I am doing more and more testing and I again saw the random crash (although it is less frequent now).
This time the stack seems completely misleading; it shows that the exception occurs because of KeAcquireSpinLock. Again, RIP seems NULL, but the module is ntkrnlmp.exe and not the driver; however, the issue should be with the driver only.
I checked the code and there does not seem to be anything obvious that would cause KeReleaseSpinLock to fail.
Please let me know if you have any pointers.
Thanks
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 9600.17031.amd64fre.winblue_gdr.140221-1952
Machine Name:
Kernel base = 0xfffff800ae476000 PsLoadedModuleList = 0xfffff800ae7402d0
Debug session time: Wed Oct 19 23:53:38.441 2016 (UTC - 4:00)
System Uptime: 4 days 20:48:26.185
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: ffffd001050068b8, Exception Record Address
Arg4: ffffd001050060c0, Context Record Address
Debugging Details:
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
+22
00000000`00000000 ?? ???
EXCEPTION_RECORD: ffffd001050068b8 -- (.exr 0xffffd001050068b8)
ExceptionAddress: 0000000000000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000008
Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000
CONTEXT: ffffd001050060c0 -- (.cxr 0xffffd001050060c0)
rax=0000000000000000 rbx=ffffe000161a8010 rcx=ffffe0001a0ac380
rdx=ffffe00015e9a7f0 rsi=ffffe000161ac040 rdi=ffffd00105006b78
rip=0000000000000000 rsp=ffffd00105006af0 rbp=0000000000000080
r8=0000000000000000 r9=ffffe0001a0ac388 r10=fffff8002c443120
r11=0000000000000000 r12=0000000000000000 r13=fffff800ae476000
r14=fffff8002ca29300 r15=fffff8002ca244d0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
00000000`00000000 ?? ???
Resetting default scope
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 0000000000000008
EXCEPTION_PARAMETER2: 0000000000000000
WRITE_ADDRESS: fffff800ae72dce0: Unable to get special pool info
fffff800ae72dce0: Unable to get special pool info
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
0000000000000000
FOLLOWUP_IP:
nt!KxWaitForSpinLockAndAcquire+23
fffff800`ae545663 4885c0 test rax,rax
FAILED_INSTRUCTION_ADDRESS:
+23
00000000`00000000 ?? ???
BUGCHECK_STR: AV
LAST_CONTROL_TRANSFER: from ffffe00015e9a7f0 to 0000000000000000
STACK_TEXT:
ffffd00105006af0 ffffe00015e9a7f0 : ffffe0001a0ac380 ffffe000161ac040 ffffe0001a0ac388 0000000000000001 : 0x0
ffffd00105006af8 ffffe0001a0ac380 : ffffe000161ac040 ffffe0001a0ac388 0000000000000001 fffff800ae545663 : 0xffffe00015e9a7f0
ffffd00105006b00 ffffe000161ac040 : ffffe0001a0ac388 0000000000000001 fffff800ae545663 ffffd00105006b78 : 0xffffe0001a0ac380
ffffd00105006b08 ffffe0001a0ac388 : 0000000000000001 fffff800ae545663 ffffd00105006b78 fffff8002ca219fb : 0xffffe000161ac040
ffffd00105006b10 0000000000000001 : fffff800ae545663 ffffd00105006b78 fffff8002ca219fb ffffe0001a0ac380 : 0xffffe0001a0ac388
ffffd00105006b18 fffff800ae545663 : ffffd00105006b78 fffff8002ca219fb ffffe0001a0ac380 ffffe000161ac040 : 0x1
ffffd00105006b20 fffff800ae546472 : 0000000000000001 ffffe00019400c40 ffffe000161a8010 0000000000000000 : nt!KxWaitForSpinLockAndAcquire+0x23
ffffd00105006b50 0000000000000000 : ffffe00100000000 ffffe00019e81808 ffffe000161ac040 fffff8002ca24735 : nt!KeReleaseSpinLock+0x22
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: nt!KxWaitForSpinLockAndAcquire+23
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 53085af2
STACK_COMMAND: .cxr 0xffffd001050060c0 ; kb
FAILURE_BUCKET_ID: X64_AV_NULL_IP_nt!KxWaitForSpinLockAndAcquire+23
BUCKET_ID: X64_AV_NULL_IP_nt!KxWaitForSpinLockAndAcquire+23
Followup: MachineOwner