Crash while going to sleep (W7-x32)

My driver crashes the system when the system is sent to sleep. Here's the analysis of the minidump:

*******************************************************************
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 9bb4988c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 90bd8759, address which referenced memory

Debugging Details:

READ_ADDRESS: GetPointerFromAddress: unable to read from 83583848
Unable to read MiSystemVaType memory at 83562e20
9bb4988c

CURRENT_IRQL: 2

FAULTING_IP:
vjoy!vJoyGetPositionData+43 [c:\winddk\vjoy-2\driver\sys\driver.c @ 565]
90bd8759 8b400c mov eax,dword ptr [eax+0Ch]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 90bd8adf to 90bd8759

STACK_TEXT:
83541ae0 90bd8adf 87c55a50 8764f1d8 00000001 vjoy!vJoyGetPositionData+0x43 [c:\winddk\vjoy-2\driver\sys\driver.c @ 565]
83541b04 90bdcb5d 783a5b50 00000001 83541b30 vjoy!RtlStringCbLengthW+0x1b [c:\winddk\6000\inc\ddk\ntstrsafe.h @ 6089]
83541b14 8ae3b53a 789a9a98 83541ba0 00000000 vjoy!vJoyCompleteReadReport+0x9b [c:\winddk\vjoy-2\driver\sys\driver.c @ 512]
WARNING: Stack unwind information not available. Following frames may be wrong.
83541b30 8ae3b984 83541b7c 83494019 876565c0 Wdf01000+0x2a53a
83541b38 83494019 876565c0 87656560 3a0ea8e4 Wdf01000+0x2a984
83541b7c 83493fbd 83544d20 83541ca8 00000002 nt!KiProcessTimerDpcTable+0x50
83541c68 83493e7a 83544d20 83541ca8 00000000 nt!KiProcessExpiredTimerList+0x101
83541cdc 8349200e 00001ea3 8842f918 8354e380 nt!KiTimerExpiration+0x25c
83541d20 83491e38 00000000 0000000e 00000000 nt!KiRetireDpcList+0xcb
83541d24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38

STACK_COMMAND: kb

FOLLOWUP_IP:
vjoy!vJoyGetPositionData+43 [c:\winddk\vjoy-2\driver\sys\driver.c @ 565]
90bd8759 8b400c mov eax,dword ptr [eax+0Ch]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: vjoy!vJoyGetPositionData+43

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: vjoy

IMAGE_NAME: vjoy.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50065fa4

FAILURE_BUCKET_ID: 0xD1_vjoy!vJoyGetPositionData+43

BUCKET_ID: 0xD1_vjoy!vJoyGetPositionData+43

Followup: MachineOwner

*******************************************************************

The crash is at the last line in the following code:
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

if (!pDevContext->positions[i])
return;

HidReport->InputReport.CollectionId = id;
WdfWaitLockAcquire(pDevContext->positionLock, NULL);
HidReport->InputReport.bAxisX = pDevContext->positions[i]->ValX;
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Some background:
This code is constantly called by a timer and is perfectly functional. When it is called during the 'going to sleep' process (that is, leaving state D0, I believe) it causes a crash.
Am I right in assuming that the correct solution is to stop the timer when leaving state D0? Any other suggestions?

Thank you guys

You can't call WdfWaitLockAcquire with a null timeout value while at dispatch level.

d

sent from my phone


From: xxxxx@gmail.com
Sent: 7/18/2012 11:07 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Crash while going to sleep (W7-x32)


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:

To unsubscribe, visit the List Server section of OSR Online at ListServer/Forum

Thank you Doron for your quick response.
Your input was of course 100% correct but it still did not solve the problem.
The code now looks like this:
////////////////////////////////////////////////////////////////////////////////
LONGLONG timeout = 0;

if (!pDevContext->positions[i])
return;

HidReport->InputReport.CollectionId = id;
if (STATUS_SUCCESS == WdfWaitLockAcquire(pDevContext->positionLock, &timeout))
{
HidReport->InputReport.bAxisX = pDevContext->positions[i]->ValX;
////////////////////////////////////////////////////////////////////////////////

The crash is in the last line of the snippet.
It seems that this code is accessed in dispatch level when it should not.
Shouldn't I just put a condition that this code is to be executed only in IRQL == PASSIVE_LEVEL?

After WdfWaitLockAcquire you are probably at DISPATCH,
so you cannot touch pageable memory. Have you tested with verifier?
Also, when you are out of D0, why produce HID reports?
– pa

On 19-Jul-2012 09:06, xxxxx@gmail.com wrote:


You are right Pavel.
I don’t need to run this code while out of D0.
I'm not sure how to do this.
Is it possible to create an atomic block of code that is not entered if out of D0 and prevents change in power state while within? Something like a lock.

What happens when the acquire fails? Why not use a spin lock? Checking for passive is not right. One of the pointers you are dereferencing is not valid. Make sure your array bounds are correct and that when you free memory, anyplace where you have stored the pointer you set it to null.

d

sent from my phone


From: xxxxx@gmail.com
Sent: 7/19/2012 2:33 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Crash while going to sleep (W7-x32)



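As an added illustration of Doron's advice above (check the array bounds, take a lock that is usable at DISPATCH_LEVEL, and null every freed pointer) together with Pavel's point that no report should be produced once the device has left D0: a host-side C model, not WDF code and not from the vJoy driver. The context struct, the lock stand-ins and the D0Entry/D0Exit names are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Host-side model of the driver's per-device context (plain C stand-ins, not WDF). */
#define MAX_POSITIONS 4
typedef struct { int ValX; } POSITION;
typedef struct {
    bool      inD0;                       /* set on D0 entry, cleared on D0 exit */
    int       lockHeld;                   /* stand-in for a spin lock; aborts on re-entry */
    POSITION *positions[MAX_POSITIONS];
} DEV_CONTEXT;

static void LockAcquire(DEV_CONTEXT *c) { if (c->lockHeld) abort(); c->lockHeld = 1; }
static void LockRelease(DEV_CONTEXT *c) { c->lockHeld = 0; }

/* Timer body: fills *axisX and returns true only for an in-bounds, non-NULL slot in D0. */
bool GetPositionData(DEV_CONTEXT *c, unsigned i, int *axisX)
{
    bool ok = false;
    if (i >= MAX_POSITIONS)               /* bounds check before indexing positions[] */
        return false;
    LockAcquire(c);                       /* same lock the D0-exit path takes */
    if (c->inD0 && c->positions[i] != NULL) {
        *axisX = c->positions[i]->ValX;   /* dereferenced only under the lock, in D0 */
        ok = true;
    }
    LockRelease(c);
    return ok;
}

/* D0 entry: allocate one slot per collection, then open the gate for the timer. */
bool D0Entry(DEV_CONTEXT *c, int initialX)
{
    for (unsigned i = 0; i < MAX_POSITIONS; i++) {
        if ((c->positions[i] = malloc(sizeof(POSITION))) == NULL) return false;
        c->positions[i]->ValX = initialX;
    }
    LockAcquire(c); c->inD0 = true; LockRelease(c);
    return true;
}

/* D0 exit: close the gate and free every slot, nulling each pointer so a timer tick
   that fires afterwards sees NULL instead of a freed block (the crash in this thread). */
void D0Exit(DEV_CONTEXT *c)
{
    LockAcquire(c);
    c->inD0 = false;
    for (unsigned i = 0; i < MAX_POSITIONS; i++) { free(c->positions[i]); c->positions[i] = NULL; }
    LockRelease(c);
}
```

In a real driver the lock would be a WDF spin lock and the D0-exit callback would also stop the timer and wait for a running callback; the model only shows the ordering and the checks.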

Yes, it is. Send the request to a power-managed queue. Requests in these
queues will only be presented when the device is in D0, and the device can't
leave D0 until they are completed. (There's a little more to it than that,
but that's the high-level form.)

Jake Oshins
Windows Kernel Team

The message offers no warranties and confers no rights.

wrote in message news:xxxxx@ntdev...


Thank you Jake.
This is probably what I'm looking for.