Fatal Error

Hello All,
I am developing a TDI filter driver for Windows that depends on
ipfilterdriver of Windows NT.

I am queueing packets in a queue and marking them pending for future use.

Here I am returning STATUS_PENDING from dispatch function.

It is working sometimes but crashing the system …

The error and bugcheck analysis is this. Please help me. What could be the
problem and how to resolve it?

Thanks,
M V Ramana

Error Analysis is here

*** Fatal System Error: 0x000000d1
(0x00000000,0x00000002,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading unloaded module list

Loading User Symbols

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {0, 2, 0, 0}

Probably caused by : ntoskrnl.exe ( nt!KiTrap0E+27c )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80456488 cc int 3
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:

OVERLAPPED_MODULE: s3gnb

READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from c2072a02 to 00000000

STACK_TEXT:
ee01fdf8 c2072a02 c9226a4c 00000000 804321a8 0x0
WARNING: Frame IP not in any known module. Following frames may be wrong.
00010246 003d0054 0043002e 004d004f 002e003b 0xc2072a02
c9a3abf2 00000000 00000000 00000000 00000000 0x3d0054

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

FOLLOWUP_IP:
nt!KiTrap0E+27c
80468b6f f7457000000200 test dword ptr [ebp+0x70],0x20000

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiTrap0E+27c

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3ee6c002

STACK_COMMAND: .trap ffffffffee01fd88 ; kb

FAILURE_BUCKET_ID: 0xD1_CODE_AV_BAD_IP_nt!KiTrap0E+27c

BUCKET_ID: 0xD1_CODE_AV_BAD_IP_nt!KiTrap0E+27c

Followup: MachineOwner



(1) You are trying to read from location 0. You can never do that.
(2) Do you have your symbols loaded for your driver? It should show
you the bad reference.

Sincerely;
Mike Jones


“Mr. venkat” wrote in message news:xxxxx@ntdev…
> Hello All,
> I am developing a TDI filter driver for Windows that depends on
> ipfilterdriver of Windows NT.
>
> I am queueing packets in a queue and marking them pending for future use.
>
> Here I am returning STATUS_PENDING from dispatch function.
>
> It is working sometimes but crashing the system …
>
> The error and bugcheck analysis is this. Please help me. What could be
> the problem and how to resolve it?
>
> Thanks,
> M V Ramana
>
Unfortunately, it looks like your driver has totally hosed memory. It is so
bad that the bugcheck analysis isn’t helpful - at least not to me.

This is certainly a bad pointer somewhere. Since there is so little
information in the bugcheck analysis I would suspect a bad callback function
pointer somewhere at the very least.

If possible, simplify your filter to the point that it does nothing (just
passthru). Then add code that does more complex things in small steps. As
you add each new increment of code walk through it using a debugger to make
sure that it is behaving as you intended.

Pay careful attention to IRQL restrictions. Add ASSERTs at each of your
function entry points to verify that you are being called at the correct
IRQL. For example:

ASSERT( KeGetCurrentIrql() == DISPATCH_LEVEL );

This will ASSERT if you are not at DISPATCH_LEVEL.

Place similar asserts before each system function that you call. The
documentation for each system function identifies the permitted IRQL.

You may end up with a lot of ASSERTs in your code, but if they catch one bug
for you it is worth it.

Check all error return indications carefully.

If possible, run your driver through PreFast to see if it identifies any
problems. PreFast is a tool that is provided in the XP and higher DDKs. You
can use PreFast from these later DDKs even if your target is Windows 2000.
Just select the Windows 2000 Build Environment. Read the DDK docs about
PreFast.

Finally, there is a good chance that you just don’t understand TDI well
enough to write a TDI filter. It is difficult and some (e.g., Maxim) would
say impossible. I would certainly agree with Max that you should use a TDI
Filter ONLY if you have no other choice. You really need to write a lot of
TDI Clients before you attempt to write a TDI Filter…

Finally, TDI Filters will be replaced with the Windows Filtering Platform
(WFP) in LongHorn. WFP is a filtering API that is designed primarily to
support the MS LH Firewall, but its API will be exposed for others to use.
WFP is certainly better than TDI, but

Good luck,

Thomas F. Divine, Windows DDK MVP

This looks to me like a call through a null function pointer.

Note that the faulting IP is 0.

- Dan.

At 10:39 AM 7/14/2005 -0400, you wrote:

(1) You are trying to read from location 0. You can never do that.
(2) Do you have your symbols loaded for your driver? It should show
you the bad reference.

Sincerely;
Mike Jones


Thanks for your information…

Actually my driver is working most of the time but crashing
rarely…
It is crashing sometimes even when not referencing the zero address. Sometimes
the zero address, of course…

I think that the main reason would be not maintaining IRQL at the correct
level…
Correct me if I am wrong…

Can anybody give me a reference to know what IRQLs are to be maintained and
when (for TDI), in detail?
That will help me more…

Thanks,
M V Ramana

From: “Thomas F. Divine”
>Reply-To: “Windows System Software Devs Interest List”
>
>To: “Windows System Software Devs Interest List”
>Subject: Re:[ntdev] Fatal Error
>Date: Thu, 14 Jul 2005 10:58:36 -0400

The code called a NULL pointer.
Try to do a !thread to get the kernel stack and do a raw stack dump, or you
may start from the trap frame. You need to manually walk the stack.

Calvin Guan (Windows DDK MVP)
Staff SW Engineer NetXtreme MINIPORT
Broadcom Corp. Irvine, CA
www.broadcom.com

----- Original Message -----
From: “Mr. venkat”
To: “Windows System Software Devs Interest List”
Sent: Thursday, July 14, 2005 7:16 AM
Subject: [ntdev] Fatal Error

> Hello All,
> I am developing a TDI filter driver for Windows that depends on
> ipfilterdriver of Windows NT.
>
> I am queueing packets in a queue and marking them pending for future use.
>
> Here I am returning STATUS_PENDING from dispatch function.
>
> It is working sometimes but crashing the system …
>
> The error and bugcheck analysis is this. Please help me. What could be
> the problem and how to resolve it?
>
> Thanks,
> M V Ramana
>
>
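
The diagnosis given in the replies above (a faulting IP of 0 points to a call through a NULL function pointer) can be read straight from the four bugcheck arguments. The following triage helper is an added example, not code from any poster in this thread; the second sample dump and the 0x1000 NULL-page threshold are assumptions of the example.

```python
import re

# Lines copied from the `!analyze -v` output in the original post.
POSTED = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory
LAST_CONTROL_TRANSFER: from c2072a02 to 00000000
"""

# Constructed contrast case (not from the thread): valid code reading
# through a near-NULL data pointer at DISPATCH_LEVEL.
CONSTRUCTED = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 00000008, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f7a41234, address which referenced memory
"""

CODE_RE = re.compile(r"^\w+ \(([0-9a-fA-F]+)\)\s*$", re.M)
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F]+)", re.M)
XFER_RE = re.compile(
    r"^LAST_CONTROL_TRANSFER:\s*from\s+([0-9a-fA-F]+)\s+to\s+([0-9a-fA-F]+)", re.M)
NULL_PAGE = 0x1000  # assumption: addresses below this are NULL-derived


def triage_d1(text):
    """Classify a bugcheck 0xD1 from its four arguments."""
    code = CODE_RE.search(text)
    if not code or int(code.group(1), 16) != 0xD1:
        raise ValueError("not a DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) analysis")
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected Arg1..Arg4")
    referenced, irql, is_write, faulting_ip = (args[i] for i in (1, 2, 3, 4))
    xfer = XFER_RE.search(text)
    # When the referenced address equals the faulting instruction address,
    # the CPU faulted fetching the instruction: control was transferred to
    # a bad address (function pointer or return address), not a data access.
    bad_ip = referenced == faulting_ip
    return {
        "kind": "bad_instruction_pointer" if bad_ip else "bad_data_access",
        "null": referenced < NULL_PAGE,
        "irql": irql,
        "access": "write" if is_write else "read",
        # Caller is only reported when the transfer landed on the fault.
        "caller": (int(xfer.group(1), 16)
                   if xfer and int(xfer.group(2), 16) == faulting_ip else None),
    }


if __name__ == "__main__":
    for name, dump in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, triage_d1(dump))
```

For the posted dump the `caller` field is the `from` address of LAST_CONTROL_TRANSFER, which is the starting point for the manual stack walk suggested above.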