ansaurus

Question

Answer 1

+1 A:

It looks like ure.dll has been unloaded, and a call to ~~NlsAnsiToUnicode~~MultiByteToWideChar() referring to it is failing. You could run .symfix before !analyze -v to confirm that.

Is that the DLL you're importing? If not, you have memory corruption. Otherwise, the bug is probably in that DLL. Are you using P/Invoke to import it?

Yup, the unloaded DLL information has been corrupted. As you might guess, it's .NET's culture.dll, and Windbg is reading the 'cult' part of that as the timestamp and checksum. Try restarting and doing the following:

.symfix
sxe ud
g

and when the breakpoint hits:

kb

(That's telling Windbg to run until the DLL is unloaded, and then dump the stack)

Run for a bit to let the module unload, and execute the following command. Then let Windbg run until you get the exception, and do this command again to compare:

db ntdll!RtlpUnloadEventTrace

(That's the beginning of the unloaded module table, which is getting corrupted.)

Mark 2009-04-17 07:56:26

Im not using this dll. I also do not have it on my computer. I have never heard of it before. No idea why is it trying to load it. However, it is unloaded:Unloaded modules:00000001 4333ab5a ure.dll Timestamp: Tue Mar 31 01:56:51 1970 (00750063) Checksum: 0074006CAlso when i execute !analyze -v, before giving me results it displays:*** WARNING: Unable to verify timestamp for ure.dll*** ERROR: Module load completed but symbols could not be loaded for ure.dllHelp!

Anya 2009-04-17 08:41:09

oh yes didnt realise that! At what point i need to run those commands? right after exception is cought? before analyze? after? before go? Thanks many!:)

Anya 2009-04-17 09:55:18

before the exception is caught.

Mark 2009-04-17 10:06:35

Mark, run the commands. And kb returns me the following:ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong.0dc9dc6c 7a0aa797 00000000 00000001 0522ea5c KERNEL32!SetErrorMode+0x14b0dc9dd68 7c82a124 056306e8 0dc9df9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f80dc9dd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x130dc9df9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd

Anya 2009-04-17 10:31:42

however after i run analyze - v it still tells me *** WARNING: Unable to verify timestamp for ure.dll*** ERROR: Module load completed but symbols could not be loaded for ure.dll

Anya 2009-04-17 10:32:57

You can safely ignore that message - it can't verify "ure.dll" because it doesn't exist!

Mark 2009-04-17 10:38:34

ok i got this:0:040> db ntdll!RtlpUnloadEventTrace7c8890c0 00 00 b9 77 00 80 00 00-00 00 00 00 c8 0a d7 45 ...w...........E7c8890d0 4f c3 00 00 76 00 65 00-72 00 73 00 69 00 6f 00 O...v.e.r.s.i.o.7c8890e0 6e 00 2e 00 64 00 6c 00-6c 00 00 00 00 00 00 00 n...d.l.l.......7c8890f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................7c889100 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

Anya 2009-04-17 10:45:50

7c889110 00 00 00 00 00 00 34 60-00 80 00 00 01 00 00 00 ......4`........7c889120 59 ab 33 43 1f 33 01 00-63 00 75 00 6c 00 74 00 Y.3C.3..c.u.l.t.7c889130 75 00 72 00 65 00 2e 00-64 00 6c 00 6c 00 00 00 u.r.e...d.l.l...

Anya 2009-04-17 10:46:30

Hmm, I can't see any corruption there. Has the exception happened yet?

Mark 2009-04-17 11:08:47

Anya, you need to fix the system symbols! otherwise the stack information is misleading! run '.symfix+ c:\websymbols;.reload' and then rerun the analysis

2009-04-17 14:20:05

Answer 2

A:

Here what it gives me after i execute analyze -v now.

FAULTING_IP: KERNEL32!SetErrorMode+14b 77e6c427 8a08 mov cl,byte ptr [eax]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 77e6c427 (KERNEL32!SetErrorMode+0x0000014b) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 0522ea5c Attempt to read from address 0522ea5c

FAULTING_THREAD: 00000df0

PROCESS_NAME: MyApp.exe

OVERLAPPED_MODULE: Address regions for 'ure' and 'MyApp' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 0522ea5c

READ_ADDRESS: 0522ea5c

FOLLOWUP_IP: KERNEL32!SetErrorMode+14b 77e6c427 8a08 mov cl,byte ptr [eax]

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

MANAGED_STACK: !dumpstack -EE OS Thread Id: 0xdf0 (40) Current frame: ChildEBP RetAddr Caller,Callee 0dc9ddb8 79367ab4 (MethodDesc 0x79243568 +0x10 System.Collections.ArrayList.IndexOf(System.Object)) 0dc9ddc8 79368159 (MethodDesc 0x792435b8 +0x1d System.Collections.ArrayList.Remove(System.Object))

EXCEPTION_OBJECT: !pe 149d428 Exception object: 0149d428 Exception type: System.AccessViolationException Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. InnerException: StackTrace (generated): StackTraceString: HResult: 80004003

MANAGED_OBJECT: !dumpobj 149cde8 Name: System.String MethodTable: 790fa3e0 EEClass: 790fa340 Size: 222(0xde) bytes (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll) String: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. Fields: MT Field Offset Type VT Attr Value Name 790fed1c 4000096 4 System.Int32 0 instance 103 m_arrayLength 790fed1c 4000097 8 System.Int32 0 instance 102 m_stringLength 790fbefc 4000098 c System.Char 0 instance 41 m_firstChar 790fa3e0 4000099 10 System.String 0 shared static Empty

Domain:Value 00165808:790d6584 << 79124670 400009a 14 System.Char[] 0 shared static WhitespaceChars Domain:Value 00165808:01271378 <<

EXCEPTION_MESSAGE: Attempted to read or write protected memory. This is often an indication that other memory is corru

MANAGED_OBJECT_NAME: System.AccessViolationException

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer

DEFAULT_BUCKET_ID: HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_CORRUPT_MODULELIST_OVERLAPPED_MODULE_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER: from 7a0aa797 to 77e6c427

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong. 0dc9dc6c 7a0aa797 00000000 00000001 0522ea5c KERNEL32!SetErrorMode+0x14b 0dc9dd68 7c82a124 056306e8 0dc9df9c 7c82a0b8 mscorwks!CorLaunchApplication+0x281f8 0dc9dd74 7c82a0b8 7c82a0fc 00000001 00000004 ntdll!RtlpAllocateFromHeapLookaside+0x13 0dc9df9c 00000000 00000000 00000000 00000000 ntdll!RtlAllocateHeap+0x1dd

SYMBOL_NAME: heap_corruption!heap_corruption

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME: heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: ~40s ; kb

FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption

BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_CORRUPT_MODULELIST_OVERLAPPED_MODULE_INVALID_POINTER_READ_heap_corruption!heap_corruption

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/MyApp_exe/1_2009_403_12/49e707a9/KERNEL32_dll/5_2_3790_4062/46264680/c0000005/0002c427.htm?Retriage=1

Followup: MachineOwner

Anya 2009-04-17 11:10:48

That's good - that's the same error, caught with the managed code information available. Basically, culture.dll has been unloaded, so a read of WhitespaceChars causes an access violation.

Mark 2009-04-17 11:22:08

What does "lm m *ure*" say?

Mark 2009-04-17 11:26:35

(That's the list all modules that have "ure" in their names)

Mark 2009-04-17 11:27:06

and "lm m myapp*"

Mark 2009-04-17 11:34:57

OK, try:bp kernel32!freelibrary "j (poi(@esp+4)==0x60340000) '.echo Culture freed; kb'; g"

Mark 2009-04-17 12:01:44

That will add a breakpoint that fires every time culture.dll is freed using FreeLibrary. It uses the "j" command to decide whether to break with a message or continue.Restart your program, run ".symfix" followed by the command above. Then hit F5 after each time the breakpoint is hit, and you should notice a pattern.

Mark 2009-04-17 12:03:48

free library breakpoint is simpler with the following command: sxe ud ure.dll

2009-04-17 14:18:23

True, but that didn't get a result (see above). And it may be that the erroneous FreeLibrary is before the one that results in an unload.

Mark 2009-04-17 16:52:41

Also, ure.dll isn't a real DLL.

Mark 2009-04-17 16:53:11

Answer 3

A:

Guys, when i set my symbol path and .reload i get an error saying

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\KERNEL32.dll

I have checked, kernel32.pdb is in the symbol folder.

why it doesnt see and load it?

Thanks!!

Anya 2009-04-20 02:53:53

Try ".symfix; .reload /f /o". The breakpoint I suggested earlier should work without symbols, though.

Mark 2009-04-20 06:03:29

Answer 4

A:

in fact it says :

DBGHELP: c:\windows\symbols\dll\kernel32.pdb - mismatched pdb DBGHELP: Couldn't load mismatched pdb for C:\WINDOWS\system32\KERNEL32.dll

2009-04-20 03:31:54

Anya, did you know you can edit your own posts? You could add this information to the previous reply.

Mark 2009-04-20 06:05:48

no i didnt now i know:)

2009-04-20 06:44:04

any success with that breakpoint?

Mark 2009-04-20 07:46:46

Answer 5

A:

Ok no idea if breakpoint has worked, but i managed to get some stack of where exception happens (i hope), and it looks like that:

FOLLOWUP_IP: kernel32!SetErrorMode+14b 77e6c427 8a08 mov cl,byte ptr [eax]

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

MANAGED_STACK: !dumpstack -EE OS Thread Id: 0x104 (117) Current frame: ChildEBP RetAddr Caller,Callee 201add20 793d48cf (MethodDesc 0x792512c8 +0xb System.Threading.EventWaitHandle.Set()) 201add28 00eab665 (MethodDesc 0x939620 +0x15 System.Collections.BlockingQueue.Enqueue(System.Object)) 201add30 00eab3a0 (MethodDesc 0x938598 +0xc8 Elevate.MessageLog.MessageLog.AddMessageObjects(Elevate.MessageLog.DebugLevels, Boolean, System.String, System.Object[])) 201addb8 06c7023c (MethodDesc 0x9398b0 +0x1cc dvR.OrderBookWrapper.Price(System.String, System.String))

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer

FAULTING_THREAD: 00000104

DEFAULT_BUCKET_ID: HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ

this function -> dvR.OrderBookWrapper.Price. its mine! and i assume from a stack that its where the problem happens. am i right? now, is there a way to get an address of the problem?

Thanks!:))

Anya 2009-04-21 05:15:50

Hi Anya. Unfortunately, this still comes back to the root problem, which is that culture.dll is unloaded before it's needed. Depending on how the program runs, you may hit the problem in various places in your code. The managed stack ends at the transition into unmanaged code, so in a case like this doesn't help identify the problem. You really need to get that breakpoint to hit - look for the text "Culture freed".

Mark 2009-04-21 14:20:55

Alternatively, post the parts of your code that deal with the DLL, somewhere everyone can read it.

Mark 2009-04-22 13:34:59

So Anya, no joy?

Mark 2009-04-23 12:59:20

Answer 6

A:

Everything is working now was able to get all the info i needed.

Thanks so much!

2009-04-30 09:19:20

ansaurus

tags:

views:

answers:

understanding WinDbg output

related questions