Develop Reference

Analyze a dump file that contains a MSVCR exception

I have the following thread stack with a msvcr100!_CxxThrowException.
# ChildEBP RetAddr Args to Child
00 0973ef38 7739bf53 7739610a 00000000 00000000 ntdll!KiFastSystemCallRet
01 0973ef70 7738965e 0019029e 00000000 00000001 user32!NtUserWaitMessage+0xc
02 0973ef98 7739f762 77380000 0016aa20 00000000 user32!InternalDialogBox+0xd0
03 0973f258 7739f047 0973f3b4 00000000 ffffffff user32!SoftModalMessageBox+0x94b
04 0973f3a8 7739eec9 0973f3b4 00000028 00000000 user32!MessageBoxWorker+0x2ba
05 0973f400 773d7d0d 00000000 001aaf18 0019bb60 user32!MessageBoxTimeoutW+0x7a
06 0973f434 773c42c8 00000000 7787b9f0 7786c24c user32!MessageBoxTimeoutA+0x9c
07 0973f454 773c42a4 00000000 7787b9f0 7786c24c user32!MessageBoxExA+0x1b
08 0973f470 7786f265 00000000 7787b9f0 7786c24c user32!MessageBoxA+0x45
09 0973f4a4 7786c20f 7787b9f0 7786c24c 00012010 netman!__crtMessageBoxA+0xf6
0a 0973f4cc 7786f34e 0000000a 00000000 0973f788 netman!_NMSG_WRITE+0x127
0b 0973f4fc 7786d6b6 77ecb7c0 0973f760 77e761b7 netman!abort+0x7
0c 0973f508 77e761b7 0973f788 00000000 00000000 netman!__CxxUnhandledExceptionFilter+0x2f
0d 0973f760 77e792a3 0973f788 77e61ac1 0973f790 kernel32!UnhandledExceptionFilter+0x12a
0e 0973f768 77e61ac1 0973f790 00000000 0973f790 kernel32!BaseThreadStart+0x4a
0f 0973f790 7c828772 0973fb4c 0973ffdc 0973f86c kernel32!_except_handler3+0x61
10 0973f7b4 7c828743 0973fb4c 0973ffdc 0973f86c ntdll!ExecuteHandler2+0x26
11 0973f85c 7c82865c 09737000 0973f86c 00010007 ntdll!ExecuteHandler+0x24
12 0973fb3c 77e4bef7 0973fb4c 0000000f e06d7363 ntdll!RtlRaiseException+0x3d
13 0973fb9c 78ac872d e06d7363 00000001 00000003 kernel32!RaiseException+0x53
14 0973fbd4 0084bb9e 0973fc38 00bd8470 9adbd99a msvcr100!_CxxThrowException+0x48
When I look a the msvcr100!_CxxThrowException frame I see the following information. How can I progressive analyze this dump to determine the cause of the MSVCR exception?
14 0973fbd4 0084bb9e msvcr100!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp # 157]
0973fbdc void * pExceptionObject = 0x0973fc38
0973fbe0 struct _s__ThrowInfo * pThrowInfo = 0x00bd8470
0973fbb4 struct EHExceptionRecord ThisException = struct EHExceptionRecord
78ac8734 struct EHExceptionRecord ExceptionTemplate = struct EHExceptionRecord

EDIT: At the time I wrote this answer, I wasn't aware of the better, less complicated approaches suggested by the other posters below. So please scroll down and check their answers out as well!
According to your comments, you can't really analyze the stack trace further than this point.
To at least get details about the exception itself (only if it's a exception you have symbols for, such as one in std), you can do the following:
I prepared a simple test file:
#include <stdexcept>
int main()
{
throw std::runtime_error("Oh noez!");
}
Then I ran it in WinDbg:
CommandLine: Z:\Temp\testexception\bin\Debug\testexception.exe
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred symsrv*symsrv.dll*c:\users\david\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*c:\users\david\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00910000 00919000 testexception.exe
ModLoad: 771a0000 7731b000 ntdll.dll
ModLoad: 75b60000 75c40000 C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 73ef0000 7406e000 C:\WINDOWS\SysWOW64\KERNELBASE.dll
ModLoad: 0fb60000 0fcd3000 C:\WINDOWS\SysWOW64\MSVCR100D.dll
(4de4.178c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000003 ecx=039b0000 edx=00000000 esi=009100e8 edi=00360000
eip=7724ccbc esp=0018f524 ebp=0018f550 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
7724ccbc cc int 3
Processing initial command '.prefer_dml 1'
0:000> .prefer_dml 1
DML versions of commands on by default
0:000> bp ntdll!ExecuteHandler2 <<<<<< This is just to get a stack more similar to yours
0:000> g
(4de4.178c): C++ EH exception - code e06d7363 (first chance)
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=64905de5 edx=7722b670 esi=00000000 edi=00000000
eip=7722b62c esp=0018f3cc ebp=0018f490 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ExecuteHandler2:
7722b62c 55 push ebp
0:000> kb
# ChildEBP RetAddr Args to Child
00 0018f3c8 7722b624 0018f4a8 0018fa4c 0018f4f8 ntdll!ExecuteHandler2
01 0018f490 77218e7f 0018f4a8 0018f4f8 0018f4a8 ntdll!ExecuteHandler+0x24
02 0018f490 73fadad8 0018f4a8 0018f4f8 0018f4a8 ntdll!KiUserExceptionDispatcher+0xf
03<0018f9b0>0fc5cf82 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x48
*** WARNING: Unable to verify checksum for testexception.exe
04 0018f9f0 00911071 0018fa00 009153a8 00914790 MSVCR100D!_CxxThrowException+0x52
05 0018fa0c 009114df 00000001 00a14f78 00a12358 testexception!main+0x21
06 0018fa5c 0091130f 0018fa78 75b738f4 00360000 testexception!__tmainCRTStartup+0x1bf
07 0018fa64 75b738f4 00360000 75b738d0 380b229d testexception!mainCRTStartup+0xf
08 0018fa78 77205de3 00360000 6488a725 00000000 KERNEL32!BaseThreadInitThunk+0x24
09 0018fac0 77205dae ffffffff 7722b7d2 00000000 ntdll!__RtlUserThreadStart+0x2f
0a 0018fad0 00000000 00911300 00360000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> dds 0018f9b0 l6 <<<<<< The address is from the line with RaiseException above, I marked it with < >
0018f9b0 0018f9f0
0018f9b4 0fc5cf82 MSVCR100D!_CxxThrowException+0x52
0018f9b8 e06d7363
0018f9bc 00000001
0018f9c0 00000003
0018f9c4 0018f9e4 <<<<<< This is the address of the arguments array
0:000> dpp 0018f9e4 l3
0018f9e4 19930520
0018f9e8 <0018fa00>00914790 <testexception!std::runtime_error>::`vftable' <<<<<< this is the exception
0018f9ec 009153a8 00000000
0:000> dt 0018fa00 testexception!std::runtime_error <<<<<< remove the `vftable` part (again marked with < > above)
+0x000 __VFN_table : 0x00914790
+0x004 _Mywhat : 0x00a11068 "Oh noez!" <<<<<< Here is our message from the code
+0x008 _Mydofree : 1

#CherryDT's answer is probably fine. I just want to share an alternative approach.
.symfix
.sympath+ <your private symbols>
.reload
.exr -1
dp <parameter 1> L1
ln <result of dp>
dt <type of ln> <parameter 1>
It should look something like this (skipping the symbols parts):
0:000> .exr -1
ExceptionAddress: 7689c41f (KERNELBASE!RaiseException+0x00000058)
ExceptionCode: e06d7363 (C++ EH exception)
ExceptionFlags: 00000001
NumberParameters: 3
Parameter[0]: 19930520
Parameter[1]: 004bfb68
Parameter[2]: 003370b8
0:000> dp 004bfb68 L1
004bfb68 0f5cf1d0
0:000> ln 0f5cf1d0
(0f5cf1d0) MSVCR110D!std::exception::`vftable' | (0f5cf1d8) MSVCR110D!`string'
Exact matches:
MSVCR110D!std::exception::`vftable' = <no type information>
0:000> dt std::exception 004bfb68
SimpleCppCrash!std::exception
+0x000 __VFN_table : 0x0f5cf1d0
+0x004 _Mywhat : 0x0059f410 "Ouch: This application crashed because ..."
+0x008 _Mydofree : 1
If you have trouble with the symbols for MSVCRxxD, I found that a !analyze -v helps (I did not find out what that actually does to fix the problem).

Alternate Approach
$exr_param0,14 are PseudoRegisters for _EXCEPTION_RECORD->ExceptionInformation[15]
ExceptionInformation[2] is pExceptionObject
0:000> da poi($exr_param1+4)
0046ad00 "Oh noez!"
if you use the latest windbg drop you can use the Natvis Expression Evaluator
to view it like this
0:000> dx Debugger.State.DebuggerVariables.curprocess.Threads.First().Stack.Frames[1].LocalVariables.ThisException.params
Debugger.State.DebuggerVariables.curprocess.Threads.First().Stack.Frames[1].LocalVariables.ThisException.params [Type: EHExceptionRecord::EHParameters]
[+0x000] magicNumber : 0x19930520
[+0x004] pExceptionObject : 0x30f9a4 [Type: void *]
[+0x008] pThrowInfo : 0x133728 [Type: _s_ThrowInfo *]
or
0:000> ?? ((stdexcept!std::runtime_error *) #$exr_param1 )->_Data
struct __std_exception_data
+0x000 _What : 0x003dad00 "Oh noez!"
+0x004 _DoFree : 1

How do I get a meaningful stack-trace using MiniDumpWriteDump

I'm trying to programatically generate a stack trace. When my users are having a crash, in particular a random one, it's hard to talk them through the process of getting a dump so I can fix the problem. In the past once they would send me the trace I would cross reference the addresses in it to the Intermediate/foo.map file to figure out which function was the problem (is that the best way?)
I built a library from various examples I found around the net, to output a minidump to make my job easier. I staged a crash, but the stack trace I get from the minidump file is wildly different from a live stack trace I get from attaching windbg. Examples of both are below:
MiniDump.dmp:
KERNELBASE.dll!76a6c42d()
[Frames below may be incorrect and/or missing, no symbols loaded for KERNELBASE.dll]
KERNELBASE.dll!76a6c42d()
kernel32.dll!75bd14bd()
game.exe!00759035()
game.exe!00575ba3()
WinDbg.exe:
0:000:x86> kv
ChildEBP RetAddr Args to Child
00186f44 00bc8ea9 19460268 0018a9b7 03f70a28 Minidump!crashme+0x2 (FPO: [0,0,0]) (CONV: cdecl) [c:\project\debug\minidump.cpp # 68]
0018795c 00b9ef31 0018796c 03f56c00 6532716d Main!LoadPlugin+0x339 (FPO: [1,642,4]) (CONV: cdecl) [c:\project\main\pluginloader.cpp # 129]
00188968 00b9667d 19460268 0018a9ac 00000000 Main!Command+0x1f1 (FPO: [2,1024,4]) (CONV: cdecl) [c:\project\main\commands.cpp # 2617]
*** WARNING: Unable to verify checksum for C:\Game\game.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Game\game.exe
0018b1a8 005b5095 19460268 0018beac 00000000 Main!Hook::Detour+0x52d (FPO: [2,2570,0]) (CONV: thiscall) [c:\project\main\hook.cpp # 275]
WARNING: Stack unwind information not available. Following frames may be wrong.
0018b1b4 00000000 19495200 19495200 00000006 game+0x1b5095
game.exe is not mine, and I don't have the source/symbols. The Main.dll is injected into game.exe and it provides front end functionality to load additional DLLs from within the game. The debug code, and the staged crash is in Minidump.dll. After Main.dll loads Minidump it calls AfterLoad(), which sets the exception filter, and then triggers the crash. The relevant minidump code is below:
When I opened the MiniDump.dmp I pointed it to all of my symbol files (with the exception of game.exe, which I don't have) and that part seems like it's working. I do point it to the game.exe binary since I have that. The stack trace I get out of it just really isn't helpful though. My ultimate goal is that the user can just load the DLL, cause the crash, and email the dump file to me. Then I'll attach the symbol files and binaries and be able to diagnose the problem for them. Am I doing something wrong, or is it just not possible to get what I want.
typedef BOOL (WINAPI *MINIDUMPWRITEDUMP)(
HANDLE hProcess,
DWORD ProcessId,
HANDLE hFile,
MINIDUMP_TYPE DumpType,
CONST PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
CONST PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
CONST PMINIDUMP_CALLBACK_INFORMATION CallbackParam
);
LONG WINAPI WriteDumpFilter(struct _EXCEPTION_POINTERS *pExceptionPointers)
{
HANDLE hFile = NULL;
HMODULE hDll = NULL;
MINIDUMPWRITEDUMP pMiniDumpWriteDump = NULL;
_MINIDUMP_EXCEPTION_INFORMATION ExceptionInformation = {0};
//load MiniDumpWriteDump
hDll = LoadLibrary(TEXT("DbgHelp.dll"));
pMiniDumpWriteDump = (MINIDUMPWRITEDUMP)GetProcAddress(hDll, "MiniDumpWriteDump");
//create output file
hFile = CreateFile( _T( "C:\\temp\\MiniDump.dmp"),
GENERIC_READ|GENERIC_WRITE, 0, NULL,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );
//bail if we don't have a file
if ((hFile != NULL) && (hFile != INVALID_HANDLE_VALUE))
{
//get exception information
ExceptionInformation.ThreadId = GetCurrentThreadId();
ExceptionInformation.ExceptionPointers = pExceptionPointers;
ExceptionInformation.ClientPointers = TRUE;
//write the debug dump
pMiniDumpWriteDump( GetCurrentProcess(), GetCurrentProcessId(),
hFile, MiniDumpWithFullMemory, &ExceptionInformation,
NULL, NULL );
//close the debug output file
CloseHandle(hFile);
}
return EXCEPTION_EXECUTE_HANDLER;
}
VOID crashme() {int* foo = 0; *foo = 0;}
VOID AfterLoad(VOID)
{
SetUnhandledExceptionFilter(WriteDumpFilter);
crashme();
}
I tried to trim some of the fat out of all the details to simplify the problem, but I can be more explicit if needed. I found the good write-up on CodeProject, and I tried finding more background information to read in order to help me understand the problem, but what I could find didn't help me understand they were just step-by-steps to get it running (which is already is). Anyone have any idea what I'm doing wrong, or maybe point me to relevant reading?
After Sergei's suggestion I did .ecxr in windbg and got better output, but it still doesn't match the trace I get when I hook windbg straight up to the process and trigger the crash. Here is the minidump trace;
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0018e774 00759035 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
0018e7b4 00575ba3 00000000 00000000 00000001 game+0x359035
0018fc50 0057788a 009855ef 0018fdcb 00000001 game+0x175ba3
0018fc78 77b7e013 012d9230 002d91d0 002d9200 game+0x17788a
0018fc90 77ba9567 00290000 00000000 002d91d0 ntdll!RtlFreeHeap+0x7e
0018fd6c 0076ece2 0018ff78 007e1b7e ffffffff ntdll!LdrRemoveLoadAsDataTable+0x4e0
002bbc38 5c306174 61666544 00746c75 5d4c3055 game+0x36ece2
002bbc3c 61666544 00746c75 5d4c3055 8c000000 0x5c306174
002bbc40 00746c75 5d4c3055 8c000000 00000101 0x61666544
002bbc44 5d4c3055 8c000000 00000101 01000000 game+0x346c75
002bbc48 8c000000 00000101 01000000 00000000 0x5d4c3055
002bbc4c 00000000 01000000 00000000 0000006e 0x8c000000
and the trace from attaching the debugger to the process
0:000:x86> kv
ChildEBP RetAddr Args to Child
00186f44 00bc8ea9 19460268 0018a9b7 03f70a28 Minidump!crashme+0x2 (FPO: [0,0,0]) (CONV: cdecl) [c:\project\debug\minidump.cpp # 68]
0018795c 00b9ef31 0018796c 03f56c00 6532716d Main!LoadPlugin+0x339 (FPO: [1,642,4]) (CONV: cdecl) [c:\project\main\pluginloader.cpp # 129]
00188968 00b9667d 19460268 0018a9ac 00000000 Main!Command+0x1f1 (FPO: [2,1024,4]) (CONV: cdecl) [c:\project\main\commands.cpp # 2617]
*** WARNING: Unable to verify checksum for C:\Game\game.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Game\game.exe
0018b1a8 005b5095 19460268 0018beac 00000000 Main!Hook::Detour+0x52d (FPO: [2,2570,0]) (CONV: thiscall) [c:\project\main\hook.cpp # 275]
WARNING: Stack unwind information not available. Following frames may be wrong.
0018b1b4 00000000 19495200 19495200 00000006 game+0x1b5095
I don't have the source for game.exe (I have it for the DLLs which is where the error is), but I decompiled game.exe and here is what is at game+0x359035.
.text:00759001 ; =============== S U B R O U T I N E =======================================
.text:00759001
.text:00759001 ; Attributes: library function bp-based frame
.text:00759001
.text:00759001 ; __stdcall _CxxThrowException(x, x)
.text:00759001 __CxxThrowException#8 proc near ; CODE XREF: .text:0040100Fp
.text:00759001 ; sub_401640+98p ...
.text:00759001
.text:00759001 dwExceptionCode = dword ptr -20h
.text:00759001 dwExceptionFlags= dword ptr -1Ch
.text:00759001 nNumberOfArguments= dword ptr -10h
.text:00759001 Arguments = dword ptr -0Ch
.text:00759001 var_8 = dword ptr -8
.text:00759001 var_4 = dword ptr -4
.text:00759001 arg_0 = dword ptr 8
.text:00759001 arg_4 = dword ptr 0Ch
.text:00759001
.text:00759001 push ebp
.text:00759002 mov ebp, esp
.text:00759004 sub esp, 20h
.text:00759007 mov eax, [ebp+arg_0]
.text:0075900A push esi
.text:0075900B push edi
.text:0075900C push 8
.text:0075900E pop ecx
.text:0075900F mov esi, offset unk_853A3C
.text:00759014 lea edi, [ebp+dwExceptionCode]
.text:00759017 rep movsd
.text:00759019 mov [ebp+var_8], eax
.text:0075901C mov eax, [ebp+arg_4]
.text:0075901F mov [ebp+var_4], eax
.text:00759022 lea eax, [ebp+Arguments]
.text:00759025 push eax ; lpArguments
.text:00759026 push [ebp+nNumberOfArguments] ; nNumberOfArguments
.text:00759029 push [ebp+dwExceptionFlags] ; dwExceptionFlags
.text:0075902C push [ebp+dwExceptionCode] ; dwExceptionCode
.text:0075902F call ds:RaiseException
.text:00759035 pop edi
.text:00759036 pop esi
.text:00759037 leave
.text:00759038 retn 8
.text:00759038 __CxxThrowException#8 endp
My error that I'm triggering is in Minidump.dll, but this code at the top of the stack is in game.exe. There could be plenty going on inside the game.exe that I'm unaware of, could it maybe be hijacking the error that I'm triggering somehow? I.E., I trigger the error in the DLL, but something setup in the game.exe captures program flow before the exception filter that writes the minidump is called?
If that's the case, when I attach the debugger to the process, trigger the error and get the right output that points to the error being in my DLL, then that means game.exe isn't capturing the program flow before the debugger can do the trace. How could I make my minidump code behave the same way... This is getting into territory I'm not terribly familiar with. Any ideas?
I chased further back, and the function calling that one, has this line in it:
.text:00575A8D mov esi, offset aCrashDumpTooLa ; "Crash dump too large to send.\n"
So, I think game.exe is hijacking the exception to do it's own dump before my code tries to get the dump. And then my dumps trace is just a trace of game.exe's dump process...
Answer
I've got it figured out. I'm not sure how to answer my own post, so here is the deal.
.text:0057494A push offset aDbghelp_dll ; "DbgHelp.dll"
.text:0057494F call ds:LoadLibraryA
.text:00574955 test eax, eax
.text:00574957 jz short loc_5749C8
.text:00574959 push offset aMinidumpwrited ; "MiniDumpWriteDump"
.text:0057495E push eax ; hModule
.text:0057495F call ds:GetProcAddress
.text:00574965 mov edi, eax
.text:00574967 test edi, edi
.text:00574969 jz short loc_5749C8
.text:0057496B mov edx, lpFileName
.text:00574971 push 0 ; hTemplateFile
.text:00574973 push 80h ; dwFlagsAndAttributes
.text:00574978 push 2 ; dwCreationDisposition
.text:0057497A push 0 ; lpSecurityAttributes
.text:0057497C push 0 ; dwShareMode
.text:0057497E push 40000000h ; dwDesiredAccess
.text:00574983 push edx ; lpFileName
.text:00574984 call ds:CreateFileA
.text:0057498A mov esi, eax
.text:0057498C cmp esi, 0FFFFFFFFh
.text:0057498F jz short loc_5749C8
.text:00574991 call ds:GetCurrentThreadId
.text:00574997 push 0
.text:00574999 push 0
.text:0057499B mov [ebp+var_1C], eax
.text:0057499E lea eax, [ebp+var_1C]
.text:005749A1 push eax
.text:005749A2 push 0
.text:005749A4 push esi
.text:005749A5 mov [ebp+var_18], ebx
.text:005749A8 mov [ebp+var_14], 1
.text:005749AF call ds:__imp_GetCurrentProcessId
.text:005749B5 push eax
.text:005749B6 call ds:GetCurrentProcess
.text:005749BC push eax
.text:005749BD call edi
.text:005749BF push esi ; hObject
.text:005749C0 call ds:CloseHandle
.text:005749C6 jmp short loc_574A02
Thats from game.exe. It turns out game.exe does it's own minidump. My minidump was triggering after theirs so what I was seeing in my stack trace was a trace of their dump process. I found a dmp file in the game''s installation directory and once I loaded my symbols into it, it showed the correct output I was after.

You are doing just fine. When you open the minidump you generated, after you load the symbols, do
.ecxr
first to set context to what you saved in ExceptionInformation parameter to MiniDumpWriteDump(). Then you will have a legit stack trace.
We use a similar dump generation mechanism at the place where I work.
there are some future gotchas though. You want to check whether your dump catch mechanism is triggered on things like an abort() call.
For that, check out _set_invalid_parameter_handler() and signal(SIGABRT, ...).

I figured it out. Basically game.exe had its own MiniDumpWriteDump code that was triggering before my code. So the stack trace I was getting wasn't a trace of the error, it was a trace of game.exe doing its own MiniDump. I put more details up in the original post.
Thanks!

Crash Debugging Win32 Application

I'm spending lot of time doing crash debugging of Win32 apps. One thing i'm very curious to know about is, How to find whether any address belongs to stack / heap or program code section. Is there any windbg/ollydbg plugin available for this purpose? Or I've to to it manually from memory map?
Ex:
0:000> r
eax=00930264 ebx=008e0000 ecx=41414592 edx=00930000 esi=41414141 edi=008e0441
eip=00407289 esp=0012fae0 ebp=0012faf4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
MyApp+0x7289:
00407289 8b1437 mov edx,dword ptr [edi+esi] ds:0023:41cf4582=????????
0:000> u eip
MyApp+0x7289:
00407289 8b1437 mov edx,dword ptr [edi+esi]
0040728c 8b4c3704 mov ecx,dword ptr [edi+esi+4]
00407290 57 push edi
00407291 e89ae8ffff call MyApp+0x5b30 (00405b30)
00407296 897d14 mov dword ptr [ebp+14h],edi
00407299 5f pop edi
0040729a 85c0 test eax,eax
0040729c 741e je MyApp+0x72bc (004072bc)
In this case i wanna know which register pointing to which section (code/stack/heap )so that i can proceed further to the root cause.
Thanks in Advance.

0:000> ?#esi+#edi
Evaluate expression: 36278408 = 02299088
0:000> !address 02299088
ProcessParametrs 00311020 in range 00310000 00410000
Environment 02294848 in range 02290000 02390000
02290000 : 02290000 - 00100000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageHeap
Handle 00310000

How could it happen? (in debugging minidump file)

I'm tracing dmp file which seems like crashed calling virtual function of broken object instance.
it seems that vft of the broken object pointer pointed wrong address(0x3822a497) and program crashed immediately after call edx to 0x3822a497 (LAST_CONTROL_TRANSFER: from 00ccde67 to 3822a497), and instruction pointer (EIP) couldn't even go one step further. then, shouldn't it be edx=0x3822a497? but both Visual Studio and Windbg indicates edx=0x1e4dcc0.
Can somebody explain how could it happen?
EDIT: I trusted LAST_CONTROL_TRANSFER too much, but still mystery exists. please first see updated suppositions 1,2,3 below and give me a possible scenario.
Result of windbg !analyze -v
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
+8cde67
3822a497 006e00 add byte ptr [esi],ch
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 3822a497
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0138d2cc
Attempt to write to address 0138d2cc
PROCESS_NAME: DDD.exe
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
FAULTING_MODULE: 76df0000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP: 518275c9
MODULE_NAME: DDD
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 0138d2cc
WRITE_ADDRESS: 0138d2cc
FOLLOWUP_IP:
DDD+8cde67
00ccde67 ?? ???
FAILED_INSTRUCTION_ADDRESS:
+591b2faf0239d8f4
3822a497 006e00 add byte ptr [esi],ch
MOD_LIST: <ANALYSIS/>
FAULTING_THREAD: 00000650
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 00ccde67 to 3822a497
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0018cfe0 00ccde67 1a75cb52 00000000 28e86c00 0x3822a497
0018cfe4 1a75cb52 00000000 28e86c00 00000011 DDD+0x8cde67
0018cfe8 00000000 28e86c00 00000011 29b52260 0x1a75cb52
STACK_COMMAND: ~0s; .ecxr ; kb
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: DDD+8cde67
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: DDD.exe
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_DDD.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/...
Followup: MachineOwner
---------
0:000>
Result of windbg .excr
0:000> .ecxr
eax=0018d0c8 ebx=78b3b6a8 ecx=00cddb00 edx=01e4dcc0 esi=0138d2cc edi=0018cfc8
eip=3822a497 esp=0018cfe4 ebp=00000002 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
3822a497 006e00          add     byte ptr [esi],ch          ds:002b:0138d2cc=??
Result of windbg r
Last set context:
eax=0018d0c8 ebx=78b3b6a8 ecx=00cddb00 edx=01e4dcc0 esi=0138d2cc edi=0018cfc8
eip=3822a497 esp=0018cfe4 ebp=00000002 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
3822a497 006e00 add byte ptr [esi],ch ds:002b:0138d2cc=??
Disassembly before LAST_CONTROL_TRANSFER: from 00ccde67 to 3822a497
current_time = timeGetTime();
00CCDE34 call dword ptr [__imp__timeGetTime#0 (17EE5FCh)]
(*it)->proc();
00CCDE3A mov eax,dword ptr [ebx]
00CCDE3C test eax,eax
00CCDE3E je 00CCDFFE
00CCDE44 test edi,edi
00CCDE46 je 00CCDFFE
00CCDE4C cmp dword ptr [eax+4],edi
00CCDE4F ja 00CCDFFE
00CCDE55 cmp edi,dword ptr [eax+8]
00CCDE58 jae 00CCDFFE
00CCDE5E mov ecx,dword ptr [edi]
00CCDE60 mov eax,dword ptr [ecx]
00CCDE62 mov edx,dword ptr [eax+0Ch]
00CCDE65 call edx
00CCDE67 push 0
EDIT
Oh I forgot to put stack state.
stack (esp=0x18cfe4)
0x0018CFA4 00000000 00000000 00000000 00000000 ................
0x0018CFB4 00000000 00000000 00000000 00000000 ................
0x0018CFC4 00000000 fffffd34 000002e4 fffffd34 ....4?..?...4?..
0x0018CFD4 000002cc 00000019 00000000 0018d0c8 ?...........??..
0x0018CFE4 >00ccde67 1a75cb52 00000000 28e86c00 g??.R?u......l?(
0x0018CFF4 00000011 29b52260 00000000 78b3c718 ....`"?).....??x
0x0018D004 29b522a0 00000000 78b3b6ac 29b522a0 ?"?)....???x?"?)
0x0018D014 00000000 78b3b6a8 1a75cb52 00000140 ....???xR?u.#...
0x0018D024 01e4f688 1a75cb52 0018d050 0170d884 ???.R?u.P?..??p.
0x0018D034 ffffffff 0018d05c 0098ec41 1a75cb36 ....\?..A??.6?u.
Disassembly around eip (0x3822A497)
3822A490 54 push esp
3822A491 00 db 00h
3822A492 65 db 65h
3822A493 00 72 00 add byte ptr [edx],dh
3822A496 61 popad
3822A497 00 6E 00 add byte ptr [esi],ch
3822A49A 69 00 74 00 65 00 imul eax,dword ptr [eax],650074h
Memory dump around eip (0x3822A497)
0x3822A480 55da14f5 80000000 00001e08 00000024 ?.?U........$...
0x3822A490 00650054 00610072 0069006e 00650074 T.e.r.a.n.i.t.e.
0x3822A4A0 004e0020 00630065 006c006b 00630061 .N.e.c.k.l.a.c.
0x3822A4B0 00000065 4d747cba 55da14f2 80000000 e...?|tM?.?U....
Obviously this is not valid instructions but wide characters text.
I think it is very likely that callee broke edx information as xwlan said.
( And I thought LAST_CONTROL_TRANSFER is some kind of trustful information. It was just displaying last callstack entry to eip )
But my suppositions still don't make a sense. Can somebody make a scenario that makes sense?
Suppose 1: instruction jumped before 0x3822A497 and executed popad
I think this makes most sense. (e.g. could jumped by some indirection jump/call to pointer to text buffer 0x3822A490)
If so, popad would executed, which pops EDI, ESI, EBP, EBX, EDX, ECX, and EAX from stack.
Then why can't I find these register's values from stack?
For example, if so, shouldn't I see 0x00000002 (ebp), 0x01e4dcc0 (edx) from stack near 0x0018CFE4 (esp)?
Suppose 2: callee was not 0x3822A497 , instruction jumped exactly to 0x3822A497
I think it is very rare case.
If jump was by indirect call/jmp, nothing would pointed to 0x3822A497 which is odd number,
If jump was by relative call/jmp, the call instruction would be near 0x3822A497,
but I can't find such a relative calls when I disassembly from every point near 0x3822A497
and because it has ##, 00, ##, 00, ## pattern of wide character text,
most possible jump instruction jumps to next instruction pointer, for example:
3822A494 72 00 > jb 3822A496
3822A496 61 popad
3822A497 00 6E 00 add byte ptr [esi],ch
Suppose 3: Callee was 0x3822A497
then why edx is not 0x3822A497. (First question)

You're putting too much faith in the call stack, you're likely missing a frame here (probably some sort of FPO related artifact). I suspect that EDX wasn't the bad EIP, it held the address of a valid function that eventually set up the invalid EIP.
If I were you, I would reconstruct EDX at the time of the crash and see what function it is. Then you can try to figure out what that function might have done to trash EIP (probably a stack overflow). If you're feeling lucky/lazy, you could hope that EDX has stayed unmolested and see what, "uf #edx" gets you.

look like stack corruption, "esp=0018cfe4 ebp=00000002", ebp is apparently a bad value.
i'd suggest check the code "00CCDE65 call edx", the edx looks like point to a virtual function, this function and its callee corrupt the stack. dds esp in windbg can help to dump current stack memory to check whether there's any suspicious values, e.g. any string?

Analyzing Outlook HANG dump (with GoogleCalendarSync add-in installed)

Since I started using outlook with GoogleCalendarSync i'm experiencing hangs every once in awhile.
I used ADPlus to create a hang dump of the process (using adplus -hang -pn outlook.exe -o c:\dumps).
When I read the dump via WinDBG I use the command !analyze -v -hang, but I can't figure out what exactly went wrong.
The output of the command is:
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
+1d32faf00ffdf58 00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000 ExceptionCode: 80000007 (Wake debugger)
ExceptionFlags: 00000000 NumberParameters: 0
BUGCHECK_STR: HANG
PROCESS_NAME: OUTLOOK.EXE
ERROR_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code
text>
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE OS Thread Id: 0xd60 (37) Current frame:
ChildEBP RetAddr Caller,Callee
DERIVED_WAIT_CHAIN:
Dl Eid Cid WaitType
-- --- ------- -------------------------- 0 ba0.6a4 Thread Handle --> 37 ba0.d60 Event
WAIT_CHAIN_COMMAND: ~0s;k;;~37s;k;;
BLOCKING_THREAD: 00000d60
DEFAULT_BUCKET_ID: APPLICATION_HANG_BlockedOn_EventHandle
PRIMARY_PROBLEM_CLASS: APPLICATION_HANG_BlockedOn_EventHandle
LAST_CONTROL_TRANSFER: from 7c90df5a to 7c90e514
FAULTING_THREAD: 00000025
STACK_TEXT: 11f3f764 7c90df5a 7c8025db 00000458 00000000
ntdll!KiFastSystemCallRet 11f3f768 7c8025db 00000458 00000000 00000000
ntdll!NtWaitForSingleObject+0xc 11f3f7cc 7c802542 00000458 ffffffff
00000000 kernel32!WaitForSingleObjectEx+0xa8 11f3f7e0 77520197
00000458 ffffffff 00192888 kernel32!WaitForSingleObject+0x12 11f3f7fc
77602e50 00192888 001a3ab8 00000000 ole32!GetToSTA+0x6f 11f3f81c
7760208a 11f3f8e4 11f3f9f4 09b148b8
ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xf6 11f3f8fc
7752c982 09b148b8 11f3f9f4 11f3f9e4
ole32!CRpcChannelBuffer::SendReceive2+0xc8 11f3f968 7752c91a 09b148b8
11f3f9f4 11f3f9e4 ole32!CAptRpcChnl::SendReceive+0xab 11f3f9bc
77ef5db5 09b148b8 11f3f9f4 11f3f9e4
ole32!CCtxComChnl::SendReceive+0x113 11f3f9d8 77ef5ead 09b22354
11f3fa20 0600015b rpcrt4!NdrProxySendReceive+0x43 11f3fdbc 77ef5e42
774e6228 774e92da 11f3fdf4 rpcrt4!NdrClientCall2+0x1fa 11f3fddc
77e88519 00000010 00000005 11f3fe04 rpcrt4!ObjectStublessClient+0x8b
11f3fdec 7752d919 09b22354 00000001 145bf7b8 rpcrt4!ObjectStubless+0xf
11f3fe04 7752d8ba 09b22354 00192888 00000001
ole32!RemoteReleaseRifRefHelper+0x84 11f3fe2c 7752c558 09b22354
00192888 00000001 ole32!RemoteReleaseRifRef+0x74 11f3fe84 7752c351
0e8a3cfc 0e8a3cf8 00000000 ole32!CStdMarshal::DisconnectCliIPIDs+0x200
11f3feac 7750c880 00000002 0e8a3da0 0e8a3cf8
ole32!CStdMarshal::Disconnect+0x178 11f3fec8 7750c7ed 0e8a3cf8
11f3fee8 7750c967 ole32!CStdIdentity::~CStdIdentity+0x89 11f3fed4
7750c967 00000001 00440023 00520006 ole32!CStdIdentity::`vector
deleting destructor'+0xd 11f3fee8 77ef5ae8 80000000 11f3ff00 1112f31b
ole32!CStdIdentity::CInternalUnk::Release+0x4c 11f3fef4 1112f31b
0e8bd1fc 11f3ff14 1112a0e4 rpcrt4!IUnknown_Release_Proxy+0x11 WARNING:
Stack unwind information not available. Following frames may be wrong.
11f3ff00 1112a0e4 11f3ff80 00000000 11f3ff80 GoogleCalendarSync+0xf31b
11f3ff14 1112a0b1 00000000 11f3ff80 11f3ffb4 GoogleCalendarSync+0xa0e4
11f3ff24 11137c5e 555047c9 00020048 80578cb2 GoogleCalendarSync+0xa0b1
11f3ffb4 7c80b729 00000301 00440023 00520006
GoogleCalendarSync+0x17c5e 11f3ffec 00000000 111378c0 00000301
00000000 kernel32!BaseThreadStart+0x37
FOLLOWUP_IP: GoogleCalendarSync+f31b 1112f31b 8b5508 mov
edx,dword ptr [ebp+8]
SYMBOL_STACK_INDEX: 15
SYMBOL_NAME: GoogleCalendarSync+f31b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: GoogleCalendarSync
IMAGE_NAME: GoogleCalendarSync.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4d9f0466
STACK_COMMAND: ~37s ; kb
BUCKET_ID: HANG_GoogleCalendarSync+f31b
WATSON_IBUCKET: -1362224887
WATSON_IBUCKETTABLE: 1
FAILURE_BUCKET_ID:
APPLICATION_HANG_BlockedOn_EventHandle_cfffffff_GoogleCalendarSync.dll!Unknown
WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/OUTLOOK_EXE/14_0_6117_5001/4f3e2d20/unknown/0_0_0_0/bbbbbbb4/cfffffff/00000000.htm?Retriage=1
Followup: MachineOwner
---------------------------
How can I further investigate this dump? What am I missing?

The thread GoogleCalendarSync is operating in tries to Release a COM object whose apartement model is STA, that is the object lives in a single thread. This kind of object was very popular in the begining of COM, because the COM layer ensures the object won't be accessed from multiple threads in the same time, thus avoiding adding synchronization code in the object implementation.
You can grab the first parameter of GetToSTA (0x00192888 in this case), dump the contents of the memory at this address (dc 0x00192888). In the result, skip the first 2 DWORD : next DWORD should be the target process ID and next one the target thread ID. This target thread is likely to be already blocked in another operation (refer to http://blogs.msdn.com/b/tess/archive/2008/06/12/asp-net-case-study-deadlock-waiting-in-gettosta.aspx if you need a real life example).