Analyzing Crash in WinDbg

2

I have a .NET application that is crashing sometimes on exit. There's a bunch of COM and native stuff underneath the hood, too. It's an x86 application running on Windows 7 x64.

I've run through some WinDbg tutorials and I think I'm executing reasonable steps to get helpful information, but the stack trace itself isn't ringing any bells.

A few other tidbits:

  • I can reproduce this pretty consistently, say 75% of the time
  • If I clean up the threading (a lot of Thread.Abort()), it's reproducible maybe 20% of the time
  • Running the same procedure, I've seen a completely different stack trace than the one below, too

I'm using the 32-bit WinDbg. Here's the general process I've been using:

  • open the executable directly from WinDbg
  • set symbol path as: SRV*c:\sym*http://msdl.microsoft.com/download/symbols
  • type: .loadby sos clr
  • use the application, and get it to crash

Right after the crash, I get output:

(a38.1424): CLR exception - code e0434352 (first chance)
(a38.1424): CLR exception - code e0434352 (first chance)
(a38.1fd0): Unknown exception - code c000000d (first chance)
(a38.1fd0): Unknown exception - code c000000d (!!! second chance !!!)
eax=00000000 ebx=004dea1c ecx=7efdd000 edx=00000057 esi=7264d0c0 edi=07f2a248
eip=778715de esp=004dea08 ebp=004def50 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwRaiseException+0x12:
778715de 83c404          add     esp,4

If I type in ~ I only get one thread: . 0 Id: a38.1fd0 Suspend: 1 Teb: 7efdd000 Unfrozen

Now, if I type in !analyze -v I get a big stack trace:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
[ a bunch of symbol stuff loading here ]

FAULTING_IP: 
ntdll!TpReleaseCleanupGroupMembers+276
778e4f52 a1b4009577      mov     eax,dword ptr [ntdll!TppLogpRoutine (779500b4)]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 778e4f52 (ntdll!TpReleaseCleanupGroupMembers+0x00000276)
   ExceptionCode: c000000d
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00001fd0

PROCESS_NAME:  XXXXX.exe

ERROR_CODE: (NTSTATUS) 0xc000000d - An invalid parameter was passed to a service or function.

EXCEPTION_CODE: (NTSTATUS) 0xc000000d - An invalid parameter was passed to a service or function.

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  004dea6c -- (.cxr 0x4dea6c)
eax=004deee0 ebx=00000001 ecx=7efdd000 edx=00000057 esi=7264d0c0 edi=07f2a248
eip=778e4f52 esp=004deed0 ebp=004def50 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000297
ntdll!TpReleaseCleanupGroupMembers+0x276:
778e4f52 a1b4009577      mov     eax,dword ptr [ntdll!TppLogpRoutine (779500b4)] ds:002b:779500b4=00000000
Resetting default scope

STACK_ADDR_RAW_STACK_SYMBOL: 4deb4c

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[ffffffff]

LAST_CONTROL_TRANSFER:  from 00000000 to 77883c04

DEFAULT_BUCKET_ID:  STATUS_INVALID_PARAMETER

PRIMARY_PROBLEM_CLASS:  STATUS_INVALID_PARAMETER

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_INVALID_PARAMETER

STACK_TEXT:  
778e4f52 ntdll!TpReleaseCleanupGroupMembers+0x276
72630d69 AUDIOSES!DllCanUnloadNow+0x42
7565b5f4 ole32!CClassCache::CDllPathEntry::CanUnload_rl+0x3b
7565b771 ole32!CClassCache::FreeUnused+0x83
7565b68f ole32!CoFreeUnusedLibrariesEx+0x36
756a0ccb ole32!CoFreeUnusedLibraries+0x9
15e2f549 GxMetadata+0xf549
15e45e3d GxMetadata!DllCanUnloadNow+0x1686d
77889950 ntdll!LdrpCallInitRoutine+0x14
7789d6b2 ntdll!LdrShutdownProcess+0x1aa
7789d554 ntdll!RtlExitUserProcess+0x74
754279f4 KERNEL32!ExitProcessStub+0x12
720642f0 mscoreei!RuntimeDesc::ShutdownAllActiveRuntimes+0x29c
72064321 mscoreei!CLRRuntimeHostInternalImpl::ShutdownAllRuntimesThenExit+0x15
5ea18580 clr!EEPolicy::ExitProcessViaShim+0x66
5ea1862f clr!SafeExitProcess+0x122
5e9638a9 clr!DisableRuntime+0x120
5e963905 clr!EEPolicy::HandleExitProcess+0x5c
5e9b8af8 clr!_CorExeMainInternal+0xdd
5e9b3a30 clr!_CorExeMain+0x4e
720555ab mscoreei!_CorExeMain+0x38
72f67f16 MSCOREE!ShellShim__CorExeMain+0x99
72f64de3 MSCOREE!_CorExeMain_Exported+0x8
7542339a KERNEL32!BaseThreadInitThunk+0xe
77889ef2 ntdll!__RtlUserThreadStart+0x70
77889ec5 ntdll!_RtlUserThreadStart+0x1b


FOLLOWUP_IP: 
AUDIOSES!DllCanUnloadNow+42
72630d69 ff3514d06472    push    dword ptr [AUDIOSES!_AudioClientThreadpoolCleanupGroup (7264d014)]

EDIT 1: (additional info)

!clrstack

OS Thread Id: 0x1fd0 (0)
Child SP IP       Call Site
GetFrameContext failed: 1

!threads

ThreadCount:      7
UnstartedThread:  0
BackgroundThread: 4
PendingThread:    0
DeadThread:       3
Hosted Runtime:   no
                                   PreEmptive   GC Alloc                Lock
       ID  OSID ThreadOBJ    State GC           Context       Domain   Count APT Exception
   0    1  1fd0 005afe88     16220 Enabled  03051294:03051e6c 00578550     0 STA
XXXX    2   e5c 005801d0      b220 Enabled  0305a22c:0305be6c 00578550     0 MTA (Finalizer)
XXXX    3       00641258     19820 Enabled  00000000:00000000 00578550     0 Ukn
XXXX    4       06e4b800    819820 Enabled  00000000:00000000 00578550     0 Ukn
XXXX    5  18a0 081be620   200b220 Enabled  00000000:00000000 00578550     1 MTA
XXXX    8       081d5e18    819820 Enabled  00000000:00000000 00578550     0 Ukn
XXXX    7   158 07ed78d8       220 Enabled  00000000:00000000 00578550     0 Ukn
c++
.net
windbg
asked on Stack Overflow Aug 28, 2012 by jglouie • edited Aug 28, 2012 by jglouie

1 Answer

5

Looks like the ntdll!TpReleaseCleanupGroupMembers (the same as kernel32!CloseThreadpoolCleanupGroupMembers - you can look it up on MSDN) function (from the top of the fault stack) does not like to be called when the process is being shut down - it throws the exception you're seeing (invalid parameter) in this case.

From the presence of two more libs on the stack (audioses and gxmetadata) I'd guess some objects are destroyed/released way too late. audioses.dll seems to be the Core Audio API library, not sure about the gxmetadata.dll - can you explain the use of these?

answered on Stack Overflow Aug 29, 2012 by deemok
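
The reading of the stack given in the answer can be automated for crash triage. The following is an added example, not part of the original question or answer: it parses a `STACK_TEXT` block from `!analyze -v`, keeps the frames that ran on top of `ntdll!LdrShutdownProcess` (that is, during process exit), and lists the non-OS modules found there. The set of modules treated as OS plumbing and the offset threshold for distrusting a symbol name are assumptions of this sketch.

```python
import re

# Constructed sample: frames copied from the question's STACK_TEXT, innermost first.
STACK_TEXT = """\
778e4f52 ntdll!TpReleaseCleanupGroupMembers+0x276
72630d69 AUDIOSES!DllCanUnloadNow+0x42
7565b5f4 ole32!CClassCache::CDllPathEntry::CanUnload_rl+0x3b
7565b771 ole32!CClassCache::FreeUnused+0x83
7565b68f ole32!CoFreeUnusedLibrariesEx+0x36
756a0ccb ole32!CoFreeUnusedLibraries+0x9
15e2f549 GxMetadata+0xf549
15e45e3d GxMetadata!DllCanUnloadNow+0x1686d
77889950 ntdll!LdrpCallInitRoutine+0x14
7789d6b2 ntdll!LdrShutdownProcess+0x1aa
7789d554 ntdll!RtlExitUserProcess+0x74
"""

FRAME = re.compile(r"^[0-9a-fA-F]{8}\s+([^!+\s]+)(?:!([^+\s]+))?(?:\+0x([0-9a-fA-F]+))?\s*$")
OS_PLUMBING = {"ntdll", "ole32"}   # assumption: OS modules, not suspects themselves
EXPORT_ONLY_OFFSET = 0x1000        # assumption: beyond this, the name is just the nearest export

def parse_frames(text):
    """Return (module, symbol or None, offset) for each frame line, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((m.group(1), m.group(2), int(m.group(3) or "0", 16)))
    return frames

def frames_inside_shutdown(frames):
    """Frames called beneath ntdll!LdrShutdownProcess, i.e. code running at process exit."""
    for i, (mod, sym, _) in enumerate(frames):
        if mod.lower() == "ntdll" and sym == "LdrShutdownProcess":
            return frames[:i]
    return []

def triage(text):
    suspects, unreliable = [], []
    for mod, sym, off in frames_inside_shutdown(parse_frames(text)):
        if mod.lower() not in OS_PLUMBING and mod not in suspects:
            suspects.append(mod)
        if sym is None or off >= EXPORT_ONLY_OFFSET:
            unreliable.append(f"{mod}!{sym}+0x{off:x}" if sym else f"{mod}+0x{off:x}")
    # The outermost suspect is the module the loader called into during shutdown.
    return {"suspects": suspects, "entered_via": suspects[-1] if suspects else None,
            "unreliable_symbols": unreliable}

if __name__ == "__main__":
    print(triage(STACK_TEXT))
```

On the question's stack this names AUDIOSES and GxMetadata, with GxMetadata as the module the loader entered, and flags both GxMetadata frames as having no trustworthy symbol (no private symbols were loaded for it).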

User contributions licensed under CC BY-SA 3.0