Hi Alex –
The exception happens 100% of the time. I’m attaching the whole !analyze -v
output in case you’re interested in seeing anything else.
One other thing: When I comment out the call to get the process ID, I get a
crash with the following stack:
fltmgr!FltpCompleteCompletionNode+0x2d
fltmgr!FltCompletePendedPostOperation+0x82
fltmgr!FltpSafeCompletionWorker+0xba
nt!ExpWorkerThread+0x11a
t!PspSystemThreadStartup+0x57
nt!KiStartSystemThread+0x16
ERROR_CODE: (NTSTATUS) 0xc0000005
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80001c8d080
0000000000000010
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
So apparently a NULL pointer is involved, though I’m not sure where or how
– I don’t manipulate any incoming objects or pointers at all.
Doug
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80001a8d328, The address that the exception occurred at
Arg3: fffffa60019c79d8, Exception Record Address
Arg4: fffffa60019c73b0, Context Record Address
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!PsGetProcessId+0
fffff800`01a8d328 488b81e0000000 mov rax,qword ptr [rcx+0E0h]
EXCEPTION_RECORD: fffffa60019c79d8 – (.exr 0xfffffa60019c79d8)
ExceptionAddress: fffff80001a8d328 (nt!PsGetProcessId)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffffa60019c73b0 – (.cxr 0xfffffa60019c73b0)
rax=6500000438850f31 rbx=fffffa60085f0208 rcx=6500000438850f31
rdx=0000000000000000 rsi=fffffa60019c7cb0 rdi=fffffa800aeea010
rip=fffff80001a8d328 rsp=fffffa60019c7c18 rbp=fffffa800847f050
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffffa8006cc1768 r12=fffffa800b626350 r13=0000000000000001
r14=0000000000000000 r15=fffffa60005efcc0
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010202
nt!PsGetProcessId:
fffff80001a8d328 488b81e0000000 mov rax,qword ptr [rcx+0E0h] ds:002b:65000004
38851011=???
Resetting default scope
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80001c79080
ffffffffffffffff
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from fffffa6000a90127 to fffff80001a8d328
STACK_TEXT:
fffffa60019c7c18 fffffa60
00a90127 : fffffa8006cfd720 fffff800
01be28a0
fffffa8000000001 fffff800
01aaf9ee : nt!PsGetProcessId
fffffa60019c7c20 fffffa60
085ed086 : fffffa60085f0208 00000000
00000000
fffffa60005ec7f0 fffff800
01abe43a : fltmgr!FltGetRequestorProcessId+0x17
fffffa60019c7c50 fffffa60
00ab7db9 : fffffa800b708b90 00000000
00000000
fffffa60085ed028 00000000
00000000 :
FSMFx64!LongTermNameLookupCallback+0x5e
[c:\dev36\proj\servermoncfg\fsmonitor\fsminifilter\filter\fsmf.c @ 623]
fffffa60019c7c90 fffff800
01ab1366 : fffffa6000ab7d10 fffff800
01be28a0
fffffa8006cfd720 fffffa80
0b6262a0 : fltmgr!FltpSafeCompletionWorker+0xa9
fffffa60019c7cf0 fffff800
01cc8fd3 : fffffa800b626320 00000000
00000000
fffffa8006cfd720 00000000
00000080 : nt!ExpWorkerThread+0x11a
fffffa60019c7d50 fffff800
01ade816 : fffffa60005ec180 fffffa80
06cfd720
fffffa60005f5d40 00000000
00000001 : nt!PspSystemThreadStartup+0x57
fffffa60019c7d80 00000000
00000000 : 0000000000000000 00000000
00000000
0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
FileSightMFx64!LongTermNameLookupCallback+5e
[c:\dev36\proj\servermoncfg\fsmonitor\fsminifilter\filter\fsmf.c @ 623]
fffffa60`085ed086 ?? ???
*** NOTE: The faulting source below is off by just a couple of lines – this
code happens just before the call to FltGetRequestorProcessId
FAULTING_SOURCE_CODE:
619: {
620:
recordList->LogRecord.Operations[0].Data = fsi.EndOfFile;
621:
recordList->LogRecord.bDirectory = fsi.Directory ? 1 : 0;
622: }
623:
recordList->LogRecord.Operations[0].OpType = RECORD_OPTYPE_OPEN;
624:
break;
625: }
626: }
627: }
628:
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: FSMFx64!LongTermNameLookupCallback+5e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: FSMFx64
IMAGE_NAME: FSMFx64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49f096bd
STACK_COMMAND: .cxr 0xfffffa60019c73b0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_FSMFx64!LongTermNameLookupCallback+5e
BUCKET_ID: X64_0x7E_FSMFx64!LongTermNameLookupCallback+5e
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-363879-
xxxxx@lists.osr.com] On Behalf Of Alexandru Carp
Sent: Thursday, April 23, 2009 10:52 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] FltGetRequestorProcessId exception
Hi Doug,
As far as I can tell you’re doing everything right.
FltDoCompletionProcessingWhenSafe does not require you to reference the
CALLBACK_DATA. PsGetProcessId is a very simple function. Could you
please post the memory address it’s trying to reference ?
Also, is it always failing ?
Regards,
Alex.
This posting is provided “AS IS” with no warranties, and confers no
rights.
NTFSD is sponsored by OSR
For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer