Possible wrong callstack with KERNELBASE!_EH4_GlobalUnwind

[derekbruening]

From zhao...@google.com on November 15, 2013 17:01:42

Some callstack has KERNELBASE!_EH4_GlobalUnwind

#0 system call NtGdiSelectBitmap ^M
#1 GDI32.dll!SelectObject^M
#2 USER32.dll!BitmapFromDIB^M
#3 USER32.dll!ConvertDIBBitmap^M
#4 USER32.dll!CopyBmp ^M
#5 USER32.dll!CopyIcoCur^M
#6 USER32.dll!InternalCopyImage^M
#7 USER32.dll!__ClientCopyImage^M
#8 KERNELBASE.dll!_EH4_GlobalUnwind^M
#9 USER32.dll!VerNtUserCreateWindowEx^M
#10 USER32.dll!_CreateWindowEx^M
#11 USER32.dll!CreateWindowExW^M
#12 USER32.dll!CreateIMEUI^M

The KERNELBASE.dll!_EH4_GlobalUnwind is likely to be wrong.
From the asm code
KERNELBASE!_EH4_GlobalUnwind:
755b72da 55 push ebp
755b72db 8bec mov ebp,esp
755b72dd 53 push ebx
755b72de 56 push esi
755b72df 57 push edi
755b72e0 6a00 push 0x0
755b72e2 6a00 push 0x0
755b72e4 68ef725b75 push 0x755b72ef
755b72e9 51 push ecx
755b72ea e891020000 call KERNELBASE!RtlUnwind (755b7580)
755b72ef 5f pop edi
755b72f0 5e pop esi
755b72f1 5b pop ebx
755b72f2 5d pop ebp
755b72f3 c3 ret
It may caused by this "push 0x755b72ef".

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1385

[derekbruening]

From zhao...@google.com on November 15, 2013 14:04:59

Another example:
kernel32!_EH4_GlobalUnwind:
753dd7a2 55 push ebp
753dd7a3 8bec mov ebp,esp
753dd7a5 53 push ebx
753dd7a6 56 push esi
753dd7a7 57 push edi
753dd7a8 6a00 push 0x0
753dd7aa 6a00 push 0x0
753dd7ac 68b7d73d75 push 0x753dd7b7
753dd7b1 51 push ecx
753dd7b2 e823690700 call kernel32!RtlUnwind (754540da)
753dd7b7 5f pop edi
753dd7b8 5e pop esi
753dd7b9 5b pop ebx
753dd7ba 5d pop ebp
753dd7bb c3 ret

[derekbruening]

From zhao...@google.com on November 15, 2013 14:17:10

For such kind of thing, maybe we can find the code patter something like:
push ret_addr
push ecx
call
ret_addr:
pop edi
maintain a list of ret_addr, and tell the callstack component to ignore those ret_addr?