Bugcheck 7E and CR2 register contains 0000000000000000

Hi All,
I am analyzing a dump with Bugcheck 7E; the following is the !analyze output:

0: kd> !analyze -v

Bugcheck Analysis

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: fffff88001ff7928, Exception Record Address
Arg4: fffff88001ff7190, Context Record Address

Debugging Details:

KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Execute

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on xyz-abc

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 1

Key  : Analysis.Memory.CommitPeak.Mb
Value: 85

Key  : Analysis.System
Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: 0

BUGCHECK_P3: fffff88001ff7928

BUGCHECK_P4: fffff88001ff7190

EXCEPTION_RECORD: fffff88001ff7928 -- (.exr 0xfffff88001ff7928)
ExceptionAddress: 0000000000000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000008
Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000

CONTEXT: fffff88001ff7190 -- (.cxr 0xfffff88001ff7190)
rax=0000000000000001 rbx=0000000000000000 rcx=fffffa800675db00
rdx=0000000000000000 rsi=fffffa8003cc6b50 rdi=fffffa800675db00
rip=0000000000000000 rsp=fffff88001ff7b68 rbp=fffff800026257f8
r8=fffffa8003c71a38 r9=0000000000000000 r10=fffffffffffffffe
r11=fffff800025f9100 r12=fffff88008947790 r13=0000000000000001
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
00000000`00000000 ?? ???
Resetting default scope

PROCESS_NAME: System

EXECUTE_ADDRESS: 0

FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ?? ???

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000008

EXCEPTION_PARAMETER2: 0000000000000000

EXCEPTION_STR: 0xc0000005

IP_IN_FREE_BLOCK: 0

STACK_TEXT:
fffff88001ff7b68 fffff80002460bed : fffff80000000000 fffff80000000001 fffffa8003cc6b00 0000000000000000 : 0x0
fffff88001ff7b70 fffff80002756e40 : 0188fd8141fffffe fffff88001e00180 0000000000000080 0000000000000001 : nt!ExpWorkerThread+0x111
fffff88001ff7c00 fffff800024aeaa6 : fffff88001e00180 fffffa8003cc6b50 fffffa8003cc6040 0000000000000000 : nt!PspSystemThreadStartup+0x194
fffff88001ff7c40 0000000000000000 : fffff88001ff8000 fffff88001ff2000 fffff88001ff6d70 0000000000000000 : nt!KiStartSystemThread+0x16

SYMBOL_NAME: nt!KiStartSystemThread+16

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 6.1.7601.24475

STACK_COMMAND: .cxr 0xfffff88001ff7190 ; kb

FAILURE_BUCKET_ID: X64_0x7E_NULL_IP_nt!KiStartSystemThread+16

OS_VERSION: 7.1.7601.24475

BUILDLAB_STR: win7sp1_ldr

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {5d4dd521-b722-54fe-d47f-6bbdcebd03b4}

Followup: MachineOwner
--------- The following thread shows the KiPageFault:

0: kd> .process fffffa8003c719b0
Implicit process is now fffffa8003c719b0
0: kd> !thread
THREAD fffffa8003cc6b50 Cid 0004.0030 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a000008aa0
Owning Process fffffa8003c719b0 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 46589221 Ticks: 0
Context Switch Count 205578 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.468
Win32 Start Address nt!ExpWorkerThread (0xfffff80002460adc)
Stack Init fffff88001ff7c70 Current fffff88001ff6d70
Base fffff88001ff8000 Limit fffff88001ff2000 Call 0000000000000000
Priority 12 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88001ff61d0 fffff80002563744 : fffffa8004ddfea0 fffff80002415000 fffff800025f9180 fffff800025637e2 : hal!HaliHaltSystem+0x2b
fffff88001ff6200 fffff80002564a9c : fffff80000000004 0000000000000020 000000000000000f fffffa8003cc6b50 : nt!KiBugCheckDebugBreak+0x84
fffff88001ff6260 fffff800024a8ba4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KeBugCheck2+0xcfc
fffff88001ff6930 fffff800027badd4 : 000000000000007e ffffffffc0000005 0000000000000000 fffff88001ff7928 : nt!KeBugCheckEx+0x104
fffff88001ff6970 fffff8000277352c : fffff80002625810 fffff80002455722 000067ee80c3c9fb fffffa8003cc6b50 : nt!PspUnhandledExceptionInSystemThread+0x24
fffff88001ff69b0 fffff80002496f98 : fffffa80049da890 0000000000000000 fffffa80041e5000 0000000000001000 : nt! ?? ::NNGAKEGL::`string'+0x216c
fffff88001ff69e0 fffff800024afddd : fffff800025e55e8 fffff88001ff7c00 0000000000000000 fffff80002415000 : nt!_C_specific_handler+0x8c
fffff88001ff6a50 fffff80002474eb5 : fffff800025e55e8 fffff88001ff6ac8 fffff88001ff7928 fffff80002415000 : nt!RtlpExecuteHandlerForException+0xd
fffff88001ff6a80 fffff8000258f99e : fffff88001ff7928 fffff88001ff7190 fffff88000000000 fffffa800675db00 : nt!RtlDispatchException+0x415
fffff88001ff7160 fffff800024b6f42 : fffff88001ff7928 0000000000000000 fffff88001ff79d0 fffffa8003cc6b50 : nt!KiDispatchException+0x17e
fffff88001ff77f0 fffff800024b4c62 : 0000000000000008 0000000000000000 fffffa8003cc6b00 0000000000000000 : nt!KiExceptionDispatch+0xc2
fffff88001ff79d0 0000000000000000 : fffff80002460bed fffff80000000000 fffff80000000001 fffffa8003cc6b00 : nt!KiPageFault+0x422 (TrapFrame @ fffff88001ff79d0)

Here, as we can see from the call stack, the address that was being accessed is zeroed out, and I have also checked the CR2 register, which also holds a zeroed-out value. I have tried to find the nearby instructions by dumping the rsp register values, but there too I couldn't get any success. Can anyone please guide me on how to proceed?
Thanks and regards

Some code inside a worker thread called a function pointer that was null. Are you using work queue items in your driver? Are you using callbacks of some kind where you might have registered a null pointer? That’s where you need to look.
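To illustrate the failure mode described in this answer, here is an added user-mode C model (not code from the thread or from any Windows component) of a work-queue item whose routine pointer is NULL when the worker thread dequeues it, which is what a call landing at rip=0 under nt!ExpWorkerThread looks like, together with the driver-side check that rejects such an item before it is queued. All type, function and variable names are hypothetical; the real kernel uses WORK_QUEUE_ITEM and a KQUEUE, not this list.

```c
/* Added example, not from the thread: user-mode model of a work-queue item with
 * a NULL routine (the rip=0 call in the dump) and the driver-side check for it. */
#include <stddef.h>
#include <string.h>
typedef void (*worker_routine_t)(void *parameter);
typedef struct work_item {            /* same shape as WORK_QUEUE_ITEM */
    worker_routine_t  routine;
    void             *parameter;
    struct work_item *next;
} work_item_t;

static work_item_t *g_queue_head;     /* model of one ExWorkerQueue list */
static int g_null_routines_seen;      /* dequeued items whose routine was NULL */
static int g_hits;                    /* side effect of the good routine */
static void count_hit(void *parameter) { g_hits += *(int *)parameter; }

/* Guarded enqueue: the driver-side check that rejects a NULL callback. */
int queue_work_item(work_item_t *item) {
    if (item == NULL || item->routine == NULL)
        return -1;                    /* in a driver: fail the request / ASSERT */
    item->next = g_queue_head;
    g_queue_head = item;
    return 0;
}

/* Model of ExpWorkerThread's loop. The kernel calls item->routine unchecked,
 * which is what lands at rip=0; the model counts the NULL case instead. */
int drain_work_queue(void) {
    int ran = 0;
    for (work_item_t *item; (item = g_queue_head) != NULL; ) {
        g_queue_head = item->next;
        if (item->routine == NULL) { g_null_routines_seen++; continue; }
        item->routine(item->parameter);
        ran++;
    }
    return ran;
}

/* Two failure modes: a NULL routine at queue time (caught), and an item zeroed
 * after queueing (memset here; a freed pool block in a driver). Returns 0 on success. */
int run_scenarios(void) {
    int arg = 5;
    work_item_t bad = { NULL, &arg, NULL }, freed = { count_hit, &arg, NULL };
    work_item_t good = { count_hit, &arg, NULL };
    if (queue_work_item(&bad) != -1) return 1;
    if (queue_work_item(&freed) != 0 || queue_work_item(&good) != 0) return 2;
    memset(&freed, 0, sizeof freed);  /* premature free: routine becomes NULL */
    if (drain_work_queue() != 1 || g_hits != 5) return 3;
    return g_null_routines_seen == 1 ? 0 : 4;
}
```

The second scenario is the one the queue-time check cannot catch: the item was valid when queued and its memory was zeroed or reused afterwards, so the pointer to inspect is the work item block the worker thread was holding, not the (zero) return address.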

Hi @Tim_Roberts, thanks for the insight. Yes, we are using work queues and callbacks in our product, and there are a number of modules involved here. Actually, I want to somehow trace into the culprit driver using the rip and rsp pointers, but as we can see rip is zeroed out, and even tracing the call stack pointers does not point to any driver module except nt. As you can see, I have dumped rsp up to some extent, and after that it contains zero values, so I didn't go beyond that.