Hi,
I am having an issue with my driver when Driver Verifier is enabled in Win XP SP1. The problem is that I always get BugCheck DRIVER_IRQL_NOT_LESS_OR_EQUAL (D1) exactly when I try to acquire a spinlock. I am sure that the spinlock is allocated in non-paged pool and has been initialized.

Bugcheck code is as follows:
BugCheck D1, {eff0b4ff, 2, 0, eff0b4ff}
Arguments:
Arg1: eff0b4ff, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: eff0b4ff, address which referenced memory

Arg1 and Arg2 are the same, isn't this odd? Can somebody explain this.

From the dump I get BUCKET_ID: 0xD1_CODE_AV_BAD_IP_SupaCemul!OpenComPort+a7. This is the place where the spinlock is acquired. What does CODE_AV_BAD_IP mean?

Why doesn't Verifier in Win 2k complain? The code works in XP without Verifier enabled. Is this an issue in the Verifier of Win XP?

Find the dump snippet below, if it could help.

Thanks in advance,
Najas

----------------------------- Dump info -------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.3.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Project\USB\SUPA\SupaCemul\objfre\i386;C:\Project\USB\SUPA\SupaCemul\objchk\i386
Executable search path is: C:\Project\USB\SUPA\SupaCemul\objfre\i386;C:\Project\USB\SUPA\SupaCemul\objchk\i386
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Tue Jan 13 11:58:06 2004
System Uptime: 0 days 0:05:51.609
Loading Kernel Symbols
.........................................................................................................
Loading unloaded module list
.........
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {eff0b4ff, 2, 0, eff0b4ff}

Probably caused by : SupaCemul.sys ( SupaCemul!OpenComPort+a7 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: eff0b4ff, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: eff0b4ff, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: eff0b4ff Nonpaged pool

CURRENT_IRQL: 2

FAULTING_IP:
SupaCemul!OpenComPort+a7 [c:\project\usb\supa\supacemul\comport.c @ 896]
eff0b4ff 8ad0 mov dl,al

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from eff09d82 to eff0b4ff

TRAP_FRAME: f869e914 -- (.trap fffffffff869e914)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000041 edx=81f02e02 esi=818cf600 edi=8271afdc
eip=eff0b4ff esp=f869e988 ebp=8271aeb8 iopl=0         nv up ei pl zr na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
SupaCemul!OpenComPort+0xa7:
eff0b4ff 8ad0 mov dl,al
Resetting default scope

STACK_TEXT:
f869e9a4 eff09d82 818cf600 8271aeb8 818cf538 SupaCemul!OpenComPort+0xa7 [c:\project\usb\supa\supacemul\comport.c @ 896]
f869e9c8 804ea221 818ce938 00000000 806ad1a8 SupaCemul!Dispatch+0x1e0 [c:\project\usb\supa\supacemul\dispatch.c @ 308]
f869e9d8 8062c190 818d10e8 8271aeb8 00000000 nt!IopfCallDriver+0x31
f869e9fc f89278ab 818d1030 8271afdc 8271aeb8 nt!IovCallDriver+0x9e
f869ea10 f89279f9 00000000 0171aeb8 81e8fd80 serenum!Serenum_DispatchPassThrough+0x63
f869ea38 804ea221 818d1030 818cf538 806ad1a8 serenum!Serenum_CreateClose+0x9f
f869ea48 8062c190 8271aec8 8271aeb8 81941c08 nt!IopfCallDriver+0x31
f869ea6c 80560609 818cf520 818cff6c f869ec18 nt!IovCallDriver+0x9e
f869eb50 8059a2c6 818cf538 00000000 818cfec8 nt!IopParseDevice+0xa4d
f869ebd8 80596c27 00000000 f869ec18 00000040 nt!ObpLookupObjectName+0x56a
f869ec2c 80553f0d 00000000 00000000 00000001 nt!ObOpenObjectByName+0xe9
f869eca8 80554688 0012f46c c0100080 0012f40c nt!IopCreateFile+0x407
f869ecf0 80556b3c 0012f46c c0100080 0012f40c nt!IoCreateFile+0x36
f869ed30 8052d571 0012f46c c0100080 0012f40c nt!NtCreateFile+0x2e
f869ed30 7ffe0304 0012f46c c0100080 0012f40c nt!KiSystemService+0xc4
0012f464 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


FAILED_INSTRUCTION_ADDRESS:
SupaCemul!OpenComPort+a7 [c:\project\usb\supa\supacemul\comport.c @ 896]
eff0b4ff 8ad0 mov dl,al

FOLLOWUP_IP:
SupaCemul!OpenComPort+a7 [c:\project\usb\supa\supacemul\comport.c @ 896]
eff0b4ff 8ad0 mov dl,al

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: SupaCemul!OpenComPort+a7

MODULE_NAME: SupaCemul

IMAGE_NAME: SupaCemul.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 40038fa1

STACK_COMMAND: .trap fffffffff869e914 ; kb

BUCKET_ID: 0xD1_CODE_AV_BAD_IP_SupaCemul!OpenComPort+a7

Followup: MachineOwner
---------

----------------------------- End Dump info -------------------------------------------------------

Re: Driver verifier issue in XP by Najas

Najas
Fri Jan 16 01:10:10 CST 2004

I managed to resolve this issue. Incidentally, the routine from which I try to acquire the spinlock was forcefully paged with #pragma alloc_text(page, xyz). Removing this paging solved the issue.

Regards,
Najas
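The mechanism behind this crash, and a check that would have caught it before Verifier did (an added example, not code from the SupaCemul driver or from the poster). With Driver Verifier's Force IRQL Checking option in force, every time the driver raises IRQL to DISPATCH_LEVEL or higher, Verifier trims all pageable kernel code and data out of memory. KeAcquireSpinLock raises to DISPATCH_LEVEL, so the trim runs while OpenComPort is executing; since OpenComPort itself lives in the PAGE section, the page it returns to is no longer resident when the acquire completes. The instruction fetch at eff0b4ff then faults at IRQL 2, which is fatal. That is why Arg1 (the address referenced) equals Arg4 (the faulting instruction address), and why !analyze files it under CODE_AV_BAD_IP: an access violation whose bad address is the instruction pointer itself. Without Verifier the page merely happens to stay resident, so the bug is latent rather than absent. The Python script below is a small source lint written for this thread: it reads every #pragma alloc_text(PAGE, ...) in a C file and flags pageable functions that acquire a spin lock or raise IRQL, or that lack a PAGED_CODE() assertion. SAMPLE_SOURCE is a constructed stand-in for comport.c; OpenComPort, Dispatch, PortLock and OpenCount are hypothetical names assumed for the illustration.

```python
"""Lint C source for functions placed in a PAGE section that run at DISPATCH_LEVEL.

Added example for the thread above, not the SupaCemul driver's code.
SAMPLE_SOURCE is a constructed stand-in for comport.c; OpenComPort,
Dispatch, PortLock and OpenCount are hypothetical names (assumption).
"""
import re

# APIs that leave the caller at DISPATCH_LEVEL or higher (or require it).
# A PAGE-section function that calls one of these can be paged out while
# it is still running at IRQL >= 2, which is the D1 pattern in the dump.
DISPATCH_LEVEL_APIS = (
    "KeAcquireSpinLock",
    "KeAcquireSpinLockAtDpcLevel",
    "KeAcquireInStackQueuedSpinLock",
    "IoAcquireCancelSpinLock",
    "KeRaiseIrql",
)

PRAGMA_RE = re.compile(
    r"#\s*pragma\s+alloc_text\s*\(\s*([A-Za-z_]\w*)\s*,\s*([^)]*)\)")


def strip_comments(src):
    """Drop /* */ and // comments so commented-out calls are not flagged."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", " ", src)


def pageable_functions(src):
    """Map function name -> section for each alloc_text pragma whose section
    starts with PAGE.  Case-insensitive: the poster's lowercase 'page'
    still produced a pageable section."""
    result = {}
    for section, names in PRAGMA_RE.findall(src):
        if section.upper().startswith("PAGE"):
            for name in (n.strip() for n in names.split(",")):
                if name:
                    result[name] = section
    return result


def function_body(src, name):
    """Return the text between the outer braces of name's definition, or None.
    A definition is name( params ) followed by '{'; prototypes and calls end
    in ';' and do not match.  Braces inside string literals are not handled."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^;{)]*\)\s*\{", src)
    if m is None:
        return None
    start = m.end() - 1          # index of the opening brace
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None


def check_source(src):
    """Return (function, section, problem) tuples for each pageable function
    that takes a spin lock / raises IRQL or lacks PAGED_CODE().  Note that
    PAGED_CODE() only catches a caller that *enters* at DISPATCH_LEVEL; it
    would not have caught this thread's bug, where the function raised IRQL
    itself.  The API check is the one that matters here."""
    src = strip_comments(src)
    findings = []
    for fn, section in pageable_functions(src).items():
        body = function_body(src, fn)
        if body is None:
            findings.append((fn, section, "definition not found in this file"))
            continue
        for api in DISPATCH_LEVEL_APIS:
            if re.search(r"\b" + api + r"\s*\(", body):
                findings.append((fn, section, f"calls {api} from pageable code"))
        if not re.search(r"\bPAGED_CODE\s*\(\s*\)", body):
            findings.append((fn, section, "missing PAGED_CODE()"))
    return findings


# Constructed stand-in for the poster's comport.c: OpenComPort sits in the
# PAGE section but acquires a spin lock, which is the bug they found.
SAMPLE_SOURCE = r"""
NTSTATUS OpenComPort(PDEVICE_EXTENSION Ext, PIRP Irp);

#pragma alloc_text(PAGE, Dispatch, OpenComPort)   /* bug: OpenComPort must stay non-paged */

NTSTATUS OpenComPort(PDEVICE_EXTENSION Ext, PIRP Irp)
{
    KIRQL oldIrql;
    KeAcquireSpinLock(&Ext->PortLock, &oldIrql);   /* raises to DISPATCH_LEVEL */
    Ext->OpenCount++;
    KeReleaseSpinLock(&Ext->PortLock, oldIrql);
    return STATUS_SUCCESS;
}

NTSTATUS Dispatch(PDEVICE_OBJECT Dev, PIRP Irp)
{
    PAGED_CODE();
    return OpenComPort(Dev->DeviceExtension, Irp);
}
"""

# The fix the poster applied: take OpenComPort out of the pageable section.
FIXED_SOURCE = SAMPLE_SOURCE.replace(
    "alloc_text(PAGE, Dispatch, OpenComPort)", "alloc_text(PAGE, Dispatch)")

if __name__ == "__main__":
    for label, src in (("before fix", SAMPLE_SOURCE), ("after fix", FIXED_SOURCE)):
        print(label, check_source(src) or "clean")
```

Run it over a real source tree by reading each .c file into check_source(); the script is deliberately regex-based, so functions defined in another file come back as "definition not found" and must be looked at by hand. In the debugger, `!verifier` shows which Verifier options were active on the crashed system, and `!pte eff0b4ff` shows the state of the faulting code page at the time of the crash.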

"Najas" <s_wilfred@no.spam.com> wrote in message
news:edw1Wva2DHA.3224@tk2msftngp13.phx.gbl...