I have a deadlock I’m trying to solve in which a thread is waiting for
something in NTFS. Can anybody tell me what this thread may be waiting for
in NTFS? Could it be possible that stack space is running low and NTFS has
posted the request? Any other possibilities here?
Which version of Windows is this? Looking at several versions of the
source, I have not found one where NtfsFsdCreate calls KeWaitForSingleObject
so a pointer would help here. As Rod stated, there are waits for OP locks,
possible expansion of the stack, and certain encryption related things.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, November 25, 2008 11:50 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] NTFS calling KeWaitForSingleObject?
Which version of Windows is this? Looking at several versions of the
source, I have not found one where NtfsFsdCreate calls KeWaitForSingleObject
so a pointer would help here. As Rod stated, there are waits for OP locks,
possible expansion of the stack, and certain encryption related things.
Then the search becomes a royal PITA. So without some hint of the OS
version, not even worth bothering. Those of us who have access to the
source through the shared source initiative quickly learn that its search is
the worst in the industry, making Doc Explorer's search look fantastic in
comparison.
“Skywing” wrote in message news:xxxxx@ntfsd…
Perhaps it is inlined or hidden by a macro?
- S
My IDA shows the call to KeWaitForSingleObject at offset 00052018 surrounded
by calls to Critical Section and KeSetKernelStackSwapEnable. NtfsFsdCreate
jumps to this chunk from code below:
PAGE:00035D34 cmp [ebp+var_64], esi
PAGE:00035D37 jz loc_35E28
PAGE:00035D3D cmp [ebp+var_20], 103h
PAGE:00035D44 jz loc_51FFD <— Jump to KeWaitForSingleObject routine
PAGE:00035D4A cmp [ebp+var_30], esi
PAGE:00035D4D jz loc_35E28
-Alex
If you call everything the worst in the world, the concept of being the worst thing tends to lose meaning.
On my build (Srv08 SP1 x64), from the disassembly, there seems to be an NtfsWaitForCreateEvent if the NtfsCommonCreateOnNewStack branch is executed and returns STATUS_PENDING. The NtfsWaitForCreateEvent was probably inlined or was not a separate function in the OP’s build.
- S
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, November 25, 2008 11:59 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Re:NTFS calling KeWaitForSingleObject?
Then the search becomes a royal PITA. So without some hint of the OS version, not even worth bothering. Those of us who have access to the source through the shared source initiative quickly learn that its search is the worst in the industry, making Doc Explorer's search look fantastic in comparison.
“Alexander Volynkin” wrote in message news:xxxxx@ntfsd…
> Don,
>
> It is XP SP3. Ntfs.sys ver. 5.1.2600.3081
>
> My IDA shows the call to KeWaitForSingleObject at offset 00052018
> surrounded by calls to Critical Section and KeSetKernelStackSwapEnable.
> NtfsFsdCreate jumps to this chunk from code below:
> PAGE:00035D34 cmp [ebp+var_64], esi
> PAGE:00035D37 jz loc_35E28
> PAGE:00035D3D cmp [ebp+var_20], 103h
> PAGE:00035D44 jz loc_51FFD <— Jump to KeWaitForSingleObject routine
> PAGE:00035D4A cmp [ebp+var_30], esi
> PAGE:00035D4D jz loc_35E28
>
> -Alex
>
> -----Original Message-----
> From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
> Sent: Tuesday, November 25, 2008 11:50 AM
> To: Windows File Systems Devs Interest List
> Subject: Re:[ntfsd] NTFS calling KeWaitForSingleObject?
>
> Which version of Windows is this? Looking at several versions of the
> source, I have not found one where NtfsFsdCreate calls KeWaitForSingleObject
> so a pointer would help here. As Rod stated, there are waits for OP locks,
> possible expansion of the stack, and certain encryption related things.
>
> –
> Don Burn (MVP, Windows DDK)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> “Matthew N. White” wrote in message news:xxxxx@ntfsd…
>> Hello,
>>
>> I have a deadlock I’m trying to solve in which a thread is waiting for
>> something in NTFS. Can anybody tell me what this thread may be waiting for
>> in NTFS? Could it be possible that stack space is running low and NTFS has
>> posted the request? Any other possibilities here?
>>
>> Thanks,
>> Matt
>>
>> 1: kd> !thread 8813b600
>> THREAD 8813b600 Cid 0960.14b8 Teb: 7ffa3000 Win32Thread: e741e510 WAIT: (Executive) UserMode Non-Alertable
>> 8c56267c NotificationEvent
>> IRP List:
>> 87e25d28: (0006,02d4) Flags: 00000884 Mdl: 00000000
>> Not impersonating
>> DeviceMap e63d1420
>> Owning Process 880656c8 Image: explorer.exe
>> Wait Start TickCount 31495 Ticks: 13837 (0:00:03:36.203)
>> Context Switch Count 489 NoStackSwap LargeStack
>> UserTime 00:00:00.000
>> KernelTime 00:00:00.078
>> Win32 Start Address 0x77f76ed3
>> Start Address 0x7c8106e9
>> Stack Init 8c563000 Current 8c5625e4 Base 8c563000 Limit 8c55d000 Call 0
>> Priority 14 BasePriority 8 PriorityDecrement 6 DecrementCount 16
>> ChildEBP RetAddr Args to Child
>> 8c5625fc 80503846 8813b670 8813b600 804fb078 nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
>> 8c562608 804fb078 804faeb6 00000000 87e25d28 nt!KiSwapThread+0x8a (FPO: [0,0,0])
>> 8c562630 b9cb2246 00000000 00000000 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
>> 8c562718 804ef19f 8a46c770 87e25d28 87e25d28 Ntfs!NtfsFsdCreate+0x291 (FPO: [Non-Fpo])
>> 8c562728 b9daa6c3 87e25d28 8828ebdc 8ae17260 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
>> 8c562758 804ef19f 8ade6450 87e25d28 87e25f88 fltmgr!FltpCreate+0x1d9 (FPO: [Non-Fpo])
>> 8c562768 b9d4d3f6 00000000 87e25d28 87f42000 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@yandex.ru
> To unsubscribe send a blank email to xxxxx@lists.osr.com
The search is highly limited, and has almost no options. Think of it as
finding a full word (no partials) in tens of thousands of pages, then having to
open the page to see if you care. Slow and painful.
Thanks Don. To do the “stack swap” do you know at a high level what
happens? It appears that this operation is getting stuck somewhere, b/c the
machine hangs at this point. I’m basically trying to figure out what would
signal that event.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-344858- xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Tuesday, November 25, 2008 12:17 PM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] NTFS calling KeWaitForSingleObject?
I don’t think actual “stack swapping” is implemented until Vista. Prior
to that the operation would be posted to a separate worker thread. Can
you tie this thread to any other stack on the system via the IRP that’s
being processed?
Using the address of the IRP and searching through every other thread stack
on the system (!process 0 7) reveals no obvious information (to me at
least). Would it be true that if the IRP were posted, it would have had to
be posted to a system thread? I would think so, but I don’t see any system
threads doing anything related to this.
The only other thing I consider interesting right now is that I have kernel
APCs pending for the process containing the thread that is blocked in NTFS
after the IRP was posted. If these APCs are blocked from finishing, could
this have anything to do with it? Maybe the completion processing can’t run
because of this or something?
Thanks,
Matt
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-344968- xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Tuesday, November 25, 2008 10:56 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] NTFS calling KeWaitForSingleObject?
I don’t think actual “stack swapping” is implemented until Vista. Prior
to that the operation would be posted to a separate worker thread. Can
you tie this thread to any other stack on the system via the IRP that’s
being processed?
Tony
OSR
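The triage discussed in these messages (take the IRP and the wait object from !thread, then look for those addresses on other threads' stacks) can be scripted over saved debugger output. This is an added example, not code from anyone in the thread; the header lines are copied from the !thread output posted earlier, while the second excerpt and its Example!Worker frame are constructed for illustration.

```python
import re

# Header lines copied from the !thread output quoted in this thread.
THREAD_DUMP = """\
THREAD 8813b600 Cid 0960.14b8 Teb: 7ffa3000 Win32Thread: e741e510 WAIT: (Executive) UserMode Non-Alertable
    8c56267c NotificationEvent
IRP List:
    87e25d28: (0006,02d4) Flags: 00000884 Mdl: 00000000
Stack Init 8c563000 Current 8c5625e4 Base 8c563000 Limit 8c55d000 Call 0
"""

# Constructed excerpt in the shape of "!process 0 7" output (not from the
# thread): two system threads, one with the IRP address among its frame args.
OTHER_THREADS = """\
THREAD 8a5d1020 Cid 0004.0038 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8c4a1d30 b9cb0000 00000000 87e25d28 00000000 Example!Worker+0x10
THREAD 8a5d3da8 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 WAIT: (WrQueue) KernelMode Non-Alertable
8c4b2d30 804e0000 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe
"""

def parse_thread(text):
    """Extract the fields needed to triage one blocked thread."""
    obj = re.search(r"^\s*([0-9a-f]{8})\s+(\w+)\s*$", text, re.M)
    stack = re.search(r"Stack Init (\w+) Current (\w+) Base (\w+) Limit (\w+)", text)
    init, cur, _base, limit = (int(v, 16) for v in stack.groups())
    return {
        "thread": re.search(r"THREAD (\w+)", text).group(1),
        "wait_reason": re.search(r"WAIT: \((\w+)\)", text).group(1),
        "wait_object": obj.groups(),
        "irps": re.findall(r"^\s*([0-9a-f]{8}): \(", text, re.M),
        "stack_used": init - cur,    # bytes consumed so far
        "stack_left": cur - limit,   # bytes down to the stack limit
        # True when the event lives inside this thread's own kernel stack.
        "event_on_own_stack": limit <= int(obj.group(1), 16) < init,
    }

def find_references(dump, needles, skip=None):
    """Return {thread: [addresses]} for other threads whose block mentions a needle."""
    hits = {}
    for m in re.finditer(r"^THREAD (\w+)(.*?)(?=^THREAD |\Z)", dump, re.M | re.S):
        thread, body = m.groups()
        if thread == skip:
            continue
        # Whole-token match so an address is not found inside a longer number.
        seen = [n for n in needles if re.search(rf"\b{n}\b", body)]
        if seen:
            hits[thread] = seen
    return hits

if __name__ == "__main__":
    info = parse_thread(THREAD_DUMP)
    print(info, find_references(OTHER_THREADS, info["irps"], info["thread"]))
```

For the posted thread this reports 2588 bytes of stack used, 21988 bytes left above the limit, and that the event at 8c56267c lies inside the thread's own stack range. A hit from find_references is only a lead, since an address on another stack can be stale data; confirm it with !irp on the IRP address.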
If you see pending APCs then it certainly is quite possible that those
are the issue. Of course, looking at those APCs in greater detail might
yield further insight. Naturally, APCs bring us back to the “hmm,
wonder if it’s waiting for an oplock” case again.
Right. Is there any way to look at the APCs in further detail other than dt
nt!_KAPC or !apc?
Thanks,
Matt
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-345015- xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Wednesday, November 26, 2008 10:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] NTFS calling KeWaitForSingleObject?
If you see pending APCs then it certainly is quite possible that those
are the issue. Of course, looking at those APCs in greater detail might
yield further insight. Naturally, APCs bring us back to the “hmm,
wonder if it’s waiting for an oplock” case again.
Tony
OSR
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-345054- xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Wednesday, November 26, 2008 7:16 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] NTFS calling KeWaitForSingleObject?
!apc has all I’ve ever really needed, although I suppose dt nt!_KAPC
might reveal something else. What more were you seeking?
Tony
OSR