Hi all,
I am trying to make a virtual USB audio class device.
I have a root enumerated device which statically enumerates a child PDO
(WdfPdoInitAllocate/…/WdfFdoAddStaticChild). I have set the HW id such
that usbccgp.sys attaches… the descriptors are parsed and usbaudio.sys
attaches to the first interface.
The problem is a few seconds after usbaudio.sys attaches it bugchecks with
a memory access violation and I haven't been able to figure out why.
There are a bunch of URBs submitted (get descriptors, select interface
etc), the final internal IOCTL received is
IOCTL_INTERNAL_USB_GET_TOPOLOGY_ADDRESS which I complete with
STATUS_NOT_SUPPORTED before the crash (this IOCTL is interleaved with other
URB IOCTLs before that too).
Any help would be appreciated, I have pasted the output from “!analyze -v”
below.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 999953fb, The address that the exception occurred at
Arg3: 8ac377d4, Exception Record Address
Arg4: 8ac373b0, Context Record Address
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
usbaudio!USBHwSelectAudioConfiguration+85
999953fb 0fb706 movzx eax,word ptr [esi]
EXCEPTION_RECORD: 8ac377d4 -- (.exr 0xffffffff8ac377d4)
ExceptionAddress: 999953fb
(usbaudio!USBHwSelectAudioConfiguration+0x00000085)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
CONTEXT: 8ac373b0 -- (.cxr 0xffffffff8ac373b0;r)
eax=00000003 ebx=85e2bde4 ecx=00000004 edx=00000000 esi=00000000 edi=85e615ec
eip=999953fb esp=8ac3789c ebp=8ac378c0 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
usbaudio!USBHwSelectAudioConfiguration+0x85:
999953fb 0fb706 movzx eax,word ptr [esi]
ds:0023:00000000=???
Last set context:
eax=00000003 ebx=85e2bde4 ecx=00000004 edx=00000000 esi=00000000 edi=85e615ec
eip=999953fb esp=8ac3789c ebp=8ac378c0 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
usbaudio!USBHwSelectAudioConfiguration+0x85:
999953fb 0fb706 movzx eax,word ptr [esi]
ds:0023:00000000=???
Resetting default scope
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: System
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
usbaudio!USBHwSelectAudioConfiguration+85
999953fb 0fb706 movzx eax,word ptr [esi]
BUGCHECK_STR: 0x7E
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
LOCK_ADDRESS: 83593000 -- (!locks 83593000)
Resource @ nt!PiEngineLock (0x83593000) Exclusively owned
Contention Count = 6
Threads: 84be2a70-01<*>
1 total locks, 1 locks currently held
PNP_TRIAGE:
Lock address : 0x83593000
Thread Count : 1
Thread address: 0x84be2a70
Thread wait : 0x185e
LAST_CONTROL_TRANSFER: from 83507b11 to 8348e678
STACK_TEXT:
8ac378c0 99994c27 00000000 85e2bde4 85e0ede8 usbaudio!USBHwSelectAudioConfiguration+0x85
8ac37934 9998f552 85e2bde4 85aa4d70 85e2bd78 usbaudio!USBDeviceStart+0x229
8ac37950 8df110d4 85e2bde4 85ec2708 00000000 usbaudio!DeviceStart+0x30
8ac3797c 8df0b540 85ec2708 85ec2850 85aa4cb8 ks!CKsDevice::PnpStart+0x72
8ac37998 83464035 85aa4cb8 85ec2708 8ac37a20 ks!CKsDevice::DispatchPnp+0x2d2
8ac379b0 835eaad2 00000000 8577c618 85a4d8e0 nt!IofCallDriver+0x63
8ac379cc 8344f756 8ac379fc 8344f505 85a4d8e0 nt!PnpAsynchronousCall+0x92
8ac37a30 835edac0 8344f505 85a4d8e0 8577d008 nt!PnpStartDevice+0xdb
8ac37a8c 835ed989 85a4d8e0 00000036 00000000 nt!PnpStartDeviceNode+0x12c
8ac37aa8 835e5de8 00000000 00000000 85a81f78 nt!PipProcessStartPhase1+0x62
8ac37ca4 836ba752 8577d008 85a81f78 8ac37cd0 nt!PipProcessDevNodeTree+0x188
8ac37cd8 8344f2e1 83590f20 84be2a70 83568b7c nt!PiRestartDevice+0x8a
8ac37d00 83490afb 00000000 00000000 84be2a70 nt!PnpDeviceActionWorker+0x1fb
8ac37d50 8361e62c 00000001 939d4d76 00000000 nt!ExpWorkerThread+0x10d
8ac37d90 834befe9 834909ee 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
8343baee-8343baf1 4 bytes - nt!ExpDetectHypervisorCr3Heuristic+23
[fa c7 45 f8:e9 cd 8a 07]
8343bb89-8343bb8d 5 bytes - nt!ExpDetectHypervisorVarianceHeuristic+33 (+0x9b)
[fa b1 1f ff 15:e9 82 8b 07 0a]
8343bd88-8343bd8c 5 bytes - nt!Ki386VdmEnablePentiumExtentions+4 (+0x1ff)
[fa 0f 20 e0 f7:e9 83 91 09 0a]
83462e86-83462e8a 5 bytes - nt!KiExecuteDpc+a6 (+0x270fe)
[fa 6a 01 53 56:e9 7d 8b 05 0a]
8346527d - nt!KiSaveProcessorControlState+75 (+0x23f7)
[0f:cc]
83465284 - nt!KiSaveProcessorControlState+7c (+0x07)
[0f:cc]
83465292 - nt!KiSaveProcessorControlState+8a (+0x0e)
[0f:cc]
834653d5-834653d9 5 bytes - nt!KiXMMIZeroPages+19 (+0x143)
[fa f7 80 fc 01:e9 ae 48 05 0a]
83466b09-83466b0d 5 bytes - nt!KiChainedDispatch+29 (+0x1734)
[fa 64 8b 0d 1c:e9 52 bb 06 0a]
83467565-83467569 5 bytes - nt!ExfInterlockedAddUlong+5 (+0xa5c)
[fa f0 0f ba 28:e9 16 d8 07 0a]
834675b6-834675ba 5 bytes - nt!ExfInterlockedInsertHeadList+6 (+0x51)
[fa f0 0f ba 2e:e9 d5 8f 04 0a]
8346760e-83467612 5 bytes - nt!ExfInterlockedInsertTailList+6 (+0x58)
[fa f0 0f ba 2e:e9 35 8e 04 0a]
83467661-83467665 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x53)
[fa f0 0f ba 2a:e9 8a cd 04 0a]
8346a91c-8346a920 5 bytes - nt!KiServiceExit (+0x32bb)
[fa f6 45 72 02:e9 e7 3e 01 0a]
8346a98a - nt!KiServiceExit+6e (+0x6e)
[fa:cc]
8346aacb-8346aacf 5 bytes - nt!KiServiceExit2 (+0x141)
[fa f6 45 72 02:e9 f8 48 06 0a]
8346ab15 - nt!KiServiceExit2+4a (+0x4a)
[fa:cc]
8346b2c8-8346b2cc 5 bytes - nt!KiExceptionExit (+0x7b3)
[fa f6 45 72 02:e9 4b 72 01 0a]
8346b312 - nt!KiExceptionExit+4a (+0x4a)
[fa:cc]
8346d188 - nt!VdmFixEspEbp+3 (+0x1e76)
[0f:cc]
8346e238-8346e23c 5 bytes - nt!KiFlushNPXState+4 (+0x10b0)
[fa 64 8b 3d 1c:e9 f3 f3 00 0a]
8348a52e-8348a532 5 bytes - nt!KiExitDispatcher+97 (+0x1c2f6)
[fa 8b 7e 04 c6:e9 15 66 ff 09]
8348a690-8348a694 5 bytes - nt!KeIsContextSwapActive+4 (+0x162)
[fa 64 a1 0c 00:e9 d3 30 ff 09]
8348a747-8348a74b 5 bytes - nt!KiDispatchInterrupt+87 (+0xb7)
[fa 0f 31 2b 83:e9 dc 85 02 0a]
8348a7ff-8348a803 5 bytes - nt!SwapContext+f (+0xb8)
[fa fe 8b 31 01:e9 8c 65 ff 09]
8348ad2b-8348ad2f 5 bytes - nt!KiIdleLoop+1b (+0x52c)
[fa f6 83 54 1a:e9 70 61 02 0a]
8348ad8c-8348ad90 5 bytes - nt!KiIdleLoop+7c (+0x61)
[fa 0f 31 2b 83:e9 d7 69 02 0a]
8348af1e - nt!KiRetireDpcList+cb (+0x192)
[fa:cc]
8348af40 - nt!KiRetireDpcList+ed (+0x22)
[fa:cc]
8348b0ec-8348b0f0 5 bytes - nt!KiExecuteAllDpcs+120 (+0x1ac)
[fa 8b 43 0c 85:e9 b7 67 02 0a]
8348c91a-8348c91e 5 bytes - nt!KiTimerExpiration+e (+0x182e)
[fa 8b 3d 80 c5:e9 11 59 02 0a]
8348cb2e-8348cb32 5 bytes - nt!KiTimerExpiration+222 (+0x214)
[fa 8b 48 10 89:e9 6d 59 02 0a]
8348dcd3-8348dcd7 5 bytes - nt!KeUpdateSystemTimeAssist+13 (+0x11a5)
[fa 64 8b 0d 1c:e9 f0 79 02 0a]
8348e4fb-8348e4ff 5 bytes - nt!KeUpdateRunTime+1d (+0x828)
[fa e8 82 5c fd:e9 88 6e 02 0a]
834914b1-834914b5 5 bytes - nt!KiSwapThread+2a (+0x2fb6)
[fa 8b 7e 04 c6:e9 1a 0e ff 09]
834929b5-834929b9 5 bytes - nt!KiSwapKernelStackAndExit+39 (+0x1504)
[fa 85 d2 0f 85:e9 06 dc fe 09]
83492ae6-83492aea 5 bytes - nt!KiSwapKernelStackAndExit+16a (+0x131)
[fa 8f 83 30 01:e9 dd de fe 09]
83492c1e-83492c22 5 bytes - nt!NtCallbackReturn+46 (+0x138)
[fa e8 f0 fc ff:e9 ed 9a 00 0a]
834ac80c-834ac810 5 bytes - nt!KiSaveLazyProcessorState+28 (+0x19bee)
[fa 0f 20 c0 8b:e9 cf 1b 03 0a]
834b7d56-834b7d5a 5 bytes - nt!KiQuantumEnd+237 (+0xb54a)
[fa 8b 7e 04 c6:e9 35 ef 02 0a]
834b92dd-834b92e1 5 bytes - nt!KiRestoreLazyProcessorState+1c (+0x1587)
[fa 33 c9 38 4d:e9 56 54 02 0a]
834bc644-834bc648 5 bytes - nt!KiCheckForThreadDispatch+77 (+0x3367)
[fa 8b 7e 04 c6:e9 3f 57 fc 09]
834d345a-834d345e 5 bytes - nt!NtYieldExecution+126 (+0x16e16)
[fa 80 7e 11 00:e9 09 e6 fa 09]
834d359c-834d35a0 5 bytes - nt!NtYieldExecution+268 (+0x142)
[fa 8b 5e 04 c6:e9 77 12 01 0a]
834d6e4d-834d6e51 5 bytes - nt!KiSetQuantumTargetThread+13 (+0x38b1)
[fa 80 7f 11 00:e9 7e b1 fa 09]
834db4a4-834db4a8 5 bytes - nt!KeTerminateThread+78 (+0x4657)
[fa 64 8b 0d 20:e9 7f 65 fe 09]
83506f75-83506f79 5 bytes - nt!KeUpdateTotalCyclesCurrentThread+d (+0x2bad1)
[fa 64 8b 35 20:e9 e6 da fd 09]
835099fe - nt!Ki386CheckDelayedNpxTrap+337 (+0x2a89)
[fa:cc]
8354c008-8354c00c 5 bytes - nt!Ki386EnableGlobalPage+8
[fa f0 ff 0a f3:e9 7b db f6 7b]
8354c0b1-8354c0b5 5 bytes - nt!Ki386EnableCurrentLargePage+9 (+0xa9)
[fa 0f 20 d8 0f:e9 ca d9 f6 7b]
8354c4ca - nt!CPUID+a (+0x419)
[0f:cc]
83599e0a - nt!KiInitializeProcessorState+20
[0f:cc]
83599e28 - nt!KiInitializeProcessorState+3e (+0x1e)
[0f:cc]
83745558 - nt!KiCalibrateTimeAdjustment+31a
[0f:cc]
213 errors : !nt (8343baee-83745558)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
STACK_COMMAND: .cxr 0xffffffff8ac373b0 ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:memory_corruption_large
FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}
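Every URB the post lists (get descriptors, select configuration, select interface) is served out of the configuration descriptor blob that the virtual bus driver synthesizes, and the faulting instruction in USBHwSelectAudioConfiguration reads a 16-bit field through a NULL pointer (esi=00000000). Class drivers such as usbaudio.sys index into that blob and into the handles a bus driver returns without re-validating them, so the check a practitioner wants in a virtual bus driver is a bounds-checked walk of its own descriptors before they go upward. The walker below is an added example, not code from the post, from usbaudio.sys or from usbccgp.sys; the descriptor bytes are a constructed UAC1 layout and all function and constant names are the example's own. It does not claim to identify the cause of the crash above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Descriptor type codes from USB 2.0 chapter 9 and USB Audio 1.0 section 4.3. */
#define USB_DT_CONFIG       0x02
#define USB_DT_INTERFACE    0x04
#define USB_DT_ENDPOINT     0x05
#define USB_DT_CS_INTERFACE 0x24

typedef struct {
    int interfaces;    /* interface descriptors, alternate settings included */
    int endpoints;     /* endpoint descriptors */
    int cs_interfaces; /* class-specific interface descriptors (0x24) */
} usb_config_summary;

/* Walk a configuration descriptor and everything after it up to wTotalLength,
 * checking that each bLength is sane and stays inside the buffer. Returns false
 * on any inconsistency: class drivers index into this blob directly. */
bool usb_walk_configuration(const uint8_t *buf, size_t len, usb_config_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG)
        return false;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total < 9 || total > len)               /* wTotalLength must fit the buffer */
        return false;
    for (size_t off = 0; off < total; ) {
        if (total - off < 2)                    /* not even a two-byte header left */
            return false;
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || blen > total - off)     /* descriptor overruns the blob */
            return false;
        switch (btype) {                        /* IAD, CS endpoint, vendor: skipped */
        case USB_DT_INTERFACE:    if (blen < 9) return false; out->interfaces++; break;
        case USB_DT_ENDPOINT:     if (blen < 7) return false; out->endpoints++;  break;
        case USB_DT_CS_INTERFACE: out->cs_interfaces++; break;
        }
        off += blen;
    }
    return true;
}

/* Resolve (bInterfaceNumber, bAlternateSetting) as a select-interface request
 * must, counting that setting's endpoints. Returns NULL when the setting does
 * not exist, which is the case a caller has to handle rather than dereference. */
const uint8_t *usb_find_interface(const uint8_t *buf, size_t len,
                                  uint8_t num, uint8_t alt, int *endpoints)
{
    usb_config_summary s;
    const uint8_t *found = NULL;
    *endpoints = 0;
    if (!usb_walk_configuration(buf, len, &s))  /* never walk an unchecked blob */
        return NULL;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    for (size_t off = 0; off < total; off += buf[off]) {
        if (buf[off + 1] == USB_DT_INTERFACE) {
            if (found) break;                   /* next interface ends this setting */
            if (buf[off + 2] == num && buf[off + 3] == alt)
                found = buf + off;
        } else if (found && buf[off + 1] == USB_DT_ENDPOINT) {
            (*endpoints)++;
        }
    }
    return found;
}

/* Constructed UAC1 layout (not the post's descriptors): AC interface 0, AS
 * interface 1 with zero-bandwidth alt 0 and alt 1 carrying one iso OUT endpoint. */
static const uint8_t kAudioConfig[] = {
    9, 0x02, 0x3E, 0x00, 2, 1, 0, 0x80, 50,    /* configuration, wTotalLength 62 */
    8, 0x0B, 0, 2, 0x01, 0x00, 0x00, 0,        /* IAD: interfaces 0-1, AUDIO     */
    9, 0x04, 0, 0, 0, 0x01, 0x01, 0x00, 0,     /* AC interface 0 alt 0           */
    9, 0x24, 0x01, 0x00, 0x01, 9, 0x00, 1, 1,  /* CS AC HEADER, streaming if 1   */
    9, 0x04, 1, 0, 0, 0x01, 0x02, 0x00, 0,     /* AS interface 1 alt 0, no EP    */
    9, 0x04, 1, 1, 1, 0x01, 0x02, 0x00, 0,     /* AS interface 1 alt 1, one EP   */
    9, 0x05, 0x01, 0x09, 0xC0, 0x00, 1, 0, 0,  /* EP 1 OUT, iso adaptive, 192 B  */
};

usb_config_summary sample_summary(void)
{
    usb_config_summary s;
    usb_walk_configuration(kAudioConfig, sizeof kAudioConfig, &s);
    return s;
}

/* Endpoint count of (num, alt) in the sample, or -1 when that setting is absent. */
int sample_alt_endpoints(uint8_t num, uint8_t alt)
{
    int n;
    return usb_find_interface(kAudioConfig, sizeof kAudioConfig, num, alt, &n) ? n : -1;
}

/* Two ways a synthesized blob goes bad: a buffer shorter than its wTotalLength,
 * and a bLength that runs past the end. Both must be rejected, not walked. */
bool sample_bad_blobs_rejected(void)
{
    uint8_t bad[sizeof kAudioConfig];
    usb_config_summary s;
    memcpy(bad, kAudioConfig, sizeof bad);
    bad[sizeof bad - 9] = 0x20;                 /* endpoint now claims 32 bytes */
    return !usb_walk_configuration(kAudioConfig, 40, &s) &&
           !usb_walk_configuration(bad, sizeof bad, &s);
}
```

The lookup returns NULL for a setting that is not in the blob instead of a pointer into whatever happens to follow; a select-interface handler in a virtual bus driver has to fail the URB in that case rather than fill in interface and pipe information from nothing.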