Now some pictures from Citrix CDF traces.
Deep waters of The Sea of Traces:
Considering software tracing as narrative no wonder one day I discovered the vast Library of Software Logs in the sea above:
- Dmitry Vostokov @ DumpAnalysis.org -
One of the questions that is often asked is about exception addresses in application and system event logs. For example, we have this typical log entry:
"The instruction at "0x77ca8fa7" referenced memory address "0x00000000". The memory could not be read."
Suppose the dump is not available. Can we find the function address to look in our problem database?
My answer here is usually the following:
Even if the application is no longer running we can either noninvasively attach a debugger to it or get a user dump of it and later find the nearest address using ln WinDbg command (remember to apply correct symbols first, see windbg.org):
0:000> ln 77ca8fa7
(77ca8f91) msvcrt!wcscpy+0×16 | (77ca8fd6) msvcrt!wcspbrk
Usually applications crash inside functions and not at their entry addresses, so we pay attention to wcscpy function because it has the offset +0×16.
Note: on Vista and W2K8 due to ASLR, system DLLs could be at different addresses if we take the dump of or attach to a different running process instance.
- Dmitry Vostokov @ DumpAnalysis.org -
I was suddenly enlightened by the unification of software traces with memory dumps and it came to me that DATA is simply Dump Analysis + Trace Analysis. It is commutative with TADA, the sound of accomplishment (tada.wav in Windows \ Media folder).
This can’t be a coincidence, can it?
- Dmitry Vostokov @ DumpAnalysis.org -
What is a software trace from a mathematical standpoint? Before any software writes its trace data, it assembles it in memory. Therefore, generally, a software trace is a linear ordered sequence of specifically prepared memory fragments (trace statements):
(ts1, ts2, …, tsn)
where every tsi is a sequence of bits, bytes or other discrete units (see the definition of a memory dump):
(s11, s12, …, s1k, s21, s22, …, s2l, …, …, …, sn1, sn2, …, snm)
These trace statements can also be minidumps, selected regions of memory space. In the limit, if every tsi is a full memory snapshot saved at an instant of time (ti) we have a sequence of memory dumps:
(mt1, mt2, …, mtn)
Like with memory dump analysis we need symbol files to interpret saved memory fragments unless they were already interpreted during their construction. For example, traces written according ETW specification (Event Tracing for Windows), need TMF files (Trace Message Format) for their interpretation and viewing. Usually these files are generated from PDB files and therefore we have this correspondence:
memory dump file -> software trace file
PDB file -> TMF file
- Dmitry Vostokov @ TraceAnalysis.org -
Do you remember memuons1, the indivisible entities of memory? Their study is the domain of the new science called memuonics2. According to the so called memophysical principle3,we have particle interpretation of memuons. This is called classical memuonics with classical memory field theory where memuons are “quanta” of memory. We can also ”quantize” memory fields and get quantum memory field theories where memuons are created and annihilated.
(1) The notion of memuons first appeared in the philosophy of memoidealism.
(2) Please don’t confuse memuonics with memiotics. The latter is computer memory semiotics.
(3) Memophysical principle - theories of memory-based universe need to take into account the current mainstream sciences including physics.
- Dmitry Vostokov @ DumpAnalysis.org -
“A trace is a narrative, the story of a computation.”
Dmitry Vostokov, Software Tracing and Logging: Architecture, Design, Implementation and Analysis Patterns
- Dmitry Vostokov @ TraceAnalysis.org -
Found today this book while browsing Amazon:
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Intrigued, I searched for its table of contents and found the author’s site:
Looks enough comprehensive so I pre-ordered the book and plan to write a review later from windows internals and memory dump analysis perspective.
- Dmitry Vostokov @ DumpAnalysis.org -
This is a stack trace (backtrace) where all finctions are removed and only modules are left. Useful for depicting component dependencies. Here is an example:
0: kd> kc 100
nt!KiSwapContext
nt!KiSwapThread
nt!KeDelayExecutionThread
3rdPartyAVDriver
3rdPartyAVDriver
3rdPartyAVDriver
3rdPartyAVDriver
nt!IofCallDriver
DriverA!Dispatch
DriverA!KUI_dispatch
nt!IofCallDriver
DriverB!PassThrough
DriverB!Dispatch
nt!IofCallDriver
DriverC!LowerPassThrough
DriverC
DriverC
DriverC
DriverC!DispatchPassThrough
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!IoCreateFile
nt!NtOpenFile
nt!KiFastCallEntry
ntdll!KiFastSystemCallRet
ntdll!NtOpenFile
ntdll!LdrpCreateDllSection
ntdll!LdrpMapDll
ntdll!LdrpLoadDll
ntdll!LdrLoadDll
kernel32!LoadLibraryExW
kernel32!LoadLibraryW
ntdll!LdrpCallInitRoutine
ntdll!LdrpRunInitializeRoutines
ntdll!LdrpLoadDll
ntdll!LdrLoadDll
kernel32!LoadLibraryExW
kernel32!LoadLibraryW
USER32!LoadAppDlls
USER32!ClientThreadSetup
USER32!__ClientThreadSetup
ntdll!KiUserCallbackDispatcher
nt!KiCallUserMode
nt!KeUserModeCallback
win32k!xxxClientThreadSetup
win32k!xxxCreateThreadInfo
win32k!UserThreadCallout
win32k!W32pThreadCallout
nt!PsConvertToGuiThread
nt!KiBBTUnexpectedRange
Collapsed stack trace is much simpler to grasp:
nt
3rdPartyAVDriver
nt
DriverA
nt
DriverB
nt
DriverC
nt
ntdll
kernel32
ntdll
kernel32
USER32
ntdll
nt
win32k
nt
- Dmitry Vostokov @ DumpAnalysis.org -
Inspired by Penrose tensor notation encountered in The Road to Reality book and Feynman diagrams I’d like to introduce Visual Dump Objects (VDO) graphical notation to depict and communicate memory dump analysis patterns, their combinations and analysis results. Let’s look at some basic visual objects (shown in handwriting).
1. A thread:
or 
2. A function:
3. A module:
4. A thread running through functions, modules or both (stack trace). Optional arrowhead can indicate stack trace direction:
or 
or 
Threads running through modules depict collapsed stack traces.
5. A blocked thread:
An example of 3 threads blocked by another thread (an arrowhead can disambiguate the direction of the waiting chain):
6. A spiking thread (colors are encouraged in VDO notation):
or 
7. Space boundary between user land and kernel land:
Here is an example of the thread spiking in kernel space:
or with modules from stack trace:
More notation to come very soon.
- Dmitry Vostokov @ DumpAnalysis.org -
Instead of publishing another philosophical treatise ”On …”, OpenTask, iterative and incremental publisher, plans to release my collection of bugtations in somewhat extended version by the end of this summer:
On Debugging: Bugtations and Other Humorous Quotations (ISBN: 978-1906717285)
The book also includes short biographical notes, commentaries and relevant explanations. Hope you would enjoy it.
- Dmitry Vostokov @ DumpAnalysis.org -
Universal memory dumps come from astronomical observations:
Dumps “are meaningless without” symbols “to interpret them.”
Raymond Arthur Lyttleton, Quoted in Astroparticle Physics, page 50
- Dmitry Vostokov @ DumpAnalysis.org -
“Oh, he is a good” troubleshooter, “but he has no power of” debugging!”
Charles Darwin, The life and letters of Charles Darwin, Volume 1
- Dmitry Vostokov @ DumpAnalysis.org -
Comparative analysis is based on saving several consecutive memory dump files to see similarities and differences. Most often this technique is used for memory leaks, for example, process heap leaks. Here we see another example related to CPU spikes.
One application was spiking CPU and its user dump file was saved manually. !runaway WinDbg command showed the following distribution of kernel and user thread times:
0:000> !runaway f
User Mode Time
Thread Time
14:f48 0 days 1:22:34.343
15:f4c 0 days 0:00:45.671
17:f54 0 days 0:00:41.359
18:f58 0 days 0:00:33.468
16:f50 0 days 0:00:24.171
12:f40 0 days 0:00:17.531
13:f44 0 days 0:00:07.109
0:f10 0 days 0:00:00.500
[…]
Kernel Mode Time
Thread Time
15:f4c 0 days 0:00:51.046
17:f54 0 days 0:00:41.125
18:f58 0 days 0:00:32.765
16:f50 0 days 0:00:23.500
12:f40 0 days 0:00:18.671
13:f44 0 days 0:00:07.453
14:f48 0 days 0:00:02.031
1:f14 0 days 0:00:00.343
[…]
Elapsed Time
Thread Time
1:f14 0 days 12:01:42.656
0:f10 0 days 12:01:42.656
24:f70 0 days 12:01:42.093
23:f6c 0 days 12:01:42.093
22:f68 0 days 12:01:42.093
21:f64 0 days 12:01:42.093
20:f60 0 days 12:01:42.093
19:f5c 0 days 12:01:42.093
18:f58 0 days 12:01:42.093
17:f54 0 days 12:01:42.093
16:f50 0 days 12:01:42.093
15:f4c 0 days 12:01:42.093
14:f48 0 days 12:01:42.093
13:f44 0 days 12:01:42.093
[…]
We see that thread #14 spent 1 hour and 22 minutes in user space and only 2 seconds in kernel space. Its thread stack showed DllA and DllB modules:
0:000> ~14s
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DllA.dll -
eax=00010da2 ebx=09227bdc ecx=09236bcc edx=0000003a esi=006769e4 edi=00000335
eip=6120b231 esp=00fefd04 ebp=00fefd2c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
DllA!foo+0×3549:
6120b231 8b45ec mov eax,dword ptr [ebp-14h] ss:0023:00fefd18=09251a30
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00fefd2c 6120be31 00000063 8633cdb9 006769e4 DllA!foo+0×3549
00fefd64 6120c6db 00fefe00 00006f07 0353f594 DllA!foo+0×4149
00fefdbc 6120d517 00fefe00 00fefde8 8633cd25 DllA!foo+0×49f3
00fefdf8 6120db4d 0353f594 09251848 00000000 DllA!foo+0×582f
00fefe14 6120f280 006769a0 00000000 0000020c DllA!foo+0×5e65
00fefe84 00933436 0000020c 0353f5ac 00000001 DllA!foo+0×7598
00fefec0 008414f1 0353f580 034db5d0 00000003 DllB!read+0xc6
[…]
00feffb8 77e64829 0078f290 00000000 00000000 msvcr71!_endthreadex+0xa0
00feffec 00000000 7c3494f6 0078f290 00000000 kernel32!BaseThreadStart+0×34
These modules belong to different vendors and the code could loop in DllB or in one of DllA functions. In order to show statistically which module is more suspect than the other, we requested 3 consecutive memory dumps of the same spiking process. They revealed the similar uniform pattern:
0:000> !runaway f
User Mode Time
Thread Time
16:e5c 0 days 1:37:24.640
0:e1c 0 days 0:00:00.640
17:e60 0 days 0:00:00.453
18:e64 0 days 0:00:00.328
15:e58 0 days 0:00:00.265
14:e54 0 days 0:00:00.203
[…]
Kernel Mode Time
Thread Time
16:e5c 0 days 0:00:00.687
15:e58 0 days 0:00:00.421
17:e60 0 days 0:00:00.375
14:e54 0 days 0:00:00.265
18:e64 0 days 0:00:00.250
0:e1c 0 days 0:00:00.046
[…]
Elapsed Time
Thread Time
1:e20 0 days 4:41:11.562
0:e1c 0 days 4:41:11.562
18:e64 0 days 4:41:10.875
17:e60 0 days 4:41:10.875
16:e5c 0 days 4:41:10.875
15:e58 0 days 4:41:10.875
14:e54 0 days 4:41:10.875
13:e50 0 days 4:41:10.875
12:e4c 0 days 4:41:10.875
11:e48 0 days 4:41:10.875
10:e44 0 days 4:41:10.875
9:e40 0 days 4:41:10.875
8:e3c 0 days 4:41:10.875
7:e38 0 days 4:41:10.875
6:e34 0 days 4:41:10.875
5:e30 0 days 4:41:10.875
4:e2c 0 days 4:41:10.875
3:e28 0 days 4:41:10.875
2:e24 0 days 4:41:10.875
[…]
1st dump file: Process Uptime: 0 days 4:41:12.000
0:000> ~16r
eax=07abbb6c ebx=07ab45d4 ecx=07ab4604 edx=00679344 esi=006769e4 edi=00000035
eip=6120b23e esp=0106fd30 ebp=0106fd58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
DllA!foo+0×3556:
6120b23e 8bcb mov ecx,ebx
0:000> ~16kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0106fd58 6120be31 0000000b 47d6689c 006769e4 DllA!foo+0×3556
0106fd90 6120c6db 0106fe2c 00007329 0342d14c DllA!foo+0×4149
0106fde8 6120d517 0106fe2c 0106fe14 47d66b28 DllA!foo+0×49f3
0106fe24 6120db4d 0342d14c 07abb960 00000000 DllA!foo+0×582f
0106fe40 6120f280 006769a0 00000000 000001d8 DllA!foo+0×5e65
0106feb0 00933436 000001d8 0342d164 00000001 DllA!foo+0×7598
0106feec 008414f1 0342d138 00000000 0340b290 DllB!read+0xc6
[…]
0106ffb8 77e64829 00784be0 00000000 00000000 msvcr71!_endthreadex+0xa0
0106ffec 00000000 7c3494f6 00784be0 00000000 kernel32!BaseThreadStart+0×34
2nd dump file: Process Uptime: 0 days 4:41:42.000
0:000> ~16r
eax=0002550b ebx=00679344 ecx=07ab45d4 edx=00000009 esi=006769e4 edi=00000035
eip=6120b231 esp=0106fd30 ebp=0106fd58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DllA.dll -
DllA!foo+0×3549:
6120b231 8b45ec mov eax,dword ptr [ebp-14h] ss:0023:0106fd44=07abbb48
0:000> ~16kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0106fd58 6120be31 0000000b 47d6689c 006769e4 DllA!foo+0×3549
0106fd90 6120c6db 0106fe2c 00007329 0342d14c DllA!foo+0×4149
0106fde8 6120d517 0106fe2c 0106fe14 47d66b28 DllA!foo+0×49f3
0106fe24 6120db4d 0342d14c 07abb960 00000000 DllA!foo+0×582f
0106fe40 6120f280 006769a0 00000000 000001d8 DllA!foo+0×5e65
0106feb0 00933436 000001d8 0342d164 00000001 DllA!foo+0×7598
0106feec 008414f1 0342d138 00000000 0340b290 DllB!read+0xc6
[…]
0106ffb8 77e64829 00784be0 00000000 00000000 msvcr71!_endthreadex+0xa0
0106ffec 00000000 7c3494f6 00784be0 00000000 kernel32!BaseThreadStart+0×34
3rd dump file: Process Uptime: 0 days 4:41:59.000
0:000> ~16r
eax=07abbb6c ebx=07ab4604 ecx=07ab45d4 edx=07ab4604 esi=006769e4 edi=00000035
eip=6120b239 esp=0106fd30 ebp=0106fd58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
DllA!foo+0×3551:
6120b239 895108 mov dword ptr [ecx+8],edx ds:0023:07ab45dc=07ab4604
0:000> ~16kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0106fd58 6120be31 0000000b 47d6689c 006769e4 DllA!foo+0×3551
0106fd90 6120c6db 0106fe2c 00007329 0342d14c DllA!foo+0×4149
0106fde8 6120d517 0106fe2c 0106fe14 47d66b28 DllA!foo+0×49f3
0106fe24 6120db4d 0342d14c 07abb960 00000000 DllA!foo+0×582f
0106fe40 6120f280 006769a0 00000000 000001d8 DllA!foo+0×5e65
0106feb0 00933436 000001d8 0342d164 00000001 DllA!foo+0×7598
0106feec 008414f1 0342d138 00000000 0340b290 DllB!read+0xc6
[…]
0106ffb8 77e64829 00784be0 00000000 00000000 msvcr71!_endthreadex+0xa0
0106ffec 00000000 7c3494f6 00784be0 00000000 kernel32!BaseThreadStart+0×34
We see exactly the same stack trace except the first (top) frame. The offset differs very little: +0×3556, +0×3549 (twice) and +0×3551. We can suspect the small loop here:
0:000> ub
DllA!foo+0x3549:
6120b231 8b45ec mov eax,dword ptr [ebp-14h]
6120b234 8d0490 lea eax,[eax+edx*4]
6120b237 8b10 mov edx,dword ptr [eax]
6120b239 895108 mov dword ptr [ecx+8],edx
6120b23c 8908 mov dword ptr [eax],ecx
6120b23e 8bcb mov ecx,ebx
6120b240 85db test ebx,ebx
6120b242 75e3 jne DllA!foo+0x353f (6120b227)
0:000> ub 6120b231
DllA!foo+0x3535:
6120b21d 8b4d08 mov ecx,dword ptr [ebp+8]
6120b220 8b0c88 mov ecx,dword ptr [eax+ecx*4]
6120b223 3bcb cmp ecx,ebx
6120b225 741d je DllA!foo+0x355c (6120b244)
6120b227 8b5908 mov ebx,dword ptr [ecx+8]
6120b22a 8b410c mov eax,dword ptr [ecx+0Ch]
6120b22d 33d2 xor edx,edx
6120b22f f7f7 div eax,edi
0:000> u
DllA!foo+0x3549:
6120b231 8b45ec mov eax,dword ptr [ebp-14h]
6120b234 8d0490 lea eax,[eax+edx*4]
6120b237 8b10 mov edx,dword ptr [eax]
6120b239 895108 mov dword ptr [ecx+8],edx
6120b23c 8908 mov dword ptr [eax],ecx
6120b23e 8bcb mov ecx,ebx
6120b240 85db test ebx,ebx
6120b242 75e3 jne DllA!foo+0x353f (6120b227)
0:000> u 6120b242
DllA!foo+0x355a:
6120b242 75e3 jne DllA!foo+0x353f (6120b227)
6120b244 ff4508 inc dword ptr [ebp+8]
6120b247 8b4508 mov eax,dword ptr [ebp+8]
6120b24a 3b4608 cmp eax,dword ptr [esi+8]
6120b24d 72cc jb DllA!foo+0x3533 (6120b21b)
6120b24f ff36 push dword ptr [esi]
6120b251 e88dc70000 call DllA!foo+0xfcfb (612179e3)
6120b256 59 pop ecx
All this strongly rules out DllB and points to DllA as the first vendor contact.
- Dmitry Vostokov @ DumpAnalysis.org -
This is a computational ghost that comes from CPU spiking tops and hills to bring sickness to small programs. Red color from RGB triplets provides early warning signs.
Inspired by non-computational Acheri.
PS. This category of computational ghosts and bug hauntings was also inspired by an e-mail conversation between two software engineers that I witnessed some years ago when one told another: “Is this your fix that is still haunting us?”. If you have ever visited heated code review debates you can imagine the provoked response.
- Dmitry Vostokov @ DumpAnalysis.org -
Here are some artistic images found in process memory dumps of VLC media player and IE. The latter was freezing after memory leaking, the size of its memory dump file is more than 1.5Gb.
Needle (VLC)
The tip of the same Needle magnified by x8:
The Image of Heap (from IE):
Red Zones (from IE):
- Dmitry Vostokov @ DumpAnalysis.org -
This is a forthcoming book to be released next year after we finally publish DebugWare book by the end of this summer:
Software Tracing and Logging: Architecture, Design, Implementation and Analysis Patterns (ISBN: 978-1906717728)
I have already begun working on it in the background. The scope of DebugWare book is too wide to cover tracing and logging in great detail not to mention the very important subject of software trace analysis.
- Dmitry Vostokov @ TraceAnalysis.org -
Last weekend I came across this book in a local bookshop:
I immediately recalled all beautiful patterns I have seen and collected from visualized computer memory maps. I plan to include many images in a full-color book this summer:
Patterns of Computer Memory (ISBN: 978-1906717711)
This book should be essential for creative computer engineers and inquiring debugging minds!
- Dmitry Vostokov @ DumpAnalysis.org -
This post number is 1,000. Wordpress admin panel reports that I have written 999 (excluding this one):
Of course, I wrote my 1,000th blog post some time ago if I count all my 7 blogs but this is 1,000th post for just this blog.
To celebrate this event, I’m posting a picture of troubleshooting and debugging labyrinth resting on a notion of universal memory dumps that are observational snapshots and include both memory and various traces we collect to resolve problems.
This picture shows how we arrive to problem resolution. For example:
I’m also working on another picture, called T&D Tangram 
- Dmitry Vostokov @ DumpAnalysis.org -
Sometimes the assembly code looks almost wild (not like generated by your favourite compiler). For example (that also shows .NET runtime native unhandled exception processing):
0:000> kL 100
ChildEBP RetAddr
0014dbb4 77189254 ntdll!KiFastSystemCallRet
0014dbb8 75fec244 ntdll!ZwWaitForSingleObject+0xc
0014dc28 75fec1b2 kernel32!WaitForSingleObjectEx+0xbe
0014dc3c 72605389 kernel32!WaitForSingleObject+0x12
0014dc6c 726058e7 mscorwks!ClrWaitForSingleObject+0x24
0014e128 72608084 mscorwks!RunWatson+0x1df
0014e86c 7260874a mscorwks!DoFaultReportWorker+0xb59
0014e8a8 72657452 mscorwks!DoFaultReport+0xc3
0014e8cc 7265c0c7 mscorwks!WatsonLastChance+0x3f
0014e924 7265c173 mscorwks!CLRAddVectoredHandlers+0x209
0014e92c 7603f4be mscorwks!InternalUnhandledExceptionFilter+0x22
0014e9e8 771a85b7 kernel32!UnhandledExceptionFilter+0×127
0014e9f0 77139a14 ntdll!__RtlUserThreadStart+0×6f
0014ea04 771340f4 ntdll!_EH4_CallFilterFunc+0×12
0014ea2c 77189b99 ntdll!_except_handler4+0×8e
0014ea50 77189b6b ntdll!ExecuteHandler2+0×26
0014eb00 771899f7 ntdll!ExecuteHandler+0×24
0014eb00 03ca0141 ntdll!KiUserExceptionDispatcher+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
0014ee28 634c2f42 0×3ca0141
0014ee34 67715e44 System_ni+0×132f42
0014ee70 72431b4c System_ServiceProcess_ni+0×25e44
0014ee80 724421f9 mscorwks!CallDescrWorker+0×33
0014ef00 72456571 mscorwks!CallDescrWorkerWithHandler+0xa3
0014f03c 724565a4 mscorwks!MethodDesc::CallDescr+0×19c
0014f058 724565c2 mscorwks!MethodDesc::CallTargetWorker+0×1f
0014f070 724afac5 mscorwks!MethodDescCallSite::CallWithValueTypes+0×1a
0014f1d4 724af9e5 mscorwks!ClassLoader::RunMain+0×223
0014f43c 724aff35 mscorwks!Assembly::ExecuteMainMethod+0xa6
0014f90c 724b011f mscorwks!SystemDomain::ExecuteMainMethod+0×456
0014f95c 724b004f mscorwks!ExecuteEXE+0×59
0014f9a4 72f57c24 mscorwks!_CorExeMain+0×15c
0014f9b4 75fe4911 mscoree!_CorExeMain+0×2c
0014f9c0 7716e4b6 kernel32!BaseThreadInitThunk+0xe
0014fa00 7716e489 ntdll!__RtlUserThreadStart+0×23
0014fa18 00000000 ntdll!_RtlUserThreadStart+0×1b
We set exception context:
0:000> kv 100
ChildEBP RetAddr Args to Child
[...]
0014e9e8 771a85b7 0014ea18 77139a14 00000000 kernel32!UnhandledExceptionFilter+0×127 (FPO: [SEH])
[…]
0:000> .exptr 0014ea18
----- Exception record at 0014eb18:
ExceptionAddress: 03ca0141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
----- Context record at 0014eb34:
eax=00000001 ebx=08394ff8 ecx=00000000 edx=00000001 esi=056a2a94 edi=00000000
eip=03ca0141 esp=0014ee00 ebp=0014ee28 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
03ca0141 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
Then we disassemble the code at crash point and it looks strange including calls through DS data segment:
0:000> .asm no_code_bytes
Assembly options: no_code_bytes
0:000> u 03ca0141
03ca0141 cmp dword ptr [ecx],ecx
03ca0143 call dword ptr ds:[36067C0h]
03ca0149 mov ecx,dword ptr [esi+5Ch]
03ca014c cmp dword ptr [ecx],ecx
03ca014e call dword ptr ds:[3606D10h]
03ca0154 mov dword ptr [ebp-1Ch],0
03ca015b mov dword ptr [ebp-18h],0FCh
03ca0162 push 3CA0180h
However further disassembly finally reaches RET instruction:
0:000> u
03ca0167 jmp 03ca0169
03ca0169 movzx edx,byte ptr [ebp-24h]
03ca016d mov ecx,dword ptr [ebp-28h]
03ca0170 call System_ServiceProcess_ni+0x25140 (67715140)
03ca0175 pop eax
03ca0176 jmp eax
03ca0178 lea esp,[ebp-0Ch]
03ca017b pop ebx
0:000> u
03ca017c pop esi
03ca017d pop edi
03ca017e pop ebp
03ca017f ret
03ca0180 mov dword ptr [ebp-18h],0
03ca0187 jmp 03ca0178
03ca0189 add byte ptr [eax],al
03ca018b add byte ptr [eax],al
and backward disassembling shows the matching function prolog code:
0:000> ub 03ca0141
03ca0127 movzx eax,byte ptr [ebp-24h]
03ca012b test eax,eax
03ca012d je 03ca0154
03ca012f cmp dword ptr [esi+60h],0
03ca0133 je 03ca013e
03ca0135 mov ecx,dword ptr [esi+60h]
03ca0138 call dword ptr ds:[3C20010h]
03ca013e mov ecx,dword ptr [esi+58h]
0:000> ub 03ca0127
03ca0114 push esi
03ca0115 push ebx
03ca0116 sub esp,1Ch
03ca0119 xor eax,eax
03ca011b mov dword ptr [ebp-18h],eax
03ca011e mov dword ptr [ebp-28h],ecx
03ca0121 mov dword ptr [ebp-24h],edx
03ca0124 mov esi,dword ptr [ebp-28h]
0:000> ub 03ca0114
03ca0102 retf
03ca0103 add eax,dword ptr [eax+36h]
03ca0106 retf
03ca0107 add ebx,dword ptr [esi+esi-35h]
03ca010b add esi,esp
03ca010d cmp eax,8B550360h
03ca0112 in al,dx
03ca0113 push edi
From stack trace I suspected this code as JIT-compiled .NET code of the the main assemebly method. And indeed I found the similar call signatures like mine
03ca0141 cmp dword ptr [ecx],ecx
03ca0143 call dword ptr ds:[36067C0h]
in the following MSDN article:
Drill Into .NET Framework Internals to See How the CLR Creates Runtime Objects
Hence the name of this pattern: JIT Code.
- Dmitry Vostokov @ DumpAnalysis.org -
OpenTask, iterative and incremental publisher, plans to release a guide for general computer users explaining crashes and hangs on personal computers ranging from mobile phones, netbooks and laptops to desktops and servers:
My Computer Crashes and Freezes: A Non-technical Guide to Software and Hardware Errors (ISBN: 978-19067171704)
- Dmitry Vostokov @ DumpAnalysis.org -
