Thread pool for RPC/ALPC hang

Hi All,

I am debugging an issue related to RPC. Once the issue happened, the client side didn’t consume the RPC message, which caused the server to be blocked too.

Using livekd, I can find the port, and see the pending message.

0: kd> !alpc /p ffffde8f0d5e6a20
Port ffffde8f0d5e6a20
Type : ALPC_CONNECTION_PORT
CommunicationInfo : ffff8006c456e4a0
ConnectionPort : ffffde8f0d5e6a20 (OLE835C264A5F3E59BE860EC38BD783)
ClientCommunicationPort : 0000000000000000
ServerCommunicationPort : 0000000000000000
OwnerProcess : ffffde8f08de8080 (NdMini.exe)
SequenceNo : 0x00000002 (2)
CompletionPort : ffffde8f168bf300
CompletionList : 0000000000000000
ConnectionPending : No
ConnectionRefused : No
Disconnected : No
Closed : No
FlushOnClose : Yes
ReturnExtendedInfo : No
Waitable : No
Security : Static
Wow64CompletionList : No

2 thread(s) are registered with port IO completion object:

THREAD ffffde8f14b6b240  Cid 1e78.335c  Teb: 000000710fb07000 Win32Thread: ffffde8f16018ca0 WAIT
THREAD ffffde8f0ab2a080  Cid 1e78.4238  Teb: 000000710fb09000 Win32Thread: ffffde8f16019e70 WAIT

Main queue is empty.

Direct message queue is empty.

Large message queue is empty.

Pending queue has 1 message(s)

ffff8006b36485d0 00009d94 0000000000003d98:0000000000002f58 0000000000000000 ffffde8f14b6b240 LPC_REQUEST

Canceled queue is empty.

Also, the two threads are in waiting mode; they look healthy, but they are not awake.

0: kd> !thread ffffde8f0ab2a080
THREAD ffffde8f0ab2a080 Cid 1e78.4238 Teb: 000000710fb09000 Win32Thread: ffffde8f16019e70 WAIT: (WrQueue) UserMode Alertable
ffffde8f168bf300 QueueObject
Not impersonating
DeviceMap ffff8006b1da5870
Owning Process ffffde8f08de8080 Image: NdMini.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1504519 Ticks: 746 (0:00:00:11.656)
Context Switch Count 228 IdealProcessor: 6
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00007ff813c13ce0
Stack Init ffffae0686777b90 Current ffffae0686777360
Base ffffae0686778000 Limit ffffae0686771000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffae06867773a0 fffff8024e71507d : ffffc88094939180 00000000fffffffe ffffc880ffffffff 0000000000000001 : nt!KiSwapContext+0x76
ffffae06867774e0 fffff8024e713f04 : ffffde8f0ab2a080 0000000000000000 0000000000000000 ffff800600000000 : nt!KiSwapThread+0xbfd
ffffae0686777580 fffff8024e717dbe : ffffde8f04cb2aa0 ffffde8f00000000 0000000000000000 ffffde8f0ab2a1c0 : nt!KiCommitThreadWait+0x144
ffffae0686777620 fffff8024e7178b9 : ffffde8f00000000 0000000000000001 ffff8006c456be01 ffffde8f07991ab8 : nt!KeRemoveQueueEx+0x27e
ffffae06867776d0 fffff8024e71758e : ffffde8f0b0404f0 00000000000f00ff 0000000000010000 00000071103ff928 : nt!IoRemoveIoCompletion+0x99
ffffae06867777f0 fffff8024e7d3c15 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtWaitForWorkViaWorkerFactory+0x25e
ffffae0686777990 00007ff813c7fa04 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffae0686777a00)
00000071103ffa08 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff813c7fa04

Does anyone have a clue for further debugging? Many thanks in advance.

Best regards,
Raymond