AVStream BSOD Issues

  • Question

  • We are debugging an AVStream minidriver. The minidriver was taken from WDK 10 (AVsHws.sys).
    Sometimes, when the camera is opened, the system bugchecks (BSOD) as shown below:

    1. Bugcheck 0x139 in DeleteStreamPointer
    1.   *******************************************************************************
    2.   * *
    3.   * Bugcheck Analysis *
    4.   * *
    5.   *******************************************************************************
    6.   
    7.   KERNEL_SECURITY_CHECK_FAILURE (139)
    8.   A kernel component has corrupted a critical data structure. The corruption
    9.   could potentially allow a malicious user to gain control of this machine.
    10.  Arguments:
    11.  Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
    12.  Arg2: ffffa70027d47900, Address of the trap frame for the exception that caused the bugcheck
    13.  Arg3: ffffa70027d47858, Address of the exception record for the exception that caused the bugcheck
    14.  Arg4: 0000000000000000, Reserved
    15.  
    16.  Debugging Details:
    17.  ------------------
    18.  
    19.  
    20.  TRAP_FRAME: ffffa70027d47900 -- (.trap 0xffffa70027d47900)
    21.  NOTE: The trap frame does not contain all registers.
    22.  Some register values may be zeroed or incorrect.
    23.  rax=ffffbe88f20c4410 rbx=0000000000000000 rcx=0000000000000003
    24.  rdx=ffffbe88f20c4430 rsi=0000000000000000 rdi=0000000000000000
    25.  rip=fffff80d09e2bfd4 rsp=ffffa70027d47a90 rbp=0000000000000000
    26.  r8=0000000000000001 r9=0000000000000020 r10=0000000000000001
    27.  r11=00000000000003aa r12=0000000000000000 r13=0000000000000000
    28.  r14=0000000000000000 r15=0000000000000000
    29.  iopl=0 nv up ei pl nz na po cy
    30.  ks!CKsQueue::DeleteStreamPointer+0x1a4:
    31.  fffff80d`09e2bfd4 cd29 int 29h
    32.  Resetting default scope
    33.  
    34.  EXCEPTION_RECORD: ffffa70027d47858 -- (.exr 0xffffa70027d47858)
    35.  ExceptionAddress: fffff80d09e2bfd4 (ks!CKsQueue::DeleteStreamPointer+0x00000000000001a4)
    36.  ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
    37.  ExceptionFlags: 00000001
    38.  NumberParameters: 1
    39.  Parameter[0]: 0000000000000003
    40.  
    41.  DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
    42.  
    43.  BUGCHECK_STR: 0x139
    44.  
    45.  PROCESS_NAME: System
    46.  
    47.  CURRENT_IRQL: 2
    48.  
    49.  ERROR_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
    50.  
    51.  EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - <Unable to get error code text>
    52.  
    53.  EXCEPTION_PARAMETER1: 0000000000000003
    54.  
    55.  ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
    56.  
    57.  LAST_CONTROL_TRANSFER: from fffff80023f64129 to fffff80023f58f90
    58.  
    59.  STACK_TEXT: 
    60.  ffffa700`27d475d8 fffff800`23f64129 : 00000000`00000139 00000000`00000003 ffffa700`27d47900 ffffa700`27d47858 : nt!KeBugCheckEx
    61.  ffffa700`27d475e0 fffff800`23f64490 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
    62.  ffffa700`27d47720 fffff800`23f63473 : ffffbe88`f6663010 fffff80d`09e24001 ffffbe88`f6663010 ffffbe88`f6663010 : nt!KiFastFailDispatch+0xd0
    63.  ffffa700`27d47900 fffff80d`09e2bfd4 : ffffbe88`f1f3a840 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0xf3
    64.  ffffa700`27d47a90 fffff80d`09fc110f : ffffbe88`f1f3a8a0 ffffbe88`f4bd75b0 00000000`00000000 00000000`0000009c : ks!CKsQueue::DeleteStreamPointer+0x1a4
    65.  ffffa700`27d47ae0 fffff80d`09fc1a25 : 00000000`00006719 fffff80d`09fc8018 ffffbe88`f2868810 ffffbe88`f2868810 : HDMI!CCapturePin::CompleteMappings+0xd7 [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\capture.cpp @ 1512]
    66.  ffffa700`27d47b10 fffff80d`09fc1453 : fffff80d`09fc7fb0 ffffbe88`f2868810 fffff80d`09fc8018 ffffbe88`f2868810 : HDMI!FpgaVideo::ProcessBuffers+0x45 [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\fpgavideo.cpp @ 897]
    67.  ffffa700`27d47b40 fffff800`23eab4bd : ffffbe88`f2c16040 fffff800`00000003 00000000`00000080 ffffbe88`f2c16040 : HDMI!PollingThreadRoutine+0x15f [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\device.cpp @ 274]
    68.  ffffa700`27d47b90 fffff800`23f5e456 : fffff800`24151180 ffffbe88`f2c16040 fffff800`23eab47c ffffbe88`f29c5da8 : nt!PspSystemThreadStartup+0x41
    69.  ffffa700`27d47be0 00000000`00000000 : ffffa700`27d48000 ffffa700`27d41000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    70.  
    71.  
    72.  STACK_COMMAND: kb
    73.  
    74.  FOLLOWUP_IP: 
    75.  ks!CKsQueue::DeleteStreamPointer+1a4
    76.  fffff80d`09e2bfd4 cd29 int 29h
    77.  
    78.  SYMBOL_STACK_INDEX: 4
    79.  
    80.  SYMBOL_NAME: ks!CKsQueue::DeleteStreamPointer+1a4
    81.  
    82.  FOLLOWUP_NAME: MachineOwner
    83.  
    84.  MODULE_NAME: ks
    85.  
    86.  IMAGE_NAME: ks.sys
    87.  
    88.  DEBUG_FLR_IMAGE_TIMESTAMP: 57899ad2
    89.  
    90.  BUCKET_ID_FUNC_OFFSET: 1a4
    91.  
    92.  FAILURE_BUCKET_ID: 0x139_3_ks!CKsQueue::DeleteStreamPointer
    93.  
    94.  BUCKET_ID: 0x139_3_ks!CKsQueue::DeleteStreamPointer
    95.  
    96.  ANALYSIS_SOURCE: KM
    97.  
    98.  FAILURE_ID_HASH_STRING: km:0x139_3_ks!cksqueue::deletestreampointer
    99.  
    100. FAILURE_ID_HASH: {657522b9-e579-6744-b54f-b37897c8fd18}
    101. 
    102. Followup: MachineOwner


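    2. Bugcheck 0x139 reported in KsProcessPinUpdate (this dump is bucketed WRONG_SYMBOLS, so the ks/nt frame names in it may be inaccurate)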
     MODULE_NAME: ks

    FAULTING_MODULE: fffff801f7813000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  57899ad2

    TRAP_FRAME:  ffffd901cbb96900 -- (.trap 0xffffd901cbb96900)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffff80051d6bbdb0 rbx=0000000000000000 rcx=0000000000000003
    rdx=ffff80051d6bbdd0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80b3899bfd4 rsp=ffffd901cbb96a90 rbp=0000000000000000
    r8=000000000000082f  r9=000000000000002f r10=fffff801f8035c40
    r11=fffff801f7813000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na po cy
    ks!KsProcessPinUpdate+0x1394:
    fffff80b`3899bfd4 cd29            int     29h
    Resetting default scope

    EXCEPTION_RECORD:  ffffd901cbb96858 -- (.exr 0xffffd901cbb96858)
    ExceptionAddress: fffff80b3899bfd4 (ks!KsProcessPinUpdate+0x0000000000001394)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000003

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    BUGCHECK_STR:  0x139

    CURRENT_IRQL:  0

    ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

    LAST_CONTROL_TRANSFER:  from fffff801f7968129 to fffff801f795cf90

    STACK_TEXT:  
    ffffd901`cbb965d8 fffff801`f7968129 : 00000000`00000139 00000000`00000003 ffffd901`cbb96900 ffffd901`cbb96858 : nt!KeBugCheckEx
    ffffd901`cbb965e0 fffff801`f7968490 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x3f69
    ffffd901`cbb96720 fffff801`f7967473 : ffffd901`cbb969b0 00000000`00000000 ffff8005`20d3ea70 ffff8005`2071bb80 : nt!setjmpex+0x42d0
    ffffd901`cbb96900 fffff80b`3899bfd4 : ffff8005`20955bd0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x32b3
    ffffd901`cbb96a90 fffff80b`3867110f : ffff8005`20955c30 ffff8005`203768e0 00000000`00000000 00000000`000000ae : ks!KsProcessPinUpdate+0x1394
    ffffd901`cbb96ae0 fffff80b`38671a25 : 00000000`000000c4 fffff80b`38678018 ffff8005`1dff2460 ffff8005`1dff2460 : HDMI!CCapturePin::CompleteMappings+0xd7 [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\capture.cpp @ 1512]
    ffffd901`cbb96b10 fffff80b`38671453 : fffff80b`38677fb0 ffff8005`1dff2460 fffff80b`38678018 ffff8005`1dff2460 : HDMI!FpgaVideo::ProcessBuffers+0x45 [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\fpgavideo.cpp @ 897]
    ffffd901`cbb96b40 fffff801`f78af4bd : ffff8005`1e0dc040 fffff801`00000003 00000000`00000080 ffff8005`1e0dc040 : HDMI!PollingThreadRoutine+0x15f [e:\liwei\workspace\windriver\gillfpgadrv\devices\commonsrc\device.cpp @ 274]
    ffffd901`cbb96b90 fffff801`f7962456 : ffffd901`ca940180 ffff8005`1e0dc040 fffff801`f78af47c ffffb481`6c52da00 : nt!KeCountSetBitsAffinityEx+0xb7d
    ffffd901`cbb96be0 00000000`00000000 : ffffd901`cbb97000 ffffd901`cbb90000 00000000`00000000 00000000`00000000 : nt!KeSynchronizeExecution+0x45d6


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    ks!KsProcessPinUpdate+1394
    fffff80b`3899bfd4 cd29            int     29h

    SYMBOL_STACK_INDEX:  4

    SYMBOL_NAME:  ks!KsProcessPinUpdate+1394

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  ks.sys

    BUCKET_ID:  WRONG_SYMBOLS

    FAILURE_BUCKET_ID:  WRONG_SYMBOLS

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:wrong_symbols

    FAILURE_ID_HASH:  {70b057e8-2462-896f-28e7-ac72d4d365f8}

    Followup: MachineOwner

    Could anybody give some help?

    Thursday, April 27, 2017 8:23 AM

All replies

  • Could anybody give me some help?
    Tuesday, May 2, 2017 7:07 AM
  • void
    CCapturePin::
    CompleteMappings (
        IN ULONG NumMappings
        )

    /*++

    Routine Description:

        Called to notify the pin that a given number of scatter / gather
        mappings have completed.  Let the buffers go if possible.
        We're called at DPC.

        The routine walks the pin's clone stream pointers in order.  For
        each clone whose mappings are finished it fills in the stream
        header (duration, timestamp, frame info), deletes the clone so the
        buffer is released, and moves on; for a partially completed clone
        it advances the clone's offsets and stops.

        NOTE(review): this routine takes no lock of its own while walking
        and deleting clones.  In the crash stacks posted in this thread it
        is reached from HDMI!PollingThreadRoutine (a system thread), with
        CURRENT_IRQL reported as 2 in one dump and 0 in the other, and the
        bugcheck is 0x139 with Arg1 = 3 (LIST_ENTRY corrupted, i.e. double
        remove).  That is consistent with the same clone being removed
        twice, or with the clone list changing underneath this walk --
        confirm what serializes this routine against every other path
        that deletes clones or touches the pin's queue (for example the
        processing dispatch, pin state changes, or a second completion
        caller).

    Arguments:

        NumMappings -
            The number of mappings that have completed.

    Return Value:

        None

    --*/

    {

        ULONG MappingsRemaining = NumMappings;

        //
        // Walk through the clones list and delete clones whose time has come.
        // The list is guaranteed to be kept in the order they were cloned.
        //
        PKSSTREAM_POINTER Clone = KsPinGetFirstCloneStreamPointer (m_Pin);

        while (MappingsRemaining && Clone) {

            //
            // Fetch the successor now: Clone may be deleted further down and
            // must not be dereferenced after that.
            // NOTE(review): NextClone is only safe to use later if nothing
            // else can delete it while this iteration runs -- confirm.
            //
            PKSSTREAM_POINTER NextClone = KsStreamPointerGetNextClone (Clone);

    #if defined(_X86_)
            //
            // Count up the number of bytes we've completed and mark this
            // in the Stream Header.  In mapped queues 
            // (KSPIN_FLAG_GENERATE_MAPPINGS), this is the responsibility of
            // the minidriver.  In non-mapped queues, AVStream performs this.
            //
            // The count is clamped to the mappings left in this clone so the
            // loop below never indexes past OffsetOut.Remaining entries.
            //
            ULONG MappingsToCount = 
                (MappingsRemaining > Clone -> OffsetOut.Remaining) ?
                     Clone -> OffsetOut.Remaining :
                     MappingsRemaining;

            //
            // Update DataUsed according to the mappings.
            //
            for (ULONG CurMapping = 0; CurMapping < MappingsToCount; CurMapping++) {
                Clone -> StreamHeader -> DataUsed +=
                    Clone -> OffsetOut.Mappings [CurMapping].ByteCount;
            }
    #endif

            // 
            // If we have completed all remaining mappings in this clone, it
            // is an indication that the clone is ready to be deleted and the
            // buffer released.  Set anything required in the stream header which
            // has not yet been set.  If we have a clock, we can timestamp the
            // sample.
            //
            // The completion test differs per build: non-x86 compares
            // DataUsed against OffsetOut.Remaining, x86 compares the number
            // of completed mappings against it.
            // NOTE(review): on non-x86 builds this routine never writes
            // DataUsed (the accumulation loop above is _X86_ only), so the
            // test depends on a value set elsewhere -- confirm where.
            //
    #if !defined(_X86_)
            if (Clone -> StreamHeader -> DataUsed >= Clone -> OffsetOut.Remaining) {
    #else
            if (MappingsRemaining >= Clone -> OffsetOut.Remaining) {
    #endif
                Clone -> StreamHeader -> Duration =
                    m_VideoInfoHeader -> AvgTimePerFrame;

                // Numerator and Denominator are both set to 1.
                Clone -> StreamHeader -> PresentationTime.Numerator =
                    Clone -> StreamHeader -> PresentationTime.Denominator = 1;

                //
                // If a clock has been assigned, timestamp the packets with the
                // time shown on the clock. 
                //
                if (m_Clock) {

                    LONGLONG ClockTime = m_Clock -> GetTime ();

                    Clone -> StreamHeader -> PresentationTime.Time = ClockTime;

                    Clone -> StreamHeader -> OptionsFlags =
                        KSSTREAM_HEADER_OPTIONSF_TIMEVALID |
                        KSSTREAM_HEADER_OPTIONSF_DURATIONVALID;

                } else {
         //
         // If there is no clock, don't time stamp the packets.
         // (OptionsFlags is left untouched on this path.)
         //
         Clone -> StreamHeader -> PresentationTime.Time = 0;

                }

                //
                // Increment the frame number.  This is the total count of frames which
                // have attempted capture.
                //
                m_FrameNumber++;

                //
                // Double check the Stream Header size.  AVStream makes no guarantee
                // that because StreamHeaderSize is set to a specific size that you
                // will get that size.  If the proper data type handlers are not 
                // installed, the stream header will be of default size.
                //
                // This size test is what keeps the KS_FRAME_INFO write below
                // inside the header allocation; do not remove it.
                //
                if ( Clone -> StreamHeader -> Size >= sizeof (KSSTREAM_HEADER) +
                    sizeof (KS_FRAME_INFO)) {

                    // The frame info is read from the bytes immediately after
                    // the KSSTREAM_HEADER.
                    PKS_FRAME_INFO FrameInfo = reinterpret_cast <PKS_FRAME_INFO> (
                        Clone -> StreamHeader + 1
                        );

                    FrameInfo -> ExtendedHeaderSize = sizeof (KS_FRAME_INFO);
                    FrameInfo -> dwFrameFlags       = KS_VIDEO_FLAG_FRAME;
                    FrameInfo -> PictureNumber      = (LONGLONG)m_FrameNumber;

                    // I don't really have a way to tell if the device has dropped a frame 
                    // or was not able to send a frame on time.
                    FrameInfo -> DropCount = (LONGLONG)m_DroppedFrames;
                }


                //
                // If all of the mappings in this clone have been completed,
                // delete the clone.  We've already updated DataUsed above
                // (in the _X86_ build; the non-x86 build only decrements the
                // remaining count by one here).
                //

    #if !defined(_X86_)
                MappingsRemaining--;
    #else
                MappingsRemaining -= Clone -> OffsetOut.Remaining;
    #endif
                //
                // Poster's question: is this the crashing call, given that
                // the code comes from the WDK sample?  Clone is non-NULL here
                // (the loop condition guarantees it), but non-NULL does not
                // mean the clone is still linked in the queue.
                //
                // NOTE(review): both posted stacks fail inside ks.sys directly
                // below CompleteMappings+0xd7 (capture.cpp @ 1512), and the
                // first dump names that frame ks!CKsQueue::DeleteStreamPointer,
                // so this delete is the likely site -- confirm that line 1512
                // is this call.  The int 29h fast-fail is the kernel stopping
                // on a failed LIST_ENTRY check instead of continuing with a
                // corrupted list; treat it as a symptom of a double delete or
                // an unserialized caller, not as something a NULL test here
                // would cure.
                //
                KsStreamPointerDelete (Clone);

            } else {
                //
                // If only part of the mappings in this clone have been completed,
                // update the pointers.  Since we're guaranteed this won't advance
                // to a new frame by the check above, it won't fail.
                //
                // The return status is deliberately discarded on that basis.
                //
    #if !defined(_X86_)
                (void)KsStreamPointerAdvanceOffsets (
                    Clone,
                    0,
                    Clone -> StreamHeader -> DataUsed,
                    FALSE
                    );

    #else
                (void)KsStreamPointerAdvanceOffsets (
                    Clone,
                    0,
                    MappingsRemaining,
                    FALSE
                    );

    #endif
                // A partially completed clone ends the walk.
                MappingsRemaining = 0;

            }

            //
            // Go to the next clone.
            //
            Clone = NextClone;

        }

        //
        // If we've used all the mappings in hardware and pended, we can kick
        // processing to happen again if we've completed mappings.
        //
        // NOTE(review): the flag is assigned TRUE inside a test that it is
        // already non-zero, so this routine never clears it -- confirm that
        // matches the intended pend / resume handshake with the processing
        // dispatch.  The second argument TRUE asks for asynchronous
        // processing.
        //
        if (m_PendIo) {
            m_PendIo = TRUE;
            KsPinAttemptProcessing (m_Pin, TRUE);
        }

    }

    Tuesday, May 2, 2017 10:54 AM