FS filter crashed during shutdown

Hi,
I have a filter driver. Sometimes it crashes during
shutdown with BugCheck 0x24 (NTFS_FILE_SYSTEM). The
memory dump file is as follows:

kd> !analyze -v
*******************************************************
*
* Bugcheck Analysis
*
*******************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: b630d634
Arg3: b630d330
Arg4: b57070cb

Debugging Details:

EXCEPTION_RECORD: b630d634 -- (.exr ffffffffb630d634)
ExceptionAddress: b57070cb (FSfilter!DirectoryControlCompletionHandler+0x00000719)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000020
Attempt to read from address 00000020

CONTEXT: b630d330 -- (.cxr ffffffffb630d330)
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=89bb0e00 edi=89bb0fb7
eip=b57070cb esp=b630d6fc ebp=b630d78c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
FSfilter!DirectoryControlCompletionHandler+0x719:
b57070cb 8a5120 mov dl,[ecx+0x20] ds:0023:00000020=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from 804e3d38 to b57070cb

STACK_TEXT:
b630d78c 804e3d38 89b2c420 89bb0e00 8a5faa50 FSfilter!DirectoryControlCompletionHandler+0x719
b630d7bc 8058d234 e1a6ccb8 e1a6ccd8 00000018 nt!IopfCompleteRequest+0xa2
b630d7ec 8058d284 89bb0e00 e1a6ccb8 00000018 nt!FsRtlNotifyCompleteIrp+0x124
b630d814 80578a12 e1a6ccb8 00000000 e1b0c008 nt!FsRtlNotifyCompleteIrpList+0x3c
b630d89c f7b7d399 8a6fe2a8 8a676400 e1b0c230 nt!FsRtlNotifyFilterReportChange+0x59a
b630dac8 f7b77d83 b630dae4 89b8c840 8a6c99d0 Ntfs!NtfsCommonCleanup+0x2271
b630dc40 804e37f7 8a676020 89b8c840 8a6f9980 Ntfs!NtfsFsdCleanup+0xcf
b630dc50 f7475bbf 89b49618 89b8c850 b630dca4 nt!IopfCallDriver+0x31
b630dc60 804e37f7 8a6c9918 89b8c840 89b8c840 sr!SrCleanup+0xb3
b630dc70 8056a8e8 89b49600 8a762040 00000001 nt!IopfCallDriver+0x31
b630dca4 80566901 89e836e8 8a6c9918 0012019f nt!IopCloseFile+0x27c
b630dcd4 80566aab 89e836e8 89b49618 8a762040 nt!ObpDecrementHandleCount+0x119
b630dcfc 80566b1c e1fa43d8 89b49618 000004e0 nt!ObpCloseHandleTableEntry+0x14d
b630dd44 80566b66 000004e0 00000001 00000000 nt!ObpCloseHandle+0x87
b630dd58 804de7ec 000004e0 0104fef0 7c90eb94 nt!NtClose+0x1d
b630dd58 7c90eb94 000004e0 0104fef0 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0104fee0 00000000 00000000 00000000 00000000 0x7c90eb94

FOLLOWUP_IP:
FSfilter!DirectoryControlCompletionHandler+719
b57070cb 8a5120 mov dl,[ecx+0x20]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: FSfilter!DirectoryControlCompletionHandler+719

MODULE_NAME: FSfilter

IMAGE_NAME: FSfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 427a59d2

STACK_COMMAND: .cxr ffffffffb630d330 ; kb

BUCKET_ID: 0x24_FSfilter!DirectoryControlCompletionHandler+719

Followup: MachineOwner

kd> .cxr ffffffffb630d330
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=89bb0e00 edi=89bb0fb7
eip=b57070cb esp=b630d6fc ebp=b630d78c iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
FSfilter!DirectoryControlCompletionHandler+0x719:
b57070cb 8a5120 mov dl,[ecx+0x20] ds:0023:00000020=??
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b630d78c 804e3d38 89b2c420 89bb0e00 8a5faa50 FSfilter!DirectoryControlCompletionHandler+0x719
b630d7bc 8058d234 e1a6ccb8 e1a6ccd8 00000018 nt!IopfCompleteRequest+0xa2
b630d7ec 8058d284 89bb0e00 e1a6ccb8 00000018 nt!FsRtlNotifyCompleteIrp+0x124
b630d814 80578a12 e1a6ccb8 00000000 e1b0c008 nt!FsRtlNotifyCompleteIrpList+0x3c
b630d89c f7b7d399 8a6fe2a8 8a676400 e1b0c230 nt!FsRtlNotifyFilterReportChange+0x59a
b630dac8 f7b77d83 b630dae4 89b8c840 8a6c99d0 Ntfs!NtfsCommonCleanup+0x2271
b630dc40 804e37f7 8a676020 89b8c840 8a6f9980 Ntfs!NtfsFsdCleanup+0xcf
b630dc50 f7475bbf 89b49618 89b8c850 b630dca4 nt!IopfCallDriver+0x31
b630dc60 804e37f7 8a6c9918 89b8c840 89b8c840 sr!SrCleanup+0xb3
b630dc70 8056a8e8 89b49600 8a762040 00000001 nt!IopfCallDriver+0x31
b630dca4 80566901 89e836e8 8a6c9918 0012019f nt!IopCloseFile+0x27c
b630dcd4 80566aab 89e836e8 89b49618 8a762040 nt!ObpDecrementHandleCount+0x119
b630dcfc 80566b1c e1fa43d8 89b49618 000004e0 nt!ObpCloseHandleTableEntry+0x14d
b630dd44 80566b66 000004e0 00000001 00000000 nt!ObpCloseHandle+0x87
b630dd58 804de7ec 000004e0 0104fef0 7c90eb94 nt!NtClose+0x1d
b630dd58 7c90eb94 000004e0 0104fef0 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0104fee0 00000000 00000000 00000000 00000000 0x7c90eb94

In FSfilter, when DirectoryControlCompletionHandler() was called,
the IO_STACK_LOCATION was valid: MajorFunction =
0xC (IRP_MJ_DIRECTORY_CONTROL), MinorFunction =
0x2 (IRP_MN_NOTIFY_CHANGE_DIRECTORY). The DeviceObject in the
IO_STACK_LOCATION was valid too, but the DeviceExtension
and DriverObject in this DeviceObject were invalid. So
when DirectoryControlCompletionHandler() tried to
access the DeviceExtension, the system crashed.

My questions are:
Why does the system report BugCheck 0x24 and not some other memory
access error?
What causes the DeviceObject in the IO_STACK_LOCATION to be valid
while the DeviceExtension and DriverObject are invalid?
Any advice would be appreciated.
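
A small triage helper for the dump above, added here as an illustration and not part of the original post: it recomputes the faulting address from the register context and the instruction's memory operand, then checks it against the exception record and bugcheck arguments. The function names and the 64 KB NULL-region threshold are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the dump above, with the mail
# line-wrapping kept to show that the parser tolerates it.
SAMPLE_DUMP = """\
NTFS_FILE_SYSTEM (24)
Arguments:
Arg1: 001902fe
Arg2: b630d634
Arg3: b630d330
Arg4: b57070cb
ExceptionAddress: b57070cb
(FSfilter!DirectoryControlCompletionHandler+0x00000719)
ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000020
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000
esi=89bb0e00 edi=89bb0fb7
eip=b57070cb esp=b630d6fc ebp=b630d78c iopl=0
b57070cb 8a5120 mov dl,[ecx+0x20]
ds:0023:00000020=??
"""

# Heuristic (assumption of this example): a base pointer below 64 KB is
# treated as NULL plus a structure-field offset, not as a wild pointer.
NULL_REGION_LIMIT = 0x10000

# First exception parameter of an access violation: 0 = read, 1 = write, 8 = execute.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}


def parse_dump(text):
    """Extract bugcheck arguments, exception record fields and x86 registers."""
    regs = {r: int(v, 16) for r, v in
            re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    args = {int(n): int(v, 16) for n, v in
            re.findall(r"Arg(\d):\s*([0-9a-f]{8})", text)}
    params = {int(n): int(v, 16) for n, v in
              re.findall(r"Parameter\[(\d)\]:\s*([0-9a-f]{8})", text)}
    addr = re.search(
        r"ExceptionAddress:\s*([0-9a-f]{8})\s*\((\S+?)\+0x[0-9a-f]+\)", text)
    code = re.search(r"ExceptionCode:\s*([0-9a-f]{8})", text)
    if not (regs and args and params and addr and code):
        raise ValueError("dump lacks registers, arguments or exception record")
    return {"regs": regs, "args": args, "params": params,
            "exception_address": int(addr.group(1), 16),
            "symbol": addr.group(2),
            "exception_code": int(code.group(1), 16)}


def triage(text):
    """Recompute the faulting address and classify the base pointer."""
    d = parse_dump(text)
    regs, params = d["regs"], d["params"]
    eip = regs["eip"]
    # Disassembly line at eip: "<addr> <bytes> <mnemonic> ...[reg+0xNN]".
    insn = re.search(
        rf"\b{eip:08x}\s+[0-9a-f]+\s+(\w+)\s+\S*"
        rf"\[(e[a-z]{{2}})(?:([+-])(?:0x)?([0-9a-f]+)h?)?\]", text)
    if insn is None:
        raise ValueError("no memory operand found at the faulting eip")
    mnemonic, base, sign, disp_hex = insn.groups()
    disp = int(disp_hex, 16) if disp_hex else 0
    if sign == "-":
        disp = -disp
    effective = (regs[base] + disp) & 0xFFFFFFFF
    # The recomputed address must equal Parameter[1]; eip, ExceptionAddress
    # and bugcheck Arg4 must name the same instruction.
    consistent = (effective == params.get(1)
                  and eip == d["exception_address"] == d["args"].get(4))
    return {
        "symbol": d["symbol"],
        "access": ACCESS_KIND.get(params.get(0), "unknown"),
        "instruction": mnemonic,
        "base_register": base,
        "base_value": regs[base],
        "displacement": disp,
        "effective_address": effective,
        "consistent": consistent,
        "null_base": regs[base] < NULL_REGION_LIMIT,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

On this dump the base register ecx is zero and the displacement is 0x20, so the faulting read targets offset 0x20 from a NULL base pointer rather than going through a stale non-zero pointer.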

At 07:16 AM 6/22/2005 -0700, you wrote:

> Why does the system report BugCheck 0x24 and not some other memory
> access error?

Because Ntfs has an exception handler that catches the ACCVIO.

> What causes the DeviceObject in the IO_STACK_LOCATION to be valid
> while the DeviceExtension and DriverObject are invalid?

I’m not sure how you deduce that the DeviceObject is “valid” when it does
not point to a valid driver object.

What does !pool on the device object address show? Is it allocated with
tag “Devi”? What does !devobj output look like?

Do you call IoDeleteDevice ANYWHERE except your FastIoDetach routine? That
would be a very bad thing.

- Dan.

> Any advice would be appreciated.

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@privtek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

To add to Dan’s last sentence – Also, NEVER pass the FastIoDetach call down
the driver stack. Always do your thing and return.

/ted

-----Original Message-----
From: Dan Kyler [mailto:xxxxx@privtek.com]
Sent: Wednesday, June 22, 2005 11:11 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] FS filter crashed during shutdown

> Why does the system report BugCheck 0x24 and not some other memory
> access error?

Because Ntfs has an exception handler that catches the ACCVIO.

> What causes the DeviceObject in the IO_STACK_LOCATION to be valid
> while the DeviceExtension and DriverObject are invalid?

I’m not sure how you deduce that the DeviceObject is “valid” when it does
not point to a valid driver object.

What does !pool on the device object address show? Is it allocated with
tag “Devi”? What does !devobj output look like?

Do you call IoDeleteDevice ANYWHERE except your FastIoDetach routine? That
would be a very bad thing.

- Dan.

I’m sorry for making a wrong statement. The DeviceObject actually
is not valid. Even though it has a valid address, it doesn’t
have the tag “Devi” anymore. So it is not surprising that DeviceExtension and
DriverObject are not valid.
BTW, IoDeleteDevice is called ONLY in the FastIoDetach routine.
I still cannot find why the DeviceObject is corrupted when the completion routine
is called.


What if FastIoDetach is being called as the IRP is making its way back
up the completion routines?

What would prevent this from occurring?

- jb

============================================
jonathan borden
xxxxx@austin.rr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Wu
Sent: Thursday, June 23, 2005 6:11 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] FS filter crashed during shutdown

I’m sorry for making a wrong statement. The DeviceObject actually is not valid.
Even though it has a valid address, it doesn’t have the tag “Devi” anymore. So
it is not surprising that DeviceExtension and DriverObject are not valid.
BTW, IoDeleteDevice is called ONLY in the FastIoDetach routine.
I still cannot find why the DeviceObject is corrupted when the completion routine
is called.
