0

I'm looking at a crash dump. Some variables seem perfectly viewable in windbg, while others just say "memory access error". What causes this? Why do some variables have sensical values while others simply list ?

It appears that all the problems are associated with following pointers. I'm certain that while many of these pointers are uninitialized the vast majority of them should be pointing somewhere valid. Based on the nature of this crash (a simple null ptr dereference) I'm fairly certain the whole process hasn't gone out to lunch.

Doug T.
  • 64,223
  • 27
  • 138
  • 202

2 Answers2

2

Mini-dumps are fairly useless, they don't contain a snapshot of all in use memory. Instead, all they contain are some critical structures/lists (e.g. the loaded module list) and the contents of the crashing stack.

So, any pointer that you try to follow in the dump will just give you question marks. Grab a full memory dump instead and you'll be able to see what these buffers point to.

-scott

snoone
  • 5,409
  • 18
  • 19
  • that's what I suspected, but do you have a citation for this? – Doug T. Nov 07 '10 at 16:49
  • I couldn't find anything that nicely describes the differences in user mode, but here are the differences for the types in kernel mode: http://support.microsoft.com/kb/254649. In user mode, minidumps can have all kinds of info depending on the options used when writing it. Those are listed here: http://msdn.microsoft.com/en-us/library/ms680519(v=VS.85).aspx – snoone Nov 07 '10 at 18:59
  • 1
    Is there a way to know if its invalid because its not in the dump VS its just a junk pointer? – paulm Feb 05 '14 at 11:50
1

If they are local pointer variables, what is most likely happening is that the pointers are not initialized, or that stack location has been reused to contain another variable, that may not be a pointer. In both cases, the pointer value may point to a random, unreadable portion of memory.

Michael
  • 54,279
  • 5
  • 125
  • 144