Access Violation in aapltp.sys when resuming from sleep.
Hello,
*I have diagnosed an issue in the aapltp.sys (touch pad) driver included with the MacOS 10.6.2 DVD. This issue causes a illegal access to be performed by this driver when the computer resumes from sleep (I have never reproduced it when resuming from hibernate or during normal operation). This issue occurs about once in every 10 resume operations, with both Windows 7 and Windows Vista. I have not experimented other versions of the OS.*
*The version of this driver included with 10.5.x DVD does not have this issue - this is a new regression.*
*In summary, KeyMagic (another apple driver) running on a system thread calls the OS for a dispatch (FxDevice::Dispatch). This ends up being routed to aapltp. While executing, aapltp dereferences a memory position offseted from a register that contains NULL. This causes an Access Violation which escalates into a BugCheck.*
*AFAIK Apple does not distribute driver symbols so I was unable to dig into the cause for the fault in this driver. I am appending some additional crashdump information that might be useful. If you require additional information, let me know. I can either provide you with the full crashdump of perform further analysis if you make the symbols available.*
________________________________________________________________________________ ____________
*****************************************************************************
* *
* Bugcheck Analysis *
* *
*****************************************************************************
SYSTEM THREAD_EXCEPTION_NOTHANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88004a7ea74, The address that the exception occurred at
Arg3: fffff88005134718, Exception Record Address
Arg4: fffff88005133f70, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
aapltp+ca74
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1
EXCEPTION_RECORD: fffff88005134718 -- (.exr 0xfffff88005134718)
ExceptionAddress: fffff88004a7ea74 (aapltp+0x000000000000ca74)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000000005b
Attempt to read from address 000000000000005b
CONTEXT: fffff88005133f70 -- (.cxr 0xfffff88005133f70)
rax=0000000000000000 rbx=0000000000000004 rcx=fffffa80057899e0
rdx=0000057ffa876618 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004a7ea74 rsp=fffff88005134950 rbp=fffffa8005789d50
r8=fffff88004a7b140 r9=0000000000000000 r10=fffffa80056809e0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000057ffa99e188 r15=0000057ffa99e188
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
aapltp+0xca74:
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1 ds:002b:00000000`0000005b=??
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000000000000005b
READ_ADDRESS: 000000000000005b
FOLLOWUP_IP:
aapltp+ca74
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1
BUGCHECK_STR: 0x7E
DEFAULT BUCKETID: NULL CLASS_PTRDEREFERENCE
LAST CONTROLTRANSFER: from fffff88000e52f90 to fffff88004a7ea74
STACK_TEXT:
fffff880`05134950 fffff880`00e52f90 : fffffa80`05661e70 0000057f`fa9443a8 fffffa80`056809e0 fffffa80`056bbc50 : aapltp+0xca74
fffff880`051349b0 fffff880`00e5299f : 00000000`00000000 fffffa80`05661e70 fffffa80`056bbc50 fffffa80`056bbc50 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x4b8
fffff880`05134a30 fffff880`00e51f98 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`05661fc2 : Wdf01000!FxIoQueue::DispatchEvents+0x4df
fffff880`05134aa0 fffff880`00e57558 : fffffa80`04e2fb00 fffffa80`05661e70 fffffa80`04e2fb00 fffffa80`05661e70 : Wdf01000!FxIoQueue::QueueRequest+0x2bc
fffff880`05134b10 fffff880`00e41245 : fffffa80`05661e70 fffffa80`04160c30 fffffa80`04e8ea58 00000000`000f2008 : Wdf01000!FxPkgIo::Dispatch+0x37c
fffff880`05134b90 fffff880`04a672f6 : fffffa80`04160c30 fffffa80`056bcc90 00000000`00000000 00000000`000007ff : Wdf01000!FxDevice::Dispatch+0xa9
fffff880`05134bc0 fffff880`04a6660b : fffffa80`056bcc90 fffffa80`04e8c010 fffffa80`08897640 fffffa80`04e8ec20 : KeyMagic+0x32f6
fffff880`05134c30 fffff800`03334166 : fffffa80`04e00040 00000000`00000080 fffffa80`03cd1740 fffffa80`04e00040 : KeyMagic+0x260b
fffff880`05134d40 fffff800`0306f486 : fffff800`03209e80 fffffa80`04e00040 fffffa80`03ce6680 fffff880`0122ca90 : nt!PspSystemThreadStartup+0x5a
fffff880`05134d80 00000000`00000000 : fffff880`05135000 fffff880`0512f000 fffff880`05134770 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_NAME: aapltp+ca74
MODULE_NAME: aapltp
IMAGE_NAME: aapltp.sys
DEBUG FLR_IMAGETIMESTAMP: 49c7fb1c
*I have diagnosed an issue in the aapltp.sys (touch pad) driver included with the MacOS 10.6.2 DVD. This issue causes a illegal access to be performed by this driver when the computer resumes from sleep (I have never reproduced it when resuming from hibernate or during normal operation). This issue occurs about once in every 10 resume operations, with both Windows 7 and Windows Vista. I have not experimented other versions of the OS.*
*The version of this driver included with 10.5.x DVD does not have this issue - this is a new regression.*
*In summary, KeyMagic (another apple driver) running on a system thread calls the OS for a dispatch (FxDevice::Dispatch). This ends up being routed to aapltp. While executing, aapltp dereferences a memory position offseted from a register that contains NULL. This causes an Access Violation which escalates into a BugCheck.*
*AFAIK Apple does not distribute driver symbols so I was unable to dig into the cause for the fault in this driver. I am appending some additional crashdump information that might be useful. If you require additional information, let me know. I can either provide you with the full crashdump of perform further analysis if you make the symbols available.*
________________________________________________________________________________ ____________
*****************************************************************************
* *
* Bugcheck Analysis *
* *
*****************************************************************************
SYSTEM THREAD_EXCEPTION_NOTHANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88004a7ea74, The address that the exception occurred at
Arg3: fffff88005134718, Exception Record Address
Arg4: fffff88005133f70, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
aapltp+ca74
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1
EXCEPTION_RECORD: fffff88005134718 -- (.exr 0xfffff88005134718)
ExceptionAddress: fffff88004a7ea74 (aapltp+0x000000000000ca74)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000000005b
Attempt to read from address 000000000000005b
CONTEXT: fffff88005133f70 -- (.cxr 0xfffff88005133f70)
rax=0000000000000000 rbx=0000000000000004 rcx=fffffa80057899e0
rdx=0000057ffa876618 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004a7ea74 rsp=fffff88005134950 rbp=fffffa8005789d50
r8=fffff88004a7b140 r9=0000000000000000 r10=fffffa80056809e0
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000057ffa99e188 r15=0000057ffa99e188
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
aapltp+0xca74:
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1 ds:002b:00000000`0000005b=??
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000000000000005b
READ_ADDRESS: 000000000000005b
FOLLOWUP_IP:
aapltp+ca74
fffff880`04a7ea74 807e5b01 cmp byte ptr [rsi+5Bh],1
BUGCHECK_STR: 0x7E
DEFAULT BUCKETID: NULL CLASS_PTRDEREFERENCE
LAST CONTROLTRANSFER: from fffff88000e52f90 to fffff88004a7ea74
STACK_TEXT:
fffff880`05134950 fffff880`00e52f90 : fffffa80`05661e70 0000057f`fa9443a8 fffffa80`056809e0 fffffa80`056bbc50 : aapltp+0xca74
fffff880`051349b0 fffff880`00e5299f : 00000000`00000000 fffffa80`05661e70 fffffa80`056bbc50 fffffa80`056bbc50 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x4b8
fffff880`05134a30 fffff880`00e51f98 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`05661fc2 : Wdf01000!FxIoQueue::DispatchEvents+0x4df
fffff880`05134aa0 fffff880`00e57558 : fffffa80`04e2fb00 fffffa80`05661e70 fffffa80`04e2fb00 fffffa80`05661e70 : Wdf01000!FxIoQueue::QueueRequest+0x2bc
fffff880`05134b10 fffff880`00e41245 : fffffa80`05661e70 fffffa80`04160c30 fffffa80`04e8ea58 00000000`000f2008 : Wdf01000!FxPkgIo::Dispatch+0x37c
fffff880`05134b90 fffff880`04a672f6 : fffffa80`04160c30 fffffa80`056bcc90 00000000`00000000 00000000`000007ff : Wdf01000!FxDevice::Dispatch+0xa9
fffff880`05134bc0 fffff880`04a6660b : fffffa80`056bcc90 fffffa80`04e8c010 fffffa80`08897640 fffffa80`04e8ec20 : KeyMagic+0x32f6
fffff880`05134c30 fffff800`03334166 : fffffa80`04e00040 00000000`00000080 fffffa80`03cd1740 fffffa80`04e00040 : KeyMagic+0x260b
fffff880`05134d40 fffff800`0306f486 : fffff800`03209e80 fffffa80`04e00040 fffffa80`03ce6680 fffff880`0122ca90 : nt!PspSystemThreadStartup+0x5a
fffff880`05134d80 00000000`00000000 : fffff880`05135000 fffff880`0512f000 fffff880`05134770 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_NAME: aapltp+ca74
MODULE_NAME: aapltp
IMAGE_NAME: aapltp.sys
DEBUG FLR_IMAGETIMESTAMP: 49c7fb1c
MacBook, Windows 7, Core 2 Duo 2.4GHz, 4GB RAM
