How is it possible that a sub instruction causes an invalid pointer read?

I have a crash dump with this code:

mov     r11,rsp
push    rdi
sub     rsp,0A0h
mov     qword ptr [rsp+30h],0FFFFFFFFFFFFFFFEh

It's the prologue of a function. So, !analyze -v says INVALID_POINTER_READ with the instruction sub. The AMD instruction set manual says that the sub instruction cannot produce any exceptions if its argument isn't a memory pointer.

Also, READ_ADDRESS is ffffffffffffffff, but in the registers window I can see that rsp is 12b3e0. And this is a 32-bit application on a 64-bit OS.

I want to know about possible reasons for this error and how to fix it.

UPD:

The method is std._Tree.insert(const value_type& _Val) in Microsoft Visual Studio 9.0\VC\include\xtree.

The compiler is cl.exe from a Visual Studio 2008 installation, 32-bit, version 15.00.30729.01.

Command line:

 /FD /EHsc /MD /GS- /Zc:wchar_t- /Yu"stdafx.h" /W3 /WX /nologo /c /Zi /TP /wd4250 /FI -Zm200 -MP -w34100 -w34189

The linker is from the same source, version 9.00.30729.01.

UPD: for those who have sceptical views on debugging 32-bit apps with 64-bit debuggers, I have run a 32-bit version of the debugger and got the same results. So, I still think that it's the sub instruction.

UPD: to clarify: the application is built for the 32-bit platform. But the processor and operating system are 64-bit. So there is nothing strange about seeing 64-bit registers with 32-bit values in the dump.

cassandrad asked Nov 02 '22 08:11


1 Answer

Something else is going on. There is no memory read operation within that entire set of opcodes. You only have two writes (the push and the mov). Your alignment is fine, and placing the immediate qword value -2 is being done in a region of the stack that should be OK.

The bitness of the OS and opcodes has nothing to do with this. I use 64-bit registers all the time. It is just like using 32-bit when everything was 16-bit.

Look someplace else.

user3575124 answered Nov 09 '22 08:11
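As an added example (not code from the question or the answer), here is a small Python tracer that walks the quoted prologue from a known rsp and lists which instructions touch memory and whether they read or write. It assumes the rsp value 12b3e0 from the registers window is the value on entry to the prologue, and it understands only the base[+/-disp] addressing the prologue uses. Run on the four lines above it reports two writes (the push and the mov to [rsp+30h]) and no reads, so a READ_ADDRESS of ffffffffffffffff cannot be produced by any of these instructions; the faulting access has to be found elsewhere in the dump.

```python
import re

# Constructed sample input: the four prologue lines quoted in the question,
# in WinDbg/MASM syntax (hex immediates carry a trailing 'h').
PROLOGUE = """\
mov     r11,rsp
push    rdi
sub     rsp,0A0h
mov     qword ptr [rsp+30h],0FFFFFFFFFFFFFFFEh
"""

MASK64 = (1 << 64) - 1
MEM_RE = re.compile(r'\[([^\]]+)\]')                            # bracketed memory operand
ADDR_RE = re.compile(r'(\w+)\s*(?:([+-])\s*([0-9A-Fa-f]+h?))?')  # base[+/-disp] only


def parse_imm(tok):
    """MASM immediate: trailing 'h' means hex, otherwise decimal."""
    tok = tok.strip()
    return int(tok[:-1], 16) if tok[-1] in 'hH' else int(tok, 10)


def parse_line(line):
    """Split 'mnemonic  op1,op2' into ('mnemonic', ['op1', 'op2'])."""
    parts = line.split(None, 1)
    mnemonic = parts[0].lower()
    operands = [op.strip() for op in parts[1].split(',')] if len(parts) > 1 else []
    return mnemonic, operands


def effective_address(memexpr, regs):
    """Resolve 'reg' / 'reg+imm' / 'reg-imm' against the tracked registers."""
    m = ADDR_RE.fullmatch(memexpr.strip())
    if not m:
        raise ValueError(f'unsupported address expression: {memexpr}')
    base, sign, disp = m.groups()
    addr = regs[base.lower()]
    if disp:
        addr += -parse_imm(disp) if sign == '-' else parse_imm(disp)
    return addr & MASK64


def step(line, regs):
    """Return the (kind, address) memory accesses one instruction performs and
    update the tracked registers so later effective addresses are right."""
    mn, ops = parse_line(line)
    accesses = []
    if mn == 'push':                       # implicit 8-byte write below rsp
        regs['rsp'] = (regs['rsp'] - 8) & MASK64
        accesses.append(('write', regs['rsp']))
        return accesses
    for i, op in enumerate(ops):           # explicit [mem] operands
        m = MEM_RE.search(op)
        if m and mn != 'lea':              # lea only computes an address
            accesses.append(('write' if i == 0 else 'read',
                             effective_address(m.group(1), regs)))
    # register-only effects on the registers we track (no memory involved)
    if ops and not MEM_RE.search(ops[0]):
        dst = ops[0].lower()
        if mn == 'mov' and ops[1].lower() in regs:
            regs[dst] = regs[ops[1].lower()]
        elif mn in ('sub', 'add') and dst in regs and not MEM_RE.search(ops[1]):
            d = parse_imm(ops[1])
            regs[dst] = (regs[dst] - d if mn == 'sub' else regs[dst] + d) & MASK64
    return accesses


def memory_accesses(asm, rsp):
    """Trace a block of disassembly from a known rsp; returns
    [(instruction, [(kind, address), ...]), ...]."""
    regs = {'rsp': rsp}
    trace = []
    for line in asm.splitlines():
        if line.strip():
            trace.append((line.strip(), step(line, regs)))
    return trace


def read_addresses(asm, rsp):
    """Every address the block reads; an empty list means no instruction in
    the block can raise a read fault, so the fault must come from elsewhere."""
    return [a for _, acc in memory_accesses(asm, rsp) for kind, a in acc if kind == 'read']


def explains_fault(asm, rsp, fault_addr):
    """True only if some instruction in the block reads fault_addr."""
    return fault_addr in read_addresses(asm, rsp)


if __name__ == '__main__':
    # rsp from the question's registers window (assumed: value on entry to the
    # prologue) and the READ_ADDRESS that !analyze reported.
    for insn, acc in memory_accesses(PROLOGUE, 0x12b3e0):
        desc = ', '.join(f'{k} [{a:#x}]' for k, a in acc) or 'no memory access'
        print(f'{insn:<48} {desc}')
    print('fault explained by this block:',
          explains_fault(PROLOGUE, 0x12b3e0, 0xFFFFFFFFFFFFFFFF))
```

The tracer deliberately stops at the addressing form the prologue uses; a scaled-index operand raises ValueError rather than silently misclassifying it, which is the right failure mode when the output is used to decide where a crash really came from.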