where to start with bugcheck 0xEF CRITICAL_PROCESS_DIED?

OSR_Community_User · January 10, 2014, 11:44am

I have a bugcheck on a machine running my driver, but I'm at a loss where to start with it. I don't have any evidence that my driver has caused the BSOD, but hey, we've all been there.

Here's the crash dump with the few things I've thought of to try. Suggestions welcome... with thanks.

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: fffffa8009064080, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

OVERLAPPED_MODULE: Address regions for 'rspndr' and 'luafv.sys' overlap

PROCESS_OBJECT: fffffa8009064080

IMAGE_NAME: csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5010ac39

MODULE_NAME: csrss

FAULTING_MODULE: 000007f7b70b0000 csrss

PROCESS_NAME: csrss.exe

EXCEPTION_CODE: (Win32) 0xf70f380 (259060608) -

BUGCHECK_STR: 0xEF_f70f380

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

CURRENT_IRQL: 0

STACK_TEXT:
fffff88006cf36e8 fffff8036c190795 : 00000000000000ef fffffa8009064080 0000000000000000 0000000000000000 : nt!KeBugCheckEx
fffff88006cf36f0 fffff8036c127e2e : fffffa8009064080 00000000144d2c01 0000000000000001 0000000000000000 : nt!PspCatchCriticalBreak+0xad
fffff88006cf3730 fffff8036c09ea01 : fffffa8009064080 00000000144d2c01 fffffa8009064080 0000000000000001 : nt! ?? ::NNGAKEGL::string'+0x4a25a fffff88006cf3790 fffff8036c0a480e : ffffffffffffffff fffffa8009064080 fffffa8009064080 0000000000000000 : nt!PspTerminateProcess+0x6d fffff88006cf37d0 fffff8036bc66453 : fffffa8009064080 fffffa800f70f380 fffff88006cf38c0 fffff88006cf4b00 : nt!NtTerminateProcess+0x9e fffff88006cf3840 fffff8036bc6b630 : fffff8036bde72d0 fffff88006cf48d0 fffff88006cf48d0 fffff88006cf4b00 : nt!KiSystemServiceCopyEnd+0x13 fffff88006cf39d8 fffff8036bde72d0 : fffff88006cf48d0 fffff88006cf48d0 fffff88006cf4b00 fffff88006cf4240 : nt!KiServiceLinkage fffff88006cf39e0 fffff8036bc1525f : 000000000010005f 00000041396ff540 00000041396ff540 0000000000000003 : nt! ?? ::FNODOBFM::string'+0x14926
fffff88006cf4210 fffff8036bc6380b : fffffa800f70f380 0000000000000000 fffff88006cf4b00 fffff88006cf4a50 : nt!KiRaiseException+0x1a0
fffff88006cf49c0 fffff8036bc66453 : 0000000000000008 0000000000000000 0000000000000001 fffff88006cf4b00 : nt!NtRaiseException+0x7b
fffff88006cf4b00 000007fcb16edc12 : 0000000000000000 0000000000000000 0000000000000000 000007fcaf786b9b : nt!KiSystemServiceCopyEnd+0x13
00000041396ffc60 0000000000000000 : 0000000000000000 0000000000000000 000007fcaf786b9b 000007fcb163ed3c : RPCRT4!LRPC_ADDRESS_AVRF::vftable'+0x2 STACK_COMMAND: kb FOLLOWUP_NAME: MachineOwner FAILURE_BUCKET_ID: 0xEF_f70f380_IMAGE_csrss.exe BUCKET_ID: 0xEF_f70f380_IMAGE_csrss.exe Followup: MachineOwner --------- 1: kd> !process PROCESS fffffa8009064080 SessionId: 0 Cid: 01e4 Peb: 7f7b634e000 ParentCid: 01dc DirBase: 1090ae000 ObjectTable: fffff8a007173a80 HandleCount: <data not accessible> Image: csrss.exe VadRoot fffffa800f2a5010 Vads 73 Clone 0 Private 246. Modified 95. Locked 0. DeviceMap fffff8a00000c500 Token fffff8a0071b0120 ElapsedTime 00:39:14.158 UserTime 00:00:00.000 KernelTime 00:00:00.062 QuotaPoolUsage[PagedPool] 99384 QuotaPoolUsage[NonPagedPool] 9488 Working Set Sizes (now,min,max) (963, 50, 345) (3852KB, 200KB, 1380KB) PeakWorkingSetSize 963 VirtualSize 41 Mb PeakVirtualSize 42 Mb PageFaultCount 1227 MemoryPriority BACKGROUND BasePriority 13 CommitCharge 373 THREAD fffffa8009121780 Cid 01e4.0208 Teb: 000007f7b6348000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa8009175ad0 SynchronizationEvent fffffa800911d6e0 SynchronizationEvent fffffa8009175b50 SynchronizationEvent THREAD fffffa8009100080 Cid 01e4.020c Teb: 000007f7b6346000 Win32Thread: fffff901000cf010 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa8009100428 Semaphore Limit 0x1 THREAD fffffa8009100780 Cid 01e4.0210 Teb: 000007f7b6344000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa8009100b28 Semaphore Limit 0x1 THREAD fffffa80091114c0 Cid 01e4.0234 Teb: 000007f7b634c000 Win32Thread: fffff901001fdb90 WAIT: (WrLpcReceive) UserMode Non-Alertable fffffa8009111868 Semaphore Limit 0x1 THREAD fffffa8009109080 Cid 01e4.025c Teb: 000007f7b621e000 Win32Thread: fffff901001a3b90 WAIT: (WrUserRequest) KernelMode Alertable fffffa8009133560 SynchronizationEvent fffffa8009038210 NotificationTimer fffffa800912b520 SynchronizationTimer fffff8036bea6ba0 NotificationEvent THREAD fffffa8009109780 Cid 01e4.0260 Teb: 000007f7b621c000 Win32Thread: fffff901001a3710 WAIT: (WrUserRequest) UserMode Non-Alertable fffffa8008d6e070 SynchronizationEvent fffffa8009175460 SynchronizationEvent fffffa800921b260 SynchronizationEvent THREAD fffffa8008af02c0 Cid 01e4.0368 Teb: 000007f7b6218000 Win32Thread: fffff901001c9b90 WAIT: (WrUserRequest) UserMode Non-Alertable fffffa8008af0160 SynchronizationEvent THREAD fffffa800966a1c0 Cid 01e4.0660 Teb: 000007f7b6216000 Win32Thread: fffff901001d9b90 RUNNING on processor 4 THREAD fffffa800b9c2600 Cid 01e4.02fc Teb: 000007f7b621a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8009226c80 QueueObject THREAD fffffa800f3f7080 Cid 01e4.04e0 Teb: 000007f7b634a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8009226c80 QueueObject THREAD fffffa800f70f380 Cid 01e4.043c Teb: 000007f7b6214000 Win32Thread: 0000000000000000 RUNNING on processor 1 1: kd> !locks ****DUMP OF ALL RESOURCE OBJECTS**** KD: Scanning for held locks............. Resource @ 0xfffffa8009034928 Shared 1 owning threads Threads: fffffa800f80e040-01<*> KD: Scanning for held locks. Resource @ 0xfffffa8008fe9260 Shared 1 owning threads Contention Count = 19 Threads: fffffa800797bb00-01<*> KD: Scanning for held locks..... Resource @ 0xfffffa8008b18a80 Shared 1 owning threads Threads: fffffa8009b04780-01<*> KD: Scanning for held locks...................................................................................................................................................................................................................... Resource @ 0xfffffa8008aa4358 Exclusively owned Threads: fffffa800f80e040-01<*> Resource @ 0xfffffa8008aa4428 Exclusively owned Threads: fffffa800797bb00-01<*> KD: Scanning for held locks.................. 7948 total locks, 5 locks currently held 1: kd> !stacks 2 mydriver! Proc.Thread .Thread Ticks ThreadState Blocker [fffff8036bf5f200 Idle] [fffffa8007960980 System] [fffffa8008a8d980 smss.exe] [fffffa8009064080 csrss.exe] [fffffa800912d080 smss.exe] [fffffa8009130340 wininit.exe] [fffffa800892a980 csrss.exe] [fffffa800890d980 winlogon.exe] [fffffa800910b340 services.exe] [fffffa800920d080 lsass.exe] [fffffa8008d79440 svchost.exe] [fffffa800f233900 LogonUI.exe] [fffffa80079c5300 svchost.exe] [fffffa800935f980 spoolsv.exe] [fffffa8009615640 IPROSetMonitor] [fffffa800934f980 svchost.exe] [fffffa8009698980 wlms.exe] [fffffa8009768080 msdtc.exe] Threads Processed: 197 1: kd> lm start end module name 000007f7b70b0000 000007f7b70b7000 csrss (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\csrss.pdb\0F993192D26546EAA1D753DE86F6FC0D1\csrss.pdb 000007fcaf4d0000 000007fcaf52c000 bcryptPrimitives (deferred) 000007fcaf530000 000007fcaf53a000 CRYPTBASE (deferred) 000007fcaf540000 000007fcaf5f2000 sxs (deferred) 000007fcaf710000 000007fcaf71d000 sxssrv (deferred) 000007fcaf720000 000007fcaf752000 winsrv (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\winsrv.pdb\902FC8293ADD49189782B0A61EA51A9C2\winsrv.pdb 000007fcaf760000 000007fcaf772000 basesrv (deferred) 000007fcaf780000 000007fcaf793000 CSRSRV (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\csrsrv.pdb\F92152B487B84C32B21B292ECD26EE3B1\csrsrv.pdb 000007fcaf7c0000 000007fcaf8b3000 kernelbase (deferred) 000007fcafe20000 000007fcaff56000 kernel32 (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\kernel32.pdb\EA7B2E0FAE2E47C3BE3FC6F07C218C772\kernel32.pdb 000007fcb14c0000 000007fcb160c000 USER32 (deferred) 000007fcb1610000 000007fcb1755000 RPCRT4 (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\rpcrt4.pdb\B61C62E472B94DC0A66E2F6BF777BBD92\rpcrt4.pdb 000007fcb2070000 000007fcb21b1000 GDI32 (deferred) 000007fcb2650000 000007fcb2698000 sechost (deferred) 000007fcb2840000 000007fcb2a00000 ntdll (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntdll.pdb\4D2C5958D47543C197545B0DE9ED8C032\ntdll.pdb fffff8036acf6000 fffff8036acff000 kd (deferred) fffff8036bc0d000 fffff8036c359000 nt (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntkrnlmp.pdb\E2A28FBB5A694B22910DBF6F2F0CA7522\ntkrnlmp.pdb fffff8036c359000 fffff8036c3c5000 hal (deferred) fffff88000c00000 fffff88000c7f000 CI (deferred) fffff88000c7f000 fffff88000ce2000 msrpc (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\msrpc.pdb\DCC67CE372F14B57A798BDAB14DE0CDC2\msrpc.pdb fffff88000cf1000 fffff88000d50000 mcupdate_GenuineIntel (deferred) fffff88000d50000 fffff88000dac000 CLFS (deferred) fffff88000dac000 fffff88000dcf000 tm (deferred) fffff88000dcf000 fffff88000de4000 PSHED (deferred) fffff88000de4000 fffff88000dee000 BOOTVID (deferred) fffff88000e00000 fffff88000e0a000 msisadrv (deferred) fffff88000e0a000 fffff88000e47000 pci (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\pci.pdb\429548BF135649C9A87C6617D1481B962\pci.pdb fffff88000e47000 fffff88000e54000 vdrvroot (deferred) fffff88000e57000 fffff88000ee3000 cng (deferred) fffff88000efe000 fffff88000ff9000 NDIS (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ndis.pdb\34D71E377CCF45C692BA42681E7428FD2\ndis.pdb fffff88001000000 fffff8800106f000 NETIO (deferred) fffff88001070000 fffff88001132000 Wdf01000 (deferred) fffff88001132000 fffff88001142000 WDFLDR (deferred) fffff88001142000 fffff88001159000 acpiex (deferred) fffff88001159000 fffff88001164000 WppRecorder (deferred) fffff88001164000 fffff880011d1000 ACPI (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\acpi.pdb\425FB6EBB16F4D2E95BC68BCFBE51EF52\acpi.pdb fffff880011d1000 fffff880011db000 WMILIB (deferred) fffff880011db000 fffff880011f2000 pdc (deferred) fffff88001400000 fffff88001418000 mydriver (private pdb symbols) c:\proj\drivers\mydriver\x64\win7release\mydriver.pdb fffff88001418000 fffff88001478000 fltmgr (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\fltMgr.pdb\5529FDF39E154F82B803386CABA371542\fltMgr.pdb fffff88001495000 fffff880014af000 partmgr (deferred) fffff880014af000 fffff880014f8000 spaceport (deferred) fffff880014f8000 fffff88001510000 volmgr (deferred) fffff88001510000 fffff88001570000 volmgrx (deferred) fffff88001570000 fffff8800158a000 mountmgr (deferred) fffff8800158a000 fffff880015a0000 storahci (deferred) fffff880015a0000 fffff880015f5000 storport (deferred) fffff88001626000 fffff88001809000 Ntfs (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntfs.pdb\5CE079205ED54193B17045C69F4831062\ntfs.pdb fffff88001809000 fffff88001824000 ksecdd (deferred) fffff88001824000 fffff88001835000 pcw (deferred) fffff88001835000 fffff8800183f000 Fs_Rec (deferred) fffff8800183f000 fffff8800186e000 ksecpkg (deferred) fffff8800186e000 fffff880019d7000 dxgkrnl (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\dxgkrnl.pdb\439183C1793F4DBD825AB075FD546B861\dxgkrnl.pdb fffff880019d7000 fffff880019e8000 watchdog (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\watchdog.pdb\D7960F52EC2C405CA0B7EDBAF39E958E2\watchdog.pdb fffff88001a00000 fffff88001a54000 CLASSPNP (deferred) fffff88001a54000 fffff88001a68000 crashdmp (deferred) fffff88001a7e000 fffff88001cb7000 tcpip (deferred) fffff88001cb7000 fffff88001d1f000 fwpkclnt (deferred) fffff88001d1f000 fffff88001d3a000 wfplwfs (deferred) fffff88001d3a000 fffff88001d8e000 volsnap (deferred) fffff88001d8e000 fffff88001da5000 mup (deferred) fffff88001db1000 fffff88001dcd000 disk (deferred) fffff88001de5000 fffff88001dee000 Null (deferred) fffff88001dee000 fffff88001dfb000 BasicRender (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\BasicRender.pdb\65CBEE45D6A14B4295E0828F299D34BE2\BasicRender.pdb fffff88003c00000 fffff88003c1f000 USBSTOR (deferred) fffff88003c48000 fffff88003cbb000 rdbss (deferred) fffff88003cbb000 fffff88003cd5000 wanarp (deferred) fffff88003cd5000 fffff88003ce3000 nsiproxy (deferred) fffff88003ce3000 fffff88003cef000 npsvctrig (deferred) fffff88003cef000 fffff88003cfb000 mssmbios (deferred) fffff88003cfb000 fffff88003d0c000 discache (deferred) fffff88003d0c000 fffff88003d2d000 dfsc (deferred) fffff88003d2d000 fffff88003d39000 ndistapi (deferred) fffff88003d39000 fffff88003d68000 ndiswan (deferred) fffff88003d68000 fffff88003d86000 rassstp (deferred) fffff88003d86000 fffff88003d9e000 AgileVpn (deferred) fffff88003d9e000 fffff88003dad000 CompositeBus (deferred) fffff88003dad000 fffff88003db8000 kdnic (deferred) fffff88003db8000 fffff88003dca000 umbus (deferred) fffff88003dca000 fffff88003de0000 usbehci (deferred) fffff88003de0000 fffff88003dfa000 raspppoe (deferred) fffff88003dfa000 fffff88003dfb480 swenum (deferred) fffff88003e00000 fffff88003e96000 afd (deferred) fffff88003ea7000 fffff88003ef5000 dxgmms1 (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\dxgmms1.pdb\3EDD4ACA6B2F47F7AE8A8D17ACB53D151\dxgmms1.pdb fffff88003ef5000 fffff88003f06000 BasicDisplay (deferred) fffff88003f06000 fffff88003f18000 Npfs (deferred) fffff88003f18000 fffff88003f24000 Msfs (deferred) fffff88003f24000 fffff88003f46000 tdx (deferred) fffff88003f46000 fffff88003f54000 TDI (deferred) fffff88003f54000 fffff88003fac000 netbt (deferred) fffff88003fac000 fffff88003fd6000 pacer (deferred) fffff88003fd6000 fffff88003fe6000 netbios (deferred) fffff88004001000 fffff8800407e000 USBPORT (deferred) fffff8800407e000 fffff88004094000 HDAudBus (deferred) fffff88004094000 fffff88004107000 e1r63x64 (deferred) fffff88004107000 fffff88004121000 astkmd (deferred) fffff88004121000 fffff88004139000 serial (deferred) fffff88004139000 fffff88004146000 serenum (deferred) fffff88004146000 fffff8800415e000 IPMIDrv (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\IPMIDRV.pdb\72C091B9E8494B8FA0D8942352B3F7B31\IPMIDRV.pdb fffff8800415e000 fffff88004168000 wmiacpi (deferred) fffff88004168000 fffff88004184000 intelppm (deferred) fffff88004184000 fffff8800418e000 acpipagr (deferred) fffff8800418e000 fffff880041af000 raspptp (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\raspptp.pdb\4EC9DC68BDDE4063978C73E6B6C793712\raspptp.pdb fffff880041af000 fffff880041db000 tunnel (deferred) fffff880041db000 fffff88004200000 rasl2tp (deferred) fffff88004200000 fffff8800421b000 HIDCLASS (deferred) fffff8800421b000 fffff88004228000 kbdhid (deferred) fffff88004228000 fffff88004237000 kbdclass (deferred) fffff88004237000 fffff88004243000 mouhid (deferred) fffff88004243000 fffff88004252000 mouclass (deferred) fffff88004252000 fffff8800425f000 dump_diskdump (deferred) fffff8800425f000 fffff88004277000 dump_mydriver (deferred) fffff88004277000 fffff8800428b000 lltdio (deferred) fffff8800428b000 fffff880042a3000 rspndr (deferred) fffff880042a8000 fffff880042f7000 ks (deferred) fffff880042f7000 fffff88004302000 rdpbus (deferred) fffff88004302000 fffff88004316000 NDProxy (deferred) fffff88004316000 fffff880043b2000 usbhub (deferred) fffff880043b2000 fffff880043bd000 USBD (deferred) fffff880043bd000 fffff880043c5000 HIDPARSE (deferred) fffff880043c5000 fffff880043e8000 usbccgp (deferred) fffff880043e8000 fffff880043f5000 hidusb (deferred) fffff88006400000 fffff8800643b000 mrxsmb20 (deferred) fffff880064a7000 fffff880064d8000 cdrom (deferred) fffff880064d8000 fffff880064e2000 sfloppy (deferred) fffff880064e2000 fffff88006502000 bowser (deferred) fffff88006502000 fffff88006519000 mpsdrv (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\mpsdrv.pdb\E6D2A47FE68B445991AEC4151DB2A92E2\mpsdrv.pdb fffff88006519000 fffff8800657c000 mrxsmb (deferred) fffff8800657c000 fffff880065c7000 mrxsmb10 (deferred) fffff88006600000 fffff8800668d000 srv (deferred) fffff88006695000 fffff88006774000 HTTP (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\http.pdb\5FBDF1EF34AF4F2E87240413E2847F712\http.pdb fffff88006e00000 fffff88006ea1000 srv2 (deferred) fffff88006ea4000 fffff88006f70000 peauth (deferred) fffff88006f70000 fffff88006f7b000 secdrv (deferred) fffff88006f7b000 fffff88006fbf000 srvnet (deferred) fffff88006fbf000 fffff88006fd1000 tcpipreg (deferred) fffff88006fd1000 fffff88006fdf000 monitor (deferred) fffff88006fdf000 fffff88006fec000 condrv (deferred) fffff960000d4000 fffff960004c4000 win32k (private pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\win32k.pdb\DFDD4C69F54C4A6DBD1690B944D3E0FA2\win32k.pdb fffff960006e7000 fffff960006f0000 TSDDD (deferred) fffff96000842000 fffff96000878000 cdd (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\cdd.pdb\D770FD396CFC4572B69985545C1CAAED1\cdd.pdb Unloaded modules: fffff88004277000 fffff8800429f000 luafv.sys fffff88001a68000 fffff88001a75000 dump_storport.sys fffff88001dcd000 fffff88001de5000 dump_mydriver.sys fffff8800186e000 fffff8800189f000 cdrom.sys fffff88001da5000 fffff88001db1000 hwpolicy.sys fffff88000ee3000 fffff88000efe000 sacdrv.sys fffff88000ce4000 fffff880`00cf1000 ApiSetSchema.dll

Alex_Grig · January 10, 2014, 11:58am

Is “mydriver.sys” your storage miniport? If it is, the crash happened because of page-in error, or because of page-in data corruption.

OSR_Community_User · January 10, 2014, 12:20pm

yes it is.
Could you explain to this padawan how you worked that out?

Alex_Grig · January 10, 2014, 1:02pm

>Could you explain to this padawan how you worked that out?

“dump_mydriver.sys” in the unloaded module list I see.
mydriver.sys a inbox driver name is not.

OSR_Community_User · January 13, 2014, 6:21am

> “dump_mydriver.sys” in the unloaded module list I see.

mydriver.sys a inbox driver name is not.

I understand how you worked out that mydriver.sys is a storage miniport.
I don’t understand how you conclude that “the crash happened because of page-in error, or because of page-in data corruption.”

I admit it’s a fair hypothesis - a storage driver corrupts program code. However I don’t see the smoking gun: is there another clue I’ve missed?

Alex_Grig · January 13, 2014, 10:28am

If you have the crashdump, check the callstack of processor 4:

4k

OSR_Community_User · January 13, 2014, 10:52am

> If you have the crashdump, check the callstack of processor 4:

4: kd> 4k
Child-SP RetAddr Call Site
fffff880070378e0 fffff8036c035014 nt!AlpcpReceiveMessagePort+0x3d9
fffff88007037950 fffff8036c0480d9 nt!AlpcpReceiveMessage+0x2e2
fffff880070379e0 fffff8036bc66453 nt!NtAlpcSendWaitReceivePort+0xf9
fffff88007037a90 000007fcb284347b nt!KiSystemServiceCopyEnd+0x13
0000004139a3f538 000007fcaf784b91 ntdll!NtAlpcSendWaitReceivePort+0xa
0000004139a3f540 000007fcb28a70b5 CSRSRV!CsrApiRequestThread+0x155
0000004139a3f850 0000000000000000 ntdll!RtlUserThreadStart+0x25

Yet again your teachings intrigue me. Why 4?
(I guess my insight doesn’t serve me well). For the record, here are the other CPUs:-

4: kd> 0k
Child-SP RetAddr Call Site
fffff88002dd3760 fffff8036bca17f9 nt!MiDispatchFault+0x91
fffff88002dd38a0 fffff8036bc42f4e nt!MmAccessFault+0x289
fffff88002dd39e0 fffff8036bc47f93 nt!MiInPageSingleKernelStack+0x14e
fffff88002dd3bb0 fffff8036bc39fd9 nt!KeSwapProcessOrStack+0xb3
fffff88002dd3c10 fffff8036bcee7e6 nt!PspSystemThreadStartup+0x59
fffff88002dd3c60 0000000000000000 nt!KiStartSystemThread+0x16
4: kd> 1k
Child-SP RetAddr Call Site
fffff88006cf36e8 fffff8036c190795 nt!KeBugCheckEx
fffff88006cf36f0 fffff8036c127e2e nt!PspCatchCriticalBreak+0xad
fffff88006cf3730 fffff8036c09ea01 nt! ?? ::NNGAKEGL::string'+0x4a25a fffff88006cf3790 fffff8036c0a480e nt!PspTerminateProcess+0x6d fffff88006cf37d0 fffff8036bc66453 nt!NtTerminateProcess+0x9e fffff88006cf3840 fffff8036bc6b630 nt!KiSystemServiceCopyEnd+0x13 fffff88006cf39d8 fffff8036bde72d0 nt!KiServiceLinkage fffff88006cf39e0 fffff8036bc1525f nt! ?? ::FNODOBFM::string’+0x14926
fffff88006cf4210 fffff8036bc6380b nt!KiRaiseException+0x1a0
fffff88006cf49c0 fffff8036bc66453 nt!NtRaiseException+0x7b
fffff88006cf4b00 000007fcb16edc12 nt!KiSystemServiceCopyEnd+0x13
00000041396ffc60 0000000000000000 RPCRT4!LRPC_ADDRESS_AVRF::vftable'+0x2 4: kd\> 2k Child-SP RetAddr Call Site fffff8800608b1a8 fffff8036bcaab53 nt!KiDpcInterrupt fffff8800608b1d0 fffff8036bca8dcd nt!KiCommitThreadWait+0x5c1 fffff8800608b290 fffff8036c04b847 nt!KeWaitForMultipleObjects+0x25d fffff8800608b340 fffff8036c04bcb3 nt!ObWaitForMultipleObjects+0x297 fffff8800608b840 fffff8036bc66453 nt!NtWaitForMultipleObjects+0xe3 fffff8800608ba90 000007fcb284319b nt!KiSystemServiceCopyEnd+0x13 000000f08ee3f238 000007fcaf7c12d2 ntdll!NtWaitForMultipleObjects+0xa 000000f08ee3f240 000007fcafe21282 kernelbase!WaitForMultipleObjectsEx+0xe5 000000f08ee3f520 000007fc9c68bb33 kernel32!WaitForMultipleObjects+0x12 000000f08ee3f560 000000f08c40e408 0x000007fc9c68bb33
000000f08ee3f568 0000000000000003 0x000000f08c40e408 000000f08ee3f570 000000f000000000 0x3 000000f08ee3f578 000007fc00000000 0x000000f000000000
000000f08ee3f580 0000000000000410 0x000007fc00000000 000000f08ee3f588 0000000000000420 0x410 000000f08ee3f590 fffffffffffffffe 0x420 000000f08ee3f598 000000f08ee3f5a0 0xfffffffffffffffe
000000f08ee3f5a0 000000f000000003 0x000000f08ee3f5a0 000000f08ee3f5a8 000000f08ee3f5b0 0x000000f000000003
000000f08ee3f5b0 0000000000000003 0x000000f08ee3f5b0 000000f08ee3f5b8 0000000000000000 0x3 4: kd\> 3k Child-SP RetAddr Call Site fffff8800334c810 fffff8036bc61106 nt!SwapContext_PatchStMxCsr+0x5e fffff8800334c850 fffff8036bcaa7cb nt!KiSwapContext+0x76 fffff8800334c990 fffff8036bc8e9a8 nt!KiCommitThreadWait+0x23b fffff8800334ca50 fffff8036c03fee9 nt!KeDelayExecutionThread+0x1c8 fffff8800334cad0 fffff8036bc66453 nt!NtDelayExecution+0x58 fffff8800334cb00 000007fcb2842f2a nt!KiSystemServiceCopyEnd+0x13 000000f08c0ef338 000007fcaf7c11f2 ntdll!NtDelayExecution+0xa 000000f08c0ef340 000007fcb2685399 kernelbase!SleepEx+0xaa 000000f08c0ef3e0 000007fcb2655369 sechost!_GSHandlerCheck_SEH+0x3a8d 000000f08c0ef4e0 000007fc99db66b8 sechost!StartServiceCtrlDispatcherW+0x54 000000f08c0ef520 0000000000000028 0x000007fc99db66b8
000000f08c0ef528 000000f08c12c4b0 0x28
000000f08c0ef530 0000000000000050 0x000000f08c12c4b0 000000f08c0ef538 000007fcb14113ba 0x50 000000f08c0ef540 000007fc99d33c20 0x000007fcb14113ba
000000f08c0ef548 0000000000000000 0x000007fc99d33c20 4: kd\> 5k Child-SP RetAddr Call Site fffff88007bdc600 fffff8036c095438 nt!KeFlushProcessWriteBuffers+0x1c9 fffff88007bdc730 fffff8036c09ea01 nt!PspTerminateAllThreads+0x210 fffff88007bdc790 fffff8036c0a480e nt!PspTerminateProcess+0x6d fffff88007bdc7d0 fffff8036bc66453 nt!NtTerminateProcess+0x9e fffff88007bdc840 fffff8036bc6b630 nt!KiSystemServiceCopyEnd+0x13 fffff88007bdc9d8 fffff8036bde72d0 nt!KiServiceLinkage fffff88007bdc9e0 fffff8036bc1525f nt! ?? ::FNODOBFM::string’+0x14926
fffff88007bdd210 fffff8036bc6380b nt!KiRaiseException+0x1a0
fffff88007bdd9c0 fffff8036bc66453 nt!NtRaiseException+0x7b
fffff88007bddb00 000007fcb16edc12 nt!KiSystemServiceCopyEnd+0x13
000000f08f03f4c0 0000000000000000 RPCRT4!LRPC_ADDRESS_AVRF::vftable'+0x2 4: kd\> 6k Child-SP RetAddr Call Site fffff8800601bac8 fffff8036bce6b00 nt!KiIpiInterrupt fffff8800601baf8 fffff8036bc664fa nt!KiInitiateUserApc fffff8800601bb00 000007fcb2842c2a nt!KiSystemServiceExit+0x9f 000000f08e80fbc8 000007fcaf7c10ea ntdll!NtWaitForSingleObject+0xa 000000f08e80fbd0 000007fc99de75f0 kernelbase!WaitForSingleObjectEx+0x92 000000f08e80fc70 000000f08c40be60 0x000007fc99de75f0
000000f08e80fc78 000000f08c3c0000 0x000000f08c40be60 000000f08e80fc80 000000f000000000 0x000000f08c3c0000
000000f08e80fc88 0000000000000200 0x000000f000000000 000000f08e80fc90 0000000000000001 0x200 000000f08e80fc98 0000000000000000 0x1 4: kd\> 7k Child-SP RetAddr Call Site fffff880061382d8 fffff8036bc6156f nt!KiIpiInterrupt fffff88006138300 fffff8036bc61106 nt!SwapContext_PatchLdMxCsr+0x4f fffff88006138340 fffff8036bcaa7cb nt!KiSwapContext+0x76 fffff88006138480 fffff8036bca960f nt!KiCommitThreadWait+0x23b fffff88006138540 fffff8036bfe7f6c nt!KeWaitForSingleObject+0x1cf fffff880061385d0 fffff8036bfe8187 nt!EtwpRegisterProvider+0x9c fffff88006138680 fffff8036c151715 nt!EtwRegister+0x23 fffff880061386c0 fffff8036c1512cc nt!DbgkpStartSystemErrorHandler+0x49 fffff88006138730 fffff8036c1e8b94 nt!DbgkpSendErrorMessage+0x80 fffff88006138870 fffff8036bde72bd nt! ?? ::NNGAKEGL::string’+0x135a0
fffff880061389e0 fffff8036bc1525f nt! ?? ::FNODOBFM::string'+0x14913 fffff88006139210 fffff8036bc6380b nt!KiRaiseException+0x1a0 fffff880061399c0 fffff8036bc66453 nt!NtRaiseException+0x7b fffff88006139b00 000007fcb16edc12 nt!KiSystemServiceCopyEnd+0x13 0000001deebbf660 0000000000000000 RPCRT4!LRPC_ADDRESS_AVRF::vftable’+0x2

Alex_Grig · January 13, 2014, 11:22am

Processor 4 was running another thread of the affected process.

Processors 5, 7 are inside exception handling with about the same callstack as your failing thread. The processor 5 is terminating some other process.
Processor 0 is handling a kernel stack page-in failure, which would have caused a system bugcheck, too.