aswTdi.SYS seems to have caused a bsod/reboot on server

[wpn]

this morning my email server spontaniously rebooted, with no apparent reason. i did get a memory dump tho.
i installed the debug tools from MS and pointed the symbols to the website from MS for on the loading and the memory dump analysis gave me this:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\dump\MEMORY25-8-09.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Machine Name:
Kernel base = 0xe1000000 PsLoadedModuleList = 0xe10af9c8
Debug session time: Tue Aug 25 08:55:03.638 2009 (GMT+2)
System Uptime: 81 days 18:31:56.953
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = bd7d800c).  Type ".hh dbgerr001" for details
Loading unloaded module list
...
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f63da000, 0, f576d132, 0}

*** ERROR: Module load completed but symbols could not be loaded for aswTdi.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswRdr.SYS
PEB is paged out (Peb.Ldr = bd7d800c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = bd7d800c).  Type ".hh dbgerr001" for details
Probably caused by : aswTdi.SYS ( aswTdi+3132 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f63da000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f576d132, If non-zero, the instruction address which referenced the bad memory
   address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = bd7d800c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = bd7d800c).  Type ".hh dbgerr001" for details

READ_ADDRESS:  f63da000

FAULTING_IP:
aswTdi+3132
f576d132 8a08            mov     cl,byte ptr [eax]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  aswTdi.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  494bd6af

MODULE_NAME: aswTdi

FAULTING_MODULE: f576a000 aswTdi

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  wspsrv.exe

CURRENT_IRQL:  1

TRAP_FRAME:  be2a49ac -- (.trap 0xffffffffbe2a49ac)
ErrCode = 00000000
eax=f63da000 ebx=00000000 ecx=00000065 edx=f63d9e09 esi=00000000 edi=f63d9e09
eip=f576d132 esp=be2a4a20 ebp=be2a4a24 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
aswTdi+0x3132:
f576d132 8a08            mov     cl,byte ptr [eax]          ds:0023:f63da000=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from e106927e to e107c440

STACK_TEXT: 
be2a4944 e106927e 00000050 f63da000 00000000 nt!KeBugCheckEx+0x1b
be2a4994 e1036c1a 00000000 f63da000 00000000 nt!MmAccessFault+0x813
be2a4994 f576d132 00000000 f63da000 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
be2a4a24 f57703b7 f63d9e09 00000000 00000001 aswTdi+0x3132
be2a4a90 f576f1d4 fe1480c0 fc9efe70 f63d9e09 aswTdi+0x63b7
be2a4af8 f576a7f0 fe38f368 fc9efe70 fc9eff28 aswTdi+0x51d4
be2a4b58 e1040153 fe38f2b0 fc9efe70 fd4c34e8 aswTdi+0x7f0
be2a4b6c f2c39310 fd46a860 e1040153 fd4c3430 nt!IofCallDriver+0x45
be2a4b88 f52bb89b 0001201f f52bb6f7 be2a4c2c aswRdr+0x310
be2a4c20 f52b8097 fc9efe70 fc9efe70 f52b8097 afd!AfdSend+0x955
be2a4c2c f52b8097 fc9efe70 fe304030 be2a4c50 afd!AfdDispatchDeviceControl+0x53
fc9efe70 fcfdfc10 00000000 00000000 fd56b6c0 afd!AfdDispatchDeviceControl+0x53
fc9efe7c fd56b6c0 fb3d6ea0 00000000 000001fb 0xfcfdfc10
00000000 00000000 00000000 00000000 00000000 0xfd56b6c0


STACK_COMMAND:  kb

FOLLOWUP_IP:
aswTdi+3132
f576d132 8a08            mov     cl,byte ptr [eax]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  aswTdi+3132

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_aswTdi+3132

BUCKET_ID:  0x50_aswTdi+3132

Followup: MachineOwner
---------

it seems that  aswTdi.SYS  tried to read memory that wasnt allocated anymore

the server was running for about 80 days straight
4GB memoy
xeon 3GHZ
Win2k3 SP2

the memory dump is 150MB so i cant attach it here, if you (Avast techs) want to analyze the dump i can upload it to your servers when you want me to, just give me the location

[igor]

Please upload the dump to ftp://ftp.avast.com/incoming
(you'll have only write access into that folder, so you won't see even the file you've just uploaded)
Thanks.

[wpn]

i am uploading the file right now

After the reboot the server works just fine again.

the file is called: "MEMORY_myforumname_mycompanyabbreviation_customernumber.DMP"

[lukor]

Hello wpn,

thanks for the dump. I have really identified a bug in aswtdi.sys that can lead to bluescreen on some HTTP data.... sorry for that!

It should be fixed now, but I don't know when the release will go out. Vlk might provide more info about that.

Thanks again,

Lukas.

[wpn]

dont worry about it, im happy to contribute improving the product

[sdornseif]

Hi

I may have the same problem, is this update available yet?

[spg SCOTT]

Hi sdornseif,

There has been a recent update, since these posts, so I imagine that it may have been corrected with it.

If you still have the dumps, it would be a good idea to send them to ALWIL like igor has posted above.

-Scott-

[sdornseif]

Thanks Scott, I'll see what happens

[underdogy]

Hi,

Please tell what's the fixed version on this issue?

I may have the same problem too.

Our Avast version is ver4.8.1110 which is installed on Windows 2003 Enterprise Server SP2.

When I'm debuging, I found the following message.
*** ERROR: Module load completed but symbols could not be loaded for aswTdi.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswRdr.SYS

If I upadte avast to the latest version, Can I solve this problem?

Best regards.