
HANG and "ERROR: injection into child process failed" running powerpnt 2007 #466

Closed
derekbruening opened this issue Nov 28, 2014 · 4 comments

Comments

@derekbruening
Contributor

From [email protected] on May 26, 2011 11:35:17

xref issue #457 and issue #462: running powerpnt 2007 under DR, occasionally I see:
Shared memory key is: "Global\DynamoRIO_Client_Statistics.001"
<ERROR: injection into child process failed>

related to running as admin (for shmem)?
usually when this error shows up on win7, powerpnt hangs. killing it and
re-running usually has everything work fine w/ no error msg. I have seen
this error and hang even after issue #462 was fixed.

on xp64, running powerpnt 2007, I see the same message, but everything
works fine and DR appears to be injected.

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=466

@derekbruening
Contributor Author

From [email protected] on August 06, 2011 15:40:56

** TODO why is SYSLOG_INTERNAL_ERROR showing up in release build?

what's weird is that this is a SYSLOG_INTERNAL_ERROR so it shouldn't show
up in release build

my release build has default INTERNAL="" so should have INTERNAL off since
DEBUG is off.

** DONE splwow64.exe
CLOSED: [2011-08-06 Sat 18:39]

  • State "DONE" [2011-08-06 Sat 18:39]

more info:
<ERROR: injection from pid=2564 of C:\src\dr\git\exports\lib32\release\dynamorio.dll into child process 2656 failed 0x00000000>

presumably these errors are b/c it's admin:
PID 2564, Process POWERPNT.EXE, running
PID 2656, Process splwow64.exe, running

windbg attach list says:
2656 Error 0x8007012B

try to attach to 2656: error 0xC00000BB "The request is not supported"

powerpnt is spinning

after a while, splwow64.exe exits

2nd run, this time running drview as admin:
PID 7432, Process POWERPNT.EXE, running SC release (build 0)
PID 7824, Process splwow64.exe, running

proc explore says:
splwow64.exe is a 64-bit app
"Print driver host for 32-bit applications"

running with -no_follow_children: no error msg, and splwow64.exe is
running, but powerpnt still spins: so it seems the two are not necessarily related,
though it seemed that they always occurred together on win7.

debug DR says:
Warning: could not read image name from PEB
and asserts on the injection failure.
should downgrade to curiosity.
issue #49 covers supporting cross-arch follow-children.

** DONE powerpnt spinning
CLOSED: [2011-08-06 Sat 18:39]

  • State "DONE" [2011-08-06 Sat 18:39]

attach to spinning powerpnt:
one thread is here
00 1d695a68 6de53022 ntdll!ZwWaitForSingleObject+0x15
01 1d695a78 6de43ac1 dynamorio!nt_wait_event_with_timeout+0x12 [c:\src\dr\git\src\core\win32\ntdll.c @ 3357]
02 1d695aa0 6de43d8b dynamorio!os_wait_event+0x3b1 [c:\src\dr\git\src\core\win32\os.c @ 6416]
03 1d695ab8 6ddee23b dynamorio!rwlock_wait_contended_writer+0x3b [c:\src\dr\git\src\core\win32\os.c @ 6465]
04 1d695ac4 6ddfeb03 dynamorio!write_lock+0x4b [c:\src\dr\git\src\core\utils.c @ 1177]
05 1d695acc 6de40928 dynamorio!module_list_add+0x13 [c:\src\dr\git\src\core\module_list.c @ 244]
06 1d695af0 6de40e01 dynamorio!process_image+0x48 [c:\src\dr\git\src\core\win32\os.c @ 2454]
07 1d695b30 6de49997 dynamorio!process_mmap+0x61 [c:\src\dr\git\src\core\win32\os.c @ 2876]
08 1d695f70 6de49fe6 dynamorio!postsys_MapViewOfSection+0x137 [c:\src\dr\git\src\core\win32\syscall.c @ 3410]
09 1d695f98 6ddea585 dynamorio!post_system_call+0x5a6 [c:\src\dr\git\src\core\win32\syscall.c @ 3540]
0a 1d695fa0 6ddeaf1f dynamorio!handle_post_system_call+0x25 [c:\src\dr\git\src\core\dispatch.c @ 1855]
0b 1d695fbc 6ddeafd0 dynamorio!dispatch_enter_dynamorio+0x3ef [c:\src\dr\git\src\core\dispatch.c @ 727]
0c 1d6151c0 7efdd000 dynamorio!dispatch+0x10 [c:\src\dr\git\src\core\dispatch.c @ 149]

0:000> da 1d6cc3e8
1d6cc3e8 "C:\Windows\SysWOW64\ole32.dll"

0:000> dt dynamorio!read_write_lock_t 6deaf108
+0x000 lock : _mutex_t
+0x008 num_readers : 1
+0x00c writer : 0
+0x010 num_pending_readers : 0
+0x014 writer_waiting_readers : 0x000005d4
+0x018 readers_waiting_writer : (null)

-debug: works
-no_enable_reset: spins

adding last_reader field:
0:000> dt module_data_lock
+0x000 lock : _mutex_t
+0x008 num_readers : 1
+0x00c writer : 0
+0x010 num_pending_readers : 0
+0x014 writer_waiting_readers : 0x00000600
+0x018 readers_waiting_writer : (null)
+0x01c last_reader : 0x1644

5 Id: 4e4.1644 Suspend: 1 Teb: 7efa9000 Unfrozen

ChildEBP RetAddr

WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0494e418 77a58cc8 0x18b67d3e
01 0494e440 77a502a9 ntdll!RtlEnterCriticalSection+0x150
02 0494e4dc 77a501e2 ntdll!LdrGetProcedureAddressEx+0x159
03 0494e4f8 7587143f ntdll!LdrGetProcedureAddress+0x18
04 0494e520 743b5b91 KERNELBASE!GetProcAddress+0x44
05 0494e5c8 743b5d68 apphelp!SeiGetProcAddress+0x3d
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Program Files (x86)\Microsoft Office\Office12\ppcore.dll -
06 0494e5e4 68eb5418 apphelp!StubGetProcAddress+0x2b
07 0494e644 68eb5330 ppcore!ShowSplashScreen+0x6fb
08 0494e69c 68ebe923 ppcore!ShowSplashScreen+0x613
09 0494e6ac 68ebe791 ppcore!PPMain+0x8fab
0a 0494e6d8 68ebcf42 ppcore!PPMain+0x8e19
0b 0494f768 68ebce76 ppcore!PPMain+0x75ca
0c 0494f79c 68ebce19 ppcore!PPMain+0x74fe
0d 0494f7cc 75a23677 ppcore!PPMain+0x74a1
0e 0494f7d8 77a59f02 kernel32!BaseThreadInitThunk+0x12
0f 0494f818 77a59ed5 ntdll!__RtlUserThreadStart+0x70
10 0494f830 00000000 ntdll!_RtlUserThreadStart+0x1b

+0x0a0 LoaderLock : 0x77b220c0
0:000> dt RTL_CRITICAL_SECTION 0x77b220c0
+0x000 DebugInfo : 0x77b24360
+0x004 LockCount : -6
+0x008 RecursionCount : 1
+0x00c OwningThread : 0x000013b8
+0x010 LockSemaphore : 0x000003ac
+0x014 SpinCount : 0
13b8 is the thread waiting on module_data_lock

found the bug:
instrument_module_load_trigger() doesn't unlock when module doesn't exist

@derekbruening
Contributor Author

From [email protected] on August 06, 2011 15:56:47

Summary: HANG and "ERROR: injection into child process failed" running powerpnt 2007

@derekbruening
Contributor Author

From [email protected] on August 06, 2011 20:06:31

the INTERNAL problem: it's b/c I had INTERNAL_DEFAULT set to 0FF instead of OFF!

@derekbruening
Contributor Author

From [email protected] on August 07, 2011 19:26:19

This issue was closed by revision r918.

Status: Fixed
