Hello,
I developed a driver, “vfums”, and I get random blue screens.
In WinDbg it is impossible to find the source line of the error.
I did specify the *.pdb file directory, and nothing.
Can you please help me find the source line causing the blue screen?
The crash is in function ExFreePool, but it is well managed.
WinDbg:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger.
using .sympath and .sympath+
ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805644a0
Debug session time: Sun Sep 5 18:53:32.599 2010 (GMT+2)
System Uptime: 0 days 0:05:58.437
Loading Kernel Symbols
…
…
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
Loading unloaded module list
…
Bugcheck Analysis
Use !analyze -v to get detailed debugging information.
BugCheck 50, {82000000, 0, 804daed1, 0}
Kernel symbols are WRONG. Please fix symbols to do analysis.
Your debugger is not using the correct symbols
In order for this command to work properly, your symbol path
must point to .pdb files that have full type information.
Certain .pdb files (such as the public OS symbols) do not
contain the required information. Contact the group that
provided you with these symbols if you need this command to
work.
Type referenced: nt!_KPRCB
ERROR: Module load completed but symbols could not be loaded for vfums.sys
Probably caused by : Pool_Corruption ( nt!ExFreePool+3e7 )
Followup: MachineOwner
---------
kd> !analyze -v
Bugcheck Analysis
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 82000000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804daed1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Your debugger is not using the correct symbols
In order for this command to work properly, your symbol path
must point to .pdb files that have full type information.
Certain .pdb files (such as the public OS symbols) do not
contain the required information. Contact the group that
provided you with these symbols if you need this command to
work.
Type referenced: nt!_KPRCB
ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to set symbol path and load symbols.
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 0
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
82000000
FAULTING_IP:
nt!memcpy+33
804daed1 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from 805296be to 80537832
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f51dfa7c 805296be 00000050 82000000 00000000 nt!KeBugCheckEx+0x1b
f51dfacc 804e0f07 00000000 82000000 00000000 nt!KePulseEvent+0xd123
f51dfaf4 805527bb 81e324f8 814eb9f8 81bd7a70 nt!Kei386EoiHelper+0x274d
f51dfb60 f7b92458 81519160 81eb5a2a fffffffe nt!ExFreePool+0x3e7
f51dfc04 f7b92772 814fe528 81e324f8 81e32568 vfums+0x1458
f51dfc20 f7b92962 814fe528 81e324f8 81e32568 vfums+0x1772
f51dfc40 804e19ee 814fe528 81e324f8 80703410 vfums+0x1962
f51dfc64 80582cef 814fe528 81e324f8 81b3cf28 nt!IofCallDriver+0x32
f51dfd00 8058ecc3 00000fd8 00000000 00000000 nt!CcFastCopyRead+0x3c4
f51dfd34 804ddf0f 00000fd8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f51dfd64 7c91eb94 badb0d00 0051f948 00000000 nt!KiDeliverApc+0xbbb
f51dfd68 badb0d00 0051f948 00000000 00000000 0x7c91eb94
f51dfd6c 0051f948 00000000 00000000 00000000 0xbadb0d00
f51dfd70 00000000 00000000 00000000 00000000 0x51f948
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePool+3e7
805527bb e9e2feffff jmp nt!ExFreePool+0x2ce (805526a2)
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ExFreePool+3e7
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Pool_Corruption
MODULE_NAME: Pool_Corruption
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
kd> !analyze -v
Bugcheck Analysis
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 82000000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804daed1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Kernel symbols are WRONG. Please fix symbols to do analysis.
Your debugger is not using the correct symbols
In order for this command to work properly, your symbol path
must point to .pdb files that have full type information.
Certain .pdb files (such as the public OS symbols) do not
contain the required information. Contact the group that
provided you with these symbols if you need this command to
work.
Type referenced: nt!_KPRCB
PEB is paged out (Peb.Ldr = 7ffde00c). Type “.hh dbgerr001” for details
ADDITIONAL_DEBUG_TEXT:
Use ‘!findthebuild’ command to search for the target build information.
If the build information is available, run ‘!findthebuild -s ; .reload’ to set symbol path and load symbols.
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 0
READ_ADDRESS: 82000000
FAULTING_IP:
nt!memcpy+33
804daed1 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from 805296be to 80537832
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f51dfa7c 805296be 00000050 82000000 00000000 nt!KeBugCheckEx+0x1b
f51dfacc 804e0f07 00000000 82000000 00000000 nt!KePulseEvent+0xd123
f51dfaf4 805527bb 81e324f8 814eb9f8 81bd7a70 nt!Kei386EoiHelper+0x274d
f51dfb60 f7b92458 81519160 81eb5a2a fffffffe nt!ExFreePool+0x3e7
f51dfc04 f7b92772 814fe528 81e324f8 81e32568 vfums+0x1458
f51dfc20 f7b92962 814fe528 81e324f8 81e32568 vfums+0x1772
f51dfc40 804e19ee 814fe528 81e324f8 80703410 vfums+0x1962
f51dfc64 80582cef 814fe528 81e324f8 81b3cf28 nt!IofCallDriver+0x32
f51dfd00 8058ecc3 00000fd8 00000000 00000000 nt!CcFastCopyRead+0x3c4
f51dfd34 804ddf0f 00000fd8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f51dfd64 7c91eb94 badb0d00 0051f948 00000000 nt!KiDeliverApc+0xbbb
f51dfd68 badb0d00 0051f948 00000000 00000000 0x7c91eb94
f51dfd6c 0051f948 00000000 00000000 00000000 0xbadb0d00
f51dfd70 00000000 00000000 00000000 00000000 0x51f948
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePool+3e7
805527bb e9e2feffff jmp nt!ExFreePool+0x2ce (805526a2)
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ExFreePool+3e7
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Pool_Corruption
MODULE_NAME: Pool_Corruption
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
kd> lmvm Pool_Corruption
start end module name
WARNING: Non-directory path: ‘C:\source\sivaller\vfums\v0.1\sys\vfums\obj\chk\i386\vfums.pdb’