I am debugging two piece of code which fails with NT status code 0xc000001d (ILLEGAL_INSTRUCTION). They are valid instruction and I have no idea why. Is it possible that it is hardware problem at the CPU or motherboard?
Case 1
eax=00000159 ebx=00000000 ecx=00000000 edx=00000564 esi=e1a3e000 edi=8569ad98
eip=8057021f esp=efcc6b2c ebp=efcc6b30 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
8057021f 8bc8 mov ecx,eax
Case 2
eax=f31bbc58 ebx=85f5a7b0 ecx=85f5a7e4 edx=00000000 esi=85eeb990 edi=f31bbc38
eip=8057ea5f esp=f31bba2c ebp=f31bbb04 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
8057ea5f 8a4f48 mov cl,[edi+0x48] ds:0023:f31bbc80=00
Any comment is appreciated
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Are you sure EIP points to the faulty instruction? It may point to the next one...
If you're only getting this error with the programs you are debugging, chances are that it's not a hardware fault.
Also see:
http:Q_21278375.html
Thanks for the reply from dimitry, aib 42 and BeyondWu,
BugCheck 1000008E, {c000001d, 8057021f, efcc6ab8, 0}
1: kd> r
eax=00000159 ebx=00000000 ecx=00000000 edx=00000564 esi=e1a3e000 edi=8569ad98
eip=8057021f esp=efcc6b2c ebp=efcc6b30 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt+0x9921f:8057021f 8bc8 mov ecx,eax
1: kd> u 80570210 l9
nt+0x99210:
80570210 0f84e1f8ffff je nt+0x98af7 (8056faf7)
80570216 c60001 mov byte ptr [eax],0x1
80570219 e9d9f8ffff jmp nt+0x98af7 (8056faf7)
8057021e 49 dec ecx
8057021f 8bc8 mov ecx,eax <----
80570221 0f85481f0a00 jne nt+0x13b16f (8061216f)
80570227 c1e909 shr ecx,0x9
8057022a 8b0c8e mov ecx,[esi+ecx*4]
8057022d 25ff010000 and eax,0x1ff
Here is another example, I wouldn't figure out it fails with c00001d unless it is a hardware error.
BugCheck 1000008E, {c000001d, bf80d95f, f3b9bba0, 0}
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f3b9bd54 804ddee0 0000000d 0012f50c 0012f548 win32k+0xd95f
f3b9bd64 7c90eb94 badb0d00 0012f50c 00000000 nt+0x6ee0
0012f548 00000000 00000000 00000000 00000000 0x7c90eb94
TRAP_FRAME: f3b9bba0 -- (.trap fffffffff3b9bba0)
ErrCode = 00000000
eax=01210cb0 ebx=7ffdf1dc ecx=0000ffff edx=0000ffff esi=00000000 edi=00000000
eip=bf80d95f esp=f3b9bc14 ebp=f3b9bd54 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
win32k+0xd95f:
bf80d95f 8b8d68ffffff mov ecx,[ebp-0x98] ss:0010:f3b9bcbc=019000
FAILED_INSTRUCTION_ADDRESS
win32k+d95f bf80d95f 8b8d68ffffff mov ecx,[ebp-0x98]
0: kd> u bf80d94f l20
win32k+0xd94f:
bf80d94f 0000 add [eax],al
bf80d951 85c0 test eax,eax
bf80d953 0f85e1fbffff jne win32k+0xd53a (bf80d53a)
bf80d959 8b45e4 mov eax,[ebp-0x1c]
bf80d95c 8b402c mov eax,[eax+0x2c]
bf80d95f 8b8d68ffffff mov ecx,[ebp-0x98] ?????
bf80d965 394808 cmp [eax+0x8],ecx
bf80d968 0f8534feffff jne win32k+0xd7a2 (bf80d7a2)
bf80d96e 8b45e4 mov eax,[ebp-0x1c]
bf80d971 8b402c mov eax,[eax+0x2c]
bf80d974 8b4dac mov ecx,[ebp-0x54]
bf80d977 3b4820 cmp ecx,[eax+0x20]
bf80d97a 0f858dfcffff jne win32k+0xd60d (bf80d60d)
bf80d980 8b45e4 mov eax,[ebp-0x1c]
bf80d983 f6403c01 test byte ptr [eax+0x3c],0x1
bf80d987 0f85a1fcffff jne win32k+0xd62e (bf80d62e)
bf80d98d 8b45e4 mov eax,[ebp-0x1c]
bf80d990 8b482c mov ecx,[eax+0x2c]
bf80d993 8d8184010000 lea eax,[ecx+0x184]
bf80d999 3b30 cmp esi,[eax]
bf80d99b 0f85c8fcffff jne win32k+0xd669 (bf80d669)
bf80d9a1 8b55c4 mov edx,[ebp-0x3c]
bf80d9a4 3b9188010000 cmp edx,[ecx+0x188]
bf80d9aa 0f85b6fcffff jne win32k+0xd666 (bf80d666)
bf80d9b0 ff4dd8 dec dword ptr [ebp-0x28]
bf80d9b3 8b45c8 mov eax,[ebp-0x38]
bf80d9b6 83c003 add eax,0x3
bf80d9b9 83e0fc and eax,0xfffffffc
bf80d9bc 03d8 add ebx,eax
bf80d9be 895de0 mov [ebp-0x20],ebx
bf80d9c1 837dd800 cmp dword ptr [ebp-0x28],0x0
bf80d9c5 763c jbe win32k+0xda03 (bf80da03)
1 more new occurence and this time the failing instruction is ffff. The failing instruction address bf80d946 belongs to microsoft win32k.sys. Do you think it is a software error of win32k.sys or it is caused by an invalid branch to bf80d946? I searched google and I would not find any related hit.
BugCheck 1000008E, {c000001d, bf80d946, f2618770, 0}
eax=e49119c8 ebx=7ffd81dc ecx=f261889c edx=0000005c esi=00000000 edi=00000332
eip=bf80d946 esp=f26187e4 ebp=f2618924 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
win32k+0xd946:
bf80d946 ffff ???
0: kd> u win32k+d93f l9
win32k+0xd93f:
bf80d93f 40 inc eax
bf80d940 18600f sbb [eax+0xf],ah
bf80d943 85de test esi,ebx
bf80d945 fb sti
bf80d946 ffff ??? <---- this is not a valid intel assembler instruction
bf80d948 8b45e4 mov eax,[ebp-0x1c]
bf80d94b 8b80dc010000 mov eax,[eax+0x1dc]
bf80d951 85c0 test eax,eax
bf80d953 0f85e1fbffff jne win32k+0xd53a (bf80d53a)
I find out the reason and it is a one bit overlay at location at bf80d93e hence windows crashes with op code. Is it possible that it is one byte overlaid by a faulty program or is is a hardware error?
Correct code
bf80d93e f6401860 test byte ptr [eax+0x18],0x60
^^
bf80d942 0f85defbffff jne win32k!NtGdiFlushUserBatch
Corrupt code
bf80d93e e640 out 40,al
^^
bf80d940 18600f sbb [eax+0xf],ah
bf80d943 85de test esi,ebx
bf80d945 fb sti
bf80d946 ffff ??? <--- failed with invalid op code
This is Windows, anything is possible :).
What debugger are you using? If it is SoftIce, you could watch that memory location for write operations, and then figure out what piece of code is doing that.
If you're suspecting your RAM chips (I wouldn't suspect any other hardware), try MemTest86, a boot-up memory tester that will do several tests on your RAMs. - http://www.memtest86.com/
It seems you are debugging a kernel mode driver/module with WinDbg, I don't believe it's a hardware fault. It seems caused by some code modification or buffer overflow....
You can use BPM bf80d93e within SoftICE or "break at location if memory changes" to check when the 0xf640 is modified to 0xe640.... I guess this is maybe caused by your code.
You may could check the following list:
1. Does this modem analysis work properly at other windows box?
If so, this issue maybe caused by hardware or hardware conflict or platform difference.
a. Please make sure your analysis module works on the same windows version(include SP version) as your development machine.
b. Try to reinstall the machine if possible
c. Try to remove all un-necessary card from the motherboard(to test the hardware conflict).
2. Is there any hardware card comes with this modem analysis module?
If so, please try to change another new Card.
3. Tell your colleague to debug it more detailed, put the break point on memroy changes to catch which module changed the Win32k.sys.
I had a problem like this a few years ago. I.E. Invalid opcode at an address that is DEFINITELY valid.
The upshot was that it was actually an ISR address that was faulty. When the interrupt hit, the address was trash so the system tried to vector to a random location. Unfortunately, at that location was an invalid opcode so another interrupt was thrown to report the invalid opcode. Sadly, it then failed to track to the true address, it tracked back to the original address that was executing when the FIRST interrupt happened.
In summary, check that no ISR is in moveable memory etc etc.
Paul
Business Accounts
Answer for Membership
by: dimitryPosted on 2005-01-22 at 11:23:10ID: 13111750
It seems like some H/W problem or you are "seeing" previous command and not the one that gives you exception.
The funny thing is that in google search this error mostly corresponds to WarCraft III.
http://www.vitaerising.com