I’m seeing a bugcheck in fltmgr.sys that seems to be related to stopping
the service that my driver works with. When that happens, my driver
does some cleanup (flushes CSQs, etc.) and then stops filtering requests.
I’m seeing bugchecks on one of my test systems that I’m using for
high-load testing when my service locks up, which I then stop.
There are two tricky bits to this: 1) I don’t have a serial or firewire
connection to this machine (it has neither, I’m going to rummage through
some old hardware and see if we have a serial card) so I can’t verify
that my cleanup stuff is running as expected (at a guess, I suspect it
is running, but something is being cleaned up improperly). 2) I’m not
in the stack when it bugchecks.
The bugcheck appears to be occurring in FltpPassThroughInternal when it
tries to use edi as a pointer and do a test. edi is NULL, which explains
why it’s bugchecking there, but I don’t know what edi is, or how it got
NULL. Any suggestions as to how I might go about answering either of
those questions?
Thanks,
~Eric
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bae76f40, The address that the exception occurred at
Arg3: b88c6bac, Trap Frame
Arg4: 00000000
Debugging Details:
Page f3bc6 not present in the dump file. Type ".hh dbgerr004" for details
Page f3e1a not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
fltmgr!FltpPassThroughInternal+48
bae76f40 f6470301 test byte ptr [edi+3],1
TRAP_FRAME: b88c6bac -- (.trap 0xffffffffb88c6bac)
ErrCode = 00000000
eax=8ac48e70 ebx=00000000 ecx=8aff0100 edx=00000000 esi=b88c6c60 edi=00000000
eip=bae76f40 esp=b88c6c20 ebp=b88c6c2c iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
fltmgr!FltpPassThroughInternal+0x48:
bae76f40 f6470301 test byte ptr [edi+3],1 ds:0023:00000003=??
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: dd.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8082d800 to 80827c63
STACK_TEXT:
b88c6778 8082d800 0000008e c0000005 bae76f40 nt!KeBugCheckEx+0x1b
b88c6b3c 8088a262 b88c6b58 00000000 b88c6bac nt!KiDispatchException+0x3a2
b88c6ba4 8088a216 b88c6c2c bae76f40 badb0d00 nt!CommonDispatchException+0x4a
b88c6bc4 bae75310 b88c6c60 8924da80 b88c6c60 nt!KiExceptionExit+0x186
b88c6c2c bae778d2 b88c6c60 00000000 89ba1ee8 fltmgr!FltpPerformPreCallbacks+0x11a
b88c6c48 bae77ce3 b88c6c00 8924da80 8b010af8 fltmgr!FltpPassThrough+0x1c2
b88c6c78 8081df65 89ba1ee8 8ac48e70 8ac48e70 fltmgr!FltpDispatch+0x10d
b88c6c8c 808f5437 8ac48fb8 8ac48e70 8924da80 nt!IofCallDriver+0x45
b88c6ca0 808f25eb 89ba1ee8 8ac48e70 8924da80 nt!IopSynchronousServiceTail+0x10b
b88c6d38 8088978c 0000079c 00000000 00000000 nt!NtReadFile+0x5d5
b88c6d38 7c8285ec 0000079c 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fe88 00000000 00000000 00000000 00000000 0x7c8285ec
STACK_COMMAND: kb
FOLLOWUP_IP:
fltmgr!FltpPassThroughInternal+48
bae76f40 f6470301 test byte ptr [edi+3],1
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: fltmgr!FltpPassThroughInternal+48
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fltmgr
IMAGE_NAME: fltmgr.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d697cc
FAILURE_BUCKET_ID: 0x8E_fltmgr!FltpPassThroughInternal+48
BUCKET_ID: 0x8E_fltmgr!FltpPassThroughInternal+48
Followup: MachineOwner
3: kd> u bae76f40
fltmgr!FltpPassThroughInternal+0x48:
bae76f40 f6470301 test byte ptr [edi+3],1
bae76f44 741e je fltmgr!FltpPassThroughInternal+0x6c (bae76f64)
bae76f46 8b4608 mov eax,dword ptr [esi+8]
bae76f49 f6400408 test byte ptr [eax+4],8
bae76f4d 7511 jne fltmgr!FltpPassThroughInternal+0x68 (bae76f60)
bae76f4f ff770c push dword ptr [edi+0Ch]
bae76f52 8a5701 mov dl,byte ptr [edi+1]
bae76f55 8a0f mov cl,byte ptr [edi]
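An added worked example (not part of the original post, and not an answer the poster gave): a kd session that works the two questions asked above, "what is edi" and "how did it get NULL", from the dump as posted. The addresses are the ones in the !analyze output above; everything else is the standard WinDbg/fltkd workflow for this kind of crash, and the comments say what to look for rather than what the answer is. It assumes fltkd.dll (the Filter Manager debugger extension) is loaded and that symbols for fltmgr.sys resolve, which the output above shows they do.

```windbg
; 1. Switch to the faulting context. The register set in the trap frame is the
;    one that matters, not the one at KeBugCheckEx.
3: kd> .trap 0xffffffffb88c6bac
3: kd> r
;    Expect eip=bae76f40, esi=b88c6c60, edi=00000000 as in the TRAP_FRAME block.

; 2. Find out where edi was loaded. 'u' only goes forward; 'ub' disassembles
;    backwards from the faulting instruction. Look for the last write to edi
;    (mov edi,[esi+xx] / mov edi,[ebp+xx] / mov edi,eax etc.) and note which
;    register or stack slot it came from. Since the read at [edi+3] and
;    [edi], [edi+1], [edi+0Ch] are all bytes, edi is being treated as a small
;    structure, and its source tells you whose structure.
3: kd> ub bae76f40 L20

; 3. Check the stack walk. The faulting IP is in FltpPassThroughInternal, but
;    the first fltmgr frame !analyze lists is FltpPerformPreCallbacks+0x11a,
;    so the FltpPassThroughInternal frame is not reported (the usual cause is
;    frame-pointer omission). 'kv' shows FPO info; 'dps esp' shows the raw
;    stack with symbols so the real return addresses and arguments can be
;    read directly instead of trusting the walker.
3: kd> kv
3: kd> dps esp L40

; 4. Interpret the arguments that ARE visible. In the posted kb output the
;    FltpPerformPreCallbacks frame was called with (b88c6c60, 00000000,
;    89ba1ee8); b88c6c60 is also esi at the fault, and the second argument is
;    already NULL one frame up. Whether that NULL is the value that ends up
;    in edi is exactly what steps 2 and 3 establish.
3: kd> dps b88c6c60 L10

; 5. Ask Filter Manager what it thinks the world looks like. If the
;    cleanup-on-service-stop path has torn down or partially torn down
;    something, this is where it shows: is the filter still registered, is
;    the instance still attached to the volume the I/O is for, and does the
;    callback data for this I/O still look sane?
3: kd> !fltkd.filters
3: kd> !fltkd.filter  <filter address from the previous command>
3: kd> !fltkd.instance <instance address from the previous command>
;    Assumption: esi (b88c6c60) is the FLT_CALLBACK_DATA for this I/O; the
;    'mov eax,[esi+8]' / 'test byte ptr [eax+4],8' sequence in the posted
;    disassembly is consistent with that, but verify before believing it.
3: kd> !fltkd.cbd b88c6c60

; 6. Record the build you are looking at so the offsets above can be matched
;    to the same fltmgr.sys next time (DEBUG_FLR_IMAGE_TIMESTAMP 45d697cc).
3: kd> lmvm fltmgr
```

Two caveats a practitioner would want. First, the "Page ... not present in the dump file" lines mean this is not a complete memory dump, so some of the `dps` and `!fltkd` reads above may come back as `????`; if that happens, switch the crash-dump type to a complete memory dump on the high-load box before the next run, which also sidesteps the lack of a serial or 1394 port for the purpose of answering "what was edi". Second, `ub` can be off by a few bytes on x86 if it starts mid-instruction; if the backward listing looks like nonsense, disassemble forward from the function start (`u fltmgr!FltpPassThroughInternal`) and read down to +0x48 instead.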