Hi Guys,
I have a passive level driver created thread in my driver which serives requests. Now the thread keeps on running till I , of course decide destroy the device object servicing those requests.
I have a crash and the stack belongs to “the” thread.
It is trying to
ObDereferenceObject(ThreadHandle) <Psterminatesystemthread();
} <
The handle is showing NULL(garbage) in the stack.
The IRQL of the processor is strangely APC_LEVEL instead of PASSIVE at which the thread is supposed to run.
I also have another function waiting on the thread to finish executing like this
KeWaitForSingleObject(ThreadHandle,Executive, KernelMode, FALSE, NULL);
Can I wait on a thread object and also deference the object? Is this causing the panic or is it just the IRQL that has caused problems?
Any help will be greatly appreciated!
1 what is the type of the var ThreadHandle?
2 did you enable driver verifier?
3 what is the output of !analyze -v ?
d
tiny phone keyboard + fat thumbs = you do the muth
-----Original Message-----
From: xxxxx@yahoo.com
Sent: Friday, March 26, 2010 12:56 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] APC level problem (or is it?)
Hi Guys,
I have a passive level driver created thread in my driver which serives requests. Now the thread keeps on running till I , of course decide destroy the device object servicing those requests.
I have a crash and the stack belongs to “the” thread.
It is trying to
ObDereferenceObject(ThreadHandle) <Psterminatesystemthread();
} <
The handle is showing NULL(garbage) in the stack.
The IRQL of the processor is strangely APC_LEVEL instead of PASSIVE at which the thread is supposed to run.
I also have another function waiting on the thread to finish executing like this
KeWaitForSingleObject(ThreadHandle,Executive, KernelMode, FALSE, NULL);
Can I wait on a thread object and also deference the object? Is this causing the panic or is it just the IRQL that has caused problems?
Any help will be greatly appreciated!
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
-
The type of var PVOID i.e. a pointer to the thread handle… after ObReferenceObjectByHandle to the handle returned by PsCreateSystemThread.
-
No I have not used driver verifier!
3)The output of windbg
0: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffffffffffd0, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff80001025acf, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
WRITE_ADDRESS: ffffffffffffffd0
FAULTING_IP:
nt!ObfDereferenceObject+3b
fffff800`01025acf f0480fc13b lock xadd qword ptr [rbx],rdi
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
CURRENT_IRQL: 1
TRAP_FRAME: fffffadf42da2b50 – (.trap 0xfffffadf42da2b50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=fffffadfff432bf0 rcx=0000000000000000
rdx=0000000099a81000 rsi=fffffadfff42d1b0 rdi=00000000deadbeef
rip=fffff80001025acf rsp=fffffadf42da2ce0 rbp=00000000deadbeef
r8=fffffadfff432bf0 r9=0000000000000000 r10=0000000000000000
r11=fffffadfff42d830 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!ObfDereferenceObject+0x3b:
fffff80001025acf f0480fc13b lock xadd qword ptr [rbx],rdi ds:0002:fffffadfff432bf0=0000000000c20006
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800010a6acd to fffff8000102eb50
STACK_TEXT:
fffffadf42da2a78 fffff800010a6acd : 0000000000000050 ffffffffffffffd0 0000000000000001 fffffadf42da2b50 : nt!KeBugCheckEx
fffffadf42da2a80 fffff8000102d719 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0xa1f
fffffadf42da2b50 fffff80001025acf : 0000000000000001 0000000000000000 fffffadfff432bf0 00000000deadbeef : nt!KiPageFault+0x119
fffffadf42da2ce0 fffffadf42653964 : 0000000000000000 fffffadfff42d1b0 fffffadfff432bf0 0000000000000000 : nt!ObfDereferenceObject+0x3b
fffffadf42da2d10 fffff8000124e922 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : Driver!DriverThreadMain+0x11c
fffffadf42da2d70 fffff80001020516 : fffff800011b4180 fffffadfff432bf0 fffff800011b8540 0000000000000001 : nt!PspSystemThreadStartup+0x3e
Ans 2)Type of object
> 1 what is the type of the var ThreadHandle?
2 did you enable driver verifier?
3 what is the output of !analyze -v ?
In fact, there is just no need to either verify or debug anything here . Assuming that ThreadHandle is a handle returned by PsCreateSystemThread() the whole thing is plainly obvious at the first glance - the OP treats a handle like a pointer to the object’s body (i.e KTHREAD), and,certainly, crashes right on the spot…
Anton Bassov
I’m sorry Anton for missing out that detail previously
ThreadHandle is a pointer to the Handle
- The type of var PVOID i.e. a pointer to the thread handle… after
ObReferenceObjectByHandle to the handle returned by PsCreateSystemThread.
You mean the pointer to the thread OBJECT, not HANDLE.
wrote in message news:xxxxx@ntdev…
> I’m sorry Anton for missing out that detail previously
>
> ThreadHandle is a pointer to the Handle
>
> 1) The type of var PVOID i.e. a pointer to the thread handle… after
> ObReferenceObjectByHandle to the handle returned by PsCreateSystemThread.
>
>
>