two drivers attached to same stack?

Hi, I am seeing a BSOD due to Unexpected Kernel Mode Trap: Exception Double Fault
due to stack overflow (which was confirmed by looking at ESP and the stack limit).

When I review the stack I can see SymEvent (Norton anti-virus) as part of our thread’s call stack. This seems strange to me.

Can I conclude it to be a problem with SymEvent, or is there something that I can do to avert this situation?


kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it’s a trap of a kind
that the kernel isn’t allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

BUGCHECK_STR: 0x7f_8

TSS:  00000028 -- (.tss 0x28)
eax=00000000 ebx=ee83d118 ecx=82278df8 edx=82250450 esi=ee83d098 edi=ee83cf7c
eip=804eae6a esp=ee83d000 ebp=ee83d014 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!MmAccessFault+0x2:
804eae6a 55 push ebp
Resetting default scope

DEFAULT_BUCKET_ID: CODE_CORRUPTION

PROCESS_NAME: System

TRAP_FRAME:  ee83d304 -- (.trap 0xffffffffee83d304)
ErrCode = 00000000
eax=82339ef0 ebx=00000000 ecx=e182e0d0 edx=8239d280 esi=e182e008 edi=ee83e838
eip=f8400486 esp=ee83d378 ebp=ee83e624 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
Ntfs!NtfsBackoutFailedOpensPriv:
f8400486 7811 js Ntfs!NtfsBackoutFailedOpensPriv+0x13 (f8400499) [br=1]
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e3718 to 804eae6a

STACK_TEXT:
ee83cffc 804e3718 00000000 ee83cf7c 00000000 nt!MmAccessFault+0x2
ee83cffc 804db5aa 00000000 ee83cf7c 00000000 nt!KiTrap0E+0xcc
ee83d118 804e57f7 823b9770 82250450 82250450 nt!_chkstk+0xe
ee83d1f4 804fbc23 00000000 81b297a0 81b297b0 nt!IopfCallDriver+0x31
ee83d208 804fbc4a 81b319d8 81b2970c 81b297b8 nt!IopPageReadInternal+0xf4
ee83d228 804fb8af 82278df8 81b297d8 81b297b8 nt!IoPageRead+0x1b
ee83d29c 804f26d1 1d8ec860 f8400486 c03e1000 nt!MiDispatchFault+0x274
ee83d2ec 804e3718 00000000 f8400486 00000000 nt!MmAccessFault+0x5bc
ee83d2ec f8400486 00000000 f8400486 00000000 nt!KiTrap0E+0xcc
ee83d374 f83f1695 81ad0d60 81b514d0 e182e008 Ntfs!NtfsBackoutFailedOpensPriv
ee83d38c 804e464c ee83d3f4 804e45b1 ffffffff Ntfs!NtfsCreateNewFile+0xd69
ee83d3b0 804e4565 ee83e614 ffffffff ee83d3dc nt!_NLG_Return2
ee83d3dc 804dd49a ee83d44c ee83e614 ee83d4f8 nt!_except_handler3+0xd5
ee83d400 804dd46b ee83d44c ee83e614 ee83d4f8 nt!ExecuteHandler2+0x26
ee83d7c8 804e45a9 ee83e948 804e45a9 00000000 nt!ExecuteHandler+0x24
ee83d7f0 804e4505 ee83e948 ee83d814 00000000 nt!_global_unwind2+0x18
ee83d814 804dd49a ee83d8f8 ee83e948 ee83d948 nt!_except_handler3+0x75
ee83d838 804dd46b ee83d8f8 ee83e948 ee83d948 nt!ExecuteHandler2+0x26
ee83d8e8 804de6a1 ee83d8f8 ee83d948 c00000d8 nt!ExecuteHandler+0x24
ee83dc1c f8397290 c00000d8 ccb4d400 81ad0d60 nt!ExRaiseStatus+0xb5
ee83dc34 f83ef043 81ad0d60 c00000d8 00000000 Ntfs!NtfsRaiseStatus+0xa0
ee83dc64 f83ea749 81ad0d60 00000000 00000008 Ntfs!MakeRoomForAttribute+0xd0
ee83dc88 f83c2963 81ad0d60 e7034138 00000068 Ntfs!NtfsChangeAttributeSize+0x4e
ee83de5c f83c2ead 81ad0d60 e7034200 ee83de84 Ntfs!NtfsAddAttributeAllocation+0x67f
ee83df18 f83d215d 81ad0d60 8227bd10 e7034200 Ntfs!NtfsAddAllocation+0x386
ee83df58 f83d2207 81ad0d60 e7034200 0000000c Ntfs!NtfsExtendDataStream+0xcf
ee83e02c f83d23e1 81ad0d60 e7034338 ee83e04c Ntfs!NtfsAllocateRecord+0x58d
ee83e0b0 f83d2e9d 81ad0d60 e7034200 ee83e168 Ntfs!GetIndexBuffer+0xd5
ee83e1e4 f83d2eda 81ad0d60 e7034200 ee83e328 Ntfs!InsertWithBufferSplit+0xac
ee83e23c f83c7319 81ad0d60 e7034200 ee83e328 Ntfs!AddToIndex+0x14b
ee83e35c f83c6797 81ad0d60 e7034200 e7784380 Ntfs!NtfsAddIndexEntry+0xbf
ee83e3e0 f83c6826 81ad0d60 e7034200 e182e008 Ntfs!NtfsAddNameToParent+0x1b6
ee83e428 f83c7b17 81ad0d60 00000001 e7034200 Ntfs!NtfsAddLink+0x77
ee83e624 f83bac37 81ad0d60 82339d60 82339ef0 Ntfs!NtfsCreateNewFile+0x87a
ee83e878 f83b7f64 81ad0d60 82339d60 ee83e8d0 Ntfs!NtfsCommonCreate+0x12ce
ee83e958 804e57f7 823b9770 82339d60 82339d60 Ntfs!NtfsFsdCreate+0x1ec
ee83e968 f84580c4 82339f0c 823066f8 82339d60 nt!IopfCallDriver+0x31
ee83e998 804e57f7 823ba4d0 82339ef0 823ba6c0 fltMgr!FltpCreate+0x154
ee83e9a8 f843b90e 82339f38 823056a8 ee83ea64 nt!IopfCallDriver+0x31
ee83e9f4 804e57f7 823ba6c0 00000005 82339f5c sr!SrCreate+0x1e8
ee83ea04 efc98741 82339f38 82339f5c ee83ea64 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ee83ea2c efc9fd70 823ba608 00000000 ee83ea64 SYMEVENT+0x7741
ee83ea48 efc987b9 ee83ea64 804eaa39 efc98880 SYMEVENT+0xed70
ee83ea88 804e57f7 81cad120 82339d60 82339d60 SYMEVENT+0x77b9
ee83eb08 805715ca 82352698 81a3784c ee83ecb0 nt!IopfCallDriver+0x31
ee83ebe8 805653ec 823526b0 00000000 81a377a8 nt!IopParseDevice+0xa12
ee83ec70 8056951a 00000000 ee83ecb0 00000040 nt!ObpLookupObjectName+0x56a
ee83ecc4 80571aa3 00000000 00000000 c33a0800 nt!ObOpenObjectByName+0xeb
ee83ed40 80571b72 e1251468 00120116 ee83eed4 nt!IopCreateFile+0x407
ee83ed9c 80571ca8 e1251468 00120116 ee83eed4 nt!IoCreateFile+0x8e
ee83eddc 804e07ec e1251468 00120116 ee83eed4 nt!NtCreateFile+0x30
ee83eddc 804de9b1 e1251468 00120116 ee83eed4 nt!KiFastCallEntry+0xf8
ee83ee80 ef9aa1b2 e1251468 00120116 ee83eed4 nt!ZwCreateFile+0x11
ee83eeec efa19a42 e185c018 00000001 00000000 OurFSD+0x361b2
ee83ef48 ef9d323e e62c0038 e562302c 00000000 OurFSD+0xa5a42
ee83f1bc ef9d62e8 e62c000c 00000000 ee83f2c0 OurFSD+0x5f23e
ee83f1e4 ef9f4213 ee83f2b4 ee83fcb0 00000000 OurFSD+0x622e8
ee83f2d0 ef9fb945 ee83f37c e6b30bec 00000176 OurFSD+0x80213
ee83f3b0 ef9fb615 ee83f488 ee83f664 ef989a72 OurFSD+0x87945
ee83f4d4 ef9f9202 ee83f630 ee83f7e4 00000000 OurFSD+0x87615
ee83f6e4 ef9f76f8 ee83f7c4 00000000 81a7bda8 OurFSD+0x85202
ee83f8fc ef9f36c0 ee83f980 ee83fbd8 ee83fc14 OurFSD+0x836f8
ee83f9ac ef9f34e9 ee83fac8 ee83fbd8 ee83fc14 OurFSD+0x7f6c0
ee83fb04 ef9ebca7 ee83fc50 ee83fbd8 ee83fc14 OurFSD+0x7f4e9
ee83fc88 ef9d649e e123900c e23ff8de e7033144 OurFSD+0x77ca7
ee83fce4 ef9b9310 e7ce1ccc 00000000 81a7bda8 OurFSD+0x6249e
ee83fd28 ef9d828e 822c0a10 e7ce1ccc 81b77368 OurFSD+0x45310
ee83fd70 ef9b074a 822c0a10 e63cfae4 e63cfaf0 OurFSD+0x6428e
ee83fdac 8057f17b 822c0a10 00000000 00000000 OurFSD+0x3c74a
ee83fddc 804fa27a ef9b0700 822c0a10 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

CHKIMG_EXTENSION: !chkimg -lo 50 -db !nt
12 errors : !nt (804e4724-804e4a87)
804e4720 bf f4 64 80 *f0 *a9 *f9 *81 f2 3f 4e 80 14 a2 65 80 ...d...?N...e.
804e47a0 27 94 5d 80 c2 71 59 80 61 aa 63 80 *50 *53 *ca *ef '.]...qY.a.c.PS...
804e4a80 d6 c8 5a 80 *80 *55 *ca *ef a5 83 61 80 d3 78 64 80 ...Z...U...a...xd.

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: STRIDE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_STRIDE

BUCKET_ID: MEMORY_CORRUPTION_STRIDE

Followup: memory_corruption

xxxxx@yahoo.co.in wrote:

Hi, I am seeing a BSOD due to Unexpected Kernel Mode Trap: Exception Double Fault
due to stack overflow (which was confirmed by looking at ESP and the stack limit).

When I review the stack I can see SymEvent (Norton anti-virus) as part of our thread’s call stack. This seems strange to me.

In any given file system stack there can be as many filters in the stack
as there are products installed … in other words there can be MANY
filters in the stack. Since there is only 12KB of stack space to play
with, every filter must be careful in how they implement their code. For
instance I see in the below call stack that your driver burns up nearly
4KB of space before making a call into the ZwCreateFile() API. This API,
or any path along the IRP_MJ_CREATE handler processing path, is known to
consume lots of stack space.

Can I conclude it to be a problem with SymEvent, or is there something that I can do to avert this situation?

They (NAV) use up barely 90 bytes of stack space so no, the problem is
in your code, not theirs. As well, this is your worker thread, it is
your responsibility to write better code and not consume 1/3 of the
kernel stack prior to making your call down the stack.

Pete



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

The first thing that I would do is fix your excessive stack consumption. Based on ChildEBP values, assuming the stack trace is correct (ee83eed4 - ee83fddc), it looks like you managed to use nearly a whole page worth of stack before even getting to ZwCreateFile. Each x86 kernel stack has only three pages, so you’re taking up nearly a whopping 1/3 of it just in your driver alone.

You should use the pool instead of stack for all but the smallest local variables.

Btw: The kvn command is useful in stack overflow situations as it has the debugger calculate the stack cost per frame for you automagically.

  • S
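The ChildEBP arithmetic that Pete and S describe above (frame cost = difference between adjacent ChildEBP values, summed per module, and the 12KB three-page limit), done over the frames from the listing in this thread. This is an added example, not code from any of the posters; the listing is embedded as constructed input starting at the IopfCallDriver frame above SYMEVENT, and the stack base is assumed to be the page boundary just above the outermost frame.

```python
"""Per-module kernel stack cost from an x86 WinDbg STACK_TEXT listing."""
import re

PAGE = 0x1000
KERNEL_STACK_PAGES = 3  # x86 kernel stack is three pages (12KB), as stated in the thread

# Constructed input: the frames from the thread's !analyze -v output, beginning at
# the IopfCallDriver frame that sits just above SYMEVENT (earlier frames omitted).
STACK_TEXT = """\
ee83ea04 efc98741 82339f38 82339f5c ee83ea64 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ee83ea2c efc9fd70 823ba608 00000000 ee83ea64 SYMEVENT+0x7741
ee83ea48 efc987b9 ee83ea64 804eaa39 efc98880 SYMEVENT+0xed70
ee83ea88 804e57f7 81cad120 82339d60 82339d60 SYMEVENT+0x77b9
ee83eb08 805715ca 82352698 81a3784c ee83ecb0 nt!IopfCallDriver+0x31
ee83ebe8 805653ec 823526b0 00000000 81a377a8 nt!IopParseDevice+0xa12
ee83ec70 8056951a 00000000 ee83ecb0 00000040 nt!ObpLookupObjectName+0x56a
ee83ecc4 80571aa3 00000000 00000000 c33a0800 nt!ObOpenObjectByName+0xeb
ee83ed40 80571b72 e1251468 00120116 ee83eed4 nt!IopCreateFile+0x407
ee83ed9c 80571ca8 e1251468 00120116 ee83eed4 nt!IoCreateFile+0x8e
ee83eddc 804e07ec e1251468 00120116 ee83eed4 nt!NtCreateFile+0x30
ee83eddc 804de9b1 e1251468 00120116 ee83eed4 nt!KiFastCallEntry+0xf8
ee83ee80 ef9aa1b2 e1251468 00120116 ee83eed4 nt!ZwCreateFile+0x11
ee83eeec efa19a42 e185c018 00000001 00000000 OurFSD+0x361b2
ee83ef48 ef9d323e e62c0038 e562302c 00000000 OurFSD+0xa5a42
ee83f1bc ef9d62e8 e62c000c 00000000 ee83f2c0 OurFSD+0x5f23e
ee83f1e4 ef9f4213 ee83f2b4 ee83fcb0 00000000 OurFSD+0x622e8
ee83f2d0 ef9fb945 ee83f37c e6b30bec 00000176 OurFSD+0x80213
ee83f3b0 ef9fb615 ee83f488 ee83f664 ef989a72 OurFSD+0x87945
ee83f4d4 ef9f9202 ee83f630 ee83f7e4 00000000 OurFSD+0x87615
ee83f6e4 ef9f76f8 ee83f7c4 00000000 81a7bda8 OurFSD+0x85202
ee83f8fc ef9f36c0 ee83f980 ee83fbd8 ee83fc14 OurFSD+0x836f8
ee83f9ac ef9f34e9 ee83fac8 ee83fbd8 ee83fc14 OurFSD+0x7f6c0
ee83fb04 ef9ebca7 ee83fc50 ee83fbd8 ee83fc14 OurFSD+0x7f4e9
ee83fc88 ef9d649e e123900c e23ff8de e7033144 OurFSD+0x77ca7
ee83fce4 ef9b9310 e7ce1ccc 00000000 81a7bda8 OurFSD+0x6249e
ee83fd28 ef9d828e 822c0a10 e7ce1ccc 81b77368 OurFSD+0x45310
ee83fd70 ef9b074a 822c0a10 e63cfae4 e63cfaf0 OurFSD+0x6428e
ee83fdac 8057f17b 822c0a10 00000000 00000000 OurFSD+0x3c74a
ee83fddc 804fa27a ef9b0700 822c0a10 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# ChildEBP, RetAddr, three args, symbol; WARNING lines do not match.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$")


def parse_frames(text):
    """Return [(child_ebp, symbol)] innermost first, skipping non-frame lines and
    the ChildEBP=0 terminator frame that kb prints for KiThreadStartup."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m and int(m.group(1), 16) != 0:
            frames.append((int(m.group(1), 16), m.group(2)))
    return frames


def module_of(symbol):
    return symbol.split("!")[0].split("+")[0]


def stack_cost_by_module(frames):
    """A function's locals sit between its callee's ChildEBP and its own, so frame i
    costs ChildEBP[i] - ChildEBP[i-1]; the innermost frame's cost is unknown from
    the listing alone and is counted as 0."""
    cost = {}
    for i, (ebp, sym) in enumerate(frames):
        used = ebp - frames[i - 1][0] if i else 0
        cost[module_of(sym)] = cost.get(module_of(sym), 0) + used
    return cost


def stack_limit_from_bottom_frame(frames):
    """Assumption: the stack base is the page boundary just above the outermost frame."""
    base = (frames[-1][0] | (PAGE - 1)) + 1
    return base - KERNEL_STACK_PAGES * PAGE


def push_would_overflow(esp, limit):
    """True if a 4-byte push at this ESP would write below the stack limit."""
    return esp - 4 < limit


def over_budget(cost, limit_bytes):
    """Modules whose summed frame cost exceeds a per-filter budget (1KB or 256 bytes
    are the figures suggested later in this thread)."""
    return [m for m, c in cost.items() if c > limit_bytes]


if __name__ == "__main__":
    frames = parse_frames(STACK_TEXT)
    cost = stack_cost_by_module(frames)
    for mod, c in cost.items():
        print(f"{mod:10s} {c:5d} bytes")
    limit = stack_limit_from_bottom_frame(frames)
    print("stack limit", hex(limit), "fault esp ee83d000 overflows:",
          push_would_overflow(0xEE83D000, limit))
    print("over 1KB:", over_budget(cost, 1024))
```

With this input OurFSD comes out at 0xF2C bytes (a hair under a page) against SYMEVENT's 0x84, and the derived limit 0xee83d000 is exactly the ESP at the faulting push ebp in nt!MmAccessFault.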

-----Original Message-----
From: xxxxx@yahoo.co.in
Sent: Thursday, July 02, 2009 05:35
To: Windows File Systems Devs Interest List
Subject: [ntfsd] two drivers attached to same stack ?

Hi, I am seeing a BSOD due to Unexpected Kernel Mode Trap: Exception Double Fault
due to stack overflow (which was confirmed by looking at ESP and the stack limit).

When I review the stack I can see SymEvent (Norton anti-virus) as part of our thread’s call stack. This seems strange to me.

Can I conclude it to be a problem with SymEvent, or is there something that I can do to avert this situation?




Hi Guys,

Thanks for your views. They sound reasonable to me.

But given this situation, is there a way to position the OurFsd driver on top of SymEvent so that it doesn't interfere with our activity?

Thanks
Harish

SymEvent (the very old version you are using) is on top of file system
drivers. The order of filters is nondeterministic. You could try a more
current version of SymEvent that will not attach in the file system stack.
You did say Norton in one post, but SymEvent has not attached to the file
system stack for more than two years (almost 3, I believe). The Symantec
stack was still using SymEvent in the file system filter later than the
Norton version.

Your excessive stack usage must be fixed. A third of the file system stack
is far too excessive for legacy file system filters. NTFS has had for some
time special code that enabled it to switch stacks because so many filters
consumed too much. Even with that, many filters caused crashes. I would
recommend that no filter use more than 1KB of stack. In minifilters this
rule may be unnecessary and is probably one reason all the effort was made
to create the minifilter model.

wrote in message news:xxxxx@ntfsd…
> Hi Guys,
>
> Thanks for your views. They sound reasonable to me.
>
> But given this situation, is there a way to position the OurFsd driver on
> top of SymEvent so that it doesn't interfere with our activity?
>
> Thanks
> Harish
>

David is much more generous than I would be - I’d say “no filter should
use more than 256 bytes of stack.” I’ve been in cases so extreme that I
suggest to people they move ALL local variables into an allocated
structure.

Use prefast, set the stackhog limit to something very small and fix your
code.

Mini-filters still should not consume excessive stack, either, because
they still make re-entrant calls. The problem is not as severe, but it
is still there.

Tony
OSR

Hi David,

You are right.
It's not Norton AV, it's Symantec AV (crash reported in an enterprise).

Thanks,
Harish