Hi,
I've encountered a weird crash that was probably caused by my volume upper
filter driver.
The crash occurs inside the path of a read IRP in the HAL (read I/Os are
usually skipped by my filter).
Any help on how to further analyze this crash is appreciated.
I was using the new WinDbg 6.6.0.35 debugger, and had all the right symbol
locations (including the public Microsoft symbol server); however, the
debugger still complained about missing OS symbols.
Thanks,
Eran.
Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\dump\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is:
SRV*\SANPRO02\Company\software\win2000\symbols*http://msdl.microsoft.com/download/symbols;c:\dump
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free
x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Thu Dec 22 11:38:44.187 2005 (GMT+2)
System Uptime: 1 days 15:59:57.937
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrpamp.exe -
Loading Kernel Symbols
.....................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
Loading unloaded module list
..
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {ae9b9000, 2, 0, 80a5cf30}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : memory_corruption
Followup: memory_corruption
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ae9b9000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80a5cf30, address which referenced memory
Debugging Details:
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 0
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
ae9b9000
CURRENT_IRQL: 2
FAULTING_IP:
hal!HalpMovntiCopyBuffer+18
80a5cf30 8b06 mov eax,[esi]
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 80a5cf30 to 8088bdd3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ba1f0600 80a5cf30 badb0d00 00000000 f728e79d nt!Kei386EoiHelper+0x28d3
ba1f0680 80a579d6 baf48000 ae9b9000 00001000 hal!HalpMovntiCopyBuffer+0x18
ba1f06a0 80a5878b ae9b9000 8b4db048 00001000 hal!HalpCopyBufferMap+0xb6
ba1f06ec 80a57c00 8b514748 89cb38d0 014db048 hal!HalpMapTransfer+0x179
ba1f073c 80a57d3d 8b5e5ab8 00000000 8b4db048 hal!HalpAllocateAdapterCallback+0xa2
ba1f0768 80a58bee 02514748 898f5ab8 886787b4 hal!IoFreeAdapterChannel+0xdb
ba1f0788 80a582f7 02514748 8b524064 00000002 hal!HalAllocateAdapterChannel+0x13a
ba1f07b4 f728d48c 8b514748 8b5e5ab8 00000060 hal!HalBuildScatterGatherList+0x26f
ba1f07e4 f728bb73 8b5e5cf8 8b5e5ab8 898f5ab8 storport!RaidDmaBuildScatterGatherList+0x2c
ba1f0820 f728bbc5 8b5e5cf8 88678700 ba1f0854 storport!RaidAdapterScatterGatherExecute+0x49
ba1f0830 f7292e8c 8b5e5b70 88678768 8b4d9e18 storport!RaidAdapterExecuteXrb+0x21
ba1f0854 f728e2d5 00000000 00000001 00000000 storport!RaUnitStartIo+0x9c
ba1f0874 f729224b 8b4d9e18 006a23c8 00000000 storport!RaidStartIoPacket+0x49
ba1f0894 f7293418 8b4d9d08 886a23c8 8863da68 storport!RaidUnitSubmitRequest+0x4d
ba1f08b0 f728d726 8b4d9d08 886a23c8 ba1f08d4 storport!RaUnitScsiIrp+0x90
ba1f08c0 8081dce5 8b4d9c50 886a23c8 89c1da30 storport!RaDriverScsiIrp+0x2a
ba1f08d4 f7265a20 89c1da30 03f42040 ba1f0918 nt!IofCallDriver+0x45
ba1f08e4 f7265635 89c1da30 8b3c50e8 8863db8c CLASSPNP!SubmitTransferPacket+0xbb
ba1f0918 f7265712 00000000 00001000 8863da68 CLASSPNP!ServiceTransferRequest+0x1e4
ba1f093c 8081dce5 8b3c5030 00000000 8b525678 CLASSPNP!ClassReadWrite+0x159
ba1f0950 f74c80cf 8b3add70 8863dbb0 ba1f0974 nt!IofCallDriver+0x45
ba1f0960 8081dce5 8b3dea90 8863da68 8863dbd4 PartMgr!PmReadWrite+0x95
ba1f0974 f7317053 8864ddf8 8b50d900 8863da68 nt!IofCallDriver+0x45
ba1f0990 8081dce5 8b3adcb8 8863da68 8863dbf8 ftdisk!FtDiskReadWrite+0x1a9
ba1f09a4 f72c0720 8b525b60 00000001 89eb26f0 nt!IofCallDriver+0x45
ba1f09bc 8081dce5 89eb26f0 8863da68 8b391e10 volsnap!VolSnapRead+0x52
ba1f09d0 f7af234f 89f1df0c 00000001 ba1f09f4 nt!IofCallDriver+0x45
ba1f09e0 f7af322a 89f1de50 8863da68 00000000 TDPS
ba1f09f4 f7af3b9b 89f1de50 8863da68 00000001 TDPS
ba1f0a34 8081dce5 89f1de50 8863da68 8863da68 TDPS
ba1f0a48 f7b500ce 89917c20 ba1f0aac f7b5b3c7 nt!IofCallDriver+0x45
ba1f0a54 f7b5b3c7 8864ddf8 89f1de50 0b885400 Ntfs!NtfsSingleAsync+0x91
ba1f0aac f7b5734f 8864ddf8 8863da68 89917c20 Ntfs!NtfsVolumeDasdIo+0x12c
ba1f0b98 f7b508de 8864ddf8 8863da68 00000001 Ntfs!NtfsCommonRead+0x1d5
ba1f0c3c 8081dce5 8989a020 8863da68 89e57f38 Ntfs!NtfsFsdRead+0x113
ba1f0c50 f7243c53 89e57f38 8863da68 00000000 nt!IofCallDriver+0x45
ba1f0c78 8081dce5 89880ee8 8863da68 898f9b80 fltmgr!FltpDispatch+0x6f
ba1f0c8c 808f4797 8863dbf8 8863da68 898b1c38 nt!IofCallDriver+0x45
ba1f0ca0 808f196b 89880ee8 8863da68 898b1c38 nt!NtWriteFile+0x2923
ba1f0d38 80888c6c 0000028c 00000000 00000000 nt!NtReadFile+0x5cf
ba1f0d64 7c82ed54 badb0d00 0258f468 00000000 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb64
ba1f0d68 badb0d00 0258f468 00000000 00000000 0x7c82ed54
ba1f0d78 00000000 00000000 00000000 00000000 TDTCP!_TdiSubmitRequest+0x52
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80888d69 - nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+c61
[05:06]
8088d1c2-8088d1d3 18 bytes - nt!KiDispatchInterrupt+262 (+0x4459)
[d8 0f 22 d8 c3 0f 20 e0:e0 25 7f ff ff ff 0f 22]
8088d1da - nt!KiDispatchInterrupt+27a (+0x18)
[c3:00]
20 errors : !nt (80888d69-8088d1da)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
1: kd> !irql
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
nt!_KPRCB.DebuggerSavedIRQL not found.
Saved IRQL not available prior to Windows Server 2003