Server 2008 R2 BSOD root cause analysis request (PAGE_FAULT_IN_NONPAGED_AREA (50))

  • Question

  • Hello,

    I am asking because a BSOD occurs from time to time.

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: d0cc5048, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: e19962dc, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    System information

    Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x86 compatible
    Product: Server, suite: Enterprise TerminalServer SingleUserTS
    Built by: 6002.19764.x86fre.vistasp2_gdr.170406-0600
    Machine Name:
    Kernel base = 0xe1819000 PsLoadedModuleList = 0xe1931c70
    Debug session time: Wed Jun  7 15:15:34.879 2017 (UTC + 9:00)
    System Uptime: 0 days 12:21:14.093

    Call stack information

    0: kd> kvL
    ChildEBP RetAddr  Args to Child              
    ce44c9cc e1866dc4 00000000 f7785048 00000000 nt!MmAccessFault+0x10b
    ce44c9cc e19962dc 00000000 f7785048 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ ce44c9e4)
    ce44ca8c e199c844 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x630
    ce44cabc e199ce72 f4a17a20 01000001 00000006 nt!CmpCheckRegistry2+0x8c
    ce44cb04 e1997898 01000001 ce44cc60 80000ad4 nt!CmCheckRegistry+0xf5
    ce44cb60 e199a007 ce44cbb4 00000005 00000000 nt!CmpInitializeHive+0x4c1
    ce44cbd8 e199c2a7 ce44cc60 00000000 ce44cc4c nt!CmpInitHiveFromFile+0x19e
    ce44cc18 e19924cd ce44cc60 00000000 ce44cc7b nt!CmpCmdHiveOpen+0x36
    ce44cd14 e1992702 00000002 e19125a0 00000002 nt!CmpFlushBackupHive+0x2fd
    ce44cd38 e1a72693 e191c13c c4e0ead0 e18bedf2 nt!CmpSyncBackupHives+0x90
    ce44cd44 e18bedf2 00000000 00000000 c4e0ead0 nt!CmpPeriodicBackupFlushWorker+0x32 (FPO: [1,0,2])
    ce44cd7c e19f025e 00000000 501f3078 00000000 nt!ExpWorkerThread+0xfd
    ce44cdc0 e1857f1e e18becf5 00000001 00000000 nt!PspSystemThreadStartup+0x9d
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

    0: kd> .trap 0xffffffffce44c9e4
    ErrCode = 00000000
    eax=00000000 ebx=f7184024 ecx=9e5bfdb8 edx=00000035 esi=f4a17a20 edi=f7785024
    eip=e19962dc esp=ce44ca58 ebp=ce44ca8c iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    nt!CmpCheckKey+0x630:
    e19962dc 394724          cmp     dword ptr [edi+24h],eax ds:0023:f7785048=????????
    0: kd> kvL
      *** Stack trace for last set context - .thread/.cxr resets it
    ChildEBP RetAddr  Args to Child              
    ce44ca8c e199c844 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x630
    ce44cabc e199ce72 f4a17a20 01000001 00000006 nt!CmpCheckRegistry2+0x8c
    ce44cb04 e1997898 01000001 ce44cc60 80000ad4 nt!CmCheckRegistry+0xf5
    ce44cb60 e199a007 ce44cbb4 00000005 00000000 nt!CmpInitializeHive+0x4c1
    ce44cbd8 e199c2a7 ce44cc60 00000000 ce44cc4c nt!CmpInitHiveFromFile+0x19e
    ce44cc18 e19924cd ce44cc60 00000000 ce44cc7b nt!CmpCmdHiveOpen+0x36
    ce44cd14 e1992702 00000002 e19125a0 00000002 nt!CmpFlushBackupHive+0x2fd
    ce44cd38 e1a72693 e191c13c c4e0ead0 e18bedf2 nt!CmpSyncBackupHives+0x90
    ce44cd44 e18bedf2 00000000 00000000 c4e0ead0 nt!CmpPeriodicBackupFlushWorker+0x32 (FPO: [1,0,2])
    ce44cd7c e19f025e 00000000 501f3078 00000000 nt!ExpWorkerThread+0xfd
    ce44cdc0 e1857f1e e18becf5 00000001 00000000 nt!PspSystemThreadStartup+0x9d
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

    db f7785048
    f7785048  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f7785058  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f7785068  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f7785078  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f7785088  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f7785098  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f77850a8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    f77850b8  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

    0: kd> !address f7785048
    Usage:                  
    Base Address:           f7400000
    End Address:            f7e00000
    Region Size:            00a00000
    VA Type:                SystemCache

    The memory region that triggered the BSOD is judged to be in the SystemCache region.

    81785258 0fb64702        movzx   eax,byte ptr [edi+2]
    8178525c ff750c          push    dword ptr [ebp+0Ch]
    8178525f c0e804          shr     al,4
    81785262 ff75ec          push    dword ptr [ebp-14h]
    81785265 8d55f4          lea     edx,[ebp-0Ch]
    81785268 53              push    ebx
    81785269 2501ffffff      and     eax,0FFFFFF01h
    8178526e 50              push    eax
    8178526f 56              push    esi
    81785270 e8a7040000      call    nt!CmpCheckValueList (8178571c)
    81785275 85c0            test    eax,eax
    81785277 7461            je      nt!CmpCheckKey+0x62e (817852da)
    81785279 891d141d9281    mov     dword ptr [nt!CmpCheckKeyDebug+0xc (81921d14)],ebx
    8178527f eb12            jmp     nt!CmpCheckKey+0x5e7 (81785293)
    81785281 b8ff0f0000      mov     eax,0FFFh
    81785286 eb0b            jmp     nt!CmpCheckKey+0x5e7 (81785293)
    81785288 837de8ff        cmp     dword ptr [ebp-18h],0FFFFFFFFh
    8178528c 744c            je      nt!CmpCheckKey+0x62e (817852da)

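    The code above is where edi is referenced earlier in the function.

    edi is already referenced several times before execution reaches nt!CmpCheckKey+0x630.

    I judge that the cache memory was suddenly cleared.

    edi is the return value of the nt!HvpGetCellMapped function.

    The first argument of the function is f4a17a20, of type _CMHIVE, and its memory contents are as follows: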

    0: kd> dt _CMHIVE f4a17a20

    nt!_CMHIVE
       +0x000 Hive             : _HHIVE
       +0x2e8 FileHandles      : [6] 0x80000a28 Void
       +0x300 NotifyList       : _LIST_ENTRY [ 0x0 - 0x0 ]
       +0x308 HiveList         : _LIST_ENTRY [ 0x0 - 0x0 ]
       +0x310 HiveLock         : 0xc7cd6468 _FAST_MUTEX
       +0x314 ViewLock         : _EX_PUSH_LOCK
       +0x318 ViewLockOwner    : (null) 
       +0x31c ViewLockLast     : 0xc
       +0x320 ViewUnLockLast   : 0x18
       +0x324 WriterLock       : 0xc99b5008 _FAST_MUTEX
       +0x328 FlusherLock      : _EX_PUSH_LOCK
       +0x32c SecurityLock     : _EX_PUSH_LOCK
       +0x330 MappedViewList   : _LIST_ENTRY [ 0xdbe81008 - 0xf23bd5f0 ]
       +0x338 PinnedViewList   : _LIST_ENTRY [ 0xd94b2180 - 0xdc83dc60 ]
       +0x340 FlushedViewList  : _LIST_ENTRY [ 0xf4a17d60 - 0xf4a17d60 ]
       +0x348 MappedViewCount  : 0x100
       +0x34a PinnedViewCount  : 2
       +0x34c UseCount         : 0
       +0x350 ViewsPerHive     : 0x100
       +0x354 FileObject       : 0xd5467998 _FILE_OBJECT
       +0x358 LastShrinkHiveSize : 0
       +0x360 ActualFileSize   : _LARGE_INTEGER 0x1dec000
       +0x368 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolume1\Windows\System32\config\RegBack\SOFTWARE"
       +0x370 FileUserName     : _UNICODE_STRING ""
       +0x378 HiveRootPath     : _UNICODE_STRING ""
       +0x380 SecurityCount    : 0x9a
       +0x384 SecurityCacheSize : 0x9a
       +0x388 SecurityHitHint  : 0n24
       +0x38c SecurityCache    : 0xe954d008 _CM_KEY_SECURITY_CACHE_ENTRY
       +0x390 SecurityHash     : [64] _LIST_ENTRY [ 0xe6a41ed0 - 0xe6a41ed0 ]
       +0x590 UnloadEventCount : 0
       +0x594 UnloadEventArray : (null) 
       +0x598 RootKcb          : (null) 
       +0x59c Frozen           : 0 ''
       +0x5a0 UnloadWorkItem   : (null) 
       +0x5a4 GrowOnlyMode     : 0 ''
       +0x5a8 GrowOffset       : 0
       +0x5ac KcbConvertListHead : _LIST_ENTRY [ 0xf4a17fcc - 0xf4a17fcc ]
       +0x5b4 KnodeConvertListHead : _LIST_ENTRY [ 0xf4a17fd4 - 0xf4a17fd4 ]
       +0x5bc CellRemapArray   : (null) 
       +0x5c0 Flags            : 0x400
       +0x5c4 TrustClassEntry  : _LIST_ENTRY [ 0xf4a17fe4 - 0xf4a17fe4 ]
       +0x5cc FlushCount       : 0
       +0x5d0 CmRm             : (null) 
       +0x5d4 CmRmInitFailPoint : 0
       +0x5d8 CmRmInitFailStatus : 0n0
       +0x5dc CreatorOwner     : (null) 
    0: kd> !fileobj 0xd5467998 

    \Windows\System32\config\RegBack\SOFTWARE

    Device Object: 0xc591d4c8   \Driver\volmgr
    Vpb: 0xc5815ab0
    Access: Read Write 

    Flags:  0x1c0040
    Cache Supported
    Handle Created
    Fast IO Read
    Random Access

    FsContext: 0xd4b9e0f8 FsContext2: 0xc968c200
    Private Cache Map: 0xcacc27d8
    CurrentByteOffset: 0
    Cache Data:
      Section Object Pointers: d2564734
      Shared Cache Map: cacc2700         File Offset: 0 in VACB number 0
      Vacb: c4dda410

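    The first-argument data of the HvpGetCellMapped function is judged to be normal, as shown above.

    I would like to know why the cache memory allocated through HvpGetCellMapped is suddenly cleared.

    If you need the dump, please leave a comment and I will send it to you.

    Thank you.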



    Wednesday, June 14, 2017 1:06 AM

Answer

  • Hello,

    1. Based on the system information, this system appears to be 32-bit Windows 2008 with Service Pack 2 applied.

        Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x86 compatible

    2. Judging from Bugcheck 50 plus the shape of the call stack, it is highly likely to be related to KB2709236. Please refer to that article and try applying the hotfix.

    0x00000050 Stop error when Windows tries to back up registry hives on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2
    https://support.microsoft.com/ko-kr/help/2709236/0x00000050-stop-error-when-windows-tries-to-back-up-registry-hives-on-a-computer-that-is-running-windows-vista-sp2-or-windows-server-2008-sp2

    [Dump]

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: d0cc5048, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: e19962dc, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    0: kd> kvL
    ChildEBP RetAddr  Args to Child              
    ce44c9cc e1866dc4 00000000 f7785048 00000000 nt!MmAccessFault+0x10b
    ce44c9cc e19962dc 00000000 f7785048 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ ce44c9e4)
    ce44ca8c e199c844 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x630
    ce44cabc e199ce72 f4a17a20 01000001 00000006 nt!CmpCheckRegistry2+0x8c
    ce44cb04 e1997898 01000001 ce44cc60 80000ad4 nt!CmCheckRegistry+0xf5
    ce44cb60 e199a007 ce44cbb4 00000005 00000000 nt!CmpInitializeHive+0x4c1
    ce44cbd8 e199c2a7 ce44cc60 00000000 ce44cc4c nt!CmpInitHiveFromFile+0x19e
    ce44cc18 e19924cd ce44cc60 00000000 ce44cc7b nt!CmpCmdHiveOpen+0x36
    ce44cd14 e1992702 00000002 e19125a0 00000002 nt!CmpFlushBackupHive+0x2fd
    ce44cd38 e1a72693 e191c13c c4e0ead0 e18bedf2 nt!CmpSyncBackupHives+0x90
    ce44cd44 e18bedf2 00000000 00000000 c4e0ead0 nt!CmpPeriodicBackupFlushWorker+0x32 (FPO: [1,0,2])
    ce44cd7c e19f025e 00000000 501f3078 00000000 nt!ExpWorkerThread+0xfd
    ce44cdc0 e1857f1e e18becf5 00000001 00000000 nt!PspSystemThreadStartup+0x9d
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

    Thank you.

    Thursday, June 15, 2017 4:45 AM
    Moderator
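
The triage used in the answer (Bugcheck 50 plus the shape of the call stack) can be applied mechanically when many dumps have to be sorted. The following is an added example, not code from this thread or from Microsoft; the function names and the frame-order signature are assumptions derived only from the stack quoted above, not the KB article's official matching criteria.

```python
import re

# Excerpt of the debugger output quoted in this thread (frames abbreviated).
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
ce44c9cc e1866dc4 00000000 f7785048 00000000 nt!MmAccessFault+0x10b
ce44c9cc e19962dc 00000000 f7785048 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ ce44c9e4)
ce44ca8c e199c844 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x630
ce44cabc e199ce72 f4a17a20 01000001 00000006 nt!CmpCheckRegistry2+0x8c
ce44cb04 e1997898 01000001 ce44cc60 80000ad4 nt!CmCheckRegistry+0xf5
ce44cd14 e1992702 00000002 e19125a0 00000002 nt!CmpFlushBackupHive+0x2fd
ce44cd44 e18bedf2 00000000 00000000 c4e0ead0 nt!CmpPeriodicBackupFlushWorker+0x32 (FPO: [1,0,2])
"""

BUGCHECK_RE = re.compile(r"^\s*([A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
FRAME_RE = re.compile(
    r"^\s*[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\w+)!(\w+)\+0x([0-9a-f]+)", re.M)
TRAP_HANDLERS = {"MmAccessFault", "KiTrap0E"}  # fault-handling frames, not the cause

def parse_dump(text):
    """Return (bugcheck code or None, [(module, function, offset), ...]), innermost first."""
    m = BUGCHECK_RE.search(text)
    code = int(m.group(2), 16) if m else None
    frames = [(mod, fn, int(off, 16)) for mod, fn, off in FRAME_RE.findall(text)]
    return code, frames

def faulting_frame(frames):
    """First frame after the page-fault handler frames: the code that touched the bad address."""
    return next((f for f in frames if f[1] not in TRAP_HANDLERS), None)

def looks_like_hive_backup_fault(text):
    """Assumed signature: bugcheck 0x50, fault in a Cmp* routine called under
    CmCheckRegistry, which in turn was reached from CmpFlushBackupHive."""
    code, frames = parse_dump(text)
    fault = faulting_frame(frames)
    if code != 0x50 or fault is None or not fault[1].startswith("Cmp"):
        return False
    names = [fn for _, fn, _ in frames]
    if "CmCheckRegistry" not in names or "CmpFlushBackupHive" not in names:
        return False
    return names.index(fault[1]) < names.index("CmCheckRegistry") < names.index("CmpFlushBackupHive")

if __name__ == "__main__":
    print(faulting_frame(parse_dump(SAMPLE)[1]), looks_like_hive_backup_fault(SAMPLE))
```

A match only says the dump has the same shape as the one in this thread; whether the hotfix applies still has to be confirmed against the OS build and the KB article.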