Closed Bug 308935 Opened 19 years ago Closed 18 years ago

Blue screen crash and windows system reboot on thunderbird startup with Kaspersky antivirus and Azureus

Categories

(Plugins Graveyard :: Kaspersky AV, defect)

Product:
Plugins Graveyard
Component:
Kaspersky AV
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: TheRizz, Unassigned)

Details

(Keywords: crash, hang) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Thunderbird v1.0.6 and 1.5 Beta 1

Thunderbird has started to crash on a regular basis. When it does, it doesn't
just crash the program but crashes all of Windows, giving me a black screen
followed by a reboot (no errors are generated).
This started at about the time I installed v1.0.6, but the crashes still ocurr
after updating to 1.5 beta 1.

Reproducible: Sometimes

Steps to Reproduce:
1. Start Thunderbird
2. System Reboots
-or-
1. Start Thunderbird
2. Wait for a while
3. System reboots

Because it sometimes has a delay, and sometimes crashes immediately, I am
assuming that it is part of the mail checking procedure that causes the crash.
Actual Results:  
Sometimes crashes the computer.

Expected Results:  
Shouldn't crash the computer.

Probably related is the fact that this seems to occur mostly when I have file
sharing software running (specifically eMule and the Azureus bittorrent client).
I am unsure if I have even had a crash while no filesharing software is running.
Any other updates, like anti-virus, firewall, display or network drivers? 

Also you can prevent an automatic reboot by going to control panel -> system ->
error recovery (?) and unchecking some option (I'm not on windows to check right
now). It usually says which dll file the crash was in.

> Any other updates, like anti-virus, firewall, display or network drivers? 
Not that I can think of.

Follwoing your advice on stopping the automatic reboot, it now causes a Blue
Screen instead of a reboot. The information on the Blue Screen is as follows:

STOP: 0x000000D1 (0x02E00368, 0x00000002, 0x00000000, 0xB8F38326)
  tcpip.sys - Address B8F38326, Datestamp 4294cc20

I also played around with running processes and found that the crash only occurs
when checking email in Thunderbird at the same time as I am running Azureus and
Kaspersky Anti-Virus. If either Kaspersky AV or Azureus are turned off, the
crash does not occur.
two things to do,
A. see instructions on using windbg.exe (bug 307577)
B. follow these approximate instructions on using verifier.exe:
 1. run the driver verifier
 2. create custom settings
 3. select individual settings from a full list
 4. check everything except:
   dma checking
   low resources simulation
 5. select automatically select unsigned drivers (next)
   if you get a list, write down (notepad, whatever) the names, click back
 6. select automatically select drivers built for older versions of windows 
(next)
   if you get a list, write down (notepad, whatever) the names, click back
 7. select driver names from a list
 8. add all the items from 5 and 6.
 9. click add currently not loaded driver(s) to the list..., tell the verifier 
to verify all of the drivers relating to Kaspersky AV and Azureus (use windows 
find or something to find all those drivers, they should have some consistent 
naming or placement scheme -- i don't use Kaspersky, i had to fight symantec 
this summer)
 10. click finish (this will require a reboot and depending on settings will 
slow your system to somewhat of a crawl).

after doing at least A and possibly B, run thunderbird and crash your system. 
at this point, follow the rest of the instructions on windbg.exe. at the very 
least !analyze -v output would be nice. hopefully you get a full sized dmp 
(note: your swap file must be large enough to contain all data from physical 
memory, if it is not, win-break>advanced>performance:settings>advanced>change)

fwiw, if you decide you'd like to make the full memory image to me available: 
from windbg,
.dump /maipwd /u /ba /c "comment describing problem" output-file
and then contact me on irc with a url to the file (note: the file will be huge, 
mozilla crashes for me tend to be 100mb, windows crashes for me are 2gb and 
they won't compress to smaller than 100mb ...), most likely the minidumps will 
be sufficient for whatever chasing we'll do.
> B. follow these approximate instructions on using verifier.exe:

This didn't work very well... it causes a blue screen upon reboot - I ended up
having to use the Last Known Good Configuration to get back into windows.

[Re: windbg.exe]
> .dump /maipwd /u /ba /c "comment describing problem" output-file

This does not work. It gives me the following error:
               ^ Extra character error in '.dump /maipwd /u /ba /c "comment
describing problem" output-file'

I ran the following three commands:
.symfix+
.reload
!analyze -v

...and this is the output:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f78f33e5, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b8f3832f, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  f78f33e5 

CURRENT_IRQL:  2

FAULTING_IP: 
tcpip!GetAddress+14
b8f3832f 6683780202       cmp     word ptr [eax+0x2],0x2

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0xD1

LAST_CONTROL_TRANSFER:  from b8f3f4af to b8f3832f

TRAP_FRAME:  f78b6de4 -- (.trap fffffffff78b6de4)
ErrCode = 00000000
eax=f78f33e3 ebx=00000000 ecx=6bc80100 edx=00000001 esi=000088d9 edi=f78b6ec8
eip=b8f3832f esp=f78b6e58 ebp=f78b6e5c iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
tcpip!GetAddress+0x14:
b8f3832f 6683780202       cmp    word ptr [eax+0x2],0x2 ds:0023:f78f33e5=????
Resetting default scope

STACK_TEXT:  
f78b6e5c b8f3f4af f78eab02 f78b6e98 f78b6e9c tcpip!GetAddress+0x14
f78b6ea4 b8f3ed0b f78b6ec8 00000000 f78eabe0 tcpip!TdiConnect+0x37
f78b6ee0 b8f5c96b 88a74008 88a74078 88c22870 tcpip!TCPConnect+0xa8
f78b6f04 b8f42912 00000000 804e2448 88c22870 tcpip!TCPResumeActiveOpen+0x77
f78b6f24 b8f3cce8 02c22870 00000002 00000000 tcpip!CloseTCB+0x1c4
f78b6f40 b8f42f00 88c22870 00000002 004f7ae1 tcpip!DerefTCB+0x60
f78b6fbc b8f323ec b8f7ab38 00000000 f7727980 tcpip!TCBTimeout+0x79c
f78b6fcc 804dcd22 b8f7ab48 b8f7ab38 f81e1b98 tcpip!TCBTimeoutdpc+0xf
f78b6ff4 804dc88d b5880d44 00000000 00000000 nt!KiRetireDpcList+0x61
f78b6ff8 b5880d44 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
WARNING: Frame IP not in any known module. Following frames may be wrong.
804dc88d 00000000 00000009 0081850f bb830000 0xb5880d44


CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    804dc962-804dc968  7 bytes - nt!SwapContext+20
	[ 83 bb 94 09 00 00 00:e9 b9 ce 95 38 90 90 ]
    804e4c40-804e4c43  4 bytes - nt!KiServiceTable+390 (+0x82de)
	[ 1d 1b 58 80:e0 96 e3 b8 ]
    80672000-8067200d  14 bytes - nt!IovUnloadDrivers+8
	[ 90 90 90 90 90 a1 00 71:00 00 01 ba 44 ca fe de ]
    80672010-8067206b  92 bytes - nt!FormatMaxDisplacement <PERF> (nt+0x19b010)
(+0x10)
	[ 00 00 90 90 90 90 90 8b:01 bb 00 12 80 c4 e1 04 ]
    8067206d-80672075  9 bytes - nt!IovFreeIrpPrivate+26 (+0x5d)
	[ 74 0f 53 53 56 6a 02 68:00 00 00 00 00 00 00 00 ]
    80672079-80672085  13 bytes - nt!IovFreeIrpPrivate+32 (+0x0c)
	[ e8 11 51 ec ff 8d 55 0b:00 00 00 00 00 00 00 00 ]
    80672088-80672097  16 bytes - nt!IovFreeIrpPrivate+41 (+0x0f)
	[ 38 5d 0b 75 06 56 e8 1e:00 00 00 00 00 00 00 00 ]
    80672099-806720c7  47 bytes - nt!IovFreeIrpPrivate+52 (+0x11)
	[ 90 cc cc cc cc cc cc 90:00 00 00 00 00 00 00 00 ]
    806720cb-806720d7  13 bytes - nt!IovCallDriver+26 (+0x32)
	[ 66 83 3a 06 74 0a 51 51:00 00 00 00 00 00 00 00 ]
    806720db-806720eb  17 bytes - nt!IovCallDriver+36 (+0x10)
	[ 57 e8 36 ff ff ff 84 c0:00 00 00 00 00 00 00 00 ]
    806720ef-806720ff  17 bytes - nt!IovCallDriver+4a (+0x14)
	[ 8b 35 08 81 4d 80 ff d6:00 00 00 00 00 00 00 00 ]
    80672102-8067210d  12 bytes - nt!IovCallDriver+5d (+0x13)
	[ 8b 4d fc 8d 55 f8 88 45:00 00 00 00 00 00 00 00 ]
    80672110-80672123  20 bytes - nt!IovCallDriver+6b (+0x0e)
	[ 84 c0 75 12 6a 50 58 e8:00 00 00 00 00 00 00 00 ]
    80672126-80672130  11 bytes - nt!IovCallDriver+81 (+0x16)
	[ ff 75 f8 8d 55 fc 8b cf:00 00 00 00 00 00 00 00 ]
    80672133-80672138  6 bytes - nt!IovCallDriver+8e (+0x0d)
	[ 83 c9 ff e8 8e 94:00 00 00 00 00 00 ]
    8067213b-80672152  24 bytes - nt!IovCallDriver+96 (+0x08)
	[ 8b 55 fc 8b cf e8 6d f2:00 00 00 00 00 00 00 00 ]
    80672155-8067215a  6 bytes - nt!IovCallDriver+b0 (+0x1a)
	[ 8b 4d f8 e8 f6 72:00 00 00 00 00 00 ]
    8067215d-80672166  10 bytes - nt!IovCallDriver+b8 (+0x08)
	[ ff 75 f0 ff 75 fc 57 e8:00 00 00 00 00 00 00 00 ]
    80672169-8067217d  21 bytes - nt!IovCallDriver+c4 (+0x0c)
	[ ff d6 3a d8 74 17 ff d6:00 00 00 00 00 00 00 00 ]
    80672181-806721ad  45 bytes - nt!IovCallDriver+dc (+0x18)
	[ e8 09 50 ec ff 8b 45 f4:00 00 00 00 00 00 00 00 ]
    806721af-806721d3  37 bytes - nt!IovBuildAsynchronousFsdRequest+10 (+0x2e)
	[ ff 75 1c ff 75 18 ff 75:00 00 00 00 00 00 00 00 ]
    806721d5-806721dd  9 bytes - nt!IovBuildAsynchronousFsdRequest+36 (+0x26)
	[ 90 90 90 90 90 8b 45 ec:00 00 00 00 00 00 00 00 ]
    806721df - nt!IovBuildAsynchronousFsdRequest+3b (+0x0a)
	[ 8b:00 ]
    806721e1-806721fc  28 bytes - nt!IovBuildAsynchronousFsdRequest+3d (+0x02)
	[ 89 45 e4 33 c0 40 c3 90:00 00 00 00 00 00 00 00 ]
    80672200-8067221e  31 bytes - nt!IovBuildAsynchronousFsdRequest+57 (+0x1f)
	[ e8 8a 4f ec ff cc cc cc:00 00 00 00 00 00 00 00 ]
    80672220-8067224d  46 bytes - nt!IovBuildDeviceIoControlRequest+10 (+0x20)
	[ ff 75 28 ff 75 24 ff 75:00 00 00 00 00 00 00 00 ]
    8067224f-80672257  9 bytes - nt!IovBuildDeviceIoControlRequest+3f (+0x2f)
	[ 90 90 90 90 90 8b 45 ec:00 00 00 00 00 00 00 00 ]
    80672259 - nt!IovBuildDeviceIoControlRequest+44 (+0x0a)
	[ 8b:00 ]
    8067225b-80672276  28 bytes - nt!IovBuildDeviceIoControlRequest+46 (+0x02)
	[ 89 45 e4 33 c0 40 c3 90:00 00 00 00 00 00 00 00 ]
    8067227a-806722a0  39 bytes - nt!IovBuildDeviceIoControlRequest+60 (+0x1f)
	[ e8 10 4f ec ff cc cc cc:00 00 00 00 00 00 00 00 ]
    806722a4-806722b7  20 bytes - nt!IovInitializeTimer+19 (+0x2a)
	[ e8 e6 4e ec ff ff 75 10:00 00 00 00 00 00 00 00 ]
    806722b9-80672325  109 bytes - nt!IovInitializeTimer+2e (+0x15)
	[ 90 cc cc cc cc cc cc 90:00 00 00 00 00 00 00 00 ]
    80672328-80672331  10 bytes - nt!IovpLocalCompletionRoutine+63 (+0x6f)
	[ 8b 53 1c 33 c0 3b d0 c6:00 00 00 00 00 00 00 00 ]
    80672333-80672335  3 bytes - nt!IovpLocalCompletionRoutine+6e (+0x0b)
	[ c6 43 02:00 00 00 ]
    80672337-8067236c  54 bytes - nt!IovpLocalCompletionRoutine+72 (+0x04)
	[ c6 43 03 10 89 43 04 89:00 00 00 00 00 00 00 00 ]
    8067236f-80672385  23 bytes - nt!IovpLocalCompletionRoutine+aa (+0x38)
	[ ff 73 20 57 ff 75 08 ff:00 00 00 00 00 00 00 00 ]
    80672388-8067238f  8 bytes - nt!IovpLocalCompletionRoutine+c3 (+0x19)
	[ 8b 56 08 8b cf e8 7c d2:00 00 00 00 00 00 00 00 ]
    80672392-80672395  4 bytes - nt!IovpLocalCompletionRoutine+cd (+0x0a)
	[ 81 7d 08 16:00 00 00 00 ]
    80672398-8067239d  6 bytes - nt!IovpLocalCompletionRoutine+d3 (+0x06)
	[ c0 74 69 80 7d ff:00 00 00 00 00 00 ]
    8067239f-806723a3  5 bytes - nt!IovpLocalCompletionRoutine+da (+0x07)
	[ 75 63 83 66 0c:00 00 00 00 00 ]
    806723a5-806723d8  52 bytes - nt!IovpLocalCompletionRoutine+e0 (+0x06)
	[ 83 c3 24 89 1e 8b 43 20:00 00 00 00 00 00 00 00 ]
    806723da-8067243a  97 bytes - nt!IovpLocalCompletionRoutine+115 (+0x35)
	[ 74 17 f6 43 03 20 74 11:00 00 00 00 00 00 00 00 ]
    8067243c-80672458  29 bytes - nt!IovInitializeIrp+24 (+0x62)
	[ cc cc cc cc cc cc 90 90:00 00 00 00 00 00 00 00 ]
    8067245b-8067245d  3 bytes - nt!IovAttachDeviceToDeviceStack+14 (+0x1f)
	[ 5d c2 08:00 00 00 ]
    8067245f-8067247e  32 bytes - nt!IovAttachDeviceToDeviceStack+18 (+0x04)
	[ 90 cc cc cc cc cc cc 90:00 00 00 00 00 00 00 00 ]
    80672481-8067248d  13 bytes - nt!IovDeleteDevice+16 (+0x22)
	[ 83 3d 20 a8 55 80 02 72:00 00 00 00 00 00 00 00 ]
    80672490-80672492  3 bytes - nt!IovDeleteDevice+25 (+0x0f)
	[ 5d c2 04:00 00 00 ]
    80672494-806724af  28 bytes - nt!IovDeleteDevice+29 (+0x04)
	[ cc cc cc cc cc 90 90 90:00 00 00 00 00 00 00 00 ]
    806724b2-806724b4  3 bytes - nt!IovDetachDevice+14 (+0x1e)
	[ 5d c2 04:00 00 00 ]
    806724b6-806724d3  30 bytes - nt!IovDetachDevice+18 (+0x04)
	[ 90 90 cc cc cc cc cc cc:00 00 00 00 00 00 00 00 ]
    806724d6-806724db  6 bytes - nt!IovCancelIrp+13 (+0x20)
	[ 8a 45 0f 5d c2 08:00 00 00 00 00 00 ]
    806724dd-80672528  76 bytes - nt!IovCancelIrp+1a (+0x07)
	[ 90 90 90 cc cc cc cc cc:00 00 00 00 00 00 00 00 ]
WARNING: !chkimg output was truncated to 50 lines. Invoke !chkimg without '-lo
[num_lines]' to view  entire output.
    80689000-8068911d  286 bytes - nt!KdPullRemoteFile <PERF> (nt+0x1b2000)
	[ 00 00 00 00 00 00 90 90:38 cf bc 0c c7 fd dd 4d ]
    8068911f-8068921a  252 bytes - nt!MiMakeSpecialPoolPagable+60 (+0x11f)
	[ e7 ff c6 05 6a 6c 56 80:a9 f7 3a 35 78 66 f4 eb ]
    8068921c-8068926c  81 bytes - nt!MiProtectSpecialPool+c9 (+0xfd)
	[ ef 0b 83 e7 01 6a 02 75:4d fd b1 ed c9 22 89 82 ]
    8068926e-80689353  230 bytes - nt!MiProtectSpecialPool+11b (+0x52)
	[ eb 0c 8d 0c 5b bb 1f ff:23 f5 33 46 02 0c b4 79 ]
    80689355-806893c8  116 bytes - nt!MiProtectSpecialPool+202 (+0xe7)
	[ 0f 84 63 01 00 00 83 7d:93 89 d4 b5 4f 84 39 ea ]
    806893ca-80689575  428 bytes - nt!MiProtectSpecialPool+277 (+0x75)
	[ 28 81 4d 80 8b 1e 8b cb:7e 66 f0 08 f0 b0 db 54 ]
    80689577-80689584  14 bytes - nt!MiAllocateSpecialPool+80 (+0x1ad)
	[ 74 df 3d 4d 6d 53 64 74:a3 be f1 9a 43 fa ae 97 ]
    80689586-8068962c  167 bytes - nt!MiAllocateSpecialPool+8f (+0x0f)
	[ d1 33 c9 33 d2 41 e8 74:15 ee 37 bb dc 39 38 a2 ]
    8068962e-8068985f  562 bytes - nt!MiAllocateSpecialPool+137 (+0xa8)
	[ 79 02 00 00 6a 02 8a d3:c9 2e 7c 47 6b d5 a1 4d ]
    80689861-806899b8  344 bytes - nt!MiAllocateSpecialPool+36a (+0x233)
	[ 2a d9 ea ff 8b 41 08 83:61 5a 8d 34 9b e3 1d 39 ]
    806899ba-80689b21  360 bytes - nt!MmFreeSpecialPool+aa (+0x159)
	[ f6 66 8b 37 81 e6 ff 1f:96 0e ab 53 f1 ab 28 7f ]
    80689b23-80689bba  152 bytes - nt!MmFreeSpecialPool+213 (+0x169)
	[ 81 4d 80 ff 0d 34 21 56:f2 e5 ea 41 92 85 39 34 ]
    80689bbc-80689c3e  131 bytes - nt!MmFreeSpecialPool+2ac (+0x99)
	[ 89 41 08 eb 07 8b cf e8:c0 5c ce df 4c b7 e6 06 ]
64055 errors : !nt (804dc962-80689c3e)

MODULE_NAME:  memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

STACK_COMMAND:  .trap fffffffff78b6de4 ; kb

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------


a few things.
1. if verifier causes blue screens, you should find out which drivers suck and
get them reported and fixed or removed from your system.

in our cases, we were able to finger one or two specific drives and remove or
upgrade them to get the system to be mostly happy with verifier which made
normal operation much less sketchy.

2. could you possibly list all the drivers that you told verifier to
investigate? that would at least give someone some things to google, perhaps
some of them turn up as common sources of blue screens :).

3. try: .dump /maip /u /ba /c "tcp CODE_CORRUPTION/MEMORY_CORRUPTION_LARGE"
c:\tcp-308925

if it keeps complaining about flags, try removing letters from the ends of the /
things, the "comment" bit is part of /c, so you'd remove that as a pair (you can
read help on .dump) for a description.

i've never met this error, there's a newsgroup under msnews.microsoft.com which
we could probably use to get more help (or you could google for CODE_CORRUPTION
or MEMORY_CORRUPTION_LARGE.

thank you for the output, it does give me some understanding of what your system
is thinking (unfortunately it's a class of error i haven't before had to
investigate).
(In reply to comment #2)
> I also played around with running processes and found that the crash only occurs
> when checking email in Thunderbird at the same time as I am running Azureus and
> Kaspersky Anti-Virus. If either Kaspersky AV or Azureus are turned off, the
> crash does not occur.

timeless, reporter upgraded "just about every piece of software involved", is not running Azureus, and doesn't see it anymore.  but is willing to help if it's needed.

-> INVALID (based on the Kaspersky/Azureus aspect)  - reopen if it deserves further work
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Keywords: crash, hang
Resolution: --- → INVALID
Summary: Total system crash on mail check → Blue screen crash and windows system reboot on thunderbird startup with Kaspersky antivirus and Azureus
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Assignee: mscott → nobody
Component: General → Kaspersky AV
Product: Thunderbird → Plugins
QA Contact: general → kaspersky-antivirus
Product: Plugins → Plugins Graveyard
You need to log in before you can comment on or make changes to this bug.