BSoD in wdf01000.sys

Hi all,

I encounter a BSOD in wdf01000.sys and it is hard to debug.
My driver is a mobile broadband driver on Win 7 based on WDM, and the lower driver is written in WDF; the coinstaller version is 1.9.

I hope somebody can help me clarify this issue. Thanks in advance for any help!
The memory dump is attached:

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000420, 828a9dc8, 807e2d8c, 0}

Probably caused by : Wdf01000.sys ( Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
828a9394 cc int 3
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000420, The exception code that was not handled
Arg2: 828a9dc8, The address that the exception occurred at
Arg3: 807e2d8c, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000420 -

FAULTING_IP:
nt!KeAccumulateTicks+316
828a9dc8 cd2c int 2Ch

TRAP_FRAME: 807e2d8c -- (.trap 0xffffffff807e2d8c)
ErrCode = 00000000
eax=00000000 ebx=00000c9d ecx=00000001 edx=000000d7 esi=807c2120 edi=00026161
eip=828a9dc8 esp=807e2e00 ebp=807e2e20 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeAccumulateTicks+0x316:
828a9dc8 cd2c int 2Ch
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: iexplore.exe

CURRENT_IRQL: 1c

LAST_CONTROL_TRANSFER: from 8291ae71 to 828a9394

STACK_TEXT:
807e24bc 8291ae71 00000003 a7f85586 00000065 nt!RtlpBreakWithStatusInstruction
807e250c 8291b96d 00000003 807e2910 00000000 nt!KiBugCheckDebugBreak+0x1c
807e28d0 8291ad10 0000008e c0000420 828a9dc8 nt!KeBugCheck2+0x68b
807e28f4 828fb372 0000008e c0000420 828a9dc8 nt!KeBugCheckEx+0x1e
807e2d1c 82882016 807e2d38 00000000 807e2d8c nt!KiDispatchException+0x1ac
807e2d84 82881fb2 807e2e20 828a9dca badb0d00 nt!CommonDispatchException+0x4a
807e2dd0 828a9b79 ffffffff 00000030 00026161 nt!Kei386EoiHelper+0x17a
807e2e20 828a9342 00002711 00000000 00003600 nt!KeAccumulateTicks+0xc8
807e2e60 8280a430 00000002 000000d1 807e2ee8 nt!KeUpdateRunTime+0x145
807e2e60 82fb257c 00000002 000000d1 807e2ee8 hal!HalpClockInterruptPn+0x158
807e2ee8 82fb26c4 00000000 807e2f0c 807e2f04 Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+0x12
807e2ef8 82facfbe 807e2f0c 807e2f20 82fbf8f3 Wdf01000!FxIrpQueue::GetNextRequest+0xf
807e2f04 82fbf8f3 85cb2e64 85cb2f90 85cb2e00 Wdf01000!FxRequest::GetNextRequest+0x11
807e2f20 82fc0bb3 85cb2e02 00000000 85cb2e00 Wdf01000!FxIoQueue::DispatchEvents+0x305
807e2f3c 82fc0c48 84943c94 807e2fa4 828a63b5 Wdf01000!FxIoQueue::DeferredDispatchRequestsFromDpc+0x26
807e2f48 828a63b5 85cb2f90 85cb2e00 00000000 Wdf01000!FxIoQueue::_DeferredDispatchDpcThunk+0x2d
807e2fa4 828a6218 807c2120 84943c10 00000000 nt!KiExecuteAllDpcs+0xf9
807e2ff4 828a59dc 91c6b6d8 00000000 00000000 nt!KiRetireDpcList+0xd5
807e2ff8 91c6b6d8 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
WARNING: Frame IP not in any known module. Following frames may be wrong.
828a59dc 00000000 0000001a 00d6850f bb830000 0x91c6b6d8

STACK_COMMAND: kb

FOLLOWUP_IP:
Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12
82fb257c 85c0 test eax,eax

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Wdf01000

IMAGE_NAME: Wdf01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf28

FAILURE_BUCKET_ID: 0x8E_Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12

BUCKET_ID: 0x8E_Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12

Followup: MachineOwner
---------

Hmmmm…

Did you !wdfkd.wdflogdump ??

Peter
OSR

xxxxx@hotmail.com wrote:

I encounter a BSOD in wdf01000.sys and it is hard to debug.

Not really, once you have the tools. I’m expanding just a bit on
Peter’s hint, which was exactly right.

My driver is a mobile broadband driver on Win 7 based on WDM, and the lower driver is written in WDF; the coinstaller version is 1.9.

I hope somebody can help me clarify this issue. Thanks in advance for any help!
The memory dump is attached:

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000420, 828a9dc8, 807e2d8c, 0}

Probably caused by : Wdf01000.sys ( Wdf01000!FxIrpQueue::RemoveNextIrpFromQueue+12 )

C0000420 is STATUS_ASSERTION_FAILURE. The KMDF code always describes
its assertions in its log. !load wdfkd, then !wdftmffile to file the
wdf01009.tmf file, then !wdflogdump with your driver name.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The stack looks like the DPC is running for too long. Find out why.

Thanks all.
I wasn't aware of that; I will debug it with the WDF log dump.

Sorry to come back to this thread and ask about a different BSoD.

I reproduced this issue and got another BSoD. I dumped the bugcheck and pasted pieces of code here,
and have the following questions:

1. Which case causes the write request to dump "FxIoQueue::CanThreadDispatchEventsLocked ..."?
Does it matter that the queue is of Sequential type?

2. I checked the dump file to retrieve the parameters of the IoCallDriver function. It looks like the Irp is correct (it has buffer memory, no NULL pointer, and is almost the same as the normal Irps I had sent). In this case, did the crash happen in MBNet620.sys (WDM) or in myserial.sys (WDF)? What I see is that MBNet620.sys sends a normal WRITE Irp to myserial.sys and then it crashes in wdf01000.sys. (I am not blaming WDF, I just wish to clarify and solve the BSoD :) , and the WDF log is not so informative.)

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000060, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 828c190e, address which referenced memory
Debugging Details:

WRITE_ADDRESS: 00000060
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeInsertQueueApc+60
828c190e 8701 xchg eax,dword ptr [ecx]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: 8a30b46c -- (.trap 0xffffffff8a30b46c)
ErrCode = 00000002
eax=00000001 ebx=00000060 ecx=00000060 edx=00000000 esi=84b0c818 edi=00000000
eip=828c190e esp=8a30b4e0 ebp=8a30b500 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!KeInsertQueueApc+0x60:
828c190e 8701 xchg eax,dword ptr [ecx] ds:0023:00000060=???
Resetting default scope
LAST_CONTROL_TRANSFER: from 828e3e71 to 82872394
STACK_TEXT:
8a30b034 828e3e71 00000003 adaef7f7 00000065 nt!RtlpBreakWithStatusInstruction
8a30b084 828e496d 00000003 00000060 828c190e nt!KiBugCheckDebugBreak+0x1c
8a30b44c 8284d7eb 0000000a 00000060 00000002 nt!KeBugCheck2+0x68b
8a30b44c 828c190e 0000000a 00000060 00000002 nt!KiTrap0E+0x2cf
8a30b500 8286fdff 84b0c818 00000000 00000000 nt!KeInsertQueueApc+0x60
8a30b54c 8804f08c 84b0c920 84b44190 84b0c7d8 nt!IopfCompleteRequest+0x3f4
8a30b57c 8804f1f0 84b0c7d8 84aaae00 84b14850 Wdf01000!FxPkgGeneral::OnCreate+0x25b
8a30b598 88045a3f 84b0c7d8 8a30b5bc 828434bc Wdf01000!FxPkgGeneral::Dispatch+0xc3
8a30b5a4 828434bc 84b14850 84b0c7d8 01000102 Wdf01000!FxDevice::Dispatch+0x7f
8a30b5bc 9461aa5d 84b0c7d8 8a30b5e4 9461906f nt!IofCallDriver+0x63
8a30b5c8 9461906f 84c3e7e0 84b0c7d8 9462e2d4 MBNet620!CallDriver+0x1d [e:\ioproxy\irpgate.c @ 164]
8a30b5e4 94618e6e 84c3e7e0 8a30b664 000001a1 MBNet620!Write+0xaf [e:\ioproxy\write.c @ 87]
8a30b600 94604d96 84c3e7e0 8a30b664 000001a1 MBNet620!Send+0x1e [e:\ioproxy\ioproxy.c @ 111]
8a30b638 94604ec6 84c3e7e0 8a30b664 000001a1 MBNet620!HWWrite+0x66 [e:\ndis6x\mphal.c @ 320]
8a30bc5c 94605e6c 854bc380 8a30bc90 84d69a08 MBNet620!HWDeliver+0xd6 [e:\ndis6x\mphal.c @ 409]
8a30bc94 94603cdf 854bc380 84ae707c 84c4d8e8 MBNet620!HWProgramDmaForSend+0x19c [e:\ndis6x\mphal.c @ 1744]
8a30bcc8 94607cef 854bc380 854bcddc 849f9820 MBNet620!TXTransmitQueuedSendsWorker+0xcf [e:\ndis6x\datapath.c @ 411]
8a30bcdc 8848f30a 854bcddc 85be6bd8 8a30bd00 MBNet620!MBWorkItemWorker+0x2f [e:\ndis6x\workitem.c @ 125]
8a30bcec 82a277b5 84bf3028 85be6bd8 847dd1d8 ndis!ndisDispatchIoWorkItem+0xf
8a30bd00 82874f2b 84aaae00 00000000 847dd1d8 nt!IopProcessWorkItem+0x23
8a30bd50 82a1566d 00000000 adaefae3 00000000 nt!ExpWorkerThread+0x10d
8a30bd90 828c70d9 82874e1e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND: kb

FOLLOWUP_IP:
MBNet620!CallDriver+1d [e:\ioproxy\irpgate.c @ 164]
9461aa5d 8945fc mov dword ptr [ebp-4],eax

FAULTING_SOURCE_CODE:
160: NTSTATUS status;
161:
162: Pending(gate);
163:

164: status = IoCallDriver(gate->devObject, Irp);
165:
166: if (STATUS_PENDING != status)
167: {
168: UnPending(gate);
169: }

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: MBNet620!CallDriver+1d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MBNet620

IMAGE_NAME: MBNet620.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4e55d96f

FAILURE_BUCKET_ID: 0xA_MBNet620!CallDriver+1d

BUCKET_ID: 0xA_MBNet620!CallDriver+1d

Followup: MachineOwner

0: kd> !wdfdriverinfo myserial 3ff

Default driver image name: myserial
WDF library image name: Wdf01000
FxDriverGlobals 0x84b44190
WdfBindInfo 0x947dd004
Version v1.9 build(7600)

Driver Handles:
dt FxDriver 0x8495F440 : !WDFDRIVER 0x7b6a0bb8
dt FxDevice 0x84ACA528 : !WDFDEVICE 0x7b535ad0 Context 84aca6f0 Cleanup 947cd1a0
dt FxDefaultIrpHandler 0x85BED570 : WDF INTERNAL
dt FxPkgGeneral 0x85610D40 : WDF INTERNAL
dt FxWmiIrpHandler 0x8498EB78 : WDF INTERNAL
dt FxPkgIo 0x856A0CE0 : WDF INTERNAL
dt FxIoQueue 0x8636FBE0 : !WDFQUEUE 0x79c90418
dt FxIoQueue 0x8488DD08 : !WDFQUEUE 0x7b7722f0
dt FxIoQueue 0x849A6770 : !WDFQUEUE 0x7b659888
dt FxIoQueue 0x84B06B18 : !WDFQUEUE 0x7b4f94e0
dt FxIoQueue 0x84885010 : !WDFQUEUE 0x7b77afe8
dt FxIoQueue 0x84A7A010 : !WDFQUEUE 0x7b585fe8
dt FxPkgFdo 0x84AD4728 : WDF INTERNAL
dt FxCmResList 0x84983560 : !WDFCMRESLIST 0x7b67ca98
dt FxCmResList 0x84B51300 : !WDFCMRESLIST 0x7b4aecf8
dt FxChildList 0x856A0E60 : !WDFCHILDLIST 0x7a95f198
dt FxIoTarget 0x85BA7318 : !WDFIOTARGET 0x7a458ce0
dt FxSpinLock 0x86084780 : !WDFSPINLOCK 0x79f7b878
dt FxSpinLock 0x865395C8 : !WDFSPINLOCK 0x79ac6a30
dt FxSpinLock 0x86576730 : !WDFSPINLOCK 0x79a898c8
dt FxSpinLock 0x85F6E920 : !WDFSPINLOCK 0x7a0916d8
dt FxSpinLock 0x84B133A0 : !WDFSPINLOCK 0x7b4ecc58
dt FxWaitLock 0x865D3A80 : !WDFWAITLOCK 0x79a2c578
dt FxTimer 0x84A32728 : !WDFTIMER 0x7b5cd8d0 Context 84a327e8
dt FxTimer 0x86562128 : !WDFTIMER 0x79a9ded0 Context 865621e8
dt FxTimer 0x86575AD0 : !WDFTIMER 0x79a8a528 Context 86575b90
dt FxDpc 0x855D6C00 : !WDFDPC 0x7aa293f8
dt FxDpc 0x8631B638 : !WDFDPC 0x79ce49c0
dt FxString 0x84B0E4D8 : !WDFSTRING 0x7b4f1b20
dt FxUsbDevice 0x84A807A0 : !WDFUSBDEVICE 0x7b57f858
dt FxUsbInterface 0x84A77A90 : !WDFUSBINTERFACE 0x7b588568
dt FxUsbPipe 0x84A320E8 : !WDFUSBPIPE 0x7b5cdf10 Context 84c39ad0
dt FxUsbPipe 0x84AA3BA8 : !WDFUSBPIPE 0x7b55c450 Context 84c39c30
dt FxUsbPipe 0x85AC73B8 : !WDFUSBPIPE 0x7a538c40 Context 84c46108
dt FxObject 0x85833A48 : !WDFMEMORY 0x7a7cc5b0
dt FxFileObject 0x865A2290 : !WDFFILEOBJECT 0x79a5dd68
dt FxDevice 0x84AFC7F8 : !WDFDEVICE 0x7b503800 Context 84afc9c0 Cleanup 947cd1a0
dt FxDefaultIrpHandler 0x864F5E08 : WDF INTERNAL
dt FxPkgGeneral 0x862E1B20 : WDF INTERNAL
dt FxWmiIrpHandler 0x8495CA70 : WDF INTERNAL
dt FxPkgIo 0x85BD54F0 : WDF INTERNAL
dt FxIoQueue 0x865775C0 : !WDFQUEUE 0x79a88a38
dt FxIoQueue 0x84AA59F8 : !WDFQUEUE 0x7b55a600
dt FxIoQueue 0x864B0DD8 : !WDFQUEUE 0x79b4f220
dt FxIoQueue 0x84A1D190 : !WDFQUEUE 0x7b5e2e68
dt FxIoQueue 0x864B8218 : !WDFQUEUE 0x79b47de0
dt FxIoQueue 0x8495F998 : !WDFQUEUE 0x7b6a0660
dt FxPkgFdo 0x84A159F8 : WDF INTERNAL
dt FxCmResList 0x84C24708 : !WDFCMRESLIST 0x7b3db8f0
dt FxCmResList 0x86054E30 : !WDFCMRESLIST 0x79fab1c8
dt FxChildList 0x84ACE848 : !WDFCHILDLIST 0x7b5317b0
dt FxIoTarget 0x84AE41B0 : !WDFIOTARGET 0x7b51be48
dt FxSpinLock 0x84BCF730 : !WDFSPINLOCK 0x7b4308c8
dt FxSpinLock 0x86109130 : !WDFSPINLOCK 0x79ef6ec8
dt FxSpinLock 0x85BE3360 : !WDFSPINLOCK 0x7a41cc98
dt FxSpinLock 0x8611A898 : !WDFSPINLOCK 0x79ee5760
dt FxSpinLock 0x8657F420 : !WDFSPINLOCK 0x79a80bd8
dt FxWaitLock 0x8657D168 : !WDFWAITLOCK 0x79a82e90
dt FxTimer 0x84AF3640 : !WDFTIMER 0x7b50c9b8 Context 84af3700
dt FxTimer 0x8495FBA8 : !WDFTIMER 0x7b6a0450 Context 8495fc68
dt FxTimer 0x8494C9C8 : !WDFTIMER 0x7b6b3630 Context 8494ca88
dt FxDpc 0x84A37C68 : !WDFDPC 0x7b5c8390
dt FxDpc 0x848DA8D0 : !WDFDPC 0x7b725728
dt FxString 0x85BE18C8 : !WDFSTRING 0x7a41e730
dt FxUsbDevice 0x848BE890 : !WDFUSBDEVICE 0x7b741768
dt FxUsbInterface 0x857019A8 : !WDFUSBINTERFACE 0x7a8fe650
dt FxUsbPipe 0x84962308 : !WDFUSBPIPE 0x7b69dcf0 Context 84c39a20
dt FxUsbPipe 0x85556010 : !WDFUSBPIPE 0x7aaa9fe8 Context 84c39ce0
dt FxObject 0x84BA7010 : !WDFMEMORY 0x7b458fe8
dt FxFileObject 0x86579E80 : !WDFFILEOBJECT 0x79a86178
dt FxDevice 0x84AE2720 : !WDFDEVICE 0x7b51d8d8 Context 84ae28e8
dt FxDefaultIrpHandler 0x84B0DEA0 : WDF INTERNAL
dt FxPkgGeneral 0x849BEB28 : WDF INTERNAL
dt FxWmiIrpHandler 0x848E87C0 : WDF INTERNAL
dt FxPkgIo 0x84A1EE00 : WDF INTERNAL
dt FxPkgPdo 0x84BD1010 : WDF INTERNAL
dt FxCmResList 0x857DC620 : !WDFCMRESLIST 0x7a8239d8
dt FxCmResList 0x86581E80 : !WDFCMRESLIST 0x79a7e178
dt FxRequest 0x849B41D0 : !WDFREQUEST 0x7b64be28
dt FxRequest 0x84AF3558 : !WDFREQUEST 0x7b50caa0
dt FxRequest 0x862A6998 : !WDFREQUEST 0x79d59660

Dump leaked handles: the driver is not tracking handles

WDF Verifier settings for myserial.sys is OFF

0: kd> !wdflogdump myserial
Trace searchpath is:

Trace format prefix is: %7!u!: %!FUNC! -
TMF file used for formatting log is: D:\WinDDK\7600.16385.1\tools\tracing\i386\Wdf01009.tmf
Log at 84b0f000
Gather log: Please wait, this may take a moment (reading 4032 bytes).
% read so far … 10, 20, 30, 40, 50, 60, 70, 80, 90, 100
There are 124 log entries

--- start of log ---
315: FxIoQueue::CanThreadDispatchEventsLocked - Presentation lock for WDFQUEUE 0x7B4F94E0 is already held, deferring to dpc or workitem
… (again and again)…
436: FxIoQueue::CanThreadDispatchEventsLocked - Presentation lock for WDFQUEUE 0x7B4F94E0 is already held, deferring to dpc or workitem

437: FxPkgGeneral::OnCreate - Exclusive WDFDEVICE 0x7B535AD0, only one open handle is allowed
438: FxPkgGeneral::OnCreate - Exclusive WDFDEVICE 0x7B535AD0, only one open handle is allowed
---- end of log ----

0: kd> !wdfqueue 0x7B4F94E0

Dumping WDFQUEUE 0x7b4f94e0

Sequential, Power-managed, PowerOn, Can accept, Can dispatch, ExecutionLevelDispatch, SynchronizationScopeDevice
Number of driver owned requests: 0
Number of waiting requests: 0

EvtIoWrite: (0x947d0350) myserial!IOWrite

The code that creates the IoWrite queue is as follows:

WDF_IO_QUEUE_CONFIG wdfIOQueueConfig;
WDFQUEUE WriteQueue;
NTSTATUS ntStatus;

// Sequential dispatch: WDF presents one write request at a time to EvtIoWrite
WDF_IO_QUEUE_CONFIG_INIT(&wdfIOQueueConfig, WdfIoQueueDispatchSequential);
wdfIOQueueConfig.EvtIoWrite = IOWrite;
wdfIOQueueConfig.EvtIoStop = IOStop;
wdfIOQueueConfig.EvtIoCanceledOnQueue = IOCanceledOnQueue;

ntStatus = WdfIoQueueCreate(WdfDevice,
                            &wdfIOQueueConfig,
                            WDF_NO_OBJECT_ATTRIBUTES,
                            &WriteQueue);
if (!NT_SUCCESS(ntStatus))
{
    // Print
    return ntStatus;
}

// Route every write request for this device to WriteQueue
ntStatus = WdfDeviceConfigureRequestDispatching(WdfDevice,
                                                WriteQueue,
                                                WdfRequestTypeWrite);
if (!NT_SUCCESS(ntStatus))
{
    // Print
    return ntStatus;
}

Did you also write MBNet620? Based on the stack it looks like MBNet620 meant
to send a write but ended up sending a create instead:

nt!IopfCompleteRequest+0x3f4
Wdf01000!FxPkgGeneral::OnCreate+0x25b
Wdf01000!FxPkgGeneral::Dispatch+0xc3
Wdf01000!FxDevice::Dispatch+0x7f
nt!IofCallDriver+0x63
MBNet620!CallDriver+0x1d [e:\ioproxy\irpgate.c @ 164]
MBNet620!Write+0xaf [e:\ioproxy\write.c @ 87]

This can happen if you fail to set up the next stack location properly
(IRP_MJ_CREATE is major function 0, so a failure to set up the next stack
location often ends up looking like a create on the other side).

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
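Scott's point about an unset next stack location, as an added model that is not code from MBNet620, myserial or the WDK: the Model* routines and LowerDriverDispatch are host-compilable stand-ins for IoAllocateIrp, IoGetNextIrpStackLocation, IoCallDriver and the lower driver's dispatch routine, keeping only the fields this failure depends on.

```c
/* Added example (not code from MBNet620, myserial or the WDK): a host-compilable
 * model of the IRP stack, showing why an IRP whose next stack location was never
 * filled in reaches the lower driver as IRP_MJ_CREATE. The Model* routines stand
 * in for IoAllocateIrp, IoGetNextIrpStackLocation and IoCallDriver. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_CREATE 0x00   /* real values: an all-zero location decodes as CREATE */
#define IRP_MJ_WRITE  0x04
typedef struct {
    uint8_t  MajorFunction;
    uint32_t Length;                 /* Parameters.Write.Length in wdm.h */
} ModelStackLocation;

typedef struct {
    int   CurrentLocation;           /* 1-based; StackCount + 1 when fresh */
    int   StackCount;
    void *SystemBuffer;
    ModelStackLocation Stack[4];
} ModelIrp;

/* IoAllocateIrp hands back zero-filled stack locations. */
static void ModelAllocateIrp(ModelIrp *irp, int stackSize)
{
    memset(irp, 0, sizeof *irp);
    irp->StackCount = stackSize;
    irp->CurrentLocation = stackSize + 1;
}

/* IoGetNextIrpStackLocation: the slot the next lower driver will read. */
static ModelStackLocation *ModelNextStackLocation(ModelIrp *irp)
{
    return &irp->Stack[irp->CurrentLocation - 2];
}

/* Lower driver's dispatch (FxDevice::Dispatch's role): routes on MajorFunction. */
static int LowerDriverDispatch(const ModelStackLocation *sl)
{
    switch (sl->MajorFunction) {
    case IRP_MJ_CREATE: return IRP_MJ_CREATE;  /* FxPkgGeneral::OnCreate path */
    case IRP_MJ_WRITE:  return IRP_MJ_WRITE;   /* write queue, EvtIoWrite */
    default:            return -1;             /* unsupported major code */
    }
}

/* IoCallDriver: move to the next stack location, then dispatch on it. */
static int ModelCallDriver(ModelIrp *irp)
{
    irp->CurrentLocation--;
    assert(irp->CurrentLocation >= 1);         /* the real kernel bugchecks here */
    return LowerDriverDispatch(&irp->Stack[irp->CurrentLocation - 1]);
}

/* Buggy sender: buffer and pointers look fine, but the next stack location is
 * still zero, so the lower driver dispatches the IRP as a create. */
int SendWriteWithoutStackSetup(ModelIrp *irp, void *buf)
{
    ModelAllocateIrp(irp, 2);
    irp->SystemBuffer = buf;
    return ModelCallDriver(irp);
}

/* Correct sender: fill in the next stack location before calling down. */
int SendWriteWithStackSetup(ModelIrp *irp, void *buf, uint32_t len)
{
    ModelStackLocation *next;
    ModelAllocateIrp(irp, 2);
    irp->SystemBuffer = buf;
    next = ModelNextStackLocation(irp);
    next->MajorFunction = IRP_MJ_WRITE;
    next->Length = len;
    return ModelCallDriver(irp);
}

int main(void)
{
    ModelIrp irp;
    char payload[16] = "constructed";          /* constructed sample buffer */
    printf("no setup:   major 0x%02x\n", SendWriteWithoutStackSetup(&irp, payload));
    printf("with setup: major 0x%02x\n", SendWriteWithStackSetup(&irp, payload, 16));
    return 0;
}
```

The same zero-initialised stack location is what a WDM driver that forwards an IRP without IoCopyCurrentIrpStackLocationToNext or IoSkipCurrentIrpStackLocation hands to the driver below it.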
