I suggest you learn how to use the debugging tools.
Even SoftIce (which you should abandon in favor of WinDbg) allows you to
load symbols at a specified address. I have not used it in years and don’t
remember how to do it, however.
As for the other information below (Phase 2), sorry. This is a bit of a
mess. Go study the samples in the DDK. Go read the DDK documentation on
usage of SpinLocks, DPCs, etc. Get a good book on NT Kernel Development.
Good Luck,
-dave
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gray
Sent: Saturday, March 29, 2008 10:06 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] help! BSOD with DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Thanks very much to David Cattley, first of all!
I have tried making some changes to improve my driver program.
Phase 1: My driver’s data structure for the device extension includes a doubly-linked list, a spin lock (to synchronize the list), an event, a handle, and other fundamental C types (such as LONG, BOOLEAN, etc.).
I initialize the list, event and spin lock in the “DriverEntry” routine, but the DDK documentation and MSDN don’t tell me how to release them. So we don’t need to release them, right? To access the doubly-linked list synchronously, I call “KeAcquireSpinLock”, then do the work, then call “KeReleaseSpinLock” immediately. Even in the “Unload” routine I use the spin lock too. I found it easy to get a BSOD when I test it by loading and unloading the driver frequently.
Phase 2: I don’t use the spin lock to synchronize the list, but DPCs. When I need to synchronize the list, I raise the IRQL to DISPATCH_LEVEL, then assign DPCs to the other CPUs, then access the doubly-linked list, and then lower the IRQL to its original value. After this adjustment, BSODs happen less often too.
So it puzzles me: why does the spin lock BSOD more easily?
My DPCs have been released before unloading the driver, and I don’t use timers or threads, only the event.
I release the doubly-linked list in the “Unload” routine; the DDK documentation doesn’t tell me how to release the event, so I don’t release it (maybe it doesn’t need releasing :)).
At last, I delete the symbolic link and the device, then reach the end of the “Unload” routine.
I don’t ‘publish’ any other callbacks to other system entities either.
When I debug my driver with SoftICE, all routines work well, even running to the last line of the “Unload” routine.
The error code of the BSOD is DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS; what do I need to release now?
Thanks.
“David R. Cattley” ???:xxxxx@ntdev…
> Do you by chance have any DPCs, Timers, or Work Items in your driver design?
> Have these been properly drained before unloading the driver?
>
> Does your driver ‘publish’ any other callbacks to other system entities that it is failing to revoke?
>
> To find what entry-point your driver is being called at, simply reload the symbols for your driver at the ‘unloaded’ address. In Windbg this command is
>
> .reload /unl
>
> Good Luck,
> Dave Cattley
> Consulting Engineer
> Systems Software Development
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Gray
> Sent: Saturday, March 29, 2008 4:24 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] help! BSOD with DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
>
> Dear all:
> I’m writing a virtual device driver (an NT legacy driver) which runs on Windows XP SP2. It works well during its working lifecycle (loading the driver, working, until unloading it), but after unloading it, sometimes a BSOD occurs with code 0xCE, namely DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS.
> I wonder what operations happen after unloading the driver; it seems that the driver runs at an invalid address (CS:EIP points to 0xFFFF) just after leaving the “Unload” routine scope, and the BSOD doesn’t happen every time.
> So, how do I cancel the pending operations? I have set a counter in every IRP; in fact, I deal with the routines associated with IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL as below:
>
> /* Pseudocode routine framework */
>
> NTSTATUS XxxDispatchRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
> {
>     NTSTATUS status = STATUS_SUCCESS;
>     // pDevExtension points to the device extension (PDEVICE_EXTENSION is the driver's own type)
>     PDEVICE_EXTENSION pDevExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
>
>     // 1. Increasing IRP count (plain ++, not an interlocked increment)
>     pDevExtension->nIrpCount++;
>
>     // 2. Dealing with IRP and finishing it.
>     … // some code
>     IoCompleteRequest(Irp, IO_NO_INCREMENT); // finishing IRP
>
>     // 3. Decreasing IRP count (plain --, not an interlocked decrement)
>     pDevExtension->nIrpCount--;
>
>     return status; // e.g. return STATUS_SUCCESS;
> }
>
> In the “Unload” routine, I wait for the IRP count to decrease to zero, then continue.
> I am puzzled how to solve it.
>
> The following is the WinDbg analysis, and “Procon.sys” is my driver’s name.
>
> kd> !analyze -v
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
> A driver unloaded without cancelling timers, DPCs, worker threads, etc.
> The broken driver’s name is displayed on the screen.
> Arguments:
> Arg1: f887479e, memory referenced
> Arg2: 00000000, value 0 = read operation, 1 = write operation
> Arg3: f887479e, If non-zero, the instruction address which referenced the bad memory address.
> Arg4: 00000000, Mm internal code.
>
> Debugging Details:
> ------------------
>
>
> READ_ADDRESS: f887479e
>
> FAULTING_IP:
> Procon+579e
> f887479e ?? ???
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xCE
>
> PROCESS_NAME: vmware-authd.ex
>
> TRAP_FRAME: b90e1c74 -- (.trap 0xffffffffb90e1c74)
> ErrCode = 00000000
> eax=00000000 ebx=f88727b4 ecx=00000000 edx=80010031 esi=00e8f72c edi=b90e1d64
> eip=f887479e esp=b90e1ce8 ebp=b90e1ce8 iopl=0 nv up ei pl zr na pe nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
> <unloaded_procon.sys>+0x579e:
> f887479e ?? ???
> Resetting default scope
>
> IP_MODULE_UNLOADED:
> Procon+579e
> f887479e ?? ???
>
> LAST_CONTROL_TRANSFER: from 80524fa0 to 8053454e
>
> FAILED_INSTRUCTION_ADDRESS:
> Procon+579e
> f887479e ?? ???
>
> STACK_TEXT:
> b90e1c10 80524fa0 00000050 f887479e 00000000 nt!KeBugCheckEx+0x1b
> b90e1c5c 804e2718 00000000 f887479e 00000000 nt!MmAccessFault+0x6f5
> b90e1c5c f887479e 00000000 f887479e 00000000 nt!KiTrap0E+0xcc
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> b90e1ce4 b90e1d4c f8872ae8 81c4db18 f8872add <unloaded_procon.sys>+0x579e
> b90e1d4c 804df7ec 00000005 01290048 00010000 0xb90e1d4c
> b90e1d4c 0000003b 00000005 01290048 00010000 nt!KiFastCallEntry+0xf8
> 00000001 00000000 00000000 00000000 00000000 0x3b
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> Procon+579e
> f887479e ?? ???
>
> SYMBOL_STACK_INDEX: 3
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: Procon+579e
>
> MODULE_NAME: Procon
>
> IMAGE_NAME: Procon.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 0
>
> FAILURE_BUCKET_ID: 0xCE_VRF_BAD_IP_Procon+579e
>
> BUCKET_ID: 0xCE_VRF_BAD_IP_Procon+579e
>
> Followup: MachineOwner
> ---------
>
>
> Thanks for your help!
> Best regards,
> Gray
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
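Triage of the `!analyze -v` output quoted in Gray's original message, as an added example that is not code from the thread: it reads the bugcheck arguments and the `<unloaded_...>` stack frame, checks that Arg1 equals Arg3 (the faulting read is the instruction fetch itself), and recovers the image base the driver had before unload so symbols can be reloaded there, as Dave's replies suggest. The dump excerpt and the function name `triage_0xce` are constructed for this example.

```python
import re

# Constructed excerpt of the "!analyze -v" output quoted in the thread;
# only the lines the triage actually reads are reproduced here.
SAMPLE_DUMP = """\
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
Arguments:
Arg1: f887479e, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: f887479e, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, Mm internal code.
STACK_TEXT:
b90e1c10 80524fa0 00000050 f887479e 00000000 nt!KeBugCheckEx+0x1b
b90e1c5c 804e2718 00000000 f887479e 00000000 nt!MmAccessFault+0x6f5
b90e1c5c f887479e 00000000 f887479e 00000000 nt!KiTrap0E+0xcc
b90e1ce4 b90e1d4c f8872ae8 81c4db18 f8872add <unloaded_procon.sys>+0x579e
b90e1d4c 804df7ec 00000005 01290048 00010000 0xb90e1d4c
"""

ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]{8}),", re.M)
UNLOADED_RE = re.compile(r"<unloaded_([^>]+)>\+0x([0-9a-fA-F]+)")


def triage_0xce(dump):
    """Extract what a 0xCE report tells you, or None if this is not one."""
    if "(ce)" not in dump:
        return None
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(dump)}
    frame = UNLOADED_RE.search(dump)
    if frame is None or len(args) < 4:
        return None
    module, offset = frame.group(1), int(frame.group(2), 16)
    ip = args[3] if args[3] else args[1]
    return {
        "module": module,
        "offset": offset,
        # The frame reports IP as base+offset, so the base the image had
        # before it was unloaded is recoverable: reload symbols there.
        "image_base": ip - offset,
        "access": "write" if args[2] == 1 else "read",
        # Arg1 == Arg3 means the "memory referenced" is the instruction
        # pointer itself: the CPU is fetching code from the unloaded image,
        # i.e. something still calls into the driver after DriverUnload.
        "instruction_fetch": args[1] == args[3],
        "windbg": ".reload /unl",  # the command Dave gives in his reply
    }


if __name__ == "__main__":
    print(triage_0xce(SAMPLE_DUMP))
```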