Re: BugCheck C4, {b7, 1, 2d, 2d}
WinDbg
BugCheck C4, {b7, 1, 2d, 2d}
cadii
2009-08-21, 15:00 PM
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Project\NBLBx\BSOD\Driver Verifier 0xC4\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\windows\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Kernel base = 0x82847000 PsLoadedModuleList = 0x82954930
Debug session time: Thu Aug 20 02:37:34.512 2009 (GMT+8)
System Uptime: 0 days 0:02:14.089
Loading Kernel Symbols
......................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C4, {b7, 1, 2d, 2d}
Probably caused by : hardware_bios ( BIOS_ERROR )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Parameter 1 = 0x1000 .. 0x1020 - deadlock verifier error codes.
Typically the code is 0x1001 (deadlock detected) and you can
issue a '!deadlock' KD command to get more information.
Arguments:
Arg1: 000000b7, The system BIOS has corrupted low physical memory during a sleep transition.
Arg2: 00000001, Number of physical pages corrupted.
Arg3: 0000002d, First corrupted physical page.
Arg4: 0000002d, Last corrupted physical page.
Debugging Details:
------------------
BUGCHECK_STR: 0xc4_b7
ADDITIONAL_DEBUG_TEXT: This is BIOS induced corruption, please update machine BIOS.
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 1f
LAST_CONTROL_TRANSFER: from 82833719 to 829026d9
STACK_TEXT:
9f574b90 82833719 000000c4 000000b7 00000001 nt!KeBugCheckEx+0x1e
9f574bc4 8283258b 00003705 00000282 9f574cac hal!HalpAcpiPostSleep+0xe7
9f574bfc 82b14e58 00003705 00000000 00000000 hal!HaliAcpiSleep+0x1af
9f574c20 82b14d55 9f574cd8 00000000 000f4240 nt!PopHandleNextState+0xcb
9f574c34 82b14aeb 00000004 00000002 8646aaf0 nt!PopIssueNextState+0x24
9f574d40 82b1292a 00000002 00000000 00000000 nt!PopInvokeSystemStateHandler+0x31a
9f574d7c 829ef6ad 8646aaf0 d20439f9 00000000 nt!PopTransitionToSleep+0x63
9f574dc0 828d6686 82b128c7 8646aaf0 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
SYMBOL_NAME: BIOS_ERROR
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware
IMAGE_NAME: hardware_bios
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0xc4_b7_VRF_BIOS_ERROR
BUCKET_ID: 0xc4_b7_VRF_BIOS_ERROR
Followup: MachineOwner
---------
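Could any expert help analyze this? Thanks!
Re: BugCheck C4, {b7, 1, 2d, 2d}
MJ0011
2009-08-21, 17:55 PM
8 cores is pretty powerful. Just turn the verifier off~
Re: BugCheck C4, {b7, 1, 2d, 2d}
王宇
2009-08-21, 18:25 PM
This is basically the same as the previous blue screen: http://advdbg.org/forums/2447/ShowPost.aspx This one is also very likely a blue screen triggered deliberately by Driver Verifier, and the location is again in sleep/wake-up.
Since I don't have Windows Server 2008 Kernel Version 6001, I basically can't run any experiments... I'd like to help but can't. All I could do was reverse XP: I set a breakpoint on hal!HalpAcpiPostSleep, hibernated + woke up, and the breakpoint didn't hit...
WinDbg only printed these page-file copy operations: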
HIBER: 9876 Pages written in 9876 Dumps (31 runs).
HIBER: 25859 Pages processed (38 % compression)
HIBER: Elapsed time 4.100 seconds
HIBER: I/O time 0.847 seconds (20%) 0 MB/sec
HIBER: Init time 0.000 seconds ( 0%)
HIBER: Copy time 0.069 seconds ( 1%) 148251688 Bytes
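Reading the dump literally, Driver Verifier found that physical page 0000002d was corrupted; this corruption may be related to the copy into the PageFile during hibernation.
While I'm at it, a brief explanation of what our teacher Raymond said at http://advdbg.org/forums/2447/ShowPost.aspx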
char __stdcall HalpAcpiPostSleep(int a1)
{
  USHORT v1;
  USHORT *v2;
  USHORT *v3;
  __int16 v4;
  int v5;
  unsigned int v7;
  int v8;
  char v9;

  v9 = HalpProfileRunning == 1;
  v7 = (unsigned int)(unsigned __int8)byte_80022698 >> 1;
  v3 = (PUSHORT)((char *)Port + v7);
  v2 = (PUSHORT)((char *)dword_8002267C + v7);
  v1 = READ_PORT_USHORT((PUSHORT)((char *)Port + v7));
  v4 = v1;
  if ( dword_8002267C )
    v4 = READ_PORT_USHORT(v2) | v1;
  v5 = v4 & 0xFBFF | 1;
  WRITE_PORT_USHORT(v3, v5);
  if ( dword_8002267C )
    WRITE_PORT_USHORT(v2, v5);
  HalpSetClockAfterSleep();
  v8 = a1;
  byte_80022621 = 0;
  *(_DWORD *)HalpWakeVector = 0;
  HalpSetInterruptControllerWakeupState(v8);
  if ( BYTE1(HalpSleepContext) & 4 )
  {
    if ( KdComPortInUse )
      KdRestore(1);
    HalpRestoreDmaControllerState();
    HalpRestoreTimerState();
  }
  HalpPiix4Detect(0);
  (*(int (__stdcall **)(signed int))(PmAcpiDispatchTable + 8))(1);
  HalpRestoreNvsArea();
  HalpResetSBF();
  if ( v9 )
    HalStartProfileInterrupt(0);
  return 1;
}
Internally, HalpSetInterruptControllerWakeupState calls HalStartNextProcessor:
PAGELK:80026A32 loc_80026A32: ; CODE XREF: PAGELK:80026A63j
PAGELK:80026A32 mov eax, _HalpTiledCr3Addresses
PAGELK:80026A37 mov [ebp-504h], bl
PAGELK:80026A3D mov eax, [eax+ebx*8]
PAGELK:80026A40 mov _CurTiledCr3LowPart, eax
PAGELK:80026A45 mov eax, _HalpHiberProcState
PAGELK:80026A4A add eax, edi
PAGELK:80026A4C push eax
PAGELK:80026A4D lea eax, [ebp-74h]
PAGELK:80026A50 push eax
PAGELK:80026A51 call _HalStartNextProcessor@8 ; HalStartNextProcessor(x,x)
PAGELK:80026A56 test al, al
PAGELK:80026A58 jz short loc_80026AB0
PAGELK:80026A5A inc ebx
PAGELK:80026A5B add edi, esi
PAGELK:80026A5D cmp ebx, dword_80022748
PAGELK:80026A63 jb short loc_80026A32
The inside of HalStartNextProcessor is pretty exciting:
mov al, 0Fh
out 70h, al ; CMOS Memory:
; shutdown status byte
pushfw
popfw
jmp short $+2
in al, 71h ; CMOS Memory
pushfw
popfw
jmp short $+2
mov [ebp+var_340], eax
mov eax, 0A0Fh
out 70h, al ; CMOS Memory:
; shutdown status byte
pushfw
popfw
jmp short $+2
mov al, ah
out 71h, al ; CMOS Memory:
; used by real-time clock
pushfw
popfw
jmp short $+2
The 64 bytes of CMOS memory are not mapped into the CPU's address space. Rather, they are accessed via the two I/O ports 70 and 71 hex (112 and 113 decimal). A program writes to a configuration address 00 to 3F hex (0 to 63 decimal) via I/O port 70 hex and then writes a new byte value or reads the current byte value at I/O port 71 hex.
Overall, I still don't understand the details, sigh...
By the way, how much did the original poster's 8-core server cost?
Re: BugCheck C4, {b7, 1, 2d, 2d}
王宇
2009-08-21, 18:26 PM
Argh~ MJ beat me to it by one step ^_^
Re: BugCheck C4, {b7, 1, 2d, 2d}
cadii
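2009-08-24, 14:31 PM
Reading the dump literally, Driver Verifier found that physical page 0000002d was corrupted; this corruption may be related to the copy into the PageFile during hibernation.
A question: how do I access physical page 002d? And how do I find out the actual physical address that physical page 002d corresponds to?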
Re: BugCheck C4, {b7, 1, 2d, 2d}
cadii
2009-08-24, 14:37 PM
0: kd> ln 82833719
(82833632) hal!HalpAcpiPostSleep+0xe7 | (82833746) hal!HalpDispatchPower
0: kd> u 82833632
hal!HalpAcpiPostSleep:
82833632 8bff mov edi,edi
82833634 55 push ebp
82833635 8bec mov ebp,esp
82833637 83ec0c sub esp,0Ch
8283363a 53 push ebx
8283363b 56 push esi
8283363c 57 push edi
8283363d e87cfaffff call hal!HalpCheckFixedWakeSources (828330be)
0: kd> u
hal!HalpAcpiPostSleep+0x10:
82833642 0fb60578fa8282 movzx eax,byte ptr [hal!HalpFixedAcpiDescTable+0x58 (8282fa78)]
82833649 8b0d58fa8282 mov ecx,dword ptr [hal!HalpFixedAcpiDescTable+0x38 (8282fa58)]
8283364f d1e8 shr eax,1
82833651 8d3408 lea esi,[eax+ecx]
82833654 8b0d5cfa8282 mov ecx,dword ptr [hal!HalpFixedAcpiDescTable+0x3c (8282fa5c)]
8283365a 56 push esi
8283365b 8d3c08 lea edi,[eax+ecx]
8283365e e81d63ffff call hal!READ_PORT_USHORT (82829980)
0: kd> u
hal!HalpAcpiPostSleep+0x31:
82833663 0fb7c0 movzx eax,ax
82833666 33db xor ebx,ebx
82833668 391d5cfa8282 cmp dword ptr [hal!HalpFixedAcpiDescTable+0x3c (8282fa5c)],ebx
8283366e 8945fc mov dword ptr [ebp-4],eax
82833671 740d je hal!HalpAcpiPostSleep+0x4e (82833680)
82833673 57 push edi
82833674 e80763ffff call hal!READ_PORT_USHORT (82829980)
82833679 660945fc or word ptr [ebp-4],ax
0: kd> u
hal!HalpAcpiPostSleep+0x4b:
8283367d 8b45fc mov eax,dword ptr [ebp-4]
82833680 25fffbffff and eax,0FFFFFBFFh
82833685 83c801 or eax,1
82833688 50 push eax
82833689 56 push esi
8283368a 8945fc mov dword ptr [ebp-4],eax
8283368d e85663ffff call hal!WRITE_PORT_USHORT (828299e8)
82833692 391d5cfa8282 cmp dword ptr [hal!HalpFixedAcpiDescTable+0x3c (8282fa5c)],ebx
0: kd> u
hal!HalpAcpiPostSleep+0x66:
82833698 7409 je hal!HalpAcpiPostSleep+0x71 (828336a3)
8283369a ff75fc push dword ptr [ebp-4]
8283369d 57 push edi
8283369e e84563ffff call hal!WRITE_PORT_USHORT (828299e8)
828336a3 8d45f8 lea eax,[ebp-8]
828336a6 50 push eax
828336a7 8d45f4 lea eax,[ebp-0Ch]
828336aa 50 push eax
0: kd> u
hal!HalpAcpiPostSleep+0x79:
828336ab 8d45fc lea eax,[ebp-4]
828336ae 50 push eax
828336af 895dfc mov dword ptr [ebp-4],ebx
828336b2 895df4 mov dword ptr [ebp-0Ch],ebx
828336b5 895df8 mov dword ptr [ebp-8],ebx
828336b8 e87dc5feff call hal!HalpCheckLowMemoryPostSleep (8281fc3a)
828336bd e86eeaffff call hal!HalpSetClockAfterSleep (82832130)
828336c2 e8bbd8feff call hal!HalpRestorePerformanceCounter (82820f82)
0: kd> u
hal!HalpAcpiPostSleep+0x95:
828336c7 e80ad7feff call hal!HalpResumeClock (82820dd6)
828336cc a178e28282 mov eax,dword ptr [hal!HalpWakeVector (8282e278)]
828336d1 ff7508 push dword ptr [ebp+8]
828336d4 881da1f88282 mov byte ptr [hal!HalpWakeupState+0x1 (8282f8a1)],bl
828336da 8918 mov dword ptr [eax],ebx
828336dc e841110000 call hal!HalpSetInterruptControllerWakeupState (82834822)
828336e1 66f70570e282820004 test word ptr [hal!HalpSleepContext (8282e270)],400h
828336ea 7432 je hal!HalpAcpiPostSleep+0xec (8283371e)
0: kd> u
hal!HalpAcpiPostSleep+0xba:
828336ec 391d00e48282 cmp dword ptr [hal!KdComPortInUse (8282e400)],ebx
828336f2 7407 je hal!HalpAcpiPostSleep+0xc9 (828336fb)
828336f4 6a01 push 1
828336f6 e85f11ffff call hal!KdRestore (8282485a)
828336fb 395dfc cmp dword ptr [ebp-4],ebx
828336fe 7619 jbe hal!HalpAcpiPostSleep+0xe7 (82833719)
82833700 ff75f8 push dword ptr [ebp-8]
82833703 ff75f4 push dword ptr [ebp-0Ch]
0: kd> u
hal!HalpAcpiPostSleep+0xd4:
82833706 ff75fc push dword ptr [ebp-4]
82833709 68b7000000 push 0B7h
8283370e 68c4000000 push 0C4h
82833713 ff15a8528182 call dword ptr [hal!_imp__KeBugCheckEx (828152a8)]
82833719 e864030000 call hal!HalpRestoreDmaControllerState (82833a82)
8283371e 53 push ebx
8283371f e89c060000 call hal!HalpPiix4Detect (82833dc0)
82833724 a110e48282 mov eax,dword ptr [hal!PmAcpiDispatchTable (8282e410)]
0: kd> u
hal!HalpAcpiPostSleep+0xf7:
82833729 6a01 push 1
8283372b ff5008 call dword ptr [eax+8]
8283372e e8abc7feff call hal!HalpRestoreNvsArea (8281fede)
82833733 e8380b0000 call hal!HalpResetSBF (82834270)
82833738 5f pop edi
82833739 5e pop esi
8283373a b001 mov al,1
8283373c 5b pop ebx
0: kd> u
hal!HalpAcpiPostSleep+0x10b:
8283373d c9 leave
8283373e c20400 ret 4
This is what the disassembly gave; I don't know whether it is of any use!
Re: BugCheck C4, {b7, 1, 2d, 2d}
cadii
2009-08-24, 14:38 PM
hal!HalpAcpiPostSleep+0xd4:
82833706 ff75fc push dword ptr [ebp-4]
82833709 68b7000000 push 0B7h
8283370e 68c4000000 push 0C4h
82833713 ff15a8528182 call dword ptr [hal!_imp__KeBugCheckEx (828152a8)]
82833719 e864030000 call hal!HalpRestoreDmaControllerState (82833a82)
KeBugCheckEx appears before hal!HalpRestoreDmaControllerState; can we conclude that it died inside hal!HalpRestoreDmaControllerState?
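Added example (not part of the original thread, and not HAL code): a user-mode C model of the kind of check whose three results the disassembly above passes from hal!HalpCheckLowMemoryPostSleep to KeBugCheckEx(0xC4, 0xB7, ...), showing how Arg2 to Arg4 arise and how a page number such as 2d maps to a physical address (page number times the 4 KB page size). The low 1 MB range, the per-page checksum, the 0xA5 fill and every function name here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 0x1000u  /* 4 KB x86 page */
#define LOW_PAGES 0x100u   /* assumption: the check covers the low 1 MB */

struct low_mem_report {
    uint32_t corrupted;    /* Arg2: number of physical pages corrupted */
    uint32_t first_pfn;    /* Arg3: first corrupted physical page */
    uint32_t last_pfn;     /* Arg4: last corrupted physical page */
};
static uint8_t  low_mem[LOW_PAGES * PAGE_SIZE]; /* stand-in for physical RAM */
static uint32_t saved_sum[LOW_PAGES];           /* pre-sleep page checksums */

/* Physical byte address of a page: page number times page size. */
uint64_t pfn_to_phys(uint32_t pfn) { return (uint64_t)pfn * PAGE_SIZE; }

/* FNV-1a over one page; hypothetical stand-in for what the HAL records. */
static uint32_t page_sum(uint32_t pfn) {
    const uint8_t *p = low_mem + pfn_to_phys(pfn);
    uint32_t h = 2166136261u;
    for (uint32_t i = 0; i < PAGE_SIZE; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* After wake: count changed pages and remember the first and last one. */
struct low_mem_report post_sleep_check(void) {
    struct low_mem_report r = {0, 0, 0};
    for (uint32_t pfn = 0; pfn < LOW_PAGES; pfn++) {
        if (page_sum(pfn) == saved_sum[pfn]) continue;
        if (r.corrupted++ == 0) r.first_pfn = pfn;
        r.last_pfn = pfn;
    }
    return r;
}

/* Constructed scenario: snapshot, then "firmware" alters `count` pages. */
struct low_mem_report simulate_resume(uint32_t first, uint32_t count) {
    memset(low_mem, 0xA5, sizeof low_mem);
    for (uint32_t pfn = 0; pfn < LOW_PAGES; pfn++) saved_sum[pfn] = page_sum(pfn);
    for (uint32_t i = 0; i < count && first + i < LOW_PAGES; i++)
        low_mem[pfn_to_phys(first + i) + 0x10] ^= 0xFF;
    return post_sleep_check();
}

int main(void) {
    struct low_mem_report r = simulate_resume(0x2d, 1);
    printf("C4 {b7, %x, %x, %x}\n", r.corrupted, r.first_pfn, r.last_pfn);
    return 0;
}
```

With 4 KB pages, page 2d covers physical addresses 0x2d000 through 0x2dfff; WinDbg's physical-memory display extensions such as `!dd 2d000` read that range when the dump contains the page.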