It’s no secret Microsoft got a stick up their collective rear about PAGED code. Unfortunately, it’s causing pain (ITA) to innocent bystanders, too.
We’ve been getting mysterious crashes while running one of the WHCK (or whatever it’s called at this moment) tests. It takes a few hours to happen. Here are snippets of the !analyze output:
The page fault happens on an instruction fetch at IRQL=2 (DISPATCH_LEVEL) at srv2+0x51716.
Arg1: fffff807f4361716, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: fffff807f4361716, address which referenced memory
This is the PAGED code section:
SECTION HEADER #7
PAGE name
35CA7 virtual size
42000 virtual address
35E00 size of raw data
3EE00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read
The code executing at the moment:
fffff807`f4361710 ff1562befeff    call    qword ptr [srv2+0x3d578 (fffff807`f434d578)]
fffff807`f4361716 488bcf          mov     rcx,rdi
fffff807`f4361719 e8a26dfbff      call    srv2+0x84c0 (fffff807`f43184c0)
fffff807`f436171e 488d4d07        lea     rcx,[rbp+7]
fffff807`f4361722 8bd8            mov     ebx,eax
fffff807`f4361724 85c0            test    eax,eax
fffff807`f4361726 7969            jns     srv2+0x51791 (fffff807`f4361791)
fffff807`f4361728 ff1552befeff    call    qword ptr [srv2+0x3d580 (fffff807`f434d580)]
fffff807`f436172e 4c8b15cb58feff  mov     r10,qword ptr [srv2+0x37000 (fffff807`f4347000)]
(!analyze also spits out a whole bunch of red-herring !chkimg output, which is nothing else than relocated pointers. !chkimg needs to be smarter about that.)
The very first call (qword ptr [srv2+0x3d578 (fffff807`f434d578)]) is (Ba Dum Tss!) nt!KeAcquireInStackQueuedSpinLock! Upon returning from it, now at DISPATCH_LEVEL, the processor found itself fetching the next instruction from a page that was no longer valid (most likely because of Driver Verifier trickery).
This is actually not the first time we’ve caught a bugcheck because Microsoft had code in a paged section running at DISPATCH_LEVEL. I don’t know if the driver code analysis detects calls that raise IRQL inside paged code sections; it would have caught this crap at once. Or Microsoft didn’t run the srv2 code through analysis.
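The triage done by hand above (take Arg4, find which section of the module it lands in, check whether that section is pageable) is easy to script. The following is an added example, not code from the original post: it parses section headers out of !dh-style output and flags a hit in a pageable section at IRQL >= DISPATCH_LEVEL. The .text header and the srv2 base address (derived from srv2+0x51716) are constructed assumptions; the PAGE header values are the ones shown above.

```python
import re
from collections import namedtuple

IMAGE_SCN_MEM_NOT_PAGED = 0x08000000  # set on sections the loader locks in memory
DISPATCH_LEVEL = 2
Section = namedtuple("Section", "name virtual_address virtual_size flags")

def section_is_pageable(sec: Section) -> bool:
    # Without IMAGE_SCN_MEM_NOT_PAGED the memory manager may trim the section out.
    return not (sec.flags & IMAGE_SCN_MEM_NOT_PAGED)

def section_contains(sec: Section, rva: int) -> bool:
    return sec.virtual_address <= rva < sec.virtual_address + sec.virtual_size

# One '!dh' section header: name, virtual size, virtual address, ..., flags.
_HEADER = re.compile(
    r"SECTION HEADER #\d+\n\s*(\S+) name\n\s*([0-9A-Fa-f]+) virtual size\n"
    r"\s*([0-9A-Fa-f]+) virtual address\n(?:.*\n)*?\s*([0-9A-Fa-f]+) flags")

def parse_dh_sections(text: str) -> list:
    """Parse section headers out of WinDbg '!dh' / dumpbin-style output."""
    return [Section(name, int(va, 16), int(vs, 16), int(fl, 16))
            for name, vs, va, fl in _HEADER.findall(text)]

def triage_irql_fault(irql: int, fault_address: int, module_base: int, sections) -> dict:
    """Bugcheck 0xD1: Arg2 is the IRQL, Arg4 the referencing address. A hit in a
    pageable section at IRQL >= DISPATCH_LEVEL means pageable code/data was
    touched at elevated IRQL, which points at the module itself, not a bystander."""
    rva = fault_address - module_base
    for sec in sections:
        if section_contains(sec, rva):
            pageable = section_is_pageable(sec)
            return {"section": sec.name, "rva": rva, "pageable": pageable,
                    "paged_at_dispatch": pageable and irql >= DISPATCH_LEVEL}
    return {"section": None, "rva": rva, "pageable": None, "paged_at_dispatch": False}

# Constructed sample: the PAGE header from above (parser-relevant fields only) plus a made-up nonpaged .text header.
SAMPLE_DH = """\
SECTION HEADER #1
   .text name
   30000 virtual size
    1000 virtual address
68000020 flags
SECTION HEADER #7
    PAGE name
   35CA7 virtual size
   42000 virtual address
60000020 flags
"""
SRV2_BASE = 0xFFFFF807F4361716 - 0x51716  # Arg4 was srv2+0x51716, so this is srv2's base (assumed)
```

Running triage_irql_fault(2, 0xFFFFF807F4361716, SRV2_BASE, parse_dh_sections(SAMPLE_DH)) reports the hit in PAGE with paged_at_dispatch set, while the same address at IRQL 0 or an address in .text does not trip the check.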