Q. Could you share some insights about ds:[]?
A. Let's look at the typical output of an invalid pointer access violation context:
0:000> r
Last set context:
eax=00000000 ebx=00000001 ecx=00000000 edx=0018fe40 esi=00426310 edi=00000111
eip=0041ff21 esp=0018f81c ebp=0018f850 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Module!Function+0xb1:
0041ff21 mov dword ptr ds:[812c2bef],0 ds:002b:812c2bef=????????
We can ignore ds (the data segment register): segmentation is no longer used for addressing (the selectors describe one flat address space) and is in fact abandoned in the x64 model. The same holds for ss (stack segment), es (extra data segment) and cs (code segment). Treat what is in square brackets [] as a memory address, so the whole [] expression is the value of the memory cell at that address. The instruction above tries to write 0 to that address, replacing the original value there. The address is outside the user-mode part of the process address space (> 0x7fffffff), so it is invalid:
0:000> dp 812c2bef
812c2bef ???????? ???????? ???????? ????????
812c2bff ???????? ???????? ???????? ????????
812c2c0f ???????? ???????? ???????? ????????
812c2c1f ???????? ???????? ???????? ????????
812c2c2f ???????? ???????? ???????? ????????
812c2c3f ???????? ???????? ???????? ????????
812c2c4f ???????? ???????? ???????? ????????
812c2c5f ???????? ???????? ???????? ????????
The following books teach assembly language fundamentals necessary for Windows debugging:
Windows Debugging: Practical Foundations
http://www.dumpanalysis.org/Forthcoming+Windows+Debugging%3A+Practical+Foundations
x64 Windows Debugging: Practical Foundations
http://www.dumpanalysis.org/x64+Windows+Debugging%3A+Practical+Foundations
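As an added example (not part of the book), the following script parses the r output quoted above the way a triage tool would: it pulls the register values, confirms that ds, ss and es hold the same selector (the flat model that lets us ignore them), extracts the memory operand of the faulting instruction, decides whether the access was a read or a write, and checks the address against the 0x7fffffff user-space limit. The 2 GB boundary and the sample text are assumptions taken from the answer.

```python
import re

# Constructed from the "r" output quoted in the answer above, not captured here.
CONTEXT = """\
eax=00000000 ebx=00000001 ecx=00000000 edx=0018fe40 esi=00426310 edi=00000111
eip=0041ff21 esp=0018f81c ebp=0018f850 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Module!Function+0xb1:
0041ff21 mov dword ptr ds:[812c2bef],0 ds:002b:812c2bef=????????
"""

# Highest user-mode address of a 32-bit process with the default 2 GB split, the
# boundary the answer uses; /3GB or a large-address-aware process would raise it.
USER_SPACE_LIMIT_32 = 0x7FFFFFFF

REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b")
FAULT_RE = re.compile(
    r"^(?P<eip>[0-9a-f]{8}) (?P<mnem>\w+) (?P<ops>.*?) "
    r"(?P<seg>[a-z]s):[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<val>\S+)$",
    re.M,
)

def parse_registers(text):
    """Map register names to integer values from the 'r' register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def flat_segments(regs):
    """True when the data-side selectors are identical (flat model): the segment
    bases then add nothing, so only the [] expression matters."""
    return len({regs["ds"], regs["ss"], regs["es"]}) == 1

def classify_fault(text):
    """Describe the faulting instruction: what it touched, how, and why it failed."""
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no faulting instruction line in context")
    addr = int(m["addr"], 16)
    # Intel syntax: destination first, so a memory operand before the comma is written.
    operands = [op.strip() for op in m["ops"].split(",")]
    return {
        "eip": int(m["eip"], 16),
        "mnemonic": m["mnem"],
        "address": addr,
        "access": "write" if "[" in operands[0] else "read",
        "in_user_space": addr <= USER_SPACE_LIMIT_32,
        # '????????' means the debugger could not read the cell (unmapped page).
        "readable": not m["val"].startswith("?"),
        "flat_model": flat_segments(parse_registers(text)),
    }

if __name__ == "__main__":
    print(classify_fault(CONTEXT))
```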
Q. !clrstack -a command sometimes shows <no data> for parameters or locals. What can we do here?
A. The only way I can see is to use the !U command to disassemble the IP and reverse engineer the assembly language output, but this can be a very difficult task. The !mk -p -l -a SOSEX command might give you additional local names:
0:000> !CLRStack -a
OS Thread Id: 0xa70 (0)
Child SP IP Call Site
[...]
0020dc5c 69360f2a
System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)
PARAMETERS:
this (0x0020dc64) = 0x0144d04c
t (0x0020dc60) = 0x01467f44
LOCALS:
0x0020dc5c = 0x0147f160
0x0020dc68 = 0x00000001
<no data>
<no data>
[...]
0:000> !mk -p -l -a
Thread 0:
ESP EIP
[...]
08:M 0020dc5c 69360f2a System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)(+0x4c IL)(+0xda Native)
[A0]:this:0x0144d04c (ThreadContext)
[A1]:t:0x01467f44 (System.Exception)
[L0]:0x0147f160 (System.Windows.Forms.ThreadExceptionDialog)
[L1]:0x1 (OK) (System.Windows.Forms.DialogResult)
[L2]:<?>
[L3]:<?>
[...]
Q. Context Record seems useful but is it only available when an exception is thrown? Do all calls on a stack trace have the context record?
A. Saving a context record is a time-consuming operation, so for ordinary calls only some registers may be saved on the stack, and which ones is entirely compiler- and calling-convention-dependent. Similar to the context record is the trap frame structure, which is also saved when a thread transitions to kernel space (in addition to faults in kernel space). Please see an additional complete memory dump analysis exercise in this book.
Q. Is it possible to get parameters from a managed exception?
A. Yes, we can use the !DumpObject (!do) command:
0:000> !pe
Exception object: 01467f44
Exception type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
InnerException: <none>
StackTrace (generated):
SP IP Function
0020EA90 002D0250 ApplicationA!ApplicationA.Form1.button1_Click_1(System.Object, System.EventArgs)
0020EA98 68E04AE8 System_Windows_Forms_ni!System.Windows.Forms.Control.OnClick(System.EventArgs)+0x70
0020EAB0 68E070A2 System_Windows_Forms_ni!System.Windows.Forms.Button.OnClick(System.EventArgs)+0xa2
0020EAC8 69396174
System_Windows_Forms_ni!System.Windows.Forms.Button.OnMouseUp(System.Windows.Forms.MouseEventArgs)+0xac
0020EAE4 693695B5 System_Windows_Forms_ni!System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message
ByRef, System.Windows.Forms.MouseButtons, Int32)+0x2d1
0020EB78 6972A1BF System_Windows_Forms_ni!System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message
ByRef)+0x8d30bf
0020EBD0 697318DD System_Windows_Forms_ni!System.Windows.Forms.ButtonBase.WndProc(System.Windows.Forms.Message
ByRef)+0x8c3ac1
0020EC14 68E6DE00 System_Windows_Forms_ni!System.Windows.Forms.Button.WndProc(System.Windows.Forms.Message
ByRef)+0x20
0020EC20 68E570F3
System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message
ByRef)+0x13
0020EC28 68E57071
System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message
ByRef)+0x31
0020EC3C 68E56FB6 System_Windows_Forms_ni!System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr,
IntPtr)+0x96
StackTraceString: <none>
HResult: 80004003
0:000> !DumpObj 0x01467f44
Name: System.NullReferenceException
MethodTable: 6a46470c
EEClass: 6a1a1cb4
Size: 84(0x54) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
MT Field Offset Type VT Attr Value Name
6a46f9ac 400004a 4 System.String 0 instance 01489400 _className
6a4701f4 400004b 8 ...ection.MethodBase 0 instance 00000000 _exceptionMethod
6a46f9ac 400004c c System.String 0 instance 00000000 _exceptionMethodString
6a46f9ac 400004d 10 System.String 0 instance 0147eee4 _message
6a464004 400004e 14 ...tions.IDictionary 0 instance 00000000 _data
6a46fc0c 400004f 18 System.Exception 0 instance 00000000 _innerException
6a46f9ac 4000050 1c System.String 0 instance 00000000 _helpURL
6a46f5e8 4000051 20 System.Object 0 instance 0147f088 _stackTrace
6a46f5e8 4000052 24 System.Object 0 instance 00000000 _watsonBuckets
6a46f9ac 4000053 28 System.String 0 instance 00000000 _stackTraceString
6a46f9ac 4000054 2c System.String 0 instance 00000000 _remoteStackTraceString
6a472978 4000055 3c System.Int32 1 instance 0 _remoteStackIndex
6a46f5e8 4000056 30 System.Object 0 instance 00000000 _dynamicMethods
6a472978 4000057 40 System.Int32 1 instance -2147467261 _HResult
6a46f9ac 4000058 34 System.String 0 instance 00000000 _source
6a46aa2c 4000059 44 System.IntPtr 1 instance 20e618 _xptrs
6a472978 400005a 48 System.Int32 1 instance -1073741819 _xcode
6a42a29c 400005b 4c System.UIntPtr 1 instance 2d0250 _ipForWatsonBuckets
6a429888 400005c 38 ...ializationManager 0 instance 0147efbc _safeSerializationManager
We can even try to analyze the saved raw stack trace (the _stackTrace field above) using the !IP2MD command:
0:000> dps 0147f088
0147f088 6a426024 mscorlib_ni+0x2d6024
0147f08c 000000a0
0147f090 0000000b
0147f094 003ebde8
0147f098 002d0250
0147f09c 0020ea90
0147f0a0 0029631c
0147f0a4 68e04ae7 System_Windows_Forms_ni+0x1c4ae7
0147f0a8 0020ea98
0147f0ac 68c5c1e8 System_Windows_Forms_ni+0x1c1e8
0147f0b0 68e070a1 System_Windows_Forms_ni+0x1c70a1
0147f0b4 0020eab0
0147f0b8 68cf1900 System_Windows_Forms_ni+0xb1900
0147f0bc 69396173 System_Windows_Forms_ni+0x756173
0147f0c0 0020eac8
0147f0c4 68cf1918 System_Windows_Forms_ni+0xb1918
0147f0c8 693695b4 System_Windows_Forms_ni+0x7295b4
0147f0cc 0020eae4
0147f0d0 68c5d764 System_Windows_Forms_ni+0x1d764
0147f0d4 6972a1be System_Windows_Forms_ni+0xaea1be
0147f0d8 0020eb78
0147f0dc 68c5c940 System_Windows_Forms_ni+0x1c940
0147f0e0 697318dc System_Windows_Forms_ni+0xaf18dc
0147f0e4 0020ebd0
0147f0e8 68cf2274 System_Windows_Forms_ni+0xb2274
0147f0ec 68e6ddff System_Windows_Forms_ni+0x22ddff
0147f0f0 0020ec14
0147f0f4 68cf1948 System_Windows_Forms_ni+0xb1948
0147f0f8 68e570f2 System_Windows_Forms_ni+0x2170f2
0147f0fc 0020ec20
0147f100 68cf73c4 System_Windows_Forms_ni+0xb73c4
0147f104 68e57070 System_Windows_Forms_ni+0x217070
0:000> !IP2MD 002d0250
MethodDesc: 0029631c
Method Name: ApplicationA.Form1.button1_Click_1(System.Object, System.EventArgs)
Class: 002916c0
MethodTable: 00296378
mdToken: 0600000c
Module: 00292e9c
IsJitted: yes
CodeAddr: 002d0250
Transparency: Critical
0:000> !IP2MD 68e04ae8
MethodDesc: 68c5c1e8
Method Name: System.Windows.Forms.Control.OnClick(System.EventArgs)
Class: 68c4df38
MethodTable: 68e99948
mdToken: 060007ee
Module: 68c41000
IsJitted: yes
CodeAddr: 68e04a78
Transparency: Safe critical
0:000> !IP2MD 69396173
MethodDesc: 68cf1918
Method Name: System.Windows.Forms.Button.OnMouseUp(System.Windows.Forms.MouseEventArgs)
Class: 68c7bc28
MethodTable: 68e96b6c
mdToken: 060011a0
Module: 68c41000
IsJitted: yes
CodeAddr: 693960c8
Transparency: Safe critical
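As an added example (not part of the book), the script below cross-checks the raw _stackTrace dump against the !pe output: after the leading words, the dump on this page reads as (IP, SP, MethodDesc) triples, and each caller's IP is stored one byte below the return address that !pe prints, so it still falls inside the call instruction (the top, faulting frame matches exactly). Reading the dump as triples and skipping four header words are assumptions taken from this page's data, not a documented CLR layout; the sample text is trimmed to the first three frames.

```python
# Constructed from the dps and !pe output quoted in the answer above (first three
# frames only), not debugger output captured here.
DPS_DUMP = """\
0147f088 6a426024 mscorlib_ni+0x2d6024
0147f08c 000000a0
0147f090 0000000b
0147f094 003ebde8
0147f098 002d0250
0147f09c 0020ea90
0147f0a0 0029631c
0147f0a4 68e04ae7 System_Windows_Forms_ni+0x1c4ae7
0147f0a8 0020ea98
0147f0ac 68c5c1e8 System_Windows_Forms_ni+0x1c1e8
0147f0b0 68e070a1 System_Windows_Forms_ni+0x1c70a1
0147f0b4 0020eab0
0147f0b8 68cf1900 System_Windows_Forms_ni+0xb1900
"""
PE_TRACE = """\
0020EA90 002D0250 ApplicationA!ApplicationA.Form1.button1_Click_1(System.Object, System.EventArgs)
0020EA98 68E04AE8 System_Windows_Forms_ni!System.Windows.Forms.Control.OnClick(System.EventArgs)+0x70
0020EAB0 68E070A2 System_Windows_Forms_ni!System.Windows.Forms.Button.OnClick(System.EventArgs)+0xa2
"""
# Words before the first frame (assumption read off the page's dump; the 0xb
# there equals the eleven frames !pe listed, but that reading is unverified).
HEADER_WORDS = 4

def parse_dps(text):
    """Return the dumped 32-bit values in order, dropping address/symbol columns."""
    return [int(line.split()[1], 16) for line in text.splitlines() if line.strip()]

def raw_frames(values):
    """Group the words after the header into (ip, sp, method_desc) triples."""
    body = values[HEADER_WORDS:]
    return [tuple(body[i:i + 3]) for i in range(0, len(body) - len(body) % 3, 3)]

def parse_pe(text):
    """Return (sp, ip, function) for each !pe StackTrace line."""
    return [(int(sp, 16), int(ip, 16), func)
            for sp, ip, func in (line.split(None, 2) for line in text.splitlines())]

def correlate(dump_text, pe_text):
    """Pair each raw triple with its !pe frame; give back (method_desc, function,
    ip_delta). ip_delta is 0 for the faulting frame and 1 for every caller, whose
    stored IP is the return address minus one. Mismatched SPs raise."""
    pairs = []
    for (rip, rsp, md), (sp, ip, func) in zip(raw_frames(parse_dps(dump_text)),
                                               parse_pe(pe_text)):
        if rsp != sp or ip - rip not in (0, 1):
            raise ValueError(f"raw {rip:08x}/{rsp:08x} does not match !pe {ip:08x}/{sp:08x}")
        pairs.append((md, func, ip - rip))
    return pairs

if __name__ == "__main__":
    for md, func, delta in correlate(DPS_DUMP, PE_TRACE):
        print(f"MethodDesc {md:08x} (ip-{delta}) {func}")
```

The MethodDesc values it recovers are the ones to feed to !IP2MD or !DumpMD when !pe itself shows no symbol.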
Q. When multiple exceptions are seen, how do we know which exception was responsible for the crash? Some exceptions may be in the process of being handled, so they might not be responsible for the crash.
A. Usually you would see that from the stack trace. Here I show you a managed code example:
0:000> !CLRStack
OS Thread Id: 0xa70 (0)
Child SP IP Call Site
0020da88 77ba0f34 [InlinedCallFrame: 0020da88] System.Windows.Forms.UnsafeNativeMethods.WaitMessage()
0020da84 68e6737a System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
0020db20 68e66e2c System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32,
System.Windows.Forms.ApplicationContext)
0020db78 68e66c81 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32,
System.Windows.Forms.ApplicationContext)
0020dba8 6935fefb System.Windows.Forms.Application.RunDialog(System.Windows.Forms.Form)
0020dbbc 69389f83 System.Windows.Forms.Form.ShowDialog(System.Windows.Forms.IWin32Window)
0020dbc0 6938a1b7 [InlinedCallFrame: 0020dbc0]
0020dc58 6938a1b7 System.Windows.Forms.Form.ShowDialog()
0020dc5c 69360f2a System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)
0020dc98 69369866 System.Windows.Forms.Control.WndProcException(System.Exception)
0020dca4 6936ff9c System.Windows.Forms.Control+ControlNativeWindow.OnThreadException(System.Exception)
0020dca8 68e56fd1 System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)
0020ede4 014009dd [InlinedCallFrame: 0020ede4]
0020ede0 68e72eec DomainBoundILStubClass.IL_STUB_PInvoke(MSG ByRef)
0020ede4 68e671ff [InlinedCallFrame: 0020ede4] System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
0020ee28 68e671ff System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
0020ee2c 68e66e2c [InlinedCallFrame: 0020ee2c]
0020eec4 68e66e2c System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32,
System.Windows.Forms.ApplicationContext)
0020ef1c 68e66c81 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32,
System.Windows.Forms.ApplicationContext)
0020ef4c 68df366d System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
0020ef60 002d009a ApplicationA.Program.Main()
We try to get the exception parameters of the exception processing functions:
0:000> !CLRStack -a
OS Thread Id: 0xa70 (0)
Child SP IP Call Site
[...]
0020dc5c 69360f2a
System.Windows.Forms.Application+ThreadContext.OnThreadException(System.Exception)
PARAMETERS:
this (0x0020dc64) = 0x0144d04c
t (0x0020dc60) = 0x01467f44
LOCALS:
0x0020dc5c = 0x0147f160
0x0020dc68 = 0x00000001
<no data>
<no data>
[...]
0:000> !pe 0x01467f44
Exception object: 01467f44
Exception type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
InnerException: <none>
StackTrace (generated):
SP IP Function
0020EA90 002D0250 ApplicationA!ApplicationA.Form1.button1_Click_1(System.Object, System.EventArgs)
0020EA98 68E04AE8
System_Windows_Forms_ni!System.Windows.Forms.Control.OnClick(System.EventArgs)+0x70
0020EAB0 68E070A2
System_Windows_Forms_ni!System.Windows.Forms.Button.OnClick(System.EventArgs)+0xa2
0020EAC8 69396174
System_Windows_Forms_ni!System.Windows.Forms.Button.OnMouseUp(System.Windows.Forms.MouseEventArgs)+0xac
0020EAE4 693695B5
System_Windows_Forms_ni!System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message
ByRef, System.Windows.Forms.MouseButtons, Int32)+0x2d1
0020EB78 6972A1BF
System_Windows_Forms_ni!System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message
ByRef)+0x8d30bf
0020EBD0 697318DD
System_Windows_Forms_ni!System.Windows.Forms.ButtonBase.WndProc(System.Windows.Forms.Message
ByRef)+0x8c3ac1
0020EC14 68E6DE00
System_Windows_Forms_ni!System.Windows.Forms.Button.WndProc(System.Windows.Forms.Message
ByRef)+0x20
0020EC20 68E570F3
System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)+0x13
0020EC28 68E57071
System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)+0x31
0020EC3C 68E56FB6
System_Windows_Forms_ni!System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)+0x96
StackTraceString: <none>
HResult: 80004003
Handled exceptions might appear as execution residue on raw stack when we use
!DumpStackObjects (!dso) command.