Core ReactOS: CORE-20439

Weird SYSTEM_THREAD_EXCEPTION_NOT_HANDLED triggered by KiCheckForSListFault in cdrom.sys


Details

    Description

      Happened while step-by-step debugging the bootcd startup of ReactOS (from 12 January 2026), built with MSVC version 19.29.30159 for x86, in Debug mode.

      WDFTrace: WDFKEY 4EC88E30, QueryULong, !STATUS!
      Break instruction exception - code 80000003 (first chance)
      >  577: {
      cdrom_f8a83000!DeviceInitPowerContext:
      f8a91890 cc              int     3
      kd> g
      (ntoskrnl\ps\thread.c:119) PS: Unhandled Kernel Mode Exception Pointers = 0xF8698C08
      (ntoskrnl\ps\thread.c:126) Code c0000005 Addr 8056F518 Info0 00000000 Info1 00000000 Info2 00000000 Info3 CCCCCCCC
       
      *** Fatal System Error: 0x0000007e
                             (0xC0000005,0x8056F518,0xF86990C0,0xF8698DB0)
       
      Break instruction exception - code 80000003 (first chance)
       
      A fatal system error has occurred.
      Debugger entered on first try; Bugcheck callbacks have not been invoked.
       
      A fatal system error has occurred.
       
      Connected to Windows Server 2003 3790 x86 compatible target at (Wed Jan 14 17:43:26.573 2026 (UTC + 1:00)), ptr64 FALSE
      Loading Kernel Symbols
      ..............................
      Loading User Symbols
       
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      Use !analyze -v to get detailed debugging information.
       
      BugCheck 7E, {c0000005, 8056f518, f86990c0, f8698db0}
       
      Probably caused by : cdrom.sys ( cdrom!DeviceInitPowerContext+4 )
       
      Followup: MachineOwner
      ---------
       
      nt!RtlpBreakWithStatusInstruction:
      80590086 cc              int     3
      kd> .reload
      Connected to Windows Server 2003 3790 x86 compatible target at (Wed Jan 14 17:43:43.666 2026 (UTC + 1:00)), ptr64 FALSE
      Loading Kernel Symbols
      ..............................
      Loading User Symbols
       
      kd> kp
      ChildEBP RetAddr  
      f8698798 804b3c98 nt!RtlpBreakWithStatusInstruction
      f86987c8 804b2d46 nt!KiBugCheckDebugBreak(unsigned long StatusCode = 3)+0x38 [D:\rossrc\reactos_commits\ntoskrnl\ke\bug.c @ 504]
      f8698b94 804b25f0 nt!KeBugCheckWithTf(unsigned long BugCheckCode = 0x7e, unsigned long BugCheckParameter1 = 0xc0000005, unsigned long BugCheckParameter2 = 0x8056f518, unsigned long BugCheckParameter3 = 0xf86990c0, unsigned long BugCheckParameter4 = 0xf8698db0, struct _KTRAP_FRAME * TrapFrame = 0x00000000)+0x6b6 [D:\rossrc\reactos_commits\ntoskrnl\ke\bug.c @ 1084]
      f8698bb4 80543346 nt!KeBugCheckEx(unsigned long BugCheckCode = 0x7e, unsigned long BugCheckParameter1 = 0xc0000005, unsigned long BugCheckParameter2 = 0x8056f518, unsigned long BugCheckParameter3 = 0xf86990c0, unsigned long BugCheckParameter4 = 0xf8698db0)+0x20 [D:\rossrc\reactos_commits\ntoskrnl\ke\bug.c @ 1426]
      f8698be0 8054314f nt!PspUnhandledExceptionInSystemThread(struct _EXCEPTION_POINTERS * ExceptionPointers = 0xf8698c08)+0x1a6 [D:\rossrc\reactos_commits\ntoskrnl\ps\thread.c @ 134]
      f8698be8 80579e72 nt!PspSystemThreadStartup(<function> * StartRoutine = 0x804357f0, void * StartContext = 0x80070000)+0x8f [D:\rossrc\reactos_commits\ntoskrnl\ps\thread.c @ 159]
      f8699dbc 8056f333 nt!_except_handler3+0x54
      f8699ddc 805430bf nt!KiThreadStartup(void)+0x63 [D:\rossrc\reactos_commits\ntoskrnl\ke\i386\thrdini.c @ 78]
      f8699de0 804357ef nt!PspCreateThread+0xf0f
      f8699de4 80070000 nt!RtlStringVPrintfWorkerA+0xaf
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      f8699de8 380a7500 0x80070000
      f8699dec 00000000 0x380a7500
      kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************
       
      SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
      This is a very common bugcheck.  Usually the exception address pinpoints
      the driver/function that caused the problem.  Always note this address
      as well as the link date of the driver/image that contains this address.
      Arguments:
      Arg1: c0000005, The exception code that was not handled
      Arg2: 8056f518, The address that the exception occurred at
      Arg3: f86990c0, Exception Record Address
      Arg4: f8698db0, Context Record Address
       
      Debugging Details:
      ------------------
       
       
      EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - L
       
      FAULTING_IP: 
      nt!KiCheckForSListFault+68 [D:\rossrc\reactos_commits\ntoskrnl\ke\i386\traphdlr.c @ 1265]
      8056f518 0fb60c08        movzx   ecx,byte ptr [eax+ecx]
       
      EXCEPTION_RECORD:  f86990c0 -- (.exr 0xfffffffff86990c0)
      ExceptionAddress: 8056f518 (nt!KiCheckForSListFault+0x00000068)
         ExceptionCode: c0000005 (Access violation)
        ExceptionFlags: 00000000
      NumberParameters: 2
         Parameter[0]: 00000000
         Parameter[1]: 00000000
      Attempt to read from address 00000000
       
      CONTEXT:  f8698db0 -- (.cxr 0xfffffffff8698db0)
      eax=00000000 ebx=00040000 ecx=00000000 edx=f86992a0 esi=f8699320 edi=f8699244
      eip=8056f518 esp=f8699208 ebp=f869925c iopl=0         nv up ei pl zr na pe nc
      cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210246
      > 1265:         ASSERT((((UCHAR*)TrapFrame->Eip)[0] == 0x8B) &&
      nt!KiCheckForSListFault+0x68:
      8056f518 0fb60c08        movzx   ecx,byte ptr [eax+ecx]     ds:0023:00000000=??
      Resetting default scope
       
      PROCESS_NAME:  System
       
      CURRENT_IRQL:  0
       
      ERROR_CODE: (NTSTATUS) 0xc0000005 - L
       
      EXCEPTION_PARAMETER1:  00000000
       
      EXCEPTION_PARAMETER2:  00000000
       
      READ_ADDRESS:  00000000 
       
      FOLLOWUP_IP: 
      cdrom!DeviceInitPowerContext+4 [D:\rossrc\reactos_commits\drivers\storage\class\cdrom\init.c @ 577]
      f8a91894 ec              in      al,dx
       
      BUGCHECK_STR:  0x7E
       
      DEFAULT_BUCKET_ID:  NULL_DEREFERENCE
       
      TRAP_FRAME:  f86992a0 -- (.trap 0xfffffffff86992a0)
      ErrCode = 00000000
      eax=00000000 ebx=00040000 ecx=f8a91bc0 edx=b13f9a30 esi=f8699320 edi=f8699548
      eip=00000000 esp=f8699314 ebp=f8699548 iopl=0         nv up ei pl zr na pe nc
      cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210246
      00000000 ??              ???
      Resetting default scope
       
      PNP_TRIAGE: 
      	Lock address  : 0x00000000
      	Thread Count  : 0
      	Thread address: 0x00000000
      	Thread wait   : 0x0
       
      LAST_CONTROL_TRANSFER:  from 805711c7 to 8056f518
       
      STACK_TEXT:  
      f869925c 805711c7 f8699548 cccccccc cccccccc nt!KiCheckForSListFault+0x68 [D:\rossrc\reactos_commits\ntoskrnl\ke\i386\traphdlr.c @ 1265]
      f8699298 804036fe f8699548 00000000 badb0d00 nt!KiTrap0EHandler+0x107 [D:\rossrc\reactos_commits\ntoskrnl\ke\i386\traphdlr.c @ 1362]
      f8699298 00000000 f8699548 00000000 badb0d00 nt!KiTrap0E+0x99
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      f8699310 f8a91894 f8a8aa9d b13f9a30 f86997ac 0x0
      f8699548 f873adab 4ec01858 00000000 f86997cc cdrom!DeviceInitPowerContext+0x4 [D:\rossrc\reactos_commits\drivers\storage\class\cdrom\init.c @ 577]
      f8699570 f873aa9f 4ec01858 f86995a0 f869990c wdf01000!FxDriverDeviceAdd::Invoke+0x4b [D:\rossrc\reactos_commits\sdk\lib\drivers\wdf\shared\inc\private\common\fxdrivercallbacks.hpp @ 61]
      f86997ac f873a9ee b1430a08 b13fe7a0 f869990c wdf01000!FxDriver::AddDevice+0x8f [D:\rossrc\reactos_commits\sdk\lib\drivers\wdf\shared\core\km\fxdriverkm.cpp @ 73]
      f86997bc 80497762 b13fe9d8 b1430a08 f8699968 wdf01000!FxDriver::AddDevice+0x2e [D:\rossrc\reactos_commits\sdk\lib\drivers\wdf\shared\core\km\fxdriverkm.cpp @ 48]
      f869990c 80497c38 b13998a0 00000000 f86999b4 nt!PiCallDriverAddDevice+0x6d2 [D:\rossrc\reactos_commits\ntoskrnl\io\pnpmgr\devaction.c @ 771]
      f8699968 80499a9c b141baf0 f8699a44 f86999c0 nt!PiDevNodeStateMachine+0xc8 [D:\rossrc\reactos_commits\ntoskrnl\io\pnpmgr\devaction.c @ 2356]
      f86999b4 80498e4d 00000000 f8699a4c 00000001 nt!PipDeviceActionWorker+0x15c [D:\rossrc\reactos_commits\ntoskrnl\io\pnpmgr\devaction.c @ 2586]
      f86999d4 8061f28d b141bc40 00000001 00000000 nt!PiQueueDeviceAction+0xed [D:\rossrc\reactos_commits\ntoskrnl\io\pnpmgr\devaction.c @ 2701]
      f8699a44 8062007e f8699d7c f8699be4 cccccccc nt!IopInitializeBootDrivers+0x3ad [D:\rossrc\reactos_commits\ntoskrnl\io\iomgr\driver.c @ 1196]
      f8699bd8 8061acf7 80070000 0000ea94 f8699d94 nt!IoInitSystem+0x3ee [D:\rossrc\reactos_commits\ntoskrnl\io\iomgr\iomgr.c @ 561]
      f8699d7c 804357fe 80070000 f8699dbc 80543136 nt!Phase1InitializationDiscard+0xa97 [D:\rossrc\reactos_commits\ntoskrnl\ex\init.c @ 1851]
      f8699d88 80543136 80070000 0000ea94 f8699dcc nt!Phase1Initialization+0xe [D:\rossrc\reactos_commits\ntoskrnl\ex\init.c @ 2066]
      f8699dbc 8056f333 804357f0 80070000 8000003b nt!PspSystemThreadStartup+0x76 [D:\rossrc\reactos_commits\ntoskrnl\ps\thread.c @ 156]
      f8699ddc 805430bf 804357f0 80070000 380a7500 nt!KiThreadStartup+0x63 [D:\rossrc\reactos_commits\ntoskrnl\ke\i386\thrdini.c @ 78]
      f8699de0 804357ef 80070000 380a7500 0000027f nt!PspCreateThread+0xf0f
      f8699de4 80070000 380a7500 0000027f 00000000 nt!RtlStringVPrintfWorkerA+0xaf
      f8699de8 380a7500 0000027f 00000000 00000000 0x80070000
      f8699dec 00000000 00000000 00000000 00000000 0x380a7500
       
       
      FAULTING_SOURCE_CODE:  
         573: 
         574:     NTSTATUS
         575: 
         576: --*/
      >  577: {
         578:     NTSTATUS                status = STATUS_SUCCESS;
         579:     WDF_OBJECT_ATTRIBUTES   attributes;
         580: 
         581:     PAGED_CODE();
         582: 
       
       
      SYMBOL_STACK_INDEX:  4
       
      SYMBOL_NAME:  cdrom!DeviceInitPowerContext+4
       
      FOLLOWUP_NAME:  MachineOwner
       
      MODULE_NAME: cdrom
       
      IMAGE_NAME:  cdrom.sys
       
      DEBUG_FLR_IMAGE_TIMESTAMP:  695d7dd7
       
      STACK_COMMAND:  .cxr 0xfffffffff8698db0 ; kb
       
      FAILURE_BUCKET_ID:  0x7E_cdrom!DeviceInitPowerContext+4
       
      BUCKET_ID:  0x7E_cdrom!DeviceInitPowerContext+4
       
      Followup: MachineOwner
      ---------
      

      People: Unassigned, hbelusca