DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS by ntkrnlmp.exe

Hi, I am experiencing a weird crash on my win2003 test machines.
My software is a combination of a user-mode process (Service) and an UpperFilter volume driver. In the test scenario, the machines are part of an MSCS cluster.
I have a notification mechanism between the driver and the process which is based on the inverse IOCTL model, and I have therefore implemented cancellation for when the user process is going down. I elaborated on this because I know the bugcheck I received may indicate wrong cancellation handling of the IOCTL, but I do not think this is the case. The OS complains that when the user-mode process crashes, ntoskrnl didn’t release some locked pages, and states that the system call that locked the pages is NtReadFileScatter, which is used profusely by my user application. Using !irpfind, I failed to find any IRP with an MDL similar to that described by the bugcheck.
Attached below is the windbg output.
Can someone help with this one?

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;c:\dump

Microsoft (R) Windows Debugger Version 6.3.0017.0

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\dump\MEMORY.DMP]

Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;c:\dump

Executable search path is:

Windows Server 2003 Kernel Version 3790 MP (2 procs) Free x86 compatible

Product: Server, suite: Enterprise TerminalServer SingleUserTS

Built by: 3790.srv03_rtm.030324-2048

Kernel base = 0x804de000 PsLoadedModuleList = 0x8057b6a8

Debug session time: Sun Oct 24 22:34:29 2004

System Uptime: 0 days 10:37:53.992

Loading Kernel Symbols

Loading unloaded module list

Loading User Symbols

PEB is paged out (Peb.Ldr = 7ffdf00c). Type “.hh dbgerr001” for details

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck CB, {805d4008, 804dfd24, 814ed000, 800}

Probably caused by : ntkrnlmp.exe ( nt!NtReadFileScatter+456 )

Followup: MachineOwner


1: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
Caused by a driver not cleaning up completely after an I/O.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.

Arguments:
Arg1: 805d4008, The calling address in the driver that locked the pages or if the
    IO manager locked the pages this points to the dispatch routine of
    the top driver on the stack to which the IRP was sent.
Arg2: 804dfd24, The caller of the calling address in the driver that locked the
    pages. If the IO manager locked the pages this points to the device
    object of the top driver on the stack to which the IRP was sent.
Arg3: 814ed000, A pointer to the MDL containing the locked pages.
Arg4: 00000800, The number of locked pages.

Debugging Details:


FAULTING_IP:

nt!NtReadFileScatter+456

805d4008 8b451c mov eax,[ebp+0x1c]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCB

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 805f6305 to 805435b9

STACK_TEXT:

f5df1c30 805f6305 000000cb 805d4008 804dfd24 nt!KeBugCheckEx+0x19

f5df1c5c 805cf217 824cafe8 81b87878 00000001 nt!MmCleanProcessAddressSpace+0x2e7

f5df1cf0 805dfe6a 00000001 81c03a08 804f3251 nt!PspExitThread+0x673

f5df1cfc 804f3251 81c03a08 f5df1d48 f5df1d3c nt!PsExitSpecialApc+0x1b

f5df1d4c 804dfda8 00000001 00000000 f5df1d64 nt!KiDeliverApc+0x1c6

f5df1d4c 7ffe0304 00000001 00000000 f5df1d64 nt!KiServiceExit+0x56

00e9fad8 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:

nt!NtReadFileScatter+456

805d4008 8b451c mov eax,[ebp+0x1c]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtReadFileScatter+456

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3e8015c6

BUCKET_ID: 0xCB_nt!NtReadFileScatter+456

Followup: MachineOwner


