WinDbg dump file. STACK_TEXT Columns

What are the columns in the STACK_TEXT?

STACK_TEXT:
Child (saved) EBP ReturnAddress ??? ??? ??? ???
fffff880075a3c30 fffff96000b51b5e : 000000003c041764 0000000000000000 fffff900c00c5010 0000000000000000 : win32k!EngCombineRgn+0x52

In a WinDbg crash dump file.
What are the names (values) of the columns STACK_TEXT?
1.) I understand the ChildEBP
2.) I understand the Return Address

The only information I can find says (from an old post, 32-bit, after the Return Address) ‘First Three Parameters’.

The example above is from a 64-bit machine.

My original assumption is that the Return Address is now followed by the ‘First Four Parameters’, but this still does not make sense to me, where the only place in my code I call EngCombineRgn() is like this:
EngCombineRgn(ppdev->RegionHandle,ppdev->RegionHandle,AddThisRegion,RGN_OR);

If the columns are the first four parameters I would expect to see the same value twice (ppdev->RegionHandle,ppdev->RegionHandle).

Thanks in advance for any help, and is this documented somewhere?

In x64, the first 4 parameters are passed via registers; the stack won't make sense.

Hit enter too soon :( Yes, it is documented; google "x64 calling convention".

Calling convention

The x64 Application Binary Interface (ABI) uses a four register
fast-call calling convention by default.

https://msdn.microsoft.com/en-us/library/ms235286.aspx

If you want some help, try codemachine.com’s cmkd WinDbg extension.
It can parse the callee and would try to find the actual contents of
the registers when this function was called.

Thank you very much raj r!
Most helpful!
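
The point made in the replies, as an added example that is not part of the thread: on x64 the four values between the colons of a kb-style line (WinDbg's header labels them "Args to Child") are the stack home-space slots, which hold RCX, RDX, R8 and R9 only if the callee spilled them there. The Python code below parses such lines and applies the poster's own test (arguments 0 and 1 of the call are the same expression); the second sample frame and the name mydrv!DrvExample are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Set, Tuple

ADDR = r"[0-9a-f`]{16,17}"          # 64-bit value, with or without WinDbg's backtick
FRAME_RE = re.compile(
    rf"^\s*(?:[0-9a-f]{{2}}\s+)?"    # optional frame number, as printed by kb
    rf"({ADDR})\s+({ADDR})\s*:\s*"   # Child-SP, RetAddr
    rf"((?:{ADDR}\s+){{3}}{ADDR})\s*:\s*"  # four qwords of stack home space
    r"(\S+?)(?:\+0x([0-9a-f]+))?\s*$",     # module!symbol and optional offset
    re.IGNORECASE,
)

class Frame(NamedTuple):
    child_sp: int
    ret_addr: int
    home_slots: Tuple[int, ...]  # stack memory, not a snapshot of RCX, RDX, R8, R9
    symbol: str
    offset: int

def _qword(text: str) -> int:
    return int(text.replace("`", ""), 16)

def parse_stack_text(text: str) -> List[Frame]:
    """Parse x64 STACK_TEXT / kb lines; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            sp, ret, slots, sym, off = m.groups()
            frames.append(Frame(_qword(sp), _qword(ret),
                                tuple(_qword(s) for s in slots.split()),
                                sym, int(off, 16) if off else 0))
    return frames

def slots_could_be_args(frame: Frame, same_arg_groups: List[Set[int]]) -> bool:
    """False when positions that the source passes the same expression in hold
    different values, so the slots cannot be the register arguments.
    True only means 'not ruled out'."""
    return all(len({frame.home_slots[i] for i in g}) == 1 for g in same_arg_groups)

# Frame 1 is the line from the post; frame 2 is constructed (mydrv is hypothetical).
SAMPLE = """\
fffff880075a3c30 fffff96000b51b5e : 000000003c041764 0000000000000000 fffff900c00c5010 0000000000000000 : win32k!EngCombineRgn+0x52
01 fffff880`075a3c80 fffff960`00b51c00 : fffff900`c00c5010 fffff900`c00c5010 00000000`00000001 00000000`00000002 : mydrv!DrvExample+0x1a0
"""

if __name__ == "__main__":
    for f in parse_stack_text(SAMPLE):
        # EngCombineRgn(h, h, ...) passes the same handle in positions 0 and 1
        print(f.symbol, [hex(v) for v in f.home_slots], slots_could_be_args(f, [{0, 1}]))
```

For the frame from the post the check returns False: slots 0 and 1 differ, so they are not the two RegionHandle arguments.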