While testing our filter with Symantec software I found a memory leak. It is happening
only when our and Symantec's FS filters are working together. I tested with TrendMicro and
other anti-virus software too. The problem is observed only with Symantec…
1: kd> !verifier 1
Verify Level fb … enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
Deadlock detection enabled
Enhanced Io checking enabled
DMA checking enabled
Pool Allocations Attempted 0x1068a6
Pool Allocations Succeeded 0x1068a6
Pool Allocations Succeeded SpecialPool 0x1068a6
Pool Allocations With NO TAG 0x0
Pool Allocations Failed 0x0
Resource Allocations Failed Deliberately 0x0
Current paged pool allocations 0xdc5 for 00C30130 bytes
Peak paged pool allocations 0xfb8 for 00C99F3C bytes
Current nonpaged pool allocations 0x26b for 00057AB8 bytes
Peak nonpaged pool allocations 0x295 for 000787AC bytes
> If the source of problems is going from my filter what is the basic steps
> that I should to do to find it?
I guess that this is from a live system? Are you a minifilter? If so,
unload and see whether you are leaking anything; you will find out & get to
look at the tags.
Otherwise you’re going to have to run/watch/run/watch to see which of the
drivers is growing in pool usage (or have you done this and the 12Mb of
Paged Pool is the suspect?) and then pick through !verifier 3 to spot
potentially guilty Tag & CallersAddress. That should give you a good lead
for where to go next (assuming that the filter in question is reasonably
well behaved with respect to use of tags and doesn’t do all its allocation
through helper routines which can destroy information).
Do you know whether the filter is behaving OK when your filter isn’t
working?
>> If the source of problems is going from my filter what is the basic
>> steps that I should to do to find it?
RW> I guess that this is from a live system? Are you a minifilter? If
RW> so, unload and see whether you are leaking anything; you will find
RW> out & get to look at the tags.
No, it is not a minifilter.
RW> Otherwise you’re going to have to run/watch/run/watch to see which
RW> of the drivers is growing in pool usage (or have you done this and
RW> the 12Mb of Paged Pool is the suspect?) and then pick through
RW> !verifier 3 to spot potentially guilty Tag & CallersAddress. That
RW> should give you a good lead for where to go next (assuming that the
RW> filter in question is reasonably well behaved with respect to use of
RW> tags and doesn’t do all its allocation through helper routines which
RW> can destroy information).
RW> Do you know whether the filter is behaving OK when your filter isn’t
RW> working?
It seems that the problem is on my side. I forgot that I can’t trust Verifier when I use
LookasideList… (I should take advantage of !poolused instead).
I would suggest looking at any pool tags to see what tag if any is present,
but the data below indicates every allocation is tagged. If memory jumps
during times of stressing the file system, allow the system to go idle for
several minutes to allow any memory that is being held for ‘just in case’
situations to be released. Simplify your system to only one partition on
one drive being used and if you can cause it there, it may be easier to
find. This can be a different partition from the system/boot drive so
normal OS activity won’t make things more difficult.
“Eugene Lomovsky” wrote in message news:xxxxx@ntfsd…
> Hello, All!
>
> While testing our filter with Symantec software I found a memory leak. It
> is happening only when our and Symantec FS filters are working together.
> I tested with TrendMicro and other anti-virus software too. The problem
> observed only with Symantec…
>
> 1: kd> !verifier 1
>
> Verify Level fb … enabled options are:
> Special pool
> Special irql
> All pool allocations checked on unload
> Io subsystem checking enabled
> Deadlock detection enabled
> Enhanced Io checking enabled
> DMA checking enabled
>
> Summary of All Verifier Statistics
>
> RaiseIrqls 0x0
> AcquireSpinLocks 0x26c807
> Synch Executions 0x0
> Trims 0x160353
>
> Pool Allocations Attempted 0x1068a6
> Pool Allocations Succeeded 0x1068a6
> Pool Allocations Succeeded SpecialPool 0x1068a6
> Pool Allocations With NO TAG 0x0
> Pool Allocations Failed 0x0
> Resource Allocations Failed Deliberately 0x0
>
> Current paged pool allocations 0xdc5 for 00C30130 bytes
> Peak paged pool allocations 0xfb8 for 00C99F3C bytes
> Current nonpaged pool allocations 0x26b for 00057AB8 bytes
> Peak nonpaged pool allocations 0x295 for 000787AC bytes
>
> Driver Verification List
>
> Entry    State  NonPagedPool PagedPool Module
>
> 82ab4f08 Loaded 00000f90     00000000  ourdriver1.sys
> 82ab4e80 Loaded 0001cfe8     00000188  oufilter.sys
> 82ab4df8 Loaded 000034c4     00000074  ourdriver2.sys
> 82ab4d78 Loaded 00000958     00000000  aksifdh.sys
> 82ab4cb0 Loaded 00000c5c     00bb11f0  savrt.sys
> 82ab4c28 Loaded 0003419c     0000cd6c  symevent.sys
> 82ab4ba0 Loaded 00000000     000018dc  savrtpel.sys
> 82ab4b20 Loaded 00000e5c     000706fc  symtdi.sys
> 82ab4a98 Loaded 000000d0     00000000  symredrv.sys
>
> 1: kd> !lmi savrt.sys
> Loaded Module Info: [savrt.sys]
> Module: savrt
> Base Address: f7f24000
> Image Name: savrt.sys
> Machine Type: 332 (I386)
> Time Stamp: 430f857b Sat Aug 27 01:11:23 2005
> Size: 58000
> CheckSum: 5fae7
> Characteristics: 10e
> Debug Data Dirs: Type Size VA Pointer
> CODEVIEW 58, 416c, 2f6c RSDS - GUID: {F9EEC8B1-8EF0-48F1-8230-8A4F494B9C47}
> Age: 1, Pdb: C:\bld_area\AutoProtect_r9.7\AutoProtect\Src\bin.iruk\savrt.pdb
> Symbol Type: DEFERRED - No error - symbol load deferred
> Load Report: no symbols loaded
>
> On Performance page in Task Manager Paged Kernel memory grows constantly.
>
> If the source of problems is going from my filter what is the basic steps
> that I should to do to find it?
>
> Eugene.
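The run/watch/run/watch comparison suggested in the thread can be scripted by saving the "Driver Verification List" from `!verifier 1` at two points in time and diffing the per-module pool columns. The following is an added example, not code from any poster: the function names are hypothetical, the first snapshot reuses rows from the quoted post, and the second snapshot is constructed for illustration.

```python
import re

# One row of the "Driver Verification List" printed by `!verifier 1`:
#   Entry  State  NonPagedPool  PagedPool  Module
# Leading "> " quote markers are tolerated so mailed logs can be pasted as-is.
ROW = re.compile(
    r"^\s*(?:>\s*)*([0-9a-f]{8})\s+(\w+)\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s*$",
    re.I,
)

def parse_verifier_list(text):
    """Return {module: (nonpaged_bytes, paged_bytes)} from !verifier 1 output."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _entry, _state, npp, pp, module = m.groups()
            pools[module.lower()] = (int(npp, 16), int(pp, 16))
    return pools

def pool_growth(before, after):
    """Rank modules by total (nonpaged + paged) growth between two snapshots."""
    rows = []
    for module, (npp1, pp1) in after.items():
        npp0, pp0 = before.get(module, (0, 0))  # module loaded after snapshot 1
        rows.append((module, npp1 - npp0, pp1 - pp0))
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)

# Snapshot 1: rows copied from the quoted post.
SNAP1 = """\
Entry State NonPagedPool PagedPool Module
82ab4e80 Loaded 0001cfe8 00000188 oufilter.sys
82ab4cb0 Loaded 00000c5c 00bb11f0 savrt.sys
82ab4c28 Loaded 0003419c 0000cd6c symevent.sys
82ab4b20 Loaded 00000e5c 000706fc symtdi.sys
"""
# Snapshot 2: constructed values, for illustration only.
SNAP2 = """\
Entry State NonPagedPool PagedPool Module
82ab4e80 Loaded 0001d0e8 00000188 oufilter.sys
82ab4cb0 Loaded 00000c5c 00cb11f0 savrt.sys
82ab4c28 Loaded 0003419c 0000cd6c symevent.sys
82ab4b20 Loaded 00000e5c 000706fc symtdi.sys
"""

if __name__ == "__main__":
    growth = pool_growth(parse_verifier_list(SNAP1), parse_verifier_list(SNAP2))
    for module, d_npp, d_pp in growth:
        print(f"{module:14} nonpaged {d_npp:+#x}  paged {d_pp:+#x}")
```

The module at the top of the ranking is the one whose tags and caller addresses to pick through next. As noted in the thread, the poster did not trust the Verifier figures for a driver using lookaside lists and turned to `!poolused` instead.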