I have a crash dump synthesized from a xen core dump. Some information is lost in the core dump, so I am not sure of the crash dump code exactly (can't get to the console right now to confirm).
Is there such a thing as a bug check 0xA with the third parameter as an 8? The docs say it can be 0 or 1. From what I understand that would imply that the access was not read or write but execute, and therefore executing a null address. That would probably explain the stack trace too:
fffff880`02e62c18 fffff800`02e7d1a9 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
fffff880`02e62c20 fffff800`02e7be20 : fffffa80`00d4f8e0 00000000`00000000 fffff880`00e317f0 fffff880`009e8180 : nt!KiBugCheckDispatch+0x69
fffff880`02e62d60 00000000`00000000 : fffff800`02e882fc fffff880`009e8180 00000000`00000000 fffff880`00e33fc0 : nt!KiPageFault+0x260