdll!__PchSym_ <PERF> (ntdll+0x16e9f0)
000000e4`c0afeb50  000000e4`c0afeb70
000000e4`c0afeb58  000000e4`c0aff090
000000e4`c0afeb60  000000e4`c0aff080
000000e4`c0afeb68  00000000`00000000
000000e4`c0afeb70  000000e4`00000000
000000e4`c0afeb78  00007ffe`cc8300f0 KERNELBASE!UrlHashW <PERF> (KERNELBASE+0xf0)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 000000e4`c0afeb30 00007ffe`cf6bfe3e ntdll!RtlDispatchException+0x219
09 000000e4`c0afeb30 00007ffe`cf6bfe3e ntdll!RtlDispatchException+0x219
rax=000000000000005b rbx=0000000000000000 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=000000e4c0aff730 rdi=0000000000000000
rip=00007ffecf68a209 rsp=000000e4c0afeb30 rbp=000000e4c0aff070
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=00007ffecf6ac5c0 r13=000000e4c0aff240
r14=000000e4c0afeb70 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlDispatchException+0x219:
00007ffe`cf68a209 8bd0            mov     edx,eax
000000e4`c0afeb30  000000e4`00000001
000000e4`c0afeb38  00007ffe`cf620000 ntdll!RtlStringCchCopyW <PERF> (ntdll+0x0)
000000e4`c0afeb40  00000000`00000000
000000e4`c0afeb48  00007ffe`cf78e9f0 ntdll!__PchSym_ <PERF> (ntdll+0x16e9f0)
000000e4`c0afeb50  000000e4`c0afeb70
000000e4`c0afeb58  000000e4`c0aff090
000000e4`c0afeb60  000000e4`c0aff080
000000e4`c0afeb68  00000000`00000000
000000e4`c0afeb70  000000e4`00000000
000000e4`c0afeb78  00007ffe`cc8300f0 KERNELBASE!UrlHashW <PERF> (KERNELBASE+0xf0)
000000e4`c0afeb80  00000001`00000000
000000e4`c0afeb88  00000012`00000018
000000e4`c0afeb90  00000000`00000000
000000e4`c0afeb98  00360030`00300030
000000e4`c0afeba0  00001f80`0010000f
000000e4`c0afeba8  00000000`00000033
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a 000000e4`c0aff240 00007ffe`cc8f0aa2 ntdll!KiUserExceptionDispatch+0x2e
0a 000000e4`c0aff240 00007ffe`cc8f0aa2 ntdll!KiUserExceptionDispatch+0x2e
rax=000000000000005b rbx=000002075d662a10 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=000002075d666e40
rip=00007ffecf6bfe3e rsp=000000e4c0aff240 rbp=0000000000000000
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!KiUserExceptionDispatch+0x2e:
00007ffe`cf6bfe3e 84c0            test    al,al
000000e4`c0aff240  00007ff6`c8ac32f0 FrameTrace!`string'
000000e4`c0aff248  00000000`000a0008
000000e4`c0aff250  00000207`5d662a10
000000e4`c0aff258  00007ff6`00200000
000000e4`c0aff260  000000e4`c0aff2f0
000000e4`c0aff268  000000e4`c0aff2f0
000000e4`c0aff270  00001f80`0010005f
000000e4`c0aff278  0053002b`002b0033
000000e4`c0aff280  00000246`002b002b
000000e4`c0aff288  00000000`00000000
000000e4`c0aff290  00000000`00000000
000000e4`c0aff298  00000000`00000000
000000e4`c0aff2a0  00000000`00000000
000000e4`c0aff2a8  00000000`00000000
000000e4`c0aff2b0  00000000`00000000
000000e4`c0aff2b8  000000e4`c0aff970
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
rax=000000000000005b rbx=000002075d662a10 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=000002075d666e40
rip=00007ffecc8f0aa2 rsp=000000e4c0aff948 rbp=0000000000000000
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!wil::details::DebugBreak+0x2:
00007ffe`cc8f0aa2 cc              int     3
000000e4`c0aff948  00007ff6`c8ab1568 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
000000e4`c0aff950  000000e4`c0aff970
000000e4`c0aff958  000000e4`c0aff9d0
000000e4`c0aff960  00000000`000000d0
000000e4`c0aff968  00000207`5d66a990
000000e4`c0aff970  00000207`5d66b070
000000e4`c0aff978  00007ff6`c8ab15ed FrameTrace!std::basic_string<wchar_t,std::char_traits<wchar_t>, std::allocator<wchar_t> >::operator+=+0x1d [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.26.28801\include\xstring @ 2821]
000000e4`c0aff980  00000000`000001a0
000000e4`c0aff988  00000000`000001a7
000000e4`c0aff990  0000e8d4`e5494150
000000e4`c0aff998  0000e8d4`e5494150
000000e4`c0aff9a0  000000e4`c0affa30
000000e4`c0aff9a8  00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
000000e4`c0aff9b0  00000000`00000000
000000e4`c0aff9b8  000000e4`c0aff9d0
000000e4`c0aff9c0  00000000`00000068
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
rax=000000000000005b rbx=000002075d662a10 rcx=0000000000000003
rdx=000000e4c0afe888 rsi=0000000000000000 rdi=000002075d666e40
rip=00007ff6c8ab1568 rsp=000000e4c0aff950 rbp=0000000000000000
r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000e4c0afdc30 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
FrameTrace!foo+0x68:
00007ff6`c8ab1568 90              nop
000000e4`c0aff950  000000e4`c0aff970
000000e4`c0aff958  000000e4`c0aff9d0
000000e4`c0aff960  00000000`000000d0
000000e4`c0aff968  00000207`5d66a990
000000e4`c0aff970  00000207`5d66b070
000000e4`c0aff978  00007ff6`c8ab15ed FrameTrace!std::basic_string<wchar_t,std::char_traits<wchar_t>, std::allocator<wchar_t> >::operator+=+0x1d [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.26.28801\include\xstring @ 2821]
000000e4`c0aff980  00000000`000001a0
000000e4`c0aff988  00000000`000001a7
000000e4`c0aff990  0000e8d4`e5494150
000000e4`c0aff998  0000e8d4`e5494150
000000e4`c0aff9a0  000000e4`c0affa30
000000e4`c0aff9a8  00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
000000e4`c0aff9b0  00000000`00000000
000000e4`c0aff9b8  000000e4`c0aff9d0
000000e4`c0aff9c0  00000000`00000068
000000e4`c0aff9c8  00000207`5d66a8a0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
[...]
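To separate live return addresses from Execution Residue mechanically, the following Python is an added example (not code from the original post): it takes the `dps rsp` slots of frame 0b shown above and the RetAddr column of the kL trace, and reports which symbolised stack slots the unwinder still relies on and which are leftovers from calls that already returned. The samples are copied from the listings above; register and disassembly lines are omitted.

```python
import re
from typing import List, Optional, Set, Tuple

# Sample from the output above: the `dps rsp` slots of frame 0b (registers and
# disassembly omitted) and frame lines 0b-12 of the kL stack trace.
DPS_FRAME_0B = r"""
000000e4`c0aff948  00007ff6`c8ab1568 FrameTrace!foo+0x68 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 14]
000000e4`c0aff950  000000e4`c0aff970
000000e4`c0aff958  000000e4`c0aff9d0
000000e4`c0aff960  00000000`000000d0
000000e4`c0aff968  00000207`5d66a990
000000e4`c0aff970  00000207`5d66b070
000000e4`c0aff978  00007ff6`c8ab15ed FrameTrace!std::basic_string<wchar_t,std::char_traits<wchar_t>, std::allocator<wchar_t> >::operator+=+0x1d [C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Tools\MSVC\14.26.28801\include\xstring @ 2821]
000000e4`c0aff980  00000000`000001a0
000000e4`c0aff988  00000000`000001a7
000000e4`c0aff990  0000e8d4`e5494150
000000e4`c0aff998  0000e8d4`e5494150
000000e4`c0aff9a0  000000e4`c0affa30
000000e4`c0aff9a8  00007ff6`c8ab1560 FrameTrace!foo+0x60 [C:\NewWork\FrameTrace\FrameTrace.cpp @ 11]
000000e4`c0aff9b0  00000000`00000000
000000e4`c0aff9b8  000000e4`c0aff9d0
000000e4`c0aff9c0  00000000`00000068
"""
KL_TRACE = """
0b 000000e4`c0aff948 00007ff6`c8ab1568 KERNELBASE!wil::details::DebugBreak+0x2
0c 000000e4`c0aff950 00007ff6`c8ab1560 FrameTrace!foo+0x68
0d 000000e4`c0aff9b0 00007ff6`c8ab1560 FrameTrace!foo+0x60
0e 000000e4`c0affa10 00007ff6`c8ab1560 FrameTrace!foo+0x60
0f 000000e4`c0affa70 00007ff6`c8ab1560 FrameTrace!foo+0x60
10 000000e4`c0affad0 00007ff6`c8ab1560 FrameTrace!foo+0x60
11 000000e4`c0affb30 00007ff6`c8ab15b5 FrameTrace!foo+0x60
12 000000e4`c0affb90 00007ff6`c8ab2b14 FrameTrace!main+0x25
"""

def hexval(s: str) -> int:
    """WinDbg prints 64-bit values with a backtick separator."""
    return int(s.replace('`', ''), 16)

def parse_dps(text: str) -> List[Tuple[int, int, Optional[str]]]:
    """(slot address, pointer-sized value, symbol or None) per `dps` line;
    the trailing `[source @ line]` annotation is dropped from the symbol."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^([0-9a-f`]+)\s+([0-9a-f`]+)(?:\s+(.*))?$', line.strip())
        if not m:
            continue
        sym = m.group(3)
        if sym and sym.endswith(']') and ' [' in sym:
            sym = sym.rsplit(' [', 1)[0]
        out.append((hexval(m.group(1)), hexval(m.group(2)), sym))
    return out

def live_return_addresses(kl_text: str) -> Set[int]:
    """RetAddr column of a kL trace: the return addresses the unwinder still uses."""
    return {hexval(m.group(1)) for m in
            re.finditer(r'^\s*[0-9a-f]{2} \S+ ([0-9a-f`]+) ', kl_text, re.M)}

def classify_slots(dps_text: str, kl_text: str):
    """Split symbolised stack slots into live return addresses (present in the kL
    RetAddr column) and Execution Residue: code pointers left behind by calls
    that already returned, which the stack trace no longer shows."""
    live_set = live_return_addresses(kl_text)
    live, residue = [], []
    for addr, value, sym in parse_dps(dps_text):
        if sym is None:
            continue
        (live if value in live_set else residue).append((addr, sym))
    return live, residue
```

On the sample, the slots at 000000e4`c0aff948 and 000000e4`c0aff9a8 hold return addresses that kL also reports, while the `operator+=` return address at 000000e4`c0aff978 is residue: it lies in stack space below frame 0d, which is where the callees of frame 0d's `concatStr += str` ran before foo was entered one more time and reused that region. Symbols annotated `<PERF>` or `` `string' `` in the other frames are data pointers rather than return addresses; this script reports them as residue too, so a reviewer should still read the symbol names.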

We need to reset the current context after the command above, since the last frame visited becomes the current one:

0:000> kc
*** Stack trace for last set context - .thread/.cxr resets it
# Call Site
15 ntdll!RtlUserThreadStart

0:000> .cxr
Resetting default scope

0:000> kc
# Call Site
00 ntdll!NtWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 KERNELBASE!WaitForMultipleObjects
03 kernel32!WerpReportFaultInternal
04 kernel32!WerpReportFault
05 KERNELBASE!UnhandledExceptionFilter
06 ntdll!RtlUserThreadStart$filt$0
07 ntdll!_C_specific_handler
08 ntdll!RtlpExecuteHandlerForException
09 ntdll!RtlDispatchException
0a ntdll!KiUserExceptionDispatch
0b KERNELBASE!wil::details::DebugBreak
0c FrameTrace!foo
0d FrameTrace!foo
0e FrameTrace!foo
0f FrameTrace!foo
10 FrameTrace!foo
11 FrameTrace!foo
12 FrameTrace!main
13 FrameTrace!invoke_main
14 FrameTrace!__scrt_common_main_seh
15 kernel32!BaseThreadInitThunk
16 ntdll!RtlUserThreadStart

We call this analysis pattern Frame Trace.

The example memory dump, the application PDB file, and source code can be downloaded from here.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 266)

Saturday, May 2nd, 2020

When modeling the Invalid Pointer (Objects) analysis pattern, we noticed that if we use MEM_RELEASE instead of MEM_DECOMMIT in the VirtualFree API call, we still see page memory contents despite an access violation Stored Exception pointing to that page. Moreover, the page contents did not correspond to what should have been expected from the source code. We had to do live kernel debugging in order to verify what was going on.

We launched InvalidPointerObject.exe, which displayed the committed address allocated via the VirtualAlloc API call:

Then we broke into the system, found our process and inspected that address:

Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com2
Waiting to reconnect...
Connected to Windows 10 18362 x64 target at (Fri May 1 22:46:00.982 2020 (UTC + 1:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (1 procs) Free x64
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff800`74800000 PsLoadedModuleList = 0xfffff800`74c48190
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run console kernel debugger) or, *
* CTRL+BREAK (if you run GUI kernel debugger), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!DbgBreakPointWithStatus:
fffff800`749c93a0 cc int 3

1: kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffe00314e89300
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffffc90314806d40 HandleCount: 3136.
Image: System

[...]

PROCESS ffffe00318d60080
SessionId: 1 Cid: 1a90 Peb: 161ab73000 ParentCid: 1474
DirBase: af7ee002 ObjectTable: ffffc9031c02a0c0 HandleCount: 33.
Image: InvalidPointerObject.exe

[...]

1: kd> !process ffffe00318d60080 3f
PROCESS ffffe00318d60080
SessionId: 1 Cid: 1a90 Peb: 161ab73000 ParentCid: 1474
DirBase: af7ee002 ObjectTable: ffffc9031c02a0c0 HandleCount: 33.
Image: InvalidPointerObject.exe
VadRoot ffffe0031a78d1c0 Vads 22 Clone 0 Private 94. Modified 0. Locked 2.
DeviceMap ffffc903193e9bf0
Token ffffc9031c692060
ElapsedTime 00:01:13.571
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 20344
QuotaPoolUsage[NonPagedPool] 3256
Working Set Sizes (now,min,max) (497, 50, 345) (1988KB, 200KB, 1380KB)
PeakWorkingSetSize 465
VirtualSize 4139 Mb
PeakVirtualSize 4139 Mb
PageFaultCount 499
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 107
Job ffffe00317be8060

[...]

THREAD ffffe003198ba0c0 Cid 1a90.18bc Teb: 000000161ab74000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Alertable
ffffe0031a7b0238 NotificationEvent
IRP List:
ffffe00318a49510: (0006,0238) Flags: 00060900 Mdl: ffffe00319319470
Not impersonating
DeviceMap ffffc903193e9bf0
Owning Process ffffe00318d60080 Image: InvalidPointerObject.exe
Attached Process N/A Image: N/A
Wait Start TickCount 6673 Ticks: 4692 (0:00:01:13.312)
Context Switch Count 118 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
*** WARNING: Unable to verify checksum for InvalidPointerObject.exe
Win32 Start Address InvalidPointerObject!wmainCRTStartup (0x00007ff66357e044)
Stack Init ffff848c00a22c90 Current ffff848c00a22560
Base ffff848c00a23000 Limit ffff848c00a1d000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffff848c`00a225a0 fffff800`7483c7bd nt!KiSwapContext+0x76
ffff848c`00a226e0 fffff800`7483b644 nt!KiSwapThread+0xbfd
ffff848c`00a22780 fffff800`7483ade5 nt!KiCommitThreadWait+0x144
ffff848c`00a22820 fffff800`74de982a nt!KeWaitForSingleObject+0x255
ffff848c`00a22900 fffff800`74de595f nt!IopSynchronousServiceTail+0x24a
ffff848c`00a229a0 fffff800`749d2e15 nt!NtReadFile+0x59f
ffff848c`00a22a90 00007ffb`0ed3c184 nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffff848c`00a22b00)
00000016`1a96f338 00007ffb`0c405227 ntdll!NtReadFile+0x14
00000016`1a96f340 00007ff6`6359b3b9 KERNELBASE!ReadFile+0x77
00000016`1a96f3c0 00000000`00000001 InvalidPointerObject!_read_nolock+0x2f5 [minkernel\crts\ucrt\src\appcrt\lowio\read.cpp @ 566]
00000016`1a96f3c8 00000000`00000000 0x1

1: kd> .thread /r /p ffffe003198ba0c0
Implicit thread is now ffffe003`198ba0c0
Implicit process is now ffffe003`18d60080
.cache forcedecodeuser done
Loading User Symbols
....

1: kd> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 ffff848c`00a225a0 fffff800`7483c7bd nt!KiSwapContext+0x76
01 ffff848c`00a226e0 fffff800`7483b644 nt!KiSwapThread+0xbfd
02 ffff848c`00a22780 fffff800`7483ade5 nt!KiCommitThreadWait+0x144
03 ffff848c`00a22820 fffff800`74de982a nt!KeWaitForSingleObject+0x255
04 ffff848c`00a22900 fffff800`74de595f nt!IopSynchronousServiceTail+0x24a
05 ffff848c`00a229a0 fffff800`749d2e15 nt!NtReadFile+0x59f
06 ffff848c`00a22a90 00007ffb`0ed3c184 nt!KiSystemServiceCopyEnd+0x25
07 00000016`1a96f338 00007ffb`0c405227 ntdll!NtReadFile+0x14
*** WARNING: Unable to verify checksum for InvalidPointerObject.exe
08 00000016`1a96f340 00007ff6`6359b3b9 KERNELBASE!ReadFile+0x77
09 00000016`1a96f3c0 00000000`00000001 InvalidPointerObject!_read_nolock+0x2f5
0a 00000016`1a96f3c8 00000000`00000000 0x1

1: kd> !vad 146e3a70000 1

VAD @ ffffe0031a78eb10
Start VPN 146e3a70 End VPN 146e3a70 Control Area 0000000000000000
FirstProtoPte 0000000000000000 LastPte 0000000000000000 Commit Charge 1 (0n1)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ViewUnmap MemCommit PrivateMemory READWRITE

1: kd> dc 146e3a70000
00000146`e3a70000 00000001 00000000 00000000 00000000 ................
00000146`e3a70010 00000000 00000000 00000000 00000000 ................
00000146`e3a70020 00000000 00000000 00000000 00000000 ................
00000146`e3a70030 00000000 00000000 00000000 00000000 ................
00000146`e3a70040 00000000 00000000 00000000 00000000 ................
00000146`e3a70050 00000000 00000000 00000000 00000000 ................
00000146`e3a70060 00000000 00000000 00000000 00000000 ................
00000146`e3a70070 00000000 00000000 00000000 00000000 ................

We see the page memory contents show the correct counter value (1):

struct Resource
{
    void DoSomething()
    {
        ++m_usageCounter;
    }
    std::size_t m_usageCounter{};
}; 

We resume system execution and hit a key. The program crashes in the second DoSomething call, after releasing the memory that contained the Resource object:

	::VirtualFree(pMem, 0, MEM_RELEASE);
	pResource->DoSomething();

We wait until the WER dialog appears (we had to add a DWORD value DontShowUI (0) under \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting):

We then break in the system again and inspect the same address:

1: kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run console kernel debugger) or, *
* CTRL+BREAK (if you run GUI kernel debugger), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!DbgBreakPointWithStatus:
fffff800`749c93a0 cc int 3

0: kd> .thread /r /p ffffe003198ba0c0
Implicit thread is now ffffe003`198ba0c0
Implicit process is now ffffe003`18d60080
.cache forcedecodeuser done
Loading User Symbols
....

0: kd> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 ffff848c`00a21f70 fffff800`7483c7bd nt!KiSwapContext+0x76
01 ffff848c`00a220b0 fffff800`7483b644 nt!KiSwapThread+0xbfd
02 ffff848c`00a22150 fffff800`748884e7 nt!KiCommitThreadWait+0x144
03 ffff848c`00a221f0 fffff800`74e1ffe9 nt!KeWaitForMultipleObjects+0x287
04 ffff848c`00a22300 fffff800`74e1fd05 nt!ObWaitForMultipleObjects+0x2a9
05 ffff848c`00a22800 fffff800`749d2e15 nt!NtWaitForMultipleObjects+0x105
06 ffff848c`00a22a90 00007ffb`0ed3cc14 nt!KiSystemServiceCopyEnd+0x25
07 00000016`1a96e208 00007ffb`0c438027 ntdll!NtWaitForMultipleObjects+0x14
08 00000016`1a96e210 00007ffb`0c437f0e KERNELBASE!WaitForMultipleObjectsEx+0x107
09 00000016`1a96e510 00007ffb`0e0071fb KERNELBASE!WaitForMultipleObjects+0xe
0a 00000016`1a96e550 00007ffb`0e006ca8 KERNEL32!WerpReportFaultInternal+0x51b
0b 00000016`1a96e670 00007ffb`0c4df868 KERNEL32!WerpReportFault+0xac
0c 00000016`1a96e6b0 00007ffb`0ed44b32 KERNELBASE!UnhandledExceptionFilter+0x3b8
0d 00000016`1a96e7d0 00007ffb`0ed2c6d6 ntdll!RtlUserThreadStart$filt$0+0xa2
0e 00000016`1a96e810 00007ffb`0ed4121f ntdll!_C_specific_handler+0x96
0f 00000016`1a96e880 00007ffb`0ed0a289 ntdll!RtlpExecuteHandlerForException+0xf
10 00000016`1a96e8b0 00007ffb`0ed3fe8e ntdll!RtlDispatchException+0x219
11 00000016`1a96efc0 00007ff6`6357378a ntdll!KiUserExceptionDispatch+0x2e
*** WARNING: Unable to verify checksum for InvalidPointerObject.exe
12 00000016`1a96f6d8 00007ff6`63573875 InvalidPointerObject!Resource::DoSomething+0xa
13 00000016`1a96f6e0 00007ff6`6357dfd4 InvalidPointerObject!wmain+0xd5
14 (Inline Function) --------`-------- InvalidPointerObject!invoke_main+0x22
15 00000016`1a96f730 00007ffb`0dfb7bd4 InvalidPointerObject!__scrt_common_main_seh+0x10c
16 00000016`1a96f770 00007ffb`0ed0ced1 KERNEL32!BaseThreadInitThunk+0x14
17 00000016`1a96f7a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0: kd> .frame 0n18;dv /t /v
12 00000016`1a96f6d8 00007ff6`63573875 InvalidPointerObject!Resource::DoSomething+0xa [C:\NewWork\InvalidPointerObject\InvalidPointerObject.cpp @ 10]
00000016`1a96f6e0 struct Resource * this = 0x00000146`e3a70000

0: kd> !vad 146e3a70000 1

VAD @ ffffe0031ab91080
Start VPN 146e3a70 End VPN 146e3a70 Control Area ffffe0031a66f780
FirstProtoPte ffffc9031b8fdf50 LastPte ffffc9031b8fdf50 Commit Charge 0 (0n0)
Secured.Flink 0 Blink 0 Banked/Extend 0
File Offset 0
ViewShare READWRITE

ControlArea @ ffffe0031a66f780
Segment ffffc9031c7d55d0 Flink ffffe0031ab91f40 Blink ffffe0031ab910e0
Section Ref 1 Pfn Ref 0 Mapped Views 3
User Ref 4 WaitForDel 0 Flush Count 1
File Object 0000000000000000 ModWriteCount 0 System Views 0
WritableRefs 0 PartitionId 0
Flags (2000) Commit

Pagefile-backed section

Segment @ ffffc9031c7d55d0
ControlArea ffffe0031a66f780 ExtendInfo 0000000000000000
Total Ptes 1
Segment Size 1000 Committed 1
CreatingProcessId 1a90 FirstMappedVa 146e3a70000
ProtoPtes ffffc9031b8fdf50
Flags (80000) ProtectionMask

0: kd> !ca ffffe0031a66f780 4

ControlArea @ ffffe0031a66f780
Segment ffffc9031c7d55d0 Flink ffffe0031ab91f40 Blink ffffe0031ab910e0
Section Ref 1 Pfn Ref 0 Mapped Views 3
User Ref 4 WaitForDel 0 Flush Count 1
File Object 0000000000000000 ModWriteCount 0 System Views 0
WritableRefs 0 PartitionId 0
Flags (2000) Commit

Pagefile-backed section

3 mapped view(s):

ffffe0031ab91f40 - VAD ffffe0031ab91ee0, process ffffe0031a8d3080 WerFault.exe
ffffe0031ab93ca0 - VAD ffffe0031ab93c40, process ffffe0031acd3080 InvalidPointer
ffffe0031ab910e0 - VAD ffffe0031ab91080, process ffffe00318d60080 InvalidPointer

0: kd> dc 146e3a70000
00000146`e3a70000 000000f0 00001a90 000018bc 00000000 ................
00000146`e3a70010 00000000 00000000 00000000 00000000 ................
00000146`e3a70020 00000000 00000000 00000000 00000000 ................
00000146`e3a70030 00000000 00000000 00000000 00000000 ................
00000146`e3a70040 00000000 00000000 00000000 00000000 ................
00000146`e3a70050 00000000 00000000 00000000 00000000 ................
00000146`e3a70060 00000000 00000000 00000000 00000000 ................
00000146`e3a70070 00000000 00000000 00000000 00000000 ................

We see that the page contents changed (the page now contains the PID and TID) and that its pagefile-backed section lists 3 mapped views, including 2 new processes: one is a Zombie Process duplicate of the original InvalidPointerObject.exe process and the other is WerFault.exe:

0: kd> !process ffffe0031acd3080
PROCESS ffffe0031acd3080
SessionId: 1 Cid: 06cc Peb: 161ab73000 ParentCid: 1a90
DirBase: 9d002002 ObjectTable: ffffc9031c03e5c0 HandleCount: 0.
Image: InvalidPointerObject.exe
VadRoot ffffe0031a789d90 Vads 21 Clone ffffe00318770810 Private 41. Modified 0. Locked 0.
DeviceMap 0000000000000000
Token ffffc9031d32a770
ElapsedTime 00:00:26.741
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 17776
QuotaPoolUsage[NonPagedPool] 6024
Working Set Sizes (now,min,max) (28, 50, 345) (112KB, 200KB, 1380KB)
PeakWorkingSetSize 10
VirtualSize 4138 Mb
PeakVirtualSize 4138 Mb
PageFaultCount 28
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 51

No active threads

0: kd> !process 1a90
Searching for Process with Cid == 1a90
PROCESS ffffe00318d60080
SessionId: 1 Cid: 1a90 Peb: 161ab73000 ParentCid: 1474
DirBase: af7ee002 ObjectTable: ffffc9031c02a0c0 HandleCount: 39.
Image: InvalidPointerObject.exe
VadRoot ffffe0031a78d1c0 Vads 22 Clone ffffe00318770590 Private 43. Modified 18. Locked 0.
DeviceMap ffffc903193e9bf0
Token ffffc9031c692060
ElapsedTime 00:38:20.130
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 20352
QuotaPoolUsage[NonPagedPool] 6328
Working Set Sizes (now,min,max) (547, 50, 345) (2188KB, 200KB, 1380KB)
PeakWorkingSetSize 515
VirtualSize 4139 Mb
PeakVirtualSize 4139 Mb
PageFaultCount 552
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 106
Job ffffe00317be8060

[...]

We resume system execution and collect the process crash dump. When we look at the crash address, we see the same unexpected False Memory contents:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1a90.18bc): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
ntdll!NtWaitForMultipleObjects+0x14:
00007ffb`0ed3cc14 c3 ret

0:000> kL
# Child-SP RetAddr Call Site
00 00000016`1a96e208 00007ffb`0c438027 ntdll!NtWaitForMultipleObjects+0x14
01 00000016`1a96e210 00007ffb`0c437f0e KERNELBASE!WaitForMultipleObjectsEx+0x107
02 00000016`1a96e510 00007ffb`0e0071fb KERNELBASE!WaitForMultipleObjects+0xe
03 00000016`1a96e550 00007ffb`0e006ca8 kernel32!WerpReportFaultInternal+0x51b
04 00000016`1a96e670 00007ffb`0c4df868 kernel32!WerpReportFault+0xac
05 00000016`1a96e6b0 00007ffb`0ed44b32 KERNELBASE!UnhandledExceptionFilter+0x3b8
06 00000016`1a96e7d0 00007ffb`0ed2c6d6 ntdll!RtlUserThreadStart$filt$0+0xa2
07 00000016`1a96e810 00007ffb`0ed4121f ntdll!_C_specific_handler+0x96
08 00000016`1a96e880 00007ffb`0ed0a289 ntdll!RtlpExecuteHandlerForException+0xf
09 00000016`1a96e8b0 00007ffb`0ed3fe8e ntdll!RtlDispatchException+0x219
0a 00000016`1a96efc0 00007ff6`6357378a ntdll!KiUserExceptionDispatch+0x2e
*** WARNING: Unable to verify checksum for InvalidPointerObject.exe
0b 00000016`1a96f6d8 00007ff6`63573875 InvalidPointerObject!Resource::DoSomething+0xa
0c 00000016`1a96f6e0 00007ff6`6357dfd4 InvalidPointerObject!wmain+0xd5
0d (Inline Function) --------`-------- InvalidPointerObject!invoke_main+0x22
0e 00000016`1a96f730 00007ffb`0dfb7bd4 InvalidPointerObject!__scrt_common_main_seh+0x10c
0f 00000016`1a96f770 00007ffb`0ed0ced1 kernel32!BaseThreadInitThunk+0x14
10 00000016`1a96f7a0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:000> dx Debugger.Sessions[0].Processes[6800].Threads[6332].Stack.Frames[11].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[6800].Threads[6332].Stack.Frames[11].SwitchTo()
00000016`1a96f6e0 struct Resource * this = 0x00000146`e3a70000

0:000> !address 0x00000146`e3a70000

Usage: <unknown>
Base Address: 00000146`e3a70000
End Address: 00000146`e3a71000
Region Size: 00000000`00001000 ( 4.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00040000 MEM_MAPPED

Allocation Base: 00000146`e3a70000
Allocation Protect: 00000004 PAGE_READWRITE

Content source: 1 (target), length: 1000

0:000> dc 0x00000146`e3a70000
00000146`e3a70000 000000f0 00001a90 000018bc 00000000 ................
00000146`e3a70010 00000000 00000000 00000000 00000000 ................
00000146`e3a70020 00000000 00000000 00000000 00000000 ................
00000146`e3a70030 00000000 00000000 00000000 00000000 ................
00000146`e3a70040 00000000 00000000 00000000 00000000 ................
00000146`e3a70050 00000000 00000000 00000000 00000000 ................
00000146`e3a70060 00000000 00000000 00000000 00000000 ................
00000146`e3a70070 00000000 00000000 00000000 00000000 ................

0:000> ~
. 0 Id: 1a90.18bc Suspend: 0 Teb: 00000016`1ab74000 Unfrozen

0:000> dx -r1 ((InvalidPointerObject!Resource *)0x146e3a70000)
((InvalidPointerObject!Resource *)0x146e3a70000) : 0x146e3a70000 [Type: Resource *]
[+0x000] m_usageCounter : 0x1a90000000f0 [Type: unsigned __int64]

0:000> .ecxr
rax=00000146e3a70000 rbx=00000146e3aa5bf0 rcx=00000146e3a70000
rdx=0000000000000000 rsi=0000000000000000 rdi=00000146e3aa5c70
rip=00007ff66357378a rsp=000000161a96f6d8 rbp=0000000000000000
r8=000000161a96f6a8 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
InvalidPointerObject!Resource::DoSomething+0xa:
00007ff6`6357378a 488b00 mov rax,qword ptr [rax] ds:00000146`e3a70000=00001a90000000f0

Such False Memory may complicate the analysis of process crash dumps when we want to examine memory contents prior to the exception.

The example memory dump, the application PDB file, and source code can be downloaded from here.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 265)

Thursday, April 30th, 2020

In addition to the generic Invalid Pointer pattern that maps to a visible pointer dereference in C and C++ code, plain NULL Code Pointers and NULL Data Pointers that are visible as Small Values, and Wild Pointers showing ASCII or Regular Data (such as UNICODE fragments), we have implicit dereference (from the C++ source code perspective) crash dump analysis patterns that we call Invalid Pointer (Objects). When developers see them in a high-level debugger (it could be just an exception during debugging), they are confused since they do not see the usual pointer dereference:

#include <cstddef>

struct Resource
{
    void DoSomething()
    {
        ++m_usageCounter; // implicit dereference of this
    }
    std::size_t m_usageCounter{};
};

However, the function call was ordinary (not virtual, otherwise we would have a NULL Code Pointer), and the object address used to access its members was passed via the RCX register, but the memory of the object was invalid, hence we have an exception inside the method call when trying to access object members:

0:000> .ecxr
*** WARNING: Unable to verify checksum for InvalidPointerObject.exe
rax=0000022c837e0000 rbx=0000022c83905ca0 rcx=0000022c837e0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000022c83907540
rip=00007ff6d65630ba rsp=00000098812ffc18 rbp=0000000000000000
r8=00000098812ffbe8 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
InvalidPointerObject!Resource::DoSomething+0xa:
00007ff6`d65630ba 488b00 mov rax,qword ptr [rax] ds:0000022c`837e0000=????????????????

0:000> !address @rax

Usage:
Base Address: 0000022c`837e0000
End Address: 0000022c`837e1000
Region Size: 00000000`00001000 ( 4.000 kB)
State: 00002000 MEM_RESERVE
Protect:
Type: 00020000 MEM_PRIVATE
Allocation Base: 0000022c`837e0000
Allocation Protect: 00000004 PAGE_READWRITE

0:000> kL
# Child-SP RetAddr Call Site
00 00000098`812fe748 00007ffd`62278027 ntdll!NtWaitForMultipleObjects+0x14
01 00000098`812fe750 00007ffd`62277f0e KERNELBASE!WaitForMultipleObjectsEx+0x107
02 00000098`812fea50 00007ffd`63d871fb KERNELBASE!WaitForMultipleObjects+0xe
03 00000098`812fea90 00007ffd`63d86ca8 kernel32!WerpReportFaultInternal+0x51b
04 00000098`812febb0 00007ffd`6231f868 kernel32!WerpReportFault+0xac
05 00000098`812febf0 00007ffd`64ee4b32 KERNELBASE!UnhandledExceptionFilter+0x3b8
06 00000098`812fed10 00007ffd`64ecc6d6 ntdll!RtlUserThreadStart$filt$0+0xa2
07 00000098`812fed50 00007ffd`64ee121f ntdll!_C_specific_handler+0x96
08 00000098`812fedc0 00007ffd`64eaa289 ntdll!RtlpExecuteHandlerForException+0xf
09 00000098`812fedf0 00007ffd`64edfe8e ntdll!RtlDispatchException+0x219
0a 00000098`812ff500 00007ff6`d65630ba ntdll!KiUserExceptionDispatch+0x2e
0b 00000098`812ffc18 00007ff6`d656313c InvalidPointerObject!Resource::DoSomething+0xa
0c 00000098`812ffc20 00007ff6`d6568454 InvalidPointerObject!wmain+0x6c
0d (Inline Function) --------`-------- InvalidPointerObject!invoke_main+0x22
0e 00000098`812ffc70 00007ffd`63d37bd4 InvalidPointerObject!__scrt_common_main_seh+0x10c
0f 00000098`812ffcb0 00007ffd`64eaced1 kernel32!BaseThreadInitThunk+0x14
10 00000098`812ffce0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:000> ub 00007ff6`d656313c
InvalidPointerObject!wmain+0x45:
00007ff6`d6563115 488b4c2428 mov rcx,qword ptr [rsp+28h]
00007ff6`d656311a e891ffffff call InvalidPointerObject!Resource::DoSomething (00007ff6`d65630b0)
00007ff6`d656311f 41b800400000 mov r8d,4000h
00007ff6`d6563125 33d2 xor edx,edx
00007ff6`d6563127 488b4c2420 mov rcx,qword ptr [rsp+20h]
00007ff6`d656312c ff15ce0e0200 call qword ptr [InvalidPointerObject!_imp_VirtualFree (00007ff6`d6584000)]
00007ff6`d6563132 488b4c2428 mov rcx,qword ptr [rsp+28h]
00007ff6`d6563137 e874ffffff call InvalidPointerObject!Resource::DoSomething (00007ff6`d65630b0)

0:000> u InvalidPointerObject!Resource::DoSomething
InvalidPointerObject!Resource::DoSomething:
00007ff6`d65630b0 48894c2408 mov qword ptr [rsp+8],rcx
00007ff6`d65630b5 488b442408 mov rax,qword ptr [rsp+8]
00007ff6`d65630ba 488b00 mov rax,qword ptr [rax]
00007ff6`d65630bd 48ffc0 inc rax
00007ff6`d65630c0 488b4c2408 mov rcx,qword ptr [rsp+8]
00007ff6`d65630c5 488901 mov qword ptr [rcx],rax
00007ff6`d65630c8 c3 ret
00007ff6`d65630c9 cc int 3

The example memory dump, the application PDB file, and source code can be downloaded from here.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 264)

Thursday, February 27th, 2020

Interrupts can happen in either kernel or user mode. In the latter case, upon transition to kernel mode, a special memory region is used for interrupt processing in kernel space, distinct from the thread’s kernel stack, that we call Interrupt Stack. It can also be used for mining Execution Residue.

2: kd> !thread -1 1f
THREAD fffffa801a9fa3e0  Cid 0f74.0804  Teb: 000007ffffdf8000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
DeviceMap                 fffff88000007400
Owning Process            fffffa801a949c10       Image:         App.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      81642662       Ticks: 0
Context Switch Count      58671950       IdealProcessor: 4
UserTime                  01:33:39.702
KernelTime                00:01:11.401
Win32 Start Address 0x000007fef9b1050c
Stack Init fffffa6005af4db0 Current fffffa6005af4950
Base fffffa6005af5000 Limit fffffa6005aef000 Call 0

Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`01793b98 fffff800`01a58eee nt!KeBugCheckEx
fffffa60`01793ba0 fffff800`01a57dcb nt!KiBugCheckDispatch+0x6e
fffffa60`01793ce0 fffffa60`00eb279b nt!KiPageFault+0x20b (TrapFrame @ fffffa60`01793ce0)
fffffa60`01793e70 fffffa60`00e62739 tcpip! ?? ::FNODOBFM::`string'+0x3883b
fffffa60`01794020 fffffa60`00e62194 tcpip!TcpMatchReceive+0x1b9
fffffa60`01794120 fffffa60`00e52ddd tcpip!TcpPreValidatedReceive+0x2e4
fffffa60`017941c0 fffffa60`00e52e89 tcpip!IppDeliverListToProtocol+0x4d
fffffa60`01794280 fffffa60`00e52463 tcpip!IppProcessDeliverList+0x59
fffffa60`017942f0 fffffa60`00e5176c tcpip!IppReceiveHeaderBatch+0x223
fffffa60`017943d0 fffffa60`00e50d54 tcpip!IpFlcReceivePackets+0x8dc
fffffa60`017945d0 fffffa60`00e61133 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x264
fffffa60`017946b0 fffffa60`009a40bc tcpip!FlReceiveNetBufferListChain+0xd3
fffffa60`01794700 fffffa60`0096c8c9 NDIS!ndisMIndicateNetBufferListsToOpen+0xac
fffffa60`01794750 fffffa60`008016f7 NDIS!ndisMDispatchReceiveNetBufferLists+0x1d9
fffffa60`01794bd0 fffffa60`02b4e2d3 NDIS!NdisMIndicateReceiveNetBufferLists+0x67
fffffa60`01794c10 fffffa60`02b3de0c Driver+0x152d3
fffffa60`01794de0 fffffa60`02b3df6b Driver+0x4e0c
fffffa60`01794e20 fffffa60`02b3e0b3 Driver+0x4f6b
fffffa60`01794e60 fffffa60`00801670 Driver+0x50b3
fffffa60`01794ec0 fffff800`01a5d367 NDIS!ndisInterruptDpc+0xc0
fffffa60`01794f40 fffff800`01a5bc35 nt!KiRetireDpcList+0x117
fffffa60`01794fb0 fffff800`01a5ba47 nt!KyRetireDpcList+0x5 (TrapFrame @ fffffa60`01794e70)
fffffa60`05af4bf0 fffff800`01aa1b28 nt!KiDispatchInterruptContinue
fffffa60`05af4c20 000007fe`f7e5c55a nt!KiDpcInterrupt+0xf8 (TrapFrame @ fffffa60`05af4c20)
00000000`4deae430 00000000`00000000 0x000007fe`f7e5c55a

2: kd> !address fffffa60`01794e60
Usage:
Base Address:           fffffa60`011ff000
End Address:            fffffa60`019dc000
Region Size:            00000000`007dd000

VA Type:                SystemDynamicSpace
VAD Address:            0x27676e69727473
Commit Charge:          0x244a0f51940
Protection:             0x244a0f51940 []
Memory Usage:           Private
No Change:              yes
More info:              !vad 0xfffffa60011ff000

2: kd> !address fffffa60`05af4c20
Usage:                  Stack
Base Address:           fffffa60`05aef000
End Address:            fffffa60`05af5000
Region Size:            00000000`00006000

VA Type:                SystemDynamicSpace

2: kd> dpS fffffa60`01793b98 fffffa60`01794fb0
[...]
fffffa60`05657c3f Driver2+0x4c3f
fffffa60`05656369 Driver2+0x3369

[...]
fffffa60`00801670 NDIS!ndisInterruptDpc+0xc0
fffff800`01a5d367 nt!KiRetireDpcList+0x117
fffff800`01a5bc35 nt!KyRetireDpcList+0x5
fffffa60`008015b0 NDIS!ndisInterruptDpc

2: kd> ub fffffa60`05657c3f
Driver2+0x4c25:
fffffa60`05657c25 8bf2            mov     esi,edx
fffffa60`05657c27 33d2            xor     edx,edx
fffffa60`05657c29 418be8          mov     ebp,r8d
fffffa60`05657c2c 488bd9          mov     rbx,rcx
fffffa60`05657c2f 448d4240        lea     r8d,[rdx+40h]
fffffa60`05657c33 488d48b8        lea     rcx,[rax-48h]
fffffa60`05657c37 418bf9          mov     edi,r9d
fffffa60`05657c3a e8010e0000      call    Driver2+0x5a40 (fffffa60`05658a40)

2: kd> ub fffffa60`05656369
Driver2+0×334d:
fffffa60`0565634d cc              int     3
fffffa60`0565634e cc              int     3
fffffa60`0565634f cc              int     3
fffffa60`05656350 4889542410      mov     qword ptr [rsp+10h],rdx
fffffa60`05656355 48894c2408      mov     qword ptr [rsp+8],rcx
fffffa60`0565635a 4883ec58        sub     rsp,58h
fffffa60`0565635e 488d4c2428      lea     rcx,[rsp+28h]
fffffa60`05656363 ff15972c0000    call    qword ptr [Driver2+0x6000 (fffffa60`05659000)]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 263)

Friday, February 21st, 2020

Sometimes, when we have One-Thread Process memory dumps, it is possible to get other stack regions indirectly through the analysis of virtual memory regions. Consider, for example, this dump that has only one thread, the one exiting the process:

0:000> kL
# Child-SP          RetAddr           Call Site
00 000000f1`828ff848 00007ff9`d29aa9b8 ntdll!NtTerminateProcess+0x14
01 000000f1`828ff850 00007ff9`d113cd8a ntdll!RtlExitUserProcess+0xb8
02 000000f1`828ff880 00007ff7`fbb91231 kernel32!ExitProcessImplementation+0xa
03 000000f1`828ff8b0 00007ff7`fbb9125f HiddenStack!bar1+0x41
04 000000f1`828ffa80 00007ff7`fbb91cb5 HiddenStack!foo1+0x1f
05 000000f1`828ffc40 00007ff7`fbb91b1b HiddenStack!std::_Invoker_functor::_Call<void (__cdecl*)(void)>+0x15
06 000000f1`828ffc70 00007ff7`fbb917c4 HiddenStack!std::invoke<void (__cdecl*)(void)>+0x1b
07 000000f1`828ffca0 00007ff7`fbb99728 HiddenStack!std::thread::_Invoke<std::tuple<void (__cdecl*)(void)>,0>+0x64
08 000000f1`828ffcf0 00007ff9`d1137bd4 HiddenStack!thread_start<unsigned int (__cdecl*)(void *),1>+0x50
09 000000f1`828ffd20 00007ff9`d29aced1 kernel32!BaseThreadInitThunk+0x14
0a 000000f1`828ffd50 00000000`00000000 ntdll!RtlUserThreadStart+0x21

There are no more thread stack traces:

0:000> ~
. 0 Id: 27d4.22a4 Suspend: -1 Teb: 000000f1`8266a000 Unfrozen

However, in addition to thread #0, we can find several regions having PAGE_GUARD protection:

0:000> !address
[...]
+       f1`82800000       f1`828fb000        0`000fb000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 27d4.22a4]
f1`828fb000       f1`828fe000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 27d4.22a4]
f1`828fe000       f1`82900000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 27d4.22a4]
+       f1`82900000       f1`829fb000        0`000fb000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
f1`829fb000       f1`829fe000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          <unknown>
f1`829fe000       f1`82a00000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [................]
+       f1`82a00000       f1`82afc000        0`000fc000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
f1`82afc000       f1`82aff000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          <unknown>
f1`82aff000       f1`82b00000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [................]
+       f1`82b00000       f1`82bfb000        0`000fb000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
f1`82bfb000       f1`82bfe000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          <unknown>
f1`82bfe000       f1`82c00000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [................]
+       f1`82c00000      1fe`828f0000      10c`ffcf0000             MEM_FREE    PAGE_NOACCESS                      Free
[...]

We can then get Rough Stack Traces out of them:

0:000> .lines -d
Line number information will not be loaded

0:000> dpS f1`829fe000       f1`82a00000
00007ff9`d2986139 ntdll!RtlpFindEntry+0x4d
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d2a463fa ntdll!RtlpValidateHeap+0x32
00007ff9`d2a44b25 ntdll!RtlDebugAllocateHeap+0x35d
00007ff9`d29f49d6 ntdll!RtlpAllocateHeap+0x77ae6
00007ff9`d29f49d6 ntdll!RtlpAllocateHeap+0x77ae6
00007ff9`d0070000 KERNELBASE!UrlHashW <PERF> (KERNELBASE+0x0)
00007ff9`d007b4b1 KERNELBASE!SetTEBLangID+0x2d
00007ff9`d007ac70 KERNELBASE!_KernelBaseBaseDllInitialize+0x90
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d19e7890 msvcrt!CRTDLL_INIT
00007ff9`d29db5a3 ntdll!RTL_BINARY_ARRAY<RTLP_FLS_SLOT,8,4>::ChunkAllocate+0x67
00007ff9`d19e0000 msvcrt!`dynamic initializer for '__ExceptionPtr::m_badAllocExceptionPtr'' <PERF> (msvcrt+0x0)
00007ff9`d29db65d ntdll!RTL_BINARY_ARRAY<RTLP_FLS_SLOT,8,4>::SetValue+0x39
00007ff9`d2964ef7 ntdll!RtlDeactivateActivationContextUnsafeFast+0xc7
00007ff9`d299439c ntdll!RtlFlsSetValue+0xec
00007ff9`d2986139 ntdll!RtlpFindEntry+0x4d
00000000`7ffe0301 SharedUserData+0x301
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00000000`7ffe0358 SharedUserData+0x358
00007ff7`fbb923ca HiddenStack!std::chrono::duration_cast<std::chrono::duration<double,std::ratio<1,1000000000> >,__int64,std::ratio<1,1000000000>,void>+0x4a
00000000`7ffe0358 SharedUserData+0x358
00007ff9`d294bb47 ntdll!RtlGetSystemTimePrecise+0x57
00007ff9`d00b6931 KERNELBASE!SleepEx+0xa1
00007ff9`d00d3890 KERNELBASE!GetSystemTimePreciseAsFileTime+0x10
00007ff7`fbb931b4 HiddenStack!_Thrd_sleep+0x3c
00007ff7`fbb916c5 HiddenStack!std::this_thread::sleep_until<std::chrono::steady_clock,std::chrono::duration<__int64,std::ratio<1,1000000000> > >+0x65
00007ff7`fbb91651 HiddenStack!std::chrono::operator+<std::chrono::steady_clock,std::chrono::duration<__int64,std::ratio<1,1000000000> >,__int64,std::ratio<1,1> >+0x41
00007ff7`fbb913fd HiddenStack!std::this_thread::sleep_for<__int64,std::ratio<1,1> >+0x2d
00007ff7`fbb912a9 HiddenStack!bar2+0x39
00007ff7`fbb912df HiddenStack!foo2+0x1f
00007ff7`fbb91cb5 HiddenStack!std::_Invoker_functor::_Call<void (__cdecl*)(void)>+0x15
00007ff7`fbb91aec HiddenStack!std::unique_ptr<std::tuple<void (__cdecl*)(void)>,std::default_delete<std::tuple<void (__cdecl*)(void)> > >::unique_ptr<std::tuple<void (__cdecl*)(void)>,std::default_delete<std::tuple<void (__cdecl*)(void)> > ><std::default_delete<std::tuple<void (__cdecl*)(void)> >,0>+0x2c
00007ff7`fbb91b1b HiddenStack!std::invoke<void (__cdecl*)(void)>+0x1b
00007ff7`fbb917c4 HiddenStack!std::thread::_Invoke<std::tuple<void (__cdecl*)(void)>,0>+0x64
00007ff7`fbb9c1d7 HiddenStack!__acrt_getptd+0xb3
00007ff7`fbb99728 HiddenStack!thread_start<unsigned int (__cdecl*)(void *),1>+0x50
00007ff9`d1137bd4 kernel32!BaseThreadInitThunk+0x14
00007ff9`d29aced1 ntdll!RtlUserThreadStart+0x21

0:000> dpS f1`82aff000       f1`82b00000
00007ff9`d2986139 ntdll!RtlpFindEntry+0x4d
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d2a463fa ntdll!RtlpValidateHeap+0x32
00007ff9`d2a463fa ntdll!RtlpValidateHeap+0x32
00007ff9`d2a44b25 ntdll!RtlDebugAllocateHeap+0x35d
00007ff9`d29f49d6 ntdll!RtlpAllocateHeap+0x77ae6
00007ff9`d2962da8 ntdll!LdrpInitializeThread+0x40
00007ff9`d297562f ntdll!TppCallbackCheckThreadAfterCallback+0x9f
00007ff9`d29700e5 ntdll!RtlRegisterThreadWithCsrss+0x35
00007ff9`d29b18f5 ntdll!_LdrpInitialize+0x89
00007ff9`d2975394 ntdll!TppCallbackEpilog+0x144
00007ff9`d29701d6 ntdll!TppCritSetThread+0x7a
00007ff9`d2973155 ntdll!TppWorkCallbackPrologRelease+0x1c9
00007ff9`d296e2c3 ntdll!LdrpWorkCallback+0x63
00007ff9`d2aa52f0 ntdll!LdrpWorkQueue
00007ff9`d29708a2 ntdll!TppWorkpExecuteCallback+0xb2
00000000`7ffe0386 SharedUserData+0x386
00007ff9`d2974060 ntdll!TppWorkerThread+0x300
00007ff9`d1137bd4 kernel32!BaseThreadInitThunk+0x14
00007ff9`d29aced1 ntdll!RtlUserThreadStart+0x21

0:000> dpS f1`82bfe000       f1`82c00000
00007ff9`d2986139 ntdll!RtlpFindEntry+0x4d
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00007ff9`d297dbea ntdll!RtlpAllocateHeap+0xcfa
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d2a463fa ntdll!RtlpValidateHeap+0x32
00007ff9`d2a463fa ntdll!RtlpValidateHeap+0x32
00007ff9`d2a44b25 ntdll!RtlDebugAllocateHeap+0x35d
00007ff9`d29f49d6 ntdll!RtlpAllocateHeap+0x77ae6
00007ff9`d2962da8 ntdll!LdrpInitializeThread+0x40
00007ff9`d29700e5 ntdll!RtlRegisterThreadWithCsrss+0x35
00007ff9`d29b18f5 ntdll!_LdrpInitialize+0x89
00007ff9`d297babb ntdll!RtlpAllocateHeapInternal+0x1cb
00007ff9`d29701d6 ntdll!TppCritSetThread+0x7a
00007ff9`d2970098 ntdll!TppPoolAddWorker+0x68
00007ff9`d2974060 ntdll!TppWorkerThread+0x300
00007ff9`d1137bd4 kernel32!BaseThreadInitThunk+0x14
00007ff9`d29aced1 ntdll!RtlUserThreadStart+0x21

We call such analysis pattern Hidden Stack as another way to get Historical Information from memory dumps.
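The region search above can be automated. The following Python script is an added example, not code from the post or from its HiddenStack project: it parses !address output in the table format shown above, groups each MEM_RESERVE region with the PAGE_GUARD page(s) and the committed region that follow it contiguously (the layout of a user-mode thread stack), and prints the dpS command for the committed part of every stack that !address did not attribute to a thread. The sample table is constructed from the rows on this page plus a Heap row and an adjusted Free row as non-matching decoys.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the !address table on this page: the three
# reserve/guard/commit triples are the rows from the post; the Heap row and the
# adjusted Free row are decoys added so that not every committed region matches.
SAMPLE = """\
+       f1`82800000       f1`828fb000        0`000fb000 MEM_PRIVATE MEM_RESERVE                                    Stack      [~0; 27d4.22a4]
        f1`828fb000       f1`828fe000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          Stack      [~0; 27d4.22a4]
        f1`828fe000       f1`82900000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Stack      [~0; 27d4.22a4]
+       f1`82900000       f1`829fb000        0`000fb000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
        f1`829fb000       f1`829fe000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          <unknown>
        f1`829fe000       f1`82a00000        0`00002000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [................]
+       f1`82a00000       f1`82afc000        0`000fc000 MEM_PRIVATE MEM_RESERVE                                    <unknown>
        f1`82afc000       f1`82aff000        0`00003000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE|PAGE_GUARD          <unknown>
        f1`82aff000       f1`82b00000        0`00001000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     <unknown>  [................]
+       f1`82b00000       f1`82b10000        0`00010000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     Heap       [ID: 0; Handle: 000000f182b00000; Type: Segment]
+       f1`82b10000      1fe`828f0000      10c`ffde0000             MEM_FREE    PAGE_NOACCESS                      Free
"""

# One table row: start address, end address, size, then everything after the size column.
ROW = re.compile(r"^\+?\s*([0-9a-f`]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(.*)$", re.I)


@dataclass
class Region:
    start: int
    end: int
    state: str    # MEM_COMMIT, MEM_RESERVE or MEM_FREE
    protect: str  # e.g. PAGE_READWRITE|PAGE_GUARD; "" when !address prints none
    usage: str    # Stack, Heap, <unknown>, Free, ...


def hexval(text):
    """Parse a WinDbg address such as f1`829fe000 (the backtick is optional)."""
    return int(text.replace("`", ""), 16)


def fmt(addr):
    """Print an address the way WinDbg does: high dword`low dword."""
    return f"{addr >> 32:x}`{addr & 0xFFFFFFFF:08x}"


def parse_address(text):
    """Turn the !address table into Region records, skipping non-table lines."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        tokens = m.group(4).split()
        state = next((t for t in tokens if t in ("MEM_COMMIT", "MEM_RESERVE", "MEM_FREE")), "")
        protect = next((t for t in tokens if t.startswith("PAGE_")), "")
        usage = next((t for t in tokens if not t.startswith(("MEM_", "PAGE_", "["))), "")
        regions.append(Region(hexval(m.group(1)), hexval(m.group(2)), state, protect, usage))
    return regions


def find_stacks(regions):
    """Return (reserve_start, commit_start, commit_end, usage) for every contiguous
    MEM_RESERVE -> PAGE_GUARD -> committed triple, the shape of a user-mode stack
    (reserved growth room, guard page(s), then the pages the thread already touched)."""
    found = []
    for a, b, c in zip(regions, regions[1:], regions[2:]):
        contiguous = a.end == b.start and b.end == c.start
        if (contiguous and a.state == "MEM_RESERVE"
                and b.state == "MEM_COMMIT" and "PAGE_GUARD" in b.protect
                and c.state == "MEM_COMMIT" and "PAGE_GUARD" not in c.protect):
            found.append((a.start, c.start, c.end, c.usage))
    return found


def hidden_stack_commands(text):
    """dpS commands for the committed part of each stack !address did not attribute
    to a thread; running them gives the Rough Stack Traces shown in the post."""
    return [f"dpS {fmt(s)} {fmt(e)}"
            for _, s, e, usage in find_stacks(parse_address(text)) if usage != "Stack"]


if __name__ == "__main__":
    for cmd in hidden_stack_commands(SAMPLE):
        print(cmd)
```

Paste the dpS lines into the debugger; the guard pages themselves are skipped on purpose, since they are not readable in the dump.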

The example memory dump, the application PDB file, and source code can be downloaded from here.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 261)

Sunday, October 13th, 2019

Raw stack memory region analysis is more productive with the Region Clusters analysis pattern. Here we apply simple clustering techniques to organize various region values into disjoint sets with chosen semantics. For our purposes, a simple sort suffices to generate such clusters that can be visually inspected. We take the same stack.csv file from the Region Profile analysis pattern. Its values are sorted, and the results are shown in sorted order with the corresponding count of occurrences and symbolic references (we use the internal version of Narrascope, a narrative debugger written in C++, but you can use your favorite scripting language here):

0 count: 13718
1 count: 273
2 count: 23
3 count: 22
4 count: 28
5 count: 9
6 count: 5
7 count: 18
8 count: 35
9 count: 5
a count: 24
b count: 12
c count: 4
d count: 3
e count: 1
f count: 28
10 count: 14
...
c0000034 count: 2
c0000388 count: 2
c01c0001 count: 1
c0a70000 count: 1
d0908070 count: 1
dcae0fa0 count: 1
e30000e3 count: 1
f80004fc count: 2
ffff5815 count: 2
fffffed3 count: 2
fffffffd count: 2
ffffffff count: 18
100000000 count: 6
100000001 count: 4
100001f80 count: 1
100001fa0 count: 16
100001fa4 count: 2
100003033 count: 2
100010000 count: 1
...
7ff700000000 count: 1
7ff700000001 count: 2
7ff70000000d count: 1
7ff747390000 Photoshop_exe count: 1
7ff74ebd4ec0 Photoshop_exe+0x7844ec0 count: 1
7ff74ef351c7 Photoshop_exe+0x7ba51c7 count: 1
7ff74ef4e2f0 Photoshop_exe+0x7bbe2f0 count: 1
7ff74ef4e5a9 Photoshop_exe+0x7bbe5a9 count: 1
...
7fff00000000 count: 21
7fff00000001 count: 7
7fff00000002 count: 1
7fff00000003 count: 1
7fff00000004 count: 1
7fff00000011 count: 1
7fff00000020 count: 1
7fff00000040 count: 3
7fff00000102 count: 1
7fff0000029e count: 3
7fff00140000 count: 1
7fff02000002 count: 1
7fff4782c33b libcef!GetHandleVerifier+0x61d7b count: 1
7fff4782c884 libcef!GetHandleVerifier+0x622c4 count: 1
7fff493749cc libcef!cef_time_to_timet+0x1a9228 count: 2
...
7fff9a0c1e57 GdiPlus!GpGraphics::MeasureString+0x333 count: 1
7fff9a128c2a GdiPlus!FastTextImager::MeasureString+0x32 count: 1
7fff9a174e18 GdiPlus!GpFontFamily::`vftable' count: 2
7fff9b6055b3 DWrite!FontFace::GetDesignGlyphAdvances+0x57 count: 1
7fffa7e6c260 comctl32!ListBox_WndProc count: 5
7fffa7e6c357 comctl32!ListBox_WndProc+0xf7 count: 2
7fffb1373c18 npmproxy!INotifyNetworkListManagerEventsProxyVtbl+0x1b8 count: 1
7fffb2c14e96 msvcp140!_Mbrtowc+0x66 [f:\dd\vctools\crt\crtw32\stdcpp\xmbtowc.c @ 156] count: 1
...
7fffc09f0359 ntdll!qsort+0x379 count: 1
7fffc09fa1e4 ntdll!woutput_s+0x8e8 count: 1
7fffc09fa297 ntdll!write_string+0x3f count: 1
7fffc09fbd30 ntdll!NtdllDefWindowProc_W count: 2
7fffc09fbf10 ntdll!NtdllDispatchHook_W count: 2
7fffc09ffc54 ntdll!KiUserCallForwarder+0x24 count: 1
7fffc09ffdb4 ntdll!KiUserCallbackDispatcherContinue count: 2
800000000000 count: 1
800000000001 count: 2
800063640000 count: 36
800066660000 count: 38
80006f6f0000 count: 2
800072720000 count: 8
800075750000 count: 1
974b00000000 count: 1
974b8118d10d count: 1
a76b00000000 count: 1
a76bb8365307 count: 1
a76bb8378c47 count: 1
a76bb8378f77 count: 1
a76bb837bfd7 count: 1
a8c300000000 count: 1
a8c311cf265f count: 1
...
30000000000000 count: 1
30000000310030 count: 1
30000300470048 count: 1
30002000100000 count: 1
3000300030007b count: 1
3000300031002d count: 1
30003000310031 count: 2
300031002d0037 count: 1
30003800390032 count: 3
31000000000000 count: 1
310000007d0036 count: 1
31002d00310037 count: 1
310032002d0035 count: 1
...
7fdf7fbd7f9c7f7b count: 2
8000800000000001 count: 1
8000800000001fa0 count: 1
8000800080000000 count: 6
8000800080008000 count: 52
80121a254b25250a count: 1
923800003f000000 count: 2
bf000000bf000000 count: 1
bff0000000000000 count: 2
e5b2a56118358cbe count: 2
ffff0072656c6c6f count: 1
fffffdb773438b57 count: 3
ffffff0000000005 count: 1
ffffff7bc010786f count: 1
ffffff7bc010787f count: 1
fffffffb00000000 count: 1
ffffffff00000000 count: 4
ffffffff00000001 count: 3
ffffffff00000005 count: 1
ffffffff00001fa0 count: 2
ffffffff4c494146 count: 2
ffffffffffffc3ce count: 1
fffffffffffffef6 count: 1
ffffffffffffff00 count: 2
ffffffffffffff01 count: 2
fffffffffffffffe count: 166
ffffffffffffffff count: 38

We can easily identify error values, module boundaries, and Regular Data. The sorting can also be done for double word or word values, for example, to isolate errors or wide character values, but whether this is useful remains to be seen.
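As an added example (not Narrascope or any code from the post), here is the clustering in Python: it sorts the stack values, counts occurrences, and attaches module+offset references in the format printed above; a width parameter also splits each value into double words or words, the variant the post mentions. The stack.csv layout is assumed to be one hex value per line (the last comma-separated field), the excerpt is constructed, and the Photoshop_exe module range is taken from the post's own output (base 7ff747390000, since 7ff74ebd4ec0 is Photoshop_exe+0x7844ec0) with an assumed size.

```python
from collections import Counter

# Constructed stack.csv excerpt. The post does not show the file layout, so this
# assumes one 64-bit hex value per line (the last comma-separated field if a line
# carries several fields); non-hex lines such as a header are skipped.
STACK_CSV = """\
value
0
7ff74ebd4ec0
0
ffffffffffffffff
7ff747390000
1
7ff74ebd4ec0
8000800080008000
ffffffffffffff01
0
"""

# Module ranges used for symbolic references, as (name, base, end). The
# Photoshop_exe base follows from the post's own output (7ff74ebd4ec0 is
# Photoshop_exe+0x7844ec0); the size is assumed. Fill this from lm for a real dump.
MODULES = [("Photoshop_exe", 0x7FF747390000, 0x7FF747390000 + 0x8000000)]


def read_values(text):
    """Read the stack slot values from stack.csv text."""
    values = []
    for line in text.splitlines():
        field = line.strip().split(",")[-1]
        try:
            values.append(int(field, 16))
        except ValueError:
            continue  # header, blank or otherwise non-hex line
    return values


def split_units(value, width):
    """Split a 64-bit stack slot into little-endian units of `width` bytes
    (8 keeps the qword; 4 or 2 give the dword/word view the post mentions)."""
    assert width in (1, 2, 4, 8)
    bits = width * 8
    return [(value >> (bits * i)) & ((1 << bits) - 1) for i in range(8 // width)]


def symbolize(value):
    """module or module+offset when the value lies inside a known module, else ''."""
    for name, base, end in MODULES:
        if base <= value < end:
            offset = value - base
            return name if offset == 0 else f"{name}+0x{offset:x}"
    return ""


def cluster(values, width=8):
    """Sorted cluster lines in the post's format: '<hex> [symbol] count: N'.
    Sorting numerically puts small values, module ranges and error codes
    (0xc0000000... and 0xffffffff...) into separate runs of the output."""
    counts = Counter(u for v in values for u in split_units(v, width))
    rows = []
    for v in sorted(counts):
        parts = (f"{v:x}", symbolize(v), f"count: {counts[v]}")
        rows.append(" ".join(p for p in parts if p))
    return rows


if __name__ == "__main__":
    print("\n".join(cluster(read_values(STACK_CSV))))
```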

This clustering approach can be depicted in the following idealized diagram:

The full output can be found here: stack-clusters.txt for stack.csv file.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -