{"id":93012,"date":"2016-02-11T07:00:00","date_gmt":"2016-02-11T22:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=93012"},"modified":"2019-03-13T10:30:15","modified_gmt":"2019-03-13T17:30:15","slug":"20160211-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20160211-00\/?p=93012","title":{"rendered":"Debugging walkthrough: Diagnosing an NX exception"},"content":{"rendered":"

A colleague of mine asked for help debugging a strange failure. Execution halted because the CPU detected that it was trying to execute data. <\/p>\n

\nABC!__PchSym_ (ABC+0x67be4)\nuser32!UserCallWinProcCheckWow+0x140\nuser32!DispatchClientMessage+0xa2\nuser32!__fnDWORD+0x2d\nntdll!KiUserCallbackDispatcherContinue\nuser32!ZwUserPeekMessage+0xa\nuser32!PeekMessageW+0x7f\nexplorerframe!CExplorerFrame::FrameMessagePump+0x5b\nexplorerframe!BrowserThreadProc+0x5e\nexplorerframe!BrowserNewThreadProc+0x3a\nexplorerframe!CExplorerTask::InternalResumeRT+0x12\nexplorerframe!CRunnableTask::Run+0xc9\nshell32!CShellTaskThread::ThreadProc+0x284\nshell32!CShellTaskThread::s_ThreadProc+0x2b\nSHCore!_WrapperThreadProc+0x15f\nkernel32!BaseThreadInitThunk+0xd\nntdll!RtlUserThreadStart+0x1d\n\nEXCEPTION_RECORD:  (.exr -1)\nExceptionAddress: 00007ffcfd197be4 (ABC+0x67be4)\n   ExceptionCode: c0000005 (Access violation)\n  ExceptionFlags: 00000000\nNumberParameters: 2\n   Parameter[0]: 0000000000000008\n   Parameter[1]: 00007ffcfd197be4\nAttempt to execute non-executable address 00007ffcfd197be4\n<\/pre>\n
My colleague suspected that a return address got overwritten by some function deeper in the stack, and that caused the instruction pointer to jump to a random module, and the victim module was ABC. <\/p>\n
I looked at the crash dump, and came to a different conclusion. The stack is just fine. The problem is that a DLL got unloaded: <\/p>\n
\n0:067> lm\n...\nUnloaded modules:\n...\n00007ffc`fd140000 00007ffc`fd1ee000   DEF.dll\n...\n<\/pre>\n
After DEF.dll<\/code> got unloaded, ABC.DLL<\/code> got loaded into the same location. <\/p>\n
\n0:067> .reload \/unl DEF.dll\nWARNING: DEF overlaps ABC\n<\/pre>\n
The problem is that DEF.dll<\/code> unloaded before destroying all its windows. And then its window received a message (in this case, WM_ACTIVATE­APP<\/code>, but you were not expected to know this since it wasn’t in the stack trace). The window manager called the window procedure, which now points into the middle of ABC.dll<\/code>. The debugger is correctly reporting that execution halted in the middle of ABC.dll<\/code>. <\/p>\n
The next step is to engage the people responsible for DEF.dll<\/code> to figure out why they leaked a window. <\/p>\n
Exercise<\/b>: What command would be useful at this point to help the DEF.dll<\/code> identify the window that they leaked? <\/p>\n","protected":false},"excerpt":{"rendered":"
Leap of faith.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-93012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Leap of faith.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=93012"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/93012\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=93012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=93012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=93012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}