Possible wrong callstack with KERNELBASE!_EH4_GlobalUnwind

[derekbruening]

From zhao...@google.com on November 15, 2013 17:01:42

Some callstack has KERNELBASE!_EH4_GlobalUnwind

0 system call NtGdiSelectBitmap ^M

1 GDI32.dll!SelectObject^M

2 USER32.dll!BitmapFromDIB^M

3 USER32.dll!ConvertDIBBitmap^M

4 USER32.dll!CopyBmp ^M

5 USER32.dll!CopyIcoCur^M

6 USER32.dll!InternalCopyImage^M

7 USER32.dll!__ClientCopyImage^M

8 KERNELBASE.dll!_EH4_GlobalUnwind^M

9 USER32.dll!VerNtUserCreateWindowEx^M

10 USER32.dll!_CreateWindowEx^M

11 USER32.dll!CreateWindowExW^M

12 USER32.dll!CreateIMEUI^M

The KERNELBASE.dll!_EH4_GlobalUnwind is likely to be wrong. From the asm code KERNELBASE!_EH4_GlobalUnwind: 755b72da 55 push ebp 755b72db 8bec mov ebp,esp 755b72dd 53 push ebx 755b72de 56 push esi 755b72df 57 push edi 755b72e0 6a00 push 0x0 755b72e2 6a00 push 0x0 755b72e4 68ef725b75 push 0x755b72ef 755b72e9 51 push ecx 755b72ea e891020000 call KERNELBASE!RtlUnwind (755b7580) 755b72ef 5f pop edi 755b72f0 5e pop esi 755b72f1 5b pop ebx 755b72f2 5d pop ebp 755b72f3 c3 ret It may caused by this "push 0x755b72ef".

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1385

[derekbruening]

From zhao...@google.com on November 15, 2013 14:04:59

Another example: kernel32!_EH4_GlobalUnwind: 753dd7a2 55 push ebp 753dd7a3 8bec mov ebp,esp 753dd7a5 53 push ebx 753dd7a6 56 push esi 753dd7a7 57 push edi 753dd7a8 6a00 push 0x0 753dd7aa 6a00 push 0x0 753dd7ac 68b7d73d75 push 0x753dd7b7 753dd7b1 51 push ecx 753dd7b2 e823690700 call kernel32!RtlUnwind (754540da) 753dd7b7 5f pop edi 753dd7b8 5e pop esi 753dd7b9 5b pop ebx 753dd7ba 5d pop ebp 753dd7bb c3 ret

[derekbruening]

From zhao...@google.com on November 15, 2013 14:17:10

For such kind of thing, maybe we can find the code patter something like: push ret_addr push ecx call ret_addr: pop edi maintain a list of ret_addr, and tell the callstack component to ignore those ret_addr?