Dump help on USB crash?

Hi all,

I'm getting an intermittent blue screen on an XP SP2 laptop that occurs VERY
infrequently during a USB drive plug in. Cursory analysis of the dump shows
the function PdoRemoveDevice using a bad pointer during a function call.
The call instruction below appears to be calling a junk address. I've seen
reference on the web to a few other cases with exactly the same stack traces
and problem at usbhub!USBH_PdoRemoveDevice+0x41 (the call below). The edi
value seems to be a parameter passed in to the function. Our driver is not
on the stack, so I'm not terribly suspicious of it, and we're not getting
this on any other machines currently. Also, I've two dumps crashing at
exactly the same spot on this particular machine, so I'm hesitant to think
minor random memory corruption of some sort. Any ideas of directions to go?

usbhub!USBH_PdoRemoveDevice:
f76226be 8bff mov edi,edi
f76226c0 55 push ebp
f76226c1 8bec mov ebp,esp
f76226c3 51 push ecx
f76226c4 51 push ecx
f76226c5 53 push ebx
f76226c6 56 push esi
f76226c7 8b7508 mov esi,dword ptr [ebp+8]
f76226ca 8b4604 mov eax,dword ptr [esi+4]
f76226cd 33db xor ebx,ebx
f76226cf 57 push edi
f76226d0 8b7d0c mov edi,dword ptr [ebp+0Ch]
f76226d3 3bfb cmp edi,ebx
f76226d5 895df8 mov dword ptr [ebp-8],ebx
f76226d8 895dfc mov dword ptr [ebp-4],ebx
f76226db 894508 mov dword ptr [ebp+8],eax
f76226de 895e08 mov dword ptr [esi+8],ebx
f76226e1 7431 je usbhub!USBH_PdoRemoveDevice+0x56 (f7622714)
f76226e3 0fb74e0c movzx ecx,word ptr [esi+0Ch]
f76226e7 51 push ecx
f76226e8 50 push eax
f76226e9 68526f6470 push 70646F52h
f76226ee 6875736268 push 68627375h
f76226f3 ffb70c020000 push dword ptr [edi+20Ch]
f76226f9 ff972c020000 call dword ptr [edi+22Ch]
f76226ff 83bfa800000001 cmp dword ptr [edi+0A8h],1
f7622706 740c je usbhub!USBH_PdoRemoveDevice+0x56 (f7622714)

The analyze looks like so:

*********************************************************************

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f7a11ac4, Exception Record Address
Arg4: f7a117c0, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+0
00000000 ?? ???

EXCEPTION_RECORD: f7a11ac4 -- (.exr fffffffff7a11ac4)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

CONTEXT: f7a117c0 -- (.cxr fffffffff7a117c0)
eax=85929de8 ebx=00000000 ecx=00000003 edx=854695d4 esi=85929ea0 edi=86362b70
eip=00000000 esp=f7a11b8c ebp=f7a11bb8 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
00000000 ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

WRITE_ADDRESS: 00000000

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f76226ff to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7a11b88 f76226ff 00000000 68627375 70646f52 0x0
f7a11bb8 f7629661 85929de8 86362b70 854694f8 usbhub!USBH_PdoRemoveDevice+0x41
f7a11bd8 f7622952 85929ea0 854694f8 00000002 usbhub!USBH_PdoPnP+0x5b
f7a11bfc f76201d8 01929ea0 854694f8 f7a11c30 usbhub!USBH_PdoDispatch+0x5a
f7a11c0c 804eef95 85929de8 854694f8 858cf950 usbhub!USBH_HubDispatch+0x48
f7a11c1c f7990db4 858cf898 858cf950 854694f8 nt!IopfCallDriver+0x31
f7a11c30 f7992980 858cf898 854694f8 854695f8 USBSTOR!USBSTOR_FdoRemoveDevice+0xac
f7a11c48 804eef95 858cf898 854694f8 f7a11cd4 USBSTOR!USBSTOR_Pnp+0x4e
f7a11c58 8059183b 85929de8 85929de8 00000002 nt!IopfCallDriver+0x31
f7a11c84 80591a9d 858cf898 f7a11cb0 00000000 nt!IopSynchronousCall+0xb7
f7a11cd8 804f6d72 85929de8 00000002 00000000 nt!IopRemoveDevice+0x93
f7a11d00 80593466 e47905b0 00000018 e54d4ba0 nt!IopRemoveLockedDeviceNode+0x160
f7a11d18 805934cd 8579c368 00000002 e54d4ba0 nt!IopDeleteLockedDeviceNode+0x34
f7a11d4c 80593571 85929de8 024d4ba0 00000002 nt!IopDeleteLockedDeviceNodes+0x3f
f7a11d7c 805378d9 8552d9a0 00000000 865c2da8 nt!IopDelayedRemoveWorker+0x4b
f7a11dac 805ce7ce 8552d9a0 00000000 00000000 nt!ExpWorkerThread+0xef
f7a11ddc 8054524e 805377ea 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
USBSTOR!USBSTOR_FdoRemoveDevice+ac
f7990db4 ff760c push dword ptr [esi+0Ch]

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: USBSTOR

IMAGE_NAME: USBSTOR.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 41107d6c

SYMBOL_NAME: USBSTOR!USBSTOR_FdoRemoveDevice+ac

STACK_COMMAND: .cxr 0xfffffffff7a117c0 ; kb

FAILURE_BUCKET_ID: 0x7E_USBSTOR!USBSTOR_FdoRemoveDevice+ac

BUCKET_ID: 0x7E_USBSTOR!USBSTOR_FdoRemoveDevice+ac

Followup: MachineOwner

*******************************************************************************
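The reasoning in the post (return address f76226ff sits right after `call dword ptr [edi+22Ch]`, edi is 86362b70 in the saved context, and the crash lands at eip 0) can be mechanised so that the same triage is repeatable across the two dumps. The script below is an added example, not code from the poster or from WinDbg; the three string constants are constructed excerpts of the debugger output shown above, and the parsing rules assume the plain `u`, `r` and `kb`-style layouts used in that output. It resolves the return address in frame 0 to the call instruction that ended there, computes the effective address of the indirect operand from the register context, and reports whether the function-pointer slot held NULL (eip of zero after an indirect call can only come from a zero loaded out of that slot).

```python
import re

# Constructed excerpt of the disassembly quoted in the post (u-style: addr bytes mnemonic operands).
DISASM = """\
f76226f3 ffb70c020000 push dword ptr [edi+20Ch]
f76226f9 ff972c020000 call dword ptr [edi+22Ch]
f76226ff 83bfa800000001 cmp dword ptr [edi+0A8h],1
"""

# Constructed excerpt of the CONTEXT (.cxr) register dump from the post.
CONTEXT = """\
eax=85929de8 ebx=00000000 ecx=00000003 edx=854695d4 esi=85929ea0 edi=86362b70
eip=00000000 esp=f7a11b8c ebp=f7a11bb8 iopl=0 nv up ei ng nz na po nc
"""

# Constructed excerpt of STACK_TEXT (kb layout: ChildEBP RetAddr Args-to-Child Symbol).
STACK_TEXT = """\
f7a11b88 f76226ff 00000000 68627375 70646f52 0x0
f7a11bb8 f7629661 85929de8 86362b70 854694f8 usbhub!USBH_PdoRemoveDevice+0x41
"""

MEM_OPERAND = re.compile(r"dword ptr \[(\w+)\+([0-9A-Fa-f]+)h?\]")


def parse_registers(context):
    """Return {name: value} for every 32-bit reg=hex pair in a register dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", context)}


def parse_disasm(disasm):
    """Return [(address, hex_bytes, mnemonic, operands)] from u-style output."""
    rows = []
    for line in disasm.splitlines():
        m = re.match(r"([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s*(.*)", line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_stack(stack_text):
    """Return [(child_ebp, return_address, symbol)] from kb-style STACK_TEXT lines."""
    frames = []
    for line in stack_text.splitlines():
        m = re.match(r"([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)", line)
        if m:
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames


def effective_address(operand, regs):
    """Resolve 'dword ptr [reg+disp]' against the register set; None for other shapes."""
    m = MEM_OPERAND.search(operand)
    if not m or m.group(1) not in regs:
        return None
    return regs[m.group(1)] + int(m.group(2), 16)


def find_faulting_call(disasm_rows, return_address):
    """The call whose end address equals the return address is the one that jumped away."""
    for addr, raw, mnem, ops in disasm_rows:
        if mnem == "call" and addr + len(raw) // 2 == return_address:
            return addr, ops
    return None


def triage(disasm, context, stack_text):
    """Correlate frame 0's return address with the preceding indirect call."""
    regs = parse_registers(context)
    frames = parse_stack(stack_text)
    # Frame 0 is the bogus IP; its return address points back into the real caller.
    ret = frames[0][1]
    call = find_faulting_call(parse_disasm(disasm), ret)
    if call is None:
        return None
    call_addr, operand = call
    slot = effective_address(operand, regs)
    return {
        "caller": frames[1][2],
        "call_site": call_addr,
        "operand": operand,
        "pointer_slot": slot,          # address of the function pointer that was loaded
        "target_eip": regs["eip"],
        "verdict": ("function pointer slot held NULL" if regs["eip"] == 0
                    else "function pointer slot held a non-code address"),
    }


if __name__ == "__main__":
    for key, val in triage(DISASM, CONTEXT, STACK_TEXT).items():
        print(f"{key:13}: {val:#010x}" if isinstance(val, int) else f"{key:13}: {val}")
```

With the excerpts above the script reports the call site f76226f9, the slot 86362d9c (edi + 0x22C) and a NULL verdict. The next step in the debugger is to `dd` that slot in both dumps: if it is zero in both while the surrounding structure looks intact, the fault is a consistently unset pointer rather than random memory corruption, which matches the observation that both dumps stop at exactly the same instruction.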