I'm facing reproducible BSOD when continuously changing the IP address on
an XP machine.
Memory dump points to srvloc.sys.

Description:
-Fresh XP+SP2 install, with NW client 4.9sp4.
-Login locally (NOT to my 6.0 NW server, machine NOT joined to AD).

-Using "netsh" commands, I run one of 2 scripts:

Scenario #1:
*Set IP to DHCP (I'm using a MS DHCP server)
*Sleep 5 seconds
*Set IP to a static address
*Sleep 5 seconds
*goto start


Scenario #2:
*Set IP to static IP#1 (valid, free address on my network)
*Sleep 5 seconds
*Set IP to static IP#2 (a private 10.x.x.x address)
*Sleep 5 seconds
*goto start

In parallel, I run a loop showing the "ipconfig" results.

#1 will crash after 5-30 minutes, 100% of the runs.
#2 runs longer (one hour to a few hours), but will crash eventually.


Below are the windbg analyses of the memory dumps.


Yair


===================================================================
Scenario #1
===================================================================


Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\yair\Local Settings\Temp\CRASH8\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: c:\windows\symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Sun Dec 2 17:06:02.062 2007 (GMT-8)
System Uptime: 0 days 8:34:11.750
Loading Kernel Symbols
................................................................................................
Loading User Symbols

Loading unloaded module list
..................................................
*******************************************************************************
*
* Bugcheck Analysis
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 804ef48d, f78f7c44, f78f7940}





Probably caused by : srvloc.sys ( srvloc+1f8ef )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*
* Bugcheck Analysis
*
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ef48d, The address that the exception occurred at
Arg3: f78f7c44, Exception Record Address
Arg4: f78f7940, Context Record Address

Debugging Details:
------------------






EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!IoGetRelatedDeviceObject+9
804ef48d 8b4608 mov eax,dword ptr [esi+8]

EXCEPTION_RECORD: f78f7c44 -- (.exr 0xfffffffff78f7c44)
ExceptionAddress: 804ef48d (nt!IoGetRelatedDeviceObject+0x00000009)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000008
Attempt to read from address 00000008

CONTEXT: f78f7940 -- (.cxr 0xfffffffff78f7940)
eax=00000000 ebx=819651b8 ecx=00000000 edx=4b68005e esi=00000000 edi=81762aec
eip=804ef48d esp=f78f7d0c ebp=f78f7d10 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!IoGetRelatedDeviceObject+0x9:
804ef48d 8b4608 mov eax,dword ptr [esi+8] ds:0023:00000008=????????
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000008

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from f77c38ef to 804ef48d

STACK_TEXT:
f78f7d10 f77c38ef 00000000 81b1b5a8 81b1b660 nt!IoGetRelatedDeviceObject+0x9
WARNING: Stack unwind information not available. Following frames may be wrong.
f78f7d5c f77c3876 81b1b5a8 81b1b660 819651b8 srvloc+0x1f8ef
f78f7d80 f77ab449 81b1b5a8 00000000 81b1b5b8 srvloc+0x1f876
f78f7dac 805ce794 00000000 00000000 00000000 srvloc+0x7449
817252e0 00000000 00000000 00000002 00071220 nt!PspSystemThreadStartup+0x34


FOLLOWUP_IP:
srvloc+1f8ef
f77c38ef 8945e0 mov dword ptr [ebp-20h],eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: srvloc+1f8ef

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srvloc

IMAGE_NAME: srvloc.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4517fbce

STACK_COMMAND: .cxr 0xfffffffff78f7940 ; kb

FAILURE_BUCKET_ID: 0x7E_srvloc+1f8ef

BUCKET_ID: 0x7E_srvloc+1f8ef

Followup: MachineOwner
---------

===================================================================
Scenario #2
===================================================================

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\yair\Local Settings\Temp\CRASH9\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: c:\windows\symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Mon Dec 3 11:54:52.859 2007 (GMT-8)
System Uptime: 0 days 1:08:35.546
Loading Kernel Symbols
.................................................................................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*
* Bugcheck Analysis
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffffe8, 1, 80525788, 0}

*** ERROR: Module load completed but symbols could not be loaded for srvloc.sys




Probably caused by : srvloc.sys ( srvloc+223a6 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*
* Bugcheck Analysis
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffe8, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 80525788, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------






WRITE_ADDRESS: ffffffe8

FAULTING_IP:
nt!ObfDereferenceObject+1c
80525788 f00fc13e lock xadd dword ptr [esi],edi

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: f88e1ca4 -- (.trap 0xfffffffff88e1ca4)
ErrCode = 00000002
eax=81ec0b1c ebx=00000000 ecx=00000000 edx=00000000 esi=ffffffe8 edi=ffffffff
eip=80525788 esp=f88e1d18 ebp=f88e1d50 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!ObfDereferenceObject+0x1c:
80525788 f00fc13e lock xadd dword ptr [esi],edi ds:0023:ffffffe8=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8051f478 to 804f9c37

STACK_TEXT:
f88e1c24 8051f478 00000050 ffffffe8 00000001 nt!KeBugCheckEx+0x1b
f88e1c8c 80543568 00000001 ffffffe8 00000000 nt!MmAccessFault+0x9a8
f88e1c8c 80525788 00000001 ffffffe8 00000000 nt!KiTrap0E+0xd0
f88e1d20 f77c63a6 81ec0ac8 f77a6d21 81ec0b1c nt!ObfDereferenceObject+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
f88e1d50 f77a52d9 81ec0ac8 f77c8610 80563720 srvloc+0x223a6
f88e1d7c 80537757 00000000 00000000 821c5a20 srvloc+0x12d9
f88e1dac 805ce794 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
f88e1ddc 805450ce 80537668 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
srvloc+223a6
f77c63a6 ff36 push dword ptr [esi]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: srvloc+223a6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srvloc

IMAGE_NAME: srvloc.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4517fbce

FAILURE_BUCKET_ID: 0x50_W_srvloc+223a6

BUCKET_ID: 0x50_W_srvloc+223a6

Followup: MachineOwner
---------
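
Added example, not part of the original post: a small Python triage helper that reads the fault address, faulting function and memory operand from the two `!analyze -v` outputs above and reports how far each fault lies from address 0. The function name `triage`, the result keys and the one-page `NULL_WINDOW` threshold are assumptions made for this illustration; the dump lines are copied from the post.

```python
import re

# Lines copied from the two `!analyze -v` outputs in the post (trimmed).
SCENARIO_1 = """\
READ_ADDRESS: 00000008
FAULTING_IP:
nt!IoGetRelatedDeviceObject+9
804ef48d 8b4608 mov eax,dword ptr [esi+8]
eax=00000000 ebx=819651b8 ecx=00000000 edx=4b68005e esi=00000000
"""
SCENARIO_2 = """\
WRITE_ADDRESS: ffffffe8
FAULTING_IP:
nt!ObfDereferenceObject+1c
80525788 f00fc13e lock xadd dword ptr [esi],edi
eax=81ec0b1c ebx=00000000 ecx=00000000 edx=00000000 esi=ffffffe8
"""

NULL_WINDOW = 0x1000  # assumption: within one page of 0 counts as NULL-relative


def triage(text):
    """Summarise an x86 fault: which access, where, and how far from NULL."""
    kind, addr = re.search(
        r"^(READ|WRITE)_ADDRESS:\s+([0-9a-f]{8})", text, re.M).groups()
    addr = int(addr, 16)
    # Signed 32-bit view: 0xffffffe8 becomes -0x18, i.e. NULL minus an offset.
    offset = addr - (1 << 32) if addr >= 0x80000000 else addr
    func = re.search(r"^FAULTING_IP:\n(\S+?)\+", text, re.M).group(1)
    # Memory operand of the faulting instruction, e.g. [esi+8] or [esi].
    reg, disp = re.search(r"ptr \[(\w+)(?:\+([0-9a-f]+))?\]", text).groups()
    reg_val = int(re.search(rf"\b{reg}=([0-9a-f]{{8}})", text).group(1), 16)
    return {
        "access": kind.lower(),
        "function": func,
        "offset_from_null": offset,
        "null_relative": abs(offset) < NULL_WINDOW,
        "base_register": reg,
        "base_register_is_null": reg_val == 0,
        "displacement": int(disp or "0", 16),
    }


if __name__ == "__main__":
    for name, dump in (("Scenario #1", SCENARIO_1), ("Scenario #2", SCENARIO_2)):
        print(name, triage(dump))
```

Both faults land within 0x18 bytes of address 0: Scenario #1 reads offset 8 through a NULL `esi`, and Scenario #2 writes at NULL minus 0x18, which matches the 0x18-byte object header that precedes an object body on 32-bit XP.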