{"id":94645,"date":"2016-11-04T07:00:00","date_gmt":"2016-11-04T21:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=94645"},"modified":"2019-03-13T10:33:22","modified_gmt":"2019-03-13T17:33:22","slug":"20161104-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20161104-00\/?p=94645","title":{"rendered":"Why is my crash dump file filled with 0xAAAAAAAA?"},"content":{"rendered":"<p>A customer was studying a minidump collected by Windows Error Reporting. The minidump includes the contents of the stack, but the contents are randomly filled with 0xAAAAAAAA. <\/p>\n<pre>\n00f3ac5c  00f3d1c0\n00f3ac60  592ccae2 contoso!AppWndProc+0x1c5b\n00f3ac64  aaaaaaaa\n00f3ac68  aaaaaaaa\n00f3ac6c  aaaaaaaa\n00f3ac70  aaaaaaaa\n00f3ac74  00000000\n00f3ac78  00000000\n00f3ac7c  58e75a46 contoso!WndProcGeneric\n00f3ac80  504e7fea cohelp!allyourbuttons+0x5aba\n00f3ac84  aaaaaaaa\n00f3ac88  aaaaaaaa\n00f3ac8c  00000000\n00f3ac90  00000000\n00f3ac94  0ee26838\n00f3ac98  00000000\n00f3ac9c  aaaaaaaa\n00f3aca0  58ec7405 contoso!GetBlockBeforeCapture+0x2e\n00f3aca4  0ee26838\n00f3aca8  0fd6db10\n00f3acac  00000000\n00f3acb0  aaaaaaaa\n00f3acb4  00f3ad04\n00f3acb8  58ec732f contoso!FindDrawingFromGraphicId+0x136\n00f3acbc  aaaaaaaa\n00f3acc0  00000000\n00f3acc4  00000000\n00f3acc8  00000000\n00f3accc  00000000\n00f3acd0  aaaaaaaa\n00f3acd4  aaaaaaaa\n00f3acd8  aaaaaaaa\n<\/pre>\n<p>What&#8217;s going on here? <\/p>\n<p>What&#8217;s going on is that the minidump has been filtered. The customer missed this message from the debugger that was printed at the top of the debug session: <\/p>\n<blockquote CLASS=\"q\">\n<p STYLE=\"border-bottom: solid 1px black\">User Mini Triage Dump File: Only registers, stack and portions of memory are available <\/p>\n<p>The user dump currently examined is a triage dump. Consequently, only a subset of debugger functionality will be available. 
If needed, please collect a minidump or a heap dump. <\/p>\n<ul>\n<li>To create a mini user dump use the command: .dump \/m &lt;filename&gt;<\/li>\n<li>To create a full user dump use the command: .dump \/ma &lt;filename&gt;<\/li>\n<\/ul>\n<p>Triage dumps have certain values on the stack and in the register contexts overwritten with pattern <code>0xAAAAAAAA<\/code>. If you see this value <\/p>\n<ol>\n<li>the original value was not <code>NULL<\/code><\/li>\n<li>the original value was not a direct pointer to a loaded or unloaded image<\/li>\n<li>the original value did not point to an object whose VFT points to a loaded or unloaded image (indirect pointer)<\/li>\n<li>the original value did not point to the stack itself or any memory area added to the dump (TEB, PEB, memory for CLR stackwalk or exceptions, etc.)<\/li>\n<li>the original value was not a valid handle value<\/li>\n<\/ol>\n<\/blockquote>\n<p>After receiving this explanation, the customer was still a bit dubious. &#8220;A lot of function parameters in the dump are being given as <code>0xAAAAAAAA<\/code>, which suggests that they have been filtered out. But I thought constant strings and plain integers should still be on the stack. Does the fact that I don&#8217;t see them mean that they were corrupted?&#8221; <\/p>\n<p>If you look at the information banner printed by the debugger, you can see that plain integers are not on the list of things exempt from filtering. You might still see an integer if it happens to match a value that is exempt from filtering, such as if it happens to be zero or match a valid handle. <\/p>\n<p>As for constant strings, it depends on how the constant string is stored. If it&#8217;s a literal string embedded in a module, then it would be exempt from filtering according to rule&nbsp;2. But if the string were copied to the heap or to the stack, then that would make it subject to filtering. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>No, it&#8217;s just that the original data was scrubbed out.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-94645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>No, it&#8217;s just that the original data was scrubbed out.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=94645"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94645\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=94645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=94645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=94645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}