How to debug an illegal pointer based crash

Awbadhho · February 12, 2014, 8:09am

All,

I am chasing a crash in our driver for which we only have a minidump.

The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA, unfortunately
the crash stack dump shows:

FAULTING_IP:
MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @ 317]
fffff800`013c5773 0fb60408 movzx eax,byte ptr [rax+rcx]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0

STACK_TEXT:
ffffd00022abe658 fffff800a2dea462 : 0000000000000050 ffffe00003fa0000
0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx
ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000 ffffe000025c4880
ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string'+0x8ed2 ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : nt!MmAccessFault+0x7ed

This is also expected, since the page we tried to access was perhaps
invalid or paged out.

Dumping registers show:
kd> r
rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
r14=fffff800a2fc9f80 r15=ffffe00003fa0000
iopl=0 nv up ei ng nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00000297

This tells me that we passed an invalid address 0x50 to the movzx
instruction.

Infortunately for us, since it is a mini dump, we are unable to trace where
the function MyDriver!MyDumpMemory is getting the invalid address from.

There are many places where it is called from, and code review of all
places have not come up with any clues as to how an invalid pointer might
get passed to the function. The said function hasa null check for the
pointer, but ofcourse it cannot handle an illegal pointer.

We tried to reconstruct the call stack, and get the return address of the
function for the crash, but unfortunately, that doesnt work, since the
caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as our
original stack is not present any more.

The IRQL is

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)

So it is not a problem at eveleted IRQLs.

Any suggestions on how we can proceed with such little information would
help.

BTW, we have already gone through
http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).aspx

which suggests that there is no one way of catching illegal memory.

Thanks

Awbadhho

Doron_Holan · February 12, 2014, 10:00am

It is a null pointer deref,
movzx eax,byte ptr [rax+rcx]

kd> r
rax=0000000000000000
rbx=000c36ee00000000
rcx=0000000000000050

Rax+rac=0x50

The only bad memory you can detect is null or a user mode pointer through Mm probe and lock. Please don’t tell.me you have SEH blocks trying to catch or prevent bad memory references

d

Dent from my phone

From: Ami Awbadhhomailto:xxxxx
Sent: ?2/?12/?2014 5:09 AM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: [ntdev] How to debug an illegal pointer based crash

All,

I am chasing a crash in our driver for which we only have a minidump.

The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA, unfortunately the crash stack dump shows:

FAULTING_IP:
MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @ 317]
fffff800013c5773 0fb60408 movzx eax,byte ptr [rax+rcx] MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: System CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0 STACK_TEXT: ffffd00022abe658 fffff800a2dea462 : 0000000000000050 ffffe00003fa0000 0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000 ffffe000025c4880 ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string’+0x8ed2
ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x7ed

This is also expected, since the page we tried to access was perhaps invalid or paged out.

Dumping registers show:
kd> r
rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
r14=fffff800a2fc9f80 r15=ffffe00003fa0000
iopl=0 nv up ei ng nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000297

This tells me that we passed an invalid address 0x50 to the movzx instruction.

Infortunately for us, since it is a mini dump, we are unable to trace where the function MyDriver!MyDumpMemory is getting the invalid address from.

There are many places where it is called from, and code review of all places have not come up with any clues as to how an invalid pointer might get passed to the function. The said function hasa null check for the pointer, but ofcourse it cannot handle an illegal pointer.

We tried to reconstruct the call stack, and get the return address of the function for the crash, but unfortunately, that doesnt work, since the caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as our original stack is not present any more.

The IRQL is

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)

So it is not a problem at eveleted IRQLs.

Any suggestions on how we can proceed with such little information would help.

BTW, we have already gone through http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).aspx

which suggests that there is no one way of catching illegal memory.

Thanks

Awbadhho
— NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx>

Awbadhho · February 12, 2014, 10:10am

Hi Doron,

if it is a null pointer deref, then why is the address 0x50 and not 0x0?

And in the code for the function we do check for null, then why would that
check fail.

// Dumps a memory region to debug output
void MyDumpMemory (void *pMem, int nSize)
{
unsigned char str[20];
unsigned char *m = (unsigned char *)pMem;
int i, j;
char buff[128];

#define CHARS_PER_LINE (16)

if(pMem == NULL)
{

return;
}

for (j = 0; j < nSize / CHARS_PER_LINE; j++)
{
RtlZeroMemory(str , sizeof str);
RtlZeroMemory(buff, sizeof buff);

for (i = 0; i < CHARS_PER_LINE; i++)
{
if (m[i] > ’ ’ && m[i] <= ‘~’)
str[i]=m[i];
else
str[i]=‘.’;
}

MyTrace(TRACELEVEL_LOW, (“0x%08p %02x %02x %02x %02x %02x %02x
%02x %02x - %02x %02x %02x %02x %02x %02x %02x %02x %s\n”, m, m[0], m[1],
m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9], m[10], m[11], m[12], m[13],
m[14], m[15], str));

m+=CHARS_PER_LINE;
}
}

On Wed, Feb 12, 2014 at 8:29 PM, Doron Holan wrote:

> It is a null pointer deref,
> movzx eax,byte ptr [rax+rcx]
>
>
> kd> r
> rax=0000000000000000
> rbx=000c36ee00000000
> rcx=0000000000000050
>
> Rax+rac=0x50
>
> The only bad memory you can detect is null or a user mode pointer through
> Mm probe and lock. Please don’t tell.me you have SEH blocks trying to
> catch or prevent bad memory references
>
> d
>
> Dent from my phone
> ------------------------------
> From: Ami Awbadhho
> Sent: 2/12/2014 5:09 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] How to debug an illegal pointer based crash
>
> All,
>
> I am chasing a crash in our driver for which we only have a minidump.
>
> The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA,
> unfortunately the crash stack dump shows:
>
> FAULTING_IP:
> MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @ 317]
> fffff800013c5773 0fb60408 movzx eax,byte ptr [rax+rcx] > > MM_INTERNAL_CODE: 0 > > CUSTOMER_CRASH_COUNT: 1 > > DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT > > BUGCHECK_STR: 0x50 > > PROCESS_NAME: System > > CURRENT_IRQL: 0 > > LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0 > > STACK_TEXT: > ffffd00022abe658 fffff800a2dea462 : 0000000000000050 ffffe00003fa0000 > 0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx > ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000 ffffe000025c4880 > ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string’+0x8ed2
> ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : nt!MmAccessFault+0x7ed
>
>
>
> This is also expected, since the page we tried to access was perhaps
> invalid or paged out.
>
> Dumping registers show:
> kd> r
> rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
> rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
> rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
> r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
> r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
> r14=fffff800a2fc9f80 r15=ffffe00003fa0000
> iopl=0 nv up ei ng nz ac po cy
> cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
> efl=00000297
>
> This tells me that we passed an invalid address 0x50 to the movzx
> instruction.
>
> Infortunately for us, since it is a mini dump, we are unable to trace
> where the function MyDriver!MyDumpMemory is getting the invalid address
> from.
>
> There are many places where it is called from, and code review of all
> places have not come up with any clues as to how an invalid pointer might
> get passed to the function. The said function hasa null check for the
> pointer, but ofcourse it cannot handle an illegal pointer.
>
> We tried to reconstruct the call stack, and get the return address of
> the function for the crash, but unfortunately, that doesnt work, since the
> caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as our
> original stack is not present any more.
>
> The IRQL is
>
> kd> !irql
> Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)
>
> So it is not a problem at eveleted IRQLs.
>
>
> Any suggestions on how we can proceed with such little information would
> help.
>
> BTW, we have already gone through
> http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).aspx
>
> which suggests that there is no one way of catching illegal memory.
>
> Thanks
>
> Awbadhho
> — NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Don_Burn · February 12, 2014, 10:14am

You are referencing a structure or something similar where the element you
are accessing is at 0x50. Make you test

If ((ULONG_PTR)pMem) < 4096)

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ami Awbadhho
Sent: Wednesday, February 12, 2014 10:10 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to debug an illegal pointer based crash

Hi Doron,

if it is a null pointer deref, then why is the address 0x50 and not 0x0?

And in the code for the function we do check for null, then why would that
check fail.

// Dumps a memory region to debug output void MyDumpMemory (void *pMem, int
nSize) {
unsigned char str[20];
unsigned char *m = (unsigned char *)pMem;
int i, j;
char buff[128];

#define CHARS_PER_LINE (16)

if(pMem == NULL)
{

return;
}

for (j = 0; j < nSize / CHARS_PER_LINE; j++)
{
RtlZeroMemory(str , sizeof str);
RtlZeroMemory(buff, sizeof buff);

for (i = 0; i < CHARS_PER_LINE; i++)
{
if (m[i] > ’ ’ && m[i] <= ‘~’)
str[i]=m[i];
else
str[i]=‘.’;
}

MyTrace(TRACELEVEL_LOW, (“0x%08p %02x %02x %02x %02x %02x %02x %02x
%02x - %02x %02x %02x %02x %02x %02x %02x %02x %s\n”, m, m[0], m[1], m[2],
m[3], m[4], m[5], m[6], m[7], m[8], m[9], m[10], m[11], m[12], m[13], m[14],
m[15], str));

m+=CHARS_PER_LINE;
}
}

On Wed, Feb 12, 2014 at 8:29 PM, Doron Holan
wrote:

It is a null pointer deref,
movzx eax,byte ptr [rax+rcx]

kd> r
rax=0000000000000000
rbx=000c36ee00000000
rcx=0000000000000050

Rax+rac=0x50

The only bad memory you can detect is null or a user mode pointer
through Mm probe and lock. Please don’t tell.me you have SEH blocks trying
to catch or prevent bad memory references

d

Dent from my phone
________________________________

From: Ami Awbadhho mailto:xxxxx
Sent: 2/12/2014 5:09 AM
To: Windows System Software Devs Interest List
mailto:xxxxx
Subject: [ntdev] How to debug an illegal pointer based crash

All,

I am chasing a crash in our driver for which we only have a
minidump.

The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA,
unfortunately the crash stack dump shows:

FAULTING_IP:
MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @
317]
fffff800013c5773 0fb60408 movzx eax,byte ptr [rax+rcx] MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: System CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0 STACK_TEXT: ffffd00022abe658 fffff800a2dea462 : 0000000000000050
ffffe00003fa0000 0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000
ffffe000025c4880 ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string’+0x8ed2
ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 :
nt!MmAccessFault+0x7ed

This is also expected, since the page we tried to access was perhaps
invalid or paged out.

Dumping registers show:
kd> r
rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
r14=fffff800a2fc9f80 r15=ffffe00003fa0000
iopl=0 nv up ei ng nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00000297

This tells me that we passed an invalid address 0x50 to the movzx
instruction.

Infortunately for us, since it is a mini dump, we are unable to
trace where the function MyDriver!MyDumpMemory is getting the invalid
address from.

There are many places where it is called from, and code review of
all places have not come up with any clues as to how an invalid pointer
might get passed to the function. The said function hasa null check for the
pointer, but ofcourse it cannot handle an illegal pointer.

We tried to reconstruct the call stack, and get the return address
of the function for the crash, but unfortunately, that doesnt work, since
the caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as
our original stack is not present any more.

The IRQL is

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)

So it is not a problem at eveleted IRQLs.

Any suggestions on how we can proceed with such little information
would help.

BTW, we have already gone through
http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).a
spx
http:aspx>

which suggests that there is no one way of catching illegal memory.

Thanks

Awbadhho
— NTDEV is sponsored by OSR Visit the list at:
http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR Visit the list at:
http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer</http:></mailto:xxxxx></mailto:xxxxx>

Doron_Holan · February 12, 2014, 10:25am

It is 50 because you are adding 0x50 to null and then dereferencing it. You can see that in the instruction where the bugcheck occurred. You can map the offset of the function to a line of source, what is line 317?

d

Dent from my phone

From: Ami Awbadhhomailto:xxxxx
Sent: ?2/?12/?2014 7:09 AM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: Re: [ntdev] How to debug an illegal pointer based crash

Hi Doron,

if it is a null pointer deref, then why is the address 0x50 and not 0x0?

And in the code for the function we do check for null, then why would that check fail.

// Dumps a memory region to debug output
void MyDumpMemory (void *pMem, int nSize)
{
unsigned char str[20];
unsigned char *m = (unsigned char *)pMem;
int i, j;
char buff[128];

#define CHARS_PER_LINE (16)

if(pMem == NULL)
{

return;
}

for (j = 0; j < nSize / CHARS_PER_LINE; j++)
{
RtlZeroMemory(str , sizeof str);
RtlZeroMemory(buff, sizeof buff);

for (i = 0; i < CHARS_PER_LINE; i++)
{
if (m[i] > ’ ’ && m[i] <= ‘~’)
str[i]=m[i];
else
str[i]=‘.’;
}

MyTrace(TRACELEVEL_LOW, (“0x%08p %02x %02x %02x %02x %02x %02x %02x %02x - %02x %02x %02x %02x %02x %02x %02x %02x %s\n”, m, m[0], m[1], m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9], m[10], m[11], m[12], m[13], m[14], m[15], str));

m+=CHARS_PER_LINE;
}
}

On Wed, Feb 12, 2014 at 8:29 PM, Doron Holan > wrote:
It is a null pointer deref,
movzx eax,byte ptr [rax+rcx]

kd> r
rax=0000000000000000
rbx=000c36ee00000000
rcx=0000000000000050

Rax+rac=0x50

The only bad memory you can detect is null or a user mode pointer through Mm probe and lock. Please don’t tell.me http: you have SEH blocks trying to catch or prevent bad memory references

d

Dent from my phone
________________________________
From: Ami Awbadhhomailto:xxxxx
Sent: 2/12/2014 5:09 AM
To: Windows System Software Devs Interest Listmailto:xxxxx
Subject: [ntdev] How to debug an illegal pointer based crash

All,

I am chasing a crash in our driver for which we only have a minidump.

The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA, unfortunately the crash stack dump shows:

FAULTING_IP:
MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @ 317]
fffff800013c5773 0fb60408 movzx eax,byte ptr [rax+rcx] MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: System CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0 STACK_TEXT: ffffd00022abe658 fffff800a2dea462 : 0000000000000050 ffffe00003fa0000 0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000 ffffe000025c4880 ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string’+0x8ed2
ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!MmAccessFault+0x7ed

This is also expected, since the page we tried to access was perhaps invalid or paged out.

Dumping registers show:
kd> r
rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
r14=fffff800a2fc9f80 r15=ffffe00003fa0000
iopl=0 nv up ei ng nz ac po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000297

This tells me that we passed an invalid address 0x50 to the movzx instruction.

Infortunately for us, since it is a mini dump, we are unable to trace where the function MyDriver!MyDumpMemory is getting the invalid address from.

There are many places where it is called from, and code review of all places have not come up with any clues as to how an invalid pointer might get passed to the function. The said function hasa null check for the pointer, but ofcourse it cannot handle an illegal pointer.

We tried to reconstruct the call stack, and get the return address of the function for the crash, but unfortunately, that doesnt work, since the caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as our original stack is not present any more.

The IRQL is

kd> !irql
Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)

So it is not a problem at eveleted IRQLs.

Any suggestions on how we can proceed with such little information would help.

BTW, we have already gone through http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).aspx

which suggests that there is no one way of catching illegal memory.

Thanks

Awbadhho
— NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx></mailto:xxxxx></http:></mailto:xxxxx></mailto:xxxxx>

Awbadhho · February 12, 2014, 11:30am

Line 317 is :

if (m[i] > ’ ’ && m[i] <= ‘~’)

I had posted the entire function in the earlier post, but do so once
again…

Does this mean the size being passed is beyond the size of the pointer and
it crashes because we are walking off the page allocation?

// Dumps a memory region to debug output
void MyDumpMemory (void *pMem, int nSize)
{
unsigned char str[20];
unsigned char *m = (unsigned char *)pMem;
int i, j;
char buff[128];

#define CHARS_PER_LINE (16)

if(pMem == NULL)
{

return;
}

for (j = 0; j < nSize / CHARS_PER_LINE; j++)
{
RtlZeroMemory(str , sizeof str);
RtlZeroMemory(buff, sizeof buff);

for (i = 0; i < CHARS_PER_LINE; i++)
{
if (m[i] > ’ ’ && m[i] <= ‘~’)
str[i]=m[i];
else
str[i]=‘.’;
}

MyTrace(TRACELEVEL_LOW, (“0x%08p %02x %02x %02x %02x %02x %02x
%02x %02x - %02x %02x %02x %02x %02x %02x %02x %02x %s\n”, m, m[0], m[1],
m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9], m[10], m[11], m[12], m[13],
m[14], m[15], str));

m+=CHARS_PER_LINE;
}
}

On Wed, Feb 12, 2014 at 8:54 PM, Doron Holan wrote:

> It is 50 because you are adding 0x50 to null and then dereferencing it.
> You can see that in the instruction where the bugcheck occurred. You can
> map the offset of the function to a line of source, what is line 317?
>
>
> d
>
> Dent from my phone
> ------------------------------
> From: Ami Awbadhho
> Sent: 2/12/2014 7:09 AM
>
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] How to debug an illegal pointer based crash
>
> Hi Doron,
>
> if it is a null pointer deref, then why is the address 0x50 and not 0x0?
>
> And in the code for the function we do check for null, then why would
> that check fail.
>
> // Dumps a memory region to debug output
> void MyDumpMemory (void *pMem, int nSize)
> {
> unsigned char str[20];
> unsigned char *m = (unsigned char *)pMem;
> int i, j;
> char buff[128];
>
> #define CHARS_PER_LINE (16)
>
> if(pMem == NULL)
> {
>
> return;
> }
>
>
> for (j = 0; j < nSize / CHARS_PER_LINE; j++)
> {
> RtlZeroMemory(str , sizeof str);
> RtlZeroMemory(buff, sizeof buff);
>
> for (i = 0; i < CHARS_PER_LINE; i++)
> {
> if (m[i] > ’ ’ && m[i] <= ‘~’)
> str[i]=m[i];
> else
> str[i]=‘.’;
> }
>
> MyTrace(TRACELEVEL_LOW, (“0x%08p %02x %02x %02x %02x %02x %02x
> %02x %02x - %02x %02x %02x %02x %02x %02x %02x %02x %s\n”, m, m[0], m[1],
> m[2], m[3], m[4], m[5], m[6], m[7], m[8], m[9], m[10], m[11], m[12], m[13],
> m[14], m[15], str));
>
> m+=CHARS_PER_LINE;
> }
> }
>
>
> On Wed, Feb 12, 2014 at 8:29 PM, Doron Holan wrote:
>
>> It is a null pointer deref,
>> movzx eax,byte ptr [rax+rcx]
>>
>>
>> kd> r
>> rax=0000000000000000
>> rbx=000c36ee00000000
>> rcx=0000000000000050
>>
>> Rax+rac=0x50
>>
>> The only bad memory you can detect is null or a user mode pointer through
>> Mm probe and lock. Please don’t tell.me you have SEH blocks trying to
>> catch or prevent bad memory references
>>
>> d
>>
>> Dent from my phone
>> ------------------------------
>> From: Ami Awbadhho
>> Sent: 2/12/2014 5:09 AM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] How to debug an illegal pointer based crash
>>
>> All,
>>
>> I am chasing a crash in our driver for which we only have a minidump.
>>
>> The crash is straight forward, PAGE_FAULT_IN_NONPAGED_AREA,
>> unfortunately the crash stack dump shows:
>>
>> FAULTING_IP:
>> MyDriver!MyDumpMemory+e3 [d:\Codebase\MyDriver\MyDriverlogs.cpp @ 317]
>> fffff800013c5773 0fb60408 movzx eax,byte ptr [rax+rcx] >> >> MM_INTERNAL_CODE: 0 >> >> CUSTOMER_CRASH_COUNT: 1 >> >> DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT >> >> BUGCHECK_STR: 0x50 >> >> PROCESS_NAME: System >> >> CURRENT_IRQL: 0 >> >> LAST_CONTROL_TRANSFER: from fffff800a2dea462 to fffff800a2dd10a0 >> >> STACK_TEXT: >> ffffd00022abe658 fffff800a2dea462 : 0000000000000050 ffffe00003fa0000 >> 0000000000000000 ffffd00022abe840 : nt!KeBugCheckEx >> ffffd00022abe660 fffff800a2ce9ffd : 0000000000000000 ffffe000025c4880 >> ffffd00022abe840 ffffd00022abe9b0 : nt! ?? ::FNODOBFM::string’+0x8ed2
>> ffffd00022abe700 0000000000000000 : 0000000000000000 0000000000000000
>> 0000000000000000 0000000000000000 : nt!MmAccessFault+0x7ed
>>
>>
>>
>> This is also expected, since the page we tried to access was perhaps
>> invalid or paged out.
>>
>> Dumping registers show:
>> kd> r
>> rax=0000000000000000 rbx=000c36ee00000000 rcx=0000000000000050
>> rdx=ffffe00003fa0000 rsi=ffffd00022abe7f8 rdi=ffffe000025c4ba0
>> rip=fffff800a2dd10a0 rsp=ffffd00022abe658 rbp=0000000000000000
>> r8=0000000000000000 r9=ffffd00022abe840 r10=ffffd00022abe840
>> r11=ffffe000025c4880 r12=0000000000000000 r13=0000000000000000
>> r14=fffff800a2fc9f80 r15=ffffe00003fa0000
>> iopl=0 nv up ei ng nz ac po cy
>> cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
>> efl=00000297
>>
>> This tells me that we passed an invalid address 0x50 to the movzx
>> instruction.
>>
>> Infortunately for us, since it is a mini dump, we are unable to trace
>> where the function MyDriver!MyDumpMemory is getting the invalid address
>> from.
>>
>> There are many places where it is called from, and code review of all
>> places have not come up with any clues as to how an invalid pointer might
>> get passed to the function. The said function hasa null check for the
>> pointer, but ofcourse it cannot handle an illegal pointer.
>>
>> We tried to reconstruct the call stack, and get the return address of
>> the function for the crash, but unfortunately, that doesnt work, since the
>> caller turns out to be nt!KiPageFault+0x12f. Again this is expected, as our
>> original stack is not present any more.
>>
>> The IRQL is
>>
>> kd> !irql
>> Debugger saved IRQL for processor 0x0 – 0 (LOW_LEVEL)
>>
>> So it is not a problem at eveleted IRQLs.
>>
>>
>> Any suggestions on how we can proceed with such little information
>> would help.
>>
>> BTW, we have already gone through
>> http://msdn.microsoft.com/en-us/library/windows/hardware/ff539004(v=vs.85).aspx
>>
>> which suggests that there is no one way of catching illegal memory.
>>
>> Thanks
>>
>> Awbadhho
>> — NTDEV is sponsored by OSR Visit the list at:
>> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
>> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
>> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
>> the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
> — NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Tim_Roberts · February 12, 2014, 12:54pm

Ami Awbadhho wrote:

Hi Doron,

if it is a null pointer deref, then why is the address 0x50 and not 0x0?

And in the code for the function we do check for null, then why would
that check fail.

“buff” is never used. Why do you allocate it?

You don’t really need to clear “str”. You can just add a terminating
zero at the end of the loop.

You are assuming that pMem is always a multiple of 16 bytes. If you use
driver verifier, that might not be the case. If you were to allocate 6
bytes, for example, you would cause a verifier failure.

Which line is line 317? It’s not clear to me where a “movzx” would
arise here, nor how 80 got involved. What does MyTrace do? Does it
expand to DbgPrint, or is that your own handler? If MyTrace assumes
that the line will never exceed 80 characters, that would cause this
failure. You have “%08p”, but that merely says “use a minimum of 8
characters”. All kernel pointers in an x64 driver end up requiring 16
characters, and that would make this line 87 characters long.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Awbadhho · February 12, 2014, 1:23pm

hi tim,

yes you are right, buff is never used, it was there with some previous
code, but still remains to be deleted. But the code crashing is the one
with the buff in at present so I posted that version.

line 317 is : if (m[i] > ’ ’ && m[i] <= ‘~’)

MYTrace is DbgPrint, so tehre is no 80 character restriction there.

the %08p is fine becase as you said, in 32 bit for formatting we need it to
be 8 spaces, and in 64 but it will be 16. I don’t see a problem here as
well. It is such a small function that this crash looks weird.

there is no verifier enabled on this crashing machine,

I do not understand how it went past the NULL check, I am absolutely sure
that the memory *didnt* get cleared which the loop runs by any other thread.

On Wed, Feb 12, 2014 at 11:23 PM, Tim Roberts wrote:

> Ami Awbadhho wrote:
> > Hi Doron,
> >
> > if it is a null pointer deref, then why is the address 0x50 and not 0x0?
> >
> > And in the code for the function we do check for null, then why would
> > that check fail.
>
> “buff” is never used. Why do you allocate it?
>
> You don’t really need to clear “str”. You can just add a terminating
> zero at the end of the loop.
>
> You are assuming that pMem is always a multiple of 16 bytes. If you use
> driver verifier, that might not be the case. If you were to allocate 6
> bytes, for example, you would cause a verifier failure.
>
> Which line is line 317? It’s not clear to me where a “movzx” would
> arise here, nor how 80 got involved. What does MyTrace do? Does it
> expand to DbgPrint, or is that your own handler? If MyTrace assumes
> that the line will never exceed 80 characters, that would cause this
> failure. You have “%08p”, but that merely says “use a minimum of 8
> characters”. All kernel pointers in an x64 driver end up requiring 16
> characters, and that would make this line 87 characters long.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Doron_Holan · February 12, 2014, 1:26pm

Perhaps you passed a pointer value close to NULL, but not null itself.

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ami Awbadhho
Sent: Wednesday, February 12, 2014 10:23 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to debug an illegal pointer based crash

hi tim,

yes you are right, buff is never used, it was there with some previous code, but still remains to be deleted. But the code crashing is the one with the buff in at present so I posted that version.

line 317 is : if (m[i] > ’ ’ && m[i] <= ‘~’)

MYTrace is DbgPrint, so tehre is no 80 character restriction there.

the %08p is fine becase as you said, in 32 bit for formatting we need it to be 8 spaces, and in 64 but it will be 16. I don’t see a problem here as well. It is such a small function that this crash looks weird.

there is no verifier enabled on this crashing machine,

I do not understand how it went past the NULL check, I am absolutely sure that the memory *didnt* get cleared which the loop runs by any other thread.

On Wed, Feb 12, 2014 at 11:23 PM, Tim Roberts > wrote:
Ami Awbadhho wrote:
> Hi Doron,
>
> if it is a null pointer deref, then why is the address 0x50 and not 0x0?
>
> And in the code for the function we do check for null, then why would
> that check fail.
“buff” is never used. Why do you allocate it?

You don’t really need to clear “str”. You can just add a terminating
zero at the end of the loop.

You are assuming that pMem is always a multiple of 16 bytes. If you use
driver verifier, that might not be the case. If you were to allocate 6
bytes, for example, you would cause a verifier failure.

Which line is line 317? It’s not clear to me where a “movzx” would
arise here, nor how 80 got involved. What does MyTrace do? Does it
expand to DbgPrint, or is that your own handler? If MyTrace assumes
that the line will never exceed 80 characters, that would cause this
failure. You have “%08p”, but that merely says “use a minimum of 8
characters”. All kernel pointers in an x64 driver end up requiring 16
characters, and that would make this line 87 characters long.

–
Tim Roberts, xxxxx@probo.com mailto:xxxxx
Providenza & Boekelheide, Inc.

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

— NTDEV is sponsored by OSR Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See http://www.osr.com/careers For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx>

Awbadhho · February 12, 2014, 1:36pm

>Perhaps you passed a pointer value close to NULL, but not null itself.

can you please explain why a ‘close to NULL’ value will cause this? Also
how close to NULL does this value need to be?

On Wed, Feb 12, 2014 at 11:55 PM, Doron Holan wrote:

> Perhaps you passed a pointer value close to NULL, but not null itself.
>
>
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *Ami Awbadhho
> Sent: Wednesday, February 12, 2014 10:23 AM
>
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] How to debug an illegal pointer based crash
>
>
>
> hi tim,
>
>
>
> yes you are right, buff is never used, it was there with some previous
> code, but still remains to be deleted. But the code crashing is the one
> with the buff in at present so I posted that version.
>
>
>
> line 317 is : if (m[i] > ’ ’ && m[i] <= ‘~’)
>
>
>
> MYTrace is DbgPrint, so tehre is no 80 character restriction there.
>
>
>
> the %08p is fine becase as you said, in 32 bit for formatting we need it
> to be 8 spaces, and in 64 but it will be 16. I don’t see a problem here as
> well. It is such a small function that this crash looks weird.
>
>
>
> there is no verifier enabled on this crashing machine,
>
>
>
> I do not understand how it went past the NULL check, I am absolutely sure
> that the memory didnt get cleared which the loop runs by any other thread.
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Feb 12, 2014 at 11:23 PM, Tim Roberts wrote:
>
> Ami Awbadhho wrote:
> > Hi Doron,
> >
> > if it is a null pointer deref, then why is the address 0x50 and not 0x0?
> >
> > And in the code for the function we do check for null, then why would
> > that check fail.
>
> “buff” is never used. Why do you allocate it?
>
> You don’t really need to clear “str”. You can just add a terminating
> zero at the end of the loop.
>
> You are assuming that pMem is always a multiple of 16 bytes. If you use
> driver verifier, that might not be the case. If you were to allocate 6
> bytes, for example, you would cause a verifier failure.
>
> Which line is line 317? It’s not clear to me where a “movzx” would
> arise here, nor how 80 got involved. What does MyTrace do? Does it
> expand to DbgPrint, or is that your own handler? If MyTrace assumes
> that the line will never exceed 80 characters, that would cause this
> failure. You have “%08p”, but that merely says “use a minimum of 8
> characters”. All kernel pointers in an x64 driver end up requiring 16
> characters, and that would make this line 87 characters long.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> — NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

OSR_Community_User · February 12, 2014, 2:17pm

> Perhaps you passed a pointer value close to NULL, but not null itself.

The most common cause of this is passing a pointer to a field In a struct,
for example, &thing->whatever. This will pass the offset of “whatever” if
“thing” is NULL.

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ami Awbadhho
Sent: Wednesday, February 12, 2014 10:23 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to debug an illegal pointer based crash

hi tim,

yes you are right, buff is never used, it was there with some previous
code, but still remains to be deleted. But the code crashing is the one
with the buff in at present so I posted that version.

line 317 is : if (m[i] > ’ ’ && m[i] <= ‘~’)

MYTrace is DbgPrint, so tehre is no 80 character restriction there.

the %08p is fine becase as you said, in 32 bit for formatting we need it
to be 8 spaces, and in 64 but it will be 16. I don’t see a problem here as
well. It is such a small function that this crash looks weird.

there is no verifier enabled on this crashing machine,

I do not understand how it went past the NULL check, I am absolutely sure
that the memory *didnt* get cleared which the loop runs by any other
thread.

On Wed, Feb 12, 2014 at 11:23 PM, Tim Roberts
> wrote:
> Ami Awbadhho wrote:
>> Hi Doron,
>>
>> if it is a null pointer deref, then why is the address 0x50 and not 0x0?
>>
>> And in the code for the function we do check for null, then why would
>> that check fail.
> “buff” is never used. Why do you allocate it?
>
> You don’t really need to clear “str”. You can just add a terminating
> zero at the end of the loop.
>
> You are assuming that pMem is always a multiple of 16 bytes. If you use
> driver verifier, that might not be the case. If you were to allocate 6
> bytes, for example, you would cause a verifier failure.
>
> Which line is line 317? It’s not clear to me where a “movzx” would
> arise here, nor how 80 got involved. What does MyTrace do? Does it
> expand to DbgPrint, or is that your own handler? If MyTrace assumes
> that the line will never exceed 80 characters, that would cause this
> failure. You have “%08p”, but that merely says “use a minimum of 8
> characters”. All kernel pointers in an x64 driver end up requiring 16
> characters, and that would make this line 87 characters long.
>
> –
> Tim Roberts, xxxxx@probo.com mailto:xxxxx
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> — NTDEV is sponsored by OSR Visit the list at:
> http://www.osronline.com/showlists.cfm?list=ntdev OSR is HIRING!! See
> http://www.osr.com/careers For our schedule of WDF, WDM, debugging and
> other seminars visit: http://www.osr.com/seminars To unsubscribe, visit
> the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer</mailto:xxxxx>

Maxim_S_Shatskih · February 12, 2014, 4:31pm

>can you please explain why a ‘close to NULL’ value will cause this? Also how close to NULL does

this value need to be?

The usual cause is &(Struc->Fld), where Struc is NULL

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · February 12, 2014, 5:01pm

“close” is typically defined as <= 65535. It is rare to have a “close”
access of the type you have that exceeds some much smaller number, e.g.,
512 or 1024. 0x50 (80 bytes) is so close that it and smaller values would
probably encompass nearly 100% of the actual BSOD accesses of this type.

Values which are large would, if all such BSODs were collected, the number
that were “far” from 0 but still “close” enough to trigger a BSOD would
probably be expressible in a single-digit integer.

While satisfying intellectual knowledge, the key thing it told you is that
you are dereferencing a NULL pointer, and that’s where you need to
concentrate your efforts.

So if you put

ASSERT(p >= (void *)65536);

would catch this for any pointer p. But earlier checks, such as ASSERT(p
!= NULL) will catch it earlier, before you get to the &p->whatever which
ultimately triggers it.
joe

p.s. 65536 is te magic number this week; you probably want to make this a
#define in te unlikely case it would change in the future.

>can you please explain why a ‘close to NULL’ value will cause this? Also
> how close to NULL does
>this value need to be?

The usual cause is &(Struc->Fld), where Struc is NULL

–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Tim_Roberts · February 12, 2014, 5:01pm

Ami Awbadhho wrote:

hi tim,

yes you are right, buff is never used, it was there with some previous
code, but still remains to be deleted. But the code crashing is the
one with the buff in at present so I posted that version.

line 317 is : if (m[i] > ’ ’ && m[i] <= ‘~’)

MYTrace is DbgPrint, so tehre is no 80 character restriction there.

It can’t be EXACTLY DbgPrint, because DbgPrint doesn’t take those
parameters. What is it, exactly? Did you copy KdPrint?

the %08p is fine becase as you said, in 32 bit for formatting we need
it to be 8 spaces, and in 64 but it will be 16. I don’t see a problem
here as well. It is such a small function that this crash looks weird.
…
I do not understand how it went past the NULL check, I am absolutely
sure that the memory *didnt* get cleared which the loop runs by any
other thread.

You have a loop here calling a macro. It wouldn’t take much for an
ill-behaved macro to write off the end of an array, and that screws up
all of your assumptions.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Pavel_A1 · February 12, 2014, 8:20pm

On 12-Feb-2014 20:22, Ami Awbadhho wrote:
[snip]

MYTrace is DbgPrint, so tehre is no 80 character restriction there.
the %08p is fine becase as you said, in 32 bit for formatting we need it
to be 8 spaces, and in 64 but it will be 16. I don’t see a problem here
as well. It is such a small function that this crash looks weird.

Just can’t help noticing that another, ‘better’, OS
has a ready function (print_hex_dump) to alleviate
trouble of rolling and debugging ours own.
And lot of terribly useful printk formats.

Regards,
– pa

Peter_Viscarola_OSR · February 12, 2014, 9:10pm

That is because on said other “better” operating system, printk *was* the debugger for years and years. Ever try setting a break point with printk? Or single-stepping.

Oh well, whatever, never mind.

Peter
OSR
@OSRdrivers