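Got another blue screen today, please help analyze it.

Question
-
I wasn't doing anything; I had just opened Tencent TM and clicked Log in, and it blue-screened.
Below is the C:\Windows\Minidump\123009-19328-01.DMP file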
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\123009-19328-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Non-directory path: 'D:\122809-31621-01.dmp'
Symbol search path is: SRV*D:\debug*http://msdl.microsoft.com/download/symbols
Executable search path is: D:\;D:\122809-31621-01.dmp
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.x86fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0x83e4b000 PsLoadedModuleList = 0x83f93810
Debug session time: Wed Dec 30 09:29:51.071 2009 (GMT+8)
System Uptime: 0 days 0:15:24.709
Loading Kernel Symbols
...............................................................
................................................................
..............................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C5, {4, 2, 1, 83f6b943}
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+2e3 )
Followup: Pool_corruption
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 83f6b943, address which referenced memory
Debugging Details:
------------------
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExDeferredFreePool+2e3
83f6b943 894604 mov dword ptr [esi+4],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: TXPlatform.exe
TRAP_FRAME: b073e674 -- (.trap 0xffffffffb073e674)
ErrCode = 00000002
eax=8634dda0 ebx=000001ff ecx=000001ff edx=83f809f8 esi=00000000 edi=83f808c0
eip=83f6b943 esp=b073e6e8 ebp=b073e720 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!ExDeferredFreePool+0x2e3:
83f6b943 894604 mov dword ptr [esi+4],eax ds:0023:00000004=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 83f6b943 to 83e917eb
STACK_TEXT:
b073e674 83f6b943 badb0d00 83f809f8 00040012 nt!KiTrap0E+0x2cf
b073e720 83f6a8aa 83f808c0 00000000 b073e838 nt!ExDeferredFreePool+0x2e3
b073e788 83f6ba76 8b3e7538 00000000 b073e7ac nt!ExFreePoolWithTag+0x8a4
b073e798 83e87415 8b3e7538 840c1e0b 8b3e756c nt!ExFreePool+0xf
b073e7a0 840c1e0b 8b3e756c b073e7c4 89b83023 nt!ExFreeToNPagedLookasideList+0x14
b073e7ac 89b83023 8b3e756c b073e838 8b3e756c nt!FsRtlFreeExtraCreateParameter+0x42
b073e7c4 89b83526 8b3e756c 00000000 8b3e756c fltmgr!FreeTargetedIoCtrl+0xbb
b073e7dc 89b6b762 86f0e008 8b3e756c 862d59c4 fltmgr!FltpCleanupFileObjectContextForClose+0x76
b073e7f8 89b66ed2 86298350 86f0e008 00000002 fltmgr!FltpGetStartingCallbackNode+0x110
b073e820 89b673ba 0273e838 87a73020 86298350 fltmgr!FltpPassThrough+0x1d4
b073e850 83e874bc 87a73020 862d5780 87984024 fltmgr!FltpDispatch+0xb4
b073e868 8408cdc7 86223698 86298338 00000000 nt!IofCallDriver+0x63
b073e8ac 8406c6f4 86298350 86298350 86298338 nt!IopDeleteFile+0x10c
b073e8c4 83eb3f60 00000000 86320d48 86298338 nt!ObpRemoveObjectRoutine+0x59
b073e8d8 83eb3ed0 86298350 8409078c 8aa01b00 nt!ObfDereferenceObjectWithTag+0x88
b073e8e0 8409078c 8aa01b00 86320d48 00001898 nt!ObfDereferenceObject+0xd
b073e920 84091f72 8aa01b00 b0147130 8618ed20 nt!ObpCloseHandleTableEntry+0x21d
b073e950 840920ea 8618ed20 00000000 b073e9f4 nt!ObpCloseHandle+0x7f
b073e96c 83e8e42a 80001898 b073ea04 83e8bd8d nt!NtClose+0x4e
b073e96c 83e8bd8d 80001898 b073ea04 83e8bd8d nt!KiFastCallEntry+0x12a
b073e9e8 89b9f5c8 80001898 b073ea28 866089a0 nt!ZwClose+0x11
b073ea04 8406184c 00000000 b073ead4 00000000 fileinfo!FIPfInterfaceClose+0x44
b073ea28 84061db8 ffffff94 86608b1c 866089a0 nt!PfpOpenHandleClose+0x38
b073ea3c 84062b6f 00000001 00000005 00000000 nt!PfSnCleanupPrefetchSectionInfo+0x4c
b073eab4 840d553d 00000000 00000001 00000003 nt!PfSnPrefetchSections+0x3b6
b073ec34 840a3ac8 86630000 b073ec64 b073ec70 nt!PfSnPrefetchScenario+0x1a9
b073ecc8 840d01d6 840ae9bd 86305da0 b073ed20 nt!PfSnBeginAppLaunch+0x382
b073ecd8 840ca6dd 96816f4a 00000000 00000000 nt!PfProcessCreateNotification+0x65
b073ed20 83f0b0d9 00000000 777e64d8 00000001 nt!PspUserThreadStartup+0x113
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExDeferredFreePool+2e3
83f6b943 894604 mov dword ptr [esi+4],eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExDeferredFreePool+2e3
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
FAILURE_BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+2e3
BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+2e3
Followup: Pool_corruption
---------
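Answer
-
Hello. This problem is very hard to debug, and the ordinary method shown above cannot solve it, because this is a pool corruption error caused by a driver. Pool corruption usually occurs when a driver suffers a buffer overflow, mostly an underrun, though it may also be an overrun. Crashes caused by pool corruption are in principle undebuggable, because the system crashes when the corrupted data is referenced, not when the data is corrupted. So, as you can see from the output above, it cannot point to the root cause of the error at all.
Since this was triggered by using TM, I suggest you try the following:
1. Properly uninstall all Tencent products, then test the system's stability again;
If the same DRIVER_CORRUPTED_EXPOOL (c5) blue screen occurs again:
2. Check whether you recently installed or updated any drivers, revert any recent changes to drivers, then test the system's stability again;
Alternatively, if you don't mind the trouble and are willing to dig into this error case, please follow these steps with me: (please make sure you can reproduce the crash)
1. Run "verifier.exe"; you will see the "Driver Verifier Manager" wizard;
2. Select the second option, "Create custom settings (for code developers)", then click "Next";
3. Select the second option, "Select individual settings from a full list", and click "Next";
4. Check only the box in front of the first item, "Special pool", and go to the next step;
5. Select the third option, "Automatically select all drivers installed on this computer", and click "Finish";
6. Restart the system;
7. Try to trigger the same crash again;
8. Analyze the memory dump file again.
Let me briefly explain the principle behind these steps: they enable special pool. For all verified drivers, buffer requests slightly smaller than one page in size will be served from special pool rather than from the usual paged or nonpaged pool. A buffer allocated from special pool is sandwiched between two invalid pages. Therefore, for an overflow of a buffer smaller than one page, the system detects it at the moment the overflow occurs, because it causes a page fault on the invalid page after the buffer. So when the crash happens again, the error you get should be DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6), which turns the undebuggable into the debuggable, and with luck you will see WinDbg point directly at the driver that caused the crash.
I do hope you will follow up on this case in depth using this method, and I hope to get your feedback soon.
Thank you!
Microsoft MVP for Windows Desktop Experience https://mvp.support.microsoft.com/profile/Huayu
- Proposed as answer by Eric Sheh, Moderator, December 30, 2009 5:14
- Marked as answer by Vivian Xing, December 31, 2009 6:29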
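The principle explained in the answer above (a buffer placed against an invalid page, so an overrun faults at the moment of the write instead of later), as an added example that is not part of the original thread. It is a user-mode POSIX analogue in C, not Windows kernel code; `guarded_alloc` and `write_and_report` are hypothetical names chosen for this illustration.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS on glibc */
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: returns a `size`-byte buffer that ends exactly where
   an inaccessible guard page begins; another guard page lies before it. */
static void *guarded_alloc(size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (size == 0 || size > page) return NULL;       /* sub-page requests only */
    uint8_t *base = mmap(NULL, 3 * page, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* Only the middle page becomes usable; pages 0 and 2 stay invalid. */
    if (mprotect(base + page, page, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, 3 * page);
        return NULL;
    }
    return base + 2 * page - size;                   /* right-align to the guard */
}

/* Writes `count` bytes into a `size`-byte guarded buffer in a child process.
   Returns 0 if the child exits cleanly, the signal number that killed it,
   or -1 on setup failure. */
static int write_and_report(size_t size, size_t count) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        volatile uint8_t *buf = guarded_alloc(size);
        if (!buf) _exit(2);
        for (size_t i = 0; i < count; i++) buf[i] = 0x41;
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) {
    int ok  = write_and_report(100, 100);   /* stays in bounds: no fault */
    int bad = write_and_report(100, 101);   /* one byte too far: faults at once */
    return (ok == 0 && bad == SIGSEGV) ? 0 : 1;
}
```

The fault is raised by the overrunning write itself, so the faulting instruction belongs to the code that made the mistake, which is what makes the d6 crash attributable where the c5 crash was not.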
All replies
-
Below is the analysis result for the C:\Windows\MEMORY.DMP file
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
WARNING: Non-directory path: 'D:\122809-31621-01.dmp'
Symbol search path is: SRV*D:\debug*http://msdl.microsoft.com/download/symbols
Executable search path is: D:\;D:\122809-31621-01.dmp
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.x86fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0x83e4b000 PsLoadedModuleList = 0x83f93810
Debug session time: Wed Dec 30 09:29:51.071 2009 (GMT+8)
System Uptime: 0 days 0:15:24.709
Loading Kernel Symbols
...............................................................
................................................................
..............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C5, {4, 2, 1, 83f6b943}
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : memory_corruption
Followup: memory_corruption
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 83f6b943, address which referenced memory
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExDeferredFreePool+2e3
83f6b943 894604 mov dword ptr [esi+4],eax
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: TXPlatform.exe
TRAP_FRAME: b073e674 -- (.trap 0xffffffffb073e674)
ErrCode = 00000002
eax=8634dda0 ebx=000001ff ecx=000001ff edx=83f809f8 esi=00000000 edi=83f808c0
eip=83f6b943 esp=b073e6e8 ebp=b073e720 iopl=0 nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!ExDeferredFreePool+0x2e3:
83f6b943 894604 mov dword ptr [esi+4],eax ds:0023:00000004=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 83f6b943 to 83e917eb
STACK_TEXT:
b073e674 83f6b943 badb0d00 83f809f8 00040012 nt!KiTrap0E+0x2cf
b073e720 83f6a8aa 83f808c0 00000000 b073e838 nt!ExDeferredFreePool+0x2e3
b073e788 83f6ba76 8b3e7538 00000000 b073e7ac nt!ExFreePoolWithTag+0x8a4
b073e798 83e87415 8b3e7538 840c1e0b 8b3e756c nt!ExFreePool+0xf
b073e7a0 840c1e0b 8b3e756c b073e7c4 89b83023 nt!ExFreeToNPagedLookasideList+0x14
b073e7ac 89b83023 8b3e756c b073e838 8b3e756c nt!FsRtlFreeExtraCreateParameter+0x42
b073e7c4 89b83526 8b3e756c 00000000 8b3e756c fltmgr!FreeTargetedIoCtrl+0xbb
b073e7dc 89b6b762 86f0e008 8b3e756c 862d59c4 fltmgr!FltpCleanupFileObjectContextForClose+0x76
b073e7f8 89b66ed2 86298350 86f0e008 00000002 fltmgr!FltpGetStartingCallbackNode+0x110
b073e820 89b673ba 0273e838 87a73020 86298350 fltmgr!FltpPassThrough+0x1d4
b073e850 83e874bc 87a73020 862d5780 87984024 fltmgr!FltpDispatch+0xb4
b073e868 8408cdc7 86223698 86298338 00000000 nt!IofCallDriver+0x63
b073e8ac 8406c6f4 86298350 86298350 86298338 nt!IopDeleteFile+0x10c
b073e8c4 83eb3f60 00000000 86320d48 86298338 nt!ObpRemoveObjectRoutine+0x59
b073e8d8 83eb3ed0 86298350 8409078c 8aa01b00 nt!ObfDereferenceObjectWithTag+0x88
b073e8e0 8409078c 8aa01b00 86320d48 00001898 nt!ObfDereferenceObject+0xd
b073e920 84091f72 8aa01b00 b0147130 8618ed20 nt!ObpCloseHandleTableEntry+0x21d
b073e950 840920ea 8618ed20 00000000 b073e9f4 nt!ObpCloseHandle+0x7f
b073e96c 83e8e42a 80001898 b073ea04 83e8bd8d nt!NtClose+0x4e
b073e96c 83e8bd8d 80001898 b073ea04 83e8bd8d nt!KiFastCallEntry+0x12a
b073e9e8 89b9f5c8 80001898 b073ea28 866089a0 nt!ZwClose+0x11
b073ea04 8406184c 00000000 b073ead4 00000000 fileinfo!FIPfInterfaceClose+0x44
b073ea28 84061db8 ffffff94 86608b1c 866089a0 nt!PfpOpenHandleClose+0x38
b073ea3c 84062b6f 00000001 00000005 00000000 nt!PfSnCleanupPrefetchSectionInfo+0x4c
b073eab4 840d553d 00000000 00000001 00000003 nt!PfSnPrefetchSections+0x3b6
b073ec34 840a3ac8 86630000 b073ec64 b073ec70 nt!PfSnPrefetchScenario+0x1a9
b073ecc8 840d01d6 840ae9bd 86305da0 b073ed20 nt!PfSnBeginAppLaunch+0x382
b073ecd8 840ca6dd 96816f4a 00000000 00000000 nt!PfProcessCreateNotification+0x65
b073ed20 83f0b0d9 00000000 777e64d8 00000001 nt!PspUserThreadStartup+0x113
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
83e8e3e4-83e8e3e7 4 bytes - nt!KiFastCallEntry+e4
[ 2b e1 c1 e9:e9 77 bf 37 ]
83eba84c-83eba84f 4 bytes - nt!KiServiceTable+15c (+0x2c468)
[ 0e 5c 12 84:ac 9d 51 8c ]
83eba9e8-83eba9eb 4 bytes - nt!KiServiceTable+2f8 (+0x19c)
[ 31 c5 0c 84:98 9d 51 8c ]
83ebaa08-83ebaa0b 4 bytes - nt!KiServiceTable+318 (+0x20)
[ 88 ae 0c 84:9d 9d 51 8c ]
83ebacb8-83ebacbb 4 bytes - nt!KiServiceTable+5c8 (+0x2b0)
[ 3d cb 0a 84:a7 9d 51 8c ]
20 errors : !nt (83e8e3e4-83ebacbb)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------