Access violation - code c0000005 #2369

Open
kouzhudong opened this issue Jan 9, 2025 · 3 comments

@kouzhudong

Brief description of your issue

0:020> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 0

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on CORREY

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 4

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 136

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 6861

    Key  : Timeline.Process.Start.DeltaSec
    Value: 429


NTGLOBALFLAG:  4400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=000001ecd5c20871 rbx=000001ecd19e37b0 rcx=0000000000000001
rdx=0000000000000008 rsi=000001ecd1bea380 rdi=000001ecd5c20858
rip=00007ff73410b295 rsp=0000007c67bff6b8 rbp=0000000000000000
 r8=000001ecd5c20871  r9=0000000000000001 r10=0000000000000dd0
r11=0000007c67bff5e0 r12=000000000000000e r13=000001ecd3f2c3c0
r14=000001ecd29fca80 r15=000001ecd29fcde0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
SystemInformer+0x14b295:
00007ff7`3410b295 660f7500        pcmpeqw xmm0,xmmword ptr [rax] ds:000001ec`d5c20871=0022
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff73410b295 (SystemInformer+0x000000000014b295)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

PROCESS_NAME:  SystemInformer.exe

READ_ADDRESS:  ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p            0x%p                    %s

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

STACK_TEXT:  
0000007c`67bff6b8 00007ffd`79a529a7 : 000001ec`d19e37b0 000001ec`d1bea380 00007ffd`79a71690 000001ec`d29fcdf0 : SystemInformer+0x14b295
0000007c`67bff6c0 00007ffd`802d386b : 000001ec`d59f0070 000001ec`d59efc50 0000007c`67bff7e9 000001ec`d3f2c3c0 : DotNetTools+0x29a7
0000007c`67bff740 00007ffd`802d369f : 000001ec`d37b9cb0 00000000`00000000 00000000`00000000 7fffffff`ffffffff : sechost!EtwpLoadEventTrigger+0x15b
0000007c`67bff850 00007ffd`802db8ea : 00000000`00000000 000001ec`d1bea380 000001ec`d37b9cb0 00000000`00000000 : sechost!EtwpProcessRealTimeTraces+0xc7
0000007c`67bff8b0 00007ffd`79a53147 : 000001ec`d1bea3a4 00000000`00000001 000001ec`d29fc200 00000000`00000000 : sechost!ProcessTrace+0x18a
0000007c`67bff910 00007ff7`3410a735 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : DotNetTools+0x3147
0000007c`67bffb50 00007ffd`80e27374 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer+0x14a735
0000007c`67bffb90 00007ffd`8125cc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
0000007c`67bffbc0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  SystemInformer+14b295

MODULE_NAME: SystemInformer

IMAGE_NAME:  SystemInformer.exe

STACK_COMMAND:  ~20s ; .ecxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_SystemInformer.exe!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {b271a9f9-efc9-ea7b-e213-bd1d4817e73e}

Followup:     MachineOwner
---------

0:020> ~20s ; .ecxr ; kb
ntdll!NtGetContextThread+0x14:
00007ffd`812af344 c3              ret
rax=000001ecd5c20871 rbx=000001ecd19e37b0 rcx=0000000000000001
rdx=0000000000000008 rsi=000001ecd1bea380 rdi=000001ecd5c20858
rip=00007ff73410b295 rsp=0000007c67bff6b8 rbp=0000000000000000
 r8=000001ecd5c20871  r9=0000000000000001 r10=0000000000000dd0
r11=0000007c67bff5e0 r12=000000000000000e r13=000001ecd3f2c3c0
r14=000001ecd29fca80 r15=000001ecd29fcde0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
SystemInformer+0x14b295:
00007ff7`3410b295 660f7500        pcmpeqw xmm0,xmmword ptr [rax] ds:000001ec`d5c20871=0022
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr           : Args to Child                                                           : Call Site
00 00007ffd`79a529a7 : 000001ec`d19e37b0 000001ec`d1bea380 00007ffd`79a71690 000001ec`d29fcdf0 : SystemInformer+0x14b295
01 00007ffd`802d386b : 000001ec`d59f0070 000001ec`d59efc50 0000007c`67bff7e9 000001ec`d3f2c3c0 : DotNetTools+0x29a7
02 00007ffd`802d369f : 000001ec`d37b9cb0 00000000`00000000 00000000`00000000 7fffffff`ffffffff : sechost!EtwpLoadEventTrigger+0x15b
03 00007ffd`802db8ea : 00000000`00000000 000001ec`d1bea380 000001ec`d37b9cb0 00000000`00000000 : sechost!EtwpProcessRealTimeTraces+0xc7
04 00007ffd`79a53147 : 000001ec`d1bea3a4 00000000`00000001 000001ec`d29fc200 00000000`00000000 : sechost!ProcessTrace+0x18a
05 00007ff7`3410a735 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : DotNetTools+0x3147
06 00007ffd`80e27374 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer+0x14a735
07 00007ffd`8125cc91 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
0:020> lmvm SystemInformer
Browse full module list
start             end                 module name
00007ff7`33fc0000 00007ff7`34300000   SystemInformer   (no symbols)           
    Loaded symbol image file: SystemInformer.exe
    Image path: C:\Program Files\SystemInformer\SystemInformer.exe
    Image name: SystemInformer.exe
    Browse all global symbols  functions  data
    Image was built with /Brepro flag.
    Timestamp:        AE5D994F (This is a reproducible build file hash, not a timestamp)
    CheckSum:         003447CD
    ImageSize:        00340000
    File version:     3.2.25004.614
    Product version:  3.2.25004.614
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      Winsider Seminars & Solutions, Inc.
        ProductName:      System Informer
        InternalName:     System Informer
        OriginalFilename: System Informer.exe
        ProductVersion:   3.2.25004.614
        FileVersion:      3.2.25004.614
        FileDescription:  System Informer
        LegalCopyright:   Copyright (c) Winsider Seminars & Solutions, Inc.  All rights reserved.

Steps to reproduce (optional)

No response

Expected behavior (optional)

No response

Actual behavior (optional)

No response

Environment (optional)

No response


@dmex dmex removed the needs-triage label Jan 29, 2025
@dmex
Member

dmex commented Jan 29, 2025

Looks like ETW allocated unaligned memory and triggered an access violation due to SSE memory alignment requirements.
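An added example, not part of the thread and not System Informer's code: the faulting `pcmpeqw xmm0,xmmword ptr [rax]` takes a 16-byte memory operand while `rax` ends in `0x871`, and the sketch below shows a 16-bit scan that tolerates any start address by using unaligned loads. The names `find_nul16` and `demo`, and the sample buffer, are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#if defined(__SSE2__) || defined(_M_X64)
#include <emmintrin.h>
#define HAVE_SSE2 1
#endif

/* Hypothetical helper: index of the first 16-bit NUL in a byte buffer of
 * known length, or -1 if absent. buf may start at any byte offset. */
static ptrdiff_t find_nul16(const unsigned char *buf, size_t len_bytes)
{
    size_t off = 0;
#ifdef HAVE_SSE2
    const __m128i zero = _mm_setzero_si128();
    while (len_bytes - off >= 16) {
        /* MOVDQU has no alignment requirement. _mm_load_si128, or a
         * legacy-SSE memory operand such as pcmpeqw xmm0,[rax], raises
         * #GP when the address is not a multiple of 16. */
        __m128i v = _mm_loadu_si128((const __m128i *)(buf + off));
        int mask = _mm_movemask_epi8(_mm_cmpeq_epi16(v, zero));
        if (mask != 0) {
            int bit = 0;                 /* two mask bits per 16-bit lane */
            while (!((mask >> bit) & 1)) bit++;
            return (ptrdiff_t)((off + (size_t)bit) / 2);
        }
        off += 16;
    }
#endif
    /* Scalar tail; memcpy keeps the 2-byte reads alignment-safe. */
    for (; len_bytes - off >= 2; off += 2) {
        uint16_t c;
        memcpy(&c, buf + off, sizeof c);
        if (c == 0) return (ptrdiff_t)(off / 2);
    }
    return -1;
}

/* Constructed sample: n UTF-16LE 'A' characters followed by NULs, placed
 * at an odd address (raw is 16-byte aligned, the data starts at raw + 1). */
static ptrdiff_t demo(size_t n, size_t len_bytes)
{
    _Alignas(16) unsigned char raw[80] = {0};
    for (size_t i = 0; i < n; i++) raw[1 + 2 * i] = 'A';
    return find_nul16(raw + 1, len_bytes);
}

int main(void) { return demo(20, 42) == 20 ? 0 : 1; }
```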
