I am hitting a bug check which indicates SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION. I can reproduce it by disabling/enabling the driver with the special pool flag set in static verifier. Although it is happening only on a 64-bit system, I don't think it is related to the platform.

Under what circumstances would this happen? What is the special memory pool?
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption.
Typically the current thread's stack backtrace will reveal the guilty party.
Arguments:
Arg1: fffffabec6d62f90, address trying to free
Arg2: fffffabec6d62ff8, address where bits are corrupted
Arg3: 00000000007f4068, (reserved)
Arg4: 0000000000000024, caller is freeing an address where bytes after the end of the allocation have been overwritten
Debugging Details:
*** Error in in reading nt!_ETHREAD @ 0000000000000000
*** Error in in reading nt!_ETHREAD @ 0000000000000000
BUGCHECK_STR: 0xC1_24
SPECIAL_POOL_CORRUPTION_TYPE: 24
DEFAULT_BUCKET_ID: DRIVER_FAULT
CURRENT_IRQL: 2
LOCK_ADDRESS: fffff800011b5ae0 - (!locks fffff800011b5ae0)
Resource @ nt!IopDeviceTreeLock (0xfffff800011b5ae0)
Shared 1 owning threads
Contention Count = 1
Threads: fffffadfe7952760-01<*>
1 total locks, 1 locks currently held
PNP_TRIAGE:
Lock address : 0xfffff800011b5ae0
Thread Count : 1
Thread address: 0xfffffadfe7952760
Thread wait : 0xf85a
LAST_CONTROL_TRANSFER: from fffff800010c8ede to fffff8000104b350
STACK_TEXT:
fffffadfe4a70b48 fffff800010c8ede : fffffabec6d62f90 0000000000000000 00000000000000c1 fffff8000106144e : nt!RtlpBreakWithStatusInstruction
fffffadfe4a70b50 fffff800010ca4c4 : fffff80000000003 00000000000000c1 fffffabec6d62f90 fffffabec6d62ff8 : nt!KiBugCheckDebugBreak+0x1e
fffffadfe4a70bb0 fffff800010502d4 : fffffadfe4a71260 fffffadfe4a71258 fffffadfe4a72000 fffff800013d2f48 : nt!KeBugCheck2+0x676
fffffadfe4a71200 fffff800013e6d74 : 00000000000000c1 fffffabec6d62f90 fffffabec6d62ff8 00000000007f4068 : nt!KeBugCheckEx+0x104
fffffadfe4a71240 fffff80001184292 : fffffabec6d62f90 fffffabec5a70d30 0000000000000001 fffffadfe79cd2e0 : nt!MmFreeSpecialPool+0x334
fffffadfe4a712c0 fffffadfe1e82502 : fffffabec6d1aff0 fffffabec6d64de0 fffffadfe66598a0 fffffabec5a70d30 : nt!ExFreePoolWithTag+0x15c
fffffadfe4a71380 fffffadfe1eab2ac : fffffabec6d62f90 0000000000000284 fffffadfe4a713d8 0000000000000018 : mydriver!operator delete+0x42 [c:\projects\mydriver\software\source\capture\cp.h @ 85]
fffffadfe4a713b0 fffffadfe1e86191 : fffffabec6d62f90 fffffadf00000001 0000000000000000 0000000000000000 : mydriver!GenTunerDemod::`scalar deleting destructor'+0x2c
fffffadfe4a713e0 fffffadfe1e845af : fffffabec5cd6e60 fffffadfe698aae0 fffffa80004a7fd0 fffffadfe669e140 : mydriver!Device::unInit+0x4f1 [c:\projects\mydriver\software\source\capture\devi.cpp @ 1685]
fffffadfe4a716d0 fffffadfe1e676ee : fffffadfe6a197f0 fffffabec5a70d30 fffffadfe69e7320 fffffadfe6a19730 : mydriver!Device::dispatchPnpStop+0x1f [c:\projects\mydriver\software\source\capture\devi.cpp @ 922]
fffffadfe4a71700 fffffadfe1e5f2f5 : fffffadfe66598a0 fffffadfe4a717d0 fffffadfe6a19730 fffffabec5a70d30 : ks!CKsDevice::PnpStop+0xaf
fffffadfe4a71760 fffff800013c6255 : fffffadfe66598a0 fffffadfe4a717d0 fffffabec5a70d30 fffffadfe6b56bf0 : ks!CKsDevice::DispatchPnp+0xf0
fffffadfe4a717a0 fffffadfe4c2b814 : fffffadfe6b15900 fffffabec5a70d30 0000000000000000 fffffabec5a70d30 : nt!IovCallDriver+0x1b5
fffffadfe4a71810 fffff800013c6255 : fffffadfe6afde90 fffffadfe4a718a0 fffffabec5a70d30 fffffadfe6a7cbf0 : ksthunk!CKernelFilterDevice::DispatchIrp+0x294
fffffadfe4a71870 fffff80001226573 : fffffadfe4a71b07 fffffabec5a70d30 fffffadfe6a7cb00 fffffabec5a70d30 : nt!IovCallDriver+0x1b5
fffffadfe4a718e0 fffff800010c494c : fffffadfe6a7cb00 fffffa8001c12e20 fffffadfe7973e40 fffffadfe7973e40 : nt!IopSynchronousCall+0x14a
fffffadfe4a71950 fffff80001336e85 : 000094c0e44b9b90 0000000000000000 fffffa8001c22a70 0000000080000000 : nt!IopRemoveLockedDeviceNode+0x98d
fffffadfe4a71b00 fffff8000133b9db : fffffadfdde4fae8 0000000000000000 fffffa800220b0b0 fffffa8002e6e784 : nt!IopDeleteLockedDeviceNodes+0x135
fffffadfe4a71b60 fffff800012b3364 : 0000000000000000 fffffadfe7984bb0 0000000000000001 fffffa8001c22a70 : nt!PiProcessQueryRemoveAndEject+0x1471
fffffadfe4a71c90 fffff80001056d6c : fffffadfe6723180 fffff80001225960 fffffadfe7952760 fffff800011a69b8 : nt!PiWalkDeviceList+0x255
fffffadfe4a71d00 fffff80001272bae : fffffadfe7952760 0000000000000080 fffffadfe7952760 fffffadfe4673680 : nt!ExpWorkerThread+0x13b
fffffadfe4a71d70 fffff8000102d016 : fffffadfe466b180 fffffadfe7952760 fffffadfe4673680 0000000000000000 : nt!PspSystemThreadStartup+0x3e
fffffadfe4a71dd0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KxStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
mydriver!operator delete+42 [c:\projects\mydriver\software\source\capture\cp.h @ 85]
fffffadf`e1e82502 4883c428 add rsp,0x28
FAULTING_SOURCE_CODE:
    81: if( p )
    82: {
    83:     ExFreePool( p );
    84: }
    85: }
    86:
    87: inline void * _cdecl operator new( size_t sz )
    88: {
    89:     PVOID p = ExAllocatePoolWithTag( NonPagedPool, sz, 'txnC' );
    90:     DbgLogMicroTrace(("generic replacement new size %d got = %p\n", sz, p ) );
SYMBOL_STACK_INDEX: 6
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: mydriver!operator delete+42
MODULE_NAME: mydriver
IMAGE_NAME: mydriver.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4429932d
FAILURE_BUCKET_ID: X64_0xC1_24_VRF_mydriver!operator_delete+42
BUCKET_ID: X64_0xC1_24_VRF_mydriver!operator_delete+42
Followup: MachineOwner
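The following is an added user-mode C model, not code from the original post or from mydriver, of the mechanism behind corruption type 0x24 above: special pool gives each block its own page, places the block at the end of that page, fills the unused tail bytes with a pattern, and only checks that pattern when the block is freed, so a small overrun surfaces in ExFreePool/operator delete rather than at the write. The 16-byte granularity and the 0xA5 fill value are assumptions, not the kernel's real values.

```c
/* Added example, not from the original post: user-mode model of why a special
 * pool tail overrun (corruption type 0x24) is reported only when freeing. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define GRANULARITY 16u    /* assumption: block size rounded up to 16 bytes  */
#define SLACK_FILL  0xA5   /* assumption: pattern written into the tail slack */

typedef struct {
    uint8_t *page;      /* one private page per block, as special pool does */
    size_t requested;   /* bytes the caller asked for */
    size_t rounded;     /* requested rounded up to GRANULARITY */
} sp_block;

/* Block at the very end of its page: a big overrun runs off the page (special
 * pool keeps the next page unmapped, so that faults at once); the slack bytes
 * between requested and rounded get a fill pattern that is checked on free. */
void *sp_alloc(sp_block *b, size_t sz) {
    b->page = aligned_alloc(PAGE_SIZE, PAGE_SIZE);
    if (!b->page) return NULL;
    b->requested = sz;
    b->rounded = (sz + GRANULARITY - 1) & ~(size_t)(GRANULARITY - 1);
    uint8_t *user = b->page + PAGE_SIZE - b->rounded;
    memset(user + sz, SLACK_FILL, b->rounded - sz);
    return user;
}

/* Returns 0 if the slack is intact, else the offset of the first overwritten
 * byte (the analogue of Arg2 - Arg1 in the bugcheck). A write that lands only
 * in the slack is silent until this check, hence the crash in operator delete. */
long sp_free(sp_block *b, uint8_t *user) {
    long bad = 0;
    for (size_t i = b->requested; i < b->rounded && !bad; i++)
        if (user[i] != SLACK_FILL) bad = (long)i;
    free(b->page);
    return bad;
}

/* 100-byte request -> 112-byte block; overrun=1 writes one byte past the end. */
long demo(int overrun) {
    sp_block b;
    uint8_t *p = sp_alloc(&b, 100);
    if (!p) return -1;
    memset(p, 0, overrun ? 101 : 100);   /* off-by-one lands in the slack */
    return sp_free(&b, p);               /* 100 when overrun, else 0 */
}
```

An overrun larger than the slack is not modelled here; in the kernel it would hit the unmapped page that follows and fault immediately instead of waiting for the free.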