I have a WinForms application (C#) which imports some functions from a DLL.

Sometimes when running the application I get the following exception:

System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

I catch it in AppDomain.CurrentDomain.UnhandledException.

So I tried to debug it with WinDbg. I was able to catch the exception and get the following output:

!analyze -v

FAULTING_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 087deadc
Attempt to read from address 087deadc

FAULTING_THREAD:  00000b1c

PROCESS_NAME:  App.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  087deadc

READ_ADDRESS:  087deadc 

FOLLOWUP_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xb1c (34)
Current frame: 
ChildEBP RetAddr  Caller,Callee

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [UnloadedModule_Arch_AX] from Frame:[0] on thread:[b1c] ; Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 7a0aa797 to 77e6c427

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd


STACK_COMMAND:  .ecxr ; ~~[b1c] ; .frame 0 ; ~34s ; kb

SYMBOL_NAME:  ure.dll!Unloaded

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ure.dll

IMAGE_NAME:  ure.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  750063

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_ure.dll!Unloaded

BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_ure.dll!Unloaded

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/App_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1

Followup: MachineOwner


What does that mean, and what should I do with it?

Thanks in advance for any tips!!
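The `!analyze -v` output above is the thing to read first when an AccessViolationException surfaces from native code: the exception code, the address that could not be read, the faulting symbol, whether the stack walk had unwind information, and whether the followup symbol resolved to an unloaded module. The following Python helper is an added example (not code from the question, the answers or WinDbg itself) that parses that text into those fields and prints the triage conclusions the thread arrives at; the sample input is an excerpt of the output quoted in the question, and the `triage()`/`parse_analyze()` names and the hint wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the !analyze -v output quoted in the question (sample input for this
# example; only the fields the triage below looks at are kept).
SAMPLE = """\
FAULTING_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  087deadc 

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
08bddc6c 7a0aa797 00000000 00000001 087deadc KERNEL32!SetErrorMode+0x14b
08bddd68 7c82a124 056306e8 08bddf9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
08bddd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
08bddf9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd

SYMBOL_NAME:  ure.dll!Unloaded

MODULE_NAME: ure.dll

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000005_ure.dll!Unloaded
"""

# An !analyze field header is an upper-case key followed by a colon; WARNING lines
# are emitted inside STACK_TEXT and must stay attached to it rather than open a field.
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s?(.*)$")
# x86 kb-style frame: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} (\S+)$"
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    symbol: str  # e.g. "KERNEL32!SetErrorMode+0x14b"

    @property
    def module(self) -> str:
        return self.symbol.split("!", 1)[0]


def parse_analyze(text: str) -> Dict[str, List[str]]:
    """Map each KEY to its lines; the first entry is the value on the header line."""
    fields: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) != "WARNING":
            current = m.group(1)
            fields[current] = [m.group(2).strip()]
        elif current is not None:
            fields[current].append(line)
    return fields


def stack_frames(fields: Dict[str, List[str]]) -> List[Frame]:
    frames = []
    for line in fields.get("STACK_TEXT", []):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames


def triage(text: str) -> dict:
    """Pull out the facts a first pass at an access violation should rest on."""
    f = parse_analyze(text)
    code = None
    for line in f.get("EXCEPTION_CODE", []):
        m = re.search(r"0x([0-9a-fA-F]{8})", line)
        if m:
            code = m.group(1).lower()
            break
    # FAULTING_IP has no inline value; the symbol is the first continuation line.
    faulting_ip = next((ln for ln in f.get("FAULTING_IP", []) if ln), None)
    symbol_name = f.get("SYMBOL_NAME", [""])[0]
    unloaded = symbol_name.split("!", 1)[0] if symbol_name.endswith("!Unloaded") else None
    overlapped = f.get("OVERLAPPED_MODULE", [""])[0] or None
    stack_unreliable = any(ln.startswith("WARNING:") for ln in f.get("STACK_TEXT", []))
    hints = []
    if unloaded:
        hints.append(f"followup symbol is in unloaded module {unloaded}: "
                     "run .symfix, then 'sxe ud' and 'g' to break when it unloads")
    if stack_unreliable:
        hints.append("stack walk had no unwind info: fix symbols (.symfix; .reload) "
                     "before trusting the frames")
    if overlapped:
        hints.append("module list is corrupt: " + overlapped)
    return {
        "exception_code": code,
        "read_address": f.get("READ_ADDRESS", [""])[0] or None,
        "faulting_ip": faulting_ip,
        "bucket": f.get("DEFAULT_BUCKET_ID", [""])[0] or None,
        "unloaded_module": unloaded,
        "overlapped_module": overlapped,
        "stack_unreliable": stack_unreliable,
        "frames": stack_frames(f),
        "hints": hints,
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, value in result.items():
        if key != "frames":
            print(f"{key}: {value}")
    for fr in result["frames"]:
        print(f"  {fr.child_ebp:08x} {fr.ret_addr:08x} {fr.symbol}")
```

Run it on a saved `!analyze -v` log instead of `SAMPLE` to get the same summary for a real dump; the `WARNING` line check matters because, as the thread shows, frames reported without unwind information (`KERNEL32!SetErrorMode`, `CorLaunchApplication`) are only the nearest exported symbols and not where the crash really is.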

+1  A: 

It looks like ure.dll has been unloaded, and a call to NlsAnsiToUnicodeMultiByteToWideChar() referring to it is failing. You could run .symfix before !analyze -v to confirm that.

Is that the DLL you're importing? If not, you have memory corruption. Otherwise, the bug is probably in that DLL. Are you using P/Invoke to import it?


Yup, the unloaded DLL information has been corrupted. As you might guess, it's .NET's culture.dll, and Windbg is reading the 'cult' part of that as the timestamp and checksum. Try restarting and doing the following:

.symfix
sxe ud
g

and when the breakpoint hits:

kb

(That's telling Windbg to run until the DLL is unloaded, and then dump the stack)

Run for a bit to let the module unload, and execute the following command. Then let Windbg run until you get the exception, and do this command again to compare:

db ntdll!RtlpUnloadEventTrace

(That's the beginning of the unloaded module table, which is getting corrupted.)

Mark
I'm not using this DLL. I also do not have it on my computer. I have never heard of it before. No idea why it is trying to load it. However, it is unloaded:

Unloaded modules:
00000001 4333ab5a   ure.dll
    Timestamp: Tue Mar 31 01:56:51 1970 (00750063)
    Checksum:  0074006C

Also when I execute !analyze -v, before giving me results it displays:

*** WARNING: Unable to verify timestamp for ure.dll
*** ERROR: Module load completed but symbols could not be loaded for ure.dll

Help!
Anya
Oh yes, didn't realise that! At what point do I need to run those commands? Right after the exception is caught? Before analyze? After? Before go? Thanks many! :)
Anya
Before the exception is caught.
Mark
Mark, I ran the commands. And kb returns me the following:

ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0dc9dc6c 7a0aa797 00000000 00000001 0522ea5c KERNEL32!SetErrorMode+0x14b
0dc9dd68 7c82a124 056306e8 0dc9df9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
0dc9dd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
0dc9df9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd
Anya
However, after I run analyze -v it still tells me:

*** WARNING: Unable to verify timestamp for ure.dll
*** ERROR: Module load completed but symbols could not be loaded for ure.dll
Anya
You can safely ignore that message - it can't verify "ure.dll" because it doesn't exist!
Mark
OK, I got this:

0:040> db ntdll!RtlpUnloadEventTrace
7c8890c0  00 00 b9 77 00 80 00 00-00 00 00 00 c8 0a d7 45  ...w...........E
7c8890d0  4f c3 00 00 76 00 65 00-72 00 73 00 69 00 6f 00  O...v.e.r.s.i.o.
7c8890e0  6e 00 2e 00 64 00 6c 00-6c 00 00 00 00 00 00 00  n...d.l.l.......
7c8890f0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7c889100  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
Anya
7c889110  00 00 00 00 00 00 34 60-00 80 00 00 01 00 00 00  ......4`........
7c889120  59 ab 33 43 1f 33 01 00-63 00 75 00 6c 00 74 00  Y.3C.3..c.u.l.t.
7c889130  75 00 72 00 65 00 2e 00-64 00 6c 00 6c 00 00 00  u.r.e...d.l.l...
Anya
Hmm, I can't see any corruption there. Has the exception happened yet?
Mark
Anya, you need to fix the system symbols! Otherwise the stack information is misleading! Run '.symfix+ c:\websymbols;.reload' and then rerun the analysis.
A: 

Here is what it gives me after I execute analyze -v now.

FAULTING_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0522ea5c
Attempt to read from address 0522ea5c

FAULTING_THREAD: 00000df0

PROCESS_NAME: MyApp.exe

OVERLAPPED_MODULE: Address regions for 'ure' and 'MyApp' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 0522ea5c

READ_ADDRESS: 0522ea5c

FOLLOWUP_IP: 
KERNEL32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0xdf0 (40)
Current frame: 
ChildEBP RetAddr  Caller,Callee
0dc9ddb8 79367ab4 (MethodDesc 0x79243568 +0x10 System.Collections.ArrayList.IndexOf(System.Object))
0dc9ddc8 79368159 (MethodDesc 0x792435b8 +0x1d System.Collections.ArrayList.Remove(System.Object))

EXCEPTION_OBJECT: !pe 149d428
Exception object: 0149d428
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: 
StackTrace (generated):
StackTraceString: 
HResult: 80004003

MANAGED_OBJECT: !dumpobj 149cde8
Name: System.String
MethodTable: 790fa3e0
EEClass: 790fa340
Size: 222(0xde) bytes
 (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Fields:
      MT    Field   Offset                 Type VT     Attr    Value Name
790fed1c  4000096        4         System.Int32  0 instance      103 m_arrayLength
790fed1c  4000097        8         System.Int32  0 instance      102 m_stringLength
790fbefc  4000098        c          System.Char  0 instance       41 m_firstChar
790fa3e0  4000099       10        System.String  0   shared   static Empty
       Domain:Value  00165808:790d6584 <<
79124670  400009a       14        System.Char[]  0   shared   static WhitespaceChars
       Domain:Value  00165808:01271378 <<

EXCEPTION_MESSAGE: Attempted to read or write protected memory. This is often an indication that other memory is corru

MANAGED_OBJECT_NAME: System.AccessViolationException

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID: HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_CORRUPT_MODULELIST_OVERLAPPED_MODULE_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER: from 7a0aa797 to 77e6c427

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0dc9dc6c 7a0aa797 00000000 00000001 0522ea5c KERNEL32!SetErrorMode+0x14b
0dc9dd68 7c82a124 056306e8 0dc9df9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8
0dc9dd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13
0dc9df9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd

SYMBOL_NAME: heap_corruption!heap_corruption

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME: heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: ~40s ; kb

FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption

BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_CORRUPT_MODULELIST_OVERLAPPED_MODULE_INVALID_POINTER_READ_heap_corruption!heap_corruption

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/MyApp_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1

Followup: MachineOwner

Anya
That's good - that's the same error, caught with the managed code information available. Basically, culture.dll has been unloaded, so a read of WhitespaceChars causes an access violation.
Mark
What does "lm m *ure*" say?
Mark
(That lists all modules that have "ure" in their names)
Mark
and "lm m myapp*"
Mark
OK, try:

bp kernel32!freelibrary "j (poi(@esp+4)==0x60340000) '.echo Culture freed; kb'; g"
Mark
That will add a breakpoint that fires every time culture.dll is freed using FreeLibrary. It uses the "j" command to decide whether to break with a message or continue. Restart your program, run ".symfix" followed by the command above. Then hit F5 after each time the breakpoint is hit, and you should notice a pattern.
Mark
The free-library breakpoint is simpler with the following command: sxe ud ure.dll
True, but that didn't get a result (see above). And it may be that the erroneous FreeLibrary is before the one that results in an unload.
Mark
Also, ure.dll isn't a real DLL.
Mark
A: 

Guys, when I set my symbol path and .reload I get an error saying

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\KERNEL32.dll

I have checked, kernel32.pdb is in the symbol folder.

Why doesn't it see and load it?

Thanks!!

Anya
Try ".symfix; .reload /f /o". The breakpoint I suggested earlier should work without symbols, though.
Mark
A: 

In fact it says:

DBGHELP: c:\windows\symbols\dll\kernel32.pdb - mismatched pdb
DBGHELP: Couldn't load mismatched pdb for C:\WINDOWS\system32\KERNEL32.dll

Anya, did you know you can edit your own posts? You could add this information to the previous reply.
Mark
No, I didn't. Now I know :)
Any success with that breakpoint?
Mark
A: 

OK, no idea if the breakpoint has worked, but I managed to get some stack of where the exception happens (I hope), and it looks like this:

FOLLOWUP_IP: 
kernel32!SetErrorMode+14b
77e6c427 8a08            mov     cl,byte ptr [eax]

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x104 (117)
Current frame: 
ChildEBP RetAddr  Caller,Callee
201add20 793d48cf (MethodDesc 0x792512c8 +0xb System.Threading.EventWaitHandle.Set())
201add28 00eab665 (MethodDesc 0x939620 +0x15 System.Collections.BlockingQueue.Enqueue(System.Object))
201add30 00eab3a0 (MethodDesc 0x938598 +0xc8 Elevate.MessageLog.MessageLog.AddMessageObjects(Elevate.MessageLog.DebugLevels, Boolean, System.String, System.Object[]))
201addb8 06c7023c (MethodDesc 0x9398b0 +0x1cc dvR.OrderBookWrapper.Price(System.String, System.String))

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer

FAULTING_THREAD: 00000104

DEFAULT_BUCKET_ID: HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ

This function -> dvR.OrderBookWrapper.Price. It's mine! And I assume from the stack that it's where the problem happens. Am I right? Now, is there a way to get an address of the problem?

Thanks!:))

Anya
Hi Anya. Unfortunately, this still comes back to the root problem, which is that culture.dll is unloaded before it's needed. Depending on how the program runs, you may hit the problem in various places in your code. The managed stack ends at the transition into unmanaged code, so in a case like this doesn't help identify the problem. You really need to get that breakpoint to hit - look for the text "Culture freed".
Mark
Alternatively, post the parts of your code that deal with the DLL, somewhere everyone can read it.
Mark
So Anya, no joy?
Mark
A: 

Everything is working now; I was able to get all the info I needed.

Thanks so much!