DRIVER_IRQL_NOT_LESS_OR_EQUAL

Hi,

Periodically after 30min-1.5h I have a blue screen
with the next message:
DRIVER_IRQL_NOT_LESS_OR_EQUAL.

When I use WinDbg, the driver works correctly all night, but without it
the driver crashed as I wrote before. How can I debug this error?

Thank you

You can debug it with a debugger :)
Open crash dump in WinDbg. Ensure that your symbols are correct. Start with !analyze -v command.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]On Behalf Of Andrey Kamchatnikov
Sent: Monday, July 30, 2007 9:11 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Hi,

Periodically after 30min-1.5h I have a blue screen
with the next message:

DRIVER_IRQL_NOT_LESS_OR_EQUAL.

When I use WinDbg, the driver works correctly all night, but without it
the driver crashed as I wrote before. How can I debug this error?

Thank you



Is it your driver’s module where the crash occurs? Please note that it does not necessarily have to be your driver’s module - for example, your driver may corrupt some other driver’s memory, so that you can bluescreen when this driver tries to access corrupt memory (please note that DRIVER_IRQL_NOT_LESS_OR_EQUAL may be displayed not only if some operation that requires low IRQL was attempted at elevated one - for example, if the target address is just plainly invalid and you access it at elevated IRQL, you will get exactly the same BSOD message)…

Anton Bassov

Do you have Verifier enabled ?

/Daniel


Andrey Kamchatnikov wrote:

Periodically after 30min-1.5h I have a blue screen
with the next message:
*DRIVER_IRQL_NOT_LESS_OR_EQUAL.*
When I use WinDbg, the driver works correctly all night, but without it
the driver crashed as I wrote before. How can I debug this error?

(Only because you did not state anything about your test environment,
and because it might be useful for some OP here:)

If you run your tests within a VM using VMware Player 2.0, this error
message can also come from the VMware USB2.0 support module.

With one of our apps I had a similar problem here - and also the crash
never occurred with the debug version of the software. Downgrading to
the old player wouldn’t help, either (because it does not replace the
new VM USB driver, I assume).

The solution was to add ehci.present="true" and change
virtualhw.version="6" in the VMX file.

Yes, it’s in my driver:

t!DbgBreakPointWithStatus+0x4:
804e8b25 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 897d267c, memory referenced
Arg2: 00000016, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: baadd6b9, address which referenced memory

Debugging Details:

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804DC000,214600,41108004
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

FAULTING_MODULE: 804dc000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 46adae2b

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
897d267c

CURRENT_IRQL: 16

FAULTING_IP:
sg_nevada+6b9
baadd6b9 8b8c1024010000 mov ecx,dword ptr [eax+edx+124h]

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 805383be to 804e8b25

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
bacb632c 805383be 00000003 897d267c baadd6b9 nt!DbgBreakPointWithStatus+0x4
bacb670c 804e7158 0000000a 897d267c 00000016 nt!KeDeregisterBugCheckReasonCallback+0x6c7
bacb67b4 804dfd9f 89668008 896fd0d8 00010016 nt!Kei386EoiHelper+0x285d
bacb67f8 baea5da1 00000001 8975c370 00000000 nt!KeSynchronizeExecution+0x24d
bacb6848 804dfd7d 0001000c 0000003f bacb685c atapi+0x2da1
00000000 00000000 00000000 00000000 00000000 nt!KeSynchronizeExecution+0x22b

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
sg_nevada+6b9
baadd6b9 8b8c1024010000 mov ecx,dword ptr [eax+edx+124h]

SYMBOL_NAME: sg_nevada+6b9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: sg_nevada

IMAGE_NAME: sg_nevada.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, July 30, 2007 11:08 AM
Subject: RE:[ntdev] DRIVER_IRQL_NOT_LESS_OR_EQUAL

> Is it your driver’s module where the crash occurs? Please note that it
> does not necessarily have to be your driver’s module - for example, your
> driver may corrupt some other driver’s memory, so that
> you can bluescreen when this driver tries to access corrupt memory (
> please note that DRIVER_IRQL_NOT_LESS_OR_EQUAL may be displayed not only
> if some operation that requires low IRQL was attempted at elevated one -
> for example, if the target address is just plainly invalid and you access
> it at elevated IRQL, you will get exactly the same BSOD message)…
>
> Anton Bassov

Andrey Kamchatnikov wrote:

Yes, it’s in my driver:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 897d267c, memory referenced
Arg2: 00000016, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: baadd6b9, address which referenced memory

FAULTING_IP:
sg_nevada+6b9
baadd6b9 8b8c1024010000 mov ecx,dword ptr [eax+edx+124h]

This looks pretty clear. A routine that you called via
KeSynchronizeExecution is accessing a piece of data that came from paged
pool. What does the code in your synchronize function look like?

Also, if you fixed your symbols, as the dump suggests, the output would
be much more useful.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
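
Added example, not part of any message in this thread: a small Python triage of the !analyze -v text posted above, pulling out the four 0xD1 arguments, the faulting module and the wrong-symbols warning. The sample is a constructed excerpt of that output; triage_d1 and its field names are hypothetical, not a WinDbg API.

```python
import re

# Constructed sample: an excerpt of the !analyze -v output quoted in this thread.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 897d267c, memory referenced
Arg2: 00000016, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: baadd6b9, address which referenced memory
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
FAULTING_IP:
sg_nevada+6b9
baadd6b9 8b8c1024010000 mov ecx,dword ptr [eax+edx+124h]
STACK_TEXT:
bacb67f8 baea5da1 00000001 8975c370 00000000 nt!KeSynchronizeExecution+0x24d
"""

DISPATCH_LEVEL = 2  # pageable memory must not be touched at or above this IRQL
FLAGS = re.M | re.I

def triage_d1(text):
    """Summarise a bugcheck 0xD1 report (hypothetical helper)."""
    if not re.search(r"^DRIVER_IRQL_NOT_LESS_OR_EQUAL \(d1\)", text, FLAGS):
        raise ValueError("not a bugcheck 0xD1 report")
    # Arguments are printed in hex; 64-bit values carry a ` separator.
    args = {int(n): int(v.replace("`", ""), 16)
            for n, v in re.findall(r"^Arg([1-4]):\s*([0-9a-f`]+),", text, FLAGS)}
    if len(args) != 4:
        raise ValueError("expected Arg1..Arg4")
    ip = re.search(r"^FAULTING_IP:\s*(\S+)", text, FLAGS)
    symbol = ip.group(1) if ip else None
    return {
        "referenced_address": args[1],
        "irql": args[2],
        "access": {0: "read", 1: "write"}.get(args[3], "other"),
        "faulting_ip": args[4],
        "symbol": symbol,
        # Module name is whatever precedes '!' (symbolised) or '+' (raw offset).
        "module": re.split(r"[!+]", symbol)[0] if symbol else None,
        "above_dispatch": args[2] > DISPATCH_LEVEL,
        "symbols_wrong": "symbols are WRONG" in text,
        # Only a hint: with wrong symbols the unwound frames may be unreliable.
        "sync_on_stack": "KeSynchronizeExecution" in text,
    }

if __name__ == "__main__":
    print(triage_d1(SAMPLE))
```

Arg2 is printed in hexadecimal, so 00000016 is IRQL 22, well above DISPATCH_LEVEL; a "symbol" of the form module+offset with no function name is itself a sign that symbols for that module were not loaded.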