Crash Analysis

Hi,
I am getting following crash from Windows Service:

FAULTING_IP:
kernel32!RaiseException+3c
77e55dfa 5e pop esi
EXCEPTION_RECORD: ffffffff – (.exr 0xffffffffffffffff)
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x0000003c)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: DxDmService.exe
ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to
set symbol path and load symbols.
MODULE_NAME: NtUtil
FAULTING_MODULE: 7c800000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4aa9fa88
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint
has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
are invalid
FAULTING_THREAD: 00001368
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00499531 to 102627d0
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
0653fb48 00499531 0653fbc8 00000000 00000000
NtUtil!NtQueryBackupBlobInfoByHandle
0653fb94 0044fce8 028cfa48 00000000 ffffffff DxDmService+0x99531
0653fe08 004319d7 00000000 00000000 00000000 DxDmService+0x4fce8
0653ff64 00431b12 00000000 02840048 0653ffac DxDmService+0x319d7
0653ff74 103317d5 02840048 87caa240 00000000 DxDmService+0x31b12
0653ffac 1033187d 00000000 0653ffec 77e660b9 OsUtil!OsVersionCompare+0x5925
0653ffb8 77e660b9 0084e5a8 00000000 00000000 OsUtil!OsVersionCompare+0x59cd
0653ffec 00000000 103317fb 0084e5a8 00000000
kernel32!GetModuleFileNameA+0xeb

FOLLOWUP_IP:
NtUtil!NtQueryBackupBlobInfoByHandle+0
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f
(00010230)

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NtUtil!NtQueryBackupBlobInfoByHandle+653fb48
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: NtUtil.dll
STACK_COMMAND: ~52s; .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID:
WRONG_SYMBOLS_80000003_NtUtil.dll!NtQueryBackupBlobInfoByHandle
WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/DxDmService_exe/6_30_0_271/4aa9f9c7/kernel32_dll/5_2_3790_3311/49c5225e/80000003/00015dfa.htm?Retriage=1
Followup: MachineOwner
---------
The exception is
0:052> .exr 0xffffffffffffffff
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0
But there does not look to be any problem with above thread stack. I checked
other threads also and could not find any problem. Can somebody advise how
to debug the crash?

Thanks
Ash

I don’t do much user mode debugging, but what does the stack look like after
you do .ecxr?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


Hi Scott,
Here is the output after setting the symbols:

FAULTING_IP:
kernel32!RaiseException+53
77e55dfa 5e pop esi

EXCEPTION_RECORD: ffffffff – (.exr 0xffffffffffffffff)
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0

DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
PROCESS_NAME: DxDmService.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint
has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
are invalid
NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00001368

PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT

BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER: from 10262a57 to 102627d0

STACK_TEXT:
0653f884 10262a57 000006e8 0653fb40 0653f8d4
NtUtil!NtQueryBackupBlobInfoByHandle
0653f8a4 00499a0a 0653fbed 0653fb40 0653f8d4
NtUtil!NtQueryBackupBlobInfo+0x47
0653fb48 00499531 0653fbc8 00000000 00000000 DxDmService!isFileTheSame+0x1fa
0653fb94 0044fce8 028cfa48 00000000 ffffffff
DxDmService!FileListGetNextMatching+0x181
0653fe08 004319d7 00000000 00000000 00000000
DxDmService!CDmMediaFolder::iGarbageCollect+0x98
0653ff64 00431b12 00000000 02840048 0653ffac
DxDmService!CDmFilter::iGarbageCollectionProc+0x1a7
0653ff74 103317d5 02840048 87caa240 00000000
DxDmService!CDmFilter::GarbageCollectionProc+0x42
0653ffac 1033187d 00000000 0653ffec 77e660b9 OsUtil!_callthreadstartex+0x1b
0653ffb8 77e660b9 0084e5a8 00000000 00000000 OsUtil!_threadstartex+0x82
0653ffec 00000000 103317fb 0084e5a8 00000000 kernel32!BaseThreadStart+0x34

FOLLOWUP_IP:
NtUtil!NtQueryBackupBlobInfoByHandle+0

102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f
(00010230)

FAULTING_SOURCE_CODE:
No source found for ‘d:\work\sm64sp1\dxdev\idm-dx\common\ntutil\nt_blob.c’

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NtUtil!NtQueryBackupBlobInfoByHandle+653f884

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NtUtil

IMAGE_NAME: NtUtil.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4aa9fa88

STACK_COMMAND: ~52s; .ecxr ; kb

FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_NtUtil.dll!
NtQueryBackupBlobInfoByHandle

BUCKET_ID:
APPLICATION_FAULT_STATUS_BREAKPOINT_NtUtil!NtQueryBackupBlobInfoByHandle+653f884

WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/DxDmService_exe/6_30_0_271/4aa9f9c7/kernel32_dll/5_2_3790_3311/49c5225e/80000003/00015dfa.htm?Retriage=1

Followup: MachineOwner
---------
0:052> .exr 0xffffffffffffffff
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0
0:052> kb
ChildEBP RetAddr Args to Child
0653f884 10262a57 000006e8 0653fb40 0653f8d4
NtUtil!NtQueryBackupBlobInfoByHandle
0653f8a4 00499a0a 0653fbed 0653fb40 0653f8d4
NtUtil!NtQueryBackupBlobInfo+0x47
0653fb48 00499531 0653fbc8 00000000 00000000 DxDmService!isFileTheSame+0x1fa
0653fb94 0044fce8 028cfa48 00000000 ffffffff
DxDmService!FileListGetNextMatching+0x181
0653fe08 004319d7 00000000 00000000 00000000
DxDmService!CDmMediaFolder::iGarbageCollect+0x98
0653ff64 00431b12 00000000 02840048 0653ffac
DxDmService!CDmFilter::iGarbageCollectionProc+0x1a7
0653ff74 103317d5 02840048 87caa240 00000000
DxDmService!CDmFilter::GarbageCollectionProc+0x42
0653ffac 1033187d 00000000 0653ffec 77e660b9 OsUtil!_callthreadstartex+0x1b
0653ffb8 77e660b9 0084e5a8 00000000 00000000 OsUtil!_threadstartex+0x82
0653ffec 00000000 103317fb 0084e5a8 00000000 kernel32!BaseThreadStart+0x34
Looking at faulting instruction, we have
0:052> u NtUtil!NtQueryBackupBlobInfoByHandle
NtUtil!NtQueryBackupBlobInfoByHandle
[d:\work\sm64sp1\dxdev\idm-dx\common\ntutil\nt_blob.c @ 139]:
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f
(00010230)
102627d5 e8765d0000 call NtUtil!_chkstk (10268550)
102627da a120e02810 mov eax,dword ptr [NtUtil!__security_cookie
(1028e020)]
102627df 33c4 xor eax,esp
102627e1 8984242c020100 mov dword ptr <unloaded_rt40.dll>+0x1022b
(0001022c)[esp],eax
102627e8 8b842438020100 mov eax,dword ptr <unloaded_rt40.dll>+0x10237
(00010238)[esp]
102627ef 8b8c243c020100 mov ecx,dword ptr <unloaded_rt40.dll>+0x1023b
(0001023c)[esp]
102627f6 53 push ebx
It is crashing at first instruction.

Thanks for help
Ashish

This still doesn’t have the output after .ecxr (different than .exr).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


You seem to be thrashing around here. The fundamental cause is rather
easy to see:

Ashish ntdev wrote:

> FAULTING_IP:
> kernel32!RaiseException+53
> 77e55dfa 5e pop esi
>
> DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
> PROCESS_NAME: DxDmService.exe
>
> ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A
> breakpoint has been reached.
>
> EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more
> arguments are invalid

You have reached a breakpoint, which almost always means you have hit an
assertion failure. To find the failure, you need to disassemble the
bytes leading up to the faulting instruction. You should probably see
code that pushes a line number and an assertion failure message. That
might give you the next hint.

> STACK_TEXT:
> 0653f884 10262a57 000006e8 0653fb40 0653f8d4
> NtUtil!NtQueryBackupBlobInfoByHandle
> 0653f8a4 00499a0a 0653fbed 0653fb40 0653f8d4
> NtUtil!NtQueryBackupBlobInfo+0x47
> 0653fb48 00499531 0653fbc8 00000000 00000000
> DxDmService!isFileTheSame+0x1fa
> 0653fb94 0044fce8 028cfa48 00000000 ffffffff
> DxDmService!FileListGetNextMatching+0x181 0653fe08 004319d7 00000000

DxDmService is the DiskXtender service. Are you using that? It looks
like it’s comparing a file in some way and getting confused.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim,
I thought assertion is only there in debug build and this is release
build… Am I missing something?


Thanks for clarifying… I thought they are the same. Here is the output:
0:052> .ecxr
eax=0653f8d4 ebx=0084e5a8 ecx=0653fb40 edx=0653f8d8 esi=000006e8 edi=0653ff50
eip=102627d0 esp=0653f888 ebp=0653fb48 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000213
NtUtil!NtQueryBackupBlobInfoByHandle:
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f (00010230)


Weird, your context record isn’t bringing you to the point of the
breakpoint.

Can you repro this? You might want to try running the application under the
debugger, hopefully you’ll trap in at the breakpoint and can see where the
hard coded break is.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Ashish ntdev” wrote in message
news:xxxxx@windbg…
Thanks for clarifying… I thought they are the same. Here is the output:
0:052> .ecxr
eax=0653f8d4 ebx=0084e5a8 ecx=0653fb40 edx=0653f8d8 esi=000006e8 edi=0653ff50
eip=102627d0 esp=0653f888 ebp=0653fb48 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000213
NtUtil!NtQueryBackupBlobInfoByHandle:
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f (00010230)

On Wed, Apr 14, 2010 at 11:49 PM, Scott Noone wrote:

This still doesn’t have the output after .ecxr (different than .exr).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Ashish ntdev” wrote in message
news:xxxxx@windbg…

Hi Scott,
Here is the output after setting the symbols:

FAULTING_IP:
kernel32!RaiseException+53

77e55dfa 5e pop esi

EXCEPTION_RECORD: ffffffff – (.exr 0xffffffffffffffff)

ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0

DEFAULT_BUCKET_ID: STATUS_BREAKPOINT
PROCESS_NAME: DxDmService.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint
has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments
are invalid

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 00001368

PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT

BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT

LAST_CONTROL_TRANSFER: from 10262a57 to 102627d0

STACK_TEXT:
0653f884 10262a57 000006e8 0653fb40 0653f8d4 NtUtil!NtQueryBackupBlobInfoByHandle
0653f8a4 00499a0a 0653fbed 0653fb40 0653f8d4 NtUtil!NtQueryBackupBlobInfo+0x47
0653fb48 00499531 0653fbc8 00000000 00000000 DxDmService!isFileTheSame+0x1fa
0653fb94 0044fce8 028cfa48 00000000 ffffffff DxDmService!FileListGetNextMatching+0x181
0653fe08 004319d7 00000000 00000000 00000000 DxDmService!CDmMediaFolder::iGarbageCollect+0x98
0653ff64 00431b12 00000000 02840048 0653ffac DxDmService!CDmFilter::iGarbageCollectionProc+0x1a7
0653ff74 103317d5 02840048 87caa240 00000000 DxDmService!CDmFilter::GarbageCollectionProc+0x42
0653ffac 1033187d 00000000 0653ffec 77e660b9 OsUtil!_callthreadstartex+0x1b
0653ffb8 77e660b9 0084e5a8 00000000 00000000 OsUtil!_threadstartex+0x82
0653ffec 00000000 103317fb 0084e5a8 00000000 kernel32!BaseThreadStart+0x34

FOLLOWUP_IP:
NtUtil!NtQueryBackupBlobInfoByHandle+0

102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f
(00010230)

FAULTING_SOURCE_CODE:
No source found for ‘d:\work\sm64sp1\dxdev\idm-dx\common\ntutil\nt_blob.c’

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NtUtil!NtQueryBackupBlobInfoByHandle+653f884

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NtUtil

IMAGE_NAME: NtUtil.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4aa9fa88

STACK_COMMAND: ~52s; .ecxr ; kb

FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_NtUtil.dll!
NtQueryBackupBlobInfoByHandle

BUCKET_ID:
APPLICATION_FAULT_STATUS_BREAKPOINT_NtUtil!NtQueryBackupBlobInfoByHandle+653f884

WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/DxDmService_exe/6_30_0_271/4aa9f9c7/kernel32_dll/5_2_3790_3311/49c5225e/80000003/00015dfa.htm?Retriage=1

Followup: MachineOwner
---------

0:052> .exr 0xffffffffffffffff
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0

0:052> kb
ChildEBP RetAddr Args to Child
0653f884 10262a57 000006e8 0653fb40 0653f8d4 NtUtil!NtQueryBackupBlobInfoByHandle
0653f8a4 00499a0a 0653fbed 0653fb40 0653f8d4 NtUtil!NtQueryBackupBlobInfo+0x47
0653fb48 00499531 0653fbc8 00000000 00000000 DxDmService!isFileTheSame+0x1fa
0653fb94 0044fce8 028cfa48 00000000 ffffffff DxDmService!FileListGetNextMatching+0x181
0653fe08 004319d7 00000000 00000000 00000000 DxDmService!CDmMediaFolder::iGarbageCollect+0x98
0653ff64 00431b12 00000000 02840048 0653ffac DxDmService!CDmFilter::iGarbageCollectionProc+0x1a7
0653ff74 103317d5 02840048 87caa240 00000000 DxDmService!CDmFilter::GarbageCollectionProc+0x42
0653ffac 1033187d 00000000 0653ffec 77e660b9 OsUtil!_callthreadstartex+0x1b
0653ffb8 77e660b9 0084e5a8 00000000 00000000 OsUtil!_threadstartex+0x82
0653ffec 00000000 103317fb 0084e5a8 00000000 kernel32!BaseThreadStart+0x34

Looking at faulting instruction, we have

0:052> u NtUtil!NtQueryBackupBlobInfoByHandle
NtUtil!NtQueryBackupBlobInfoByHandle [d:\work\sm64sp1\dxdev\idm-dx\common\ntutil\nt_blob.c @ 139]:
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f (00010230)
102627d5 e8765d0000 call NtUtil!_chkstk (10268550)
102627da a120e02810 mov eax,dword ptr [NtUtil!__security_cookie (1028e020)]
102627df 33c4 xor eax,esp
102627e1 8984242c020100 mov dword ptr <unloaded_rt40.dll>+0x1022b (0001022c)[esp],eax
102627e8 8b842438020100 mov eax,dword ptr <unloaded_rt40.dll>+0x10237 (00010238)[esp]
102627ef 8b8c243c020100 mov ecx,dword ptr <unloaded_rt40.dll>+0x1023b (0001023c)[esp]
102627f6 53 push ebx

It is crashing at first instruction.

Thanks for help
Ashish

Ashish ntdev wrote:

> I thought assertion is only there in debug build and this is release
> build…Am I missing something?

We don’t know whether DiskXtender ships the release build or the debug
build. Further, it’s quite possible to include an assert in a release
build.

Indeed, many people have compared the practice of removing asserts in a
release build to including brakes in a car and then removing them just
before you ship it.

The facts are in the dump. You’re getting an 0x80000003 exception.
That’s a software breakpoint. It could be a hardcoded breakpoint (that
is, “__asm int 3”), but the more likely explanation is an assert.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Unfortunately… I took this dump from WinDbg only. When it hit here, the
situation was also the same as I listed here. I am suspecting it to be a stack
overflow, but the stack and IP address look good. Is there any other option?

On Fri, Apr 16, 2010 at 1:09 AM, Scott Noone wrote:

> Weird, your context record isn’t bringing you to the point of the
> breakpoint.
>
> Can you repro this? You might want to try running the application under the
> debugger, hopefully you’ll trap in at the breakpoint and can see where the
> hard coded break is.
>
>
> -scott

That doesn’t make much sense, the exception code indicates a breakpoint but
the faulting instruction shown doesn’t jive with that. You should really be
looking for an assert or debugbreak, do you own any of this code?

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

> “Ashish ntdev” wrote in message
> news:xxxxx@windbg…
> Unfortunately… I took this dump from WinDbg only. When it hit here, the
> situation was also the same as I listed here. I am suspecting it to be a stack
> overflow, but the stack and IP address look good. Is there any other option?


One can generate an exception in the current thread with an arbitrary context record and an arbitrary non-matching exception record using NtRaiseException(ExceptionRecord, ContextRecord, BOOLEAN(FirstChance)). That could be the case in the current situation, but almost nobody calls NtRaiseException() directly, since usually it’s sufficient to call RtlRaiseException(), or even the fully documented RaiseException(). In fact, the presented exception record totally matches the call ‘RaiseException(STATUS_BREAKPOINT, EXCEPTION_NONCONTINUABLE, 0, NULL)’. If the compiler knows this call will never return (func declared with __declspec(noreturn), or __assume(0) used), or if there’s some sort of function chaining(?) (the current function calls RaiseException(), and the next and last high-level call targets NtUtil!NtQueryBackupBlobInfoByHandle()), I can imagine the compiler could place the function NtQueryBackupBlobInfoByHandle right after the call to RaiseException, for seamless function transition. In that situation we could see the first function instruction in the callstack (as that’ll be the “return address” for RaiseException()).

But there are still discrepancies. First, when msvc is aware of noreturn, it (AFAIK) places int3 after the call. Okay, that just leaves us with either some non-msvc compiler or function chaining(?), which I believe will require ltcg. That’s still fine; what really bothers me here is the second discrepancy: the absence of ‘kernel32!RaiseException+0x00000053’ on the callstack (it shall be on the top, and NtQueryBackupBlobInfoByHandle would be the very next). This fact can virtually destroy the almost perfect picture.

Just to clear things up, we’d like to see the output of the following line:
“.cxr; r; kbn99; .echo ~; ub 102627d0 L18; u 102627d0 L5; .echo~ ; ub 10262a57 L18; u 10262a57 L5; .echo ~~~; dps @esp L80”

If the above stuff is somehow correct, the key function to check for ‘RaiseException’ can be seen as the last call in the “ub 10262a57” output. In source, such a call to ‘RaiseException’ will most likely be wrapped in some ‘assert’ macro.
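The consistency checks discussed in this thread, as an added Python example that is not part of any poster's message: it parses the `.exr` and `.ecxr` output posted above and reports why the record looks like a `RaiseException(STATUS_BREAKPOINT, EXCEPTION_NONCONTINUABLE, 0, NULL)` call rather than an `int 3` at the context EIP. The function names, the finding labels and the `app!CheckState` contrast sample are constructed for illustration.

```python
import re

STATUS_BREAKPOINT = 0x80000003      # value shown in the thread's ERROR_CODE line
EXCEPTION_NONCONTINUABLE = 0x1      # winnt.h

# Debugger output copied from the thread (wrapped lines rejoined).
EXR_TEXT = """\
ExceptionAddress: 77e55dfa (kernel32!RaiseException+0x00000053)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0
"""
ECXR_TEXT = """\
eax=0653f8d4 ebx=0084e5a8 ecx=0653fb40 edx=0653f8d8 esi=000006e8 edi=0653ff50
eip=102627d0 esp=0653f888 ebp=0653fb48 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000213
NtUtil!NtQueryBackupBlobInfoByHandle:
102627d0 b830020100 mov eax,offset <unloaded_rt40.dll>+0x1022f (00010230)
"""

# Constructed contrast case (NOT from the thread): a hard-coded int 3 in a
# hypothetical app!CheckState, where the context points at the break itself.
INT3_EXR = """\
ExceptionAddress: 00401012 (app!CheckState+0x00000012)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
"""
INT3_ECXR = """\
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=00401012 esp=0012ff00 ebp=0012ff10 iopl=0 nv up ei pl nz na po nc
app!CheckState+0x12:
00401012 cc int 3
"""

_FIELD = re.compile(
    r"^[ \t]*(\w+):[ \t]*([0-9a-fA-F]+)(?:[ \t]*\((.*)\))?[ \t]*$", re.M)
_REG = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
_INSN = re.compile(r"^([0-9a-f]{8})[ \t]+([0-9a-f]+)[ \t]+(.+)$", re.M)


def parse_exr(text):
    """Parse the four header fields printed by .exr."""
    raw = {m.group(1): (m.group(2), m.group(3) or "")
           for m in _FIELD.finditer(text)}
    return {
        "address": int(raw["ExceptionAddress"][0], 16),
        "symbol": raw["ExceptionAddress"][1],
        "code": int(raw["ExceptionCode"][0], 16),
        "flags": int(raw["ExceptionFlags"][0], 16),
        "nparams": int(raw["NumberParameters"][0], 10),
    }


def parse_ecxr(text):
    """Parse registers and the opcode bytes disassembled at EIP from .ecxr."""
    regs = {name: int(val, 16) for name, val in _REG.findall(text)}
    opcode = b""
    for m in _INSN.finditer(text):
        if int(m.group(1), 16) == regs.get("eip"):
            opcode = bytes.fromhex(m.group(2))
            break
    return {"regs": regs, "opcode": opcode}


def triage(exr, ctx):
    """Return the list of inconsistencies between exception and context record."""
    findings = []
    func = exr["symbol"].split("+")[0]            # e.g. kernel32!RaiseException
    if func.split("!")[-1] == "RaiseException":
        findings.append("RAISED_BY_API")          # raised by a call, not by the CPU
    if (exr["code"], exr["flags"], exr["nparams"]) == (
            STATUS_BREAKPOINT, EXCEPTION_NONCONTINUABLE, 0):
        findings.append("MATCHES_RAISEEXCEPTION_BREAKPOINT_CALL")
    if ctx["regs"].get("eip") != exr["address"]:
        findings.append("CONTEXT_EIP_NOT_AT_EXCEPTION_ADDRESS")
    op = ctx["opcode"]
    is_break = op[:1] == b"\xcc" or op[:2] == b"\xcd\x03"   # int3 / int 3
    if exr["code"] == STATUS_BREAKPOINT and not is_break:
        findings.append("NO_BREAK_OPCODE_AT_CONTEXT_EIP")
    return findings


if __name__ == "__main__":
    for label, exr, ecxr in (("thread dump", EXR_TEXT, ECXR_TEXT),
                             ("constructed int 3", INT3_EXR, INT3_ECXR)):
        print(label, triage(parse_exr(exr), parse_ecxr(ecxr)))
```
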