Friday, December 30, 2011

Bug Check 0x9F: DRIVER_POWER_STATE_FAILURE


The release notes for WinDbg ver. 6.12.2.633 include some information on how to diagnose bugcheck 9F.
This information is also helpful and provides some direction when we check a BSOD 9F dump file.

a) Bug Check 0x9F Update   Add logic to diagnose bugcheck 0x9F minidumps using new to Windows 7 data added to the 0x9F Mini Dumps by the Kernel and Networking Teams.
Data includes:
All Kernel ExWorkerThreads that process Power IRPs.
IRPs Associated with any ExWorkerThread
IRPs Associated with  PnP Completion Queue.  
All Kernel Power IRPs
Device Stacks for all IRPS
NT_TRIAGE_POWER Structure
NT_TRIAGE_PNP structure


BSOD 9F information is available at http://msdn.microsoft.com/en-us/library/windows/hardware/ff559329(v=vs.85).asp

The failure we meet most often is the parameter 1 = 3 condition. In that case, parameter 2 tells us which device driver caused the BSOD, and parameter 4 tells us which power action caused it.



kd>!analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time (usually 10 minutes).
Arguments:
Arg1: 00000003, A device object has been blocking an Irp for too long a time
Arg2: 857d6030, Physical Device Object of the stack
Arg3: 82b5dae0, nt!TRIAGE_9F_POWER on Win7, otherwise the Functional Device Object of the stack
Arg4: 85086008, The blocked IRP
0: kd> dt nt!TRIAGE_9F_POWER 82b5dae0 
   +0x000 Signature        : 0x8000
   +0x002 Revision         : 1
   +0x004 IrpList          : 0x82b78480 _LIST_ENTRY
   +0x008 ThreadList       : 0x82b77f28 _LIST_ENTRY
   +0x00c DelayedWorkQueue : 0x82b715bc _TRIAGE_EX_WORK_QUEUE
The dt (Display Type) command displays the structure. You can use various debugger commands to follow the LIST_ENTRY fields to examine the list of outstanding IRPs and the power IRP worker threads. Use the !irp command to examine the IRP that was blocked. (The address of this IRP is in Parameter 4 (arg4).)


The website also offers some suggestions.


Use the !poaction command to display the threads that handle the power operations and any allocated power IRPs.
To help you determine the cause of the error, consider the following questions: Can you find the blocked thread? When you examine the thread with the !thread debugger command, what does the thread consist of? Is there IO associated with the thread that is blocking it? What symbols are on the stack? When you examine the blocked power IRP, what do you notice? What is the PnP minor function code of the power IRP? What are the characteristics of the physical device object (PDO) driver (Parameter 2, arg2)? Is it a miniport driver?



Parameter 1: 0x3 (Windows XP and later)
Parameter 2: The physical device object (PDO) of the stack
Parameter 3: The functional device object (FDO) of the stack. In Windows 7, this parameter points to the nt!TRIAGE_9F_POWER structure.
Parameter 4: The blocked IRP
Cause: A device object has been blocking an IRP for too long a time.
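The parameter layout above can be turned into a repeatable triage step. The following is an added example, not code from the original post or from Microsoft: it parses saved !analyze -v text and builds the follow-up debugger commands for the parameter 1 = 3 case. The function names and the win7_or_later switch are assumptions made for illustration.

```python
import re

# Constructed sample: the header and Arguments block of the !analyze -v output above.
SAMPLE = """\
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time (usually 10 minutes).
Arguments:
Arg1: 00000003, A device object has been blocking an Irp for too long a time
Arg2: 857d6030, Physical Device Object of the stack
Arg3: 82b5dae0, nt!TRIAGE_9F_POWER on Win7, otherwise the Functional Device Object of the stack
Arg4: 85086008, The blocked IRP
"""

CODE_RE = re.compile(r"^[A-Z0-9_]+ \(([0-9a-fA-F]+)\)\s*$", re.MULTILINE)
# 64-bit debuggers print addresses as fffffa80`01a8f060, so allow the backtick.
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-fA-F`]+)", re.MULTILINE)


def parse_bugcheck(text):
    """Return (bugcheck code, {1..4: argument value}) from saved !analyze -v text."""
    code = CODE_RE.search(text)
    args = {int(n): int(v.replace("`", ""), 16) for n, v in ARG_RE.findall(text)}
    if code is None or sorted(args) != [1, 2, 3, 4]:
        raise ValueError("no complete bugcheck header found")
    return int(code.group(1), 16), args


def triage_commands(text, win7_or_later=True):
    """Build the follow-up kd commands for the Arg1 = 3 case of bugcheck 0x9F."""
    code, args = parse_bugcheck(text)
    if code != 0x9F:
        raise ValueError(f"not DRIVER_POWER_STATE_FAILURE: {code:#x}")
    if args[1] != 0x3:
        raise ValueError(f"Arg1 = {args[1]:#x}; only the Arg1 = 3 layout is handled")
    pdo, arg3, irp = (format(args[i], "x") for i in (2, 3, 4))
    # On Windows 7 Arg3 is the triage structure; on older systems it is the FDO.
    third = f"dt nt!TRIAGE_9F_POWER {arg3}" if win7_or_later else f"!devobj {arg3}"
    return [
        f"!devstack {pdo}",  # which drivers are stacked on the PDO (Arg2)
        third,
        f"!irp {irp}",       # the blocked power IRP (Arg4)
        "!poaction",         # power worker threads and allocated power IRPs
    ]


if __name__ == "__main__":
    print("\n".join(triage_commands(SAMPLE)))
```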



Thursday, December 29, 2011

How to get video memory size

From the MSDN http://msdn.microsoft.com/en-us/library/ee419018(v=vs.85).aspx, there are several ways to get the size of video memory on a system. This sample demonstrates 5 methods. The first 4 are available on Windows XP, Windows Vista, and Windows 7, while DirectX Graphics Infrastructure (DXGI) is only available on Windows Vista and Windows 7. Those methods are:
GetVideoMemoryViaDirectDraw
GetVideoMemoryViaWMI
GetVideoMemoryViaDxDiag
GetVideoMemoryViaD3D9
GetVideoMemoryViaDXGI

On Windows Vista and Windows 7, use DXGI to query the available video memory.
On Windows XP, WMI is a good choice—however, note that integrated video cards often have only shared system memory, and WMI does not distinguish between dedicated and shared memory. So, the returned size should be used with caution to avoid compatibility problems when a system has integrated video hardware.

The Microsoft DirectX SDK includes a VideoMemory sample that can be used as a reference. Its output is shown below.

D3D9 Adapter: 0
Driver: atiu9pag.dll
Description: ATI Mobility Radeon HD 5450
hMonitor: 0x00010001
hMonitor Device Name: \\.\DISPLAY3
        GetVideoMemoryViaDirectDraw
                dwAvailableVidMem: 504 MB (529022976)
        GetVideoMemoryViaDxDiag
                dwDisplayMemory: 1715 MB (1798307840)
        GetVideoMemoryViaWMI
                dwAdapterRAM: 512 MB (536870912)
        GetVideoMemoryViaDXGI
                DedicatedVideoMemory: 504 MB (529022976)
                DedicatedSystemMemory: 0 MB (0)
                SharedSystemMemory: 1210 MB (1269751808)
        GetVideoMemoryViaD3D9
                dwAvailableTextureMem: 1714 MB (1797259264)

The DedicatedVideoMemory value reported by GetVideoMemoryViaDXGI is 504 MB, which seems smaller than the actual size. The GetVideoMemoryViaWMI result seems more correct.

A similar document discusses this for Windows Vista -- http://support.microsoft.com/kb/938838/en-us

Windows Vista displays the incorrect dedicated video memory size for certain display adapters


The following shows how to check the video memory size in Windows.

Wednesday, December 28, 2011

DWM


Desktop Window Manager

The desktop composition feature, introduced in Windows Vista, fundamentally changed the way applications display pixels on the screen. When desktop composition is enabled, individual windows no longer draw directly to the screen or primary display device as they did in previous versions of Windows. Instead, their drawing is redirected to off-screen surfaces in video memory, which are then rendered into a desktop image and presented on the display.
Desktop composition is performed by the Desktop Window Manager (DWM). Through desktop composition, DWM enables visual effects on the desktop as well as various features such as glass window frames, 3-D window transition animations, Windows Flip and Windows Flip3D, and high resolution support.
The Desktop Window Manager in Windows 7 includes some registry keys.
HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM


Saturday, December 24, 2011

SCSI and ATAPI


ATAPI refers to devices that use the Packet Interface of the ATA6 (or higher) standard command set. It is basically a way to issue SCSI commands to a CDROM, CD-RW, DVD, or tape drive, attached to the ATA bus.
ATAPI uses a very small number of ATA commands. The most important are the PACKET command (0xA0), and IDENTIFY PACKET DEVICE (0xA1).

PACKET command (0xA0)

Each ATAPI command packet is made of a 'command byte' (from the SCSI command set -- see below for a partial list), followed by 11 'data' bytes. For instance, reading the table of contents is achieved by sending the following byte string to the device, as a "command".
 unsigned char atapi_readtoc[]=  { 0x43 /* ATAPI_READTOC */, 0, 1, 0, 0, 0, 0, 0, 12, 0x40, 0, 0};

IDENTIFY PACKET DEVICE command (0xA1)

This command is a "normal" ATA PIO mode command, used during initialization. It is an exact mirror of the ATA IDENTIFY command, except that it only returns information about ATAPI devices. Use it in exactly the same way as you use IDENTIFY, including the meanings of all the bits in all the 256 words of data returned.


x86 Directions

Important note: on the Primary bus, the standard set of ATA IO ports is 0x1F0 through 0x1F7. In much or all of the ATAPI documentation, you will see this set of IO ports called the "Task File". The term seems very confusing.


If the transfer is complete, BSY and DRQ will clear. Otherwise, wait for the next IRQ, and read or write the same number of words again.
Notes: there is a possible future change planned to increase the length of ATAPI command strings to 8 words. Check the two bottom bits of ATAPI Identify word 0 to verify 6 or 8 word command size.
Once again, if you use polling to check BSY, DRQ, and ERR after sending the PACKET command, then you should probably ignore the ERR bit for the first four loops. (ATAPI calls this the "CHECK" bit, instead of ERR, but it means the same thing.)

Reference: http://wiki.osdev.org/ATAPI. This page covers some ATAPI commands and SCSI CDB information.


Friday, December 23, 2011

About the SCSI CDB (Command Descriptor Block) allocation block

The "Allocation length" is byte 4 in the typical CDB structure. In the Inquiry command structure, however, the "Allocation length" occupies byte 3 and byte 4. And in the Start/Stop Unit command, byte 4 holds the "LoEj" and "Start" bits.


Unfortunately, the position of the allocation length does not seem to be consistently defined in the CDB spec.


--------------------------------------------------------------------------------------------------------------------------------
From http://en.wikipedia.org/wiki/SCSI_CDB

Each CDB can be a total of 6, 10, 12, or 16 bytes, but later versions of the SCSI standard also allow for variable-length CDBs. The CDB consists of a one byte operation code followed by some command-specific parameters.
A typical CDB structure is:
Byte  Bits 7 to 0
0     Operation code = 03h
1     LUN | Reserved
2     Reserved
3     Reserved
4     Allocation length
5     Control


From http://en.wikipedia.org/wiki/SCSI_Inquiry_Command

The SCSI Inquiry command is used to obtain basic information from a target device.[1] The CDB structure is:
Byte  Bits 7 to 0
0     Operation code = 12h
1     LUN | Reserved | EVPD
2     Page code
3     Allocation length (MSB)
4     Allocation length (LSB)
5     Control


From http://en.wikipedia.org/wiki/SCSI_Start_Stop_Unit_Command

The SCSI Start/Stop Unit command is used to control the motor in a rotary device such as a SCSI disk-drive. It is also used to load or eject removable media, such as a tape or compact disc. It is a frequently-used command and is often the first one issued after initial communication has been established between the initiator and the target.
The CDB structure is:
Byte  Bits 7 to 0
0     Operation code = 1Bh
1     LUN | Reserved | Immed
2     Reserved
3     Reserved
4     Reserved | LoEj | Start
5     Control
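Because the allocation length moves between commands, code that validates a pass-through request has to decode it per opcode rather than reading byte 4 blindly. The following is an added example, not code from the original post or from Wikipedia: it covers the three CDBs in the tables above plus the READ TOC packet from the ATAPI post. The READ TOC field position (bytes 7-8) and the LoEj/Start bit positions come from the SCSI command specifications rather than from this page, and the function names are assumptions.

```python
# Opcodes from the three CDB tables above, plus READ TOC from the ATAPI post.
REQUEST_SENSE, INQUIRY, START_STOP_UNIT, READ_TOC = 0x03, 0x12, 0x1B, 0x43

# opcode -> (CDB length, offset of allocation length, width in bytes).
# An offset of None means the command carries no allocation length at all.
# READ TOC layout (bytes 7-8) is taken from the SCSI spec, not from this page.
LAYOUT = {
    REQUEST_SENSE:   (6, 4, 1),
    INQUIRY:         (6, 3, 2),
    START_STOP_UNIT: (6, None, 0),
    READ_TOC:        (10, 7, 2),
}

# The READ TOC packet from the ATAPI post (12 bytes: 10-byte CDB plus padding).
ATAPI_READTOC = bytes([0x43, 0, 1, 0, 0, 0, 0, 0, 12, 0x40, 0, 0])
# Constructed samples: INQUIRY asking for 0x0124 = 292 bytes, and an eject request.
INQUIRY_292 = bytes([0x12, 0, 0, 0x01, 0x24, 0])
EJECT = bytes([0x1B, 0, 0, 0, 0x02, 0])


def allocation_length(cdb):
    """Return the allocation length carried by a CDB, or None if it has none."""
    if not cdb:
        raise ValueError("empty CDB")
    if cdb[0] not in LAYOUT:
        raise ValueError(f"opcode {cdb[0]:#04x} is not covered by this table")
    size, offset, width = LAYOUT[cdb[0]]
    if len(cdb) < size:
        raise ValueError(f"CDB truncated: need {size} bytes, got {len(cdb)}")
    if offset is None:
        return None
    return int.from_bytes(cdb[offset:offset + width], "big")  # MSB first


def start_stop_flags(cdb):
    """Decode byte 4 of START STOP UNIT: bit 1 = LoEj, bit 0 = Start."""
    if len(cdb) < 6 or cdb[0] != START_STOP_UNIT:
        raise ValueError("not a START STOP UNIT CDB")
    return {"LoEj": bool(cdb[4] & 0x02), "Start": bool(cdb[4] & 0x01)}


def check_buffer(cdb, buffer_size):
    """True when the data-in buffer can hold what the CDB tells the device to send."""
    need = allocation_length(cdb)
    return need is None or need <= buffer_size


if __name__ == "__main__":
    for name, cdb in [("READ TOC", ATAPI_READTOC), ("INQUIRY", INQUIRY_292), ("EJECT", EJECT)]:
        print(name, allocation_length(cdb), "naive byte 4 =", cdb[4])
```

For INQUIRY_292 a byte-4-only reader sees 36 instead of 292, and for EJECT it mistakes the LoEj bit for a length of 2.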




Tuesday, December 20, 2011

Two dump file check utilities


Debug Diagnostic Tool

Debug Diagnostic Tool v1.2 (http://www.microsoft.com/download/en/details.aspx?id=26798)


Overview

The Debug Diagnostic Tool (DebugDiag) is designed to assist in troubleshooting issues such as hangs, slow performance, memory leaks or memory fragmentation, and crashes in any user-mode process. The tool includes additional debugging scripts focused on Internet Information Services (IIS) applications, web data access components, COM+ and COM+ related Microsoft technologies, Sharepoint, and .NET framework.


DebugDiag 1.0 was released as part of the IIS Diagnostic Toolkit and as a standalone tool (x86 only).
DebugDiag 1.1 was released as a standalone tool only (x86 and limited x64 support).
DebugDiag 1.2 is currently available as a standalone tool only (x86 and full x64 support).

Debug Diagnostic Tool v1.1

Please download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=28BD5941-C458-46F1-B24D-F60151D875A3&displaylang=en

Brief Description
The Debug Diagnostic Tool (DebugDiag) is designed to assist in troubleshooting issues such as hangs, slow performance, memory leaks or fragmentation, and crashes in any user-mode process. The tool includes additional debugging scripts focused on Internet Information Services (IIS) applications, web data access components, COM+ and related Microsoft technologies.

More information -- How to Use the Debug Diagnostic Tool v1.1 (DebugDiag) to Debug User Mode Processes.
http://msdn.microsoft.com/en-us/library/ff420662.aspx

DumpChk

After WinDbg is installed, dumpchk.exe is in C:\Program Files\Debugging Tools for Windows (x86).
DumpChk (the Microsoft Crash Dump File Checker tool), DumpChk.exe, is a program that performs a quick analysis of a crash dump file. This enables you to see summary information about what the dump file contains. If the dump file is corrupt in such a way that it cannot be opened by a debugger, DumpChk reveals this fact.
For more detail, see the WinDbg help file.

http://support.microsoft.com/kb/315271/en-us

Friday, December 16, 2011

!devstack & !devnode




The !devstack extension displays a formatted view of the device stack associated with a device object.
The !devnode extension displays information about a node in the device tree.
1. The WDM driver architecture is a layered structure.
2. Each device function has a device node.
3. A device node is made up of device objects.
1: kd> !devstack fffffa800201e830  (One of the device objects in the device node)
  !DevObj   !DrvObj            !DevExt   ObjectName
  fffffa800201e4d0  \Driver\kbdclass   fffffa800201e620  KeyboardClass0
> fffffa800201e830  \Driver\i8042prt   fffffa800201e980
  fffffa8001a8f060  \Driver\ACPI       fffffa8000c7b970  0000005e
!DevNode fffffa8001a90610 :
  DeviceInst is "ACPI\PNP0303\4&27dc0b59&0"
  ServiceName is "i8042prt"
1: kd> !DevNode fffffa8001a90610 1   (!devnode command can show us the device node information)
DevNode 0xfffffa8001a90610 for PDO 0xfffffa8001a8f060
  InstancePath is "ACPI\PNP0303\4&27dc0b59&0"
  ServiceName is "i8042prt"
  TargetDeviceNotify List - f 0xfffff8a000c5cb70  b 0xfffff8a000c5cb70
  State = DeviceNodeStarted (0x308)
  Previous State = DeviceNodeEnumerateCompletion (0x30d)
1: kd> !devobj  fffffa8001a8f060
Device object (fffffa8001a8f060) is for:
 0000005e \Driver\ACPI DriverObject fffffa8000c394e0
Current Irp 00000000 RefCount 1 Type 00000032 Flags 00003040
Dacl fffff9a100094441 DevExt fffffa8000c7b970 DevObjExt fffffa8001a8f1b0 DevNode fffffa8001a90610
ExtensionFlags (0x00000800)
                             Unknown flags 0x00000800
AttachedDevice (Upper) fffffa800201e830 \Driver\i8042prt
Device queue is not busy.
1: kd> dt nt!_device_object fffffa8001a8f060
   +0x000 Type             : 3
   +0x002 Size             : 0x150
   +0x004 ReferenceCount   : 1
   +0x008 DriverObject     : 0xfffffa80`00c394e0 _DRIVER_OBJECT
   +0x010 NextDevice       : 0xfffffa80`01a52720 _DEVICE_OBJECT
   +0x018 AttachedDevice   : 0xfffffa80`0201e830 _DEVICE_OBJECT
   +0x020 CurrentIrp       : (null)
   +0x028 Timer            : (null)
   +0x030 Flags            : 0x3040
   +0x034 Characteristics  : 0x80
   +0x038 Vpb              : (null)
   +0x040 DeviceExtension  : 0xfffffa80`00c7b970     (The device extension is not a fixed structure)
   +0x048 DeviceType       : 0x32
   +0x04c StackSize        : 5 ''
   +0x050 Queue            : <unnamed-tag>
   +0x098 AlignmentRequirement : 0
   +0x0a0 DeviceQueue      : _KDEVICE_QUEUE
   +0x0c8 Dpc              : _KDPC
   +0x108 ActiveThreadCount : 0
   +0x110 SecurityDescriptor : 0xfffff8a0`00094440
   +0x118 DeviceLock       : _KEVENT
   +0x130 SectorSize       : 0
   +0x132 Spare1           : 1
   +0x138 DeviceObjectExtension : 0xfffffa80`01a8f1b0 _DEVOBJ_EXTENSION
   +0x140 Reserved         : (null) 
1: kd> dt _DEVOBJ_EXTENSION 0xfffffa80`01a8f1b0  (Show the device object extension)
nt!_DEVOBJ_EXTENSION
   +0x000 Type             : 13
   +0x002 Size             : 0
   +0x008 DeviceObject     : 0xfffffa80`01a8f060 _DEVICE_OBJECT
   +0x010 PowerFlags       : 0x10   (device/system power state information)
   +0x018 Dope             : (null)
   +0x020 ExtensionFlags   : 0x800
   +0x028 DeviceNode       : 0xfffffa80`01a90610
   +0x030 AttachedTo       : (null)
   +0x038 StartIoCount     : 0
   +0x03c StartIoKey       : 0
   +0x040 StartIoFlags     : 0
   +0x048 Vpb              : (null)
   +0x050 DependentList    : _LIST_ENTRY [ 0xfffffa80`01a8f200 - 0xfffffa80`01a8f200 ]
   +0x060 ProviderList     : _LIST_ENTRY [ 0xfffffa80`01a8f210 - 0xfffffa80`01a8f210 ]

The WinDbg command !devnode xxxxxxxx 1 shows the InstancePath, ServiceName, State, and PreviousState.

2: kd> dt _device_node
nt!_DEVICE_NODE
   +0x000 Sibling          : Ptr64 _DEVICE_NODE
   +0x008 Child            : Ptr64 _DEVICE_NODE
   +0x010 Parent           : Ptr64 _DEVICE_NODE
   +0x018 LastChild        : Ptr64 _DEVICE_NODE
   +0x020 PhysicalDeviceObject : Ptr64 _DEVICE_OBJECT
   +0x028 InstancePath     : _UNICODE_STRING
   +0x038 ServiceName      : _UNICODE_STRING
   +0x048 PendingIrp       : Ptr64 _IRP
   +0x050 Level            : Uint4B
   +0x058 Notify           : _PO_DEVICE_NOTIFY
   +0x0c0 PoIrpManager     : _PO_IRP_MANAGER
   +0x0e0 State            : _PNP_DEVNODE_STATE
   +0x0e4 PreviousState    : _PNP_DEVNODE_STATE
   +0x0e8 StateHistory     : [20] _PNP_DEVNODE_STATE
   +0x138 StateHistoryEntry : Uint4B
   +0x13c CompletionStatus : Int4B
   +0x140 Flags            : Uint4B
   +0x144 UserFlags        : Uint4B
   +0x148 Problem          : Uint4B
   +0x150 ResourceList     : Ptr64 _CM_RESOURCE_LIST
   +0x158 ResourceListTranslated : Ptr64 _CM_RESOURCE_LIST
   +0x160 DuplicatePDO     : Ptr64 _DEVICE_OBJECT
   +0x168 ResourceRequirements : Ptr64 _IO_RESOURCE_REQUIREMENTS_LIST
   +0x170 InterfaceType    : _INTERFACE_TYPE
   +0x174 BusNumber        : Uint4B
   +0x178 ChildInterfaceType : _INTERFACE_TYPE
   +0x17c ChildBusNumber   : Uint4B
   +0x180 ChildBusTypeIndex : Uint2B
   +0x182 RemovalPolicy    : UChar
   +0x183 HardwareRemovalPolicy : UChar
   +0x188 TargetDeviceNotify : _LIST_ENTRY
   +0x198 DeviceArbiterList : _LIST_ENTRY
   +0x1a8 DeviceTranslatorList : _LIST_ENTRY
   +0x1b8 NoTranslatorMask : Uint2B
   +0x1ba QueryTranslatorMask : Uint2B
   +0x1bc NoArbiterMask    : Uint2B
   +0x1be QueryArbiterMask : Uint2B
   +0x1c0 OverUsed1        : <unnamed-tag>
   +0x1c8 OverUsed2        : <unnamed-tag>
   +0x1d0 BootResources    : Ptr64 _CM_RESOURCE_LIST
   +0x1d8 BootResourcesTranslated : Ptr64 _CM_RESOURCE_LIST
   +0x1e0 CapabilityFlags  : Uint4B
   +0x1e8 DockInfo         : <unnamed-tag>
   +0x208 DisableableDepends : Uint4B
   +0x210 PendedSetInterfaceState : _LIST_ENTRY
   +0x220 LegacyBusListEntry : _LIST_ENTRY
   +0x230 DriverUnloadRetryCount : Uint4B
   +0x238 PreviousParent   : Ptr64 _DEVICE_NODE
   +0x240 DeletedChildren  : Uint4B
   +0x244 NumaNodeIndex    : Uint4B
   +0x248 ContainerID      : _GUID
   +0x258 OverrideFlags    : UChar
   +0x259 RequiresUnloadedDriver : UChar
   +0x260 PendingEjectRelations : Ptr64 _PENDING_RELATIONS_LIST_ENTRY