winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

APPLICATION_FAULT_INVALID_POINTER_READ_processhacker!PhFindElementAvlTree+1f #325

Closed MagicAndre1981 closed 6 years ago

MagicAndre1981 commented 6 years ago

When viewing the Threads tab, ProcessHacker crashes:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

KEY_VALUES_STRING: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
    Name: <blank>
    Time: 2018-10-02T10:55:59.493Z
    Diff: 2506 mSec

Timeline: Dump.Current
    Name: <blank>
    Time: 2018-10-02T10:56:02.0Z
    Diff: 0 mSec

Timeline: Process.Start
    Name: <blank>
    Time: 2018-10-02T10:55:14.0Z
    Diff: 48000 mSec

Timeline: OS.Boot
    Name: <blank>
    Time: 2018-10-01T11:50:58.0Z
    Diff: 83104000 mSec

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
ntdll!LdrpValidateUserCallTargetBitMapCheck+0
76fb2a6b 8b1482          mov     edx,dword ptr [edx+eax*4]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 76fb2a6b (ntdll!LdrpValidateUserCallTargetBitMapCheck)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0391b7c0
Attempt to read from address 0391b7c0

FAULTING_THREAD:  000008c4

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  ProcessHacker.exe

FOLLOWUP_IP: 
ProcessHacker!PhFindElementAvlTree+1f [d:\processhacker\phlib\avltree.c @ 709]
009a648f ffd7            call    edi

READ_ADDRESS:  0391b7c0 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.

PROCESS_VER_PRODUCT:  Process Hacker

WATSON_BKT_MODULE:  ntdll.dll

WATSON_BKT_MODVER:  10.0.17763.1

MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

BUILD_VERSION_STRING:  17763.1.x86fre.rs5_release.180914-1434

ANALYSIS_VERSION: 10.0.17134.12 x86fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  DEU

PROBLEM_CLASSES: 

    ID:     [0n309]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x8c4]
    Frame:  [0] : ntdll!LdrpValidateUserCallTargetBitMapCheck

    ID:     [0n281]
    Type:   [INVALID_POINTER_READ]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x8c4]
    Frame:  [0] : ntdll!LdrpValidateUserCallTargetBitMapCheck

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 009a648f to 76fb2a6b

STACK_TEXT:  
094af7bc 009a648f 094af808 00440070 089e8bf0 ntdll!LdrpValidateUserCallTargetBitMapCheck
094af7d8 009835f0 089e8c0c 094af808 089e8bf0 ProcessHacker!PhFindElementAvlTree+0x1f
094af834 00966be2 089e8bf0 08ac15f8 76f10000 ProcessHacker!PhLoadModuleSymbolProvider+0x50
094af860 0098916d 094af888 094afac0 00000000 ProcessHacker!LoadBasicSymbolsEnumGenericModulesCallback+0x82
094af8c0 00986c3a 094af9a0 094afa7c 00000000 ProcessHacker!EnumGenericProcessModulesCallback+0x19d
094af91c 00986a59 ffffffff 094af9a0 02ae20e8 ProcessHacker!PhpEnumProcessModulesCallback+0x1ba
094afa48 0098976e 094afa70 ffffffff 08abfed0 ProcessHacker!PhpEnumProcessModules+0xf9
094afa94 00966c7e 00000c54 ffffffff 00000000 ProcessHacker!PhEnumGenericModules+0x15e
094afae0 00966e74 00a25f40 00000a80 00966e20 ProcessHacker!PhLoadSymbolsThreadProvider+0x8e
094afb24 009977ce 08a6dba0 00000000 00997550 ProcessHacker!PhpThreadQueryWorker+0x54
094afc68 009786b8 00a25f40 00978660 00978660 ProcessHacker!PhpWorkQueueThreadStart+0x27e
094afc80 7690e2f9 0445c070 7690e2e0 094afcec ProcessHacker!PhpBaseThreadStart+0x58
094afc90 76f727c7 0445c070 a699b1fa 00000000 KERNEL32!BaseThreadInitThunk+0x19
094afcec 76f7279b ffffffff 76fb2d82 00000000 ntdll!__RtlUserThreadStart+0x2b
094afcfc 00000000 00978660 0445c070 00000000 ntdll!_RtlUserThreadStart+0x1b

FAULTING_SOURCE_LINE:  d:\processhacker\phlib\avltree.c

FAULTING_SOURCE_FILE:  d:\processhacker\phlib\avltree.c

FAULTING_SOURCE_LINE_NUMBER:  709

FAULTING_SOURCE_CODE:  
    67:     }
    68: 
    69:     while (TRUE)
    70:     {
>   71:         result = Tree->CompareFunction(Element, links);
    72: 
    73:         if (result == 0)
    74:         {
    75:             *Result = 0;
    76:             return links;

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  processhacker!PhFindElementAvlTree+1f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ProcessHacker

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_ProcessHacker.exe!PhFindElementAvlTree

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_processhacker!PhFindElementAvlTree+1f

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  ProcessHacker.exe

BUCKET_ID_IMAGE_STR:  ProcessHacker.exe

FAILURE_MODULE_NAME:  ProcessHacker

BUCKET_ID_MODULE_STR:  ProcessHacker

FAILURE_FUNCTION_NAME:  PhFindElementAvlTree

BUCKET_ID_FUNCTION_STR:  PhFindElementAvlTree

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  ProcessHacker.exe!PhFindElementAvlTree

dmex commented 6 years ago

When viewing the Threads tab, ProcessHacker crashes:

I can't reproduce this.

LdrpValidateUserCallTargetBitMapCheck

This error report makes zero sense... My best guess is your machine is faulty (e.g. memory/cpu overclocking/current OS install).

MagicAndre1981 commented 6 years ago

No, it happens on different systems, no OC, nothing.

MagicAndre1981 commented 6 years ago

I used sfc and DISM to check for corrupted files and all system files are fine. I'll check it again when the first cumulative update for 1809 is out.

dmex commented 6 years ago

@MagicAndre1981

BUILD_VERSION_STRING: 17763.1.x86fre

I don't use 32bit and didn't have any VMs setup for 32bit debugging which is why I wasn't able to reproduce the crash :|

The 3rd parameter for SymRegisterCallbackW64 was incorrect (a mistake that I made a few weeks ago) which triggered CFG when calling PhLoadModuleSymbolProvider... I still don't know why your dump says it's caused by PhFindElementAvlTree but at least I was able to find the actual bug 👍
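
dmex traces the crash to a wrong argument that tripped CFG's indirect-call check. As an added illustration (not Process Hacker's code), this portable C simulates that check around a tree lookup shaped like PhFindElementAvlTree's: a lookup through a registered compare callback succeeds, while a bogus pointer is rejected before it is ever called. The allowlist table and the names `cfg_register_target`, `cfg_is_valid_target`, `avl_find_checked` and `run_demo` are assumptions standing in for the loader's real bitmap.

```c
#include <stddef.h>
/* Compare callback type, mirroring the Tree->CompareFunction indirect call
 * at avltree.c line 71 in the dump above. */
typedef int (*COMPARE_FN)(const void *key, const void *node);
typedef struct NODE { int value; struct NODE *left, *right; } NODE;
typedef struct { NODE *root; COMPARE_FN compare; } TREE;
/* Assumed stand-in for the CFG bitmap: an explicit allowlist of registered
 * call targets (real CFG consults a loader-maintained per-process bitmap). */
#define MAX_TARGETS 8
static COMPARE_FN g_valid_targets[MAX_TARGETS];
static size_t g_target_count;
void cfg_register_target(COMPARE_FN fn) {
    if (g_target_count < MAX_TARGETS) g_valid_targets[g_target_count++] = fn;
}

/* Emulates LdrpValidateUserCallTarget: is this pointer a known function? */
int cfg_is_valid_target(COMPARE_FN fn) {
    for (size_t i = 0; i < g_target_count; i++)
        if (g_valid_targets[i] == fn) return 1;
    return 0;
}

enum { FIND_NOT_FOUND = 0, FIND_FOUND = 1, FIND_CFG_VIOLATION = -1 };
/* Lookup that refuses to dispatch through an unregistered pointer (CFG would fast-fail here). */
int avl_find_checked(const TREE *tree, const void *key, NODE **out) {
    if (!cfg_is_valid_target(tree->compare)) return FIND_CFG_VIOLATION;
    for (NODE *n = tree->root; n != NULL; ) {
        int r = tree->compare(key, n);   /* the guarded indirect call */
        if (r == 0) { if (out) *out = n; return FIND_FOUND; }
        n = (r < 0) ? n->left : n->right;
    }
    return FIND_NOT_FOUND;
}

int compare_int(const void *key, const void *node) {
    int k = *(const int *)key, v = ((const NODE *)node)->value;
    return (k > v) - (k < v);
}
/* Three scenarios; returns how many behaved as expected (3 = all of them). */
int run_demo(void) {
    NODE a = {5, NULL, NULL}, b = {20, NULL, NULL}, root = {10, &a, &b};
    TREE ok = { &root, compare_int };
    TREE bad = { &root, (COMPARE_FN)(size_t)0x1234 }; /* constructed bogus target */
    int key = 20, miss = 7, passed = 0; NODE *hit = NULL;
    cfg_register_target(compare_int);
    passed += avl_find_checked(&ok, &key, &hit) == FIND_FOUND && hit == &b;
    passed += avl_find_checked(&ok, &miss, NULL) == FIND_NOT_FOUND;
    passed += avl_find_checked(&bad, &key, NULL) == FIND_CFG_VIOLATION;
    return passed;
}
```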

MagicAndre1981 commented 6 years ago

While searching for LdrpValidateUserCallTargetBitMapCheck I also saw reports for security issues and CFG.

I did not get a dump, because of your new exception handler. I loaded the exe in WinDbg, started it, and at the crash I called !analyze -v.

I compiled the latest code; now ProcessHacker no longer crashes, but it doesn't load any symbols (only the 32Bit version on the Baytrail tablet, which is 32Bit only, so there I need the 32Bit ProcessHacker; on my Windows 8.1 laptop the 64Bit version downloads symbols fine).

MagicAndre1981 commented 6 years ago

@dmex

OK, after copying dbghelp.dll, symsrv.dll and symsrv.yes I get symbols. So PH doesn't find the debugger.

Here are the values of my 32Bit Tablet/Win10 - 1809:

(screenshot)

MagicAndre1981 commented 6 years ago

commit https://github.com/processhacker/processhacker/commit/ac3325a7a5c703dfa6ee6233cae4b2375a069fab fixed it

dmex commented 6 years ago

I did not get a dump, because of your new exception handler.

It was necessary to add a crash dialog because some 'security' software was injecting code (and crashing due to new Win10 mitigation policies) which caused PH to exit silently without any explanation.

I'm going to add minidump generation to the crash dialog and an option to automatically report the crash sometime soon 😃

commit ac3325a fixed it

Thanks 👍