Is there a way to break windbg or visual studio debugger execution when the value of LastError value changes?
Edit:
Found a way by setting a breakpoint in ntdll!RtlSetLastWin32Error.
Does anyone know another way or it's the best way for that?
set a write breakpoint on the address of teb->LastErrorValue
ba w4 ##c++(&(#$thread->LastErrorValue))
happy breaking whenever error value changes
you can add conditions to the bp to break only when you want too
0:000> ba w4 ##c++(&(#$thread->LastErrorValue)) "!gle;gc"
breakpoint 0 redefined
0:000> g
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc000008a - Indicates the specified resource type cannot be found in the image file.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc0000034 - Object Name not found.
Related
I want to get information on a process from Sysinternals' livekd using its process ID. How do I do this?
The documentation for WinDBG's !process command on MSDN (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/-process) says,
!process [/s Session] [/m Module] [Process [Flags]]
gives information about the process specified by "Process". The documentation further says,
Process - Specifies the hexadecimal address or the process ID of the process on the target computer.
But try as I might, specifying the PID gives nothing, and I can't see a way to find the hexadecimal address of the process structure for a running process.
For e.g., from Sysinternals' Process Explorer, I see a process with PID 672 backed by svchost.exe, as follows:
But when I use the !process command with the PID 672 or its hexadecimal, 2A0, I get nothing. See below:
0: kd> !process 672
Searching for Process with Cid == 672
Cannot resolve nt!_EPROCESS object type
0: kd> !process 2A0
Searching for Process with Cid == 2a0
Cannot resolve nt!_EPROCESS object type
But !process svchost.exe works (for a some instance of that image that's running):
0: kd> !process svchost.exe
PROCESS ffffdc0a4b49b180
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001ad002 ObjectTable: ffff9a0ba4e3ee40 HandleCount: 6664.
Image: System
VadRoot ffffdc0a66ea3200 Vads 58 Clone 0 Private 30. Modified 31341619. Locked 192.
DeviceMap ffff9a0ba4e36360
Token ffff9a0ba4e072b0
ElapsedTime 5 Days 13:59:48.702
I can also use !process ffffdc0a4b49b180 using the information gained from !process svchost.exe, but I want to use the process ID to get this information. How do I do this?
Edit 1: I think that I am setting the symbols correctly, based on information here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path . Please see the output below.
0: kd> .sympath
Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\symbols\*https://msdl.microsoft.com/download/symbols
0: kd> lml
start end module name
fffff804`82200000 fffff804`83246000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
fffff804`a3420000 fffff804`a342d000 LiveKdD (no symbols)
0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload nt
SYMSRV: BYINDEX: 0xF
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntoskrnl.exe
F05723421046000
SYMSRV: PATH: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - OK
DBGENG: c:\symbols\ntoskrnl.exe\F05723421046000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x10
c:\symbols\*https://msdl.microsoft.com/download/symbols
ntkrnlmp.pdb
1F9BB45B28B806E4D18925C06E924B8C1
SYMSRV: PATH: c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
c:\symbols\ntkrnlmp.pdb\1F9BB45B28B806E4D18925C06E924B8C1\ntkrnlmp.pdb
0: kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x438 ProcessLock : _EX_PUSH_LOCK
+0x440 UniqueProcessId : Ptr64 Void
+0x448 ActiveProcessLinks : _LIST_ENTRY
+0x458 RundownProtect : _EX_RUNDOWN_REF
+0x460 Flags2 : Uint4B
+0x460 JobNotReallyActive : Pos 0, 1 Bit
+0x460 AccountingFolded : Pos 1, 1 Bit
+0x460 NewProcessReported : Pos 2, 1 Bit
....
Edit 2:
I just discovered that LiveKdD.sys is not getting loaded. I have reinstalled Windows SDK, and uninstalled my antivirus software. That doesn't fix this issue.
But, LivekdD.sys is present in the directory it's trying to load it from. See below.
PS C:\WINDOWS\system32\drivers> dir livekdd.sys
Directory: C:\WINDOWS\system32\drivers
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 24-11-2021 21:53 39272 livekdd.sys
Launching D:\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.22000.194 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`75400000 PsLoadedModuleList = 0xfffff807`7602a2d0
Debug session time: Wed Nov 24 22:03:56.831 2021 (UTC + 5:30)
System Uptime: 0 days 0:13:04.851
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................................
Loading User Symbols
..........................................
Loading unloaded module list
............
For analysis of this file, run !analyze -v
0: kd> .tlist notepad.exe
Unable to load image \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS, Win32 error 0n2
0n3176 notepad.exe
As Already commented several times it works
here is an output from livekd
0: kd> .tlist calculator.exe
0n1872 Calculator.exe
0: kd> !process 0n1872 0
Searching for Process with Cid == 750
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
0: kd> !process 0 0 calculator.exe
PROCESS ffffc388a8cd5080
SessionId: 5 Cid: 0750 Peb: 806522f000 ParentCid: 0250
DirBase: 7a081002 ObjectTable: ffff8985feda39c0 HandleCount: 467.
Image: Calculator.exe
EDIT
a complete session
D:\>livekd
LiveKd v5.63 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2020 Mark Russinovich and Ken Johnson
Launching C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\kd.exe:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'LiveKD live system view'
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*f:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff803`3cc00000 PsLoadedModuleList = 0xfffff803`3d045f30
Debug session time: Wed Nov 24 06:55:11.500 2021
System Uptime: 3 days 5:19:28.286
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................
Loading User Symbols
Loading unloaded module list
..................................................
0: kd> .tlist cmd.exe
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
0n7836 cmd.exe
0: kd> !process 0n7836 0
Searching for Process with Cid == 1e9c
PROCESS ffffc388b2810080
SessionId: 9 Cid: 1e9c Peb: 7f78344000 ParentCid: 1468
DirBase: 115d4a002 ObjectTable: ffff8985fed9ad40 HandleCount: 68.
Image: cmd.exe
0: kd>
edit 2
my module is as follows
0: kd> lmv live
start end module name
fffff803`59090000 fffff803`5909d000 LiveKdD (no symbols)
Symbol file: LiveKdD.SYS
Image path: \??\C:\WINDOWS\system32\Drivers\LiveKdD.SYS
Image name: LiveKdD.SYS
Timestamp: Mon Apr 27 21:28:28 2020 (5EA70124)
CheckSum: 00014362
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd>
I've got an issue at the moment where the android app just quits without exception. I've managed to trace it back to this line.
PropertyChanged?.Invoke(this, new PropertyChangedEventArgs(propertyName));
I've checked all the properties and they all seem fine, no nulls etc.
I've also found this in the Debug output:
Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 9154
I've googled this and spent the last 2 days trying various things like changing compiler options but to no avail. Is there a way to get more detailed information ? I am not familiar with the workings of Android so if its anything specific please explain in detail.
I'm using:
VS2019 community (not preview)
XF: 4.7.0.1351 (tried the latest 4.8.0.1451 but the same happens)
Android: 9.0 API 28
Running on an emulator also tried actual device.
UPDATE 1 (logcat snips):
09-20 14:09:03.764 777 777 F : Why are we setting the target on an unoccupied slot?
--------- beginning of crash
09-20 14:09:03.764 777 777 F libc : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 777, pid 777
09-20 14:09:03.790 852 852 I crash_dump32: obtaining output fd from tombstoned, type: kDebuggerdTombstone
09-20 14:09:03.790 1747 1747 I /system/bin/tombstoned: received crash request for pid 777
09-20 14:09:03.791 852 852 I crash_dump32: performing dump of process 777 (target tid = 777)
09-20 14:09:03.795 852 852 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-20 14:09:03.795 852 852 F DEBUG : Build fingerprint: 'google/sdk_gphone_x86_arm/generic_x86_arm:9/PSR1.180720.117/5875966:user/release-keys'
09-20 14:09:03.795 852 852 F DEBUG : Revision: '0'
09-20 14:09:03.795 852 852 F DEBUG : ABI: 'x86'
09-20 14:09:03.795 852 852 F DEBUG : pid: 777, tid: 777
09-20 14:09:03.795 852 852 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
09-20 14:09:03.795 852 852 F DEBUG : Abort message: 'Why are we setting the target on an unoccupied slot?'
09-20 14:09:03.795 852 852 F DEBUG : eax 00000000 ebx 00000309 ecx 00000309 edx 00000006
09-20 14:09:03.796 852 852 F DEBUG : edi 00000309 esi c5462780
09-20 14:09:03.796 852 852 F DEBUG : ebp ffa9f6b8 esp ffa9f608 eip f66dfb39
09-20 14:09:03.796 852 852 F DEBUG :
09-20 14:09:03.796 852 852 F DEBUG : backtrace:
09-20 14:09:03.796 852 852 F DEBUG : #00 pc 00000b39 [vdso:f66df000] (__kernel_vsyscall+9)
09-20 14:09:03.796 852 852 F DEBUG : #01 pc 0001fdf8 /system/lib/libc.so (syscall+40)
09-20 14:09:03.796 852 852 F DEBUG : #02 pc 00022ed3 /system/lib/libc.so (abort+115)
UPDATE 2:
So as I've said it crashes without exception when Invoking the PropertyChanged method.
Using the debugger I've inspected the properties of PropertyChanged. I've got a subscriber to this even which is in an external assembly for the Data Access Layer.
I removed this subscriber to see if that was the issue, but no, the problem remains.
I checked the subscriber again and now it states it's inside the Xamarin.Forms.Core.dll called OnPropertyChanged
I'm not sure how to debug this further.
UPDATE 3:
I've created another project in the hope of getting the same behaviour, but unfortunately I could not reproduce the issue, but I did notice one thing.
We can clearly see the target in my broken project (second image) is NULL, any ideas how this could happen ?
It seems it makes no difference if the Target is null, I have no idea why it was null on one project and not the other.
Anyway after many hours , well days of debugging, the issue was because I was overwriting the properties of the bound object using Force.DeepCloner
I'm not sure exactly why this happens but its got something to do with how the object is used in the bindings. Once its created, using DeepCloner to overwrite "this" causes these issues.
I am unable to figure this problem out. Symbol is not being resolved
Deployment
There are number of exes of my system deployed on a network path. All users run those exes from that shared network path. This was working fine two weeks ago but now some of those exes have started crashing. There is no fix pattern of being crashed, it happens to any user, anytime during any activity.
Troubleshooting
I have got the dump of one of them, i tried WinDbg and got following
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\crash\RNS1000.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: SRV*c:\crash*http://msdl.microsoft.com/download/symbols;c:\crash
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Wed Oct 10 15:36:36.000 2012 (UTC + 5:00)
System Uptime: not available
Process Uptime: 0 days 7:12:54.000
................................................................
.........................................................
Loading unloaded module list
.......
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(924.85c): In-page I/O error ffffffffc000020c - code c0000006 (first/second chance not available)
eax=02060000 ebx=7c90fe01 ecx=00001000 edx=7c90e4f4 esi=000003a0 edi=00000000
eip=7c90e4f4 esp=0013afdc ebp=0013b040 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200297
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12007.
FAULTING_IP:
RNS1000+55f610
0095f610 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0095f610 (RNS1000+0x0055f610)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000008
Parameter[1]: 0095f610
Parameter[2]: c000020c
Inpage operation failed at 0095f610, due to I/O error c000020c
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT
PROCESS_NAME: RNS1000.exe
ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 0095f610
EXCEPTION_PARAMETER3: c000020c
IO_ERROR: (NTSTATUS) 0xc000020c - The transport connection is now disconnected.
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
APP: rns1000.exe
FAULTING_THREAD: ffffffff
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT
STACK_TEXT:
00000000 00000000 hardware_disk!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: hardware_disk!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware_disk
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000006_hardware_disk!Unknown
BUCKET_ID: APPLICATION_FAULT_SOFTWARE_NX_FAULT_hardware_disk!Unknown
IMAGE_NAME: hardware_disk
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/RNS1000_exe/2_0_0_5/4f17b9d2/RNS1000_exe/2_0_0_5/4f17b9d2/c0000006/0055f610.htm?Retriage=1
Followup: MachineOwner
---------
I am expecting RNS1000+55f610 to be resolved to one of my programs function but it has not been resolved. The sysmbol path contains exe, pdb and mdmp.
Please tell me why has it not been resolved? what wrong am i doing?
The key part here is the In-page I/O error. The underlying disk/network drive disappeared.
The crash occurs some time later when it tries to page back in part of the executable, but it no longer has a valid file handle/connection.
The only fix is to run it locally or make sure the disk doesn't disappear while they're running.
More generally, you can get VB to create the info files for native debugging using the "Create symbolic debug info" option in the project's Compile settings. This can only be done before the fact though and won't help with debugging an existing build.
My operations group, and the devs are clueless to why this happens. Basically the server-side service of a client/server application hangs. We have been pushing new bugfixed versions and providing all kinds of logs to the devs, but they can't figure it out. To make it even harder to figure out, this is an application that works very closely with another application on the client side.
I have no idea if I'm onto something here, as I have limited windbg experience, but this seems worth checking out. Google comes up pretty promising, but with mostly gamers having BSODs not providing much more info...
I found this bit at the start of the dump:
WARNING: odbccp32 overlaps comctl32 .
WARNING: odbc32 overlaps odbccp32
WARNING: odbc32 overlaps comctl32 .............
WARNING: mswsock overlaps FWPUCLNT .......
WARNING: winsta overlaps winnsi .
WARNING: ntlanman overlaps drprov .... ...
WARNING: srvcli overlaps netapi32
WARNING: wkscli overlaps srvcli ..........
WARNING: ncrypt overlaps schannel .
WARNING: nlaapi overlaps ncrypt .
WARNING: NapiNSP overlaps nlaapi ....
WARNING: rsaenh overlaps cryptsp
and a bit lower:
OVERLAPPED_MODULE: Address regions for 'odbc32' and 'odbccp32' overlap
Here is the complete !analyze -v dump:
Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\debug\MES\PLSMES.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: srv*c:\symbols*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (16 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Machine Name:
Debug session time: Thu Jun 14 10:37:01.000 2012 (UTC + 2:00)
System Uptime: not available
Process Uptime: 0 days 6:36:13.000
......................................WARNING: odbccp32 overlaps comctl32
.WARNING: odbc32 overlaps odbccp32
WARNING: odbc32 overlaps comctl32
.............WARNING: mswsock overlaps FWPUCLNT
.......WARNING: winsta overlaps winnsi
.WARNING: ntlanman overlaps drprov
....
...WARNING: srvcli overlaps netapi32
.WARNING: wkscli overlaps srvcli
..........WARNING: ncrypt overlaps schannel
.WARNING: nlaapi overlaps ncrypt
.WARNING: NapiNSP overlaps nlaapi
....WARNING: rsaenh overlaps cryptsp
Cannot read PEB32 from WOW64 TEB32 7efdd000 - Win32 error 0n30
wow64cpu!CpupSyscallStub+0x9:
00000000`741f2e09 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify timestamp for PLSMES.exe
*** ERROR: Module load completed but symbols could not be loaded for PLSMES.exe
FAULTING_IP:
+0
00000000`00000000 ?? ???
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000000000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 0000000000001364
DEFAULT_BUCKET_ID: BAD_DUMP_MISSING_MEMORY
PROCESS_NAME: PLSMES.exe
OVERLAPPED_MODULE: Address regions for 'odbc32' and 'odbccp32' overlap
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: plsmes.exe
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 0000000000000000 to 00000000741f2e09
PRIMARY_PROBLEM_CLASS: BAD_DUMP_MISSING_MEMORY
BUGCHECK_STR: APPLICATION_FAULT_BAD_DUMP_MISSING_MEMORY
STACK_TEXT:
00000000`00000000 00000000`00000000 bad_dump!missing_stack+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: bad_dump!missing_stack
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: bad_dump
IMAGE_NAME: bad_dump
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: BAD_DUMP_MISSING_MEMORY_80000003_bad_dump!missing_stack
BUCKET_ID: X64_APPLICATION_FAULT_BAD_DUMP_MISSING_MEMORY_bad_dump!missing_stack
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/PLSMES_exe/4_4_3_2582/4f8ac8f6/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
Followup: MachineOwner
---------
Could this be related to the application hangs? Overlapping memory doesn't seem good.
Note: The same server runs other instances of the same application without error.
Any pointers to further debugging would also be nice.
(Moved from ServerFault, I guess this is better asked here.)
I've seen this happen when a 64 bit version of task manager is used to create a dump of a 32 bit process. If this is your case, then use the 32 bit version of task manager which can be found in the SysWOW64 folder. This link describes the problem:
http://blogs.msdn.com/b/tess/archive/2010/09/29/capturing-memory-dumps-for-32-bit-processes-on-an-x64-machine.aspx
I'm debugging some random crash bugs, but actually very difficult to go deep into. Because when i open crash dump, only find one error:
0:000> .exr -1
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
Actually i haven't set any hard-code breakpoint in code, so i search about this exception in google, some people said this exception may be caused by heap corruption.
So my question is,
Is there any other reason why cause this exception, except hard-code breakpoint, manual breakpoint while debugging, heap corruption?
Another question is, i try to use Application Verifier to check heap corruption, i understand how does it work, app verifier will trigger break instruction exception while heap corruption. But currently, i run without app verifier, who will raise the break instruction exception?
Additional info: call stack for current thread.
*0:000> k
ChildEBP RetAddr
0012f96c 7c827d19 ntdll!KiFastSystemCallRet
0012f970 77e6202c ntdll!NtWaitForMultipleObjects+0xc
0012fa18 7739bbd1 kernel32!WaitForMultipleObjectsEx+0x11a
0012fa74 3b288523 user32!RealMsgWaitForMultipleObjectsEx+0x141
0012fab8 3b32b9bd msenv!EnvironmentMsgLoop+0x1ea
0012fae4 3b32b94d msenv!CMsoCMHandler::FPushMessageLoop+0x86
0012fb0c 3b32b8e9 msenv!SCM::FPushMessageLoop+0xb7
0012fb28 3b32b8b8 msenv!SCM_MsoCompMgr::FPushMessageLoop+0x28
0012fb48 3b32be4e msenv!CMsoComponent::PushMsgLoop+0x28
0012fbe0 3b327561 msenv!VStudioMainLogged+0x482
0012fc0c 3000a4a6 msenv!VStudioMain+0xc1
0012fc38 30007301 devenv!util_CallVsMain+0xff
0012ff14 3000760c devenv!CDevEnvAppId::Run+0x91f
0012ff30 30007680 devenv!WinMain+0x74
0012ffc0 77e6f23b devenv!License::GetPID+0x258
0012fff0 00000000 kernel32!BaseProcessStart+0x23*
Our application is a Visual Studio Package.
Below is the result from !analyze -v
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
+0
00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 00001f1c
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
PROCESS_NAME: devenv.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK:
SP IP Function
0012E584 09C8A903 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure(Int32, Int32[])+0x3b
0012E590 09C8C604 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.Design.VSDesignSurfaceManager.Microsoft.VisualStudio.Shell.Interop.IVsSelectionEvents.OnElementValueChanged(UInt32, System.Object, System.Object)+0x144
StackTraceString: <none>
HResult: 80004005
EXCEPTION_OBJECT: !pe 3115d464
Exception object: 3115d464
Exception type: System.Runtime.InteropServices.COMException
Message: Error HRESULT E_FAIL has been returned from a call to a COM component.
InnerException: <none>
StackTrace (generated):
SP IP Function
0012E584 09C8A903 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure(Int32, Int32[])+0x3b
0012E590 09C8C604 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.Design.VSDesignSurfaceManager.Microsoft.VisualStudio.Shell.Interop.IVsSelectionEvents.OnElementValueChanged(UInt32, System.Object, System.Object)+0x144
StackTraceString: <none>
HResult: 80004005
MANAGED_OBJECT: !dumpobj 3201988
Name: System.String
MethodTable: 79330a00
EEClass: 790ed64c
Size: 158(0x9e) bytes
(C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: Error HRESULT E_FAIL has been returned from a call to a COM component.
Fields:
MT Field Offset Type VT Attr Value Name
79332c4c 4000096 4 System.Int32 1 instance 71 m_arrayLength
79332c4c 4000097 8 System.Int32 1 instance 70 m_stringLength
793316e0 4000098 c System.Char 1 instance 45 m_firstChar
79330a00 4000099 10 System.String 0 shared static Empty
>> Domain:Value 00219c28:03031198 <<
79331630 400009a 14 System.Char[] 0 shared static WhitespaceChars
>> Domain:Value 00219c28:03031798 <<
EXCEPTION_MESSAGE: Error HRESULT E_FAIL has been returned from a call to a COM component.
MANAGED_OBJECT_NAME: System.Runtime.InteropServices.COMException
LAST_CONTROL_TRANSFER: from 7c827d19 to 7c82860c
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT
BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT
STACK_TEXT:
09c8a903 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure
09c8c604 Microsoft_VisualStudio_Design!Microsoft.VisualStudio.Design.VSDesignSurfaceManager.Microsoft.VisualStudio.Shell.Interop.IVsSelectionEvents.OnElementValueChanged
STACK_COMMAND: dds 12e584 ; kb
FOLLOWUP_IP:
+9c8a903
09c8a903 8bc6 mov eax,esi
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Microsoft_VisualStudio_Design!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure+9c8a903
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Microsoft_VisualStudio_Design
IMAGE_NAME: Microsoft.VisualStudio.Design.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_Microsoft.VisualStudio.Design.dll!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure
BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_Microsoft_VisualStudio_Design!Microsoft.VisualStudio.NativeMethods.ThrowOnFailure+9c8a903
Followup: MachineOwner
...
In the managed stack, there is a explicit error,Microsoft.VisualStudio.NativeMethods.ThrowOnFailure..
But that means the com exception cause the break instruction exception?
!analyze seems just dump the managed level, the com exception maybe the last error in the managed level.
I also search something about interrupt and exception from google, Normally, the break instruction exception can be triggered in following conditions:
1. Hardcode interrupt request, like: __asm int 3 (ASM), System.Diagnostics.Debugger.Break (C#), DebugBreak() (WinAPI).
2. OS enable memory runtime check, like Application Verifier can trigger after heap corruption, memory overrun.
3. Compiler can have some configuration to enble what should be filled for the uninitialized memory block and end of function(blank area, after retun..). For example, Microsoft VC complier can fill 0xCC if enable /GZ. 0xCC is actually a opcode of __asm int 3. So if some error cause the application run into such block, will trigger a break point.
Correct?
If that, I think Application Verifier should be best choice to find the root cause.
For future reference, the Your debugger is not using the correct symbols warning is caused because you need to add Windows symbols to the Windbg symbols path. Here is how to do that:
Set Microsoft symbol server path automatically:
0:000> .symfix
Optionally you can specify an additional location where to download symbol from, e.g.:
0:000> .sympath+ c:\myproject
Check current symbol search path:
0:000> .sympath
You should see something like this:
SRV**http://msdl.microsoft.com/download/symbols
Reload symbols:
0:000> .reload
Then, you will be able to see information about the current exception using this command:
0:000> !analyze -v
You should see a line similar to the following:
ExceptionCode: c0000005 (Access violation)
Good luck fixing bugs!
The command to use to find the exception that caused the crash dump is .ecxr. The outpt you got from .exr -1 is incorrect as the ExceptionAddress is zero.