The other possibility, (yes, you knew it was coming), is that another program placed a big fat zero into the ipcaccess () routine. Modules are loaded into memory with writable pages! Yes, a program running in kernel mode can write onto another module's pages, changing its instructions and data. Diving through the SunSolve databases, there are (so far) no recorded instances of modules merrily stomping on other modules the way we have seen in this crash dump. That leaves us the following options.
Option 1 sounds too much like looking for a needle in a haystack. But, if we had the energy to wander through all of the threads, we would probably try to locate the threads running the unknown custom drivers first. At the very least, we could look for a store instruction that writes to ipcaccess+18 . While we will reject this option (in favor of option 3), we do have another trick up our sleeve, which we will try shortly. Option 3 takes care of option 1. The programmer will be doing the same thing, and he knows the code to the driver we are most worried about. Option 4 has been done, with the customer fully aware of the analysis, our findings, and our concerns about his system. He knows it will crash again someday unless the root cause is located. |