My driver reported "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"

My code:
/************************************************************/
DriverEntry()
{
    WDFMEMORY wdfMem = NULL;
    HANDLE filep = NULL;

    WdfMemoryCreate(WDF_NO_OBJECT_ATTRIBUTES, NonPagedPool, &wdfMem…);
    ZwCreateFile(&filep…);

    if (filep != NULL)
    {
        ZwClose(filep);
        filep = NULL;
    }
    if (wdfMem != NULL)
    {
        WdfObjectDelete(wdfMem);
        wdfMem = NULL;
    }
}
/*************************************************************/

The WinDbg information:

/*************************************************************/
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000e7a, The address that the exception occurred at
Arg3: 8613b444, Exception Record Address
Arg4: 8613b140, Context Record Address

ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to set symbol path and load symbols.

FAULTING_MODULE: 81652000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4be7f4a7

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - “0x%08lx”

FAULTING_IP:
+9747
00000e7a ?? ???

EXCEPTION_RECORD: 8613b444 – (.exr 0xffffffff8613b444)
ExceptionAddress: 00000e7a
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000e7a
Attempt to execute non-executable address 00000e7a

CONTEXT: 8613b140 – (.cxr 0xffffffff8613b140)
eax=00000e7a ebx=8329c218 ecx=00000001 edx=00000000 esi=8329c2c0 edi=7cd63de0
eip=00000e7a esp=8613b50c ebp=8613b52c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
00000e7a ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x7E

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 851b37d2 to 00000e7a

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
8613b508 851b37d2 7cd63de0 00000000 8329c218 0xe7a
8613b52c 85174fd6 8329c218 8329c22c 8613b558 Wdf01000+0x427d2
8613b53c 851b3951 00000000 000004b1 851cc5a8 Wdf01000+0x3fd6
8613b558 851b4198 8329c200 00000000 8329c218 Wdf01000+0x42951
8613b56c 851b431d 8329c200 00000001 7cd63de0 Wdf01000+0x43198
8613b58c 851b0a54 82d4b9d8 00000000 8613b5ac Wdf01000+0x4331d
8613b59c 83619a36 8329c218 00000000 8613b5c8 Wdf01000+0x3fa54

8613b5ac 8361a56e 7cd63de0 00000000 8329c268 dre_panther_ctrl!WdfObjectDelete+0x16 [e:\winddk\7600.16385.0\inc\wdf\kmdf\1.9\wdfobject.h @ 589]
[f:\code\trunk\panther\win_trunk\dev_win\win_beta\soi\osal\km\dre_osal_km.c @ 2514]
8613b5dc 8366d3d7 8329c2c0 82d4b9d8 00000000 dre_panther_ctrl!ZwClose+0x4d [f:\code\trunk\panther\win_trunk\dev_win\win_beta\soi\osal\km\dre_osal_km.c @ 3573]
8613b69c 8366c427 836991f0 00000000 00000000 dre_panther_ctrl![f:\code\trunk\panther\win_trunk\dev_win\win_beta\driver\control\dre_ctrl_priv.c @ 56]
8613b70c 83617b79 82d4b9d8 8308b000 8308b000 dre_panther_ctrl!DriverEntry+0x1b4 [f:\code\trunk\panther\win_trunk\dev_win\win_beta\driver\control\dre_ctrl.c @ 154]
8613b728 817c1376 82d4b9d8 8308b000 8613ba80 dre_panther_ctrl!FxDriverEntryWorker+0x7f [d:\w7rtm\minkernel\wdf\framework\kmdf\src\dynamic\stub\stub.cpp @ 285]
8613b90c 817b58c4 00000000 8613b900 8613b93c nt!IoRegisterFileSystem+0x1566
8613b950 81824243 9308c528 00000001 9308c514 nt!KeAllocateCalloutStack+0x1662
8613b988 81824573 00000001 8613ba80 817b55bb nt!SeMarkLogonSessionForTerminationNotification+0x128b
8613b9f4 817b4cbc 40000000 8000080c 8613ba28 nt!RtlQueryRegistryValues+0x31b
8613bad8 817b44b0 00000000 8613bd00 8329d0c0 nt!KeAllocateCalloutStack+0xa5a
8613bcd4 818cfbdd 8329d0c0 8321b268 8613bd00 nt!KeAllocateCalloutStack+0x24e
8613bd08 8165dac6 8175413c 827fed78 81784500 nt!IoPnPDeliverServicePowerNotification+0x9747
8613bd44 8168a41d 00000000 00000000 827fed78 nt!KeInitializeDeviceQueue+0x47b
8613bd7c 81827a1c 00000000 7eb05410 00000000 nt!KeQuerySystemTime+0x14d
8613bdc0 81680a3e 8168a320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4

FOLLOWUP_IP:
dre_panther_ctrl!WdfObjectDelete+16 [e:\winddk\7600.16385.0\inc\wdf\kmdf\1.9\wdfobject.h @ 589]
83619a36 5d pop ebp

FAULTING_SOURCE_CODE:
585: WDFOBJECT Object
586: )
587: {
588: ((PFN_WDFOBJECTDELETE) WdfFunctions[WdfObjectDeleteTableIndex])(WdfDriverGlobals, Object);

589: }
590:
591: //
592: // WDF Function: WdfObjectQuery
593: //
594: typedef

/*************************************************************/

What shall I do?

WdfFunctions[WdfObjectDeleteTableIndex] does not point to a valid function
address. Make sure it’s properly initialized or avoid function pointers.

//Daniel


It looks like you didn’t initialize something correctly.

How about you show us your entire DriverEntry()?

mm

xxxxx@yahoo.com.cn wrote:

> My code:
> /************************************************************/
> DriverEntry()
> {
>     WDFMEMORY wdfMem = NULL;
>     HANDLE filep = NULL;
>
>     WdfMemoryCreate(WDF_NO_OBJECT_ATTRIBUTES, NonPagedPool, &wdfMem…);
>     ZwCreateFile(&filep…);
>
>     if (filep != NULL)
>     {
>         ZwClose(filep);
>         filep = NULL;
>     }
>     if (wdfMem != NULL)
>     {
>         WdfObjectDelete(wdfMem);
>         wdfMem = NULL;
>     }
> }
> /*************************************************************/

Your code does not show a call to WdfDriverCreate. Are you doing that?
If not, then you haven’t initialized WDF, and many of your WDF calls
will explode.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Please check the return value of WdfMemoryCreate; go ahead and delete the object (memory) only when it was created successfully.


WdfMemoryCreate returns STATUS_SUCCESS if the operation succeeds. Otherwise, this method might return one of the following values:
STATUS_INVALID_PARAMETER
An invalid parameter was detected.
STATUS_INSUFFICIENT_RESOURCES
There was insufficient memory.
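The two points made in the replies above, register the driver with the framework before making any other WDF call, and tear down only what a checked NTSTATUS says was created, are shown below in a user-mode model. This is an added example, not code from the thread or from KMDF: the NTSTATUS values are the real ntstatus.h constants, but the types, the function table and every Model* routine are stand-ins that imitate how the WdfFunctions[] dispatch table only becomes callable after WdfDriverCreate. Calling through an unfilled entry is exactly what a crash with eip at a small non-executable address looks like; the guarded wrapper here returns an error instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NTSTATUS values as in ntstatus.h; everything else below is a host-side model,
   not the KMDF API. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
#define STATUS_INVALID_DEVICE_STATE   ((NTSTATUS)0xC0000184L)
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)

typedef struct _MODEL_MEMORY { size_t size; unsigned char *buffer; } MODEL_MEMORY, *WDFMEMORY;

typedef void     (*PFN_GENERIC)(void);
typedef NTSTATUS (*PFN_MEMORYCREATE)(size_t, WDFMEMORY *);
typedef void     (*PFN_OBJECTDELETE)(WDFMEMORY);
enum { MemoryCreateTableIndex = 0, ObjectDeleteTableIndex = 1, TableEntries = 2 };

/* Stand-in for WdfFunctions[]: the framework fills it when the driver registers.
   Until then an entry is zero or stale, which is what a jump to 00000e7a looks like. */
static PFN_GENERIC g_functions[TableEntries];
static int g_driverCreated;
static int g_forceOom;      /* test hook: make the next create fail */
static int g_liveObjects;   /* leak / double-free detector */

static NTSTATUS FxMemoryCreate(size_t size, WDFMEMORY *out)
{
    if (out == NULL || size == 0) return STATUS_INVALID_PARAMETER;
    if (g_forceOom) return STATUS_INSUFFICIENT_RESOURCES;   /* *out left untouched */
    WDFMEMORY m = calloc(1, sizeof *m);
    if (m == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    m->buffer = calloc(1, size);
    if (m->buffer == NULL) { free(m); return STATUS_INSUFFICIENT_RESOURCES; }
    m->size = size;
    g_liveObjects++;
    *out = m;
    return STATUS_SUCCESS;
}

static void FxObjectDelete(WDFMEMORY m)
{
    free(m->buffer);
    free(m);
    g_liveObjects--;
}

/* Model of WdfDriverCreate: the only call that makes the table usable. */
NTSTATUS ModelDriverCreate(void)
{
    g_functions[MemoryCreateTableIndex] = (PFN_GENERIC)FxMemoryCreate;
    g_functions[ObjectDeleteTableIndex] = (PFN_GENERIC)FxObjectDelete;
    g_driverCreated = 1;
    return STATUS_SUCCESS;
}

/* Guarded dispatch: fail cleanly rather than call through an unfilled entry. */
static NTSTATUS ModelMemoryCreate(size_t size, WDFMEMORY *out)
{
    if (!g_driverCreated || g_functions[MemoryCreateTableIndex] == NULL)
        return STATUS_INVALID_DEVICE_STATE;
    return ((PFN_MEMORYCREATE)g_functions[MemoryCreateTableIndex])(size, out);
}

static NTSTATUS ModelObjectDelete(WDFMEMORY m)
{
    if (!g_driverCreated || g_functions[ObjectDeleteTableIndex] == NULL)
        return STATUS_INVALID_DEVICE_STATE;
    ((PFN_OBJECTDELETE)g_functions[ObjectDeleteTableIndex])(m);
    return STATUS_SUCCESS;
}

void ModelReset(void)
{
    memset(g_functions, 0, sizeof g_functions);
    g_driverCreated = g_forceOom = g_liveObjects = 0;
}

int ModelLiveObjects(void) { return g_liveObjects; }

/* The thread's DriverEntry restructured: register first, keep every create's
   status, and delete only what that status says was created. */
NTSTATUS ModelDriverEntry(int registerDriver, int forceOom)
{
    WDFMEMORY mem = NULL;
    NTSTATUS status;

    g_forceOom = forceOom;
    if (registerDriver && !NT_SUCCESS(status = ModelDriverCreate()))
        return status;

    status = ModelMemoryCreate(64, &mem);
    if (!NT_SUCCESS(status))
        return status;                      /* nothing created, nothing to delete */

    memset(mem->buffer, 0xA5, mem->size);   /* stands in for the real work */

    status = ModelObjectDelete(mem);
    mem = NULL;
    return status;
}

int main(void)
{
    ModelReset(); printf("no WdfDriverCreate : 0x%08X\n", (unsigned)ModelDriverEntry(0, 0));
    ModelReset(); printf("create fails       : 0x%08X\n", (unsigned)ModelDriverEntry(1, 1));
    ModelReset(); printf("normal path        : 0x%08X live=%d\n", (unsigned)ModelDriverEntry(1, 0), ModelLiveObjects());
    return 0;
}
```

The `if (wdfMem != NULL)` guard in the original post only works because WdfMemoryCreate happens to leave the out-parameter alone on failure; keying cleanup on the returned NTSTATUS, as ModelDriverEntry does, does not depend on that.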