Invalid EIP

I got another strange crash dump. I’m wondering why 70a8280c becomes eip.

002fdfb8 70a8280c 002fdfd0 002fdfe4 002fdfd0 ntdll!KiUserExceptionDispatcher+0xf
002fe2e8 70a83285 0000006c 04c7fb60 0000006c util!ssb::data_block_t::data_block_t+0x6c [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]
002fe31c 70a83424 0000006c 04c7fb60 0000006c util!ssb::data_block_t::new_instance+0x85 [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 25]
002fe354 70a838f5 0000006c 04c7fb60 0000006c util!ssb::msg_db_t::msg_db_t+0x64 [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 174]
002fe388 6c531a39 0000006c 04c7fb60 0000006c util!ssb::msg_db_t::new_instance+0x85 [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 138]
002fe550 6c5284ba 002fe56c 245a6256 00000001 ssb_sdk!ssb::hmac_to_token+0xf2 [g:\dailybuild\b_10_17735\platform\zc\zc_pdu.cpp @ 114]
002fe600 6c823a89 04b5ab11 0a173fe8 000000bd ssb_sdk!ssb::video_conference_t::start_request+0x17a [g:\dailybuild\b_10_17735\platform\ssb_sdk\vd_conf.cpp @ 1052]
002fe8b4 6c823e65 2767fff6 015278e8 04c44be8 zVideoApp!CmmConfAgent::StartConference+0xdd3 [g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp @ 915]
002fe980 6c821ef0 0000000a 2767fea6 0000001c zVideoApp!CmmConfAgent::SetConfStatus+0x148 [g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp @ 1016]
002fe9f0 6c821b0a 015278a4 6c82dd3e 0000001c zVideoApp!CmmConfAgent::CloseandStartConf+0x10c [g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp @ 340]

FAILED_INSTRUCTION_ADDRESS:
util!ssb::data_block_t::data_block_t+6c [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]
70a8280c ff ???

0:000> u 70a8280c
util!ssb::data_block_t::data_block_t+0x6c [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]:
70a8280c ff ???
70a8280d ff8946183bdd dec dword ptr [ecx-22C4E7BAh]
70a82813 7521 jne util!ssb::data_block_t::data_block_t+0x96 (70a82836)
70a82815 8b4e18 mov ecx,dword ptr [esi+18h]
70a82818 8b11 mov edx,dword ptr [ecx]
70a8281a 8b4204 mov eax,dword ptr [edx+4]
70a8281d 57 push edi
70a8281e ffd0 call eax

0:000> u util!ssb::data_block_t::data_block_t L25
util!ssb::data_block_t::data_block_t [g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 39]:
70a827a0 6aff push 0FFFFFFFFh
70a827a2 68a885a970 push offset util!_clean_type_info_names_internal+0x1a8a (70a985a8)
70a827a7 64a100000000 mov eax,dword ptr fs:[00000000h]
70a827ad 50 push eax
70a827ae 51 push ecx
70a827af 53 push ebx
70a827b0 55 push ebp
70a827b1 56 push esi
70a827b2 57 push edi
70a827b3 a1f852ab70 mov eax,dword ptr [util!__security_cookie (70ab52f8)]
70a827b8 33c4 xor eax,esp
70a827ba 50 push eax
70a827bb 8d442418 lea eax,[esp+18h]
70a827bf 64a300000000 mov dword ptr fs:[00000000h],eax
70a827c5 8bf1 mov esi,ecx
70a827c7 89742414 mov dword ptr [esp+14h],esi
70a827cb 33ed xor ebp,ebp
70a827cd c706b4a5a970 mov dword ptr [esi],offset util!ssb::ref_count_t<ssb::null_lock>::vftable' (70a9a5b4)
70a827d3 896e04 mov dword ptr [esi+4],ebp
70a827d6 8b7c2428 mov edi,dword ptr [esp+28h]
70a827da 8b5c242c mov ebx,dword ptr [esp+2Ch]
70a827de 8b4c2434 mov ecx,dword ptr [esp+34h]
70a827e2 8bc7 mov eax,edi
70a827e4 2b442430 sub eax,dword ptr [esp+30h]
70a827e8 896c2420 mov dword ptr [esp+20h],ebp
70a827ec 894610 mov dword ptr [esi+10h],eax
70a827ef 8b442438 mov eax,dword ptr [esp+38h]
70a827f3 c70654ada970 mov dword ptr [esi],offset util!ssb::data_block_t::vftable' (70a9ad54)
70a827f9 897e08 mov dword ptr [esi+8],edi
70a827fc 895e0c mov dword ptr [esi+0Ch],ebx
70a827ff 894e14 mov dword ptr [esi+14h],ecx
70a82802 894618 mov dword ptr [esi+18h],eax
70a82805 3bc5 cmp eax,ebp
70a82807 7508 jne util!ssb::data_block_t::data_block_t+0x71 (70a82811)
70a82809 e8b232ffff call util!ssb::ssb_allocator_t::instance (70a75ac0)
70a8280e 894618 mov dword ptr [esi+18h],eax
70a82811 3bdd cmp ebx,ebp

Thanks,
-Sam

The disassembly is useless and uninteresting unless accompanied by the
!analyze -v output.
joe

I got another strange crash dump. I’m wondering why 70a8280c becomes eip.

002fdfb8 70a8280c 002fdfd0 002fdfe4 002fdfd0
ntdll!KiUserExceptionDispatcher+0xf
002fe2e8 70a83285 0000006c 04c7fb60 0000006c
util!ssb::data_block_t::data_block_t+0x6c
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]
002fe31c 70a83424 0000006c 04c7fb60 0000006c
util!ssb::data_block_t::new_instance+0x85
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 25]
002fe354 70a838f5 0000006c 04c7fb60 0000006c
util!ssb::msg_db_t::msg_db_t+0x64
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 174]
002fe388 6c531a39 0000006c 04c7fb60 0000006c
util!ssb::msg_db_t::new_instance+0x85
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 138]
002fe550 6c5284ba 002fe56c 245a6256 00000001
ssb_sdk!ssb::hmac_to_token+0xf2
[g:\dailybuild\b_10_17735\platform\zc\zc_pdu.cpp @ 114]
002fe600 6c823a89 04b5ab11 0a173fe8 000000bd
ssb_sdk!ssb::video_conference_t::start_request+0x17a
[g:\dailybuild\b_10_17735\platform\ssb_sdk\vd_conf.cpp @ 1052]
002fe8b4 6c823e65 2767fff6 015278e8 04c44be8
zVideoApp!CmmConfAgent::StartConference+0xdd3
[g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp
@ 915]
002fe980 6c821ef0 0000000a 2767fea6 0000001c
zVideoApp!CmmConfAgent::SetConfStatus+0x148
[g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp
@ 1016]
002fe9f0 6c821b0a 015278a4 6c82dd3e 0000001c
zVideoApp!CmmConfAgent::CloseandStartConf+0x10c
[g:\dailybuild\b_10_17735\client\src\application\common\cmmconfmgr\cmmconfagent.cpp
@ 340]

FAILED_INSTRUCTION_ADDRESS:
util!ssb::data_block_t::data_block_t+6c
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]
70a8280c ff ???

0:000> u 70a8280c
util!ssb::data_block_t::data_block_t+0x6c
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 43]:
70a8280c ff ???
70a8280d ff8946183bdd dec dword ptr [ecx-22C4E7BAh]
70a82813 7521 jne util!ssb::data_block_t::data_block_t+0x96
(70a82836)
70a82815 8b4e18 mov ecx,dword ptr [esi+18h]
70a82818 8b11 mov edx,dword ptr [ecx]
70a8281a 8b4204 mov eax,dword ptr [edx+4]
70a8281d 57 push edi
70a8281e ffd0 call eax

0:000> u util!ssb::data_block_t::data_block_t L25
util!ssb::data_block_t::data_block_t
[g:\dailybuild\b_10_17735\common\platform\util\src\msgblock.cpp @ 39]:
70a827a0 6aff push 0FFFFFFFFh
70a827a2 68a885a970 push offset
util!_clean_type_info_names_internal+0x1a8a (70a985a8)
70a827a7 64a100000000 mov eax,dword ptr fs:[00000000h]
70a827ad 50 push eax
70a827ae 51 push ecx
70a827af 53 push ebx
70a827b0 55 push ebp
70a827b1 56 push esi
70a827b2 57 push edi
70a827b3 a1f852ab70 mov eax,dword ptr [util!__security_cookie
(70ab52f8)]
70a827b8 33c4 xor eax,esp
70a827ba 50 push eax
70a827bb 8d442418 lea eax,[esp+18h]
70a827bf 64a300000000 mov dword ptr fs:[00000000h],eax
70a827c5 8bf1 mov esi,ecx
70a827c7 89742414 mov dword ptr [esp+14h],esi
70a827cb 33ed xor ebp,ebp
70a827cd c706b4a5a970 mov dword ptr [esi],offset
util!ssb::ref_count_t<ssb::null_lock>::vftable' (70a9a5b4)
> 70a827d3 896e04 mov dword ptr [esi+4],ebp
> 70a827d6 8b7c2428 mov edi,dword ptr [esp+28h]
> 70a827da 8b5c242c mov ebx,dword ptr [esp+2Ch]
> 70a827de 8b4c2434 mov ecx,dword ptr [esp+34h]
> 70a827e2 8bc7 mov eax,edi
> 70a827e4 2b442430 sub eax,dword ptr [esp+30h]
> 70a827e8 896c2420 mov dword ptr [esp+20h],ebp
> 70a827ec 894610 mov dword ptr [esi+10h],eax
> 70a827ef 8b442438 mov eax,dword ptr [esp+38h]
> 70a827f3 c70654ada970 mov dword ptr [esi],offset
> util!ssb::data_block_t::vftable' (70a9ad54)
> 70a827f9 897e08 mov dword ptr [esi+8],edi
> 70a827fc 895e0c mov dword ptr [esi+0Ch],ebx
> 70a827ff 894e14 mov dword ptr [esi+14h],ecx
> 70a82802 894618 mov dword ptr [esi+18h],eax
> 70a82805 3bc5 cmp eax,ebp
> 70a82807 7508 jne util!ssb::data_block_t::data_block_t+0x71
> (70a82811)
> 70a82809 e8b232ffff call util!ssb::ssb_allocator_t::instance
> (70a75ac0)
> 70a8280e 894618 mov dword ptr [esi+18h],eax
> 70a82811 3bdd cmp ebx,ebp
>
> Thanks,
> -Sam
>
>
>

xxxxx@yahoo.com wrote:

I got another strange crash dump. I’m wondering why 70a8280c becomes eip.

That kind of thing can easily happen if a called function overwrites the
stack. Note the call instruction at 70a82809, which would have pushed the
return address 70a8280e onto the stack. It would only take one “*p -= 2;”
aimed at that stack slot to turn 70a8280e into the 70a8280c you see — an
address that falls inside the bytes of the call instruction itself, which is
why the debugger shows “ff ???” there — and cause the results you see.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.