OSR Online Lists > ntfsd
  Message 1 of 3  
16 Feb 05 04:18
Frank
xxxxxx@gmx.de
Join Date: 16 Feb 2005
Posts To This List: 15
Bugcheck Analysis

Hi,

I do have a Bugcheck Analysis of my filter driver (see below) and I am not sure if I interpret it right. The Bugcheck occurs in a piece of code like this:

    NTSTATUS KLowerDevice::Call(KIrp I)
    {
        return IoCallDriver(m_pDeviceObject, I.m_Irp);
    }

The compiler generates this:

    00031 8b 55 08           mov  edx, DWORD PTR _I$[ebp]
    00034 8b 4d fc           mov  ecx, DWORD PTR _this$[ebp]
    00037 8b 49 04           mov  ecx, DWORD PTR [ecx+4]
    0003a ff 15 00 00 00 00  call DWORD PTR __imp_@IofCallDriver@8

I think the Bugcheck "says", that the "this-pointer" isn't valid anymore (means the object has been deleted). Is this correct?

Thanks in advance
Dirk

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ef4fe7c7, The address that the exception occurred at
Arg3: f8996c30, Exception Record Address
Arg4: f8996930, Context Record Address

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Database SolnDb not connected

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
myfilter+137c7
ef4fe7c7 8b4904           mov     ecx,[ecx+0x4]

EXCEPTION_PARAMETER1: f8996c30

CONTEXT: f8996930 -- (.cxr fffffffff8996930)
eax=0000000a ebx=81fca8b8 ecx=00000004 edx=81ad6368 esi=8054f11c edi=81ad60fc
eip=ef4fe7c7 esp=f8996cf8 ebp=f8996cfc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
myfilter+137c7:
ef4fe7c7 8b4904           mov     ecx,[ecx+0x4]     ds:0023:00000008=????????
Resetting default context

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from ef4fe788 to ef4fe7c7

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f8996cfc ef4fe788 81ad6368 81c29940 f8996d5c myfilter+0x137c7
f8996d0c ef4f1e3d 81ad6368 00000001 81adba58 myfilter+0x13788
f8996d5c ef4f398f 81ad60fc f8996d7c ef4f262f myfilter+0x6e3d
f8996d68 ef4f262f 81ad60fc 81c29940 81ad60fc myfilter+0x898f
f8996d7c 805296ad 81ad60fc 00000000 81fca8b8 myfilter+0x762f
f8996dac 805b282c 81ad60fc 00000000 00000000 nt+0x556ad
f8996ddc 8053602a 805295c0 00000001 00000000 nt+0xde82c
00000000 00000000 00000000 00000000 00000000 nt+0x6202a

FOLLOWUP_IP:
myfilter+137c7
ef4fe7c7 8b4904           mov     ecx,[ecx+0x4]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: myfilter+137c7

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .cxr fffffffff8996930 ; kb

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------
  Message 2 of 3  
16 Feb 05 04:31
ntfsd member 8803
xxxxxx@concord.com
Join Date:
Posts To This List: 9
Bugcheck Analysis

If I understand what you wrote, it means the this pointer is null, which means you called through a bad pointer. See where the pointer you called into the current function from is supposed to be setup. (Most likely in the stack above your current one).

-Jeff
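A triage check for the question discussed above, as an added example that is not part of the original thread: it recomputes the effective address of the faulting `mov ecx,[ecx+0x4]` from the posted register dump and reports whether the access is an offset from a NULL pointer or a kernel-range address, which is what a pointer to a deleted object would look like. The function names, the 64 KB null-region limit and the 0x80000000 kernel base are assumptions of this sketch; the sample text is constructed from values quoted in the first message.

```python
import re

# Constructed sample: register dump and faulting instruction copied from the
# .cxr output in the first message of this thread.
SAMPLE = """\
eax=0000000a ebx=81fca8b8 ecx=00000004 edx=81ad6368 esi=8054f11c edi=81ad60fc
eip=ef4fe7c7 esp=f8996cf8 ebp=f8996cfc iopl=0 nv up ei ng nz na pe nc
ef4fe7c7 8b4904 mov ecx,[ecx+0x4]
"""

NULL_REGION_END = 0x10000  # assumption: lowest 64 KB is never mapped
KERNEL_BASE = 0x80000000   # assumption: default 32-bit x86 user/kernel split

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})\b")
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])(?:0x)?([0-9a-fA-F]+))?\]")


def parse_registers(text):
    """Collect WinDbg-style 'reg=hex' pairs into {'ecx': 4, ...}."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def faulting_access(text):
    """Return (base register, its value, effective address) of the first
    [reg+disp] operand, using the register values found in the same text."""
    regs = parse_registers(text)
    m = MEM_RE.search(text)
    if m is None:
        raise ValueError("no [reg+disp] memory operand found")
    base, sign, disp = m.groups()
    if base not in regs:
        raise ValueError(f"register {base} missing from context dump")
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    return base, regs[base], (regs[base] + offset) & 0xFFFFFFFF


def classify(text):
    """Label the faulting access by where the effective address falls."""
    _, base_value, address = faulting_access(text)
    if address < NULL_REGION_END:
        # A tiny base value is a field offset added to a NULL object pointer.
        return "null-derived" if base_value < NULL_REGION_END else "null-page"
    if address >= KERNEL_BASE:
        return "kernel-address"  # looks like a real pointer; may be stale
    return "user-address"


if __name__ == "__main__":
    base, value, address = faulting_access(SAMPLE)
    print(f"{base}={value:#x} -> access at {address:#010x}: {classify(SAMPLE)}")
```

For the posted dump the computed address is 0x00000008, the same address WinDbg shows as `ds:0023:00000008=????????`.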
  Message 3 of 3  
16 Feb 05 04:35
Ladislav Zezula
xxxxxx@volny.cz
Join Date: 15 Jul 2003
Posts To This List: 1361
Bugcheck Analysis

First - the debugger reports to you that your symbols are wrong. Fix the symbols for the operating system, e.g. using MS Symbol Server.

Second - it would be good to give WinDbg symbols for your filter, it will point the right place where that access violation occurred.

L.
All times are GMT -5.