Windows Blue Screen Analysis: DRIVER_POWER_STATE_FAILURE Caused by a Keyboard Power Transition
2021-07-01
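On my way home yesterday, my boss told me to take care of a bug that was assigned to me. I replied that I would handle it the next day. When I got to the office today and checked, sure enough there was one: a blue screen problem.
I went over to the testers to see the symptoms. The colleague on the test team said they had hammered on the camera and microphone, then held down the power button to shut down; the screen went black, and then the blue screen appeared.
I thought, uh-oh, this can't be a blue screen caused by the camera or microphone driver, can it?
Fortunately, crash dumps were enabled on the machine at the time. I got the dump file and started analyzing it.
Run WinDbg's automatic analysis: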
3: kd> !analyze -v
ERROR: FindPlugIns 8007007b
ERROR: Some plugins may not be available [8007007b]
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000004, The power transition timed out waiting to synchronize with the Pnp
subsystem.
Arg2: 000000000000012c, Timeout in seconds.
Arg3: ffffe6863eebf300, The thread currently holding on to the Pnp lock.
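Judging from DRIVER_POWER_STATE_FAILURE (9f), a device's power state transition timed out and the watchdog triggered the blue screen.
Next, use the kb command to walk the stack: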
3: kd> kb
# RetAddr : Args to Child : Call Site
00 fffff805`6af4191e : 00000000`0000009f 00000000`00000004 00000000`0000012c ffffe686`3eebf300 : nt!KeBugCheckEx
01 fffff805`6b2399a6 : 00000000`00000004 ffffbb00`98322100 00000000`00000004 fffffa0f`79a4fa10 : nt!PnpBugcheckPowerTimeout+0x8a
02 fffff805`6adc47f9 : fffffa0f`7a11f230 ffffbb00`98322100 fffffa0f`7a11f270 ffffbb00`00000002 : nt!PopBuildDeviceNotifyListWatchdog+0x16
03 fffff805`6adc5747 : 00000000`0000001c 00000000`00989680 ffffbb00`98322100 00000000`0000001a : nt!KiProcessExpiredTimerList+0x159
04 fffff805`6ae7728a : 00000000`00000000 ffffbb00`98312180 00000000`00000000 ffffbb00`98322100 : nt!KiRetireDpcList+0x4a7
05 00000000`00000000 : fffffa0f`79a50000 fffffa0f`79a49000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a
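Nothing useful shows up here.
What now? I suddenly remembered an article I had read a while ago, which mentioned an undocumented command that shows the power-related IRPs.
The article is titled 虫趣:抓一个Intel显卡驱动的臭虫 ("Bug Fun: Catching a Bug in an Intel Graphics Driver"), URL: https://blog.csdn.net/blog_index/article/details/14169555
Use the !poaction command to view the related IRPs: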
3: kd> !poaction
PopAction: fffff8056b0d38c0
State..........: 0 - Idle
Updates........: 0
Action.........: None
Lightest State.: Unspecified
Flags..........: 10000003 QueryApps|UIAllowed
Irp minor......: ??
System State...: Unspecified
Hiber Context..: 0000000000000000
Allocated power irps (PopIrpList - fffff8056b0d3f90)
IRP: ffffe6863b302460 (wait-wake/S4), PDO: ffffe6863be2c110
Irp worker threads (PopIrpThreadList - fffff8056b0cc660)
THREAD: ffffe686346db040 (static)
THREAD: ffffe686346da040 (static)
THREAD: ffffe6863f0bf080 (dynamic)
THREAD: ffffe6863ed74080 (dynamic)
THREAD: ffffe6863f1b0080 (dynamic)
THREAD: ffffe6863d8cf080 (dynamic)
THREAD: ffffe6863f279080 (dynamic)
THREAD: ffffe6863f487080 (dynamic)
THREAD: ffffe6863e8e3080 (dynamic)
THREAD: ffffe6863e5cb080 (dynamic)
THREAD: ffffe6863db2c080 (dynamic)
THREAD: ffffe6863e2b1080 (dynamic)
THREAD: ffffe6863ed9f080 (dynamic)
THREAD: ffffe6863e408080 (dynamic)
THREAD: ffffe6863f7b4080 (dynamic)
Broadcast in progress: FALSE
Is Directed DRIPS Transition: FALSE
Device State ffffe6863db84b70
Irp minor......: ??
System State...: Unspecified
Worker thread..: ffffe6863d138080
Status.........: 0
Waking.........: FALSE
Cancelled......: FALSE
Ignore errors..: FALSE
Ignore not imp.: FALSE
Order:
Here we can see that there is only one related IRP.
IRP: ffffe6863b302460 (wait-wake/S4), PDO: ffffe6863be2c110
Use the !irp command to analyze this IRP:
3: kd> !irp ffffe6863b302460
Irp is active with 26 stacks 24 is current (= 0xffffe6863b302ba8)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[IRP_MJ_POWER(16), IRP_MN_WAIT_WAKE(0)]
0 e1 ffffe6863be2c110 00000000 fffff80585ce15a0-00000000 Success Error Cancel pending
\Driver\HidUsb kbdclass
Args: 00000005 00000000 00000000 00000000
[IRP_MJ_POWER(16), IRP_MN_WAIT_WAKE(0)]
0 e1 ffffe6863b6c4470 00000000 fffff8056ae2a220-ffffe68634bfb380 Success Error Cancel pending
\Driver\kbdclass nt!PopRequestCompletion
Args: 00000005 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-ffffe68634bfb380
Args: 00000000 00000000 00000000 00000000
We can see that this IRP's major function code is IRP_MJ_POWER(16) and its minor function code is IRP_MN_WAIT_WAKE(0).
View the device stack for this IRP:
3: kd> !devstack ffffe6863b6c4470
!DevObj !DrvObj !DevExt ObjectName
> ffffe6863b6c4470 \Driver\kbdclass ffffe6863b6c45c0 KeyboardClass0
ffffe6863b6df040 \Driver\kbdhid ffffe6863b6df190
ffffe6863be2c110 \Driver\HidUsb ffffe6863be2c260 00000046
!DevNode ffffe6863b2cea70 :
DeviceInst is "HID\VID_1A2C&PID_2124&MI_00\8&85e31c1&0&0000"
ServiceName is "kbdhid"
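We can see that the IRP was sent from hidusb (the USB class driver) to the keyboard's kbdhid driver, and the blue screen occurred when it was finally passed to the keyboard class driver kbdclass for processing.
The device is HID\VID_1A2C&PID_2124&MI_00\8&85e31c1&0&0000
After rebooting the computer and checking Device Manager, I found that a keyboard with hardware ID HID\VID_1A2C&PID_2124&MI_00 was indeed plugged into the system.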
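
The walk-through above (!analyze -v, !poaction, !irp, !devstack) can be turned into a repeatable triage step over a saved debugger log. The following is an added example, not part of the original post: the helper name triage_9f is hypothetical, and the sample text is an excerpt of the output shown on this page.

```python
import re

# Excerpt of the WinDbg output shown on this page (values copied from it).
SAMPLE_LOG = r"""
DRIVER_POWER_STATE_FAILURE (9f)
Arg1: 0000000000000004, The power transition timed out waiting to synchronize with the Pnp
Arg2: 000000000000012c, Timeout in seconds.
Arg3: ffffe6863eebf300, The thread currently holding on to the Pnp lock.
IRP: ffffe6863b302460 (wait-wake/S4), PDO: ffffe6863be2c110
>[IRP_MJ_POWER(16), IRP_MN_WAIT_WAKE(0)]
0 e1 ffffe6863be2c110 00000000 fffff80585ce15a0-00000000 Success Error Cancel pending
\Driver\HidUsb kbdclass
DeviceInst is "HID\VID_1A2C&PID_2124&MI_00\8&85e31c1&0&0000"
"""

def _arg(log, n):
    """Return bugcheck argument n as an int, or None if the log lacks it."""
    m = re.search(rf"^\s*Arg{n}:\s*([0-9a-fA-F]+)", log, re.M)
    return int(m.group(1), 16) if m else None

def triage_9f(log):
    """Summarise a saved WinDbg log of bugcheck 0x9F (hypothetical helper)."""
    out = {"arg1": _arg(log, 1), "timeout_s": _arg(log, 2),
           "pnp_lock_thread": _arg(log, 3)}
    # Power IRPs listed by !poaction: address, type/state, owning PDO.
    out["power_irps"] = [
        {"irp": a, "kind": k, "pdo": p}
        for a, k, p in re.findall(
            r"^\s*IRP:\s*([0-9a-f]+)\s*\(([^)]*)\),\s*PDO:\s*([0-9a-f]+)",
            log, re.M | re.I)]
    # !irp marks the current stack location with '>'; the driver name
    # sits two lines below the [major, minor] header.
    m = re.search(r"^>\[(\w+)\(\w+\),\s*(\w+)\(\w+\)\][^\n]*\n[^\n]*\n\s*"
                  r"\\Driver\\(\S+)", log, re.M)
    out["current"] = ({"major": m.group(1), "minor": m.group(2),
                       "driver": m.group(3)} if m else None)
    # !devstack prints the PnP instance path; pull the USB VID/PID out of it.
    m = re.search(r'DeviceInst is "([^"]+)"', log)
    out["device_inst"] = m.group(1) if m else None
    ids = re.search(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})",
                    out["device_inst"] or "", re.I)
    out["vid_pid"] = ids.groups() if ids else None
    return out

if __name__ == "__main__":
    for key, value in triage_9f(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The pnp_lock_thread value is Arg3 from the bugcheck; passing it to !thread shows what the holder of the PnP lock was doing when the watchdog fired.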