Issue 320 attachment: special_pool_crash.txt (6.7 KB)

Waiting to reconnect...
Connected to Windows 7 7601 x86 compatible target at (Tue Apr 7 12:00:18.730 2015 (UTC + 2:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18741.x86fre.win7sp1_gdr.150202-1526
Machine Name:
Kernel base = 0x82a42000 PsLoadedModuleList = 0x82b8c5b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a5a578 cc int 3
kd> g
*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH
*
*******************************************************************************
nt!DbgLoadImageSymbols+0x47:
82a5a578 cc int 3
kd> g

*** Fatal System Error: 0x000000d5
(0xFA85EFA4,0x00000001,0x94596F21,0x00000000)

Driver at fault:
*** win32k.sys - Address 94596F21 base at 944E0000, DateStamp 54ee8ecd
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Apr 7 12:04:15.780 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
...........
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D5, {fa85efa4, 1, 94596f21, 0}

*** WARNING: Unable to verify checksum for a37.exe
*** ERROR: Module load completed but symbols could not be loaded for a37.exe
Probably caused by : win32k.sys ( win32k!GreSetBrushOwner+160 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
This is NOT a break in update time
This is most likely a BUG in an ISR
Perform a stack trace to find the culprit
The period will be doubled on continuation
Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82abd38c cd2c int 2Ch
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fa85efa4, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 94596f21, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS: fa85efa4 Special pool

FAULTING_IP:
win32k!GreSetBrushOwner+160
94596f21 8908 mov dword ptr [eax],ecx

MM_INTERNAL_CODE: 0

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd

MODULE_NAME: win32k

FAULTING_MODULE: 944e0000 win32k

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xD5

PROCESS_NAME: a37.exe

CURRENT_IRQL: 1c

TRAP_FRAME: 9a306b34 -- (.trap 0xffffffff9a306b34)
ErrCode = 00000002
eax=fa85efa4 ebx=ff817ac0 ecx=00000000 edx=00000000 esi=fa93af78 edi=00000dd8
eip=94596f21 esp=9a306ba8 ebp=9a306bf4 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
win32k!GreSetBrushOwner+0x160:
94596f21 8908 mov dword ptr [eax],ecx ds:0023:fa85efa4=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82abc853 to 82abd38c

STACK_TEXT:
9a306558 82abc853 0002625a 00000000 00004000 nt!KeAccumulateTicks+0x3c5
9a306598 82abc700 82a240a8 0580509c 00000000 nt!KeUpdateRunTime+0x145
9a3065f0 82abbf03 00000002 00000002 000000d1 nt!KeUpdateSystemTime+0x613
9a3065f0 82a240a8 00000002 00000002 000000d1 nt!KeUpdateSystemTimeAssist+0x13
9a306674 82a12b8c 00001000 00000000 9a3066d4 hal!READ_PORT_USHORT+0x8
9a306684 82a12cf5 82b20f92 27522a3c 00000065 hal!HalpCheckPowerButton+0x2e
9a306688 82b20f92 27522a3c 00000065 00000000 hal!HaliHaltSystem+0x7
9a3066d4 82b21a39 00000003 00000000 000fe5f6 nt!KiBugCheckDebugBreak+0x73
9a306a98 82acf9ad 00000050 fa85efa4 00000001 nt!KeBugCheck2+0x68b
9a306b1c 82a82a78 00000001 fa85efa4 00000000 nt!MmAccessFault+0x104
9a306b1c 94596f21 00000001 fa85efa4 00000000 nt!KiTrap0E+0xdc
9a306bf4 946a9342 00000001 00000dd8 2e9007ac win32k!GreSetBrushOwner+0x160
9a306c18 946980af 2e9007ac 9a306c34 82a7f896 win32k!GreMakeBrushNonStock+0x63
9a306c24 82a7f896 2e9007ac 00000001 001ffe8c win32k!NtGdiClearBrushAttributes+0x13
9a306c24 771670f4 2e9007ac 00000001 001ffe8c nt!KiSystemServicePostCall
001ffe78 00e01067 00000000 2e9007ac 00000001 ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
001ffe8c 00e01164 2e9007ac 00000001 2e9007ac a37+0x1067
001ffeb0 00e0132c 00000001 0033ee48 003422e8 a37+0x1164
001ffef8 7702ee1c 7ffd3000 001fff44 771837eb a37+0x132c
001fff04 771837eb 7ffd3000 7703050b 00000000 kernel32!BaseThreadInitThunk+0xe
001fff44 771837be 00e013a9 7ffd3000 00000000 ntdll!__RtlUserThreadStart+0x70
001fff5c 00000000 00e013a9 7ffd3000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!GreSetBrushOwner+160
94596f21 8908 mov dword ptr [eax],ecx

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: win32k!GreSetBrushOwner+160

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0xD5_VRF_win32k!GreSetBrushOwner+160

BUCKET_ID: 0xD5_VRF_win32k!GreSetBrushOwner+160

Followup: MachineOwner
---------