KeWaitForMultipleObjects BSOD

Hi,
I'm trying to build a WDM driver for a legacy serial device which acts more
or less like a mouse.
I used the polling sample from W. Oney's book.
The sample needs a usermode event to start polling the device, but I wanted to
start polling the device immediately until I remove it.
As my device doesn't give a PnP ID, I get a SerialDeviceObject pointer by
calling IoGetDeviceObjectPointer in my STARTDEVICE.

I must have done something terribly wrong, but I don't understand why I get a
BSOD.

Here's the modified PollingThreadRoutine code:

VOID PollingThreadRoutine(PDEVICE_EXTENSION pdx)
{ // PollingThreadRoutine
    NTSTATUS status;
    KTIMER timer;
    KEVENT evt;
    IO_STATUS_BLOCK IoStatusBlock;
    PIRP Irp;

    KeInitializeTimerEx(&timer, SynchronizationTimer);

    // Objects to wait on: index 0 is the kill event, index 1 is the poll timer.
    // pdx->evKill must already have been initialized with KeInitializeEvent by
    // the code that creates this thread; KeWaitForMultipleObjects will write
    // through garbage (here a NULL) if it is handed an uninitialized KEVENT.
    PVOID pollevents[] = {
        (PVOID) &pdx->evKill,
        (PVOID) &timer,
    };
    C_ASSERT(arraysize(pollevents) <= THREAD_WAIT_OBJECTS);

    // A zero due time performs the first poll immediately; the period is in ms.
    LARGE_INTEGER duetime = {0};
#define POLLING_INTERVAL 500

    KeSetTimerEx(&timer, duetime, POLLING_INTERVAL, NULL);

    KdPrint((DRIVERNAME " - Entering poll loop ...\n"));
    while (TRUE)
    {
        // Block until time to poll again, or until the kill event is signalled.
        status = KeWaitForMultipleObjects(arraysize(pollevents),
            pollevents, WaitAny, Executive, KernelMode, FALSE, NULL, NULL);
        if (!NT_SUCCESS(status))
        {
            KdPrint((DRIVERNAME " - KeWaitForMultipleObjects failed - %X\n",
                status));
            break;
        }
        if (status == STATUS_WAIT_0)
        { // kill event (index 0) signalled: stop polling
            status = STATUS_DELETE_PENDING;
            break;
        }

        // Read the device. A read is a major-function IRP, so it is built with
        // IoBuildSynchronousFsdRequest(IRP_MJ_READ, ...); the post originally used
        // IoBuildDeviceIoControlRequest here, which the author later corrected.
        KeInitializeEvent(&evt, NotificationEvent, FALSE);
        Irp = IoBuildSynchronousFsdRequest(IRP_MJ_READ, pdx->SerialDeviceObject,
            pdx->data, sizeof(pdx->data), NULL, &evt, &IoStatusBlock);

        if (Irp != NULL)
        { // SEND READ IRP
            status = IoCallDriver(pdx->SerialDeviceObject, Irp);
            // If pending, wait for completion before evt/IoStatusBlock are reused
            if (status == STATUS_PENDING)
            {
                KeWaitForSingleObject(&evt, Executive, KernelMode, FALSE, NULL);
                status = IoStatusBlock.Status;
            }
        }
        else
        {
            KdPrint((DRIVERNAME " - IoBuildSynchronousFsdRequest failed. "
                "STATUS_INSUFFICIENT_RESOURCES\n"));
            break;
        }
    }

    KeCancelTimer(&timer);
    PsTerminateSystemThread(STATUS_SUCCESS);
}

And here's the bugcheck analysis:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804eda63, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeWaitForMultipleObjects+23d
804eda63 8902 mov [edx],eax
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from f33f441e to 804eda63

TRAP_FRAME: fca00c84 -- (.trap fffffffffca00c84)
ErrCode = 00000002
eax=8122d090 ebx=8122d090 ecx=811f6e74 edx=00000000 esi=8122d020 edi=00000000
eip=804eda63 esp=fca00cf8 ebp=fca00d28 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!KeWaitForMultipleObjects+0x23d:
804eda63 8902 mov [edx],eax
Resetting default scope

STACK_TEXT:
fca00d28 f33f441e 00000002 fca00da0 00000001 nt!KeWaitForMultipleObjects+0x23d
fca00dac 8057c73a 811f6e00 00000000 00000000 mmtser!PollingThreadRoutine+0x78 [c:\stock\projet\mmtser\readwrite.cpp @ 167]
fca00ddc 805124c1 f33f43a6 811f6e00 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
mmtser!PollingThreadRoutine+78 [c:\stock\projet\mmtser\readwrite.cpp @ 167]
f33f441e 8945b4 mov [ebp-0x4c],eax

SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: mmtser!PollingThreadRoutine+78
MODULE_NAME: mmtser
IMAGE_NAME: mmtser.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 415141ee
STACK_COMMAND: .trap fffffffffca00c84 ; kb
BUCKET_ID: 0xA_W_mmtser!PollingThreadRoutine+78
Followup: MachineOwner

Whilst this may not be the immediate problem, there’s certainly a likely
problem for the future: Your code seems to be running at IRQL=2, which
means that you can’t actually do a wait at that time.

This is not the cause of the crash that you've got here, but it's certainly
not going to help in the future when you've fixed the problem you're seeing
at the moment.

Your current problem is a NULL pointer being used as a destination for a
write. I’m not sure what’s wrong, it all looks OK. I’d step through the
code with a debugger, and see what’s going wrong that way.

Does it go wrong on the first iteration of the loop, or later on?


Mats

xxxxx@lists.osr.com wrote on 09/22/2004 11:40:53 AM:

Questions? First check the Kernel Driver FAQ at http://www.
osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@3dlabs.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

ForwardSourceID:NT00003EA2

Replace the polling thread with a KTIMER - much easier to cancel.
The drawback is that the poll callback will be on DISPATCH - but in your
code it is so anyway.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Launay Ronan”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, September 22, 2004 2:40 PM
Subject: [ntdev] KeWaitForMultipleObjects BSOD


-----Original Message-----

From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: September 22, 2004 7:52 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] KeWaitForMultipleObjects BSOD


Well, crashing at dispatch level does NOT mean his callback has to be at
DISPATCH_LEVEL. KeWaitXxx, KeSetEvent and many other functions will raise the
IRQL from PASSIVE to DISPATCH internally at certain points.

The dump indicated that KeWaitForMultipleObjects was trying to dereference a
NULL pointer. I would:

  1. make sure the call is made at the correct IRQL.
  2. carefully inspect each parameter passed to the function.
  3. Enable DV and/or install the checked build to see if there's a bite.
  4. Disassemble the function to see where the null pointer came from if
    nothing else works. (This one is painful but usually works for me
    eventually).

HTH,
Calvin

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com
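Calvin's first two checks (IRQL and the parameters of the wait) applied to the `!analyze -v` text posted above, as an added example that is not part of this thread: a small Python triage script that pulls the bugcheck arguments, CURRENT_IRQL and the stack frames out of the analysis text and states what they imply. The SAMPLE string is a constructed copy of the relevant lines of the dump above, re-joined where the mail client wrapped them.

```python
"""Triage a WinDbg `!analyze -v` summary for bugcheck 0xA (IRQL_NOT_LESS_OR_EQUAL)."""
import re

# Constructed sample: the relevant lines of the analysis posted in this thread,
# with the STACK_TEXT frames re-joined where the mail client wrapped them.
SAMPLE = r"""IRQL_NOT_LESS_OR_EQUAL (a)
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804eda63, address which referenced memory
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeWaitForMultipleObjects+23d
804eda63 8902 mov [edx],eax
STACK_TEXT:
fca00d28 f33f441e 00000002 fca00da0 00000001 nt!KeWaitForMultipleObjects+0x23d
fca00dac 8057c73a 811f6e00 00000000 00000000 mmtser!PollingThreadRoutine+0x78 [c:\stock\projet\mmtser\readwrite.cpp @ 167]
fca00ddc 805124c1 f33f43a6 811f6e00 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
MODULE_NAME: mmtser
BUCKET_ID: 0xA_W_mmtser!PollingThreadRoutine+78
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# One `kb` frame: child-ebp, return address, three args, symbol, optional [file @ line]
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)(?: \[(.+?) @ (\d+)\])?$")


def parse_analysis(text):
    """Return bugcheck name/code, Arg1..Arg4, CURRENT_IRQL and the STACK_TEXT frames."""
    info = {"args": {}, "frames": [], "irql": None}
    m = re.search(r"^([A-Z_]+) \(([0-9a-f]+)\)$", text, re.M)
    info["name"], info["code"] = m.group(1), int(m.group(2), 16)
    for n, val in re.findall(r"^Arg([1-4]): ([0-9a-f]+),", text, re.M):
        info["args"][int(n)] = int(val, 16)
    m = re.search(r"^CURRENT_IRQL: (\d+)", text, re.M)
    if m:
        info["irql"] = int(m.group(1))
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if not in_stack:
            continue
        m = FRAME_RE.match(line.strip())
        if m:
            info["frames"].append({"symbol": m.group(3), "source": m.group(4),
                                   "line": int(m.group(5)) if m.group(5) else None})
        elif info["frames"]:
            break  # first non-frame line after the frames ends STACK_TEXT
    return info


def triage(info):
    """Turn the parsed fields into the observations a reviewer would make first."""
    findings = []
    if info["code"] == 0xA and len(info["args"]) == 4:
        addr, irql, op, _ip = (info["args"][i] for i in (1, 2, 3, 4))
        access = "write" if op == 1 else "read"
        findings.append(f"{access} to {addr:#010x} at IRQL {irql} "
                        f"({IRQL_NAMES.get(irql, 'unknown')})")
        if addr < 0x10000:
            findings.append("near-NULL address: a NULL or uninitialized pointer "
                            "was dereferenced, not a paged-out buffer")
    frames = info["frames"]
    driver = next((f for f in frames if not f["symbol"].startswith("nt!")), None)
    if driver:
        where = driver["symbol"]
        if driver["source"]:
            where += f" ({driver['source']} line {driver['line']})"
        findings.append("first frame outside the kernel: " + where)
    if frames and frames[0]["symbol"].startswith("nt!KeWait") and driver:
        findings.append("fault is inside the kernel wait routine called from the "
                        "driver: inspect every object in the wait array (an "
                        "uninitialized KEVENT/KTIMER, or a bad Object[] pointer)")
    # CURRENT_IRQL 2 here does not by itself mean the driver called at DISPATCH_LEVEL:
    # KeWaitXxx raises to DISPATCH_LEVEL internally while it touches the wait blocks.
    return findings


if __name__ == "__main__":
    for finding in triage(parse_analysis(SAMPLE)):
        print("-", finding)
```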

It goes wrong on the second iteration, but the original sample says:
// Starting the timer with a zero due time will cause us to perform the
// first poll immediately. Thereafter, polls occur at the POLLING_INTERVAL
so I'm guessing it crashes when it actually really waits for the timer. But
I tried putting the polling interval to 5ms and it crashed on the 6th
iteration.

As a side note, I also changed my code as I wasn't sending the read IRP the
right way.

"Mats PETERSSON" wrote in message
news:xxxxx@ntdev…

Ah, it's OK, I found my mistake.
The problem was in the thread creation function:
I simply wasn't initializing the kill event,
so the NULL pointer :))

Thanks all,
Ronan

"Launay Ronan" wrote in message
news:xxxxx@ntdev…

Instead of dedicating an entire thread to polling the serial port, you can look at the mouser example. It also continuously reads from the serial port, but instead of waiting synchronously, it just resends the read request from the completion routine.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Launay Ronan
Sent: Wednesday, September 22, 2004 8:03 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] KeWaitForMultipleObjects BSOD


