We have created 2 (pin-oriented) AVStream kernel filters: one that acts as a producer of video data and the other as a consumer. We have also created a test application which creates 4 graphs, and each graph holds such a producer feeding directly into a consumer. When nicely stopping all graphs and releasing the involved objects before exiting this application, there is no problem. However, if the application is killed or it terminates without nice cleanup, we get a BSOD.
I’ve included the crash analysis and some possibly useful additional input below.
Now, this does not happen if I just insert a non-AVStream in-place transform filter - that does nothing - in between the producer and the consumer in each graph. If I understand the various info I found on the Internet correctly, I guess this means that we only hit this if we have a closed AVStream circuit between our two components.
Can anyone offer information on what we could be doing wrong here? All actions on our internal structures are guarded with spinlocks/mutexes and we also don’t get any problems with access to those. So, is there any condition in which we should not be calling KsStreamPointerDelete for a KSSTREAM_POINTER that we acquired with KsStreamPointerClone (from a KSSTREAM_POINTER which was locked) or is there some extra synchronization needed?
Thanks in advance for all your input!
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000048, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002ec7365, address which referenced memory
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 7601.23796.amd64fre.win7sp1_ldr.170427-1518
DUMP_TYPE: 0
BUGCHECK_P1: 48
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff80002ec7365
WRITE_ADDRESS: 0000000000000048
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeAcquireSpinLockRaiseToDpc+55
fffff800`02ec7365 f0480fba2900 lock bts qword ptr [rcx],0
CPU_COUNT: c
CPU_MHZ: ce2
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3f
CPU_STEPPING: 2
CPU_MICROCODE: 6,3f,2,0 (F,M,S,R) SIG: 38'00000000 (cache) 38'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: KNDCLT20376
ANALYSIS_SESSION_TIME: 11-24-2017 14:05:32.0610
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
TRAP_FRAME: fffff88002f1b620 -- (.trap 0xfffff88002f1b620)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=0000000000000048
rdx=fffffa800fe2def0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002ec7365 rsp=fffff88002f1b7b0 rbp=0000000000000048
r8=fffffa80208e6900 r9=0000000000000000 r10=fffff80002e4e000
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!KeAcquireSpinLockRaiseToDpc+0x55:
fffff80002ec7365 f0480fba2900 lock bts qword ptr [rcx],0 ds:0000000000000048=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002faf4a2 to fffff80002eb52f0
STACK_TEXT:
fffff88002f1ad68 fffff80002faf4a2 : 0000000000000048 fffff880009fd1c0 0000000000000065 fffff80002ef9bfc : nt!DbgBreakPointWithStatus
fffff88002f1ad70 fffff80002fb028e : 0000000000000003 0000000000000000 fffff80002efa460 000000000000000a : nt!KiBugCheckDebugBreak+0x12
fffff88002f1add0 fffff80002ebd5c4 : 0000000000000001 fffff880013ae17b 0000000000000000 fffff80002f398f2 : nt!KeBugCheck2+0x71e
fffff88002f1b4a0 fffff80002ebca69 : 000000000000000a 0000000000000048 0000000000000002 0000000000000001 : nt!KeBugCheckEx+0x104
fffff88002f1b4e0 fffff80002ebb6e0 : 0000000000005200 fffff80002eb1ecc 00000000000052f6 0000000000000002 : nt!KiBugCheckDispatch+0x69
fffff88002f1b620 fffff80002ec7365 : fffff880009f2100 0000000000000000 fffff88002f1b901 00000000000bb800 : nt!KiPageFault+0x260
fffff88002f1b7b0 fffff88004a51850 : fffffa800e3c5102 fffff88004a4cea1 0000000000000000 fffffa800fe2def0 : nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff88002f1b800 fffff88004a4cea1 : fffffa800fe2db08 fffffa800d579402 fffffa800e3c5102 fffffa800e3c5102 : ks!KsQueueWorkItem+0x24
fffff88002f1b830 fffff88004a4c487 : fffffa800e3c5010 fffffa800d579402 fffffa80208e6920 fffffa800e3c5010 : ks!CKsPin::Process+0x85
fffff88002f1b860 fffff88004a4c1d1 : fffffa800e3c5010 fffffa800d579408 fffffa800d579320 fffffa80208e6920 : ks!CKsQueue::AddFrame+0x1e7
fffff88002f1b8a0 fffff88004a4b5cc : fffffa8000000000 fffffa800e296a30 fffff88002f1b960 fffffa800ede7f80 : ks!CKsQueue::TransferKsIrp+0x4a1
fffff88002f1b930 fffff88004a4c71f : fffffa800e3c5010 0000000000000000 0000000000000000 fffffa8010b332b8 : ks!KspTransferKsIrp+0x54
fffff88002f1b960 fffff88004a4c7af : fffffa800e296a30 0000000000000002 0000000000000000 00000000020d0102 : ks!CKsQueue::ForwardIrp+0x167
fffff88002f1b9b0 fffff88004a4d17f : fffffa800e296a30 0000000000000000 fffffa800d579320 fffffa801e8d05c0 : ks!CKsQueue::ForwardWaitingIrps+0x5f
fffff88002f1b9e0 fffff88004a4c945 : fffffa801e8d05c0 0000000000000000 0000000000000000 0000000000000000 : ks!CKsQueue::UnlockStreamPointer+0x123
fffff88002f1ba30 fffff880085e5401 : fffffa800ed845f0 0000000000000000 0000057ff127bd00 fffffa801fa623f0 : ks!CKsQueue::DeleteStreamPointer+0xf5
fffff88002f1ba70 fffff880085dd487 : fffffa800ed845f0 fffffa801fa62518 0000057ff127bd08 fffffa801fa62461 : MNA_180_Stream!CEncoderStreamPin::completeFrameDMA+0x85 [d:\devel\compositor3\drivers\avstream\windows\driver\encoderstreampin.cpp @ 584]
fffff88002f1bab0 fffff8800483e9a6 : fffffa800ed845f0 0000057ff1640fd8 0000057ff127bd78 fffffa800ea365d0 : MNA_180_Stream!CMNA1x0Device::dispatchHwISR+0xff [d:\devel\compositor3\drivers\avstream\windows\driver\mna1x0device.cpp @ 720]
fffff88002f1baf0 fffff88000c738a7 : 0000057ff15c9ab8 fffffa800ea36540 fffffa800ea365d0 ffffd3192f2e18e2 : MNA_180+0x29a6
fffff88002f1bb60 fffff80002ec88fc : fffff880009f2180 0000000d88d95ed5 0000000d88d8d675 fffffa800dff7118 : Wdf01000!FxInterrupt::_InterruptDpcThunk+0x8f
fffff88002f1bb90 fffff80002eb51ca : fffff880009f2180 fffff880009fd1c0 0000000000000000 fffff88000c73818 : nt!KiRetireDpcList+0x1bc
fffff88002f1bc40 0000000000000000 : fffff88002f1c000 fffff88002f16000 fffff88002f1bc00 0000000000000000 : nt!KiIdleLoop+0x5a
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: fd14a5e528caf58e85330912312fa94897419379
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 3d96cdb641e3210790d6716bf29cc0bcf8ce424f
THREAD_SHA1_HASH_MOD: 61ed7f98d169b2955416919b0bae7fdaffbb49d6
FOLLOWUP_IP:
ks!KsQueueWorkItem+24
fffff880`04a51850 4c8d4f38 lea r9,[rdi+38h]
FAULT_INSTR_CODE: 384f8d4c
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: ks!KsQueueWorkItem+24
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ks
IMAGE_NAME: ks.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7a3f3
IMAGE_VERSION: 6.1.7601.17514
FAILURE_BUCKET_ID: X64_0xA_ks!KsQueueWorkItem+24
BUCKET_ID: X64_0xA_ks!KsQueueWorkItem+24
PRIMARY_PROBLEM_CLASS: X64_0xA_ks!KsQueueWorkItem+24
TARGET_TIME: 2017-11-24T12:50:55.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 336
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer EmbeddedNT SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-04-28 02:13:49
BUILDDATESTAMP_STR: 170427-1518
BUILDLAB_STR: win7sp1_ldr
BUILDOSVER_STR: 6.1.7601.23796.amd64fre.win7sp1_ldr.170427-1518
ANALYSIS_SESSION_ELAPSED_TIME: 149f
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xa_ks!ksqueueworkitem+24
FAILURE_ID_HASH: {005516bc-4fb8-66d8-b322-cfa8ebdc299a}
Followup: MachineOwner
1: kd> .frame /c 9
09 fffff88002f1b860 fffff88004a4c1d1 ks!CKsQueue::AddFrame+0x1e7
rax=0000000000000002 rbx=fffffa800e3c5010 rcx=0000000000000048
rdx=fffffa800fe2def0 rsi=fffffa800e3c5102 rdi=fffffa80208e6920
rip=fffff88004a4c487 rsp=fffff88002f1b860 rbp=fffffa800d579402
r8=fffffa80208e6900 r9=0000000000000000 r10=fffff80002e4e000
r11=0000000000000002 r12=0000000000000000 r13=fffff88002f1b901
r14=0000000000000000 r15=fffffa800d5793f8
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
ks!CKsQueue::AddFrame+0x1e7:
fffff88004a4c487 ebb3 jmp ks!CKsQueue::AddFrame+0x19c (fffff88004a4c43c)
1: kd> !ks.dump @rbx
Queue fffffa800e3c5010:
Frames Received : 2330
Frames Waiting : 1
Frames Cancelled : 0
And Gate fffffa800fe2dec0 : count = 0, next = 0000000000000000
Frame Gate [AND] fffffa800fe2dec0 : count = 0, next = 0000000000000000
Frame Header fffffa80208e6920:
NextFrameHeaderInIrp = 0000000000000000
OriginalIrp = fffffa800d579320
Mdl = fffffa800e51e200
Irp = fffffa800d579320
StreamHeader = fffffa800ede7f48
FrameBuffer = fffff880062fa040
StreamHeaderSize = 00000000
FrameBufferSize = 000bb800
Context = 0000000000000000
Refcount = 1
1: kd> !ks.dump 0xfffffa800d579320
IRP fffffa800d579320 was adjusted to an object fffffa800fe2dc00
Pin object fffffa800fe2dc00 [CKsPin = fffffa800fe2db00]
Descriptor fffff8a00ae610d0
Context fffffa8010b33000
Id 0
Communication Source
DataFlow Out
Interface Standard Interface
Medium Standard Medium
StreamHdr Size 0
DeviceState KSSTATE_RUN
ClientState KSSTATE_RUN
ResetState KSRESET_END
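As an added illustration (not code from the post or from the driver it describes), a small Python triage helper that parses the STACK_TEXT above in WinDbg's one-frame-per-line `kb` layout and decodes the 0xA arguments: it reports that the write to address 0x48 at DISPATCH_LEVEL is a NULL structure pointer plus a field offset (rcx=0x48 in the trap frame agrees) and that the first non-Microsoft frame on the stack is MNA_180_Stream!CEncoderStreamPin::completeFrameDMA, reached from the WDF interrupt DPC. The set of Microsoft modules and the below-first-page heuristic are assumptions of this example.

```python
import re

# Constructed sample: frames from the post's STACK_TEXT, rejoined into WinDbg's
# one-frame-per-line `kb` layout (Child-SP RetAddr : Args to Child : Call Site).
KB_OUTPUT = r"""
fffff88002f1b7b0 fffff88004a51850 : fffffa800e3c5102 fffff88004a4cea1 0000000000000000 fffffa800fe2def0 : nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff88002f1b800 fffff88004a4cea1 : fffffa800fe2db08 fffffa800d579402 fffffa800e3c5102 fffffa800e3c5102 : ks!KsQueueWorkItem+0x24
fffff88002f1ba30 fffff880085e5401 : fffffa800ed845f0 0000000000000000 0000057ff127bd00 fffffa801fa623f0 : ks!CKsQueue::DeleteStreamPointer+0xf5
fffff88002f1ba70 fffff880085dd487 : fffffa800ed845f0 fffffa801fa62518 0000057ff127bd08 fffffa801fa62461 : MNA_180_Stream!CEncoderStreamPin::completeFrameDMA+0x85 [d:\devel\compositor3\drivers\avstream\windows\driver\encoderstreampin.cpp @ 584]
fffff88002f1baf0 fffff88000c738a7 : 0000057ff15c9ab8 fffffa800ea36540 fffffa800ea365d0 ffffd3192f2e18e2 : MNA_180+0x29a6
fffff88002f1bb60 fffff80002ec88fc : fffff880009f2180 0000000d88d95ed5 0000000d88d8d675 fffffa800dff7118 : Wdf01000!FxInterrupt::_InterruptDpcThunk+0x8f
"""

FRAME_RE = re.compile(r"^(?P<sp>[0-9a-f]{16})\s+(?P<ret>[0-9a-f]{16})\s*:\s*"
                      r"(?P<args>(?:[0-9a-f]{16}\s+){3}[0-9a-f]{16})\s*:\s*(?P<site>.+)$")
SITE_RE = re.compile(r"^(?P<module>[^!+\s\[]+)(?:!(?P<symbol>[^+\s\[]+))?"
                     r"(?:\+0x(?P<offset>[0-9a-f]+))?(?:\s+\[(?P<source>[^\]]+)\])?$")
MICROSOFT_MODULES = {"nt", "hal", "ks", "Wdf01000"}  # assumed set; frames skipped when hunting the owner
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

def parse_kb(text):
    """Turn `kb` output into frame dicts; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        site = SITE_RE.match(m.group("site").strip()) if m else None
        if not site:
            continue
        frames.append({"child_sp": int(m.group("sp"), 16), "ret_addr": int(m.group("ret"), 16),
                       "args": [int(a, 16) for a in m.group("args").split()],
                       "module": site.group("module"), "symbol": site.group("symbol"),
                       "offset": int(site.group("offset") or "0", 16), "source": site.group("source")})
    return frames

def classify_bugcheck_0a(arg1, arg2, arg3):
    """Decode the IRQL_NOT_LESS_OR_EQUAL arguments printed by !analyze."""
    op = "execute" if arg3 & 0x8 else ("write" if arg3 & 0x1 else "read")
    # Heuristic: an address inside the first page is never a valid kernel pointer;
    # it is almost always NULL plus the offset of the structure field being touched.
    null_plus_offset = arg1 < 0x1000
    return {"address": arg1, "irql": IRQL_NAMES.get(arg2, hex(arg2)), "operation": op,
            "field_offset": arg1 if null_plus_offset else None}

def first_third_party_frame(frames):
    """The frame ownership is usually assigned to: the first non-Microsoft module on the stack."""
    return next((f for f in frames if f["module"] not in MICROSOFT_MODULES), None)
```

Running `classify_bugcheck_0a(0x48, 2, 1)` on the post's arguments yields a DISPATCH_LEVEL write at field offset 0x48, and `first_third_party_frame(parse_kb(KB_OUTPUT))` returns the completeFrameDMA frame with its source line.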