What does the bugcheck mean

Hi,

I got a bugcheck as below with my file system filter driver but the module
that caused it is nt.

Could anyone help me in understanding this and proceeding further to find out
what part of my filter driver is causing this crash.

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e344d000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80532a99, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000001, (reserved)

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

MODULE_NAME: nt

FAULTING_MODULE: 804d0000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 3ee6c002

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
e344d000

FAULTING_IP:
nt!wctomb+7ec
80532a99 66833800 cmp word ptr [eax],0x0

MM_INTERNAL_CODE: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 804fc8cb to 80526488

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b714f230 804fc8cb 00000003 c038d134 80676b7c nt!DbgBreakPointWithStatus+0x4
b714f5bc 8051a2c9 00000001 e344d000 00000000 nt!KeBugCheckEx+0x169
b714f604 805389b6 00000000 e344d000 00000000 nt!MmTrimAllSystemPagableMemory+0x4819
b714f61c 0000000e ffffff01 00000002 81ad6140 nt!Kei386EoiHelper+0x2910

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_NAME: MachineOwner

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Thanks,
Kedar.

Well, the most important sentence in the analysis is
“Kernel symbols are WRONG. Please fix symbols to do analysis.”

First, you must fix the symbols, then repeat the analysis.
Maybe it will show you something more senseful.

L.

Since you have not set up kernel symbols correctly, that makes almost
everything in the output useless. The bug check itself:

0x50 ( e344d000, 0, 80532a99, 1)

Is the only hint we’re going to get. From this, my guess is that you’ve
mis-described a length somewhere. Note that the faulting address
(e344d000) is on a page boundary. Further, this page is in the region
generally used for paged pool. So, my guess is that the page before was
valid and this page was not valid.

This might happen if you sent a buffer into an OS function and described
the buffer as being longer than it really is.

Of course, using symbols is likely to provide more information.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
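
Added example, not part of the thread or of any poster's code: the faulting instruction, cmp word ptr [eax],0x0, is a 16-bit compare against zero, which is what a scan for a wide-character terminator looks like, so this sketch shows length checks that keep such a scan inside the real allocation. The counted_wstr struct (modeled on UNICODE_STRING), the function names, the sample name and the allocation base 0xe344cff0 are assumptions made for illustration; only the fault address e344d000 comes from the dump.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical counted string modeled on UNICODE_STRING; lengths in bytes. */
typedef struct {
    uint16_t length;          /* bytes in use, no terminator required */
    uint16_t maximum_length;  /* bytes the caller claims are allocated */
    const uint16_t *buffer;
} counted_wstr;

/* Constructed sample: 8 wide characters (16 bytes) with NO terminator. */
static const uint16_t sample_name[8] = {'\\','f','i','l','e','.','t','x'};
static const counted_wstr honest = { 16, 16, sample_name };
static const counted_wstr lying  = { 16, 32, sample_name }; /* over-described */

/* Reject a descriptor that claims more bytes than were really allocated. */
int counted_wstr_valid(const counted_wstr *s, size_t alloc_bytes)
{
    if (s == NULL || s->buffer == NULL) return 0;
    if (s->length % sizeof(uint16_t) != 0) return 0;
    if (s->length > s->maximum_length) return 0;
    return s->maximum_length <= alloc_bytes;
}

/* Scan for a 16-bit NUL as the faulting loop does, but stop at max_bytes
   instead of running off the end of the allocation. */
size_t bounded_wcslen(const uint16_t *buf, size_t max_bytes)
{
    size_t n = 0, limit = max_bytes / sizeof(uint16_t);
    while (n < limit && buf[n] != 0) n++;
    return n;
}

/* First address a reader touches past the real allocation when the
   described length is too long; 0 when the description is honest. */
uint32_t first_overrun_addr(uint32_t base, uint32_t alloc_bytes,
                            uint32_t described_bytes)
{
    return described_bytes > alloc_bytes ? base + alloc_bytes : 0;
}

int main(void)
{
    /* Assumed base 0xe344cff0: a 16-byte buffer ending on the page boundary,
       so the first byte past it is e344d000, the address in the bugcheck. */
    uint32_t fault = first_overrun_addr(0xe344cff0u, 16, lying.maximum_length);
    int ok = counted_wstr_valid(&honest, sizeof sample_name)
          && !counted_wstr_valid(&lying, sizeof sample_name)
          && bounded_wcslen(sample_name, sizeof sample_name) == 8
          && fault == 0xe344d000u;
    return ok ? 0 : 1;
}
```

An allocation that ends exactly at a page boundary is the case where an over-described length faults on the very first byte past the buffer, which is why a page-aligned Arg1 fits this pattern.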
