Hi,
When I display kernel structures, e.g. KTHREAD, in WinDbg, there
are no issues. But when I programmatically try to access some member of it,
e.g. TrapFrame, I get the bug check PAGE_FAULT_IN_NONPAGED_AREA. Note also that
the bug check happens for some members and for some it doesn't.
Here are some details. When I checked the address whose read reference
caused the bug check, I see:
kd> !pte 0xf810ad64
               VA f810ad64
PDE at C0300F80        PTE at C03E0428
contains 01010163      contains 0E51ABE2
pfn 1010 -G-DA--KWEV   not valid
                       Transition: e51a
                       Protect: 1f - ReadWriteCopyExecute WC
It seems the PTE for address 0xf810ad64 is invalid.
This address is actually the address of TrapFrame member of KTHREAD and
displays correctly in windbg:
kd> dt _KTHREAD 0x8161f540 TrapFrame
+0x134 TrapFrame : 0xf810ad64 _KTRAP_FRAME
kd> dt _KTRAP_FRAME 0xf810ad64
+0x000 DbgEbp : 0x18
+0x004 DbgEip : 0x77f705fa
+0x008 DbgArgMark : 0x705fc
+0x00c DbgArgPointer : 0xc0150008
+0x010 TempSegCs : 0
My question is: when WinDbg shows the structure pointer as valid and does not
complain when we display its contents, why do we get a bug check error
programmatically? How do we safely access the contents of such member variables
of KTHREAD?
Thanks in advance
Chandra
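
Added example, not part of the original post: a small user-mode C decoder that reproduces the !pte output above from the raw PDE and PTE values, showing that the PTE's hardware valid bit is clear (a transition PTE), so a direct CPU read of 0xf810ad64 faults. It assumes the x86 non-PAE layout (self-map at 0xC0000000, 4-byte entries, software transition-PTE fields), which matches the addresses and values in the post; all function and type names are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed x86 non-PAE self-map bases; they reproduce the PDE/PTE
   addresses that !pte printed in the post. */
#define PTE_BASE 0xC0000000u
#define PDE_BASE 0xC0300000u

typedef struct {
    int valid;        /* bit 0: hardware can translate through this entry */
    int prototype;    /* bit 10: software prototype PTE (only if !valid)  */
    int transition;   /* bit 11: page is in transition (only if !valid)   */
    uint32_t protect; /* bits 5-9: software protection (only if !valid)   */
    uint32_t pfn;     /* bits 12-31: page frame number                    */
} pte_info;

/* Virtual addresses of the PTE and PDE that map va. */
uint32_t pte_address(uint32_t va) { return PTE_BASE + (va >> 12) * 4; }
uint32_t pde_address(uint32_t va) { return PDE_BASE + (va >> 22) * 4; }

pte_info decode_pte(uint32_t pte)
{
    pte_info i;
    i.valid      = (int)(pte & 1u);
    i.prototype  = (int)((pte >> 10) & 1u);
    i.transition = (int)((pte >> 11) & 1u);
    i.protect    = (pte >> 5) & 0x1fu;
    i.pfn        = pte >> 12;
    return i;
}

/* 1 only if the CPU can read the address without taking a page fault. */
int va_is_resident(uint32_t pde, uint32_t pte)
{
    if (!(pde & 1u)) return 0;    /* page table itself not valid        */
    if (pde & 0x80u) return 1;    /* large page: there is no PTE level  */
    return (int)(pte & 1u);
}

int main(void)
{
    /* Values copied from the !pte output in the post. */
    uint32_t va = 0xf810ad64u, pde = 0x01010163u, pte = 0x0E51ABE2u;
    pte_info i = decode_pte(pte);
    printf("PDE at %08X  PTE at %08X\n", (unsigned)pde_address(va), (unsigned)pte_address(va));
    printf("valid=%d transition=%d prototype=%d pfn=%x protect=%x resident=%d\n",
           i.valid, i.transition, i.prototype, (unsigned)i.pfn,
           (unsigned)i.protect, va_is_resident(pde, pte));
    return 0;
}
```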