Compartir a través de


Just another crash

If you are following this blog for a long time you probably know about my previous posts related to ISA or TMG crashing and about the fact that 95% of the time is not an issue caused by ISA/TMG. Well, this is just another crash where the first blame goes to ISA/TMG, in this particular case, ISA. The first argument is: is ISA that is triggering the error on event viewer. True statement as we see below:

Event Type: Error
Event Source: Microsoft ISA Server 2006
Event Category: None
Event ID: 1000
Time: 17:31:40
User: N/A
Description:
Faulting application wspsrv.exe, version 5.0.5723.516, stamp 4a880d39,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x1078b242.

Still doesn't mean that it’s an ISA issue though, but I’m okay of looking for help with ISA folks first, it’s normal. If there is a crash we should also have a dump and if we don’t, use DebugDiag (the  newer version that I showed yesterday) to attach to the crashed process and get the dump. Let’s see the dump for this particular scenario:

FAULTING_IP:
AkrFiltr+b992
1203b992 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 1203b992 (<Unloaded_AkrFiltr.dll>+0x0000b992)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1203b992
Attempt to read from address 1203b992

PROCESS_NAME: wspsrv.exe

FAULTING_MODULE: 7c800000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 48ebaac7
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory
at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 1203b992
READ_ADDRESS: 1203b992

FOLLOWUP_IP:
AkrFiltr+b992
1203b992 ?? ???
FAULTING_THREAD: 00000fb0
BUGCHECK_STR:
APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER: from 00000000 to 1203b992

STACK_TEXT:
123ffc9c 00000000 1204109a 123ffd04 120d2110 <Unloaded_AkrFiltr.dll>+0xb992

FAILED_INSTRUCTION_ADDRESS:
AkrFiltr+b992
1203b992 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: AkrFiltr+b992
FOLLOWUP_NAME: MachineOwner

MODULE_NAME: AkrFiltr

IMAGE_NAME: AkrFiltr.dll
STACK_COMMAND: ~40s; .ecxr ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_AkrFiltr.dll!Unloaded
Followup: MachineOwner

 

This is a pretty straight forward stack and as a matter of fact a pretty straight forward dump. This module was causing the service to crash due an access violation (c0000005), as a result the whole process was going down. The solution was provided by the third party vendor owner of this module (an update).

For more references about crashes on ISA Server also see:

Comments