windows 8.1 crash in umpo.dll

  • Question

  • Hi,

    I am developing a Windows battery miniclass driver. The driver loads successfully, but after a restart the Windows login screen shows "RPC server not available".

    After attaching a debugger, it shows a crash in umpo.dll. Attaching the crash and stack traces:

    The instruction at 77E9C466 tried to write to an invalid address, 00000014

     *** enter .exr 00F4F210 for the exception record
     ***  enter .cxr 00F4F22C for the context
     *** then kb to get the faulting stack

    Break instruction exception - code 80000003 (first chance)
    ntdll!RtlUnhandledExceptionFilter2+0x2bf:
    001b:77f2ee8d cc              int     3
    0: kd> !analyze -v
    Connected to Windows 8 9600 x86 compatible target at (Mon Oct 13 12:41:55.098 2014 (UTC + 5:30)), ptr64 FALSE
    Loading Kernel Symbols
    .......................

    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.

    ........................................
    ................................................................
    .............
    Loading User Symbols
    ..................
    Loading unloaded module list
    ..............
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************


    FAULTING_IP: 
    ntdll!RtlpWaitOnCriticalSection+ac
    001b:77e9c466 ff4014          inc     dword ptr [eax+14h]

    EXCEPTION_RECORD:  00f4f210 -- (.exr 0xf4f210)
    ExceptionAddress: 77e9c466 (ntdll!RtlpWaitOnCriticalSection+0x000000ac)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 00000014
    Attempt to write to address 00000014

    CONTEXT:  00f4f22c -- (.cxr 0xf4f22c;r)
    eax=00000000 ebx=00000104 ecx=fffffffc edx=00000000 esi=74d9b0a0 edi=00000000
    eip=77e9c466 esp=00f4f510 ebp=00f4f570 iopl=0         nv up ei pl nz ac po cy
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
    ntdll!RtlpWaitOnCriticalSection+0xac:
    001b:77e9c466 ff4014          inc     dword ptr [eax+14h] ds:0023:00000014=????????
    Last set context:
    eax=00000000 ebx=00000104 ecx=fffffffc edx=00000000 esi=74d9b0a0 edi=00000000
    eip=77e9c466 esp=00f4f510 ebp=00f4f570 iopl=0         nv up ei pl nz ac po cy
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010213
    ntdll!RtlpWaitOnCriticalSection+0xac:
    001b:77e9c466 ff4014          inc     dword ptr [eax+14h] ds:0023:00000014=????????
    Resetting default scope

    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  00000000

    EXCEPTION_PARAMETER3:  00000000

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  svchost.exe

    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

    WRITE_ADDRESS:  00000014 

    FOLLOWUP_IP: 
    umpo!UmpoPowerRequestOverridePolicyUpdate+19
    001b:74d964f9 85f6            test    esi,esi

    DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

    FAULTING_THREAD:  00000001

    PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

    BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

    LAST_CONTROL_TRANSFER:  from 77e89680 to 77e9c466

    STACK_TEXT:  
    00f4f570 77e89680 00000002 00000001 74d9b0a0 ntdll!RtlpWaitOnCriticalSection+0xac
    00f4f598 77e895d2 00f4f5c0 74d964f9 74d9b0a0 ntdll!RtlpEnterCriticalSectionContended+0xa0
    00f4f5a0 74d964f9 74d9b0a0 010a01b8 00f4f5e0 ntdll!RtlEnterCriticalSection+0x42
    00f4f5b4 74d964d6 00f4f5e0 00f4f5cc 74d853fe umpo!UmpoPowerRequestOverridePolicyUpdate+0x19
    00f4f5c0 74d853fe 00f4f5e0 00f4fa4c 75853536 umpo!UmpoNotificationHandler+0x79
    00f4f5cc 75853536 00000000 00008013 00f4f5e0 umpoext!UmpoInternalPowerNotificationCallback+0xe
    00f4fa4c 77e7941b a3bc4045 41c64e6d 00000001 powrprof!PowerpSettingCallback+0x208
    00f4fafc 77e791d9 00000000 00000000 010a0188 ntdll!RtlpWnfWalkUserSubscriptionList+0x18d
    00f4fb20 77e790c6 01072b38 00f4fbf0 00000000 ntdll!RtlpWnfProcessCurrentDescriptor+0xaf
    00f4fb48 77e7cd03 00f4fbf0 000000c4 01072b38 ntdll!RtlpWnfNotificationThread+0x82
    00f4fb70 77e7cc77 00000000 00000000 01072c10 ntdll!TppExecuteWaitCallback+0x5f
    00f4fb8c 77e7eba8 00f4fbf0 01072c10 01072b38 ntdll!TppWaitCompletion+0x76
    00f4fd88 775e17ad 01062a90 00f4fdd8 77e9db0e ntdll!TppWorkerThread+0x368
    00f4fd94 77e9db0e 01062a90 6b6d1994 00000000 KERNEL32!BaseThreadInitThunk+0xe
    00f4fdd8 77e9dae7 ffffffff 77ee4ae6 00000000 ntdll!__RtlUserThreadStart+0x20
    00f4fde8 00000000 77e7e840 01062a90 00000000 ntdll!_RtlUserThreadStart+0x1b


    SYMBOL_STACK_INDEX:  3

    SYMBOL_NAME:  umpo!UmpoPowerRequestOverridePolicyUpdate+19

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: umpo

    IMAGE_NAME:  umpo.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  52157d1b

    STACK_COMMAND:  .cxr 0xf4f22c ; kb

    BUCKET_ID_FUNC_OFFSET:  19

    FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_umpo.dll!UmpoPowerRequestOverridePolicyUpdate

    BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_umpo!UmpoPowerRequestOverridePolicyUpdate

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:status_breakpoint_80000003_umpo.dll!umpopowerrequestoverridepolicyupdate

    FAILURE_ID_HASH:  {b4a6a975-90ee-6741-ec6b-70a09d80e29d}

    Followup: MachineOwner
    ---------

    Monday, October 13, 2014 10:57 AM

Answers

  • It appears to be either memory corruption caused by your driver, or you passed the value of a structure instead of its address. If it always crashes in the same place, then it is likely to be the latter; otherwise it is probably the former.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, October 13, 2014 9:00 PM
    Moderator
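An added example, not code from this thread, from Microsoft or from Azius: a small triage script that reads the exception record, register context and STACK_TEXT of the !analyze -v output quoted in the question the way the answer above reads them by hand. It checks that the faulting operand ([eax+14h] with eax=0) really produces the reported write address 0x14, classifies a fault below the 64 KB NULL page as a NULL structure pointer plus a field offset (the "value instead of address" case, which reproduces at the same place every time) rather than a wild pointer (the memory-corruption case), and attributes the fault to the first frame outside ntdll, here umpo!UmpoPowerRequestOverridePolicyUpdate+0x19, the caller that handed the pointer to RtlEnterCriticalSection. SAMPLE is a constructed excerpt of the dump in the question; NULL_PAGE_LIMIT, the SYSTEM_MODULES list and the WILD_SAMPLE counter-example are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NULL_PAGE_LIMIT = 0x10000      # Windows never maps the first 64 KB of user space
SYSTEM_MODULES = {"ntdll", "kernel32", "kernelbase"}   # lock code, not the caller
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute (DEP)"}  # ExceptionInformation[0]

# Constructed excerpt of the !analyze -v output quoted in the question.
SAMPLE = """
ExceptionAddress: 77e9c466 (ntdll!RtlpWaitOnCriticalSection+0x000000ac)
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000001
   Parameter[1]: 00000014
eax=00000000 ebx=00000104 ecx=fffffffc edx=00000000 esi=74d9b0a0 edi=00000000
eip=77e9c466 esp=00f4f510 ebp=00f4f570 iopl=0         nv up ei pl nz ac po cy
001b:77e9c466 ff4014          inc     dword ptr [eax+14h] ds:0023:00000014=????????
STACK_TEXT:
00f4f570 77e89680 00000002 00000001 74d9b0a0 ntdll!RtlpWaitOnCriticalSection+0xac
00f4f598 77e895d2 00f4f5c0 74d964f9 74d9b0a0 ntdll!RtlpEnterCriticalSectionContended+0xa0
00f4f5a0 74d964f9 74d9b0a0 010a01b8 00f4f5e0 ntdll!RtlEnterCriticalSection+0x42
00f4f5b4 74d964d6 00f4f5e0 00f4f5cc 74d853fe umpo!UmpoPowerRequestOverridePolicyUpdate+0x19
00f4f5c0 74d853fe 00f4f5e0 00f4fa4c 75853536 umpo!UmpoNotificationHandler+0x79
"""

# Constructed counter-example (not from the thread): same instruction, but the
# base register holds a garbage value, so the fault lands far from the NULL page.
WILD_SAMPLE = """
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000001
   Parameter[1]: 41414155
eax=41414141 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
001b:77e9c466 ff4014          inc     dword ptr [eax+14h] ds:0023:41414155=????????
"""


@dataclass
class Triage:
    exception_code: int
    access: str
    fault_address: int
    registers: Dict[str, int] = field(default_factory=dict)
    base_register: Optional[str] = None   # register in the faulting memory operand
    displacement: int = 0                 # immediate offset in that operand
    frames: List[str] = field(default_factory=list)

    @property
    def near_null(self) -> bool:
        return self.fault_address < NULL_PAGE_LIMIT

    @property
    def base_value(self) -> Optional[int]:
        return self.registers.get(self.base_register) if self.base_register else None

    def operand_matches_fault(self) -> bool:
        """Sanity check: base register + displacement must equal the reported address."""
        return self.base_value is not None and \
            (self.base_value + self.displacement) & 0xFFFFFFFF == self.fault_address

    @property
    def culprit_frame(self) -> Optional[str]:
        """First frame outside the lock implementation: the caller that passed the pointer."""
        for frame in self.frames:
            if frame.split("!", 1)[0].lower() not in SYSTEM_MODULES:
                return frame
        return None

    def verdict(self) -> str:
        if not self.near_null:
            return "wild pointer / memory corruption (fault address outside the NULL page)"
        if self.base_value == 0:
            return (f"NULL structure pointer in {self.base_register}; "
                    f"{self.access} of field at offset 0x{self.displacement:x}")
        return "near-NULL dereference (small pointer value or structure passed by value)"


def parse_analyze(text: str) -> Triage:
    m = re.search(r"ExceptionCode:\s+([0-9a-f]+)", text)
    if not m:
        raise ValueError("no ExceptionCode line")
    params = {int(i): int(v, 16) for i, v in re.findall(r"Parameter\[(\d)\]:\s+([0-9a-f]+)", text)}
    t = Triage(exception_code=int(m.group(1), 16),
               access=ACCESS_TYPES.get(params.get(0, -1), "unknown"),
               fault_address=params.get(1, 0))
    t.registers = {r: int(v, 16) for r, v in
                   re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", text)}
    # Disassembly line with the effective address, e.g. "[eax+14h] ds:0023:00000014".
    op = re.search(r"\[(e[a-z]{2})(?:\+([0-9a-f]+)h?)?\]\s+ds:[0-9a-f]+:", text)
    if op:
        t.base_register = op.group(1)
        t.displacement = int(op.group(2), 16) if op.group(2) else 0
    # STACK_TEXT rows: child-ebp, return address, three args, symbol.
    t.frames = re.findall(r"^\s*[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\S+!\S+)\s*$", text, re.M)
    return t


if __name__ == "__main__":
    for name, text in (("question dump", SAMPLE), ("constructed wild pointer", WILD_SAMPLE)):
        t = parse_analyze(text)
        print(f"{name}: {t.access} at 0x{t.fault_address:08x} -> {t.verdict()}; "
              f"attribute to {t.culprit_frame}")
```

The consistency check matters more than the classification: if the base register plus displacement did not reproduce the reported address, the context would not belong to the exception and the triage would be reading the wrong thread.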

All replies

  • But it's pointing out the critical section.
    Tuesday, October 14, 2014 9:39 AM
  • Hi Brian,

    Related to the battery driver, I have one more problem. I am registering the device under ACPI\<HardwareID>.

    It is getting enumerated, but when I use SetupDiGetClassDevs, get the interface and try to call CreateFile, it fails with ERROR = 1 (ERROR_INVALID_FUNCTION).


    #define UNICODE
    #include <windows.h>
    #include <setupapi.h>
    #include <devguid.h>      // GUID_DEVCLASS_BATTERY
    #include <iostream>
    #pragma comment(lib, "setupapi.lib")
    using namespace std;

    // Enumerate the battery device interfaces and open the first one.
    // Returns the device handle, or INVALID_HANDLE_VALUE if none could be opened.
    HANDLE OpenFirstBattery()
    {
        HANDLE hBattery = INVALID_HANDLE_VALUE;

        HDEVINFO hdev = SetupDiGetClassDevs(&GUID_DEVCLASS_BATTERY,
                                            0,
                                            0,
                                            DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);
        if (INVALID_HANDLE_VALUE == hdev)
        {
            cout << "SetupDiGetClassDevs failed: " << GetLastError() << endl;
            return hBattery;
        }

        // Limit search to 100 batteries max; stop at the first one that opens.
        for (int idev = 0; idev < 100 && INVALID_HANDLE_VALUE == hBattery; idev++)
        {
            SP_DEVICE_INTERFACE_DATA did = {0};
            did.cbSize = sizeof(did);

            if (!SetupDiEnumDeviceInterfaces(hdev, 0, &GUID_DEVCLASS_BATTERY, idev, &did))
            {
                break;   // ERROR_NO_MORE_ITEMS: no more battery interfaces
            }

            // First call only reports the buffer size needed for the device path.
            DWORD cbRequired = 0;
            SetupDiGetDeviceInterfaceDetail(hdev, &did, 0, 0, &cbRequired, 0);
            if (ERROR_INSUFFICIENT_BUFFER != GetLastError())
            {
                continue;
            }

            PSP_DEVICE_INTERFACE_DETAIL_DATA pdidd =
                (PSP_DEVICE_INTERFACE_DETAIL_DATA)LocalAlloc(LPTR, cbRequired);
            if (!pdidd)
            {
                continue;
            }

            // cbSize is the size of the fixed part of the structure, not cbRequired.
            pdidd->cbSize = sizeof(*pdidd);
            if (SetupDiGetDeviceInterfaceDetail(hdev, &did, pdidd, cbRequired, &cbRequired, 0))
            {
                // Enumerated a battery.  Open it so it can be asked for information
                // (IOCTL_BATTERY_QUERY_TAG / IOCTL_BATTERY_QUERY_INFORMATION).
                wcout << L"Creating Device ::" << pdidd->DevicePath << endl;
                hBattery = CreateFile(pdidd->DevicePath,
                                      GENERIC_READ | GENERIC_WRITE,
                                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                                      NULL,
                                      OPEN_EXISTING,
                                      FILE_ATTRIBUTE_NORMAL,
                                      NULL);
                if (INVALID_HANDLE_VALUE == hBattery)
                {
                    // ERROR_INVALID_FUNCTION (1) is the Win32 mapping of
                    // STATUS_INVALID_DEVICE_REQUEST, i.e. the open reached the
                    // device stack and the create request was not handled.
                    cout << "Error while creating :" << GetLastError() << endl;
                }
            }
            LocalFree(pdidd);
        }

        SetupDiDestroyDeviceInfoList(hdev);
        return hBattery;
    }

    Tuesday, October 14, 2014 10:05 AM
  • Do you think that Microsoft hasn't tested this code? Do you know of anyone else having this problem without your driver? Of course it is caused by your driver, and almost certainly in the manner I described. Doron and I have debugged thousands of crashes over the last 20 years. Instead of assuming that we don't know what we are doing and unmarking the answer, you should give us the benefit of the doubt and look more closely at your code.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, October 14, 2014 6:17 PM
    Moderator
  • Again, the issue is with your driver.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, October 14, 2014 6:18 PM
    Moderator
  • Hi Brian,

    Thanks for the help. Both problems have been solved; the issue was in my driver only, but it was not a buffer copy issue.

    I marked it unanswered only to get your attention for another question.

    Thanks,

    Rabish

    Wednesday, October 15, 2014 12:22 PM
  • That is not an appropriate method for getting my attention. Just create another question, and I or one of the usual answerers (Doron, Don, Pavel, etc.), will respond to your question.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, October 15, 2014 10:36 PM
    Moderator