PAGE_FAULT_IN_NON_PAGED_AREA




Hi,

Thanks for pointing out the mistake. I'm attaching the correct dump
trace. This error cannot be reproduced, as they see it at the customer
site once in 5 days or so. Kindly help me out to trace the same.

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ec513000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: ba7dd752, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

READ_ADDRESS: ec513000 Paged pool

FAULTING_IP:
ScdFs!ScdOpenTargetDirectory+25b
ba7dd752 f3a5 rep movsd

MM_INTERNAL_CODE: 1

IMAGE_NAME: ScdFs.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4046570f

MODULE_NAME: ScdFs

FAULTING_MODULE: ba7d9000 ScdFs

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from ba7dc55d to ba7dd752

TRAP_FRAME: b95da688 -- (.trap ffffffffb95da688)
ErrCode = 00000000
eax=000000e0 ebx=e1152420 ecx=00000001 edx=ec512ef0 esi=ec512ffe edi=ec512fcc
eip=ba7dd752 esp=b95da6fc ebp=b95da76c iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
ScdFs!ScdOpenTargetDirectory+0x25b:
ba7dd752 f3a5 rep movsd ds:ec512ffe=??? es:ec512fcc=00320039
Resetting default scope

STACK_TEXT:
b95da76c ba7dc55d 8982d0d8 886a8d70 89627840 ScdFs!ScdOpenTargetDirectory+0x25b
b95da91c ba7db162 8982d0d8 88c2a428 886a8d70 ScdFs!ScdCommonCreate+0xdd1
b95da960 804f0473 89627748 88c2a428 88c2a428 ScdFs!ScdFsdCreate+0x9d
b95da970 8058f898 89747ce0 8827d0ac b95dab24 nt!IofCallDriver+0x3f
b95daa68 8058e482 89747cf8 00000000 8827d008 nt!IopParseDevice+0xab5
b95daae4 8058dbb9 00000000 b95dab24 00000240 nt!ObpLookupObjectName+0x545
b95dab38 8058faa9 00000000 00000000 00000000 nt!ObOpenObjectByName+0xe8
b95dabb4 8058fb7d b95daca8 00100002 b95dac74 nt!IopCreateFile+0x413
b95dac00 805b4b54 b95daca8 00100002 b95dac74 nt!IoCreateFile+0x3d
b95dacac 805a4b67 b95dad14 86e83e08 886f5008 nt!IopOpenLinkOrRenameTarget+0xe3
b95dad48 804dfd24 000003ac 03b4f408 00052bd0 nt!NtSetInformationFile+0x666
b95dad48 7ffe0304 000003ac 03b4f408 00052bd0 nt!KiSystemService+0xd0
03b4f468 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

FOLLOWUP_IP:
ScdFs!ScdOpenTargetDirectory+25b
ba7dd752 f3a5 rep movsd

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: ScdFs!ScdOpenTargetDirectory+25b

STACK_COMMAND: .trap ffffffffb95da688 ; kb

FAILURE_BUCKET_ID: 0x50_ScdFs!ScdOpenTargetDirectory+25b

BUCKET_ID: 0x50_ScdFs!ScdOpenTargetDirectory+25b

Followup: MachineOwner
---------

!pool gives the following error.
I guess that this paged pool region is having some problem.

kd> !pool ec513000
Pool page ec513000 region is Paged pool
ec513000 is not a valid small pool allocation, checking large pool...
ec513000 is not a valid large pool allocation, checking large session pool...
ec513000 is freed (or corrupt) pool
Bad allocation size @ec513000, too large

An error (or corruption) in the pool was detected;
Attempting to diagnose the problem.

Use !poolval ec513000 for more details.

Pool page [ec513000] is INVALID.

Analyzing linked list...

Scanning for single bit errors...

None found

Please provide any suggestions to solve this bug...

Regards,
Priya


Get your Free E-mail at http://freelancewriting.zzn.com
___________________________________________________________
Get your own Web-based E-mail Service at http://www.zzn.com

Hi,

The faulting instruction is a “rep movsd”, so the driver is trying to copy
the contents of ESI into EDI (most likely a string). Note that the faulting
address, ec513000, is on a page boundary. This page boundary also happens to
be the next page after the contents of ESI, so my guess is that this is most
likely a buffer overrun of the source buffer in a copy operation. This guess
is backed up by the second parameter of the bugcheck, which indicates that
it was a read operation that caused the fault.

Is ScdFs your driver?

Regards,

-scott


Scott Noone
Software Engineer
OSR Open Systems Resources, Inc.
http://www.osronline.com




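Scott's reading of the trap frame can be checked mechanically. The program below is an added example written for this thread, not code from OSR or from the ScdFs driver: it parses the esi, edi and ecx values out of the TRAP_FRAME register line from the first post (the copy runs forward, since the flags show "up"), computes the byte ranges the pending rep movsd still has to read and write, and reports whether either range crosses a 4 KiB page boundary. The register-line parser and the 4 KiB page size are assumptions of the example. One caveat a practitioner should keep in mind: rep updates ecx, esi and edi as it goes, so the ranges are what remained to be copied at the moment of the fault, not the whole copy. Here one dword remained, starting two bytes short of ec513000, so the read reaches into the page WinDbg reports in Arg1 while the write stays inside its own page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u   /* assumed x86 page size */

/* Outcome of analysing one pending "rep movsd" from a trap frame. */
struct movsd_span {
    uint32_t src_lo, src_hi;      /* [src_lo, src_hi): bytes the copy reads  */
    uint32_t dst_lo, dst_hi;      /* [dst_lo, dst_hi): bytes the copy writes */
    int src_crosses_page;         /* 1 if the read range spans a page boundary */
    int dst_crosses_page;         /* 1 if the write range spans a page boundary */
    uint32_t first_new_src_page;  /* first page start inside the read range, or 0 */
};

/* Pull "name=hex" out of a WinDbg register line; returns 0 if absent.
 * (Hypothetical helper, assumes WinDbg's "reg=value" spacing.) */
static int reg_value(const char *line, const char *name, uint32_t *out)
{
    char key[8];
    snprintf(key, sizeof key, "%s=", name);
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    *out = (uint32_t)strtoul(p + strlen(key), NULL, 16);
    return 1;
}

/* rep movsd with DF=0 ("up" in the flags) copies ecx dwords forward
 * from ds:esi to es:edi; ecx is the count still remaining at the fault. */
static struct movsd_span analyse_rep_movsd(uint32_t esi, uint32_t edi, uint32_t ecx)
{
    struct movsd_span s;
    uint32_t bytes = ecx * 4u;
    s.src_lo = esi; s.src_hi = esi + bytes;
    s.dst_lo = edi; s.dst_hi = edi + bytes;
    /* A range crosses a page if its first and last byte sit on different pages. */
    s.src_crosses_page = bytes && ((s.src_lo / PAGE_SIZE) != ((s.src_hi - 1) / PAGE_SIZE));
    s.dst_crosses_page = bytes && ((s.dst_lo / PAGE_SIZE) != ((s.dst_hi - 1) / PAGE_SIZE));
    s.first_new_src_page = s.src_crosses_page ? (s.src_lo / PAGE_SIZE + 1) * PAGE_SIZE : 0;
    return s;
}

/* Convenience wrapper over the register line as WinDbg prints it. */
static int analyse_trap_line(const char *line, struct movsd_span *out)
{
    uint32_t esi, edi, ecx;
    if (!reg_value(line, "esi", &esi) || !reg_value(line, "edi", &edi) ||
        !reg_value(line, "ecx", &ecx))
        return 0;
    *out = analyse_rep_movsd(esi, edi, ecx);
    return 1;
}

int main(void)
{
    /* Register line copied from the TRAP_FRAME in the first post of the thread. */
    const char *trap =
        "eax=000000e0 ebx=e1152420 ecx=00000001 edx=ec512ef0 esi=ec512ffe edi=ec512fcc";
    struct movsd_span s;
    if (!analyse_trap_line(trap, &s)) {
        puts("could not parse registers");
        return 1;
    }
    printf("read  [%08x,%08x) crosses page: %s\n", s.src_lo, s.src_hi,
           s.src_crosses_page ? "yes" : "no");
    printf("write [%08x,%08x) crosses page: %s\n", s.dst_lo, s.dst_hi,
           s.dst_crosses_page ? "yes" : "no");
    if (s.src_crosses_page)
        printf("first byte read from the new page: %08x (compare with Arg1)\n",
               s.first_new_src_page);
    return 0;
}
```

Compile with any C compiler and run; for the register line above it reports a source read of four bytes starting at ec512ffe that crosses into ec513000, matching Arg1 and Arg2 of the bugcheck, and a destination write that stays inside page ec512000.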

Hi,

Thanks for the reply.

The instruction where I feel it is failing in the code is:

    /* allocate the destination name buffer (MaximumLength bytes) from paged pool */
    if ((ParentName.Buffer = PScdFsRtlAllocatePool(PagedPool,
                                 pFinalName->MaximumLength)) == NULL)
    {
        Iosb.Status = STATUS_NO_MEMORY;
        try_return(Iosb);
    }

    /* copy Length bytes of the final name into the new buffer */
    RtlCopyBytes((UCHAR*) ParentName.Buffer, (UCHAR*) pFinalName->Buffer,
                 pFinalName->Length);

Here pFinalName->Buffer is the source buffer. How to avoid the
situation when it crosses the page boundary and that page is
corrupted or freed? When do we come across this situation?

I wanted to reproduce the bug in my place so that I can be sure that
the error is in this line. Can you suggest some ways to reproduce the
bug? And also, what is the solution in these cases? What kind of error
checking mechanisms should be provided?

My driver is ScdFS.

Regards,

Priya



> Here pFinalName->Buffer is the source buffer. How to avoid the
> situation when it crosses the page boundary and that page is
> corrupted or freed? When do we come across this situation?

You must not avoid this. All you need to do is
to allocate memory properly and handle
eventual allocation failure(s) gracefully.

> Can you suggest some ways to reproduce the bug?

Build your driver with PDB debug info. Then,
if you have a crash dump, WinDbg will point to the
source file name and line number where the bugcheck occurred
(if it occurred in your driver, of course).

Also, I suggest building a symbol store
usable with Symbol Server, and then integrating
the symbols of your driver into it using SymStore.exe
(part of WinDbg). If you place the symbol integration into
some "PostBuild.bat" file (called after you build the driver),
your debugging with WinDbg will get MUCH more comfortable
and you will have symbols for all versions of your driver.

L.


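Priya's snippet above allocates pFinalName->MaximumLength bytes and copies pFinalName->Length bytes out of pFinalName->Buffer; L.'s advice is to allocate properly and handle allocation failure gracefully. The program below is an added, user-mode model of that step (example code, not the ScdFs driver's own and not a kernel API): NameString stands in for the kernel's UNICODE_STRING, the allocator is passed in so the failure path can be exercised, and the status values are modelled on the NTSTATUS names in the snippet. The descriptor checks reject the inconsistencies that would make the copy read beyond its source (Length larger than MaximumLength, a NULL buffer with a non-zero length, an odd byte count for UTF-16), and a NULL from the allocator is returned as a status rather than dereferenced. These checks catch a bad descriptor; they cannot catch a source page freed from under the driver while the copy is in flight, which is what the !pool output in the first post suggests, and that kind of lifetime bug is normally chased with Driver Verifier's special pool rather than with a check at the copy site.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode model of the kernel's UNICODE_STRING: Length and MaximumLength
 * are byte counts, Buffer holds UTF-16 code units. Hypothetical type for
 * this example, not the driver's own. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} NameString;

/* Status codes modelled on the NTSTATUS names used in the snippet. */
enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1, STATUS_INVALID_PARAMETER = 2 };

/* Allocator hook so the failure path can be exercised; stands in for the
 * driver's PScdFsRtlAllocatePool(PagedPool, ...) call. */
typedef void *(*alloc_fn)(size_t);

/* Copy src into a freshly allocated dst, the way the snippet does, with the
 * checks that make a bad descriptor fail cleanly instead of faulting. */
int copy_name_checked(const NameString *src, NameString *dst, alloc_fn allocate)
{
    dst->Length = dst->MaximumLength = 0;
    dst->Buffer = NULL;

    /* Descriptor sanity: a NULL buffer with a non-zero length, a Length
     * larger than the allocation it lives in, or an odd byte count for
     * UTF-16 all mean the source cannot be trusted for a copy. */
    if (src == NULL || (src->Buffer == NULL && src->Length != 0) ||
        src->Length > src->MaximumLength || (src->Length & 1))
        return STATUS_INVALID_PARAMETER;

    /* Allocate the full MaximumLength so dst stays a consistent descriptor
     * and anything later writing up to MaximumLength has room. */
    if (src->MaximumLength != 0) {
        dst->Buffer = allocate(src->MaximumLength);
        if (dst->Buffer == NULL)
            return STATUS_NO_MEMORY;   /* graceful failure, nothing dereferenced */
    }
    dst->MaximumLength = src->MaximumLength;

    /* Copy only the bytes that are actually in use. */
    if (src->Length != 0)
        memcpy(dst->Buffer, src->Buffer, src->Length);
    dst->Length = src->Length;
    return STATUS_SUCCESS;
}

/* Release a descriptor produced by copy_name_checked. */
void free_name(NameString *s)
{
    free(s->Buffer);
    s->Buffer = NULL;
    s->Length = s->MaximumLength = 0;
}

/* Allocator that always fails, to drive the STATUS_NO_MEMORY path. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

int main(void)
{
    /* Constructed sample name: 8 UTF-16 units in use inside a 32-byte buffer. */
    uint16_t units[16] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    NameString src = { 16, 32, units };
    NameString dst;

    int st = copy_name_checked(&src, &dst, malloc);
    printf("good descriptor: status %d, copied %u of %u bytes\n",
           st, (unsigned)dst.Length, (unsigned)dst.MaximumLength);
    free_name(&dst);

    NameString bad = { 40, 32, units };   /* Length beyond MaximumLength */
    printf("Length > MaximumLength: status %d\n",
           copy_name_checked(&bad, &dst, malloc));

    printf("allocation failure: status %d\n",
           copy_name_checked(&src, &dst, failing_alloc));
    return 0;
}
```

The allocator parameter is the piece worth copying into real driver code under a different name: having the failure path reachable from a unit test is what makes "handle allocation failure gracefully" something you can verify rather than hope for.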


Hi,

The scenario is: the bug is occurring at the customer site and they have
sent the dump file. I'm not able to reproduce the error at my place.
By analyzing the dump file I have guessed that the error can be in
this line. But I wanted to reproduce the same error here, that is, the
source buffer trying to copy data from corrupted pool. How to
reproduce this?

Regards,

Priya



> But I wanted to reproduce the same error here. That is, the
> source buffer trying to copy data from corrupted pool. How to
> reproduce this?

You must know, you're the author :)
I repeat - get the crash dump with a version of your
driver which you have symbols for, then run
WinDbg and try to find it.
I have no better advice :(

L.




Hi,

I have built the PDB file and got the line number where the error has
occurred. But the release version was pointing to a different place
to look at. This PDB is pointing to a completely different
location. Did the error occur at the same line number where the
debugger is pointing, or should I look at the next few lines...

Regards,

Priya



> I have built the PDB file and got the line number where the error has
> occurred. But the release version was pointing to a different place

You must invoke the bugcheck again with the newly built driver.

L.




Yes, with the newly built driver only, I opened the crash dump file.
It pointed out the error at some line in the source code.
Are you referring to this...
I think I have not understood what you are trying to explain...
Can you give some more explanation, as I'm new to tracing bugs using
dump files...



> Yes, with the newly built driver only, I opened the crash dump file.
> It pointed out the error at some line in the source code.
> Are you referring to this...

No, this is not enough. You have to generate a new crash
dump, with the new driver and new debug info.
New builds of drivers could confuse WinDbg so much
that the code points are completely wrong.

So PLEASE, do these steps:

  1. Build a new release of your driver.
  2. Save the PDB file (i.e. the symbols).
  3. Send the newly built driver to the customer,
     OR try to generate a crash dump yourself.
  4. Open the crash dump (make damn well sure that
     you have the proper symbols for your driver -
     don't ignore any warnings about something wrong
     in the symbols that WinDbg might report).

Then you should see the exact line where the bugcheck occurred.

=============== OR =================

If you are good enough in assembler, you will be able to
reconstruct the position in the source code from the assembler
that WinDbg points to as the place of the bugcheck
in the original crash dump.
The advantage of it is that you must not try to
reproduce the bugcheck; the disadvantage
is that it will take a bit (or a lot) longer than if you
have full symbols.

I use both approaches, depending on whether I have
the proper symbols or not.

L.

Thanks for the inputs you have given. Just one more clarification. The
assembly code, when expanding the error location using u ba7dd752,
gives the following output...

ba7dd752 f3a5 rep movsd
ba7dd754 8bc8 mov ecx,eax
ba7dd756 83e103 and ecx,0x3
ba7dd759 f3a4 rep movsb
ba7dd75b 8b750c mov esi,[ebp+0xc]
ba7dd75e 33ff xor edi,edi
ba7dd760 897de0 mov [ebp-0x20],edi
ba7dd763 8a452c mov al,[ebp+0x2c]

While single stepping through the code and looking into the assembly
code, only the following first four lines match, in a few places:

ba7dd752 f3a5 rep movsd
ba7dd754 8bc8 mov ecx,eax
ba7dd756 83e103 and ecx,0x3
ba7dd759 f3a4 rep movsb

-----> From here on the assembly code changes.

My question is: will all the lines of assembly code be similar when
the bug occurs?

