Bus Driver on Win2K

Hi All:
I am currently implementing a USB bus driver, which works OK on
WinXP. But when it is loaded into Win2K, a PnP IRP whose minor
function is IRP_MN_QUERY_DEVICE_RELATIONS is issued to the PDO I
created and reported, and when this PDO represents a multi-function
USB device, it crashes the PC.

*** Fatal System Error: 0x0000001e
(0xC0000005,0xED0E810F,0x00000000,0x01000144)

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ed0e810f, The address that the exception occured at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 01000144, Parameter 1 of the exception

Exception code C0000005 means AccessViolation.

The same program works fine in WinXP, in which I did nothing to the IRP.
Are there any differences between WinXP and Win2K that I should notice
to deal with this IRP? BTW, I do compile the binary in the Win2K Checked
environment supplied in the WinDDK.

Thanks in advance, any information will be appreciated.

Smore Hung

What do you mean by “did nothing to the IRP”? A bus
driver must handle TargetDeviceRelation for a PDO. This
may not be the problem leading to the crash.

As usual, you connect WinDbg to the target, capture
and post the output of “!analyze -v”.

Peter and Scott, is it possible to add some
intelligence to the list server that automatically
reminds posters to get “!analyze -v” output when a
crash question is asked?


Calvin Guan (Windows DDK MVP)
Staff SW Engineer NetXtreme MINIPORT
Broadcom Corp. Irvine, CA
www.broadcom.com


Thanks a lot for your answer.

Sorry I didn’t mention it clearly enough. The “TargetDeviceRelation” part
is OK; my problem is “BusRelations”.

And yes, I did connect WinDbg to the target, and posted part of the
result in the mail. I thought that was enough, and I am deeply sorry if
the information is not sufficient. Below is all the information I can
get through “!analyze -v” in my WinDbg:

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ed0e810f, The address that the exception occured at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 01000144, Parameter 1 of the exception

Details:
Unhandled exception c0000005
Fault occurred in driver usbhub.sys (
usbhub!USBH_ParentCreateFunctionList+0x147 )
ed0e810f 8b5244 mov edx,[edx+0x44]
Followup : MachineOwner
Exception parameter 1 : 00000000
Exception parameter 2 : 01000144

BUCKET: 0x1E_C0000005_usbhub!USBH_ParentCreateFunctionList_usbhub.sys
ChildEBP RetAddr
ed437164 8042afd6 ntoskrnl!FsRtlIsNtstatusExpected+0x2a
ed4374f0 804549ca ntoskrnl!FsRtlAcquireFileForModWriteEx+0x2a4
ed437ddc 80469212 ntoskrnl!CcCalculateVacbLevelLockCount+0xf
00000000 00000000 ntoskrnl!RtlIpv6StringToAddressA+0x26e
Creating .\DMP19.tmp - mini kernel dump

Thanks again.

Smore Hung

Hmm, it didn’t get to the fault stack. Are you sure
you have typed “!analyze -v” followed by an enter from
the host debugger while the target is connected? Which
version of WinDbg are you using?

A typical output of “!analyze -v” command for
KMODE_EXCEPTION_NOT_HANDLED (1e) should at least give
the exception record and recommended stack command.
Below is an example:

0: kd> !analyze -v
[…]—snip
KMODE_EXCEPTION_NOT_HANDLED (1e)
[…]—snip
Arguments:
Arg1: c0000005, The exception code that was not
handled
Arg2: f07a973b, The address that the exception
occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 0000000c, Parameter 1 of the exception
[…]—snip
EXCEPTION_RECORD: f0853aa4 -- (.exr fffffffff0853aa4)
ExceptionAddress: f07a973b (mystupid_drv+0x0000173b)
ExceptionCode: c0000005
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000000c
Attempt to read from address 0000000c
[…]—snip
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000
mystupid_drv+0x173b
[…]—snip
STACK_COMMAND: .cxr fffffffff08536fc ; kb
[…]—snip
0: kd>

If your !analyze does not do this, then you need to
find out the exception record manually. To start with,
do a kv to see what is in the stack. But I strongly
suggest you download the latest windbg and run the
“!analyze -v” command again with target connected.


Calvin Guan (Windows DDK MVP)
Staff SW Engineer NetXtreme MINIPORT
Broadcom Corp. Irvine, CA
www.broadcom.com


Ok, now I realize the problem here might be the version. I am using
WinDbg 3.0.0020.0, and I found that the newest version is 6.5.3.7 …

I will re-post my problem with better debugging information after I
have installed the debugger. Thanks again for answering.

Smore Hung

Here it is, and thanks for the information.

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: ed0e810f, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 01000144, Parameter 1 of the exception

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
usbhub!USBH_FunctionPdoQueryId+1d
ed0e810f 8b5244 mov edx,[edx+0x44]

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 01000144

READ_ADDRESS: 01000144

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

EXCEPTION_RECORD: ed4379b8 -- (.exr ffffffffed4379b8)
ExceptionAddress: ed0e810f (usbhub!USBH_FunctionPdoQueryId+0x0000001d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01000144
Attempt to read from address 01000144

CONTEXT: ed437610 -- (.cxr ffffffffed437610)
eax=814ee6a8 ebx=814ee6a8 ecx=81560de8 edx=01000100 esi=8156d988 edi=81560de8
eip=ed0e810f esp=ed437a80 ebp=ed437a90 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
usbhub!USBH_FunctionPdoQueryId+0x1d:
ed0e810f 8b5244 mov edx,[edx+0x44] ds:0023:01000144=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from ed0e8395 to ed0e810f

STACK_TEXT:
ed437a90 ed0e8395 81560de8 8156d988 81560de8 usbhub!USBH_FunctionPdoQueryId+0x1d
ed437aa8 ed0e2ff5 81560de8 8156d988 8156da13 usbhub!USBH_FunctionPdoPnP+0x53
ed437acc ed0e068f 81560de8 8156d988 ed437b1c usbhub!USBH_FunctionPdoDispatch+0x47
ed437adc 8041dded 81560d30 8156d988 81560d30 usbhub!USBH_HubDispatch+0x3b
ed437af0 804bcf45 ed437b58 81560c28 000f003f nt!IopfCallDriver+0x35
ed437b1c 804bd1f9 81560d30 ed437b34 ed437c5c nt!IopSynchronousCall+0xca
ed437b58 804b6321 81560d30 ed437c5c ed437d28 nt!IopQueryDeviceId+0x2b
ed437c78 804252f2 81560d30 00000000 8156ba28 nt!IopProcessNewDeviceNode+0x55
ed437c88 804b6119 8156ba28 ed437d28 00040000 nt!IopProcessNewChildren+0x22
ed437cac 804b5f05 816b4350 ed437d28 00000014 nt!IopEnumerateDevice+0x209
ed437ce8 804bc54e 8156ba28 ed437d28 8156ba28 nt!IopStartAndEnumerateDevice+0x1c3
ed437d3c 80424f88 816b4350 804779a0 804746dc nt!IopNewDevice+0xba
ed437d78 80416bfa 00000000 00000000 00000000 nt!IopDeviceActionWorker+0x290
ed437da8 80454a24 00000000 00000000 00000000 nt!ExpWorkerThread+0xae
ed437ddc 80469212 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
usbhub!USBH_FunctionPdoQueryId+1d
ed0e810f 8b5244 mov edx,[edx+0x44]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: usbhub!USBH_FunctionPdoQueryId+1d

MODULE_NAME: usbhub

IMAGE_NAME: usbhub.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e77ac21

STACK_COMMAND: .cxr ffffffffed437610 ; kb

FAILURE_BUCKET_ID: 0x1E_usbhub!USBH_FunctionPdoQueryId+1d

BUCKET_ID: 0x1E_usbhub!USBH_FunctionPdoQueryId+1d

Followup: MachineOwner

Anything I should do now?

Smore Hung

WinDbg 6.5.3.7 has a nasty bug of missing exports from exts.dll, which
causes some nasty diagnostics during work - especially on the !poolused command.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Smore Hung”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, August 01, 2005 2:20 PM
Subject: Re:[ntdev] Bus Driver on Win2K


Hi All:
After some analysis, I think the problem is where my bus driver
handles the PnP IRP issued to my PDO whose MinorFunction is
IRP_MN_QUERY_DEVICE_RELATIONS and whose type is BusRelations. When the
device plugged in is a single-function device (that is, only 1 interface
in the device), I can just set the status in the IRP to STATUS_SUCCESS
and then complete it. But when it is a multi-function device (2 or more
interfaces in the device), the same approach makes it crash.

Although the debugging message shows that the exception happens at
USBH_FunctionPdoQueryId, I can’t see any QueryID IRP sent to my
driver before the system crashes (actually, it looks like the system
crashes immediately after my BusRelations IRP is completed). My best
guess here is that the returned information in the “BusRelations IRP”
corrupts something in the core, which causes the exception when usbhub
tries to do something on the device.

Can anyone give me some hints about what part might be wrong?
Thanks a lot for any information and help.

Smore Hung

Have you turned on driver verifier on your driver?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Smore Hung
Sent: Monday, August 01, 2005 10:09 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Bus Driver on Win2K


When handling QDR-BusRelations for a child PDO, you just
complete the IRP with Irp->IoStatus.Status; do not
change the status in the IoStatus block. The status block
for this IRP is changed by a device, such as the FDO of a
bus driver, which returns bus relations to the PnP
manager.

HTH,
Calvin Guan (Windows DDK MVP)
Staff SW Engineer NetXtreme MINIPORT
Broadcom Corp. Irvine, CA
www.broadcom.com
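The rule above, as an added example that is not code from the thread or from either poster's driver: a hosted-C model of a child PDO's IRP_MN_QUERY_DEVICE_RELATIONS handling, with the forced-STATUS_SUCCESS version the original poster described beside the corrected one. The types are constructed stand-ins for the ntddk.h ones so it compiles without the DDK, and the handler and helper names are assumptions.

```c
#include <stdlib.h>
#include <stdint.h>
/* Constructed stand-ins for the ntddk.h types (not the DDK headers) so the
 * model compiles in hosted C; the NTSTATUS values are the real WDM ones. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_NOT_SUPPORTED          ((NTSTATUS)0xC00000BB)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
typedef enum { BusRelations, EjectionRelations, PowerRelations,
               RemovalRelations, TargetDeviceRelation } DEVICE_RELATION_TYPE;
typedef struct { int ReferenceCount; } DEVICE_OBJECT;
typedef struct { unsigned Count; DEVICE_OBJECT *Objects[1]; } DEVICE_RELATIONS;
typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct { IO_STATUS_BLOCK IoStatus; DEVICE_RELATION_TYPE Type; } IRP;

/* Stand-in for ObReferenceObject(): the requester dereferences each entry
 * of a TargetDeviceRelation list, so the PDO must take a reference first. */
static void ObReferenceObject(DEVICE_OBJECT *obj) { obj->ReferenceCount++; }

/* As the poster described: force STATUS_SUCCESS on every QDR, BusRelations included. */
NTSTATUS PdoQueryDeviceRelations_AsPosted(IRP *irp)
{
    return irp->IoStatus.Status = STATUS_SUCCESS;   /* then IoCompleteRequest() */
}

/* Calvin Guan's rule: a leaf PDO answers TargetDeviceRelation itself and
 * completes every other type, BusRelations included, with IoStatus untouched. */
NTSTATUS PdoQueryDeviceRelations(DEVICE_OBJECT *pdo, IRP *irp)
{
    if (irp->Type == TargetDeviceRelation) {
        /* ExAllocatePool(PagedPool, ...) in WDM; the requester frees the list. */
        DEVICE_RELATIONS *rel = malloc(sizeof *rel);
        if (rel == NULL) {
            irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            rel->Count = 1;
            rel->Objects[0] = pdo;
            ObReferenceObject(pdo);
            irp->IoStatus.Information = (uintptr_t)rel;
            irp->IoStatus.Status = STATUS_SUCCESS;
        }
    }
    return irp->IoStatus.Status;   /* BusRelations etc.: exactly as received */
}

/* Scenario helpers (constructed). A QDR arrives at the PDO with Status =
 * STATUS_NOT_SUPPORTED and Information = 0; see what each handler leaves. */
NTSTATUS RunBusRelations(int as_posted)
{
    DEVICE_OBJECT pdo = { 0 };
    IRP irp = { { STATUS_NOT_SUPPORTED, 0 }, BusRelations };
    return as_posted ? PdoQueryDeviceRelations_AsPosted(&irp)
                     : PdoQueryDeviceRelations(&pdo, &irp);
}

/* Count reported for TargetDeviceRelation, or 0 unless the reply succeeded
 * and points at the PDO itself with one reference taken. */
unsigned RunTargetDeviceRelation(void)
{
    DEVICE_OBJECT pdo = { 0 };
    IRP irp = { { STATUS_NOT_SUPPORTED, 0 }, TargetDeviceRelation };
    if (PdoQueryDeviceRelations(&pdo, &irp) != STATUS_SUCCESS) return 0;
    DEVICE_RELATIONS *rel = (DEVICE_RELATIONS *)irp.IoStatus.Information;
    unsigned count = (rel->Objects[0] == &pdo && pdo.ReferenceCount == 1) ? rel->Count : 0;
    free(rel);
    return count;
}
```

With the corrected handler a BusRelations query leaves the PDO still reporting STATUS_NOT_SUPPORTED, which is what the PnP manager expects from a leaf device; the as-posted handler turns it into a success with no relations list behind it.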
