Using .frame to force a particular stack interpretation

Jason_T.

.frame supports the invocation where you specify an = followed by rbp, rsp, rip. Has anyone ever been able to get this to work in kernel mode? No matter what combination I provide, I always get a "range error". Here is my situation:

Crash occurs in an assembly routine. Looking at the dump, the saved trap only understands the current frame (the asm routine). kb prints the asm routine name and then just raw numbers for the rest of the stack. This asm routine subtracts off a large chunk of stack to store various registers. Since I know what that amount is (0x118) I can do something like

kb = @rsp+118

and I see the full stack decoded properly. Next, I would like to jump to other frames in this stack and view their locals. But I have never been able to get .frame to actually set the context like this. What I have done is to manually change the rsp field in the in-memory trap frame (add the 0x118 to it) and then do .trap on that address again. At this point the Calls window shows the correct stack and now I can jump between frames either in that window or by issuing .frame /r 3, etc.

So I have a workaround, this just seems a bit hacky to do what, presumably, the .frame /r /c = command is designed for. The other thing I don't understand is, why is it enough to just give kb the rsp, or to only modify the rsp in the trap and get a proper stack, yet .frame wants all 3 (rbp, rsp, rip)?

Scott_Noone_(OSR)

I've never tried the .frame thing, but it sounds to me like you're not generating the correct unwind data for your assembly routine. For example, see .ALLOCSTACK:

https://docs.microsoft.com/en-us/cpp/assembler/masm/dot-allocstack?view=msvc-170