Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Inability to disassemble functions

DilipDilip Member Posts: 10
From time to time, in some user-mode crash dumps, I find it impossible to unassemble certain functions. Most likely in the call stack of the thread that caused the fault. I see something like:

0:000> u 0abcdefa
MyMod!MyClass::MyFunc
0abcdefa ?? ???
^ Memory access error in 'u 0abcdefa'

The address 0abcdefa I am trying to unassemble is the beginning of a routine I obtained by running the 'x' command.

What exactly does this mean? The module (MyMod) does seem loaded in the dump.

If I run '!address 0abcdefa', at the very end, I get:
Content source: 0 (invalid), length: 3fdd

How does this happen?

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,342
    The address was either paged out at the time of the system crash OR you're
    just looking at a minidump which doesn't capture the code. In the latter
    case you can use the executable image path (Ctrl+i) to point WinDbg to the
    images that back the code.

    If it was paged out then you're pretty much out of luck. However, note that
    you can open ANY executable file as a dump file in WinDbg (Ctrl+D) and
    disassemble the code. Not quite the same, but good enough for looking at the
    assembly.

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

  • DilipDilip Member Posts: 10
    Scott

    Thank you very much for responding.

    I was aware you could open any exe to view the assembly
    but this exercise was confined to analyzing a crash dump
    which had that odd feature of not being able to unassemble
    the function I was interested in seeing.

    Strangely enough, the fault happened just one level above
    the function that I was wanting to see, on the call stack
    stack. I find it slightly impossible for it to have gotten paged
    out so quickly. (or maybe I am wrong here?)

    Its gotta be a bad dump. Thanks once again!
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 30 Nov 2020 LIVE ONLINE
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Developing Minifilters Early 2021 LIVE ONLINE