次の方法で共有


What is a C0000005 crash?

In my blog about Dr. Watson I talked about product crashes. What is an example of a crash? How destructive is it?

Here’s a simple example. MyFunction takes a string parameter and calculates its length

MyFunction (char * StringParam) {

         

          int nlen; // declare an integer variable

          nlen = strlen(StringParam);

          <more code>

}

Doesn’t look like there’s a bug does it?

But there’s a potential bug: the strlen function in the C Standard Library counts the bytes in the string before finding a zero (null) byte. If the string does not have a null byte, then the strlen function will be accessing memory beyond the string buffer looking for a null byte.

This is called a Buffer Overrun error. If the memory accessed beyond the string is not allocated to the process, then a C0000005 exception (Access Violation) will result. If this exception is unhandled by the process, then the ‘unhandled exception handler” of the OS will be invoked. This is typically Dr. Watson. (However, the memory may be legitimately accessed, but may be overwritten by a virus that takes advantage of a buffer overrun on a strcpy Standard Library function).

If you have Visual Studio installed, you can look at the file PlatformSDK\include\ntstatus.h to find some of the various kinds of exceptions:

// MessageId: STATUS_ACCESS_VIOLATION

//

// MessageText:

//

// The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

//

#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005L) // winnt

In the old days of Win3.11, there was no memory protection enforcement: Accessing any memory in the process address space was fair game. strlen would just cruise merrily through the process memory, even through non-owned memory, until it found a null byte. Thus, old code may run fine on old OS’s, but when run on a new OS, it might crash.

The C Standard Library (also known as the runtime library) is not part of the C language, but it is assumed by all C development environments (particularly the linker) to be available. Microsoft’s versions have “MSVCRT” in their names. When the string functions were defined, the strings were assumed to be character arrays with a terminating null byte. This implies possible buffer overruns, as well as that no strings can have embedded nulls (like binary data).

The C++ language has just as much accessibility to the C Standard library, although string classes and objects can be used. Thus buffer overruns are still around. Most processes that run on your computer today are primarily written in C or C++.

Using managed code in .NET, a string is an object that has a length property. No null terminating byte is assumed.

What are the consequences of a crash? If it occurs in a User mode application, then that process is no longer running, but all other running processes on the machine are still valid. If it occurs in a kernel mode application, such as a device driver, all bets are off because the erroneous code had much higher access rights to the machine than a user mode program.

Except for video driver crashes, I haven’t rebooted my machines in years due to a crash.

Most of the security bulletins and Windows Updates are due to buffer overruns. If the standard library had been defined to pass in a maximum length parameter along with every string buffer, many of these security patches would never exist.

Comments

  • Anonymous
    June 30, 2004
    std::string doesn't use a terminating nul, unless you're converting it from/to a C string. But you can't really pass std::strings between binaries compiled with different compilers, or even linked against different instances of the runtime library.

  • Anonymous
    June 30, 2004
    So, managed code in .NET will not crash easily?

  • Anonymous
    July 07, 2005
    We got " C0000005 crash " error while doing an SNMP Walk for a device.We are looking for fixing it in our product.This document proved to be very vital.

  • Anonymous
    July 17, 2006
    what is solution for this crach.is it depends on the application progrme or on OS?.Because we got same access violation in STS of APG40.if we need i send core dump

  • Anonymous
    July 17, 2006
    what change we should make in the above code to remove the bug.
    solution for the bug

  • Anonymous
    July 20, 2006
    It takes a lot of work to create the blog posts and code samples that I put in my blog, and I was curious...

  • Anonymous
    December 05, 2006
    We are on VFP9 SP1 and we seem to be getting this when I call The LEFT( function ie., LEFT(string,6). This has happened twice so far this week, in different locations in our code.  Once in form code, and once in report code. Does anyone have any further solution to this? Thanks in advance...

  • Anonymous
    January 16, 2007
    We are getting this error consistantly using reports created by fp2.5b for dos under vfp9 sp1. even after converting the reports to a windows version, sp1 still gets errors but i think there gone in the sp2 beta. havent proven this yet. i have also found that while running the older report files, the memory handles returned by sys(1011) keeps climbing till we get the dreaded c5 error. help!!!!

  • Anonymous
    April 04, 2007
    What cause it to crash at OS level

  • Anonymous
    April 14, 2007
    This is happening 90% of the time i'm afront the computer, help!!

  • Anonymous
    April 22, 2007
    Frequently, We are getting access voilation problem on Windows NT environment while using Oracle Forms .  How to over come from this problem ?.  Please help me.

  • Anonymous
    May 02, 2007
    I am also facing this exception during inserting test cases in Rational Test Manager. Can you please help me how to come out of this crash and resolve the same....

  • Anonymous
    May 02, 2007
    I am also facing this exception during inserting test cases in Rational Test Manager. Can you please help me how to come out of this crash and resolve the same....

  • Anonymous
    June 13, 2007
    How many of you with this error are using Core 2 duo and didn't have this error before upgrading to this processor?

  • Anonymous
    July 24, 2007
    Can anyone help pls: The application, N:Program FilesFMFM.exe, generated an application error The error occurred on 07/24/2007 @ 16:11:05.529 The exception generated was c0000005 at address 2787A62C (ssdw3b32!DllUnregisterServer) For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  • Anonymous
    July 24, 2007
    Can anyone help pls: I recently updated the server from old NT to Win2k3 server with new hardware and yes Intel Dual Cores. The application, N:Program FilesFMFM.exe, generated an application error The error occurred on 07/24/2007 @ 16:11:05.529 The exception generated was c0000005 at address 2787A62C (ssdw3b32!DllUnregisterServer) For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  • Anonymous
    August 12, 2007
    {quote} Wednesday, June 13, 2007 8:34 PM by Bob How many of you with this error are using Core 2 duo and didn't have this error before upgrading to this processor? {/quote} I have a notebook using core 2 duo and I'm getting this error every time.... I' fed up with this :( Does anyone know the solution on this problem????

  • Anonymous
    August 20, 2007
    I have the same exception, Core 2 Duo. Exception was generated during GetModuleFileName calling, strange situation :(

  • Anonymous
    September 27, 2007
    A customer asks: I read your article "Intentionally crash your program". I have some questions that I

  • Anonymous
    October 08, 2007
    I had the same problem after making a simple change to an Oracle Forms application.  The only way I could solve it was to revert back to a previous version of the source code then make the change again.  It's been fine ever since then.

  • Anonymous
    October 22, 2007
    Running on VM-Ware, blade servers + Core 2 duo,  Win 2003 Server. I'm receiving sporadic occurrences of this error and it has made me sleepless. Just to let you know. Sincerely

  • Anonymous
    December 09, 2007
    Well, I've got this exception starting Skype. And what is ineteresting... When Skype started it want to get my ID, pass and then windows says @Exception c0000005 Windows Server 2008 Datacenter Full

  • Anonymous
    January 14, 2008
    The comment has been removed

  • Anonymous
    January 24, 2008
    My MS SQL 2000 crashed with c0000005 exception EVERYTIME defragging indexes is done. Arrrgghhhh.......

  • Anonymous
    February 13, 2008
    I get this error with Trendnet TEW-228PI (Realtek RTL8180 chipset) and its software (Wireless Configuration Utility), under Win2k SP4. However, the computer doesn't stop. I only get a window saying the app made an illegal operation and will be closed. I found the error code in Event Viewer. It has something to do with the driver. I'll search some more, as I've seen this board working in this OS before. Best regards

  • Anonymous
    May 17, 2008
    The comment has been removed

  • Anonymous
    October 15, 2008
    I get this C00005 error everytime. My application is built by VFP6.0 SP5. so trouble... I don't know why we still need to use VFP ?!

  • Anonymous
    November 03, 2008
    The application, C:Program FilesPlayOnlineSquareEnixPlayOnlineViewerpol.exe, generated an application error The error occurred on 11/03/2008 @ 14:44:42.109 The exception generated was c0000005 at address 01AB9C5D (FFXiMain)

  • Anonymous
    November 13, 2008
    <a href= SADDDDDDDDDDDDDDDDDDDD >DDDDDDDDDDDDDDDDDDD</a>, %-DDD,

  • Anonymous
    January 07, 2009
    The comment has been removed

  • Anonymous
    January 21, 2009
    PingBack from http://www.keyongtech.com/713718-vb-net-problem-in-windows2003

  • Anonymous
    March 16, 2010
    How detects that the process running in user mode is trying to access kernel mode Virtual Adress? Is it the processor or OS? Does the processor know about the User/Kernel mode address range?

  • Anonymous
    March 16, 2010
    Who detects that the process running in user mode is trying to access kernel mode Virtual Adress? Is it the processor or OS? Does the processor know about the User/Kernel mode address range?

  • Anonymous
    May 03, 2010
    I just got it will a null pointer exception.  Add to your code a check if your input is null.

  • Anonymous
    June 27, 2010
    I got this during my Silktest executions. Any ideas to fix it? Event Type: Information Event Source: DrWatson Event Category: None Event ID: 4097 Date: 6/27/2010 Time: 11:04:32 AM User: N/A Computer: GUI55158 Description: The application, C:progra~1borlandSilkTestAgent.exe, generated an application error The error occurred on 06/27/2010 @ 11:04:32.770 The exception generated was c0000005 at address 20058285 (AGENTDLL!TrueLogEnqueue) For more information, see Help and Support Center at go.microsoft.com/.../events.asp.