I have a WinForms application (C#) which imports some functions from a DLL.
Sometimes when running the application I get the following exception:
System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
I catch it in AppDomain.CurrentDomain.UnhandledException.
So I tried to debug it with WinDbg. I was able to catch the exception and get the following output:
!analyze -v
FAULTING_IP:
KERNEL32!SetErrorMode+14b
77e6c427 8a08 mov cl,byte ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 087deadc
Attempt to read from address 087deadc
FAULTING_THREAD: 00000b1c
PROCESS_NAME: App.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 087deadc
READ_ADDRESS: 087deadc
FOLLOWUP_IP:
KERNEL32!SetErrorMode+14b
77e6c427 8a08 mov cl,byte ptr [eax]
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xb1c (34)
Current frame:
ChildEBP RetAddr Caller,Callee
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[b1c] ; Enable Pageheap/AutoVerifer
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7a0aa797 to 77e6c427
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd
STACK_COMMAND: .ecxr ; ~~[b1c] ; .frame 0 ; ~34s ; kb
SYMBOL_NAME: ure.dll!Unloaded
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ure.dll
IMAGE_NAME: ure.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 750063
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_ure.dll!Unloaded
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_ure.dll!Unloaded
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/App_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1
Followup: MachineOwner
What does that mean? And what should I do with it?
Thanks in advance for any tips!!
It looks like ure.dll has been unloaded, and a call to NlsAnsiToUnicodeMultiByteToWideChar() referring to it is failing. You could run .symfix before !analyze -v to confirm that.
Is that the DLL you're importing? If not, you have memory corruption. Otherwise, the bug is probably in that DLL. Are you using P/Invoke to import it?
Yup, the unloaded DLL information has been corrupted. As you might guess, it's .NET's culture.dll, and Windbg is reading the 'cult' part of that as the timestamp and checksum. Try restarting and doing the following:
.symfix
sxe ud
g
and when the breakpoint hits:
kb
(That's telling Windbg to run until the DLL is unloaded, and then dump the stack)
Run for a bit to let the module unload, and execute the following command. Then let Windbg run until you get the exception, and do this command again to compare:
db ntdll!RtlpUnloadEventTrace
(That's the beginning of the unloaded module table, which is getting corrupted.)
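The following is an added example, not part of the original question or answers. It shows how the reported timestamp 750063 and module name ure.dll can both come from the string "culture.dll". It assumes the documented 32-bit RTL_UNLOAD_EVENT_TRACE layout; the entry bytes are constructed, the checksum value is derived from the answer's 'cult' remark rather than taken from the page, and all function names are hypothetical.

```python
import struct
from datetime import datetime, timezone

# Documented 32-bit RTL_UNLOAD_EVENT_TRACE layout: BaseAddress, SizeOfImage,
# Sequence, TimeDateStamp, CheckSum (DWORDs), then WCHAR ImageName[32].
ENTRY = struct.Struct("<IIIII64s")

def build_shifted_entry(name, base=0x10000000, size=0x8000, seq=1):
    """Constructed sample: the name lands 8 bytes early, over TimeDateStamp/CheckSum."""
    return struct.pack("<III", base, size, seq) + name.encode("utf-16-le").ljust(72, b"\x00")

def parse_entry(raw):
    """Read the entry the way the documented layout says the fields are laid out."""
    _base, _size, _seq, stamp, checksum, name = ENTRY.unpack(raw[:ENTRY.size])
    return {"stamp": stamp, "checksum": checksum,
            "name": name.decode("utf-16-le").split("\x00", 1)[0]}

def as_utf16_text(dword):
    """Two characters the DWORD spells as UTF-16LE, or None if not printable ASCII."""
    chars = struct.pack("<I", dword).decode("utf-16-le", errors="replace")
    return chars if all(0x20 <= ord(c) < 0x7F for c in chars) else None

def stamp_date(stamp):
    """A PE TimeDateStamp is seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).date().isoformat()

def triage(entry):
    """Flag an entry whose numeric fields are really the start of the module name."""
    parts = [as_utf16_text(entry["stamp"]), as_utf16_text(entry["checksum"])]
    if None in parts:
        return {"corrupt": False, "name": entry["name"]}
    return {"corrupt": True, "name": "".join(parts) + entry["name"]}

if __name__ == "__main__":
    entry = parse_entry(build_shifted_entry("culture.dll"))
    print(hex(entry["stamp"]), stamp_date(entry["stamp"]), entry["name"], triage(entry))
```

A timestamp that decodes to a date in early 1970 and spells printable characters is a quick sign that the field holds string data rather than a real link time.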