none
Access Violation crash in Managed software??? RRS feed

  • Question

  • I'm very familiar with these in the C++ world but didn't expect to see one in the C# world. 

    We have a C# service and here's the calls stack I get from a crash dump.  No, the service is solely written in C# and does not call any C++ libraries that we've built or use pinvoke.

    00 07a9e0fc 79e94f9c 00000000 00000000 00164f30 mscorwks!CoUninitializeEE+0x19b1

    01 07a9e110 79e9537d 00000000 07a9e2d4 07a9e13c mscorwks!CoUninitializeEE+0x1918

    02 07a9e120 7a097838 00000000 07a9e138 c0000005 mscorwks!CoUninitializeEE+0x1cf9

    03 07a9e13c 7a097913 07a9e2b8 07a9e2d4 07a9e1cc mscorwks!GetAddrOfContractShutoffFlag+0xa716

    04 07a9e158 79f8e943 07a9e1cc 70e688ef 00223730 mscorwks!GetAddrOfContractShutoffFlag+0xa7f1

    05 07a9e18c 79f8e7e5 07a9e1cc 70e688a3 00000000 mscorwks!CorExitProcess+0x3b16d

    06 07a9e1c0 79fa6a91 07a9e1cc 07a9e2b8 07a9e2d4 mscorwks!CorExitProcess+0x3b00f

    07 07a9e1d4 7c828772 07a9e2b8 07a9f2bc 07a9e2d4 mscorwks!CorExitProcess+0x532bb

    08 07a9e1f8 7c828743 07a9e2b8 07a9f2bc 07a9e2d4 ntdll!RtlRaiseStatus+0xe0

    09 07a9e2a0 7c82857e 07a98000 07a9e2d4 07a9e2b8 ntdll!RtlRaiseStatus+0xb1

    0a 07a9e640 041db6fd 011c2198 09212a80 09212a98 ntdll!KiUserExceptionDispatcher+0xe

    0b 07a9e654 041ea615 09212a98 0112ac1c 09212478 System_Runtime_Serialization_ni+0x16b6fd

    0c 07a9e668 040e145a 00000000 09212478 040e1225 System_Runtime_Serialization_ni+0x17a615

    0d 07a9e694 040e11e1 09212478 011c2198 09212a80 System_Runtime_Serialization_ni+0x7145a

    0e 07a9e6ac 040e0fc9 09212478 00000000 00000000 System_Runtime_Serialization_ni+0x711e1

    0f 07a9e704 040e0f0b 09212478 01261f9c 01261f9c System_Runtime_Serialization_ni+0x70fc9

    10 07a9e71c 0335f365 09212478 07a9e73c 040e3c35 System_Runtime_Serialization_ni+0x70f0b

    11 07a9e750 0335f2dc 09212478 0112adac 00000000 System_ServiceModel_ni+0x37f365

    12 07a9e784 0335f267 09212478 0112adac 01121bf8 System_ServiceModel_ni+0x37f2dc

    13 07a9e7a0 0335f1f9 00000000 0114f4d4 09212478 System_ServiceModel_ni+0x37f267

     

    Thanks,

     

    Hugo

    Wednesday, January 19, 2011 12:56 AM

All replies

  •  

    Hi Hugo,

     

    Could you send me the dump file? please let me know your email address by sending a mail to v-eryang@microsoft.com. Then I will create a file transfer workspace where you can upload your dump file. The dump will be kept confidential.

     

    If this issue is urgent, please contact support at http://support.microsoft.com.


    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, January 19, 2011 2:25 AM
  • Hi Eric,

     

    I sent you an e-mail with my contact.  

     

    Thank you,

     

    Hugo

    Wednesday, January 19, 2011 1:46 PM
  • Hi Hugo,

    I sent the link to you, please check mail.


    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, January 20, 2011 2:35 AM
  • The problem is in the DataRow object being sent to WriteRowXml. One of the strings in it seems to be too large and hence a buffer overflow occurs causing GC heap corruption, thus the crash.

    "Could not retrieve pallet load data for PartNumber: 2899056 at location SG1F003_E011"

     

    All the other strings are smaller and they contain “System”, “script” etc. Only in  the above we see such a large string.

     

     

    Analysis:

     

    00bf7ec9 e89ac59264      call    System_Data_ni!System.Data.DataRow.get_Item(System.Data.DataColumn) (65524468)

    00bf7ece 8bc8            mov     ecx,eax

    00bf7ed0 8b01            mov     eax,dword ptr [ecx]

    00bf7ed2 ff5028          call    dword ptr [eax+28h] à Crash occurs here since EAX is null

    >>> 00bf7ed5 50              push    eax

     

     

    In System.Data.DataRow, reflecting the code:

     

    public object get_Item(DataColumn column)

    {

        this.CheckColumn(column);

        int defaultRecord = this.GetDefaultRecord();

        return column[defaultRecord];

    }

     

     

    0:022> !do 0180a5e4

    Name: System.Data.DataRow

    MethodTable: 6524508c

    EEClass: 6515df30

    Size: 64(0x40) bytes

    GC Generation: 2

    (C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll)

    Fields:

          MT    Field   Offset                 Type VT     Attr    Value Name

    65242d0c  4000720        4 ...em.Data.DataTable  0 instance 014e1718 _table

    652456b8  4000721        8 ...aColumnCollection  0 instance 014e18d4 _columns

    79332c4c  4000722       18         System.Int32  1 instance     3193 oldRecord

    79332c4c  4000723       1c         System.Int32  1 instance     3193 newRecord à The default record

    79332c4c  4000724       20         System.Int32  1 instance       -1 tempRecord

    79332c4c  4000725       24         System.Int32  1 instance     3194 _rowID

    6565825c  4000726       28         System.Int32  1 instance        0 _action

    793044cc  4000727       38       System.Boolean  1 instance        0 inChangingEvent

    793044cc  4000728       39       System.Boolean  1 instance        0 inDeletingEvent

    793044cc  4000729       3a       System.Boolean  1 instance        0 inCascade

    65244ff8  400072a        c ...m.Data.DataColumn  0 instance 00000000 _lastChangedColumn

    79332c4c  400072b       2c         System.Int32  1 instance        0 _countColumnChange

    65673e88  400072c       10 ...em.Data.DataError  0 instance 00000000 error

    7933061c  400072d       14        System.Object  0 instance 00000000 _element

    79332c4c  400072e       30         System.Int32  1 instance   983290 _rbTreeNodeId

    79332c4c  4000730       34         System.Int32  1 instance -2015898825 ObjectID

    79332c4c  400072f      498         System.Int32  1   static -2015898782 _objectTypeCount

     

     

    0:022> !do 014f3170

    Name: System.Data.Common.StringStorage

    MethodTable: 65247764

    EEClass: 65173c20

    Size: 44(0x2c) bytes

    GC Generation: 2

    (C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll)

    Fields:

          MT    Field   Offset                 Type VT     Attr    Value Name

    65244ff8  4000b3a        4 ...m.Data.DataColumn  0 instance 014e6b54 Column

    65242d0c  4000b3b        8 ...em.Data.DataTable  0 instance 014e1718 Table

    79331840  4000b3c        c          System.Type  0 instance 00fe41bc DataType

    65659d9c  4000b3d       1c         System.Int32  1 instance       18 StorageTypeCode

    793245cc  4000b3e       10 ...lections.BitArray  0 instance 00000000 dbNullBits

    7933061c  4000b3f       14        System.Object  0 instance 00fe1198 DefaultValue

    7933061c  4000b40       18        System.Object  0 instance 0106b130 NullValue

    793044cc  4000b41       20       System.Boolean  1 instance        0 IsCloneable

    793044cc  4000b42       21       System.Boolean  1 instance        0 IsCustomDefinedType

    793044cc  4000b43       22       System.Boolean  1 instance        1 IsStringType

    793044cc  4000b44       23       System.Boolean  1 instance        0 IsValueType

    793041d0  4000b39      1dc      System.Object[]  0   static 011c0ec4 StorageClassType

    793041d0  4000cc3       24      System.Object[]  0 instance 01754468 value

     

     

    0:022> !da 01754468

    Name: System.String[]

    MethodTable: 793041d0

    EEClass: 790eda54

    Size: 16400(0x4010) bytes

    Array: Rank 1, Number of elements 4096, Type CLASS

    Element Methodtable: 79330a00

    [0] 014e7108

    [1] 014f33c8

    <snip>

    [3192] 0180a36c

    [3193] 0180a4fc

    [3194] 0180a648

    [3195] 0180a794

    <snip>

     

    0:022> !do 0180a4fc

    <Note: this object has an invalid CLASS field>

    Invalid object

     

    0:022> du 0180a4fc

    0180a4fc  "trieve pallet load data for Part"

    0180a53c  "Number: 2899056 at location SG1F"

    0180a57c  "003_E011"


    bill boyce
    Friday, January 28, 2011 9:59 PM
    Moderator
  • Hi Bill,

     

    First, thank you for looking into this...

     

    Are you saying the string "Could not retrieve pallet load data for PartNumber: 2899056 at location SG1F003_E011"  is too large?

    Is it crashing when calling the function WriteXmlRow(...) or within it?  

    Thanks,

    Hugo

    Wednesday, February 2, 2011 1:49 PM
  • Bill,

     

    Can you see who called WriteRowXML?  This is called from quite a few places, trying to narrow it down.

     

    Thanks.

    Wednesday, February 2, 2011 2:16 PM
  • Bill,

     

    That string you found comes from a database table.  Basically there's a service that reads rows of data from a database table, serializes it to xml and ships it to a client.  The column in the database is varchar(max) so each row could have a fairly large string in it.  Is it one single row string in the datarow obkect that is too large or is it the entire object itself that is too large.  I would think it's the object...

     

    Hugo

    Wednesday, February 2, 2011 3:29 PM
  • Having someone else look at the dump, will respond as soon as I get some more info.

     

    Thanks,


    bill boyce
    Tuesday, February 22, 2011 9:02 PM
    Moderator
  • You can crash the .net runtime. (stack overflow, etc...) .

    In checking deeper analysis needs to happen and a better understanding of what is being done is in order.  Perhaps a repro of some sort of even an iDNA trace collection may due involving time.

     

    Your question now falls into the paid support category which requires a more in-depth level of support. 

    Please visit the below link to see the various paid support options that are available to better meet

    your needs.

     

    http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone


    bill boyce
    Thursday, February 24, 2011 12:49 PM
    Moderator