Hi,
Tell me how to analyze memory.dmp Bug Check 0x19: BAD_POOL_HEADER?
Q1. I think that I need to walk around linked list, to check if linked list is corrupted.
But I don’t know the structure of pool header,
Can you tell me how to walk around linked list by using flink and blink?
: kd> !pool a43b4540 1
a43b4520 size: 20 previous size: 60 (Free) Uswl (windows list pool)
a43b4528 a4042a08 a42df6c8 a43b45f4 00000000
         ^^^^^^^^ ^^^^^^^^
         flink?   blink?   Is this correct?
a43b4538 00010078 01580192 06027701 34206847
*a43b4540 size: c0 previous size: 20 (Allocated) *Gh 4
a43b4548 980407e4 00000000 00000001 8427d020
         ^^^^^^^^ ^^^^^^^^
         flink?   blink?   Is this correct?
a43b4558 000000a8 000506e5 00000000 a43b4590
Q2. Why is a43b4528, the address 20 bytes before a43b4548, checked?
: kd> !pool a43b4540 1
a43b4520 size: 20 previous size: 60 (Free) Uswl (windows list pool)
a43b4528 a4042a08 a42df6c8 a43b45f4 00000000
         ^^^^^^^^
         The pool entry being checked in the last instruction.
a43b4538 00010078 01580192 06027701 34206847
*a43b4540 size: c0 previous size: 20 (Allocated) *Gh 4
a43b4548 980407e4 00000000 00000001 8427d020
         ^^^^^^^^
I believe that win32k!FreeObject() passed this pointer to CtxFreePool(), and then CtxFreePool() tries to free this area.
BUT why is a43b4528 (a43b4548-20) checked in the last instruction?
a43b4558 000000a8 000506e5 00000000 a43b4590
Thanks,
Kimi
[Debug log of memory.dmp]
2: kd> .bugcheck
Bugcheck code 00000019
Arguments 00000003 a43b4528 000006c3 00000000
00000003: pool freelist is corrupt. (In a healthy list, the values of
Parameters 2, 3, and 4 should be identical.)
a43b4528: The pool entry being checked
000006c3: The read-back flink freelist value…
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ddtools/hh/ddtools/bccodes_519j.asp
2: kd> kv
ChildEBP RetAddr Args to Child
aaa1bcb8 80120411 a3000000 a43b4548 00000040 nt!CtxFreeWinStationSubPool+0xc2 (FPO: [Non-Fpo])
aaa1bccc 80120378 a43b4548 a3012206 a43b4548 nt!CtxFreeWinStationPool+0x37 (FPO: [1,0,2])
aaa1bcd4 a3012206 a43b4548 a4341ae0 aaa1bd10 nt!CtxFreePool+0x1e (FPO: [1,0,0])
aaa1bce4 a301b79e a43b4548 00000004 a41c9f48 win32k!FreeObject+0x4b (FPO: [2,0,2])
                  ^^^^^^^^
                  Guess: the pointer of some object, because CtxFreePool()'s 1st parameter should be a pointer to the object to free
aaa1bd10 a301d16b aaa1bd68 a5191670 a51916d3 win32k!DC::vReleaseVis+0x5d (FPO: [Non-Fpo])
aaa1bd38 a30207a1 010103fa 55040879 aaa1bd58 win32k!GreSelectVisRgn+0xc9 (FPO: [Non-Fpo])
aaa1bd68 a302d24e 55040879 a431bee8 a431bf04 win32k!ResetOrg+0x42 (FPO: [Non-Fpo])
aaa1bd84 a302d30d a431bee8 00000004 a5190618 win32k!UserSetDCVisRgn+0x88 (FPO: [Non-Fpo])
aaa1bd98 a3109b0c a431bee8 aaa1be00 a44ac4a8 win32k!InvalidateDce+0xb7 (FPO: [1,0,3])
aaa1bdb8 a31198e7 a5190618 00000004 00000000 win32k!zzzInvalidateDCCache+0xe9 (FPO: [EBP 0xaaa1be00] [2,2,4])
aaa1be00 a302c5c9 a42db508 aaa1be50 aaa1be58 win32k!zzzBltValidBits+0xe5 (FPO: [Non-Fpo])
aaa1be68 a302c78d a42db508 00000000 000000f0 win32k!xxxEndDeferWindowPosEx+0x13c (FPO: [Non-Fpo])
aaa1be84 a305b23b a51b31f0 00000000 00000001 win32k!xxxSetWindowPos+0x6b (FPO: [Non-Fpo])
aaa1beb0 a305b1b2 a51b31f0 00000001 0000006e win32k!xxxMoveWindow+0x6e (FPO: [Non-Fpo])
aaa1bee4 80148589 01b10330 00000001 0000006e win32k!NtUserMoveWindow+0xae (FPO: [Non-Fpo])
aaa1bee4 66e3eb1b 01b10330 00000001 0000006e nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ aaa1bf04)
0012f11c 6606ed09 01b10330 00000001 0000006e USER32!ZwUserMoveWindow+0xb (FPO: [6,0,0])
0012f17c 6607a924 034ca6d4 0012f1c4 00000001 MSVBVM60!DESK::Destroy_165+0x2
0012f1e4 66030c54 00000001 00000005 034ca67c MSVBVM60!_HrPopupSetDefItem_52+0x7 (FPO: [2,0,0])
0012f1e4 66030c54 00000001 00000005 034ca67c MSVBVM60!ComboCtlProc+0x533
2: kd> !pool a43b4548
a43b4000 size: 4a0 previous size: 0 (Allocated) Gh 5
a43b44a0 size: 20 previous size: 4a0 (Free) Gh 8
a43b44c0 size: 60 previous size: 20 (Allocated) Gh @
a43b4520 size: 20 previous size: 60 (Free) Uswl
*a43b4540 size: c0 previous size: 20 (Allocated) *Gh 4
a43b4600 size: c0 previous size: c0 (Allocated) Gh 4
a43b46c0 size: 4a0 previous size: c0 (Allocated) Gh 5
a43b4b60 size: 4a0 previous size: 4a0 (Allocated) Gh 5
2: kd> !pool a43b4540 1
a43b4000 size: 4a0 previous size: 0 (Allocated) Gh 5
a43b4008 a1050568 a5005680 00000000 00000000
a43b4018 00000000 a1050568 00000000 a4057ae8
a43b44a0 size: 20 previous size: 4a0 (Free) Gh 8
a43b44a8 a43764a8 a42da4a8 00000000 00000000
a43b44b8 00000041 00000002 03027701 40206847
a43b44c0 size: 60 previous size: 20 (Allocated) Gh @
a43b44c8 2c100542 a5005420 00000000 00000000
a43b44d8 00000007 00000000 a30bb58f 80000014
a43b4520 size: 20 previous size: 60 (Free) Uswl (windows list
pool)
a43b4528 a4042a08 a42df6c8 a43b45f4 00000000
a43b4538 00010078 01580192 06027701 34206847
*a43b4540 size: c0 previous size: 20 (Allocated) *Gh 4
a43b4548 980407e4 00000000 00000001 8427d020
a43b4558 000000a8 000506e5 00000000 a43b4590
a43b4600 size: c0 previous size: c0 (Allocated) Gh 4
a43b4608 a3000248 a3000248 00000001 8427d020
a43b4618 000000a8 0003dfe6 00000000 a43b4678
a43b46c0 size: 4a0 previous size: c0 (Allocated) Gh 5
a43b46c8 3d050572 a5005720 00000000 00000000
a43b46d8 00000000 3d050572 00000000 a4057ae8
a43b4b60 size: 4a0 previous size: 4a0 (Allocated) Gh 5
a43b4b68 d9050663 a5006630 00000000 00000000
a43b4b78 00000000 d9050663 00000000 a4057ae8
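The following C program is an added example; it is not code from either message and it is not the kernel's own pool implementation. It models the two things the question asks about: how `!pool` walks adjacent headers by size and previous size, and which LIST_ENTRY gets checked when the block at a43b4548 is freed. The header layout (four one-byte fields plus a four-byte tag), the 32-byte block granularity and the "PoolType 0 means free" rule are assumptions made for the model, not taken from any header file; the byte order was picked so that the header dwords visible in the dump (06027701 / 34206847 at a43b4540) decode to the "size: c0 previous size: 20 ... Gh 4" line that `!pool` printed. The free-list check models the condition the bugcheck documentation quoted above describes for 0x19 with parameter 1 = 3: parameters 2, 3 and 4 are the entry, entry->Flink->Blink and entry->Blink->Flink, and must be identical. The model also assumes a free coalesces with a free preceding neighbour, so freeing the block at a43b4540 (previous size 20) touches the free block at a43b4520, whose LIST_ENTRY starts 8 bytes after its header, at a43b4528. The pool region, the list head and the corruption are all constructed sample data.

```c
/* Added example (not from either message, not the kernel's own pool code): a
 * model of the layout in the !pool output above and of the free-list check
 * behind bugcheck 0x19, parameter 1 = 3.  Assumed, not taken from a header
 * file: 8-byte header of four one-byte fields + 4-byte tag, 32-byte granularity,
 * PoolType 0 = free, a LIST_ENTRY in the first 8 bytes of a free block.  The
 * byte order is the one under which the dump's own dwords 06027701 / 34206847
 * decode to "size: c0 previous size: 20 ... Gh 4". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 0x20u  /* assumed granularity; every size on the page is a multiple of 0x20 */

typedef struct {
    uint8_t PreviousSize;  /* size of the preceding block, in BLOCK units */
    uint8_t PoolIndex;
    uint8_t PoolType;      /* 0 = free in this model */
    uint8_t BlockSize;     /* size of this block, in BLOCK units */
    uint32_t PoolTag;
} POOL_HEADER;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { unsigned size, prev_size; char tag[5]; } DecodedHeader;
typedef struct { int corrupt; uintptr_t p2, p3, p4; } FreelistCheck;  /* bugcheck parameters 2..4 */

/* Decode the two header dwords the way !pool prints them. */
DecodedHeader decode_header(uint32_t ulong1, uint32_t pooltag) {
    DecodedHeader d = { ((ulong1 >> 24) & 0xffu) * BLOCK, (ulong1 & 0xffu) * BLOCK, "" };
    for (int i = 0; i < 4; i++) d.tag[i] = (char)((pooltag >> (8 * i)) & 0xffu);
    d.tag[4] = '\0';
    return d;
}

int header_decodes_as(uint32_t ulong1, uint32_t pooltag, unsigned size, unsigned prev, const char *tag) {
    DecodedHeader d = decode_header(ulong1, pooltag);
    return d.size == size && d.prev_size == prev && strcmp(d.tag, tag) == 0;
}

/* Walk adjacent headers by size, as !pool does: each PreviousSize must equal the
 * BlockSize before it.  Returns the block count, or -1 at the first bad header. */
int walk_pool(const uint8_t *region, size_t len) {
    size_t off = 0; unsigned prev = 0; int n = 0;
    for (; off + sizeof(POOL_HEADER) <= len; n++) {
        POOL_HEADER h; memcpy(&h, region + off, sizeof h);
        if (h.BlockSize == 0 || h.PreviousSize != prev) return -1;
        prev = h.BlockSize; off += (size_t)h.BlockSize * BLOCK;
    }
    return off == len ? n : -1;
}

/* The check reported as 0x19/3: entry, entry->Flink->Blink and
 * entry->Blink->Flink must all be identical. */
FreelistCheck check_freelist_entry(const LIST_ENTRY *e) {
    FreelistCheck r = { 0, (uintptr_t)e, (uintptr_t)e->Flink->Blink, (uintptr_t)e->Blink->Flink };
    r.corrupt = r.p3 != r.p2 || r.p4 != r.p2;
    return r;
}

/* Free of the block whose body starts at body_off (header 8 bytes before).  The
 * model coalesces with a free preceding block, so that block's LIST_ENTRY (its
 * header + 8) is checked before unlinking: for a free of a43b4548 in the dump
 * that entry is a43b4528. */
FreelistCheck free_block(uint8_t *region, size_t body_off) {
    FreelistCheck none = { 0, 0, 0, 0 };
    POOL_HEADER h, ph;
    memcpy(&h, region + body_off - sizeof h, sizeof h);
    if (h.PreviousSize == 0) return none;
    uint8_t *prev_hdr = region + body_off - sizeof h - (size_t)h.PreviousSize * BLOCK;
    memcpy(&ph, prev_hdr, sizeof ph);
    if (ph.PoolType != 0) return none;  /* neighbour allocated: nothing to coalesce */
    return check_freelist_entry((LIST_ENTRY *)(prev_hdr + sizeof ph));
}

/* Constructed region mirroring a43b44c0 / a43b4520 / a43b4540 from the dump;
 * offsets 0x000 / 0x060 / 0x080 stand in for those addresses. */
static union { uint8_t bytes[0x140]; LIST_ENTRY align; } g_pool;
static LIST_ENTRY g_head;  /* stands in for the free-list head */

static void put_header(uint8_t *p, uint8_t prev, uint8_t type, uint8_t size, const char *tag) {
    POOL_HEADER h = { prev, 0x77, type, size, 0 };  /* 0x77: PoolIndex byte as in the dump */
    memcpy(&h.PoolTag, tag, 4);
    memcpy(p, &h, sizeof h);
}

/* flags: 1 = neighbour's back-pointers overwritten (the 000006c3 / 00000000
 * pattern in the .bugcheck output); 2 = PreviousSize of the third header wrong. */
uint8_t *build_demo(int flags) {
    uint8_t *r = g_pool.bytes;
    memset(r, 0, sizeof g_pool.bytes);
    put_header(r + 0x000, 0, 2, 3, "Gh @");  /* allocated, 0x60 */
    put_header(r + 0x060, 3, 0, 1, "Uswl");  /* free, 0x20: LIST_ENTRY at 0x068 */
    put_header(r + 0x080, 1, 2, 6, "Gh 4");  /* allocated, 0xc0: body at 0x088 */
    LIST_ENTRY *e = (LIST_ENTRY *)(r + 0x068);
    e->Flink = e->Blink = &g_head;
    g_head.Flink = g_head.Blink = e;
    if (flags & 1) { g_head.Blink = (LIST_ENTRY *)0x6c3; g_head.Flink = NULL; }
    if (flags & 2) r[0x080] = 5;  /* no longer matches the 0x20 block before it */
    return r;
}

int main(void) {
    DecodedHeader d = decode_header(0x06027701u, 0x34206847u);
    FreelistCheck c = free_block(build_demo(1), 0x088);
    printf("size: %x previous size: %x %s, walk: %d blocks\n", d.size, d.prev_size, d.tag, walk_pool(build_demo(0), 0x140));
    printf("entry %lx flink->blink %lx blink->flink %lx corrupt=%d\n", (unsigned long)c.p2, (unsigned long)c.p3, (unsigned long)c.p4, c.corrupt);
    return 0;
}
```

Build it with any C99 compiler and run it: the first output line reproduces the `!pool` header line for a43b4540, the second shows the read-back pattern (a small integer for flink->blink, zero for blink->flink) that the `.bugcheck` parameters above exhibit. The point for the question's Q1 is that `walk_pool` is a walk over adjacent headers, not over the free list, and that only free blocks carry flink/blink in their body; for Q2, the check that fired needs only the entry at a43b4528 and its two list neighbours, which is exactly the comparison `check_freelist_entry` makes.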
How to analyze memory.dmp Bug Check 0x19: BAD_POOL_HEADER?

You shouldn't be very concerned by the pool management structures layout. Your driver most likely causes memory corruption or incorrectly manipulates pool memory. First, see in what situation you are by examining p1 to p4 of the bugcheck. Match them against documentation, and see what exactly causes this bugcheck.
----- Original Message -----
From: xxxxx@citrix.co.jp
To: NT Developers Interest List
Sent: Monday, October 07, 2002 1:55 PM
Subject: [ntdev] How to analyze memory.dmp Bug Check 0x19: BAD_POOL_HEADER?