Hi,
I am doing kernel debugging over a serial connection. I am using the latest
version of WinDbg. Symbols are set up correctly.
I am interested in a particular thread which is running inside my
user-mode service. The thread sometimes seems to block. So when it blocks I
break into the machine.
Symbols for “MyService.exe” are loaded at this point. I am doing this:
kd> !process 0 7 MyService.exe
PROCESS 8232f918 SessionId: 0 Cid: 0174 Peb: 7ffdf000 ParentCid: 0244
DirBase: 0e4c03e0 ObjectTable: e27d2b58 HandleCount: 244.
Image: MyService.exe
VadRoot 82293658 Vads 162 Clone 0 Private 3225. Modified 4. Locked 0.
DeviceMap e10044d0
Token e29dfa68
ElapsedTime 00:48:09.109
UserTime 00:00:38.281
KernelTime 00:01:06.703
QuotaPoolUsage[PagedPool] 74316
QuotaPoolUsage[NonPagedPool] 14672
Working Set Sizes (now,min,max) (382, 50, 345) (1528KB, 200KB, 1380KB)
PeakWorkingSetSize 4294
VirtualSize 70 Mb
PeakVirtualSize 80 Mb
PageFaultCount 98677
MemoryPriority BACKGROUND
BasePriority 10
CommitCharge 3492
THREAD 821bd638 Cid 0174.0520 Teb: 7ffdb000 Win32Thread: e2b8d4b8
WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
821bd7d4 Semaphore Limit 0x2
Not impersonating
DeviceMap e10044d0
Owning Process 8232f918 Image:
MyService.exe
Wait Start TickCount 167428 Ticks: 45 (0:00:00:00.703)
Context Switch Count 76583 LargeStack
UserTime 00:00:23.0421
KernelTime 00:00:11.0609
Start Address 0x7c810856
Win32 Start Address 0x01267e80
Stack Init b7d02000 Current b7d01bcc Base b7d02000 Limit b7cfe000
Call 0
Priority 13 BasePriority 12 PriorityDecrement 0 DecrementCount 16
…
kd> .thread /P /r 821bd638
Implicit thread is now 821bd638
Implicit process is now 8232f918
.cache forcedecodeptes done
Loading User Symbols
Unable to read NT module Base Name string at 0002069e - Win32 error 30
Missing image name, possible corrupt data.
…Unable to read LDR_DATA_TABLE_ENTRY at 00241fc0 - HRESULT 0x80004005
WARNING: .reload failed, module list may be incomplete
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b7d01be4 8082917a 821bd6a8 821bd638 808229be nt!KiSwapContext+0x2e
b7d01bf0 808229be 821bd7a4 821bd638 821bd66c nt!KiSwapThread+0x46
b7d01c18 8082912c 00000000 00000005 00000000 nt!KeWaitForSingleObject+0x1c2
b7d01c30 80826030 00000000 00000000 00000000 nt!KiSuspendThread+0x18
b7d01c78 80a02c35 00000000 00000000 b7d01c90 nt!KiDeliverApc+0x124
b7d01c78 80a0279d 00000000 00000000 b7d01c90 hal!HalpApcInterrupt+0xc5
b7d01d00 80845642 021fa03b 01c55ff8 0219acd2 hal!ExReleaseFastMutex+0x25
b7d01d4c 808686ec 00000000 021fa03b 00000001 nt!MmAccessFault+0x1022
b7d01d4c 01b2fc97 00000000 021fa03b 00000001 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0219acd2 0111030b 010e0103 ee00ff01 9b00ff01 0x1b2fc97
0219acd6 010e0103 ee00ff01 9b00ff01 00010f0a 0x111030b
0219acda ee00ff01 9b00ff01 00010f0a 04010000 0x10e0103
0219acde 9b00ff01 00010f0a 04010000 00190401 0xee00ff01
0219ace2 00010f0a 04010000 00190401 01d10014 0x9b00ff01
0219ace6 04010000 00190401 01d10014 16000308 0x10f0a
0219acea 00190401 01d10014 16000308 11be024d 0x4010000
0219acee 01d10014 16000308 11be024d 88c00000 0x190401
0219acf2 16000308 11be024d 88c00000 000100a9 0x1d10014
0219acf6 11be024d 88c00000 000100a9 bcf80000 0x16000308
0219acfa 88c00000 000100a9 bcf80000 000001c1 0x11be024d
The stack trace is obviously wrong. What can I do to see the calls that my
thread is doing in this situation?
Thanks in advance
Frank
I would attempt the following in the order specified -
- Reloading user-mode symbols (during .thread /r command execution) appears to be failing; especially the ntdll symbol load, which *might* have affected the user-mode stack frames. I would turn on noisy symbol display (!sym noisy) and find out why the user-mode symbol load failed.
- If you have user-mode stack display issues after fixing the symbols, and you can get hold of the trap frame created before switching to kernel mode (this might be displayed with FPO info on the stack, or you can get it by other means), issue a .trap command with that frame address; it will display the user-mode frames alone and maybe that will help.
- If the problem is because of the debugger assuming a different user-mode base, stack address or eip, you could explicitly specify that in the k* command.
- If all else fails, just do a dds [range], e.g. if the user-mode ebp is 0219acd2, dds 0219acd2 Lff will list symbols in that range (note the display is not the same as the k* command in this case).
Kamala
Your problem is that the user-mode module list is paged out. That’s why
you get the errors during the user-mode list reload and the warning
about the module list being incomplete. There is no easy way to get
around this. You can try using .pagein on the addresses mentioned in
the error messages. If you don’t have significant memory pressure on
your system that will usually work fairly well. However, there’s no
guarantee that you won’t get pages paged out as you page in more pages,
thus you can’t ever guarantee getting to a good state.
If you have another user-mode process that has a similar module list you
can try switching to it and reloading from it. As you control some
user-mode code you could also try touching pages before your system call
to try and get things resident. You could do so from a user-mode
debugger too (.reload -ls in a UM debugger will touch the relevant parts
of the UM module list).
Failing all of that you can put modules in manually with .reload
<image.ext>=,. You need to know where modules are, which
you can get from a previous session (system binaries for non-Vista
Windows are usually at consistent addresses). You can also discover
locations by using !vad to look up image mappings.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of frank
Sent: Friday, June 02, 2006 2:21 AM
To: Kernel Debugging Interest List
Subject: [windbg] Funny stack trace
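Added example session, not from either reply, that walks the recovery steps both answers describe in order: noisy symbol loading and .pagein of the loader structures named in the reload errors, then the .trap / k= / dds fallbacks, then registering the module by hand. The EPROCESS, ETHREAD, VadRoot and error addresses are the values from Frank's post; <TrapFrame>, <Base> and <Size> are placeholders to read off your own target.

```windbg
$$ Example session (added here, not from the thread). Values 821bd638,
$$ 8232f918, 82293658, 00241fc0 and 0002069e come from Frank's output;
$$ <TrapFrame>, <Base> and <Size> are placeholders for your own target.

$$ 1. See exactly which user-mode module/symbol load fails and why.
kd> !sym noisy
kd> .thread /P /r 821bd638
kd> .reload /user

$$ 2. The LDR_DATA_TABLE_ENTRY and the base-name string are paged out.
$$    Queue a page-in for each address in the error messages, let the
$$    target run, and it breaks back when the page is resident.
$$    Caveat from the reply: under memory pressure this may page other
$$    parts of the list out again, so it is not guaranteed to converge.
kd> .pagein /p 8232f918 00241fc0
kd> g
kd> .pagein /p 8232f918 0002069e
kd> g
kd> .thread /P /r 821bd638
kd> .reload /user
kd> lm u
$$    lm u should now list ntdll and MyService.exe without "corrupt data".

$$ 3. Retry the stack walk.
kd> kb

$$ 4a. Still wrong? kv shows the trap frame nt!KiTrap0E built; unwinding
$$     from it shows the user-mode frames alone.
kd> kv
kd> .trap <TrapFrame>
kd> kb
kd> .thread /P /r 821bd638
$$     (.thread resets the context again after .trap)

$$ 4b. Or hand k the user-mode ebp, esp and eip explicitly; here the
$$     ChildEBP and RetAddr of the KiTrap0E frame from the posted kb.
kd> kb = 0219acd2 0219acd2 01b2fc97

$$ 4c. Last resort: dump the stack range with symbol lookup per dword.
kd> dds 0219acd2 Lff

$$ 5. If the module list never comes back, locate the image mapping in the
$$    VAD tree and register the module at that base manually.
kd> !vad 82293658
kd> .reload MyService.exe=<Base>,<Size>
kd> kb
```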