Thursday, December 8, 2011

Troubleshooting 0x50 PAGE_FAULT_IN_NONPAGED_AREA

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:
http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

The blue screen of death (BSOD) identified by 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA is often the result of a buggy driver that attempts to access information at an invalid location, or of a driver that has corrupted memory. Most crash dumps reference the system kernel (ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, and ntkrnlpamp.exe), which is typically not the cause of the issue, but rather where the issue was detected. Enabling Driver Verifier with standard settings may produce more informative crash dumps.

Because the corruption is usually detected long after it occurs, the !analyze -v output may not be useful, and may be misleading when it references an actual driver. In many cases where the fault is not reported in the kernel, the driver referenced may change from dump to dump.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa8045cdb740, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80003ebf497, If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800040f30e0
 fffffa8045cdb740 

FAULTING_IP: 
nt!PspReturnQuota+47
fffff800`03ebf497 488b5d00        mov     rbx,qword ptr [rbp]

MM_INTERNAL_CODE:  5

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  audiodg.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8800bc4c8c0 -- (.trap 0xfffff8800bc4c8c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8000406aa00 rbx=0000000000000000 rcx=fffffa8045cdb6c0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003ebf497 rsp=fffff8800bc4ca50 rbp=fffffa8045cdb740
 r8=0000000000000001  r9=0000000000000400 r10=0000000000000001
r11=00000000000000c9 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!PspReturnQuota+0x47:
fffff800`03ebf497 488b5d00        mov     rbx,qword ptr [rbp] ss:0018:fffffa80`45cdb740=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80003f3a801 to fffff80003ebb600

STACK_TEXT:  
fffff880`0bc4c758 fffff800`03f3a801 : 00000000`00000050 fffffa80`45cdb740 00000000`00000000 fffff880`0bc4c8c0 : nt!KeBugCheckEx
fffff880`0bc4c760 fffff800`03eb96ee : 00000000`00000000 fffff8a0`02c62940 00000000`00000000 fffff800`00000011 : nt! ?? ::FNODOBFM::`string'+0x40ecb
fffff880`0bc4c8c0 fffff800`03ebf497 : 00000000`00000000 00000000`00000002 00000000`00000020 01cb3492`c6dd8100 : nt!KiPageFault+0x16e
fffff880`0bc4ca50 fffff800`041b845f : fffff8a0`02c62940 00000000`0000068c fffffa80`45cdb6c0 fffff800`04184203 : nt!PspReturnQuota+0x47
fffff880`0bc4cab0 fffff800`03ec07bc : fffffa80`45cdb6c0 00000000`00000000 00000000`00000000 fffffa80`03668ce0 : nt!ObpFreeObject+0x20f
fffff880`0bc4cb00 fffff800`041a9852 : 00000000`00000000 fffff8a0`02c67b90 fffff8a0`02c67b70 00000000`00000001 : nt!ObfDereferenceObject+0xdc
fffff880`0bc4cb60 fffff800`041bdfd8 : fffff8a0`02c67b70 00000000`00000001 fffffa80`062e8c60 00000000`ffffffff : nt!AlpcpSecurityDestroyProcedure+0x10e
fffff880`0bc4cb90 fffff800`041585cd : fffff8a0`02c67b90 fffffa80`062e8c60 fffffa80`062e8c60 00000000`00000000 : nt!AlpcpDestroyBlob+0x28
fffff880`0bc4cbc0 fffff800`03eba853 : fffffa80`06744b60 fffff880`0bc4cca0 00000000`00000001 fffffa80`062e8c60 : nt!NtAlpcDeleteSecurityContext+0xdd
fffff880`0bc4cc20 00000000`7757052a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00c7e0c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7757052a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!PspReturnQuota+47
fffff800`03ebf497 488b5d00        mov     rbx,qword ptr [rbp]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!PspReturnQuota+47

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b88cfeb

FAILURE_BUCKET_ID:  X64_0x50_nt!PspReturnQuota+47

BUCKET_ID:  X64_0x50_nt!PspReturnQuota+47

Followup: MachineOwner
--------- 
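
The following is an added example, not part of the original post: a small Python script that parses saved !analyze -v text for a 0x50 bugcheck, decodes the arguments, and compares the blamed image across several dumps. The triage labels, the driver names example_a.sys and example_b.sys, and the two constructed dumps are assumptions made for illustration.

```python
import re

# Kernel images listed in the post: where a 0x50 fault is detected, rarely its cause.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrnlpamp.exe"}
ACCESS = {0: "read", 1: "write"}  # Arg2 meanings as printed by !analyze -v above

def parse_analyze(text):
    """Pull the 0x50 arguments and blamed image out of saved '!analyze -v' text."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)}
    def field(name):
        m = re.search(rf"^{name}:\s*(\S+)", text, re.M)
        return m.group(1) if m else None
    return {"address": args.get(1),                      # Arg1: memory referenced
            "access": ACCESS.get(args.get(2), "other"),  # Arg2: read or write
            "fault_ip": args.get(3),                     # Arg3: faulting instruction
            "image": field("IMAGE_NAME"),
            "symbol": field("SYMBOL_NAME")}

def triage(dumps):
    """Classify a set of parsed dumps (the labels are this example's own heuristic)."""
    images = {d["image"].lower() for d in dumps if d["image"]}
    if not images:
        return "unknown: no IMAGE_NAME found"
    drivers = sorted(images - KERNEL_IMAGES)
    if not drivers:
        return "kernel-only: detection site, not cause; enable Driver Verifier"
    if len(drivers) > 1:
        return "inconsistent: blamed driver changes between dumps: " + ", ".join(drivers)
    return "candidate: " + drivers[0] + " (confirm with Driver Verifier)"

# Excerpt of the dump shown in the post.
PAGE_DUMP = """\
Arg1: fffffa8045cdb740, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80003ebf497, If non-zero, the instruction address which referenced the bad memory
SYMBOL_NAME:  nt!PspReturnQuota+47
IMAGE_NAME:  ntkrnlmp.exe
"""
# Constructed dumps with hypothetical driver names (the "changes from dump to dump" case).
CONSTRUCTED = [PAGE_DUMP.replace("ntkrnlmp.exe", n) for n in ("example_a.sys", "example_b.sys")]

if __name__ == "__main__":
    first = parse_analyze(PAGE_DUMP)
    print(hex(first["address"]), first["access"], first["image"])
    print(triage([first]))
    print(triage([first] + [parse_analyze(t) for t in CONSTRUCTED]))
```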
 
See Also,
Enable Driver Verifier to Help Identify Blue Screen Causes
Windows Crash Dump Analysis
Troubleshooting Memory Errors
