The last few days have been spent debugging a very strange problem. An application built for i386 running on Windows crashed, with the top of the callstack completely corrupted and the instruction pointer in a nonsense location.

After some effort, I rebuilt the callstack and was able to determine how the IP ended up in the nonsense location. An instruction in boost shared pointer code attempts to call a function defined in my DLLs import address table using an incorrect offset. The instruction looks like:

call dword ptr [nonsense offset into import address table]

As a result, execution ended up in a bad location that was, unfortunately, executable. Execution then proceeded, gobbling up the top of the stack until eventually crashing.

By launching the identical application on my PC, and stepping into the problematic code, I can find the same call instruction and see it’s supposed to by calling msvc100’s ‘new’ operator.

Further comparing the minidump from the client’s PC to my PC, I found that my PC was calls a function with an offset of 0x0254 into the address table. On the clients PC, the code is trying to invoke a function with an offset of 0x8254.

What’s even more confusing is that this offset is not coming from a register or another memory location. The offset is a constant in the disassembly. So, the disassembly looks like:

call dword ptr [ 0x50018254 ]

not like:

call dword ptr [ edx ]

Does anyone know how this might happen?