What is the ds:0023:003a3000=?? stuff on the end of a drwatson FAULT?

I have the following entry in a Dr Watson log. What is the significance of the "ds:0023:003a3000=??" part of the entry to the right of the FAULT line?

*----> State Dump for Thread Id 0xdfc <----*
eax=00000000 ebx=00390320 ecx=0854ff48 edx=09e44bfc esi=00012ce1 edi=0854ff61
eip=00465c51 esp=0854ff30 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

function: sysman
        00465c37 49               dec     ecx
        00465c38 eb02             jmp     sysman+0x65c3c (00465c3c)
        00465c3a 33c9             xor     ecx,ecx
        00465c3c 8d542428         lea     edx,[esp+0x28]
        00465c40 52               push    edx
        00465c41 51               push    ecx
        00465c42 8d4c2418         lea     ecx,[esp+0x18]
        00465c46 e8d5c0fcff       call    sysman+0x31d20 (00431d20)
        00465c4b 33c0             xor     eax,eax
        00465c4d 8d4c2418         lea     ecx,[esp+0x18]
FAULT ->00465c51 8a441eff         mov     al,[esi+ebx-0x1]        ds:0023:003a3000=??
        00465c55 50               push    eax
        00465c56 6864074900       push    0x490764
        00465c5b 51               push    ecx
        00465c5c e8cfd0fcff       call    sysman+0x32d30 (00432d30)
        00465c61 8d542424         lea     edx,[esp+0x24]
        00465c65 68689f4800       push    0x489f68
        00465c6a 8d44242c         lea     eax,[esp+0x2c]
        00465c6e 52               push    edx
        00465c6f 50               push    eax
        00465c70 e83bc3fcff       call    sysman+0x31fb0 (00431fb0)

*----> Stack Back Trace <----*
ChildEBP RetAddr  Args to Child              
00000000 00000000 00000000 00000000 00000000 sysman+0x65c51

*----> Raw Stack Dump <----*
000000000854ff30  58 01 55 08 75 07 c8 09 - 00 00 00 00 18 6d c7 01  X.U.u........m..
000000000854ff40  fc 4b e4 09 04 bd 47 00 - 04 bd 47 00 fc 0c c9 01  .K....G...G.....
000000000854ff50  ac ca ae 09 64 5f c4 01 - 20 37 37 30 32 34 3a 20  ....d_.. 77024: 
000000000854ff60  00 b3 42 00 a8 ff 54 08 - 90 a6 47 00 02 00 00 00  ..B...T...G.....
000000000854ff70  8b c5 42 00 b8 ff 54 08 - 2e 03 39 00 28 99 cb 01  ..B...T...9.(...
000000000854ff80  ff ff ff ff 00 00 00 00 - 00 00 00 00 20 1e cb 01  ............ ...
000000000854ff90  a6 f7 ba 77 06 00 00 00 - c9 f7 ba 77 e1 6b d9 09  ...w.......w.k..
000000000854ffa0  06 00 00 00 1f 00 00 00 - 68 00 55 08 c1 a0 47 00  ........h.U...G.
000000000854ffb0  00 00 00 00 58 c4 42 00 - c9 a5 ca 09 d1 fb 38 0a  ....X.B.......8.
000000000854ffc0  27 00 00 00 e1 6b d9 09 - ef f2 41 00 c9 a5 ca 09  '....k....A.....
000000000854ffd0  01 59 cc 01 38 00 55 08 - ec 00 55 08 00 00 00 00  .Y..8.U...U.....
000000000854ffe0  e0 00 55 08 ff ff ff ff - 89 00 00 00 01 00 01 01  ..U.............
000000000854fff0  c8 ff 54 08 b8 ff 54 08 - 77 00 55 08 29 a5 ca 09  ..T...T.w.U.)...
0000000008550000  51 00 00 00 5f 00 00 00 - 00 9f 82 7c 61 36 ca 01  Q..._......|a6..
0000000008550010  25 00 00 00 3f 00 00 00 - 00 ce bb 77 91 b7 c7 01  %...?......w....
0000000008550020  19 00 00 00 1f 00 00 00 - 00 ff ff ff d9 28 cc 01  .............(..
0000000008550030  0b 00 00 00 1f 00 00 00 - 00 00 55 08 d1 fb 38 0a  ..........U...8.
0000000008550040  27 00 00 00 3f 00 00 00 - 00 20 ba 77 00 00 00 00  '...?.... .w....
0000000008550050  00 00 00 00 00 00 00 00 - 20 b7 c7 01 00 00 00 00  ........ .......
0000000008550060  00 00 00 00 00 00 00 00 - b4 00 55 08 1b 90 47 00  ..........U...G.


To summarize:

You get a register dump here:

    eax=00000000 ebx=00390320 ecx=0854ff48 edx=09e44bfc esi=00012ce1 edi=0854ff61
    eip=00465c51 esp=0854ff30 ebp=00000000 iopl=0         nv up ei pl zr na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

The eip indicates the instruction that failed:

    FAULT ->00465c51 8a441eff         mov     al,[esi+ebx-0x1]        ds:0023:003a3000=??

The stuff at the end is the address that failed to read, which is the "usual" data segment of 23, and address 3A3000, which is composed of esi and ebx minus 1: 390320+12ce1-1. To me, that looks like an index gone bad - 3a3000 would be the first address of a new "page" in memory, so that's why it's failing at that point. 77025 bytes into an array is quite a long way, but it is of course possible that it's something else that is wrong.
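As an added worked example (not part of the question or the answer above), the following Python script parses the register dump and the FAULT line quoted in the question, re-derives the effective address from the `[esi+ebx-0x1]` operand using the dumped register values, checks it against the `ds:0023:003a3000=??` annotation Dr Watson printed, decodes the selector, and tests whether the faulting address sits on a page boundary. The parsing expressions, the function names and the 4 KiB page size are assumptions of this example; the evaluator also handles scaled-index operands such as `ebx+eax*4+0x10`, which the log does not contain.

```python
import re

# Constructed input: the register dump and FAULT line copied from the
# Dr Watson log quoted in the question.
REGISTER_DUMP = """\
eax=00000000 ebx=00390320 ecx=0854ff48 edx=09e44bfc esi=00012ce1 edi=0854ff61
eip=00465c51 esp=0854ff30 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
"""
FAULT_LINE = ("FAULT ->00465c51 8a441eff         mov     al,[esi+ebx-0x1]"
              "        ds:0023:003a3000=??")

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, the normal x86 page size


def parse_registers(dump):
    """Map every 'name=hex' pair in the dump (eax, eip, ds, efl, ...) to an int."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b", dump)}


def parse_fault(line):
    """Split a FAULT line into eip, opcode bytes, mnemonic, operands and the
    'seg:selector:address=value' annotation Dr Watson appends to a bad access."""
    m = re.match(r"FAULT ->([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s+(\S+)\s+"
                 r"(\w+):([0-9a-f]{4}):([0-9a-f]{8})=(\S+)", line)
    if not m:
        raise ValueError("not a Dr Watson FAULT line")
    eip, opcode, mnemonic, operands, seg, selector, address, value = m.groups()
    return {
        "eip": int(eip, 16), "opcode": opcode, "mnemonic": mnemonic,
        "operands": operands, "segment": seg, "selector": int(selector, 16),
        "address": int(address, 16), "value": value,
    }


def effective_address(expr, regs, bits=32):
    """Evaluate an x86 memory operand such as 'esi+ebx-0x1' or 'ebx+eax*4+0x10'
    with the register values from the dump, wrapping to the address width."""
    total = 0
    for sign, term in re.findall(r"([+-]?)\s*([a-z0-9*]+)", expr):
        if "*" in term:                      # scaled index register, e.g. eax*4
            reg, scale = term.split("*")
            value = regs[reg] * int(scale, 0)
        elif term in regs:                   # plain register
            value = regs[term]
        else:                                # displacement, printed in hex
            value = int(term, 16)
        total += -value if sign == "-" else value
    return total & ((1 << bits) - 1)


def decode_selector(sel):
    """Return (descriptor index, table indicator GDT=0/LDT=1, requested privilege level)."""
    return sel >> 3, (sel >> 2) & 1, sel & 3


def analyze(dump, fault_line):
    """Cross-check the FAULT annotation against the registers and page layout."""
    regs = parse_registers(dump)
    fault = parse_fault(fault_line)
    mem = re.search(r"\[([^\]]+)\]", fault["operands"]).group(1)
    ea = effective_address(mem, regs)
    return {
        "eip_matches_fault": regs["eip"] == fault["eip"],
        "memory_operand": mem,
        "effective_address": ea,
        "matches_reported": ea == fault["address"],
        "selector_is_ds": fault["selector"] == regs["ds"],
        "page_aligned": ea % PAGE_SIZE == 0,   # first byte of a fresh page?
        "page_base": ea & ~(PAGE_SIZE - 1),
        "unreadable": fault["value"] == "??",  # '??' = memory not readable
    }


if __name__ == "__main__":
    for key, val in analyze(REGISTER_DUMP, FAULT_LINE).items():
        print(f"{key:>18}: {val:#010x}" if type(val) is int else f"{key:>18}: {val}")
    idx, ti, rpl = decode_selector(parse_fault(FAULT_LINE)["selector"])
    print(f"selector 0x23: descriptor index {idx}, TI={ti}, RPL={rpl} (ring-3 data segment)")
```

Run as-is, the script confirms that 0x390320 + 0x12ce1 - 1 = 0x3a3000 matches the reported address, that it is the first byte of a 4 KiB page, and that selector 0x23 is GDT entry 4 with RPL 3; the `??` value means the debugger could not read that byte, which is consistent with the access running off the end of a mapped region.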