*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------
BUGCHECK_STR: 0x7f_8
TSS:  00000028 -- (.tss 0x28)
eax=00000000 ebx=00000003 ecx=f7787101 edx=f7956000 esi=00000000 edi=f7787121
eip=80545c8f esp=f79567b8 ebp=f7956804 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!KiFlushSingleTb+0x3:
80545c8f c3              ret
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
TRAP_FRAME:  f7956cac -- (.trap 0xfffffffff7956cac)
ErrCode = 00000002
eax=0000e808 ebx=ffdff000 ecx=000017f8 edx=00000000 esi=85fc1020 edi=85fc28b8
eip=85fc28b9 esp=f7956d20 ebp=f7956d74 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
85fc28b9 007000          add     byte ptr [eax],dh          ds:0023:0000e808=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 804ffb5e to 80545c8f
STACK_TEXT:
f7956804 804ffb5e f7787121 00000001 00000003 nt!KiFlushSingleTb+0x3
f7956824 806e6100 f795683c 00000000 0000001c nt!KiIpiServiceRoutine+0x5e
f7956824 80501e37 f795683c 00000000 0000001c hal!HalpIpiHandler+0xb8
f7956c8c 805446e0 0000000a 0000e808 0000001c nt!KiSaveProcessorControlState+0x63
f7956c8c 85fc28b9 0000000a 0000e808 0000001c nt!KiTrap0E+0x238
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7956d74 8053874a 00000001 ffffff01 00000000 0x85fc28b9
f7956dac 805cff64 85bf1120 00000000 00000000 nt!ExpWorkerThread+0xcc
f7956ddc 805460de 8053867e 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: .tss 0x28 ; kb
FOLLOWUP_IP:
nt!KiFlushSingleTb+3
80545c8f c3              ret
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KiFlushSingleTb+3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a
FAILURE_BUCKET_ID: 0x7f_8_nt!KiFlushSingleTb+3
BUCKET_ID: 0x7f_8_nt!KiFlushSingleTb+3
Followup: MachineOwner
---------
While running a reboot aging test on a machine with the debugger attached, I got a bugcheck 7F, Double Fault, at around the 3000th reboot.
1. The debugger help says this may be a kernel stack overflow. How do I determine whether it really is a stack overflow?
2. If it is confirmed to be a stack overflow, what is the usual approach to finding the cause? And what should I do when the problem is this hard to reproduce?
3. Tracing back, I think the problem is in KeRemoveQueue. The thread shown is thread number 3C of the System process. On another machine I see that thread 3C is related to NtBuildGUID, but I don't know whether 3C on the faulty machine is also related to NtBuildGUID.
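To answer question 1 against the dump above, here is an added WinDbg session (not part of the original post) that tests the stack-overflow hypothesis the way a practitioner would: load the double-fault TSS, read the thread's kernel stack bounds, and compare ESP at the fault with StackLimit. The ESP and EIP values come from the `.tss 0x28` output above; the StackBase/StackLimit values used in the arithmetic are placeholders, since the post does not include `!thread` output, and must be replaced with what the debugger actually prints.

```windbg
$$ Added example, not code from the original post. Addresses marked
$$ "placeholder" are not in the post; read the real ones from !thread.

$$ 1. Switch to the double-fault TSS so the registers are the faulting
$$    context. The analysis above already did this: esp=f79567b8,
$$    eip=nt!KiFlushSingleTb+0x3 (a ret instruction).
.tss 0x28
r esp

$$ 2. Show the faulting thread. The "Stack Init/Current/Base/Limit"
$$    line gives the bounds of its kernel stack; dt shows the same two
$$    fields from the KTHREAD. On x86 the kernel stack grows down from
$$    StackBase toward StackLimit.
!thread
dt nt!_KTHREAD @$thread StackBase StackLimit

$$ 3. Distance from ESP to the limit. Suppose dt printed
$$    StackLimit : 0xf7954000 (placeholder). A result of zero or only
$$    a few dozen bytes means the stack was exhausted: the CPU had no
$$    room to push the #PF trap frame, so the fault escalated to #DF.
$$    A few kilobytes of headroom means this is not a stack overflow
$$    and the double fault has another cause (bad ESP/SS, corrupt TSS
$$    or GDT, a fault inside a fault handler).
? @esp - f7954000

$$ 4. Either way, scan the raw stack between Limit and Base (both
$$    placeholders here) for return addresses. This recovers callers
$$    the frame walker lost at "Frame IP not in any known module" and,
$$    on a true overflow, shows the recursion or oversized frames that
$$    consumed the stack.
dps f7954000 f7957000

$$ 5. Identify the unknown code address from the trap frame above
$$    (eip=85fc28b9, no module). ln gives the nearest symbol if a module
$$    covers it; !pool tells you whether it is inside a pool allocation
$$    and which tag owns it, which usually points at a driver.
ln 85fc28b9
!pool 85fc28b9
```

Two observations that follow from the posted output itself: the stack ends in nt!ExpWorkerThread, so thread 3C is a system worker thread that runs whatever work items are queued to it, and which work item it was executing matters more than its thread number, which is not stable across machines or boots. For the hard-to-reproduce case, the usual step is to enable Driver Verifier (verifier.exe) on the suspect drivers and rerun the same aging loop with the debugger attached, so the next occurrence is caught at the first corruption rather than at the double fault; `!verifier` in the debugger shows whether it was active in a given dump.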