How to resolve this error - "memory could not be "%s"

Hi Experts,

I am trying to learn NDIS Miniport drivers by modifying the E100Bex sample of
the DDK to work with the Realtek RTL 8139. In MiniportInitialize, while
allocating memory, I could see valid assignments through DbgPrint, but at the
end of the function the system crashes and gives the error
KMODE_EXCEPTION_NOT_HANDLED (1E). Could somebody point out where I made the
mistake?

Entering into the Find adapter routine
Adapter is found - VendorID/DeviceID=10ec/8139
IoBaseAddress = 0xe400
IoRange = x100
Realtek’s Memory Range
Realtek’s Memory Length : 100
MemPhysAddress(Low) = 0xe7101000
MemPhysAddress(High) = 0x0
InterruptLevel = x7

<— FindRealtek Adapter, Status=0

*** Fatal System Error: 0x0000001e
(0xC0000005,0x00000000,0x00000000,0x00000000)

Thu Sep 21 12:03:23.265 2006 (GMT+6): Break instruction exception - code
80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols

Loading User Symbols

Loading unloaded module list

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {c0000005, 0, 0, 0}

Probably caused by : NDIS.sys ( NDIS!ndisMInitializeAdapter+d06 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80456488 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000000, Parameter 1 of the exception

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
+0
00000000 ?? ???

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: System

EXCEPTION_RECORD: ed437874 – (.exr ffffffffed437874)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: ed4374cc – (.cxr ffffffffed4374cc)
eax=8166a910 ebx=81361130 ecx=00000000 edx=805e0020 esi=ed437b74 edi=00000000
eip=00000000 esp=ed43793c ebp=ed437aac iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210202
00000000 ?? ???
Resetting default scope

LAST_CONTROL_TRANSFER: from bfec9f23 to 00000000

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ed437938 bfec9f23 81361708 00000001 81361030 0x0
ed437aac bfec4ab7 8166a910 00000000 ed437b01 NDIS!ndisMInitializeAdapter+0xd06
ed437ba8 bfeb8ef4 00000000 8166a910 00000000 NDIS!ndisInitializeAdapter+0xcf
ed437be8 bfeb8ff3 81361030 813b0be8 813b0be8 NDIS!ndisPnPStartDevice+0xdb
ed437c24 8041fb8b 81361030 813b0c7c 81361030 NDIS!ndisPnPDispatch+0x3d6
ed437c38 8049c2fe 00020000 818885c8 00000000 nt!IopfCallDriver+0x35
ed437c64 80429206 81361030 ed437c84 ed437cac nt!IopSynchronousCall+0xca
ed437cb0 804c1303 81893410 00000003 818885c8 nt!IopStartDevice+0x127
ed437ce4 804e4ddb 818885c8 ed437d24 818885c8 nt!IopStartAndEnumerateDevice+0x22
ed437d38 80426bdb 81893410 804794c0 8046dc5c nt!IopNewDevice+0xba
ed437d78 804191b5 00000000 00000000 00000000 nt!IopDeviceActionWorker+0x29c
ed437da8 80455a16 00000000 00000000 00000000 nt!ExpWorkerThread+0xae
ed437ddc 80469bb2 804190f0 00000001 00000000 nt!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
NDIS!ndisMInitializeAdapter+d06
bfec9f23 33f6 xor esi,esi

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: NDIS!ndisMInitializeAdapter+d06

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NDIS

IMAGE_NAME: NDIS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3eaf051d

STACK_COMMAND: .cxr 0xffffffffed4374cc ; kb

FAILURE_BUCKET_ID: 0x1E_NULL_IP_NDIS!ndisMInitializeAdapter+d06

BUCKET_ID: 0x1E_NULL_IP_NDIS!ndisMInitializeAdapter+d06

Followup: MachineOwner

Hi there,

This is actually one of the easier types of bugs to trace. If you look
at the Exception Record:

EXCEPTION_RECORD: ed437874 – (.exr ffffffffed437874)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

You can see an attempt to read from a NULL pointer. So somewhere you
are either accessing or passing a null pointer around.

As a side note, you will probably want to direct this sort of question
to the NTDEV list, as this one is generally for questions about windbg
and making it work, not for help debugging your program.

Thanks,

Justin

Justin M. Walker, CDIA+, ECMp  
Performance Testing Engineer  
Hyland Software Inc.  
  
Reality is just Chaos with better lighting.  
  

Look at the exception record:

KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000000, Parameter 1 of the exception

Specifically, look at Arg2, the (code) address that the exception occurred at. The “FAULTING_IP: ???” should also tell you that. NDIS has jumped to a NULL pointer, which is probably a pointer that it pulled from the NDIS_MINIPORT_CHARACTERISTICS structure that you passed to NdisMRegisterMiniport. It is possible that you left a field (pointer to function) blank in that structure that is required. Verify that your DriverEntry code is correct, that you are correctly formatting the NDIS_MINIPORT_CHARACTERISTICS structure.

If you want to be a bit more adventurous, you could look at the stack frame that called the NULL pointer (NDIS!ndisMInitializeAdapter+0xd06), find where it loads the pointer to your NDIS_MINIPORT_CHARACTERISTICS into a register, then check to see what the field offset is when it pulls the pointer out of that structure. Then you can manually count field offsets until you arrive at the field that was read, or you can use the “dt” command to dump the type, which will show all of the field offsets.

– arlie
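
The reading described in the reply above (the fault is on the instruction fetch at address 0, and the frame that transferred control there is the one to inspect), as an added triage example that is not part of the original thread. It parses lines copied from the `!analyze -v` output posted here; the `triage` function, its result labels and the `NULL_PAGE` threshold are assumptions of this example.

```python
import re

# Lines copied from the !analyze -v output posted in this thread (trimmed).
SAMPLE = """\
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 00000000
Parameter[1]: 00000000
LAST_CONTROL_TRANSFER: from bfec9f23 to 00000000
ed437938 bfec9f23 81361708 00000001 81361030 0x0
ed437aac bfec4ab7 8166a910 00000000 ed437b01 NDIS!ndisMInitializeAdapter+0xd06
ed437ba8 bfeb8ef4 00000000 8166a910 00000000 NDIS!ndisInitializeAdapter+0xcf
"""

ACCESS = {0: "read", 1: "write", 8: "execute"}  # Parameter[0] of an access violation
NULL_PAGE = 0x10000  # assumption: treat anything below 64 KB as a NULL-based address

def _hex(pattern, text):
    m = re.search(pattern, text, re.M)
    return int(m.group(1), 16) if m else None

def triage(text):
    """Classify an access-violation bugcheck from !analyze -v text."""
    if _hex(r"^ExceptionCode:\s*([0-9a-f]+)", text) != 0xC0000005:
        return {"kind": "not-access-violation", "caller": None}
    fault_ip = _hex(r"^ExceptionAddress:\s*([0-9a-f]+)", text)
    target = _hex(r"^Parameter\[1\]:\s*([0-9a-f]+)", text)
    if fault_ip is None or target is None:
        return {"kind": "incomplete", "caller": None}
    access = ACCESS.get(_hex(r"^Parameter\[0\]:\s*([0-9a-f]+)", text), "unknown")
    # The faulting access is the instruction fetch itself when the address
    # touched equals the address of the faulting instruction.
    if fault_ip == target and access in ("read", "execute"):
        kind = "null-instruction-pointer" if fault_ip < NULL_PAGE else "bad-instruction-pointer"
    else:
        kind = ("null-data-" if target < NULL_PAGE else "invalid-data-") + access
    # kb rows are: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol. A row's RetAddr
    # points into the function named on the NEXT row (its caller).
    frames = re.findall(
        r"^[0-9a-f]{8} ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)$", text, re.M)
    xfer_from = _hex(r"^LAST_CONTROL_TRANSFER:\s*from\s+([0-9a-f]+)", text)
    caller = None
    for i, (ret, _sym) in enumerate(frames[:-1]):
        if int(ret, 16) == xfer_from:
            caller = frames[i + 1][1]
            break
    return {"kind": kind, "caller": caller}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A data access through a NULL pointer would instead show a non-zero ExceptionAddress inside some module, and the same function reports it as `null-data-read` or `null-data-write`.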


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of vimalraj s
Sent: Thursday, September 21, 2006 10:03 PM
To: Kernel Debugging Interest List
Subject: [windbg] How to resolve this error - "memory could not be “%s”


vimalraj s wrote:

I am trying to learn NDIS Miniport drivers by modifying the E100Bex
sample of the DDK to work with the Realtek RTL 8139. In
MiniportInitialize, while allocating memory, I could see valid
assignments through DbgPrint, but at the end of the function the system
crashes and gives the error KMODE_EXCEPTION_NOT_HANDLED (1E). Could
somebody point out where I made the mistake?

You jumped to address 0. Without further information, I’d guess that
you overwrite the return address on the stack.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.