Tracking down source of WDF_VIOLATION (10d)

WDF_VIOLATION (10d)
The Kernel-Mode Driver Framework was notified that Windows detected an error
in a framework-based driver. In general, the dump file will yield additional
information about the driver that caused this bug check.
Arguments:
Arg1: 0000000000000003, Windows Driver Framework Verifier has encountered a fatal error.
	In particular, an I/O request has been completed, but a framework
	request object cannot be deleted because there are outstanding
	references to the input buffer or the output buffer, or both. The
	driver's IFR will include details on the outstanding references.
Arg2: 000028fc7c2786d8, WDFREQUEST handle
Arg3: 0000000000000001, The number of outstanding references remaining on both buffers.
Arg4: ffffd703749d2db0, Reserved.

STACK_TEXT:  
ffffad06`6d727898 fffff806`574be394     : 00000000`0000010d 00000000`00000003 000028fc`7c2786d8 00000000`00000001 : nt!KeBugCheckEx
ffffad06`6d7278a0 fffff806`5749663b     : ffffd703`83d87920 ffffd703`850108c0 00000000`e000000c fffff806`57581285 : Wdf01000!FxVerifierBugCheckWorker+0x24 [minkernel\wdf\framework\shared\object\fxverifierbugcheck.cpp @ 68]
ffffad06`6d7278e0 fffff806`5744c57f     : 00000000`00000000 fffff806`6d36db32 00000000`00000002 00000000`00000000 : Wdf01000!FxRequest::CompleteInternal+0x4a08b [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 810]
ffffad06`6d727980 fffff806`6d368b32     : fffff806`6d373080 ffffd703`83d87920 00000000`00000002 fffff806`6d3711b8 : Wdf01000!imp_WdfRequestComplete+0x8f [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
ffffad06`6d7279e0 fffff806`6d3611c8     : ffffd703`754aa958 fffff806`00000000 ffffad06`6d727e01 ffffaf80`d56e5500 : TSPIFCQL2600!ResponseQueue_Process_CTIO7+0x426 [C:\Projects\TSPIFCQL2600\TSPIFCQL2600.cpp @ 4046]
ffffad06`6d727a60 fffff806`6d363a9b     : ffffd703`7551df30 ffffad06`6d727e00 ffffaf80`d56e55b0 ffffad06`6d727e00 : TSPIFCQL2600!ATIOAndResponseQueue_Process+0x1c8 [C:\Projects\TSPIFCQL2600\TSPIFCQL2600.cpp @ 1156]
ffffad06`6d727ab0 fffff806`57442d5d     : 000028fc`8c555368 ffffd703`754d2e60 ffffaf80`d3480330 ffffad06`6d727e00 : TSPIFCQL2600!Event_InterruptDPC_ATIOAndResponseQueue+0x5b [C:\Projects\TSPIFCQL2600\TSPIFCQL2600.cpp @ 1094]
ffffad06`6d727ae0 fffff806`5231ee8c     : ffffaf80`d2112180 ffffad06`6d727e00 ffffaf80`d3480bf0 ffffad06`6d727e70 : Wdf01000!FxInterrupt::_InterruptDpcThunk+0x9d [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 410]
ffffad06`6d727b20 fffff806`5231da5d     : ffffaf80`d2112180 00000000`00000000 ffffaf80`00000000 00000000`0139df27 : nt!KiExecuteAllDpcs+0x95c
ffffad06`6d727d00 fffff806`524229d5     : 00000000`00000000 ffffaf80`d2112180 ffffaf80`d3480280 00000000`00000000 : nt!KiRetireDpcList+0x25d
ffffad06`6d727fb0 fffff806`524227c0     : 00000000`00000010 00000000`00000282 ffffad06`70727408 00000000`00000000 : nt!KxRetireDpcList+0x5
ffffad06`707273e0 fffff806`52421eb5     : 00000000`00000002 fffff806`5241b6d1 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
ffffad06`70727410 fffff806`5241b6d1     : 00000000`00000000 00000000`00000000 00000094`cb7ff410 00000000`00000000 : nt!KiDpcInterruptBypass+0x25
ffffad06`70727420 00007fff`05b5cfa4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatch+0xb1
00000094`cb7fef40 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`05b5cfa4

Hi, I’m attempting to track down the source of this error.
This driver doesn’t create any WDFREQUEST objects, it only uses them as provided to it via a framework queue.
It uses WdfRequestRetrieveOutputBuffer and WdfRequestRetrieveInputBuffer, but I don’t think those add a reference.

It uses the various WdfDma* functions such as WdfDmaTransactionInitializeUsingRequest, WdfDmaTransactionGetRequest, WdfDmaTransactionExecute, WdfDmaTransactionRelease, WdfDmaTransactionDmaCompletedFinal.

Could this be caused by double completion of a WDFREQUEST? (I doubt that as I’m pretty sure that would trigger a different error message).

Could this be caused by completing a request while there is still an outstanding DMA transaction on it? (I’m starting to think that may be the case)
If so, what’s the easiest way to check that using WINDBG and the crash dump?

Thanks,
Erik

Ok. Answering my own question here. After further investigation, it looks like it is a case of having a DMA transaction active while completing the request associated with it.

It may not seem like it in the depths of debugging, but that blue screen just saved you from some VERY difficult to find timing-related crashes in the field. Extra credit to the KMDF team for that.