xbootmgr triggers BSOD on reboot

kernelist · 17 Feb 2010

Hi,

Just got a BSOD "PAGE_FAULT_IN_NONPAGED_AREA" while rebooting automatically after I launched an xbootmgr -trace boot command.
The exact command used was:
xbootmgr -trace boot -traceflags Base+CSWITCH+DRIVERS+POWER -postbootdelay 60

A few seconds into the reboot, after the animated sequence appeared, the BSOD occurred.
This happened while using an HP Touchsmart 300 box running Win 7 x64 Home premium edition.
Here are the details from the minidump analysis:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffa80164f7020, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80002987e1e, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------
Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002abd0e0
fffffa80164f7020

FAULTING_IP:
nt!IopPerfCompleteRequest+3e
fffff800`02987e1e 488b4328 mov rax,qword ptr [rbx+28h]

MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
CURRENT_IRQL: 0
TRAP_FRAME: fffff88003177030 -- (.trap 0xfffff88003177030)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000000c rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002987e1e rsp=fffff880031771c0 rbp=fffffa80164f44b0
r8=0000000000000000 r9=fffff88006d921a0 r10=0000000000000020
r11=fffffa80164d3fa4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!IopPerfCompleteRequest+0x3e:
fffff800`02987e1e 488b4328 mov rax,qword ptr [rbx+28h] ds:0123:00000000`00000028=????????????????
Resetting default scope
LOCK_ADDRESS: fffff80002a89400 -- (!locks fffff80002a89400)
Resource @ nt!PiEngineLock (0xfffff80002a89400) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

1 total locks

PNP_TRIAGE:
Lock address : 0xfffff80002a89400
Thread Count : 0
Thread address: 0x0000000000000000
Thread wait : 0x0

LAST_CONTROL_TRANSFER: from fffff800029061e4 to fffff80002886f00

STACK_TEXT:
fffff880`03176ec8 fffff800`029061e4 : 00000000`00000050 fffffa80`164f7020 00000000`00000000 fffff880`03177030 : nt!KeBugCheckEx
fffff880`03176ed0 fffff800`02884fee : 00000000`00000000 fffffa80`164f6ff8 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x42907
fffff880`03177030 fffff800`02987e1e : 00000000`0d224f29 fffff800`028901af fffffa80`16109c00 00000000`00000103 : nt!KiPageFault+0x16e
fffff880`031771c0 fffff880`06d903ed : 00000000`00000103 fffffa80`164f44b0 00000000`00000103 fffffa80`164f6c00 : nt!IopPerfCompleteRequest+0x3e
fffff880`03177270 fffff880`06d90037 : 00000000`0000005b fffff880`031773f0 fffff880`031773f8 00000000`000007ff : hidusb!HumCallUSB+0x2b9
fffff880`03177310 fffff880`06d95972 : fffffa80`1642cf00 00000000`00000000 fffffa80`164f5010 fffffa80`1642cf00 : hidusb!HumGetDescriptorRequest+0x143
fffff880`03177380 fffff880`06d8df70 : fffffa80`0000005b fffffa80`164f4440 fffffa80`164f5440 00000000`00000001 : hidusb!HumGetReportDescriptor+0xa2
fffff880`031773f0 fffff880`06d83517 : 00000000`00000001 fffffa80`1642cb40 fffffa80`1642cb40 fffffa80`1642cb40 : hidusb!HumInternalIoctl+0x14c
fffff880`03177460 fffff880`06d79002 : 00000000`00000003 fffffa80`1642ccc0 fffff880`00000001 00000000`000007ff : HIDCLASS!HidpCallDriverSynchronous+0x4b
fffff880`031774c0 fffff880`06d85cd2 : fffffa80`1642ccc0 00000000`00000001 fffffa80`164f5010 fffffa80`1642ccb0 : HIDCLASS!GetHIDRawReportDescriptor+0x7e
fffff880`03177530 fffff880`06d865b0 : 00000000`00000000 fffffa80`1641f010 fffffa80`1641f010 fffffa80`1642ccb0 : HIDCLASS!AllocDeviceResources+0xaa
fffff880`03177560 fffff880`06d83ccd : 00000000`00000008 fffff880`06d80300 fffff880`06d86c10 fffffa80`164dfa60 : HIDCLASS!HidpStartDevice+0x160
fffff880`031775e0 fffff880`06d8364a : fffff880`06d80300 fffffa80`1642cc90 fffffa80`1642cc90 fffff880`031776a8 : HIDCLASS!HidpFdoPnp+0x20d
fffff880`03177610 fffff880`06d7590d : fffff880`06d803a8 fffff880`06d7f3c0 fffffa80`1642cc90 fffff800`02977d41 : HIDCLASS!HidpIrpMajorPnp+0x8a
fffff880`03177680 fffff800`029a4f6a : fffffa80`1642c540 fffffa80`1642c540 fffffa80`1642cb40 00000000`00000400 : HIDCLASS!HidpMajorHandler+0xf5
fffff880`031776f0 fffff800`02c44bde : fffffa80`164dfa60 fffffa80`164f09a0 fffffa80`1642cb40 fffffa80`160ffa00 : nt!IopPerfCallDriver+0x14a
fffff880`03177790 fffff800`0297f0ed : fffffa80`160ffa00 fffffa80`164f09a0 fffff800`02984cd0 00000000`00000000 : nt!PnpAsynchronousCall+0xce
fffff880`031777d0 fffff800`02c4f926 : fffff800`02a891c0 fffffa80`160ff730 fffffa80`164f09a0 fffffa80`160ff8d8 : nt!PnpStartDevice+0x11d
fffff880`03177890 fffff800`02c4fbc4 : fffffa80`160ff730 fffffa80`16b9002d fffffa80`16b92d90 00000000`00000001 : nt!PnpStartDeviceNode+0x156
fffff880`03177920 fffff800`02c72ea6 : fffffa80`160ff730 fffffa80`16b92d90 00000000`00000001 00000000`00000000 : nt!PipProcessStartPhase1+0x74
fffff880`03177950 fffff800`02c73438 : fffff800`02a86d80 00000000`00000000 00000000`00000001 fffff800`02af371c : nt!PipProcessDevNodeTree+0x296
fffff880`03177bc0 fffff800`02987347 : 00000001`00000003 00000000`00000000 00000000`00000001 00000000`00000000 : nt!PiProcessReenumeration+0x98
fffff880`03177c10 fffff800`02894161 : fffff800`02987020 fffff800`02b80501 fffffa80`036db000 00000000`00000000 : nt!PnpDeviceActionWorker+0x327
fffff880`03177cb0 fffff800`02b2a166 : 00000000`00000000 fffffa80`036db040 00000000`00000080 fffffa80`03669b30 : nt!ExpWorkerThread+0x111
fffff880`03177d40 fffff800`02865486 : fffff880`02f63180 fffffa80`036db040 fffff880`02f6df80 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03177d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND: kb
FOLLOWUP_IP:
hidusb!HumCallUSB+2b9
fffff880`06d903ed 3bde cmp ebx,esi
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: hidusb!HumCallUSB+2b9
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hidusb
IMAGE_NAME: hidusb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bcbfe
FAILURE_BUCKET_ID: X64_0x50_hidusb!HumCallUSB+2b9
BUCKET_ID: X64_0x50_hidusb!HumCallUSB+2b9
Followup: MachineOwner

Not sure about the cause, if hidusb.sys (USB Miniport Driver for Input Devices
) is involved could this be linked to the touch screen which is a USB device (as are mouse and keyboard)? Any help appreciated!

(FYI: I uploaded the same post on the MSDN Windows Performance ToolKit forum)

kernelist · 18 Feb 2010

Some additional information:

Apparently it's the "DRIVERS" traceflag which triggers the BSOD.
The following commands work without problems:
>xbootmgr -trace boot -traceflags Base+CSWITCH
or
>xbootmgr -trace boot -traceflags Base+CSWITCH+POWER

(Note that the xperf command works OK with the DRIVERS kernel flag)

kernelist · 19 Feb 2010

A new minidump analysis from a new BSOD from the same command (xbootmgr -trace boot -traceflags Base+CSWITCH+DRIVERS+POWER -postbootdelay 60) with a cleaner call stack; the bugcheck is now 0x7e. hidusb is again identified.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002983e38, The address that the exception occurred at
Arg3: fffff88003185018, Exception Record Address
Arg4: fffff88003184870, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - L
FAULTING_IP:
nt!IopPerfCompleteRequest+58
fffff800`02983e38 488b4cc270 mov rcx,qword ptr [rdx+rax*8+70h]

EXCEPTION_RECORD: fffff88003185018 -- (.exr 0xfffff88003185018)
ExceptionAddress: fffff80002983e38 (nt!IopPerfCompleteRequest+0x0000000000000058)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff88003184870 -- (.cxr 0xfffff88003184870)
rax=0000000000000000 rbx=fffffa80164d13f8 rcx=0000000000000000
rdx=001a001900180017 rsi=0000000000000100 rdi=fffffa80164d1010
rip=fffff80002983e38 rsp=fffff88003185250 rbp=fffffa80036ef510
r8=0000000000000000 r9=fffff880015f31a0 r10=0000000000000020
r11=fffffa80164f72c0 r12=0000000000000005 r13=fffff880015f31a0
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
cs=0010 ss=0000 ds=002b es=002b fs=0053 gs=002b efl=00210293
nt!IopPerfCompleteRequest+0x58:
fffff800`02983e38 488b4cc270 mov rcx,qword ptr [rdx+rax*8+70h] ds:002b:001a0019`00180087=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - L
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ab90e0
ffffffffffffffff
FOLLOWUP_IP:
hidusb!HumCallUSB+2b9
fffff880`015f13ed 3bde cmp ebx,esi
BUGCHECK_STR: 0x7E
LOCK_ADDRESS: fffff80002a85400 -- (!locks fffff80002a85400)
Resource @ nt!PiEngineLock (0xfffff80002a85400) Available
WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

1 total locks

PNP_TRIAGE:
Lock address : 0xfffff80002a85400
Thread Count : 0
Thread address: 0x0000000000000000
Thread wait : 0x0

LAST_CONTROL_TRANSFER: from fffff880015f13ed to fffff80002983e38

STACK_TEXT:
fffff880`03185250 fffff880`015f13ed : 00000000`00000000 fffffa80`036ef510 00000000`00000103 fffffa80`164d1010 : nt!IopPerfCompleteRequest+0x58
fffff880`03185300 fffff880`015f1037 : 00000000`00000012 fffff880`03185468 fffffa80`16583f08 00000000`000007ff : hidusb!HumCallUSB+0x2b9
fffff880`031853a0 fffff880`015f0365 : 00000000`00000000 fffff880`015f31a0 fffffa80`16583f00 fffffa80`000253a2 : hidusb!HumGetDescriptorRequest+0x143
fffff880`03185410 fffff880`015eebf8 : 00000000`00000000 fffffa80`00000012 fffffa80`16583b40 fffffa80`16583f00 : hidusb!HumGetDeviceDescriptor+0x79
fffff880`03185460 fffff880`015f6565 : fffffa80`036fda90 00000000`00000000 00000000`00000000 fffffa80`036fd6f0 : hidusb!HumInitDevice+0x20
fffff880`03185490 fffff880`00ff5517 : fffffa80`16583b40 00000000`00000001 fffffa80`1640a880 fffffa80`036fd6f0 : hidusb!HumPnP+0x229
fffff880`03185500 fffff880`00ff858f : fffffa80`036fdad8 00000000`00000001 fffffa80`1640a880 fffffa80`16583cb0 : HIDCLASS!HidpCallDriverSynchronous+0x4b
fffff880`03185560 fffff880`00ff5ccd : 00000000`00000008 fffff880`00ff2300 fffff880`00ff8c10 fffffa80`036fd6f0 : HIDCLASS!HidpStartDevice+0x13f
fffff880`031855e0 fffff880`00ff564a : fffff880`00ff2300 fffffa80`16583c90 fffffa80`16583c90 fffff880`031856a8 : HIDCLASS!HidpFdoPnp+0x20d
fffff880`03185610 fffff880`00fe790d : fffff880`00ff23a8 fffff880`00ff13c0 fffffa80`16583c90 fffff800`02973d41 : HIDCLASS!HidpIrpMajorPnp+0x8a
fffff880`03185680 fffff800`029a0f6a : fffffa80`164f9680 fffffa80`164f9680 fffffa80`16583b40 00000000`00000400 : HIDCLASS!HidpMajorHandler+0xf5
fffff880`031856f0 fffff800`02c40bde : fffffa80`036fd6f0 fffffa80`036ef110 fffffa80`16583b40 fffffa80`1610aa00 : nt!IopPerfCallDriver+0x14a
fffff880`03185790 fffff800`0297b0ed : fffffa80`1610aa00 fffffa80`036ef110 fffff800`02980cd0 00000000`00000000 : nt!PnpAsynchronousCall+0xce
fffff880`031857d0 fffff800`02c4b926 : fffff800`02a851c0 fffffa80`164e5aa0 fffffa80`036ef110 fffffa80`164e5c48 : nt!PnpStartDevice+0x11d
fffff880`03185890 fffff800`02c4bbc4 : fffffa80`164e5aa0 fffffa80`16ba002d fffffa80`16ba58a0 00000000`00000001 : nt!PnpStartDeviceNode+0x156
fffff880`03185920 fffff800`02c6eea6 : fffffa80`164e5aa0 fffffa80`16ba58a0 00000000`00000002 00000000`00000000 : nt!PipProcessStartPhase1+0x74
fffff880`03185950 fffff800`02c6f438 : fffffa80`164c74f0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PipProcessDevNodeTree+0x296
fffff880`03185bc0 fffff800`02983347 : 00000001`00000003 00000000`00000000 00000000`00000001 00000000`00000084 : nt!PiProcessReenumeration+0x98
fffff880`03185c10 fffff800`02890161 : fffff800`02983020 fffff800`02983001 fffffa80`036db600 00000000`00000000 : nt!PnpDeviceActionWorker+0x327
fffff880`03185cb0 fffff800`02b26166 : 0001b1d8`0004cf79 fffffa80`036db680 00000000`00000080 fffffa80`03669b30 : nt!ExpWorkerThread+0x111
fffff880`03185d40 fffff800`02861486 : fffff880`02f63180 fffffa80`036db680 fffff880`02f6df80 0004d8f0`00016fc0 : nt!PspSystemThreadStartup+0x5a
fffff880`03185d80 00000000`00000000 : fffff880`03186000 fffff880`03180000 fffff880`03184da0 00000000`00000000 : nt!KxStartSystemThread+0x16

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: hidusb!HumCallUSB+2b9
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hidusb
IMAGE_NAME: hidusb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bcbfe
STACK_COMMAND: .cxr 0xfffff88003184870 ; kb
FAILURE_BUCKET_ID: X64_0x7E_hidusb!HumCallUSB+2b9
BUCKET_ID: X64_0x7E_hidusb!HumCallUSB+2b9
Followup: MachineOwner