I have managed to obtain and install a copy of the Windows XP Service Pack 1 Beta this morning, and I have now managed to load all the debug symbols I require into the debugger.
I have just analysed the Windows XP CrashDump file and here is what I came up with. It appears that a page fault occurred in the IopMountInitializeVpb function, which was in turn invoked from the function IopMountVolume. Now, on further analysis, looking at the registers, I think the fault occurred on the following operation:
mov [ecx+0x30],al
The register ecx is pointing to a null address, so could it be that a null parameter is going into IopMountInitializeVpb? If so, how can I find out what this parameter is supposed to be?
Regards,
James
Here is the output from the Windbg…
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000030, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804daa5b, address which referenced memory
Debugging Details:
WRITE_ADDRESS: 00000030
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopMountInitializeVpb+31
804daa5b 884130 mov [ecx+0x30],al
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA_W
TRAP_FRAME:  fc5ab958 -- (.trap fffffffffc5ab958)
ErrCode = 00000002
eax=80e99208 ebx=80e4bba0 ecx=00000000 edx=ffb9c1b4 esi=ffb6b2d0 edi=80cc53e0
eip=804daa5b esp=fc5ab9cc ebp=fc5ab9d4 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopMountInitializeVpb+31:
804daa5b 884130           mov     [ecx+0x30],al          ds:0023:00000030=??
Resetting default context
LAST_CONTROL_TRANSFER: from 80572987 to 804daa5b
STACK_TEXT:
fc5ab9d4 80572987 80e4bba0 80e99290 00000000 nt!IopMountInitializeVpb+0x31
fc5aba30 804dc853 00000000 fc5abb00 00000000 nt!IopMountVolume+0x22a
fc5aba60 805a9603 ffb78558 80e4bba0 fc5abb98 nt!IopCheckVpbMounted+0x59
fc5abb54 8059ff67 80e4bba0 00000000 80dd6798 nt!IopParseDevice+0x3ba
fc5abbd8 805a7c1e 00000000 fc5abc18 00000040 nt!ObpLookupObjectName+0x56a
fc5abc2c 805a9bf5 00000000 00000000 805a8b01 nt!ObOpenObjectByName+0xe9
fc5abca8 805a9ccb 0006fa7c 80100080 0006fa1c nt!IopCreateFile+0x407
fc5abcf0 805adbbc 0006fa7c 80100080 0006fa1c nt!IoCreateFile+0x36
fc5abd30 804dd300 0006fa7c 80100080 0006fa1c nt!NtCreateFile+0x2e
fc5abd30 7ffe0304 0006fa7c 80100080 0006fa1c nt!KiSystemService+0xc4
0006fa74 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4
FOLLOWUP_IP:
nt!IopMountInitializeVpb+31
804daa5b 884130 mov [ecx+0x30],al
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!IopMountInitializeVpb+31
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3cf5e14b
STACK_COMMAND: .trap fffffffffc5ab958 ; kb
BUCKET_ID: 0xA_W_nt!IopMountInitializeVpb+31
Followup: MachineOwner
kd> kv
ChildEBP RetAddr Args to Child
fc5ab93c 804e000e 0000000a 00000030 00000002 nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
fc5ab93c 804daa5b 0000000a 00000030 00000002 nt!KiTrap0E+0x2ad (FPO: [0,0] TrapFrame @ fc5ab958)
fc5ab9d4 80572987 80e4bba0 80e99290 00000000 nt!IopMountInitializeVpb+0x31 (FPO: [Non-Fpo])
fc5aba30 804dc853 00000000 fc5abb00 00000000 nt!IopMountVolume+0x22a (FPO: [Non-Fpo])
fc5aba60 805a9603 ffb78558 80e4bba0 fc5abb98 nt!IopCheckVpbMounted+0x59 (FPO: [Non-Fpo])
fc5abb54 8059ff67 80e4bba0 00000000 80dd6798 nt!IopParseDevice+0x3ba (FPO: [Non-Fpo])
fc5abbd8 805a7c1e 00000000 fc5abc18 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
fc5abc2c 805a9bf5 00000000 00000000 805a8b01 nt!ObOpenObjectByName+0xe9 (FPO: [Non-Fpo])
fc5abca8 805a9ccb 0006fa7c 80100080 0006fa1c nt!IopCreateFile+0x407
fc5abcf0 805adbbc 0006fa7c 80100080 0006fa1c nt!IoCreateFile+0x36 (FPO: [Non-Fpo])
fc5abd30 804dd300 0006fa7c 80100080 0006fa1c nt!NtCreateFile+0x2e (FPO: [Non-Fpo])
fc5abd30 7ffe0304 0006fa7c 80100080 0006fa1c nt!KiSystemService+0xc4 (FPO: [0,0] TrapFrame @ fc5abd64)
0006fa74 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
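Added example (my own code, not part of the thread): a small Python checker that parses the salient lines of the !analyze -v and .trap output above, embedded as a constructed sample, and cross-checks the bugcheck 0xA arguments against the trap-frame registers and the faulting instruction. The 64 KB null-page limit and the wording of the findings are my own assumptions.

```python
import re

# Constructed sample: the salient lines copied from the !analyze -v / .trap output above.
ANALYZE_TEXT = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 00000030, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804daa5b, address which referenced memory
FAULTING_IP:
nt!IopMountInitializeVpb+31
804daa5b 884130 mov [ecx+0x30],al
eax=80e99208 ebx=80e4bba0 ecx=00000000 edx=ffb9c1b4 esi=ffb6b2d0 edi=80cc53e0
eip=804daa5b esp=fc5ab9cc ebp=fc5ab9d4 iopl=0 nv up ei pl nz na pe nc
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-fA-F]{8}),", re.M)
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
# Faulting instruction with a [base+0xdisp] destination, e.g. "mov [ecx+0x30],al".
INSN_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+ (\w+) \[(e\w\w)\+0x([0-9a-f]+)\],(\w+)", re.M)
NULL_PAGE_LIMIT = 0x10000  # assumption: lowest 64 KB of a 32-bit address space is never mapped

def parse_analyze(text):
    """Pull the bugcheck arguments, trap-frame registers and faulting instruction."""
    args = {int(m.group(1)): int(m.group(2), 16) for m in ARG_RE.finditer(text)}
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}
    m = INSN_RE.search(text)
    insn = {"op": m.group(1), "base": m.group(2), "disp": int(m.group(3), 16),
            "src": m.group(4)} if m else None
    return {"args": args, "regs": regs, "insn": insn}

def explain_bugcheck_a(parsed):
    """Cross-check the 0xA arguments against the registers and classify the fault."""
    args, regs, insn = parsed["args"], parsed["regs"], parsed["insn"]
    findings = ["write" if args[3] == 1 else "read"]
    if args[4] == regs.get("eip"):
        findings.append("arg4 == eip")  # the trap frame really belongs to this fault
    if args[2] >= 2:
        findings.append("IRQL %d: any page fault is fatal here, hence 0xA" % args[2])
    if insn and insn["base"] in regs:
        base = regs[insn["base"]]
        if ((base + insn["disp"]) & 0xFFFFFFFF) == args[1]:
            findings.append("arg1 == %s+0x%x" % (insn["base"], insn["disp"]))
        if base == 0 and args[1] < NULL_PAGE_LIMIT:
            # Zero base register plus a small displacement: the callee wrote a field
            # of a structure whose pointer it was handed as NULL.
            findings.append("null struct pointer in %s, field offset 0x%x"
                            % (insn["base"], insn["disp"]))
    return findings
```

The last finding is the machine-checked form of the question in the message: ecx is 0 and the write lands at offset 0x30 of it, so the pointer passed into IopMountInitializeVpb was NULL.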
-----Original Message-----
From: James Dunning [mailto:xxxxx@generaldynamics.uk.com]
Sent: 23 July 2002 17:29
To: File Systems Developers
Subject: [ntfsd] Re: Currently having problems mounting a volume
I thought that may have been the case, but I wasn't sure because I couldn't see any debug symbols for XP with no SP on the Microsoft website. I have used WinDbg in the past for NT4 and never had any problems creating debug symbols for the driver and loading the NT4 debug symbols into the debugger. This is why I just wanted to make sure.
I may work for a pretty big company, but you wouldn't believe how tight-fisted they are when it comes to additional funding for projects. The development PCs and environment are pretty much diabolical, and there's not a lot I can do about it.
I may also need to get an MSDN Universal or Professional subscription so I can download the XP SP1 beta or debug symbols, and that could take me over 2 weeks before I can get approval for funding.
I will have to discuss the possibility of getting another PC for debugging purposes with the team lead tomorrow morning and see what happens.
Until then I'm signing off and going home.
Kind regards,
James
P.S. I am unable to use the Microsoft symbol server due to the tight security we have here. I cannot have a debug and test machine connected to the company network.
-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: 23 July 2002 16:38
To: File Systems Developers
Subject: [ntfsd] Re: Currently having problems mounting a volume
James,
> Does this mean I need to have SP1 for Windows XP, before I can use the
> debug symbols?
Of course it does. Debug symbols are generated at link time during the same process the binary images for your OS are built. MS made available symbols for SP1 of XP beta, but they also made available symbols for XP no SP. You MUST have an exact match. Also, if you are using a debug build of the OS, the symbols must be for the debug build. Also, during development, a symbol file will be generated for your driver too. Make sure that gets loaded by the debugger as well. Please read the WinDbg documentation on how to correctly set up your symbol environment, or ask on the windbg mailing list.
Also, you work for a pretty big company, can't they afford to buy you another machine to use WinDbg for remote debugging? While NTICE is a nice tool, I found that it lacks a lot of features and extensions WinDbg has, and which are extremely useful for writing file systems, where you can quickly run into problems. A correctly set up debug environment will be rewarding; it will minimize your wasted time and accelerate the overall development progress.
Dan
----- Original Message -----
From: “James Dunning”
To: “File Systems Developers”
Sent: Tuesday, July 23, 2002 6:37 PM
Subject: [ntfsd] Re: Currently having problems mounting a volume
> Thanks for the reply, I suppose it was a stupid question to ask; obviously
> it could happen for a number of reasons. I am using SoftICE to debug the
> filesystem driver locally, but just recently started to use the latest copy
> of WinDbg to examine the crashdump files which are generated by Windows XP.
>
> I thought I had the full OS debug symbols installed on my PC, but I'm quite
> confused at the moment, as I've not noticed this before… when WinDbg
> tries to load all the symbols into the debugger, it complains that I have
> the wrong symbols!
>
> Now I am using the retail copy of Windows XP, and I've downloaded and
> installed the following package from
> http://www.microsoft.com/ddk/debugging/symbols.asp
>
> Windows XP with Service Pack 1 Beta x86 retail symbols, all
> languages (File size: 156 MB)
>
> I have noticed that it states "With Service Pack 1 Beta". Does this mean I
> need to have SP1 for Windows XP before I can use the debug symbols? If so,
> then am I right in saying that SP1 has not been released yet for XP?
>
> Regards,
> James
>
>
>
> -----Original Message-----
> From: Dan Partelly [mailto:xxxxx@rdsor.ro]
> Sent: 23 July 2002 12:28
> To: File Systems Developers
> Subject: [ntfsd] Re: Currently having problems mounting a volume
>
>
> >> why I could be getting a page fault once the mount request has been
> >> completed?
>
> It can happen for 1001 reasons.
>
> Why don't you run with full OS symbols loaded into the debugger? Also,
> generally please copy / paste the stack from WinDbg when posting here; it is
> much more useful than a handwritten, maybe incorrect stack trace. It's good
> to paste us as much information directly from WinDbg and not by hand. And
> please, DO use debug symbols.
>
>
>
> ----- Original Message -----
> From: “James Dunning”
> To: “File Systems Developers”
> Sent: Tuesday, July 23, 2002 2:26 PM
> Subject: [ntfsd] Currently having problems mounting a volume
>
>
> > I am currently having a problem mounting a volume from my file system
> > driver. I have successfully managed to identify the filesystem on my volume
> > from IRP_MN_MOUNT_VOLUME and now obviously I would like to mount it.
> >
> > When I call FsRtlNotifyVolumeEvent( FileObjectToNotify, FSRTL_VOLUME_MOUNT ),
> > everything appears to work fine and returns STATUS_SUCCESS. However,
> > somewhere down the line after the IRP_MN_MOUNT_VOLUME request has been
> > completed, a page fault occurs.
> >
> > I cannot understand where the fault is occurring from. I have looked at
> > the crash dump file generated by Win XP, and it appears to be caused by my
> > file system driver.
> >
> > The stack looks like this…
> >
> > ntoskrnl!.text+02E3
> > ntoskrnl!ExWindowsStationObjectType
> > ntoskrnl!KiCoprocessorError
> > ntoskrnl!SePrivilegeCheck
> > ntoskrnl!SeReleaseSubjectContext
> > ntoskrnl!ObOpenByName
> > ntoskrnl!IoGetFileObjectGenericMapping
> > ntoskrnl!IoCreateFile    <-------------------- I guess this is the point where
> > ntoskrnl!NtCreateFile                          the file system gets the mount request.
> >
> > What exactly happens when this call is made? FsRtlNotifyVolumeEvent? Would
> > anyone have any idea why I could be getting a page fault once the mount
> > request has been completed?
> >
> > Any advice would be gratefully received.
> >
> > Regards
> > James
> >
> >
> > ps.
> >
> > WinDbg states that the faulting_ip is nt!IoReadDiskSignature (why is this
> > call being made after the mount?)
> > It also states that the following_ip is stfs!StFsdDispatch (which is from my
> > filesystem driver)
> >
> >
> > General Dynamics United Kingdom Limited
> > Registered in England and Wales No. 1911653
> > Registered Office: 100 New Bridge Street, London, EC4V 6JA
> >
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>