Hi,
I have got several minidumps from two different users (XP SP3).
Both crash in the RtlPrefixUnicodeString API; the source/destination buffers are
in memory and valid:
kd> db f4d95da6 L10
f4d95da6 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 4d 00 D.e.v.i.c.e..M.
kd> db e2bdc4ca L10
e2bdc4ca 44 00 65 00 76 00 69 00-63 00 65 00 5c 00 48 00 D.e.v.i.c.e..H.
RtlPrefixUnicodeString has already read the first WORDs from these buffers (into
DX and SI) and the crash occurred on the CMP DX,SI instruction. Memory should be
valid (both WORDs were read). The instructions around the faulting IP seem OK too.
What do you think, guys?
Thanks, Petr
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805db95e, The address that the exception occurred at
Arg3: f758f64c, Trap Frame
Arg4: 00000000
FAULTING_IP:
nt!RtlPrefixUnicodeString+4b
805db95e 663bd6 cmp dx,si
TRAP_FRAME: f758f64c -- (.trap 0xfffffffff758f64c)
ErrCode = 00000000
eax=c1062004 ebx=e2bdc4cc ecx=e2bdc48c edx=00000044 esi=805d0044 edi=f4d95da8
eip=805db95e esp=f758f6c0 ebp=f758f6cc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010286
nt!RtlPrefixUnicodeString+0x4b:
805db95e 663bd6 cmp dx,si
kd> u eip-0n10 L0n12
nt!RtlPrefixUnicodeString+0x41:
805db954 668b17 mov dx,word ptr [edi]
805db957 668b33 mov si,word ptr [ebx]
805db95a 47 inc edi
805db95b 47 inc edi
805db95c 43 inc ebx
805db95d 43 inc ebx
805db95e 663bd6 cmp dx,si <<<<<<
805db961 897d10 mov dword ptr [ebp+10h],edi
805db964 895d0c mov dword ptr [ebp+0Ch],ebx
805db967 750e jne nt!RtlPrefixUnicodeString+0x5a (805db977)
805db969 ff4d08 dec dword ptr [ebp+8]
805db96c 75e6 jne nt!RtlPrefixUnicodeString+0x41 (805db954)
callstack:
f758f6cc f4d35e90 nt!RtlPrefixUnicodeString+0x4b
f758f6fc f4d2669c aswSnx!IsFileNameInTarget+0x1c8
[d:\avast800\drivers\aswsnx\files.cpp @ 305]
f758f738 f7905c3f aswSnx!SnxGenerateFileName+0x64
[d:\avast800\drivers\aswsnx\snx.cpp @ 1190]
f758f768 f790818e fltMgr!FltpCallOpenedFileNameHandler+0x45
f758f784 f790876b fltMgr!FltpGetNormalizedFileNameWorker+0xc4
f758f79c f79062a2 fltMgr!FltpGetNormalizedFileName+0x19
f758f7b4 f7906365 fltMgr!FltpCreateFileNameInformation+0x84
f758f7c4 f78f6e0a fltMgr!CreateTemporaryFileNameInformation+0xf
f758f7f0 f78f7366 fltMgr!FltpGetFileNameInformation+0xaa
f758f818 f06c5c73 fltMgr!FltGetFileNameInformation+0x114
kd> lmvm nt
start end module name
804d7000 806ef180 nt (pdb symbols)
c:\windows\symbols\ntoskrnl.pdb\754D4664AD754F69AB434EB0E8B41C7C2\ntoskrnl.pdb
Loaded symbol image file: ntoskrnl.exe
Mapped memory image file:
c:\windows\symbols\ntoskrnl.exe\5137ED2C218180\ntoskrnl.exe
Image path: ntoskrnl.exe
Image name: ntoskrnl.exe
Timestamp: Thu Mar 07 02:28:12 2013 (5137ED2C)
CheckSum: 00222397
ImageSize: 00218180
File version: 5.1.2600.6368
Product version: 5.1.2600.6368
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0c0a.04b0
CompanyName: Microsoft Corporation
ProductName: Sistema operativo Microsoft® Windows®
InternalName: ntoskrnl.exe
OriginalFilename: ntoskrnl.exe
ProductVersion: 5.1.2600.6368
FileVersion: 5.1.2600.6368 (xpsp_sp3_gdr.130307-0422)
FileDescription: Sistema y núcleo de Windows NT
LegalCopyright: Copyright (C) Microsoft Corporation. Reservados todos los derechos.
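As an added example, not part of Petr's post or of any Microsoft or avast code: the checks a practitioner would run on the quoted trap frame before trusting it. The register values, EFLAGS, error code, buffer addresses and buffer contents are copied from the dump above; the x86 flag semantics of `inc r32` and `cmp r16,r16`, the page-fault error-code bit layout and the ModRM decoding are modelled here. The check names (`CHK_*`), the `TrapFrame` struct and `analyse_trap` are this example's own inventions. It shows that the frame is internally consistent: EDI/EBX have advanced by one WCHAR past the dumped buffers, DX/SI hold the first WCHARs (the upper half of ESI is just stale, because the `66`-prefixed `mov si,[ebx]` writes only 16 bits), the arithmetic flags are exactly those left by the preceding `inc ebx` rather than by the `cmp` (which would have set ZF), RF is set as it is for any fault, the error code describes a supervisor read of a non-present page, and the faulting instruction `66 3B D6` has a register-direct ModRM and therefore performs no data access of its own.

```c
/* Trap-frame consistency checks for the crash quoted above (added example). */
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bits */
#define CF (1u << 0)
#define PF (1u << 2)
#define AF (1u << 4)
#define ZF (1u << 6)
#define SF (1u << 7)
#define OF (1u << 11)
#define RF (1u << 16)            /* resume flag: set by the CPU in the EFLAGS image pushed for a fault */

/* #PF error code bits (Intel SDM vol. 3) */
#define PF_P   (1u << 0)         /* 0 = page not present */
#define PF_WR  (1u << 1)         /* 0 = read access */
#define PF_US  (1u << 2)         /* 0 = supervisor mode */
#define PF_ID  (1u << 4)         /* 1 = instruction fetch (only with NX enabled) */

typedef struct { uint32_t eip, efl, errcode, edx, esi, edi, ebx; } TrapFrame;

/* Values copied from the .trap output in the post. */
static const TrapFrame kFrame = { 0x805db95e, 0x00010286, 0x00000000,
                                  0x00000044, 0x805d0044, 0xf4d95da8, 0xe2bdc4cc };
/* The two buffers as shown by `db`: L"Device\M..." and L"Device\H..." */
static const uint32_t kBuf1Addr = 0xf4d95da6, kBuf2Addr = 0xe2bdc4ca;
static const uint16_t kBuf1[] = { 'D','e','v','i','c','e','\\','M' };
static const uint16_t kBuf2[] = { 'D','e','v','i','c','e','\\','H' };
static const uint8_t  kFaultingBytes[] = { 0x66, 0x3B, 0xD6 };   /* cmp dx,si */

/* PF is set when the low byte of the result has an even number of 1 bits. */
static unsigned parity_even(uint32_t v) {
    unsigned n = 0;
    for (unsigned i = 0; i < 8; i++) n += (v >> i) & 1;
    return (n & 1) == 0;
}

/* Flags written by INC r32 (CF is left untouched, so it is not part of the result). */
static uint32_t flags_after_inc32(uint32_t before) {
    uint32_t r = before + 1, f = 0;
    if (r == 0)                 f |= ZF;
    if (r & 0x80000000u)        f |= SF;
    if (parity_even(r))         f |= PF;
    if ((before & 0xF) + 1 > 0xF) f |= AF;
    if (before == 0x7FFFFFFFu)  f |= OF;
    return f;
}

/* Flags written by CMP r16,r16 (computes a - b, discards the result). */
static uint32_t flags_after_cmp16(uint16_t a, uint16_t b) {
    uint16_t r = (uint16_t)(a - b);
    uint32_t f = 0;
    if (a < b)                  f |= CF;
    if (r == 0)                 f |= ZF;
    if (r & 0x8000)             f |= SF;
    if (parity_even(r))         f |= PF;
    if ((a & 0xF) < (b & 0xF))  f |= AF;
    if (((a ^ b) & (a ^ r)) & 0x8000) f |= OF;
    return f;
}

/* ModRM mod field == 11b means both operands are registers: no memory access. */
static int modrm_is_register_direct(uint8_t modrm) { return (modrm >> 6) == 3; }

enum {
    CHK_REGS_MATCH_BUFFERS = 1,   /* edi/ebx one WCHAR past the buffers, dx/si hold buf[0] */
    CHK_CMP_NOT_EXECUTED   = 2,   /* arithmetic flags are those of `inc ebx`, not of the cmp */
    CHK_CMP_WOULD_MATCH    = 4,   /* cmp dx,si would set ZF, so jne would not be taken */
    CHK_RF_SET             = 8,   /* EFLAGS image carries RF, as for any fault */
    CHK_SUPERVISOR_READ_NP = 16,  /* error code 0: supervisor read of a non-present page */
    CHK_NO_MEM_OPERAND     = 32   /* faulting instruction has a register-direct ModRM */
};

/* Returns the bitmask of checks that pass against the given frame and buffer addresses. */
int analyse_trap(const TrapFrame *t, uint32_t buf1, uint32_t buf2) {
    int r = 0;
    uint16_t dx = (uint16_t)t->edx;
    uint16_t si = (uint16_t)t->esi;   /* mov si,[ebx] wrote only the low 16 bits; 805d above is stale */
    if (t->edi == buf1 + 2 && t->ebx == buf2 + 2 && dx == kBuf1[0] && si == kBuf2[0])
        r |= CHK_REGS_MATCH_BUFFERS;
    /* ebx - 1 is the value before the last `inc ebx`, the last flag-writing instruction before eip. */
    if ((t->efl & (PF | AF | ZF | SF | OF)) == flags_after_inc32(t->ebx - 1))
        r |= CHK_CMP_NOT_EXECUTED;
    if (flags_after_cmp16(dx, si) & ZF)               r |= CHK_CMP_WOULD_MATCH;
    if (t->efl & RF)                                  r |= CHK_RF_SET;
    if ((t->errcode & (PF_P | PF_WR | PF_US | PF_ID)) == 0) r |= CHK_SUPERVISOR_READ_NP;
    if (kFaultingBytes[0] == 0x66 && kFaultingBytes[1] == 0x3B &&
        modrm_is_register_direct(kFaultingBytes[2]))  r |= CHK_NO_MEM_OPERAND;
    return r;
}

int main(void) {
    int m = analyse_trap(&kFrame, kBuf1Addr, kBuf2Addr);
    printf("regs match buffers:      %s\n", (m & CHK_REGS_MATCH_BUFFERS) ? "yes" : "no");
    printf("cmp not yet executed:    %s\n", (m & CHK_CMP_NOT_EXECUTED)   ? "yes" : "no");
    printf("cmp would set ZF:        %s\n", (m & CHK_CMP_WOULD_MATCH)    ? "yes" : "no");
    printf("RF set in EFLAGS:        %s\n", (m & CHK_RF_SET)             ? "yes" : "no");
    printf("supervisor read, not-P:  %s\n", (m & CHK_SUPERVISOR_READ_NP) ? "yes" : "no");
    printf("no memory operand:       %s\n", (m & CHK_NO_MEM_OPERAND)     ? "yes" : "no");
    return 0;
}
```

Run it as-is to see all six checks pass for the quoted frame; replacing the constants with values from another dump turns it into a quick first-pass filter for whether a reported faulting IP and register set can actually belong together.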