access violation 0xc0000005 error during stress testing of serial driver

  • Question

  • Hi,

    I am stress testing my serial driver at a high baud rate of 256000 bps by writing to the serial port and reading the data back from the serial port (after configuring the serial port for loopback).

    At this baud rate, I am seeing that the system crashes with the error "Access violation - code c0000005 (!!! second chance !!!)" very soon after the test is started. As per the crash analysis, my driver is not involved in the I/O. Below is the crash dump.

    !analyze -v
    Connected to Windows 7 7601 x86 compatible target at (Tue Sep 30 21:39:52.338 2014 (UTC + 5:30)), ptr64 FALSE
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .............
    Loading User Symbols
    ....
    Loading unloaded module list
    ......
    *** WARNING: Unable to verify checksum for SerialValidation20.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys -
    *** ERROR: Module load completed but symbols could not be loaded for regflt.sys
    *** ERROR: Module load completed but symbols could not be loaded for VME.sys
    *** ERROR: Module load completed but symbols could not be loaded for spldr.sys
    *** ERROR: Module load completed but symbols could not be loaded for e1c6232.sys
    *** ERROR: Module load completed but symbols could not be loaded for hbdrvisr.sys
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfetdik.sys -
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for igdkmd32.sys -
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Unknown bugcheck code (0)
    Unknown bugcheck description
    Arguments:
    Arg1: 00000000
    Arg2: 00000000
    Arg3: 00000000
    Arg4: 00000000

    Debugging Details:
    ------------------


    PROCESS_NAME:  SerialValidati

    FAULTING_IP:
    Wdf01000!FxContextHeaderInit+1c
    8bc31889 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 8bc31889 (Wdf01000!FxContextHeaderInit+0x0000001c)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 11100f3a
    Attempt to read from address 11100f3a

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  11100f3a

    READ_ADDRESS:  11100f3a

    FOLLOWUP_IP:
    Wdf01000!FxContextHeaderInit+1c
    8bc31889 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

    BUGCHECK_STR:  ACCESS_VIOLATION

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 8bc318f9 to 8bc31889

    STACK_TEXT: 
    ad0d7a68 8bc318f9 87246f90 87246ec8 87439010 Wdf01000!FxContextHeaderInit+0x1c
    ad0d7a7c 8bc31055 87246ec8 00000002 87442010 Wdf01000!FxObjectAndHandleHeaderInit+0x39
    ad0d7aa0 8bc361db 87439010 11100f1e 87442010 Wdf01000!FxDevice::AllocateRequestMemory+0x127
    ad0d7ac4 8bc36849 87439010 11100f1e 871f1e48 Wdf01000!FxRequest::_CreateForPackage+0x1e
    ad0d7b00 8bc30bc2 871f1e48 87439910 871f1e48 Wdf01000!FxPkgIo::Dispatch+0x297
    ad0d7b28 8bc30a33 87439910 871f1e48 8720ed78 Wdf01000!FxDevice::Dispatch+0x155
    ad0d7b44 83250c29 87439910 871f1e48 871f1e48 Wdf01000!FxDevice::DispatchWithLock+0x77
    ad0d7b5c 83445b29 871f1e48 871f1edc 8720ed78 nt!IofCallDriver+0x63
    ad0d7b7c 8347e516 87439910 8720ed78 00000001 nt!IopSynchronousServiceTail+0x1f8
    ad0d7c08 832578fa 87439910 871f1e48 00000000 nt!NtReadFile+0x644
    ad0d7c08 778e7094 87439910 871f1e48 00000000 nt!KiFastCallEntry+0x12a
    006af1ac 778e62c4 75b3cfde 0000001c 0000002c ntdll!KiFastSystemCallRet
    006af1b0 75b3cfde 0000001c 0000002c 00000000 ntdll!ZwReadFile+0xc
    006af214 76f69bba 0000001c 006af7a8 0000000a KERNELBASE!ReadFile+0xaa
    006af25c 013325e1 0000001c 006af7a8 0000000a kernel32!ReadFileImplementation+0xf0
    006af890 76f6ed6c 03b50508 006af8dc 7790377b SerialValidation20!comm_read_thread_proc+0x161 [d:\24-09-2014\solution_amat\solution_amat\solution_amat\serialvalidation.cpp @ 604]
    006af89c 7790377b 03b50508 77fcb8dc 00000000 kernel32!BaseThreadInitThunk+0xe
    006af8dc 7790374e 01332480 03b50508 00000000 ntdll!__RtlUserThreadStart+0x70
    006af8f4 00000000 01332480 03b50508 00000000 ntdll!_RtlUserThreadStart+0x1b


    STACK_COMMAND:  kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  Wdf01000!FxContextHeaderInit+1c

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Wdf01000

    IMAGE_NAME:  Wdf01000.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  5010ac41

    FAILURE_BUCKET_ID:  ACCESS_VIOLATION_Wdf01000!FxContextHeaderInit+1c

    BUCKET_ID:  ACCESS_VIOLATION_Wdf01000!FxContextHeaderInit+1c

    Followup: MachineOwner

    2: kd> .exr 0xffffffffffffffff
    ExceptionAddress: 8bc31889 (Wdf01000!FxContextHeaderInit+0x0000001c)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 11100f3a
    Attempt to read from address 11100f3a

    From the above, I understand that an attempt has been made to read from an invalid address.
    From the stack trace it appears that the application (SerialValidation20) is sending a ReadFile request which the WDF framework is trying to deliver to my driver. But somewhere around the FxContextHeaderInit() function it is crashing. My driver's functions are not displayed in the stack trace.


    Some information about my target environment:
    The target OS is Windows 7 Embedded Standard SP1. I have 5 multiport serial controllers, each of which has 8 ports. I am running the tests on all of the ports simultaneously.

    I am not getting any clue how to proceed with debugging this kind of issue, which doesn't seem to be related to my driver. Could somebody please suggest how I can find out the root cause of this issue?


    Tuesday, September 30, 2014 4:24 PM
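A small triage script for a transcript like the one above, added here as an example and not part of the original post: it parses the exception record and the `kb` frames of a 32-bit `!analyze -v` output, lists which modules appear on the stack (so one can confirm whether a given driver ran on the faulting path at all) and flags any frame argument that lies just below the faulting address, which is how the 11100f1e argument to AllocateRequestMemory lines up with the `[esi+1Ch]` read at 11100f3a. The sample transcript is a trimmed copy constructed from the dump quoted above.

```python
import re

# Constructed sample: a trimmed copy of the !analyze -v transcript quoted in the post.
SAMPLE = r"""ExceptionAddress: 8bc31889 (Wdf01000!FxContextHeaderInit+0x0000001c)
   ExceptionCode: c0000005 (Access violation)
Attempt to read from address 11100f3a

STACK_TEXT:
ad0d7a68 8bc318f9 87246f90 87246ec8 87439010 Wdf01000!FxContextHeaderInit+0x1c
ad0d7aa0 8bc361db 87439010 11100f1e 87442010 Wdf01000!FxDevice::AllocateRequestMemory+0x127
ad0d7ac4 8bc36849 87439010 11100f1e 871f1e48 Wdf01000!FxRequest::_CreateForPackage+0x1e
ad0d7b5c 83445b29 871f1e48 871f1edc 8720ed78 nt!IofCallDriver+0x63
006af890 76f6ed6c 03b50508 006af8dc 7790377b SerialValidation20!comm_read_thread_proc+0x161

STACK_COMMAND:  kb
"""

# One `kb` frame on a 32-bit target: ChildEBP RetAddr Args-to-Child x3 Symbol (8 hex digits each)
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", re.M)

def parse_analyze(text):
    """Extract the exception code, access type, faulting address and kb frames."""
    code = re.search(r"ExceptionCode:\s*([0-9a-f]{8})", text)
    acc = re.search(r"Attempt to (read from|write to) address ([0-9a-f]{8})", text)
    frames = [{"ret": m[2], "args": [int(a, 16) for a in m.group(3, 4, 5)], "symbol": m[6]}
              for m in FRAME_RE.finditer(text)]
    return {"exception_code": code[1] if code else None,
            "access": acc[1] if acc else None,
            "fault_address": int(acc[2], 16) if acc else None,
            "frames": frames}

def modules_on_stack(report):
    """Distinct modules in stack order; a driver missing from this list never ran on this path."""
    mods = []
    for f in report["frames"]:
        mod = f["symbol"].split("!", 1)[0] if "!" in f["symbol"] else None
        if mod and mod not in mods:
            mods.append(mod)
    return mods

def args_near_fault(report, window=0x40):
    """Frame arguments that sit up to `window` bytes below the faulting address.
    The faulting instruction reads [esi+1Ch], so an argument exactly 0x1c below the
    fault address is the likely bad pointer that was handed down the call chain."""
    fault = report["fault_address"]
    return [(f["symbol"], arg, fault - arg)
            for f in report["frames"] for arg in f["args"] if 0 <= fault - arg < window]
```

Run `args_near_fault(parse_analyze(SAMPLE))` to see both Wdf01000 frames that carry the 11100f1e argument reported with a delta of 0x1c.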

All replies

  • Yes. I have tested the driver for enough duration at lower baud rates and it never crashed.

    One difference in my driver compared to the other drivers is that the read, write and IOCTL queues
    that my driver creates use sequential dispatching. I use the below statement.

    WDF_IO_QUEUE_CONFIG_INIT(&stQueueConfig,WdfIoQueueDispatchSequential);

    Below is the code of my device initialization. Could you please let me know where I should be checking for the problem in the driver?

    WDF_PNPPOWER_EVENT_CALLBACKS_INIT(&stPnpPowerCallbacks);
    stPnpPowerCallbacks.EvtDeviceD0Entry = PortD0Entry;
    stPnpPowerCallbacks.EvtDeviceD0Exit = PortD0Exit;
    stPnpPowerCallbacks.EvtDevicePrepareHardware = PortEvtDevicePrepareHardware;
    stPnpPowerCallbacks.EvtDeviceReleaseHardware = PortEvtDeviceReleaseHardware;
    /* Registers the driver's Plug and Play and power management event callback functions. */
    WdfDeviceInitSetPnpPowerEventCallbacks(DeviceInit, &stPnpPowerCallbacks);

    //
    // Initialize all the properties specific to the device.
    // The framework has default values for the ones that are not
    // set explicitly here, so read the doc and make sure
    // you are okay with the defaults.
    //
    WdfDeviceInitSetExclusive(DeviceInit, TRUE);

    // Set the device type
    WdfDeviceInitSetDeviceType(DeviceInit, FILE_DEVICE_SERIAL_PORT);

    //
    // Initialize the attributes structure to specify the size and accessor function
    // for storing the request context.
    //
    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&stRequestAttributes, REQUEST_CONTEXT);

    // Sets the object attributes that will be used for all of the framework request
    // objects that the framework delivers to the driver from the device's I/O queues
    WdfDeviceInitSetRequestAttributes(DeviceInit, &stRequestAttributes);

    lStatus = RtlUnicodeStringPrintf(&devName, DEVICE_NAME L"%d", InterlockedIncrement(&NumDevName));
    if (!NT_SUCCESS(lStatus))
    {
        return lStatus;
    }

    // Assigning a name to the FDO
    lStatus = WdfDeviceInitAssignName(DeviceInit, &devName);
    if (!NT_SUCCESS(lStatus))
    {
        // A failure to assign the name is not treated as fatal here.
    }

    //
    // Initialize the attributes structure to specify the size and accessor function
    // for storing the device context.
    //
    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&stDeviceAttributes, DEVICE_CONTEXT);

    // Create the device object
    lStatus = WdfDeviceCreate(&DeviceInit, &stDeviceAttributes, &hDevice);
    if (!NT_SUCCESS(lStatus))
    {
        return lStatus;
    }
    else
    {
        pstDeviceContext = WdfObjectGet_DEVICE_CONTEXT(hDevice);
        pstDeviceContext->PrivateDeviceData = 0;
        pstDeviceContext->hDevice = hDevice;
        pstDeviceContext->hCurrentReadRequest = NULL;
        lStatus = Create_MemoryObject(pstDeviceContext);
        if (!NT_SUCCESS(lStatus))
        {
            return lStatus;
        }

        // Create interrupt objects

        // Do query for interfaces
        lStatus = Do_QueryInterface(pstDeviceContext);
        if (!NT_SUCCESS(lStatus))
        {
            return STATUS_UNSUCCESSFUL;
        }

        // Queue initialization
        lStatus = Serial_QueueInitialize(hDevice);
        if (!NT_SUCCESS(lStatus))
        {
            return lStatus;
        }

        // Create the spinlock, parented to the device so it is freed with it
        WDF_OBJECT_ATTRIBUTES_INIT(&stSpinLockAttributes);
        stSpinLockAttributes.ParentObject = hDevice;
        lStatus = WdfSpinLockCreate(&stSpinLockAttributes, &pstDeviceContext->hPortSpinLock);
        if (!NT_SUCCESS(lStatus))
        {
            return lStatus;
        }

        // Create timers and DPCs
        lStatus = SerialCreateTimersAndDpcs(pstDeviceContext);
        if (!NT_SUCCESS(lStatus))
        {
            KdPrint(("SerialCreateTimersAndDpcs failed %x\n", lStatus));
            return lStatus;
        }
    }

    Wednesday, October 1, 2014 12:34 PM
  • I do not see anything in the code presented, but I have reason to suspect that at higher speeds the buffers are being overrun.

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff552360(v=vs.85).aspx

    You may need to add some checks to the buffer object to make sure it is not being flooded.

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff552359(v=vs.85).aspx



    MSFT Signature

    Place your rig specifics into your signature like I have, makes it 100x easier!

    Hardcore Games Legendary is the Only Way to Play!
    Vegan Advocate How can you be an environmentalist and still eat meat?

    Wednesday, October 1, 2014 12:41 PM
  • Below is my request context structure. Is there something wrong with the contents of the request context structure?

    
    typedef struct _REQUEST_CONTEXT 
    	{
    	ULONG_PTR				pulInformation;
    	NTSTATUS				lStatus;
    	ULONG					ulLength;
    	PVOID					pvRefCount;
    	PVOID					pvSystemBuffer;
    	UCHAR					ucMajorFunction;
    	PFN_WDF_REQUEST_CANCEL	fpCancelRoutine;
    	BOOLEAN					bCancelled;
    	PVOID					pvType3InputBuffer;
    	PDEVICE_CONTEXT			pstDeviceContext;
    	ULONG					ulIoctlCode;
    	ULONG					ulBytesNeedtoTransmit;
    	ULONG					ulBytesAtStartOfRequest;
    	BOOLEAN					bMarkCancelableOnResume;
    	BOOLEAN					bReadTotalTimerRequired;
    	BOOLEAN					bReadIntervalTimerRequired;
    	BOOLEAN					bDefaultTimeouts;
    	BOOLEAN					bSendAvailableToRequest;
    	SERIAL_TIMEOUTS			stRequestTimeout;
    	/*WDFTIMER				hReadIntervalTimer;
    	WDFTIMER				hReadTotalTimer;*/
    	LARGE_INTEGER			stRequestTotalTime;
    	} REQUEST_CONTEXT, *PREQUEST_CONTEXT;

    Wednesday, October 1, 2014 12:53 PM
  • Check the ulBytes parts to see if they are behaving.

    This may be where the buffer overrun is occurring.




    Wednesday, October 1, 2014 12:58 PM
  • Hi,

    Sorry, I couldn't get it.

    Which buffer object do you mean?

    I have checked the links but couldn't identify anything suspicious. Could you please point me to a place in these structures or macros which needs to be verified in my driver for its validity?

    Wednesday, October 1, 2014 1:36 PM
  • As per the implementation of the memory buffer in my driver, it can't exceed a size of 16 kbytes. Hence the ulBytesAtStartOfRequest field cannot be more than 16 K at any time, because this field stores the number of bytes present in the memory buffer at any time.

    The field ulBytesNeedtoTransmit can only be less than or equal to the length of a write request, which I am always setting to 15 during my test.

    However, if there is a possibility that these values could be getting corrupted, how do I check their values for validity? Because my driver is not running at the time of the crash.

    Wednesday, October 1, 2014 1:41 PM
  • Vegan, excuse me, but what does initializing a request queue have to do with buffer overrun? Please, as has been requested before, quit trying to answer questions on this forum; your replies range from misleading to totally incomprehensible.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Wednesday, October 1, 2014 4:09 PM
  • Vegan, excuse me, but what does initializing a request queue have to do with buffer overrun? Please, as has been requested before, quit trying to answer questions on this forum; your replies range from misleading to totally incomprehensible.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sorry, the OP has some form of buffer overrun or other object that is straying from the proper bounds, which is what is invoking this access violation.

    It's possible that somewhere else down the stack is a problem that the OP blundered into.

    I am often dealing with BSOD problems so I have memorized all the error codes. BSOD etc are all driver related.

    I am simply reading from the manual relative to the code posted. I can only work with what I see.




    Wednesday, October 1, 2014 6:01 PM
  • So you point the OP to pages about configuring a queue to receive or manage I/O requests as something that may help him with a buffer overrun on a given request? Sorry, but there is a disconnect here; the links you provided are not going to help.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Wednesday, October 1, 2014 6:08 PM
  • So you point the OP to pages about configuring a queue to receive or manage I/O requests as something that may help him with a buffer overrun on a given request? Sorry, but there is a disconnect here; the links you provided are not going to help.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    On its face the code looks OK, but for some reason it blows up, so where is the buffer? First place to look.

    The links were intended to show what I was envisioning; I was hoping the OP would come back so that more could be done to figure out what is wrong.

    Like I said, I work with what is posted.

    Obviously we may see the problem differently; eventually one of us may find the solution.




    Wednesday, October 1, 2014 6:17 PM