Corrupted Thread Stack

Hi Guys,

While analyzing one of the memory dumps, I see this stack for a thread:
0: kd> .thread 0xffffe001`5472e050
Implicit thread is now ffffe001`5472e050
0: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
   Child-SP          RetAddr           Call Site
00 ffffd000`25821770 b7b7b7b7`b7b7b7b7 0xb7b7b7b7`b7b7b7b7
01 ffffd000`25821778 b7b7b7b7`b7b7b7b7 0xb7b7b7b7`b7b7b7b7
02 ffffd000`25821780 b7b7b7b7`b7b7b7b7 0xb7b7b7b7`b7b7b7b7

This is a worker thread that is part of a struct which seems to be alright. Interestingly, the above thread does not appear in !process 0 7.
I am wondering what has happened with this thread.

-Gyan

What does !thread show for that thread? Do those addresses match what the OS thinks the stack should be?

Tony
OSR

This thread has been terminated. That's what the !thread output says:
0: kd> !thread 0xffffe001`5472e050
THREAD ffffe0015472e050 Cid 0004.1fcc Teb: 0000000000000000 Win32Thread: 0000000000000000 TERMINATED
Not impersonating

Because of some reference, it's still hanging in memory. Is it still possible to have some stack frame for a terminated thread?

-Gyan

The thread stack is usually unmapped at this point (i.e. “reaped” by the
reaper thread). You can see if this has already happened by checking the
InitialStack field from the KTHREAD. If it’s NULL then there is no way to
get the stack back at this point (if it’s not NULL the best you can do is
dump the raw contents with dps and look for breadcrumbs).

-scott
OSR
@OSRDrivers
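
Added example, not part of the original thread: a small Python helper for the "dump the raw contents with dps and look for breadcrumbs" step, run over saved debugger output. It lists stack slots that dps resolved to a symbol, collapses runs of a repeated byte value such as the 0xb7b7b7b7`b7b7b7b7 entries in the trace above, and counts unreadable slots. The sample text, symbol names, and function names are constructed for illustration, and 64-bit dps output is assumed.

```python
import re
from itertools import groupby

# Constructed sample of 64-bit `dps` output (not taken from the dump in the thread).
SAMPLE_DPS = """\
ffffd000`25821770  b7b7b7b7`b7b7b7b7
ffffd000`25821778  b7b7b7b7`b7b7b7b7
ffffd000`25821780  b7b7b7b7`b7b7b7b7
ffffd000`25821788  fffff800`01234567 nt!KiSwapContext+0x76
ffffd000`25821790  00000000`00000000
ffffd000`25821798  fffff800`0abcdef0 exampledrv!WorkerRoutine+0x4c
ffffd000`258217a0  ????????`????????
"""

LINE = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`?]+)(?:\s+(\S.*))?$", re.I)

def parse_dps(text):
    """Yield (address, value, symbol); value is None where memory was unreadable."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, banners and blank lines are skipped
        value_text = m.group(2).replace("`", "")
        value = None if "?" in value_text else int(value_text, 16)
        yield int(m.group(1).replace("`", ""), 16), value, m.group(3)

def is_fill(value):
    """True when all eight bytes are the same non-zero byte."""
    b = value.to_bytes(8, "little")
    return b[0] != 0 and len(set(b)) == 1

def triage(text):
    """Return (symbolized slots, fill runs as (start, count, value), unreadable count)."""
    rows = list(parse_dps(text))
    # A symbolized slot is only a candidate return address: dps resolves any
    # value that lands inside a loaded module, including stale data.
    breadcrumbs = [(a, s) for a, v, s in rows if v is not None and s]
    fill_key = lambda r: r[1] if r[1] is not None and is_fill(r[1]) else None
    fills = []
    for key, group in groupby(rows, key=fill_key):
        group = list(group)
        if key is not None:
            fills.append((group[0][0], len(group), key))
    unreadable = sum(1 for _, v, _ in rows if v is None)
    return breadcrumbs, fills, unreadable

if __name__ == "__main__":
    crumbs, fills, bad = triage(SAMPLE_DPS)
    for addr, sym in crumbs:
        print(f"{addr:016x}  {sym}")
    for start, count, value in fills:
        print(f"{start:016x}  {count} slots of {value:016x}")
    print(f"unreadable slots: {bad}")
```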
