Where was the exception raised?

delphi package - automated exception handling
Post Reply
2BrightSparks
Posts: 28
Joined: Mon Jan 03, 2005 3:03 pm
Contact:

Where was the exception raised?

Post by 2BrightSparks »

Hi, can anyone tell me where the exception was raised in the following, thanks:

date/time : 2005-10-15, 20:23:17, 593ms
computer name : xxx
user name : mainuser <admin>
operating system : Windows XP Service Pack 2 build 2600
system language : English
system up time : 11 hours 36 minutes
program up time : 2 minutes 41 seconds
processors : 2x Intel(R) Pentium(R) 4 CPU 3.00GHz
physical memory : 565/1014 MB (free/total)
free disk space : (C:) 57.42 GB
display mode : 1024x768, 32 bit
process id : $16c
allocated memory : 28.26 MB
executable : xxx.exe
exec. date/time : 2005-09-05 16:21
version : 1.0.0.0
madExcept version : 3.0
callstack crc : $02bf1a6d, $f74e1f9f, $f1a05ef0
exception class : EAccessViolation
exception message : Access violation at address 02BF1A6D. Read of address 02BF1A6D.

thread $dec:
02bf1a6d ???
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $484 at:
02bf1b9a ???

Main ($41c):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
00431bed xxx.exe madExcept PauseMeEventually
0044c4b7 xxx.exe madExcept PeekMessageCallbackA
004d221b xxx.exe Forms TApplication.ProcessMessage
004d22c2 xxx.exe Forms TApplication.HandleMessage
004d24f2 xxx.exe Forms TApplication.Run
006b0bd7 xxx.exe xxx 113 initialization

thread $150 (TWorkerThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
005b6e59 xxx.exe VirtualTrees 5172 TWorkerThread.Execute
0044bc9b xxx.exe madExcept HookedTThreadExecute
00470d5c xxx.exe Classes ThreadProc
00405020 xxx.exe System ThreadWrapper
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by Main ($41c) at:
005b6d7a xxx.exe VirtualTrees 5131 TWorkerThread.Create

thread $788:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
02c3739a cwe001.dll ??0cfwCMutex@@QAE@PAD_N@Z
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $484 at:
02c3c9ca cwe001.dll

thread $52c:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9a9 ntdll.dll NtWaitForMultipleObjects
7c8094ec kernel32.dll WaitForMultipleObjectsEx
77d495f3 user32.dll MsgWaitForMultipleObjectsEx
77d496a3 user32.dll MsgWaitForMultipleObjects
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b11275a msjet40.dll

thread $620: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b003481 msjet40.dll

thread $bbc: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b003481 msjet40.dll

thread $754: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b003481 msjet40.dll

thread $4e8: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b28c778 msrd3x40.dll

thread $394: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b28c778 msrd3x40.dll

thread $390: <priority:1>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $ebc at:
1b28c778 msrd3x40.dll

Computer_backup ($14c):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e58f ntdll.dll NtSetEventBoostPriority
00404523 xxx.exe System @AfterConstruction
005a719b xxx.exe Masks TMask.Create
005eca16 xxx.exe TreeScan 873 TNormalTreeScanner.ScanDirectory
005ec1f5 xxx.exe TreeScan 701 TNormalTreeScanner.ScanTree
006504e9 xxx.exe ProfileEngine 2045 TRunProfile.Scan
0065005d xxx.exe ProfileEngine 1935 TRunProfile.ScanSourceDest
0064f03f xxx.exe ProfileEngine 1702 TRunProfile.RunTheProfile
0064cc69 xxx.exe ProfileEngine 1159 TRunProfile.Execute
0044bc9b xxx.exe madExcept HookedTThreadExecute
00470d5c xxx.exe Classes ThreadProc
00405020 xxx.exe System ThreadWrapper
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by Main ($41c) at:
0064a0eb xxx.exe ProfileEngine 533 TRunProfile.Create
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

That's a bit strange. There's a secondary thread which crashed:

"Access violation at address 02BF1A6D. Read of address 02BF1A6D.

thread $dec:
02bf1a6d ???
0044bbea xxx.exe madExcept ThreadExceptFrame
>> created by thread $484 at:
02bf1b9a ???"

The strange thing is that this thread was evidently created by code which isn't part of any module. Also the thread code itself seems to be gone in the meanwhile.

It looks to me like this:

(1) Either someone tried to do some remote thread stuff on your process but failed miserably (spyware, virus?).

(2) Or your process had loaded a dll or package at address 02bxxxxx, which created a thread and then was unloaded before the thread was through.

Please check whether you have any dlls or packages which you load/unload at runtime, which might be loaded at 02bxxxxx. If you have, please make sure that you kill all running secondary threads created by those dlls/pckages before you unload them.
2BrightSparks
Posts: 28
Joined: Mon Jan 03, 2005 3:03 pm
Contact:

Post by 2BrightSparks »

I thought it looked a bit strange. No external DLL's were being used at the point it crashed (there is a COM object but that wasn't being used, although it may have been created before). The user hasn't reported it happening again.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

2BrightSparks wrote:I thought it looked a bit strange. No external DLL's were being used at the point it crashed (there is a COM object but that wasn't being used, although it may have been created before). The user hasn't reported it happening again.
Were external DLLs used before it crashed? If yes, at what address to they normally load?
2BrightSparks
Posts: 28
Joined: Mon Jan 03, 2005 3:03 pm
Contact:

Post by 2BrightSparks »

Hi, no external DLL's were loaded before it crashed. The program only has one external DLL (apart from the COM object), but that wasn't loaded at the time.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I think you misunderstood me. Was this DLL loaded (and unloaded!) before the exception occurred? Or can you guarantee that this DLL was never yet loaded by your program when the crash occurred?
2BrightSparks
Posts: 28
Joined: Mon Jan 03, 2005 3:03 pm
Contact:

Post by 2BrightSparks »

Hi, I cannot absolutely guarantee that no DLL was loaded and unloaded before it crashed.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Which DLL might have been loaded and unloaded? Is there one which might be loaded at address 02Bxxxxx? Does that DLL create secondary threads?
2BrightSparks
Posts: 28
Joined: Mon Jan 03, 2005 3:03 pm
Contact:

Post by 2BrightSparks »

How do you check which address a DLL is loaded at? The only non-COM DLL is loaded via LoadLibrary.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

The return value of LoadLibrary is the address at which the dll was loaded. Use IntToHex(LoadLibrary) or IntToHex(GetModuleHandle).
Post Reply