3

My application is crashing frequently after updating .Net frame work. Below is the application event log found in event viewer,

Faulting application name: MyApp.exe, version: Version of my App, time stamp: 0x5885f545 Faulting module name: ntdll.dll, version: 6.1.7601.23677, time stamp: 0x589c957a Exception code: 0xc015000f Fault offset: 0x00084269 Faulting process id: 0x%9 Faulting application start time: 0x%10 Faulting application path: %11 Faulting module path: %12 Report Id: %13 Faulting package full name: %14 Faulting package-relative application ID: %15

Also below error also found in event logs,

Application: MyApp.exe .Net Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception. Exception Info: exception code c015000f, exception address 77994269

For me looks like there is a compatibility issue between ntdll.dll and .Net version. Is there any KB needs to be installed along with .Net 4.0.30319?

I am analysing crash dump, It shows below call stack,

0 0042eb84 7566171a ntdll!NtWaitForMultipleObjects+0x15
01 0042ec20 75551a08 KERNELBASE!WaitForMultipleObjectsEx+0x100
02 0042ec68 75554200 kernel32!WaitForMultipleObjectsExImplementation+0xe0
03 0042ec84 755780ec kernel32!WaitForMultipleObjects+0x18
04 0042ecf0 75577fab kernel32!WerpReportFaultInternal+0x186
05 0042ed04 755778a0 kernel32!WerpReportFault+0x70
06 0042ed14 7557781f kernel32!BasepReportFault+0x20
07 0042eda0 77395b67 kernel32!UnhandledExceptionFilter+0x1af
08 0042eda8 77395a44 ntdll!__RtlUserThreadStart+0x62
09 0042edbc 773958d1 ntdll!_EH4_CallFilterFunc+0x12
0a 0042ede4 773834c9 ntdll!_except_handler4+0x8e
0b 0042ee08 7738349b ntdll!ExecuteHandler2+0x26
0c 0042ee2c 7738343c ntdll!ExecuteHandler+0x24
0d 0042eeb8 77330143 ntdll!RtlDispatchException+0x127
0e 0042eeb8 773a41c9 ntdll!KiUserExceptionDispatcher+0xf
0f 0042f3e0 7555544c ntdll!RtlDeactivateActivationContext+0x154
10 0042f3f0 055e70ce kernel32!DeactivateActCtx+0x31
11 0042f434 013e1fd1 mydll!Mydll::Function+0x8e

The issue is with Windows 2008. In one of the machine which has same .Net version and ntdll.dll version 6.1.7601.17514, the application works fine.

But only with ntdll.dll version 6.1.7601.23677 the application crashes.

srajeshnkl
  • 883
  • 3
  • 16
  • 49
  • 1
    Ensure at least that you've installed .NET 4.5.2; 4, 4.5 and 4.5.1 are no longer supported. [See also](https://blogs.msdn.microsoft.com/dotnet/2015/12/09/support-ending-for-the-net-framework-4-4-5-and-4-5-1/). Beyond that, you'll need someone with a debugger and patience (or a reinstall). `c015000f` is `STATUS_SXS_EARLY_DEACTIVATION`, which suggests a problem with side-by-side assemblies, but that's really not much help on its own in resolving things. – Jeroen Mostert Feb 12 '18 at 11:17
  • 1
    Does myapp.exe have dependencies other than .NET framework? If yes, is it then from managed or unmanaged code? – Azaz ul Haq Feb 12 '18 at 11:27
  • 1
    @AzazulHaq MyApp.exe has depencies with managed and unmanaged both. I have also updated call stack in the question – srajeshnkl Feb 12 '18 at 11:36
  • 1
    The stack confirms that it is indeed `DeactivateActCtx` throwing a `STATUS_SXS_EARLY_DEACTIVATION` exception that's ultimately the problem. The fact that it works on another (version of the) OS does not preclude the possibility that `mydll` contains a bug. – Jeroen Mostert Feb 12 '18 at 11:44
  • 1
    @JeroenMostert : Thanks. My actual question is to check is there any issue due to the ntdll.dll version change? since it's working fine in another machine, I don't want to do any code change rather I need to identify what causes the issue on particular machine? – srajeshnkl Feb 12 '18 at 11:49
  • 1
    2008 R2 is out of support. If installing all the latest available updates doesn't fix it, no other update will. If you want it to "just work", simply don't upgrade. If you want to understand *why* it doesn't work, get someone with experience debugging unmanaged code to get their hands dirty. You may want to try the code on a later version of Windows (Server 2016 or W10). If it occurs there you have strong proof that the code itself is at fault and you can stop hunting around for KBs; if it doesn't you at least have impetus for upgrading. – Jeroen Mostert Feb 12 '18 at 12:00
  • 1
    @JeroenMostert Thanks for your prompt reply. It gives me a picture about 2008 is out of support. Yes the code works in later windows versions win 2016 or 10. So I am interested to know which KB caused the issue. If any microsoft article or link which talks about the issue would be helpful in my case. – srajeshnkl Feb 12 '18 at 12:09
  • 3
    There are 6 years worth of updates between 6.1.7601.17514 (which is vanilla 2008 R2 SP1) and 6.1.7601.23677. The chance that any single one of those has a note attached saying "may cause crashes involving side-by-side versioning" is, let's say not good. I hope you get an answer, but I'm skeptical. – Jeroen Mostert Feb 12 '18 at 12:26
  • 1
    @JeroenMostert Thanks. I got the answer. I am in place of resolving the issue, so I wanted to know is there any document or link from Microsoft which says this. so that I can uninstall and check particular update. – srajeshnkl Feb 13 '18 at 03:58
  • If you want to diagnose more, try to get the proper PDBs (including your mydll PDB), but also Microsoft ones. The stackframe as it is is almost useless. – Simon Mourier Feb 13 '18 at 07:33
  • 3
    you call `ActivateActCtx(*, &cookie1);` after this you or somedy else call `ActivateActCtx(*, &cookie2);` and then you call `DeactivateActCtx(0, cookie1);` **before** `DeactivateActCtx(0, cookie2);`. error absolute not related to `ntdll` – RbMm Feb 14 '18 at 10:31

1 Answers1

0

I faced a similar issue loading a managed .NET dll from an unmanaged cpp application.

I found out that .NET exceptions, even if they are catched, could crash the application. It seems that building the host application with the /CETCOMPAT (CET Shadow Stack compatible) flag enabled caused the issue.

In short (more details): Catching exceptions leads to a change of the stack which is detected as a violation and causes a termination of the process.

Fruchtzwerg
  • 10,999
  • 12
  • 40
  • 49