{"id":7653,"date":"2012-05-11T07:00:00","date_gmt":"2012-05-11T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2012\/05\/11\/when-you-crash-on-a-mov-ebx-eax-instruction-there-arent-too-many-obvious-explanations-so-just-try-what-you-can\/"},"modified":"2012-05-11T07:00:00","modified_gmt":"2012-05-11T07:00:00","slug":"when-you-crash-on-a-mov-ebx-eax-instruction-there-arent-too-many-obvious-explanations-so-just-try-what-you-can","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20120511-00\/?p=7653","title":{"rendered":"When you crash on a mov ebx, eax instruction, there aren&#039;t too many obvious explanations, so just try what you can"},"content":{"rendered":"<p>\nA computer running some tests encountered a mysterious crash:\n<\/p>\n<pre>\neax=ffffffff ebx=00000000 ecx=038ef548 edx=17b060b4 esi=00000000 edi=038ef6f0\neip=14ae1b77 esp=038ef56c ebp=038ef574 iopl=0         nv up ei pl nz na po nc\ncs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202\nFOO!CFrameWnd::GetAssociatedWidget+0x47:\n14ae1b77 8bd8            mov     ebx,eax\n<\/pre>\n<p>\nA colleague of mine quickly diagnosed the proximate cause.\n<\/p>\n<blockquote CLASS=\"q\">\n<p>\n*Something* marked the code page PAGE_READWRITE,\ninstead of PAGE_EXECUTE_READ.\nI suspect a bug in a driver.\nFOO is just a victim here.\n<\/p>\n<pre>\n0:002&gt; !vprot 14ae1b77\nBaseAddress:       14ae1000\nAllocationBase:    14ae0000\nAllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY\nRegionSize:        00001000\nState:             00001000  MEM_COMMIT\nProtect:           00000004  PAGE_READWRITE\nType:              01000000  MEM_IMAGE\n<\/pre>\n<\/blockquote>\n<p>\nThis diagnosis was met with astonishment.\n&#8220;Wow!\nWhat made you think to check the protection on the code page?&#8221;\n<\/p>\n<p>\nWell, let&#8217;s see.\nWe&#8217;re crashing on a <code>mov ebx, eax<\/code> instruction.\nThis does not access memory;\nit&#8217;s a 
register-to-register operation.\nThere&#8217;s no way a\nproperly functioning CPU\ncan raise an exception on this instruction.\n<\/p>\n<p>\nAt this point, what possibilities remain?\n<\/p>\n<ul>\n<li>NX, which prevents the CPU from executing data.\n<li>\n    <a HREF=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2005\/04\/12\/407562.aspx\">\n    Overclocking<\/a>, which will cause all sorts of &#8220;impossible&#8221; things.\n<li>\n    <a HREF=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2006\/04\/21\/580608.aspx\">\n    A root kit<\/a>.\n<\/ul>\n<p>\n(Note that the second and third options involve rejecting the assumption\nthat the CPU is behaving properly.)\n<\/p>\n<p>\nThese are in increasing order of paranoia,\nso you naturally\n<a HREF=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2011\/02\/10\/10127054.aspx\">\nstart with the least paranoid possibility<\/a>.\n<\/p>\n<p>\nThen, of course, there&#8217;s the non-psychic solution:\nAsk the debugger for the exception record.\n<\/p>\n<pre>\nEXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)\nExceptionAddress: 14ae1b77 (FOO!CFrameWnd::GetAssociatedWidget+0x00000047)\n   ExceptionCode: c0000005 (Access violation)\n  ExceptionFlags: 00000000\nNumberParameters: 2\n   Parameter[0]: 00000008\n   Parameter[1]: 14ae1b77\n<font COLOR=\"blue\">Attempt to execute non-executable address<\/font> 14ae1b77\n<\/pre>\n<p>\nThat last line pretty much hands it to you on a silver platter.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A computer running some tests encountered a mysterious crash: eax=ffffffff ebx=00000000 ecx=038ef548 edx=17b060b4 esi=00000000 edi=038ef6f0 eip=14ae1b77 esp=038ef56c ebp=038ef574 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 FOO!CFrameWnd::GetAssociatedWidget+0x47: 14ae1b77 8bd8 mov ebx,eax A colleague of mine quickly diagnosed the proximate cause. 
*Something* marked the code page PAGE_READWRITE, instead [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-7653","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>A computer running some tests encountered a mysterious crash: eax=ffffffff ebx=00000000 ecx=038ef548 edx=17b060b4 esi=00000000 edi=038ef6f0 eip=14ae1b77 esp=038ef56c ebp=038ef574 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 FOO!CFrameWnd::GetAssociatedWidget+0x47: 14ae1b77 8bd8 mov ebx,eax A colleague of mine quickly diagnosed the proximate cause. *Something* marked the code page PAGE_READWRITE, instead [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/7653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=7653"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/7653\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=7653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/w
p-json\/wp\/v2\/categories?post=7653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=7653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}