Case of NullReferenceException not handled by sos / windbg

In this post I am going to be discussing about the NullReferenceException which is not trapped “sxe clr” command. FYI “sxe  clr” is the command in debugging tools to catch any clr exception.  Here is the kind of  code that I was debugging.

using System;

namespace Test
 class Program
 string test;

 static void Main(string[] args)
     new Program().Testing();
   catch {
    Console.WriteLine("Something went wrong");

 int Testing(){
   if (test.Substring(10,20) == "asd")
     return 10;
   return 1;

The application was reporting “something went wrong”, just another day where I had to debug some code which I don’t appreciate debugging. I was asked to debug the issue. And I use windbg for all my production debugging.

Attached the process and issued the command sxe -c “!clrstack;!pe” clr, which instructs the debugger to trap any exception from clr and then print stack-trace and exception whenever an exception is thrown. And to my surprise the debugger didn’t break on the exception and I never got the call-stack.  And  my debugger was set ignore AV exception so it didn’t report on AV, if not I could have managed to get the call-stack and figure out the exception.  And to my surprise when I issued the command !pe I didn’t get any result.

From my past experience of debugging I know if have bp on KERNELBASE!RaiseException  I should be able to catch any exception. This is one advantage of understanding code close to metal , comes in handy when everything else fails. So issued the command bp KERNELBASE!RaiseException and here is the call-stack from the breakpoint

0:000> !mk

Thread 0:

ESP              EIP

00:U 000000000031e738 000007fefdafaa40 KERNELBASE!RaiseException

01:U 000000000031e740 000007fee4b6dbdc mscorwks!NakedThrowHelper2+0xc

02:U 000000000031e770 000007fee4b6dc2a mscorwks!NakedThrowHelper_RspAligned+0x3d

03:U 000000000031ece8 000007fee4b6dc35 mscorwks!NakedThrowHelper_FixRsp+0x5

04:M 000000000031ecf0 000007ff001a027f Test.Program.Testing()(+0x1 IL)(+0x3f Native) [C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication4\Program.cs, @ 19,13]

05:M 000000000031ed40 000007ff001a0170 Test.Program.Main(System.String[])(+0x7 IL)(+0x50 Native) [C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication4\Program.cs, @ 10,17]

06:U 000000000031ed90 000007fee4b6d502 mscorwks!CallDescrWorker+0x82

07:U 000000000031ede0 000007fee4a29fd3 mscorwks!CallDescrWorkerWithHandler+0xd3

08:U 000000000031ee80 000007fee4a3a3af mscorwks!MethodDesc::CallDescr+0x24f

09:U 000000000031f0d0 000007fee49adc7f mscorwks!ClassLoader::RunMain+0x22b

0a:U 000000000031f330 000007fee4991c74 mscorwks!Assembly::ExecuteMainMethod+0xbc

0b:U 000000000031f620 000007fee49c9955 mscorwks!SystemDomain::ExecuteMainMethod+0x491

0c:U 000000000031fbf0 000007fee4addb07 mscorwks!ExecuteEXE+0x47

0d:U 000000000031fc40 000007fee499855c mscorwks!CorExeMain+0xac

0e:U 000000000031fca0 000007fef9493309 mscoreei!CorExeMain+0x41

0f:U 000000000031fcd0 000007fef9525b21 MSCOREE!CorExeMain_Exported+0x57

10:U 000000000031fd00 00000000776cf56d KERNEL32!BaseThreadInitThunk+0xd

11:U 000000000031fd30 0000000077903281 ntdll!RtlUserThreadStart+0x1d

Now I see which line is causing the exception. I could guess what the exception could be. To confirm my assumption I issued the command !dso after the catch block message and here is the output

0:000> !dso

OS Thread Id: 0x1590 (0)

RSP/REG          Object           Name

000000000031ea58 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031ea68 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031eb18 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031eb58 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031eb80 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031eba0 00000000026a5ae0 Microsoft.Win32.SafeHandles.SafeFileHandle

000000000031ebe0 00000000026a5b58 System.IO.StreamReader

000000000031ebf0 00000000026a5b58 System.IO.StreamReader

000000000031ec10 00000000026a5b58 System.IO.StreamReader

000000000031ec40 00000000026a5b58 System.IO.StreamReader

000000000031ec50 00000000026a5b58 System.IO.StreamReader

000000000031ec60 00000000026a5b00 System.IO.__ConsoleStream

000000000031ec68 00000000026a5e68 System.Byte[]    (System.Byte[])

000000000031ec98 00000000026a6198 System.IO.TextReader+SyncTextReader

000000000031eca0 00000000026a5b58 System.IO.StreamReader

000000000031ecb0 00000000026a5b58 System.IO.StreamReader

000000000031ecd8 00000000026a6198 System.IO.TextReader+SyncTextReader

000000000031ed40 00000000026a6198 System.IO.TextReader+SyncTextReader

000000000031ed48 00000000026a4070 System.String

000000000031ed68 00000000026a4058 Test.Program

000000000031ed78 00000000026a4090 System.NullReferenceException

000000000031ed90 00000000026a3ff0 System.Object[]    (System.String[])

000000000031ef18 00000000026a3ff0 System.Object[]    (System.String[])

000000000031f100 00000000026a3ff0 System.Object[]    (System.String[])

000000000031f128 00000000026a3ff0 System.Object[]    (System.String[])

I could see a NullReferenceException on the stack, issued !pe on exception object and here is the output

0:000> !pe 00000000026a4090

Exception object: 00000000026a4090

Exception type: System.NullReferenceException

Message: Object reference not set to an instance of an object.

InnerException: <none>

StackTrace (generated):

SP               IP               Function

000000000031ECF0 000007FF001A027F ConsoleApplication4!Test.Program.Testing()+0x3f

000000000031ED40 000007FF001A0170 ConsoleApplication4!Test.Program.Main(System.String[])+0x50

StackTraceString: <none>

HResult: 80004003

And now I know which code to fix.

6 thoughts on “Case of NullReferenceException not handled by sos / windbg

  1. Pingback: DotNetShoutout
  2. Good article. Thanks for reminding me about !dso.

    ps. Any idea why windbg wasn’t getting the clr exception?

  3. A very informative article. I tried to follow the steps as you detail but came across an issue. My version of WinDbg did not recognise the !mk command.

    I created the same program with VS 2010. Used Ctrl-E to open the executable. Set the break point on RaiseException then ran the program. When it hit the break point I used .loadby sos clr and issued the “!mk” command and got the reply “No export mk found”.

    WinDbg: X86

    Wonder what I am doing wrong?

      1. Naveen,

        Thanks for the link. However I am unable to reproduce the debugging session as you describe. I would like to fully understand the operation of WinDbg, SOS and SOSEX and the debugging of NullReferenceExceptions ad these do come up far too often.

        Below is the output as I have seen it during my own WinDbg session. I am using the same source code built with VS 2010, .NET 4 client profile and the debug build.

        As you can see, the RaiseException break point is never hit before the Access violation occurs. !dso does not reveal the NullReference exception. I am at a loss as to what I have done differently.

        Thanks in advance for any help you can provide.

        *** wait with pending attach
        Symbol search path is: SRV*
        Executable search path is:
        ModLoad: 001a0000 001a8000 C:\Users\Adam Sparrowhawk\Documents\Visual Studio 2010\Projects\WinDbgTest\WinDbgTest\bin\Debug\WinDbgTest.exe
        ModLoad: 776c0000 77840000 C:\Windows\SysWOW64\ntdll.dll
        ModLoad: 74180000 741ca000 C:\Windows\SYSTEM32\MSCOREE.DLL
        ModLoad: 76b00000 76c00000 C:\Windows\syswow64\KERNEL32.dll
        ModLoad: 75a80000 75ac6000 C:\Windows\syswow64\KERNELBASE.dll
        ModLoad: 759c0000 75a60000 C:\Windows\syswow64\ADVAPI32.dll
        ModLoad: 75460000 7550c000 C:\Windows\syswow64\msvcrt.dll
        ModLoad: 76ae0000 76af9000 C:\Windows\SysWOW64\sechost.dll
        ModLoad: 76dc0000 76eb0000 C:\Windows\syswow64\RPCRT4.dll
        ModLoad: 75230000 75290000 C:\Windows\syswow64\SspiCli.dll
        ModLoad: 75220000 7522c000 C:\Windows\syswow64\CRYPTBASE.dll
        ModLoad: 74110000 74176000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
        ModLoad: 76eb0000 76f07000 C:\Windows\syswow64\SHLWAPI.dll
        ModLoad: 77100000 77190000 C:\Windows\syswow64\GDI32.dll
        ModLoad: 76cc0000 76dc0000 C:\Windows\syswow64\USER32.dll
        ModLoad: 77210000 7721a000 C:\Windows\syswow64\LPK.dll
        ModLoad: 77220000 772bd000 C:\Windows\syswow64\USP10.dll
        ModLoad: 75890000 758f0000 C:\Windows\system32\IMM32.DLL
        ModLoad: 758f0000 759bc000 C:\Windows\syswow64\MSCTF.dll
        ModLoad: 6b4c0000 6bb2f000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
        ModLoad: 73250000 7330e000 C:\Windows\system32\MSVCR100_CLR0400.dll
        ModLoad: 6a6f0000 6b4b3000 C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\4ff1f12a08d455f195ba996fe77497c6\
        ModLoad: 73c10000 73c20000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
        ModLoad: 76fa0000 770fc000 C:\Windows\syswow64\ole32.dll
        ModLoad: 73650000 736b0000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
        (121c.1548): Break instruction exception – code 80000003 (first chance)
        eax=7efac000 ebx=00000000 ecx=00000000 edx=7775f4e2 esi=00000000 edi=00000000
        eip=776d000c esp=04affb9c ebp=04affbc8 iopl=0 nv up ei pl zr na pe nc
        cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
        776d000c cc int 3
        0:004> .extpath “C:\Users\Adam Sparrowhawk\Documents\Visual Studio 2010\Projects\WinDbgTest\WinDbgTest\bin\Debug”
        Extension search path is: C:\Users\Adam Sparrowhawk\Documents\Visual Studio 2010\Projects\WinDbgTest\WinDbgTest\bin\Debug
        0:004> .loadby sos clr
        0:004> .load sosex
        0:004> sxe clr
        0:004> sxe av
        0:004> bp KERNELBASE!RaiseException
        0:004> bl
        0 e 75a8b6cf 0001 (0001) 0:**** KERNELBASE!RaiseException
        0:004> g
        (121c.f64): Access violation – code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.
        eax=00000000 ebx=00000000 ecx=00000000 edx=0000000a esi=0065f270 edi=002aed50
        eip=004b0177 esp=002aecd8 ebp=002aecf4 iopl=0 nv up ei pl zr na pe nc
        cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
        004b0177 3909 cmp dword ptr [ecx],ecx ds:002b:00000000=????????
        0:000> k
        ChildEBP RetAddr
        WARNING: Frame IP not in any known module. Following frames may be wrong.
        002aecf4 004b00b6 0x4b0177
        002aed24 6b4c21db 0x4b00b6
        002aed34 6b4e4a2a clr!CallDescrWorker+0x33
        002aedb0 6b4e4bcc clr!CallDescrWorkerWithHandler+0x8e
        002aeee8 6b4e4c01 clr!MethodDesc::CallDescr+0x194
        002aef04 6b4e4c21 clr!MethodDesc::CallTargetWorker+0x21
        002aef1c 6b5ace82 clr!MethodDescCallSite::Call+0x1c
        002af080 6b5acf90 clr!ClassLoader::RunMain+0x24c
        002af2e8 6b5acda4 clr!Assembly::ExecuteMainMethod+0xc1
        002af7cc 6b5ad199 clr!SystemDomain::ExecuteMainMethod+0x4ec
        002af820 6b5ad09a clr!ExecuteEXE+0x58
        002af86c 6b62af00 clr!_CorExeMainInternal+0x19f
        002af8a4 741155ab clr!_CorExeMain+0x4e
        002af8b0 74187f16 mscoreei!_CorExeMain+0x38
        002af8c0 74184de3 MSCOREE!ShellShim__CorExeMain+0x99
        002af8c8 76b13677 MSCOREE!_CorExeMain_Exported+0x8
        002af8d4 776f9d42 KERNEL32!BaseThreadInitThunk+0xe
        002af914 776f9d15 ntdll!__RtlUserThreadStart+0x70
        002af92c 00000000 ntdll!_RtlUserThreadStart+0x1b
        0:000> !mk
        Thread 0:
        ESP EIP
        00:M 002aecd8 004b0177 *** WARNING: Unable to verify checksum for C:\Users\Adam Sparrowhawk\Documents\Visual Studio 2010\Projects\WinDbgTest\WinDbgTest\bin\Debug\WinDbgTest.exe
        Test.Program.Testing()(+0x1 IL)(+0x37 Native) [c:\users\adam sparrowhawk\documents\visual studio 2010\Projects\WinDbgTest\WinDbgTest\Program.cs, @ 26,13]
        01:M 002aecfc 004b00b6 Test.Program.Main(System.String[])(+0x12 IL)(+0x46 Native) [c:\users\adam sparrowhawk\documents\visual studio 2010\Projects\WinDbgTest\WinDbgTest\Program.cs, @ 15,17]
        02:U 002aed2c 6b4c21db clr!CallDescrWorker+0x33
        03:U 002aed3c 6b4e4a2a clr!CallDescrWorkerWithHandler+0x8e
        04:U 002aedb8 6b4e4bcc clr!MethodDesc::CallDescr+0x194
        05:U 002aeef0 6b4e4c01 clr!MethodDesc::CallTargetWorker+0x21
        06:U 002aef0c 6b4e4c21 clr!MethodDescCallSite::Call+0x1c
        07:U 002aef24 6b5ace82 clr!ClassLoader::RunMain+0x24c
        08:U 002af088 6b5acf90 clr!Assembly::ExecuteMainMethod+0xc1
        09:U 002af2f0 6b5acda4 clr!SystemDomain::ExecuteMainMethod+0x4ec
        0a:U 002af7d4 6b5ad199 clr!ExecuteEXE+0x58
        0b:U 002af828 6b5ad09a clr!_CorExeMainInternal+0x19f
        0c:U 002af874 6b62af00 clr!_CorExeMain+0x4e
        0d:U 002af8ac 741155ab mscoreei!_CorExeMain+0x38
        0e:U 002af8b8 74187f16 MSCOREE!ShellShim__CorExeMain+0x99
        0f:U 002af8c8 74184de3 MSCOREE!_CorExeMain_Exported+0x8
        10:U 002af8d0 76b13677 KERNEL32!BaseThreadInitThunk+0xe
        11:U 002af8dc 776f9d42 ntdll!__RtlUserThreadStart+0x70
        12:U 002af91c 776f9d15 ntdll!_RtlUserThreadStart+0x1b

        0:000> !dso
        OS Thread Id: 0xf64 (0)
        ESP/REG Object Name
        002AECE4 0219d6d8 Test.Program
        002AECFC 0219d6d8 Test.Program
        002AED00 0219bd50 System.Object[] (System.String[])
        002AEDD4 0219bd50 System.Object[] (System.String[])
        002AEF74 0219bd50 System.Object[] (System.String[])
        002AEFA8 0219bd50 System.Object[] (System.String[])

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s