Referenced Memory "Problem"
January 14, 2009 10:19 AM   Subscribe

What does it mean that my computer tells me, daily, that, "The instruction at '0x7c9108b3' referenced memory at '0xfffffff8'. The Memory could not be 'read'."? And what's with the scare quotes around "read"?
posted by Hypnotic Chick to Computers & Internet (28 answers total) 4 users marked this as a favorite
 
When does this happen? Is there any particular pattern to when/what you are doing when this happens?
posted by Brettus at 10:30 AM on January 14, 2009


Not to panic you, but you need to back up your important personal files in preparation for what better experts may be advising you. This means an external hard drive or network drive. It is always good to have a back up.

In any case, you have at a mimumum, corrupted files or background applications running that are causing interference.
posted by jadepearl at 10:30 AM on January 14, 2009


What the error means is that some program is trying to reference memory that it does not own. (It looks like pointer math being done on a null pointer)

This does not necessarily mean corrupted files.
posted by stubby phillips at 10:35 AM on January 14, 2009


That's usually caused by a program trying to access memory that it's not allowed to access. The title bar should tell you the name of the program that's causing it, which would help a lot in trying to figure out what's going on.

And what's with the scare quotes around "read"?

That's actually a good question, I have no idea. It's possible that the error will also show in cases where a program isn't actually trying to read anything. Or someone at Microsoft might be making the philosophical argument that computers, as non-living unintelligent inanimate objects, cannot "read" in the same sense that humans do.

In any case, you have at a mimumum, corrupted files or background applications running that are causing interference.

Yes, some program is doing something wrong, but it's not always a big deal. It could be that some C++ programmer wrote his code to read 20 items from memory instead of 19, and the error pops up when it tries to read past the last real one. Backing up data is always a good idea in any case though.
posted by burnmp3s at 10:36 AM on January 14, 2009


The quotes mean that they're using a loose definition of the word "read". It may be attempting to load the value, execute and instruction at that address, or reference it in some other way.
posted by stubby phillips at 10:37 AM on January 14, 2009


To put it more simply, a program on your computer is crashing.

Next time you see that message, look at the title bar of the dialog box. You should see the name of an application, like "iexplore.exe - Application Error". Then you should just google the name of the application and see what it is. If it's a program that you know of, then you could try uninstalling and reinstalling it (or making sure that it's up-to-date). If not, then post the name of it here.
posted by helios at 10:39 AM on January 14, 2009


Yes, a program is crashing with a dumb bug. If it's the same program all the time, look for an update. If it's a different program all the time then something may be seriously wrong with your computer and this is just a random symptom. In that case make a good backup, do a virus scan, and run a memory diagnostic like memtest86.

As for the scare quotes around read, they're there to remind you that "programmers" are not "technical writers". There's a grand tradition of terrible error reporting in software. Abort, Retry, or Fail?
posted by Nelson at 10:44 AM on January 14, 2009


Are the numbers the same each time, or do they vary? And what OS are you running?

Given the 0xfffffff8, I think this sounds more like a program bug than a hardware failure. (A null pointer minus eight.)

As for the precise meaning of the message: the OS works hard to provide to each program the illusion that it has the machine's memory all to itself, a virtual space of addresses numbered 00000000 to ffffffff. This holds both the program instructions themselves and the data it's using at the moment. But not everything in that range actually exists (or can be called into existence on demand), and if the program tries to read or write a location that hasn't been given a meaning, the illusion breaks down and the OS terminates that program on the assumption it's buggy. Sometimes it's not the program's fault: if your hardware is failing, you can get errors like that. But I'd expect those errors to be slightly more detailed ("error reading 12345678, DIMM slot 3, ECC failure" or "failure blah blah, disk sector 42, blah blah").

Even more specifically, the instruction at location 7c9108b3 has what it thinks is the address of some chunk of data, but that address (fffffff8) was bogus for one reason or another.

As for the scare quotes, maybe the message is cobbled together from bits of text coming from different places? Dunno. Low-level error messages tend to be a bit weird: the information they give is really for the original programmer's use, and the UI people are usually not willing to touch them without making them useless to the programmer.
posted by hattifattener at 10:56 AM on January 14, 2009


As helios said, you need to narrow down which program is causing the fault. I don't think the application name is showing up in the dialog box, or you probably would have mentioned it.

If so, you can determine which application is crashing (and why) by opening the Windows event viewer (eventvwr.exe) and looking under the Application log for an Application Error event (ID 1000). In the event details, under faulting application there should be the name of the .exe hosting the crashing process, and under faulting module there should be the name of the thing that's really causing the problem.

If the crash details are consistent for all the event log entries (the 0xblahblah numbers), then it's probably not a hardware problem. You need to talk to the software vendor to determine why the application is crashing.

If that doesn't help or you just don't want to deal with the vendor, then you need to diagnose the problem yourself. I assume you're on Windows XP, so the error log with the technical information about the crash should be in C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log. Post the last few entries in the log.
posted by thalakan at 11:02 AM on January 14, 2009


I got this a lot in Windows XP. While the above statements about it being a hard drive COULD be true, it can also be a RAM issue (some bad memory on one of your RAM chips) or even a bad driver issue for one of your hardware devices. Or it could be a faulty CPU.

This is one of those really difficult to somewhat impossible to diagnose errors in that it is so vague. Depending on your level of expertise, you can try to make the error repeatable by seeing if it's one application, a combination of applications, etc. running when you get the error; removing or disabling non-essential hardware components (i.e. sound card if you're not using sound, etc).

But it's one of those that just can't be nailed down just from the error message.
posted by arniec at 11:07 AM on January 14, 2009


It just occurred to me that you might have a crash dump of the error as well. If the crash reporting tool (dr watson) is configured using the Windows XP defaults, there should be a file named C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp which contains a crash dump. If you post that I can figure out what the problem is using the data in the file.

If the log file I mentioned earlier and the crash dump file aren't present, then you may have to enable logging by running drwtsn32 (start->run->drwtsn32) and checking the box that says create crash dump file. Then wait for another crash.

For the other geeks in this thread, I just checked, and 0x7c9108b3 is in ntdll!wcsncpy() on XP SP3 by default, which explains the wrapped memory address.
posted by thalakan at 11:18 AM on January 14, 2009


Again for the other geeks, the message is generated by RtlUnhandledExceptionFilter2() in ntdll.dll. (I checked before I mentioned it to make sure I remembered it correctly.) This gets called when the application triggers a Win32 layer exception (EXCEPTION_ACCESS_VIOLATION in this case) and doesn't register a filter using SetUnhandledExceptionFilter() or AddVectoredExceptionHandler(). The kernel calls RtlUnhandledExceptionFilter in the executive layer as part of the default exception handling sequence, which eventually triggers generation of the message.
posted by thalakan at 11:44 AM on January 14, 2009


Wow, thank you everyone. Here are some responses to the questions posed.

1. Is there any particular pattern...? Not that I can detect. Occaissionally, I'll simply leave the computer and when I get back I'll see it. The only consistent thing is that I am running Firefox (3.0.5), but this is almost always on anyway.

2. Are the numbers the same each time...? I believe so, but from now on, I'll rewrite the message into a notepad file and make sure to check the title bar. It only shows up once a day, though.

3. thalakan: I opened the drwtsn32.log file but it is very long and I don't know how much to copy and paste. I do have a user.dmp file, but I am unsure how to open it. Looking around, it seems I have to first install "Debugging Tools for Windows 32-bit Version". Should I do this?

In the meanwhile, I ran the Event Viewer and it comes up as event ID 5000 and it says the following in the description:

McShield service started.
Engine version : 5300.2777
DAT version : 5494.0000

Number of signatures in EXTRA.DAT : None
Names of threats that EXTRA.DAT can detect : None

BTW, thank you to everyone for your help. I am very much in the weeds here.
posted by Hypnotic Chick at 11:45 AM on January 14, 2009


One more thing, this computer is a six month old Dell Vostro with no added components. If there are any hardware problems they aren't from anything I've added myself. Still, I see the logic in determining that course as well.
posted by Hypnotic Chick at 11:49 AM on January 14, 2009


I already have debugging tools for windows, and I'll use it to open the dump file. You could do it yourself, but I suspect you're not a programmer and you need to be one to interpret the results.

You need to post the dump file somewhere, like, uh, hmm, let me write something real quick here...

Ok, you can upload the dump file and the log file to my server here:

http://lightconsulting.com/~thalakan/test4.php

I'll have a look and post the results.
posted by thalakan at 11:54 AM on January 14, 2009


I've seen these types of errors caused by Javascript on computers around the office. Specifically when using Google's results-as-you-type and Google Maps.
posted by speeb at 11:56 AM on January 14, 2009


It's probably some piece of junk software that's been installed and runs at startup, either intentionally, or as part of fancy spyware that occasionally infects the weak ;)

As hattifattener suggested, 0xfffffff8 is a highly suspect address, and I'd immediately discount any hardware malfunction hypothesis -- THERE IS NO RAM at 0xFFFFFFF8 TO FAIL. Computers use that high range primarily as memory that doesn't exist; the OS will decide to map it to device access and only allow itself access to the range. Applications aren't allowed to read it. I've always imagined that the scare quotes are just a programmer mistake, placing unnecessary quotes around all the variable parts of the message: instruction address, dereferenced address and action. (in this case, read. you can also get "write")

I wouldn't sweat it. I get a similar error every time I finish watching some Quicktime training videos. Your ability to fix this as an end user is pretty much nil. At best, you can identify which program is crashing and stop running it, and maybe report the problem to the brick wall claiming to support the program. If thalakan doesn't yield results, you can probably just disable a startup program, reboot, check if the problem persists, repeat.
posted by pwnguin at 12:00 PM on January 14, 2009


I was curious about the quotes too, so I took apart ntdll and found this unicode string:

The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

Why the author did that, I don't know.
posted by thalakan at 12:06 PM on January 14, 2009 [3 favorites]


thalakan: Ok, I am uploading this file (file name GBDumpfile).
posted by Hypnotic Chick at 12:15 PM on January 14, 2009


Hypnotic Chick: check PM.
posted by thalakan at 12:17 PM on January 14, 2009


This is a fascinating discussion and will come in handy the next time I diagnose one of these messages.
posted by odinsdream at 12:39 PM on January 14, 2009


odinsdream: I think what will really come in handy is "ntsd -z user.dmp".

As far as memory stability goes, there's about a dozen other crashes in the logs, all of which seem to be caused by application problems in Flash, Google Sketchup, and various Gimp plugins. None of them seem to warrant bizarre explanations which is what I usually see when there are memory problems.

These days, the NT kernel scrubs its internal data structures pretty thoroughly so when you have memory problems you tend to get a good mix of blue screens with your application errors. If there aren't any blue screens in the symptom list, memory issues are probably not causing the problem.
posted by thalakan at 12:47 PM on January 14, 2009


Hey all,

I'm writing this post as an update to any readers and in case anyone had a problem in the future. In working with thalakan, it looks like there may be something not so good going on here. This is what has been done so far:

1. user.dmp - checked and there was no recent entry of any problem
2. drwtsn32.log - checked and no recent entries
3. Application event log - checked and no recent entries

In light of this, there is a concern that there may be some malware (and here I thought I was being careful with this computer). I will wait until this happens again tommorrow, note the relevant information and then check with the manufacturer of the computer.

Thanks to everyone for your input and special thanks to thalakan who I've been PMing and emailing throughout the day. I'll update this question as everything progresses.
posted by Hypnotic Chick at 1:28 PM on January 14, 2009


The reason that "read" is in quotes is because when the error is displayed in other languages the word "read" isn't translated into the user's language. For instance, this thread talks about the message an error which says "l'instruction à "0x00000" emploie l'adresse mémoire "0x000000". La mémoire ne peut être read.". Not "lue" or whatever my rusty college french suggests would be the translated version of "read".
posted by jepler at 1:39 PM on January 14, 2009 [1 favorite]


Which is stupid, because they're already doing translation on the rest of the damn string.
posted by pwnguin at 8:16 PM on January 14, 2009


Hypnotic Chick: you probably want to take a screenshot of the dialog as well.
posted by thalakan at 10:17 PM on January 14, 2009


Good Afternoon,

The Error Message has appeared for today. The dialog reads the same today as it did yesterday. The program in the title bar is wmiprvse.exe. Here are the steps I am taking:

1. I have screenshot the dialog box.
2. Google search for wmiprvse.exe application error
3. This article posits two theories: A. a Sasser worm, and B. Sonetbot-b virus
4. I'm ruling out Sasser worm since my system resources are not impacted by this virus. Thoughts?
5. In looking up how to repair for Sonetbot, I needed to go into the Registry Editor. This site noted that I needed to look for the following:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe

I don't have \CurrentVersion\ as a file. Does this rule out Sonetbot?
6. I am contacting the manufacturer. Will update.
posted by Hypnotic Chick at 10:25 AM on January 15, 2009


7. Contacted manufacturer. Problem was referred to MS PC safety - anti virus department.
8. MS won't take calls until after they run an online scan which I am doing right now.
posted by Hypnotic Chick at 10:54 AM on January 15, 2009


« Older Watch Obama inauguration on the internet?   |   You'll Have to Go Sideways Newer »
This thread is closed to new comments.