PAGE_FAULT_IN_NONPAGED_AREA (50) - RtlCompareMemory


Devang

May 22, 2009, 1:45:20 AM5/22/09
Hi

I am allocating non-paged pool for each node in a linked list.
I copy a particular pattern of bytes (for example FFFFFFFF) into the first 4
bytes of the allocated pool.
And each time I retrieve a node from the linked list I compare the 4 bytes
against the byte pattern (RtlCompareMemory) and proceed further.

Crash occurs after about 3/4 hours.

Crash dump analysis by WinDbg gives the following details.

!analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                           Bugcheck Analysis                                 *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffffc, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8080e074, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)


Could not read faulting driver name

READ_ADDRESS: fffffffc

FAULTING_IP:
nt!RtlCompareMemory+14
8080e074 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: wget.exe

LAST_CONTROL_TRANSFER: from ed9d0544 to 8080e074

STACK_TEXT:
ed414798 ed9d0544 fffffffc 85f01f08 00000004 nt!RtlCompareMemory+0x14 // Crash occurs here
-----------------------------------------------------------------------------------------

kd > !pool 8080e074
Pool page 8080e074 region is Unknown
GetUlongFromAddress: unable to read from 80894af0
8080e000 is not a valid small pool allocation, checking large pool...
unable to get pool big page table - either wrong symbols or pool
tagging is disabled
8080e000 is freed (or corrupt) pool
Bad previous allocation size @8080e000, last size was 0

***
*** An error (or corruption) in the pool was detected;
*** Pool Region unknown (0xFFFFFFFF8080E000)
***
*** Use !poolval 8080e000 for more details.
***
---------------------------------------------------------------------------------------------------------------------------------------

Thanks
D V

Maxim S. Shatskih

May 22, 2009, 4:39:04 AM5/22/09
You passed the pointer value of -4 to RtlCompareMemory.

Probably you had a NULL pointer, stepped back 4 bytes and called RtlCompareMemory.

--
Maxim S. Shatskih
Windows DDK MVP
ma...@storagecraft.com
http://www.storagecraft.com

"Devang" <deva...@gmail.com> wrote in message news:670f1adb-a32a-4a46...@z16g2000prd.googlegroups.com...

Devang

May 22, 2009, 5:44:31 AM5/22/09
On May 22, 1:39 pm, "Maxim S. Shatskih" <ma...@storagecraft.com.no.spam> wrote:
>     You passed the pointer value of -4 to RtlCompareMemory.
>
>     Probably you had a NULL pointer, stepped back 4 bytes and called RtlCompareMemory.
>
> --
> Maxim S. Shatskih
> Windows DDK MVP
> ma...@storagecraft.com
> http://www.storagecraft.com
>
> "Devang" <devang...@gmail.com> wrote in message news:670f1adb-a32a-4a46...@z16g2000prd.googlegroups.com...

Hi,

Following are some code details.

////////////////// structure /////////////////////////////////////////
typedef struct __ch_expected
{
    ULONG value;                 // sentinel pattern, set when the node is allocated
    LIST_ENTRY list;
    conn_basic_info *expected;
    LARGE_INTEGER timestamp;
} tch_expected;
//////////////////////////////////////////////////////////

//////// Insert node in list ///////////////////////
tch_expected *n_exp = (tch_expected *) ExAllocatePoolWithTag(NonPagedPool, sizeof(tch_expected), PLG_TAG);

if (!n_exp)
{
    return -1;
}

ULONG val = 0xFFFFFFFF;
RtlCopyMemory(n_exp, &val, sizeof(ULONG));   // writes the pattern over the first 4 bytes (the value field)

InsertTailList(tch_expected_head, &n_exp->list);
////////////////////////////////////////////////////////

/////////////// Go through linked list ////////////////////

pList = tch_expected_head->FLink;

while (pList != tch_expected_head)
{
    tch_expected *exp = NULL;

    exp = (tch_expected *) CONTAINING_RECORD(pList, tch_expected, list);

    DbgPrint("%x", *(exp));   // Here it prints correct values: exp & val both print value FFFFFFFF
    DbgPrint("%x", *(val));

    if (exp != NULL)
    {
        if (RtlCompareMemory(exp, val, sizeof(ULONG)) == sizeof(ULONG))
        {
            DbgPrint("Rtl compare memory ****************************************");
            ....................................................
        }
    }
    pList = pList->FLink;
}

///////////////////////////////////////////////////////////////////


But crashes at

if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))

after about 3/4 hours.

Thanks,
D V

Maxim S. Shatskih

May 22, 2009, 6:02:11 AM5/22/09
> if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))

Should be "&val", not "val"

Devang

May 23, 2009, 1:39:20 AM5/23/09
On May 22, 3:02 pm, "Maxim S. Shatskih"

Hi

Thanks

I changed my code part "/////////////// Go through linked list ////////////////////" as follows.

ULONG *val = NULL;
val = (ULONG *) ExAllocatePoolWithTag(NonPagedPool, sizeof(ULONG), PLG_TAG);

if (val != NULL)
{
    RtlFillMemory(val, sizeof(ULONG), 0xFF);   // val now points at the pattern FFFFFFFF

    while (pList != tch_expected_head)
    {
        tch_expected *exp = NULL;

        exp = (tch_expected *) CONTAINING_RECORD(pList, tch_expected, list);

        DbgPrint("-------------------------------------------");
        DbgPrint("%x", *(exp));
        DbgPrint("%x", *(val));
        DbgPrint("-------------------------------------------");

        if (exp != NULL)
        {
            //if(__tch_exp_cmp(tuple, &exp->expected->tuple_hash[CONNECTION_ORIG].tuple))
            //ULONG val = 0xFFFFFFFF;

            if (RtlCompareMemory(exp, val, sizeof(ULONG)) == sizeof(ULONG)) {
                ............................
                ..............................
            }
        }
    }
}

It still crashes at the same location after running successfully for
some time.

Thanks,
D V

Devang

May 23, 2009, 1:48:07 AM5/23/09
On May 22, 3:02 pm, "Maxim S. Shatskih"

Hi,

I found that in every crash dump the following is the same.

Arg3: 8080e074, If non-zero, the instruction address which referenced the bad memory.

Any suggestion will be helpful.


Thanks,
D V

Tim Roberts

May 25, 2009, 12:20:21 AM5/25/09
Devang <deva...@gmail.com> wrote:
>
>Following are some code details.
>...

>//////// Insert node in list ///////////////////////
>tch_expected *n_exp = (tch_expected *) ExAllocatePoolWithTag
>(NonPagedPool,sizeof(tch_expected),PLG_TAG);
>
>if(!n_exp)
>{
> return -1;
>}
>
>ULONG val = 0xFFFFFFFF;
>RtlCopyMemory(n_exp,&val,sizeof(ULONG));

Why on earth would you write it that way, instead of the clearer and more
obvious statement:

n_exp->value = 0xFFFFFFFF;

And are you checking the output of this function to make sure you don't get
a -1?


>/////////////// Go through linked list ////////////////////
>
>pList = tch_expected_head->FLink;
>
>while(pList != tch_expected_head)
>{
> tch_expected *exp = NULL;
>
> exp = (tch_expected *) CONTAINING_RECORD
>(pList,tch_expected,list);
>
> DbgPrint("%x",*(exp)); // Here it prints correct values exp & val
>both prints value FFFFFFFF
> DbgPrint("%x",*(val));

Again, why not just exp->value and val->value? These statements are
passing the entire structure to DbgPrint!

> if(exp != NULL)
> {
>
> if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))

if( exp->value == val->value )

> {
> DbgPrint("Rtl compare memory
>****************************************");
> ....................................................
> }
> }
> pList = pList->FLink;
>
>}
>
>///////////////////////////////////////////////////////////////////
>
>
>But crashes at
>
>if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))
>
>after about 3/4 hours.

Doesn't it seem glaringly obvious that you are running out of memory? Have
you actually trapped this in WinDbg so you can find out the current state
of your list?
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.
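Maxim's reading of the dump (a NULL pointer stepped back by the field offset, giving the fffffffc read address) and his "&val" fix, as an added user-mode C example that is not from any of the posts above: LIST_ENTRY, CONTAINING_RECORD and the node layout are recreated locally (assumptions), memcmp stands in for RtlCompareMemory, and the list walk reports a NULL link instead of stepping back from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* User-mode stand-ins for the kernel list types and macro (constructed here). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct {
    uint32_t value;       /* sentinel pattern written when the node is allocated */
    LIST_ENTRY list;
} tch_expected;
#define EXPECTED_PATTERN 0xFFFFFFFFu

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}

/* The address CONTAINING_RECORD yields for a NULL link: 0 minus the field offset,
   which is 0xfffffffc on a 32-bit build, the READ_ADDRESS seen in the dump. */
uintptr_t containing_record_of_null(void) {
    return (uintptr_t)0 - offsetof(tch_expected, list);
}

/* Walk the list counting nodes whose sentinel matches. A NULL link is reported
   as -1 rather than being handed to CONTAINING_RECORD and then dereferenced. */
int count_expected(LIST_ENTRY *head) {
    int matches = 0;
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        if (p == NULL) return -1;
        tch_expected *exp = CONTAINING_RECORD(p, tch_expected, list);
        uint32_t pattern = EXPECTED_PATTERN;
        /* the thread's RtlCompareMemory check, passing the pattern's address */
        if (memcmp(&exp->value, &pattern, sizeof pattern) == 0) matches++;
    }
    return matches;
}

/* Three nodes, one deliberately off-pattern; optionally clear a link to NULL
   to stand in for a node that was freed or overwritten while still linked. */
int demo(int corrupt_link) {
    LIST_ENTRY head; tch_expected nodes[3];
    list_init(&head);
    for (int i = 0; i < 3; i++) { nodes[i].value = EXPECTED_PATTERN; insert_tail(&head, &nodes[i].list); }
    nodes[1].value = 0x12345678u;
    if (corrupt_link) nodes[2].list.Flink = NULL;
    return count_expected(&head);
}
```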
