Questions about .dmp analysis with bugcheck MEMORY_MANAGEMENT (0x1a), subtype 0x3453


  Recently I have encountered several BSODs, each captured with a full (complete) memory dump.

    Case 1) On PC A (Windows 10 x64) there are 3 dumps, all with bugcheck MEMORY_MANAGEMENT (0x1a), subtype 0x3453.
    Case 2) On PC B (Windows 10 x64) there is 1 dump with the same bugcheck, MEMORY_MANAGEMENT (0x1a), subtype 0x3453.

    1) The 3 call stacks on PC A are very similar. One of them is shown below (the process is being torn down from the thread-exit APC path):
    ffffc582`2bfcd2a8 fffff803`97c8829c : 00000000`0000001a 00000000`00003453 ffff9786`f4334080 00000000`001bb110 : nt!KeBugCheckEx
    ffffc582`2bfcd2b0 fffff803`98000e8f : ffff9786`f4334080 00000000`00000000 00000000`00000000 ffff9786`f4334640 : nt!MiDeleteFinalPageTables+0xfd358
    ffffc582`2bfcd360 fffff803`97b88bcf : ffff9786`f4334080 00000000`00000000 ffff9786`f1ef2040 ffff9786`6e497350 : nt!MmDeleteProcessAddressSpace+0x5f
    ffffc582`2bfcd3b0 fffff803`97f8ec00 : 00000000`00000000 ffff9786`f4334050 00000000`00000000 00000000`00000000 : nt!PspProcessDelete+0x13f
    ffffc582`2bfcd440 fffff803`97b250a6 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff9786`f4334080 : nt!ObpRemoveObjectRoutine+0x80
    ffffc582`2bfcd4a0 fffff803`97f845d9 : 00000000`ffff8006 ffff9786`ef643510 ffff9786`ef643510 ffff9786`f4334050 : nt!ObfDereferenceObjectWithTag+0xc6
    ffffc582`2bfcd4e0 fffff803`980171f5 : 00000000`00e985f6 ffff9786`f29fc980 00000000`00000001 00000000`00000080 : nt!ObCloseHandleTableEntry+0x259
    ffffc582`2bfcd620 fffff803`97fe38d9 : 00000000`00000000 00000000`40010004 ffff9786`f3c45738 ffffffff`ffffff01 : nt!ExSweepHandleTable+0xc5
    ffffc582`2bfcd6d0 fffff803`97f37331 : ffffffff`ffffffff ffff9786`f3c45440 ffffffff`00000000 ffff9786`00000000 : nt!ObKillProcess+0x35
    ffffc582`2bfcd700 fffff803`97f45d8c : ffff9786`f3c45440 ffffa804`a1264990 ffffc582`2bfcd918 00000000`00000000 : nt!PspRundownSingleProcess+0x121
    ffffc582`2bfcd780 fffff803`9802a843 : 00000000`40010004 00000000`00000001 00000000`011b2000 00000000`00000000 : nt!PspExitThread+0x5ac
    ffffc582`2bfcd880 fffff803`97b2a390 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSchedulerApcTerminate+0x33
    ffffc582`2bfcd8c0 fffff803`97c3e170 : 00000000`065fe190 ffffc582`2bfcd950 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x3a0
    ffffc582`2bfcd950 fffff803`97c4a7ea : 00000000`ffffffff 00000000`065fdc40 00000000`ffffffff 00000000`00004148 : nt!KiInitiateUserApc+0x70
    ffffc582`2bfcda90 00007ffd`5f5a96e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9f
    00000000`065fdb68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffd`5f5a96e4
    0: kd> .frame /r 1
    01 ffffc582`2bfcd2b0 fffff803`98000e8f nt!MiDeleteFinalPageTables+0xfd358
    rax=0000000001bb1100 rbx=ffff9786f4334080 rcx=000000000000001a
    rdx=0000000000003453 rsi=0000000000000002 rdi=0000000000000000
    rip=fffff80397c8829c rsp=ffffc5822bfcd2b0 rbp=0000000005313300
    r8=ffff9786f4334080  r9=00000000001bb110 r10=0000000000000100
    r11=ffffc5822bfcd290 r12=ffff9786f3c45440 r13=0000000000000001
    r14=ffff9786f1ef2040 r15=fffffc0000000000
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    fffff803`97c8829c cc              int     3

    The above call stack shows that at the time of the bugcheck every frame is in nt!; no third-party module appears on the stack. Note, however, that subtype 0x3453 is raised when the exited process's page tables are torn down, not at the moment they were corrupted, so the absence of a third-party frame in this stack does not by itself rule out a driver as the cause.

    2) The call stack on PC B is shown below. Here the process is torn down from NtTerminateProcess, and a third-party driver frame (360Hvm64+0x1085e) sits between nt!KiSystemServiceCopyEnd and nt!NtTerminateProcess:
    ffffd70c`0c537268 fffff803`d97fc29c : 00000000`0000001a 00000000`00003453 ffffb287`5516f080 00000000`0000c010 : nt!KeBugCheckEx
    ffffd70c`0c537270 fffff803`d9b74e8f : ffffb287`5516f080 00000000`00000000 00000000`00000000 ffffb287`5516f640 : nt!MiDeleteFinalPageTables+0xfd358
    ffffd70c`0c537320 fffff803`d96fcbcf : ffffb287`5516f080 00000000`00000000 ffffb287`55daf700 ffffb287`6e497350 : nt!MmDeleteProcessAddressSpace+0x5f
    ffffd70c`0c537370 fffff803`d9b02c00 : 00000000`00000000 ffffb287`5516f050 00000000`00000000 00000000`00000000 : nt!PspProcessDelete+0x13f
    ffffd70c`0c537400 fffff803`d96990a6 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffb287`5516f080 : nt!ObpRemoveObjectRoutine+0x80
    ffffd70c`0c537460 fffff803`d9af85d9 : 00000000`ffff8096 ffffb287`4bc9b5c0 ffffb287`4bc9b5c0 ffffb287`5516f050 : nt!ObfDereferenceObjectWithTag+0xc6
    ffffd70c`0c5374a0 fffff803`d9b8b1f5 : 00000000`00c48e8e ffffb287`543ec0c0 00000000`00000001 00000000`00000080 : nt!ObCloseHandleTableEntry+0x259
    ffffd70c`0c5375e0 fffff803`d9b578d9 : 00000000`00000000 00000000`c000004b ffffb287`4d1f3878 ffffffff`ffffff01 : nt!ExSweepHandleTable+0xc5
    ffffd70c`0c537690 fffff803`d9aab331 : ffffffff`ffffffff ffffb287`4d1f3580 ffffffff`00000000 ffffb287`00000000 : nt!ObKillProcess+0x35
    ffffd70c`0c5376c0 fffff803`d9ab9d8c : ffffb287`4d1f3580 ffffd887`bf2db990 ffffd70c`0c537a80 00000000`00000000 : nt!PspRundownSingleProcess+0x121
    ffffd70c`0c537740 fffff803`d9b7ec8b : 00000000`c000004b ffffd70c`0c537a01 00000000`00616000 ffffb287`55daf700 : nt!PspExitThread+0x5ac
    ffffd70c`0c537840 fffff806`4749085e : ffffb287`00001fd0 00000000`00000000 ffffb287`4d1f3580 00000000`702ec480 : nt!NtTerminateProcess+0xeb
    ffffd70c`0c5378b0 fffff803`d97be743 : 00000000`00000000 ffffb287`55daf700 00000000`702ec480 00000000`76e74620 : 360Hvm64+0x1085e
    ffffd70c`0c537a00 00000000`76e71e4c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0058eb58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76e71e4c

    fffff806`4749085e 488bd8          mov     rbx,rax

    3: kd> .frame /r 0c
    0c ffffd70c`0c5378b0 fffff803`d97be743 360Hvm64+0x1085e
    rax=00000000000c0100 rbx=0000000000000000 rcx=000000000000001a
    rdx=0000000000003453 rsi=00000000702ec480 rdi=0000000000000000
    rip=fffff8064749085e rsp=ffffd70c0c5378b0 rbp=ffffd70c0c537a80
     r8=ffffb2875516f080  r9=000000000000c010 r10=0000000000000100
    r11=ffffd70c0c537250 r12=0000000000616000 r13=000000000058fda0
    r14=00000000008ffa4c r15=0000000076e74620
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
    fffff806`4749085e 488bd8          mov     rbx,rax

    3: kd> uf  fffff806`474908a7
    fffff806`474907d8 4c8bdc          mov     r11,rsp
    fffff806`474907db 49895b10        mov     qword ptr [r11+10h],rbx
    fffff806`474907df 49897318        mov     qword ptr [r11+18h],rsi
    fffff806`474907e3 57              push    rdi
    fffff806`474907e4 4881ec40010000  sub     rsp,140h
    fffff806`474907eb 498d4308        lea     rax,[r11+8]
    fffff806`474907ef 48894c2430      mov     qword ptr [rsp+30h],rcx
    fffff806`474907f4 0fb70d0f410600  movzx   ecx,word ptr [360Hvm64+0x7490a (fffff806`474f490a)]
    fffff806`474907fb 4889442428      mov     qword ptr [rsp+28h],rax
    fffff806`47490800 488d442440      lea     rax,[rsp+40h]
    fffff806`47490805 4889542438      mov     qword ptr [rsp+38h],rdx
    fffff806`4749080a 4d8d8b78ffffff  lea     r9,[r11-88h]
    fffff806`47490811 4c8d442430      lea     r8,[rsp+30h]
    fffff806`47490816 ba15000000      mov     edx,15h
    fffff806`4749081b 4889442420      mov     qword ptr [rsp+20h],rax
    fffff806`47490820 e87370ffff      call    360Hvm64+0x7898 (fffff806`47487898)
    fffff806`47490825 8bd8            mov     ebx,eax
    fffff806`47490827 3d030500c0      cmp     eax,0C0000503h
    fffff806`4749082c 7504            jne     360Hvm64+0x10832 (fffff806`47490832)  Branch

    fffff806`4749082e 33db            xor     ebx,ebx
    fffff806`47490830 eb2f            jmp     360Hvm64+0x10861 (fffff806`47490861)  Branch

    fffff806`47490832 85c0            test    eax,eax
    fffff806`47490834 782b            js      360Hvm64+0x10861 (fffff806`47490861)  Branch

    fffff806`47490836 488b15b3410600  mov     rdx,qword ptr [360Hvm64+0x749f0 (fffff806`474f49f0)]
    fffff806`4749083d 0fb70dc6400600  movzx   ecx,word ptr [360Hvm64+0x7490a (fffff806`474f490a)]
    fffff806`47490844 488b02          mov     rax,qword ptr [rdx]
    fffff806`47490847 8b0488          mov     eax,dword ptr [rax+rcx*4]
    fffff806`4749084a 488b4c2430      mov     rcx,qword ptr [rsp+30h]
    fffff806`4749084f c1f804          sar     eax,4
    fffff806`47490852 4898            cdqe
    fffff806`47490854 480302          add     rax,qword ptr [rdx]
    fffff806`47490857 488b542438      mov     rdx,qword ptr [rsp+38h]
    fffff806`4749085c ffd0            call    rax
    fffff806`4749085e 488bd8          mov     rbx,rax

    I read through the whole disassembly above but have no idea what is wrong. In these instructions I do not see any obviously illegal memory access, such as a bad register-indirect dereference.

    I cannot understand why it "failed" at "mov rbx, rax". (Looking again at the listing, fffff806`4749085e is not where a fault happened: it is the return address of the `call rax` at fffff806`4749085c, and frame 0b shows nt!NtTerminateProcess returning to exactly that address. So the driver frame is the caller of nt!NtTerminateProcess, and the bugcheck is raised deeper inside nt! during process teardown.)

    The only suggestion I have so far is to ask the customer to uninstall the third-party driver 360Hvm64.sys. But that is not persuasive if the only evidence is FOLLOWUP_IP pointing at 360Hvm64 because it is the first non-Microsoft module on the stack. One additional observation: the code at fffff806`47490836–fffff806`4749085c loads a table pointer, indexes it with a word-sized constant, shifts the entry right by 4, adds the table base and then `call rax` into what turns out to be nt!NtTerminateProcess. That decoding pattern is consistent with the driver resolving and invoking a system-service-table entry, i.e. intercepting the NtTerminateProcess system call rather than merely appearing on the stack by coincidence — a kernel-mode hooking/hypervisor component that sits in the process-termination path is a plausible suspect for page-table corruption, although the stack alone does not prove it.

    Below is the description of subtype 0x3453 from Microsoft's bugcheck 0x1A documentation:
    0x3453 All the page table pages of an exited process could not be deleted due to outstanding references. This typically indicates corruption in the process' page table structures.

    But I have no idea where to find the process's page table structures. I know there is a command !pte <address>, but I do not know which <address> to give. (The third bugcheck argument — ffff9786`f4334080 on PC A and ffffb287`5516f080 on PC B — is the same pointer that is passed on to nt!MmDeleteProcessAddressSpace and sits in rbx/r8 in the saved frames, so it appears to identify the exiting process object; that seems the natural starting point, though I have not confirmed its type.)

    Do you have any suggestions about MEMORY_MANAGEMENT (0x1a), subtype 0x3453, and any WinDbg commands you would recommend for narrowing down which component corrupted the page tables?
    Monday, April 22, 2019 2:12 AM
