We would like to talk about a common error that we see in a lot of cases reported to us by customers. It involves drivers taking too much space on the kernel stack, which results in a kernel stack overflow that crashes the system with one of the following bugchecks:
1. STOP 0x7F: UNEXPECTED_KERNEL_MODE_TRAP with Parameter 1 set to EXCEPTION_DOUBLE_FAULT, which is caused by running off the end of a kernel stack.
2. STOP 0x1E: KMODE_EXCEPTION_NOT_HANDLED, 0x7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, or 0x8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED, with an exception code of STATUS_ACCESS_VIOLATION, which indicates a memory access violation.
3. STOP 0x2B: PANIC_STACK_SWITCH, which usually occurs when a kernel-mode driver uses too much stack space.
Kernel Stack Overview:
Each thread in the system is allocated a kernel-mode stack. Code running on any kernel-mode thread (whether it is a system thread or a thread created by a driver) uses that thread's kernel-mode stack, unless the code is a DPC, in which case it uses the processor's DPC stack on certain platforms. The stack grows downward, toward lower addresses. This means that the beginning (bottom) of the stack has a higher address than the end (top) of the stack. For example, let's say the beginning of your stack is 0x80f1000 and this is where your stack pointer (ESP) is pointing. If you push a DWORD value onto the stack, its address will be 0x80f0ffc. The next DWORD value will be stored at 0x80f0ff8, and so on up to the limit (top) of the allocated stack. The top of the stack is bordered by a guard page to detect overruns.
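A user-mode model of the failure described above, added here as an example and not code from the original post: a nested call chain in which every frame keeps a 4 KB buffer on the stack is compared with the same chain keeping the buffer off-stack, against an assumed budget of 12 KB (the size of an x86 kernel stack). The 12 KB figure, the 4 KB buffer and the use of malloc as a stand-in for a pool allocation are assumptions of the example.

```c
/* Added example: models how per-frame stack buffers exhaust a fixed-size
 * kernel stack. Budget and buffer size are assumed for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define STACK_BUDGET (12u * 1024u)   /* assumed: x86 kernel stack is 12 KB */
#define BUF_BYTES    4096u           /* assumed: buffer each "driver" frame holds */

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))   /* keep one real frame per level */
#else
#define NOINLINE
#endif

static volatile char sink;   /* keeps buffers live across the recursive call */

/* Each level keeps BUF_BYTES of locals. Returns how many nested frames fit
 * before the next one would pass the budget; in the kernel that next frame
 * hits the guard page and the machine double-faults (STOP 0x7F). */
static NOINLINE unsigned nest_stack_buffer(uintptr_t base, unsigned depth) {
    char buf[BUF_BYTES];
    memset(buf, (int)depth, sizeof buf);
    if (base - (uintptr_t)buf > STACK_BUDGET)   /* stack grows downward */
        return depth;
    unsigned reached = nest_stack_buffer(base, depth + 1);
    sink = buf[depth % sizeof buf];
    return reached;
}

/* Same chain, but the buffer lives off-stack (malloc stands in for a pool
 * allocation); only a pointer and bookkeeping remain in each frame. */
static NOINLINE unsigned nest_pool_buffer(uintptr_t base, unsigned depth) {
    char *buf = malloc(BUF_BYTES);
    if (!buf) return depth;
    memset(buf, (int)depth, BUF_BYTES);
    unsigned reached = depth;
    if (base - (uintptr_t)&buf <= STACK_BUDGET)
        reached = nest_pool_buffer(base, depth + 1);
    sink = buf[depth % BUF_BYTES];
    free(buf);
    return reached;
}

/* Record the current stack position as the base, then run each variant. */
unsigned frames_with_stack_buffer(void) { volatile char b; return nest_stack_buffer((uintptr_t)&b, 0); }
unsigned frames_with_pool_buffer(void)  { volatile char b; return nest_pool_buffer((uintptr_t)&b, 0); }

int main(void) {
    printf("4 KB stack buffer: %u nested frames fit in %u bytes\n", frames_with_stack_buffer(), STACK_BUDGET);
    printf("off-stack buffer:  %u nested frames fit in %u bytes\n", frames_with_pool_buffer(), STACK_BUDGET);
    return 0;
}
```

With the 4 KB local buffer only two nested frames fit in the 12 KB budget; moving the buffer off the stack lets the same chain go hundreds of levels deep.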
Further reading:
- http://www.microsoft.com/whdc/driver/kernel/mem-mgmt.mspx
- http://www.microsoft.com/whdc/Driver/tips/KMstack.mspx
- http://support.microsoft.com/kb/186775