(Invoke-WebRequest www.microsoft.com).ParsedHtml.querySelectorAll("h2")
Powershell window should never crash, even though what I wrote isn't supported somehow.
Powershell crashed.
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.14393.693
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.693
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
@Ciantic Thanks for reporting the issue!
Could you show $Error[0] | fl * -force ?
@iSazonov the powershell.exe window crashes. If I open a new powershell window and type those, nothing comes up.
I see. I thought that only the cmdlet crashed.
I can confirm the Issue is on:
$PSVersionTable
Name Value
---- -----
PSVersion 5.0.10240.17146
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.42000
BuildVersion 10.0.10011.16384
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion 2.3
But in Powershell Core there is not a problem:
PS C:\temp> (Invoke-WebRequest www.microsoft.com).ParsedHtml.querySelectorAll("h2")
You cannot call a method on a null-valued expression.
At line:1 char:2
+ (Invoke-WebRequest www.microsoft.com).ParsedHtml.querySelectorAll("h ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
PS C:\temp> $PSVersionTable
Name Value
---- -----
PSRemotingProtocolVersion 2.3
GitCommitId v6.0.0-alpha.14-40-gcbda3867adbe82f3afea6314077d3b4b64ca656f-dirty
BuildVersion 3.0.0.0
CLRVersion
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
PSVersion 6.0.0-alpha
PSEdition Core
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
Glad it's fixed in 6.0, but I agree that's not awesome in 5.x. Following up offline w/ @SteveL-MSFT
@joeyaiello it's not "fixed" in 6.0, but a side-effect that ParsedHtml isn't an implemented property on PSCore because it depends on Internet Explorer (the error message is literally saying 'you can't call a method on parsedhtml because it's null').
@SteveL-MSFT Should we close the Issue?
We have a separate issue to implement an equivalent of ParsedHtml, so closing this as it's no longer applicable.
This is broken on PowerShell 7.0.0-rc.3:
$document = New-Object -Com "HTMLFile"
$document.querySelectorAll("a")
"didn't crash"
Perhaps @SeeminglyScience could share thoughts.
It's actually not querySelectorAll specifically, but calling get__NewEnum on the IHTMLDOMChildrenCollection (or doing literally anything with it aside from getting the length property). My guess is that when the collection is empty, trying to allocate the enumerator or even query IDispatch causes heap corruption (as indicated by the error code in the event viewer). If I remember correctly, the same API crashed Windows PowerShell as well when called from the ParsedHtml result of Invoke-WebRequest.
My guess is that there isn't anything PowerShell could or should do about it, heap corruption doesn't seem to be something you can "handle" safely. You can work around it by checking length before trying to enumerate, but even intellisense will crash so I'd really recommend just not using it.
length > 0 doesn't seem to matter:
$src = [System.Text.Encoding]::Unicode.GetBytes("<html></html>")
$document = New-Object -Com "HTMLFile"
$document.write($src)
$document.querySelectorAll("html").length
$document.querySelectorAll("html")
"didn't crash"
This issue isn't present when using methods like getElementsByTagName.
Apparently, one can work around it by using .item():
$src = [System.Text.Encoding]::Unicode.GetBytes("<html></html>")
$document = New-Object -Com "HTMLFile"
$document.write($src)
$document.querySelectorAll("html").length
$document.querySelectorAll("html").item(0)
"didn't crash"
Gotcha, so it's just the enumerator and/or IDispatch implementation in general that is causing the corruption. If it happens in VBA too, there's almost definitely nothing for PowerShell to fix. Glad you could find a workaround 👍
I've verified that the same code crashes Excel, also completely silently:
Sub TestQuerySelectorAll()
Dim document As HTMLDocument
Set document = New HTMLDocument
Set items = document.querySelectorAll("html")
For Each item In items
Next
End Sub
Is there a way to not make PowerShell fail completely silently? That's the bigger problem IMO.
> Is there a way to not make PowerShell fail completely silently? That's the bigger problem IMO.
Not really 😕. Heap corruption is one of the few errors you shouldn't try to recover from. There's a handler at the native level that kills the process and sends it to Windows Error Reporting (according to this post at least).
I did verify that it is indeed STATUS_HEAP_CORRUPTION from ntdll
In WinDbg console:
Critical error detected c0000374
(5fc4.6680): Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x56:
00007ffc`628b9232 cc int 3
Maybe report it to whatever team owns that COM API, but PS probably can't ignore heap corruption (even if just to write an error message).
Here's some code that prints an error before exit:
$Signature = @"
private delegate int VectoredExceptionHandler(IntPtr exceptionInfo);

[DllImport("kernel32.dll")]
private static extern IntPtr AddVectoredExceptionHandler(
    uint first, VectoredExceptionHandler handler
);

// Hold a reference so the delegate is not garbage-collected while
// native code still has its function pointer.
private static VectoredExceptionHandler heapCorruptionHandler;

public static void AddHeapCorruptionHandler() {
    heapCorruptionHandler = e => {
        // EXCEPTION_POINTERS -> EXCEPTION_RECORD -> ExceptionCode
        uint exceptionCode = (uint)Marshal.ReadInt32(Marshal.ReadIntPtr(e));
        // STATUS_HEAP_CORRUPTION
        if (exceptionCode == 0xc0000374)
        {
            Console.Error.WriteLine("HEAP CORRUPTION");
        }
        // Return EXCEPTION_CONTINUE_SEARCH
        return 0;
    };
    AddVectoredExceptionHandler(0, heapCorruptionHandler);
}
"@
Add-Type -MemberDefinition $Signature -Name ErrHandlingApi -Namespace Kernel32
[Kernel32.ErrHandlingApi]::AddHeapCorruptionHandler()
I guess this could be added to PowerShell.
/cc @daxian-dbw What do you think about adding the handler to shut down PowerShell gracefully?
I agree with @SeeminglyScience that PowerShell shouldn't try to recover from a heap corruption error.
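An added example, not part of the original thread and not PowerShell's own code: because heap corruption cannot be handled in-process, the query can run in a child process whose exit code is checked for 0xC0000374, so the calling session survives and the failure is reported. The function name, the environment variable names and the sample HTML are hypothetical, and the example assumes a console host and that the terminated child's exit code carries the NTSTATUS value.

```powershell
# Added example; function name, environment variable names and sample HTML are hypothetical.
function Invoke-IsolatedHtmlQuery {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [Parameter(Mandatory)] [string] $Selector
    )

    # Child script. It touches the node list only through .length and .item(i),
    # the access pattern reported in this thread as not crashing, and never
    # lets PowerShell enumerate the collection.
    $childScript = @'
$document = New-Object -Com "HTMLFile"
$document.write([System.Text.Encoding]::Unicode.GetBytes($env:ISOLATED_QUERY_HTML))
$count = $document.querySelectorAll($env:ISOLATED_QUERY_SELECTOR).length
for ($i = 0; $i -lt $count; $i++) {
    $document.querySelectorAll($env:ISOLATED_QUERY_SELECTOR).item($i).outerHTML
}
'@
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))

    # Relaunch the same host executable (powershell.exe or pwsh.exe).
    $hostExe = (Get-Process -Id $PID).Path

    # Inputs travel through inherited environment variables, which avoids
    # command-line quoting problems; suitable for small documents only.
    $env:ISOLATED_QUERY_HTML = $Html
    $env:ISOLATED_QUERY_SELECTOR = $Selector
    try {
        $output = & $hostExe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand $encoded
        $exitCode = $LASTEXITCODE
    }
    finally {
        Remove-Item Env:ISOLATED_QUERY_HTML, Env:ISOLATED_QUERY_SELECTOR -ErrorAction SilentlyContinue
    }

    # 0xC0000374 (STATUS_HEAP_CORRUPTION) read as a signed 32-bit exit code.
    $statusHeapCorruption = -1073740940
    if ($exitCode -eq $statusHeapCorruption) {
        throw "Child process was terminated with STATUS_HEAP_CORRUPTION (0xC0000374) while querying '$Selector'."
    }
    if ($exitCode -ne 0) {
        throw ("Child process exited with code 0x{0:X8}." -f $exitCode)
    }
    $output
}

# Constructed sample input.
Invoke-IsolatedHtmlQuery -Html '<html><body><h2>first</h2><h2>second</h2></body></html>' -Selector 'h2'
```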