Mixed mode crash from worker thread pool, but no managed thread


It's a large 32-bit mixed-mode MFC 7.0 app on XP; the user says he was using a feature that is implemented in managed code. The crash is in a thread that has acquired the LoaderLock, and seems to originate from the .NET worker thread pool.

0:016> !cs -o -l
-----------------------------------------
DebugInfo          = 0x7c97e1a0
Critical section   = 0x7c97e174 (ntdll!LdrpLoaderLock+0x0)
LOCKED
LockCount          = 0x4
OwningThread       = 0x00000260
RecursionCount     = 0x1
LockSemaphore      = 0x7BC
SpinCount          = 0x00000000
OwningThread DbgId = ~16s
OwningThread Stack =
ChildEBP RetAddr  Args to Child              
0f66e400 7c90df4a 7c8648a2 00000002 0f66e57c ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0f66e404 7c8648a2 00000002 0f66e57c 00000001 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
0f66e74c 7c83ab50 0f66e774 7c839b39 0f66e77c kernel32!UnhandledExceptionFilter+0x8b9 (FPO: [Non-Fpo])
0f66e754 7c839b39 0f66e77c 00000000 0f66e77c kernel32!BaseThreadStart+0x4d (FPO: [Non-Fpo])
0f66e77c 7c9032a8 0f66e868 0f66ffdc 0f66e884 kernel32!_except_handler3+0x61 (FPO: [Uses EBP] [3,0,7])
0f66e7a0 7c90327a 0f66e868 0f66ffdc 0f66e884 ntdll!ExecuteHandler2+0x26
0f66e850 7c90e48a 00000000 0f66e884 0f66e868 ntdll!ExecuteHandler+0x24
0f66e850 79247eb4 00000000 0f66e884 0f66e868 ntdll!KiUserExceptionDispatcher+0xe (FPO: [2,0,0]) (CONTEXT @ 0f66e884)
0f66eb4c 7929a46e 0e715d80 792483ef 0e715d80 mscorwks!Thread::UnhijackThread+0xb (FPO: [0,0,0])
0f66eb54 792483ef 0e715d80 00000000 00000000 mscorwks!Thread::RareEnablePreemptiveGC+0x36 (FPO: [0,0,0])
0f66eb64 792a6ff9 06ee0000 00000000 00000000 mscorwks!Thread::RareDisablePreemptiveGC+0x5f (FPO: [0,0,0])
0f66ec10 79247e14 06ee0000 00000003 00000000 mscorwks!SystemDomain::RunDllMain+0x7d (FPO: [Non-Fpo])
0f66ee98 603d6a2c 00000001 00000003 00000000 mscorwks!ExecuteDLL+0x3c0 (FPO: [Non-Fpo])
0f66eed8 603d70a3 06ee0000 0f66eebc 00000000 mscoreei!CorDllMainWorker+0x153 (FPO: [Non-Fpo])
0f66ef14 79015012 00000000 00000003 00000000 mscoreei!_CorDllMain+0x111 (FPO: [Non-Fpo])
0f66ef30 7c90118a 06ee0000 00000003 00000000 mscoree!ShellShim__CorDllMain+0xad (FPO: [Non-Fpo])
0f66ef50 7c91397b 06ef841e 06ee0000 00000003 ntdll!LdrpCallInitRoutine+0x14
0f66efc8 7c80c136 00000000 793fa180 7c80934a ntdll!LdrShutdownThread+0xd7 (FPO: [Non-Fpo])
0f66f000 792ee8ad 00000000 00000000 792ee78a kernel32!ExitThread+0x3e (FPO: [Non-Fpo])
0f66f020 792edfcb 00000000 00000000 00000000 mscorwks!ThreadpoolMgr::WorkerThreadStart+0x123 (FPO: [Non-Fpo])

Some interesting values on the stack might be 06ee0000 and 0f66eebc. The first is the base address for myMixedModeDll, and the second:

0:016> ln 06ef841e 
(06ef841e)   myMixedModeDll!CorDllMain   |  (06ef8424)   myMixedModeDll!CDialog::CDialog
Exact matches:

The actual exception should be here:

0:000> .cxr 0f66e884;kb 
eax=000000df ebx=00000000 ecx=0e715d80 edx=000003a4 esi=0e715d80 edi=00010000
eip=79247eb4 esp=0f66eb50 ebp=0f66ec10 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
mscorwks!Thread::UnhijackThread+0xb:
79247eb4 8910            mov     dword ptr [eax],edx  ds:0023:000000df=????????
  *** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child              
0f66eb4c 7929a46e 0e715d80 792483ef 0e715d80 mscorwks!Thread::UnhijackThread+0xb
0f66eb54 792483ef 0e715d80 00000000 00000000 mscorwks!Thread::RareEnablePreemptiveGC+0x36

And yes, eax is not good:

0:000> u 79247eae 
mscorwks!Thread::UnhijackThread+0x5:
79247eae 8b5178          mov     edx,dword ptr [ecx+78h]
79247eb1 8b417c          mov     eax,dword ptr [ecx+7Ch]
79247eb4 8910            mov     dword ptr [eax],edx

Yes, ECX has been restored properly:

0:016> dd @ecx+0x78 L1
0e715df8  000003a4
0:016> dd @ecx+0x7c L1
0e715dfc  000000df

0:016> dd @ecx L0x20
0e715d80  0e6f4798 00000000 ffffffff 00000000
0e715d90  00000000 00000020 00000000 0e715da0
0e715da0  0e715da0 0e715da0 00000000 00000000
0e715db0  00000000 000000df 00000000 00000000
0e715dc0  00000000 00000000 00000000 00000000
0e715dd0  00000000 00000000 00000000 00000000
0e715de0  00000000 00000000 00000000 00000000
0e715df0  0e7093e8 00002733 000003a4 000000df

The last error value:

0:016> !gle
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.

The .NET version is 1.1.4322, and SOS claims that thread #16 is not a managed thread.

0:016> !t
ThreadCount: 10
UnstartedThread: 0
BackgroundThread: 10
PendingThread: 0
DeadThread: 0
                                  PreEmptive   GC Alloc                     Lock     
        ID  ThreadOBJ       State     GC       Context           Domain     Count APT Exception
  0  0xc8c 0x001ae598      0x4220 Enabled  0x1b7df804:0x1b7df8d8 0x001fda98     0 STA
  5  0xcd4 0x001caea0      0xb220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Finalizer)
  8  0xe28 0x0c56ac40       0x220 Enabled  0x00000000:0x00000000 0x001fda98     0 Ukn
 10  0x8a8 0x0e5f4b48    0x800220 Enabled  0x1b822518:0x1b824458 0x001fda98     0 MTA (Threadpool Completion Port)
 11  0xc18 0x0e6d6a60    0x800220 Enabled  0x1b8651cc:0x1b867008 0x001fda98     0 MTA (Threadpool Completion Port)
 12  0xa54 0x00190c28       0x220 Enabled  0x1b5247f0:0x1b52650c 0x001fda98     0 Ukn
 13  0xe9c 0x0e6627f8       0x220 Enabled  0x1b5307f0:0x1b53250c 0x001fda98     0 Ukn
 14  0xe58 0x0e6b11a0   0x1800220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Threadpool Worker)
 15  0x8dc 0x0e6d68a8       0x220 Enabled  0x00000000:0x00000000 0x001fda98     0 Ukn
 17  0xbcc 0x0e709378       0x220 Enabled  0x1b52c7f0:0x1b52e50c 0x001fda98     0 Ukn
0:016> !ClrStack
Thread 16
Not a managed thread.

How can I find out more to reveal the cause of this crash?

windbg
sos
asked on Stack Overflow Oct 11, 2012 by Kjell Gunnar • edited Oct 12, 2012 by Kjell Gunnar
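As an added illustration (not part of the question or of any answer), a small Python script that parses the `!cs -o`, `!t` and `dd` output quoted above and cross-checks what SOS reports: the loader-lock owner 0x260 does not appear in the managed thread table, the Thread object in ecx is not a known ThreadOBJ, and replaying the three instructions at UnhijackThread+0x5 against the dumped memory yields a store to address 0xdf. The excerpts are copied from the question's WinDbg session; the helper names are my own.

```python
import re

# Constructed excerpts: copied verbatim from the WinDbg output in the question.
CS_OUTPUT = "OwningThread       = 0x00000260\nOwningThread DbgId = ~16s\n"

T_OUTPUT = """\
  0  0xc8c 0x001ae598      0x4220 Enabled  0x1b7df804:0x1b7df8d8 0x001fda98     0 STA
  5  0xcd4 0x001caea0      0xb220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Finalizer)
 14  0xe58 0x0e6b11a0   0x1800220 Enabled  0x00000000:0x00000000 0x001fda98     0 MTA (Threadpool Worker)
 17  0xbcc 0x0e709378       0x220 Enabled  0x1b52c7f0:0x1b52e50c 0x001fda98     0 Ukn
"""

DD_OUTPUT = """\
0e715d80  0e6f4798 00000000 ffffffff 00000000
0e715df0  0e7093e8 00002733 000003a4 000000df
"""

# One '!t' row: DbgId, OS thread id, ThreadOBJ, State, GC, Alloc Context, Domain, Lock Count, APT/Exception
SOS_ROW = re.compile(
    r"^\s*(\d+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x[0-9a-f]+\s+\w+\s+\S+\s+0x[0-9a-f]+\s+\d+\s+(.*)$",
    re.I)

def parse_sos_threads(text):
    """Return {os_tid: (dbg_id, thread_obj, apt)} for every managed thread SOS lists."""
    threads = {}
    for line in text.splitlines():
        m = SOS_ROW.match(line)
        if m:
            threads[int(m.group(2), 16)] = (int(m.group(1)), int(m.group(3), 16), m.group(4).strip())
    return threads

def cs_owner(text):
    """OS thread id that holds the critical section, from '!cs -o' output."""
    return int(re.search(r"OwningThread\s*=\s*0x([0-9a-f]+)", text, re.I).group(1), 16)

def parse_dd(text):
    """Map address -> dword for every value in a 'dd' listing (4 dwords per line)."""
    mem = {}
    for line in text.splitlines():
        parts = line.split()
        base = int(parts[0], 16)
        for i, value in enumerate(parts[1:]):
            mem[base + 4 * i] = int(value, 16)
    return mem

def replay_unhijack(ecx, mem):
    """Replay 'mov edx,[ecx+78h]; mov eax,[ecx+7Ch]; mov [eax],edx' and return (eax, edx)."""
    return mem[ecx + 0x7C], mem[ecx + 0x78]

def managed_owner(cs_text, t_text):
    """Pair the lock owner's OS thread id with its SOS row, or None if SOS does not know it."""
    tid = cs_owner(cs_text)
    return tid, parse_sos_threads(t_text).get(tid)
```

`managed_owner` returning `(0x260, None)` is the scripted form of "Not a managed thread", and `replay_unhijack` shows the faulting write target (0xdf) comes straight from the Thread object's field at +0x7c.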

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0