Whoops… dyslexia kicked in there. Somehow I thought
you were asking about KMODE_EXCEPTION_NOT_HANDLED.
Sorry 'bout that.
-----Original Message-----
From: Nate Bushman [mailto:xxxxx@legato.com]
Sent: Wednesday, June 13, 2001 2:57 PM
To: File Systems Developers
Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k -
NAV 7.03
If you get a KMODE_EXCEPTION_NOT_HANDLED bug check, here’s
how you can find the stack of the code that actually threw
the exception.
I’ll assume your symbols are set up and that you’re using
the latest version of WinDbg.
- Dump the current stack of each processor (use ~n to change
to a different processor, ex: ~1 changes the debugger so
that if you dump the stack it’ll be the stack of processor 1,
remember that the processor are 0-indexed).
When you’re dumping the stacks, look for the following
function call: PspUnhandledExceptionInSystemThread()
When you’ve found this call you don’t need to look any
further on any of the other CPUs.
The first parameter to PspUnhandledExceptionInSystemThread()
is a pointer to an EXCEPTION_POINTERS struct that can
be used to trace things back to the code that caused the
exception.
To dump the stack, use the command: kvb
- You’ll want to dump the EXCEPTION_POINTERS struct, but
you need to load kdex2x86.dll before you can do this.
To load the extension dll, use the command: !load kdex2x86.dll
- Dump the EXCEPTION_POINTERS struct. The address, as I
said, is the first argument to
PspUnhandledExceptionInSystemThread()
To dump the struct, use: !strct EXCEPTION_POINTERS ffffffff
where ffffffff is the address (the first argument to
PspUnhandledExceptionInSystemThread())
- Dump the context record pointed to by the
ContextRecord pointer in the EXCEPTION_POINTERS
struct
Do this: .cxr eeeeffff
Where eeeeffff is the pointer to the context
record that you got when you dumped the
EXCEPTION_POINTERS struct.
- Dump the stack of the code that caused the exception.
When you display the context record, you’ll have the
state of all of the registers at the time of the
exception. You need to use the values of some
of these registers in order to tell WinDbg where
the stack is that you want to dump. The
register values that you’re interested in are for
the ebp, esp and eip registers.
Do this: kb=
The stack trace of the offending code should now
print out.
=====================
Here’s an example of how I discovered the offending code
in a crash dump file when one of my drivers crashed.
I discovered that my VmvReceiveRequestForDeltaInfo() routine
was dereferencing a NULL pointer (param 4 in the bug check).
It helps A LOT to read the DDK docs on bug checks. They’ll
lead you through all the steps that I listed here.
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: fcd04ad9, The address that the exception occured at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000000, Parameter 1 of the exception
kd> kvb
ChildEBP RetAddr Args to Child
f61cb144 80454fd5 f61cb16c 8045fea7 f61cb174
ntoskrnl!PspUnhandledExceptionInSystemThread+0x18 (FPO: [1,0,0])
f61cbddc 80468ec2 fccecc20 00000000 00000000
ntoskrnl!PspSystemThreadStartup+0x5e (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 ntoskrnl!KiThreadStartup+0x16
kd> !load kdex2x86.dll
Loaded kdex2x86.dll extension DLL
kd> !strct EXCEPTION_POINTERS f61cb16c
struct _EXCEPTION_POINTERS (sizeof=8)
+0 struct _EXCEPTION_RECORD *ExceptionRecord = F61CB5F4
+4 struct _CONTEXT ContextRecord = F61CB24C
kd> .cxr F61CB24C
eax=00000000 ebx=813f72a8 ecx=813f4708 edx=00000000 esi=00000000
edi=00000000
eip=fcd04ad9 esp=f61cb6bc ebp=f61cb6e4 iopl=0 nv up ei pl zr na po
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
VincaMV!VmvReceiveRequestForDeltaInfo+78:
fcd04ad9 8b0c86 mov ecx,[esi+eax4]
kd> kb=f61cb6e4 f61cb6bc fcd04ad9
ChildEBP RetAddr Args to Child
f61cb6e4 fccee251 811cdc08 00000000 811cdc08
VincaMV!VmvReceiveRequestForDeltaInfo+0x78 [d:\mirroringforw2k\vmv\delta.c @
1254]
f61cbd80 fccece29 00000230 811cdc08 00000000
VincaMV!VmvReceiveRemoteRequest+0x8ec [d:\mirroringforw2k\vmv\remote.c @
315]
f61cbda8 80454faf 00000000 00000000 00000000 VincaMV!VmvLinkGetThread+0x209
[d:\mirroringforw2k\vmv\link.c @ 3033]
f61cbddc 80468ec2 fccecc20 00000000 00000000
ntoskrnl!PspSystemThreadStartup+0x69
00000000 00000000 00000000 00000000 00000000 ntoskrnl!KiThreadStartup+0x16
-----Original Message-----
From: Ronen Agam [mailto:xxxxx@hotmail.com]
Sent: Wednesday, June 13, 2001 10:47 AM
To: File Systems Developers
Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k -
NAV 7.03
Can you recommand a way for me to find where the problem might be? It
dosen’t happens all the time, but almost every time I run IE and NAV is on
and OS is win2000. On nt it never happens.
Thanks,
Ronen
>From: “Dan Partelly”
>Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k -
>NAV 7.03
>Date: Wed, 13 Jun 2001 17:35:39 +0300
>
>Duble faults are weird animals. First of all , a double fault will occur
>only when the CPU will fault while the CPU already tryes to invoke an
>exception handler. An example would be a IDT with a too low limit . But in
>your case ,
>Im too almost sure , like Mr Ravisankar already told you , that the real
>reason of your double fault is a stack overflow. In practice you often get
>a
>double fault because you run out of stack in ring0, and the CPU is unable
>to
>save EIP/CS/EFLAGS on the stack . This is one reason why the gate for a
>duble fault is in NT/2k/XP in fact a task gate. A clean stack , and clean
>registers are required to prevent a triple fault , thus CPU reset. This way
>, at least the system will survive long enough to bug check. Dont bother
>to
>extract a stack trace from that dump , 99% is that you encounter a sack
>overflow.
>
>
>----- Original Message -----
>From: “Ronen Agam”
>To: “File Systems Developers”
>Sent: Wednesday, June 13, 2001 3:42 PM
>Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k -
>NAV
>7.03
>
>
> > Unhandled exception 8
> > Creating .\DMP4.tmp - mini kernel dump
> >
> >
> > eax=ffdff13c ebx=0000007f ecx=80036000 edx=00000000 esi=00000000
> > edi=00000000
> > eip=804669be esp=80470468 ebp=00000000 iopl=0 nv up di ng nz na
>po
> > nc
> > cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
> > efl=00000086
> > ntoskrnl!Kei386EoiHelper+1608:
> > 804669be ebef jmp ntoskrnl!Kei386EoiHelper+0x15f9
>(804669af)
> >
> > This is what I see from the dump file.
> >
> >
> > >From: “danp”
> > >Reply-To: “File Systems Developers”
> > >To: “File Systems Developers”
> > >Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k
>-
> > >NAV 7.03
> > >Date: Wed, 13 Jun 2001 14:14:53 +0300
> > >
> > >Stack trace ? It can be reconstructed from the crash dump.
> > >
> > >----- Original Message -----
> > >From: “Ronen Agam”
> > >To: “File Systems Developers”
> > >Sent: Wednesday, June 13, 2001 1:45 PM
> > >Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k
>-
> > >NAV
> > >7.03
> > >
> > >
> > > >
> > > >
> > > >
> > > > >From: “Ravisankar Pudipeddi”
> > > > >Reply-To: “File Systems Developers”
> > > > >To: “File Systems Developers”
> > > > >Subject: [ntfsd] RE: UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win
>2k
> > >-
> > > > >NAV 7.03
> > > > >Date: Tue, 12 Jun 2001 15:53:51 -0700
> > > > >
> > > > >Sounds like a stack ovfl.
> > > > >A stack trace will help confirm.
> > > >
> > > > I am using softice, and I type stack and there is nothing.
> > > > How can I trace the problem?
> > > >
> > > > Ronen
> > > >
> > > > >-----Original Message-----
> > > > >From: xxxxx@mmm.com [mailto:xxxxx@mmm.com]
> > > > >Sent: Tuesday, June 12, 2001 1:51 PM
> > > > >To: File Systems Developers
> > > > >Subject: [ntfsd] UNEXPECTED_KERNEL_MODE_TRAP (Double Fault) win 2k
>-
> > >NAV
> > > > >7.03
> > > > >
> > > > >
> > > > >Hi,
> > > > >
> > > > >I have a file system filter driver that works fine on nt and 2000.
>When
> > > > >my driver uses ZwCreateFile to query a directory full name, the Irp
> > > > >comes to my filter dispatch. In the filter dispatch I can see that
>when
> > > > >the name is '' - root directory - and I pass it to next driver in
>the
> > > > >stack I get UNEXPECTED_KERNEL_MODE_TRAP with parametr1 = 8 ->
>Double
> > > > >Fault. This doesn’t happens if Nav is not working. It only happens
>on
> > > > >win2k with NAV ver 7.03. I tries win2k service pack 1 and 2 with
>same
> > > > >results.
> > > > >
> > > > >Anyone can help?
> > > > >
> > > > >status=ZwCreateFile(&hDir,
> > > > > FILE_LIST_DIRECTORY,
> > > > > &ObjectAttributes,
> > > > > &IoStatus,
> > > > > 0,
> > > > > FILE_ATTRIBUTE_DIRECTORY,
> > > > > FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
> > > > > FILE_OPEN,
> > > > > FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT,
> > > > > NULL,
> > > > > 0);
> > > > >
> > > > >
> > > > >Thanks,
> > > > >Ronen
> > > > >
> > > > >
> > > > >—
> > > > >You are currently subscribed to ntfsd as:
>xxxxx@windows.microsoft.com
> > > > >To unsubscribe send a blank email to
>leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> > > > >
> > > > >—
> > > > >You are currently subscribed to ntfsd as: xxxxx@hotmail.com
> > > > >To unsubscribe send a blank email to
>leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> > > >
> > > >
> > > > Get your FREE download of MSN Explorer at http://explorer.msn.com
> > > >
> > > >
> > > > —
> > > > You are currently subscribed to ntfsd as: danp@jb.rdsor.ro
> > > > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> > > >
> > >
> > >
> > >
> > >—
> > >You are currently subscribed to ntfsd as: xxxxx@hotmail.com
> > >To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
> >
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
> >
> >
> > —
> > You are currently subscribed to ntfsd as: danp@jb.rdsor.ro
> > To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
> >
>
>
>
>—
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com
—
You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
—
You are currently subscribed to ntfsd as: xxxxx@legato.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
—
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com