Question about SOFTWARE_NX_FAULT?
I ran into a very strange problem, possibly related to Windows' NX mechanism.
Details below. Experts, please lend a hand~~~ Help me
System environment:
Windows 2003 (NX is enabled by default on 2003)
SQL Server 2000
After the software crashed, a dmp was produced.
I loaded the dmp into windbg for analysis.
It reports:
c0000005(Access violation)
Attempt to execute non-executable address 00886169
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT
EIP指向 00886169 8b4c2404 mov ecx,dword ptr [esp+4]
My analysis went as follows:
1. SOFTWARE_NX_FAULT: I looked up the meaning of this identifier; it seems this error can only be produced when the NX mechanism is violated (code executed in a non-code segment). But EIP clearly points into a code segment, as shown below:
Context:
eax=00000001 ebx=00000000 ecx=02befd28 edx=02befca4 esi=01692c48 edi=0012f758
eip=00886169 esp=02befbe4 ebp=02befcb8 iopl=0 nv up ei pl zr na pe nc
Modules:
start end module name
00880000 00984000 mfc71u (private pdb symbols)
So 00886169 is definitely in a code segment.
2. Attempt to execute non-executable address 00886169
According to windbg's message, the non-executable address 0x00886169 was executed, so I checked the page attributes of that address:
0:007> !address 0x00886169
00880000 : 00881000 - 000dc000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\system32\mfc71u.dll
The page's protection is PAGE_EXECUTE_READ, so it is executable.
Very contradictory...
3.00886169 8b4c2404 mov ecx,dword ptr [esp+4]
If esp+4 pointed to some bogus address, that could also produce this kind of error.
0:007> !address esp+4
02af0000 : 02bed000 - 00003000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageStack
Pid.Tid 528.614
That is normal as well...
Originally I suspected it was a problem with NX being enabled, but the symptoms differ from what NX normally produces.
In the examples I saw online, the address EIP points to becomes non-executable because of NX.
This problem has bothered me for a long time; I have spent a great deal of time and effort on it without solving it.
I hope to get everyone's help..
Below are windbg's analysis results:
0:007> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
FAULTING_IP:
mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0 [f:\vs70builds\6030\vc\mfcatl\ship\atlmfc\include\cstringt.h @ 1795]
00886169 8b4c2404 mov ecx,dword ptr [esp+4]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00886169 (mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00886169
Attempt to execute non-executable address 00886169
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT
PROCESS_NAME: DocSystem.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"
WRITE_ADDRESS: 00886169
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
LAST_CONTROL_TRANSFER: from 013ca90c to 00886169
STACK_TEXT:
02befbe0 013ca90c 02befca4 013dfa68 00000008 mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format [f:\vs70builds\6030\vc\mfcatl\ship\atlmfc\include\cstringt.h @ 1795]
02befcb8 013b8df0 01692c68 016965f0 02befd28 DataBaseSystem!CPto_Bussiness::CPto_TimeOutSearch+0x8c [e:\workspace\数据库模块\databasesystem\tables\pto_bussiness.cpp @ 39]
02befcec 013ba825 00004844 00000000 02befd28 DataBaseSystem!CDBSQLSERVER::DBSqlServer_IBussinessWork+0xbc0 [e:\workspace\数据库模块\databasesystem\innerclass\dbsqlserver.cpp @ 517]
02befd00 004312a2 00004844 00000000 02befd28 DataBaseSystem!DBSystem_IBussinessWork+0x35 [e:\workspace\数据库模块\databasesystem\interface\dbinterface.cpp @ 138]
WARNING: Stack unwind information not available. Following frames may be wrong.
02befd10 0012f758 004308d0 02beffec 01696a38 DocSystem+0x312a2
02befd28 009633b0 00000000 009633b0 009633b0 0x12f758
02befd2c 00000000 009633b0 009633b0 009633b0 mfc71u!afxStringManager+0x14
STACK_COMMAND: ~7s; .ecxr ; kb
FAULTING_THREAD: 00000614
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_SOFTWARE_NX_FAULT_FALSE_POSITIVE
FOLLOWUP_IP:
mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0 [f:\vs70builds\6030\vc\mfcatl\ship\atlmfc\include\cstringt.h @ 1795]
00886169 8b4c2404 mov ecx,dword ptr [esp+4]
FAULTING_SOURCE_CODE:
No source found for 'f:\vs70builds\6030\vc\mfcatl\ship\atlmfc\include\cstringt.h'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mfc71u
IMAGE_NAME: mfc71u.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 44b45834
FAILURE_BUCKET_ID: mfc71u.dll!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format_c000
BUCKET_ID: APPLICATION_FAULT_SOFTWARE_NX_FAULT_SOFTWARE_NX_FAULT_FALSE_POSITIVE_mfc71u!ATL::CStringT_wchar_t,StrTraitMFC_DLL_wchar_t,ATL::ChTraitsCRT_wchar_t_____::Format+0
Followup: MachineOwner
---------
0:007> .ecxr
eax=00000001 ebx=00000000 ecx=02befd28 edx=02befca4 esi=01692c48 edi=0012f758
eip=00886169 esp=02befbe4 ebp=02befcb8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
mfc71u!ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t> > >::Format:
00886169 8b4c2404 mov ecx,dword ptr [esp+4] ss:0023:02befbe8=02befca4
Also, both the MFC71U and MFC71 DLLs are loaded among the modules; I don't know whether that is related.
00880000 00984000 mfc71u (private pdb symbols)
7c140000 7c243000 mfc71 (deferred)
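The check the poster performed by hand in steps 1 and 2 (read the exception record, then compare it with the protection of the page it names) can be scripted for triage. The Python below is an added example, not part of the original post or of windbg: it parses the `.exr` record and a `!address` region dump, decodes `Parameter[0]` (0 = read, 1 = write, 8 = execute/DEP fault, per the documented EXCEPTION_RECORD layout) and the `Protect`/`State` bits, and reports whether an execute fault is consistent with the page's protection. The first sample is the record and region quoted in the post; the second is a constructed textbook NX fault on a read/write stack page, with made-up addresses, so the two verdicts can be compared.

```python
import re

# Constants from winnt.h. ExceptionInformation[0] of a STATUS_ACCESS_VIOLATION
# record encodes the operation: 0 = read, 1 = write, 8 = execute (DEP/NX).
STATUS_ACCESS_VIOLATION = 0xC0000005
AV_OPERATION = {0: "read", 1: "write", 8: "execute"}

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
MEM_COMMIT = 0x1000


def parse_exception_record(text):
    """Pull code, address and parameters out of a .exr / !analyze record."""
    code = int(re.search(r"ExceptionCode:\s*([0-9a-fA-F]+)", text).group(1), 16)
    address = int(re.search(r"ExceptionAddress:\s*([0-9a-fA-F]+)", text).group(1), 16)
    params = [int(p, 16) for p in re.findall(r"Parameter\[\d+\]:\s*([0-9a-fA-F]+)", text)]
    return {"code": code, "address": address, "params": params}


def parse_address_region(text):
    """Pull the Type/Protect/State values out of a '!address' region dump."""
    region = {}
    for key in ("Type", "Protect", "State"):
        m = re.search(rf"^\s*{key}\s+([0-9a-fA-F]+)", text, re.MULTILINE)
        region[key.lower()] = int(m.group(1), 16)
    return region


def classify_access_violation(exr_text, address_text):
    """Cross-check an access violation against the page it names.

    verdict is 'genuine_nx' (execute fault on a page that is not committed and
    executable), 'contradictory' (execute fault, yet the page is committed and
    PAGE_EXECUTE*) or 'data_access' (plain read/write fault, not an NX question).
    """
    exr = parse_exception_record(exr_text)
    if exr["code"] != STATUS_ACCESS_VIOLATION:
        raise ValueError("not an access violation: 0x%08x" % exr["code"])
    op_code, fault_addr = exr["params"][0], exr["params"][1]
    region = parse_address_region(address_text)

    protect = region["protect"] & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifiers
    executable = bool(protect & EXECUTABLE_MASK)
    committed = bool(region["state"] & MEM_COMMIT)

    if op_code == 8:
        verdict = "contradictory" if (executable and committed) else "genuine_nx"
    else:
        verdict = "data_access"

    return {
        "operation": AV_OPERATION.get(op_code, "unknown"),
        "fault_address": fault_addr,
        "fault_at_eip": fault_addr == exr["address"],  # true for DEP faults
        "protect": PAGE_PROTECT.get(protect, "0x%x" % protect),
        "executable": executable,
        "committed": committed,
        "verdict": verdict,
    }


# Exception record and !address region exactly as quoted in the post above.
POST_EXR = """\
ExceptionAddress: 00886169 (mfc71u!ATL::CStringT<...>::Format)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00886169
"""
POST_ADDRESS = """\
00880000 : 00881000 - 000dc000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
"""

# Constructed sample (addresses made up): a textbook NX fault, EIP sitting on a
# committed PAGE_READWRITE stack page.
STACK_NX_EXR = """\
ExceptionAddress: 02befc10
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 02befc10
"""
STACK_NX_ADDRESS = """\
02af0000 : 02bed000 - 00003000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageStack
"""

if __name__ == "__main__":
    print("post:", classify_access_violation(POST_EXR, POST_ADDRESS))
    print("constructed:", classify_access_violation(STACK_NX_EXR, STACK_NX_ADDRESS))
```

For the post's own data the script reports an execute-type fault (`Parameter[0]` = 8) at EIP on a committed `PAGE_EXECUTE_READ` page and returns `contradictory`, which is the same inconsistency the poster found and the reason windbg's bucket string carries `FALSE_POSITIVE`; the constructed stack sample returns `genuine_nx`. The script only surfaces the contradiction, it does not explain its cause.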