Diagnose and fix AppVerifier-induced crashes #333

Status: Closed
nefarius opened this issue Dec 26, 2023 · 1 comment
Assignees: nefarius
Labels: bug (Something isn't working) · Core (Core/Common) · Driver (Topic)
Milestone: Version 3

Comments

@nefarius (Owner)

Current latest stable version crashes the UMDF hosting service when AppVerifier is enabled:


Needs proper investigation and fixing 😇


@nefarius nefarius added bug Something isn't working Core Core/Common Driver Topic labels Dec 26, 2023
@nefarius nefarius self-assigned this Dec 26, 2023
@nefarius (Owner, Author)

Ha, not our code, it's in the JSON parser 😁

1: kd> !analyze -v
Connected to Windows 10 22621 x64 target at (Fri Apr 19 19:37:40.301 2024 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..........................................................
Loading User Symbols
.........................
Loading unloaded module list
..............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

APPLICATION_VERIFIER_HEAPS_FIRST_CHANCE_ACCESS_VIOLATION (13)
First chance access violation for current stack trace.
This is the most common application verifier stop. Typically it is caused by a
buffer overrun error. The heap verifier places a non-accessible page at the end
of a heap allocation and a buffer overrun will cause an exception by
touching this page. To debug this stop identify the access address that caused
the exception and then use the following debugger command:
    !heap -p -a ACCESS_ADDRESS
This command will give details about the nature of the error and what heap block is
overrun. It will also give the stack trace for the block allocation.
There are several other causes for this stop. For example accessing a heap block
after being freed. The same debugger command will be useful for this case too. 
Arguments:
Arg1: 0000016df5724000, Invalid address causing the exception. 
Arg2: 00007ffd899a9a61, Code address executing the invalid access. 
Arg3: 0000005a4ae7e030, Exception record. 
Arg4: 0000005a4ae7db40, Context record. 

KEY_VALUES_STRING: 1

    Key  : AVRF.Code
    Value: 13

    Key  : AVRF.Exception
    Value: 1

    Key  : Analysis.CPU.mSec
    Value: 4749

    Key  : Analysis.Elapsed.mSec
    Value: 7666

    Key  : Analysis.IO.Other.Mb
    Value: 1

    Key  : Analysis.IO.Read.Mb
    Value: 4

    Key  : Analysis.IO.Write.Mb
    Value: 3

    Key  : Analysis.Init.CPU.mSec
    Value: 3859

    Key  : Analysis.Init.Elapsed.mSec
    Value: 2011203

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 191

    Key  : Failure.Bucket
    Value: AVRF_13_VRF_dshidmini!cJSON_ParseWithOpts

    Key  : Failure.Hash
    Value: {1299a902-4cf0-15a7-2a68-2e92192b8d59}

    Key  : Hypervisor.Enlightenments.Value
    Value: 0

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 0

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 0

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 0

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 0

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 0

    Key  : Hypervisor.Flags.ValueHex
    Value: 0

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 0

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Version
    Value: 10.0.22621.1


BUGCHECK_CODE:  0

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  WUDFHost.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_RECORD:  0000005a4ae7e030 -- (.exr 0x5a4ae7e030)
ExceptionAddress: 00007ffd899a9a61 (dshidmini!cJSON_ParseWithOpts+0x0000000000000041)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000016df5724000
Attempt to read from address 0000016df5724000

CONTEXT:  0000005a4ae7db40 -- (.cxr 0x5a4ae7db40)
rax=0000016df5723280 rbx=0000016df5233e38 rcx=0000000000000d80
rdx=0000000000000000 rsi=00007ffd89967f30 rdi=0000005a4ae7e390
rip=00007ffd899a9a61 rsp=0000005a4ae7e2c0 rbp=0000016df51ffb10
 r8=0000000000000000  r9=0000005a4ae7e2a0 r10=0000000000000000
r11=0000000000000246 r12=0000005a4ae7ebf0 r13=00007ffd89967d50
r14=0000005a4ae7ea50 r15=0000016df5233a00
iopl=0         nv up ei pl nz ac pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
dshidmini!cJSON_ParseWithOpts+0x41:
0033:00007ffd`899a9a61 803c0800        cmp     byte ptr [rax+rcx],0 ds:002b:0000016d`f5724000=??
Resetting default scope

STACK_TEXT:  
0000005a`4ae7e2c0 00007ffd`899a97a8     : 0000016d`f5723280 00000000`00000000 00000000`00000000 00000000`00000d7e : dshidmini!cJSON_ParseWithOpts+0x41 [D:\Development\GitHub\dshidmini\sys\JSON\cJSON.c @ 1089] 
0000005a`4ae7e310 00007ffd`8999171a     : 0000016d`f5723280 00007ffd`89967f30 00007ffd`899fa810 0000005a`4ae7e3c0 : dshidmini!cJSON_Parse+0x18 [D:\Development\GitHub\dshidmini\sys\JSON\cJSON.c @ 1178] 
0000005a`4ae7e340 00007ffd`899da809     : 0000016d`f51ffe30 0000016d`f50f1f00 00007ffd`89917b70 00007ffd`899c3048 : dshidmini!ConfigLoadForDevice+0x71a [D:\Development\GitHub\dshidmini\sys\Configuration.c @ 696] 
0000005a`4ae7e670 00007ffd`899d2046     : fffffe92`0abe60d8 00007ffd`899b2f01 00000000`00000000 00000000`00000000 : dshidmini!DMF_DsHidMini_Open+0xc9 [D:\Development\GitHub\dshidmini\sys\DsHidMiniDrv.c @ 201] 
0000005a`4ae7e6e0 00007ffd`899c1278     : fffffe92`0abe60d8 00000000`00000000 00007ffd`89997e23 0000016d`00000000 : dshidmini!DMF_Internal_Open+0x136 [D:\Development\GitHub\DMF\Dmf\Framework\DmfInternal.c @ 1550] 
0000005a`4ae7e770 00007ffd`899bd0a6     : fffffe92`0abe60d8 0000005a`00000005 00007ffd`89917b70 00007ffd`a5044ba0 : dshidmini!DMF_Generic_ModuleD0Entry+0x128 [D:\Development\GitHub\DMF\Dmf\Framework\DmfGeneric.c @ 593] 
0000005a`4ae7e820 00007ffd`899b0e7a     : fffffe92`0abe60d8 0000005a`00000005 0000005a`4ae7ea50 00007ffd`89997ec3 : dshidmini!DMF_Module_D0Entry+0xd6 [D:\Development\GitHub\DMF\Dmf\Framework\DmfCall.c @ 845] 
0000005a`4ae7e890 00007ffd`899b95ef     : fffffe92`0acd20d8 fffffe92`00000005 00000000`00000000 00000040`00000014 : dshidmini!DMF_ModuleCollectionD0Entry+0x20a [D:\Development\GitHub\DMF\Dmf\Framework\DmfModuleCollection.c @ 976] 
0000005a`4ae7e920 00007ffd`8994fb1d     : fffffe92`0ae004e8 00000000`00000005 00000000`0000000e 00000000`00000015 : dshidmini!DmfContainerEvtDeviceD0Entry+0xcf [D:\Development\GitHub\DMF\Dmf\Framework\DmfContainer.c @ 231] 
0000005a`4ae7e980 00007ffd`8994a8e0     : 0000016d`f5233800 0000005a`4ae7ea80 00000000`00000008 0000005a`4ae7ea88 : WUDFx02000!FxPnpDeviceD0Entry::InvokeClient+0x2d [minkernel\wdf\framework\shared\irphandlers\pnp\pnpcallbacks.cpp @ 93] 
0000005a`4ae7e9e0 00007ffd`89951bf6     : 0000016d`f5233880 0000005a`4ae7eab9 00007ffd`89967f30 0000005a`4ae7ebf0 : WUDFx02000!FxPrePostCallback::InvokeStateful+0x50 [minkernel\wdf\framework\shared\irphandlers\pnp\cxpnppowercallbacks.cpp @ 275] 
0000005a`4ae7ea20 00007ffd`899523f9     : 0000016d`f5233880 0000005a`4ae7eab9 00007ffd`89968010 00007ffd`8a4f85b4 : WUDFx02000!FxPkgPnp::PowerD0Starting+0x36 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 2267] 
0000005a`4ae7ea50 00007ffd`899534e7     : 00000000`00000040 0000016d`f5233ac8 00000000`00000040 00000000`00000000 : WUDFx02000!FxPkgPnp::PowerEnterNewState+0x1b1 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1699] 
0000005a`4ae7eb20 00007ffd`8995332a     : 0000016d`f5233b00 0000016d`f5233b00 0000005a`4ae7ec10 00000000`00000000 : WUDFx02000!FxPkgPnp::PowerProcessEventInner+0x177 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1613] 
0000005a`4ae7eba0 00007ffd`899512a0     : 00000000`00000000 0000016d`f5233b00 00000000`00000501 0000016d`f52339f0 : WUDFx02000!FxPkgPnp::PowerProcessEvent+0x1a6 [minkernel\wdf\framework\shared\irphandlers\pnp\powerstatemachine.cpp @ 1394] 
0000005a`4ae7ec40 00007ffd`899514d2     : 00000000`00000501 0000005a`4ae7ece0 00000000`00000500 00000000`00000000 : WUDFx02000!FxPkgPnp::NotPowerPolOwnerStarting+0x10 [minkernel\wdf\framework\shared\irphandlers\pnp\notpowerpolicyownerstatemachine.cpp @ 375] 
0000005a`4ae7ec70 00007ffd`89941d0c     : 0000016d`f5233880 0000016d`f5233be0 0000016d`f5233880 00007ffd`898f21ab : WUDFx02000!FxPkgPnp::NotPowerPolicyOwnerEnterNewState+0x15e [minkernel\wdf\framework\shared\irphandlers\pnp\notpowerpolicyownerstatemachine.cpp @ 333] 
0000005a`4ae7ed00 00007ffd`899418e3     : 0000016d`f5233800 0000005a`4ae7ede0 0000016d`f5233880 00007ffd`8a4f5781 : WUDFx02000!FxPkgPnp::PowerPolicyProcessEventInner+0x3e4 [minkernel\wdf\framework\shared\irphandlers\pnp\powerpolicystatemachine.cpp @ 3931] 
0000005a`4ae7ed90 00007ffd`8994d498     : 00000000`00000000 0000016d`f5233800 0000016d`f5233880 00007ffd`89967470 : WUDFx02000!FxPkgPnp::PowerPolicyProcessEvent+0x1a7 [minkernel\wdf\framework\shared\irphandlers\pnp\powerpolicystatemachine.cpp @ 3523] 
0000005a`4ae7ee30 00007ffd`8994ceef     : 00000000`00000101 0000005a`4ae7ee02 00000000`00000108 00000000`00000000 : WUDFx02000!FxPkgPnp::PnpEventHardwareAvailable+0xe8 [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1463] 
0000005a`4ae7ee70 00007ffd`8994edd0     : 0000016d`f5233880 0000005a`4ae7efd0 0000016d`f5233880 00000000`00000000 : WUDFx02000!FxPkgPnp::PnpEnterNewState+0x16f [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1239] 
0000005a`4ae7ef00 00007ffd`8994ec10     : 0000016d`f5233800 0000016d`f5233880 0000005a`4ae7eff0 00000000`00000000 : WUDFx02000!FxPkgPnp::PnpProcessEventInner+0x15c [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 1155] 
0000005a`4ae7ef80 00007ffd`89949d92     : 00000000`00000000 0000016d`f555af70 0000016d`f555ae88 0000016d`f5233880 : WUDFx02000!FxPkgPnp::PnpProcessEvent+0x174 [minkernel\wdf\framework\shared\irphandlers\pnp\pnpstatemachine.cpp @ 938] 
0000005a`4ae7f010 00007ff6`ff4d9e1c     : 0000016d`f3280e10 0000016d`f555af70 0000016d`f555ae88 0000005a`4ae7f1e0 : WUDFx02000!FxPkgFdo::_PnpStartDeviceCompletionRoutine+0x52 [minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgfdo.cpp @ 1510] 
0000005a`4ae7f050 00007ff6`ff4d9788     : 00000000`00000000 0000016d`f555af70 00000000`00000000 00000000`00000000 : WUDFHost!CWudfIoStack::OnCompletion+0x66c [minkernel\wdf\framework\umdf\driverhost\wudfhost\wudfiostack.cpp @ 305] 
0000005a`4ae7f120 00007ff6`ff4d435c     : 00007ff6`ff514c30 00007ff6`ff507f78 0000005a`4ae7f100 00000000`00000001 : WUDFHost!CWudfIrpT<CWudfIoIrp,IWudfIoIrp2,_WUDFMESSAGE_IO_HEADER *,_WUDFMESSAGE_REPLY_HEADER *>::CompleteRequest+0x18 [minkernel\wdf\framework\umdf\driverhost\wudfhost\WudfIrp.h @ 1089] 
0000005a`4ae7f150 00007ffd`a1a91ce8     : 0000005a`4ae7f4d8 00000000`00000000 00000000`00000000 00007ffd`a1a98650 : WUDFHost!CLpcNotification::Message+0xc9c [minkernel\wdf\framework\umdf\driverhost\wudfhost\um\wudflpcum.cpp @ 1380] 
0000005a`4ae7f2c0 00007ffd`a1a9196f     : 00007ffd`a45e5460 00000000`00000000 00000000`00000000 00007ffd`8a4f5781 : WUDFPlatform!WdfLpcPort::ProcessMessage+0x108 [minkernel\wdf\framework\umdf\common\lpc\lpcport.cpp @ 349] 
0000005a`4ae7f380 00007ffd`a1a95947     : 00000000`00000000 00000000`00000000 0000016d`f3248f00 00007ffd`8a4f5fea : WUDFPlatform!WdfLpcCommPort::ProcessMessage+0x6f [minkernel\wdf\framework\umdf\common\lpc\lpccomm.cpp @ 695] 
0000005a`4ae7f3d0 00007ffd`a1a97f9d     : 0000016d`f31def30 00000000`00000001 00000000`00000000 00000000`00000000 : WUDFPlatform!WdfLpcConnPort::ProcessMessage+0x147 [minkernel\wdf\framework\umdf\common\lpc\lpcconn.cpp @ 180] 
0000005a`4ae7f480 00007ff6`ff4e400a     : 0000016d`f30c9f70 0000016d`f30c9f70 0000016d`f31eafa8 00000000`7ffe0386 : WUDFPlatform!WdfLpc::RetrieveMessage+0x19d [minkernel\wdf\framework\umdf\common\lpc\lpc_xp.cpp @ 189] 
0000005a`4ae7f610 00007ffd`a5b1e292     : 0000016d`f31eae20 0000005a`4ae7f7e8 0000016d`f31eae20 00000000`00000000 : WUDFHost!ThreadPoolWorkerThunk+0x5a [minkernel\wdf\framework\umdf\driverhost\wudfhost\wudfthreadpool.cpp @ 23] 
0000005a`4ae7f640 00007ffd`a5b057ac     : 0000016d`f30cbe20 0000016d`f3101f90 00000000`00000000 0000016d`f30cbe20 : ntdll!TppExecuteWaitCallback+0xae
0000005a`4ae7f690 00007ffd`a50426ad     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x72c
0000005a`4ae7f970 00007ffd`a5b2a9f8     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1d
0000005a`4ae7f9a0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x28


STACK_COMMAND:  .cxr 0x5a4ae7db40 ; kb

FAULTING_SOURCE_LINE:  D:\Development\GitHub\dshidmini\sys\JSON\cJSON.c

FAULTING_SOURCE_FILE:  D:\Development\GitHub\dshidmini\sys\JSON\cJSON.c

FAULTING_SOURCE_LINE_NUMBER:  1089

FAULTING_SOURCE_CODE:  
  1085:         return NULL;
  1086:     }
  1087: 
  1088:     /* Adding null character size due to require_null_terminated. */
> 1089:     buffer_length = strlen(value) + sizeof("");
  1090: 
  1091:     return cJSON_ParseWithLengthOpts(value, buffer_length, return_parse_end, require_null_terminated);
  1092: }
  1093: 
  1094: /* Parse an object - create a new root, and populate. */


SYMBOL_NAME:  dshidmini!cJSON_ParseWithOpts+41

MODULE_NAME: dshidmini

IMAGE_NAME:  dshidmini.dll

IMAGE_VERSION:  1.0.0.1

BUCKET_ID_FUNC_OFFSET:  41

FAILURE_BUCKET_ID:  AVRF_13_VRF_dshidmini!cJSON_ParseWithOpts

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {1299a902-4cf0-15a7-2a68-2e92192b8d59}

Followup:     MachineOwner
---------
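What the dump above supports, read line by line: the faulting instruction is `cmp byte ptr [rax+rcx],0` inside the `strlen(value)` at cJSON.c line 1089, with rax = 0x0000016df5723280 (start of the text) and rcx = 0xd80 (current index). Their sum, 0x0000016df5724000, is exactly page-aligned, which is the signature of Application Verifier's heap guard page: the scan ran off the end of the heap block that held the configuration text and into the non-accessible page placed after it. `cJSON_ParseWithOpts` (and therefore `cJSON_Parse`) assumes the caller hands it a NUL-terminated string; a buffer that was allocated to the exact byte length of a file has no terminator, so `strlen` has nothing to stop on. The usual remedies are either to terminate the buffer before calling `cJSON_Parse`, or to hand the known length to the length-aware entry point visible at line 1091, `cJSON_ParseWithLengthOpts` (public wrapper `cJSON_ParseWithLength`).

The example below is added here to illustrate that failure mode and the two defensive patterns; it is not code from DsHidMini or from cJSON. It does not link cJSON; the helper names (`blob_is_nul_terminated`, `bounded_text_length`, `compute_parse_buffer_length`, `make_nul_terminated_copy`) and the sample JSON bytes are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample: the bytes of a small JSON document exactly as they
 * would sit in a heap block sized to the file length, with NO trailing NUL.
 * (Deliberately not a string literal, so sizeof() does not include '\0'.)
 */
static const char SAMPLE_JSON_RAW[] = {
    '{', '"', 'v', 'e', 'r', 's', 'i', 'o', 'n', '"', ':', '1', '}'
};
#define SAMPLE_JSON_LEN (sizeof(SAMPLE_JSON_RAW))

/* 1 if a NUL byte exists within the first len bytes, else 0.
 * Unlike strlen(), this never reads past len. */
static int blob_is_nul_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Bounded stand-in for the strlen() on the faulting line: returns the text
 * length if a terminator exists within capacity, otherwise capacity itself
 * as a "not terminated" signal. */
static size_t bounded_text_length(const char *value, size_t capacity)
{
    const char *nul = memchr(value, '\0', capacity);
    return nul ? (size_t)(nul - value) : capacity;
}

/* Mirrors the buffer_length computation at cJSON.c:1089
 * (strlen(value) + sizeof("")), but refuses when the buffer is not
 * terminated within capacity. Returns 0 on success, -1 when the caller
 * must use a length-aware parse instead of a NUL-terminated one. */
static int compute_parse_buffer_length(const char *value, size_t capacity,
                                       size_t *buffer_length)
{
    if (!blob_is_nul_terminated(value, capacity))
        return -1;
    *buffer_length = bounded_text_length(value, capacity) + sizeof("");
    return 0;
}

/* Fix pattern for callers of cJSON_Parse(): copy the raw bytes into a
 * block one byte larger and terminate it. Caller frees the result. */
static char *make_nul_terminated_copy(const char *src, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, src, len);
    copy[len] = '\0';
    return copy;
}

int main(void)
{
    size_t needed = 0;

    /* Exactly-sized buffer with no terminator: a plain strlen() here would
     * keep scanning past the allocation, which is what the verifier's guard
     * page turned into the access violation in the dump. */
    printf("raw buffer terminated? %d\n",
           blob_is_nul_terminated(SAMPLE_JSON_RAW, SAMPLE_JSON_LEN));
    printf("compute_parse_buffer_length on raw buffer: %d\n",
           compute_parse_buffer_length(SAMPLE_JSON_RAW, SAMPLE_JSON_LEN, &needed));

    /* Remedy 1: terminate the buffer, then cJSON_Parse(safe) is legitimate. */
    char *safe = make_nul_terminated_copy(SAMPLE_JSON_RAW, SAMPLE_JSON_LEN);
    if (safe == NULL)
        return 1;
    if (compute_parse_buffer_length(safe, SAMPLE_JSON_LEN + 1, &needed) == 0)
        printf("terminated copy: text %zu bytes, buffer_length %zu\n",
               strlen(safe), needed);
    free(safe);

    /* Remedy 2 (no copy): pass the known length instead of relying on a NUL,
     * i.e. cJSON_ParseWithLength(SAMPLE_JSON_RAW, SAMPLE_JSON_LEN). */
    return 0;
}
```

With Application Verifier's heap checks enabled, `!heap -p -a 0000016df5724000` (the command the stop text recommends) would identify the block that ends at that page and print the allocation stack, which is the quickest way to find the caller that sized the buffer without room for a terminator.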

@nefarius nefarius added this to the Version 3 milestone May 10, 2024