Help required to analyze the following dump

Hi all,

I see a BSOD when I am freeing some IRP during the closing of an application. Can
somebody help me analyze the following data:

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread’s stack bactrace will reveal the guilty party.
Arguments:
Arg1: afb91ed8, address trying to free
Arg2: afb91fff, address where bits are corrupted
Arg3: e4000124, unique internal Mm pattern
Arg4: 00000024, caller is freeing an address where bytes after the end of the allocation have been overwritten

Details:
Unknown type 401, value 00000024
Probably caused by driver ntoskrnl.exe ( ntoskrnl!_imp__VidSetScrollRegion (ntoskrnl+0x0)+0x0 )
Unknown type 80000004, value 00052e70
Followup : MachineOwner

BUCKET: 0xC1_ntoskrnl!_imp__VidSetScrollRegion (ntoskrnl+0x0)_ntoskrnl.exe
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr
edcfa93c 8042c068 ntoskrnl!MmGetVirtualForPhysical+0x2e
edcfacc4 8053889f ntoskrnl!IopWritePageToDisk+0x5d
edcfad08 80467348 ntoskrnl!IopEnumerateDevice+0x7b3
edcfad34 804672a2 ntoskrnl!MmDeleteProcessAddressSpace+0x1ec
edcfad58 8041fdb0 ntoskrnl!MmDeleteProcessAddressSpace+0x146
edcfad74 edc8c89b ntoskrnl!FsRtlSplitLocks+0x17
edcfad98 8041f54b filter!Fltr_Dispatch+0x2a9
edcfade0 80495b70 ntoskrnl!FsRtlCheckLockForWriteAccess+0x63
edcfadfc 8044c3b3 ntoskrnl!MiFindEmptyAddressRangeInTree+0x16f
edcfae20 8044c64a ntoskrnl!MiInitializeWorkingSetList+0x721
edcfaec4 edce575b ntoskrnl!MiAddWorkingSetPage+0xf0
edcfaed8 80461691 symevent!SYMEvent_GetSubTask+0x78d
edcfaee4 00000064 ntoskrnl!MiFlushRelease+0x67
Cannot find KiProcessorBlock - can not create dump file

The Memory dump looks like :

afb91ecf e4 e4 e4 e4 e4 e4 e4 e4 e4 00 00 24 01 00 00 00 …$…
afb91edf 00 00 00 00 00 00 00 00 00 e8 1e b9 af e8 1e b9 …
afb91eef af 20 01 00 c0 00 00 00 00 00 01 05 06 01 00 00 . …
afb91eff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f2f 00 00 00 00 00 00 00 00 00 fc 1f b9 af 00 00 00 …
afb91f3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f5f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f8f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91f9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
afb91faf 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 …
afb91fbf 00 00 00 00 00 00 00 00 00 d0 fa 41 81 00 00 00 …A…
afb91fcf 00 38 be 7b f0 c8 09 30 84 03 00 00 00 00 00 00 .8.{…0…
afb91fdf 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 32 …pH2
afb91fef 86 00 00 00 00 50 0f c9 ed e0 10 98 ff e4 e4 e4 …P…
afb91fff e5 ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? .???
afb9200f ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ???
afb9201f ??? ??? ??? ???

This is happening every time I am freeing the IRP.

Thanks in advance
srinivasa


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
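To make the numbers in this report concrete, here is an added Python script (written for this edit, not code from the thread or from any of its participants) that parses the `db` rows above and cross-checks them against the four bugcheck arguments. It assumes Arg3 splits into a fill byte (high byte) and a 24-bit requested size, and that special pool places the block at the end of its page; the posted dump bears both out, since 0xafb91ed8 + 0x124 is 0xafb91ffc and the four bytes from there to the page boundary hold the 0xe4 fill except the last one, which is exactly the address Arg2 names.

```python
"""Cross-check a SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (0xC1) bugcheck
against a `db` dump of the block being freed.

Assumptions this script makes (they are not spelled out by the debugger
text in the post):
  * Arg3 splits into <fill byte><24-bit requested size>: 0xE4000124 means
    the page was filled with 0xE4 and the caller requested 0x124 bytes.
  * Special pool puts the block at the end of its page, so the slack between
    the end of the request and the page boundary must still hold the fill.
"""
import re

PAGE_SIZE = 0x1000

# Bugcheck arguments exactly as reported in the post.
ARG1_FREED = 0xAFB91ED8     # address the caller is trying to free
ARG2_CORRUPT = 0xAFB91FFF   # address where the kernel saw the bad bytes
ARG3_PATTERN = 0xE4000124   # "unique internal Mm pattern"
ARG4_SUBCODE = 0x24         # bytes after the end of the allocation overwritten

# `db` rows copied from the post with the ASCII column dropped; "??" marks
# bytes the debugger could not read (the page after afb92000 is not mapped).
DUMP_TEXT = """\
afb91ecf e4 e4 e4 e4 e4 e4 e4 e4 e4 00 00 24 01 00 00 00
afb91edf 00 00 00 00 00 00 00 00 00 e8 1e b9 af e8 1e b9
afb91eef af 20 01 00 c0 00 00 00 00 00 01 05 06 01 00 00
afb91eff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f2f 00 00 00 00 00 00 00 00 00 fc 1f b9 af 00 00 00
afb91f3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f5f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f8f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91f9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
afb91faf 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00
afb91fbf 00 00 00 00 00 00 00 00 00 d0 fa 41 81 00 00 00
afb91fcf 00 38 be 7b f0 c8 09 30 84 03 00 00 00 00 00 00
afb91fdf 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 32
afb91fef 86 00 00 00 00 50 0f c9 ed e0 10 98 ff e4 e4 e4
afb91fff e5 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
"""

_ROW = re.compile(r"^([0-9a-fA-F]{8})((?:\s+(?:[0-9a-fA-F]{2}|\?\?))+)")


def parse_db(text):
    """Turn `db`-style rows into {address: byte value, or None if unreadable}."""
    mem = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            mem[base + i] = None if tok == "??" else int(tok, 16)
    return mem


def decode_arg3(arg3):
    """Split Arg3 into (fill byte, requested size); see the module docstring."""
    return arg3 >> 24, arg3 & 0x00FFFFFF


def slack_range(freed, size, page_size=PAGE_SIZE):
    """[start, end) of the bytes between the end of the request and its page end."""
    page_end = (freed & ~(page_size - 1)) + page_size
    return freed + size, page_end


def analyze(mem, arg1, arg2, arg3, arg4):
    """Report which slack bytes lost the fill and whether that explains Arg2."""
    fill, size = decode_arg3(arg3)
    alloc_end, page_end = slack_range(arg1, size)
    overwritten = [
        (addr, fill, mem[addr])
        for addr in range(alloc_end, page_end)
        if mem.get(addr) is not None and mem[addr] != fill
    ]
    # Bytes before the block that appear in the dump should still carry the fill.
    leading_ok = all(v == fill for a, v in mem.items() if a < arg1 and v is not None)
    return {
        "subcode_is_trailing_overwrite": arg4 == 0x24,
        "fill": fill,
        "request_size": size,
        "allocation_end": alloc_end,
        "page_end": page_end,
        "overwritten": overwritten,
        "arg2_explained": any(a == arg2 for a, _, _ in overwritten),
        "leading_fill_intact": leading_ok,
    }


if __name__ == "__main__":
    result = analyze(parse_db(DUMP_TEXT), ARG1_FREED, ARG2_CORRUPT, ARG3_PATTERN, ARG4_SUBCODE)
    print(f"request 0x{result['request_size']:x} bytes, fill 0x{result['fill']:02x}, "
          f"block ends at 0x{result['allocation_end']:x}, page ends at 0x{result['page_end']:x}")
    for addr, expected, actual in result["overwritten"]:
        print(f"slack byte 0x{addr:x}: expected 0x{expected:02x}, found 0x{actual:02x} "
              f"(+{addr - result['allocation_end']} past the end of the request)")
    print("Arg2 matches an overwritten slack byte:", result["arg2_explained"])
```

Run as-is it reports a single corrupted slack byte at 0xafb91fff (0xe5 where 0xe4 was expected), three bytes past the end of the 0x124-byte request, while the fill in front of the block is intact. Special pool only notices that at free time, so the stack captured in the bugcheck shows who freed the block, not who wrote past its end; the write happened somewhere between the allocation and this IoFreeIrp, which is where the search has to go.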

Sounds like you are freeing memory that has already been freed.

----- Original Message -----
From: “Srinivasa Rao Deevi”
To: “NT Developers Interest List”
Sent: Friday, January 04, 2002 7:11 PM
Subject: [ntdev] Help required to analyze the following dump


Is this happening when you free the Irp that you have set the current stack
location on?

Pete

Peter Scott
xxxxx@KernelDrivers.com
http://www.KernelDrivers.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Srinivasa Rao Deevi
Sent: Friday, January 04, 2002 8:12 PM
To: NT Developers Interest List
Subject: [ntdev] Help required to analyze the following dump


Pete

No. This is happening when I am using the next IRP stack location only, not the
current IRP location. This is happening after the IRP calls its completion
routine, and in the IRP_MJ_CLOSE call, if I try to release the IRP, this is
happening. It looks to me like somebody is freeing memory before I call
IoFreeIrp.

Any ideas where to check?

Thanks in advance
srinivasa

-----Original Message-----
From: Pete Scott [mailto:xxxxx@KernelDrivers.com]
Sent: Saturday, January 05, 2002 10:02 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Help required to analyze the following dump
