none
.Net 2.0 SP1, faulting module mscorwks.dll fault address 0x002b832f RRS feed

  • Question

  • Hi ladies & gents,

    I'm faced with the problem that my application "Winform Hello World" crashes reproducible on my XP Pro SP2 machine. The .Net Framework version is 3.5. The application goes down with "%appname% has encountered a problem and needs to close". My "Hello World" application doesn't use any COM or Interop stuff mentioned in other posts. Below I've listed the output from WinDbg !analyze -v. The machine is running under VmWare Workstation. I've already done several (un) install of .Net Framework 3.5 with no success.

    Please let me know wether I've added enough information.

    Kind regards, bemma

    Opened log file 'C:\HelloWorldCrash.log'
    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    !pe

    Exception object: 012b5a54
    Exception type: System.AccessViolationException
    Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80004003
    !pe

    The current thread is unmanaged
    !pe

    There is no current managed exception on this thread
    !pe

    The current thread is unmanaged
    !pe
    Exception object: 012b5a54
    Exception type: System.AccessViolationException
    Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80004003
    !pe 12b5a54

    Exception object: 012b5a54
    Exception type: System.AccessViolationException
    Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80004003
    !pe

    Exception object: 012b5a54
    Exception type: System.AccessViolationException
    Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80004003
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************

    FAULTING_IP:
    mscorwks!DoJITFailFast+5
    7a12832f cc              int     3

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    .exr 0xffffffffffffffff
    ExceptionAddress: 7a12832f (mscorwks!DoJITFailFast+0x00000005)
       ExceptionCode: c0000409 (Stack buffer overflow)
      ExceptionFlags: 00000001
    NumberParameters: 0

    PROCESS_NAME:  TrMessangerTest.exe

    ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>

    EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>

    WRITE_ADDRESS:  ffffffa5

    FOLLOWUP_IP:
    mscorwks!DoJITFailFast+5
    7a12832f cc              int     3

    FAILED_INSTRUCTION_ADDRESS:
    +1e5952f00a1df74
    00e10862 0060a4          add     byte ptr [eax-5Ch],ah

    GSFAILURE_ANALYSIS_TEXT: !gs output:
    4 Threads detected. Fault occured in thread #0
    Corruption occured in mscorwks!DoJITFailFast or one of its callers
    Module canary at 0x7A3AD240 (mscorwks!__security_cookie): 0xA1838DEE
    Complement at 0x7A3BDAA4: 0x5E7C7211  (matches OK)

    Analyzing __report_gsfailure frame...
    LEA usage: Function @0x7A12832A-0x7A12832F is NOT using LEA
    Canary at gsfailure frame: 0xA1838DEE

    Analyzing faulting frame...
    Looking for Stack Canary in Function @0x7A12832A (mscorwks!DoJITFailFast)
    Couldn't find Canary! Function is likely not using GS!
    Can't find stack canary.
    Fatal error - aborting analysis!

    Stack buffer overrun analysis completed successfully.


    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    MANAGED_STACK:
    (TransitionMU)
    0012F328 7B0834B7 System_Windows_Forms_ni!System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)+0x1c3
    0012F3C8 7B0831A5 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)+0x17d
    0012F440 7B082FE3 System_Windows_Forms_ni!System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)+0x53
    0012F470 7B0692C2 System_Windows_Forms_ni!System.Windows.Forms.Application.Run(System.Windows.Forms.Form)+0x2e
    0012F480 00CA00A8 TrMessangerTest.exe!Unknown+0x38
    (TransitionUM)

    EXCEPTION_OBJECT: !pe 12b5a54
    !pe 12b5a54

    Exception object: 012b5a54
    Exception type: System.AccessViolationException
    Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    InnerException: <none>
    StackTrace (generated):
    <none>
    StackTraceString: <none>
    HResult: 80004003

    MANAGED_OBJECT: !dumpobj 12c6a40
    !dumpobj 12c6a40

    Name: System.String
    MethodTable: 790fd8c4
    EEClass: 790fd824
    Size: 222(0xde) bytes
     (C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
    String: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
    Fields:
          MT    Field   Offset                 Type VT     Attr    Value Name
    79102290  4000096        4         System.Int32  1 instance      103 m_arrayLength
    79102290  4000097        8         System.Int32  1 instance      102 m_stringLength
    790ff328  4000098        c          System.Char  1 instance       41 m_firstChar
    790fd8c4  4000099       10        System.String  0   shared   static Empty
        >> Domain:Value  00164288:790d884c <<
    7912dd40  400009a       14        System.Char[]  0   shared   static WhitespaceChars
        >> Domain:Value  00164288:0127139c <<

    EXCEPTION_MESSAGE:  Attempted to read or write protected memory. This is often an indication that other memory is corru

    MANAGED_OBJECT_NAME:  System.AccessViolationException

    FAULTING_THREAD:  00000094

    DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

    PRIMARY_PROBLEM_CLASS:  GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

    BUGCHECK_STR:  APPLICATION_FAULT_GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS

    STACK_TEXT: 
    0012a01c 7c90e9c0 7c8025db 000001c4 00000000 ntdll!KiFastSystemCallRet
    0012a020 7c8025db 000001c4 00000000 0012a054 ntdll!ZwWaitForSingleObject+0xc
    0012a084 7c802542 000001c4 000493e0 00000000 kernel32!WaitForSingleObjectEx+0xa8
    0012a098 6945ada6 000001c4 000493e0 003a0043 kernel32!WaitForSingleObject+0x12
    0012ab84 6945aff1 000001ac 00000080 000001b8 faultrep!InternalGenerateMinidumpEx+0x335
    0012abb0 6945b5d9 000001ac 00000080 0012abcc faultrep!InternalGenerateMinidump+0x75
    0012b528 69456652 000001ac 00000080 0012b548 faultrep!InternalGenFullAndTriageMinidumps+0x159
    0012cd40 69457d3d 0012cdb4 001818a0 00000000 faultrep!ReportFaultDWM+0x4e5
    0012d234 694582d8 7a2a2a00 0012e07c ffffffff faultrep!StartManifestReportImmediate+0x268
    0012e2a0 7c863059 7a2a2a00 ffffffff 0012f2e0 faultrep!ReportFault+0x55a
    0012e514 7a2a29db 7a2a2a00 a1838dee 5e7c7211 kernel32!UnhandledExceptionFilter+0x4cf
    0012e848 7a12832f 7a02e280 0012e8e0 79e84caf mscorwks!__report_gsfailure+0xdf
    0012e84c 7a02e280 0012e8e0 79e84caf 00000000 mscorwks!DoJITFailFast+0x5
    0012e854 79e84caf 00000000 0012ea6c 0012ea38 mscorwks!CrawlFrame::CheckGSCookies+0x1c
    0012e864 79e84830 0012f2e0 79f07957 00158098 mscorwks!CrawlFrame::SetCurGSCookie+0x36
    0012ac50 006d0064 00000070 00000000 00000000 mscorwks!Thread::StackWalkFramesEx+0xd3
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012ed74 79f07449 79f07957 0012ee2c 00000000 0x6d0064
    0012ed90 79f08585 0012ee88 00158098 0012ee2c mscorwks!LookForHandler+0x26
    0012eea8 79f081d6 0012eff8 0012f4ac 0012f014 mscorwks!CPFH_RealFirstPassHandler+0x49f
    0012eee8 79f080a7 0012eff8 0012f4ac 0012efcc mscorwks!CPFH_RealFirstPassHandler+0x68c
    0012ef0c 7c9037bf 0012eff8 0012f4ac 0012f014 mscorwks!COMPlusFrameHandler+0x15a
    0012ef30 7c90378b 0012eff8 0012f4ac 0012f014 ntdll!ExecuteHandler2+0x26
    0012efe0 7c90eafa 00000000 0012f014 0012eff8 ntdll!ExecuteHandler+0x24
    0012efe0 00e10862 00000000 0012f014 0012eff8 ntdll!KiUserExceptionDispatcher+0xe
    0012f2f0 7b0834b7 00000000 012b5a30 01273150 0xe10862
    0012f3b8 7b0831a5 00000000 ffffffff 00189a20 System_Windows_Forms_ni+0xb34b7
    0012f434 7b082fe3 01277f58 10940007 01277184 System_Windows_Forms_ni+0xb31a5
    0012f464 7b0692c2 01277f58 0012f4ac 01272814 System_Windows_Forms_ni+0xb2fe3
    0012f490 79e7c6cc 0012f560 00000000 0012f530 System_Windows_Forms_ni+0x992c2
    0012f510 79e7c8e1 0012f560 00000000 0012f530 mscorwks!CallDescrWorkerWithHandler+0xa3
    0012f64c 79e7c783 0092c020 0012f714 0012f6e0 mscorwks!MethodDesc::CallDescr+0x19c
    0012f668 79e7c90d 0092c020 0012f714 0012f6e0 mscorwks!MethodDesc::CallTargetWorker+0x1f
    0012f67c 79eefb9e 0012f6e0 a1917a0e 00000000 mscorwks!MethodDescCallSite::Call_RetArgSlot+0x18
    0012f7e0 79eef830 00923040 00000001 0012f81c mscorwks!ClassLoader::RunMain+0x263
    0012fa48 79ef01da 00000000 a19172f6 00000001 mscorwks!Assembly::ExecuteMainMethod+0xa6
    0012ff18 79fb9793 00400000 00000000 a1917286 mscorwks!SystemDomain::ExecuteMainMethod+0x43f
    0012ff68 79fb96df 00400000 a191725e 0007da50 mscorwks!ExecuteEXE+0x59
    0012ffb0 7900b1b3 7c90e1fe 79e70000 0012fff0 mscorwks!_CorExeMain+0x15c
    0012ffc0 7c816d4f 0007da50 7c90e1fe 7ffdc000 mscoree!_CorExeMain+0x2c
    0012fff0 00000000 7900b183 00000000 00000000 kernel32!BaseProcessStart+0x23


    SYMBOL_STACK_INDEX:  c

    SYMBOL_NAME:  mscorwks!DoJITFailFast+5

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: mscorwks

    IMAGE_NAME:  mscorwks.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  471ef729

    STACK_COMMAND:  ~0s ; kb

    FAILURE_BUCKET_ID:  GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_c0000409_mscorwks.dll!DoJITFailFast

    BUCKET_ID:  APPLICATION_FAULT_GS_FALSE_POSITIVE_PROBABLY_NOT_USING_GS_BAD_IP_mscorwks!DoJITFailFast+5

    WATSON_STAGEONE_URL:  http://watson.microsoft.com/002b832f.htm?Retriage=1

    Followup: MachineOwner
    ---------



    Thursday, February 26, 2009 11:19 AM

All replies

  • Hello bemma,

    mscorwks!DoJITFailFast was called because CLR detected corrupted stack (GS cookie). It can be caused by buffer overrun, memory corrupted by native parts of your application, HW memory error or a bug in CLR/CRT/OS/other libraries.
    mscorwks!__report_gsfailure is CRT function and I am not sure if it is supposed to raise unhandled exception.

    These questions might help find the root cause:
    1) Does it repro on more than one physical machine (not only different VM)? (i.e. Is it memory HW error?)
    2) Does your application have any native part? If yes is there chance it could corrupt the memory?
    3) Try to run your app under debugger and set breakpoint to mscorwks!DoJITFailFast. Does it fail at the same place/memory everytime? Can you trace back the corrupted GS cookie and set a data breakpoint at it to see who corrupted it?

    -Karel

    Friday, February 27, 2009 2:35 AM
    Moderator
  •  Thanks Karel for your reply,

    1) Yes it does happen on different machines. I've done this tests on different VM's running on different physical machines.  I've done several mem checks without any results which would shed some light in that direction.
    2) No, at least I think so. I've made an Winforms application through Project templates in VS2008. In the next step I've added a standard textbox on the form that's it. So from my point of view I haven't added any of this unsafe, COM, Interop,... stuff to this testapplication. I haven't added one line of code manually, all of it has been generated by the VS project template. So it's a "real" managed application written in C#. By the way it also happens with VS2008 SP1.
    3) The exception address isn't the same all the time when the exception occurs. But it seems as there would be only 2 addresses where the exception occurs. Below I've added the output from !analyze -v command when the debugger breaks into the mscorwks!DoJITFailFast method.
    During the tests which I've done the last few days, I've recognized that the crash only occurs if another application is running. This application is also written in our house. I don't understand the fact that another application (which didn't crash ever) can influence my testapplication in that way. How can that be???

    Thanks in advance for your support, bemma
     

    Opened log file 'C:\TrMessangerTest.log'
    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    !pe

    There is no current managed exception on this thread
    !pe

    The current thread is unmanaged
    !pe

    There is no current managed exception on this thread
    !pe

    The current thread is unmanaged
    !pe
    There is no current managed exception on this thread
    !pe

    There is no current managed exception on this thread
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************

    FAULTING_IP:
    +e20e4e
    00e20e4e 0000            add     byte ptr [eax],al

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    .exr 0xffffffffffffffff
    ExceptionAddress: 00e20e4e
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 000000c4
    Attempt to write to address 000000c4

    FAULTING_THREAD:  00000c4c

    DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR

    PROCESS_NAME:  TrMessangerTest3.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    WRITE_ADDRESS:  000000c4

    FAILED_INSTRUCTION_ADDRESS:
    +e20e4e
    00e20e4e 0000            add     byte ptr [eax],al

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    IP_ON_HEAP:  00e20e4e

    MANAGED_STACK: !dumpstack -EE
    !dumpstack -EE
    OS Thread Id: 0xc4c (0)
    Current frame:
    ChildEBP RetAddr  Caller,Callee
    0012f2f0 7b0834b7 (MethodDesc 0x7b5be1e8 +0x1c3 System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32))
    0012f310 7b0834b7 (MethodDesc 0x7b5be1e8 +0x1c3 System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32))
    0012f338 7b08374f (MethodDesc 0x7b5be1e8 +0x45b System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32))
    0012f3b8 7b0831a5 (MethodDesc 0x7b5bc400 +0x17d System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext))
    0012f434 7b082fe3 (MethodDesc 0x7b4a76e8 +0x53 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext))
    0012f464 7b0692c2 (MethodDesc 0x7b4a6600 +0x2e System.Windows.Forms.Application.Run(System.Windows.Forms.Form))
    0012f478 00ca00a8 (MethodDesc 0x923040 +0x38 TrMessangerTest.Program.Main())

    UNALIGNED_STACK_POINTER:  0012f2d7

    LAST_CONTROL_TRANSFER:  from 7b0834b7 to 00e20e4e

    PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR

    BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR

    STACK_TEXT: 
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012f2f0 7b0834b7 00000000 012c0a10 0127317c 0xe20e4e
    0012f3b8 7b0831a5 00000000 ffffffff 001881b0 System_Windows_Forms_ni+0xb34b7
    0012f434 7b082fe3 01277eec 1c4c0007 012771b8 System_Windows_Forms_ni+0xb31a5
    0012f464 7b0692c2 01277eec 0012f4ac 01272840 System_Windows_Forms_ni+0xb2fe3
    0012f490 79e7c6cc 0012f560 00000000 0012f530 System_Windows_Forms_ni+0x992c2
    0012f510 79e7c8e1 0012f560 00000000 0012f530 mscorwks!CallDescrWorkerWithHandler+0xa3
    0012f64c 79e7c783 0092c020 0012f714 0012f6e0 mscorwks!MethodDesc::CallDescr+0x19c
    0012f668 79e7c90d 0092c020 0012f714 0012f6e0 mscorwks!MethodDesc::CallTargetWorker+0x1f
    0012f67c 79eefb9e 0012f6e0 de272eb7 00000000 mscorwks!MethodDescCallSite::Call_RetArgSlot+0x18
    0012f7e0 79eef830 00923040 00000001 0012f81c mscorwks!ClassLoader::RunMain+0x263
    0012fa48 79ef01da 00000000 de27264f 00000001 mscorwks!Assembly::ExecuteMainMethod+0xa6
    0012ff18 79fb9793 00400000 00000000 de27263f mscorwks!SystemDomain::ExecuteMainMethod+0x43f
    0012ff68 79fb96df 00400000 de2726e7 00000000 mscorwks!ExecuteEXE+0x59
    0012ffb0 7900b1b3 00000000 79e70000 0012fff0 mscorwks!_CorExeMain+0x15c
    0012ffc0 7c816d4f 00000000 00000000 7ffd6000 mscoree!_CorExeMain+0x2c
    0012fff0 00000000 7900b183 00000000 78746341 KERNEL32!BaseProcessStart+0x23


    FOLLOWUP_IP:
    System_Windows_Forms_ni+b34b7
    7b0834b7 85c0            test    eax,eax

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  System_Windows_Forms_ni+b34b7

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: System_Windows_Forms_ni

    IMAGE_NAME:  System.Windows.Forms.ni.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  471ebf68

    STACK_COMMAND:  ~0s ; kb

    FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_System.Windows.Forms.ni.dll!Unknown

    BUCKET_ID:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_BAD_IP_System_Windows_Forms_ni+b34b7

    Followup: MachineOwner
    ---------



    Monday, March 2, 2009 3:23 PM