How should one proceed to analyze this type of BSOD - Help

OSR_Community_User · August 12, 2002, 1:28pm

Hi all,

I’ve a BSOD like this, which is not very reproducible. I am trying to find
how one should proceed when there is no stack trace of our driver. But we
should be able to somehow conclude the type and possibly the source of the
fault.

Also is there any place I can find detail about the args …

Thanx in advance

-prokash

kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt <<< could be 1 or 2 >>>
Arg2: 0007ee7a, entry in list being removed
Arg3: 0000ffda, highest physical page number
Arg4: 0000ffff, reference count of entry being removed

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 4E

LAST_CONTROL_TRANSFER: from 801234eb to 8012dd6d

STACK_TEXT:
f687a950 801234eb 8057ef00 8057eec8 8057ef00 nt!MiUnlinkPageFromList+0x39
f687aa1c 801231b0 e24fa9ec e3af574c 8057ef00 nt!MiFlushSectionInternal+0x2db
f687aa64 80121946 807b7490 00000000 00000000 nt!MmFlushSection+0x140
f687aa88 80121344 ffac4d28 00000000 01000000 nt!MiFlushDataSection+0x52
f687ab60 801796ef f687abac 0000000e 00000000 nt!MmCreateSection+0x3aa
f687abcc 8013e394 0006e9b4 0000000e 00000000 nt!NtCreateSection+0x14f
f687abcc 77f678bf 0006e9b4 0000000e 00000000 nt!KiSystemService+0xc4
0006e8c4 77f6acb5 0006e9b4 0000000e 00000000 ntdll!NtCreateSection+0xb
0006e920 77f6a73e 0006e958 00000000 0006e980 ntdll!LdrpCreateDllSection+0xcf
0006e9bc 77f6b4a8 00073f90 0006e9e8 0006ecb8 ntdll!LdrpMapDll+0xc8
0006ec64 77f63b86 00073f90 0006ecb8 0006ecac ntdll!LdrpLoadDll+0x175
0006ec80 77f13ac2 00073f90 0006ecb8 0006ecac ntdll!LdrLoadDll+0x16
0006ece4 77f13838 7ffdec00 00000000 00000000 KERNEL32!LoadLibraryExW+0x198
0006ed04 77f137ca 0006ed50 00000000 00000000 KERNEL32!LoadLibraryExA+0x5b
0006ed14 6fab06c9 0006ed50 77f13fb3 010e1e34 KERNEL32!LoadLibraryA+0xd
WARNING: Stack unwind information not available. Following frames may be
wrong.
010e1e34 00000000 00000000 00000000 00000000 mapi32x!MAPIUninitialize+0x2019

FOLLOWUP_IP:
nt!MiUnlinkPageFromList+39
8012dd6d e98d000000 jmp nt!MiUnlinkPageFromList+0xcb (8012ddff)

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!MiUnlinkPageFromList+39

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 37e8005b

STACK_COMMAND: kb

BUCKET_ID: 0x4E_nt!MiUnlinkPageFromList+39

Followup: MachineOwner

Dan_Partelly · August 12, 2002, 1:33pm

There is not much to analyse here, a portion of your driver slowly corrupts memory. Identify the flawed code,
it can be anything which dont appears in this stack trace.

Ciao

----- Original Message -----
From: Prokash Sinha
To: File Systems Developers
Sent: Monday, August 12, 2002 8:25 PM
Subject: [ntfsd] How should one proceed to analyze this type of BSOD - Help

Hi all,

I’ve a BSOD like this, which is not very reproducible. I am trying to find how one should proceed when there is no stack trace of our driver. But we should be able to somehow conclude the type and possibly the source of the fault.

Also is there any place I can find detail about the args …

Thanx in advance

-prokash

kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

PFN_LIST_CORRUPT (4e)

Typically caused by drivers passing bad memory descriptor lists (ie: calling

MmUnlockPages twice with the same list, etc). If a kernel debugger is

available get the stack trace.

Arguments:

Arg1: 00000002, A list entry was corrupt <<< could be 1 or 2 >>>

Arg2: 0007ee7a, entry in list being removed

Arg3: 0000ffda, highest physical page number

Arg4: 0000ffff, reference count of entry being removed

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 4E

LAST_CONTROL_TRANSFER: from 801234eb to 8012dd6d

STACK_TEXT:

f687a950 801234eb 8057ef00 8057eec8 8057ef00 nt!MiUnlinkPageFromList+0x39

f687aa1c 801231b0 e24fa9ec e3af574c 8057ef00 nt!MiFlushSectionInternal+0x2db

f687aa64 80121946 807b7490 00000000 00000000 nt!MmFlushSection+0x140

f687aa88 80121344 ffac4d28 00000000 01000000 nt!MiFlushDataSection+0x52

f687ab60 801796ef f687abac 0000000e 00000000 nt!MmCreateSection+0x3aa

f687abcc 8013e394 0006e9b4 0000000e 00000000 nt!NtCreateSection+0x14f

f687abcc 77f678bf 0006e9b4 0000000e 00000000 nt!KiSystemService+0xc4

0006e8c4 77f6acb5 0006e9b4 0000000e 00000000 ntdll!NtCreateSection+0xb

0006e920 77f6a73e 0006e958 00000000 0006e980 ntdll!LdrpCreateDllSection+0xcf

0006e9bc 77f6b4a8 00073f90 0006e9e8 0006ecb8 ntdll!LdrpMapDll+0xc8

0006ec64 77f63b86 00073f90 0006ecb8 0006ecac ntdll!LdrpLoadDll+0x175

0006ec80 77f13ac2 00073f90 0006ecb8 0006ecac ntdll!LdrLoadDll+0x16

0006ece4 77f13838 7ffdec00 00000000 00000000 KERNEL32!LoadLibraryExW+0x198

0006ed04 77f137ca 0006ed50 00000000 00000000 KERNEL32!LoadLibraryExA+0x5b

0006ed14 6fab06c9 0006ed50 77f13fb3 010e1e34 KERNEL32!LoadLibraryA+0xd

WARNING: Stack unwind information not available. Following frames may be wrong.

010e1e34 00000000 00000000 00000000 00000000 mapi32x!MAPIUninitialize+0x2019

FOLLOWUP_IP:

nt!MiUnlinkPageFromList+39

8012dd6d e98d000000 jmp nt!MiUnlinkPageFromList+0xcb (8012ddff)

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!MiUnlinkPageFromList+39

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 37e8005b

STACK_COMMAND: kb

BUCKET_ID: 0x4E_nt!MiUnlinkPageFromList+39

Followup: MachineOwner

You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
To unsubscribe send a blank email to %%email.unsub%%

Bryan_Burgin · August 12, 2002, 2:09pm

Prokash,

I would suggest running your driver under the watchful eye of Driver Verifier. Details are in the DDK. It is tuned to catch a number of common memory allocation/use errors at the point at which an error (corruption) occurs rather than downstream when the corruption causes havoc elsewahere.

Bryan S. Burgin
xxxxx@microsoft.com

This posting is provided “AS IS” with no warranties, and confers no rights.

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Monday, August 12, 2002 10:02 AM
To: File Systems Developers
Subject: [ntfsd] Re: How should one proceed to analyze this type of BSOD - Help

There is not much to analyse here, a portion of your driver slowly corrupts memory. Identify the flawed code,
it can be anything which dont appears in this stack trace.
?
Ciao
?
----- Original Message -----
From: Prokash Sinha
To: File Systems Developers
Sent: Monday, August 12, 2002 8:25 PM
Subject: [ntfsd] How should one proceed to analyze this type of BSOD - Help

Hi all,

I’ve a BSOD like this, which is not very reproducible. I am trying to find how one should proceed when there is no stack trace of our driver. But we should be able to somehow conclude the type and possibly the source of the fault.

Also is there any place I can find detail about the args …

Thanx in advance

-prokash

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt <<< could be 1 or 2 >>>
Arg2: 0007ee7a, entry in list being removed
Arg3: 0000ffda, highest physical page number
Arg4: 0000ffff, reference count of entry being removed

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 4E

LAST_CONTROL_TRANSFER: from 801234eb to 8012dd6d

STACK_TEXT:
f687a950 801234eb 8057ef00 8057eec8 8057ef00 nt!MiUnlinkPageFromList+0x39
f687aa1c 801231b0 e24fa9ec e3af574c 8057ef00 nt!MiFlushSectionInternal+0x2db
f687aa64 80121946 807b7490 00000000 00000000 nt!MmFlushSection+0x140
f687aa88 80121344 ffac4d28 00000000 01000000 nt!MiFlushDataSection+0x52
f687ab60 801796ef f687abac 0000000e 00000000 nt!MmCreateSection+0x3aa
f687abcc 8013e394 0006e9b4 0000000e 00000000 nt!NtCreateSection+0x14f
f687abcc 77f678bf 0006e9b4 0000000e 00000000 nt!KiSystemService+0xc4
0006e8c4 77f6acb5 0006e9b4 0000000e 00000000 ntdll!NtCreateSection+0xb
0006e920 77f6a73e 0006e958 00000000 0006e980 ntdll!LdrpCreateDllSection+0xcf
0006e9bc 77f6b4a8 00073f90 0006e9e8 0006ecb8 ntdll!LdrpMapDll+0xc8
0006ec64 77f63b86 00073f90 0006ecb8 0006ecac ntdll!LdrpLoadDll+0x175
0006ec80 77f13ac2 00073f90 0006ecb8 0006ecac ntdll!LdrLoadDll+0x16
0006ece4 77f13838 7ffdec00 00000000 00000000 KERNEL32!LoadLibraryExW+0x198
0006ed04 77f137ca 0006ed50 00000000 00000000 KERNEL32!LoadLibraryExA+0x5b
0006ed14 6fab06c9 0006ed50 77f13fb3 010e1e34 KERNEL32!LoadLibraryA+0xd
WARNING: Stack unwind information not available. Following frames may be wrong.
010e1e34 00000000 00000000 00000000 00000000 mapi32x!MAPIUninitialize+0x2019

FOLLOWUP_IP:
nt!MiUnlinkPageFromList+39
8012dd6d e98d000000 jmp nt!MiUnlinkPageFromList+0xcb (8012ddff)

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!MiUnlinkPageFromList+39

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 37e8005b

STACK_COMMAND: kb

BUCKET_ID: 0x4E_nt!MiUnlinkPageFromList+39

Followup: MachineOwner

You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
To unsubscribe send a blank email to %%email.unsub%%

You are currently subscribed to ntfsd as: xxxxx@microsoft.com
To unsubscribe send a blank email to %%email.unsub%%

OSR_Community_User · August 13, 2002, 2:45pm

This can be MDL mishandling.

----- Original Message -----
From: Prokash Sinha
To: File Systems Developers
Sent: Monday, August 12, 2002 9:25 PM
Subject: [ntfsd] How should one proceed to analyze this type of BSOD - Help