How do I locate the cause of pool corruption?


From: Harshal (harshal_at_gmail.com)
Date: 12/21/04


Date: 21 Dec 2004 10:00:26 -0800

Hi,

I get the following bugchecks (from a couple of different runs) when I
run my driver under the driver verifier. The stack trace does not
mention my driver but I am sure that is what caused the problem. How do
I find out which piece of code caused this problem?

I print out the address of all the IRPs I use but the output does not
include the address mentioned in the first bugcheck.

Thanks for your help.

Regards,
- Harshal

1/ BugCheck #1

DRIVER_CORRUPTED_EXPOOL (c5)
Arg1: 00030100, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8053e5e3, address which referenced memory

Debugging Details:
------------------

OVERLAPPED_MODULE: rdbss

BUGCHECK_STR: 0xC5_2

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExDeferredFreePool+fb
8053e5e3 8913 mov [ebx],edx

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8053e5c8 to 8053e5e3

IRP_ADDRESS: 8493ef68

DEVICE_OBJECT: 83650f18

DRIVER_OBJECT: 83651930

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: ec7e6000 tcpip

STACK_TEXT:
f75b6958 8053e5c8 831c7008 8355f218 839b1318 nt!ExDeferredFreePool+0xfb
f75b6990 804f54a4 839b1008 00000000 8493efa8 nt!ExFreePoolWithTag+0x413
f75b69e4 804f4f93 8493efa8 f75b6a30 f75b6a24 nt!IopCompleteRequest+0xf4
f75b6a34 806cf38c 00000000 00000000 f75b6a4c nt!KiDeliverApc+0xb1
f75b6a34 806ca023 00000000 00000000 f75b6a4c hal!HalpApcInterrupt2ndEntry+0x31
f75b6ac0 804f4eab 8493efa8 8493ef68 00000000 hal!KfLowerIrql+0x43
f75b6ae0 804f4fad 8493efa8 8355f218 00000000 nt!KeInsertQueueApc+0x49
f75b6b14 80649736 00000000 8493ef68 839b1008 nt!IopfCompleteRequest+0x1d7
f75b6b7c ec7f2620 8493ef68 00000000 8493efd8 nt!IovCompleteRequest+0x90
f75b6ba0 ec7ecd50 8493ef68 0093efd8 00000000 tcpip!GetInterfaceInfo+0xe0
f75b6bc4 ec829822 8493ef68 8493efd8 83650f18 tcpip!IPDispatchDeviceControl+0x5e2
f75b6bd8 ec7ebd4b 83650f18 8493ef68 83650f18 tcpip!IPDispatch+0x37
f75b6c10 804ecd5a 83650f18 8493ef68 806ca214 tcpip!TCPDispatch+0x127
f75b6c20 80649111 831f1a50 806c9fe0 8493ef68 nt!IopfCallDriver+0x31
f75b6c44 8058c958 8493efd8 8355f218 8493ef68 nt!IovCallDriver+0x9e
f75b6c58 8058d544 83650f18 8493ef68 8355f218 nt!IopSynchronousServiceTail+0x5e
f75b6d00 8059a155 000002f8 000001e0 00000000 nt!IopXxxControlFile+0x5ec
f75b6d34 804da1dd 000002f8 000001e0 00000000 nt!NtDeviceIoControlFile+0x28
f75b6d34 7ffe0304 000002f8 000001e0 00000000 nt!KiSystemService+0xc4
00f7f504 77f5b864 76d61400 000002f8 000001e0 SharedUserData!SystemCallStub+0x4
00f7f508 76d61400 000002f8 000001e0 00000000 ntdll!ZwDeviceIoControlFile+0xc
00f7f550 76d614f4 000002f8 00120040 00000000 iphlpapi!TCPSendIoctl+0x51
00f7f5d8 76d615bc 0137b008 00f7f60c 00f7fb18 iphlpapi!GetInterfaceInfo+0x85
00f7f610 76d61d00 00000000 01377008 00000000 iphlpapi!GetAdapterOrderMap+0xb3
00f7f860 76d61c5b 00f7fb18 01346f58 013a2008 iphlpapi!GetAdapterList+0x2f
00f7f894 76d61fad 00000000 01346f58 013a2008 iphlpapi!GetAdapterInfo+0x1f
00f7f8e8 75d38788 013a2008 00f7fb18 00000000 iphlpapi!GetAdapterInfoEx+0x1c
00f7fb10 75d3c196 000007a8 001637e0 00f7fc10 NETSHELL!HrGetAutoNetSetting+0x64
00f7fbd0 75d3a044 00f7fbec 00000001 0016c038 NETSHELL!CLanStatEngine::HrUpdateData+0x15d
00f7fbf4 75d36454 01346f68 00f7fc10 00f7fca0 NETSHELL!CNetStatisticsEngine::UpdateStatistics+0x2b
00f7fc18 75d37393 0007dec5 75d3735f 001547b8 NETSHELL!CNetStatisticsCentral::RefreshStatistics+0x4c
00f7fc2c 77d43a50 00000000 00000113 00007f9d NETSHELL!CNetStatisticsCentral::TimerCallback+0x34
00f7fc58 77d442c5 75d3735f 00000000 00000113 USER32!InternalCallWinProc+0x1b
00f7fcc0 77d43e6f 00000000 75d3735f 00000000 USER32!UserCallWinProc+0xf3
00f7fd18 77d43ddf 00f7fd6c 00000000 74b015d7 USER32!DispatchMessageWorker+0x10e
00f7fd24 74b015d7 00f7fd6c 771c301d 74b00000 USER32!DispatchMessageW+0xb
00f7fd90 74b02f1b 74b00000 00000000 00020108 stobject!SysTrayMain+0x175
00f7ffb4 77e7d28e 00000000 771c301d 00a2f580 stobject!CSysTray::SysTrayThreadProc+0x45
00f7ffec 00000000 74b02ed6 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!ExDeferredFreePool+fb
8053e5e3 8913 mov [ebx],edx

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: Pool_corruption

SYMBOL_NAME: nt!ExDeferredFreePool+fb

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+fb

BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+fb

Followup: Pool_corruption
---------

2/ BugCheck #2
IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 000000b8, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804dddc2, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 000000b8

CURRENT_IRQL: 2

FAULTING_IP:
nt!MiSessionOutSwapProcess+23
804dddc2 ff00 inc dword ptr [eax]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 804dde30 to 804dddc2

TRAP_FRAME: f9c87cf4 -- (.trap fffffffff9c87cf4)
ErrCode = 00000002
eax=000000b8 ebx=81484000 ecx=00000000 edx=00000000 esi=00000020 edi=81484020
eip=804dddc2 esp=f9c87d68 ebp=f9c87da4 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!MiSessionOutSwapProcess+0x23:
804dddc2 ff00 inc dword ptr [eax]
Resetting default scope

STACK_TEXT:
f9c87d6c 804dde30 81484020 81484060 f9c87da4 nt!MiSessionOutSwapProcess+0x23
f9c87d84 804def43 81484020 00000000 81946b30 nt!MmOutSwapProcess+0x20
f9c87da4 804def71 00484068 8057dfe1 00000000 nt!KiOutSwapProcesses+0x58
f9c87dac 8057dfe1 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x5d
f9c87ddc 80512c12 804eb368 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!MiSessionOutSwapProcess+23
804dddc2 ff00 inc dword ptr [eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!MiSessionOutSwapProcess+23

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 40d1d336

STACK_COMMAND: .trap fffffffff9c87cf4 ; kb

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_W_VRF_nt!MiSessionOutSwapProcess+23

BUCKET_ID: 0xA_W_VRF_nt!MiSessionOutSwapProcess+23
Followup: MachineOwner
---------


