Weird analyze -v output

Hi all -

Can anyone explain what this Analyze -v output means? I do see it's an
access violation in "FsdGetPointerToCcb", (one of my functions) but I
don't see this function in the stack and was wondering what process is
going on here when this fails. It only happens on a heavily-loaded
system, so is this the MPW causing this?

Thanks - Greg

EXCEPTION_CODE: c0000005

FAULTING_IP:
ntsfsd!FsdGetPointerToCcb+9
bcb6e709 8b4110 mov eax,[ecx+0x10]

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000010

READ_ADDRESS: 00000010

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 1E

LAST_CONTROL_TRANSFER: from 8042c2bb to 80455994

STACK_TEXT:
eb837074 8042c2bb 00000003 80409688 00000000 nt!MiLockCode+0x2b5
eb837400 80454f55 0000001e c0000005 bcb6e709 nt!IopWritePageToDisk+0x12a
eb837ddc 80468ec2 80418b84 00000000 00000000 nt!MmLockPagableSectionByHandle+0x3db
00000000 00000000 00000000 00000000 00000000 nt!MiDeleteSystemPagableVm+0x58e

FOLLOWUP_IP:
ntsfsd!FsdGetPointerToCcb+9
bcb6e709 8b4110 mov eax,[ecx+0x10]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: ntsfsd!FsdGetPointerToCcb+9

MODULE_NAME: ntsfsd

IMAGE_NAME: ntsfsd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3cfe13a2

STACK_COMMAND: kb

BUCKET_ID: 0x1E_ntsfsd!FsdGetPointerToCcb+9

Followup: MachineOwner

An exception occurred, probably inside FsdGetPointerToCcb. The debugger is
giving you information from the exception (and context) record associated
with the exception. Do you have anything interesting going on at the
beginning of FsdGetPointerToCcb?

My guess, based upon the scant information available, is that there is
something wrong with your VM handling code, most likely, and you've trashed
a data structure needed by the modified (or mapped) page writer threads.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.

Hope to see you at the next OSR file systems class in San Jose, CA September
16, 2002!

The "FsdGetPointerToCcb" is an inline function that only does this:

inline PCCB FsdGetPointerToCcb (PIO_STACK_LOCATION Request)
{
    /* Return the per-open context (CCB) stored in the file object. */
    return Request->FileObject->FsContext2;
}

That’s it! I’d like to see which function called this… and what the
state was before it crashed!

Thanks - Greg
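
The faulting instruction and the exception parameters in the posted output are enough to recover the register value at the time of the fault. The following is an added example, not part of the original thread: a small Python triage script run over an excerpt of the posted !analyze -v output. The function names and the table of leading x86 FILE_OBJECT field offsets are supplied here as assumptions of the example.

```python
import re

# Leading fields of the 32-bit (x86) FILE_OBJECT, by byte offset (added table).
FILE_OBJECT_X86 = {0x00: "Type", 0x02: "Size", 0x04: "DeviceObject",
                   0x08: "Vpb", 0x0C: "FsContext", 0x10: "FsContext2"}

# Excerpt of the !analyze -v output posted in the thread.
ANALYZE_OUTPUT = """\
EXCEPTION_CODE: c0000005
FAULTING_IP:
ntsfsd!FsdGetPointerToCcb+9
bcb6e709 8b4110 mov eax,[ecx+0x10]
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000010
READ_ADDRESS: 00000010
"""

# Memory operand of the form [reg], [reg+0xNN] or [reg-0xNN].
MEM_OPERAND = re.compile(r"\[(e[a-z]{2})(?:([+-])0x([0-9a-f]+))?\]", re.I)
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

def field(text, name):
    """Return the hex value of a 'NAME: value' line as an int, or None."""
    m = re.search(rf"^{name}:\s*([0-9a-fA-F]+)\s*$", text, re.M)
    return int(m.group(1), 16) if m else None

def triage(text):
    """Recover the base register value behind a faulting memory operand."""
    code = field(text, "EXCEPTION_CODE")
    access = field(text, "EXCEPTION_PARAMETER1")   # kind of access
    addr = field(text, "EXCEPTION_PARAMETER2")     # faulting virtual address
    m = MEM_OPERAND.search(text)
    if code != 0xC0000005 or addr is None or m is None:
        return None                                # not an AV we can decode
    reg, sign, disp = m.group(1).lower(), m.group(2), m.group(3)
    disp = int(disp, 16) if disp else 0
    if sign == "-":
        disp = -disp
    base = (addr - disp) & 0xFFFFFFFF              # 32-bit register arithmetic
    return {
        "access": ACCESS_KIND.get(access, "unknown"),
        "register": reg,
        "displacement": disp,
        "base": base,
        "null_base": base == 0,
        # Only meaningful when the source shows the base is a FILE_OBJECT pointer.
        "file_object_field": FILE_OBJECT_X86.get(disp),
    }

if __name__ == "__main__":
    print(triage(ANALYZE_OUTPUT))
```

A zero base with displacement 0x10 is consistent with Request->FileObject being NULL at the moment the inline accessor read FsContext2.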

Analyze -v will give you a line with the .cxr addr; kb

The form is something like this -

.cxr ffffffffaddddddd; kb

Copy the line and execute in the cmd pane.

This should give you the actual stack. Exception dispatch thru
Trap creates a new stack, so you don't see yours...

Rgds,
prokash

Prokash,

Thanks for the input. The details I put in the previous email came from
analyze -v, though, and there is no command in it that shows how to dump
the context!

Regards,

Greg

Sorry Greg,

I did not notice the detail on the previous message …

I don’t have a direct solution but you can follow these steps -

Most likely the stack is trashed; in that case you may have to use a
knowledgebase article for using DD consecutively and look for some string
(I will hunt the MS knowledgebase, I know I’ve used it before).

Also you can look at the Memory window to see if the code is there for
ntsfsd!FsdGetPointerToCcb(). Maybe due to _inline some places it is
replaced as macro expansion, not sure though. Surely it did not seem like
it went thru KeBugCheck**(), but still worth a look where it is, again at
memory window (nt!KeBugCheck**()) and see if it matches with the return
address of the top of the stack, ie ln so that you will see what are the
neighbouring functions, most likely you will see whatever is already there
in the stack frame name.

Most likely again, you may have to grab previous stack by following the MS
knowBase, also I am not sure if there is an NT Insider article about it. I
will look for it.

-prokash

For finding the processes, you can use the !process command and its variants.
Pls look at the help of the current windbg app. The result should show
processes that were in the system with different states; you can look for
one and only one RUNNING, others are in WAIT, SUSPENDED etc. state.

-prokash

What version of Windbg are you using Greg? If it isn’t 6.0.7.0 you may
want to upgrade and try the latest and see if that gives you more info.
!analyze is one of the things undergoing a lot of improvement in the
last couple of versions.

http://www.microsoft.com/ddk/debugging/

Also a couple more things. I hope that your machine is not configured
to get just a 64KB !! minidump. If so and reproducible, pls use the
kernel full dump, that is usually good enough to debug …

Finally, the osr NT Insider article is from Vol 6 Issue 6, Nov-Dec 1999
issue. You may find the article on www.osr.com, that also has the ref. of MS
knowbase article Q159672 under the osr article “Finding the Trap Frame”…

-prokash

Thanks Nathan… Yes, I am using WinDbg 6.0.7.0 - I’m now following
Prokash’s suggestions and trying to find the right stack and context…

Regards,

Greg

Prokash -

Thanks for your expertise. The procedure you outlined helped me very
much, I really appreciate it.

Thanks again (and to everyone else)!

Regards,

Greg