
PAGE_FAULT_IN_NONPAGED_AREA with Arg2 having a value of 2!

Don_Burn-2 Posts: 1,620
I have a client who is sending me !analyze -v where the second argument of PAGE_FAULT_IN_NONPAGED_AREA is 2, which is not documented. This is Windows 10 with a lack of symbols because the symbol server is not keeping up with the OS updates.

Anyone have a clue as to why this is 2? I'm trying to help them remotely find this problem.


Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com






kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffcb81ab600000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff80a6d419a47, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------



DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 14393.1480.amd64fre.rs1_release.170706-2004

SYSTEM_MANUFACTURER: System manufacturer

SYSTEM_PRODUCT_NAME: System Product Name

SYSTEM_SKU: SKU

SYSTEM_VERSION: System Version

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: 5109

BIOS_DATE: 10/16/2012

BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT: F2A85-V PRO

BASEBOARD_VERSION: Rev X.0x

DUMP_TYPE: 1

BUGCHECK_P1: ffffcb81ab600000

BUGCHECK_P2: 2

BUGCHECK_P3: fffff80a6d419a47

BUGCHECK_P4: 2


FAULTING_IP:
netvmini_build!Ndis64Write32+37 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664api\ttes_api_os_ndis.c @ 177]
fffff80a`6d419a47 8908 mov dword ptr [rax],ecx

MM_INTERNAL_CODE: 2

IMAGE_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAULTING_MODULE: fffff80a6d400000 netvmini_build

CPU_COUNT: 2

CPU_MHZ: e10

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 10

CPU_STEPPING: 1

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: AV

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: PREDATOR

ANALYSIS_SESSION_TIME: 07-14-2017 10:22:40.0349

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

TRAP_FRAME: ffffcb81a959a710 -- (.trap 0xffffcb81a959a710)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffcb81ab600000 rbx=0000000000000000 rcx=0000000010000000
rdx=0000000000000006 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80a6d419a47 rsp=ffffcb81a959a8a0 rbp=ffffcb81a959ae90
r8=0000000000000065 r9=0000000000000003 r10=0000000000000000
r11=ffffcb81a959a640 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
netvmini_build!Ndis64Write32+0x37:
fffff80a`6d419a47 8908 mov dword ptr [rax],ecx ds:ffffcb81`ab600000=????????
Resetting default scope

LOCK_ADDRESS: fffff801fa7a8880 -- (!locks fffff801fa7a8880)

Resource @ nt!PiEngineLock (0xfffff801fa7a8880) Exclusively owned
Contention Count = 11
Threads: ffff938d547da040-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0xfffff801fa7a8880
Thread Count : 1
Thread address: 0xffff938d547da040
Thread wait : 0xbaf6

LAST_CONTROL_TRANSFER: from fffff801fa60ae11 to fffff801fa5e0960

STACK_TEXT:
ffffcb81`a959a418 fffff801`fa60ae11 : 00000000`00000050 ffffcb81`ab600000 00000000`00000002 ffffcb81`a959a710 : nt!KeBugCheckEx
ffffcb81`a959a420 fffff801`fa4e60fd : 00000000`00000002 00000000`00000000 ffffcb81`a959a710 ffffcb81`ab600000 : nt!MiSystemFault+0x100201
ffffcb81`a959a510 fffff801`fa5e9ffc : 72000a20`32726142 2c747365`54737365 73736572`64644120 43464646`465b203a : nt!MmAccessFault+0x27d
ffffcb81`a959a710 fffff80a`6d419a47 : ffffcb81`ab600000 fffff80a`6d454440 ffffcb81`a959aaa0 ffffcb81`ab3e4000 : nt!KiPageFault+0x13c
ffffcb81`a959a8a0 fffff80a`6d406af4 : ffffcb81`ab600000 00000000`10000000 00000000`00000065 00000000`00000003 : netvmini_build!Ndis64Write32+0x37 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664api\ttes_api_os_ndis.c @ 177]
ffffcb81`a959a8e0 fffff80a`6d401e29 : fffff80a`6d5968c0 ffffcb81`00000001 00000000`00000001 00000000`00064000 : netvmini_build!i664InternalSetPhys+0x1a4 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664api\i664_api_internal.c @ 864]
ffffcb81`a959a970 fffff80a`6d42a07e : fffff80a`6d5968c0 fffff80a`6d43bce0 00000000`00000065 00000000`00000003 : netvmini_build!Ndisi664ESConfigureEx+0xe29 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664api\i664_api_es.c @ 1208]
ffffcb81`a959aa20 fffff80a`6d42d8c7 : ffff938d`52b19040 ffff938d`52b19040 00000000`00000a80 ffffdfef`f6dfe460 : netvmini_build!A664DeviceInitialize+0x42e [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664device.c @ 118]
ffffcb81`a959aac0 fffff80a`6d42c644 : ffff938d`52b19040 ffffcb81`a959ae90 ffffcb81`a959ae90 ffffcb81`a959abe8 : netvmini_build!HWInitialize+0x507 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664mphal.c @ 214]
ffffcb81`a959ab90 fffff80a`6b6fd762 : ffff938d`55fd81a0 fffff80a`6d43b7c0 ffffcb81`a959ae90 ffff938d`55fd9028 : netvmini_build!MPInitializeEx+0x604 [c:\shop\codelever\a664-ndis-driver\netvmini\a664-driver-solution\netvmini_build\netvmini_build\a664adapter.c @ 404]
ffffcb81`a959ad30 fffff80a`6b73b848 : ffff938d`55fd8ed8 00000000`00000000 00000000`00000000 ffff938d`55fd81a0 : ndis!ndisMInvokeInitialize+0x5e
ffffcb81`a959ad90 fffff80a`6b6fdc03 : 00000000`00000000 00000000`000000a0 ffff938d`53600400 01d2fcb0`4e560014 : ndis!ndisMInitializeAdapter+0x4d4
ffffcb81`a959b450 fffff80a`6b6fdd10 : 00000000`000000a0 ffff938d`551b41a0 ffffb985`d5427c80 ffff938d`55fd81a0 : ndis!ndisInitializeAdapter+0x5f
ffffcb81`a959b4a0 fffff80a`6b6efb2b : ffff938d`55fd81a0 00000000`00000004 ffff938d`530f72a0 fffff80a`6b66a10d : ndis!ndisPnPStartDevice+0x80
ffffcb81`a959b4e0 fffff80a`6b6eefd5 : ffff938d`55fd81a0 ffff938d`55fd81a0 ffff938d`530f72a0 ffff938d`55fd81a0 : ndis!ndisStartDeviceSynchronous+0x4f
ffffcb81`a959b530 fffff80a`6b6eebf9 : ffff938d`530f72a0 ffffcb81`a959b5a0 00000000`00000000 ffff938d`55fd81a0 : ndis!ndisPnPIrpStartDevice+0x149
ffffcb81`a959b560 fffff801`fa9768dd : ffff938d`530f72a0 ffffcb81`a959b604 00000000`00000001 00000000`00000001 : ndis!ndisPnPDispatch+0x149
ffffcb81`a959b5d0 fffff801`fa58bb0e : ffff938d`52fba060 00000000`00000000 ffff938d`55353de0 00000000`00000000 : nt!PnpAsynchronousCall+0xe5
ffffcb81`a959b610 fffff801`fa582ba4 : 00000000`00000000 ffff938d`52fba060 fffff801`fa58c050 fffff801`fa58c050 : nt!PnpSendIrp+0x92
ffffcb81`a959b680 fffff801`fa976117 : ffff938d`52fb9010 ffff938d`55353de0 00000000`00000000 00000000`00000000 : nt!PnpStartDevice+0x88
ffffcb81`a959b710 fffff801`fa940bff : ffff938d`52fb9010 ffffcb81`a959b8e0 00000000`00000000 ffff938d`52fb9010 : nt!PnpStartDeviceNode+0xdb
ffffcb81`a959b7a0 fffff801`fa97ad69 : ffff938d`52fb9010 00000000`00000001 00000000`00000001 ffff938d`52fb9010 : nt!PipProcessStartPhase1+0x53
ffffcb81`a959b7e0 fffff801`faad576a : ffff938d`52fb9010 00000000`00000001 ffffcb81`a959bb19 fffff801`fa97b273 : nt!PipProcessDevNodeTree+0x401
ffffcb81`a959ba60 fffff801`fa63590a : 00000001`00000003 00000000`00000000 fffff801`fa7a7360 fffff801`fa7a7430 : nt!PiRestartDevice+0xba
ffffcb81`a959bab0 fffff801`fa4f7599 : ffff938d`547da040 fffff801`fa7a7320 fffff801`fa847280 fffff801`fa847280 : nt!PnpDeviceActionWorker+0xac1fe
ffffcb81`a959bb80 fffff801`fa547965 : fffff801`fa7cd180 00000000`00000080 ffff938d`526b06c0 ffff938d`547da040 : nt!ExpWorkerThread+0xe9
ffffcb81`a959bc10 fffff801`fa5e5e26 : fffff801`fa7cd180 ffff938d`547da040 fffff801`fa547924 00000000`00000000 : nt!PspSystemThreadStartup+0x41
ffffcb81`a959bc60 00000000`00000000 : ffffcb81`a959c000 ffffcb81`a9596000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Comments

  • Jan_Bottorff Posts: 464
    I’ll take a WAG…

    1) faulting instruction is a memory write
    2) DEFAULT_BUCKET_ID: CODE_CORRUPTION
    3) BUGCHECK_STR: AV

    Perhaps a memory write to code memory? You could look at the faulting destination address, and figure out if that’s a data or code region (execute only).

    Jan

    On 7/14/17, 11:20 AM, "xxxxx@lists.osr.com on behalf of Don Burn" <xxxxx@lists.osr.com on behalf of xxxxx@windrvr.com> wrote:

  • Scott_Noone Posts: 2,989
    !pte on the faulting address would be interesting.

    (Also, PDBs look fine to me)

    -scott
    OSR
    @OSRDrivers

  • Alex_Grig Posts: 3,235
    @Don:
    2 is Execute - instruction fetch fault
  • anton_bassov Posts: 4,777
    <trolling mode>

    If 0 and 1 are the codes for respectively read and write accesses that have caused a page fault, what may the code of 2 for a page fault possibly indicate????

    This is what happens when people lose their ability to think on their own - once the word "undocumented" is synonymous with "no-go-area" in the OP's books, he is already in a sort of "intellectual impasse" every time he encounters something undocumented, no matter how trivial the problem is.


    PS. Sorry, but I could not resist the temptation this time.

    </trolling mode>


    Having said the above, I don't see anything that indicates the invalid instruction fetch.

    The whole thing looks (at least to me) like an attempt to overwrite the stack.


    Please note that the target of the failing write instruction (ffffcb81ab600000) is not that different from the RSP of the failing thread (ffffcb81a959a8a0), i.e. it is just 8304 pages higher in virtual memory. In other words, it seems to fall into the area that is reserved for the kernel thread stacks. Probably, this is how the system responds when a page fault is due to an attempt to write to the memory area that is reserved for the kernel thread stacks....



    Anton Bassov
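Added example, not from the thread or from any of its posters: a small Python script that pulls the pieces the replies argue about out of a pasted !analyze -v excerpt and puts them side by side. It decodes Arg2 with the mapping Alex_Grig gives (0 read, 1 write, 2 execute / instruction fetch), classifies the faulting instruction from its operands, checks whether Arg3 matches the trap-frame rip, and computes the page distance between the referenced address and RSP that Anton reasons about. SAMPLE is a constructed excerpt carrying the values from the dump above; the function names and the mismatch flag are my own, and the closing note merely points at Scott's !pte suggestion rather than deciding the question.

```python
import re

# Constructed excerpt: a trimmed !analyze -v carrying the values from the dump above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: ffffcb81ab600000, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: fffff80a6d419a47, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
rax=ffffcb81ab600000 rbx=0000000000000000 rcx=0000000010000000
rip=fffff80a6d419a47 rsp=ffffcb81a959a8a0 rbp=ffffcb81a959ae90
fffff80a`6d419a47 8908 mov dword ptr [rax],ecx ds:ffffcb81`ab600000=????????
"""

# Arg2 meanings for bug check 0x50: 0 and 1 as the debugger text says,
# 2 = execute (instruction fetch) as Alex_Grig states in the thread.
ACCESS_KIND = {0: "read", 1: "write", 2: "execute"}
PAGE_SIZE = 0x1000


def parse_args(text):
    """Return {n: value} for the Arg1..Arg4 lines of a bugcheck header."""
    return {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)}


def parse_registers(text):
    """Return {name: value} for 'reg=<16 hex digits>' pairs in the trap frame dump."""
    return {name: int(v, 16)
            for name, v in re.findall(r"\b(r[a-z0-9]+)=([0-9a-fA-F]{16})\b", text)}


def parse_faulting_instruction(text):
    """Return (address, mnemonic, operands) from the first WinDbg disassembly line."""
    m = re.search(r"^([0-9a-f]{8})`([0-9a-f]{8}) [0-9a-f]+ (\w+) (.*?)(?: ds:.*)?$",
                  text, re.M)
    if m is None:
        return None
    return int(m.group(1) + m.group(2), 16), m.group(3), m.group(4)


def instruction_access(mnemonic, operands):
    """Classify a mov by which operand is the memory reference (Intel syntax: dst,src)."""
    if mnemonic != "mov":
        return "unknown"
    dst, _, src = operands.partition(",")
    if "[" in dst:
        return "write"
    if "[" in src:
        return "read"
    return "register-only"


def analyze(text):
    """Collect the facts the thread compares: Arg2 decode, instruction kind, rip, RSP distance."""
    args = parse_args(text)
    regs = parse_registers(text)
    insn = parse_faulting_instruction(text)
    arg2 = ACCESS_KIND.get(args[2], "undocumented (%d)" % args[2])
    insn_access = instruction_access(insn[1], insn[2]) if insn else "unknown"
    rsp = regs.get("rsp")
    return {
        "fault_address": args[1],
        "arg2_access": arg2,
        "faulting_ip": args[3],
        "ip_matches_rip": regs.get("rip") == args[3],
        "insn_access": insn_access,
        # An instruction-fetch fault would normally reference the address being
        # executed; here the referenced address is the instruction's data operand,
        # which is why Anton reads the crash as an attempted write instead.
        "fault_is_at_ip": args[1] == args[3],
        "access_mismatch": insn_access != arg2,
        "pages_above_rsp": (args[1] - rsp) // PAGE_SIZE if rsp is not None else None,
    }


def report(text):
    """Human-readable summary, one line per finding."""
    r = analyze(text)
    lines = [
        "referenced address : %016x" % r["fault_address"],
        "Arg2 decodes as    : %s" % r["arg2_access"],
        "faulting insn does : %s" % r["insn_access"],
        "Arg3 == trap rip   : %s" % r["ip_matches_rip"],
        "fault at rip       : %s" % r["fault_is_at_ip"],
        "pages above RSP    : %s" % r["pages_above_rsp"],
    ]
    if r["access_mismatch"]:
        lines.append("NOTE: Arg2 and the instruction disagree; run !pte on the "
                     "referenced address and check which section it lies in "
                     "before trusting either reading.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Paste any !analyze -v excerpt that contains the Arguments block, the trap-frame registers and the faulting disassembly line in place of SAMPLE; the script only needs those three pieces. The mismatch flag is deliberately a prompt, not a verdict: it fires exactly in the situation this thread is about, where the documented-looking decode of Arg2 and the operand form of the faulting instruction point in different directions.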