Crash dump output!

Hi,
My machine crashes once in a while after my filter driver is unloaded successfully. From the crash dump analysis, I couldn’t tell where the crash occurred. SecureDs is my filter driver.

The output is attached below. How can I further debug the crash to pinpoint the problem? Thanks for any information.

Regards,
Sin-Lam

kd> !analyze -v
*******************************************************************************
* Bugcheck Analysis *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fbece36e, memory referenced
Arg2: 00000001, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: fbece36e, address which referenced memory

Debugging Details:

READ_ADDRESS: fbece36e Nonpaged pool

CURRENT_IRQL: 1

FAULTING_IP:
SecureDs!+336e
fbece36e ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: D1

LAST_CONTROL_TRANSFER: from 80600580 to bfdada2d

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
fc65ab2c 80600580 fc26f06a fc65ab6c 873dca88 NTice+0x4ca2d
fc65ab7c 86e0dbe0 80674124 8785c310 fc65abdc nt!IovSpecialIrpCallDriver+0x13d
00000030 00000000 00000000 00000000 00000000 0x86e0dbe0

FOLLOWUP_IP:
SecureDs!+336e
fbece36e ?? ???

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: SecureDs!+336e

MODULE_NAME:

IMAGE_NAME: SecureDs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3cd8a086

STACK_COMMAND: kb

BUCKET_ID: 0xD1_SecureDs!+336e

Followup: MachineOwner

File system filters today cannot really unload. For instance, an IRP can
complete with your completion routine set in it which can fire after you
have unloaded & boom… Unloading (as implemented in SFilter, but #if
DBG’ed out, in the IFS kit) can be really implemented only for debug
purposes. Once in a while your machine will bugcheck - but then this
unload facility is only so that dev time is reduced & you don’t have to
reboot all the time when you copy your driver over. We expect you to
remove the unload code when you ship the driver. The comments in SFilter
indicate this clearly (at least in the XP versions). There lies the real
problem. The address that was referenced was of your driver which
already unloaded.

Please don’t implement unload in your shipping filter unless you are
prepared to do a 2 driver approach (one which never unloads but
reference counts), which can get very, very, complicated …

Ravi

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: Tan Sin Lam [mailto:xxxxx@lit.org.sg]
Sent: Tuesday, May 07, 2002 9:12 PM
To: File Systems Developers
Subject: [ntfsd] Crash dump output!

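A triage check for the pattern in this dump, as an added example that is not part of the original thread: for bugcheck D1, Arg1 equal to Arg4 means the faulting access was the instruction fetch itself, and `?? ???` means the debugger could not read the code bytes there, which matches a completion routine being called in a driver that has already unloaded. The function names are hypothetical, and treating `+336e` as an offset from the image base is an assumption.

```python
import re

# Excerpt of the !analyze -v output posted in this thread (values copied from the page).
DUMP = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: fbece36e, memory referenced
Arg2: 00000001, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: fbece36e, address which referenced memory
FAULTING_IP:
SecureDs!+336e
fbece36e ?? ???
IMAGE_NAME: SecureDs.sys
"""

HEX = r"[0-9a-fA-F]+"

def parse_analyze(text):
    """Extract bugcheck code, Arg1-4, unreadable addresses and FAULTING_IP."""
    code = re.search(r"^\w+ \((%s)\)\s*$" % HEX, text, re.M)
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg([1-4]):\s*(%s)" % HEX, text, re.M)}
    # "<addr> ?? ???" is what the debugger prints when it cannot read the bytes.
    unreadable = {int(a, 16)
                  for a in re.findall(r"^(%s)\s+\?\?\s+\?\?\?\s*$" % HEX, text, re.M)}
    ip = re.search(r"^FAULTING_IP:\s*\n\s*(\S+?)!\S*\+(%s)" % HEX, text, re.M)
    return {
        "bugcheck": int(code.group(1), 16) if code else None,
        "args": args,
        "unreadable": unreadable,
        "module": ip.group(1) if ip else None,
        "offset": int(ip.group(2), 16) if ip else None,
    }

def triage(info):
    """Flag a D1 bugcheck whose faulting access was the instruction fetch itself."""
    a = info["args"]
    fetch = info["bugcheck"] == 0xD1 and 1 in a and a.get(1) == a.get(4)
    result = {"fetch_fault": fetch,
              "code_unreadable": fetch and a[4] in info["unreadable"],
              "module": info["module"], "implied_base": None}
    # Assumption: "module!+off" is an offset from the image base (no symbols loaded).
    if fetch and info["offset"] is not None:
        result["implied_base"] = a[4] - info["offset"]
    return result

if __name__ == "__main__":
    r = triage(parse_analyze(DUMP))
    print(r["module"], hex(r["implied_base"]), r["fetch_fault"], r["code_unreadable"])
```

When both flags are set, compare the implied base against the debugger's module list (`lm`) to see whether the image is still loaded.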