How to determine who's using up file objects...

Ihave a filter driver that is capturing deletes and changing them to
renames. When I run my driver I am getting through several thousand test
files. Then I will get an explorer message “Insufficient Resources…”. I
have looked at PoolTag and it shows that the pool usage for ‘File’ is quite
high and there are many outstanding buffers that aren’t getting freed. I
know that the ‘File’ tag is associated with the file objects. How can I
determine where the leak is? My own resources are being allocated and freed
evenly (according to pool tag). There are only 13 outstanding IRPs when I
die but File is showing 45000 allocs-frees (with 7MB+ of non-paged pool). I
am having trouble determining what and where the cause is.

tia - jb


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Just set a conditional breakpoint on ExAllocatePoolWithTag & check if the
value at ss:esp+C is equal to ‘File’.

-----Original Message-----
From: Jonathan Borden [mailto:xxxxx@earthlink.net]
Sent: Thursday, April 12, 2001 12:12 PM
To: File Systems Developers
Subject: [ntfsd] How to determine who’s using up file objects…

Ihave a filter driver that is capturing deletes and changing them to
renames. When I run my driver I am getting through several thousand test
files. Then I will get an explorer message “Insufficient Resources…”. I
have looked at PoolTag and it shows that the pool usage for ‘File’ is quite
high and there are many outstanding buffers that aren’t getting freed. I
know that the ‘File’ tag is associated with the file objects. How can I
determine where the leak is? My own resources are being allocated and freed
evenly (according to pool tag). There are only 13 outstanding IRPs when I
die but File is showing 45000 allocs-frees (with 7MB+ of non-paged pool). I
am having trouble determining what and where the cause is.

tia - jb


You are currently subscribed to ntfsd as: xxxxx@timesn.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

That will succeed in showing you the opens, and will be intensely
overactive - fileobjects are created and destroyed all the time. The
questions is where these came from.

Several straightforward things:

  • fileobjects are frequently bound to a handle at some point in their
    life; look around and see if some process has a huge handle
    table. Triage: it isn’t closing them. App problem.
  • if the system fell over with 45000 fileobjects, you will stand very
    good odds that the system is sufficiently dominated with
    them
    that you can spot the leaked ones with a !poolfind. Look for
    a pattern. Handle count, pointer count? Volume? Filename? If
    they all seem to have a handle, backtrack through the handle
    tables (!handle) and find processes (though simply finding
    processes that have huge tables probably did this for you
    already)
  • if you can spot the pattern, try to catch fileobjects before things
    get out of hand. Go into the debugger and set watchpoints on the
    pointer/handle counts (especially useful if you suspect someone
    is ObReferencing without ObDereferencing).
  • make very very sure your driver is balancing ObReferenceObject and
    ObDereferenceObject correctly.

-----Original Message-----
From: Jose Flores [mailto:xxxxx@timesn.com]
Sent: Thursday, April 12, 2001 5:27 PM
To: File Systems Developers
Subject: [ntfsd] RE: How to determine who’s using up file objects…

Just set a conditional breakpoint on ExAllocatePoolWithTag & check if
the
value at ss:esp+C is equal to ‘File’.

-----Original Message-----
From: Jonathan Borden [mailto:xxxxx@earthlink.net]
Sent: Thursday, April 12, 2001 12:12 PM
To: File Systems Developers
Subject: [ntfsd] How to determine who’s using up file objects…

Ihave a filter driver that is capturing deletes and changing them to
renames. When I run my driver I am getting through several thousand
test
files. Then I will get an explorer message “Insufficient Resources…”.
I
have looked at PoolTag and it shows that the pool usage for ‘File’ is
quite
high and there are many outstanding buffers that aren’t getting freed.
I
know that the ‘File’ tag is associated with the file objects. How can I
determine where the leak is? My own resources are being allocated and
freed
evenly (according to pool tag). There are only 13 outstanding IRPs when
I
die but File is showing 45000 allocs-frees (with 7MB+ of non-paged
pool). I
am having trouble determining what and where the cause is.

tia - jb


You are currently subscribed to ntfsd as: xxxxx@timesn.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: xxxxx@exchange.microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com