sfilter caused sis.sys crash on w2k

FC1 · May 3, 2005, 11:52am

I have a Windows 2000 server system installed sis.sys and dfs.sys. After I
installed sfilter.sys from latest 2003 IFS kit, it caused the crash when it
reboots. The debug information shows bug check at sis+cf81 location. Does
anyone have this problem before? Is this problem at sis.sys driver or
sfilter.sys driver? I am going to use sfilter as my base driver filter
driver? If anyone has the fix, please post it. Thanks.

OSR_Community_User · May 4, 2005, 2:35am

Get the crash dump, open it in WinDBG, do !analyze -v
and send the call stack here. Maybe someone can
help you.

L.

OSR_Community_User · May 4, 2005, 11:03am

I thik he is running out of stack space. I looked at his code and he has
character bffers on the stack that are very large.

Jamey

----- Original Message -----
From: “Ladislav Zezula”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, May 03, 2005 11:33 PM
Subject: Re: [ntfsd] sfilter caused sis.sys crash on w2k

> Get the crash dump, open it in WinDBG, do !analyze -v
> and send the call stack here. Maybe someone can
> help you.
>
> L.
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@rocketdivision.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> NOD32 1.1087 (20050503) Information
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>

FC1 · May 4, 2005, 4:05pm

Here is the analyze dump:

Opened log file ‘fred.log’
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eb44cf81, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000008, Parameter 1 of the exception

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
sis+cf81
eb44cf81 837e0400 cmp dword ptr [esi+0x4],0x0

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000008

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
00000008

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

LAST_CONTROL_TRANSFER: from 8042c068 to 80452e70

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
eb81aeb0 8042c068 00000003 80409808 00000000 nt!DbgBreakPointWithStatus+0x4
eb81b238 8045249c 00000000 c0000005 eb44cf81 nt!KeBugCheckEx+0x154
eb81bddc 80465b62 8054aca6 80087000 00000000
nt!PsSetCreateThreadNotifyRoutine+0x50
00000000 00000000 00000000 00000000 00000000 nt!KiUnexpectedInterrupt+0x180

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
sis+cf81
eb44cf81 837e0400 cmp dword ptr [esi+0x4],0x0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: sis+cf81

MODULE_NAME: sis

IMAGE_NAME: sis.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3803c152

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Closing open log file fred.log

I also found this crash when it attached to RawDisk and Cdrom drive. Any
crew about that. Thank you for the reply.

fc
“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
> Get the crash dump, open it in WinDBG, do !analyze -v
> and send the call stack here. Maybe someone can
> help you.
>
> L.
>
>

Prokash_Sinha-1 · May 4, 2005, 7:22pm

What is your astrological symbol :-). You are missing it. Fix and repost,
please.

-pro

----- Original Message -----
From: “fc”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, May 04, 2005 1:06 PM
Subject: Re:[ntfsd] sfilter caused sis.sys crash on w2k

> Here is the analyze dump:
>
> Opened log file ‘fred.log’
> kd> !analyze -v
> ***
> *
> * Bugcheck Analysis
> *
>
>
> KMODE_EXCEPTION_NOT_HANDLED (1e)
> This is a very common bugcheck. Usually the exception address pinpoints
> the driver/function that caused the problem. Always note this address
> as well as the link date of the driver/image that contains this address.
> Arguments:
> Arg1: c0000005, The exception code that was not handled
> Arg2: eb44cf81, The address that the exception occurred at
> Arg3: 00000000, Parameter 0 of the exception
> Arg4: 00000008, Parameter 1 of the exception
>
> Debugging Details:
> ------------------
>
> ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
>
>
> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx”
> referenced memory at “0x%08lx”. The memory could not be “%s”.
>
> FAULTING_IP:
> sis+cf81
> eb44cf81 837e0400 cmp dword ptr [esi+0x4],0x0
>
> EXCEPTION_PARAMETER1: 00000000
>
> EXCEPTION_PARAMETER2: 00000008
>
> READ_ADDRESS: unable to get nt!MmPoolCodeEnd
> unable to get nt!MmSpecialPoolEnd
> unable to get nt!MmPagedPoolEnd
> unable to get nt!MmNonPagedPoolEnd
> unable to get nt!MmNonPagedPoolStart
> unable to get nt!MmSpecialPoolStart
> unable to get nt!MmPagedPoolStart
> unable to get nt!MmNonPagedPoolExpansionStart
> unable to get nt!MmPoolCodeStart
> 00000008
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0x1E
>
> LAST_CONTROL_TRANSFER: from 8042c068 to 80452e70
>
> STACK_TEXT:
> WARNING: Stack unwind information not available. Following frames may be
> wrong.
> eb81aeb0 8042c068 00000003 80409808 00000000
> nt!DbgBreakPointWithStatus+0x4
> eb81b238 8045249c 00000000 c0000005 eb44cf81 nt!KeBugCheckEx+0x154
> eb81bddc 80465b62 8054aca6 80087000 00000000
> nt!PsSetCreateThreadNotifyRoutine+0x50
> 00000000 00000000 00000000 00000000 00000000
> nt!KiUnexpectedInterrupt+0x180
>
>
> STACK_COMMAND: .bugcheck ; kb
>
> FOLLOWUP_IP:
> sis+cf81
> eb44cf81 837e0400 cmp dword ptr [esi+0x4],0x0
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: sis+cf81
>
> MODULE_NAME: sis
>
> IMAGE_NAME: sis.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 3803c152
>
> BUCKET_ID: WRONG_SYMBOLS
>
> Followup: MachineOwner
> ---------
>
> Closing open log file fred.log
>
> I also found this crash when it attached to RawDisk and Cdrom drive. Any
> crew about that. Thank you for the reply.
>
> fc
> “Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
>> Get the crash dump, open it in WinDBG, do !analyze -v
>> and send the call stack here. Maybe someone can
>> help you.
>>
>> L.
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · May 5, 2005, 1:14am

Please, do one more thing.
Configure the symbol server (WinDbg help tells you how)
and do !analyze -v again. WinDBg cannot do a good
analysis when your kernel symbols are wrong.
I forgot to write this in my prev mail, sorry for that.

L.

OSR_Community_User · May 5, 2005, 1:17am

On May 5, 2005, at 12:14 AM, Ladislav Zezula wrote:

Please, do one more thing.
Configure the symbol server (WinDbg help tells you how)
and do !analyze -v again. WinDBg cannot do a good
analysis when your kernel symbols are wrong.
I forgot to write this in my prev mail, sorry for that.

I wonder if there’s any chance that the debugger team would check for
a symbol path and run .symfix / .reload when a user calls !analyze -
v without a sympath set (or even without symbols loaded). Now that
the sym server exists, this is the #1 question from WinDbg newbies.

Just a thought.

-sd

Steve Dispensa
MVP - Windows DDK
www.kernelmustard.com

OSR_Community_User · May 5, 2005, 1:39am

> I wonder if there’s any chance that the debugger team would check for

a symbol path and run .symfix / .reload when a user calls !analyze -

Or maybe to examine the _NT_SYMBOL_PATH
environment variable during the installation process.
If doesn’t exist and the Internet connection is available,
then set it to the default value (to MS symbol server).

L.

FC1 · May 5, 2005, 11:01am

Steve,
Yes, this is a good idea. Windbg team should be able to do it. The reason I
did not include the Microsoft symbol path is sometime it will cause the
start up very slow. I always remove it unless it is necessary.

“Steve Dispensa” wrote in message
news:xxxxx@ntfsd…
> On May 5, 2005, at 12:14 AM, Ladislav Zezula wrote:
>> Please, do one more thing.
>> Configure the symbol server (WinDbg help tells you how)
>> and do !analyze -v again. WinDBg cannot do a good
>> analysis when your kernel symbols are wrong.
>> I forgot to write this in my prev mail, sorry for that.
>
> I wonder if there’s any chance that the debugger team would check for a
> symbol path and run .symfix / .reload when a user calls !analyze - v
> without a sympath set (or even without symbols loaded). Now that the sym
> server exists, this is the #1 question from WinDbg newbies.
>
> Just a thought.
>
> -sd
>
>
>
>
>
> ----------------------------------
> Steve Dispensa
> MVP - Windows DDK
> www.kernelmustard.com
>
>