Crash Dump while using Visual Studio

prakash_p · December 7, 2007, 4:59am

Hi all,

I am using a minifilter driver which encrypts-decrypts the data.
While using Visual Studio, suddenly crash occurs.

I have analyzed the dump, it shows

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e87c1410, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8054b407, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:

WRITE_ADDRESS: e87c1410 Paged pool

FAULTING_IP:
nt!ExDeferredFreePool+156
8054b407 8913 mov [ebx],edx

MM_INTERNAL_CODE: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

TRAP_FRAME: f7a5e8bc – (.trap fffffffff7a5e8bc)
ErrCode = 00000002
eax=e85c27f0 ebx=e87c1410 ecx=e85c2408 edx=863ee458 esi=863ee050 edi=000001ff
eip=8054b407 esp=f7a5e930 ebp=f7a5e970 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExDeferredFreePool+0x156:
8054b407 8913 mov [ebx],edx ds:0023:e87c1410=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 8054b51e to 8054b407

STACK_TEXT:
f7a5e970 8054b51e e87c4008 f7a5ea94 8000000b nt!ExDeferredFreePool+0x156
f7a5e9b0 8057523d e85cf7f8 00000000 00000000 nt!ExFreePoolWithTag+0x489
f7a5e9d4 80574f19 00000000 00000000 00000000 nt!RtlpInheritAcl+0x76
f7a5eab0 80575286 00000000 e14dc790 f7a5eb08 nt!RtlpNewSecurityObject+0x387
f7a5eadc 80575729 00000000 00000000 f7a5eb08 nt!SeAssignSecurity+0x4f
f7a5eb0c 8057576f f7a5ec20 00000000 85b78020 nt!ObAssignSecurity+0x35
f7a5ebf4 8057c238 85b78020 f7a5ec20 00000000 nt!ObInsertObject+0x4da
f7a5ed4c 8057d0b4 f7a5edb4 001f03ff 00000000 nt!PspCreateThread+0x618
f7a5ed80 f73b1bd8 f7a5edb4 001f03ff 00000000 nt!PsCreateSystemThread+0x33
f7a5edac 8057d0f1 00000c78 00000000 00000000 NDIS!ndisWorkerThread+0x4b
f7a5eddc 804f827a f73b1b85 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!ExDeferredFreePool+156
8054b407 8913 mov [ebx],edx

FOLLOWUP_NAME: Pool_corruption

SYMBOL_NAME: nt!ExDeferredFreePool+156

MODULE_NAME: Pool_Corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .trap fffffffff7a5e8bc ; kb

BUCKET_ID: 0x50_W_nt!ExDeferredFreePool+156

Followup: Pool_corruption

Kindly help me to analyze this dump

Thanks
Prakash

Mark_Roddy · December 7, 2007, 8:20am

You have corrupted the system pool. Try running with driver verifier
enabled on your minifilter.

On Dec 7, 2007 5:01 AM, wrote:
> Hi all,
>
> I am using a minifilter driver which encrypts-decrypts the data.
> While using Visual Studio, suddenly crash occurs.
>
> I have analyzed the dump, it shows
>
>
> kd> !analyze -v
> ***
> *
> * Bugcheck Analysis
> *
>
>
> PAGE_FAULT_IN_NONPAGED_AREA (50)
> Invalid system memory was referenced. This cannot be protected by try-except,
> it must be protected by a Probe. Typically the address is just plain bad or it
> is pointing at freed memory.
> Arguments:
> Arg1: e87c1410, memory referenced.
> Arg2: 00000001, value 0 = read operation, 1 = write operation.
> Arg3: 8054b407, If non-zero, the instruction address which referenced the bad memory
> address.
> Arg4: 00000001, (reserved)
>
> Debugging Details:
> ------------------
>
>
> WRITE_ADDRESS: e87c1410 Paged pool
>
> FAULTING_IP:
> nt!ExDeferredFreePool+156
> 8054b407 8913 mov [ebx],edx
>
> MM_INTERNAL_CODE: 1
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0x50
>
> TRAP_FRAME: f7a5e8bc – (.trap fffffffff7a5e8bc)
> ErrCode = 00000002
> eax=e85c27f0 ebx=e87c1410 ecx=e85c2408 edx=863ee458 esi=863ee050 edi=000001ff
> eip=8054b407 esp=f7a5e930 ebp=f7a5e970 iopl=0 nv up ei pl nz na pe nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
> nt!ExDeferredFreePool+0x156:
> 8054b407 8913 mov [ebx],edx ds:0023:e87c1410=???
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from 8054b51e to 8054b407
>
> STACK_TEXT:
> f7a5e970 8054b51e e87c4008 f7a5ea94 8000000b nt!ExDeferredFreePool+0x156
> f7a5e9b0 8057523d e85cf7f8 00000000 00000000 nt!ExFreePoolWithTag+0x489
> f7a5e9d4 80574f19 00000000 00000000 00000000 nt!RtlpInheritAcl+0x76
> f7a5eab0 80575286 00000000 e14dc790 f7a5eb08 nt!RtlpNewSecurityObject+0x387
> f7a5eadc 80575729 00000000 00000000 f7a5eb08 nt!SeAssignSecurity+0x4f
> f7a5eb0c 8057576f f7a5ec20 00000000 85b78020 nt!ObAssignSecurity+0x35
> f7a5ebf4 8057c238 85b78020 f7a5ec20 00000000 nt!ObInsertObject+0x4da
> f7a5ed4c 8057d0b4 f7a5edb4 001f03ff 00000000 nt!PspCreateThread+0x618
> f7a5ed80 f73b1bd8 f7a5edb4 001f03ff 00000000 nt!PsCreateSystemThread+0x33
> f7a5edac 8057d0f1 00000c78 00000000 00000000 NDIS!ndisWorkerThread+0x4b
> f7a5eddc 804f827a f73b1b85 00000000 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
>
>
> FOLLOWUP_IP:
> nt!ExDeferredFreePool+156
> 8054b407 8913 mov [ebx],edx
>
> FOLLOWUP_NAME: Pool_corruption
>
> SYMBOL_NAME: nt!ExDeferredFreePool+156
>
> MODULE_NAME: Pool_Corruption
>
> IMAGE_NAME: Pool_Corruption
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 0
>
> STACK_COMMAND: .trap fffffffff7a5e8bc ; kb
>
> BUCKET_ID: 0x50_W_nt!ExDeferredFreePool+156
>
> Followup: Pool_corruption
> ---------
>
>
> Kindly help me to analyze this dump
>
>
> Thanks
> Prakash
>
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@hollistech.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

–
Mark Roddy