Fault injection test failed on Windows 7 x64

  • Question

  • Dear all:

    I executed the fault injection test (wdftester.sys) with my Win7 touch driver.

    The debug messages in WinDbg are shown below:

    WDFT: sishidusb.sys calling WdfObjectGetTypedContextWorker
    WDFT: sishidusb.sys calling WdfTimerStart
    WDFT: 
    *** Fatal System Error: 0x0000000a
                           (0xFFFFF80004203CC0,0x0000000000000002,0x0000000000000008,0xFFFFF80004203CC0)

    Break instruction exception - code 80000003 (first chance)

    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.

    A fatal system error has occurred.

    Connected to Windows 7 7601 x64 target at (Thu Feb  9 18:01:41.445 2017 (GMT+8)), ptr64 TRUE
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................
    Loading User Symbols

    Loading unloaded module list
    .........................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {fffff80004203cc0, 2, 8, fffff80004203cc0}

    Probably caused by : wdftester.sys ( wdftester!wdftester_WdfIoQueueGetDevice+88 )

    Followup: MachineOwner
    ---------

    nt!RtlpBreakWithStatusInstruction:
    fffff800`03ed0490 cc              int     3
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: fffff80004203cc0, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000008, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: fffff80004203cc0, address which referenced memory

    Debugging Details:
    ------------------


    READ_ADDRESS:  fffff80004203cc0 

    CURRENT_IRQL:  2

    FAULTING_IP: 
    nt! ?? ::NNGAKEGL::`string'+39c0
    fffff800`04203cc0 4c8bc9          mov     r9,rcx

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xA

    PROCESS_NAME:  System

    TRAP_FRAME:  fffff80000b9b730 -- (.trap 0xfffff80000b9b730)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000006 rbx=0000000000000000 rcx=fffff80000b9bbc0
    rdx=0000000000000006 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80004203cc0 rsp=fffff80000b9b8c0 rbp=fffffa800184bae2
     r8=fffff80000b9b918  r9=fffff80000b9b928 r10=fffff80000b9bbc0
    r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    nt! ?? ::NNGAKEGL::`string'+0x39c0:
    fffff800`04203cc0 4c8bc9          mov     r9,rcx
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff80003fbfd92 to fffff80003ed0490

    FAILED_INSTRUCTION_ADDRESS: 
    nt! ?? ::NNGAKEGL::`string'+39c0
    fffff800`04203cc0 4c8bc9          mov     r9,rcx

    STACK_TEXT:  
    fffff800`00b9ae78 fffff800`03fbfd92 : fffff800`04203cc0 fffff800`04058cc0 00000000`00000065 fffff800`03f14178 : nt!RtlpBreakWithStatusInstruction
    fffff800`00b9ae80 fffff800`03fc0b7e : 00000000`00000003 00000000`00000000 fffff800`03f149d0 00000000`0000000a : nt!KiBugCheckDebugBreak+0x12
    fffff800`00b9aee0 fffff800`03ed8744 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`03e82790 : nt!KeBugCheck2+0x71e
    fffff800`00b9b5b0 fffff800`03ed7be9 : 00000000`0000000a fffff800`04203cc0 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx+0x104
    fffff800`00b9b5f0 fffff800`03ed6860 : 00000000`00000000 fffff800`00b9c190 00000000`00000000 fffff800`00b9b928 : nt!KiBugCheckDispatch+0x69
    fffff800`00b9b730 fffff800`04203cc0 : fffff800`00b9b9b4 fffff800`03f28167 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
    fffff800`00b9b8c0 fffff800`03f28167 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`04c99729 : nt! ?? ::NNGAKEGL::`string'+0x39c0
    fffff800`00b9b8d0 fffff800`03f281a3 : fffff800`00b9ba38 fffffa80`02197b10 00000000`c0000001 fffff880`04c90073 : nt!wctomb_s_l+0x83
    fffff800`00b9b910 fffff800`03f18cb3 : fffffa80`0184bae0 fffff800`00b9bc40 00000000`00000800 fffff800`00b9ba68 : nt!wctomb_s+0xf
    fffff800`00b9b950 fffff800`03f19035 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!output_l+0x57b
    fffff800`00b9bc10 fffff800`03f1907d : 00000000`00000000 00000000`00000000 00000000`00c60010 fffff880`016fcd22 : nt!vsnprintf_l+0x75
    fffff800`00b9bc80 fffff800`03f186d8 : fffffa80`014b0000 fffffa80`012e7480 fffffa80`00c6e2d0 fffff880`01700aa7 : nt!vsnprintf+0x11
    fffff800`00b9bcc0 fffff800`03f19156 : 00000000`000001ff fffff880`02a3fba0 00000000`00000010 00000000`00000295 : nt!DbgPrompt+0x78
    fffff800`00b9bcf0 fffff800`03f1911b : fffffa80`00fb3900 fffffa80`012e7480 fffffa80`0146f1d0 fffff880`016fa441 : nt!RtlStringCbVPrintfA+0x26
    fffff800`00b9bd30 fffff800`03f87d0c : fffff800`00b9c030 fffff800`00b9bff0 fffffa80`014b3000 fffffa80`014b3000 : nt! ?? ::FNODOBFM::`string'+0xc32b
    fffff800`00b9bfe0 fffff880`02a15ce8 : fffff880`02a3fba0 fffffa80`0184bae0 00000000`00000065 00000000`00000003 : nt!DbgPrint+0x3c
    fffff800`00b9c020 fffff880`03202b22 : fffffa80`017f3cd0 0000057f`fdcf7fd8 00000000`00000000 fffffa80`014b3000 : wdftester!wdftester_WdfIoQueueGetDevice+0x88
    fffff800`00b9c090 fffff880`03201927 : 0000057f`fdcf7fd8 fffff800`00b9c1e8 00000000`00000000 fffffa80`016f7b80 : sishidusb!WdfIoQueueGetDevice+0x36 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.9\wdfio.h @ 749]
    fffff800`00b9c0d0 fffff880`00ebc047 : 0000057f`fdcf7fd8 0000057f`fe80c328 00000000`00000040 00000000`00000000 : sishidusb!HidFx2EvtInternalDeviceControl+0x33 [c:\wdk\windows_embedded_standard_7\sishidusb\hid.c @ 574]
    fffff800`00b9c120 fffff880`00ebb99f : 00000000`00000000 fffffa80`017f3cd0 fffffa80`02308020 fffffa80`02308020 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x56f
    fffff800`00b9c1a0 fffff880`00ebaf98 : 00000000`00000000 00000000`00000002 00000000`00000000 fffffa80`017f3e22 : Wdf01000!FxIoQueue::DispatchEvents+0x4df
    fffff800`00b9c210 fffff880`00ec0558 : fffff980`08b70f02 fffffa80`017f3cd0 fffff980`08b70d30 fffffa80`017f3cd0 : Wdf01000!FxIoQueue::QueueRequest+0x2bc
    fffff800`00b9c280 fffff880`00eaa245 : fffffa80`017f3cd0 fffff980`08b70d30 00000000`00000002 fffffa80`0185d040 : Wdf01000!FxPkgIo::Dispatch+0x37c
    fffff800`00b9c300 fffff800`0437bc16 : fffff980`08b70d30 00000000`00000002 fffffa80`025c8d20 fffff880`0560b2ae : Wdf01000!FxDevice::Dispatch+0xa9
    fffff800`00b9c330 fffff880`05604555 : fffffa80`015c8e40 fffffa80`025c8d20 fffff980`08b70d30 fffffa80`02acfb10 : nt!IovCallDriver+0x566
    fffff800`00b9c390 fffff880`0560519f : fffffa80`015c8e40 00000000`00000003 00000000`00000000 fffffa80`01020830 : HIDCLASS!HidpSubmitInterruptRead+0xdd
    fffff800`00b9c3f0 fffff800`03ee4062 : 00000000`00000000 fffffa80`00000000 00000000`40f90088 00000000`00000000 : HIDCLASS!HidpPingpongBackoffTimerDpc+0x5f
    fffff800`00b9c430 fffff800`03ee3f06 : fffffa80`010207f0 00000000`00005cba 00000000`00000000 00000000`00000000 : nt!KiProcessTimerDpcTable+0x66
    fffff800`00b9c4a0 fffff800`03ee3dee : 00000000`dcb9a85a fffff800`00b9cb18 00000000`00005cba fffff800`0404e9c8 : nt!KiProcessExpiredTimerList+0xc6
    fffff800`00b9caf0 fffff800`03ee3bd7 : 00000160`614f3bc3 00000160`00005cba 00000160`614f3ba3 00000000`000000ba : nt!KiTimerExpiration+0x1be
    fffff800`00b9cb90 fffff800`03ed036a : fffff800`0404ae80 fffff800`04058cc0 00000000`00000000 fffff880`05002db0 : nt!KiRetireDpcList+0x277
    fffff800`00b9cc40 00000000`00000000 : fffff800`00b9d000 fffff800`00b97000 fffff800`00b9cc00 00000000`00000000 : nt!KiIdleLoop+0x5a


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    wdftester!wdftester_WdfIoQueueGetDevice+88
    fffff880`02a15ce8 488b0d99900300  mov     rcx,qword ptr [wdftester!WPP_GLOBAL_Control (fffff880`02a4ed88)]

    SYMBOL_STACK_INDEX:  10

    SYMBOL_NAME:  wdftester!wdftester_WdfIoQueueGetDevice+88

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: wdftester

    IMAGE_NAME:  wdftester.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4b70eb35

    FAILURE_BUCKET_ID:  X64_0xA_VRF_CODE_AV_BAD_IP_wdftester!wdftester_WdfIoQueueGetDevice+88

    BUCKET_ID:  X64_0xA_VRF_CODE_AV_BAD_IP_wdftester!wdftester_WdfIoQueueGetDevice+88

    Followup: MachineOwner
    ---------

    It seems to crash at WdfIoQueueGetDevice in hid.c (correct me if I am wrong).

    My source is shown below:

    VOID
    HidFx2EvtInternalDeviceControl(
        IN WDFQUEUE   Queue,
        IN WDFREQUEST Request,
        IN size_t     OutputBufferLength,
        IN size_t     InputBufferLength,
        IN ULONG      IoControlCode
        )
    {
        NTSTATUS          Status = STATUS_NOT_SUPPORTED;
        WDFDEVICE         DeviceHandle;
        PDEVICE_EXTENSION pDeviceContext = NULL;

        UNREFERENCED_PARAMETER(OutputBufferLength);
        UNREFERENCED_PARAMETER(InputBufferLength);

        DeviceHandle = WdfIoQueueGetDevice(Queue);  /* line 574 in hid.c */
        pDeviceContext = GetDeviceContext(DeviceHandle);

        // do something
    }

    I tried checking whether Queue is NULL before calling WdfIoQueueGetDevice, but it still crashes.

    How can I solve this problem?

    Thanks for your help,

    Victor

    • Edited by Cedric911217 Thursday, February 9, 2017 10:32 AM
    Thursday, February 9, 2017 10:26 AM
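
One way to read the dump posted in the question, added here as an example that is not part of the original thread: it decodes the Bugcheck 0xA arguments using the bit meanings printed by `!analyze -v`, then walks STACK_TEXT below `nt!KiPageFault` to find which kernel routine was entered and which module called it. The function names and the abridged `SAMPLE` text are constructed for illustration.

```python
import re

# Constructed sample: the BugCheck line plus an abridged STACK_TEXT from the
# question above (argument columns replaced by "(args)", most frames dropped).
SAMPLE = r"""BugCheck A, {fffff80004203cc0, 2, 8, fffff80004203cc0}
fffff800`00b9b730 fffff800`04203cc0 : (args) : nt!KiPageFault+0x260
fffff800`00b9b8c0 fffff800`03f28167 : (args) : nt! ?? ::NNGAKEGL::`string'+0x39c0
fffff800`00b9b8d0 fffff800`03f281a3 : (args) : nt!wctomb_s_l+0x83
fffff800`00b9bc80 fffff800`03f186d8 : (args) : nt!vsnprintf+0x11
fffff800`00b9bfe0 fffff880`02a15ce8 : (args) : nt!DbgPrint+0x3c
fffff800`00b9c020 fffff880`03202b22 : (args) : wdftester!wdftester_WdfIoQueueGetDevice+0x88
fffff800`00b9c090 fffff880`03201927 : (args) : sishidusb!WdfIoQueueGetDevice+0x36 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.9\wdfio.h @ 749]
"""

FRAME = re.compile(r"^\s*[0-9a-f`]+ [0-9a-f`]+ : ")
BUGCHECK = re.compile(r"BugCheck A, \{(\w+), (\w+), (\w+), (\w+)\}")

def decode_bugcheck_a(text):
    """Decode IRQL_NOT_LESS_OR_EQUAL arguments (Arg1..Arg4)."""
    m = BUGCHECK.search(text)
    if not m:
        raise ValueError("no 'BugCheck A' line found")
    addr, irql, bits, ip = (int(g, 16) for g in m.groups())
    return {
        "irql": irql,
        "write": bool(bits & 0x1),    # bit 0: 0 = read, 1 = write
        "execute": bool(bits & 0x8),  # bit 3: 1 = execute operation
        # Execute bit set and Arg1 == Arg4: the instruction fetch itself faulted.
        "fetch_fault": bool(bits & 0x8) and addr == ip,
    }

def parse_frames(text):
    """Return [(module, symbol+offset)] for each STACK_TEXT line, top first."""
    frames = []
    for line in text.splitlines():
        if FRAME.match(line):
            sym = re.sub(r"\s+\[.*\]$", "", line.split(" : ", 2)[2].strip())
            module, _, func = sym.partition("!")
            frames.append((module, func.strip()))
    return frames

def kernel_entry_and_caller(frames, trap="KiPageFault"):
    """Below the trap frame: (nt routine first called, first non-nt caller)."""
    start = next(i for i, (_, f) in enumerate(frames) if f.startswith(trap))
    for i in range(start + 1, len(frames)):
        if frames[i][0] != "nt":
            return frames[i - 1], frames[i]
    return None, None

if __name__ == "__main__":
    print(decode_bugcheck_a(SAMPLE))
    print(kernel_entry_and_caller(parse_frames(SAMPLE)))
```

On the posted dump this reports an instruction-fetch fault at IRQL 2 inside `nt`, entered through `nt!DbgPrint` from `wdftester!wdftester_WdfIoQueueGetDevice+0x88`.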

All replies

  • The queue handle will always be valid; there should be no need to check for validity. The fault injection tests expose bugs everywhere; it could very well be with wdftester.sys. Which version of wdftester are you using? From which WDK/HLK release?

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, February 9, 2017 6:19 PM
  • Hi, Doron

    I referenced this URL:

    https://msdn.microsoft.com/windows/hardware/drivers/devtest/wdftester-installation?f=255&MSPPError=-2147217396

    These files were copied from WDK 7600.16385.1, and the version of wdftester.sys is 1.7.7600.0.

    Thanks for your help,

    Victor


    Friday, February 10, 2017 1:43 AM
  • You should try using the Win10 version; work has been done since Win7 in this area.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, February 10, 2017 6:41 AM
  • Hi, Doron

    I searched for wdftester.sys in my WDK folder (WDK version: 10.0.14393.0), but it does not exist.

    I tested my driver with the fault injection test on WHCK 2.1.9600, and it still crashes.

    I referenced this URL: https://developer.microsoft.com/en-us/windows/hardware/windows-hardware-lab-kit

    and it says Windows HLK for Windows 10 does not support testing with previous versions of Windows.

    So how can I test my driver with the Win10 version?

    Thanks for your help

    Victor.

    Friday, March 3, 2017 5:47 AM