|
|
|
The DRIVER_VERIFIER_DETECTED_VIOLATION bug check has a value of 0x000000C4. This is the general bug check code for fatal errors found by Driver Verifier.
The four bug check parameters are displayed on the blue screen. Parameter 1 identifies the type of violation.
The following parameters are general Driver Verifier violation codes:
| Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of Error |
|---|---|---|---|---|
| 0x00 | Current IRQL | Pool type | 0 | The driver requested a zero-byte pool allocation. |
| 0x01 | Current IRQL | Pool type | Size of allocation, in bytes | The driver attempted to allocate paged memory at an IRQL above APC_LEVEL. |
| 0x02 | Current IRQL | Pool type | Size of allocation, in bytes | The driver attempted to allocate nonpaged memory at an IRQL above DISPATCH_LEVEL. |
| 0x10 | Bad Address | 0 | 0 | The driver attempted to free an address that was not returned from an allocate call. |
| 0x11 | Current IRQL | Pool type | Address of pool | The driver attempted to free paged pool at an IRQL above APC_LEVEL. |
| 0x12 | Current IRQL | Pool type | Address of pool | The driver attempted to free nonpaged pool at an IRQL above DISPATCH_LEVEL. |
| 0x13 or 0x14 |
Reserved | Pointer to pool header | Pool header contents | The driver attempted to free memory pool which was already freed. |
| 0x15 | Timer entry | Pool type (-1 for special pool) | Pool address being freed | The driver attempted to free pool which contains an active timer. |
| 0x16 | Reserved | Pool address | 0 | The driver attempted to free pool at a bad address (or passed invalid parameters to a memory routine). |
| 0x17 | Resource entry | Pool type (-1 for special pool) | Pool address being freed | The driver attempted to free pool which contains an active ERESOURCE. |
| 0x30 | Current IRQL | Requested IRQL | 0 | The driver passed an invalid parameter to KeRaiseIrql.
(The parameter was either a value lower than the current IRQL, or a value higher than HIGH_LEVEL. This may be the result of using an uninitialized parameter.) |
| 0x31 | Current IRQL | Requested IRQL | 0 | The driver passed an invalid parameter to KeLowerIrql.
(The parameter was either a value higher than the current IRQL, or a value higher than HIGH_LEVEL. This may be the result of using an uninitialized parameter.) |
| 0x32 | Current IRQL | Spin lock address | 0 | The driver called KeReleaseSpinLock at an IRQL other than DISPATCH_LEVEL.
(This may be due to a double-release of a spin lock.) |
| 0x33 | Current IRQL | Fast mutex address | 0 | The driver attempted to acquire fast mutex at an IRQL above APC_LEVEL. |
| 0x34 | Current IRQL | Fast mutex address | 0 | The driver attempted to release fast mutex at an IRQL other than APC_LEVEL. |
| 0x35 | Current IRQL | Spin lock address | Old IRQL | The kernel released a spin lock when not at DISPATCH_LEVEL. |
| 0x36 | Current IRQL | Spin lock number | Old IRQL | The kernel released a queued spin lock when not at DISPATCH_LEVEL. |
| 0x37 | Current IRQL | Thread APC disable count | Resource | The driver tried to acquire a resource, but APCs are not disabled. |
| 0x38 | Current IRQL | Thread APC disable count | Resource | The driver tried to release a resource, but APCs are not disabled. |
| 0x39 | Current IRQL | Thread APC disable count | Mutex | The driver tried to acquire a mutex "unsafe", but the IRQL was not APC_LEVEL on entry. |
| 0x3A | Current IRQL | Thread APC disable count | Mutex | The driver tried to release a mutex "unsafe", but the IRQL was not APC_LEVEL on entry. |
| 0x3B | Current IRQL | Object to wait on | Timeout parameter | The driver called KeWaitXxx at an IRQL of DISPATCH_LEVEL or higher.
(This is permitted only if the driver already owns the DISPATCHER lock and it passes a timeout value of zero to the routine.) |
| 0x3C | Handle passed to routine | Object type | 0 | The driver called ObReferenceObjectByHandle with a bad handle. |
| 0x3D | 0 | 0 | Address of the bad resource | The driver passed a bad (unaligned) resource to ExAcquireResourceExclusive. |
| 0x40 | Current IRQL | Spin lock address | 0 | The driver called KeAcquireSpinLockAtDpcLevel at an IRQL other than DISPATCH_LEVEL. |
| 0x41 | Current IRQL | Spin lock address | 0 | The driver called KeReleaseSpinLockFromDpcLevel at an IRQL other than DISPATCH_LEVEL. |
| 0x42 | Current IRQL | Spin lock address | 0 | The driver called KeAcquireSpinLock at an IRQL above DISPATCH_LEVEL. |
| 0x6F | MDL address | Physical page being locked | Highest physical page in the system | The driver passed a page to MmProbeAndLockPages that was not in the PFN database.
(This often results from a driver that attempts to lock its own private dualport RAM. Such behavior can corrupt memory on machines with noncontiguous physical RAM.) |
| 0x70 | Current IRQL | MDL address | Access mode | The driver called MmProbeAndLockPages at an IRQL above DISPATCH_LEVEL. |
| 0x71 | Current IRQL | MDL address | Process address | The driver called MmProbeAndLockProcessPages at an IRQL above DISPATCH_LEVEL. |
| 0x72 | Current IRQL | MDL address | Process address | The driver called MmProbeAndLockSelectedPages at an IRQL above DISPATCH_LEVEL. |
| 0x73 | Current IRQL | Low 32 bits of the physical address (all 64 bits in Win64) | Number of bytes | The driver called MmMapIoSpace at an IRQL above DISPATCH_LEVEL. |
| 0x74 | Current IRQL | MDL address | Access mode | The driver called MmMapLockedPages in kernel mode at an IRQL above DISPATCH_LEVEL. |
| 0x75 | Current IRQL | MDL address | Access mode | The driver called MmMapLockedPages in user mode at an IRQL above APC_LEVEL. |
| 0x76 | Current IRQL | MDL address | Access mode | The driver called MmMapLockedPagesSpecifyCache in kernel mode at an IRQL above DISPATCH_LEVEL. |
| 0x77 | Current IRQL | MDL address | Access mode | The driver called MmMapLockedPagesSpecifyCache in user mode at an IRQL above APC_LEVEL. |
| 0x78 | Current IRQL | MDL address | 0 | The driver called MmUnlockPages at an IRQL above DISPATCH_LEVEL. |
| 0x79 | Current IRQL | Virtual address being unmapped | MDL address | The driver called MmUnmapLockedPages in kernel mode at an IRQL above DISPATCH_LEVEL. |
| 0x7A | Current IRQL | Virtual address being unmapped | MDL address | The driver called MmUnmapLockedPages in user mode at an IRQL above APC_LEVEL. |
| 0x7B | Current IRQL | Virtual address being unmapped | Number of bytes | The driver called MmUnmapIoSpace at an IRQL above APC_LEVEL. |
| 0x7C | MDL address | MDL flags | 0 | The driver called MmUnlockPages, and passed an MDL whose pages were never successfully locked. |
| 0x7D | MDL address | MDL flags | 0 | The driver called MmUnlockPages, and passed an MDL whose pages are from nonpaged pool.
(These should never be unlocked.) |
| 0x80 | Current IRQL | Event address | 0 | The driver called KeSetEvent at an IRQL above DISPATCH_LEVEL. |
| 0x81 | MDL address | MDL flags | 0 | The driver called MmMapLockedPages.
(You should use MmMapLockedPagesSpecifyCache instead, with the BugCheckOnFailure parameter set to FALSE.) |
| 0x82 | MDL address | MDL flags | 0 | The driver called MmMapLockedPagesSpecifyCache with the BugCheckOnFailure parameter equal to TRUE.
(This parameter should be set to FALSE.) |
| 0x83 | Start of physical address range to map | Number of bytes to map | First page frame number that isn't locked down | The driver called MmMapIoSpace without having locked down the MDL pages. |
| 0x84 | Start of physical address range to map | Number of bytes to map | First page frame number that is on the free list | The driver called MmMapIoSpace without having locked down the MDL pages (or after freeing the MDL pages). |
| 0x85 | MDL address | Number of pages to map | First page frame number that isn't locked down | The driver called MmMapLockedPages without having locked down the MDL pages. |
| 0x86 | MDL address | Number of pages to map | First page frame number that is on the free list | The driver called MmMapLockedPages without having locked down the MDL pages (or after freeing the MDL pages). |
| 0x87 | Base physical page of the existing mapping
(Shift left for physical address) |
Number of pages already mapped in the existing mapping | MEMORY_CACHING_TYPE of the existing mapping | The driver called MmMapIoSpace, but the caller's cache type conflicts with an existing mapping. |
| 0x88 | Base physical page of the requested mapping
(Shift left for physical address) |
Number of pages in the requested mapping | MEMORY_CACHING_TYPE of the requested mapping | The driver called MmMapIoSpace to map a physical range as non-cached or write-combined, but the caller's physical range already has an existing cached mapping. |
| 0x89 | MDL address | Pointer to the non-memory page in the MDL | The non-memory page number in the MDL | An MDL is not marked as "I/O", but it contains non-memory page addresses. |
| 0x8A | MDL address | Base physical page of the requested mapping
(Shift left for physical address) |
MEMORY_CACHING_TYPE of the requested mapping | The driver called MmMapLockedPagesXxx to map a physical range as non-cached or write-combined, but the caller's physical range already has an existing cached mapping. |
| 0x90 | Reserved | Reserved | Reserved | The driver switched stacks, and the current stack is neither a thread stack nor a DPC stack.
(Typically, the driver doing this should be on the stack obtained by the KB debugger command.) |
The following parameters are used only when the Memory Pool Tracking option of Driver Verifier is active.
| Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of Error |
|---|---|---|---|---|
| 0x51 | Base address of allocation | Corrupt address | Number of charged bytes | The driver attempted to free memory after having written past the end of the allocation. |
| 0x52 | Base address of allocation | Reserved | Number of charged bytes | The driver attempted to free memory after having written past the end of the allocation. |
| 0x53, 0x54, or 0x59 |
Base address of allocation | Reserved | Reserved | The driver attempted to free memory after having written past the end of the allocation. |
| 0x60 | Bytes allocated from paged pool | Bytes allocated from nonpaged pool | Total number of unfreed allocations | The driver is unloading without first freeing all its memory pools. |
| 0x61 | Bytes allocated from paged pool | Bytes allocated from nonpaged pool | Total number of unfreed allocations | The driver is unloading, but it is simultaneously attempting to allocate pool in another thread. |
The following parameters are used only when the Deadlock Detection option of Driver Verifier is active. This option is only available in Windows XP and later.
| Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of Error |
|---|---|---|---|---|
| 0x1000 | Address of the resource | Reserved | Reserved | Self-deadlock: The current thread has tried to recursively acquire a resource. |
| 0x1001 | Address of the resource that was the final cause of the deadlock | Reserved | Reserved | Deadlock: A lock hierarchy violation has been found.
(Use the !deadlock debugger extension for further information.) |
| 0x1002 | Address of the resource | Reserved | Reserved | Uninitialized resource: A resource has been acquired without having been initialized first. |
| 0x1003 | Address of the resource that is being released deadlocked | Address of the resource which should have been released first | Reserved | Unexpected release: A resource has been released out of the proper order. |
| 0x1004 | Address of the resource | Address of the thread that acquired the resource | Address of the current thread | Unexpected thread: The wrong thread is releasing a resource. |
| 0x1005 | Address of the resource | Reserved | Reserved | Multiple initialization: A resource is being initialized more than once. |
| 0x1006 | Address of the thread being deleted | Address of the resource owned by the thread | Reserved | Thread holds resources: A thread is being deleted without first releasing its resources. |
| 0x1007 | Address of the resource | Reserved | Reserved | Unacquired resource: A resource is being released without having first been acquired. |
The following parameters are used only when the Disk Integrity Verification option of Driver Verifier is active. This option is only available in Windows Server 2003 and later.
| Parameter 1 | Parameter 2 | Parameter 3 | Parameter 4 | Cause of Error |
|---|---|---|---|---|
| 0xA0 | Pointer to the IRP making the read or write request | Device object of the lower device | Number of the sector in which the error was detected | A cyclic redundancy check (CRC) error was detected on a hard disk. |
The _POOL_TYPE codes are enumerated in ntddk.h. In particular, zero indicates nonpaged pool and one indicates paged pool.
See the description of each code in the Parameters section for a description of the cause.
This bug check can only occur when Driver Verifier has been instructed to monitor one or more drivers. If you did not intend to use Driver Verifier, you should deactivate it. You might consider removing the driver which caused this problem as well.
If you are the driver writer, use the information obtained through this bug check to fix the bugs in your code.
After a Memory Allocation Tracking bug check, use the following command in the kernel debugger:
kd> dp ViBadDriver L1; dS @$p
This will return the name of the driver causing the error.
Then use the the !verifier debugger extension:
kd> !verifier 3 drivername.sys
This will return information about the leaked memory allocations.
For full details, see Driver Verifier.