"The Boolean of Death" (buffer overrun in file system drivers triggered via user application ?)

Discussion in 'Windows 64bit' started by Skybuck Flying, Sep 6, 2009.

  1. Holyshit...

    My DreamPC just had a "Blue screen of Death !".

    It happened as I was debugging the Battlefield Executor... v0.03...

    I was just about to breakoff the debugging... when I stepped over the
    PSpaceEnabled boolean... and WHAM !

    Blue Screen of Death ?!?! This is the second time that this motherfucking
    boolean has cost me troubles ?! WOW.

    This warrants some more attention/investigation !

    I will cross post this to some other microsoft related newsgroups... I will
    just use this posting for it... with a new subject line, it will have the
    funny name of:

    "The Boolean of Death !" =D LOL.

    With full minidump log yeah ! ;)

    I have two explanations of what could have triggered this:

    Explanation 1:

    Because of bugs in a free basic program... free basic read more bytes than
    there was buffer space...

    It was trying to read 8 bytes, however the amount was set to SizeOf(int64),
    this was incorrect... the amount needed to be just 1 because free basic
    already multiplies it with 8...

    So instead of reading just 8 bytes... it actually read 64 bytes !

    This must have triggered some kind of buffer overrun.... maybe in free basic
    itself... or maybe in some file system or disk driver ?!?

    This could be a serious issue ?!

    Fortunately... it was just a read... what if it had been a write ?!?
    Maybe my file system could have been affected... therefore this could be a
    serious thing...

    Maybe somehow free basic managed to corrupt the windows kernel... kinda
    strange...

    to reproduce this issue try something like:

    dim vByte as byte

    get #FileStream, ,vByte, 100000

    I sure as hell am not gonna try it on my system !

    Also the bug didn't happen immediately... it took a while. (If this is what
    caused it)

    Explanation 2:

    Maybe Delphi IDE was somehow corrupted... by free basic...

    Or Delphi IDE has a GUI/Debugger bug that somehow crashes the system...

    This is also a highly plausible possibility... it wouldn't be the first time
    that I see Delphi crashing the system...

    Delphi's debugger probably does lots of low level
    interfacing/manipulations... so that makes it plausible.

    What the truth is remains to be seen/investigated...

    For now I am going to post it again before it happens again... it's a bit
    scary and I don't wanna re-type this lol.

    The minidump log/output will follow in a next posting for you guys to
    examine !

    And I will post it on my skydrive as well !

    I have lots of space there ! ;)

    (No zipping required probably... it will just be one file...)

    It's been a while since my computer had a blue screen of death...

    (Windows XP x64 Professional Edition !)

    Ok now I go fire up windbg to analyze the dump etc...

    (Little bit) Later !
    Bye,
    Skybuck =D
     
    Skybuck Flying, Sep 6, 2009
    #1
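    Explanation 1 hinges on the unit of the count argument. As an added example (not code from the thread), the same mistake is reproduced in C, whose fread() takes a count in elements of `size` bytes just as FreeBASIC's GET takes a count in units of the variable's size; the file contents are constructed, and the target variable is followed by 56 canary bytes so the overrun can be counted instead of corrupting unrelated memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-byte sample file: each 8-byte group holds a different
   value (0x11.., 0x22.., ...) so bytes landing past the target stand out. */
static FILE *make_sample_file(void) {
    unsigned char data[64];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (unsigned char)(0x11 * (i / 8 + 1));
    FILE *f = tmpfile();
    if (!f || fwrite(data, 1, sizeof data, f) != sizeof data) return NULL;
    rewind(f);
    return f;
}

/* The 8-byte variable plus 56 canary bytes, so the overrun lands in memory
   we own and can count instead of in undefined territory. */
struct slot { int64_t value; unsigned char neighbour[56]; };

/* Buggy read, the FreeBASIC `get #f, , v, SizeOf(int64)` mistake: the count
   is in ELEMENTS of sizeof(int64_t) bytes, so 8 x 8 = 64 bytes are requested
   for an 8-byte variable. Returns how many canary bytes were overwritten. */
size_t demo_buggy(void) {
    struct slot s; memset(&s, 0, sizeof s);
    FILE *f = make_sample_file();
    if (!f) return (size_t)-1;
    (void)fread(&s, sizeof(int64_t), sizeof(int64_t), f);   /* 64 bytes */
    fclose(f);
    size_t clobbered = 0;
    for (size_t i = 0; i < sizeof s.neighbour; i++) clobbered += s.neighbour[i] != 0;
    return clobbered;
}

/* Hardened read: the request is bounded by the destination size, counted in
   bytes, and a short read is reported instead of silently accepted. */
int read_exact(FILE *f, void *dst, size_t dst_size, size_t want) {
    if (want > dst_size) return 0;          /* would overrun the buffer: refuse */
    return fread(dst, 1, want, f) == want;  /* 1-byte elements, exactly `want` */
}

/* Reads the first int64 the safe way. Returns -2 if an oversized request
   was NOT refused, -1 if the exact read failed, otherwise the value. */
int64_t demo_safe(void) {
    int64_t v = 0; FILE *f = make_sample_file();
    if (!f) return -1;
    if (read_exact(f, &v, sizeof v, 64)) { fclose(f); return -2; }  /* refused */
    int ok = read_exact(f, &v, sizeof v, sizeof v);                 /* 8 bytes */
    fclose(f);
    return ok ? v : -1;
}
```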

  2. Ok, here is the minidump analyze -v output:

    (Seems to be a driver fault !)
    (I was also trying to investigate a range check error in Delphi... that
    probably threw up some exception or so... and somehow it wasn't handled ?!?
    Or maybe I pressed control-F2 (reset debugger) right in the middle of trying
    to handle the exception or trying to inspect a value ? Or a HINT message
    popped up and I tried to click it away or reset... something like that triggered
    it probably... or it could just be a bug in a driver somewhere !?!)

    Date of Blue Screen of Death is today: 6 September 2009 (month 9)

    (I also have a blue screen of death minidump from January... gonna
    investigate that too and put it up on a website just like this one... though
    the one from January is probably not so interesting... however this one is
    interesting... (Delphi) IDEs crashing and taking down the operating system
    is NASTY ! I could have lost some great code or algorithm... fortunately
    that was not the case ! Pfew hihihehe ;) :) But it could have been, so it should
    be investigated ! (immediately LOL) might be something rare but still ! ;))
    (I will not post the log of the one from January to prevent confusion... so
    just this one from today... ;))


    Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini090609-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is:
    SRV*c:\Tools\WinDbg\WebSymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free
    x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 3790.srv03_sp2_gdr.090319-1204
    Machine Name:
    Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140
    Debug session time: Sun Sep 6 12:36:57.062 2009 (GMT+2)
    System Uptime: 0 days 5:28:11.995
    Loading Kernel Symbols
    ................................................................
    .................................................................
    ........................
    Loading User Symbols
    Loading unloaded module list
    ...................................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1E, {ffffffffc0000005, fffff800012c121f, 0, ffffffffffffffff}

    Unable to load image sptd.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for sptd.sys
    *** ERROR: Module load completed but symbols could not be loaded for
    sptd.sys
    Probably caused by : sptd.sys ( sptd+415d2 )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff800012c121f, The address that the exception occurred at
    Arg3: 0000000000000000, Parameter 0 of the exception
    Arg4: ffffffffffffffff, Parameter 1 of the exception

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
    referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP:
    nt!PspGetSetContextInternal+203
    fffff800`012c121f 488b58f8 mov rbx,qword ptr [rax-8]

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: ffffffffffffffff

    READ_ADDRESS: ffffffffffffffff

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x1E

    PROCESS_NAME: BattlefieldExec

    CURRENT_IRQL: 1

    EXCEPTION_RECORD: fffffadfc3eddd10 -- (.exr 0xfffffadfc3eddd10)
    ExceptionAddress: fffff800012c121f
    (nt!PspGetSetContextInternal+0x0000000000000203)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000008
    NumberParameters: 2
    Parameter[0]: 0000000000000000
    Parameter[1]: ffffffffffffffff
    Attempt to read from address ffffffffffffffff

    TRAP_FRAME: fffffadfc3eddda0 -- (.trap 0xfffffadfc3eddda0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=10fffffadfceb6a0 rbx=0000000000000000 rcx=0000000000000001
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800012c121f rsp=fffffadfc3eddf30 rbp=fffffadfc3f04b10
    r8=0000000000000000 r9=0000000000000000 r10=0f00000000000000
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl nz ac po nc
    nt!PspGetSetContextInternal+0x203:
    fffff800`012c121f 488b58f8 mov rbx,qword ptr [rax-8]
    ds:df90:10fffffa`dfceb698=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff80001080e86 to fffff8000102e890

    STACK_TEXT:
    fffffadf`c3edd618 fffff800`01080e86 : 00000000`0000001e ffffffff`c0000005
    fffff800`012c121f 00000000`00000000 : nt!KeBugCheckEx
    fffffadf`c3edd620 fffff800`0102e6af : fffffadf`c3eddd10 fffffa80`06195700
    fffffadf`c3eddda0 fffff800`011b0180 : nt!KiDispatchException+0x128
    fffffadf`c3eddc20 fffff800`0102d30d : 00000000`00000000 00000000`00000000
    00000000`00000000 00000000`00000000 : nt!KiExceptionExit
    fffffadf`c3eddda0 fffff800`012c121f : 00000001`00000001 0f000000`00000000
    fffffadf`c3edec70 fffffadf`c3f045c0 : nt!KiGeneralProtectionFault+0xcd
    fffffadf`c3eddf30 fffff800`0104236b : fffffadf`cb512bf0 00000000`00000000
    fffffadf`cb512c38 00000000`00000000 : nt!PspGetSetContextInternal+0x203
    fffffadf`c3ede480 fffff800`01027eb1 : 00000000`c3ede700 00000001`01298d01
    00000001`cc04ee00 00000000`00000002 : nt!PspGetSetContextSpecialApc+0xab
    fffffadf`c3ede590 fffff800`0103bf97 : 00000246`002b002b 00000000`00000000
    00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x215
    fffffadf`c3ede630 fffff800`0102828e : 00000000`00000000 00000000`01fd50e0
    fffffadf`cb512c88 fffffadf`cb512bf0 : nt!KiSwapThread+0x3e9
    fffffadf`c3ede690 fffff800`0101f88c : 00000000`00000000 00000000`00000005
    00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x5a6
    fffffadf`c3ede710 fffff800`0101f51b : 00000000`00000000 00000000`00000000
    00000000`00000000 00000000`00000000 : nt!KiSuspendThread+0x2c
    fffffadf`c3ede750 fffff800`01027abd : 00000000`00160014 00000000`00000000
    fffff800`0101f860 fffffadf`cb518730 : nt!KiDeliverApc+0x2d3
    fffffadf`c3ede7f0 fffffadf`c86ff5d2 : 00000000`00000000 00000000`00000000
    00000000`00000000 00000000`00000000 : nt!KiApcInterrupt+0xdd
    fffffadf`c3ede980 00000000`00000000 : 00000000`00000000 00000000`00000000
    00000000`00000000 00000000`00000000 : sptd+0x415d2


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    sptd+415d2
    fffffadf`c86ff5d2 ?? ???

    SYMBOL_STACK_INDEX: c

    SYMBOL_NAME: sptd+415d2

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: sptd

    IMAGE_NAME: sptd.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 47cf3c13

    FAILURE_BUCKET_ID: X64_0x1E_sptd+415d2

    BUCKET_ID: X64_0x1E_sptd+415d2

    Followup: MachineOwner
    ---------


    Bye,
    Skybuck.
     
    Skybuck Flying, Sep 6, 2009
    #2

  3. Ok,

    The minidump has been uploaded to my skydrive:

    http://cid-aedd0ea32d61bc86.skydriv...SCrashDumps/WindowsXPx64Pro/Mini090609-01.dmp

    Filename is: Mini090609-01.dmp
    Description is:
    "
    9 september 2009: Windows XP x64 Pro crash during Delphi 2007 debugging,
    range check error, binary file reading related, boolean (1 byte) related
    "boolean of death", free basic related, possible buffer overrun or delphi
    debugger problem.
    "

    So that's the one you want ^

    There is also another up there but it's much older:

    http://cid-aedd0ea32d61bc86.skydriv...SCrashDumps/WindowsXPx64Pro/Mini011609-01.dmp

    Filename is: Mini011609-01.dmp
    Description is:

    "
    16 january 2009: Windows XP x64 Pro crash, possibly overheat related, or
    x-fi soundblaster related, probably happened during playing of the video
    game Mirror's Edge.
    "

    Bye,
    Skybuck.
     
    Skybuck Flying, Sep 6, 2009
    #3
  4. Hmm I just noticed something... the version of the free basic test
    program/evolver I am writing is version 0.13...

    I said to myself: that's just superstition... surely it's not gonna give
    problems ?!

    But sure enough !

    Number 0.13 gave me a blue screen of death ! FUCKING HELL.

    Bye,
    Skybuck.
     
    Skybuck Flying, Sep 7, 2009
    #4
