By what mechanism, if any, would a thread’s user-mode stack limit be
trimmed?
Are there some stack-specific actions that are part of the general
working set trimming? (Since the guard pages would have to be
specifically maintained for any stack pages that were trimmed, versus
other “normal” pages being trimmed.) Or is there something else
entirely that would “trim” a user-mode stack?
For example I have a service process thread that lives forever.
Initially when I break into the service I can see the thread’s TEB
shows the user-mode stack base as 0x000A0000 and its limit as
0x0097000. Later I break in during the midst of an operation on that
thread which happens to be part of a deep call stack, and the TEB
shows stack limit has been extended to 0x0093000.
At “some point later” (hours, so far as I know) the TEB will show that
this thread’s user-mode stack limit is back up around 0x0097000 again.
I want to understand what’s doing that, in case I can change the
frequency with which it occurs. Since I think it would quicken the
pace for duplication of the issue being investigated.
In general, the issue being chased is that the user-mode service
process dies because of a condition that should have resulted in
automatic user-mode stack extension, but instead turns into a case of
a fatal access violation.
The user-mode code is trying to reach no further than one page beyond
the current stack limit; i.e. should have been touching the current
guard page. The user-mode stack only has around 40KB committed at the
time, and the exception is 0xC0000005 not 0xC00000FD, so its not a
matter of having exhausted the allowed stack. Over half of the
physical memory is still available at the time this occurs.
But for some reason when this issue occurs, the next page of stack
being touched is not committed nor is there a guard page anywhere on
the user-mode stack at the time of the crash.
I’m coming at this from a driver/kernel-mode angle because I’m pretty
sure one of the third-party drivers on the machine is somehow involved
in setting up the conditions that allow this to happen.
Seem to be making good progress by setting access breakpoints on the
PTE entries to catch when they’re changed, but if there are any words
of experience for debugging user-mode stack extension, they would be
much appreciated.
Alan Adams