Re: Help on bugcheck 0xA
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxx>
- Date: Tue, 26 Sep 2006 11:36:54 -0400
In all likelihood newData is messed up, for instance a value of 1, which
would at some point be rounded down to zero. Put a debug print in front of
the if to display the value. VerifierFreePoolWithTag is a wrapper around
ExFreePoolWithTag so look at that for the prototype. This is a general
convention that VerifierXXX becomes YyXXX where Yy is one of the standard
kernel prefixes.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply
"Raj" <Raj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:138CEEBB-58F5-45B3-B81A-7D1A957E4F16@xxxxxxxxxxxxxxxx
I am developing a device driver for 1394. I came across this crash during development. Can someone give me pointers on how I can debug this? I am using WinDbg 6.6.7.5. Target is a Windows XP SP2 machine.
I understand that ExFreePool() is causing this bugcheck. I enabled special pool using gflags.exe.
1) I am using non paged pool memory and have no paged memory. I know using a local variable in a kernel function will not violate IRQL rules.
2) I don't understand IRQL = 2. This is the function called as a result of DeviceIoControl and from the dispatch function. So I was expecting this code to run at PASSIVE_LEVEL and not DISPATCH level. Even if it runs at Dispatch level, I can't see what is wrong.
3) I am thinking the memory pointer is valid and the bugcheck may be because of memory corruption (buffer overrun) by some other part of the code. How can I confirm this is the case?
4) What is the function prototype of 'VerifierFreePoolWithTag'? Where can I find the function prototypes and structure definitions that are not in the WDK documentation?
I went to Azius debugger training and improved some skills but this is a long process of understanding system debugging.
Thanks,
Raj
==================================================
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 0, 80531798}
*** WARNING: Unable to verify checksum for SpawnApps.exe
*** ERROR: Module load completed but symbols could not be loaded for SpawnApps.exe
Probably caused by : sfbXp.sys ( sfbXp!t1394_SfbAsyncWrite+2d7 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3
kd> !analyze -v
************************************************************
* Bugcheck Analysis
************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80531798, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExpCheckForResource+48
80531798 8b36 mov esi,dword ptr [esi]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: SpawnApps.exe
TRAP_FRAME: f212ea74 -- (.trap fffffffff212ea74)
ErrCode = 00000000
eax=8055b788 ebx=00000040 ecx=88855000 edx=00000000 esi=00000000 edi=88854fc0
eip=80531798 esp=f212eae8 ebp=f212eaf4 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!ExpCheckForResource+0x48:
80531798 8b36            mov     esi,dword ptr [esi]  ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f780d to 80526da8
FOLLOWUP_IP:
sfbXp!t1394_SfbAsyncWrite+2d7 [driver\1394diag\sfbdrv.c @ 744]
f65d59e7 397dfc cmp dword ptr [ebp-4],edi
FAULTING_SOURCE_CODE:
   740:
   741:     if(newData)
   742:         ExFreePool(newData);
   743:
   744:     if(aIrp)
   745:         IoFreeIrp(aIrp);
   749:     return(ntStatus);
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: sfbXp!t1394_SfbAsyncWrite+2d7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: sfbXp
IMAGE_NAME: sfbXp.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45140475
FAILURE_BUCKET_ID: 0xA_VRF_sfbXp!t1394_SfbAsyncWrite+2d7
BUCKET_ID: 0xA_VRF_sfbXp!t1394_SfbAsyncWrite+2d7
Followup: MachineOwner
---------
kd> .trap fffffffff212ea74
ErrCode = 00000000
eax=8055b788 ebx=00000040 ecx=88855000 edx=00000000 esi=00000000 edi=88854fc0
eip=80531798 esp=f212eae8 ebp=f212eaf4 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!ExpCheckForResource+0x48:
80531798 8b36            mov     esi,dword ptr [esi]  ds:0023:00000000=????????
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
f212eaf4 80657e35 00854fc0 00000000 c0120090 nt!ExpCheckForResource+0x48 (FPO: [Non-Fpo])
f212eb0c 8064c49c 88854fc0 f212eb44 f65d59e7 nt!ExFreePoolSanityChecks+0x4d (FPO: [Non-Fpo])
f212eb18 f65d59e7 88854fc0 00000000 f212eb60 nt!VerifierFreePoolWithTag+0x1c (FPO: [Non-Fpo])
f212eb44 f65d72d2 862a1d18 88078ed8 ffffffc0 sfbXp!t1394_SfbAsyncWrite+0x2d7 (FPO: [Non-Fpo]) (CONV: stdcall) [driver\1394diag\sfbdrv.c @ 744]
f212eb98 f65d352d 862a1d18 88078ed8 862a1df8 sfbXp!t1394_sfbPendingRequestAtDriver+0x21c (FPO: [Non-Fpo]) (CONV: stdcall) [driver\1394diag\sfbdrv.c @ 468]
f212ebc8 804eddf9 862a1d18 00000a08 806d02e8 sfbXp!t1394Diag_IoControl+0x71d (FPO: [Non-Fpo]) (CONV: stdcall) [driver\1394diag\ioctl.c @ 664]
f212ebd8 8064b5a8 88078fd0 88078ff4 860ec1d0 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f212ebfc 80655fd6 860ec118 8653fe30 88078e00 nt!IovCallDriver+0xa0 (FPO: [Non-Fpo])
f212ec10 804eddf9 860ec118 88078ed8 806d02e8 nt!ViDriverDispatchGeneric+0x2a (FPO: [Non-Fpo])
f212ec20 8064b5a8 85e3b810 806d02d0 88078ed8 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f212ec44 80573b3a 88078fd8 8630fc58 88078ed8 nt!IovCallDriver+0xa0 (FPO: [Non-Fpo])
f212ec58 805749c9 860ec118 88078ed8 8630fc58 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
f212ed00 8056d326 000000f4 00000000 00000000 nt!IopXxxControlFile+0x5e7 (FPO: [Non-Fpo])
f212ed34 8053c808 000000f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
f212ed34 7c90eb94 000000f4 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f212ed64)
0012c268 7c90d8ef 7c801671 000000f4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012c26c 7c801671 000000f4 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc (FPO: [10,0,0])
0012c2cc 00353f21 000000f4 002220f0 0012c340 kernel32!DeviceIoControl+0xdd (FPO: [Non-Fpo])
0012c308 00341c99 0012d408 002220f0 0012c340 sfbapi!RetryDeviceIo+0x101 (FPO: [Non-Fpo]) (CONV: stdcall) [1394api\sfbdllutil.c @ 2605]
0012d368 0034218c 00120003 00000000 00000000 sfbapi!SFB_GetAppsInfoOnNode+0x259
.
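Added example, written for this archive page; it is not code from the thread, from Don's reply, or from the sfbXp driver. The stack above shows the kernel's own sanity check (nt!ExpCheckForResource, reached through VerifierFreePoolWithTag) faulting on a null esi while validating the block that `ExFreePool(newData)` handed it, and Don's suggestion is to look at the value of newData before the free. The block below is a user-mode stand-in in C for that kind of check: a free wrapper that refuses values the allocator never returned (such as a stray 1 sitting in a pointer variable, which passes `if(newData)`), reports double frees and tag mismatches, and detects a trailing overrun with a canary, the same idea behind the special pool guard Raj enabled with gflags. Every name here (tracked_alloc, tracked_free, POOL_TAG, the free_result codes) and the inputs in main are assumptions constructed for the example; in a real driver each non-OK case is a bugcheck rather than a return code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ALLOCS 64
#define CANARY     0xD1D2D3D4u
#define POOL_TAG   0x54736642u   /* constructed tag for the example */

/* Result of a guarded free. In the kernel, every non-OK case is a bugcheck. */
typedef enum {
    FREE_OK = 0,
    FREE_NULL,          /* NULL: the if (newData) guard already handles this */
    FREE_NOT_POINTER,   /* small or misaligned value, e.g. 1: a count or flag, not an address */
    FREE_UNKNOWN,       /* never handed out by tracked_alloc: a wild pointer */
    FREE_DOUBLE,        /* handed out earlier, but already freed */
    FREE_TAG_MISMATCH,  /* freed with a different tag than it was allocated with */
    FREE_OVERRUN        /* trailing canary clobbered: the owner overran its buffer */
} free_result;

typedef struct {
    void    *ptr;
    size_t   size;   /* bytes the caller asked for; the canary sits right after them */
    uint32_t tag;
    int      live;
} alloc_rec;

static alloc_rec g_table[MAX_ALLOCS];   /* bookkeeping, standing in for the pool's block headers */

/* Allocate size bytes plus a trailing canary and record the allocation. */
void *tracked_alloc(size_t size, uint32_t tag)
{
    int slot = -1;
    for (int i = 0; i < MAX_ALLOCS && slot < 0; i++)   /* prefer never-used slots ... */
        if (g_table[i].ptr == NULL) slot = i;
    for (int i = 0; i < MAX_ALLOCS && slot < 0; i++)   /* ... then recycle dead ones */
        if (!g_table[i].live) slot = i;
    if (slot < 0) return NULL;

    unsigned char *p = malloc(size + sizeof(uint32_t));
    if (p == NULL) return NULL;
    uint32_t c = CANARY;
    memcpy(p + size, &c, sizeof c);
    g_table[slot] = (alloc_rec){ p, size, tag, 1 };
    return p;
}

/* Validate p before releasing it; never dereference an unvetted value. */
free_result tracked_free(void *p, uint32_t tag)
{
    if (p == NULL) return FREE_NULL;
    uintptr_t v = (uintptr_t)p;
    if (v < 4096 || (v & (sizeof(void *) - 1)) != 0)  /* 1, 2, ... are not pool addresses */
        return FREE_NOT_POINTER;

    alloc_rec *rec = NULL, *dead = NULL;
    for (int i = 0; i < MAX_ALLOCS; i++) {
        if (g_table[i].ptr != p) continue;
        if (g_table[i].live) { rec = &g_table[i]; break; }
        dead = &g_table[i];
    }
    if (rec == NULL) return dead ? FREE_DOUBLE : FREE_UNKNOWN;
    if (rec->tag != tag) return FREE_TAG_MISMATCH;   /* block stays live; nothing is freed */

    uint32_t c;
    memcpy(&c, (unsigned char *)p + rec->size, sizeof c);
    rec->live = 0;    /* mark dead before freeing so a second free of p is reported as such */
    free(p);
    return c == CANARY ? FREE_OK : FREE_OVERRUN;
}

int main(void)
{
    /* The pattern Don describes: newData holds 1, so "if (newData)" is true,
       yet the value was never returned by the allocator. (constructed input) */
    void *newData = (void *)(uintptr_t)1;
    if (newData)
        printf("free of 1          -> %d (FREE_NOT_POINTER is %d)\n",
               tracked_free(newData, POOL_TAG), FREE_NOT_POINTER);

    /* Raj's third question: an overrun by some other piece of code. (constructed input) */
    char *buf = tracked_alloc(8, POOL_TAG);
    if (buf == NULL) return 1;
    memset(buf, 'A', 12);                 /* writes 4 bytes past the 8 requested */
    printf("free after overrun -> %d (FREE_OVERRUN is %d)\n",
           tracked_free(buf, POOL_TAG), FREE_OVERRUN);
    return 0;
}
```

The order of checks matters: the cheap sanity tests on the raw value come first, the table lookup second, and the canary is read only after the block is known to be a live allocation, so the wrapper itself never touches memory it has not vetted. That is the same discipline the verifier's free path is following when it faults here, which is why the bad value has to be caught in the driver before the call.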
- Follow-Ups:
- Re: Help on bugcheck 0xA
- From: Raj
- Re: Help on bugcheck 0xA
- References:
- Help on bugcheck 0xA
- From: Raj
- Help on bugcheck 0xA