Develop Reference

Unable to find the cause of showing MEMORY_CORRUPTION_LARGE and ACCESS_VIOLATION whereas the callstack show clr!DontCallDirectlyForceStackOverflow

My customer is facing random crashes. And got multiple dumps from him but Unable to analyze the reason correctly. Crashes are on Windows Server 2008 and 2012.
he customer is running an application on a windows network:
Most users access to the application from their local clients (all Windows 10).
Some users are running the application via terminal servers (TS1 and TS2).
TS1 is a Windows Server 2008 R2.
TS2 is a Windows Server 2012 R2.
On TS1, TS2 and all Windows 10 PCs Actian PSQL Clients are installed (13.30.037.000).
A Windows Server 2012 R2 is used as a file and database server (Actian PSQL 13.31.006.000).
Windbg shows :
*** procdump -e -ma 7824 C:\Debugging
*** Unhandled exception: C0000005.ACCESS_VIOLATION'
!analyze -v shows :
GetUrlPageData2 (WinHttp) failed: 12002.
FAULTING_IP:
clr!DontCallDirectlyForceStackOverflow+12
74184c2a 0000 add byte ptr [eax],al
EXCEPTION_RECORD: 76ef042f -- (.exr 0x76ef042f)
ExceptionAddress: 0be13000
ExceptionCode: 0be03000
ExceptionFlags: 0be0b000
NumberParameters: 199442432
Parameter[0]: 0bef4000
Parameter[1]: 0bf09000
Parameter[2]: 0bf0c000
Parameter[3]: 0bf0f000
Parameter[4]: 0bf2d000
Parameter[5]: 0bf41000
Parameter[6]: 0bf46000
Parameter[7]: 0bf55000
Parameter[8]: 0bf5a000
Parameter[9]: 0bf62000
Parameter[10]: 0bf67000
Parameter[11]: 0bf82000
Parameter[12]: 0bfc3000
Parameter[13]: 0bfc7000
Parameter[14]: 0bfdf000
CONTEXT: 0b971530 -- (.cxr 0xb971530;r)
eax=000001ff ebx=01ffffff ecx=ffff0000 edx=00000000 esi=00000000 edi=0000003f
eip=003fffff esp=00000000 ebp=00000000 iopl=0 vip vif nv up di pl nz na po nc
cs=0000 ss=0000 ds=0000 es=0000 fs=ffff gs=0000 efl=ffff0000
0000:ffff ?? ???
Last set context:
eax=000001ff ebx=01ffffff ecx=ffff0000 edx=00000000 esi=00000000 edi=0000003f
eip=003fffff esp=00000000 ebp=00000000 iopl=0 vip vif nv up di pl nz na po nc
cs=0000 ss=0000 ds=0000 es=0000 fs=ffff gs=0000 efl=ffff0000
0000:ffff ?? ???
Resetting default scope
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: MgxpaRuntime.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 0b9703bc
WRITE_ADDRESS: 0b9703bc
FOLLOWUP_IP:
clr!DontCallDirectlyForceStackOverflow+12
74184c2a 0000 add byte ptr [eax],al
APPLICATION_VERIFIER_FLAGS: 6aeef141
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo [num_lines]' to view entire output.
17666 errors : !clr (73cb1000-7440c927)
APP: mgxparuntime.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
MANAGED_STACK: !dumpstack -EE
Failed to load data access DLL, 0x80004005
Some functionality may be impaired
OS Thread Id: 0x3d58 (9)
TEB information is not available so a stack size of 0xFFFF is assumed
Current frame:
ChildEBP RetAddr Caller, Callee
PRIMARY_PROBLEM_CLASS: CODE_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 73fcb5b4 to 74184c2a
STACK_TEXT:
0b9713c0 73fcb5b4 92ca4142 0b971450 73db0690 clr!DontCallDirectlyForceStackOverflow+0x12
0b9713e8 73db062a 92ca469e 00b06970 00000000 clr!CLRVectoredExceptionHandler+0x9b
0b971434 76eb6822 0b971450 0b971580 0b971530 clr!CLRVectoredExceptionHandlerShim+0xd6
0b971484 76f1cfc1 00000000 0b971a78 091351a0 ntdll!RtlpCallVectoredHandlers+0xba
0b971514 0b9719e8 76ef042f 0b971530 0b971580 ntdll!RtlDispatchException+0x72
WARNING: Frame IP not in any known module. Following frames may be wrong.
0b971520 0b971580 0b971530 0b971580 c0000005 0xb9719e8
0b971530 00000000 00000000 74184c2a 00000002 0xb971580
STACK_COMMAND: ~9s; .ecxr ; kb
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
FAILURE_BUCKET_ID: CODE_CORRUPTION_c0000005_memory_corruption!Unknown
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:code_corruption_c0000005_memory_corruption!unknown
FAILURE_ID_HASH: {52b16108-a3a5-b115-868e-9fc9ce8e1ee0}
Followup: memory_corruption
---------
Can someone help to understand the cause of such crashes? If i try to check such dumps in DebugDiag , it shows the recursive call stack ...But what is the actual cause?

Lost some debug functionality in Delphi 2007

Recently I have lost some of my debug functionality in Delphi 2007.
Specifically, the Watch List Window is completely disable as are all but a
few of the Watch List's popup menu items. The only menu items that are
enabled are
Add Group...
Show Column Headers
Stay on Top
Dockable
This is the case in the ide and the program running or not running
Breakpoints work as does tooltip expressions at breakpoint.
In Tools | Options , Code completion, Error Insight, Block Completion and
Code Template Completion are unchecked, all other options are checked.
In Tools | Options, Debugger Options are set Integrated Debugging and
Automatically close files implicitly...' checked , all others unchecked.
In Project | Options (Compiler), Optimization unchecked All Debugging
section items checked with exception of 'definitions only'
Conditional Defines are DEBUG;madExcept
When a breakpoint is hit, the Watch List windows shows 'Evaluating...' for
each Watch Name. BTW, the watch names were entered some time ago when all
debugging features were working.
After a period of attempted debugging while at a breakpoint (stopped), the
Run button on toolbar becomes disabled and I have to click 'Run | Program
Reset' on the menu at which time madExcept
throws the following exception from the IDE:
date/time : 2014-09-28, 09:08:17, 855ms
computer name : JOHNTAYLOR-LAP
user name : JT <admin>
registered owner : Microsoft / Microsoft
operating system : Windows 7 x64 build 7600
system language : English
system up time : 10 days 22 hours
program up time : 3 days
processors : 8x Intel(R) Core(TM) i7 CPU Q 840 # 1.87GHz
physical memory : 7944/16308 MB (free/total)
free disk space : (C:) 83.99 GB
display mode : 1024x768, 32 bit
process id : $2994
allocated memory : 354.77 MB
command line : "C:\CodeGear RAD Studio\CodeGear\RAD Studio\5.0\bin\bds.exe" -np
executable : bds.exe
current module : madExcept_.bpl
exec. date/time : 2007-12-11 15:04
version : 11.0.2902.10471
compiled with : Delphi 2006/07
madExcept version : 4.0.6
callstack crc : $f8d6ff12, $83616f26, $cd9b05a3
exception number : 1
exception class : EListError
exception message : List index out of bounds (0).
main thread ($325c):
20032558 +03c rtl100.bpl Classes 3525 +3 TInterfaceList.Put
2087a8f4 +008 dbkdebugide100.bpl Debug 6414 +1 TThread.RemoveNotifier
20aa3b13 +043 coreide100.bpl WatchWin 1543 +1 TWatchWindow.EvaluteComplete
20878cf9 +0fd dbkdebugide100.bpl Debug 5564 +12 TThread.EvalComplete
20877660 +02c dbkdebugide100.bpl Debug 4871 +2 TDbkApiEvent.Send
208784c8 +024 dbkdebugide100.bpl Debug 5300 +2 TDebugKernel.apiComplete
2013a81a +012 vcl100.bpl Controls 4039 +1 TControl.ScreenToClient
209b6b21 +065 coreide100.bpl EditorControl 6744 +3 TCustomEditControl.WMNCHitTest
7759e74d +078 ntdll.dll RtlAnsiStringToUnicodeString
76977b0a +016 USER32.dll CallWindowProcA
20885499 +039 dbkdebugide100.bpl Debug 11455 +3 TDebugger.DBKWndProc
20040e4c +014 rtl100.bpl Classes 11583 +8 StdWndProc
7696810d +00a USER32.dll DispatchMessageA
Can anyone help me get this straightened out ? This started suddenly about
a month ago and not pursuant to any new component installation that I am
aware of.

I had the same problem in BDS2006. And I found a very simple solution that worked for me. Open your project desktop-file (.dsk). Go to the watches section. I just removed some unwanted watches (don't forget to adjust the count), started Delphi again and my watches and menu-items were enabled.

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 32 bytes) in joomla 3

Getting following error at joomla admin, when click on Global Configuration option:
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 32 bytes) in /home/arena/public_html/libraries/phputf8/utils/unicode.php on line 49
,
i am using joomla 3.0.1

There are several ways you can solve this problem. By adding the init_set('memory_limit', $amount_of_memory) in your index.php file, by setting the memory_limit Apache variable at the .htaccess level using the php_value, or by modifying the global/local php.ini. We have discussed all the options here http://www.itoctopus.com/allowed-memory-size-of-x-bytes-exhausted-error-on-joomla . If none works, then most likely this is a hosting issue, and you should take it with your host.

To what extent Dynamic lib can be decoded or decompressed? - ios

I'm developing a dynamic library for an iOS application(not for apple store). Given an IPA, to what extent my dynamic library can be decompressed by hacker/user? can my method definitions in dynamic library read while decompressing? Thanks in advance.

From man dyldinfo:
dyldinfo(1) BSD General Commands Manual dyldinfo(1)
NAME
dyldinfo -- Displays information used by dyld in an executable
SYNOPSIS
dyldinfo [-arch arch-name] [-dylibs] [-rebase] [-bind] [-weak_bind] [-lazy_bind] [-export] [-opcodes]
[-function_starts] file(s)
DESCRIPTION
Executables built for Mac OS X 10.6 and later have a new format for the information in the __LINKEDIT
segment. The dyldinfo tool will display that information.
The options are as follows:
-arch arch
Only display the specified architecture. Other architectures in a universal image are ignored.
-dylibs
Display the table of dylibs on which this image depends.
-rebase
Display the table of rebasing information. Rebasing is what dyld does when an image is not
loaded at its preferred address. Typically, this involves updating pointers in the __DATA seg-
ment which point within the image.
-bind Display the table of binding information. These are the symbolic fix ups that dyld must do
when an image is loaded.
-weak_bind
Display the table of weak binding information. Typically, only C++ progams will have any weak
binding. These are symbols which dyld must unique accross all images.
-lazy_bind
Display the table of lazy binding information. These are symbols which dyld delays binding
until they are first used. Lazy binding is automatically used for all function calls to func-
tions in some external dylib.
-export
Display the table symbols which this image exports.
-opcodes
Display the low level opcodes used to encode all rebase and binding information.
-function_starts
Decodes the list of function start addresses.
This is just one example of the tools that can be used for analysis of dylibs. On my machine, for instance, I ran it on one of OpenSceneGraph's dylibs and here is a snippet I got:
0x143942 __ZN3osg13gluDeleteTessEPNS_13GLUtesselatorE
0x143968 __ZL9GotoStatePN3osg13GLUtesselatorE9TessState
0x143AA9 __ZN3osg15gluTessPropertyEPNS_13GLUtesselatorEjd
0x143B75 __ZN3osg18gluGetTessPropertyEPNS_13GLUtesselatorEjPd
0x143C70 __ZN3osg13gluTessNormalEPNS_13GLUtesselatorEddd
0x143C85 __ZN3osg15gluTessCallbackEPNS_13GLUtesselatorEjPFvvE
0x143E44 __ZN3osg13gluTessVertexEPNS_13GLUtesselatorEPdPv
0x143FE4 __ZL10EmptyCachePN3osg13GLUtesselatorE
0x144063 __ZL9AddVertexPN3osg13GLUtesselatorEPdPv
0x14411A __ZN3osg19gluTessBeginPolygonEPNS_13GLUtesselatorEPv
0x144161 __ZN3osg19gluTessBeginContourEPNS_13GLUtesselatorE
0x1441A1 __ZN3osg17gluTessEndContourEPNS_13GLUtesselatorE
0x1441C9 __ZN3osg17gluTessEndPolygonEPNS_13GLUtesselatorE
And:
__DATA __const 0x001D9D28 pointer 0 __ZTv0_n72_NK3osg6Camera12DrawCallback9classNameEv
__DATA __data 0x001E8208 pointer 0 __ZTv0_n72_NK3osg6Camera12DrawCallback9classNameEv
__DATA __data 0x001E84E8 pointer 0 __ZTv0_n72_NK3osg6Camera12DrawCallback9classNameEv
__DATA __const 0x001DA5F8 pointer 0 __ZTv0_n72_NK3osg8Drawable12CullCallback9classNameEv
__DATA __data 0x001E57E8 pointer 0 __ZTv0_n72_NK3osg8Drawable12CullCallback9classNameEv
And like always, pulling out strings and other const data is ridiculously easy. (The following is from a .so ... I couldn't find an x86 dylib on my system in my 30 seconds of searching ... the method is the same, though) (oh and you can tell that I disasm'd a library shipped with valgrind):
If you have strings consisting of sensitive data then those can easily be pulled from your libs... this is what I got from just dropping one lib into IDA:
__cstring:00003A58 ; Segment type: Pure data
__cstring:00003A58 __cstring segment dword public 'DATA' use32
__cstring:00003A58 assume cs:__cstring
__cstring:00003A58 ;org 3A58h
__cstring:00003A58 aDevRandom db '/dev/random',0 ; DATA XREF: _vgr00000ZU_libSystemZdZaZddylib_arc4random+17o
__cstring:00003A58 ; __data:__crashreporter_info__o
__cstring:00003A64 aValgrind_launc db 'VALGRIND_LAUNCHER',0 ; DATA XREF: vg_cleanup_env+1Co
__cstring:00003A76 aDyld_shared_re db 'DYLD_SHARED_REGION',0
__cstring:00003A89 aDyld_insert_li db 'DYLD_INSERT_LIBRARIES',0
__cstring:00003A9F align 10h
__cstring:00003AA0 aInstrumentedBy db 'Instrumented by Valgrind 3.8.1',0
__cstring:00003AA0 __cstring ends
This is where you'd find all the const strings that are used. Below this section (not shown) is the "pure data" section where other const data is stored.
So, again, it totally depends on exactly what information is sensitive.

uboot environment variable save doesn't seem to work

I'm having problems trying to save environment variables in uBoot and have them persist across reboots, see trace below. This is with U-Boot 2009.08-00000-g19b0e8d-dirty (May 29 2012 - 16:09:40). Any ideas as to what could be wrong? Is the "Writing to Flash... Flash not Erased" message significant?
-> setenv ipaddr 10.1.10.28
-> saveenv
Saving Environment to Flash...
. done
Un-Protected 1 sectors
. done
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... Flash not Erased
. done
Protected 1 sectors
. done
Protected 1 sectors
-> printenv
bootdelay=1
baudrate=115200
serverip=10.1.10.40
loadaddr=41000000
u-boot=q4/u-boot.bin
load=tftp ${loadaddr) ${u-boot}
upd=run load; run prog
bootargs=console=ttyMCF2,115200 panic=10
rootpath=/tftpboot/ltib
nfsargs=setenv bootargs ${bootargs} root=/dev/nfs rw nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:off
nfs=run nfsargs; tftp q4/uImage-nfs; bootm
prog=prot off 0 3ffff;era 0 3ffff;cp.b ${loadaddr} 0 ${filesize};save
ext_wp_off=mw.b 10010020 e0 1
ethact=FEC0
ethaddr=3c:98:bf:00:00:14
eth1addr=3c:98:bf:00:00:15
nfsaddr=10.1.10.40
httpPort=81
hostname=
stdin=serial
stdout=serial
stderr=serial
mem=65024k
ipaddr=10.1.10.28
Environment size: 686/32763 bytes
-> reset
U-Boot 2009.08-00000-g19b0e8d-dirty (May 29 2012 - 16:09:40)
(c) 2012.
CPU: Freescale MCF53013 (Mask:73 Version:1)
CPU CLK 240 MHz BUS CLK 80 MHz
Board: RevB
I2C: ready
DRAM: 64 MB
FLASH: 32 MB
In: serial
Out: serial
Err: serial
Net: FEC0, FEC1
-> printenv
bootdelay=1
baudrate=115200
serverip=10.1.10.40
loadaddr=41000000
u-boot=q4/u-boot.bin
load=tftp ${loadaddr) ${u-boot}
upd=run load; run prog
bootargs=console=ttyMCF2,115200 panic=10
rootpath=/tftpboot/ltib
nfsargs=setenv bootargs ${bootargs} root=/dev/nfs rw nfsroot=${serverip}:${rootpath} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:off
nfs=run nfsargs; tftp q4/uImage-nfs; bootm
prog=prot off 0 3ffff;era 0 3ffff;cp.b ${loadaddr} 0 ${filesize};save
ext_wp_off=mw.b 10010020 e0 1
ethact=FEC0
ethaddr=3c:98:bf:00:00:14
eth1addr=3c:98:bf:00:00:15
nfsaddr=10.1.10.40
httpPort=81
hostname=
stdin=serial
stdout=serial
stderr=serial
mem=65024k
Environment size: 668/32763 bytes
->
flinfo output is:
-> flinfo
Bank # 1: CFI conformant FLASH (16 x 16) Size: 32 MB in 262 Sectors
AMD Standard command set, Manufacturer ID: 0x01, Device ID: 0x227E
Erase timeout: 8192 ms, write timeout: 1 ms
Buffer write timeout: 5 ms, buffer size: 64 bytes
Sector Start Addresses:
00000000 RO 00008000 RO 00010000 RO 00018000 RO 00020000 RO
00040000 00060000 00080000 000A0000 000C0000
000E0000 00100000 00120000 00140000 00160000
00180000 001A0000 001C0000 001E0000 00200000
00220000 00240000 00260000 00280000 002A0000
002C0000 002E0000 00300000 00320000 00340000
00360000 00380000 003A0000 003C0000 003E0000
00400000 00420000 00440000 00460000 00480000
004A0000 004C0000 004E0000 00500000 00520000
00540000 00560000 00580000 005A0000 005C0000
005E0000 00600000 00620000 00640000 00660000
00680000 006A0000 006C0000 006E0000 00700000
00720000 00740000 00760000 00780000 007A0000
007C0000 007E0000 00800000 00820000 00840000
00860000 00880000 008A0000 008C0000 008E0000
00900000 00920000 00940000 00960000 00980000
009A0000 009C0000 009E0000 00A00000 00A20000
00A40000 00A60000 00A80000 00AA0000 00AC0000
00AE0000 00B00000 00B20000 00B40000 00B60000
00B80000 00BA0000 00BC0000 00BE0000 00C00000
00C20000 00C40000 00C60000 00C80000 00CA0000
00CC0000 00CE0000 00D00000 00D20000 00D40000
00D60000 00D80000 00DA0000 00DC0000 00DE0000
00E00000 00E20000 00E40000 00E60000 00E80000
00EA0000 00EC0000 00EE0000 00F00000 00F20000
00F40000 00F60000 00F80000 00FA0000 00FC0000
00FE0000 01000000 01020000 01040000 01060000
01080000 010A0000 010C0000 010E0000 01100000
01120000 01140000 01160000 01180000 011A0000
011C0000 011E0000 01200000 01220000 01240000
01260000 01280000 012A0000 012C0000 012E0000
01300000 01320000 01340000 01360000 01380000
013A0000 013C0000 013E0000 01400000 01420000
01440000 01460000 01480000 014A0000 014C0000
014E0000 01500000 01520000 01540000 01560000
01580000 015A0000 015C0000 015E0000 01600000
01620000 01640000 01660000 01680000 016A0000
016C0000 016E0000 01700000 01720000 01740000
01760000 01780000 017A0000 017C0000 017E0000
01800000 01820000 01840000 01860000 01880000
018A0000 018C0000 018E0000 01900000 01920000
01940000 01960000 01980000 019A0000 019C0000
019E0000 01A00000 01A20000 01A40000 01A60000
01A80000 01AA0000 01AC0000 01AE0000 01B00000
01B20000 01B40000 01B60000 01B80000 01BA0000
01BC0000 01BE0000 01C00000 01C20000 01C40000
01C60000 01C80000 01CA0000 01CC0000 01CE0000
01D00000 01D20000 01D40000 01D60000 01D80000
01DA0000 01DC0000 01DE0000 01E00000 01E20000
01E40000 01E60000 01E80000 01EA0000 01EC0000
01EE0000 01F00000 01F20000 01F40000 01F60000
01F80000 01FA0000 01FC0000 01FE0000 RO 01FE8000 RO
01FF0000 01FF8000

I had a similar issue after using "fw_setenv" to update my U-Boot environment.
What I found is that my U-Boot was unable to unlock the environment sector after fw_setenv locked it from Linux. Everything would look ok, but then the write would fail the same way yours did.
I was able to fix my problem by unlocking the env sector from Linux using flash_unlock.

This occurs after using fw_setenv on occasion in Linux. If you can boot into your running Linux, the execute "mtd unlock /devX" where X is your partition in which your u-boot environment variables live, then boot back into u-boot. You should be able to execute a "Saveenv"

I reflashed my Flash and can now save environment variables OK. Must have been some corruption?