Software Diagnostics Library

Crash Dumps and Global Conspiracy

January 11th, 2008

I’m reading a book now about global conspiracy to educate myself about various such theories and just for fun. There are Matrix-style conspiracy theories where we are like computer programs. Looking from crash dump analysis and debugging perspective I thought about this: can a process detect its own past crash dumps? Obviously yes, if the code was written with such intention. If the code was written without such intention but is complex enough to generate additional code or reuse the existing one to train itself in such procedure then it can detect past crash dumps too. You see where I’m heading now If we can see our past crash dumps then this will be the proof that we live in a Matrix-type world. The link to the book I’m reading now is below and I promise to write a review when I finish it.

Yet another thought - are there any secret software engineering societies (SSES)? Can we see patterns in memory dumps linking to alien code?

The David Icke Guide to the Global Conspiracy

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Books, Fun with Crash Dumps | 1 Comment »

What is KiFastSystemCallRet?

January 10th, 2008

This question was asked hundreds of times in 2007 and here is the short answer. This is a return function address for trap frames created for system calls on x86 post-W2K systems.

Since Pentium II Microsoft changed OS call dispatching from interrupt driven INT /IRETD mechanism used in Windows NT and Windows 2000 to faster optimized instruction sequence. This is SYSENTER / SYSEXIT pair on x86 32-bit Intel platforms and SYSCALL / SYSRET pair on x64 Intel and AMD platforms.

INT instruction saves a return address but SYSENTER doesn’t. Let’s look at a typical thread call stack from complete memory dump coming from x86 Windows 2003 system:

1: kd> kL ChildEBP RetAddr a5a2ac64 80502d26 nt!KiSwapContext+0x2f a5a2ac70 804faf20 nt!KiSwapThread+0x8a a5a2ac98 805a4d6c nt!KeWaitForSingleObject+0x1c2 a5a2ad48 8054086c nt!NtReplyWaitReceivePortEx+0x3dc a5a2ad48 7c91eb94 nt!KiFastCallEntry+0xfc 00a0fe18 7c91e399 ntdll!KiFastSystemCallRet 00a0fe1c 77e56703 ntdll!NtReplyWaitReceivePortEx+0xc 00a0ff80 77e56c22 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xf4 00a0ff88 77e56a3b RPCRT4!RecvLotsaCallsWrapper+0xd 00a0ffa8 77e56c0a RPCRT4!BaseCachedThreadRoutine+0×79 00a0ffb4 7c80b683 RPCRT4!ThreadStartRoutine+0×1a 00a0ffec 00000000 kernel32!BaseThreadStart+0×37

RPC module calls the native function to wait for a reply from an LPC port. Note that we disassemble the return address instead of the symbolic address because of OMAP Code Optimization:

1: kd> ub RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xf4 ^ Unable to find valid previous instruction for 'ub RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xf4'

1: kd> ub 77e56703 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xd9: 77e566e8 e8edfeffff call RPCRT4!RpcpPurgeEEInfoFromThreadIfNecessary (77e565da) 77e566ed ff75ec push dword ptr [ebp-14h] 77e566f0 8d45f0 lea eax,[ebp-10h] 77e566f3 ff75f4 push dword ptr [ebp-0Ch] 77e566f6 ff75fc push dword ptr [ebp-4] 77e566f9 50 push eax 77e566fa ff7658 push dword ptr [esi+58h] 77e566fd ff15b010e577 call dword ptr [RPCRT4!_imp__NtReplyWaitReceivePortEx (77e510b0)]

1: kd> dps 77e510b0 l1 77e510b0 7c91e38d ntdll!ZwReplyWaitReceivePortEx

NTDLL stub for the native function is small and transitions to level 0 via shared SystemCallSub immediately:

1: kd> uf ntdll!NtReplyWaitReceivePortEx ntdll!ZwReplyWaitReceivePortEx: 7c91e38d mov eax,0C4h 7c91e392 mov edx,offset SharedUserData!SystemCallStub (7ffe0300) 7c91e397 call dword ptr [edx] 7c91e399 ret 14h

1: kd> dps 7ffe0300 l3 7ffe0300 7c91eb8b ntdll!KiFastSystemCall 7ffe0304 7c91eb94 ntdll!KiFastSystemCallRet 7ffe0308 00000000

1: kd> uf ntdll!KiFastSystemCall ntdll!KiFastSystemCall: 7c91eb8b mov edx,esp 7c91eb8d sysenter 7c91eb8f nop 7c91eb90 nop 7c91eb91 nop 7c91eb92 nop 7c91eb93 nop 7c91eb94 ret

Before executing SYSENTER ESP points to the following return address:

1: kd> u 7c91e399 ntdll!NtReplyWaitReceivePortEx+0xc: 7c91e399 ret 14h

SYSENTER instruction changes ESP and EIP to new values contained in machine-specific registers (MSR). As a result EIP points to nt!KiFastCallEntry. After saving a trap frame and checking parameters it calls nt!NtReplyWaitReceivePortEx address from system function table. When the latter function returns KiFastCallEntry proceeds to KiServiceExit and KiSystemCallExit2:

1: kd> ub 8054086c nt!KiFastCallEntry+0xe2: 80540852 mov ebx,dword ptr [edi+eax*4] 80540855 sub esp,ecx 80540857 shr ecx,2 8054085a mov edi,esp 8054085c cmp esi,dword ptr [nt!MmUserProbeAddress (80561114)] 80540862 jae nt!KiSystemCallExit2+0×9f (80540a10) 80540868 rep movs dword ptr es:[edi],dword ptr [esi] 8054086a call ebx

1: kd> u nt!KiFastCallEntry+0x105: 80540875 mov edx,dword ptr [ebp+3Ch] 80540878 mov dword ptr [ecx+134h],edx nt!KiServiceExit: 8054087e cli 8054087f test dword ptr [ebp+70h],20000h 80540886 jne nt!KiServiceExit+0x10 (8054088e) 80540888 test byte ptr [ebp+6Ch],1 8054088c je nt!KiServiceExit+0x66 (805408e4) 8054088e mov ebx,dword ptr fs:[124h]

1: kd> u nt!KiSystemCallExit2+0x12: 80540983 sti 80540984 sysexit

Let’s inspect the trap frame:

1: kd> kv5 ChildEBP RetAddr Args to Child a5a2ac64 80502d26 82ffc090 82ffc020 804faf20 nt!KiSwapContext+0x2f a5a2ac70 804faf20 e12424b0 8055c0a0 e12424b0 nt!KiSwapThread+0x8a a5a2ac98 805a4d6c 00000001 00000010 00000001 nt!KeWaitForSingleObject+0x1c2 a5a2ad48 8054086c 000000c8 00a0ff70 00000000 nt!NtReplyWaitReceivePortEx+0x3dc a5a2ad48 7c91eb94 000000c8 00a0ff70 00000000 nt!KiFastCallEntry+0xfc (TrapFrame @ a5a2ad64)

1: kd> .trap a5a2ad64 ErrCode = 00000000 eax=00000000 ebx=00000000 ecx=00a0fd6c edx=7c91eb94 esi=00159b38 edi=00000100 eip=7c91eb94 esp=00a0fe1c ebp=00a0ff80 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCallRet: 001b:7c91eb94 ret

1: kd> kL *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr 00a0fe18 7c91e399 ntdll!KiFastSystemCallRet 00a0fe1c 77e56703 ntdll!NtReplyWaitReceivePortEx+0xc 00a0ff80 77e56c22 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0xf4 00a0ff88 77e56a3b RPCRT4!RecvLotsaCallsWrapper+0xd 00a0ffa8 77e56c0a RPCRT4!BaseCachedThreadRoutine+0x79 00a0ffb4 7c80b683 RPCRT4!ThreadStartRoutine+0x1a 00a0ffec 00000000 kernel32!BaseThreadStart+0x37

Therefore I believe the dummy ntdll!KiFastSystemCallRet function with one RET instruction is used to create a uniform trap frame across system calls. Otherwise trap frames for different native API calls would contain different return values.

While reading this post I found two related articles. The first one explains old mechanism for Windows NT and the second one explains the new one:

I’ll cover SYSCALL / SYSRET in another blog post.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Assembly Language, Crash Dump Analysis | 7 Comments »

Crash Dump Analysis AntiPatterns (Part 8)

January 10th, 2008

This is sometime very funny one. It is called Fooled by Abbreviation. When someone is so presupposed or engaged in identifying Alien Components due to limited time and complexity of issues. For example, “Ctx” abbreviation in function names will most likely mean “Context” in general but can also be a function and data structure prefix used by a company with a similar sounding name. Opposite cases happen too when general is presupposed instead of particular, for example, ”Mms” prefix is read as “Memory Management Subsystem” but belongs to a multimedia system vendor.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in AntiPatterns, Crash Dump Patterns, Software Technical Support | No Comments »

2007 in Retrospection (Part 2)

January 8th, 2008

Here is the list of 100 most frequent phrases and keywords (out of almost 30,000 unique phrases recorded for 2007) from various search engines that brought people to my blog. Therefore I believe that publishing this list will bring more people searching for the same phrases straight to my blog, some kind of “SEO resonance” :-)

crash dump analysis
vista crash dump
what is kifastsystemcallret
kmode_exception_not_handled
crash dump
windbg commands
crash dump vista
werfault.exe
dump analysis
stressprinters
kernel_mode_exception_not_handled
debugging by thinking
interrupt enable flag asmpedia
fnodobfm
dr watson vista
debugging techniques using windbg
component timestamps crash dump
dumpanalysis
system_thread_exception_not_handled
windbg script
stack trace reconstruction
error inittyperead( teb )
false positive dump
coupled processes windbg
windbg
gs peb teb register
user mode process dumper
windows rootkits drivers rus
minidump analysis
windbg analyze
drwtsn32 vista
crash dumps
debugware.com
ntdll!kifastsystemcallret
csrss crash avoid
kifastsystemcallret
windbg scripts
bugcheck explained
memory dumping mechanism
irql_not_less_or_equal
dump analyzer
vdtw30.dll
vista dr watson
userdump
kei386eoihelper
windbg command
vista memory dump
windows crash kernel analysis
dmitry vostokov
wermgr.exe
kernel32!pnlsuserinfo
userdump.exe
!clrstack
vista crash analysis
xp ntsd .loadby
drwatson vista
how to use windbg
receivelotsacalls
system_thread_exception_not_handled (7e)
pspunhandledexceptioninsystemthread
x64 debugging
dr watson postmortem debugger
werfault.exe vista
wersvc
automate windbg dmp info
windbg tips
faultrep.dll
windbg tutorial
convertticket
windows crash dump analysis
your debugger is not using the correct symbols
werfault
warning: frame ip not in any known module. following frames may be wrong.
windbg !analyze
windbg dump
crash dump analyzer
analyze minidump
crash dump analysis blog
when a process dies silently
windbg crash dump analysis
vista crash dump analysis
dr watson postmortem
frame ip not in any known module
memory dump
windbg crash dump analysis blog
advanced windows debugging
ntsd vista
rtlactivateactivationcontextunsafefast
unable to find module ‘mscorwks’
vista crash dumps
exception_double_fault
vista 64bit post mortem debugger
windows vista crash dump
crash dump analysis tool
what is memory dump
crash dump in vista
double fault + x64
memory dump analysis
symbol file could not be found
systemdump

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Crash Dump Analysis, DumpAnalysis.org Statistics | 2 Comments »

What is a Software Defect?

January 8th, 2008

Software can be considered as models of real or imagined systems which may be models themselves. Any modeling act involves a mapping between a system and a model that preserves causal, ordering and inclusion relationships and a mapping from the model to the system that translates emerging relationships and causal structures back to that system. The latter I call modeling expectations and any observed deviations in structure and behavior between the model and the system I call software defects which can be functional failures, error messages, crashes or hangs (red line on diagrams below):

Consider ATM software as a venerable example. It models imagined world of ATM transactions which we call ATM software requirements. The latter specifies ACID (atomic, consistent, isolated and durable) transaction rules. If they are broken by the written software we have the defect:

What are software requirements? They are models of real or imagined systems or can be models of past causal and relationship experiences. If requirements are wrong they do not translate back and we still consider software as having a defect:

Translating this to ATM example we have:

Another example where the perceived absence of failures can be considered as a defect is the program designed to model memory leaks that might not be leaking due to a defect in its source code.

Now we can answer the question ”What is a memory corruption?” which is the topic of the next post.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Debugging, Science of Memory Dump Analysis | 2 Comments »

Pooltags from Citrix drivers

January 7th, 2008

Citrix has recently published the list of their pooltags. Please refer to the following article:

http://support.citrix.com/article/ctx115257

So when you see the following or similar output from !poolused WinDbg command you can update your pooltag.txt file located in your Debugging Tools for Windows installation \triage folder:

WD UNKNOWN pooltag 'WD ', please update pooltag.txt

Please also be aware that ‘Ica’ pooltag doesn’t belong to Citrix drivers although it sounds like “ICA protocol”. It comes from Microsoft termdd.sys driver.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Citrix, Crash Dump Analysis | No Comments »

USHORT vs. ULONG websites

January 4th, 2008

It is about the number of visits a website has at some point of its evolution. This blog has been visited more than 65,535 times and now belongs to ULONG category (unsigned long type). Has anyone seen ULONGLONG websites?

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements | 2 Comments »

ManagementBits update (December, 2007)

January 4th, 2008

As promised I’m posting here the first monthly summary of my Management Bits and Tips blog where I introduced the port of crash dump analysis patterns to project failure analysis patterns.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Management Bits and Tips, Software Technical Support | No Comments »

Literate Scientist

January 2nd, 2008

As a voracious reader (half of my book collection) I always wanted to share my book search results (I spend some time researching books on Amazon). Finally I opened my 3rd blog where I intend to review books written by literate scientists that I have read and which are not quite related to crash dump analysis and debugging domain:

http://www.literatescientist.com/

Happy New Year and Happy Reading in 2008 :-)

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Books | 2 Comments »

How to distinguish between 1st and 2nd chances

January 2nd, 2008

Sometimes we look for Early Crash Dump pattern but information about whether an exception was first-chance or second-chance is missing from a crash dump file name or in a crash dump itself, for example:

This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (1254.1124): Access violation - code c0000005 (first/second chance not available) TestDefaultDebugger64!CTestDefaultDebuggerDlg::OnBnClickedButton1: 00000000`00401570 c704250000000000000000 mov dword ptr [0],0 ds:00000000`00000000=????????

If we recall that first-chance exceptions don’t leave any traces on user space thread stacks (see Interrupts and Exceptions Explained, Part 6 for details) then we won’t see any exception codes on thread raw stack:

0:000> !teb TEB at 000007fffffde000 ExceptionList: 0000000000000000 StackBase: 0000000000130000 StackLimit: 000000000012b000 SubSystemTib: 0000000000000000 FiberData: 0000000000001e00 ArbitraryUserPointer: 0000000000000000 Self: 000007fffffde000 EnvironmentPointer: 0000000000000000 ClientId: 0000000000001254 . 0000000000001124 RpcHandle: 0000000000000000 Tls Storage: 000007fffffde058 PEB Address: 000007fffffd5000 LastErrorValue: 0 LastStatusValue: c0000034 Count Owned Locks: 0 HardErrorMode: 0

0:000> s -d 000000000012b000 0000000000130000 c0000005

However, we would definitely see it on raw stack in second-chance exception crash dump:

0:000> s -d 000000000012b000 0000000000130000 c0000005 00000000`0012f000 c0000005 00000000 00000000 00000000 .

Using raw stack observations we can even tell when a crash dump was saved from a debugger handling a second-chance exception or saved by some postmortem debugger afterwards. For example, on my Vista x64 I see the following difference:

raw stack from a crash dump saved from WinDbg after receiving second-chance exception:

00000000`0012e278 00000000`00000000 00000000`0012e280 00000000`00000000 00000000`0012e288 00000000`7790032c kernel32!IsDebugPortPresent+0×2c 00000000`0012e290 00000000`00000000 00000000`0012e298 00000000`00000000 00000000`0012e2a0 00000000`00000000 00000000`0012e2a8 00000000`7790032c kernel32!IsDebugPortPresent+0×2c 00000000`0012e2b0 00000001`00010000 00000000`0012e2b8 00000000`00000000 00000000`0012e2c0 00000000`00000000 00000000`0012e2c8 00000000`77b63c94 ntdll! ?? ::FNODOBFM::`string’+0xbd14 00000000`0012e2d0 00000000`00000000 00000000`0012e2d8 00000000`0012e420 00000000`0012e2e0 00000000`77b63cb0 ntdll! ?? ::FNODOBFM::`string’+0xbd30 00000000`0012e2e8 00000000`7793cf47 kernel32!UnhandledExceptionFilter+0xb7 00000000`0012e2f0 ffffffff`ffffffff 00000000`0012e2f8 00000000`00000000 00000000`0012e300 00000000`00000000 00000000`0012e308 00000000`00000000 00000000`0012e310 00000000`00318718 00000000`0012e318 00000000`7799eb89 user32!ImeWndProcWorker+0×331 00000000`0012e320 00000000`00000000 00000000`0012e328 00000000`00000000 00000000`0012e330 00000000`00000000 00000000`0012e338 00000000`004189b0 TestDefaultDebugger64!_getptd_noexit+0×80 00000000`0012e340 00000000`01fb4b90 00000000`0012e348 00000000`0012e928 00000000`0012e350 00000000`00000000 00000000`0012e358 00000000`00418a50 TestDefaultDebugger64!_getptd+0×80 00000000`0012e360 00000000`01fb4b90 00000000`0012e368 00000000`0041776d TestDefaultDebugger64!_XcptFilter+0×1d 00000000`0012e370 00000000`0012e4f0 00000000`0012e378 00000000`77aa3cfa ntdll!RtlDecodePointer+0×2a 00000000`0012e380 00000000`00436fc4 TestDefaultDebugger64!__rtc_tzz+0×1f8c 00000000`0012e388 00000000`00000001 00000000`0012e390 00000000`0012f000 00000000`0012e398 00000000`77a60000 ntdll!`string’ <PERF> (ntdll+0×0) 00000000`0012e3a0 00000000`0004c6e1 00000000`0012e3a8 00000000`00000001 00000000`0012e3b0 00000000`0012ff90 00000000`0012e3b8 00000000`77afb1b5 ntdll!RtlUserThreadStart+0×95 00000000`0012e3c0 00000000`0012e420 00000000`0012e3c8 00000000`d4b99e6f 00000000`0012e3d0 00000000`00000000 00000000`0012e3d8 00000000`00000001 00000000`0012e3e0 00000000`0012e4f0 00000000`0012e3e8 00000000`77a8ae4b ntdll!_C_specific_handler+0×8c

raw stack from a crash dump saved by CDB installed as a default postmortem debugger (WER was used to launch it):

0:000> dqs 00000000`0012e278 00000000`0012e3e8 00000000`0012e278 00000000`00000000 00000000`0012e280 00000000`00000000 00000000`0012e288 00000000`00000000 00000000`0012e290 ffffffff`ffffffff 00000000`0012e298 00000000`779257ef kernel32!WerpReportExceptionInProcessContext+0×9f 00000000`0012e2a0 00000000`00000000 00000000`0012e2a8 00000000`0012ff90 00000000`0012e2b0 00000000`0012e420 00000000`0012e2b8 00000000`0041f4dc TestDefaultDebugger64!__CxxUnhandledExceptionFilter+0×5c 00000000`0012e2c0 00000000`00000000 00000000`0012e2c8 00000000`7a8b477b 00000000`0012e2d0 00000000`00000000 00000000`0012e2d8 fffff980`01000000 00000000`0012e2e0 00000000`00000001 00000000`0012e2e8 00000000`7793d07e kernel32!UnhandledExceptionFilter+0×1ee 00000000`0012e2f0 00000000`77b63cb0 ntdll! ?? ::FNODOBFM::`string’+0xbd30 00000000`0012e2f8 000007fe`00000000 00000000`0012e300 00000000`00000000 00000000`0012e308 00000000`00000001 00000000`0012e310 00000000`00000000 00000000`0012e318 00000000`00000000 00000000`0012e320 000007ff`00000000 00000000`0012e328 00000000`00000000 00000000`0012e330 00000000`00000000 00000000`0012e338 00000000`004189b0 TestDefaultDebugger64!_getptd_noexit+0×80 00000000`0012e340 00000000`023f4b90 00000000`0012e348 00000000`77ab8cf8 ntdll!RtlpFindNextActivationContextSection+0xaa 00000000`0012e350 00000000`00000000 00000000`0012e358 00000000`00418a50 TestDefaultDebugger64!_getptd+0×80 00000000`0012e360 00000000`023f4b90 00000000`0012e368 00000000`0041776d TestDefaultDebugger64!_XcptFilter+0×1d 00000000`0012e370 00000000`0012e4f0 00000000`0012e378 00000000`77aa3cfa ntdll!RtlDecodePointer+0×2a 00000000`0012e380 00000000`00436fc4 TestDefaultDebugger64!__rtc_tzz+0×1f8c 00000000`0012e388 00000000`00000001 00000000`0012e390 00000000`0012f000 00000000`0012e398 00000000`77a60000 ntdll!`string’ <PERF> (ntdll+0×0) 00000000`0012e3a0 00000000`0004c6e1 00000000`0012e3a8 00000000`00000001 00000000`0012e3b0 00000000`0012ff90 00000000`0012e3b8 00000000`77afb1b5 ntdll!RtlUserThreadStart+0×95 00000000`0012e3c0 00000000`0012e420 00000000`0012e3c8 00000000`7a8b477b 00000000`0012e3d0 00000000`00000000 00000000`0012e3d8 00000000`00000001 00000000`0012e3e0 00000000`0012e4f0 00000000`0012e3e8 00000000`77a8ae4b ntdll!_C_specific_handler+0×8c

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Vista | 3 Comments »

Upgrade in power

December 30th, 2007

I’ve upgraded the hosting to make it more reliable especially for e-mail and notification delivery. Recently I found that people had problems contacting me through the contact form. I apologize for any inconvenience caused.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements | No Comments »

Crash Dump Analysis E-zine

December 27th, 2007

I’ve found that e-mail subscribers do not get notifications and this has been going on for almost all December. This let me think about distributing a monthly e-zine highlighting written posts and other useful and related information. Previously registered subscribers will receive the first sample e-zine issue soon. If you would like to subscribe too (or unsubscribe) you can do it at the bottom of the main blog page.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Crash Dump Analysis | No Comments »

Raw Stack Dump of all threads (part 2)

December 24th, 2007

In the previous part I used WinDbg scripting to get raw stack data from user process dump. However the script needs to be modified if the dump is complete memory dump. Here I use !for_each_thread WinDbg extension command to dump stack trace and user space raw stack data for all threads except system threads because they don’t have user space stack counterpart and their TEB address is NULL:

!for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0) {!thread @#Thread; r? $t1 = ((ntdll!_NT_TIB *)@$teb)->StackLimit; r? $t2 = ((ntdll!_NT_TIB *)@$teb)->StackBase; !teb; dps @$t1 @$t2}"

We need to open a log file. It will be huge and we might want to dump raw stack contents for specific process only. In such case we can filter the output of the script using $proc pseudo-register, the address of EPROCESS:

!for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0 & @$proc == <EPROCESS>) {!thread @#Thread; r? $t1 = ((ntdll!_NT_TIB *)@$teb)->StackLimit; r? $t2 = ((ntdll!_NT_TIB *)@$teb)->StackBase; !teb; dps @$t1 @$t2}"

For example:

1: kd>!process 0 0 ... ... ... PROCESS 8596f9c8 SessionId: 0 Cid: 0fac Peb: 7ffde000 ParentCid: 0f3c DirBase: 3fba6520 ObjectTable: d6654e28 HandleCount: 389. Image: explorer.exe … … …

1: kd> !for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0 & @$proc == 8596f9c8) {!thread @#Thread; r? $t1 = ((ntdll!_NT_TIB *)@$teb)->StackLimit; r? $t2 = ((ntdll!_NT_TIB *)@$teb)->StackBase; !teb; dps @$t1 @$t2}” Implicit thread is now 8659b208 Implicit process is now 8659b478 Loading User Symbols

Implicit thread is now 86599db0 Implicit process is now 8659b478 Loading User Symbols

... ... ... Implicit thread is now 85b32db0 Implicit process is now 8596f9c8 Loading User Symbols

THREAD 85b32db0 Cid 0fac.0fb0 Teb: 7ffdd000 Win32Thread: bc0a6be8 WAIT: (Unknown) UserMode Non-Alertable 859bda20 SynchronizationEvent Not impersonating DeviceMap d743e440 Owning Process 8596f9c8 Image: explorer.exe Wait Start TickCount 376275 Ticks: 102 (0:00:00:01.593) Context Switch Count 3509 LargeStack UserTime 00:00:00.078 KernelTime 00:00:00.203 Win32 Start Address Explorer!ModuleEntry (0x010148a4) Start Address kernel32!BaseProcessStartThunk (0x77e617f8) Stack Init ba5fe000 Current ba5fdc50 Base ba5fe000 Limit ba5f9000 Call 0 Priority 10 BasePriority 8 PriorityDecrement 0 ChildEBP RetAddr Args to Child ba5fdc68 80833465 85b32db0 85b32e58 00000000 nt!KiSwapContext+0x26 ba5fdc94 80829a62 00000000 bc0a6be8 00000000 nt!KiSwapThread+0x2e5 ba5fdcdc bf89abe3 859bda20 0000000d 00000001 nt!KeWaitForSingleObject+0x346 ba5fdd38 bf89da53 000024ff 00000000 00000001 win32k!xxxSleepThread+0x1be ba5fdd4c bf89e411 000024ff 00000000 0007fef8 win32k!xxxRealWaitMessageEx+0x12 ba5fdd5c 8088978c 0007ff08 7c8285ec badb0d00 win32k!NtUserWaitMessage+0x14 ba5fdd5c 7c8285ec 0007ff08 7c8285ec badb0d00 nt!KiFastCallEntry+0xfc (TrapFrame @ ba5fdd64) 0007feec 7739bf53 7c92addc 77e619d1 000d9298 ntdll!KiFastSystemCallRet 0007ff08 7c8fadbd 00000000 0007ff5c 0100fff1 USER32!NtUserWaitMessage+0xc 0007ff14 0100fff1 000d9298 7ffde000 0007ffc0 SHELL32!SHDesktopMessageLoop+0x24 0007ff5c 0101490c 00000000 00000000 000207fa Explorer!ExplorerWinMain+0x2c4 0007ffc0 77e6f23b 00000000 00000000 7ffde000 Explorer!ModuleEntry+0x6d 0007fff0 00000000 010148a4 00000000 78746341 kernel32!BaseProcessStart+0x23

Last set context: TEB at 7ffdd000 ExceptionList: 0007ffe0 StackBase: 00080000 StackLimit: 00072000 SubSystemTib: 00000000 FiberData: 00001e00 ArbitraryUserPointer: 00000000 Self: 7ffdd000 EnvironmentPointer: 00000000 ClientId: 00000fac . 00000fb0 RpcHandle: 00000000 Tls Storage: 00000000 PEB Address: 7ffde000 LastErrorValue: 6 LastStatusValue: c0000008 Count Owned Locks: 0 HardErrorMode: 0 00072000 ???????? 00072004 ???????? 00072008 ???????? 0007200c ???????? 00072010 ???????? 00072014 ???????? 00072018 ???????? 0007201c ???????? ... ... ... 00079ff8 ???????? 00079ffc ???????? 0007a000 00000000 0007a004 00000000 0007a008 00000000 0007a00c 00000000 0007a010 00000000 0007a014 00000000 0007a018 00000000 0007a01c 00000000 0007a020 00000000 0007a024 00000000 0007a028 00000000 0007a02c 00000000 ... ... ... 0007ff04 0007ff14 0007ff08 0007ff14 0007ff0c 7c8fadbd SHELL32!SHDesktopMessageLoop+0x24 0007ff10 00000000 0007ff14 0007ff5c 0007ff18 0100fff1 Explorer!ExplorerWinMain+0x2c4 0007ff1c 000d9298 0007ff20 7ffde000 0007ff24 0007ffc0 0007ff28 00000000 0007ff2c 0007fd28 0007ff30 0007ff50 0007ff34 7ffde000 0007ff38 7c82758b ntdll!ZwQueryInformationProcess+0xc 0007ff3c 77e6c336 kernel32!GetErrorMode+0x18 0007ff40 ffffffff 0007ff44 0000000c 0007ff48 00000000 0007ff4c 00018fb8 0007ff50 000000ec 0007ff54 00000001 0007ff58 000d9298 0007ff5c 0007ffc0 0007ff60 0101490c Explorer!ModuleEntry+0x6d 0007ff64 00000000 0007ff68 00000000 0007ff6c 000207fa 0007ff70 00000001 0007ff74 00000000 0007ff78 00000000 0007ff7c 00000044 0007ff80 0002084c 0007ff84 0002082c 0007ff88 000207fc 0007ff8c 00000000 0007ff90 00000000 0007ff94 00000000 0007ff98 00000000 0007ff9c f60e87fc 0007ffa0 00000002 0007ffa4 021a006a 0007ffa8 00000001 0007ffac 00000001 0007ffb0 00000000 0007ffb4 00000000 0007ffb8 00000000 0007ffbc 00000000 0007ffc0 0007fff0 0007ffc4 77e6f23b kernel32!BaseProcessStart+0x23 0007ffc8 00000000 0007ffcc 00000000 0007ffd0 7ffde000 0007ffd4 00000000 0007ffd8 0007ffc8 0007ffdc b9a94ce4 0007ffe0 ffffffff 0007ffe4 77e61a60 kernel32!_except_handler3 0007ffe8 77e6f248 kernel32!`string'+0x88 0007ffec 00000000 0007fff0 00000000 0007fff4 00000000 0007fff8 010148a4 Explorer!ModuleEntry 0007fffc 00000000 00080000 78746341 ... ... ...

Because complete memory dumps contain only physical memory contents some pages of raw stack data can be in page files and therefore unavailable.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Debugging, WinDbg Scripts, WinDbg Tips and Tricks | 2 Comments »

Bugchecks: CF

December 21st, 2007

Bugcheck CF name is the second longest one (doesn’t fit in this post title):

TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE (cf) Arguments: Arg1: a020b1d4, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: a020b1d4, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, Mm internal code. A driver has been incorrectly ported to Terminal Server. It is referencing session space addresses from the system process context. Probably from queueing an item to a system worker thread. The broken driver's name is displayed on the screen.

Although bugcheck explanation mentions only system process context it can also happen in an arbitrary process context. Recall that kernel space address mapping is usually considered as persistent where virtual-to-physical mapping doesn’t change between switching threads that belong to different processes. However there is so called session space in multi-user terminal services environments where different users can use different display drivers, for example:

MS RDP users - RDPDD.DLL
Citrix ICA users - VDTW30.DLL
Vista users - TSDDD.DLL
Console user - Some H/W related video driver like ATI or NVIDIA

These drivers are not committed at the same time persistently since OS boot although their module addresses might remain fixed. Therefore when a new user session is created the appropriate display driver corresponding to terminal services protocol is loaded and mapped to the so called session space starting from A0000000 (x86) or FFFFF90000000000 (x64) after win32k.sys address range (on first usage) and then committed to physical memory by proper PTE entries in process page tables. During thread switch, if the new process context belongs to a different session with a different display driver, the current display driver is decommitted by clearing its PTEs and the new driver is committed by setting its proper PTE entries.

Therefore in the system process context like worker threads virtual addresses corresponding to display driver code and data might be unknown. This can also happen in an arbitrary process context if we access the code that belongs to a display driver that doesn’t correspond to the current session protocol. This can be illustrated with the following example where TSDD can be either RDP or ICA display driver.

In the list of loaded modules we can see that ATI and TSDD drivers are loaded:

0: kd> lm start end module name ... ... ... 77d30000 77d9f000 RPCRT4 (deferred) 77e10000 77e6f000 USER32 (deferred) 77f40000 77f7c000 GDI32 (deferred) 77f80000 77ffc000 ntdll (pdb symbols) 78000000 78045000 MSVCRT (deferred) 7c2d0000 7c335000 ADVAPI32 (deferred) 7c340000 7c34f000 Secur32 (deferred) 7c570000 7c624000 KERNEL32 (deferred) 7cc30000 7cc70000 winsrv (deferred) 80062000 80076f80 hal (deferred) 80400000 805a2940 nt (pdb symbols) a0000000 a0190ce0 win32k (pdb symbols) a0191000 a01e8000 ati2drad (deferred) a01f0000 a0296000 tsdd (no symbols) b4a60000 b4a72320 naveng (deferred) b4a73000 b4b44c40 navex15 (deferred) … … …

The bugcheck happens in 3rd-partyApp process context running inside some terminal session:

PROCESS_NAME: 3rd-partyApp.exe

TRAP_FRAME: b475f84c -- (.trap 0xffffffffb475f84c) ErrCode = 00000000 eax=a020b1d4 ebx=00000000 ecx=04e0443b edx=ffffffff esi=a21b6778 edi=a201b018 eip=a020b1d4 esp=b475f8c0 ebp=b475f900 iopl=3 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00013246 TSDD+0×1b1d4: a020b1d4 ?? ???

Examining display driver virtual address shows that it is unknown (PTE is NULL):

0: kd> !pte a020b1d4 A020B1D4 - PDE at C0300A00 PTE at C028082C contains 14AB6863 contains 00000000 pfn 14ab6 –DA–KWV not valid

ATI display driver address is unknown too:

0: kd> !pte a0191000 A0191000 - PDE at C0300A00 PTE at C0280644 contains 3E301863 contains 00000000 pfn 3e301 –DA–KWV not valid

Let’s switch to another terminal session :

PROCESS 87540a60 SessionId: 45 Cid: 3954 Peb: 7ffdf000 ParentCid: 0164 DirBase: 2473d000 ObjectTable: 889b2c48 TableSize: 182. Image: csrss.exe

0: kd> .process /r /p 87540a60 Implicit process is now 87540a60 Loading User Symbols ................

Now TSDD display driver address is valid:

0: kd> !pte a020b1d4 A020B1D4 - PDE at C0300A00 PTE at C028082C contains 5D2C2863 contains 20985863 pfn 5d2c2 –DA–KWV pfn 20985 –DA–KWV

but ATI driver address is not. It is unknown and this is expected because no real display hardware is used:

0: kd> !pte a0191000 A0191000 - PDE at C0300A00 PTE at C0280644 contains 5D2C2863 contains 00000000 pfn 5d2c2 –DA–KWV not valid

Let’s switch to session 0 where display is “physical”:

PROCESS 8898a5e0 SessionId: 0 Cid: 0180 Peb: 7ffdf000 ParentCid: 0164 DirBase: 14c58000 ObjectTable: 8898b948 TableSize: 1322. Image: csrss.exe

0: kd> .process /r /p 8898a5e0 Implicit process is now 8898a5e0 Loading User Symbols ..............

TSDD driver address is unknown and this is expected too because we no longer use terminal services protocol:

0: kd> !pte a020b1d4 A020B1D4 - PDE at C0300A00 PTE at C028082C contains 14AB6863 contains 00000000 pfn 14ab6 –DA–KWV not valid

However ATI display driver addresses are not unknown (not NULL) and their 2 selected pages are either in transition or in a page file:

0: kd> !pte a0191000 A0191000 - PDE at C0300A00 PTE at C0280644 contains 14AB6863 contains 156DD882 pfn 14ab6 –DA–KWV not valid Transition: 156dd Protect: 4

0: kd> !pte a0198000 A0198000 - PDE at C0300A00 PTE at C0280660 contains 14AB6863 contains 000B9060 pfn 14ab6 –DA–KWV not valid PageFile 0 Offset b9 Protect: 3

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Bugchecks Depicted, Crash Dump Analysis | No Comments »

2007 in Retrospection (Part 1)

December 20th, 2007

I started this blog in August, 2006 and during Christmas, 2007 moved it to dumpanalysis.org registered in March, 2006. However I didn’t track any site stats until Feb, 2007 when I added Google Analytics and ShinyStat counters. I was surprised by the growing number of visits started with 2,000/month in February and exceeding 9,000/month in November. Here is the simplified daily visits curve from ShinyStat:

I’ll put more interesting analytic observations from 2007 data later on.

Wishing all visitors a Happy Christmas and New Year.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Crash Dump Analysis, DumpAnalysis.org Statistics | 3 Comments »

Crash Dump Analysis Patterns (Part 42b)

December 19th, 2007

Here is another example of Wait Chain pattern where objects are critical sections.

WinDbg can detect them if we use !analyze -v -hang command but it detects only one and not necessarily the longest or widest chain in cases with multiple wait chains:

DERIVED_WAIT_CHAIN:

Dl Eid Cid WaitType -- --- ------- -------------------------- 2 8d8.90c Critical Section --> 4 8d8.914 Critical Section --> 66 8d8.f9c Unknown

Looking at threads we see this chain and we also see that the final thread is blocked waiting for socket.

0:167> ~~[90c]kvL ChildEBP RetAddr Args to Child 00bbfd9c 7c942124 7c95970f 00000ea0 00000000 ntdll!KiFastSystemCallRet 00bbfda0 7c95970f 00000ea0 00000000 00000000 ntdll!NtWaitForSingleObject+0xc 00bbfddc 7c959620 00000000 00000004 00000000 ntdll!RtlpWaitOnCriticalSection+0x19c 00bbfdfc 6748d2f9 06018b50 00000000 00000000 ntdll!RtlEnterCriticalSection+0xa8 … … … 00bbffb8 7c82608b 00315218 00000000 00000000 msvcrt!_endthreadex+0xa3 00bbffec 00000000 77b9b4bc 00315218 00000000 kernel32!BaseThreadStart+0×34

0:167> ~~[914]kvL 100 ChildEBP RetAddr Args to Child 00dbf1cc 7c942124 7c95970f 000004b0 00000000 ntdll!KiFastSystemCallRet 00dbf1d0 7c95970f 000004b0 00000000 00000000 ntdll!NtWaitForSingleObject+0xc 00dbf20c 7c959620 00000000 00000004 0031abcc ntdll!RtlpWaitOnCriticalSection+0x19c 00dbf22c 6748d244 0031abd8 003174e0 00dbf254 ntdll!RtlEnterCriticalSection+0xa8 … … … 00dbffb8 7c82608b 00315218 00000000 00000000 msvcrt!_endthreadex+0xa3 00dbffec 00000000 77b9b4bc 00315218 00000000 kernel32!BaseThreadStart+0×34

0:167> ~~[f9c]kvL 100 ChildEBP RetAddr Args to Child 0fe2a09c 7c942124 71933a09 00000b50 00000001 ntdll!KiFastSystemCallRet 0fe2a0a0 71933a09 00000b50 00000001 0fe2a0c8 ntdll!NtWaitForSingleObject+0xc 0fe2a0dc 7194576e 00000b50 00000234 00000000 mswsock!SockWaitForSingleObject+0x19d 0fe2a154 71a12679 00000234 0fe2a1b4 00000001 mswsock!WSPRecv+0x203 0fe2a190 62985408 00000234 0fe2a1b4 00000001 WS2_32!WSARecv+0x77 0fe2a1d0 6298326b 00000234 0274ebc6 00000810 component!wait+0x338 ... ... ... 0fe2ffb8 7c82608b 060cfc70 00000000 00000000 msvcrt!_endthreadex+0xa3 0fe2ffec 00000000 77b9b4bc 060cfc70 00000000 kernel32!BaseThreadStart+0x34

If we look at all held critical sections we would see another thread that blocked +125 other threads:

0:167> !locks

CritSec +31abd8 at 0031abd8 WaiterWoken No LockCount 6 RecursionCount 1 OwningThread f9c EntryCount 0 ContentionCount 17 *** Locked

CritSec +51e4bd8 at 051e4bd8 WaiterWoken No LockCount 125 RecursionCount 1 OwningThread 830 EntryCount 0 ContentionCount 7d *** Locked

CritSec +5f40620 at 05f40620 WaiterWoken No LockCount 0 RecursionCount 1 OwningThread 920 EntryCount 0 ContentionCount 0 *** Locked

CritSec +60b6320 at 060b6320 WaiterWoken No LockCount 1 RecursionCount 1 OwningThread 8a8 EntryCount 0 ContentionCount 1 *** Locked

CritSec +6017c60 at 06017c60 WaiterWoken No LockCount 0 RecursionCount 1 OwningThread 914 EntryCount 0 ContentionCount 0 *** Locked

CritSec +6018b50 at 06018b50 WaiterWoken No LockCount 3 RecursionCount 1 OwningThread 914 EntryCount 0 ContentionCount 3 *** Locked

CritSec +6014658 at 06014658 WaiterWoken No LockCount 2 RecursionCount 1 OwningThread 928 EntryCount 0 ContentionCount 2 *** Locked

0:167> ~~[830]kvL 100 ChildEBP RetAddr Args to Child 0ff2f300 7c942124 7c95970f 000004b0 00000000 ntdll!KiFastSystemCallRet 0ff2f304 7c95970f 000004b0 00000000 00000000 ntdll!NtWaitForSingleObject+0xc 0ff2f340 7c959620 00000000 00000004 0031abcc ntdll!RtlpWaitOnCriticalSection+0x19c 0ff2f360 6748d244 0031abd8 003174e0 0ff2f388 ntdll!RtlEnterCriticalSection+0xa8 … … … 0ff2ffb8 7c82608b 060cf9a0 00000000 00000000 msvcrt!_endthreadex+0xa3 0ff2ffec 00000000 77b9b4bc 060cf9a0 00000000 kernel32!BaseThreadStart+0×34

Searching for any thread waiting for critical section 051e4bd8 gives us:

8 Id: 8d8.924 Suspend: 1 Teb: 7ffd5000 Unfrozen ChildEBP RetAddr Args to Child 011ef8e0 7c942124 7c95970f 00000770 00000000 ntdll!KiFastSystemCallRet 011ef8e4 7c95970f 00000770 00000000 00000000 ntdll!NtWaitForSingleObject+0xc 011ef920 7c959620 00000000 00000004 00000000 ntdll!RtlpWaitOnCriticalSection+0x19c 011ef940 677b209d 051e4bd8 011efa0c 057bd36c ntdll!RtlEnterCriticalSection+0xa8 … … … 011effb8 7c82608b 00315510 00000000 00000000 msvcrt!_endthreadex+0xa3 011effec 00000000 77b9b4bc 00315510 00000000 kernel32!BaseThreadStart+0×34

and we can construct yet another wait chain:

8 8d8.924 Critical Section --> 67 8d8.830 Critical Section --> 66 8d8.f9c Unknown

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, WinDbg Tips and Tricks | 9 Comments »

Management Bits and Tips blog

December 18th, 2007

To disassociate management activities and thoughts with crashes and hangs I have created a separate blog called

Management Bits and Tips

with the subtitle “Reflections on Software Engineering and Software Technical Support Management”.

Although, in the future, I reserve the right to metaphorically relate crash and hang dump analysis patterns with technical and people management.

All future posts in Management Bits and Tips category and related posts in Software Techical Support category will go there and here I will only post monthly or bi-monthly summary.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Management Bits and Tips, Software Technical Support | 2 Comments »

Crash Dump Analysis Patterns (Part 41b)

December 17th, 2007

Now Manual Dump pattern as seen from process memory dumps. It is not possible to reliably identify manual dumps here because a debugger or another process dumper might have been attached to a process noninvasively and not leaving traces of intervention so we can only rely on the following information:

Comment field

Loading Dump File [C:\kktools\userdump8.1\x64\notepad.dmp] User Mini Dump File with Full Memory: Only application data is available

Comment: 'Userdump generated complete user-mode minidump with Standalone function on COMPUTER-NAME'

Absence of exceptions

Loading Dump File [C:\UserDumps\notepad.dmp] User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: srv*c:\mss*http://msdl.microsoft.com/download/symbols Executable search path is: Windows Vista Version 6000 MP (2 procs) Free x64 Product: WinNt, suite: SingleUserTS Debug session time: Mon Dec 17 16:31:31.000 2007 (GMT+0) System Uptime: 0 days 0:45:11.148 Process Uptime: 0 days 0:00:36.000 .................... user32!ZwUserGetMessage+0xa: 00000000`76c8e6aa c3 ret 0:000> ~*kL

. 0 Id: 1b8.ed4 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen Child-SP RetAddr Call Site 00000000`0029f618 00000000`76c8e6ea user32!ZwUserGetMessage+0xa 00000000`0029f620 00000000`ff2b6eca user32!GetMessageW+0x34 00000000`0029f650 00000000`ff2bcf8b notepad!WinMain+0x176 00000000`0029f6d0 00000000`76d7cdcd notepad!IsTextUTF8+0x24f 00000000`0029f790 00000000`76ecc6e1 kernel32!BaseThreadInitThunk+0xd 00000000`0029f7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Wake debugger exception

Loading Dump File [C:\UserDumps\notepad2.dmp] User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: srv*c:\mss*http://msdl.microsoft.com/download/symbols Executable search path is: Windows Vista Version 6000 MP (2 procs) Free x64 Product: WinNt, suite: SingleUserTS Debug session time: Mon Dec 17 16:35:37.000 2007 (GMT+0) System Uptime: 0 days 0:49:13.806 Process Uptime: 0 days 0:02:54.000 .................... This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (314.1b4): Wake debugger - code 80000007 (first/second chance not available)” user32!ZwUserGetMessage+0xa: 00000000`76c8e6aa c3 ret

Break instruction exception

Loading Dump File [C:\UserDumps\notepad3.dmp] User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: srv*c:\mss*http://msdl.microsoft.com/download/symbols Executable search path is: Windows Vista Version 6000 MP (2 procs) Free x64 Product: WinNt, suite: SingleUserTS Debug session time: Mon Dec 17 16:45:15.000 2007 (GMT+0) System Uptime: 0 days 0:58:52.699 Process Uptime: 0 days 0:14:20.000 .................... This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. ntdll!DbgBreakPoint: 00000000`76ecfdf0 cc int 3 0:001> ~*kL

0 Id: 1b8.ed4 Suspend: 1 Teb: 000007ff`fffdc000 Unfrozen Child-SP RetAddr Call Site 00000000`0029f618 00000000`76c8e6ea user32!ZwUserGetMessage+0xa 00000000`0029f620 00000000`ff2b6eca user32!GetMessageW+0x34 00000000`0029f650 00000000`ff2bcf8b notepad!WinMain+0x176 00000000`0029f6d0 00000000`76d7cdcd notepad!IsTextUTF8+0x24f 00000000`0029f790 00000000`76ecc6e1 kernel32!BaseThreadInitThunk+0xd 00000000`0029f7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

# 1 Id: 1b8.ec4 Suspend: 1 Teb: 000007ff`fffda000 Unfrozen Child-SP RetAddr Call Site 00000000`030df798 00000000`76f633e8 ntdll!DbgBreakPoint 00000000`030df7a0 00000000`76d7cdcd ntdll!DbgUiRemoteBreakin+0×38 00000000`030df7d0 00000000`76ecc6e1 kernel32!BaseThreadInitThunk+0xd 00000000`030df800 00000000`00000000 ntdll!RtlUserThreadStart+0×1d

The latter might also be some assertion statement in the code leading to a process crash like in the following instance of Dynamic Memory Corruption pattern (heap corruption):

FAULTING_IP: ntdll!DbgBreakPoint+0 77f813b1 cc int 3

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff) ExceptionAddress: 77f813b1 (ntdll!DbgBreakPoint) ExceptionCode: 80000003 (Break instruction exception) ExceptionFlags: 00000000 NumberParameters: 3 Parameter[0]: 00000000 Parameter[1]: 09aef2ac Parameter[2]: 09aeeee8

STACK_TEXT: 09aef0bc 77fb76aa ntdll!DbgBreakPoint 09aef0c4 77fa65c2 ntdll!RtlpBreakPointHeap+0×26 09aef2bc 77fb5367 ntdll!RtlAllocateHeapSlowly+0×212 09aef340 77fa64f6 ntdll!RtlDebugAllocateHeap+0xcb 09aef540 77fcc9e3 ntdll!RtlAllocateHeapSlowly+0×5a 09aef720 786f3f11 ntdll!RtlAllocateHeap+0×954 09aef730 786fd10e rpcrt4!operator new+0×12 09aef748 786fc042 rpcrt4!OSF_CCONNECTION::OSF_CCONNECTION+0×174 09aef79c 786fbe0d rpcrt4!OSF_CASSOCIATION::AllocateCCall+0xfa 09aef808 786fbd53 rpcrt4!OSF_BINDING_HANDLE::AllocateCCall+0×1cd 09aef83c 786f1f2f rpcrt4!OSF_BINDING_HANDLE::GetBuffer+0×28 09aef854 786f1ee4 rpcrt4!I_RpcGetBufferWithObject+0×6e 09aef860 786f1ea4 rpcrt4!I_RpcGetBuffer+0xb 09aef86c 78754762 rpcrt4!NdrGetBuffer+0×2b 09aefab8 796d78b5 rpcrt4!NdrClientCall2+0×3f9 09aefac8 796d7821 advapi32!LsarOpenPolicy2+0×14 09aefb1c 796d8b04 advapi32!LsaOpenPolicy+0xaf 09aefb84 796d8aa9 advapi32!LookupAccountSidInternal+0×63 09aefbac 0aaf5d8b advapi32!LookupAccountSidW+0×1f WARNING: Stack unwind information not available. Following frames may be wrong. 09aeff40 0aad1665 ComponentDLL+0×35d8b 09aeff5c 3f69264c ComponentDLL+0×11665 09aeff7c 780085bc ComponentDLL+0×264c 09aeffb4 77e5438b msvcrt!_endthreadex+0xc1 09aeffec 00000000 kernel32!BaseThreadStart+0×52

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, WinDbg Tips and Tricks | 9 Comments »

Crash Dump Analysis Patterns (Part 42a)

December 14th, 2007

Wait Chain is another pattern and it is simply a sequence of causal relations between events: thread A is waiting for event E to happen that threads B, C or D are supposed to signal at some time in the future but they are all waiting for event F to happen that thread G is about to signal as soon as it finishes processing some critical task:

That subsumes various deadlock patterns too which are causal loops where thread A is waiting for event AB that thread B will signal as soon as thread A signals event BA thread B is waiting for:

In this context “Event” means any type of synchronization object, critical section, LPC/RPC reply or data arrival through some IPC channel and not only Win32 event object or kernel _KEVENT.

As the first example of Wait Chain pattern I show a process being terminated and waiting for the other thread to finish or in other words, considering thread termination as an event itself, the main process thread is waiting for the second thread object to be signaled. The second thread tries to cancel previous I/O request directed to some device. However that IRP is not cancellable and process hangs. This can be depicted on the following diagram:

where Thread A is our main thread waiting for Event A which is thread B itself waiting for I/O cancellation (Event B). Their stack traces are:

THREAD 8a3178d0 Cid 04bc.01cc Teb: 7ffdf000 Win32Thread: bc1b6e70 WAIT: (Unknown) KernelMode Non-Alertable 8af2c920 Thread Not impersonating DeviceMap e1032530 Owning Process 89ff8d88 Image: processA.exe Wait Start TickCount 80444 Ticks: 873 (0:00:00:13.640) Context Switch Count 122 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.156 Win32 Start Address 0x010148a4 Start Address 0x77e617f8 Stack Init f3f29000 Current f3f28be8 Base f3f29000 Limit f3f25000 Call 0 Priority 15 BasePriority 13 PriorityDecrement 0 ChildEBP RetAddr f3f28c00 80833465 nt!KiSwapContext+0x26 f3f28c2c 80829a62 nt!KiSwapThread+0x2e5 f3f28c74 8094c0ea nt!KeWaitForSingleObject+0x346 ; stack trace with arguments shows the first parameter as 8af2c920 f3f28d0c 8094c63f nt!PspExitThread+0×1f0 f3f28d24 8094c839 nt!PspTerminateThreadByPointer+0×4b f3f28d54 8088978c nt!NtTerminateProcess+0×125 f3f28d54 7c8285ec nt!KiFastCallEntry+0xfc

THREAD 8af2c920 Cid 04bc.079c Teb: 7ffd7000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable 8af2c998 NotificationTimer IRP List: 8ad26260: (0006,0220) Flags: 00000000 Mdl: 00000000 Not impersonating DeviceMap e1032530 Owning Process 89ff8d88 Image: processA.exe Wait Start TickCount 81312 Ticks: 5 (0:00:00:00.078) Context Switch Count 169 LargeStack UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0×77da3ea5 Start Address 0×77e617ec Stack Init f3e09000 Current f3e08bac Base f3e09000 Limit f3e05000 Call 0 Priority 13 BasePriority 13 PriorityDecrement 0 ChildEBP RetAddr f3e08bc4 80833465 nt!KiSwapContext+0×26 f3e08bf0 80828f0b nt!KiSwapThread+0×2e5 f3e08c38 808ea7a4 nt!KeDelayExecutionThread+0×2ab f3e08c68 8094c360 nt!IoCancelThreadIo+0×62 f3e08cf0 8094c569 nt!PspExitThread+0×466 f3e08cfc 8082e0b6 nt!PsExitSpecialApc+0×1d f3e08d4c 80889837 nt!KiDeliverApc+0×1ae f3e08d4c 7c8285ec nt!KiServiceExit+0×56

By inspecting IRP we can see a device it was directed to, see that it has cancel bit but doesn’t have a cancel routine:

0: kd> !irp 8ad26260 1 Irp is active with 5 stacks 4 is current (= 0x8ad2633c) No Mdl: No System Buffer: Thread 8af2c920: Irp stack trace. Flags = 00000000 ThreadListEntry.Flink = 8af2cb28 ThreadListEntry.Blink = 8af2cb28 IoStatus.Status = 00000000 IoStatus.Information = 00000000 RequestorMode = 00000001 Cancel = 01 CancelIrql = 0 ApcEnvironment = 00 UserIosb = 77ecb700 UserEvent = 00000000 Overlay.AsynchronousParameters.UserApcRoutine = 00000000 Overlay.AsynchronousParameters.UserApcContext = 00000000 Overlay.AllocationSize = 00000000 - 00000000 CancelRoutine = 00000000 UserBuffer = 77ecb720 &Tail.Overlay.DeviceQueueEntry = 8ad262a0 Tail.Overlay.Thread = 8af2c920 Tail.Overlay.AuxiliaryBuffer = 00000000 Tail.Overlay.ListEntry.Flink = 00000000 Tail.Overlay.ListEntry.Blink = 00000000 Tail.Overlay.CurrentStackLocation = 8ad2633c Tail.Overlay.OriginalFileObject = 89ff8920 Tail.Apc = 00000000 Tail.CompletionKey = 00000000 cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000 >[ c, 2] 0 1 8ab20388 89ff8920 00000000-00000000 pending \Device\DeviceA Args: 00000020 00000017 00000000 00000000 [ c, 2] 0 0 8affa4b8 89ff8920 00000000-00000000 \Device\DeviceB Args: 00000020 00000017 00000000 00000000

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | 10 Comments »

Flawless writing with Google

December 13th, 2007

Management Bits and Tips 0×1 - Many managers have flawless writing skills (bit). Use Google to check your writing (tip).

It is especially important for non-native English speakers like me. You can search simple sub-sentences and their alterations to compare search results.

For example, today I had a discussion about this sub-sentence:

“It’s main advantage is “

It gives 539 search results. However the sentence without apostrophe

“Its main advantage is “

gives 8,870 search results. Let’s check combinations with two “it”.

“It’s main advantage is it’s ” - 192
“Its main advantage is it’s ” - 0
“It’s main advantage is its ” - 299
“Its main advantage is its ” - 836

So you get the idea of what is more correct or more widely used from descriptive grammar point of view.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Management Bits and Tips, Software Technical Support | 2 Comments »

May 2026
M	T	W	T	F	S	S
« Mar
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta