IE11 crash on exit - by Andrey Bazhan

Status: Won't Fix

Due to several factors the product team decided to focus its efforts on other items.
A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 817566
Status: Closed
Type: Bug
Repros: 2
Opened: 2/16/2014 2:53:13 AM
Access Restriction: Public

Description

That was a one-time crash.
The problem is in the iertutil!IsoReleaseDefaultScope function: it doesn't check whether the iertutil!g_cIsoScopeRef variable is already zero before decrementing it.

0:000> !analyze -v
...
FAULTING_IP: 
iertutil!IsoReleaseDefaultScope+28
74281f41 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 74281f41 (iertutil!IsoReleaseDefaultScope+0x00000028)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
...

0:000> .ecxr
eax=ffffffff ebx=00000000 ecx=00000000 edx=77553300 esi=ffffffff edi=00000001
eip=74281f41 esp=007bf958 ebp=007bf960 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
iertutil!IsoReleaseDefaultScope+0x28:
74281f41 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????

0:000> k
 # ChildEBP RetAddr  
00 007bf960 732637aa iertutil!IsoReleaseDefaultScope+0x28
01 007bfaac 00ec1170 ieframe!LCIEStartAsTabProcess+0x532
02 007bfd44 00ec1398 iexplore!wWinMain+0x344
03 007bfdd4 7742495d iexplore!_imp_load__WaitForInputIdle+0x25f
04 007bfde0 776698ee kernel32!BaseThreadInitThunk+0xe
05 007bfe24 776698c4 ntdll!__RtlUserThreadStart+0x20
06 007bfe34 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> u iertutil!IsoReleaseDefaultScope iertutil!IsoReleaseDefaultScope+0x28
iertutil!IsoReleaseDefaultScope:
74281f19 8bff            mov     edi,edi
74281f1b 55              push    ebp
74281f1c 8bec            mov     ebp,esp
74281f1e 8b0dd4723874    mov     ecx,dword ptr [iertutil!g_pIsoScope (743872d4)]
74281f24 b8d8723874      mov     eax,offset iertutil!g_cIsoScopeRef (743872d8)
74281f29 56              push    esi
74281f2a 83ceff          or      esi,0FFFFFFFFh
74281f2d f00fc130        lock xadd dword ptr [eax],esi
74281f31 4e              dec     esi
74281f32 ff7508          push    dword ptr [ebp+8]
74281f35 8bc6            mov     eax,esi
74281f37 f7d8            neg     eax
74281f39 1bc0            sbb     eax,eax
74281f3b 2105d4723874    and     dword ptr [iertutil!g_pIsoScope (743872d4)],eax
74281f41 8b01            mov     eax,dword ptr [ecx]

0:000> dd iertutil!g_pIsoScope L1
743872d4  00000000
0:000> dd iertutil!g_cIsoScopeRef L1
743872d8  ffffffff

0:000> lmDvmiexplore
Browse full module list
start    end        module name
00ec0000 00f84000   iexplore   (pdb symbols)          d:\symstore\symbols\iexplore.pdb\22AFEC94624E40B4B9F10D503EE469EF2\iexplore.pdb
    Loaded symbol image file: iexplore.exe
    Image path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Image name: iexplore.exe
    Browse all global symbols  functions  data
    Timestamp:        Thu Aug 22 05:06:41 2013 (52157231)
    CheckSum:         000C5702
    ImageSize:        000C4000
    File version:     11.0.9600.16384
    Product version:  11.0.9600.16384
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   11.00.9600.16384
    FileVersion:      11.00.9600.16384 (winblue_rtm.130821-1623)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:000> lmvm iertutil
Browse full module list
start    end        module name
741a0000 743b5000   iertutil   (pdb symbols)          d:\symstore\symbols\iertutil.pdb\3FC98AE23540404E9D597DEFCA3B47762\iertutil.pdb
    Loaded symbol image file: iertutil.dll
    Image path: C:\Windows\System32\iertutil.dll
    Image name: iertutil.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Nov 26 10:38:35 2013 (52945E0B)
    CheckSum:         00219F87
    ImageSize:        00215000
    File version:     11.0.9600.16476
    Product version:  11.0.9600.16476
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Internet Explorer
    InternalName:     IeRtUtil.dll
    OriginalFilename: IeRtUtil.dll
    ProductVersion:   11.00.9600.16476
    FileVersion:      11.00.9600.16476 (winblue_gdr.131125-1806)
    FileDescription:  Run time utility for Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
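The disassembly above shows the pattern behind the crash: the scope pointer is loaded, the reference count is decremented unconditionally with lock xadd, the pointer is cleared when the count reaches zero, and the loaded pointer is then dereferenced without any check. The following is an added, portable C model of that path next to a guarded variant; it is not code from the report or from Microsoft. The global names g_pIsoScope and g_cIsoScopeRef follow the symbols in the dump, while the IsoScope layout, the acquire routine, the return codes and the guarded release are assumptions made for this demonstration.

```c
/* Added example: model of the reference-count underflow in the report.
 * g_pIsoScope / g_cIsoScopeRef follow the dump's symbols; everything else
 * (IsoScope layout, acquire routine, status codes, guarded variant) is an
 * assumption for this demonstration, not Microsoft's code. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

typedef struct IsoScope {
    int tag;        /* stand-in for the field the real code reads via [ecx] */
} IsoScope;

static IsoScope    g_scope_storage = { 0x1337 };   /* constructed scope object */
static IsoScope   *g_pIsoScope     = NULL;
static atomic_long g_cIsoScopeRef  = 0;

enum { REL_OK = 0, REL_UNDERFLOW = 1, REL_NULL_DEREF = 2 };

/* Assumed counterpart of the release: the first acquire installs the pointer. */
void iso_acquire_default_scope(void)
{
    if (atomic_fetch_add(&g_cIsoScopeRef, 1) == 0)
        g_pIsoScope = &g_scope_storage;
}

/* Mirrors the crashing path step by step (compare with the `u` output above). */
int iso_release_unguarded(void)
{
    IsoScope *p = g_pIsoScope;                                 /* mov ecx,[g_pIsoScope] */
    long newcount = atomic_fetch_sub(&g_cIsoScopeRef, 1) - 1;  /* lock xadd [eax],esi ; dec esi */
    if (newcount == 0)                                         /* neg/sbb/and: clear pointer on last ref */
        g_pIsoScope = NULL;
    /* The real function executes mov eax,[ecx] here with no check. When the
     * count was already zero, p is NULL and that is the access violation;
     * the model reports it instead of faulting. */
    if (p == NULL)
        return REL_NULL_DEREF;
    volatile int sink = p->tag;
    (void)sink;
    return REL_OK;
}

/* Hardened variant: never lets the count go below zero and never touches
 * the scope when there is nothing to release. */
int iso_release_guarded(void)
{
    long cur = atomic_load(&g_cIsoScopeRef);
    do {
        if (cur <= 0)
            return REL_UNDERFLOW;   /* unbalanced release: refuse, leave state intact */
    } while (!atomic_compare_exchange_weak(&g_cIsoScopeRef, &cur, cur - 1));

    IsoScope *p = g_pIsoScope;
    if (p == NULL)                  /* counter and pointer disagree: refuse rather than fault */
        return REL_NULL_DEREF;
    volatile int sink = p->tag;
    (void)sink;
    if (cur - 1 == 0)
        g_pIsoScope = NULL;
    return REL_OK;
}

/* Acquire once, release once (balanced), then release a second time, as the
 * dump shows happening on exit. Returns the second release's status and the
 * final counter value. */
int run_scenario(int (*release)(void), long *final_count)
{
    atomic_store(&g_cIsoScopeRef, 0);
    g_pIsoScope = NULL;
    iso_acquire_default_scope();
    (void)release();               /* balanced release: count 1 -> 0, pointer cleared */
    int status = release();        /* the extra release with the count already at zero */
    *final_count = atomic_load(&g_cIsoScopeRef);
    return status;
}

int main(void)
{
    long n;
    int s = run_scenario(iso_release_unguarded, &n);
    printf("unguarded: status=%d count=%ld (dump: g_cIsoScopeRef=ffffffff, ecx=0)\n", s, n);
    s = run_scenario(iso_release_guarded, &n);
    printf("guarded:   status=%d count=%ld\n", s, n);
    return 0;
}
```

The unguarded run ends with the counter at -1 (the ffffffff seen in `dd iertutil!g_cIsoScopeRef`) and a NULL pointer about to be dereferenced (ecx=00000000 in the `.ecxr` output); the guarded run rejects the extra release and leaves the counter at zero. The guarded version checks the count with a compare-and-swap loop rather than a plain read followed by a decrement, so the check and the decrement cannot be split by another thread.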
Posted by Microsoft on 1/6/2016 at 2:40 PM
Thank you for the feedback. Classic IE is intended to maintain a "compatibility promise" that it will be compatible with all apps, sites, etc. as it was before. We are only making security fixes and nothing that may risk that compat promise. Thus resolving this issue won't fix.
Thanks,
The MS Edge Team
Posted by Microsoft on 3/5/2014 at 8:03 AM
Thank you for your feedback!

We will be investigating this issue further.

Best Regards,
The Internet Explorer Team
Posted by Andrey Bazhan on 2/26/2014 at 2:18 AM
Hello,
That was a one-time crash, and who knows how many years it can take to crash again.
But the problem exists, and you can reproduce it by compiling and running this code:

#include <windows.h>
#include <tchar.h>

typedef VOID (WINAPI *PFN_ISORELEASEDEFAULTSCOPE)(DWORD);

PFN_ISORELEASEDEFAULTSCOPE IsoReleaseDefaultScope;

int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hModule;

    hModule = LoadLibrary(_T("iertutil"));

    if (hModule) {
        /* IsoReleaseDefaultScope is resolved by ordinal (528) rather than by name */
        IsoReleaseDefaultScope = (PFN_ISORELEASEDEFAULTSCOPE)GetProcAddress(hModule, (LPCSTR)528);

        /* In a fresh process the scope reference count is zero, so this
         * release decrements it below zero and dereferences a NULL scope pointer */
        if (IsoReleaseDefaultScope)
            IsoReleaseDefaultScope(0);
    }

    return 0;
}

Also, for a more thorough explanation, you can look here: http://www.andreybazhan.com/internet-explorer-11-one-time-crash-on-exit
Posted by Microsoft on 2/25/2014 at 12:52 PM
Hello Andrey Bazhan,
Thank you for providing feedback about IE. I do apologize for the crashes you have experienced and I would like to investigate the source of the crashes. We have been unsuccessful in our attempts to reproduce the issue. This could be caused by a number of environmental factors or differences in our test PC's and your PC.

If you are still able to reproduce the crash could you please download debug diag from http://support.microsoft.com/kb/2580960
1)    Once installed open debug diag and select the rule type 'Crash' and click next.
2)    Under Select target type select 'A specific process' and click next
3)    In the text box next to Selected Process please enter iexplore.exe and click next
4)    Under the Advanced Configuration please just click next
5)    Lastly in the Select Dump Location please take note of the location where the dump file will be written. You can change this to another location if you wish. Click Next then Click Finish.
Once you have reproduced the crash open the folder location from step 5 above. Locate the file ending in .dmp. Please compress (zip) this .dmp file(s) and upload them to connect. If the file is larger than 50mb compressed please update this bug and I will send you a private upload link.

Thank you for your assistance in the continued investigation of this issue.
Best regards,
The Internet Explorer Team