Hi All,
I am developing a WDF driver. I get a crash dump which is as given below when verifier is enabled. The issues is that the dump just give the hint that there has been a memory leak but it doesnt point to the driver but it shows image as ntkrpamp.exe.
How to find out what caused the memory leak?
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: 8247d20c, name of the driver having the issue.
Arg3: 824a8d80, verifier internal structure with driver information.
Arg4: 0000000b, total # of (paged+nonpaged) allocations that weren’t freed.
Type !verifier 3 drivername.sys for info on the allocations
that were leaked that caused the bugcheck.
Debugging Details:
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_MI_VERIFIER_DRIVER_ENTRY ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to set symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: 82e06000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4a2480e6
BUGCHECK_STR: 0xc4_62
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 83139f03 to 82ee2c88
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
87f279b0 83139f03 000000c4 00000062 8247d20c nt!KeBugCheckEx+0x1e
87f279d0 8313e5eb 8247d20c 824a8d80 87439000 nt!PoSetHiberRange+0xe278
87f27a1c 82f97633 8247d1b0 87439000 40000000 nt!PoSetHiberRange+0x12960
87f27a68 82f98521 8247d1b0 ffffffff 00000000 nt!IoUnregisterFileSystem+0x1225
87f27a8c 830c1497 8247d1b0 851d5f78 828f2830 nt!LdrResFindResource+0x25d
87f27aa4 830276c4 828f2848 828f2848 828f2830 nt!NtSetVolumeInformationFile+0x546
87f27abc 82e6eee0 00000000 828f7f18 828f7e68 nt!SeOpenObjectAuditAlarm+0xab7
87f27aec 830276c4 828f7e68 828f7e68 828f7e50 nt!ObfDereferenceObjectWithTag+0x89
87f27b04 82e6eee0 00000000 828fce78 9fd49674 nt!SeOpenObjectAuditAlarm+0xab7
87f27b44 82fb98e5 00000000 a2cbdcb0 00000000 nt!ObfDereferenceObjectWithTag+0x89
87f27b58 82fb984b 00000002 00000000 00000000 nt!ExCreateCallback+0x2c1a
87f27b8c 830c48fb 82470030 a2cbdcb0 00000002 nt!ExCreateCallback+0x2b80
87f27bc4 830c487b 8281e590 00000000 83218870 nt!IoReportTargetDeviceChange+0x1a01
87f27be0 82e1b56e 82470030 00000001 824f75a0 nt!IoReportTargetDeviceChange+0x1981
87f27c0c 82fb94c8 824d63a8 00000002 00000000 nt!ExRegisterCallback+0xc17
87f27cc4 82fbb1a4 87f27cf4 00000000 a2cbdcf0 nt!ExCreateCallback+0x27fd
87f27cdc 82fbccec 00000000 87982730 851d3798 nt!ExCreateCallback+0x44d9
87f27d00 82e73c27 87982730 00000000 851d3798 nt!IoCreateDevice+0xf49
87f27d50 83014643 00000001 a32d46ad 00000000 nt!KeInsertQueueDpc+0x36e
87f27d90 82ec6059 82e73b1a 00000001 00000000 nt!PsCreateSystemThread+0x19a
00000000 00000000 00000000 00000000 00000000 nt!wcsupr+0x14a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PoSetHiberRange+e278
83139f03 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PoSetHiberRange+e278
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrpamp.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner