DOCUMENT:Q149015 19-FEB-2002 [winnt] TITLE :Kernel Debugging: "Parity Error: Bad Instruction Pointer" PRODUCT :Microsoft Windows NT PROD/VER::3.5,3.51 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 3.51 - Microsoft Windows NT Server versions 3.5, 3.51 ------------------------------------------------------------------------------- SUMMARY ======= This article describes a parity error that is caused by a bad processor cache or by a faulty processor. MORE INFORMATION ================ Article Contents: - Stack Trace - Trap Frame - Unassemble of IoAllocateMdl function and EIP - Parity Error - Bad Instruction Pointer - Breakdown of the instruction at 801144dd and Opcode - Breakdown of the instruction at 801144dc and Opcode Stack Trace: The following is the stack trace from the failed system: kv ChildEBP RetAddr Args to Child 8014068c 801144dc ff067010 ff06705c 00000103 NT!_KiTrap0E+0x252 (FPO: [0,0] TrapFrame @ 8014068c) 80140710 fc903dc3 ff177358 00000002 00000000 NT!_IoAllocateMdl+0x44 (FPO: [EBP 0xff177358] [5,1,4]) 80140738 fc93102c 80140768 8014076c 00000000 NDIS!_NdisCopyBuffer+0x26 (FPO: [EBP 0xff067010] [6,0,4]) 8014076c fc932071 ff07300c ff066028 fc9320ba sfmatalk!_AtalkNdisSendPacket+0xa4 (FPO: [EBP 0x801407e8] [4,2,4]) 801407e8 fc931950 ff07300c 80140838 ff9f673c sfmatalk!_AtalkDdpTransmit+0x60b 8014083c 801144fc ff191800 fc942a80 ff11960c sfmatalk!_AtalkDdpSend+0x71 (FPO: [EBP 0x00000000] [9,7,4]) 80140884 fc94299f ff9f6720 ff065c20 00000246 NT!_IoAllocateMdl+0x64 (FPO: [EBP 0x0000001b] [5,1,4]) 801408c0 fc943f5e ff11966c ff982390 ff17732a sfmatalk!atalkAtpSendReqComplete (FPO: [0,0,1]) 80140910 fc943e8b 00000000 ff11799c ff068854 sfmatalk!atalkAspPostWriteContinue+0x9c (FPO: [EBP 0x80140930] [0,1,4]) 80140930 fc9421db 00000000 ff1199cc ff11799c sfmatalk!_atalkAspSssXHandler+0x1f5 80140990 fc930c64 ff07300c ff11960c ff066cf0 sfmatalk!_AtalkAtpPacketIn+0x5a9 801409dc fc90068b ff07300c ffdff420 ff070007 sfmatalk!_AtalkReceiveComplete+0xdc 801409f4 fc910f88 ff07c508 ff07c628 00000001 NDIS!_EthFilterDprIndicateReceiveComplete+0x33 (FPO: [EBP 0xffdff420] [1,0,4]) 80140a04 fc8f04eb ff07c508 ff07c654 8013e820 NDIS!_EthFilterIndicateReceiveComplete+0x21 (FPO: [1,0,2]) In this TrapFrame, note that the instruction pointer is running what is at memory address 801144dc. The unassemble shows that the instruction that should have been called is 801144dd, rather than what is currently in EIP. Trap Frame: kd> !trap 8014068c !trap 8014068c eax=ff0f6488 ebx=00000020 ecx=801440e0 edx=ff971b50 esi=00000000 edi=00000358 eip=801144dc esp=80140700 ebp=ff177358 iopl=0 nv up ei ng nz na pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283 ErrCode = 00000002 801144dc 0083f810760b add [ebx+0xb7610f8],al Unassemble of IoAllocateMdl Function and EIP -------------------------------------------- Correct Unassemble of IoAlloateMdl from the Beginning of the Function:: kd> u NT!_IoAllocateMdl NT!_IoAllocateMdl+0x50 u NT!_IoAllocateMdl NT!_IoAllocateMdl+0x50 NT!_IoAllocateMdl: 80114498 83ec04 sub esp,0x4 8011449b f644240f80 test byte ptr [esp+0xf],0x80 801144a0 53 push ebx 801144a1 56 push esi 801144a2 57 push edi 801144a3 55 push ebp 801144a4 7407 jz NT!_IoAllocateMdl+0x15 (801144ad) 801144a6 33c0 xor eax,eax 801144a8 e99e010000 jmp NT!_IoAllocateMdl+0x1b3 (8011464b) 801144ad 8b7c2418 mov edi,[esp+0x18] 801144b1 8b44241c mov eax,[esp+0x1c] 801144b5 81e7ff0f0000 and edi,0xfff 801144bb 33f6 xor esi,esi 801144bd 03c7 add eax,edi 801144bf 05ff0f0000 add eax,0xfff 801144c4 c1e80c shr eax,0xc 801144c7 8d1c851c000000 lea ebx,[0000001c+eax*4] 801144ce 81fbffff0000 cmp ebx,0xffff 801144d4 7607 jbe NT!_IoAllocateMdl+0x45 (801144dd) 801144d6 33c0 xor eax,eax 801144d8 e96e010000 jmp NT!_IoAllocateMdl+0x1b3 (8011464b) 801144dd 83f810 cmp eax,0x10 <----------------- Position 1 ** 801144e0 760b jbe NT!_IoAllocateMdl+0x55 (801144ed) 801144e2 ff0514411480 inc dword ptr [NT!_IopMdlSizeMiss(80144114)] Unassemble of the Function Using the Current Instruction Pointer That is the Offset Into the Function When the Trap Occurred: kd> u NT!_IoAllocateMdl+0x44 u NT!_IoAllocateMdl+0x44 NT!_IoAllocateMdl+0x44: 801144dc 0083f810760b add [ebx+0xb7610f8],al <---------- Position 2** 801144e2 ff0514411480 inc dword ptr [NT!_IopMdlSizeMiss (80144114)] 801144e8 e99d000000 jmp NT!_IoAllocateMdl+0xf2 (8011458a) 801144ed ba30e21380 mov edx,0x8013e230 801144f2 b9e0401480 mov ecx,0x801440e0 801144f7 e804370200 call NT!ExfInterlockedPopEntryList (80137c00) 801144fc 8bf0 mov esi,eax 801144fe 85f6 test esi,esi The function is unassembled from the beginning, in order to show which instructions should have been run. The unassemble of the function starting at Position 2 should match the unassemble of the function at Position 1. Parity Error: The difference between 801144dc (what was in EIP) and 801144dd (what should have been in EIP) is one bit, as illustrated below. 801144dc = 10000000000100010100010011011100 801144dd = 10000000000100010100010011011101 This difference of one bit is a parity error that could have been caused by a faulty cache or by faulty memory. Bad Instruction Pointer: If you break down the Opcode, you will notice that the instruction at address 801144dd is 83f810. The operand is an instruction to compare the sign extended byte to a dword. The processor should have completed a compare of the EAX register to 0X10. The instruction pointer in EIP was altered by one bit. The system now carries out instructions beginning at 801144dd, which causes the system to fail. The new instruction 0083f810760b is an add-byte register to memory byte. Breakdown of the Instruction at 801144dd and Opcode: Opcode | | Instruction = 801144dd 83f810 cmp eax,0x10 Opcode breakdown 83 = CMP,m32,imm8 f8 = EAX 10 = 0x10 Breakdown of the Instruction at 801144dc and Opcode: Opcode | | Instruction = 801144dc 0083f810760b add [ebx+0xb7610f8],al Opcode breakdown 00 = ADD,m32,imm8 83 = disp32(displace 32 bits) b7610f8 = address used in ADD REFERENCES ========== The computer in this example failed because the invalid instruction accessed memory that had not been initialized. Once the motherboard was replaced, the computer functioned normally. For more information about how to debug the kernel, query on the following word here in the Microsoft Knowledge Base: debugref Additional query words: prodnt debugref ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNT351search kbWinNT350search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search Version : :3.5,3.51 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.