It's no secret Microsoft got a stick up their collective rear about PAGED code. Unfortunately, it's causing pain (ITA) to innocent bystanders, too.
We've been getting mysterious crashes while running one of WHCK (or whatever it's called at this moment) tests. It takes a few hours to happen. Here are snippets of !analyze:
The page fault happens on the instruction fetch at IRQL=2 at srv2+0x51716.
Arg1: fffff807f4361716, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: fffff807f4361716, address which referenced memory
This is the PAGED code section:
SECTION HEADER #7
35CA7 virtual size
42000 virtual address
35E00 size of raw data
3EE00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
(no align specified)
The code executing at the moment:
fffff807`f4361710 ff1562befeff call qword ptr [srv2+0x3d578 (fffff807`f434d578)]
fffff807`f4361716 488bcf mov rcx,rdi
fffff807`f4361719 e8a26dfbff call srv2+0x84c0 (fffff807`f43184c0)
fffff807`f436171e 488d4d07 lea rcx,[rbp+7]
fffff807`f4361722 8bd8 mov ebx,eax
fffff807`f4361724 85c0 test eax,eax
fffff807`f4361726 7969 jns srv2+0x51791 (fffff807`f4361791)
fffff807`f4361728 ff1552befeff call qword ptr [srv2+0x3d580 (fffff807`f434d580)]
fffff807`f436172e 4c8b15cb58feff mov r10,qword ptr [srv2+0x37000 (fffff807`f4347000)]
(!analyze also returns a whole bunch of red-herring !chkimg output, which is nothing other than relocated pointers. !chkimg needs to be smarter about that.)
The very first call (qword ptr [srv2+0x3d578 (fffff807`f434d578)]) is (Ba Dum Tss!) nt!KeAcquireInStackQueuedSpinLock! Upon returning from it, the processor found itself at an invalid page (most likely because of Driver Verifier trickery).
This is actually not the first time we've caught a bugcheck because Microsoft had some code in a paged section that was running at DISPATCH_LEVEL. I don't know if the driver analysis detects calls that raise IRQL in paged code sections. It would have caught this crap at once. Or Microsoft didn't run the srv2 code through analysis.
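As an added triage helper (not from the original post), the script below automates the check done above: it parses the bugcheck parameters and a section-header dump, turns Arg4 into an RVA against the module base (derived from srv2+0x51716 == fffff807f4361716), and flags the "pageable code executed at or above DISPATCH_LEVEL" pattern. The section name "PAGE", the second section and the pageable-section list are assumptions, since the post does not show the section names.

```python
import re

# Constructed inputs modelled on the !analyze and section-header output in the post.
# The post does not show section names; "PAGE" for section #7 is an assumption,
# and the .text section is made up for contrast.
BUGCHECK_ARGS = """
Arg1: fffff807f4361716, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: fffff807f4361716, address which referenced memory
"""
SECTION_HEADERS = """
SECTION HEADER #1
   .text name
   3F000 virtual size
    1000 virtual address
SECTION HEADER #7
    PAGE name
   35CA7 virtual size
   42000 virtual address
"""
MODULE_BASE = 0xFFFFF807F4310000      # srv2 base: fffff807f4361716 - 0x51716
DISPATCH_LEVEL = 2
EXECUTE = 8                           # bugcheck 0xD1 Arg3: 0 read, 1 write, 8 execute
PAGEABLE_SECTIONS = {"PAGE", "PAGEDATA", "PAGECONS"}   # assumed naming convention

def parse_args(text):
    """Return {arg_number: value} from the Arg1..Arg4 lines."""
    return {int(m.group(1)): int(m.group(2), 16)
            for m in re.finditer(r"Arg(\d): ([0-9a-fA-F]+)", text)}

def parse_sections(text):
    """Return [{'name','vsize','va'}] from !dh-style section header text."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SECTION HEADER"):
            cur = {}
            sections.append(cur)
        elif cur is None:
            continue
        elif line.endswith(" name"):
            cur["name"] = line.split()[0]
        elif line.endswith("virtual size"):
            cur["vsize"] = int(line.split()[0], 16)
        elif line.endswith("virtual address"):
            cur["va"] = int(line.split()[0], 16)
    return sections

def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None

def classify(args, sections, base):
    """Flag an instruction fetch from a pageable section at IRQL >= DISPATCH_LEVEL."""
    rva = args[4] - base
    sec = section_for_rva(sections, rva)
    pageable = sec in PAGEABLE_SECTIONS
    return {"rva": rva, "section": sec, "irql": args[2],
            "paged_code_at_dispatch": pageable and args[2] >= DISPATCH_LEVEL and args[3] == EXECUTE}
```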