Another look at page faults
Thursday, August 9th, 2007

Recently I observed this bugcheck with a reported “valid” address (e16623fc, the memory referenced in Arg1):
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: e16623fc, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: ae2b222e, address which referenced memory
TRAP_FRAME: a54a4a40 -- (.trap 0xffffffffa54a4a40)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=e16623f0 edx=00000000 esi=ae2ce428 edi=a54a4b4c
eip=ae2b222e esp=a54a4ab4 ebp=a54a4ac4 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
driver!ProcessCommand+0x44:
ae2b222e 39590c cmp dword ptr [ecx+0Ch],ebx ds:0023:e16623fc=00000000
1: kd> dd e16623fc l4
e16623fc 00000000 00790000 004c4c44 00010204
The address belongs to a paged pool:
1: kd> !pool e16623fc
Pool page e16623fc region is Paged pool
e1662000 size: 3a8 previous size: 0 (Allocated) NtfF
e16623a8 size: 10 previous size: 3a8 (Free) ….
e16623b8 size: 28 previous size: 10 (Allocated) Ntfo
e16623e0 size: 8 previous size: 28 (Free) CMDa
*e16623e8 size: 20 previous size: 8 (Allocated) *DRV
So why do we have the bugcheck here if the memory wasn’t paged out? Because page faults occur whenever a page is marked as invalid in the page tables, not only when it has been paged out to disk. We can check whether an address belongs to an invalid page by using the !pte command:
1: kd> !pte e16623fc
VA e16623fc
PDE at 00000000C0603858 PTE at 00000000C070B310
contains 00000000F5434863 contains 00000000E817A8C2
pfn f5434 ---DA--KWEV not valid
Transition: e817a
Protect: 6 - ReadWriteExecute
Let’s check our PTE (page table entry):
1: kd> .formats 00000000E817A8C2
Evaluate expression:
Hex: e817a8c2
Decimal: -401102654
Octal: 35005724302
Binary: 11101000 00010111 10101000 11000010
We see that bit 0 (Valid) is cleared, which means the PTE marks the page as invalid, and that bit 11 (Transition) is set, which marks the page as being on the standby or modified list. When the page is referenced at IRQL less than 2, it is made valid and added to a process working set. We see the address as “valid” in WinDbg because the page was not paged out and is present in the crash dump. But the PTE marks it as invalid, and therefore the access triggers a page fault. The page fault handler sees that IRQL == 2 and generates the D1 bugcheck.
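To make the two points above concrete (a page can fault while still physically present, and the outcome depends on IRQL), here is an added Python example, not part of the original post, that decodes the two entries from the !pte output and models what the page fault handler does with them. The bit layout assumed is the Windows x86 PAE one described in Windows Internals (bit 0 Valid; for invalid entries bits 5-9 protection code, bit 10 Prototype, bit 11 Transition, bits 12-35 PFN); the names of the protection codes follow the MM_* constants as WinDbg prints them. The functions decode_pte and fault_outcome are mine, not WinDbg commands.

```python
"""Decode x86 PAE page table entries the way !pte reports them and model
what the page fault handler does with them at a given IRQL.
Bit layout assumed from Windows Internals; not taken from the post."""

# Hardware bits (Intel PAE format)
PTE_VALID      = 1 << 0
PTE_WRITE_HW   = 1 << 1
PTE_OWNER_USER = 1 << 2      # clear => kernel-mode page ("K" in !pte)
PTE_ACCESSED   = 1 << 5
PTE_DIRTY      = 1 << 6
PTE_NX         = 1 << 63     # clear => executable ("E" in !pte)
# Software bits used by Windows in an invalid (non-present) PTE
PTE_PROTOTYPE  = 1 << 10
PTE_TRANSITION = 1 << 11
PROT_SHIFT, PROT_MASK = 5, 0x1F
PFN_SHIFT, PFN_MASK = 12, (1 << 24) - 1   # 24-bit PFN on PAE

# MM_* protection codes, named the way WinDbg prints them
PROTECT_NAMES = {
    0: "NoAccess", 1: "ReadOnly", 2: "Execute", 3: "ExecuteRead",
    4: "ReadWrite", 5: "WriteCopy", 6: "ReadWriteExecute", 7: "ExecuteWriteCopy",
}

DISPATCH_LEVEL = 2


def decode_pte(pte: int) -> dict:
    """Return the fields !pte shows: validity, PFN, hardware flags for a
    valid entry, transition/prototype bits and protection for an invalid one."""
    info = {"raw": pte, "valid": bool(pte & PTE_VALID),
            "pfn": (pte >> PFN_SHIFT) & PFN_MASK}
    if info["valid"]:
        info["dirty"] = bool(pte & PTE_DIRTY)
        info["accessed"] = bool(pte & PTE_ACCESSED)
        info["kernel"] = not (pte & PTE_OWNER_USER)
        info["writable"] = bool(pte & PTE_WRITE_HW)
        info["executable"] = not (pte & PTE_NX)
    else:
        info["transition"] = bool(pte & PTE_TRANSITION)
        info["prototype"] = bool(pte & PTE_PROTOTYPE)
        prot = (pte >> PROT_SHIFT) & PROT_MASK
        info["protect"] = prot
        info["protect_name"] = PROTECT_NAMES.get(prot, "Unknown")
    return info


def fault_outcome(pte: int, irql: int) -> str:
    """What an access through this PTE leads to at the given IRQL,
    following the reasoning of the post: any invalid PTE faults, and a
    fault at IRQL >= 2 is fatal even if the page is still in memory."""
    d = decode_pte(pte)
    if d["valid"]:
        return "no fault"
    if irql >= DISPATCH_LEVEL:
        return "BUGCHECK 0xD1 DRIVER_IRQL_NOT_LESS_OR_EQUAL"
    if d["transition"]:
        return "soft fault: page on standby/modified list, made valid"
    return "hard fault: page must be read in"


def describe(pte: int) -> str:
    """One-line summary in the spirit of the !pte output."""
    d = decode_pte(pte)
    if d["valid"]:
        flags = "".join(c if f else "-" for c, f in [
            ("D", d["dirty"]), ("A", d["accessed"]), ("K", d["kernel"]),
            ("W", d["writable"]), ("E", d["executable"]), ("V", True)])
        return f"pfn {d['pfn']:x} {flags} valid"
    parts = [f"pfn {d['pfn']:x} not valid"]
    if d["transition"]:
        parts.append(f"Transition: {d['pfn']:x}")
    if d["prototype"]:
        parts.append("Prototype")
    parts.append(f"Protect: {d['protect']} - {d['protect_name']}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Values from the !pte dump above: the PDE and the PTE for e16623fc
    for name, value in [("PDE", 0x00000000F5434863), ("PTE", 0x00000000E817A8C2)]:
        print(f"{name} {value:016x}: {describe(value)}")
    for irql in (0, 2):
        print(f"access at IRQL {irql}: {fault_outcome(0xE817A8C2, irql)}")
```

Run as-is, the PDE decodes as a valid, dirty, accessed, kernel, writable page (the DA-KWEV flags !pte printed), and the PTE decodes as invalid with Transition set, PFN e817a and protection 6 (ReadWriteExecute), exactly the fields in the dump. The same PTE gives a soft fault at IRQL 0 but the D1 bugcheck at IRQL 2.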
- Dmitry Vostokov @ DumpAnalysis.org -