First Chance exception in ntdll 0XC0000005 Windbg

    Question

  • Please help me analyze this crash dump. This is my last resort.

    We have a Windows COM/DCOM service that crashes with this dump. It looks as if there is some heap corruption going on here. This crash strangely occurs only on Windows Server 2008 SP2 and is causing a lot of headaches.

    Can any WinDbg experts help here? I would appreciate any kind of help with locating the error or providing tips on how to debug this, since I am a newbie with WinDbg. Thanks in advance. Below is the WinDbg output:

     

    
    Comment: 'Dump created by DbgHost. First chance exception 0XC0000005'
    Symbol search path is: C:\debug symbols;C:\Windows\Symbols
    
    Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) UP Free x86 compatible
    Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
    Machine Name:
    Debug session time: Tue Nov 30 14:15:48.000 2010 (GMT+2)
    System Uptime: 5 days 0:32:32.875
    Process Uptime: 0 days 1:29:39.000
    ...........................................................
    Loading unloaded module list .....  
    This dump file has an exception of interest stored in it. 
    The stored exception information can be accessed via .ecxr. 
    (868.ae4): Access violation - code c0000005 (first/second chance not available) 
    eax=c0c0c0a0 ebx=00140000 ecx=c0c0c0a0 edx=00141000 esi=00140000 edi=00140000 
    eip=7005a43d esp=04ebf2dc ebp=04ebf320 iopl=0     nv up ei ng nz na pe nc 
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000       efl=00010286 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for verifier.dll - verifier!VerifierStopMessage+0x591d:  
    7005a43d 8139aaaacdab  cmp   dword ptr [ecx],0ABCDAAAAh ds:0023:c0c0c0a0=???????? 
    *** WARNING: Unable to verify checksum for vsrv.exe 
    0:011> !analyze -v  
    ******************************************************************************* 
    *                                       * 
    *            Exception Analysis                  * 
    *                                       * 
    ******************************************************************************* 
    
    *** WARNING: Unable to verify checksum for TCheckLic.dll 
    *** WARNING: Unable to verify checksum for regserverps.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for regserverps.dll -  
    *** WARNING: Unable to verify checksum for carsps.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for carsps.dll - 
    *** WARNING: Unable to verify checksum for vsrvps.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for vsrvps.dll - 
    *** WARNING: Unable to verify checksum for vdbaccs.dll 
    *** WARNING: Unable to verify checksum for VsrvPing.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for msiltcfg.dll  
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for WlS0WndH.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for wsock32.dll - 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for comctl32.dll   
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for wtsapi32.dll   
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for winnsi.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for sxs.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for winsta.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for psapi.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for lpk.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for clbcatq.dll 
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ws2_32.dll  
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for nsi.dll 
    ************************************************************************* 
    ***                                  *** 
    ***                                  *** 
    ***  Your debugger is not using the correct symbols         *** 
    ***                                  *** 
    ***  In order for this command to work properly, your symbol path  *** 
    ***  must point to .pdb files that have full type information.   *** 
    ***                                  *** 
    ***  Certain .pdb files (such as the public OS symbols) do not   *** 
    ***  contain the required information. Contact the group that   *** 
    ***  provided you with these symbols if you need this command to  *** 
    ***  work.                             *** 
    ***                                  *** 
    ***  Type referenced: IMAGE_NT_HEADERS32              *** 
    ***                                  *** 
    ************************************************************************* 
    Failed calling InternetOpenUrl, GLE=12007 
    *************************************************************************
    ***                                  *** 
    ***                                  *** 
    ***  Your debugger is not using the correct symbols         *** 
    ***                                  *** 
    ***  In order for this command to work properly, your symbol path  *** 
    ***  must point to .pdb files that have full type information.   *** 
    ***                                  *** 
    ***  Certain .pdb files (such as the public OS symbols) do not   *** 
    ***  contain the required information. Contact the group that   *** 
    ***  provided you with these symbols if you need this command to  *** 
    ***  work.                             *** 
    ***                                  *** 
    ***  Type referenced: kernel32!pNlsUserInfo             *** 
    ***                                  *** 
    ************************************************************************* 
    ************************************************************************* 
    ***                                  *** 
    ***                                  *** 
    ***  Your debugger is not using the correct symbols         *** 
    ***                                  *** 
    ***  In order for this command to work properly, your symbol path  *** 
    ***  must point to .pdb files that have full type information.   *** 
    ***                                  *** 
    ***  Certain .pdb files (such as the public OS symbols) do not   *** 
    ***  contain the required information. Contact the group that   *** 
    ***  provided you with these symbols if you need this command to  *** 
    ***  work.                             *** 
    ***                                  *** 
    ***  Type referenced: kernel32!pNlsUserInfo             *** 
    ***                                  *** 
    *************************************************************************  
    
    FAULTING_IP:  
    verifier!VerifierStopMessage+591d 
    7005a43d 8139aaaacdab  cmp   dword ptr [ecx],0ABCDAAAAh 
    
    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) 
    ExceptionAddress: 7005a43d (verifier!VerifierStopMessage+0x0000591d) 
      ExceptionCode: c0000005 (Access violation) 
     ExceptionFlags: 00000000 
    NumberParameters: 2 
      Parameter[0]: 00000000 
      Parameter[1]: c0c0c0a0 
    Attempt to read from address c0c0c0a0 
    
    PROCESS_NAME: vsrv.exe 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 
    
    EXCEPTION_PARAMETER1: 00000000 
    
    EXCEPTION_PARAMETER2: c0c0c0a0 
    
    READ_ADDRESS: c0c0c0a0  
    
    FOLLOWUP_IP:  
    verifier!VerifierStopMessage+591d 
    7005a43d 8139aaaacdab  cmp   dword ptr [ecx],0ABCDAAAAh 
    
    NTGLOBALFLAG: 2000000 
    
    APPLICATION_VERIFIER_FLAGS: 0
    
    ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
    
    FAULTING_THREAD: 00000ae4 
    
    DEFAULT_BUCKET_ID: HEAP_CORRUPTION 
    
    PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION 
    
    BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ 
    
    LAST_CONTROL_TRANSFER: from 7005a9e0 to 7005a43d 
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong. 
    04ebf320 7005a9e0 00141000 c0c0c0c0 00000004 verifier!VerifierStopMessage+0x591d 
    04ebf33c 700587eb 00141000 00240000 01000002 verifier!VerifierStopMessage+0x5ec0 
    04ebf390 77622614 00140000 01000002 c0c0c0c0 verifier!VerifierStopMessage+0x3ccb 
    04ebf3d8 775eb7cd 00140000 01000002 c0c0c0c0 ntdll!RtlDebugFreeHeap+0x2f 
    04ebf4cc 775d7545 c0c0c0c0 c0c0c0c0 04ebf604 ntdll!RtlpFreeHeap+0x5f 
    04ebf4e8 762f9a26 00140000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x14e 
    04ebf4fc 773aaf25 00140000 00000000 c0c0c0c0 kernel32!HeapFree+0x14 
    04ebf510 773aaf41 7747f6f8 c0c0c0c0 04ebf538 ole32!CRetailMalloc_Free+0x1c 
    04ebf520 75e16efc c0c0c0c0 04ebf604 037d3e6c ole32!CoTaskMemFree+0x13 
    04ebf538 75e08221 c0c0c0c0 c0c0c0c0 037d3e6c rpcrt4!NdrPointerFree+0xb5 
    04ebf560 75e0825a 00000000 04ebf58c 75e16ecb rpcrt4!NdrpEmbeddedPointerFree+0x4c 
    04ebf56c 75e16ecb 04ebf604 09afcff0 037d3e60 rpcrt4!NdrSimpleStructFree+0x1c 
    04ebf58c 75e16ecb 09afcff0 09afcff0 037d3e52 rpcrt4!NdrPointerFree+0x91 
    04ebf5ac 75ea25c8 09afcff0 04ebf840 037d3e4e rpcrt4!NdrPointerFree+0x91 
    04ebf5d4 75ea248b 04ebf840 00000002 04ebf7e0 rpcrt4!NdrpFreeParams+0x150 
    04ebf5e4 75ea2429 feabd21b 09a52fe0 07bd6f28 rpcrt4!NdrStubCall2+0x9aa 
    04ebf65c 751d192d 037d4968 00000000 00000000 rpcrt4!NdrStubCall2+0x55c 
    04ebfa04 75ea293b 09a52fe0 0982cfc0 07bd6f28 rsaenh!AesExpandKey+0x23 
    04ebfa54 7747a8c5 09a52fe0 07bd6f28 0982cfc0 rpcrt4!CStdStubBuffer_Invoke+0xa0 
    04ebfa9c 7747aa59 07bd6f28 09225f08 08dbec38 ole32!SyncStubInvoke+0x3c 
    04ebfae8 773a61d6 07bd6f28 09a12f18 09a52fe0 ole32!StubInvoke+0xb9 
    04ebfbc4 773a60e7 0982cfc0 00000000 09a52fe0 ole32!CCtxComChnl::ContextInvoke+0xfa 
    04ebfbe0 773a6df5 07bd6f28 00000001 09a52fe0 ole32!MTAInvoke+0x1a 
    04ebfc0c 7747a981 07bd6f28 00000001 09a52fe0 ole32!STAInvoke+0x46 
    04ebfc40 7747a79b d0908070 0982cfc0 09a52fe0 ole32!AppInvoke+0xaa 
    04ebfd1c 7747ae2d 07bd6ed0 06ffd420 00000400 ole32!ComInvokeWithLockAndIPID+0x32c 
    04ebfd44 773a6bcd 07bd6ed0 00000400 06df2e30 ole32!ComInvoke+0xc5 
    04ebfd58 773a6b8c 07bd6ed0 04ebfe18 00000400 ole32!ThreadDispatch+0x23 
    04ebfd9c 75fafd72 00ba002a 00000400 0000babe ole32!ThreadWndProc+0x167 
    04ebfdc8 75fafe4a 773a6aef 00ba002a 00000400 user32!InternalCallWinProc+0x23 
    04ebfe40 75fb018d 00000000 773a6aef 00ba002a user32!UserCallWinProcCheckWow+0x14b 
    04ebfea4 75fa8b7c 773a6aef 00000001 04ebff34 user32!DispatchMessageWorker+0x322 
    04ebfeb4 0044fbc9 04ebff14 00000000 00000000 user32!DispatchMessageA+0xf 
    04ebff34 0044faf1 00000000 00000000 041b2e88 vsrv!ATL::CComApartment::Apartment+0xc9  [d:\program files\microsoft visual studio\vc98\atl\include\atlbase.h @ 3837] 
    04ebff88 762fd0e9 041b2e88 04ebffd4 775b19bb vsrv!ATL::CComApartment::_Apartment+0x11  [d:\program files\microsoft visual studio\vc98\atl\include\atlbase.h @ 3815] 
    04ebff94 775b19bb 041b2e88 6a03c808 00000000 kernel32!BaseThreadInitThunk+0xe 
    04ebffd4 775b198e 00402428 041b2e88 ffffffff ntdll!__RtlUserThreadStart+0x23 
    04ebffec 00000000 00402428 041b2e88 00000000 ntdll!_RtlUserThreadStart+0x1b 
    
    
    STACK_COMMAND: .cxr 00000000 ; kb ; ~11s; .ecxr ; kb 
    
    SYMBOL_NAME: heap_corruption!heap_corruption 
    
    FOLLOWUP_NAME: MachineOwner 
    
    MODULE_NAME: heap_corruption 
    
    IMAGE_NAME: heap_corruption 
    
    DEBUG_FLR_IMAGE_TIMESTAMP: 0 
    
    FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption 
    
    BUCKET_ID:  APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_heap_corruption!heap_corruption 
    
    WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/vsrv_exe/68_50_606_0/4ce50c9e /verifier_dll/6_0_6001_18000/4791a775/c0000005/0001a43d.htm?Retriage=1 
    
    Followup: MachineOwner 
    

     
    Tuesday, November 30, 2010 12:42 PM

All replies

  • I enabled full page heap and attached WinDbg to the service, and here is what I got after selecting Go to Unhandled exception:

    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=e0e0e0c0 ebx=00140000 ecx=e0e0e0c0 edx=00141000 esi=00140000 edi=00140000
    eip=6fe5a43d esp=0464f2dc ebp=0464f320 iopl=0     nv up ei ng nz na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000       efl=00010286
    verifier!VerifierStopMessage+0x591d:
    6fe5a43d 8139aaaacdab  cmp   dword ptr [ecx],0ABCDAAAAh ds:0023:e0e0e0c0=????????
    0:011> gn
    Tue Nov 30 17:38:50.656 2010 (GMT+2): 
    
    ===========================================================
    Tue Nov 30 17:38:50.656 2010 (GMT+2): VERIFIER STOP 0000000C: pid 0x810: exception raised while verifying block 
    
    	00141000 : Heap handle
    	E0E0E0E0 : Heap block
    	00000000 : Block size
    	C0000005 : Exception code
    Tue Nov 30 17:38:50.656 2010 (GMT+2): ===========================================================
    This verifier stop is not continuable. Process will be terminated 
    when you use the `go' debugger command.
    ===========================================================
    
    Any ideas?

     

     

    Tuesday, November 30, 2010 4:23 PM
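
The STACK_TEXT in the question can be triaged mechanically. The following is an added example, not part of the original thread: it parses kb-style frames and reports where a repeated-byte value such as c0c0c0c0 first shows up as an argument. The function names are hypothetical, and treating a repeated-byte dword as a fill pattern rather than a real address is an assumed heuristic.

```python
import re

# Frames copied from the STACK_TEXT in the question, innermost first
# (kb layout: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol). A subset is enough here.
STACK_TEXT = """\
04ebf4e8 762f9a26 00140000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x14e
04ebf4fc 773aaf25 00140000 00000000 c0c0c0c0 kernel32!HeapFree+0x14
04ebf520 75e16efc c0c0c0c0 04ebf604 037d3e6c ole32!CoTaskMemFree+0x13
04ebf538 75e08221 c0c0c0c0 c0c0c0c0 037d3e6c rpcrt4!NdrPointerFree+0xb5
04ebf560 75e0825a 00000000 04ebf58c 75e16ecb rpcrt4!NdrpEmbeddedPointerFree+0x4c
04ebf56c 75e16ecb 04ebf604 09afcff0 037d3e60 rpcrt4!NdrSimpleStructFree+0x1c
04ebf58c 75e16ecb 09afcff0 09afcff0 037d3e52 rpcrt4!NdrPointerFree+0x91
"""

FRAME_RE = re.compile(r"^\s*((?:[0-9a-f]{8}\s+){5})(\S+)", re.IGNORECASE)

def is_repeated_byte(word):
    """Assumed heuristic: a dword made of one repeated byte (not 00 or ff)
    looks like a memory fill pattern, not a real allocation address."""
    raw = bytes.fromhex(word)
    return len(set(raw)) == 1 and raw[0] not in (0x00, 0xFF)

def parse_frames(text):
    """Return (symbol, [arg1, arg2, arg3]) for every line shaped like a kb frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            words = m.group(1).split()  # ChildEBP, RetAddr, then three args
            frames.append((m.group(2), words[2:]))
    return frames

def suspicious_frames(text):
    """Frames with at least one fill-pattern-like argument, innermost first."""
    hits = [(sym, [a for a in args if is_repeated_byte(a)]) for sym, args in parse_frames(text)]
    return [(sym, bad) for sym, bad in hits if bad]

def outermost_suspicious(text):
    """The flagged frame furthest from the fault, where the value first appears."""
    hits = suspicious_frames(text)
    return hits[-1][0] if hits else None

if __name__ == "__main__":
    for symbol, bad in suspicious_frames(STACK_TEXT):
        print(f"{symbol:45} {' '.join(bad)}")
    print("first seen at:", outermost_suspicious(STACK_TEXT))
```

The dump itself warns that stack unwind information is unavailable and frames may be wrong, so the reported frame is a starting point for inspection rather than a conclusion.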