I am allocating non-paged pool for each node in a linked list.
I copy a particular pattern of bytes (for example FFFFFFFF) into the first 4
bytes of the allocated pool.
Each time I retrieve a node from the linked list I compare the 4 bytes
against the byte pattern (RtlCompareMemory) and proceed further.
The crash occurs after about 3/4 hours.
Crash dump analysis by WinDbg gives the following details.
!analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffffc, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8080e074, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Could not read faulting driver name
READ_ADDRESS: fffffffc
FAULTING_IP:
nt!RtlCompareMemory+14
8080e074 f3a7 repe cmps dword ptr [esi],dword ptr es:[edi]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: wget.exe
LAST_CONTROL_TRANSFER: from ed9d0544 to 8080e074
STACK_TEXT:
ed414798 ed9d0544 fffffffc 85f01f08 00000004 nt!RtlCompareMemory+0x14 //Crash occurs here
-----------------------------------------------------------------------------------------
kd > !pool 8080e074
Pool page 8080e074 region is Unknown
GetUlongFromAddress: unable to read from 80894af0
8080e000 is not a valid small pool allocation, checking large pool...
unable to get pool big page table - either wrong symbols or pool tagging is disabled
8080e000 is freed (or corrupt) pool
Bad previous allocation size @8080e000, last size was 0
***
*** An error (or corruption) in the pool was detected;
*** Pool Region unknown (0xFFFFFFFF8080E000)
***
*** Use !poolval 8080e000 for more details.
***
---------------------------------------------------------------------------------------------------------------------------------------
Thanks
D V
Probably you had a NULL pointer, stepped back 4 bytes and called RtlCompareMemory.
--
Maxim S. Shatskih
Windows DDK MVP
ma...@storagecraft.com
http://www.storagecraft.com
"Devang" <deva...@gmail.com> wrote in message news:670f1adb-a32a-4a46...@z16g2000prd.googlegroups.com...
Hi,
Following are some code details.
////////////////// structure /////////////////////////////////////////
typedef struct __ch_expected
{
    ULONG value;
    LIST_ENTRY list;
    conn_basic_info *expected;
    LARGE_INTEGER timestamp;
} tch_expected;
//////////////////////////////////////////////////////////
//////// Insert node in list ///////////////////////
tch_expected *n_exp = (tch_expected *) ExAllocatePoolWithTag(NonPagedPool, sizeof(tch_expected), PLG_TAG);
if(!n_exp)
{
    return -1;
}
ULONG val = 0xFFFFFFFF;
RtlCopyMemory(n_exp, &val, sizeof(ULONG));
InsertTailList(tch_expected_head, &n_exp->list);
////////////////////////////////////////////////////////
/////////////// Go through linked list ////////////////////
pList = tch_expected_head->Flink;
while(pList != tch_expected_head)
{
    tch_expected *exp = NULL;
    exp = (tch_expected *) CONTAINING_RECORD(pList, tch_expected, list);
    DbgPrint("%x", *(exp)); // Here it prints correct values: exp & val both print value FFFFFFFF
    DbgPrint("%x", *(val));
    if(exp != NULL)
    {
        if(RtlCompareMemory(exp, val, sizeof(ULONG)) == sizeof(ULONG))
        {
            DbgPrint("Rtl compare memory ****************************************");
            ....................................................
        }
    }
    pList = pList->Flink;
}
///////////////////////////////////////////////////////////////////
But it crashes at
if(RtlCompareMemory(exp, val, sizeof(ULONG)) == sizeof(ULONG))
after about 3/4 hours.
Thanks,
D V
Should be "&val", not "val"
Hi,
Thanks.
I changed my code part "/////////////// Go through linked list ////////////////////" as follows.
ULONG *val = NULL;
val = (ULONG *) ExAllocatePoolWithTag(NonPagedPool, sizeof(ULONG), PLG_TAG);
if(val != NULL)
{
    RtlFillMemory(val, sizeof(ULONG), 0xFF);
    while(pList != tch_expected_head)
    {
        tch_expected *exp = NULL;
        exp = (tch_expected *) CONTAINING_RECORD(pList, tch_expected, list);
        DbgPrint("-------------------------------------------");
        DbgPrint("%x", *(exp));
        DbgPrint("%x", *(val));
        DbgPrint("-------------------------------------------");
        if(exp != NULL)
        {
            //if(__tch_exp_cmp(tuple, &exp->expected->tuple_hash[CONNECTION_ORIG].tuple))
            //ULONG val = 0xFFFFFFFF;
            if(RtlCompareMemory(exp, val, sizeof(ULONG)) == sizeof(ULONG)){
                ............................
                ..............................
            }
        }
    }
}
It still crashes at the same location after running successfully for some time.
Thanks,
D V
Hi,
I found that in every crash dump the following is the same:
Arg3: 8080e074, If non-zero, the instruction address which referenced the bad memory.
Any suggestion will be helpful.
Thanks,
D V
Why on earth would you write it that way, instead of the clearer and more obvious statement:
n_exp->value = 0xFFFFFFFF;
And are you checking the output of this function to make sure you don't get a -1?
>/////////////// Go through linked list ////////////////////
>
>pList = tch_expected_head->Flink;
>
>while(pList != tch_expected_head)
>{
>    tch_expected *exp = NULL;
>
>    exp = (tch_expected *) CONTAINING_RECORD(pList, tch_expected, list);
>
>    DbgPrint("%x", *(exp)); // Here it prints correct values: exp & val both print value FFFFFFFF
>    DbgPrint("%x", *(val));
Again, why not just exp->value and val->value? These statements are passing the entire structure to DbgPrint!
> if(exp != NULL)
> {
>
> if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))
if( exp->value == val->value )
> {
> DbgPrint("Rtl compare memory
>****************************************");
> ....................................................
> }
> }
> pList = pList->FLink;
>
>}
>
>///////////////////////////////////////////////////////////////////
>
>
>But crashes at
>
>if(RtlCompareMemory(exp,val,sizeof(ULONG)) == sizeof(ULONG))
>
>after about 3/4 hours.
Doesn't it seem glaringly obvious that you are running out of memory? Have you actually trapped this in WinDbg so you can find out the current state of your list?
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.