Wednesday, 7 August 2013

Debugging Stop 0xBE - !pte

I've found another interesting debugging example, which I would like to explain to anyone who follows and reads this blog. This particular example is a Stop 0xBE - Attempted_To_Write_To_ReadOnly_Memory. The bugcheck is usually caused by device drivers or memory.

The reason for the system crashing is quite obvious, a read-only memory address was referenced with a pointer, and then a write operation was attempted to performed to this address.

I'm assuming you already understand about PTE's and virtual address translation, so I will not explain these terms here.

We can see from the parameters, the virtual address which was attempted to written to and contents of the PTE. I decided to examine the PTE with the !pte extension, please also note this documented in the debugger documentation.

The !pte extension would usually give some status flags for the given address, but since this was a Minidump, then this may not always appear. The most important thing, I noticed from this extension was the message about the virtual address (VA), I'm not sure if this is just because I specified the PTE instead of the virtual address, or the virtual address is invalid. The 1 flag tells the debugger, that this is a PTE and not a virtual address.

Anyhow, non-canonical VA, means that the virtual address is invalid and will result in a crash.

This may be helpful, since the crash resulted in a invalid memory address being referenced, and written to. 

Just to add, from this bugcheck, the problem seemed to be linked to a outdated AMD/ATI graphics card driver from 2010.

No comments:

Post a Comment