DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)

I enabled DriverVerifier (Driver Verifier (Windows Drivers)) to debug a different issue on my Toshiba Encore 8 and got this BSOD during boot:

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)

N bytes of memory was allocated and more than N bytes are being referenced.

This cannot be protected by try-except.

When possible, the guilty driver's name (Unicode string) is printed on

the bugcheck screen and saved in KiBugCheckDriver.

Arguments:

Arg1: aefe9000, memory referenced

Arg2: 00000001, value 0 = read operation, 1 = write operation

Arg3: 91b56959, if non-zero, the address which referenced memory.

Arg4: 00000000, (reserved)

Debugging Details:

------------------

WRITE_ADDRESS:  aefe9000 Special pool

FAULTING_IP:

DptfDevDisplay+1959

91b56959 894e08          mov     dword ptr [esi+8],ecx

MM_INTERNAL_CODE:  0

IMAGE_NAME:  DptfDevDisplay.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  52982e04

MODULE_NAME: DptfDevDisplay

FAULTING_MODULE: 91b55000 DptfDevDisplay

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0xD6

PROCESS_NAME:  DptfParticipan

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

DEVICE_OBJECT: 91022660

DRIVER_OBJECT: 00000000

TRAP_FRAME:  82fef9a0 -- (.trap 0xffffffff82fef9a0)

ErrCode = 00000002

eax=00000000 ebx=82fefa60 ecx=00000064 edx=00000012 esi=aefe8ff8 edi=aee18f38

eip=91b56959 esp=82fefa14 ebp=82fefa30 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246

DptfDevDisplay+0x1959:

91b56959 894e08          mov     dword ptr [esi+8],ecx ds:0023:aefe9000=????????

Resetting default scope

LAST_CONTROL_TRANSFER:  from 8194fbaa to 81913244

STACK_TEXT: 

82fef824 8194fbaa 00000050 aefe9000 00000001 nt!KeBugCheckEx

82fef880 8185d122 82fef9a0 00001a09 82fef8f8 nt! ?? ::FNODOBFM::`string'+0x22f88

82fef908 81927845 00000001 aefe9000 00000000 nt!MmAccessFault+0x742

82fef908 91b56959 00000001 aefe9000 00000000 nt!KiTrap0E+0xf1

WARNING: Stack unwind information not available. Following frames may be wrong.

82fefa30 91b568b6 935cca80 00222004 aefe8ff8 DptfDevDisplay+0x1959

82fefa64 83290a6a 51025059 935cca80 00000004 DptfDevDisplay+0x18b6

82fefab4 83290499 510250e0 935f6de8 aefdaf18 Wdf01000!FxIoQueue::DispatchRequestToDriver+0x175

82fefaec 83294bb2 935f6d00 00000000 aefdaf18 Wdf01000!FxIoQueue::DispatchEvents+0x289

82fefb10 8328dc4f aefdaf18 a850e2f0 aee18f20 Wdf01000!FxIoQueue::QueueRequest+0x6f

82fefbbc 81cc3b3d 00b6e208 aee18f20 81cc3871 Wdf01000!FxDevice::DispatchWithLock+0xf4e

82fefbe0 81871a52 81a8566e 91022660 aee18f20 nt!IovCallDriver+0x2cc

82fefbf4 81a8566e aee18fd8 aee18f20 00000000 nt!IofCallDriver+0x62

82fefc50 81a88328 91022660 00000000 00000001 nt!IopSynchronousServiceTail+0x16e

82fefcf8 81a87f32 00000000 00000000 00000204 nt!IopXxxControlFile+0x3e8

82fefd24 81924377 000000dc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

82fefd24 77b835d4 000000dc 00000000 00000000 nt!KiSystemServicePostCall

0157fdb8 00000000 00000000 00000000 00000000 0x77b835d4

STACK_COMMAND:  kb

FOLLOWUP_IP:

DptfDevDisplay+1959

91b56959 894e08          mov     dword ptr [esi+8],ecx

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  DptfDevDisplay+1959

FAILURE_BUCKET_ID:  0xD6_VRF_DptfDevDisplay+1959

BUCKET_ID:  0xD6_VRF_DptfDevDisplay+1959

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xd6_vrf_dptfdevdisplay+1959

FAILURE_ID_HASH:  {22c40be8-8845-e808-9beb-e07ea10e88db}

---------

2: kd> !PROCESS 9100b380 f

PROCESS 9100b380  SessionId: 0  Cid: 01f8    Peb: 7fdb9000  ParentCid: 02f4

    DirBase: 79ff3440  ObjectTable: b73aca80  HandleCount: <Data Not Accessible>

    Image: DptfParticipantDisplayService.exe

    VadRoot 9100f2f0 Vads 43 Clone 0 Private 121. Modified 0. Locked 0.

    DeviceMap 82a09f20

    Token                             b73a9620

    ElapsedTime                       00:00:00.093

    UserTime                          00:00:00.000

    KernelTime                        00:00:00.000

    QuotaPoolUsage[PagedPool]         47292

    QuotaPoolUsage[NonPagedPool]      3240

    Working Set Sizes (now,min,max)  (721, 50, 345) (2884KB, 200KB, 1380KB)

    PeakWorkingSetSize                695

    VirtualSize                       24 Mb

    PeakVirtualSize                   24 Mb

    PageFaultCount                    729

    MemoryPriority                    BACKGROUND

    BasePriority                      8

    CommitCharge                      137

    Job                               8caba240

        THREAD 91014bc0  Cid 01f8.0298  Teb: 7fdbf000 Win32Thread: aa213278 WAIT: (UserRequest) UserMode Non-Alertable

            9101c070  SynchronizationEvent

        Not impersonating

        DeviceMap                 82a09f20

        Owning Process            9100b380       Image:         DptfParticipantDisplayService.exe

        Attached Process          N/A            Image:         N/A

        Wait Start TickCount      1406           Ticks: 3 (0:00:00:00.046)

        Context Switch Count      70             IdealProcessor: 0            

        UserTime                  00:00:00.000

        KernelTime                00:00:00.031

        Win32 Start Address 0x00f63e02

        Stack Init b1913de0 Current b1913b74 Base b1914000 Limit b1911000 Call 0

        Priority 13 BasePriority 8 UnusualBoost 5 ForegroundBoost 0 IoPriority 2 PagePriority 5

        ChildEBP RetAddr 

        b1913b8c 8187a702 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])

        b1913be8 8187a1b1 nt!KiSwapThread+0x172 (FPO: [Non-Fpo])

        b1913c2c 81875176 nt!KiCommitThreadWait+0x141 (FPO: [3,11,4])

        b1913ce0 81a8bc9f nt!KeWaitForSingleObject+0x176 (FPO: [5,37,4])

        b1913d40 81924377 nt!NtWaitForSingleObject+0xcf (FPO: [Non-Fpo])

        b1913d40 77b835d4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ b1913d54)

WARNING: Frame IP not in any known module. Following frames may be wrong.

        0096f5f4 00000000 0x77b835d4

        THREAD 91022bc0  Cid 01f8.02e4  Teb: 7fdbe000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable

            91020a80  QueueObject

        Not impersonating

        DeviceMap                 82a09f20

        Owning Process            9100b380       Image:         DptfParticipantDisplayService.exe

        Attached Process          N/A            Image:         N/A

        Wait Start TickCount      1406           Ticks: 3 (0:00:00:00.046)

        Context Switch Count      9              IdealProcessor: 0            

        UserTime                  00:00:00.000

        KernelTime                00:00:00.000

        Win32 Start Address 0x77b2e840

        Stack Init b1734de0 Current b1734aac Base b1735000 Limit b1732000 Call 0

        Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

        ChildEBP RetAddr 

        b1734ac4 8187a702 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4])

        b1734b20 8187a1b1 nt!KiSwapThread+0x172 (FPO: [Non-Fpo])

        b1734b64 8187d131 nt!KiCommitThreadWait+0x141 (FPO: [3,11,4])

        b1734be4 8187cd5e nt!KeRemoveQueueEx+0x271 (FPO: [6,23,4])

        b1734c50 8187dd9b nt!IoRemoveIoCompletion+0x2c (FPO: [Non-Fpo])

        b1734d38 81924377 nt!NtWaitForWorkViaWorkerFactory+0x20b (FPO: [Non-Fpo])

        b1734d38 77b835d4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ b1734d54)

WARNING: Frame IP not in any known module. Following frames may be wrong.

        00f2fac0 00000000 0x77b835d4

        THREAD 91026bc0  Cid 01f8.0324  Teb: 7fdbc000 Win32Thread: 00000000 RUNNING on processor 2

        IRP List:

            aee18f20: (0006,00dc) Flags: 40060070  Mdl: 00000000

        Not impersonating

        DeviceMap                 82a09f20

        Owning Process            9100b380       Image:         DptfParticipantDisplayService.exe

        Attached Process          N/A            Image:         N/A

        Wait Start TickCount      1409           Ticks: 0

        Context Switch Count      61             IdealProcessor: 0            

        UserTime                  00:00:00.000

        KernelTime                00:00:00.000

        Win32 Start Address 0x00f61460

        Stack Init 82fefde0 Current 82fefa50 Base 82ff0000 Limit 82fed000 Call 0

        Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

        ChildEBP RetAddr 

        82fef824 8194fbaa nt!KeBugCheckEx

        82fef880 8185d122 nt! ?? ::FNODOBFM::`string'+0x22f88

        82fef908 81927845 nt!MmAccessFault+0x742 (FPO: [4,23,4])

        82fef908 91b56959 nt!KiTrap0E+0xf1 (FPO: [0,0] TrapFrame @ 82fef9a0)

WARNING: Stack unwind information not available. Following frames may be wrong.

        82fefa30 91b568b6 DptfDevDisplay+0x1959

        82fefa64 83290a6a DptfDevDisplay+0x18b6

        82fefab4 83290499 Wdf01000!FxIoQueue::DispatchRequestToDriver+0x175 (FPO: [Non-Fpo])

        82fefaec 83294bb2 Wdf01000!FxIoQueue::DispatchEvents+0x289 (FPO: [Non-Fpo])

        82fefb10 8328dc4f Wdf01000!FxIoQueue::QueueRequest+0x6f (FPO: [Non-Fpo])

        82fefbbc 81cc3b3d Wdf01000!FxDevice::DispatchWithLock+0xf4e (FPO: [Non-Fpo])

        82fefbe0 81871a52 nt!IovCallDriver+0x2cc (FPO: [Non-Fpo])

        82fefbf4 81a8566e nt!IofCallDriver+0x62 (FPO: [Non-Fpo])

        82fefc50 81a88328 nt!IopSynchronousServiceTail+0x16e (FPO: [Non-Fpo])

        82fefcf8 81a87f32 nt!IopXxxControlFile+0x3e8 (FPO: [Non-Fpo])

        82fefd24 81924377 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])

        82fefd24 77b835d4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 82fefd54)

        0157fdb8 00000000 0x77b835d4

2: kd> lmvm DptfDevDisplay

start    end        module name

91b55000 91b5e000   DptfDevDisplay   (no symbols)          

    Loaded symbol image file: DptfDevDisplay.sys

    Image path: \SystemRoot\system32\DRIVERS\DptfDevDisplay.sys

    Image name: DptfDevDisplay.sys

    Timestamp:        Fri Nov 29 07:02:44 2013 (52982E04)

    CheckSum:         00013218

    ImageSize:        00009000

    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

2: kd> .trap 0xffffffff82fef9a0

ErrCode = 00000002

eax=00000000 ebx=82fefa60 ecx=00000064 edx=00000012 esi=aefe8ff8 edi=aee18f38

eip=91b56959 esp=82fefa14 ebp=82fefa30 iopl=0         nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246

DptfDevDisplay+0x1959:

91b56959 894e08          mov     dword ptr [esi+8],ecx ds:0023:aefe9000=????????

Have you seen this before? What is this DptfParticipantDisplayService.exe doing? I use the last version (10E) that Toshiba provides:

http://www.toshiba.eu/innovation/download_driver_details.jsp?service=EU&selCategory=2&selFamily=387&selSeries=418&selProduct=17569&selShortMod=4522&language=13&selOS=45&selType=all&yearupload=2014&monthupload=3&dayupload=27&useDate=null&mode=allMachines&search=&action=search&macId=&country=all&selectedLanguage=13&type=all&page=1&ID=90268&OSID=45&driverLanguage=42