
BSOD on processing destroyed timer

Hello.
From the dump it looks like Windows tries to process an already destroyed object. Can I somehow discover who created that timer?

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff8a00031d158, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003497b20, address which referenced memory


STACK_TEXT:
fffff880`043ff1c8 fffff800`0348b3a9 : 00000000`0000000a fffff8a0`0031d158 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`043ff1d0 fffff800`0348a020 : fffffa80`0d310b00 fffffa80`036d3768 fffffa80`036d3768 fffffa80`03f17808 : nt!KiBugCheckDispatch+0x69
fffff880`043ff310 fffff800`03497b20 : fffffa80`0d7e5120 fffffa80`107b6748 fffffa80`107b6748 fffffa80`03f177a0 : nt!KiPageFault+0x260
fffff880`043ff4a0 fffff800`034979be : 00000006`1e5904a0 fffff880`043ffb18 00000000`00029205 fffff880`043d9628 : nt!KiProcessExpiredTimerList+0x110
fffff880`043ffaf0 fffff800`034977a7 : 00000001`ba9cbfc5 00000001`00029205 00000001`ba9cbf45 00000000`00000005 : nt!KiTimerExpiration+0x1be
fffff880`043ffb90 fffff800`03483b0a : fffff880`043d7180 fffff880`043e1fc0 00000000`00000001 fffff880`00000000 : nt!KiRetireDpcList+0x277
fffff880`043ffc40 00000000`00000000 : fffff880`04400000 fffff880`043fa000 fffff880`043ffc00 00000000`00000000 : nt!KiIdleLoop+0x5a


.trap 0xfffff880043ff310
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=17e499c76c1c0000
rdx=fffff88004369700 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003497b20 rsp=fffff880043ff4a0 rbp=fffffa8003f17808
r8=fffffa80107b66e0 r9=0000000000000008 r10=fffff8000341b000
r11=fffff880043ff470 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
nt!KiProcessExpiredTimerList+0x110:
fffff800`03497b20 f00fba2f07 lock bts dword ptr [rdi],7 ds:00000000`00000000=????????

!pte fffff8a00031d158
VA fffff8a00031d158
PXE at FFFFF6FB7DBEDF88 PPE at FFFFF6FB7DBF1400 PDE at FFFFF6FB7E280008 PTE at FFFFF6FC500018E8
contains 0000000116204863 contains 000000000488C863 contains 000000004881B863 contains AEB00000AA538882
pfn 116204 ---DA--KWEV pfn 488c ---DA--KWEV pfn 4881b ---DA--KWEV not valid

Transition: aa538

Protect: 4 - ReadWrite

Comments

  • Doron_Holan Posts: 10,353
    Does it consistently repro? DV will catch a driver freeing memory that is still enqueued in the timer or DPC list

    Bent from my phone
    ________________________________
    From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
    Sent: Friday, December 1, 2017 4:36:38 AM
    To: Windows System Software Devs Interest List
    Subject: [ntdev] BSOD on processing destroyed timer

  • Thank you for the reply, Doron!
    It reproduces about once per day! I’ll try to get access to this machine
    next week; for now I only have dumps.

    On Fri, 1 Dec 2017 at 18:07, xxxxx@microsoft.com wrote:

  • Scott_Noone Posts: 2,989
    Does !pool fffff8a00031d158 say anything?

    -scott
    OSR
    @OSRDrivers
  • Thank you, Scott!

    !pool fffff8a00031d158
    Pool page fffff8a00031d158 region is Paged pool
    *fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP
    Owning component : Unknown (update pooltag.txt)
    fffff8a00031d1d0 size: 40 previous size: 1d0 (Allocated) MmSm
    fffff8a00031d210 size: 20 previous size: 40 (Allocated) Pp
    fffff8a00031d230 size: 50 previous size: 20 (Allocated) ObNm
    fffff8a00031d280 size: 80 previous size: 50 (Allocated) RngS
    fffff8a00031d300 size: 20 previous size: 80 (Allocated) ObNm
    fffff8a00031d320 size: 80 previous size: 20 (Allocated) Sect (Protected)
    fffff8a00031d3a0 size: 190 previous size: 80 (Allocated) Txsa
    fffff8a00031d530 size: 50 previous size: 190 (Allocated) Ntfo
    fffff8a00031d580 size: 50 previous size: 50 (Allocated) IoNm
    fffff8a00031d5d0 size: 30 previous size: 50 (Allocated) ObDi
    fffff8a00031d600 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031d620 size: 30 previous size: 20 (Allocated) ObDi
    fffff8a00031d650 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031d670 size: 30 previous size: 20 (Allocated) ObDi
    fffff8a00031d6a0 size: 60 previous size: 30 (Allocated) KLna
    fffff8a00031d700 size: 190 previous size: 60 (Allocated) Txsa
    fffff8a00031d890 size: 20 previous size: 190 (Allocated) ABFD
    fffff8a00031d8b0 size: 20 previous size: 20 (Allocated) ABFD
    fffff8a00031d8d0 size: 20 previous size: 20 (Allocated) ABFD
    fffff8a00031d8f0 size: 20 previous size: 20 (Allocated) ABFD
    fffff8a00031d910 size: 20 previous size: 20 (Allocated) ABFD
    fffff8a00031d930 size: a0 previous size: 20 (Allocated) Key (Protected)
    fffff8a00031d9d0 size: a0 previous size: a0 (Allocated) Key (Protected)
    fffff8a00031da70 size: a0 previous size: a0 (Allocated) Key (Protected)
    fffff8a00031db10 size: 10 previous size: a0 (Free) Io
    fffff8a00031db20 size: 30 previous size: 10 (Allocated) ObDi
    fffff8a00031db50 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031db70 size: 40 previous size: 20 (Allocated) NtFs
    fffff8a00031dbb0 size: 150 previous size: 40 (Allocated) NtFs
    fffff8a00031dd00 size: 30 previous size: 150 (Allocated) ObNm
    fffff8a00031dd30 size: 10 previous size: 30 (Free) Key
    fffff8a00031dd40 size: 30 previous size: 10 (Allocated) ObNm
    fffff8a00031dd70 size: 30 previous size: 30 (Allocated) ObDi
    fffff8a00031dda0 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031ddc0 size: 30 previous size: 20 (Allocated) ObNm
    fffff8a00031ddf0 size: 30 previous size: 30 (Allocated) ObDi
    fffff8a00031de20 size: 40 previous size: 30 (Allocated) Symt
    fffff8a00031de60 size: 80 previous size: 40 (Allocated) SeSd
    fffff8a00031dee0 size: 10 previous size: 80 (Free) NtFs
    fffff8a00031def0 size: 30 previous size: 10 (Allocated) Ntf0
    fffff8a00031df20 size: 30 previous size: 30 (Allocated) ObDi
    fffff8a00031df50 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031df70 size: 30 previous size: 20 (Allocated) ObDi
    fffff8a00031dfa0 size: 20 previous size: 30 (Allocated) ObNm
    fffff8a00031dfc0 size: 40 previous size: 20 (Allocated) MmSm



    On Fri, Dec 1, 2017 at 6:29 PM, Scott Noone <xxxxx@lists.osr.com> wrote:

  • Scott_Noone Posts: 2,989
    > !pool fffff8a00031d158
    > Pool page fffff8a00031d158 region is Paged pool
    > *fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP

    Looks like someone allocated a timer out of paged pool (which would be a bad thing).

    Try this and see if you can find the tag in any of the loaded modules:

    !for_each_module "s -a ${@#Base} ${@#End} \"ComP\""

    Any weird third party COM port software loaded? That's just a guess based on
    "ComP" possibly being "ComPort"...

    -scott
    OSR
    @OSRDrivers
  • Thank you very much, Scott!! You are the god of WinDbg!
    It turns out memory for our communication port was allocated from paged
    pool. I didn't know that it should be allocated from non-paged pool,
    since the FltCreateCommunicationPort documentation says nothing of this sort.

    Thank you again Scott ! Your help was invaluable!

    On Fri, Dec 1, 2017 at 6:52 PM, Scott Noone <xxxxx@lists.osr.com> wrote:

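As an added example that is not part of the thread (not OSR's, Microsoft's or the poster's code): a small Python triage script for the step Scott walked the poster through. It parses a `!pool` listing, finds the block that contains the bugcheck's Arg1 address, and flags the combination that resolved this case, an allocation in paged pool touched at DISPATCH_LEVEL (Arg2 = 2). It also walks the block chain, checking that every header starts where the previous block ends and agrees on its size, because a break there is a corruption signal in its own right. The sample listing is the first entries of the `!pool fffff8a00031d158` output posted above, reflowed to one entry per line; the 0x10-byte POOL_HEADER offset assumes x64, and the constant and function names are this script's own.

```python
"""Triage a WinDbg `!pool` listing against a bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL).
Added example for this thread, not OSR's, Microsoft's or the poster's code: it parses
the listing, finds the block containing Arg1, and flags a paged-pool hit at DISPATCH_LEVEL."""
import re
from dataclasses import dataclass

DISPATCH_LEVEL = 2           # IRQL reported as Arg2 in the dump above
POOL_HEADER_SIZE_X64 = 0x10  # POOL_HEADER precedes the caller's data on x64 (assumption: x64 dump)
PAGE_SIZE = 0x1000           # !pool walks one 4 KiB pool page

# First entries of the `!pool fffff8a00031d158` output pasted in the thread
# (reflowed to one entry per line; the full post lists 46 blocks).
SAMPLE_POOL_LISTING = """\
Pool page fffff8a00031d158 region is Paged pool
*fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP
 Owning component : Unknown (update pooltag.txt)
 fffff8a00031d1d0 size: 40 previous size: 1d0 (Allocated) MmSm
 fffff8a00031d210 size: 20 previous size: 40 (Allocated) Pp
 fffff8a00031d230 size: 50 previous size: 20 (Allocated) ObNm
 fffff8a00031d280 size: 80 previous size: 50 (Allocated) RngS
 fffff8a00031d300 size: 20 previous size: 80 (Allocated) ObNm
 fffff8a00031d320 size: 80 previous size: 20 (Allocated) Sect (Protected)
 fffff8a00031d3a0 size: 190 previous size: 80 (Allocated) Txsa
 fffff8a00031d530 size: 50 previous size: 190 (Allocated) Ntfo
 fffff8a00031d580 size: 50 previous size: 50 (Allocated) IoNm
"""

# One pool block line; the leading "*" marks the block !pool found for the queried address.
ENTRY_RE = re.compile(
    r"^\s*\*?(?P<addr>[0-9a-f]{16}) size:\s*(?P<size>[0-9a-f]+)"
    r" previous size:\s*(?P<prev>[0-9a-f]+)\s+\((?P<state>Allocated|Free)\)"
    r"\s+\*?(?P<tag>\S+)(?P<prot>\s+\(Protected\))?", re.IGNORECASE)
REGION_RE = re.compile(r"^Pool page [0-9a-f]+ region is (?P<region>.+?)\s*$", re.IGNORECASE)


@dataclass
class PoolBlock:
    addr: int         # address of the POOL_HEADER, as printed by !pool
    size: int         # block size including the header
    prev_size: int    # size of the preceding block, used for the chain check
    state: str        # "Allocated" or "Free"
    tag: str
    protected: bool

    def contains(self, va: int) -> bool:
        return self.addr <= va < self.addr + self.size


def parse_pool_listing(text: str):
    """Return (pool region or None, blocks in listing order); other lines are ignored."""
    region, blocks = None, []
    for line in text.splitlines():
        if m := REGION_RE.match(line):
            region = m["region"]
        elif m := ENTRY_RE.match(line):
            blocks.append(PoolBlock(int(m["addr"], 16), int(m["size"], 16),
                                    int(m["prev"], 16), m["state"], m["tag"],
                                    m["prot"] is not None))
    return region, blocks


def walk_chain(blocks):
    """Return (contiguous, bytes walked). Every header must start where the previous
    block ends and agree on its size; a break here is itself a corruption signal."""
    if not blocks:
        return False, 0
    for a, b in zip(blocks, blocks[1:]):
        if b.addr != a.addr + a.size or b.prev_size != a.size:
            return False, b.addr - blocks[0].addr
    return True, blocks[-1].addr + blocks[-1].size - blocks[0].addr


def triage(listing: str, referenced: int, irql: int) -> dict:
    """Locate `referenced` (bugcheck Arg1) in the listing and judge the hit."""
    region, blocks = parse_pool_listing(listing)
    contiguous, walked = walk_chain(blocks)
    hit = next((b for b in blocks if b.contains(referenced)), None)
    result = {"region": region, "tag": None, "chain_contiguous": contiguous,
              "full_page_walked": walked == PAGE_SIZE}
    if hit is not None:
        result.update(
            tag=hit.tag, state=hit.state, protected=hit.protected,
            offset_in_data=referenced - hit.addr - POOL_HEADER_SIZE_X64,
            # Paged memory may be paged out; touching it at DISPATCH_LEVEL or above
            # is exactly the fault that bugcheck 0xA reports.
            paged_at_dispatch=irql >= DISPATCH_LEVEL
            and (region or "").lower().startswith("paged"))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_POOL_LISTING, 0xFFFFF8A00031D158, DISPATCH_LEVEL))
```

The script recomputes containment from the address ranges rather than trusting the `*` marker, so it also works on a listing pasted without it. On the truncated sample the walk covers 0x5d0 bytes and `full_page_walked` is false; on the complete listing posted above the sizes add up to exactly 0x1000, ending on the page boundary. The defender's takeaway is the one the thread reaches: anything the kernel touches at DISPATCH_LEVEL on the driver's behalf (a KTIMER, a KDPC, the structure they are embedded in) must live in non-paged memory, and the timer must be cancelled before that memory is freed; Driver Verifier, as Doron notes, catches the free-while-queued case.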