Warning<\/b>: This article talks about implementation details which can change at any time. The information provided is for debugging and diagnostic purposes only. <\/p>\n
A customer found that their server program occasionally crashes in the internal function The dereference was due to a null pointer in the The customer chased the null pointer backwards and found that it came from the The customer confirmed that, yes, the Although the customer didn’t do it in their application (at least not knowingly), they did try a test application which passed the Is it possible that this is a critical section that was initialized with the traditional No, that’s not why the the So what does it mean when the Other evidence that you have an uninitialized critical section is that the critical section is locked, yet has no owner. Furthermore, the spin count is zero, which occurs only on uniprocessor systems. I suspect the server they are running the program on has more than one core. (Heck, my phone<\/i> has more than one core.) <\/p>\n Bonus reading<\/b>: Displaying a critical section in the debugger<\/a>. <\/p>\nRtlpWaitOnCriticalSection<\/code> trying to dereference the address 0x00000014<\/code>. <\/p>\n\n7789dde3 ff4014 inc dword ptr [eax+14h]\n<\/pre>\n
EAX<\/code> register. This was particularly difficult to debug because the problem usually didn’t surface until the program had been running continuously for a week or more. <\/p>\nDebugInfo<\/code> field of the RTL_<\/code>CRITICAL_<\/code>SECTION<\/code> structure. <\/p>\n\ntypedef struct _RTL_CRITICAL_SECTION\n{\n \/\/ value in memory:\n PRTL_CRITICAL_SECTION_DEBUG DebugInfo; \/\/ 0x00000000\n LONG LockCount; \/\/ 0xFFFFFFFC\n LONG RecursionCount; \/\/ 0x00000000\n PVOID OwningThread; \/\/ 0x00000000\n PVOID LockSemaphore; \/\/ 0x00005CDC\n ULONG SpinCount; \/\/ 0x00000000\n} RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION;\n<\/pre>\nDebugInfo<\/code> of the critical section they were trying to enter was indeed null. <\/p>\nCRITICAL_<\/code>SECTION_<\/code>NO_<\/code>DEBUG_<\/code>INFO<\/code> flag to the InitializeCriticalSectionEx<\/code> function, in the hopes of inducing a null pointer for the DebugInfo<\/code>, but it didn’t work. When initialized in that way, the DebugInfo<\/code> was set to 0xFFFFFFFF<\/code>. <\/p>\nInitializeCriticalSection<\/code> function, but the attempt to allocate the debug info failed, so the kernel left it null? <\/p>\nDebugInfo<\/code> is null. If a critical section has no debug info (either explicitly requested as such with the CRITICAL_<\/code>SECTION_<\/code>NO_<\/code>DEBUG_<\/code>INFO<\/code> flag, or because the system couldn’t allocate any debug info), then the DebugInfo<\/code> is set to the special value 0xFFFFFFFF<\/code>. The DebugInfo<\/code> for a valid initialized critical section is never null. <\/p>\nDebugInfo<\/code> is null? The most likely reason is that you are using an uninitialized critical section. Either you never initialized it, or you deleted an initialized critical section (which resets it back to the uninitialized state). <\/p>\n