Re: Help! A question about global variables
Windows Kernel Debugging
Help! A question about global variables
lll
2016-10-08, 18:50
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804e2b68, address which referenced memory
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
FAULTING_MODULE: 804d8000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 5735654c
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForMultipleObjects+1e5
804e2b68 8939 mov dword ptr [ecx],edi
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
a86c6a04 804e2b68 badb0d00 00000000 e14ea298 nt!Kei386EoiHelper+0x27e9
a86c6a98 8070396b 00000000 00000000 00000000 nt!KeWaitForMultipleObjects+0x1e5
a86c6ab8 a8c2c004 00000000 e10eeda0 898e6500 hal!ExAcquireFastMutex+0x2b
a86c6ad0 a8c247a0 000000d0 89860278 00000000 mydriver!FwTcp::ClearPolicy+0x14 [d:\code\mydriver\src\FwTcp.cpp @ 2988]
a86c6b10 a8c2398f 8986c428 00120164 00000000 mydriver!NetFireWall::ProcessRequest+0x600 [d:\code\mydriver\src\NetFireWall.cpp @ 1712]
a86c6b5c a8c2363c 8986c428 00000000 00000000 mydriver!NetFireWall::HandleIRP+0x10f [d:\code\mydriver\src\NetFireWall.cpp @ 714]
a86c6b78 804e2343 89a1d628 8986c428 80703410 mydriver!NetFireWall::DeviceDispatch+0x7c [d:\code\mydriver\src\NetFireWall.cpp @ 602]
a86c6b9c 80583af3 89a1d628 8986c428 89a65028 nt!IofCallDriver+0x32
a86c6c38 80589d00 0000014c 00000000 00000000 nt!RtlAnsiCharToUnicodeChar+0x4fc
a86c6cb0 805885d4 891380a0 000206b4 8913fbb0 nt!NtDeviceIoControlFile+0x2a
a86c6d34 804de9ab 0000014c 00000000 00000000 nt!RtlUnicodeStringToAnsiString+0xc5b
a86c6d64 7c92e514 badb0d00 0012fe74 00000000 nt!KiDeliverApc+0xbaa
a86c6d68 badb0d00 0012fe74 00000000 00000000 0x7c92e514
a86c6d6c 0012fe74 00000000 00000000 00000000 0xbadb0d00
a86c6d70 00000000 00000000 00000000 00000000 0x12fe74
0: kd> x /v mydriver!g_FastMutex
prv global a8c37404 20 mydriver!g_FastMutex = struct _FAST_MUTEX
0: kd> version
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.130704-0421
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x805644c0
Debug session time: Sat Oct 8 12:04:37.484 2016 (UTC + 8:00)
System Uptime: 0 days 0:02:24.156
Here is the code around line 2988 of FwTcp.cpp:
FAST_MUTEX g_FastMutex;
// declared at the top of the file
BOOL FwTcp::ClearPolicy()
{
    ExAcquireFastMutex(&g_FastMutex);
    if (!IsListEmpty(g_pPolicyList))
    // this is line 2988
    {
        PLIST_ENTRY pNode = g_pPolicyList->Blink;
        while (!IsListEmpty(g_pPolicyList))
        {
            PLIST_ENTRY pNodeNext = pNode->Blink;
            RemoveEntryList(pNode);
            PPolicy pData = (PPolicy)CONTAINING_RECORD(pNode, Policy, entry);
            if (NULL != pData)
            {
                ExFreePool(pData);
                pData = NULL;
            }
            pNode = pNodeNext;
        }
    }
    ExReleaseFastMutex(&g_FastMutex);
    return TRUE;
}
This function is called from the IRP_MJ_DEVICE_CONTROL handler.
My question:
This error is a write to address 0. Looking at the parameter of
hal!ExAcquireFastMutex+0x2b, it is 000000000; why would it be 0? I am using a global variable. In fact, the symbol's address is
a8c37404, which is not NULL either.
I'm a beginner, please advise! Maybe everything analyzed above is wrong, please don't laugh at me.
///////////////////////////////////
g_pPolicyList is where the real error is. I always thought the line above the reported error line was the real faulting location, so I kept looking at g_FastMutex. g_pPolicyList becomes NULL through a logic path that is rather hard to reach, so the access here faults.
I'll leave the post up. Apologies to the experts for the noise.
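The pattern behind lll's self-diagnosis, as an added example that is not code from the post or from the driver: a user-mode C model of ClearPolicy in which the list head pointer is checked under the lock before it is dereferenced, so a NULL g_pPolicyList makes the function return FALSE instead of faulting. The ntddk list helpers are re-implemented with the same semantics, the mutex calls and ExFreePool are represented by comments and free(), and DemoClear / DemoNullHead are constructed scenarios, all assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>

/* User-mode stand-ins for the ntddk list helpers the driver uses (same semantics). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, *PLIST_ENTRY;
typedef struct _Policy { LIST_ENTRY entry; int id; } Policy, *PPolicy;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
static void InitializeListHead(PLIST_ENTRY h) { h->Flink = h->Blink = h; }
static int  IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(PLIST_ENTRY h, PLIST_ENTRY e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(PLIST_ENTRY e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }

/* As in the post, the head is reached through a global pointer that a rare path leaves NULL. */
PLIST_ENTRY g_pPolicyList = NULL;

/* Hardened ClearPolicy: validate the head pointer under the lock before dereferencing it,
 * pop entries from the front, report how many were freed, and always release the lock.
 * ExAcquire/ReleaseFastMutex and ExFreePool are comments / free() in this user-mode model. */
int ClearPolicy_safe(int *freed) {
    int ok = 0;
    *freed = 0;
    /* ExAcquireFastMutex(&g_FastMutex); */
    if (g_pPolicyList != NULL) {        /* NULL is the state that faulted at FwTcp.cpp line 2988 */
        while (!IsListEmpty(g_pPolicyList)) {
            PLIST_ENTRY pNode = g_pPolicyList->Flink;
            RemoveEntryList(pNode);
            free(CONTAINING_RECORD(pNode, Policy, entry));   /* ExFreePool in the driver */
            (*freed)++;
        }
        ok = 1;                         /* TRUE only when a list was actually cleared */
    }
    /* ExReleaseFastMutex(&g_FastMutex); */
    return ok;
}

/* Constructed scenario: a head with `count` policies is cleared; returns the freed
 * count, or -1 if ClearPolicy_safe failed or left entries behind. */
int DemoClear(int count) {
    LIST_ENTRY head; int freed, i;
    InitializeListHead(&head);
    for (i = 0; i < count; i++) {
        PPolicy p = malloc(sizeof *p); p->id = i;
        InsertTailList(&head, &p->entry);
    }
    g_pPolicyList = &head;
    if (!ClearPolicy_safe(&freed) || !IsListEmpty(&head)) return -1;
    g_pPolicyList = NULL;
    return freed;
}

/* Constructed scenario: the NULL head that crashed the original; must return FALSE (0). */
int DemoNullHead(void) { int freed; g_pPolicyList = NULL; return ClearPolicy_safe(&freed); }
```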
Re: Help! A question about global variables
格蠹老雷
2016-10-10, 13:59
That doesn't seem to be the problem: the access to
g_pPolicyList at line 2988 is a read, not a write. Also, judging from the stack backtrace, the fault happened during the call to
ExAcquireFastMutex. Do you have a dump file?