Software Diagnostics Library

Archive for February 27th, 2008

Crash Dump Analysis Patterns (Part 53)

Wednesday, February 27th, 2008

We often say that a particular thread is blocked and/or it blocks other threads. At the same time we know that almost all threads are “blocked” to some degree except those currently running on processors. They are either preempted and in the ready lists, voluntary yielded their execution or they are waiting for some synchronization object. Therefore the notion of Blocked Thread is highly context and problem dependent and usually we notice them when comparing current thread stack traces with their expected normal stack traces. Here reference guides are indispensible especially those created for troubleshooting concrete products. Forthcoming Debugger Log Analyzer was partially incepted to address this problem.

To show the diversity of “blocked” threads I propose the following thread classification:

Running threads

Their EIP (RIP) points to some function different from KiSwapContext:

3: kd> !running

System Processors f (affinity mask) Idle Processors 0

Prcb Current Next 0 ffdff120 a30a9350 ................ 1 f7727120 a3186448 ................ 2 f772f120 a59a1b40 ................ 3 f7737120 a3085888 ................

3: kd> !thread a59a1b40 THREAD a59a1b40 Cid 0004.00b8 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 2 Not impersonating DeviceMap e10028b0 Owning Process a59aa648 Image: System Wait Start TickCount 1450446 Ticks: 1 (0:00:00:00.015) Context Switch Count 308765 UserTime 00:00:00.000 KernelTime 00:00:01.250 Start Address nt!ExpWorkerThread (0×80880356) Stack Init f7055000 Current f7054cec Base f7055000 Limit f7052000 Call 0 Priority 12 BasePriority 12 PriorityDecrement 0 ChildEBP RetAddr f7054bc4 8093c55c nt!ObfReferenceObject+0×1c f7054ca0 8093d2ae nt!ObpQueryNameString+0×2ba f7054cbc 808f7d0f nt!ObQueryNameString+0×18 f7054d80 80880441 nt!IopErrorLogThread+0×197 f7054dac 80949b7c nt!ExpWorkerThread+0xeb f7054ddc 8088e062 nt!PspSystemThreadStartup+0×2e 00000000 00000000 nt!KiThreadStartup+0×16

3: kd> .thread a59a1b40 Implicit thread is now a59a1b40

3: kd> r Last set context: eax=00000028 ebx=e1000228 ecx=e1002b30 edx=e1000234 esi=e1002b18 edi=0000001a eip=8086c73e esp=f7054bc4 ebp=f7054ca0 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202 nt!ObfReferenceObject+0×1c: 8086c73e 40 inc eax

These threads can also be identified by RUNNING attribute in the output of !process 0 ff command applied for complete and kernel memory dumps.

Ready threads

These threads can be seen in the output of !ready command or identified by READY attribute in the output of !process 0 ff command:

3: kd> !ready Processor 0: No threads in READY state Processor 1: Ready Threads at priority 11 THREAD a3790790 Cid 0234.1108 Teb: 7ffab000 Win32Thread: 00000000 READY THREAD a32799a8 Cid 0234.061c Teb: 7ff83000 Win32Thread: 00000000 READY THREAD a3961798 Cid 0c04.0c68 Teb: 7ffab000 Win32Thread: bc204ea8 READY Processor 1: Ready Threads at priority 10 THREAD a32bedb0 Cid 1fc8.1a30 Teb: 7ffad000 Win32Thread: bc804468 READY Processor 1: Ready Threads at priority 9 THREAD a52dcd48 Cid 0004.04d4 Teb: 00000000 Win32Thread: 00000000 READY Processor 2: Ready Threads at priority 11 THREAD a37fedb0 Cid 0c04.11f8 Teb: 7ff8e000 Win32Thread: 00000000 READY Processor 3: Ready Threads at priority 11 THREAD a5683db0 Cid 0234.0274 Teb: 7ffd6000 Win32Thread: 00000000 READY THREAD a3151b48 Cid 0234.2088 Teb: 7ff88000 Win32Thread: 00000000 READY THREAD a5099d80 Cid 0ecc.0d60 Teb: 7ffd4000 Win32Thread: 00000000 READY THREAD a3039498 Cid 0c04.275c Teb: 7ff7d000 Win32Thread: 00000000 READY

If we look at these threads we would see that they were either scheduled to run because of a signaled object they were waiting for:

3: kd> !thread a3039498 THREAD a3039498 Cid 0c04.275c Teb: 7ff7d000 Win32Thread: 00000000 READY IRP List: a2feb008: (0006,0094) Flags: 00000870 Mdl: 00000000 Not impersonating DeviceMap e10028b0 Owning Process a399a770 Image: svchost.exe Wait Start TickCount 1450447 Ticks: 0 Context Switch Count 1069 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x001e4f22 LPC Server thread working on message Id 1e4f22 Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec) Stack Init f171b000 Current f171ac60 Base f171b000 Limit f1718000 Call 0 Priority 11 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr Args to Child f171ac78 80833465 a3039498 a3039540 e7561930 nt!KiSwapContext+0x26 f171aca4 80829a62 00000000 00000000 00000000 nt!KiSwapThread+0x2e5 f171acec 80938d0c a301cad8 00000006 f171ad01 nt!KeWaitForSingleObject+0×346 f171ad50 8088978c 00000c99 00000000 00000000 nt!NtWaitForSingleObject+0×9a f171ad50 7c8285ec 00000c99 00000000 00000000 nt!KiFastCallEntry+0xfc 03d9efa8 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

3: kd> !object a301cad8 Object: a301cad8 Type: (a59a0720) Event ObjectHeader: a301cac0 (old version) HandleCount: 1 PointerCount: 3

Or they were boosted in priority:

3: kd> !thread a3790790 THREAD a3790790 Cid 0234.1108 Teb: 7ffab000 Win32Thread: 00000000 READY IRP List: a2f8b7f8: (0006,0094) Flags: 00000900 Mdl: 00000000 Not impersonating DeviceMap e10028b0 Owning Process a554bcc8 Image: lsass.exe Wait Start TickCount 1450447 Ticks: 0 Context Switch Count 384 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address RPCRT4!ThreadStartRoutine (0x77c7b0f5) Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec) Stack Init f3ac1000 Current f3ac0ce8 Base f3ac1000 Limit f3abe000 Call 0 Priority 11 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr Args to Child f3ac0d00 80831266 a3790790 a50f1870 a3186448 nt!KiSwapContext+0x26 f3ac0d20 8082833a 00000000 a50f1870 8098b56c nt!KiExitDispatcher+0xf8 f3ac0d3c 8098b5b9 a50f1870 00000000 00f5f8d0 nt!KeSetEventBoostPriority+0×156 f3ac0d58 8088978c a50f1870 00f5f8d4 7c8285ec nt!NtSetEventBoostPriority+0×4d f3ac0d58 7c8285ec a50f1870 00f5f8d4 7c8285ec nt!KiFastCallEntry+0xfc 00f5f8d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

3: kd> !object a50f1870 Object: a50f1870 Type: (a59a0720) Event ObjectHeader: a50f1858 (old version) HandleCount: 1 PointerCount: 15

Or were interrupted and queued to be run again:

3: kd> !thread a5683db0 THREAD a5683db0 Cid 0234.0274 Teb: 7ffd6000 Win32Thread: 00000000 READY IRP List: a324d498: (0006,0094) Flags: 00000900 Mdl: 00000000 a2f97a20: (0006,0094) Flags: 00000900 Mdl: 00000000 a50c3e70: (0006,0190) Flags: 00000000 Mdl: a50a22d0 a5167750: (0006,0094) Flags: 00000800 Mdl: 00000000 Not impersonating DeviceMap e10028b0 Owning Process a554bcc8 Image: lsass.exe Wait Start TickCount 1450447 Ticks: 0 Context Switch Count 9619 UserTime 00:00:00.156 KernelTime 00:00:00.234 Win32 Start Address RPCRT4!ThreadStartRoutine (0x77c7b0f5) Start Address KERNEL32!BaseThreadStartThunk (0x77e617ec) Stack Init f59f3000 Current f59f2d00 Base f59f3000 Limit f59f0000 Call 0 Priority 11 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr f59f2d18 80a5c1ae nt!KiDispatchInterrupt+0xb1 f59f2d48 80a5c577 hal!HalpDispatchSoftwareInterrupt+0x5e f59f2d54 80a59902 hal!HalEndSystemInterrupt+0x67 f59f2d54 77c6928d hal!HalpIpiHandler+0xd2 (TrapFrame @ f59f2d64) 00c5f908 00000000 RPCRT4!OSF_SCALL::GetBuffer+0×37

3: kd> .thread a5683db0 Implicit thread is now a5683db0

3: kd> r Last set context: eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=8088dba1 esp=f59f2d0c ebp=f59f2d2c iopl=0 nv up di pl nz na po nc cs=0008 ss=0010 ds=0000 es=0000 fs=0000 gs=0000 efl=00000000 nt!KiDispatchInterrupt+0xb1: 8088dba1 b902000000 mov ecx,2

3: kd> ub nt!KiDispatchInterrupt+0x8f: 8088db7f mov dword ptr [ebx+124h],esi 8088db85 mov byte ptr [esi+4Ch],2 8088db89 mov byte ptr [edi+5Ah],1Fh 8088db8d mov ecx,edi 8088db8f lea edx,[ebx+120h] 8088db95 call nt!KiQueueReadyThread (80833490) 8088db9a mov cl,1 8088db9c call nt!SwapContext (8088dbd0)

3: kd> u nt!KiDispatchInterrupt+0xb1: 8088dba1 mov ecx,2 8088dba6 call dword ptr [nt!_imp_KfLowerIrql (80801108)] 8088dbac mov ebp,dword ptr [esp] 8088dbaf mov edi,dword ptr [esp+4] 8088dbb3 mov esi,dword ptr [esp+8] 8088dbb7 add esp,0Ch 8088dbba pop ebx 8088dbbb ret

We can get user space thread stack by using .trap command but we need to switch to its process context first:

3: kd> .process /r /p a554bcc8 Implicit process is now a554bcc8 Loading User Symbols

3: kd> kL *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr 00c5f908 77c7ed60 RPCRT4!OSF_SCALL::GetBuffer+0x37 00c5f924 77c7ed14 RPCRT4!I_RpcGetBufferWithObject+0x7f 00c5f934 77c7f464 RPCRT4!I_RpcGetBuffer+0xf 00c5f944 77ce3470 RPCRT4!NdrGetBuffer+0x2e 00c5fd44 77ce35c4 RPCRT4!NdrStubCall2+0x35c 00c5fd60 77c7ff7a RPCRT4!NdrServerCall2+0x19 00c5fd94 77c8042d RPCRT4!DispatchToStubInCNoAvrf+0x38 00c5fde8 77c80353 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f 00c5fe0c 77c68e0d RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3 00c5fe40 77c68cb3 RPCRT4!OSF_SCALL::DispatchHelper+0x149 00c5fe54 77c68c2b RPCRT4!OSF_SCALL::DispatchRPCCall+0x10d 00c5fe84 77c68b5e RPCRT4!OSF_SCALL::ProcessReceivedPDU+0x57f 00c5fea4 77c6e8db RPCRT4!OSF_SCALL::BeginRpcCall+0x194 00c5ff04 77c6e7b4 RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x435 00c5ff18 77c7b799 RPCRT4!ProcessConnectionServerReceivedEvent+0x21 00c5ff84 77c7b9b5 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x1b8 00c5ff8c 77c8872d RPCRT4!ProcessIOEventsWrapper+0xd 00c5ffac 77c7b110 RPCRT4!BaseCachedThreadRoutine+0x9d 00c5ffb8 77e64829 RPCRT4!ThreadStartRoutine+0x1b 00c5ffec 00000000 kernel32!BaseThreadStart+0x34

Waiting threads (wait originated from user space)

THREAD a34369d0 Cid 1fc8.1e88 Teb: 7ffae000 Win32Thread: bc6d5818 WAIT: (Unknown) UserMode Non-Alertable a34d9940 SynchronizationEvent a3436a48 NotificationTimer Not impersonating DeviceMap e12256a0 Owning Process a3340a10 Image: IEXPLORE.EXE Wait Start TickCount 1450409 Ticks: 38 (0:00:00:00.593) Context Switch Count 7091 LargeStack UserTime 00:00:01.015 KernelTime 00:00:02.250 Win32 Start Address mshtml!CExecFT::StaticThreadProc (0x7fab1061) Start Address kernel32!BaseThreadStartThunk (0x77e617ec) Stack Init f252b000 Current f252ac60 Base f252b000 Limit f2528000 Call 0 Priority 11 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr f252ac78 80833465 nt!KiSwapContext+0x26 f252aca4 80829a62 nt!KiSwapThread+0x2e5 f252acec 80938d0c nt!KeWaitForSingleObject+0x346 f252ad50 8088978c nt!NtWaitForSingleObject+0x9a f252ad50 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f252ad64) 030dff08 7c827d0b ntdll!KiFastSystemCallRet 030dff0c 77e61d1e ntdll!NtWaitForSingleObject+0xc 030dff7c 77e61c8d kernel32!WaitForSingleObjectEx+0xac 030dff90 7fab08a3 kernel32!WaitForSingleObject+0×12 030dffa8 7fab109c mshtml!CDwnTaskExec::ThreadExec+0xae 030dffb0 7fab106e mshtml!CExecFT::ThreadProc+0×28 030dffb8 77e64829 mshtml!CExecFT::StaticThreadProc+0xd 030dffec 00000000 kernel32!BaseThreadStart+0×34

If we had taken user dump of iexplore.exe we would have seen the following stack trace there:

030dff08 7c827d0b ntdll!KiFastSystemCallRet 030dff0c 77e61d1e ntdll!NtWaitForSingleObject+0xc 030dff7c 77e61c8d kernel32!WaitForSingleObjectEx+0xac 030dff90 7fab08a3 kernel32!WaitForSingleObject+0×12 030dffa8 7fab109c mshtml!CDwnTaskExec::ThreadExec+0xae 030dffb0 7fab106e mshtml!CExecFT::ThreadProc+0×28 030dffb8 77e64829 mshtml!CExecFT::StaticThreadProc+0xd 030dffec 00000000 kernel32!BaseThreadStart+0×34

Another example:

THREAD a31f2438 Cid 1fc8.181c Teb: 7ffaa000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable a30f8c20 NotificationEvent a5146720 NotificationEvent a376fbb0 NotificationEvent Not impersonating DeviceMap e12256a0 Owning Process a3340a10 Image: IEXPLORE.EXE Wait Start TickCount 1419690 Ticks: 30757 (0:00:08:00.578) Context Switch Count 2 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address USERENV!NotificationThread (0x76929dd9) Start Address kernel32!BaseThreadStartThunk (0x77e617ec) Stack Init f5538000 Current f5537900 Base f5538000 Limit f5535000 Call 0 Priority 10 BasePriority 10 PriorityDecrement 0 Kernel stack not resident. ChildEBP RetAddr f5537918 80833465 nt!KiSwapContext+0x26 f5537944 80829499 nt!KiSwapThread+0x2e5 f5537978 80938f68 nt!KeWaitForMultipleObjects+0x3d7 f5537bf4 809390ca nt!ObpWaitForMultipleObjects+0x202 f5537d48 8088978c nt!NtWaitForMultipleObjects+0xc8 f5537d48 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f5537d64) 0851fec0 7c827cfb ntdll!KiFastSystemCallRet 0851fec4 77e6202c ntdll!NtWaitForMultipleObjects+0xc 0851ff6c 77e62fbe kernel32!WaitForMultipleObjectsEx+0x11a 0851ff88 76929e35 kernel32!WaitForMultipleObjects+0×18 0851ffb8 77e64829 USERENV!NotificationThread+0×5f 0851ffec 00000000 kernel32!BaseThreadStart+0×34

Waiting threads (wait originated from kernel space)

Examples include explicit wait as a result from calling potentially blocking API:

THREAD a33a9740 Cid 1980.1960 Teb: 7ffde000 Win32Thread: bc283ea8 WAIT: (Unknown) UserMode Non-Alertable a35e3168 SynchronizationEvent Not impersonating DeviceMap e689f298 Owning Process a342d3a0 Image: explorer.exe Wait Start TickCount 1369801 Ticks: 80646 (0:00:21:00.093) Context Switch Count 1667 LargeStack UserTime 00:00:00.015 KernelTime 00:00:00.093 Win32 Start Address Explorer!ModuleEntry (0x010148a4) Start Address kernel32!BaseProcessStartThunk (0x77e617f8) Stack Init f258b000 Current f258ac50 Base f258b000 Limit f2585000 Call 0 Priority 13 BasePriority 10 PriorityDecrement 1 Kernel stack not resident. ChildEBP RetAddr f258ac68 80833465 nt!KiSwapContext+0x26 f258ac94 80829a62 nt!KiSwapThread+0x2e5 f258acdc bf89abd3 nt!KeWaitForSingleObject+0×346 f258ad38 bf89da43 win32k!xxxSleepThread+0×1be f258ad4c bf89e401 win32k!xxxRealWaitMessageEx+0×12 f258ad5c 8088978c win32k!NtUserWaitMessage+0×14 f258ad5c 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f258ad64) 0007feec 7739bf53 ntdll!KiFastSystemCallRet 0007ff08 7c8fadbd USER32!NtUserWaitMessage+0xc 0007ff14 0100fff1 SHELL32!SHDesktopMessageLoop+0×24 0007ff5c 0101490c Explorer!ExplorerWinMain+0×2c4 0007ffc0 77e6f23b Explorer!ModuleEntry+0×6d 0007fff0 00000000 kernel32!BaseProcessStart+0×23

and implicit wait when a thread yields execution to another thread voluntarily via explicit context swap:

THREAD a3072b68 Cid 1fc8.1d94 Teb: 7ffaf000 Win32Thread: bc1e3c20 WAIT: (Unknown) UserMode Non-Alertable a37004d8 QueueObject a3072be0 NotificationTimer IRP List: a322be00: (0006,01fc) Flags: 00000000 Mdl: a30b8e30 a30bcc38: (0006,01fc) Flags: 00000000 Mdl: a35bf530 Not impersonating DeviceMap e12256a0 Owning Process a3340a10 Image: IEXPLORE.EXE Wait Start TickCount 1447963 Ticks: 2484 (0:00:00:38.812) Context Switch Count 3972 LargeStack UserTime 00:00:00.140 KernelTime 00:00:00.250 Win32 Start Address ntdll!RtlpWorkerThread (0x7c839efb) Start Address kernel32!BaseThreadStartThunk (0x77e617ec) Stack Init f1cc3000 Current f1cc2c38 Base f1cc3000 Limit f1cbf000 Call 0 Priority 10 BasePriority 10 PriorityDecrement 0 ChildEBP RetAddr f1cc2c50 80833465 nt!KiSwapContext+0x26 f1cc2c7c 8082b60f nt!KiSwapThread+0x2e5 f1cc2cc4 808ed620 nt!KeRemoveQueue+0×417 f1cc2d48 8088978c nt!NtRemoveIoCompletion+0xdc f1cc2d48 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f1cc2d64) 06ceff70 7c8277db ntdll!KiFastSystemCallRet 06ceff74 7c839f38 ntdll!ZwRemoveIoCompletion+0xc 06ceffb8 77e64829 ntdll!RtlpWorkerThread+0×3d 06ceffec 00000000 kernel32!BaseThreadStart+0×34

THREAD a3612020 Cid 1980.1a48 Teb: 7ffd9000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Alertable a3612098 NotificationTimer Not impersonating DeviceMap e689f298 Owning Process a342d3a0 Image: explorer.exe Wait Start TickCount 1346718 Ticks: 103729 (0:00:27:00.765) Context Switch Count 4 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address ntdll!RtlpTimerThread (0x7c83d3dd) Start Address kernel32!BaseThreadStartThunk (0x77e617ec) Stack Init f2453000 Current f2452c80 Base f2453000 Limit f2450000 Call 0 Priority 10 BasePriority 10 PriorityDecrement 0 Kernel stack not resident. ChildEBP RetAddr f2452c98 80833465 nt!KiSwapContext+0x26 f2452cc4 80828f0b nt!KiSwapThread+0x2e5 f2452d0c 80994812 nt!KeDelayExecutionThread+0×2ab f2452d54 8088978c nt!NtDelayExecution+0×84 f2452d54 7c8285ec nt!KiFastCallEntry+0xfc (TrapFrame @ f2452d64) 0149ff9c 7c826f4b ntdll!KiFastSystemCallRet 0149ffa0 7c83d424 ntdll!NtDelayExecution+0xc 0149ffb8 77e64829 ntdll!RtlpTimerThread+0×47 0149ffec 00000000 kernel32!BaseThreadStart+0×34

Explicit waits in kernel can be originated from GUI threads and their message loops, for example, Main Thread. Blocked GUI Thread pattern can be seen as an example of a genuine Blocked Thread. Some “blocked” threads are just really Passive Threads.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Stack Trace Collection | 16 Comments »

Archive for February 27th, 2008

Crash Dump Analysis Patterns (Part 53)

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

February 2008
M	T	W	T	F	S	S
« Jan				Mar »
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29