I have a Winform application (C#) which imports some functions from dll.
Sometimes when running the application i get the following exception:
System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
I catch it in AppDomain.CurrentDomain.UnhandledException
.
So i tried to debug it with WinDbg. I was able to catch the exception and get the following output:
!analyze -v
FAULTING_IP:
KERNEL32!SetErrorMode+14b
77e6c427 8a08 mov cl,byte ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 087deadc
Attempt to read from address 087deadc
FAULTING_THREAD: 00000b1c
PROCESS_NAME: App.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 087deadc
READ_ADDRESS: 087deadc
FOLLOWUP_IP:
KERNEL32!SetErrorMode+14b
77e6c427 8a08 mov cl,byte ptr [eax]
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xb1c (34)
Current frame:
ChildEBP RetAddr Caller,Callee
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[b1c] ; Enable Pageheap/AutoVerifer
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7a0aa797 to 77e6c427
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd
STACK_COMMAND: .ecxr ; ~~[b1c] ; .frame 0 ; ~34s ; kb
SYMBOL_NAME: ure.dll!Unloaded
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ure.dll
IMAGE_NAME: ure.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 750063
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_ure.dll!Unloaded
BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_ure.dll!Unloaded
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/App_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1
Followup: MachineOwner
What does that mean? and what should i do with it?
Thanks in advance for any tips!!
It looks like ure.dll
has been unloaded, and a call to NlsAnsiToUnicodeMultiByteToWideChar() referring to it is failing. You could run .symfix
before !analyze -v
to confirm that.
Is that the DLL you're importing? If not, you have memory corruption. Otherwise, the bug is probably in that DLL. Are you using P/Invoke to import it?
Yup, the unloaded DLL information has been corrupted. As you might guess, it's .NET's culture.dll
, and Windbg is reading the 'cult' part of that as the timestamp and checksum. Try restarting and doing the following:
.symfix
sxe ud
g
and when the breakpoint hits:
kb
(That's telling Windbg to run until the DLL is unloaded, and then dump the stack)
Run for a bit to let the module unload, and execute the following command. Then let Windbg run until you get the exception, and do this command again to compare:
db ntdll!RtlpUnloadEventTrace
(That's the beginning of the unloaded module table, which is getting corrupted.)
User contributions licensed under CC BY-SA 3.0