One of our customers reported a crash. She saw the standard error message after an unhandled exception:

"Application has generated an exception that could not be handled... Click OK to terminate the application. Click CANCEL to debug the application."

I used DebugDiag to generate a dump of this process. I'm looking at the dump now.

!threads showed me an exception in my managed thread. There were several nested exceptions. This one was at the bottom:

0:000> !pe -nested
...
Nested exception -------------------------------------------------------------
Exception object: 14015a98
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
    SP       IP       Function
    0013E958 7B6EEF3B System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)+0x8b
    0013E994 7B6F7916 System_Windows_Forms_ni!System.Windows.Forms.Control.WndProcException(System.Exception)+0x16
    0013E9A0 7B6FA39C System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.OnThreadException(System.Exception)+0xc
    0013E9A4 7B1C8512 System_Windows_Forms_ni!System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)+0x72
    0013EC70 7B1D8D2E System_Windows_Forms_ni!System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)+0x24e
    0013ED0C 7B1D8997 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)+0x177
    0013ED60 7B1D87E1 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)+0x61
    0013ED90 7B6EDE2B System_Windows_Forms_ni!System.Windows.Forms.Application.RunDialog(System.Windows.Forms.Form)+0x33
    0013EDA4 7B7225AB System_Windows_Forms_ni!System.Windows.Forms.Form.ShowDialog(System.Windows.Forms.IWin32Window)+0x373
    0013EE30 0DF41E76 PDILibReportProcessor!profdata.com.Library.libReportRenderCrystal.RenderToDisplay(System.Windows.Forms.IWin32Window, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig)+0xb6
    0013EE4C 0DF416EB PDILibReportProcessor!profdata.com.Library.libReportProcessor.Process(System.Windows.Forms.IWin32Window)+0x153
    0013EE60 07B37644 PDILibReportProcessor!profdata.com.Library.libReportProcessor.ProcessCrystalReport(System.String, System.Type, System.Data.DataSet, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig, System.Windows.Forms.IWin32Window, System.String)+0x74
    0013EEA4 07B375B8 PDILibReportProcessor!profdata.com.Library.libReportProcessor.ProcessReport(System.String, System.Type, System.Data.DataSet, profdata.com.Library.libOutputSettings, profdata.com.Library.libApplicationConfig, System.Windows.Forms.IWin32Window)+0x18
    0013EEB8 07B333C4 APRPTCashRequirements!profdata.com.AccountsPayable.frmAPCashRequirements.RunProcessOrReport()+0x7e4

StackTraceString: <none>
HResult: 80004003

The code has displayed a Crystal Report to the user in a form. While displaying the report, the application tried to do something and got a System.AccessViolationException.

Looking at the NativeWindow.Callback source, I see this:

private IntPtr Callback(IntPtr hWnd, int msg, IntPtr wparam, IntPtr lparam)
{
    Message m = Message.Create(hWnd, msg, wparam, lparam);
    try
    {
        // calls WndProc or DefWndProc
    }
    catch (Exception exception)
    {
        this.OnThreadException(exception);
    }
    finally {...}
}

I want to know the message, wParam, and lParam arguments that caused the exception. (I'd also like to verify I'm looking at the correct exception object.) This may be an invoke back to the UI thread, or it might be a normal Windows event, in which case I want to know which one.

I got the thread environment block:

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        00134144
    StackBase:            00140000
    StackLimit:           00130000

And dumped the stack memory:

0:000> !dqs 00130000 00140000
...
0013e968  00000000`00000000
0013e970  00000000`00000000
0013e978  00000000`00000000
0013e980  140ea9fc`00000000
0013e988  0013e998`0013ea44
0013e990  140c1d4c`7b6f7916
0013e998  7b6fa39c`0013ea54 <--- is NativeWindow.Callback
0013e9a0  0013ea6c`7b1c8512
0013e9a8  0013ec60`79edd757
0013e9b0  0013ec60`00000000
0013e9b8  0013ea6c`e0434f4d
0013e9c0  00000000`0013ea1c
0013e9c8  00000000`00000000
...

So if the signature is this:

    SP       IP       Function
    0013E9A4 7B1C8512 NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)+0x72

  1. Where exactly are the parameters on the stack?
  2. How do I inspect them to get their values?

I still don't feel like I've found the root cause. We have a ThreadException handler. Why wasn't it called? What caused the System.AccessViolationException?

Note that !analyze -v reported STATUS_BREAKPOINT, because the user is stopped at the error dialog "Application has generated an exception...".

+2  A: 

You should first set the context to the exception context:

.ecxr

Then make sure you have a sympath that downloads the latest public symbols for all NT modules, with a local cache path:

.sympath srv*C:\<cache>\sym*http://msdl.microsoft.com/download/symbols

These steps should ensure you get a correct native stack from k, which should also be reflected in the managed stack. Getting the parameters for native frames without private symbols is hard; you basically have to reconstruct them from the stack, knowing the calling convention and the parameter positions. A simple dv will not work with public symbols.

As for the ThreadException handler question, did you set the Application.SetUnhandledExceptionMode to CatchException?

Remus Rusanu
If you're in a hurry, .symfix will set it faster :)
Paul Betts
Or set _NT_SYMBOL_PATH for all users and never worry again ;)
Remus Rusanu
Problem: I created the dump while it was at a breakpoint. If I try .ecxr, I get "Minidump doesn't have an exception context." Symbol path is set. Unhandled exception mode is Automatic and not disabled by config file.
Paul Williams
You have RaiseException on frame 1a and also RtlRaiseException one frame above, you can get the exception info from the args passed to them. Also you have DispatchMessage on frame 0x40, you can get the MSG/WPARAM/LPARAM from there.
Remus Rusanu
Thank you. I was able to see that the message was 0x0202. After a few more dumps, I understand I'm chasing some sort of memory corruption. Hopefully I can learn more from enabling Page Heap checking.
Paul Williams
(0x0202 = WM_LBUTTONUP)
Paul Williams
Good luck. gflags is your friend :)
Remus Rusanu
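
The reconstruction described in this answer and its comments (read the arguments off the stack by calling convention, then take the MSG from the DispatchMessage frame), as an added example that is not part of the original thread. It assumes a 32-bit process and an EBP-based frame for user32!DispatchMessageW, with memory supplied as `dd`-style dump text; the dump is constructed, and only the saved EBP, the return address and the 0x0202 message value come from the page.

```python
# Constructed `dd`-style dump. The first two dwords at 0013f298 (saved EBP and
# return address) match frame 40 of the kn listing, and message 0x0202 is the
# value reported in the thread; the MSG pointer and other fields are made up.
DUMP = """\
0013f298  0013f2b4 03c341d2 0013f2d0 00000000
0013f2d0  000a0412 00000202 00000000 0054006e
0013f2e0  0152a3c1 0000032e 000001b8 00000000
"""

WM_NAMES = {0x0200: "WM_MOUSEMOVE", 0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP"}

def load_dump(text):
    """Map every dword address in a `dd` dump to its 32-bit value."""
    mem = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        base = int(fields[0], 16)
        for i, word in enumerate(fields[1:]):
            mem[base + 4 * i] = int(word, 16)
    return mem

def stdcall_frame(mem, child_ebp, nargs):
    """x86 EBP frame: [ebp]=saved EBP, [ebp+4]=return address, [ebp+8+4*i]=arg i."""
    args = [mem[child_ebp + 8 + 4 * i] for i in range(nargs)]
    return {"saved_ebp": mem[child_ebp], "ret": mem[child_ebp + 4], "args": args}

def signed16(value):
    return value - 0x10000 if value & 0x8000 else value

def decode_msg(mem, addr):
    """Decode a 32-bit MSG: hwnd, message, wParam, lParam, time, pt.x, pt.y."""
    hwnd, message, wparam, lparam, time, pt_x, pt_y = (mem[addr + 4 * i] for i in range(7))
    msg = {"hwnd": hwnd, "message": message, "wParam": wparam, "lParam": lparam,
           "name": WM_NAMES.get(message, "unknown"), "time": time, "pt": (pt_x, pt_y)}
    if message in WM_NAMES:  # mouse messages pack client x/y into lParam
        msg["client_xy"] = (signed16(lparam & 0xFFFF), signed16(lparam >> 16))
    return msg

def dispatch_message_args(dump_text, child_ebp):
    """DispatchMessageW takes one argument, a pointer to the MSG being dispatched."""
    mem = load_dump(dump_text)
    frame = stdcall_frame(mem, child_ebp, 1)
    return frame, decode_msg(mem, frame["args"][0])

if __name__ == "__main__":
    frame, msg = dispatch_message_args(DUMP, 0x0013F298)
    print(hex(frame["ret"]), msg["name"], msg["client_xy"])
```

A KeyError from any lookup means the dumped range did not cover the address being followed, so the dump has to be extended before the frame can be decoded.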
A: 

If all you want is the window message, pull it from one of the native frames using dv /V.

Edit: The fact that you're chasing an AccessViolationException means that you should definitely be looking at the native stack using kn100 and .frame to figure out the actual AV.

Paul Betts
A: 

Not specific to this particular problem, but I've found Tess Ferrandez' blog to be a great resource for WinDbg

STW
Yes, I've learned a lot from her blog in the past. But I'm looking for a specific technique-- how to find method parameters on the stack.
Paul Williams
A: 

kn100 returns the stack below. I'm not sure what to do here. Set the .frame to where? And then do what?

The application is a large C# WinForms client. We have written no native code. I can usually diagnose unhandled exceptions in our code fairly quickly, but this is the first native error I've tried to diagnose.

00 00132d4c 7739bf53 ntdll!KiFastSystemCallRet
01 00132d84 7738965e user32!NtUserWaitMessage+0xc
02 00132dac 7739f762 user32!InternalDialogBox+0xd0
03 0013306c 7739f047 user32!SoftModalMessageBox+0x94b
04 001331bc 7739eec9 user32!MessageBoxWorker+0x2ba
05 00133214 7739ee65 user32!MessageBoxTimeoutW+0x7a
06 00133234 7739ee41 user32!MessageBoxExW+0x1b
07 00133250 7a14c82e user32!MessageBoxW+0x45
08 00133274 7a1507ae mscorwks!WszMessageBox+0x8b
09 00134150 7a1509ea mscorwks!UtilMessageBoxNonLocalizedVA+0x351
0a 001341d4 7a2cea8d mscorwks!UtilMessageBoxVA+0x6b
0b 001341f4 7a2cf209 mscorwks!Debugger::MessageBox+0x1a
0c 00134230 7a2d2cae mscorwks!Debugger::NotifyUserOfFault+0x65
0d 00134270 7a2d5c67 mscorwks!Debugger::ShouldAttachDebugger+0xa2
0e 001342b4 7a2d95fa mscorwks!Debugger::ShouldAttachDebuggerProxy+0x66
0f 001342c0 7a0974d1 mscorwks!Debugger::FallbackJITAttachPrompt+0x9
10 001342dc 7a09c0c7 mscorwks!WatsonLastChance+0x63
11 00134334 7a09c173 mscorwks!CLRAddVectoredHandlers+0x209
12 0013433c 7c35f0c3 mscorwks!InternalUnhandledExceptionFilter+0x22
13 00134348 61585e4e msvcr71!__CxxUnhandledExceptionFilter+0x46
WARNING: Stack unwind information not available. Following frames may be wrong.
14 00134620 77e76a20 SACommLayer_RES_EN!GetResDllVersion+0x4e2e
15 00134628 77e61ac1 kernel32!BaseProcessStart+0x39
16 00134650 7c828772 kernel32!_except_handler3+0x61
17 00134674 7c828743 ntdll!ExecuteHandler2+0x26
18 0013471c 7c82865c ntdll!ExecuteHandler+0x24
19 001349fc 77e4bef7 ntdll!RtlRaiseException+0x3d
1a 00134a5c 7a1997f7 kernel32!RaiseException+0x53
1b 00134a74 7a1915c4 mscorwks!RtlRaiseStatus+0x13
1c 00134a7c 79e9a8a9 mscorwks!_purecall+0xa
1d 00134a8c 79e9a92c mscorwks!MethodDataCache::FindHelper+0x17
1e 00134ac4 79e8a9b0 mscorwks!MethodDataCache::Find+0x52
1f 00134b00 79e8aa6a mscorwks!MethodTable::GetMethodDataHelper+0x23
20 00134b38 79e8aab3 mscorwks!MethodTable::GetMethodData+0x1a
21 00134b50 79e8aad9 mscorwks!MethodTable::MethodIterator::Init+0x13
22 00134b64 79e8b677 mscorwks!MethodTable::MethodIterator::MethodIterator+0x11
23 00134bb4 79e8b874 mscorwks!EEClass::FindMethod+0x38
24 00134c38 79e89332 mscorwks!MemberLoader::GetDescFromMemberDefOrRefThrowing+0x3e8
25 00134ec0 79fc44bf mscorwks!MemberLoader::GetMethodDescFromMemberDefOrRefOrSpecThrowing+0x219
26 00134f88 79fc43cf mscorwks!CEEInfo::findMethodInternal+0x12a
27 00134ff4 79062ea6 mscorwks!CEEInfo::findMethod+0xc4
28 0013500c 79062fa9 mscorjit!Compiler::eeFindMethod+0x22
29 001350f4 790633e8 mscorjit!Compiler::impImportCall+0xda
2a 001356fc 790643a1 mscorjit!Compiler::impImportBlockCode+0x2bbb
2b 00135774 790644d6 mscorjit!Compiler::impImportBlock+0x1df
2c 0013578c 7906465c mscorjit!Compiler::impImport+0xe2
2d 00135798 7906467a mscorjit!Compiler::fgImport+0x20
2e 001357a8 79065b8e mscorjit!Compiler::compCompile+0xc
2f 001357f4 79065d33 mscorjit!Compiler::compCompile+0x44f
30 0013587c 79066448 mscorjit!jitNativeCode+0xef
31 001358a0 79fc722c mscorjit!CILJit::compileMethod+0x25
32 0013590c 79fc72c5 mscorwks!invokeCompileMethodHelper+0x72
33 00135950 79fc7338 mscorwks!invokeCompileMethod+0x31
34 001359a4 79fc70ad mscorwks!CallCompileMethodWithSEHWrapper+0x5b
35 00135d4c 79fc6e6f mscorwks!UnsafeJitFunction+0x31b
36 00135df0 79e811eb mscorwks!MethodDesc::MakeJitWorker+0x1a8
37 00135e48 79e813ab mscorwks!MethodDesc::DoPrestub+0x41b
38 00135e98 00361efe mscorwks!PreStubWorker+0xf3
39 00135eb0 7b6eef3b 0x361efe
3a 00135f10 7b6f7916 System_Windows_Forms_ni+0x71ef3b
3b 00135f1c 7b6fa39c System_Windows_Forms_ni+0x727916
3c 0013f17c 7739b6e3 System_Windows_Forms_ni+0x72a39c
3d 0013f1a8 7739b874 user32!InternalCallWinProc+0x28
3e 0013f220 7739ba92 user32!UserCallWinProcCheckWow+0x151
3f 0013f288 7739bad0 user32!DispatchMessageWorker+0x327
40 0013f298 03c341d2 user32!DispatchMessageW+0xf
41 0013f2b4 7b1d8d2e 0x3c341d2
42 0013f368 7b1d8997 System_Windows_Forms_ni+0x208d2e
43 0013f3c0 7b1d87e1 System_Windows_Forms_ni+0x208997
44 0013f3f0 7b195931 System_Windows_Forms_ni+0x2087e1
45 0013f480 79e71b4c System_Windows_Forms_ni+0x1c5931
46 0013f490 79e821f9 mscorwks!CallDescrWorker+0x33
47 0013f510 79e96571 mscorwks!CallDescrWorkerWithHandler+0xa3
48 0013f648 79e965a4 mscorwks!MethodDesc::CallDescr+0x19c
49 0013f664 79e965c2 mscorwks!MethodDesc::CallTargetWorker+0x1f
4a 0013f67c 79eefac5 mscorwks!MethodDescCallSite::CallWithValueTypes+0x1a
4b 0013f7e0 79eef9e5 mscorwks!ClassLoader::RunMain+0x223
4c 0013fa48 79eeff35 mscorwks!Assembly::ExecuteMainMethod+0xa6
4d 0013ff18 79ef011f mscorwks!SystemDomain::ExecuteMainMethod+0x456
4e 0013ff68 79ef004f mscorwks!ExecuteEXE+0x59
4f 0013ffb0 79007c24 mscorwks!_CorExeMain+0x15c
50 0013ffc0 77e6f23b mscoree!_CorExeMain+0x2c
51 0013fff0 00000000 kernel32!BaseProcessStart+0x23
Paul Williams