Enabling Tracing crashes driver

Hi,

Have this problem and wondering if it’s a common “gotcha”… ?

I’ve modified the WDF Toaster Simple Device Driver and have added tracing.
FWIW I’ve used tracing in the past on several drivers.

I can load and unload the driver at will without tracing enabled.
If I load the driver, and then attempt to view tracing with TraceView, it
crashes the driver immediately.

Anyone seen this before I have to haul out WinDbg?

Regards,


Mark McDougall, Engineer
Virtual Logic Pty Ltd, http:
21-25 King St, Rockdale, 2216
Ph: +612-9599-3255 Fax: +612-9599-3266

What is the call stack and output of !analyze -v? Also, what is the OS?

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark McDougall
Sent: Thursday, August 23, 2007 9:08 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Enabling Tracing crashes driver

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Doron Holan wrote:

What is the call stack and output of !analyze -v? Also, what is the OS?

XP(Pro).

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: aaabc540, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80603128, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:

Could not read faulting driver name

READ_ADDRESS: aaabc540

FAULTING_IP:
nt!NtSetInformationToken+2c6
80603128 ff10 call dword ptr [eax]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: TraceView.exe

LAST_CONTROL_TRANSFER: from 80603303 to 80603128

STACK_TEXT:
aaa06910 80603303 81bd9908 c28a3e05 00000000 nt!NtSetInformationToken+0x2c6
aaa0693c 80600836 c28a3e05 aaabc540 aaa06ac0 nt!NtSetInformationToken+0x5af
aaa0696c 80600a44 c28a3e05 e29b6f38 aaa06aa8 nt!SeAccessCheckByType+0x127
aaa06aec 80600c6c c28a3e05 e1451f0c 00000001 nt!SeAccessCheckByType+0x4d8
aaa06b18 80600d14 e1451f0c 00000005 00224101 nt!SeAppendPrivileges+0x93
aaa06b38 80600e50 e1451f0c 00000001 00224101 nt!SepAdtPrivilegeObjectAuditAlarm+0x77
aaa06b60 8060103b e1451f0c 00224101 00040002 nt!SepAdtPrivilegedServiceAuditAlarm+0x28
aaa06b94 80603d72 00224148 821c8dd0 81d6b230 nt!SeLocateProcessImageName+0x71
aaa06c40 804eeeb1 823e81d8 821b6ab0 806e4410 nt!IoWMIRegistrationControl+0x8c
aaa06c64 8057f4eb 823e81d8 821b6ab0 823cb380 nt!MiAddViewsForSection+0x38
aaa06d00 8057804e 0000035c 0000034c 00000000 nt!MiFindEmptyAddressRangeDownTree+0x150
aaa06d34 8054060c 0000035c 0000034c 00000000 nt!RtlLengthSecurityDescriptor+0x3a
aaa06d64 7c90eb94 badb0d00 0006f0e8 aa69ad98 nt!RtlIpv4StringToAddressA+0xfd
WARNING: Frame IP not in any known module. Following frames may be wrong.
aaa06d78 00000000 00000000 00000000 00000000 0x7c90eb94

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!NtSetInformationToken+2c6
80603128 ff10 call dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!NtSetInformationToken+2c6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0d

FAILURE_BUCKET_ID: 0x50_nt!NtSetInformationToken+2c6

BUCKET_ID: 0x50_nt!NtSetInformationToken+2c6

Followup: MachineOwner

Regards,


Mark McDougall, Engineer
Virtual Logic Pty Ltd, http:
21-25 King St, Rockdale, 2216
Ph: +612-9599-3255 Fax: +612-9599-3266

Mark McDougall wrote:

Interestingly, the machine will ONLY crash if I enable tracing in
TraceView.exe, and ONLY if I trace this particular driver - other
drivers trace fine.

Incidentally, sometimes it crashes as soon as I start tracing, other times
as soon as I stop tracing. Weird…

I should probably add that this driver is a root-enum driver (no class
install) just like the toaster device.

And the driver appears to operate correctly otherwise!

Regards,


Mark McDougall, Engineer
Virtual Logic Pty Ltd, http:
21-25 King St, Rockdale, 2216
Ph: +612-9599-3255 Fax: +612-9599-3266

Are you calling WPP_CLEANUP in your driver’s Unload routine? Are you
passing the right object to WPP_INIT_TRACING?

Thx
d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark McDougall
Sent: Thursday, August 23, 2007 11:00 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Enabling Tracing crashes driver


This commonly happens when you forget to call WPP_CLEANUP on driver unload.

If you fail to do that, then ETW still thinks your driver is loaded; when you enable/disable the provider, ETW will call the driver's callback function (automatically added by the WPP code).


Doron Holan wrote:

Are you calling WPP_CLEANUP in your driver’s Unload routine?

DOH!!! That was it!

The reason I wasn’t calling it was because I misread this…

// Cleanup tracing here because DriverContextCleanup will not be called
// as we have failed to create WDFDRIVER object itself.
// Please note that if your return failure from DriverEntry after the
// WDFDRIVER object is created successfully, you don’t have to
// call WPP cleanup because in those cases DriverContextCleanup
// will be executed when the framework deletes the DriverObject.

…thinking that I didn’t have to explicitly call WPP cleanup… only my
problem was I didn’t have a DriverContextCleanup callback registered!!!

Thanks again!
Regards,


Mark McDougall, Engineer
Virtual Logic Pty Ltd, http:
21-25 King St, Rockdale, 2216
Ph: +612-9599-3255 Fax: +612-9599-3266
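
Added example, not part of the original thread and not WDK code: a simplified user-mode C model of the failure the replies describe, where a tracing registration outlives the driver image that made it. The functions are hypothetical stand-ins for WPP_INIT_TRACING and WPP_CLEANUP, and the registration table is an assumption made for the model.

```c
/* Added example: user-mode model, not WDK code. All names are hypothetical. */
#include <stdio.h>

enum { CB_OK = 0, CB_STALE = 1 };        /* CB_STALE stands in for bugcheck 0x50 */
typedef struct { int loaded; int tracing; } DriverImage;      /* one driver load */
typedef struct { DriverImage *owner; int in_use; } Registration;
static Registration g_table[8];          /* model of the tracing registrations */

/* Stand-in for WPP_INIT_TRACING: register a control callback for this image. */
static void wpp_init_tracing(DriverImage *img) {
    for (int i = 0; i < 8; i++)
        if (!g_table[i].in_use) { g_table[i].owner = img; g_table[i].in_use = 1; return; }
}
/* Stand-in for WPP_CLEANUP: remove every registration owned by this image. */
static void wpp_cleanup(DriverImage *img) {
    for (int i = 0; i < 8; i++)
        if (g_table[i].in_use && g_table[i].owner == img) g_table[i].in_use = 0;
}
static void driver_load(DriverImage *img) { img->loaded = 1; img->tracing = 0; wpp_init_tracing(img); }
/* cleanup_registered = 1 models a cleanup callback on the driver object that
   calls WPP_CLEANUP; 0 models the situation described in the thread. */
static void driver_unload(DriverImage *img, int cleanup_registered) {
    if (cleanup_registered) wpp_cleanup(img);
    img->loaded = 0;                     /* the image is no longer mapped */
}
/* Trace controller enables the provider: each registration gets a callback.
   A callback into an unloaded image is reported instead of executed. */
static int enable_provider(int enable) {
    int result = CB_OK;
    for (int i = 0; i < 8; i++) {
        if (!g_table[i].in_use) continue;
        if (!g_table[i].owner->loaded) { result = CB_STALE; continue; }
        g_table[i].owner->tracing = enable;
    }
    return result;
}
/* Load, unload, load again, then enable tracing on the running driver. */
int run_scenario(int cleanup_registered) {
    static DriverImage first, second;
    for (int i = 0; i < 8; i++) g_table[i].in_use = 0;
    driver_load(&first);
    driver_unload(&first, cleanup_registered);
    driver_load(&second);
    return enable_provider(1);
}
int main(void) {
    printf("without cleanup: %d\n", run_scenario(0));
    printf("with cleanup:    %d\n", run_scenario(1));
    return 0;
}
```

In the model the second load is healthy, yet enabling tracing still reaches the registration left behind by the first load, which is why the fault only shows up once a trace controller touches the provider.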