-
-
Save SkyBulk/6f6bfee6e37756e4e878bbb5d3dd271e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0:005> r | |
| eax=00000000 ebx=008adff0 ecx=008f00a7 edx=00000000 esi=02d8bb70 edi=00000000 | |
| eip=7157b68f esp=02d8bb44 ebp=02d8bb5c iopl=0 nv up ei pl zr na pe nc | |
| cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 | |
| mshtml!CElement::Doc+0x2: | |
| 7157b68f 8b5070 mov edx,dword ptr [eax+70h] ds:002b:00000070=???????? | |
| 0:005> u mshtml!CElement::Doc | |
| mshtml!CElement::Doc: | |
| 7157b68d 8b01 mov eax,dword ptr [ecx] | |
| 7157b68f 8b5070 mov edx,dword ptr [eax+70h] <-- crashes here | |
| 7157b692 ffd2 call edx | |
| 7157b694 8b400c mov eax,dword ptr [eax+0Ch] | |
| 7157b697 c3 ret | |
| 7157b698 90 nop | |
| 7157b699 90 nop | |
| 7157b69a 90 nop | |
| 0:005> knL | |
| # ChildEBP RetAddr | |
| 00 02d8bb40 715b9b02 mshtml!CElement::Doc+0x2 | |
| 01 02d8bb5c 715b9a0e mshtml!CTreeNode::ComputeFormats+0xba <-- where the call to mshtml!CElement::Doc originated and what defines value in ecx. | |
| 02 02d8be08 715c872a mshtml!CTreeNode::ComputeFormatsHelper+0x44 | |
| 03 02d8be18 715c86ea mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11 | |
| 04 02d8be28 715c86d1 mshtml!CTreeNode::GetFancyFormatHelper+0xf | |
| 05 02d8be3c 715eab32 mshtml!CTreeNode::GetFancyFormat+0x35 | |
| 06 02d8be44 715eabee mshtml!CLineCore::AO_GetFancyFormat+0x23 | |
| 07 02d8be78 715db7b6 mshtml!CRecalcLinePtr::RecalcMargins+0x19d | |
| 08 02d8c670 7167dbdb mshtml!CDisplay::RecalcLines+0x6e5 | |
| 09 02d8c74c 71605c45 mshtml!CDisplay::WaitForRecalc+0x209 | |
| 0a 02d8c79c 7158e667 mshtml!CFlowLayout::Notify+0x7de | |
| 0b 02d8c7a8 71582127 mshtml!NotifyElement+0x41 | |
| 0c 02d8c7fc 715820be mshtml!CMarkup::SendNotification+0x60 | |
| 0d 02d8c824 715cc083 mshtml!CMarkup::Notify+0xd6 | |
| 0e 02d8c86c 7160574e mshtml!CElement::SendNotification+0x4a | |
| 0f 02d8c890 7152189c mshtml!CElement::EnsureRecalcNotify+0x15f | |
| 10 02d8c914 71527145 mshtml!CDisplayPointer::MoveUnit+0x2b2 | |
| 11 02d8ca00 71526fb2 mshtml!CHTMLEditor::AdjustPointer+0x16f | |
| 12 02d8ca34 71526e39 mshtml!CEditTracker::AdjustPointerForInsert+0x8b | |
| 13 02d8ca90 71526cd6 mshtml!CCaretTracker::PositionCaretAt+0x141 | |
| 0:005> u 715b9b02-7 | |
| mshtml!CTreeNode::ComputeFormats+0xb3: | |
| 715b9afb 8b0b mov ecx,dword ptr [ebx] | |
| 715b9afd e88b1bfcff call mshtml!CElement::Doc (7157b68d) <-- causing the crash , and still ebx holding the value that was passed to ecx | |
| 715b9b02 53 push ebx | |
| 715b9b03 891e mov dword ptr [esi],ebx | |
| 715b9b05 894604 mov dword ptr [esi+4],eax | |
| 715b9b08 8b0b mov ecx,dword ptr [ebx] | |
| 715b9b0a 56 push esi | |
| 715b9b0b e838000000 call mshtml!CElement::ComputeFormats (715b9b48) | |
| 0:005> d ebx | |
| 008adff0 a7 00 8f 00 00 00 00 00-4a 40 ff ff ff ff ff ff ........J@...... | |
| 008ae000 51 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 Q............... | |
| 008ae010 00 00 00 00 18 e0 8a 00-62 00 00 00 00 00 00 00 ........b....... | |
| 008ae020 00 00 00 00 00 00 00 00-00 e0 8a 00 00 00 00 00 ................ | |
| 008ae030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008ae040 df ce 33 66 00 00 00 80-bd 00 89 00 00 00 00 00 ..3f............ | |
| 008ae050 71 04 ff ff ff ff ff ff-61 00 00 00 00 00 00 00 q.......a....... | |
| 008ae060 00 00 00 00 00 00 00 00-c0 e2 8a 00 70 e0 8a 00 ............p... | |
| 0:005> d poi(ebx) | |
| 008f00a7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ <-- it seems object in ebx is still kept from ecx | |
| 008f00b7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f00c7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f00d7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f00e7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f00f7 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f0107 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 008f0117 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ | |
| 0:005> d poi(ecx) | |
| 00000000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? <-- freed | |
| 00000010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? | |
| 00000070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment