• Ntdebugging Blog

    Debugging a Windows 8.1 Store App Crash Dump

    • 0 Comments

    Quality reports on the App Summary page

    Microsoft provides triage dumps of your Windows Store application’s crashes and hangs through the Quality section of the App Summary page on the Dev Center - Windows Store apps portal.

     

    Back in June 2012, the Windows Store team posted an article on this feature and the basics of debugging the dumps provided.  Improving apps with Quality reports,

    http://blogs.msdn.com/b/windowsstore/archive/2012/06/27/improving-apps-with-quality-reports.aspx.

     

    This article digs further into the debugging of Windows Store application crash dump files, and explains the recent changes made to exception reporting in Windows 8.1.

     

    The files being debugged can be obtained from the Quality page or by collecting them yourself using Windows Error Reporting (WER) or the AeDebug feature of Windows.

     

    An example AeDebug tool is Sysinternals ProcDump. To configure crash dumping, execute the following from an elevated command prompt:

     

    C:\>md c:\dumps

    C:\>procdump.exe -ma -i c:\dumps

     

    Windows Runtime Architecture

    The Windows Runtime (WinRT API) is at the core of all Windows Store applications. Similar to how Win32 and.NET sit between the Desktop app and the kernel, the WinRT API sits between the Windows Store app and the kernel.

     

     

    In between the WinRT API and app is a layer called the Language Projection layer. This layer projects the C++ centric concepts of WinRT, into language specific concepts.

     

    The projection of errors through the Language Projection layer is the focus of this article.

    • In WinRT, errors are modeled as IErrorInfo and IRestrictedErrorInfo interfaces.
    • In CLR languages, errors are modeled as exceptions and are represented as class objects derived from System.Exception.
    • In JavaScript, errors are also modeled as exceptions and are represented as JavaScript Exception (JSE) objects.
    • In C/C++, errors are modeled as an interface or a pure HRESULT.

     

     

    Because each language has a different concept on how errors are handled, the projection layer needs to use a least common denominator. For errors, that means that just an HRESULT (Error Code) and HSTRING (Error Message) are sent through the projection layer. Any addition information held by WinRT’s interface is not available in the receiving language. And conversely, any additional information held by the language’s object is not available to WinRT.

     

    If the error becomes unhandled, the HRESULT becomes the Exception Code reported in the Exception Record (of a live debug session or dump file).

     

    Visual Studio 2013

    Opening a dump file in Visual Studio allows you to see the Exception Record via the MiniDump File Summary. The Exception Code is listed in the Dump Summary section.

     

    MinidumpFileSummary

     

    If you Debug the application, the Exception Code‘s Description will be listed in the Output window.

     

    OutputWindow

     

    The call stack of the Exception Record’s context is viewable in the Call Stack window. Depending on the dump’s state, the $exceptionstack pseudo variable can be used in a Watch (or Locals) window to see the stack.

     

    VisualStudio-CallStack

     

    Note, having the Private PDBs of the application will make the stack output more complete/accurate.

     

    Debugging Tools for Windows

    Using the Debugging Tools for Windows, the Exception Record can be displayed using the .exr -1 command. The Exception Code’s description can (sometimes) be looked up using the !error <code> command. The context of the exception is changed to with the .ecxr command. The stack is displayed with the k command (knL adds frame numbers and omits source line information).

     

    0:004> .exr -1

    ExceptionAddress: 722248e8 (msvcr110!Concurrency::details::_ReportUnobservedException+0x00000022)

       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)

      ExceptionFlags: 00000001

    NumberParameters: 1

       Parameter[0]: 00000005

     

    0:004> !error c0000409

    Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

     

    0:004> .ecxr

    eax=00000001 ebx=ffffffff ecx=00000005 edx=0a6ee048 esi=13672424 edi=0546c33c

    eip=722248e8 esp=02ceeef8 ebp=02ceef14 iopl=0         nv up ei pl nz na po nc

    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202

    msvcr110!Concurrency::details::_ReportUnobservedException+0x22:

    722248e8 cd29            int     29h

     

    0:004> knL

      *** Stack trace for last set context - .thread/.cxr resets it

    # ChildEBP RetAddr 

    00 02ceeef4 00f2f6cb msvcr110!Concurrency::details::_ReportUnobservedException+0x22

    WARNING: Stack unwind information not available. Following frames may be wrong.

    01 02ceef14 00f2fad7 MyBadApp+0xef6cb

    02 02ceef40 01122720 MyBadApp+0xefad7

    03 02ceef64 011228eb MyBadApp+0x2e2720

    04 02ceef70 00f3960a MyBadApp+0x2e28eb

    05 02ceefb0 010cc804 MyBadApp+0xf960a

    06 02ceefc0 0112108e MyBadApp+0x28c804

    07 02ceeff8 72422b61 MyBadApp+0x2e108e

    08 02cef034 72427e27 Microsoft_Xbox!DllGetClassObject+0x61352

    09 02cef040 76095c3e Microsoft_Xbox!DllGetClassObject+0x66618

    0a 02cef060 7610f497 rpcrt4!Invoke+0x2a

    0b 02cef6ec 75c241f8 rpcrt4!NdrStubCall2+0x33c

    0c 02cef734 75c1f58a combase!CStdStubBuffer_Invoke+0xc1

    0d 02cef7c0 75b24617 combase!SyncStubInvoke+0x144

    0e (Inline) -------- combase!StubInvoke+0x9a

    0f 02cef8e8 75b97d8d combase!CCtxComChnl::ContextInvoke+0x222

    10 02cef90c 75c24cc9 combase!DefaultInvokeInApartment+0x30

    11 (Inline) -------- combase!ASTAInvokeInApartment+0x35

    12 02cef9b4 75c1fdc7 combase!AppInvoke+0x5ae

    13 02cefb00 75c24c71 combase!ComInvokeWithLockAndIPID+0x5ed

    14 02cefb20 75b93118 combase!ComInvoke+0x153

    15 02cefb30 75b97b11 combase!ThreadDispatch+0x23

    16 02cefb44 75be53b5 combase!CComApartment::ASTAHandleMessage+0xe6

    17 02cefb68 75ba8f22 combase!ASTAWaitContext::DispatchCallsOnExitNonBlockingProcessEventsIfAppropriate+0x9e

    18 02cefb8c 75b5917e combase!ASTAWaitContext::~ASTAWaitContext+0x1a9

    19 02cefb98 74acb13d combase!CoEndProcessEvents+0x37

    1a 02cefbf4 00f733d7 windows_ui!Windows::UI::Core::CDispatcher::ProcessEvents+0x29ac1

    1b 02cefc64 00f77f46 MyBadApp+0x1333d7

    1c 02cefc94 74f6f45e MyBadApp+0x137f46

    1d 02cefca0 74f6f322 twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::Run+0x27

    1e 02cefcc0 74b1008a twinapi_appcore!<lambda_f0454c86bc54370cf843d844d6c13e00>::operator()+0xb2

    1f 02cefd44 75f4a534 SHCore!_WrapperThreadProc+0xe2

    20 02cefd50 77dd8f8b kernel32!BaseThreadInitThunk+0xe

    21 02cefd94 77dd8f61 ntdll!__RtlUserThreadStart+0x20

    22 02cefda4 00000000 ntdll!_RtlUserThreadStart+0x1b

     

    Simple so far...

    Using Visual Studio or the Debugging Tools for Windows is relatively simple when the Exception Record is associated with the call stack of the issue. This is not however always the case. It depends on what side of the projection layer the issue occurred. If the error (exception) was not handled on the language side, the exception is marshaled (projected) to the WinRT side for its exception handling. When this occurs, it starts getting very, very tricky indeed, to see what stack caused the issue...

     

    Language Exceptions - Error Code 0xC000027B

    In the initial design of the WinRT API, the projection of errors was done though a call to the RoOriginateError function. This function takes a HRESULT and HSTRING. Of note, there is no call stack captured. The limits of the RoOriginateError function were recognized and a new (associated) function was created for Windows 8.1.

     

    The RoOriginateLanguageException function takes a HRESULT, HSTRING and a marshalable interface pointer. When RoOriginateLanguageException in called, the current call stack is captured and is passed as part of the error.

     

    The purpose of RoOriginateLanguageException is to marshal the interface pointer so that additional language information is available on the other side of the projection layer. This behavior is achieved by using a specific exception code. Instead of the using the (user defined) HRESULT, a value of 0xC000027B is used. This error code indicates to the receiver that there is data to unmarshal. The data includes the HRESULT and HSTRING, and also the Interface pointer.

     

    The important point to understand here is that all async exceptions raised in Windows 8.1 Windows Store apps now result in a 0xC000027B error code in the Exception Record, not the error code passed by the caller.

     

    Debugging Language Exceptions

    The Exception Record of a Language Exception contains (of note) the exception code (0xC000027B) and two parameters.

     

    0:004> .exr -1

    ExceptionAddress: 73034fec (Windows_UI_Xaml!DirectUI::ErrorHelper::ProcessUnhandledError+0x000000b8)

       ExceptionCode: c000027b

      ExceptionFlags: 00000001

    NumberParameters: 2

       Parameter[0]: 0bdaf240

       Parameter[1]: 00000001

     

    0:006> !error c000027b

    Error code: (NTSTATUS) 0xc000027b (3221226107) - An application-internal exception has occurred.

     

    The first parameter is the address of a pointer array (of unmarshalled data). The second parameter is the count of pointers in the pointer array.

     

    So why is the need for a count?  Since applications have multiple threads, it is possible for multiple threads to call RoOriginateLanguageException simultaneously. Equally, there can be a cyclic nature to the experience, where exceptions are caught and then re-thrown. Since WinRT processes the errors asynchronously, multiple errors exist regularly. The first exception in the array should be the focus of the investigation.

     

    [Tip] Even though Microsoft publishes the private symbols for combase.dll (allowing you to view the local variables of combase!RoFailFast* functions), these locals regularly resolve to invalid addresses due to register reuse and other code flow optimizations. The pointer array in Parameter[0] is the correct place to get the address of the language exception pointer array.

     

    Original Error Code

    The first step when debugging a Language Exception is to determine the actual error code of the caller, instead of the 0xC000027B error code.

     

    Casting an address to a pointer array of a specific type in Visual Studio is, put simply, too difficult to undertake. The easiest option is to use the Debugging Tools for Windows. Even though these tools are all command-line driven and use an obscure syntax, it is relatively easy to follow the following commands to get to the important information.

     

    If not done already, set your symbol path to the Microsoft Public Symbol server:

     

    0:004> .sympath SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

    Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

    Expanded Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols

    ************* Symbol Path validation summary **************

    Response                         Time (ms)     Location

    Deferred                                       SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols

     

    Force the load of the symbols using the .reload /f command:

     

    0:004> .reload /f

    ...

     

    The next step is to display the pointer array as the original structure type. First, we need to know what structure to cast the pointer array to. Using the Parameter[0] value from .exr -1, we will generate a dt command that will display the header of the first record. We use Parameter[0] as the address in this command.

     

    dt <Parameter[0]> combase!_STOWED_EXCEPTION_INFORMATION_HEADER*

     

    Here’s an example:

     

    0:004> .exr -1

    ExceptionAddress: 73034fec (Windows_UI_Xaml!DirectUI::ErrorHelper::ProcessUnhandledError+0x000000b8)

       ExceptionCode: c000027b

      ExceptionFlags: 00000001

    NumberParameters: 2

       Parameter[0]: 0180cf90

       Parameter[1]: 00000003

     

    0:004> dt 0180cf90 combase!_STOWED_EXCEPTION_INFORMATION_HEADER*

    0x070884a4

       +0x000 Size             : 0x20

       +0x004 Signature        : 0x53453031

     

    The value of the Signature member (0x53453031) is converted to a string using .formats <value>.

     

    0:006> .formats 0x53453031

    Evaluate expression:

      Hex:     53453031

      Decimal: 1397043249

      Octal:   12321230061

      Binary:  01010011 01000101 00110000 00110001

      Chars:   SE01

      Time:    Wed Apr 09 04:34:09 2014

      Float:   low 8.46917e+011 high 0

      Double:  6.90231e-315

     

    The chars “SE01” map to a structure name of combase!_STOWED_EXCEPTION_INFORMATION_V1. It can be assumed that v2 uses a signature of “SE02” and a structure name of combase!_STOWED_EXCEPTION_INFORMATION_V2, and so on…

     

    Now we know the type, we can again use the values from .exr -1 to generate a dt command that will display each record. We use the Parameter[0] as the address, and Parameter[1] as the count in the command. We add an “*” to the end of the type as this is an array of pointers to the type, not structures packed next to each other.

     

    In this example, there are 3 pointers, so 3 records are displayed:

     

    dt -a<Parameter[1]> <Parameter[0]> combase!_STOWED_EXCEPTION_INFORMATION_V1*

     

    Note, there is no space between the -a and <Parameter[1]>.

     

    0:004> .exr -1

    ExceptionAddress: 73034fec (Windows_UI_Xaml!DirectUI::ErrorHelper::ProcessUnhandledError+0x000000b8)

       ExceptionCode: c000027b

      ExceptionFlags: 00000001

    NumberParameters: 2

       Parameter[0]: 0180cf90

       Parameter[1]: 00000003

     

    0:004> dt -a3 0180cf90 combase!_STOWED_EXCEPTION_INFORMATION_V1*

    [0] @ 0180cf90

    ---------------------------------------------

    0x070884a4

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80131500

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000010100111100 (0x53c)

       +0x010 ExceptionAddress : 0x7721ea23 Void

       +0x014 StackTraceWordSize : 4

       +0x018 StackTraceWords  : 5

       +0x01c StackTrace       : 0x06f48418 Void

       +0x010 ErrorText        : 0x7721ea23  "?????"

     

    [1] @ 0180cf94

    ---------------------------------------------

    0x071ca274

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80131500

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000010100111100 (0x53c)

       +0x010 ExceptionAddress : (null)

       +0x014 StackTraceWordSize : 4

       +0x018 StackTraceWords  : 0x19

       +0x01c StackTrace       : 0x071c926c Void

       +0x010 ErrorText        : (null)

     

    [2] @ 0180cf98

    ---------------------------------------------

    0x071c922c

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80131534

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000010100111100 (0x53c)

       +0x010 ExceptionAddress : (null)

       +0x014 StackTraceWordSize : 4

       +0x018 StackTraceWords  : 9

       +0x01c StackTrace       : 0x071c8224 Void

       +0x010 ErrorText        : (null)

     

    The ResultCode member is 80131500 in the first two records, and 80131534 in the third record. A quick use of the !error <code> command looks up the descriptions:

     

    0:007> !error 80131500

    Error code: (HRESULT) 0x80131500 (2148734208) - <Unable to get error code text>

     

    0:007> !error 80131534

    Error code: (HRESULT) 0x80131534 (2148734260) - <Unable to get error code text>

     

    In this case, both aren‘t well-known error codes. This is common as API specific error codes aren’t in the OS error lookup routines.

     

    Here are some examples of known error codes, found by looking at a random selection of dumps. Some are quite common (80004003, 80004005 and 80070057) while others are quite rare:

     

    0:004> !error 80004003

    Error code: (HRESULT) 0x80004003 (2147500035) - Invalid pointer

     

    0:004> !error 80004005

    Error code: (HRESULT) 0x80004005 (2147500037) - Unspecified error

     

    0:005> !error 8000ffff

    Error code: (HRESULT) 0x8000ffff (2147549183) - Catastrophic failure

     

    0:004> !error 80070057

    Error code: (HRESULT) 0x80070057 (2147942487) - The parameter is incorrect.

     

    0:006> !error 80073db8

    Error code: (HRESULT) 0x80073db8 (2147958200) - Loading the state store failed.

     

    0:005> !error 800f1000

    Error code: (HRESULT) 0x800f1000 (2148470784) - No installed components were detected.

     

    0:006> !error 88985004

    Error code: (HRESULT) 0x88985004 (2291683332) - A font file exists but could not be opened due to access denied, sharing violation, or similar error.

     

    Original Call Stack

    Regardless of whether the error code is known or unknown, it is useful to determine the location of the issue by viewing the call stack.

     

    Symbol Pointers

    If the ExceptionForm member has a value of 0y01, the structure’s union represents a call stack.

     

    Unlike call stacks associated with threads, where the symbol pointers are placed throughout the stack next to local variables, these symbols pointers are packed tightly at the address specified in the StackTrace member. The dpS command is used to display the call stack.

    • It is important to include a limit (L) as the call stack is regularly longer than the default 10 rows displayed by dpS. The limit’s value is in the StackTraceWords member.
    • Note that capital S is used (dps vs dpS) because we want to omit the first column normally displayed by dps; the location of the symbol pointer is irrelevant.
    • If you aren‘t using the same bitness debugger as the target’s bitness, use ddS for StackTraceWordSize = 4, and dqS for StackTraceWordSize = 8.

     

    0:004> dt -a3 0180cf90 combase!_STOWED_EXCEPTION_INFORMATION_V1*

    [0] @ 0180cf90

    ---------------------------------------------

    0x070884a4

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80131500

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000010100111100 (0x53c)

       +0x010 ExceptionAddress : 0x7721ea23 Void

       +0x014 StackTraceWordSize : 4

       +0x018 StackTraceWords  : 5

       +0x01c StackTrace       : 0x06f48418 Void

       +0x010 ErrorText        : 0x7721ea23  "?????"

    ...

     

    0:007> dpS 0x06f48418 L5

    7723f217 combase!RoOriginateLanguageException+0x3b

    72e29bfd clr!SetupErrorInfo+0x1e1

    72ef27e1 clr!MarshalNative::GetHRForException_WinRT+0x7d

    71981170 Windows_UI_Xaml_ni+0x291170

    72b02a36 clr!COMToCLRDispatchHelper+0x28

     

    Unicode String Pointer

    If the ExceptionForm member has a value of 0y10, the structure’s union represents an error message.

     

    The call stack is (hopefully) contained within the Unicode string pointed at by the ErrorText member. As the text is defined by the caller, the existence of a call stack text isn’t guaranteed.

     

    0:005> dt –a1 13f117e0 combase!_STOWED_EXCEPTION_INFORMATION_V1*

    [0] @ 13f117e0

    ---------------------------------------------

    0x0471f3c0

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 8000ffff

       +0x00c ExceptionForm    : 0y10

       +0x00c ThreadId         : 0y000000000000000000010101110100 (0x574)

       +0x010 ExceptionAddress : 0x0de38f7c Void

       +0x014 StackTraceWordSize : 0

       +0x018 StackTraceWords  : 0

       +0x01c StackTrace       : (null)

       +0x010 ErrorText        : 0x0de38f7c  "System.Exception..   at Windows.UI.Xaml.VisualStateManager.GoToState(Control control, String stateName, Boolean useTransitions)..   at MyBadApp.Common.LayoutAwarePage.InvalidateVisualState()..   at MyBadApp.Common.LayoutAwarePage.WindowSizeChanged(Object sender, WindowSizeChangedEventArgs e)"

     

    CLR - Last Exception Object

    Sometimes, the call stack retrieved from the record isn’t that useful. It may just be the call stack leading up to RoOriginateLanguageException function call, or it just might not relate to any of the code that the application author has written. In these cases, the CLR provides one more chance to understand the issue.

     

    When the CLR throws an exception on a managed thread, the address of the exception object is kept in an (internal) per-thread variable. This address is what the !sos.pe (print exception) command reads to display the CLR Last Exception of a thread.

     

    Note, if you use the Windows 8.1 SDK version of the Debugging Tools for Windows, SOS will be automatically loaded for you, including the download of any required DLLs. As such, it is highly suggested that you use the Windows 8.1 version.

     

    Example #1

    Looking at this example, we can see that there is a single record with an "Invalid pointer" error.

     

    0:006> .exr -1

    ExceptionAddress: 00007ffb87c46960 (twinapi_appcore!Microsoft::WRL::ComPtr<Windows::ApplicationModel::Core::UnhandledErrorDetectedEventArgs>::{dtor})

       ExceptionCode: c000027b

      ExceptionFlags: 00000001

    NumberParameters: 2

       Parameter[0]: 0000003fbc80c8a0

       Parameter[1]: 0000000000000001

     

    0:006> dt -a1 0000003fbc80c8a0 combase!_STOWED_EXCEPTION_INFORMATION_V1*

    [0] @ 0000003f`bc80c8a0

    ---------------------------------------------

    0x0000003f`bfc3c5b8

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80004003

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000100111001000 (0x9c8)

       +0x010 ExceptionAddress : 0x00007ffb`981e1f1c Void

       +0x018 StackTraceWordSize : 8

       +0x01c StackTraceWords  : 0x18

       +0x020 StackTrace       : 0x0000003f`bd7ac9c0 Void

       +0x010 ErrorText        : 0x00007ffb`981e1f1c  "???"

     

    0:006> !error 80004003

    Error code: (HRESULT) 0x80004003 (2147500035) - Invalid pointer

     

    This is a common call stack. A CLR exception is being marshaling to the unhandled error reporting sub-system of WinRT.

     

    0:006> dpS 0x0000003f`bd7ac9c0 L18

    00007ffb`98238d27 combase!RoOriginateLanguageException+0x57

    00007ffb`71e0f926 mscorlib_ni!DomainNeutralILStubClass.IL_STUB_PInvoke(Int32, System.String, IntPtr)+0xe6

    00007ffb`71ff7084 mscorlib_ni!System.Runtime.InteropServices.WindowsRuntime.WindowsRuntimeMarshal.RoOriginateLanguageException(Int32, System.String, IntPtr)+0x44

    00007ffb`71ff6b8d mscorlib_ni!System.Runtime.InteropServices.WindowsRuntime.WindowsRuntimeMarshal.ReportUnhandledError(System.Exception)+0x12d

    00007ffb`885042f4 System_Runtime_WindowsRuntime_ni!System.Threading.WinRTSynchronizationContext+Invoker.InvokeCore()+0x73e04

    00007ffb`7ee6b915 clr!ExceptionTracker::CallHandler+0xc5

    00007ffb`7ee6b80b clr!ExceptionTracker::CallCatchHandler+0x7f

    00007ffb`7ee6b728 clr!ProcessCLRException+0x2e6

    00007ffb`9a30a7fd ntdll!RtlpExecuteHandlerForUnwind+0xd

    00007ffb`9a2b36ba ntdll!RtlUnwindEx+0x366

    00007ffb`7ee6d1c0 clr!ClrUnwindEx+0x40

    00007ffb`7ee6d174 clr!ProcessCLRException+0x2b2

    00007ffb`9a30a77d ntdll!RtlpExecuteHandlerForException+0xd

    00007ffb`9a2b29fb ntdll!RtlDispatchException+0x19b

    00007ffb`9a2b2668 ntdll!RtlRaiseException+0xf0

    00007ffb`976c8384 KERNELBASE!RaiseException+0x68

     

    There is a CLR Last Exception object and the exception code of it matches the record’s code:

     

    0:006> !sos.pe

    Exception object: 0000003fa2be4830

    Exception type:   System.NullReferenceException

    Message:          Object reference not set to an instance of an object.

    InnerException:   <none>

    StackTrace (generated):

        SP               IP               Function

        0000003FBC80D190 00007FFB1F72FC18 MyBadApp!MyBadApp.Utilities.Authentication.GetAliasFromSecurityToken()+0x18

        0000003FBC80D1D0 00007FFB1F72FAC2 MyBadApp! MyBadApp.MainPage.MainPage_AuthenticateUserCompleted(System.Object, System.EventArgs)+0x82

        0000003FBC80D210 00007FFB1F72F5E5 MyBadApp! MyBadApp.MainPage+<AuthenticateUser_Async>d__0.MoveNext()+0x305

        0000003FBC80EE60 00007FFB724F0B31 mscorlib_ni!System.Runtime.CompilerServices.AsyncMethodBuilderCore.<ThrowAsync>b__4(System.Object)+0x4d61d1

        0000003FBC80EE90 00007FFB88490523 System_Runtime_WindowsRuntime_ni!System.Threading.WinRTSynchronizationContext+Invoker.InvokeCore()+0x33

     

    StackTraceString: <none>

    HResult: 80004003

     

    In this case, you can surmise that the System.NullReferenceException exception was thrown within the MyBadApp!MyBadApp.Utilities.Authentication.GetAliasFromSecurityToken() function, and that it was unhandled.

     

    Extraction of the CLR Last Exception object can also sometimes be done in Visual Studio. When you do a Debug with Managed Only on the dump file, the Locals window sometimes contains a pseudo variable called $exception that represents the exception.

     

    VisualStudio-Locals

     

    The Text Visualizer of the StackTrace member allows you to see the call stack.

     

    TextVisualizer

     

    Example #2

    Looking at another example, we can see that again there is a single record, this time with an "Unspecified error" exception code.

     

    0:004> .exr -1

    ExceptionAddress: 73034fec (Windows_UI_Xaml!DirectUI::ErrorHelper::ProcessUnhandledError+0x000000b8)

       ExceptionCode: c000027b

      ExceptionFlags: 00000001

    NumberParameters: 2

       Parameter[0]: 0bdaf240

       Parameter[1]: 00000001

     

    0:004> dt -a1 0bdaf240 combase!PSTOWED_EXCEPTION_INFORMATION_V1

    [0] @ 0bdaf240

    ---------------------------------------------

    0x0af64034

       +0x000 Header           : _STOWED_EXCEPTION_INFORMATION_HEADER

       +0x008 ResultCode       : 80004005

       +0x00c ExceptionForm    : 0y01

       +0x00c ThreadId         : 0y000000000000000000010010011110 (0x49e)

       +0x010 ExceptionAddress : (null)

       +0x014 StackTraceWordSize : 4

       +0x018 StackTraceWords  : 5

       +0x01c StackTrace       : 0x0af6302c Void

       +0x010 ErrorText        : (null)

     

    0:006> !error 80004005

    Error code: (HRESULT) 0x80004005 (2147500037) - Unspecified error

     

    The call stack of the record suggests that this is associated with GetNavigationState:

     

    0:004> dpS 0x0af6302c L5

    72ec4e7d Windows_UI_Xaml!DirectUI::NavigationHistory::WritePageStackEntryToString+0x1f7fde

    72ec4ef0 Windows_UI_Xaml!DirectUI::NavigationHistory::GetNavigationState+0x1f7ddf

    72ccd0fa Windows_UI_Xaml!DirectUI::Frame::GetNavigationStateImpl+0x3a

    72cccced Windows_UI_Xaml!DirectUI::FrameGenerated::GetNavigationState+0x2f

    737d00eb Windows_UI_Xaml_ni+0x2400eb

     

    But the CLR Last Exception object doesn’t have the same exception code as the record:

     

    0:004> !sos.pe

    Exception object: 02cb3cb8

    Exception type:   <Unknown>

    Message:          <Invalid Object>

    InnerException:   System.Runtime.InteropServices.COMException, Use !PrintException e2a09bc6 to see more.

    StackTrace (generated):

        SP       IP       Function

        052DF6C0 07141094 MyBadApp!UNKNOWN+0x544

        052DF8A4 73E0D17A mscorlib_ni!System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(System.Threading.Tasks.Task)+0x5e

        052DF8B4 73E0D115 mscorlib_ni!System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(System.Threading.Tasks.Task)+0x35

        052DF8C0 071409DB MyBadApp!UNKNOWN+0xb3

        052DF8CC 7458458F mscorlib_ni!System.Runtime.CompilerServices.AsyncMethodBuilderCore.<ThrowAsync>b__4(System.Object)+0x33

        052DF8D4 6F9EF994 System_Runtime_WindowsRuntime_ni!System.Threading.WinRTSynchronizationContext+Invoker.InvokeCore()+0x24

     

    StackTraceString: <none>

    HResult: 80131500

     

    0:006> !error 80131500

    Error code: (HRESULT) 0x80131500 (2148734208) - <Unable to get error code text>

     

    It does however have a nested CLR Exception object that does have the same exception code as the record. It too has a call stack that indicates GetNavigationState is having an issue.

     

    0:004> !PrintException /d 02caf968

    Exception object: 02caf968

    Exception type:   System.Runtime.InteropServices.COMException

    Message:          <Invalid Object>

    InnerException:   <none>

    StackTrace (generated):

        SP       IP       Function

        00000000 00000001 Windows_UI_Xaml_ni!Windows.UI.Xaml.Controls.Frame.GetNavigationState()+0x2

        052DF778 071411B5 MyBadApp!UNKNOWN+0x1d

        052DF788 07140BF3 MyBadApp!UNKNOWN+0xa3

     

    StackTraceString: <none>

    HResult: 80004005

     

    Summary

    The asynchronous and projected nature of Windows Store applications makes them significantly harder to debug than desktop applications. Knowing the error code and call stack is just the first step in understanding the root cause of a crash in a Store application. Hopefully this blog post has made those first steps easier to undertake, and that those first steps have pointed you in the right direction.

     

    The solutions to some of the more common issues have been talked about on episodes of Channel 9 Defrag Tools. These episodes show the code changes required to avoid the hang or crash:

  • Ntdebugging Blog

    Understanding Pool Corruption Part 3 – Special Pool for Double Frees

    • 0 Comments

    In Part 1 and Part 2 of this series we discussed pool corruption and how special pool can be used to identify the cause of such corruption.  In today’s article we will use special pool to catch a double free of pool memory.

     

    A double free of pool will cause a system to blue screen, however the resulting crash may vary.  In the most obvious scenario a driver that frees a pool allocation twice will cause the system to immediately crash with a stop code of C2 BAD_POOL_CALLER, and the first parameter will be 7 to indicate “Attempt to free pool which was already freed”.  If you experience such a crash, enabling special pool should be high on your list of troubleshooting steps.

     

    BAD_POOL_CALLER (c2)

    The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.

    Arguments:

    Arg1: 0000000000000007, Attempt to free pool which was already freed

    Arg2: 00000000000011c1, (reserved)

    Arg3: 0000000004810007, Memory contents of the pool block

    Arg4: fffffa8001b10800, Address of the block of pool being deallocated

     

    A less obvious crash would be if the pool has been reallocated.  As we showed in Part 2, pool is structured so that multiple drivers share a page.  When DriverA calls ExFreePool to free its pool block the block is made available for other drivers.  If memory manager gives this memory to DriverF, and then DriverA frees it a second time, a crash may occur in DriverF when the pool allocation no longer contains the expected data.  Such a problem may be difficult for the developer of DriverF to identify without special pool.

     

     

    Special pool will place each driver’s allocation in a separate page of memory (as discussed in Part 2).  When a driver frees a pool block in special pool the whole page will be freed, and any access to a free page will cause an immediate bugcheck.  Additionally, special pool will place this page on the tail of the list of pages to be used again.  This increases the likelihood that the page will still be free when it is freed a second time, decreasing the likelihood of the DriverA/DriverF scenario shown above.

     

    To demonstrate this failure we will once again use the Sysinternals tool NotMyFault.  Choose the “Double free” option and click “Crash”.  Most likely you will get the stop C2 bugcheck mentioned above.  Enable special pool and reboot to get a more informative error.

     

    verifier /flags 1 /driver myfault.sys

     

    Choosing the “Double free” option with special pool enabled resulted in the following crash.  The bugcheck code PAGE_FAULT_IN_NONPAGED_AREA means some driver tried to access memory that was not valid.  This invalid memory was the freed special pool page.

     

    PAGE_FAULT_IN_NONPAGED_AREA (50)

    Invalid system memory was referenced.  This cannot be protected by try-except,

    it must be protected by a Probe.  Typically the address is just plain bad or it

    is pointing at freed memory.

    Arguments:

    Arg1: fffff9800a7fe7f0, memory referenced.

    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.

    Arg3: fffff80060263888, If non-zero, the instruction address which referenced the bad memory address.

    Arg4: 0000000000000002, (reserved)

     

    Looking at the call stack we can see myfault.sys was freeing pool and ExFreePoolSanityChecks took a page fault that lead to the crash.

     

    kd> kn

    # Child-SP          RetAddr           Call Site

    00 fffff880`0419fe28 fffff800`5fd7e28a nt!DbgBreakPointWithStatus

    01 fffff880`0419fe30 fffff800`5fd7d8de nt!KiBugCheckDebugBreak+0x12

    02 fffff880`0419fe90 fffff800`5fc5b544 nt!KeBugCheck2+0x79f

    03 fffff880`041a05b0 fffff800`5fd1c5bc nt!KeBugCheckEx+0x104

    04 fffff880`041a05f0 fffff800`5fc95acb nt! ?? ::FNODOBFM::`string'+0x33e2a

    05 fffff880`041a0690 fffff800`5fc58eee nt!MmAccessFault+0x55b

    06 fffff880`041a07d0 fffff800`60263888 nt!KiPageFault+0x16e

    07 fffff880`041a0960 fffff800`6024258c nt!ExFreePoolSanityChecks+0xe8

    08 fffff880`041a09a0 fffff880`04c9b5d9 nt!VerifierExFreePoolWithTag+0x3c

    09 fffff880`041a09d0 fffff880`04c9b727 myfault!MyfaultDeviceControl+0x2fd

    0a fffff880`041a0b20 fffff800`60241a4a myfault!MyfaultDispatch+0xb7

    0b fffff880`041a0b80 fffff800`600306c7 nt!IovCallDriver+0xba

    0c fffff880`041a0bd0 fffff800`600458a6 nt!IopXxxControlFile+0x7e5

    0d fffff880`041a0d60 fffff800`5fc5a453 nt!NtDeviceIoControlFile+0x56

    0e fffff880`041a0dd0 000007fd`ea212c5a nt!KiSystemServiceCopyEnd+0x13

     

    Using the address from the bugcheck code, we can verify that the memory is in fact not valid:

     

    kd> dd fffff9800a7fe7f0

    fffff980`0a7fe7f0  ???????? ???????? ???????? ????????

    fffff980`0a7fe800  ???????? ???????? ???????? ????????

    fffff980`0a7fe810  ???????? ???????? ???????? ????????

    fffff980`0a7fe820  ???????? ???????? ???????? ????????

    fffff980`0a7fe830  ???????? ???????? ???????? ????????

    fffff980`0a7fe840  ???????? ???????? ???????? ????????

    fffff980`0a7fe850  ???????? ???????? ???????? ????????

    fffff980`0a7fe860  ???????? ???????? ???????? ????????

    kd> !pte fffff9800a7fe7f0

                                               VA fffff9800a7fe7f0

    PXE at FFFFF6FB7DBEDF98    PPE at FFFFF6FB7DBF3000    PDE at FFFFF6FB7E600298    PTE at FFFFF6FCC0053FF0

    contains 0000000002A91863  contains 0000000002A10863  contains 0000000000000000

    pfn 2a91      ---DA--KWEV  pfn 2a10      ---DA--KWEV  not valid

     

    So far we have enough evidence to prove that myfault.sys was freeing invalid memory, but how to we know this memory is being freed twice?  If there was a double free we need to determine if the first or second call to ExFreePool was incorrect.  To this so we need to determine what code freed the memory first.

     

    Driver Verifier special pool keeps track of the last 0x10000 calls to allocate and free pool.  You can dump this database with the !verifier 80 command.  To limit the data output you can also pass this command the address of the memory you suspect was double freed.

     

    Don’t assume the address in the bugcheck code is the address being freed, go get the address from the function that called VerifierExFreePoolWithTag.

     

    In the above call stack the call below VerifierExFreePoolWithTag is frame 9 (start counting with 0, or use kn).

     

    kd> .frame /r 9

    09 fffff880`041a09d0 fffff880`04c9b727 myfault+0x15d9

    rax=0000000000000000 rbx=fffff9800a7fe800 rcx=fffff9800a7fe800

    rdx=fffffa8001a37fa0 rsi=fffffa80035975e0 rdi=fffffa8003597610

    rip=fffff88004c9b5d9 rsp=fffff880041a09d0 rbp=fffffa80034568d0

    r8=fffff9800a7fe801  r9=fffff9800a7fe7f0 r10=fffff9800a7fe800

    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000

    r14=fffff800600306c7 r15=fffffa8004381b80

    iopl=0         nv up ei ng nz na po nc

    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286

    myfault+0x15d9:

    fffff880`04c9b5d9 eb7a            jmp     myfault+0x1655 (fffff880`04c9b655)

     

    On x64 systems the first parameter is passed in rcx.  The below assembly shows that rcx originated from rbx.

     

    kd> ub fffff880`04c9b5d9

    myfault+0x15ba:

    fffff880`04c9b5ba ff15a80a0000    call    qword ptr [myfault+0x2068 (fffff880`04c9c068)]

    fffff880`04c9b5c0 33d2            xor     edx,edx

    fffff880`04c9b5c2 488bc8          mov     rcx,rax

    fffff880`04c9b5c5 488bd8          mov     rbx,rax

    fffff880`04c9b5c8 ff154a0a0000    call    qword ptr [myfault+0x2018 (fffff880`04c9c018)]

    fffff880`04c9b5ce 33d2            xor     edx,edx

    fffff880`04c9b5d0 488bcb          mov    rcx,rbx

    fffff880`04c9b5d3 ff153f0a0000    call    qword ptr [myfault+0x2018 (fffff880`04c9c018)]

     

    Run !verifier 80 using the address from rbx:

     

    kd> !verifier 80 fffff9800a7fe800

     

    Log of recent kernel pool Allocate and Free operations:

     

    There are up to 0x10000 entries in the log.

     

    Parsing 0x0000000000010000 log entries, searching for address 0xfffff9800a7fe800.

     

     

    ======================================================================

    Pool block fffff9800a7fe800, Size 0000000000000800, Thread fffffa80046ce4c0

    fffff80060251a32 nt!VfFreePoolNotification+0x4a

    fffff8005fe736c9 nt!ExFreePool+0x595

    fffff80060242597 nt!VerifierExFreePoolWithTag+0x47

    fffff88004c9b5ce myfault!MyfaultDeviceControl+0x2f2

    fffff88004c9b727 myfault!MyfaultDispatch+0xb7

    fffff80060241a4a nt!IovCallDriver+0xba

    fffff800600306c7 nt!IopXxxControlFile+0x7e5

    fffff800600458a6 nt!NtDeviceIoControlFile+0x56

    fffff8005fc5a453 nt!KiSystemServiceCopyEnd+0x13

    ======================================================================

    Pool block fffff9800a7fe800, Size 0000000000000800, Thread fffffa80046ce4c0

    fffff80060242a5d nt!VeAllocatePoolWithTagPriority+0x2d1

    fffff8006024b20e nt!XdvExAllocatePoolInternal+0x12

    fffff80060242f69 nt!VerifierExAllocatePool+0x61

    fffff88004c9b5c0 myfault!MyfaultDeviceControl+0x2e4

    fffff88004c9b727 myfault!MyfaultDispatch+0xb7

    fffff80060241a4a nt!IovCallDriver+0xba

    fffff800600306c7 nt!IopXxxControlFile+0x7e5

    fffff800600458a6 nt!NtDeviceIoControlFile+0x56

    fffff8005fc5a453 nt!KiSystemServiceCopyEnd+0x13

     

    The above output shows the pool block being allocated by myfault.sys and then freed by myfault.sys.  If we combine this information with the call stack leading up to our bugcheck we can conclude that the pool was freed once in MyfaultDeviceControl at offset 0x2f2, then freed again in MyfaultDeviceControl at offset 0x2fd.

     

    Now we know which driver is causing the problem, and if this is our driver we know which area of the code to investigate.

  • Ntdebugging Blog

    Event ID 157 "Disk # has been surprise removed"

    • 7 Comments

    Hello my name is Bob Golding and I would like to share information on a new error you may see in the system event log. It is Event ID 157 "Disk <n> has been surprise removed" with Source: disk.  This error indicates that the CLASSPNP driver has received a “surprise removal” request from the plug and play manager (PNP) for a non-removable disk.

     

    What does this error mean?

    The PNP manager does what is called enumerations.  An enumeration is a request sent to a driver that controls a bus, such as PCI, to take an inventory of devices on the bus and report back a list of the devices.  The SCSI bus is enumerated in a similar manner, as are devices on the IDE bus.

     

    These enumerations can happen for a number of reasons.  For example, hardware can request an enumeration when it detects a change in configuration.  Also a user can initiate an enumeration by selecting “scan for new devices” in device manager.  

     

    When an enumeration request is received, the bus driver will rescan the bus for all devices.  It will issue commands to the existing devices as though it was looking for new ones.  If these commands fail on an existing unit, the driver will mark the device as “missing”.  When the device is marked “missing”, it will not be reported back to PNP in the inventory.  When PNP determines that the device is not in the inventory it will send a surprise removal request to the bus driver so the bus driver can remove the device object.

     

    Since the CLASSPNP driver sits in the device stack and receives requests that are destined for disks, it sees the surprise removal request and logs an event if the disk is supposed to be non-removable.  An example of a non-removable disk is a hard drive on a SCSI or IDE bus.  An example of a removable disk is a USB thumb drive.

     

    Previously nothing was logged when a non-removable disk was removed, as a result disks would disappear from the system with no indication.  The event id 157 error was implemented in Windows 8.1 and Windows Server 2012 R2 to log a record of a disk disappearing.

     

    Why does this error happen?

    These errors are most often caused when something disrupts the system’s communication with a disk, such as a SAN fabric error or a SCSI bus problem.  The errors can also be caused by a disk that fails, or when a user unplugs a disk while the system is running.  An administrator that sees these errors needs to verify the heath of the disk subsystem.

     

    Event ID 157 Example:

     

  • Ntdebugging Blog

    Understanding ARM Assembly Part 1

    • 9 Comments

    My name is Marion Cole, and I am a Sr. EE in Microsoft Platforms Serviceability group.  You may be wondering why Microsoft support would need to know ARM assembly.  Doesn’t Windows only run on x86 and x64 machines?  No.  Windows has ran on a variety of processors in the past.  Those include i860, Alpha, MIPS, Fairchild Clipper, PowerPC, Itanium, SPARC, 286, 386, IA-32, x86, x64, and the newest one is ARM.  Most of these processors are antiquated now.  The common ones now are IA-32, x86, x64.  However Windows has started supporting ARM processors in order to jump into the portable devices arena.  You will find them in the Microsoft Surface RT, Windows Phones, and other things in the future I am sure.  So you may be saying that these devices are locked, and cannot be debugged.  That is true from a live debug perspective, but you can get memory dumps and application dumps from them and those can be debugged.

     

    Processor

     

    There are limitations on ARM processors that Windows supports.  There are 3 System on Chip (SOC) vendors that are supported.  nVidia, Texas-Instruments, and Qualcomm. Windows only supports the ARMv7 (Cortex, Scorpion) architecture in ARMv7-A in (Application Profile) mode.  This implements a traditional ARM architecture with multiple modes and supporting a Virtual Memory System Architecture (VMSA) based on an MMU.  It supports the ARM and Thumb-2 instruction sets which allows for a mixture of 16 (Thumb) and 32 (ARM) bit opcodes.  So it will look strange in the assembly.  Luckily the debuggers know this and handle it for you.  This also helps to shrink the size of the assembly code in memory.  The processor also has to have the Optional ISA extensions of VFP (Hardware Floating Point) and NEON (128-bit SIMD Architecture).

     

    In order to understand the assembly that you will see you need to understand the processor internals.

     

    ARM is a Reduced Instruction Set Computer (RISC) much like some of the previous processors that Windows ran on.  It is a 32 bit load/store style processor.  It has a “Weakly-ordered” memory model: similar to Alpha and IA64, and it requires specific memory barriers to enforce ordering.  In ARM devices these as ISB, DSB, and DMB instructions.

     

    Registers

     

    The processor has 16 available registers r0 – r15.

    0: kd> r

    r0=00000001  r1=00000000  r2=00000000  r3=00000000  r4=e1820044  r5=e17d0580

    r6=00000001  r7=e17f89b9  r8=00000002  r9=00000000 r10=1afc38ec r11=e1263b78

    r12=e127813c  sp=e1263b20  lr=e16c12c3  pc=e178b6d0 psr=00000173 ----- Thumb

     

    r0, r1, r2, r3, and r12 are volatile registers.  Volatile registers are scratch registers presumed by the caller to be destroyed across a call.  Nonvolatile registers are required to retain their values across a function call and must be saved by the callee if used. 

     

    On Windows four of these registers have a designated purpose.  Those are:

    • PC (r15) – Program Counter (EIP on x86)
    • LR (r14) – Link Register.  Used as a return address to the caller.
    • SP (r13) – Stack Pointer (ESP on x86).
    • R11 – Frame Pointer (EBP on x86).
    • CPSR – Current Program Status Register (Flags on x86).

     

    In Windbg all but r11 will be labeled appropriately for you.  So you may be asking why r11 is not labeled “fp” in the debugger.  That is because r11 is only used as a frame pointer when you are calling a non-leaf subroutine.  The way it works is this: when a call to a non-leaf subroutine is made, the called subroutine pushes the value of the previous frame pointer (in r11) to the stack (right after the lr) and then r11 is set to point to this location in the stack, so eventually we end up with a linked list of frame pointers in the stack that easily enables the construction of the call stack. The frame pointer is not pushed to the stack in leaf functions.  Will discuss leaf functions later.

     

    CPSR (Current Program Status Register)

     

    Now we need to understand some about the CPSR register.  Here is the bit breakdown:

    31

    30

    29

    28

    27

    26

    25

    24

    23

    22

    21

    20

    19

    18

    17

    16

    15

    14

    13

    12

    11

    10

    9

    8

    7

    6

    5

    4

    3

    2

    1

    0

    N

    Z

    C

    V

    Q

    IT

    J

    Reserved

    GE

    IT

    E

    A

    I

    F

    T

    M

     

    • Bits [31:28] – Condition Code Flags
      • N – bit 31 – If this bit is set, the result was negative.  If bit is cleared the result was positive or zero.
      • Z – bit 30 – If set this bit indicates the result was zero or values compared were equal.  If it is cleared, the value is non-zero or the compared values are not equal.
      • C – bit 29 – If this bit is set the instruction resulted in a carry condition.  E.g. Adding two unsigned values resulted in a value too large to be strored.
      • V – bit 28 – If this bit is set then the instruction resulted in an overflow condition.  E.g. An overflow of adding two signed values.
    • Instructions variants ending with ‘s’ set the condition codes (mov/movs)
    • E – bit 9 – Endianness (big = 1/Little = 0)
    • T – bit 5 – Set if executing Thumb instructions
    • M – bits [4:0] – CPU Mode (User 10000/Supervisor 10011)

     

    So why do I need to know about the CPSR (Current Program Status Register)?  You will need to know where some of these bits are due to how some of the assembly instruction affect these flags.  Example of this is:

     

    ADD will add two registers together, or add an immediate value to a register.  However it will not affect the flags.

     

    ADDS will do the same as ADD, but it does affect the flags.

     

    MOV will allow you to move a value into a register, and a value between registers.  This is not like the x86/x64.  MOV will not let you read or write to memory.  This does not affect the flags.

     

    MOVS does the same thing as MOV, but it does affect the flags.

     

    I hope you are seeing a trend here.  There are instructions that will look the same.  However if they end in “S” then you need to know that this will affect the flags.  I am not going to list all of those assembly instructions here.  Those are already listed in the ARM Architecture Reference Manual ARMv7-A and ARMv7-R edition at http://infocenter.arm.com/help/topic/com.arm.doc.ddi0406b/index.html.

     

    So now we have an idea of what can set the flags.  Now we need to understand what the flags are used for.  They are mainly used for branching instructions.  Here is an example:

    003a11d2 429a     cmp         r2,r3

    003a11d4 d104     bne         |MyApp!FirstFunc+0x28 (003a11e0)|

     

    The first instruction in this code (cmp) compares the value stored in register r2 to the value stored in register r3. This comparison instruction sets or resets the Z flag in the CPSR register. The second instruction is a branch instruction (b) with the condition code ne which means that if the result of the previous comparison was that the values are not equal (the CPSR flag Z is zero) then branch to the address MyApp!FirstFunc+0x28 (003a11e0). Otherwise the execution continues.

     

    There are a few compare instructions.  “cmp” subtracts two register values, sets the flags, and discards the result.  “cmn” adds two register values, sets the flags, and discards the results.  “tst” does a bit wise AND of two register values, sets the flags, and discards the results.  There is even an If Then (it) instruction.  I am not going to discuss that one here as I have never seen it in any of the Windows code.

     

    So is “bne” the only branch instruction?  No.  There is a lot of them.  Here is a table of things that can be seen beside “b”, and what they check the CPSR register:

    Mnemonic

    Extension

    Meaning (Integer)

    Condition Flags (in CPSR)

    EQ

    Equal

    Z==1

    NE

    Not Equal

    Z==0

    MI

    Negative (Minus)

    N==1

    PL

    Positive or Zero (Plus)

    N==0

    HI

    Unsigned higher

    C==1 and Z==0

    LS

    Unsigned lower or same

    C==0 or Z==1

    GE

    Signed greater than or equal

    N==V

    LT

    Signed less than

    N!=V

    GT

    Signed greater than

    Z==0 and N==V

    LE

    Signed less than or equal

    Z==1 or N!=V

    VS

    Overflow

    V==1

    VC

    No overflow

    V==0

    CS

    Carry set

    C==1

    CC

    Carry clear

    C==0

    None (AL)

    Execute always

     

     

    Floating Point Registers

     

    As mentioned earlier the processor also has to have the ISA extensions of VFP (Hardware Floating Point) and NEON (128-bit SIMD Architecture).  Here is what they are.

    Floating Point

     

    As you can see this is 16 – 64bit regiters (d0-d15) that is overlaid with 32 – 32bit registers (s0-s31).  There are varieties of the ARM processor that has 32 – 64bit registers and 64 – 32bit registers.  Windows 8 will support both 16 and 32 register variants.  You have to be careful when using these, because if you access unaligned floats you may cause an exception.

     

    SIMD (NEON)

     

    As you can see here the SIMD (NEON) extension adds 16 – 128 bit registers (q0-q15) onto the floating point registers.  So if you reference Q0 it is the same as referencing D0-D1 or S0-S1-S2-S3.

     

    In part 2 we will discuss how Windows utilizes this processor.

  • Ntdebugging Blog

    The Compiler Did What?

    • 0 Comments

    I was recently investigating a crash in an application.  As I researched the issue I found a very old defect in the code that was only recently being exposed by the compiler.

     

    The crash occurred at the below instruction because the ebx register does not hold a valid pointer.

     

    0:001> r

    eax=d9050cf7 ebx=003078c0 ecx=6e2e0000 edx=00000000 esi=00000001 edi=0c334468

    eip=65637fbe esp=010eb408 ebp=010eb878 iopl=0         nv up ei pl nz na po nc

    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202

    riched20!CTxtSelection::CreateCaret+0x429:

    65637fbe 8b4b1c          mov     ecx,dword ptr [ebx+1Ch] ds:002b:003078dc=????????

    0:001> dd 003078c0

    003078c0  ???????? ???????? ???????? ????????

    003078d0  ???????? ???????? ???????? ????????

    003078e0  ???????? ???????? ???????? ????????

    003078f0  ???????? ???????? ???????? ????????

    00307900  ???????? ???????? ???????? ????????

    00307910  ???????? ???????? ???????? ????????

    00307920  ???????? ???????? ???????? ????????

    00307930  ???????? ???????? ???????? ????????

     

    Examining the assembly leading up to the crash, ebx came from [ebp-40c].

     

    0:001> ub .

    riched20!CTxtSelection::CreateCaret+0x408:

    65637f9d 6a08            push    8

    65637f9f ff156cf06465    call    dword ptr [riched20!_imp__CreateBitmap (6564f06c)]

    65637fa5 898784000000    mov     dword ptr [edi+84h],eax

    65637fab eb06            jmp    riched20!CTxtSelection::CreateCaret+0x41e (65637fb3)

    65637fad 8bb5e4fbffff    mov     esi,dword ptr [ebp-41Ch]

    65637fb3 8b9df4fbffff    mov    ebx,dword ptr [ebp-40Ch]

    65637fb9 ff775c          push    dword ptr [edi+5Ch]

    65637fbc 6a01            push    1

    0:001> dd @ebp-40c l1

    010eb46c  003078c0

     

    Looking at the whole function, [ebp-40c] was populated at the beginning of the function as the contents of edi+1C. The contents of edi+1Ch were first moved into ecx and later the value of ecx was moved into [ebp-40Ch].    Further examination of the whole function showed the edi register is unchanged at the time of the crash, so I can use its current value to determine what [ebp-40c] should contain.

     

    0:001> uf riched20!CTxtSelection::CreateCaret

    riched20!CTxtSelection::CreateCaret:

    65637b95 8bff            mov     edi,edi

    65637b97 55              push    ebp

    65637b98 8bec            mov     ebp,esp

    65637b9a 81ec5c040000    sub     esp,45Ch

    65637ba0 a100e06465      mov     eax,dword ptr [riched20!__security_cookie (6564e000)]

    65637ba5 33c5            xor     eax,ebp

    65637ba7 8945fc          mov     dword ptr [ebp-4],eax

    65637baa 53              push    ebx

    65637bab 56              push    esi

    65637bac 57              push    edi

    65637bad 8bf9            mov     edi,ecx

    65637baf 8b4f1c          mov    ecx,dword ptr [edi+1Ch] <<< The value originates from [edi+1Ch]

    65637bb2 0fbf4740        movsx   eax,word ptr [edi+40h]

    65637bb6 898df4fbffff    mov    dword ptr [ebp-40Ch],ecx <<< Store the value on the stack

    <snip>

    65637fb3 8b9df4fbffff    mov    ebx,dword ptr [ebp-40Ch] <<< Read the value from the stack

    <snip>

    65637fbe 8b4b1c          mov    ecx,dword ptr [ebx+1Ch] <<< Crash here because ebx is invalid

    <snip>

     

    The expected value of [ebp-40C], and thus the expected value of the ebx register, is 091978c0 based on the value in [edi+1Ch] at the time of the crash.  This would be a valid pointer and is not what is currently in [ebp-40C] or ebx.  It is noteworthy that at the time of the crash, ebx is similar to what should be there, it differs only by the high word of the dword.

     

    0:001> r ebx

    ebx=003078c0

     

    0:001> dd @edi+1c l1

    0c334484  091978c0

     

    The expected value, 091978c0, is a valid pointer.

     

    0:001> dd 091978c0

    091978c0  091978c8 00000000 00000501 05000000

    091978d0  00000015 076c1a27 2a372f35 0c2e3998

    091978e0  000049aa 00000000 00000000 00000000

    091978f0  00000000 00000000 00000000 00000000

    09197900  00000000 00000000 00000000 00000000

    09197910  00000000 00000000 00000000 00000000

    09197920  1a3098a8 00000000 00000000 00000000

    09197930  00000000 00000000 00000000 00000000

     

    Somehow the value at ebp-40C was changed between instruction 65637bb6, where [ebp-40C] was set, and instruction 65637fb3 where [ebp-40C] was read.  Fortunately I had a mechanism to reproduce this crash so I was able to set a breakpoint and trace through how this happened.

     

    First I set a breakpoint on the instruction that populates [ebp-40C].

     

    0:003> bp 65637bb6

    0:003> g

    Breakpoint 0 hit

    eax=ffffffff ebx=0c334468 ecx=091978c0 edx=00000060 esi=091978c0 edi=0c334468

    eip=65637bb6 esp=010eb410 ebp=010eb878 iopl=0         nv up ei pl nz na pe nc

    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206

    riched20!CTxtSelection::CreateCaret+0x21:

    65637bb6 898df4fbffff    mov     dword ptr [ebp-40Ch],ecx ss:002b:010eb46c=00000000

     

    Next I calculated ebp-40C and set a break on write access breakpoint.

     

    0:001> ?@ebp-40c

    Evaluate expression: 17740908 = 010eb46c

    0:001> ba w4 010eb46c

    0:001> g

    Breakpoint 1 hit

    eax=00000030 ebx=00000000 ecx=00000000 edx=00000020 esi=00000001 edi=0c334468

    eip=65637f67 esp=010eb40c ebp=010eb878 iopl=0         nv up ei pl zr na pe nc

    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

    riched20!CTxtSelection::CreateCaret+0x3d2:

    65637f67 66898475f4fbffff mov     word ptr [ebp+esi*2-40Ch],ax ss:002b:010eb46e=0919

     

    The write breakpoint hit at a location I was not expecting.  The instruction where the breakpoint hit is not modifying the variable that was stored at [ebp-40C].

     

    Although I cannot share the Windows source code on this blog, the code in question roughly resembles the below example.  Note that a proficient assembly language reader could figure out the code flow, this example is not sharing any magic.

     

    Struct1*    p1;

    WORD        array[512];

    p1 = GetStruct1();

    array[i-2] = 0x30;

    p1->p = variable2; // Crash here because p1 is not a valid pointer

     

    We are crashing because p1 is not a valid pointer.  The high word of p1 is being overwritten as 0030 by the line “array[i-2] = 0x30;” because i is 1, leading to an underflow of the array.  This underflow is corrupting the pointer in p1.

     

    0:001> r ebx

    ebx=003078c0

     

    Clearly there is a defect in the above code.  If it is legitimate for i to be 1 (and it is), then a check must be made to prevent an underflow of the array.  However further research found that this code has been consistent for many years and many releases of the product.  Why is this suddenly crashing now?  As the bank robber in Dirty Harry said, “I gots to know."

     

    In the above assembly we calculate that “array” starts at ebp-408 (assuming i is always 2 or greater, 2*2-40c is -408).  In the earlier assembly we see that p1 is placed at ebp-40c.  In this configuration an underflow of “array” will always corrupt p1.

     

    Examining the assembly on a system that does not crash, I found that the local variables are stored differently in a different version of this binary.  In the beginning of the function we see that p1 is stored in ebx.  In this version of the binary ebx is never stored on the stack, so it cannot be corrupted by an underflow.

     

    0:000> uf riched20!CTxtSelection::CreateCaret

    riched20!CTxtSelection::CreateCaret:

    74e75c53 8bff            mov     edi,edi

    74e75c55 55              push    ebp

    74e75c56 8bec            mov     ebp,esp

    74e75c58 81ec58040000    sub     esp,458h

    74e75c5e a19010e974      mov     eax,dword ptr [riched20!__security_cookie (74e91090)]

    74e75c63 53              push    ebx

    74e75c64 56              push    esi

    74e75c65 8bf1            mov     esi,ecx

    74e75c67 8b5e1c          mov    ebx,dword ptr [esi+1Ch]

     

    The code that populates array[i-2] with 0x30 is later in the function.  In this version, array is stored at ebp-404.  If there is an underflow it will corrupt ebp-408.

     

    riched20!CTxtSelection::CreateCaret+0x3e1:

    74e76034 66c7847df8fbffff3000 mov word ptr [ebp+edi*2-408h],30h

     

    The value stored at ebp-408 is used in several places in this function, however it is never used after instruction 74e76034 executes.  This means any underflow in the array only corrupts memory that is not used after the corruption, and as a result the corruption never results in a crash.  Although this defect has existed for a long time, the compiler has protected us until now.

     

    74e75d3f 0b85f8fbffff    or      eax,dword ptr [ebp-408h]

    74e75e51 ffb5f8fbffff    push    dword ptr [ebp-408h]

    74e75e8a 8b8df8fbffff    mov     ecx,dword ptr [ebp-408h]

    74e75f20 398df8fbffff    cmp     dword ptr [ebp-408h],ecx

    74e75fec 8b85f8fbffff    mov     eax,dword ptr [ebp-408h]

     

    The issue discussed in this article was addressed as part of KB2883200.

  • Ntdebugging Blog

    We Are Hiring Windows Escalation Engineers in Charlotte and Issaquah

    • 1 Comments

    Would you like to join the world’s best and most elite debuggers to enable the success of Microsoft solutions?

     

    As a trusted advisor to our top customers you will be working with to the most experienced IT professionals and developers in the industry. You will influence our product teams in sustained engineering efforts to drive improvements in our products.

     

    This role involves deep analysis of product source code and debugging to solve problems in multi-million dollar configurations and will give you an opportunity to stretch your critical thinking skills. During the course of debugging, you will uncover opportunities to improve the customer experience while influencing the current and future design of our products.

     

    In addition to providing support to customers while being the primary interface to our sustained engineering teams, you will also have the opportunity to work with new technologies and unreleased software. Through our continuous investment in depth training and hands-on experience with tough customer challenges you will become the world’s best in this area. Expect to partner with many various roles at Microsoft launching a very successful career!

     

    We have positions open at our sites in Charlotte, NC USA; and Issaquah, WA USA.

     

    Learn more about what an Escalation Engineer does at:

    Profile: Ron Stock, CTS Escalation Engineer - Microsoft Customer Service & Support - What is CSS?

    Microsoft JobsBlog JobCast with Escalation Engineer Jeff Dailey

    Microsoft JobsBlog JobCast with Escalation Engineer Scott Oseychik

     

    Apply here:

    Charlotte: http://www.microsoft-careers.com/job/Charlotte-Escalation-Engineer-Job-NC-28201/23321500/

    Issaquah: https://careers.microsoft.com/jobdetails.aspx?ss=&pg=0&so=&rw=8&jid=122974&jlang=EN&pp=SS

  • Ntdebugging Blog

    Great power. Great responsibility.

    • 1 Comments

    When it comes to the registry, administrators are given great power to manually configure Windows to suit their needs, but even slight, seemingly innocuous changes to a particular key or value can have a drastic impact on basic operations of the system, even affecting its ability to boot properly.

     

    I recently had the pleasure of the debugging a black-screen system hang that occurred after applying security updates and rebooting.  After ruling out any “low-hanging fruit” such as deadlocks on executive resources, resource depletion, etc., I decided to survey how far along the boot had gotten.  In the output below we can tell that it’s fairly early in the boot process and that session zero is currently being setup.

     

    When a new session is created, the “Session Leader”(i.e. smss.exe instance not associated with a particular session) launches a new instance of smss.exe, who is then tasked with ensuring that the Windows subsystem gets setup properly, which includes loading and initializing win32k.sys and launching csrss.exe.

     

    3: kd> !process 0 0

    **** NT ACTIVE PROCESS DUMP ****

    PROCESS 8e282840  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000

        DirBase: 00122000  ObjectTable: 97801e18  HandleCount: 554.

        Image: System

     

    PROCESS 94153ad8  SessionId: none  Cid: 0390    Peb: 7ffdf000  ParentCid: 0004

        DirBase: 03368020  ObjectTable: a13564f0  HandleCount:  19.

        Image: smss.exe

     

    PROCESS 92a55d90  SessionId: 0  Cid: 03c8    Peb: 7ffd9000  ParentCid: 0390

        DirBase: 03368040  ObjectTable: a95606e0  HandleCount:  10.

        Image: smss.exe

     

    PROCESS 92a56c48  SessionId: 0  Cid: 03d4    Peb: 7ffd9000  ParentCid: 03c8

        DirBase: 03368060  ObjectTable: a959ea28  HandleCount:  30.

        Image: csrss.exe

     

    So let’s dump out the threads for these session zero processes and see what they’re doing:

     

    1.  Notice how the Session Manager thread has been waiting for more than fifteen minutes for the Windows subsystem to load and initialize.

     

    3: kd> !process /s 0 0 0x17

    Searching processes with session id 0

    **** NT ACTIVE PROCESS DUMP ****

    PROCESS 92a55d90  SessionId: 0  Cid: 03c8    Peb: 7ffd9000  ParentCid: 0390

        DirBase: 03368040  ObjectTable: a95606e0  HandleCount:  10.

        Image: smss.exe

        VadRoot 941e0578 Vads 8 Clone 0 Private 21. Modified 535. Locked 0.

        DeviceMap 97808b98

        Token                             a95767b8

        ElapsedTime                       00:15:32.714

        UserTime                          00:00:00.000

        KernelTime                        00:00:00.000

        QuotaPoolUsage[PagedPool]         6952

        QuotaPoolUsage[NonPagedPool]      384

        Working Set Sizes (now,min,max)  (125, 50, 345) (500KB, 200KB, 1380KB)

        PeakWorkingSetSize                125

        VirtualSize                       2 Mb

        PeakVirtualSize                   4 Mb

        PageFaultCount                    120

        MemoryPriority                    BACKGROUND

        BasePriority                      8

        CommitCharge                      29

     

            THREAD 92a5d030  Cid 03c8.03cc  Teb: 7ffdf000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable

                941df930  SynchronizationEvent

                92a56c48  ProcessObject

            Not impersonating

            DeviceMap                 97808b98

            Owning Process            92a55d90       Image:         smss.exe

            Attached Process          N/A            Image:         N/A

            Wait Start TickCount      1896           Ticks: 59778 (0:00:15:32.542)

            Context Switch Count      94             IdealProcessor: 0            

            UserTime                  00:00:00.000

            KernelTime                00:00:00.046

            Win32 Start Address smss!NtProcessStartupW (0x4857d9a2)

            Stack Init 9dc89000 Current 9dc888c0 Base 9dc89000 Limit 9dc86000 Call 0

            Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

            Kernel stack not resident.

            ChildEBP RetAddr  Args to Child             

            9dc888d8 81eb923a 92a5d030 97cb5120 92a5d0b8 nt!KiSwapContext+0x26

            9dc8891c 81eb4bca 92a5d030 00000000 00000002 nt!KiSwapThread+0x44f

            9dc88970 82040e83 00000002 9dc88aa8 00000001 nt!KeWaitForMultipleObjects+0x53d

            9dc88bfc 82040bf2 00000002 00000001 00000000 nt!ObpWaitForMultipleObjects+0x256

            9dc88d48 81e57c96 00000002 0008fb38 00000001 nt!NtWaitForMultipleObjects+0xcc

            9dc88d48 778d5d14 00000002 0008fb38 00000001 nt!KiSystemServicePostCall

            0008fac4 778d54a0 4857cc7e 00000002 0008fb38 ntdll!KiFastSystemCallRet

            0008fac8 4857cc7e 00000002 0008fb38 00000001 ntdll!NtWaitForMultipleObjects+0xc

            0008fb40 48579296 0008fb78 0008fb68 0008fbb0 smss!SmscpLoadSubSystem+0x9b

            0008fb80 4857ca8a 0008fbb0 00000000 00000000 smss!SmpExecuteCommand+0x8d

            0008fbc4 4857d0bc 00000000 00000000 00000000 smss!SmscpLoadSubSystemsForMuSession+0x182

            0008fbe8 4857b678 00000003 002417d8 00000000 smss!SmscMain+0xc2

            0008fc7c 4857d988 00000003 002417d8 002417e8 smss!wmain+0x50

            0008fcc0 77886885 00241898 779bde2d 00000000 smss!NtProcessStartupW_AfterSecurityCookieInitialized+0x221

            0008fd00 778b15d6 4857d9a2 7ffd9000 ffffffff ntdll!__RtlUserThreadStart+0x35

            0008fd18 00000000 4857d9a2 7ffd9000 00000000 ntdll!_RtlUserThreadStart+0x1b

     

    2.  Also, we can see that there’s a single active thread within the csrss.exe process, which is a red flag because we know that csrss.exe hosts the Desktop Thread and Raw Input Thread, among others.

     

    The user-mode portion of the Windows subsystem is implemented in csrss.exe and associated “ServerDlls” such as csrsrv.dll, winsrv.dll, basesrv.dll and, on Windows 7 and later, sxssrv.dll.  Also, csrss.exe hosts the Desktop thread and Raw Input thread, whose primary functions include handling inputs from the various input devices.

     

    PROCESS 92a56c48  SessionId: 0  Cid: 03d4    Peb: 7ffd9000  ParentCid: 03c8

        DirBase: 03368060  ObjectTable: a959ea28  HandleCount:  30.

        Image: csrss.exe

        VadRoot 9391c128 Vads 33 Clone 0 Private 193. Modified 60. Locked 0.

        DeviceMap 97808b98

        Token                             a9598b30

        ElapsedTime                       00:15:32.558

        UserTime                          00:00:00.000

        KernelTime                        00:00:03.182

        QuotaPoolUsage[PagedPool]         48312

        QuotaPoolUsage[NonPagedPool]      1584

        Working Set Sizes (now,min,max)  (582, 50, 345) (2328KB, 200KB, 1380KB)

        PeakWorkingSetSize                7285

        VirtualSize                       23 Mb

        PeakVirtualSize                   48 Mb

        PageFaultCount                    49628

        MemoryPriority                    BACKGROUND

        BasePriority                      13

        CommitCharge                      248

     

            THREAD 942c5590  Cid 03d4.03e4  Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable

                915e4078  NotificationEvent

            Not impersonating

            DeviceMap                 97808b98

            Owning Process            92a56c48       Image:         csrss.exe

            Attached Process          N/A            Image:         N/A

            Wait Start TickCount      2516           Ticks: 59158 (0:00:15:22.870)

            Context Switch Count      1              IdealProcessor: 0            

            UserTime                  00:00:00.000

            KernelTime                00:00:00.000

            Win32 Start Address ati2mtag!IRQMGR_WorkerThreadRoutine (0xa1ccf340)

            Stack Init 9dcfd000 Current 9dcfcc30 Base 9dcfd000 Limit 9dcfa000 Call 0

            Priority 13 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5

            ChildEBP RetAddr  Args to Child             

            9dcfcc48 81eb923a 942c5590 942c5618 00000000 nt!KiSwapContext+0x26

            9dcfcc8c 81e54f38 942c5590 00000000 942c5590 nt!KiSwapThread+0x44f

            9dcfcce4 a1d78724 915e4078 00000000 00000000 nt!KeWaitForSingleObject+0x492

            9dcfcd00 a1c13340 908be398 915e4070 00000000 VIDEOPRT!VideoPortWaitForSingleObject+0x53

            9dcfcd14 a1cce17f 908be398 915e4070 00000000 ati2mtag!IRQMgrMP_WaitForSingleObject+0x20

            9dcfcd6c a1ccf355 93f45000 93f45000 9dcfcdc0 ati2mtag!PassiveRing_WorkerThreadRoutine+0x6f

            9dcfcd7c 81fe301c 93f45000 ad8fc28d 00000000 ati2mtag!IRQMGR_WorkerThreadRoutine+0x15

            9dcfcdc0 81e4beee a1ccf340 93f45000 00000000 nt!PspSystemThreadStartup+0x9d

            00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

     

    3.  Having seen this, we now know why the system is perpetually hung:  Csrss.exe is not running properly.  Because there is a video driver worker thread running, but the Desktop Thread and Raw Input Thread are not running, it appears that csrss has attempted to terminate.  The termination has not completed because of the video-driver worker thread performing a non-alertable wait.

     

    4.  Next, we need to check for any state in the dump that might tell us why csrss.exe attempted to terminate:

     

    3: kd> dt nt!eprocess 92a56c48 LastThreadExitStatus

       +0x184 LastThreadExitStatus : 0n-1073741619

     

    3: kd> !error 0n-1073741619

    Error code: (NTSTATUS) 0xc00000cd (3221225677) - The name limit for the local computer network adapter card was exceeded.

     

    After a quick search for STATUS_TOO_MANY_NAMES (0xc00000cd) through the source code, I was able to theorize that csrss.exe may have attempted the termination due to invalid command-line parameters.

     

    3: kd> vertarget

    Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x86 compatible

    Product: Server, suite: Enterprise TerminalServer SingleUserTS

    Built by: 6002.18881.x86fre.vistasp2_gdr.130707-1535

    Machine Name:

    Kernel base = 0x81e0d000 PsLoadedModuleList = 0x81f24c70

    Debug session time: Fri Oct 25 05:10:34.030 2013 (UTC - 5:00)

    System Uptime: 0 days 0:16:02.134

     

    3: kd> .process /p /r 92a56c48

    Implicit process is now 92a56c48

    Loading User Symbols

    .............

     

    3: kd> !peb

    PEB at 7ffd9000

    CommandLine:  'C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,1024 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16'

     

    Sure enough, there was additional command-line parameter that was not recognized on Vista/Windows Server 2008 SP2 (supported only on Windows 7 and later).  Once the invalid command-line parameter was removed, the server was able to boot normally again.

     

    So how did the invalid value get there?  It turns out that a logon script was setting the following registry value using an export from a Windows 7/Windows 2008 R2 machine where ServerDll=sxssrv,4 is a valid value.

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

    Name:  Windows

    Type:  REG_EXPAND_SZ

     

    Well, that concludes today’s segment, but in the timeless words of Uncle Ben remember “with great power comes great responsibility.”  As we just saw, this applies not only to those possessing a spider-sense, but also to Windows administrators.  J

     

    Until next time, happy debugging!

  • Ntdebugging Blog

    Debugging a Generation 2 Virtual Machine

    • 1 Comments

    Hyper-V is based on the 440BX (PCI) chipset for emulation. The decision to use this chipset started years ago with Connectix Virtual PC.  The advantage of using an emulated chipset based on a popular motherboard like the 440BX, along with associated peripherals, is the compatibility with a large number of operating systems.

     

    Windows Server 2012 R2 introduced the Generation 2 Virtual Machine. It is a UEFI based design, removing emulated devices and replacing them with synthetic devices. Generation 2 VMs no longer support the following devices:

    • Legacy BIOS
    • COM Ports
    • Floppy Controller
    • DMA Controller
    • i8042 keyboard controller
    • PS/2 devices
    • Legacy NIC
    • IDE Controller
    • S3 video
    • PCI BUS
    • Programmable Interrupt Controller
    • Programmable Interrupt Timer
    • Super I/O Device

     

    After reading this list you might ask the question – how do I debug a Generation 2 VM?

     

    The COM port is not actually removed from a Generation 2 VM. The port is turned off by default and not present in the user interface. To enable it for debugging use the following steps.

     

    1.  Shutdown the VM.  You can verify the VM is off using the below PowerShell command.

     

    2.  Turn off secure boot using the following PowerShell Command.

    set-vmfirmware

    image002

     

    3.  Set a COM port path using the following PowerShell command where the path is equal the named pipe.

    set-vmcomport

    image003

     

    4.  To confirm the COM port settings after making the change, use the following command.

    get-vmcomport

    image004

     

    5.  Restart the Virtual Machine using the following command.

    Start-VM –Name VM2

    image005

     

    6.  Inside the guest VM, you can confirm that UEFI has been disabled with the following command. The results are False if UEFI was successfully disabled in step 2 above.

    Confirm-SecureBootUEFI

    image006

     

    7.  Enable Kernel Debugging using BCDEdit.

    BCDEdit /debug ON

    image007

    image008

     

    8.  Configure the debugger to connect to the pipe:

    KernelDebug1

     

    9.  Connect the debugger and break in with Ctrl+Break:

    KernelDebug2

  • Ntdebugging Blog

    Performance Monitor Averages, the Right Way and the Wrong Way

    • 3 Comments

    Performance Monitor (perfmon) is the preferred tool to measure the performance of Windows systems.  The perfmon tool provides an analysis view with a chart and metrics of the Last, Average, Minimum, and Maximum values.

     

    There are scenarios where the line in the chart is the most valuable piece of information, such as a memory leak.  Other times we may not be looking for a trend, the Last, Average, Minimum, and Maximum metrics may be valuable.  One example where the metrics are valuable is when evaluating average disk latency over a period of time.  In this article we are going to use disk latency counters to illustrate how metrics are calculated for performance counters.  The concepts we will illustrate with disk latency apply to all performance counters.  This article will not be a deep dive into understanding disk latency, there are already many sources of information on that topic.

     

    Most performance counter metrics are pretty straightforward.  The minimum and maximum metrics are self-explanatory.  The last metric is the last entry in the data.  The metric that is confusing is the average.  When calculating averages it is important to consider the cardinality of the data.  This is especially important when working with data that is already an average, such as the Avg. Disk sec/Read counter which displays the average time per each read from a disk.

     

    Perfmon logs are gathered at a specific time interval, such as every 15 seconds.  At every interval the counters are read and an entry is written to the log.  In this interval there may have been many reads from the disk, a few reads, or there may have been none.  The number of reads performed is a critical aspect of the average calculation, this is the cardinality of the data.

     

    Consider the following 10 entries in a perfmon log:

    1 reads took 150ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

    0 reads took 0 ms

     

    Often, averages are calculated by adding a column of numbers and dividing by the number of entries.  However this calculation does not work for the above data.  If we simply add and divide we get an average latency of 15ms (150 / 10) per read, but this is clearly incorrect.  There has been 1 read performed and it took 150ms, therefore the average latency is 150ms per read.  Depending on the system configuration, an average read latency of less than 20ms may be considered fast and more than 20ms may be considered slow.  If we perform the calculation incorrectly we may believe the disk is performing adequately while the correct calculation shows the disk is actually very slow.

     

    What data is used to calculate averages?

    Let’s take a look at the data perfmon is working with.  Perfmon stores data in two different structures.  Formatted values are stored as PDH_FMT_COUNTERVALUE.  Raw values are stored as PDH_RAW_COUNTER.

     

    Formatted values are just plain numbers.  They contain only the result of calculating the average of one or more raw values, but not the raw data used to obtain that calculation.  Data stored in a perfmon CSV or TSV file is already formatted, which means they contain a column of floating point numbers.  If our previous example was stored in a CSV or TSV we would have the following data:

    0.15

    0.00

    0.00

    0.00

    0.00

    0.00

    0.00

    0.00

    0.00

    0.00

     

    The above numbers contain no information about how many reads were performed over the course of this log.  Therefore it is impossible to calculate an accurate average from these numbers.  That is not to say CSV and TSV files are worthless, there are many performance scenarios (such as memory leaks) where the average is not important.

     

    Raw counters contain the raw performance information, as delivered by the performance counter to pdh.dll.  In the case of Avg. Disk sec/Read the FirstValue contains the total time for all reads and the SecondValue contains the total number of reads performed.  This information can be used to calculate the average while taking into consideration the cardinality of the data.

     

    Again using the above example, the raw data would look like this:

    FirstValue: 0

    SecondValue: 0

    FirstValue: 2147727

    SecondValue: 1

    FirstValue: 2147727

    SecondValue: 1

     

    On first look the above raw data does not resemble our formatted data at all.  In order to calculate the average we need to know what the correct algorithm is.  The Avg. Disk sec/Read counter is of type PERF_AVERAGE_TIMER and the average calculation is ((Nx - N0) / F) / (Dx - D0).  N refers to FirstValue in the raw counter data, F refers to the number of ticks per second, and D refers to SecondValue.  Ticks per second can be obtained from the PerformanceFrequency parameter of KeQueryPerformanceCounter, in my example it is 14318180.

     

    Using the algorithm for PERF_AVERAGE_TIMER the calculation for the formatted values would be:

    ((2147727 - 0) / 14318180) / (1 - 0) = 0.15

    ((2147727 - 2147727) / 14318180) / (1 - 1) = 0*

    *If the denominator is 0 there is no new data and the result is 0.

     

    Because the raw counter contains both the number of reads performed during each interval and the time it took for these reads to complete, we can accurately calculate the average for many entries.

     

    If you’ve taken the time to read this far you may be wondering why I have taken the time to explain such a mundane topic.  It is important to explain how this works because many performance tools are not using the correct average calculation and many users are trying to calculate averages using data that is not appropriate for such calculations (such as CSV and TSV files).  Programmers should use PdhComputeCounterStatistics to calculate averages and should not sum and divide by the count or duplicate the calculations described in MSDN.

     

    Recently we have found that under some conditions perfmon will use the incorrect algorithm to calculate averages.  When reading from log files perfmon has been formatting the values, summing them, and dividing by the number of entries.  This issue has been corrected in perfmon for Windows 8/Server 2012 with KB2877211 and for Windows 8.1/Server 2012 R2 as part of KB2883200.  We recommend using these fixes when analyzing perfmon logs to determine the average of a performance counter.  Note that KB2877211/KB2883200 only change the behavior when analyzing logs, there is no change when the data is collected.  This means you can collect performance logs from any version of Windows and analyze them on a system with these fixes installed.

  • Ntdebugging Blog

    ResAvail Pages and Working Sets

    • 0 Comments

    Hello everyone, I'm Ray and I'm here to talk a bit about a dump I recently looked at and a little-referenced memory counter called ResAvail Pages (resident available pages).

     

    The problem statement was:  The server hangs after a while.

     

    Not terribly informative, but that's where we start with many cases. First some good housekeeping:

     

    0: kd> vertarget

    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64

    Product: Server, suite: TerminalServer SingleUserTS

    Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533

    Machine Name: "ASDFASDF1234"

    Kernel base = 0xfffff800`01665000 PsLoadedModuleList = 0xfffff800`018a8670

    Debug session time: Thu Aug  8 09:39:26.992 2013 (UTC - 4:00)

    System Uptime: 9 days 1:08:39.307

     

    Of course Windows 7 Server == Server 2008 R2.

     

    One of the basic things I check at the beginning of these hang dumps with vague problem statements is the memory information.

     

    0: kd> !vm 21

     

    *** Virtual Memory Usage ***

    Physical Memory:     2097038 (   8388152 Kb)

    Page File: \??\C:\pagefile.sys

      Current:  12582912 Kb  Free Space:  12539700 Kb

      Minimum:  12582912 Kb  Maximum:     12582912 Kb

    Available Pages:      286693 (   1146772 Kb)

    ResAvail Pages:          135 (       540 Kb)

     

    ********** Running out of physical memory **********

     

    Locked IO Pages:           0 (         0 Kb)

    Free System PTEs:   33526408 ( 134105632 Kb)

     

    ******* 12 system cache map requests have failed ******

     

    Modified Pages:         4017 (     16068 Kb)

    Modified PF Pages:      4017 (     16068 Kb)

    NonPagedPool Usage:   113241 (    452964 Kb)

    NonPagedPool Max:    1561592 (   6246368 Kb)

    PagedPool 0 Usage:     35325 (    141300 Kb)

    PagedPool 1 Usage:     28162 (    112648 Kb)

    PagedPool 2 Usage:     24351 (     97404 Kb)

    PagedPool 3 Usage:     24350 (     97400 Kb)

    PagedPool 4 Usage:     24516 (     98064 Kb)

    PagedPool Usage:      136704 (    546816 Kb)

    PagedPool Maximum:  33554432 ( 134217728 Kb)

     

    ********** 222 pool allocations have failed **********

     

    Session Commit:         6013 (     24052 Kb)

    Shared Commit:          6150 (     24600 Kb)

    Special Pool:              0 (         0 Kb)

    Shared Process:      1214088 (   4856352 Kb)

    Pages For MDLs:           67 (       268 Kb)

    PagedPool Commit:     136768 (    547072 Kb)

    Driver Commit:         15548 (     62192 Kb)

    Committed pages:     1648790 (   6595160 Kb)

    Commit limit:        5242301 (  20969204 Kb)

     

    So we're failing to allocate pool, but we aren't out of virtual memory for paged pool or nonpaged pool.  Let's look at the breakdown:

     

    0: kd> dd nt!MmPoolFailures l?9

    fffff800`01892160  000001be 00000000 00000000 00000002

    fffff800`01892170  00000000 00000000 00000000 00000000

    fffff800`01892180  00000000

     

    Where:

        yellow   = Nonpaged high/medium/low priority failures

        green    = Paged high/medium/low priority failures

        cyan      = Session paged high/medium/low priority failures

     

    So we actually failed both nonpaged AND paged pool allocations in this case.  Why?  We're "Running out of physical memory", obviously.  So where does this running out of physical memory message come from?  In the above example this is from the ResAvail Pages counter.

     

    ResAvail Pages is the amount of physical memory there would be if every working set was at its minimum size and only what needs to be resident in RAM was present (e.g. PFN database, system PTEs, driver images, kernel thread stacks, nonpaged pool, etc).

     

    Where did this memory go then?  We have plenty of Available Pages (Free + Zero + Standby) for use.  So something is claiming memory it isn't actually using.  In this type of situation one of the things I immediately suspect is process working set minimums. Working set basically means the physical memory used by a process.

     

    So let's check.

     

    0: kd> !process 0 1

     

    <a lot of processes in this output>.

     

    PROCESS fffffa8008f76060

        SessionId: 0  Cid: 0adc    Peb: 7fffffda000  ParentCid: 0678

        DirBase: 204ac9000  ObjectTable: 00000000  HandleCount:   0.

        Image: cscript.exe

        VadRoot 0000000000000000 Vads 0 Clone 0 Private 1. Modified 3. Locked 0.

        DeviceMap fffff8a000008a70

        Token                             fffff8a0046f9c50

        ElapsedTime                       9 Days 01:08:00.134

        UserTime                          00:00:00.000

        KernelTime                        00:00:00.015

        QuotaPoolUsage[PagedPool]         0

        QuotaPoolUsage[NonPagedPool]      0

        Working Set Sizes (now,min,max)  (5, 50, 345) (20KB, 200KB, 1380KB)

        PeakWorkingSetSize                1454

        VirtualSize                       65 Mb

        PeakVirtualSize                   84 Mb

        PageFaultCount                    1628

        MemoryPriority                    BACKGROUND

        BasePriority                      8

        CommitCharge                      0

     

    I have only shown one example process above for brevity's sake, but there were thousands returned.  241,423 to be precise.  None had abnormally high process working set minimums, but cumulatively their usage adds up.

     

    The “now” process working set is lower than the minimum working set.  How is that possible?  Well, the minimum and maximum are not hard limits, but suggested limits.  For example, the minimum working set is honored unless there is memory pressure, in which case it can be trimmed below this value.  There is a way to set the min and/or max as hard limits on specific processes by using the QUOTA_LIMITS_HARDWS_MIN_ENABLE flag via SetProcessWorkingSetSize.

     

    You can view if the minimum and maximum working set values are configured in the _EPROCESS->Vm->Flags structure.  Note these numbers are from another system as this structure was already torn down for the processes we were looking at.

     

    0: kd> dt _EPROCESS fffffa8008f76060 Vm

    nt!_EPROCESS

       +0x398 Vm : _MMSUPPORT

    0: kd> dt _MMSUPPORT fffffa8008f76060+0x398

    nt!_MMSUPPORT

       +0x000 WorkingSetMutex  : _EX_PUSH_LOCK

       +0x008 ExitGate         : 0xfffff880`00961000 _KGATE

       +0x010 AccessLog        : (null)

       +0x018 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa80`08f3c410 ]

       +0x028 AgeDistribution  : [7] 0

       +0x044 MinimumWorkingSetSize : 0x32

       +0x048 WorkingSetSize   : 5

       +0x04c WorkingSetPrivateSize : 5

       +0x050 MaximumWorkingSetSize : 0x159

       +0x054 ChargedWslePages : 0

       +0x058 ActualWslePages  : 0

       +0x05c WorkingSetSizeOverhead : 0

       +0x060 PeakWorkingSetSize : 0x5ae

       +0x064 HardFaultCount   : 0x41

       +0x068 VmWorkingSetList : 0xfffff700`01080000 _MMWSL

       +0x070 NextPageColor    : 0x2dac

       +0x072 LastTrimStamp    : 0

       +0x074 PageFaultCount   : 0x65c

       +0x078 RepurposeCount   : 0x1e1

       +0x07c Spare            : [2] 0

       +0x084 Flags            : _MMSUPPORT_FLAGS

    0: kd> dt _MMSUPPORT_FLAGS fffffa8008f76060+0x398+0x84

    nt!_MMSUPPORT_FLAGS

       +0x000 WorkingSetType   : 0y000

       +0x000 ModwriterAttached : 0y0

       +0x000 TrimHard         : 0y0

       +0x000 MaximumWorkingSetHard : 0y0

       +0x000 ForceTrim        : 0y0

       +0x000 MinimumWorkingSetHard : 0y0

       +0x001 SessionMaster    : 0y0

       +0x001 TrimmerState     : 0y00

       +0x001 Reserved         : 0y0

       +0x001 PageStealers     : 0y0000

       +0x002 MemoryPriority   : 0y00000000 (0)

       +0x003 WsleDeleted      : 0y1

       +0x003 VmExiting        : 0y1

       +0x003 ExpansionFailed  : 0y0

       +0x003 Available        : 0y00000 (0)

     

    How about some more detail?

     

    0: kd> !process fffffa8008f76060

    PROCESS fffffa8008f76060

        SessionId: 0  Cid: 0adc    Peb: 7fffffda000  ParentCid: 0678

        DirBase: 204ac9000  ObjectTable: 00000000  HandleCount:  0.

        Image: cscript.exe

        VadRoot 0000000000000000 Vads 0 Clone 0 Private 1. Modified 3. Locked 0.

        DeviceMap fffff8a000008a70

        Token                             fffff8a0046f9c50

        ElapsedTime                       9 Days 01:08:00.134

        UserTime                          00:00:00.000

        KernelTime                        00:00:00.015

        QuotaPoolUsage[PagedPool]         0

        QuotaPoolUsage[NonPagedPool]      0

        Working Set Sizes (now,min,max)  (5, 50, 345) (20KB, 200KB, 1380KB)

        PeakWorkingSetSize                1454

        VirtualSize                       65 Mb

        PeakVirtualSize                   84 Mb

        PageFaultCount                    1628

        MemoryPriority                    BACKGROUND

        BasePriority                      8

        CommitCharge                      0

     

    No active threads

     

    0: kd> !object fffffa8008f76060

    Object: fffffa8008f76060  Type: (fffffa8006cccc90) Process

        ObjectHeader: fffffa8008f76030 (new version)

        HandleCount: 0  PointerCount: 1

     

    The highlighted information shows us that this process has no active threads left but the process object itself (and its 20KB working set use) were still hanging around because a kernel driver had a reference to the object that it never released.  Sampling other entries shows the server had been leaking process objects since it was booted.

     

    Unfortunately trying to directly track down pointer leaks on process objects is difficult and requires an instrumented kernel, so we tried to check the easy stuff first before going that route.  We know it has to be a kernel driver doing this (since it is a pointer and not a handle leak) so we looked at the list of 3rd party drivers installed.  Note: The driver names have been redacted.

     

    0: kd> lm

    start             end                 module name

    <snip>

    fffff880`04112000 fffff880`04121e00   driver1    (no symbols)   <-- no symbols usually means 3rd party       

    fffff880`04158000 fffff880`041a4c00   driver2    (no symbols)          

    <snip>

     

    0: kd> lmvm driver1   

    Browse full module list

    start             end                 module name

    fffff880`04112000 fffff880`04121e00   driver1    (no symbols)          

        Loaded symbol image file: driver1.sys

        Image path: \SystemRoot\system32\DRIVERS\driver1.sys

        Image name: driver1.sys

        Browse all global symbols  functions  data

        Timestamp:        Wed Dec 13 12:09:32 2006 (458033CC)

        CheckSum:         0001669E

        ImageSize:        0000FE00

        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

    0: kd> lmvm driver2

    Browse full module list

    start             end                 module name

    fffff880`04158000 fffff880`041a4c00   driver2    (no symbols)          

        Loaded symbol image file: driver2.sys

        Image path: \??\C:\Windows\system32\drivers\driver2.sys

        Image name: driver2.sys

        Browse all global symbols  functions  data

        Timestamp:        Thu Nov 30 12:12:07 2006 (456F10E7)

        CheckSum:         0004FE8E

        ImageSize:        0004CC00

        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

     

    Fortunately for both the customer and us we turned up a pair of drivers that predated Windows Vista (meaning they were designed for XP/2003) that raised an eyebrow.  Of course we need a more solid evidence link than just "it's an old driver", so I did a quick search of our internal KB.  This turned up several other customers who had these same drivers installed, experienced the same problem, then removed them and the problem went away.  That sounds like a pretty good evidence link. We implemented the same plan for this customer successfully.

Page 1 of 23 (230 items) 12345»