"The Boolean of Death" (buffer overrun in file system drivers triggered via user application ?)


Skybuck Flying


My DreamPC just had a "Blue screen of Death !".

It happened as I was debugging the Battlefield Executor... v0.03...

I was just about to breakoff the debugging... when I stepped over the
PSpaceEnabled boolean... and WHAM !

Blue Screen of Death ?!?! This is the second time that this motherfucking
boolean has cost me trouble ?! WOW.

This warrants some more attention/investigation !

I will cross post this to some other microsoft related newsgroups... I will
just use this posting for it... with a new subject line, it will have the
funny name of:

"The Boolean of Death !" =D LOL.

With full minidump log yeah ! ;)

I have two explanations of what could have triggered this:

Explanation 1:

Because of bugs in a free basic program... free basic read more bytes than
there was buffer space...

It was trying to read 8 bytes, however the amount was set to SizeOf(int64),
this was incorrect... the amount needed to be just 1 because free basic
already multiplies it with 8...

So instead of reading just 8 bytes... it actually read 64 bytes !

This must have triggered some kind of buffer overrun.... maybe in free basic
itself... or maybe in some file system or disk driver ?!?

This could be a serious issue ?!

Fortunately... it was just a read... what if it would have been a write ?!?
Maybe my file system could have been affected... therefore this could be a
serious thing...

Maybe somehow free basic managed to corrupt the windows kernel... kinda

to reproduce this issue try something like:

dim vByte as byte

get #FileStream, ,vByte, 100000

I sure as hell not gonna try it on my system !

Also the bug didn't happen immediately... it took a while. (If this is what
caused it)

Explanation 2:

Maybe Delphi IDE was somehow corrupted... by free basic...

Or Delphi IDE has a GUI/Debugger bug that somehow crashes the system...

This is also a highly plausible possibility... it wouldn't be the first time
that I see Delphi crashing the system...

Delphi's debugger probably does lots of low level
interfacing/manipulations... so that makes it plausible.

What the truth is remains to be seen/investigated...

For now I am going to post it again before it happens again... it's a bit
scary and I don't wanna re-type this lol.

The minidump log/output will follow in a next posting for you guys to
examine !

And I will post it on my skydrive as well !

I have lots of space there ! ;)

(No zipping required probably... it will just be one file...)

It's been a while since my computer had a blue screen of death...

(Windows XP x64 Professional Edition !)

Ok now I go fire up windbg to analyze the dump etc...

(Little bit) Later !
Skybuck =D

Skybuck Flying

Ok, here is the minidump analyze -v output:

(Seems to be a driver fault !)
(I was also trying to investigate a range check error in Delphi... that
probably threw up some exception or so... and somehow it wasn't handled ?!?
Or maybe I pressed control-F2 (reset debugger) right in the middle of trying
to handle the exception or trying to inspect a value ? Or a HINT message
popped up and I tried to click it away or reset... something like that triggered
it probably... or it could just be a bug in a driver somewhere !?!)

Date of Blue Screen of Death is today: 6 september 2009 (month 9)

(I also have a blue screen of death minidump from january... gonna
investigate that too and put it up on a website just like this one... though
the one from january is probably not so interesting... however this one is
interesting... (Delphi) IDE's crashing and taking down the operating system
is NASTY ! I could have lost some great code or algorithm... fortunately
that was not the case ! Pfew hihihehe ;) :) But it could have been so it should
be investigated ! (immediately LOL) might be something rare but still ! ;))
(I will not post the log of the one from january to prevent confusion... so
just this one from today... ;))

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini090609-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090319-1204
Machine Name:
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140
Debug session time: Sun Sep 6 12:36:57.062 2009 (GMT+2)
System Uptime: 0 days 5:28:11.995
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
* Bugcheck Analysis

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff800012c121f, 0, ffffffffffffffff}

Unable to load image sptd.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for sptd.sys
*** ERROR: Module load completed but symbols could not be loaded for
Probably caused by : sptd.sys ( sptd+415d2 )

Followup: MachineOwner

1: kd> !analyze -v
* Bugcheck Analysis

This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800012c121f, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

fffff800`012c121f 488b58f8 mov rbx,qword ptr [rax-8]

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: ffffffffffffffff




PROCESS_NAME: BattlefieldExec


EXCEPTION_RECORD: fffffadfc3eddd10 -- (.exr 0xfffffadfc3eddd10)
ExceptionAddress: fffff800012c121f
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000008
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

TRAP_FRAME: fffffadfc3eddda0 -- (.trap 0xfffffadfc3eddda0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=10fffffadfceb6a0 rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800012c121f rsp=fffffadfc3eddf30 rbp=fffffadfc3f04b10
r8=0000000000000000 r9=0000000000000000 r10=0f00000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac po nc
fffff800`012c121f 488b58f8 mov rbx,qword ptr [rax-8]
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80001080e86 to fffff8000102e890

fffffadf`c3edd618 fffff800`01080e86 : 00000000`0000001e ffffffff`c0000005
fffff800`012c121f 00000000`00000000 : nt!KeBugCheckEx
fffffadf`c3edd620 fffff800`0102e6af : fffffadf`c3eddd10 fffffa80`06195700
fffffadf`c3eddda0 fffff800`011b0180 : nt!KiDispatchException+0x128
fffffadf`c3eddc20 fffff800`0102d30d : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiExceptionExit
fffffadf`c3eddda0 fffff800`012c121f : 00000001`00000001 0f000000`00000000
fffffadf`c3edec70 fffffadf`c3f045c0 : nt!KiGeneralProtectionFault+0xcd
fffffadf`c3eddf30 fffff800`0104236b : fffffadf`cb512bf0 00000000`00000000
fffffadf`cb512c38 00000000`00000000 : nt!PspGetSetContextInternal+0x203
fffffadf`c3ede480 fffff800`01027eb1 : 00000000`c3ede700 00000001`01298d01
00000001`cc04ee00 00000000`00000002 : nt!PspGetSetContextSpecialApc+0xab
fffffadf`c3ede590 fffff800`0103bf97 : 00000246`002b002b 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x215
fffffadf`c3ede630 fffff800`0102828e : 00000000`00000000 00000000`01fd50e0
fffffadf`cb512c88 fffffadf`cb512bf0 : nt!KiSwapThread+0x3e9
fffffadf`c3ede690 fffff800`0101f88c : 00000000`00000000 00000000`00000005
00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x5a6
fffffadf`c3ede710 fffff800`0101f51b : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiSuspendThread+0x2c
fffffadf`c3ede750 fffff800`01027abd : 00000000`00160014 00000000`00000000
fffff800`0101f860 fffffadf`cb518730 : nt!KiDeliverApc+0x2d3
fffffadf`c3ede7f0 fffffadf`c86ff5d2 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiApcInterrupt+0xdd
fffffadf`c3ede980 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : sptd+0x415d2


fffffadf`c86ff5d2 ?? ???


SYMBOL_NAME: sptd+415d2



IMAGE_NAME: sptd.sys


FAILURE_BUCKET_ID: X64_0x1E_sptd+415d2

BUCKET_ID: X64_0x1E_sptd+415d2

Followup: MachineOwner
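A small triage helper, added here and not part of the thread, that pulls the bugcheck code, arguments, process and image names, backtrace symbols and trap-frame registers out of a pasted !analyze -v listing like the one above, then computes the effective address of the faulting "mov rbx,qword ptr [rax-8]" and checks whether it is a canonical x86-64 address. The sample text is a constructed, trimmed copy of the listing's own lines; the regular expressions are my own assumptions about WinDbg's output layout, not a documented format.

```python
import re
# Constructed sample: a trimmed copy of the !analyze -v lines quoted above.
SAMPLE = """BugCheck 1E, {ffffffffc0000005, fffff800012c121f, 0, ffffffffffffffff}
PROCESS_NAME: BattlefieldExec
rax=10fffffadfceb6a0 rbx=0000000000000000 rcx=0000000000000001
fffff800`012c121f 488b58f8 mov rbx,qword ptr [rax-8]
fffffadf`c3edec70 fffffadf`c3f045c0 : nt!KiGeneralProtectionFault+0xcd
fffffadf`cb512c38 00000000`00000000 : nt!PspGetSetContextInternal+0x203
00000000`00000000 00000000`00000000 : sptd+0x415d2
IMAGE_NAME: sptd.sys
"""

def is_canonical(addr: int) -> bool:
    # x86-64 with 48-bit virtual addresses: bits 63..47 must all agree.
    return (addr >> 47) in (0, 0x1FFFF)

def parse_analyze(text: str) -> dict:
    """Pull out the fields a triager reads first from a !analyze -v listing."""
    info = {}
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    info["bugcheck"] = int(m.group(1), 16) if m else None
    info["args"] = [int(a, 16) for a in m.group(2).split(",")] if m else []
    for key in ("PROCESS_NAME", "IMAGE_NAME"):
        m = re.search(r"^" + key + r":\s*(\S+)", text, re.M)
        info[key.lower()] = m.group(1) if m else None
    # Trap-frame registers such as "rax=10fffffadfceb6a0" (16 hex digits)
    info["regs"] = {r: int(v, 16) for r, v in re.findall(r"\b(r\w+)=([0-9a-fA-F]{16})", text)}
    # Backtrace symbols: the "module!func+0x..." token ending each frame line
    info["frames"] = re.findall(r":\s+(\S+\+0x[0-9a-f]+)\s*$", text, re.M)
    # Memory operand of the faulting instruction, e.g. "[rax-8]"
    m = re.search(r"\[(r\w+)([+-]\d+)?\]", text)
    info["mem_base"] = m.group(1) if m else None
    info["mem_disp"] = int(m.group(2) or 0) if m else 0
    return info

def fault_address(info: dict):
    # Effective address of the faulting memory operand, or None if unknown.
    base = info["mem_base"]
    if base is None or base not in info["regs"]:
        return None
    return (info["regs"][base] + info["mem_disp"]) & 0xFFFFFFFFFFFFFFFF

def triage(text: str) -> dict:
    info = parse_analyze(text)
    ea = fault_address(info)
    info["fault_ea"] = ea
    # A non-canonical pointer raises #GP instead of a page fault, so no linear
    # address is reported: hence the KiGeneralProtectionFault frame and the
    # all-ones READ_ADDRESS in the listing.
    info["noncanonical_pointer"] = ea is not None and not is_canonical(ea)
    return info
```

For this dump the operand address rax-8 comes out non-canonical (its top 17 bits are neither all zero nor all one), which is what a #GP frame rather than a page fault on a real mapping looks like.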

Skybuck Flying


The minidump has been uploaded to my skydrive:


Filename is: Mini090609-01.dmp
Description is:
9 september 2009: Windows XP x64 Pro crash during Delphi 2007 debugging,
range check error, binary file reading related, boolean (1 byte) related
"boolean of death", free basic related, possible buffer overrun or delphi
debugger problem.

So that's the one you want ^

There is also another up there but it's much older:


Filename is: Mini011609-01.dmp
Description is:

16 january 2009: Windows XP x64 Pro crash, possibly overheat related, or
x-fi soundblaster related, probably happened during playing of the video
game Mirror's Edge.


Skybuck Flying

Hmm I just noticed something... the version of the free basic test
program/evolver I am writing is version 0.13...

I said to myself: that's just superstition... surely it's not gonna give
problems ?!

But sure enough !

Number 0.13 gave me a blue screen of death ! ****ING HELL.


