【Tmp】在完成例程中BSOD

在写一个有关完成例程的driver时，遇到一个Crash：DRIVER_CORRUPTED_EXPOOL(C5)。Windbg直接分析dump file，不容易找到错误，因为错误发生的指令并非是我的Driver模块内。

挂上DriverVerifier后，设置special pool，Windbg 中analyze -v显示以下错误信息

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 86e69003, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: fac08771, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  86e69003 Special pool

FAULTING_IP:
DynamicAttach+771
fac08771 0fb64203        movzx   eax,byte ptr [edx+3]

定位到我的完成例程中的代码：

  if (Irp->PendingReturned)
  {
 >    IoMarkIrpPending(Irp);
  }

IoMarkIrpPending宏： 

#define IoGetCurrentIrpStackLocation( Irp ) /
    ( (Irp)->Tail.Overlay.CurrentStackLocation )

#define IoMarkIrpPending( Irp ) ( /
   IoGetCurrentIrpStackLocation( (Irp) )->Control |= SL_PENDING_RETURNED )

看Arg3，就是fac08771处指令引发了Crash。

0: kd> ub fac08771
DynamicAttach+0x75a:
fac0875a 8b4860          mov     ecx,dword ptr [eax+60h]
fac0875d 894df0          mov     dword ptr [ebp-10h],ecx
fac08760 8b550c          mov     edx,dword ptr [ebp+0Ch]   //取完成例程第2个参数，即Irp
fac08763 0fb64221        movzx   eax,byte ptr [edx+21h]   // Irp->PendingReturned
fac08767 85c0            test    eax,eax
fac08769 7416            je      DynamicAttach+0x781 (fac08781)
fac0876b 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]  //取完成例程第2个参数，即Irp
fac0876e 8b5160          mov     edx,dword ptr [ecx+60h]  //取(Irp)->Tail.Overlay.CurrentStackLocation
0: kd> u fac08771
DynamicAttach+0x771:
fac08771 0fb64203        movzx   eax,byte ptr [edx+3]     //取(Irp)->Tail.Overlay.CurrentStackLocation->Control时Crash
fac08775 83c801          or      eax,1

当取(Irp)->Tail.Overlay.CurrentStackLocation->Control时Crash，因为该地址是无效地址。所以为了避免Crash，之前要判断一下：

  if (Irp->PendingReturned)
  {

       if(MmIsAddressValid(&pIrpSp->Control))

            IoMarkIrpPending(Irp);
  }

不过这只是表面现象，未完待续。