Understanding WinDbg output

2

I have a WinForms application (C#) which imports some functions from a DLL.

Sometimes when running the application I get the following exception:

System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

I catch it in AppDomain.CurrentDomain.UnhandledException.

So I tried to debug it with WinDbg. I was able to catch the exception and get the following output:

!analyze -v

FAULTING_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 087deadc
Attempt to read from address 087deadc

FAULTING_THREAD:  00000b1c

PROCESS_NAME:  App.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  087deadc

READ_ADDRESS:  087deadc 

FOLLOWUP_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xb1c (34)
Current frame: 
ChildEBP RetAddr  Caller,Callee

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[b1c] ; Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 7a0aa797 to 77e6c427

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd


STACK_COMMAND:  .ecxr ; ~~[b1c] ; .frame 0 ; ~34s ; kb

SYMBOL_NAME:  ure.dll!Unloaded

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ure.dll

IMAGE_NAME:  ure.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  750063

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_ure.dll!Unloaded

BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_ure.dll!Unloaded

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/App_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1

Followup: MachineOwner

What does that mean? And what should I do with it?

Thanks in advance for any tips!!

c#
c++
exception
dll
windbg
asked on Stack Overflow Apr 17, 2009 by Anya • edited Dec 18, 2009 by Ian Boyd

1 Answer

2

It looks like ure.dll has been unloaded, and a call to NlsAnsiToUnicodeMultiByteToWideChar() referring to it is failing. You could run .symfix before !analyze -v to confirm that.

Is that the DLL you're importing? If not, you have memory corruption. Otherwise, the bug is probably in that DLL. Are you using P/Invoke to import it?


Yup, the unloaded DLL information has been corrupted. As you might guess, it's .NET's culture.dll, and Windbg is reading the 'cult' part of that as the timestamp and checksum. Try restarting and doing the following:

.symfix
sxe ud
g

and when the breakpoint hits:

kb

(That's telling Windbg to run until the DLL is unloaded, and then dump the stack)

Run for a bit to let the module unload, and execute the following command. Then let Windbg run until you get the exception, and do this command again to compare:

db ntdll!RtlpUnloadEventTrace

(That's the beginning of the unloaded module table, which is getting corrupted.)

answered on Stack Overflow Apr 17, 2009 by Mark • edited Apr 17, 2009 by Mark
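
The answer's reading of the output can be checked by hand: the reported DEBUG_FLR_IMAGE_TIMESTAMP of 750063 is the UTF-16LE encoding of "cu", which is why the module name shows up as ure.dll. The Python sketch below is an added example, not part of the original answer. It assumes the 32-bit layout of the documented RTL_UNLOAD_EVENT_TRACE structure, uses a constructed record with made-up field values, and reads it 8 bytes late only as one illustrative way to reproduce the symptom, not as a claim about how the table was actually damaged.

```python
import struct

# Assumed 32-bit layout of the documented RTL_UNLOAD_EVENT_TRACE structure:
# BaseAddress, SizeOfImage, Sequence, TimeDateStamp, CheckSum, ImageName[32] (WCHAR)
RECORD = struct.Struct("<5I64s")

def parse_record(buf, offset=0):
    """Decode one unloaded-module record starting at `offset`."""
    base, size, seq, stamp, checksum, raw = RECORD.unpack_from(buf, offset)
    name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"base": base, "size": size, "sequence": seq,
            "timestamp": stamp, "checksum": checksum, "name": name}

def printable_utf16(value):
    """Return the two UTF-16LE characters a DWORD spells, or None if not printable ASCII."""
    text = struct.pack("<I", value).decode("utf-16-le", errors="replace")
    return text if all(" " <= ch <= "~" for ch in text) else None

def looks_like_shifted_name(rec):
    """If TimeDateStamp and CheckSum are really image-name text, return the full name."""
    parts = [printable_utf16(rec["timestamp"]), printable_utf16(rec["checksum"])]
    if None in parts:
        return None
    return "".join(parts) + rec["name"]

def make_record(base, size, seq, stamp, checksum, name):
    """Build a constructed sample record (not captured from a real process)."""
    return RECORD.pack(base, size, seq, stamp, checksum, name.encode("utf-16-le"))

# Constructed sample: a well-formed entry for culture.dll with made-up field values,
# followed by padding so the misaligned read below stays inside the buffer.
GOOD = make_record(0x6D3C0000, 0x8000, 7, 0x492B8359, 0x0000F2A1, "culture.dll") + b"\x00" * 8

if __name__ == "__main__":
    print(parse_record(GOOD))            # fields line up, name is culture.dll
    bad = parse_record(GOOD, offset=8)   # read 8 bytes late: 'cult' lands in stamp/checksum
    print(hex(bad["timestamp"]), hex(bad["checksum"]), bad["name"])
    print(looks_like_shifted_name(bad))  # reassembles the original image name
```

Running the same check over each entry dumped from the unloaded module table separates records whose timestamp is a plausible build time from records whose timestamp is leaked name text.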

User contributions licensed under CC BY-SA 3.0