Discussion:
stack memory is missing from x64 minidump with MiniDumpWithIndirectlyReferencedMemory - not included in minidump?
Saulius Menkevičius
2011-08-18 13:54:19 UTC
Hi,

I get proper callstack with MiniDumpWithFullMemory, however. I even tried using MINIDUMP_CALLBACK_INFORMATION to force inclusion of RSP and RBP memory range, but to no avail.

I.e. I have code like this:

    case MemoryCallback:
    switch(PMINIDUMPCALLBACKINPUT->CallbackType)
    <..snip>
    Output->MemoryBase = rInfo.m_pExPointers->ContextRecord->Rsp + 0x4000 - 0x200;
    Output->MemorySize = 0x4000; // 16 KB
    <..snip>

Are there any security settings in effect for thread or process? This by the way happens only within IIS environment (IIS v.7) - this is a plain native ISAPI dll. So I suspect security/privileges.

Any pointers?

=== output from cdb ===
0:006> .ecxr
rax=00000000017ddc20 rbx=0000000000fa3cb0 rcx=000000003159bb20
rdx=00000000017ddba0 rsi=00000000017ddca0 rdi=00000000017ddc30
rip=0000000030d41dc2 rsp=00000000017dda30 rbp=00000000017deb10
r8=00000000017de650 r9=0000000006e51d28 r10=000000001075e518
r11=0000000001041690 r12=0000000000000000 r13=0000000000000124
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Unable to load image \\?\D:\Inetpub\wwwroot\scripts\x.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for x.dll
*** ERROR: Module load completed but symbols could not be loaded for x.dll
x+0x1dc2:
00000000`30d41dc2 8b042500000000 mov eax,dword ptr [0] ds:00000000`00000000=????????
0:006> dq 17dda30 + 20
00000000`017dda50 ????????`???????? ????????`????????
00000000`017dda60 ????????`???????? ????????`????????
00000000`017dda70 ????????`???????? ????????`????????
00000000`017dda80 ????????`???????? ????????`????????
00000000`017dda90 ????????`???????? ????????`????????
00000000`017ddaa0 ????????`???????? ????????`????????
00000000`017ddab0 ????????`???????? ????????`????????
00000000`017ddac0 ????????`???????? ????????`????????
0:006>

====

Also it says that:
WARNING: Teb 6 pointer is NULL - defaulting to 00000000`7ffde000
WARNING: 00000000`7ffde000 does not appear to be a TEB

But I don't know if that makes any difference.

Thanks,
-Saulius
Saulius Menkevičius
2011-08-31 13:31:21 UTC
While investigating, it seems there is a problem with
OpenThread(THREAD_ALL_ACCESS, ...) that dbghelp.dll!MiniDumpWriteDump is
doing. That function returns an ACCESS_DENIED error for each thread it
is trying to open.

This is probably a security (?) feature of the IIS environment where
threads in an application pool could be owned by different apps/users,
maybe..

Didn't find a workaround yet.

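Added example, not code from either post: a small Python check of which address ranges a minidump actually stores, so the `????????` at rsp can be confirmed from the file itself rather than from the debugger. The function names and the sample dump are constructed for illustration; the sample holds only the range the posted callback requests (base Rsp + 0x4000 - 0x200, size 0x4000), with rsp taken from the .ecxr output.

```python
import struct

MEMORY_LIST_STREAM = 5      # MINIDUMP_MEMORY_LIST
MEMORY64_LIST_STREAM = 9    # MINIDUMP_MEMORY64_LIST (full-memory dumps)

def memory_ranges(dump: bytes):
    """Return sorted (start, size) for every memory range stored in a minidump."""
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<4sIII", dump, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump")
    ranges = []
    for i in range(nstreams):
        stype, _size, rva = struct.unpack_from("<III", dump, dir_rva + 12 * i)
        if stype == MEMORY_LIST_STREAM:
            (count,) = struct.unpack_from("<I", dump, rva)
            for j in range(count):
                start, size, _rva = struct.unpack_from("<QII", dump, rva + 4 + 16 * j)
                ranges.append((start, size))
        elif stype == MEMORY64_LIST_STREAM:
            count, _base_rva = struct.unpack_from("<QQ", dump, rva)
            for j in range(count):
                ranges.append(struct.unpack_from("<QQ", dump, rva + 16 + 16 * j))
    return sorted(ranges)

def missing_bytes(ranges, start, length):
    """Number of bytes in [start, start+length) that no stored range covers."""
    missing, cursor, end = 0, start, start + length
    for r_start, r_size in ranges:
        if r_start + r_size <= cursor:
            continue
        if r_start >= end:
            break
        if r_start > cursor:
            missing += r_start - cursor
        cursor = max(cursor, r_start + r_size)
    return missing + max(0, end - cursor)

def build_sample(descriptors):
    """Constructed input: header + one directory entry + a MemoryListStream."""
    body = struct.pack("<I", len(descriptors))
    body += b"".join(struct.pack("<QII", s, n, 0) for s, n in descriptors)
    header = struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 1, 32, 0, 0, 0)
    return header + struct.pack("<III", MEMORY_LIST_STREAM, len(body), 44) + body

RSP = 0x17DDA30  # rsp from the .ecxr output in the first post
# Constructed dump holding only the range the posted callback asks for.
requested = build_sample([(RSP + 0x4000 - 0x200, 0x4000)])
print(hex(missing_bytes(memory_ranges(requested), RSP, 0x200)))
```

On a real dump, pass the file's bytes to `memory_ranges` and compare the result against rsp from the exception context.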