Windbg Kernel Debugger shows wrong usermode stack for C++ x64 apps compiled in VS2015 and VS2017


I am not able to get the right stack for my own C++ x64 compiled apps. I tried multiple versions of Visual Studio (VS2013, VS2015, VS2017). VS2013 worked fine, stacks were correct in Windbg KD, but VS2015 and VS2017 stacks were incorrect in Windbg KD.

To reproduce this:

  1. [optional] Enable windows debugging and restart PC

    bcdedit -debug on
  2. Open Visual Studio.
  3. Create new console app project. Replace main with this:

    #include "stdafx.h"
    #include <Windows.h>
    #include <cstdio>
    class CSymbolTest
    {
    public:
        void TestSymbols(const char* param1, unsigned int param2)
        {
            printf("%s %u\n", param1, param2);
        }
    };
    int main()
    {
        CSymbolTest o;
        o.TestSymbols("Hello world is ", 0);
        return 0;
    }
  4. Compile x64/debug
  5. Run app
  6. Run Windbg (I have the latest, 10.0.17134.12) with admin rights
  7. File->Kernel Debug...->Local (local kernel debugging must be enabled - step 1)
  8. Here are the Windbg commands and output for my test app (SymbolTest.exe):

    lkd> !process 0 0 SymbolTest.exe
    PROCESS ffffc68d3f536580
        SessionId: 1  Cid: 1cc8    Peb: 2371da000  ParentCid: 2ba4
        DirBase: 264500000  ObjectTable: ffffa30237269540  HandleCount:  43.
        Image: SymbolTest.exe
    lkd> .process /P ffffc68d3f536580
    Implicit process is now ffffc68d`3f536580
    lkd> .reload /user
    Loading User Symbols
    lkd> !process ffffc68d3f536580 7
    PROCESS ffffc68d3f536580
        SessionId: 1  Cid: 1cc8    Peb: 2371da000  ParentCid: 2ba4
        DirBase: 264500000  ObjectTable: ffffa30237269540  HandleCount:  43.
        Image: SymbolTest.exe
        VadRoot ffffc68d3dbc3890 Vads 22 Clone 0 Private 118. Modified 2. Locked 0.
        DeviceMap ffffa3022c2669b0
        Token                             ffffa3023bbdc060
        ElapsedTime                       00:00:51.609
        UserTime                          00:00:00.000
        KernelTime                        00:00:00.000
        QuotaPoolUsage[PagedPool]         24064
        QuotaPoolUsage[NonPagedPool]      3256
        Working Set Sizes (now,min,max)  (712, 50, 345) (2848KB, 200KB, 1380KB)
        PeakWorkingSetSize                690
        VirtualSize                       4141 Mb
        PeakVirtualSize                   4148 Mb
        PageFaultCount                    777
        MemoryPriority                    BACKGROUND
        BasePriority                      8
        CommitCharge                      147
        Job                               ffffc68d3eb26600
            THREAD ffffc68d3f161080  Cid 1cc8.23e0  Teb: 00000002371db000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
                ffffc68d3c3cb580  ProcessObject
            Not impersonating
            DeviceMap                 ffffa3022c2669b0
            Owning Process            ffffc68d3f536580       Image:         SymbolTest.exe
            Attached Process          N/A            Image:         N/A
            Wait Start TickCount      493631         Ticks: 3333 (0:00:00:52.078)
            Context Switch Count      56             IdealProcessor: 2             
            UserTime                  00:00:00.000
            KernelTime                00:00:00.000
    *** WARNING: Unable to verify checksum for c:\users\petr.pospisil\documents\visual studio 2015\Projects\SymbolTest\x64\Debug\SymbolTest.exe
            Win32 Start Address SymbolTest!ILT+260(mainCRTStartup) (0x00007ff737361109)
            Stack Init fffff60366c81c90 Current fffff60366c816c0
            Base fffff60366c82000 Limit fffff60366c7c000 Call 0000000000000000
            Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    GetContextState failed, 0x80004001
    Unable to get current machine context, HRESULT 0x80004001
            Child-SP          RetAddr           : Args to Child                                                           : Call Site
            fffff603`66c81700 fffff802`2e2fbd76 : fffff603`00000000 ffffc68d`3f161080 fffff603`66c818d0 fffff603`00000000 : nt!KiSwapContext+0x76
            fffff603`66c81840 fffff802`2e2fb56b : ffffc68d`3ddfd0f0 00000000`00000000 00000000`00000000 fffff802`2e77194d : nt!KiSwapThread+0x2c6
            fffff603`66c81910 fffff802`2e2fac8f : 00000000`000000b4 fffff802`00000000 00007ffe`71eb8800 ffffc68d`3f1611c0 : nt!KiCommitThreadWait+0x13b
            fffff603`66c819b0 fffff802`2e7887bc : ffffc68d`3c3cb580 fffff802`00000006 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x1ff
            fffff603`66c81a90 fffff802`2e455223 : ffffc68d`3f161080 00000000`00000000 00000000`00000000 ffffc68d`3c3cb580 : nt!NtWaitForSingleObject+0xfc
            fffff603`66c81b00 00007ffe`74d8a014 : 00007ffe`71e8e0e2 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff603`66c81b00)
            00000002`372ff918 00007ffe`71e8e0e2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000002`372ffa50 : ntdll!NtWaitForSingleObject+0x14
            00000002`372ff920 00007ffe`35edf728 : 00000000`000000ac 00000002`372ffa30 00000002`00000000 00000000`000000a4 : KERNELBASE!WaitForSingleObjectEx+0xa2
            00000002`372ff9c0 00007ffe`35edef6b : 00000132`4df81d20 00000002`372ffa10 00000002`372ffb98 00000000`00000000 : ucrtbased!execute_command<char>+0x264 [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp @ 247] 
            00000002`372ffb00 00007ffe`35ee0969 : 00000000`00000000 00000132`4df81d20 00000000`00000000 00000000`00000000 : ucrtbased!common_spawnv<char>+0x233 [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp @ 328] 
            (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : ucrtbased!_spawnve+0x14 (Inline Function @ 00007ffe`35ee0969) [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp @ 405] 
            (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : ucrtbased!__crt_char_traits<char>::tspawnve+0x14 (Inline Function @ 00007ffe`35ee0969) [minkernel\crts\ucrt\inc\corecrt_internal_traits.h @ 106] 
            00000002`372ffb60 00007ff7`3736175b : 00007ff7`37369ca4 00000000`00000000 00000000`00000000 00000002`372ffcb8 : ucrtbased!common_system<char>+0x101 [minkernel\crts\ucrt\src\desktopcrt\exec\system.cpp @ 58] 
            00000002`372ffbd0 00007ff7`37369ca4 : 00000000`00000000 00000000`00000000 00000002`372ffcb8 cccccccc`cccccccc : SymbolTest!CSymbolTest::TestSymbols+0x5b [c:\users\petr.pospisil\documents\visual studio 2015\projects\symboltest\symboltest\symboltest.cpp @ 14] 
            00000002`372ffbd8 00000000`00000000 : 00000000`00000000 00000002`372ffcb8 cccccccc`cccccccc cccccccc`cccccccc : SymbolTest!`string'

As you can see, the stack ends with SymbolTest!`string', which is wrong because Windbg did not take the parameter count of SymbolTest!CSymbolTest::TestSymbols into account to get the next correct stack function.

I tried almost every configuration of the C++ compiler and linker in VS2015 to find a workaround for this. There must be something, because VS2013 pdb symbols work fine for me.

Any idea what compiler/VS option to use to work around this?

Thanks in advance.
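On x64 Windows a debugger walks user-mode frames from the RUNTIME_FUNCTION/UNWIND_INFO tables in the image's exception directory (the .pdata section), so one diagnostic for a stack that stops early is to check that the build actually carries an entry spanning the function in question. The following script is an added example, not code from the question: it parses a PE32+ image with only the Python standard library, and the embedded sample image is constructed for the check, not a real build.

```python
import struct
import sys

def runtime_functions(image):
    """Return [(BeginAddress, EndAddress, UnwindInfoAddress), ...] RVAs from the exception directory."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, opt_size = struct.unpack_from("<H", image, pe + 6)[0], struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (x64) images carry .pdata unwind tables")
    if struct.unpack_from("<I", image, opt + 108)[0] <= 3:  # NumberOfRvaAndSizes
        return []
    dir_rva, dir_size = struct.unpack_from("<II", image, opt + 112 + 3 * 8)  # IMAGE_DIRECTORY_ENTRY_EXCEPTION
    if dir_size == 0:
        return []
    sections = opt + opt_size                              # section table starts right after the optional header
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", image, sections + i * 40 + 8)
        if va <= dir_rva < va + max(vsize, rsize):
            off = dir_rva - va + raw                       # map the directory RVA to a file offset
            break
    else:
        raise ValueError("exception directory RVA is not backed by any section")
    return [struct.unpack_from("<III", image, off + k) for k in range(0, dir_size, 12)]

def covered_by_unwind_info(image, rva):
    """True when some RUNTIME_FUNCTION spans rva, i.e. the unwinder can step through code at that address."""
    return any(begin <= rva < end for begin, end, _ in runtime_functions(image))

def build_sample_pe(entries):
    """Constructed minimal PE32+ image with one .pdata section at RVA 0x3000 / file offset 0x400 (sample input only)."""
    pdata = b"".join(struct.pack("<III", *e) for e in entries)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # Magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[3] = (0x3000, len(pdata))                         # exception directory points at the .pdata section
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)  # AMD64, one section
    sect = struct.pack("<8sIIIIIIHHI", b".pdata", len(pdata), 0x3000, len(pdata), 0x400, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(0x400, b"\0") + pdata

if __name__ == "__main__":                                 # usage: python unwind_check.py SymbolTest.exe
    for begin, end, info in runtime_functions(open(sys.argv[1], "rb").read()):
        print(f"RUNTIME_FUNCTION {begin:#x}-{end:#x} unwind info at {info:#x}")
```

Run it against the x64 build and compare the listed ranges with the RVA of CSymbolTest::TestSymbols (image address minus the module base shown by lm); a function with no covering entry cannot be unwound through by any x64 stack walker.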


0 Answers