Verifier gives bugcheck IRQL_NOT_LESS_OR_EQUAL

Hi,
I have enabled verifier on my debug machine; since then I am getting
bugcheck 0xa.
This bug hits when the DriverEntry function returns, so it comes after the return
statement. Also it does not come always; typically when I do load/unload
multiple times I get the following bugcheck. I have also checked the IRQL level
during return and it is 0.
Any pointers will be appreciated.
Following is a stack -

kd> k

# Child-SP RetAddr Call Site

00 ffffd00133fe9b28 fffff801bec09422 nt!DbgBreakPointWithStatus
01 ffffd00133fe9b30 fffff801bec08d52 nt!KiBugCheckDebugBreak+0x12
02 ffffd00133fe9b90 fffff801beb645d4 nt!KeBugCheck2+0x93e
03 ffffd00133fea2a0 fffff801beb6eea9 nt!KeBugCheckEx+0x104
04 ffffd00133fea2e0 fffff801beb6d6c8 nt!KiBugCheckDispatch+0x69
05 ffffd00133fea420 fffff801beb69c47 nt!KiPageFault+0x248
06 ffffd00133fea5b0 fffff801bec87a7a nt!ExpInterlockedPopEntrySListFault
07 ffffd00133fea5c0 fffff801beb1248c nt!ExAllocatePoolWithTag+0x11a
08 ffffd00133fea6a0 fffff801bef6a606 nt!KsepPoolAllocatePaged+0x20
09 ffffd00133fea6d0 fffff801bef68bc9 nt!KsepStringDuplicateUnicode+0x46
0a ffffd00133fea710 fffff801bef6548b nt!KseShimDriverIoCallbacks+0x61
0b ffffd00133fea860 fffff801bef63b3a nt!IopLoadDriver+0x603
0c ffffd00133feab30 fffff801bea8edd9 nt!IopLoadUnloadDriver+0x4e
0d ffffd00133feab70 fffff801beafc758 nt!ExpWorkerThread+0xe9
0e ffffd00133feac00 fffff801beb695b6 nt!PspSystemThreadStartup+0x58
0f ffffd00133feac60 0000000000000000 nt!KiStartSystemThread+0x16

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffc00110034650, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 00000000000000ff, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only
on chips which support this level of status)
Arg4: fffff801beb69c47, address which referenced memory

Debugging Details:

BUGCHECK_P1: ffffc00110034650

BUGCHECK_P2: ff

BUGCHECK_P3: ff

BUGCHECK_P4: fffff801beb69c47

WRITE_ADDRESS: ffffc00110034650 Paged pool

CURRENT_IRQL: 0

FAULTING_IP:
nt!ExpInterlockedPopEntrySListFault+0
fffff801`beb69c47 498b08 mov rcx,qword ptr [r8]

CPU_COUNT: 2

CPU_MHZ: 766

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3e

CPU_STEPPING: 4

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

TRAP_FRAME: ffffd00133fea420 -- (.trap 0xffffd00133fea420)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000b21c60010 rbx=0000000000000000 rcx=ffffd0013438a500
rdx=ffffc00110034650 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801beb69c47 rsp=ffffd00133fea5b0 rbp=ffffe00028a1e000
r8=ffffc00110034650 r9=0000000000000009 r10=ffffd0013438a500
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na po nc
nt!ExpInterlockedPopEntrySListFault:
fffff801beb69c47 498b08 mov rcx,qword ptr [r8] ds:ffffc00110034650=ffffc00103222510
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff801bec09422 to fffff801beb69bb0

STACK_TEXT:
ffffd00133fe9b28 fffff801bec09422 : 000000000000000a 0000000000000003
ffffd00133fe9c90 fffff801beadf9ec : nt!DbgBreakPointWithStatus
ffffd00133fe9b30 fffff801bec08d52 : 0000000000000003 ffffd00133fe9c90
fffff801beb71010 000000000000000a : nt!KiBugCheckDebugBreak+0x12
ffffd00133fe9b90 fffff801beb645d4 : 000000000000004d 0000000000000000
ffffd0013438a500 ffffd00133fea670 : nt!KeBugCheck2+0x93e
ffffd00133fea2a0 fffff801beb6eea9 : 000000000000000a ffffc00110034650
00000000000000ff 00000000000000ff : nt!KeBugCheckEx+0x104
ffffd00133fea2e0 fffff801beb6d6c8 : 0000000000000001 0000000000000001
0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffd00133fea420 fffff801beb69c47 : ffffd0013438a500 fffff801bec87a7a
000000000000000a ffff68bbd03f15bc : nt!KiPageFault+0x248
ffffd00133fea5b0 fffff801bec87a7a : 000000000000000a ffff68bbd03f15bc
ffffd00133fea670 fffff801beb53add : nt!ExpInterlockedPopEntrySListFault
ffffd00133fea5c0 fffff801beb1248c : fffff80000000416 0000000000000074
ffffd00133fea8b8 0000000000000000 : nt!ExAllocatePoolWithTag+0x11a
ffffd00133fea6a0 fffff801bef6a606 : 0000000000000074 0000000000000000
0000000000000000 0000000000000000 : nt!KsepPoolAllocatePaged+0x20
ffffd00133fea6d0 fffff801bef68bc9 : ffffe0002a6f1330 ffffd00133fea810
ffffe0002a6f1480 ffffe0002a6f1330 : nt!KsepStringDuplicateUnicode+0x46
ffffd00133fea710 fffff801bef6548b : 0000000000000000 0000000000000000
fffff80077780000 ffffe0002a6f1330 : nt!KseShimDriverIoCallbacks+0x61
ffffd00133fea860 fffff801bef63b3a : ffffe0002ae2b1a0 0000000000000000
0000000000000000 fffff801bedee340 : nt!IopLoadDriver+0x603
ffffd00133feab30 fffff801bea8edd9 : fffff80100000000 ffffffff80000ddc
ffffe0002a2cf040 fffff801bedee340 : nt!IopLoadUnloadDriver+0x4e
ffffd00133feab70 fffff801beafc758 : 0065006c00750064 0000000000000080
fffff801bedee340 ffffe0002a2cf040 : nt!ExpWorkerThread+0xe9
ffffd00133feac00 fffff801beb695b6 : fffff801bed78180 ffffe0002a2cf040
ffffe00028b08040 006b007300690064 : nt!PspSystemThreadStartup+0x58
ffffd00133feac60 0000000000000000 : ffffd00133feb000 ffffd00133fe5000
0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiPageFault+248
fffff801`beb6d6c8 33c0 xor eax,eax

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: nt!KiPageFault+248

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 563ad7f4

BUCKET_ID_FUNC_OFFSET: 248

FAILURE_BUCKET_ID: AV_VRF_nt!KiPageFault

BUCKET_ID: AV_VRF_nt!KiPageFault

PRIMARY_PROBLEM_CLASS: AV_VRF_nt!KiPageFault

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_vrf_nt!kipagefault

FAILURE_ID_HASH: {c4fd3121-9238-a06f-0946-076aa16ccef3}

Followup: MachineOwner

Thanks,
-Ulka

Without any code it's hard to say, but you generally see this error when
you are corrupting something.

Also note that the IRQL shown in WinDbg doesn't really mean much
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff563825(v=vs.85).aspx)

On Sat, Dec 12, 2015 at 2:43 AM, Ulka Vaze wrote:

Hard to say anything without looking at your code, but I have a weird feeling that you just don't handle initialization properly. At least this is, IIRC, more or less what was happening to me when I failed to initialize an NDIS protocol driver properly - after DriverEntry had returned I was getting calls from the NDIS library which, due to my failure to provide a valid callback function pointer, resulted in a BSOD. The only difference was the certainty of a bugcheck - unlike you, I was getting it in 100% of cases without Verifier anywhere in sight…

Anton Bassov

>06 ffffd00133fea5b0 fffff801bec87a7a nt!ExpInterlockedPopEntrySListFault

Amazing.

Just a week ago there was a topic here about exactly this smart feature of Windows, with a link to a blog article provided.

And now we see somebody crashing exactly there.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks Paul , Anton.
I was able to figure out the cause, and indeed it was pool corruption.

Thanks so much.
-Ulka

On Sun, Dec 13, 2015 at 1:00 PM, wrote:

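Ulka's conclusion above is pool corruption, and the trace shows where such corruption tends to surface: ExAllocatePoolWithTag pops a free entry off a lookaside SList and reads that entry's Next link (`mov rcx,qword ptr [r8]`, with r8 equal to the referenced address ffffc00110034650). If an earlier allocation overran its buffer into a neighbouring free entry, the link it reads is garbage and the pop faults some time after the overrun, which is why the crash is intermittent and shows up after DriverEntry has already returned. The following user-mode C program is an added example, not code from the thread or from any of its participants: it models a free list chained through the first word of each free block, a driver bug that writes past the end of its buffer into the next free block's link, and the bounds check a verifier-style allocator applies before trusting that link. The arena layout, the 32-byte block size and every name (`arena`, `pool_alloc`, `run_driver`, `link_is_sane`) are assumptions of the example.

```c
/* Added example (not from the thread): a user-mode model of a pool free
 * list, an overrun that corrupts a free entry's link, and the sanity check
 * that turns a later random page fault into an immediate, attributable
 * detection. All names and sizes here are assumptions of the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  32
#define BLOCK_COUNT 8

/* A free block stores its link in its first pointer-sized word, the same
 * way an SLIST_ENTRY holds Next at the start of the block. */
typedef struct free_entry {
    struct free_entry *next;
} free_entry;

/* Constructed backing store: BLOCK_COUNT fixed-size blocks, pointer aligned. */
_Alignas(free_entry) static unsigned char arena[BLOCK_COUNT * BLOCK_SIZE];
static free_entry *free_head;

/* Chain every block onto the free list; block 0 ends up at the head. */
static void pool_init(void)
{
    free_head = NULL;
    for (int i = BLOCK_COUNT - 1; i >= 0; i--) {
        free_entry *e = (free_entry *)(arena + i * BLOCK_SIZE);
        e->next = free_head;
        free_head = e;
    }
}

/* Returns 1 if p is NULL or points at a block boundary inside the arena,
 * 0 otherwise. Compares as integers so a garbage value is safe to test. */
static int link_is_sane(const free_entry *p)
{
    if (p == NULL) return 1;
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)arena;
    uintptr_t hi = lo + sizeof arena;
    if (a < lo || a >= hi) return 0;
    return ((a - lo) % BLOCK_SIZE) == 0;
}

/* Pop the head block. The kernel's fast path simply reads e->next and
 * installs it; here the link is validated first, and *corrupt is set to 1
 * instead of letting a bad pointer become the next head. */
static void *pool_alloc(int *corrupt)
{
    free_entry *e = free_head;
    *corrupt = 0;
    if (e == NULL) return NULL;
    if (!link_is_sane(e->next)) {
        *corrupt = 1;       /* a verifier build would bugcheck right here */
        return NULL;
    }
    free_head = e->next;
    return e;
}

/* Push a block back onto the free list (unused by the scenario, shown for
 * completeness of the model). */
static void pool_free(void *p)
{
    free_entry *e = p;
    e->next = free_head;
    free_head = e;
}

/* Models the driver bug: fills a BLOCK_SIZE buffer with `len` bytes.
 * A len larger than BLOCK_SIZE spills into the adjacent free block and
 * overwrites its link. Returns 1 if the next allocation detected a
 * corrupted link, 0 if the list was intact, -1 on an unexpected NULL.
 * Keep len <= 2 * BLOCK_SIZE so the write stays inside the arena. */
static int run_driver(size_t len)
{
    int corrupt = 0;
    pool_init();
    unsigned char *buf = pool_alloc(&corrupt);   /* block 0; block 1 is now head */
    if (buf == NULL) return -1;
    memset(buf, 'A', len);                        /* the overrun, if len > BLOCK_SIZE */
    (void)pool_alloc(&corrupt);                   /* pops block 1, must read its link */
    return corrupt;
}

int main(void)
{
    printf("in-bounds write : corrupt=%d\n", run_driver(BLOCK_SIZE));
    printf("8-byte overrun  : corrupt=%d\n", run_driver(BLOCK_SIZE + 8));
    return 0;
}
```

Without the check in `pool_alloc`, the overrun case would install 0x4141414141414141 as the free head and the allocation after that would dereference it, which is the same shape as the `mov rcx,qword ptr [r8]` fault in the trap frame: the pop itself is fine, the value it was handed is not. That is also why the IRQL in the bugcheck arguments is not the interesting part here, and why Driver Verifier's special pool, which places each allocation against a guard page, makes the overrun fault at the write rather than at a later, unrelated pop.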

Hi Maxim,
Can you please point me to a thread you are talking about?

Thanks,
-Ulka

On Mon, Dec 14, 2015 at 12:42 AM, Maxim S. Shatskih wrote:


Google for “ExpInterlockedPopEntrySListFault”


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

“Ulka Vaze” wrote in message news:xxxxx@ntdev…