Crash dump - resolve unmanaged code crash in a .NET application using WinDbg - windbg

I'm trying to discover the WinDbg tool to analyze a crash dump we have on our production server.
When I run !analyze -v, I get:
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/w3wp_exe/7_0_6002_18005/49e03238/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
FAULTING_IP:
+14935130
00000000`00000000 ?? ???
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000000000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 00000000000029b0
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x29b0 (0)
Child-SP RetAddr Call Site
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 000000007749c0b0 to 00000000775e6d5a
STACK_TEXT:
00000000`0012f6c8 00000000`7749c0b0 : 00000000`00000000 000007fe`faf07e6b 00000000`00000000 000007fe`f9c015f0 : ntdll!ZwWaitForSingleObject+0xa
00000000`0012f6d0 000007fe`f9c03e74 : 00000000`00000158 00000000`ffb35de0 00000000`00000000 00000000`00000158 : kernel32!WaitForSingleObjectEx+0x9c
00000000`0012f790 00000000`ffb3235a : 00000000`fffffffe 00000000`00000001 00000000`007e6400 00000000`0000008c : w3wphost!AppHostInitialize+0x280
00000000`0012f7f0 00000000`ffb33b71 : 00000000`00000000 00000000`ffb33ce5 00000000`00000000 00000000`00000000 : w3wp!wmain+0x466
00000000`0012f980 00000000`7748be3d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : w3wp!PerfStopProvider+0x199
00000000`0012f9c0 00000000`775c6a51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0012f9f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: ~0s; .ecxr ; kb
FOLLOWUP_IP:
w3wphost!AppHostInitialize+280
000007fe`f9c03e74 f6052998000003 test byte ptr [w3wphost!g_dwDebugFlags (000007fe`f9c0d6a4)],3
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: w3wphost!AppHostInitialize+280
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: w3wphost
IMAGE_NAME: w3wphost.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 49e0420f
FAILURE_BUCKET_ID: WRONG_SYMBOLS_80000003_w3wphost.dll!AppHostInitialize
BUCKET_ID: X64_APPLICATION_FAULT_WRONG_SYMBOLS_w3wphost!AppHostInitialize+280
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/w3wp_exe/7_0_6002_18005/49e03238/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
Followup: MachineOwner
I really have a hard time figuring what is what. From what I understand, here are the interesting part:
EXCEPTION_CODE and STACK_TEXT.
I'm a really new to WinDbg, and it's the first time I'm using this tool. I've been struggling with my Google search, so I guess I'm not searching for the right thing.
What I'd like to do is:
Understand the output format of the stack_text
Try to see the input parameters of each functions
Is that the right way to approach this problem?

There are several good tutorials available on the web and even in the WinDbg help file (.chm). A good place would be WinDBG tutorial - Introduction or Tess' blog, If broken it is, fix it you should.
In your case, step 1 would be to point WinDbg to the correct symbols. It's clear from the output above that your sympath is either incorrect or not pointing to any PDB files. Do the following in the debugger:
.sympath SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
This will point the debugger to use the Microsoft public symbol server for OS components; it will cache the PDB files to your c:\symbols folder. To add another symbol path (for example, the folder containing your application's PDB files), you can either use a ';' delimited list of paths or simply use the .sympath+ command to add new paths piecemeal.
Once you set up your symbol path, run !analyze -v again or follow the steps in the tutorial above to see if you get better results.

The stack trace should be readable if you have the correct symbols. You could try something like:
Load the dump file.
Run .symfix
Open the 'Symbol File Path' menu
Add a path to your application's .PDB files
Check the 'reload' checkbox
Run !clrstack -p to dump the stack with parameters.

Related

The ba command (Break on Access) in WinDbg is not working as advertised in the book Advanced Windows Debugging by Daniel Pravat and Mario Hewardt

I am reading the book Advanced Windows Debugging: Developing and Administering Reliable, Robust, and Secure Software by Daniel Pravat and Mario Hewardt. I have questions about Chapter 2.
I am using WinDBG 10.0.19041.1 X86 on Windows 10 Pro Version 2004 build 19041.572. I built 02sample.exe with Microsoft Visual Studio Community 2019 Version 16.7.6 with the GenerateDebugInformation property set to DebugFull. I am debugging the Debug|x86 configuration of 02sample.exe.
I am reading the section in chapter 2 named Setting a Breakpoint on Access and I am seeing differences between what is in the book and what I am experiencing.
The first difference in behavior is with the following command.
0:000> dt gGlobal
This command fails with the following error.
Symbol gGlobal not found.
The following command does work.
0:000> dt 02sample!gGlobal
*** WARNING: Unable to verify checksum for 02sample.exe
gGlobal
+0x000 m_ref : 0n0
The next difference in behavior is with the following command.
0:000> ba w4 gGlobal+0
Based on the following output, this appears to work.
0:000> bl
0 e Disable Clear 00969130 w 4 0001 (0001) 0:**** 02sample!gGlobal
However, the breakpoint is not being hit. I cannot figure out why.
Symbols Are probably Not Yet Loaded
try either .reload /f or .reload /f foo.exe
before attempting unqualified dt gGlobal
a qualified foo!gGlobal will always work because it loads the symbols
check with !sym noisy
0:000> !sym noisy
noisy mode - symbol prompts off
0:000> dt gGlobal
Symbol gGlobal not found.
0:000> dt gGlobal
Symbol gGlobal not found.
0:000> dt gGlobal
Symbol gGlobal not found.
0:000> dt awd!gGlobal
SYMSRV: BYINDEX: 0x2
snipxxxxxxxxxxxxxxx
DBGHELP: awd - public symbols & lines
C:\Users\XXX\Desktop\awd\Chapter2\Debug\awd.pdb
+0x000 m_ref : 0n0
0:000>
how is the Book Telling You to set the ba breakpoint ?
You Cannot Set a ba breakpoint on a module when you are Stopped At System Breakpoint
Because the system will reset the thread context
you have to go the Entry Point and then Set the ba breakpoint as windbg suggests do you do that ?
:\>cdb -c "g #$exentry;ba w4 awd!gGlobal;g;u .;kb;q" awd.exe |awk "/Reading/,/quit/"
0:000> cdb: Reading initial command 'g #$exentry;ba w4 awd!gGlobal;g;u .;kb;q'
*** WARNING: Unable to verify checksum for awd.exe
Breakpoint 0 hit
awd!Global::Global+0x21:
00a23461 8b45fc mov eax,dword ptr [ebp-4]
00a23464 83c404 add esp,4
00a23467 3bec cmp ebp,esp
00a23469 e895ddffff call awd!ILT+510(__RTC_CheckEsp) (00a21203)
00a2346e 8be5 mov esp,ebp
00a23470 5d pop ebp
00a23471 c3 ret
00a23472 cc int 3
ChildEBP RetAddr Args to Child
0026f9d4 00a21687 0026f9ec 522c59df 00a21670 awd!Global::Global+0x21
0026f9dc 522c59df 00a21670 00a2b208 0026fa50 awd!`dynamic initializer for 'gGlobal''+0x17
0026f9ec 00a24a5e 00a2b000 00a2b30c 91b61bad ucrtbased!_initterm+0x3f
0026fa50 00a2498d 0026fa60 00a24d08 0026fa6c awd!__scrt_common_main_seh+0xbe
0026fa58 00a24d08 0026fa6c 7683ed6c 7ffde000 awd!__scrt_common_main+0xd
0026fa60 7683ed6c 7ffde000 0026faac 773337eb awd!wmainCRTStartup+0x8
0026fa6c 773337eb 7ffde000 761f96f6 00000000 kernel32!BaseThreadInitThunk+0xe
0026faac 773337be 00a21145 7ffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0026fac4 00000000 00a21145 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
quit:
if by chance you misunderstood entrypoint to wmain() and set a ba break on reaching wmain() it probably will never be hit because the code in question has already been executed

How to use windbg to troubleshoot executable which won't start?

The Intel Power Gadget tool will not run on my system, and I'm trying to figure out why. It's a Core i7-720QM running Window 8.1 x64. AIDA64 reads the CPU temperatures just fine, but I can't even launch the Intel Power Gadget. No windows open and nothing happens. It works fine on a different computer.
I tried attaching windbg, but it's not obvious what's causing the executable to fail. I haven't been able to find a windbg tutorial which shows how to troubleshoot executables which won't start.
In the following output, I set a breakpoint and dumped the stack as recommended by user blabb. Any ideas?
0:000> .symfix
0:000> .restart
CommandLine: "C:\Program Files\Intel\Power Gadget 3.0\IntelPowerGadget.exe"
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is: srv*
ModLoad: 00007ff6`800f0000 00007ff6`80178000 IntelPowerGadget.exe
ModLoad: 00007ff9`82ab0000 00007ff9`82c5c000 ntdll.dll
ModLoad: 00007ff9`80480000 00007ff9`805be000 C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ff9`7fcd0000 00007ff9`7fde5000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 00000000`550e0000 00000000`55643000 C:\Windows\SYSTEM32\mfc100u.dll
ModLoad: 00000000`55920000 00000000`559f2000 C:\Windows\SYSTEM32\MSVCR100.dll
ModLoad: 00007ff9`80820000 00007ff9`80997000 C:\Windows\system32\USER32.dll
ModLoad: 00007ff9`82450000 00007ff9`825a1000 C:\Windows\system32\GDI32.dll
ModLoad: 00007ff9`80ce0000 00007ff9`821f9000 C:\Windows\system32\SHELL32.dll
ModLoad: 00007ff9`805c0000 00007ff9`80754000 C:\Windows\system32\ole32.dll
ModLoad: 00007ff9`7b660000 00007ff9`7b810000 C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_932b3b5547500489\gdiplus.dll
ModLoad: 00000000`55880000 00000000`55918000 C:\Windows\SYSTEM32\MSVCP100.dll
ModLoad: 00007ff9`823f0000 00007ff9`82444000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 00007ff9`7d8c0000 00007ff9`7db3b000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb\COMCTL32.dll
ModLoad: 00007ff9`7cca0000 00007ff9`7cca7000 C:\Windows\SYSTEM32\MSIMG32.dll
ModLoad: 00007ff9`803d0000 00007ff9`8047a000 C:\Windows\system32\msvcrt.dll
ModLoad: 00007ff9`82700000 00007ff9`82911000 C:\Windows\SYSTEM32\combase.dll
ModLoad: 00007ff9`825b0000 00007ff9`826f1000 C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ff9`807c0000 00007ff9`80819000 C:\Windows\SYSTEM32\sechost.dll
(1a58.1a54): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ff9`82b71cd0 cc int 3
0:000> bp ntdll!ntTerminateProcess
0:000> bl
0 e 00007ff9`82b41090 0001 (0001) 0:**** ntdll!NtTerminateProcess
0:000> g
ModLoad: 00007ff9`80770000 00007ff9`807a6000 C:\Windows\system32\IMM32.DLL
ModLoad: 00007ff9`80270000 00007ff9`803c3000 C:\Windows\system32\MSCTF.dll
ModLoad: 00007ff9`7e870000 00007ff9`7e999000 C:\Windows\SYSTEM32\UxTheme.dll
ModLoad: 00007ff9`7df70000 00007ff9`7df91000 C:\Windows\system32\dwmapi.dll
ModLoad: 00000000`550d0000 00000000`550dd000 C:\Windows\SYSTEM32\MFC100ENU.DLL
ModLoad: 00007ff9`82a00000 00007ff9`82aaa000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ff9`743b0000 00007ff9`743c1000 C:\Program Files\Intel\Power Gadget 3.0\EnergyLib64.dll
ModLoad: 00007ff9`7f230000 00007ff9`7f276000 C:\Windows\SYSTEM32\POWRPROF.dll
Breakpoint 0 hit
ntdll!NtTerminateProcess:
00007ff9`82b41090 4c8bd1 mov r10,rcx
0:000> kb
RetAddr : Args to Child : Call Site
00007ff9`82b1f400 : 00007e42`e1a67e08 00000000`013f1680 00000000`00000000 00000000`00fafc80 : ntdll!NtTerminateProcess
00007ff9`8048516a : 00000000`00000000 00000000`013f1680 00000000`013f1680 00007ff6`80105bb0 : ntdll!RtlExitUserProcess+0x60
00000000`55940ccd : 00000000`013f1678 00007ff6`863f6e0b 00000000`01181f9e 00000000`00000000 : KERNEL32!ExitProcessImplementation+0xa
*** ERROR: Module load completed but symbols could not be loaded for IntelPowerGadget.exe
00007ff6`800f9e78 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!doexit+0x1c1
00007ff9`804813d2 : 00007ff6`800f9fc4 00007ff6`7f50b000 00000000`00000000 00000000`00000000 : IntelPowerGadget+0x9e78
00007ff9`82b1eb64 : 00007ff9`804813b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
0:000> g
Breakpoint 0 hit
ntdll!NtTerminateProcess:
00007ff9`82b41090 4c8bd1 mov r10,rcx
0:000> g
ntdll!NtTerminateProcess+0xa:
00007ff9`82b4109a c3 ret
the output in your query is not useful you are simply running the application and windbg is showing all the modules it loaded which doesnt yield any information to the problem in hand you may need to set atleast one breakpoint let windbg break and dump the stack to analyze the path of execution
.restart
when windbg breaks set a bp prior to issuing g when the breakpoint is hit dump the stack backtrace with kb
bp ntdll!ntTerminateProcess
bl
g
kb
edit your post to paste the new output
the function that lead to termination appears to be at 00007ff6`800f9e78
you may need to analyze this function
ub (unassemble backward ) ub 00007ff6`800f9e78 enabling loadersnap !gflag + sls and scanning the debug spew for clues could lead to failures due to dependency should show the call if this call appears to be a terminal call you may need to trace back to determine the branch which leads to this call and analyse why this branch was taken
00007ff6`800f9e78 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!doexit+0x1c1
00007ff9`804813d2 : 00007ff6`800f9fc4 00007ff6`7f50b000 00000000`00000000 00000000`00000000 : IntelPowerGadget+0x9e78
edit
i took a look at the offending exe it seems there is an integer division by zero exception in EnergyLib64.dll->Initialization Routine called by initterm (LdrpRunInitializeRoutine) when it checks for some processor specific functionality using cpuid the result of cpuid after some calculations is shifted right by 20 shr eax,20 which makes eax 0 and the divisor ebp is also 0 so div eax, ebp results in a divide by zero exception which leads to immediate termination. via msvcrt!exit at 0x......9e78

Not able to proceed with Windbg analysis of AppCrash_w3wp

I am doing a memory dump analysis for AppCrash_w3wp.
When I do an !analyze -v I get the following result.
Is there any problem in my symbol setup? Or is this analysis pointing to some actual issue? Could somebody please guide me on how to analyze this further?
====:>
*** WARNING: Unable to verify timestamp for webengine4.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\987d450520ea6e815c63db8aecba0761\System.Data.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Data.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Mvc\9f9155f1c13562534f6cb370b0ad8381\System.Web.Mvc.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.Mvc.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for System.Web.Mvc.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\cb6d38da3ca9a62afed46123b693899e\System.Web.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.Web.ni.dll
Unable to load image C:\Windows\assembly\NativeImages_v4.0.30319_64\System\4598449d72d7ebbd53952399ed5fc710\System.ni.dll, Win32 error 0n2
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify timestamp for alk_dalkutil64.dll
*** ERROR: Module load completed but symbols could not be loaded for alk_dalkutil64.dll
FAULTING_IP:
KERNELBASE!RaiseException+39
000007fe`fda8940d 4881c4c8000000 add rsp,0C8h
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000007fefda8940d (KERNELBASE!RaiseException+0x0000000000000039)
ExceptionCode: e0434352 (CLR exception)
ExceptionFlags: 00000001
NumberParameters: 5
Parameter[0]: ffffffff80004003
Parameter[1]: 0000000000000000
Parameter[2]: 0000000000000000
Parameter[3]: 0000000000000000
Parameter[4]: 000007fefa140000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=0000000001470000 rbx=000000001791d5d0 rcx=0000000001470000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000002
rip=0000000077be186a rsp=000000001791d498 rbp=0000000000000002
r8=0000000000000000 r9=0000000000000040 r10=0000000000000000
r11=0000000000000286 r12=0000000000000000 r13=000000001791d540
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwWaitForMultipleObjects+0xa:
00000000`77be186a c3 ret
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: w3wp.exe
ERROR_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_PARAMETER1: ffffffff80004003
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_PARAMETER3: 0000000000000000
EXCEPTION_PARAMETER4: 0
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: w3wp.exe
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
MANAGED_STACK:
EXCEPTION_OBJECT: !pe 103f98b08
Exception object: 0000000103f98b08
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80004003
MANAGED_OBJECT: !dumpobj ffb11420
Name: System.String
MethodTable: 000007fef8886500
EEClass: 000007fef81a3750
Size: 26(0x1a) bytes
File: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
String:
Fields:
MT Field Offset Type VT Attr Value Name
0000000000000000 40000aa 8 System.Int32 1 instance 0 m_stringLength
0000000000000000 40000ab c System.Char 1 instance 0 m_firstChar
000007fef8886500 40000ac 18 System.String 0 shared static Empty
>> Domain:Value 0000000002488520:NotInit 0000000002576750:NotInit <<
EXCEPTION_MESSAGE: Attempted to read or write protected memory. This is often an indication that other memory is corru
MANAGED_OBJECT_NAME: SYSTEM.ACCESSVIOLATIONEXCEPTION
MANAGED_STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420
LAST_CONTROL_TRANSFER: from 000007fefa35565b to 000007fefda8940d
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION
STACK_TEXT:
00000000`00000000 00000000`00000000 w3wp!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: w3wp!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: w3wp
IMAGE_NAME: w3wp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7afa2
STACK_COMMAND: ** Check field _remoteStackTraceString **;!do 103f98b08;!do ffb11420 ; ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: WRONG_SYMBOLS_e0434352_w3wp.exe!Unknown
BUCKET_ID: X64_APPLICATION_FAULT_WRONG_SYMBOLS_CLR_EXCEPTION_w3wp!Unknown
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:wrong_symbols_e0434352_w3wp.exe!unknown
FAILURE_ID_HASH: {419a5b7f-31d5-d77e-cd0e-fe26c9258bfb}
Followup: MachineOwner
===
Edited on September 25
I have set up an environment variable
_NT_SYMBOL_PATH - symsrv*symsrv.dll*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
I am wondering why isn't it loading all symbols dynamically?
I did a .symfix;.reload
I get the prompt for sometime. Then I get a lot of .... on the screen and the regular prompt is back.
Then I did a "!sym noisy" and did ".symfix;.reload" again...
I get the following messages
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: cache*;SRV*http://msdl.microsoft.com/download/symbols
..
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.dll\51FB164A1a9000\ntdll.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb already cached
DBGHELP: ntdll - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\400F215C54DA404788F84F5C504914952\ntdll.pdb
..............................................................
................................................................
................................................................
................................................................
................................................................
.....
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernel32.dll\51FB167611f000\kernel32.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - OK
DBGENG: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\KERNELBASE.dll\51FB16776b000\KERNELBASE.dll - Mapped image memory
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb already cached
DBGHELP: KERNELBASE - public symbols
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\sym\kernelbase.pdb\88D04DC8E39B4CBB9CB12366C2AE475F2\kernelbase.pdb
Is there any problem in my symbol setup?
Yes. Correct it with the commands
.symfix x:\symbols; * Wherever you want the symbols to be
.reload
Or, if you have other symbol paths already set up:
.symfix+ x:\symbols
.reload
Or is this analysis pointing to some actual issue?
Also. You have a .NET exception which crashes your program. That is an issue.
The type is AccessViolation, something similar to a NullReferenceException. Hopefully, fixing symbols does not make a huge deifference here.
Could somebody please guide me on how to analyze this further?
After fixing the symbols, proceed with
.loadby sos clr
!pe
!clrstack

Sometimes Windows Crash while LabVIEW operator Advantech PCI-1716 card

The system include 2 Advantech PCI-1716 card:http://www.advantech.com/products/PCI-1716/mod_86EC4C4D-F497-45C5-81DA-B8600C0EB36F.aspx
I write a program with NI LabVIEW 7.1.
The LabVIEW program can control the two PCI 1716 card.
It work very good.
But about a year later, The computer crashed and sometimes auto restart.
Nobody change the software and hardware.
I used WinDbg to analysis the Windows crash dump file and I think I find something abnormal.
For the WinDbg result, I think maybe the PCI-1716 driver was broken so I re-installed it.
But the problem also happen.
And I also re-installed my windows xp.
The also problem happen again.
I don't know how.
Maybe the PCI 1716 hardware broken.
But how to find which one, there are two PCI 1716 card.
The WinDbg result is:
Loading Dump File [F:\WinDBG\Mini012313-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*C:\Documents and Settings\cky\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp2_rtm.040803-2158 Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055d700 Debug session time: Wed Jan 23 23:09:23.250 2013 (GMT+8) System Uptime: 0 days 23:47:48.802 Loading Kernel Symbols ....................................................................................................... Loading User Symbols Loading unloaded module list ....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {ffdf, 2, 1, 806e5a8e}
Unable to load image ADS1716S.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ADS1716S.sys
*** ERROR: Module load completed but symbols could not be loaded for ADS1716S.sys Probably caused by : ADS1716S.sys ( ADS1716S+f08 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 0000ffdf, memory referenced Arg2: 00000002, IRQL Arg3: 00000001, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 806e5a8e, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 0000ffdf
CURRENT_IRQL: 2
FAULTING_IP: hal!KeAcquireQueuedSpinLock+42 806e5a8e 8902 mov dword ptr [edx],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: LabVIEW.exe
LAST_CONTROL_TRANSFER: from 804efbb0 to 806e5a8e
STACK_TEXT: aa286c00 804efbb0 aa286c20 804f0de4 aa286c1c hal!KeAcquireQueuedSpinLock+0x42 aa286c08 804f0de4 aa286c1c 8602dc38 806e53b8 nt!IoAcquireCancelSpinLock+0xe aa286c20 804f104a 8602dc38 00000001 aa286c58 nt!IopStartNextPacket+0x18 aa286c30 f788ef08 8602dc38 00000001 85eb0230 nt!IoStartNextPacket+0x38 WARNING: Stack unwind information not available. Following frames may be wrong. aa286c58 80575529 85eb0230 86090da0 85f32448 ADS1716S+0xf08 aa286c80 805d1cb9 85f32448 85f32448 85f32690 nt!IoCancelThreadIo+0x33 aa286d08 805d209a 00000001 85f32448 00000000 nt!PspExitThread+0x403 aa286d28 805d2275 85f32448 00000001 aa286d64 nt!PspTerminateThreadByPointer+0x52 aa286d54 8054160c 00000000 00000001 0012e810 nt!NtTerminateProcess+0x105 aa286d54 7c92eb94 00000000 00000001 0012e810 nt!KiFastCallEntry+0xfc 0012e810 00000000 00000000 00000000 00000000 0x7c92eb94
STACK_COMMAND: kb
FOLLOWUP_IP: ADS1716S+f08 f788ef08 ?? ???
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: ADS1716S+f08
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ADS1716S
IMAGE_NAME: ADS1716S.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45b96de9
FAILURE_BUCKET_ID: 0xA_W_ADS1716S+f08
BUCKET_ID: 0xA_W_ADS1716S+f08
Followup: MachineOwner
---------
0: kd> lmvm ADS1716S start end module name f788e000 f7893ac0 ADS1716S T (no symbols)
Loaded symbol image file: ADS1716S.sys
Image path: ADS1716S.sys
Image name: ADS1716S.sys
Timestamp: Fri Jan 26 10:56:41 2007 (45B96DE9)
CheckSum: 00010C75
ImageSize: 00005AC0
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
I'd run Memtest86+ just to see if you have any bad RAM.
Following that maybe you can pull 1 card out and write a simple script to do some I/O (similar to what you're doing normally maybe). If it takes a while you could put it into a loop and run it for a while and see if you can force a crash. You could repeat the test on each card to see if you have any issues with just one of the cards.
Does the crash happen often or rarely?

windbg conflicting information

I have WinDBG 6.12.0002.633 x86 and I'm using it to view a post-mortem kdmp from a Windows Mobile 6 ARMV4I application.
When I go to analyze the callstack I get a lot of unknowns. In the analysis, I can see in the *FAULTING_IP* section that the fault is in the tcpstk module. (for which I also have symbols. But, in the *STACK_TEXT* section, the tcpstk addresses appear as just addresses, no symbols.
Also, in the *MODULE_NAME* section, I get another unknown even though it just said the faulting module was in tcpstk.
The result of the !analyze -v command is:
1:128:armce> !analyze -v
***snip!***
FAULTING_IP:
tcpstk!_DerefIF+38 [\private\winceos\comm\tcpipw\ip\iproute.c # 1032]
01b0d6f0 ???????? ???
***snip!***
IP_ON_HEAP: 07b00090
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
FRAME_ONE_INVALID: 1
STACK_TEXT:
761efa6c 07b00090 : 7b858453 00000003 00000000 00000000 : 0x7b0d6f0
761efa7c 07b0020c : 7b858453 506f010a 00000000 00000000 : 0x7b00090
761efacc 78012d38 : 7b858453 506f010a 00000000 00000000 : 0x7b0020c
761efaf4 78013cdc module_78010000!AdapterBindingManager::NetUp+0xb4 [bar.cpp # 268]
761efb34 78014b78 module_78010000!AdapterBindingManager::EnterState+0x5e4 [bar.cpp # 1327]
761efda4 78015c08 module_78010000!AdapterBindingManager::ProcessEvent+0x8e4 [bar.cpp # 1298]
761efdd8 03f668dc module_78010000!MediaSense+0x25c [foo.cpp # 673]
761efe94 00000000 coredll_3f49000!ThreadBaseFunc+0x98 [\private\winceos\coreos\core\dll\apis.c # 633]
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ~128s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_Unknown_Image!Unknown
If I switch to the kp command, I suddenly can see that part of the callstack
1:128:armce> kp
Child-SP RetAddr Call Site
761efa6c 01b0d6e0 tcpstk!_DerefIF(struct Interface * IF = 0x7b858453)+0x38 [\private\winceos\comm\tcpipw\ip\iproute.c # 1032]
761efa6c 00000000 tcpstk!_DerefIF(struct Interface * IF = 0x7b858453)+0x28 [\private\winceos\comm\tcpipw\ip\iproute.c # 1026]
Why isn't the !analyze -v command able to show the fully decoded callstack? Why does it show so many unknowns?
I think that WinDBG cannot debug ARM I have not seen any documentation that states it is capable of debugging ARM, only x86 and x64 applications.
There is a Windbg provided in the ARM toolkit that is the windowed version of armsd which is not related to the microsoft WindDbg.