PortCls crash in DataRangeIntersection after dynamic subdevice removed successfully

More PortCls woes with dynamic subdevices and perhaps this one is a bug in
PortCls?

The scenario:
Windows XP SP2 (free) PortCls version 5.1.2600.2180

A dynamic subdevice has been unregistered successfully (STATUS_SUCCESS
returned from IUnregisterSubdevice::UnregisterSubdevice ) and prior to that
all physical connections to the subdevice were also unregistered successfully.

The subdevice is instantiated, however, in KSSTUDIO (it was instantiated
prior to unregistering). When I right-click in KSSTUDIO on an (it happens
to be output) Pin on the subdevice, PortCls bugchecks in
portcls!CPortWaveCyclic::DataRangeIntersection() with a NULL pointer
reference.

The big question: Why in the world would PortCls think it could run
DataRangeIntersection on an unregistered subdevice? !ks.dump shows that the
Miniport is NULL, the Filter List is empty, and the Pin List is empty.

Is this a bug in PortCls? It seems to me it must be in the sense that a
perfectly reasonable (but invalid) request was sent into it from usermode
and it bugchecked.

It seems that portcls!CPortWaveCyclic::DataRangeIntersection() is simply the
following (based on Windbg disassembly window):

NTSTATUS
CPortWaveCyclic::DataRangeIntersection( )
{
    return m_Miniport->DataRangeIntersection( );
}

which would be pretty sad when m_Miniport is NULL (like after deregistering
the SubDevice).

Thanks,
-dave

Here is the data from Windbg:

Access violation - code c0000005 (!!! second chance !!!)
portcls!CPortWaveCyclic::DataRangeIntersection+0x14:
f95e2820 8b08 mov ecx,dword ptr [eax]
1: kd> kv
ChildEBP RetAddr Args to Child
f7bee9a0 f95d773a 81953010 00000000 81ac3940 portcls!CPortWaveCyclic::DataRangeIntersection+0x14 (FPO: [Non-Fpo])
f7bee9c8 f95d76f9 81975ae0 00000000 f73b1498 portcls!GenerateFormatFromRange+0x27 (FPO: [Non-Fpo])
f7beea54 f95d782a 81975ae0 00000000 81ac3940 portcls!ValidateTypeAndSpecifier+0x17d (FPO: [Non-Fpo])
f7beea84 f962b5e5 81975ae0 81ac3918 81ac3940 portcls!PinIntersectHandler+0x3d (FPO: [Non-Fpo])
f7beeaa0 f962b473 f95d77ed 81975ae0 81ac3918 ks!CompatibleIntersectHandler+0x16 (FPO: [Non-Fpo])
f7beeaf0 f962b5c6 81975ae0 81ac3918 00000000 ks!KsPinDataIntersectionEx+0x474 (FPO: [Non-Fpo])
f7beeb18 f95d77e6 81975ae0 81ac3918 00000000 ks!KsPinDataIntersection+0x23 (FPO: [Non-Fpo])
f7beeb44 f9629e98 81975ae0 81ac3918 00000000 portcls!PcPinPropertyHandler+0x72 (FPO: [Non-Fpo])
f7beeba8 f9629ec9 81975ae0 00000003 e1e68b80 ks!KspPropertyHandler+0x602 (FPO: [Non-Fpo])
f7beebcc f95d6603 81975ae0 00000003 e1e68b80 ks!KsPropertyHandler+0x19 (FPO: [Non-Fpo])
f7beebe0 f95d8a85 81975ae0 00000003 e1e68b80 portcls!PcHandlePropertyWithTable+0x1b (FPO: [Non-Fpo])
f7beec14 f95d669d 819e0c88 819a8690 81975ae0 portcls!CPortFilterTopology::DeviceIoControl+0xb2 (FPO: [Non-Fpo])
f7beec30 f9629f85 819a8690 81975ae0 f7beec64 portcls!DispatchDeviceIoControl+0x49 (FPO: [Non-Fpo])
f7beec40 804ef095 819a8690 81975ae0 806e4410 ks!DispatchDeviceIoControl+0x28 (FPO: [Non-Fpo])
f7beec50 8057e70a 81975b74 819f6ae0 81975ae0 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f7beec64 8057f56d 819a8690 81975ae0 819f6ae0 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
f7beed00 805780c2 000000dc 00000134 00000000 nt!IopXxxControlFile+0x5c5 (FPO: [Non-Fpo])
f7beed34 8054086c 000000dc 00000134 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
f7beed34 7c90eb94 000000dc 00000134 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f7beed64)
0006f430 7c90d8ef 7c8016be 000000dc 00000134 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
1: kd> r
eax=00000000 ebx=81ac3940 ecx=f95d2890 edx=aa0001bf esi=81ac3940 edi=81ac3970
eip=f95e2820 esp=f7bee994 ebp=f7bee9a0 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
portcls!CPortWaveCyclic::DataRangeIntersection+0x14:
f95e2820 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=???
1: kd> gn

Fatal System Error: 0x0000008e
(0xC0000005,0xF95E2820,0xF7BEE920,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list

Bugcheck Analysis

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, f95e2820, f7bee920, 0}

ERROR: Module load completed but symbols could not be loaded for KsStudio.exe
Probably caused by : portcls.sys ( portcls!CPortWaveCyclic::DataRangeIntersection+14 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052a834 cc int 3
1: kd>
1: kd> !analyze -v

Bugcheck Analysis

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f95e2820, The address that the exception occurred at
Arg3: f7bee920, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
portcls!CPortWaveCyclic::DataRangeIntersection+14
f95e2820 8b08 mov ecx,dword ptr [eax]

TRAP_FRAME: f7bee920 – (.trap 0xfffffffff7bee920)
ErrCode = 00000000
eax=00000000 ebx=81ac3940 ecx=f95d2890 edx=aa0001bf esi=81ac3940 edi=81ac3970
eip=f95e2820 esp=f7bee994 ebp=f7bee9a0 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
portcls!CPortWaveCyclic::DataRangeIntersection+0x14:
f95e2820 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=???
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: KsStudio.exe

LAST_CONTROL_TRANSFER: from 804f8cb1 to 8052a834

STACK_TEXT:
f7bee09c 804f8cb1 00000003 f7bee3f8 00000000 nt!RtlpBreakWithStatusInstruction
f7bee0e8 804f989c 00000003 00000000 f7bee8cc nt!KiBugCheckDebugBreak+0x19
f7bee4c8 804f9deb 0000008e c0000005 f95e2820 nt!KeBugCheck2+0x574
f7bee4e8 804fe6bb 0000008e c0000005 f95e2820 nt!KeBugCheckEx+0x1b
f7bee8b0 805412d5 f7bee8cc 00000000 f7bee920 nt!KiDispatchException+0x3b1
f7bee918 80541286 f7bee9a0 f95e2820 badb0d00 nt!CommonDispatchException+0x4d
f7bee9a0 f95d773a 81953010 00000000 81ac3940 nt!Kei386EoiHelper+0x18a
f7bee9a0 f95d773a 81953010 00000000 81ac3940 portcls!GenerateFormatFromRange+0x27
f7bee9c8 f95d76f9 81975ae0 00000000 f73b1498 portcls!GenerateFormatFromRange+0x27
f7beea54 f95d782a 81975ae0 00000000 81ac3940 portcls!ValidateTypeAndSpecifier+0x17d
f7beea84 f962b5e5 81975ae0 81ac3918 81ac3940 portcls!PinIntersectHandler+0x3d
f7beeaa0 f962b473 f95d77ed 81975ae0 81ac3918 ks!CompatibleIntersectHandler+0x16
f7beeaf0 f962b5c6 81975ae0 81ac3918 00000000 ks!KsPinDataIntersectionEx+0x474
f7beeb18 f95d77e6 81975ae0 81ac3918 00000000 ks!KsPinDataIntersection+0x23
f7beeb44 f9629e98 81975ae0 81ac3918 00000000 portcls!PcPinPropertyHandler+0x72
f7beeba8 f9629ec9 81975ae0 00000003 e1e68b80 ks!KspPropertyHandler+0x602
f7beebcc f95d6603 81975ae0 00000003 e1e68b80 ks!KsPropertyHandler+0x19
f7beebe0 f95d8a85 81975ae0 00000003 e1e68b80 portcls!PcHandlePropertyWithTable+0x1b
f7beec14 f95d669d 819e0c88 819a8690 81975ae0 portcls!CPortFilterTopology::DeviceIoControl+0xb2
f7beec30 f9629f85 819a8690 81975ae0 f7beec64 portcls!DispatchDeviceIoControl+0x49
f7beec40 804ef095 819a8690 81975ae0 806e4410 ks!DispatchDeviceIoControl+0x28
f7beec50 8057e70a 81975b74 819f6ae0 81975ae0 nt!IopfCallDriver+0x31
f7beec64 8057f56d 819a8690 81975ae0 819f6ae0 nt!IopSynchronousServiceTail+0x60
f7beed00 805780c2 000000dc 00000134 00000000 nt!IopXxxControlFile+0x5c5
f7beed34 8054086c 000000dc 00000134 00000000 nt!NtDeviceIoControlFile+0x2a
f7beed34 7c90eb94 000000dc 00000134 00000000 nt!KiFastCallEntry+0xfc
0006f430 7c90d8ef 7c8016be 000000dc 00000134 ntdll!KiFastSystemCallRet
0006f434 7c8016be 000000dc 00000134 00000000 ntdll!ZwDeviceIoControlFile+0xc
0006f494 01036034 000000dc 002f0003 000a7fa0 kernel32!DeviceIoControl+0x78
WARNING: Stack unwind information not available. Following frames may be wrong.
0006f4d8 0103613b 000000dc 002f0003 000a7fa0 KsStudio+0x36034
0006f504 01036182 000000dc 000a7fa0 000000d8 KsStudio+0x3613b
0006f584 0102c21c 000000dc 000a7fa0 000000d8 KsStudio+0x36182
0006f5bc 0102a797 00000000 000701ec 73dd6773 KsStudio+0x2c21c
0006f5f8 7e423b9c 73dd6745 000901de 00000110 KsStudio+0x2a797
0006f664 7e423591 00000000 73dd6745 000901de USER32!UserCallDlgProcCheckWow+0xf0
0006f6ac 7e43e561 00000000 00000110 000701ec USER32!DefDlgProcWorker+0xa8
0006f6c8 7e418734 000901de 00000110 000701ec USER32!DefDlgProcA+0x22
0006f6f4 7e418816 7e43e53f 000901de 00000110 USER32!InternalCallWinProc+0x28
0006f75c 7e41c63f 00000000 7e43e53f 000901de USER32!UserCallWinProcCheckWow+0x150
0006f78c 7e41f65d 7e43e53f 000901de 00000110 USER32!CallWindowProcAorW+0x98
0006f7ac 73dd216b 7e43e53f 000901de 00000110 USER32!CallWindowProcA+0x1b
0006f7cc 73dd21ec 00000110 000701ec 00000000 MFC42!CWnd::DefWindowProcA+0x44
0006f7e0 73dea83b 00a5d7e0 00000000 73dd2047 MFC42!CWnd::Default+0x27
0006f7ec 73dd2047 000701ec 00000000 00a5d7e0 MFC42!CDialog::HandleInitDialog+0x56
0006f86c 73dd1b9b 00000110 000701ec 73e7b0e8 MFC42!CWnd::OnWndMsg+0x485
0006f88c 73dd1b05 00000110 000701ec 00000000 MFC42!CWnd::WindowProc+0x24
0006f8ec 73dd1a58 00a5d7e0 84c800c4 00000110 MFC42!AfxCallWndProc+0x91
0006f90c 73e6847d 000901de 00000110 000701ec MFC42!AfxWndProc+0x36
0006f938 7e418734 000901de 00000110 000701ec MFC42!AfxWndProcBase+0x39
0006f964 7e418816 73e68444 000901de 00000110 USER32!InternalCallWinProc+0x28
0006f9cc 7e41b89b 00000000 73e68444 000901de USER32!UserCallWinProcCheckWow+0x150
0006fa08 7e4243e0 0047a090 00476608 000701ec USER32!SendMessageWorker+0x4a5
0006fac0 7e424704 00000000 0047a090 00000414 USER32!InternalCreateDialog+0x9df
0006fae4 7e439b0b 01000000 01072170 0007012a USER32!CreateDialogIndirectParamAorW+0x33
0006fb04 73ddf11e 01000000 01072170 0007012a USER32!CreateDialogIndirectParamA+0x1b
0006fb6c 73de6a08 01072170 00a00048 01000000 MFC42!CWnd::CreateDlgIndirect+0x175
0006fbb0 010317ef cece9bc2 00768b00 01005b70 MFC42!CDialog::DoModal+0xc2
0006fbdc 01031f6d 00a5d7e0 00a5d860 73dd24c0 KsStudio+0x317ef
0006fbf8 73dd23bf 00768b00 0000802e 00000000 KsStudio+0x31f6d
0006fc28 73dd2aee 0000802e 00000000 00000000 MFC42!CCmdTarget::OnCmdMsg+0x10a
0006fc58 73dd3244 0000802e 00000000 00000000 MFC42!CView::OnCmdMsg+0x20
0006fca8 73dd1bf1 00000000 00000000 00768b00 MFC42!CWnd::OnCommand+0x53
0006fd28 73dd1b9b 00000111 0000802e 00000000 MFC42!CWnd::OnWndMsg+0x2f
0006fd48 73dd1b05 00000111 0000802e 00000000 MFC42!CWnd::WindowProc+0x24
0006fda8 73dd1a58 00768b00 00000000 00000111 MFC42!AfxCallWndProc+0x91
0006fdc8 73e6847d 00070152 00000111 0000802e MFC42!AfxWndProc+0x36
0006fdf4 7e418734 00070152 00000111 0000802e MFC42!AfxWndProcBase+0x39
0006fe20 7e418816 73e68444 00070152 00000111 USER32!InternalCallWinProc+0x28
0006fe88 7e4189cd 00000000 73e68444 00070152 USER32!UserCallWinProcCheckWow+0x150
0006fee8 7e4196c7 0106571c 00000001 0106571c USER32!DispatchMessageWorker+0x306
0006fef8 73dd125a 0106571c 00000001 010656e8 USER32!DispatchMessageA+0xf
0006ff08 73ddb55f 010656e8 010656e8 0006ffc0 MFC42!CWinThread::PumpMessage+0x3c
0006ff20 73ddcf95 01067da4 000823e0 00000000 MFC42!CWinThread::Run+0x48
0006ff30 0104c172 01000000 00000000 000823e0 MFC42!AfxWinMain+0x6a
0006ffc0 7c816fd7 00380036 00350032 7ffde000 KsStudio+0x4c172

STACK_COMMAND: kb

FOLLOWUP_IP:
portcls!CPortWaveCyclic::DataRangeIntersection+14
f95e2820 8b08 mov ecx,dword ptr [eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: portcls

IMAGE_NAME: portcls.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f13

SYMBOL_NAME: portcls!CPortWaveCyclic::DataRangeIntersection+14

FAILURE_BUCKET_ID: 0x8E_portcls!CPortWaveCyclic::DataRangeIntersection+14

BUCKET_ID: 0x8E_portcls!CPortWaveCyclic::DataRangeIntersection+14

Followup: MachineOwner
---------

1: kd> .trap 0xfffffffff7bee920
ErrCode = 00000000
eax=00000000 ebx=81ac3940 ecx=f95d2890 edx=aa0001bf esi=81ac3940 edi=81ac3970
eip=f95e2820 esp=f7bee994 ebp=f7bee9a0 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
portcls!CPortWaveCyclic::DataRangeIntersection+0x14:
f95e2820 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=???
1: kd> lmvmportcls
start end module name
f95c6000 f95e9980 portcls (pdb symbols) C:\SYMBOLS\CACHE\portcls.pdb\9380C119FB254169B3415C54DEF742F52\portcls.pdb
Loaded symbol image file: portcls.sys
Image path: \SystemRoot\system32\drivers\portcls.sys
Image name: portcls.sys
Timestamp: Wed Aug 04 02:15:47 2004 (41107F13)
CheckSum: 0002E05C
ImageSize: 00023980
File version: 5.1.2600.2180
Product version: 5.1.2600.2180
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.9 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: portcls.sys
OriginalFilename: portcls.sys
ProductVersion: 5.1.2600.2180
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
FileDescription: Port Class (Class Driver for Port/Miniport Devices)
LegalCopyright: © Microsoft Corporation. All rights reserved.
1: kd> !ks.dump 81953010 7
—> INITIALIZING KS DEBUGGER EXTENSION
—> This will only happen once… please wait…
—> Checking KS symbols… please wait…
—> KS symbols seem ok…
—> Initializing all LibExt modules…
—> This may take a few moments as symbols / modules are validated
—> Please wait…
—> LibExt modules initialized and validated

Wave Cyclic Port 81953008:
Miniport : 00000000
Driver : 819a8690 [\Driver\btiaa2dp]
Filter List:
No filters exist!
Pin List :
No pins present
Event List :
No enabled events!

This bug isn’t in the current code (a null MiniPort returns failing status), so it got fixed at some point post XP SP2. I can try to look into this further tomorrow (no time at the moment).


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Tuesday, July 24, 2007 10:43 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] PortCls crash in DataRangeIntersection after dynamic subdevice removed successfully

More PortCls woes with dynamic subdevices and perhaps this one is a bug in PortCls?

The scenario:
Windows XP SP2 (free) PortCls version 5.1.2600.2180

A dynamic subdevice has been unregistered successfully (STATUS_SUCCESS returned from IUnregisterSubdevice::UnregisterSubdevice ) and prior to that all physical connections to the subdevice were also unregistered successfully.

The subdevice is instantiated, however, in KSSTUDIO (it was instantiated prior to unregistering). When I right-click in KSSTUDIO on an (it happens to be output) Pin on the subdevice, PortCls bugchecks in portcls!CPortWaveCyclic::DataRangeIntersection() with a NULL pointer reference.

The big question: Why in the world would PortCls think it could run DataRangeIntersection on an unregistered subdevice? !ks.dump shows that the Miniport is NULL, the Filter List is empty, and the Pin List is empty.

Is this a bug in PortCls? It seems to me it must be in the sense that a perfectly reasonable (but invalid) request was sent into it from usermode and it bugchecked.

It seems that portcls!CPortWaveCyclic::DataRangeIntersection() is simply the following (based on Windbg disassembly window):

NTSTATUS
CPortWaveCyclic::DataRangeIntersection( )
{
    return m_Miniport->DataRangeIntersection( );
}

which would be pretty sad when m_Miniport is NULL (like after deregistering the SubDevice).

Thanks,
-dave


Bob,

I appreciate you looking into this. If you have a moment to unearth the
fix-point for this issue and whether or not it made it into a QFE for
Win2K-SP4+ I would appreciate that feedback as well. When I make my
request to a UAA PM to get the QFE(s) necessary I would like to know what I
am asking for if possible. Fishing never seems to work well…

Regards & Thanks,
-dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Bob Kjelgaard
Sent: Tuesday, July 24, 2007 4:27 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] PortCls crash in DataRangeIntersection after dynamic
subdevice removed successfully

This bug isn’t in the current code (a null MiniPort returns failing status),
so it got fixed at some point post XP SP2. I can try to look into this
further tomorrow (no time at the moment).
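
The failure mode discussed in this thread, and the kind of guard Bob describes ("a null MiniPort returns failing status"), modelled in user mode as an added example; this is not PortCls source. `Port`, `Miniport` and `RunScenario` are hypothetical names, and `STATUS_UNSUCCESSFUL` is an assumed choice because the thread does not say which failing status is returned.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>
#include <utility>

// Local stand-ins so the model builds without the WDK (values as in ntstatus.h).
using NTSTATUS = std::int32_t;
constexpr NTSTATUS STATUS_SUCCESS = 0;
constexpr NTSTATUS STATUS_UNSUCCESSFUL = static_cast<NTSTATUS>(0xC0000001);

// Hypothetical miniport: only the call the crash went through is modelled.
struct Miniport {
    int calls = 0;
    NTSTATUS DataRangeIntersection() { ++calls; return STATUS_SUCCESS; }
};

// Hypothetical port object. As in the thread, a handle opened before the
// subdevice was unregistered can still deliver requests to it afterwards.
class Port {
public:
    void Register(std::shared_ptr<Miniport> mp) {
        std::lock_guard<std::mutex> guard(lock_);
        miniport_ = std::move(mp);
    }

    // Unregistering drops the port's reference; the member becomes null.
    void Unregister() {
        std::lock_guard<std::mutex> guard(lock_);
        miniport_.reset();
    }

    // Shape reported from the XP SP2 disassembly: forward without checking.
    // After Unregister() this dereferences null, so the demo never calls it.
    NTSTATUS DataRangeIntersectionUnguarded() {
        return miniport_->DataRangeIntersection();
    }

    // Guarded shape: take a private reference under the lock, then test it.
    // Holding the reference also keeps the miniport alive if Unregister()
    // runs on another thread between the test and the call.
    NTSTATUS DataRangeIntersection() {
        std::shared_ptr<Miniport> mp;
        {
            std::lock_guard<std::mutex> guard(lock_);
            mp = miniport_;
        }
        if (!mp) {
            return STATUS_UNSUCCESSFUL;  // assumed status; see lead-in
        }
        return mp->DataRangeIntersection();
    }

private:
    std::mutex lock_;
    std::shared_ptr<Miniport> miniport_;
};

struct ScenarioResult {
    NTSTATUS before;     // request while the subdevice is registered
    NTSTATUS after;      // same request after unregistration
    int miniportCalls;   // how many requests actually reached the miniport
};

// Replays the sequence from the report: open, unregister, query the pin.
ScenarioResult RunScenario() {
    auto mp = std::make_shared<Miniport>();
    Port port;
    port.Register(mp);
    NTSTATUS before = port.DataRangeIntersection();
    port.Unregister();
    NTSTATUS after = port.DataRangeIntersection();
    return ScenarioResult{before, after, mp->calls};
}

int main() {
    ScenarioResult r = RunScenario();
    std::printf("before=0x%08x after=0x%08x miniport calls=%d\n",
                static_cast<unsigned>(r.before),
                static_cast<unsigned>(r.after), r.miniportCalls);
    return 0;
}
```
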



From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Tuesday, July 24, 2007 10:43 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] PortCls crash in DataRangeIntersection after dynamic
subdevice removed successfully

More PortCls woes with dynamic subdevices and perhaps this one is a bug in
PortCls?

The scenario:
Windows XP SP2 (free) PortCls version 5.1.2600.2180

A dynamic subdevice has been unregistered sucessfully (STATUS_SUCCESS
returned from IUnregisterSubdevice::UnregisterSubdevice ) and prior to that
all physical connections to the subdevce were also unregistered sucessfully.

The subdevice is instantiated, however, in KSSTUDIO (it was instantiated
prior to unregistering). When I right-click in KSSTUDIO on an (it happens
to be output) Pin on the subdevice, PortCls bugchecks in
portcls!CPortWaveCyclic::DataRangeIntersection() with a NULL pointer
reference.

The big question: Why in the world would PortCls think it could run
DataRangeIntersection on an unregistered subdevice? !ks.dump shows that the
Miniport is NULL, the Filter List is empty, and the Pin List is empty.

Is this a bug in PortCls? It seems to me it must be in the sense that a
perfectly reasonable (but invalid) request was sent into it from usermode
and it bugchecked.

It seems that portcls!CPortWaveCyclic::DataRangeIntersection() is simply the
following (based on Windbg dissassembly window):

NTSTATUS
CPortWaveCyclic::DataRangeIntersection( ) {
return m_Miniport->DataRangeIntersection( ) }

which would be pretty sad when m_Miniport is NULL (like after deregistering
the SubDevice).

Thanks,
-dave

Here is the data from Windbg:


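The guard described in this reply (a null miniport returns a failing status), as an added example that is not part of the thread and not PortCls source: a user-mode C++ model in which a client handle outlives subdevice unregistration. The class and method names, the lock, and the use of STATUS_DEVICE_NOT_READY as the failing status are assumptions for illustration.

```cpp
#include <cstdint>
#include <memory>
#include <mutex>
#include <utility>

// Constructed user-mode model; names and the status choice are assumptions.
using NTSTATUS = std::int32_t;
constexpr NTSTATUS STATUS_SUCCESS = 0;
constexpr NTSTATUS STATUS_DEVICE_NOT_READY = static_cast<NTSTATUS>(0xC00000A3);

struct Miniport {
    int calls = 0;
    NTSTATUS DataRangeIntersection() { ++calls; return STATUS_SUCCESS; }
};

class Port {
    std::mutex lock_;
    std::shared_ptr<Miniport> miniport_;
public:
    explicit Port(std::shared_ptr<Miniport> m) : miniport_(std::move(m)) {}

    // Models unregistration: the port drops its miniport while client
    // handles (KSSTUDIO in the thread) may still be open on the filter.
    void UnregisterSubdevice() {
        std::lock_guard<std::mutex> g(lock_);
        miniport_.reset();
    }

    // Pattern the original post infers from the XP SP2 disassembly: forward
    // unconditionally. Kept for contrast; after unregistration it hits NULL.
    NTSTATUS DataRangeIntersectionUnchecked() {
        return miniport_->DataRangeIntersection();
    }

    // Guarded form: take a counted reference under the lock, then call
    // outside it. A NULL check alone would still race with unregistration.
    NTSTATUS DataRangeIntersection() {
        std::shared_ptr<Miniport> mp;
        {
            std::lock_guard<std::mutex> g(lock_);
            mp = miniport_;
        }
        if (!mp) return STATUS_DEVICE_NOT_READY;  // fail the request instead
        return mp->DataRangeIntersection();
    }
};

// Replays the reported sequence: handle open, unregister, then query the pin.
NTSTATUS QueryAfterUnregister() {
    Port port(std::make_shared<Miniport>());
    if (port.DataRangeIntersection() != STATUS_SUCCESS) return -1;
    port.UnregisterSubdevice();
    return port.DataRangeIntersection();
}
int main() { return QueryAfterUnregister() == STATUS_DEVICE_NOT_READY ? 0 : 1; }
```
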

Well, you can tell Hakon I said “Hi” (but while that won’t get a negative response [us Scandinavians have to stick together!], I don’t expect it to really help much either ;->).

I believe I actually fixed this one (might even have identified it, suppose I can find out when I see where the change was made- bug report is almost always part of the data)- not that it matters- it just has that familiar feel to it. I’ll try to track what I can for it, but I can’t get to the level of QFEs myself (don’t have access to those DB, AFAIK). Since QFEs have to be requested, there may not even be one, yet.

I’m afraid further followup will take longer than usual for me, though- I’ve got a slew of “fires” to put out this morning, some will take a lot of time.

If you’re considering options, I’ve been thinking that if you release the port after you unregister the subdevice, then redo PcCreatePort up through PcRegisterSubdevice again (you may need to create a new id string by adding a digit or something, like “WaveCyclicn”), it may prove a viable workaround. The original port should go away when the last file handles (the ones KSStudio has open) close, so this shouldn’t leak anything. But I haven’t tried it, and this is again a place where the wdm audio list might provide much better guidance than I can.

Tim Roberts (IIRC) has posted the list URL a few times over the last year (try searching NTDEV for “wdmaudio” or “wdmaudiodev”?)- used to have link in my browser, but I guess it dropped off somewhere.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of David R. Cattley
Sent: Wednesday, July 25, 2007 6:18 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] PortCls crash in DataRangeIntersection after dynamic subdevice removed successfully

Bob,

I appreciate you looking into this. If you have a moment to unearth the
fix-point for this issue and whether or not it made it into a QFE for
Win2K-SP4+ I would appreciate that feedback as well. When I make my
request to a UAA PM to get the QFE(s) necessary I would like to know what I
am asking for if possible. Fishing never seems to work well…

Regards & Thanks,
-dave

Bob Kjelgaard wrote:

Well, you can tell Hakon I said “Hi” (but while that won’t get a negative response [us Scandinavians have to stick together!], I don’t expect it to really help much either ;->).

But I haven’t tried it, and this is again a place where the wdm audio list might provide much better guidance than I can.

Tim Roberts (IIRC) has posted the list URL a few times over the last year (try searching NTDEV for “wdmaudio” or “wdmaudiodev”?)- used to have link in my browser, but I guess it dropped off somewhere.

http://www.wdmaudiodev.com. Or you can send a message with the subject
“subscribe” to xxxxx@freelists.org.

It is a low-volume list (handful of posts a week), and there are a lot
of extremely competent audio people there. I’m afraid I’ve made a boob
of myself several times by pretending to have more expertise than I
turned out to have. I now listen a lot more than I contribute.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.