Hi,
I have a filter driver. Sometimes it crashes during shutdown with BugCheck 0x24 (NTFS_FILE_SYSTEM). The memory dump file is as follows:
kd> !analyze -v
*******************************************************
*
* Bugcheck Analysis
*
*******************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr on the 3rd parameter and then kb to obtain a more informative stack trace.
Arguments:
Arg1: 001902fe
Arg2: b630d634
Arg3: b630d330
Arg4: b57070cb

Debugging Details:

EXCEPTION_RECORD: b630d634 -- (.exr ffffffffb630d634)
ExceptionAddress: b57070cb (FSfilter!DirectoryControlCompletionHandler+0x00000719)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000020
Attempt to read from address 00000020

CONTEXT: b630d330 -- (.cxr ffffffffb630d330)
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=89bb0e00 edi=89bb0fb7
eip=b57070cb esp=b630d6fc ebp=b630d78c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
FSfilter!DirectoryControlCompletionHandler+0x719:
b57070cb 8a5120 mov dl,[ecx+0x20] ds:0023:00000020=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 804e3d38 to b57070cb

STACK_TEXT:
b630d78c 804e3d38 89b2c420 89bb0e00 8a5faa50 FSfilter!DirectoryControlCompletionHandler+0x719
b630d7bc 8058d234 e1a6ccb8 e1a6ccd8 00000018 nt!IopfCompleteRequest+0xa2
b630d7ec 8058d284 89bb0e00 e1a6ccb8 00000018 nt!FsRtlNotifyCompleteIrp+0x124
b630d814 80578a12 e1a6ccb8 00000000 e1b0c008 nt!FsRtlNotifyCompleteIrpList+0x3c
b630d89c f7b7d399 8a6fe2a8 8a676400 e1b0c230 nt!FsRtlNotifyFilterReportChange+0x59a
b630dac8 f7b77d83 b630dae4 89b8c840 8a6c99d0 Ntfs!NtfsCommonCleanup+0x2271
b630dc40 804e37f7 8a676020 89b8c840 8a6f9980 Ntfs!NtfsFsdCleanup+0xcf
b630dc50 f7475bbf 89b49618 89b8c850 b630dca4 nt!IopfCallDriver+0x31
b630dc60 804e37f7 8a6c9918 89b8c840 89b8c840 sr!SrCleanup+0xb3
b630dc70 8056a8e8 89b49600 8a762040 00000001 nt!IopfCallDriver+0x31
b630dca4 80566901 89e836e8 8a6c9918 0012019f nt!IopCloseFile+0x27c
b630dcd4 80566aab 89e836e8 89b49618 8a762040 nt!ObpDecrementHandleCount+0x119
b630dcfc 80566b1c e1fa43d8 89b49618 000004e0 nt!ObpCloseHandleTableEntry+0x14d
b630dd44 80566b66 000004e0 00000001 00000000 nt!ObpCloseHandle+0x87
b630dd58 804de7ec 000004e0 0104fef0 7c90eb94 nt!NtClose+0x1d
b630dd58 7c90eb94 000004e0 0104fef0 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0104fee0 00000000 00000000 00000000 00000000 0x7c90eb94

FOLLOWUP_IP:
FSfilter!DirectoryControlCompletionHandler+719
b57070cb 8a5120 mov dl,[ecx+0x20]

SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: FSfilter!DirectoryControlCompletionHandler+719
MODULE_NAME: FSfilter
IMAGE_NAME: FSfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 427a59d2
STACK_COMMAND: .cxr ffffffffb630d330 ; kb
BUCKET_ID: 0x24_FSfilter!DirectoryControlCompletionHandler+719
Followup: MachineOwner

kd> .cxr ffffffffb630d330
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=89bb0e00 edi=89bb0fb7
eip=b57070cb esp=b630d6fc ebp=b630d78c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
FSfilter!DirectoryControlCompletionHandler+0x719:
b57070cb 8a5120 mov dl,[ecx+0x20] ds:0023:00000020=??

kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b630d78c 804e3d38 89b2c420 89bb0e00 8a5faa50 FSfilter!DirectoryControlCompletionHandler+0x719
b630d7bc 8058d234 e1a6ccb8 e1a6ccd8 00000018 nt!IopfCompleteRequest+0xa2
b630d7ec 8058d284 89bb0e00 e1a6ccb8 00000018 nt!FsRtlNotifyCompleteIrp+0x124
b630d814 80578a12 e1a6ccb8 00000000 e1b0c008 nt!FsRtlNotifyCompleteIrpList+0x3c
b630d89c f7b7d399 8a6fe2a8 8a676400 e1b0c230 nt!FsRtlNotifyFilterReportChange+0x59a
b630dac8 f7b77d83 b630dae4 89b8c840 8a6c99d0 Ntfs!NtfsCommonCleanup+0x2271
b630dc40 804e37f7 8a676020 89b8c840 8a6f9980 Ntfs!NtfsFsdCleanup+0xcf
b630dc50 f7475bbf 89b49618 89b8c850 b630dca4 nt!IopfCallDriver+0x31
b630dc60 804e37f7 8a6c9918 89b8c840 89b8c840 sr!SrCleanup+0xb3
b630dc70 8056a8e8 89b49600 8a762040 00000001 nt!IopfCallDriver+0x31
b630dca4 80566901 89e836e8 8a6c9918 0012019f nt!IopCloseFile+0x27c
b630dcd4 80566aab 89e836e8 89b49618 8a762040 nt!ObpDecrementHandleCount+0x119
b630dcfc 80566b1c e1fa43d8 89b49618 000004e0 nt!ObpCloseHandleTableEntry+0x14d
b630dd44 80566b66 000004e0 00000001 00000000 nt!ObpCloseHandle+0x87
b630dd58 804de7ec 000004e0 0104fef0 7c90eb94 nt!NtClose+0x1d
b630dd58 7c90eb94 000004e0 0104fef0 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0104fee0 00000000 00000000 00000000 00000000 0x7c90eb94
In FSfilter, when DirectoryControlCompletionHandler() was called, the IO_STACK_LOCATION was valid: MajorFunction = 0xC (IRP_MJ_DIRECTORY_CONTROL), MinorFunction = 0x2 (IRP_MN_NOTIFY_CHANGE_DIRECTORY). The DeviceObject in the IO_STACK_LOCATION was valid too, but the DeviceExtension and DriverObject in this DeviceObject were invalid. So when DirectoryControlCompletionHandler() tried to access the DeviceExtension, the system crashed.
My questions are:
Why does the system report BugCheck 0x24 and not some other memory access error?
What causes the DeviceObject in the IO_STACK_LOCATION to be valid while the DeviceExtension and DriverObject are invalid?
Any advice would be appreciated.
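An added user-mode C model of the lifetime problem the post describes; it is not kernel code and not the poster's driver. DEVICE_OBJECT, the device extension, the IRP and IoDeleteDevice are replaced by constructed stand-ins, and the reference count on the extension is an assumed hardening, shown beside the pattern that faults once the extension is gone before a pended notify IRP completes.

```c
#include <stdlib.h>

/* Constructed stand-ins for the device object, its extension and an IRP. */
typedef struct DevExt { long refs; int changes_seen; } DevExt;
typedef struct DevObj { DevExt *ext; } DevObj;  /* ext is NULLed at teardown */
typedef struct Irp { void *context; } Irp;       /* completion-routine context */

/* Drops one reference; returns 1 when that was the last one and ext was freed. */
static int release_ext(DevExt *ext) {
    if (--ext->refs == 0) { free(ext); return 1; }
    return 0;
}
/* Vulnerable pattern: the completion routine re-reads the extension through the
 * device object it is handed. After teardown that pointer is gone, which is the
 * mov dl,[ecx+0x20] with ecx=0 in the dump; -1 stands for the access violation. */
static void pend_vulnerable(DevObj *dev, Irp *irp) { (void)dev; irp->context = NULL; }
static int complete_vulnerable(DevObj *dev, Irp *irp) {
    (void)irp;
    if (dev->ext == NULL) return -1;
    return ++dev->ext->changes_seen;
}
/* Hardened pattern (assumed): reference the extension when the notify IRP is
 * pended and carry it in the context, so teardown cannot free it under the handler. */
static void pend_hardened(DevObj *dev, Irp *irp) { dev->ext->refs++; irp->context = dev->ext; }
static int complete_hardened(DevObj *dev, Irp *irp) {
    DevExt *ext = (DevExt *)irp->context;  /* dev itself is deliberately unused */
    int seen = ++ext->changes_seen;
    (void)dev;
    release_ext(ext);                      /* frees now if teardown already ran */
    return seen;
}
/* Models IoDeleteDevice + unload: forget the extension and drop the device's own
 * reference; the memory survives only while pended IRPs still hold one. */
static int teardown(DevObj *dev) {
    DevExt *ext = dev->ext;
    dev->ext = NULL;
    return release_ext(ext);
}
/* Pend a notify IRP, tear the device down, then complete the IRP (the order the
 * cleanup path in the dump produces). Returns -1 for a fault, else the count. */
static int scenario(int hardened) {
    DevObj *dev = malloc(sizeof *dev);
    Irp irp; int rc;
    dev->ext = calloc(1, sizeof *dev->ext); dev->ext->refs = 1;
    if (hardened) pend_hardened(dev, &irp); else pend_vulnerable(dev, &irp);
    teardown(dev);
    rc = hardened ? complete_hardened(dev, &irp) : complete_vulnerable(dev, &irp);
    free(dev);
    return rc;
}
```

scenario(0) reproduces the fault path (the handler finds no extension) while scenario(1) completes normally because the pended IRP kept the extension alive.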