Vista/2K8 BSODs after WDDM driver installation on VirtualBox 5.2 / Debian 10

Discussions about using Windows guests in VirtualBox.
Post Reply
i336_
Posts: 1
Joined: 22. Oct 2019, 03:19

Vista/2K8 BSODs after WDDM driver installation on VirtualBox 5.2 / Debian 10

Post by i336_ »

Hi!

I'm trying to set up some Windows Vista, Server 2K8 and 7 VMs so I can do some research into how DWM (Aero) works. I'm not succeeding. I've had a very long week involving sloooooowly downloading quite a few more ISOs than I ever expected I would, and I wonder if I've seen more BSODs over the past ~5 days than I have in the wild over the past 15 years, haha.

TL;DR, with VirtualBox 5.2.34 installed on Debian 10 through the official apt repository, the WDDM driver in 3D (Aero) mode gets very serious indigestion when used with many Vista-era editions of Windows.
  • Aero! - Vista Enterprise SP2 x64 (en_windows_vista_enterprise_sp2_x64_dvd_342332.iso)
  • BSOD - Vista Ultimate x64 Checked (en_windows_vista_x64_check_dvd_x13-31669.iso)
  • BSOD - Vista Ultimate SP1 x64 Checked (en_windows_vista_ultimate_sp2_checked_build_x64_dvd_342433.iso)
  • BSOD - Vista Ultimate SP2 (en_windows_vista_ultimate_sp2_checked_build_x86_dvd_342432.iso)
  • BSOD - Vista Ultimate SP2 x64 (en_windows_vista_ultimate_sp2_checked_build_x64_dvd_342433.iso)
  • BSOD - Vista Ultimate SP2 x64 Checked (en_windows_vista_ultimate_sp2_checked_build_x64_dvd_342433.iso)
  • BSOD - Server 2008 Enterprise 64-bit Checked (en_windows_server_2008_enterprise_checked_x64_dvd_72462.iso)
  • Aero! - 7 SP1 Enterprise Checked 64-bit (en_windows_7_with_sp1_debug_checked_build_x64_dvd_619601.iso)
  • Aero! - 2K8R2 SP1 x64 Enterprise Checked (en_windows_server_2008_r2_standard_enterprise_datacenter_and_web_with_sp1_debug_checked_build_x64_dvd_619600.iso)
I initially started with VirtualBox 6.0, but it didn't take long after the BSODs started for me to find hints that it apparently has issues running Vista - Guest Additions 6.0 and later *broken* on Vista?, Aero/transparency on Windows Vista no longer working with VirtualBox 6.0.0 r127566 - so I promptly downgraded to 5.2.34.

Unfortunately, despite reinstalling all my VMs under 5.x (long past few days :)), the problems continued: the system BSODs on startup immediately following WDDM driver installation, and if left alone will bootloop forever. (I can verify that once I downgraded to 5.2 the Guest Additions installer showed version 5.2.34 each time I ran through it.)

It would be cool if this was fixed sooner(ish, priorities permitting) rather than later, and in the interests of doing what I can to help things head generally in that direction, I would like to offer a) the results of !analyze -v on MEMORY.DMP from Vista Ultimate SP2 x64 (which I was able to find debug symbols for), and b) repro instructions that, when executed on my machine, lead to my staring at said crashdump in WinDBG - which I get the impression is generally the starting point to making real progress in root-causing what's breaking.

I'm definitely out of my depth at this point but I don't mind the thought of poking a bit further, given a reasonable understanding of what it is I would be tracking down - *maybe* I could even set up kernel debugging (where you use two VMs) for example, that could be fun.

So, first of all, here's the crashdump from Vista Ultimate SP2 x64 Checked. The reason I'm only posting this version is that (as you'll see in the repro section) this is the only edition for which I could find working symbol files.

Code: Select all

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [H:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: c:\symbols\
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (2 procs) Checked x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18005.amd64chk.lh_sp2rtm.090410-1830
Machine Name:
Kernel base = 0xfffff800`0146f000 PsLoadedModuleList = 0xfffff800`01b60850
Debug session time: Mon Oct 28 04:03:15.136 2019 (UTC + 11:00)
System Uptime: 49 days 16:03:00.446 (checked kernels begin at 49 days)
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {80000003, fffff8000162bed8, fffffa6002ce71c0, 0}

Page 1666b not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : dxgkrnl.sys ( dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+6c7 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 0000000080000003, Exception code that caused the bugcheck
Arg2: fffff8000162bed8, Address of the instruction which caused the bugcheck
Arg3: fffffa6002ce71c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page 1666b not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP: 
nt!DebugPrompt+18
fffff800`0162bed8 c3              ret

CONTEXT:  fffffa6002ce71c0 -- (.cxr 0xfffffa6002ce71c0)
rax=0000000000000002 rbx=0000000000000065 rcx=fffffa60041195d0
rdx=fffffa6002ce001d rsi=fffff88004965880 rdi=fffffa60041195ee
rip=fffff8000162bed7 rsp=fffffa6002ce7a38 rbp=0000000000000002
 r8=fffffa6002ce7ac0  r9=0000000000000002 r10=0000000000000000
r11=fffffa6002ce7a88 r12=0000000000000000 r13=0000000000000000
r14=fffffa6004115000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
nt!DebugPrompt+0x17:
fffff800`0162bed7 cc              int     3
Resetting default scope

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff800015e0525 to fffff8000162bed7

STACK_TEXT:  
fffffa60`02ce7a38 fffff800`015e0525 : 00000000`00000065 fffff800`015e012c fffff800`01630a90 ffffffff`00000065 : nt!DebugPrompt+0x17
fffffa60`02ce7a40 fffffa60`04116402 : fffffa60`041195d0 fffffa60`02ce7ac0 fffffa60`00000002 fffffa60`041194f0 : nt!DbgPrompt+0x51
fffffa60`02ce7a90 fffffa60`040616a3 : fffff880`00000002 fffff880`04965880 00000000`00000002 ffffffff`c01e0306 : watchdog!WdLogEvent5+0x282
fffffa60`02ce7b00 fffffa60`04062233 : fffff880`0496a9f0 fffff880`0488cbb0 fffff880`0496aa50 fffff880`0488cb20 : dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+0x6c7
fffffa60`02ce7cf0 fffffa60`0406722c : fffffa80`02c02000 fffff880`0488cc60 fffff880`0496a9f0 fffff880`0488cbb0 : dxgkrnl!ObtainModeSetAvailOnVidPnSource+0x1ff
fffffa60`02ce7da0 fffffa60`040495ff : fffffa80`02c02000 fffffa60`02ce7f48 fffffa60`02ce7f48 fffffa80`02c02000 : dxgkrnl!GetActiveVidPnBasedDisplayModeList+0x2fc
fffffa60`02ce7eb0 fffffa60`04058cbd : fffffa80`02c02000 fffffa60`02ce7f48 ffffffff`c0000225 00000000`0cddba5e : dxgkrnl!DXGADAPTER::CreateModeList+0xcb
fffffa60`02ce7f10 fffff960`006b5370 : fffffa80`02c02000 fffffa60`02ce7ff8 00000000`0cddba5e 00000000`0023e05b : dxgkrnl!DxgkCddGetDisplayModeList+0x261
fffffa60`02ce7fc0 fffff960`006b5c89 : fffffa60`02ce8190 fffffa80`02c02000 00000000`00000000 fffffa60`02ce80ec : cdd!GetDisplayModeList+0x140
fffffa60`02ce8080 fffff960`001822f6 : fffffa80`02c3d330 fffffa60`00000000 00000000`00000000 00000000`00000000 : cdd!DrvGetModes+0x3f9
fffffa60`02ce8270 fffff960`00186fe1 : fffff900`c006bee0 fffff900`c0049880 fffffa80`02c3d330 fffffa60`02ce8340 : win32k!ldevGetDriverModes+0x23a
fffffa60`02ce8320 fffff960`00187e38 : fffff900`c006bee0 fffff900`00000000 00000000`00000000 fffff800`00000000 : win32k!DrvBuildDevmodeList+0x119
fffffa60`02ce8390 fffff960`0018ef2a : fffff900`c006bee0 fffffa60`02ce85a8 fffffa60`02ce85d8 fffffa60`02ce86b0 : win32k!DrvProbeAndCaptureDevmode+0x6d4
fffffa60`02ce8550 fffff960`001913c0 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : win32k!DrvCreateMDEV+0x5ea
fffffa60`02ce87f0 fffff960`0002d056 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : win32k!DrvChangeDisplaySettings+0x5f0
fffffa60`02ce8a40 fffff960`0002dae6 : fffffa60`00000001 00000000`00000000 fffff960`002d7a28 00000000`00000001 : win32k!InitVideo+0x18e
fffffa60`02ce8b20 fffff960`0002e832 : fffffa80`02c64040 fffff960`002d9070 fffff960`002d7a28 00000000`00000020 : win32k!UserInitialize+0x392
fffffa60`02ce8bd0 fffff800`01630573 : 00000000`00000060 00000000`00000064 fffffa80`02c64bb0 fffffa60`02ce8ca0 : win32k!NtUserInitialize+0x1ba
fffffa60`02ce8c20 000007fe`fcfbf4ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`001cf8e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`fcfbf4ba


FOLLOWUP_IP: 
dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+6c7
fffffa60`040616a3 33c9            xor     ecx,ecx

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+6c7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: dxgkrnl

IMAGE_NAME:  dxgkrnl.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  49e0289b

STACK_COMMAND:  .cxr 0xfffffa6002ce71c0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+6c7

BUCKET_ID:  X64_0x3B_dxgkrnl!ObtainModeSetAvailOnVidPnPresentPath+6c7

Followup: MachineOwner
---------
Now for the repro instructions, which I'm reasonably confident :) are accurate.

The following sequence reproduces as described below on my system. I make no promises that any of the following will work exactly on your hardware; after all, this is debugging a driver failure.
  • Hardware: Core i3-3220 (w/ Intel Graphics 2500), ASUS P8H61-M LX3 R2.0 motherboard, 8GB RAM, 6TB storage (soon to be ~20TB :D)
    Ingredients (some of which will likely be sitting in your local MSDN archive, or available online if you keep an eye out):
    • Freshly-installed Debian 10 (+ ZFS), kernel 4.19.0-6
    • VirtualBox 5.2.x (5.2.34 in my case) from official Debian repo
    • GRMSDKX_EN_DVD.iso (571MB)
    • en_windows_vista_enterprise_sp2_x64_dvd_342332.iso (3.0G)
    • en_windows_vista_x64_check_dvd_x13-31669.iso (3.2G)
    • en_windows_vista_sp2_windows_server_2008_sp2_symbols_checked_debug_x64_342440.exe (225MB)
    Method:
    1. I create a VM for Server 2K8.
    2. I use: ICH9, 2 CPUs, 3D Accel (duh), 192MB VRAM, no audio, two NICs, and a shared folder (to /). The BSODs only depend on 3D accel being enabled; I mention everything else for completeness' sake.
    3. Add the ISO; install stereotypically. (IIRC this ISO only enables the Custom install path, not the Upgrade path - or that might've been another ISO, I forget.) I name the VM something boring, and don't configure a password. Once at the desktop I insert the Guest Additions CD, browse to D:\ and start the _amd64 installer manually. I'm sure to answer N at the "basic 3D" prompt.
    4. At the next (and all following) reboot(s), on my hardware, Server 2K8 will BSOD. (The BSODs don't occur when I enable DWM - they happen on boot, before the contemporary desktop has even loaded). I close the VM after it has finished dumping.
    5. I create a VM for Vista Enterprise SP2 x64. (^C/^Ving steps #2 and #3 here.) It needs access to the symbols*exe file, which folder sharing comes in handy for.
    6. Hopefully :) this VM does not BSOD on next reboot :). Assuming everything's okay, Aero functionality can be verified via (desktop right-click menu) > Personalize > Theme (near the bottom).
    7. I shut the VM down, go into the Storage configuration and add the disk image from the Server 2K8 VM, then relaunch the (working, Vista Enterprise) VM.
    8. I insert GRMSDKX_EN_DVD.iso. The main setup program didn't work for me and gave an inscrutable error, but the only needed component can be found in D:\Setup\WinSDKDebuggingTools_amd64 (dbg_amd64.exe). (As you're probably already aware, this is WinDBG.)
    9. I run the symbols*exe file to install the debugging symbols. NOTE that the installer EXE crashes for me with 100% reproducibly on Win7 Enterprise SP2 Checked, which is why these instructions specify installing it in Vista. (But the destination symbol directory could be easily extracted via folder sharing.)
    10. Now WinDBG, debugging symbols, and the memory dump are all within arm's reach... and you most definitely know more about how to take it from here than I do :)
Hopefully the above is useful.

I look forward to hearing that engineering is successfully encountering BSODs in lab conditions :D

If the instructions above fail or succeed in different ways than I've described, I'd be interested in diving in and figuring out why, (inconsistently available) time permitting.

I've noted some posts request minidump files. I might be able to upload one of these too, if I can convince the VM to boot so I can actually enable minidumping (even Safe Mode doesn't want to cooperate sometimes once the driver wedges the VM). I could share the MEMORY.DMP, but that would take a bit on my 100KB/s upload.

Cheers!
Post Reply