analyze COM RPC application crash dump

  • Question

  • Hi guys!

    I found out that sometimes my app crashes, only on Windows Vista platforms; it happens rarely. The crash stack is:

    (53c.b24): Access violation - code c0000005 (first/second chance not available)

    0b89f8f8 76266e4d ole32!HandleIncomingCall+0x7d
    0b89f91c 7633a981 ole32!STAInvoke+0x22
    0b89f950 7633a79b ole32!AppInvoke+0xaa
    0b89fa2c 763391aa ole32!ComInvokeWithLockAndIPID+0x32c
    0b89fa78 75e0e128 ole32!ThreadInvoke+0x2fd
    0b89fab0 75e0e4e7 rpcrt4!DispatchToStubInCNoAvrf+0x38
    0b89fb08 75e0e7a1 rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x135
    0b89fb2c 75e0e742 rpcrt4!RPC_INTERFACE::DispatchToStub+0x90
    0b89fb68 75e0e270 rpcrt4!RPC_INTERFACE::DispatchToStubWithObject+0xbc
    0b89fb98 75e0e203 rpcrt4!LRPC_SCALL::DispatchRequest+0x132
    0b89fbb8 75e0e3db rpcrt4!LRPC_SCALL::QueueOrDispatchCall+0xa7
    0b89fbd4 75e0eb2b rpcrt4!LRPC_SCALL::HandleRequest+0x2d6
    0b89fc04 75e0e02b rpcrt4!LRPC_SASSOCIATION::HandleRequest+0x153
    0b89fc38 75e085db rpcrt4!LRPC_ADDRESS::HandleRequest+0xa3
    0b89fcb8 75e08615 rpcrt4!LRPC_ADDRESS::ProcessIO+0x3a5
    0b89fcc4 75e0844f rpcrt4!LrpcServerIoHandler+0x16
    0b89fcd4 75e08351 rpcrt4!ProcessLrpcComplete+0xe
    0b89fd40 75e077ba rpcrt4!LOADABLE_TRANSPORT::ProcessIOEvents+0x1ab
    0b89fd48 75e07779 rpcrt4!ProcessIOEventsWrapper+0xd
    0b89fd68 75e077e1 rpcrt4!BaseCachedThreadRoutine+0x9e
    0b89fd74 7580f299 rpcrt4!ThreadStartRoutine+0x1b
    0b89fd80 77aed819 kernel32!BaseThreadInitThunk+0xe
    0b89fdc0 77aeda2b ntdll!__RtlUserThreadStart+0x23
    0b89fdd8 00000000 ntdll!_RtlUserThreadStart+0x1b 

    0:086> .ecxr
    eax=00000000 ebx=007bd258 ecx=00000003 edx=00000000 esi=04e2d4e4 edi=7625b540
    eip=76266b34 esp=0b89f8b8 ebp=0b89f8f8 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    76266b34 8b08            mov     ecx,dword ptr [eax]  ds:002b:00000000=????????

    I tried to analyze HandleIncomingCall and found that it takes a pointer (p1) from p1 = *(TIB + 0x0F80) (I didn't find any documented field at this offset, something undocumented!?), then it takes a pointer p2 = *p1 + 0x68 (p2), p2 = NULL, and it tries to access memory through p2 (eax), and as a result there is an access violation.

    Could somebody help me analyze the RPC stack? As I understand it, it is trying to invoke an object method stub? How can I find the interface ID of the invoked method? Also, I don't see any application entries in the crash stack; what does that mean? An asynchronous RPC call?

    P.S. I only have the dump; the problem is not reliably reproducible.

    Sunday, March 2, 2014 10:02 AM
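A WinDbg command sequence, added here as an example and not part of the original post, for checking the pointer chain described in the question against the dump and collecting what identifies the dispatched call. It assumes an x86 dump with Microsoft public symbols loaded; that TEB offset 0xF80 is the `ReservedForOle` field (where COM keeps its per-thread data) is the known layout of the 32-bit `_TEB`, while the `tagSOleTlsData` type name is an assumption about what the symbol server provides.

```windbg
* Switch to the faulting thread (86 in the dump prompt) and restore the exception context
~86s
.ecxr

* Frames with their first three stack arguments; the IPID that
* ComInvokeWithLockAndIPID dispatches on should be visible among its arguments
kb

* Disassemble backwards from the faulting instruction to see where eax (== 0) was loaded from
ub @eip L8

* TEB offset 0xF80 on x86 is the ReservedForOle field, COM's per-thread data pointer
dt ntdll!_TEB ReservedForOle

* p1 = *(TEB + 0xF80)
dd @$teb+0xF80 L1

* p2 = *(p1 + 0x68), expected to be 0 according to the analysis in the question
dd poi(@$teb+0xF80)+0x68 L1

* If the symbols carry the private type, dump the per-thread COM data (assumption: type name)
dt ole32!tagSOleTlsData poi(@$teb+0xF80)

* Otherwise dump the full TEB layout to confirm the field at 0xF80 by offset
dt ntdll!_TEB @$teb
```

The `ds:002b:00000000=????????` operand shown by `.ecxr` already confirms a read through a NULL `eax`; the commands above locate where that NULL came from and which call was being dispatched.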