Prerequisite: Understanding what __purecall means.

I was asked to help diagnose an issue in which a program managed to stumble into the __purecall function.

XYZ!_purecall:
00a14509 a100000000 mov eax,dword ptr ds:[00000000h] ds:0023:00000000=????????

The stack at the point of failure looked like this:

XYZ!_purecall
XYZ!CViewFrame::SetFrame+0x14d
XYZ!CViewFrame::SetPresentation+0x355
XYZ!CViewFrame::BeginView+0x1fe

The line at XYZ!CViewFrame::SetFrame that called the mystic __purecall was a simple AddRef:

pSomething->AddRef(); // crashes in __purecall

From what we know of __purecall, this means that somebody called into a virtual method on a derived class after the derived class's destructor has run. Okay, well, let's see if we can find the object in question. Since the method being called is a COM method, the __stdcall calling convention applies, which means that the this pointer is on the stack.

0:023> dd esp+4 l1
0529f76c  06a88d58

Using our knowledge of the layout of a COM object, we can navigate through memory to find the vtable.

Read more: The old new thing
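As an added illustration (not code from the original post), the following C++ program records the vtable pointer of a COM-style object at construction, inside the derived destructor and inside the base destructor, to show why a stray AddRef that reaches the object during or after destruction lands in the pure-virtual handler. The class names, the VptrTrace record and the vtable_of helper are assumptions; reading the first word of the object relies on the same object layout the walkthrough uses.

```cpp
#include <cstring>

// Records the vtable pointer observed at three points in an object's lifetime.
struct VptrTrace {
    const void* at_construction = nullptr;
    const void* in_derived_dtor = nullptr;
    const void* in_base_dtor    = nullptr;
};

// Read the first word of a polymorphic object, which on MSVC, GCC and Clang
// holds the vtable pointer (the same layout the debugger walkthrough relies on).
// memcpy avoids aliasing problems and keeps the read visible to the compiler.
static const void* vtable_of(const void* object) {
    const void* vptr = nullptr;
    std::memcpy(&vptr, object, sizeof vptr);
    return vptr;
}

// Hypothetical COM-style interface: AddRef is pure virtual, so Base's own
// vtable slot for it is the pure-virtual handler (__purecall on MSVC).
struct Base {
    VptrTrace* trace;
    explicit Base(VptrTrace* t) : trace(t) {}
    virtual unsigned long AddRef() = 0;
    virtual ~Base() {
        // By the time the base destructor runs, the vptr has already been
        // switched from Derived's vtable to Base's. A call to AddRef() here,
        // or from another thread holding a stale pointer to this object,
        // would dispatch through that slot and end up in the pure-virtual handler.
        trace->in_base_dtor = vtable_of(this);
    }
};

struct Derived : Base {
    unsigned long refs = 1;
    explicit Derived(VptrTrace* t) : Base(t) {}
    unsigned long AddRef() override { return ++refs; }
    ~Derived() override { trace->in_derived_dtor = vtable_of(this); }
};

// Construct and destroy a Derived, capturing the vptr at each stage.
VptrTrace run_trace() {
    VptrTrace t;
    {
        Derived d(&t);
        t.at_construction = vtable_of(&d);
    }
    return t;
}
```

The vptr seen in the base destructor differs from the one seen at construction and in the derived destructor, which is exactly the state a debugger finds when it follows the this pointer from the stack to the vtable after a __purecall crash.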